chore: run as non-root

Dockerfile

@@ -13,19 +13,18 @@ COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 # Used for ftl-runner
 FROM ubuntu:24.04@sha256:72297848456d5d37d1262630108ab308d3e9ec7ed1c3286a32fe09856619a782 AS ubuntu-runtime
 RUN apt-get update && apt-get install -y ca-certificates
-RUN mkdir -p /root/deployments
 
 # Final stage selection
 FROM ${RUNTIME}
 ARG EXTRA_FILES
 ARG SERVICE
 
-WORKDIR /root/
+WORKDIR /home/ubuntu/
 COPY . .
 
 
 # Common environment variables
-ENV PATH="$PATH:/root"
+ENV PATH="$PATH:/home/ubuntu"
 
 # Service-specific configurations
 EXPOSE 8891
@@ -42,7 +41,7 @@ ENV FTL_DSN="postgres://host.docker.internal/ftl?sslmode=disable&user=postgres&p
 ENV FTL_CONTROLLER_CONSOLE_URL="*"
 
 # Provisioner-specific configurations
-ENV FTL_PROVISIONER_PLUGIN_CONFIG_FILE="/root/ftl-provisioner-config.toml"
+ENV FTL_PROVISIONER_PLUGIN_CONFIG_FILE="/home/ubuntu/ftl-provisioner-config.toml"
 
 # Default command
-CMD ["/root/svc"]
+CMD ["/home/ubuntu/svc"]

charts/ftl/templates/console-deployment.yaml

@@ -47,6 +47,8 @@ spec:
             {{- if .Values.console.env }}
             {{- toYaml .Values.console.env | nindent 12 }}
             {{- end }}
+            - name: FTL_BIND
+              value: "http://0.0.0.0:8892"
             - name: FTL_TIMELINE_ENDPOINT
               value: "http://ftl-timeline:8892"
             - name: FTL_ENDPOINT

charts/ftl/templates/http-ingress-deployment.yaml

@@ -47,13 +47,17 @@ spec:
             {{- if .Values.ingress.env }}
             {{- toYaml .Values.ingress.env | nindent 12 }}
             {{- end }}
+            - name: FTL_BIND
+              value: "http://0.0.0.0:8892"
             - name: FTL_TIMELINE_ENDPOINT
               value: "http://{{ .Values.timeline.service.name }}:{{ .Values.timeline.service.port }}"
+            - name: FTL_SCHEMA_ENDPOINT
+              value: "http://ftl-schema:8892"
 
           ports:
             {{- range .Values.ingress.ports }}
             - name: {{ .name }}
-              containerPort: {{ .containerPort }}
+              containerPort: 8892
               protocol: {{ .protocol | default "TCP" }}
             {{- end }}
           {{- include "ftl.healthProbes" .Values.ingress | nindent 10 }}

charts/ftl/templates/http-ingress-services.yaml

@@ -15,7 +15,7 @@ spec:
     - name: {{ .name }}
       port: {{ .port }}
       protocol: {{ .protocol | default "TCP" }}
-      targetPort: {{ .targetPort }}
+      targetPort: 8892
     {{- end }}
   selector:
     {{- include "ftl-http-ingress.selectorLabels" . | nindent 4 }}

charts/ftl/templates/provisioner-deployment.yaml

@@ -40,14 +40,22 @@ spec:
                 name: {{ include "ftl.fullname" . }}-secrets
           {{- end }}
           env:
+            - name: FTL_WORKING_DIR
+              value: "/working"
+            - name: FTL_ENDPOINT
+              value: "http://ftl-controller:{{ .Values.controller.port }}"
             {{- if .Values.provisioner.env }}
             {{- toYaml .Values.provisioner.env | nindent 12 }}
             {{- end }}
           volumeMounts:
             - mountPath: /config
               name: config
+            - mountPath: /working
+              name: working
       volumes:
         - name: config
           configMap:
             name: {{ .Values.provisioner.configMap }}
+        - name: working
+          emptyDir: {}
       {{- include "ftl.commonPodConfig" .Values.provisioner | nindent 6 }}

charts/ftl/templates/runner.yaml

@@ -105,6 +105,12 @@ data:
                 successThreshold: 1
                 failureThreshold: 15
                 {{- end }}
+              volumeMounts:
+                - mountPath: /home/ubuntu/.cache
+                  name: cache
+          volumes:
+            - name: cache
+              emptyDir: {}
           {{- if .Values.runner.nodeSelector }}
           nodeSelector:
             {{- toYaml .Values.runner.nodeSelector | nindent 12 }}

charts/ftl/values.yaml

@@ -92,8 +92,6 @@ provisioner:
           fieldPath: status.podIP
     - name: FTL_BIND
       value: "http://$(MY_POD_IP):8893"
-    - name: FTL_ENDPOINT
-      value: "http://ftl-controller:8892"
     - name: FTL_SCHEMA_ENDPOINT
       value: "http://ftl-schema:8892"
     - name: LOG_LEVEL
@@ -168,8 +166,6 @@ cron:
   podAnnotations: null
 
   env:
-    - name: FTL_ENDPOINT
-      value: "http://ftl-controller:8892"
     - name: LOG_LEVEL
       value: "debug"
     - name: LOG_JSON
@@ -209,10 +205,6 @@ ingress:
       valueFrom:
         fieldRef:
           fieldPath: status.podIP
-    - name: FTL_ENDPOINT
-      value: "http://ftl-controller:8892"
-    - name: FTL_BIND
-      value: "http://$(MY_POD_IP):8891"
     - name: FTL_INGRESS_ALLOW_ORIGIN
       value: "*"
     - name: LOG_LEVEL
@@ -381,10 +373,6 @@ console:
       valueFrom:
         fieldRef:
           fieldPath: status.podIP
-    - name: FTL_ENDPOINT
-      value: "http://ftl-controller:8892"
-    - name: FTL_BIND
-      value: "http://$(MY_POD_IP):8892"
     - name: HOST_IP
       valueFrom:
         fieldRef:

deployment/Justfile

@@ -23,7 +23,7 @@ rm: teardown
 # Deploy all components after building images and setting up Istio
 full-deploy: build-all-images setup-istio-cluster
   #!/bin/bash
-  kubectl rollout restart deployment ftl-schema || true # if this exists already restart it to get the latest image
+  kubectl rollout restart replicaset ftl-schema || true # if this exists already restart it to get the latest image
   kubectl rollout restart deployment ftl-controller || true # if this exists already restart it to get the latest image
   kubectl rollout restart deployment ftl-provisioner || true # if this exists already restart it to get the latest image
   kubectl rollout restart deployment ftl-cron || true # if this exists already restart it to get the latest image
@@ -36,7 +36,9 @@ full-deploy: build-all-images setup-istio-cluster
 # Wait for core Kubernetes components to be ready
 wait-for-kube:
   #!/bin/bash
-  kubectl wait --for=condition=available deployment/ftl-schema --timeout=5m
+  kubectl wait --for=condition=ready pods/ftl-schema-1 --timeout=5m
+  kubectl wait --for=condition=ready pods/ftl-schema-2 --timeout=5m
+  kubectl wait --for=condition=ready pods/ftl-schema-3 --timeout=5m
   kubectl wait --for=condition=available deployment/ftl-timeline --timeout=5m
   kubectl wait --for=condition=available deployment/ftl-console --timeout=5m
   kubectl wait --for=condition=available deployment/ftl-controller --timeout=5m