fix(helm): make bundled postgres PSA restricted compliant (#1604)

## Summary

Closes #1560

The bundled PostgreSQL deployment now ships with Pod Security Admission
restricted-compliant defaults and exposes both pod-level and
container-level security context values for overrides.

- add default `RuntimeDefault` seccomp profiles for the bundled
PostgreSQL pod and container
- drop all container capabilities by default while keeping
`allowPrivilegeEscalation: false`
- move the bundled PostgreSQL pod and container security contexts into
chart values so users can customize them without patching templates
- extend Helm unit coverage for the new defaults and override paths

## Testing

- `make helm-version`
- `helm unittest helm/kagent`
- `helm lint helm/kagent`

Signed-off-by: Asish Kumar <officialasishkumar@gmail.com>
Co-authored-by: Eitan Yarmush <eitan.yarmush@solo.io>

Author: officialasishkumar

helm/kagent/templates/postgresql.yaml

@@ -53,17 +53,18 @@ spec:
     spec:
       {{- include "kagent.imagePullSecrets" $ | nindent 6 }}
       serviceAccountName: {{ $fullname }}
+      {{- with $pg.podSecurityContext }}
       securityContext:
-        fsGroup: 999
-        runAsUser: 999
-        runAsGroup: 999
-        runAsNonRoot: true
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       containers:
         - name: postgresql
           image: {{ include "kagent.postgresql.image" . }}
           imagePullPolicy: {{ $pg.image.pullPolicy }}
+          {{- with $pg.securityContext }}
           securityContext:
-            allowPrivilegeEscalation: false
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           ports:
             - name: postgresql
               containerPort: 5432
@@ -137,4 +138,3 @@ spec:
     {{- include "kagent.selectorLabels" . | nindent 4 }}
     app.kubernetes.io/component: database
 {{- end }}
-

helm/kagent/tests/postgresql_test.yaml

@@ -217,12 +217,95 @@ tests:
     template: postgresql.yaml
     documentIndex: 2
     asserts:
+      - equal:
+          path: spec.template.spec.securityContext.fsGroup
+          value: 999
       - equal:
           path: spec.template.spec.securityContext.runAsNonRoot
           value: true
       - equal:
           path: spec.template.spec.securityContext.runAsUser
           value: 999
+      - equal:
+          path: spec.template.spec.securityContext.runAsGroup
+          value: 999
+      - equal:
+          path: spec.template.spec.securityContext.seccompProfile.type
+          value: RuntimeDefault
+      - equal:
+          path: spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation
+          value: false
+      - contains:
+          path: spec.template.spec.containers[0].securityContext.capabilities.drop
+          content: ALL
+      - equal:
+          path: spec.template.spec.containers[0].securityContext.seccompProfile.type
+          value: RuntimeDefault
+
+  - it: should allow bundled postgres pod security context override
+    template: postgresql.yaml
+    documentIndex: 2
+    set:
+      database:
+        postgres:
+          bundled:
+            podSecurityContext:
+              fsGroup: 1001
+              runAsUser: 1001
+              runAsGroup: 1001
+              runAsNonRoot: true
+              seccompProfile:
+                type: Localhost
+                localhostProfile: profiles/postgres.json
+    asserts:
+      - equal:
+          path: spec.template.spec.securityContext.fsGroup
+          value: 1001
+      - equal:
+          path: spec.template.spec.securityContext.runAsUser
+          value: 1001
+      - equal:
+          path: spec.template.spec.securityContext.runAsGroup
+          value: 1001
+      - equal:
+          path: spec.template.spec.securityContext.seccompProfile.type
+          value: Localhost
+      - equal:
+          path: spec.template.spec.securityContext.seccompProfile.localhostProfile
+          value: profiles/postgres.json
+
+  - it: should allow bundled postgres container security context override
+    template: postgresql.yaml
+    documentIndex: 2
+    set:
+      database:
+        postgres:
+          bundled:
+            securityContext:
+              allowPrivilegeEscalation: false
+              readOnlyRootFilesystem: false
+              capabilities:
+                drop:
+                  - ALL
+              seccompProfile:
+                type: Localhost
+                localhostProfile: profiles/postgres-container.json
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation
+          value: false
+      - equal:
+          path: spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem
+          value: false
+      - contains:
+          path: spec.template.spec.containers[0].securityContext.capabilities.drop
+          content: ALL
+      - equal:
+          path: spec.template.spec.containers[0].securityContext.seccompProfile.type
+          value: Localhost
+      - equal:
+          path: spec.template.spec.containers[0].securityContext.seccompProfile.localhostProfile
+          value: profiles/postgres-container.json
 
   - it: should render Service with hardcoded ClusterIP type and port 5432
     template: postgresql.yaml
@@ -341,4 +424,3 @@ tests:
           value:
             - name: secret1
             - name: secret2
-

helm/kagent/values.yaml

@@ -93,6 +93,22 @@ database:
         limits:
           cpu: 500m
           memory: 512Mi
+      # -- Pod-level security context for the bundled PostgreSQL deployment.
+      podSecurityContext:
+        fsGroup: 999
+        runAsUser: 999
+        runAsGroup: 999
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
+      # -- Container-level security context for the bundled PostgreSQL container.
+      securityContext:
+        allowPrivilegeEscalation: false
+        capabilities:
+          drop:
+            - ALL
+        seccompProfile:
+          type: RuntimeDefault
 
 # ==============================================================================
 # RBAC CONFIGURATION
@@ -490,4 +506,3 @@ otel:
         endpoint: ""
         timeout: 15
         insecure: true
-