From 1dc04c9fc50af1bc1df50fce131a14fc2fb63336 Mon Sep 17 00:00:00 2001 From: timotheereausanofi Date: Fri, 20 Mar 2026 11:34:52 +0100 Subject: [PATCH] fix(grafana): disable init-chown-data for Pod Security / k3s Made-with: Cursor --- gitops/docs/OBSERVABILITY.md | 4 ++++ gitops/observability/values.yaml | 3 +++ 2 files changed, 7 insertions(+) diff --git a/gitops/docs/OBSERVABILITY.md b/gitops/docs/OBSERVABILITY.md index ef6bf17..e377b6b 100644 --- a/gitops/docs/OBSERVABILITY.md +++ b/gitops/docs/OBSERVABILITY.md @@ -28,6 +28,10 @@ Grafana’s **dashboard sidecar** loads ConfigMap **`…-dashboard-onelab-logs`* - **Line filter** — regex applied to log line content (`.*` = all). - Stat panels: total lines, heuristic **error** / **warning** counts (tuned for typical text logs, not strict JSON parsing). +### Grafana pod: `init-chown-data` CrashLoopBackOff + +The upstream chart runs an init container as **root** to `chown` `/var/lib/grafana`. Clusters with **Pod Security Admission** (often on k3s) commonly block that. This repo sets **`grafana.initChownData.enabled: false`**; the Grafana pod keeps **`fsGroup: 472`** so the PVC is usually group-writable. If Grafana still cannot write to disk, delete the Grafana PVC once after the change or relax PSA for namespace `onelab`. + ## Access Grafana An **Ingress** named **`grafana-onelab`** is created by the umbrella chart (`templates/ingress-grafana-onelab.yaml`), Traefik + cert-manager, matching the OneLab web UI pattern in `gitops/values/k3s-example.yaml`: diff --git a/gitops/observability/values.yaml b/gitops/observability/values.yaml index 37a57c8..825b4ee 100644 --- a/gitops/observability/values.yaml +++ b/gitops/observability/values.yaml 
@@ -109,6 +109,9 @@ grafanaOnelabIngress: grafana: adminUser: admin adminPassword: changeme + # Root+CHOWN init breaks under Pod Security / restricted policies (k3s). fsGroup:472 on the pod is enough for most PVCs. + initChownData: + enabled: false # Load dashboards from ConfigMaps labeled grafana_dashboard (see templates/configmap-dashboard-onelab-logs.yaml). sidecar: dashboards:
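Review bot: In the gitops/docs/OBSERVABILITY.md hunk, the last sentence of the new section offers "delete the Grafana PVC once" and "relax PSA for namespace `onelab`" as fallbacks without stating what either one costs. Deleting the PVC discards whatever Grafana has persisted under `/var/lib/grafana`, and relaxing PSA on the namespace loosens admission for every pod in `onelab`, not only Grafana. Suggest stating both consequences, putting a check of the volume's ownership and mode against GID 472 ahead of either fallback, and naming the PSA level that would be needed if relaxation is really required. "Usually group-writable" would also be more useful with the condition it depends on, namely that the storage backing the PVC honours `fsGroup`.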
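Review bot: In the gitops/observability/values.yaml hunk, the new comment says `fsGroup:472` on the pod is enough, but the hunk only adds `initChownData.enabled: false` and never sets `fsGroup`, so write access to the PVC depends on a chart default that is not visible in this file. Suggest pinning the pod security context (fsGroup 472) explicitly under `grafana:` next to this block, so that a chart upgrade cannot silently change it once the chown init container is gone. Separately, the context lines just above the addition show `adminPassword: changeme` committed in the values file; worth a follow-up to source the admin credentials from a Secret instead.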