From 7cff4abcc132e92300595c523e0a50b8bc1aaf3d Mon Sep 17 00:00:00 2001
From: Kirill Thirteen
Date: Mon, 12 Jun 2023 15:20:42 +0300
Subject: [PATCH] Improve Openshift support, allow to use existing SCCs
- Add ability to provide existing SecurityContextConstraints name instead of create new one
- Add ability to add annotations for SecrutiryContextConstraints resource, created with the chart
- Add common labels for SecurityContextConstraints
- Improve variables naming
- Bump up chart version
Signed-off-by: Kirill Thirteen
---
 charts/fluent-bit/Chart.yaml | 4 ++--
 charts/fluent-bit/templates/_helpers.tpl | 11 +++++++++++
 charts/fluent-bit/templates/clusterrole.yaml | 4 ++--
 charts/fluent-bit/templates/scc.yaml | 16 ++++++++++------
 charts/fluent-bit/values.yaml | 10 ++++++----
 5 files changed, 31 insertions(+), 14 deletions(-)
diff --git a/charts/fluent-bit/Chart.yaml b/charts/fluent-bit/Chart.yaml
index bf2564c2..a6fa5b7a 100644
--- a/charts/fluent-bit/Chart.yaml
+++ b/charts/fluent-bit/Chart.yaml
@@ -5,7 +5,7 @@ keywords:
 - logging
 - fluent-bit
 - fluentd
-version: 0.30.4
+version: 0.30.5
 appVersion: 2.1.4
 icon: https://raw.githubusercontent.com/cncf/artwork/master/projects/fluentd/fluentbit/icon/fluentbit-icon-color.svg
 home: https://fluentbit.io/
@@ -23,4 +23,4 @@ maintainers:
 annotations:
 artifacthub.io/changes: |
 - kind: added
- description: "Use Helm release specific Grafana dashboard filenames."
+ description: "Add ability to use existing SecurityContextConstraints in OpenShift, for the fluent-bit chart."
diff --git a/charts/fluent-bit/templates/_helpers.tpl b/charts/fluent-bit/templates/_helpers.tpl
index 2cba2a78..b62ffa98 100644
--- a/charts/fluent-bit/templates/_helpers.tpl
+++ b/charts/fluent-bit/templates/_helpers.tpl
@@ -125,3 +125,14 @@ autoscaling/v2beta2
 autoscaling/v2
 {{- end -}}
 {{- end -}}
+
+{{/*
+Create the name of OpenShift SecurityContextConstraints to use
+*/}}
+{{- define "fluent-bit.openShift.securityContextConstraints.name" -}}
+{{- if .Values.openShift.securityContextConstraints.create -}}
+ {{ default (include "fluent-bit.fullname" .) .Values.openShift.securityContextConstraints.name }}
+{{- else if .Values.openShift.securityContextConstraints.existingName -}}
+{{- printf "%s" .Values.openShift.securityContextConstraints.existingName -}}
+{{- end -}}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/fluent-bit/templates/clusterrole.yaml b/charts/fluent-bit/templates/clusterrole.yaml
index 94ff4ae4..8ad67b98 100644
--- a/charts/fluent-bit/templates/clusterrole.yaml
+++ b/charts/fluent-bit/templates/clusterrole.yaml
@@ -29,13 +29,13 @@ rules:
 verbs:
 - use
 {{- end }}
- {{- if and .Values.openShift.enabled .Values.openShift.securityContextConstraints.create }}
+ {{- if or .Values.openShift.securityContextConstraints.create .Values.openShift.securityContextConstraints.existingName }}
 - apiGroups:
 - security.openshift.io
 resources:
 - securitycontextconstraints
 resourceNames:
- - {{ include "fluent-bit.fullname" . }}
+ - {{ include "fluent-bit.openShift.securityContextConstraints.name" . }}
 verbs:
 - use
 {{- end }}
diff --git a/charts/fluent-bit/templates/scc.yaml b/charts/fluent-bit/templates/scc.yaml
index 300a8ed1..222c074b 100644
--- a/charts/fluent-bit/templates/scc.yaml
+++ b/charts/fluent-bit/templates/scc.yaml
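Review bot: The two branches of the new `fluent-bit.openShift.securityContextConstraints.name` helper use different trimming styles: the `create` branch emits `{{ default ... }}` inside indentation while the `existingName` branch uses `{{- printf "%s" ... -}}`, where `printf "%s"` applied to a string is a no-op. Both read more uniformly as `{{- default (include "fluent-bit.fullname" .) .Values.openShift.securityContextConstraints.name -}}` and `{{- .Values.openShift.securityContextConstraints.existingName -}}`. The helper also silently prefers `create` when both `create` and `existingName` are set, and yields an empty string when neither is, which callers such as clusterrole.yaml have to guard against themselves; the template comment should say so, e.g. `create takes precedence over existingName; empty when neither is set`. The file also loses its trailing newline (`\ No newline at end of file`).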
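Review bot: With `existingName` set, the `use` rule now names an SCC the chart does not manage, so the privileges the Fluent Bit service account gains are whatever that SCC grants — possibly wider than the chart-created one in scc.yaml, or too narrow for the volume types the chart's own SCC allows (hostPath among them). The new `{{- if or ... }}` guard admits any non-empty `existingName` with no check that such an SCC exists, so a typo renders a rule for a nonexistent resource and the failure only surfaces at pod admission, not at install time. A comment above the guard would make the trust boundary explicit, e.g. `# "use" is granted on either the chart-created SCC or the operator-supplied existingName; the chart neither verifies that SCC exists nor reviews its privilege level`. The surrounding `rules:` list starts before the hunk.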
@@ -1,12 +1,14 @@
-{{- if and .Values.openShift.enabled .Values.openShift.securityContextConstraints.create }}
-apiVersion: security.openshift.io/v1
+{{- if and .Values.openShift.securityContextConstraints.create }}
+apiVersion: security.openShift.io/v1
 kind: SecurityContextConstraints
 metadata:
- name: {{ include "fluent-bit.fullname" . }}
-{{- if .Values.openShift.securityContextConstraints.annotations }}
+ name: {{ include "fluent-bit.openShift.securityContextConstraints.name" . }}
+ labels:
+ {{- include "fluent-bit.labels" . | nindent 4 }}
+ {{- with .Values.openShift.securityContextConstraints.annotations }}
 annotations:
- {{- toYaml .Values.openShift.securityContextConstraints.annotations | nindent 4 }}
-{{- end }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 allowPrivilegedContainer: true
 allowPrivilegeEscalation: true
 allowHostDirVolumePlugin: true
@@ -30,8 +32,10 @@ supplementalGroups:
 type: RunAsAny
 volumes:
 - configMap
+ - downwardAPI
 - emptyDir
 - hostPath
 - persistentVolumeClaim
+ - projected
 - secret
 {{- end }}
diff --git a/charts/fluent-bit/values.yaml b/charts/fluent-bit/values.yaml
index 6b651282..28468c1c 100644
--- a/charts/fluent-bit/values.yaml
+++ b/charts/fluent-bit/values.yaml
@@ -44,13 +44,15 @@ podSecurityPolicy:
 create: false
 annotations: {}
+# OpenShift-specific configuration
 openShift:
- # Sets Openshift support
- enabled: false
- # Creates SCC for Fluent-bit when Openshift support is enabled
 securityContextConstraints:
- create: true
+ # Create SCC for Fluent-bit and allow use it
+ create: false
+ name: ""
 annotations: {}
+ # Use existing SCC in cluster, rather then create new one
+ existingName: ""
 podSecurityContext: {}
 # fsGroup: 2000
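Review bot: `apiVersion: security.openShift.io/v1` on the new side has the API group in the wrong case; Kubernetes API groups are lowercase DNS-style names and the same commit's clusterrole.yaml uses `security.openshift.io`, so the rendered SCC is very likely to be rejected as an unknown API group whenever `create` is true — the "Improve variables naming" rename appears to have been applied to a string that is not a variable. The line should read `apiVersion: security.openshift.io/v1`. The new guard `{{- if and .Values.openShift.securityContextConstraints.create }}` is `and` with a single operand left over from dropping `openShift.enabled`; `{{- if .Values.openShift.securityContextConstraints.create }}` says the same thing. The rest of the SCC body lies outside this hunk.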
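Review bot: The default for `openShift.securityContextConstraints.create` flips from `true` to `false` while `openShift.enabled` is removed outright, so a user whose values set `openShift.enabled: true` and relied on the old default will, after upgrading, get neither the SCC nor the ClusterRole `use` rule (both templates are now gated on `create` or `existingName` alone), and the commit message's bullet list does not call this out. An upgrade note in the changelog entry, or keeping `create: true` as the default, would avoid a silent loss of the SCC on upgrade. The new comments also need wording fixes and should state precedence, e.g. `# Create an SCC for Fluent Bit and grant the service account use of it (takes precedence over existingName)` and `# Use an existing SCC in the cluster rather than creating one (ignored when create is true)`. The precedence follows from the helper in _helpers.tpl, which tests `create` before `existingName`.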