feat(helm-chart): make charts Openshift compliant (#3415)

Signed-off-by: John Allberg <[email protected]> Co-authored-by: odubajDT <[email protected]>
keptn · Apr 23, 2024 · 32f077a · 32f077a
1 parent c5d2b99
commit 32f077a
Show file tree

Hide file tree

Showing 22 changed files with 15,890 additions and 13 deletions.
diff --git a/.github/scripts/.helm-tests/Openshift/result.yaml b/.github/scripts/.helm-tests/Openshift/result.yaml
diff --git a/.github/scripts/.helm-tests/Openshift/values.yaml b/.github/scripts/.helm-tests/Openshift/values.yaml
@@ -0,0 +1,3 @@
+global:
+  openShift:
+    enabled: true
diff --git a/.github/scripts/.helm-tests/default/result.yaml b/.github/scripts/.helm-tests/default/result.yaml
@@ -15399,8 +15399,8 @@ spec:
             - ALL
           privileged: false
           runAsGroup: 65532
-          runAsNonRoot: true
           runAsUser: 65532
+          runAsNonRoot: true
           seccompProfile:
             type: RuntimeDefault
         volumeMounts:
@@ -15596,8 +15596,8 @@ spec:
             - ALL
           privileged: false
           runAsGroup: 65532
-          runAsNonRoot: true
           runAsUser: 65532
+          runAsNonRoot: true
           seccompProfile:
             type: RuntimeDefault
         volumeMounts:

diff --git a/.github/scripts/.helm-tests/lifecycle-only/result.yaml b/.github/scripts/.helm-tests/lifecycle-only/result.yaml
@@ -11965,8 +11965,8 @@ spec:
             - ALL
           privileged: false
           runAsGroup: 65532
-          runAsNonRoot: true
           runAsUser: 65532
+          runAsNonRoot: true
           seccompProfile:
             type: RuntimeDefault
         volumeMounts:

diff --git a/.github/scripts/.helm-tests/lifecycle-with-certs/result.yaml b/.github/scripts/.helm-tests/lifecycle-with-certs/result.yaml
@@ -12266,8 +12266,8 @@ spec:
             - ALL
           privileged: false
           runAsGroup: 65532
-          runAsNonRoot: true
           runAsUser: 65532
+          runAsNonRoot: true
           seccompProfile:
             type: RuntimeDefault
         volumeMounts:

diff --git a/.github/scripts/.helm-tests/local-global-precedence/result.yaml b/.github/scripts/.helm-tests/local-global-precedence/result.yaml
@@ -15725,8 +15725,8 @@ spec:
             - ALL
           privileged: false
           runAsGroup: 65532
-          runAsNonRoot: true
           runAsUser: 65532
+          runAsNonRoot: true
           seccompProfile:
             type: RuntimeDefault
         volumeMounts:
@@ -15937,8 +15937,8 @@ spec:
             - ALL
           privileged: false
           runAsGroup: 65532
-          runAsNonRoot: true
           runAsUser: 65532
+          runAsNonRoot: true
           seccompProfile:
             type: RuntimeDefault
         volumeMounts:

diff --git a/.github/scripts/.helm-tests/metrics-only-with-apiservice-disabled/result.yaml b/.github/scripts/.helm-tests/metrics-only-with-apiservice-disabled/result.yaml
@@ -3200,8 +3200,8 @@ spec:
             - ALL
           privileged: false
           runAsGroup: 65532
-          runAsNonRoot: true
           runAsUser: 65532
+          runAsNonRoot: true
           seccompProfile:
             type: RuntimeDefault
         volumeMounts:

diff --git a/.github/scripts/.helm-tests/metrics-only/result.yaml b/.github/scripts/.helm-tests/metrics-only/result.yaml
@@ -3221,8 +3221,8 @@ spec:
             - ALL
           privileged: false
           runAsGroup: 65532
-          runAsNonRoot: true
           runAsUser: 65532
+          runAsNonRoot: true
           seccompProfile:
             type: RuntimeDefault
         volumeMounts:

diff --git a/.github/scripts/.helm-tests/metrics-with-certs/result.yaml b/.github/scripts/.helm-tests/metrics-with-certs/result.yaml
@@ -3522,8 +3522,8 @@ spec:
             - ALL
           privileged: false
           runAsGroup: 65532
-          runAsNonRoot: true
           runAsUser: 65532
+          runAsNonRoot: true
           seccompProfile:
             type: RuntimeDefault
         volumeMounts:

diff --git a/chart/README.md b/chart/README.md
@@ -25,3 +25,4 @@ metrics, observability, health checks, with pre- and post-deployment evaluations
 | `global.commonLabels`           | Common labels to add to all Keptn resources. Evaluated as a template      | `{}`      |
 | `global.commonAnnotations`      | Common annotations to add to all Keptn resources. Evaluated as a template | `{}`      |
 | `global.caInjectionAnnotations` | CA injection annotations for cert-manager.io configuration                | `{}`      |
+| `global.openShift.enabled`      | Enable this value to install on Openshift                                 | `false`   |
diff --git a/chart/values.yaml b/chart/values.yaml
@@ -31,3 +31,6 @@ global:
   commonAnnotations: {}
   ## @param global.caInjectionAnnotations CA injection annotations for cert-manager.io configuration
   caInjectionAnnotations: {}
+  openShift:
+    ## @param global.openShift.enabled Enable this value to install on Openshift
+    enabled: false
diff --git a/docs/docs/installation/configuration/Openshift.md b/docs/docs/installation/configuration/Openshift.md
@@ -0,0 +1,23 @@
+---
+comments: true
+---
+
+# Installing on Openshift
+
+To install on OpenShift, set the value `global.openShift.enabled` in the `values.yaml` file to true.
+In practice this means that `runAsUser` and `runAsGroup` are removed, since
+Openshift sets those automatically.
+
+You can set the `global.openShift.enabled` parameter when running the `helm install` command:
+
+```shell
+helm install keptn keptn/keptn -n keptn-system --create-namespace --set global.openShift.enabled=true
+```
+
+or you can define it in your `values.yaml` file:
+
+```yaml
+global:
+  openShift:
+    enabled: true
+```
diff --git a/keptn-cert-manager/chart/README.md b/keptn-cert-manager/chart/README.md
@@ -16,6 +16,7 @@ resource.
 | `global.commonLabels`           | Common labels to add to all Keptn resources. Evaluated as a template      | `{}`      |
 | `global.commonAnnotations`      | Common annotations to add to all Keptn resources. Evaluated as a template | `{}`      |
 | `global.caInjectionAnnotations` | CA injection annotations for cert-manager.io configuration                | `{}`      |
+| `global.openShift.enabled`      | Enable this value to install on Openshift                                 | `false`   |
 
 ### Keptn Certificate Operator common
 

diff --git a/keptn-cert-manager/chart/templates/deployment.yaml b/keptn-cert-manager/chart/templates/deployment.yaml
@@ -56,10 +56,12 @@ spec:
             capabilities: {{- include "common.tplvalues.render" (dict "value" .Values.containerSecurityContext.capabilities "context" $) | nindent 14 }}
             readOnlyRootFilesystem: {{ .Values.containerSecurityContext.readOnlyRootFilesystem
             }}
+            {{- if not .Values.global.openShift.enabled }}
             runAsGroup: {{ .Values.containerSecurityContext.runAsGroup
             }}
             runAsUser: {{ .Values.containerSecurityContext.runAsUser
             }}
+            {{- end }}
             seccompProfile: {{- include "common.tplvalues.render" (dict "value" .Values.containerSecurityContext.seccompProfile
             "context" $) | nindent 14 }}
         {{- if .Values.livenessProbe }}

diff --git a/keptn-cert-manager/chart/values.yaml b/keptn-cert-manager/chart/values.yaml
@@ -20,6 +20,9 @@ global:
   commonAnnotations: {}
   ## @param global.caInjectionAnnotations CA injection annotations for cert-manager.io configuration
   caInjectionAnnotations: { }
+  openShift:
+    ## @param global.openShift.enabled Enable this value to install on Openshift
+    enabled: false
 
 
 # yamllint disable rule:line-length

diff --git a/lifecycle-operator/chart/README.md b/lifecycle-operator/chart/README.md
@@ -20,6 +20,7 @@ and application health checks
 | `global.commonLabels`                                   | Common labels to add to all Keptn resources. Evaluated as a template                                                                                          | `{}`                |
 | `global.commonAnnotations`                              | Common annotations to add to all Keptn resources. Evaluated as a template                                                                                     | `{}`                |
 | `global.caInjectionAnnotations`                         | CA injection annotations for cert-manager.io configuration                                                                                                    | `{}`                |
+| `global.openShift.enabled`                              | Enable this value to install on Openshift                                                                                                                     | `false`             |
 | `lifecycleOperatorConfig.health.healthProbeBindAddress` | setup on what address to start the default health handler                                                                                                     | `:8081`             |
 | `lifecycleOperatorConfig.leaderElection.leaderElect`    | enable leader election for multiple replicas of the lifecycle operator                                                                                        | `true`              |
 | `lifecycleOperatorConfig.leaderElection.resourceName`   | define LeaderElectionID                                                                                                                                       | `6b866dd9.keptn.sh` |

diff --git a/lifecycle-operator/chart/templates/deployment.yaml b/lifecycle-operator/chart/templates/deployment.yaml
@@ -127,12 +127,14 @@ spec:
             "context" $) | nindent 12 }}
           privileged: {{ .Values.lifecycleOperator.containerSecurityContext.privileged
             }}
+          {{- if not .Values.global.openShift.enabled }}
           runAsGroup: {{ .Values.lifecycleOperator.containerSecurityContext.runAsGroup
             }}
-          runAsNonRoot: {{ .Values.lifecycleOperator.containerSecurityContext.runAsNonRoot
-            }}
           runAsUser: {{ .Values.lifecycleOperator.containerSecurityContext.runAsUser
             }}
+          {{- end }}
+          runAsNonRoot: {{ .Values.lifecycleOperator.containerSecurityContext.runAsNonRoot
+            }}
           seccompProfile: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleOperator.containerSecurityContext.seccompProfile
             "context" $) | nindent 12 }}
         volumeMounts:
@@ -224,7 +226,9 @@ spec:
             }}
           runAsNonRoot: {{ .Values.scheduler.containerSecurityContext.runAsNonRoot
             }}
+          {{- if not .Values.global.openShift.enabled }}
           runAsUser: {{ .Values.scheduler.containerSecurityContext.runAsUser }}
+          {{- end }}
           seccompProfile: {{- include "common.tplvalues.render" (dict "value" .Values.scheduler.containerSecurityContext.seccompProfile
             "context" $) | nindent 12 }}
         volumeMounts:

diff --git a/lifecycle-operator/chart/values.yaml b/lifecycle-operator/chart/values.yaml
@@ -26,6 +26,9 @@ global:
   ## @param global.caInjectionAnnotations CA injection annotations for cert-manager.io configuration
   ##
   caInjectionAnnotations: { }
+  openShift:
+    ## @param global.openShift.enabled Enable this value to install on Openshift
+    enabled: false
 
 lifecycleOperatorConfig:
   health:

diff --git a/metrics-operator/chart/README.md b/metrics-operator/chart/README.md
@@ -22,6 +22,7 @@ Prometheus, Dynatrace, DataDog and K8s metric server...
 | `global.commonLabels`           | Common labels to add to all Keptn resources. Evaluated as a template      | `{}`      |
 | `global.commonAnnotations`      | Common annotations to add to all Keptn resources. Evaluated as a template | `{}`      |
 | `global.caInjectionAnnotations` | CA injection annotations for cert-manager.io configuration                | `{}`      |
+| `global.openShift.enabled`      | Enable this value to install on Openshift                                 | `false`   |
 
 ### Keptn Metrics Operator common
 

diff --git a/metrics-operator/chart/templates/deployment.yaml b/metrics-operator/chart/templates/deployment.yaml
@@ -83,12 +83,14 @@ spec:
             "context" $) | nindent 12 }}
           privileged: {{ .Values.containerSecurityContext.privileged
             }}
+          {{- if not .Values.global.openShift.enabled }}
           runAsGroup: {{ .Values.containerSecurityContext.runAsGroup
             }}
-          runAsNonRoot: {{ .Values.containerSecurityContext.runAsNonRoot
-            }}
           runAsUser: {{ .Values.containerSecurityContext.runAsUser
             }}
+          {{- end }}
+          runAsNonRoot: {{ .Values.containerSecurityContext.runAsNonRoot
+            }}
           seccompProfile: {{- include "common.tplvalues.render" (dict "value" .Values.containerSecurityContext.seccompProfile
             "context" $) | nindent 12 }}
         volumeMounts:

diff --git a/metrics-operator/chart/values.yaml b/metrics-operator/chart/values.yaml
@@ -26,6 +26,9 @@ global:
   ## @param global.caInjectionAnnotations CA injection annotations for cert-manager.io configuration
   ##
   caInjectionAnnotations: { }
+  openShift:
+    ## @param global.openShift.enabled Enable this value to install on Openshift
+    enabled: false
 
 ## @section Keptn Metrics Operator common
 ## @extra   operatorService.ports[0] webhook port (must correspond to Mutating Webhook Configurations)

diff --git a/mkdocs.yml b/mkdocs.yml
@@ -125,6 +125,7 @@ nav:
               - vCluster installation: docs/installation/configuration/vcluster.md
               - Keptn + cert-manager.io: docs/installation/configuration/cert-manager.md
               - Deploy Keptn via ArgoCD: docs/installation/configuration/argocd.md
+              - Deploy Keptn on OpenShift: docs/installation/configuration/Openshift.md
           - Installation Tips and Tricks: docs/installation/tips-tricks.md
           - Troubleshooting Guide: docs/installation/troubleshooting.md
           - Kubernetes cluster: docs/installation/k8s.md