Openshift support (permitio#287)

* Openshift support

* openshift support added

* openshift

* pre commit fix

* fix securityContext

* fix path volume

* fix permissions issue

Author: EliMoshkovich

charts/pdp/Chart.yaml

@@ -1,4 +1,13 @@
 apiVersion: v2
 name: pdp
-description: An official Helm chart for Permit.io PDP (Policy Decision Point)
-version: 0.0.4
+description: An official Helm chart for Permit.io PDP (Policy Decision Point) with OpenShift support
+version: 0.0.5
+keywords:
+  - policy
+  - authorization
+  - security
+  - permit
+  - openshift
+maintainers:
+  - name: Permit.io
+    url: https://permit.io

charts/pdp/templates/deployment.yaml

@@ -22,10 +22,27 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
     spec:
+      {{- if .Values.openshift.enabled }}
+      serviceAccountName: {{ .Values.openshift.serviceAccount.name }}
+      securityContext:
+        runAsNonRoot: {{ .Values.openshift.securityContext.runAsNonRoot }}
+        seccompProfile:
+          type: RuntimeDefault
+      {{- end }}
       containers:
         - name: permitio-pdp
           image: "{{ .Values.pdp.image.repository }}:{{ .Values.pdp.image.tag }}"
           imagePullPolicy: {{ .Values.pdp.image.pullPolicy }}
+          {{- if .Values.openshift.enabled }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - ALL
+            runAsNonRoot: {{ .Values.openshift.securityContext.runAsNonRoot }}
+            seccompProfile:
+              type: RuntimeDefault
+          {{- end }}
           ports:
             - containerPort: {{ .Values.pdp.port }}
           env:
@@ -90,10 +107,16 @@ spec:
               port: 7000
             initialDelaySeconds: 10
             periodSeconds: 10
-          {{- if .Values.pdp.logs_forwarder.enabled }}
           volumeMounts:
+          {{- if .Values.pdp.logs_forwarder.enabled }}
             - name: logs
               mountPath: /tmp/
+          {{- else if .Values.openshift.enabled }}
+            # OpenShift requires explicit writable volumes
+            - name: tmp-volume
+              mountPath: /tmp
+            - name: opa-volume
+              mountPath: /opa
           {{- end }}
         {{- if .Values.pdp.logs_forwarder.enabled }}
         - name: fluentbit
@@ -110,11 +133,17 @@ spec:
                 fieldRef:
                   fieldPath: metadata.labels['app']
         {{- end }}
-      {{- if .Values.pdp.logs_forwarder.enabled }}
       volumes:
+      {{- if .Values.pdp.logs_forwarder.enabled }}
         - name: fluent-bit-config
           configMap:
             name: fluentbit-config
         - name: logs
           emptyDir: {}
+      {{- else if .Values.openshift.enabled }}
+        # OpenShift writable volumes
+        - name: tmp-volume
+          emptyDir: {}
+        - name: opa-volume
+          emptyDir: {}
       {{- end }}

charts/pdp/templates/serviceaccount.yaml

@@ -0,0 +1,29 @@
+{{- if and .Values.openshift.enabled .Values.openshift.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.openshift.serviceAccount.name }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "pdp.labels" . | nindent 4 }}
+{{- end }}
+
+{{- if and .Values.openshift.enabled .Values.openshift.serviceAccount.create }}
+---
+# RoleBinding to allow the ServiceAccount to use the specified SCC
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ .Values.openshift.serviceAccount.name }}-scc-binding
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "pdp.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+  name: {{ .Values.openshift.serviceAccount.name }}
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: system:openshift:scc:{{ .Values.openshift.serviceAccount.sccName }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}

charts/pdp/values.yaml

@@ -7,6 +7,7 @@ pdp:
     # - name: custom_env
     #   value: "custom_env"
   ApiKey: "<your PDP API Key>"
+
   # Use an existing secret for the API key instead of creating one
   # If defined, the chart will not create a secret and will use this existing secret
   # existingApiKeySecret:
@@ -41,3 +42,17 @@ resources:
     memory: "512Mi"
   limits:
     memory: "1Gi"
+
+# OpenShift configuration
+openshift:
+  enabled: false  # Set to true for OpenShift deployments
+  serviceAccount:
+    create: true
+    name: "permitio-pdp-sa"
+    sccName: "restricted-v2"  # OpenShift Security Context Constraint
+  # Security context (SCC will override user/group settings automatically)
+  securityContext:
+    runAsNonRoot: true
+    runAsUser: 1001
+    runAsGroup: 1001
+    fsGroup: 1001