From f908ad4f574c91f5515d08121606e3bf3e97cbd1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Beat=20Sch=C3=A4rz?=
Date: Thu, 27 Nov 2025 15:28:28 +0100
Subject: [PATCH] add possiblity to turn off securityContext on pod and container level

---
 .../templates/deployment.yaml | 8 ++++++--
 charts/plugin-barman-cloud/values.schema.json | 18 ++++++++++++++++--
 charts/plugin-barman-cloud/values.yaml | 4 ++++
 3 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/charts/plugin-barman-cloud/templates/deployment.yaml b/charts/plugin-barman-cloud/templates/deployment.yaml
index f80ef36781..56d602d8b4 100644
--- a/charts/plugin-barman-cloud/templates/deployment.yaml
+++ b/charts/plugin-barman-cloud/templates/deployment.yaml
@@ -77,8 +77,10 @@ spec:
 port: 9090
 resources:
 {{- toYaml .Values.resources | nindent 10 }}
+ {{- if .Values.containerSecurityContext.enabled }}
 securityContext:
- {{- toYaml .Values.containerSecurityContext | nindent 10 }}
+ {{- toYaml (omit .Values.containerSecurityContext "enabled") | nindent 10 }}
+ {{- end}}
 volumeMounts:
 - mountPath: /server
 name: server
@@ -87,8 +89,10 @@ spec:
 {{- if .Values.priorityClassName }}
 priorityClassName: {{ .Values.priorityClassName }}
 {{- end }}
+ {{- if .Values.podSecurityContext.enabled }}
 securityContext:
- {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ {{- toYaml (omit .Values.podSecurityContext "enabled") | nindent 8 }}
+ {{- end }}
 serviceAccountName: {{ include "plugin-barman-cloud.serviceAccountName" . }}
 {{- with .Values.nodeSelector }}
 nodeSelector:
diff --git a/charts/plugin-barman-cloud/values.schema.json b/charts/plugin-barman-cloud/values.schema.json
index 112c01ae19..8ace7046a8 100644
--- a/charts/plugin-barman-cloud/values.schema.json
+++ b/charts/plugin-barman-cloud/values.schema.json
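Review bot: The new guard `{{- if .Values.containerSecurityContext.enabled }}` (and `{{- if .Values.podSecurityContext.enabled }}` in the second hunk) dereferences the map directly, so a values override that removes either map (`--set containerSecurityContext=null`) now aborts rendering with a nil-pointer template error, where, as far as I can tell, the old `toYaml` line simply emitted `null`; a nil-safe form such as `{{- if (.Values.containerSecurityContext | default dict).enabled }}` keeps the template rendering in that case, and the pod-level guard should be written the same way. Whether the `required` entries added to values.schema.json catch this before rendering depends on the parent keys being required at the root, which is outside these hunks. Separately, the first hunk closes with `{{- end}}` while the second uses `{{- end }}`; align both to `{{- end }}`. Note that with the toggle off nothing at all is rendered for that level, so keeping `enabled: true` as the chart default is what preserves the current non-root/seccomp posture.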
@@ -111,6 +111,12 @@
 "title": "capabilities",
 "type": "object"
 },
+ "enabled": {
+ "default": true,
+ "required": [],
+ "title": "enabled",
+ "type": "boolean"
+ },
 "readOnlyRootFilesystem": {
 "default": true,
 "required": [],
@@ -151,7 +157,8 @@
 "runAsUser",
 "runAsGroup",
 "seccompProfile",
- "capabilities"
+ "capabilities",
+ "enabled"
 ],
 "title": "containerSecurityContext",
 "type": "object"
@@ -274,6 +281,12 @@
 "podSecurityContext": {
 "description": "Security Context for the whole pod.",
 "properties": {
+ "enabled": {
+ "default": true,
+ "required": [],
+ "title": "enabled",
+ "type": "boolean"
+ },
 "runAsNonRoot": {
 "default": true,
 "required": [],
@@ -297,6 +310,7 @@
 }
 },
 "required": [
+ "enabled",
 "runAsNonRoot",
 "seccompProfile"
 ],
@@ -479,4 +493,4 @@
 "certificate"
 ],
 "type": "object"
-}
\ No newline at end of file
+}
diff --git a/charts/plugin-barman-cloud/values.yaml b/charts/plugin-barman-cloud/values.yaml
index ea37056316..a98eb9789a 100644
--- a/charts/plugin-barman-cloud/values.yaml
+++ b/charts/plugin-barman-cloud/values.yaml
@@ -111,6 +111,8 @@ podLabels: {}
 
 # -- Container Security Context.
 containerSecurityContext:
+ # -- Specifies whether to set securityContext field on Container
+ enabled: true
 allowPrivilegeEscalation: false
 readOnlyRootFilesystem: true
 runAsUser: 10001
@@ -123,6 +125,8 @@ containerSecurityContext:
 
 # -- Security Context for the whole pod.
 podSecurityContext:
+ # -- Specifies whether to set securityContext field on Pod
+ enabled: true
 runAsNonRoot: true
 seccompProfile:
 type: RuntimeDefault
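Review bot: The `enabled` properties added in the first and third hunks carry no `description`, although the matching values.yaml lines gain `# --` doc comments ("Specifies whether to set securityContext field on Container"/"... on Pod"), which suggests the schema was edited by hand rather than regenerated from values.yaml; adding `"description": "Specifies whether to set securityContext field on Container"` (and the Pod variant) keeps the two in sync and gives `helm install` validation errors and schema-driven docs something to show. The `required` lists also differ in placement — `enabled` is appended last for `containerSecurityContext` but inserted first for `podSecurityContext` — harmless, but worth normalizing if the file is generated. Consider stating in that description that `false` drops every hardening field under the object, since the schema is the first place a consumer looks before flipping the flag.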
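Review bot: The comment `# -- Specifies whether to set securityContext field on Container` describes the mechanics but not what is lost: with `enabled: false` the chart renders no container securityContext at all, so `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true`, `runAsUser: 10001` and the rest of this block are silently dropped and the workload no longer satisfies the Pod Security Standards `restricted` profile. A one-line addition such as `# Set to false only when the platform or an admission controller injects an equivalent context; disabling removes every field below.` makes that trade-off visible to whoever edits the values file. The same applies to the pod-level toggle in the second hunk, where `runAsNonRoot: true` and the `RuntimeDefault` seccomp profile are what disappears.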