From e1c9a352303cd98be11d8936be76f196b85198d9 Mon Sep 17 00:00:00 2001 From: RAHUL KHIYANI Date: Mon, 22 Apr 2019 17:27:17 -0500 Subject: [PATCH] Grafana: Add security context to chart and read-only-fs This PS adds the security context macros to the grafana chart, and moves the default to read-only-rootfs for all containers Change-Id: Ie79e3bfc6af07b16cd53eddae17eceac3d9f8613 --- grafana/templates/deployment.yaml | 4 +-- grafana/templates/job-db-init-session.yaml | 2 ++ grafana/templates/job-db-init.yaml | 2 ++ grafana/templates/job-db-session-sync.yaml | 2 ++ grafana/templates/job-set-admin-user.yaml | 4 +-- grafana/templates/pod-helm-tests.yaml | 2 ++ grafana/values.yaml | 33 +++++++++++++++++++++- 7 files changed, 44 insertions(+), 5 deletions(-) diff --git a/grafana/templates/deployment.yaml b/grafana/templates/deployment.yaml index 6e92f6ef26..1040dc99a8 100644 --- a/grafana/templates/deployment.yaml +++ b/grafana/templates/deployment.yaml @@ -45,7 +45,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: -{{ dict "envAll" $envAll "application" "grafana" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} +{{ dict "envAll" $envAll "application" "dashboard" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} serviceAccountName: {{ $serviceAccountName }} nodeSelector: {{ .Values.labels.grafana.node_selector_key }}: {{ .Values.labels.grafana.node_selector_value | quote }} 
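Review bot: Renaming the lookup key from `grafana` to `dashboard` on the changed line means any existing values override that sets `pod.security_context.grafana` no longer matches, and if the helm-toolkit snippet renders nothing for a key it cannot find (its values-driven design suggests so, though the snippet is outside this diff), the pod would silently lose `runAsUser: 104` instead of failing at render time. The commit message should call out the key rename as a breaking change for override files, or the old key should be honoured for one release. A comment in values.yaml above the new stanza, `# Key renamed from "grafana"; site overrides must use "dashboard"`, would make the change visible to operators. The container snippet in the following hunk is renamed the same way.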
@@ -55,7 +55,7 @@ spec: - name: grafana {{ tuple $envAll "grafana" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.grafana | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} -{{ dict "envAll" $envAll "application" "grafana" "container" "grafana" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} +{{ dict "envAll" $envAll "application" "dashboard" "container" "grafana" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} command: - /tmp/grafana.sh - start diff --git a/grafana/templates/job-db-init-session.yaml b/grafana/templates/job-db-init-session.yaml index 3da57de84d..e22be23878 100644 --- a/grafana/templates/job-db-init-session.yaml +++ b/grafana/templates/job-db-init-session.yaml @@ -32,6 +32,7 @@ spec: labels: {{ tuple $envAll "grafana" "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: +{{ dict "envAll" $envAll "application" "db_init" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: @@ -42,6 +43,7 @@ spec: - name: grafana-db-init-session {{ tuple $envAll "db_init" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.jobs.db_init_session | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ dict "envAll" $envAll "application" "db_init" "container" "grafana_db_init_session" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} env: - name: ROOT_DB_CONNECTION valueFrom: diff --git a/grafana/templates/job-db-init.yaml b/grafana/templates/job-db-init.yaml index bc8523a86b..e976b8dfe0 100644 --- a/grafana/templates/job-db-init.yaml +++ b/grafana/templates/job-db-init.yaml 
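Review bot: The pod-level `runAsUser: 104` that the added `db_init` lookup resolves to in values.yaml is the UID used for the grafana container, but this job runs the `db_init` image (see the image snippet in the next hunk), where UID 104 may not exist in /etc/passwd. Client tools invoked by the init script can fail or pick an unexpected default user when the effective UID has no passwd entry, so confirm that the db_init image tolerates an unnamed UID or choose a UID known to that image. A comment beside the `db_init` stanza in values.yaml, `# shared by job-db-init and job-db-init-session; UID must be valid for the db_init image, not only the grafana image`, would record that assumption for the next person changing the image.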
@@ -32,6 +32,7 @@ spec: labels: {{ tuple $envAll "grafana" "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: +{{ dict "envAll" $envAll "application" "db_init" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: @@ -42,6 +43,7 @@ spec: - name: grafana-db-init {{ tuple $envAll "db_init" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.jobs.db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ dict "envAll" $envAll "application" "db_init" "container" "grafana_db_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} env: - name: ROOT_DB_CONNECTION valueFrom: diff --git a/grafana/templates/job-db-session-sync.yaml b/grafana/templates/job-db-session-sync.yaml index 2e48322350..5db8e15249 100644 --- a/grafana/templates/job-db-session-sync.yaml +++ b/grafana/templates/job-db-session-sync.yaml @@ -32,6 +32,7 @@ spec: labels: {{ tuple $envAll "grafana" "db-session-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: +{{ dict "envAll" $envAll "application" "db_session_sync" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: @@ -42,6 +43,7 @@ spec: - name: grafana-db-session-sync {{ tuple $envAll "grafana_db_session_sync" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.jobs.db_session_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ dict "envAll" $envAll "application" "db-session-sync" "container" "grafana_db_session_sync" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} env: - name: DB_CONNECTION valueFrom: 
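Review bot: The container snippet on the added line looks up `"application" "db-session-sync"` (hyphen) while the pod snippet in the previous hunk and the new values.yaml stanza use `db_session_sync` (underscore), so the container lookup cannot find its entry. If the helm-toolkit snippet renders nothing for an unknown key rather than failing, this container would be deployed with no `securityContext` at all, neither `allowPrivilegeEscalation: false` nor `readOnlyRootFilesystem: true`, which is the opposite of what the change intends. Change the line to `{{ dict "envAll" $envAll "application" "db_session_sync" "container" "grafana_db_session_sync" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}` and consider a `helm template` check in CI that asserts every rendered container carries a securityContext.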
diff --git a/grafana/templates/job-set-admin-user.yaml b/grafana/templates/job-set-admin-user.yaml index ad39a184e9..a162cb1e9a 100644 --- a/grafana/templates/job-set-admin-user.yaml +++ b/grafana/templates/job-set-admin-user.yaml @@ -32,6 +32,7 @@ spec: labels: {{ tuple $envAll "grafana" "set-admin-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: +{{ dict "envAll" $envAll "application" "set_admin_user" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: @@ -42,8 +43,7 @@ spec: - name: grafana-set-admin-password {{ tuple $envAll "grafana" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.set_admin_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} - securityContext: - allowPrivilegeEscalation: false +{{ dict "envAll" $envAll "application" "set_admin_user" "container" "grafana_set_admin_password" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} command: - /tmp/set-admin-password.sh env: diff --git a/grafana/templates/pod-helm-tests.yaml b/grafana/templates/pod-helm-tests.yaml index da7fe85e55..9a1188b56c 100644 --- a/grafana/templates/pod-helm-tests.yaml +++ b/grafana/templates/pod-helm-tests.yaml @@ -31,6 +31,7 @@ metadata: "helm.sh/hook": test-success {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }} spec: +{{ dict "envAll" $envAll "application" "test" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }} serviceAccountName: {{ $serviceAccountName }} nodeSelector: {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }} 
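Review bot: This container previously had `allowPrivilegeEscalation: false` hard-coded in the template; after the removed lines it depends entirely on the values.yaml entry at `pod.security_context.set_admin_user.container.grafana_set_admin_password`, so an override that omits or misnames that key would silently remove the protection if the snippet renders nothing for a missing key, rather than keeping a safe floor. The values entry also newly enables `readOnlyRootFilesystem: true` for a container that runs `/tmp/set-admin-password.sh`; if that script writes anywhere outside mounted volumes (for example Grafana data or plugin directories via grafana-cli), the job will now fail, so verify it against the script, which is outside this diff. A short comment above the snippet line, `# security context is sourced from values: pod.security_context.set_admin_user`, would make the dependency visible to anyone editing overrides.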
@@ -41,6 +42,7 @@ spec: - name: {{.Release.Name}}-helm-tests {{ tuple $envAll "helm_tests" | include "helm-toolkit.snippets.image" | indent 6 }} {{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }} +{{ dict "envAll" $envAll "application" "test" "container" "helm_tests" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }} command: - /tmp/helm-tests.sh env: diff --git a/grafana/values.yaml b/grafana/values.yaml index 274740940e..47b58e9a09 100644 --- a/grafana/values.yaml +++ b/grafana/values.yaml @@ -44,13 +44,44 @@ labels: pod: security_context: - grafana: + dashboard: pod: runAsUser: 104 container: grafana: allowPrivilegeEscalation: false readOnlyRootFilesystem: true + db_init: + pod: + runAsUser: 104 + container: + grafana_db_init_session: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + grafana_db_init: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + db_session_sync: + pod: + runAsUser: 104 + container: + grafana_db_session_sync: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + set_admin_user: + pod: + runAsUser: 104 + container: + grafana_set_admin_password: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + test: + pod: + runAsUser: 104 + container: + helm_tests: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true affinity: anti: type:
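Review bot: Every container entry in the new stanzas sets only `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true`; none drops Linux capabilities, so each container keeps the runtime's default capability set. Since all of them run as UID 104 and, as far as this diff shows, the jobs only run scripts while Grafana serves HTTP, adding `capabilities: drop: [ALL]` to each container and `runAsNonRoot: true` beside `runAsUser` (so an override cannot reintroduce root unnoticed) would tighten the baseline at no functional cost, assuming Grafana binds an unprivileged port, which should be confirmed. If any container does need a capability, add it back explicitly under `add:` rather than leaving the default set. The `dashboard` entry is shown below; the same additions apply to the other five stanzas.

```yaml
pod:
  security_context:
    dashboard:
      pod:
        runAsUser: 104
        runAsNonRoot: true
      container:
        grafana:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop:
              - ALL
    # … db_init, db_session_sync, set_admin_user, test: same runAsNonRoot and capabilities additions …
```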