feat(keycloak): Add security context required for PSS restricted

charts/keycloak/Chart.yaml

 apiVersion: v2
 name: keycloak
-description: (Alpha) A Helm chart for Keycloak on Kubernetes
+description: A Helm chart for Keycloak on Kubernetes
+annotations:
+  artifacthub.io/category: security
 type: application
 home: https://www.keycloak.org/
 icon: https://www.keycloak.org/resources/images/keycloak_icon_512px.svg
 sources:
   - https://git.shivering-isles.com/shivering-isles/infrastructure-gitops
   - https://github.com/keycloak/keycloak
-version: 0.7.2
+version: 0.7.3
 # renovate: image=quay.io/keycloak/keycloak
 appVersion: "22.0.3"
 maintainers:

charts/keycloak/README.md

 # keycloak
 
-![Version: 0.7.1](https://img.shields.io/badge/Version-0.7.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 22.0.1](https://img.shields.io/badge/AppVersion-22.0.1-informational?style=flat-square)
+![Version: 0.7.3](https://img.shields.io/badge/Version-0.7.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 22.0.3](https://img.shields.io/badge/AppVersion-22.0.3-informational?style=flat-square)
 
-(Alpha) A Helm chart for Keycloak on Kubernetes
+A Helm chart for Keycloak on Kubernetes
 
 **Homepage:** <https://www.keycloak.org/>
 
@@ -60,7 +60,8 @@
 | networkPolicy.create | bool | `false` | Creates a network policy for inifispan communication, does **not** take care of database or ingress communication |
 | nodeSelector | object | `{}` |  |
 | podAnnotations | object | `{}` |  |
-| podSecurityContext | object | `{}` |  |
+| podSecurityContext.runAsNonRoot | bool | `true` |  |
+| podSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` |  |
 | replicaCount | int | `1` |  |
 | resources.limits.cpu | string | `"1"` |  |
 | resources.limits.memory | string | `"1.5Gi"` |  |
@@ -68,7 +69,6 @@
 | resources.requests.memory | string | `"1Gi"` |  |
 | securityContext.allowPrivilegeEscalation | bool | `false` |  |
 | securityContext.capabilities.drop[0] | string | `"ALL"` |  |
-| securityContext.runAsNonRoot | bool | `true` |  |
 | service.port | int | `80` |  |
 | service.type | string | `"ClusterIP"` |  |
 | serviceAccount.annotations | object | `{}` | Annotations to add to the service account |

charts/keycloak/tests/__snapshot__/snapshot_test.yaml.snap

@@ -90,14 +90,16 @@ should match basic snapshot:
                 capabilities:
                   drop:
                     - ALL
-                runAsNonRoot: true
               startupProbe:
                 failureThreshold: 30
                 httpGet:
                   path: /health/live
                   port: http
                 periodSeconds: 10
-          securityContext: {}
+          securityContext:
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
           serviceAccountName: RELEASE-NAME-keycloak
   2: |
     apiVersion: v1
@@ -262,14 +264,16 @@ should match full snapshot:
                 capabilities:
                   drop:
                     - ALL
-                runAsNonRoot: true
               startupProbe:
                 failureThreshold: 30
                 httpGet:
                   path: /health/live
                   port: http
                 periodSeconds: 10
-          securityContext: {}
+          securityContext:
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
           serviceAccountName: RELEASE-NAME-keycloak
   2: |
     apiVersion: v1

charts/keycloak/values.yaml

@@ -47,15 +47,17 @@ serviceAccount:
 
 podAnnotations: {}
 
-podSecurityContext: {}
+podSecurityContext:
+  runAsNonRoot: true
+  seccompProfile:
+    type: RuntimeDefault
   # fsGroup: 2000
 
 securityContext:
+  allowPrivilegeEscalation: false
   capabilities:
     drop:
       - ALL
-  allowPrivilegeEscalation: false
-  runAsNonRoot: true
 
 service:
   type: ClusterIP