Add OpenShift Compatibility to Data Flywheel Helm Chart#27
Open
Hadar301 wants to merge 3 commits into NVIDIA-AI-Blueprints:main from
Conversation
* enable openshift deployment added flag and needed files
  Signed-off-by: Hadar Cohen <hacohen@redhat.com>
* no need to include the chart for nemo
  Signed-off-by: Hadar Cohen <hacohen@redhat.com>
* create secrets only if they have value
  ---------
  Signed-off-by: Hadar Cohen <hacohen@redhat.com>

* enable openshift deployment added flag and needed files
  Signed-off-by: Hadar Cohen <hacohen@redhat.com>
* no need to include the chart for nemo
  Signed-off-by: Hadar Cohen <hacohen@redhat.com>
* create secrets only if they have value
* add documentation for openshift
  ---------
  Signed-off-by: Hadar Cohen <hacohen@redhat.com>
Enable openshift deployment (#1)
Summary
This PR adds full OpenShift deployment support to the Data Flywheel Helm chart, enabling deployment on OpenShift clusters with the restricted-v2 Security Context Constraints (SCC). The implementation is controlled by a feature flag and maintains backward compatibility with standard Kubernetes deployments.
Changes Overview
* Added openshift.enabled flag to toggle OpenShift-specific features
* Implemented security context configurations compliant with OpenShift restricted-v2 SCC:
  * Pod-level: runAsNonRoot, seccompProfile (RuntimeDefault)
  * Container-level: allowPrivilegeEscalation: false, drop all capabilities
* Added OpenShift Route configuration for external access (API, MLflow, Kibana, Flower) with TLS support
* Configurable storage class override (gp3-csi default)
* UBI-based init container image for OpenShift compatibility
* Helper templates:
  * data-flywheel.podSecurityContext: Generates OpenShift-compliant pod security context
  * data-flywheel.containerSecurityContext: Generates OpenShift-compliant container security context
  * data-flywheel.serviceType: Dynamically selects service type (ClusterIP for OpenShift, NodePort for K8s)
* Route templates:
  * api-route.yaml
  * mlflow-route.yaml
  * kibana-route.yaml
  * flower-route.yaml
* All routes support:
  * Auto-generated or custom hostnames
  * Edge TLS termination
  * HTTP to HTTPS redirection
  * Conditional deployment based on profile settings
* Modified all deployments (API, Celery workers, MongoDB, Redis, Elasticsearch, MLflow, Kibana, Flower) to include:
  * Conditional security contexts when openshift.enabled: true
  * Init containers for volume preparation using UBI minimal images
  * Persistent volume mounts with emptyDir volumes for stateful services (MongoDB, Redis)
  * Service type switching (ClusterIP vs NodePort)
* Fixed secret creation to only generate secrets when values are provided
  * Prevents empty secret creation that could cause deployment issues
  * Improves security posture by avoiding placeholder credentials
Technical Details
* Complies with OpenShift's restricted-v2 SCC without requiring cluster-admin privileges
* Allows dynamic UID/GID assignment by OpenShift
* Drops all container capabilities and disables privilege escalation
* Uses RuntimeDefault seccomp profile
* Uses Red Hat UBI minimal image (registry.access.redhat.com/ubi8/ubi-minimal) for OpenShift
* Falls back to busybox for standard Kubernetes
* Prepares volumes for MongoDB and Redis without requiring root permissions
Breaking Changes
None - all changes are backward compatible and gated behind the openshift.enabled flag.
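The following is an added illustration of how a flag-gated chart of this shape fits together; it is not the PR's own template code, which is not shown on this page. It assumes the helper names listed in the description (data-flywheel.podSecurityContext, data-flywheel.containerSecurityContext, data-flywheel.serviceType), and invents the values keys `api.route.enabled`, `api.route.host` and `secrets.ngcApiKey`, the resource names built from `.Release.Name`, and the `mongo:7` image purely for the example. The security-relevant points it demonstrates are that the helpers render nothing when `openshift.enabled` is false (so plain Kubernetes output is byte-for-byte unchanged), that restricted-v2 compliance means not pinning `runAsUser`/`fsGroup` and never relying on CHOWN in the init container, and that a Secret is only rendered when a value is actually supplied:

```yaml
# values.yaml (excerpt, constructed for this example)
openshift:
  enabled: true
  storageClass: gp3-csi
api:
  route:
    enabled: true
    host: ""        # empty: OpenShift generates <name>-<namespace>.<apps-domain>
secrets:
  ngcApiKey: ""     # empty: no Secret is rendered at all

---
# templates/_helpers.tpl (illustrative helper bodies)
{{- define "data-flywheel.podSecurityContext" -}}
{{- /* restricted-v2 assigns UID and fsGroup from the namespace range; do not set them here */ -}}
{{- if .Values.openshift.enabled -}}
runAsNonRoot: true
seccompProfile:
  type: RuntimeDefault
{{- end }}
{{- end }}

{{- define "data-flywheel.containerSecurityContext" -}}
{{- if .Values.openshift.enabled -}}
allowPrivilegeEscalation: false
capabilities:
  drop: ["ALL"]
{{- end }}
{{- end }}

{{- define "data-flywheel.serviceType" -}}
{{- ternary "ClusterIP" "NodePort" .Values.openshift.enabled -}}
{{- end }}

---
# templates/mongodb-deployment.yaml (excerpt)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ .Release.Name }}-mongodb
spec:
  selector:
    matchLabels: {app: mongodb}
  template:
    metadata:
      labels: {app: mongodb}
    spec:
      # "with" skips the key entirely when the helper renders an empty string
      {{- with include "data-flywheel.podSecurityContext" . }}
      securityContext:
        {{- . | nindent 8 }}
      {{- end }}
      initContainers:
        - name: prepare-volume
          # UBI minimal on OpenShift, busybox elsewhere; only mkdir, no chown (CHOWN is dropped)
          image: {{ ternary "registry.access.redhat.com/ubi8/ubi-minimal" "busybox" .Values.openshift.enabled }}
          command: ["sh", "-c", "mkdir -p /data/db"]
          volumeMounts:
            - {name: data, mountPath: /data}
          {{- with include "data-flywheel.containerSecurityContext" . }}
          securityContext:
            {{- . | nindent 12 }}
          {{- end }}
      containers:
        - name: mongodb
          image: mongo:7
          volumeMounts:
            - {name: data, mountPath: /data/db}
          {{- with include "data-flywheel.containerSecurityContext" . }}
          securityContext:
            {{- . | nindent 12 }}
          {{- end }}
      volumes:
        - name: data
          emptyDir: {}

---
# templates/api-route.yaml: only rendered on OpenShift with the route enabled
{{- if and .Values.openshift.enabled .Values.api.route.enabled }}
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: {{ .Release.Name }}-api
spec:
  {{- with .Values.api.route.host }}
  host: {{ . | quote }}
  {{- end }}
  to:
    kind: Service
    name: {{ .Release.Name }}-api
  port:
    targetPort: http
  tls:
    termination: edge
    insecureEdgeTerminationPolicy: Redirect
{{- end }}

---
# templates/ngc-secret.yaml: rendered only when a value was supplied
{{- if .Values.secrets.ngcApiKey }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ .Release.Name }}-ngc
type: Opaque
stringData:
  NGC_API_KEY: {{ .Values.secrets.ngcApiKey | quote }}
{{- end }}
```

To confirm the rendered output actually admits under the SCC before installing, render it with `helm template <release> <chart> --set openshift.enabled=true` and run `oc adm policy scc-subject-review -f` over the result; with `openshift.enabled=false` the same render should contain no `securityContext`, `Route` or UBI image at all, which is the backward-compatibility property the flag is meant to guarantee. The init container deliberately stops at `mkdir`: with all capabilities dropped and an arbitrary UID, a `chown` would fail, and write access to the emptyDir comes from the fsGroup the SCC assigns rather than from anything the chart sets.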