cloudnative-pg / charts

CloudNativePG Helm Charts
Apache License 2.0

Deployment issues on OpenShift due to container securityContext #446

Open BlueCog opened 1 week ago

BlueCog commented 1 week ago

Summary

When deploying the CloudNativePG Helm chart on OpenShift, we encountered deployment failures caused by the container-level securityContext specified in the chart's values.yaml. OpenShift's security policies restrict the use of certain securityContext fields, leading to conflicts that prevent the pods from starting.

Details

Proposed Solution:

Pull Request:

A pull request implementing this solution has been submitted: https://github.com/cloudnative-pg/charts/pull/445

Additional Context:

We are not utilizing the Operator Lifecycle Manager (OLM) installation method for deploying the CloudNativePG operator. Instead, we have an internal Lifecycle Management (LCM) process that leverages tools like Renovate and ArgoCD to manage our deployments.

sxd commented 1 week ago

Hello @BlueCog

The chart to install the operator is not meant to be used with OpenShift; for that, there's a supported OLM package. The chart should never be used on OpenShift.

Regards,

BlueCog commented 1 week ago

> The chart to install the operator is not meant to be used with OpenShift; for that, there's a supported OLM package. The chart should never be used on OpenShift.
>
> Regards,

Thank you for your response.

I wanted to confirm whether this is the official stance regarding the usage of the Helm chart on OpenShift. In our experience, we have successfully installed the CloudNativePG operator on OpenShift with minimal adjustments. Post-installation, we have been able to provision databases and utilize the operator's features without any issues.

Our organization operates in an air-gapped environment, which means that utilizing the Operator Lifecycle Manager (OLM) does not provide direct benefits for us. Implementing OLM would require additional efforts to mirror and maintain the OLM packages within our environment. Moreover, OLM does not fit well with our stringent automated update policy, which is efficiently managed through standalone images and Helm charts, along with tools like Renovate and ArgoCD.

By deploying via Helm charts, we can:

Given these factors, having the option to deploy the operator using Helm charts is highly beneficial for us. The changes proposed in the pull request aim to enhance the Helm chart's compatibility with OpenShift by making the container securityContext optional. This modification does not affect users who deploy in environments without such constraints but provides flexibility for those who do.

We would appreciate it if you could consider our use case and the proposed changes. Supporting the Helm chart deployment on OpenShift would greatly assist organizations like ours that rely on Helm for deployment and have specific operational requirements.

Thank you for your time and consideration. We look forward to your feedback.
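As an added illustration of the "optional container securityContext" approach discussed in this thread (this is not the chart's own template or values; the value key `containerSecurityContext`, the file names and the baseline settings are assumptions), a Helm template fragment that renders the block only when values supply it, a default values file for plain Kubernetes, and an OpenShift override that leaves the map empty so the SCC admission plugin assigns the UID, fsGroup and capabilities itself:

```yaml
# templates/deployment.yaml (excerpt; assumed layout, not the chart's own file)
      containers:
        - name: manager
          image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
          # Render securityContext only when the values map is non-empty.
          # `with` skips the whole block for {} or null, so on OpenShift the
          # restricted SCC can inject runAsUser/fsGroup/capabilities on its own
          # instead of rejecting a fixed UID that is outside the namespace range.
          {{- with .Values.containerSecurityContext }}
          securityContext:
            {{- toYaml . | nindent 12 }}
          {{- end }}
---
# values.yaml (default for non-OpenShift clusters; an assumed hardened baseline,
# kept explicit because plain Kubernetes injects none of this by itself)
containerSecurityContext:
  runAsNonRoot: true
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  capabilities:
    drop:
      - ALL
  seccompProfile:
    type: RuntimeDefault
---
# values-openshift.yaml (override passed with -f on OpenShift)
# An empty map, not a partial one: a hard-coded runAsUser here would still
# collide with the UID range the restricted SCC allocates to the project.
containerSecurityContext: {}
```

After rollout on OpenShift, the SCC that admitted the pod is recorded in the `openshift.io/scc` pod annotation; a `restricted` family SCC there confirms the platform policy was applied rather than overridden.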