fix: inherit global security defaults (#31)

## Summary
- seed pod/container security contexts with global defaults before
applying chart-specific overrides
- keep local chart values authoritative while falling back to global kit
settings for empty maps
- document refresh occurs via existing helm-docs automation

## Testing
- bun run check
- bun run typecheck
- bun run test

## Summary by Sourcery

Seed Helm chart pod and container security contexts with new global
defaults while preserving chart-specific overrides, update default
persistence setting, and refresh chart documentation.

Enhancements:
- Introduce global.securityContexts.pod and .container in network chart
values for fallback security contexts
- Merge global and local security context settings in bootstrapper,
network-nodes, and validator templates
- Enable persistent volumes by default for the network-nodes chart

Documentation:
- Add documentation for global.securityContexts in values.yaml and
READMEs
- Refresh chart documentation via helm-docs automation

Author: roderik

charts/network/charts/network-bootstrapper/templates/_helpers.tpl

@@ -77,3 +77,15 @@ Accepts either a YAML string or a list of init container maps and indents output
 {{- end -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Resolve pod and container security contexts by layering chart values over global defaults.
+*/}}
+{{- define "network-bootstrapper.securityContexts" -}}
+{{- $root := . -}}
+{{- $globalValues := ($root.Values.global | default (dict)) -}}
+{{- $globalSecurityContexts := dig "securityContexts" $globalValues (dict) -}}
+{{- $pod := mergeOverwrite (deepCopy (dig "pod" $globalSecurityContexts (dict))) (default (dict) $root.Values.podSecurityContext) -}}
+{{- $container := mergeOverwrite (deepCopy (dig "container" $globalSecurityContexts (dict))) (default (dict) $root.Values.securityContext) -}}
+{{- dict "pod" $pod "container" $container | toYaml -}}
+{{- end -}}

charts/network/charts/network-bootstrapper/templates/job.yaml

@@ -27,10 +27,9 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       serviceAccountName: {{ include "network-bootstrapper.serviceAccountName" . }}
-      {{- $globalValues := (.Values.global | default (dict)) }}
-      {{- $globalSecurityContexts := dig "securityContexts" $globalValues (dict) }}
-      {{- $podSecurityContext := merge (deepCopy (default (dict) .Values.podSecurityContext)) (dig "pod" $globalSecurityContexts (dict)) }}
-      {{- $containerSecurityContext := merge (deepCopy (default (dict) .Values.securityContext)) (dig "container" $globalSecurityContexts (dict)) }}
+      {{- $securityContexts := include "network-bootstrapper.securityContexts" . | fromYaml }}
+      {{- $podSecurityContext := index $securityContexts "pod" }}
+      {{- $containerSecurityContext := index $securityContexts "container" }}
       {{- if $podSecurityContext }}
       securityContext:
         {{- toYaml $podSecurityContext | nindent 8 }}

charts/network/charts/network-nodes/templates/_helpers.tpl

@@ -126,3 +126,15 @@ Accepts either a YAML string or a list of init container maps and indents output
 {{- end -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Resolve pod and container security contexts using global defaults plus chart overrides.
+*/}}
+{{- define "nodes.securityContexts" -}}
+{{- $root := . -}}
+{{- $globalValues := ($root.Values.global | default (dict)) -}}
+{{- $globalSecurityContexts := dig "securityContexts" $globalValues (dict) -}}
+{{- $pod := mergeOverwrite (deepCopy (dig "pod" $globalSecurityContexts (dict))) (default (dict) $root.Values.podSecurityContext) -}}
+{{- $container := mergeOverwrite (deepCopy (dig "container" $globalSecurityContexts (dict))) (default (dict) $root.Values.securityContext) -}}
+{{- dict "pod" $pod "container" $container | toYaml -}}
+{{- end -}}

charts/network/charts/network-nodes/templates/statefulset-rpc.yaml

@@ -36,10 +36,9 @@ spec:
   {{- $initContainers := .Values.initContainers | default (dict) }}
   {{- $sharedInitContainers := get $initContainers "shared" }}
   {{- $rpcInitContainers := get $initContainers "rpc" }}
-  {{- $globalValues := (.Values.global | default (dict)) }}
-  {{- $globalSecurityContexts := dig "securityContexts" $globalValues (dict) }}
-  {{- $podSecurityContext := merge (deepCopy (default (dict) .Values.podSecurityContext)) (dig "pod" $globalSecurityContexts (dict)) }}
-  {{- $containerSecurityContext := merge (deepCopy (default (dict) .Values.securityContext)) (dig "container" $globalSecurityContexts (dict)) }}
+  {{- $securityContexts := include "nodes.securityContexts" . | fromYaml }}
+  {{- $podSecurityContext := index $securityContexts "pod" }}
+  {{- $containerSecurityContext := index $securityContexts "container" }}
   podManagementPolicy: Parallel
   replicas: {{ .Values.rpcReplicaCount }}
   serviceName: {{ include "nodes.fullname" . }}-rpc

charts/network/charts/network-nodes/templates/statefulset-validator.yaml

@@ -37,10 +37,9 @@ spec:
   {{- $initContainers := .Values.initContainers | default (dict) }}
   {{- $sharedInitContainers := get $initContainers "shared" }}
   {{- $validatorInitContainers := get $initContainers "validator" }}
-  {{- $globalValues := (.Values.global | default (dict)) }}
-  {{- $globalSecurityContexts := dig "securityContexts" $globalValues (dict) }}
-  {{- $podSecurityContext := merge (deepCopy (default (dict) .Values.podSecurityContext)) (dig "pod" $globalSecurityContexts (dict)) }}
-  {{- $containerSecurityContext := merge (deepCopy (default (dict) .Values.securityContext)) (dig "container" $globalSecurityContexts (dict)) }}
+  {{- $securityContexts := include "nodes.securityContexts" . | fromYaml }}
+  {{- $podSecurityContext := index $securityContexts "pod" }}
+  {{- $containerSecurityContext := index $securityContexts "container" }}
   podManagementPolicy: Parallel
   replicas: {{ $validatorReplicaBudget }}
   serviceName: {{ include "nodes.fullname" . }}