Intel Changes

danc094codetogether · danc094codetogether · commit 340698685fdb · 2025-09-29T16:14:10.000-06:00
diff --git a/charts/intel/templates/deployment.yaml b/charts/intel/templates/deployment.yaml
@@ -27,6 +27,56 @@ spec:
         - name: {{ include "codetogether.fullname" . }}-pull-secret
       {{- end }}
       serviceAccountName: {{ include "codetogether.serviceAccountName" . }}
+      {{- if .Values.openshift.enabled }}
+      # OpenShift
+      {{- else if .Values.podSecurityContext }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      {{- end }}
+      {{- if .Values.securityContext.readOnlyRootFilesystem }}
+      initContainers:
+        - name: prepare-runtime
+          image: busybox:1.36
+          command: ["/bin/sh","-c"]
+          args:
+            {{- if .Values.openshift.enabled }}
+            - |
+              set -eu
+              for d in \
+                /run \
+                /var/log/nginx \
+                /var/cache/nginx
+              do
+                install -d -m 0775 "$d"
+              done
+            {{- else }}
+            - |
+              set -eu
+              for d in \
+                /run \
+                /var/log/nginx \
+                /var/cache/nginx
+              do
+                install -d -m 0775 "$d"
+              done
+              chown -R {{ default 1000 .Values.securityContext.runAsUser }}:{{ default 1000 .Values.securityContext.runAsGroup | default 1000 }} \
+                /run /var/log/nginx /var/cache/nginx
+            {{- end }}
+          securityContext:
+            {{- if .Values.openshift.enabled }}
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
+            {{- else }}
+            runAsUser: 0
+            runAsGroup: 0
+            runAsNonRoot: false
+            allowPrivilegeEscalation: false
+            {{- end }}
+          volumeMounts:
+            - { name: codetogether-runtime, mountPath: /run }
+            - { name: codetogether-runtime, mountPath: /var/log/nginx }
+            - { name: codetogether-runtime, mountPath: /var/cache/nginx }
+      {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           securityContext:
diff --git a/charts/intel/values.yaml b/charts/intel/values.yaml
@@ -132,14 +132,24 @@ serviceAccount:
 
 podAnnotations: {}
 
-securityContext: {} #defaults to
+# Enable if deploying in OpenShift
+openshift:
+  enabled: false
 
+securityContext: {} #defaults
   # capabilities:
   #   drop:
   #   - ALL
-  #readOnlyRootFilesystem: true  # enable for read-only setup
-  # runAsNonRoot: true           # false for non-root user
-  # runAsUser: 0 # Use '0' for root user for read-only setup
+  # readOnlyRootFilesystem: true # enable for read-only setup
+  # runAsNonRoot: true
+  # runAsUser: 1000 # Use '0' for root user, in vanilla k8s you can use any non-root uid
+  # runAsGroup: 1000
+  # In openshift, dont set runAsUser or runAsGroup, let OpenShift assign the values
+
+podSecurityContext: {}
+# In OpenShift will inject automatically
+  #fsGroup: 1000
+  #fsGroupChangePolicy: "OnRootMismatch"
 
 ai:
   enabled: false
