kagent-dev · qasmi · Aug 8, 2025 · Aug 8, 2025 · Aug 8, 2025 · Aug 8, 2025
@@ -24,7 +24,7 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+        {{- toYaml (.Values.ui.podSecurityContext | default .Values.podSecurityContext ) | nindent 8 }}
       serviceAccountName: {{ include "kagent.fullname" . }}-ui
       {{- with .Values.ui.nodeSelector }}
       nodeSelector:
@@ -34,6 +34,20 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.ui.initContainers }}
+      initContainers:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      volumes:
+        - emptyDir: {}
+          name: tmp
+        - emptyDir: {}
+          name: lib-nginx
+        - emptyDir: {}
+          name: run-nginx
+      {{- with .Values.ui.volumes }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       containers:
         - name: ui
           securityContext:
@@ -62,4 +76,14 @@ spec:
             httpGet:
               path: /health
               port: http
-            periodSeconds: 30
+            periodSeconds: 30
+          volumeMounts:
+            - mountPath: /tmp
+              name: tmp
+            - mountPath: /var/lib/nginx
+              name: lib-nginx
+            - mountPath: /run/nginx
+              name: run-nginx
+          {{- with .Values.ui.volumeMounts }}
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
@@ -102,4 +102,43 @@ tests:
             key: role
             value: AI
             effect: NoSchedule
-            operator: Equal
+            operator: Equal
+
+  - it: should include init-nginx container
+    set:
+      ui:
+        initContainers:
+          - name: init-nginx
+            image: busybox
+            command: []
+    asserts:
+      - equal:
+          path: spec.template.spec.initContainers[0].name
+          value: init-nginx
+      - equal:
+          path: spec.template.spec.initContainers[0].image
+          value: busybox
+      - equal:
+          path: spec.template.spec.initContainers[0].command
+          value: []
+
+  - it: should include extra volumes and volumeMounts
+    set:
+      ui:
+        volumeMounts:
+        - mountPath: /tmp
+          name: custom-volume
+        volumes:
+        - name: custom-volume
+          emptyDir: {}
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            mountPath: /tmp
+            name: custom-volume
+      - contains:
+          path: spec.template.spec.volumes
+          content:
+            name: custom-volume
+            emptyDir: {}
@@ -163,6 +163,35 @@ ui:
   # -- Node labels to match for `Pod` [scheduling](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).
   nodeSelector: {}
 
+  # -- Init containers to add to the UI pod if you require a custom configuration
+  initContainers: []
+  # - name: init-nginx
+  #   image: busybox
+  #   command: []
+
+  # -- Additional volumeMounts to the UI container
+  volumeMounts: []
+  #  - mountPath: /tmp
+  #    name: tmp
+
+  # -- Additional volumes to the UI pod
+  volumes: []
+  #  - name: tmp
+  #    emptyDir: {}
+
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop: ["ALL"]
+    readOnlyRootFilesystem: false
+    seccompProfile:
+      type: RuntimeDefault
+
+  podSecurityContext:
+    runAsUser: 1001
+    runAsGroup: 1001
+    runAsNonRoot: true
+    fsGroup: 1001
 # ==============================================================================
 # LLM PROVIDERS CONFIGURATION
 # ==============================================================================

@@ -76,12 +76,16 @@ RUN mkdir -p $BUN_INSTALL  \
     && curl -fsSL https://bun.sh/install | bash -s "bun-v$TOOLS_BUN_VERSION" \
     && bun --version
 
-RUN mkdir -p /app/ui/public /tmp/nginx/client_temp /tmp/nginx/proxy_temp /tmp/nginx/fastcgi_temp /tmp/nginx/uwsgi_temp /tmp/nginx/scgi_temp  \
-    && addgroup -g 1001 nginx                        \
+RUN mkdir -p /app/ui/public /run/nginx/ /var/run/nginx/ /var/lib/nginx/tmp/ /var/lib/nginx/tmp/client_body /var/lib/nginx/logs/  \
+    && addgroup -g 1001    nginx                        \
     && adduser  -u 1001 -G nginx -s /bin/bash -D nextjs \
     && adduser  -u 1002 -G nginx -s /bin/bash -D nginx  \
     && chown    -vR nextjs:nginx /app/ui                \
-    && chown    -vR nextjs:nginx /tmp/nginx/
+    && chown    -vR nextjs:nginx /run/nginx             \
+    && chown    -vR nextjs:nginx /var/run/nginx         \
+    && chown    -vR nextjs:nginx /var/lib/nginx/        \
+
+    && touch /var/lib/nginx/logs/error.log && printf '\n' >> /var/lib/nginx/logs/error.log
 
 WORKDIR /app
 COPY conf/nginx.conf /etc/nginx/nginx.conf
@@ -108,4 +112,4 @@ LABEL org.opencontainers.image.version="$VERSION"
 
 USER nextjs
 
-CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]
+CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]