From 3f8e05e88ecad9c7597de9544f9ac741041f4bd7 Mon Sep 17 00:00:00 2001
From: Brett Kochendorfer
Date: Tue, 29 Aug 2023 16:30:24 -0500
Subject: [PATCH 1/4] Add pod security policy

This adds pod security policy and seccompprofile.

---
 cockroachdb/Chart.yaml | 2 +-
 cockroachdb/templates/job-certSelfSigner.yaml | 8 ++++++++
 cockroachdb/templates/job-cleaner.yaml | 8 ++++++++
 cockroachdb/templates/job.init.yaml | 14 ++++++++++++++
 cockroachdb/templates/statefulset.yaml | 2 ++
 5 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/cockroachdb/Chart.yaml b/cockroachdb/Chart.yaml
index db40de10..b46da40a 100644
--- a/cockroachdb/Chart.yaml
+++ b/cockroachdb/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 name: cockroachdb
 home: https://www.cockroachlabs.com
-version: 11.1.7
+version: 11.2.0
 appVersion: 23.1.10
 description: CockroachDB is a scalable, survivable, strongly-consistent SQL database.
 icon: https://raw.githubusercontent.com/cockroachdb/cockroach/master/docs/media/cockroach_db.png
diff --git a/cockroachdb/templates/job-certSelfSigner.yaml b/cockroachdb/templates/job-certSelfSigner.yaml
index d3d3b83e..7242a68b 100644
--- a/cockroachdb/templates/job-certSelfSigner.yaml
+++ b/cockroachdb/templates/job-certSelfSigner.yaml
@@ -30,6 +30,8 @@ spec:
 spec:
 {{- if and .Values.tls.certs.selfSigner.securityContext.enabled }}
 securityContext:
+ seccompProfile:
+ type: "RuntimeDefault"
 runAsGroup: 1000
 runAsUser: 1000
 fsGroup: 1000
@@ -71,5 +73,11 @@ spec:
 value: {{ .Release.Namespace | quote }}
 - name: CLUSTER_DOMAIN
 value: {{ .Values.clusterDomain}}
+ {{- if and .Values.tls.certs.selfSigner.securityContext.enabled }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ {{- end }}
 serviceAccountName: {{ template "selfcerts.fullname" . }}
 {{- end}}
diff --git a/cockroachdb/templates/job-cleaner.yaml b/cockroachdb/templates/job-cleaner.yaml
index fb02be6f..5b6dc52f 100644
--- a/cockroachdb/templates/job-cleaner.yaml
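Review bot: The `seccompProfile` added to the pod-level `securityContext` in job-certSelfSigner.yaml is gated only on `.Values.tls.certs.selfSigner.securityContext.enabled`, while the same addition in job.init.yaml sits inside `{{- if eq (include "cockroachdb.securityContext.versionValidation" .) "true" }}`. The field only exists on Kubernetes 1.19 and later, so on an older API server it is either dropped as an unknown field, leaving the job running without the profile, or rejected under strict field validation. Unless a version check wraps this block further up, which the hunk does not show, wrapping the two new lines in the same `versionValidation` include keeps the three templates consistent; the first job-cleaner.yaml hunk has the same gap. The enclosing `{{- if ... }}` closes outside the hunk.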
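Review bot: The container-level `securityContext` added ahead of `serviceAccountName` in job-certSelfSigner.yaml drops all capabilities and blocks privilege escalation but does not set `runAsNonRoot: true`, so the kubelet never verifies that the image really runs as the `runAsUser: 1000` configured in the pod context, and the container falls short of the restricted Pod Security Standard, which requires that field at pod or container level. Adding `runAsNonRoot: true` beside `allowPrivilegeEscalation: false` closes that gap, and `readOnlyRootFilesystem: true` is worth considering too since the statefulset container context already sets it, provided the cert tooling does not write to the root filesystem. The same shape is repeated in the second job-cleaner.yaml hunk, in the second and third job.init.yaml hunks, and in the PATCH 2 statefulset.yaml hunk. A point of style: `drop: ["ALL"]` is flow style here while statefulset.yaml writes the same list in block form as `drop:` / `- ALL`; either renders the same, but the chart should settle on one.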
+++ b/cockroachdb/templates/job-cleaner.yaml
@@ -27,6 +27,8 @@ spec:
 spec:
 {{- if and .Values.tls.certs.selfSigner.securityContext.enabled }}
 securityContext:
+ seccompProfile:
+ type: "RuntimeDefault"
 runAsGroup: 1000
 runAsUser: 1000
 fsGroup: 1000
@@ -43,5 +45,11 @@ spec:
 env:
 - name: STATEFULSET_NAME
 value: {{ template "cockroachdb.fullname" . }}
+ {{- if and .Values.tls.certs.selfSigner.securityContext.enabled }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ {{- end }}
 serviceAccountName: {{ template "rotatecerts.fullname" . }}
 {{- end}}
diff --git a/cockroachdb/templates/job.init.yaml b/cockroachdb/templates/job.init.yaml
index 48f47be9..3e61d88a 100644
--- a/cockroachdb/templates/job.init.yaml
+++ b/cockroachdb/templates/job.init.yaml
@@ -40,6 +40,8 @@ spec:
 {{- if eq (include "cockroachdb.securityContext.versionValidation" .) "true" }}
 {{- if and .Values.init.securityContext.enabled }}
 securityContext:
+ seccompProfile:
+ type: "RuntimeDefault"
 runAsGroup: 1000
 runAsUser: 1000
 fsGroup: 1000
@@ -72,6 +74,12 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: metadata.namespace
+ {{- if and .Values.init.securityContext.enabled }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ {{- end }}
 volumeMounts:
 - name: client-certs
 mountPath: /cockroach-certs/
@@ -247,6 +255,12 @@ spec:
 {{- with .Values.init.resources }}
 resources: {{- toYaml . | nindent 12 }}
 {{- end }}
+ {{- if and .Values.init.securityContext.enabled }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ {{- end }}
 {{- if .Values.tls.enabled }}
 volumes:
 - name: client-certs
diff --git a/cockroachdb/templates/statefulset.yaml b/cockroachdb/templates/statefulset.yaml
index c8a11406..49040979 100644
--- a/cockroachdb/templates/statefulset.yaml
+++ b/cockroachdb/templates/statefulset.yaml
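Review bot: In the third job.init.yaml hunk (`@@ -247,6 +255,12 @@`) the new container `securityContext` lands after the container's `resources` block and directly before the pod-level `{{- if .Values.tls.enabled }}` / `volumes:` lines, and this collapsed patch does not preserve its indentation. It must sit at the container's indent: at pod-spec indent it would be a second `securityContext` key alongside the pod-level one added in the first hunk, which most YAML loaders resolve silently last-wins, dropping `runAsUser`/`runAsGroup`/`fsGroup`. Worth confirming on `helm template` output that the rendered Job has exactly one pod-level `securityContext` and one per container; the second hunk (`@@ -72,6 +74,12 @@`), inserted right after an `env` entry's `fieldRef`, deserves the same check. A comment above the block such as `# seccompProfile is set once at pod level; per-container contexts only restrict capabilities` would also explain why this block differs from the one in the first hunk.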
@@ -294,6 +294,8 @@ spec:
 - ALL
 privileged: false
 readOnlyRootFilesystem: true
+ seccompProfile:
+ type: "RuntimeDefault"
 {{- end }}
 {{- end }}
 {{- with .Values.statefulset.resources }}

From 21c5f831e4fe94887950f0e3f2580e56865b728b Mon Sep 17 00:00:00 2001
From: Brett Kochendorfer
Date: Wed, 30 Aug 2023 09:33:27 -0500
Subject: [PATCH 2/4] Add one more pod security context

---
 cockroachdb/templates/statefulset.yaml | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/cockroachdb/templates/statefulset.yaml b/cockroachdb/templates/statefulset.yaml
index 49040979..948b2e59 100644
--- a/cockroachdb/templates/statefulset.yaml
+++ b/cockroachdb/templates/statefulset.yaml
@@ -65,6 +65,17 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: metadata.namespace
+ {{- if .Values.statefulset.securityContext.enabled }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ seccompProfile:
+ type: "RuntimeDefault"
+ {{- end }}
 volumeMounts:
 - name: certs
 mountPath: /cockroach-certs/

From a26b28ae472df7d94f86d44cff3d8db078cabaf6 Mon Sep 17 00:00:00 2001
From: Brett Kochendorfer
Date: Fri, 15 Sep 2023 13:56:55 -0500
Subject: [PATCH 3/4] Move seccomProfile based on PR feedback

---
 cockroachdb/templates/statefulset.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cockroachdb/templates/statefulset.yaml b/cockroachdb/templates/statefulset.yaml
index 948b2e59..b997e3ec 100644
--- a/cockroachdb/templates/statefulset.yaml
+++ b/cockroachdb/templates/statefulset.yaml
@@ -73,8 +73,6 @@ spec:
 - ALL
 privileged: false
 readOnlyRootFilesystem: true
- seccompProfile:
- type: "RuntimeDefault"
 {{- end }}
 volumeMounts:
 - name: certs
@@ -367,6 +365,8 @@ spec:
 {{- if eq (include "cockroachdb.securityContext.versionValidation" .) "true" }}
 {{- if and .Values.securityContext.enabled }}
 securityContext:
+ seccompProfile:
+ type: "RuntimeDefault"
 fsGroup: 1000
 runAsGroup: 1000
 runAsUser: 1000
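Review bot: The container `securityContext` in the PATCH 2 statefulset.yaml hunk (`@@ -65,6 +65,17 @@`) is gated on `.Values.statefulset.securityContext.enabled`, but the pod-level block in the same file, visible as context in the PATCH 3 hunk at `@@ -367,6 +365,8 @@`, is gated on `.Values.securityContext.enabled`. If values.yaml does not define `statefulset.securityContext`, Helm aborts the render with a nil-pointer evaluation on `.enabled` instead of treating the switch as off; if it does define it, the chart now carries two toggles for the same concern that values.yaml would need to document. Unless a separate per-container toggle is intended, `{{- if .Values.statefulset.securityContext.enabled }}` should become `{{- if .Values.securityContext.enabled }}` so both blocks follow one key. The `seccompProfile` lines in this hunk are relocated to pod level by PATCH 3, so nothing further on them.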
From 7a585cc725a05dbb0609c158e3891d926ce3dc22 Mon Sep 17 00:00:00 2001
From: Brett Kochendorfer
Date: Fri, 15 Sep 2023 15:01:44 -0500
Subject: [PATCH 4/4] Remove seccompProfile

---
 cockroachdb/templates/statefulset.yaml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/cockroachdb/templates/statefulset.yaml b/cockroachdb/templates/statefulset.yaml
index b997e3ec..ad34211a 100644
--- a/cockroachdb/templates/statefulset.yaml
+++ b/cockroachdb/templates/statefulset.yaml
@@ -303,8 +303,6 @@ spec:
 - ALL
 privileged: false
 readOnlyRootFilesystem: true
- seccompProfile:
- type: "RuntimeDefault"
 {{- end }}
 {{- end }}
 {{- with .Values.statefulset.resources }}