feat: adding adaptSecurityContext option in values.yaml for OpenShi…

…ft SCC (#2212)
camunda · Aug 23, 2024 · d9aae33 · d9aae33
1 parent cf50ee3
commit d9aae33
Show file tree

Hide file tree

Showing 26 changed files with 346 additions and 603 deletions.
diff --git a/charts/camunda-platform-alpha/README.md b/charts/camunda-platform-alpha/README.md
diff --git a/charts/camunda-platform-alpha/openshift/values.yaml b/charts/camunda-platform-alpha/openshift/values.yaml
@@ -1,247 +1,12 @@
 ##
 # This is a minimal sample values file to get you started with an Openshift cluster using the recommended default
 # policies. Using these values, you will be able to deploy the chart using the least permissive SCC, "restricted".
-#
-# Everywhere we assign "null" to a value is to ensure that default values of one of the charts, or of its dependencies,
-# will not cause issues with the "restricted" SCC (e.g. assign a fixed UID or GID). Additionally, we want to make sure
-# that all volume mounts are mounted with the minimum required permissions. You can omit these everywhere if you will
-# use a different SCC such as nonroot or anyuid.
 ##
 ---
 
-#
-# Identity.
-#
-
-# omit the values below if identity.enabled is false
-identity:
-  podSecurityContext:
-    fsGroup: null
-  containerSecurityContext:
-    runAsUser: null
-
-# omit the values below if identityKeycloak.enabled is false
-identityKeycloak:
-  global:
-    compatibility:
-      ## Compatibility adaptations for Openshift
-      openshift:
-        ## Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
-        adaptSecurityContext: force
-  initContainers:
-  - name: copy-camunda-theme
-    image: "{{ .Values.global.identity.image | default \"camunda/identity:latest\" }}"
-    imagePullPolicy: "{{ .Values.global.identity.imagePullPolicy | default \"Always\" }}"
-    command: ["sh", "-c", "cp -a /app/keycloak-theme/* /mnt"]
-    securityContext:
-      privileged: false
-      readOnlyRootFilesystem: true
-      allowPrivilegeEscalation: false
-      runAsNonRoot: true
-      capabilities:
-        drop: ["ALL"]
-      seccompProfile:
-        type: RuntimeDefault
-    volumeMounts:
-    - name: camunda-theme
-      mountPath: /mnt
-  podSecurityContext:
-    fsGroup: null
-  containerSecurityContext:
-    runAsUser: null
-  # omit the values below if identityKeycloak.postgresql.enabled is false
-  postgresql:
-    # omit the values below if identityKeycloak.postgresql.primary.enabled is false
-    primary:
-      podSecurityContext:
-        fsGroup: null
-      containerSecurityContext:
-        runAsUser: null
-    # omit the values below if identityKeycloak.postgresql.readReplicas.enabled is false
-    readReplicas:
-      podSecurityContext:
-        fsGroup: null
-      containerSecurityContext:
-        runAsUser: null
-    # omit the values below if identityKeycloak.postgresql.metrics.enabled is false
-    metrics:
-      podSecurityContext:
-        fsGroup: null
-      containerSecurityContext:
-        runAsUser: null
-
-# omit the values below if identityPostgresql.enabled is false
-identityPostgresql:
-  global:
-    compatibility:
-      ## Compatibility adaptations for Openshift
-      openshift:
-        ## Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
-        adaptSecurityContext: force
-  # omit the values below if identityPostgresql.primary.enabled is false
-  primary:
-    podSecurityContext:
-      fsGroup: null
-    containerSecurityContext:
-      runAsUser: null
-  # omit the values below if identityPostgresql.readReplicas.enabled is false
-  readReplicas:
-    podSecurityContext:
-      fsGroup: null
-    containerSecurityContext:
-      runAsUser: null
-  # omit the values below if identityPostgresql.metrics.enabled is false
-  metrics:
-    podSecurityContext:
-      fsGroup: null
-    containerSecurityContext:
-      runAsUser: null
-
-#
-# Connectors.
-#
-
-# omit the values below if identity.enabled is false
-connectors:
-  podSecurityContext:
-    fsGroup: null
-  containerSecurityContext:
-    runAsUser: null
-
-#
-# Operate.
-#
-
-# omit the values below if operate.enabled is false
-operate:
-  configMap:
-    defaultMode: 0444
-  podSecurityContext:
-    fsGroup: null
-  containerSecurityContext:
-    runAsUser: null
-
-#
-# Optimize.
-#
-
-# omit the values below if optimize.enabled is false
-optimize:
-  podSecurityContext:
-    fsGroup: null
-  containerSecurityContext:
-    runAsUser: null
-
-#
-# Tasklist.
-#
-
-# omit the values below if tasklist.enabled is false
-tasklist:
-  configMap:
-    defaultMode: 0444
-  podSecurityContext:
-    fsGroup: null
-  containerSecurityContext:
-    runAsUser: null
-
-#
-# WebModeler.
-#
-
-# omit the values below if webModeler.enabled is false
-webModeler:
-  restapi:
-    podSecurityContext:
-      fsGroup: null
-    containerSecurityContext:
-      runAsUser: null
-  webapp:
-    podSecurityContext:
-      fsGroup: null
-    containerSecurityContext:
-      runAsUser: null
-  websockets:
-    podSecurityContext:
-      fsGroup: null
-    containerSecurityContext:
-      runAsUser: null
-
-postgresql:
-  global:
-    compatibility:
-      ## Compatibility adaptations for Openshift
-      openshift:
-        ## Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
-        adaptSecurityContext: force
-  primary:
-    podSecurityContext:
-      fsGroup: null
-    containerSecurityContext:
-      runAsUser: null
-  readReplicas:
-    podSecurityContext:
-      fsGroup: null
-    containerSecurityContext:
-      runAsUser: null
-  metrics:
-    podSecurityContext:
-      fsGroup: null
-    containerSecurityContext:
-      runAsUser: null
-
-#
-# Zeebe.
-#
-
-# omit the values below if zeebe.enabled is false
-zeebe:
-  configMap:
-    defaultMode: 0555
-  podSecurityContext:
-    fsGroup: null
-  containerSecurityContext:
-    runAsUser: null
-
-# omit the values below if zeebe-gateway.enabled is false
-zeebeGateway:
-  configMap:
-    defaultMode: 0444
-  podSecurityContext:
-    fsGroup: null
-  containerSecurityContext:
-    runAsUser: null
-
-#
-# Console
-#
-# omit the values below if console.enabled is false
-console:
-  podSecurityContext:
-    fsGroup: null
-  containerSecurityContext:
-    runAsUser: null
-
-#
-# Elasticsearch.
-#
-
-# omit the values below if elasticsearch.enabled is false
-elasticsearch:
-  global:
-    compatibility:
-      ## Compatibility adaptations for Openshift
-      openshift:
-        ## Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
-        adaptSecurityContext: force
-  master:
-    podSecurityContext:
-      fsGroup: null
-    containerSecurityContext:
-      runAsUser: null
-  # If needed, OpenShift TuneD operator will be used to set sysctl vm.max_map_count.
-  # Apply the manifest "openshift-tuned.yaml" before install Camunda 8 chart.
-  sysctlImage:
-    enabled: false
-  commonLabels:
-    tuned.openshift.io/elasticsearch: ""
+global:
+  compatibility:
+    ## Compatibility adaptations for Openshift
+    openshift:
+      ## Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
+      adaptSecurityContext: force
diff --git a/charts/camunda-platform-alpha/templates/camunda/constraints.tpl b/charts/camunda-platform-alpha/templates/camunda/constraints.tpl
@@ -51,6 +51,14 @@ Fail with a message if global.identity.auth.identity.existingSecret is set and g
   {{- end }}
 {{- end }}
 
+{{/*
+Fail with a message if adaptSecurityContext has any value other than "force" or "disabled".
+*/}}
+{{- if not (has .Values.global.compatibility.openshift.adaptSecurityContext (list "force" "disabled")) }}
+  {{- $errorMessage := "[camunda][error] Invalid value for adaptSecurityContext. The value must be either 'force' or 'disabled'." -}}
+  {{ printf "\n%s" $errorMessage | trimSuffix "\n" | fail }}
+{{- end }}
+
 {{/*
 Fail with a message if Identity is disabled and identityKeycloak is enabled.
 */}}

diff --git a/charts/camunda-platform-alpha/templates/connectors/deployment.yaml b/charts/camunda-platform-alpha/templates/connectors/deployment.yaml
@@ -32,7 +32,7 @@ spec:
           image: {{ include "camundaPlatform.imageByParams" (dict "base" .Values.global "overlay" .Values.connectors) }}
           imagePullPolicy: {{ .Values.global.image.pullPolicy }}
           {{- if .Values.connectors.containerSecurityContext }}
-          securityContext: {{- toYaml .Values.connectors.containerSecurityContext | nindent 12 }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.connectors.containerSecurityContext "context" $) | nindent 12 }}
           {{- end }}
           ports:
             - containerPort: {{ .Values.connectors.service.serverPort }}
@@ -172,7 +172,7 @@ spec:
       dnsPolicy: {{ .Values.connectors.dnsPolicy | quote }}
       {{- end }}
       {{- if .Values.connectors.podSecurityContext }}
-      securityContext: {{- toYaml .Values.connectors.podSecurityContext | nindent 8 }}
+      securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.connectors.podSecurityContext "context" $) | nindent 8 }}
       {{- end }}
       {{- with .Values.connectors.nodeSelector }}
       nodeSelector:

diff --git a/charts/camunda-platform-alpha/templates/console/deployment.yaml b/charts/camunda-platform-alpha/templates/console/deployment.yaml
@@ -38,15 +38,13 @@ spec:
       {{- if .Values.console.dnsPolicy }}
       dnsPolicy: {{ .Values.console.dnsPolicy | quote }}
       {{- end }}
-      securityContext:
-        {{- toYaml .Values.console.podSecurityContext | nindent 8 }}
+      securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.console.podSecurityContext "context" $) | nindent 8 }}
       containers:
         - name: {{ .Chart.Name }}
           image: {{ include "camundaPlatform.imageByParams" (dict "base" .Values.global "overlay" .Values.console) }}
           imagePullPolicy: {{ .Values.global.image.pullPolicy }}
           {{- if .Values.console.containerSecurityContext }}
-          securityContext:
-            {{- toYaml .Values.console.containerSecurityContext | nindent 12 }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.console.containerSecurityContext "context" $) | nindent 12 }}
           {{- end }}
           env:
             - name: CAMUNDA_LICENSE_KEY

diff --git a/charts/camunda-platform-alpha/templates/identity/deployment.yaml b/charts/camunda-platform-alpha/templates/identity/deployment.yaml
@@ -33,7 +33,7 @@ spec:
           image: {{ include "camundaPlatform.imageByParams" (dict "base" .Values.global "overlay" .Values.identity) }}
           imagePullPolicy: {{ .Values.global.image.pullPolicy }}
           {{- if .Values.identity.containerSecurityContext }}
-          securityContext: {{- toYaml .Values.identity.containerSecurityContext | nindent 12 }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.identity.containerSecurityContext "context" $) | nindent 12 }}
           {{- end }}
           env:
             - name: CAMUNDA_LICENSE_KEY
@@ -323,7 +323,7 @@ spec:
       dnsPolicy: {{ .Values.identity.dnsPolicy | quote }}
       {{- end }}
       {{- if .Values.identity.podSecurityContext }}
-      securityContext: {{- toYaml .Values.identity.podSecurityContext | nindent 8 }}
+      securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.identity.podSecurityContext "context" $) | nindent 8 }}
       {{- end }}
       {{- with .Values.identity.nodeSelector }}
       nodeSelector:

diff --git a/charts/camunda-platform-alpha/templates/operate/deployment.yaml b/charts/camunda-platform-alpha/templates/operate/deployment.yaml
@@ -38,7 +38,7 @@ spec:
           image: {{ include "camundaPlatform.imageByParams" (dict "base" .Values.global "overlay" .Values.operate) }}
           command: ['/bin/sh', '/usr/local/operate/bin/migrate']
           {{- if .Values.operate.containerSecurityContext }}
-          securityContext: {{- toYaml .Values.operate.containerSecurityContext | nindent 12 }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.operate.containerSecurityContext "context" $) | nindent 12 }}
           {{- end }}
           env:
             {{- if and .Values.global.elasticsearch.external (include "elasticsearch.passwordIsDefined" .) }}
@@ -101,7 +101,7 @@ spec:
           image: {{ include "camundaPlatform.imageByParams" (dict "base" .Values.global "overlay" .Values.operate) }}
           imagePullPolicy: {{ .Values.global.image.pullPolicy }}
           {{- if .Values.operate.containerSecurityContext }}
-          securityContext: {{- toYaml .Values.operate.containerSecurityContext | nindent 12 }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.operate.containerSecurityContext "context" $) | nindent 12 }}
           {{- end }}
           env:
             - name: CAMUNDA_LICENSE_KEY
@@ -334,7 +334,7 @@ spec:
       dnsPolicy: {{ .Values.operate.dnsPolicy | quote }}
       {{- end }}
       {{- if .Values.operate.podSecurityContext }}
-      securityContext: {{- toYaml .Values.operate.podSecurityContext | nindent 8 }}
+      securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.operate.podSecurityContext "context" $) | nindent 8 }}
       {{- end }}
 {{- with .Values.operate.nodeSelector }}
       nodeSelector:

diff --git a/charts/camunda-platform-alpha/templates/optimize/deployment.yaml b/charts/camunda-platform-alpha/templates/optimize/deployment.yaml
@@ -38,7 +38,7 @@ spec:
           image: {{ include "camundaPlatform.imageByParams" (dict "base" .Values.global "overlay" .Values.optimize) }}
           command: ['./upgrade/upgrade.sh', '--skip-warning']
           {{- if .Values.optimize.containerSecurityContext }}
-          securityContext: {{- toYaml .Values.optimize.containerSecurityContext | nindent 12 }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.optimize.containerSecurityContext "context" $) | nindent 12 }}
           {{- end }}
           env:
             - name: CAMUNDA_LICENSE_KEY
@@ -121,7 +121,7 @@ spec:
           image: {{ include "camundaPlatform.imageByParams" (dict "base" .Values.global "overlay" .Values.optimize) }}
           imagePullPolicy: {{ .Values.global.image.pullPolicy }}
           {{- if .Values.optimize.containerSecurityContext }}
-          securityContext: {{- toYaml .Values.optimize.containerSecurityContext | nindent 12 }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.optimize.containerSecurityContext "context" $) | nindent 12 }}
           {{- end }}
           env:
             - name: CAMUNDA_LICENSE_KEY
@@ -320,7 +320,7 @@ spec:
       dnsPolicy: {{ .Values.optimize.dnsPolicy | quote }}
       {{- end }}
       {{- if .Values.optimize.podSecurityContext }}
-      securityContext: {{- toYaml .Values.optimize.podSecurityContext | nindent 8 }}
+      securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.optimize.podSecurityContext "context" $) | nindent 8 }}
       {{- end }}
 {{- with .Values.optimize.nodeSelector }}
       nodeSelector:

diff --git a/charts/camunda-platform-alpha/templates/tasklist/deployment.yaml b/charts/camunda-platform-alpha/templates/tasklist/deployment.yaml
@@ -36,7 +36,7 @@ spec:
           image: {{ include "camundaPlatform.imageByParams" (dict "base" .Values.global "overlay" .Values.tasklist) }}
           imagePullPolicy: {{ .Values.global.image.pullPolicy }}
           {{- if .Values.tasklist.containerSecurityContext }}
-          securityContext: {{- toYaml .Values.tasklist.containerSecurityContext | nindent 12 }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.tasklist.containerSecurityContext "context" $) | nindent 12 }}
           {{- end }}
           env:
             - name: CAMUNDA_LICENSE_KEY
@@ -270,7 +270,7 @@ spec:
       dnsPolicy: {{ .Values.tasklist.dnsPolicy | quote }}
       {{- end }}
       {{- if .Values.tasklist.podSecurityContext }}
-      securityContext: {{- toYaml .Values.tasklist.podSecurityContext | nindent 8 }}
+      securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.tasklist.podSecurityContext "context" $) | nindent 8 }}
       {{- end }}
 {{- with .Values.tasklist.nodeSelector }}
       nodeSelector: