From b794f3a4f08342d6e3cb8ead7650e694a89b5f09 Mon Sep 17 00:00:00 2001 From: Marc LeBlanc <7050295+marcleblanc2@users.noreply.github.com> Date: Fri, 24 Apr 2026 01:54:31 -0600 Subject: [PATCH] prometheus: enable readOnlyRootFilesystem The Prometheus container previously required readOnlyRootFilesystem: false because prom-wrapper writes the Alertmanager configuration file to /sg_config_prometheus/alertmanager.yml at runtime whenever site config observability.alerts or SMTP settings change. Additionally, Alertmanager stores state (silences, notification log) at /alertmanager/. This change enables readOnlyRootFilesystem: true by: 1. Adding an emptyDir volume mounted at /alertmanager for Alertmanager state storage (--storage.path). 2. Setting ALERTMANAGER_CONFIG_PATH=/alertmanager/alertmanager.yml so prom-wrapper writes the Alertmanager config to the writable emptyDir instead of the read-only image layer at /sg_config_prometheus/. The /prometheus TSDB data path was already handled by the existing PVC, and /sg_prometheus_add_ons is already a ConfigMap mount. The baked-in alert rules at /sg_config_prometheus/ are read-only at runtime (only written at image build time), so they remain accessible on the read-only root filesystem. Resolves: https://github.com/sourcegraph/sourcegraph/issues/34012 Co-authored-by: Amp Amp-Thread-ID: https://ampcode.com/threads/T-019dbe72-f13d-7233-aa22-cbeb04d03182 --- .../prometheus/prometheus.Deployment.yaml | 15 +++++++++++++++ charts/sourcegraph/values.yaml | 2 -- 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/charts/sourcegraph/templates/prometheus/prometheus.Deployment.yaml b/charts/sourcegraph/templates/prometheus/prometheus.Deployment.yaml index cee8cc9e5..487dd54ef 100644 --- a/charts/sourcegraph/templates/prometheus/prometheus.Deployment.yaml +++ b/charts/sourcegraph/templates/prometheus/prometheus.Deployment.yaml @@ -47,12 +47,24 @@ spec: - name: prometheus image: {{ include "sourcegraph.image" (list . "prometheus") }} imagePullPolicy: {{ .Values.sourcegraph.image.pullPolicy }} + # Seed the Alertmanager config from the baked-in default on first start + # so it works with readOnlyRootFilesystem. prom-wrapper then rewrites this + # file in place whenever site config changes (see ALERTMANAGER_CONFIG_PATH). + command: + - /bin/sh + - -c + - | + cp -n /sg_config_prometheus/alertmanager.yml /alertmanager/alertmanager.yml + exec /usr/bin/prom-wrapper "$@" + - prom-wrapper {{- with .Values.prometheus.args }} args: {{- toYaml . | nindent 8 }} {{- end }} terminationMessagePolicy: FallbackToLogsOnError env: + - name: ALERTMANAGER_CONFIG_PATH + value: /alertmanager/alertmanager.yml {{- range $name, $item := .Values.prometheus.env}} - name: {{ $name }} {{- $item | toYaml | nindent 10 }} @@ -72,6 +84,9 @@ spec: name: data - mountPath: /sg_prometheus_add_ons name: config + - mountPath: /alertmanager + name: data + subPath: alertmanager {{- if .Values.prometheus.extraVolumeMounts }} {{- toYaml .Values.prometheus.extraVolumeMounts | nindent 8 }} {{- end }} diff --git a/charts/sourcegraph/values.yaml b/charts/sourcegraph/values.yaml index cdb59b5fd..f7ef571e4 100644 --- a/charts/sourcegraph/values.yaml +++ b/charts/sourcegraph/values.yaml @@ -906,8 +906,6 @@ prometheus: allowPrivilegeEscalation: false runAsUser: 100 runAsGroup: 100 - # Read-only filesystem not supported for the prometheus container, - # see [sourcegraph/issues/34012](https://github.com/sourcegraph/sourcegraph/issues/34012) for more information readOnlyRootFilesystem: false # -- Name used by resources. Does not affect service names or PVCs. name: "prometheus"