From 4c241e12e447960f48477c4b41c861d454b3dc59 Mon Sep 17 00:00:00 2001 From: sergbvso Date: Mon, 21 Jul 2025 12:15:16 +0300 Subject: [PATCH] feat: add OpenShift support Signed-off-by: sergbvso --- charts/pyrra/Chart.yaml | 2 +- charts/pyrra/README.md | 7 ++- charts/pyrra/templates/clusterrole.yaml | 26 +++++++++ charts/pyrra/templates/configmap.yaml | 10 ++++ charts/pyrra/templates/deployment.yaml | 65 +++++++++++++++++++++- charts/pyrra/templates/route.yaml | 30 ++++++++++ charts/pyrra/templates/secrets.yaml | 22 ++++++++ charts/pyrra/templates/service.yaml | 12 +++- charts/pyrra/templates/serviceaccount.yaml | 8 ++- charts/pyrra/values.yaml | 14 +++++ 10 files changed, 191 insertions(+), 5 deletions(-) create mode 100644 charts/pyrra/templates/configmap.yaml create mode 100644 charts/pyrra/templates/route.yaml create mode 100644 charts/pyrra/templates/secrets.yaml diff --git a/charts/pyrra/Chart.yaml b/charts/pyrra/Chart.yaml index f69def1..1577354 100644 --- a/charts/pyrra/Chart.yaml +++ b/charts/pyrra/Chart.yaml @@ -16,7 +16,7 @@ type: application # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.15.0 +version: 0.16.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/charts/pyrra/README.md b/charts/pyrra/README.md index 3d07bb5..9cac487 100644 --- a/charts/pyrra/README.md +++ b/charts/pyrra/README.md 
@@ -1,6 +1,6 @@ # pyrra -![Version: 0.15.0](https://img.shields.io/badge/Version-0.15.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.8.1](https://img.shields.io/badge/AppVersion-v0.8.1-informational?style=flat-square) +![Version: 0.16.0](https://img.shields.io/badge/Version-0.16.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.8.1](https://img.shields.io/badge/AppVersion-v0.8.1-informational?style=flat-square) SLO manager and alert generator @@ -44,6 +44,11 @@ The dashboards can be deployed using a ConfigMap and get's automatically [reload | ingress.tls | list | `[]` | | | nameOverride | string | `""` | overrides chart name | | nodeSelector | object | `{}` | node selector for scheduling server pod | +| openshift.isOpenshift | bool | `false` | enables common OpenShift support | +| openshift.openshiftOauth.enabled | bool | `false` | enables OpenShift OAuth-proxy | +| openshift.openshiftOauth.openshiftOauthProxyImage | string | `"openshift/oauth-proxy:latest"` | OpenShift OAuth-proxy image | +| openshift.openshiftOauth.sessionSecret | string | `""` | SessionSecret for OpenShift OAuth-proxy, string | +| openshift.openshiftRoute.enabled | bool | `false` | enables creation of OpenShift route | | operatorMetricsAddress | string | `":8080"` | Address to expose operator metrics | | podAnnotations | object | `{}` | additional annotations for server pod | | podSecurityContext | object | `{}` | additional security context for server pod | diff --git a/charts/pyrra/templates/clusterrole.yaml b/charts/pyrra/templates/clusterrole.yaml index bd2740c..f3f3c8a 100644 --- a/charts/pyrra/templates/clusterrole.yaml +++ b/charts/pyrra/templates/clusterrole.yaml 
@@ -44,3 +44,29 @@ rules: - get - patch - update +{{- if .Values.openshift.isOpenshift }} +- apiGroups: + - monitoring.coreos.com + resources: + - prometheuses/api + resourceNames: + - k8s + verbs: + - get + - create + - update +{{- if .Values.openshift.openshiftOauth.enabled }} +- verbs: + - create + apiGroups: + - authentication.k8s.io + resources: + - tokenreviews +- verbs: + - create + apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews +{{- end }} +{{- end }} diff --git a/charts/pyrra/templates/configmap.yaml b/charts/pyrra/templates/configmap.yaml new file mode 100644 index 0000000..5308593 --- /dev/null +++ b/charts/pyrra/templates/configmap.yaml @@ -0,0 +1,10 @@ +{{- if .Values.openshift.isOpenshift }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "pyrra.fullname" . }}-injected-certs + labels: + config.openshift.io/inject-trusted-cabundle: "true" + {{- include "pyrra.labels" . | nindent 4 }} +{{- end }} diff --git a/charts/pyrra/templates/deployment.yaml b/charts/pyrra/templates/deployment.yaml index 85d3c4f..a2f4a0a 100644 --- a/charts/pyrra/templates/deployment.yaml +++ b/charts/pyrra/templates/deployment.yaml 
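Review bot: The new rule grants cluster-wide `create` and `update` on `prometheuses/api` (resourceName `k8s`) next to `get`; if pyrra only issues read queries to the OpenShift Prometheus, `get` alone may be enough — verify which HTTP methods the api container uses against that endpoint and drop the verbs that are not needed. The `tokenreviews` / `subjectaccessreviews` rules are what the oauth-proxy sidecar needs for delegated authentication, and since they land on the same ServiceAccount the proxy presents as its client secret, that is worth stating inline: `# oauth-proxy: TokenReview/SubjectAccessReview for delegated auth`. The enclosing `rules:` list opens outside the hunk.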
@@ -73,9 +73,54 @@ spec: {{- with .Values.extraApiArgs }} {{- toYaml . | nindent 12 }} {{- end }} + {{- if .Values.openshift.isOpenshift }} + - --tls-client-ca-file=/etc/tls/openshift-service-ca.crt/service-ca.crt + - --prometheus-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + {{- end }} ports: - name: http containerPort: 9099 + {{- if .Values.openshift.isOpenshift }} + volumeMounts: + - name: openshift-service-ca-crt + mountPath: /etc/tls/openshift-service-ca.crt + {{- end }} + {{- if and .Values.openshift.isOpenshift .Values.openshift.openshiftOauth.enabled }} + - name: oauth-proxy + resources: {} + securityContext: {} + image: {{ .Values.openshift.openshiftOauth.openshiftOauthProxyImage }} + ports: + - name: https + containerPort: 9091 + protocol: TCP + imagePullPolicy: IfNotPresent + volumeMounts: + - name: {{ include "pyrra.fullname" . }} + mountPath: /etc/proxy/secrets/session_secret + subPath: session_secret + - name: {{ include "pyrra.fullname" . }}-injected-certs + mountPath: /etc/proxy/certs + - name: {{ include "pyrra.fullname" . }}-tls + mountPath: /etc/tls/private + args: + - "-provider=openshift" + - "-pass-basic-auth=false" + - "-https-address=:9091" + - "-http-address=" + - "-email-domain=*" + - "-upstream=http://localhost:9099" + - '-openshift-sar={"resource": "clusterrolebinding", "verb": "create"}' + - '-openshift-delegate-urls={"/": {"resource": "clusterrolebinding", "verb": "create"}}' + - "-client-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token" + - "-cookie-secret-file=/etc/proxy/secrets/session_secret" + - "-openshift-service-account={{ include "pyrra.fullname" . }}" + - "-openshift-ca=/etc/pki/tls/cert.pem" + - "-openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" + - "-openshift-ca=/etc/proxy/certs/ca-bundle.crt" + - "-tls-cert=/etc/tls/private/tls.crt" + - "-tls-key=/etc/tls/private/tls.key" + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} 
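Review bot: The oauth-proxy sidecar hard-codes `securityContext: {}` and `resources: {}` and runs whatever `openshift/oauth-proxy:latest` resolves to under `imagePullPolicy: IfNotPresent`, so the container that terminates TLS for the pod has no resource limits, no capability dropping, and an unpinned image that each node keeps cached; the same `latest` default is introduced in values.yaml. Pin the image to a versioned tag or digest in values.yaml and drive the two empty stanzas from values (for example new `openshift.openshiftOauth.resources` / `openshift.openshiftOauth.securityContext` keys, defaulting to `{}`), as sketched below. The `image:` value should also be quoted so a templated value starting with a YAML indicator still renders. The containers list and the enclosing pod `spec` begin outside the hunk.
```yaml
      - name: oauth-proxy
        resources:
          {{- toYaml .Values.openshift.openshiftOauth.resources | nindent 10 }}
        securityContext:
          {{- toYaml .Values.openshift.openshiftOauth.securityContext | nindent 10 }}
        image: "{{ .Values.openshift.openshiftOauth.openshiftOauthProxyImage }}"
        # … unchanged: ports, imagePullPolicy, volumeMounts, args …
```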
@@ -88,9 +133,27 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} - {{- if and .Values.validatingWebhookConfiguration.enabled ($.Capabilities.APIVersions.Has "cert-manager.io/v1") }} + {{- if or (and .Values.validatingWebhookConfiguration.enabled ($.Capabilities.APIVersions.Has "cert-manager.io/v1")) .Values.openshift.isOpenshift }} volumes: + {{- if and .Values.validatingWebhookConfiguration.enabled ($.Capabilities.APIVersions.Has "cert-manager.io/v1") }} - name: certs secret: secretName: {{ include "pyrra.fullname" . }}-webhook-validation {{- end }} + {{- if .Values.openshift.isOpenshift }} + - name: openshift-service-ca-crt + configMap: + name: openshift-service-ca.crt + {{- if and .Values.openshift.isOpenshift .Values.openshift.openshiftOauth.enabled }} + - name: {{ include "pyrra.fullname" . }} + secret: + secretName: {{ include "pyrra.fullname" . }} + - name: {{ include "pyrra.fullname" . }}-injected-certs + configMap: + name: {{ include "pyrra.fullname" . }}-injected-certs + - name: {{ include "pyrra.fullname" . }}-tls + secret: + secretName: {{ include "pyrra.fullname" . }}-tls + {{- end }} + {{- end }} + {{- end }} diff --git a/charts/pyrra/templates/route.yaml b/charts/pyrra/templates/route.yaml new file mode 100644 index 0000000..8b4cef2 --- /dev/null +++ b/charts/pyrra/templates/route.yaml 
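Review bot: The inner `{{- if and .Values.openshift.isOpenshift .Values.openshift.openshiftOauth.enabled }}` re-tests `isOpenshift` although it already sits inside `{{- if .Values.openshift.isOpenshift }}`, and the cert-manager condition is now spelled out twice (in the outer `or` and again before `- name: certs`); binding it once, `{{- $webhookCerts := and .Values.validatingWebhookConfiguration.enabled ($.Capabilities.APIVersions.Has "cert-manager.io/v1") }}`, and using `{{- if .Values.openshift.openshiftOauth.enabled }}` for the inner block would keep the three conditions readable. A comment that neither `openshift-service-ca.crt` nor the `-tls` Secret is created by this chart (the first is provided by OpenShift, the second is filled from the serving-cert annotation on the Service) would save the next reader a search for their templates. The pod `spec` this `volumes:` block belongs to begins outside the hunk.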
@@ -0,0 +1,30 @@ +{{- if and .Values.openshift.isOpenshift .Values.openshift.openshiftRoute.enabled }} +--- +kind: Route +apiVersion: route.openshift.io/v1 +metadata: + name: {{ include "pyrra.fullname" . }} + annotations: + openshift.io/host.generated: 'true' + {{- with .Values.service.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + {{- include "pyrra.labels" . | nindent 4 }} +spec: + to: + kind: Service + name: {{ include "pyrra.fullname" . }} + port: + {{- if .Values.openshift.openshiftOauth.enabled }} + targetPort: https + {{- else }} + targetPort: http + {{- end }} + tls: + {{- if .Values.openshift.openshiftOauth.enabled }} + termination: Reencrypt + {{- else }} + termination: Edge + {{- end }} +{{- end }} diff --git a/charts/pyrra/templates/secrets.yaml b/charts/pyrra/templates/secrets.yaml new file mode 100644 index 0000000..45151c4 --- /dev/null +++ b/charts/pyrra/templates/secrets.yaml @@ -0,0 +1,22 @@ +{{- if and .Values.openshift.isOpenshift .Values.openshift.openshiftOauth.enabled }} +--- +apiVersion: v1 +kind: Secret +type: kubernetes.io/service-account-token +metadata: + name: {{ include "pyrra.fullname" . }}-sa-token + labels: + {{- include "pyrra.labels" . | nindent 4 }} + annotations: + kubernetes.io/service-account.name: {{ include "pyrra.fullname" . }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "pyrra.fullname" . }} + labels: + {{- include "pyrra.labels" . | nindent 4 }} +data: + session_secret: |- + {{ .Values.openshift.openshiftOauth.sessionSecret | b64enc }} +{{- end }} diff --git a/charts/pyrra/templates/service.yaml b/charts/pyrra/templates/service.yaml index faaaabb..3f305cd 100644 --- a/charts/pyrra/templates/service.yaml +++ b/charts/pyrra/templates/service.yaml 
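Review bot: With `openshiftOauth.enabled` false the Route publishes the plain `http` target behind `termination: Edge`, so the pyrra UI and API are reachable at the cluster ingress with no authentication in front of them; that is a legitimate option but should be said next to `openshiftRoute.enabled` in values.yaml, e.g. `# -- NOTE: without openshiftOauth.enabled the route exposes pyrra unauthenticated`. Consider adding `insecureEdgeTerminationPolicy: Redirect` under `tls:` so plain-HTTP requests to the route host are redirected instead of left to the router default. The Route API documents the termination values in lowercase (`edge`, `reencrypt`); confirm the capitalised `Edge` / `Reencrypt` are accepted by the router, or use the documented spelling.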
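Review bot: The `kubernetes.io/service-account-token` Secret `-sa-token` creates a long-lived, non-expiring token for the pyrra ServiceAccount, yet nothing else in this patch mounts or references it — both the proxy (`-client-secret-file`) and the api container (`--prometheus-bearer-token-path`) read the projected token under `/var/run/secrets/kubernetes.io/serviceaccount/`; if it exists because the OAuth server needs a Secret-backed token for the ServiceAccount-as-OAuth-client flow, say so in a comment, otherwise drop the document rather than leave a standing credential bound to a ClusterRole. `session_secret` is rendered from `sessionSecret`, whose default is `""`, so an empty cookie secret is written silently; guard it, `session_secret: {{ required "openshift.openshiftOauth.sessionSecret must be set" .Values.openshift.openshiftOauth.sessionSecret | b64enc | quote }}`, or accept an existing Secret name so the value need not live in a values file. That one-liner also replaces the `|-` block scalar wrapping a single templated line.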
@@ -3,15 +3,24 @@ apiVersion: v1 kind: Service metadata: name: {{ include "pyrra.fullname" . }} - {{- with .Values.service.annotations }} + {{- if or .Values.service.annotations (and .Values.openshift.isOpenshift .Values.openshift.openshiftOauth.enabled) }} annotations: + {{- with .Values.service.annotations }} {{- toYaml . | nindent 4 }} + {{- end }} + {{- if and .Values.openshift.isOpenshift .Values.openshift.openshiftOauth.enabled }} + service.alpha.openshift.io/serving-cert-secret-name: {{ include "pyrra.fullname" . }}-tls + {{- end }} {{- end }} labels: {{- include "pyrra.labels" . | nindent 4 }} spec: type: {{ .Values.service.type }} ports: + {{- if and .Values.openshift.isOpenshift .Values.openshift.openshiftOauth.enabled }} + - name: https + port: 9091 + {{- else }} - name: internal port: 9443 - name: api @@ -21,6 +30,7 @@ spec: {{- if .Values.service.nodePort }} nodePort: {{ .Values.service.nodePort }} {{- end }} + {{- end }} - name: op-metrics port: {{ .Values.service.operatorMetricsPort }} targetPort: {{ include "pyrra.operatorMetricsPort" . }} diff --git a/charts/pyrra/templates/serviceaccount.yaml b/charts/pyrra/templates/serviceaccount.yaml index 4e70e1d..e234c05 100644 --- a/charts/pyrra/templates/serviceaccount.yaml +++ b/charts/pyrra/templates/serviceaccount.yaml 
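Review bot: When the OAuth proxy is enabled the `{{- else }}` branch removes the `internal` (9443) and `api` Service ports entirely, so anything that addresses the Service on those ports — the validating webhook configuration if it targets this Service, or a `service.nodePort` setting — silently loses them; unless that is intended, add the `https` port alongside the existing ones instead of replacing them, and document the change of exposed ports next to `openshiftOauth.enabled`. `service.alpha.openshift.io/serving-cert-secret-name` still works, but `service.beta.openshift.io/serving-cert-secret-name` is the current documented form. The second hunk (`{{- end }}` after the nodePort block) only closes the same conditional.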
@@ -6,8 +6,14 @@ metadata: name: {{ include "pyrra.serviceAccountName" . }} labels: {{- include "pyrra.labels" . | nindent 4 }} - {{- with .Values.serviceAccount.annotations }} + {{- if or .Values.serviceAccount.annotations (and .Values.openshift.isOpenshift .Values.openshift.openshiftOauth.enabled) }} annotations: + {{- with .Values.serviceAccount.annotations }} {{- toYaml . | nindent 4 }} + {{- end }} + {{- if and .Values.openshift.isOpenshift .Values.openshift.openshiftOauth.enabled }} + serviceaccounts.openshift.io/oauth-redirectreference.primary: >- + {"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"{{ include "pyrra.fullname" . }}"}} + {{- end }} {{- end }} {{- end }} diff --git a/charts/pyrra/values.yaml b/charts/pyrra/values.yaml index c36a172..de0d5f7 100644 --- a/charts/pyrra/values.yaml +++ b/charts/pyrra/values.yaml @@ -154,3 +154,17 @@ dashboards: labelValue: "1" annotations: {} extraLabels: {} + +openshift: + # -- enables common OpenShift support + isOpenshift: false + openshiftOauth: + # -- enables OpenShift OAuth-proxy + enabled: false + # -- OpenShift OAuth-proxy image + openshiftOauthProxyImage: "openshift/oauth-proxy:latest" + # -- SessionSecret for OpenShift OAuth-proxy, string + sessionSecret: "" + openshiftRoute: + # -- enables creation of OpenShift route + enabled: false
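Review bot: The `serviceaccounts.openshift.io/oauth-redirectreference.primary` annotation points the OAuth server at a Route named `{{ include "pyrra.fullname" . }}`, but route.yaml only renders that Route when `openshift.openshiftRoute.enabled` is also true, so `openshiftOauth.enabled` on its own yields a redirect reference to a nonexistent object and the login flow cannot complete. Either fail early, `{{- if and .Values.openshift.openshiftOauth.enabled (not .Values.openshift.openshiftRoute.enabled) }}{{ fail "openshift.openshiftOauth.enabled requires openshift.openshiftRoute.enabled" }}{{- end }}`, or state the dependency in values.yaml above `openshiftRoute.enabled`. The outer conditional this block sits in opens outside the hunk.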
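Review bot: The new keys do not tell an operator who can log in: with the proxy enabled the sidecar is started with `-openshift-sar={"resource": "clusterrolebinding", "verb": "create"}`, so only users allowed to create ClusterRoleBindings get through, which the comment on `openshiftOauth.enabled` should say, e.g. `# -- enables OpenShift OAuth-proxy; access is limited to users who can create ClusterRoleBindings (see -openshift-sar in deployment.yaml)`. The comment `SessionSecret for OpenShift OAuth-proxy, string` should say what the value is for and that it ends up in a Secret rendered from this file, e.g. `# -- cookie secret for the OAuth-proxy session; required when openshiftOauth.enabled`. The `openshift/oauth-proxy:latest` default is covered by the note on deployment.yaml.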