[K8S-534] redpanda: remove deprecated securityContext field(s)

Prior to this commit `securityContext` was an amalgam of both pod and container
level security contexts that was haphazardly cherry-picked apart and applied to
all pods and containers.

This commit removes such fields in favor of using `podTemplate` and Kubernetes'
default behavior of inheriting the Pod's SecurityContext when not specified on
the individual container.

Author: chrisseto

.changes/unreleased/charts-redpanda-Added-20250328-153410.yaml

@@ -0,0 +1,8 @@
+project: charts/redpanda
+kind: Added
+body: |-
+    Added a chart wide `podTemplate` field which may be used to control Pod attributes chart wide.
+
+      This field has a lower precedence than `statefulset.podTemplate` and
+      `post_install_job.podTemplate` but will still be merged with them.
+time: 2025-03-28T15:34:10.945119-04:00

.changes/unreleased/charts-redpanda-Changed-20250328-155756.yaml

@@ -0,0 +1,4 @@
+project: charts/redpanda
+kind: Changed
+body: The name of the container running redpanda is now always set to `redpanda`.
+time: 2025-03-28T15:57:56.677782-04:00

.changes/unreleased/charts-redpanda-Removed-20250328-153746.yaml

@@ -0,0 +1,12 @@
+project: charts/redpanda
+kind: Removed
+body: |-
+    `statefulset.securityContext`, `statefulset.sideCars.configWatcher.securityContext` have been removed.
+
+      These fields previously served as both PodSecurityContext and SecurityContext
+      across the entire chart which led to confusing semantics that couldn't be
+      fixed without breaking backwards compatiblity.
+
+      The top level `podTemplate` field may be used to control
+      PodSecurityContexts and SecurityContexts across the chart.
+time: 2025-03-28T15:37:46.85088-04:00

charts/redpanda/CHANGELOG.md

@@ -6,6 +6,11 @@ and is generated by [Changie](https://github.com/miniscruff/changie).
 
 
 ## Unreleased
+### Added
+* Added a chart wide `podTemplate` field which may be used to control Pod attributes chart wide.
+
+  This field has a lower precedence than `statefulset.podTemplate` and
+  `post_install_job.podTemplate` but will still be merged with them.
 ### Changed
 * Promoted the config-watcher sidecar into a real go binary that handles user management and simplifies cluster health checks so they no longer fail when the sole issue is that other nodes in the cluster are unavailable. Additionally the new sidecar subsumes the behavior of the `statefulset.sideCars.controllers` stanza which should now be specified via their own `enabled` flags.
 * `clusterDomain` now defaults to `cluster.local.` (A trialing `.` has been added) and the chart no longer adds trailing `.`'s to internal domains.
@@ -25,12 +30,21 @@ and is generated by [Changie](https://github.com/miniscruff/changie).
   Any unexpected values will result in a validation error,previously they would
   have been ignored.
 * Update Console depedency to latest version with breaking change. Please visit Console change-log.
+* The name of the container running redpanda is now always set to `redpanda`.
 ### Removed
 * Connectors sub-chart integration.
 
   The connectors chart may still be deployed separately, though it is not
   officially support. If possible, it is recommended to migrate to redpanda
   connect.
+* `statefulset.securityContext`, `statefulset.sideCars.configWatcher.securityContext` have been removed.
+
+  These fields previously served as both PodSecurityContext and SecurityContext
+  across the entire chart which led to confusing semantics that couldn't be
+  fixed without breaking backwards compatiblity.
+
+  The top level `podTemplate` field may be used to control
+  PodSecurityContexts and SecurityContexts across the chart.
 ### Fixed
 * Reverse order of applying resources to first create ClusterRole and then ClusterRoleBinding.
   When Redpanda custom resource has enabled RBAC the reconciliation was blocked due

charts/redpanda/README.md

@@ -530,6 +530,28 @@ Node selection constraints for scheduling Pods, can override this for StatefulSe
 
 **Default:** `{}`
 
+### [podTemplate.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=podTemplate.annotations)
+
+Annotations to apply (or overwrite the default) to all Pods of this Chart.
+
+**Default:** `{}`
+
+### [podTemplate.labels](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=podTemplate.labels)
+
+Labels to apply (or overwrite the default) to all Pods of this Chart.
+
+**Default:** `{}`
+
+### [podTemplate.spec](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=podTemplate.spec)
+
+A subset of Kubernetes' PodSpec type that will be merged into the PodSpec of all Pods for this Chart. See [Merge Semantics](#merging-semantics) for details.
+
+**Default:**
+
+```
+{"securityContext":{"fsGroup":101,"fsGroupChangePolicy":"OnRootMismatch","runAsUser":101}}
+```
+
 ### [post_install_job.affinity](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=post_install_job.affinity)
 
 **Default:** `{}`
@@ -935,16 +957,6 @@ Number of Redpanda brokers (Redpanda Data recommends setting this to the number
 
 **Default:** `3`
 
-### [statefulset.securityContext](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.securityContext)
-
-DEPRECATED: Prefer to use podTemplate.spec.securityContext or podTemplate.spec.containers[0].securityContext.
-
-**Default:**
-
-```
-{"fsGroup":101,"fsGroupChangePolicy":"OnRootMismatch","runAsUser":101}
-```
-
 ### [statefulset.sideCars.brokerDecommissioner.decommissionAfter](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.brokerDecommissioner.decommissionAfter)
 
 **Default:** `"60s"`
@@ -973,12 +985,6 @@ DEPRECATED: Please use statefulset.sideCars.resources
 
 **Default:** `{}`
 
-### [statefulset.sideCars.configWatcher.securityContext](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.configWatcher.securityContext)
-
-DEPRECATED: Please use statefulset.sideCars.securityContext
-
-**Default:** `{}`
-
 ### [statefulset.sideCars.controllers](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers)
 
 DEPRECATED: Please use statefulset.sideCars.brokerDecommissioner and statefulset.sideCars.pvcUnbinder

charts/redpanda/ci/34-security-contexts-novalues.yaml

@@ -14,9 +14,11 @@
 # limitations under the License.
 ---
 statefulset:
-  securityContext:
-    runAsUser: 1000
-    runAsGroup: 1000
+  podTemplate:
+    spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
 
 tolerations:
   - key: "example-key"
@@ -40,9 +42,11 @@ affinity:
 
 
 post_install_job:
-  securityContext:
-    # This should override the default above
-    runAsUser: 2000
+  podTemplate:
+    spec:
+      securityContext:
+        # This should override the default above
+        runAsUser: 2000
 
   resources:
     limits:

charts/redpanda/ci/38-post-install-upgrade-merges-novalues.yaml

@@ -14,9 +14,11 @@
 # limitations under the License.
 ---
 statefulset:
-  securityContext:
-    runAsUser: 1000
-    runAsGroup: 1000
+  podTemplate:
+    spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
 
 tolerations:
   - key: "example-key"

charts/redpanda/ci/38-post-install-upgrade-no-overrides-novalues.yaml

@@ -324,35 +324,6 @@ func CertSecretName(dot *helmette.Dot, certName string, cert *TLSCert) string {
 	return fmt.Sprintf("%s-%s-cert", Fullname(dot), certName)
 }
 
-// PodSecurityContext returns a subset of [corev1.PodSecurityContext] for the
-// redpanda Statefulset. It is also used as the default PodSecurityContext.
-func PodSecurityContext(dot *helmette.Dot) *corev1.PodSecurityContext {
-	values := helmette.Unwrap[Values](dot.Values)
-
-	sc := ptr.Deref(values.Statefulset.PodSecurityContext, values.Statefulset.SecurityContext)
-
-	return &corev1.PodSecurityContext{
-		FSGroup:             sc.FSGroup,
-		FSGroupChangePolicy: sc.FSGroupChangePolicy,
-	}
-}
-
-// ContainerSecurityContext returns a subset of [corev1.SecurityContext] for
-// the redpanda Statefulset. It is also used as the default
-// ContainerSecurityContext.
-func ContainerSecurityContext(dot *helmette.Dot) corev1.SecurityContext {
-	values := helmette.Unwrap[Values](dot.Values)
-
-	sc := ptr.Deref(values.Statefulset.PodSecurityContext, values.Statefulset.SecurityContext)
-
-	return corev1.SecurityContext{
-		RunAsUser:                sc.RunAsUser,
-		RunAsGroup:               coalesce([]*int64{sc.RunAsGroup, sc.FSGroup}),
-		AllowPrivilegeEscalation: coalesce([]*bool{sc.AllowPrivilegeEscalation, sc.AllowPriviledgeEscalation}),
-		RunAsNonRoot:             sc.RunAsNonRoot,
-	}
-}
-
 //nolint:stylecheck
 func RedpandaAtLeast_22_2_0(dot *helmette.Dot) bool {
 	return redpandaAtLeast(dot, redpanda_22_2_0)
@@ -407,19 +378,6 @@ func cleanForK8s(in string) string {
 	return strings.TrimSuffix(helmette.Trunc(63, in), "-")
 }
 
-// coalesce returns the first non-nil pointer. This is distinct from helmette's
-// Coalesce which returns the first non-EMPTY pointer.
-// It accepts a slice as variadic methods are not currently supported in
-// gotohelm.
-func coalesce[T any](values []*T) *T {
-	for _, v := range values {
-		if v != nil {
-			return v
-		}
-	}
-	return nil
-}
-
 // StrategicMergePatch is a half-baked implementation of Kubernetes' strategic
 // merge patch. It's closer to a merge patch with smart handling of lists
 // that's tailored to the values permitted by [PodTemplate].
@@ -428,7 +386,13 @@ func StrategicMergePatch(overrides PodTemplate, original corev1.PodTemplateSpec)
 	// - No support for Directives
 	// - List merging by key is handled on a case by case basis.
 	// - Can't "unset" optional values in the original due to there being no
-	//   difference between *T being explicitly nil or not yet.
+	//   difference between *T being explicitly nil or not set.
+
+	// Nasty hack to work around mutability issues when using MergeTo on a
+	// deeply nested object. gotohelm doesn't currently have a deepCopy method,
+	// so we marshal to JSON and then unmarshal back into the same type.
+	overridesClone := helmette.FromJSON(helmette.ToJSON(overrides))
+	overrides = helmette.MergeTo[PodTemplate](overridesClone)
 
 	overrideSpec := overrides.Spec
 	if overrideSpec == nil {