chore: Allow overriding securityContext (#88)

daniil-nedostup · MykolaMarusenko · commit e5eefd1563db · 2025-06-17T16:35:09.000+03:00
diff --git a/deploy-templates/README.md b/deploy-templates/README.md
@@ -65,9 +65,11 @@ A Helm chart for KubeRocketCI Gerrit Operator
 | imagePullSecrets | list | `[]` | Optional array of imagePullSecrets containing private registry credentials # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry |
 | name | string | `"gerrit-operator"` | component name |
 | nodeSelector | object | `{}` |  |
+| podSecurityContext | object | `{"runAsNonRoot":true}` | Pod Security Context Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ |
 | projectSyncInterval | string | `"1h"` | Format: golang time.Duration-formatted string |
 | resources.limits.memory | string | `"192Mi"` |  |
 | resources.requests.cpu | string | `"50m"` |  |
 | resources.requests.memory | string | `"64Mi"` |  |
+| securityContext | object | `{"allowPrivilegeEscalation":false}` | Container Security Context Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ |
 | tolerations | list | `[]` |  |
 
diff --git a/deploy-templates/templates/operator_deployment.yaml b/deploy-templates/templates/operator_deployment.yaml
@@ -19,8 +19,9 @@ spec:
         name: {{ .Values.name }}
     spec:
       serviceAccountName: "edp-{{ .Values.name }}"
-      securityContext:
-        runAsNonRoot: true
+      {{- if .Values.podSecurityContext }}
+      securityContext: {{ toYaml .Values.podSecurityContext | nindent 8 }}
+      {{- end }}
       {{- if .Values.imagePullSecrets }}
       imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }}
       {{- end }}
@@ -31,8 +32,9 @@ spec:
           imagePullPolicy: "{{ .Values.imagePullPolicy }}"
           command:
             - {{ .Values.name }}
-          securityContext:
-            allowPrivilegeEscalation: false
+          {{- if .Values.securityContext }}
+          securityContext: {{ toYaml .Values.securityContext | nindent 12 }}
+          {{- end }}
           env:
             - name: WATCH_NAMESPACE
               valueFrom:
diff --git a/deploy-templates/values.yaml b/deploy-templates/values.yaml
@@ -50,6 +50,16 @@ resources:
     cpu: 50m
     memory: 64Mi
 
+# -- Pod Security Context
+# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+podSecurityContext:
+  runAsNonRoot: true
+
+# -- Container Security Context
+# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+securityContext:
+  allowPrivilegeEscalation: false
+
 gerrit:
   # --  Flag to enable/disable Gerrit deploy
   deploy: true
