feat: share security contexts globally (#30)

## Summary
- add `global.securityContexts` defaults for pod/container security
context inheritance
- merge global + chart-level security contexts when rendering
bootstrapper and node workloads
- refresh chart docs to reflect the new global configuration knobs

## Testing
- bun run check
- bun run typecheck
- bun run test

Author: roderik

charts/network/README.md

@@ -21,10 +21,13 @@ A Helm chart for a blockchain network on Kubernetes
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| global | object | `{"networkNodes":{"faucetArtifactPrefix":"besu-faucet","genesisConfigMapName":"besu-genesis","podPrefix":"","serviceName":"","staticNodesConfigMapName":"besu-static-nodes"}}` | Global configuration shared across subcharts. |
+| global | object | `{"networkNodes":{"faucetArtifactPrefix":"besu-faucet","genesisConfigMapName":"besu-genesis","podPrefix":"","serviceName":"","staticNodesConfigMapName":"besu-static-nodes"},"securityContexts":{"container":{},"pod":{}}}` | Global configuration shared across subcharts. |
 | global.networkNodes | object | `{"faucetArtifactPrefix":"besu-faucet","genesisConfigMapName":"besu-genesis","podPrefix":"","serviceName":"","staticNodesConfigMapName":"besu-static-nodes"}` | Defaults consumed by Besu network node workloads. |
 | global.networkNodes.faucetArtifactPrefix | string | `"besu-faucet"` | Prefix used for faucet ConfigMaps and Secrets. |
 | global.networkNodes.genesisConfigMapName | string | `"besu-genesis"` | ConfigMap name storing the generated genesis.json artifact. |
 | global.networkNodes.podPrefix | string | `""` | StatefulSet prefix used for validator pod hostnames. |
 | global.networkNodes.serviceName | string | `""` | Kubernetes Service name fronting validator pods to align bootstrapper static-nodes output. |
 | global.networkNodes.staticNodesConfigMapName | string | `"besu-static-nodes"` | ConfigMap name storing static-nodes.json entries. |
+| global.securityContexts | object | `{"container":{},"pod":{}}` | Shared pod- and container-level security contexts applied when subcharts omit explicit overrides. |
+| global.securityContexts.container | object | `{}` | Container security context inherited by subcharts when set. |
+| global.securityContexts.pod | object | `{}` | Pod security context inherited by subcharts when set. |

charts/network/charts/network-bootstrapper/templates/job.yaml

@@ -27,19 +27,23 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       serviceAccountName: {{ include "network-bootstrapper.serviceAccountName" . }}
-      {{- with .Values.podSecurityContext }}
+      {{- $globalValues := (.Values.global | default (dict)) }}
+      {{- $globalSecurityContexts := dig "securityContexts" $globalValues (dict) }}
+      {{- $podSecurityContext := merge (deepCopy (default (dict) .Values.podSecurityContext)) (dig "pod" $globalSecurityContexts (dict)) }}
+      {{- $containerSecurityContext := merge (deepCopy (default (dict) .Values.securityContext)) (dig "container" $globalSecurityContexts (dict)) }}
+      {{- if $podSecurityContext }}
       securityContext:
-        {{- toYaml . | nindent 8 }}
+        {{- toYaml $podSecurityContext | nindent 8 }}
       {{- end }}
       {{- with .Values.initContainers }}
       initContainers:
 {{- include "network-bootstrapper.renderInitContainers" (dict "context" $ "containers" . "indent" 8) }}
       {{- end }}
       containers:
         - name: {{ .Chart.Name }}
-          {{- with .Values.securityContext }}
+          {{- if $containerSecurityContext }}
           securityContext:
-            {{- toYaml . | nindent 12 }}
+            {{- toYaml $containerSecurityContext | nindent 12 }}
           {{- end }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}

charts/network/charts/network-bootstrapper/values.yaml

@@ -41,11 +41,13 @@ podLabels: {}
 # Pod-level security context applied to all containers in the pod.
 podSecurityContext:
   {}
+  # -- Leave empty to inherit from global.securityContexts.pod.
   # fsGroup: 2000
 
 # Container security context applied to the bootstrapper container.
 securityContext:
   {}
+  # -- Leave empty to inherit from global.securityContexts.container.
   # capabilities:
   #   drop:
   #   - ALL

charts/network/charts/network-nodes/README.md

@@ -107,7 +107,7 @@ A Helm chart for Kubernetes
 | openShiftRoute.wildcardPolicy | string | `""` | Wildcard policy controlling subdomain routing (None or Subdomain). |
 | persistence.accessModes | list | `["ReadWriteOnce"]` | Requested access modes for the PersistentVolumeClaim. |
 | persistence.annotations | object | `{}` |  |
-| persistence.enabled | bool | `false` | Enable persistent volume claims for ledger data. |
+| persistence.enabled | bool | `true` | Enable persistent volume claims for ledger data. |
 | persistence.existingClaim | string | `""` | Name of an existing PersistentVolumeClaim to reuse instead of creating new PVCs. |
 | persistence.mountPath | string | `"/data"` | Container path where the persistent volume is mounted. |
 | persistence.readOnly | bool | `false` | Mount the volume read-only when true. |

charts/network/charts/network-nodes/templates/statefulset-rpc.yaml

@@ -36,6 +36,10 @@ spec:
   {{- $initContainers := .Values.initContainers | default (dict) }}
   {{- $sharedInitContainers := get $initContainers "shared" }}
   {{- $rpcInitContainers := get $initContainers "rpc" }}
+  {{- $globalValues := (.Values.global | default (dict)) }}
+  {{- $globalSecurityContexts := dig "securityContexts" $globalValues (dict) }}
+  {{- $podSecurityContext := merge (deepCopy (default (dict) .Values.podSecurityContext)) (dig "pod" $globalSecurityContexts (dict)) }}
+  {{- $containerSecurityContext := merge (deepCopy (default (dict) .Values.securityContext)) (dig "container" $globalSecurityContexts (dict)) }}
   podManagementPolicy: Parallel
   replicas: {{ .Values.rpcReplicaCount }}
   serviceName: {{ include "nodes.fullname" . }}-rpc
@@ -73,9 +77,9 @@ spec:
       {{- if $rpcPriorityClass }}
       priorityClassName: {{ $rpcPriorityClass | quote }}
       {{- end }}
-      {{- with .Values.podSecurityContext }}
+      {{- if $podSecurityContext }}
       securityContext:
-        {{- toYaml . | nindent 8 }}
+        {{- toYaml $podSecurityContext | nindent 8 }}
       {{- end }}
       {{- if or $sharedInitContainers $rpcInitContainers }}
       initContainers:
@@ -97,9 +101,9 @@ spec:
 {{- if $log4jEnv }}
 {{ $log4jEnv | nindent 12 }}
 {{- end }}
-          {{- with .Values.securityContext }}
+          {{- if $containerSecurityContext }}
           securityContext:
-            {{- toYaml . | nindent 12 }}
+            {{- toYaml $containerSecurityContext | nindent 12 }}
           {{- end }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}

charts/network/charts/network-nodes/templates/statefulset-validator.yaml

@@ -37,6 +37,10 @@ spec:
   {{- $initContainers := .Values.initContainers | default (dict) }}
   {{- $sharedInitContainers := get $initContainers "shared" }}
   {{- $validatorInitContainers := get $initContainers "validator" }}
+  {{- $globalValues := (.Values.global | default (dict)) }}
+  {{- $globalSecurityContexts := dig "securityContexts" $globalValues (dict) }}
+  {{- $podSecurityContext := merge (deepCopy (default (dict) .Values.podSecurityContext)) (dig "pod" $globalSecurityContexts (dict)) }}
+  {{- $containerSecurityContext := merge (deepCopy (default (dict) .Values.securityContext)) (dig "container" $globalSecurityContexts (dict)) }}
   podManagementPolicy: Parallel
   replicas: {{ $validatorReplicaBudget }}
   serviceName: {{ include "nodes.fullname" . }}
@@ -74,9 +78,9 @@ spec:
       {{- if $validatorPriorityClass }}
       priorityClassName: {{ $validatorPriorityClass | quote }}
       {{- end }}
-      {{- with .Values.podSecurityContext }}
+      {{- if $podSecurityContext }}
       securityContext:
-        {{- toYaml . | nindent 8 }}
+        {{- toYaml $podSecurityContext | nindent 8 }}
       {{- end }}
       {{- if or $sharedInitContainers $validatorInitContainers }}
       initContainers:
@@ -98,9 +102,9 @@ spec:
 {{- if $log4jEnv }}
 {{ $log4jEnv | nindent 12 }}
 {{- end }}
-          {{- with .Values.securityContext }}
+          {{- if $containerSecurityContext }}
           securityContext:
-            {{- toYaml . | nindent 12 }}
+            {{- toYaml $containerSecurityContext | nindent 12 }}
           {{- end }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}

charts/network/charts/network-nodes/values.yaml

@@ -169,11 +169,13 @@ priorityClassNames:
 # Pod-level security context shared by all containers.
 podSecurityContext:
   {}
+  # -- Leave empty to inherit from global.securityContexts.pod.
   # fsGroup: 2000
 
 # Container-level security context applied to Besu containers.
 securityContext:
   {}
+  # -- Leave empty to inherit from global.securityContexts.container.
   # capabilities:
   #   drop:
   #   - ALL

charts/network/values.yaml

@@ -14,3 +14,9 @@ global:
     staticNodesConfigMapName: besu-static-nodes
     # -- (string) Prefix used for faucet ConfigMaps and Secrets.
     faucetArtifactPrefix: besu-faucet
+  # -- (object) Shared pod- and container-level security contexts applied when subcharts omit explicit overrides.
+  securityContexts:
+    # -- (object) Pod security context inherited by subcharts when set.
+    pod: {}
+    # -- (object) Container security context inherited by subcharts when set.
+    container: {}