[
https://issues.apache.org/jira/browse/FINERACT-830?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17107920#comment-17107920
]
Petri Tuomola commented on FINERACT-830:
----------------------------------------
Great stuff. Just for reference, the changes I made are:
* kubectl create secret generic fineract-tenants-db-secret
--from-literal=username=root --from-literal=password=$(head /dev/urandom |
env LC_CTYPE=C tr -dc A-Za-z0-9 | head -c 16) to get the password generation
to work on macOS
* Changed the image label to be the same across docker-compose.yml and
fineract-server-deployment.yml
* Added persistentVolumeReclaimPolicy: Recycle to the PersistentVolume spec
in fineractmysql-deployment.yml. This way the volume gets wiped after each
shutdown, allowing the new password to be used for MySQL. Of course the data
also gets wiped, so a better option would probably be to keep the generated
secret and reuse it from one startup to the next.
> Use distroless base image instead of bitnami/tomcat in container
> ----------------------------------------------------------------
>
> Key: FINERACT-830
> URL: https://issues.apache.org/jira/browse/FINERACT-830
> Project: Apache Fineract
> Issue Type: Improvement
> Reporter: Michael Vorburger
> Priority: Major
> Labels: kubernetes, technical
>
> Rohit Verma on the mailing list raised using a "more hardened base image like
> distroless".
> I'll admit that I'm personally not a huge fan of "FROM bitnami/tomcat:7.0.94"
> myself! Any contributions you'd like to make on this front would be very very
> welcome, from my side.
> https://github.com/GoogleContainerTools/distroless is a great alternative.
> (BTW
> https://access.redhat.com/containers/?tab=images#/registry.access.redhat.com/redhat-openjdk-18/openjdk18-openshift
> is another great choice, if you're into something supported.)
> Your mission, should you choose to accept it and work on this issue, would be
> to raise a PR modifying our Dockerfile, but then still have the related test
> at the end of .travis.yml pass - everything (container, Docker Compose,
> Kubernetes) should, obviously, still "work as is", even if you go for
> changing the base image. Makes sense and sounds fair?
>
> PS: What we really should do at some point is move away from 1990s style
> WAR-in-Tomcat, and make java -jar fineract.war work instead (and then use
> that in the container)... people working on this could also contribute,
> before or after, to FINERACT-730. (On a related front, there's also
> FINERACT-764, but both are probably independent enough from each other to be
> tackled separately.)
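The comment's closing suggestion, keeping the generated secret and reusing it from one startup to the next, could look like the sketch below. It is an added example, not part of the original comment or the Fineract repository: the function names `gen_password` and `ensure_db_secret` are assumptions, and it sets `LC_ALL=C` where the comment sets `LC_CTYPE=C`.

```shell
#!/bin/sh
# Added example (not Fineract's own script): create the MySQL credentials
# secret once and leave it alone on later startups, so the password MySQL
# was initialised with keeps matching and the volume does not need wiping.
# gen_password and ensure_db_secret are hypothetical helper names.

SECRET_NAME="fineract-tenants-db-secret"   # secret name used in the comment

# Print 16 alphanumeric characters taken from /dev/urandom.
# LC_ALL=C makes tr treat its input as raw bytes; without a C locale,
# macOS tr rejects random bytes as an illegal byte sequence. LC_ALL also
# wins over any UTF-8 LC_ALL already exported in the caller's environment.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 16
}

# Create the secret only when it is absent.
# Prints "exists" or "created"; returns non-zero on failure.
ensure_db_secret() {
    if kubectl get secret "$SECRET_NAME" >/dev/null 2>&1; then
        echo "exists"
        return 0
    fi

    pw=$(gen_password)
    # Refuse to store a short or empty password if generation went wrong.
    if [ "${#pw}" -ne 16 ]; then
        echo "password generation failed" >&2
        return 1
    fi

    kubectl create secret generic "$SECRET_NAME" \
        --from-literal=username=root \
        --from-literal=password="$pw" >/dev/null || return 1
    unset pw
    echo "created"
}

# Usage, before applying the deployment manifests:
#   ensure_db_secret
```
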