From 6367b783c7086a5b0d7abbe14b560c01171d6d38 Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Fri, 22 May 2026 14:41:29 +0000 Subject: [PATCH] broker-sync(imap): fix command name + add fsGroup for sync.db writes Two latent issues found while diagnosing why the May 2026 META vest didn't land: 1. broker-sync-imap CronJob's command was 'broker-sync imap', but the actual CLI subcommand is 'imap-ingest'. Every scheduled run had been failing with 'No such command imap' since day-one. 2. Pod runs as uid=10001 gid=999; PVC /data dir is mode 2775 group=10001. Without fsGroup in the pod's securityContext the pod gets only 'other' (r-x) perms on the dir, so sqlite3 can't create journal/WAL files next to sync.db -- hits 'attempt to write a readonly database'. fsGroup=10001 adds the matching gid to the pod's supplemental groups so writes work. Schwab email-sender regex fix is in broker-sync@d860aef. --- stacks/broker-sync/main.tf | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/stacks/broker-sync/main.tf b/stacks/broker-sync/main.tf index 59cbcdb1..b27c4eb9 100644 --- a/stacks/broker-sync/main.tf +++ b/stacks/broker-sync/main.tf @@ -271,10 +271,20 @@ resource "kubernetes_cron_job_v1" "imap" { } spec { restart_policy = "OnFailure" + # The broker image's user is uid=10001 gid=999, but the shared + # data PVC's /data root was created with gid=10001 (legacy from + # an earlier image build). Without fsGroup the pod can't write + # to the directory — sqlite3 can't create the journal next to + # sync.db, hits 'attempt to write a readonly database'. + # fsGroup=10001 adds the matching gid to the pod's supplemental + # groups so writes succeed. + security_context { + fs_group = 10001 + } container { name = "broker-sync" image = local.broker_sync_image - command = ["broker-sync", "imap"] + command = ["broker-sync", "imap-ingest"] env { name = "BROKER_SYNC_DATA_DIR"