From 6eec615b39a12837db0e7af0e6c475a932d07395 Mon Sep 17 00:00:00 2001
From: "Huang, Sophie (sh879n)"
Date: Wed, 24 Mar 2021 18:02:02 +0000
Subject: [PATCH] Set strict permission on mariadb data dir

For security reasons, strict access permission is given to the mariadb data directory /var/lib/mysql

Change-Id: I9e55a7e564d66874a35a54a72817fa1237a162e9
---
 mariadb/Chart.yaml | 2 +-
 mariadb/templates/statefulset.yaml | 10 +++++-----
 releasenotes/notes/mariadb.yaml | 1 +
 3 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/mariadb/Chart.yaml b/mariadb/Chart.yaml
index fe9869bad..1b632a6fe 100644
--- a/mariadb/Chart.yaml
+++ b/mariadb/Chart.yaml
@@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v10.2.31
 description: OpenStack-Helm MariaDB
 name: mariadb
-version: 0.1.11
+version: 0.1.12
 home: https://mariadb.com/kb/en/
 icon: http://badges.mariadb.org/mariadb-badge-180x60.png
 sources:
diff --git a/mariadb/templates/statefulset.yaml b/mariadb/templates/statefulset.yaml
index 816cf983f..d2d1c2e36 100644
--- a/mariadb/templates/statefulset.yaml
+++ b/mariadb/templates/statefulset.yaml
@@ -115,11 +115,11 @@ spec:
 {{ tuple $envAll "mariadb" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ dict "envAll" $envAll "application" "server" "container" "perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- command:
- - chown
- - -R
- - "mysql:mysql"
- - /var/lib/mysql
+ command: ["/bin/sh", "-c"]
+ args:
+ - set -xe;
+ /bin/chown -R "mysql:mysql" /var/lib/mysql;
+ /bin/chmod 700 /var/lib/mysql;
 volumeMounts:
 - name: pod-tmp
 mountPath: /tmp
diff --git a/releasenotes/notes/mariadb.yaml b/releasenotes/notes/mariadb.yaml
index f3de7c2f7..39e049e94 100644
--- a/releasenotes/notes/mariadb.yaml
+++ b/releasenotes/notes/mariadb.yaml
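Review bot: In mariadb/templates/statefulset.yaml the added `/bin/chmod 700 /var/lib/mysql;` is not recursive, so only the top-level directory is tightened and everything beneath it keeps whatever mode it already has; the restriction rests on the parent's search bit alone. That holds for access through this mount point, but it may not hold if the same volume is reachable by another path (a subPath mount or a host-side path, neither of which is visible in this hunk), and any other container that mounts this volume under a different UID would lose access, which is worth checking against the rest of the pod spec. I would state the intent in a comment above `command:`, e.g. `# 0700 on the data dir only; contents keep their modes and rely on the parent's search bit`, and consider adding `/bin/chmod -R go-rwx /var/lib/mysql;` if existing deployments may carry group- or world-readable files. The perms container definition starts above the hunk, and the YAML indentation is not recoverable from this view.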
@@ -12,4 +12,5 @@ mariadb:
 - 0.1.9 Uplift Mariadb-ingress to 0.42.0
 - 0.1.10 Rename mariadb backup identities
 - 0.1.11 Disable mariadb mysql history client logging
+ - 0.1.12 Set strict permission on mariadb data dir
 ...