Merge pull request #186 from minijus/podSecurityContext

pmariglia · web-flow · commit b5f642674a06 · 2026-03-13T10:05:55.000-04:00
feat: add configurable pod security context for nx-cloud chart resources
diff --git a/charts/nx-cloud/Chart.yaml b/charts/nx-cloud/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: nx-cloud
 description: Nx Cloud Helm Chart
 type: application
-version: 1.2.1
+version: 1.2.2
 maintainers:
   - name: nx
     url: "https://nx.app/"
diff --git a/charts/nx-cloud/README.md b/charts/nx-cloud/README.md
@@ -73,7 +73,8 @@ Below is a summary table of configurable values from values.yaml.
 | fileServer.deployment.strategy.rollingUpdate.maxUnavailable | int    | 1                                           | Max unavailable during rolling update.                                    |
 | fileServer.deployment.strategy.rollingUpdate.maxSurge       | int    | 0                                           | Max surge during rolling update.                                          |
 | fileServer.deployment.envFrom                               | list   | []                                          | envFrom sources for file server.                                          |
-| fileServer.deployment.securityContext                       | object | {}                                          | Pod securityContext for file server.                                      |
+| fileServer.deployment.securityContext                       | object | {}                                          | Pod container securityContext for file server.                            |
+| fileServer.deployment.podSecurityContext                  | object | {}                                          | Pod securityContext for file server.                                      |
 | fileServer.deployment.affinity                              | object | {}                                          | Affinity rules for file server.                                           |
 | fileServer.deployment.tolerations                           | list   | []                                          | Tolerations for file server.                                              |
 | fileServer.deployment.nodeSelector                          | object | {}                                          | Node selector for file server.                                            |
@@ -111,7 +112,8 @@ Below is a summary table of configurable values from values.yaml.
 | aggregator.cronjob.env                                      | object | {}                                          | Environment variables for aggregator.                                     |
 | aggregator.cronjob.envValueFrom                             | object | {}                                          | env valueFrom references for aggregator.                                  |
 | aggregator.cronjob.envFrom                                  | list   | []                                          | envFrom sources for aggregator.                                           |
-| aggregator.cronjob.securityContext                          | object | {}                                          | Pod securityContext for aggregator.                                       |
+| aggregator.cronjob.securityContext                          | object | {}                                          | Pod container securityContext for aggregator.                             |
+| aggregator.cronjob.podSecurityContext                       | object | {}                                          | Pod securityContext for aggregator.                                       |
 | aggregator.cronjob.affinity                                 | object | {}                                          | Affinity rules for aggregator.                                            |
 | aggregator.cronjob.tolerations                              | list   | []                                          | Tolerations for aggregator.                                               |
 | aggregator.cronjob.nodeSelector                             | object | {}                                          | Node selector for aggregator.                                             |
@@ -149,7 +151,8 @@ Below is a summary table of configurable values from values.yaml.
 | frontend.deployment.strategy.rollingUpdate.maxUnavailable   | int    | 0                                           | Max unavailable during rolling update.                                    |
 | frontend.deployment.strategy.rollingUpdate.maxSurge         | int    | 1                                           | Max surge during rolling update.                                          |
 | frontend.deployment.envFrom                                 | list   | []                                          | envFrom sources for frontend.                                             |
-| frontend.deployment.securityContext                         | object | {}                                          | Pod securityContext for frontend.                                         |
+| frontend.deployment.securityContext                         | object | {}                                          | Pod container securityContext for frontend.                               |
+| frontend.deployment.podSecurityContext                      | object | {}                                          | Pod securityContext for frontend.                                         |
 | frontend.deployment.affinity                                | object | {}                                          | Affinity rules for frontend.                                              |
 | frontend.deployment.tolerations                             | list   | []                                          | Tolerations for frontend.                                                 |
 | frontend.deployment.nodeSelector                            | object | {}                                          | Node selector for frontend.                                               |
@@ -209,7 +212,8 @@ Below is a summary table of configurable values from values.yaml.
 | api.deployment.strategy.rollingUpdate.maxUnavailable        | int    | 0                                           | Max unavailable during rolling update.                                    |
 | api.deployment.strategy.rollingUpdate.maxSurge              | int    | 1                                           | Max surge during rolling update.                                          |
 | api.deployment.envFrom                                      | list   | []                                          | envFrom sources for API.                                                  |
-| api.deployment.securityContext                              | object | {}                                          | Pod securityContext for API.                                              |
+| api.deployment.securityContext                              | object | {}                                          | Pod container securityContext for API.                                    |
+| api.deployment.podSecurityContext                           | object | {}                                          | Pod securityContext for API.                                              |
 | api.deployment.affinity                                     | object | {}                                          | Affinity rules for API.                                                   |
 | api.deployment.tolerations                                  | list   | []                                          | Tolerations for API.                                                      |
 | api.deployment.nodeSelector                                 | object | {}                                          | Node selector for API.                                                    |
diff --git a/charts/nx-cloud/templates/aggregator/cronjob.yaml b/charts/nx-cloud/templates/aggregator/cronjob.yaml
@@ -29,6 +29,10 @@ spec:
           {{- if .Values.aggregator.serviceAccount.create }}
           serviceAccountName: {{ .Values.aggregator.serviceAccount.name }}
           {{- end }}
+          {{- with .Values.aggregator.cronjob.podSecurityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           {{- with .Values.aggregator.cronjob.nodeSelector }}
           nodeSelector:
             {{- toYaml . | nindent 12 }}
diff --git a/charts/nx-cloud/templates/api/deployment.yaml b/charts/nx-cloud/templates/api/deployment.yaml
@@ -35,6 +35,10 @@ spec:
       {{- if .Values.api.serviceAccount.create }}
       serviceAccountName: {{ .Values.api.serviceAccount.name }}
       {{- end }}
+      {{- with .Values.api.deployment.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       {{- if or .Values.config.agentConfigs .Values.api.deployment.volumes }}
       volumes:
         {{- if .Values.config.agentConfigs }}
diff --git a/charts/nx-cloud/templates/file-server/deployment.yaml b/charts/nx-cloud/templates/file-server/deployment.yaml
@@ -35,8 +35,9 @@ spec:
       {{- if .Values.fileServer.serviceAccount.create }}
       serviceAccountName: {{ .Values.fileServer.serviceAccount.name }}
       {{- end }}
-      {{- if .Values.fileServer.deployment.securityContext }}
-      securityContext: {{- toYaml .Values.fileServer.deployment.securityContext | nindent 8 }}
+      {{- with .Values.fileServer.deployment.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
       {{- end }}
       {{- with .Values.fileServer.deployment.nodeSelector }}
       nodeSelector:
diff --git a/charts/nx-cloud/templates/frontend/deployment.yaml b/charts/nx-cloud/templates/frontend/deployment.yaml
@@ -38,6 +38,10 @@ spec:
       {{- if .Values.frontend.serviceAccount.create }}
       serviceAccountName: {{ .Values.frontend.serviceAccount.name }}
       {{- end }}
+      {{- with .Values.frontend.deployment.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       {{- if or .Values.config.agentConfigs .Values.frontend.deployment.volumes }}
       volumes:
         {{- if .Values.config.agentConfigs }}
diff --git a/charts/nx-cloud/values.schema.json b/charts/nx-cloud/values.schema.json
@@ -268,6 +268,9 @@
             "securityContext": {
               "type": "object"
             },
+            "podSecurityContext": {
+              "type": "object"
+            },
             "affinity": {
               "type": "object"
             },
@@ -727,6 +730,9 @@
         "securityContext": {
           "type": "object"
         },
+        "podSecurityContext": {
+          "type": "object"
+        },
         "affinity": {
           "type": "object"
         },
diff --git a/charts/nx-cloud/values.yaml b/charts/nx-cloud/values.yaml
@@ -69,6 +69,7 @@ fileServer:
     envFrom: []
 
     securityContext: {}
+    podSecurityContext: {}
 
     affinity: {}
     tolerations: []
@@ -140,6 +141,7 @@ aggregator:
     envFrom: []
 
     securityContext: {}
+    podSecurityContext: {}
 
     affinity: {}
     tolerations: []
@@ -205,6 +207,7 @@ frontend:
     envFrom: []
 
     securityContext: {}
+    podSecurityContext: {}
 
     affinity: {}
     tolerations: []
@@ -309,6 +312,7 @@ api:
     envFrom: []
 
     securityContext: {}
+    podSecurityContext: {}
 
     affinity: {}
     tolerations: []
