Merge branch 'main' into fix/correct-resource-names

alexstojda · web-flow · commit 757879917d1f · 2025-10-16T10:52:12.000-04:00
diff --git a/charts/pdp/Chart.yaml b/charts/pdp/Chart.yaml
@@ -1,4 +1,13 @@
 apiVersion: v2
 name: pdp
-description: An official Helm chart for Permit.io PDP (Policy Decision Point)
-version: 0.0.4
+description: An official Helm chart for Permit.io PDP (Policy Decision Point) with OpenShift support
+version: 0.0.5
+keywords:
+  - policy
+  - authorization
+  - security
+  - permit
+  - openshift
+maintainers:
+  - name: Permit.io
+    url: https://permit.io
diff --git a/charts/pdp/templates/deployment.yaml b/charts/pdp/templates/deployment.yaml
@@ -26,10 +26,27 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
     spec:
+      {{- if .Values.openshift.enabled }}
+      serviceAccountName: {{ .Values.openshift.serviceAccount.name }}
+      securityContext:
+        runAsNonRoot: {{ .Values.openshift.securityContext.runAsNonRoot }}
+        seccompProfile:
+          type: RuntimeDefault
+      {{- end }}
       containers:
         - name: permitio-pdp
           image: "{{ .Values.pdp.image.repository }}:{{ .Values.pdp.image.tag }}"
           imagePullPolicy: {{ .Values.pdp.image.pullPolicy }}
+          {{- if .Values.openshift.enabled }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - ALL
+            runAsNonRoot: {{ .Values.openshift.securityContext.runAsNonRoot }}
+            seccompProfile:
+              type: RuntimeDefault
+          {{- end }}
           ports:
             - containerPort: {{ .Values.pdp.port }}
           env:
@@ -94,10 +111,16 @@ spec:
               port: 7000
             initialDelaySeconds: 10
             periodSeconds: 10
-          {{- if .Values.pdp.logs_forwarder.enabled }}
           volumeMounts:
+          {{- if .Values.pdp.logs_forwarder.enabled }}
             - name: logs
               mountPath: /tmp/
+          {{- else if .Values.openshift.enabled }}
+            # OpenShift requires explicit writable volumes
+            - name: tmp-volume
+              mountPath: /tmp
+            - name: opa-volume
+              mountPath: /opa
           {{- end }}
         {{- if .Values.pdp.logs_forwarder.enabled }}
         - name: fluentbit
@@ -114,11 +137,17 @@ spec:
                 fieldRef:
                   fieldPath: metadata.labels['app']
         {{- end }}
-      {{- if .Values.pdp.logs_forwarder.enabled }}
       volumes:
+      {{- if .Values.pdp.logs_forwarder.enabled }}
         - name: fluent-bit-config
           configMap:
             name: fluentbit-config
         - name: logs
           emptyDir: {}
+      {{- else if .Values.openshift.enabled }}
+        # OpenShift writable volumes
+        - name: tmp-volume
+          emptyDir: {}
+        - name: opa-volume
+          emptyDir: {}
       {{- end }}
diff --git a/charts/pdp/templates/serviceaccount.yaml b/charts/pdp/templates/serviceaccount.yaml
@@ -0,0 +1,29 @@
+{{- if and .Values.openshift.enabled .Values.openshift.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.openshift.serviceAccount.name }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "pdp.labels" . | nindent 4 }}
+{{- end }}
+
+{{- if and .Values.openshift.enabled .Values.openshift.serviceAccount.create }}
+---
+# RoleBinding to allow the ServiceAccount to use the specified SCC
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ .Values.openshift.serviceAccount.name }}-scc-binding
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "pdp.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+  name: {{ .Values.openshift.serviceAccount.name }}
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: system:openshift:scc:{{ .Values.openshift.serviceAccount.sccName }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
diff --git a/charts/pdp/values.yaml b/charts/pdp/values.yaml
@@ -26,6 +26,7 @@ pdp:
     # - name: custom_env
     #   value: "custom_env"
   ApiKey: "<your PDP API Key>"
+
   # Use an existing secret for the API key instead of creating one
   # If defined, the chart will not create a secret and will use this existing secret
   # existingApiKeySecret:
@@ -60,3 +61,17 @@ resources:
     memory: "512Mi"
   limits:
     memory: "1Gi"
+
+# OpenShift configuration
+openshift:
+  enabled: false  # Set to true for OpenShift deployments
+  serviceAccount:
+    create: true
+    name: "permitio-pdp-sa"
+    sccName: "restricted-v2"  # OpenShift Security Context Constraint
+  # Security context (SCC will override user/group settings automatically)
+  securityContext:
+    runAsNonRoot: true
+    runAsUser: 1001
+    runAsGroup: 1001
+    fsGroup: 1001
diff --git a/pdp-server/src/api/authzen/errors.rs b/pdp-server/src/api/authzen/errors.rs
@@ -3,7 +3,6 @@ use axum::{
     response::{IntoResponse, Response},
 };
 use serde::{Deserialize, Serialize};
-use utoipa::ToSchema;
 
 /// AuthZen error codes as defined in the specification
 #[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
@@ -35,14 +34,6 @@ pub struct AuthZenError {
     pub message: String,
 }
 
-/// AuthZen error details for OpenAPI documentation only
-/// This is NOT used in actual responses, only for OpenAPI schema generation
-#[derive(Debug, Serialize, Deserialize, ToSchema)]
-pub struct AuthZenErrorDetails {
-    pub code: String,
-    pub message: String,
-}
-
 impl AuthZenError {
     /// Create a new AuthZen error
     pub fn new(code: AuthZenErrorCode, message: impl Into<String>) -> Self {
diff --git a/pdp-server/src/cache/mod.rs b/pdp-server/src/cache/mod.rs
@@ -1,5 +1,5 @@
 use log::error;
-use serde::{de::DeserializeOwned, Deserialize, Serialize};
+use serde::{de::DeserializeOwned, Serialize};
 use thiserror::Error;
 
 pub mod memory;
@@ -19,12 +19,6 @@ pub enum CacheError {
     Config(String),
 }
 
-#[derive(Debug, Serialize, Deserialize)]
-struct CacheValue {
-    data: String,
-    expires_at: u64,
-}
-
 /// Cache trait defining the interface for all cache implementations.
 ///
 /// This trait represents the contract that all cache backends must fulfill.
diff --git a/pdp-server/src/opa_client/user_permissions.rs b/pdp-server/src/opa_client/user_permissions.rs
@@ -127,6 +127,7 @@ pub struct UserPermissionsResult {
 }
 // Define a newtype wrapper for HashMap<String, UserPermissionsResult>
 #[derive(Debug, Serialize, Deserialize, Clone, PartialEq, ToSchema)]
+#[allow(dead_code)] // Used for OpenAPI documentation generation
 pub struct UserPermissionsResults(pub HashMap<String, UserPermissionsResult>);
 
 // Implement IntoResponse for our newtype

Original file line number	Diff line number	Diff line change
`@@ -127,6 +127,7 @@ pub struct UserPermissionsResult {`
`127`	`127`	`}`
`128`	`128`	`// Define a newtype wrapper for HashMap<String, UserPermissionsResult>`
`129`	`129`	`#[derive(Debug, Serialize, Deserialize, Clone, PartialEq, ToSchema)]`
	`130`	`+#[allow(dead_code)] // Used for OpenAPI documentation generation`
`130`	`131`	`pub struct UserPermissionsResults(pub HashMap<String, UserPermissionsResult>);`
`131`	`132`
`132`	`133`	`// Implement IntoResponse for our newtype`