fix deploy repo volume permissions

2026-05-15 00:50:13 +08:00 · 2026-05-15 00:50:13 +08:00 · 894c3873a4
commit 894c3873a4
parent 6ba06be47e
2 changed files with 13 additions and 1 deletions
--- a/deploy/README.md
+++ b/deploy/README.md
@ -136,6 +136,15 @@ All services share a single PVC (`shared-data`) via `subPath` mounts:
 | `files`   | `/data/files`   | app                      |
 | `static`  | `/data`         | static-server            |

+Pods run as UID/GID `1000` and set `fsGroup: 1000` so Git processes can create temporary object
+directories under bare repositories. If an existing PVC was previously written by another UID,
+fix ownership once from a maintenance pod:
+
+```bash
+chown -R 1000:1000 /data/repos
+chmod -R u+rwX,g+rwX /data/repos
+```
+
 ## Autoscaling

 All services except `email_worker` have HPA enabled by default. The email worker is fixed at 1 replica and must not be
--- a/deploy/values.yaml
+++ b/deploy/values.yaml
@ -197,6 +197,9 @@ serviceAccount:
 podSecurityContext:
  runAsNonRoot: true
  runAsUser: 1000
+  runAsGroup: 1000
+  fsGroup: 1000
+  fsGroupChangePolicy: OnRootMismatch

 securityContext:
  capabilities:
@ -206,4 +209,4 @@ securityContext:

 nodeSelector: {}
 tolerations: []
-affinity: {}
+affinity: {}