fix: add gateway to ingress mode validation, validate required fields #7
Merged
levkk merged 4 commits on May 28, 2026
The ingress.mode validation in ingress.yaml rejects "gateway" even though httproute.yaml renders for that mode. Also add required-field validation for gateway.name and gateway.namespace — without these the HTTPRoute renders with empty parentRefs.
Move hardcoded securityContext from deployment templates to values.yaml with PSS Restricted compliant defaults. Operators can now override pod and container securityContext without monkey-patching.
New values:
- control.podSecurityContext (default: runAsNonRoot, uid 1000, seccomp)
- control.containerSecurityContext (default: no priv esc, drop ALL)
- redis.podSecurityContext (default: runAsNonRoot, uid 999, seccomp)
- redis.containerSecurityContext (default: no priv esc, readonly rootfs, drop ALL)
…edis comments
- Add readOnlyRootFilesystem: true to control containerSecurityContext defaults (matches redis, tested working on EKS staging)
- Add comments above redis securityContext values for parity with control
- Quote gateway name/namespace in httproute.yaml for defensive correctness
levkk approved these changes on May 28, 2026
Summary
Makes pgdog-control chart fully PSS Restricted compliant out of the box, with configurable securityContext via values so operators don't need to monkey-patch deployments.
Changes
1. Configurable securityContext via values (new)
Move hardcoded securityContext from deployment templates to values.yaml with PSS Restricted compliant defaults:
Operators can override any field — e.g. control.podSecurityContext.runAsUser=65532 for clusters that prefer the nobody UID.
2. Gateway mode validation bug fix
ingress.yaml rejects ingress.mode: gateway (must be one of: aws, nginx, default) even though httproute.yaml renders for that mode. Add "gateway" to the allowed list and add required-field validation for gateway.name / gateway.namespace.
3. Version bump to 0.2.3
Test plan
- control.podSecurityContext.runAsUser=65532)
- /healthz as uid=1000 (EKS staging-2)
- ingress.mode=gateway with name/namespace — renders HTTPRoute
- ingress.mode=gateway without name — fails with clear error
- ingress.mode=invalid — fails with updated mode list
- ingress.mode=nginx — no regression
🤖 Generated with Claude Code
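A check for the securityContext fields this PR makes configurable, as an added example (not code from the pgdog-control chart): it tests a pod spec against the Pod Security Standards Restricted rules for runAsNonRoot, runAsUser, seccompProfile, allowPrivilegeEscalation and capabilities. The function name, the sample pod specs and the RuntimeDefault seccomp type are assumptions made for illustration, and the Baseline controls that Restricted also includes (hostNetwork, privileged and so on) are out of scope.

```python
# Added example: PSS Restricted checks for the fields named in this PR.
# Function name and sample specs are constructed, not taken from the chart.
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}
def restricted_violations(pod_spec):
    """Return a list of PSS Restricted violations for a pod spec (as a dict)."""
    found = []
    pod_sc = pod_spec.get("securityContext") or {}
    containers = pod_spec.get("initContainers", []) + pod_spec.get("containers", [])
    if pod_sc.get("runAsUser") == 0:
        found.append("pod: runAsUser must not be 0")
    for c in containers:
        name = c.get("name", "?")
        sc = c.get("securityContext") or {}
        # Container-level settings override pod-level ones when both are set.
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if non_root is not True:
            found.append(f"{name}: runAsNonRoot must be true")
        if sc.get("runAsUser") == 0:
            found.append(f"{name}: runAsUser must not be 0")
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if seccomp.get("type") not in ALLOWED_SECCOMP:
            found.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f"{name}: allowPrivilegeEscalation must be false")
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            found.append(f"{name}: capabilities.drop must include ALL")
        extra = set(caps.get("add") or []) - {"NET_BIND_SERVICE"}
        if extra:
            found.append(f"{name}: capabilities.add not allowed: {sorted(extra)}")
    return found

# Constructed sample shaped like the control defaults described above
# (seccomp type RuntimeDefault is an assumption).
HARDENED = {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1000,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "control", "securityContext": {
        "allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
        "capabilities": {"drop": ["ALL"]}}}],
}
# Constructed sample: value overrides that break Restricted compliance.
OVERRIDDEN = {
    "securityContext": {"runAsUser": 0},
    "containers": [{"name": "control", "securityContext": {
        "capabilities": {"drop": ["ALL"], "add": ["NET_ADMIN"]}}}],
}
if __name__ == "__main__":
    for label, spec in (("hardened", HARDENED), ("overridden", OVERRIDDEN)):
        print(label, restricted_violations(spec) or "compliant")
```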