support for read only root file-system

[robert-mcnamara]

Hi Artemis Cloud maintainers,

We use the artemis-operator to deploy Artemis on EKS.

Our EKS platform team is enforcing a strict security requirements where workloads must have a read-only root file-system. This applies to init containers and containers.

We have tested out the following configuration when creating Artemis instances against our desired use-cases and so far testing has been positive.

extraVolumeMounts:
- mountPath: /home/jboss/amq-broker
  name: amq-jboss-home
- mountPath: /opt/jboss/container/jolokia/etc
  name: jolokia-configuration
- mountPath: /tmp
  name: temp-dir
extraVolumes:
- emptyDir: {}
  name: amq-jboss-home
- emptyDir: {}
  name: jolokia-configuration
- emptyDir: {}
  name: temp-dir

These changes have enabled the init container and main broker container to start and function with readOnlyRootFilesystem set to true, by using volume of type emptyDir mounted on the paths the Artemis init-container is writing to.

We would like to discuss how this could be supported 'natively' without a user have to apply a change like above.

Perhaps something like;
If readOnlyRootFilesystem is enabled, the operator would add the emptyDir volumes and mount for a tmp and 'run' directory, and the Artemis images could be updated to install into or use the tmp and run directory as needed.
Your input on this would be much appreciated.

Note: we recently experienced similar while exploring IBM MQ on EKS and found a newer version of IBM MQ approached this in a similar way
Ref: https://github.com/ibm-messaging/mq-container/blob/master/docs/usage.md#running-with-a-read-only-root-filesystem

[brusdev]

@robert-mcnamara thanks a lot for sharing it, your solution is very interesting! This is a feature that the operator should support natively. I'll create an issue from this discussion.

[brusdev]

Issue created: #1017