From 2e02a90d73de6866514284c9494cec28a10ed046 Mon Sep 17 00:00:00 2001 From: Michael Schnerring <3743342+schnerring@users.noreply.github.com> Date: Mon, 27 Jun 2022 11:38:25 +0200 Subject: [PATCH] feat(privatebin): Add PrivateBin to incubator (#2971) * Add PrivateBin to incubator privatebin: fix linting errors privatebin: fix privatebin.secrets definition * privatebin: implement PR suggestions Add tc.common.loader.apply Add postgresql dependency to Chart.yaml Change chart version to 0.0.1 Fix probes Change service port Omit default securityContext values Add non-default podSecurityContext to values.yaml Remove obsolete App Config Storage and ingress from questions.yaml * privatebin: mount secret volume * privatebin: remove fs, gcs, mysql, and sqlite from conf.php * Expose privatebin options in {values,questions}.yaml * privatebin: remove /tmp volume * privatebin: add nginx/php sizelimit configs * privatebin: cleanup secrets conditionals * privatebin: fix configMap vols * Re-add ingress; remove persistenceBasic/persistenceAdvanced * privatebin: add empty options to enums where necessary * privatebin: remove required constraints from bool questions * update port * bump Co-authored-by: Stavros Kois <47820033+stavros-k@users.noreply.github.com> --- charts/incubator/privatebin/Chart.yaml | 34 ++ charts/incubator/privatebin/questions.yaml | 562 ++++++++++++++++++ .../privatebin/templates/_configmap.tpl | 16 + .../privatebin/templates/_secrets.tpl | 224 +++++++ .../privatebin/templates/common.yaml | 11 + charts/incubator/privatebin/values.yaml | 108 ++++ 6 files changed, 955 insertions(+) create mode 100644 charts/incubator/privatebin/Chart.yaml create mode 100644 charts/incubator/privatebin/questions.yaml create mode 100644 charts/incubator/privatebin/templates/_configmap.tpl create mode 100644 charts/incubator/privatebin/templates/_secrets.tpl create mode 100644 charts/incubator/privatebin/templates/common.yaml create mode 100644 charts/incubator/privatebin/values.yaml diff --git a/charts/incubator/privatebin/Chart.yaml b/charts/incubator/privatebin/Chart.yaml new file mode 100644 index 00000000000..f50b19e1e5f --- /dev/null +++ b/charts/incubator/privatebin/Chart.yaml @@ -0,0 +1,34 @@ +apiVersion: v2 +appVersion: "1.4.0" +dependencies: + - name: common + repository: https://library-charts.truecharts.org + version: 10.1.4 + - condition: postgresql.enabled + name: postgresql + repository: https://charts.truecharts.org/ + version: 8.0.18 +deprecated: false +description: PrivateBin is a minimalist, open source online pastebin where the server has zero knowledge of pasted data. +home: https://github.com/truecharts/apps/tree/master/charts/incubator/privatebin +icon: https://truecharts.org/_static/img/appicons/privatebin.png +keywords: + - privatebin + - pastebin +kubeVersion: ">=1.16.0-0" +maintainers: + - email: info@truecharts.org + name: TrueCharts + url: https://truecharts.org +name: privatebin +sources: + - https://privatebin.info/ + - https://github.com/PrivateBin/PrivateBin + - https://hub.docker.com/r/privatebin/pdo +type: application +version: 0.0.1 +annotations: + truecharts.org/catagories: | + - productivity + truecharts.org/SCALE-support: "true" + truecharts.org/grade: U diff --git a/charts/incubator/privatebin/questions.yaml b/charts/incubator/privatebin/questions.yaml new file mode 100644 index 00000000000..01982226303 --- /dev/null +++ b/charts/incubator/privatebin/questions.yaml @@ -0,0 +1,562 @@ +# Include{groups} +portals: + open: + protocols: + - "$kubernetes-resource_configmap_portal_protocol" + host: + - "$kubernetes-resource_configmap_portal_host" + ports: + - "$kubernetes-resource_configmap_portal_port" +questions: + - variable: portal + group: "Container Image" + label: "Configure Portal Button" + schema: + type: dict + hidden: true + attrs: + - variable: enabled + label: "Enable" + description: "enable the portal button" + schema: + hidden: true + editable: false + type: boolean + default: true +# Include{global} + + - variable: controller + group: "Controller" + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: advanced + label: "Show Advanced Controller Settings" + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: type + description: "Please specify type of workload to deploy" + label: "(Advanced) Controller Type" + schema: + type: string + default: "deployment" + required: true + enum: + - value: "deployment" + description: "Deployment" + - value: "statefulset" + description: "Statefulset" + - value: "daemonset" + description: "Daemonset" + - variable: replicas + description: "Number of desired pod replicas" + label: "Desired Replicas" + schema: + type: int + default: 1 + required: true + - variable: strategy + description: "Please specify type of workload to deploy" + label: "(Advanced) Update Strategy" + schema: + type: string + default: "Recreate" + required: true + enum: + - value: "Recreate" + description: "Recreate: Kill existing pods before creating new ones" + - value: "RollingUpdate" + description: "RollingUpdate: Create new pods and then kill old ones" + - value: "OnDelete" + description: "(Legacy) OnDelete: ignore .spec.template changes" +# Include{controllerExpert} + + - variable: privatebin + group: "Container Configuration" + label: "PrivateBin Custom Configuration" + schema: + additional_attrs: true + type: dict + attrs: + - variable: main + label: "Main Configuration" + schema: + additional_attrs: true + type: dict + attrs: + - variable: name + label: "name" + description: "Set a project name to be displayed on the website" + schema: + type: string + default: "" + - variable: basepath + label: "basepath" + description: "The full URL, with the domain name and directories that point to the PrivateBin files. This URL is essential to allow Opengraph images to be displayed on social networks." + schema: + type: string + default: "" + - variable: discussion + label: "discussion" + description: "Enable or disable the discussion feature" + schema: + type: boolean + default: true + - variable: opendiscussion + label: "opendiscussion" + description: "Preselect the discussion feature" + schema: + type: boolean + default: false + - variable: password + label: "password" + description: "Enable or disable the password feature" + schema: + type: boolean + default: true + - variable: fileupload + label: "fileupload" + description: "Enable or disable the file upload feature" + schema: + type: boolean + default: false + - variable: burnafterreadingselected + label: "burnafterreadingselected" + description: "Preselect the burn-after-reading feature" + schema: + type: boolean + default: false + - variable: defaultformatter + label: "defaultformatter" + description: "Which display mode to preselect by default" + schema: + type: string + default: "plaintext" + required: true + enum: + - value: "plaintext" + description: "Plain Text" + - value: "syntaxhighlighting" + description: "Source Code" + - value: "markdown" + description: "Markdown" + - variable: syntaxhighlightingtheme + label: "syntaxhighlightingtheme" + description: "Set a syntax highlighting theme" + schema: + type: string + default: "" + enum: + - value: "" + description: "PrivateBin Default" + - value: "desert" + description: "Desert" + - value: "doxy" + description: "Doxy" + - value: "prettify" + description: "Default" + - value: "sons-of-obsidian" + description: "Sons-Of-Obsidian" + - value: "sunburst" + description: "Sunburst" + - variable: sizelimit + label: "sizelimit" + description: "Size limit per paste or comment in bytes" + schema: + type: int + default: 10485760 + required: true + - variable: template + label: "template" + description: "Template to use" + schema: + type: string + default: "bootstrap" + required: true + enum: + - value: "bootstrap" + description: "bootstrap" + - value: "bootstrap-page" + description: "bootstrap-page" + - value: "bootstrap-dark" + description: "bootstrap-dark" + - value: "bootstrap-dark-page" + description: "bootstrap-dark-page" + - value: "bootstrap-compact" + description: "bootstrap-compact" + - value: "bootstrap-compact-page" + description: "bootstrap-compact-page" + - value: "page" + description: "page" + - variable: info + label: "info" + description: "Info text to display. Use single, instead of double quotes for HTML attributes." + schema: + type: string + default: "" + - variable: notice + label: "notice" + description: "Notice to display" + schema: + type: string + default: "" + - variable: languageselection + label: "languageselection" + description: "By default PrivateBin will guess the visitors language based on the browsers settings. Optionally you can enable the language selection menu, which uses a session cookie to store the choice until the browser is closed." + schema: + type: boolean + default: false + - variable: languagedefault + label: "languagedefault" + description: "Set the language your installs defaults to, defaults to English. If this is set and language selection is disabled, this will be the only language." + schema: + type: string + default: "" + - variable: urlshortener + label: "urlshortener" + description: "URL shortener address to offer after a new paste is created. It is suggested to only use this with self-hosted shorteners as this will leak the pastes encryption key." + schema: + type: string + default: "" + - variable: qrcode + label: "qrcode" + description: "Let users create a QR code for sharing the paste URL with one click. It works both when a new paste is created and when you view a paste." + schema: + type: string + default: "" + enum: + - value: "" + description: "PrivateBin Default" + - value: "true" + description: "true" + - value: "false" + description: "false" + - variable: icon + label: "icon" + description: "IP based icons are a weak mechanism to detect if a comment was from. a different user when the same username was used in a comment. It might be used to get the IP of a non anonymous comment poster if the server salt is leaked and a SHA256 HMAC rainbow table is generated for all (relevant) IPs." + schema: + type: string + default: "" + enum: + - value: "" + description: "PrivateBin Default" + - value: "none" + description: "none" + - value: "vizhash" + description: "vizhash" + - value: "identicon" + description: "identicon" + - variable: cspheader + label: "cspheader" + description: "Content Security Policy headers allow a website to restrict what sources are allowed to be accessed in its context. You need to change this if you added custom scripts from third-party domains to your templates, e.g. tracking scripts or run your site behind certain DDoS-protection services. Check the documentation at https://content-security-policy.com/" + schema: + type: string + default: "" + - variable: zerobincompatibility + label: "zerobincompatibility" + description: "Stay compatible with PrivateBin Alpha 0.19, less secure. f enabled will use base64.js version 1.7 instead of 2.1.9 and sha1 instead of sha256 in HMAC for the deletion token." + schema: + type: string + default: "" + enum: + - value: "" + description: "PrivateBin Default" + - value: "true" + description: "true" + - value: "false" + description: "false" + - variable: httpwarning + label: "httpwarning" + description: "Enable or disable the warning message when the site is served over an insecure connection (insecure HTTP instead of HTTPS). Secure transport methods like Tor and I2P domains are automatically whitelisted. It is **strongly discouraged** to disable this." + schema: + type: string + default: "" + enum: + - value: "" + description: "PrivateBin Default" + - value: "true" + description: "true" + - value: "false" + description: "false" + - variable: compression + label: "compression" + description: "Pick compression algorithm or disable it. Only applies to pastes/comments created after changing the setting." + schema: + type: string + default: "" + enum: + - value: "" + description: "PrivateBin Default" + - value: "none" + description: "none" + - value: "zlib" + description: "zlib" + - variable: expire + label: "Expire Configuration" + schema: + additional_attrs: true + type: dict + attrs: + - variable: default + label: "default" + description: "Expire value that is selected per default" + schema: + type: string + default: "" + required: true + enum: + - value: "" + description: "PrivateBin Default" + - value: "5min" + description: "5min" + - value: "10min" + description: "10min" + - value: "1hour" + description: "1hour" + - value: "1day" + description: "1day" + - value: "1week" + description: "1week" + - value: "1month" + description: "1month" + - value: "1year" + description: "1year" + - value: "never" + description: "never" + - variable: traffic + label: "Traffic Configuration" + schema: + additional_attrs: true + type: dict + attrs: + - variable: limit + label: "limit" + description: "Time limit between calls from the same IP address in seconds" + schema: + type: int + default: 10 + required: true + - variable: exempted + label: "exempted" + description: "Set IPs addresses (v4 or v6) or subnets (CIDR) which are exempted from the rate-limit. Invalid IPs will be ignored. If multiple values are to be exempted, the list needs to be comma separated. Leave unset to disable exemptions." + schema: + type: string + default: "" + - variable: creators + label: "creators" + description: "If you want only some source IP addresses (v4 or v6) or subnets (CIDR) to be allowed to create pastes, set these here. Invalid IPs will be ignored. If multiple values are to be exempted, the list needs to be comma separated. Leave unset to allow anyone to create pastes." + schema: + type: string + default: "" + - variable: header + label: "header" + description: "If your website runs behind a reverse proxy or load balancer, set the HTTP header containing the visitors IP address, i.e. X_FORWARDED_FOR" + schema: + type: string + default: "" + - variable: purge + label: "Purge Configuration" + schema: + additional_attrs: true + type: dict + attrs: + - variable: limit + label: "limit" + description: "Minimum time limit between two purgings of expired pastes, it is only triggered when pastes are created" + schema: + type: int + default: 300 + required: true + - variable: batchsize + label: "batchsize" + description: "Maximum amount of expired pastes to delete in one purge. Set this to 0 to disable purging. Set it higher, if you are running a large site." + schema: + type: int + default: 10 + required: true + +# Include{containerConfig} + + - variable: service + group: "Networking and Services" + label: "Configure Service(s)" + schema: + additional_attrs: true + type: dict + attrs: + - variable: main + label: "Main Service" + description: "The Primary service on which the healthcheck runs, often the webUI" + schema: + additional_attrs: true + type: dict + attrs: +# Include{serviceSelector} + - variable: main + label: "Main Service Port Configuration" + schema: + additional_attrs: true + type: dict + attrs: + - variable: port + label: "Port" + description: "This port exposes the container port on the service" + schema: + type: int + default: 10248 + required: true + - variable: advanced + label: "Show Advanced settings" + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: protocol + label: "Port Type" + schema: + type: string + default: "HTTP" + enum: + - value: HTTP + description: "HTTP" + - value: "HTTPS" + description: "HTTPS" + - value: TCP + description: "TCP" + - value: "UDP" + description: "UDP" + - variable: nodePort + label: "Node Port (Optional)" + description: "This port gets exposed to the node. Only considered when service type is NodePort, Simple or LoadBalancer" + schema: + type: int + min: 9000 + max: 65535 + - variable: targetPort + label: "Target Port" + description: "The internal(!) port on the container the Application runs on" + schema: + type: int + default: 8080 + + - variable: serviceexpert + group: "Networking and Services" + label: "Show Expert Config" + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: hostNetwork + group: "Networking and Services" + label: "Host-Networking (Complicated)" + schema: + type: boolean + default: false + +# Include{serviceExpert} + +# Include{serviceList} + +# Include{persistenceList} + + - variable: ingress + label: "" + group: "Ingress" + schema: + additional_attrs: true + type: dict + attrs: + - variable: main + label: "Main Ingress" + schema: + additional_attrs: true + type: dict + attrs: + +# Include{ingressDefault} + +# Include{ingressTLS} + +# Include{ingressTraefik} + +# Include{ingressExpert} + +# Include{ingressList} + +# Include{security} + + - variable: advancedSecurity + label: "Show Advanced Security Settings" + group: "Security and Permissions" + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: securityContext + label: "Security Context" + schema: + additional_attrs: true + type: dict + attrs: + - variable: privileged + label: "Privileged mode" + schema: + type: boolean + default: false + - variable: readOnlyRootFilesystem + label: "ReadOnly Root Filesystem" + schema: + type: boolean + default: true + - variable: allowPrivilegeEscalation + label: "Allow Privilege Escalation" + schema: + type: boolean + default: false + - variable: runAsNonRoot + label: "runAsNonRoot" + schema: + type: boolean + default: true +# Include{securityContextAdvanced} + + - variable: podSecurityContext + group: "Security and Permissions" + label: "Pod Security Context" + schema: + additional_attrs: true + type: dict + attrs: + - variable: runAsUser + label: "runAsUser" + description: "The UserID of the user running the application" + schema: + type: int + default: 65534 + - variable: runAsGroup + label: "runAsGroup" + description: "The groupID this App of the user running the application" + schema: + type: int + default: 82 + - variable: fsGroup + label: "fsGroup" + description: "The group that should own ALL storage." + schema: + type: int + default: 82 +# Include{podSecurityContextAdvanced} + +# Include{resources} + +# Include{advanced} + +# Include{addons} diff --git a/charts/incubator/privatebin/templates/_configmap.tpl b/charts/incubator/privatebin/templates/_configmap.tpl new file mode 100644 index 00000000000..553a394c6c6 --- /dev/null +++ b/charts/incubator/privatebin/templates/_configmap.tpl @@ -0,0 +1,16 @@ +{{/* Calculate PHP and NGINX file size limits from PrivateBin configuration */}} +{{- define "privatebin.configmap" -}} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "tc.common.names.fullname" . }}-config +data: + sizelimits-php.ini: |- + upload_max_filesize = {{ .Values.privatebin.main.sizelimit }} + post_max_size = {{ .Values.privatebin.main.sizelimit }} + memory_limit = {{ mul .Values.privatebin.main.sizelimit 2 }} + sizelimits-nginx.conf: |- + client_max_body_size {{ add (div (div .Values.privatebin.main.sizelimit 1024) 1024) 5 }}M; + +{{- end }} diff --git a/charts/incubator/privatebin/templates/_secrets.tpl b/charts/incubator/privatebin/templates/_secrets.tpl new file mode 100644 index 00000000000..20c3ff00885 --- /dev/null +++ b/charts/incubator/privatebin/templates/_secrets.tpl @@ -0,0 +1,224 @@ +{{/* + Custom PrivateBin configuration. See also: + https://github.com/PrivateBin/docker-nginx-fpm-alpine#custom-configuration + + The default configuration file can be found here: + https://github.com/PrivateBin/PrivateBin/blob/master/cfg/conf.sample.php +*/}} +{{- define "privatebin.secrets" -}} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "tc.common.names.fullname" . }}-secret + labels: + {{- include "tc.common.labels" . | nindent 4 }} +stringData: + conf.php: |- + ;