Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add openshift resources to chart #125

Merged
merged 4 commits into from
Oct 18, 2024
Merged

add openshift resources to chart #125

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
0d74cf8
add openshift resources, route condition, and usage note
jonmosco Aug 15, 2024
0894f4b
add suggested SCC settings and add section to README
jonmosco Oct 8, 2024
4ac10b9
change to using extraRules
jonmosco Oct 16, 2024
78a5552
properly include extraRoles
alexrashed Oct 18, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
34 changes: 34 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -82,6 +82,40 @@ Useful Helm Client Commands:
* Install a chart: `helm install <name> localstack/<chart>`
* Upgrade your application: `helm upgrade`

### Using the chart in OpenShift

Running LocalStack on OpenShift requires specific Security Context Constraints (SCC) to be applied to ensure proper deployment and operation.
In the OpenShift Container Platform, you can use SCCs to control permissions for the pods in your cluster.

Default SCCs are created during installation and when you install some Operators or other components. As a cluster administrator,
you can also create your own SCCs.

The cluster contains several default security context constraints (SCCs). The available Security Context Constraints are:

* anyuid
* hostaccess
* hostmount-anyuid
* hostnetwork
* node-exporter
* nonroot
* privileged
* restricted

Example:


```yaml
role:
create: true

scc:
resourceNames:
- privileged
- hostnetwork
```

For a more comprehensive overview, see the official SCC documentation: [OpenShift SCCs](https://docs.openshift.com/container-platform/4.16/authentication/managing-security-context-constraints.html)

## Change Log

Please refer to [GitHub releases](https://github.com/localstack/helm-charts/releases) to see the complete list of changes for each release.
Expand Down
5 changes: 0 additions & 5 deletions charts/localstack/templates/NOTES.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,8 +20,3 @@
echo "visit http://127.0.0.1:8080 to use your application"
kubectl --namespace {{ .Release.Namespace | quote }} port-forward $POD_NAME 8080:$CONTAINER_PORT
{{- end }}
{{- if and .Values.openshift .Values.route.enabled }}
export ROUTE_URL=$(oc get route localstack-fork --namespace "localstack" -o jsonpath="{.spec.host}")
echo http://$ROUTE_URL
echo "visit http://$ROUTE_URL to use your application"
{{- end }}
6 changes: 4 additions & 2 deletions charts/localstack/templates/role.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,10 +19,12 @@ rules:
- apiGroups: [""]
resources: ["services"]
verbs: ["get", "list"]
{{- if .Values.openshift }}
{{- if .Values.scc }}
- apiGroups: ["security.openshift.io"]
resources: ["securitycontextconstraints"]
resourceNames: ["anyuid"]
resourceNames:
{{- range .Values.scc.resourceNames }}
- {{ . | quote }}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it would be great if we could generalize this even a bit more by allowing arbitrary configs here, similar to the extraEnvVars here:

helm-charts/charts/localstack/templates/deployment.yaml

Lines 188 to 190 in d896940

{{- if .Values.extraEnvVars }}
{{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }}
{{- end }}

Something like extraRoles would allow us to enable the usage in OpenShift, while not committing to a specific derivate.
Waht do you think?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds good to me! I will work on these changes. Thanks for the feedback.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just so I understand, if the SCCs were to be created without OpenShift, do you mean something like Pod Security Policies, Pod Security Admission, or custom roles that basically mirror what the SCC would provide?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would really just "move the value template to one level higher", meaning that you would not set the resource names for a pre-defined / hard coded rule, but that you can add arbitrary complete rule entries.

So basically your value file would look something like this:

role:
  extraRules:
    - apiGroups: ["security.openshift.io"]
      resources: ["securitycontextconstraints"]
      resourceNames: ["anyuid"]
      verbs: ["use"]

We already do the same thing with the extraEnvVars linked above (where we even have template evaluation of the entries), so it should be fairly straight forward to implement.

And in the whole chart there would be no mention of OpenShift (because the chart would stay derivate-agnostic).
But it would still be great to have it explained how it works for OpenShift in the readme (thanks for the push on the docs)!

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, I think i'm getting closer to what you are describing. Let me know if you like this diff.

verbs: ["use"]
{{- end }}
{{- end }}
21 changes: 0 additions & 21 deletions charts/localstack/templates/route.yaml
View file
Open in desktop

This file was deleted.

17 changes: 7 additions & 10 deletions charts/localstack/values.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,10 +19,6 @@ imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""

## OpenShift. When set to 'true' it will add SecurityContextConstraings (SCC)
## to the role
openshift: false

## @param extraDeploy Extra objects to deploy (value evaluated as a template)
##
extraDeploy: []
Expand All @@ -49,6 +45,13 @@ role:
# If not set and create is true, a name is generated using the fullname template
name: ""

## OpenShift Security Context Constraints. When set to 'true' it will add SecurityContextConstraings (SCC)
## to the role
scc:
resourceNames:
- anyuid
- nonroot

podLabels: {}

podAnnotations: {}
Expand Down Expand Up @@ -159,12 +162,6 @@ ingress:
# hosts:
# - chart-example.local

## Create a Route resource if using OpenShift
## Defaults to the 'edge' port of the service on 4566
route:
enabled: false
port: edge

persistence:
## @param persistence.enabled Enable persistence using Persistent Volume Claims
##
Expand Down