adjusted helm

AlexejPenner · AlexejPenner · commit 5ae40573bd74 · 2025-11-19T22:11:42.000+01:00
diff --git a/helm/README.md b/helm/README.md
@@ -92,6 +92,26 @@ You can add additional exclusions using the `additionalNoProxy` list. The NO_PRO
 - IPv6 addresses (e.g., "::1")
 - IPv6 ranges in CIDR notation (e.g., "fe80::/10")
 
+### Database Persistence
+
+When using database persistence with a local SQLite database, the chart automatically configures the necessary permissions. The `podSecurityContext.fsGroup` is set to 1000 by default to ensure the ZenML container (running as UID 1000) can write to the persistent volume.
+
+Example configuration:
+
+```yaml
+zenml:
+  database:
+    persistence:
+      enabled: true
+      size: "10Gi"
+      # storageClassName: ""  # Optional: use default storage class if not specified
+
+# podSecurityContext.fsGroup is set to 1000 by default
+# This ensures the container can write to the persistent volume
+```
+
+If you override `podSecurityContext`, ensure that `fsGroup: 1000` is set when using persistent volumes, otherwise the container will not be able to write to the mounted volume and will crash.
+
 ## Telemetry
 
 The ZenML server collects anonymous usage data to help us improve the product. You can opt out by setting `zenml.analyticsOptIn` to false.
diff --git a/helm/values.yaml b/helm/values.yaml
@@ -314,6 +314,10 @@ zenml:
     # If set to true, path where the local database is created will be
     # mounted as a persistent volume so the data is not lost on pod restarts.
     # Only relevant for local sqlite database.
+    # When persistence is enabled, ensure that podSecurityContext.fsGroup
+    # is set to 1000 (this is the default) so that the ZenML container can write to
+    # the persistent volume. The container runs as UID 1000, and without fsGroup
+    # set, the PVC will be mounted with root:root ownership, causing permission errors.
     persistence:
       enabled: false
       size: 1Gi
@@ -1173,8 +1177,14 @@ serviceAccount:
 
 podAnnotations: {}
 
-podSecurityContext: {}
-  # fsGroup: 1000 # if you're using a PVC for backup, this should necessarily be set.
+podSecurityContext:
+  # fsGroup must be set to 1000 when using persistent volumes (database persistence or backup PVCs)
+  # to ensure the ZenML container (running as UID 1000) can write to the mounted volumes.
+  # This is set by default to prevent permission issues.
+  fsGroup: 1000
+  # fsGroupChangePolicy controls when fsGroup ownership changes are applied.
+  # "OnRootMismatch" only changes ownership if the root of the volume doesn't match the fsGroup.
+  fsGroupChangePolicy: "OnRootMismatch"
 
 securityContext:
   runAsNonRoot: true
