forked from github-mirrorer/rtomik-helm-charts
Released v 0.0.2 fixed issue with deployment on kubernetes.
This commit is contained in:
@ -25,12 +25,28 @@ The command deploys Recipya on the Kubernetes cluster in the default configurati
|
||||
|
||||
## Uninstalling the Chart
|
||||
|
||||
To uninstall/delete the `my-recipya` deployment:
|
||||
To uninstall/delete the `recipya` deployment:
|
||||
|
||||
```bash
|
||||
helm uninstall recipya -n recipya
|
||||
```
|
||||
|
||||
## Important Configuration Notes
|
||||
|
||||
### Server URL
|
||||
|
||||
When deploying with an ingress, it's **critical** to set `config.server.url` to match your ingress URL (including https if you're using TLS). This ensures that redirects after login work correctly:
|
||||
|
||||
```yaml
|
||||
config:
|
||||
server:
|
||||
url: "https://your-recipya-domain.com"
|
||||
```
|
||||
|
||||
### Ingress Configuration
|
||||
|
||||
This chart includes optimized ingress configurations for Traefik, with support for WebSockets and proper security headers. If you're using a different ingress controller, you may need to adjust annotations accordingly.
|
||||
|
||||
## Parameters
|
||||
|
||||
### Global parameters
|
||||
@ -48,24 +64,22 @@ helm uninstall recipya -n recipya
|
||||
| Name | Description | Value |
|
||||
|-----------------------------------------|--------------------------------------------------|-----------|
|
||||
| `podSecurityContext.fsGroup` | Group ID for the Recipya container | `1000` |
|
||||
| `containerSecurityContext.runAsUser` | User ID for the Recipya container | `1000` |
|
||||
| `containerSecurityContext.runAsGroup` | Group ID for the Recipya container | `1000` |
|
||||
| `containerSecurityContext.runAsNonRoot` | Run containers as non-root | `true` |
|
||||
| `containerSecurityContext` | Security context for the container | `{}` |
|
||||
|
||||
### Recipya configuration parameters
|
||||
|
||||
| Name | Description | Value |
|
||||
|-----------------------------------------|-------------------------------------------------------|----------------|
|
||||
| `config.server.port` | Server port | `8078` |
|
||||
| `config.server.autologin` | Whether to login automatically | `false` |
|
||||
| `config.server.is_demo` | Whether the app is a demo version | `false` |
|
||||
| `config.server.is_prod` | Whether the app is in production | `false` |
|
||||
| `config.server.no_signups` | Whether to disable user account registrations | `false` |
|
||||
| `config.server.url` | Base URL for the application | `http://0.0.0.0` |
|
||||
| `config.email.address` | The email address for SendGrid | `""` |
|
||||
| `config.email.sendgrid` | SendGrid API key | `""` |
|
||||
| `config.documentIntelligence.endpoint` | Azure Document Intelligence endpoint | `""` |
|
||||
| `config.documentIntelligence.key` | Azure Document Intelligence key | `""` |
|
||||
| Name | Description | Value |
|
||||
|-----------------------------------------|-------------------------------------------------------|---------------------|
|
||||
| `config.server.port` | Server port | `8078` |
|
||||
| `config.server.autologin` | Whether to login automatically | `false` |
|
||||
| `config.server.is_demo` | Whether the app is a demo version | `false` |
|
||||
| `config.server.is_prod` | Whether the app is in production | `false` |
|
||||
| `config.server.no_signups` | Whether to disable user account registrations | `false` |
|
||||
| `config.server.url` | Base URL for the application | `http://0.0.0.0` |
|
||||
| `config.email.address` | The email address for SendGrid | `""` |
|
||||
| `config.email.sendgrid` | SendGrid API key | `""` |
|
||||
| `config.documentIntelligence.endpoint` | Azure Document Intelligence endpoint | `""` |
|
||||
| `config.documentIntelligence.key` | Azure Document Intelligence key | `""` |
|
||||
|
||||
### Service parameters
|
||||
|
||||
@ -76,30 +90,88 @@ helm uninstall recipya -n recipya
|
||||
|
||||
### Ingress parameters
|
||||
|
||||
| Name | Description | Value |
|
||||
|--------------------------|--------------------------------------------------|-------------|
|
||||
| `ingress.enabled` | Enable ingress controller resource | `false` |
|
||||
| `ingress.className` | IngressClass that will be used | `""` |
|
||||
| `ingress.hosts[0].host` | Default host for the ingress resource | `chart-example.local` |
|
||||
| `ingress.tls` | Create TLS Secret | `[]` |
|
||||
| Name | Description | Value |
|
||||
|-------------------------------|--------------------------------------------------|------------------------|
|
||||
| `ingress.enabled` | Enable ingress controller resource | `false` |
|
||||
| `ingress.className` | IngressClass that will be used | `"traefik"` |
|
||||
| `ingress.annotations` | Additional ingress annotations | See values.yaml |
|
||||
| `ingress.hosts[0].host` | Default host for the ingress resource | `chart-example.local` |
|
||||
| `ingress.tls` | TLS configuration | `[]` |
|
||||
|
||||
### Persistence parameters
|
||||
|
||||
| Name | Description | Value |
|
||||
|--------------------------------------|------------------------------------------|-----------|
|
||||
| `persistence.enabled` | Enable persistence using PVC | `true` |
|
||||
| `persistence.accessMode` | PVC Access Mode | `ReadWriteOnce` |
|
||||
| `persistence.size` | PVC Storage Request | `1Gi` |
|
||||
| `persistence.storageClass` | Storage class of backing PVC | `""` |
|
||||
| Name | Description | Value |
|
||||
|--------------------------------------|------------------------------------------|------------------|
|
||||
| `persistence.enabled` | Enable persistence using PVC | `true` |
|
||||
| `persistence.accessMode` | PVC Access Mode | `ReadWriteOnce` |
|
||||
| `persistence.size` | PVC Storage Request | `1Gi` |
|
||||
| `persistence.storageClass` | Storage class of backing PVC | `""` |
|
||||
|
||||
### Resource parameters
|
||||
|
||||
| Name | Description | Value |
|
||||
|--------------------------|------------------------------------------|-----------|
|
||||
| `resources.limits.cpu` | CPU limit | `500m` |
|
||||
| `resources.limits.memory`| Memory limit | `512Mi` |
|
||||
| `resources.requests.cpu` | CPU request | `100m` |
|
||||
| `resources.requests.memory` | Memory request | `128Mi` |
|
||||
| Name | Description | Value |
|
||||
|-------------------------------|------------------------------------------|-----------|
|
||||
| `resources.limits.cpu` | CPU limit | `500m` |
|
||||
| `resources.limits.memory` | Memory limit | `512Mi` |
|
||||
| `resources.requests.cpu` | CPU request | `100m` |
|
||||
| `resources.requests.memory` | Memory request | `128Mi` |
|
||||
|
||||
### Probe parameters
|
||||
|
||||
| Name | Description | Value |
|
||||
|--------------------------------------|--------------------------------------------|-----------|
|
||||
| `probes.liveness.enabled` | Enable liveness probe | `true` |
|
||||
| `probes.liveness.path` | Path for liveness probe | `/` |
|
||||
| `probes.readiness.enabled` | Enable readiness probe | `true` |
|
||||
| `probes.readiness.path` | Path for readiness probe | `/` |
|
||||
|
||||
## Traefik Ingress Configuration
|
||||
|
||||
The chart includes specially configured middlewares for Traefik to ensure proper functioning of Recipya:
|
||||
|
||||
```yaml
|
||||
ingress:
|
||||
enabled: true
|
||||
className: "traefik"
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: websecure
|
||||
traefik.ingress.kubernetes.io/router.middlewares: recipya-recipya-headers@kubernetescrd
|
||||
traefik.ingress.kubernetes.io/service.sticky: "true"
|
||||
traefik.ingress.kubernetes.io/session-cookie-name: "recipya_session"
|
||||
hosts:
|
||||
- host: recipya.example.com
|
||||
paths:
|
||||
- path: /
|
||||
pathType: ImplementationSpecific
|
||||
tls:
|
||||
- hosts:
|
||||
- recipya.example.com
|
||||
```
|
||||
|
||||
This configuration includes:
|
||||
|
||||
1. Custom Content Security Policy allowing essential scripts from unpkg.com
|
||||
2. Sticky sessions for maintaining authentication
|
||||
3. Proper headers for proxy operation
|
||||
|
||||
## Content Security Policy Configuration
|
||||
|
||||
The chart includes a custom middleware that configures the proper Content Security Policy for Recipya. This is particularly important as the application requires access to external scripts from unpkg.com:
|
||||
|
||||
```yaml
|
||||
contentSecurityPolicy: >-
|
||||
default-src 'self';
|
||||
script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data: https://unpkg.com;
|
||||
style-src 'self' 'unsafe-inline';
|
||||
img-src 'self' data: blob:;
|
||||
font-src 'self' data:;
|
||||
connect-src 'self' ws: wss: *;
|
||||
worker-src 'self' blob:;
|
||||
frame-src 'self';
|
||||
media-src 'self' blob:;
|
||||
object-src 'none';
|
||||
form-action 'self';
|
||||
```
|
||||
|
||||
## Using Existing Secrets
|
||||
|
||||
|
||||
Reference in New Issue
Block a user