feat(helm): add RO rootfs support for Intel and Collab (#169)

danc094codetogether · web-flow · commit 2256e9d98201 · 2025-09-18T12:49:01.000-06:00
* feat(helm): add RO rootfs support for Intel and Collab Fixes: #168 - tmpfs emptyDir for /run and /tmp - RW runtime at /run/volatile, reuse for /var/log/nginx and /var/cache/nginx - Intel: initContainer to create subpaths - enable via securityContext (readOnlyRootFileSystem, runAsUser=0) * Typo fixes * Typo fixes * Fixing typo * Changes to defauts * Fixes
diff --git a/charts/collab/templates/deployment.yaml b/charts/collab/templates/deployment.yaml
@@ -182,6 +182,10 @@ spec:
               name: codetogether-runtime
             - mountPath: /tmp
               name: codetogether-tmp
+            - mountPath: /var/log/nginx
+              name: codetogether-runtime
+            - mountPath: /var/cache/nginx
+              name: codetogether-runtime
             {{- if .Values.favicon.enabled }}
             - mountPath: /opt/volatile-template/nginx/favicon.ico
               name: favicon-volume
diff --git a/charts/collab/values.yaml b/charts/collab/values.yaml
@@ -206,13 +206,13 @@ serviceAccount:
 
 podAnnotations: {}
 
-securityContext: {}
+securityContext: {} #defaults to
   # capabilities:
   #   drop:
   #   - ALL
-  # readOnlyRootFilesystem: true
   # runAsNonRoot: true
-  # runAsUser: 1000
+  # readOnlyRootFilesystem: true # enable for read-only setup
+  # runAsUser: 0 # Use '0' for root user for read-only setup
 
 readinessProbe:
   initialDelaySeconds: 60
diff --git a/charts/intel/templates/deployment.yaml b/charts/intel/templates/deployment.yaml
@@ -26,6 +26,17 @@ spec:
       imagePullSecrets:
         - name: {{ include "codetogether.fullname" . }}-pull-secret
       {{- end }}
+      {{- if .Values.readOnlyMode.enabled }}
+      initContainers:
+        - name: prepare-ro
+          image: busybox:latest
+          securityContext:
+            runAsUser: 0
+          command: ["sh", "-lc", "mkdir -p /mnt/volatile/var-log-nginx /mnt/volatile/var-cache-nginx /mnt/var/log-codetogether || true"]
+          volumeMounts:
+            - name: volatile
+              mountPath: /mnt/volatile
+      {{- end }}
       serviceAccountName: {{ include "codetogether.serviceAccountName" . }}
       containers:
         - name: {{ .Chart.Name }}
@@ -108,6 +119,20 @@ spec:
               mountPath: /etc/ssl/certs/java/cacerts
               subPath: cacerts
             {{- end }}
+            {{- if .Values.readOnlyMode.enabled }}
+            - name: volatile
+              mountPath: /run/volatile
+            - name: run
+              mountPath: /run
+            - name: tmp
+              mountPath: /tmp
+            - name: volatile
+              mountPath: /var/log/nginx
+              subPath: var-log-nginx
+            - name: volatile
+              mountPath: /var/cache/nginx
+              subPath: var-cache-nginx            
+            {{- end }}
           ports:
             - name: http
               containerPort: 1080
@@ -156,6 +181,16 @@ spec:
           secret:
             secretName: {{ .Values.java.customCacerts.cacertsSecretName }}
         {{- end }}
+        {{- if .Values.readOnlyMode.enabled }}
+        - name: volatile
+          emptyDir: {}
+        - name: run
+          emptyDir:
+            medium: Memory
+        - name: tmp
+          emptyDir:
+            medium: Memory
+        {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
diff --git a/charts/intel/values.yaml b/charts/intel/values.yaml
@@ -32,7 +32,7 @@ imageCredentials:
   email: unused
 
 #
-# Set CodeTogether runing mode and server's FQDN (HTTPS is mandatory for CodeTogether)
+# Set CodeTogether running mode and server's FQDN (HTTPS is mandatory for CodeTogether)
 # Use 'direct' for simple evaluations and small deployments. CodeTogether can provide
 # guidance on the best deployment option based on your needs.
 #
@@ -132,11 +132,13 @@ serviceAccount:
 
 podAnnotations: {}
 
-securityContext: {}
+securityContext: {} #defaults to
+
   # capabilities:
   #   drop:
   #   - ALL
-  # readOnlyRootFilesystem: true
+  #readOnlyRootFilesystem: true  # enable for read-only setup
+  #runAsUser: 0 # Use '0' for root user for read-only setup
   # runAsNonRoot: true
   # runAsUser: 1000
 
@@ -179,3 +181,6 @@ tolerations: []
 affinity: {}
 
 replicaCount: 1
+
+readOnlyMode:
+  enabled: false # Set to 'true' to enable read-only mode
