From 598faeb8db3b70e466b8647c3b6cf592038c1e54 Mon Sep 17 00:00:00 2001
From: Cliff Parsons
Date: Fri, 26 Oct 2018 17:33:32 -0500
Subject: [PATCH] Make access control annotations more generic.
This patch takes into consideration that there could be multiple options for mandatory access control in a cluster. The previously defined Helm toolkit function for generating a MAC annotation can now be specified generically, like in this example: mandatory_access_control: type: apparmor glance-api: init: runtime/default glance-api: runtime/default glance-perms: runtime/default ceph-keyring-placement: runtime/default glance-registry: init: runtime/default glance-registry: runtime/default If no MAC is required, then the "type" can be set to null, and no annotation would be generated. The only MAC type supported at the moment is "apparmor".
Change-Id: I6b45533d73af82e8fff353b0ed9f29f0891f24f1
---
 ...etes_mandatory_access_control_annotation.tpl | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl b/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
index 8e1aec62e..d61359cb3 100644
--- a/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
+++ b/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
@@ -21,7 +21,8 @@ abstract: |
 annotation, but in the future could generate others.
 values: |
 pod:
- apparmor:
+ mandatory_access_control:
+ type: apparmor
 myPodName:
 myContainerName: localhost/myAppArmor
 mySecondContainerName: localhost/secondProfile # optional
@@ -40,12 +41,22 @@ note: |
 {{- $envAll := index . "envAll" -}}
 {{- $podName := index . "podName" -}}
 {{- $containerNames := index . "containerNames" -}}
-{{- if hasKey (index $envAll.Values.pod "apparmor") $podName -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- $macType := $envAll.Values.pod.mandatory_access_control.type -}}
+{{- if $macType -}}
+{{- if eq $macType "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control $podName -}}
 {{- range $name := $containerNames -}}
-{{- $apparmorProfile := index $envAll.Values.pod.apparmor $podName $name -}}
+{{- $apparmorProfile := index $envAll.Values.pod.mandatory_access_control $podName $name -}}
 {{- if $apparmorProfile }}
 container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile }}
 {{- end -}}
 {{- end -}}
 {{- end -}}
 {{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
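Review bot: Any `type` value other than the literal string "apparmor" is silently treated like `type: null` — the new `{{- if eq $macType "apparmor" -}}` branch has no `else`, so a typo such as `AppArmor` or a value for a not-yet-supported MAC renders a pod with no annotation and no error, indistinguishable from an intentional opt-out. Adding `{{- else -}}` and `{{- fail (printf "unsupported mandatory_access_control type: %s" $macType) -}}` immediately before the `{{- end -}}` that closes the `eq` check would make the chart fail at render time instead of quietly dropping the profile. The same silent no-op occurs when `$podName` is listed but has no entry for one of the `containerNames` (`index` yields an empty value and `{{- if $apparmorProfile }}` skips it); that behaviour predates this change but deserves a sentence in the `note:` block so operators know a missing key means "no annotation", not "default profile". The enclosing template definition begins above line 40, outside this hunk.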