add volume/mount capability and set readOnlyRootFileSystem=true (#470)

Co-authored-by: Romeo Dumitrescu <[email protected]>

Author: nickel-tyler

src/helm/reflector/templates/deployment.yaml

@@ -75,6 +75,8 @@ spec:
           {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
+          volumeMounts:
+            {{- toYaml .Values.volumeMounts | nindent 12 }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -87,6 +89,10 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{ - with .Values.volumes }}
+      volumes:
+        {{- toYaml . | nindent 8}}
+      {{- end }}  
       {{- with .Values.topologySpreadConstraints }}
       topologySpreadConstraints:
         {{- toYaml . | nindent 8 }}

src/helm/reflector/values.yaml

@@ -56,7 +56,7 @@ securityContext:
   capabilities:
     drop:
       - ALL
-  readOnlyRootFilesystem: false
+  readOnlyRootFilesystem: true
   runAsNonRoot: true
   runAsUser: 1000
 
@@ -105,3 +105,12 @@ affinity: {}
 topologySpreadConstraints: []
 
 priorityClassName: ""
+
+#mount external persistent/ephemeral storage to required locations if readOnlyRootFileSystem=true
+volumes:
+  - name: tmp
+    emptyDir: {}
+
+volumeMounts:
+  - name: tmp
+    mountPath: /tmp