fix(minio): improve security and compatibility of minio image with openshift (#25)

ixxeL2097 · Frederic Spiers · web-flow · commit 93d4ce76b390 · 2025-10-27T10:35:52.000+01:00
Co-authored-by: Frederic Spiers &lt;frederic.spiers@gitguardian.com&gt;
diff --git a/images/minio/prod.yaml b/images/minio/prod.yaml
@@ -1,29 +1,60 @@
-include: images/apko.yaml
-
 contents:
+  keyring:
+    - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
+  repositories:
+    - https://packages.wolfi.dev/os
   packages:
     - coreutils
     - busybox
     - curl
 
+accounts:
+  groups:
+    - groupname: nonroot
+      gid: 65532
+  users:
+    - username: nonroot
+      uid: 65532
+      gid: 65532
+  run-as: nonroot
+
 paths:
-  - path: /mnt/data
+  - path: /home/nonroot
     type: directory
-    permissions: 0o777
+    permissions: 0o775
     uid: 65532
     gid: 65532
+  - path: /mnt
+    type: directory
+    permissions: 0o770
+    uid: 65532
+    gid: 0
+  - path: /mnt/data
+    type: directory
+    permissions: 0o770
+    uid: 65532
+    gid: 0
   - path: /.mc
     type: directory
-    permissions: 0o777
+    permissions: 0o770
     uid: 65532
-    gid: 65532
+    gid: 0
+
+work-dir: /home/nonroot
 
 entrypoint:
   command: /usr/bin/minio
 
 cmd: server /mnt/data --console-address :9090 --address :9000
 
+archs:
+  - amd64
+  - arm64
+
 annotations:
+  org.opencontainers.image.licenses: 'MIT'
+  org.opencontainers.image.vendor: 'GitGuardian'
+  org.opencontainers.image.authors: 'GitGuardian SRE Team <sre@gitguardian.com>'
   org.opencontainers.image.title: 'MinIO'
   org.opencontainers.image.description: 'MinIO image based on Wolfi OS'
   org.opencontainers.image.source: 'https://github.com/GitGuardian/wolfi/tree/main/images/minio'
