diff --git a/prototypes/ocis/ytt/web-tmp-volume.ytt.yaml b/prototypes/ocis/ytt/web-tmp-volume.ytt.yaml
index 4916733..88df30a 100644
--- a/prototypes/ocis/ytt/web-tmp-volume.ytt.yaml
+++ b/prototypes/ocis/ytt/web-tmp-volume.ytt.yaml
@@ -1,14 +1,29 @@
 #@ load("@ytt:overlay", "overlay")
-#! Add a writable /tmp emptyDir to the web Deployment. Without it,
-#! POST/DELETE /branding/logo (multipart spool via os.CreateTemp on
-#! the read-only rootfs) returns 500.
+#! Two fixes for /branding/logo upload (POST/DELETE) on the web pod:
+#!
+#! 1. fsGroupChangePolicy: Always
+#! The chart mounts an emptyDir at /var/lib/ocis/web/assets/apps,
+#! so kubelet auto-creates /var/lib/ocis/web/ and assets/ as
+#! root:root 0755 when establishing the mount point. With the
+#! chart's default OnRootMismatch policy, kubelet skips chgrp
+#! recursion (volume root already group 1000), leaving the
+#! auto-created subdirs unwritable for user 1000. The branding
+#! handler then can't mkdir themes/owncloud/assets and 500s.
+#! Always forces recursive chgrp on every pod start.
+#!
+#! 2. /tmp emptyDir
+#! readOnlyRootFilesystem: true blocks os.CreateTemp default path.
+#! Multipart upload spool needs /tmp writable.
 #@overlay/match by=overlay.subset({"kind": "Deployment", "metadata": {"name": "web"}})
 ---
 spec:
 template:
 spec:
+ securityContext:
+ #@overlay/match missing_ok=True
+ fsGroupChangePolicy: Always
 containers:
 #@overlay/match by=overlay.subset({"name": "web"})
 -
diff --git a/rendered/envs/production/ocis/deployment-web.yaml b/rendered/envs/production/ocis/deployment-web.yaml
index 11dd302..85d42aa 100644
--- a/rendered/envs/production/ocis/deployment-web.yaml
+++ b/rendered/envs/production/ocis/deployment-web.yaml
@@ -130,7 +130,7 @@ spec:
 nodeSelector: {}
 securityContext:
 fsGroup: 1000
- fsGroupChangePolicy: OnRootMismatch
+ fsGroupChangePolicy: Always
 seccompProfile:
 type: RuntimeDefault
 volumes:
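Review bot: The new `fsGroupChangePolicy: Always` stanza in the overlay's pod securityContext depends on the recursive chgrp running after the nested mount-point directories (`/var/lib/ocis/web/` and `assets/`) exist, yet the comment itself says those directories are created when the mount point is established, which on a freshly scheduled pod may happen after the volume ownership pass; that ordering is inferred from the comment, so confirm the fix on a new pod rather than only after a container restart, where emptyDir contents survive and the directories are already present. `Always` is also pod-wide and re-walks every volume on each start, which is cheap for small emptyDirs but worth stating in the comment in case a larger persistent volume is ever attached to this pod, and a narrower fix would be an initContainer that pre-creates the directory with group 1000 or mounting the emptyDir at the parent path. I would add under item 1 `#!    Verified on a freshly scheduled pod, not only after a container restart (TODO: confirm).` and, since the file now carries two unrelated fixes, the name web-tmp-volume.ytt.yaml no longer describes it. The `-` container entry under `containers:` continues outside the hunk.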