feat(helm): read-only root filesystem support (ArcadeDB 26.6.1)#10
Conversation
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…tFilesystem Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…ootFilesystem Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
… tests Addresses code review: rename volume example/test names off the chart-reserved arcadedb-config, add raft volumeMount/autoscaling coverage, and note the read-only root default in NOTES.txt.
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request implements read-only root filesystem support for the ArcadeDB Helm chart by upgrading to ArcadeDB version 26.6.1 and hardening the container security posture. It introduces default configurations for securityContext.readOnlyRootFilesystem: true and configures automatic writable emptyDir mounts for logs, /tmp, Raft storage, and database/config directories when persistence is disabled. The environment variable ARCADEDB_LOG_DIR and JVM arguments are wired accordingly, backed by comprehensive unit test updates and design documentation. No review comments were provided, so there is no feedback to address.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
1 participant
Summary
Updates the chart for ArcadeDB 26.6.1 and ships full
securityContext.readOnlyRootFilesystem: truehardening that works out of the box. ArcadeDB 26.6.1 adds two settings (arcadedb-docs@0200db0) specifically to enable a read-only root; this wires them into the chart and auto-provisions every writable path the server needs.Changes
New values
arcadedb.logsDirectory(/home/arcadedb/log) — forwarded via theARCADEDB_LOG_DIRenv var (the documented, resolved-very-early mechanism the server scripts honor).arcadedb.ha.raftStorageDirectory(/home/arcadedb/raft) — emitted as-Darcadedb.ha.raftStorageDirectory, gated on the HA condition.securityContext.readOnlyRootFilesystem: trueby default.Writable mounts (auto-provided)
arcadedb-logsand/tmpemptyDirs — always.arcadedb-raftemptyDir — only when HA is active (replicaCount > 1or autoscaling enabled).The database/config mounts are now always present — only the volume source swaps between PVC and emptyDir, so persistent-mode behavior is unchanged. Logs and Raft storage were already ephemeral (container writable layer), so emptyDir preserves their durability semantics.
Version
version+appVersion→26.6.1(also fixes two stale26.4.2unit-test assertions).Testing
make test-unit: 134/134 passing (new coverage for the log env/mount,/tmp, raft wiring incl. the autoscaling HA path, and the negative single-node case).make lint: clean.Notes
make test-integration) was not run here: it requires thearcadedata/arcadedb:26.6.1image to be published. Once available, the existing 3-pod HA suite exercises the read-only-root path end-to-end.readOnlyRootFilesystem: trueis a behavior change for existing deployments;NOTES.txtnow documents the escape hatch (set it tofalse) for sidecars/init containers that write to the root FS.🤖 Generated with Claude Code