From d4e5a254a7440b5af5f9a8579c55a5a86f8c5b24 Mon Sep 17 00:00:00 2001
From: SeanOMik
Date: Sat, 14 Sep 2024 23:08:48 -0400
Subject: [PATCH] fix(cdn): use custom nonroot nginx container with fancy index
---
 .../main/apps/default/cdn/helm-release.yaml | 73 +++++++++++--------
 1 file changed, 42 insertions(+), 31 deletions(-)
diff --git a/kubernetes/main/apps/default/cdn/helm-release.yaml b/kubernetes/main/apps/default/cdn/helm-release.yaml
index a10246a..0b3c5a3 100644
--- a/kubernetes/main/apps/default/cdn/helm-release.yaml
+++ b/kubernetes/main/apps/default/cdn/helm-release.yaml
@@ -1,3 +1,4 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
@@ -8,58 +9,68 @@ spec: chart: spec: chart: app-template - version: 1.3.x + version: 3.4.0 sourceRef: kind: HelmRepository name: bjws-charts namespace: flux-system values: - image: - repository: oci.seedno.de/seednode/nginx - tag: latest + controllers: + main: + pod: + securityContext: + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65533 + fsGroup: 10000 + fsGroupChangePolicy: OnRootMismatch - args: - - -c - - /config/nginx.conf + containers: + main: + image: + repository: git.seanomik.net/seanomik/nginx + tag: 1.27.1 + pullPolicy: Always + + resources: + requests: + memory: 500Mi + + securityContext: + allowPrivilegeEscalation: false + capabilities: { drop: ["ALL"] } service: - main: + app: + controller: main ports: http: port: 6544 - probes: - liveness: - enabled: false - ingress: main: - enabled: true annotations: cert-manager.io/cluster-issuer: letsencrypt-production traefik.ingress.kubernetes.io/router.entrypoints: websecure hosts: - - host: &host "cdn.${SECRET_NEW_DOMAIN}" - paths: - - path: / - pathType: Prefix - tls: - - hosts: - - *host - + - host: "cdn.seanomik.net" + paths: + - path: / + service: + identifier: app + port: http + persistence: - data: - enabled: true - type: hostPath - hostPath: /mnt/MainPool/Kubernetes/cdn/data - readOnly: true - mountPath: /data config: - enabled: true type: configMap name: nginx-cdn-configmap + globalMounts: + - path: /etc/nginx/nginx.conf + subPath: nginx.conf - resources: - requests: - cpu: 1m \ No newline at end of file + storage: + type: hostPath + hostPath: /mnt/MainPool/Kubernetes/cdn/data + globalMounts: + - path: /data
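Review bot: The new `storage` hostPath mount at `/data` no longer carries the `readOnly: true` that the removed `data` volume had, so the nginx container can now write to `/mnt/MainPool/Kubernetes/cdn/data` on the node; if the CDN only serves files, add `readOnly: true` under the `- path: /data` entry of its `globalMounts`. The ingress also loses its `tls:` block while keeping the `cert-manager.io/cluster-issuer` annotation; cert-manager normally acts on hosts listed under `tls`, so unless Traefik has a default certificate covering this host the `websecure` router may serve a fallback certificate, which is worth confirming. Separately, `pullPolicy: Always` on the tag `1.27.1` means a restart can pull different content if the tag is ever re-pushed; pinning by digest (`tag: 1.27.1@sha256:<digest>`) would make the deployed image reproducible.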