From 2eede3a3d726a4ceddcf6fd1d028683dc666e807 Mon Sep 17 00:00:00 2001
From: Mayne0213
Date: Thu, 1 Jan 2026 09:04:17 +0900
Subject: [PATCH] FIX(crafty): fix permissions and add backend HTTPS

- Add initContainer to set proper file permissions (chown 1000:0)
- Add fsGroup: 0 for root group permissions
- Add ServersTransport for Traefik backend HTTPS with insecureSkipVerify
- Add traefik.ingress.kubernetes.io/service.serversscheme annotation
---
 crafty/deployment.yaml | 19 +++++++++++++++++++
 crafty/ingress.yaml | 2 ++
 crafty/kustomization.yaml | 1 +
 crafty/serverstransport.yaml | 7 +++++++
 4 files changed, 29 insertions(+)
 create mode 100644 crafty/serverstransport.yaml

diff --git a/crafty/deployment.yaml b/crafty/deployment.yaml
index 59ee474..c58b342 100644
--- a/crafty/deployment.yaml
+++ b/crafty/deployment.yaml
@@ -17,6 +17,25 @@ spec:
 labels:
 app: crafty
 spec:
+ securityContext:
+ fsGroup: 0
+ initContainers:
+ - name: init-permissions
+ image: busybox:latest
+ command: ['sh', '-c', 'chown -R 1000:0 /crafty && chmod -R g+rwX /crafty']
+ volumeMounts:
+ - name: backups
+ mountPath: /crafty/backups
+ - name: logs
+ mountPath: /crafty/logs
+ - name: servers
+ mountPath: /crafty/servers
+ - name: config
+ mountPath: /crafty/app/config
+ - name: import
+ mountPath: /crafty/import
+ securityContext:
+ runAsUser: 0
 containers:
 - name: crafty
 image: registry.gitlab.com/crafty-controller/crafty-4:latest
diff --git a/crafty/ingress.yaml b/crafty/ingress.yaml
index 889a639..4c1cbbf 100644
--- a/crafty/ingress.yaml
+++ b/crafty/ingress.yaml
@@ -6,6 +6,8 @@ metadata:
 annotations:
 cert-manager.io/cluster-issuer: "letsencrypt-prod"
 traefik.ingress.kubernetes.io/router.tls: "true"
+ traefik.ingress.kubernetes.io/service.serversscheme: "https"
+ traefik.ingress.kubernetes.io/service.serverstransport: "crafty-insecure@kubernetescrd"
 spec:
 ingressClassName: traefik
 tls:
diff --git a/crafty/kustomization.yaml b/crafty/kustomization.yaml
index 162d985..22860e7 100644
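Review bot: The `init-permissions` container added in crafty/deployment.yaml runs as UID 0 from the mutable tag `busybox:latest` with all five data volumes mounted writable, so whatever image is currently published under that tag executes as root over the backups, config and server data on every pod start. Pin the image to a fixed version and digest, e.g. `image: busybox:<version>@sha256:<digest>` (placeholder values), and constrain the container with `allowPrivilegeEscalation: false` plus a `capabilities` block that drops `ALL` and adds back only what the chown/chmod needs (likely `CHOWN`, `FOWNER` and `DAC_OVERRIDE`; verify on the cluster). Separately, `fsGroup: 0` adds the root group to the main container's processes as well; a dedicated non-zero GID would give the same write access with less exposure, although the Crafty image may expect group 0, which is not visible here. The pod spec continues outside this hunk.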
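Review bot: The `service.serverstransport` value `crafty-insecure@kubernetescrd` added in crafty/ingress.yaml probably does not resolve to the ServersTransport this patch creates. Traefik's Kubernetes CRD provider names resources `<namespace>-<name>`, and the new object is `crafty-insecure` in namespace `crafty`, so the expected reference would be `crafty-crafty-insecure@kubernetescrd`; as written it points at a transport named `insecure`, which the patch does not define. Check the Traefik logs or dashboard after applying to confirm the router and service load without a missing-transport error.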
--- a/crafty/kustomization.yaml
+++ b/crafty/kustomization.yaml
@@ -5,4 +5,5 @@ resources:
 - pvc.yaml
 - deployment.yaml
 - service.yaml
+ - serverstransport.yaml
 - ingress.yaml
diff --git a/crafty/serverstransport.yaml b/crafty/serverstransport.yaml
new file mode 100644
index 0000000..afdb89f
--- /dev/null
+++ b/crafty/serverstransport.yaml
@@ -0,0 +1,7 @@
+apiVersion: traefik.io/v1alpha1
+kind: ServersTransport
+metadata:
+ name: crafty-insecure
+ namespace: crafty
+spec:
+ insecureSkipVerify: true
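Review bot: `insecureSkipVerify: true` in crafty/serverstransport.yaml turns off certificate verification on the Traefik-to-Crafty hop, so the traffic is encrypted but the backend is not authenticated: any endpoint that answers on the service address inside the cluster is accepted. If Crafty serves a self-signed or internal-CA certificate, prefer trusting it explicitly with `rootCAsSecrets: [<secret-holding-crafty-ca>]` and `serverName: <name-on-the-certificate>` (placeholders) and leave `insecureSkipVerify` unset. If skipping verification is a deliberate trade-off, add a comment in the manifest such as `# backend uses a self-signed cert; verification skipped, reachability limited by NetworkPolicy` and back it with a NetworkPolicy restricting who can reach the Crafty pod; none is visible in this patch.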