Merge pull request #401 from netbox-community/ranger/feat/pvc-readonl…

…y-flags

feat: allow the worker and housekeeping to mount the media PVC readOnly

charts/netbox/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: netbox
-version: 5.0.0-beta.136
+version: 5.0.0-beta.137
 appVersion: "v4.1.5"
 type: application
 kubeVersion: ^1.25.0-0

charts/netbox/templates/cronjob.yaml

@@ -88,15 +88,18 @@ spec:
             - name: media
               mountPath: /opt/netbox/netbox/media
               subPath: {{ .Values.persistence.subPath | default "" | quote }}
+              readOnly: {{ .Values.housekeeping.readOnlyPersistence | default false }}
             {{- if .Values.reportsPersistence.enabled }}
             - name: reports
               mountPath: /opt/netbox/netbox/reports
               subPath: {{ .Values.reportsPersistence.subPath | default "" | quote }}
+              readOnly: {{ .Values.housekeeping.readOnlyPersistence | default false }}
             {{- end }}
             {{- if .Values.scriptsPersistence.enabled }}
             - name: scripts
               mountPath: /opt/netbox/netbox/scripts
               subPath: {{ .Values.scriptsPersistence.subPath | default "" | quote }}
+              readOnly: {{ .Values.housekeeping.readOnlyPersistence | default false }}
             {{- end }}
             {{- with .Values.housekeeping.extraVolumeMounts }}
             {{- toYaml . | nindent 12 }}
@@ -150,18 +153,21 @@ spec:
             {{- if .Values.persistence.enabled }}
             persistentVolumeClaim:
               claimName: {{ .Values.persistence.existingClaim | default (printf "%s-media" (include "common.names.fullname" .)) }}
+              readOnly: {{ .Values.housekeeping.readOnlyPersistence | default false }}
             {{- else }}
             emptyDir: {}
             {{- end }}
           {{- if .Values.reportsPersistence.enabled }}
           - name: reports
             persistentVolumeClaim:
               claimName: {{ .Values.reportsPersistence.existingClaim | default (printf "%s-reports" (include "common.names.fullname" .)) }}
+              readOnly: {{ .Values.housekeeping.readOnlyPersistence | default false }}
           {{- end }}
           {{- if .Values.scriptsPersistence.enabled }}
           - name: scripts
             persistentVolumeClaim:
               claimName: {{ .Values.scriptsPersistence.existingClaim | default (printf "%s-scripts" (include "common.names.fullname" .)) }}
+              readOnly: {{ .Values.housekeeping.readOnlyPersistence | default false }}
           {{- end }}
           {{- with .Values.housekeeping.extraVolumes }}
           {{- toYaml . | nindent 10 }}

charts/netbox/templates/worker/deployment.yaml

@@ -94,15 +94,18 @@ spec:
         - name: media
           mountPath: /opt/netbox/netbox/media
           subPath: {{ .Values.persistence.subPath | default "" | quote }}
+          readOnly: {{ .Values.worker.readOnlyPersistence | default false }}
         {{- if .Values.reportsPersistence.enabled }}
         - name: reports
           mountPath: /opt/netbox/netbox/reports
           subPath: {{ .Values.reportsPersistence.subPath | default "" | quote }}
+          readOnly: {{ .Values.worker.readOnlyPersistence | default false }}
         {{- end }}
         {{- if .Values.scriptsPersistence.enabled }}
         - name: scripts
           mountPath: /opt/netbox/netbox/scripts
           subPath: {{ .Values.scriptsPersistence.subPath | default "" | quote }}
+          readOnly: {{ .Values.worker.readOnlyPersistence | default false }}
         {{- end }}
         {{- with .Values.worker.extraVolumeMounts }}
         {{- toYaml . | nindent 8 }}
@@ -163,18 +166,21 @@ spec:
         {{- if .Values.persistence.enabled }}
         persistentVolumeClaim:
           claimName: {{ .Values.persistence.existingClaim | default (printf "%s-media" (include "common.names.fullname" .)) }}
+          readOnly: {{ .Values.worker.readOnlyPersistence | default false }}
         {{- else }}
         emptyDir: {}
         {{- end }}
       {{- if .Values.reportsPersistence.enabled }}
       - name: reports
         persistentVolumeClaim:
           claimName: {{ .Values.reportsPersistence.existingClaim | default (printf "%s-reports" (include "common.names.fullname" .)) }}
+          readOnly: {{ .Values.worker.readOnlyPersistence | default false }}
       {{- end }}
       {{- if .Values.scriptsPersistence.enabled }}
       - name: scripts
         persistentVolumeClaim:
           claimName: {{ .Values.scriptsPersistence.existingClaim | default (printf "%s-scripts" (include "common.names.fullname" .)) }}
+          readOnly: {{ .Values.worker.readOnlyPersistence | default false }}
       {{- end }}
       {{- with .Values.worker.extraVolumes }}
       {{- toYaml . | nindent 6 }}

charts/netbox/values.schema.json

@@ -525,6 +525,9 @@
           },
           "type": "object"
         },
+        "readOnlyPersistence": {
+          "type": "boolean"
+        },
         "resources": {
           "$ref": "#/$defs/resources"
         },
@@ -1444,6 +1447,9 @@
         "replicaCount": {
           "type": "integer"
         },
+        "readOnlyPersistence": {
+          "type": "boolean"
+        },
         "resources": {
           "properties": {},
           "type": "object"

charts/netbox/values.yaml

@@ -1324,6 +1324,9 @@ housekeeping:
   ##     memory: 1024Mi
   ##
   resources: {}
+  ## @param housekeeping.readOnlyPersistence Whether to mount media, script, and report directories as read-only
+  ##
+  readOnlyPersistence: false
   ## @param housekeeping.extraEnvs Extra environment variables to be set on containers
   ## E.g:
   ## extraEnvs:
@@ -1480,6 +1483,9 @@ worker:
   ##     memory: 1024Mi
   ##
   resources: {}
+  ## @param worker.readOnlyPersistence Whether to mount media, script, and report directories as read-only
+  ##
+  readOnlyPersistence: false
   ## @param worker.automountServiceAccountToken Mount Service Account token in pod
   ##
   automountServiceAccountToken: false