From d65181de78675889d2f5996deeeef325fc7adcfb Mon Sep 17 00:00:00 2001
From: Felix Wolf
Date: Sun, 3 May 2026 02:16:02 +0200
Subject: [PATCH] fix(ocis-backup): Fix S3 backup permissions and update config IDs

Adds `fsGroup` to the S3 backup cronjob's security context to ensure proper volume ownership. Increases the SSH key secret's `defaultMode` to grant group read access, resolving permission failures when reading the SSH key.
---
 prototypes/ocis/ytt/s3-backup-cronjob.ytt.yaml | 3 ++-
 rendered/envs/production/ocis/configmap-auth-service.yaml | 2 +-
 rendered/envs/production/ocis/configmap-graph.yaml | 2 +-
 rendered/envs/production/ocis/configmap-storage-users.yaml | 2 +-
 rendered/envs/production/ocis/cronjob-ocis-s3-backup.yaml | 3 ++-
 5 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/prototypes/ocis/ytt/s3-backup-cronjob.ytt.yaml b/prototypes/ocis/ytt/s3-backup-cronjob.ytt.yaml
index b6e79cc..9d422c3 100644
--- a/prototypes/ocis/ytt/s3-backup-cronjob.ytt.yaml
+++ b/prototypes/ocis/ytt/s3-backup-cronjob.ytt.yaml
@@ -31,6 +31,7 @@ spec:
 runAsNonRoot: true
 runAsUser: 1009
 runAsGroup: 1009
+ fsGroup: 1009
 seccompProfile:
 type: RuntimeDefault
 containers:
@@ -108,4 +109,4 @@ spec:
 items:
 - key: ssh-key
 path: ssh-key
- defaultMode: 0400
+ defaultMode: 0440
diff --git a/rendered/envs/production/ocis/configmap-auth-service.yaml b/rendered/envs/production/ocis/configmap-auth-service.yaml
index 01317a2..d547d60 100644
--- a/rendered/envs/production/ocis/configmap-auth-service.yaml
+++ b/rendered/envs/production/ocis/configmap-auth-service.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 data:
- service-account-id: af9235cc-560a-4135-8d16-788aa729b35f
+ service-account-id: 6e0e0096-95c0-428e-802d-494cd15a70c2
 kind: ConfigMap
 metadata:
 annotations:
diff --git a/rendered/envs/production/ocis/configmap-graph.yaml b/rendered/envs/production/ocis/configmap-graph.yaml
index e51a3ef..e1f9c18 100644
--- a/rendered/envs/production/ocis/configmap-graph.yaml
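Review bot: `fsGroup: 1009` is added to the pod-level securityContext, so it applies to every volume in the pod that supports ownership management, not only the SSH key secret, and nothing in the template says the key is the reason for it. If this job also mounts a persistent volume (not visible in this hunk), the kubelet may recursively change that volume's group ownership on each run; adding `fsGroupChangePolicy: OnRootMismatch` next to the new line would limit that. I would also put a ytt comment above it, for example `#! fsGroup lets non-root uid 1009 read the SSH key secret through group 1009`. The securityContext block starts above the hunk.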
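Review bot: `defaultMode: 0440` leaves the SSH private key readable by group 1009, and because `fsGroup` is applied as a supplementary group to every container in the pod, any init or sidecar container added to this CronJob later would be able to read the key. That trade-off deserves a comment on the line, for example `#! 0440: key is read by uid 1009 via fsGroup 1009; keep this pod single-purpose`. The value also depends on the leading-zero literal being read as octal (the rendered manifest shows 288, so it is here), which is worth stating in the same comment so nobody rewrites it as decimal 440. The volumes block starts above the hunk.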
+++ b/rendered/envs/production/ocis/configmap-graph.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 data:
- application-id: 105ef2f0-3450-491e-9df3-9d3567f2377c
+ application-id: 0f44b6c4-08bf-40fd-92c4-fd20a5359244
 kind: ConfigMap
 metadata:
 annotations:
diff --git a/rendered/envs/production/ocis/configmap-storage-users.yaml b/rendered/envs/production/ocis/configmap-storage-users.yaml
index f7d05bf..0f7777d 100644
--- a/rendered/envs/production/ocis/configmap-storage-users.yaml
+++ b/rendered/envs/production/ocis/configmap-storage-users.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 data:
- storage-uuid: aa2eff14-4594-407b-b06b-aaf7e22a95d1
+ storage-uuid: 0960ac4f-5101-4abf-a28c-6b8202b505fd
 kind: ConfigMap
 metadata:
 annotations:
diff --git a/rendered/envs/production/ocis/cronjob-ocis-s3-backup.yaml b/rendered/envs/production/ocis/cronjob-ocis-s3-backup.yaml
index 16c6c8a..37715c9 100644
--- a/rendered/envs/production/ocis/cronjob-ocis-s3-backup.yaml
+++ b/rendered/envs/production/ocis/cronjob-ocis-s3-backup.yaml
@@ -82,6 +82,7 @@ spec:
 readOnly: true
 restartPolicy: OnFailure
 securityContext:
+ fsGroup: 1009
 runAsGroup: 1009
 runAsNonRoot: true
 runAsUser: 1009
@@ -91,7 +92,7 @@ spec:
 volumes:
 - name: storagebox-ssh
 secret:
- defaultMode: 256
+ defaultMode: 288
 items:
 - key: ssh-key
 path: ssh-key