diff --git a/CHANGELOG.md b/CHANGELOG.md
index f8a14f6f8ddbb1865c14c41c6e66953c0c2a3ead..a3936dade3cc9cea20b6676efc1e2749243b3e29 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 ---
 
+## [8.3.0-bb.1] (2024-11-04)
+
+### Changed
+
+- fix template helper to include proper security context
+
 ## [8.3.0-bb.0] (2024-10-23)
 
 ### Changed
diff --git a/README.md b/README.md
index ed8146e260e6b77f5fcd1f16e6907ff09e529fd6..0754fa84ebd1570e4173915aae60f3a183bc26d5 100644
--- a/README.md
+++ b/README.md
@@ -1,15 +1,14 @@
 <!-- Warning: Do not manually edit this file. See notes on gluon + helm-docs at the end of this file for more information. -->
 # gitlab
 
-![Version: 8.3.6-bb.0](https://img.shields.io/badge/Version-8.3.6--bb.0-informational?style=flat-square) ![AppVersion: v17.3.6](https://img.shields.io/badge/AppVersion-v17.3.6-informational?style=flat-square)
+![Version: 8.3.6-bb.1](https://img.shields.io/badge/Version-8.3.6--bb.1-informational?style=flat-square) ![AppVersion: v17.3.6](https://img.shields.io/badge/AppVersion-v17.3.6-informational?style=flat-square)
 
 GitLab is the most comprehensive AI-powered DevSecOps Platform.
 
 ## Upstream References
-
 - <https://about.gitlab.com/>
 
-- <https://gitlab.com/gitlab-org/charts/gitlab>
+* <https://gitlab.com/gitlab-org/charts/gitlab>
 
 ## Upstream Release Notes
 
@@ -28,7 +27,7 @@ The [upstream chart's release notes](https://gitlab.com/gitlab-org/charts/gitlab
 
 Install Helm
 
-<https://helm.sh/docs/intro/install/>
+https://helm.sh/docs/intro/install/
 
 ## Deployment
 
@@ -417,9 +416,6 @@ helm install gitlab chart/
 | global.extraEnvFrom | object | `{}` |  |
 | global.job.nameSuffixOverride | string | `nil` |  |
 | global.traefik.apiVersion | string | `""` |  |
-| containerSecurityContext.runAsUser | int | `65534` |  |
-| containerSecurityContext.runAsGroup | int | `65534` |  |
-| containerSecurityContext.capabilities.drop[0] | string | `"ALL"` |  |
 | upgradeCheck.enabled | bool | `true` |  |
 | upgradeCheck.image.repository | string | `"registry1.dso.mil/ironbank/redhat/ubi/ubi9"` |  |
 | upgradeCheck.image.tag | string | `"9.4"` |  |
@@ -427,7 +423,9 @@ helm install gitlab chart/
 | upgradeCheck.securityContext.runAsUser | int | `65534` |  |
 | upgradeCheck.securityContext.runAsGroup | int | `65534` |  |
 | upgradeCheck.securityContext.fsGroup | int | `65534` |  |
-| upgradeCheck.containerSecurityContext | object | `{}` |  |
+| upgradeCheck.containerSecurityContext.runAsUser | int | `65534` |  |
+| upgradeCheck.containerSecurityContext.runAsGroup | int | `65534` |  |
+| upgradeCheck.containerSecurityContext.capabilities.drop[0] | string | `"ALL"` |  |
 | upgradeCheck.tolerations | list | `[]` |  |
 | upgradeCheck.annotations."sidecar.istio.io/inject" | string | `"true"` |  |
 | upgradeCheck.configMapAnnotations | object | `{}` |  |
@@ -443,11 +441,11 @@ helm install gitlab chart/
 | nginx-ingress-geo.<<.enabled | bool | `false` |  |
 | nginx-ingress.tcpExternalConfig | string | `"true"` |  |
 | nginx-ingress-geo.<<.tcpExternalConfig | string | `"true"` |  |
+| nginx-ingress-geo.controller.<<.addHeaders.Referrer-Policy | string | `"strict-origin-when-cross-origin"` |  |
 | nginx-ingress.controller.addHeaders.Referrer-Policy | string | `"strict-origin-when-cross-origin"` |  |
 | nginx-ingress-geo.<<.controller.addHeaders.Referrer-Policy | string | `"strict-origin-when-cross-origin"` |  |
-| nginx-ingress-geo.controller.<<.addHeaders.Referrer-Policy | string | `"strict-origin-when-cross-origin"` |  |
-| nginx-ingress-geo.<<.controller.config.annotation-value-word-blocklist | string | `"load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},',\""` |  |
 | nginx-ingress.controller.config.annotation-value-word-blocklist | string | `"load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},',\""` |  |
+| nginx-ingress-geo.<<.controller.config.annotation-value-word-blocklist | string | `"load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},',\""` |  |
 | nginx-ingress-geo.controller.<<.config.annotation-value-word-blocklist | string | `"load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},',\""` |  |
 | nginx-ingress-geo.controller.config.<<.annotation-value-word-blocklist | string | `"load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},',\""` |  |
 | nginx-ingress-geo.controller.config.<<.hsts | string | `"true"` |  |
@@ -467,86 +465,86 @@ helm install gitlab chart/
 | nginx-ingress-geo.<<.controller.config.server-name-hash-bucket-size | string | `"256"` |  |
 | nginx-ingress.controller.config.server-name-hash-bucket-size | string | `"256"` |  |
 | nginx-ingress-geo.controller.config.<<.use-http2 | string | `"true"` |  |
-| nginx-ingress.controller.config.use-http2 | string | `"true"` |  |
 | nginx-ingress-geo.controller.<<.config.use-http2 | string | `"true"` |  |
+| nginx-ingress.controller.config.use-http2 | string | `"true"` |  |
 | nginx-ingress-geo.<<.controller.config.use-http2 | string | `"true"` |  |
-| nginx-ingress-geo.<<.controller.config.ssl-ciphers | string | `"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"` |  |
 | nginx-ingress.controller.config.ssl-ciphers | string | `"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"` |  |
 | nginx-ingress-geo.controller.<<.config.ssl-ciphers | string | `"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"` |  |
+| nginx-ingress-geo.<<.controller.config.ssl-ciphers | string | `"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"` |  |
 | nginx-ingress-geo.controller.config.<<.ssl-ciphers | string | `"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"` |  |
 | nginx-ingress-geo.<<.controller.config.ssl-protocols | string | `"TLSv1.3 TLSv1.2"` |  |
+| nginx-ingress-geo.controller.config.<<.ssl-protocols | string | `"TLSv1.3 TLSv1.2"` |  |
 | nginx-ingress.controller.config.ssl-protocols | string | `"TLSv1.3 TLSv1.2"` |  |
 | nginx-ingress-geo.controller.<<.config.ssl-protocols | string | `"TLSv1.3 TLSv1.2"` |  |
-| nginx-ingress-geo.controller.config.<<.ssl-protocols | string | `"TLSv1.3 TLSv1.2"` |  |
-| nginx-ingress-geo.controller.config.<<.server-tokens | string | `"false"` |  |
-| nginx-ingress-geo.controller.<<.config.server-tokens | string | `"false"` |  |
-| nginx-ingress.controller.config.server-tokens | string | `"false"` |  |
 | nginx-ingress-geo.<<.controller.config.server-tokens | string | `"false"` |  |
+| nginx-ingress.controller.config.server-tokens | string | `"false"` |  |
+| nginx-ingress-geo.controller.<<.config.server-tokens | string | `"false"` |  |
+| nginx-ingress-geo.controller.config.<<.server-tokens | string | `"false"` |  |
+| nginx-ingress.controller.config.upstream-keepalive-connections | int | `100` |  |
 | nginx-ingress-geo.<<.controller.config.upstream-keepalive-connections | int | `100` |  |
 | nginx-ingress-geo.controller.<<.config.upstream-keepalive-connections | int | `100` |  |
 | nginx-ingress-geo.controller.config.<<.upstream-keepalive-connections | int | `100` |  |
-| nginx-ingress.controller.config.upstream-keepalive-connections | int | `100` |  |
 | nginx-ingress-geo.controller.config.<<.upstream-keepalive-time | string | `"30s"` |  |
-| nginx-ingress-geo.controller.<<.config.upstream-keepalive-time | string | `"30s"` |  |
 | nginx-ingress-geo.<<.controller.config.upstream-keepalive-time | string | `"30s"` |  |
+| nginx-ingress-geo.controller.<<.config.upstream-keepalive-time | string | `"30s"` |  |
 | nginx-ingress.controller.config.upstream-keepalive-time | string | `"30s"` |  |
-| nginx-ingress.controller.config.upstream-keepalive-timeout | int | `5` |  |
 | nginx-ingress-geo.controller.<<.config.upstream-keepalive-timeout | int | `5` |  |
-| nginx-ingress-geo.<<.controller.config.upstream-keepalive-timeout | int | `5` |  |
+| nginx-ingress.controller.config.upstream-keepalive-timeout | int | `5` |  |
 | nginx-ingress-geo.controller.config.<<.upstream-keepalive-timeout | int | `5` |  |
+| nginx-ingress-geo.<<.controller.config.upstream-keepalive-timeout | int | `5` |  |
 | nginx-ingress.controller.config.upstream-keepalive-requests | int | `1000` |  |
+| nginx-ingress-geo.<<.controller.config.upstream-keepalive-requests | int | `1000` |  |
 | nginx-ingress-geo.controller.<<.config.upstream-keepalive-requests | int | `1000` |  |
 | nginx-ingress-geo.controller.config.<<.upstream-keepalive-requests | int | `1000` |  |
-| nginx-ingress-geo.<<.controller.config.upstream-keepalive-requests | int | `1000` |  |
 | nginx-ingress-geo.<<.controller.service.externalTrafficPolicy | string | `"Local"` |  |
-| nginx-ingress-geo.controller.<<.service.externalTrafficPolicy | string | `"Local"` |  |
 | nginx-ingress.controller.service.externalTrafficPolicy | string | `"Local"` |  |
-| nginx-ingress-geo.<<.controller.ingressClassByName | bool | `false` |  |
+| nginx-ingress-geo.controller.<<.service.externalTrafficPolicy | string | `"Local"` |  |
 | nginx-ingress-geo.controller.<<.ingressClassByName | bool | `false` |  |
+| nginx-ingress-geo.<<.controller.ingressClassByName | bool | `false` |  |
 | nginx-ingress.controller.ingressClassByName | bool | `false` |  |
-| nginx-ingress-geo.<<.controller.ingressClassResource.name | string | `"{{ include \"ingress.class.name\" $ }}"` |  |
 | nginx-ingress.controller.ingressClassResource.name | string | `"{{ include \"ingress.class.name\" $ }}"` |  |
+| nginx-ingress-geo.<<.controller.ingressClassResource.name | string | `"{{ include \"ingress.class.name\" $ }}"` |  |
 | nginx-ingress-geo.controller.<<.ingressClassResource.name | string | `"{{ include \"ingress.class.name\" $ }}"` |  |
-| nginx-ingress-geo.controller.<<.resources.requests.cpu | string | `"100m"` |  |
 | nginx-ingress.controller.resources.requests.cpu | string | `"100m"` |  |
 | nginx-ingress-geo.<<.controller.resources.requests.cpu | string | `"100m"` |  |
-| nginx-ingress-geo.controller.<<.resources.requests.memory | string | `"100Mi"` |  |
+| nginx-ingress-geo.controller.<<.resources.requests.cpu | string | `"100m"` |  |
 | nginx-ingress.controller.resources.requests.memory | string | `"100Mi"` |  |
+| nginx-ingress-geo.controller.<<.resources.requests.memory | string | `"100Mi"` |  |
 | nginx-ingress-geo.<<.controller.resources.requests.memory | string | `"100Mi"` |  |
+| nginx-ingress-geo.<<.controller.publishService.enabled | bool | `true` |  |
 | nginx-ingress-geo.controller.<<.publishService.enabled | bool | `true` |  |
 | nginx-ingress.controller.publishService.enabled | bool | `true` |  |
-| nginx-ingress-geo.<<.controller.publishService.enabled | bool | `true` |  |
+| nginx-ingress-geo.controller.<<.replicaCount | int | `2` |  |
 | nginx-ingress-geo.<<.controller.replicaCount | int | `2` |  |
 | nginx-ingress.controller.replicaCount | int | `2` |  |
-| nginx-ingress-geo.controller.<<.replicaCount | int | `2` |  |
+| nginx-ingress-geo.controller.<<.minAvailable | int | `1` |  |
 | nginx-ingress.controller.minAvailable | int | `1` |  |
 | nginx-ingress-geo.<<.controller.minAvailable | int | `1` |  |
-| nginx-ingress-geo.controller.<<.minAvailable | int | `1` |  |
-| nginx-ingress-geo.controller.<<.scope.enabled | bool | `true` |  |
 | nginx-ingress.controller.scope.enabled | bool | `true` |  |
 | nginx-ingress-geo.<<.controller.scope.enabled | bool | `true` |  |
+| nginx-ingress-geo.controller.<<.scope.enabled | bool | `true` |  |
 | nginx-ingress-geo.controller.<<.metrics.enabled | bool | `true` |  |
-| nginx-ingress.controller.metrics.enabled | bool | `true` |  |
 | nginx-ingress-geo.<<.controller.metrics.enabled | bool | `true` |  |
+| nginx-ingress.controller.metrics.enabled | bool | `true` |  |
 | nginx-ingress-geo.controller.<<.metrics.service.annotations."gitlab.com/prometheus_scrape" | string | `"true"` |  |
 | nginx-ingress.controller.metrics.service.annotations."gitlab.com/prometheus_scrape" | string | `"true"` |  |
 | nginx-ingress-geo.<<.controller.metrics.service.annotations."gitlab.com/prometheus_scrape" | string | `"true"` |  |
 | nginx-ingress.controller.metrics.service.annotations."gitlab.com/prometheus_port" | string | `"10254"` |  |
 | nginx-ingress-geo.<<.controller.metrics.service.annotations."gitlab.com/prometheus_port" | string | `"10254"` |  |
 | nginx-ingress-geo.controller.<<.metrics.service.annotations."gitlab.com/prometheus_port" | string | `"10254"` |  |
-| nginx-ingress.controller.metrics.service.annotations."prometheus.io/scrape" | string | `"true"` |  |
 | nginx-ingress-geo.controller.<<.metrics.service.annotations."prometheus.io/scrape" | string | `"true"` |  |
 | nginx-ingress-geo.<<.controller.metrics.service.annotations."prometheus.io/scrape" | string | `"true"` |  |
+| nginx-ingress.controller.metrics.service.annotations."prometheus.io/scrape" | string | `"true"` |  |
 | nginx-ingress-geo.controller.<<.metrics.service.annotations."prometheus.io/port" | string | `"10254"` |  |
 | nginx-ingress-geo.<<.controller.metrics.service.annotations."prometheus.io/port" | string | `"10254"` |  |
 | nginx-ingress.controller.metrics.service.annotations."prometheus.io/port" | string | `"10254"` |  |
+| nginx-ingress-geo.<<.controller.admissionWebhooks.enabled | bool | `false` |  |
 | nginx-ingress.controller.admissionWebhooks.enabled | bool | `false` |  |
 | nginx-ingress-geo.controller.<<.admissionWebhooks.enabled | bool | `false` |  |
-| nginx-ingress-geo.<<.controller.admissionWebhooks.enabled | bool | `false` |  |
 | nginx-ingress-geo.<<.defaultBackend.resources.requests.cpu | string | `"5m"` |  |
 | nginx-ingress.defaultBackend.resources.requests.cpu | string | `"5m"` |  |
-| nginx-ingress-geo.<<.defaultBackend.resources.requests.memory | string | `"5Mi"` |  |
 | nginx-ingress.defaultBackend.resources.requests.memory | string | `"5Mi"` |  |
+| nginx-ingress-geo.<<.defaultBackend.resources.requests.memory | string | `"5Mi"` |  |
 | nginx-ingress.rbac.create | bool | `true` |  |
 | nginx-ingress-geo.<<.rbac.create | bool | `true` |  |
 | nginx-ingress-geo.<<.rbac.scope | bool | `false` |  |
@@ -1127,3 +1125,4 @@ Please see the [contributing guide](./CONTRIBUTING.md) if you are interested in
 ---
 
 _This file is programatically generated using `helm-docs` and some BigBang-specific templates. The `gluon` repository has [instructions for regenerating package READMEs](https://repo1.dso.mil/big-bang/product/packages/gluon/-/blob/master/docs/bb-package-readme.md)._
+
diff --git a/chart/Chart.yaml b/chart/Chart.yaml
index bdb9c2f2723e78f1532d95fd8ae148a4e4cbf645..17e88ab33bfc246d198cde5fbcc0ac05e9c18ebd 100644
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
@@ -1,7 +1,7 @@
 ---
 apiVersion: v1
 name: gitlab
-version: 8.3.6-bb.0
+version: 8.3.6-bb.1
 appVersion: v17.3.6
 description: GitLab is the most comprehensive AI-powered DevSecOps Platform.
 keywords:
diff --git a/chart/templates/upgrade_check_hook.yaml b/chart/templates/upgrade_check_hook.yaml
index 5552ad10e4d4ff9d92f55a0302e6007a2772d6dd..7718bc91b08361269e580f6693816baa968c19b2 100644
--- a/chart/templates/upgrade_check_hook.yaml
+++ b/chart/templates/upgrade_check_hook.yaml
@@ -60,6 +60,7 @@ spec:
       {{- end }}
       securityContext:
         runAsUser: {{ .Values.upgradeCheck.securityContext.runAsUser }}
+        runAsGroup: {{ .Values.upgradeCheck.securityContext.runAsGroup }}
         fsGroup: {{ .Values.upgradeCheck.securityContext.fsGroup }}
       restartPolicy: Never
       {{- include "gitlab.image.pullSecrets" $imageCfg | nindent 6}}
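Review bot: The pod-level `securityContext` here is still rendered field by field, so only `runAsUser`, `runAsGroup` and `fsGroup` ever reach the Job. Any other hardening key an operator sets under `upgradeCheck.securityContext` (for example `runAsNonRoot` or `seccompProfile`) is silently dropped. Rendering the whole map would avoid another one-line patch the next time a field is missing: `{{- toYaml .Values.upgradeCheck.securityContext | nindent 8 }}` under `securityContext:`. The Job spec starts and ends outside this hunk, so the container-level context cannot be checked from here.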
diff --git a/chart/values.yaml b/chart/values.yaml
index 388ce5b69f1b7f2d0e411221365e7e19db651c71..aee59e442f5cc255edfdb2150fb3f630a20276df 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -946,13 +946,6 @@ global:
 
 ## End of global
 
-# Needed for upgradeCheck containerSecurityContext values
-containerSecurityContext:
-  runAsUser: 65534
-  runAsGroup: 65534
-  capabilities:
-    drop:
-      - ALL
 upgradeCheck:
   enabled: true
   image:
@@ -965,12 +958,12 @@ upgradeCheck:
     runAsUser: 65534
     runAsGroup: 65534
     fsGroup: 65534
-  #The below values are used above not nested under upgradeCheck
-  #containerSecurityContext:
-  #  capabilities:
-  #    drop:
-  #      - ALL
-  containerSecurityContext: {}
+  containerSecurityContext:
+    runAsUser: 65534
+    runAsGroup: 65534
+    capabilities:
+      drop:
+        - ALL
   tolerations: []
   annotations:
     sidecar.istio.io/inject: "true"
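Review bot: Moving the container defaults from the top-level `containerSecurityContext` to `upgradeCheck.containerSecurityContext` only helps if the template or helper that renders the hook container reads the new path, and that change is not visible in this diff. If it still reads `.Values.containerSecurityContext`, the container would lose `capabilities.drop: [ALL]` and the non-root UID/GID. Confirm with `helm template` that the rendered upgrade-check container carries all three settings. Existing overrides of the old top-level key will now be ignored without warning, which deserves a line in the changelog entry. While this block is being touched, consider adding `allowPrivilegeEscalation: false` and `runAsNonRoot: true` alongside the dropped capabilities.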