Skip to content

Add compatibility with OKD and OpenShift #887

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
hlavki wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Add compatibility with OKD and OpenShift #887

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
d0e46f6
add support for compatibility to run this chart in openshift
hlavki Aug 20, 2024
b5f5332
Merge remote-tracking branch 'codecentric/master'
Mar 11, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
36 changes: 36 additions & 0 deletions charts/keycloakx/templates/_helpers.tpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -85,3 +85,39 @@ Renders a complete tree, even values that contains template.
{{- tpl (.value | toYaml) .context }}
{{- end }}
{{- end -}}

{{/*
Return true if the detected platform is Openshift
Usage:
{{- include "common.compatibility.isOpenshift" . -}}
*/}}
{{- define "keycloak.isOpenshift" -}}
{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}}
{{- true -}}
{{- end -}}
{{- end -}}

{{/*
Render a compatible securityContext depending on the platform. By default it is maintained as it is. In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC
Usage:
{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) -}}
*/}}
{{- define "keycloak.renderSecurityContext" -}}
{{- $adaptedContext := .secContext -}}

{{- if (((.context.Values).compatibility).openshift) -}}
{{- if or (eq .context.Values.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.compatibility.openshift.adaptSecurityContext "auto") (include "keycloak.isOpenshift" .context)) -}}
{{/* Remove incompatible user/group values that do not work in Openshift out of the box */}}
{{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}}
{{- if not .secContext.seLinuxOptions -}}
{{/* If it is an empty object, we remove it from the resulting context because it causes validation issues */}}
{{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/* Remove fields that are disregarded when running the container in privileged mode */}}
{{- if $adaptedContext.privileged -}}
{{- $adaptedContext = omit $adaptedContext "capabilities" "seLinuxOptions" -}}
{{- end -}}
{{- omit $adaptedContext "enabled" | toYaml -}}
{{- end -}}
15 changes: 9 additions & 6 deletions charts/keycloakx/templates/statefulset.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,8 +46,9 @@ spec:
- name: dbchecker
image: "{{ .Values.dbchecker.image.repository }}{{- if (.Values.dbchecker.image.digest) -}}@{{ .Values.dbchecker.image.digest }}{{- else -}}:{{ .Values.dbchecker.image.tag }} {{- end }}"
imagePullPolicy: {{ .Values.dbchecker.image.pullPolicy }}
securityContext:
{{- toYaml .Values.dbchecker.securityContext | nindent 12 }}
{{- if .Values.podSecurityContext.enabled }}
securityContext: {{- include "keycloak.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 12 }}
Copy link
Copy Markdown
Contributor

@dominiquemetz dominiquemetz Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This security context belongs to the dbchecker, which should be set via .Values.dbchecker.securityContext. Please adapt your solution to use this securityContext

{{- end }}
command:
- sh
- -c
Expand All @@ -69,8 +70,9 @@ spec:
{{- end }}
containers:
- name: keycloak
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
{{- if .Values.securityContext.enabled }}
securityContext: {{- include "keycloak.renderSecurityContext" (dict "secContext" .Values.securityContext "context" $) | nindent 12 }}
{{- end }}
image: "{{ .Values.image.repository }}{{- if (.Values.image.digest) -}}@{{ .Values.image.digest }}{{- else -}}:{{ .Values.image.tag | default .Chart.AppVersion }} {{- end }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.command }}
Expand Down Expand Up @@ -190,8 +192,9 @@ spec:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "keycloak.serviceAccountName" . }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
{{- if .Values.podSecurityContext.enabled }}
securityContext: {{- include "keycloak.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 8 }}
{{- end }}
{{- with .Values.hostAliases }}
hostAliases:
{{- toYaml . | nindent 8 }}
Expand Down
10 changes: 10 additions & 0 deletions charts/keycloakx/values.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -68,12 +68,22 @@ rbac:
# - get
# - list

compatibility:
## Compatibility adaptations for Openshift
##
openshift:
## @param compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
##
adaptSecurityContext: auto

# SecurityContext for the entire Pod. Every container running in the Pod will inherit this SecurityContext. This might be relevant when other components of the environment inject additional containers into running Pods (service meshes are the most prominent example for this)
podSecurityContext:
enabled: true
Copy link
Copy Markdown
Contributor

@dominiquemetz dominiquemetz Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are the "enabled" flags necessary for this feature? Why would I need to disable the rendering of the security contexts in the context of OKD and OpenShift support? If not strictly necessary, I would ask you to remove the enabled flag and have no conditional rendering of the securityContexts

fsGroup: 1000

# SecurityContext for the Keycloak container
securityContext:
enabled: true
runAsUser: 1000
runAsNonRoot: true

Expand Down
Loading