177 collab intel rofs on open shift avoid run as user 0 support fs group (#178)

danc094codetogether · web-flow · commit dc6854c1dede · 2025-10-01T11:52:35.000-06:00
* OpenShit Teting Commit * Intel Changes * Fixes * Fixes * Fix * feat(charts): OpenShift compatibility + read-only rootfs support for collab & intel Fixes: #177 This change makes the codetogether-collab and codetogether-intel charts work out-of-the-box on both vanilla Kubernetes and OpenShift (restricted-v2 SCC), and adds first-class support for readOnlyRootFilesystem via init containers. Key changes ----------- Collab - Add initContainer `prepare-volatile` to create writable runtime paths when readOnlyRootFilesystem=true (e.g., /run, /var/log/nginx, /var/cache/nginx, and the existing /run/volatile/* tree). - Conditionally handle OpenShift vs vanilla: - OpenShift: do NOT set runAsUser/runAsGroup/fsGroup; let SCC assign UIDs. Keep runAsNonRoot and disallow privilege escalation. Avoid chown. Use `install -d -m 0775/2775` for group-write with sticky set as needed. - Vanilla: init runs as root (UID 0) to chown created dirs to the non-root runtime user (defaults to 1000:1000); main container runs non-root. - When readOnlyRootFilesystem=true: - Mount EmptyDir volumes to /run, /tmp (Memory), /var/log/nginx, /var/cache/nginx. - Add matching volumeMounts. - Keep probes and ports unchanged. - Values: add/clarify `openshift.enabled` flag, securityContext defaults, imageCredentials usage, and sample values for both environments. Intel - Add initContainer `prepare-runtime` to create /var/log/nginx and /var/cache/nginx and make them writable under read-only rootfs. - Same OpenShift vs vanilla split as collab (no explicit UID/GID on OCP; root init + non-root app for vanilla). - Mount EmptyDir + volumeMounts for /run, /tmp (Memory), /var/log/nginx, /var/cache/nginx when readOnlyRootFilesystem=true. - Preserve existing envs (AI mode, HQ base URL, Java options, etc.). Why --- - Fixes SCC denials on OpenShift when explicit runAsUser/fsGroup were set. - Fixes initContainer permission errors (e.g., "Operation not permitted" on /run) by avoiding chown on OpenShift and using 2775 with umask 002. - Enables secure read-only rootfs operation by provisioning necessary writable paths via EmptyDir. Testing ------- - OpenShift 4.x: - `openshift.enabled=true`, remove fsGroup=0, do not set runAsUser/runAsGroup. - initContainers succeed; pods transition to Running. - Vanilla (DigitalOcean Kubernetes): - `openshift.enabled=false`, readOnlyRootFilesystem=true. - init runs as root, chowns to 1000:1000; app runs as non-root. - Pods healthy; readiness/liveness OK. Breaking changes ---------------- - None functionally; however, when enabling readOnlyRootFilesystem, the chart now requires the EmptyDir mounts (added by default when the flag is true). * Testing * fix(openshift): make Intel/Collab charts run on OpenShift; verified in-cluster Fixes: #177 - Validated (same OpenShift env) - This change fixes the customer’s OpenShift issue.
diff --git a/charts/collab/Chart.yaml b/charts/collab/Chart.yaml
@@ -3,7 +3,7 @@ name: codetogether-collab
 description: CodeTogether Collab
 
 type: application
-version: 1.2.4
+version: 1.2.5
 appVersion: "2025.1.0"
 
 icon: https://www.codetogether.com/wp-content/uploads/2020/02/codetogether-circle-128.png
diff --git a/charts/collab/templates/deployment.yaml b/charts/collab/templates/deployment.yaml
@@ -194,10 +194,6 @@ spec:
               name: codetogether-runtime
             - mountPath: /tmp
               name: codetogether-tmp
-            - mountPath: /var/log/nginx
-              name: codetogether-runtime
-            - mountPath: /var/cache/nginx
-              name: codetogether-runtime
             {{- if .Values.favicon.enabled }}
             - mountPath: /opt/volatile-template/nginx/favicon.ico
               name: favicon-volume
@@ -248,13 +244,13 @@ spec:
 
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
+  
       {{- if .Values.securityContext.readOnlyRootFilesystem}}
       volumes:
         - name: codetogether-runtime
           emptyDir: {}
         - name: codetogether-tmp
-          emptyDir:
-            medium: Memory
+          emptyDir: {}
       {{- else if .Values.favicon.enabled }}
       volumes:
         - name: favicon-volume
diff --git a/charts/collab/values.yaml b/charts/collab/values.yaml
@@ -217,7 +217,8 @@ securityContext: {} #defaults
   #   - ALL
   # readOnlyRootFilesystem: true # enable for read-only setup
   # runAsNonRoot: true
-  # runAsUser: 0 # Use '0' for root user for read-only setup
+  # runAsUser: 1000 # Use '0' for root user, in vanilla k8s you can use any non-root uid
+  # In openshift, dont set runAsUser, let OpenShift assign the values
 
 readinessProbe:
   initialDelaySeconds: 60
diff --git a/charts/intel/Chart.yaml b/charts/intel/Chart.yaml
@@ -3,7 +3,7 @@ name: codetogether-intel
 description: CodeTogether Intel provides advanced project insights for developers
 
 type: application
-version: 1.2.7
+version: 1.2.8
 appVersion: "2025.3.0"
 
 icon: https://www.codetogether.com/wp-content/uploads/2020/02/codetogether-circle-128.png
diff --git a/charts/intel/templates/deployment.yaml b/charts/intel/templates/deployment.yaml
@@ -99,7 +99,6 @@ spec:
                   key: apiKey
               {{- end }}
             {{- end }}
-{{- if .Values.securityContext.readOnlyRootFilesystem }}
           volumeMounts:
             - name: properties-volume
               mountPath: /opt/codetogether/runtime/cthq.properties
@@ -109,26 +108,6 @@ spec:
               mountPath: /etc/ssl/certs/java/cacerts
               subPath: cacerts
             {{- end }}
-            # Read-only root FS mounts
-            - mountPath: /run
-              name: codetogether-runtime
-            - mountPath: /tmp
-              name: codetogether-tmp
-            - mountPath: /var/log/nginx
-              name: codetogether-runtime
-            - mountPath: /var/cache/nginx
-              name: codetogether-runtime
-{{- else }}
-          volumeMounts:
-            - name: properties-volume
-              mountPath: /opt/codetogether/runtime/cthq.properties
-              subPath: cthq.properties
-            {{- if .Values.java.customCacerts.enabled }}
-            - name: java-cacerts
-              mountPath: /etc/ssl/certs/java/cacerts
-              subPath: cacerts
-            {{- end }}
-{{- end }}
           ports:
             - name: http
               containerPort: 1080
@@ -177,14 +156,6 @@ spec:
           secret:
             secretName: {{ .Values.java.customCacerts.cacertsSecretName }}
         {{- end }}
-{{- if .Values.securityContext.readOnlyRootFilesystem }}
-        - name: codetogether-runtime
-          emptyDir: {}
-        - name: codetogether-tmp
-          emptyDir:
-            medium: Memory
-{{- end }}
-
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
diff --git a/charts/intel/values.yaml b/charts/intel/values.yaml
@@ -132,14 +132,14 @@ serviceAccount:
 
 podAnnotations: {}
 
-securityContext: {} #defaults to
-
+securityContext: {} #defaults
   # capabilities:
   #   drop:
   #   - ALL
-  #readOnlyRootFilesystem: true  # enable for read-only setup
-  # runAsNonRoot: true           # false for non-root user
-  # runAsUser: 0 # Use '0' for root user for read-only setup
+  # readOnlyRootFilesystem: true # enable for read-only setup
+  # runAsNonRoot: true
+  # runAsUser: 1000 # Use '0' for root user
+  # In openshift, dont set runAsUser, let OpenShift assign the values
 
 ai:
   enabled: false
