For security set base volume to readOnly in mapserver deployment

gerdos82 · gerdos82 · commit f9de52641e6a · 2025-09-17T15:19:34.000+02:00
diff --git a/internal/controller/blobdownload/blob_download.go b/internal/controller/blobdownload/blob_download.go
@@ -63,7 +63,7 @@ func GetBlobDownloadInitContainer[O pdoknlv3.WMSWFS](obj O, images types.Images)
 		},
 		Command: []string{"/bin/sh", "-c"},
 		VolumeMounts: []corev1.VolumeMount{
-			utils.GetBaseVolumeMount(),
+			utils.GetBaseVolumeMount(false),
 			utils.GetDataVolumeMount(),
 		},
 	}
diff --git a/internal/controller/featureinfogenerator/featureinfo_generator.go b/internal/controller/featureinfogenerator/featureinfo_generator.go
@@ -27,7 +27,7 @@ func GetFeatureinfoGeneratorInitContainer(images types.Images) (*corev1.Containe
 			"feature-info",
 		},
 		VolumeMounts: []corev1.VolumeMount{
-			utils.GetBaseVolumeMount(),
+			utils.GetBaseVolumeMount(false),
 			utils.GetConfigVolumeMount(constants.ConfigMapFeatureinfoGeneratorVolumeName),
 		},
 	}
diff --git a/internal/controller/legendgenerator/legend_generator.go b/internal/controller/legendgenerator/legend_generator.go
@@ -40,7 +40,7 @@ exit $exit_code;
 `,
 		},
 		VolumeMounts: []corev1.VolumeMount{
-			utils.GetBaseVolumeMount(),
+			utils.GetBaseVolumeMount(false),
 			utils.GetDataVolumeMount(),
 			{Name: constants.MapserverName, MountPath: "/srv/mapserver/config/default_mapserver.conf", SubPath: "default_mapserver.conf"},
 		},
diff --git a/internal/controller/mapfilegenerator/mapfile_generator.go b/internal/controller/mapfilegenerator/mapfile_generator.go
@@ -28,7 +28,7 @@ func GetMapfileGeneratorInitContainer[O pdoknlv3.WMSWFS](obj O, images types.Ima
 			"/srv/data/config/mapfile",
 		},
 		VolumeMounts: []corev1.VolumeMount{
-			utils.GetBaseVolumeMount(),
+			utils.GetBaseVolumeMount(false),
 			utils.GetConfigVolumeMount(constants.ConfigMapMapfileGeneratorVolumeName),
 		},
 	}
diff --git a/internal/controller/mapserver/deployment.go b/internal/controller/mapserver/deployment.go
@@ -63,7 +63,7 @@ func GetMapserverContainer[O pdoknlv3.WMSWFS](obj O, images types.Images) (*core
 
 func getVolumeMounts(customMapfile bool) []corev1.VolumeMount {
 	volumeMounts := []corev1.VolumeMount{
-		utils.GetBaseVolumeMount(),
+		utils.GetBaseVolumeMount(true),
 		utils.GetDataVolumeMount(),
 	}
 
diff --git a/internal/controller/utils/utils.go b/internal/controller/utils/utils.go
@@ -41,8 +41,8 @@ func NewEnvFromSource(t EnvFromSourceType, name string) corev1.EnvFromSource {
 	}
 }
 
-func GetBaseVolumeMount() corev1.VolumeMount {
-	return corev1.VolumeMount{Name: constants.BaseVolumeName, MountPath: "/srv/data", ReadOnly: false}
+func GetBaseVolumeMount(readOnly bool) corev1.VolumeMount {
+	return corev1.VolumeMount{Name: constants.BaseVolumeName, MountPath: "/srv/data", ReadOnly: readOnly}
 }
 
 func GetDataVolumeMount() corev1.VolumeMount {

Original file line number	Diff line number	Diff line change
`@@ -63,7 +63,7 @@ func GetBlobDownloadInitContainer[O pdoknlv3.WMSWFS](obj O, images types.Images)`
`63`	`63`	`},`
`64`	`64`	`Command: []string{"/bin/sh", "-c"},`
`65`	`65`	`VolumeMounts: []corev1.VolumeMount{`
`66`		`- utils.GetBaseVolumeMount(),`
	`66`	`+ utils.GetBaseVolumeMount(false),`
`67`	`67`	`utils.GetDataVolumeMount(),`
`68`	`68`	`},`
`69`	`69`	`}`
Original file line number	Diff line number	Diff line change
`@@ -27,7 +27,7 @@ func GetFeatureinfoGeneratorInitContainer(images types.Images) (*corev1.Containe`
`27`	`27`	`"feature-info",`
`28`	`28`	`},`
`29`	`29`	`VolumeMounts: []corev1.VolumeMount{`
`30`		`- utils.GetBaseVolumeMount(),`
	`30`	`+ utils.GetBaseVolumeMount(false),`
`31`	`31`	`utils.GetConfigVolumeMount(constants.ConfigMapFeatureinfoGeneratorVolumeName),`
`32`	`32`	`},`
`33`	`33`	`}`
Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,7 @@ func GetMapfileGeneratorInitContainer[O pdoknlv3.WMSWFS](obj O, images types.Ima`
`28`	`28`	`"/srv/data/config/mapfile",`
`29`	`29`	`},`
`30`	`30`	`VolumeMounts: []corev1.VolumeMount{`
`31`		`- utils.GetBaseVolumeMount(),`
	`31`	`+ utils.GetBaseVolumeMount(false),`
`32`	`32`	`utils.GetConfigVolumeMount(constants.ConfigMapMapfileGeneratorVolumeName),`
`33`	`33`	`},`
`34`	`34`	`}`
Original file line number	Diff line number	Diff line change
`@@ -63,7 +63,7 @@ func GetMapserverContainer[O pdoknlv3.WMSWFS](obj O, images types.Images) (*core`
`63`	`63`
`64`	`64`	`func getVolumeMounts(customMapfile bool) []corev1.VolumeMount {`
`65`	`65`	`volumeMounts := []corev1.VolumeMount{`
`66`		`- utils.GetBaseVolumeMount(),`
	`66`	`+ utils.GetBaseVolumeMount(true),`
`67`	`67`	`utils.GetDataVolumeMount(),`
`68`	`68`	`}`
`69`	`69`
Original file line number	Diff line number	Diff line change
`@@ -41,8 +41,8 @@ func NewEnvFromSource(t EnvFromSourceType, name string) corev1.EnvFromSource {`
`41`	`41`	`}`
`42`	`42`	`}`
`43`	`43`
`44`		`-func GetBaseVolumeMount() corev1.VolumeMount {`
`45`		`- return corev1.VolumeMount{Name: constants.BaseVolumeName, MountPath: "/srv/data", ReadOnly: false}`
	`44`	`+func GetBaseVolumeMount(readOnly bool) corev1.VolumeMount {`
	`45`	`+ return corev1.VolumeMount{Name: constants.BaseVolumeName, MountPath: "/srv/data", ReadOnly: readOnly}`
`46`	`46`	`}`
`47`	`47`
`48`	`48`	`func GetDataVolumeMount() corev1.VolumeMount {`