From 3ab9c83a0e3dced36b3b3ddb7a0ffd8cbad2beb4 Mon Sep 17 00:00:00 2001
From: nimalank7
Date: Mon, 13 Jan 2025 16:48:46 +0000
Subject: [PATCH] Use nfs PersistentVolume for Licensify Helm chart for compliance with PSS restricted
Description:
- PSS restricted doesn't allow volume types of `nfs`(see [here](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted)) but does allow `PersistentVolume`
- Refactor the NFS volume to use a `PersistentVolume` of type NFS
- As part of https://github.com/alphagov/govuk-helm-charts/issues/1883
---
 .../templates/clamav/deployment.yaml | 6 ++----
 charts/licensify/templates/clamav/pv.yaml | 18 ++++++++++++++++++
 charts/licensify/templates/clamav/pvc.yaml | 19 +++++++++++++++++++
 charts/licensify/values.yaml | 3 +++
 4 files changed, 42 insertions(+), 4 deletions(-)
 create mode 100644 charts/licensify/templates/clamav/pv.yaml
 create mode 100644 charts/licensify/templates/clamav/pvc.yaml
diff --git a/charts/licensify/templates/clamav/deployment.yaml b/charts/licensify/templates/clamav/deployment.yaml
index 013a5848287..83ff2722a8e 100644
--- a/charts/licensify/templates/clamav/deployment.yaml
+++ b/charts/licensify/templates/clamav/deployment.yaml
@@ -63,10 +63,8 @@ spec:
 - name: app-clamav-log
 emptyDir: {}
 - name: app-clamav-db
- nfs:
- server: "{{ .Values.assetManagerNFS }}"
- path: /clamav-db
- readOnly: true
+ persistentVolumeClaim:
+ claimName: {{ .Values.appName }}-db
 {{- if eq "arm64" .Values.arch }}
 tolerations:
 - key: arch
diff --git a/charts/licensify/templates/clamav/pv.yaml b/charts/licensify/templates/clamav/pv.yaml
new file mode 100644
index 00000000000..d78d6da330d
--- /dev/null
+++ b/charts/licensify/templates/clamav/pv.yaml
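Review bot: The new `persistentVolumeClaim` volume source drops the `readOnly: true` that the removed `nfs` block carried, so the pod-level guarantee that the ClamAV database mount cannot be written now rests only on the PV's `nfs.readOnly` (and on whatever the container's `volumeMounts` says, which is outside this hunk). Add it back on the claim reference so the restriction travels with the pod spec regardless of how the PV is later edited: `persistentVolumeClaim:` / `claimName: {{ .Values.appName }}-db` / `readOnly: true`. Note that this change satisfies PSS restricted only at the pod-spec level; the actual mount is still NFS, which is the stated intent, but worth saying in a comment above the volume so nobody later assumes the policy exception is gone. The `volumes` list being edited starts before the hunk, and the old line referenced only `.Values.assetManagerNFS`, so confirm the deployment template sets `.Values.appName` the way the new pv.yaml and pvc.yaml do before `claimName` is rendered.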
@@ -0,0 +1,18 @@
+{{ $app := .Values.clamav }}
+{{ $_ := set .Values "appName" $app.name }}
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: {{ .Values.appName }}-db
+ labels:
+ {{- include "licensify.labels" . | nindent 4 }}
+spec:
+ capacity:
+ storage: {{ .Values.nfs.storage }}
+ accessModes:
+ - ReadWriteOnce
+ persistentVolumeReclaimPolicy: Retain
+ nfs:
+ server: {{ .Values.assetManagerNFS }}
+ path: /clamav-db
+ readOnly: true
diff --git a/charts/licensify/templates/clamav/pvc.yaml b/charts/licensify/templates/clamav/pvc.yaml
new file mode 100644
index 00000000000..eeda69a40fe
--- /dev/null
+++ b/charts/licensify/templates/clamav/pvc.yaml
@@ -0,0 +1,19 @@
+{{ $app := .Values.clamav }}
+{{ $_ := set .Values "appName" $app.name }}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: {{ .Values.appName }}-db
+ labels:
+ {{- include "licensify.labels" . | nindent 4 }}
+ app: {{ .Values.appName }}
+ app.kubernetes.io/name: {{ .Values.appName }}
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: {{ .Values.nfs.storage }}
+ selector:
+ matchLabels:
+ {{- include "licensify.selectorLabels" . | nindent 6 }}
diff --git a/charts/licensify/values.yaml b/charts/licensify/values.yaml
index 0fe2f29e792..0059719f7ed 100644
--- a/charts/licensify/values.yaml
+++ b/charts/licensify/values.yaml
@@ -39,6 +39,9 @@ nginx:
 requests:
 cpu: 50m
 memory: 512Mi
+nfs:
+ # Value is arbitrary and just for Kubernetes to check PersistentVolume and PersistentVolumeClaim compatibility
+ storage: 15Gi
 apps:
 licensifyAdmin:
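Review bot: `accessModes: - ReadWriteOnce` in the new pv.yaml contradicts the `nfs.readOnly: true` three lines below it and the read-only intent of the volume it replaces; for a read-only NFS export that every ClamAV pod mounts, the mode that states the contract is `ReadOnlyMany`, and the PVC's `accessModes` has to be changed to match or the two will never bind. `server: {{ .Values.assetManagerNFS }}` also lost the quotes the old deployment line had, so an empty value now renders as YAML null rather than an empty string and fails less clearly; write `server: "{{ .Values.assetManagerNFS }}"` and, for the same reason, `storage: "{{ .Values.nfs.storage }}"`. A PersistentVolume is cluster-scoped, and this one is named `{{ .Values.appName }}-db` with no release or namespace component, so two installs of this chart in one cluster would collide on the PV name; whether that ever happens is not visible here, but a short comment above `name:` recording the assumption would help. With `persistentVolumeReclaimPolicy: Retain`, a PV whose claim is deleted moves to `Released` and will not bind a recreated claim until `spec.claimRef` is cleared by hand, which is worth a comment next to that line since the export holds nothing to preserve.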
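Review bot: The new pvc.yaml sets no `storageClassName`, so on a cluster with a default StorageClass the DefaultStorageClass admission plugin stamps that class onto the claim and it is dynamically provisioned (or sits Pending) instead of binding to the static NFS PV, which carries no class at all. For static binding set `storageClassName: ""` here (and on the PV) and bind by name rather than through the chart-wide `licensify.selectorLabels` selector, which presumably matches any PV that carries the chart's labels: `storageClassName: ""` / `volumeName: {{ .Values.appName }}-db`. The `accessModes` here must stay equal to the PV's, so if the PV moves to `ReadOnlyMany` this list has to move with it. Whether the target cluster has a default StorageClass cannot be seen from the diff, but a chart should not depend on its absence.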