DEVOPS-3101-fixed-readOnlyRootFilesystem-issue-for-artifacts-and-keycloak (#143)

yitzhaktal · web-flow · commit 540cade5e4a3 · 2025-10-05T16:32:24.000+03:00
diff --git a/chart/templates/artifacts/deployment.yaml b/chart/templates/artifacts/deployment.yaml
@@ -86,6 +86,12 @@ spec:
               mountPath: /cert/
               readOnly: true
           {{- end }}
+          {{- if .Values.general.readOnlyRootFilesystem }}
+            - name: tmpfs
+              mountPath: /var/lib/nginx/tmp
+            - name: tmpfs
+              mountPath: /tmp
+          {{- end }}          
       {{- if .Values.general.tolerations }}
       tolerations:
         {{ toYaml .Values.general.tolerations | nindent 8 }}
@@ -111,3 +117,8 @@ spec:
           secretName: {{ .Values.general.internal_tls.certificates.existing_certificates.artifacts }}
           {{- end }}
       {{- end }}
+      {{- if .Values.general.readOnlyRootFilesystem }}
+      - name: tmpfs
+        emptyDir:
+          sizeLimit: {{ .Values.general.readOnlyRootFilesystem_tmpfs_sizeLimit }}
+      {{- end -}}
diff --git a/chart/templates/helpers/_keycloak_initContainer.tpl b/chart/templates/helpers/_keycloak_initContainer.tpl
@@ -1,6 +1,9 @@
 {{ define "lightrun-keycloak.initContainer.read-only-rootfs" }}
       - args:
-          - cp -R /opt/* /keycloak-empty-dir/
+          - >
+            cp -R /opt/* /keycloak-empty-dir/ &&
+            cd /opt &&
+            find . -type f -exec touch -r {} /keycloak-empty-dir/{} \; 2>/dev/null
         command:
           - /bin/sh
           - -c
