
OpenShift Configuration

OpenShift is designed to use a randomly generated user ID and group ID (UID/GID) for the runAsUser and fsGroup fields of the Pod-level and container-level security contexts.

By default, the security contexts in the chart use values corresponding to the user and group IDs under which the product runs. You can unset the fsGroup and runAsUser securityContext fields in your custom values, allowing OpenShift to set them as expected.

Unset fsGroup and runAsUser at the pod level

In the global section of the values.yaml file, add the following stanza:

global:
  workload:
    securityContext:
      fsGroup: null
      runAsUser: null

This unsets fsGroup and runAsUser in the Pod-level security context. Pods that require initContainers must also unset runAsUser in the container-level security context.

initContainers: unset runAsUser at the container level

Some of the product deployments use initContainers for various operations, such as waiting for other services to be available or performing configuration actions. These containers, while part of the workload, have their security context set at the container level, not the Pod level. The values listed above apply only to the Pod-level security context. To unset runAsUser for any pingtoolkit initContainers so that OpenShift can take over, also add the following stanza:

global:
  externalImage:
    pingtoolkit:
      securityContext:
        runAsUser: null

For example, here is a complete block for configuring pingaccess-admin with a waitFor initContainer:

global:
  workload:
    securityContext:
      fsGroup: null
      runAsUser: null
  externalImage:
    pingtoolkit:
      securityContext:
        runAsUser: null

pingaccess-admin:
  enabled: true
  privateCert:
    generate: true
  envs:
    SERVER_PROFILE_URL: https://github.com/pingidentity/pingidentity-server-profiles.git
    SERVER_PROFILE_PATH: baseline/pingaccess
  container:
    waitFor:
      pingfederate-engine:
        service: https
        timeoutSeconds: 300
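To confirm that both stanzas took effect, the following added example (not part of the chart or its documentation) scans workload manifests in JSON form for any runAsUser or fsGroup that is still hard-coded at the Pod, container or initContainer level. The sample manifest, the initContainer name `wait-for` and the UID `1000` are constructed for illustration.

```python
import json

# Constructed sample: a trimmed Deployment where the Pod-level fields were
# unset but the initContainer still pins runAsUser (the case described above).
SAMPLE = json.loads("""
{"kind": "List", "items": [{
  "kind": "Deployment",
  "metadata": {"name": "pingaccess-admin"},
  "spec": {"template": {"spec": {
    "securityContext": {},
    "initContainers": [
      {"name": "wait-for", "securityContext": {"runAsUser": 1000}}
    ],
    "containers": [
      {"name": "pingaccess-admin",
       "securityContext": {"allowPrivilegeEscalation": false}}
    ]
  }}}
}]}
""")


def pinned_ids(manifest):
    """Return (workload, scope, field, value) for every ID still hard-coded."""
    findings = []
    # Accept either a List wrapper or a single workload object.
    for item in manifest.get("items", [manifest]):
        workload = f'{item["kind"]}/{item["metadata"]["name"]}'
        pod = item.get("spec", {}).get("template", {}).get("spec", {})
        # fsGroup exists only at the Pod level; runAsUser exists at both levels.
        scopes = [("pod", pod.get("securityContext"), ("runAsUser", "fsGroup"))]
        for key in ("initContainers", "containers"):
            for c in pod.get(key) or []:
                scopes.append((f'{key}/{c["name"]}',
                               c.get("securityContext"), ("runAsUser",)))
        for scope, ctx, fields in scopes:
            for field in fields:
                # A null or absent field means the platform assigns the ID.
                if (ctx or {}).get(field) is not None:
                    findings.append((workload, scope, field, ctx[field]))
    return findings


if __name__ == "__main__":
    for workload, scope, field, value in pinned_ids(SAMPLE):
        print(f"{workload}: {scope} still sets {field}={value}")
```

On a live cluster the same function can be fed the parsed output of `oc get deployment,statefulset -o json` in place of the sample.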