From 03126d55847718a69f08747846bd718d849c51c5 Mon Sep 17 00:00:00 2001
From: Andrew Stoltz
Date: Mon, 25 May 2026 15:58:35 -0500
Subject: [PATCH] authentik: add fsGroup:1000 to server + worker so non-root uid can write /media

PermissionError: [Errno 13] Permission denied: '/media/public' in tenant_files migration because Authentik container runs as uid 1000 but Longhorn PVC mounts root:root by default. fsGroup on Pod securityContext recursively chgrps the PVC mount to gid 1000 + chmods g+rwx.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 apps/authentik/authentik.yaml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/apps/authentik/authentik.yaml b/apps/authentik/authentik.yaml
index 0915a53..ce95942 100644
--- a/apps/authentik/authentik.yaml
+++ b/apps/authentik/authentik.yaml
@@ -227,6 +227,11 @@ spec:
 labels:
 app: authentik-server
 spec:
+ securityContext:
+ # Authentik image runs as uid 1000 "authentik" but the Longhorn PVC mounts
+ # root:root by default. fsGroup recursively chgrp + chmod g+rwx so the
+ # non-root container can mkdir /media/public during the tenant_files migration.
+ fsGroup: 1000
 containers:
 - name: server
 image: ghcr.io/goauthentik/server:2024.12.3
@@ -330,6 +335,9 @@ spec:
 labels:
 app: authentik-worker
 spec:
+ securityContext:
+ # Same as server pod — non-root uid 1000 needs PVC group write.
+ fsGroup: 1000
 containers:
 - name: worker
 image: ghcr.io/goauthentik/server:2024.12.3
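Review bot: The pod-level `securityContext` added to the authentik-server template sets only `fsGroup: 1000`, so the uid 1000 that the comment relies on remains the image's default and nothing in the visible lines enforces it. If the container spec, which continues outside this hunk, does not already pin it, add `runAsNonRoot: true`, `runAsUser: 1000` and `runAsGroup: 1000` beside `fsGroup`, so the identity provider keeps running unprivileged even if a later image changes its default user. The same applies to the authentik-worker hunk at -330.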
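Review bot: With `fsGroup` alone the kubelet re-applies group ownership and permissions across the whole volume on every pod start, and this worker block repeats that walk for what the comment implies is the same PVC the server mounts. Adding `fsGroupChangePolicy: OnRootMismatch` under `fsGroup: 1000` skips the walk once the volume root already carries gid 1000, which keeps restarts short as /media grows; the server block at -227 would take the same line. Whether the worker actually mounts that PVC is not visible in this hunk, so the comment `# Same as server pod` would be clearer if it named the volume it refers to.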