RHIDP-5901: readOnlyRootFilesystem option (redhat-developer#938)

pabel-rh · web-flow · commit 9e97a369b7ed · 2025-02-27T14:04:16.000+01:00
* Added content

* Minor changes

* Incorporated Armel's comments

* Incorporated Lindsey's comment

* added to master

* Minor comment

* Added bullet points
diff --git a/assemblies/assembly-configuring-readonlyrootfilesystem.adoc b/assemblies/assembly-configuring-readonlyrootfilesystem.adoc
@@ -0,0 +1,13 @@
+:_mod-docs-content-type: ASSEMBLY
+:context: readonlyrootfilesystem
+[id="{context}"]
+= Configuring readOnlyRootFilesystem in {product}
+
+The {product} deployment consists of two containers: an `initContainer` that installs the Dynamic Plugins, and a backend container that runs the application. The `initContainer` has the `readOnlyRootFilesystem` option enabled by default. To enable this option on the backend container, you must either have permission to deploy resources through Helm or to create or update a CR for Operator-backed deployments. You can manually configure the `readOnlyRootFilesystem` option on the backend container by using the following methods:
+
+* The {product} Operator
+* The {product} Helm chart
+
+ include::modules/configuring-readonlyrootfilesystem/proc-configuring-readonlyrootfilesystem-option-in-rhdh-operator-deployment.adoc[leveloffset=+1]
+
+ include::modules/configuring-readonlyrootfilesystem/proc-configuring-readonlyrootfilesystem-option-in-rhdh-helm-chart-deployment.adoc[leveloffset=+1]
diff --git a/modules/configuring-readonlyrootfilesystem/proc-configuring-readonlyrootfilesystem-option-in-rhdh-helm-chart-deployment.adoc b/modules/configuring-readonlyrootfilesystem/proc-configuring-readonlyrootfilesystem-option-in-rhdh-helm-chart-deployment.adoc
@@ -0,0 +1,15 @@
+[id="proc-configuring-readonlyrootfilesystem-option-in-rhdh-helm-chart-deployment"]
+= Configuring the readOnlyRootFilesystem option in a {product} Helm chart deployment
+
+.Procedure
+. In your 'values.yaml' file, add the `readOnlyRootFilesystem: true` line to the `containerSecurityContext` section. For example:
++
+====
+[source,yaml,subs="+attributes,+quotes"]
+----
+upstream:
+  backstage:
+    containerSecurityContext:
+      readOnlyRootFilesystem: true
+----
+====
diff --git a/modules/configuring-readonlyrootfilesystem/proc-configuring-readonlyrootfilesystem-option-in-rhdh-operator-deployment.adoc b/modules/configuring-readonlyrootfilesystem/proc-configuring-readonlyrootfilesystem-option-in-rhdh-operator-deployment.adoc
@@ -0,0 +1,25 @@
+[id="proc-configuring-readonlyrootfilesystem-option-in-rhdh-operator-deployment"]
+= Configuring the readOnlyRootFilesystem option in a {product} Operator deployment
+
+When you are deploying {product-short} using the Operator, you must specify a `patch` for the `deployment` in your `{product-custom-resource-type}` custom resource (CR) that applies the `readOnlyRootFilesystem` option to the `securityContext` section in the {product-short} backend container.
+
+.Procedure
+
+. In your `{product-custom-resource-type}` CR, add the `securityContext` specification. For example:
++
+====
+[source,yaml,subs="+attributes,+quotes"]
+----
+spec:
+  deployment:
+    patch:
+      spec:
+        template:
+          spec:
+            containers:
+              - name: backstage-backend <1>
+                securityContext:
+                  readOnlyRootFilesystem: true
+----
+====
+<1> Name of the main container defined in the Operator default configuration. 
diff --git a/modules/configuring/proc-mounting-additional-files-in-your-custom-configuration-using-rhdh-operator.adoc b/modules/configuring/proc-mounting-additional-files-in-your-custom-configuration-using-rhdh-operator.adoc
@@ -11,7 +11,7 @@ The `mountPath` field specifies the location where a ConfigMap or Secret is moun
 
 [NOTE]
 ====
-* {ocp-short} does not automatically update a volume mounted with `subPath`. By default, the {product-very-short} operator monitors these ConfigMaps or Secrets and refreshes the {product-very-short} Pod when changes occur.
+* {ocp-short} does not automatically update a volume mounted with `subPath`. By default, the {product-very-short} Operator monitors these ConfigMaps or Secrets and refreshes the {product-very-short} Pod when changes occur.
 * For security purposes, {product} does not give the Operator Service Account read access to Secrets. As a result, mounting files from Secrets without specifying both mountPath and key is not supported.
 ====
 
diff --git a/modules/configuring/proc-using-the-operator-to-run-rhdh-with-your-custom-configuration.adoc b/modules/configuring/proc-using-the-operator-to-run-rhdh-with-your-custom-configuration.adoc
@@ -1,7 +1,7 @@
 [id="using-the-operator-to-run-rhdh-with-your-custom-configuration"]
-= Using the {product} operator to run {product-short} with your custom configuration
+= Using the {product} Operator to run {product-short} with your custom configuration
 
-To use the {product-short} operator to run {product} with your custom configuration, create your {product-custom-resource-type} custom resource (CR) that:
+To use the {product-short} Operator to run {product} with your custom configuration, create your {product-custom-resource-type} custom resource (CR) that:
 
 * Mounts files provisioned in your custom config maps.
 * Injects environment variables provisioned in your custom secrets.
diff --git a/titles/configuring/master.adoc b/titles/configuring/master.adoc
@@ -18,6 +18,9 @@ include::assemblies/assembly-configuring-external-postgresql-databases.adoc[leve
 include::modules/configuring-deployment/proc-configuring-deployment-by-using-the-operator.adoc[leveloffset=+1]
 
 
+include::assemblies/assembly-configuring-readonlyrootfilesystem.adoc[leveloffset=+1]
+
+
 include::assemblies/assembly-configuring-a-proxy.adoc[leveloffset=+1]
 
 
