[Backport 6.1.x] feat: add runAsUser and runAsGroup to executor (#642)

The start of a resolution for
[REL-690](https://linear.app/sourcegraph/issue/REL-690/add-runasuser-runasgroup-fsgroup-to-executor-helm-chart).
Need to test this out to see how it works. There are sample overrides in
[this
thread](https://sourcegraph.slack.com/archives/C0418GDBT7S/p1738581012896529?thread_ts=1738580801.517539&cid=C0418GDBT7S)

### Checklist

- [x] Follow the [manual testing
process](https://github.com/sourcegraph/deploy-sourcegraph-helm/blob/main/TEST.md)
- [ ] Update
[changelog](https://github.com/sourcegraph/deploy-sourcegraph-helm/blob/main/charts/sourcegraph/CHANGELOG.md)
- [ ] Update [Kubernetes update
doc](https://docs.sourcegraph.com/admin/updates/kubernetes)

### Test plan
Run the example overrides from the thread and see if the executor runs
and doesn't fail. In particular we want a _named_ user that is not
privileged.

 <br> Backport 45e5817 from #632

Co-authored-by: Anish Lakhwara <[email protected]>

Author: sourcegraph-release-bot

charts/sourcegraph-executor/k8s/README.md

@@ -89,6 +89,7 @@ In addition to the documented values, the `executor` and `private-docker-registr
 | executor.queueName | string | `""` | The name of the queue to pull jobs from to. Possible values: batches and codeintel. **Either this or queueNames is required.** |
 | executor.queueNames | list | `[]` | The names of multiple queues to pull jobs from to. Possible values: batches and codeintel. **Either this or queueName is required.** |
 | executor.replicas | int | `1` |  |
+| executor.securityContext | object | `{"fsGroup":null,"privileged":false,"runAsGroup":null,"runAsUser":null}` | The containerSecurityContext for the executor image |
 | executor.storageSize | string | `"10Gi"` | The storage size of the PVC attached to the executor deployment. |
 | executor.tolerations | list | `[]` | Tolerations, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |
 | sourcegraph.affinity | object | `{}` | Affinity, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) |

charts/sourcegraph-executor/k8s/templates/executor.Deployment.yaml

@@ -44,12 +44,16 @@ spec:
         {{- include "executor.labels" . | nindent 8 }}
     spec:
       securityContext:
-        fsGroup: {{ .Values.executor.kubernetesJob.fsGroup }}
+        fsGroup: {{ .Values.executor.securityContext.fsGroup }}
+        runAsUser: {{ .Values.executor.securityContext.runAsUser }}
+        runAsGroup: {{ .Values.executor.securityContext.runAsGroup }}
       serviceAccountName: sg-executor
       containers:
         - name: executor
           image: {{ include "sourcegraph.image" (list . "executor") }}
           imagePullPolicy: {{ .Values.sourcegraph.image.pullPolicy }}
+          securityContext:
+            privileged: {{ .Values.executor.securityContext.privileged }}
           ports:
             - containerPort: 6060
               name: debug

charts/sourcegraph-executor/k8s/values.yaml

@@ -90,6 +90,16 @@ executor:
   namespace: "default"
   # -- The path to the kubeconfig file. If not specified, the in-cluster config is used.
   kubeconfigPath: ""
+  # -- The containerSecurityContext for the executor image
+  securityContext:
+    # @default -- nil; accepts [0, 2147483647]
+    runAsUser: 
+    # @default -- nil; accepts [0, 2147483647]
+    runAsGroup: 
+    # @default -- nil; accepts [0, 2147483647]
+    fsGroup:
+    # @default -- false; accepts [true, false]
+    privileged: false
 
   kubernetesJob:
     # -- The number of seconds after which a Kubernetes job will be terminated.