diff --git a/charts/collab/templates/deployment.yaml b/charts/collab/templates/deployment.yaml
index 689f562..7a6288f 100644
--- a/charts/collab/templates/deployment.yaml
+++ b/charts/collab/templates/deployment.yaml
@@ -182,6 +182,10 @@ spec:
 name: codetogether-runtime
 - mountPath: /tmp
 name: codetogether-tmp
+ - mountPath: /var/log/nginx
+ name: codetogether-runtime
+ - mountPath: /var/cache/nginx
+ name: codetogether-runtime
 {{- if .Values.favicon.enabled }}
 - mountPath: /opt/volatile-template/nginx/favicon.ico
 name: favicon-volume
diff --git a/charts/collab/values.yaml b/charts/collab/values.yaml
index b05bde9..13e4026 100644
--- a/charts/collab/values.yaml
+++ b/charts/collab/values.yaml
@@ -206,13 +206,13 @@ serviceAccount:
 podAnnotations: {}
-securityContext: {}
+securityContext: {} #defaults to
 # capabilities:
 # drop:
 # - ALL
- # readOnlyRootFilesystem: true
 # runAsNonRoot: true
- # runAsUser: 1000
+ # readOnlyRootFilesystem: true # enable for read-only setup
+ # runAsUser: 0 # Use '0' for root user for read-only setup
 readinessProbe:
 initialDelaySeconds: 60
diff --git a/charts/intel/templates/deployment.yaml b/charts/intel/templates/deployment.yaml
index 4af3218..3ccea51 100644
--- a/charts/intel/templates/deployment.yaml
+++ b/charts/intel/templates/deployment.yaml
@@ -26,6 +26,17 @@ spec:
 imagePullSecrets:
 - name: {{ include "codetogether.fullname" . }}-pull-secret
 {{- end }}
+ {{- if .Values.readOnlyMode.enabled }}
+ initContainers:
+ - name: prepare-ro
+ image: busybox:latest
+ securityContext:
+ runAsUser: 0
+ command: ["sh", "-lc", "mkdir -p /mnt/volatile/var-log-nginx /mnt/volatile/var-cache-nginx /mnt/var/log-codetogether || true"]
+ volumeMounts:
+ - name: volatile
+ mountPath: /mnt/volatile
+ {{- end }}
 serviceAccountName: {{ include "codetogether.serviceAccountName" . }}
 containers:
 - name: {{ .Chart.Name }}
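Review bot: The two new mounts put `/var/log/nginx` and `/var/cache/nginx` on the `codetogether-runtime` volume with no `subPath`, and the context line just above the `/tmp` entry shows that volume is already mounted at another path, so three mount points share one directory root and nginx's log and cache files land in the same tree as the runtime data. The intel chart in this same commit separates these with `subPath: var-log-nginx` and `subPath: var-cache-nginx`; adding the same two `subPath:` lines here keeps the paths isolated and the two charts consistent, provided those directories exist on whatever backs `codetogether-runtime`. The enclosing volumeMounts list starts outside the hunk, so I can't confirm what the earlier `codetogether-runtime` mount path is.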
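Review bot: The replacement comment recommends `# runAsUser: 0 # Use '0' for root user for read-only setup` directly under the retained `# runAsNonRoot: true`; a container that enables both is refused at start (runAsNonRoot with UID 0), and the edit drops the non-root `runAsUser: 1000` example the file previously offered. Running as root is not what makes a read-only root filesystem work — the writable paths are, and this commit adds those mounts in both deployment templates — so the hint should keep `# runAsUser: 1000` and point at the mounts instead of root. `securityContext: {} #defaults to` also misleads, since an empty map applies none of the listed settings; `# example values:` describes the commented block better. The same comment text lands in charts/intel/values.yaml (hunk at line 132), where it additionally sits beside the retained `# runAsUser: 1000`, so the same fix applies there.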
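Review bot: The `prepare-ro` init container's command ends in `|| true`, so a failed `mkdir` is ignored and the main container starts without the directories its subPath mounts expect, while the third path, `/mnt/var/log-codetogether`, is created on the init container's own layer (only `/mnt/volatile` is mounted) and discarded when it exits. Dropping both makes the step fail loudly and removes the no-op: `command: ["sh", "-c", "mkdir -p /mnt/volatile/var-log-nginx /mnt/volatile/var-cache-nginx"]`. The image is the floating `busybox:latest` run as UID 0 with no resource limits; a digest-pinned reference exposed through values.yaml under the new `readOnlyMode` map would make the rendered pod reproducible, and creating directories on a fresh emptyDir likely does not need root at all. The enclosing pod `spec:` starts outside the hunk.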
@@ -108,6 +119,20 @@ spec:
 mountPath: /etc/ssl/certs/java/cacerts
 subPath: cacerts
 {{- end }}
+ {{- if .Values.readOnlyMode.enabled }}
+ - name: volatile
+ mountPath: /run/volatile
+ - name: run
+ mountPath: /run
+ - name: tmp
+ mountPath: /tmp
+ - name: volatile
+ mountPath: /var/log/nginx
+ subPath: var-log-nginx
+ - name: volatile
+ mountPath: /var/cache/nginx
+ subPath: var-cache-nginx
+ {{- end }}
 ports:
 - name: http
 containerPort: 1080
@@ -156,6 +181,16 @@ spec:
 secret:
 secretName: {{ .Values.java.customCacerts.cacertsSecretName }}
 {{- end }}
+ {{- if .Values.readOnlyMode.enabled }}
+ - name: volatile
+ emptyDir: {}
+ - name: run
+ emptyDir:
+ medium: Memory
+ - name: tmp
+ emptyDir:
+ medium: Memory
+ {{- end }}
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
diff --git a/charts/intel/values.yaml b/charts/intel/values.yaml
index b17e158..a0378cb 100644
--- a/charts/intel/values.yaml
+++ b/charts/intel/values.yaml
@@ -32,7 +32,7 @@ imageCredentials:
 email: unused
 #
-# Set CodeTogether runing mode and server's FQDN (HTTPS is mandatory for CodeTogether)
+# Set CodeTogether running mode and server's FQDN (HTTPS is mandatory for CodeTogether)
 # Use 'direct' for simple evaluations and small deployments. CodeTogether can provide
 # guidance on the best deployment option based on your needs.
 #
@@ -132,11 +132,13 @@ serviceAccount:
 podAnnotations: {}
-securityContext: {}
+securityContext: {} #defaults to
+ # capabilities:
 # drop:
 # - ALL
- # readOnlyRootFilesystem: true
+ #readOnlyRootFilesystem: true # enable for read-only setup
+ #runAsUser: 0 # Use '0' for root user for read-only setup
 # runAsNonRoot: true
 # runAsUser: 1000
@@ -179,3 +181,6 @@ tolerations: []
 affinity: {}
 replicaCount: 1
+
+readOnlyMode:
+ enabled: false # Set to 'true' to enable read-only mode
\ No newline at end of file
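Review bot: The `volatile` volume is mounted whole at `/run/volatile` and again through two `subPath` mounts, and `/run/volatile` sits inside the `run` tmpfs mounted at `/run`; nothing in the hunk uses `/run/volatile`, so that first mount looks redundant and exposes nginx's log and cache directories under `/run`. If no process needs it, dropping the `- name: volatile` / `mountPath: /run/volatile` pair leaves the subPath mounts as the only view of that volume; if something does, a comment above it saying what should state that. The init container in the earlier hunk also creates a codetogether log directory, but no mount here gives the application a writable log path, so either that `mkdir` is dead or a mount is missing. The enclosing container's volumeMounts list starts outside the hunk.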
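Review bot: The `run` and `tmp` volumes use `emptyDir` with `medium: Memory` and no `sizeLimit`, so these tmpfs mounts are backed by node memory charged to the pod; an unbounded write to `/tmp` consumes the container's memory allowance and ends in eviction or an OOM kill instead of a disk-full error. Cap each one, e.g. `sizeLimit: 64Mi` (a constructed value; size it to the application's real `/tmp` usage), or drop `medium: Memory` for `tmp` so it stays on node disk like `volatile`. The enclosing volumes list starts outside the hunk.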
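Review bot: `readOnlyMode.enabled` only switches on the init container, the extra mounts and the emptyDir volumes in deployment.yaml; none of those conditionals sets `readOnlyRootFilesystem`, so a user who flips this flag alone still gets a writable root filesystem, and the coupling is stated nowhere but the separate commented hint under `securityContext`. The inline comment should say so: `enabled: false # Set to 'true' to enable read-only mode; also set securityContext.readOnlyRootFilesystem: true`. The file also now ends without a trailing newline (`\ No newline at end of file`), which the old side appears to have had; add it back.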