diff --git a/templates/deployment-client.yaml b/templates/deployment-client.yaml index 45a982a..2129e30 100644 --- a/templates/deployment-client.yaml +++ b/templates/deployment-client.yaml @@ -21,6 +21,14 @@ spec: imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} + {{- if or .Values.openshift.enabled .Values.client.securityContext }} + securityContext: + {{- if .Values.client.securityContext }} + {{- toYaml .Values.client.securityContext | nindent 8 }} + {{- else if .Values.openshift.enabled }} + {{- toYaml .Values.openshift.securityContext | nindent 8 }} + {{- end }} + {{- end }} {{- if .Values.client.opaStartupData }} volumes: - name: opa-startup-data @@ -32,6 +40,14 @@ spec: - name: opal-client image: {{ include "opal.clientImage" . | quote }} imagePullPolicy: {{ .Values.client.imagePullPolicy | default "IfNotPresent" | quote }} + {{- if or .Values.openshift.enabled .Values.client.containerSecurityContext }} + securityContext: + {{- if .Values.client.containerSecurityContext }} + {{- toYaml .Values.client.containerSecurityContext | nindent 12 }} + {{- else if .Values.openshift.enabled }} + {{- toYaml .Values.openshift.containerSecurityContext | nindent 12 }} + {{- end }} + {{- end }} ports: - name: http containerPort: {{ .Values.client.port }} @@ -95,4 +111,4 @@ spec: {{- toYaml .Values.client.resources | nindent 12 }} {{- end }} {{- end }} -{{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/deployment-pgsql.yaml b/templates/deployment-pgsql.yaml index bded5c6..d626cc5 100644 --- a/templates/deployment-pgsql.yaml +++ b/templates/deployment-pgsql.yaml 
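Review bot: An explicit component securityContext replaces the OpenShift defaults instead of extending them — in the new `{{- if .Values.client.securityContext }}` / `{{- else if .Values.openshift.enabled }}` chain, a user who sets only `runAsUser` in `client.containerSecurityContext` on an OpenShift install silently loses `runAsNonRoot: true` and `allowPrivilegeEscalation: false`. Either document that precedence in values.yaml (`# Replaces (does not merge with) openshift.containerSecurityContext when set`) or merge the two in the OpenShift branch, e.g. `{{- toYaml (mergeOverwrite (deepCopy .Values.openshift.containerSecurityContext) .Values.client.containerSecurityContext) | nindent 12 }}`. The same eight-line block is repeated in the second hunk of this file and at every pod/container site of deployment-pgsql.yaml and deployment-server.yaml, so the precedence rule now lives in seven places; a named template such as the one below, called as `include "opal.securityContext" (dict "component" .Values.client.securityContext "openshift" .Values.openshift "key" "securityContext") | nindent 6`, would keep it in one. The enclosing `spec:` block starts before this hunk.
```yaml
{{/*
Render a securityContext for one component. An explicit component value wins;
the openshift.* default is used only when openshift.enabled is true and the
component value is empty. Emits nothing when neither applies.
*/}}
{{- define "opal.securityContext" -}}
{{- $ctx := .component -}}
{{- if and (not $ctx) .openshift.enabled -}}
{{- $ctx = index .openshift .key -}}
{{- end -}}
{{- with $ctx -}}
securityContext:
  {{- toYaml . | nindent 2 }}
{{- end -}}
{{- end -}}
```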
@@ -20,10 +20,36 @@ spec: imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} + {{- if or .Values.openshift.enabled .Values.postgresql.securityContext }} + securityContext: + {{- if .Values.postgresql.securityContext }} + {{- toYaml .Values.postgresql.securityContext | nindent 8 }} + {{- else if .Values.openshift.enabled }} + {{- toYaml .Values.openshift.securityContext | nindent 8 }} + {{- end }} + {{- end }} + {{- if .Values.openshift.enabled }} + volumes: + - name: postgres-data + emptyDir: {} + {{- end }} containers: - name: pgsql image: {{ include "opal.pgsqlImage" . | quote }} imagePullPolicy: IfNotPresent + {{- if or .Values.openshift.enabled .Values.postgresql.containerSecurityContext }} + securityContext: + {{- if .Values.postgresql.containerSecurityContext }} + {{- toYaml .Values.postgresql.containerSecurityContext | nindent 12 }} + {{- else if .Values.openshift.enabled }} + {{- toYaml .Values.openshift.containerSecurityContext | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.openshift.enabled }} + volumeMounts: + - mountPath: /var/lib/postgresql/data + name: postgres-data + {{- end }} ports: - name: pgsql containerPort: 5432 @@ -35,5 +61,15 @@ spec: value: postgres - name: POSTGRES_PASSWORD value: postgres + {{- if .Values.openshift.enabled }} + - name: PGDATA + value: "/var/lib/postgresql/data/pgdata" + {{- end }} + {{- if .Values.postgresql.extraEnv }} + {{- range $name, $value := .Values.postgresql.extraEnv }} + - name: {{ $name }} + value: {{ $value | quote }} + {{- end }} + {{- end }} {{- end }} -{{- end }} +{{- end }} \ No newline at end of file diff --git a/templates/deployment-server.yaml b/templates/deployment-server.yaml index b159ad1..0ad9e6b 100644 --- a/templates/deployment-server.yaml +++ b/templates/deployment-server.yaml 
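Review bot: Under `openshift.enabled` the PostgreSQL data directory becomes an `emptyDir` (volume `postgres-data`, mounted at `/var/lib/postgresql/data` with `PGDATA` pointed at a subdirectory), so the database is recreated on every pod restart or reschedule, and nothing in values.yaml says so; add `# On OpenShift the data directory is an emptyDir and does not survive pod restarts` next to the openshift block, or make the volume overridable. In the new `extraEnv` loop the name is emitted unquoted while the value is quoted; use `- name: {{ $name | quote }}` so all-digit or boolean-looking names are not retyped by the YAML parser. Note also that `extraEnv` only renders literal `value:` entries, so anything sensitive placed there lands in plain text in the Deployment manifest — a `valueFrom`/`envFrom` path would let credentials come from a Secret instead. Both hunks sit inside a wrapper whose opening conditional is outside the diff.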
@@ -21,6 +21,14 @@ spec: imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} + {{- if or .Values.openshift.enabled .Values.server.securityContext }} + securityContext: + {{- if .Values.server.securityContext }} + {{- toYaml .Values.server.securityContext | nindent 8 }} + {{- else if .Values.openshift.enabled }} + {{- toYaml .Values.openshift.securityContext | nindent 8 }} + {{- end }} + {{- end }} {{- if .Values.e2e }} volumes: - name: e2e @@ -29,11 +37,25 @@ spec: configMap: name: policy-repo-data defaultMode: 0755 + {{- else if .Values.openshift.enabled }} + volumes: + - name: jwks-dir + emptyDir: {} + {{- end }} + {{- if .Values.e2e }} initContainers: - name: git-init image: {{ include "opal.serverImage" . | quote }} imagePullPolicy: IfNotPresent + {{- if or .Values.openshift.enabled .Values.server.containerSecurityContext }} + securityContext: + {{- if .Values.server.containerSecurityContext }} + {{- toYaml .Values.server.containerSecurityContext | nindent 12 }} + {{- else if .Values.openshift.enabled }} + {{- toYaml .Values.openshift.containerSecurityContext | nindent 12 }} + {{- end }} + {{- end }} volumeMounts: - mountPath: /opt/e2e name: e2e @@ -63,6 +85,14 @@ spec: - name: opal-server image: {{ include "opal.serverImage" . | quote }} imagePullPolicy: {{ .Values.server.imagePullPolicy | default "IfNotPresent" | quote }} + {{- if or .Values.openshift.enabled .Values.server.containerSecurityContext }} + securityContext: + {{- if .Values.server.containerSecurityContext }} + {{- toYaml .Values.server.containerSecurityContext | nindent 12 }} + {{- else if .Values.openshift.enabled }} + {{- toYaml .Values.openshift.containerSecurityContext | nindent 12 }} + {{- end }} + {{- end }} {{- if .Values.e2e }} volumeMounts: - mountPath: /opt/e2e/policy-repo-data 
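Review bot: The `jwks-dir` volume hangs off an `else if` of the e2e branch, so when both `e2e` and `openshift.enabled` are set the emptyDir is neither declared here nor mounted (the `{{- else if .Values.openshift.enabled }}` added to the `volumeMounts` list in the `@@ -70,6 +100,10 @@` hunk has the same shape), leaving the non-root server without a writable `/opal/jwks_dir` in exactly the e2e-on-OpenShift case. Emit `volumes:` when either flag is set and guard each entry independently, as sketched below, and do the same for the two `volumeMounts` lists. The second `{{- if .Values.e2e }}` that reopens the initContainers block could then fold back into a single conditional. The enclosing `spec:` starts before the hunk.
```yaml
      {{- if or .Values.e2e .Values.openshift.enabled }}
      volumes:
      {{- if .Values.e2e }}
        {{/* … unchanged: e2e volume entries … */}}
      {{- end }}
      {{- if .Values.openshift.enabled }}
        - name: jwks-dir
          emptyDir: {}
      {{- end }}
      {{- end }}
```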
@@ -70,6 +100,10 @@ spec: readOnly: true - mountPath: /opt/e2e name: e2e + {{- else if .Values.openshift.enabled }} + volumeMounts: + - mountPath: /opal/jwks_dir + name: jwks-dir {{- end }} ports: - name: http @@ -139,4 +173,4 @@ spec: {{- toYaml .Values.server.resources | nindent 12 }} {{- end }} {{- end }} -{{- end }} +{{- end }} \ No newline at end of file diff --git a/values.schema.json b/values.schema.json index f138b52..918d189 100644 --- a/values.schema.json +++ b/values.schema.json @@ -28,11 +28,44 @@ }, "external_source_url": {"type": "string", "title": "url to external data source"} } + }, + "SecurityContext": { + "type": "object", + "title": "SecurityContext", + "additionalProperties": true, + "properties": { + "runAsUser": { "type": "integer" }, + "runAsGroup": { "type": "integer" }, + "fsGroup": { "type": "integer" } + } + }, + "ContainerSecurityContext": { + "type": "object", + "title": "ContainerSecurityContext", + "additionalProperties": true, + "properties": { + "runAsNonRoot": { "type": "boolean" }, + "allowPrivilegeEscalation": { "type": "boolean" } + } } }, "type": "object", "required": ["image"], "properties": { + "openshift": { + "type": "object", + "title": "OpenShift compatibility settings", + "additionalProperties": false, + "properties": { + "enabled": { + "type": "boolean", + "title": "Enable OpenShift compatibility", + "default": false + }, + "securityContext": { "$ref": "#/definitions/SecurityContext" }, + "containerSecurityContext": { "$ref": "#/definitions/ContainerSecurityContext" } + } + }, "image": { "type": "object", "title": "image", "additionalProperties": false, "required": ["server", "client", "pgsql"], 
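Review bot: The new `SecurityContext` definition accepts any integer for `runAsUser`, `runAsGroup` and `fsGroup`, so a negative value passes `helm lint` and only fails at API admission; add a lower bound to the three entries, e.g. `"runAsUser": { "type": "integer", "minimum": 0 }`. Because the definition keeps `"additionalProperties": true`, the remaining Kubernetes securityContext fields can still be passed through, so the bound restricts nothing legitimate.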
@@ -118,6 +151,8 @@ "type": ["null", "object"], "additionalProperties": false, "title": "opal server settings", "required": ["port", "policyRepoUrl", "pollingInterval", "dataConfigSources", "broadcastPgsql", "uvicornWorkers", "replicas"], "properties": { + "securityContext": { "$ref": "#/definitions/SecurityContext" }, + "containerSecurityContext": { "$ref": "#/definitions/ContainerSecurityContext" }, "enabled": { "type": "boolean", "title": "enable server", "default": true }, @@ -181,6 +216,8 @@ "type": ["null", "object"], "additionalProperties": false, "title": "opal client settings", "required": ["port", "opaPort", "replicas"], "properties": { + "securityContext": { "$ref": "#/definitions/SecurityContext" }, + "containerSecurityContext": { "$ref": "#/definitions/ContainerSecurityContext" }, "enabled": { "type": "boolean", "title": "enable client", "default": true }, @@ -220,6 +257,20 @@ "title": "when kubelet should pull specified image" } } + }, + "postgresql": { + "type": ["null", "object"], + "additionalProperties": false, + "title": "PostgreSQL settings", + "properties": { + "securityContext": { "$ref": "#/definitions/SecurityContext" }, + "containerSecurityContext": { "$ref": "#/definitions/ContainerSecurityContext" }, + "extraEnv": { + "type": "object", + "title": "extra environment variables list", + "default": {} + } + } } } } diff --git a/values.yaml b/values.yaml index dd6b9ff..6d55f58 100644 --- a/values.yaml +++ b/values.yaml @@ -1,3 +1,13 @@ +openshift: + enabled: false + securityContext: + runAsUser: 1010180000 + runAsGroup: 1010180000 + fsGroup: 1010180000 + containerSecurityContext: + runAsNonRoot: true + allowPrivilegeEscalation: false + image: client: registry: docker.io @@ -21,7 +31,7 @@ server: # Option #1 - No data sources config: entries: [] - + # Option #2 - Dynamically get data sources # external_source_url: "https://your-api.com/path/to/api/endpoint" 
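Review bot: `postgresql` is declared `"type": ["null", "object"]`, so `postgresql: null` (or a bare `postgresql:`) validates, yet deployment-pgsql.yaml dereferences `.Values.postgresql.securityContext` on every path and rendering then aborts with a nil-pointer evaluation error rather than a schema message; declaring it `"type": "object"` (or guarding the template with `default dict`) keeps the schema honest. `extraEnv` is a map keyed by variable name, not a list, so `"title": "extra environment variables list"` should read `"extra environment variables (map of name to value)"` to match the `range $name, $value` loop that consumes it.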
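Review bot: The OpenShift defaults hard-code `runAsUser`/`runAsGroup`/`fsGroup: 1010180000`, which looks like one cluster's project UID range; the restricted SCC only admits a pod whose explicit UID falls inside the namespace's `openshift.io/sa.scc.uid-range`, so on any other cluster `openshift.enabled: true` is rejected at admission. Leave the three IDs out of the default `openshift.securityContext` with a comment such as `# Left empty so the SCC assigns the project's UID/GID range; set explicitly only if your SCC permits it`, and keep them documented as overrides. The container defaults stop at `runAsNonRoot`/`allowPrivilegeEscalation`; `capabilities: {drop: [ALL]}` and `seccompProfile: {type: RuntimeDefault}` are what the restricted Pod Security Standard checks for and are cheap to add here, which also makes the same defaults usable outside OpenShift. The second values.yaml hunk on this line only rewrites a whitespace-only line.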
@@ -42,6 +52,8 @@ server: extraEnv: { # "CUSTOM_ENV_VAR": "VALUE" } + securityContext: {} + containerSecurityContext: {} client: port: 7000 @@ -50,3 +62,12 @@ client: # If you need to specify a custom hostname for the opal-sever, configure the serverUrl property # serverUrl: http://custom-hostname-for-opal:opal-port extraEnv: {} + securityContext: {} + containerSecurityContext: {} + +postgresql: + securityContext: {} + containerSecurityContext: {} + extraEnv: {} + +broadcastReplicas: 1 \ No newline at end of file
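Review bot: `broadcastReplicas: 1` is appended to values.yaml with nothing in this diff consuming it and no entry in values.schema.json; if the top-level schema rejects unknown properties this fails `helm lint`, and otherwise it is a dead key — either drop it or add the schema entry together with the template that reads it. The file also loses its trailing newline. None of the new keys carry an explanatory comment; above the `postgresql:` block add `# Pod/container securityContext for the PostgreSQL deployment; an empty map defers to openshift.* when openshift.enabled is true`, and the same one-line remark beside `server.securityContext` in the first hunk on this line and `client.securityContext` in the second.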