From 9226eb878996550ccf5ab928956be3cf47ba58f3 Mon Sep 17 00:00:00 2001
From: Phil Gebhardt <phil@gremlin.com>
Date: Thu, 4 Dec 2025 08:27:45 -0800
Subject: [PATCH] chao: hardcode readOnlyRootFilesystem=true

---
 gremlin/Chart.yaml                     | 2 +-
 gremlin/templates/chao-deployment.yaml | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/gremlin/Chart.yaml b/gremlin/Chart.yaml
index 40b2505..8478fad 100644
--- a/gremlin/Chart.yaml
+++ b/gremlin/Chart.yaml
@@ -1,5 +1,5 @@
 name: gremlin
-version: 0.24.1
+version: 0.24.2
 description: The Gremlin Inc client application
 apiVersion: v1
 home: https://www.gremlin.com
diff --git a/gremlin/templates/chao-deployment.yaml b/gremlin/templates/chao-deployment.yaml
index 582b4b6..e7bd061 100644
--- a/gremlin/templates/chao-deployment.yaml
+++ b/gremlin/templates/chao-deployment.yaml
@@ -54,6 +54,8 @@ spec:
           resources:
 {{ toYaml .Values.resources | trimSuffix "\n" | indent 12 }}
         {{- end }}
+          securityContext:
+            readOnlyRootFilesystem: true
           env:
             - name: GREMLIN_TEAM_ID
 {{- /* If we aren't managing this secret and a teamID was supplied, assume teamID is not in the external secret */}}