feat(helm): add RO rootfs support for Intel and Collab

Fixes: #168

- tmpfs emptyDir for /run and /tmp
- RW runtime at /run/volatile, reuse for /var/log/nginx and /var/cache/nginx
- Intel: initContainer to create subpaths
- enable via securityContext (readOnlyRootFileSystem, runAsUser=0)

Author: danc094codetogether

charts/collab/templates/deployment.yaml

@@ -182,6 +182,10 @@ spec:
               name: codetogether-runtime
             - mountPath: /tmp
               name: codetogether-tmp
+            - mountPath: /var/log/nginx
+              name: codetogether-runtime
+            - mountPath: /var/cache/nginx
+              name: codetogether-runtime
             {{- if .Values.favicon.enabled }}
             - mountPath: /opt/volatile-template/nginx/favicon.ico
               name: favicon-volume

charts/collab/values.yaml

@@ -210,9 +210,9 @@ securityContext: {}
   # capabilities:
   #   drop:
   #   - ALL
-  # readOnlyRootFilesystem: true
+  readOnlyRootFilesystem: true
   # runAsNonRoot: true
-  # runAsUser: 1000
+  runAsUser: 0
 
 readinessProbe:
   initialDelaySeconds: 60

charts/intel/templates/deployment.yaml

@@ -26,6 +26,17 @@ spec:
       imagePullSecrets:
         - name: {{ include "codetogether.fullname" . }}-pull-secret
       {{- end }}
+      {{- if .Values.readOnlyMode.enabled }}
+      initContainers:
+        - name: prepare-ro
+          image: busybox:latest
+          securityContext:
+            runAsUser: 0
+          command: ["sh", "-lc", "mkdir -p /mnt/volatile/var-log-nginx /mnt/volatile/var-cache-nginx /mnt/var/log-codetogether || true"]
+          volumeMounts:
+            - name: volatile
+              mountPath: /mnt/volatile
+      {{- end }}
       serviceAccountName: {{ include "codetogether.serviceAccountName" . }}
       containers:
         - name: {{ .Chart.Name }}
@@ -108,6 +119,20 @@ spec:
               mountPath: /etc/ssl/certs/java/cacerts
               subPath: cacerts
             {{- end }}
+            {{- if .Values.readOnlyMode.enabled }}
+            - name: volatile
+              mountPath: /run/volatile
+            - name: run
+              mountPath: /run
+            - name: tmp
+              mountPath: /tmp
+            - name: volatile
+              mountPath: /var/log/nginx
+              subPath: var-log-nginx
+            - name: volatile
+              mountPath: /var/cache/nginx
+              subPath: var-cache-nginx            
+            {{- end }}
           ports:
             - name: http
               containerPort: 1080
@@ -156,6 +181,16 @@ spec:
           secret:
             secretName: {{ .Values.java.customCacerts.cacertsSecretName }}
         {{- end }}
+        {{- if .Values.readOnlyMode.enabled }}
+        - name: volatile
+          emptyDir: {}
+        - name: run
+          emptyDir:
+            medium: Memory
+        - name: tmp
+          emptyDir:
+            medium: Memory
+        {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

charts/intel/values.yaml

@@ -133,10 +133,12 @@ serviceAccount:
 podAnnotations: {}
 
 securityContext: {}
+
   # capabilities:
   #   drop:
   #   - ALL
-  # readOnlyRootFilesystem: true
+  readOnlyRootFilesystem: true
+  runAsUser: 0
   # runAsNonRoot: true
   # runAsUser: 1000
 
@@ -179,3 +181,6 @@ tolerations: []
 affinity: {}
 
 replicaCount: 1
+
+readOnlyMode:
+  enabled: true