From b6771e28afb08235fd5d660f75ceff2c7d94fd30 Mon Sep 17 00:00:00 2001
From: Joseph Moukarzel
Date: Wed, 15 Apr 2026 15:17:52 +0200
Subject: [PATCH] fix(redis): Support security context
---
 charts/plumber/Chart.yaml | 4 ++--
 .../plumber/templates/redis-deployment.yaml | 8 +++++++
 charts/plumber/values.yaml | 21 +++++++++++++++++++
 3 files changed, 31 insertions(+), 2 deletions(-)
diff --git a/charts/plumber/Chart.yaml b/charts/plumber/Chart.yaml
index 390e590..123a222 100644
--- a/charts/plumber/Chart.yaml
+++ b/charts/plumber/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: plumber
 description: Helm chart for Plumber
 type: application
-version: "1.3.1"
-appVersion: "1.3.1"
+version: "1.3.2"
+appVersion: "1.3.2"
 home: https://github.com/getplumber/platform/
 maintainers:
 - name: devpro
diff --git a/charts/plumber/templates/redis-deployment.yaml b/charts/plumber/templates/redis-deployment.yaml
index 2515e42..4ed3c9a 100644
--- a/charts/plumber/templates/redis-deployment.yaml
+++ b/charts/plumber/templates/redis-deployment.yaml
@@ -34,6 +34,10 @@ spec:
 imagePullSecrets:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- with .Values.redis.podSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 containers:
 - name: redis
 image: {{ include "plumber.redisImage" . }}
@@ -66,4 +70,8 @@ spec:
 initialDelaySeconds: 5
 periodSeconds: 10
 resources: {}
+ {{- with .Values.redis.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
 {{- end }}
diff --git a/charts/plumber/values.yaml b/charts/plumber/values.yaml
index 3e2238b..f6e9188 100644
--- a/charts/plumber/values.yaml
+++ b/charts/plumber/values.yaml
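Review bot: The `with` guards on `.Values.redis.podSecurityContext` in the first redis-deployment.yaml hunk and on `.Values.redis.securityContext` in the second skip the block only when the merged value is empty, and Helm merges a user's map over the chart defaults key by key, so an override of `podSecurityContext: {}` still renders every default. Omitting a context, or dropping a single key on a cluster that assigns UIDs itself, therefore needs an explicit `null`. That is worth stating where operators will look, for example `# Set to null (not {}) to omit this block; set a single key to null to drop it.` above each of the two keys in values.yaml. The Deployment spec starts and ends outside both hunks, so how this sits next to the rest of the pod spec cannot be checked from here.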
@@ -282,6 +282,27 @@ redis:
 # -- Pull policy for the Redis image.
 pullPolicy: IfNotPresent
+ # -- Security context for the Redis container.
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: [ALL]
+ privileged: false
+ runAsNonRoot: true
+ runAsUser: 999
+ runAsGroup: 999
+ seccompProfile:
+ type: RuntimeDefault
+
+ # -- Security context for the Redis pod.
+ podSecurityContext:
+ runAsNonRoot: true
+ runAsUser: 999
+ runAsGroup: 999
+ fsGroup: 999
+ seccompProfile:
+ type: RuntimeDefault
+
 # Connection details for the Redis instance (used whether deployed by this chart or external).
 # When deploy is true and custom.host is empty, the host defaults to -redis-master.
 custom:
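Review bot: `runAsNonRoot`, `runAsUser`, `runAsGroup` and `seccompProfile` are set in both `redis.securityContext` and `redis.podSecurityContext`, and Kubernetes gives the container-level value precedence, so an operator who overrides only `podSecurityContext.runAsUser` still gets a container running as 999. Keeping those four keys at pod level only, and leaving `allowPrivilegeEscalation`, `capabilities` and `privileged` in the container block, would give one place to change the identity. The fixed 999 presumably matches the redis user of the default image; confirm that for whatever `plumber.redisImage` resolves to, since a mismatch would likely show up as permission errors on Redis's data directory rather than as a start-up rejection. `readOnlyRootFilesystem` is not set; if Redis here writes only to a mounted volume or emptyDir (not visible in this hunk), adding `readOnlyRootFilesystem: true` to the container block would complete the hardening.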