PER-12459-openshift-support (#68)

* PER-12459-openshift-support

* path changes

* without tmp path

* wip values

* postgres env removed

Author: EliMoshkovich

templates/deployment-client.yaml

@@ -21,6 +21,14 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- if or .Values.openshift.enabled .Values.client.securityContext }}
+      securityContext:
+        {{- if .Values.client.securityContext }}
+        {{- toYaml .Values.client.securityContext | nindent 8 }}
+        {{- else if .Values.openshift.enabled }}
+        {{- toYaml .Values.openshift.securityContext | nindent 8 }}
+        {{- end }}
+      {{- end }}
       {{- if .Values.client.opaStartupData }}
       volumes:
         - name: opa-startup-data
@@ -32,6 +40,14 @@ spec:
         - name: opal-client
           image: {{ include "opal.clientImage" . | quote }}
           imagePullPolicy: {{ .Values.client.imagePullPolicy | default "IfNotPresent" | quote }}
+          {{- if or .Values.openshift.enabled .Values.client.containerSecurityContext }}
+          securityContext:
+            {{- if .Values.client.containerSecurityContext }}
+            {{- toYaml .Values.client.containerSecurityContext | nindent 12 }}
+            {{- else if .Values.openshift.enabled }}
+            {{- toYaml .Values.openshift.containerSecurityContext | nindent 12 }}
+            {{- end }}
+          {{- end }}
           ports:
             - name: http
               containerPort: {{ .Values.client.port }}
@@ -95,4 +111,4 @@ spec:
             {{- toYaml .Values.client.resources | nindent 12 }}
           {{- end }}
 {{- end }}
-{{- end }}
+{{- end }}

templates/deployment-pgsql.yaml

@@ -20,10 +20,36 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- if or .Values.openshift.enabled .Values.postgresql.securityContext }}
+      securityContext:
+        {{- if .Values.postgresql.securityContext }}
+        {{- toYaml .Values.postgresql.securityContext | nindent 8 }}
+        {{- else if .Values.openshift.enabled }}
+        {{- toYaml .Values.openshift.securityContext | nindent 8 }}
+        {{- end }}
+      {{- end }}
+      {{- if .Values.openshift.enabled }}
+      volumes:
+        - name: postgres-data
+          emptyDir: {}
+      {{- end }}
       containers:
         - name: pgsql
           image: {{ include "opal.pgsqlImage" . | quote }}
           imagePullPolicy: IfNotPresent
+          {{- if or .Values.openshift.enabled .Values.postgresql.containerSecurityContext }}
+          securityContext:
+            {{- if .Values.postgresql.containerSecurityContext }}
+            {{- toYaml .Values.postgresql.containerSecurityContext | nindent 12 }}
+            {{- else if .Values.openshift.enabled }}
+            {{- toYaml .Values.openshift.containerSecurityContext | nindent 12 }}
+            {{- end }}
+          {{- end }}
+          {{- if .Values.openshift.enabled }}
+          volumeMounts:
+            - mountPath: /var/lib/postgresql/data
+              name: postgres-data
+          {{- end }}
           ports:
             - name: pgsql
               containerPort: 5432
@@ -35,5 +61,15 @@ spec:
               value: postgres
             - name: POSTGRES_PASSWORD
               value: postgres
+            {{- if .Values.openshift.enabled }}
+            - name: PGDATA
+              value: "/var/lib/postgresql/data/pgdata"
+            {{- end }}
+            {{- if .Values.postgresql.extraEnv }}
+            {{- range $name, $value := .Values.postgresql.extraEnv }}
+            - name: {{ $name }}
+              value: {{ $value | quote }}
+            {{- end }}
+            {{- end }}
 {{- end }}
-{{- end }}
+{{- end }}

templates/deployment-server.yaml

@@ -21,6 +21,14 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- if or .Values.openshift.enabled .Values.server.securityContext }}
+      securityContext:
+        {{- if .Values.server.securityContext }}
+        {{- toYaml .Values.server.securityContext | nindent 8 }}
+        {{- else if .Values.openshift.enabled }}
+        {{- toYaml .Values.openshift.securityContext | nindent 8 }}
+        {{- end }}
+      {{- end }}
       {{- if .Values.e2e }}
       volumes:
         - name: e2e
@@ -29,11 +37,25 @@ spec:
           configMap:
             name: policy-repo-data
             defaultMode: 0755
+      {{- else if .Values.openshift.enabled }}
+      volumes:
+        - name: jwks-dir
+          emptyDir: {}
+      {{- end }}
 
+      {{- if .Values.e2e }}
       initContainers:
         - name: git-init
           image: {{ include "opal.serverImage" . | quote }}
           imagePullPolicy: IfNotPresent
+          {{- if or .Values.openshift.enabled .Values.server.containerSecurityContext }}
+          securityContext:
+            {{- if .Values.server.containerSecurityContext }}
+            {{- toYaml .Values.server.containerSecurityContext | nindent 12 }}
+            {{- else if .Values.openshift.enabled }}
+            {{- toYaml .Values.openshift.containerSecurityContext | nindent 12 }}
+            {{- end }}
+          {{- end }}
           volumeMounts:
             - mountPath: /opt/e2e
               name: e2e
@@ -63,13 +85,25 @@ spec:
         - name: opal-server
           image: {{ include "opal.serverImage" . | quote }}
           imagePullPolicy: {{ .Values.server.imagePullPolicy | default "IfNotPresent" | quote }}
+          {{- if or .Values.openshift.enabled .Values.server.containerSecurityContext }}
+          securityContext:
+            {{- if .Values.server.containerSecurityContext }}
+            {{- toYaml .Values.server.containerSecurityContext | nindent 12 }}
+            {{- else if .Values.openshift.enabled }}
+            {{- toYaml .Values.openshift.containerSecurityContext | nindent 12 }}
+            {{- end }}
+          {{- end }}
           {{- if .Values.e2e }}
           volumeMounts:
             - mountPath: /opt/e2e/policy-repo-data
               name: policy-repo-data
               readOnly: true
             - mountPath: /opt/e2e
               name: e2e
+          {{- else if .Values.openshift.enabled }}
+          volumeMounts:
+            - mountPath: /opal/jwks_dir
+              name: jwks-dir
           {{- end }}
           ports:
             - name: http
@@ -139,4 +173,4 @@ spec:
             {{- toYaml .Values.server.resources | nindent 12 }}
           {{- end }}
 {{- end }}
-{{- end }}
+{{- end }}

values.schema.json

@@ -28,11 +28,44 @@
         },
         "external_source_url": {"type": "string", "title": "url to external data source"}
       }
+    },
+    "SecurityContext": {
+      "type": "object",
+      "title": "SecurityContext",
+      "additionalProperties": true,
+      "properties": {
+        "runAsUser": { "type": "integer" },
+        "runAsGroup": { "type": "integer" },
+        "fsGroup": { "type": "integer" }
+      }
+    },
+    "ContainerSecurityContext": {
+      "type": "object",
+      "title": "ContainerSecurityContext",
+      "additionalProperties": true,
+      "properties": {
+        "runAsNonRoot": { "type": "boolean" },
+        "allowPrivilegeEscalation": { "type": "boolean" }
+      }
     }
   },
 
   "type": "object", "required": ["image"],
   "properties": {
+    "openshift": {
+      "type": "object",
+      "title": "OpenShift compatibility settings",
+      "additionalProperties": false,
+      "properties": {
+        "enabled": {
+          "type": "boolean",
+          "title": "Enable OpenShift compatibility",
+          "default": false
+        },
+        "securityContext": { "$ref": "#/definitions/SecurityContext" },
+        "containerSecurityContext": { "$ref": "#/definitions/ContainerSecurityContext" }
+      }
+    },
     "image": {
       "type": "object", "title": "image", "additionalProperties": false,
       "required": ["server", "client", "pgsql"],
@@ -118,6 +151,8 @@
       "type": ["null", "object"], "additionalProperties": false, "title": "opal server settings",
       "required": ["port", "policyRepoUrl", "pollingInterval", "dataConfigSources", "broadcastPgsql", "uvicornWorkers", "replicas"],
       "properties": {
+        "securityContext": { "$ref": "#/definitions/SecurityContext" },
+        "containerSecurityContext": { "$ref": "#/definitions/ContainerSecurityContext" },
         "enabled": {
           "type": "boolean", "title": "enable server", "default": true
         },
@@ -181,6 +216,8 @@
       "type": ["null", "object"], "additionalProperties": false, "title": "opal client settings",
       "required": ["port", "opaPort", "replicas"],
       "properties": {
+        "securityContext": { "$ref": "#/definitions/SecurityContext" },
+        "containerSecurityContext": { "$ref": "#/definitions/ContainerSecurityContext" },
         "enabled": {
           "type": "boolean", "title": "enable client", "default": true
         },
@@ -220,6 +257,20 @@
           "title": "when kubelet should pull specified image"
         }
       }
+    },
+    "postgresql": {
+      "type": ["null", "object"],
+      "additionalProperties": false,
+      "title": "PostgreSQL settings",
+      "properties": {
+        "securityContext": { "$ref": "#/definitions/SecurityContext" },
+        "containerSecurityContext": { "$ref": "#/definitions/ContainerSecurityContext" },
+        "extraEnv": {
+          "type": "object",
+          "title": "extra environment variables list",
+          "default": {}
+        }
+      }
     }
   }
 }

values.yaml

@@ -1,3 +1,13 @@
+openshift:
+  enabled: false
+  securityContext:
+    runAsUser: 1010180000
+    runAsGroup: 1010180000
+    fsGroup: 1010180000
+  containerSecurityContext:
+    runAsNonRoot: true
+    allowPrivilegeEscalation: false
+
 image:
   client:
     registry: docker.io
@@ -21,7 +31,7 @@ server:
     # Option #1 - No data sources
     config:
       entries: []
-
+    
     # Option #2 - Dynamically get data sources
     # external_source_url: "https://your-api.com/path/to/api/endpoint"
 
@@ -42,6 +52,8 @@ server:
   extraEnv: {
     # "CUSTOM_ENV_VAR": "VALUE"
   }
+  securityContext: {}
+  containerSecurityContext: {}
 
 client:
   port: 7000
@@ -50,3 +62,12 @@ client:
   # If you need to specify a custom hostname for the opal-sever, configure the serverUrl property
   # serverUrl: http://custom-hostname-for-opal:opal-port
   extraEnv: {}
+  securityContext: {}
+  containerSecurityContext: {}
+
+postgresql:
+  securityContext: {}
+  containerSecurityContext: {}
+  extraEnv: {}
+
+broadcastReplicas: 1