fix: make Docker images backward compatible with runAsUser: 1000 #8103

Open: buger wants to merge 1 commit into release-5.12 from fix/dockerfile-chown-compat-release-5.12

@buger (Member) commented Apr 20, 2026

Summary

  • Remove --chown=65532:65532 from non-FIPS Dockerfile builds to restore backward compatibility with helm charts using runAsUser: 1000
  • Files are made world-readable via chmod -R a+rX
  • FIPS/DHI builds still get proper 65532 ownership via NONROOT_CHOWN build arg

Test plan

  • Gateway starts with runAsUser: 1000 (old helm default)
  • Gateway starts with runAsUser: 65532
  • FIPS image still has proper nonroot ownership

🤖 Generated with Claude Code

- Remove --chown=65532:65532 from COPY for non-FIPS builds
- Add chmod -R a+rX so files are world-readable regardless of uid
- FIPS/DHI builds pass NONROOT_CHOWN=true for proper nonroot ownership

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@buger requested a review from a team as a code owner April 20, 2026 16:49
@github-actions (Contributor) commented

🚨 Jira Linter Failed

Commit: b696949
Failed at: 2026-04-20 16:50:12 UTC

The Jira linter failed to validate your PR. Please check the error details below:

Error details:
failed to validate branch and PR title rules: branch name 'fix/dockerfile-chown-compat-release-5.12' must contain a valid Jira ticket ID (e.g., ABC-123)

Next Steps

  • Ensure your branch name contains a valid Jira ticket ID (e.g., ABC-123)
  • Verify your PR title matches the branch's Jira ticket ID
  • Check that the Jira ticket exists and is accessible

This comment will be automatically deleted once the linter passes.

@probelabs bot (Contributor) commented Apr 20, 2026

This pull request adjusts the Docker image build process to restore backward compatibility for deployments using runAsUser: 1000, which was a common default in older Helm charts. The change makes file ownership more flexible for standard builds while retaining stricter ownership for FIPS-compliant images.

Files Changed Analysis

  • ci/Dockerfile.distroless: The --chown=65532:65532 flag has been removed from the final COPY instruction. Instead, a conditional chown command is added to the first build stage, controlled by the NONROOT_CHOWN build argument. All files in /opt/tyk-gateway/ are also made world-readable and traversable (chmod -R a+rX) to support different run-time users.
  • .github/workflows/release.yml: The FIPS build steps in the release workflow are updated to set NONROOT_CHOWN=true, ensuring that FIPS images continue to have their files owned by user 65532.

Architecture & Impact Assessment

  • Accomplishment: The PR decouples file ownership from the image build, allowing the final image to be run by different user IDs. This fixes a breaking change for users who relied on running the container with runAsUser: 1000.
  • Key Technical Changes: The core change is the introduction of a conditional chown command in the Dockerfile, triggered by the NONROOT_CHOWN build argument. This allows the same Dockerfile to produce two variants of the image: a standard one with flexible permissions and a FIPS-compliant one with strict non-root ownership.
  • Affected Components: This change primarily affects the Docker image build pipeline and the runtime environment of the Tyk Gateway container. Users deploying Tyk via Helm or other orchestration tools will be directly impacted, as it restores compatibility with their existing security contexts.
graph TD
    subgraph Docker Build Process
        A[Start Build] --> B{Is it a FIPS build?};
        B -- Yes --> C[Set NONROOT_CHOWN=true];
        B -- No --> D[Use default NONROOT_CHOWN=false];
        C & D --> E[Build Stage 1: Install .deb];
        E --> F["Make files world-readable (chmod a+rX)"];
        F --> G{NONROOT_CHOWN is true?};
        G -- Yes --> H["Change ownership to 65532 (chown)"];
        G -- No --> I["Keep default (root) ownership"];
        H & I --> J[Build Stage 2: Final Image];
        J --> K[COPY files from Stage 1];
    end

    subgraph Runtime
        K --> L[Standard Image: Compatible with runAsUser 1000 & 65532];
        K --> M[FIPS Image: Enforces runAsUser 65532];
    end

Scope Discovery & Context Expansion

The changes are narrowly focused on the Docker build configuration and the CI workflow that triggers it. The impact, however, is external, affecting users' deployment configurations. This PR addresses a regression where a previous security enhancement (enforcing a non-root user) inadvertently broke compatibility for existing users. By making the user enforcement conditional, it provides a path for both security and backward compatibility. No other parts of the application code are affected.

Metadata
  • Review Effort: 2 / 5
  • Primary Label: bug

Powered by Visor from Probelabs

Last updated: 2026-04-20T16:51:59.715Z | Triggered by: pr_opened | Commit: b696949

💡 TIP: You can chat with Visor using /visor ask <your question>
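
The comment above attributes compatibility with both uids to `chmod -R a+rX`. A check for that property on an unpacked image root follows, as an added example (not code from this PR or the Tyk repository). The sample file names and the helpers `audit_tree`, `make_sample_tree` and `has_mode` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the PR. Everything under the temp dir is constructed.

# List entries under $1 that an arbitrary non-owner uid (1000, 65532, ...) could
# not read or traverse, plus anything world-writable. Returns 0 if nothing is listed.
audit_tree() {
    findings=$(
        find "$1" ! -type l \( ! -perm -004 -o -type d ! -perm -001 \) \
            -exec printf 'not-world-readable: %s\n' {} \;
        find "$1" ! -type l -perm -002 -exec printf 'world-writable: %s\n' {} \;
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Build a sample tree with owner-only modes (assumed starting state, for contrast).
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/opt/tyk-gateway/middleware"
    printf '{}\n' > "$t/opt/tyk-gateway/sample.conf"
    printf '#!/bin/sh\n' > "$t/opt/tyk-gateway/sample-bin"
    chmod 600 "$t/opt/tyk-gateway/sample.conf"
    chmod 700 "$t/opt/tyk-gateway/sample-bin" "$t/opt/tyk-gateway/middleware" \
        "$t/opt/tyk-gateway"
    printf '%s\n' "$t"
}

# True when path $1 has exactly octal mode $2.
has_mode() {
    [ -n "$(find "$1" -prune -perm "$2")" ]
}

demo() {
    t=$(make_sample_tree) || return 1
    gw="$t/opt/tyk-gateway"
    audit_tree "$gw" >/dev/null && echo "before: clean" || echo "before: findings"
    chmod -R a+rX "$gw"    # the permission step the PR description names
    audit_tree "$gw" && echo "after: clean"
    # Capital X adds execute only to directories and already-executable files.
    has_mode "$gw/sample.conf" 644 && echo "config stayed non-executable"
    rm -rf "$t"
}
demo
```

Pointing `audit_tree` at an extracted image filesystem (for example the output of `docker export` unpacked to a directory) gives the same report for the real `/opt/tyk-gateway` tree.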

@probelabs bot (Contributor) commented Apr 20, 2026

✅ Architecture Check Passed

No architecture issues found – changes LGTM.

Performance Issues (1)

Severity: 🟡 Warning
Location: ci/Dockerfile.distroless:14-16
Issue: The `RUN` instruction introduces `chmod -R` and conditional `chown -R` operations. These recursive commands traverse the entire `/opt/tyk-gateway` directory, which can be time-consuming and slow down the image build process. This is less performant than the previous `COPY --chown` approach, which is handled more efficiently by the Docker daemon. While this change fixes an ownership issue, it comes at the cost of build performance.
💡 Suggestion: The most performant solution would be to define the correct file modes and ownership within the `.deb` package itself, eliminating the need for these `RUN` commands during the image build. If modifying the package is not feasible, be aware of the potential impact on build duration.

✅ Quality Check Passed

No quality issues found – changes LGTM.


Powered by Visor from Probelabs

Last updated: 2026-04-20T16:51:26.360Z | Triggered by: pr_opened | Commit: b696949


@github-actions (Contributor) commented

API Changes

no api changes detected
