From 0f640c74b2fcf5578d5fbfa3832fffdb8fe06dc1 Mon Sep 17 00:00:00 2001
From: claude <claude@alocoq.fr>
Date: Wed, 3 Jun 2026 11:36:41 +0000
Subject: [PATCH] Prod: provision PVCs out of band (storageClass under operator
 control)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Add server-ce/k8s/verso-prod-pvcs.yaml (mongo-data/redis-data/verso-data,
  ReadWriteOnce, storageClassName left for the operator to set — use a Ceph RBD
  block class).
- Drop the inline PVC definitions from deploy-verso-prod.yml so it won't fight
  the operator-provisioned PVCs; the deploy now assumes they already exist.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 .gitea/workflows/deploy-verso-prod.yml | 43 ++++------------------
 server-ce/k8s/verso-prod-pvcs.yaml     | 49 ++++++++++++++++++++++++++
 2 files changed, 56 insertions(+), 36 deletions(-)
 create mode 100644 server-ce/k8s/verso-prod-pvcs.yaml

diff --git a/.gitea/workflows/deploy-verso-prod.yml b/.gitea/workflows/deploy-verso-prod.yml
index ade9dc1964..d03b91726e 100644
--- a/.gitea/workflows/deploy-verso-prod.yml
+++ b/.gitea/workflows/deploy-verso-prod.yml
@@ -15,7 +15,8 @@ name: Build and Deploy Verso (prod)
 #   - Public self-registration stays off (CE default): friends-only, admin
 #     creates accounts / sends invites.
 #
-# Out of band (do once): create the `verso-smtp` Secret and a verso.alocoq.fr
+# Out of band (do once): create the PVCs (server-ce/k8s/verso-prod-pvcs.yaml,
+# with your storageClass), the `verso-smtp` Secret, and a verso.alocoq.fr
 # Ingress (see server-ce/k8s/verso-prod-ingress.example.yaml) + DNS.
 
 on:
@@ -136,42 +137,12 @@ jobs:
         run: |
           kubectl create namespace verso --dry-run=client -o yaml | kubectl apply -f -
 
-          # PVCs + Mongo/Redis. Applied idempotently — this step must never
-          # delete these, so project data survives every deploy.
+          # Mongo/Redis. Applied idempotently — this step must never delete
+          # these, so project data survives every deploy. The PVCs themselves
+          # are provisioned out of band (server-ce/k8s/verso-prod-pvcs.yaml) so
+          # the storageClass is under your control; this step assumes
+          # mongo-data / redis-data / verso-data already exist.
           cat <<'EOF' | kubectl apply -f -
-          apiVersion: v1
-          kind: PersistentVolumeClaim
-          metadata:
-            name: mongo-data
-            namespace: verso
-          spec:
-            accessModes: [ReadWriteOnce]
-            resources:
-              requests:
-                storage: 10Gi
-          ---
-          apiVersion: v1
-          kind: PersistentVolumeClaim
-          metadata:
-            name: redis-data
-            namespace: verso
-          spec:
-            accessModes: [ReadWriteOnce]
-            resources:
-              requests:
-                storage: 2Gi
-          ---
-          apiVersion: v1
-          kind: PersistentVolumeClaim
-          metadata:
-            name: verso-data
-            namespace: verso
-          spec:
-            accessModes: [ReadWriteOnce]
-            resources:
-              requests:
-                storage: 20Gi
-          ---
           apiVersion: apps/v1
           kind: Deployment
           metadata:
diff --git a/server-ce/k8s/verso-prod-pvcs.yaml b/server-ce/k8s/verso-prod-pvcs.yaml
new file mode 100644
index 0000000000..f32552afb6
--- /dev/null
+++ b/server-ce/k8s/verso-prod-pvcs.yaml
@@ -0,0 +1,49 @@
+# PersistentVolumeClaims for the prod (verso namespace) instance.
+#
+# Provisioned out of band (not by the deploy workflow) so the storageClass is
+# under your control. Create them ONCE, before the first prod deploy:
+#
+#     kubectl apply -f server-ce/k8s/verso-prod-pvcs.yaml
+#
+# Use a Ceph RBD (block) storageClass for all three — every volume here is
+# single-writer ReadWriteOnce (Mongo, Redis, and the single app pod). Set
+# storageClassName below to your RBD class (run `kubectl get storageclass` to
+# find its name). Sizes are starting points; RBD supports online expansion.
+
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: mongo-data
+  namespace: verso
+spec:
+  accessModes: [ReadWriteOnce]
+  # storageClassName: ceph-rbd   # <- set to your RBD (block) storageClass
+  resources:
+    requests:
+      storage: 10Gi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: redis-data
+  namespace: verso
+spec:
+  accessModes: [ReadWriteOnce]
+  # storageClassName: ceph-rbd   # <- set to your RBD (block) storageClass
+  resources:
+    requests:
+      storage: 2Gi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: verso-data
+  namespace: verso
+# verso-data is mounted at /var/lib/overleaf/data: user files, compiles, output
+# cache, and published-presentation snapshots.
+spec:
+  accessModes: [ReadWriteOnce]
+  # storageClassName: ceph-rbd   # <- set to your RBD (block) storageClass
+  resources:
+    requests:
+      storage: 20Gi