Use NFS PersistentVolume for asset-manager clamav for compliance with…

… PSS restricted Description: - PSS restricted doesn't allow volume types of `nfs` (see [here](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted)) but does allow us to use a `PersistentVolume` of type NFS - As part of #1883
alphagov · Jan 17, 2025 · d72eb43 · d72eb43
1 parent d138532
commit d72eb43
Show file tree

Hide file tree

Showing 5 changed files with 48 additions and 7 deletions.
diff --git a/charts/asset-manager/templates/_freshclam_podspec.yaml b/charts/asset-manager/templates/_freshclam_podspec.yaml
@@ -37,9 +37,8 @@ spec:
         readOnlyRootFilesystem: true
   volumes:
     - name: clam-virus-db
-      nfs:
-        server: "{{ .Values.assetManagerNFS }}"
-        path: /clamav-db
+      persistentVolumeClaim:
+        claimName: {{ include "licensify.name" . }}-{{ .Values.appName }}-db
     - name: etc-clamav
       configMap:
         name: {{ $fullName }}-etc-clamav

diff --git a/charts/asset-manager/templates/clamav-pv.yaml b/charts/asset-manager/templates/clamav-pv.yaml
@@ -0,0 +1,21 @@
+{{- define "asset-manager.freshclam.podspec" }}
+{{- $fullName := include "asset-manager.fullname" . }}
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: {{ $fullName }}-freshclam-db
+  labels:
+    {{- include "asset-manager.labels" . | nindent 4 }}
+    app: {{ .Values.fullName }}
+    app.kubernetes.io/name: {{ .Values.fullName }}-freshclam-db
+    app.kubernetes.io/component: {{ .Values.fullName }}-freshclam-db #V Verify this
+spec:
+  capacity:
+    storage: {{ .Values.nfs.storage }}
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  nfs:
+    server: "{{ .Values.assetManagerNFS }}"
+    path: /clamav-db
+    readOnly: true
diff --git a/charts/asset-manager/templates/clamav-pvc.yaml b/charts/asset-manager/templates/clamav-pvc.yaml
@@ -0,0 +1,21 @@
+{{- define "asset-manager.freshclam.podspec" }}
+{{- $fullName := include "asset-manager.fullname" . }}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: {{ $fullName }}-freshclam-db
+  labels:
+    {{- include "asset-manager.labels" . | nindent 4 }}
+    app: {{ $fullName }}-freshclam
+    app.kubernetes.io/name: {{ $fullName }}-freshclam-db # Verify this
+    app.kubernetes.io/component: {{ $fullName }}-freshclam-db # Verify this
+spec:
+  storageClassName: ""
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: {{ .Values.nfs.storage }}
+  selector:
+    matchLabels:
+      {{- include "asset-manager.selectorLabels" . | nindent 6 }}
diff --git a/charts/asset-manager/templates/worker-deployment.yaml b/charts/asset-manager/templates/worker-deployment.yaml
@@ -45,10 +45,8 @@ spec:
             server: "{{ .Values.assetManagerNFS }}"
             path: /asset-manager
         - name: clam-virus-db
-          nfs:
-            server: "{{ .Values.assetManagerNFS }}"
-            path: /clamav-db
-            readOnly: true
+          persistentVolumeClaim:
+            claimName: { { include "licensify.name" . } }-{{ .Values.appName }}-db
         - name: etc-clamav
           configMap:
             name: {{ $fullName }}-etc-clamav

diff --git a/charts/asset-manager/values.yaml b/charts/asset-manager/values.yaml
@@ -141,3 +141,5 @@ redis:
   redisUrlOverride:
     app: ""
     workers: ""
+nfs:
+  storage: 15Gi