Keep .Values.executor.securityContext, to prevent making a potentially breaking change

Author: marcleblanc2

charts/sourcegraph-executor/k8s/README.md

@@ -54,6 +54,7 @@ In addition to the documented values, the `executor` and `private-docker-registr
 |-----|------|---------|-------------|
 | executor.affinity | object | `{}` | Affinity, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) |
 | executor.configureRbac | bool | `true` | Whether to configure the necessary RBAC resources. Required only once for all executor deployments. |
+| executor.containerSecurityContext | object | `{}` | Override container security context for the executor container. learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) |
 | executor.debug.keepJobs | string | `"false"` | If true, Kubernetes jobs will not be deleted after they complete. Not recommended for production use as it can hit cluster limits. |
 | executor.debug.keepWorkspaces | string | `"false"` |  |
 | executor.defaultContainerSecurityContext | object | `{"privileged":false}` | Default container security context for the executor container |
@@ -97,7 +98,7 @@ In addition to the documented values, the `executor` and `private-docker-registr
 | executor.resources.limits.memory | string | `"1Gi"` |  |
 | executor.resources.requests.cpu | string | `"500m"` |  |
 | executor.resources.requests.memory | string | `"200Mi"` |  |
-| executor.securityContext | object | `{}` | Override container security context for the executor container. learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) |
+| executor.securityContext | object | `{}` | (DEPRECATED) Legacy override for container security context. Use containerSecurityContext instead. Kept for backwards compatibility; containerSecurityContext takes precedence if both are set. |
 | executor.storageSize | string | `"10Gi"` | The storage size of the PVC attached to the executor deployment. |
 | executor.tolerations | list | `[]` | Tolerations, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |
 | sourcegraph.affinity | object | `{}` | Affinity, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) |

charts/sourcegraph-executor/k8s/templates/_helpers/_securityContext.tpl

@@ -5,7 +5,10 @@ Security context helpers for container and pod security contexts.
 These helpers implement a 3-tier merge precedence:
 1. Component default (e.g., .Values.executor.defaultContainerSecurityContext)
 2. Global override (e.g., .Values.sourcegraph.containerSecurityContext)
-3. Component override (e.g., .Values.executor.securityContext for container, .Values.executor.podSecurityContext for pod)
+3. Component override (e.g., .Values.executor.containerSecurityContext for container, .Values.executor.podSecurityContext for pod)
+
+For backwards compatibility, .Values.<component>.securityContext is also supported for container
+security context and merged before containerSecurityContext (so containerSecurityContext takes precedence).
 
 Later values override earlier ones, allowing customers to:
 - Set global security context settings that apply to all components
@@ -37,8 +40,9 @@ Parameters:
 {{- end -}}
 {{- $default := $component.defaultContainerSecurityContext | default dict -}}
 {{- $global := $root.Values.sourcegraph.containerSecurityContext | default dict -}}
-{{- $override := $component.securityContext | default dict -}}
-{{- $merged := mustMergeOverwrite (deepCopy $default) $global $override -}}
+{{- $legacyOverride := $component.securityContext | default dict -}}
+{{- $override := $component.containerSecurityContext | default dict -}}
+{{- $merged := mustMergeOverwrite (deepCopy $default) $global $legacyOverride $override -}}
 {{- if $merged | keys | len | ne 0 }}
 {{ "securityContext:" | indent $indent }}
 {{ toYaml $merged | indent (int (add $indent 2)) -}}

charts/sourcegraph-executor/k8s/values.yaml

@@ -112,9 +112,12 @@ executor:
   # -- Default container security context for the executor container
   defaultContainerSecurityContext:
     privileged: false
+  # -- (DEPRECATED) Legacy override for container security context. Use containerSecurityContext instead.
+  # Kept for backwards compatibility; containerSecurityContext takes precedence if both are set.
+  securityContext: {}
   # -- Override container security context for the executor container.
   # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container)
-  securityContext: {}
+  containerSecurityContext: {}
   # -- Default pod security context for the executor pod
   defaultPodSecurityContext: {}
   # -- Override pod security context for the executor pod