Merge pull request 'fix: pass --config to filebrowser (v2.63.x changed default lookup path)' (#5 ) from fix/filebrowser-config-args into main

manifests: pass --config to filebrowser so it reads our ConfigMap
The previous PR pinned filebrowser to v2.63.13 + runAsUser:0 which solved the PVC permission issue, but the pod was still 0/1 Ready because v2.63.x changed the default config-file lookup path: Old (v2-alpine): /.filebrowser.json (matched our existing mount) New (v2.63.13) : /config/settings.json (NOT mounted in this pod) So the new image ran with its built-in defaults (port 80, in-memory db), and the readiness probe on 8080/health timed out. Fix: pass `args: ["-c", "/.filebrowser.json"]` so filebrowser uses the ConfigMap we already mount there. No volumeMount changes needed. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-06-06 12:22:05 +00:00 · 2026-06-06 14:22:04 +02:00 · 2026-06-06 12:17:21 +00:00 · 2026-06-06 14:17:20 +02:00 · 2026-06-06 11:53:55 +00:00 · 2026-06-06 11:45:19 +00:00
2 changed files with 15 additions and 15 deletions
@@ -187,15 +187,7 @@ spec:
              cpu: "50m"
      containers:
        - name: umami
-          # NOTE: pinned to the exact image SHA the working 120d-old pod
-          # is on. v1.38.0 (the latest postgresql-vX.Y.Z) tries to apply
-          # migration `02_add_event_data` which requires an `event` table
-          # that this DB doesn't have -- the DB schema is older than v1
-          # numbered migrations expect. Until we plan a proper migration
-          # (likely to umami v3.x, which is what the dashboard `→ 3.1`
-          # hint suggests), this stays SHA-pinned so Renovate doesn't
-          # touch it and pod restarts don't roll the version forward.
-          image: ghcr.io/umami-software/umami@sha256:28f263fe06f79ebffa5a6a6e9bd33b7a278e9342a88e0bdac812416c9f9e4361
+          image: ghcr.io/umami-software/umami:3.1.0
          ports:
            - containerPort: 3000
          env:
@@ -105,14 +105,22 @@ spec:
      labels:
        app: filebrowser
    spec:
+      # filebrowser v2.63.13 (debian default) runs as a non-root UID by default
+      # and can't write to PVC files left by the previous v2-alpine image (which
+      # ran as root). Force root explicitly so the existing PVC contents are
+      # readable + writable. (The alternative -- chown the PVC then drop perms --
+      # needs a one-shot initContainer; not worth the moving parts here.)
+      securityContext:
+        runAsUser: 0
+        runAsGroup: 0
      containers:
        - name: filebrowser
-          # NOTE: v2-alpine is a moving tag (Renovate can't track it).
-          # Pinning to v2.63.13 (debian-based default) broke the PVC permissions
-          # (the image runs as a non-root UID and can't write to files left
-          # by the alpine variant). A clean re-pin needs either an initContainer
-          # to chown the PVC, or a fsGroup on the pod spec. Revisit when time permits.
-          image: filebrowser/filebrowser:v2-alpine
+          image: filebrowser/filebrowser:v2.63.13
+          # v2.63.x default config path is `/config/settings.json`; our ConfigMap
+          # is mounted at `/.filebrowser.json`. Tell filebrowser to read it
+          # explicitly so it picks up port 8080 (else it falls back to port 80
+          # and the readiness probe on 8080 fails).
+          args: ["-c", "/.filebrowser.json"]
          ports:
            - containerPort: 8080
          volumeMounts:
Author	SHA1	Message	Date
admin	7b545c1ec7	Merge pull request 'fix: pass --config to filebrowser (v2.63.x changed default lookup path)' (#5 ) from fix/filebrowser-config-args into main	2026-06-06 12:22:05 +00:00
admin	ea66afa960	manifests: pass --config to filebrowser so it reads our ConfigMap The previous PR pinned filebrowser to v2.63.13 + runAsUser:0 which solved the PVC permission issue, but the pod was still 0/1 Ready because v2.63.x changed the default config-file lookup path: Old (v2-alpine): /.filebrowser.json (matched our existing mount) New (v2.63.13) : /config/settings.json (NOT mounted in this pod) So the new image ran with its built-in defaults (port 80, in-memory db), and the readiness probe on 8080/health timed out. Fix: pass `args: ["-c", "/.filebrowser.json"]` so filebrowser uses the ConfigMap we already mount there. No volumeMount changes needed. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-06-06 14:22:04 +02:00
admin	87b062e84a	Merge pull request 'feat: umami 3.1.0 + filebrowser v2.63.13 (root)' (#4 ) from feat/umami-v3-filebrowser-root into main	2026-06-06 12:17:21 +00:00
admin	bd0531e4a8	manifests: umami -> 3.1.0 (v3 line) + filebrowser v2.63.13 with runAsUser:0 umami: Switch from SHA-pinned v3.0.3 to the tagged v3.1.0 release (the v3 line proper -- same schema lineage, normal Prisma minor-version migration). This is the documented forward path that the version- checker hint `postgresql-latest -> 3.1` indicated. The v1.x postgresql-vX.Y.Z line we briefly tried earlier today is a DIFFERENT image lineage with incompatible migrations -- avoid. filebrowser: Re-pin to v2.63.13 (debian-based default) so Renovate can track future bumps. The non-root UID in that image can't write to the existing PVC contents (chowned to root by the previous v2-alpine image), so set pod-level securityContext runAsUser:0 + runAsGroup:0 to keep using the same volume layout without a chown initContainer. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-06-06 14:17:20 +02:00
admin	dc64bb2d79	Merge pull request 'fix(URGENT): pin umami to exact SHA (v1.38.0 has schema lineage mismatch)' (#3 ) from fix/umami-sha-pin into main	2026-06-06 11:53:55 +00:00
admin	a964dc20a4	Merge pull request 'fix: revert filebrowser to v2-alpine (PVC permission issue with v2.63.13)' (#2 ) from fix/filebrowser-revert into main	2026-06-06 11:45:19 +00:00
admin	e363c6594d	Merge pull request 'manifests: re-pin moving tags (umami / filebrowser)' (#1 ) from fix/version-pins into main	2026-06-06 11:41:51 +00:00