Camunda Helm charts
The camunda-platform
Helm chart can be deployed to OpenShift with a few modifications, primarily revolving around your desired security context constraints. You can find out more about this in our general OpenShift deployment guide.
Compatibility​
We test against the following OpenShift versions and guarantee compatibility with:
OpenShift version | Supported |
---|---|
4.10.x | ✅ |
Any version not explicitly marked in the table above is not tested, and we cannot guarantee compatibility.
Quick start​
Find a quick start guide in the Helm chart repository.
Limitations​
The Elasticsearch
, Keycloak
, and Postgresql
charts all specify default non-root users for security purposes. To deploy these charts through the camunda-platform
chart, these default values must be removed. Unfortunately, due to a longstanding bug in Helm affecting all Helm versions from 3.2.0 and greater, this makes the installation of the chart (when deploying any of these sub-charts) more complex.
Note that this is only an issue if you are deploying Elasticsearch
, Keycloak
(via Identity
), or Postgresql
(via Keycloak
). If you are not deploying these, or not via the camunda-platform
chart, or you are using permissive SCC, this issue does not affect your deployment.
This also affects installations done through the OpenShift console, as it still uses Helm under the hood.
Configuration​
As discussed in the OpenShift deployment guide, you need to configure the pod and container security contexts based on your desired security context constraints (SCC).
Permissive SCC​
To use permissive SCC, install the charts as they are. Follow the general Helm deployment guide.
Restrictive SCC​
To use more restrictive SCC, configure the following minimum set of values for the various applications. The recommendations outlined in the general OpenShift deployment guide are relevant here as well. As the Camunda Platform 8 applications do not define a pod or security context, follow these recommendations, or simply omit defining any.
If you are deploying with SCC where RunAsUser
is MustRunAsRange
(e.g. the default restricted
SCC), and are deploying at least one of Elasticsearch
, Keycloak
, or Postgresql
, it's necessary to unset the default security context of these charts. If this does not apply to you, you can stop here.
This depends on which Helm version you use: 3.1.3 and lower, or 3.2.0 and greater (i.e. one affected by this bug). Find out your Helm version by running the following:
$ helm version
version.BuildInfo{Version:"v3.9.0", GitCommit:"7ceeda6c585217a19a1131663d8cd1f7d641b2a7", GitTreeState:"clean", GoVersion:"go1.17.5"}
Helm 3.1.3 or lower​
If you're running on Helm 3.0.0 up to 3.1.3, you need to add these values to your values.yaml
file, or save them to a new file locally, e.g. openshift.yaml
:
These values are also available in the Helm chart repository.
# omit this section if elasticsearch.enabled is false
elasticsearch:
securityContext:
runAsUser: null
sysctlInitContainer:
enabled: false
podSecurityContext:
fsGroup: null
runAsUser: null
# omit this section if identity.enabled is false
identity:
# omit this section if identity.keycloak.enabled is false
keycloak:
containerSecurityContext:
runAsUser: null
podSecurityContext:
fsGroup: null
runAsUser: null
postgresql:
# omit this section if identity.keycloak.postgresql.primary.enabled is false
primary:
containerSecurityContext:
runAsUser: null
podSecurityContext:
fsGroup: null
runAsUser: null
# omit this section if identity.keycloak.postgresql.readReplicas.enabled is false
readReplicas:
containerSecurityContext:
runAsUser: null
podSecurityContext:
fsGroup: null
runAsUser: null
# omit this section if identity.keycloak.postgresql.metrics.enabled is false
metrics:
containerSecurityContext:
runAsUser: null
podSecurityContext:
fsGroup: null
runAsUser: null
When installing the chart, run the following:
helm install <RELEASE NAME> camunda/camunda-platform --skip-crds -f openshift.yaml -f values.yaml
Helm 3.2.0 and greater​
If you must deploy using Helm 3.2.0 or greater, you have two options. One is to use a SCC which defines the RunAsUser
strategy to be at least RunAsAny
. If that's not possible, then you need to make use of a post-renderer. This workaround is also described in detail in the Helm chart repository.
If using a post-renderer, you must use the post-renderer whenever you are upgrading your release, not only during the initial installation. If you do not, the default values will be used again, which will prevent some services from starting.
While you can use your preferred post-renderer
, we provide one which requires only bash
and sed
to be available locally:
#!/bin/bash -eu
# Expected usage is as an Helm post renderer.
# Example usage:
# $ helm install my-release camunda/camunda-platform --post-renderer ./patch.sh
#
# This script is a Helm chart post-renderer for users on Helm 3.2.0 and greater. It allows removing default
# values set in sub-charts/dependencies, something which should be possible but is currently not working.
# See this issue for more: https://github.com/helm/helm/issues/9136
#
# The result of patching the rendered Helm templates is printed out to STDOUT. Any other logging from the
# script is thus sent to STDERR.
#
# Note to contributors: this post-renderer is used in the integration tests, so make sure that it can be used
# from any working directory.
set -o pipefail
# Perform two passes: once for single quotes, once for double quotes, as it's not specified that string values are
# always output with single or double quotes
sed -e "s/'@@null@@'/null/g" -e 's/"@@null@@"/null/g'
You also need to use a custom values file, where instead of using null
as a value to unset default values, you use a special marker value which will be removed by the post-renderer.
Copy these values to your values file or save them as a separate file, e.g. openshift.yaml
:
These values are also available in the Helm chart repository.
# omit this section if elasticsearch.enabled is false
elasticsearch:
securityContext:
runAsUser: "@@null@@"
sysctlInitContainer:
enabled: false
podSecurityContext:
fsGroup: "@@null@@"
runAsUser: "@@null@@"
# omit this section if identity.enabled is false
identity:
# omit this section if identity.keycloak.enabled is false
keycloak:
containerSecurityContext:
runAsUser: "@@null@@"
podSecurityContext:
fsGroup: "@@null@@"
runAsUser: "@@null@@"
postgresql:
# omit this section if identity.keycloak.postgresql.primary.enabled is false
primary:
containerSecurityContext:
runAsUser: "@@null@@"
podSecurityContext:
fsGroup: "@@null@@"
runAsUser: "@@null@@"
# omit this section if identity.keycloak.postgresql.readReplicas.enabled is false
readReplicas:
containerSecurityContext:
runAsUser: "@@null@@"
podSecurityContext:
fsGroup: "@@null@@"
runAsUser: "@@null@@"
# omit this section if identity.keycloak.postgresql.metrics.enabled is false
metrics:
containerSecurityContext:
runAsUser: "@@null@@"
podSecurityContext:
fsGroup: "@@null@@"
runAsUser: "@@null@@"
Now, when installing the charts, you can do so by running the following:
helm install <RELEASE NAME> camunda/camunda-platform --skip-crds -f openshift.yaml -f values.yaml --post-renderer ./patch.sh