make app storage writable

mms-gianni · mms-gianni · commit 0c9ff52b5b92 · 2023-10-18T14:38:14.000+02:00
diff --git a/client/src/components/apps/new.vue b/client/src/components/apps/new.vue
@@ -350,6 +350,24 @@
                 color="primary"
             ></v-switch>
             </v-col>
+            <v-col
+              cols="12"
+              md="6"
+            >
+            </v-col>
+          </v-row>
+
+          <v-row>
+            <v-col
+              cols="12"
+              md="6"
+            >
+              <v-switch
+                v-model="buildpack.run.readOnlyAppStorage"
+                label="Read only app storage"
+                color="primary"
+            ></v-switch>
+            </v-col>
             <v-col
               cols="12"
               md="6"
@@ -1029,6 +1047,7 @@ export default {
       },
       image: {
         run: {
+          readOnlyAppStorage: true,
           command: '',
           securityContext: {
             readOnlyRootFilesystem: true,
diff --git a/config.yaml b/config.yaml
@@ -30,6 +30,7 @@ buildpacks:
     fetch:
       repository: ghcr.io/kubero-dev/buildpacks/fetch
       tag: v1.2
+      readOnlyAppStorage: false
       securityContext:
         runAsUser: 0
         runAsGroup: 0
@@ -43,6 +44,7 @@ buildpacks:
       repository: node
       tag: latest
       command: "npm install"
+      readOnlyAppStorage: false
       securityContext:
         runAsUser: 0
         runAsGroup: 0
@@ -56,6 +58,7 @@ buildpacks:
       repository: node
       tag: latest
       command: "node index.js"
+      readOnlyAppStorage: true
       securityContext:
         runAsUser: 0
         runAsGroup: 0
@@ -70,93 +73,184 @@ buildpacks:
     fetch:
       repository: ghcr.io/kubero-dev/buildpacks/fetch
       tag: v1.2
+      readOnlyAppStorage: false
+      securityContext:
+        runAsUser: 0
+        runAsGroup: 0
+        runAsNonRoot: false
+        readOnlyRootFilesystem: false
+        allowPrivilegeEscalation: false
+        capabilities:
+          add: []
+          drop: []
     build:
       repository: composer
       tag: latest
       command: "composer install; chown -R 1000:1000 /app"
+      readOnlyAppStorage: false
+      securityContext:
+        runAsUser: 0
+        runAsGroup: 0
+        runAsNonRoot: false
+        readOnlyRootFilesystem: false
+        allowPrivilegeEscalation: false
+        capabilities:
+          add: []
+          drop: []
     run:
       repository: ghcr.io/kubero-dev/buildpacks/php
       tag: "main"
+      command: "apache2-foreground"
+      readOnlyAppStorage: false
       securityContext:
+        runAsUser: 0
+        runAsGroup: 0
+        runAsNonRoot: false
         allowPrivilegeEscalation: true
         readOnlyRootFilesystem: false
-      command: "apache2-foreground"
+        capabilities:
+          add: []
+          drop: []
   - name: Python
     language: Python
     fetch:
       repository: ghcr.io/kubero-dev/buildpacks/fetch
       tag: v1.2
+      readOnlyAppStorage: false
+      securityContext:
+        runAsUser: 0
+        runAsGroup: 0
+        runAsNonRoot: false
+        readOnlyRootFilesystem: false
+        allowPrivilegeEscalation: false
+        capabilities:
+          add: []
+          drop: []
     build:
       repository: python
       tag: 3.10-buster
       command: "python3 -m venv .venv && . .venv/bin/activate && pip install -r requirements.txt"
+      readOnlyAppStorage: false
+      securityContext:
+        runAsUser: 0
+        runAsGroup: 0
+        runAsNonRoot: false
+        readOnlyRootFilesystem: false
+        allowPrivilegeEscalation: false
+        capabilities:
+          add: []
+          drop: []
     run:
       repository: python
       tag: 3.10-buster
       command: ". .venv/bin/activate && python3 main.py"
+      readOnlyAppStorage: true
+      securityContext:
+          runAsUser: 0
+          runAsGroup: 0
+          runAsNonRoot: false
+          readOnlyRootFilesystem: false
+          allowPrivilegeEscalation: false
+          capabilities:
+            add: []
+            drop: []
   - name: GoLang
     language: GoLang
     fetch:
       repository: ghcr.io/kubero-dev/buildpacks/fetch
       tag: v1.2
+      readOnlyAppStorage: false
+      securityContext:
+          runAsUser: 0
+          runAsGroup: 0
+          runAsNonRoot: false
+          readOnlyRootFilesystem: false
+          allowPrivilegeEscalation: false
+          capabilities:
+            add: []
+            drop: []
     build:
       repository: golang
       tag: alpine
       command: "go mod download && go mod verify && go build -v -o app"
+      readOnlyAppStorage: false
+      securityContext:
+        runAsUser: 0
+        runAsGroup: 0
+        runAsNonRoot: false
+        readOnlyRootFilesystem: true
+        allowPrivilegeEscalation: false
+        capabilities:
+          add: []
+          drop: []
     run:
       repository: golang
       tag: alpine
       command: "./app"
+      readOnlyAppStorage: true
+      securityContext:
+        runAsUser: 0
+        runAsGroup: 0
+        runAsNonRoot: false
+        readOnlyRootFilesystem: true
+        allowPrivilegeEscalation: false
+        capabilities:
+          add: []
+          drop: []
   - name: Hugo
     language: GoLang
     fetch:
       repository: ghcr.io/kubero-dev/buildpacks/fetch
       tag: v1.2
+      readOnlyAppStorage: false
       securityContext:
-          runAsUser: 0
-          runAsGroup: 0
-          runAsNonRoot: false
-          readOnlyRootFilesystem: false
-          allowPrivilegeEscalation: false
-          capabilities:
-            add: []
-            drop: []
+        runAsUser: 0
+        runAsGroup: 0
+        runAsNonRoot: false
+        readOnlyRootFilesystem: true
+        allowPrivilegeEscalation: false
+        capabilities:
+          add: []
+          drop: []
     build:
       repository: klakegg/hugo
       tag: latest
       command: hugo -D
+      readOnlyAppStorage: false
       securityContext:
-          runAsUser: 0
-          runAsGroup: 0
-          runAsNonRoot: false
-          readOnlyRootFilesystem: false
-          allowPrivilegeEscalation: false
-          capabilities:
-            add: []
-            drop: []
+        runAsUser: 0
+        runAsGroup: 0
+        runAsNonRoot: false
+        readOnlyRootFilesystem: true
+        allowPrivilegeEscalation: false
+        capabilities:
+          add: []
+          drop: []
     run:
       repository: caddy
       tag: latest
       command: caddy file-server --listen :8080 --root /app/public
+      readOnlyAppStorage: true
       securityContext:
-          runAsUser: 0
-          runAsGroup: 0
-          runAsNonRoot: false
-          readOnlyRootFilesystem: false
-          allowPrivilegeEscalation: false
-          capabilities:
-            add: []
-            drop: []
+        runAsUser: 0
+        runAsGroup: 0
+        runAsNonRoot: false
+        readOnlyRootFilesystem: true
+        allowPrivilegeEscalation: false
+        capabilities:
+          add: []
+          drop: []
   - name: Ruby
     language: Ruby
     fetch:
       repository: ghcr.io/kubero-dev/buildpacks/fetch
       tag: v1.2
+      readOnlyAppStorage: false
       securityContext:
         runAsUser: 0
         runAsGroup: 0
         runAsNonRoot: false
-        readOnlyRootFilesystem: false
+        readOnlyRootFilesystem: true
         allowPrivilegeEscalation: false
         capabilities:
           add: []
@@ -165,6 +259,7 @@ buildpacks:
       repository: ruby
       tag: "2.7"
       command: "export GEM_HOME=/app/bundle; bundle install --jobs=4 --retry=3"
+      readOnlyAppStorage: false
       securityContext:
         runAsUser: 0
         runAsGroup: 0
@@ -178,6 +273,7 @@ buildpacks:
       repository: ruby
       tag: "2.7"
       command: "export GEM_HOME=/app/bundle; bundle exec ruby main.rb"
+      readOnlyAppStorage: true
       securityContext:
         runAsUser: 0
         runAsGroup: 0
@@ -192,6 +288,7 @@ buildpacks:
     fetch:
       repository: ghcr.io/kubero-dev/buildpacks/fetch
       tag: v1.2
+      readOnlyAppStorage: false
       securityContext:
         runAsUser: 0
         runAsGroup: 0
@@ -205,6 +302,7 @@ buildpacks:
       repository: busybox
       tag: latest
       command: "echo 'Buildpack not required'"
+      readOnlyAppStorage: false
       securityContext:
         runAsUser: 0
         runAsGroup: 0
@@ -218,6 +316,7 @@ buildpacks:
       repository: caddy
       tag: latest
       command: caddy file-server --listen :8080 --root /app
+      readOnlyAppStorage: true
       securityContext:
         runAsUser: 0
         runAsGroup: 0
diff --git a/src/modules/application.ts b/src/modules/application.ts
@@ -84,7 +84,7 @@ export class App implements IApp{
         run: {
             repository: string,
             tag: string,
-            readOnly?: boolean,
+            readOnlyAppStorage?: boolean,
             securityContext: ISecurityContext
         }
     };
diff --git a/src/types.ts b/src/types.ts
@@ -32,6 +32,7 @@ export interface IApp {
         }
         run: {
             repository: string,
+            readOnlyAppStorage?: boolean,
             tag: string,
             readOnly?: boolean,
             securityContext: ISecurityContext

Original file line number	Diff line number	Diff line change
`@@ -84,7 +84,7 @@ export class App implements IApp{`
`84`	`84`	`run: {`
`85`	`85`	`repository: string,`
`86`	`86`	`tag: string,`
`87`		`- readOnly?: boolean,`
	`87`	`+ readOnlyAppStorage?: boolean,`
`88`	`88`	`securityContext: ISecurityContext`
`89`	`89`	`}`
`90`	`90`	`};`
Original file line number	Diff line number	Diff line change
`@@ -32,6 +32,7 @@ export interface IApp {`
`32`	`32`	`}`
`33`	`33`	`run: {`
`34`	`34`	`repository: string,`
	`35`	`+ readOnlyAppStorage?: boolean,`
`35`	`36`	`tag: string,`
`36`	`37`	`readOnly?: boolean,`
`37`	`38`	`securityContext: ISecurityContext`