collab, intel: align read-only handling with live legacy chart

danc094codetogether · danc094codetogether · commit bfeb8a84e8d9 · 2025-09-22T11:55:12.000-06:00
Fixes: #174 - Gate all tmp/runtime mounts behind securityContext.readOnlyRootFileSystem - When RO=true, mount emptyDir to /run, /tmp, /var/log/nginx, /var/cache/nginx - Remove readOnlyMode flag and prepare-ro initContainer
diff --git a/charts/collab/templates/deployment.yaml b/charts/collab/templates/deployment.yaml
@@ -254,6 +254,7 @@ spec:
           emptyDir: {}
         - name: codetogether-tmp
           emptyDir: {}
+            medium: Memory
       {{- else if .Values.favicon.enabled }}
       volumes:
         - name: favicon-volume
diff --git a/charts/collab/values.yaml b/charts/collab/values.yaml
@@ -211,13 +211,13 @@ serviceAccount:
 
 podAnnotations: {}
 
-securityContext: {} #defaults to
+securityContext: {} #defaults
   # capabilities:
   #   drop:
   #   - ALL
   # runAsNonRoot: true
   # readOnlyRootFilesystem: true # enable for read-only setup
-  # runAsUser: 0 # Use '0' for root user for read-only setup
+  # runAsUser: 1000
 
 readinessProbe:
   initialDelaySeconds: 60
diff --git a/charts/intel/templates/deployment.yaml b/charts/intel/templates/deployment.yaml
@@ -26,17 +26,6 @@ spec:
       imagePullSecrets:
         - name: {{ include "codetogether.fullname" . }}-pull-secret
       {{- end }}
-      {{- if .Values.readOnlyMode.enabled }}
-      initContainers:
-        - name: prepare-ro
-          image: busybox:latest
-          securityContext:
-            runAsUser: 0
-          command: ["sh", "-lc", "mkdir -p /mnt/volatile/var-log-nginx /mnt/volatile/var-cache-nginx /mnt/var/log-codetogether || true"]
-          volumeMounts:
-            - name: volatile
-              mountPath: /mnt/volatile
-      {{- end }}
       serviceAccountName: {{ include "codetogether.serviceAccountName" . }}
       containers:
         - name: {{ .Chart.Name }}
@@ -110,6 +99,7 @@ spec:
                   key: apiKey
               {{- end }}
             {{- end }}
+{{- if .Values.securityContext.readOnlyRootFilesystem }}
           volumeMounts:
             - name: properties-volume
               mountPath: /opt/codetogether/runtime/cthq.properties
@@ -119,20 +109,26 @@ spec:
               mountPath: /etc/ssl/certs/java/cacerts
               subPath: cacerts
             {{- end }}
-            {{- if .Values.readOnlyMode.enabled }}
-            - name: volatile
-              mountPath: /run/volatile
-            - name: run
-              mountPath: /run
-            - name: tmp
-              mountPath: /tmp
-            - name: volatile
-              mountPath: /var/log/nginx
-              subPath: var-log-nginx
-            - name: volatile
-              mountPath: /var/cache/nginx
-              subPath: var-cache-nginx            
+            # Read-only root FS mounts
+            - mountPath: /run
+              name: codetogether-runtime
+            - mountPath: /tmp
+              name: codetogether-tmp
+            - mountPath: /var/log/nginx
+              name: codetogether-runtime
+            - mountPath: /var/cache/nginx
+              name: codetogether-runtime
+{{- else }}
+          volumeMounts:
+            - name: properties-volume
+              mountPath: /opt/codetogether/runtime/cthq.properties
+              subPath: cthq.properties
+            {{- if .Values.java.customCacerts.enabled }}
+            - name: java-cacerts
+              mountPath: /etc/ssl/certs/java/cacerts
+              subPath: cacerts
             {{- end }}
+{{- end }}
           ports:
             - name: http
               containerPort: 1080
@@ -181,16 +177,13 @@ spec:
           secret:
             secretName: {{ .Values.java.customCacerts.cacertsSecretName }}
         {{- end }}
-        {{- if .Values.readOnlyMode.enabled }}
-        - name: volatile
+{{- if .Values.securityContext.readOnlyRootFilesystem }}
+        - name: codetogether-runtime
           emptyDir: {}
-        - name: run
+        - name: codetogether-tmp
           emptyDir:
             medium: Memory
-        - name: tmp
-          emptyDir:
-            medium: Memory
-        {{- end }}
+{{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
diff --git a/charts/intel/values.yaml b/charts/intel/values.yaml
@@ -138,9 +138,8 @@ securityContext: {} #defaults to
   #   drop:
   #   - ALL
   #readOnlyRootFilesystem: true  # enable for read-only setup
-  #runAsUser: 0 # Use '0' for root user for read-only setup
-  # runAsNonRoot: true
-  # runAsUser: 1000
+  # runAsNonRoot: true           # false for non-root user
+  # runAsUser: 0
 
 ai:
   enabled: false
@@ -180,7 +179,4 @@ tolerations: []
 
 affinity: {}
 
-replicaCount: 1
-
-readOnlyMode:
-  enabled: false # Set to 'true' to enable read-only mode
+replicaCount: 1
