broker-sync: chown fidelity_storage_state to broker uid in init container
## Context
First end-to-end test of the broker-sync-fidelity CronJob failed with
`PermissionError: [Errno 13] Permission denied:
'/data/fidelity_storage_state.json'`. Init container runs as root (uid
0) but the broker-sync container runs as uid 10001; chmod 600 without
chown made the file unreadable from the main container.
## This change
Added `chown 10001:10001` before the existing `chmod 600` in the
`stage-storage-state` init container command. Init container has
CAP_CHOWN by default as root, so this succeeds.
## Verification
    $ kubectl apply -f test-pod.yaml # same init + main pattern
    $ kubectl logs fidelity-debug -c broker-sync
    ...
    broker_sync.providers.fidelity_planviewer.FidelitySessionError:
    PlanViewer session stale — run `broker-sync fidelity-seed`
Init container succeeded + main container read the file + Playwright
launched Chromium + navigated to PlanViewer + hit the 15-min idle page
→ exactly the intended behaviour for a stale session. Next step
(out-of-band): Viktor pastes a fresh SMS OTP and re-seeds via
fidelity-seed on Viktor's laptop or the existing chat-driven flow.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
parent 43254ccd3f
commit f6cff262f0
1 changed files with 4 additions and 1 deletions
|
|
@ -669,7 +669,9 @@ resource "kubernetes_cron_job_v1" "fidelity" {
|
|||
spec {
|
||||
restart_policy = "OnFailure"
|
||||
# Materialise the JSON storage_state from the projected Secret
|
||||
# onto the PVC where Playwright expects to read it.
|
||||
# onto the PVC where Playwright expects to read it. Init container
|
||||
# runs as root; the main broker-sync container runs as uid 10001,
|
||||
# so we chown+chmod 600 to grant read access to the broker user.
|
||||
init_container {
|
||||
name = "stage-storage-state"
|
||||
image = "busybox:1.36"
|
||||
|
|
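Review bot: the rewritten comment above `init_container` now records that this container runs as root, and that is worth questioning rather than only documenting. If uid 10001 can read the mounted secret and write to `/data`, setting `run_as_user = 10001` in a `security_context` on the `stage-storage-state` init container would let `cp` create the file already owned by the broker user, with no root and no chown needed. If root has to stay, say why in the comment. The uid 10001 also appears as a bare literal; a shared local used for both the main container's uid and this step would keep the two from drifting apart.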
@ -677,6 +679,7 @@ resource "kubernetes_cron_job_v1" "fidelity" {
|
|||
set -eu
|
||||
mkdir -p /data
|
||||
cp /secrets/fidelity_storage_state /data/fidelity_storage_state.json
|
||||
chown 10001:10001 /data/fidelity_storage_state.json
|
||||
chmod 600 /data/fidelity_storage_state.json
|
||||
EOT
|
||||
]
|
||||
|
|
|
|||
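Review bot: in the script, the copied session state exists on the volume between the `cp` line and the `chmod 600` line with a mode taken from the source file and the shell's umask, so it can briefly be readable by users other than its owner. Add `umask 077` directly after `set -eu` so the file is created owner-only from the start, and keep `chmod 600` as a backstop. The order of `chown` before `chmod` is fine as written.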