
Install using OpenShift

GitGuardian has been tested with OpenShift 4.

Installing the GitGuardian application on OpenShift clusters has several OpenShift-specific requirements.

Deactivate securityContext

GitGuardian Self-Hosted enforces securityContext directives by default. These settings can conflict with the securityContext requirements for some OpenShift security context constraints (SCCs) and must therefore be disabled.

Security note

Disabling our default securityContext does not mean a securityContext will not be set; it just means the SCC is responsible for setting the securityContext.

With Helm, the securityContext must be disabled in the values:

securityContext:
  enabled: false

loki-minio:
  podSecurityContext:
    enabled: false
  containerSecurityContext:
    enabled: false

loki:
  loki:
    podSecurityContext:
      fsGroup: null
      runAsGroup: null
      runAsUser: null

ggscout:
  securityContext:
    enabled: false
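Because the SCC now sets the securityContext, it is worth confirming after deployment which SCC admitted each pod and which UID each container received. The following is an added example, not GitGuardian code: it audits output in the shape of `oc get pods -o json`, and the sample pods, the finding texts and the list of SCCs treated as too permissive are assumptions.

```python
import json

# SCCs that permit root or privileged containers; this policy set is an assumption.
PERMISSIVE_SCCS = {"anyuid", "hostmount-anyuid", "privileged"}

def audit_pods(pod_list):
    """Return (pod, container, issue) findings for `oc get pods -o json` output."""
    findings = []
    for pod in pod_list.get("items", []):
        name = pod["metadata"]["name"]
        # OpenShift records the SCC that admitted the pod in this annotation.
        scc = pod["metadata"].get("annotations", {}).get("openshift.io/scc")
        if scc is None:
            findings.append((name, None, "no SCC annotation"))
        elif scc in PERMISSIVE_SCCS:
            findings.append((name, None, f"permissive SCC {scc}"))
        spec = pod["spec"]
        pod_uid = (spec.get("securityContext") or {}).get("runAsUser")
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            sc = c.get("securityContext") or {}
            uid = sc.get("runAsUser", pod_uid)  # container setting overrides pod setting
            if uid is None:
                findings.append((name, c["name"], "runAsUser not set"))
            elif uid == 0:
                findings.append((name, c["name"], "runs as UID 0"))
            if sc.get("privileged"):
                findings.append((name, c["name"], "privileged container"))
    return findings

# Constructed sample in the shape of `oc get pods -o json`; names and UIDs are made up.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "app-a", "annotations": {"openshift.io/scc": "restricted-v2"}},
  "spec": {"securityContext": {"fsGroup": 1000680000},
           "containers": [{"name": "web", "securityContext": {"runAsUser": 1000680000}}]}},
 {"metadata": {"name": "app-b", "annotations": {"openshift.io/scc": "anyuid"}},
  "spec": {"containers": [{"name": "worker"}]}},
 {"metadata": {"name": "app-c", "annotations": {"openshift.io/scc": "privileged"}},
  "spec": {"securityContext": {"runAsUser": 0},
           "containers": [{"name": "job", "securityContext": {"privileged": true}}]}}
]}
""")

if __name__ == "__main__":
    for finding in audit_pods(SAMPLE):
        print(finding)
```

Against a real cluster, load the JSON produced by `oc get pods -o json` for the namespace of your installation in place of the constructed sample.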

Use OpenShift Route instead of Ingress

OpenShift provides Routes in place of the regular Kubernetes Ingress. Helm installations do not enable Ingress by default.

The Route can be defined as:

apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: gitguardian-helm
spec:
  host: <INSTANCE FQDN>
  path: /
  port:
    targetPort: http
  tls:
    certificate: |
      <CERTIFICATE FULLCHAIN>
    insecureEdgeTerminationPolicy: Redirect
    key: |
      <CERTIFICATE PRIVKEY>
    termination: edge
  to:
    kind: Service
    name: nginx
    weight: 100
  wildcardPolicy: None

Where:

  • <INSTANCE FQDN> is the fully qualified domain name of your instance
  • <CERTIFICATE FULLCHAIN> is the TLS Certificate
  • <CERTIFICATE PRIVKEY> is the TLS Certificate's private key

Note that if your GitGuardian instance was created before October 2023, the service is named gitguardian instead of nginx.

Handle resource quotas per Project

When setting resource quotas per Project, it's essential to ensure that the quotas are sufficient for all your pods. With Helm installations, all resource requests and limits, including those for ephemeral storage, can be fully configured. Refer to our Scaling GitGuardian page for more details.

Ephemeral Storage

Ephemeral Storage is used to clone repositories during Historical Scans. Ensure that your scanner pods are allocated sufficient space to handle the largest repositories.