From b91d297e32f909d7ab657152cbd295ba6c1f68a0 Mon Sep 17 00:00:00 2001 From: Stephen Sullivan Date: Mon, 3 Nov 2025 17:43:27 +0000 Subject: [PATCH] feat(chart): Make the securityContext for the StatefulSet configurable (#62) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ### Description of the change This patch adds the ability to **customize the `SecurityContext`** for the `statefulset` of the Gitea Actions `act_runner`. This allows users to configure pod-level security settings, such as `fsGroup` and `fsGroupChangePolicy`. The patch introduces `statefulset.podSecurityContext` as a new configurable parameter. ### Benefits This change makes the chart more configurable for different kinds of deployment scenarios. ### Possible drawbacks ### Applicable issues - Fixes # ### Additional information * The patch only adds the ability to customize the `podSecurityContext` for the `statefulset`. It does not modify any other security settings or introduce new features beyond this customization. * The default value for `statefulset.podSecurityContext` is an empty object `{}`, meaning no security context is applied unless the user explicitly defines it. ### ⚠ BREAKING ### Checklist - [X] Parameters are documented in the `values.yaml` and added to the `README.md` using [readme-generator-for-helm](https://github.com/bitnami-labs/readme-generator-for-helm) - [X] Helm templating unittests are added (required when changing anything in `templates` folder) - [X] All added template resources MUST render a namespace in metadata Reviewed-on: https://gitea.com/gitea/helm-actions/pulls/62 Reviewed-by: DaanSelen Co-authored-by: Stephen Sullivan Co-committed-by: Stephen Sullivan --- README.md | 1 + templates/statefulset.yaml | 2 ++ unittests/helm/statefulset.yaml | 54 +++++++++++++++++++++++++++++++++ values.yaml | 2 ++ 4 files changed, 59 insertions(+) diff --git a/README.md b/README.md index a0645da..bb31207 100644 --- a/README.md +++ b/README.md 
@@ -75,6 +75,7 @@ You should be good to go! | `statefulset.dind.extraVolumeMounts` | Allows mounting extra volumes in the Docker-in-Docker container | `[]` | | `statefulset.dind.extraEnvs` | Allows adding custom environment variables, such as `DOCKER_IPTABLES_LEGACY` | `[]` | | `statefulset.persistence.size` | Size for persistence to store act runner data | `1Gi` | +| `statefulset.securityContext` | Customize the SecurityContext | `{}` | | `existingSecret` | Secret that contains the token | `""` | | `existingSecretKey` | Secret key | `""` | | `giteaRootURL` | URL the act_runner registers and connect with | `""` | diff --git a/templates/statefulset.yaml b/templates/statefulset.yaml index 6635af3..a1b550d 100644 --- a/templates/statefulset.yaml +++ b/templates/statefulset.yaml @@ -30,6 +30,8 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} spec: + securityContext: + {{- toYaml .Values.statefulset.securityContext | nindent 8 }} initContainers: - name: init-gitea image: "{{ include "gitea.actions.init.image" . }}" diff --git a/unittests/helm/statefulset.yaml b/unittests/helm/statefulset.yaml index ca38302..a16b1dc 100644 --- a/unittests/helm/statefulset.yaml +++ b/unittests/helm/statefulset.yaml 
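Review bot: The new `securityContext:` key in templates/statefulset.yaml is emitted unconditionally, so with the `{}` default the pod spec renders `securityContext:` followed by `{}` instead of omitting the field as the description promises ("no security context is applied unless the user explicitly defines it"). An empty map is accepted by the API server, but it is inconsistent with the annotations block just above in the same hunk, which is guarded with `{{- with ... }}`/`{{- end }}`; wrapping it the same way — `{{- with .Values.statefulset.securityContext }}` / `securityContext:` / `{{- toYaml . | nindent 8 }}` / `{{- end }}` — makes the default truly a no-op. This is the pod-level context (it sits directly under the pod `spec:`, before `initContainers`); a `securityContext` set on an individual container, such as the `init-gitea` container here or the containers defined further down, takes precedence for any field both define, which is worth a one-line comment above the key. The pod `spec:` mapping continues past the end of the hunk.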
@@ -162,6 +162,60 @@ tests: - matchRegex: path: spec.template.spec.containers[0].env[8].name pattern: "GITEA_RUNNER_NAME" + - it: Has fsGroup in securityContext + template: templates/statefulset.yaml + set: + enabled: true + existingSecret: "my-secret" + existingSecretKey: "my-secret-key" + statefulset.securityContext: + fsGroup: 1000 + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: StatefulSet + apiVersion: apps/v1 + name: gitea-unittests-actions-act-runner + - equal: + path: spec.template.spec.securityContext["fsGroup"] + value: 1000 + - it: Has fsGroupChangePolicy in securityContext + template: templates/statefulset.yaml + set: + enabled: true + existingSecret: "my-secret" + existingSecretKey: "my-secret-key" + statefulset.securityContext: + fsGroupChangePolicy: OnRootMismatch + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: StatefulSet + apiVersion: apps/v1 + name: gitea-unittests-actions-act-runner + - equal: + path: spec.template.spec.securityContext["fsGroupChangePolicy"] + value: "OnRootMismatch" + - it: Has Always in securityContext + template: templates/statefulset.yaml + set: + enabled: true + existingSecret: "my-secret" + existingSecretKey: "my-secret-key" + statefulset.securityContext: + fsGroupChangePolicy: Always + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: StatefulSet + apiVersion: apps/v1 + name: gitea-unittests-actions-act-runner + - equal: + path: spec.template.spec.securityContext["fsGroupChangePolicy"] + value: "Always" - it: doesn't renders a StatefulSet by default template: templates/statefulset.yaml asserts: diff --git a/values.yaml b/values.yaml index b90ad56..6e89f6d 100644 --- a/values.yaml +++ b/values.yaml 
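Review bot: None of the three cases added to unittests/helm/statefulset.yaml covers the default, so a regression that renders `securityContext` as `null` or drops it entirely when `statefulset.securityContext` is left at `{}` would go unnoticed; add a case with no `statefulset.securityContext` override that asserts `path: spec.template.spec.securityContext` with `value: {}` (or `notExists`, if the template is changed to omit the key when empty). The second and third cases differ only in the `fsGroupChangePolicy` value, so the third's title `Has Always in securityContext` would read more clearly as `Has fsGroupChangePolicy Always in securityContext`. The `tests:` sequence continues past the end of the hunk.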
@@ -31,6 +31,7 @@ ## @param statefulset.dind.extraVolumeMounts Allows mounting extra volumes in the Docker-in-Docker container ## @param statefulset.dind.extraEnvs Allows adding custom environment variables, such as `DOCKER_IPTABLES_LEGACY` ## @param statefulset.persistence.size Size for persistence to store act runner data +## @param statefulset.securityContext Customize the SecurityContext ## @param existingSecret Secret that contains the token ## @param existingSecretKey Secret key ## @param giteaRootURL URL the act_runner registers and connect with @@ -45,6 +46,7 @@ statefulset: tolerations: [] affinity: {} extraVolumes: [] + securityContext: {} actRunner: registry: "docker.gitea.com"
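Review bot: The `## @param statefulset.securityContext Customize the SecurityContext` line in values.yaml (and the README table row generated from it) does not say which securityContext is meant; the template applies the value at `spec.template.spec.securityContext`, i.e. the pod level, and container-level contexts are untouched. The PR description also calls the parameter `statefulset.podSecurityContext`, which is not the key the code introduces, so the scope should be stated where readme-generator reads it: `## @param statefulset.securityContext Pod-level securityContext for the act_runner pod (e.g. fsGroup, fsGroupChangePolicy); container securityContexts are not affected`. The same wording applies to the README hunk.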