From 8d1ad10a33df0fe7708523fd6bf8d672974ea79b Mon Sep 17 00:00:00 2001
From: wkbrd <30599409+wkbrd@users.noreply.github.com>
Date: Mon, 6 Oct 2025 09:28:32 -0400
Subject: [PATCH 1/2] Changes to work with pod security restricted and openshift flexible UID support.
---
 charts/questdb/templates/_helpers.tpl | 42 +++++++++++++++++++++++
 charts/questdb/templates/statefulset.yaml | 6 ++--
 charts/questdb/values.yaml | 23 +++++++++++--
 3 files changed, 67 insertions(+), 4 deletions(-)
diff --git a/charts/questdb/templates/_helpers.tpl b/charts/questdb/templates/_helpers.tpl
index 85d5aed..267f979 100644
--- a/charts/questdb/templates/_helpers.tpl
+++ b/charts/questdb/templates/_helpers.tpl
@@ -79,3 +79,45 @@ Generate log.conf file content
 {{ $key }} = {{ $value }}
 {{- end }}
 {{- end }}
+
+{{/*
+Build openshift detection
+*/}}
+{{- define "isOpenshiftEnabled" -}}
+{{- $openshiftEnabledString := (.Values.openshift).enabled | toString -}}
+{{- if eq $openshiftEnabledString "true" -}}
+true
+{{- else if and (eq $openshiftEnabledString "detect") (.Capabilities.APIVersions.Has "security.openshift.io/v1") }}
+true
+{{- end }}
+{{- end }}
+
+{{/*
+Build securityContext
+*/}}
+{{- define "generateSecurityContext" -}}
+{{- $context := .Values.securityContext -}}
+{{- if $context -}}
+{{- if (include "isOpenshiftEnabled" .) -}}
+{{- $context = omit $context "runAsUser" "runAsGroup" "fsGroup" -}}
+{{- end -}}
+{{- else -}}
+{{ $context = dict -}}
+{{- end -}}
+{{ $context | toYaml }}
+{{- end }}
+
+{{/*
+Build podSecurityContext
+*/}}
+{{- define "generatePodSecurityContext" -}}
+{{- $context := .Values.podSecurityContext -}}
+{{- if $context -}}
+{{- if (include "isOpenshiftEnabled" .) -}}
+{{- $context = omit $context "runAsUser" "runAsGroup" "fsGroup" -}}
+{{- end -}}
+{{- else -}}
+{{ $context = dict -}}
+{{- end -}}
+{{ $context | toYaml }}
+{{- end }}
diff --git a/charts/questdb/templates/statefulset.yaml b/charts/questdb/templates/statefulset.yaml
index a3956c6..a97e0de 100644 
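Review bot: `isOpenshiftEnabled` in `detect` mode reads `.Capabilities.APIVersions`, which Helm fills from a reachable cluster, so `helm template` output (without `--api-versions security.openshift.io/v1`) keeps `runAsUser`/`runAsGroup`/`fsGroup` while an in-cluster render on OpenShift strips them, and nothing in the hunk records that the two renderings differ. The header comment should state the contract, e.g. `{{/* Returns "true" when .Values.openshift.enabled is true, or is "detect" and the cluster advertises security.openshift.io/v1 (cluster access required; pass --api-versions to helm template to reproduce); empty otherwise. */}}`. The `{{- else if ... }}` branch lacks the `-}}` its sibling has, so the detected case yields a newline followed by `true` rather than `true`; the `if (include ...)` callers only test non-emptiness, but `-}}` would make both branches return the same string. `generateSecurityContext` and `generatePodSecurityContext` are identical apart from the values key they read, so a single helper that receives the map to filter as its argument would remove the duplicated omit logic.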
--- a/charts/questdb/templates/statefulset.yaml
+++ b/charts/questdb/templates/statefulset.yaml
@@ -29,14 +29,14 @@ spec:
 {{- toYaml . | nindent 8 }}
 {{- end }}
 securityContext:
- {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ {{- include "generatePodSecurityContext" . | nindent 8 }}
 {{- if or .Values.serviceAccount.create .Values.serviceAccount.name }}
 serviceAccountName: {{ include "questdb.serviceAccountName" . }}
 {{- end }}
 containers:
 - name: {{ .Chart.Name }}
 securityContext:
- {{- toYaml .Values.securityContext | nindent 12 }}
+ {{- include "generateSecurityContext" . | nindent 12 }}
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 env:
@@ -103,6 +103,8 @@ spec:
 - name: init-db-migration
 image: "{{ .Values.dataMigration.image.repository }}:{{ .Values.dataMigration.image.tag }}"
 command: ["bash", "/mnt/migration_scripts/migrate_to_helm_v1.sh"]
+ securityContext:
+ {{- include "generateSecurityContext" . | nindent 12 }}
 volumeMounts:
 - name: {{ include "questdb.fullname" . }}
 mountPath: /mnt/questdb
diff --git a/charts/questdb/values.yaml b/charts/questdb/values.yaml
index 7b7b1d1..0172465 100644
--- a/charts/questdb/values.yaml
+++ b/charts/questdb/values.yaml
@@ -8,8 +8,23 @@ nameOverride: ""
 fullnameOverride: ""
 podAnnotations: {}
-podSecurityContext: {}
-securityContext: {}
+podSecurityContext:
+ fsGroup: 10001
+ seccompProfile:
+ type: RuntimeDefault
+
+securityContext:
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: true
+ runAsUser: 10001
+ runAsGroup: 10001
+ privileged: false
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+
 extraVolumes: []
 extraVolumeMounts: []
 extraLabels: {}
@@ -121,3 +136,7 @@ dataMigration:
 memory: "256Mi"
 limits:
 memory: "1Gi"
+
+# openshift
+openshift:
+ enabled: detect
\ No newline at end of file
From 56277a188dd70b7e3d3d3941a22eafa7f8fca03b Mon Sep 17 00:00:00 2001 
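Review bot: `init-db-migration` now runs under the default container securityContext (`runAsUser: 10001`, `runAsNonRoot: true`, all capabilities dropped) while it rewrites data already present on the volume at `/mnt/questdb`, and that data was written by releases that shipped `securityContext: {}`, i.e. the image's own user. If those files are not owned by UID 10001 or group-writable through `fsGroup`, the migration fails with permission errors at upgrade; whether that happens depends on the image's default user and on the volume type honouring `fsGroup`, neither of which is visible here. The upgrade notes, or a comment beside this `securityContext:`, should state the expected ownership and that users of older releases may need to set `securityContext.runAsUser` to the UID their existing data is owned by. `migrate_to_helm_v1.sh` is not on the page, so what it touches is inferred from the mount path only.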
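Review bot: the new `podSecurityContext` carries only `fsGroup` and `seccompProfile`, so `runAsNonRoot: true` and `allowPrivilegeEscalation: false` are enforced only on containers that include `generateSecurityContext`; any other container in the pod keeps the image default. `runAsNonRoot` is valid at pod level and container values still override it, so adding `runAsNonRoot: true` under `podSecurityContext:` next to `fsGroup: 10001` would make the restricted baseline apply to every container. The hard-coded `10001` is otherwise undocumented; a comment such as `# UID/GID the containers run as; must be able to read and write the data volume` above `runAsUser` tells operators what to change when their image uses another user. These defaults replace the previous empty contexts on upgrade, which deserves a changelog entry.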
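Review bot: `openshift.enabled` accepts `true`, `false` and `detect`, but the only documentation is `# openshift`, and because the helper compares with a case-sensitive `eq` after `toString`, a quoted `"True"` or `"Detect"` silently disables the feature instead of erroring. Replace the comment with one that spells the contract out, e.g. `# OpenShift support: true strips runAsUser/runAsGroup/fsGroup so the SCC can assign them; false keeps the values above; detect (default) strips them only when the cluster exposes security.openshift.io/v1`. The file also ends without a trailing newline (`\ No newline at end of file`), which yamllint flags.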
From: wkbrd <30599409+wkbrd@users.noreply.github.com>
Date: Tue, 7 Oct 2025 14:36:37 -0400
Subject: [PATCH 2/2] Simplified volume mount instead of multiple
---
 charts/questdb/templates/statefulset.yaml | 9 +-------
 1 file changed, 1 insertion(+), 8 deletions(-)
diff --git a/charts/questdb/templates/statefulset.yaml b/charts/questdb/templates/statefulset.yaml
index a97e0de..75b8739 100644
--- a/charts/questdb/templates/statefulset.yaml
+++ b/charts/questdb/templates/statefulset.yaml
@@ -50,14 +50,7 @@ spec:
 {{- end }}
 volumeMounts:
 - name: {{ include "questdb.fullname" . }}
- mountPath: {{ .Values.questdb.dataDir }}/db
- subPath: db/
- - name: {{ include "questdb.fullname" . }}
- mountPath: {{ .Values.questdb.dataDir }}/.checkpoint
- subPath: .checkpoint/
- - name: {{ include "questdb.fullname" . }}
- mountPath: {{ .Values.questdb.dataDir }}/snapshot
- subPath: snapshot/
+ mountPath: {{ .Values.questdb.dataDir }}
 {{- if .Values.questdb.serverConfig.enabled }}
 - name: server-config
 mountPath: {{ .Values.questdb.dataDir }}/conf/server.conf
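Review bot: mounting the volume root at `{{ .Values.questdb.dataDir }}` overlays the whole directory, whereas the removed `subPath` mounts overlaid only `db/`, `.checkpoint/` and `snapshot/`; anything the image ships under `dataDir` (a default `conf/`, for instance) is now hidden by a fresh volume, and `conf/` now lives on the persistent volume — worth confirming against the image before release, since nothing on the page shows its layout. The on-volume layout itself is unchanged (`db/` at the volume root was reached as `dataDir/db` through `subPath: db/` and is reached at the same path through the root mount), so the migration init container's `/mnt/questdb` view still matches, and a comment would save the next reader the check: `# whole data volume at dataDir: db/, .checkpoint/ and snapshot/ stay at the volume root, as with the former subPath mounts`. The `server-config` mount at `dataDir/conf/server.conf` is now nested inside this mount; nested mount paths are supported, but the file will appear inside the persisted `conf/` directory rather than the image's. The enclosing `volumeMounts` list continues past the hunk.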