fix: add fsGroup to podSecurityContext for PVC write access

Pods running as UID 1000 could not write to PVC-backed /data mount
because the volume filesystem was owned by root. Setting fsGroup: 1000
tells Kubernetes to chown volume contents to GID 1000, resolving the
periodic state save permission error.

Author: privsim

helm/disentangle/values.yaml

@@ -84,6 +84,7 @@ pow:
 # Pod-level security context
 podSecurityContext:
   runAsNonRoot: true
+  fsGroup: 1000
   seccompProfile:
     type: RuntimeDefault
 

tests/golden/custom-resources.yaml

@@ -133,6 +133,7 @@ spec:
     spec:
       serviceAccountName: golden-test-disentangle
       securityContext:
+        fsGroup: 1000
         runAsNonRoot: true
         seccompProfile:
           type: RuntimeDefault

tests/golden/default.yaml

@@ -133,6 +133,7 @@ spec:
     spec:
       serviceAccountName: golden-test-disentangle
       securityContext:
+        fsGroup: 1000
         runAsNonRoot: true
         seccompProfile:
           type: RuntimeDefault

tests/golden/full-features.yaml

@@ -133,6 +133,7 @@ spec:
     spec:
       serviceAccountName: golden-test-disentangle
       securityContext:
+        fsGroup: 1000
         runAsNonRoot: true
         seccompProfile:
           type: RuntimeDefault
@@ -244,6 +245,7 @@ spec:
         spec:
           restartPolicy: OnFailure
           securityContext:
+            fsGroup: 1000
             runAsNonRoot: true
             seccompProfile:
               type: RuntimeDefault

tests/golden/minimal.yaml

@@ -133,6 +133,7 @@ spec:
     spec:
       serviceAccountName: golden-test-disentangle
       securityContext:
+        fsGroup: 1000
         runAsNonRoot: true
         seccompProfile:
           type: RuntimeDefault

tests/golden/no-serviceaccount.yaml

@@ -121,6 +121,7 @@ spec:
     spec:
       serviceAccountName: default
       securityContext:
+        fsGroup: 1000
         runAsNonRoot: true
         seccompProfile:
           type: RuntimeDefault