
Add securityContext to values.yaml#3

Open
theninj4 wants to merge 2 commits intoNeptuneHub:mainfrom
theninj4:postgres-security-context

Conversation

@theninj4

👋 I've added securityContext to the postgres section of values.yaml so I can get persistence working. The core issue is that postgres needs to chown its data directory on boot; however, not all Kubernetes storage adapters allow changing permissions on mounted volumes (I'm using an NFS storage adapter with this limitation). The solution is to start the container with the user ID matching the attached volume. This is quite a niche feature, so I've left it out of the default values, and I've tested both with and without any values present.

Preview of the changes:

```
$ helm template my-audiomuse . | grep -A 4 securityContext
...
--
      securityContext:
        fsGroup: 100
        runAsGroup: 100
        runAsUser: 1024
$ helm template my-audiomuse . | kubectl apply --dry-run=client -f -
secret/my-audiomuse-audiomuse-ai-jellyfin created (dry run)
secret/my-audiomuse-audiomuse-ai-postgres created (dry run)
secret/my-audiomuse-audiomuse-ai-gemini created (dry run)
secret/my-audiomuse-audiomuse-ai-mistral created (dry run)
secret/my-audiomuse-audiomuse-ai-ai-chat-db created (dry run)
secret/my-audiomuse-audiomuse-ai-navidrome created (dry run)
secret/my-audiomuse-audiomuse-ai-lyrion created (dry run)
configmap/my-audiomuse-audiomuse-ai-env-vars created (dry run)
persistentvolumeclaim/my-audiomuse-audiomuse-ai-postgres-pvc created (dry run)
service/my-audiomuse-audiomuse-ai-flask-service created (dry run)
service/my-audiomuse-audiomuse-ai-postgres created (dry run)
service/my-audiomuse-audiomuse-ai-redis created (dry run)
deployment.apps/my-audiomuse-audiomuse-ai-flask created (dry run)
deployment.apps/my-audiomuse-audiomuse-ai-postgres created (dry run)
deployment.apps/my-audiomuse-audiomuse-ai-redis created (dry run)
deployment.apps/my-audiomuse-audiomuse-ai-worker created (dry run)
$ helm template my-audiomuse . | kubectl apply --dry-run=server -f -
secret/my-audiomuse-audiomuse-ai-jellyfin created (server dry run)
secret/my-audiomuse-audiomuse-ai-postgres created (server dry run)
secret/my-audiomuse-audiomuse-ai-gemini created (server dry run)
secret/my-audiomuse-audiomuse-ai-mistral created (server dry run)
secret/my-audiomuse-audiomuse-ai-ai-chat-db created (server dry run)
secret/my-audiomuse-audiomuse-ai-navidrome created (server dry run)
secret/my-audiomuse-audiomuse-ai-lyrion created (server dry run)
configmap/my-audiomuse-audiomuse-ai-env-vars created (server dry run)
persistentvolumeclaim/my-audiomuse-audiomuse-ai-postgres-pvc created (server dry run)
service/my-audiomuse-audiomuse-ai-flask-service created (server dry run)
service/my-audiomuse-audiomuse-ai-postgres created (server dry run)
service/my-audiomuse-audiomuse-ai-redis created (server dry run)
deployment.apps/my-audiomuse-audiomuse-ai-flask created (server dry run)
deployment.apps/my-audiomuse-audiomuse-ai-postgres created (server dry run)
deployment.apps/my-audiomuse-audiomuse-ai-redis created (server dry run)
deployment.apps/my-audiomuse-audiomuse-ai-worker created (server dry run)
```

@theninj4 theninj4 marked this pull request as draft January 14, 2026 18:54
@theninj4 theninj4 marked this pull request as ready for review January 14, 2026 19:00
Owner

@NeptuneHub NeptuneHub left a comment


Hi @theninj4, thanks for this. A couple of things needed:

Conditional guard: Same as PR #2, please use {{- with }} instead of unconditional rendering to avoid securityContext: null when not set.

Apply to all deployments, not just postgres: Please add configurable securityContext to flask, worker, and redis as well, for consistency.

Defaults for flask and worker: The application until now has always run as root (in future I'll double-check whether this is strictly required or can be changed), so values.yaml must include safe defaults for flask and worker:

```yaml
flask:
  securityContext:
    runAsUser: 0
    runAsGroup: 0
    fsGroup: 0

worker:
  securityContext:
    runAsUser: 0
    runAsGroup: 0
    fsGroup: 0
```

This way the current behavior is preserved out of the box, but users can override it if their setup requires it (like your NFS case for postgres). For postgres and redis you can leave the defaults empty so they only apply when explicitly configured.
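The following is an added example, not code from the AudioMuse chart or from either participant, putting the two review points together: a `{{- with }}`-guarded pod securityContext in the deployment template, and a values.yaml whose root defaults for flask and worker preserve current behaviour while postgres and redis render nothing until a user sets them. The file paths, the `.Values.<component>.securityContext` and `.Values.postgres.image` keys, and the resource name are assumptions. One caveat worth checking when reviewing: `fsGroup` is only valid in the pod-level securityContext (`spec.template.spec.securityContext`), not in a container's securityContext, so a map that carries all three keys from the preview above must be rendered at pod level as shown here.

```yaml
# values.yaml (added example; key names assumed)
flask:
  securityContext:          # keeps the current run-as-root behaviour out of the box
    runAsUser: 0
    runAsGroup: 0
    fsGroup: 0
worker:
  securityContext:
    runAsUser: 0
    runAsGroup: 0
    fsGroup: 0
postgres:
  securityContext: {}       # empty: the block below renders nothing until a user sets it,
                            # e.g. for an NFS volume owned by uid 1024 / gid 100:
                            #   runAsUser: 1024
                            #   runAsGroup: 100
                            #   fsGroup: 100
redis:
  securityContext: {}

---
# templates/postgres-deployment.yaml (excerpt, added example; path and keys assumed)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ .Release.Name }}-audiomuse-ai-postgres
spec:
  template:
    spec:
      {{- with .Values.postgres.securityContext }}
      # Go templates treat nil and an empty map as false, so an unset key or
      # "{}" skips this whole block and the rendered pod spec never contains
      # "securityContext: null". Pod-level placement is required for fsGroup.
      securityContext:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      containers:
        - name: postgres
          image: {{ .Values.postgres.image }}
```

The same guarded block, with its own values key, goes into the flask, worker and redis deployment templates; for flask and worker the defaults above mean it always renders, for postgres and redis it renders only on explicit configuration. Rendering unconditionally (`securityContext:` followed by `toYaml` of an unset value) is what produces the `securityContext: null` the review asks to avoid; the author's own `helm template ... | grep -A 4 securityContext` check from the description is a quick way to confirm the guard works both with and without values set.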

Owner

@NeptuneHub NeptuneHub left a comment


Please resolve the conflict with the main branch (I basically merged your other PR). Thanks.
