VARASYS/ZDDC
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ZDDC/helm/zddc-server-prod/values.yaml.example
ZDDC 55852a9efb helm: add zddc-server-cache example chart + ZDDC_NO_AUTH on prod/dev 
New chart helm/zddc-server-cache/ deploys zddc-server in client mode
against an upstream master. Mirrors the prod chart's source-build-via-
init-container pattern but with:

- ZDDC_UPSTREAM, ZDDC_MODE, ZDDC_BEARER_FILE, ZDDC_NO_AUTH,
  ZDDC_SKIP_TLS_VERIFY, ZDDC_MIRROR_SUBTREE, ZDDC_MIRROR_MIN_INTERVAL
  wired from values.yaml. Mirror-only env vars conditionally rendered
  (only when mode=mirror) to keep the rendered manifest minimal.
- Bearer token mounted from a separately-created Kubernetes Secret
  (defaultMode 0400) at /etc/zddc/bearer/token. values.yaml.example
  documents the secret-creation flow but contains no token. Secret
  reference can be set to "" to disable bearer auth (only valid for
  upstreams running --no-auth).
- Recreate strategy + replicaCount: 1 (multiple replicas would race
  the cache directory and double the upstream walker traffic).
- TCP-socket probes instead of HTTP — HTTP probes against / would
  fail when both upstream is unreachable AND the cache is empty
  (the cache layer returns 503 + offline header in that state),
  causing crashloops. TCP verifies process liveness without depending
  on upstream reachability or cache contents.
- Mounts a separate cache PVC (operator-provided, like the master's
  data PVC). Sized to the working set you expect to mirror; can be
  much smaller than the master's data volume.

Existing prod and dev charts gain optional ZDDC_NO_AUTH wired from
zddc.env.noAuth (default false → no change to existing rendered
manifests). Useful for trusted-LAN or genuinely-public master
deployments.

Updated docs: helm/README.md gains the cache row in the chart table,
the cache-install quickstart with the secret-creation flow, and the
cache-specific structural notes (Recreate / TCP probes / single-
instance). CLAUDE.md and ARCHITECTURE.md updated to reflect three
charts instead of two.

Verified with helm template rendering: ZDDC_NO_AUTH only renders
when noAuth: true; ZDDC_MIRROR_SUBTREE / ZDDC_MIRROR_MIN_INTERVAL
only render when mode: mirror; bearer volume + ZDDC_BEARER_FILE
only render when bearer.secretName is non-empty.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-08 08:33:01 -05:00

121 lines
4.7 KiB
Text
Raw Blame History

# values.yaml.example — zddc-server-prod
#
# Copy to values.yaml (or pass via --values) and customize for your
# environment. Contains NO secrets — secrets like the .zddc admin email
# list, TLS certs (if used), and image-pull credentials must be
# materialised from your secret-management system (sealed-secrets,
# external-secrets, kubectl create secret, etc.) and referenced by name
# below.
# Source-build configuration. The init container clones the repo at
# `gitRef` and compiles cmd/zddc-server. Pin gitRef to a stable tag
# (zddc-server-vX.Y.Z) for production; trying main HEAD risks pulling
# unreleased changes.
zddc:
gitRepo: https://codeberg.org/VARASYS/ZDDC.git
gitRef: zddc-server-v0.0.7 # pin to a stable tag
# ZDDC environment-variable contract — see zddc/README.md
env:
# Path inside the container where ZDDC_ROOT data is mounted.
# The chart wires the data PVC to this path automatically.
rootPath: /srv
# Listening address (plain HTTP — ingress terminates TLS).
addr: ":8080"
# Email-header convention from your authenticating reverse proxy.
emailHeader: X-Auth-Request-Email
# Comma-separated CORS allowlist. Empty (default) disables CORS —
# appropriate for the embedded-tools install path where tools are
# served same-origin by zddc-server itself. Set to a specific origin
# only if browser-loaded pages from a different host call back into
# this server (e.g. self-hosted tools at https://tools.acme.com,
# or the CDN-bootstrap pattern from https://zddc.varasys.io).
corsOrigin: ""
# info / warn / error / debug. Production stays on info; debug logs
# every request's full header map (includes cookies/auth tokens).
logLevel: info
# Index URL segment for the virtual archive index. Default fits
# most deployments; only change if you have a tracking-number
# collision with a real directory named ".archive".
indexPath: ".archive"
# Skip ACL enforcement entirely on this instance. Anyone hitting
# the port reads everything in scope. Only enable for genuinely-
# public archives (and even then, only behind an authenticating
# ingress that doesn't gate on identity for /). Distinct from
# --insecure (which gates the startup check requiring a root .zddc).
# Default false.
noAuth: false
# Bearer-token system. Master automatically self-issues tokens via
# /.tokens (browser) and /.api/tokens (JSON). The token store lives
# at <ZDDC_ROOT>/.zddc.d/tokens/<sha256> on the data PVC; no Helm
# configuration required. Operators sign in via the upstream auth
# proxy, visit /.tokens, copy the displayed token into a 0600 file,
# and pass --bearer-file to any CLI / cache / mirror that needs to
# authenticate against this master. See zddc/README.md "Bearer
# tokens" for the full lifecycle.
# Persistent storage for ZDDC_ROOT. Operators provide their own PVC,
# typically backed by a shared filesystem (NFS, CephFS, SMB) so multiple
# replicas of zddc-server (and your sync tooling) see the same tree.
# This chart does NOT create the PVC — it only references it by name.
data:
pvcName: zddc-root # name of an existing PersistentVolumeClaim
subPath: "" # optional subPath within the PVC
# Service exposure. zddc-server listens on a plain HTTP port; ingress
# (or whatever reverse proxy you put in front) terminates TLS and
# enforces authentication, then forwards to this service.
service:
type: ClusterIP
port: 8080
# Ingress is optional — disabled by default since most deployments wire
# zddc-server into an existing ingress / auth-proxy stack. Enable here
# only if this chart is the only thing in front of the pod.
ingress:
enabled: false
className: ""
host: zddc.example.com
tls:
enabled: false
secretName: zddc-tls # secret you create separately
# Pod resource limits. Sized for a small/medium archive (~10k files).
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 500m
memory: 512Mi
# Replicas. zddc-server is read-only stateless given a shared filesystem
# behind it, so multiple replicas are safe.
replicaCount: 1
# Build-stage Go image (init container). Pinned digest is recommended
# in production for reproducibility; using a tag means upstream changes
# break your deploy.
buildImage:
repository: docker.io/golang
tag: 1.24-alpine
# digest: sha256:...
# Runtime image (main container). Must contain a basic shell + libc;
# the static binary is copied in by the init container. Alpine is fine.
runtimeImage:
repository: docker.io/alpine
tag: "3.19"
# digest: sha256:...
# Image pull credentials, if your registry requires them. Reference a
# secret you've created separately; do not put credentials in values.
imagePullSecrets: []
# - name: regcred
Reference in a new issue View git blame Copy permalink