From d9aae33801d9e58459199f116b984ea5101c4c50 Mon Sep 17 00:00:00 2001
From: Hamza Masood <47217263+hamza-m-masood@users.noreply.github.com>
Date: Fri, 23 Aug 2024 18:00:18 +0100
Subject: [PATCH] feat: adding `adaptSecurityContext` option in values.yaml for OpenShift SCC (#2212)
---
 charts/camunda-platform-alpha/README.md | 467 +++++++++---------
 .../openshift/values.yaml | 247 +--------
 .../templates/camunda/constraints.tpl | 8 +
 .../templates/connectors/deployment.yaml | 4 +-
 .../templates/console/deployment.yaml | 6 +-
 .../templates/identity/deployment.yaml | 4 +-
 .../templates/operate/deployment.yaml | 6 +-
 .../templates/optimize/deployment.yaml | 6 +-
 .../templates/tasklist/deployment.yaml | 4 +-
 .../web-modeler/deployment-restapi.yaml | 4 +-
 .../web-modeler/deployment-webapp.yaml | 4 +-
 .../web-modeler/deployment-websockets.yaml | 5 +-
 .../templates/zeebe-gateway/deployment.yaml | 4 +-
 .../2/3/4/5/6/7/8/z_compatibility_helpers.tpl | 23 +-
 .../templates/zeebe/statefulset.yaml | 4 +-
 .../golden/keycloak-statefulset.golden.yaml | 32 +-
 .../test/unit/connectors/deployment_test.go | 2 -
 .../test/unit/console/deployment_test.go | 2 -
 .../test/unit/identity/deployment_test.go | 2 -
 .../test/unit/operate/deployment_test.go | 2 -
 .../test/unit/optimize/deployment_test.go | 2 -
 .../test/unit/tasklist/deployment_test.go | 2 -
 .../test/unit/web-modeler/deployment_test.go | 2 -
 .../unit/zeebe-gateway/deployment_test.go | 2 -
 .../test/unit/zeebe/statefulset_test.go | 2 -
 charts/camunda-platform-alpha/values.yaml | 103 ++--
 26 files changed, 346 insertions(+), 603 deletions(-)
diff --git a/charts/camunda-platform-alpha/README.md b/charts/camunda-platform-alpha/README.md
index 3d4f3b5d2b..49cf20a8b4 100644
--- a/charts/camunda-platform-alpha/README.md
+++ b/charts/camunda-platform-alpha/README.md
@@ -398,120 +398,122 @@ Please see the corresponding [release guide](../../docs/release.md) to find out ### Global parameters -| Name | Description | Value | -| --------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------- | -| `global` | | | -| `global.license` | | | -| `global.license.key` | if set, it will be exposed as "CAMUNDA_LICENSE_KEY" in the apps. | `nil` | -| `global.license.existingSecret` | you can provide an existing secret name for Camunda license secret. | `nil` | -| `global.license.existingSecretKey` | you can provide the key within the existing secret object for Camunda license key. | `nil` | -| `global.multitenancy` | | | -| `global.multitenancy.enabled` | if true, then enable multitenancy in all applicable components. | `false` | -| `global.createReleaseInfo` | Create config that will be used in Camunda Console. | `true` | -| `global.annotations` | Annotations can be used to define common annotations, which should be applied to all deployments | `{}` | -| `global.labels.app` | Name of the application | `camunda-platform` | -| `global.image.registry` | Can be used to set container image registry. | `""` | -| `global.image.tag` | defines the tag / version which should be used in the most of the apps. | `nil` | -| `global.image.pullPolicy` | defines the image pull policy which should be used https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy | `IfNotPresent` | -| `global.image.pullSecrets` | can be used to configure image pull secrets https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod | `[]` | -| `global.ingress` | | | -| `global.ingress.enabled` | if true, an ingress resource is deployed. Only useful if an ingress controller is available, like Ingress-NGINX. 
| `false` | -| `global.ingress.className` | Ingress.className defines the class or configuration of ingress which should be used by the controller | `nginx` | -| `global.ingress.annotations` | defines the ingress related annotations, consumed mostly by the ingress controller | `{}` | -| `global.ingress.host` | If not specified the rules applies to all inbound http traffic, if specified the rule applies to that host. | `""` | -| `global.ingress.pathType` | can be used to define the Ingress path type. https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types | `Prefix` | -| `global.ingress.tls` | configuration for tls on the ingress resource https://kubernetes.io/docs/concepts/services-networking/ingress/#tls | | -| `global.ingress.tls.enabled` | if true, then tls is configured on the ingress resource. If enabled the Ingress.host need to be defined. | `false` | -| `global.ingress.tls.secretName` | defines the secret name which contains the TLS private key and certificate | `camunda-platform` | -| `global.elasticsearch` | | | -| `global.elasticsearch.enabled` | if true, enables elasticsearch for all components | `true` | -| `global.elasticsearch.external` | if true, tries to connect to an external elasticsearch | `false` | -| `global.elasticsearch.tls` | | | -| `global.elasticsearch.tls.enabled` | enable tls for external elasticsearch | `false` | -| `global.elasticsearch.tls.existingSecret` | provide an already existing tls secret for connecting to external elasticsearch | `nil` | -| `global.elasticsearch.auth` | | | -| `global.elasticsearch.auth.username` | the username for external elasticsearch | `nil` | -| `global.elasticsearch.auth.password` | the password for external elasticsearch | `nil` | -| `global.elasticsearch.auth.existingSecret` | you can provide an existing secret for the external elasticsearch password | `nil` | -| `global.elasticsearch.auth.existingSecretKey` | you can provide an existing secret key for the external elasticsearch 
password | `nil` | -| `global.elasticsearch.disableExporter` | DEPRECATED: this value is not needed anymore. Use global.elasticsearch.enabled | `false` | -| `global.elasticsearch.url` | Configuration to configure elasticsearch url | | -| `global.elasticsearch.url.protocol` | defines the elasticsearch access protocol. | `http` | -| `global.elasticsearch.url.host` | Elasticsearch.host defines the elasticsearch host, ideally the service name inside the namespace | `{{ .Release.Name }}-elasticsearch` | -| `global.elasticsearch.url.port` | Elasticsearch.port defines the elasticsearch port, under which elasticsearch can be accessed | `9200` | -| `global.elasticsearch.clusterName` | Elasticsearch.clusterName defines the cluster name which is used by Elasticsearch | `elasticsearch` | -| `global.elasticsearch.prefix` | Elasticsearch.prefix defines the prefix which is used by the Zeebe Elasticsearch Exporter to create Elasticsearch indexes | `zeebe-record` | -| `global.opensearch` | | | -| `global.opensearch.enabled` | enabled external opensearch | `false` | -| `global.opensearch.aws.enabled` | Enabling AWS IRSA | `false` | -| `global.opensearch.tls` | | | -| `global.opensearch.tls.enabled` | enable tls for external opensearch | `false` | -| `global.opensearch.tls.existingSecret` | provide an already existing tls secret for connecting to external opensearch | `nil` | -| `global.opensearch.auth` | | | -| `global.opensearch.auth.username` | the username for external opensearch | `nil` | -| `global.opensearch.auth.password` | the password for external opensearch | `nil` | -| `global.opensearch.auth.existingSecret` | you can provide an existing secret for the external opensearch password | `nil` | -| `global.opensearch.auth.existingSecretKey` | you can provide an existing secret key for the external opensearch password | `nil` | -| `global.opensearch.url` | Configuration to configure opensearch url | | -| `global.opensearch.url.protocol` | defines the external opensearch access 
protocol | `https` | -| `global.opensearch.url.host` | defines the external opensearch host, ideally the service name inside the namespace | `nil` | -| `global.opensearch.url.port` | defines the external opensearch port, under which opensearch can be accessed | `443` | -| `global.zeebeClusterName` | ZeebeClusterName defines the cluster name for the Zeebe cluster. All Zeebe pods get this prefix in their name and the brokers uses that as cluster name. | `{{ .Release.Name }}-zeebe` | -| `global.identity.service.url` | | `nil` | -| `global.identity.keycloak.internal` | It's useful for using existing Keycloak in another namespace with and access it with the combined Ingress. | `false` | -| `global.identity.keycloak.url` | can be used incorporate with "identityKeycloak.enabled: false" to use your own Keycloak instead of the one comes with Camunda Helm chart. | `{}` | -| `global.identity.keycloak.contextPath` | In Keycloak v16.x.x it's hard-coded as '/auth', but in v19.x.x it's '/'. | `/auth` | -| `global.identity.keycloak.realm` | defines Keycloak realm path used for Camunda. | `/realms/camunda-platform` | -| `global.identity.keycloak.auth` | same as "identityKeycloak.auth" but it's used for existing Keycloak. | `{}` | -| `global.identity.auth` | configuration, to configure identity authentication setup | | -| `global.identity.auth.enabled` | if true, enables the identity authentication otherwise basic-auth will be used on all services. | `true` | -| `global.identity.auth.issuer` | defines the issuer name, which is used by the services to validate the JWT tokens. | `""` | -| `global.identity.auth.issuerBackendUrl` | defines the issuer backend URL, which is used by the services to validate the JWT tokens in a container to container context. | `""` | -| `global.identity.auth.tokenUrl` | defines the token URL, which is used by the services to request JWT tokens. 
| `""` | -| `global.identity.auth.jwksUrl` | defines the JWKS URL, which is used by the services to validate the JWT tokens. | `""` | -| `global.identity.auth.type` | defines the type of authentication which should be used. Defaults to Keycloak | `KEYCLOAK` | -| `global.identity.auth.publicIssuerUrl` | Can be overwritten if ingress is in use and an external IP is available. | `http://localhost:18080/auth/realms/camunda-platform` | -| `global.identity.auth.connectors` | configuration to configure Connectors authentication specifics on global level, which can be accessed by other sub-charts | | -| `global.identity.auth.connectors.clientId` | defines the client id, which is used by Connectors in authentication flows. | `connectors` | -| `global.identity.auth.connectors.existingSecret` | can be used to use an own existing secret. If not set a random secret is generated. | `nil` | -| `global.identity.auth.identity` | configuration to configure Identity authentication specifics on global level, which can be accessed by other sub-charts | | -| `global.identity.auth.identity.clientId` | defines the client id, which is used by Identity in authentication flows. | `identity` | -| `global.identity.auth.identity.audience` | defines the audience, which is used by Identity. | `camunda-identity-resource-server` | -| `global.identity.auth.identity.existingSecret` | can be used to reference an existing secret. This should ONLY be used for an external OIDC provider. If not set, a random secret is generated. | `nil` | -| `global.identity.auth.identity.redirectUrl` | defines the redirect URL, which is used by the auth platform to access Identity. | `http://localhost:8085` | -| `global.identity.auth.identity.initialClaimName` | defines the initial claim name, which is used by Identity to configure initial mapping rules, | `oid` | -| `global.identity.auth.identity.initialClaimValue` | defines the initial claim value, which is used by Identity to configure initial mapping rules. 
| `nil` | -| `global.identity.auth.operate` | configuration to configure Operate authentication specifics on global level, which can be accessed by other sub-charts | | -| `global.identity.auth.operate.clientId` | defines the client id, which is used by Operate in authentication flows. | `operate` | -| `global.identity.auth.operate.audience` | defines the audience, which is used by Operate. | `operate-api` | -| `global.identity.auth.operate.existingSecret` | can be used to reference an existing secret. If not set, a random secret is generated. | `nil` | -| `global.identity.auth.operate.redirectUrl` | defines the redirect URL, which is used by Keycloak to access Operate. | `http://localhost:8081` | -| `global.identity.auth.tasklist` | configuration to configure Tasklist authentication specifics on global level, which can be accessed by other sub-charts | | -| `global.identity.auth.tasklist.clientId` | defines the client id, which is used by Tasklist in authentication flows. | `tasklist` | -| `global.identity.auth.tasklist.audience` | defines the audience, which is used by Tasklist. | `tasklist-api` | -| `global.identity.auth.tasklist.existingSecret` | can be used to use an own existing secret. If not set a random secret is generated. | `nil` | -| `global.identity.auth.tasklist.redirectUrl` | defines the root (or redirect) URL, which is used by Keycloak to access Tasklist. | `http://localhost:8082` | -| `global.identity.auth.optimize` | configuration to configure Optimize authentication specifics on global level, which can be accessed by other sub-charts | | -| `global.identity.auth.optimize.clientId` | defines the client id, which is used by Optimize in authentication flows. | `optimize` | -| `global.identity.auth.optimize.audience` | defines the audience, which is used by Optimize. | `optimize-api` | -| `global.identity.auth.optimize.existingSecret` | can be used to use an own existing secret. If not set a random secret is generated. 
| `nil` | -| `global.identity.auth.optimize.redirectUrl` | defines the root (or redirect) URL, which is used by Keycloak to access Optimize. | `http://localhost:8083` | -| `global.identity.auth.webModeler` | configuration to configure WebModeler authentication specifics on global level, which can be accessed by other sub-charts | | -| `global.identity.auth.webModeler.clientId` | defines the client id, which is used by WebModeler in authentication flows. | `web-modeler` | -| `global.identity.auth.webModeler.clientApiAudience` | defines the audience which is used by WebModeler's client API. | `web-modeler-api` | -| `global.identity.auth.webModeler.publicApiAudience` | defines the audience which is used by WebModeler's public API. | `web-modeler-public-api` | -| `global.identity.auth.webModeler.redirectUrl` | defines the root URL which is used by Keycloak to access WebModeler. | `http://localhost:8084` | -| `global.identity.auth.console` | configuration to configure Console authentication specifics on global level, which can be accessed by other sub-charts | | -| `global.identity.auth.console.clientId` | defines the client id, which is used by Console in authentication flows. | `console` | -| `global.identity.auth.console.audience` | defines the audience which is used by Console's client API. | `console-api` | -| `global.identity.auth.console.wellKnown` | defines the uri for the well known config which is used by Console (optional). | `https://well-known-uri` | -| `global.identity.auth.console.existingSecret` | can be used to use an own existing secret. If not set a random secret is generated. | `nil` | -| `global.identity.auth.console.redirectUrl` | defines the root URL which is used by Keycloak to access WebModeler. 
| `http://localhost:8080` | -| `global.identity.auth.zeebe` | configuration to configure Zeebe authentication specifics on global level, which can be accessed by other sub-charts | | -| `global.identity.auth.zeebe.clientId` | defines the client id, which is used by Zeebe in authentication flows. | `zeebe` | -| `global.identity.auth.zeebe.existingSecret` | can be used to use an own existing secret. If not set a random secret is generated. | `nil` | -| `global.identity.auth.zeebe.audience` | defines the audience, which is used by Zeebe. | `zeebe-api` | -| `global.identity.auth.zeebe.tokenScope` | defines the token scope, which is used by Zeebe. | `nil` | +| Name | Description | Value | +| ----------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------- | +| `global` | | | +| `global.license` | | | +| `global.license.key` | if set, it will be exposed as "CAMUNDA_LICENSE_KEY" in the apps. | `nil` | +| `global.license.existingSecret` | you can provide an existing secret name for Camunda license secret. | `nil` | +| `global.license.existingSecretKey` | you can provide the key within the existing secret object for Camunda license key. | `nil` | +| `global.compatibility.openshift.adaptSecurityContext` | | `disabled` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. 
Possible values: force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` | +| `global.multitenancy` | | | +| `global.multitenancy.enabled` | if true, then enable multitenancy in all applicable components. | `false` | +| `global.createReleaseInfo` | Create config that will be used in Camunda Console. | `true` | +| `global.annotations` | Annotations can be used to define common annotations, which should be applied to all deployments | `{}` | +| `global.labels.app` | Name of the application | `camunda-platform` | +| `global.image.registry` | Can be used to set container image registry. | `""` | +| `global.image.tag` | defines the tag / version which should be used in the most of the apps. | `nil` | +| `global.image.pullPolicy` | defines the image pull policy which should be used https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy | `IfNotPresent` | +| `global.image.pullSecrets` | can be used to configure image pull secrets https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod | `[]` | +| `global.ingress` | | | +| `global.ingress.enabled` | if true, an ingress resource is deployed. Only useful if an ingress controller is available, like Ingress-NGINX. | `false` | +| `global.ingress.className` | Ingress.className defines the class or configuration of ingress which should be used by the controller | `nginx` | +| `global.ingress.annotations` | defines the ingress related annotations, consumed mostly by the ingress controller | `{}` | +| `global.ingress.host` | If not specified the rules applies to all inbound http traffic, if specified the rule applies to that host. | `""` | +| `global.ingress.pathType` | can be used to define the Ingress path type. 
https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types | `Prefix` | +| `global.ingress.tls` | configuration for tls on the ingress resource https://kubernetes.io/docs/concepts/services-networking/ingress/#tls | | +| `global.ingress.tls.enabled` | if true, then tls is configured on the ingress resource. If enabled the Ingress.host need to be defined. | `false` | +| `global.ingress.tls.secretName` | defines the secret name which contains the TLS private key and certificate | `camunda-platform` | +| `global.elasticsearch` | | | +| `global.elasticsearch.enabled` | if true, enables elasticsearch for all components | `true` | +| `global.elasticsearch.external` | if true, tries to connect to an external elasticsearch | `false` | +| `global.elasticsearch.tls` | | | +| `global.elasticsearch.tls.enabled` | enable tls for external elasticsearch | `false` | +| `global.elasticsearch.tls.existingSecret` | provide an already existing tls secret for connecting to external elasticsearch | `nil` | +| `global.elasticsearch.auth` | | | +| `global.elasticsearch.auth.username` | the username for external elasticsearch | `nil` | +| `global.elasticsearch.auth.password` | the password for external elasticsearch | `nil` | +| `global.elasticsearch.auth.existingSecret` | you can provide an existing secret for the external elasticsearch password | `nil` | +| `global.elasticsearch.auth.existingSecretKey` | you can provide an existing secret key for the external elasticsearch password | `nil` | +| `global.elasticsearch.disableExporter` | DEPRECATED: this value is not needed anymore. Use global.elasticsearch.enabled | `false` | +| `global.elasticsearch.url` | Configuration to configure elasticsearch url | | +| `global.elasticsearch.url.protocol` | defines the elasticsearch access protocol. 
| `http` | +| `global.elasticsearch.url.host` | Elasticsearch.host defines the elasticsearch host, ideally the service name inside the namespace | `{{ .Release.Name }}-elasticsearch` | +| `global.elasticsearch.url.port` | Elasticsearch.port defines the elasticsearch port, under which elasticsearch can be accessed | `9200` | +| `global.elasticsearch.clusterName` | Elasticsearch.clusterName defines the cluster name which is used by Elasticsearch | `elasticsearch` | +| `global.elasticsearch.prefix` | Elasticsearch.prefix defines the prefix which is used by the Zeebe Elasticsearch Exporter to create Elasticsearch indexes | `zeebe-record` | +| `global.opensearch` | | | +| `global.opensearch.enabled` | enabled external opensearch | `false` | +| `global.opensearch.aws.enabled` | Enabling AWS IRSA | `false` | +| `global.opensearch.tls` | | | +| `global.opensearch.tls.enabled` | enable tls for external opensearch | `false` | +| `global.opensearch.tls.existingSecret` | provide an already existing tls secret for connecting to external opensearch | `nil` | +| `global.opensearch.auth` | | | +| `global.opensearch.auth.username` | the username for external opensearch | `nil` | +| `global.opensearch.auth.password` | the password for external opensearch | `nil` | +| `global.opensearch.auth.existingSecret` | you can provide an existing secret for the external opensearch password | `nil` | +| `global.opensearch.auth.existingSecretKey` | you can provide an existing secret key for the external opensearch password | `nil` | +| `global.opensearch.url` | Configuration to configure opensearch url | | +| `global.opensearch.url.protocol` | defines the external opensearch access protocol | `https` | +| `global.opensearch.url.host` | defines the external opensearch host, ideally the service name inside the namespace | `nil` | +| `global.opensearch.url.port` | defines the external opensearch port, under which opensearch can be accessed | `443` | +| `global.zeebeClusterName` | ZeebeClusterName 
defines the cluster name for the Zeebe cluster. All Zeebe pods get this prefix in their name and the brokers uses that as cluster name. | `{{ .Release.Name }}-zeebe` | +| `global.identity.service.url` | | `nil` | +| `global.identity.keycloak.internal` | It's useful for using existing Keycloak in another namespace with and access it with the combined Ingress. | `false` | +| `global.identity.keycloak.url` | can be used incorporate with "identityKeycloak.enabled: false" to use your own Keycloak instead of the one comes with Camunda Helm chart. | `{}` | +| `global.identity.keycloak.contextPath` | In Keycloak v16.x.x it's hard-coded as '/auth', but in v19.x.x it's '/'. | `/auth` | +| `global.identity.keycloak.realm` | defines Keycloak realm path used for Camunda. | `/realms/camunda-platform` | +| `global.identity.keycloak.auth` | same as "identityKeycloak.auth" but it's used for existing Keycloak. | `{}` | +| `global.identity.auth` | configuration, to configure identity authentication setup | | +| `global.identity.auth.enabled` | if true, enables the identity authentication otherwise basic-auth will be used on all services. | `true` | +| `global.identity.auth.issuer` | defines the issuer name, which is used by the services to validate the JWT tokens. | `""` | +| `global.identity.auth.issuerBackendUrl` | defines the issuer backend URL, which is used by the services to validate the JWT tokens in a container to container context. | `""` | +| `global.identity.auth.tokenUrl` | defines the token URL, which is used by the services to request JWT tokens. | `""` | +| `global.identity.auth.jwksUrl` | defines the JWKS URL, which is used by the services to validate the JWT tokens. | `""` | +| `global.identity.auth.type` | defines the type of authentication which should be used. Defaults to Keycloak | `KEYCLOAK` | +| `global.identity.auth.publicIssuerUrl` | Can be overwritten if ingress is in use and an external IP is available. 
| `http://localhost:18080/auth/realms/camunda-platform` | +| `global.identity.auth.connectors` | configuration to configure Connectors authentication specifics on global level, which can be accessed by other sub-charts | | +| `global.identity.auth.connectors.clientId` | defines the client id, which is used by Connectors in authentication flows. | `connectors` | +| `global.identity.auth.connectors.existingSecret` | can be used to use an own existing secret. If not set a random secret is generated. | `nil` | +| `global.identity.auth.identity` | configuration to configure Identity authentication specifics on global level, which can be accessed by other sub-charts | | +| `global.identity.auth.identity.clientId` | defines the client id, which is used by Identity in authentication flows. | `identity` | +| `global.identity.auth.identity.audience` | defines the audience, which is used by Identity. | `camunda-identity-resource-server` | +| `global.identity.auth.identity.existingSecret` | can be used to reference an existing secret. This should ONLY be used for an external OIDC provider. If not set, a random secret is generated. | `nil` | +| `global.identity.auth.identity.redirectUrl` | defines the redirect URL, which is used by the auth platform to access Identity. | `http://localhost:8085` | +| `global.identity.auth.identity.initialClaimName` | defines the initial claim name, which is used by Identity to configure initial mapping rules, | `oid` | +| `global.identity.auth.identity.initialClaimValue` | defines the initial claim value, which is used by Identity to configure initial mapping rules. | `nil` | +| `global.identity.auth.operate` | configuration to configure Operate authentication specifics on global level, which can be accessed by other sub-charts | | +| `global.identity.auth.operate.clientId` | defines the client id, which is used by Operate in authentication flows. 
| `operate` | +| `global.identity.auth.operate.audience` | defines the audience, which is used by Operate. | `operate-api` | +| `global.identity.auth.operate.existingSecret` | can be used to reference an existing secret. If not set, a random secret is generated. | `nil` | +| `global.identity.auth.operate.redirectUrl` | defines the redirect URL, which is used by Keycloak to access Operate. | `http://localhost:8081` | +| `global.identity.auth.tasklist` | configuration to configure Tasklist authentication specifics on global level, which can be accessed by other sub-charts | | +| `global.identity.auth.tasklist.clientId` | defines the client id, which is used by Tasklist in authentication flows. | `tasklist` | +| `global.identity.auth.tasklist.audience` | defines the audience, which is used by Tasklist. | `tasklist-api` | +| `global.identity.auth.tasklist.existingSecret` | can be used to use an own existing secret. If not set a random secret is generated. | `nil` | +| `global.identity.auth.tasklist.redirectUrl` | defines the root (or redirect) URL, which is used by Keycloak to access Tasklist. | `http://localhost:8082` | +| `global.identity.auth.optimize` | configuration to configure Optimize authentication specifics on global level, which can be accessed by other sub-charts | | +| `global.identity.auth.optimize.clientId` | defines the client id, which is used by Optimize in authentication flows. | `optimize` | +| `global.identity.auth.optimize.audience` | defines the audience, which is used by Optimize. | `optimize-api` | +| `global.identity.auth.optimize.existingSecret` | can be used to use an own existing secret. If not set a random secret is generated. | `nil` | +| `global.identity.auth.optimize.redirectUrl` | defines the root (or redirect) URL, which is used by Keycloak to access Optimize. 
| `http://localhost:8083` | +| `global.identity.auth.webModeler` | configuration to configure WebModeler authentication specifics on global level, which can be accessed by other sub-charts | | +| `global.identity.auth.webModeler.clientId` | defines the client id, which is used by WebModeler in authentication flows. | `web-modeler` | +| `global.identity.auth.webModeler.clientApiAudience` | defines the audience which is used by WebModeler's client API. | `web-modeler-api` | +| `global.identity.auth.webModeler.publicApiAudience` | defines the audience which is used by WebModeler's public API. | `web-modeler-public-api` | +| `global.identity.auth.webModeler.redirectUrl` | defines the root URL which is used by Keycloak to access WebModeler. | `http://localhost:8084` | +| `global.identity.auth.console` | configuration to configure Console authentication specifics on global level, which can be accessed by other sub-charts | | +| `global.identity.auth.console.clientId` | defines the client id, which is used by Console in authentication flows. | `console` | +| `global.identity.auth.console.audience` | defines the audience which is used by Console's client API. | `console-api` | +| `global.identity.auth.console.wellKnown` | defines the uri for the well known config which is used by Console (optional). | `https://well-known-uri` | +| `global.identity.auth.console.existingSecret` | can be used to use an own existing secret. If not set a random secret is generated. | `nil` | +| `global.identity.auth.console.redirectUrl` | defines the root URL which is used by Keycloak to access WebModeler. | `http://localhost:8080` | +| `global.identity.auth.zeebe` | configuration to configure Zeebe authentication specifics on global level, which can be accessed by other sub-charts | | +| `global.identity.auth.zeebe.clientId` | defines the client id, which is used by Zeebe in authentication flows. 
| `zeebe` | +| `global.identity.auth.zeebe.existingSecret` | can be used to use an own existing secret. If not set a random secret is generated. | `nil` | +| `global.identity.auth.zeebe.audience` | defines the audience, which is used by Zeebe. | `zeebe-api` | +| `global.identity.auth.zeebe.tokenScope` | defines the token scope, which is used by Zeebe. | `nil` | ### Console Parameters 
@@ -1276,84 +1278,71 @@ Please see the corresponding [release guide](../../docs/release.md) to find out ### Identity - PostgreSQL Parameters -| Name | Description | Value | -| ---------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- | -| `identityPostgresql` | configuration for the PostgreSQL dependency chart used by Identity. For more details, check [Bitnami package for PostgreSQL](https://artifacthub.io/packages/helm/bitnami/postgresql#parameters) documentation. | | -| `identityPostgresql.enabled` | Enable Identity PostgreSQL Helm chart. Required for Multi-Tenancy. | `false` | -| `identityPostgresql.image.repository` | PostgreSQL repo | `bitnami/postgresql` | -| `identityPostgresql.image.tag` | PostgreSQL image tag | `15.7.0` | -| `identityPostgresql.nameOverride` | the name used for Identity PostgreSQL. 
| `identity-postgresql` | -| `identityPostgresql.auth.username` | Non-root username | `identity` | -| `identityPostgresql.auth.database` | The database name | `identity` | -| `identityPostgresql.auth.password` | Password for the non-root username | `nil` | -| `identityPostgresql.auth.existingSecret` | Name of an existing secret resource containing the database credentials | `nil` | +| Name | Description | Value | +| ------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------- | +| `identityPostgresql` | configuration for the PostgreSQL dependency chart used by Identity. For more details, check [Bitnami package for PostgreSQL](https://artifacthub.io/packages/helm/bitnami/postgresql#parameters) documentation. | | +| `identityPostgresql.enabled` | Enable Identity PostgreSQL Helm chart. Required for Multi-Tenancy. | `false` | +| `identityPostgresql.global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: force (perform the adaptation always), disabled (do not perform adaptation) | `{{ .Values.global.compatibility.openshift.adaptSecurityContext | default "disabled" }}` | +| `identityPostgresql.image.repository` | PostgreSQL repo | `bitnami/postgresql` | +| `identityPostgresql.image.tag` | PostgreSQL image tag | `15.8.0` | +| `identityPostgresql.nameOverride` | the name used for Identity PostgreSQL. 
| `identity-postgresql` | +| `identityPostgresql.auth.username` | Non-root username | `identity` | +| `identityPostgresql.auth.database` | The database name | `identity` | +| `identityPostgresql.auth.password` | Password for the non-root username | `nil` | +| `identityPostgresql.auth.existingSecret` | Name of an existing secret resource containing the database credentials | `nil` | ### Identity - Keycloak Parameters -| Name | Description | Value | -| --------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------- | -| `identityKeycloak` | configuration, for the Keycloak dependency chart which is used by Identity. For more details, check [Bitnami package for Keycloak](https://artifacthub.io/packages/helm/bitnami/keycloak#parameters) documentation. | | -| `identityKeycloak.enabled` | Enable Identity Keycloak Helm chart. It is used incorporate with "global.identity.keycloak" to use your own Keycloak instead of the one comes with Camunda Helm chart | `true` | -| `identityKeycloak.nameOverride` | the name used for Keycloak. | `keycloak` | -| `identityKeycloak.image` | configuration. | | -| `identityKeycloak.image.repository` | image repo | `bitnami/keycloak` | -| `identityKeycloak.image.tag` | image tag | `23.0.7` | -| `identityKeycloak.postgresql` | configuration. 
| | -| `identityKeycloak.postgresql.image.repository` | image repo | `bitnami/postgresql` | -| `identityKeycloak.postgresql.image.tag` | image tag | `15.7.0` | -| `identityKeycloak.postgresql.primary.containerSecurityContext.enabled` | | `true` | -| `identityKeycloak.postgresql.primary.containerSecurityContext.privileged` | | `false` | -| `identityKeycloak.postgresql.primary.containerSecurityContext.readOnlyRootFilesystem` | | `true` | -| `identityKeycloak.postgresql.primary.containerSecurityContext.allowPrivilegeEscalation` | | `false` | -| `identityKeycloak.postgresql.primary.containerSecurityContext.runAsNonRoot` | | `true` | -| `identityKeycloak.postgresql.primary.containerSecurityContext.runAsUser` | | `1001` | -| `identityKeycloak.postgresql.primary.containerSecurityContext.capabilities.drop` | | `["ALL"]` | -| `identityKeycloak.postgresql.primary.containerSecurityContext.seccompProfile.type` | | `RuntimeDefault` | -| `identityKeycloak.postgresql.primary.podSecurityContext.enabled` | | `true` | -| `identityKeycloak.postgresql.primary.podSecurityContext.runAsNonRoot` | | `true` | -| `identityKeycloak.postgresql.primary.podSecurityContext.fsGroup` | | `1001` | -| `identityKeycloak.proxy` | keycloak proxy | `edge` | -| `identityKeycloak.tls` | can be used to enable TLS encryption. Required for HTTPs traffic. 
| | -| `identityKeycloak.tls.enabled` | enabling tls | `false` | -| `identityKeycloak.initContainers[0].name` | | `copy-camunda-theme` | -| `identityKeycloak.initContainers[0].image` | | `{{ .Values.global.identity.image | default "camunda/identity:latest" }}` | -| `identityKeycloak.initContainers[0].imagePullPolicy` | | `{{ .Values.global.identity.imagePullPolicy | default "Always" }}` | -| `identityKeycloak.initContainers[0].command` | | `["sh","-c","cp -a /app/keycloak-theme/* /mnt"]` | -| `identityKeycloak.initContainers[0].securityContext.privileged` | | `false` | -| `identityKeycloak.initContainers[0].securityContext.readOnlyRootFilesystem` | | `true` | -| `identityKeycloak.initContainers[0].securityContext.allowPrivilegeEscalation` | | `false` | -| `identityKeycloak.initContainers[0].securityContext.runAsNonRoot` | | `true` | -| `identityKeycloak.initContainers[0].securityContext.runAsUser` | | `1001` | -| `identityKeycloak.initContainers[0].securityContext.capabilities.drop` | | `["ALL"]` | -| `identityKeycloak.initContainers[0].securityContext.seccompProfile.type` | | `RuntimeDefault` | -| `identityKeycloak.initContainers[0].volumeMounts[0].name` | | `camunda-theme` | -| `identityKeycloak.initContainers[0].volumeMounts[0].mountPath` | | `/mnt` | -| `identityKeycloak.extraVolumeMounts[0].name` | | `camunda-theme` | -| `identityKeycloak.extraVolumeMounts[0].mountPath` | | `/opt/bitnami/keycloak/themes/identity` | -| `identityKeycloak.extraVolumeMounts[1].mountPath` | | `/opt/bitnami/keycloak/data/tmp` | -| `identityKeycloak.extraVolumeMounts[1].name` | | `data-tmp` | -| `identityKeycloak.containerSecurityContext.privileged` | | `false` | -| `identityKeycloak.containerSecurityContext.readOnlyRootFilesystem` | | `true` | -| `identityKeycloak.containerSecurityContext.allowPrivilegeEscalation` | | `false` | -| `identityKeycloak.containerSecurityContext.runAsNonRoot` | | `true` | -| `identityKeycloak.containerSecurityContext.runAsUser` | | `1001` | -| 
`identityKeycloak.containerSecurityContext.capabilities.drop` | | `["ALL"]` | -| `identityKeycloak.containerSecurityContext.seccompProfile.type` | | `RuntimeDefault` | -| `identityKeycloak.podSecurityContext.runAsNonRoot` | | `true` | -| `identityKeycloak.podSecurityContext.fsGroup` | | `1001` | -| `identityKeycloak.httpRelativePath` | defines the context for Keycloak. This config is valid for Keycloak v19.x.x only | `/auth/` | -| `identityKeycloak.extraEnvVars` | | | -| `identityKeycloak.extraEnvVars[0].name` | | `KEYCLOAK_PROXY_ADDRESS_FORWARDING` | -| `identityKeycloak.extraEnvVars[0].value` | | `{{ .Values.global.ingress.tls.enabled }}` | -| `identityKeycloak.ingress.enabled` | can be used enable ingress record generation for Keycloak. | `false` | -| `identityKeycloak.ingress.tls` | can be used to enable TLS configuration for the host defined at ingress.hostname parameter. | `false` | -| `identityKeycloak.ingress.extraTls` | configuration for additional hostnames to be covered with this ingress record. | `[]` | -| `identityKeycloak.ingress.annotations` | configures annotations to be applied to the ingress record. | `{}` | -| `identityKeycloak.service` | configuration, to configure the service which is deployed along with keycloak | | -| `identityKeycloak.service.type` | can be set to change the service type. | `ClusterIP` | -| `identityKeycloak.auth` | uses the secrets generated by keycloak, to access keycloak. | | -| `identityKeycloak.auth.adminUser` | defines the keycloak administrator user | `admin` | -| `identityKeycloak.auth.existingSecret` | can be used to reuse an existing secret containing authentication information. 
| `""` | +| Name | Description | Value | +| --------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------- | +| `identityKeycloak` | configuration, for the Keycloak dependency chart which is used by Identity. For more details, check [Bitnami package for Keycloak](https://artifacthub.io/packages/helm/bitnami/keycloak#parameters) documentation. | | +| `identityKeycloak.enabled` | Enable Identity Keycloak Helm chart. It is used incorporate with "global.identity.keycloak" to use your own Keycloak instead of the one comes with Camunda Helm chart | `true` | +| `identityKeycloak.global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: force (perform the adaptation always), disabled (do not perform adaptation) | `{{ .Values.global.compatibility.openshift.adaptSecurityContext | default "disabled" }}` | +| `identityKeycloak.nameOverride` | the name used for Keycloak. | `keycloak` | +| `identityKeycloak.image` | configuration. | | +| `identityKeycloak.image.repository` | image repo | `camunda/keycloak` | +| `identityKeycloak.image.tag` | image tag | `23.0.7` | +| `identityKeycloak.postgresql` | configuration. 
| | +| `identityKeycloak.postgresql.image.repository` | image repo | `bitnami/postgresql` | +| `identityKeycloak.postgresql.image.tag` | image tag | `15.8.0` | +| `identityKeycloak.postgresql.primary.containerSecurityContext.enabled` | | `true` | +| `identityKeycloak.postgresql.primary.containerSecurityContext.privileged` | | `false` | +| `identityKeycloak.postgresql.primary.containerSecurityContext.readOnlyRootFilesystem` | | `true` | +| `identityKeycloak.postgresql.primary.containerSecurityContext.allowPrivilegeEscalation` | | `false` | +| `identityKeycloak.postgresql.primary.containerSecurityContext.runAsNonRoot` | | `true` | +| `identityKeycloak.postgresql.primary.containerSecurityContext.runAsUser` | | `1001` | +| `identityKeycloak.postgresql.primary.containerSecurityContext.capabilities.drop` | | `["ALL"]` | +| `identityKeycloak.postgresql.primary.containerSecurityContext.seccompProfile.type` | | `RuntimeDefault` | +| `identityKeycloak.postgresql.primary.podSecurityContext.enabled` | | `true` | +| `identityKeycloak.postgresql.primary.podSecurityContext.runAsNonRoot` | | `true` | +| `identityKeycloak.postgresql.primary.podSecurityContext.fsGroup` | | `1001` | +| `identityKeycloak.proxy` | keycloak proxy | `edge` | +| `identityKeycloak.tls` | can be used to enable TLS encryption. Required for HTTPs traffic. 
| | +| `identityKeycloak.tls.enabled` | enabling tls | `false` | +| `identityKeycloak.extraVolumeMounts[0].name` | | `data-tmp` | +| `identityKeycloak.extraVolumeMounts[0].mountPath` | | `/opt/bitnami/keycloak/data/tmp` | +| `identityKeycloak.containerSecurityContext.privileged` | | `false` | +| `identityKeycloak.containerSecurityContext.readOnlyRootFilesystem` | | `true` | +| `identityKeycloak.containerSecurityContext.allowPrivilegeEscalation` | | `false` | +| `identityKeycloak.containerSecurityContext.runAsNonRoot` | | `true` | +| `identityKeycloak.containerSecurityContext.runAsUser` | | `1001` | +| `identityKeycloak.containerSecurityContext.capabilities.drop` | | `["ALL"]` | +| `identityKeycloak.containerSecurityContext.seccompProfile.type` | | `RuntimeDefault` | +| `identityKeycloak.podSecurityContext.runAsNonRoot` | | `true` | +| `identityKeycloak.podSecurityContext.fsGroup` | | `1001` | +| `identityKeycloak.httpRelativePath` | defines the context for Keycloak. This config is valid for Keycloak v19.x.x only | `/auth/` | +| `identityKeycloak.extraEnvVars` | | | +| `identityKeycloak.extraEnvVars[0].name` | | `KEYCLOAK_PROXY_ADDRESS_FORWARDING` | +| `identityKeycloak.extraEnvVars[0].value` | | `{{ .Values.global.ingress.tls.enabled }}` | +| `identityKeycloak.ingress.enabled` | can be used enable ingress record generation for Keycloak. | `false` | +| `identityKeycloak.ingress.tls` | can be used to enable TLS configuration for the host defined at ingress.hostname parameter. | `false` | +| `identityKeycloak.ingress.extraTls` | configuration for additional hostnames to be covered with this ingress record. | `[]` | +| `identityKeycloak.ingress.annotations` | configures annotations to be applied to the ingress record. | `{}` | +| `identityKeycloak.service` | configuration, to configure the service which is deployed along with keycloak | | +| `identityKeycloak.service.type` | can be set to change the service type. 
| `ClusterIP` | +| `identityKeycloak.auth` | uses the secrets generated by keycloak, to access keycloak. | | +| `identityKeycloak.auth.adminUser` | defines the keycloak administrator user | `admin` | +| `identityKeycloak.auth.existingSecret` | can be used to reuse an existing secret containing authentication information. | `""` | ### WebModeler Parameters 
@@ -1625,41 +1614,30 @@ Please see the corresponding [release guide](../../docs/release.md) to find out ### WebModeler - PostgreSQL Parameters -| Name | Description | Value | -| ---------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ | -| `postgresql` | configuration for the postgresql dependency chart used by WebModeler. See the chart documentation https://github.com/bitnami/charts/tree/master/bitnami/postgresql#parameters for more details. | | -| `postgresql.enabled` | if true, a PostgreSQL database will be deployed as part of the Helm release by using the dependency chart | `false` | -| `postgresql.nameOverride` | defines the name of the Postgres resources (names will be prefixed with the release name), see https://github.com/bitnami/charts/tree/main/bitnami/postgresql#common-parameters | `postgresql-web-modeler` | -| `postgresql.image.repository` | PostgreSQL repo | `bitnami/postgresql` | -| `postgresql.image.tag` | PostgreSQL image tag | `14.12.0` | -| `postgresql.auth` | configuration of the database authentication | | -| `postgresql.auth.username` | defines the name of the database user to be created for WebModeler | `web-modeler` | -| `postgresql.auth.password` | can be used to provide the database user's password; a random password will be generated if left empty / ignored if `postgresql.auth.existingSecret` is set | `""` | -| `postgresql.auth.database` | defines the name of the database to be created for WebModeler | `web-modeler` | -| `postgresql.auth.existingSecret` | can be used to provide the name of an existing secret resource containing the database password | `""` | -| `postgresql.primary.extraVolumes[0].name` | | `tmp` | -| `postgresql.primary.extraVolumes[0].emptyDir` | | `{}` | -| 
`postgresql.primary.extraVolumes[1].name` | | `config` | -| `postgresql.primary.extraVolumes[1].emptyDir` | | `{}` | -| `postgresql.primary.extraVolumes[2].name` | | `postgresql-tmp` | -| `postgresql.primary.extraVolumes[2].emptyDir` | | `{}` | -| `postgresql.primary.extraVolumeMounts[0].mountPath` | | `/tmp` | -| `postgresql.primary.extraVolumeMounts[0].name` | | `tmp` | -| `postgresql.primary.extraVolumeMounts[1].mountPath` | | `/opt/bitnami/postgresql/conf` | -| `postgresql.primary.extraVolumeMounts[1].name` | | `config` | -| `postgresql.primary.extraVolumeMounts[2].mountPath` | | `/opt/bitnami/postgresql/tmp` | -| `postgresql.primary.extraVolumeMounts[2].name` | | `postgresql-tmp` | -| `postgresql.primary.containerSecurityContext.enabled` | | `true` | -| `postgresql.primary.containerSecurityContext.privileged` | | `false` | -| `postgresql.primary.containerSecurityContext.readOnlyRootFilesystem` | | `true` | -| `postgresql.primary.containerSecurityContext.allowPrivilegeEscalation` | | `false` | -| `postgresql.primary.containerSecurityContext.runAsNonRoot` | | `true` | -| `postgresql.primary.containerSecurityContext.runAsUser` | | `1001` | -| `postgresql.primary.containerSecurityContext.capabilities.drop` | | `["ALL"]` | -| `postgresql.primary.containerSecurityContext.seccompProfile.type` | | `RuntimeDefault` | -| `postgresql.primary.podSecurityContext.enabled` | | `true` | -| `postgresql.primary.podSecurityContext.runAsNonRoot` | | `true` | -| `postgresql.primary.podSecurityContext.fsGroup` | | `1001` | +| Name | Description | Value | +| ---------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
---------------------------------------------------------------------------------------- | +| `postgresql` | configuration for the postgresql dependency chart used by WebModeler. See the chart documentation https://github.com/bitnami/charts/tree/master/bitnami/postgresql#parameters for more details. | | +| `postgresql.enabled` | if true, a PostgreSQL database will be deployed as part of the Helm release by using the dependency chart | `false` | +| `postgresql.global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: force (perform the adaptation always), disabled (do not perform adaptation) | `{{ .Values.global.compatibility.openshift.adaptSecurityContext | default "disabled" }}` | +| `postgresql.nameOverride` | defines the name of the Postgres resources (names will be prefixed with the release name), see https://github.com/bitnami/charts/tree/main/bitnami/postgresql#common-parameters | `postgresql-web-modeler` | +| `postgresql.image.repository` | PostgreSQL repo | `bitnami/postgresql` | +| `postgresql.image.tag` | PostgreSQL image tag | `14.13.0` | +| `postgresql.auth` | configuration of the database authentication | | +| `postgresql.auth.username` | defines the name of the database user to be created for WebModeler | `web-modeler` | +| `postgresql.auth.password` | can be used to provide the database user's password; a random password will be generated if left empty / ignored if `postgresql.auth.existingSecret` is set | `""` | +| `postgresql.auth.database` | defines the name of the database to be created for WebModeler | `web-modeler` | +| `postgresql.auth.existingSecret` | can be used to provide the name of an existing secret resource containing the database password | `""` | +| `postgresql.primary.containerSecurityContext.enabled` | | `true` | +| 
`postgresql.primary.containerSecurityContext.allowPrivilegeEscalation` | | `false` | +| `postgresql.primary.containerSecurityContext.privileged` | | `false` | +| `postgresql.primary.containerSecurityContext.readOnlyRootFilesystem` | | `true` | +| `postgresql.primary.containerSecurityContext.runAsNonRoot` | | `true` | +| `postgresql.primary.containerSecurityContext.runAsUser` | | `1001` | +| `postgresql.primary.containerSecurityContext.capabilities.drop` | | `["ALL"]` | +| `postgresql.primary.containerSecurityContext.seccompProfile.type` | | `RuntimeDefault` | +| `postgresql.primary.podSecurityContext.enabled` | | `true` | +| `postgresql.primary.podSecurityContext.runAsNonRoot` | | `true` | +| `postgresql.primary.podSecurityContext.fsGroup` | | `1001` | ### Connectors Parameters 
@@ -1765,26 +1743,27 @@ Please see the corresponding [release guide](../../docs/release.md) to find out ### Elasticsearch Parameters -| Name | Description | Value | -| ---------------------------------------------------------------------- | ------------ | ------------------------------- | -| `elasticsearch` | | | -| `elasticsearch.enabled` | | `true` | -| `elasticsearch.image.repository` | | `bitnami/elasticsearch` | -| `elasticsearch.image.tag` | | `8.14.3` | -| `elasticsearch.master.containerSecurityContext.readOnlyRootFilesystem` | | `true` | -| `elasticsearch.master.masterOnly` | | `false` | -| `elasticsearch.master.heapSize` | | `1024m` | -| `elasticsearch.master.persistence.size` | | `64Gi` | -| `elasticsearch.master.resources.requests.cpu` | cpu request | `1` | -| `elasticsearch.master.resources.requests.memory` | request | `2Gi` | -| `elasticsearch.master.resources.limits.cpu` | cpu limit | `2` | -| `elasticsearch.master.resources.limits.memory` | memory limit | `2Gi` | -| `elasticsearch.master.extraEnvVars[0].name` | env | `ELASTICSEARCH_ENABLE_REST_TLS` | -| `elasticsearch.master.extraEnvVars[0].value` | env value | `false` | -| `elasticsearch.sysctlImage.enabled` | | `true` | -| `elasticsearch.data.replicaCount` | | `0` | -| `elasticsearch.coordinating.replicaCount` | | `0` | -| `elasticsearch.ingest.enabled` | | `false` | +| Name | Description | Value | +| ---------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------- | +| `elasticsearch` | | | +| `elasticsearch.enabled` | | `true` | +| `elasticsearch.global.compatibility.openshift.adaptSecurityContext` | Adapt 
the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: force (perform the adaptation always), disabled (do not perform adaptation) | `{{ .Values.global.compatibility.openshift.adaptSecurityContext | default "disabled" }}` | +| `elasticsearch.image.repository` | | `bitnami/elasticsearch` | +| `elasticsearch.image.tag` | | `8.15.0` | +| `elasticsearch.master.containerSecurityContext.readOnlyRootFilesystem` | | `true` | +| `elasticsearch.master.masterOnly` | | `false` | +| `elasticsearch.master.heapSize` | | `1024m` | +| `elasticsearch.master.persistence.size` | | `64Gi` | +| `elasticsearch.master.resources.requests.cpu` | cpu request | `1` | +| `elasticsearch.master.resources.requests.memory` | request | `2Gi` | +| `elasticsearch.master.resources.limits.cpu` | cpu limit | `2` | +| `elasticsearch.master.resources.limits.memory` | memory limit | `2Gi` | +| `elasticsearch.master.extraEnvVars[0].name` | env | `ELASTICSEARCH_ENABLE_REST_TLS` | +| `elasticsearch.master.extraEnvVars[0].value` | env value | `false` | +| `elasticsearch.sysctlImage.enabled` | | `true` | +| `elasticsearch.data.replicaCount` | | `0` | +| `elasticsearch.coordinating.replicaCount` | | `0` | +| `elasticsearch.ingest.enabled` | | `false` | ### Prometheus Parameters diff --git a/charts/camunda-platform-alpha/openshift/values.yaml b/charts/camunda-platform-alpha/openshift/values.yaml index 6f943f3856..0e51f79012 100644 --- a/charts/camunda-platform-alpha/openshift/values.yaml +++ b/charts/camunda-platform-alpha/openshift/values.yaml 
@@ -1,247 +1,12 @@ ## # This is a minimal sample values file to get you started with an Openshift cluster using the recommended default # policies. Using these values, you will be able to deploy the chart using the least permissive SCC, "restricted". -# -# Everywhere we assign "null" to a value is to ensure that default values of one of the charts, or of its dependencies, -# will not cause issues with the "restricted" SCC (e.g. assign a fixed UID or GID). Additionally, we want to make sure -# that all volume mounts are mounted with the minimum required permissions. You can omit these everywhere if you will -# use a different SCC such as nonroot or anyuid. ## --- -# -# Identity. -# - -# omit the values below if identity.enabled is false -identity: - podSecurityContext: - fsGroup: null - containerSecurityContext: - runAsUser: null - -# omit the values below if identityKeycloak.enabled is false -identityKeycloak: - global: - compatibility: - ## Compatibility adaptations for Openshift - openshift: - ## Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. 
Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) - adaptSecurityContext: force - initContainers: - - name: copy-camunda-theme - image: "{{ .Values.global.identity.image | default \"camunda/identity:latest\" }}" - imagePullPolicy: "{{ .Values.global.identity.imagePullPolicy | default \"Always\" }}" - command: ["sh", "-c", "cp -a /app/keycloak-theme/* /mnt"] - securityContext: - privileged: false - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - runAsNonRoot: true - capabilities: - drop: ["ALL"] - seccompProfile: - type: RuntimeDefault - volumeMounts: - - name: camunda-theme - mountPath: /mnt - podSecurityContext: - fsGroup: null - containerSecurityContext: - runAsUser: null - # omit the values below if identityKeycloak.postgresql.enabled is false - postgresql: - # omit the values below if identityKeycloak.postgresql.primary.enabled is false - primary: - podSecurityContext: - fsGroup: null - containerSecurityContext: - runAsUser: null - # omit the values below if identityKeycloak.postgresql.readReplicas.enabled is false - readReplicas: - podSecurityContext: - fsGroup: null - containerSecurityContext: - runAsUser: null - # omit the values below if identityKeycloak.postgresql.metrics.enabled is false - metrics: - podSecurityContext: - fsGroup: null - containerSecurityContext: - runAsUser: null - -# omit the values below if identityPostgresql.enabled is false -identityPostgresql: - global: - compatibility: - ## Compatibility adaptations for Openshift - openshift: - ## Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. 
Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) - adaptSecurityContext: force - # omit the values below if identityPostgresql.primary.enabled is false - primary: - podSecurityContext: - fsGroup: null - containerSecurityContext: - runAsUser: null - # omit the values below if identityPostgresql.readReplicas.enabled is false - readReplicas: - podSecurityContext: - fsGroup: null - containerSecurityContext: - runAsUser: null - # omit the values below if identityPostgresql.metrics.enabled is false - metrics: - podSecurityContext: - fsGroup: null - containerSecurityContext: - runAsUser: null - -# -# Connectors. -# - -# omit the values below if identity.enabled is false -connectors: - podSecurityContext: - fsGroup: null - containerSecurityContext: - runAsUser: null - -# -# Operate. -# - -# omit the values below if operate.enabled is false -operate: - configMap: - defaultMode: 0444 - podSecurityContext: - fsGroup: null - containerSecurityContext: - runAsUser: null - -# -# Optimize. -# - -# omit the values below if optimize.enabled is false -optimize: - podSecurityContext: - fsGroup: null - containerSecurityContext: - runAsUser: null - -# -# Tasklist. -# - -# omit the values below if tasklist.enabled is false -tasklist: - configMap: - defaultMode: 0444 - podSecurityContext: - fsGroup: null - containerSecurityContext: - runAsUser: null - -# -# WebModeler. 
-# - -# omit the values below if webModeler.enabled is false -webModeler: - restapi: - podSecurityContext: - fsGroup: null - containerSecurityContext: - runAsUser: null - webapp: - podSecurityContext: - fsGroup: null - containerSecurityContext: - runAsUser: null - websockets: - podSecurityContext: - fsGroup: null - containerSecurityContext: - runAsUser: null - -postgresql: - global: - compatibility: - ## Compatibility adaptations for Openshift - openshift: - ## Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) - adaptSecurityContext: force - primary: - podSecurityContext: - fsGroup: null - containerSecurityContext: - runAsUser: null - readReplicas: - podSecurityContext: - fsGroup: null - containerSecurityContext: - runAsUser: null - metrics: - podSecurityContext: - fsGroup: null - containerSecurityContext: - runAsUser: null - -# -# Zeebe. -# - -# omit the values below if zeebe.enabled is false -zeebe: - configMap: - defaultMode: 0555 - podSecurityContext: - fsGroup: null - containerSecurityContext: - runAsUser: null - -# omit the values below if zeebe-gateway.enabled is false -zeebeGateway: - configMap: - defaultMode: 0444 - podSecurityContext: - fsGroup: null - containerSecurityContext: - runAsUser: null - -# -# Console -# -# omit the values below if console.enabled is false -console: - podSecurityContext: - fsGroup: null - containerSecurityContext: - runAsUser: null - -# -# Elasticsearch. 
-# - -# omit the values below if elasticsearch.enabled is false -elasticsearch: - global: - compatibility: - ## Compatibility adaptations for Openshift - openshift: - ## Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) - adaptSecurityContext: force - master: - podSecurityContext: - fsGroup: null - containerSecurityContext: - runAsUser: null - # If needed, OpenShift TuneD operator will be used to set sysctl vm.max_map_count. - # Apply the manifest "openshift-tuned.yaml" before install Camunda 8 chart. - sysctlImage: - enabled: false - commonLabels: - tuned.openshift.io/elasticsearch: "" +global: + compatibility: + ## Compatibility adaptations for Openshift + openshift: + ## Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) + adaptSecurityContext: force diff --git a/charts/camunda-platform-alpha/templates/camunda/constraints.tpl b/charts/camunda-platform-alpha/templates/camunda/constraints.tpl index 80e10db182..a04aa34486 100644 --- a/charts/camunda-platform-alpha/templates/camunda/constraints.tpl +++ b/charts/camunda-platform-alpha/templates/camunda/constraints.tpl 
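Review bot: The comment on the last added line still advertises `auto (apply if the detected running cluster is Openshift)` as a possible value, but the constraint this same commit adds to templates/camunda/constraints.tpl rejects anything other than `force` or `disabled`, so anyone who copies `auto` from this sample gets a render failure instead of auto-detection. Change it to `## Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: force (perform the adaptation always), disabled (do not perform adaptation)`. The removed block also carried `elasticsearch.sysctlImage.enabled: false` with the TuneD `tuned.openshift.io/elasticsearch` label and the `configMap.defaultMode` overrides for operate, tasklist, zeebe and zeebeGateway, and nothing in the added lines replaces them; the README in this commit shows `elasticsearch.sysctlImage.enabled` defaulting to `true`, and if that init container needs privileges (as I would expect from a sysctl setter) the sample no longer deploys under the restricted SCC its header promises. Either restore those keys here or state in the header comment that they must still be set separately.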
@@ -51,6 +51,14 @@ Fail with a message if global.identity.auth.identity.existingSecret is set and g {{- end }} {{- end }} +{{/* +Fail with a message if adaptSecurityContext has any value other than "force" or "disabled". +*/}} +{{- if not (has .Values.global.compatibility.openshift.adaptSecurityContext (list "force" "disabled")) }} + {{- $errorMessage := "[camunda][error] Invalid value for adaptSecurityContext. The value must be either 'force' or 'disabled'." -}} + {{ printf "\n%s" $errorMessage | trimSuffix "\n" | fail }} +{{- end }} + {{/* Fail with a message if Identity is disabled and identityKeycloak is enabled. */}} diff --git a/charts/camunda-platform-alpha/templates/connectors/deployment.yaml b/charts/camunda-platform-alpha/templates/connectors/deployment.yaml index aab2162023..e3503fedb9 100644 --- a/charts/camunda-platform-alpha/templates/connectors/deployment.yaml +++ b/charts/camunda-platform-alpha/templates/connectors/deployment.yaml @@ -32,7 +32,7 @@ spec: image: {{ include "camundaPlatform.imageByParams" (dict "base" .Values.global "overlay" .Values.connectors) }} imagePullPolicy: {{ .Values.global.image.pullPolicy }} {{- if .Values.connectors.containerSecurityContext }} - securityContext: {{- toYaml .Values.connectors.containerSecurityContext | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.connectors.containerSecurityContext "context" $) | nindent 12 }} {{- end }} ports: - containerPort: {{ .Values.connectors.service.serverPort }} @@ -172,7 +172,7 @@ spec: dnsPolicy: {{ .Values.connectors.dnsPolicy | quote }} {{- end }} {{- if .Values.connectors.podSecurityContext }} - securityContext: {{- toYaml .Values.connectors.podSecurityContext | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.connectors.podSecurityContext "context" $) | nindent 8 }} {{- end }} {{- with .Values.connectors.nodeSelector }} nodeSelector: 
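Review bot: The new validation in constraints.tpl rejects `auto`, yet the `openshift/values.yaml` comment added by this same commit (the `global.compatibility.openshift` block in the hunk just above this file) still advertises `auto (apply if the detected running cluster is Openshift)` as a possible value, so a user following that comment hits this chart-level failure with no hint why. Either drop `auto` from that comment so it matches the main values.yaml wording (`force` or `disabled`), or extend the allowed list to `(list "auto" "force" "disabled")` if the upstream helper's auto-detection is meant to be supported. The check also dereferences `.Values.global.compatibility.openshift.adaptSecurityContext` unguarded, so a values file that nulls out `global.compatibility` yields nil and fails with the same "Invalid value" message; applying `default "disabled"` before `has` would keep the documented default behaviour for that case.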
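Review bot: The rewritten `securityContext:` lines in connectors/deployment.yaml mix `$.Values.connectors.*` with the surrounding `.Values.connectors.*` references in the same scope; inside these blocks `.` appears to be the root context, so `$.` is unnecessary and reads as if a `range`/`with` rescope were in effect. Prefer `.Values.connectors.containerSecurityContext` and pass `"context" .` for consistency with the rest of the template; the same applies to the identical edits in the console, identity, operate, optimize, tasklist, web-modeler, zeebe-gateway and zeebe templates later in this diff. Since the helper now post-processes the context instead of emitting it verbatim, a short comment above the include such as `{{/* rendered via the common compatibility helper so OpenShift SCC adaptations apply; see global.compatibility.openshift */}}` would tell the next maintainer why `toYaml` is no longer used.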
diff --git a/charts/camunda-platform-alpha/templates/console/deployment.yaml b/charts/camunda-platform-alpha/templates/console/deployment.yaml index d31495cd91..21a2609a65 100644 --- a/charts/camunda-platform-alpha/templates/console/deployment.yaml +++ b/charts/camunda-platform-alpha/templates/console/deployment.yaml @@ -38,15 +38,13 @@ spec: {{- if .Values.console.dnsPolicy }} dnsPolicy: {{ .Values.console.dnsPolicy | quote }} {{- end }} - securityContext: - {{- toYaml .Values.console.podSecurityContext | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.console.podSecurityContext "context" $) | nindent 8 }} containers: - name: {{ .Chart.Name }} image: {{ include "camundaPlatform.imageByParams" (dict "base" .Values.global "overlay" .Values.console) }} imagePullPolicy: {{ .Values.global.image.pullPolicy }} {{- if .Values.console.containerSecurityContext }} - securityContext: - {{- toYaml .Values.console.containerSecurityContext | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.console.containerSecurityContext "context" $) | nindent 12 }} {{- end }} env: - name: CAMUNDA_LICENSE_KEY diff --git a/charts/camunda-platform-alpha/templates/identity/deployment.yaml b/charts/camunda-platform-alpha/templates/identity/deployment.yaml index 1eef2541e6..22fa5cd94a 100644 --- a/charts/camunda-platform-alpha/templates/identity/deployment.yaml +++ b/charts/camunda-platform-alpha/templates/identity/deployment.yaml 
@@ -33,7 +33,7 @@ spec: image: {{ include "camundaPlatform.imageByParams" (dict "base" .Values.global "overlay" .Values.identity) }} imagePullPolicy: {{ .Values.global.image.pullPolicy }} {{- if .Values.identity.containerSecurityContext }} - securityContext: {{- toYaml .Values.identity.containerSecurityContext | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.identity.containerSecurityContext "context" $) | nindent 12 }} {{- end }} env: - name: CAMUNDA_LICENSE_KEY @@ -323,7 +323,7 @@ spec: dnsPolicy: {{ .Values.identity.dnsPolicy | quote }} {{- end }} {{- if .Values.identity.podSecurityContext }} - securityContext: {{- toYaml .Values.identity.podSecurityContext | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.identity.podSecurityContext "context" $) | nindent 8 }} {{- end }} {{- with .Values.identity.nodeSelector }} nodeSelector: diff --git a/charts/camunda-platform-alpha/templates/operate/deployment.yaml b/charts/camunda-platform-alpha/templates/operate/deployment.yaml index 03e3e2c495..c7b7206ddc 100644 --- a/charts/camunda-platform-alpha/templates/operate/deployment.yaml +++ b/charts/camunda-platform-alpha/templates/operate/deployment.yaml @@ -38,7 +38,7 @@ spec: image: {{ include "camundaPlatform.imageByParams" (dict "base" .Values.global "overlay" .Values.operate) }} command: ['/bin/sh', '/usr/local/operate/bin/migrate'] {{- if .Values.operate.containerSecurityContext }} - securityContext: {{- toYaml .Values.operate.containerSecurityContext | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.operate.containerSecurityContext "context" $) | nindent 12 }} {{- end }} env: {{- if and .Values.global.elasticsearch.external (include "elasticsearch.passwordIsDefined" .) }} 
@@ -101,7 +101,7 @@ spec: image: {{ include "camundaPlatform.imageByParams" (dict "base" .Values.global "overlay" .Values.operate) }} imagePullPolicy: {{ .Values.global.image.pullPolicy }} {{- if .Values.operate.containerSecurityContext }} - securityContext: {{- toYaml .Values.operate.containerSecurityContext | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.operate.containerSecurityContext "context" $) | nindent 12 }} {{- end }} env: - name: CAMUNDA_LICENSE_KEY @@ -334,7 +334,7 @@ spec: dnsPolicy: {{ .Values.operate.dnsPolicy | quote }} {{- end }} {{- if .Values.operate.podSecurityContext }} - securityContext: {{- toYaml .Values.operate.podSecurityContext | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.operate.podSecurityContext "context" $) | nindent 8 }} {{- end }} {{- with .Values.operate.nodeSelector }} nodeSelector: diff --git a/charts/camunda-platform-alpha/templates/optimize/deployment.yaml b/charts/camunda-platform-alpha/templates/optimize/deployment.yaml index 5c28ea86d6..701678f100 100644 --- a/charts/camunda-platform-alpha/templates/optimize/deployment.yaml +++ b/charts/camunda-platform-alpha/templates/optimize/deployment.yaml @@ -38,7 +38,7 @@ spec: image: {{ include "camundaPlatform.imageByParams" (dict "base" .Values.global "overlay" .Values.optimize) }} command: ['./upgrade/upgrade.sh', '--skip-warning'] {{- if .Values.optimize.containerSecurityContext }} - securityContext: {{- toYaml .Values.optimize.containerSecurityContext | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.optimize.containerSecurityContext "context" $) | nindent 12 }} {{- end }} env: - name: CAMUNDA_LICENSE_KEY 
@@ -121,7 +121,7 @@ spec: image: {{ include "camundaPlatform.imageByParams" (dict "base" .Values.global "overlay" .Values.optimize) }} imagePullPolicy: {{ .Values.global.image.pullPolicy }} {{- if .Values.optimize.containerSecurityContext }} - securityContext: {{- toYaml .Values.optimize.containerSecurityContext | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.optimize.containerSecurityContext "context" $) | nindent 12 }} {{- end }} env: - name: CAMUNDA_LICENSE_KEY @@ -320,7 +320,7 @@ spec: dnsPolicy: {{ .Values.optimize.dnsPolicy | quote }} {{- end }} {{- if .Values.optimize.podSecurityContext }} - securityContext: {{- toYaml .Values.optimize.podSecurityContext | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.optimize.podSecurityContext "context" $) | nindent 8 }} {{- end }} {{- with .Values.optimize.nodeSelector }} nodeSelector: diff --git a/charts/camunda-platform-alpha/templates/tasklist/deployment.yaml b/charts/camunda-platform-alpha/templates/tasklist/deployment.yaml index 41bb96a5eb..a5ffb6f040 100644 --- a/charts/camunda-platform-alpha/templates/tasklist/deployment.yaml +++ b/charts/camunda-platform-alpha/templates/tasklist/deployment.yaml @@ -36,7 +36,7 @@ spec: image: {{ include "camundaPlatform.imageByParams" (dict "base" .Values.global "overlay" .Values.tasklist) }} imagePullPolicy: {{ .Values.global.image.pullPolicy }} {{- if .Values.tasklist.containerSecurityContext }} - securityContext: {{- toYaml .Values.tasklist.containerSecurityContext | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.tasklist.containerSecurityContext "context" $) | nindent 12 }} {{- end }} env: - name: CAMUNDA_LICENSE_KEY 
@@ -270,7 +270,7 @@ spec: dnsPolicy: {{ .Values.tasklist.dnsPolicy | quote }} {{- end }} {{- if .Values.tasklist.podSecurityContext }} - securityContext: {{- toYaml .Values.tasklist.podSecurityContext | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.tasklist.podSecurityContext "context" $) | nindent 8 }} {{- end }} {{- with .Values.tasklist.nodeSelector }} nodeSelector: diff --git a/charts/camunda-platform-alpha/templates/web-modeler/deployment-restapi.yaml b/charts/camunda-platform-alpha/templates/web-modeler/deployment-restapi.yaml index efb807041c..b202fcb970 100644 --- a/charts/camunda-platform-alpha/templates/web-modeler/deployment-restapi.yaml +++ b/charts/camunda-platform-alpha/templates/web-modeler/deployment-restapi.yaml @@ -31,7 +31,7 @@ spec: image: {{ include "webModeler.restapi.image" . | quote }} imagePullPolicy: {{ .Values.global.image.pullPolicy }} {{- if .Values.webModeler.restapi.containerSecurityContext }} - securityContext: {{- toYaml .Values.webModeler.restapi.containerSecurityContext | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.webModeler.restapi.containerSecurityContext "context" $) | nindent 12 }} {{- end }} env: - name: CAMUNDA_LICENSE_KEY @@ -157,7 +157,7 @@ spec: dnsPolicy: {{ .Values.webModeler.restapi.dnsPolicy | quote }} {{- end }} {{- if .Values.webModeler.restapi.podSecurityContext }} - securityContext: {{- toYaml .Values.webModeler.restapi.podSecurityContext | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.webModeler.restapi.podSecurityContext "context" $) | nindent 8 }} {{- end }} {{- with .Values.webModeler.restapi.nodeSelector }} nodeSelector: 
diff --git a/charts/camunda-platform-alpha/templates/web-modeler/deployment-webapp.yaml b/charts/camunda-platform-alpha/templates/web-modeler/deployment-webapp.yaml index 578f536b3b..6dfbc4ec28 100644 --- a/charts/camunda-platform-alpha/templates/web-modeler/deployment-webapp.yaml +++ b/charts/camunda-platform-alpha/templates/web-modeler/deployment-webapp.yaml @@ -31,7 +31,7 @@ spec: image: {{ include "webModeler.webapp.image" . | quote }} imagePullPolicy: {{ .Values.global.image.pullPolicy }} {{- if .Values.webModeler.webapp.containerSecurityContext }} - securityContext: {{- toYaml .Values.webModeler.webapp.containerSecurityContext | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.webModeler.webapp.containerSecurityContext "context" $) | nindent 12 }} {{- end }} env: - name: CAMUNDA_LICENSE_KEY @@ -150,7 +150,7 @@ spec: dnsPolicy: {{ .Values.webModeler.webapp.dnsPolicy | quote }} {{- end }} {{- if .Values.webModeler.webapp.podSecurityContext }} - securityContext: {{- toYaml .Values.webModeler.webapp.podSecurityContext | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.webModeler.webapp.podSecurityContext "context" $) | nindent 8 }} {{- end }} {{- with .Values.webModeler.webapp.nodeSelector }} nodeSelector: diff --git a/charts/camunda-platform-alpha/templates/web-modeler/deployment-websockets.yaml b/charts/camunda-platform-alpha/templates/web-modeler/deployment-websockets.yaml index f1767367b0..2982ee8190 100644 --- a/charts/camunda-platform-alpha/templates/web-modeler/deployment-websockets.yaml +++ b/charts/camunda-platform-alpha/templates/web-modeler/deployment-websockets.yaml 
@@ -31,8 +31,7 @@ spec: image: {{ include "webModeler.websockets.image" . | quote }} imagePullPolicy: {{ .Values.global.image.pullPolicy }} {{- if .Values.webModeler.websockets.containerSecurityContext }} - securityContext: - {{- toYaml .Values.webModeler.websockets.containerSecurityContext | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.webModeler.websockets.containerSecurityContext "context" $) | nindent 12 }} {{- end }} env: - name: CAMUNDA_LICENSE_KEY @@ -137,7 +136,7 @@ spec: dnsPolicy: {{ .Values.webModeler.websockets.dnsPolicy | quote }} {{- end }} {{- if .Values.webModeler.websockets.podSecurityContext }} - securityContext: {{- toYaml .Values.webModeler.websockets.podSecurityContext | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.webModeler.websockets.podSecurityContext "context" $) | nindent 8 }} {{- end }} {{- with .Values.webModeler.websockets.nodeSelector }} nodeSelector: diff --git a/charts/camunda-platform-alpha/templates/zeebe-gateway/deployment.yaml b/charts/camunda-platform-alpha/templates/zeebe-gateway/deployment.yaml index 46eb61d198..cd30a098d4 100644 --- a/charts/camunda-platform-alpha/templates/zeebe-gateway/deployment.yaml +++ b/charts/camunda-platform-alpha/templates/zeebe-gateway/deployment.yaml @@ -114,7 +114,7 @@ spec: {{ .Values.zeebeGateway.extraVolumeMounts | toYaml | nindent 12 }} {{- end }} {{- if .Values.zeebeGateway.containerSecurityContext }} - securityContext: {{- toYaml .Values.zeebeGateway.containerSecurityContext | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.zeebeGateway.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.zeebeGateway.startupProbe.enabled }} startupProbe: 
@@ -177,7 +177,7 @@ spec: dnsPolicy: {{ .Values.zeebeGateway.dnsPolicy | quote }} {{- end }} {{- if .Values.zeebeGateway.podSecurityContext }} - securityContext: {{- toYaml .Values.zeebeGateway.podSecurityContext | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.zeebeGateway.podSecurityContext "context" $) | nindent 8 }} {{- end }} {{- with .Values.zeebeGateway.nodeSelector }} nodeSelector: diff --git a/charts/camunda-platform-alpha/templates/zeebe/1/2/3/4/5/6/7/8/z_compatibility_helpers.tpl b/charts/camunda-platform-alpha/templates/zeebe/1/2/3/4/5/6/7/8/z_compatibility_helpers.tpl index c1d8fde9b9..cab8cd484e 100644 --- a/charts/camunda-platform-alpha/templates/zeebe/1/2/3/4/5/6/7/8/z_compatibility_helpers.tpl +++ b/charts/camunda-platform-alpha/templates/zeebe/1/2/3/4/5/6/7/8/z_compatibility_helpers.tpl @@ -2,7 +2,7 @@ TODO: Remove the whole file just before 8.6 release. NOTE: We need to load this file first thing before all other resources to support backward compatibility. - Helm prioritizes files that are deeply nested in subdirectories when it's determining the render order. + Helm prioritizes files that are deeply nested in subdirectories when it is determining the render order. see the sort function in Helm: https://github.com/helm/helm/blob/d58d7b376265338e059ff11c71267b5a6cf504c3/pkg/engine/engine.go#L347-L356 
@@ -66,7 +66,28 @@ Zeebe Gateway. {{- $_ := set .Values.zeebeGateway.ingress "grpc" (deepCopy $zgIngress | mergeOverwrite .Values.zeebeGateway.ingress.grpc) -}} {{- end -}} +{{/* +OpenShift. +The `elasticsearch.sysctlImage` container adjusts the virtual memory and file descriptors of the machine needed for Elasticsearch. +By default, the `sysctlImage` container will fail on OpenShift because it requires privileged mode. +Also, recent OpenShift versions (> 4.10) have adjusted the virtual memory of the machine by default. +*/}} +{{- if eq .Values.global.compatibility.openshift.adaptSecurityContext "force" -}} + {{- $_ := set .Values.elasticsearch.sysctlImage "enabled" false -}} +{{- end -}} + +{{/* +OpenShift. +The label `tuned.openshift.io/elasticsearch` is added to ensure compatibility with the previous Camunda Helm charts. +Without this label, the Helm upgrade will fail for OpenShift because it is already set for the volumeClaimTemplate. +*/}} + +{{- if eq .Values.global.compatibility.openshift.adaptSecurityContext "force" -}} + {{- if not (hasKey .Values.elasticsearch.commonLabels "tuned.openshift.io/elasticsearch") -}} + {{- $_ := set .Values.elasticsearch.commonLabels "tuned.openshift.io/elasticsearch" "" -}} + {{- end -}} +{{- end -}} {{/* Elasticsearch. diff --git a/charts/camunda-platform-alpha/templates/zeebe/statefulset.yaml b/charts/camunda-platform-alpha/templates/zeebe/statefulset.yaml index d96402f83c..48c5db0f13 100644 --- a/charts/camunda-platform-alpha/templates/zeebe/statefulset.yaml +++ b/charts/camunda-platform-alpha/templates/zeebe/statefulset.yaml 
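Review bot: Under `adaptSecurityContext: force` the first added block unconditionally overwrites `elasticsearch.sysctlImage.enabled` with `false`, so an operator who deliberately set it to `true` (for example on a cluster where the privileged sysctl container is permitted) loses that setting silently during render, and the `set` call will also error if `.Values.elasticsearch.sysctlImage` is absent from the merged values. At minimum the `global.compatibility.openshift.adaptSecurityContext` description in values.yaml should state that `force` also disables `elasticsearch.sysctlImage` and adds the `tuned.openshift.io/elasticsearch` label, since neither side effect is visible from the option's text. The two blocks test the same `eq ... "force"` condition back to back and could be one block carrying both mutations, with the two explanatory comments kept inside it. The file header (outside this hunk) marks the whole file for removal before 8.6, so these OpenShift mutations will need a permanent home in the regular helpers before then.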
@@ -48,7 +48,7 @@ spec: image: {{ include "camundaPlatform.imageByParams" (dict "base" .Values.global "overlay" .Values.zeebe) }} imagePullPolicy: {{ .Values.global.image.pullPolicy }} {{- if .Values.zeebe.containerSecurityContext }} - securityContext: {{- toYaml .Values.zeebe.containerSecurityContext | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.zeebe.containerSecurityContext "context" $) | nindent 12 }} {{- end }} env: - name: CAMUNDA_LICENSE_KEY @@ -254,7 +254,7 @@ spec: dnsPolicy: {{ .Values.zeebe.dnsPolicy | quote }} {{- end }} {{- if .Values.zeebe.podSecurityContext }} - securityContext: {{- toYaml .Values.zeebe.podSecurityContext | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.zeebe.podSecurityContext "context" $) | nindent 8 }} {{- end }} {{- with .Values.zeebe.nodeSelector }} nodeSelector: diff --git a/charts/camunda-platform-alpha/test/unit/camunda/golden/keycloak-statefulset.golden.yaml b/charts/camunda-platform-alpha/test/unit/camunda/golden/keycloak-statefulset.golden.yaml index ae11fe3ed3..5e391163b2 100644 --- a/charts/camunda-platform-alpha/test/unit/camunda/golden/keycloak-statefulset.golden.yaml +++ b/charts/camunda-platform-alpha/test/unit/camunda/golden/keycloak-statefulset.golden.yaml @@ -60,7 +60,7 @@ spec: enableServiceLinks: true initContainers: - name: init-quarkus-directory - image: docker.io/bitnami/keycloak:23.0.7 + image: docker.io/camunda/keycloak:23.0.7 imagePullPolicy: IfNotPresent command: - /bin/bash 
@@ -88,30 +88,9 @@ spec: - name: empty-dir mountPath: /quarkus subPath: app-quarkus-dir - - command: - - sh - - -c - - cp -a /app/keycloak-theme/* /mnt - image: 'camunda/identity:latest' - imagePullPolicy: 'Always' - name: copy-camunda-theme - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1001 - seccompProfile: - type: RuntimeDefault - volumeMounts: - - mountPath: /mnt - name: camunda-theme containers: - name: keycloak - image: docker.io/bitnami/keycloak:23.0.7 + image: docker.io/camunda/keycloak:23.0.7 imagePullPolicy: IfNotPresent securityContext: allowPrivilegeEscalation: false @@ -185,15 +164,10 @@ spec: - name: empty-dir mountPath: /opt/bitnami/keycloak/lib/quarkus subPath: app-quarkus-dir - - mountPath: /opt/bitnami/keycloak/themes/identity - name: camunda-theme - mountPath: /opt/bitnami/keycloak/data/tmp name: data-tmp volumes: - name: empty-dir emptyDir: {} - emptyDir: {} - name: data-tmp - - emptyDir: - sizeLimit: 10Mi - name: camunda-theme \ No newline at end of file + name: data-tmp \ No newline at end of file diff --git a/charts/camunda-platform-alpha/test/unit/connectors/deployment_test.go b/charts/camunda-platform-alpha/test/unit/connectors/deployment_test.go index 94ca98fdaa..b26923e203 100644 --- a/charts/camunda-platform-alpha/test/unit/connectors/deployment_test.go +++ b/charts/camunda-platform-alpha/test/unit/connectors/deployment_test.go @@ -334,7 +334,6 @@ func (s *deploymentTemplateTest) TestContainerSetSecurityContext() { SetValues: map[string]string{ "connectors.enabled": "true", "connectors.containerSecurityContext.privileged": "true", - "connectors.containerSecurityContext.capabilities.add[0]": "NET_ADMIN", }, KubectlOptions: k8s.NewKubectlOptions("", "", s.namespace), } 
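Review bot: Dropping the `capabilities.add[0]` setting and its assertion in `TestContainerSetSecurityContext` (this hunk and the @@ -347 hunk that follows) removes the only check that capability settings survive the new `common.compatibility.renderSecurityContext` path; the same deletion is repeated in the console, identity, operate, optimize, tasklist, web-modeler, zeebe-gateway and zeebe tests. If the reason is that the helper omits `capabilities` once `privileged: true` is set (which would match Kubernetes ignoring them for privileged containers), the test should say so and a second case should set `capabilities.add[0]` without `privileged` and assert it is rendered, so the default `drop: [ALL]` hardening remains covered. A comment such as `// capabilities are not asserted here: the rendering helper omits them for privileged containers` on the remaining assertion would keep the intent readable. The test function starts before this hunk.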
@@ -347,7 +346,6 @@ func (s *deploymentTemplateTest) TestContainerSetSecurityContext() { // then securityContext := deployment.Spec.Template.Spec.Containers[0].SecurityContext s.Require().True(*securityContext.Privileged) - s.Require().EqualValues("NET_ADMIN", securityContext.Capabilities.Add[0]) } // https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector diff --git a/charts/camunda-platform-alpha/test/unit/console/deployment_test.go b/charts/camunda-platform-alpha/test/unit/console/deployment_test.go index f6e50dfb0d..3592b451a8 100644 --- a/charts/camunda-platform-alpha/test/unit/console/deployment_test.go +++ b/charts/camunda-platform-alpha/test/unit/console/deployment_test.go @@ -450,7 +450,6 @@ func (s *deploymentTemplateTest) TestContainerSetSecurityContext() { SetValues: map[string]string{ "console.enabled": "true", "console.containerSecurityContext.privileged": "true", - "console.containerSecurityContext.capabilities.add[0]": "NET_ADMIN", }, KubectlOptions: k8s.NewKubectlOptions("", "", s.namespace), } @@ -463,7 +462,6 @@ func (s *deploymentTemplateTest) TestContainerSetSecurityContext() { // then securityContext := deployment.Spec.Template.Spec.Containers[0].SecurityContext s.Require().True(*securityContext.Privileged) - s.Require().EqualValues("NET_ADMIN", securityContext.Capabilities.Add[0]) } // https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector diff --git a/charts/camunda-platform-alpha/test/unit/identity/deployment_test.go b/charts/camunda-platform-alpha/test/unit/identity/deployment_test.go index 5e224585d2..92aba30274 100644 --- a/charts/camunda-platform-alpha/test/unit/identity/deployment_test.go +++ b/charts/camunda-platform-alpha/test/unit/identity/deployment_test.go 
@@ -450,7 +450,6 @@ func (s *deploymentTemplateTest) TestContainerSetSecurityContext() { options := &helm.Options{ SetValues: map[string]string{ "identity.containerSecurityContext.privileged": "true", - "identity.containerSecurityContext.capabilities.add[0]": "NET_ADMIN", }, KubectlOptions: k8s.NewKubectlOptions("", "", s.namespace), } @@ -463,7 +462,6 @@ func (s *deploymentTemplateTest) TestContainerSetSecurityContext() { // then securityContext := deployment.Spec.Template.Spec.Containers[0].SecurityContext s.Require().True(*securityContext.Privileged) - s.Require().EqualValues("NET_ADMIN", securityContext.Capabilities.Add[0]) } // https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector diff --git a/charts/camunda-platform-alpha/test/unit/operate/deployment_test.go b/charts/camunda-platform-alpha/test/unit/operate/deployment_test.go index 6540752aa0..714bce3e0c 100644 --- a/charts/camunda-platform-alpha/test/unit/operate/deployment_test.go +++ b/charts/camunda-platform-alpha/test/unit/operate/deployment_test.go @@ -412,7 +412,6 @@ func (s *deploymentTemplateTest) TestContainerSetSecurityContext() { options := &helm.Options{ SetValues: map[string]string{ "operate.containerSecurityContext.privileged": "true", - "operate.containerSecurityContext.capabilities.add[0]": "NET_ADMIN", }, KubectlOptions: k8s.NewKubectlOptions("", "", s.namespace), } @@ -425,7 +424,6 @@ func (s *deploymentTemplateTest) TestContainerSetSecurityContext() { // then securityContext := deployment.Spec.Template.Spec.Containers[0].SecurityContext s.Require().True(*securityContext.Privileged) - s.Require().EqualValues("NET_ADMIN", securityContext.Capabilities.Add[0]) } // https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector diff --git a/charts/camunda-platform-alpha/test/unit/optimize/deployment_test.go b/charts/camunda-platform-alpha/test/unit/optimize/deployment_test.go index cf6bc71428..4db403fa28 100644 
--- a/charts/camunda-platform-alpha/test/unit/optimize/deployment_test.go +++ b/charts/camunda-platform-alpha/test/unit/optimize/deployment_test.go @@ -413,7 +413,6 @@ func (s *deploymentTemplateTest) TestContainerSetSecurityContext() { options := &helm.Options{ SetValues: map[string]string{ "optimize.containerSecurityContext.privileged": "true", - "optimize.containerSecurityContext.capabilities.add[0]": "NET_ADMIN", }, KubectlOptions: k8s.NewKubectlOptions("", "", s.namespace), } @@ -426,7 +425,6 @@ func (s *deploymentTemplateTest) TestContainerSetSecurityContext() { // then securityContext := deployment.Spec.Template.Spec.Containers[0].SecurityContext s.Require().True(*securityContext.Privileged) - s.Require().EqualValues("NET_ADMIN", securityContext.Capabilities.Add[0]) } // https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector diff --git a/charts/camunda-platform-alpha/test/unit/tasklist/deployment_test.go b/charts/camunda-platform-alpha/test/unit/tasklist/deployment_test.go index bebb7d8f4a..409f5df810 100644 --- a/charts/camunda-platform-alpha/test/unit/tasklist/deployment_test.go +++ b/charts/camunda-platform-alpha/test/unit/tasklist/deployment_test.go @@ -275,7 +275,6 @@ func (s *deploymentTemplateTest) TestContainerSetSecurityContext() { options := &helm.Options{ SetValues: map[string]string{ "tasklist.containerSecurityContext.privileged": "true", - "tasklist.containerSecurityContext.capabilities.add[0]": "NET_ADMIN", }, KubectlOptions: k8s.NewKubectlOptions("", "", s.namespace), } @@ -288,7 +287,6 @@ func (s *deploymentTemplateTest) TestContainerSetSecurityContext() { // then securityContext := deployment.Spec.Template.Spec.Containers[0].SecurityContext s.Require().True(*securityContext.Privileged) - s.Require().EqualValues("NET_ADMIN", securityContext.Capabilities.Add[0]) } func (s *deploymentTemplateTest) TestContainerSetContainerCommand() { 
diff --git a/charts/camunda-platform-alpha/test/unit/web-modeler/deployment_test.go b/charts/camunda-platform-alpha/test/unit/web-modeler/deployment_test.go index cbe3578052..491f74197c 100644 --- a/charts/camunda-platform-alpha/test/unit/web-modeler/deployment_test.go +++ b/charts/camunda-platform-alpha/test/unit/web-modeler/deployment_test.go @@ -473,7 +473,6 @@ func (s *deploymentTemplateTest) TestContainerSetSecurityContext() { "webModeler.enabled": "true", "webModeler.restapi.mail.fromAddress": "example@example.com", "webModeler." + s.component + ".containerSecurityContext.privileged": "true", - "webModeler." + s.component + ".containerSecurityContext.capabilities.add[0]": "NET_ADMIN", }, KubectlOptions: k8s.NewKubectlOptions("", "", s.namespace), } @@ -486,7 +485,6 @@ func (s *deploymentTemplateTest) TestContainerSetSecurityContext() { // then securityContext := deployment.Spec.Template.Spec.Containers[0].SecurityContext s.Require().True(*securityContext.Privileged) - s.Require().EqualValues("NET_ADMIN", securityContext.Capabilities.Add[0]) } // https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector diff --git a/charts/camunda-platform-alpha/test/unit/zeebe-gateway/deployment_test.go b/charts/camunda-platform-alpha/test/unit/zeebe-gateway/deployment_test.go index 983baf81f8..a6cb26e1e5 100644 --- a/charts/camunda-platform-alpha/test/unit/zeebe-gateway/deployment_test.go +++ b/charts/camunda-platform-alpha/test/unit/zeebe-gateway/deployment_test.go @@ -438,7 +438,6 @@ func (s *deploymentTemplateTest) TestContainerSetSecurityContext() { options := &helm.Options{ SetValues: map[string]string{ "zeebeGateway.containerSecurityContext.privileged": "true", - "zeebeGateway.containerSecurityContext.capabilities.add[0]": "NET_ADMIN", }, KubectlOptions: k8s.NewKubectlOptions("", "", s.namespace), } 
@@ -451,7 +450,6 @@ func (s *deploymentTemplateTest) TestContainerSetSecurityContext() { // then securityContext := deployment.Spec.Template.Spec.Containers[0].SecurityContext s.Require().True(*securityContext.Privileged) - s.Require().EqualValues("NET_ADMIN", securityContext.Capabilities.Add[0]) } func (s *deploymentTemplateTest) TestContainerSetServiceAccountName() { diff --git a/charts/camunda-platform-alpha/test/unit/zeebe/statefulset_test.go b/charts/camunda-platform-alpha/test/unit/zeebe/statefulset_test.go index d3f6ea4eef..f23f15dcd0 100644 --- a/charts/camunda-platform-alpha/test/unit/zeebe/statefulset_test.go +++ b/charts/camunda-platform-alpha/test/unit/zeebe/statefulset_test.go @@ -536,7 +536,6 @@ func (s *statefulSetTest) TestContainerSetSecurityContext() { options := &helm.Options{ SetValues: map[string]string{ "zeebe.containerSecurityContext.privileged": "true", - "zeebe.containerSecurityContext.capabilities.add[0]": "NET_ADMIN", }, KubectlOptions: k8s.NewKubectlOptions("", "", s.namespace), } @@ -549,7 +548,6 @@ func (s *statefulSetTest) TestContainerSetSecurityContext() { // then securityContext := statefulSet.Spec.Template.Spec.Containers[0].SecurityContext s.Require().True(*securityContext.Privileged) - s.Require().EqualValues("NET_ADMIN", securityContext.Capabilities.Add[0]) } func (s *statefulSetTest) TestContainerSetServiceAccountName() { diff --git a/charts/camunda-platform-alpha/values.yaml b/charts/camunda-platform-alpha/values.yaml index d6374b1942..8870a6257e 100644 --- a/charts/camunda-platform-alpha/values.yaml +++ b/charts/camunda-platform-alpha/values.yaml 
@@ -46,7 +46,16 @@ global: existingSecret: ## @param global.license.existingSecretKey you can provide the key within the existing secret object for Camunda license key. existingSecretKey: - + ## @param global.compatibility.openshift.adaptSecurityContext + ## Compatibility adaptations for Kubernetes platforms + ## + compatibility: + ## Compatibility adaptations for Openshift + ## + openshift: + ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: force (perform the adaptation always), disabled (do not perform adaptation) + ## + adaptSecurityContext: disabled ## Multitenancy configuration. ## @extra global.multitenancy multitenancy: @@ -2240,6 +2249,16 @@ identityPostgresql: ## @param identityPostgresql.enabled Enable Identity PostgreSQL Helm chart. Required for Multi-Tenancy. ## enabled: false + global: + ## Compatibility adaptations for Kubernetes platforms + ## + compatibility: + ## Compatibility adaptations for Openshift + ## + openshift: + ## @param identityPostgresql.global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: force (perform the adaptation always), disabled (do not perform adaptation) + ## + adaptSecurityContext: "{{ .Values.global.compatibility.openshift.adaptSecurityContext | default \"disabled\" }}" # https://hub.docker.com/r/bitnami/postgresql/tags ## @param identityPostgresql.image.repository PostgreSQL repo ## @param identityPostgresql.image.tag PostgreSQL image tag 
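Review bot: The `## @param global.compatibility.openshift.adaptSecurityContext` line placed above `compatibility:` in the first hunk duplicates the real `@param` annotation on the `adaptSecurityContext` key, so the README generator will attribute `Compatibility adaptations for Kubernetes platforms` to the wrong key or emit the parameter twice; replace it with `## @extra global.compatibility Compatibility adaptations for Kubernetes platforms` or drop the line. In the @@ -2240 hunk (and the matching identityKeycloak block in the next hunk) `adaptSecurityContext` is given as the literal string `"{{ .Values.global.compatibility.openshift.adaptSecurityContext | default \"disabled\" }}"`; unless the chart renders subchart values through `tpl` before they reach the Bitnami subcharts (not visible here), the subchart helper compares that string against `force` and the adaptation silently never applies to the PostgreSQL and Keycloak pods, while `global.compatibility` set at the parent already propagates to subcharts through Helm's global merge. Either rely on that propagation and remove the per-subchart `global:` blocks, or add a unit test that renders the Keycloak StatefulSet with `force` and asserts `runAsUser` is absent. The option's description should also state that `force` applies on any cluster, not only OpenShift, since removing `fsGroup`/`runAsUser` on plain Kubernetes changes volume ownership and the effective UID.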
@@ -2276,6 +2295,16 @@ identityPostgresql: identityKeycloak: ## @param identityKeycloak.enabled Enable Identity Keycloak Helm chart. It is used incorporate with "global.identity.keycloak" to use your own Keycloak instead of the one comes with Camunda Helm chart enabled: true + global: + ## Compatibility adaptations for Kubernetes platforms + ## + compatibility: + ## Compatibility adaptations for Openshift + ## + openshift: + ## @param identityKeycloak.global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: force (perform the adaptation always), disabled (do not perform adaptation) + ## + adaptSecurityContext: "{{ .Values.global.compatibility.openshift.adaptSecurityContext | default \"disabled\" }}" ## @param identityKeycloak.nameOverride the name used for Keycloak. nameOverride: "keycloak" @@ -2283,7 +2312,7 @@ identityKeycloak: # https://hub.docker.com/r/bitnami/keycloak/tags image: ## @param identityKeycloak.image.repository image repo - repository: bitnami/keycloak + repository: camunda/keycloak ## @param identityKeycloak.image.tag image tag tag: 23.0.7 
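Review bot: Switching `identityKeycloak.image.repository` from `bitnami/keycloak` to `camunda/keycloak` moves the trust root of the Keycloak image to a different publisher while keeping the Bitnami-style tag `23.0.7`, and nothing in the hunk records what the new image is (presumably a Camunda build of the Bitnami image with the Identity theme baked in, given the copy-camunda-theme init container is removed further down in this file). Add a provenance comment above `repository:`, e.g. `# camunda/keycloak: Camunda's build of the Bitnami Keycloak image with the Identity theme included`, and if the subchart exposes `image.digest`, pin it alongside the tag so a retag upstream cannot silently change what is deployed. Please also confirm the `23.0.7` tag exists under the new repository. The `# https://hub.docker.com/r/bitnami/keycloak/tags` context line above `image:` now points at the old namespace and should be updated to the new image's tag list.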
@@ -2337,53 +2366,13 @@ identityKeycloak: ## @skip identityKeycloak.extraVolumes [object] Extra volumes for keycloak ## @skip identityKeycloak.extraVolumes[0].name ## @skip identityKeycloak.extraVolumes[0].emptyDir - ## @skip identityKeycloak.extraVolumes[1].name - ## @skip identityKeycloak.extraVolumes[1].emptyDir extraVolumes: - name: data-tmp emptyDir: {} - - name: camunda-theme - emptyDir: - sizeLimit: 10Mi - - initContainers: - ## @param identityKeycloak.initContainers[0].name - ## @param identityKeycloak.initContainers[0].image - ## @param identityKeycloak.initContainers[0].imagePullPolicy - ## @param identityKeycloak.initContainers[0].command - ## @param identityKeycloak.initContainers[0].securityContext.privileged - ## @param identityKeycloak.initContainers[0].securityContext.readOnlyRootFilesystem - ## @param identityKeycloak.initContainers[0].securityContext.allowPrivilegeEscalation - ## @param identityKeycloak.initContainers[0].securityContext.runAsNonRoot - ## @param identityKeycloak.initContainers[0].securityContext.runAsUser - ## @param identityKeycloak.initContainers[0].securityContext.capabilities.drop - ## @param identityKeycloak.initContainers[0].securityContext.seccompProfile.type - ## @param identityKeycloak.initContainers[0].volumeMounts[0].name - ## @param identityKeycloak.initContainers[0].volumeMounts[0].mountPath - - name: copy-camunda-theme - image: "{{ .Values.global.identity.image | default \"camunda/identity:latest\" }}" - imagePullPolicy: "{{ .Values.global.identity.imagePullPolicy | default \"Always\" }}" - command: ["sh", "-c", "cp -a /app/keycloak-theme/* /mnt"] - securityContext: - privileged: false - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - runAsNonRoot: true - runAsUser: 1001 - capabilities: - drop: ["ALL"] - seccompProfile: - type: RuntimeDefault - volumeMounts: - - name: camunda-theme - mountPath: /mnt + ## @param identityKeycloak.extraVolumeMounts[0].name ## @param 
identityKeycloak.extraVolumeMounts[0].mountPath - ## @param identityKeycloak.extraVolumeMounts[1].mountPath - ## @param identityKeycloak.extraVolumeMounts[1].name extraVolumeMounts: - - name: camunda-theme - mountPath: /opt/bitnami/keycloak/themes/identity - name: data-tmp mountPath: /opt/bitnami/keycloak/data/tmp @@ -3076,6 +3065,16 @@ postgresql: ## @param postgresql.enabled if true, a PostgreSQL database will be deployed as part of the Helm release by using the dependency chart # Note: If WebModeler is enabled, and WebModeler Postgresql is disabled, the external database configuration must be set under "webModeler.restapi.externalDatabase". enabled: false + global: + ## Compatibility adaptations for Kubernetes platforms + ## + compatibility: + ## Compatibility adaptations for Openshift + ## + openshift: + ## @param postgresql.global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: force (perform the adaptation always), disabled (do not perform adaptation) + ## + adaptSecurityContext: "{{ .Values.global.compatibility.openshift.adaptSecurityContext | default \"disabled\" }}" ## @param postgresql.nameOverride defines the name of the Postgres resources (names will be prefixed with the release name), see https://github.com/bitnami/charts/tree/main/bitnami/postgresql#common-parameters # Note: Don't use "postgresql" which is already used for Keycloak's database. nameOverride: postgresql-web-modeler 
@@ -3096,6 +3095,14 @@ postgresql: ## @param postgresql.auth.existingSecret can be used to provide the name of an existing secret resource containing the database password existingSecret: "" + ## @param postgresql.primary.containerSecurityContext.enabled + ## @param postgresql.primary.containerSecurityContext.allowPrivilegeEscalation + ## @param postgresql.primary.containerSecurityContext.privileged + ## @param postgresql.primary.containerSecurityContext.readOnlyRootFilesystem + ## @param postgresql.primary.containerSecurityContext.runAsNonRoot + ## @param postgresql.primary.containerSecurityContext.runAsUser + ## @param postgresql.primary.containerSecurityContext.capabilities.drop + ## @param postgresql.primary.containerSecurityContext.seccompProfile.type primary: containerSecurityContext: enabled: true @@ -3371,6 +3378,16 @@ connectors: elasticsearch: ## @param elasticsearch.enabled enabled: true + global: + ## Compatibility adaptations for Kubernetes platforms + ## + compatibility: + ## Compatibility adaptations for Openshift + ## + openshift: + ## @param elasticsearch.global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: force (perform the adaptation always), disabled (do not perform adaptation) + ## + adaptSecurityContext: "{{ .Values.global.compatibility.openshift.adaptSecurityContext | default \"disabled\" }}" # https://hub.docker.com/r/bitnami/elasticsearch/tags image: ## @param elasticsearch.image.repository
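Review bot: The eight new `## @param postgresql.primary.containerSecurityContext.*` lines carry no description, so the generated README table will show empty Description cells for exactly the knobs a hardening review cares about. Each should state what the field does and, for the UID fields, how they interact with the new compatibility switch, e.g. `## @param postgresql.primary.containerSecurityContext.runAsUser UID the PostgreSQL container runs as (presumably dropped when global.compatibility.openshift.adaptSecurityContext is force)` and `## @param postgresql.primary.containerSecurityContext.readOnlyRootFilesystem Mount the container root filesystem read-only`. The `primary:` block these lines document continues outside the hunk.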