From 68a3ad1f5762115b43fbee3ced651881bac4b4e2 Mon Sep 17 00:00:00 2001
From: Prateek Dodda
Date: Tue, 11 Feb 2020 14:34:17 -0600
Subject: [PATCH] Add Docker default AppArmor profile to deckhand
Depends on https://review.opendev.org/#/c/707475/
Change-Id: I320d02bd987bd8af4448694db2f193f83b010a0f
---
 charts/deckhand/templates/deployment.yaml | 1 +
 charts/deckhand/values.yaml | 4 ++++
 tools/gate/playbooks/airskiff-deploy.yaml | 8 ++++----
 3 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/charts/deckhand/templates/deployment.yaml b/charts/deckhand/templates/deployment.yaml
index 6cab808a..6c3c3d8d 100644
--- a/charts/deckhand/templates/deployment.yaml
+++ b/charts/deckhand/templates/deployment.yaml
@@ -40,6 +40,7 @@ spec:
 {{ $labels | indent 8 }}
 annotations:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "deckhand-api" "containerNames" (list "deckhand-api") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
diff --git a/charts/deckhand/values.yaml b/charts/deckhand/values.yaml
index b0024c9a..36218469 100644
--- a/charts/deckhand/values.yaml
+++ b/charts/deckhand/values.yaml
@@ -325,6 +325,10 @@ conf:
 formatter_simple:
 format: "%(asctime)s.%(msecs)03d %(process)d %(levelname)s: %(message)s"
 pod:
+ mandatory_access_control:
+ type: apparmor
+ deckhand-api:
+ deckhand-api: runtime/default
 security_context:
 deckhand:
 pod:
diff --git a/tools/gate/playbooks/airskiff-deploy.yaml b/tools/gate/playbooks/airskiff-deploy.yaml
index a9f35056..31406382 100644
--- a/tools/gate/playbooks/airskiff-deploy.yaml
+++ b/tools/gate/playbooks/airskiff-deploy.yaml
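Review bot: In charts/deckhand/templates/deployment.yaml, the added annotation line names its containers by string literal (`"containerNames" (list "deckhand-api")`), and nothing visible in the hunk ties that string to the container names in the pod spec, which starts at the last context line and continues below the hunk. AppArmor annotations are keyed per container name, so any container not in the list (an init container, if this pod has one) gets no explicit profile annotation, and a later container rename would leave the annotation referring to a name that no longer exists. I would add a template comment above the line, `{{/* AppArmor: one annotation per entry in containerNames; each entry must match a container name in this pod spec and a key under pod.mandatory_access_control.deckhand-api */}}`, and confirm whether any init containers need their own entry.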
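Review bot: In charts/deckhand/values.yaml, the new `mandatory_access_control` block enables AppArmor in the chart defaults without a comment saying what the host must provide or which profile values are accepted. A kubelet on a node where AppArmor is not enabled rejects pods that carry an AppArmor annotation, so operators on such hosts need to know this default has to be overridden; the playbook change in this same commit, which moves AppArmor setup ahead of the cluster deploy, points the same way. I would add above the block `# AppArmor profile per container, keyed <pod name> -> <container name>. Values: runtime/default, localhost/<profile>, unconfined. Nodes must have AppArmor enabled.` The `pod:` mapping continues past the end of the hunk.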
@@ -30,15 +30,15 @@ args: chdir: "{{ zuul.projects['opendev.org/airship/treasuremap'].src_dir }}" - - name: Deploy Kubernetes with Minikube + - name: Setup Apparmor shell: | - ./tools/deployment/airskiff/developer/010-deploy-k8s.sh + ./tools/deployment/airskiff/developer/009-setup-apparmor.sh args: chdir: "{{ zuul.projects['opendev.org/airship/treasuremap'].src_dir }}" - - name: Setup AppArmor + - name: Deploy Kubernetes with Minikube shell: | - ./tools/deployment/airskiff/developer/015-setup-apparmor.sh + ./tools/deployment/airskiff/developer/010-deploy-k8s.sh args: chdir: "{{ zuul.projects['opendev.org/airship/treasuremap'].src_dir }}"
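Review bot: The new first task in tools/gate/playbooks/airskiff-deploy.yaml runs `./tools/deployment/airskiff/developer/009-setup-apparmor.sh` from the treasuremap checkout, but the commit message references the dependent change as `Depends on <url>` rather than the `Depends-On: <url>` footer that Zuul parses. If that script is introduced by the referenced change (not visible here), the gate may run against a treasuremap tree that does not contain it yet. Separately, the task name is now spelled `Setup Apparmor`, while the task it replaces and the commit subject use `AppArmor`; I would keep `- name: Setup AppArmor` so searches on the task name in job logs keep matching.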