From 310b6c2ebff24bfe87884fffb288bf40711bc8da Mon Sep 17 00:00:00 2001
From: danc094codetogether
Date: Thu, 18 Sep 2025 10:07:07 -0600
Subject: [PATCH 1/6] feat(helm): add RO rootfs support for Intel and Collab
Fixes: #168
- tmpfs emptyDir for /run and /tmp
- RW runtime at /run/volatile, reuse for /var/log/nginx and /var/cache/nginx
- Intel: initContainer to create subpaths
- enable via securityContext (readOnlyRootFileSystem, runAsUser=0)
---
charts/collab/templates/deployment.yaml | 4 +++
charts/collab/values.yaml | 4 +--
charts/intel/templates/deployment.yaml | 35 +++++++++++++++++++++++++
charts/intel/values.yaml | 7 ++++-
4 files changed, 47 insertions(+), 3 deletions(-)
diff --git a/charts/collab/templates/deployment.yaml b/charts/collab/templates/deployment.yaml
index 689f562..7a6288f 100644
--- a/charts/collab/templates/deployment.yaml
+++ b/charts/collab/templates/deployment.yaml
@@ -182,6 +182,10 @@ spec: name: codetogether-runtime - mountPath: /tmp name: codetogether-tmp + - mountPath: /var/log/nginx + name: codetogether-runtime + - mountPath: /var/cache/nginx + name: codetogether-runtime {{- if .Values.favicon.enabled }} - mountPath: /opt/volatile-template/nginx/favicon.ico name: favicon-volume
diff --git a/charts/collab/values.yaml b/charts/collab/values.yaml
index b05bde9..b6666cc 100644
--- a/charts/collab/values.yaml
+++ b/charts/collab/values.yaml
@@ -210,9 +210,9 @@ securityContext: {} # capabilities: # drop: # - ALL - # readOnlyRootFilesystem: true + readOnlyRootFilesystem: true # runAsNonRoot: true - # runAsUser: 1000 + runAsUser: 0 readinessProbe: initialDelaySeconds: 60
diff --git a/charts/intel/templates/deployment.yaml b/charts/intel/templates/deployment.yaml
index 4af3218..3ccea51 100644
--- a/charts/intel/templates/deployment.yaml
+++ b/charts/intel/templates/deployment.yaml
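Review bot: The two new mounts place the `codetogether-runtime` volume at `/var/log/nginx` and `/var/cache/nginx` without a `subPath`, so both paths and the runtime mount that precedes them are the same directory: nginx log and cache files land in the root of the runtime volume and are reachable from every mount point. The intel chart in this same patch isolates the two with `subPath: var-log-nginx` / `subPath: var-cache-nginx`; do the same here, e.g. `- mountPath: /var/log/nginx` / `  name: codetogether-runtime` / `  subPath: var-log-nginx`. The enclosing `volumeMounts` list, including the mount that defines the runtime volume's primary path, starts above the hunk.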
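Review bot: Uncommenting `runAsUser: 0` makes every default install run the container as root while `capabilities.drop: [ALL]` and `runAsNonRoot` stay commented out, so the read-only root filesystem is paid for with uid 0 in the container; the intel `values.yaml` hunk `@@ -133,10 +133,12 @@` in this same patch does the same. If root is genuinely required for the RO setup, the block should at least enable `capabilities:` / `  drop:` / `    - ALL` next to it and carry a comment saying why uid 0 is needed (the reason is not visible in the chart). Without that, a reviewer reading `values.yaml` sees the hardening knob and the de-hardening knob flipped in the same change with no rationale.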
@@ -26,6 +26,17 @@ spec: imagePullSecrets: - name: {{ include "codetogether.fullname" . }}-pull-secret {{- end }} + {{- if .Values.readOnlyMode.enabled }} + initContainers: + - name: prepare-ro + image: busybox:latest + securityContext: + runAsUser: 0 + command: ["sh", "-lc", "mkdir -p /mnt/volatile/var-log-nginx /mnt/volatile/var-cache-nginx /mnt/var/log-codetogether || true"] + volumeMounts: + - name: volatile + mountPath: /mnt/volatile + {{- end }} serviceAccountName: {{ include "codetogether.serviceAccountName" . }} containers: - name: {{ .Chart.Name }}
@@ -108,6 +119,20 @@ spec: mountPath: /etc/ssl/certs/java/cacerts subPath: cacerts {{- end }} + {{- if .Values.readOnlyMode.enabled }} + - name: volatile + mountPath: /run/volatile + - name: run + mountPath: /run + - name: tmp + mountPath: /tmp + - name: volatile + mountPath: /var/log/nginx + subPath: var-log-nginx + - name: volatile + mountPath: /var/cache/nginx + subPath: var-cache-nginx + {{- end }} ports: - name: http containerPort: 1080
@@ -156,6 +181,16 @@ spec: secret: secretName: {{ .Values.java.customCacerts.cacertsSecretName }} {{- end }} + {{- if .Values.readOnlyMode.enabled }} + - name: volatile + emptyDir: {} + - name: run + emptyDir: + medium: Memory + - name: tmp + emptyDir: + medium: Memory + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }}
diff --git a/charts/intel/values.yaml b/charts/intel/values.yaml
index b17e158..3181a86 100644
--- a/charts/intel/values.yaml
+++ b/charts/intel/values.yaml
@@ -133,10 +133,12 @@ serviceAccount: podAnnotations: {} securityContext: {} + # capabilities: # drop: # - ALL - # readOnlyRootFilesystem: true + readOnlyRootFilesystem: true + runAsUser: 0 # runAsNonRoot: true # runAsUser: 1000
@@ -179,3 +181,6 @@ tolerations: [] affinity: {} replicaCount: 1 + +readOnlyMode: + enabled: true
\ No newline at end of file
From 16a67fe7ab9d73f5b7852b98b8efdeaa575c7bb7 Mon Sep 17 00:00:00 2001
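Review bot: In `prepare-ro` the third `mkdir -p` target, `/mnt/var/log-codetogether`, lies outside the only mount (`/mnt/volatile`), so it is created in the init container's throw-away filesystem and never reaches the `volatile` volume, and the trailing `|| true` hides that and any other failure from the pod status. The image is also the unpinned `busybox:latest` from the public registry, run as `runAsUser: 0`, with no values key to override it; pin a tag or digest and expose it in `values.yaml` the way the main image is. A minimal fix is `command: ["sh", "-c", "mkdir -p /mnt/volatile/var-log-nginx /mnt/volatile/var-cache-nginx"]` — drop `-l`, drop `|| true`, and either drop the stray path or mount whatever volume it was meant for. Kubelet normally creates a missing `subPath` directory inside an emptyDir at mount time, so the init container may be unnecessary altogether; worth confirming on the target cluster version before keeping it.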
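Review bot: The `run` and `tmp` volumes are `medium: Memory` emptyDirs with no `sizeLimit`, so anything writing under `/run` or `/tmp` can grow a tmpfs that counts against the container's memory limit (or, with none set, against node memory) until the pod is OOM-killed or evicted. Add a limit to each, e.g. `emptyDir:` / `  medium: Memory` / `  sizeLimit: 64Mi` (the size is a constructed example — size it to the workload). The disk-backed `volatile` emptyDir should get a `sizeLimit` as well, since nginx cache and logs are unbounded writers and now live there. The `volumes` list this hunk extends starts above the hunk.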
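Review bot: `readOnlyMode.enabled` only drives the init container, the mounts and the volumes in the deployment template, while the matching `readOnlyRootFilesystem: true` / `runAsUser: 0` live in the separate `securityContext` block earlier in this file; nothing ties the two together, so flipping one without the other yields either a read-only root with no writable `/run` and `/tmp` (the container fails at start) or the extra mounts on top of a writable root. Either derive the mounts in the template from `.Values.securityContext.readOnlyRootFilesystem`, or state the coupling in a comment above the new key, e.g. `# readOnlyMode requires securityContext.readOnlyRootFilesystem: true (and the runAsUser it needs) above`. The added `enabled: true` also lacks a trailing newline (`\ No newline at end of file`); end the file with one.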
From: danc094codetogether
Date: Thu, 18 Sep 2025 10:15:51 -0600
Subject: [PATCH 2/6] Typo fixes
---
charts/collab/values.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/collab/values.yaml b/charts/collab/values.yaml
index b6666cc..e686ded 100644
--- a/charts/collab/values.yaml
+++ b/charts/collab/values.yaml
@@ -206,12 +206,12 @@ serviceAccount: podAnnotations: {} -securityContext: {} +securityContext: # capabilities: # drop: # - ALL - readOnlyRootFilesystem: true # runAsNonRoot: true + readOnlyRootFilesystem: true runAsUser: 0 readinessProbe:
From a1e29900e8fd7d8b64b5a9c890f4da855e9f1ef9 Mon Sep 17 00:00:00 2001
From: danc094codetogether
Date: Thu, 18 Sep 2025 10:17:09 -0600
Subject: [PATCH 3/6] Typo fixes
---
charts/intel/values.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/intel/values.yaml b/charts/intel/values.yaml
index 3181a86..eab7ba0 100644
--- a/charts/intel/values.yaml
+++ b/charts/intel/values.yaml
@@ -132,7 +132,7 @@ serviceAccount: podAnnotations: {} -securityContext: {} +securityContext: # capabilities: # drop:
From 0a55e6f8ab5df5b4eab90c274bfc1714c7afe62b Mon Sep 17 00:00:00 2001
From: danc094codetogether
Date: Thu, 18 Sep 2025 12:29:40 -0600
Subject: [PATCH 4/6] Fixing typo
---
charts/intel/values.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/intel/values.yaml b/charts/intel/values.yaml
index eab7ba0..fb474ba 100644
--- a/charts/intel/values.yaml
+++ b/charts/intel/values.yaml
@@ -32,7 +32,7 @@ imageCredentials: email: unused # -# Set CodeTogether runing mode and server's FQDN (HTTPS is mandatory for CodeTogether) +# Set CodeTogether running mode and server's FQDN (HTTPS is mandatory for CodeTogether) # Use 'direct' for simple evaluations and small deployments. CodeTogether can provide # guidance on the best deployment option based on your needs. #
From 3521249c14edb7493f10abb07082cc7a030df8d6 Mon Sep 17 00:00:00 2001
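Review bot: With `securityContext:` now a live mapping, the commented `# runAsNonRoot: true` sits directly above the active `runAsUser: 0`; uncommenting it as written would make the kubelet refuse to start the container, because `runAsNonRoot` rejects uid 0. Mark the conflict where the next person will read it, e.g. `# runAsNonRoot: true  # incompatible with runAsUser: 0 below`, or move the commented line next to the commented `runAsUser: 1000` alternative so the two non-root settings stay together. The `[PATCH 3/6]` hunk on the intel `values.yaml` has the same layout, though its `runAsUser` lines fall outside that hunk.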
From: danc094codetogether
Date: Thu, 18 Sep 2025 12:45:53 -0600
Subject: [PATCH 5/6] Changes to defauts
---
charts/collab/values.yaml | 6 +++---
charts/intel/values.yaml | 8 ++++----
2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/charts/collab/values.yaml b/charts/collab/values.yaml
index e686ded..4361394 100644
--- a/charts/collab/values.yaml
+++ b/charts/collab/values.yaml
@@ -206,13 +206,13 @@ serviceAccount: podAnnotations: {} -securityContext: +securityContext: {} #defaults to # capabilities: # drop: # - ALL # runAsNonRoot: true - readOnlyRootFilesystem: true - runAsUser: 0 + # readOnlyRootFilesystem: true # enable for read-only setup + # runAsUser: 0 # Use '0' for root user readinessProbe: initialDelaySeconds: 60
diff --git a/charts/intel/values.yaml b/charts/intel/values.yaml
index fb474ba..905e2c8 100644
--- a/charts/intel/values.yaml
+++ b/charts/intel/values.yaml
@@ -132,13 +132,13 @@ serviceAccount: podAnnotations: {} -securityContext: +securityContext: {} #defaults to # capabilities: # drop: # - ALL - readOnlyRootFilesystem: true - runAsUser: 0 + #readOnlyRootFilesystem: true # enable for read-only setup + #runAsUser: 0 # Use '0' for root user # runAsNonRoot: true # runAsUser: 1000
@@ -183,4 +183,4 @@ affinity: {} replicaCount: 1 readOnlyMode: - enabled: true
\ No newline at end of file
+ enabled: false # Set to 'true' to enable read-only mode
\ No newline at end of file
From ff674d8302c9315408a40dbf8f06004003743000 Mon Sep 17 00:00:00 2001
From: danc094codetogether
Date: Thu, 18 Sep 2025 12:47:40 -0600
Subject: [PATCH 6/6] Fixes
---
charts/collab/values.yaml | 2 +-
charts/intel/values.yaml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/collab/values.yaml b/charts/collab/values.yaml
index 4361394..13e4026 100644
--- a/charts/collab/values.yaml
+++ b/charts/collab/values.yaml
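Review bot: The inline `#defaults to` after `securityContext: {}` is a dangling phrase and has no space after `#` (yamllint `comments`); the intel hunk `@@ -132,13 +132,13 @@` in the same patch repeats it and additionally writes `#readOnlyRootFilesystem:` / `#runAsUser:` without the space, so the two charts no longer match each other's comment style. Suggest `securityContext: {}  # defaults to an empty context; uncomment the keys below for the read-only setup`, then `# readOnlyRootFilesystem: true  # enable for read-only setup` and `# runAsUser: 0  # required by the read-only setup`, identically in both files. Since these are now the only lines telling a user which keys the read-only mode needs, the wording should name the requirement rather than just describe what `0` means.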
@@ -212,7 +212,7 @@ securityContext: {} #defaults to # - ALL # runAsNonRoot: true # readOnlyRootFilesystem: true # enable for read-only setup - # runAsUser: 0 # Use '0' for root user + # runAsUser: 0 # Use '0' for root user for read-only setup readinessProbe: initialDelaySeconds: 60
diff --git a/charts/intel/values.yaml b/charts/intel/values.yaml
index 905e2c8..a0378cb 100644
--- a/charts/intel/values.yaml
+++ b/charts/intel/values.yaml
@@ -138,7 +138,7 @@ securityContext: {} #defaults to # drop: # - ALL #readOnlyRootFilesystem: true # enable for read-only setup - #runAsUser: 0 # Use '0' for root user + #runAsUser: 0 # Use '0' for root user for read-only setup # runAsNonRoot: true # runAsUser: 1000