fix

prototypes/ocis/ytt/web-tmp-volume.ytt.yaml

@@ -1,14 +1,29 @@
 #@ load("@ytt:overlay", "overlay")
 
-#! Add a writable /tmp emptyDir to the web Deployment. Without it,
-#! POST/DELETE /branding/logo (multipart spool via os.CreateTemp on
-#! the read-only rootfs) returns 500.
+#! Two fixes for /branding/logo upload (POST/DELETE) on the web pod:
+#!
+#!  1. fsGroupChangePolicy: Always
+#!     The chart mounts an emptyDir at /var/lib/ocis/web/assets/apps,
+#!     so kubelet auto-creates /var/lib/ocis/web/ and assets/ as
+#!     root:root 0755 when establishing the mount point. With the
+#!     chart's default OnRootMismatch policy, kubelet skips chgrp
+#!     recursion (volume root already group 1000), leaving the
+#!     auto-created subdirs unwritable for user 1000. The branding
+#!     handler then can't mkdir themes/owncloud/assets and 500s.
+#!     Always forces recursive chgrp on every pod start.
+#!
+#!  2. /tmp emptyDir
+#!     readOnlyRootFilesystem: true blocks os.CreateTemp default path.
+#!     Multipart upload spool needs /tmp writable.
 
 #@overlay/match by=overlay.subset({"kind": "Deployment", "metadata": {"name": "web"}})
 ---
 spec:
   template:
     spec:
+      securityContext:
+        #@overlay/match missing_ok=True
+        fsGroupChangePolicy: Always
       containers:
         #@overlay/match by=overlay.subset({"name": "web"})
         -

rendered/envs/production/ocis/deployment-web.yaml

@@ -130,7 +130,7 @@ spec:
       nodeSelector: {}
       securityContext:
         fsGroup: 1000
-        fsGroupChangePolicy: OnRootMismatch
+        fsGroupChangePolicy: Always
         seccompProfile:
           type: RuntimeDefault
       volumes: