18 changes: 17 additions & 1 deletion templates/deployment-client.yaml
Expand Up @@ -21,6 +21,14 @@ spec:
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if or .Values.openshift.enabled .Values.client.securityContext }}
securityContext:
{{- if .Values.client.securityContext }}
{{- toYaml .Values.client.securityContext | nindent 8 }}
{{- else if .Values.openshift.enabled }}
{{- toYaml .Values.openshift.securityContext | nindent 8 }}
{{- end }}
{{- end }}
{{- if .Values.client.opaStartupData }}
volumes:
- name: opa-startup-data
Expand All @@ -32,6 +40,14 @@ spec:
- name: opal-client
image: {{ include "opal.clientImage" . | quote }}
imagePullPolicy: {{ .Values.client.imagePullPolicy | default "IfNotPresent" | quote }}
{{- if or .Values.openshift.enabled .Values.client.containerSecurityContext }}
securityContext:
{{- if .Values.client.containerSecurityContext }}
{{- toYaml .Values.client.containerSecurityContext | nindent 12 }}
{{- else if .Values.openshift.enabled }}
{{- toYaml .Values.openshift.containerSecurityContext | nindent 12 }}
{{- end }}
{{- end }}
ports:
- name: http
containerPort: {{ .Values.client.port }}
Expand Down Expand Up @@ -95,4 +111,4 @@ spec:
{{- toYaml .Values.client.resources | nindent 12 }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
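Review bot: The container-level `securityContext` in the opal-client hunk (`@@ -32,6 +40,14 @@`) is only rendered when `openshift.enabled` or `client.containerSecurityContext` is truthy, so a plain Kubernetes install with the shipped `containerSecurityContext: {}` gets no container security context at all and `allowPrivilegeEscalation` stays at its API default of true; deployment-pgsql.yaml and deployment-server.yaml follow the same structure. If `runAsNonRoot: true` / `allowPrivilegeEscalation: false` are meant as the hardening baseline rather than an OpenShift-only setting, the simplest fix is to ship them as the `containerSecurityContext` default in values.yaml and keep `openshift.*` for the pod-level UID/GID values that really are platform specific. Separately, inside the `or` guard the inner `{{- else if .Values.openshift.enabled }}` can never be false, so `{{- else }}` expresses the same thing without suggesting a third case. The `containers:` entry this hunk modifies continues past the end of the hunk.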
38 changes: 37 additions & 1 deletion templates/deployment-pgsql.yaml
Expand Up @@ -20,10 +20,36 @@ spec:
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if or .Values.openshift.enabled .Values.postgresql.securityContext }}
securityContext:
{{- if .Values.postgresql.securityContext }}
{{- toYaml .Values.postgresql.securityContext | nindent 8 }}
{{- else if .Values.openshift.enabled }}
{{- toYaml .Values.openshift.securityContext | nindent 8 }}
{{- end }}
{{- end }}
{{- if .Values.openshift.enabled }}
volumes:
- name: postgres-data
emptyDir: {}
{{- end }}
containers:
- name: pgsql
image: {{ include "opal.pgsqlImage" . | quote }}
imagePullPolicy: IfNotPresent
{{- if or .Values.openshift.enabled .Values.postgresql.containerSecurityContext }}
securityContext:
{{- if .Values.postgresql.containerSecurityContext }}
{{- toYaml .Values.postgresql.containerSecurityContext | nindent 12 }}
{{- else if .Values.openshift.enabled }}
{{- toYaml .Values.openshift.containerSecurityContext | nindent 12 }}
{{- end }}
{{- end }}
{{- if .Values.openshift.enabled }}
volumeMounts:
- mountPath: /var/lib/postgresql/data
name: postgres-data
{{- end }}
ports:
- name: pgsql
containerPort: 5432
Expand All @@ -35,5 +61,15 @@ spec:
value: postgres
- name: POSTGRES_PASSWORD
value: postgres
{{- if .Values.openshift.enabled }}
- name: PGDATA
value: "/var/lib/postgresql/data/pgdata"
{{- end }}
{{- if .Values.postgresql.extraEnv }}
{{- range $name, $value := .Values.postgresql.extraEnv }}
- name: {{ $name }}
value: {{ $value | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
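Review bot: In the env hunk (`@@ -35,5 +61,15 @@`) the key side of the new `extraEnv` loop is rendered as a plain scalar, `- name: {{ $name }}`, while the value is quoted; a variable name that a YAML 1.1 reader treats as something other than a string (`NO`, `ON`, `YES`) would then render as a non-string `name` and fail validation. Quote it like the value: `- name: {{ $name | quote }}`. The surrounding `{{- if .Values.postgresql.extraEnv }}` is redundant, since `range` over an empty map emits nothing, and can be dropped to match the simpler shape. The `env:` list this loop extends starts above the hunk.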
36 changes: 35 additions & 1 deletion templates/deployment-server.yaml
Expand Up @@ -21,6 +21,14 @@ spec:
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if or .Values.openshift.enabled .Values.server.securityContext }}
securityContext:
{{- if .Values.server.securityContext }}
{{- toYaml .Values.server.securityContext | nindent 8 }}
{{- else if .Values.openshift.enabled }}
{{- toYaml .Values.openshift.securityContext | nindent 8 }}
{{- end }}
{{- end }}
{{- if .Values.e2e }}
volumes:
- name: e2e
Expand All @@ -29,11 +37,25 @@ spec:
configMap:
name: policy-repo-data
defaultMode: 0755
{{- else if .Values.openshift.enabled }}
volumes:
- name: jwks-dir
emptyDir: {}
{{- end }}

{{- if .Values.e2e }}
initContainers:
- name: git-init
image: {{ include "opal.serverImage" . | quote }}
imagePullPolicy: IfNotPresent
{{- if or .Values.openshift.enabled .Values.server.containerSecurityContext }}
securityContext:
{{- if .Values.server.containerSecurityContext }}
{{- toYaml .Values.server.containerSecurityContext | nindent 12 }}
{{- else if .Values.openshift.enabled }}
{{- toYaml .Values.openshift.containerSecurityContext | nindent 12 }}
{{- end }}
{{- end }}
volumeMounts:
- mountPath: /opt/e2e
name: e2e
Expand Down Expand Up @@ -63,13 +85,25 @@ spec:
- name: opal-server
image: {{ include "opal.serverImage" . | quote }}
imagePullPolicy: {{ .Values.server.imagePullPolicy | default "IfNotPresent" | quote }}
{{- if or .Values.openshift.enabled .Values.server.containerSecurityContext }}
securityContext:
{{- if .Values.server.containerSecurityContext }}
{{- toYaml .Values.server.containerSecurityContext | nindent 12 }}
{{- else if .Values.openshift.enabled }}
{{- toYaml .Values.openshift.containerSecurityContext | nindent 12 }}
{{- end }}
{{- end }}
{{- if .Values.e2e }}
volumeMounts:
- mountPath: /opt/e2e/policy-repo-data
name: policy-repo-data
readOnly: true
- mountPath: /opt/e2e
name: e2e
{{- else if .Values.openshift.enabled }}
volumeMounts:
- mountPath: /opal/jwks_dir
name: jwks-dir
{{- end }}
ports:
- name: http
Expand Down Expand Up @@ -139,4 +173,4 @@ spec:
{{- toYaml .Values.server.resources | nindent 12 }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
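Review bot: The `volumes:` hunk (`@@ -29,11 +37,25 @@`) adds the OpenShift `jwks-dir` volume as an `else if` after the `e2e` branch, and the `volumeMounts:` hunk (`@@ -63,13 +85,25 @@`) does the same for the mount, so a release with both `e2e` and `openshift.enabled` set gets no writable `/opal/jwks_dir` even though it still runs under the restricted security context that made the emptyDir necessary. The two conditions are independent, so unless e2e is deliberately unsupported on OpenShift, `jwks-dir` should be rendered whenever `openshift.enabled` is true, with the `volumes:`/`volumeMounts:` key guarded by the combined condition so it is emitted exactly once; the volumes side is sketched below and the mounts side follows the same shape. The pod `spec:` these hunks sit in starts above the first hunk.
```yaml
      {{- if or .Values.e2e .Values.openshift.enabled }}
      volumes:
      {{- if .Values.e2e }}
      # … unchanged: e2e and policy-repo-data volume entries …
      {{- end }}
      {{- if .Values.openshift.enabled }}
      - name: jwks-dir
        emptyDir: {}
      {{- end }}
      {{- end }}
```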
51 changes: 51 additions & 0 deletions values.schema.json
Expand Up @@ -28,11 +28,44 @@
},
"external_source_url": {"type": "string", "title": "url to external data source"}
}
},
"SecurityContext": {
"type": "object",
"title": "SecurityContext",
"additionalProperties": true,
"properties": {
"runAsUser": { "type": "integer" },
"runAsGroup": { "type": "integer" },
"fsGroup": { "type": "integer" }
}
},
"ContainerSecurityContext": {
"type": "object",
"title": "ContainerSecurityContext",
"additionalProperties": true,
"properties": {
"runAsNonRoot": { "type": "boolean" },
"allowPrivilegeEscalation": { "type": "boolean" }
}
}
},

"type": "object", "required": ["image"],
"properties": {
"openshift": {
"type": "object",
"title": "OpenShift compatibility settings",
"additionalProperties": false,
"properties": {
"enabled": {
"type": "boolean",
"title": "Enable OpenShift compatibility",
"default": false
},
"securityContext": { "$ref": "#/definitions/SecurityContext" },
"containerSecurityContext": { "$ref": "#/definitions/ContainerSecurityContext" }
}
},
"image": {
"type": "object", "title": "image", "additionalProperties": false,
"required": ["server", "client", "pgsql"],
Expand Down Expand Up @@ -118,6 +151,8 @@
"type": ["null", "object"], "additionalProperties": false, "title": "opal server settings",
"required": ["port", "policyRepoUrl", "pollingInterval", "dataConfigSources", "broadcastPgsql", "uvicornWorkers", "replicas"],
"properties": {
"securityContext": { "$ref": "#/definitions/SecurityContext" },
"containerSecurityContext": { "$ref": "#/definitions/ContainerSecurityContext" },
"enabled": {
"type": "boolean", "title": "enable server", "default": true
},
Expand Down Expand Up @@ -181,6 +216,8 @@
"type": ["null", "object"], "additionalProperties": false, "title": "opal client settings",
"required": ["port", "opaPort", "replicas"],
"properties": {
"securityContext": { "$ref": "#/definitions/SecurityContext" },
"containerSecurityContext": { "$ref": "#/definitions/ContainerSecurityContext" },
"enabled": {
"type": "boolean", "title": "enable client", "default": true
},
Expand Down Expand Up @@ -220,6 +257,20 @@
"title": "when kubelet should pull specified image"
}
}
},
"postgresql": {
"type": ["null", "object"],
"additionalProperties": false,
"title": "PostgreSQL settings",
"properties": {
"securityContext": { "$ref": "#/definitions/SecurityContext" },
"containerSecurityContext": { "$ref": "#/definitions/ContainerSecurityContext" },
"extraEnv": {
"type": "object",
"title": "extra environment variables list",
"default": {}
}
}
}
}
}
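Review bot: Both new definitions (`SecurityContext`, `ContainerSecurityContext`) set `additionalProperties: true`, which is needed to pass arbitrary Kubernetes fields through, but it also means a misspelled hardening key such as `allowPrivilegeEscalation` or `readOnlyRootFilesystem` passes schema validation silently and only surfaces, if at all, at the API server. Listing the common hardening fields with their types at least catches type errors on the ones people actually set; a fuller `ContainerSecurityContext` definition is sketched below, and `SecurityContext` would benefit from `runAsNonRoot` and `seccompProfile` in the same way. Also, `postgresql.extraEnv` is typed `object` but titled `extra environment variables list`; `extra environment variables map` matches both the type and the `range $name, $value` loop that consumes it.
```json
"ContainerSecurityContext": {
  "type": "object",
  "title": "ContainerSecurityContext",
  "additionalProperties": true,
  "properties": {
    "runAsNonRoot": { "type": "boolean" },
    "allowPrivilegeEscalation": { "type": "boolean" },
    "readOnlyRootFilesystem": { "type": "boolean" },
    "privileged": { "type": "boolean" },
    "runAsUser": { "type": "integer" },
    "runAsGroup": { "type": "integer" },
    "capabilities": {
      "type": "object",
      "properties": {
        "add": { "type": "array", "items": { "type": "string" } },
        "drop": { "type": "array", "items": { "type": "string" } }
      }
    },
    "seccompProfile": {
      "type": "object",
      "properties": { "type": { "type": "string" } }
    }
  }
}
```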
23 changes: 22 additions & 1 deletion values.yaml
@@ -1,3 +1,13 @@
openshift:
enabled: false
securityContext:
runAsUser: 1010180000
runAsGroup: 1010180000
fsGroup: 1010180000
containerSecurityContext:
runAsNonRoot: true
allowPrivilegeEscalation: false

image:
client:
registry: docker.io
Expand All @@ -21,7 +31,7 @@ server:
# Option #1 - No data sources
config:
entries: []

# Option #2 - Dynamically get data sources
# external_source_url: "https://your-api.com/path/to/api/endpoint"

Expand All @@ -42,6 +52,8 @@ server:
extraEnv: {
# "CUSTOM_ENV_VAR": "VALUE"
}
securityContext: {}
containerSecurityContext: {}

client:
port: 7000
Expand All @@ -50,3 +62,12 @@ client:
# If you need to specify a custom hostname for the opal-sever, configure the serverUrl property
# serverUrl: http://custom-hostname-for-opal:opal-port
extraEnv: {}
securityContext: {}
containerSecurityContext: {}

postgresql:
securityContext: {}
containerSecurityContext: {}
extraEnv: {}

broadcastReplicas: 1
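Review bot: `openshift.securityContext` ships a fixed `runAsUser`/`runAsGroup`/`fsGroup` of `1010180000`, but under the default `restricted` SCC these values have to fall inside the UID and group ranges OpenShift allocates per project (the `openshift.io/sa.scc.uid-range` namespace annotation), so unless every target project happens to carry that exact range the pods are rejected at admission, and the tempting workaround of granting `anyuid` gives up the isolation this change is trying to keep. Prefer leaving the three keys unset by default so the SCC injects the project's range, or at minimum document the constraint above the block: `# Must match the target project's openshift.io/sa.scc.uid-range; omit to let the restricted SCC assign the UID/GID.` The `openshift` block also has no comment on what `enabled` switches on, while the rest of values.yaml comments its options; a one-liner such as `# When true, apply the security contexts below and mount emptyDir volumes for the paths the images write to.` would help.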