fix: add gateway to ingress mode validation, validate required fields

Chart.yaml

@@ -2,5 +2,5 @@ apiVersion: v2
 name: pgdog-control
 description: PgDog Control
 type: application
-version: 0.2.2
+version: 0.2.3
 appVersion: "v2026-05-21"

templates/deployment.yaml

@@ -48,12 +48,10 @@ spec:
       {{- else }}
       automountServiceAccountToken: false
       {{- end }}
+      {{- with .Values.control.podSecurityContext }}
       securityContext:
-        runAsNonRoot: true
-        runAsUser: 1000
-        runAsGroup: 1000
-        seccompProfile:
-          type: RuntimeDefault
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       {{- with .Values.image.pullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
@@ -62,10 +60,10 @@ spec:
       - name: control
         image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
         imagePullPolicy: {{ .Values.image.pullPolicy }}
+        {{- with .Values.control.containerSecurityContext }}
         securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop: ["ALL"]
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
         env:
         - name: CONTROL_CONFIG
           value: /etc/pgdog-control/control.toml

templates/httproute.yaml

@@ -1,4 +1,10 @@
 {{- if and .Values.ingress.enabled (eq (.Values.ingress.mode | default "default") "gateway") }}
+{{- if not .Values.ingress.gateway.name }}
+{{- fail "ingress.gateway.name is required when ingress.mode=gateway" }}
+{{- end }}
+{{- if not .Values.ingress.gateway.namespace }}
+{{- fail "ingress.gateway.namespace is required when ingress.mode=gateway" }}
+{{- end }}
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
@@ -16,8 +22,8 @@ spec:
   parentRefs:
   - group: gateway.networking.k8s.io
     kind: Gateway
-    name: {{ .Values.ingress.gateway.name }}
-    namespace: {{ .Values.ingress.gateway.namespace }}
+    name: {{ .Values.ingress.gateway.name | quote }}
+    namespace: {{ .Values.ingress.gateway.namespace | quote }}
     {{- with .Values.ingress.gateway.sectionName }}
     sectionName: {{ . }}
     {{- end }}

templates/ingress.yaml

@@ -1,7 +1,7 @@
 {{- if .Values.ingress.enabled }}
 {{- $mode := .Values.ingress.mode | default "default" }}
-{{- if not (has $mode (list "aws" "nginx" "default")) }}
-{{- fail (printf "ingress.mode must be one of: aws, nginx, default (got %q)" $mode) }}
+{{- if not (has $mode (list "aws" "nginx" "gateway" "default")) }}
+{{- fail (printf "ingress.mode must be one of: aws, nginx, gateway, default (got %q)" $mode) }}
 {{- end }}
 {{- if eq $mode "default" }}
 apiVersion: networking.k8s.io/v1

templates/redis-deployment.yaml

@@ -17,21 +17,17 @@ spec:
         cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
     spec:
       automountServiceAccountToken: false
+      {{- with .Values.redis.podSecurityContext }}
       securityContext:
-        runAsNonRoot: true
-        runAsUser: 999
-        runAsGroup: 999
-        fsGroup: 999
-        seccompProfile:
-          type: RuntimeDefault
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       containers:
       - name: redis
         image: redis:7-alpine
+        {{- with .Values.redis.containerSecurityContext }}
         securityContext:
-          allowPrivilegeEscalation: false
-          readOnlyRootFilesystem: true
-          capabilities:
-            drop: ["ALL"]
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
         ports:
         - containerPort: 6379
           name: redis

values.yaml

@@ -50,6 +50,21 @@ control:
     limits:
       memory: "4Gi"
       cpu: "1000m"
+  # Pod-level securityContext for the control deployment.
+  # Defaults are PSS Restricted compliant.
+  podSecurityContext:
+    runAsNonRoot: true
+    runAsUser: 1000
+    runAsGroup: 1000
+    seccompProfile:
+      type: RuntimeDefault
+  # Container-level securityContext for the control container.
+  # Defaults are PSS Restricted compliant.
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: true
+    capabilities:
+      drop: ["ALL"]
   # Runtime configuration written to /etc/pgdog-control/control.toml.
   # Mirrors control2/src/config.rs. Every field is optional — anything left
   # unset falls back to the Rust-side default. Field names match the TOML
@@ -99,6 +114,22 @@ redis:
     limits:
       memory: "256Mi"
       cpu: "500m"
+  # Pod-level securityContext for the Redis deployment.
+  # Defaults are PSS Restricted compliant.
+  podSecurityContext:
+    runAsNonRoot: true
+    runAsUser: 999
+    runAsGroup: 999
+    fsGroup: 999
+    seccompProfile:
+      type: RuntimeDefault
+  # Container-level securityContext for the Redis container.
+  # Defaults are PSS Restricted compliant.
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: true
+    capabilities:
+      drop: ["ALL"]
 
 networkPolicy:
   enabled: false