feat(helm): make init/sidecar securityContexts values-driven on webapp

Adds two new values knobs that override the hardcoded securityContext
on the built-in `volume-permissions` init container and `token-syncer`
sidecar:

  webapp:
    initContainers:
      securityContext: {}    # default: { runAsUser: 1000 }
    sidecarContainers:
      securityContext: {}    # default: { runAsUser: 1000, runAsNonRoot: true }

When unset (default), behavior is unchanged. When set, the user's
securityContext fully replaces the chart's hardcoded one — useful for
operators that need stricter pod-security admission contexts (FedRAMP /
FIPS / Pod Security Standards "restricted" requires runAsNonRoot,
allowPrivilegeEscalation: false, capabilities.drop: [ALL],
seccompProfile.type: RuntimeDefault on every container).

Same idiom as the existing webapp.podSecurityContext and webapp.security-
Context (for the webapp container) — adds the missing knobs for the
init container and sidecar.

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: ConProgramming

hosting/k8s/helm/templates/webapp.yaml

@@ -77,8 +77,13 @@ spec:
           image: {{ include "trigger-v4.webapp.volumePermissions.image" . }}
           imagePullPolicy: {{ .Values.webapp.volumePermissions.image.pullPolicy }}
           command: ['sh', '-c', 'mkdir -p /home/node/shared']
+          {{- with .Values.webapp.initContainers.securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- else }}
           securityContext:
             runAsUser: 1000
+          {{- end }}
           volumeMounts:
             - name: shared
               mountPath: /home/node/shared
@@ -89,9 +94,14 @@ spec:
         - name: token-syncer
           image: {{ include "trigger-v4.webapp.tokenSyncer.image" . }}
           imagePullPolicy: {{ .Values.webapp.tokenSyncer.image.pullPolicy }}
+          {{- with .Values.webapp.sidecarContainers.securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- else }}
           securityContext:
             runAsUser: 1000
             runAsNonRoot: true
+          {{- end }}
           command:
             - /bin/bash
             - -c

hosting/k8s/helm/values.yaml

@@ -195,6 +195,21 @@ webapp:
     #   image: busybox
     #   command: [...]
 
+  # Container-level securityContext applied to the built-in
+  # `volume-permissions` init container. When unset, defaults to
+  # `runAsUser: 1000`. Set this to enforce stricter pod-security
+  # admission (e.g. FIPS / FedRAMP / Pod Security Standards "restricted":
+  # `runAsNonRoot: true`, `allowPrivilegeEscalation: false`,
+  # `capabilities.drop: [ALL]`, `seccompProfile.type: RuntimeDefault`).
+  initContainers:
+    securityContext: {}
+
+  # Container-level securityContext applied to the built-in `token-syncer`
+  # sidecar. Same shape + intent as `webapp.initContainers.securityContext`.
+  # Defaults to `{ runAsUser: 1000, runAsNonRoot: true }` when unset.
+  sidecarContainers:
+    securityContext: {}
+
   # ServiceMonitor for Prometheus monitoring
   serviceMonitor:
     enabled: false