From 170f3a9f42a925d1d721ee19b42eaddbf07f1cff Mon Sep 17 00:00:00 2001
From: Morteza E <105240903+mershad-manesh@users.noreply.github.com>
Date: Wed, 16 Aug 2023 15:51:22 -0400
Subject: [PATCH] Add SA,SCC and OpenShift changes
---
 horizon/templates/NOTES.txt | 10 ++++
 horizon/templates/_helpers.tpl | 21 +++++++++
 horizon/templates/opennms-core.sa.yaml | 7 +++
 horizon/templates/opennms-core.scc.yaml | 46 +++++++++++++++++++
 .../templates/opennms-core.statefulset.yaml | 35 ++++++++------
 horizon/values.yaml | 3 ++
 6 files changed, 107 insertions(+), 15 deletions(-)
 create mode 100644 horizon/templates/opennms-core.sa.yaml
 create mode 100644 horizon/templates/opennms-core.scc.yaml
diff --git a/horizon/templates/NOTES.txt b/horizon/templates/NOTES.txt
index 2d6ff58..9579311 100644
--- a/horizon/templates/NOTES.txt
+++ b/horizon/templates/NOTES.txt
@@ -1,4 +1,9 @@
+{{- if include "onOpenShift" . }}
+Thank you for installing OpenNMS {{ .Values.core.image.tag | default .Chart.AppVersion }} on RedHat OpenShift.
+{{- else}}
 Thank you for installing OpenNMS {{ .Values.core.image.tag | default .Chart.AppVersion }}.
+{{- end }}
+
 Your release is named "{{ .Release.Name }}", used for:
 - Customer/Deployment identifier.
@@ -17,11 +22,16 @@ OpenNMS Core: https://onms-core.{{ include "core.domain" . }}/opennms/index.jsp
 Grafana: https://grafana.{{ include "core.domain" . }}/
 {{- end }}
+{{- if include "onOpenShift" . }}
+
+Enjoy! (Replace me with a statement about OpenShift)
+{{- else }}
 To learn more about the release, try:
 $ helm status {{ .Release.Name }}
 $ helm get all {{ .Release.Name }}
 $ kubectl get all -n {{ .Release.Name }}
+{{- end }}
 {{- if not .Values.core.configuration.alwaysRollDeployment }}
diff --git a/horizon/templates/_helpers.tpl b/horizon/templates/_helpers.tpl
index 3a2f40b..98ca5f0 100644
--- a/horizon/templates/_helpers.tpl
+++ b/horizon/templates/_helpers.tpl
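Review bot: `{{- if include "onOpenShift" . }}` is always true: `include` returns a string, the new helper prints the literal "false" when not on OpenShift, and any non-empty string is truthy to Go templates. The OpenShift branch of NOTES.txt therefore renders on every cluster, and the same guard in the second NOTES.txt hunk, in opennms-core.sa.yaml and in opennms-core.scc.yaml makes the ServiceAccount and the SecurityContextConstraints render on plain Kubernetes, where the SCC kind is unknown and the install fails. Compare the string instead, `{{- if eq (include "onOpenShift" .) "true" }}`, or have the helper print nothing in its else branch so a bare `if` works. The second NOTES.txt hunk also ships the placeholder `Enjoy! (Replace me with a statement about OpenShift)`, which should be replaced before merge.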
@@ -127,3 +127,24 @@ Define Customer/Environment Domain
 {{- define "core.domain" -}}
 {{- printf "%s.%s" .Release.Name .Values.domain -}}
 {{- end }}
+
+{{/*
+SecurityContextConstraints apiVersion
+*/}}
+{{- define "scc.apiVersion" -}}
+{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}}
+security.openshift.io/v1
+{{- end }}
+{{- end }}
+
+{{/*
+Are we running in an OpenShift cluster.
+*/}}
+{{- define "onOpenShift" -}}
+{{- $sccApiVersion := include "scc.apiVersion" . -}}
+{{- if not (empty $sccApiVersion) }}
+{{- printf "true" -}}
+{{- else }}
+{{- printf "false" -}}
+{{- end }}
+{{- end }}
diff --git a/horizon/templates/opennms-core.sa.yaml b/horizon/templates/opennms-core.sa.yaml
new file mode 100644
index 0000000..ae140d4
--- /dev/null
+++ b/horizon/templates/opennms-core.sa.yaml
@@ -0,0 +1,7 @@
+{{- if include "onOpenShift" . }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: sneakyminion
+ namespace: {{ .Release.Name }}
+{{- end }}
\ No newline at end of file
diff --git a/horizon/templates/opennms-core.scc.yaml b/horizon/templates/opennms-core.scc.yaml
new file mode 100644
index 0000000..66c3c56
--- /dev/null
+++ b/horizon/templates/opennms-core.scc.yaml
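Review bot: `.Capabilities.APIVersions.Has` in the new `scc.apiVersion` helper is only populated from a live cluster, so `helm template` and `helm lint` (and a client-side dry run) report "not OpenShift" unless they are run with `--api-versions security.openshift.io/v1`, which means the SA and SCC templates are never rendered by CI that does not talk to an OpenShift cluster. The `scc.apiVersion` value this patch adds to values.yaml is read by nothing, and opennms-core.scc.yaml hardcodes its `apiVersion` instead of calling the helper. Letting the value override detection, e.g. `{{- .Values.scc.apiVersion | default (ternary "security.openshift.io/v1" "" (.Capabilities.APIVersions.Has "security.openshift.io/v1")) -}}` as the helper body, gives operators and CI a way to force the OpenShift path, and the SCC should then use `apiVersion: {{ include "scc.apiVersion" . }}`. The comment above `onOpenShift` should also say that the result is the string "true" or "false" and is meant to be compared, not tested for emptiness.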
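Review bot: The ServiceAccount name `sneakyminion` is hardcoded both here and in the StatefulSet's `serviceAccountName`, and the StatefulSet hunk already carries a `TODO:: Move this into Values file`; a single chart helper or values key (constructed name: `{{ .Values.core.serviceAccountName }}`) keeps the two from drifting. Because this file is rendered only under the OpenShift guard while the StatefulSet references the account unconditionally, a non-OpenShift install points the pod at an account that does not exist. Nothing in this patch shows the onms container calling the Kubernetes API, so consider `automountServiceAccountToken: false` on the account, which keeps an API token out of a pod that is being granted NET_ADMIN and NET_RAW. The file also lacks a trailing newline (`\ No newline at end of file`), as does opennms-core.scc.yaml.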
@@ -0,0 +1,46 @@
+{{- if include "onOpenShift" . }}
+---
+kind: SecurityContextConstraints
+metadata:
+ name: opennms-scc
+ namespace: {{ .Release.Name }}
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: false
+allowedCapabilities:
+ - NET_BIND_SERVICE
+ - NET_RAW
+ - NET_ADMIN
+apiVersion: security.openshift.io/v1
+defaultAddCapabilities:
+ - NET_RAW
+ - NET_ADMIN
+fsGroup:
+ type: RunAsAny
+groups: []
+priority: 10
+readOnlyRootFilesystem: false
+requiredDropCapabilities: null
+runAsUser:
+ type: MustRunAsRange
+seLinuxContext:
+ type: MustRunAs
+seccompProfiles:
+- runtime/default
+supplementalGroups:
+ type: RunAsAny
+users: []
+volumes:
+- configMap
+- csi
+- downwardAPI
+- emptyDir
+- ephemeral
+- persistentVolumeClaim
+- projected
+- secret
+{{- end }}
\ No newline at end of file
diff --git a/horizon/templates/opennms-core.statefulset.yaml b/horizon/templates/opennms-core.statefulset.yaml
index 8303245..e67c0b1 100644
--- a/horizon/templates/opennms-core.statefulset.yaml
+++ b/horizon/templates/opennms-core.statefulset.yaml
@@ -28,17 +28,17 @@ spec:
 {{- if .Values.core.configuration.alwaysRollDeployment }}
 rollme: {{ randAlphaNum 5 | quote }}
 {{- end }}
+ openshift.io/scc: opennms-scc
 kubectl.kubernetes.io/default-container: "onms"
 spec:
 securityContext:
 runAsNonRoot: true
 seccompProfile:
 type: RuntimeDefault
-# capabilities:
-# add:
-# - NET_ADMIN
-# - NET_RAW
- # fsGroup: 10001
+ capabilities:
+ add:
+ - NET_ADMIN
+ - NET_RAW
 terminationGracePeriodSeconds: {{ .Values.core.terminationGracePeriodSeconds | default 120 }}
 {{- if .Values.imagePullSecrets }}
 imagePullSecrets:
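Review bot: `users: []` and `groups: []` grant this SCC to nobody, so the `sneakyminion` account from opennms-core.sa.yaml is still admitted under whatever SCC it already has (restricted-v2 by default on current OpenShift) and its NET_ADMIN/NET_RAW request is rejected; list `system:serviceaccount:{{ .Release.Name }}:sneakyminion` under `users`, or bind it with a Role that grants `use` on this SCC. The policy is also looser than the capability request needs: `allowPrivilegeEscalation: true` and `requiredDropCapabilities: null` re-enable setuid binaries and every default capability, and `defaultAddCapabilities` injects NET_RAW/NET_ADMIN into every container admitted under the SCC, init containers included, even though the StatefulSet already adds them explicitly on the `onms` container. `metadata.namespace` has no meaning on a cluster-scoped kind, and `priority: 10` makes this SCC win over restricted-v2 for any subject that can use it, so the `users` list should stay limited to the one account. The rewrite below tightens those fields and leaves the remaining keys as they are.
```yaml
kind: SecurityContextConstraints
metadata:
  name: opennms-scc
# … unchanged: allowHost* fields …
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities:
  - NET_BIND_SERVICE
  - NET_RAW
  - NET_ADMIN
apiVersion: security.openshift.io/v1
defaultAddCapabilities: []
# … unchanged: fsGroup, groups, priority, readOnlyRootFilesystem …
requiredDropCapabilities:
  - ALL
# … unchanged: runAsUser, seLinuxContext, seccompProfiles, supplementalGroups …
users:
  - system:serviceaccount:{{ .Release.Name }}:sneakyminion
# … unchanged: volumes …
```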
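Review bot: `capabilities:` is added under the pod-level `securityContext`, which has no such field (capabilities belong to a container's `securityContext`), so the four new lines are either rejected by schema validation or silently dropped; and `openshift.io/scc: opennms-scc` in the annotations does not select an SCC — that annotation is written by the SCC admission plugin to record which SCC admitted the pod, so a hand-written value is not how the pod gets `opennms-scc`. Neither addition is guarded by the OpenShift check, so they also land on plain Kubernetes installs. Drop the annotation and the pod-level `capabilities`/`add` lines, keep the container-level `add` that the `@@ -105` hunk introduces, and grant the SCC through its `users` list; this pod-level block is also where the `sysctls` entry from that later hunk belongs. The hunk's counts (`+28,17`) do not match the sixteen new-side lines visible here, so one added line may have been lost in this rendering. The removed `# fsGroup: 10001` hint disappears without replacement; if any volume relied on it, confirm that `fsGroup: RunAsAny` still gives the pod a usable group.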
@@ -52,9 +52,9 @@ spec:
 image: {{ .Values.core.configuration.alecImage.repository }}:{{ .Values.core.configuration.alecImage.tag }}
 imagePullPolicy: {{ .Values.core.configuration.alecImage.pullPolicy }}
 command: [ cp, /plugins/opennms-alec-plugin.kar, /opennms-deploy ]
- securityContext: # To guarantee ownership of the KAR file so that OpenNMS won't complain.
- runAsUser: 10001
- runAsGroup: 10001
+ #securityContext: # To guarantee ownership of the KAR file so that OpenNMS won't complain.
+ # runAsUser: 10001
+ # runAsGroup: 10001
 volumeMounts:
 - name: deploy
 mountPath: /opennms-deploy # Required by the init script - DEPLOY_DIR
@@ -64,9 +64,9 @@ spec:
 image: {{ .Values.core.configuration.cortexTssImage.repository }}:{{ .Values.core.configuration.cortexTssImage.tag }}
 imagePullPolicy: {{ .Values.core.configuration.cortexTssImage.pullPolicy }}
 command: [ cp, /plugins/opennms-cortex-tss-plugin.kar, /opennms-deploy ]
- securityContext: # To guarantee ownership of the KAR file so that OpenNMS won't complain.
- runAsUser: 10001
- runAsGroup: 10001
+ #securityContext: # To guarantee ownership of the KAR file so that OpenNMS won't complain.
+ # runAsUser: 10001
+ # runAsGroup: 10001
 volumeMounts:
 - name: deploy
 mountPath: /opennms-deploy # Required by the init script - DEPLOY_DIR
@@ -105,14 +105,19 @@ spec:
 containers:
 - name: onms
 image: {{ $image }}
+ # TODO:: Move this into Values file
+ serviceAccountName: sneakyminion
 securityContext:
 runAsNonRoot: true
 seccompProfile:
 type: RuntimeDefault
-# capabilities:
-# add:
-# - NET_ADMIN
-# - NET_RAW
+ capabilities:
+ add:
+ - NET_ADMIN
+ - NET_RAW
+ sysctls:
+ - name: net.ipv4.ping_group_range
+ value: 0 429496729
 imagePullPolicy: {{ .Values.core.image.pullPolicy }}
 args:
 - -s
diff --git a/horizon/values.yaml b/horizon/values.yaml
index ecab247..6fbb0c4 100644
--- a/horizon/values.yaml
+++ b/horizon/values.yaml
@@ -213,3 +213,6 @@ promtail:
 limits:
 cpu: 50m
 memory: 64Mi
+
+scc: {}
+# apiVersion: ""
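Review bot: Commenting out `runAsUser`/`runAsGroup: 10001` on the alec init container (and the identical lines on the cortex-tss init container in the `@@ -64` hunk) is unconditional, so non-OpenShift installs lose the ownership guarantee that the surviving comment still promises (`# To guarantee ownership of the KAR file so that OpenNMS won't complain.`). Wrap the three lines in the platform check instead of deleting them, `{{- if ne (include "onOpenShift" .) "true" }}` … `{{- end }}`, so that only the `MustRunAsRange` platform drops the fixed UID, and either remove the dead commented block or extend the comment to say why the fixed IDs are unusable under an SCC-assigned UID range.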
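Review bot: `serviceAccountName` and `sysctls` are placed inside the `onms` container, but both are pod-level fields (`spec.serviceAccountName` and `spec.securityContext.sysctls`), so they will be rejected by schema validation or silently dropped, leaving the pod on the namespace's default account and without the sysctl; move them up to the pod spec, whose `securityContext` is in the `@@ -28` hunk. Only `capabilities.add` is correctly placed at the container level as written. The `net.ipv4.ping_group_range` upper bound `0 429496729` looks truncated; the conventional full range is `0 2147483647`. With the group range in place, unprivileged ICMP echo works without NET_RAW, and capabilities added to a container that runs as non-root are generally not effective unless the binary carries file capabilities, so confirm that NET_ADMIN and NET_RAW are actually required before granting them.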