From 1d37c1f4de06645cfb7ffb79ea211bbc0026a43b Mon Sep 17 00:00:00 2001 From: Joe Lanford Date: Fri, 6 Jun 2025 15:18:01 -0400 Subject: [PATCH] set readOnlyRootFilesystem: true for workloads Signed-off-by: Joe Lanford --- .tilt-support | 1 + config/base/catalogd/manager/manager.yaml | 5 +++++ config/base/operator-controller/manager/manager.yaml | 7 +++++-- 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/.tilt-support b/.tilt-support index c55d2851d..b8ef80f14 100644 --- a/.tilt-support +++ b/.tilt-support @@ -67,6 +67,7 @@ COPY {} / live_update=[ sync('.tiltbuild/bin/{}'.format(binary_name), '/{}'.format(binary_name)), ], + restart_file="/.tilt_restart_proc", # The command to run in the container. entrypoint=entrypoint, ) diff --git a/config/base/catalogd/manager/manager.yaml b/config/base/catalogd/manager/manager.yaml index 5c52165ec..9772ed63b 100644 --- a/config/base/catalogd/manager/manager.yaml +++ b/config/base/catalogd/manager/manager.yaml @@ -52,8 +52,11 @@ spec: volumeMounts: - name: cache mountPath: /var/cache/ + - name: tmp + mountPath: /tmp securityContext: allowPrivilegeEscalation: false + readOnlyRootFilesystem: true capabilities: drop: - ALL @@ -80,3 +83,5 @@ spec: volumes: - name: cache emptyDir: {} + - name: tmp + emptyDir: {} diff --git a/config/base/operator-controller/manager/manager.yaml b/config/base/operator-controller/manager/manager.yaml index db34940c3..611c5816c 100644 --- a/config/base/operator-controller/manager/manager.yaml +++ b/config/base/operator-controller/manager/manager.yaml @@ -52,8 +52,11 @@ spec: volumeMounts: - name: cache mountPath: /var/cache + - name: tmp + mountPath: /tmp securityContext: allowPrivilegeEscalation: false + readOnlyRootFilesystem: true capabilities: drop: - "ALL" 
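Review bot: The new `restart_file="/.tilt_restart_proc"` points at the container's root filesystem, which the manifest hunks in this same commit make read-only via `readOnlyRootFilesystem: true`, and the `sync(..., '/{}')` destination on the line above lands in the same place. If the Tilt deployment inherits these manifests, both the binary sync and the restart-trigger touch will fail with a read-only filesystem error; if a dev overlay switches the setting off, a one-line comment saying so here would spare the next reader that check. A safe alternative is to keep both under the writable `/tmp` emptyDir, e.g. `restart_file="/tmp/.tilt_restart_proc"`, with the sync destination and entrypoint adjusted to match. The enclosing function call begins before this hunk.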
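Review bot: Adding `readOnlyRootFilesystem: true` to the catalogd container turns every write outside the two emptyDir mounts (`/var/cache/` and the new `/tmp`) into a runtime EROFS, and nothing in the manifest records that invariant. I would add, above the `volumeMounts` list, `# Root FS is read-only (readOnlyRootFilesystem): any path the process writes must be an explicit emptyDir mount.` so a future writable path (a cert dir, HOME, a second cache) gets a mount rather than a production failure. Whether the binary writes anywhere else cannot be confirmed from the hunk, so a smoke run with the new setting is worth doing before merge. The container spec starts before this hunk.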
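Review bot: The new catalogd `tmp` volume is `emptyDir: {}` with no `sizeLimit`, so once the root filesystem is read-only this becomes an unbounded writable path backed by node disk, and a runaway write in the pod can exhaust node storage instead of the pod being evicted. I would bound it, e.g. `emptyDir:` / `  sizeLimit: 256Mi` (tune to observed usage); the pre-existing `cache` volume has the same gap, though that is not introduced here. The `volumes` list is complete within this hunk.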
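Review bot: The operator-controller container now has `readOnlyRootFilesystem: true` but no comment tying that to the `/var/cache` and `/tmp` emptyDir mounts, which are the only writable locations left. A short note above `volumeMounts`, `# Root FS is read-only: every writable path needs an explicit emptyDir mount below.`, documents why the `tmp` mount exists and what adding a new writable path requires. Whether the controller writes outside these two paths (for example to a HOME-relative directory) is not visible from the hunk and should be confirmed by running with the new setting. The container spec begins before this hunk.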
@@ -69,8 +72,6 @@ spec: port: 8081 initialDelaySeconds: 5 periodSeconds: 10 - # TODO(user): Configure the resources accordingly based on the project requirements. - # More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: requests: cpu: 10m @@ -81,3 +82,5 @@ spec: volumes: - name: cache emptyDir: {} + - name: tmp + emptyDir: { }