From 5cde98f529923af5e80cdf5b16da35f0ad9cc9b0 Mon Sep 17 00:00:00 2001
From: Joseph Hanson
Date: Thu, 17 Oct 2024 20:41:59 -0500
Subject: [PATCH] refactor security context and add proper version to piped frontend
---
 .../apps/default/piped/app/helmrelease.yaml | 32 ++++++-------------
 1 file changed, 10 insertions(+), 22 deletions(-)
diff --git a/kubernetes/apps/default/piped/app/helmrelease.yaml b/kubernetes/apps/default/piped/app/helmrelease.yaml
index 5c636719..72b80d18 100644
--- a/kubernetes/apps/default/piped/app/helmrelease.yaml
+++ b/kubernetes/apps/default/piped/app/helmrelease.yaml
@@ -18,6 +18,11 @@ spec:
 values:
 defaultPodOptions:
 automountServiceAccountToken: false
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
+ fsGroupChangePolicy: "OnRootMismatch"
 controllers:
 backend:
@@ -25,13 +30,6 @@ spec:
 annotations:
 secret.reloader.stakater.com/reload: piped-secret
- pod:
- securityContext:
- runAsUser: 1000
- runAsGroup: 1000
- fsGroup: 1000
- fsGroupChangePolicy: "OnRootMismatch"
-
 containers:
 app:
 image:
@@ -58,21 +56,13 @@ spec:
 frontend:
 strategy: RollingUpdate
- pod:
- securityContext:
- runAsUser: 101
- runAsGroup: 101
- fsGroup: 101
- fsGroupChangePolicy: "OnRootMismatch"
 containers:
 app:
 image:
 repository: ghcr.io/bjw-s-labs/piped-frontend
- tag: latest@sha256:07ab90aa25302bcc6673d7a52b5d4b129490a8fb543d5648b87ed1d366ce547e
+ tag: 2024.10.17@sha256:2d11886aef42a280e6ee924126882f7bb3593d87f0b27f8d035067cbc29c8edb
 env:
- HTTP_PORT: 8080
- HTTP_WORKERS: 4
 BACKEND_HOSTNAME: piped-api.hsn.dev
 probes:
 liveness:
@@ -87,15 +77,13 @@ spec:
 memory: 256Mi
 securityContext:
 allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
 ytproxy:
 strategy: RollingUpdate
- pod:
- securityContext:
- runAsUser: 1000
- runAsGroup: 1000
- fsGroup: 1000
- fsGroupChangePolicy: "OnRootMismatch"
 containers:
 app:
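Review bot: The pod-wide `securityContext` added under `defaultPodOptions` pins UID/GID 1000 but sets neither `runAsNonRoot: true` nor a seccomp profile, so the kubelet would still start a container as root if a controller later overrides `runAsUser`. Consider adding `runAsNonRoot: true` and `seccompProfile: { type: RuntimeDefault }` next to `fsGroupChangePolicy`. This default also moves the frontend from UID/GID 101 (removed in the `-58,21` hunk) to 1000; that is presumably intended with the new image, but a one-line comment saying so would help the next reader. The `values:` mapping starts and continues outside the hunk.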
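Review bot: In the `-87,15` hunk, `capabilities.drop: [ALL]` and `readOnlyRootFilesystem: true` are added to only one container `securityContext` (from its position, apparently the frontend). The backend and ytproxy container settings lie outside the hunks, so it is not visible whether they carry the same restrictions; if they do not, setting `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]` and `readOnlyRootFilesystem: true` on each container would keep the three pods consistent. With a read-only root filesystem, any path the image writes at runtime (temp or cache directories) needs an `emptyDir` mount, and none is visible here, so confirm the frontend starts cleanly as UID 1000.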