From 0d74cf80ff78da7986c99fbd056d07f93646ecb1 Mon Sep 17 00:00:00 2001 From: Jon Mosco Date: Thu, 15 Aug 2024 08:06:16 -0400 Subject: [PATCH 1/4] add openshift resources, route condition, and usage note - Added OpenShift resources to the chart. - Introduced a conditional for the OpenShift route. - Included port in the route values. - Added a note to describe how to retrieve the route URL. --- charts/localstack/templates/NOTES.txt | 7 ++++++- charts/localstack/templates/role.yaml | 6 ++++++ charts/localstack/templates/route.yaml | 21 +++++++++++++++++++++ charts/localstack/values.yaml | 10 ++++++++++ 4 files changed, 43 insertions(+), 1 deletion(-) create mode 100644 charts/localstack/templates/route.yaml diff --git a/charts/localstack/templates/NOTES.txt b/charts/localstack/templates/NOTES.txt index 3132aae..14ad76f 100644 --- a/charts/localstack/templates/NOTES.txt +++ b/charts/localstack/templates/NOTES.txt @@ -17,6 +17,11 @@ {{- else if contains "ClusterIP" .Values.service.type }} export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace | quote }} -l "app.kubernetes.io/name={{ include "localstack.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace | quote }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") - echo "Visit http://127.0.0.1:8080 to use your application" + echo "visit http://127.0.0.1:8080 to use your application" kubectl --namespace {{ .Release.Namespace | quote }} port-forward $POD_NAME 8080:$CONTAINER_PORT {{- end }} +{{- if and .Values.openshift .Values.route.enabled }} + export ROUTE_URL=$(oc get route localstack-fork --namespace "localstack" -o jsonpath="{.spec.host}") + echo http://$ROUTE_URL + echo "visit http://$ROUTE_URL to use your application" +{{- end }} diff --git a/charts/localstack/templates/role.yaml b/charts/localstack/templates/role.yaml index 4c8587d..f3a18ba 100644 
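Review bot: The added `oc get route` line hard-codes the route name `localstack-fork` and the namespace `"localstack"`, while every other command in this file derives them from the release (`{{ include "localstack.name" . }}`, `{{ .Release.Namespace | quote }}`), so the printed hint is wrong for any other release name or namespace. It also always prints `http://`, although route.yaml in this same patch emits a `tls:` block from `.Values.route.tls`, so the scheme may not match the route that was actually created. A line consistent with the rest of the file would be `export ROUTE_URL=$(oc get route {{ template "localstack.fullname" . }} --namespace {{ .Release.Namespace | quote }} -o jsonpath="{.spec.host}")`. The block is deleted again in PATCH 2/4, so this only matters if route support is revived.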
--- a/charts/localstack/templates/role.yaml +++ b/charts/localstack/templates/role.yaml @@ -19,4 +19,10 @@ rules: - apiGroups: [""] resources: ["services"] verbs: ["get", "list"] +{{- if .Values.openshift }} +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: ["anyuid"] + verbs: ["use"] +{{- end }} {{- end }} diff --git a/charts/localstack/templates/route.yaml b/charts/localstack/templates/route.yaml new file mode 100644 index 0000000..2d4be6d --- /dev/null +++ b/charts/localstack/templates/route.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.openshift .Values.route.enabled -}} +kind: Route +apiVersion: route.openshift.io/v1 +metadata: + name: {{ template "localstack.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + {{- include "localstack.labels" . | nindent 4 }} +spec: + host: {{ .Values.route.host }} + to: + kind: Service + name: {{ include "localstack.fullname" . }} + weight: 100 + port: + targetPort: {{ .Values.route.port }} + wildcardPolicy: None + tls: + {{- toYaml .Values.route.tls | nindent 4 }} +{{- end }} + diff --git a/charts/localstack/values.yaml b/charts/localstack/values.yaml index 8622b49..a41756a 100644 --- a/charts/localstack/values.yaml +++ b/charts/localstack/values.yaml @@ -19,6 +19,10 @@ imagePullSecrets: [] nameOverride: "" fullnameOverride: "" +## OpenShift. When set to 'true' it will add SecurityContextConstraings (SCC) +## to the role +openshift: false + ## @param extraDeploy Extra objects to deploy (value evaluated as a template) ## extraDeploy: [] @@ -155,6 +159,12 @@ ingress: # hosts: # - chart-example.local +## Create a Route resource if using OpenShift +## Defaults to the 'edge' port of the service on 4566 +route: + enabled: false + port: edge + persistence: ## @param persistence.enabled Enable persistence using Persistent Volume Claims ## From 0894f4b1187200088487c34c0874146b36725613 Mon Sep 17 00:00:00 2001 
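Review bot: The new rule grants `use` on the `anyuid` SCC to whatever service account this Role is bound to, which lets every pod under that account run as any UID, the broadest of the non-host SCCs; the hunk does not say why `nonroot` is insufficient for LocalStack. Since the gate is `.Values.openshift` (default `false` in this patch's values.yaml) nothing changes for existing installs, but a comment on the rule such as `# grants 'use' on the anyuid SCC; prefer nonroot if the image can run with a fixed non-root UID` would make the trade-off visible to anyone reviewing rendered manifests. Note also that Kubernetes RBAC escalation prevention requires the identity running `helm install` to already hold `use` on that SCC (or `escalate`), otherwise the Role itself is rejected. The enclosing `rules:` list and outer `{{- if }}` begin before the hunk, and this rule is reworked in PATCH 2/4 and 3/4.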
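Review bot: `host: {{ .Values.route.host }}` and `tls: {{- toYaml .Values.route.tls | nindent 4 }}` reference keys this patch's values.yaml never declares (only `route.enabled` and `route.port`), so a default render produces an empty `host:` and `tls:` followed by `null`, i.e. a plaintext route whose hostname is picked by the router. Declaring `host: ""` and `tls: {}` under `route:` in values.yaml (or defaulting `tls` to `termination: edge`) would make the rendered shape explicit and let users opt into TLS without guessing key names. `host:` is also unquoted; `host: {{ .Values.route.host | quote }}` avoids YAML retyping once a value is set. The file is removed again in PATCH 2/4.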
From: Jonathan Mosco Date: Tue, 8 Oct 2024 14:32:25 -0400 Subject: [PATCH 2/4] add suggested SCC settings and add section to README --- README.md | 34 ++++++++++++++++++++++++++ charts/localstack/templates/NOTES.txt | 5 ---- charts/localstack/templates/role.yaml | 6 +++-- charts/localstack/templates/route.yaml | 21 ---------------- charts/localstack/values.yaml | 17 ++++++------- 5 files changed, 45 insertions(+), 38 deletions(-) delete mode 100644 charts/localstack/templates/route.yaml diff --git a/README.md b/README.md index 185df64..b0fe4a9 100644 --- a/README.md +++ b/README.md @@ -82,6 +82,40 @@ Useful Helm Client Commands: * Install a chart: `helm install localstack/` * Upgrade your application: `helm upgrade` +### Using the chart in OpenShift + +Running LocalStack on OpenShift requires specific Security Context Constraints (SCC) to be applied to ensure proper deployment and operation. +In the OpenShift Container Platform, you can use SCCs to control permissions for the pods in your cluster. + +Default SCCs are created during installation and when you install some Operators or other components. As a cluster administrator, +you can also create your own SCCs. + +The cluster contains several default security context constraints (SCCs). The available Security Context Constraints are: + +* anyuid +* hostaccess +* hostmount-anyuid +* hostnetwork +* node-exporter +* nonroot +* privileged +* restricted + +Example: + + +```yaml +role: + create: true + +scc: + resourceNames: + - privileged + - hostnetwork +``` + +For a more comprehensive overview, see the official SCC documentation: [OpenShift SCCs](https://docs.openshift.com/container-platform/4.16/authentication/managing-security-context-constraints.html) + ## Change Log Please refer to [GitHub releases](https://github.com/localstack/helm-charts/releases) to see the complete list of changes for each release. 
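Review bot: The example under `Example:` puts `privileged` and `hostnetwork` into `scc.resourceNames`, the two most permissive SCCs in the list above it, and goes well beyond what the chart's own default in this patch (`anyuid`, `nonroot`) grants; a reader copying it hands the LocalStack service account the ability to run privileged, host-networked pods. Since the section says nothing about which SCC LocalStack actually needs, the example should show the narrowest one that works and say so, e.g. `scc:` / `  resourceNames:` / `    - nonroot`. A one-line caveat that `use` on an SCC applies to every pod the bound service account runs would help readers judge the blast radius. The example is rewritten in PATCH 3/4, which drops `privileged`.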
diff --git a/charts/localstack/templates/NOTES.txt b/charts/localstack/templates/NOTES.txt index 14ad76f..0de1c44 100644 --- a/charts/localstack/templates/NOTES.txt +++ b/charts/localstack/templates/NOTES.txt @@ -20,8 +20,3 @@ echo "visit http://127.0.0.1:8080 to use your application" kubectl --namespace {{ .Release.Namespace | quote }} port-forward $POD_NAME 8080:$CONTAINER_PORT {{- end }} -{{- if and .Values.openshift .Values.route.enabled }} - export ROUTE_URL=$(oc get route localstack-fork --namespace "localstack" -o jsonpath="{.spec.host}") - echo http://$ROUTE_URL - echo "visit http://$ROUTE_URL to use your application" -{{- end }} diff --git a/charts/localstack/templates/role.yaml b/charts/localstack/templates/role.yaml index f3a18ba..6dc6157 100644 --- a/charts/localstack/templates/role.yaml +++ b/charts/localstack/templates/role.yaml @@ -19,10 +19,12 @@ rules: - apiGroups: [""] resources: ["services"] verbs: ["get", "list"] -{{- if .Values.openshift }} +{{- if .Values.scc }} - apiGroups: ["security.openshift.io"] resources: ["securitycontextconstraints"] - resourceNames: ["anyuid"] + resourceNames: + {{- range .Values.scc.resourceNames }} + - {{ . | quote }} verbs: ["use"] {{- end }} {{- end }} diff --git a/charts/localstack/templates/route.yaml b/charts/localstack/templates/route.yaml deleted file mode 100644 index 2d4be6d..0000000 --- a/charts/localstack/templates/route.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{- if and .Values.openshift .Values.route.enabled -}} -kind: Route -apiVersion: route.openshift.io/v1 -metadata: - name: {{ template "localstack.fullname" . }} - namespace: {{ .Release.Namespace | quote }} - labels: - {{- include "localstack.labels" . | nindent 4 }} -spec: - host: {{ .Values.route.host }} - to: - kind: Service - name: {{ include "localstack.fullname" . }} - weight: 100 - port: - targetPort: {{ .Values.route.port }} - wildcardPolicy: None - tls: - {{- toYaml .Values.route.tls | nindent 4 }} -{{- end }} - 
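Review bot: The `{{- range .Values.scc.resourceNames }}` opened before `- {{ . | quote }}` is closed by the first `{{- end }}`, which previously closed the `if`, so the unchanged `verbs: ["use"]` line is now inside the loop and `if .Values.scc` consumes the `{{- end }}` that belonged to the enclosing `{{- if }}`; the template is one `{{- end }}` short and will not render. With two or more names the loop would additionally repeat `verbs:` per iteration, producing duplicate keys in the rendered rule. The loop needs its own close before `verbs:`: `  - {{ . | quote }}` / `  {{- end }}` / `  verbs: ["use"]`. Because values.yaml in this patch populates `scc.resourceNames` by default, `{{- if .Values.scc }}` is always true and the OpenShift-only rule is now emitted on every cluster. The enclosing `rules:` list and outer `{{- if }}` start before the hunk; PATCH 3/4 rewrites this block.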
diff --git a/charts/localstack/values.yaml b/charts/localstack/values.yaml index a41756a..f7b065d 100644 --- a/charts/localstack/values.yaml +++ b/charts/localstack/values.yaml @@ -19,10 +19,6 @@ imagePullSecrets: [] nameOverride: "" fullnameOverride: "" -## OpenShift. When set to 'true' it will add SecurityContextConstraings (SCC) -## to the role -openshift: false - ## @param extraDeploy Extra objects to deploy (value evaluated as a template) ## extraDeploy: [] @@ -49,6 +45,13 @@ role: # If not set and create is true, a name is generated using the fullname template name: "" +## OpenShift Security Context Constraints. When set to 'true' it will add SecurityContextConstraings (SCC) +## to the role +scc: + resourceNames: + - anyuid + - nonroot + podLabels: {} podAnnotations: {} @@ -159,12 +162,6 @@ ingress: # hosts: # - chart-example.local -## Create a Route resource if using OpenShift -## Defaults to the 'edge' port of the service on 4566 -route: - enabled: false - port: edge - persistence: ## @param persistence.enabled Enable persistence using Persistent Volume Claims ## From 4ac10b9876037d1a7dbb1c2b4c2ebb24ce8f8565 Mon Sep 17 00:00:00 2001 From: Jonathan Mosco Date: Wed, 16 Oct 2024 17:03:06 -0400 Subject: [PATCH 3/4] change to using extraRules --- README.md | 11 +++++------ charts/localstack/templates/role.yaml | 17 ++++++++++------- charts/localstack/values.yaml | 7 ------- 3 files changed, 15 insertions(+), 20 deletions(-) diff --git a/README.md b/README.md index b0fe4a9..15b5f40 100644 --- a/README.md +++ b/README.md 
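Review bot: The new `scc.resourceNames` default of `anyuid` and `nonroot` replaces the `openshift: false` gate with a list that is non-empty out of the box, so the `use`-on-SCC rule is rendered for every install, including non-OpenShift clusters, and `helm install` may now fail wherever the installer cannot itself grant `use` on those SCCs (RBAC escalation prevention). A safe default is an empty list with the OpenShift case documented: `scc:` / `  resourceNames: []  # OpenShift only: SCC names the service account may 'use', e.g. nonroot`. The comment above the block, carried over from PATCH 1/4, still reads "When set to 'true' ... SecurityContextConstraings"; it no longer describes a boolean and has a typo, so `## OpenShift Security Context Constraints (SCC) the Role may 'use'` would be accurate. The block is removed again in PATCH 3/4.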
@@ -103,15 +103,14 @@ The cluster contains several default security context constraints (SCCs). The av Example: - ```yaml role: create: true - -scc: - resourceNames: - - privileged - - hostnetwork + extraRoles: + - apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: ["anyuid"] + verbs: ["use"] ``` For a more comprehensive overview, see the official SCC documentation: [OpenShift SCCs](https://docs.openshift.com/container-platform/4.16/authentication/managing-security-context-constraints.html) diff --git a/charts/localstack/templates/role.yaml b/charts/localstack/templates/role.yaml index 6dc6157..507905c 100644 --- a/charts/localstack/templates/role.yaml +++ b/charts/localstack/templates/role.yaml @@ -19,12 +19,15 @@ rules: - apiGroups: [""] resources: ["services"] verbs: ["get", "list"] -{{- if .Values.scc }} -- apiGroups: ["security.openshift.io"] - resources: ["securitycontextconstraints"] - resourceNames: - {{- range .Values.scc.resourceNames }} - - {{ . | quote }} - verbs: ["use"] +{{- if .Values.role.extraRoles }} + {{- range .Values.role.extraRoles }} +- apiGroups: {{ toJson .apiGroups | nindent 2 }} + resources: {{ toJson .resources | nindent 2 }} + {{- if .resourceNames }} + resourceNames: {{ toJson .resourceNames | nindent 2 }} + {{- end }} + verbs: {{ toJson .verbs | nindent 2 }} + {{- end }} {{- end }} {{- end }} + diff --git a/charts/localstack/values.yaml b/charts/localstack/values.yaml index f7b065d..8622b49 100644 --- a/charts/localstack/values.yaml +++ b/charts/localstack/values.yaml @@ -45,13 +45,6 @@ role: # If not set and create is true, a name is generated using the fullname template name: "" -## OpenShift Security Context Constraints. When set to 'true' it will add SecurityContextConstraings (SCC) -## to the role -scc: - resourceNames: - - anyuid - - nonroot - podLabels: {} podAnnotations: {} From 78a55528559e64e7797b11e1021532b0759f3a39 Mon Sep 17 00:00:00 2001 
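Review bot: `apiGroups: {{ toJson .apiGroups | nindent 2 }}` emits a newline and two spaces before the JSON array, so the flow sequence lands on its own line at the same column as the `apiGroups` key inside the `- ` item, which a YAML parser will not accept as that key's value (the same applies to `resources`, `resourceNames` and `verbs`); dropping `nindent` and keeping the array on the key's line, `- apiGroups: {{ toJson .apiGroups }}`, renders the same shape as the hand-written rules above. The value name `role.extraRoles` is also misleading, since each entry is a PolicyRule appended to this one Role rather than a Role; `extraRules` would match what the template does. The enclosing `rules:` list and outer `{{- if }}` start before the hunk, and PATCH 4/4 replaces this loop with `common.tplvalues.render`.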
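Review bot: Removing the `scc:` block leaves `role.extraRoles`, which role.yaml now reads, undeclared anywhere in values.yaml; the only description of the key is the README example, and PATCH 4/4 adds it solely as a commented-out block in test-values.yaml. Declare it next to `name: ""` under `role:` with a comment in the file's existing style, e.g. `## @param role.extraRoles Additional PolicyRules appended to the Role, e.g. 'use' on an OpenShift SCC` / `extraRoles: []`, so `helm show values` documents it and an empty default is explicit. The `role:` mapping begins before the hunk.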
From: Alexander Rashed Date: Fri, 18 Oct 2024 09:45:30 +0200 Subject: [PATCH 4/4] properly include extraRoles --- README.md | 1 - charts/localstack/templates/role.yaml | 9 +-------- charts/localstack/test-values.yaml | 8 ++++++++ 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 15b5f40..08a5b3e 100644 --- a/README.md +++ b/README.md @@ -105,7 +105,6 @@ Example: ```yaml role: - create: true extraRoles: - apiGroups: ["security.openshift.io"] resources: ["securitycontextconstraints"] diff --git a/charts/localstack/templates/role.yaml b/charts/localstack/templates/role.yaml index 507905c..3abc6b0 100644 --- a/charts/localstack/templates/role.yaml +++ b/charts/localstack/templates/role.yaml @@ -20,14 +20,7 @@ rules: resources: ["services"] verbs: ["get", "list"] {{- if .Values.role.extraRoles }} - {{- range .Values.role.extraRoles }} -- apiGroups: {{ toJson .apiGroups | nindent 2 }} - resources: {{ toJson .resources | nindent 2 }} - {{- if .resourceNames }} - resourceNames: {{ toJson .resourceNames | nindent 2 }} - {{- end }} - verbs: {{ toJson .verbs | nindent 2 }} - {{- end }} +{{ include "common.tplvalues.render" (dict "value" .Values.role.extraRoles "context" $) }} {{- end }} {{- end }} diff --git a/charts/localstack/test-values.yaml b/charts/localstack/test-values.yaml index 3c7a456..5c42114 100644 --- a/charts/localstack/test-values.yaml +++ b/charts/localstack/test-values.yaml @@ -57,3 +57,11 @@ ingress: # enable kubernetes lambda executor (only pro) # lambda: # executor: "kubernetes" + +# add extra roles for OpenShift +# role: +# extraRoles: +# - apiGroups: ["security.openshift.io"] +# resources: ["securitycontextconstraints"] +# resourceNames: ["anyuid"] +# verbs: ["use"] \ No newline at end of file
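Review bot: Dropping `create: true` from the example makes it depend on the default of `role.create`, which this series never shows; if that default is `false`, the rules under `extraRoles` are silently not rendered, because the whole of role.yaml sits inside an enclosing `{{- if }}` (opened before the hunk and closed by the file's final `{{- end }}`). If `create` defaults to `true`, a sentence saying so next to the example would remove the doubt; otherwise keep the line. The example still grants `anyuid`; suggesting `nonroot` first, with `anyuid` only when the image must choose its own UID, would steer readers to the narrower SCC.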
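Review bot: `{{ include "common.tplvalues.render" (dict "value" .Values.role.extraRoles "context" $) }}` depends on the Bitnami `common` library chart's helper, and nothing in this series shows Chart.yaml, so please confirm `common` is already a declared dependency; if it is not, every render fails with an undefined-template error, not only installs that set `extraRoles`. That helper also evaluates the value through `tpl`, so `{{ ... }}` inside `extraRoles` is expanded at render time; the values.yaml comment for this key should say so the way `extraDeploy` already does ("value evaluated as a template"), since the whole list becomes PolicyRules on the Role verbatim. The enclosing `rules:` list and outer `{{- if }}` start before the hunk.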
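Review bot: The new block ends with `\ No newline at end of file`; add a trailing newline so later additions to test-values.yaml do not show up as a modification of the `verbs: ["use"]` line. The example is entirely commented out, so if this file drives the chart's test render (inferred from its name, not shown here), the `extraRoles` path is still never exercised by CI, which is how the non-rendering loop in PATCH 3/4 slipped through; consider an uncommented `role.extraRoles` entry in a dedicated OpenShift test values file.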