VARASYS/ZDDC
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ZDDC/helm/zddc-server-prod/values.yaml.example
ZDDC 6b973906c3 feat(server): refuse to start without root .zddc; default CORS to empty 
Two safe-by-default flips, both opt-out via explicit acknowledgement.

1. --insecure / ZDDC_INSECURE=1: zddc-server now refuses to start when
   no <ZDDC_ROOT>/.zddc exists. With no .zddc anywhere in the chain,
   AllowedWithChain falls through to "HasAnyFile=false → allow" and
   the tree is publicly accessible to anonymous callers — almost never
   what an operator wants on a fresh deployment, and previously a
   silent footgun. The flag is the escape hatch for deliberately-
   public archives (no .zddc anywhere by design).

2. ZDDC_CORS_ORIGIN now defaults to empty (CORS disabled) instead of
   the canonical "https://zddc.varasys.io". The embedded-tools install
   path serves tools and data same-origin, so the default never needed
   to permit cross-origin XHRs from a third-party host. Every deployment
   was implicitly trusting zddc.varasys.io to make authenticated XHRs
   on behalf of every logged-in user; if that origin were ever
   compromised, the blast radius extended to every customer server.
   Operators who deliberately use the CDN-bootstrap pattern or self-
   hosted tools at a different host now set the value explicitly.

Helm chart values updated accordingly: prod default is empty; dev
keeps localhost:8000 for tool-iteration workflows. Existing deployments
that depended on the old defaults will need to either set the value
explicitly or pass --insecure.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-04 17:40:34 -05:00

104 lines
3.8 KiB
Text
Raw Blame History

# values.yaml.example — zddc-server-prod
#
# Copy to values.yaml (or pass via --values) and customize for your
# environment. Contains NO secrets — secrets like the .zddc admin email
# list, TLS certs (if used), and image-pull credentials must be
# materialised from your secret-management system (sealed-secrets,
# external-secrets, kubectl create secret, etc.) and referenced by name
# below.
# Source-build configuration. The init container clones the repo at
# `gitRef` and compiles cmd/zddc-server. Pin gitRef to a stable tag
# (zddc-server-vX.Y.Z) for production; trying main HEAD risks pulling
# unreleased changes.
zddc:
gitRepo: https://codeberg.org/VARASYS/ZDDC.git
gitRef: zddc-server-v0.0.7 # pin to a stable tag
# ZDDC environment-variable contract — see zddc/README.md
env:
# Path inside the container where ZDDC_ROOT data is mounted.
# The chart wires the data PVC to this path automatically.
rootPath: /srv
# Listening address (plain HTTP — ingress terminates TLS).
addr: ":8080"
# Email-header convention from your authenticating reverse proxy.
emailHeader: X-Auth-Request-Email
# Comma-separated CORS allowlist. Empty (default) disables CORS —
# appropriate for the embedded-tools install path where tools are
# served same-origin by zddc-server itself. Set to a specific origin
# only if browser-loaded pages from a different host call back into
# this server (e.g. self-hosted tools at https://tools.acme.com,
# or the CDN-bootstrap pattern from https://zddc.varasys.io).
corsOrigin: ""
# info / warn / error / debug. Production stays on info; debug logs
# every request's full header map (includes cookies/auth tokens).
logLevel: info
# Index URL segment for the virtual archive index. Default fits
# most deployments; only change if you have a tracking-number
# collision with a real directory named ".archive".
indexPath: ".archive"
# Persistent storage for ZDDC_ROOT. Operators provide their own PVC,
# typically backed by a shared filesystem (NFS, CephFS, SMB) so multiple
# replicas of zddc-server (and your sync tooling) see the same tree.
# This chart does NOT create the PVC — it only references it by name.
data:
pvcName: zddc-root # name of an existing PersistentVolumeClaim
subPath: "" # optional subPath within the PVC
# Service exposure. zddc-server listens on a plain HTTP port; ingress
# (or whatever reverse proxy you put in front) terminates TLS and
# enforces authentication, then forwards to this service.
service:
type: ClusterIP
port: 8080
# Ingress is optional — disabled by default since most deployments wire
# zddc-server into an existing ingress / auth-proxy stack. Enable here
# only if this chart is the only thing in front of the pod.
ingress:
enabled: false
className: ""
host: zddc.example.com
tls:
enabled: false
secretName: zddc-tls # secret you create separately
# Pod resource limits. Sized for a small/medium archive (~10k files).
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 500m
memory: 512Mi
# Replicas. zddc-server is read-only stateless given a shared filesystem
# behind it, so multiple replicas are safe.
replicaCount: 1
# Build-stage Go image (init container). Pinned digest is recommended
# in production for reproducibility; using a tag means upstream changes
# break your deploy.
buildImage:
repository: docker.io/golang
tag: 1.24-alpine
# digest: sha256:...
# Runtime image (main container). Must contain a basic shell + libc;
# the static binary is copied in by the init container. Alpine is fine.
runtimeImage:
repository: docker.io/alpine
tag: "3.19"
# digest: sha256:...
# Image pull credentials, if your registry requires them. Reference a
# secret you've created separately; do not put credentials in values.
imagePullSecrets: []
# - name: regcred
Reference in a new issue View git blame Copy permalink