Merge pull request #47 from MaikuMori/1.7.0

Release 1.7.0
MaikuMori · Oct 2, 2024 · 3ed5bcf · 3ed5bcf
2 parents 13506fc + 8051baf
commit 3ed5bcf
Show file tree

Hide file tree

Showing 8 changed files with 138 additions and 13 deletions.
diff --git a/charts/gotenberg/CHANGELOG.md b/charts/gotenberg/CHANGELOG.md
@@ -1,5 +1,19 @@
 # Changelog
 
+## 1.7.0
+
+- Add ability to customize HorizontalPodAutoscaler behavior (Thanks to Anthony | [@anthosz](https://github.com/anthosz))
+- Fix documentation links (Thanks to m² | [@mmoscher](https://github.com/mmoscher))
+- Bump `gotenberg` version `8.9.0` -> `8.11.0`.
+- Add ability to create `ServiceMonitor` (Thanks to Nazar Vovk | [@Vovcharaa](https://github.com/Vovcharaa))
+- Add `allowPrivilegeEscalation: false` to default `securityContext`.
+- Add support for the following flags:
+
+  - `--api-download-from-allow-list`
+  - `--api-download-from-deny-list`
+  - `--api-download-from-max-retry`
+  - `--api-disable-download-from`
+
 ## 1.6.0
 
 - Bump `gotenberg` version `8.8.1` -> `8.9.0`.

diff --git a/charts/gotenberg/Chart.yaml b/charts/gotenberg/Chart.yaml
@@ -16,13 +16,13 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: "1.6.0"
+version: "1.7.0"
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "8.9.0"
+appVersion: "8.11.0"
 
 keywords:
   - gotenberg

diff --git a/charts/gotenberg/README.md b/charts/gotenberg/README.md
@@ -1,7 +1,7 @@
 # Gotenberg
 
 [![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/gotenberg)](https://artifacthub.io/packages/helm/maikumori/gotenberg)
-![Version: 1.6.0](https://img.shields.io/badge/Version-1.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 8.9.0](https://img.shields.io/badge/AppVersion-8.9.0-informational?style=flat-square)
+![Version: 1.7.0](https://img.shields.io/badge/Version-1.7.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 8.11.0](https://img.shields.io/badge/AppVersion-8.11.0-informational?style=flat-square)
 
 This is a HELM chart for Gotenberg.
 
@@ -51,13 +51,18 @@ helm upgrade my-release maikumori/gotenberg --install
 | affinity | object | `{}` |  |
 | api.basicAuthPassword | string | `nil` | Set the basic authentication password |
 | api.basicAuthUsername | string | `nil` | Set the basic authentication username |
+| api.disableDownloadFrom | bool | `false` | Disable the download from feature |
 | api.disableHealthCheckLogging | bool | `false` | Disable health check logging |
+| api.downloadFromAllowList | string | `""` | Set the allowed URLs for the download from feature using a regular expression |
+| api.downloadFromDenyList | string | `""` | Set the denied URLs for the download from feature using a regular expression |
+| api.downloadFromMaxRetry | int | `4` | Set the maximum number of retries for the download from feature (default 4) |
 | api.enableBasicAuth | bool | `false` | Enable basic authentication, see also the basicAuthUsername and basicAuthPassword values |
 | api.port | int | `3000` | Set the port on which the API should listen (default 3000) |
 | api.rootPath | string | `""` | Set the root path of the API - for service discovery via URL paths (default "/") |
 | api.timeout | string | `""` | Set the time limit for requests (default 30s) |
 | api.tlsSecretName | string | `""` | Enables TLS on the API server: K8S TLS secret name containing the TLS certificate and key (tls.crt, tls.key) |
 | api.traceHeader | string | `""` | Set the header name to use for identifying requests (default "Gotenberg-Trace") |
+| autoscaling.behavior | object | `{}` |  |
 | autoscaling.enabled | bool | `false` |  |
 | autoscaling.maxReplicas | int | `100` |  |
 | autoscaling.minReplicas | int | `1` |  |
@@ -99,6 +104,16 @@ helm upgrade my-release maikumori/gotenberg --install
 | logging.fieldsPrefix | string | `""` | Prepend a specified prefix to each field in the logs |
 | logging.format | string | `""` | Set log format - auto, json, or text (default "auto") |
 | logging.level | string | `""` | Set the log level - error, warn, info, or debug (default "info") |
+| metrics.serviceMonitor.annotations | object | `{}` | Additional annotations for the service monitor |
+| metrics.serviceMonitor.enabled | bool | `false` | Enable ServiceMonitor |
+| metrics.serviceMonitor.honorLabels | bool | `false` | HonorLabels chooses the metric’s labels on collisions with target labels |
+| metrics.serviceMonitor.interval | string | `nil` | Interval at which metrics should be scraped |
+| metrics.serviceMonitor.jobLabel | string | `nil` | Optional job label for the target service in Prometheus |
+| metrics.serviceMonitor.labels | object | `{}` | Additional labels for the service monitor |
+| metrics.serviceMonitor.metricRelabelings | list | `[]` | List of metric relabel configs to apply to samples before ingestion |
+| metrics.serviceMonitor.namespace | string | `nil` | Namespace for ServiceMonitor, defaults to release namespace |
+| metrics.serviceMonitor.relabelings | list | `[]` | List of relabel configs to apply to samples before scraping |
+| metrics.serviceMonitor.scrapeTimeout | string | `nil` | Timeout after which the scrape is ended |
 | nameOverride | string | `""` |  |
 | nodeSelector | object | `{}` |  |
 | pdb.create | bool | `false` |  |

diff --git a/charts/gotenberg/templates/_helpers.tpl b/charts/gotenberg/templates/_helpers.tpl
@@ -76,9 +76,15 @@ And apply recommended settings from upstream project.
 {{- else}}
 {{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}}
 privileged: false
+allowPrivilegeEscalation: false
+# Issue with Chromium, see: https://github.com/gotenberg/gotenberg/issues/949
+readOnlyRootFilesystem: false
 {{- else -}}
 privileged: false
 runAsUser: 1001
+allowPrivilegeEscalation: false
+# Issue with Chromium, see: https://github.com/gotenberg/gotenberg/issues/949
+readOnlyRootFilesystem: false
 {{- end}}
 {{- end}}
 {{- end}}
diff --git a/charts/gotenberg/templates/deployment.yaml b/charts/gotenberg/templates/deployment.yaml
@@ -65,6 +65,18 @@ spec:
           {{- if .Values.api.enableBasicAuth }}
           - --api-enable-basic-auth
           {{- end }}
+          {{- if .Values.api.downloadFromAllowList }}
+          - --api-download-from-allow-list={{ .Values.api.downloadFromAllowList }}
+          {{- end }}
+          {{- if .Values.api.downloadFromDenyList }}
+          - --api-download-from-deny-list={{ .Values.api.downloadFromDenyList }}
+          {{- end }}
+          {{- if .Values.api.downloadFromMaxRetry }}
+          - --api-download-from-max-retry={{ .Values.api.downloadFromMaxRetry }}
+          {{- end }}
+          {{- if .Values.api.disableDownloadFrom }}
+          - --api-disable-download-from
+          {{- end }}
 
           {{- if .Values.chromium.restartAfter }}
           - --chromium-restart-after={{ .Values.chromium.restartAfter }}

diff --git a/charts/gotenberg/templates/hpa.yaml b/charts/gotenberg/templates/hpa.yaml
@@ -12,6 +12,8 @@ spec:
     name: {{ include "gotenberg.fullname" . }}
   minReplicas: {{ .Values.autoscaling.minReplicas }}
   maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+  behavior:
+    {{- toYaml .Values.autoscaling.behavior | nindent 4 }}
   metrics:
     {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
     - type: Resource

diff --git a/charts/gotenberg/templates/servicemonitor.yaml b/charts/gotenberg/templates/servicemonitor.yaml
@@ -0,0 +1,45 @@
+{{- if and (not .Values.prometheus.disableCollect) .Values.metrics .Values.metrics.serviceMonitor .Values.metrics.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "gotenberg.fullname" . }}
+  namespace: {{ default .Release.Namespace .Values.metrics.serviceMonitor.namespace }}
+  labels:
+    {{- include "gotenberg.labels" . | nindent 4 }}
+{{- with .Values.metrics.serviceMonitor.labels }}
+    {{- toYaml . | nindent 4 }}
+{{- end }}
+{{- with .Values.metrics.serviceMonitor.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+{{- end }}
+spec:
+  {{- with .Values.metrics.serviceMonitor.jobLabel }}
+  jobLabel: {{ . }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "gotenberg.selectorLabels" . | nindent 6 }}
+  endpoints:
+    - path: /prometheus/metrics
+      port: http
+      scheme: http
+      {{- with .Values.metrics.serviceMonitor.interval }}
+      interval: {{ . }}
+      {{- end }}
+      {{- with .Values.metrics.serviceMonitor.scrapeTimeout }}
+      scrapeTimeout: {{ . }}
+      {{- end }}
+      {{- with .Values.metrics.serviceMonitor.honorLabels }}
+      honorLabels: {{ . }}
+      {{- end }}
+      {{- with .Values.metrics.serviceMonitor.metricRelabelings }}
+      metricRelabelings: {{- toYaml . | nindent 6 }}
+      {{- end }}
+      {{- with .Values.metrics.serviceMonitor.relabelings }}
+      relabelings: {{- toYaml . | nindent 6 }}
+      {{- end }}
+  namespaceSelector:
+    matchNames:
+      - {{ .Release.Namespace }}
+{{- end }}
diff --git a/charts/gotenberg/values.yaml b/charts/gotenberg/values.yaml
@@ -34,8 +34,7 @@ podSecurityContext:
 
 # -- Define the security context for the container. By default will use upstream recommended values.
 # @default -- `{ privileged: false, runAsUser: 1001 }`, except in OpenShift where `runAsUser` is not set.
-securityContext:
-  {}
+securityContext: {}
 
 service:
   type: ClusterIP
@@ -66,6 +65,7 @@ autoscaling:
   enabled: false
   minReplicas: 1
   maxReplicas: 100
+  behavior: {}
   targetCPUUtilizationPercentage: 80
   # targetMemoryUtilizationPercentage: 80
 
@@ -123,7 +123,7 @@ ingress:
   #      - chart-example.local
 
 # The API module is an HTTP/1 and HTTP/2 (H2C) server. Other modules may add routes, middlewares, and health checks.
-# https://gotenberg.dev/docs/modules/api
+# https://gotenberg.dev/docs/configuration#api
 api:
   # -- Set the port on which the API should listen (default 3000)
   port: 3000
@@ -143,9 +143,17 @@ api:
   basicAuthUsername:
   # -- Set the basic authentication password
   basicAuthPassword:
+  # -- Set the allowed URLs for the download from feature using a regular expression
+  downloadFromAllowList: ""
+  # -- Set the denied URLs for the download from feature using a regular expression
+  downloadFromDenyList: ""
+  # -- Set the maximum number of retries for the download from feature (default 4)
+  downloadFromMaxRetry: 4
+  # -- Disable the download from feature
+  disableDownloadFrom: false
 
 # The Chromium module interacts with the Chromium browser to convert HTML documents to PDF.
-# https://gotenberg.dev/docs/modules/chromium
+# https://gotenberg.dev/docs/configuration#chromium
 chromium:
   # -- Number of conversions after which Chromium will automatically restart. Set to 0 to disable this feature
   restartAfter: ""
@@ -183,7 +191,7 @@ chromium:
   maxQueueSize: 0
 
 # The LibreOffice module interacts with LibreOffice to convert documents to PDF, thanks to unoconv.
-# https://gotenberg.dev/docs/modules/libreoffice
+# https://gotenberg.dev/docs/configuration#libreoffice
 libreOffice:
   # -- Number of conversions after which LibreOffice will automatically restart. Set to 0 to disable this feature (default 10)
   restartAfter: ""
@@ -197,7 +205,7 @@ libreOffice:
   maxQueueSize: 0
 
 # The PDF Engines module gathers all engines that can manipulate PDF files.
-# https://gotenberg.dev/docs/modules/pdf-engines
+# https://gotenberg.dev/docs/configuration#pdf-engines
 pdfEngines:
   # -- Set the PDF engines and their order - all by default
   engines: ""
@@ -206,7 +214,7 @@ pdfEngines:
 
 # The Webhook module provides a middleware that allows you to upload the output file
 # from multipart/form-data routes to the destination of your choice.
-# https://gotenberg.dev/docs/modules/webhook
+# https://gotenberg.dev/docs/configuration#webhook
 webhook:
   # -- Set the allowed URLs for the webhook feature using a regular expression
   allowList: ""
@@ -228,7 +236,7 @@ webhook:
   disable: false
 
 # The Prometheus module collects metrics from other modules.
-# https://gotenberg.dev/docs/modules/prometheus
+# https://gotenberg.dev/docs/configuration#prometheus
 prometheus:
   # -- Set the interval for collecting modules' metrics (default 1s)
   collectInterval: ""
@@ -240,7 +248,7 @@ prometheus:
   disableRouterLogging: false
 
 # The Logging module provides a logger to Gotenberg.
-# https://gotenberg.dev/docs/modules/logging
+# https://gotenberg.dev/docs/configuration#logging
 logging:
   # -- Set log format - auto, json, or text (default "auto")
   format: ""
@@ -250,7 +258,30 @@ logging:
   fieldsPrefix: ""
 
 # Misc.
-# https://gotenberg.dev/docs/modules/more
+# https://gotenberg.dev/docs/configuration#graceful-shutdown
 gotenberg:
   # -- Set the graceful shutdown duration (default 30s)
   gracefulShutdownDurationSec: 30
+
+metrics:
+  serviceMonitor:
+    # -- Enable ServiceMonitor
+    enabled: false
+    # -- (string) Namespace for ServiceMonitor, defaults to release namespace
+    namespace:
+    # -- (string) Optional job label for the target service in Prometheus
+    jobLabel:
+    # -- (string) Interval at which metrics should be scraped
+    interval:
+    # -- (string) Timeout after which the scrape is ended
+    scrapeTimeout:
+    # -- HonorLabels chooses the metric’s labels on collisions with target labels
+    honorLabels: false
+    # -- List of metric relabel configs to apply to samples before ingestion
+    metricRelabelings: []
+    # -- List of relabel configs to apply to samples before scraping
+    relabelings: []
+    # -- Additional annotations for the service monitor
+    annotations: {}
+    # -- Additional labels for the service monitor
+    labels: {}