From bfeff5c7de94ebf7c5fc3d5334d8074539da7c2e Mon Sep 17 00:00:00 2001
From: 0hlov3
Date: Sun, 19 Nov 2023 20:18:21 +0100
Subject: [PATCH] Updates privatebin chart
---
 charts/privatebin/Chart.yaml | 4 +-
 charts/privatebin/templates/configmap.yaml | 209 +++++++++++---------
 charts/privatebin/templates/deployment.yaml | 2 +-
 charts/privatebin/values.yaml | 61 ++++--
 4 files changed, 166 insertions(+), 110 deletions(-)
diff --git a/charts/privatebin/Chart.yaml b/charts/privatebin/Chart.yaml
index d153aac..25e98fa 100644
--- a/charts/privatebin/Chart.yaml
+++ b/charts/privatebin/Chart.yaml
@@ -8,8 +8,8 @@ keywords:
 - pastebin
 - self-destroy
 type: application
-version: 0.1.0
-appVersion: "1.5.1"
+version: 0.1.1
+appVersion: "1.6.0"
 maintainers:
 - name: fSocietySocial
 email: dev@fsociety.social
diff --git a/charts/privatebin/templates/configmap.yaml b/charts/privatebin/templates/configmap.yaml
index 03c9537..f1d6e57 100644
--- a/charts/privatebin/templates/configmap.yaml
+++ b/charts/privatebin/templates/configmap.yaml
@@ -10,96 +10,71 @@ data: ; config file for PrivateBin ; ; An explanation of each setting can be find online at https://github.com/PrivateBin/PrivateBin/wiki/Configuration. - [main] ; (optional) set a project name to be displayed on the website - ; name = "PrivateBin" - {{- if .Values.config.name }} - name: {{ .Values.config.name |default "PrivateBin" | quote }} - {{- end}} - - ; The full URL, with the domain name and directories that point to the PrivateBin files - ; This URL is essential to allow Opengraph images to be displayed on social networks - ; basepath = "" - + name = "{{ .Values.config.name }}" + ; The full URL, with the domain name and directories that point to the + ; PrivateBin files, including an ending slash (/). This URL is essential to + ; allow Opengraph images to be displayed on social networks. + basepath = "{{.Values.config.basepath}}" ; enable or disable the discussion feature, defaults to true - discussion = {{ .Values.config.discussion | default true }} - + discussion = {{ .Values.config.discussion }} ; preselect the discussion feature, defaults to false - opendiscussion = {{ .Values.config.opendiscussion | default false }} - + opendiscussion = {{ .Values.config.opendiscussion }} ; enable or disable the password feature, defaults to true - password = {{ .Values.config.enablepassword | default true }} - + password = {{ .Values.config.password }} ; enable or disable the file upload feature, defaults to false - fileupload = {{ .Values.config.fileupload | default false }} - + fileupload = {{ .Values.config.fileupload }} ; preselect the burn-after-reading feature, defaults to false - burnafterreadingselected = {{ .Values.config.burnafterreadingselected | default false }} - + burnafterreadingselected = {{ .Values.config.burnafterreadingselected }} ; which display mode to preselect by default, defaults to "plaintext" ; make sure the value exists in [formatter_options] - defaultformatter = {{ .Values.config.defaultformatter | default "plaintext" | 
quote }} - + defaultformatter = "{{ .Values.config.defaultformatter }}" ; (optional) set a syntax highlighting theme, as found in css/prettify/ - {{- if .Values.config.syntaxhighlightingtheme }} - syntaxhighlightingtheme = {{ .Values.config.syntaxhighlightingtheme | default "sons-of-obsidian" | quote }} - {{- end }} - + ; syntaxhighlightingtheme = "{{ .Values.config.syntaxhighlightingtheme }}" ; size limit per paste or comment in bytes, defaults to 10 Mebibytes - sizelimit = {{ .Values.config.sizelimit | default 10485760 }} - + sizelimit = {{ .Values.config.sizelimit }} ; template to include, default is "bootstrap" (tpl/bootstrap.php) - template = {{ .Values.config.template | default "bootstrap" | quote }} - + template = "{{ .Values.config.template }}" ; (optional) info text to display ; use single, instead of double quotes for HTML attributes - {{- if .Values.config.info }} - info = {{ .Values.config.info | default "More information on the project page." | quote }} - {{- end }} - + ;info = "More information on the project page." ; (optional) notice to display ; notice = "Note: This is a test service: Data may be deleted anytime. Kittens will die if you abuse this service." - {{- if .Values.config.notice }} - notice = {{ .Values.config.notice | default "Note: This is a test service: Data may be deleted anytime. Kittens will die if you abuse this service." | quote }} - {{- end }} - ; by default PrivateBin will guess the visitors language based on the browsers ; settings. Optionally you can enable the language selection menu, which uses ; a session cookie to store the choice until the browser is closed. 
- languageselection = {{ .Values.config.languageselection | default false }} - + languageselection = {{ .Values.config.languageselection }} ; set the language your installs defaults to, defaults to English ; if this is set and language selection is disabled, this will be the only language {{- if .Values.config.languagedefault }} - languagedefault = {{ .Values.config.languagedefault | default "en" | quote }} + languagedefault = "{{ .Values.config.languagedefault }}" {{- end }} - - ; (optional) URL shortener address to offer after a new paste is created - ; it is suggested to only use this with self-hosted shorteners as this will leak - ; the pastes encryption key - ; urlshortener = "https://shortener.example.com/api?link=" + ; (optional) URL shortener address to offer after a new paste is created. + ; It is suggested to only use this with self-hosted shorteners as this will leak + ; the pastes encryption key. {{- if .Values.config.urlshortener }} - urlshortener = {{ .Values.config.urlshortener | default "https://shortener.example.com/api?link=" | quote }} + urlshortener = "{{ .Values.config.urlshortener }}" {{- end }} - ; (optional) Let users create a QR code for sharing the paste URL with one click. ; It works both when a new paste is created and when you view a paste. - ; qrcode = true {{- if .Values.config.qrcode }} - qrcode = {{ .Values.config.qrcode | default true }} + qrcode = {{ .Values.config.qrcode }} + {{- end }} + ; (optional) Let users send an email sharing the paste URL with one click. + ; It works both when a new paste is created and when you view a paste. + {{- if .Values.config.email }} + email = {{ .Values.config.email }} {{- end }} - ; (optional) IP based icons are a weak mechanism to detect if a comment was from - ; a different user when the same username was used in a comment. It might be - ; used to get the IP of a non anonymous comment poster if the server salt is - ; leaked and a SHA256 HMAC rainbow table is generated for all (relevant) IPs. 
- ; Can be set to one these values: "none" / "vizhash" / "identicon" (default). - ; icon = "none" + ; a different user when the same username was used in a comment. It might get + ; used to get the IP of a comment poster if the server salt is leaked and a + ; SHA512 HMAC rainbow table is generated for all (relevant) IPs. + ; Can be set to one these values: + ; "none" / "identicon" (default) / "jdenticon" / "vizhash". {{- if .Values.config.icon }} - icon = {{ .Values.config.icon | default "none" | quote }} + icon = "{{ .Values.config.icon }}" {{- end }} - ; Content Security Policy headers allow a website to restrict what sources are ; allowed to be accessed in its context. You need to change this if you added ; custom scripts from third-party domains to your templates, e.g. tracking 
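Review bot: The `{{ .Values.config.<key> }}` substitutions in this hunk no longer carry a `| default`, so a values override that omits any of these keys renders an empty right-hand side (or Helm's `<no value>`) instead of the upstream default; the old `| default true` on booleans was itself broken (Sprig's `default` treats `false` as empty), so keeping the defaults in values.yaml, as this commit does, is the right direction, but absent keys should fail rather than be emitted silently. Related: `enablepassword` was renamed to `password`, so an override still carrying the old key silently loses the password feature; a guard such as `{{- if hasKey .Values.config "enablepassword" }}{{ fail "config.enablepassword was renamed to config.password" }}{{- end }}` would surface that at install time. Also `; syntaxhighlightingtheme = "{{ .Values.config.syntaxhighlightingtheme }}"` is rendered as an INI comment, so the `syntaxhighlightingtheme` value is dead; either drop the leading `;` or remove the value. The `[main]` section continues past the end of this hunk.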
@@ -116,42 +91,33 @@ data: ; async functions and display an error if not and for Chrome to enable ; webassembly support (used for zlib compression). You can remove it if Chrome ; doesn't need to be supported and old browsers don't need to be warned. - ; cspheader = "default-src 'none'; base-uri 'self'; form-action 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'unsafe-eval' resource:; style-src 'self'; font-src 'self'; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads" {{- if .Values.config.cspheader }} - cspheader = {{ .Values.config.cspheader | default "default-src 'none'; base-uri 'self'; form-action 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'unsafe-eval' resource:; style-src 'self'; font-src 'self'; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads" | quote }} + cspheader = "{{ .Values.config.cspheader }}" {{- end }} - ; stay compatible with PrivateBin Alpha 0.19, less secure ; if enabled will use base64.js version 1.7 instead of 2.1.9 and sha1 instead of ; sha256 in HMAC for the deletion token - ; zerobincompatibility = false {{- if .Values.config.zerobincompatibility }} - zerobincompatibility = {{ .Values.config.zerobincompatibility | default false }} + ; zerobincompatibility = {{ .Values.config.zerobincompatibility }} {{- end }} - ; Enable or disable the warning message when the site is served over an insecure ; connection (insecure HTTP instead of HTTPS), defaults to true. ; Secure transport methods like Tor and I2P domains are automatically whitelisted. ; It is **strongly discouraged** to disable this. - ; See https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-it-show-me-an-error-about-an-insecure-connection for more information. 
- ; httpwarning = true + ; See https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-it-show-me-an-error-about-an-insecure-connection for more information. {{- if .Values.config.httpwarning }} - httpwarning = {{ .Values.config.httpwarning | default true }} + httpwarning = {{ .Values.config.httpwarning }} {{- end }} - ; Pick compression algorithm or disable it. Only applies to pastes/comments ; created after changing the setting. ; Can be set to one these values: "none" / "zlib" (default). - ; compression = "zlib" {{- if .Values.config.compression }} - compression = {{ .Values.config.compression | default "zlib" | quote }} + compression = "{{ .Values.config.compression }}" {{- end }} - [expire] ; expire value that is selected per default ; make sure the value exists in [expire_options] - default = {{ .Values.config.defaultexpire | default "1week" | quote }} - + default = "{{ .Values.config.expire.default }}" [expire_options] ; Set each one of these to the number of seconds in the expiration period, ; or 0 if it should never expire 
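Review bot: `; zerobincompatibility = {{ .Values.config.zerobincompatibility }}` inside its `{{- if }}` block renders as a comment, so setting `config.zerobincompatibility: true` has no effect; since the surrounding comment describes this mode as less secure (sha1 for the deletion-token HMAC), keeping it unreachable is defensible, but then the three template lines and the `# zerobincompatibility: false` values entry should go rather than look configurable. The same `if` pattern on `httpwarning` means `config.httpwarning: false` is never rendered, i.e. the insecure-transport warning cannot be switched off through values, which matches the `**strongly discouraged**` guidance but deserves a comment on the values key. `cspheader = "{{ .Values.config.cspheader }}"` interpolates the value raw between hand-written quotes; the upstream default only contains single quotes, but a value containing `"` would break the INI line, so `cspheader = {{ .Values.config.cspheader | quote }}` (escaped, double-quoted output) is the safer form.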
@@ -164,54 +130,50 @@ data: 1month = 2592000 1year = 31536000 never = 0 - [formatter_options] ; Set available formatters, their order and their labels - plaintext = {{ .Values.config.formatterOptions.plaintext | default "Plain Text" | quote }} - syntaxhighlighting = {{ .Values.config.formatterOptions.syntaxhighlighting | default "Source Code" | quote }} - markdown = "Markdown" {{ .Values.config.formatterOptions.markdown | default "Markdown" | quote }} - + plaintext = "{{ .Values.config.formatter_options.plaintext }}" + syntaxhighlighting = "{{ .Values.config.formatter_options.syntaxhighlighting }}" + markdown = "{{ .Values.config.formatter_options.markdown }}" [traffic] ; time limit between calls from the same IP address in seconds ; Set this to 0 to disable rate limiting. - limit = {{ .Values.config.limit | default 10 }} - - ; Set ips (v4|v6) which should be exempted for the rate-limit. CIDR also supported. Needed to be comma separated. - ; Unset for enabling and invalid values will be ignored - ; eg: exemptedIp = '1.2.3.4,10.10.10/24' - + limit = {{ .Values.config.traffic.limit }} + ; (optional) Set IPs addresses (v4 or v6) or subnets (CIDR) which are exempted + ; from the rate-limit. Invalid IPs will be ignored. If multiple values are to + ; be exempted, the list needs to be comma separated. Leave unset to disable + ; exemptions. + ; exempted = "1.2.3.4,10.10.10/24" + ; (optional) If you want only some source IP addresses (v4 or v6) or subnets + ; (CIDR) to be allowed to create pastes, set these here. Invalid IPs will be + ; ignored. If multiple values are to be exempted, the list needs to be comma + ; separated. Leave unset to allow anyone to create pastes. + ; creators = "1.2.3.4,10.10.10/24" ; (optional) if your website runs behind a reverse proxy or load balancer, ; set the HTTP header containing the visitors IP address, i.e. 
X_FORWARDED_FOR ; header = "X_FORWARDED_FOR" - {{- if .Values.config.header }} - header = {{ .Values.config.header | default "X_FORWARDED_FOR" | quote }} - {{- end }} - [purge] ; minimum time limit between two purgings of expired pastes, it is only ; triggered when pastes are created ; Set this to 0 to run a purge every time a paste is created. - limit = {{ .Values.config.purgelimit | default 300 }} - + limit = 300 ; maximum amount of expired pastes to delete in one purge ; Set this to 0 to disable purging. Set it higher, if you are running a large ; site - batchsize = {{ .Values.config.batchsize | default 10 }} - + batchsize = 10 [model] ; name of data model class to load and directory for storage ; the default model "Filesystem" stores everything in the filesystem - class = {{ .Values.config.modelclass | default "Filesystem" | quote }} + class = Filesystem [model_options] dir = PATH "data" - ;[model] ; example of a Google Cloud Storage configuration ;class = GoogleCloudStorage ;[model_options] ;bucket = "my-private-bin" ;prefix = "pastes" - + ;uniformacl = false ;[model] ; example of DB configuration for MySQL ;class = Database @@ -221,7 +183,6 @@ data: ;usr = "privatebin" ;pwd = "Z3r0P4ss" ;opt[12] = true ; PDO::ATTR_PERSISTENT - ;[model] ; example of DB configuration for SQLite ;class = Database 
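Review bot: Deleting the `{{- if .Values.config.header }}` / `header = ...` block under `[traffic]` removes the only way to tell PrivateBin which header carries the client address, so behind the chart's ingress every request is seen with the proxy's source IP: the `limit` rate limit is then shared by all visitors, and the newly documented `exempted` / `creators` lists cannot match real client addresses. Keep it configurable, e.g. `{{- if .Values.config.traffic.header }}` / `header = "{{ .Values.config.traffic.header }}"` / `{{- end }}`, and note in values.yaml that it must only be set when a trusted proxy rewrites that header, since otherwise the client controls it and the limit can be sidestepped. The same hunk also hard-codes `limit = 300`, `batchsize = 10` and `class = Filesystem`, dropping the `purgelimit`, `batchsize` and `modelclass` values without a deprecation note or changelog entry.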
@@ -230,4 +191,60 @@ data:
 ;usr = null
 ;pwd = null
 ;opt[12] = true ; PDO::ATTR_PERSISTENT
+ ;[model]
+ ; example of DB configuration for PostgreSQL
+ ;class = Database
+ ;[model_options]
+ ;dsn = "pgsql:host=localhost;dbname=privatebin"
+ ;tbl = "privatebin_" ; table prefix
+ ;usr = "privatebin"
+ ;pwd = "Z3r0P4ss"
+ ;opt[12] = true ; PDO::ATTR_PERSISTENT
+ ;[model]
+ ; example of S3 configuration for Rados gateway / CEPH
+ ;class = S3Storage
+ ;[model_options]
+ ;region = ""
+ ;version = "2006-03-01"
+ ;endpoint = "https://s3.my-ceph.invalid"
+ ;use_path_style_endpoint = true
+ ;bucket = "my-bucket"
+ ;accesskey = "my-rados-user"
+ ;secretkey = "my-rados-pass"
+ ;[model]
+ ; example of S3 configuration for AWS
+ ;class = S3Storage
+ ;[model_options]
+ ;region = "eu-central-1"
+ ;version = "latest"
+ ;bucket = "my-bucket"
+ ;accesskey = "access key id"
+ ;secretkey = "secret access key"
+ ;[model]
+ ; example of S3 configuration for AWS using its SDK default credential provider chain
+ ; if relying on environment variables, the AWS SDK will look for the following:
+ ; - AWS_ACCESS_KEY_ID
+ ; - AWS_SECRET_ACCESS_KEY
+ ; - AWS_SESSION_TOKEN (if needed)
+ ; for more details, see https://docs.aws.amazon.com/sdk-for-php/v3/developer-guide/guide_credentials.html#default-credential-chain
+ ;class = S3Storage
+ ;[model_options]
+ ;region = "eu-central-1"
+ ;version = "latest"
+ ;bucket = "my-bucket"
+ [yourls]
+ ; When using YOURLS as a "urlshortener" config item:
+ ; - By default, "urlshortener" will point to the YOURLS API URL, with or without
+ ; credentials, and will be visible in public on the PrivateBin web page.
+ ; Only use this if you allow short URL creation without credentials.
+ ; - Alternatively, using the parameters in this section ("signature" and
+ ; "apiurl"), "urlshortener" needs to point to the base URL of your PrivateBin
+ ; instance with "shortenviayourls?link=" appended. For example:
+ ; urlshortener = "${basepath}shortenviayourls?link="
+ ; This URL will in turn call YOURLS on the server side, using the URL from
+ ; "apiurl" and the "access signature" from the "signature" parameters below.
+ ; (optional) the "signature" (access key) issued by YOURLS for the using account
+ ; signature = ""
+ ; (optional) the URL of the YOURLS API, called to shorten a PrivateBin URL
+ ; apiurl = "https://yourls.example.com/yourls-api.php"
 {{- end }}
\ No newline at end of file
diff --git a/charts/privatebin/templates/deployment.yaml b/charts/privatebin/templates/deployment.yaml
index e827001..24a298f 100644
--- a/charts/privatebin/templates/deployment.yaml
+++ b/charts/privatebin/templates/deployment.yaml
@@ -31,7 +31,7 @@ spec:
 - name: {{ .Chart.Name }}
 securityContext:
 {{- toYaml .Values.securityContext | nindent 12 }}
-image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+image: "{{ .Values.image.registry}}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 ports:
 - name: privatebin
diff --git a/charts/privatebin/values.yaml b/charts/privatebin/values.yaml
index f9704b3..05667aa 100644
--- a/charts/privatebin/values.yaml
+++ b/charts/privatebin/values.yaml
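Review bot: The new commented-out PostgreSQL and S3 examples put `;pwd = "Z3r0P4ss"`, `;accesskey = "..."` and `;secretkey = "..."` into a template that renders into a ConfigMap, so an operator who uncomments them to enable a database or S3 backend ends up with credentials stored in a ConfigMap, readable by anyone with `get` on configmaps in the namespace, rather than in a Secret. A comment above the first added `;[model]` would prevent that, e.g. `; NOTE: this file is rendered into a ConfigMap; keep DB/S3 credentials out of it (mount them from a Secret, or use the SDK credential chain shown below)`. The file still ends without a trailing newline (`\ No newline at end of file` on `{{- end }}`), which is worth fixing while the file is being touched; that `{{- end }}` closes a block that begins outside this hunk.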
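Review bot: `image: "{{ .Values.image.registry}}/{{ .Values.image.repository }}:..."` always emits the slash, so an override with `image.registry: ""` yields `/privatebin/nginx-fpm-alpine:1.6.0`, which is not a valid image reference. Make the prefix conditional, `image: "{{ with .Values.image.registry }}{{ . }}/{{ end }}{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"`, and add the missing space before `}}` to match the rest of the line. Since the image is now pinned only by a mutable tag via `.Chart.AppVersion`, an optional values key (say `image.digest`) that appends `@sha256:...` when set would let operators pin an immutable reference.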
@@ -5,11 +5,50 @@ replicaCount: 1
 image:
- repository: nginx
+ registry: docker.io
+ repository: privatebin/nginx-fpm-alpine
 pullPolicy: IfNotPresent
 # Overrides the image tag whose default is the chart appVersion.
 tag: ""
+config:
+ # The following values are used to configure the privatebin container
+ #
+ name: "PrivateBin"
+ basepath: "https://privatebin.example.com/"
+ discussion: true
+ opendiscussion: false
+ password: true
+ fileupload: false
+ burnafterreadingselected: false
+ defaultformatter: plaintext
+ syntaxhighlightingtheme: sons-of-obsidian
+ sizelimit: 10485760
+ template: bootstrap
+ languageselection: false
+ # languagedefault: en
+ # urlshortener: "https://shortener.example.com/api?link="
+ # qrcode: true
+ # email: true
+ # icon: none
+ # cspheader: "default-src 'none'; base-uri 'self'; form-action 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'unsafe-eval'; style-src 'self'; font-src 'self'; frame-ancestors 'none'; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads"
+ # zerobincompatibility: false
+ # httpwarning: true
+ # compression: "zlib"
+ expire:
+ default: "1week"
+ formatter_options:
+ plaintext: "Plain Text"
+ syntaxhighlighting: "Source Code"
+ markdown: "Markdown"
+ traffic:
+ limit: 10
+
+persistence:
+ enabled: false
+ capacity: 1Gi
+ # storageclassname: default
+
 imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
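Review bot: `basepath: "https://privatebin.example.com/"` is a placeholder that the configmap template renders verbatim into `basepath = "..."`, so a release that forgets to override it advertises Opengraph URLs for a domain it does not own; upstream's own commented default is `basepath = ""`, so shipping `basepath: ""` with a comment such as `# public URL of this instance including the trailing slash, e.g. "https://paste.example.org/"` avoids emitting a wrong URL by default. `syntaxhighlightingtheme: sons-of-obsidian` has no effect because the template emits that line as an INI comment, so it should be removed or the template line un-commented. The keys `defaultformatter`, `syntaxhighlightingtheme` and `template` are unquoted while their neighbours are quoted; quoting every value that is interpolated into the config file is the safer habit, and the empty `#` line under `# The following values are used to configure the privatebin container` reads as a stray comment.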
@@ -28,31 +67,31 @@ podAnnotations: {}
 podSecurityContext: {}
 # fsGroup: 2000
-securityContext: {}
- # capabilities:
- # drop:
- # - ALL
- # readOnlyRootFilesystem: true
- # runAsNonRoot: true
- # runAsUser: 1000
+securityContext:
+ runAsNonRoot: true
+ runAsUser: 65534
+ runAsGroup: 82
+ fsGroup: 82
+ readOnlyRootFilesystem: true
 service:
 type: ClusterIP
- port: 80
+ port: 8080
 ingress:
 enabled: false
 className: ""
 annotations: {}
- # kubernetes.io/ingress.class: nginx
+ # cert-manager.io/cluster-issuer: letsencrypt-prod
 # kubernetes.io/tls-acme: "true"
+ # kubernetes.io/ingress.class: nginx
 hosts:
 - host: chart-example.local
 paths:
 - path: /
 pathType: ImplementationSpecific
 tls: []
- # - secretName: chart-example-tls
+ # - secretName: tls-privatebin-general
 # hosts:
 # - chart-example.local
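Review bot: `fsGroup: 82` is placed under `securityContext`, which deployment.yaml renders into the container-level `securityContext` (the `toYaml .Values.securityContext | nindent 12` context line in the deployment hunk), but `fsGroup` is a pod-level field: with strict field validation the API server rejects the Deployment, and otherwise the field is dropped, so the volume group ownership it was meant to set never happens. It belongs under `podSecurityContext`, next to the existing `# fsGroup: 2000` hint. The container hardening itself is welcome (`runAsNonRoot`, `readOnlyRootFilesystem`, non-privileged `port: 8080`), but the previously hinted `capabilities: drop: - ALL` was lost and `allowPrivilegeEscalation: false` plus a `seccompProfile` are missing, all of which the Pod Security `restricted` profile expects.
```yaml
podSecurityContext:
  fsGroup: 82

securityContext:
  runAsNonRoot: true
  runAsUser: 65534
  runAsGroup: 82
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  seccompProfile:
    type: RuntimeDefault

# … unchanged: service, ingress …
```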