
Default deployment YAML doesn't work for non-privileged containers or HTTP-only #289

@tillig

Description


Describe the bug

The generated deployment YAML fairly well hardcodes ports 80 and 443 as the HTTP and HTTPS ports, respectively. Unfortunately, if your container doesn't run as root (which, from a security perspective, it shouldn't), this means the app won't start because it won't have permissions to ports under 1024.

In addition, if there aren't certificates configured, then telling the app to bind to an HTTPS port will also fail.

To Reproduce

Steps to reproduce the behavior:

  1. Create a Dockerfile where you're not privileged.
  2. Build the app using that Dockerfile.
  3. Deploy using the default YAML.

Here's an example .NET 6 Dockerfile with restricted permissions:

# Runtime-only base image; the published app is copied in below
FROM mcr.microsoft.com/dotnet/aspnet:6.0-alpine

# Create an unprivileged user whose home directory is the app directory
RUN addgroup appgroup && adduser -D -h /app -G appgroup appuser

WORKDIR /app
COPY . .
# Files stay root-owned; make the entrypoint executable and readable by appuser
RUN chmod 755 MyController
# Everything from here on, including the entrypoint, runs as appuser,
# which cannot bind ports below 1024
USER appuser
ENTRYPOINT ["/app/MyController"]

Expected behavior

The default ports should be set to something non-privileged, possibly 5000 and 5001 like in development. This would allow startup as either root or non-root.

Ideally the setup of the HTTPS port might also be tied to the _hasWebhooks logic in the generator, in the same way mounting the certificates is controlled that way.

Additional context

It may be that this could be addressed with documentation. I did have some challenges figuring out the right Kustomize incantations to get the environment updated. The actual spec for JSON strategic merge patch with all the $patch directives and stuff is surprisingly well hidden if you don't know what you're searching for.

install/kustomization.yaml:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
# all of the other generated stuff omitted, but include a patch...
patches:
  - path: deployment-patch.yaml
    # target selects which generated resource the strategic merge patch applies to
    target:
      group: apps
      version: v1
      kind: Deployment
      name: operator

deployment-patch.yaml:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: operator
spec:
  template:
    spec:
      containers:
        # matched against the generated container by name (the merge key for containers)
        - name: operator
          env:
            - name: ASPNETCORE_URLS
              value: http://localhost:5000
            # Kestrel endpoint configuration takes precedence over ASPNETCORE_URLS,
            # so the app listens on 0.0.0.0:5000 (Kestrel logs an "Overriding address(es)" warning)
            - name: KESTREL__ENDPOINTS__HTTP__URL
              value: http://0.0.0.0:5000
          ports:
            # $patch: replace drops the generated 80/443 entries instead of merging on containerPort
            - $patch: replace
            - containerPort: 5000
              name: http
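As an added example (not code from the issue or from the generator it reports against), the following script models the two things discussed above: what the `$patch: replace` strategic merge patch actually does to the generated ports list, and a lint pass that flags the failure modes the report describes, namely privileged ports in a non-root container, a Kestrel bind that the declared containerPorts do not expose, a loopback-only bind, and an HTTPS endpoint with nothing mounted that could hold a certificate. The default deployment is a constructed sample approximating the generated YAML (ports 80 and 443, no certificate mount, a hypothetical image name); the patch is the deployment-patch.yaml above expressed as the equivalent dict. The strategic merge implementation is deliberately simplified to the list directive and merge keys used here.

```python
"""Simplified strategic merge patch plus a lint pass for non-root port problems.
Manifests are plain dicts mirroring the YAML, so no YAML library is needed."""
import copy
from urllib.parse import urlsplit

# Merge keys for the keyed lists touched here, as defined in the Kubernetes API schema.
MERGE_KEYS = {"containers": "name", "env": "name", "ports": "containerPort", "volumeMounts": "name"}


def strategic_merge(base, patch, field=None):
    """Dicts merge recursively, keyed lists merge element-wise on their merge key, and a
    list element {"$patch": "replace"} discards the base list entirely. Unkeyed lists and
    scalars are replaced by the patch value."""
    if isinstance(patch, dict):
        base = base if isinstance(base, dict) else {}
        merged = dict(base)
        for key, value in patch.items():
            merged[key] = strategic_merge(base.get(key), value, key)
        return merged
    if isinstance(patch, list):
        base = base if isinstance(base, list) else []
        directives = [e for e in patch if isinstance(e, dict) and "$patch" in e]
        items = [copy.deepcopy(e) for e in patch if e not in directives]
        if any(d["$patch"] == "replace" for d in directives):
            return items
        merge_key = MERGE_KEYS.get(field)
        if merge_key is None:
            return items
        merged = [copy.deepcopy(e) for e in base]
        for item in items:
            for i, existing in enumerate(merged):
                if existing.get(merge_key) == item.get(merge_key):
                    merged[i] = strategic_merge(existing, item)
                    break
            else:
                merged.append(item)
        return merged
    return copy.deepcopy(patch)


def listen_urls(container):
    """URLs Kestrel will bind. Endpoints configured via Kestrel__Endpoints__*__Url take
    precedence over ASPNETCORE_URLS, which Kestrel then ignores with a warning."""
    env = {e["name"].upper(): e.get("value", "") for e in container.get("env", [])}
    kestrel = [v for k, v in env.items() if k.startswith("KESTREL__ENDPOINTS__") and k.endswith("__URL")]
    if kestrel:
        return kestrel
    return [u for u in env.get("ASPNETCORE_URLS", "").split(";") if u]


def lint_deployment(deployment, image_runs_as_root=False):
    """Return a list of findings. image_runs_as_root models the Dockerfile's USER, which the
    manifest cannot see; a securityContext that forces non-root overrides it."""
    findings = []
    pod = deployment["spec"]["template"]["spec"]
    for c in pod.get("containers", []):
        sc = {**pod.get("securityContext", {}), **c.get("securityContext", {})}
        non_root = (not image_runs_as_root or sc.get("runAsNonRoot") is True
                    or sc.get("runAsUser") not in (None, 0))
        declared = {p["containerPort"] for p in c.get("ports", [])}
        bound = set()
        for url in listen_urls(c):
            parts = urlsplit(url)
            port = parts.port or (443 if parts.scheme == "https" else 80)
            bound.add(port)
            if parts.hostname in ("localhost", "127.0.0.1"):
                findings.append(f"{c['name']}: {url} binds loopback only; unreachable from the pod network")
            if port not in declared:
                findings.append(f"{c['name']}: listens on {port} but containerPort {port} is not declared")
            # Heuristic: an HTTPS endpoint needs a certificate, and with no volumeMounts there is nowhere for one
            if parts.scheme == "https" and not c.get("volumeMounts"):
                findings.append(f"{c['name']}: HTTPS endpoint {url} but no volume is mounted for a certificate")
        if non_root:
            for port in sorted(declared | bound):
                if port < 1024:
                    findings.append(f"{c['name']}: port {port} is privileged (<1024); a non-root process "
                                    "cannot bind it without CAP_NET_BIND_SERVICE")
    return findings


# Constructed sample approximating the generated install YAML: HTTP on 80, HTTPS on 443, no cert mount.
DEFAULT_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "operator"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "operator",
        "image": "example/operator:1.0",  # hypothetical image name
        "env": [{"name": "ASPNETCORE_URLS", "value": "http://+:80;https://+:443"}],
        "ports": [{"containerPort": 80, "name": "http"}, {"containerPort": 443, "name": "https"}],
    }]}}},
}

# deployment-patch.yaml from the issue, as the equivalent dict.
PORT_PATCH = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "operator"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "operator",
        "env": [{"name": "ASPNETCORE_URLS", "value": "http://localhost:5000"},
                {"name": "KESTREL__ENDPOINTS__HTTP__URL", "value": "http://0.0.0.0:5000"}],
        "ports": [{"$patch": "replace"}, {"containerPort": 5000, "name": "http"}],
    }]}}},
}


def patched_deployment():
    return strategic_merge(DEFAULT_DEPLOYMENT, PORT_PATCH)


if __name__ == "__main__":
    for label, dep in (("default", DEFAULT_DEPLOYMENT), ("patched", patched_deployment())):
        print(label, "->", lint_deployment(dep) or ["OK"])
```

Running it reports three findings for the default manifest (the HTTPS endpoint with no certificate mount, then ports 80 and 443 as privileged) and none for the patched one. One caveat when applying the fix in a cluster rather than changing the image: the privileged-port limit is the `net.ipv4.ip_unprivileged_port_start` sysctl, which is namespaced and can be lowered per pod via `securityContext.sysctls` (it is on the Kubernetes safe sysctl list), so a non-root container can be allowed to bind 80/443 without changing the app; moving to 5000/5001 is still the simpler and more portable choice.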
