Merge pull request #159 from ThatsMrTalbot/feat/openshift-security-context-contstraints

cert-manager-prow[bot] · web-flow · commit e9791e8eb9b5 · 2024-07-02T09:52:32.000Z
feat: add RBAC for OpenShift SecurityContextConstraints
diff --git a/deploy/charts/csi-driver-spiffe/README.md b/deploy/charts/csi-driver-spiffe/README.md
@@ -501,5 +501,23 @@ topologySpreadConstraints:
       app.kubernetes.io/instance: cert-manager
       app.kubernetes.io/component: controller
 ```
+#### **openshift.securityContextConstraint.enabled** ~ `boolean,string,null`
+> Default value:
+> ```yaml
+> detect
+> ```
+
+Include RBAC to allow the DaemonSet to "use" the specified  
+SecurityContextConstraints.  
+  
+This value can either be a boolean true or false, or the string "detect". If set to "detect" then the securityContextConstraint is automatically enabled for openshift installs.
+
+#### **openshift.securityContextConstraint.name** ~ `string`
+> Default value:
+> ```yaml
+> privileged
+> ```
+
+Name of the SecurityContextConstraints to create RBAC for.
 
 <!-- /AUTO-GENERATED -->
diff --git a/deploy/charts/csi-driver-spiffe/templates/clusterrole.yaml b/deploy/charts/csi-driver-spiffe/templates/clusterrole.yaml
@@ -8,6 +8,25 @@ rules:
 - apiGroups: ["cert-manager.io"]
   resources: ["certificaterequests"]
   verbs: ["watch", "create", "delete", "list"]
+{{- /* If openshift.securityContextConstraint.enabled is set to "detect" then we 
+       need to check if its an OpenShift cluster. If it is an OpenShift cluster
+       then it is "implicitly" enabled */}}
+{{- $securityContextConstraintImplicitlyEnabled := and (kindIs "string" .Values.openshift.securityContextConstraint.enabled) (eq .Values.openshift.securityContextConstraint.enabled "detect") (.Capabilities.APIVersions.Has "security.openshift.io/v1") }}
+
+{{- /* If openshift.securityContextConstraint.enabled is a bool then we just use 
+       the user provided value. This is referred to here as being "explicitly"
+       enabled */}}
+{{- $securityContextConstraintExplicitlyEnabled := and (kindIs "bool" .Values.openshift.securityContextConstraint.enabled) (.Values.openshift.securityContextConstraint.enabled) }}
+
+{{- /* If the SecurityContextConstraint is either "implicitly" or "explicitly"
+       enabled, we add the extra RBAC. */}}
+{{- $securityContextConstraintEnabled := or $securityContextConstraintImplicitlyEnabled $securityContextConstraintExplicitlyEnabled }}
+{{- if $securityContextConstraintEnabled }}
+- apiGroups: ["security.openshift.io"]
+  resources: ["securitycontextconstraints"]
+  resourceNames: [{{ .Values.openshift.securityContextConstraint.name | quote }}]
+  verbs: ["use"]
+{{- end }}
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
diff --git a/deploy/charts/csi-driver-spiffe/values.schema.json b/deploy/charts/csi-driver-spiffe/values.schema.json
@@ -24,6 +24,9 @@
         "nodeSelector": {
           "$ref": "#/$defs/helm-values.nodeSelector"
         },
+        "openshift": {
+          "$ref": "#/$defs/helm-values.openshift"
+        },
         "priorityClassName": {
           "$ref": "#/$defs/helm-values.priorityClassName"
         },
@@ -558,6 +561,36 @@
       "description": "Kubernetes node selector: node labels for pod assignment.",
       "type": "object"
     },
+    "helm-values.openshift": {
+      "additionalProperties": false,
+      "properties": {
+        "securityContextConstraint": {
+          "$ref": "#/$defs/helm-values.openshift.securityContextConstraint"
+        }
+      },
+      "type": "object"
+    },
+    "helm-values.openshift.securityContextConstraint": {
+      "additionalProperties": false,
+      "properties": {
+        "enabled": {
+          "$ref": "#/$defs/helm-values.openshift.securityContextConstraint.enabled"
+        },
+        "name": {
+          "$ref": "#/$defs/helm-values.openshift.securityContextConstraint.name"
+        }
+      },
+      "type": "object"
+    },
+    "helm-values.openshift.securityContextConstraint.enabled": {
+      "default": "detect",
+      "description": "Include RBAC to allow the DaemonSet to \"use\" the specified\nSecurityContextConstraints.\n\nThis value can either be a boolean true or false, or the string \"detect\". If set to \"detect\" then the securityContextConstraint is automatically enabled for openshift installs."
+    },
+    "helm-values.openshift.securityContextConstraint.name": {
+      "default": "privileged",
+      "description": "Name of the SecurityContextConstraints to create RBAC for.",
+      "type": "string"
+    },
     "helm-values.priorityClassName": {
       "default": "",
       "description": "Optional priority class to be used for the csi-driver pods.",
diff --git a/deploy/charts/csi-driver-spiffe/values.yaml b/deploy/charts/csi-driver-spiffe/values.yaml
@@ -269,3 +269,17 @@ tolerations: []
 #         app.kubernetes.io/instance: cert-manager
 #         app.kubernetes.io/component: controller
 topologySpreadConstraints: []
+
+openshift:
+  securityContextConstraint: 
+    # Include RBAC to allow the DaemonSet to "use" the specified
+    # SecurityContextConstraints.
+    #
+    # This value can either be a boolean true or false, or the string "detect".
+    # If set to "detect" then the securityContextConstraint is automatically 
+    # enabled for openshift installs.
+    #
+    # +docs:type=boolean,string,null
+    enabled: detect
+    # Name of the SecurityContextConstraints to create RBAC for.
+    name: privileged
