Allow chroot directory to pre-exist for volume mount support (#3967)

The chroot setup previously required the chroot directory to not exist,
which prevented mounting ConfigMaps or other volumes directly inside the
chroot path. This is a problem because the chroot-passthrough mechanism
copies files (losing symlinks), which breaks fsnotify-based hot reload
of authorization policy files mounted from ConfigMaps.

Allow the chroot directory to pre-exist so that Kubernetes volume mounts
can place files directly inside it. Also handle EROFS errors in the
makeReadOnly step, since read-only volume mounts (like ConfigMaps) cannot
be chmod'd.

Pre-create /tmp/chroot in the cloud Dockerfile owned by the connect user
so the process can populate the rest of the chroot structure at runtime.

* chore: update docs

---------

Co-authored-by: Tyler Rockwood <rockwood@redpanda.com>

Author: birdayz

CHANGELOG.md

@@ -3,6 +3,12 @@ Changelog
 
 All notable changes to this project will be documented in this file.
 
+## 4.80.1 - 2026-02-05
+
+### Changed
+
+- chroot: existing directories are now allowed. (@birdayz)
+
 ## 4.80.0 - 2026-02-04
 
 ### Added

internal/cli/chroot_linux.go

@@ -11,6 +11,7 @@
 package cli
 
 import (
+	"errors"
 	"fmt"
 	"io"
 	"io/fs"
@@ -45,10 +46,9 @@ func chroot(path string, passthroughFiles []string) error {
 }
 
 func setupChrootDir(chrootDir string, passthroughFiles []string) error {
-	// Make sure chroot directory does not exist
-	if _, err := os.Stat(chrootDir); err == nil {
-		return fmt.Errorf("chroot directory %s must not exist", chrootDir)
-	} else if !os.IsNotExist(err) {
+	// Allow the chroot directory to pre-exist (e.g. created by volume
+	// mounts). Only fail on unexpected stat errors.
+	if _, err := os.Stat(chrootDir); err != nil && !os.IsNotExist(err) {
 		return fmt.Errorf("check directory: %w", err)
 	}
 
@@ -234,6 +234,13 @@ func makeReadOnly(root string) error {
 		if err != nil {
 			return err
 		}
-		return os.Chmod(filePath, info.Mode() & ^os.FileMode(0o222))
+		if err := os.Chmod(filePath, info.Mode() & ^os.FileMode(0o222)); err != nil {
+			// Ignore read-only filesystem errors from volume mounts.
+			if errors.Is(err, syscall.EROFS) {
+				return nil
+			}
+			return err
+		}
+		return nil
 	})
 }

internal/cli/flags_redpanda.go

@@ -83,7 +83,6 @@ func applyLicenseFlag(c *cli.Context, conf *license.Config) {
 var chrootFlag = &cli.StringFlag{
 	Name: "chroot",
 	Usage: "Chroot into the provided directory after parsing configuration. " +
-		"The directory must not exist and will be created. " +
 		"Common /etc/ files are copied to the chroot directory, and the directory is made read-only. " +
 		"This flag is only supported on Linux.",
 }

resources/docker/cloud.Dockerfile

@@ -27,6 +27,12 @@ COPY --from=build /etc/passwd /etc/passwd
 COPY --from=build /tmp/redpanda-connect /redpanda-connect
 COPY config/docker.yaml /connect.yaml
 
+# Pre-create the chroot directory so that volume mounts placed inside it
+# (e.g. ConfigMaps at /tmp/chroot/...) don't cause kubelet to create it
+# as root-owned, which would prevent the connect user from populating the
+# rest of the chroot structure at runtime.
+RUN mkdir -p /tmp/chroot && chown 10001:10001 /tmp/chroot
+
 USER connect
 
 EXPOSE 4195