From 5527d925cc5662fb9b1eb87560b3b1f613af52f8 Mon Sep 17 00:00:00 2001 From: Rodney Effah Date: Mon, 11 Dec 2023 11:45:40 +0100 Subject: [PATCH 1/7] modified files for Helm --- kubernetes/charts/oasis-models/templates/workers.yaml | 3 ++- kubernetes/charts/oasis-platform/templates/keycloak.yaml | 1 + kubernetes/charts/oasis-platform/templates/oasis_server.yaml | 1 + .../oasis-platform/templates/oasis_worker_controller.yaml | 1 + 4 files changed, 5 insertions(+), 1 deletion(-) diff --git a/kubernetes/charts/oasis-models/templates/workers.yaml b/kubernetes/charts/oasis-models/templates/workers.yaml index d914ea011..a770165b5 100644 --- a/kubernetes/charts/oasis-models/templates/workers.yaml +++ b/kubernetes/charts/oasis-models/templates/workers.yaml @@ -16,7 +16,7 @@ spec: app: {{ $name }} strategy: type: Recreate - replicas: 0 + replicas: 1 template: metadata: labels: @@ -33,6 +33,7 @@ spec: containers: - image: {{ .image }}:{{ .version }} {{- if .imagePullPolicy }} + readOnlyRootFilesystem: true imagePullPolicy: {{ .imagePullPolicy }} {{- end }} name: worker diff --git a/kubernetes/charts/oasis-platform/templates/keycloak.yaml b/kubernetes/charts/oasis-platform/templates/keycloak.yaml index 9b8f92812..6a9e3bff0 100644 --- a/kubernetes/charts/oasis-platform/templates/keycloak.yaml +++ b/kubernetes/charts/oasis-platform/templates/keycloak.yaml @@ -174,6 +174,7 @@ spec: volumes: - name: realm-config + readOnly: true configMap: name: {{ $realmSecretName }} {{- if (.Values.azure).secretProvider }} diff --git a/kubernetes/charts/oasis-platform/templates/oasis_server.yaml b/kubernetes/charts/oasis-platform/templates/oasis_server.yaml index d1b1bb5c8..19c004e70 100644 --- a/kubernetes/charts/oasis-platform/templates/oasis_server.yaml +++ b/kubernetes/charts/oasis-platform/templates/oasis_server.yaml 
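Review bot: In the workers.yaml hunk `@@ -33,6 +33,7 @@`, `readOnlyRootFilesystem: true` is added as a direct key of the container, but Kubernetes defines it under the container's `securityContext`, so as written the root filesystem stays writable (or the manifest is rejected, depending on field validation). The line also sits between `{{- if .imagePullPolicy }}` and `{{- end }}`, so it renders only for workers that set an image pull policy. I would place it after the `{{- end }}` as `securityContext:` with `readOnlyRootFilesystem: true` nested beneath it. PATCH 4/7 fixes the nesting, but its `@@ -33,7 +33,8 @@` hunk keeps the block inside the same conditional. The container definition continues outside the hunk.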
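Review bot: `readOnly: true` in the keycloak.yaml hunk `@@ -174,6 +174,7 @@` is attached to the `realm-config` entry under `volumes:`, and a volume entry has no such field, so it has no hardening effect. The read-only flag for a mount belongs on the container's `volumeMounts` entry for `realm-config`, written as `readOnly: true` beside its `mountPath`. ConfigMap-backed volumes are already mounted read-only in current Kubernetes releases, so the line may simply be unnecessary. PATCH 6/7 re-enables the same line in its `@@ -173,10 +171,12 @@` hunk.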
@@ -147,6 +147,7 @@ spec: volumes: {{- if ((.Values.volumes.host).sharedFs) }} - name: shared-fs-persistent-storage + readonly: true persistentVolumeClaim: claimName: {{ .Values.volumes.host.sharedFs.name }} {{- else if ((.Values.volumes.azureFiles).sharedFs) }} diff --git a/kubernetes/charts/oasis-platform/templates/oasis_worker_controller.yaml b/kubernetes/charts/oasis-platform/templates/oasis_worker_controller.yaml index ad1da3ac3..736041cba 100644 --- a/kubernetes/charts/oasis-platform/templates/oasis_worker_controller.yaml +++ b/kubernetes/charts/oasis-platform/templates/oasis_worker_controller.yaml @@ -50,6 +50,7 @@ spec: annotations: checksum/{{ .Values.oasisServer.name }}: {{ toJson .Values.oasisWebsocket | sha256sum }} spec: + automountServiceAccountToken: false {{- include "h.affinity" . | nindent 6 }} serviceAccountName: {{ $workerControllerServiceAccountName }} initContainers: From 6144f14120b516417a9dc86fdf655e441d17a291 Mon Sep 17 00:00:00 2001 From: Rodney Effah Date: Tue, 2 Jan 2024 10:49:50 +0100 Subject: [PATCH 2/7] added pv,pvc files and modified yml files --- .../oasis-models/templates/workers.yaml | 4 +- .../oasis-platform/templates/keycloak.yaml | 2 +- .../templates/oasis_server.yaml | 2 +- .../templates/oasis_worker_controller.yaml | 2 +- .../templates/pv_oasis_controller.yaml | 41 +++++++++++++++++++ .../templates/pvc_oasis_controller.yaml | 13 ++++++ 6 files changed, 59 insertions(+), 5 deletions(-) create mode 100644 kubernetes/charts/oasis-platform/templates/pv_oasis_controller.yaml create mode 100644 kubernetes/charts/oasis-platform/templates/pvc_oasis_controller.yaml diff --git a/kubernetes/charts/oasis-models/templates/workers.yaml b/kubernetes/charts/oasis-models/templates/workers.yaml index a770165b5..05b8b3677 100644 --- a/kubernetes/charts/oasis-models/templates/workers.yaml +++ b/kubernetes/charts/oasis-models/templates/workers.yaml 
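Review bot: The key added in the oasis_server.yaml hunk `@@ -147,6 +147,7 @@` is spelled `readonly` in lower case and sits directly on the volume entry; Kubernetes field names are case-sensitive and a volume has no read-only key at that level, so the shared filesystem is still mounted read-write. For a claim-backed volume the flag is `readOnly: true` under `persistentVolumeClaim:` beside `claimName`, or on the container's `volumeMounts` entry. The line covers only the `volumes.host` branch; the `azureFiles` branch visible in the context is left as it was. Whether the server ever writes to the shared filesystem cannot be told from this hunk and should be confirmed before the flag is enforced. PATCH 4/7 re-adds the identical line in its `@@ -147,7 +147,7 @@` hunk.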
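Review bot: `automountServiceAccountToken: false` is added to a pod spec that, two lines further down, selects a dedicated account with `serviceAccountName: {{ $workerControllerServiceAccountName }}`. If the worker controller calls the Kubernetes API from inside the pod (the account name and the `ClusterRole` declared in the same file suggest it does, but the code is not on this page), it loses its credentials with this setting. Should the token be required, keep the mount and narrow the role's rules instead, and record the decision in a comment such as `# API token is required here; permissions are limited by the role bound to this account`. The pod spec continues outside the hunk.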
@@ -33,7 +33,7 @@ spec: containers: - image: {{ .image }}:{{ .version }} {{- if .imagePullPolicy }} - readOnlyRootFilesystem: true + #readOnlyRootFilesystem: true imagePullPolicy: {{ .imagePullPolicy }} {{- end }} name: worker @@ -75,7 +75,7 @@ spec: {{- end }} volumes: - name: shared-fs-persistent-storage -{{- if (($root.Values.volumes.host).sharedFs) }} +#{{- if (($root.Values.volumes.host).sharedFs) }} persistentVolumeClaim: claimName: {{ $root.Values.volumes.host.sharedFs.name }} {{- else if (($root.Values.volumes.azureFiles).sharedFs) }} diff --git a/kubernetes/charts/oasis-platform/templates/keycloak.yaml b/kubernetes/charts/oasis-platform/templates/keycloak.yaml index 6a9e3bff0..c16bc7175 100644 --- a/kubernetes/charts/oasis-platform/templates/keycloak.yaml +++ b/kubernetes/charts/oasis-platform/templates/keycloak.yaml @@ -174,7 +174,7 @@ spec: volumes: - name: realm-config - readOnly: true + #readOnly: true configMap: name: {{ $realmSecretName }} {{- if (.Values.azure).secretProvider }} diff --git a/kubernetes/charts/oasis-platform/templates/oasis_server.yaml b/kubernetes/charts/oasis-platform/templates/oasis_server.yaml index 19c004e70..89d0c3fd4 100644 --- a/kubernetes/charts/oasis-platform/templates/oasis_server.yaml +++ b/kubernetes/charts/oasis-platform/templates/oasis_server.yaml @@ -147,7 +147,7 @@ spec: volumes: {{- if ((.Values.volumes.host).sharedFs) }} - name: shared-fs-persistent-storage - readonly: true + #readonly: true persistentVolumeClaim: claimName: {{ .Values.volumes.host.sharedFs.name }} {{- else if ((.Values.volumes.azureFiles).sharedFs) }} diff --git a/kubernetes/charts/oasis-platform/templates/oasis_worker_controller.yaml b/kubernetes/charts/oasis-platform/templates/oasis_worker_controller.yaml index 736041cba..3efb7d59e 100644 --- a/kubernetes/charts/oasis-platform/templates/oasis_worker_controller.yaml +++ b/kubernetes/charts/oasis-platform/templates/oasis_worker_controller.yaml 
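Review bot: Prefixing the template action with `#` in the workers.yaml hunk `@@ -75,7 +75,7 @@` does not disable it, because Helm evaluates `{{- if ... }}` before the output is parsed as YAML; the condition still runs and only a stray `#` reaches the rendered manifest. The `{{- else if ... }}` branch in the context still depends on this `if`, so the line reads as disabled while behaving as before. To switch an action off use a template comment, `{{- /* if (($root.Values.volumes.host).sharedFs) */}}`, together with its matching `else`/`end`, or delete the lines. PATCH 3/7 restores the original line.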
@@ -50,7 +50,7 @@ spec: annotations: checksum/{{ .Values.oasisServer.name }}: {{ toJson .Values.oasisWebsocket | sha256sum }} spec: - automountServiceAccountToken: false + #automountServiceAccountToken: false {{- include "h.affinity" . | nindent 6 }} serviceAccountName: {{ $workerControllerServiceAccountName }} initContainers: diff --git a/kubernetes/charts/oasis-platform/templates/pv_oasis_controller.yaml b/kubernetes/charts/oasis-platform/templates/pv_oasis_controller.yaml new file mode 100644 index 000000000..d3f3d0b1a --- /dev/null +++ b/kubernetes/charts/oasis-platform/templates/pv_oasis_controller.yaml @@ -0,0 +1,41 @@ +# Please edit the object below. Lines beginning with a '#' will be ignored, +# and an empty file will abort the edit. If an error occurs while saving this file will be +# reopened with the relevant failures. +# +apiVersion: v1 +kind: PersistentVolume +metadata: + annotations: + meta.helm.sh/release-name: platform + meta.helm.sh/release-namespace: default + pv.kubernetes.io/bound-by-controller: "yes" + creationTimestamp: "2023-12-27T11:48:52Z" + finalizers: + - kubernetes.io/pv-protection + labels: + app.kubernetes.io/managed-by: Helm + type: local + name: controller-worker-pv + resourceVersion: "8622619" + uid: 9f8f31fb-1005-4c90-ba47-276412b30e41 +spec: + accessModes: + - ReadWriteMany + capacity: + storage: 1Gi + claimRef: + apiVersion: v1 + kind: PersistentVolumeClaim + name: shared-fs-persistent-storage + namespace: default + resourceVersion: "8622617" + uid: b5eba303-d36c-483f-b09f-ccaf9233afa2 + hostPath: + path: /data/model-data/piwind/ + type: "" + persistentVolumeReclaimPolicy: Retain + storageClassName: standard + volumeMode: Filesystem +status: + phase: Bound + diff --git a/kubernetes/charts/oasis-platform/templates/pvc_oasis_controller.yaml b/kubernetes/charts/oasis-platform/templates/pvc_oasis_controller.yaml new file mode 100644 index 000000000..8c4a89591 --- /dev/null 
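Review bot: The new pv_oasis_controller.yaml commits a live-cluster object dump as a chart template: it keeps the `kubectl edit` banner and server-populated fields (`uid`, `resourceVersion`, `creationTimestamp`, `finalizers`, the `status:` block, the `pv.kubernetes.io/bound-by-controller` annotation and a `claimRef` carrying another object's `uid`), and it hard-codes `meta.helm.sh/release-name: platform` and `namespace: default`. Those values are valid only for the cluster they were copied from, so an install under another release name or namespace will clash with Helm's ownership metadata or leave the volume unable to bind. The volume source is a `hostPath` at `/data/model-data/piwind/` with `type: ""`, which performs no check on the path, ties `ReadWriteMany` data to one node's disk, and exposes part of the node filesystem to the workload; many clusters restrict hostPath for that reason. I would reduce the template to `metadata.name`, `spec.accessModes`, `spec.capacity`, `spec.storageClassName` and the volume source, take the path from chart values, and reserve `hostPath` for single-node test clusters.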
+++ b/kubernetes/charts/oasis-platform/templates/pvc_oasis_controller.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: shared-fs +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 1Gi + volumeMode: Filesystem + storageClassName: standard + From c4752af7456f57b1aa53cf769b337b8becc0a1dd Mon Sep 17 00:00:00 2001 From: Rodney Effah Date: Tue, 2 Jan 2024 11:16:37 +0100 Subject: [PATCH 3/7] removed a commented line --- kubernetes/charts/oasis-models/templates/workers.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/charts/oasis-models/templates/workers.yaml b/kubernetes/charts/oasis-models/templates/workers.yaml index 05b8b3677..5a3e442bb 100644 --- a/kubernetes/charts/oasis-models/templates/workers.yaml +++ b/kubernetes/charts/oasis-models/templates/workers.yaml @@ -75,7 +75,7 @@ spec: {{- end }} volumes: - name: shared-fs-persistent-storage -#{{- if (($root.Values.volumes.host).sharedFs) }} +{{- if (($root.Values.volumes.host).sharedFs) }} persistentVolumeClaim: claimName: {{ $root.Values.volumes.host.sharedFs.name }} {{- else if (($root.Values.volumes.azureFiles).sharedFs) }} From 3f67d40ae253bd26da8a3e65a001ec71b6cb2c11 Mon Sep 17 00:00:00 2001 From: Rodney Effah Date: Mon, 8 Jan 2024 14:31:34 +0100 Subject: [PATCH 4/7] modified workers and oasis_server files --- .../oasis-models/templates/workers.yaml | 3 +- .../templates/oasis_server.yaml | 2 +- .../templates/pv_oasis_controller.yaml | 41 ------------------- .../templates/pvc_oasis_controller.yaml | 13 ------ 4 files changed, 3 insertions(+), 56 deletions(-) delete mode 100644 kubernetes/charts/oasis-platform/templates/pv_oasis_controller.yaml delete mode 100644 kubernetes/charts/oasis-platform/templates/pvc_oasis_controller.yaml diff --git a/kubernetes/charts/oasis-models/templates/workers.yaml b/kubernetes/charts/oasis-models/templates/workers.yaml index 5a3e442bb..8ab6a8dad 100644 
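Review bot: The claim in pvc_oasis_controller.yaml is named `shared-fs`, but the PersistentVolume added by the same commit reserves itself through `claimRef` for a claim called `shared-fs-persistent-storage` in namespace `default`, so this claim cannot bind to that volume. The pods in this chart reference their claim through `claimName: {{ .Values.volumes.host.sharedFs.name }}`, so a fixed name here also only works when that value happens to be `shared-fs`. I would name the claim from the same value, `name: {{ .Values.volumes.host.sharedFs.name }}`, and pin it to the intended volume with `volumeName: controller-worker-pv`; without the pin, `storageClassName: standard` may hand the claim a freshly provisioned volume instead, depending on the cluster's provisioner.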
--- a/kubernetes/charts/oasis-models/templates/workers.yaml +++ b/kubernetes/charts/oasis-models/templates/workers.yaml @@ -33,7 +33,8 @@ spec: containers: - image: {{ .image }}:{{ .version }} {{- if .imagePullPolicy }} - #readOnlyRootFilesystem: true + securityContext: + readOnlyRootFilesystem: true imagePullPolicy: {{ .imagePullPolicy }} {{- end }} name: worker diff --git a/kubernetes/charts/oasis-platform/templates/oasis_server.yaml b/kubernetes/charts/oasis-platform/templates/oasis_server.yaml index 89d0c3fd4..19c004e70 100644 --- a/kubernetes/charts/oasis-platform/templates/oasis_server.yaml +++ b/kubernetes/charts/oasis-platform/templates/oasis_server.yaml @@ -147,7 +147,7 @@ spec: volumes: {{- if ((.Values.volumes.host).sharedFs) }} - name: shared-fs-persistent-storage - #readonly: true + readonly: true persistentVolumeClaim: claimName: {{ .Values.volumes.host.sharedFs.name }} {{- else if ((.Values.volumes.azureFiles).sharedFs) }} diff --git a/kubernetes/charts/oasis-platform/templates/pv_oasis_controller.yaml b/kubernetes/charts/oasis-platform/templates/pv_oasis_controller.yaml deleted file mode 100644 index d3f3d0b1a..000000000 --- a/kubernetes/charts/oasis-platform/templates/pv_oasis_controller.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -# Please edit the object below. Lines beginning with a '#' will be ignored, -# and an empty file will abort the edit. If an error occurs while saving this file will be -# reopened with the relevant failures. -# -apiVersion: v1 -kind: PersistentVolume -metadata: - annotations: - meta.helm.sh/release-name: platform - meta.helm.sh/release-namespace: default - pv.kubernetes.io/bound-by-controller: "yes" - creationTimestamp: "2023-12-27T11:48:52Z" - finalizers: - - kubernetes.io/pv-protection - labels: - app.kubernetes.io/managed-by: Helm - type: local - name: controller-worker-pv - resourceVersion: "8622619" - uid: 9f8f31fb-1005-4c90-ba47-276412b30e41 -spec: - accessModes: - - ReadWriteMany - capacity: - storage: 1Gi - claimRef: - apiVersion: v1 - kind: PersistentVolumeClaim - name: shared-fs-persistent-storage - namespace: default - resourceVersion: "8622617" - uid: b5eba303-d36c-483f-b09f-ccaf9233afa2 - hostPath: - path: /data/model-data/piwind/ - type: "" - persistentVolumeReclaimPolicy: Retain - storageClassName: standard - volumeMode: Filesystem -status: - phase: Bound - diff --git a/kubernetes/charts/oasis-platform/templates/pvc_oasis_controller.yaml b/kubernetes/charts/oasis-platform/templates/pvc_oasis_controller.yaml deleted file mode 100644 index 8c4a89591..000000000 --- a/kubernetes/charts/oasis-platform/templates/pvc_oasis_controller.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: shared-fs -spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 1Gi - volumeMode: Filesystem - storageClassName: standard - From 534c45ddb870818f00f514932d32cfeb155fe645 Mon Sep 17 00:00:00 2001 
From: Rodney Effah Date: Wed, 10 Jan 2024 15:00:04 +0100 Subject: [PATCH 5/7] updated readonly on all files --- kubernetes/charts/oasis-models/templates/workers.yaml | 4 ++-- kubernetes/charts/oasis-monitoring/templates/flower.yaml | 2 ++ kubernetes/charts/oasis-platform/templates/keycloak.yaml | 2 ++ kubernetes/charts/oasis-platform/templates/oasis.yaml | 2 ++ kubernetes/charts/oasis-platform/templates/oasis_server.yaml | 2 ++ .../oasis-platform/templates/oasis_worker_controller.yaml | 2 ++ 6 files changed, 12 insertions(+), 2 deletions(-) diff --git a/kubernetes/charts/oasis-models/templates/workers.yaml b/kubernetes/charts/oasis-models/templates/workers.yaml index 8ab6a8dad..eebf38238 100644 --- a/kubernetes/charts/oasis-models/templates/workers.yaml +++ b/kubernetes/charts/oasis-models/templates/workers.yaml @@ -33,8 +33,8 @@ spec: containers: - image: {{ .image }}:{{ .version }} {{- if .imagePullPolicy }} - securityContext: - readOnlyRootFilesystem: true + # securityContext: + # readOnlyRootFilesystem: true imagePullPolicy: {{ .imagePullPolicy }} {{- end }} name: worker diff --git a/kubernetes/charts/oasis-monitoring/templates/flower.yaml b/kubernetes/charts/oasis-monitoring/templates/flower.yaml index 6e9ddbc63..bac286cc1 100644 --- a/kubernetes/charts/oasis-monitoring/templates/flower.yaml +++ b/kubernetes/charts/oasis-monitoring/templates/flower.yaml @@ -25,6 +25,8 @@ spec: containers: - name: flower image: {{ .Values.monitoringImages.flower.image }}:{{- .Values.monitoringImages.flower.version }} + securityContext: + readOnlyRootFilesystem: true imagePullPolicy: IfNotPresent command: [ "celery" ] args: [ "flower", "--broker_api=http://guest:guest@broker:6379" ] diff --git a/kubernetes/charts/oasis-platform/templates/keycloak.yaml b/kubernetes/charts/oasis-platform/templates/keycloak.yaml index c16bc7175..1c19d0415 100644 --- a/kubernetes/charts/oasis-platform/templates/keycloak.yaml +++ b/kubernetes/charts/oasis-platform/templates/keycloak.yaml 
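Review bot: `readOnlyRootFilesystem: true` is added to the flower container without any writable volume for the paths the process writes to, and the same holds for the keycloak.yaml, oasis.yaml (celery-beat), oasis_server.yaml and oasis_worker_controller.yaml hunks of this commit, none of which adds an `emptyDir` or a mount. celery beat, for example, keeps its schedule in a `celerybeat-schedule` file in the working directory by default and the command shown has no `--schedule` option, so unless the application configures another scheduler it would fail on its first write. Each container should get an `emptyDir` mounted at `/tmp` and at any state directory it uses before the flag is switched on. The same block is the natural place for `allowPrivilegeEscalation: false` and `capabilities.drop: ["ALL"]` where the images permit. The container definitions continue outside these hunks, so mounts that already exist are not visible here.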
@@ -94,6 +94,8 @@ spec: containers: - name: {{ .Values.keycloak.name }} image: {{ .Values.images.keycloak.image }}:{{ .Values.images.keycloak.version }} + securityContext: + readOnlyRootFilesystem: true args: [ "start-dev", "--import-realm", diff --git a/kubernetes/charts/oasis-platform/templates/oasis.yaml b/kubernetes/charts/oasis-platform/templates/oasis.yaml index 3b29e2dbc..9bdd2eb58 100644 --- a/kubernetes/charts/oasis-platform/templates/oasis.yaml +++ b/kubernetes/charts/oasis-platform/templates/oasis.yaml @@ -202,6 +202,8 @@ spec: {{- include "h.initTcpAvailabilityCheckBySecret" (list . .Values.databases.oasis_db.name .Values.databases.celery_db.name .Values.databases.channel_layer.name) | nindent 8}} containers: - image: {{ .Values.images.oasis.platform.image }}:{{ .Values.images.oasis.platform.version }} + securityContext: + readOnlyRootFilesystem: true imagePullPolicy: {{ .Values.images.oasis.platform.imagePullPolicy }} name: celery-beat command: ["celery", "-A", "src.server.oasisapi.celery_app", "beat", "--loglevel=DEBUG"] diff --git a/kubernetes/charts/oasis-platform/templates/oasis_server.yaml b/kubernetes/charts/oasis-platform/templates/oasis_server.yaml index 19c004e70..4b2fd92a2 100644 --- a/kubernetes/charts/oasis-platform/templates/oasis_server.yaml +++ b/kubernetes/charts/oasis-platform/templates/oasis_server.yaml @@ -82,6 +82,8 @@ spec: {{- include "h.initTcpAvailabilityCheckBySecret" (list . .Values.databases.oasis_db.name .Values.databases.celery_db.name .Values.keycloak.name .Values.databases.broker.name) | nindent 8}} containers: - image: {{ .Values.images.oasis.platform.image }}:{{ .Values.images.oasis.platform.version }} + securityContext: + readOnlyRootFilesystem: true name: {{ .Values.oasisWebsocket.name }} imagePullPolicy: {{ .Values.images.oasis.platform.imagePullPolicy }} env: 
diff --git a/kubernetes/charts/oasis-platform/templates/oasis_worker_controller.yaml b/kubernetes/charts/oasis-platform/templates/oasis_worker_controller.yaml index 3efb7d59e..54ab811eb 100644 --- a/kubernetes/charts/oasis-platform/templates/oasis_worker_controller.yaml +++ b/kubernetes/charts/oasis-platform/templates/oasis_worker_controller.yaml @@ -57,6 +57,8 @@ spec: {{- include "h.initTcpAvailabilityCheckBySecret" (list . .Values.oasisWebsocket.name) | nindent 8}} containers: - image: {{ .Values.images.oasis.worker_controller.image }}:{{ .Values.images.oasis.worker_controller.version }} + securityContext: + readOnlyRootFilesystem: true imagePullPolicy: {{ .Values.images.oasis.worker_controller.imagePullPolicy }} name: main env: From 66542ac666a554846dea1082abded207f0a51d97 Mon Sep 17 00:00:00 2001 From: Rodney Effah Date: Mon, 15 Jan 2024 15:49:55 +0100 Subject: [PATCH 6/7] modified volume mounts on these files --- kubernetes/charts/oasis-models/templates/workers.yaml | 8 +++++--- .../charts/oasis-platform/templates/keycloak.yaml | 10 ++++++---- .../templates/oasis_worker_controller.yaml | 7 ++++--- 3 files changed, 15 insertions(+), 10 deletions(-) diff --git a/kubernetes/charts/oasis-models/templates/workers.yaml b/kubernetes/charts/oasis-models/templates/workers.yaml index eebf38238..914a5a1cc 100644 --- a/kubernetes/charts/oasis-models/templates/workers.yaml +++ b/kubernetes/charts/oasis-models/templates/workers.yaml @@ -16,7 +16,7 @@ spec: app: {{ $name }} strategy: type: Recreate - replicas: 1 + replicas: 0 template: metadata: labels: @@ -33,8 +33,6 @@ spec: containers: - image: {{ .image }}:{{ .version }} {{- if .imagePullPolicy }} - # securityContext: - # readOnlyRootFilesystem: true imagePullPolicy: {{ .imagePullPolicy }} {{- end }} name: worker @@ -65,6 +63,8 @@ spec: {{- end }} mountPath: {{ .mountPath }} {{- end }} + - name: celery-temp + mountPath: /tmp {{- if .registryCredentials }} imagePullSecrets: - name: {{ .registryCredentials }} 
@@ -97,6 +97,8 @@ spec: {{- end }} {{- end }} {{- end }} + - name: celery-temp + emptyDir: {} {{- if ($root.Values.azure).secretProvider }} - name: azure-secret-provider csi: diff --git a/kubernetes/charts/oasis-platform/templates/keycloak.yaml b/kubernetes/charts/oasis-platform/templates/keycloak.yaml index 1c19d0415..fbdafd84b 100644 --- a/kubernetes/charts/oasis-platform/templates/keycloak.yaml +++ b/kubernetes/charts/oasis-platform/templates/keycloak.yaml @@ -94,8 +94,6 @@ spec: containers: - name: {{ .Values.keycloak.name }} image: {{ .Values.images.keycloak.image }}:{{ .Values.images.keycloak.version }} - securityContext: - readOnlyRootFilesystem: true args: [ "start-dev", "--import-realm", @@ -173,10 +171,12 @@ spec: - name: realm-config mountPath: /opt/keycloak/data/import/oasis-realm.json subPath: oasis + - name: keycloak-temp + mountPath: /tmp volumes: - name: realm-config - #readOnly: true + readOnly: true configMap: name: {{ $realmSecretName }} {{- if (.Values.azure).secretProvider }} @@ -186,4 +186,6 @@ spec: readOnly: true volumeAttributes: secretProviderClass: "azure-secret-provider" -{{- end }} +{{- end }} + - name: keycloak-temp + emptyDir: {} diff --git a/kubernetes/charts/oasis-platform/templates/oasis_worker_controller.yaml b/kubernetes/charts/oasis-platform/templates/oasis_worker_controller.yaml index 54ab811eb..4c639cbe0 100644 --- a/kubernetes/charts/oasis-platform/templates/oasis_worker_controller.yaml +++ b/kubernetes/charts/oasis-platform/templates/oasis_worker_controller.yaml @@ -6,6 +6,7 @@ kind: ServiceAccount metadata: namespace: {{ .Release.Namespace }} name: {{ $workerControllerServiceAccountName }} +automountServiceAccountToken: false --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole 
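Review bot: The `celery-temp` volume in the workers.yaml hunk `@@ -97,6 +97,8 @@` is declared as `emptyDir: {}` with no `sizeLimit`, so a worker can fill the node's ephemeral storage through `/tmp`; `keycloak-temp` in the keycloak.yaml hunk `@@ -186,4 +186,6 @@` has the same shape. I would bound both, for example `emptyDir:` with `sizeLimit: 1Gi` nested under it (a constructed value; size it to the model runs). This commit also deletes the commented-out `securityContext` from the worker container rather than enabling it, so the worker gains a scratch mount but still runs with a writable root filesystem. If the mount was added to make `readOnlyRootFilesystem: true` possible, the flag should return, placed outside the `{{- if .imagePullPolicy }}` block.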
@@ -50,15 +51,15 @@ spec: annotations: checksum/{{ .Values.oasisServer.name }}: {{ toJson .Values.oasisWebsocket | sha256sum }} spec: - #automountServiceAccountToken: false + automountServiceAccountToken: true {{- include "h.affinity" . | nindent 6 }} serviceAccountName: {{ $workerControllerServiceAccountName }} initContainers: {{- include "h.initTcpAvailabilityCheckBySecret" (list . .Values.oasisWebsocket.name) | nindent 8}} containers: - image: {{ .Values.images.oasis.worker_controller.image }}:{{ .Values.images.oasis.worker_controller.version }} - securityContext: - readOnlyRootFilesystem: true + securityContext: + readOnlyRootFilesystem: true imagePullPolicy: {{ .Values.images.oasis.worker_controller.imagePullPolicy }} name: main env: From 95825cb6f1f03fbd0ca06e9a865c11e710606fb9 Mon Sep 17 00:00:00 2001 From: Rodney Effah Date: Mon, 15 Jan 2024 17:59:01 +0100 Subject: [PATCH 7/7] updated readonly --- kubernetes/charts/oasis-platform/templates/keycloak.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/kubernetes/charts/oasis-platform/templates/keycloak.yaml b/kubernetes/charts/oasis-platform/templates/keycloak.yaml index fbdafd84b..c8503a3c9 100644 --- a/kubernetes/charts/oasis-platform/templates/keycloak.yaml +++ b/kubernetes/charts/oasis-platform/templates/keycloak.yaml @@ -94,6 +94,8 @@ spec: containers: - name: {{ .Values.keycloak.name }} image: {{ .Values.images.keycloak.image }}:{{ .Values.images.keycloak.version }} + securityContext: + readOnlyRootfilesystem: true args: [ "start-dev", "--import-realm", @@ -172,7 +174,7 @@ spec: mountPath: /opt/keycloak/data/import/oasis-realm.json subPath: oasis - name: keycloak-temp - mountPath: /tmp + mountPath: /opt/keycloak/data/tmp volumes: - name: realm-config
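Review bot: The pod spec in the oasis_worker_controller.yaml hunk `@@ -50,15 +51,15 @@` sets `automountServiceAccountToken: true` while the `@@ -6,6 +6,7 @@` hunk of the same file sets it to `false` on the ServiceAccount the pod uses; the pod-level value takes precedence, so the token is mounted exactly as before. Default-off on the account with an explicit opt-in on the pod is a sound pattern, but nothing in the file says that is the intent, so I would add a comment above the pod-level line, `# opt in: the controller needs the API token; the ServiceAccount defaults to no mount`. The reach of the mounted token is decided by the rules of the `ClusterRole` declared just below the ServiceAccount, presumably bound to this account; those rules are outside the hunk and are where least privilege has to be checked. The pod spec continues outside the hunk.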
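Review bot: The key added in the keycloak.yaml hunk `@@ -94,6 +94,8 @@` of PATCH 7/7 is spelled `readOnlyRootfilesystem` with a lower-case `f`; the Kubernetes field is `readOnlyRootFilesystem` and field names are case-sensitive. Depending on the field-validation mode the install is either rejected or the unknown key is dropped, and in the second case Keycloak runs with a writable root while the chart appears hardened. The line should read `readOnlyRootFilesystem: true`. Once it takes effect, the only writable path provided is the `emptyDir` moved to `/opt/keycloak/data/tmp` in the `@@ -172,7 +174,7 @@` hunk; with `start-dev` Keycloak may also write elsewhere under `/opt/keycloak/data` (for instance an embedded database, if no external one is configured), so start-up should be tested with the flag on.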