From 0d2dbb7f4961eab888e724671cc2a6f382d21f3e Mon Sep 17 00:00:00 2001
From: Tess Flynn
Date: Thu, 8 Feb 2024 14:27:39 -0600
Subject: [PATCH] Set fsGroup by default, add initContainer when persistence is enabled.
---
 charts/pantheon-backup/templates/cronjob.yaml | 12 ++++++++++++
 charts/pantheon-backup/values.yaml | 4 ++--
 2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/charts/pantheon-backup/templates/cronjob.yaml b/charts/pantheon-backup/templates/cronjob.yaml
index 45c7df7..cd65ee4 100644
--- a/charts/pantheon-backup/templates/cronjob.yaml
+++ b/charts/pantheon-backup/templates/cronjob.yaml
@@ -29,6 +29,18 @@ spec:
 serviceAccountName: {{ include "pantheon-backup.serviceAccountName" . }}
 securityContext:
 {{- toYaml .Values.podSecurityContext | nindent 12 }}
+ {{- if .Values.persistence.enabled }}
+ initContainers:
+ - name: fix-pvc-permissions
+ image: alpine
+ command:
+ - "sh"
+ - "-c"
+ - "chown -R 1000:1000 /backups"
+ volumeMounts:
+ - name: cache
+ mountPath: /backups
+ {{- end }}
 containers:
 - name: {{ .Chart.Name }}
 securityContext:
diff --git a/charts/pantheon-backup/values.yaml b/charts/pantheon-backup/values.yaml
index 94e358a..f452bdb 100644
--- a/charts/pantheon-backup/values.yaml
+++ b/charts/pantheon-backup/values.yaml
@@ -159,8 +159,8 @@ serviceAccount:
 # If not set and create is true, a name is generated using the fullname template
 name:
-podSecurityContext: {}
- # fsGroup: 2000
+podSecurityContext:
+ fsGroup: 1000
 securityContext: {}
 # capabilities:
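Review bot: The `fix-pvc-permissions` initContainer added in the cronjob.yaml hunk pulls `image: alpine` with no tag or digest and declares no `securityContext`, so a mutable upstream image is re-pulled and run, presumably as root with the runtime's default capability set, on every scheduled job. Pin the image to a tag and digest the maintainers have verified, and give the container an explicit root context that drops every capability except what `chown` needs. If an operator sets `runAsUser` or `runAsNonRoot` in `podSecurityContext`, this container inherits it and the `chown` would fail, which is another reason to state `runAsUser: 0` here. The capability list below is a starting point to confirm against the storage in use; the `cache` volume definition lies outside the hunk.

```yaml
initContainers:
  - name: fix-pvc-permissions
    # placeholder: replace with a tag and digest the chart maintainers have verified
    image: "alpine:<PINNED_TAG>@sha256:<PINNED_DIGEST>"
    securityContext:
      runAsUser: 0
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
        add: ["CHOWN"]
    # … unchanged: command and volumeMounts …
```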
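Review bot: The new default `fsGroup: 1000` in the values.yaml hunk has to stay equal to the literal `1000:1000` that the cronjob.yaml template passes to `chown`, and nothing in the file says so. An operator who overrides `podSecurityContext.fsGroup` would still get /backups chowned to 1000, leaving the pod's supplementary group and the volume owner out of step. I would add a comment above the key, e.g. `# fsGroup must match the UID:GID used by the fix-pvc-permissions initContainer (1000:1000)`, or derive the chown target from this value in the template. The default also sets no `runAsUser` or `runAsNonRoot`, so whether the backup container actually runs as UID 1000 depends on the image, which is not visible here.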