Create global container and pod security context configs

charts/sourcegraph-executor/dind/README.md

@@ -52,23 +52,30 @@ In addition to the documented values, the `executor` and `private-docker-registr
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
+| dind.containerSecurityContext | object | `{}` | Override container security context for the dind container |
+| dind.defaultContainerSecurityContext | object | `{"privileged":true}` | Default container security context for the dind container |
 | dind.image.registry | string | `"index.docker.io"` |  |
 | dind.image.repository | string | `"docker"` |  |
 | dind.image.tag | string | `"20.10.22-dind"` |  |
+| executor.containerSecurityContext | object | `{}` | Override container security context for the executor container |
+| executor.defaultContainerSecurityContext | object | `{}` | Default container security context for the executor container |
+| executor.defaultPodSecurityContext | object | `{}` | Default pod security context for the executor pod |
 | executor.enabled | bool | `true` |  |
 | executor.env.EXECUTOR_FRONTEND_PASSWORD | object | `{"value":""}` | The shared secret configured in the Sourcegraph instance site config under executors.accessToken. Required. |
 | executor.env.EXECUTOR_FRONTEND_URL | object | `{"value":""}` | The external URL of the Sourcegraph instance. Required. |
 | executor.env.EXECUTOR_QUEUE_NAME | object | `{"value":""}` | The name of the queue to pull jobs from to. Possible values: batches and codeintel. **Either this or EXECUTOR_QUEUE_NAMES is required.** |
 | executor.env.EXECUTOR_QUEUE_NAMES | object | `{"value":""}` | The comma-separated list of names of multiple queues to pull jobs from to. Possible values: batches and codeintel. **Either this or EXECUTOR_QUEUE_NAME is required.** |
 | executor.image.defaultTag | string | `"6.0.0@sha256:0be94a7c91f8273db10fdf46718c6596340ab2acc570e7b85353806e67a27508"` |  |
 | executor.image.name | string | `"executor"` |  |
+| executor.podSecurityContext | object | `{}` | Override pod security context for the executor pod |
 | executor.replicaCount | int | `1` |  |
 | privateDockerRegistry.enabled | bool | `true` | Whether to deploy the private registry. Only one registry is needed when deploying multiple executors. More information: https://docs.sourcegraph.com/admin/executors/deploy_executors#using-private-registries |
 | privateDockerRegistry.image.registry | string | `"index.docker.io"` |  |
 | privateDockerRegistry.image.repository | string | `"docker/regisry"` |  |
 | privateDockerRegistry.image.tag | int | `2` |  |
 | privateDockerRegistry.storageSize | string | `"10Gi"` |  |
 | sourcegraph.affinity | object | `{}` | Affinity, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) |
+| sourcegraph.containerSecurityContext | object | `{}` | Global container security context override applied to all containers. Merges with component defaults; component-specific overrides take precedence. |
 | sourcegraph.image.defaultTag | string | `"{{ .Chart.AppVersion }}"` | Global docker image tag |
 | sourcegraph.image.pullPolicy | string | `"IfNotPresent"` | Global docker image pull policy |
 | sourcegraph.image.repository | string | `"index.docker.io/sourcegraph"` | Global docker image registry or prefix |
@@ -79,6 +86,7 @@ In addition to the documented values, the `executor` and `private-docker-registr
 | sourcegraph.nodeSelector | object | `{}` | NodeSelector, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) |
 | sourcegraph.podAnnotations | object | `{}` | Add extra annotations to attach to all pods |
 | sourcegraph.podLabels | object | `{}` | Add extra labels to attach to all pods |
+| sourcegraph.podSecurityContext | object | `{}` | Global pod security context override applied to all pods. Merges with component defaults; component-specific overrides take precedence. |
 | sourcegraph.priorityClassName | string | `""` | Assign a priorityClass to all pods (daemonSets, deployments, and statefulSets) |
 | sourcegraph.tolerations | list | `[]` | Tolerations, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |
 | storageClass.allowedTopologies | object | `{}` | Persistent volumes topology configuration, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/storage/storage-classes/#allowed-topologies) |

charts/sourcegraph-executor/dind/templates/_helpers/_securityContext.tpl

@@ -0,0 +1,85 @@
+{{/*
+
+Security context helpers for container and pod security contexts.
+
+These helpers implement a 3-tier merge precedence:
+1. Component default (e.g., .Values.executor.defaultContainerSecurityContext)
+2. Global override (e.g., .Values.sourcegraph.containerSecurityContext)
+3. Component override (e.g., .Values.executor.containerSecurityContext)
+
+Later values override earlier ones, allowing customers to:
+- Set global security context settings that apply to all components
+- Override specific components as needed
+- Retain Sourcegraph's secure defaults when no overrides are specified
+
+*/}}
+
+{{/*
+Container security context with 3-tier merge.
+Outputs "securityContext:" key with merged values, or nothing if empty.
+The output includes a leading newline for proper YAML formatting.
+
+Usage:
+  {{- include "sourcegraph.containerSecurityContext" (list . "executor" 8) }}
+
+Parameters:
+  - $ (root context)
+  - component path segments (one or more strings)
+  - indent level (integer) as the last parameter
+*/}}
+{{- define "sourcegraph.containerSecurityContext" -}}
+{{- $root := index . 0 -}}
+{{- $indent := index . (sub (len .) 1) | int -}}
+{{- $path := slice . 1 (sub (len .) 1) -}}
+{{- $default := $root.Values -}}
+{{- range $path -}}
+{{- $default = index $default . | default dict -}}
+{{- end -}}
+{{- $default = $default.defaultContainerSecurityContext | default dict -}}
+{{- $global := $root.Values.sourcegraph.containerSecurityContext | default dict -}}
+{{- $override := $root.Values -}}
+{{- range $path -}}
+{{- $override = index $override . | default dict -}}
+{{- end -}}
+{{- $override = $override.containerSecurityContext | default dict -}}
+{{- $merged := mustMergeOverwrite (deepCopy $default) $global $override -}}
+{{- if $merged | keys | len | ne 0 }}
+{{ "securityContext:" | indent $indent }}
+{{ toYaml $merged | indent (add $indent 2 | int) -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Pod security context with 3-tier merge.
+Outputs "securityContext:" key with merged values, or nothing if empty.
+The output includes a leading newline for proper YAML formatting.
+
+Usage:
+  {{- include "sourcegraph.podSecurityContext" (list . "executor" 6) }}
+
+Parameters:
+  - $ (root context)
+  - component path segments (one or more strings)
+  - indent level (integer) as the last parameter
+*/}}
+{{- define "sourcegraph.podSecurityContext" -}}
+{{- $root := index . 0 -}}
+{{- $indent := index . (sub (len .) 1) | int -}}
+{{- $path := slice . 1 (sub (len .) 1) -}}
+{{- $default := $root.Values -}}
+{{- range $path -}}
+{{- $default = index $default . | default dict -}}
+{{- end -}}
+{{- $default = $default.defaultPodSecurityContext | default dict -}}
+{{- $global := $root.Values.sourcegraph.podSecurityContext | default dict -}}
+{{- $override := $root.Values -}}
+{{- range $path -}}
+{{- $override = index $override . | default dict -}}
+{{- end -}}
+{{- $override = $override.podSecurityContext | default dict -}}
+{{- $merged := mustMergeOverwrite (deepCopy $default) $global $override -}}
+{{- if $merged | keys | len | ne 0 }}
+{{ "securityContext:" | indent $indent }}
+{{ toYaml $merged | indent (add $indent 2 | int) -}}
+{{- end -}}
+{{- end -}}

charts/sourcegraph-executor/dind/templates/executor/executor.Deployment.yaml

@@ -2,6 +2,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
+  name: {{ include "executor.name" . }}
   annotations:
     description: Runs sourcegraph executors
     kubectl.kubernetes.io/default-container: executor
@@ -44,10 +45,12 @@ spec:
       {{- end }}
         {{- include "executor.labels" . | nindent 8 }}
     spec:
+      {{- include "sourcegraph.podSecurityContext" (list . "executor" 6) }}
       containers:
         - name: executor
           image: {{ include "sourcegraph.image" (list . "executor") }}
           imagePullPolicy: {{ .Values.sourcegraph.image.pullPolicy }}
+          {{- include "sourcegraph.containerSecurityContext" (list . "executor" 10) }}
           livenessProbe:
             httpGet:
               path: /healthz
@@ -87,8 +90,7 @@ spec:
         - name: dind
           image: "{{ .Values.dind.image.registry}}/{{ .Values.dind.image.repository}}:{{ .Values.dind.image.tag}}"
           imagePullPolicy: {{ .Values.sourcegraph.image.pullPolicy }}
-          securityContext:
-            privileged: true
+          {{- include "sourcegraph.containerSecurityContext" (list . "dind" 10) }}
           command:
             - 'dockerd'
             - '--tls=false'

charts/sourcegraph-executor/dind/templates/executor/executor.Service.yaml

@@ -13,7 +13,7 @@ metadata:
     {{- if .Values.executor.serviceLabels }}
     {{- toYaml .Values.executor.serviceLabels | nindent 4 }}
     {{- end }}
-  name: executor
+  name: {{ include "executor.name" . }}
 spec:
   ports:
     - name: http-debug

charts/sourcegraph-executor/dind/tests/executor_test.yaml

@@ -8,16 +8,19 @@ tests:
     set:
       executor:
         enabled: true
+        env:
+          EXECUTOR_QUEUE_NAME:
+            value: "test"
     asserts:
       - containsDocument:
           kind: Deployment
           apiVersion: apps/v1
-          name: executor
+          name: executor-test
         template: executor/executor.Deployment.yaml
       - containsDocument:
           kind: Service
           apiVersion: v1
-          name: executor
+          name: executor-test
         template: executor/executor.Service.yaml
 
   - it: should not render any resources if executor is disabled

charts/sourcegraph-executor/dind/tests/privateDockerRegistry_test.yaml

@@ -1,8 +1,8 @@
 suite: privateDockerRegistry
 templates:
-  - private-docker-registry.Deployment.yaml
-  - private-docker-registry.PersistentVolumeClaim.yaml
-  - private-docker-registry.Service.yaml
+  - private-docker-registry/private-docker-registry.Deployment.yaml
+  - private-docker-registry/private-docker-registry.PersistentVolumeClaim.yaml
+  - private-docker-registry/private-docker-registry.Service.yaml
 tests:
   - it: should render the Deployment, Service and PVC if registry is enabled
     set:
@@ -13,17 +13,17 @@ tests:
           kind: Deployment
           apiVersion: apps/v1
           name: private-docker-registry
-        template:  private-docker-registry.Deployment.yaml
+        template: private-docker-registry/private-docker-registry.Deployment.yaml
       - containsDocument:
           kind: Service
           apiVersion: v1
           name: private-docker-registry
-        template: private-docker-registry.Service.yaml
+        template: private-docker-registry/private-docker-registry.Service.yaml
       - containsDocument:
           kind: PersistentVolumeClaim
           apiVersion: v1
           name: private-docker-registry
-        template: private-docker-registry.PersistentVolumeClaim.yaml
+        template: private-docker-registry/private-docker-registry.PersistentVolumeClaim.yaml
 
   - it: should not render any resources if registry is disabled
     set:
@@ -33,6 +33,6 @@ tests:
       - hasDocuments:
           count: 0
     templates:
-      - private-docker-registry.Deployment.yaml
-      - private-docker-registry.PersistentVolumeClaim.yaml
-      - private-docker-registry.Service.yaml
+      - private-docker-registry/private-docker-registry.Deployment.yaml
+      - private-docker-registry/private-docker-registry.PersistentVolumeClaim.yaml
+      - private-docker-registry/private-docker-registry.Service.yaml

charts/sourcegraph-executor/dind/values.yaml

@@ -32,6 +32,12 @@ sourcegraph:
   podLabels: {}
   # -- Assign a priorityClass to all pods (daemonSets, deployments, and statefulSets)
   priorityClassName: ""
+  # -- Global container security context override applied to all containers.
+  # Merges with component defaults; component-specific overrides take precedence.
+  containerSecurityContext: {}
+  # -- Global pod security context override applied to all pods.
+  # Merges with component defaults; component-specific overrides take precedence.
+  podSecurityContext: {}
 
 
 storageClass:
@@ -60,6 +66,14 @@ executor:
     defaultTag: 6.0.0@sha256:0be94a7c91f8273db10fdf46718c6596340ab2acc570e7b85353806e67a27508
     name: "executor"
   replicaCount: 1
+  # -- Default container security context for the executor container
+  defaultContainerSecurityContext: {}
+  # -- Override container security context for the executor container
+  containerSecurityContext: {}
+  # -- Default pod security context for the executor pod
+  defaultPodSecurityContext: {}
+  # -- Override pod security context for the executor pod
+  podSecurityContext: {}
   env:
     # -- The external URL of the Sourcegraph instance. Required.
     EXECUTOR_FRONTEND_URL:
@@ -79,6 +93,11 @@ dind:
     registry: index.docker.io
     repository: docker
     tag: 20.10.22-dind
+  # -- Default container security context for the dind container
+  defaultContainerSecurityContext:
+    privileged: true
+  # -- Override container security context for the dind container
+  containerSecurityContext: {}
 
 privateDockerRegistry:
   # -- Whether to deploy the private registry. Only one registry is needed when deploying multiple executors.

charts/sourcegraph-executor/k8s/README.md

@@ -54,9 +54,13 @@ In addition to the documented values, the `executor` and `private-docker-registr
 |-----|------|---------|-------------|
 | executor.affinity | object | `{}` | Affinity, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) |
 | executor.configureRbac | bool | `true` | Whether to configure the necessary RBAC resources. Required only once for all executor deployments. |
+| executor.containerSecurityContext | object | `{}` | Override container security context for the executor container. learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) |
 | executor.debug.keepJobs | string | `"false"` | If true, Kubernetes jobs will not be deleted after they complete. Not recommended for production use as it can hit cluster limits. |
 | executor.debug.keepWorkspaces | string | `"false"` |  |
+| executor.defaultContainerSecurityContext | object | `{"privileged":false}` | Default container security context for the executor container |
+| executor.defaultPodSecurityContext | object | `{}` | Default pod security context for the executor pod |
 | executor.dockerAddHostGateway | string | `"false"` | For local deployments the host is 'host.docker.internal' and this needs to be true |
+| executor.enabled | bool | `true` | Whether to deploy the executor |
 | executor.extraEnv | string | `nil` | Sets extra environment variables on the executor deployment. See `values.yaml` for the format. |
 | executor.frontendExistingSecret | string | `""` | Name of existing k8s Secret to use for frontend password The name of the secret must match `executor.name`, i.e., the name of the helm release used to deploy the helm chart. The k8s Secret must contain the key `EXECUTOR_FRONTEND_PASSWORD` matching the site config `executors.accessToken` value. `executor.frontendPassword` is ignored if this is enabled. |
 | executor.frontendPassword | string | `""` | The shared secret configured in the Sourcegraph instance site config under executors.accessToken. Required if `executor.frontendExistingSecret`` is not configured. |
@@ -86,17 +90,19 @@ In addition to the documented values, the `executor` and `private-docker-registr
 | executor.maximumRuntimePerJob | string | `"30m"` |  |
 | executor.namespace | string | `"default"` | The namespace in which jobs are generated by the executor. |
 | executor.nodeSelector | object | `{}` | NodeSelector, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) |
+| executor.podSecurityContext | object | `{}` | Override pod security context for the executor pod |
 | executor.queueName | string | `""` | The name of the queue to pull jobs from to. Possible values: batches and codeintel. **Either this or queueNames is required.** |
 | executor.queueNames | list | `[]` | The names of multiple queues to pull jobs from to. Possible values: batches and codeintel. **Either this or queueName is required.** |
 | executor.replicas | int | `1` |  |
 | executor.resources.limits.cpu | string | `"1"` |  |
 | executor.resources.limits.memory | string | `"1Gi"` |  |
 | executor.resources.requests.cpu | string | `"500m"` |  |
 | executor.resources.requests.memory | string | `"200Mi"` |  |
-| executor.securityContext | object | `{"fsGroup":null,"privileged":false,"runAsGroup":null,"runAsUser":null}` | The containerSecurityContext for the executor image |
+| executor.securityContext | object | `{}` | (DEPRECATED) Legacy override for container security context. Use containerSecurityContext instead. Kept for backwards compatibility; containerSecurityContext takes precedence if both are set. |
 | executor.storageSize | string | `"10Gi"` | The storage size of the PVC attached to the executor deployment. |
 | executor.tolerations | list | `[]` | Tolerations, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |
 | sourcegraph.affinity | object | `{}` | Affinity, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) |
+| sourcegraph.containerSecurityContext | object | `{}` | Global container security context override applied to all containers. Merges with component defaults; component-specific overrides take precedence. |
 | sourcegraph.image.defaultTag | string | `"{{ .Chart.AppVersion }}"` | Global docker image tag |
 | sourcegraph.image.pullPolicy | string | `"IfNotPresent"` | Global docker image pull policy |
 | sourcegraph.image.repository | string | `"index.docker.io/sourcegraph"` | Global docker image registry or prefix |
@@ -108,6 +114,7 @@ In addition to the documented values, the `executor` and `private-docker-registr
 | sourcegraph.nodeSelector | object | `{}` | NodeSelector, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) |
 | sourcegraph.podAnnotations | object | `{}` | Add extra annotations to attach to all pods |
 | sourcegraph.podLabels | object | `{}` | Add extra labels to attach to all pods |
+| sourcegraph.podSecurityContext | object | `{}` | Global pod security context override applied to all pods. Merges with component defaults; component-specific overrides take precedence. |
 | sourcegraph.priorityClassName | string | `""` | Assign a priorityClass to all pods (daemonSets, deployments, and statefulSets) |
 | sourcegraph.tolerations | list | `[]` | Tolerations, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |
 | storageClass.allowedTopologies | object | `{}` | Persistent volumes topology configuration, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/storage/storage-classes/#allowed-topologies) |