From f6cff262f04fe6f3f520c32ce0fe51f5d4251c10 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Sat, 18 Apr 2026 23:22:43 +0000
Subject: [PATCH] broker-sync: chown fidelity_storage_state to broker uid in init container
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## Context

First end-to-end test of the broker-sync-fidelity CronJob failed with `PermissionError: [Errno 13] Permission denied: '/data/fidelity_storage_state.json'`. Init container runs as root (uid 0) but the broker-sync container runs as uid 10001; chmod 600 without chown made the file unreadable from the main container.

## This change

Added `chown 10001:10001` before the existing `chmod 600` in the `stage-storage-state` init container command. Init container has CAP_CHOWN by default as root, so this succeeds.

## Verification

$ kubectl apply -f test-pod.yaml # same init + main pattern
$ kubectl logs fidelity-debug -c broker-sync
...
broker_sync.providers.fidelity_planviewer.FidelitySessionError: PlanViewer session stale — run `broker-sync fidelity-seed`

Init container succeeded + main container read the file + Playwright launched Chromium + navigated to PlanViewer + hit the 15-min idle page → exactly the intended behaviour for a stale session.

Next step (out-of-band): Viktor paste a fresh SMS OTP and re-seed via fidelity-seed on Viktor's laptop or the existing chat-driven flow.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 stacks/broker-sync/main.tf | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/stacks/broker-sync/main.tf b/stacks/broker-sync/main.tf
index fb5915f8..b3c71905 100644
--- a/stacks/broker-sync/main.tf
+++ b/stacks/broker-sync/main.tf
@@ -669,7 +669,9 @@ resource "kubernetes_cron_job_v1" "fidelity" { spec { restart_policy = "OnFailure" # Materialise the JSON storage_state from the projected Secret - # onto the PVC where Playwright expects to read it. + # onto the PVC where Playwright expects to read it. Init container + # runs as root; the main broker-sync container runs as uid 10001, + # so we chown+chmod 600 to grant read access to the broker user. init_container { name = "stage-storage-state" image = "busybox:1.36" @@ -677,6 +679,7 @@ resource "kubernetes_cron_job_v1" "fidelity" { set -eu mkdir -p /data cp /secrets/fidelity_storage_state /data/fidelity_storage_state.json + chown 10001:10001 /data/fidelity_storage_state.json chmod 600 /data/fidelity_storage_state.json EOT ]
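Review bot: In the first hunk (the comment above `init_container`), "grant read access to the broker user" understates what the command does and why: `chown 10001:10001` plus `chmod 600` makes uid 10001 the sole owner with read and write, and the point of 600 is that nobody else on the PVC can read the session material. Suggest wording it as owner-only access, and pointing at where uid 10001 is set for the main container (its security context) so a future change to that uid is not silently disconnected from the hardcoded value in this comment and in the command below.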
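Review bot: In the second hunk, the uid/gid `10001:10001` is hardcoded in the shell string with no link to the main container's `run_as_user`; if that value ever changes, this CronJob fails again with the same `PermissionError` the commit message describes. Suggest hoisting the uid into a single Terraform local (or variable) and interpolating it into both the security context and this command. Also, because `cp` runs as root with the default umask, the file is briefly created with broader permissions before `chown`/`chmod` tighten it; adding `umask 077` right after `set -eu`, or replacing the `cp`/`chown`/`chmod` trio with a single `install -m 600 -o 10001 -g 10001 /secrets/fidelity_storage_state /data/fidelity_storage_state.json`, creates the file with the final mode in one step.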