From 59d07a1444f782dd6f88a9a9256c946cdebb5ed2 Mon Sep 17 00:00:00 2001
From: alam00000
Date: Tue, 17 Mar 2026 23:14:34 +0530
Subject: [PATCH] feat: add security context and volume mounts to deployment configuration

---
 .trivyignore | 3 +++
 chart/templates/deployment.yaml | 22 ++++++++++++++++++++++
 chart/values.yaml | 13 +++++++++++++
 3 files changed, 38 insertions(+)
 create mode 100644 .trivyignore

diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 0000000..1cd45f1
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,3 @@
+# Dockerfile.nonroot intentionally starts as root to support PUID/PGID (LSIO pattern).
+# The entrypoint.sh creates the user at runtime and drops privileges via su-exec.
+DS-0002
diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml
index 737e68f..cbe2ca7 100644
--- a/chart/templates/deployment.yaml
+++ b/chart/templates/deployment.yaml
@@ -26,10 +26,18 @@ spec:
 imagePullSecrets:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- with .Values.podSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 containers:
 - name: {{ .Chart.Name }}
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
+ {{- with .Values.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
 ports:
 - name: http
 containerPort: {{ .Values.containerPort }}
@@ -50,3 +58,17 @@ spec:
 resources:
 {{- toYaml . | nindent 12 }}
 {{- end }}
+ volumeMounts:
+ - name: nginx-tmp
+ mountPath: /etc/nginx/tmp
+ - name: nginx-cache
+ mountPath: /var/cache/nginx
+ - name: nginx-run
+ mountPath: /var/run
+ volumes:
+ - name: nginx-tmp
+ emptyDir: {}
+ - name: nginx-cache
+ emptyDir: {}
+ - name: nginx-run
+ emptyDir: {}
diff --git a/chart/values.yaml b/chart/values.yaml
index 91ea545..676d38c 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
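Review bot: The `DS-0002` suppression on the last line of the .trivyignore hunk applies to every Dockerfile Trivy scans in this repository, not only the Dockerfile.nonroot the comment names, so a later Dockerfile that runs as root would be accepted silently; if the project's Trivy version supports the YAML-format ignore file, scoping the entry to that path (or at least giving it an expiry) keeps the exception narrow. The stated rationale also conflicts with the values.yaml hunk in this same patch: the comment says the image must start as root so entrypoint.sh can create the user and drop privileges via su-exec, yet the new `podSecurityContext` forces `runAsNonRoot: true` and `runAsUser: 101`, under which an entrypoint that tries to add a user or switch identity would fail at startup. If the chart deploys an image built from a different Dockerfile that already runs as UID 101, that is fine but should be stated here, e.g. `# Applies to Dockerfile.nonroot only; the Helm chart runs its image as UID 101 and does not depend on the root-then-drop flow.` — confirm against the chart's image.repository before merging.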
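Review bot: The three `emptyDir: {}` volumes in the second deployment.yaml hunk carry no `sizeLimit`, so with `readOnlyRootFilesystem: true` funnelling every nginx write into them the cache and temp directories can grow on node ephemeral storage without any per-pod cap; a bounded form such as `emptyDir:` / `  sizeLimit: 256Mi` (constructed example value) on nginx-cache and nginx-tmp is the usual fix. The mount paths are also hard-coded, and whether `/etc/nginx/tmp` and `/var/run` are where this image's nginx.conf actually points its temp-path and `pid` directives cannot be seen from the hunk — a mismatch only surfaces at the first write as a read-only filesystem error, not at template time, so a comment tying the mounts to the config they satisfy would help, e.g. `# writable paths nginx.conf needs under readOnlyRootFilesystem; keep in sync with the image`. Note that the mounts render unconditionally while the securityContext blocks in the first hunk are wrapped in `with`, which is harmless but means the volumes exist even when a user disables the read-only root. The container and pod specs these lines belong to begin before the hunk.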
@@ -63,6 +63,19 @@ httpRoute:
 type: PathPrefix
 value: /
+podSecurityContext:
+ runAsNonRoot: true
+ runAsUser: 101
+ runAsGroup: 101
+ fsGroup: 101
+
+securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
+
 resources: {}
 livenessProbe:
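Review bot: The new `securityContext` sets every field the Pod Security Standards `restricted` level requires except `seccompProfile`, so a namespace enforcing that level will still reject the pod despite `allowPrivilegeEscalation: false`, `drop: [ALL]` and `runAsNonRoot: true`; adding `seccompProfile:` / `  type: RuntimeDefault` under either `podSecurityContext` or `securityContext` completes the set. `runAsUser: 101` (and the matching group and fsGroup) is presumably the nginx user baked into the image, but nothing in values.yaml says so and the number must match the image's user for file ownership to work — a one-line comment such as `# 101 = nginx user/group in the image; keep in sync with the Dockerfile` makes the coupling visible to whoever changes the image later.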