openshift support

[a-dawg]

Describe the Bug

I am not able to run the chart on openshift 4.5
I am getting in the puppetserver logs

Running /docker-entrypoint.d/10-analytics.sh
(/docker-entrypoint.d/10-analytics.sh) Pupperware analytics disabled; skipping metric submission
Running /docker-entrypoint.d/20-use-templates-initially.sh
Upgrading /opt/puppetlabs/server/data/puppetserver/vendored-jruby-gems
Running /docker-entrypoint.d/30-set-permissions.sh
Running /docker-entrypoint.d/40-update-puppetdb-conf.sh
Running /docker-entrypoint.d/50-set-certname.sh
Running /docker-entrypoint.d/55-set-masterport.sh
Running /docker-entrypoint.d/60-setup-autosign.sh
Running /docker-entrypoint.d/70-set-dns-alt-names.sh
Running /docker-entrypoint.d/80-ca.sh
Running /docker-entrypoint.d/85-setup-storeconfigs.sh
Running /docker-entrypoint.d/90-consul.sh
runuser: failed to user credentials: System error

Expected Behavior

should not be killed

Environment

openshift 4.5

Additional Context

I have tried the commands below with no luck

oc -n puppet adm policy add-scc-to-user privileged -z default
oc adm policy add-scc-to-user anyuid -z deployer -n puppet

[a-dawg]

this issue is related to puppet/puppetserver not being openshift compatible.

[Xtigyro]

@a-dawg Gotcha! Thanks for bringing this up! 💯

Will be added in the next month or two.

CC: @underscorgan @Iristyle @slconley @scottcressi @mwaggett @nwolfe @adrienthebo @dhollinger @raphink @binford2k

[raphink]

@a-dawg FTR we're using puppet/puppetserver on OpenShift, but we do not use the entrypoint scripts. See https://github.com/camptocamp/charts/blob/master/puppetserver/templates/deployment.yaml#L54-L72

[Xtigyro]

@raphink Please feel absolutely free to start the work on adding the OpenShift support to the chart - will be very appreciated. 🥇

P.S. #66 should help the chart to meet some of your earlier requirements.

[pjamenaja]

I just had a chance to deploy Puppet on Openshift 4.5 today and discovered 3 steps need to do to make it works on Openshift.

1. Run command oc adm policy add-scc-to-user privileged -z default -n puppet-server to add "priviledge" SCC to user "default". Please note that the "priviledge" SCC is the most relax security so be careful to use it.
   Ref: https://www.openshift.com/blog/managing-sccs-in-openshift

2. Add "securityContext" to "puppetserver" container, this need to modify the Helm template puppetserver-deployment-masters.yaml.

        securityContext:
          runAsUser: 0
          runAsNonRoot: false
          privileged: true  

3. The same "securityContext" will need to be added to "puppetdb" and "puppetboard" containers in the puppetdb-deployment.yaml as well.

[Xtigyro]

Thanks for the proposition, @a-dawg @pjamenaja! Please feel free to send our way a PR - I'll be happy to review and merge it, afterwards. 🙇‍♂️