Closed pschumacher closed 11 months ago
Hi, I'll review this shortly. Overall looks ok.
My only concern is the default volume.
This is because now by default we're allocating up to 2Gb extra memory on the node. I would prefer to just comment the default volume out and leave it as an example for whoever needs it as a template.
An alternative would be to place it behind a flag.
What do you think?
Sounds good. I have commented the default volume out and added the option to define volumeMounts.
Thanks for the PR. I think read-only rootfs is definitely the way to go. Maybe it should be supported more explicitly among other hardening settings in the future.
The Chromium module needs to be able to write to the /tmp directory of the container. When running the container with a read-only filesystem (securityContext.readOnlyRootFilesystem), this leads to the following Gotenberg error:
create request context: create working directory: create directory /tmp/6035cd1c-8e13-4e53-a871-c4c56d3e04bc: mkdir /tmp/6035cd1c-8e13-4e53-a871-c4c56d3e04bc: read-only file system
In order to support running a read-only filesystem, it should be possible to configure a volume that is mounted at /tmp.
Tasks:
Chart.yaml
CHANGELOG.md
helm-docs
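The setup the PR description asks for, as an added example that is not part of the original PR or the chart's own templates: a plain Kubernetes Deployment with a read-only root filesystem and a writable emptyDir mounted at /tmp. The resource names, the image tag placeholder and the size limit are assumptions.

```yaml
# Added example: raw Kubernetes manifest, not the chart's values.yaml.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gotenberg                    # assumed name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: gotenberg                 # assumed label
  template:
    metadata:
      labels:
        app: gotenberg
    spec:
      containers:
        - name: gotenberg
          image: gotenberg/gotenberg:TAG   # placeholder: pin the tag you deploy
          securityContext:
            # Without the /tmp mount below, this setting produces the
            # "mkdir /tmp/...: read-only file system" error quoted above.
            readOnlyRootFilesystem: true
          volumeMounts:
            - name: tmp
              mountPath: /tmp        # the only writable path in the container
      volumes:
        - name: tmp
          emptyDir:
            # Disk-backed by default. A pod that writes more than sizeLimit
            # is evicted, so /tmp cannot fill the node's disk.
            sizeLimit: 1Gi           # assumed cap, size it to your workload
            # medium: Memory         # tmpfs: faster, but everything written
            #                        # to /tmp then consumes node memory
```

Leaving `medium: Memory` commented out keeps the volume on node disk, which avoids the extra memory allocation raised in the review.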