From 7582b79aeb9fa8f8af9e1c48e3de85f5befb78ae Mon Sep 17 00:00:00 2001
From: Itx-Psycho0
Date: Mon, 1 Jun 2026 22:21:45 +0530
Subject: [PATCH] fix: use taskRunTemplate for podTemplate in Tekton v1 PipelineRuns PR #3665 added podTemplate with securityContext to fix s390x/ppc64le FSGroup issues, but used the v1beta1 API syntax (spec.podTemplate) instead of the v1 API syntax (spec.taskRunTemplate.podTemplate). This caused the podTemplate field to be silently ignored by Kubernetes, making the fix ineffective on both KinD and OCP clusters. Changes: - Move podTemplate under taskRunTemplate in packRunTemplate - Move podTemplate under taskRunTemplate in packRunTemplatePAC - Move podTemplate under taskRunTemplate in s2iRunTemplate - Move podTemplate under taskRunTemplate in s2iRunTemplatePAC - Update test to verify taskRunTemplate is present This follows the Tekton v1 API migration guide: https://tekton.dev/docs/pipelines/migrating-v1beta1-to-v1/ Fixes the issue reported by @matejvasek in PR #3665 where the security context was not being applied on KinD or OCP. Related: #3665, #3515, #3781
---
 pkg/pipelines/tekton/templates_pack.go | 22 ++++++++++++----------
 pkg/pipelines/tekton/templates_s2i.go | 22 ++++++++++++----------
 pkg/pipelines/tekton/templates_test.go | 9 +++++++--
 3 files changed, 31 insertions(+), 22 deletions(-)
diff --git a/pkg/pipelines/tekton/templates_pack.go b/pkg/pipelines/tekton/templates_pack.go
index 5d6b7859e5..1ea6ecb7b7 100644
--- a/pkg/pipelines/tekton/templates_pack.go
+++ b/pkg/pipelines/tekton/templates_pack.go
@@ -125,11 +125,12 @@ spec:
 value: "{{.Commit}}"
 pipelineRef:
 name: {{.PipelineName}}
- podTemplate:
- securityContext:
- runAsUser: 1001
- runAsGroup: 0
- fsGroup: 1002
+ taskRunTemplate:
+ podTemplate:
+ securityContext:
+ runAsUser: 1001
+ runAsGroup: 0
+ fsGroup: 1002
 workspaces:
 - name: source-workspace
 persistentVolumeClaim:
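Review bot: With the block moved under `taskRunTemplate`, the fixed `runAsUser: 1001` / `runAsGroup: 0` / `fsGroup: 1002` now actually take effect, and they apply to the pod of every TaskRun in the PipelineRun rather than only to the build step; the same block is repeated in the second hunk of this file and in both hunks of templates_s2i.go. Nothing in the diff shows that every task image runs correctly as UID 1001, or that admission (Pod Security Admission, or an OpenShift SCC that restricts UID and fsGroup ranges) accepts these literal IDs, so this is presumably worth an end-to-end run on both KinD and OCP before relying on it. I would record the intent next to the block, e.g. `# applied to every TaskRun pod; UID 1001 / GID 0 / fsGroup 1002 must be permitted by the namespace's admission policy`, and consider adding `runAsNonRoot: true` so the non-root expectation is enforced rather than implied. The template string that encloses this YAML starts and ends outside the hunk.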
@@ -190,11 +191,12 @@ spec:
 {{end}}
 pipelineRef:
 name: {{.PipelineName}}
- podTemplate:
- securityContext:
- runAsUser: 1001
- runAsGroup: 0
- fsGroup: 1002
+ taskRunTemplate:
+ podTemplate:
+ securityContext:
+ runAsUser: 1001
+ runAsGroup: 0
+ fsGroup: 1002
 workspaces:
 - name: source-workspace
 persistentVolumeClaim:
diff --git a/pkg/pipelines/tekton/templates_s2i.go b/pkg/pipelines/tekton/templates_s2i.go
index 4063add270..b38408e383 100644
--- a/pkg/pipelines/tekton/templates_s2i.go
+++ b/pkg/pipelines/tekton/templates_s2i.go
@@ -136,11 +136,12 @@ spec:
 value: "{{.Commit}}"
 pipelineRef:
 name: {{.PipelineName}}
- podTemplate:
- securityContext:
- runAsUser: 1001
- runAsGroup: 0
- fsGroup: 1002
+ taskRunTemplate:
+ podTemplate:
+ securityContext:
+ runAsUser: 1001
+ runAsGroup: 0
+ fsGroup: 1002
 workspaces:
 - name: source-workspace
 persistentVolumeClaim:
@@ -208,11 +209,12 @@ spec:
 value: {{.TlsVerify}}
 pipelineRef:
 name: {{.PipelineName}}
- podTemplate:
- securityContext:
- runAsUser: 1001
- runAsGroup: 0
- fsGroup: 1002
+ taskRunTemplate:
+ podTemplate:
+ securityContext:
+ runAsUser: 1001
+ runAsGroup: 0
+ fsGroup: 1002
 workspaces:
 - name: source-workspace
 persistentVolumeClaim:
diff --git a/pkg/pipelines/tekton/templates_test.go b/pkg/pipelines/tekton/templates_test.go
index 6624540d45..481bdb3c5d 100644
--- a/pkg/pipelines/tekton/templates_test.go
+++ b/pkg/pipelines/tekton/templates_test.go
@@ -376,9 +376,14 @@ func Test_PipelineRunHasPodTemplateSecurityContext(t *testing.T) {
 contentStr := string(content)
- // Verify podTemplate is present
+ // Verify taskRunTemplate is present (Tekton v1 API requirement)
+ if !strings.Contains(contentStr, "taskRunTemplate:") {
+ t.Error("taskRunTemplate not found in generated PipelineRun")
+ }
+
+ // Verify podTemplate is nested under taskRunTemplate
 if !strings.Contains(contentStr, "podTemplate:") {
- t.Error("podTemplate not found in generated PipelineRun")
+ t.Error("podTemplate not found in taskRunTemplate")
 }
 // Verify securityContext is present
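Review bot: The two `strings.Contains` checks are independent, so the test still passes when `podTemplate:` sits directly under `spec` as long as a `taskRunTemplate:` key exists anywhere in the output; the message "podTemplate not found in taskRunTemplate" asserts a nesting the code never checks. Because the original bug was a misplaced field that was silently ignored, the test should pin the path, for example `if !regexp.MustCompile("taskRunTemplate:\\s*\\n\\s+podTemplate:\\s*\\n\\s+securityContext:").MatchString(contentStr) {` (needs the `regexp` import). Stronger still would be decoding the rendered YAML into the Tekton v1 PipelineRun type with strict unknown-field checking, if the test package can reach that type, since that rejects any field placed at a level the schema does not define. The test function starts before and continues past this hunk.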