evertrust · antoninguyot · Mar 25, 2026 · Mar 25, 2026
@@ -97,10 +97,18 @@ spec:
             envFrom: 
             {{- toYaml . | nindent 12 }}
             {{- end }}
+            {{- if .Values.backup.extraVolumeMounts }}
+            volumeMounts:
+            {{- include "common.tplvalues.render" (dict "value" .Values.backup.extraVolumeMounts "context" $) | nindent 14 }}
+            {{- end }}
             resources: {{- toYaml .Values.backup.resources | nindent 14 }}
           restartPolicy: Never
           {{- if .Values.backup.podSecurityContext.enabled }}
           securityContext: {{- omit .Values.backup.podSecurityContext "enabled" | toYaml | nindent 12 }}
           {{- end }}
+          {{- if .Values.backup.extraVolumes }}
+          volumes:
+          {{- include "common.tplvalues.render" (dict "value" .Values.backup.extraVolumes "context" $) | nindent 12 }}
+          {{- end }}
       backoffLimit: {{ .Values.backup.backoffLimit }}
 {{- end -}}
@@ -24,6 +24,9 @@ spec:
       {{- include "common.images.renderPullSecrets" (dict "images" (list .Values.upgrade.image) "context" $) | nindent 6 }}
       serviceAccountName: {{ template "stream.serviceAccountName" . }}
       automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
+      {{- if .Values.upgrade.podSecurityContext.enabled }}
+      securityContext: {{- omit .Values.upgrade.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      {{- end }}
       {{- if .Values.upgrade.nodeSelector }}
       nodeSelector: {{- toYaml .Values.upgrade.nodeSelector | nindent 8 }}
       {{- end }}
@@ -34,6 +37,9 @@ spec:
         - name: stream-upgrade
           image: {{ include "common.images.image" (dict "imageRoot" .Values.upgrade.image "global" .Values.global) }}
           imagePullPolicy: {{ .Values.upgrade.image.pullPolicy | default "IfNotPresent" | quote }}
+          {{- if .Values.upgrade.containerSecurityContext.enabled }}
+          securityContext: {{- omit .Values.upgrade.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          {{- end }}
           args: [
               "-y",
               "-m", "$(MONGODB_URI)",
@@ -51,6 +57,14 @@ spec:
                 secretKeyRef:
                   name: {{ include "common.secrets.name" (dict "existingSecret" .Values.externalDatabase.secretName "context" $) }}
                   key: {{ include "common.secrets.key" (dict "existingSecret" .Values.externalDatabase.secretKey "key" "mongoUri") }}
+          {{- if .Values.upgrade.extraVolumeMounts }}
+          volumeMounts:
+          {{- include "common.tplvalues.render" (dict "value" .Values.upgrade.extraVolumeMounts "context" $) | nindent 12 }}
+          {{- end }}
+      {{- if .Values.upgrade.extraVolumes }}
+      volumes:
+      {{- include "common.tplvalues.render" (dict "value" .Values.upgrade.extraVolumes "context" $) | nindent 8 }}
+      {{- end }}
       restartPolicy: Never
   backoffLimit: 0
 {{- end }}
@@ -0,0 +1,91 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
+suite: job workload features
+templates:
+  - backup.yml
+  - upgrade.yml
+tests:
+  - it: should render backup extra volumes and volume mounts
+    template: backup.yml
+    set:
+      backup:
+        enabled: true
+        extraVolumes:
+          - name: mongodb-certificates
+            secret:
+              secretName: mongodb-certificates
+        extraVolumeMounts:
+          - name: mongodb-certificates
+            mountPath: /etc/mongodb/certs
+            readOnly: true
+    asserts:
+      - isKind:
+          of: CronJob
+      - contains:
+          path: spec.jobTemplate.spec.template.spec.volumes
+          content:
+            name: mongodb-certificates
+            secret:
+              secretName: mongodb-certificates
+      - contains:
+          path: spec.jobTemplate.spec.template.spec.containers[0].volumeMounts
+          content:
+            name: mongodb-certificates
+            mountPath: /etc/mongodb/certs
+            readOnly: true
+
+  - it: should render upgrade security contexts extra volumes and volume mounts
+    template: upgrade.yml
+    set:
+      upgrade:
+        force: true
+        podSecurityContext:
+          enabled: true
+          fsGroup: 2000
+        containerSecurityContext:
+          enabled: true
+          runAsUser: 2000
+          runAsNonRoot: true
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
+          seccompProfile:
+            type: RuntimeDefault
+        extraVolumes:
+          - name: mongodb-certificates
+            secret:
+              secretName: mongodb-certificates
+        extraVolumeMounts:
+          - name: mongodb-certificates
+            mountPath: /etc/mongodb/certs
+            readOnly: true
+    asserts:
+      - isKind:
+          of: Job
+      - equal:
+          path: spec.template.spec.securityContext
+          value:
+            fsGroup: 2000
+      - equal:
+          path: spec.template.spec.containers[0].securityContext
+          value:
+            runAsUser: 2000
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
+      - contains:
+          path: spec.template.spec.volumes
+          content:
+            name: mongodb-certificates
+            secret:
+              secretName: mongodb-certificates
+      - contains:
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            name: mongodb-certificates
+            mountPath: /etc/mongodb/certs
+            readOnly: true
@@ -635,12 +635,44 @@ upgrade:
     requests:
       memory: 512Mi
       cpu: 500m
+  ## Configure Pods Security Context
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+  ## @param upgrade.podSecurityContext.enabled Enabled Stream pods' Security Context
+  ## @param upgrade.podSecurityContext.fsGroup Set Stream pod's Security Context fsGroup
+  ##
+  podSecurityContext:
+    enabled: true
+    fsGroup: 1001
+  ## Configure Container Security Context (only main container)
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+  ## @param upgrade.containerSecurityContext.enabled Enabled Stream containers' Security Context
+  ## @param upgrade.containerSecurityContext.runAsUser Set Stream container's Security Context runAsUser
+  ## @param upgrade.containerSecurityContext.runAsNonRoot Set Stream container's Security Context runAsNonRoot
+  ##
+  containerSecurityContext:
+    enabled: true
+    runAsUser: 1001
+    runAsNonRoot: true
   ## @param upgrade.from Sets to the version you're upgrading from. If empty, the chart will try to infer the version from the database.
   ##
   from: ""
   ## @param upgrade.to Sets the version you're upgrading to. If empty, the chart will use Chart.AppVersion.
   ##
   to: ""
+  ## @param upgrade.extraVolumes Optionally specify extra list of additional volumes for upgrade pods
+  ## extraVolumes:
+  ##   - name: certificates
+  ##     secret:
+  ##       secretName: mongodb-x509
+  ##
+  extraVolumes: []
+  ## @param upgrade.extraVolumeMounts Optionally specify extra list of additional volumeMounts for upgrade containers
+  ## extraVolumeMounts:
+  ##   - name: certificates
+  ##     mountPath: /certs
+  ##     readOnly: true
+  ##
+  extraVolumeMounts: []
   ## @param upgrade.nodeSelector [object]  Node labels for upgrade pod assignment
   ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
   ##
@@ -750,6 +782,20 @@ backup:
   environment: []
   ## @param backup.envFrom [array] Extra env vars passed to the backup pods
   envFrom: []
+  ## @param backup.extraVolumes Optionally specify extra list of additional volumes for backup pods
+  ## extraVolumes:
+  ##   - name: certificates
+  ##     secret:
+  ##       secretName: mongodb-x509
+  ##
+  extraVolumes: []
+  ## @param backup.extraVolumeMounts Optionally specify extra list of additional volumeMounts for backup containers
+  ## extraVolumeMounts:
+  ##   - name: certificates
+  ##     mountPath: /certs
+  ##     readOnly: true
+  ##
+  extraVolumeMounts: []
   ## @param backup.nodeSelector [object]  Node labels for backup pod assignment
   ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
   ##