fix(helm): use the same scc as olm (#488)

razvan · web-flow · commit ce3ecdd59021 · 2024-08-16T14:11:32.000Z
* fix(helm): use the same scc as olm

* fix indentation
diff --git a/deploy/helm/secret-operator/templates/roles.yaml b/deploy/helm/secret-operator/templates/roles.yaml
@@ -1,3 +1,40 @@
+{{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}
+---
+    apiVersion: security.openshift.io/v1
+    kind: SecurityContextConstraints
+    metadata:
+      name: stackable-secret-operator-scc
+      annotations:
+        kubernetes.io/description: SCC for Stackable secret operator
+    allowHostDirVolumePlugin: true
+    allowHostIPC: false
+    allowHostNetwork: false
+    allowHostPID: false
+    allowHostPorts: false
+    allowPrivilegeEscalation: true
+    allowPrivilegedContainer: true # Needed because otherwise we get spec.template.spec.containers[0].volumeMounts.mountPropagation: Forbidden: Bidirectional mount propagation is available only to privileged containers
+    allowedCapabilities: null
+    defaultAddCapabilities: null
+    fsGroup:
+      type: RunAsAny
+    groups: []
+    priority: null
+    readOnlyRootFilesystem: false
+    requiredDropCapabilities:
+    - MKNOD
+    runAsUser:
+      type: RunAsAny
+    seLinuxContext:
+      type: MustRunAs
+    supplementalGroups:
+      type: RunAsAny
+    users: []
+    volumes:
+    - downwardAPI
+    - projected
+    - hostPath
+    - emptyDir
+{{ end  }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -67,11 +104,13 @@ rules:
       - podlisteners
     verbs:
       - get
+{{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}
   - apiGroups:
-    - security.openshift.io
+      - security.openshift.io
     resourceNames:
-    - privileged
+      - stackable-secret-operator-scc
     resources:
-    - securitycontextconstraints
+      - securitycontextconstraints
     verbs:
-    - use
+      - use
+{{ end  }}
