From 831e14d03fc71acf2c82febc792e26e155ef8d39 Mon Sep 17 00:00:00 2001
From: "DODDA, PRATEEK REDDY (PD2839)" <pd2839@att.com>
Date: Tue, 30 Jun 2020 15:26:03 -0500
Subject: [PATCH] Add missing security context to Barbican test pods/containers

This updates the barbican chart to include the pod
security context on the pod template.

This also adds the container security context, setting the
readOnlyRootFilesystem flag to true.

Change-Id: Ibb85435c1fa9fe577bc7a14d97e0acaf9b9513a2
---
 barbican/templates/pod-test.yaml | 2 ++
 barbican/values.yaml             | 7 +++++++
 2 files changed, 9 insertions(+)

diff --git a/barbican/templates/pod-test.yaml b/barbican/templates/pod-test.yaml
index 2dd7f30fa0..314c3902fb 100644
--- a/barbican/templates/pod-test.yaml
+++ b/barbican/templates/pod-test.yaml
@@ -34,6 +34,7 @@ metadata:
 {{ dict "envAll" $envAll "podName" "barbican-test" "containerNames" (list "init" "barbican-test") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
 spec:
   serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "test" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
   nodeSelector:
     {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }}
   restartPolicy: Never
@@ -42,6 +43,7 @@ spec:
   containers:
     - name: barbican-test
 {{ tuple $envAll "scripted_test" | include "helm-toolkit.snippets.image" | indent 6 }}
+{{ dict "envAll" $envAll "application" "test" "container" "barbican_test" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
       env:
 {{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
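Review bot: The container security context added after the image include turns on `readOnlyRootFilesystem: true` for `barbican-test` (via values), so any write the scripted test makes to the container filesystem (temp files, caches, anything under $HOME) will now fail at runtime, and nothing in this hunk mounts a writable path. Confirm that the test pod's volume mounts already supply an emptyDir for whatever the test image writes, or render and run the test pod once with the flag before merging. The include is emitted at column 0 and relies on `indent 6` to land inside the container entry, so checking the output of `helm template` for this pod is worthwhile. The `containers` block continues past the end of the hunk.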
diff --git a/barbican/values.yaml b/barbican/values.yaml
index 42463f4f95..41183f1fb8 100644
--- a/barbican/values.yaml
+++ b/barbican/values.yaml
@@ -59,6 +59,13 @@ pod:
         barbican_api:
           allowPrivilegeEscalation: false
           readOnlyRootFilesystem: true
+    test:
+      pod:
+        runAsUser: 42424
+      container:
+        barbican_test:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
   affinity:
     anti:
       type:
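Review bot: The new `container:` map under `test:` only carries `barbican_test`, while the pod template's mandatory-access-control annotation (first hunk of pod-test.yaml) names two containers, `init` and `barbican-test`, so the init container appears to get no container-level security context from this change. If the entrypoint init-container snippet resolves its context from `.Values.pod.security_context.test.container.init` (presumably, as in other helm-toolkit charts — confirm), adding `init:` beside `barbican_test:` with `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true` would cover it. The `pod:` stanza that this hunk extends begins above the hunk, so the sibling application blocks it should match are not fully visible here.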