Openshift support

EliMoshkovich · EliMoshkovich · commit 3d04f4abca35 · 2025-09-09T20:41:15.000-07:00
diff --git a/charts/pdp/Chart.yaml b/charts/pdp/Chart.yaml
@@ -1,4 +1,13 @@
 apiVersion: v2
 name: pdp
-description: An official Helm chart for Permit.io PDP (Policy Decision Point)
-version: 0.0.4
+description: An official Helm chart for Permit.io PDP (Policy Decision Point) with OpenShift support
+version: 0.0.5
+keywords:
+  - policy
+  - authorization
+  - security
+  - permit
+  - openshift
+maintainers:
+  - name: Permit.io
+    url: https://permit.io
diff --git a/charts/pdp/templates/deployment.yaml b/charts/pdp/templates/deployment.yaml
@@ -22,10 +22,83 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
     spec:
+      {{- if .Values.openshift.enabled }}
+      serviceAccountName: {{ .Values.openshift.serviceAccount.name }}
+      # OpenShift-compatible pod security context
+      securityContext:
+        {{- if .Values.openshift.securityContext.pod.runAsNonRoot }}
+        runAsNonRoot: {{ .Values.openshift.securityContext.pod.runAsNonRoot }}
+        {{- end }}
+        {{- if .Values.openshift.securityContext.pod.runAsUser }}
+        runAsUser: {{ .Values.openshift.securityContext.pod.runAsUser }}
+        {{- end }}
+        {{- if .Values.openshift.securityContext.pod.runAsGroup }}
+        runAsGroup: {{ .Values.openshift.securityContext.pod.runAsGroup }}
+        {{- end }}
+        {{- if .Values.openshift.securityContext.pod.fsGroup }}
+        fsGroup: {{ .Values.openshift.securityContext.pod.fsGroup }}
+        {{- end }}
+        seccompProfile:
+          type: RuntimeDefault
+      {{- else }}
+      # Standard Kubernetes security context
+      securityContext:
+        {{- if .Values.securityContext.standard.pod.runAsNonRoot }}
+        runAsNonRoot: {{ .Values.securityContext.standard.pod.runAsNonRoot }}
+        {{- end }}
+        {{- if .Values.securityContext.standard.pod.runAsUser }}
+        runAsUser: {{ .Values.securityContext.standard.pod.runAsUser }}
+        {{- end }}
+        {{- if .Values.securityContext.standard.pod.runAsGroup }}
+        runAsGroup: {{ .Values.securityContext.standard.pod.runAsGroup }}
+        {{- end }}
+        {{- if .Values.securityContext.standard.pod.fsGroup }}
+        fsGroup: {{ .Values.securityContext.standard.pod.fsGroup }}
+        {{- end }}
+        seccompProfile:
+          type: RuntimeDefault
+      {{- end }}
       containers:
         - name: permitio-pdp
           image: "{{ .Values.pdp.image.repository }}:{{ .Values.pdp.image.tag }}"
           imagePullPolicy: {{ .Values.pdp.image.pullPolicy }}
+          {{- if .Values.openshift.enabled }}
+          # OpenShift-compatible container security context
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - ALL
+            {{- if .Values.openshift.securityContext.container.runAsNonRoot }}
+            runAsNonRoot: {{ .Values.openshift.securityContext.container.runAsNonRoot }}
+            {{- end }}
+            {{- if .Values.openshift.securityContext.container.runAsUser }}
+            runAsUser: {{ .Values.openshift.securityContext.container.runAsUser }}
+            {{- end }}
+            {{- if .Values.openshift.securityContext.container.runAsGroup }}
+            runAsGroup: {{ .Values.openshift.securityContext.container.runAsGroup }}
+            {{- end }}
+            seccompProfile:
+              type: RuntimeDefault
+          {{- else }}
+          # Standard Kubernetes container security context
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - ALL
+            {{- if .Values.securityContext.standard.container.runAsNonRoot }}
+            runAsNonRoot: {{ .Values.securityContext.standard.container.runAsNonRoot }}
+            {{- end }}
+            {{- if .Values.securityContext.standard.container.runAsUser }}
+            runAsUser: {{ .Values.securityContext.standard.container.runAsUser }}
+            {{- end }}
+            {{- if .Values.securityContext.standard.container.runAsGroup }}
+            runAsGroup: {{ .Values.securityContext.standard.container.runAsGroup }}
+            {{- end }}
+            seccompProfile:
+              type: RuntimeDefault
+          {{- end }}
           ports:
             - containerPort: {{ .Values.pdp.port }}
           env:
@@ -90,10 +163,16 @@ spec:
               port: 7000
             initialDelaySeconds: 10
             periodSeconds: 10
-          {{- if .Values.pdp.logs_forwarder.enabled }}
           volumeMounts:
+          {{- if .Values.pdp.logs_forwarder.enabled }}
             - name: logs
               mountPath: /tmp/
+          {{- else if .Values.openshift.enabled }}
+            # OpenShift filesystem permissions volume mounts
+            - name: tmp-volume
+              mountPath: /tmp
+            - name: opa-volume
+              mountPath: /opa
           {{- end }}
         {{- if .Values.pdp.logs_forwarder.enabled }}
         - name: fluentbit
@@ -110,11 +189,17 @@ spec:
                 fieldRef:
                   fieldPath: metadata.labels['app']
         {{- end }}
-      {{- if .Values.pdp.logs_forwarder.enabled }}
       volumes:
+      {{- if .Values.pdp.logs_forwarder.enabled }}
         - name: fluent-bit-config
           configMap:
             name: fluentbit-config
         - name: logs
           emptyDir: {}
+      {{- else if .Values.openshift.enabled }}
+        # OpenShift filesystem permissions volumes
+        - name: tmp-volume
+          emptyDir: {}
+        - name: opa-volume
+          emptyDir: {}
       {{- end }}
diff --git a/charts/pdp/templates/serviceaccount.yaml b/charts/pdp/templates/serviceaccount.yaml
@@ -0,0 +1,29 @@
+{{- if and .Values.openshift.enabled .Values.openshift.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.openshift.serviceAccount.name }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "pdp.labels" . | nindent 4 }}
+{{- end }}
+
+{{- if and .Values.openshift.enabled .Values.openshift.serviceAccount.create }}
+---
+# RoleBinding to allow the ServiceAccount to use the specified SCC
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ .Values.openshift.serviceAccount.name }}-scc-binding
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "pdp.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+  name: {{ .Values.openshift.serviceAccount.name }}
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: system:openshift:scc:{{ .Values.openshift.serviceAccount.sccName }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
diff --git a/charts/pdp/values.yaml b/charts/pdp/values.yaml
@@ -3,10 +3,9 @@ annotations: {}
 
 pdp:
   pdpEnvs:
-    []
-    # - name: custom_env
-    #   value: "custom_env"
-  ApiKey: "<your PDP API Key>"
+    - name: PDP_CONTROL_PLANE
+      value: "http://permit-backend-v2:8000"
+  ApiKey: "permit_key_kymHPKiIiUGklAMnSJfqEE9YRNCsFn52SQzFO2eCnwLfnEgQ7kg8HvuV7MOedG30IfGinaAgq9nYSoJTOArJf6"
   # Use an existing secret for the API key instead of creating one
   # If defined, the chart will not create a secret and will use this existing secret
   # existingApiKeySecret:
@@ -41,3 +40,40 @@ resources:
     memory: "512Mi"
   limits:
     memory: "1Gi"
+
+# OpenShift configuration
+openshift:
+  enabled: false  # Set to true for OpenShift deployments
+  # ServiceAccount configuration for OpenShift compatibility
+  serviceAccount:
+    create: true
+    name: "permitio-pdp-sa"
+    sccName: "restricted-v2"  # OpenShift Security Context Constraint
+  # Security context configuration for OpenShift
+  securityContext:
+    # Pod security context (applied to all containers in pod)
+    pod:
+      runAsNonRoot: true
+      # runAsUser: null  # OpenShift SCC assigns UID automatically
+      # runAsGroup: null  # OpenShift SCC assigns GID automatically  
+      # fsGroup: null  # OpenShift SCC assigns fsGroup automatically
+    # Container security context (applied to individual containers)
+    container:
+      runAsNonRoot: true
+      # runAsUser: null  # OpenShift SCC assigns UID automatically
+      # runAsGroup: null  # OpenShift SCC assigns GID automatically
+
+# Standard Kubernetes security contexts (used when openshift.enabled: false)
+securityContext:
+  standard:
+    # Pod security context (applied to all containers in pod)
+    pod:
+      runAsNonRoot: true
+      runAsUser: 1001
+      runAsGroup: 1001
+      fsGroup: 1001
+    # Container security context (applied to individual containers)
+    container:
+      runAsNonRoot: true
+      runAsUser: 1001
+      runAsGroup: 1001
