fix: k8s on-premise deployment and session persistence

Database fixes:
- Add hostPath.type=DirectoryOrCreate so kubelet auto-creates /mnt/data/mysql
- Add fsGroup=999 so MySQL process can write to the hostPath volume
- Add MYSQL_ROOT_HOST=% to allow backend pods to authenticate as root
- Fix liveness/readiness probes to include credentials (-p$MYSQL_ROOT_PASSWORD)
- Increase probe initialDelaySeconds (30/60s) for slow first-run init
- Add 15s grace sleep in backend initContainer after MySQL TCP is up
- Add persistentVolumeReclaimPolicy=Retain to prevent accidental data loss
- Explicit accessModes+resources in PVC patch to avoid list merge ambiguity
- Add nodeAffinity comment in PV for multi-node cluster guidance

Ingress/nginx fixes:
- Remove broken rewrite-target=/ that was rewriting all paths (incl /api) to /
- Route /socket.io directly to backend for WebSocket support
- Add /socket.io/ proxy location to both nginx.conf and K8s ConfigMap

Frontend fix:
- Persist currentUser to localStorage on login so page refresh no longer
  clears session and redirects users back to the login page

Tooling:
- Add k8s/overlays/on-premise/deploy.sh for one-command deployment

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

k8s/base/mysql/deployment.yaml

@@ -8,7 +8,7 @@ metadata:
 spec:
   replicas: 1
   strategy:
-    type: Recreate
+    type: Recreate # MySQL requires Recreate since PVC is ReadWriteOnce
   selector:
     matchLabels:
       app.kubernetes.io/name: mysql
@@ -19,6 +19,11 @@ spec:
         app.kubernetes.io/name: mysql
         app.kubernetes.io/component: database
     spec:
+      # fsGroup 999 = mysql group in the container image.
+      # Without this, the hostPath volume is owned by root and MySQL
+      # cannot write to /var/lib/mysql → pod CrashLoops immediately.
+      securityContext:
+        fsGroup: 999
       containers:
         - name: mysql
           image: mysql:8.0
@@ -36,16 +41,9 @@ spec:
                 secretKeyRef:
                   name: mysql-secret
                   key: DB_NAME
-            - name: MYSQL_USER
-              valueFrom:
-                secretKeyRef:
-                  name: mysql-secret
-                  key: MYSQL_USER
-            - name: MYSQL_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: mysql-secret
-                  key: MYSQL_PASSWORD
+            # Allow root to connect from backend pods (any host), not just localhost.
+            - name: MYSQL_ROOT_HOST
+              value: "%"
           volumeMounts:
             - name: mysql-data
               mountPath: /var/lib/mysql
@@ -58,86 +56,26 @@ spec:
               memory: 1Gi
           livenessProbe:
             exec:
-              command: ["mysqladmin", "ping", "-h", "localhost"]
-            initialDelaySeconds: 90
-            periodSeconds: 15
+              command:
+                - sh
+                - -c
+                - mysqladmin ping -h 127.0.0.1 -u root -p"$MYSQL_ROOT_PASSWORD" --silent
+            initialDelaySeconds: 60
+            periodSeconds: 10
             timeoutSeconds: 5
             failureThreshold: 3
           readinessProbe:
             exec:
-              command: ["mysqladmin", "ping", "-h", "localhost"]
-            initialDelaySeconds: 60
-            periodSeconds: 10
-            timeoutSeconds: 5
-            failureThreshold: 5
+              command:
+                - sh
+                - -c
+                - mysqladmin ping -h 127.0.0.1 -u root -p"$MYSQL_ROOT_PASSWORD" --silent
+            # MySQL 8.0 first-run initialization takes 30-60s on slow disks.
+            initialDelaySeconds: 30
+            periodSeconds: 5
+            timeoutSeconds: 3
+            failureThreshold: 10
       volumes:
         - name: mysql-data
           persistentVolumeClaim:
             claimName: mysql-data-pvc
-
-# apiVersion: apps/v1
-# kind: Deployment
-# metadata:
-#   name: mysql
-#   labels:
-#     app.kubernetes.io/name: mysql
-#     app.kubernetes.io/component: database
-# spec:
-#   replicas: 1
-#   strategy:
-#     type: Recreate
-#   selector:
-#     matchLabels:
-#       app.kubernetes.io/name: mysql
-#       app.kubernetes.io/component: database
-#   template:
-#     metadata:
-#       labels:
-#         app.kubernetes.io/name: mysql
-#         app.kubernetes.io/component: database
-#     spec:
-#       containers:
-#         - name: mysql
-#           image: mysql:8.0
-#           ports:
-#             - containerPort: 3306
-#               name: mysql
-#           env:
-#             - name: MYSQL_ROOT_PASSWORD
-#               valueFrom:
-#                 secretKeyRef:
-#                   name: mysql-secret
-#                   key: MYSQL_ROOT_PASSWORD
-#             - name: MYSQL_DATABASE
-#               valueFrom:
-#                 secretKeyRef:
-#                   name: mysql-secret
-#                   key: DB_NAME
-#           volumeMounts:
-#             - name: mysql-data
-#               mountPath: /var/lib/mysql
-#           resources:
-#             requests:
-#               cpu: 250m
-#               memory: 512Mi
-#             limits:
-#               cpu: "1"
-#               memory: 1Gi
-#           livenessProbe:
-#             exec:
-#               command: ["mysqladmin", "ping", "-h", "localhost"]
-#             initialDelaySeconds: 90    # was 30 — must survive full init
-#             periodSeconds: 15
-#             timeoutSeconds: 5
-#             failureThreshold: 3
-#           readinessProbe:
-#             exec:
-#               command: ["mysqladmin", "ping", "-h", "localhost"]
-#             initialDelaySeconds: 60    # was 10 — critical fix
-#             periodSeconds: 10
-#             timeoutSeconds: 5
-#             failureThreshold: 5
-#       volumes:
-#         - name: mysql-data
-#           persistentVolumeClaim:
-#             claimName: mysql-data-pvc