From b1900bbfc23ab3dde512240b6a384254babeb4b3 Mon Sep 17 00:00:00 2001
From: RAHUL KHIYANI
Date: Tue, 23 Apr 2019 02:13:01 -0500
Subject: [PATCH] Ceph-provisioners: Fix security context

This PS fixes the use of the security context macros for the ceph-provisioners chart

Change-Id: Iddeb643139f2e7798282e67e319f38d3a22cd10d
---
.../deployment-cephfs-provisioner.yaml | 4 +--
.../templates/deployment-rbd-provisioner.yaml | 4 +--
.../templates/job-bootstrap.yaml | 2 ++
.../templates/job-cephfs-client-key.yaml | 2 ++
.../job-namespace-client-key-cleaner.yaml | 2 ++
.../templates/job-namespace-client-key.yaml | 2 ++
ceph-provisioners/values.yaml | 30 +++++++++++++++++--
7 files changed, 39 insertions(+), 7 deletions(-)

diff --git a/ceph-provisioners/templates/deployment-cephfs-provisioner.yaml b/ceph-provisioners/templates/deployment-cephfs-provisioner.yaml
index ffbf6288f..1566e1ad8 100644
--- a/ceph-provisioners/templates/deployment-cephfs-provisioner.yaml
+++ b/ceph-provisioners/templates/deployment-cephfs-provisioner.yaml
@@ -149,7 +149,7 @@ spec:
 annotations:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 spec:
-{{ dict "envAll" $envAll "application" "cephfs" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+{{ dict "envAll" $envAll "application" "provisioner" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
 affinity:
 {{ tuple $envAll "cephfs" "provisioner" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
@@ -161,7 +161,7 @@ spec:
 - name: ceph-cephfs-provisioner
 {{ tuple $envAll "ceph_cephfs_provisioner" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.cephfs_provisioner | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-{{ dict "envAll" $envAll "application" "cephfs" "container" "ceph_cephfs_provisioner" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{ dict "envAll" $envAll "application" "provisioner" "container" "ceph_cephfs_provisioner" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 env:
 - name: PROVISIONER_NAME
 value: {{ .Values.storageclass.cephfs.provisioner }}
diff --git a/ceph-provisioners/templates/deployment-rbd-provisioner.yaml b/ceph-provisioners/templates/deployment-rbd-provisioner.yaml
index 08727fea9..f72769689 100644
--- a/ceph-provisioners/templates/deployment-rbd-provisioner.yaml
+++ b/ceph-provisioners/templates/deployment-rbd-provisioner.yaml
@@ -139,7 +139,7 @@ spec:
 annotations:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 spec:
-{{ dict "envAll" $envAll "application" "rbd" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+{{ dict "envAll" $envAll "application" "provisioner" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
 affinity:
 {{ tuple $envAll "rbd" "provisioner" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
@@ -151,7 +151,7 @@ spec:
 - name: ceph-rbd-provisioner
 {{ tuple $envAll "ceph_rbd_provisioner" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.rbd_provisioner | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-{{ dict "envAll" $envAll "application" "rbd" "container" "ceph_rbd_provisioner" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{ dict "envAll" $envAll "application" "provisioner" "container" "ceph_rbd_provisioner" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 env:
 - name: PROVISIONER_NAME
 value: {{ .Values.storageclass.rbd.provisioner }}
diff --git a/ceph-provisioners/templates/job-bootstrap.yaml b/ceph-provisioners/templates/job-bootstrap.yaml
index 6542de05d..41bb607ae 100644
--- a/ceph-provisioners/templates/job-bootstrap.yaml
+++ b/ceph-provisioners/templates/job-bootstrap.yaml
@@ -32,6 +32,7 @@ spec:
 labels:
 {{ tuple $envAll "ceph" "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 spec:
+{{ dict "envAll" $envAll "application" "bootstrap" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
 restartPolicy: OnFailure
 nodeSelector:
@@ -42,6 +43,7 @@ spec:
 - name: ceph-client-bootstrap
 {{ tuple $envAll "ceph_bootstrap" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "bootstrap" "container" "ceph_client_bootstrap" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command:
 - /tmp/bootstrap.sh
 volumeMounts:
diff --git a/ceph-provisioners/templates/job-cephfs-client-key.yaml b/ceph-provisioners/templates/job-cephfs-client-key.yaml
index 2c01f268b..7f689aa86 100644
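Review bot: The container context added to ceph-client-bootstrap here resolves, via the new `bootstrap` entry in values.yaml, to `readOnlyRootFilesystem: true` and a pod `runAsUser: 99`, so any write that `/tmp/bootstrap.sh` makes outside a mounted volume will now fail and any keyring or secret volume mounted with a restrictive `defaultMode` becomes unreadable to uid 99. The container's `volumeMounts:` list continues past the end of the hunk, so I cannot confirm from here that every path the script writes (presumably `/etc/ceph` and `/tmp`) is backed by an emptyDir or similar mount; please verify by running the job once with the new context rather than relying on a clean `helm template`. The same point applies to the ceph_config_helper containers in job-cephfs-client-key.yaml, job-namespace-client-key-cleaner.yaml and job-namespace-client-key.yaml, which receive identical settings in this patch. If a path genuinely must stay writable, the per-container entry in values.yaml is the place to relax `readOnlyRootFilesystem`, not the template.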
--- a/ceph-provisioners/templates/job-cephfs-client-key.yaml
+++ b/ceph-provisioners/templates/job-cephfs-client-key.yaml
@@ -90,6 +90,7 @@ spec:
 labels:
 {{ tuple $envAll "ceph" "cephfs-client-key-generator" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 spec:
+{{ dict "envAll" $envAll "application" "cephfs_client_key_generator" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
 restartPolicy: OnFailure
 nodeSelector:
@@ -100,6 +101,7 @@ spec:
 - name: ceph-storage-keys-generator
 {{ tuple $envAll "ceph_config_helper" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.secret_provisioning | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "cephfs_client_key_generator" "container" "ceph_storage_keys_generator" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 env:
 - name: DEPLOYMENT_NAMESPACE
 valueFrom:
diff --git a/ceph-provisioners/templates/job-namespace-client-key-cleaner.yaml b/ceph-provisioners/templates/job-namespace-client-key-cleaner.yaml
index f4cca89f8..ac65d7b1a 100644
--- a/ceph-provisioners/templates/job-namespace-client-key-cleaner.yaml
+++ b/ceph-provisioners/templates/job-namespace-client-key-cleaner.yaml
@@ -61,6 +61,7 @@ spec:
 labels:
 {{ tuple $envAll "ceph" "client-key-cleaner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 spec:
+{{ dict "envAll" $envAll "application" "client_key_cleaner" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
 restartPolicy: OnFailure
 nodeSelector:
@@ -71,6 +72,7 @@ spec:
 - name: ceph-namespace-client-keys-cleaner
 {{ tuple $envAll "ceph_config_helper" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.secret_provisioning | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "client_key_cleaner" "container" "ceph_namespace_client_keys_cleaner" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 env:
 - name: DEPLOYMENT_NAMESPACE
 valueFrom:
diff --git a/ceph-provisioners/templates/job-namespace-client-key.yaml b/ceph-provisioners/templates/job-namespace-client-key.yaml
index 6c1eda5f2..3863c8928 100644
--- a/ceph-provisioners/templates/job-namespace-client-key.yaml
+++ b/ceph-provisioners/templates/job-namespace-client-key.yaml
@@ -88,6 +88,7 @@ spec:
 labels:
 {{ tuple $envAll "ceph" "client-key-generator" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 spec:
+{{ dict "envAll" $envAll "application" "client_key_generator" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
 restartPolicy: OnFailure
 nodeSelector:
@@ -98,6 +99,7 @@ spec:
 - name: ceph-storage-keys-generator
 {{ tuple $envAll "ceph_config_helper" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.secret_provisioning | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "client_key_generator" "container" "ceph_storage_keys_generator" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 env:
 - name: DEPLOYMENT_NAMESPACE
 valueFrom:
diff --git a/ceph-provisioners/values.yaml b/ceph-provisioners/values.yaml
index 9268f0602..10c686fcb 100644
--- a/ceph-provisioners/values.yaml
+++ b/ceph-provisioners/values.yaml
@@ -50,18 +50,42 @@ labels:
 pod:
 security_context:
- cephfs:
+ provisioner:
 pod:
 runAsUser: 99
 container:
 ceph_cephfs_provisioner:
 allowPrivilegeEscalation: false
 readOnlyRootFilesystem: true
- rbd:
+ ceph_rbd_provisioner:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ bootstrap:
 pod:
 runAsUser: 99
 container:
- ceph_rbd_provisioner:
+ ceph_client_bootstrap:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ cephfs_client_key_generator:
+ pod:
+ runAsUser: 99
+ container:
+ ceph_storage_keys_generator:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ client_key_cleaner:
+ pod:
+ runAsUser: 99
+ container:
+ ceph_namespace_client_keys_cleaner:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ client_key_generator:
+ pod:
+ runAsUser: 99
+ container:
+ ceph_storage_keys_generator:
 allowPrivilegeEscalation: false
 readOnlyRootFilesystem: true
 dns_policy: "ClusterFirstWithHostNet"
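Review bot: Removing the `cephfs` and `rbd` application keys under `pod.security_context` means an operator override file that still sets `pod.security_context.cephfs` or `pod.security_context.rbd` is merged without any error and simply never read by the macros, so a site that had tightened or relaxed those contexts silently falls back to these chart defaults on upgrade; the commit message does not mention this, and a line there or in a release note would save operators a surprise. The `runAsUser: 99` value is now repeated five times with no indication of what the uid is or which image is expected to provide it; a comment at the first occurrence such as `# 99: unprivileged uid the ceph images are expected to carry — confirm against the image` would help the next maintainer. Note also that `readOnlyRootFilesystem: true` is applied to the four job containers for the first time by this patch, so the upgrade changes the runtime behaviour of the jobs and not only of the two provisioner deployments.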