[chart/redis-ha]Openshift Security Context (#286)

* init * Doc * Update Chart.yaml Signed-off-by: Aaron Layfield <[email protected]> --------- Signed-off-by: Aaron Layfield <[email protected]> Co-authored-by: Baptiste Noleau <[email protected]> Co-authored-by: Aaron Layfield <[email protected]>
DandyDeveloper · Nov 5, 2024 · 2da0f3d · 2da0f3d
1 parent 7fa457d
commit 2da0f3d
Show file tree

Hide file tree

Showing 8 changed files with 55 additions and 15 deletions.
diff --git a/charts/redis-ha/Chart.yaml b/charts/redis-ha/Chart.yaml
@@ -5,7 +5,7 @@ keywords:
 - redis
 - keyvalue
 - database
-version: 4.27.8
+version: 4.28.0
 appVersion: 7.2.4
 description: This Helm chart provides a highly available Redis implementation with a master/slave configuration and uses Sentinel sidecars for failover management
 icon: https://upload.wikimedia.org/wikipedia/en/thumb/6/6b/Redis_Logo.svg/1200px-Redis_Logo.svg.png

diff --git a/charts/redis-ha/README.md b/charts/redis-ha/README.md
@@ -61,6 +61,7 @@ The following table lists the configurable parameters of the Redis chart and the
 | Parameter                 | Description                                                                                                                                                                                              | Default                                                                                    |
 |:--------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-------------------------------------------------------------------------------------------|
 | `global.priorityClassName`| Default priority class for all components (HAProxy Deployment and Redis StatefulSet)                                                                                                                     | `""`                                                                                       |
+| `global.compatibility.openshift.adaptSecurityContext`| Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `"auto"`                                                                                       |
 | `image.repository`        | Redis image repository                 | `redis`                                                                                  |
 | `image.tag`        | Redis image tag                            | `6.2.5-alpine`                                                                              |
 | `image.pullPolicy`        | Redis image pull policy                          | `IfNotPresent`                                                                   |

diff --git a/charts/redis-ha/templates/_helpers.tpl b/charts/redis-ha/templates/_helpers.tpl
@@ -92,3 +92,39 @@ Return the appropriate apiVersion for poddisruptionbudget.
 {{- print "policy/v1beta1" -}}
 {{- end -}}
 {{- end -}}
+
+{{/* 
+Return true if the detected platform is Openshift
+Usage:
+{{- include "common.compatibility.isOpenshift" . -}}
+*/}}
+{{- define "compatibility.isOpenshift" -}}
+{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}}
+{{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Render a compatible securityContext depending on the platform. By default it is maintained as it is. In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC
+Usage:
+{{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) -}}
+*/}}
+{{- define "compatibility.renderSecurityContext" -}}
+{{- $adaptedContext := .secContext -}}
+
+{{- if (((.context.Values.global).compatibility).openshift) -}}
+  {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "compatibility.isOpenshift" .context)) -}}
+    {{/* Remove incompatible user/group values that do not work in Openshift out of the box */}}
+    {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}}
+    {{- if not .secContext.seLinuxOptions -}}
+    {{/* If it is an empty object, we remove it from the resulting context because it causes validation issues */}}
+    {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
+{{/* Remove fields that are disregarded when running the container in privileged mode */}}
+{{- if $adaptedContext.privileged -}}
+  {{- $adaptedContext = omit $adaptedContext "capabilities" "seLinuxOptions" -}}
+{{- end -}}
+{{- omit $adaptedContext "enabled" | toYaml -}}
+{{- end -}}
diff --git a/charts/redis-ha/templates/redis-ha-statefulset.yaml b/charts/redis-ha/templates/redis-ha-statefulset.yaml
@@ -105,7 +105,7 @@ spec:
       {{- if .Values.imagePullSecrets }}
       imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }}
       {{- end }}
-      securityContext: {{ toYaml .Values.securityContext | nindent 8 }}
+      securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.securityContext "context" $) | nindent 8 }}
       serviceAccountName: {{ template "redis-ha.serviceAccountName" . }}
       automountServiceAccountToken: {{ .Values.serviceAccount.automountToken }}
       initContainers:
@@ -120,12 +120,12 @@ spec:
           mountPath: /host-sys
         {{- end }}
         command: {{ toYaml .Values.sysctlImage.command | nindent 10 }}
-        securityContext: {{ toYaml .Values.containerSecurityContext | nindent 10 }}        
+        securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 10 }}
       {{- end }}
 {{- if and .Values.hostPath.path .Values.hostPath.chown }}
       - name: hostpath-chown
         image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
-        securityContext: {{ toYaml .Values.containerSecurityContext | nindent 10 }}        
+        securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 10 }}
         command:
         - chown
         - "{{ .Values.containerSecurityContext.runAsUser }}"
@@ -143,7 +143,7 @@ spec:
         - sh
         args:
         - /readonly-config/init.sh
-        securityContext: {{ toYaml .Values.containerSecurityContext | nindent 10 }}        
+        securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 10 }}
         env:
 {{- $replicas := int (toString .Values.replicas) -}}
 {{- range $i := until $replicas }}
@@ -231,7 +231,7 @@ spec:
            && if test -s /data/dump.rdb; \
               then cp -v /data/dump.rdb /data/dump.rdb_orig; fi \
            && mv -v /data/dump.rdb_ /data/dump.rdb"
-        securityContext: {{ toYaml .Values.containerSecurityContext | nindent 10 }}        
+        securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 10 }}
         envFrom:
         - secretRef:
           {{- if .Values.restore.existingSecret }}
@@ -262,7 +262,7 @@ spec:
         {{- else }}
           - /data/conf/redis.conf
         {{- end }}
-        securityContext: {{ toYaml .Values.containerSecurityContext | nindent 10 }}        
+        securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 10 }}
         {{- if .Values.auth }}
         env:
         - name: AUTH
@@ -361,7 +361,7 @@ spec:
         {{- else }}
           - /data/conf/sentinel.conf
         {{- end }}
-        securityContext: {{ toYaml .Values.containerSecurityContext | nindent 10 }}        
+        securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 10 }}
 {{- if or .Values.auth .Values.sentinel.auth}}
         env:
   {{- if .Values.auth }}
@@ -459,7 +459,7 @@ spec:
           - sh
         args:
           - /readonly-config/fix-split-brain.sh
-        securityContext: {{ toYaml .Values.containerSecurityContext | nindent 10 }}        
+        securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 10 }}
         env:
 {{- $replicas := int (toString .Values.replicas) -}}
 {{- range $i := until $replicas }}
@@ -509,7 +509,7 @@ spec:
         {{- range $key, $value := .Values.exporter.extraArgs }}
           - --{{ $key }}={{ $value }}
         {{- end }}
-        securityContext: {{ toYaml .Values.containerSecurityContext | nindent 10 }}        
+        securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 10 }}
         env:
           - name: REDIS_ADDR
           {{- if .Values.exporter.sslEnabled }}

diff --git a/charts/redis-ha/templates/redis-haproxy-deployment.yaml b/charts/redis-ha/templates/redis-haproxy-deployment.yaml
@@ -49,8 +49,8 @@ spec:
       {{- else }}
       serviceAccountName: {{ .Values.haproxy.serviceAccountName }}
       {{- end }}
+      securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.haproxy.securityContext "context" $) | nindent 8 }}
       automountServiceAccountToken: {{ .Values.haproxy.serviceAccount.automountToken }}
-      securityContext: {{ toYaml .Values.haproxy.securityContext | nindent 8 }}
       nodeSelector:
 {{ toYaml .Values.nodeSelector | indent 8 }}
       tolerations:
@@ -103,7 +103,7 @@ spec:
         - sh
         args:
         - /readonly/haproxy_init.sh
-        securityContext: {{ toYaml .Values.haproxy.containerSecurityContext | nindent 10 }}
+        securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.haproxy.containerSecurityContext "context" $) | nindent 10 }}
         volumeMounts:
         - name: config-volume
           mountPath: /readonly
@@ -117,7 +117,7 @@ spec:
       - name: haproxy
         image: {{ .Values.haproxy.image.repository }}:{{ .Values.haproxy.image.tag }}
         imagePullPolicy: {{ .Values.haproxy.image.pullPolicy }}
-        securityContext: {{ toYaml .Values.haproxy.containerSecurityContext | nindent 10 }}
+        securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.haproxy.containerSecurityContext "context" $) | nindent 10 }}
     {{- if or .Values.auth .Values.sentinel.auth}}
         env:
       {{- if .Values.auth }}

diff --git a/charts/redis-ha/templates/tests/test-redis-ha-configmap.yaml b/charts/redis-ha/templates/tests/test-redis-ha-configmap.yaml
@@ -21,7 +21,7 @@ spec:
       mountPath: /readonly-config
       readOnly: true
     resources: {{ toYaml .Values.configmapTest.resources | nindent 6 }}
-    securityContext: {{ toYaml .Values.containerSecurityContext | nindent 6 }}
+    securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 6 }}
   {{- if .Values.imagePullSecrets }}
   imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 4 }}
   {{- end }}

diff --git a/charts/redis-ha/templates/tests/test-redis-ha-pod.yaml b/charts/redis-ha/templates/tests/test-redis-ha-pod.yaml
@@ -21,7 +21,7 @@ spec:
       - -c
       - redis-cli -h {{ template "redis-ha.fullname" . }}-haproxy -p {{ .Values.redis.port }} info server
     resources: {{ toYaml .Values.haproxy.tests.resources | nindent 6 }}
-    securityContext: {{ toYaml .Values.containerSecurityContext | nindent 6 }}
+    securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 6 }}
   {{- if .Values.imagePullSecrets }}
   imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 4 }}
   {{- end }}

diff --git a/charts/redis-ha/values.yaml b/charts/redis-ha/values.yaml
@@ -2,6 +2,9 @@
 global:
   # -- Default priority class for all components
   priorityClassName: ""
+  compatibility:
+    openshift:
+      adaptSecurityContext: auto
 
 ## Configure resource requests and limits
 ## ref: http://kubernetes.io/docs/user-guide/compute-resources/