From abd0b7dbbca1bfa012bf5562041ae110c51d426c Mon Sep 17 00:00:00 2001
From: Itx-Psycho0
Date: Thu, 7 May 2026 00:54:55 +0530
Subject: [PATCH] fix: add FSGroup to Tekton PipelineRun podTemplate for s390x/ppc64le support

Fixes #3515

Remote Quarkus builds were failing on s390x and ppc64le clusters due to FSGroup permissions not being honored on the build PersistentVolume. This fix adds a podTemplate with securityContext (including fsGroup) to both Pack and S2I PipelineRun templates. This ensures all Tekton task pods inherit proper security context for volume access on architectures where FSGroup permissions need explicit configuration.

Changes:
- Add podTemplate with securityContext to packRunTemplate
- Add podTemplate with securityContext to packRunTemplatePAC
- Add podTemplate with securityContext to s2iRunTemplate
- Add podTemplate with securityContext to s2iRunTemplatePAC
- Add test to verify podTemplate with securityContext is present

Security context values:
- runAsUser: 1001 (matches Tekton buildpack task)
- runAsGroup: 0 (matches Tekton buildpack task)
- fsGroup: 1002 (ensures volume ownership for non-root users)
---
 pkg/pipelines/tekton/templates_pack.go | 10 ++++
 pkg/pipelines/tekton/templates_s2i.go | 10 ++++
 pkg/pipelines/tekton/templates_test.go | 81 ++++++++++++++++++++++++++
 3 files changed, 101 insertions(+)

diff --git a/pkg/pipelines/tekton/templates_pack.go b/pkg/pipelines/tekton/templates_pack.go
index d4e73dc4b7..5d6b7859e5 100644
--- a/pkg/pipelines/tekton/templates_pack.go
+++ b/pkg/pipelines/tekton/templates_pack.go
@@ -125,6 +125,11 @@ spec:
 value: "{{.Commit}}"
 pipelineRef:
 name: {{.PipelineName}}
+ podTemplate:
+ securityContext:
+ runAsUser: 1001
+ runAsGroup: 0
+ fsGroup: 1002
 workspaces:
 - name: source-workspace
 persistentVolumeClaim:
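Review bot: The `securityContext` added under `podTemplate` is pod-level, so it applies to every TaskRun pod in the run (fetch, build, deploy), not only the buildpacks task the commit says `runAsUser: 1001` / `runAsGroup: 0` were copied from, and the values are fixed in the template rather than parameters. On clusters that assign UIDs/GIDs from a namespace range (OpenShift's restricted SCC, for example) a hard-coded `runAsUser: 1001` / `fsGroup: 1002` may be rejected or remapped, so whether this helps or breaks a given cluster depends on its admission policy; that trade-off is not recorded anywhere in the template. The same block is duplicated verbatim in the second hunk of templates_pack.go and in both hunks of templates_s2i.go, so a single template fragment or a small set of `{{.}}` fields with these defaults would keep the four copies from drifting. At minimum, add a note next to the block, either as a Go comment above the template variable (outside this hunk) or as a YAML comment inside it: `# Applies to every task pod in this run; fsGroup makes the source PVC group-writable for the non-root build steps (s390x/ppc64le, #3515).` The enclosing raw-string template begins and ends outside the hunk.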
@@ -185,6 +190,11 @@ spec:
 {{end}}
 pipelineRef:
 name: {{.PipelineName}}
+ podTemplate:
+ securityContext:
+ runAsUser: 1001
+ runAsGroup: 0
+ fsGroup: 1002
 workspaces:
 - name: source-workspace
 persistentVolumeClaim:
diff --git a/pkg/pipelines/tekton/templates_s2i.go b/pkg/pipelines/tekton/templates_s2i.go
index 8eb5ccd7a0..4063add270 100644
--- a/pkg/pipelines/tekton/templates_s2i.go
+++ b/pkg/pipelines/tekton/templates_s2i.go
@@ -136,6 +136,11 @@ spec:
 value: "{{.Commit}}"
 pipelineRef:
 name: {{.PipelineName}}
+ podTemplate:
+ securityContext:
+ runAsUser: 1001
+ runAsGroup: 0
+ fsGroup: 1002
 workspaces:
 - name: source-workspace
 persistentVolumeClaim:
@@ -203,6 +208,11 @@ spec:
 value: {{.TlsVerify}}
 pipelineRef:
 name: {{.PipelineName}}
+ podTemplate:
+ securityContext:
+ runAsUser: 1001
+ runAsGroup: 0
+ fsGroup: 1002
 workspaces:
 - name: source-workspace
 persistentVolumeClaim:
diff --git a/pkg/pipelines/tekton/templates_test.go b/pkg/pipelines/tekton/templates_test.go
index 14cfcfb292..6624540d45 100644
--- a/pkg/pipelines/tekton/templates_test.go
+++ b/pkg/pipelines/tekton/templates_test.go
@@ -1,7 +1,9 @@
 package tekton
 
 import (
+ "os"
 "path/filepath"
+ "strings"
 "testing"
 
 "github.com/manifestival/manifestival"
@@ -322,3 +324,82 @@ func Test_createAndApplyPipelineRunTemplate(t *testing.T) {
 })
 }
 }
+
+func Test_PipelineRunHasPodTemplateSecurityContext(t *testing.T) {
+ tests := []struct {
+ name string
+ root string
+ builder string
+ runtime string
+ }{
+ {
+ name: "pack builder with quarkus",
+ root: "testdata/testCreatePipelinePackQuarkus",
+ builder: builders.Pack,
+ runtime: "quarkus",
+ },
+ {
+ name: "s2i builder with quarkus",
+ root: "testdata/testCreatePipelineS2IQuarkus",
+ builder: builders.S2I,
+ runtime: "quarkus",
+ },
+ }
+
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ root := tt.root + "Run"
+ defer Using(t, root)()
+
+ f, err := fn.NewFunction(root)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ f.Build.Builder = tt.builder
+ f.Runtime = tt.runtime
+ f.Image = "docker.io/alice/" + f.Name
+ f.Registry = TestRegistry
+
+ // Create the PipelineRun template
+ err = createPipelineRunTemplatePAC(f, make(map[string]string))
+ if err != nil {
+ t.Fatalf("createPipelineRunTemplatePAC() error = %v", err)
+ }
+
+ // Read the generated file and verify it contains podTemplate with securityContext
+ fp := filepath.Join(root, resourcesDirectory, pipelineRunFilenamePAC)
+ content, err := os.ReadFile(fp)
+ if err != nil {
+ t.Fatalf("failed to read generated PipelineRun: %v", err)
+ }
+
+ contentStr := string(content)
+
+ // Verify podTemplate is present
+ if !strings.Contains(contentStr, "podTemplate:") {
+ t.Error("podTemplate not found in generated PipelineRun")
+ }
+
+ // Verify securityContext is present
+ if !strings.Contains(contentStr, "securityContext:") {
+ t.Error("securityContext not found in podTemplate")
+ }
+
+ // Verify fsGroup is set
+ if !strings.Contains(contentStr, "fsGroup: 1002") {
+ t.Error("fsGroup not set to 1002 in securityContext")
+ }
+
+ // Verify runAsUser is set
+ if !strings.Contains(contentStr, "runAsUser: 1001") {
+ t.Error("runAsUser not set to 1001 in securityContext")
+ }
+
+ // Verify runAsGroup is set
+ if !strings.Contains(contentStr, "runAsGroup: 0") {
+ t.Error("runAsGroup not set to 0 in securityContext")
+ }
+ })
+ }
+}
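Review bot: The new test only renders through `createPipelineRunTemplatePAC`, so the non-PAC templates changed by the first hunk of templates_pack.go and templates_s2i.go (`packRunTemplate` and `s2iRunTemplate` per the commit message) get no coverage; `Test_createAndApplyPipelineRunTemplate`, which ends just above this hunk, looks like the natural place for the same assertions if its rendered output is reachable there. The five `strings.Contains` checks also accept each fragment anywhere in the file, so they would still pass if `securityContext` were rendered at the wrong nesting level or under a different task; decoding the manifest (this file already imports manifestival) and asserting on `spec.podTemplate.securityContext` would pin the structure rather than the text. As a smaller step, the five near-identical blocks collapse into one loop over the expected fragments, which also reports the generated file's path on failure, as shown below.
```go
			contentStr := string(content)
			for _, want := range []string{"podTemplate:", "securityContext:", "runAsUser: 1001", "runAsGroup: 0", "fsGroup: 1002"} {
				if !strings.Contains(contentStr, want) {
					t.Errorf("generated PipelineRun %s does not contain %q", fp, want)
				}
			}
			// … unchanged: end of the t.Run closure and the test loop …
```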