From bccb9a7d0d0f3337f3b3c1ce1ca3db9b94d8d460 Mon Sep 17 00:00:00 2001 From: wkbrd <30599409+wkbrd@users.noreply.github.com> Date: Thu, 23 Oct 2025 08:49:05 -0400 Subject: [PATCH] Support for running with a read-only root filesystem for improved security. This involves an init container that merges configuration items from defaults and any overrides. --- charts/questdb/templates/_helpers.tpl | 1 + .../templates/init_config_scripts.yaml | 17 +++++ charts/questdb/templates/statefulset.yaml | 63 ++++++++++++++----- charts/questdb/values.yaml | 12 ++++ 4 files changed, 78 insertions(+), 15 deletions(-) create mode 100644 charts/questdb/templates/init_config_scripts.yaml diff --git a/charts/questdb/templates/_helpers.tpl b/charts/questdb/templates/_helpers.tpl index 5be66e3..48dba79 100644 --- a/charts/questdb/templates/_helpers.tpl +++ b/charts/questdb/templates/_helpers.tpl @@ -89,6 +89,7 @@ Generate mime.types file content {{- end }} {{- end }} +{{/* Build openshift detection */}} {{- define "isOpenshiftEnabled" -}} diff --git a/charts/questdb/templates/init_config_scripts.yaml b/charts/questdb/templates/init_config_scripts.yaml new file mode 100644 index 0000000..ab25175 --- /dev/null +++ b/charts/questdb/templates/init_config_scripts.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "questdb.fullname" . }}-config-scripts + labels: + {{- include "questdb.labels" . | nindent 4 }} +data: + prepare_config.sh: | + #!/bin/bash + data_dir="$1" + + if [ -d "${data_dir}"/override_conf/ ] ; then + # Copy override configuration files + cp "${data_dir}"/override_conf/* "${data_dir}"/merged_conf/ + fi + + echo "Configuration preparation complete" diff --git a/charts/questdb/templates/statefulset.yaml b/charts/questdb/templates/statefulset.yaml index 9c163a5..b790a47 100644 --- a/charts/questdb/templates/statefulset.yaml +++ b/charts/questdb/templates/statefulset.yaml 
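Review bot: prepare_config.sh in the new ConfigMap runs without `set -euo pipefail`, so if the `cp` of the override files fails the script still prints "Configuration preparation complete", the init container exits 0, and QuestDB starts with the operator's server.conf or log.conf override silently missing. Adding `set -euo pipefail` on the line after `#!/bin/bash` makes the pod fail at rollout instead, where the problem is visible. The existing `-d` guard still covers the case where no override is enabled, since override_conf/ presumably only exists when at least one subPath mount creates it. The script also only copies overrides although the commit message describes a merge with defaults; if the intent is that QuestDB populates the remaining defaults itself in the now-writable conf emptyDir, a comment saying so in the script would spare the next reader the question.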
@@ -50,23 +50,16 @@ spec:
 {{ toYaml .Values.questdb.envFrom | nindent 10 }}
 {{- end }}
 volumeMounts:
+ - name: tmpfs-tmp
+ mountPath: /tmp
+ - name: tmpfs-questdb-import
+ mountPath: /var/lib/questdb/import
+ - name: tmpfs-questdb-public
+ mountPath: /var/lib/questdb/public
 - name: {{ include "questdb.fullname" . }}
 mountPath: {{ .Values.questdb.dataDir }}
- {{- if .Values.questdb.serverConfig.enabled }}
- - name: server-config
- mountPath: {{ .Values.questdb.dataDir }}/conf/server.conf
- subPath: server.conf
- {{- end }}
- {{- if .Values.questdb.loggingConfig.enabled }}
- - name: logging-config
- mountPath: {{ .Values.questdb.dataDir }}/conf/log.conf
- subPath: log.conf
- {{- end }}
- {{- if .Values.questdb.mimeConfig.enabled }}
- - name: mime-config
- mountPath: {{ .Values.questdb.dataDir }}/conf/mime.types
- subPath: mime.types
- {{- end }}
+ - name: config-mount
+ mountPath: {{ .Values.questdb.dataDir }}/conf
 {{- if .Values.extraVolumeMounts }}
 {{ toYaml .Values.extraVolumeMounts | nindent 10 }}
 {{- end }}
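Review bot: The new `tmpfs-questdb-import` and `tmpfs-questdb-public` mounts hard-code `/var/lib/questdb/import` and `/var/lib/questdb/public`, while the adjacent data and conf mounts derive their paths from `{{ .Values.questdb.dataDir }}`; with a non-default dataDir these emptyDirs land outside the QuestDB root and do nothing useful. `mountPath: {{ .Values.questdb.dataDir }}/import` and `mountPath: {{ .Values.questdb.dataDir }}/public` keep the three writable locations in step with the rest of the spec. Note too that, assuming dataDir defaults to /var/lib/questdb, import and public previously sat on the persistent volume mounted at dataDir and are now ephemeral, so anything placed in import is lost on pod restart; if that is intended it deserves a comment in values.yaml. The enclosing container spec starts before this hunk.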
@@ -99,6 +92,35 @@ spec:
 {{- toYaml .Values.sidecars | nindent 8 }}
 {{- end }}
 initContainers:
+ - name: init-config-prep
+ image: "{{ .Values.configPrep.image.repository }}:{{ .Values.configPrep.image.tag }}"
+ command: ["bash", "/mnt/prep_scripts/prepare_config.sh", "{{ .Values.questdb.dataDir }}"]
+ securityContext:
+ {{- include "generateSecurityContext" . | nindent 12 }}
+ volumeMounts:
+ - name: prep-scripts
+ mountPath: /mnt/prep_scripts
+ - name: config-mount
+ mountPath: {{ .Values.questdb.dataDir }}/merged_conf
+ {{- if .Values.questdb.serverConfig.enabled }}
+ - name: server-config
+ mountPath: {{ .Values.questdb.dataDir }}/override_conf/server.conf
+ subPath: server.conf
+ {{- end }}
+ {{- if .Values.questdb.loggingConfig.enabled }}
+ - name: logging-config
+ mountPath: {{ .Values.questdb.dataDir }}/override_conf/log.conf
+ subPath: log.conf
+ {{- end }}
+ {{- if .Values.questdb.mimeConfig.enabled }}
+ - name: mime-config
+ mountPath: {{ .Values.questdb.dataDir }}/override_conf/mime.types
+ subPath: mime.types
+ {{- end }}
+ {{- if .Values.configPrep.resources }}
+ resources:
+ {{- toYaml .Values.configPrep.resources | nindent 12}}
+ {{- end }}
 - name: init-db-migration
 image: "{{ .Values.dataMigration.image.repository }}:{{ .Values.dataMigration.image.tag }}"
 command: ["bash", "/mnt/migration_scripts/migrate_to_helm_v1.sh"]
@@ -129,6 +151,17 @@ spec:
 {{- toYaml . | nindent 8 }}
 {{- end }}
 volumes:
+ - name: tmpfs-tmp
+ emptyDir: {}
+ - name: tmpfs-questdb-import
+ emptyDir: {}
+ - name: tmpfs-questdb-public
+ emptyDir: {}
+ - name: config-mount
+ emptyDir: {}
+ - name: prep-scripts
+ configMap:
+ name: {{ include "questdb.fullname" . }}-config-scripts
 {{- if .Values.questdb.serverConfig.enabled }}
 - name: server-config
 {{- if eq .Values.questdb.configStorageType "Secret" }}
diff --git a/charts/questdb/values.yaml b/charts/questdb/values.yaml
index 8365685..c34129b 100644
--- a/charts/questdb/values.yaml
+++ b/charts/questdb/values.yaml
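Review bot: The init-config-prep container sets no `imagePullPolicy`, although the values.yaml hunk in this same commit adds `configPrep.image.pullPolicy: IfNotPresent`, so that value is dead and the policy falls back to the Kubernetes default derived from the tag. Adding `imagePullPolicy: {{ .Values.configPrep.image.pullPolicy }}` under the `image:` line wires it up. As a style point, `{{- toYaml .Values.configPrep.resources | nindent 12}}` drops the space before `}}` that every other action in this hunk has. The container also runs under the shared `generateSecurityContext`, which this commit makes read-only-root; that works here only because the script writes solely into the `config-mount` volume, and a one-line comment above the include recording that dependency would keep a future edit to the script from breaking it.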
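Review bot: The volumes named `tmpfs-tmp`, `tmpfs-questdb-import` and `tmpfs-questdb-public` are declared as `emptyDir: {}`, which is backed by the node's disk rather than tmpfs, so the name promises memory backing that the manifest does not deliver. `config-mount` is the case that matters: when `configStorageType` is `Secret`, the init container copies server.conf out of the Secret into this disk-backed emptyDir, where it outlives the Secret mount's own handling. Either switch these to `emptyDir: { medium: Memory }` (and consider a `sizeLimit`, since memory-backed emptyDirs are charged against the container's memory limit) or rename the volumes so the backing is not misread by the next maintainer.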
@@ -14,6 +14,7 @@ podSecurityContext: type: RuntimeDefault securityContext: + readOnlyRootFilesystem: true capabilities: drop: - ALL @@ -142,6 +143,17 @@ dataMigration: limits: memory: "1Gi" +configPrep: + image: + repository: debian + pullPolicy: IfNotPresent + tag: 12.10-slim + resources: + requests: + memory: "256Mi" + limits: + memory: "256Mi" + # openshift openshift: enabled: detect \ No newline at end of file
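Review bot: `configPrep.image.repository: debian` is an unqualified image reference and `tag: 12.10-slim` is a mutable tag, so the init container's image is resolved through whatever default registry the container runtime is configured with and can change underneath a fixed chart version. Writing `repository: docker.io/library/debian` makes the source explicit and matches how clusters with registry mirrors or allow-lists expect references to look. Pinning by digest would be the natural next step if the chart grows a `digest` value for this image, as the other image blocks in values.yaml are outside this hunk and may already set a precedent worth following.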