Refactor Dockerfile and Helm chart to enhance security and user permissions

- Updated Dockerfile to run as non-root user 'nginx' and adjusted Nginx configuration for improved security.
- Added pod security context in values.yaml to align with the non-root user setup.
- Refined deployment.yaml to utilize the new pod security context for better compliance with Kubernetes security standards.

talks-slides-dist/templates/deployment.yaml

@@ -24,15 +24,14 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       securityContext:
-        seccompProfile:
-          type: RuntimeDefault
+        {{- toYaml .Values.slides.podSecurityContext | nindent 8 }}
       containers:
         - name: nginx
           image: "{{ .Values.slides.image.repository }}:{{ .Values.slides.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.slides.image.pullPolicy }}
           securityContext:
             allowPrivilegeEscalation: false
-            # Port 8080 dans le conteneur : pas besoin de NET_BIND_SERVICE (ports privilégiés).
+            # Image : USER nginx + master non-root → pas de SETUID/SETGID ; port 8080 → pas de NET_BIND_SERVICE.
             capabilities:
               drop: ["ALL"]
             readOnlyRootFilesystem: false

talks-slides-dist/values.yaml

@@ -17,6 +17,14 @@ slides:
   # Port d’écoute dans le conteneur (doit correspondre à server/nginx/default.conf, ex. 8080).
   containerPort: 8080
 
+  # Aligné sur l’utilisateur nginx de l’image (UID/GID 101). L’image utilise USER nginx.
+  podSecurityContext:
+    runAsUser: 101
+    runAsGroup: 101
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
+
   service:
     type: ClusterIP
     # Port du Service (Ingress pointe ici) ; le trafic est envoyé vers containerPort sur les pods.