You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
feat!: restructure config/secret handling, harden chart, and add CI (v6.0.0) (#78)
* feat(chart)!: split config into ConfigMap + Secret and harden defaults
BREAKING CHANGE: `secret.enabled` and `secret.useExisting` are removed.
Non-sensitive settings now always render into a ConfigMap and sensitive ones
(admin password/token, cookie signing key, S3 keys, OAuth2 client secret) into
a Secret, both mounted into the pod. Use `secret.existingSecret` to bring your
own Secret (e.g. SOPS-encrypted).
- Move the cookie signing key into the Secret; allow sourcing it from an
existing Secret via kellnr.registry.cookieSigningKeySecretRef (#67)
- Mount ConfigMap and Secret simultaneously; add extraEnvVars / extraEnvVarsCM
/ extraEnvVarsSecret escape hatches (#68, #61)
- Add startup/liveness/readiness probes against /api/v1/health
- Disable ServiceAccount token automount by default
- Expose registry download* and s3 *Timeout settings
- Add values.schema.json and a `helm test` connection hook
- Bump chart to 6.0.0 and document the upgrade
* ci: validate charts on PRs and modernize the release workflow
- Add lint-test workflow running chart-testing lint plus a kind-based
install that exercises the new `helm test` hook on pull requests
- Add .github/ct.yaml (target-branch, chart-dirs, skip maintainer check)
- Scope release triggers to main, apply least-privilege per-job permissions,
and add a concurrency group
- Bump chart-releaser-action v1.2.1->v1.7.0, create-pull-request v6->v8,
setup-helm v4->v5, checkout v4->v6
* ci: add yamllint config matching the chart comment style
ct lint runs yamllint, whose comments rule requires two spaces before inline
comments; the chart uses the `value # default` one-space style throughout.
Add a yamllint config (relaxed comments rule) and point ct at it via lint-conf.
* docs: document the v6.0.0 ConfigMap/Secret split in the README
Add a "Configuration storage (ConfigMap and Secret)" section covering
secret.existingSecret and pointing to the extra-env settings.
* docs: link the v6.0.0 blog post from the upgrade notes
- A `values.schema.json` now validates values at install/template time (e.g. it
98
+
requires `kellnr.origin.hostname`).
99
+
59
100
#### Chart version 5.0.0
60
101
61
102
The default data directory changed from `/opt/kdata` to `/var/lib/kellnr` to align with the new Kellnr Docker image defaults. If you're upgrading an existing installation and were using the default data directory, explicitly set `kellnr.registry.dataDir=/opt/kdata` in your values to maintain compatibility with your existing persistent volume.
62
103
104
+
## Testing
105
+
106
+
After installing or upgrading, you can run the chart's built-in smoke test, which
107
+
checks that Kellnr's `/api/v1/health` endpoint is reachable through its Service:
108
+
109
+
```bash
110
+
helm test kellnr
111
+
```
112
+
63
113
## Configuration
64
114
65
115
All settings can be set with the `--set name=value` flag on `helm install`. Some settings are required and have to be provided other are recommended for security reasons.
@@ -68,28 +118,79 @@ All settings can be set with the `--set name=value` flag on `helm install`. Some
68
118
69
119
Check the [documentation](https://kellnr.io/documentation) and the [values.yaml](./charts/kellnr/values.yaml) for possible configuration values.
70
120
121
+
#### Configuration storage (ConfigMap and Secret)
122
+
123
+
The chart renders Kellnr's configuration into two objects, both mounted into the pod
124
+
via `envFrom`:
125
+
126
+
- a **ConfigMap** (`configMap.name`) holding the non-sensitive settings, and
127
+
- a **Secret** (`secret.name`) holding the sensitive ones: the admin password and
128
+
token, the cookie signing key, the S3 keys, and the OAuth2 client secret.
| kellnr.registry.cookieSigningKey | No | Inline cookie signing key for `KELLNR_REGISTRY__COOKIE_SIGNING_KEY`. Must be at least 64 characters. | "" |
149
+
| kellnr.registry.cookieSigningKeySecretRef.name | No | Name of an existing Secret holding the key. Takes precedence over the inline value when set. | "" |
150
+
| kellnr.registry.cookieSigningKeySecretRef.key | No | Key within that Secret. | "cookieSigningKey" |
78
151
79
152
Notes:
80
153
81
-
- If `secret.enabled: true` and `kellnr.registry.cookieSigningKey`is empty, the chart will **not** set `KELLNR_REGISTRY__COOKIE_SIGNING_KEY`.
82
-
83
-
- If `secret.enabled: false` (ConfigMap mode), you should set `kellnr.registry.cookieSigningKey` explicitly (otherwise the env var is not set).
154
+
- If neither value is set, Kellnr generates a random key on startup (per pod).
155
+
- Provide the key inline to have the chart store it in its Secret, **or** point
156
+
`cookieSigningKeySecretRef` at a Secret you manage yourself.
84
157
85
-
Example:
158
+
Inline example:
86
159
87
160
````yaml
88
161
kellnr:
89
162
registry:
90
163
cookieSigningKey: "<at least 64 characters>"
91
164
````
92
165
166
+
Existing-secret example:
167
+
168
+
````yaml
169
+
kellnr:
170
+
registry:
171
+
cookieSigningKeySecretRef:
172
+
name: my-cookie-secret
173
+
key: cookieSigningKey
174
+
````
175
+
176
+
#### Extra environment variables
177
+
178
+
To inject arbitrary environment variables or mount your own ConfigMap/Secret alongside
0 commit comments