diff --git a/charts/cryptpad/Chart.lock b/charts/cryptpad/Chart.lock
deleted file mode 100644
index bed3629..0000000
--- a/charts/cryptpad/Chart.lock
+++ /dev/null
@@ -1,6 +0,0 @@
-dependencies:
-- name: common
- repository: oci://registry-1.docker.io/bitnamicharts
- version: 2.39.0
-digest: sha256:3eb3792ee943930941c29d63cd9c9ec07b7ce0da04b23e6b6eb4378a7ea9c0a0
-generated: "2026-05-15T15:55:14.210952212+02:00"
diff --git a/charts/cryptpad/Chart.yaml b/charts/cryptpad/Chart.yaml
index d44b175..a609734 100644
--- a/charts/cryptpad/Chart.yaml
+++ b/charts/cryptpad/Chart.yaml
@@ -33,7 +33,3 @@ maintainers:
 email: guilherme.sautner@xwiki.com
 - name: Arsène Fougerouse
 email: arsene.fougerouse@xwiki.com
-dependencies:
- - name: common
- repository: oci://registry-1.docker.io/bitnamicharts
- version: 2.x.x
diff --git a/charts/cryptpad/templates/NOTES.txt b/charts/cryptpad/templates/NOTES.txt
index f585c94..3310189 100644
--- a/charts/cryptpad/templates/NOTES.txt
+++ b/charts/cryptpad/templates/NOTES.txt
@@ -1,10 +1,14 @@
 1. Get the application URL by running these commands:
 {{- if .Values.ingress.enabled }}
-{{- range $host := .Values.ingress.hosts }}
- {{- range .paths }}
- http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+ http{{ if .Values.ingress.tls }}s{{ end }}://{{ .Values.mainDomain }}
+ {{- if .Values.sandboxDomain }}
+ http{{ if .Values.ingress.tls }}s{{ end }}://{{ .Values.sandboxDomain }} (sandbox)
+ {{- end }}
+{{- else if .Values.httpRoute.enabled }}
+ https://{{ .Values.mainDomain }}
+ {{- if .Values.sandboxDomain }}
+ https://{{ .Values.sandboxDomain }} (sandbox)
 {{- end }}
-{{- end }}
 {{- else if contains "NodePort" .Values.service.type }}
 export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "cryptpad-helm.fullname" . }})
 export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
diff --git a/charts/cryptpad/templates/_helpers.tpl b/charts/cryptpad/templates/_helpers.tpl
index 4cfae12..7358650 100644
--- a/charts/cryptpad/templates/_helpers.tpl
+++ b/charts/cryptpad/templates/_helpers.tpl
@@ -62,11 +62,11 @@ Create the name of the service account to use
 {{- end }}
 {{/*
-Define main domain. Or use first ingress host defined as main domain.
+Define main domain (httpUnsafeOrigin / CPAD_MAIN_DOMAIN).
 */}}
 {{- define "cryptpad-helm.mainDomain" -}}
-{{- if .Values.ingress.enabled }}
-https://{{ (index .Values.ingress.hosts 0).host }}
+{{- if .Values.mainDomain }}
+https://{{ .Values.mainDomain }}
 {{- else if .Values.config.httpUnsafeOrigin }}
 {{- .Values.config.httpUnsafeOrigin }}
 {{- else }}
@@ -75,11 +75,14 @@ http://localhost:3000
 {{- end }}
 {{/*
-Define sandbox subdomain. Or use first ingress host defined as main domain.
+Define sandbox domain (httpSafeOrigin / CPAD_SANDBOX_DOMAIN).
+Falls back to mainDomain when sandboxDomain is unset (insecure — same origin).
 */}}
 {{- define "cryptpad-helm.sandboxDomain" -}}
-{{- if .Values.ingress.enabled }}
-https://{{ (index .Values.ingress.hosts 0).host }}
+{{- if .Values.sandboxDomain }}
+https://{{ .Values.sandboxDomain }}
+{{- else if .Values.mainDomain }}
+https://{{ .Values.mainDomain }}
 {{- else if .Values.config.httpSafeOrigin }}
 {{- .Values.config.httpSafeOrigin }}
 {{- else }}
diff --git a/charts/cryptpad/templates/configmap.yaml b/charts/cryptpad/templates/configmap.yaml
index 706b087..6d28c04 100644
--- a/charts/cryptpad/templates/configmap.yaml
+++ b/charts/cryptpad/templates/configmap.yaml
@@ -1,3 +1,4 @@
+---
 apiVersion: v1
 kind: ConfigMap
 metadata:
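Review bot: The new `{{- else if .Values.mainDomain }}` branch of `cryptpad-helm.sandboxDomain` makes httpSafeOrigin identical to httpUnsafeOrigin whenever `sandboxDomain` is left empty, which the comment added two lines above itself labels insecure, and that comment is the only signal an operator gets. The chart already aborts the render for a missing `httpRoute.parentRefs` (httpRoute.yaml in this commit), so the same discipline fits here: replace the `https://{{ .Values.mainDomain }}` fallback with `{{- fail "sandboxDomain must be set to a host different from mainDomain" }}`, or, if the same-origin fallback is wanted for local setups, have NOTES.txt print a warning whenever `.Values.mainDomain` is set and `.Values.sandboxDomain` is not. A `sandboxDomain` equal to `mainDomain` passes both branches unchecked, so an `eq` guard belongs in the same place. The define's closing `{{- end }}` lies outside the hunk.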
@@ -9,21 +10,8 @@ data:
 /* globals module */
 module.exports = {
- {{- if .Values.ingress.enabled}}
- httpUnsafeOrigin: 'https://{{ (index .Values.ingress.hosts 0).host }}',
- {{- else if .Values.config.httpUnsafeOrigin }}
- httpUnsafeOrigin: {{ .Values.config.httpUnsafeOrigin | quote }},
- {{- else }}
- httpUnsafeOrigin: 'http://localhost:3000',
- {{- end}}
-
- {{- if .Values.ingress.enabled }}
- httpSafeOrigin: 'https://{{ (index .Values.ingress.hosts 0).host }}',
- {{- else if .Values.config.httpSafeOrigin }}
- httpSafeOrigin: {{ .Values.config.httpSafeOrigin | quote }},
- {{- else }}
- httpSafeOrigin: 'http://localhost:3000',
- {{- end}}
+ httpUnsafeOrigin: '{{ include "cryptpad-helm.mainDomain" . | trim }}',
+ httpSafeOrigin: '{{ include "cryptpad-helm.sandboxDomain" . | trim }}',
 {{- if .Values.config.adminKeys }}
 adminKeys: [
@@ -36,12 +24,16 @@ data:
 {{- end}}
 {{- range $key, $value := .Values.config }}
- {{- if and (or (ne $key "httpUnsafeOrigin") (ne $key "httpSafeOrigin")) (ne $key "adminKeys") }}
+ {{- if and (ne $key "httpUnsafeOrigin") (ne $key "httpSafeOrigin") (ne $key "adminKeys") }}
+ {{- if or (kindIs "bool" $value) (kindIs "float64" $value) (kindIs "int64" $value) }}
+ {{ $key }}: {{ $value }},
+ {{- else if or (kindIs "slice" $value) (kindIs "map" $value) }}
+ {{ $key }}: {{ $value | toJson }},
+ {{- else }}
 {{ $key }}: {{ $value | quote }},
+ {{- end }}
 {{- end }}
 {{- end }}
-
-
 };
 application_config.js: |
 /*
diff --git a/charts/cryptpad/templates/cryptpad.yaml b/charts/cryptpad/templates/cryptpad.yaml
index e8bc7a2..9f6f27e 100644
--- a/charts/cryptpad/templates/cryptpad.yaml
+++ b/charts/cryptpad/templates/cryptpad.yaml
@@ -1,8 +1,8 @@
+---
+apiVersion: apps/v1
 {{- if .Values.workloadStateful }}
-apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }}
 kind: StatefulSet
 {{- else }}
-apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
 kind: Deployment
 {{- end }}
 metadata:
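Review bot: `httpUnsafeOrigin: '{{ include "cryptpad-helm.mainDomain" . | trim }}',` wraps the helper output in bare single quotes with no escaping, whereas the removed branch applied `| quote`; when the helper falls through to `.Values.config.httpUnsafeOrigin` (emitted raw in `_helpers.tpl`), any `'` in that value terminates the JS string early and the generated config.js no longer parses. Keeping Helm's quoting restores the previous escaping: `httpUnsafeOrigin: {{ include "cryptpad-helm.mainDomain" . | trim | quote }},` and likewise `httpSafeOrigin: {{ include "cryptpad-helm.sandboxDomain" . | trim | quote }},`. The `module.exports` object continues beyond the hunk.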
@@ -46,6 +46,8 @@ spec:
 volumeMounts:
 - name: cryptpad-data
 mountPath: /cryptpad/data
+ - mountPath: /tmp
+ name: tmp
 args:
 - |
 FILE=/cryptpad/data/decrees/decree.ndjson
@@ -128,7 +130,7 @@ spec:
 readinessProbe:
 {{- if .Values.probes.readiness.httpGet.enabled }}
 httpGet:
- path: {{ .Values.probes.liveness.httpGet.path }}
+ path: {{ .Values.probes.readiness.httpGet.path }}
 port: {{ .Values.service.containerPort }}
 {{- else }}
 tcpSocket:
@@ -143,16 +145,16 @@ spec:
 resources:
 {{- toYaml .Values.resources | nindent 12 }}
 volumeMounts:
- {{- if .Values.persistence.enabled }}
- {{- range $dir, $dirvalues := .Values.persistence.cryptpad }}
- - name: cryptpad-{{ $dir | replace "/" "-" }}
- mountPath: /cryptpad/{{ $dir }}
- {{- end }}
- {{- else if not .Values.workloadStateful }}
 {{- range $dir, $dirvalues := .Values.persistence.cryptpad }}
+ {{- $mountPath := printf "/cryptpad/%s" $dir }}
+ {{- $skip := false }}
+ {{- range $.Values.extraVolumeMounts }}
+ {{- if eq .mountPath $mountPath }}{{- $skip = true }}{{- end }}
+ {{- end }}
+ {{- if not $skip }}
 - name: cryptpad-{{ $dir | replace "/" "-" }}
- mountPath: /cryptpad/{{ $dir }}
- {{- end }}
+ mountPath: {{ $mountPath }}
+ {{- end }}
 {{- end }}
 - name: configmaps
 mountPath: {{ .Values.cpadConfig }}
@@ -160,6 +162,8 @@ spec:
 - name: configmaps
 mountPath: /cryptpad/customize/application_config.js
 subPath: application_config.js
+ - mountPath: /tmp
+ name: tmp
 {{- with .Values.extraVolumeMounts }}
 {{- toYaml . | nindent 12 }}
 {{- end }}
@@ -179,6 +183,8 @@ spec:
 {{- toYaml . | nindent 8 }}
 {{- end }}
 volumes:
+ - name: tmp
+ emptyDir: {}
 - name: configmaps
 configMap:
 name: {{ include "cryptpad-helm.fullname" . }}
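Review bot: The mount de-duplication keys on `mountPath` (`{{- if eq .mountPath $mountPath }}`) while the matching volume de-duplication in the `@@ -235,7 +241,14 @@` hunk keys on `name`, so the two checks can disagree: an `extraVolumeMounts` entry at `/cryptpad/<dir>` suppresses the generated mount but the generated `cryptpad-<dir>` emptyDir is still emitted, and an `extraVolumes` entry named `cryptpad-<dir>` with no matching mount entry is attached by the chart's own generated `- name: cryptpad-...` mount. That may well be the intended override contract, but nothing in values.yaml states it; a comment at `extraVolumeMounts`/`extraVolumes` such as `# -- To replace a persistence.cryptpad dir, add a volume named cryptpad-<dir> in extraVolumes and a mount at /cryptpad/<dir> in extraVolumeMounts` would make it explicit. The enclosing container spec continues outside the hunk.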
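Review bot: `- name: tmp` / `emptyDir: {}` gives the new `/tmp` volume no `sizeLimit`, so whatever is written there — it is now mounted both in the container running the `FILE=/cryptpad/data/decrees/decree.ndjson` script (`@@ -46,6 +46,8 @@`) and in the main container (`@@ -160,6 +162,8 @@`) — draws on node ephemeral storage without a bound and can, if it grows, trigger node-pressure eviction of this pod or its neighbours. Bounding it is a one-line addition, e.g. `emptyDir:` / `sizeLimit: 512Mi` (a constructed example; pick a value that fits CryptPad's temp usage). If the mount exists to support a read-only root filesystem, a comment saying so on the volume would help the next maintainer, as the container `securityContext` is not visible in these hunks.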
@@ -235,7 +241,14 @@ spec:
 {{- end }}
 {{- else }}
 {{- range $dir, $dirvalues := .Values.persistence.cryptpad }}
- - name: cryptpad-{{ $dir | replace "/" "-" }}
+ {{- $volName := printf "cryptpad-%s" ($dir | replace "/" "-") }}
+ {{- $skip := false }}
+ {{- range $.Values.extraVolumes }}
+ {{- if eq .name $volName }}{{- $skip = true }}{{- end }}
+ {{- end }}
+ {{- if not $skip }}
+ - name: {{ $volName }}
 emptyDir: {}
- {{- end }}
+ {{- end }}
+ {{- end }}
 {{- end }}
diff --git a/charts/cryptpad/templates/hpa.yaml b/charts/cryptpad/templates/hpa.yaml
index 4ff6f4c..74ac02a 100644
--- a/charts/cryptpad/templates/hpa.yaml
+++ b/charts/cryptpad/templates/hpa.yaml
@@ -1,5 +1,6 @@
 {{- if .Values.autoscaling.enabled }}
-apiVersion: autoscaling/v2beta1
+---
+apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
 name: {{ include "cryptpad-helm.fullname" . }}
@@ -8,10 +9,10 @@ metadata:
 spec:
 scaleTargetRef:
 {{- if .Values.workloadStateful }}
- apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }}
+ apiVersion: apps/v1
 kind: StatefulSet
 {{- else }}
- apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
+ apiVersion: apps/v1
 kind: Deployment
 {{- end }}
 name: {{ include "cryptpad-helm.fullname" . }}
@@ -22,12 +23,16 @@ spec:
 - type: Resource
 resource:
 name: cpu
- targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+ target:
+ type: Utilization
+ averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
 {{- end }}
 {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
 - type: Resource
 resource:
 name: memory
- targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ target:
+ type: Utilization
+ averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
 {{- end }}
 {{- end }}
diff --git a/charts/cryptpad/templates/httpRoute.yaml b/charts/cryptpad/templates/httpRoute.yaml
new file mode 100644
index 0000000..0d69308
--- /dev/null
+++ b/charts/cryptpad/templates/httpRoute.yaml
@@ -0,0 +1,56 @@
+{{- if .Values.httpRoute.enabled -}}
+{{- $fullName := include "cryptpad-helm.fullname" . -}}
+{{- $svcPort := .Values.service.externalPort -}}
+{{- $svcWsPort := .Values.service.websocket.externalPort -}}
+{{- if not .Values.httpRoute.parentRefs }}
+ {{- fail "A valid .Values.httpRoute.parentRefs entry is required when httpRoute.enabled is true" }}
+{{- end }}
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: {{ $fullName }}
+ labels:
+ {{- include "cryptpad-helm.labels" . | nindent 4 }}
+ {{- with .Values.httpRoute.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ {{- with .Values.httpRoute.parentRefs }}
+ parentRefs:
+ {{- . | toYaml | nindent 2 }}
+ {{- end }}
+ hostnames:
+ - {{ .Values.mainDomain | quote }}
+ {{- if .Values.sandboxDomain }}
+ - {{ .Values.sandboxDomain | quote }}
+ {{- end }}
+ rules:
+ - matches:
+ - path:
+ value: /
+ type: PathPrefix
+ backendRefs:
+ - group: ''
+ kind: Service
+ name: {{ $fullName }}
+ port: {{ $svcPort }}
+ {{- with .Values.httpRoute.timeouts }}
+ timeouts:
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+ - matches:
+ - path:
+ value: /cryptpad_websocket
+ type: PathPrefix
+ backendRefs:
+ - group: ''
+ kind: Service
+ name: {{ $fullName }}
+ port: {{ $svcWsPort }}
+ {{- with .Values.httpRoute.timeouts }}
+ timeouts:
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/cryptpad/templates/ingress.yaml b/charts/cryptpad/templates/ingress.yaml
index dd07365..c2b2289 100644
--- a/charts/cryptpad/templates/ingress.yaml
+++ b/charts/cryptpad/templates/ingress.yaml
@@ -2,6 +2,7 @@
 {{- $fullName := include "cryptpad-helm.fullname" . -}}
 {{- $svcPort := .Values.service.externalPort -}}
 {{- $svcWsPort := .Values.service.websocket.externalPort -}}
+---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
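Review bot: `hostnames:` unconditionally emits `- {{ .Values.mainDomain | quote }}`, but `mainDomain` defaults to `""` in values.yaml, so enabling `httpRoute` without setting it renders `- ""`, which is not a valid hostname, and the template's existing guard covers only `parentRefs`. Extend it with the same pattern: `{{- if not .Values.mainDomain }}{{- fail "mainDomain is required when httpRoute.enabled is true" }}{{- end }}`. The ingress template has the same gap in its `@@ -20,15 +21,39 @@` hunk, where `- host: {{ .Values.mainDomain | quote }}` with an empty value yields a rule whose host is empty, i.e. one that applies to every hostname reaching the ingress controller, where the removed default was `localhost`; the guard belongs at the top of ingress.yaml as well.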
@@ -20,15 +21,39 @@ spec:
 tls:
 {{- range .Values.ingress.tls }}
 - hosts:
+ {{- if .hosts }}
 {{- range .hosts }}
 - {{ . | quote }}
 {{- end }}
+ {{- else }}
+ - {{ $.Values.mainDomain | quote }}
+ {{- if $.Values.sandboxDomain }}
+ - {{ $.Values.sandboxDomain | quote }}
+ {{- end }}
+ {{- end }}
 secretName: {{ .secretName }}
 {{- end }}
 {{- end }}
 rules:
- {{- range .Values.ingress.hosts }}
- - host: {{ .host | quote }}
+ - host: {{ .Values.mainDomain | quote }}
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: {{ $fullName }}
+ port:
+ number: {{ $svcPort }}
+ - path: /cryptpad_websocket
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: {{ $fullName }}
+ port:
+ number: {{ $svcWsPort }}
+ {{- if .Values.sandboxDomain }}
+ - host: {{ .Values.sandboxDomain | quote }}
 http:
 paths:
 - path: /
diff --git a/charts/cryptpad/templates/pvc.yaml b/charts/cryptpad/templates/pvc.yaml
index 89dbdc1..88b2e09 100644
--- a/charts/cryptpad/templates/pvc.yaml
+++ b/charts/cryptpad/templates/pvc.yaml
@@ -7,11 +7,11 @@ metadata:
 name: cryptpad-{{ $dir | replace "/" "-" }}
 {{- with $dirvalues.annotations }}
 annotations:
- {{- toYaml . | nindent 10 }}
+ {{- toYaml . | nindent 4 }}
 {{- end }}
 {{- with $dirvalues.labels }}
 labels:
- {{- toYaml . | nindent 10 }}
+ {{- toYaml . | nindent 4 }}
 {{- end }}
 spec:
 accessModes:
@@ -23,14 +23,14 @@ spec:
 {{- end }}
 {{- with $dirvalues.dataSource }}
 dataSource:
- {{- toYaml . | nindent 10 }}
+ {{- toYaml . | nindent 4 }}
 {{- end }}
 resources:
 requests:
 storage: {{ $dirvalues.size | quote }}
 {{- with $dirvalues.selector }}
 selector:
- {{- toYaml . | nindent 10 }}
+ {{- toYaml . | nindent 4 }}
 {{- end }}
 {{- end }}
 {{- end }}
diff --git a/charts/cryptpad/templates/service.yaml b/charts/cryptpad/templates/service.yaml
index 5974768..535bb95 100644
--- a/charts/cryptpad/templates/service.yaml
+++ b/charts/cryptpad/templates/service.yaml
@@ -1,3 +1,4 @@
+---
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/charts/cryptpad/templates/serviceaccount.yaml b/charts/cryptpad/templates/serviceaccount.yaml
index 99b8ee8..9c7da56 100644
--- a/charts/cryptpad/templates/serviceaccount.yaml
+++ b/charts/cryptpad/templates/serviceaccount.yaml
@@ -1,4 +1,5 @@
 {{- if .Values.serviceAccount.create -}}
+---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
diff --git a/charts/cryptpad/values.yaml b/charts/cryptpad/values.yaml
index 8918439..49c689d 100644
--- a/charts/cryptpad/values.yaml
+++ b/charts/cryptpad/values.yaml
@@ -5,6 +5,15 @@
 # -- Number of replicas
 replicaCount: 1
+# -- Primary hostname for CryptPad (no scheme). Used for httpUnsafeOrigin, CPAD_MAIN_DOMAIN,
+# and ingress/httpRoute host rules. Example: cryptpad.example.org
+mainDomain: ""
+
+# -- Sandbox hostname for CryptPad security isolation (no scheme). Used for httpSafeOrigin and
+# CPAD_SANDBOX_DOMAIN. Must be a *different* domain or subdomain from mainDomain.
+# If empty, mainDomain is reused (insecure). Example: sandbox.cryptpad.example.org
+sandboxDomain: ""
+
 # -- Enable to choose witch kind of workload will be used: (true) StatefulSet or (false) for Deployment
 workloadStateful: true
@@ -194,11 +203,21 @@ ingress:
 annotations: {}
 # kubernetes.io/ingress.class: nginx
 # kubernetes.io/tls-acme: "true"
- hosts:
- # if the ingress is enabled, this hostname will be used for httpUnsafeOrigin and httpSafeOrigin
- - host: localhost
 tls: []
 # - secretName: secret-tls
+ # hosts: [] # auto-populated from mainDomain/sandboxDomain when empty
+
+httpRoute:
+ enabled: false
+ annotations: {}
+ parentRefs: []
+ # -- requires cluster enabled default gateway (here envoy as example)
+ #- name: default-gateway
+ # namespace: infrastructure-envoy-gateway-default
+ # sectionName: default
+ timeouts: {}
+ # backendRequest: 120s
+
 # -- Specify default resources.
 # We usually recommend not to specify default resources and to leave this as a conscious
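Review bot: The added line `# hosts: [] # auto-populated from mainDomain/sandboxDomain when empty` describes a key the templates no longer read: ingress.yaml in this commit drops `{{- range .Values.ingress.hosts }}` and builds its rules from `mainDomain`/`sandboxDomain` only, so an operator who uncomments `hosts:` and fills it in gets no effect. What is auto-populated is `tls[].hosts`, so the comment should say that, e.g. `# hosts: is no longer used; rules come from mainDomain/sandboxDomain, and tls[].hosts falls back to them when left empty`. The commented `parentRefs` example writes `#- name: default-gateway` without the space after `#` that every other comment in this block uses.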
@@ -220,7 +239,8 @@ autoscaling:
 # -- Minimal numbers of replicas
 minReplicas: 1
 # -- Maximum numbers of replicas
- maxReplicas: 100
+ # TODO: does cryptpad support HA?
+ maxReplicas: 1
 # -- Percentage of the targeted CPU Utilization
 targetCPUUtilizationPercentage: 80
 # -- Percentage of the targeted Memory Utilization