FIX(crafty): fix permissions and add backend HTTPS

- Add initContainer to set proper file permissions (chown 1000:0)
- Add fsGroup: 0 for root group permissions
- Add ServersTransport for Traefik backend HTTPS with insecureSkipVerify
- Add traefik.ingress.kubernetes.io/service.serversscheme annotation

crafty/deployment.yaml

@@ -17,6 +17,25 @@ spec:
       labels:
         app: crafty
     spec:
+      securityContext:
+        fsGroup: 0
+      initContainers:
+      - name: init-permissions
+        image: busybox:latest
+        command: ['sh', '-c', 'chown -R 1000:0 /crafty && chmod -R g+rwX /crafty']
+        volumeMounts:
+        - name: backups
+          mountPath: /crafty/backups
+        - name: logs
+          mountPath: /crafty/logs
+        - name: servers
+          mountPath: /crafty/servers
+        - name: config
+          mountPath: /crafty/app/config
+        - name: import
+          mountPath: /crafty/import
+        securityContext:
+          runAsUser: 0
       containers:
       - name: crafty
         image: registry.gitlab.com/crafty-controller/crafty-4:latest

crafty/ingress.yaml

@@ -6,6 +6,8 @@ metadata:
   annotations:
     cert-manager.io/cluster-issuer: "letsencrypt-prod"
     traefik.ingress.kubernetes.io/router.tls: "true"
+    traefik.ingress.kubernetes.io/service.serversscheme: "https"
+    traefik.ingress.kubernetes.io/service.serverstransport: "crafty-insecure@kubernetescrd"
 spec:
   ingressClassName: traefik
   tls:

crafty/kustomization.yaml

@@ -5,4 +5,5 @@ resources:
   - pvc.yaml
   - deployment.yaml
   - service.yaml
+  - serverstransport.yaml
   - ingress.yaml

crafty/serverstransport.yaml

@@ -0,0 +1,7 @@
+apiVersion: traefik.io/v1alpha1
+kind: ServersTransport
+metadata:
+  name: crafty-insecure
+  namespace: crafty
+spec:
+  insecureSkipVerify: true