From f0a1555aca95275b47141e4fdd8e31da07fcf745 Mon Sep 17 00:00:00 2001
From: Matt Moyer
Date: Thu, 2 Sep 2021 16:08:00 -0500
Subject: [PATCH] Fix broken "read only" fields added in v0.11.0.

These fields were changed as a minor hardening attempt when we switched to Distroless, but I bungled the field names and we never noticed because Kapp doesn't apply API validations. This change fixes the field names so they act as was originally intended. We should also follow up with a change that validates all of our installation manifest in CI.

Signed-off-by: Matt Moyer
---
 deploy/concierge/deployment.yaml | 8 +++++---
 deploy/supervisor/deployment.yaml | 7 ++++---
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/deploy/concierge/deployment.yaml b/deploy/concierge/deployment.yaml
index 74b4ca5b..063dfe93 100644
--- a/deploy/concierge/deployment.yaml
+++ b/deploy/concierge/deployment.yaml
@@ -116,7 +116,6 @@ spec:
 scheduler.alpha.kubernetes.io/critical-pod: ""
 spec:
 securityContext:
- readOnlyRootFilesystem: true
 runAsUser: #@ data.values.run_as_user
 runAsGroup: #@ data.values.run_as_group
 serviceAccountName: #@ defaultResourceName()
@@ -132,6 +131,8 @@ spec:
 image: #@ data.values.image_repo + ":" + data.values.image_tag
 #@ end
 imagePullPolicy: IfNotPresent
+ securityContext:
+ readOnlyRootFilesystem: true
 resources:
 requests:
 cpu: "100m"
@@ -148,10 +149,13 @@ spec:
 mountPath: /tmp
 - name: config-volume
 mountPath: /etc/config
+ readOnly: true
 - name: podinfo
 mountPath: /etc/podinfo
+ readOnly: true
 - name: impersonation-proxy
 mountPath: /var/run/secrets/impersonation-proxy.concierge.pinniped.dev/serviceaccount
+ readOnly: true
 env:
 #@ if data.values.https_proxy:
 - name: HTTPS_PROXY
@@ -185,7 +189,6 @@ spec:
 medium: Memory
 sizeLimit: 100Mi
 - name: config-volume
- readOnly: true
 configMap:
 name: #@ defaultResourceNameWithSuffix("config")
 - name: impersonation-proxy
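Review bot: The container `securityContext` introduced in the `@@ -132,6 +131,8 @@` hunk fixes the placement of `readOnlyRootFilesystem` but stops there, so unless an admission policy intervenes the container still runs with the default capability set and with privilege escalation allowed. Since this is the block that now actually takes effect, it is the natural home for the rest of the usual container hardening: `allowPrivilegeEscalation: false`, `capabilities: {drop: ["ALL"]}`, and `seccompProfile: {type: RuntimeDefault}` (the last needs a cluster recent enough for that field, which the manifest cannot tell us). `runAsNonRoot: true` next to the templated `runAsUser`/`runAsGroup` in the pod-level block would additionally reject a `run_as_user` of 0 at admission instead of trusting the values file, assuming no deployment relies on UID 0 — not visible here. The container definition this hunk edits begins above the hunk; only its `image`/`imagePullPolicy` tail is visible.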
@@ -195,7 +198,6 @@ spec:
 - key: token
 path: token
 - name: podinfo
- readOnly: true
 downwardAPI:
 items:
 - path: "labels"
diff --git a/deploy/supervisor/deployment.yaml b/deploy/supervisor/deployment.yaml
index 8ec9298b..68bda890 100644
--- a/deploy/supervisor/deployment.yaml
+++ b/deploy/supervisor/deployment.yaml
@@ -65,7 +65,6 @@ spec:
 labels: #@ defaultLabel()
 spec:
 securityContext:
- readOnlyRootFilesystem: true
 runAsUser: #@ data.values.run_as_user
 runAsGroup: #@ data.values.run_as_group
 serviceAccountName: #@ defaultResourceName()
@@ -85,6 +84,8 @@ spec:
 - pinniped-supervisor
 - /etc/podinfo
 - /etc/config/pinniped.yaml
+ securityContext:
+ readOnlyRootFilesystem: true
 resources:
 requests:
 cpu: "100m"
@@ -95,8 +96,10 @@ spec:
 volumeMounts:
 - name: config-volume
 mountPath: /etc/config
+ readOnly: true
 - name: podinfo
 mountPath: /etc/podinfo
+ readOnly: true
 ports:
 - containerPort: 8080
 protocol: TCP
@@ -131,11 +134,9 @@ spec:
 failureThreshold: 3
 volumes:
 - name: config-volume
- readOnly: true
 configMap:
 name: #@ defaultResourceNameWithSuffix("static-config")
 - name: podinfo
- readOnly: true
 downwardAPI:
 items:
 - path: "labels"
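Review bot: The `securityContext` added in the `@@ -85,6 +84,8 @@` hunk makes `readOnlyRootFilesystem: true` effective for the first time (per the commit message the misplaced pod-level field never took effect), yet the supervisor's visible mounts are only `config-volume` and `podinfo` — no writable volume, unlike the concierge, which mounts a memory-backed emptyDir at `/tmp`. If the supervisor binary or its Go runtime writes anywhere on the root filesystem (temp files, a cache or log path), that write will now fail at runtime where it previously succeeded silently, so this deserves an integration run before release; if a scratch path is needed, mirroring the concierge's `/tmp` `emptyDir` (`medium: Memory`, `sizeLimit: 100Mi`) is the minimal fix. For the CI follow-up the message mentions, rendering with ytt and piping into `kubectl apply --dry-run=client -f -` with validation on (the kubectl default), or kubeconform against the Kubernetes OpenAPI schema, would have rejected `readOnlyRootFilesystem` under the pod `securityContext` and `readOnly` under `volumes` as unknown fields. The container definition this hunk edits begins above the hunk; only the tail of its `args` list is visible.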