4 changes: 2 additions & 2 deletions charts/arcadedb/Chart.yaml
Expand Up @@ -5,8 +5,8 @@ description: |

type: application

version: 26.5.1
version: 26.6.1

appVersion: "26.5.1"
appVersion: "26.6.1"
annotations:
artifacthub.io/repositoryID: "fb85acb7-fb5b-4572-b44b-374a2b52658d"
7 changes: 7 additions & 0 deletions charts/arcadedb/templates/NOTES.txt
Expand Up @@ -25,3 +25,10 @@
WARNING: persistence.enabled is false. Database data is EPHEMERAL and will be lost when pods restart.
Set persistence.enabled=true (the default) for any non-ephemeral deployment.
{{- end }}
{{- if .Values.securityContext.readOnlyRootFilesystem }}

NOTE: The container root filesystem is read-only by default (securityContext.readOnlyRootFilesystem=true).
ArcadeDB's database, config, logs, Raft storage, and /tmp are backed by writable mounts automatically.
If you add sidecars/init containers or custom paths that write to the root filesystem, either mount a
writable volume for them or set securityContext.readOnlyRootFilesystem=false.
{{- end }}
33 changes: 28 additions & 5 deletions charts/arcadedb/templates/statefulset.yaml
Expand Up @@ -62,6 +62,7 @@ spec:
- -Darcadedb.ha.k8sSuffix={{ include "arcadedb.k8sSuffix" . }}
- -Darcadedb.ha.serverList={{ include "arcadedb.nodenames" . }}
- -Darcadedb.ha.raftPort={{ .Values.service.rpc.port }}
- -Darcadedb.ha.raftStorageDirectory={{ .Values.arcadedb.ha.raftStorageDirectory }}
{{- end }}
{{- with .Values.arcadedb.extraCommands }}
{{- toYaml . | nindent 12 }}
Expand All @@ -80,13 +81,17 @@ spec:
{{- toYaml . | nindent 12 }}
{{- end }}
volumeMounts:
{{- if .Values.persistence.enabled }}
- name: arcadedb-data
mountPath: {{ .Values.arcadedb.databaseDirectory }}
{{- end }}
{{- if .Values.persistence.config.enabled }}
- name: arcadedb-config
mountPath: {{ .Values.arcadedb.configDirectory }}
- name: arcadedb-logs
mountPath: {{ .Values.arcadedb.logsDirectory }}
- name: arcadedb-tmp
mountPath: /tmp
{{- if or (gt (int .Values.replicaCount) 1) .Values.autoscaling.enabled }}
- name: arcadedb-raft
mountPath: {{ .Values.arcadedb.ha.raftStorageDirectory }}
{{- end }}
{{- with .Values.volumeMounts }}
{{- toYaml . | nindent 12 }}
Expand All @@ -113,13 +118,31 @@ spec:
name: arcadedb-credentials-secret
key: rootPassword
{{- end }}
- name: ARCADEDB_LOG_DIR
value: {{ .Values.arcadedb.logsDirectory | quote }}
{{- with .Values.arcadedb.extraEnvironment }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.volumes }}
volumes:
- name: arcadedb-logs
emptyDir: {}
- name: arcadedb-tmp
emptyDir: {}
{{- if or (gt (int .Values.replicaCount) 1) .Values.autoscaling.enabled }}
- name: arcadedb-raft
emptyDir: {}
{{- end }}
{{- if not .Values.persistence.enabled }}
- name: arcadedb-data
emptyDir: {}
{{- end }}
{{- if not .Values.persistence.config.enabled }}
- name: arcadedb-config
emptyDir: {}
{{- end }}
{{- with .Values.volumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
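Review bot: The chart-managed volumes in the new `volumes:` block (`arcadedb-logs`, `arcadedb-tmp`, and the `arcadedb-raft`/`arcadedb-data`/`arcadedb-config` fallbacks) are all declared as `emptyDir: {}` with no `sizeLimit`. Log or temp-file growth is therefore bounded only by the node's ephemeral storage and can end in node-pressure eviction of this pod and its neighbours. Consider an `emptyDir:` mapping with `sizeLimit: {{ .Values.<new-key> | quote }}`, where `<new-key>` is a placeholder for a values entry this chart does not define yet. Separately, the condition `or (gt (int .Values.replicaCount) 1) .Values.autoscaling.enabled` is repeated for the raft mount and the raft volume and has to stay in step with the `if` guarding the `-Darcadedb.ha.raftStorageDirectory` argument, which opens outside the first hunk; a shared named template would keep the three from drifting.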
166 changes: 158 additions & 8 deletions charts/arcadedb/tests/statefulset_test.yaml
Expand Up @@ -47,7 +47,7 @@ tests:
asserts:
- equal:
path: "spec.template.spec.containers[0].image"
value: arcadedata/arcadedb:26.4.2
value: arcadedata/arcadedb:26.6.1

- it: image.tag override wins over AppVersion default
set:
Expand All @@ -64,7 +64,7 @@ tests:
asserts:
- equal:
path: "spec.template.spec.containers[0].image"
value: my-registry.example.com/arcadedb-fork:26.4.2
value: my-registry.example.com/arcadedb-fork:26.6.1

- it: image.pullPolicy default is IfNotPresent and is overridable
asserts:
Expand Down Expand Up @@ -204,6 +204,9 @@ tests:
- equal:
path: spec.template.spec.containers[0].securityContext.capabilities.drop[0]
value: ALL
- equal:
path: spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem
value: true

- it: pod-level security context can be overridden
set:
Expand Down Expand Up @@ -231,14 +234,22 @@ tests:
path: spec.volumeClaimTemplates[0].spec.resources.requests.storage
value: 8Gi

- it: persistence disabled removes volumeMount and volumeClaimTemplate
- it: persistence disabled drops the data VCT and backs the data dir with an emptyDir
set:
persistence.enabled: false
asserts:
- isEmpty:
path: spec.volumeClaimTemplates
- isEmpty:
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
name: arcadedb-data
mountPath: /home/arcadedb/databases
- contains:
path: spec.template.spec.volumes
content:
name: arcadedb-data
emptyDir: {}

- it: persistence size and storageClass overrides flow through
set:
Expand Down Expand Up @@ -430,15 +441,15 @@ tests:
- it: extra volumeClaimTemplates flow through alongside the data PVC
set:
volumeClaimTemplates:
- metadata: { name: arcadedb-config }
- metadata: { name: arcadedb-backups }
spec:
accessModes: [ReadWriteOnce]
resources: { requests: { storage: 1Gi } }
asserts:
- lengthEqual: { path: spec.volumeClaimTemplates, count: 2 }
- equal:
path: spec.volumeClaimTemplates[1].metadata.name
value: arcadedb-config
value: arcadedb-backups

- it: command includes default databaseDirectory and defaultDatabases flags
asserts:
Expand All @@ -463,13 +474,18 @@ tests:

# ── config persistence ──────────────────────────────────────────────────────

- it: config persistence disabled by default — no config volumeMount or VCT
- it: config persistence disabled by default — config dir is a writable emptyDir, no VCT
asserts:
- notContains:
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
name: arcadedb-config
mountPath: /home/arcadedb/config
- contains:
path: spec.template.spec.volumes
content:
name: arcadedb-config
emptyDir: {}
- notExists:
path: spec.volumeClaimTemplates[1]

Expand Down Expand Up @@ -562,3 +578,137 @@ tests:
resources:
requests:
storage: 1Gi

- it: log dir is wired via ARCADEDB_LOG_DIR and backed by a writable emptyDir
asserts:
- contains:
path: spec.template.spec.containers[0].env
content:
name: ARCADEDB_LOG_DIR
value: /home/arcadedb/log
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
name: arcadedb-logs
mountPath: /home/arcadedb/log
- contains:
path: spec.template.spec.volumes
content:
name: arcadedb-logs
emptyDir: {}

- it: a writable emptyDir is mounted at /tmp for the JVM
asserts:
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
name: arcadedb-tmp
mountPath: /tmp
- contains:
path: spec.template.spec.volumes
content:
name: arcadedb-tmp
emptyDir: {}

- it: arcadedb.logsDirectory override flows through to env and mount
set:
arcadedb.logsDirectory: /var/log/arcadedb
asserts:
- contains:
path: spec.template.spec.containers[0].env
content:
name: ARCADEDB_LOG_DIR
value: /var/log/arcadedb
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
name: arcadedb-logs
mountPath: /var/log/arcadedb
- contains:
path: spec.template.spec.volumes
content:
name: arcadedb-logs
emptyDir: {}

- it: config persistence enabled uses the PVC, not an emptyDir
set:
persistence.config.enabled: true
asserts:
- notContains:
path: spec.template.spec.volumes
content:
name: arcadedb-config
emptyDir: {}

- it: HA active wires raftStorageDirectory arg and a writable raft emptyDir
set:
replicaCount: 3
asserts:
- contains:
path: spec.template.spec.containers[0].command
content: -Darcadedb.ha.raftStorageDirectory=/home/arcadedb/raft
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
name: arcadedb-raft
mountPath: /home/arcadedb/raft
- contains:
path: spec.template.spec.volumes
content:
name: arcadedb-raft
emptyDir: {}

- it: single-node has no raft storage wiring
asserts:
- notContains:
path: spec.template.spec.containers[0].command
content: -Darcadedb.ha.raftStorageDirectory=/home/arcadedb/raft
- notContains:
path: spec.template.spec.containers[0].volumeMounts
content:
name: arcadedb-raft
mountPath: /home/arcadedb/raft
- notContains:
path: spec.template.spec.volumes
content:
name: arcadedb-raft
emptyDir: {}

- it: raftStorageDirectory override flows through when HA active
set:
replicaCount: 3
arcadedb.ha.raftStorageDirectory: /data/raft
asserts:
- contains:
path: spec.template.spec.containers[0].command
content: -Darcadedb.ha.raftStorageDirectory=/data/raft
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
name: arcadedb-raft
mountPath: /data/raft
- contains:
path: spec.template.spec.volumes
content:
name: arcadedb-raft
emptyDir: {}

- it: autoscaling enabled wires raft volume and mount even when replicaCount is 1
set:
autoscaling.enabled: true
autoscaling.minReplicas: 2
autoscaling.maxReplicas: 3
asserts:
- contains:
path: spec.template.spec.containers[0].command
content: -Darcadedb.ha.raftStorageDirectory=/home/arcadedb/raft
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
name: arcadedb-raft
mountPath: /home/arcadedb/raft
- contains:
path: spec.template.spec.volumes
content:
name: arcadedb-raft
emptyDir: {}
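Review bot: The added test `config persistence enabled uses the PVC, not an emptyDir` has no counterpart for the data volume in the hunks shown. Nothing visible asserts that, with `persistence.enabled` left at its default of true, `spec.template.spec.volumes` contains no `arcadedb-data` emptyDir. The template now emits that volume under `if not .Values.persistence.enabled`, so an inverted or dropped condition would render a second `arcadedb-data` definition next to the volumeClaimTemplate without any test failing. A mirror test is sketched below; parts of this file are collapsed on the page, so an equivalent assertion may already exist.

```yaml
  - it: data persistence enabled uses the PVC, not an emptyDir
    set:
      persistence.enabled: true
    asserts:
      - notContains:
          path: spec.template.spec.volumes
          content:
            name: arcadedb-data
            emptyDir: {}
```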
32 changes: 25 additions & 7 deletions charts/arcadedb/values.yaml
Expand Up @@ -15,6 +15,17 @@ arcadedb:
- -Darcadedb.server.mode=production
## @param arcadedb.extraEnvironment Additional environment variables for the container
extraEnvironment: []
## @param arcadedb.logsDirectory Directory where the server writes log files.
## Backed by a writable emptyDir and forwarded via the ARCADEDB_LOG_DIR env var
## so logging works under readOnlyRootFilesystem.
logsDirectory: "/home/arcadedb/log"

## @section arcadedb.ha
ha:
## @param arcadedb.ha.raftStorageDirectory Parent directory for the per-node
## raft-storage-<node> folders. Backed by a writable emptyDir; only used when
## HA is active (replicaCount > 1 or autoscaling enabled).
raftStorageDirectory: "/home/arcadedb/raft"

## @section arcadedb.credentials
credentials:
Expand Down Expand Up @@ -97,6 +108,10 @@ securityContext:
runAsUser: 1000
runAsGroup: 1000
allowPrivilegeEscalation: false
## readOnlyRootFilesystem hardens the container; the chart provides writable
## emptyDir mounts for logs, /tmp, Raft storage, and (when their PVCs are
## disabled) the database and config directories.
readOnlyRootFilesystem: true
capabilities:
drop: [ALL]

Expand Down Expand Up @@ -197,23 +212,26 @@ persistence:
## @param persistence.config.storageClass StorageClass name for config PVC. Empty = cluster default.
storageClass: ""

## @param volumes Additional pod volumes
## @param volumes Additional pod volumes.
## Reserved names managed by the chart — do NOT reuse them here:
## arcadedb-data, arcadedb-config, arcadedb-logs, arcadedb-tmp, arcadedb-raft.
volumes: []
# - name: arcadedb-config
# - name: extra-config
# configMap:
# name: my-arcadedb-config

## @param volumeMounts Additional container volume mounts
volumeMounts: []
# - name: arcadedb-config
# mountPath: /home/arcadedb/config
# - name: extra-config
# mountPath: /etc/arcadedb/extra
# readOnly: true

## @param volumeClaimTemplates Extra StatefulSet volumeClaimTemplates (for config, replication, backups, log).
## The database-data PVC is controlled by persistence.enabled above.
## @param volumeClaimTemplates Extra StatefulSet volumeClaimTemplates (e.g. replication, backups).
## The database and config PVCs are controlled by persistence.* above; do not redeclare
## arcadedb-data or arcadedb-config here.
volumeClaimTemplates: []
# - metadata:
# name: arcadedb-config
# name: arcadedb-backups
# spec:
# accessModes:
# - ReadWriteOnce
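Review bot: The comment on `arcadedb.ha.raftStorageDirectory` says the directory is backed by a writable emptyDir but not what that implies for durability. An emptyDir survives container restarts but is deleted together with the pod, which includes every rolling update of the StatefulSet, so the Raft storage does not outlive pod replacement. Whether ArcadeDB rebuilds that state from its peers is not visible on this page, so the comment should state the limit explicitly, for example `## NOTE: emptyDir contents are removed when the pod is deleted; Raft storage is not preserved across rescheduling or upgrades.` The reserved-name warning on `volumes` forbids reusing `arcadedb-raft`, so the values as written appear to leave operators no supported way to put this directory on a persistent volume.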