feat(helm): add support for ibm openshift

helm/resurfaceio/resurface/Chart.yaml

@@ -1,15 +1,15 @@
 apiVersion: v2
 name: resurface
-version: 3.3.0
+version: 3.4.0
 type: application
 description: Resurface discovers and alerts on quality and security signatures in your API traffic.
 annotations:
-  artifacthub.io/containsSecurityUpdates: "true"
+  artifacthub.io/containsSecurityUpdates: "false"
   artifacthub.io/changes: |
+    - kind: added
+      description: Support for IBM OpenShift
     - kind: changed
-      description: Upgrade Resurface image to 3.3.13
-    - kind: changed
-      description: Upgrade HAProxy dependency to 1.24.0
+      description: Upgrade HAProxy dependency to 1.25.1
 keywords:
   - API
   - HTTP
@@ -23,9 +23,9 @@ keywords:
 home: https://resurface.io
 dependencies:
   - name: kubernetes-ingress
-    version: "1.24.0"
+    version: "1.25.1"
     repository: https://haproxytech.github.io/helm-charts
-    condition: ingress.enabled
+    condition: ingress.controller.enabled
 maintainers:
   - name: Ramón Márquez
     email: ramon@resurface.io

helm/resurfaceio/resurface/templates/NOTES.txt

@@ -1,3 +1,4 @@
+{{- $tlsenabled := or .Values.ingress.tls.enabled (eq .Values.provider "ibm-openshift") -}}
 
 Resurface has been successfully {{ if .Release.IsInstall }}installed{{ else if .Release.IsUpgrade }}upgraded{{end}}.
 
@@ -7,8 +8,8 @@ Resurface has been successfully {{ if .Release.IsInstall }}installed{{ else if .
 · Number of worker nodes: {{ .Values.multinode.workers }}
 {{- end }}
 {{- if .Values.ingress.enabled }}
-· TLS is{{ if not .Values.ingress.tls.enabled }} not{{ end }} enabled.
-· Authentication is{{ if and .Values.ingress.tls.enabled .Values.auth.enabled }} enabled.
+· TLS is{{ if not $tlsenabled }} not{{ end }} enabled.
+· Authentication is{{ if and $tlsenabled .Values.auth.enabled }} enabled.
   · Basic auth is{{ if not .Values.auth.basic.enabled }} not{{end}} enabled.
   · JWT auth is{{ if not .Values.auth.jwt.enabled }} not{{end}} enabled.
   · OAuth 2.0 is{{ if not .Values.auth.oauth2.enabled }} not{{end}} enabled.
@@ -18,16 +19,16 @@ Resurface has been successfully {{ if .Release.IsInstall }}installed{{ else if .
 · Use the following command to list all the resources deployed with this release:
 
 helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
-{{ if and .Values.ingress.enabled .Values.ingress.tls.enabled }}
-· You can find the API Explorer for your Resurface instance here: https://{{ .Values.ingress.tls.host}}/ui
+{{ if and .Values.ingress.enabled $tlsenabled }}
+· You can find the UI for your Resurface instance here: https://{{ .Values.ingress.tls.host }}/ui
 {{- else if .Values.ingress.enabled }}
 
-· Once the EXTERNAL IP for the Ingress Controller has been assigned, you can get the URL of the API Explorer for your Resurface instance by running the following command:
+· Once the EXTERNAL IP for the Ingress Controller has been assigned, you can get the URL of the UI for your Resurface instance by running the following command:
 
 echo http://$(kubectl get svc {{ include "resurface.fullname" . }}-kubernetes-ingress --namespace {{ .Release.Namespace }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")/ui
 
 {{- else }}
-· You can get the URL of the API Explorer for your Resurface instance by running the following command:
+· You can get the URL of the UI for your Resurface instance by running the following command:
 
 echo http://$(kubectl get svc --namespace {{ .Release.Namespace }} coordinator --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}"){{ if ne (int .Values.custom.service.apiexplorer.port) 80 }}:{{ .Values.custom.service.apiexplorer.port | default 7700 }}{{ end }}/
 {{- end }}

helm/resurfaceio/resurface/templates/_helpers.tpl

@@ -56,7 +56,7 @@ Default options: container resources and persistent volumes
 {{- define "resurface.resources" }}
 {{- $provider := toString .Values.provider -}}
 {{- $cpureq := .Values.custom.resources.cpu | default (eq $provider "azure" | ternary 5 6) -}}
-{{- $dbsize := .Values.custom.config.dbsize | default (eq $provider "azure" | ternary 7 9) | int -}}
+{{- $dbsize := .Values.custom.config.dbsize | default (or (eq $provider "ibm-openshift") (eq $provider "azure") | ternary 7 9) | int -}}
 {{- $dbheap := .Values.custom.config.dbheap | default 3 | int -}}
 {{- $dbslabs := .Values.custom.config.dbslabs | default 3 | int -}}
 {{- $memreq := .Values.custom.resources.memory | default (add $dbsize $dbheap) }}
@@ -98,7 +98,7 @@ Coordinator config.properties
 coordinator=true
 discovery.uri=http://localhost:7700
 node-scheduler.include-coordinator=true
-{{ if .Values.ingress.tls.enabled -}}
+{{ if or .Values.ingress.tls.enabled (eq .Values.provider "ibm-openshift") -}}
 http-server.process-forwarded=true
 http-server.authentication.allow-insecure-over-http=true
 {{ include "resurface.config.auth" . -}}

helm/resurfaceio/resurface/templates/ingress.yaml

@@ -4,10 +4,15 @@ kind: Ingress
 metadata:
   name: {{ include "resurface.fullname" . }}-ingress
   annotations:
+    {{- if eq .Values.provider "ibm-openshift" }}
+    route.openshift.io/termination: edge
+    haproxy.router.openshift.io/rewrite-target: /
+    {{- else }}
     haproxy.org/load-balance: "roundrobin"
     {{- if .Values.ingress.importer.expose }}
     haproxy.org/path-rewrite: {{ .Values.ingress.importer.path | default "/fluke" }}/(.*) /\1
     {{- end }}
+    {{- end }}
     {{- if and .Values.ingress.tls.enabled .Values.ingress.tls.autoissue.enabled }}
     cert-manager.io/issuer: {{ include "resurface.fullname" . }}-letsencrypt{{ if .Values.ingress.tls.autoissue.staging }}-staging{{ end }}
     {{- end }}
@@ -17,7 +22,9 @@ spec:
       name: kubernetes-ingress-default-backend
       port:
         number: 8080
+  {{- if ne .Values.provider "ibm-openshift" }}
   ingressClassName: haproxy
+  {{- end }}
   rules:
     - http:
         paths:
@@ -37,10 +44,12 @@ spec:
                 port:
                   name: fluke-svcport
           {{- end }}
-      {{- if .Values.ingress.tls.enabled }}
-      host: {{ .Values.ingress.tls.host }}
+      {{ if .Values.ingress.tls.enabled -}}
+      host: {{ required "A fully qualified domain name is needed when TLS is enabled" .Values.ingress.tls.host }}
+      {{- else if eq .Values.provider "ibm-openshift" -}}
+      host: {{ include "resurface.fullname" . }}.{{ required "The value ingress.tls.host must be set with the ingress subdomain name when running on OpenShift" .Values.ingress.tls.host }}
       {{- end }}
-  {{- if .Values.ingress.tls.enabled }}
+  {{- if and .Values.ingress.tls.enabled (ne .Values.provider "ibm-openshift") }}
   tls:
     - secretName: {{ .Values.ingress.tls.byoc.secretname | default (printf "%s-tls" (include "resurface.fullname" . )) }}
       hosts:

helm/resurfaceio/resurface/templates/sa.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: resurface-sa
+  namespace: {{ .Release.Namespace }}

helm/resurfaceio/resurface/templates/snifferdaemon.yaml

@@ -21,6 +21,11 @@ spec:
       - name: resurface-logger
         image: resurfaceio/network-sniffer{{ if .Values.sniffer.debug }}-debug:1.0.0{{ else }}:1.2.3{{ end }}
         imagePullPolicy: IfNotPresent
+        securityContext:
+          runAsUser: 0
+          runAsGroup: 0
+          capabilities:
+            add: [ "NET_ADMIN", "NET_RAW" ]
         env:
         - name: USAGE_LOGGERS_URL
           value: {{ .Values.custom.service.flukeserver.port | default 7701 | printf "http://worker.%s:%v/message" (.Release.Namespace) }}

helm/resurfaceio/resurface/templates/stateful-coordinator.yaml

@@ -19,6 +19,7 @@ spec:
         {{- include "resurface.selectorLabels" . | nindent 8 }}
         db.resurface.io/role: coordinator
     spec:
+      serviceAccountName: resurface-sa
       volumes:
         - name: config-volume
           configMap:

helm/resurfaceio/resurface/templates/stateful-worker.yaml

@@ -19,6 +19,7 @@ spec:
       labels:
         {{- include "resurface.selectorLabels" . | nindent 8 }}
     spec:
+      serviceAccountName: resurface-sa
       volumes:
         - name: config-volume
           configMap:

helm/resurfaceio/resurface/values.yaml

@@ -5,6 +5,8 @@ provider:
 
 ingress:
   enabled: true
+  controller:
+    enabled: true
   importer:
     expose: true
     path: "/fluke"