Add SA,SCC and OpenShift changes

horizon/templates/NOTES.txt

@@ -1,4 +1,9 @@
+{{- if include "onOpenShift" . }}
+Thank you for installing OpenNMS {{ .Values.core.image.tag | default .Chart.AppVersion }} on RedHat OpenShift.
+{{- else}}
 Thank you for installing OpenNMS {{ .Values.core.image.tag | default .Chart.AppVersion }}.
+{{- end }}
+
 
 Your release is named "{{ .Release.Name }}", used for:
 - Customer/Deployment identifier.
@@ -17,11 +22,16 @@ OpenNMS Core: https://onms-core.{{ include "core.domain" . }}/opennms/index.jsp
 Grafana: https://grafana.{{ include "core.domain" . }}/
 {{- end }}
 
+{{- if include "onOpenShift" . }}
+
+Enjoy! (Replace me with a statement about OpenShift)
+{{- else }}
 To learn more about the release, try:
 
 $ helm status {{ .Release.Name }}
 $ helm get all {{ .Release.Name }}
 $ kubectl get all -n {{ .Release.Name }}
+{{- end }}
 
 {{- if not .Values.core.configuration.alwaysRollDeployment }}
 

horizon/templates/_helpers.tpl

@@ -127,3 +127,24 @@ Define Customer/Environment Domain
 {{- define "core.domain" -}}
 {{- printf "%s.%s" .Release.Name .Values.domain -}}
 {{- end }}
+
+{{/*
+SecurityContextConstraints apiVersion
+*/}}
+{{- define "scc.apiVersion" -}}
+{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}}
+security.openshift.io/v1
+{{- end }}
+{{- end }}
+
+{{/*
+Are we running in an OpenShift cluster.
+*/}}
+{{- define "onOpenShift" -}}
+{{- $sccApiVersion := include "scc.apiVersion" . -}}
+{{- if not (empty $sccApiVersion) }}
+{{- printf "true" -}}
+{{- else }}
+{{- printf "false" -}}
+{{- end }}
+{{- end }}

horizon/templates/opennms-core.sa.yaml

@@ -0,0 +1,7 @@
+{{- if include "onOpenShift" . }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: sneakyminion
+  namespace: {{ .Release.Name }}
+{{- end }}

horizon/templates/opennms-core.scc.yaml

@@ -0,0 +1,46 @@
+{{- if include "onOpenShift" . }}
+---
+kind: SecurityContextConstraints
+metadata:
+  name: opennms-scc
+  namespace: {{ .Release.Name }}
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: false
+allowedCapabilities:
+  - NET_BIND_SERVICE
+  - NET_RAW
+  - NET_ADMIN
+apiVersion: security.openshift.io/v1
+defaultAddCapabilities:
+  - NET_RAW
+  - NET_ADMIN
+fsGroup:
+  type: RunAsAny
+groups: []
+priority: 10
+readOnlyRootFilesystem: false
+requiredDropCapabilities: null
+runAsUser:
+  type: MustRunAsRange
+seLinuxContext:
+  type: MustRunAs
+seccompProfiles:
+- runtime/default
+supplementalGroups:
+  type: RunAsAny
+users: []
+volumes:
+- configMap
+- csi
+- downwardAPI
+- emptyDir
+- ephemeral
+- persistentVolumeClaim
+- projected
+- secret
+{{- end }}

horizon/templates/opennms-core.statefulset.yaml

@@ -28,17 +28,17 @@ spec:
       {{- if .Values.core.configuration.alwaysRollDeployment }}
         rollme: {{ randAlphaNum 5 | quote }}
       {{- end }}
+        openshift.io/scc: opennms-scc
         kubectl.kubernetes.io/default-container: "onms"
     spec:
       securityContext:
           runAsNonRoot: true
           seccompProfile:
             type: RuntimeDefault
-#         capabilities:
-#           add:
-#            - NET_ADMIN
-#            - NET_RAW
-      #  fsGroup: 10001
+          capabilities:
+            add:
+             - NET_ADMIN
+             - NET_RAW
       terminationGracePeriodSeconds: {{ .Values.core.terminationGracePeriodSeconds | default 120 }}
       {{- if .Values.imagePullSecrets }}
       imagePullSecrets:
@@ -52,9 +52,9 @@ spec:
         image: {{ .Values.core.configuration.alecImage.repository }}:{{ .Values.core.configuration.alecImage.tag }}
         imagePullPolicy: {{ .Values.core.configuration.alecImage.pullPolicy }}
         command: [ cp, /plugins/opennms-alec-plugin.kar, /opennms-deploy ]
-        securityContext: # To guarantee ownership of the KAR file so that OpenNMS won't complain.
-          runAsUser: 10001
-          runAsGroup: 10001
+        #securityContext: # To guarantee ownership of the KAR file so that OpenNMS won't complain.
+        #  runAsUser: 10001
+        #  runAsGroup: 10001
         volumeMounts:
         - name: deploy
           mountPath: /opennms-deploy # Required by the init script - DEPLOY_DIR
@@ -64,9 +64,9 @@ spec:
         image: {{ .Values.core.configuration.cortexTssImage.repository }}:{{ .Values.core.configuration.cortexTssImage.tag }}
         imagePullPolicy: {{ .Values.core.configuration.cortexTssImage.pullPolicy }}
         command: [ cp, /plugins/opennms-cortex-tss-plugin.kar, /opennms-deploy ]
-        securityContext: # To guarantee ownership of the KAR file so that OpenNMS won't complain.
-          runAsUser: 10001
-          runAsGroup: 10001
+        #securityContext: # To guarantee ownership of the KAR file so that OpenNMS won't complain.
+        #  runAsUser: 10001
+        #  runAsGroup: 10001
         volumeMounts:
         - name: deploy
           mountPath: /opennms-deploy # Required by the init script - DEPLOY_DIR
@@ -105,14 +105,19 @@ spec:
       containers:
       - name: onms
         image: {{ $image }}
+        # TODO:: Move this into Values file 
+        serviceAccountName: sneakyminion 
         securityContext:
           runAsNonRoot: true
           seccompProfile:
             type: RuntimeDefault
-#          capabilities:
-#            add:
-#             - NET_ADMIN
-#             - NET_RAW
+          capabilities:
+            add:
+             - NET_ADMIN
+             - NET_RAW
+        sysctls:
+          - name: net.ipv4.ping_group_range
+            value: 0 429496729
         imagePullPolicy: {{ .Values.core.image.pullPolicy }}
         args:
         - -s

horizon/values.yaml

@@ -213,3 +213,6 @@ promtail:
     limits:
       cpu: 50m
       memory: 64Mi
+
+scc: {}
+#  apiVersion: ""