# Installing on OpenShift

Running Akamas on OpenShift requires some Helm configurations to be applied.

The installation is provided as a set of templates packaged in a chart archive managed by [Helm](https://helm.sh/). Custom values are applied to ensure Akamas complies with the default `restricted-v2` security context constraints.

## OpenShift requirements

OpenShift version 4.x.

{% hint style="info" %}
Before proceeding with the installation make sure you meet the [Kubernetes requirements](https://docs.akamas.io/akamas-docs/3.6/installing/kubernetes/prerequisites)
{% endhint %}

## Installation

The installation can be done offline and online as described in the section [Install Akamas](https://docs.akamas.io/akamas-docs/3.6/installing/kubernetes/install-akamas). Choose the one that better suits your cluster access policies.

The following snippet must be added to the `akamas.yaml` to install Akamas on OpenShift.

{% code title="akamas.yaml" %}

```yaml
airflow:
  uid: null
  gid: null

postgresql:
  primary:
    containerSecurityContext:
      enabled: false

    podSecurityContext:
      enabled: false

  shmVolume:
    enabled: false

kibana:
  podSecurityContext:
    fsGroup: null

  securityContext:
    runAsUser: null

elasticsearch:
  sysctlInitContainer:
    enabled: false

  securityContext:
    runAsUser: null

  podSecurityContext:
    fsGroup: null
    runAsUser: null
```

{% endcode %}

## Access Akamas - Ingress to route

Besides the methods described in [Accessing Akamas](https://docs.akamas.io/akamas-docs/3.6/installing/kubernetes/accessing-akamas), you can use the OpenShift default ingress controller to create the required routes. Add the following snippet to the `akamas.yaml` file.

{% code title="akamas.yaml" %}

```yaml
ingress:
  enabled: true

  annotations:
    route.openshift.io/termination: edge
    haproxy.router.openshift.io/timeout: 1200s

  className: ""

  tls:
    - {}
```

{% endcode %}

Once the Helm command is invoked, ensure the routes have been created by running:

```
oc get routes
```

The output must list the Akamas routes with different paths.

### Toolbox

The toolbox optional component requires privileged access to run on OpenShift; the toolbox uses a dedicated service account, named `toolbox` by default. You can grant privileged access by issuing the following command.

```bash
#This command assumes the akamas namespace is named "akamas"
# and the service account default name "toolbox" is used
oc adm policy add-scc-to-user privileged system:serviceaccount:akamas:toolbox
```