feat: Enhance Security Context Compatibility and OpenShift Support + Add Dynamic Configuration Options to Vault Helm Chart #300
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
JuryA
changed the title
JuryA
changed the title
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
There was a problem hiding this comment.
Pull Request Overview
This PR enhances the Vault Helm chart with dynamic security context handling, adds new configuration options, and improves OpenShift compatibility.
- Introduces a
renderSecurityContexthelper and replaces hardcoded securityContexts in the StatefulSet. - Adds
global.openshiftdetection,omitEmptySeLinuxOptions, and per-pod/container securityContext parameters invalues.yaml. - Updates README and helper templates to document and wire in the new options.
Reviewed Changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| vault/values.yaml | Added global.compatibility, podSecurityContext, and containerSecurityContext parameters; updated component blocks. |
| vault/templates/statefulset.yaml | Replaced static securityContext blocks with calls to compatibility helpers. |
| vault/templates/_helpers.tpl | Added vault.bank-vaults.containerSecurityContext helper. |
| vault/templates/_compatibility.tpl | Added isOpenshift and renderSecurityContext compatibility logic. |
| vault/README.md | Expanded chart values table to include new security and configuration options. |
Comments suppressed due to low confidence (4)
vault/values.yaml:368
- This description is applied to
vaultConfig.containerSecurityContext(the vault-config init container), but mentions ‘unsealer’. Update the text to reference the vault-config container.
# -- (object) SecurityContext capabilities to add to the unsealer container
vault/values.yaml:387
- This description is under
vaultConfigurer.containerSecurityContextand should reference the vault-configurer container instead of ‘unsealer’.
# -- (object) SecurityContext capabilities to add to the unsealer container
vault/README.md:209
- The description for
vaultConfig.containerSecurityContextshould mention the vault-config init container, not the unsealer.
| `vaultConfig.containerSecurityContext` | object | `{"enabled":false}` | SecurityContext capabilities to add to the unsealer container |
vault/README.md:211
- The description for
vaultConfigurer.containerSecurityContextshould refer to the vault-configurer container rather than the unsealer.
| `vaultConfigurer.containerSecurityContext` | object | `{"enabled":false}` | SecurityContext capabilities to add to the unsealer container |
|
@lgecse Have you had a chance to review my code request? |
csatib02
added
the
kind/enhancement
BlaxXGit
reviewed
Jun 26, 2025
…mpty `seLinuxOptions` in securityContexts Signed-off-by: Jiří Altman <[email protected]>
…curity contexts Signed-off-by: Jiří Altman <[email protected]>
…ate with IPC_LOCK capability adaptation Signed-off-by: Jiří Altman <[email protected]>
…global.openshift` Signed-off-by: Jiří Altman <[email protected]>
…h `podSecurityContext` Signed-off-by: Jiří Altman <[email protected]>
…th with `containerSecurityContext` - move `IPC_LOCK` capability and read-only root filesystem to helper template Signed-off-by: Jiří Altman <[email protected]>
…er container Signed-off-by: Jiří Altman <[email protected]>
Signed-off-by: Jiří Altman <[email protected]>
…y context Ensure the Helm chart correctly merges the `IPC_LOCK` capability into the existing security context capabilities: - Use `mergeOverwrite` instead of `set` to combine existing capabilities with `IPC_LOCK`. - Correct the lookup path for `disable_mlock` from `dig "vault" "config" "disable_mlock"` to `dig "config" "disable_mlock"`. ## Impact: - Adds the `IPC_LOCK` capability to the container security context when `disable_mlock` is `false`. - Configures the Vault container's security context with the intended capabilities. - Reads the `disable_mlock` setting from the correct location. Signed-off-by: Jiří Altman <[email protected]>
- Added new parameters for container and pod security contexts - Enhanced configuration options for CertManager and pod disruption budgets - Updated existing parameters for clarity and consistency Signed-off-by: Jiří Altman <[email protected]>
JuryA
force-pushed
the
configurable-sec-contexts
branch
from
473577e to
c71af0d
Compare
Replaced direct merging of the inner "capabilities" dictionary with merging of a complete `_securityContext` dictionary containing the "capabilities" field. Signed-off-by: Jiří Altman <[email protected]>
Signed-off-by: Jiří Altman <[email protected]>
BlaxXGit
approved these changes
Jul 3, 2025
BlaxXGit
approved these changes
Jul 3, 2025
There was a problem hiding this comment.
✅ Verified: Security Context Bug Fixed
I've tested your latest commits and can confirm that the security context bug I reported has been successfully resolved. Great work on implementing the fix!
🧪 Test Results
Test Case 1: disable_mlock: true with drop: ALL capabilities
helm template vault . -f test-security.yaml | grep -A 5 -B 5 "IPC_LOCK"
# Result: No matches found ✅Test Case 2: disable_mlock: false with drop: ALL capabilities
securityContext:
capabilities:
add:
- IPC_LOCK # ✅ Correctly added when needed
drop:
- ALL # ✅ User config preserved🎯 Key Improvements Confirmed
- IPC_LOCK logic works correctly: Only added when
disable_mlock: false - User capabilities preserved:
drop: ALLno longer gets overwritten - mergeOverwrite approach: Clean implementation that maintains forward compatibility
The vault.bank-vaults.containerSecurityContext helper now properly handles both scenarios while preserving all user-defined security context properties.
Thanks for addressing this critical security configuration issue! 🙌
|
@ramizpolic @csatib02 Could you please prioritise completing the review? I've resolved all outstanding issues, with @BlaxXGit already confirming and approving them. I'm heading off on an extended trip without access to a computer, so I'd really appreciate finalising this beforehand. If that’s not possible, you may need to handle the merge independently later, which I'd like to avoid if we can. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Overview
This pull request introduces significant updates to the Vault Helm chart, focusing on improving security context compatibility, adding new configuration options, and enhancing OpenShift support. The changes include the addition of dynamic security context rendering, new parameters for container and pod configurations, and updates to the StatefulSet template to ensure compatibility across different platforms.
Security Context Enhancements:
vault.compatibility.renderSecurityContexthelper invault/templates/_compatibility.tplto dynamically adapt security contexts based on the deployment platform (e.g., OpenShift). This includes removing incompatible fields likefsGroup,runAsUser, andrunAsGroupwhen necessary.vault/templates/statefulset.yamlto use the new compatibility helper, ensuring platform-specific adjustments forvault-config,vault-unsealer,vault-configurer, andprometheus-statsd-exporter. [1] [2] [3] [4]OpenShift Support:
global.openshiftparameter invault/values.yaml, allowing valuestrue,false, orautoto specify or detect OpenShift deployment automatically.vault.compatibility.renderSecurityContextto adapt security contexts for OpenShift's restricted-v1 SCC.Helm Chart Configuration:
vault/README.mdto include new options such ascontainerSecurityContext,podSecurityContext,certManager, andpriorityClassName. These additions enhance flexibility for deployments and improve security.StatefulSet Template Updates:
vault/templates/statefulset.yamlwith calls to compatibility helpers, ensuring dynamic adjustments based on platform-specific requirements. [1] [2]Bank-Vaults Integration:
vault.bank-vaults.containerSecurityContexthelper invault/templates/_helpers.tplto include theIPC_LOCKcapability whenvault.config.disable_mlockis not enabled. This ensures proper functionality of Bank-Vaults with enhanced security.Fixes #275 (partly), bank-vaults/bank-vaults#1442
Notes for reviewer
Signed-off-by: Jiří Altman [email protected]