fix: adding nonRootUser initialization to dockerfiles (#506)

SequeI · web-flow · commit c39b1bacd506 · 2025-10-17T16:02:09.000+01:00
## Summary by Sourcery

Enhancements:
- Remove `USER root` statements from Dockerfiles of backfill-redis,
rekor-cli, and rekor-server.

---------

Signed-off-by: SequeI &lt;asiek@redhat.com&gt;
diff --git a/.tekton/backfill-redis-pull-request.yaml b/.tekton/backfill-redis-pull-request.yaml
@@ -61,7 +61,7 @@ spec:
     stepSpecs:
     - computeResources:
         limits:
-          memory: 3Gi
+          memory: 5Gi
       name: run-tests
   taskRunTemplate:
     serviceAccountName: build-pipeline-backfill-redis
diff --git a/.tekton/backfill-redis-push.yaml b/.tekton/backfill-redis-push.yaml
@@ -59,7 +59,7 @@ spec:
     stepSpecs:
     - computeResources:
         limits:
-          memory: 3Gi
+          memory: 5Gi
       name: run-tests
   taskRunTemplate:
     serviceAccountName: build-pipeline-backfill-redis
diff --git a/.tekton/rekor-cli-pull-request.yaml b/.tekton/rekor-cli-pull-request.yaml
@@ -61,7 +61,7 @@ spec:
     stepSpecs:
     - computeResources:
         limits:
-          memory: 3Gi
+          memory: 5Gi
       name: run-tests
   taskRunTemplate:
     serviceAccountName: build-pipeline-rekor-cli
diff --git a/.tekton/rekor-cli-push.yaml b/.tekton/rekor-cli-push.yaml
@@ -58,7 +58,7 @@ spec:
     stepSpecs:
     - computeResources:
         limits:
-          memory: 3Gi
+          memory: 5Gi
       name: run-tests
   taskRunTemplate:
     serviceAccountName: build-pipeline-rekor-cli
diff --git a/.tekton/rekor-server-pull-request.yaml b/.tekton/rekor-server-pull-request.yaml
@@ -61,7 +61,7 @@ spec:
     stepSpecs:
     - computeResources:
         limits:
-          memory: 3Gi
+          memory: 5Gi
       name: run-tests
   taskRunTemplate:
     serviceAccountName: build-pipeline-rekor-server
diff --git a/.tekton/rekor-server-push.yaml b/.tekton/rekor-server-push.yaml
@@ -59,7 +59,7 @@ spec:
     stepSpecs:
     - computeResources:
         limits:
-          memory: 3Gi
+          memory: 5Gi
       name: run-tests
   taskRunTemplate:
     serviceAccountName: build-pipeline-rekor-server
diff --git a/Dockerfile.backfill-redis.rh b/Dockerfile.backfill-redis.rh
@@ -20,6 +20,7 @@ RUN go build -mod=readonly -trimpath -ldflags "$(SERVER_LDFLAGS)" -o backfill-re
 # Install stage
 FROM registry.redhat.io/rhel9/redis-6@sha256:0962d18bb5292c0e524354f319b63287c2298a4a2fd34556c68fa285df381427
 COPY --from=build-env /opt/app-root/src/backfill-redis /usr/local/bin/backfill-redis
+COPY LICENSE /licenses/license.txt
 WORKDIR /opt/app-root/src/home
 
 LABEL description="Backfillredis is a job that will go through the TLog and make sure that missing entries are added to the search index."
@@ -30,5 +31,7 @@ LABEL summary="Provides the backfill-redis binary for a rekor server"
 LABEL com.redhat.component="backfill-redis"
 LABEL name="rhtas/rekor-backfill-redis-rhel9"
 
+USER 65532:65532
+
 #ENTRYPOINT
 ENTRYPOINT [ "backfill-redis" ]
diff --git a/Dockerfile.rekor-cli.rh b/Dockerfile.rekor-cli.rh
@@ -48,6 +48,7 @@ COPY --from=build-env /opt/app-root/src/rekor_cli_linux_arm64.gz /usr/local/bin/
 COPY --from=build-env /opt/app-root/src/rekor_cli_linux_ppc64le.gz /usr/local/bin/rekor_cli_linux_ppc64le.gz
 COPY --from=build-env /opt/app-root/src/rekor_cli_linux_s390x.gz /usr/local/bin/rekor_cli_linux_s390x.gz
 COPY --from=build-env /opt/app-root/src/rekor_cli_windows_amd64.exe.gz /usr/local/bin/rekor_cli_windows_amd64.exe.gz
+COPY LICENSE /licenses/license.txt
 WORKDIR /opt/app-root/src/home
 
-
+USER 65532:65532
diff --git a/Dockerfile.rekor-server.rh b/Dockerfile.rekor-server.rh
@@ -73,6 +73,9 @@ LABEL name="rhtas/rekor-server-rhel9"
 
 # Retrieve the binary from the previous stage
 COPY --from=build-env /opt/app-root/src/rekor-server /usr/local/bin/rekor-server
+COPY LICENSE /licenses/license.txt
+
+USER 65532:65532
 
 # Set the binary as the entrypoint of the container
 ENTRYPOINT ["rekor-server"]
