From db34d33fe4c7b841bd915c7f1a5d96ea5bb2777a Mon Sep 17 00:00:00 2001
From: bryopsida <8363252+bryopsida@users.noreply.github.com>
Date: Fri, 14 Feb 2025 07:43:20 -0600
Subject: [PATCH] feat: add ability to set pod level security context
Signed-off-by: bryopsida <8363252+bryopsida@users.noreply.github.com>
---
 deploy/charts/trust-manager/templates/deployment.yaml | 3 +++
 deploy/charts/trust-manager/values.schema.json | 8 ++++++++
 deploy/charts/trust-manager/values.yaml | 7 +++++++
 3 files changed, 18 insertions(+)
diff --git a/deploy/charts/trust-manager/templates/deployment.yaml b/deploy/charts/trust-manager/templates/deployment.yaml
index 12964f54..2bf40def 100644
--- a/deploy/charts/trust-manager/templates/deployment.yaml
+++ b/deploy/charts/trust-manager/templates/deployment.yaml
@@ -33,6 +33,9 @@ spec:
 {{- if hasKey .Values "automountServiceAccountToken" }}
 automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
 {{- end }}
+ {{- if .Values.app.podSecurityContext }}
+ securityContext: {{ toYaml .Values.app.podSecurityContext | nindent 8 }}
+ {{- end }}
 {{- if .Values.defaultPackage.enabled }}
 initContainers:
 - name: cert-manager-package-debian
diff --git a/deploy/charts/trust-manager/values.schema.json b/deploy/charts/trust-manager/values.schema.json
index e58eba3c..20ce191b 100644
--- a/deploy/charts/trust-manager/values.schema.json
+++ b/deploy/charts/trust-manager/values.schema.json
@@ -101,6 +101,9 @@
 "podAnnotations": {
 "$ref": "#/$defs/helm-values.app.podAnnotations"
 },
+ "podSecurityContext": {
+ "$ref": "#/$defs/helm-values.app.podSecurityContext"
+ },
 "podLabels": {
 "$ref": "#/$defs/helm-values.app.podLabels"
 },
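Review bot: The `securityContext` added in the deployment.yaml hunk is set at pod level, so every field in `app.podSecurityContext` also applies to the `cert-manager-package-debian` init container that follows it, not only to the trust-manager container, and nothing in this patch tells the user so. A setting such as `runAsNonRoot: true` or a fixed `runAsUser` therefore has to be compatible with the default-package image as well, which cannot be checked from the hunk. I would add a line to the values.yaml comment along the lines of `# Applies to every container in the pod, including the default package init container; container-level securityContext fields take precedence.` As a smaller point of style, `{{- with .Values.app.podSecurityContext }}` followed by `securityContext: {{- toYaml . | nindent 8 }}` avoids repeating the value path and the trailing space after the key. The pod spec this block belongs to starts and ends outside the hunk.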
@@ -269,6 +272,11 @@ "description": "Pod annotations to add to trust-manager pods.", "type": "object" }, + "helm-values.app.podSecurityContext": { + "default": null, + "description": "Pod level security context to add to trust-manager pods.", + "type": "object" + }, "helm-values.app.podLabels": { "default": {}, "description": "Pod labels to add to trust-manager pods.", diff --git a/deploy/charts/trust-manager/values.yaml b/deploy/charts/trust-manager/values.yaml index 338cf24c..79238900 100644 --- a/deploy/charts/trust-manager/values.yaml +++ b/deploy/charts/trust-manager/values.yaml @@ -237,6 +237,13 @@ app: # Pod annotations to add to trust-manager pods. podAnnotations: {} + + # Kubernetes pod level securityContext: see https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + # for example: + # podSecurityContext: + # seccompProfile: + # type: RuntimeDefault + # podSecurityContext: {} # +docs:section=Webhook
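Review bot: In the new `helm-values.app.podSecurityContext` definition, `"default": null` does not satisfy the `"type": "object"` declared two lines below it, while the neighbouring `helm-values.app.podLabels` entry uses `"default": {}`. If a null value for this key ever reaches schema validation (for example through a parent chart's values) it would presumably be rejected as a type error, although that path is not visible here. Declaring `"default": {},` and shipping an uncommented `podSecurityContext: {}` in values.yaml keeps the two files consistent, and the template's `if` still renders nothing because an empty map is falsy. The schema accepts any object, so field names are only checked by the API server at install time.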
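Review bot: The comment block added in the values.yaml hunk documents the key only with a link and one example, and its wording differs from the schema description added in the same patch ("Pod level security context to add to trust-manager pods."); if values.schema.json is generated from these comments, the two will drift on the next regeneration. The key itself appears to be left commented out (the collapsed text reads `# podSecurityContext: {}`), so an install that does not set it gets no pod-level context at all and any hardening is opt-in. I would open the comment with the schema's sentence and add `# Unset by default; no pod-level securityContext is rendered unless this is set.` so that operators reviewing the chart against a pod security baseline know what the default is. Whether the containers already set `seccompProfile` or `runAsNonRoot` themselves is outside this hunk.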