[common] Fix/set securitycontext based on targetplatform to comply with openshift clusters (CloudPirates-io#166)

* Add a helper function to render the securitycontext based on the target platform for openshift compatibility

* Bump Chartversion

* Fix openshift detection function

* Remove unneeded indent

* Add Readme to common helm chart

* Add newline to common values.yaml

* Revert SecurityContext changes that the github action check dosn't fails

* Bump zookeeper and nginx Chart version

---------

Co-authored-by: Pascal Freund <[email protected]>

Author: pascalfreundsrf

charts/common/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: common
 description: A library chart for common templates and helper functions
 type: library
-version: 1.0.0
+version: 1.1.0
 appVersion: "1.0.0"
 
 home: https://www.cloudpirates.io

charts/common/README.md

@@ -0,0 +1,24 @@
+# Common Helm Chart
+
+### Example config for OpenShift Clusters
+The `_helpers.tpl` detects for `route.openshift.io/v1` to determine the target platform.
+If the target platform is Openshift, following fields are beeing removed if you use `{{ include "common.renderContainerSecurityContext" . }}` or `{{ include "common.renderPodSecurityContext" . }}` in the Chart to render the SecurityContext.
+```yaml
+fsGroup:
+runAsUser:
+runAsGroup:
+seLinuxOptions:
+```
+
+Example usage:
+```yaml
+apiVersion: apps/v1
+kind: StatefulSet
+spec:
+  template:
+    spec:
+      securityContext: {{ include "common.renderPodSecurityContext" . }}
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext: {{ include "common.renderContainerSecurityContext" . }}
+```

charts/common/templates/_helpers.tpl

@@ -247,4 +247,42 @@ imagePullSecrets:
   - name: {{ . }}
     {{- end }}
   {{- end }}
-{{- end -}}
+{{- end -}}
+
+{{/*
+Detect if the target platform is OpenShift (via .Values.targetPlatform or API group).
+Usage: {{ include "common.isOpenshift" . }}
+*/}}
+{{- define "common.isOpenshift" -}}
+{{- if or (eq (lower (default "" .Values.targetPlatform)) "openshift") (.Capabilities.APIVersions.Has "route.openshift.io/v1") -}}
+true
+{{- else -}}
+false
+{{- end -}}
+{{- end }}
+
+{{/*
+Render podSecurityContext, omitting runAsUser, runAsGroup, fsGroup, and seLinuxOptions if OpenShift is detected.
+Usage: {{ include "common.renderPodSecurityContext" . }}
+*/}}
+{{- define "common.renderPodSecurityContext" -}}
+{{- $isOpenshift := include "common.isOpenshift" . | trim }}
+{{- if eq $isOpenshift "true" }}
+{{- omit .Values.podSecurityContext "runAsUser" "runAsGroup" "fsGroup" "seLinuxOptions" | toYaml }}
+{{- else }}
+{{- toYaml .Values.podSecurityContext | nindent 8 }}
+{{- end }}
+{{- end }}
+
+{{/*
+Render containerSecurityContext, omitting runAsUser, runAsGroup, and seLinuxOptions if OpenShift is detected.
+Usage: {{ include "common.renderContainerSecurityContext" . }}
+*/}}
+{{- define "common.renderContainerSecurityContext" -}}
+{{- $isOpenshift := include "common.isOpenshift" . | trim }}
+{{- if eq $isOpenshift "true" }}
+{{- omit .Values.containerSecurityContext "runAsUser" "runAsGroup" "seLinuxOptions" | toYaml }}
+{{- else }}
+{{- toYaml .Values.containerSecurityContext | nindent 12 }}
+{{- end }}
+{{- end }}

charts/common/values.yaml

@@ -1,2 +1,2 @@
 # This is a library chart, so it doesn't define any values.
-# All values are defined in the consuming charts.
+# All values are defined in the consuming charts.

charts/nginx/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: nginx
 description: Nginx is a high-performance HTTP server and reverse proxy.
 type: application
-version: 0.1.7
+version: 0.1.8
 appVersion: "1.29.1"
 keywords:
   - nginx

charts/nginx/templates/deployment.yaml

@@ -263,4 +263,4 @@ spec:
       {{- with .Values.tolerations }}
       tolerations:
         {{- toYaml . | nindent 8 }}
-      {{- end }}
+      {{- end }}

charts/zookeeper/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: zookeeper
 description: Apache ZooKeeper is a centralized service for maintaining configuration information, naming, providing distributed synchronization, and providing group services.
 type: application
-version: 0.1.1
+version: 0.1.2
 appVersion: "3.9.3"
 keywords:
   - zookeeper

charts/zookeeper/README.md

@@ -23,18 +23,6 @@ To install with custom values:
 helm install my-zookeeper ./charts/zookeeper -f values.yaml
 ```
 
-#### Example config for OpenShift Clusters
-To run this chart in an OpenShift cluster, the following security values must be empty:
-```yaml
-zookeeper:
-  containerSecurityContext:
-    runAsUser:
-    runAsGroup:
-    seLinuxOptions:
-  podSecurityContext:
-    fsGroup:
-```
-
 
 ### Getting Started
 

charts/zookeeper/values.yaml

@@ -78,6 +78,7 @@ metrics:
     ## @param metrics.service.ports.port Zookeeper metrics service port
     port: 7000
 
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
 ## @section MariaDB Container Security Context
 containerSecurityContext:
   ## @param containerSecurityContext.runAsUser Set MariaDB container's Security Context runAsUser
@@ -102,6 +103,7 @@ containerSecurityContext:
   seccompProfile:
     type: RuntimeDefault
 
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
 ## @section Security Context
 podSecurityContext:
   ## @param podSecurityContext.fsGroup Group ID for the volumes of the pod