From 9cfb1f8509a2bb6b46b9727695041931aaf326ed Mon Sep 17 00:00:00 2001
From: "KHIYANI, RAHUL (rk0850)"
Date: Wed, 15 Jul 2020 21:04:42 -0500
Subject: [PATCH] Add missing security-context for elasticsearch-data and elasticsearch-master

This also implements security-context template to add readOnly-fs flag

Change-Id: Iaeea66dad34a2616c0620eafacc53574ed79a7b5
---
 elasticsearch/templates/statefulset-data.yaml | 3 +--
 elasticsearch/templates/statefulset-master.yaml | 3 +--
 elasticsearch/values.yaml | 4 ++++
 3 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/elasticsearch/templates/statefulset-data.yaml b/elasticsearch/templates/statefulset-data.yaml
index ac5f769c0..41c0a447f 100644
--- a/elasticsearch/templates/statefulset-data.yaml
+++ b/elasticsearch/templates/statefulset-data.yaml
@@ -69,8 +69,7 @@ spec:
 - name: elasticsearch-perms
 {{ tuple $envAll "elasticsearch" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.prometheus | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- runAsUser: 0
+{{ dict "envAll" $envAll "application" "data" "container" "elasticsearch_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command:
 - chown
 - -R
diff --git a/elasticsearch/templates/statefulset-master.yaml b/elasticsearch/templates/statefulset-master.yaml
index 34a208cdd..3530627d7 100644
--- a/elasticsearch/templates/statefulset-master.yaml
+++ b/elasticsearch/templates/statefulset-master.yaml
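Review bot: The removed `securityContext:` / `runAsUser: 0` pair was the only line on the `elasticsearch-perms` init container that pinned it to root, and the `chown -R` command that follows still needs root (or at least CAP_CHOWN) to do its job. After this change the UID comes from the pod-level security context or the image default, neither of which is visible here, because the `elasticsearch_perms` values added later in this patch carry only `readOnlyRootFilesystem: true`. If the previous behaviour is intended, state it in values.yaml with `runAsUser: 0` under `elasticsearch_perms`, so the root requirement is explicit and reviewable rather than inherited. The same applies to the identical hunk in statefulset-master.yaml; the container definition continues outside both hunks.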
@@ -68,8 +68,7 @@ spec:
 - name: elasticsearch-perms
 {{ tuple $envAll "elasticsearch" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.prometheus | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- runAsUser: 0
+{{ dict "envAll" $envAll "application" "master" "container" "elasticsearch_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command:
 - chown
 - -R
diff --git a/elasticsearch/values.yaml b/elasticsearch/values.yaml
index 3c29efcd2..9c5469cdc 100644
--- a/elasticsearch/values.yaml
+++ b/elasticsearch/values.yaml
@@ -185,6 +185,8 @@ pod:
 memory_map_increase:
 privileged: true
 readOnlyRootFilesystem: true
+ elasticsearch_perms:
+ readOnlyRootFilesystem: true
 elasticsearch_master:
 privileged: true
 capabilities:
@@ -217,6 +219,8 @@ pod:
 memory_map_increase:
 privileged: true
 readOnlyRootFilesystem: true
+ elasticsearch_perms:
+ readOnlyRootFilesystem: true
 elasticsearch_data:
 privileged: true
 capabilities:
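Review bot: The new `elasticsearch_perms` entry hardens only the root filesystem, although the container it configures exists to run a recursive `chown` and would benefit from a privilege bound as well. Adding `allowPrivilegeEscalation: false` next to `readOnlyRootFilesystem: true` is a low-risk start, and a `capabilities:` block that drops ALL and adds back only CHOWN would narrow it further. The sibling `elasticsearch_master` entry in this hunk already carries `capabilities:`, which suggests the helm-toolkit snippet renders such keys, though its definition is not shown here. Depending on the existing ownership of the data path the chown may also need DAC_OVERRIDE or FOWNER, so test before narrowing. The same applies to the second values.yaml hunk at `@@ -217,6 +219,8 @@`.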