MaikuMori / helm-charts

Maiku's Helm charts
https://artifacthub.io/packages/search?user=MaikuMori&sort=relevance
MIT License
18 stars 11 forks

Add tmp volume #19

Closed pschumacher closed 11 months ago

pschumacher commented 12 months ago

The Chromium module needs to be able to write to the /tmp directory of the container. When running the container with a read-only filesystem (securityContext.readOnlyRootFilesystem), this leads to the following Gotenberg error:

create request context: create working directory: create directory /tmp/6035cd1c-8e13-4e53-a871-c4c56d3e04bc: mkdir /tmp/6035cd1c-8e13-4e53-a871-c4c56d3e04bc: read-only file system

In order to support running a read-only filesystem, it should be possible to configure a volume that is mounted at /tmp.

Tasks:

MaikuMori commented 11 months ago

Hi, I'll review this shortly. Overall looks ok.

MaikuMori commented 11 months ago

My only concern is the default volume.

This is because now by default we're allocating up to 2Gb extra memory on the node. I would prefer to just comment the default volume out and leave it as an example for whoever needs it as a template.

An alternative would be to place it behind a flag.

What do you think?

pschumacher commented 11 months ago

Sounds good. I have commented the default volume out and added the option to define volumeMounts.

MaikuMori commented 11 months ago

Thanks for the PR. I think read-only rootfs is definitely the way to go. Maybe it should be supported more explicitly among other hardening settings in the future.
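The situation discussed in this thread, shown as a plain Kubernetes Pod manifest rather than the chart's own values file (this is an added example, not code from the PR or from the helm-charts repository): the first container runs Gotenberg with `readOnlyRootFilesystem: true` and no writable `/tmp`, which is the configuration that produces the `read-only file system` error quoted above; the second keeps the read-only root filesystem and mounts an `emptyDir` at `/tmp`. The image tag, the `sizeLimit` values and the memory-backed variant are assumptions for illustration, not the chart's defaults.

```yaml
# Constructed example: two variants of a Gotenberg pod with a read-only root filesystem.
# Image tag, resource values and size limits are assumed, not taken from the chart.
---
apiVersion: v1
kind: Pod
metadata:
  name: gotenberg-broken          # variant 1: fails with "mkdir /tmp/...: read-only file system"
spec:
  containers:
    - name: gotenberg
      image: gotenberg/gotenberg:8   # assumed tag
      securityContext:
        readOnlyRootFilesystem: true
        allowPrivilegeEscalation: false
        runAsNonRoot: true
      # No volumeMounts: Chromium cannot create its working directory under /tmp.
---
apiVersion: v1
kind: Pod
metadata:
  name: gotenberg-fixed            # variant 2: read-only rootfs kept, /tmp made writable
spec:
  containers:
    - name: gotenberg
      image: gotenberg/gotenberg:8   # assumed tag
      securityContext:
        readOnlyRootFilesystem: true
        allowPrivilegeEscalation: false
        runAsNonRoot: true
      resources:
        limits:
          memory: 1Gi              # assumed; a medium: Memory emptyDir is charged against this
      volumeMounts:
        - name: tmp
          mountPath: /tmp          # only this path becomes writable; the rest stays read-only
  volumes:
    - name: tmp
      emptyDir:
        sizeLimit: 512Mi           # assumed; bounds how much scratch space a single pod can use
        # medium: Memory           # optional: tmpfs-backed, faster, but the sizeLimit then counts
        #                          # as node/pod memory, which is the concern raised in the thread
```

With `medium: Memory` left out, the scratch directory lives on node disk and costs no RAM; enabling it trades disk I/O for memory that the pod's limit must accommodate, so a chart default that enables it for every install reserves that memory whether or not the user needs it. A quick check that the fix took effect is `kubectl exec gotenberg-fixed -- sh -c 'touch /tmp/probe && touch /probe'`: the first `touch` succeeds and the second fails with a read-only filesystem error, confirming that only `/tmp` is writable.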