From fc439e6ed784fb18ebaf20fb9b97d811d878637e Mon Sep 17 00:00:00 2001 From: wadhah101 Date: Thu, 26 Mar 2026 16:22:40 +0100 Subject: [PATCH] feat(MLP-5609): add tmpVolume support to brainstore reader and writer Add tmpVolume configuration for brainstore reader and writer deployments, matching the existing API tmpVolume pattern. This mounts a writable emptyDir at /tmp, which is required when readOnlyRootFilesystem is enabled for CEL policy compliance. Co-Authored-By: Claude Opus 4.6 --- .../examples/google-autopilot-cel/values.yaml | 10 ++++++++++ .../templates/brainstore-reader-deployment.yaml | 13 +++++++++++++ .../templates/brainstore-writer-deployment.yaml | 13 +++++++++++++ braintrust/values.yaml | 14 +++++++++++--- 4 files changed, 47 insertions(+), 3 deletions(-) diff --git a/braintrust/examples/google-autopilot-cel/values.yaml b/braintrust/examples/google-autopilot-cel/values.yaml index fcb14c3..f75a36d 100644 --- a/braintrust/examples/google-autopilot-cel/values.yaml +++ b/braintrust/examples/google-autopilot-cel/values.yaml @@ -94,6 +94,11 @@ brainstore: drop: - ALL + # Required when readOnlyRootFilesystem is true — mounts a writable emptyDir at /tmp + tmpVolume: + enabled: true + sizeLimit: "1Gi" + volume: # Requests a local SSD from GKE Autopilot via ephemeral-storage resource request size: "1000Gi" @@ -131,6 +136,11 @@ brainstore: drop: - ALL + # Required when readOnlyRootFilesystem is true — mounts a writable emptyDir at /tmp + tmpVolume: + enabled: true + sizeLimit: "1Gi" + volume: size: "1000Gi" sizeLimit: "900Gi" diff --git a/braintrust/templates/brainstore-reader-deployment.yaml b/braintrust/templates/brainstore-reader-deployment.yaml index ac0f4c3..a3cb1a3 100644 --- a/braintrust/templates/brainstore-reader-deployment.yaml +++ b/braintrust/templates/brainstore-reader-deployment.yaml 
@@ -138,6 +138,10 @@ spec: volumeMounts: - name: cache-volume mountPath: {{ .Values.brainstore.reader.cacheDir }} + {{- if .Values.brainstore.reader.tmpVolume.enabled }} + - name: tmp-volume + mountPath: /tmp + {{- end }} {{- if and (eq .Values.cloud "azure") .Values.azure.enableAzureKeyVaultDriver }} - name: secrets-store-inline mountPath: "/mnt/secrets-store" @@ -163,6 +167,15 @@ spec: {} {{- end }} {{- end }} + {{- if .Values.brainstore.reader.tmpVolume.enabled }} + - name: tmp-volume + emptyDir: + {{- if .Values.brainstore.reader.tmpVolume.sizeLimit }} + sizeLimit: {{ .Values.brainstore.reader.tmpVolume.sizeLimit | quote }} + {{- else }} + {} + {{- end }} + {{- end }} {{- if and (eq .Values.cloud "azure") .Values.azure.enableAzureKeyVaultDriver }} - name: secrets-store-inline csi: diff --git a/braintrust/templates/brainstore-writer-deployment.yaml b/braintrust/templates/brainstore-writer-deployment.yaml index dd24a2e..1a23ba6 100644 --- a/braintrust/templates/brainstore-writer-deployment.yaml +++ b/braintrust/templates/brainstore-writer-deployment.yaml @@ -138,6 +138,10 @@ spec: volumeMounts: - name: cache-volume mountPath: {{ .Values.brainstore.writer.cacheDir }} + {{- if .Values.brainstore.writer.tmpVolume.enabled }} + - name: tmp-volume + mountPath: /tmp + {{- end }} {{- if and (eq .Values.cloud "azure") .Values.azure.enableAzureKeyVaultDriver }} - name: secrets-store-inline mountPath: "/mnt/secrets-store" @@ -163,6 +167,15 @@ spec: {} {{- end }} {{- end }} + {{- if .Values.brainstore.writer.tmpVolume.enabled }} + - name: tmp-volume + emptyDir: + {{- if .Values.brainstore.writer.tmpVolume.sizeLimit }} + sizeLimit: {{ .Values.brainstore.writer.tmpVolume.sizeLimit | quote }} + {{- else }} + {} + {{- end }} + {{- end }} {{- if and (eq .Values.cloud "azure") .Values.azure.enableAzureKeyVaultDriver }} - name: secrets-store-inline csi: diff --git a/braintrust/values.yaml b/braintrust/values.yaml index 65c9940..0c6b94f 100644 --- a/braintrust/values.yaml 
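Review bot: When `tmpVolume.enabled` is true and `sizeLimit` is unset, the reader `tmp-volume` added in the volumes hunk (+167) renders `emptyDir: {}`, so the writable /tmp has no cap of its own and is bounded only by any ephemeral-storage limits on the pod and by node capacity. The writer template's volumes hunk has the same fallback, and the chart defaults in braintrust/values.yaml ship `# sizeLimit: "1Gi"` commented out, so an operator who only flips `enabled: true` gets the uncapped path. Since this volume exists to support a read-only root filesystem, I would ship `sizeLimit: "1Gi"` uncommented in the reader and writer defaults, which is the value the google-autopilot-cel example already uses. The volumes list starts outside the hunk and indentation is not recoverable from this view, so the nesting of the `{}` branch should be checked with `helm template`.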
+++ b/braintrust/values.yaml @@ -116,9 +116,9 @@ api: # drop: # - ALL # Temporary directory configuration (needed when readOnlyRootFilesystem is true) - # tmpVolume: - # enabled: true - # sizeLimit: "1Gi" + tmpVolume: + enabled: false + # sizeLimit: "1Gi" # Allow running user generated code functions (e.g. scorers/tools) allowCodeFunctionExecution: true # Brainstore backfill configuration. These defaults are fine for most cases. @@ -235,6 +235,10 @@ brainstore: # capabilities: # drop: # - ALL + # Temporary directory configuration (needed when readOnlyRootFilesystem is true) + tmpVolume: + enabled: false + # sizeLimit: "1Gi" cacheDir: "/mnt/tmp/brainstore" objectStoreCacheMemoryLimit: "1Gi" objectStoreCacheFileSize: "50Gi" @@ -287,6 +291,10 @@ brainstore: # capabilities: # drop: # - ALL + # Temporary directory configuration (needed when readOnlyRootFilesystem is true) + tmpVolume: + enabled: false + # sizeLimit: "1Gi" cacheDir: "/mnt/tmp/brainstore" objectStoreCacheMemoryLimit: "1Gi" objectStoreCacheFileSize: "50Gi"
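Review bot: The first hunk here (+116) turns `api.tmpVolume` from a commented example into a live default (`enabled: false`), which the commit description, scoped to the brainstore reader and writer, does not mention. The api deployment template is not part of this diff, so it is worth confirming that it gates on `.Values.api.tmpVolume.enabled` rather than on the presence of the `tmpVolume` key. If it tests presence, existing installs would start mounting an emptyDir at /tmp after upgrade. A line in the commit message or changelog noting the api default change would cover it.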