fix(grafana): disable init-chown-data for Pod Security / k3s

Made-with: Cursor
timotheereausanofi
2026-03-20 11:34:52 +01:00
parent 4f66f7f7ed
commit 1dc04c9fc5
2 changed files with 7 additions and 0 deletions

@@ -28,6 +28,10 @@ Grafanas **dashboard sidecar** loads ConfigMap **`…-dashboard-onelab-logs`*
- **Line filter** — regex applied to log line content (`.*` = all). - **Line filter** — regex applied to log line content (`.*` = all).
- Stat panels: total lines, heuristic **error** / **warning** counts (tuned for typical text logs, not strict JSON parsing). - Stat panels: total lines, heuristic **error** / **warning** counts (tuned for typical text logs, not strict JSON parsing).
### Grafana pod: `init-chown-data` CrashLoopBackOff
The upstream chart runs an init container as **root** to `chown` `/var/lib/grafana`. Clusters with **Pod Security Admission** (often on k3s) commonly block that. This repo sets **`grafana.initChownData.enabled: false`**; the Grafana pod keeps **`fsGroup: 472`** so the PVC is usually group-writable. If Grafana still cannot write to disk, delete the Grafana PVC once after the change or relax PSA for namespace `onelab`.
## Access Grafana ## Access Grafana
An **Ingress** named **`grafana-onelab`** is created by the umbrella chart (`templates/ingress-grafana-onelab.yaml`), Traefik + cert-manager, matching the OneLab web UI pattern in `gitops/values/k3s-example.yaml`: An **Ingress** named **`grafana-onelab`** is created by the umbrella chart (`templates/ingress-grafana-onelab.yaml`), Traefik + cert-manager, matching the OneLab web UI pattern in `gitops/values/k3s-example.yaml`:
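Review bot: The fallback in the new `init-chown-data` paragraph, "delete the Grafana PVC once after the change or relax PSA for namespace `onelab`", offers two remedies with side effects the text does not mention. Deleting the PVC discards whatever Grafana has stored on that volume unless the reclaim policy retains it, and relaxing PSA on the namespace loosens admission for every pod in `onelab`, not only Grafana. Please say that the PVC should be backed up or is expected to be disposable, and state which PSA level is needed, or drop the PSA option and keep the `fsGroup: 472` path as the supported one. A short check the reader can run to confirm the volume is group-writable would also replace the hedged "usually".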

@@ -109,6 +109,9 @@ grafanaOnelabIngress:
grafana: grafana:
adminUser: admin adminUser: admin
adminPassword: changeme adminPassword: changeme
# Root+CHOWN init breaks under Pod Security / restricted policies (k3s). fsGroup:472 on the pod is enough for most PVCs.
initChownData:
enabled: false
# Load dashboards from ConfigMaps labeled grafana_dashboard (see templates/configmap-dashboard-onelab-logs.yaml). # Load dashboards from ConfigMaps labeled grafana_dashboard (see templates/configmap-dashboard-onelab-logs.yaml).
sidecar: sidecar:
dashboards: dashboards:
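Review bot: The new comment above `initChownData:` claims "fsGroup:472 on the pod is enough for most PVCs", but nothing in the visible values sets that fsGroup, so the fix depends on a chart default that can change on upgrade. Consider pinning it explicitly under `grafana.securityContext` next to `initChownData.enabled: false`, or have the comment say it relies on the chart default. The comment could also name the failure it avoids (the `init-chown-data` CrashLoopBackOff described in the README hunk) so the two stay linked. Separately, the context line `adminPassword: changeme` sits directly above this change; if this values file is deployed as is, that default should come from a secret instead.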