diff --git a/invoice-ninja/init.sh b/invoice-ninja/init.sh
deleted file mode 100644
index 324b74b..0000000
--- a/invoice-ninja/init.sh
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/sh
-
-set -e
-
-cp -r /var/www/app/. /app
-
-# The Invoice Ninja logo on PDF invoices is always loaded from upstream's
-# server, despite the APP_URL setting.
-sed -i \
-  -e 's@invoicing.co/images/new_logo.png@invoiceninja.pyrocufflink.blue/images/logo.png@' \
-  /app/app/Utils/HtmlEngine.php
-
-chown -R invoiceninja:invoiceninja /app
-
-if [ "$(stat -c %u /storage)" -ne "$(id -u invoiceninja)" ]; then
-  chown -R invoiceninja:invoiceninja /storage
-  chmod -R u=rwx,go= /storage
-fi
diff --git a/invoice-ninja/invoice-ninja.yaml b/invoice-ninja/invoice-ninja.yaml
index cfb02c9..58eb31d 100644
--- a/invoice-ninja/invoice-ninja.yaml
+++ b/invoice-ninja/invoice-ninja.yaml
@@ -54,33 +54,11 @@ spec:
 app.kubernetes.io/component: invoice-ninja app.kubernetes.io/part-of: invoice-ninja spec: - initContainers: - - name: init - image: &image docker.io/invoiceninja/invoiceninja:5.8.16 - command: - - /init.sh - securityContext: - capabilities: - drop: - - ALL - add: - - CHOWN - readOnlyRootFilesystem: true - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - volumeMounts: - - mountPath: /app - name: app - - mountPath: /init.sh - name: init - subPath: init.sh - - mountPath: /storage - name: data - subPath: storage containers: - name: invoice-ninja - image: *image + image: &image docker.io/invoiceninja/invoiceninja:5.8.16 + command: + - /start.sh env: &env - name: DB_HOST value: invoice-ninja-db 
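Review bot: `command: [/start.sh]` replaces the image's entrypoint with a script mounted from the `invoice-ninja-init` ConfigMap, and nothing at the container explains why; a reader of the manifest has to open start.sh to learn that it patches the PDF logo URL and then execs the image's own entrypoint. Add a comment above `command:` such as `# start.sh patches the PDF logo URL in HtmlEngine.php, then execs the image's normal entrypoint (docker-entrypoint supervisord)`. ConfigMap volumes are mounted 0644 unless the volume sets `defaultMode`, so `/start.sh` is only executable if the `init` volume (defined outside this hunk) sets it; the removed init container launched `/init.sh` the same way, so it very likely already does, but it is worth confirming before relying on it for the main container. The pod `spec` and its container list continue past this hunk.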
@@ -107,17 +85,19 @@ spec:
 <<: *probe periodSeconds: 1 failureThreshold: 60 - securityContext: - readOnlyRootFilesystem: true volumeMounts: &mounts - mountPath: /run/secrets/invoiceninja name: secrets readOnly: true + - mountPath: /start.sh + name: init + subPath: start.sh - mountPath: /tmp name: tmp subPath: tmp - - mountPath: /var/www/app name: app + - mountPath: /var/www/app/public + name: data + subPath: public - mountPath: /var/www/app/public/storage name: data subPath: storage-public
@@ -156,7 +136,7 @@ spec:
 - mountPath: /var/cache/nginx name: nginx-cache - mountPath: /var/www/app/public - name: app + name: data subPath: public readOnly: true - mountPath: /var/www/app/public/storage
@@ -192,6 +172,8 @@ spec:
 - invoice-ninja-db securityContext: runAsNonRoot: True + fsGroup: 1500 + fsGroupChangePolicy: OnRootMismatch seccompProfile: type: RuntimeDefault volumes:
diff --git a/invoice-ninja/kustomization.yaml b/invoice-ninja/kustomization.yaml
index 9dcbc68..5a2e538 100644
--- a/invoice-ninja/kustomization.yaml
+++ b/invoice-ninja/kustomization.yaml
@@ -20,6 +20,7 @@ configMapGenerator:
 - name: invoice-ninja-init files: - init.sh + - start.sh - name: invoice-ninja envs:
diff --git a/invoice-ninja/start.sh b/invoice-ninja/start.sh
new file mode 100644
index 0000000..b3bf904
--- /dev/null
+++ b/invoice-ninja/start.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+set -e
+
+# The Invoice Ninja logo on PDF invoices is always loaded from upstream's
+# server, despite the APP_URL setting.
+sed -i \
+  -e 's@invoicing.co/images/new_logo.png@invoiceninja.pyrocufflink.blue/images/logo.png@' \
+  /var/www/app/app/Utils/HtmlEngine.php
+
+exec /usr/local/bin/docker-entrypoint supervisord
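Review bot: Removing `securityContext.readOnlyRootFilesystem: true` from the invoice-ninja container is a hardening regression made only so that start.sh can `sed -i` HtmlEngine.php inside the image layer; the price is that the entire application tree, not just that one file, stays writable by the PHP process for the life of the pod. The edit can be kept off the container's root filesystem by having a non-root init container (no added capabilities) write the patched copy of `app/Utils/HtmlEngine.php` into an emptyDir and mounting that single file over the original with `subPath`, or by applying the substitution at image build time, after which the read-only root can stay. Separately, `/var/www/app/public` is now the `data` PVC's `public` subPath mounted read-write in this container, whereas before it came from the image copy in the `app` emptyDir; nothing in this diff populates the PVC subPath with the image's public tree, so unless the upstream entrypoint does so the mount shadows the bundled index.php and assets — worth confirming on first start. The volumeMounts list and the container spec continue outside the hunk.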
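Review bot: `fsGroup: 1500` is an unexplained number; the diff does not show that 1500 is the group of the `invoiceninja` user in the image, and the deleted init container resolved the user by name (`id -u invoiceninja`) rather than hard-coding an ID. Add a comment, e.g. `fsGroup: 1500  # GID of the invoiceninja user in docker.io/invoiceninja/invoiceninja`, and verify it against the pinned image. Note also that the removed `chmod -R u=rwx,go= /storage` is not reproduced: fsGroup makes the volume group-readable and -writable by 1500 and sets setgid on directories, and because fsGroup is pod-scoped every container, the nginx sidecar included, gets 1500 as a supplemental group, so any `data` mount in nginx that is not `readOnly: true` becomes writable by the web server. `OnRootMismatch` only adjusts ownership when the volume root differs, so an existing volume with files owned per the old init script is left as-is; presumably intended, but a one-time fix-up may be needed when migrating.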
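Review bot: The `invoice-ninja-init` generator still lists `- init.sh` (the context line just above the added `- start.sh`), but this same commit deletes `invoice-ninja/init.sh`, so `kustomize build` will fail with a missing-file error on this generator until that entry is dropped. Remove the `- init.sh` line from `files:`; with only `start.sh` left, a short comment on the generator noting that it now carries the main container's entrypoint wrapper rather than an init script would also help the next reader. The `configMapGenerator` list continues outside the hunk.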
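Review bot: `sed -i` exits 0 whether or not the pattern matched, so if a future image changes the logo URL in `HtmlEngine.php` the script silently leaves the upstream URL in place — PDFs would again load the logo from `invoicing.co`, which is exactly the external fetch this patch exists to stop — and `set -e` will not catch it. Check the result before handing off, e.g. `grep -qF 'invoiceninja.pyrocufflink.blue/images/logo.png' /var/www/app/app/Utils/HtmlEngine.php || { echo 'start.sh: logo URL patch did not apply' >&2; exit 1; }` placed before the `exec`. The in-place edit also presumes the image's runtime user can write `/var/www/app/app/Utils/` (the deleted init container did this as root with CAP_CHOWN after copying the tree); if that file is root-owned in the image, `sed -i` fails and the container never starts — confirm against the image. Finally, the unescaped dots in the pattern are regex wildcards; `s@invoicing\.co/images/new_logo\.png@...@` is the exact match intended.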