From 483d6f0047fde4c7e86ed0e6580ed86f0d113688 Mon Sep 17 00:00:00 2001
From: "KHIYANI, RAHUL (rk0850)"
Date: Tue, 28 Jan 2020 16:30:19 -0600
Subject: [PATCH] Add Docker default AppArmor profile to mariadb
Change-Id: I256f169d6ff2de71b7218ab522bac9975d971c41
---
 mariadb/templates/deployment-error.yaml | 1 +
 mariadb/templates/deployment-ingress.yaml | 1 +
 mariadb/templates/statefulset.yaml | 1 +
 mariadb/values_overrides/apparmor.yaml | 9 +++++++++
 4 files changed, 12 insertions(+)
 create mode 100644 mariadb/values_overrides/apparmor.yaml
diff --git a/mariadb/templates/deployment-error.yaml b/mariadb/templates/deployment-error.yaml
index 115212df3..4550453b1 100644
--- a/mariadb/templates/deployment-error.yaml
+++ b/mariadb/templates/deployment-error.yaml
@@ -42,6 +42,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-etc-hash: {{ tuple "configmap-ingress-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "mariadb-ingress-error-pages" "containerNames" (list "ingress-error-pages") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 shareProcessNamespace: true
 serviceAccountName: {{ $serviceAccountName }}
diff --git a/mariadb/templates/deployment-ingress.yaml b/mariadb/templates/deployment-ingress.yaml
index 4d015ad2b..94cb76cf7 100644
--- a/mariadb/templates/deployment-ingress.yaml
+++ b/mariadb/templates/deployment-ingress.yaml
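Review bot: The `containerNames` list on the added line names only `ingress-error-pages`, so any init or sidecar container in this pod template gets no explicit AppArmor annotation and is left to whatever the container runtime applies on its own; the deployment-ingress.yaml (`ingress`) and statefulset.yaml (`mariadb`) hunks pass the same kind of single-name list. The container definitions lie outside all three hunks, so please confirm that each listed name matches a `name:` under `containers:` exactly, because the annotation is keyed by container name and a mismatch would presumably leave the intended container unannotated or get the pod rejected at validation. If these pods do run init containers, extend the list, e.g. `"containerNames" (list "<init-container-name>" "ingress-error-pages")`, with a matching `<init-container-name>: runtime/default` entry in the override file. A template comment above the include such as `{{- /* AppArmor: keep containerNames in sync with the containers defined in this pod spec */}}` would make that coupling visible to the next editor.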
@@ -139,6 +139,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-etc-hash: {{ tuple "configmap-ingress-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "mariadb-ingress" "containerNames" (list "ingress") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 shareProcessNamespace: true
 serviceAccountName: {{ $serviceAccountName }}
diff --git a/mariadb/templates/statefulset.yaml b/mariadb/templates/statefulset.yaml
index 0f6f81d13..e31d4ac51 100644
--- a/mariadb/templates/statefulset.yaml
+++ b/mariadb/templates/statefulset.yaml
@@ -101,6 +101,7 @@ spec:
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 mariadb-dbadmin-password-hash: {{ tuple "secret-dbadmin-password.yaml" . | include "helm-toolkit.utils.hash" }}
 mariadb-sst-password-hash: {{ tuple "secret-dbadmin-password.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "mariadb-server" "containerNames" (list "mariadb") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 shareProcessNamespace: true
 serviceAccountName: {{ $serviceAccountName }}
diff --git a/mariadb/values_overrides/apparmor.yaml b/mariadb/values_overrides/apparmor.yaml
new file mode 100644
index 000000000..a73f65b09
--- /dev/null
+++ b/mariadb/values_overrides/apparmor.yaml
@@ -0,0 +1,9 @@
+pod:
+ mandatory_access_control:
+ type: apparmor
+ mariadb-ingress-error-pages:
+ ingress-error-pages: runtime/default
+ mariadb-ingress:
+ ingress: runtime/default
+ mariadb-server:
+ mariadb: runtime/default
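Review bot: The new mariadb/values_overrides/apparmor.yaml has no header comment saying that it is opt-in or what it needs from the cluster. As far as this patch shows, the three templates only have profile values to render when this `pod.mandatory_access_control` block is supplied, so a default install stays without the annotations. I would add at the top something like `# Opt-in override: pins each listed container to the runtime's default AppArmor profile; target nodes must have AppArmor enabled, otherwise annotated pods are expected to fail to start.` The pod and container keys must stay identical to the `podName`/`containerNames` strings passed in the templates, which is worth stating in the same comment, since nothing in this file alone catches a typo. Also note that `type` shares a mapping level with the pod names, so a pod key called `type` would collide with it.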