From 7dd2fd2f89bb0cff354fd4b5314e97104455f4e0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javier=20J=2E=20Salmer=C3=B3n-Garc=C3=ADa?=
Date: Wed, 6 Mar 2024 10:09:27 +0100
Subject: [PATCH] [bitnami/contour] feat: :sparkles: :lock: Add automatic adaptation for Openshift restricted-v2 SCC (#24072)
Signed-off-by: Javier Salmeron Garcia
---
 bitnami/contour/Chart.lock | 6 +++---
 bitnami/contour/README.md | 11 ++++++-----
 bitnami/contour/templates/certgen/job.yaml | 4 ++--
 bitnami/contour/templates/contour/deployment.yaml | 4 ++--
 .../contour/templates/default-backend/deployment.yaml | 4 ++--
 bitnami/contour/templates/envoy/daemonset.yaml | 8 ++++----
 bitnami/contour/templates/envoy/deployment.yaml | 8 ++++----
 bitnami/contour/values.yaml | 9 +++++++++
 8 files changed, 32 insertions(+), 22 deletions(-)
diff --git a/bitnami/contour/Chart.lock b/bitnami/contour/Chart.lock
index 298ffc5562..6a6373fb2e 100644
--- a/bitnami/contour/Chart.lock
+++ b/bitnami/contour/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: common
 repository: oci://registry-1.docker.io/bitnamicharts
- version: 2.16.1
-digest: sha256:f808a6fdc9c374d158ad7ff2f2c53a6c409e41da778d768b232dd20f86ef8b47
-generated: "2024-02-21T12:15:42.325363695Z"
+ version: 2.18.0
+digest: sha256:f489ae7394a4eceb24fb702901483c67a5b4fff605f19d5e2545e3a6778e1280
+generated: "2024-03-05T13:34:26.71830669+01:00"
diff --git a/bitnami/contour/README.md b/bitnami/contour/README.md
index 9dd9a4b952..217be56627 100644
--- a/bitnami/contour/README.md
+++ b/bitnami/contour/README.md
@@ -62,11 +62,12 @@ helm uninstall my-release
 ### Global parameters
-| Name | Description | Value |
-| ------------------------- | ----------------------------------------------- | ----- |
-| `global.imageRegistry` | Global Docker image registry | `""` |
-| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
-| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` |
+| Name | Description | Value |
+| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- |
+| `global.imageRegistry` | Global Docker image registry | `""` |
+| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
+| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` |
+| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` |
 ### Common parameters
diff --git a/bitnami/contour/templates/certgen/job.yaml b/bitnami/contour/templates/certgen/job.yaml
index c886bc7cfb..38a3e6da20 100644
--- a/bitnami/contour/templates/certgen/job.yaml
+++ b/bitnami/contour/templates/certgen/job.yaml
@@ -37,7 +37,7 @@ spec:
 tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.contour.tolerations "context" $) | nindent 8 }}
 {{- end }}
 {{- if .Values.contour.podSecurityContext.enabled }}
- securityContext: {{- omit .Values.contour.podSecurityContext "enabled" | toYaml | nindent 8 }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.contour.podSecurityContext "context" $) | nindent 8 }}
 {{- end }}
 containers:
 - name: contour
@@ -73,7 +73,7 @@ spec:
 {{- end }}
 {{- end }}
 {{- if .Values.contour.containerSecurityContext.enabled }}
- securityContext: {{- omit .Values.contour.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.contour.containerSecurityContext "context" $) | nindent 12 }}
 {{- end }}
 resources: {{ toYaml .Values.contour.resources | nindent 12 }}
 restartPolicy: Never
diff --git a/bitnami/contour/templates/contour/deployment.yaml b/bitnami/contour/templates/contour/deployment.yaml
index 6268be61aa..4642d3b5c6 100644
--- a/bitnami/contour/templates/contour/deployment.yaml
+++ b/bitnami/contour/templates/contour/deployment.yaml
@@ -221,7 +221,7 @@ spec:
 {{- end }}
 {{- end }}
 {{- if .Values.contour.containerSecurityContext.enabled }}
- securityContext: {{- omit .Values.contour.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.contour.containerSecurityContext "context" $) | nindent 12 }}
 {{- end }}
 {{- if .Values.contour.sidecars }}
 {{- include "common.tplvalues.render" ( dict "value" .Values.contour.sidecars "context" $) | nindent 8 }}
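Review bot: Once `global.compatibility.openshift.adaptSecurityContext` is `auto` or `force`, both `securityContext:` lines rendered in this file (and the same substitution in contour/deployment.yaml, default-backend/deployment.yaml, envoy/daemonset.yaml and envoy/deployment.yaml) no longer pin `runAsUser`, `runAsGroup` or `fsGroup`, so the identity the certgen job runs under is assigned by the cluster's SCC range instead of by the chart. That is the intended trade, but it leaves `runAsNonRoot` in the values as the only chart-side guard against running as root while the adaptation is active, so the default pod and container security contexts should keep it set to `true`. The change also drops the explicit `omit ... "enabled"`; the common helper is expected to strip that toggle key itself (it does in common 2.18.0 as far as I know), and a `helm template` check asserting that no `enabled:` field reaches a rendered `securityContext` would pin that contract for future common bumps. The enclosing `spec:` block of the job starts and ends outside the hunk.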
@@ -229,7 +229,7 @@ spec:
 dnsPolicy: ClusterFirst
 serviceAccountName: {{ include "contour.contourServiceAccountName" . }}
 {{- if .Values.contour.podSecurityContext.enabled }}
- securityContext: {{- omit .Values.contour.podSecurityContext "enabled" | toYaml | nindent 8 }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.contour.podSecurityContext "context" $) | nindent 8 }}
 {{- end }}
 volumes:
 - name: contourcert
diff --git a/bitnami/contour/templates/default-backend/deployment.yaml b/bitnami/contour/templates/default-backend/deployment.yaml
index 71c3992465..54aac5f6e5 100644
--- a/bitnami/contour/templates/default-backend/deployment.yaml
+++ b/bitnami/contour/templates/default-backend/deployment.yaml
@@ -56,7 +56,7 @@ spec:
 tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.defaultBackend.tolerations "context" .) | nindent 8 }}
 {{- end }}
 {{- if .Values.defaultBackend.podSecurityContext.enabled }}
- securityContext: {{- omit .Values.defaultBackend.podSecurityContext "enabled" | toYaml | nindent 8 }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.defaultBackend.podSecurityContext "context" $) | nindent 8 }}
 {{- end }}
 automountServiceAccountToken: false
 serviceAccountName: {{ include "envoy.envoyServiceAccountName" . }}
@@ -77,7 +77,7 @@ spec:
 image: {{ include "common.images.image" ( dict "imageRoot" .Values.defaultBackend.image "global" .Values.global) }}
 imagePullPolicy: {{ .Values.defaultBackend.image.pullPolicy | quote }}
 {{- if .Values.defaultBackend.containerSecurityContext.enabled }}
- securityContext: {{- omit .Values.defaultBackend.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.defaultBackend.containerSecurityContext "context" $) | nindent 12 }}
 {{- end }}
 {{- if .Values.defaultBackend.command }}
 command: {{- include "common.tplvalues.render" (dict "value" .Values.defaultBackend.command "context" $) | nindent 12 }}
diff --git a/bitnami/contour/templates/envoy/daemonset.yaml b/bitnami/contour/templates/envoy/daemonset.yaml
index af077b5454..4462f308c1 100644
--- a/bitnami/contour/templates/envoy/daemonset.yaml
+++ b/bitnami/contour/templates/envoy/daemonset.yaml
@@ -59,7 +59,7 @@ spec:
 hostNetwork: {{ .Values.envoy.hostNetwork }}
 dnsPolicy: {{ .Values.envoy.dnsPolicy }}
 {{- if .Values.envoy.podSecurityContext.enabled }}
- securityContext: {{- omit .Values.envoy.podSecurityContext "enabled" | toYaml | nindent 8 }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.envoy.podSecurityContext "context" $) | nindent 8 }}
 {{- end }}
 containers:
 {{- if .Values.envoy.shutdownManager.enabled }}
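Review bot: In the envoy daemonset hunk the adapted pod `securityContext` is rendered two lines below `hostNetwork: {{ .Values.envoy.hostNetwork }}`, and the restricted-v2 SCC this feature targets does not admit host networking or host ports, so dropping the UID/GID fields alone will not make the envoy pods admissible on OpenShift when `envoy.hostNetwork` is enabled. That limit is not stated anywhere in the diff; a one-line addition to the `adaptSecurityContext` description such as `## The adaptation only rewrites securityContext fields; hostNetwork/hostPort settings still require an SCC that allows them` would save operators a confusing admission failure. The same applies to the `@@ -70` hunk of envoy/deployment.yaml, which carries the same `hostNetwork` context line. The pod `spec:` of the daemonset begins outside the hunk.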
@@ -89,7 +89,7 @@ spec:
 {{- end }}
 {{- end }}
 {{- if .Values.envoy.shutdownManager.containerSecurityContext.enabled }}
- securityContext: {{- omit .Values.envoy.shutdownManager.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.envoy.shutdownManager.containerSecurityContext "context" $) | nindent 12 }}
 {{- end }}
 {{- if .Values.envoy.lifecycleHooks }}
 lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.envoy.lifecycleHooks "context" $) | nindent 12 }}
@@ -139,7 +139,7 @@ spec:
 image: {{ include "common.images.image" ( dict "imageRoot" .Values.envoy.image "global" .Values.global ) }}
 imagePullPolicy: {{ .Values.envoy.image.pullPolicy }}
 {{- if .Values.envoy.containerSecurityContext.enabled }}
- securityContext: {{- omit .Values.envoy.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.envoy.containerSecurityContext "context" $) | nindent 12 }}
 {{- end }}
 env:
 - name: CONTOUR_NAMESPACE
@@ -306,7 +306,7 @@ spec:
 {{- end }}
 {{- end }}
 {{- if .Values.envoy.initConfig.containerSecurityContext.enabled }}
- securityContext: {{- omit .Values.envoy.initConfig.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.envoy.initConfig.containerSecurityContext "context" $) | nindent 12 }}
 {{- end }}
 {{- if .Values.envoy.initContainers }}
 {{- include "common.tplvalues.render" ( dict "value" .Values.envoy.initContainers "context" $ ) | nindent 8 }}
diff --git a/bitnami/contour/templates/envoy/deployment.yaml b/bitnami/contour/templates/envoy/deployment.yaml
index 785ddd7513..0a249ece9e 100644
--- a/bitnami/contour/templates/envoy/deployment.yaml
+++ b/bitnami/contour/templates/envoy/deployment.yaml
@@ -70,7 +70,7 @@ spec:
 hostNetwork: {{ .Values.envoy.hostNetwork }}
 dnsPolicy: {{ .Values.envoy.dnsPolicy }}
 {{- if .Values.envoy.podSecurityContext.enabled }}
- securityContext: {{- omit .Values.envoy.podSecurityContext "enabled" | toYaml | nindent 8 }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.envoy.podSecurityContext "context" $) | nindent 8 }}
 {{- end }}
 containers:
 {{- if .Values.envoy.shutdownManager.enabled }}
@@ -100,7 +100,7 @@ spec:
 {{- end }}
 {{- end }}
 {{- if .Values.envoy.shutdownManager.containerSecurityContext.enabled }}
- securityContext: {{- omit .Values.envoy.shutdownManager.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.envoy.shutdownManager.containerSecurityContext "context" $) | nindent 12 }}
 {{- end }}
 lifecycle:
 preStop:
@@ -149,7 +149,7 @@ spec:
 image: {{ include "common.images.image" ( dict "imageRoot" .Values.envoy.image "global" .Values.global ) }}
 imagePullPolicy: {{ .Values.envoy.image.pullPolicy }}
 {{- if .Values.envoy.containerSecurityContext.enabled }}
- securityContext: {{- omit .Values.envoy.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.envoy.containerSecurityContext "context" $) | nindent 12 }}
 {{- end }}
 env:
 - name: CONTOUR_NAMESPACE
@@ -330,7 +330,7 @@ spec:
 {{- end }}
 {{- end }}
 {{- if .Values.envoy.initConfig.containerSecurityContext.enabled }}
- securityContext: {{- omit .Values.envoy.initConfig.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.envoy.initConfig.containerSecurityContext "context" $) | nindent 12 }}
 {{- end }}
 {{- if .Values.envoy.initContainers }}
 {{- include "common.tplvalues.render" ( dict "value" .Values.envoy.initContainers "context" $ ) | nindent 8 }}
diff --git a/bitnami/contour/values.yaml b/bitnami/contour/values.yaml
index 7c40377549..4db0951fcc 100644
--- a/bitnami/contour/values.yaml
+++ b/bitnami/contour/values.yaml
@@ -19,6 +19,15 @@ global:
 ##
 imagePullSecrets: []
 storageClass: ""
+ ## Compatibility adaptations for Kubernetes platforms
+ ##
+ compatibility:
+ ## Compatibility adaptations for Openshift
+ ##
+ openshift:
+ ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
+ ##
+ adaptSecurityContext: disabled
 ## @section Common parameters
 ##
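Review bot: The `@param` description added for `adaptSecurityContext` in the values.yaml hunk lists `auto`, `force` and `disabled` but says nothing about any other string; presumably the common helper compares the value literally and treats anything else as no adaptation, which would make a typo such as `Auto` silently keep the pinned IDs on OpenShift. Once confirmed against the helper, a line like `## Any other value behaves as disabled; the match is case-sensitive` under the `@param` would close that gap. It is also worth saying that `force` applies on non-OpenShift clusters too, where dropping `runAsUser` means the containers fall back to the image's built-in user unless `runAsNonRoot` in the security contexts rejects it. The enclosing `global:` mapping starts outside the hunk.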