Merge pull request #1497 from alphagov/nsabri1/update-clamav-config

Updating ClamAV configuration:
alphagov · Nov 29, 2023 · 8287899 · 8287899
2 parents 06beef8 + 750939d
commit 8287899
Show file tree

Hide file tree

Showing 5 changed files with 10 additions and 4 deletions.
diff --git a/charts/app-config/values-integration.yaml b/charts/app-config/values-integration.yaml
@@ -153,12 +153,13 @@ govukApplications:
               - path: /media/
               - path: /auth/gds  # Viewing draft assets requires user auth.
       assetManagerNFS: &assets-nfs assets.blue.integration.govuk-internal.digital
+      clamMountConfigPath: /usr/local/etc
       nginxConfigMap:
         create: false
         name: asset-manager-nginx-conf
       extraEnv:
         - name: ASSET_MANAGER_CLAMSCAN_PATH
-          value: /usr/bin/clamdscan
+          value: /usr/local/bin/clamdscan
         - name: GDS_SSO_OAUTH_ID
           valueFrom:
             secretKeyRef:

diff --git a/charts/asset-manager/templates/_freshclam_podspec.yaml b/charts/asset-manager/templates/_freshclam_podspec.yaml
@@ -28,7 +28,7 @@ spec:
         - name: clam-virus-db
           mountPath: /var/lib/clamav
         - name: etc-clamav
-          mountPath: /etc/clamav
+          mountPath: {{ .Values.clamMountConfigPath }}
       securityContext:
         allowPrivilegeEscalation: false
         readOnlyRootFilesystem: true

diff --git a/charts/asset-manager/templates/clamav-configmap.yaml b/charts/asset-manager/templates/clamav-configmap.yaml
@@ -37,5 +37,7 @@ data:
     Foreground yes
     LogTime yes
     LogVerbose yes
+    DatabaseDirectory /var/lib/clamav
+    DatabaseOwner app
     # Avoid peaky RAM usage. clamd will complain anyway if something's wrong with the database.
     TestDatabases no
diff --git a/charts/asset-manager/templates/worker-deployment.yaml b/charts/asset-manager/templates/worker-deployment.yaml
@@ -69,7 +69,7 @@ spec:
             - name: asset-manager-efs
               mountPath: &uploads-path /mnt/asset-manager
             - name: etc-clamav
-              mountPath: /etc/clamav
+              mountPath: {{ .Values.clamMountConfigPath }}
             {{- with .Values.appExtraVolumeMounts }}
               {{ . | toYaml | trim | nindent 12 }}
             {{- end }}
@@ -123,7 +123,7 @@ spec:
             - name: clamd-tmp
               mountPath: /tmp
             - name: etc-clamav
-              mountPath: /etc/clamav
+              mountPath: {{ .Values.clamMountConfigPath }}
           securityContext:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: true
diff --git a/charts/asset-manager/values.yaml b/charts/asset-manager/values.yaml
@@ -79,6 +79,9 @@ clamdResources:
     cpu: 500m
     memory: 2000Mi
 
+# clamMountConfigPath is the path to which the clamav.conf and freshclam.conf are mounted
+clamMountConfigPath: "/etc/clamav"
+
 # assetManagerNFS is the address of the NFSv4 (or Amazon EFS) server where uploaded
 assetManagerNFS: "asset-manager-efs.dev.gov.uk"