From 5ad45700f4a3287d7f55a6f5d75777b3ae744030 Mon Sep 17 00:00:00 2001
From: RAHUL KHIYANI <rk0850@att.com>
Date: Wed, 12 Jun 2019 10:38:01 -0500
Subject: [PATCH] Barbican: Add security context to chart and read-only-fs

This PS adds the helm-toolkit security context macros to the barbican api
deployment and, by default, runs the barbican-api container with a read-only
root filesystem and privilege escalation disabled.

Change-Id: I2dad0a50b23f2d202d6cd89b96d308321001fbe9
---
 barbican/templates/deployment-api.yaml | 4 ++--
 barbican/values.yaml                   | 9 +++++++--
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/barbican/templates/deployment-api.yaml b/barbican/templates/deployment-api.yaml
index 1b1a5f4e14..79474d6898 100644
--- a/barbican/templates/deployment-api.yaml
+++ b/barbican/templates/deployment-api.yaml
@@ -46,6 +46,7 @@ spec:
         configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
         configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
     spec:
+{{ dict "envAll" $envAll "application" "barbican" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       serviceAccountName: {{ $serviceAccountName }}
       affinity:
 {{ tuple $envAll "barbican" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
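Review bot: The pod-level block this macro renders is fed only `runAsUser: 42424` from values, so nothing prevents an operator override (or a values typo) from landing the whole pod back on uid 0. Add `runAsNonRoot: true` next to `runAsUser` under `pod.security_context.barbican.pod` so the kubelet refuses to start any container in the pod as root regardless of the uid supplied. Because this block sits at pod level it also governs any init containers in this spec, which are outside the hunk; confirm they tolerate running as the non-root uid.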
@@ -57,8 +58,7 @@ spec:
         - name: barbican-api
 {{ tuple $envAll "barbican_api" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-          securityContext:
-            runAsUser: {{ .Values.pod.user.barbican.uid }}
+{{ dict "envAll" $envAll "application" "barbican" "container" "barbican_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
           command:
             - /tmp/barbican.sh
             - start
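Review bot: The container now defaults to `readOnlyRootFilesystem: true` while its entrypoint is `/tmp/barbican.sh`, so the script itself and anything barbican writes at runtime (pid files, log or state directories) must live on a mounted volume or the process will fail on first write. The container's volume mounts are outside this hunk; confirm that `/tmp` is a volume mount (the bin configmap referenced in the hash annotation suggests it is) and that every directory barbican writes to has an `emptyDir` mount, otherwise the api pod will crash-loop with the new default. Recording the constraint inline would help the next person who adds a container, e.g. `{{- /* rootfs is read-only: every writable path must be a volume mount */ -}}` above the container security context macro.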
diff --git a/barbican/values.yaml b/barbican/values.yaml
index 09210a4c72..bd8b6e09b3 100644
--- a/barbican/values.yaml
+++ b/barbican/values.yaml
@@ -50,9 +50,14 @@ images:
       - image_repo_sync
 
 pod:
-  user:
+  security_context:
     barbican:
-      uid: 42424
+      pod:
+        runAsUser: 42424
+      container:
+        barbican_api:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
   affinity:
     anti:
       type:
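Review bot: Dropping `pod.user.barbican.uid` is a breaking values change, and the diffstat shows only `deployment-api.yaml` being migrated, so any other template in the chart that still reads `.Values.pod.user.barbican.uid` (jobs or the test pod, if they set `runAsUser` the way the api deployment did) would now render an empty `runAsUser`. Either grep the chart for the old key and move those templates to the new macro in the same change, or keep `pod.user.barbican.uid: 42424` alongside the new `security_context` block for one release so external overrides of the old key keep working. Note also that only `container.barbican_api` gets the hardened defaults; any other container in this pod receives just the pod-level `runAsUser`.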