fix(cdn): use custom nonroot nginx container with fancy index

2024-09-14 23:08:48 -04:00 · 2024-09-14 23:08:48 -04:00 · d4e5a254a7
parent f98c57befd
commit d4e5a254a7
1 changed files with 42 additions and 31 deletions
--- a/kubernetes/main/apps/default/cdn/helm-release.yaml
+++ b/kubernetes/main/apps/default/cdn/helm-release.yaml
@ -1,3 +1,4 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
@ -8,58 +9,68 @@ spec:
  chart:
    spec:
      chart: app-template
-      version: 1.3.x
+      version: 3.4.0
      sourceRef:
        kind: HelmRepository
        name: bjws-charts
        namespace: flux-system

  values:
-    image:
-      repository: oci.seedno.de/seednode/nginx
-      tag: latest
+    controllers:
+      main:
+        pod:
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 65534
+            runAsGroup: 65533
+            fsGroup: 10000
+            fsGroupChangePolicy: OnRootMismatch

-    args:
-    - -c
-    - /config/nginx.conf
+        containers:
+          main:
+            image:
+              repository: git.seanomik.net/seanomik/nginx
+              tag: 1.27.1
+              pullPolicy: Always
+
+            resources:
+              requests:
+                memory: 500Mi
+
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities: { drop: ["ALL"] }

    service:
-      main:
+      app:
+        controller: main
        ports:
          http:
            port: 6544

-    probes:
-      liveness:
-        enabled: false
-
    ingress:
      main:
-        enabled: true
        annotations:
          cert-manager.io/cluster-issuer: letsencrypt-production
          traefik.ingress.kubernetes.io/router.entrypoints: websecure
        hosts:
-          - host: &host "cdn.${SECRET_NEW_DOMAIN}"
-            paths:
-              - path: /
-                pathType: Prefix
-        tls:
-          - hosts:
-              - *host
-            
+        - host: "cdn.seanomik.net"
+          paths:
+          - path: /
+            service:
+              identifier: app
+              port: http
+
    persistence:
-      data:
-        enabled: true
-        type: hostPath
-        hostPath: /mnt/MainPool/Kubernetes/cdn/data
-        readOnly: true
-        mountPath: /data
      config:
-        enabled: true
        type: configMap
        name: nginx-cdn-configmap
+        globalMounts:
+        - path: /etc/nginx/nginx.conf
+          subPath: nginx.conf

-    resources:
-      requests:
-        cpu: 1m
+      storage:
+        type: hostPath
+        hostPath: /mnt/MainPool/Kubernetes/cdn/data
+        globalMounts:
+        - path: /data