From 92b454a88ad54874f86438e3efe8d373e6a8fc9b Mon Sep 17 00:00:00 2001
From: Martyn Ranyard <m@rtyn.berlin>
Date: Fri, 20 Jun 2025 09:30:26 +0000
Subject: [PATCH] Sprinkle fsGroupChangePolicy on like magic!

Signed-off-by: Martyn Ranyard <m@rtyn.berlin>
---
 apps-helm/code-server/templates/deployment.yaml | 1 +
 apps-helm/samba4/values.yaml                    | 1 +
 apps-kustomized/nextcloud/deploy.yaml           | 1 +
 3 files changed, 3 insertions(+)

diff --git a/apps-helm/code-server/templates/deployment.yaml b/apps-helm/code-server/templates/deployment.yaml
index 7892a6a..8521895 100644
--- a/apps-helm/code-server/templates/deployment.yaml
+++ b/apps-helm/code-server/templates/deployment.yaml
@@ -32,6 +32,7 @@ spec:
       {{- if .Values.securityContext.enabled }}
       securityContext:
         fsGroup: {{ .Values.securityContext.fsGroup }}
+        fsGroupChangePolicy: "OnRootMismatch" # There's a chmod already, and no other setup is using this volume!
       {{- end }}
       {{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }}
       initContainers:
diff --git a/apps-helm/samba4/values.yaml b/apps-helm/samba4/values.yaml
index ea70b0e..a2e1080 100644
--- a/apps-helm/samba4/values.yaml
+++ b/apps-helm/samba4/values.yaml
@@ -21,6 +21,7 @@ fullnameOverride: ""
 
 podSecurityContext:
   fsGroup: 1000
+  fsGroupChangePolicy: "OnRootMismatch"
 
 samba:
   global:
diff --git a/apps-kustomized/nextcloud/deploy.yaml b/apps-kustomized/nextcloud/deploy.yaml
index f2ddfac..f95af88 100644
--- a/apps-kustomized/nextcloud/deploy.yaml
+++ b/apps-kustomized/nextcloud/deploy.yaml
@@ -102,6 +102,7 @@ spec:
       schedulerName: default-scheduler
       securityContext:
         fsGroup: 33
+        fsGroupChangePolicy: OnRootMismatch
       terminationGracePeriodSeconds: 30
       volumes:
       - name: nextcloud-main