mauriceboe · bl4ko · Apr 27, 2026
diff --git a/charts/trek/templates/_helpers.tpl b/charts/trek/templates/_helpers.tpl
@@ -16,3 +16,30 @@ Create a default fully qualified app name.
 {{- printf "%s" $name | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "trek.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "trek.labels" -}}
+helm.sh/chart: {{ include "trek.chart" . }}
+{{ include "trek.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Selector labels
+*/}}
+{{- define "trek.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "trek.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
diff --git a/charts/trek/templates/deployment.yaml b/charts/trek/templates/deployment.yaml
@@ -4,6 +4,7 @@ metadata:
   name: {{ include "trek.fullname" . }}
   labels:
     app: {{ include "trek.name" . }}
+    {{- include "trek.labels" . | nindent 4 }}
 spec:
   replicas: 1
   selector:
@@ -16,19 +17,29 @@ spec:
         checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
       labels:
         app: {{ include "trek.name" . }}
+        {{- include "trek.selectorLabels" . | nindent 8 }}
     spec:
       {{- if .Values.imagePullSecrets }}
       imagePullSecrets:
         {{- range .Values.imagePullSecrets }}
         - name: {{ .name }}
         {{- end }}
       {{- end }}
+      {{- with .Values.podSecurityContext }}
       securityContext:
-        fsGroup: 1000
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- if .Values.priorityClassName }}
+      priorityClassName: {{ .Values.priorityClassName }}
+      {{- end }}
       containers:
         - name: trek
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- with .Values.securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           {{- with .Values.resources }}
           resources:
             {{- toYaml . | nindent 12 }}
@@ -80,6 +91,18 @@ spec:
               port: 3000
             initialDelaySeconds: 5
             periodSeconds: 10
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       volumes:
         - name: data
           persistentVolumeClaim:

diff --git a/charts/trek/templates/ingress.yaml b/charts/trek/templates/ingress.yaml
@@ -5,6 +5,7 @@ metadata:
   name: {{ include "trek.fullname" . }}
   labels:
     app: {{ include "trek.name" . }}
+    {{- include "trek.labels" . | nindent 4 }}
   {{- with .Values.ingress.annotations }}
   annotations:
     {{- toYaml . | nindent 4 }}

diff --git a/charts/trek/templates/networkpolicy.yaml b/charts/trek/templates/networkpolicy.yaml
@@ -0,0 +1,31 @@
+{{- if .Values.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "trek.fullname" . }}
+  labels:
+    app: {{ include "trek.name" . }}
+    {{- include "trek.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      app: {{ include "trek.name" . }}
+  policyTypes:
+    - Ingress
+    {{- if .Values.networkPolicy.egress }}
+    - Egress
+    {{- end }}
+  {{- if .Values.networkPolicy.ingress }}
+  ingress:
+    {{- toYaml .Values.networkPolicy.ingress | nindent 4 }}
+  {{- else }}
+  ingress:
+    - ports:
+        - port: 3000
+          protocol: TCP
+  {{- end }}
+  {{- if .Values.networkPolicy.egress }}
+  egress:
+    {{- toYaml .Values.networkPolicy.egress | nindent 4 }}
+  {{- end }}
+{{- end }}
diff --git a/charts/trek/templates/service.yaml b/charts/trek/templates/service.yaml
@@ -4,6 +4,7 @@ metadata:
   name: {{ include "trek.fullname" . }}
   labels:
     app: {{ include "trek.name" . }}
+    {{- include "trek.labels" . | nindent 4 }}
 spec:
   type: {{ .Values.service.type }}
   ports:

diff --git a/charts/trek/values.yaml b/charts/trek/values.yaml
@@ -90,6 +90,28 @@ generateEncryptionKey: false
 existingSecret: ""
 existingSecretKey: ENCRYPTION_KEY
 
+# Pod-level security context (applied to the pod spec)
+podSecurityContext:
+  fsGroup: 1000
+
+# Container-level security context (applied to the trek container)
+# NOTE: The default entrypoint runs `chown` as root before dropping to
+# the `node` user (UID 1000) via su-exec. Setting `runAsNonRoot: true`
+# will prevent the container from starting unless the entrypoint is
+# changed or an initContainer handles the ownership fix.
+# Compatible subset for policy compliance without breaking the entrypoint:
+#   allowPrivilegeEscalation: false
+#   capabilities:
+#     drop:
+#       - ALL
+#   seccompProfile:
+#     type: RuntimeDefault
+securityContext: {}
+
+# Priority class name for the pod
+# See: https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/
+priorityClassName: ""
+
 persistence:
   enabled: true
   data:
@@ -105,6 +127,36 @@ resources:
     cpu: 500m
     memory: 512Mi
 
+# Node selector for pod scheduling
+# See: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
+nodeSelector: {}
+
+# Tolerations for pod scheduling
+# See: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
+tolerations: []
+
+# Affinity rules for pod scheduling
+# See: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
+affinity: {}
+
+# Network policy configuration
+networkPolicy:
+  enabled: false
+  # Ingress rules — by default allows traffic on port 3000 from all sources.
+  # Override to restrict to specific namespaces or pod selectors.
+  # Example: allow only from ingress namespace:
+  #   ingress:
+  #     - from:
+  #         - namespaceSelector:
+  #             matchLabels:
+  #               kubernetes.io/metadata.name: ingress-nginx
+  #       ports:
+  #         - port: 3000
+  ingress: []
+  # Egress rules — by default allows all outbound traffic.
+  # Set to restrict outbound connections (e.g. DNS-only).
+  egress: []
+
 ingress:
   enabled: false
   className: ""