Merge pull request #108 from steadybit/refa/helm-no-hardcoded-uid

refa: improve helm chart for openshift

charts/steadybit-extension-host/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: steadybit-extension-host
 description: Steadybit host extension Helm chart for Kubernetes.
-version: 1.1.28
+version: 1.1.30
 appVersion: v1.2.25
 home: https://www.steadybit.com/
 icon: https://steadybit-website-assets.s3.amazonaws.com/logo-symbol-transparent.png

charts/steadybit-extension-host/templates/_helpers.tpl

@@ -0,0 +1,13 @@
+{{- /*
+will omit attribute from the passed in object depending on the KubeVersion
+*/}}
+{{- define "omitForKuberVersion" -}}
+{{- $top := index . 0 -}}
+{{- $versionConstraint := index . 1 -}}
+{{- $dict := index . 2 -}}
+{{- $toOmit := index . 3 -}}
+{{- if semverCompare $versionConstraint $top.Capabilities.KubeVersion.Version -}}
+{{- $dict := omit $dict $toOmit -}}
+{{- end -}}
+{{- $dict | toYaml  -}}
+{{- end -}}

charts/steadybit-extension-host/templates/daemonset.yaml

@@ -114,19 +114,10 @@ spec:
             httpGet:
               path: /health/readiness
               port: {{ .Values.containerPorts.health }}
+          {{- with (include "omitForKuberVersion" (list . "<1.30-0" .Values.containerSecurityContext "appArmorProfile" )) }}
           securityContext:
-            {{- if semverCompare ">=1.30-0" .Capabilities.KubeVersion.Version}}
-            appArmorProfile:
-              type: Unconfined
-            {{- end }}
-            seccompProfile:
-              type: Unconfined
-            capabilities:
-              add: {{ toJson .Values.securityContext.capabilities.add }}
-            readOnlyRootFilesystem: true
-            runAsNonRoot: true
-            runAsUser: 10000
-            runAsGroup: 10000
+          {{- . | nindent 12 }}
+          {{- end }}
       volumes:
         - name: tmp-dir
           emptyDir: {}

charts/steadybit-extension-host/templates/scc-clusterrole.yaml

@@ -0,0 +1,15 @@
+{{- if or .Values.securityContextConstraint.create (and (.Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints") (eq .Values.securityContextConstraint.create nil)) -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: "system:openshift:scc:{{ .Values.securityContextConstraint.name }}"
+rules:
+  - apiGroups:
+      - security.openshift.io
+    resourceNames:
+      - {{ .Values.securityContextConstraint.name }}
+    resources:
+      - securitycontextconstraints
+    verbs:
+      - use
+{{- end -}}

charts/steadybit-extension-host/templates/scc-rolebinding.yaml

@@ -0,0 +1,15 @@
+{{- if or .Values.securityContextConstraint.create (and (.Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints") (eq .Values.securityContextConstraint.create nil)) -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: "system:openshift:scc:{{ .Values.securityContextConstraint.name }}"
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: "system:openshift:scc:{{ .Values.securityContextConstraint.name }}"
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Values.serviceAccount.name }}
+    namespace: {{ .Release.Namespace }}
+{{- end -}}

charts/steadybit-extension-host/templates/scc.yaml

@@ -0,0 +1,20 @@
+{{- if or .Values.securityContextConstraint.create (and (.Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints") (eq .Values.securityContextConstraint.create nil)) -}}
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+  name: {{ .Values.securityContextConstraint.name }}
+priority: null
+allowedCapabilities:
+  {{- .Values.containerSecurityContext.capabilities.add | toYaml | nindent 2 }}
+allowHostNetwork: true
+allowHostPID: true
+allowHostPorts: true
+allowHostDirVolumePlugin: true
+allowPrivilegeEscalation: true
+runAsUser:
+  type: MustRunAsNonRoot
+seccompProfiles:
+  - unconfined
+seLinuxContext:
+  type: MustRunAs
+{{- end -}}