From 346f1956c326d5d865a6ed162090ee3d49b36183 Mon Sep 17 00:00:00 2001
From: Stephen O'Dwyer <67125983+angrieralien@users.noreply.github.com>
Date: Wed, 14 Feb 2024 11:33:06 -0500
Subject: [PATCH] add readOnlyRootFilesystem security context to pass trivy plugin 0.18.4 plugin scans

---
 templates/application/deployment.toolbox.yaml | 2 ++
 templates/application/statefulset.yaml | 4 ++++
 2 files changed, 6 insertions(+)

diff --git a/templates/application/deployment.toolbox.yaml b/templates/application/deployment.toolbox.yaml
index f07b676..a55168a 100644
--- a/templates/application/deployment.toolbox.yaml
+++ b/templates/application/deployment.toolbox.yaml
@@ -58,6 +58,8 @@ spec:
 command:
 - sleep
 - "2147483648" # 2^31
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationGracePeriodSeconds: 0
 {{- if .Values.tls.enabled }}
 volumes:
diff --git a/templates/application/statefulset.yaml b/templates/application/statefulset.yaml
index 5c3272d..ca47c03 100644
--- a/templates/application/statefulset.yaml
+++ b/templates/application/statefulset.yaml
@@ -69,6 +69,8 @@ spec:
 mountPath: /cockroach-certs/
 - name: certs-secret
 mountPath: /certs/
+ securityContext:
+ readOnlyRootFilesystem: true
 {{- end }}
 {{- end }}
 {{- if or .Values.statefulset.nodeAffinity .Values.statefulset.podAffinity .Values.statefulset.podAntiAffinity }}
@@ -277,6 +279,8 @@ spec:
 {{- with .Values.statefulset.resources }}
 resources: {{- toYaml . | nindent 12 }}
 {{- end }}
+ securityContext:
+ readOnlyRootFilesystem: true
 volumes:
 - name: datadir
 {{- if .Values.storage.persistentVolume.enabled }}
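Review bot: `readOnlyRootFilesystem` is a container-level field only, and with the indentation collapsed in this view it cannot be confirmed that the new `securityContext:` in the toolbox hunk sits as a sibling of `command:` rather than of the pod-level `terminationGracePeriodSeconds:` that follows it; at pod level the key is either silently dropped or rejected depending on the client's field validation, so a rendered-manifest check (`helm template … | kubectl apply --dry-run=server -f -`) is worth running, and the same placement check applies to both statefulset.yaml hunks (container-level `resources:` vs pod-level `volumes:`). The setting is also hard-coded in all three hunks, whereas statefulset.yaml already renders `resources` through `{{- with .Values.statefulset.resources }} … toYaml . | nindent 12`; the same pattern, `{{- with .Values.toolbox.securityContext }}` / `securityContext: {{- toYaml . | nindent <container-indent> }}` / `{{- end }}` with `readOnlyRootFilesystem: true` as the default in values.yaml (a new key), would keep the scan passing while letting operators relax it for images that need a writable root. Because this container exists to be exec'd into, any session that writes outside a mounted volume will now fail with a read-only error; a comment beside the new keys such as `# root FS is read-only: mount an emptyDir for any scratch path` would save the next operator a debugging round. The container spec begins before line 58, so whether a writable volume is already mounted cannot be seen here.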
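Review bot: For the main cockroach container (hunk at -277), nothing documents where the process is still allowed to write once the root filesystem is read-only; the server's default log directory and temp storage live under its first store, which should be the `datadir` volume declared right below, but an overridden `--log-dir`/`--temp-dir` or anything the entrypoint writes to `/tmp` will now fail at startup. A comment at the insertion point such as `# root FS is read-only; every writable path must be a volume (datadir covers cockroach's default log and temp dirs)` would record that invariant next to the knob that enforces it. If the intent is to clear the scanner's container baseline, `allowPrivilegeEscalation: false`, `capabilities: {drop: [ALL]}` and `runAsNonRoot: true` are the fields usually reported alongside this one, though the scan output itself is not on the page, so treat that as a hedge rather than a finding. The container block starts before line 277 and the store flags are outside the hunk, so the default-path claim above should be confirmed against the `cockroach start` arguments in the template.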