Fix sonarlint vulnerabilities (initial) (janus-idp#185)

* fix sonarlint issues (initial)

* increase limits

* Update config/manager/manager.yaml

---------

Co-authored-by: Armel Soro <armel@rm3l.org>

.rhdh/docker/Dockerfile

@@ -13,7 +13,7 @@
 # limitations under the License.
 
 #@follow_tag(registry.redhat.io/rhel9/go-toolset:latest)
-FROM registry.access.redhat.com/ubi9/go-toolset:1.20.10-6 as builder
+FROM registry.access.redhat.com/ubi9/go-toolset:1.20.10-6 AS builder
 # hadolint ignore=DL3002
 USER 0
 ENV GOPATH=/go/

config/manager/default-config/db-statefulset.yaml

@@ -15,11 +15,13 @@ spec:
         janus-idp.io/app: backstage-psql-cr1 # placeholder for 'backstage-psql-<cr-name>'
       name: backstage-db-cr1 # placeholder for 'backstage-psql-<cr-name>'
     spec:
-#      securityContext:
-#        runAsGroup: 26
-      persistentVolumeClaimRetentionPolicy:
-        whenDeleted: Retain
-        whenScaled: Retain
+      automountServiceAccountToken: false
+      ## https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/
+      ## The optional .spec.persistentVolumeClaimRetentionPolicy field controls if and how PVCs are deleted during the lifecycle of a StatefulSet.
+      ## You must enable the StatefulSetAutoDeletePVC feature gate on the API server and the controller manager to use this field.
+#      persistentVolumeClaimRetentionPolicy:
+#        whenDeleted: Retain
+#        whenScaled: Retain
       containers:
         - env:
             - name: POSTGRESQL_PORT_NUMBER
@@ -28,11 +30,12 @@ spec:
               value: /var/lib/pgsql/data
             - name: PGDATA
               value: /var/lib/pgsql/data/userdata
-          image: quay.io/fedora/postgresql-15:latest # will be replaced with the actual image
+          envFrom:
+            - secretRef:
+                name: <POSTGRESQL_SECRET>  # will be replaced with 'backstage-psql-secrets-<cr-name>'
+          image: <RELATED_IMAGE_postgresql> # will be replaced with the actual image
           imagePullPolicy: IfNotPresent
           securityContext:
-            runAsUser: 26
-            runAsGroup: 0
             runAsNonRoot: true
             allowPrivilegeEscalation: false
             seccompProfile:
@@ -74,13 +77,17 @@ spec:
               cpu: 250m
               memory: 256Mi
             limits:
+              cpu: 250m
               memory: 1024Mi
+              ephemeral-storage: 20Mi
           volumeMounts:
             - mountPath: /dev/shm
               name: dshm
             - mountPath: /var/lib/pgsql/data
               name: data
       restartPolicy: Always
+      securityContext: {}
+      serviceAccount: default
       serviceAccountName: default
       volumes:
         - emptyDir:
@@ -100,4 +107,4 @@ spec:
           - ReadWriteOnce
         resources:
           requests:
-            storage: 1Gi
+            storage: 1Gi

config/manager/default-config/deployment.yaml

@@ -12,11 +12,7 @@ spec:
       labels:
         janus-idp.io/app:  # placeholder for 'backstage-<cr-name>'
     spec:
-      #Error: EACCES: permission denied, open '/dynamic-plugins-root/backstage-plugin-scaffolder-backend-module-github-dynamic-0.2.2.tgz'
-#      securityContext:
-#        fsGroup: 1001
-#        runAsUser: 1001
-#        runAsGroup: 1001
+      automountServiceAccountToken: false
       volumes:
         - ephemeral:
             volumeClaimTemplate:
@@ -32,18 +28,17 @@ spec:
             defaultMode: 420
             optional: true
             secretName: dynamic-plugins-npmrc
+
       initContainers:
-        - name: install-dynamic-plugins
-          command:
+        - command:
             - ./install-dynamic-plugins.sh
             - /dynamic-plugins-root
-          image: quay.io/janus-idp/backstage-showcase:latest # will be replaced with the actual image quay.io/janus-idp/backstage-showcase:next
-          imagePullPolicy: IfNotPresent
-          securityContext:
-            runAsUser: 0
           env:
             - name: NPM_CONFIG_USERCONFIG
               value: /opt/app-root/src/.npmrc.dynamic-plugins
+          image: <RELATED_IMAGE_backstage> # will be replaced with the actual image quay.io/janus-idp/backstage-showcase:next
+          imagePullPolicy: IfNotPresent
+          name: install-dynamic-plugins
           volumeMounts:
             - mountPath: /dynamic-plugins-root
               name: dynamic-plugins-root
@@ -52,18 +47,18 @@ spec:
               readOnly: true
               subPath: .npmrc
           workingDir: /opt/app-root/src
+          resources:
+            limits:
+              cpu: 1000m
+              memory: 2.5Gi
+              ephemeral-storage: 5Gi
       containers:
         - name: backstage-backend
-          image: quay.io/janus-idp/backstage-showcase:latest # will be replaced with the actual image quay.io/janus-idp/backstage-showcase:next
+          image: <RELATED_IMAGE_backstage> # will be replaced with the actual image quay.io/janus-idp/backstage-showcase:next
           imagePullPolicy: IfNotPresent
           args:
             - "--config"
             - "dynamic-plugins-root/app-config.dynamic-plugins.yaml"
-#          securityContext:
-#            runAsUser: 1001
-#            runAsGroup: 0
-#            runAsNonRoot: true
-#            allowPrivilegeEscalation: false
           readinessProbe:
             failureThreshold: 3
             httpGet:
@@ -90,6 +85,16 @@ spec:
           env:
             - name: APP_CONFIG_backend_listen_port
               value: "7007"
+          envFrom:
+            - secretRef:
+                name: <POSTGRESQL_SECRET>  # will be replaced with 'backstage-psql-secrets-<cr-name>'
+          #            - secretRef:
+          #                name: backstage-secrets
           volumeMounts:
             - mountPath: /opt/app-root/src/dynamic-plugins-root
-              name: dynamic-plugins-root
+              name: dynamic-plugins-root
+          resources:
+            limits:
+              cpu: 1000m
+              memory: 2.5Gi
+              ephemeral-storage: 5Gi

config/manager/manager.yaml

@@ -36,6 +36,8 @@ spec:
       labels:
         control-plane: controller-manager
     spec:
+      # Required because the operator does not work without a Service Account Token
+      automountServiceAccountToken: true # NOSONAR
       # TODO(user): Uncomment the following code to configure the nodeAffinity expression
       # according to the platforms which are supported by your solution. 
       # It is considered best practice to support multiple architectures. You can
@@ -100,6 +102,7 @@ spec:
           limits:
             cpu: 500m
             memory: 128Mi
+            ephemeral-storage: 20Mi
           requests:
             cpu: 10m
             memory: 64Mi

docker/Dockerfile

@@ -13,7 +13,7 @@
 # limitations under the License.
 
 #@follow_tag(registry.redhat.io/rhel9/go-toolset:latest)
-FROM registry.access.redhat.com/ubi9/go-toolset:1.20.10-6 as builder
+FROM registry.access.redhat.com/ubi9/go-toolset:1.20.10-6 AS builder
 # hadolint ignore=DL3002
 USER 0
 ENV GOPATH=/go/