From aaeb0b1abbe87fef50c2012119bb3d74706f7216 Mon Sep 17 00:00:00 2001
From: diwakar thyagaraj
Date: Tue, 5 May 2020 01:23:48 +0000
Subject: [PATCH] Enable Apparmor to Grafana Completed pods This also adds init containers.
Change-Id: Ia70db208a1583b9a44a32d9a3d485ca7dc8a3ce2
Signed-off-by: diwakar thyagaraj
---
 grafana/templates/deployment.yaml | 2 +-
 grafana/templates/job-add-home-dashboard.yaml | 4 ++++
 grafana/templates/job-db-init-session.yaml | 2 +-
 grafana/templates/job-db-init.yaml | 4 ++++
 grafana/templates/job-db-session-sync.yaml | 4 ++++
 grafana/templates/job-set-admin-user.yaml | 4 ++++
 grafana/values_overrides/apparmor.yaml | 14 ++++++++++++++
 7 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/grafana/templates/deployment.yaml b/grafana/templates/deployment.yaml
index b26451ffa2..f792e06ab4 100644
--- a/grafana/templates/deployment.yaml
+++ b/grafana/templates/deployment.yaml
@@ -43,7 +43,7 @@ spec:
 annotations:
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
-{{ dict "envAll" $envAll "podName" "grafana" "containerNames" (list "grafana") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "grafana" "containerNames" (list "grafana" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 {{ dict "envAll" $envAll "application" "dashboard" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
diff --git a/grafana/templates/job-add-home-dashboard.yaml b/grafana/templates/job-add-home-dashboard.yaml
index e874b7c477..ac191b3843 100644
--- a/grafana/templates/job-add-home-dashboard.yaml
+++ b/grafana/templates/job-add-home-dashboard.yaml
@@ -31,6 +31,10 @@ spec:
 metadata:
 labels:
 {{ tuple $envAll "grafana" "add_home_dashboard" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "grafana-add-home-dashboard" "containerNames" (list "add-home-dashboard" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 serviceAccountName: {{ $serviceAccountName }}
 restartPolicy: OnFailure
diff --git a/grafana/templates/job-db-init-session.yaml b/grafana/templates/job-db-init-session.yaml
index 68064da19b..26c9be38a6 100644
--- a/grafana/templates/job-db-init-session.yaml
+++ b/grafana/templates/job-db-init-session.yaml
@@ -34,7 +34,7 @@ spec:
 annotations:
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
-{{ dict "envAll" $envAll "podName" "grafana-db-init-session" "containerNames" (list "grafana-db-init-session") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "grafana-db-init-session" "containerNames" (list "grafana-db-init-session" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 {{ dict "envAll" $envAll "application" "db_init" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
diff --git a/grafana/templates/job-db-init.yaml b/grafana/templates/job-db-init.yaml
index e976b8dfe0..5f238137c9 100644
--- a/grafana/templates/job-db-init.yaml
+++ b/grafana/templates/job-db-init.yaml
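Review bot: The pod spec in job-add-home-dashboard.yaml still goes from `spec:` straight to `serviceAccountName`, with no `helm-toolkit.snippets.kubernetes_pod_security_context` include, while the db-init-session, db-init, db-session-sync and set-admin-user jobs in this patch all show one on the line after `spec:`. The AppArmor annotation added here covers the containers, but this job alone is left without whatever pod-level settings that snippet renders for its siblings. Consider adding `{{ dict "envAll" $envAll "application" "add_home_dashboard" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}` after `spec:`, together with a matching `pod.security_context` entry in the chart values; the application key is a suggestion and must match whatever that entry is named. The rest of the job spec lies outside the hunk, so container-level settings could not be checked.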
@@ -31,6 +31,10 @@ spec:
 metadata:
 labels:
 {{ tuple $envAll "grafana" "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "grafana-db-init" "containerNames" (list "grafana-db-init" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 {{ dict "envAll" $envAll "application" "db_init" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
diff --git a/grafana/templates/job-db-session-sync.yaml b/grafana/templates/job-db-session-sync.yaml
index 5db8e15249..a5be82f2b7 100644
--- a/grafana/templates/job-db-session-sync.yaml
+++ b/grafana/templates/job-db-session-sync.yaml
@@ -31,6 +31,10 @@ spec:
 metadata:
 labels:
 {{ tuple $envAll "grafana" "db-session-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "grafana-db-session-sync" "containerNames" (list "grafana-db-session-sync" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 {{ dict "envAll" $envAll "application" "db_session_sync" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
diff --git a/grafana/templates/job-set-admin-user.yaml b/grafana/templates/job-set-admin-user.yaml
index a162cb1e9a..0ae3420a60 100644
--- a/grafana/templates/job-set-admin-user.yaml
+++ b/grafana/templates/job-set-admin-user.yaml
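Review bot: The two `configmap-*-hash` annotations added to the Job pod template in job-db-init.yaml (and in the same way in job-add-home-dashboard.yaml, job-db-session-sync.yaml and job-set-admin-user.yaml) are not mentioned in the commit message and affect upgrade behaviour rather than AppArmor coverage. Kubernetes treats a Job's pod template as immutable, so once a configmap change alters these hashes, an in-place upgrade of an existing Job is rejected unless the deployment tooling deletes the Job first. job-db-init-session.yaml already carries the same annotations, so this may be the chart's intended pattern; if so, a template comment above them such as `{{/* hashes force the job to be recreated when scripts or config change */}}` would record that intent.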
@@ -31,6 +31,10 @@ spec:
 metadata:
 labels:
 {{ tuple $envAll "grafana" "set-admin-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "grafana-set-admin-user" "containerNames" (list "grafana-set-admin-password" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 {{ dict "envAll" $envAll "application" "set_admin_user" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
diff --git a/grafana/values_overrides/apparmor.yaml b/grafana/values_overrides/apparmor.yaml
index f73531d9fd..5de90355d6 100644
--- a/grafana/values_overrides/apparmor.yaml
+++ b/grafana/values_overrides/apparmor.yaml
@@ -3,5 +3,19 @@ pod:
 type: apparmor
 grafana:
 grafana: runtime/default
+ init: runtime/default
 grafana-db-init-session:
 grafana-db-init-session: runtime/default
+ init: runtime/default
+ grafana-add-home-dashboard:
+ add-home-dashboard: runtime/default
+ init: runtime/default
+ grafana-db-init:
+ grafana-db-init: runtime/default
+ init: runtime/default
+ grafana-db-session-sync:
+ grafana-db-session-sync: runtime/default
+ init: runtime/default
+ grafana-set-admin-user:
+ grafana-set-admin-password: runtime/default
+ init: runtime/default
\ No newline at end of file
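Review bot: The `containerNames` entries in job-set-admin-user.yaml are free-form literals, and the container is listed as `grafana-set-admin-password` while the pod name, labels and security-context key all say set-admin-user, so a mismatch with the container's `name:` field would be easy to miss. The container definitions are outside the hunk, so this patch alone does not confirm that `grafana-set-admin-password` and `init` are the names actually rendered; the same applies to `add-home-dashboard` in job-add-home-dashboard.yaml, the only entry without the `grafana-` prefix. An annotation keyed on a name that is not in the pod spec will not confine the intended container. A comment next to the snippet, e.g. `{{/* containerNames must match the container name fields below and the keys in values_overrides/apparmor.yaml */}}`, would make the coupling explicit.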
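Review bot: grafana/values_overrides/apparmor.yaml now ends without a trailing newline (`\ No newline at end of file` after the last `init: runtime/default`); the old last line appears as plain context, so the newline seems to have been lost in this change and should be restored. The keys added here also have to stay identical to the `podName` and `containerNames` literals in the six templates, and nothing in the file says so. A header comment such as `# <pod name>: <container name>: <AppArmor profile>; names must match podName/containerNames in templates/` would document that. The hunk starts at line 3, so the top of the file was not visible.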