Skip to content

feat: Ensure non-root container images.#382

Merged
pantierra merged 3 commits intomainfrom
feature/non-root-images
Feb 10, 2026
Merged

feat: Ensure non-root container images.#382
pantierra merged 3 commits intomainfrom
feature/non-root-images

Conversation

@pantierra
Copy link
Copy Markdown
Contributor

@pantierra pantierra commented Dec 10, 2025
edited
Loading

@pantierra pantierra force-pushed the feature/non-root-images branch 4 times, most recently from d50030b to cee859a Compare December 10, 2025 11:03
@pantierra pantierra mentioned this pull request Dec 10, 2025
Closed
@pantierra
Copy link
Copy Markdown
Contributor Author

pantierra commented Dec 10, 2025

Check work. Now we have to wait and rebase until all upstream projects release the non-root container images.

@pantierra pantierra self-assigned this Dec 15, 2025
@pantierra pantierra force-pushed the feature/non-root-images branch from cee859a to 517d8c0 Compare December 19, 2025 15:26
@pantierra pantierra force-pushed the feature/non-root-images branch from 517d8c0 to 7023284 Compare January 5, 2026 12:40
@j08lue j08lue mentioned this pull request Jan 8, 2026
Closed
@j08lue
Copy link
Copy Markdown
Member

j08lue commented Jan 8, 2026

STAC Browser 4.0.0 includes the change: https://github.com/radiantearth/stac-browser/releases/tag/v4.0.0

@pantierra
Copy link
Copy Markdown
Contributor Author

pantierra commented Jan 9, 2026

Yes, STAC-Browser 4.0.0 is part of #376

@pantierra pantierra force-pushed the feature/non-root-images branch 2 times, most recently from aa9314e to 3b4e0e0 Compare January 13, 2026 19:45
@pantierra pantierra requested a review from ciaransweet January 13, 2026 19:45
ciaransweet
ciaransweet reviewed Jan 13, 2026
View reviewed changes
Comment thread charts/eoapi/templates/_helpers/services.tpl Outdated
initContainers:
- name: wait-for-pgstac-jobs
image: alpine/k8s:1.28.0
image: bitnami/kubectl:latest
Copy link
Copy Markdown
Contributor

@ciaransweet ciaransweet Jan 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we use this one? Should it not be bitnamilegacy/kubectl:<something>?

Either way, I'd say ⛔ to bitnami.

Copy link
Copy Markdown
Contributor Author

@pantierra pantierra Jan 13, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It works. Even without the legacy part.

As far as i know this is the only (serious) one that runs as non-root. Maybe we should stick to alpine/k8s but use securityContext with it?!

Copy link
Copy Markdown
Contributor

@ciaransweet ciaransweet Jan 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Weird. I'm not convinced when deployed, it will work, but not sure, maybe kubectl is a rare case of bitnami truly keeping it free..

@pantierra
Copy link
Copy Markdown
Contributor Author

pantierra commented Jan 13, 2026

All services are running now as non-root, but pgstac-pypgstac. @bitner, is there any release planned?

@pantierra pantierra force-pushed the feature/non-root-images branch 2 times, most recently from 447d2dd to 3b4e0e0 Compare January 13, 2026 20:15
@pantierra pantierra force-pushed the main branch 7 times, most recently from 6f0a6fe to 25dc65d Compare January 14, 2026 15:55
@pantierra pantierra force-pushed the feature/non-root-images branch 2 times, most recently from a8abf21 to e211b95 Compare January 16, 2026 15:14
@pantierra pantierra force-pushed the feature/non-root-images branch from e211b95 to 05dc726 Compare January 23, 2026 15:41
@pantierra
Copy link
Copy Markdown
Contributor Author

pantierra commented Jan 23, 2026

Nice, pgstac got a release! Now all container tests go through and we have integration test failures. I need to have a look and prepare it. No external dependencies anymore 🎉

@pantierra pantierra force-pushed the feature/non-root-images branch from 05dc726 to d56c192 Compare February 9, 2026 14:59
@pantierra pantierra force-pushed the feature/non-root-images branch from da4c24e to 020d162 Compare February 9, 2026 15:38
@pantierra pantierra force-pushed the feature/non-root-images branch from 020d162 to 35f9719 Compare February 9, 2026 16:07
@pantierra pantierra marked this pull request as ready for review February 10, 2026 08:22
@pantierra pantierra merged commit 0832309 into main Feb 10, 2026
@pantierra pantierra deleted the feature/non-root-images branch February 10, 2026 08:23
@ds-release-bot ds-release-bot Bot mentioned this pull request Feb 10, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ciaransweet ciaransweet ciaransweet approved these changes

Assignees

@pantierra pantierra

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

eoAPI and STAC Manager: Services should not run as root

3 participants

@pantierra @j08lue @ciaransweet