allow defining extraRoles (#125)

Co-authored-by: Alexander Rashed <[email protected]>

README.md

@@ -82,6 +82,38 @@ Useful Helm Client Commands:
 * Install a chart: `helm install <name> localstack/<chart>`
 * Upgrade your application: `helm upgrade`
 
+### Using the chart in OpenShift
+
+Running LocalStack on OpenShift requires specific Security Context Constraints (SCC) to be applied to ensure proper deployment and operation.
+In the OpenShift Container Platform, you can use SCCs to control permissions for the pods in your cluster.
+
+Default SCCs are created during installation and when you install some Operators or other components. As a cluster administrator,
+you can also create your own SCCs.
+
+The cluster contains several default security context constraints (SCCs). The available Security Context Constraints are:
+
+* anyuid
+* hostaccess
+* hostmount-anyuid
+* hostnetwork
+* node-exporter
+* nonroot
+* privileged
+* restricted
+
+Example:
+
+```yaml
+role:
+  extraRoles:
+    - apiGroups: ["security.openshift.io"]
+      resources: ["securitycontextconstraints"]
+      resourceNames: ["anyuid"]
+      verbs: ["use"]
+```
+
+For a more comprehensive overview, see the official SCC documentation: [OpenShift SCCs](https://docs.openshift.com/container-platform/4.16/authentication/managing-security-context-constraints.html)
+
 ## Change Log
 
 Please refer to [GitHub releases](https://github.com/localstack/helm-charts/releases) to see the complete list of changes for each release.

charts/localstack/templates/NOTES.txt

@@ -17,6 +17,6 @@
 {{- else if contains "ClusterIP" .Values.service.type }}
   export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace | quote }} -l "app.kubernetes.io/name={{ include "localstack.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
   export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace | quote }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
-  echo "Visit http://127.0.0.1:8080 to use your application"
+  echo "visit http://127.0.0.1:8080 to use your application"
   kubectl --namespace {{ .Release.Namespace | quote }} port-forward $POD_NAME 8080:$CONTAINER_PORT
 {{- end }}

charts/localstack/templates/role.yaml

@@ -19,4 +19,8 @@ rules:
 - apiGroups: [""]
   resources: ["services"]
   verbs: ["get", "list"]
+{{- if .Values.role.extraRoles }}
+{{ include "common.tplvalues.render" (dict "value" .Values.role.extraRoles "context" $) }}
 {{- end }}
+{{- end }}
+

charts/localstack/test-values.yaml

@@ -57,3 +57,11 @@ ingress:
 # enable kubernetes lambda executor (only pro)
 # lambda:
 #   executor: "kubernetes"
+
+# add extra roles for OpenShift
+# role:
+#   extraRoles:
+#     - apiGroups: ["security.openshift.io"]
+#       resources: ["securitycontextconstraints"]
+#       resourceNames: ["anyuid"]
+#       verbs: ["use"]