diff --git a/README.md b/README.md
index 9e67c97..324bddb 100644
--- a/README.md
+++ b/README.md
@@ -60,7 +60,30 @@ All settings can be set with the `--set name=value` flag on `helm install`. Some
 ### Kellnr
-Check the [documentation](https://kellnr.io/documentation) and the [values.yaml](./charts/kellnr/values.yaml) for possible configuration values.
+Check the [documentation](https://kellnr.io/documentation) and the [values.yaml](./charts/kellnr/values.yaml) for possible configuration values.
+
+#### Cookie signing key
+
+Kellnr uses a cookie signing key to sign its session cookie.
+
+| Setting | Required | Description | Default |
+|----------------------------------|----------|-------------------------------------------------------------------------------------------------------------------|---------|
+| kellnr.registry.cookieSigningKey | No | Cookie signing key used for `KELLNR_REGISTRY__COOKIE_SIGNING_KEY`. Must be at least 64 characters. | "" |
+
+Notes:
+
+- If `secret.enabled: true` and `kellnr.registry.cookieSigningKey` is empty, the chart will **not** set `KELLNR_REGISTRY__COOKIE_SIGNING_KEY`.
+
+- If `secret.enabled: false` (ConfigMap mode), you should set `kellnr.registry.cookieSigningKey` explicitly (otherwise the env var is not set).
+
+Example:
+
+````yaml
+kellnr:
+ registry:
+ cookieSigningKey: ""
+````
+
 ### Service
diff --git a/charts/kellnr/Chart.yaml b/charts/kellnr/Chart.yaml
index eb1e6a8..ad7c8ac 100644
--- a/charts/kellnr/Chart.yaml
+++ b/charts/kellnr/Chart.yaml
@@ -13,9 +13,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 4.3.6
+version: 4.4.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "5.10.1"
+appVersion: "5.11.0"
diff --git a/charts/kellnr/templates/_helpers.tpl b/charts/kellnr/templates/_helpers.tpl
index 413f39b..4dd3368 100644
--- a/charts/kellnr/templates/_helpers.tpl
+++ b/charts/kellnr/templates/_helpers.tpl
@@ -71,3 +71,24 @@ Decide the proxy port number to use if set to auto
 {{- default 80 .Values.kellnr.origin.port }}
 {{- end }}
 {{- end }}
+
+{{/*
+Cookie signing key used by Kellnr.
+- If user provided a value, enforce min length (>= 64 bytes/chars) and return it.
+- If not provided, return empty string so the env var can be omitted entirely.
+
+Note: Helm templates don't have a "bytes" unit here; we can only validate string length.
+*/}}
+{{- define "kellnr.cookieSigningKey" -}}
+{{- $key := default "" .Values.kellnr.registry.cookieSigningKey -}}
+{{- if ne $key "" -}}
+ {{- if lt (len $key) 64 -}}
+ {{- fail "kellnr.registry.cookieSigningKey must be at least 64 characters" -}}
+ {{- end -}}
+ {{- $key -}}
+{{- else -}}
+ {{- "" -}}
+{{- end -}}
+{{- end }}
+
+
diff --git a/charts/kellnr/templates/config.yaml b/charts/kellnr/templates/config.yaml
index aea36a9..b1b067b 100644
--- a/charts/kellnr/templates/config.yaml
+++ b/charts/kellnr/templates/config.yaml
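Review bot: The helper's comment and its `fail` message disagree with the check they describe: Go's text/template `len` on a string returns its byte length, so `lt (len $key) 64` already is a byte check, while the comment says "we can only validate string length" and the message says "64 characters" (values.yaml in this same commit says "64 bytes"). Suggest aligning everything on bytes, e.g. `{{- fail "kellnr.registry.cookieSigningKey must be at least 64 bytes" -}}` and replacing the Note line with `Note: len counts bytes, so a multi-byte character counts more than once.`. The `{{- else -}}` / `{{- "" -}}` branch emits nothing and can be dropped; with the trailing `-}}` trims the define already returns empty output when the key is unset. The two blank lines appended at end of file look unintentional.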
@@ -11,7 +11,11 @@ data:
 KELLNR_REGISTRY__MAX_CRATE_SIZE: {{ .Values.kellnr.registry.maxCrateSize | quote }}
 KELLNR_REGISTRY__MAX_DB_CONNECTIONS: {{ .Values.kellnr.registry.maxDbConnections | quote }}
 KELLNR_REGISTRY__AUTH_REQUIRED: {{ .Values.kellnr.registry.authRequired | quote }}
+{{- if .Values.kellnr.registry.cookieSigningKey }}
+ KELLNR_REGISTRY__COOKIE_SIGNING_KEY: {{ .Values.kellnr.registry.cookieSigningKey | quote }}
+{{- end }}
 {{- if .Values.kellnr.registry.requiredCrateFields }}
+
 KELLNR_REGISTRY__REQUIRED_CRATE_FIELDS: {{ .Values.kellnr.registry.requiredCrateFields | quote }}
 {{- end }}
 KELLNR_REGISTRY__NEW_CRATES_RESTRICTED: {{ .Values.kellnr.registry.newCratesRestricted | quote }}
diff --git a/charts/kellnr/templates/secret-config.yaml b/charts/kellnr/templates/secret-config.yaml
index 88a82ee..529d46e 100644
--- a/charts/kellnr/templates/secret-config.yaml
+++ b/charts/kellnr/templates/secret-config.yaml
@@ -12,6 +12,12 @@ stringData:
 KELLNR_REGISTRY__CACHE_SIZE: {{ .Values.kellnr.registry.cacheSize | quote }}
 KELLNR_REGISTRY__MAX_CRATE_SIZE: {{ .Values.kellnr.registry.maxCrateSize | quote }}
 KELLNR_REGISTRY__AUTH_REQUIRED: {{ .Values.kellnr.registry.authRequired | quote }}
+{{- $cookieKey := include "kellnr.cookieSigningKey" . -}}
+{{- if ne $cookieKey "" }}
+ KELLNR_REGISTRY__COOKIE_SIGNING_KEY: {{ $cookieKey | quote }}
+{{- end }}
+
+
 KELLNR_DOCS__ENABLED: {{ .Values.kellnr.docs.enabled | quote }}
 KELLNR_DOCS__MAX_SIZE: {{ .Values.kellnr.docs.maxSize | quote }}
 KELLNR_PROXY__ENABLED: {{ .Values.kellnr.proxy.enabled | quote }}
diff --git a/charts/kellnr/values.yaml b/charts/kellnr/values.yaml
index 63f4372..4ae486e 100644
--- a/charts/kellnr/values.yaml
+++ b/charts/kellnr/values.yaml
@@ -2,6 +2,9 @@
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
+# For more than 1 replica, it is recommended
+# to set the "cookieSigningKey", to share auth.
+# cookies for the UI between the replicas.
 replicaCount: 1
 strategy:
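Review bot: The ConfigMap template reads `.Values.kellnr.registry.cookieSigningKey` directly in the added `{{- if ... }}` block instead of going through `include "kellnr.cookieSigningKey" .` as secret-config.yaml does, so in ConfigMap mode a key shorter than 64 bytes is rendered without the `fail` the helper was written to provide. Using the helper in both templates keeps the validation in one place: `{{- $cookieKey := include "kellnr.cookieSigningKey" . -}}` / `{{- if ne $cookieKey "" }}` / `  KELLNR_REGISTRY__COOKIE_SIGNING_KEY: {{ $cookieKey | quote }}`. A ConfigMap is also not a Secret: a signing key placed here is readable by anyone with ConfigMap read access in the namespace, which is worth a one-line comment above the block so operators choosing `secret.enabled: false` know the key is stored in plaintext alongside the other settings. The lone `+` line added between `{{- if .Values.kellnr.registry.requiredCrateFields }}` and the `KELLNR_REGISTRY__REQUIRED_CRATE_FIELDS` entry puts an empty line into the rendered data and looks accidental.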
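Review bot: The added header comment reads `to set the "cookieSigningKey", to share auth.` followed by `# cookies for the UI`, so the period splits the sentence and the wrap reads as two statements; suggest `# With more than one replica, set kellnr.registry.cookieSigningKey so that` / `# the UI session cookie is accepted by every replica.`. Naming the full value path matters because the comment sits above `replicaCount` while the setting itself lives under `kellnr.registry`. Whether an unset key actually breaks multi-replica sessions depends on Kellnr's behaviour when the env var is absent, which nothing in this chart shows, so keeping it phrased as a recommendation is reasonable until that is confirmed.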
@@ -31,8 +34,7 @@ serviceAccount:
 podAnnotations: {}
-podSecurityContext:
- {}
+podSecurityContext: {}
 # fsGroup: 2000
 securityContext:
@@ -71,6 +73,12 @@ kellnr:
 requiredCrateFields: "" # Comma-separated list of fields, e.g. "description,license,repository"
 newCratesRestricted: false
 maxDbConnections: 0 # 0 means no limit
+
+ # Used to sign the session cookie. Must be at least 64 bytes.
+ # If empty, a random 64-byte value is generated by the chart (when `secret.enabled: true`).
+ # When `secret.enabled: false`, you should set this to a fixed value.
+ cookieSigningKey: ""
+
 docs:
 enabled: false
 maxSize: 100
@@ -178,8 +186,7 @@ dns:
 searches:
 - ""
-resources:
- {}
+resources: {}
 # We usually recommend not to specify default resources and to leave this as a conscious
 # choice for the user. This also increases chances charts run on environments with little
 # resources, such as Minikube. If you do want to specify resources, uncomment the following
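Review bot: The added comment `# If empty, a random 64-byte value is generated by the chart (when secret.enabled: true)` in the `@@ -71,6 +73,12 @@` hunk does not match the templates in this commit: `kellnr.cookieSigningKey` returns `""` for an empty value, secret-config.yaml then omits `KELLNR_REGISTRY__COOKIE_SIGNING_KEY` entirely, and no `randAlphaNum` or similar generator appears anywhere in the diff; the README added in the same commit states the opposite. Suggest replacing that line with `# If empty, the chart does not set KELLNR_REGISTRY__COOKIE_SIGNING_KEY at all.` so users do not assume a key exists when none was configured. Since this is a secret value, keeping the default as the quoted string `""` is right; a short addition such as `# Pass it with --set-string (or a values file) so a digit-only key is not retyped.` would help users who supply it on the command line.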