From e42ff64f7bd0ea1b729ad0f2071051e6db54748f Mon Sep 17 00:00:00 2001
From: Felix Wolf
Date: Sun, 3 May 2026 13:43:32 +0200
Subject: [PATCH] chore(comment): add comment

---
 prototypes/ocis/helm/ocis.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/prototypes/ocis/helm/ocis.yaml b/prototypes/ocis/helm/ocis.yaml
index 85f633c..474d32a 100644
--- a/prototypes/ocis/helm/ocis.yaml
+++ b/prototypes/ocis/helm/ocis.yaml
@@ -102,6 +102,16 @@ services:
 - ReadWriteOnce
 web:
+ # GOTCHA: if this PVC is recreated, /branding/logo POST/DELETE will
+ # 500 with "permission denied". The chart mounts an `apps` emptyDir
+ # at /var/lib/ocis/web/assets/apps; kubelet auto-creates the parent
+ # dirs as root:root 0755 *after* fsGroup runs, and local-path's
+ # hostPath PV doesn't get fsGroup recursion — so user 1000 can't
+ # mkdir themes/ to store the uploaded logo. Was masked while ocis
+ # ran as PSS=privileged (root); surfaced after PSS=restricted.
+ # Remediation: one-shot privileged Job in kube-system, hostPath-
+ # mount the local-path PV directory, `chown -R 1000:1000` it.
+ # Permanent fix: switch to a CSI storageClass (hcloud-volumes).
 persistence:
 enabled: true
 storageClassName: local-path
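Review bot: The remediation the new comment prescribes — a privileged Job in kube-system with a hostPath mount running `chown -R 1000:1000` — is a root-on-node break-glass step that sidesteps the PSS=restricted posture the same comment says exposed the bug, and the comment should label it as such instead of presenting it as routine. I would reword the two `Remediation:` lines to `# Remediation (break-glass, admin-run, do not commit the Job): one-shot privileged Job in kube-system, hostPath-mount only this PV's own directory (not the provisioner root), chown -R <runAsUser>:<fsGroup>, then delete the Job`, so the hostPath scope is a single volume directory and the privileged manifest does not linger in the cluster or the repo. The UID `1000` is written as a constant here; if the chart's securityContext is what decides it, point the comment at that setting so a changed runAsUser does not leave a stale chown recipe. Whether a less privileged path exists (a provisioner setup hook or an init step with only CAP_CHOWN) is not visible from this hunk and is worth confirming before the privileged Job is documented as the only option. The hunk's trailing context line (the sixth old-side line per the `@@` header) appears cut off in this view.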