From d4460d2b4d3e22783bb7bc2efb4e8744e9d50de0 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sun, 31 Aug 2025 10:55:49 -0500
Subject: [PATCH] ci: Skip SELinux relabel on start

By default, CRI-O assigns a random SELinux category to every pod, and then must adjust the label of every file and directory in the persistent volume to match. For very large volumes like a Buildroot output directory, this can take quite some time. Fortunately, if we assign a static category, we can tell CRI-O to skip the relabel step. Unfortunately, Jenkins does not merge the `securityContext` field of the pod spec when the `yamlMergeStrategy` is set to `merge`. For our custom settings to apply, we have to leave the merge strategy at the default, `override`.
---
 ci/Jenkinsfile | 1 -
 ci/podTemplate.yaml | 5 +++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/ci/Jenkinsfile b/ci/Jenkinsfile
index f3f8e58..e275a13 100644
--- a/ci/Jenkinsfile
+++ b/ci/Jenkinsfile
@@ -11,7 +11,6 @@ pipeline {
 agent {
 kubernetes {
 yamlFile 'ci/podTemplate.yaml'
- yamlMergeStrategy merge()
 workspaceVolume persistentVolumeClaimWorkspaceVolume(
 claimName: 'buildroot-airplaypi'
 )
diff --git a/ci/podTemplate.yaml b/ci/podTemplate.yaml
index a15cc3b..5366644 100644
--- a/ci/podTemplate.yaml
+++ b/ci/podTemplate.yaml
@@ -1,3 +1,6 @@
+metadata:
+ annotations:
+ io.kubernetes.cri-o.TrySkipVolumeSELinuxLabel: 'true'
 spec:
 containers:
 - name: build
@@ -13,6 +16,8 @@ spec:
 subPath: ssh_known_hosts
 securityContext:
 fsGroupChangePolicy: OnRootMismatch
+ seLinuxOptions:
+ level: s0:c596,c675
 volumes:
 - name: ssh-known-hosts
 configMap:
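Review bot: The `io.kubernetes.cri-o.TrySkipVolumeSELinuxLabel` annotation added under `metadata.annotations` is best-effort, and nothing in the file records what it depends on. As far as I know, CRI-O honours it only when the annotation is listed in `allowed_annotations` for the runtime handler in use, and it decides by the label on the volume's top-level directory. Files left underneath with an older random category would then not be corrected, and would show up as AVC denials during the build rather than as a slow start. I would add a comment above the annotation such as `# CRI-O only: needs allowed_annotations on the node and the fixed seLinuxOptions.level in spec.securityContext`, and confirm once on a node that the relabel is actually skipped.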
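Review bot: The fixed `level: s0:c596,c675` added under `securityContext` trades MCS isolation for start-up time, and the file does not say so. With a static category pair, every pod of this job, and any other workload given the same pair, carries a label that matches the files on the `buildroot-airplaypi` volume, so SELinux no longer separates them from each other. A comment such as `# Static MCS pair reserved for this PVC; do not reuse for other workloads` would make the reservation explicit, and quoting the value (`level: 's0:c596,c675'`) keeps it a string under any parser. Since the Jenkinsfile change falls back to the `override` merge strategy, it is also worth checking that no inherited pod template was contributing security settings that are now dropped.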