Can't change namespace for nfs #434

Closed

coderDem opened this issue Jul 18, 2022 · 6 comments

Comments

coderDem commented Jul 18, 2022

Suggestion

Hello,

the provisioning script tries to set namespace-wide security constraints, and for obvious DevSecOps considerations our account is only limited to namespace-wide definitions of SecurityContextConstraints, see the following error:

```
│ Error: rendered manifests contain a resource that already exists. Unable to continue with install: could not get information about the resource SecurityContextConstraints "jira-nfs-server" **in namespace ""**: securitycontextconstraints.security.openshift.io "jira-nfs-server" is forbidden: User "XXXXX" cannot get resource "securitycontextconstraints" in API group "security.openshift.io" at the cluster scope
│
│   with module.jira[0].module.nfs.helm_release.nfs,
│   on modules\kubernetes\nfs\helm.tf line 1, in resource "helm_release" "nfs":
│    1: resource "helm_release" "nfs" {
```

We tried passing the namespace name over the values.yaml in the Helm chart as a normal key/value pair, but were unsuccessful. Could you please tell us how we could achieve this?

Thank you very much in advance.

Product

Jira

bianchi2 (Collaborator) commented Jul 18, 2022

Hi @coderDem, did you try to install this Helm chart outside Terraform with --debug? There's nothing in it that would deal with SCC, which is an OpenShift API resource, and I struggle to understand why in your case the Helm chart wants to get an SCC, which is a cluster-wide (non-namespaced) resource.

With that being said, I'd like to kindly remind you about support boundaries for the Terraform project and that OpenShift isn't among officially supported platforms.

coderDem (Author) commented

Hello @bianchi2

thank you for your fast response.
We could deploy the Helm chart by hand on our cluster, see here:

```
NAME            NAMESPACE       REVISION        UPDATED                                         STATUS          CHART                   APP VERSION
nfs-server      tfdp-tf-one     1               2022-07-19 09:55:27.4377295 +0200 CEST          deployed        nfs-server-0.2.0        2.0
postgresql      tfdp-tf-one     1               2022-07-15 14:17:33.027522 +0200 CEST           deployed        postgresql-11.6.16      14.4.0
vaultatruvia    tfdp-tf-one     1               2022-07-13 17:38:39.274439597 +0200 CEST        deployed        vault-0.18.0            1.9.0
```

But we still get the error. We don't know why the Helm chart provider from Atlassian tries to get access to cluster-wide SecurityContextConstraints objects ... and doesn't even seem to pass on the namespace name to the Helm chart it is supposed to be deployed to. We have sent a request on the linked Slack channel on the Atlassian website for the TF deployment script for Data Center/Server Atlassian products and are keeping our fingers crossed for a fast response xD

bianchi2 (Collaborator) commented

@coderDem there are no SCCs in the NFS Helm chart templates. Can you confirm you haven't modified the templates to add SCC objects to solve some permission issues on OpenShift (i.e. you are using the Helm chart as is)?

I’d probably enable debug mode for Helm provider https://registry.terraform.io/providers/hashicorp/helm/latest/docs#argument-reference in here https://github.com/atlassian-labs/data-center-terraform/blob/b16ecd5a47d31c8f6f9600e156c470cf352bb64f/providers.tf#L21

What I expect then is Helm printing what exact resource already exists, and this will shed some light on the issue and further debugging.

coderDem (Author) commented

Hello @bianchi2

thank you for your reply. We now know we need to get a SecurityObject for our user and get the possibility to bind it,
to start the nfs server.

bianchi2 (Collaborator) commented

I suspect it's related to allowing anyuid, since the nfs server won't start as a user with a 1000008something uid (a range is per namespace)? Other than that I do not see anything in the NFS stateful set that would prevent it from starting in OpenShift (not privileged, no host volume mounts, no direct volume mounts, etc.)
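An added example, not code from the atlassian-labs/data-center-terraform project or from either commenter, that puts together the two points raised in this thread: enabling the `debug` argument of the hashicorp/helm provider so Helm reports which resource collides, and the namespace-scoped way to satisfy the anyuid guess above without the cluster-scope SCC rights the original error shows the user lacks. On OpenShift a user with only namespace permissions can still let one workload run under the pre-existing `anyuid` SCC by granting its service account the `use` verb on that SCC through a Role and RoleBinding in the same namespace. The namespace `tfdp-tf-one` is taken from the helm list output in this thread; the service account name `nfs-server`, the kubeconfig path and the use of the hashicorp/kubernetes provider are assumptions.

```hcl
# Added example, not part of the data-center-terraform repository.

provider "helm" {
  # Helm debug mode makes the provider log which rendered manifest is the one
  # that "already exists", instead of only reporting the failed GET.
  debug = true

  kubernetes {
    config_path = "~/.kube/config" # assumption: local kubeconfig
  }
}

provider "kubernetes" {
  config_path = "~/.kube/config" # assumption: local kubeconfig
}

locals {
  namespace           = "tfdp-tf-one" # from the helm list output in this thread
  nfs_service_account = "nfs-server"  # assumption: SA the NFS StatefulSet runs as
}

# Namespaced Role that grants only the "use" verb on the existing anyuid SCC.
# Creating this Role needs no cluster-scoped permission, unlike creating or
# reading an SCC itself, which is what the "at the cluster scope" error denies.
resource "kubernetes_role" "use_anyuid_scc" {
  metadata {
    name      = "use-anyuid-scc"
    namespace = local.namespace
  }

  rule {
    api_groups     = ["security.openshift.io"]
    resources      = ["securitycontextconstraints"]
    resource_names = ["anyuid"] # pinned to one SCC, not all of them
    verbs          = ["use"]
  }
}

# Bind the Role to the single service account whose Pod needs a fixed UID,
# rather than to the user or to the namespace's whole authenticated group.
resource "kubernetes_role_binding" "nfs_use_anyuid_scc" {
  metadata {
    name      = "nfs-use-anyuid-scc"
    namespace = local.namespace
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Role"
    name      = kubernetes_role.use_anyuid_scc.metadata[0].name
  }

  subject {
    kind      = "ServiceAccount"
    name      = local.nfs_service_account
    namespace = local.namespace
  }
}
```

Pinning `resource_names` to `anyuid` and binding to one service account keeps the grant as narrow as the anyuid requirement allows; `anyuid` is still wider than the default restricted SCC, so the binding is worth reviewing once the chart's UID handling is understood from the debug output.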

coderDem (Author) commented

Hello @bianchi2

we are now not using NFS anymore and are using PersistentVolumeClaims for this.
So I will close this issue.
