Terraform
Operate Terraform Enterprise on Red Hat OpenShift
OpenShift Beta
Terraform Enterprise support for Red Hat OpenShift is in beta. Do not deploy beta features in production environments. Provision a dedicated test environment before installing Terraform Enterprise on OpenShift. If you have questions or feedback about the OpenShift beta, contact your HashiCorp account representative.Operating Terraform Enterprise on Red Hat OpenShift is similar to running Terraform Enterprise in other Kubernetes environments.
You must set the openshift.enabled
Helm chart value to true
in your overrides values file so that Terraform Enterprise launches with a security configuration that meets OpenShift's restricted security constraints. Refer to the OpenShift documentation for additional information about the security constraints.
When set to true
, the openshift.enabled
value also sets the TFE_RUN_PIPELINE_KUBERNETES_OPEN_SHIFT_ENABLED
configuration variable to true
.
Security context constraints
The terraform-enterprise
Helm chart launches Terraform Enterprise with the
following security context configuration settings:
securityContext:
seccompProfile:
type: RuntimeDefault
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
runAsNonRoot: true
This configuration is required to comply with the restricted security context constraints in OpenShift environments. These constraints prioritize the security goal of preventing a process from escalating and escaping the container.
Terraform Enterprise uses Linux capabilities to generate independent container IDs so that each service inside the Terraform Enterprise container runs under a unique user ID. This behavior, however, is not allowed under the default securityContext
configuration. Setting the openshift.enabled
value to true
turns off varied user IDs, which enables Terraform Enterprise to start each service as the OpenShift-assigned container entry user ID.
Extend or fork the OpenShift terraform-enterprise
helm chart
The Terraform Enterprise Helm Chart is intended to meet the needs of the majority of our users. Many OpenShift primitives, such as routing, are absent in the terraform-enterprise
Helm chart. You can fork our Helm chart and adapt it to your organization’s requirements. Alternatively, you can use the terraform-enterprise
Helm chart as a sub-chart, thus relegating OpenShift primitives to the parent chart to be deployed around the terraform-enterprise
chart contents.
If you contact HashiCorp support, include your custom Helm chart alongside your support bundle to ensure support has all the information they need.