From 6f9e3899266ae6c7912d8b1f3428ab97e239a21b Mon Sep 17 00:00:00 2001
From: Said Sef
Date: Fri, 25 Aug 2023 10:31:38 +0100
Subject: [PATCH] Moved part of Kubernetes securityContext spec to container level

This best practice applys the securityContext to all container in the deployment and reduces code duplications Updated Kubernetes deployment spec set readOnlyRootFilesystem and increased initialDelaySeconds Added apk package curl for internal use, updated folder path name by making it consistent moved Bamboo logs to ephemeral storage U[dated Kubernetes deployment manifest to include resources - this is to define resource specs, and added JAVA min max and opts from system resource foo
---
 Dockerfile | 27 +++++++++++++--------------
 deployment/base/statefulset.yml | 27 +++++++++++++++++++--------
 2 files changed, 32 insertions(+), 22 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 0c7e22c..810a285 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,17 +1,16 @@
-FROM docker.io/openjdk:jre-alpine
+FROM docker.io/openjdk:22-slim
 ARG BUILD_ID=""
-ARG BAMBOO_VERSION=""
+ARG BAMBOO_VERSION="9.2.4"
 ARG PORT=""
 ARG REF=""
-LABEL org.opencontainers.image.description="Containerised Atlassian Bomboo Server"
+LABEL org.opencontainers.image.description="Containerised Atlassian Bamboo Server"
 LABEL maintainer="Said Sef (saidsef.co.uk/)"
 LABEL "uk.co.saidsef.bamboo"="${REF}"
 ENV BAMBOO_HOME /data
-# If BAMBOO_VERSION is not supplied during build, use stable version 9.2.4
-ENV BB_PKG_NAME atlassian-bamboo-${BAMBOO_VERSION:-9.2.4}
+ENV BB_PKG_NAME atlassian-bamboo-${BAMBOO_VERSION}
 ENV PATH /opt/$BB_PKG_NAME/bin:$PATH
 ENV HOME /tmp
 ENV PORT ${PORT:-8085}
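Review bot: `ENV PATH /opt/$BB_PKG_NAME/bin:$PATH`, a context line in this hunk, now points at a directory that no longer exists, because the second Dockerfile hunk moves the extracted tree to `/opt/atlassian-bamboo` instead of `/opt/$BB_PKG_NAME`; change it to `ENV PATH /opt/atlassian-bamboo/bin:$PATH` so that `BB_PKG_NAME` only names the tarball. The new base `docker.io/openjdk:22-slim` swaps one deprecated, unpinned tag for another: the `openjdk` Hub image is officially deprecated and only publishes early-access builds, so a maintained JRE image (for example an `eclipse-temurin` JRE tag) pinned by digest is the safer choice, and it is worth confirming that Bamboo 9.2.4 supports the chosen Java major version, since Java 22 is likely newer than what that Bamboo line certifies. Separately, the `ENV key value` form used throughout is the legacy format; `ENV BB_PKG_NAME=atlassian-bamboo-${BAMBOO_VERSION}` is the current syntax.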
@@ -22,22 +21,22 @@ USER root
 WORKDIR $BAMBOO_HOME
 # Install wget and Download Bamboo
-RUN apk add --update --no-cache wget bash openssl procps && \
+RUN apt-get update && \
+ apt-get install -yq wget curl && \
 echo $BB_PKG_NAME && \
 wget https://www.atlassian.com/software/bamboo/downloads/binary/$BB_PKG_NAME.tar.gz && \
 tar xvzf $BB_PKG_NAME.tar.gz && \
 rm -vf $BB_PKG_NAME.tar.gz && \
 mkdir -p /opt && \
- mv $BB_PKG_NAME /opt && \
- rm -rf /var/cache/apk/*
+ mv $BB_PKG_NAME /opt/atlassian-bamboo
 # COPY bamboo-init.properties config
-COPY config/bamboo-init.properties /opt/$BB_PKG_NAME/WEB-INF/classes/
-COPY config/bamboo-init.properties /opt/$BB_PKG_NAME/
+COPY config/bamboo-init.properties /opt/atlassian-bamboo/WEB-INF/classes/
+COPY config/bamboo-init.properties /opt/atlassian-bamboo/
-# # Fix dir permissions/ownership
-RUN chmod a+rwx /opt/$BB_PKG_NAME/WEB-INF/classes/bamboo-init.properties && \
- chown nobody:nobody -R /opt/$BB_PKG_NAME
+# Fix dir permissions/ownership
+RUN chmod a+rwx /opt/atlassian-bamboo/WEB-INF/classes/bamboo-init.properties && \
+ chown nobody:nobody -R /opt/atlassian-bamboo
 USER nobody
@@ -48,4 +47,4 @@ VOLUME ["/data"]
 EXPOSE ${PORT}
 # Define default command.
-CMD /opt/$BB_PKG_NAME/bin/start-bamboo.sh -fg
+CMD /opt/atlassian-bamboo/bin/start-bamboo.sh -fg
diff --git a/deployment/base/statefulset.yml b/deployment/base/statefulset.yml
index 2a892d5..3d322e9 100644
--- a/deployment/base/statefulset.yml
+++ b/deployment/base/statefulset.yml
@@ -22,6 +22,10 @@ spec:
 name: bamboo
 app: bamboo
 spec:
+ securityContext:
+ runAsNonRoot: true
+ runAsGroup: 65534
+ runAsUser: 65534
 containers:
 - image: docker.io/saidsef/atlassian-bamboo-cicd:v2023.04
 imagePullPolicy: Always
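Review bot: The rewritten `RUN` drops `procps`, which the old apk line installed, while the liveness probe in `deployment/base/statefulset.yml` (the hunk starting at `@@ -30,24 +34,31 @@`) still executes `pgrep java`; unless the new Debian-based base happens to ship procps, every exec probe fails and the pod is restarted in a loop. The same `RUN` now pulls in recommended packages and leaves `/var/lib/apt/lists` in the layer, since the apk cache cleanup was removed without an apt equivalent: use `apt-get install -y --no-install-recommends curl procps wget && \` and end the chain with `&& rm -rf /var/lib/apt/lists/*`. With `BAMBOO_VERSION` now fixed at 9.2.4, the context `wget` line could verify the tarball before extraction, e.g. `echo "<published-sha256 placeholder>  $BB_PKG_NAME.tar.gz" | sha256sum -c -`. Finally, `chmod a+rwx` on the rewritten permissions line makes the bundled `bamboo-init.properties` world-writable and executable; with the tree already `chown`ed to `nobody`, `chmod 644` is sufficient.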
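Review bot: The rewritten `CMD` is still in shell form, so `start-bamboo.sh` is launched through `/bin/sh -c` and, unless that shell happens to exec its final command, is not PID 1 and does not receive the SIGTERM Kubernetes sends on pod termination, turning the StatefulSet's rolling restart into a SIGKILL after the grace period. Use the exec form: `CMD ["/opt/atlassian-bamboo/bin/start-bamboo.sh", "-fg"]`.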
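Review bot: Only `runAsNonRoot`, `runAsUser` and `runAsGroup` moved to the pod-level `securityContext`; `seccompProfile` (`type: RuntimeDefault`, visible as context in the hunk at `@@ -56,18 +67,18 @@`) is also valid at pod level and would match the commit's stated goal of one setting for all containers, whereas `allowPrivilegeEscalation`, `capabilities` and `readOnlyRootFilesystem` are container-only fields and have to stay where they are. Consider adding `fsGroup: 65534` here as well, so a volume that is not world-writable (an emptyDir is, but a PVC replacing it generally is not) is owned by the group the process runs as. The image reference on the context line, `docker.io/saidsef/atlassian-bamboo-cicd:v2023.04` with `imagePullPolicy: Always`, is a mutable tag; pinning by digest would make what actually runs under this security context reproducible.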
@@ -30,24 +34,31 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: status.hostIP
+ # - name: JAVA_OPTS
+ # value: "-XX:+UseContainerSupport"
 name: bamboo
 ports:
 - protocol: TCP
 containerPort: 8085
 name: bamboo
+ resources:
+ limits:
+ cpu: 500m
+ memory: 1Gi
+ ephemeral-storage: 3Gi
 livenessProbe:
 exec:
 command:
 - pgrep
 - java
- initialDelaySeconds: 3
+ initialDelaySeconds: 30
 periodSeconds: 3
 successThreshold: 1
 timeoutSeconds: 2
 readinessProbe:
 tcpSocket:
 port: bamboo
- initialDelaySeconds: 5
+ initialDelaySeconds: 30
 periodSeconds: 5
 successThreshold: 1
 timeoutSeconds: 1
@@ -56,18 +67,18 @@ spec:
 type: RuntimeDefault
 allowPrivilegeEscalation: false
 privileged: false
- runAsGroup: 65534
- runAsUser: 65534
- runAsNonRoot: true
- readOnlyRootFilesystem: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop:
 - ALL
 volumeMounts:
- - name: bamboo-storage
+ - name: data
 mountPath: /data
 subPath: data
+ - name: data
+ mountPath: /opt/atlassian-bamboo/logs
+ subPath: logs
 volumes:
- - name: bamboo-storage
+ - name: data
 emptyDir:
 sizeLimit: 3Gi
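Review bot: The commit message says JVM min/max and opts were added, but this hunk only adds them commented out (`# - name: JAVA_OPTS`), while the new `memory: 1Gi` limit arrives without any heap setting; if the start script's default maximum heap is close to 1 GiB (Bamboo's `setenv.sh` defaults, to be confirmed), the JVM plus metaspace and thread stacks will exceed the limit and the container will be OOM-killed rather than throttled. Either uncomment and complete the env entries with a maximum heap sized well under the limit, or raise the limit to fit the default heap, and add `requests` so the scheduler sees the intended numbers explicitly instead of relying on them being defaulted from `limits`. A `startupProbe` would also express the 30-second warm-up more precisely than a flat `initialDelaySeconds` on both probes, since the liveness check keeps its tight 3-second period once it starts.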
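Review bot: With `readOnlyRootFilesystem: true` nothing outside the two `data` subPath mounts is writable, yet the Dockerfile sets `ENV HOME /tmp` and nothing in this manifest mounts `/tmp`, so any write to `$HOME` or to Java's default temp directory fails once the root filesystem is read-only. Add a third mount following the hunk's own pattern, `- name: data` / `mountPath: /tmp` / `subPath: tmp`, and check whether the Bamboo start script writes anywhere else under `/opt/atlassian-bamboo` (Tomcat-style `temp`/`work` directories, if present) so those get the same treatment. Note that `data`, `logs` and `/tmp` then share the single 3Gi emptyDir, which also counts against the container's new 3Gi `ephemeral-storage` limit, so a full log directory evicts the pod rather than merely filling up.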