Add isOpenshift parameter to rcloneproxy chart

README.md

@@ -15,7 +15,7 @@ helm repo add appcat https://charts.appcat.ch
 
 | Downloads & Changelog | Chart |
 | --- | --- |
-| [![chart downloads](https://img.shields.io/github/downloads/vshn/appcat-charts/rcloneproxy-0.0.1/total)](https://github.com/vshn/appcat-charts/releases/tag/rcloneproxy-0.0.1) | [rcloneproxy](charts/rcloneproxy/README.md) |
+| [![chart downloads](https://img.shields.io/github/downloads/vshn/appcat-charts/rcloneproxy-0.0.2/total)](https://github.com/vshn/appcat-charts/releases/tag/rcloneproxy-0.0.2) | [rcloneproxy](charts/rcloneproxy/README.md) |
 | [![chart downloads](https://img.shields.io/github/downloads/vshn/appcat-charts/vshnmariadb-0.0.12/total)](https://github.com/vshn/appcat-charts/releases/tag/vshnmariadb-0.0.12) | [vshnmariadb](charts/vshnmariadb/README.md) |
 | [![chart downloads](https://img.shields.io/github/downloads/vshn/appcat-charts/vshnpostgresql-0.6.0/total)](https://github.com/vshn/appcat-charts/releases/tag/vshnpostgresql-0.6.0) | [vshnpostgresql](charts/vshnpostgresql/README.md) |
 

charts/rcloneproxy/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: rcloneproxy
 description: A Helm chart for deploying rclone as an intermediate s3 proxy
 type: application
-version: 0.0.1
+version: 0.0.2
 maintainers:
   - name: Schedar Team
     email: info@vshn.ch

charts/rcloneproxy/README.md

@@ -1,6 +1,6 @@
 # rcloneproxy
 
-![Version: 0.0.1](https://img.shields.io/badge/Version-0.0.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.0.2](https://img.shields.io/badge/Version-0.0.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 A Helm chart for deploying rclone as an intermediate s3 proxy
 
@@ -18,7 +18,7 @@ Common/Useful Link references from values.yaml
 [prometheus-operator]: https://github.com/coreos/prometheus-operator
 # rcloneproxy
 
-![Version: 0.0.1](https://img.shields.io/badge/Version-0.0.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.0.2](https://img.shields.io/badge/Version-0.0.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 A Helm chart for deploying rclone as an intermediate s3 proxy
 
@@ -51,6 +51,7 @@ A Helm chart for deploying rclone as an intermediate s3 proxy
 | image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
 | image.repository | string | `"ghcr.io/rclone/rclone"` | Image repository for rclone |
 | image.tag | string | `"1.73.0"` | Configure the image tag |
+| isOpenshift | bool | `false` | Set to true when deploying on OpenShift |
 | podSecurityContext | object | `{"enabled":true,"fsGroup":65532,"fsGroupChangePolicy":"OnRootMismatch","seLinuxOptions":{}}` | Pod security context configuration |
 | podSecurityContext.enabled | bool | `true` | Enable pod security context |
 | podSecurityContext.fsGroup | int | `65532` | FSGroup for volume ownership |

charts/rcloneproxy/templates/deployment.yaml

@@ -16,6 +16,11 @@ spec:
     spec:
       {{- if .Values.podSecurityContext.enabled }}
       securityContext:
+        {{- if .Values.isOpenshift }}
+        fsGroupChangePolicy: OnRootMismatch
+        seLinuxOptions:
+          type: spc_t
+        {{- else }}
         {{- if .Values.podSecurityContext.fsGroup }}
         fsGroup: {{ .Values.podSecurityContext.fsGroup }}
         {{- end }}
@@ -26,13 +31,23 @@ spec:
         seLinuxOptions:
           {{- toYaml .Values.podSecurityContext.seLinuxOptions | nindent 10 }}
         {{- end }}
+        {{- end }}
       {{- end }}
       initContainers:
         - name: generate-config
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           {{- if .Values.containerSecurityContext.enabled }}
           securityContext:
+            {{- if .Values.isOpenshift }}
+            {{- /* OpenShift: Let SCC assign runAsUser */}}
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: false
+            capabilities:
+              drop:
+                - ALL
+            {{- else }}
             {{- if .Values.containerSecurityContext.runAsUser }}
             runAsUser: {{ .Values.containerSecurityContext.runAsUser }}
             {{- end }}
@@ -49,6 +64,7 @@ spec:
             capabilities:
               {{- toYaml .Values.containerSecurityContext.capabilities | nindent 14 }}
             {{- end }}
+            {{- end }}
           {{- end }}
           command:
             - /bin/sh
@@ -128,6 +144,14 @@ spec:
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           {{- if .Values.containerSecurityContext.enabled }}
           securityContext:
+            {{- if .Values.isOpenshift }}
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: false
+            capabilities:
+              drop:
+                - ALL
+            {{- else }}
             {{- if .Values.containerSecurityContext.runAsUser }}
             runAsUser: {{ .Values.containerSecurityContext.runAsUser }}
             {{- end }}
@@ -144,6 +168,7 @@ spec:
             capabilities:
               {{- toYaml .Values.containerSecurityContext.capabilities | nindent 14 }}
             {{- end }}
+            {{- end }}
           {{- end }}
           command:
             - /bin/sh

charts/rcloneproxy/values.yaml

@@ -44,6 +44,9 @@ resources:
     memory: "512Mi"
     cpu: "25m"
 
+# -- Set to true when deploying on OpenShift
+isOpenshift: false
+
 # -- Pod security context configuration
 podSecurityContext:
   # -- Enable pod security context