fix(forte-drop-pg-backup): set MC_CONFIG_DIR so mc can write its config

The backup CronJob runs as uid 65532 (runAsNonRoot). mc defaulted its config dir to $HOME/.mc = /.mc and failed with "mkdir /.mc: permission denied" on the non-writable root fs — every nightly run died before uploading, so there are currently no backups in s3://drops/_pgbackups/. Point MC_CONFIG_DIR at the shared /work emptyDir (writable via fsGroup). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
gitea update
2026-06-11 13:18:20 +02:00 · 2026-06-11 13:03:59 +02:00 · 2026-06-11 10:34:11 +02:00 · 2026-06-11 10:14:25 +02:00 · 2026-06-05 19:38:30 +02:00 · 2026-06-05 13:41:42 +00:00
7 changed files with 64 additions and 8 deletions
@@ -0,0 +1,20 @@
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+    - name: Install TruffleHog
+      run: |
+        curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh \
+          | sh -s -- -b /usr/local/bin
+    - name: Secret Scanning
+      run: trufflehog git file://. --fail --no-update --results=verified,unknown
@@ -77,6 +77,12 @@ spec:
              mc rm --recursive --force --older-than 30d "obj/${S3_BUCKET}/_pgbackups/" || true
              echo "backup retention pass complete"
            env:
+            # mc writes its config under $MC_CONFIG_DIR; point it at the shared
+            # emptyDir (writable by uid 65532 via fsGroup). Without this it tries
+            # to mkdir /.mc on the read-only-to-nonroot root fs -> "mkdir /.mc:
+            # permission denied" and every run fails before uploading.
+            - name: MC_CONFIG_DIR
+              value: "/work/.mc"
            - name: S3_ENDPOINT
              valueFrom:
                secretKeyRef: { name: forte-drop-secrets, key: S3_ENDPOINT }
@@ -5,9 +5,9 @@ metadata:
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "1"
-    notifications.argoproj.io/subscribe.on-sync-succeeded.slack: ""
-    notifications.argoproj.io/subscribe.on-sync-failed.slack: ""
-    notifications.argoproj.io/subscribe.on-degraded.slack: ""
+#    notifications.argoproj.io/subscribe.on-sync-succeeded.slack: ""
+#    notifications.argoproj.io/subscribe.on-sync-failed.slack: ""
+#    notifications.argoproj.io/subscribe.on-degraded.slack: ""
  labels:
    app.kubernetes.io/name: forte-drop
    app.kubernetes.io/part-of: apps
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: keycloak-client-forte-drop
+  namespace: forte-drop
+  labels:
+    keycloak.forteapps.net/client-config: "true"
+  annotations:
+    keycloak.forteapps.net/source-namespace: "forte-drop"
+stringData:
+  client.json: |
+    {
+      "clientId": "forte-drop",
+      "name": "Forte Drop (web)",
+      "enabled": true,
+      "protocol": "openid-connect",
+      "clientAuthenticatorType": "client-secret",
+      "standardFlowEnabled": true,
+      "directAccessGrantsEnabled": false,
+      "serviceAccountsEnabled": false,
+      "publicClient": false,
+      "redirectUris": ["https://drop.forteapps.net/auth/callback"],
+      "webOrigins": ["https://drop.forteapps.net"],
+      "defaultClientScopes": ["openid","email","profile"],
+      "secret": {
+        "namespace": "forte-drop",
+        "name": "forte-drop-oidc-credentials",
+        "keys": {
+          "clientId": "client-id",
+          "clientSecret": "client-secret"
+        }
+      }
+    }
@@ -2,5 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - forte-drop.yaml
+- keycloak-client-forte-drop.yaml
 - forte-drop-pdb.yaml
 - forte-drop-secrets-sealed.yaml
@@ -17,7 +17,7 @@ spec:
  sources:
  - repoURL: https://dl.gitea.com/charts
    chart: gitea
-    targetRevision: "12.5.0"
+    targetRevision: "12.6.0"
    helm:
      releaseName: gitea
      valueFiles:
@@ -59,10 +59,6 @@ config:
        href: https://benken.hackathon.forteapps.net
        description: Teknisk kompetanse fra offentlige anbud
        icon: forte
-    - Forte Drop:
-        href: https://drop.forteapps.net
-        description: Self-hosted HTML-drops + MCP for Claude
-        icon: forte
    - Forte Feedback:
        href: https://feedback.forteapps.net
        description: Fortes internal feedback app
Author	SHA1	Message	Date
Sten	df30877b5e	fix(forte-drop-pg-backup): set MC_CONFIG_DIR so mc can write its config / test (pull_request) Successful in 8s Details The backup CronJob runs as uid 65532 (runAsNonRoot). mc defaulted its config dir to $HOME/.mc = /.mc and failed with "mkdir /.mc: permission denied" on the non-writable root fs — every nightly run died before uploading, so there are currently no backups in s3://drops/_pgbackups/. Point MC_CONFIG_DIR at the shared /work emptyDir (writable via fsGroup). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-11 13:18:20 +02:00
danijel.simeunovic	9297398d56	gitea update / test (push) Successful in 8s Details	2026-06-11 13:03:59 +02:00
danijel.simeunovic	b0804e1e6a	scan / test (push) Successful in 11s Details	2026-06-11 10:34:11 +02:00
danijel.simeunovic	8216399155	trufflehog / test (push) Failing after 33s Details	2026-06-11 10:14:25 +02:00
danijel.simeunovic	a70f078bbb	drop drop	2026-06-05 19:38:30 +02:00
danijel.simeunovic	a24e61d538	disable slack notifications for forte-drop Signed-off-by: Danijel Simeunovic <danijel.simeunovic@fortedigital.com>	2026-06-05 13:41:42 +00:00