From c45df3301297c5db6f06fec8b4d348c22f8e20c5 Mon Sep 17 00:00:00 2001
From: Umair Ashraf
Date: Wed, 24 Jul 2024 22:24:54 +0100
Subject: [PATCH 1/7] added the user and set the necessory permissions

---
 src/ledger/ledger-db/Dockerfile | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/ledger/ledger-db/Dockerfile b/src/ledger/ledger-db/Dockerfile
index 58babe0ef..55a441b9e 100644
--- a/src/ledger/ledger-db/Dockerfile
+++ b/src/ledger/ledger-db/Dockerfile
@@ -16,6 +16,15 @@ FROM postgres:16.3-alpine@sha256:de3d7b6e4b5b3fe899e997579d6dfe95a99539d154abe03
 # Need to get coreutils to get the date bash function working properly:
 RUN apk add --no-cache coreutils && rm -rf /var/cache/apk/*
+# Create a user and group with the same UID and GID as the postgress
+RUN addgroup -S postgres && adduser -S postgres -G postgres
+
+# Change ownership of the necessary directories
+RUN chown -R postgres:postgres /var/lib/postgresql /var/run/postgresql
+
+# Set thte correct permissions
+RUN chmod -R 0700 /var/lib/postgresql/data && chmod -R 0755 /var/run/postgresql
+
 # Files for initializing the database.
 COPY initdb/0_init_tables.sql initdb/1_create_transactions.sh /docker-entrypoint-initdb.d/
 RUN chmod 755 /docker-entrypoint-initdb.d/0_init_tables.sql /docker-entrypoint-initdb.d/1_create_transactions.sh

From c7326f5a12d520c67ef79ab253db1a31f3671960 Mon Sep 17 00:00:00 2001
From: Umair Ashraf
Date: Thu, 25 Jul 2024 10:31:22 +0100
Subject: [PATCH 2/7] Trigger build with /gcbrun

From b344a3b46d84f7f9c01edc62c851e830343c1ebb Mon Sep 17 00:00:00 2001
From: Umair Ashraf
Date: Thu, 25 Jul 2024 19:45:44 +0100
Subject: [PATCH 3/7] Added the logic to create user & group only if it doesnt exist

---
 src/ledger/ledger-db/Dockerfile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/ledger/ledger-db/Dockerfile b/src/ledger/ledger-db/Dockerfile
index 55a441b9e..1982d566b 100644
--- a/src/ledger/ledger-db/Dockerfile
+++ b/src/ledger/ledger-db/Dockerfile
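Review bot: The `chown -R` and `chmod -R 0700` on `/var/lib/postgresql/data` in this hunk only touch the image layer, while PATCH 5/7 of this series shows the manifest mounting the `postgresdb` volume at exactly that path, so at runtime the owner and mode of the data directory come from the volume and the pod's fsGroup and these two build-time commands have no effect on it; only the `/var/run/postgresql` part survives into the running container. The comment `# Create a user and group with the same UID and GID as the postgress` also promises a matched UID/GID that `adduser -S postgres -G postgres` never sets (no `-u`/`-g` is passed), so either pass the intended numeric IDs explicitly and name them in the comment, or shorten it to `# Ensure the postgres user and group exist`. The comment typos (`postgress`, `thte`) are worth fixing in the same pass.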
@@ -17,7 +17,8 @@ FROM postgres:16.3-alpine@sha256:de3d7b6e4b5b3fe899e997579d6dfe95a99539d154abe03
 RUN apk add --no-cache coreutils && rm -rf /var/cache/apk/*
 # Create a user and group with the same UID and GID as the postgress
-RUN addgroup -S postgres && adduser -S postgres -G postgres
+RUN if ! getent group postgres > /dev/null; then addgroup -S postgres; fi && \
+ if ! getent passwd postgres > /dev/null; then adduser -S postgres -G postgres; fi
 # Change ownership of the necessary directories
 RUN chown -R postgres:postgres /var/lib/postgresql /var/run/postgresql

From 0434a4247f3c8f9c928aab8de72d2f15bfa616e0 Mon Sep 17 00:00:00 2001
From: Umair Ashraf
Date: Fri, 26 Jul 2024 16:41:30 +0100
Subject: [PATCH 4/7] removing the conditional check as postgres user already exist

---
 src/ledger/ledger-db/Dockerfile | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/src/ledger/ledger-db/Dockerfile b/src/ledger/ledger-db/Dockerfile
index 1982d566b..d8ae4e703 100644
--- a/src/ledger/ledger-db/Dockerfile
+++ b/src/ledger/ledger-db/Dockerfile
@@ -16,10 +16,6 @@ FROM postgres:16.3-alpine@sha256:de3d7b6e4b5b3fe899e997579d6dfe95a99539d154abe03
 # Need to get coreutils to get the date bash function working properly:
 RUN apk add --no-cache coreutils && rm -rf /var/cache/apk/*
-# Create a user and group with the same UID and GID as the postgress
-RUN if ! getent group postgres > /dev/null; then addgroup -S postgres; fi && \
- if ! getent passwd postgres > /dev/null; then adduser -S postgres -G postgres; fi
-
 # Change ownership of the necessary directories
 RUN chown -R postgres:postgres /var/lib/postgresql /var/run/postgresql

From 462e87598b2688d65d0466a3bd8812a9db463f6a Mon Sep 17 00:00:00 2001
From: Umair Ashraf
Date: Sun, 28 Jul 2024 11:08:08 +0100
Subject: [PATCH 5/7] added the security context for the non root user

---
 kubernetes-manifests/ledger-db.yaml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/kubernetes-manifests/ledger-db.yaml b/kubernetes-manifests/ledger-db.yaml
index 2a716f3e1..8232f27c5 100644
--- a/kubernetes-manifests/ledger-db.yaml
+++ b/kubernetes-manifests/ledger-db.yaml
@@ -103,6 +103,11 @@ spec:
 - mountPath: /var/lib/postgresql/data
 name: postgresdb
 subPath: postgres
+ securityContext:
+ fsGroup: 1000
+ runAsGroup: 1000
+ runAsNonRoot: true
+ runAsUser: 1000
 serviceAccount: bank-of-anthos
 serviceAccountName: default
 volumes:

From 6080e4acf7b610e83aed3b0534f71164c1afecd1 Mon Sep 17 00:00:00 2001
From: Umair Ashraf
Date: Sun, 28 Jul 2024 23:18:39 +0100
Subject: [PATCH 6/7] added the missing security contexts in the K8s file

---
 kubernetes-manifests/ledger-db.yaml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/kubernetes-manifests/ledger-db.yaml b/kubernetes-manifests/ledger-db.yaml
index 8232f27c5..aa5aa0336 100644
--- a/kubernetes-manifests/ledger-db.yaml
+++ b/kubernetes-manifests/ledger-db.yaml
@@ -108,6 +108,12 @@ spec:
 runAsGroup: 1000
 runAsNonRoot: true
 runAsUser: 1000
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ privileged: false
+ readOnlyRootFilesystem: true
 serviceAccount: bank-of-anthos
 serviceAccountName: default
 volumes:

From e7adf614fdca3eebb1a7978d50c079f89dfab54c Mon Sep 17 00:00:00 2001
From: Olivier Bourgeois <3271352+bourgeoisor@users.noreply.github.com>
Date: Mon, 29 Jul 2024 16:04:39 -0400
Subject: [PATCH 7/7] Fix up security contexts

---
 kubernetes-manifests/ledger-db.yaml | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)

diff --git a/kubernetes-manifests/ledger-db.yaml b/kubernetes-manifests/ledger-db.yaml
index aa5aa0336..1e03820cc 100644
--- a/kubernetes-manifests/ledger-db.yaml
+++ b/kubernetes-manifests/ledger-db.yaml
@@ -80,6 +80,11 @@ spec:
 team: ledger
 tier: db
 spec:
+ securityContext:
+ fsGroup: 1000
+ runAsGroup: 1000
+ runAsNonRoot: true
+ runAsUser: 1000
 containers:
 - envFrom:
 - configMapRef:
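Review bot: In the PATCH 5/7 hunk at `@@ -103,6 +103,11 @@`, the `runAsUser: 1000` / `runAsGroup: 1000` / `fsGroup: 1000` values are not tied to the UID the image gives the `postgres` account; the official `postgres:*-alpine` images create that account with a fixed low UID (70, as far as I recall — confirm with `id postgres` inside the pinned image), not 1000. If the pod previously ran as root, the entrypoint would have dropped to that account, so any data directory already initialised on the `postgresdb` volume is owned by that UID and a server now running as 1000 will refuse it with a wrong-ownership error; the build-time `chown postgres:postgres` in PATCH 1/7 targets that same UID rather than 1000. I would set the three values to the IDs the image actually assigns, `runAsUser: <POSTGRES_UID>`, `runAsGroup: <POSTGRES_GID>`, `fsGroup: <POSTGRES_GID>`, and add a comment naming the image tag they were read from. PATCH 7/7 moves this block to the pod spec at `@@ -80,6 +80,11 @@` without changing the numbers, so the same correction applies there.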
@@ -90,6 +95,13 @@ spec:
 name: demo-data-config
 image: us-central1-docker.pkg.dev/bank-of-anthos-ci/bank-of-anthos/ledger-db:v0.6.4@sha256:f30e64b9cc30b25beea6eda54ffef5e3fcba7af72a8dca78f05c81af378f4553
 name: postgres
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ privileged: false
+ readOnlyRootFilesystem: true
 ports:
 - containerPort: 5432
 resources:
@@ -103,17 +115,6 @@ spec:
 - mountPath: /var/lib/postgresql/data
 name: postgresdb
 subPath: postgres
- securityContext:
- fsGroup: 1000
- runAsGroup: 1000
- runAsNonRoot: true
- runAsUser: 1000
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - all
- privileged: false
- readOnlyRootFilesystem: true
 serviceAccount: bank-of-anthos
 serviceAccountName: default
 volumes:
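Review bot: `readOnlyRootFilesystem: true` is set on the `postgres` container in the `@@ -90,6 +95,13 @@` hunk without a writable mount for the paths PostgreSQL writes outside PGDATA — `/var/run/postgresql` (Unix socket and lock file; the directory PATCH 1/7 prepares in the image layer) and `/tmp`; the `volumes:` list lies outside this hunk, so if no `emptyDir` is mounted on those paths the server will fail at startup once the root filesystem becomes read-only. Either mount an `emptyDir` on each, as sketched below, or drop `readOnlyRootFilesystem` with a comment saying why. Separately, `drop: - all` uses the lowercase spelling; Kubernetes documents the value as `ALL`, and I believe the Pod Security `restricted` profile looks for that exact string, so `- ALL` is the safer form.
```yaml
        # … unchanged: existing volumeMounts entries (postgresdb) …
        - mountPath: /var/run/postgresql
          name: postgres-run
        - mountPath: /tmp
          name: postgres-tmp
      # … unchanged: serviceAccount, serviceAccountName …
      volumes:
      # … unchanged: existing volumes …
      - name: postgres-run
        emptyDir: {}
      - name: postgres-tmp
        emptyDir: {}
```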