[helm] Give backend permission to write to mounted backend-data pvc #4231

Open
imnasnainaec wants to merge 1 commit into master from bugfix/deploy-backend-mount-perms

@imnasnainaec imnasnainaec commented Mar 27, 2026

Something about the spawning of PVCs in a Helm install has changed so that a fresh install on QA doesn't give the backend permission to write to its mounted backend-data PVC. That prevents LIFT upload, audio recording, avatars, restore-script, and adding speaker consent.

Here is the permission of /home/app/.CombineFiles in the various settings:

| setting | permissions | owner | group | note |
| --- | --- | --- | --- | --- |
| prod | drwxr-xr-x | app | app | don't know how it got this way |
| qa deployed without this fix | drwxr-xr-x | root | root | permission denied |
| qa deployed with this fix | drwxrwsr-x | root | app | different from prod, but works |

Summary by CodeRabbit

  • Chores
    • Updated Kubernetes deployment configuration with enhanced security settings for file system permissions in the container environment.
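
Why the three rows of the permissions table above behave as reported, worked through as an added example (not code from this PR or the project). It applies the POSIX owner/group/other rule to each `ls -l` mode and assumes, since the page does not say so, that the backend runs as the non-root user `app` and that the fsGroup GID is the group `ls` shows as `app`.

```python
# Added example: who may create files in a directory, given its `ls -l` line.
# Rows are constructed from the table in the PR description above.
ROWS = {
    "prod": ("drwxr-xr-x", "app", "app"),
    "qa without fix": ("drwxr-xr-x", "root", "root"),
    "qa with fix": ("drwxrwsr-x", "root", "app"),
}

# Assumption (not stated on the page): the backend runs as non-root user
# "app" and the fsGroup GID is the group that `ls` displays as "app".
PROC_USER, PROC_GROUPS = "app", {"app"}


def parse_mode(mode):
    """Split a 10-character directory mode into per-class (write, search) bits."""
    if len(mode) != 10 or mode[0] != "d":
        raise ValueError(f"not a directory mode string: {mode!r}")
    classes = {}
    for name, triad in zip(("owner", "group", "other"),
                           (mode[1:4], mode[4:7], mode[7:10])):
        # Lower-case s/t mean "special bit plus execute"; S/T mean no execute.
        classes[name] = (triad[1] == "w", triad[2] in "xst")
    setgid = mode[6] in "sS"  # new entries inherit the directory's group
    return classes, setgid


def can_create(mode, owner, group, user=PROC_USER, groups=PROC_GROUPS):
    """POSIX picks one class only: owner, else group, else other."""
    classes, _ = parse_mode(mode)
    if user == owner:
        cls = "owner"
    elif group in groups:
        cls = "group"
    else:
        cls = "other"
    write, search = classes[cls]
    return write and search  # creating an entry needs both w and x


def evaluate():
    return {name: (can_create(*row), parse_mode(row[0])[1])
            for name, row in ROWS.items()}


if __name__ == "__main__":
    for name, (writable, setgid) in evaluate().items():
        print(f"{name:15} writable={writable} setgid={setgid}")
```

On prod the process passes through the owner class, while with the fix it passes through the group class; the setgid bit in `drwxrwsr-x` means files created there inherit the `app` group.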

@imnasnainaec imnasnainaec self-assigned this Mar 27, 2026
@imnasnainaec imnasnainaec added the labels "bug" (Something isn't working) and "🟥High" (High-priority PR: please review this asap!) Mar 27, 2026
coderabbitai bot commented Mar 27, 2026

Walkthrough

The change adds a pod-level securityContext configuration with fsGroup: 999 to the backend Deployment template in the Helm chart. This modifies the security posture of deployed pods by setting filesystem group ownership for mounted volumes.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Kubernetes Deployment Security Configuration: deploy/helm/thecombine/charts/backend/templates/deployment-backend.yaml | Added pod-level securityContext with fsGroup: 999 to enforce filesystem group permissions on mounted volumes. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A tiny paw print in the code we go,
Security context, fsGroup aglow,
Volumes now guarded with care and grace,
Group 999 secures each file's place! 🔐

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title accurately describes the main change: adding a securityContext with fsGroup to give the backend pod proper permissions for writing to the mounted backend-data PVC. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |


codecov bot commented Mar 27, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 75.94%. Comparing base (e0c5628) to head (703fd40).

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #4231   +/-   ##
=======================================
  Coverage   75.94%   75.94%           
=======================================
  Files         303      303           
  Lines       11352    11352           
  Branches     1407     1407           
=======================================
  Hits         8621     8621           
  Misses       2330     2330           
  Partials      401      401           

| Flag | Coverage Δ |
| --- | --- |
| backend | 87.23% <ø> (ø) |
| frontend | 66.79% <ø> (ø) |

@jasonleenaylor jasonleenaylor left a comment

:lgtm:

@jasonleenaylor reviewed 1 file and all commit messages, and made 1 comment.
Reviewable status: :shipit: complete! all files reviewed, all discussions resolved (waiting on imnasnainaec).

Labels

bug (Something isn't working), deployment, 🟥High (High-priority PR: please review this asap!)
