From d2eafece5809e39428e28e2fba9d77733790853b Mon Sep 17 00:00:00 2001
From: Nico Koprowski
Date: Tue, 14 Jan 2025 15:35:12 +0800
Subject: [PATCH] fix(charts): add security profiles to BPDM deployment containers

- adds seccomp and app armor profiles
- security context configuration now affects also initcontainers
---
 charts/bpdm/CHANGELOG.md | 3 +++
 charts/bpdm/Chart.yaml | 2 +-
 .../charts/bpdm-cleaning-service-dummy/CHANGELOG.md | 2 ++
 .../charts/bpdm-cleaning-service-dummy/values.yaml | 2 ++
 charts/bpdm/charts/bpdm-common/CHANGELOG.md | 6 ++++++
 charts/bpdm/charts/bpdm-common/Chart.yaml | 2 +-
 .../bpdm/charts/bpdm-common/templates/_deployment.tpl | 11 ++---------
 charts/bpdm/charts/bpdm-gate/CHANGELOG.md | 2 ++
 charts/bpdm/charts/bpdm-gate/values.yaml | 4 ++++
 charts/bpdm/charts/bpdm-orchestrator/CHANGELOG.md | 2 ++
 charts/bpdm/charts/bpdm-orchestrator/values.yaml | 2 ++
 charts/bpdm/charts/bpdm-pool/CHANGELOG.md | 2 ++
 charts/bpdm/charts/bpdm-pool/values.yaml | 4 ++++
 13 files changed, 33 insertions(+), 11 deletions(-)

diff --git a/charts/bpdm/CHANGELOG.md b/charts/bpdm/CHANGELOG.md
index cb36d780c..37c96be4f 100644
--- a/charts/bpdm/CHANGELOG.md
+++ b/charts/bpdm/CHANGELOG.md
@@ -15,6 +15,9 @@ The format is based on Keep a Changelog (https://keepachangelog.com/en/1.0.0/),
 - update BPDM Cleaning Service Dummy Chart to version 3.3.0
 - update BPDM Bridge Chart to version 3.3.0
 - update Central-IDP dependency to 4.0.0 [#1145](https://github.com/eclipse-tractusx/bpdm/pull/1145)
+- Add missing app armor profiles for BPDM application containers [#1153](https://github.com/eclipse-tractusx/bpdm/issues/1153)
+- Add missing seccomp profiles for BPDM application containers [#1152](https://github.com/eclipse-tractusx/bpdm/issues/1152)
+
 
 ## [5.2.0] - 2024-11-28
 
diff --git a/charts/bpdm/Chart.yaml b/charts/bpdm/Chart.yaml
index 1b359ad4d..72de2a022 100644
--- a/charts/bpdm/Chart.yaml
+++ b/charts/bpdm/Chart.yaml
@@ -49,7 +49,7 @@ dependencies:
 alias: bpdm-orchestrator
 condition: bpdm-orchestrator.enabled
 - name: bpdm-common
- version: 1.0.2
+ version: 1.0.3-SNAPSHOT
 - name: postgresql
 version: 12.12.10
 repository: https://charts.bitnami.com/bitnami
diff --git a/charts/bpdm/charts/bpdm-cleaning-service-dummy/CHANGELOG.md b/charts/bpdm/charts/bpdm-cleaning-service-dummy/CHANGELOG.md
index fe9ce600f..0731682f9 100644
--- a/charts/bpdm/charts/bpdm-cleaning-service-dummy/CHANGELOG.md
+++ b/charts/bpdm/charts/bpdm-cleaning-service-dummy/CHANGELOG.md
@@ -8,6 +8,8 @@ The format is based on Keep a Changelog (https://keepachangelog.com/en/1.0.0/),
 
 - Increase appversion to 6.3.0
 - update Central-IDP dependency to 4.0.0 [#1145](https://github.com/eclipse-tractusx/bpdm/pull/1145)
+- Add missing app armor profile [#1153](https://github.com/eclipse-tractusx/bpdm/issues/1153)
+- Add missing seccomp profile [#1152](https://github.com/eclipse-tractusx/bpdm/issues/1152)
 
 ## [3.2.0] - 2024-11-28
 
diff --git a/charts/bpdm/charts/bpdm-cleaning-service-dummy/values.yaml b/charts/bpdm/charts/bpdm-cleaning-service-dummy/values.yaml
index 27b637d19..b63d9df6b 100644
--- a/charts/bpdm/charts/bpdm-cleaning-service-dummy/values.yaml
+++ b/charts/bpdm/charts/bpdm-cleaning-service-dummy/values.yaml
@@ -40,6 +40,8 @@ springProfiles: []
 securityContext:
 seccompProfile:
 type: RuntimeDefault
+ appArmorProfile:
+ type: RuntimeDefault
 allowPrivilegeEscalation: false
 runAsNonRoot: true
 readOnlyRootFilesystem: true
diff --git a/charts/bpdm/charts/bpdm-common/CHANGELOG.md b/charts/bpdm/charts/bpdm-common/CHANGELOG.md
index 5108abac0..ceac2ff5c 100644
--- a/charts/bpdm/charts/bpdm-common/CHANGELOG.md
+++ b/charts/bpdm/charts/bpdm-common/CHANGELOG.md
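Review bot: The new `appArmorProfile` key under `securityContext` is a field that only Kubernetes 1.30 and later understand; on older clusters Helm's OpenAPI schema validation rejects the rendered Deployment, or an API server with lenient field validation drops the key with a warning, so the chart now has a cluster-version floor that nothing in this hunk records. The same applies to the gate, orchestrator and pool values.yaml hunks in this patch. If Chart.yaml does not already carry a matching `kubeVersion` constraint (not visible here), add one, and annotate the key where it is set, e.g. `appArmorProfile:  # needs Kubernetes >= 1.30; older clusters only support the container.apparmor.security.beta.kubernetes.io/<container> annotation`. Note also that this patch renders the same `securityContext` map at pod level in bpdm-common's _deployment.tpl, where the container-only keys below it (`allowPrivilegeEscalation`, `readOnlyRootFilesystem`) are not valid PodSecurityContext fields.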
@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
 
 The format is based on Keep a Changelog (https://keepachangelog.com/en/1.0.0/),
 
+## [1.0.3] - tbd
+
+### Changed
+
+- Add security context configuration to the deployment's init container
+
 ## [1.0.2] - 2024-10-25
 
 ### Changed
diff --git a/charts/bpdm/charts/bpdm-common/Chart.yaml b/charts/bpdm/charts/bpdm-common/Chart.yaml
index 60b89157a..e34afad8f 100644
--- a/charts/bpdm/charts/bpdm-common/Chart.yaml
+++ b/charts/bpdm/charts/bpdm-common/Chart.yaml
@@ -21,7 +21,7 @@ apiVersion: v2
 type: library
 name: bpdm-common
-version: 1.0.2
+version: 1.0.3-SNAPSHOT
 description: A library Helm Chart for other BPDM Charts
 home: https://eclipse-tractusx.github.io/docs/kits/Business%20Partner%20Kit/Adoption%20View
 sources:
diff --git a/charts/bpdm/charts/bpdm-common/templates/_deployment.tpl b/charts/bpdm/charts/bpdm-common/templates/_deployment.tpl
index 47a26f198..a22370a9e 100644
--- a/charts/bpdm/charts/bpdm-common/templates/_deployment.tpl
+++ b/charts/bpdm/charts/bpdm-common/templates/_deployment.tpl
@@ -49,7 +49,7 @@ spec:
 # @url: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server
 automountServiceAccountToken: false
 securityContext:
- {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ {{- toYaml .Values.securityContext | nindent 8 }}
 containers:
 - name: {{ .Chart.Name }}
 securityContext:
@@ -84,14 +84,7 @@ spec:
 - name: startup-delay
 image: busybox:1.28
 securityContext:
- allowPrivilegeEscalation: false
- runAsNonRoot: true
- readOnlyRootFilesystem: true
- runAsUser: 10001
- runAsGroup: 10001
- capabilities:
- drop:
- - ALL
+ {{- toYaml .Values.securityContext | nindent 12 }}
 command: ['sh', '-c', "sleep {{ $.Values.startupDelaySeconds }}"]
 {{- with .Values.nodeSelector }}
 nodeSelector:
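Review bot: The pod-level `securityContext:` in the first _deployment.tpl hunk is now rendered from `.Values.securityContext`, but the values this patch touches keep container-only keys in that map (`allowPrivilegeEscalation`, `readOnlyRootFilesystem`, and presumably the `capabilities` block the old init-container section carried), which PodSecurityContext does not define; Helm's schema validation will refuse the Deployment, or an API server with lenient field validation will drop those keys with a warning. Anything operators set under `podSecurityContext` (for example `fsGroup`, if the values files define it — not visible here) is now ignored silently, and the bpdm-common changelog entry does not say so. Either keep the pod level on `podSecurityContext` and add the seccomp/AppArmor profiles there, or render only pod-valid keys, e.g. `{{- toYaml (pick .Values.securityContext "seccompProfile" "appArmorProfile" "runAsNonRoot" "runAsUser" "runAsGroup") | nindent 8 }}`. The enclosing template definition starts and ends outside the hunk.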
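Review bot: In the second _deployment.tpl hunk the `startup-delay` init container loses its explicit `runAsUser: 10001`, `runAsGroup: 10001` and `capabilities.drop: [ALL]` and inherits whatever `.Values.securityContext` carries; the values hunks in this patch show `runAsNonRoot`, `allowPrivilegeEscalation` and `readOnlyRootFilesystem` but not the uid/gid or capabilities keys (the rest of each values file is outside this patch). If a consuming chart's values omit `runAsUser`, the busybox image's default user is root and `runAsNonRoot: true` makes the kubelet refuse to start the init container, so the pod never reaches its application container. Confirm every consuming chart sets those keys, or keep them as a floor in the template underneath the values, e.g. `{{- toYaml (merge (deepCopy .Values.securityContext) (dict "runAsUser" 10001 "runAsGroup" 10001)) | nindent 12 }}`. The enclosing template definition continues past the end of the hunk.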
diff --git a/charts/bpdm/charts/bpdm-gate/CHANGELOG.md b/charts/bpdm/charts/bpdm-gate/CHANGELOG.md
index 12609df2b..7a943abb9 100644
--- a/charts/bpdm/charts/bpdm-gate/CHANGELOG.md
+++ b/charts/bpdm/charts/bpdm-gate/CHANGELOG.md
@@ -8,6 +8,8 @@ The format is based on Keep a Changelog (https://keepachangelog.com/en/1.0.0/),
 
 - Increase appversion to 6.3.0
 - update Central-IDP dependency to 4.0.0 [#1145](https://github.com/eclipse-tractusx/bpdm/pull/1145)
+- Add missing app armor profile [#1153](https://github.com/eclipse-tractusx/bpdm/issues/1153)
+- Add missing seccomp profile [#1152](https://github.com/eclipse-tractusx/bpdm/issues/1152)
 
 ## [6.2.0] - 2024-11-28
 
diff --git a/charts/bpdm/charts/bpdm-gate/values.yaml b/charts/bpdm/charts/bpdm-gate/values.yaml
index 445ff6820..3e2bf5600 100644
--- a/charts/bpdm/charts/bpdm-gate/values.yaml
+++ b/charts/bpdm/charts/bpdm-gate/values.yaml
@@ -38,6 +38,10 @@ podAnnotations: {}
 springProfiles: []
 
 securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ appArmorProfile:
+ type: RuntimeDefault
 allowPrivilegeEscalation: false
 runAsNonRoot: true
 readOnlyRootFilesystem: true
diff --git a/charts/bpdm/charts/bpdm-orchestrator/CHANGELOG.md b/charts/bpdm/charts/bpdm-orchestrator/CHANGELOG.md
index d571a3524..c01ba8956 100644
--- a/charts/bpdm/charts/bpdm-orchestrator/CHANGELOG.md
+++ b/charts/bpdm/charts/bpdm-orchestrator/CHANGELOG.md
@@ -8,6 +8,8 @@ The format is based on Keep a Changelog (https://keepachangelog.com/en/1.0.0/),
 
 - Increase appversion to 6.3.0
 - update Central-IDP dependency to 4.0.0 [#1145](https://github.com/eclipse-tractusx/bpdm/pull/1145)
+- Add missing app armor profile [#1153](https://github.com/eclipse-tractusx/bpdm/issues/1153)
+- Add missing seccomp profile [#1152](https://github.com/eclipse-tractusx/bpdm/issues/1152)
 
 ## [3.2.0] - 2024-11-28
 
diff --git a/charts/bpdm/charts/bpdm-orchestrator/values.yaml b/charts/bpdm/charts/bpdm-orchestrator/values.yaml
index f55452747..0eedf8091 100644
--- a/charts/bpdm/charts/bpdm-orchestrator/values.yaml
+++ b/charts/bpdm/charts/bpdm-orchestrator/values.yaml
@@ -40,6 +40,8 @@ springProfiles: []
 securityContext:
 seccompProfile:
 type: RuntimeDefault
+ appArmorProfile:
+ type: RuntimeDefault
 allowPrivilegeEscalation: false
 runAsNonRoot: true
 readOnlyRootFilesystem: true
diff --git a/charts/bpdm/charts/bpdm-pool/CHANGELOG.md b/charts/bpdm/charts/bpdm-pool/CHANGELOG.md
index ea215cd71..41c0e0ec2 100644
--- a/charts/bpdm/charts/bpdm-pool/CHANGELOG.md
+++ b/charts/bpdm/charts/bpdm-pool/CHANGELOG.md
@@ -8,6 +8,8 @@ The format is based on Keep a Changelog (https://keepachangelog.com/en/1.0.0/),
 
 - Increase appversion to 6.3.0
 - update Central-IDP dependency to 4.0.0 [#1145](https://github.com/eclipse-tractusx/bpdm/pull/1145)
+- Add missing app armor profile [#1153](https://github.com/eclipse-tractusx/bpdm/issues/1153)
+- Add missing seccomp profile [#1152](https://github.com/eclipse-tractusx/bpdm/issues/1152)
 
 ## [7.2.0] - 2024-11-28
 
diff --git a/charts/bpdm/charts/bpdm-pool/values.yaml b/charts/bpdm/charts/bpdm-pool/values.yaml
index aa8621ff0..7d1b93374 100644
--- a/charts/bpdm/charts/bpdm-pool/values.yaml
+++ b/charts/bpdm/charts/bpdm-pool/values.yaml
@@ -38,6 +38,10 @@ podAnnotations: {}
 springProfiles: []
 
 securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ appArmorProfile:
+ type: RuntimeDefault
 allowPrivilegeEscalation: false
 runAsNonRoot: true
 readOnlyRootFilesystem: true