tidy up 2

Signed-off-by: Ahmed AbouZaid <[email protected]>
camunda · Sep 2, 2024 · b17ebbe · b17ebbe
1 parent 8cad63e
commit b17ebbe
Show file tree

Hide file tree

Showing 25 changed files with 358 additions and 367 deletions.
diff --git a/charts/camunda-platform-alpha/README.md b/charts/camunda-platform-alpha/README.md
diff --git a/charts/camunda-platform-alpha/templates/camunda/constraints.tpl b/charts/camunda-platform-alpha/templates/camunda/constraints.tpl
@@ -51,6 +51,14 @@ Fail with a message if global.identity.auth.identity.existingSecret is set and g
   {{- end }}
 {{- end }}
 
+{{/*
+Fail with a message if adaptSecurityContext has any value other than "force" or "disabled".
+*/}}
+{{- if not (has .Values.global.compatibility.openshift.adaptSecurityContext (list "force" "disabled")) }}
+  {{- $errorMessage := "[camunda][error] Invalid value for adaptSecurityContext. The value must be either 'force' or 'disabled'." -}}
+  {{ printf "\n%s" $errorMessage | trimSuffix "\n" | fail }}
+{{- end }}
+
 {{/*
 Fail with a message if Identity is disabled and identityKeycloak is enabled.
 */}}

diff --git a/charts/camunda-platform-alpha/templates/connectors/deployment.yaml b/charts/camunda-platform-alpha/templates/connectors/deployment.yaml
@@ -32,7 +32,7 @@ spec:
           image: {{ include "camundaPlatform.imageByParams" (dict "base" .Values.global "overlay" .Values.connectors) }}
           imagePullPolicy: {{ .Values.global.image.pullPolicy }}
           {{- if .Values.connectors.containerSecurityContext }}
-          securityContext: {{- toYaml .Values.connectors.containerSecurityContext | nindent 12 }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.connectors.containerSecurityContext "context" $) | nindent 12 }}
           {{- end }}
           ports:
             - containerPort: {{ .Values.connectors.service.serverPort }}
@@ -172,7 +172,7 @@ spec:
       dnsPolicy: {{ .Values.connectors.dnsPolicy | quote }}
       {{- end }}
       {{- if .Values.connectors.podSecurityContext }}
-      securityContext: {{- toYaml .Values.connectors.podSecurityContext | nindent 8 }}
+      securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.connectors.podSecurityContext "context" $) | nindent 8 }}
       {{- end }}
       {{- with .Values.connectors.nodeSelector }}
       nodeSelector:

diff --git a/charts/camunda-platform-alpha/templates/console/deployment.yaml b/charts/camunda-platform-alpha/templates/console/deployment.yaml
@@ -38,15 +38,13 @@ spec:
       {{- if .Values.console.dnsPolicy }}
       dnsPolicy: {{ .Values.console.dnsPolicy | quote }}
       {{- end }}
-      securityContext:
-        {{- toYaml .Values.console.podSecurityContext | nindent 8 }}
+      securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.console.podSecurityContext "context" $) | nindent 8 }}
       containers:
         - name: {{ .Chart.Name }}
           image: {{ include "camundaPlatform.imageByParams" (dict "base" .Values.global "overlay" .Values.console) }}
           imagePullPolicy: {{ .Values.global.image.pullPolicy }}
           {{- if .Values.console.containerSecurityContext }}
-          securityContext:
-            {{- toYaml .Values.console.containerSecurityContext | nindent 12 }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.console.containerSecurityContext "context" $) | nindent 12 }}
           {{- end }}
           env:
             - name: CAMUNDA_LICENSE_KEY

diff --git a/charts/camunda-platform-alpha/templates/identity/deployment.yaml b/charts/camunda-platform-alpha/templates/identity/deployment.yaml
@@ -33,7 +33,7 @@ spec:
           image: {{ include "camundaPlatform.imageByParams" (dict "base" .Values.global "overlay" .Values.identity) }}
           imagePullPolicy: {{ .Values.global.image.pullPolicy }}
           {{- if .Values.identity.containerSecurityContext }}
-          securityContext: {{- toYaml .Values.identity.containerSecurityContext | nindent 12 }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.identity.containerSecurityContext "context" $) | nindent 12 }}
           {{- end }}
           env:
             - name: CAMUNDA_LICENSE_KEY
@@ -323,7 +323,7 @@ spec:
       dnsPolicy: {{ .Values.identity.dnsPolicy | quote }}
       {{- end }}
       {{- if .Values.identity.podSecurityContext }}
-      securityContext: {{- toYaml .Values.identity.podSecurityContext | nindent 8 }}
+      securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.identity.podSecurityContext "context" $) | nindent 8 }}
       {{- end }}
       {{- with .Values.identity.nodeSelector }}
       nodeSelector:

diff --git a/charts/camunda-platform-alpha/templates/operate/deployment.yaml b/charts/camunda-platform-alpha/templates/operate/deployment.yaml
@@ -38,7 +38,7 @@ spec:
           image: {{ include "camundaPlatform.imageByParams" (dict "base" .Values.global "overlay" .Values.operate) }}
           command: ['/bin/sh', '/usr/local/operate/bin/migrate']
           {{- if .Values.operate.containerSecurityContext }}
-          securityContext: {{- toYaml .Values.operate.containerSecurityContext | nindent 12 }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.operate.containerSecurityContext "context" $) | nindent 12 }}
           {{- end }}
           env:
             {{- if and .Values.global.elasticsearch.external (include "elasticsearch.passwordIsDefined" .) }}
@@ -101,7 +101,7 @@ spec:
           image: {{ include "camundaPlatform.imageByParams" (dict "base" .Values.global "overlay" .Values.operate) }}
           imagePullPolicy: {{ .Values.global.image.pullPolicy }}
           {{- if .Values.operate.containerSecurityContext }}
-          securityContext: {{- toYaml .Values.operate.containerSecurityContext | nindent 12 }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.operate.containerSecurityContext "context" $) | nindent 12 }}
           {{- end }}
           env:
             - name: CAMUNDA_LICENSE_KEY
@@ -334,7 +334,7 @@ spec:
       dnsPolicy: {{ .Values.operate.dnsPolicy | quote }}
       {{- end }}
       {{- if .Values.operate.podSecurityContext }}
-      securityContext: {{- toYaml .Values.operate.podSecurityContext | nindent 8 }}
+      securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.operate.podSecurityContext "context" $) | nindent 8 }}
       {{- end }}
 {{- with .Values.operate.nodeSelector }}
       nodeSelector:

diff --git a/charts/camunda-platform-alpha/templates/optimize/deployment.yaml b/charts/camunda-platform-alpha/templates/optimize/deployment.yaml
@@ -38,7 +38,7 @@ spec:
           image: {{ include "camundaPlatform.imageByParams" (dict "base" .Values.global "overlay" .Values.optimize) }}
           command: ['./upgrade/upgrade.sh', '--skip-warning']
           {{- if .Values.optimize.containerSecurityContext }}
-          securityContext: {{- toYaml .Values.optimize.containerSecurityContext | nindent 12 }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.optimize.containerSecurityContext "context" $) | nindent 12 }}
           {{- end }}
           env:
             - name: CAMUNDA_LICENSE_KEY
@@ -121,7 +121,7 @@ spec:
           image: {{ include "camundaPlatform.imageByParams" (dict "base" .Values.global "overlay" .Values.optimize) }}
           imagePullPolicy: {{ .Values.global.image.pullPolicy }}
           {{- if .Values.optimize.containerSecurityContext }}
-          securityContext: {{- toYaml .Values.optimize.containerSecurityContext | nindent 12 }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.optimize.containerSecurityContext "context" $) | nindent 12 }}
           {{- end }}
           env:
             - name: CAMUNDA_LICENSE_KEY
@@ -320,7 +320,7 @@ spec:
       dnsPolicy: {{ .Values.optimize.dnsPolicy | quote }}
       {{- end }}
       {{- if .Values.optimize.podSecurityContext }}
-      securityContext: {{- toYaml .Values.optimize.podSecurityContext | nindent 8 }}
+      securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.optimize.podSecurityContext "context" $) | nindent 8 }}
       {{- end }}
 {{- with .Values.optimize.nodeSelector }}
       nodeSelector:

diff --git a/charts/camunda-platform-alpha/templates/tasklist/deployment.yaml b/charts/camunda-platform-alpha/templates/tasklist/deployment.yaml
@@ -36,7 +36,7 @@ spec:
           image: {{ include "camundaPlatform.imageByParams" (dict "base" .Values.global "overlay" .Values.tasklist) }}
           imagePullPolicy: {{ .Values.global.image.pullPolicy }}
           {{- if .Values.tasklist.containerSecurityContext }}
-          securityContext: {{- toYaml .Values.tasklist.containerSecurityContext | nindent 12 }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.tasklist.containerSecurityContext "context" $) | nindent 12 }}
           {{- end }}
           env:
             - name: CAMUNDA_LICENSE_KEY
@@ -270,7 +270,7 @@ spec:
       dnsPolicy: {{ .Values.tasklist.dnsPolicy | quote }}
       {{- end }}
       {{- if .Values.tasklist.podSecurityContext }}
-      securityContext: {{- toYaml .Values.tasklist.podSecurityContext | nindent 8 }}
+      securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.tasklist.podSecurityContext "context" $) | nindent 8 }}
       {{- end }}
 {{- with .Values.tasklist.nodeSelector }}
       nodeSelector:

diff --git a/charts/camunda-platform-alpha/templates/web-modeler/deployment-restapi.yaml b/charts/camunda-platform-alpha/templates/web-modeler/deployment-restapi.yaml
@@ -31,7 +31,7 @@ spec:
           image: {{ include "webModeler.restapi.image" . | quote }}
           imagePullPolicy: {{ .Values.global.image.pullPolicy }}
           {{- if .Values.webModeler.restapi.containerSecurityContext }}
-          securityContext: {{- toYaml .Values.webModeler.restapi.containerSecurityContext | nindent 12 }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.webModeler.restapi.containerSecurityContext "context" $) | nindent 12 }}
           {{- end }}
           env:
             - name: CAMUNDA_LICENSE_KEY
@@ -157,7 +157,7 @@ spec:
       dnsPolicy: {{ .Values.webModeler.restapi.dnsPolicy | quote }}
       {{- end }}
       {{- if .Values.webModeler.restapi.podSecurityContext }}
-      securityContext: {{- toYaml .Values.webModeler.restapi.podSecurityContext | nindent 8 }}
+      securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.webModeler.restapi.podSecurityContext "context" $) | nindent 8 }}
       {{- end }}
       {{- with .Values.webModeler.restapi.nodeSelector }}
       nodeSelector:

diff --git a/charts/camunda-platform-alpha/templates/web-modeler/deployment-webapp.yaml b/charts/camunda-platform-alpha/templates/web-modeler/deployment-webapp.yaml
@@ -31,7 +31,7 @@ spec:
           image: {{ include "webModeler.webapp.image" . | quote }}
           imagePullPolicy: {{ .Values.global.image.pullPolicy }}
           {{- if .Values.webModeler.webapp.containerSecurityContext }}
-          securityContext: {{- toYaml .Values.webModeler.webapp.containerSecurityContext | nindent 12 }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.webModeler.webapp.containerSecurityContext "context" $) | nindent 12 }}
           {{- end }}
           env:
             - name: CAMUNDA_LICENSE_KEY
@@ -152,7 +152,7 @@ spec:
       dnsPolicy: {{ .Values.webModeler.webapp.dnsPolicy | quote }}
       {{- end }}
       {{- if .Values.webModeler.webapp.podSecurityContext }}
-      securityContext: {{- toYaml .Values.webModeler.webapp.podSecurityContext | nindent 8 }}
+      securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.webModeler.webapp.podSecurityContext "context" $) | nindent 8 }}
       {{- end }}
       {{- with .Values.webModeler.webapp.nodeSelector }}
       nodeSelector:

diff --git a/charts/camunda-platform-alpha/templates/web-modeler/deployment-websockets.yaml b/charts/camunda-platform-alpha/templates/web-modeler/deployment-websockets.yaml
@@ -31,8 +31,7 @@ spec:
           image: {{ include "webModeler.websockets.image" . | quote }}
           imagePullPolicy: {{ .Values.global.image.pullPolicy }}
           {{- if .Values.webModeler.websockets.containerSecurityContext }}
-          securityContext:
-          {{- toYaml .Values.webModeler.websockets.containerSecurityContext | nindent 12 }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.webModeler.websockets.containerSecurityContext "context" $) | nindent 12 }}
           {{- end }}
           env:
             - name: CAMUNDA_LICENSE_KEY
@@ -137,7 +136,7 @@ spec:
       dnsPolicy: {{ .Values.webModeler.websockets.dnsPolicy | quote }}
       {{- end }}
       {{- if .Values.webModeler.websockets.podSecurityContext }}
-      securityContext: {{- toYaml .Values.webModeler.websockets.podSecurityContext | nindent 8 }}
+      securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.webModeler.websockets.podSecurityContext "context" $) | nindent 8 }}
       {{- end }}
       {{- with .Values.webModeler.websockets.nodeSelector }}
       nodeSelector:

diff --git a/charts/camunda-platform-alpha/templates/zeebe-gateway/deployment.yaml b/charts/camunda-platform-alpha/templates/zeebe-gateway/deployment.yaml
@@ -114,7 +114,7 @@ spec:
             {{ .Values.zeebeGateway.extraVolumeMounts | toYaml | nindent 12 }}
             {{- end }}
           {{- if .Values.zeebeGateway.containerSecurityContext }}
-          securityContext: {{- toYaml .Values.zeebeGateway.containerSecurityContext | nindent 12 }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.zeebeGateway.containerSecurityContext "context" $) | nindent 12 }}
           {{- end }}
           {{- if .Values.zeebeGateway.startupProbe.enabled }}
           startupProbe:
@@ -177,7 +177,7 @@ spec:
       dnsPolicy: {{ .Values.zeebeGateway.dnsPolicy | quote }}
       {{- end }}
       {{- if .Values.zeebeGateway.podSecurityContext }}
-      securityContext: {{- toYaml .Values.zeebeGateway.podSecurityContext | nindent 8 }}
+      securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.zeebeGateway.podSecurityContext "context" $) | nindent 8 }}
       {{- end }}
 {{- with .Values.zeebeGateway.nodeSelector }}
       nodeSelector:

diff --git a/charts/camunda-platform-alpha/templates/zeebe/1/2/3/4/5/6/7/8/z_compatibility_helpers.tpl b/charts/camunda-platform-alpha/templates/zeebe/1/2/3/4/5/6/7/8/z_compatibility_helpers.tpl
@@ -2,7 +2,7 @@
 TODO: Remove the whole file just before 8.6 release.
 NOTE: We need to load this file first thing before all other resources to support backward compatibility.
 
-      Helm prioritizes files that are deeply nested in subdirectories when it's determining the render order.
+      Helm prioritizes files that are deeply nested in subdirectories when it is determining the render order.
       see the sort function in Helm:
       https://github.com/helm/helm/blob/d58d7b376265338e059ff11c71267b5a6cf504c3/pkg/engine/engine.go#L347-L356
       
@@ -66,7 +66,28 @@ Zeebe Gateway.
     {{- $_ := set .Values.zeebeGateway.ingress "grpc" (deepCopy $zgIngress | mergeOverwrite .Values.zeebeGateway.ingress.grpc) -}}
 {{- end -}}
 
+{{/*
+OpenShift.
+The `elasticsearch.sysctlImage` container adjusts the virtual memory and file descriptors of the machine needed for Elasticsearch.
+By default, the `sysctlImage` container will fail on OpenShift because it requires privileged mode.
+Also, recent OpenShift versions (> 4.10) have adjusted the virtual memory of the machine by default.
+*/}}
+{{- if eq .Values.global.compatibility.openshift.adaptSecurityContext "force" -}}
+    {{- $_ := set .Values.elasticsearch.sysctlImage "enabled" false -}}
+{{- end -}}
+
 
+{{/*
+OpenShift.
+The label `tuned.openshift.io/elasticsearch` is added to ensure compatibility with the previous Camunda Helm charts.
+Without this label, the Helm upgrade will fail for OpenShift because it is already set for the volumeClaimTemplate.
+*/}}
+
+{{- if eq .Values.global.compatibility.openshift.adaptSecurityContext "force" -}}
+    {{- if not (hasKey .Values.elasticsearch.commonLabels "tuned.openshift.io/elasticsearch") -}}
+        {{- $_ := set .Values.elasticsearch.commonLabels "tuned.openshift.io/elasticsearch" "" -}}
+    {{- end -}}
+{{- end -}}
 {{/*
 Elasticsearch.
 
@@ -91,4 +112,4 @@ Notes:
     {{- $esHost := ($esURL.host | splitList ":" | first) | default .Values.global.elasticsearch.host | default (print .Release.Name "-elasticsearch") -}}
     {{- $esPort := ($esURL.host | splitList ":" | last) | default .Values.global.elasticsearch.port | default "9200" -}}
     {{- $_ := set .Values.global.elasticsearch "url" (dict "protocol" $esProtocol "host" $esHost "port" $esPort) -}}
-{{- end -}}
+{{- end -}}
diff --git a/charts/camunda-platform-alpha/templates/zeebe/statefulset.yaml b/charts/camunda-platform-alpha/templates/zeebe/statefulset.yaml
@@ -48,7 +48,7 @@ spec:
           image: {{ include "camundaPlatform.imageByParams" (dict "base" .Values.global "overlay" .Values.zeebe) }}
           imagePullPolicy: {{ .Values.global.image.pullPolicy }}
           {{- if .Values.zeebe.containerSecurityContext }}
-          securityContext: {{- toYaml .Values.zeebe.containerSecurityContext | nindent 12 }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.zeebe.containerSecurityContext "context" $) | nindent 12 }}
           {{- end }}
           env:
             - name: CAMUNDA_LICENSE_KEY
@@ -254,7 +254,7 @@ spec:
       dnsPolicy: {{ .Values.zeebe.dnsPolicy | quote }}
       {{- end }}
       {{- if .Values.zeebe.podSecurityContext }}
-      securityContext: {{- toYaml .Values.zeebe.podSecurityContext | nindent 8 }}
+      securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.zeebe.podSecurityContext "context" $) | nindent 8 }}
       {{- end }}
 {{- with .Values.zeebe.nodeSelector }}
       nodeSelector:

diff --git a/charts/camunda-platform-alpha/test/unit/camunda/golden/keycloak-statefulset.golden.yaml b/charts/camunda-platform-alpha/test/unit/camunda/golden/keycloak-statefulset.golden.yaml
@@ -60,7 +60,7 @@ spec:
       enableServiceLinks: true
       initContainers:
         - name: prepare-write-dirs
-          image: docker.io/bitnami/keycloak:25.0.4
+          image: docker.io/camunda/keycloak:25.0.4
           imagePullPolicy: IfNotPresent
           command:
             - /bin/bash
@@ -100,30 +100,9 @@ spec:
           volumeMounts:
            - name: empty-dir
              mountPath: /emptydir
-        - command:
-          - sh
-          - -c
-          - cp -a /app/keycloak-theme/* /mnt
-          image: 'camunda/identity:latest'
-          imagePullPolicy: 'Always'
-          name: copy-camunda-theme
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-              - ALL
-            privileged: false
-            readOnlyRootFilesystem: true
-            runAsNonRoot: true
-            runAsUser: 1001
-            seccompProfile:
-              type: RuntimeDefault
-          volumeMounts:
-          - mountPath: /mnt
-            name: camunda-theme
       containers:
         - name: keycloak
-          image: docker.io/bitnami/keycloak:25.0.4
+          image: docker.io/camunda/keycloak:25.0.4
           imagePullPolicy: IfNotPresent
           securityContext:
             allowPrivilegeEscalation: false
@@ -213,15 +192,10 @@ spec:
             - name: empty-dir
               mountPath: /opt/bitnami/keycloak/data
               subPath: app-data-dir
-            - mountPath: /opt/bitnami/keycloak/themes/identity
-              name: camunda-theme
             - mountPath: /opt/bitnami/keycloak/data/tmp
               name: data-tmp
       volumes:
         - name: empty-dir
           emptyDir: {}
         - emptyDir: {}
-          name: data-tmp
-        - emptyDir:
-            sizeLimit: 10Mi
-          name: camunda-theme
+          name: data-tmp
diff --git a/charts/camunda-platform-alpha/test/unit/connectors/deployment_test.go b/charts/camunda-platform-alpha/test/unit/connectors/deployment_test.go
@@ -334,7 +334,6 @@ func (s *deploymentTemplateTest) TestContainerSetSecurityContext() {
 		SetValues: map[string]string{
 			"connectors.enabled":                                      "true",
 			"connectors.containerSecurityContext.privileged":          "true",
-			"connectors.containerSecurityContext.capabilities.add[0]": "NET_ADMIN",
 		},
 		KubectlOptions: k8s.NewKubectlOptions("", "", s.namespace),
 	}
@@ -347,7 +346,6 @@ func (s *deploymentTemplateTest) TestContainerSetSecurityContext() {
 	// then
 	securityContext := deployment.Spec.Template.Spec.Containers[0].SecurityContext
 	s.Require().True(*securityContext.Privileged)
-	s.Require().EqualValues("NET_ADMIN", securityContext.Capabilities.Add[0])
 }
 
 // https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector

diff --git a/charts/camunda-platform-alpha/test/unit/console/deployment_test.go b/charts/camunda-platform-alpha/test/unit/console/deployment_test.go
@@ -450,7 +450,6 @@ func (s *deploymentTemplateTest) TestContainerSetSecurityContext() {
 		SetValues: map[string]string{
 			"console.enabled": "true",
 			"console.containerSecurityContext.privileged":          "true",
-			"console.containerSecurityContext.capabilities.add[0]": "NET_ADMIN",
 		},
 		KubectlOptions: k8s.NewKubectlOptions("", "", s.namespace),
 	}
@@ -463,7 +462,6 @@ func (s *deploymentTemplateTest) TestContainerSetSecurityContext() {
 	// then
 	securityContext := deployment.Spec.Template.Spec.Containers[0].SecurityContext
 	s.Require().True(*securityContext.Privileged)
-	s.Require().EqualValues("NET_ADMIN", securityContext.Capabilities.Add[0])
 }
 
 // https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector