From 114882418538581b7912183a35774defb440ac40 Mon Sep 17 00:00:00 2001
From: Marco Kilchhofer
Date: Mon, 8 Mar 2021 23:13:34 +0100
Subject: [PATCH] fix: Mount emptyDir on repoServer when using read-only FS
Signed-off-by: Marco Kilchhofer
---
 charts/argo-cd/Chart.yaml | 2 +-
 .../templates/argocd-repo-server/deployment.yaml | 13 +++++++++++--
 2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/charts/argo-cd/Chart.yaml b/charts/argo-cd/Chart.yaml
index af7da2f2..10f055f7 100644
--- a/charts/argo-cd/Chart.yaml
+++ b/charts/argo-cd/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 appVersion: 1.8.4
 description: A Helm chart for ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes.
 name: argo-cd
-version: 2.15.0
+version: 2.15.1
 home: https://github.com/argoproj/argo-helm
 icon: https://raw.githubusercontent.com/argoproj/argo/master/docs/assets/argo.png
 keywords:
diff --git a/charts/argo-cd/templates/argocd-repo-server/deployment.yaml b/charts/argo-cd/templates/argocd-repo-server/deployment.yaml
index a75c1283..5b4ee105 100755
--- a/charts/argo-cd/templates/argocd-repo-server/deployment.yaml
+++ b/charts/argo-cd/templates/argocd-repo-server/deployment.yaml
@@ -1,4 +1,5 @@
 {{- $redisHa := (index .Values "redis-ha") -}}
+{{- $containerSecurityContext := .Values.repoServer.containerSecurityContext | default dict }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -82,7 +83,7 @@ spec:
 {{- if .Values.repoServer.volumeMounts }}
 {{- toYaml .Values.repoServer.volumeMounts | nindent 8}}
 {{- end }}
- {{- if .Values.openshift.enabled }}
+ {{- if or .Values.openshift.enabled $containerSecurityContext.readOnlyRootFilesystem }}
 - mountPath: /app/config/gpg/keys
 name: gpg-keyring
 {{- end }}
@@ -94,6 +95,10 @@ spec:
 - mountPath: /app/config/tls
 name: tls-certs
 {{- end }}
+ {{- if $containerSecurityContext.readOnlyRootFilesystem }}
+ - mountPath: /tmp
+ name: tmp-dir
+ {{- end }}
 ports:
 - name: repo-server
 containerPort: {{ .Values.repoServer.containerPort }}
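Review bot: The added `$containerSecurityContext` assignment in the `@@ -1,4 +1,5 @@` hunk closes with `}}` while the `$redisHa` line directly above it closes with `-}}`, so the rendered manifest now starts with an empty line. Ending it the same way, `... | default dict -}}`, keeps the output unchanged for existing users. A one-line template comment such as `{{- /* nil-safe view of repoServer.containerSecurityContext, used for the read-only-rootfs mounts below */ -}}` would also explain why the `default dict` is there.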
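Review bot: The chart-managed mount at `/app/config/gpg/keys` in the `@@ -82,7 +83,7 @@` hunk is now rendered right after the user-supplied `.Values.repoServer.volumeMounts` whenever `readOnlyRootFilesystem` is set, with nothing guarding against a mount the user already defined for that path. A release that previously worked around the read-only root filesystem with its own entries would then render a duplicate `mountPath`, which Kubernetes validation is expected to reject on upgrade. The same applies to the `/tmp` mount added in the `@@ -94,6 +95,10 @@` hunk and to the `gpg-keyring` and `tmp-dir` volume names in the two volume hunks further down. If de-duplicating is out of scope, the chart's values documentation should state that these paths and names are reserved once `repoServer.containerSecurityContext.readOnlyRootFilesystem` is true. The enclosing `volumeMounts:` list starts outside this hunk.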
@@ -142,7 +147,7 @@ spec:
 {{- if .Values.repoServer.volumes }}
 {{- toYaml .Values.repoServer.volumes | nindent 6}}
 {{- end }}
- {{- if .Values.openshift.enabled }}
+ {{- if or .Values.openshift.enabled $containerSecurityContext.readOnlyRootFilesystem }}
 - emptyDir: {}
 name: gpg-keyring
 {{- end }}
@@ -156,6 +161,10 @@ spec:
 name: argocd-tls-certs-cm
 name: tls-certs
 {{- end }}
+ {{- if $containerSecurityContext.readOnlyRootFilesystem }}
+ - emptyDir: {}
+ name: tmp-dir
+ {{- end }}
 {{- if .Values.repoServer.initContainers }}
 initContainers:
 {{- toYaml .Values.repoServer.initContainers | nindent 6 }}
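Review bot: The `tmp-dir` volume added in the `@@ -156,6 +161,10 @@` hunk is declared as `emptyDir: {}` with no `sizeLimit`, so anything the repo-server writes under `/tmp` draws on the node's ephemeral storage without a per-volume cap. That directory presumably receives repository checkouts and generated manifests, whose size depends on the repositories being synced, so a bound would turn an oversized checkout into an eviction of this pod rather than disk pressure on the node. Consider rendering `- emptyDir:` followed by `sizeLimit: <SIZE_LIMIT_PLACEHOLDER>` from a chart value, keeping `{}` as the default when the value is unset. A short comment above the block saying that `/tmp` must be writable for the repo-server to operate with a read-only root filesystem would help the next reader.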