From dfbf6faf3d969686934ace1e629cdb50af197062 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Fri, 1 May 2026 18:50:51 +0000
Subject: [PATCH] priority-pass: backend f4246691 (QR fit fix + persist uploads), add encrypted PVC
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Backend changes:
- transformers.py: QR container now sized to actual qr_bbox + 8% padding (was fixed at 45% of card width). When QR was wider than 45% of card, the leftover-pixel branch color-remapped QR pixels outside the container, breaking the scan. New container always encloses qr_mask.
- main.py: persist input + output + json metadata under $UPLOAD_DIR//-{input.,output.png,*.json} for future training. Failure to save is logged, never breaks the API.

Infra:
- New PVC priority-pass-uploads (1Gi proxmox-lvm-encrypted, 10Gi autoresize cap) — encrypted because boarding passes contain PII.
- Deployment strategy → Recreate (RWO requirement).
- Volume + volumeMount + UPLOAD_DIR env on backend container.

Applied via kubectl (TF state for this stack is empty — see prior commit). New pod priority-pass-77956b64fb rolled out, PVC bound, test transform succeeded, sample written to /data/uploads/ryanair/.

[ci skip]
---
 stacks/priority-pass/main.tf | 39 +++++++++++++++++++++++++++++++++++-
 1 file changed, 38 insertions(+), 1 deletion(-)

diff --git a/stacks/priority-pass/main.tf b/stacks/priority-pass/main.tf
index b19777a8..02497af8 100644
--- a/stacks/priority-pass/main.tf
+++ b/stacks/priority-pass/main.tf
@@ -23,6 +23,26 @@ module "tls_secret" {
   tls_secret_name = var.tls_secret_name
 }
 
+resource "kubernetes_persistent_volume_claim" "uploads" {
+  wait_until_bound = false
+  metadata {
+    name      = "priority-pass-uploads"
+    namespace = kubernetes_namespace.priority-pass.metadata[0].name
+    annotations = {
+      "resize.topolvm.io/threshold"     = "80%"
+      "resize.topolvm.io/increase"      = "100%"
+      "resize.topolvm.io/storage_limit" = "10Gi"
+    }
+  }
+  spec {
+    access_modes       = ["ReadWriteOnce"]
+    storage_class_name = "proxmox-lvm-encrypted"
+    resources {
+      requests = { storage = "1Gi" }
+    }
+  }
+}
+
 resource "kubernetes_deployment" "priority-pass" {
   metadata {
     name = "priority-pass"
@@ -34,6 +54,9 @@ resource "kubernetes_deployment" "priority-pass" {
   }
   spec {
     replicas = 1
+    strategy {
+      type = "Recreate"
+    }
     selector {
       match_labels = {
         run = "priority-pass"
@@ -49,6 +72,12 @@ resource "kubernetes_deployment" "priority-pass" {
         image_pull_secrets {
           name = "registry-credentials"
         }
+        volume {
+          name = "uploads"
+          persistent_volume_claim {
+            claim_name = kubernetes_persistent_volume_claim.uploads.metadata[0].name
+          }
+        }
         container {
           name  = "frontend"
           image = "registry.viktorbarzin.me/priority-pass-frontend:ea9176f8"
@@ -75,10 +104,18 @@ resource "kubernetes_deployment" "priority-pass" {
         }
         container {
           name  = "backend"
-          image = "registry.viktorbarzin.me/priority-pass-backend:ae1420a0"
+          image = "registry.viktorbarzin.me/priority-pass-backend:f4246691"
           port {
             container_port = 8000
           }
+          env {
+            name  = "UPLOAD_DIR"
+            value = "/data/uploads"
+          }
+          volume_mount {
+            name       = "uploads"
+            mount_path = "/data/uploads"
+          }
           resources {
             limits = {
               memory = "512Mi"
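Review bot: The new `kubernetes_persistent_volume_claim.uploads` stores boarding-pass images and metadata (PII, per the commit message) with no retention or expiry anywhere in this stack — the backend writes every request to disk and nothing here ever removes it, so "for future training" becomes indefinite retention on an autoresizing volume. Encryption at rest via `proxmox-lvm-encrypted` covers a lost disk, not over-collection; document the intent on the resource, e.g. `# Holds uploaded boarding passes (PII). No cleanup job yet — retention policy TBD; consumed by main.py via UPLOAD_DIR.`, and follow up with a CronJob or a max-age sweep in the backend. Since this is the only copy of that data, `lifecycle { prevent_destroy = true }` would stop a later rename or `terraform destroy` from dropping it once the resource is actually in state (the commit notes it was applied via kubectl with empty state, so the next plan will also collide with the already-existing PVC unless it is imported). A one-line comment on `wait_until_bound = false` (presumably because the storage class binds on first consumer — confirm) would help the next reader.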
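Review bot: `strategy { type = "Recreate" }` carries no comment, and a future reader tuning for zero-downtime rollouts will likely flip it back to RollingUpdate and hit a permanently stuck rollout on the ReadWriteOnce claim. Suggest `# Recreate: the uploads PVC is ReadWriteOnce, so the new pod cannot start until the old one has released it.` above the block. The deployment resource continues outside the hunk.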
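Review bot: The pod-level `volume` now exposes a PII-bearing claim, but no `security_context` (`run_as_non_root`, `fs_group`) is visible in this hunk or elsewhere in the diff; the commit's note that the sample write succeeded without one suggests the backend container runs as root, since a freshly provisioned block-backed filesystem is typically root-owned until an fsGroup is applied — worth confirming against the image. If it does run as root, a bug in the image-transform path (it processes user-uploaded boarding passes) gives an attacker unrestricted read/write over every stored pass plus one fewer boundary to the node; set `security_context { run_as_non_root = true fs_group = <backend uid> }` on the pod spec so the mount is writable by an unprivileged user, and consider `read_only_root_filesystem = true` on the container now that its only writable path is the mount. The pod spec block begins outside the hunk.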
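Review bot: `/data/uploads` is spelled out twice in the backend container — once as the `UPLOAD_DIR` env `value` and once as `mount_path` — and nothing ties them together, so a later edit to one leaves the backend writing to the container's ephemeral filesystem, which succeeds silently and is wiped on every Recreate rollout (the commit says save failures are only logged, so there is no signal either way). Hoist it into `locals { upload_dir = "/data/uploads" }` and reference `value = local.upload_dir` and `mount_path = local.upload_dir`. A comment on the env such as `# Consumed by main.py; a full or unwritable volume is logged and tolerated, never surfaced to the API` would record the failure mode this commit chose. The container block continues outside the hunk.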