chore: backport fsGroupChangePolicy

internal/templating/backups/template_podconfig.go

@@ -48,6 +48,16 @@ func GenerateBackupPodConfig(
 						},
 					},
 				}
+				if lValues.PodSecurityContext.OnRootMismatch {
+					fsGroupChangePolicy := corev1.FSGroupChangeOnRootMismatch
+					if podConfig.Spec.Template.Spec.SecurityContext != nil {
+						podConfig.Spec.Template.Spec.SecurityContext.FSGroupChangePolicy = &fsGroupChangePolicy
+					} else {
+						podConfig.Spec.Template.Spec.SecurityContext = &corev1.PodSecurityContext{
+							FSGroupChangePolicy: &fsGroupChangePolicy,
+						}
+					}
+				}
 				// add the default labels
 				podConfig.ObjectMeta.Labels = map[string]string{
 					"app.kubernetes.io/name":       "k8up-podconfig",

internal/templating/backups/template_podconfig_test.go

@@ -50,7 +50,37 @@ func TestGenerateBackupPodConfig(t *testing.T) {
 					},
 				},
 			},
-			want: "test-resources/result-podconfig1.yaml",
+			want: "test-resources/test-k8up-v1-rootless.yaml",
+		},
+		{
+			name:        "test-k8up-v1-rootless-onrootmismatch",
+			description: "this will generate a podconfig if the environment is configured for rootless workloads",
+			args: args{
+				lValues: generator.BuildValues{
+					Project:         "example-project",
+					Environment:     "environment",
+					EnvironmentType: "production",
+					Namespace:       "myexample-project-environment",
+					BuildType:       "branch",
+					LagoonVersion:   "v2.x.x",
+					Kubernetes:      "generator.local",
+					Branch:          "environment",
+					BackupsEnabled:  true,
+					Backup: generator.BackupConfiguration{
+						K8upVersion: "v2",
+					},
+					FeatureFlags: map[string]bool{
+						"rootlessworkloads": true,
+					},
+					PodSecurityContext: generator.PodSecurityContext{
+						RunAsGroup:     0,
+						RunAsUser:      10000,
+						FsGroup:        10001,
+						OnRootMismatch: true,
+					},
+				},
+			},
+			want: "test-resources/test-k8up-v1-rootless-onrootmismatch.yaml",
 		},
 		{
 			name:        "test-k8up-v1-root",

internal/templating/backups/test-resources/test-k8up-v1-rootless-onrootmismatch.yaml

@@ -0,0 +1,29 @@
+---
+apiVersion: k8up.io/v1
+kind: PodConfig
+metadata:
+  annotations:
+    lagoon.sh/branch: environment
+    lagoon.sh/version: v2.x.x
+  creationTimestamp: null
+  labels:
+    app.kubernetes.io/instance: k8up-rootless-workload-podconfig
+    app.kubernetes.io/managed-by: build-deploy-tool
+    app.kubernetes.io/name: k8up-podconfig
+    lagoon.sh/buildType: branch
+    lagoon.sh/environment: environment
+    lagoon.sh/environmentType: production
+    lagoon.sh/project: example-project
+    lagoon.sh/service: k8up-rootless-workload-podconfig
+    lagoon.sh/service-type: k8up-podconfig
+    lagoon.sh/template: k8up-podconfig-0.1.0
+  name: k8up-rootless-workload-podconfig
+spec:
+  template:
+    spec:
+      securityContext:
+        fsGroup: 10001
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 0
+        runAsUser: 10000
+status: {}