Description
Your environment
Chart Version: 2.0.1
Helm Version: v3.17.2
Kubernetes Version: 1.32
OpenShift Version: 4.19.2
What happened?
Deploying the 1Password Connect Helm chart in OpenShift, via ArgoCD, as I've done with a Kubernetes cluster provisioned with KubeSpray.
Unfortunately, your Helm chart has the runAs user and group hardcoded to 999, which is an issue on OpenShift clusters: OpenShift generates a dynamic runAs UID per app / namespace.
What did you expect to happen?
The same values would result in a good installation.
Steps to reproduce
- Install your chart using helm in any OpenShift environment.
Notes & Logs
I have forked your repo and removed the hardcoded runAsUser and runAsGroup by making them "parameterized" with an empty default value, enabling OpenShift to determine these.
In connect-deployment, for both containers (connect-sync and '{{ .Values.connect.api.name }}'):

```yaml
securityContext:
  # Emit the IDs only when set in values; an empty value lets OpenShift
  # assign a UID/GID from the namespace's SCC range.
  {{- if .Values.connect.securityContext.runAsUser }}
  runAsUser: {{ .Values.connect.securityContext.runAsUser }}
  {{- end }}
  {{- if .Values.connect.securityContext.runAsGroup }}
  runAsGroup: {{ .Values.connect.securityContext.runAsGroup }}
  {{- end }}
  # Test for the key rather than its truthiness: a plain `if` on a `false`
  # value would drop the field entirely instead of rendering `false`.
  {{- if hasKey .Values.connect.securityContext "allowPrivilegeEscalation" }}
  allowPrivilegeEscalation: {{ .Values.connect.securityContext.allowPrivilegeEscalation }}
  {{- end }}
```
Once I did that, the pods deployed, and now I get the following error:

```
Error: Server: (failed to OpenDefault), Wrapped: (failed to defaultPath), failed to ConfigDir: cannot create directory "/.op" and the parent directories: mkdir /.op: permission denied
Usage:
  connect-api [flags]
Flags:
  -h, --help      help for connect-api
  -v, --version   version for connect-api
```
Better security configuration and parameterization of your chart should resolve this issue, along with a change in the container's file ownership, maybe via an init container.
I am working on getting this working this weekend; I might have something to contribute later.
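The `mkdir /.op: permission denied` error above is what you get when the process resolves its home directory to `/`: the SCC-assigned UID has no passwd entry in the image and `HOME` is unset, so `$HOME/.op` becomes `/.op`, which an unprivileged UID cannot create. The following is an added example, not the chart's own templates or values, showing one way to parameterize the IDs and give the arbitrary UID a writable home. The value names `connect.securityContext.*` and `connect.homeDir`, the `/home/connect` path, and the assumption that connect-api honours `HOME` when choosing its config directory are all illustrative assumptions.

```yaml
# --- values.yaml (OpenShift profile) ---
# Leave the IDs empty so the restricted SCC assigns a UID/GID from the
# namespace range; set them to 999 on clusters without SCC-assigned IDs.
# (Assumed value names; not the chart's real schema.)
connect:
  securityContext:
    runAsUser: ""            # empty -> field omitted -> OpenShift picks the UID
    runAsGroup: ""           # `with` also treats 0 as unset; root is not supported here
    allowPrivilegeEscalation: false
  # Writable home for whatever UID the pod ends up with; connect-api writes
  # its config under $HOME/.op, which is what failed as /.op above.
  homeDir: /home/connect

# --- templates/connect-deployment.yaml (fragment, one container shown;
#     repeat the securityContext/env/volumeMounts for connect-sync) ---
      containers:
        - name: {{ .Values.connect.api.name }}
          securityContext:
            {{- with .Values.connect.securityContext.runAsUser }}
            runAsUser: {{ . }}
            {{- end }}
            {{- with .Values.connect.securityContext.runAsGroup }}
            runAsGroup: {{ . }}
            {{- end }}
            # Render the boolean unconditionally so `false` is not dropped.
            allowPrivilegeEscalation: {{ .Values.connect.securityContext.allowPrivilegeEscalation }}
            runAsNonRoot: true     # holds for 999 and for any SCC-assigned UID
            capabilities:
              drop: ["ALL"]
          env:
            - name: HOME           # point the config dir at the writable emptyDir
              value: {{ .Values.connect.homeDir | quote }}
          volumeMounts:
            - name: home
              mountPath: {{ .Values.connect.homeDir }}
      volumes:
        - name: home
          emptyDir: {}             # scratch space; the 1Password data volume stays separate
```

After deploying, confirm the UID that landed in the pod is inside the namespace's SCC range rather than a hardcoded value: compare `oc get ns NAMESPACE -o jsonpath='{.metadata.annotations.openshift\.io/sa\.scc\.uid-range}'` with `oc get pod POD -o jsonpath='{.spec.containers[0].securityContext}'`. Because OpenShift runs the arbitrary UID with GID 0 as a supplemental group, any directory baked into the image that the process must write (beyond `$HOME`) has to be group-0 writable (`chgrp 0` / `chmod g+rwX`), which is the file-ownership change the init-container idea above would address; persistent volumes get the SCC-assigned `fsGroup` and need no such fixup.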