The setup_f5_k8s.sh script in the fusion-cloud-native repository provides deployment support for any Kubernetes platform, including on-premise, private cloud, public cloud, and hybrid platforms. This script is used by the setup_f5_gke.sh, setup_f5_eks.sh, and setup_f5_aks.sh scripts, which provide additional platform-specific support for Google Kubernetes Engine (GKE), Amazon Elastic Kubernetes Service (EKS), and Azure Kubernetes Service (AKS). See Fusion 5 Upgrades for more information about deployment instructions for:
This guide describes how to perform Fusion 5 upgrades.
Before upgrading, be aware of changes by checking for Deprecations and Removals between versions.
Lucidworks recommends upgrading to the next minor version only. For example, you should upgrade from Fusion 5.6.1 to Fusion 5.7.1 before upgrading to Fusion 5.8.0.
The general upgrade process is described in this article. However, the specific upgrade procedures may vary depending on your upgrade path. For the most accurate instructions, please refer to the upgrade article specific to your upgrade.

General upgrade process

Fusion natively supports deployments on supported Kubernetes platforms, including AKS, EKS, and GKE.
Fusion includes an upgrade script for AKS, EKS, and GKE. This script is not generated for other Kubernetes deployments.
Upgrades differ from platform to platform. See below for more information about upgrading on your platform of choice.
Whenever you upgrade Fusion, you must also update your remote connectors, if you are running any. You can download the latest files at V2 Connectors Downloads.

Natively supported deployment upgrades

Deployment type | Platform
Azure Kubernetes Service (AKS) | aks
Amazon Elastic Kubernetes Service (EKS) | eks
Google Kubernetes Engine (GKE) | gke
Fusion includes upgrade scripts for natively supported deployment types. To upgrade:
  1. Open the <platform>_<cluster>_<release>_upgrade_fusion.sh upgrade script file for editing.
  2. Update the CHART_VERSION to your target Fusion version, and save your changes.
  3. Run the <platform>_<cluster>_<release>_upgrade_fusion.sh script. The <release> value is the same as your namespace, unless you overrode the default value using the -r option.
After running the upgrade, use kubectl get pods to see the changes applied to your cluster. It may take several minutes to perform the upgrade, as new Docker images are pulled from DockerHub. To see the versions of running pods, do:
kubectl get po -o jsonpath='{..image}'  | tr -s '[[:space:]]' '\n' | sort | uniq

Other Kubernetes deployment upgrades

To update an existing installation, do:
RELEASE=f5
NAMESPACE=default
helm repo update
helm upgrade ${RELEASE} "lucidworks/fusion" --namespace "${NAMESPACE}" --values "${MY_VALUES}"
Except for ZooKeeper, all K8s deployments and statefulsets use a RollingUpdate update policy:
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
ZooKeeper instances use OnDelete to avoid changing critical stateful pods in the Fusion deployment. To apply changes to ZooKeeper after performing the upgrade (uncommon), you need to manually delete the pods. For example:
kubectl delete pod f5-zookeeper-0
Delete one pod at a time. Verify that the new pod is healthy and serving traffic before deleting the next pod.
You can also set the updateStrategy under the zookeeper section in your "${MY_VALUES}" file:
solr:
  ...
  zookeeper:
    updateStrategy:
      type: "RollingUpdate"

Upgrades with Helm v3

One of the most powerful features provided by Kubernetes and a cloud-native microservices architecture is the ability to do a rolling update on a live cluster. For example, Fusion 5 allows customers to upgrade from Fusion 5.1.0 to a later 5.x.y version on a live cluster with zero downtime or disruption of service.
When Kubernetes performs a rolling update to an individual microservice, there is a mix of old and new services in the cluster. Requests from other services route to both versions.
Lucidworks ensures all changes we make to our service do not break the API interface exposed to other services in the same minor release version (5.x). We also ensure that the stored configuration remains compatible in the same minor release version.
Lucidworks releases minor updates to individual services frequently. Pull in those upgrades using Helm at your discretion.
How to upgrade Fusion
  1. Clone the fusion-cloud-native repo, if you haven’t already.
  2. Locate the setup_f5_<platform>.sh script that matches your Kubernetes platform.
  3. Run the script with the --upgrade option.
    To see what would be upgraded, pass the --dry-run option to the script.
The scripts in the fusion-cloud-native repo automatically pull in the latest chart updates from our Helm repository and deploy any updates needed by doing a diff of your current installation and the latest release from Lucidworks.

Helm upgrade script

Once you deploy a working cluster, use the upgrade script created by the customize_fusion_values.sh script. The upgrade script hard-codes the parameters and eases the need to remember which parameters to pass to the script. This is helpful when working with multiple K8s clusters. Make sure you check the script into version control alongside your custom values YAML files.
Whenever you change the custom values YAML files for your cluster, you need to run the upgrade script to apply the changes. The script calls helm upgrade with the correct parameters and --values options.
If you run helm upgrade without passing the custom values YAML files, the deployment will revert to using chart defaults, which you never want to do.
The script assumes your kubeconfig is pointing to the correct cluster and you’re using Helm v3. If not, the upgrade fails. Select the correct kubeconfig before running the script.

Considerations for on-prem deployments

Solr

Making changes to Solr’s memory settings after the initial installation, including changing the number of pods, is simple. Changing the size and type of disk, however, can be difficult. Before you begin, identify some basic sizing information for Solr:
  • Memory settings
  • Disk size
  • Disk type (e.g. SSD)

Docker images

Fusion’s public Docker images are hosted on DockerHub. If you do not allow your Kubernetes environment to pull images from DockerHub, you will need to copy the images to your internal registry. This can be a time-consuming process.
This section describes how to use a private repository to manage your Docker images. When you install or upgrade Fusion, you can specify the private repository instead of the public repository. If you’re deploying on-premises, you’ll need to set up on-premises private Docker registries.
  1. Add a values.sh file with the following. Some third-party dependencies might need service account level secrets if the chart doesn’t expose that field. You can use the Fusion install scripts to skip creating this file manually.
    cat > values.yaml << EOF
    
    ---
    
    admin-ui:
      image:
        imagePullSecrets:
        - name: ${REPOSITORY}
        repository: ${REPOSITORY}
      keytoolUtils:
        image:
          imagePullSecrets:
          - name: ${REPOSITORY}
          repository: ${REPOSITORY}
    api-gateway:
      image:
        imagePullSecrets:
        - name: ${REPOSITORY}
        repository: ${REPOSITORY}
      keytoolUtils:
        image:
          imagePullSecrets:
          - name: ${REPOSITORY}
          repository: ${REPOSITORY}
    argo:
      image:
        imagePullSecrets:
        - name: ${REPOSITORY}
        repository: ${REPOSITORY}
      minio:
        image:
          repository: ${REPOSITORY}/minio
    argo-common-workflows:
      image:
        imagePullSecrets:
        - name: ${REPOSITORY}
        repository: ${REPOSITORY}
    auth-ui:
      image:
        imagePullSecrets:
        - name: ${REPOSITORY}
        repository: ${REPOSITORY}
      keytoolUtils:
        image:
          imagePullSecrets:
          - name: ${REPOSITORY}
          repository: ${REPOSITORY}
    classic-rest-service:
      image:
        imagePullSecrets:
        - name: ${REPOSITORY}
        repository: ${REPOSITORY}
      keytoolUtils:
        image:
          imagePullSecrets:
          - name: ${REPOSITORY}
          repository: ${REPOSITORY}
    classification:
      image:
        imagePullSecrets:
        - name: ${REPOSITORY}
        repository: ${REPOSITORY}
    connector-plugin:
      image:
        imagePullSecrets:
        - name: ${REPOSITORY}
        repository: ${REPOSITORY}
      keytoolUtils:
        image:
          imagePullSecrets:
          - name: ${REPOSITORY}
          repository: ${REPOSITORY}
    connectors:
      image:
        imagePullSecrets:
        - name: ${REPOSITORY}
        repository: ${REPOSITORY}
      keytoolUtils:
        image:
          imagePullSecrets:
          - name: ${REPOSITORY}
          repository: ${REPOSITORY}
    connectors-backend:
      image:
        imagePullSecrets:
        - name: ${REPOSITORY}
        repository: ${REPOSITORY}
      keytoolUtils:
        image:
          imagePullSecrets:
          - name: ${REPOSITORY}
          repository: ${REPOSITORY}
    devops-ui:
      image:
        imagePullSecrets:
        - name: ${REPOSITORY}
        repository: ${REPOSITORY}
      keytoolUtils:
        image:
          imagePullSecrets:
          - name: ${REPOSITORY}
          repository: ${REPOSITORY}
    fusion-admin:
      image:
        imagePullSecrets:
        - name: ${REPOSITORY}
        repository: ${REPOSITORY}
      keytoolUtils:
        image:
          imagePullSecrets:
          - name: ${REPOSITORY}
          repository: ${REPOSITORY}
    fusion-data-augmentation:
      image:
        imagePullSecrets:
        - name: ${REPOSITORY}
        repository: ${REPOSITORY}
    fusion-indexing:
      image:
        imagePullSecrets:
        - name: ${REPOSITORY}
        repository: ${REPOSITORY}
      keytoolUtils:
        image:
          imagePullSecrets:
          - name: ${REPOSITORY}
          repository: ${REPOSITORY}
    fusion-jupyter:
      image:
        imagePullSecrets:
        - name: ${REPOSITORY}
        repository: ${REPOSITORY}
    fusion-log-forwarder:
      image:
        imagePullSecrets:
        - name: ${REPOSITORY}
        repository: ${REPOSITORY}
      keytoolUtils:
        image:
          imagePullSecrets:
          - name: ${REPOSITORY}
          repository: ${REPOSITORY}
    fusion-resources:
      image:
        imagePullSecrets:
        - name: ${REPOSITORY}
        repository: ${REPOSITORY}
      keytoolUtils:
        image:
          imagePullSecrets:
          - name: ${REPOSITORY}
          repository: ${REPOSITORY}
    fusion-superset:
      image:
        imagePullSecrets:
        - name: ${REPOSITORY}
        repository: ${REPOSITORY}
    insights:
      image:
        imagePullSecrets:
        - name: ${REPOSITORY}
        repository: ${REPOSITORY}
    job-launcher:
      image:
        imagePullSecrets:
        - name: ${REPOSITORY}
        repository: ${REPOSITORY}
      keytoolUtils:
        image:
          imagePullSecrets:
          - name: ${REPOSITORY}
          repository: ${REPOSITORY}
    job-rest-server:
      image:
        imagePullSecrets:
        - name: ${REPOSITORY}
        repository: ${REPOSITORY}
      keytoolUtils:
        image:
          imagePullSecrets:
          - name: ${REPOSITORY}
          repository: ${REPOSITORY}
    kafka:
      image:
        imagePullSecrets:
        - name: ${REPOSITORY}
        repository: ${REPOSITORY}
      keytoolUtils:
        image:
          imagePullSecrets:
          - name: ${REPOSITORY}
          repository: ${REPOSITORY}          
    ml-model-service:
      ambassador:
        image:
          repository: ${REPOSITORY}/datawire/ambassador
        imagePullSecrets:
        - name: ${REPOSITORY}
        pro:
          image:
            repository: ${REPOSITORY}/datawire/ambassador_pro
      image:
        imagePullSecrets:
        - name: ${REPOSITORY}
        repository: ${REPOSITORY}
      keytoolUtils:
        image:
          imagePullSecrets:
          - name: ${REPOSITORY}
          repository: ${REPOSITORY}
      milvus:
        admin:
          image:
            repository: ${REPOSITORY}/milvus-em
        image:
          repository: ${REPOSITORY}/milvus
        initContainerImage: ${REPOSITORY}/alpine:3.8
        mishards:
          image:
            repository: ${REPOSITORY}/mishards
        mysql:
          busybox:
            image: ${REPOSITORY}/busybox
          image: ${REPOSITORY}/mysql
      preinstall:
        image:
          imagePullSecrets:
          - name: ${REPOSITORY}
          repository: ${REPOSITORY}/bitnami
    pm-ui:
      image:
        imagePullSecrets:
        - name: ${REPOSITORY}
        repository: ${REPOSITORY}
      keytoolUtils:
        image:
          imagePullSecrets:
          - name: ${REPOSITORY}
          repository: ${REPOSITORY}
    pulsar:
      dashboard:
        image:
          repository: ${REPOSITORY}/pulsar-dashboard
      image:
        imagePullSecrets:
        - name: ${REPOSITORY}
        repository: ${REPOSITORY}
      images:
        imagePullSecrets:
        - name: ${REPOSITORY}
      initContainer:
        image:
          repository: ${REPOSITORY}
      keytoolUtils:
        image:
          repository: ${REPOSITORY}
      pulsar_metadata:
        image:
          repository: ${REPOSITORY}/pulsar-all
    query-pipeline:
      image:
        imagePullSecrets:
        - name: ${REPOSITORY}
        repository: ${REPOSITORY}
      keytoolUtils:
        image:
          imagePullSecrets:
          - name: ${REPOSITORY}
          repository: ${REPOSITORY}
    question-answering:
      image:
        imagePullSecrets:
        - name: ${REPOSITORY}
        repository: ${REPOSITORY}
    recommender:
      image:
        imagePullSecrets:
        - name: ${REPOSITORY}
        repository: ${REPOSITORY}
    rules-ui:
      image:
        imagePullSecrets:
        - name: ${REPOSITORY}
        repository: ${REPOSITORY}
      keytoolUtils:
        image:
          imagePullSecrets:
          - name: ${REPOSITORY}
          repository: ${REPOSITORY}
    seldon-core-operator:
      engine:
        image:
          repository: ${REPOSITORY}/engine
      executor:
        image:
          imagePullSecrets:
          - name: ${REPOSITORY}
          repository: ${REPOSITORY}/seldon-core-executor
      image:
        imagePullSecrets:
        - name: ${REPOSITORY}
        repository: ${REPOSITORY}/seldon-core-operator
    solr:
      image:
        imagePullSecrets:
        - name: ${REPOSITORY}
        repository: ${REPOSITORY}/solr
      initContainer:
        image:
          repository: ${REPOSITORY}
      keytoolUtils:
        image:
          imagePullSecrets:
          - name: ${REPOSITORY}
          repository: ${REPOSITORY}
      zookeeper:
        exporters:
          jmx:
            image:
              repository: ${REPOSITORY}/jmx-prometheus-exporter
          zookeeper:
            image:
              repository: ${REPOSITORY}/zookeeper-exporter
        image:
          imagePullSecrets:
          - name: ${REPOSITORY}
          repository: ${REPOSITORY}/zookeeper
        keytoolUtils:
          image:
            imagePullSecrets:
            - name: ${REPOSITORY}
            repository: ${REPOSITORY}
    solr-backup-runner:
      image:
        imagePullSecrets:
        - name: ${REPOSITORY}
        repository: ${REPOSITORY}
    sql-service:
      image:
        imagePullSecrets:
        - name: ${REPOSITORY}
        repository: ${REPOSITORY}
      keytoolUtils:
        image:
          imagePullSecrets:
          - name: ${REPOSITORY}
          repository: ${REPOSITORY}
    templating:
      image:
        imagePullSecrets:
        - name: ${REPOSITORY}
        repository: ${REPOSITORY}
      keytoolUtils:
        image:
          imagePullSecrets:
          - name: ${REPOSITORY}
          repository: ${REPOSITORY}
    tikaserver:
      image:
        imagePullSecrets:
        - name: ${REPOSITORY}
        repository: ${REPOSITORY}/apache
      keytoolUtils:
        image:
          imagePullSecrets:
          - name: ${REPOSITORY}
          repository: ${REPOSITORY}
    webapps:
      image:
        imagePullSecrets:
        - name: ${REPOSITORY}
        repository: ${REPOSITORY}
      keytoolUtils:
        image:
          imagePullSecrets:
          - name: ${REPOSITORY}
          repository: ${REPOSITORY}
    zookeeper:
      exporters:
        jmx:
          image:
            repository: ${REPOSITORY}/jmx-prometheus-exporter
        zookeeper:
          image:
            repository: ${REPOSITORY}/zookeeper-exporter
      image:
        imagePullSecrets:
        - name: ${REPOSITORY}
        repository: ${REPOSITORY}/zookeeper
      keytoolUtils:
        image:
          imagePullSecrets:
          - name: ${REPOSITORY}
          repository: ${REPOSITORY}
    
    EOF
    
  2. Run the script: ./values.sh.
    If you receive an error stating bash: ./values.sh: Permission denied, make the script executable: chmod +x values.sh and run the script again: ./values.sh.

    The script creates a new file, <provider>_<cluster>_<namespace>_fusion_repository.yaml. The contents of the file resemble the following:
    ---    
    admin-ui:
     initContainer:
       image:
         repository: altostrat.com/repo
     image:
       repository: altostrat.com/repo
    api-gateway:
     keytoolUtils:
       image:
         repository: "altostrat.com/repo"
     initContainer:
       image:
         repository: altostrat.com/repo
     image:
       repository: altostrat.com/repo
    argo:
     images:
       ...
    
  3. Open the <provider>_<cluster>_<namespace>_upgrade_fusion.sh script for editing.
  4. Update the MY_VALUES values to refer to the <provider>_<cluster>_<namespace>_fusion_repository.yaml file.
    MY_VALUES=""
    MY_VALUES="$MY_VALUES --values <provider>_<cluster>_<namespace>_fusion_repository.yaml"
    MY_VALUES="$MY_VALUES --values <provider>_<cluster>_<namespace>_fusion_values.yaml"
    MY_VALUES="$MY_VALUES --values <provider>_<cluster>_<namespace>_fusion_resources.yaml"
    MY_VALUES="$MY_VALUES --values <provider>_<cluster>_<namespace>_fusion_affinity.yaml"
    MY_VALUES="$MY_VALUES --values <provider>_<cluster>_<namespace>_fusion_replicas.yaml"
    
  5. Run the <provider>_<cluster>_<namespace>_upgrade_fusion.sh script.
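An added example, not part of the Lucidworks documentation: after the upgrade has run with the repository values file, this Python script reads `kubectl get pods -o json` and lists every container, init containers included, whose image is still pulled from somewhere other than the private repository. The repository `altostrat.com/repo` is taken from the sample output above; the pod list, the `quay.example` host and the function names are constructed for illustration.

```python
"""Flag containers whose image is not served from the private repository.

Live use (the namespace is an assumption):
    kubectl get pods -n default -o json | python3 check_registry.py altostrat.com/repo
"""
import json
import sys

DOCKER_HUB = "docker.io"


def registry_of(image):
    """Return the registry host an image reference resolves to.

    Docker's rule: the first path component names a registry only if it
    contains '.' or ':' or is 'localhost'. Anything else, such as
    'busybox' or 'alpine:3.8', is implicitly pulled from Docker Hub.
    """
    first, sep, _rest = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return DOCKER_HUB


def foreign_images(pod_list, repository):
    """Return sorted (pod, container, image, registry) tuples for images
    that do not start with the private repository prefix."""
    prefix = repository.rstrip("/") + "/"
    findings = []
    for pod in pod_list.get("items", []):
        pod_name = pod["metadata"]["name"]
        spec = pod.get("spec", {})
        # Init containers are pulled like any other image, so check them too.
        for kind in ("initContainers", "containers"):
            for c in spec.get(kind) or []:
                image = c["image"]
                if not image.startswith(prefix):
                    findings.append((pod_name, c["name"], image, registry_of(image)))
    return sorted(findings)


# Constructed sample data, shaped like `kubectl get pods -o json` output.
SAMPLE_PODS = {
    "items": [
        {
            "metadata": {"name": "f5-solr-0"},
            "spec": {
                "initContainers": [{"name": "init", "image": "alpine:3.8"}],
                "containers": [
                    {"name": "solr", "image": "altostrat.com/repo/solr:example"}
                ],
            },
        },
        {
            "metadata": {"name": "f5-zookeeper-0"},
            "spec": {
                "containers": [
                    {"name": "zookeeper",
                     "image": "altostrat.com/repo/zookeeper:example"},
                    {"name": "exporter",
                     "image": "quay.example:8443/zookeeper-exporter:example"},
                ]
            },
        },
    ]
}


def main(argv):
    repository = argv[1] if len(argv) > 1 else "altostrat.com/repo"
    # Fall back to the constructed sample when nothing is piped in.
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    pods = json.loads(raw) if raw.strip() else SAMPLE_PODS
    findings = foreign_images(pods, repository)
    for pod, container, image, registry in findings:
        print(f"{pod}/{container}: {image} (pulled from {registry})")
    # Non-zero exit only for live data, so the check can gate a pipeline.
    return 1 if findings and raw.strip() else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```
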

Helm charts

Helm is a package manager for Kubernetes that helps you install and manage applications on your Kubernetes cluster. We supply a Helm chart for the Fusion installation. If you are using Helm V2, the setup_f5_k8s.sh script installs Helm’s Tiller component into your Kubernetes cluster with the cluster admin role. If you want to prevent the installation of Tiller, upgrade to Helm V3.

Nodes

We recommend installing Fusion on at least 3 nodes, each starting in its own namespace. Only 1 Fusion instance per namespace is supported. Development and test environments only require 1 node with at least 12 GB of RAM.
It is possible to install other apps alongside Fusion in the same namespace, if desired.

Pod resources

We recommend not placing resource limits on pods until you have run production-like workloads with your data and fully understand your resource requirements.

Fusion gateway service

If you will be exposing the Fusion gateway service externally, you will need to consider your Kubernetes Ingress strategy:
  • How will you route to internal services, such as the gateway?
  • Will you do TLS termination at the Ingress?

Deploying with a read-only root file system

Fusion 5.9.9 and later supports a read-only root file system to safeguard against unauthorized modifications. Most services operate efficiently in this mode, and for components that need write access, a separate writable mount is available using specific helm configurations. See Enable Read-Only Root File System for examples of how to configure this feature.
This topic describes how to configure a read-only root file system for a Fusion deployment. Read-only mode safeguards your file system against unauthorized changes, such as by malicious software or other attacks. Enabling this feature entails configuring the readOnlyRootFilesystem attribute in the Fusion Helm chart.
This feature is available starting in Fusion 5.9.9 and in all subsequent Fusion 5.9 releases.
Beginning with Fusion 5.9.10, all of Fusion’s services are designed to work with a read-only root file system, but some external services may require write access to the file system. In that case, you can configure a read-only root file system and mount a separate writable file system for these services.
The examples below show how to configure a read-only root file system for various Fusion services.

Solr

fusion:
  solr:
    containerSecurityContext:
      readOnlyRootFilesystem: true
With optional services:
fusion:
  solr:
    exporter:
      enabled: true
      securityContext:
        readOnlyRootFilesystem: true
    containerSecurityContext:
      readOnlyRootFilesystem: true

Zookeeper

fusion:
  zookeeper:
    containerSecurityContext:
      readOnlyRootFilesystem: true
With optional services:
fusion:
  zookeeper:
    containerSecurityContext:
      readOnlyRootFilesystem: true
    exporters:
      jmx:
        enabled: true
      zookeeper:
        enabled: true
    jobs:
      chroots:
        enabled: true
        config:
          create:
            - /root-read-only

Kafka

fusion:
  kafka:
    containerSecurityContext:
      readOnlyRootFilesystem: true
With optional services:
fusion:
  kafka:
    containerSecurityContext:
      readOnlyRootFilesystem: true
    volumePermissions:
      enabled: true
      containerSecurityContext:
        readOnlyRootFilesystem: true
    metrics:
      kafka:
        containerSecurityContext:
          readOnlyRootFilesystem: true
          enabled: true
      jmx:
        enabled: true
        containerSecurityContext:
          enabled: true
          readOnlyRootFilesystem: true
    externalAccess:
      enabled: true
      autoDiscovery:
        enabled: true
        containerSecurityContext:
          enabled: true
          readOnlyRootFilesystem: true
    provisioning:
      enabled: true
      topics:
      - name: test
        partitions: 1
        replicationFactor: 1
        ## https://kafka.apache.org/documentation/#topicconfigs
        config:
          max.message.bytes: 64000
          flush.messages: 1
      containerSecurityContext:
        readOnlyRootFilesystem: true
        enabled: true

ML Model Service

fusion:
  ml-model-service:
    ambassador:
      containerSecurityContext:
        readOnlyRootFilesystem: true
    milvus:
      mysql:
        containerSecurityContext:
          readOnlyRootFilesystem: true
      securityContext:
        readOnlyRootFilesystem: true
With optional services:
fusion:
  ml-model-service:
    ambassador:
      containerSecurityContext:
        readOnlyRootFilesystem: true
      prometheusExporter:
        enabled: true
        securityContext:
          readOnlyRootFilesystem: true
    milvus:
      mysql:
        metrics:
          enabled: true
          securityContext:
            readOnlyRootFilesystem: true
        containerSecurityContext:
          readOnlyRootFilesystem: true
      cluster:
        enabled: false
      mishards:
        securityContext:
          readOnlyRootFilesystem: true
      admin:
        enabled: true
        securityContext:
          readOnlyRootFilesystem: true
      securityContext:
        readOnlyRootFilesystem: true

Argo

fusion:
  argo:
    minio:
      containerSecurityContext:
        readOnlyRootFilesystem: true
      extraVolumes:
        - name: config-dir
          emptyDir: {}
        - name: certs-dir
          emptyDir: {}
      extraVolumeMounts:
        - name: config-dir
          mountPath: /.minio
        - name: certs-dir
          mountPath: /etc/minio/certs
    server:
      securityContext:
        readOnlyRootFilesystem: true
    controller:
      securityContext:
        readOnlyRootFilesystem: true
    mainContainer:
      securityContext:
        readOnlyRootFilesystem: true
    executor:
      securityContext:
        readOnlyRootFilesystem: true

Seldon Core Operator

fusion:
  seldon-core-operator:
    containersSecurityContext:
      readOnlyRootFilesystem: true

Argo Common Workflows

fusion:
  argo-common-workflows:
    containerSecurityContext:
      readOnlyRootFilesystem: true

Question Answering

fusion:
  question-answering:
    containersSecurityContext:
      readOnlyRootFilesystem: true

Classification

fusion:
  classification:
    containersSecurityContext:
      readOnlyRootFilesystem: true

All-in-one values.yaml example

fusion:
  solr:
    containerSecurityContext:
      readOnlyRootFilesystem: true
  solr-managed:
    containerSecurityContext:
      readOnlyRootFilesystem: true
  zookeeper:
    containerSecurityContext:
      readOnlyRootFilesystem: true
  kafka:
    containerSecurityContext:
      readOnlyRootFilesystem: true
  ml-model-service:
    ambassador:
      containerSecurityContext:
        readOnlyRootFilesystem: true
    milvus:
      mysql:
        containerSecurityContext:
          readOnlyRootFilesystem: true
      securityContext:
        readOnlyRootFilesystem: true
  argo:
    minio:
      containerSecurityContext:
        readOnlyRootFilesystem: true
      extraVolumes:
        - name: config-dir
          emptyDir: {}
        - name: certs-dir
          emptyDir: {}
      extraVolumeMounts:
        - name: config-dir
          mountPath: /.minio
        - name: certs-dir
          mountPath: /etc/minio/certs
    server:
      securityContext:
        readOnlyRootFilesystem: true
    controller:
      securityContext:
        readOnlyRootFilesystem: true
    mainContainer:
      securityContext:
        readOnlyRootFilesystem: true
    executor:
      securityContext:
        readOnlyRootFilesystem: true
  seldon-core-operator:
    containersSecurityContext:
      readOnlyRootFilesystem: true
  argo-common-workflows:
    containerSecurityContext:
      readOnlyRootFilesystem: true
  question-answering:
    containersSecurityContext:
      readOnlyRootFilesystem: true
  classification:
    containersSecurityContext:
      readOnlyRootFilesystem: true

All-in-one values.yaml with optional services example

fusion:
  argo:
    minio:
      persistence:
        enabled: false
      containerSecurityContext:
        readOnlyRootFilesystem: true
      extraVolumes:
        - name: config-dir
          emptyDir: {}
        - name: certs-dir
          emptyDir: {}
      extraVolumeMounts:
        - name: config-dir
          mountPath: /.minio
        - name: certs-dir
          mountPath: /etc/minio/certs
    server:
      securityContext:
        readOnlyRootFilesystem: true
    controller:
      securityContext:
        readOnlyRootFilesystem: true
    mainContainer:
      securityContext:
        readOnlyRootFilesystem: true
    executor:
      securityContext:
        readOnlyRootFilesystem: true
  solr:
    exporter:
      enabled: true
      securityContext:
        readOnlyRootFilesystem: true
    containerSecurityContext:
      readOnlyRootFilesystem: true
    # tls:
    #   enabled: true
  solr-managed:
    exporter:
      enabled: true
      securityContext:
        readOnlyRootFilesystem: true
    enableExternalFiles: true
    enabledStorage:
    - gcs
    processRaw:
      image:
        repository: fusion-dev-docker.ci-artifactory.lucidworks.com
      cloudRoot: gs://lw-managed-fusion-data/tmp
      gcs:
        secret: gcs-key
        secretFieldName: key.json
      securityContext:
        readOnlyRootFilesystem: true
    containerSecurityContext:
      readOnlyRootFilesystem: true
    # tls:
    #   enabled: true
  zookeeper:
    containerSecurityContext:
      readOnlyRootFilesystem: true
    exporters:
      jmx:
        enabled: true
      zookeeper:
        enabled: true
    jobs:
      chroots:
        # enabled: true
        config:
          create:
            - /root-read-only
  kafka:
    containerSecurityContext:
      readOnlyRootFilesystem: true
    volumePermissions:
      enabled: true
      image:
        repository: "fusion-dev-docker.ci-artifactory.lucidworks.com/os-shell"
      containerSecurityContext:
        readOnlyRootFilesystem: true
    metrics:
      kafka:
        containerSecurityContext:
          readOnlyRootFilesystem: true
          enabled: true
      jmx:
        enabled: true
        containerSecurityContext:
          enabled: true
          readOnlyRootFilesystem: true
    externalAccess:
      enabled: true
      autoDiscovery:
        enabled: true
        containerSecurityContext:
          enabled: true
          readOnlyRootFilesystem: true
    provisioning:
      enabled: true
      topics:
      - name: test
        partitions: 1
        replicationFactor: 1
        ## https://kafka.apache.org/documentation/#topicconfigs
        config:
          max.message.bytes: 64000
          flush.messages: 1
      containerSecurityContext:
        readOnlyRootFilesystem: true
        enabled: true
  ml-model-service:
    enabled: true
    ambassador:
      containerSecurityContext:
        readOnlyRootFilesystem: true
      prometheusExporter:
        enabled: true
        securityContext:
          readOnlyRootFilesystem: true
    milvus:
      mysql:
        metrics:
          enabled: true
          securityContext:
            readOnlyRootFilesystem: true
        containerSecurityContext:
          readOnlyRootFilesystem: true
      cluster:
        enabled: false
      mishards:
        securityContext:
          readOnlyRootFilesystem: true
      admin:
        enabled: true
        securityContext:
          readOnlyRootFilesystem: true
      securityContext:
        readOnlyRootFilesystem: true
  seldon-core-operator:
    containersSecurityContext:
      readOnlyRootFilesystem: true
  argo-common-workflows:
    containerSecurityContext:
      readOnlyRootFilesystem: true
  question-answering:
    containersSecurityContext:
      readOnlyRootFilesystem: true
  classification:
    containersSecurityContext:
      readOnlyRootFilesystem: true
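
An added example, not part of the Lucidworks documentation: the values keys differ between charts on this page (containerSecurityContext, containersSecurityContext, securityContext), so the setting is best confirmed on the running pods. This Python script reads `kubectl get pods -o json`, reports every container or init container whose root file system is still writable, and lists the emptyDir mounts that remain writable for the compliant ones. The pod names and the sample pod list are constructed; the mount paths come from the Argo MinIO example above.

```python
"""Report containers that do not run with a read-only root file system.

Live use (the namespace is an assumption):
    kubectl get pods -n default -o json | python3 check_readonly_rootfs.py
"""
import json
import sys


def audit_rootfs(pod_list):
    """Return (writable_root, read_only).

    writable_root: sorted (pod, container) pairs where
                   readOnlyRootFilesystem is not true.
    read_only:     sorted (pod, container, [writable emptyDir mount paths]).
    """
    writable_root, read_only = [], []
    for pod in pod_list.get("items", []):
        pod_name = pod["metadata"]["name"]
        spec = pod.get("spec", {})
        # emptyDir volumes are the scratch space a read-only container
        # can still write to.
        scratch = {v["name"] for v in spec.get("volumes") or [] if "emptyDir" in v}
        for kind in ("initContainers", "containers"):
            for c in spec.get(kind) or []:
                ctx = c.get("securityContext") or {}
                # The field exists only at container level; absent means writable.
                if ctx.get("readOnlyRootFilesystem") is not True:
                    writable_root.append((pod_name, c["name"]))
                    continue
                mounts = sorted(
                    m["mountPath"]
                    for m in c.get("volumeMounts") or []
                    if m["name"] in scratch and not m.get("readOnly", False)
                )
                read_only.append((pod_name, c["name"], mounts))
    return sorted(writable_root), sorted(read_only)


# Constructed sample data, shaped like `kubectl get pods -o json` output.
SAMPLE_PODS = {
    "items": [
        {
            "metadata": {"name": "f5-minio-0"},
            "spec": {
                "volumes": [
                    {"name": "config-dir", "emptyDir": {}},
                    {"name": "certs-dir", "emptyDir": {}},
                    {"name": "data", "persistentVolumeClaim": {"claimName": "minio"}},
                ],
                "containers": [{
                    "name": "minio",
                    "securityContext": {"readOnlyRootFilesystem": True},
                    "volumeMounts": [
                        {"name": "config-dir", "mountPath": "/.minio"},
                        {"name": "certs-dir", "mountPath": "/etc/minio/certs"},
                        {"name": "data", "mountPath": "/export"},
                    ],
                }],
            },
        },
        {
            # Main container is hardened, but the init container was missed.
            "metadata": {"name": "f5-solr-0"},
            "spec": {
                "initContainers": [
                    {"name": "init", "securityContext": {"runAsUser": 8983}}
                ],
                "containers": [
                    {"name": "solr",
                     "securityContext": {"readOnlyRootFilesystem": True}}
                ],
            },
        },
        {
            # No securityContext at all.
            "metadata": {"name": "f5-classification"},
            "spec": {"containers": [{"name": "main"}]},
        },
    ]
}


def main():
    # Fall back to the constructed sample when nothing is piped in.
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    pods = json.loads(raw) if raw.strip() else SAMPLE_PODS
    writable_root, read_only = audit_rootfs(pods)
    for pod, container in writable_root:
        print(f"WRITABLE ROOT  {pod}/{container}")
    for pod, container, mounts in read_only:
        print(f"read-only      {pod}/{container}  scratch={mounts}")
    # Non-zero exit only for live data, so the check can gate a pipeline.
    return 1 if writable_root and raw.strip() else 0


if __name__ == "__main__":
    sys.exit(main())
```
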

Supported services

The table below lists the services that support a read-only root file system, the ones that have it enabled by default, and the Fusion release in which support was added:
Chart Name | Pod Name | Container Name | Supported | Default enabled | Supported version
admin-ui | admin-ui | admin-ui | | | 5.9.9+
api-gateway | api-gateway | init/api-gateway | | | 5.9.9+
api-gateway | api-gateway | api-gateway | | | 5.9.9+
api-gateway | api-gateway | generate-jks | | | 5.9.9+
apps-manager | apps-manager | apps-manager | | | 5.9.9+
argo | argo-server | argo-server | | | 5.9.10+
argo | argo-executor | executor | | | 5.9.10+
argo | argo-mainContainer | mainContainer | | | 5.9.10+
argo | argo-controller | controller | | | 5.9.10+
argo/minio | minio | minio | | | 5.9.10+
argo/minio | minio | minio | | | 5.9.10+
argo/minio | make-bucket-job | minio-mc | | | 5.9.10+
argo-common-workflows | delete-model | init/main/wait | | | 5.9.10+
argo-common-workflows | deploy-model | init/main/wait | | | 5.9.10+
argo-common-workflows | milvus-maintenance | init/main/wait | | | 5.9.10+
argo-common-workflows | upload-model-to-cloud | init/main/wait | | | 5.9.10+
async-parsing | async-parsing | tika-server | | | 5.9.9+
async-parsing | async-parsing | async-parsing | | | 5.9.9+
auth-ui | auth-ui | auth-ui | | | 5.9.9+
classic-rest-service | classic-rest-service | init/import-certs | | | 5.9.10+
classic-rest-service | classic-rest-service | classic-rest-service | | | 5.9.9+
classification | argo/classification | init/wait/main | | | 5.9.10+
connector-plugin | connector-plugin | init/import-certs | | | 5.9.10+
connector-plugin | connector-plugin | connector-plugin | | | 5.9.9+
connectors | connectors | connectors | | | 5.9.9+
connectors-backend | CRD | | | | 5.9.9+
connectors-backend | connectors-backend | connectors-backend | | | 5.9.9+
fusion-admin | fusion-admin | admin | | | 5.9.9+
fusion-commons | | check-admin | | | 5.9.9+
fusion-commons | | check-api-gateway | | | 5.9.9+
fusion-commons | | check-indexing | | | 5.9.9+
fusion-commons | | check-kafka | | | 5.9.9+
fusion-commons | | check-logstash | | | 5.9.9+
fusion-commons | | check-pulsar | | | 5.9.9+
fusion-commons | | setup-keystore-and-properties | | | 5.9.9+
fusion-commons | | check-zk | | | 5.9.9+
fusion-config-sync | fusion-config-sync | fusion-config-sync | | | 5.9.9+
fusion-data-augmentation | argo/data-augmentation/volume-fix | init/main/wait | | | 5.9.10+
fusion-data-augmentation | argo/data-augmentation/init-workspace | init/main/wait | | | 5.9.10+
fusion-data-augmentation | argo/data-augmentation/write-job-configs | init/main/wait | | | 5.9.10+
fusion-data-augmentation | argo/data-augmentation/write-io-configs | init/main/wait | | | 5.9.10+
fusion-data-augmentation | argo/data-augmentation/add-zkhost | init/main/wait | | | 5.9.10+
fusion-data-augmentation | argo/data-augmentation/pull-data-training-and-metadata | init/main/wait | | | 5.9.10+
fusion-data-augmentation | argo/data-augmentation/pull-data-training-and-metadata-cloud | init/main/wait | | | 5.9.10+
fusion-data-augmentation | argo/data-augmentation/volume-fix2 | init/main/wait | | | 5.9.10+
fusion-data-augmentation | argo/data-augmentation/synonym-list | init/main/wait | | | 5.9.10+
fusion-data-augmentation | argo/data-augmentation/download-synonym-dictionary | init/main/wait | | | 5.9.10+
fusion-data-augmentation | argo/data-augmentation/keystroke-list | init/main/wait | | | 5.9.10+
fusion-data-augmentation | argo/data-augmentation/download-keystroke-blob | init/main/wait | | | 5.9.10+
fusion-data-augmentation | argo/data-augmentation/augment | init/main/wait | | | 5.9.10+
fusion-data-augmentation | argo/data-augmentation/push-augmented-data | init/main/wait | | | 5.9.10+
fusion-data-augmentation | argo/data-augmentation/push-augmented-data-cloud | init/main/wait | | | 5.9.10+
fusion-indexing | fusion-indexing | fusion-indexing | | | 5.9.9+
fusion-resources | fusion-resources-secret-hook | setup-keystore-and-properties | | | 5.9.10+
insights | insights | insights | | | 5.9.9+
job-launcher | job-launcher | job-launcher | | | 5.9.9+
job-launcher | job-launcher | kubectl-runner | | | 5.9.9+
job-launcher | job-launcher-spark-cleanup | kubectl-runner | | | 5.9.9+
job-launcher | spark-kubernetes-driver | spark-kubernetes-driver | | | 5.9.10+
job-launcher | spark-kubernetes-executor | spark-kubernetes-executor | | | 5.9.10+
job-rest-server | job-rest-server | job-rest-server | | | 5.9.9+
kafka | kafka-metrics | kafka-exporter-archived | | | 5.9.10+
kafka | kafka-provisioning | init/wait-for-available-kafka | | | 5.9.10+
kafka | kafka-provisioning | kafka-provisioning | | | 5.9.10+
kafka | kafka | kafka | | | 5.9.10+
kafka | kafka | jmx-exporter | | | 5.9.10+
kafka | kafka | init/check-zk | | | 5.9.9+
kafka | kafka | init/auto-discovery | | | 5.9.10+
kafka | kafka | init/volume-permissions | | | 5.9.10+
lwai-gateway | lwai-gateway | lwai-gateway | | | 5.9.9+
ml-model-service | ml-model-service | java-service | | | 5.9.9+
ml-model-service | ml-model-service-namespace-hook | kubectl-runner | | | 5.9.9+
ml-model-service/ambassador | ambassador | ambassador | | | 5.9.10+
ml-model-service/ambassador | ambassador | prometheus-exporter | | | 5.9.10+
ml-model-service/milvus | milvus-writable | milvus | | | 5.9.10+
ml-model-service/milvus | milvus-writable | init/wait-for-mysql | | | 5.9.10+
ml-model-service/milvus | milvus-writable | init/create-for-share-storage | | | 5.9.10+
ml-model-service/milvus | milvus-admin | admin | | | 5.9.10+
ml-model-service/milvus | milvus-admin | init/wait-for-milvus | | | 5.9.10+
ml-model-service/milvus | milvus-mishards | init/wait-for-mysql | | | 5.9.10+
ml-model-service/milvus | milvus-mishards | init/wait-for-mysql | | | 5.9.10+
ml-model-service/milvus | milvus-mishards | mishards | | | 5.9.10+
ml-model-service/milvus/mysql | mysql | init/remove-lost-found | | | 5.9.10+
ml-model-service/milvus/mysql | mysql | mysql | | | 5.9.10+
pm-ui | pm-ui | pm-ui | | | 5.9.9+
query-pipeline | query-pipeline | query-pipeline | | | 5.9.9+
question-answering | argo/qna-coldstart/init-workspace | init/wait/main | | | 5.9.10+
question-answering | argo/qna-coldstart/write-job-configs | init/wait/main | | | 5.9.10+
question-answering | argo/qna-coldstart/write-io-configs | init/wait/main | | | 5.9.10+
question-answering | argo/qna-coldstart/write-io-configs | init/wait/main | | | 5.9.10+
question-answering | argo/qna-coldstart/add-zkHost | init/wait/main | | | 5.9.10+
question-answering | argo/qna-coldstart/pull-data | init/wait/main | | | 5.9.10+
question-answering | argo/qna-coldstart/pull-data-cloud | init/wait/main | | | 5.9.10+
question-answering | argo/qna-coldstart/train | init/wait/main | | | 5.9.10+
question-answering | argo/qna-coldstart/list-workspace | init/wait/main | | | 5.9.10+
question-answering | argo/qna-coldstart/post-model | init/wait/main | | | 5.9.10+
question-answering | argo/qna-coldstart/apply-seldon-deployment | init/wait/main | | | 5.9.10+
question-answering | argo/qna-supervised/init-workspace | init/wait/main | | | 5.9.10+
question-answering | argo/qna-supervised/write-job-configs | init/wait/main | | | 5.9.10+
question-answering | argo/qna-supervised/write-io-configs | init/wait/main | | | 5.9.10+
question-answering | argo/qna-supervised/add-zkhost | init/wait/main | | | 5.9.10+
question-answering | argo/qna-supervised/pull-qa-data-cloud | init/wait/main | | | 5.9.10+
question-answering | argo/qna-supervised/pull-qa-data | init/wait/main | | | 5.9.10+
question-answering | argo/qna-supervised/train | init/wait/main | | | 5.9.10+
question-answering | argo/qna-supervised/train-with-texts | init/wait/main | | | 5.9.10+
question-answering | argo/qna-supervised/list-workspace | init/wait/main | | | 5.9.10+
question-answering | argo/qna-supervised/post-model | init/wait/main | | | 5.9.10+
question-answering | argo/qna-supervised/apply-seldon-deployment | init/wait/main | | | 5.9.10+
question-answering | argo/qna-evaluation/init-workspace | init/wait/main | | | 5.9.10+
question-answering | argo/qna-evaluation/write-job-configs | init/wait/main | | | 5.9.10+
question-answering | argo/qna-evaluation/write-io-configs | init/wait/main | | | 5.9.10+
question-answering | argo/qna-evaluation/add-zkhost | init/wait/main | | | 5.9.10+
question-answering | argo/qna-evaluation/list-workspace | init/wait/main | | | 5.9.10+
question-answering | argo/qna-evaluation/pull-eval-data | init/wait/main | | | 5.9.10+
question-answering | argo/qna-evaluation/pull-eval-data-cloud | init/wait/main | | | 5.9.10+
question-answering | argo/qna-evaluation/evaluate | init/wait/main | | | 5.9.10+
question-answering | argo/qna-evaluation/push-eval-results-cloud | init/wait/main | | | 5.9.10+
question-answering | argo/qna-evaluation/push-eval-results | init/wait/main | | | 5.9.10+
recommender | argo/item-recommender-user | init/wait/main | | | 5.9.10+
recommender | argo/item-recommender-user/init-workspace | init/wait/main | | | 5.9.10+
recommender | argo/item-recommender-user/write-job-configs | init/wait/main | | | 5.9.10+
recommender | argo/item-recommender-user/write-io-configs | init/wait/main | | | 5.9.10+
recommender | argo/item-recommender-user/add-zkhost | init/wait/main | | | 5.9.10+
recommender | argo/item-recommender-user/pull-data-training-and-metadata | init/wait/main | | | 5.9.10+
recommender | argo/item-recommender-user/pull-data-training-and-metadata-cloud | init/wait/main | | | 5.9.10+
recommender | argo/item-recommender-user/train-with-metadata | init/wait/main | | | 5.9.10+
recommender | argo/item-recommender-user/train-without-metadata | init/wait/main | | | 5.9.10+
recommender | argo/item-recommender-user/push-recommendations | init/wait/main | | | 5.9.10+
recommender | argo/item-recommender-user/push-recommendations-cloud | init/wait/main | | | 5.9.10+
recommender | argo/item-recommender-user/add-default-exclude-query | init/wait/main | | | 5.9.10+
recommender | argo/item-recommender-user/init-workspace | init/wait/main | | | 5.9.10+
recommender | argo/item-recommender-content/copy-model | init/wait/main | | | 5.9.10+
recommender | argo/item-recommender-content/write-job-configs | init/wait/main | | | 5.9.10+
recommender | argo/item-recommender-content/write-io-configs | init/wait/main | | | 5.9.10+
recommender | argo/item-recommender-content/add-zkhost | init/wait/main | | | 5.9.10+
recommender | argo/item-recommender-content/pull-data | init/wait/main | | | 5.9.10+
recommender | argo/item-recommender-content/pull-data-cloud | init/wait/main | | | 5.9.10+
recommender | argo/item-recommender-content/train | init/wait/main | | | 5.9.10+
recommender | argo/item-recommender-content/push-content | init/wait/main | | | 5.9.10+
recommender | argo/item-recommender-content/push-content-cloud | init/wait/main | | | 5.9.10+
recommender | argo/item-recommender-content/add-default-exclude-query | init/wait/main | | | 5.9.10+
recommender | argo/item-recommender-content/delete-old-content-recommendations | init/wait/main | | | 5.9.10+
reverse-search | reverse-search | init/set-reverse-search-zone | | | 5.9.10+
reverse-search | reverse-search | init/check-zk | | | 5.9.9+
reverse-search | reverse-search | init/enable-tls-in-reverse-search | | | 5.9.10+
reverse-search | reverse-search | reverse-search | | | 5.9.10+
rules-ui | rules-ui | rules-ui | | | 5.9.9+
seldon-core-operator | seldon-controller-manager | manager | | | 5.9.10+
seldon-core-operator | seldon-spartakus-volunteer | seldon-spartakus-volunteer | | | 5.9.9+
seldon-core-operator | crd/SeldonDeployment | | ✅/❌ | | 5.9.9+
solr | solr | init/set-solr-zone | | | 5.9.10+
solr | solr | init/enable-tls-in-solr | | | 5.9.10+
solr | configset-bootstrap | configset-bootstrap | | | 5.9.10+
solr | solr | solr | | | 5.9.10+
solr | solr-exporter | exporter | | | 5.9.10+
solr | solr-exporter | init/solr-init | | | 5.9.10+
solr-managed | configset-bootstrap | configset-bootstrap | | | 5.9.10+
solr-managed | exporter | exporter | | | 5.9.10+
solr-managed | exporter | init/solr-init | | | 5.9.10+
solr-managed | solr | init/set-solr-zone | | | 5.9.10+
solr-managed | solr | init/enable-tls-in-solr | | | 5.9.10+
solr-managed | solr | solr | | | 5.9.10+
solr-managed | solr | process-raw | | | 5.9.10+
solr-backup-runner | solr-backup-runner-backup | solr-backups | | | 5.9.10+
solr-backup-runner | solr-backup-runner-prune | solr-prune | | | 5.9.10+
templating | templating | templating | | | 5.9.9+
webapps | webapps | webapps | | | 5.9.9+
zookeeper | zookeeper | zookeeper | | | 5.9.10+
zookeeper | zookeeper | jmx-exporter | | | 5.9.10+
zookeeper | zookeeper | zookeeper-exporter | | | 5.9.10+
zookeeper | zookeeper-chroots | main | | | 5.9.10+
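
Whether the values above actually reached the running pods can be checked per container, because Kubernetes defines readOnlyRootFilesystem only on the container-level securityContext. The following is an added example, not part of the Fusion charts or documentation; the function name, the constructed sample pod list, and the reading of the table's "init/" prefix as "init container" are assumptions.

```python
import json

# Constructed sample shaped like `kubectl get pods -n <namespace> -o json` output.
# It does not reflect the real state of any Fusion release.
SAMPLE_POD_LIST = json.loads("""
{"items": [
  {"metadata": {"name": "kafka-0"},
   "spec": {
     "initContainers": [
       {"name": "check-zk", "securityContext": {"readOnlyRootFilesystem": true}},
       {"name": "volume-permissions", "securityContext": {"runAsUser": 0}}],
     "containers": [
       {"name": "kafka", "securityContext": {"readOnlyRootFilesystem": true}},
       {"name": "jmx-exporter"}]}},
  {"metadata": {"name": "admin-ui-7d9f"},
   "spec": {"containers": [
       {"name": "admin-ui", "securityContext": {"readOnlyRootFilesystem": true}}]}}
]}
""")


def audit_read_only_rootfs(pod_list):
    """Return sorted (pod, container) pairs whose root file system is writable.

    Init containers are reported as "init/<name>" (assumed to match the table's
    notation). A missing securityContext or a missing field counts as writable,
    which is the Kubernetes default.
    """
    findings = []
    for pod in pod_list.get("items", []):
        pod_name = pod["metadata"]["name"]
        spec = pod.get("spec", {})
        groups = (
            ("init/", spec.get("initContainers") or []),
            ("", spec.get("containers") or []),
        )
        for prefix, containers in groups:
            for container in containers:
                ctx = container.get("securityContext") or {}
                if ctx.get("readOnlyRootFilesystem") is not True:
                    findings.append((pod_name, prefix + container["name"]))
    return sorted(findings)


if __name__ == "__main__":
    for pod_name, container in audit_read_only_rootfs(SAMPLE_POD_LIST):
        print(f"{pod_name}: {container} has a writable root file system")
```

Against a live cluster, load the JSON from kubectl instead of the sample and compare the findings with the rows of the table for your Fusion version.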
I