diff --git a/charts/gotenberg/CHANGELOG.md b/charts/gotenberg/CHANGELOG.md
index ca4aa2a..d2035ef 100644
--- a/charts/gotenberg/CHANGELOG.md
+++ b/charts/gotenberg/CHANGELOG.md
@@ -1,5 +1,19 @@
 # Changelog
 
+## 1.7.0
+
+- Add ability to customize HorizontalPodAutoscaler behavior (Thanks to Anthony | [@anthosz](https://github.com/anthosz))
+- Fix documentation links (Thanks to m² | [@mmoscher](https://github.com/mmoscher))
+- Bump `gotenberg` version `8.9.0` -> `8.11.0`.
+- Add ability to create `ServiceMonitor` (Thanks to Nazar Vovk | [@Vovcharaa](https://github.com/Vovcharaa))
+- Add `allowPrivilegeEscalation: false` to default `securityContext`.
+- Add support for the following flags:
+
+ - `--api-download-from-allow-list`
+ - `--api-download-from-deny-list`
+ - `--api-download-from-max-retry`
+ - `--api-disable-download-from`
+
 ## 1.6.0
 
 - Bump `gotenberg` version `8.8.1` -> `8.9.0`.
diff --git a/charts/gotenberg/Chart.yaml b/charts/gotenberg/Chart.yaml
index 3aa92f9..786768f 100644
--- a/charts/gotenberg/Chart.yaml
+++ b/charts/gotenberg/Chart.yaml
@@ -16,13 +16,13 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: "1.6.0"
+version: "1.7.0"
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "8.9.0"
+appVersion: "8.11.0"
 
 keywords:
 - gotenberg
diff --git a/charts/gotenberg/README.md b/charts/gotenberg/README.md
index 85c0c40..762c84e 100644
--- a/charts/gotenberg/README.md
+++ b/charts/gotenberg/README.md
@@ -1,7 +1,7 @@
 # Gotenberg
 
 [![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/gotenberg)](https://artifacthub.io/packages/helm/maikumori/gotenberg)
-![Version: 1.6.0](https://img.shields.io/badge/Version-1.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 8.9.0](https://img.shields.io/badge/AppVersion-8.9.0-informational?style=flat-square)
+![Version: 1.7.0](https://img.shields.io/badge/Version-1.7.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 8.11.0](https://img.shields.io/badge/AppVersion-8.11.0-informational?style=flat-square)
 
 This is a HELM chart for Gotenberg.
 
@@ -51,13 +51,18 @@ helm upgrade my-release maikumori/gotenberg --install
 | affinity | object | `{}` | |
 | api.basicAuthPassword | string | `nil` | Set the basic authentication password |
 | api.basicAuthUsername | string | `nil` | Set the basic authentication username |
+| api.disableDownloadFrom | bool | `false` | Disable the download from feature |
 | api.disableHealthCheckLogging | bool | `false` | Disable health check logging |
+| api.downloadFromAllowList | string | `""` | Set the allowed URLs for the download from feature using a regular expression |
+| api.downloadFromDenyList | string | `""` | Set the denied URLs for the download from feature using a regular expression |
+| api.downloadFromMaxRetry | int | `4` | Set the maximum number of retries for the download from feature (default 4) |
 | api.enableBasicAuth | bool | `false` | Enable basic authentication, see also the basicAuthUsername and basicAuthPassword values |
 | api.port | int | `3000` | Set the port on which the API should listen (default 3000) |
 | api.rootPath | string | `""` | Set the root path of the API - for service discovery via URL paths (default "/") |
 | api.timeout | string | `""` | Set the time limit for requests (default 30s) |
 | api.tlsSecretName | string | `""` | Enables TLS on the API server: K8S TLS secret name containing the TLS certificate and key (tls.crt, tls.key) |
 | api.traceHeader | string | `""` | Set the header name to use for identifying requests (default "Gotenberg-Trace") |
+| autoscaling.behavior | object | `{}` | |
 | autoscaling.enabled | bool | `false` | |
 | autoscaling.maxReplicas | int | `100` | |
 | autoscaling.minReplicas | int | `1` | |
@@ -99,6 +104,16 @@ helm upgrade my-release maikumori/gotenberg --install
 | logging.fieldsPrefix | string | `""` | Prepend a specified prefix to each field in the logs |
 | logging.format | string | `""` | Set log format - auto, json, or text (default "auto") |
 | logging.level | string | `""` | Set the log level - error, warn, info, or debug (default "info") |
+| metrics.serviceMonitor.annotations | object | `{}` | Additional annotations for the service monitor |
+| metrics.serviceMonitor.enabled | bool | `false` | Enable ServiceMonitor |
+| metrics.serviceMonitor.honorLabels | bool | `false` | HonorLabels chooses the metric’s labels on collisions with target labels |
+| metrics.serviceMonitor.interval | string | `nil` | Interval at which metrics should be scraped |
+| metrics.serviceMonitor.jobLabel | string | `nil` | Optional job label for the target service in Prometheus |
+| metrics.serviceMonitor.labels | object | `{}` | Additional labels for the service monitor |
+| metrics.serviceMonitor.metricRelabelings | list | `[]` | List of metric relabel configs to apply to samples before ingestion |
+| metrics.serviceMonitor.namespace | string | `nil` | Namespace for ServiceMonitor, defaults to release namespace |
+| metrics.serviceMonitor.relabelings | list | `[]` | List of relabel configs to apply to samples before scraping |
+| metrics.serviceMonitor.scrapeTimeout | string | `nil` | Timeout after which the scrape is ended |
 | nameOverride | string | `""` | |
 | nodeSelector | object | `{}` | |
 | pdb.create | bool | `false` | |
diff --git a/charts/gotenberg/templates/_helpers.tpl b/charts/gotenberg/templates/_helpers.tpl
index c4b1ebe..9e3dab2 100644
--- a/charts/gotenberg/templates/_helpers.tpl
+++ b/charts/gotenberg/templates/_helpers.tpl
@@ -76,9 +76,15 @@ And apply recommended settings from upstream project.
 {{- else}}
 {{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}}
 privileged: false
+allowPrivilegeEscalation: false
+# Issue with Chromium, see: https://github.com/gotenberg/gotenberg/issues/949
+readOnlyRootFilesystem: false
 {{- else -}}
 privileged: false
 runAsUser: 1001
+allowPrivilegeEscalation: false
+# Issue with Chromium, see: https://github.com/gotenberg/gotenberg/issues/949
+readOnlyRootFilesystem: false
 {{- end}}
 {{- end}}
 {{- end}}
diff --git a/charts/gotenberg/templates/deployment.yaml b/charts/gotenberg/templates/deployment.yaml
index 5b47450..fed4c92 100644
--- a/charts/gotenberg/templates/deployment.yaml
+++ b/charts/gotenberg/templates/deployment.yaml
@@ -65,6 +65,18 @@ spec:
 {{- if .Values.api.enableBasicAuth }}
 - --api-enable-basic-auth
 {{- end }}
+ {{- if .Values.api.downloadFromAllowList }}
+ - --api-download-from-allow-list={{ .Values.api.downloadFromAllowList }}
+ {{- end }}
+ {{- if .Values.api.downloadFromDenyList }}
+ - --api-download-from-deny-list={{ .Values.api.downloadFromDenyList }}
+ {{- end }}
+ {{- if .Values.api.downloadFromMaxRetry }}
+ - --api-download-from-max-retry={{ .Values.api.downloadFromMaxRetry }}
+ {{- end }}
+ {{- if .Values.api.disableDownloadFrom }}
+ - --api-disable-download-from
+ {{- end }}
 
 {{- if .Values.chromium.restartAfter }}
 - --chromium-restart-after={{ .Values.chromium.restartAfter }}
diff --git a/charts/gotenberg/templates/hpa.yaml b/charts/gotenberg/templates/hpa.yaml
index 9969c2e..0f4cc18 100644
--- a/charts/gotenberg/templates/hpa.yaml
+++ b/charts/gotenberg/templates/hpa.yaml
@@ -12,6 +12,8 @@ spec:
 name: {{ include "gotenberg.fullname" . }}
 minReplicas: {{ .Values.autoscaling.minReplicas }}
 maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+ behavior:
+ {{- toYaml .Values.autoscaling.behavior | nindent 4 }}
 metrics:
 {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
 - type: Resource
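Review bot: The non-OpenShift branch still relies on `runAsUser: 1001` alone to keep the container off UID 0; adding `runAsNonRoot: true` beside it makes that intent enforceable by the kubelet and is what the `restricted` Pod Security Standard and most admission policies check for, while the OpenShift branch is right to leave the UID to the SCC. The same standard also expects `capabilities: {drop: [ALL]}` and a `seccompProfile`, which may be worth a follow-up if the chart aims at restricted namespaces. Stylistically, the three added lines are identical in both branches and are not OpenShift-specific, so they could be emitted once after the inner `{{- end}}`; because `{{- else -}}` trims the whitespace after it, check the rendered output before moving them. The enclosing `define` starts outside the hunk.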
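Review bot: The two list flags interpolate a user-supplied regular expression as a plain YAML scalar, so a pattern containing ` #` or `: `, or one starting with `[`, `*` or `{`, either breaks the rendered manifest or is silently reparsed; rendering the whole argument through `quote`, e.g. `- {{ printf "--api-download-from-allow-list=%s" .Values.api.downloadFromAllowList | quote }}` (and likewise for the deny list), avoids that, and the same unquoted pattern may exist for the webhook flags outside the hunk. Separately, `{{- if .Values.api.downloadFromMaxRetry }}` treats `0` as unset, so a user who wants no retries silently gets upstream's default of 4 (assuming upstream accepts `0`); `{{- if not (kindIs "invalid" .Values.api.downloadFromMaxRetry) }}` emits the flag whenever the key is set, including `0`, and still omits it for `null`, which pairs with the `downloadFromMaxRetry: 4` default added in values.yaml. The args list continues outside the hunk in both directions.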
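Review bot: `behavior:` is emitted unconditionally, so with the default `autoscaling.behavior: {}` every rendered HPA carries a `behavior: {}` stanza and `--set autoscaling.behavior=null` yields `behavior: null`; both should be accepted by the API server but add noise to `helm template` output and diffs. Guarding the two lines with `{{- with .Values.autoscaling.behavior }}` … `{{- end }}` omits the key when nothing is configured, the same pattern the new servicemonitor.yaml uses for its optional blocks. The `spec` block continues outside the hunk.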
diff --git a/charts/gotenberg/templates/servicemonitor.yaml b/charts/gotenberg/templates/servicemonitor.yaml
new file mode 100644
index 0000000..b4ecdd7
--- /dev/null
+++ b/charts/gotenberg/templates/servicemonitor.yaml
@@ -0,0 +1,45 @@
+{{- if and (not .Values.prometheus.disableCollect) .Values.metrics .Values.metrics.serviceMonitor .Values.metrics.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ include "gotenberg.fullname" . }}
+ namespace: {{ default .Release.Namespace .Values.metrics.serviceMonitor.namespace }}
+ labels:
+ {{- include "gotenberg.labels" . | nindent 4 }}
+{{- with .Values.metrics.serviceMonitor.labels }}
+ {{- toYaml . | nindent 4 }}
+{{- end }}
+{{- with .Values.metrics.serviceMonitor.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+{{- end }}
+spec:
+ {{- with .Values.metrics.serviceMonitor.jobLabel }}
+ jobLabel: {{ . }}
+ {{- end }}
+ selector:
+ matchLabels:
+ {{- include "gotenberg.selectorLabels" . | nindent 6 }}
+ endpoints:
+ - path: /prometheus/metrics
+ port: http
+ scheme: http
+ {{- with .Values.metrics.serviceMonitor.interval }}
+ interval: {{ . }}
+ {{- end }}
+ {{- with .Values.metrics.serviceMonitor.scrapeTimeout }}
+ scrapeTimeout: {{ . }}
+ {{- end }}
+ {{- with .Values.metrics.serviceMonitor.honorLabels }}
+ honorLabels: {{ . }}
+ {{- end }}
+ {{- with .Values.metrics.serviceMonitor.metricRelabelings }}
+ metricRelabelings: {{- toYaml . | nindent 6 }}
+ {{- end }}
+ {{- with .Values.metrics.serviceMonitor.relabelings }}
+ relabelings: {{- toYaml . | nindent 6 }}
+ {{- end }}
+ namespaceSelector:
+ matchNames:
+ - {{ .Release.Namespace }}
+{{- end }}
diff --git a/charts/gotenberg/values.yaml b/charts/gotenberg/values.yaml
index 37e498b..fd7aab9 100644
--- a/charts/gotenberg/values.yaml
+++ b/charts/gotenberg/values.yaml
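Review bot: `scheme: http` is hard-coded although the chart's `api.tlsSecretName` value turns on TLS for the API server (per the README table), so a TLS-enabled release gets a ServiceMonitor whose scrapes fail; deriving it, `scheme: {{ if .Values.api.tlsSecretName }}https{{ else }}http{{ end }}`, plus a `tlsConfig` block in the TLS case, keeps the two in step. The three free-form values are rendered unquoted, so `--set metrics.serviceMonitor.interval=30` produces an integer where the CRD expects a string; `jobLabel: {{ . | quote }}`, `interval: {{ . | quote }}` and `scrapeTimeout: {{ . | quote }}` avoid that. `path: /prometheus/metrics` does not account for `api.rootPath`, and `port: http` assumes the Service names its port that way — neither the Service template nor the upstream route layout is in this diff, so confirm both, and if the metrics route sits behind `api.enableBasicAuth` the endpoint would also need a `basicAuth` secret reference.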
@@ -34,8 +34,7 @@ podSecurityContext:
 
 # -- Define the security context for the container. By default will use upstream recommended values.
 # @default -- `{ privileged: false, runAsUser: 1001 }`, except in OpenShift where `runAsUser` is not set.
-securityContext:
- {}
+securityContext: {}
 
 service:
 type: ClusterIP
@@ -66,6 +65,7 @@ autoscaling:
 enabled: false
 minReplicas: 1
 maxReplicas: 100
+ behavior: {}
 targetCPUUtilizationPercentage: 80
 # targetMemoryUtilizationPercentage: 80
 
@@ -123,7 +123,7 @@ ingress:
 # - chart-example.local
 
 # The API module is an HTTP/1 and HTTP/2 (H2C) server. Other modules may add routes, middlewares, and health checks.
-# https://gotenberg.dev/docs/modules/api
+# https://gotenberg.dev/docs/configuration#api
 api:
 # -- Set the port on which the API should listen (default 3000)
 port: 3000
@@ -143,9 +143,17 @@ api:
 basicAuthUsername:
 # -- Set the basic authentication password
 basicAuthPassword:
+ # -- Set the allowed URLs for the download from feature using a regular expression
+ downloadFromAllowList: ""
+ # -- Set the denied URLs for the download from feature using a regular expression
+ downloadFromDenyList: ""
+ # -- Set the maximum number of retries for the download from feature (default 4)
+ downloadFromMaxRetry: 4
+ # -- Disable the download from feature
+ disableDownloadFrom: false
 
 # The Chromium module interacts with the Chromium browser to convert HTML documents to PDF.
-# https://gotenberg.dev/docs/modules/chromium
+# https://gotenberg.dev/docs/configuration#chromium
 chromium:
 # -- Number of conversions after which Chromium will automatically restart. Set to 0 to disable this feature
 restartAfter: ""
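Review bot: The comments on `downloadFromAllowList` and `downloadFromDenyList` do not tell an operator what an empty value means: deployment.yaml only passes each flag when the value is non-empty, so upstream's own default policy applies, and presumably the feature makes the server fetch URLs named in incoming requests — in a cluster where the pod can reach internal endpoints that is a control worth setting deliberately rather than by omission. A comment such as `# -- Set the allowed URLs for the download from feature using a regular expression. Left empty, the flag is not passed and upstream's default applies; set it, or `disableDownloadFrom: true`, where the pod can reach internal services.` makes the choice explicit, and the same sentence fits the deny list. The `api:` mapping continues outside the hunk.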
@@ -183,7 +191,7 @@ chromium:
 maxQueueSize: 0
 
 # The LibreOffice module interacts with LibreOffice to convert documents to PDF, thanks to unoconv.
-# https://gotenberg.dev/docs/modules/libreoffice
+# https://gotenberg.dev/docs/configuration#libreoffice
 libreOffice:
 # -- Number of conversions after which LibreOffice will automatically restart. Set to 0 to disable this feature (default 10)
 restartAfter: ""
@@ -197,7 +205,7 @@ libreOffice:
 maxQueueSize: 0
 
 # The PDF Engines module gathers all engines that can manipulate PDF files.
-# https://gotenberg.dev/docs/modules/pdf-engines
+# https://gotenberg.dev/docs/configuration#pdf-engines
 pdfEngines:
 # -- Set the PDF engines and their order - all by default
 engines: ""
@@ -206,7 +214,7 @@ pdfEngines:
 
 # The Webhook module provides a middleware that allows you to upload the output file
 # from multipart/form-data routes to the destination of your choice.
-# https://gotenberg.dev/docs/modules/webhook
+# https://gotenberg.dev/docs/configuration#webhook
 webhook:
 # -- Set the allowed URLs for the webhook feature using a regular expression
 allowList: ""
@@ -228,7 +236,7 @@ webhook:
 disable: false
 
 # The Prometheus module collects metrics from other modules.
-# https://gotenberg.dev/docs/modules/prometheus
+# https://gotenberg.dev/docs/configuration#prometheus
 prometheus:
 # -- Set the interval for collecting modules' metrics (default 1s)
 collectInterval: ""
@@ -240,7 +248,7 @@ prometheus:
 disableRouterLogging: false
 
 # The Logging module provides a logger to Gotenberg.
-# https://gotenberg.dev/docs/modules/logging
+# https://gotenberg.dev/docs/configuration#logging
 logging:
 # -- Set log format - auto, json, or text (default "auto")
 format: ""
@@ -250,7 +258,30 @@ logging:
 fieldsPrefix: ""
 
 # Misc.
-# https://gotenberg.dev/docs/modules/more
+# https://gotenberg.dev/docs/configuration#graceful-shutdown
 gotenberg:
 # -- Set the graceful shutdown duration (default 30s)
 gracefulShutdownDurationSec: 30
+
+metrics:
+ serviceMonitor:
+ # -- Enable ServiceMonitor
+ enabled: false
+ # -- (string) Namespace for ServiceMonitor, defaults to release namespace
+ namespace:
+ # -- (string) Optional job label for the target service in Prometheus
+ jobLabel:
+ # -- (string) Interval at which metrics should be scraped
+ interval:
+ # -- (string) Timeout after which the scrape is ended
+ scrapeTimeout:
+ # -- HonorLabels chooses the metric’s labels on collisions with target labels
+ honorLabels: false
+ # -- List of metric relabel configs to apply to samples before ingestion
+ metricRelabelings: []
+ # -- List of relabel configs to apply to samples before scraping
+ relabelings: []
+ # -- Additional annotations for the service monitor
+ annotations: {}
+ # -- Additional labels for the service monitor
+ labels: {}