Use NFS PersistentVolume for asset-manager clamav for compliance with…
… PSS restricted

Description:
- PSS restricted doesn't allow volume types of `nfs` (see [here](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted)) but does allow us to use a `PersistentVolume` of type NFS
- Add some additional annotations onto Licensify `PersistentVolume` and `PersistentVolumeClaim`
- As part of #1883
nimalank7 committed Jan 17, 2025
1 parent d138532 commit 96f80a0
Showing 10 changed files with 52 additions and 10 deletions.
1 change: 0 additions & 1 deletion charts/app-config/values-integration.yaml
Expand Up @@ -1510,7 +1510,6 @@ govukApplications:

- name: licensify
chartPath: charts/licensify
namespace: licensify
imageValues:
- "licensify-admin"
- "licensify-backend"
1 change: 0 additions & 1 deletion charts/app-config/values-production.yaml
Expand Up @@ -1544,7 +1544,6 @@ govukApplications:

- name: licensify
chartPath: charts/licensify
namespace: licensify
imageValues:
- "licensify-admin"
- "licensify-backend"
1 change: 0 additions & 1 deletion charts/app-config/values-staging.yaml
Expand Up @@ -1564,7 +1564,6 @@ govukApplications:

- name: licensify
chartPath: charts/licensify
namespace: licensify
imageValues:
- "licensify-admin"
- "licensify-backend"
5 changes: 2 additions & 3 deletions charts/asset-manager/templates/_freshclam_podspec.yaml
Expand Up @@ -37,9 +37,8 @@ spec:
readOnlyRootFilesystem: true
volumes:
- name: clam-virus-db
nfs:
server: "{{ .Values.assetManagerNFS }}"
path: /clamav-db
persistentVolumeClaim:
claimName: { { include "licensify.name" . } }-{{ .Values.appName }}-db
- name: etc-clamav
configMap:
name: {{ $fullName }}-etc-clamav
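Review bot: The new `claimName` does not name the claim this commit creates: `{ { include "licensify.name" . } }` has a space inside the braces, so it is not a template action and reaches the YAML parser as a flow mapping, and `licensify.name` / `.Values.appName` belong to the licensify chart, whereas the PVC added in clamav-pvc.yaml is named `{{ $fullName }}-freshclam-db`. Use the asset-manager name consistently, `claimName: {{ $fullName }}-freshclam-db`, since `$fullName` is already in scope here (the `etc-clamav` configMap line uses it). The same `claimName` line appears in the worker-deployment.yaml hunk. The enclosing `volumes` list continues outside the hunk.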
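--- /dev/null
+++ b/charts/asset-manager/templates/clamav-pv.yaml
@@ -0,0 +1,21 @@
+{{- define "asset-manager.freshclam.podspec" }}
+{{- $fullName := include "asset-manager.fullname" . }}
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+name: {{ $fullName }}-freshclam-db
+labels:
+{{- include "asset-manager.labels" . | nindent 4 }}
+app: {{ .Values.fullName }}
+app.kubernetes.io/name: {{ .Values.fullName }}-freshclam-db
+app.kubernetes.io/component: {{ .Values.fullName }}-freshclam-db #V Verify this
+spec:
+capacity:
+storage: {{ .Values.nfs.storage }}
+accessModes:
+- ReadWriteOnce
+persistentVolumeReclaimPolicy: Retain
+nfs:
+server: "{{ .Values.assetManagerNFS }}"
+path: /clamav-db
+readOnly: true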
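Review bot: The first two lines, `{{- define "asset-manager.freshclam.podspec" }}` and the `$fullName` assignment, look copied from the podspec partial: the file has no matching `{{- end }}`, so the chart will not render, and once closed the manifest would sit inside a named template that emits nothing on its own and redefines the existing freshclam podspec name. Drop the `define` line and keep only `{{- $fullName := include "asset-manager.fullname" . }}` at the top; clamav-pvc.yaml starts with the same two lines. The labels then mix `{{ .Values.fullName }}` with `$fullName` — the PVC uses `$fullName`, and the values.yaml hunk shows no `fullName` key — so `app: {{ $fullName }}-freshclam` and the two `app.kubernetes.io/*` labels built from `$fullName` are the consistent form. `readOnly: true` at PV level applies to every consumer, including the freshclam pod that maintains this database, which the old podspec mounted without `readOnly`; the `#V Verify this` comment should be resolved or turned into a `# TODO:` with the open question before merge.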
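--- /dev/null
+++ b/charts/asset-manager/templates/clamav-pvc.yaml
@@ -0,0 +1,21 @@
+{{- define "asset-manager.freshclam.podspec" }}
+{{- $fullName := include "asset-manager.fullname" . }}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+name: {{ $fullName }}-freshclam-db
+labels:
+{{- include "asset-manager.labels" . | nindent 4 }}
+app: {{ $fullName }}-freshclam
+app.kubernetes.io/name: {{ $fullName }}-freshclam-db # Verify this
+app.kubernetes.io/component: {{ $fullName }}-freshclam-db # Verify this
+spec:
+storageClassName: ""
+accessModes:
+- ReadWriteOnce
+resources:
+requests:
+storage: {{ .Values.nfs.storage }}
+selector:
+matchLabels:
+{{- include "asset-manager.selectorLabels" . | nindent 6 }}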
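Review bot: `selector.matchLabels` selects on `asset-manager.selectorLabels`, but the PV in clamav-pv.yaml overrides `app.kubernetes.io/name` with a `…-freshclam-db` value after its `asset-manager.labels` include; if that include already emits `app.kubernetes.io/name` (the usual selectorLabels convention, not visible here) the rendered PV carries a duplicate key, the last value wins, and this claim never binds. Either leave the included labels untouched on the PV or add one dedicated label to both objects and select on that alone. `ReadWriteOnce` is also shared by the freshclam pod and the asset-manager workers, which can land on different nodes; `ReadWriteMany` is the mode NFS supports for that, with the worker side restricted at its claim reference rather than on the PV. The two `# Verify this` comments should be resolved before merge.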
6 changes: 2 additions & 4 deletions charts/asset-manager/templates/worker-deployment.yaml
Expand Up @@ -45,10 +45,8 @@ spec:
server: "{{ .Values.assetManagerNFS }}"
path: /asset-manager
- name: clam-virus-db
nfs:
server: "{{ .Values.assetManagerNFS }}"
path: /clamav-db
readOnly: true
persistentVolumeClaim:
claimName: { { include "licensify.name" . } }-{{ .Values.appName }}-db
- name: etc-clamav
configMap:
name: {{ $fullName }}-etc-clamav
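Review bot: The worker volume loses its read-only restriction: as far as the rendered diff shows, the removed `nfs` block carried `readOnly: true` and the replacement `persistentVolumeClaim` block has none, so asset-manager workers now mount the ClamAV database read-write even though only freshclam needs to write it. Keep the restriction on the consumer that needs it by adding `readOnly: true` under `persistentVolumeClaim:` next to `claimName`; that is independent of the PV-level `readOnly` in clamav-pv.yaml, which would also block freshclam. The `volumes` list continues outside the hunk.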
2 changes: 2 additions & 0 deletions charts/asset-manager/values.yaml
Expand Up @@ -141,3 +141,5 @@ redis:
redisUrlOverride:
app: ""
workers: ""
nfs:
storage: 15Gi # This may not be the same for the other NFS. Consider adding more keys here

Check warning on line 145 in charts/asset-manager/values.yaml


GitHub Actions / yamllint

145:17 [comments] too few spaces before comment

Check failure on line 145 in charts/asset-manager/values.yaml


GitHub Actions / chart-testing

145:17 [comments] too few spaces before comment
3 changes: 3 additions & 0 deletions charts/licensify/templates/clamav/pv.yaml
Expand Up @@ -6,6 +6,9 @@ metadata:
name: {{ include "licensify.name" . }}-{{ .Values.appName }}-db
labels:
{{- include "licensify.labels" . | nindent 4 }}
app: {{ .Values.appName }}
app.kubernetes.io/name: {{ .Values.appName }}
app.kubernetes.io/component: {{ .Values.appName }} # Verify this
spec:
capacity:
storage: {{ .Values.nfs.storage }}
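Review bot: The added `app.kubernetes.io/component` label carries a `# Verify this` comment into the committed template and is set to the same value as `app.kubernetes.io/name`, so the component label adds no information; the single added line in licensify pvc.yaml has the same shape. If these labels exist only to satisfy the PVC selector, drop the comment and give `component` a value that names the role rather than repeating `.Values.appName`; otherwise replace the comment with a `# TODO:` stating what is unverified so it is not lost. The `metadata` block continues outside the hunk.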
1 change: 1 addition & 0 deletions charts/licensify/templates/clamav/pvc.yaml
Expand Up @@ -8,6 +8,7 @@ metadata:
{{- include "licensify.labels" . | nindent 4 }}
app: {{ .Values.appName }}
app.kubernetes.io/name: {{ .Values.appName }}
app.kubernetes.io/component: {{ .Values.appName }} # Verify this
spec:
storageClassName: ""
accessModes:
