
Not Compatible with OpenShift (Hardcoded runAsUser 999 and runAsGroup 999) #236

@speedythesnail

Description


Your environment

Chart Version: 2.0.1

Helm Version: v3.17.2

Kubernetes Version: 1.32
OpenShift Version: 4.19.2

What happened?

Deploying 1Password Connect Helm Chart in OpenShift, via ArgoCD, as I've done with a Kubernetes cluster provisioned with KubeSpray.

Unfortunately, your helm chart has the runAs user and group hardcoded to 999, which is an issue with OpenShift clusters. OpenShift generates dynamic runAs per app / ns.

What did you expect to happen?

The same values would result in a good installation.

Steps to reproduce

  1. Install your chart using helm in any OpenShift environment.

Notes & Logs

I have forked your repo and removed the runAsUser and runAsGroup by making it "parameterized" and setting an empty value, enabling OpenShift to determine these.
connect-deployment, containers: connect-sync, '{{ .Values.connect.api.name }}'

          securityContext:
            {{- /* Leave runAsUser/runAsGroup empty in values so OpenShift's SCC can assign them */}}
            {{- if .Values.connect.securityContext.runAsUser }}
            runAsUser: {{ .Values.connect.securityContext.runAsUser }}
            {{- end }}
            {{- if .Values.connect.securityContext.runAsGroup }}
            runAsGroup: {{ .Values.connect.securityContext.runAsGroup }}
            {{- end }}
            {{- /* Render the configured value; testing its truthiness would drop an explicit false */}}
            {{- if hasKey .Values.connect.securityContext "allowPrivilegeEscalation" }}
            allowPrivilegeEscalation: {{ .Values.connect.securityContext.allowPrivilegeEscalation }}
            {{- end }}

Once I did that, the pods deployed and now I get the following error:

Error: Server: (failed to OpenDefault), Wrapped: (failed to defaultPath), failed to ConfigDir: cannot create directory "/.op" and the parent directories: mkdir /.op: permission denied
Usage:
  connect-api [flags]
Flags:
  -h, --help      help for connect-api
  -v, --version   version for connect-api

Better security configuration and parameterization of your chart should resolve this issue, as well as a change in the container's file owners, maybe via an init container.

I am working on getting this working this weekend, I might have something to contribute later.
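A fuller version of the same idea, added here as an illustration (not the chart's own template and not the reporter's code): the securityContext emits runAsUser/runAsGroup only when the values file sets them, so an OpenShift values file can leave them unset and let the restricted SCC assign the UID/GID, while the config directory that fails with "permission denied" above is redirected to a writable emptyDir. The value names `connect.securityContext` and `connect.configDir`, and the assumption that connect-api derives its config directory from HOME (the failing path "/.op" suggests HOME resolves to "/" for an arbitrary UID with no passwd entry), are mine.

```yaml
# Added example, not the chart's own template. Assumed values.yaml:
#   connect:
#     securityContext: {}            # OpenShift: let the SCC assign UID/GID
#     # securityContext: {runAsUser: 999, runAsGroup: 999}   # plain Kubernetes
#     configDir: /home/connect       # assumption: connect-api honours $HOME
      containers:
        - name: {{ .Values.connect.api.name }}
          env:
            # An SCC-assigned UID has no passwd entry, so HOME falls back to "/"
            # and the binary tries to create "/.op". Point it at a writable volume.
            - name: HOME
              value: {{ .Values.connect.configDir | quote }}
          securityContext:
            {{- with .Values.connect.securityContext }}
            {{- if hasKey . "runAsUser" }}
            runAsUser: {{ .runAsUser }}
            {{- end }}
            {{- if hasKey . "runAsGroup" }}
            runAsGroup: {{ .runAsGroup }}
            {{- end }}
            {{- end }}
            # Hardening that every SCC accepts; keep it unconditional
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - name: config-home
              mountPath: {{ .Values.connect.configDir }}
      volumes:
        - name: config-home
          emptyDir: {}
```

Render with `helm template` against each values file and confirm that the OpenShift rendering contains no runAsUser/runAsGroup keys before handing the manifest to ArgoCD.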

Labels: bug (Something isn't working)