From 75333ef36cd0f3685427bcf11a53531b07bceaa3 Mon Sep 17 00:00:00 2001
From: Simon Larsen
Date: Sun, 7 Sep 2025 13:03:09 +0100
Subject: [PATCH] feat: Add pod security context configuration for ClickHouse and Redis StatefulSets
---
 .../templates/clickhouse-statefulset.yaml | 7 +++++++
 .../templates/redis-statefulset.yaml | 7 +++++++
 HelmChart/Public/oneuptime/values.yaml | 20 +++++++++++++++++++
 3 files changed, 34 insertions(+)
diff --git a/HelmChart/Public/oneuptime/templates/clickhouse-statefulset.yaml b/HelmChart/Public/oneuptime/templates/clickhouse-statefulset.yaml
index 83ff38a637..67de18a2cb 100644
--- a/HelmChart/Public/oneuptime/templates/clickhouse-statefulset.yaml
+++ b/HelmChart/Public/oneuptime/templates/clickhouse-statefulset.yaml
@@ -44,10 +44,17 @@ spec:
 tolerations:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if .Values.clickhouse.podSecurityContext }}
+ {{- with .Values.clickhouse.podSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- else if .Values.podSecurityContext }}
 {{- with .Values.podSecurityContext }}
 securityContext:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- end }}
 containers:
 - name: clickhouse
 image: "{{ .Values.clickhouse.image.repository }}:{{ .Values.clickhouse.image.tag }}"
diff --git a/HelmChart/Public/oneuptime/templates/redis-statefulset.yaml b/HelmChart/Public/oneuptime/templates/redis-statefulset.yaml
index 58fd0410b0..c017f3b8f1 100644
--- a/HelmChart/Public/oneuptime/templates/redis-statefulset.yaml
+++ b/HelmChart/Public/oneuptime/templates/redis-statefulset.yaml
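Review bot: In clickhouse-statefulset.yaml the component-level `clickhouse.podSecurityContext` replaces the global `podSecurityContext` wholesale instead of merging with it, so an override that sets only, say, `fsGroup` silently drops whatever the global map carried (for example `runAsNonRoot` or `seccompProfile`) for this pod. Either state in values.yaml that an override must restate every field it wants to keep, or merge the two maps with the component winning: `{{- with (mergeOverwrite (dict) (default (dict) .Values.podSecurityContext) (default (dict) .Values.clickhouse.podSecurityContext)) }}`. That single `with` would also replace the `if`/`with` pairs, which currently test the same value twice. The redis-statefulset.yaml hunk has the same replace-not-merge behaviour; the pod spec itself starts and ends outside the hunk.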
@@ -38,10 +38,17 @@ spec:
 tolerations:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if .Values.redis.master.podSecurityContext }}
+ {{- with .Values.redis.master.podSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- else if .Values.podSecurityContext }}
 {{- with .Values.podSecurityContext }}
 securityContext:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- end }}
 containers:
 - name: redis
 image: "{{ .Values.redis.image.repository }}:{{ .Values.redis.image.tag }}"
diff --git a/HelmChart/Public/oneuptime/values.yaml b/HelmChart/Public/oneuptime/values.yaml
index dd2305c7de..fd171bab70 100644
--- a/HelmChart/Public/oneuptime/values.yaml
+++ b/HelmChart/Public/oneuptime/values.yaml
@@ -134,6 +134,16 @@ clickhouse:
 nodeSelector: {}
 tolerations: []
 affinity: {}
+ # Optional: override global security contexts just for the ClickHouse pod/container
+ # podSecurityContext:
+ # runAsUser: 101
+ # runAsGroup: 101
+ # fsGroup: 101
+ # containerSecurityContext:
+ # allowPrivilegeEscalation: false
+ # readOnlyRootFilesystem: true
+ # capabilities:
+ # drop: ["ALL"]
 resources: {}
 # Custom ClickHouse configuration
 configuration: |-
@@ -195,6 +205,16 @@ redis:
 nodeSelector: {}
 tolerations: []
 affinity: {}
+ # Optional: override global security contexts just for the Redis pod/container
+ # podSecurityContext:
+ # runAsUser: 999
+ # runAsGroup: 999
+ # fsGroup: 999
+ # containerSecurityContext:
+ # allowPrivilegeEscalation: false
+ # readOnlyRootFilesystem: true
+ # capabilities:
+ # drop: ["ALL"]
 resources: {}
 commonConfiguration: |-
 appendonly no
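Review bot: In redis-statefulset.yaml the override is read from `.Values.redis.master.podSecurityContext`, while the image line in the same hunk reads `.Values.redis.image` and the values.yaml comment added by this commit describes the key only as a Redis-level override. Indentation is not recoverable in this view, so please confirm the commented example really sits under `redis.master:`; if it sits directly under `redis:`, an operator who uncomments it sets a key the template never reads and the pod keeps the global context with no warning. Separately, if a supplied values file lacks `redis.master` altogether, this expression is likely to fail rendering with a nil-pointer error rather than fall back to the global context; `{{- with ((default (dict) .Values.redis.master).podSecurityContext) }}` tolerates that.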
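Review bot: The commented ClickHouse example in values.yaml advertises a `containerSecurityContext` block (`allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true`, `drop: ["ALL"]`), but the template hunks in this commit wire only the pod-level key; nothing visible reads `clickhouse.containerSecurityContext`. Unless the container spec already consumes it outside these hunks, uncommenting the block applies no hardening and raises no error, which is worse than not documenting it. Either add the matching `securityContext:` under the container in both StatefulSet templates or drop the container-level lines from the example. If it is wired, a comment such as `# readOnlyRootFilesystem requires writable volume mounts for data and temp paths` would save operators a crash loop. The Redis hunk that follows has the same example and the same gap.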