From 0894f4b1187200088487c34c0874146b36725613 Mon Sep 17 00:00:00 2001 From: Jonathan Mosco Date: Tue, 8 Oct 2024 14:32:25 -0400 Subject: [PATCH] add suggested SCC settings and add section to README --- README.md | 34 ++++++++++++++++++++++++++ charts/localstack/templates/NOTES.txt | 5 ---- charts/localstack/templates/role.yaml | 6 +++-- charts/localstack/templates/route.yaml | 21 ---------------- charts/localstack/values.yaml | 17 ++++++------- 5 files changed, 45 insertions(+), 38 deletions(-) delete mode 100644 charts/localstack/templates/route.yaml diff --git a/README.md b/README.md index 185df64..b0fe4a9 100644 --- a/README.md +++ b/README.md @@ -82,6 +82,40 @@ Useful Helm Client Commands: * Install a chart: `helm install localstack/` * Upgrade your application: `helm upgrade` +### Using the chart in OpenShift + +Running LocalStack on OpenShift requires specific Security Context Constraints (SCC) to be applied to ensure proper deployment and operation. +In the OpenShift Container Platform, you can use SCCs to control permissions for the pods in your cluster. + +Default SCCs are created during installation and when you install some Operators or other components. As a cluster administrator, +you can also create your own SCCs. + +The cluster contains several default security context constraints (SCCs). The available Security Context Constraints are: + +* anyuid +* hostaccess +* hostmount-anyuid +* hostnetwork +* node-exporter +* nonroot +* privileged +* restricted + +Example: + + +```yaml +role: + create: true + +scc: + resourceNames: + - privileged + - hostnetwork +``` + +For a more comprehensive overview, see the official SCC documentation: [OpenShift SCCs](https://docs.openshift.com/container-platform/4.16/authentication/managing-security-context-constraints.html) + ## Change Log Please refer to [GitHub releases](https://github.com/localstack/helm-charts/releases) to see the complete list of changes for each release. 
diff --git a/charts/localstack/templates/NOTES.txt b/charts/localstack/templates/NOTES.txt index 14ad76f..0de1c44 100644 --- a/charts/localstack/templates/NOTES.txt +++ b/charts/localstack/templates/NOTES.txt @@ -20,8 +20,3 @@ echo "visit http://127.0.0.1:8080 to use your application" kubectl --namespace {{ .Release.Namespace | quote }} port-forward $POD_NAME 8080:$CONTAINER_PORT {{- end }} -{{- if and .Values.openshift .Values.route.enabled }} - export ROUTE_URL=$(oc get route localstack-fork --namespace "localstack" -o jsonpath="{.spec.host}") - echo http://$ROUTE_URL - echo "visit http://$ROUTE_URL to use your application" -{{- end }} diff --git a/charts/localstack/templates/role.yaml b/charts/localstack/templates/role.yaml index f3a18ba..6dc6157 100644 --- a/charts/localstack/templates/role.yaml +++ b/charts/localstack/templates/role.yaml @@ -19,10 +19,12 @@ rules: - apiGroups: [""] resources: ["services"] verbs: ["get", "list"] -{{- if .Values.openshift }} +{{- if .Values.scc }} - apiGroups: ["security.openshift.io"] resources: ["securitycontextconstraints"] - resourceNames: ["anyuid"] + resourceNames: + {{- range .Values.scc.resourceNames }} + - {{ . | quote }} verbs: ["use"] {{- end }} {{- end }} diff --git a/charts/localstack/templates/route.yaml b/charts/localstack/templates/route.yaml deleted file mode 100644 index 2d4be6d..0000000 --- a/charts/localstack/templates/route.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{- if and .Values.openshift .Values.route.enabled -}} -kind: Route -apiVersion: route.openshift.io/v1 -metadata: - name: {{ template "localstack.fullname" . }} - namespace: {{ .Release.Namespace | quote }} - labels: - {{- include "localstack.labels" . | nindent 4 }} -spec: - host: {{ .Values.route.host }} - to: - kind: Service - name: {{ include "localstack.fullname" . }} - weight: 100 - port: - targetPort: {{ .Values.route.port }} - wildcardPolicy: None - tls: - {{- toYaml .Values.route.tls | nindent 4 }} -{{- end }} - 
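Review bot: In the role.yaml hunk the new `{{- range .Values.scc.resourceNames }}` has no `{{- end }}` of its own: the two `{{- end }}` lines after `verbs: ["use"]` now close the range and `if .Values.scc`, so the block opened before line 19 of the template (outside this hunk) is left unclosed and the template should fail to parse, and even with a third `end` the `verbs` key would be emitted once per SCC name. The diffstat shows this file's only hunk adds four lines, none of which is the missing `end`, so it is not added elsewhere. The fix is one line placed before `verbs`: `    {{- end }}` directly after `    - {{ . | quote }}`. Note also that `{{- if .Values.scc }}` is true whenever the `scc` map exists, so with the values.yaml defaults the SCC rule is rendered on every install; guarding on the list instead, `{{- if and .Values.scc .Values.scc.resourceNames }}`, keeps the rule out of charts rendered for non-OpenShift clusters.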
diff --git a/charts/localstack/values.yaml b/charts/localstack/values.yaml index a41756a..f7b065d 100644 --- a/charts/localstack/values.yaml +++ b/charts/localstack/values.yaml @@ -19,10 +19,6 @@ imagePullSecrets: [] nameOverride: "" fullnameOverride: "" -## OpenShift. When set to 'true' it will add SecurityContextConstraings (SCC) -## to the role -openshift: false - ## @param extraDeploy Extra objects to deploy (value evaluated as a template) ## extraDeploy: [] @@ -49,6 +45,13 @@ role: # If not set and create is true, a name is generated using the fullname template name: "" +## OpenShift Security Context Constraints. When set to 'true' it will add SecurityContextConstraings (SCC) +## to the role +scc: + resourceNames: + - anyuid + - nonroot + podLabels: {} podAnnotations: {} @@ -159,12 +162,6 @@ ingress: # hosts: # - chart-example.local -## Create a Route resource if using OpenShift -## Defaults to the 'edge' port of the service on 4566 -route: - enabled: false - port: edge - persistence: ## @param persistence.enabled Enable persistence using Persistent Volume Claims ##
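Review bot: The new `scc` block in the second values.yaml hunk is populated by default (`anyuid`, `nonroot`), and the template gate `{{- if .Values.scc }}` is satisfied by the map's mere presence, so the `use` grant on those SCCs is now rendered unconditionally where it was previously opt-in behind the removed `openshift: false`; the default has also widened from `anyuid` alone to `anyuid` and `nonroot`. Consider shipping `resourceNames: []` (with the template guarding on the list being non-empty) or reintroducing an explicit enable flag so only users who ask for an SCC grant receive one. The comment above the key still says `When set to 'true'` and misspells `SecurityContextConstraings`, which no longer describes a list-valued key; suggest `## OpenShift Security Context Constraints (SCCs) the role is allowed to use; leave empty outside OpenShift`. The removal of the `openshift` and `route` keys in the other two hunks is a silent breaking change for values files that set them, which is worth a line in the chart's release notes.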