VARASYS/ZDDC
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ZDDC/helm/zddc-server-prod/values.yaml.example
Me Here 2bc582fd9e ZDDC: document-control tools + zddc-server
2026-06-11 13:32:31 -05:00

126 lines
5.1 KiB
Text
Raw Blame History

# values.yaml.example — zddc-server-prod
#
# Copy to values.yaml (or pass via --values) and customize for your
# environment. Contains NO secrets — secrets like the .zddc admin email
# list, TLS certs (if used), and image-pull credentials must be
# materialised from your secret-management system (sealed-secrets,
# external-secrets, kubectl create secret, etc.) and referenced by name
# below.
# Source-build configuration. The init container clones the repo at
# `gitRef` and compiles cmd/zddc-server. Pin gitRef to a stable tag
# (zddc-server-vX.Y.Z) for production; trying main HEAD risks pulling
# unreleased changes.
zddc:
gitRepo: https://codeberg.org/VARASYS/ZDDC.git
gitRef: zddc-server-v0.0.7 # pin to a stable tag
# ZDDC environment-variable contract — see zddc/README.md
env:
# Path inside the container where ZDDC_ROOT data is mounted.
# The chart wires the data PVC to this path automatically.
rootPath: /srv
# Listening address (plain HTTP — ingress terminates TLS).
addr: ":8080"
# Email-header convention from your authenticating reverse proxy.
emailHeader: X-Auth-Request-Email
# Comma-separated CORS allowlist. Empty (default) disables CORS —
# appropriate for the embedded-tools install path where tools are
# served same-origin by zddc-server itself. Set to a specific origin
# only if browser-loaded pages from a different host call back into
# this server (e.g. self-hosted tools at https://tools.acme.com,
# or the CDN-bootstrap pattern from https://zddc.varasys.io).
corsOrigin: ""
# info / warn / error / debug. Production stays on info; debug logs
# every request's full header map (includes cookies/auth tokens).
logLevel: info
# Index URL segment for the virtual archive index. Default fits
# most deployments; only change if you have a tracking-number
# collision with a real directory named ".archive".
indexPath: ".archive"
# Skip ACL enforcement entirely on this instance. Anyone hitting
# the port reads everything in scope. Only enable for genuinely-
# public archives (and even then, only behind an authenticating
# ingress that doesn't gate on identity for /). Distinct from
# --insecure (which gates the startup check requiring a root .zddc).
# Default false.
noAuth: false
# Bearer-token system. Master automatically self-issues tokens via
# /.tokens (browser) and /.api/tokens (JSON). The token store lives
# at <ZDDC_ROOT>/.zddc.d/tokens/<sha256> on the data PVC; no Helm
# configuration required. Operators sign in via the upstream auth
# proxy, visit /.tokens, copy the displayed token into a 0600 file,
# and pass --bearer-file to any CLI / cache / mirror that needs to
# authenticate against this master. See zddc/README.md "Bearer
# tokens" for the full lifecycle.
# Persistent storage for ZDDC_ROOT. Operators provide their own PVC,
# typically backed by a shared filesystem (NFS, CephFS, SMB) so multiple
# replicas of zddc-server (and your sync tooling) see the same tree.
# This chart does NOT create the PVC — it only references it by name.
data:
pvcName: zddc-root # name of an existing PersistentVolumeClaim
subPath: "" # optional subPath within the PVC
# Service exposure. zddc-server listens on a plain HTTP port; ingress
# (or whatever reverse proxy you put in front) terminates TLS and
# enforces authentication, then forwards to this service.
service:
type: ClusterIP
port: 8080
# Ingress is optional — disabled by default since most deployments wire
# zddc-server into an existing ingress / auth-proxy stack. Enable here
# only if this chart is the only thing in front of the pod.
ingress:
enabled: false
className: ""
host: zddc.example.com
tls:
enabled: false
secretName: zddc-tls # secret you create separately
# Pod resource limits. Sized for a small/medium archive (~10k files).
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 500m
memory: 512Mi
# Replicas. zddc-server is read-only stateless given a shared filesystem
# behind it, so multiple replicas are safe.
replicaCount: 1
# Build-stage Go image (init container). Pinned digest is recommended
# in production for reproducibility; using a tag means upstream changes
# break your deploy.
buildImage:
repository: docker.io/golang
tag: 1.24-alpine
# digest: sha256:...
# Runtime image (main container). Hosts the zddc-server binary copied
# in by the init container, plus the conversion toolchain (pandoc,
# chromium, bubblewrap) used by the /.convert endpoint. Build from
# `zddc/runtime.Containerfile` and publish to your registry; the
# Containerfile documents the build/publish commands. Plain alpine
# does NOT have the conversion tools — the /.convert endpoint will
# serve 503 until you swap in a runtime image that bundles them.
runtimeImage:
repository: codeberg.org/varasys/zddc-server-runtime
tag: "latest"
# digest: sha256:...
# Image pull credentials, if your registry requires them. Reference a
# secret you've created separately; do not put credentials in values.
imagePullSecrets: []
# - name: regcred
Reference in a new issue View git blame Copy permalink