openshift unprivileged and with arbitrary UIDs and GIDs (#177)

* openshift * raise chart and zammad image version * markdown dash, rm asterisk * rm blank --------- Co-authored-by: Klaus Mueller <[email protected]>
zammad · Mar 21, 2023 · 8088717 · 8088717
1 parent d01cf65
commit 8088717
Show file tree

Hide file tree

Showing 2 changed files with 54 additions and 2 deletions.
diff --git a/zammad/Chart.yaml b/zammad/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: zammad
-version: 8.2.1
-appVersion: 5.4.0-1
+version: 8.2.2
+appVersion: 5.4.0-10
 description: Zammad is a web based open source helpdesk/customer support system with many features to manage customer communication via several channels like telephone, facebook, twitter, chat and e-mails.
 home: https://zammad.org
 icon: https://raw.githubusercontent.com/zammad/zammad-documentation/main/images/zammad_logo_600x520.png

diff --git a/zammad/README.md b/zammad/README.md
@@ -40,6 +40,58 @@ Don't use an NFS-based storage class for Zammad's persistent volume.
 
 This is relevant to **EFS** for AWS users, as well.
 
+### OpenShift
+
+To run OpenShift unprivileged and with [arbitrary UIDs and GIDs](https://cloud.redhat.com/blog/a-guide-to-openshift-and-uids):
+
+- Add the extraRsyncParams `--no-perms --omit-dir-times`.
+- Set `securityContext` and `zammadConfig.initContainers.zammad.securityContext.runAsUser` empty (not empty string `""` or empty map `{}`).
+- Disable if used:
+  - also `podSecurityContext` in all subcharts.
+  - the privileged [sysctlImage](https://github.com/bitnami/charts/tree/main/bitnami/elasticsearch#default-kernel-settings) in elasticsearch subchart.
+
+```yaml
+securityContext:
+  fsGroup: # must be emtpy
+  runAsUser: # must be emtpy
+  runAsNonRoot: # must be emtpy
+  runAsGroup: # must be emtpy
+
+zammadConfig:
+  initContainers:
+    zammad:
+      extraRsyncParams: "--no-perms --omit-dir-times"
+      securityContext:
+        runAsUser: # must be emtpy
+
+elasticsearch:
+  sysctlImage:
+    enabled: false
+  master:
+    podSecurityContext:
+      enabled: false
+    containerSecurityContext:
+      enabled: false
+
+memcached:
+  podSecurityContext:
+    enabled: false
+  containerSecurityContext:
+    enabled: false
+
+redis:
+  master:
+   podSecurityContext:
+     enabled: false
+   containerSecurityContext:
+     enabled: false
+  replica:
+    podSecurityContext:
+      enabled: false
+    containerSecurityContext:
+      enabled: false
+```
+
 ## Using zammad
 
 Once the zammad pod is ready, it can be accessed using the ingress or port forwarding.