Merge branch 'v2' into feat-resources-limits

helm/flowforge/README.md

@@ -44,6 +44,8 @@ If using an external PostgreSQL Database you will need to create the database an
  - `forge.projectDeploymentTolerations` tolerations settings for Project instances. Default is `[]`.
  - `forge.clusterRole.name` custom name for the ClusterRole (default `create-pod`)
  - `forge.resources` allows to configure [resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the core application container
+ - `forge.podSecurityContext` allows to configure [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for the core application pod
+
 
 note: `forge.projectSelector` and `forge.managementSelector` defaults mean that you must have at least 2 nodes in your cluster and they need to be labeled before installing.
 
@@ -77,6 +79,7 @@ To use STMP to send email
   - `forge.broker.public_url` URL to access the broker from outside the cluster (default `ws://mqtt.[forge.domain]`, uses `wss://` if `forge.https` is `true`)
   - `forge.broker.affinity` allows to configure [affinity or anti-affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) for the broker pod
   - `forge.broker.resources` allows to configure [resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the broker container
+  - `forge.broker.podSecurityContext` allows to configure [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for the broker pod
 
 ### Telemetry
 
@@ -125,6 +128,7 @@ Enables FlowForge Telemetry
 - `forge.fileStore.context.options` Options to pass to Persistent Context Driver (See [file-server](https://github.com/flowforge/flowforge-file-server) for details)
 - `forge.fileStore.context.quota` Sets the maximum number of bytes that a project can store in Persistent Context (default `1048576`)
 - `forge.fileStore.resources` allows to configure [resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the file-server container
+- `forge.fileStore.podSecurityContext` allows to configure [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for the flowforge-file pod
 
 ### Private Certificate Authority
 

helm/flowforge/templates/broker.yaml

@@ -60,9 +60,7 @@ spec:
         app: flowforge-broker
     spec:
       securityContext:
-        runAsUser: 1000
-        runAsGroup: 1000
-        fsGroup: 1000
+        {{- toYaml .Values.forge.broker.podSecurityContext | nindent 8 }}
       containers:
       - name: broker
         image: iegomez/mosquitto-go-auth

helm/flowforge/templates/deployment.yaml

@@ -22,9 +22,7 @@ spec:
     spec:
       serviceAccountName: flowforge
       securityContext:
-        runAsUser: 1000
-        runAsGroup: 1000
-        fsGroup: 1000
+        {{- toYaml .Values.forge.podSecurityContext | nindent 8 }}
       containers:
       - name: forge
         {{- if .Values.forge.image }}

helm/flowforge/templates/file-storage.yml

@@ -61,9 +61,7 @@ spec:
         app: flowforge-file
     spec:
       securityContext:
-        runAsUser: 1000
-        runAsGroup: 1000
-        fsGroup: 1000
+        {{- toYaml .Values.forge.fileStore.podSecurityContext | nindent 8 }}
       containers:
       - name: file-storage
         image: {{ .Values.forge.registry }}{{- if .Values.forge.registry -}}/{{- end -}}flowforge/file-server:{{ .Chart.AppVersion }}

helm/flowforge/values.schema.json

@@ -241,6 +241,26 @@
                                         },
                                         "memory": {
                                             "type": ["number","string"]
+                        "podSecurityContext": {
+                            "type": "object",
+                            "properties": {
+                                "runAsUser": {
+                                    "type": "integer"
+                                },
+                                "runAsGroup": {
+                                    "type": "integer"
+                                },
+                                "fsGroup": {
+                                    "type": "integer"
+                                },
+                                "seccompProfile": {
+                                    "type": "object",
+                                    "properties": {
+                                        "type": {
+                                            "type": "string"
+                                        },
+                                        "localhostProfile": {
+                                            "type": "string"
                                         }
                                     }
                                 }
@@ -343,6 +363,26 @@
                                         },
                                         "memory": {
                                             "type": ["number","string"]
+                        "podSecurityContext": {
+                            "type": "object",
+                            "properties": {
+                                "runAsUser": {
+                                    "type": "integer"
+                                },
+                                "runAsGroup": {
+                                    "type": "integer"
+                                },
+                                "fsGroup": {
+                                    "type": "integer"
+                                },
+                                "seccompProfile": {
+                                    "type": "object",
+                                    "properties": {
+                                        "type": {
+                                            "type": "string"
+                                        },
+                                        "localhostProfile": {
+                                            "type": "string"
                                         }
                                     }
                                 }
@@ -460,6 +500,26 @@
                                 },
                                 "memory": {
                                     "type": ["number","string"]
+                "podSecurityContext": {
+                    "type": "object",
+                    "properties": {
+                        "runAsUser": {
+                            "type": "integer"
+                        },
+                        "runAsGroup": {
+                            "type": "integer"
+                        },
+                        "fsGroup": {
+                            "type": "integer"
+                        },
+                        "seccompProfile": {
+                            "type": "object",
+                            "properties": {
+                                "type": {
+                                    "type": "string"
+                                },
+                                "localhostProfile": {
+                                    "type": "string"
                                 }
                             }
                         }

helm/flowforge/values.yaml

@@ -21,6 +21,12 @@ forge:
         enabled: false
   broker:
     enabled: false
+    podSecurityContext:
+      runAsUser: 1000
+      runAsGroup: 1000
+      fsGroup: 1000
+      seccompProfile:
+        type: RuntimeDefault
   fileStore:
     enabled: false
     type: localfs
@@ -36,6 +42,12 @@ forge:
         username: forge
         password: Zai1Wied
         database: ff-context
+    podSecurityContext:
+      runAsUser: 1000
+      runAsGroup: 1000
+      fsGroup: 1000
+      seccompProfile:
+        type: RuntimeDefault
   support:
     enabled: false
 
@@ -55,6 +67,13 @@ forge:
     enabled: false
     reportOnly: false
 
+  podSecurityContext:
+    runAsUser: 1000
+    runAsGroup: 1000
+    fsGroup: 1000
+    seccompProfile:
+      type: RuntimeDefault
+
 postgresql:
   auth:
     postgresPassword: Moomiet0