[Bug]: Helm chart: split pod and container securityContext values for StatefulSet

[gjorgi-stojanov-fntext]

ChromaDB Version

0.5.x

Kubernetes Version

1.32.x

What happened?

Summary

The chromadb Helm chart currently uses the same values map for both:

• pod spec.securityContext
• container securityContext

This makes it difficult to configure the chart correctly for Kubernetes Pod Security Standards, especially restricted, because pod-level and container-level security context fields are not the same.

Current behavior

In the StatefulSet template, both of these are sourced from the same value:

spec:
  securityContext: {{ toYaml .Values.podSpec.securityContext | nindent 8 }}

and

containers:
  - name: chromadb
    securityContext: {{ .Values.podSpec.securityContext | toYaml | nindent 14 }}

The problem

Some fields belong at the pod level, for example:

-fsGroup
-fsGroupChangePolicy
-seccompProfile

Other fields belong at the container level, for example:

-runAsUser
-runAsGroup
-runAsNonRoot
-readOnlyRootFilesystem
-allowPrivilegeEscalation
-capabilities

When a single values object is reused for both, users cannot cleanly configure a hardened deployment on production environments.

Expected behavior

The chart should support separate values, for example:

podSecurityContext: {}
containerSecurityContext: {}

Environment details

AKS

Logs, Kubectl output, Manifests, etc.