From 96f80a0385564ebd0b6bebfa19d9c7fa6cee7768 Mon Sep 17 00:00:00 2001
From: nimalank7
Date: Thu, 16 Jan 2025 18:18:57 +0000
Subject: [PATCH] Use NFS PersistentVolume for asset-manager clamav for compliance with PSS restricted
Description:
- PSS restricted doesn't allow volume types of `nfs` (see [here](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted)) but does allow us to use a `PersistentVolume` of type NFS
- Add some additional annotations onto Licensify `PersistentVolume` and `PersistentVolumeClaim`
- As part of https://github.com/alphagov/govuk-helm-charts/issues/1883
---
 charts/app-config/values-integration.yaml | 1 -
 charts/app-config/values-production.yaml | 1 -
 charts/app-config/values-staging.yaml | 1 -
 .../templates/_freshclam_podspec.yaml | 5 ++---
 charts/asset-manager/templates/clamav-pv.yaml | 21 +++++++++++++++++++
 .../asset-manager/templates/clamav-pvc.yaml | 21 +++++++++++++++++++
 .../templates/worker-deployment.yaml | 6 ++----
 charts/asset-manager/values.yaml | 2 ++
 charts/licensify/templates/clamav/pv.yaml | 3 +++
 charts/licensify/templates/clamav/pvc.yaml | 1 +
 10 files changed, 52 insertions(+), 10 deletions(-)
 create mode 100644 charts/asset-manager/templates/clamav-pv.yaml
 create mode 100644 charts/asset-manager/templates/clamav-pvc.yaml
diff --git a/charts/app-config/values-integration.yaml b/charts/app-config/values-integration.yaml
index ab4ad17ba88..e1b173100a0 100644
--- a/charts/app-config/values-integration.yaml
+++ b/charts/app-config/values-integration.yaml
@@ -1510,7 +1510,6 @@ govukApplications:
 - name: licensify
 chartPath: charts/licensify
- namespace: licensify
 imageValues:
 - "licensify-admin"
 - "licensify-backend"
diff --git a/charts/app-config/values-production.yaml b/charts/app-config/values-production.yaml
index f1d5cc48037..fdb1d80ed8b 100644
--- a/charts/app-config/values-production.yaml
+++ b/charts/app-config/values-production.yaml
@@ -1544,7 +1544,6 @@ govukApplications:
 - name: licensify
 chartPath: charts/licensify
- namespace: licensify
 imageValues:
 - "licensify-admin"
 - "licensify-backend"
diff --git a/charts/app-config/values-staging.yaml b/charts/app-config/values-staging.yaml
index 8c282caef9d..07c91390c35 100644
--- a/charts/app-config/values-staging.yaml
+++ b/charts/app-config/values-staging.yaml
@@ -1564,7 +1564,6 @@ govukApplications:
 - name: licensify
 chartPath: charts/licensify
- namespace: licensify
 imageValues:
 - "licensify-admin"
 - "licensify-backend"
diff --git a/charts/asset-manager/templates/_freshclam_podspec.yaml b/charts/asset-manager/templates/_freshclam_podspec.yaml
index 6c01b038bca..ee96d0c1147 100644
--- a/charts/asset-manager/templates/_freshclam_podspec.yaml
+++ b/charts/asset-manager/templates/_freshclam_podspec.yaml
@@ -37,9 +37,8 @@ spec:
 readOnlyRootFilesystem: true
 volumes:
 - name: clam-virus-db
- nfs:
- server: "{{ .Values.assetManagerNFS }}"
- path: /clamav-db
+ persistentVolumeClaim:
+ claimName: { { include "licensify.name" . } }-{{ .Values.appName }}-db
 - name: etc-clamav
 configMap:
 name: {{ $fullName }}-etc-clamav
diff --git a/charts/asset-manager/templates/clamav-pv.yaml b/charts/asset-manager/templates/clamav-pv.yaml
new file mode 100644
index 00000000000..1f72637c341
--- /dev/null
+++ b/charts/asset-manager/templates/clamav-pv.yaml
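Review bot: The new `claimName: { { include "licensify.name" . } }-{{ .Values.appName }}-db` in the `_freshclam_podspec.yaml` hunk cannot work: `{ {` with a space is not a Go template delimiter, so Helm leaves it as text and the YAML parser sees a value starting with `{`, and `licensify.name` / `.Values.appName` are a helper and value of the licensify chart, not this one. The claim this patch creates in clamav-pvc.yaml is named `{{ $fullName }}-freshclam-db`, and `$fullName` is already in scope here (the etc-clamav configMap line uses it), so the line should read `claimName: {{ $fullName }}-freshclam-db`. This volume was previously mounted writable (the removed `nfs:` block has no `readOnly`), while the PV it now binds to declares `nfs.readOnly: true`, so freshclam would be unable to write database updates unless that flag is moved to the worker's volume source instead. The `volumes` list and the pod spec continue outside the hunk.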
@@ -0,0 +1,21 @@
+{{- define "asset-manager.freshclam.podspec" }}
+{{- $fullName := include "asset-manager.fullname" . }}
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: {{ $fullName }}-freshclam-db
+ labels:
+ {{- include "asset-manager.labels" . | nindent 4 }}
+ app: {{ .Values.fullName }}
+ app.kubernetes.io/name: {{ .Values.fullName }}-freshclam-db
+ app.kubernetes.io/component: {{ .Values.fullName }}-freshclam-db #V Verify this
+spec:
+ capacity:
+ storage: {{ .Values.nfs.storage }}
+ accessModes:
+ - ReadWriteOnce
+ persistentVolumeReclaimPolicy: Retain
+ nfs:
+ server: "{{ .Values.assetManagerNFS }}"
+ path: /clamav-db
+ readOnly: true
diff --git a/charts/asset-manager/templates/clamav-pvc.yaml b/charts/asset-manager/templates/clamav-pvc.yaml
new file mode 100644
index 00000000000..a53bd3f95ae
--- /dev/null
+++ b/charts/asset-manager/templates/clamav-pvc.yaml
@@ -0,0 +1,21 @@
+{{- define "asset-manager.freshclam.podspec" }}
+{{- $fullName := include "asset-manager.fullname" . }}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: {{ $fullName }}-freshclam-db
+ labels:
+ {{- include "asset-manager.labels" . | nindent 4 }}
+ app: {{ $fullName }}-freshclam
+ app.kubernetes.io/name: {{ $fullName }}-freshclam-db # Verify this
+ app.kubernetes.io/component: {{ $fullName }}-freshclam-db # Verify this
+spec:
+ storageClassName: ""
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: {{ .Values.nfs.storage }}
+ selector:
+ matchLabels:
+ {{- include "asset-manager.selectorLabels" . | nindent 6 }}
diff --git a/charts/asset-manager/templates/worker-deployment.yaml b/charts/asset-manager/templates/worker-deployment.yaml
index 8b051663ca2..8050c92f647 100644
--- a/charts/asset-manager/templates/worker-deployment.yaml
+++ b/charts/asset-manager/templates/worker-deployment.yaml
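Review bot: The first line of clamav-pv.yaml, `{{- define "asset-manager.freshclam.podspec" }}`, wraps the whole PersistentVolume in a named template that is never invoked and has no matching `{{- end }}`, so the chart will fail to parse and nothing is rendered; the name looks copied from `_freshclam_podspec.yaml`, and the line should simply be deleted. `readOnly: true` on the NFS source applies to every pod that binds this claim, including the freshclam pod whose mount was writable before this patch, so the read-only restriction belongs on the worker's `persistentVolumeClaim` volume source rather than on the PV. The volume is shared by the freshclam and worker pods, which may be scheduled on different nodes, so `ReadWriteMany` describes its use more honestly than `ReadWriteOnce` (NFS supports it), even though the kubelet may not enforce the mode for an NFS PV. The labels mix `.Values.fullName` with the `$fullName` used for `name` (the PVC uses `$fullName` throughout), and overriding `app.kubernetes.io/name` after `asset-manager.labels` has been included yields a duplicate key if that helper already sets it; the `#V Verify this` marker should be resolved before merge.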
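Review bot: clamav-pvc.yaml also opens with `{{- define "asset-manager.freshclam.podspec" }}` and never closes it, which leaves the PersistentVolumeClaim inside an unclosed, never-invoked template and breaks template parsing; remove that line. PersistentVolumes are cluster-scoped, and a `selector.matchLabels` built only from `asset-manager.selectorLabels` will match any PV that carries the chart's selector labels, so if those labels are the usual `app.kubernetes.io/name` / `instance` pair the binding is not pinned to this export, and because clamav-pv.yaml overrides `app.kubernetes.io/name` with a `-freshclam-db` suffix the PV may not match at all and the claim would stay Pending. Selecting on a label dedicated to this volume, set identically on the PV, would fix both. `storageClassName: ""` is the right choice here since it stops a dynamic provisioner from satisfying the claim; the two `# Verify this` markers should be resolved before merge.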
@@ -45,10 +45,8 @@ spec:
 server: "{{ .Values.assetManagerNFS }}"
 path: /asset-manager
 - name: clam-virus-db
- nfs:
- server: "{{ .Values.assetManagerNFS }}"
- path: /clamav-db
- readOnly: true
+ persistentVolumeClaim:
+ claimName: { { include "licensify.name" . } }-{{ .Values.appName }}-db
 - name: etc-clamav
 configMap:
 name: {{ $fullName }}-etc-clamav
diff --git a/charts/asset-manager/values.yaml b/charts/asset-manager/values.yaml
index c3b9edeeac5..522ff6fc737 100644
--- a/charts/asset-manager/values.yaml
+++ b/charts/asset-manager/values.yaml
@@ -141,3 +141,5 @@ redis:
 redisUrlOverride:
 app: ""
 workers: ""
+nfs:
+ storage: 15Gi # This may not be the same for the other NFS. Consider adding more keys here
diff --git a/charts/licensify/templates/clamav/pv.yaml b/charts/licensify/templates/clamav/pv.yaml
index e5c190cf5d7..36e4bf9dd51 100644
--- a/charts/licensify/templates/clamav/pv.yaml
+++ b/charts/licensify/templates/clamav/pv.yaml
@@ -6,6 +6,9 @@ metadata:
 name: {{ include "licensify.name" . }}-{{ .Values.appName }}-db
 labels:
 {{- include "licensify.labels" . | nindent 4 }}
+ app: {{ .Values.appName }}
+ app.kubernetes.io/name: {{ .Values.appName }}
+ app.kubernetes.io/component: {{ .Values.appName }} # Verify this
 spec:
 capacity:
 storage: {{ .Values.nfs.storage }}
diff --git a/charts/licensify/templates/clamav/pvc.yaml b/charts/licensify/templates/clamav/pvc.yaml
index 3c7cbfb2069..30565200158 100644
--- a/charts/licensify/templates/clamav/pvc.yaml
+++ b/charts/licensify/templates/clamav/pvc.yaml
@@ -8,6 +8,7 @@ metadata:
 {{- include "licensify.labels" . | nindent 4 }}
 app: {{ .Values.appName }}
 app.kubernetes.io/name: {{ .Values.appName }}
+ app.kubernetes.io/component: {{ .Values.appName }} # Verify this
 spec:
 storageClassName: ""
 accessModes:
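Review bot: In worker-deployment.yaml, `claimName: { { include "licensify.name" . } }-{{ .Values.appName }}-db` has the same defect as the freshclam podspec: `{ {` is not a template delimiter, and `licensify.name` / `.Values.appName` are not this chart's helper and value, so the rendered name cannot match the claim created in clamav-pvc.yaml. The removed `nfs:` block mounted the export with `readOnly: true` and the replacement drops it, so the worker's mount is read-only only for as long as the PV happens to say so; keep the restriction on the volume source itself: `persistentVolumeClaim:` / `claimName: {{ $fullName }}-freshclam-db` / `readOnly: true` (`$fullName` is already used on the etc-clamav line). The `volumes` list continues outside the hunk.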
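Review bot: The `# Verify this` marker on the new `app.kubernetes.io/component` label in licensify's pv.yaml (and the matching one added to pvc.yaml in this patch) reads as an unresolved TODO and should be settled before merge; under the Kubernetes recommended-labels convention `component` names the role of the object (something like `clamav-db`) rather than repeating the application name. Adding `app.kubernetes.io/name` directly after `licensify.labels` produces a duplicate key in the rendered manifest if that helper already emits it, which most YAML parsers resolve silently last-wins; whether it does is not visible in this hunk. The commit description calls these additions annotations, but they are labels.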