test with readonly fs

equinor · May 13, 2024 · 9528dff · 9528dff
1 parent 30b9341
commit 9528dff
Show file tree

Hide file tree

Showing 8 changed files with 80 additions and 30 deletions.
diff --git a/docker-compose-host-macos.yml b/docker-compose-host-macos.yml
@@ -4,7 +4,7 @@ services:
   web:
     image: node:20.9-alpine
     container_name: radix-web_container
-    stdin_open: true # because of https://github.com/facebook/create-react-app/issues/8688
+    read_only: true
     working_dir: /app
     command: [ "sh", "-c", "npm install --prefer-offline --no-audit && chown -R node:node node_modules && npm start" ]
     volumes:
@@ -14,6 +14,9 @@ services:
       - type: volume
         source: node-modules
         target: /app/node_modules
+      - type: volume
+        target: /root
+        tmpfs: {}
     networks:
       - radix
     environment:
@@ -32,6 +35,7 @@ services:
   proxy:
     image: nginxinc/nginx-unprivileged:1.25.2-alpine
     container_name: radix-proxy_container
+    read_only: true
     depends_on:
       web:
         condition: service_healthy
@@ -48,6 +52,12 @@ services:
       - type: bind
         source: ./proxy/run_nginx.sh
         target: /run_nginx.sh
+      - type: volume
+        target: /etc/nginx/conf.d
+        tmpfs: {}
+      - type: volume
+        target: /tmp
+        tmpfs: {}
     command: [ "/bin/sh", "-c", ". run_nginx.sh" ]
     networks:
       - radix
@@ -57,6 +67,7 @@ services:
   auth:
     image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
     container_name: radix-auth_container
+    read_only: true
     environment:
       # See the `radixconfig.yaml` file for a description of these settings
       - OAUTH2_PROXY_CLIENT_ID=5687b237-eda3-4ec3-a2a1-023e85a2bd84

diff --git a/docker-compose-host.yml b/docker-compose-host.yml
@@ -4,16 +4,16 @@ services:
   web:
     image: node:20.9-alpine
     container_name: radix-web_container
-    stdin_open: true # because of https://github.com/facebook/create-react-app/issues/8688
+    read_only: true
     working_dir: /app
     command: [ "sh", "-c", "npm install --prefer-offline --no-audit && chown -R node:node node_modules && npm start" ]
     volumes:
       - type: bind
         source: .
         target: /app
-#      - type: volume
-#        source: node-modules
-#        target: /app/node_modules
+      - type: volume
+        target: /root
+        tmpfs: {}
     network_mode: host
     ports:
       - "3000:3000"
@@ -22,6 +22,7 @@ services:
   proxy:
     image: nginxinc/nginx-unprivileged:1.25.2-alpine
     container_name: radix-proxy_container
+    read_only: true
     environment:
       - DYNATRACE_API_TOKEN=${DYNATRACE_API_TOKEN}
     volumes:
@@ -31,6 +32,12 @@ services:
       - type: bind
         source: ./proxy/run_nginx.sh
         target: /run_nginx.sh
+      - type: volume
+        target: /etc/nginx/conf.d
+        tmpfs: {}
+      - type: volume
+        target: /tmp
+        tmpfs: {}
     command: [ "/bin/sh", "-c", ". run_nginx.sh" ]
     network_mode: host
     ports:
@@ -39,6 +46,7 @@ services:
   auth:
     image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
     container_name: radix-auth_container
+    read_only: true
     environment:
       # See the `radixconfig.yaml` file for a description of these settings
       - OAUTH2_PROXY_CLIENT_ID=5687b237-eda3-4ec3-a2a1-023e85a2bd84

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -4,7 +4,7 @@ services:
   web:
     image: node:20.9-alpine
     container_name: radix-web_container
-    stdin_open: true # because of https://github.com/facebook/create-react-app/issues/8688
+    read_only: true
     working_dir: /app
     command: [ "sh", "-c", "npm install --prefer-offline --no-audit && chown -R node:node node_modules && npm start" ]
     environment:
@@ -16,6 +16,9 @@ services:
       - type: volume
         source: node-modules
         target: /app/node_modules
+      - type: volume
+        target: /root
+        tmpfs: {}
     networks:
       - radix
     ports:
@@ -25,6 +28,7 @@ services:
   proxy:
     image: nginxinc/nginx-unprivileged:1.25.2-alpine
     container_name: radix-proxy_container
+    read_only: true
     environment:
       - DYNATRACE_API_TOKEN=${DYNATRACE_API_TOKEN}
     volumes:
@@ -34,6 +38,12 @@ services:
       - type: bind
         source: ./proxy/run_nginx.sh
         target: /run_nginx.sh
+      - type: volume
+        target: /etc/nginx/conf.d
+        tmpfs: {}
+      - type: volume
+        target: /tmp
+        tmpfs: {}
     command: [ "/bin/sh", "-c", ". run_nginx.sh" ]
     networks:
       - radix
@@ -43,6 +53,7 @@ services:
   auth:
     image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
     container_name: radix-auth_container
+    read_only: true
     environment:
       # See the `radixconfig.yaml` file for a description of these settings
       - OAUTH2_PROXY_CLIENT_ID=5687b237-eda3-4ec3-a2a1-023e85a2bd84

diff --git a/index.html b/index.html
@@ -63,6 +63,7 @@
     </style>
 
     <title>Radix Web Console</title>
+    <script type="text/javascript" src="/config/inject-env.js"></script>
   </head>
   <body>
     <noscript>
@@ -71,20 +72,5 @@
 
     <div id="root"></div>
     <script type="module" src="./src/index.ts"></script>
-    <script>
-      window.RADIX_API_ENVIRONMENT = "${RADIX_API_ENVIRONMENT}";
-      window.RADIX_CLUSTER_BASE = "${RADIX_DNS_ZONE}";
-      window.RADIX_CLUSTERNAME = "${RADIX_CLUSTERNAME}";
-      window.RADIX_CLUSTER_TYPE = "${RADIX_CLUSTER_TYPE}";
-      window.RADIX_ENVIRONMENT = "${RADIX_ENVIRONMENT}";
-      window.CLUSTER_EGRESS_IPS = "${CLUSTER_EGRESS_IPS}";
-      window.CLUSTER_INGRESS_IPS = "${CLUSTER_INGRESS_IPS}";
-      window.OAUTH2_CLIENT_ID = "${OAUTH2_CLIENT_ID}";
-      window.OAUTH2_AUTHORITY = "${OAUTH2_AUTHORITY}";
-      window.SERVICENOW_PROXY_SCOPES = "${SERVICENOW_PROXY_SCOPES}"
-      window.SERVICENOW_PROXY_BASEURL = "${SERVICENOW_PROXY_BASEURL}"
-      window.CMDB_CI_URL = "${CMDB_CI_URL}"
-      window.CLUSTER_OIDC_ISSUER_URL = "${CLUSTER_OIDC_ISSUER_URL}"
-    </script>
   </body>
 </html>
diff --git a/proxy/run_nginx.sh b/proxy/run_nginx.sh
@@ -15,8 +15,8 @@ envsubst '
   ${SERVICENOW_PROXY_SCOPES}
   ${SERVICENOW_PROXY_BASEURL}
   ${CLUSTER_OIDC_ISSUER_URL}
-  ' </app/index.html >/app/tmp.html
-mv /app/tmp.html /app/index.html
+  ' </app/config/inject-env.js >/app/tmp-inject-env.js
+mv /app/tmp-inject-env.js /app/config/inject-env.js
 
 # Substitute environment variables in the nginx.conf file using the values in the current container environment
 envsubst '

diff --git a/public/config/inject-env.js b/public/config/inject-env.js
@@ -0,0 +1,15 @@
+window.injectEnv = {
+  RADIX_API_ENVIRONMENT: '${RADIX_API_ENVIRONMENT}',
+  RADIX_CLUSTER_BASE: '${RADIX_CLUSTER_BASE}',
+  RADIX_CLUSTERNAME: '${RADIX_CLUSTERNAME}',
+  RADIX_CLUSTER_TYPE: '${RADIX_CLUSTER_TYPE}',
+  RADIX_ENVIRONMENT: '${RADIX_ENVIRONMENT}',
+  CLUSTER_EGRESS_IPS: '${CLUSTER_EGRESS_IPS}',
+  CLUSTER_INGRESS_IPS: '${CLUSTER_INGRESS_IPS}',
+  OAUTH2_CLIENT_ID: '${OAUTH2_CLIENT_ID}',
+  OAUTH2_AUTHORITY: '${OAUTH2_AUTHORITY}',
+  SERVICENOW_PROXY_SCOPES: '${SERVICENOW_PROXY_SCOPES}',
+  SERVICENOW_PROXY_BASEURL: '${SERVICENOW_PROXY_BASEURL}',
+  CMDB_CI_URL: '${CMDB_CI_URL}',
+  CLUSTER_OIDC_ISSUER_URL: '${CLUSTER_OIDC_ISSUER_URL}',
+};
diff --git a/radixconfig.yaml b/radixconfig.yaml
@@ -14,6 +14,20 @@ spec:
         from: release
   components:
     - name: web
+      readOnlyFileSystem: true
+      volumeMounts:
+        - name: tmp
+          path: /tmp
+          emptyDir:
+            sizeLimit: 1M
+        - name: nginxconfd
+          path: /etc/nginx/conf.d
+          emptyDir:
+            sizeLimit: 1M
+        - name: wwwconfig
+          path: /app/config
+          emptyDir:
+            sizeLimit: 1M
       src: "."
       ports:
         - name: http

diff --git a/src/utils/config/index.ts b/src/utils/config/index.ts
@@ -1,4 +1,4 @@
-import * as jsonConfig from '../../config.json';
+import jsonConfig from '../../config.json' assert { type: 'json' };
 
 function arrayTransformer(
   delimiter = ','
@@ -17,16 +17,21 @@ const transformers: Partial<
   SERVICENOW_PROXY_SCOPES: arrayTransformer(' '),
 };
 
+const injectEnvKey = 'injectEnv';
+
 export const configVariables: Readonly<typeof jsonConfig> = Object.freeze(
-  Object.keys(jsonConfig)
-    .filter((key) => key !== 'default')
-    .reduce<typeof jsonConfig>((config, key: keyof typeof jsonConfig) => {
+  Object.keys(jsonConfig).reduce<typeof jsonConfig>(
+    (config, key: keyof typeof jsonConfig) => {
       const value =
-        !window[key] || window[key].startsWith('${')
+        !window[injectEnvKey] ||
+        !window[injectEnvKey][key] ||
+        window[injectEnvKey][key].startsWith('${')
           ? jsonConfig[key]
-          : window[key];
+          : window[injectEnvKey][key];
 
       config[key] = transformers[key] ? transformers[key](value) : value;
       return config;
-    }, Object.create({}))
+    },
+    Object.create({})
+  )
 );