helm: Fix containerSecurityContext to run PostgreSQL as non-root.

alexmv · alexmv · commit 6ef5c6c3faa3 · 2025-11-06T11:42:50.000-05:00
Fixes: #470.
diff --git a/kubernetes/chart/zulip/README.md b/kubernetes/chart/zulip/README.md
@@ -96,7 +96,9 @@ Now you're ready to follow [the installation instructions above](#installation).
 | postgresql.auth.username | string | `"zulip"` |  |
 | postgresql.image.repository | string | `"zulip/zulip-postgresql"` |  |
 | postgresql.image.tag | int | `14` |  |
-| postgresql.primary.containerSecurityContext.runAsUser | int | `0` |  |
+| postgresql.primary.containerSecurityContext.readOnlyRootFilesystem | bool | `false` |  |
+| postgresql.primary.containerSecurityContext.runAsGroup | int | `70` |  |
+| postgresql.primary.containerSecurityContext.runAsUser | int | `70` |  |
 | rabbitmq.auth.username | string | `"zulip"` |  |
 | rabbitmq.persistence.enabled | bool | `false` |  |
 | redis.architecture | string | `"standalone"` |  |
diff --git a/kubernetes/chart/zulip/values.yaml b/kubernetes/chart/zulip/values.yaml
@@ -200,7 +200,12 @@ sidecars: []
 postgresql:
   primary:
     containerSecurityContext:
-      runAsUser: 0
+      # 70 is the standard uid/gid of the "postgres" user in Alpine, which is
+      # used as the base for zulip/zulip-postgresql
+      # https://github.com/docker-library/postgres/blob/23987751b63ce745bd27b1119ab29dc4a1ffd728/Dockerfile-alpine.template#L7
+      runAsUser: 70
+      runAsGroup: 70
+      readOnlyRootFilesystem: false
   ## We need to override the Postgresql image to get all the plugins Zulip needs
   image:
     repository: zulip/zulip-postgresql
