From 36fe912df05ce94848ab1beafb16b721fe06eaa1 Mon Sep 17 00:00:00 2001
From: diwakar thyagaraj
Date: Thu, 21 May 2020 20:24:48 +0000
Subject: [PATCH] Enable Apparmor to Elasticsearch Completed Pods

Change-Id: I52e07c585c50817706e64b8e2f26f73c25587da7
Signed-off-by: diwakar thyagaraj
---
 .../templates/cron-job-verify-repositories.yaml | 2 ++
 elasticsearch/templates/deployment-client.yaml | 2 +-
 .../templates/job-elasticsearch-template.yaml | 3 +++
 elasticsearch/templates/statefulset-data.yaml | 2 +-
 elasticsearch/templates/statefulset-master.yaml | 2 +-
 elasticsearch/values_overrides/apparmor.yaml | 13 +++++++++++++
 6 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/elasticsearch/templates/cron-job-verify-repositories.yaml b/elasticsearch/templates/cron-job-verify-repositories.yaml
index cf616386a..b9c6b941d 100644
--- a/elasticsearch/templates/cron-job-verify-repositories.yaml
+++ b/elasticsearch/templates/cron-job-verify-repositories.yaml
@@ -37,6 +37,8 @@ spec:
 metadata:
 labels:
 {{ tuple $envAll "elasticsearch" "verify-repositories" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ dict "envAll" $envAll "podName" "elasticsearch-verify-repositories" "containerNames" (list "elasticsearch-verify-repositories" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 template:
 metadata:
diff --git a/elasticsearch/templates/deployment-client.yaml b/elasticsearch/templates/deployment-client.yaml
index 5021d9a1b..0d166a1e2 100644
--- a/elasticsearch/templates/deployment-client.yaml
+++ b/elasticsearch/templates/deployment-client.yaml
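Review bot: The `annotations:` block added in the cron-job-verify-repositories.yaml hunk sits under the first `metadata:` and ahead of the `spec:` / `template:` / `metadata:` lines that follow, so it appears to land on the Job-level metadata of the CronJob's job template rather than on the pod template. AppArmor annotations are only acted on when they are present on the Pod itself, so a profile declared one level up would leave the verify-repositories containers without the intended confinement while the chart still renders cleanly. Consider moving the `kubernetes_mandatory_access_control_annotation` include under the inner `template:` `metadata:`, with `indent` adjusted to that depth. The pod template's own metadata continues outside this hunk and the page has lost the original indentation, so confirm the placement against the rendered manifest.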
@@ -45,7 +45,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 configmap-bin-hash: {{ tuple "configmap-bin-elasticsearch.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-etc-hash: {{ tuple "configmap-etc-elasticsearch.yaml" . | include "helm-toolkit.utils.hash" }}
-{{ dict "envAll" $envAll "podName" "elasticsearch-client" "containerNames" (list "elasticsearch-client") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "elasticsearch-client" "containerNames" (list "elasticsearch-client" "init" "memory-map-increase" "apache-proxy") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 {{ dict "envAll" $envAll "application" "client" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
diff --git a/elasticsearch/templates/job-elasticsearch-template.yaml b/elasticsearch/templates/job-elasticsearch-template.yaml
index 994e9d11b..a93ee1c79 100644
--- a/elasticsearch/templates/job-elasticsearch-template.yaml
+++ b/elasticsearch/templates/job-elasticsearch-template.yaml
@@ -32,6 +32,9 @@ spec:
 metadata:
 labels:
 {{ tuple $envAll "elasticsearch" "create-templates" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "create-elasticsearch-templates" "containerNames" (list "create-elasticsearch-templates" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 {{ dict "envAll" $envAll "application" "elasticsearch_template" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
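Review bot: The `containerNames` list on the changed `elasticsearch-client` line is a second, hand-maintained copy of the pod's container names, and the pod spec it has to match is outside this hunk. As far as can be inferred from how the helper is called here, a name that matches neither a real container nor a key in `values_overrides/apparmor.yaml` produces no effective annotation and no render error, so drift stays silent. The same applies to the `elasticsearch-data` and `elasticsearch-master` hunks. I would add a template comment above each include, e.g. `{{/* containerNames must match the container names in this pod spec and the keys under the same podName in values_overrides/apparmor.yaml */}}`. It is also worth checking on a running pod that `memory-map-increase` is actually confined: if that init container runs privileged (not visible here), container runtimes typically leave it unconfined regardless of the annotation.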
diff --git a/elasticsearch/templates/statefulset-data.yaml b/elasticsearch/templates/statefulset-data.yaml
index 8201985d2..048d9fae3 100644
--- a/elasticsearch/templates/statefulset-data.yaml
+++ b/elasticsearch/templates/statefulset-data.yaml
@@ -44,7 +44,7 @@ spec:
 labels:
 {{ tuple $envAll "elasticsearch" "data" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 annotations:
-{{ dict "envAll" $envAll "podName" "elasticsearch-data" "containerNames" (list "elasticsearch-data") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "elasticsearch-data" "containerNames" (list "elasticsearch-data" "init" "memory-map-increase") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 configmap-bin-hash: {{ tuple "configmap-bin-elasticsearch.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-etc-hash: {{ tuple "configmap-etc-elasticsearch.yaml" . | include "helm-toolkit.utils.hash" }}
diff --git a/elasticsearch/templates/statefulset-master.yaml b/elasticsearch/templates/statefulset-master.yaml
index 25c2e2b39..34a208cdd 100644
--- a/elasticsearch/templates/statefulset-master.yaml
+++ b/elasticsearch/templates/statefulset-master.yaml
@@ -46,7 +46,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 configmap-bin-hash: {{ tuple "configmap-bin-elasticsearch.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-etc-hash: {{ tuple "configmap-etc-elasticsearch.yaml" . | include "helm-toolkit.utils.hash" }}
-{{ dict "envAll" $envAll "podName" "elasticsearch-master" "containerNames" (list "elasticsearch-master") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "elasticsearch-master" "containerNames" (list "elasticsearch-master" "init" "memory-map-increase") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 {{ dict "envAll" $envAll "application" "master" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
diff --git a/elasticsearch/values_overrides/apparmor.yaml b/elasticsearch/values_overrides/apparmor.yaml
index c3adbe280..84b06df57 100644
--- a/elasticsearch/values_overrides/apparmor.yaml
+++ b/elasticsearch/values_overrides/apparmor.yaml
@@ -13,13 +13,26 @@ pod:
 init: runtime/default
 elasticsearch-master:
 elasticsearch-master: runtime/default
+ init: runtime/default
+ memory-map-increase: runtime/default
 elasticsearch-data:
 elasticsearch-data: runtime/default
+ init: runtime/default
+ memory-map-increase: runtime/default
 elasticsearch-client:
 elasticsearch-client: runtime/default
+ init: runtime/default
+ memory-map-increase: runtime/default
+ apache-proxy: runtime/default
 prometheus-elasticsearch-exporter:
 elasticsearch-exporter: runtime/default
 init: runtime/default
 elasticsearch-test:
 init: runtime/default
 elasticsearch-helm-tests: runtime/default
+ create-elasticsearch-templates:
+ create-elasticsearch-templates: runtime/default
+ init: runtime/default
+ elasticsearch-verify-repositories:
+ elasticsearch-verify-repositories: runtime/default
+ init: runtime/default
\ No newline at end of file
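Review bot: The new content of `values_overrides/apparmor.yaml` ends without a trailing newline (`\ No newline at end of file`), which yamllint's `new-line-at-end-of-file` rule flags and which makes the next append show up as a change to the final `init: runtime/default` line; add the newline. Each inner key here has to equal a container name passed in the matching template's `containerNames` list, and nothing in the file says so. A one-line comment above the mapping, such as `# <podName> -> <container name> -> AppArmor profile; names must match the templates' containerNames lists`, would make that coupling explicit for whoever adds the next container. The mapping starts above this hunk.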