[Kubernetes] Breaks on Kubernetes ReadOnlyFileSystem #39

Open
Moep90 opened this issue May 2, 2024 · 5 comments

@Moep90

Moep90 commented May 2, 2024

On a ReadOnlyFileSystem Pod in Kubernetes, you get many Read-only file system errors:

```
$ k logs -f supertokens-core-9fbc964db-t7vgj
Defaulted container "supertokens-core" out of: supertokens-core, create-db (init)
chown: changing ownership of '/usr/lib/supertokens/.started': Read-only file system
chown: changing ownership of '/usr/lib/supertokens/LICENSE.md': Read-only file system
chown: changing ownership of '/usr/lib/supertokens/cli/argon2-jvm-2.11.jar': Read-only file system
chown: changing ownership of '/usr/lib/supertokens/cli/argon2-jvm-nolibs-2.11.jar': Read-only file system
chown: changing ownership of '/usr/lib/supertokens/cli/cli.jar': Read-only file system
chown: changing ownership of '/usr/lib/supertokens/cli/gson-2.3.1.jar': Read-only file system
chown: changing ownership of '/usr/lib/supertokens/cli/jackson-annotations-2.16.1.jar': Read-only file system
chown: changing ownership of '/usr/lib/supertokens/cli/jackson-core-2.16.1.jar': Read-only file system
[....]
chown: changing ownership of '/usr/lib/supertokens/plugin-interface/plugin-interface-4.0.6.jar': Read-only file system
chown: changing ownership of '/usr/lib/supertokens/plugin-interface': Read-only file system
chown: changing ownership of '/usr/lib/supertokens/version.yaml': Read-only file system
chown: changing ownership of '/usr/lib/supertokens/webserver-temp': Read-only file system
chown: changing ownership of '/usr/lib/supertokens/': Read-only file system
```

There are many chown commands in the entry point; could they be made optional?

For instance, as an ENV:

```yaml
env:
  READ_ONLY_FS: true
  # OR
  K8S: true
  # OR
  ON_KUBERNETES: true
```

```sh
chown -R supertokens:supertokens /usr/lib/supertokens/
```

@rishabhpoddar
Member

Hi @Moep90

We will have to investigate this, but not quite sure when, since this issue hasn't been brought up by others that use SuperTokens on Kubernetes.

Maybe you could fork our repo and make your own docker image? We have instructions on how to do that here: https://github.com/supertokens/supertokens-core/wiki/Building-from-source#creating-a-docker-image

@rishabhpoddar
Member

Not quite sure. The helm chart is community contributed.

@Moep90
Author

Moep90 commented May 2, 2024

It is currently impossible to run the docker image in a Kubernetes cluster with specific security requirements, such as a ReadOnlyRootFilesystem and/or another UID.

@rishabhpoddar
Member

Oh yeah, I get that, which is why I suggested creating your own docker image from the link above without the chown command in it.

We can further investigate if we can remove that from our repo, but, not quite sure about the timeline for that, unless there is a lot of interest in this issue.
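
The conditional chown requested in this issue, sketched as an added example (not code from the thread or from the SuperTokens entrypoint). `chown_plan` and `apply_ownership` are hypothetical helper names, and `READ_ONLY_FS` is the variable name proposed in the issue, not an implemented option.

```sh
#!/bin/sh
# Added example: a hypothetical entrypoint helper, not the SuperTokens entrypoint.
# READ_ONLY_FS is the name proposed in the issue, not an implemented option.

# chown_plan DIR [UID]
# Prints "chown" when a recursive chown is worth attempting, otherwise
# "skip:<reason>". UID defaults to the current user; it is a parameter so
# the decision can be exercised without being root.
chown_plan() {
    dir=$1
    uid=${2:-$(id -u)}

    # 1. Explicit opt-out, as requested in the issue.
    if [ "${READ_ONLY_FS:-false}" = "true" ]; then
        echo "skip:env"; return 0
    fi
    # 2. Pods that set runAsUser to a non-root UID cannot change ownership,
    #    so do not try.
    if [ "$uid" -ne 0 ]; then
        echo "skip:non-root"; return 0
    fi
    # 3. Probe for writability. With readOnlyRootFilesystem the touch fails,
    #    which is the condition behind the log lines in the issue.
    probe="$dir/.rw-probe.$$"
    if ! touch "$probe" 2>/dev/null; then
        echo "skip:not-writable"; return 0
    fi
    rm -f "$probe"
    echo "chown"
}

# apply_ownership DIR OWNER: run chown only when the plan says so.
apply_ownership() {
    plan=$(chown_plan "$1")
    if [ "$plan" = "chown" ]; then
        chown -R "$2" "$1"
    else
        echo "ownership change skipped ($plan): $1" >&2
    fi
}

# Constructed demo on a scratch directory. A real entrypoint would call:
#   apply_ownership /usr/lib/supertokens/ supertokens:supertokens
demo_dir=$(mktemp -d)
echo "plan as uid 0:    $(chown_plan "$demo_dir" 0)"
echo "plan as uid 1000: $(chown_plan "$demo_dir" 1000)"
rm -rf "$demo_dir"
```

Skipping the chown is only safe when the image already has the right ownership baked in at build time and any paths the process writes to are mounted as writable volumes.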
