Merge pull request #112 from PDOK/read-only_base_volume_mapserver

For security set base volume to readOnly in mapserver deployment

Author: gerdos82

internal/controller/blobdownload/blob_download.go

@@ -63,7 +63,7 @@ func GetBlobDownloadInitContainer[O pdoknlv3.WMSWFS](obj O, images types.Images)
 		},
 		Command: []string{"/bin/sh", "-c"},
 		VolumeMounts: []corev1.VolumeMount{
-			utils.GetBaseVolumeMount(),
+			utils.GetBaseVolumeMount(false),
 			utils.GetDataVolumeMount(),
 		},
 	}

internal/controller/featureinfogenerator/featureinfo_generator.go

@@ -27,7 +27,7 @@ func GetFeatureinfoGeneratorInitContainer(images types.Images) (*corev1.Containe
 			"feature-info",
 		},
 		VolumeMounts: []corev1.VolumeMount{
-			utils.GetBaseVolumeMount(),
+			utils.GetBaseVolumeMount(false),
 			utils.GetConfigVolumeMount(constants.ConfigMapFeatureinfoGeneratorVolumeName),
 		},
 	}

internal/controller/legendgenerator/legend_generator.go

@@ -40,7 +40,7 @@ exit $exit_code;
 `,
 		},
 		VolumeMounts: []corev1.VolumeMount{
-			utils.GetBaseVolumeMount(),
+			utils.GetBaseVolumeMount(false),
 			utils.GetDataVolumeMount(),
 			{Name: constants.MapserverName, MountPath: "/srv/mapserver/config/default_mapserver.conf", SubPath: "default_mapserver.conf"},
 		},

internal/controller/mapfilegenerator/mapfile_generator.go

@@ -28,7 +28,7 @@ func GetMapfileGeneratorInitContainer[O pdoknlv3.WMSWFS](obj O, images types.Ima
 			"/srv/data/config/mapfile",
 		},
 		VolumeMounts: []corev1.VolumeMount{
-			utils.GetBaseVolumeMount(),
+			utils.GetBaseVolumeMount(false),
 			utils.GetConfigVolumeMount(constants.ConfigMapMapfileGeneratorVolumeName),
 		},
 	}

internal/controller/mapserver/deployment.go

@@ -63,7 +63,7 @@ func GetMapserverContainer[O pdoknlv3.WMSWFS](obj O, images types.Images) (*core
 
 func getVolumeMounts(customMapfile bool) []corev1.VolumeMount {
 	volumeMounts := []corev1.VolumeMount{
-		utils.GetBaseVolumeMount(),
+		utils.GetBaseVolumeMount(true),
 		utils.GetDataVolumeMount(),
 	}
 

internal/controller/mapserver/test_data/expected_volumemounts.yaml

@@ -1,6 +1,7 @@
 volumeMounts:
 - mountPath: /srv/data
   name: base
+  readOnly: true
 - mountPath: /var/www
   name: data
 - mountPath: /srv/mapserver/config/include.conf

internal/controller/test_data/wfs/complete/expected/deployment.yaml

@@ -126,7 +126,7 @@ spec:
           volumeMounts:
             - mountPath: /srv/data
               name: base
-              readOnly: false
+              readOnly: true
             - mountPath: /var/www
               name: data
               readOnly: false

internal/controller/test_data/wfs/minimal/expected/deployment.yaml

@@ -122,7 +122,7 @@ spec:
           volumeMounts:
             - mountPath: /srv/data
               name: base
-              readOnly: false
+              readOnly: true
             - mountPath: /var/www
               name: data
               readOnly: false

internal/controller/test_data/wfs/noprefetch/expected/deployment.yaml

@@ -122,7 +122,7 @@ spec:
           volumeMounts:
             - mountPath: /srv/data
               name: base
-              readOnly: false
+              readOnly: true
             - mountPath: /var/www
               name: data
               readOnly: false

internal/controller/test_data/wms/complete/expected/deployment.yaml

@@ -128,7 +128,7 @@ spec:
           volumeMounts:
             - mountPath: /srv/data
               name: base
-              readOnly: false
+              readOnly: true
             - mountPath: /var/www
               name: data
               readOnly: false