From cc626a4c97ac03c57a6104d416435f0b5eb5c318 Mon Sep 17 00:00:00 2001
From: karl Einziger <227763633+carl-unique@users.noreply.github.com>
Date: Thu, 28 May 2026 14:25:42 +0200
Subject: [PATCH 01/15] add spacer in all ressources, remove not required bitnami-common dependency (apps/v1 is default)
---
 charts/cryptpad/Chart.lock | 6 ------
 charts/cryptpad/Chart.yaml | 4 ----
 charts/cryptpad/templates/configmap.yaml | 1 +
 charts/cryptpad/templates/cryptpad.yaml | 4 ++--
 charts/cryptpad/templates/hpa.yaml | 5 +++--
 charts/cryptpad/templates/ingress.yaml | 1 +
 charts/cryptpad/templates/service.yaml | 1 +
 charts/cryptpad/templates/serviceaccount.yaml | 1 +
 8 files changed, 9 insertions(+), 14 deletions(-)
 delete mode 100644 charts/cryptpad/Chart.lock
diff --git a/charts/cryptpad/Chart.lock b/charts/cryptpad/Chart.lock
deleted file mode 100644
index bed3629..0000000
--- a/charts/cryptpad/Chart.lock
+++ /dev/null
@@ -1,6 +0,0 @@
-dependencies:
-- name: common
- repository: oci://registry-1.docker.io/bitnamicharts
- version: 2.39.0
-digest: sha256:3eb3792ee943930941c29d63cd9c9ec07b7ce0da04b23e6b6eb4378a7ea9c0a0
-generated: "2026-05-15T15:55:14.210952212+02:00"
diff --git a/charts/cryptpad/Chart.yaml b/charts/cryptpad/Chart.yaml
index d44b175..a609734 100644
--- a/charts/cryptpad/Chart.yaml
+++ b/charts/cryptpad/Chart.yaml
@@ -33,7 +33,3 @@ maintainers:
 email: guilherme.sautner@xwiki.com
 - name: Arsène Fougerouse
 email: arsene.fougerouse@xwiki.com
-dependencies:
- - name: common
- repository: oci://registry-1.docker.io/bitnamicharts
- version: 2.x.x
diff --git a/charts/cryptpad/templates/configmap.yaml b/charts/cryptpad/templates/configmap.yaml
index 706b087..7e40c2b 100644
--- a/charts/cryptpad/templates/configmap.yaml
+++ b/charts/cryptpad/templates/configmap.yaml
@@ -1,3 +1,4 @@
+---
 apiVersion: v1
 kind: ConfigMap
 metadata:
diff --git a/charts/cryptpad/templates/cryptpad.yaml b/charts/cryptpad/templates/cryptpad.yaml
index e8bc7a2..11c6df0 100644
--- a/charts/cryptpad/templates/cryptpad.yaml
+++ b/charts/cryptpad/templates/cryptpad.yaml
@@ -1,8 +1,8 @@
+---
+apiVersion: apps/v1
 {{- if .Values.workloadStateful }}
-apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }}
 kind: StatefulSet
 {{- else }}
-apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
 kind: Deployment
 {{- end }}
 metadata:
diff --git a/charts/cryptpad/templates/hpa.yaml b/charts/cryptpad/templates/hpa.yaml
index 4ff6f4c..efef71d 100644
--- a/charts/cryptpad/templates/hpa.yaml
+++ b/charts/cryptpad/templates/hpa.yaml
@@ -1,4 +1,5 @@
 {{- if .Values.autoscaling.enabled }}
+---
 apiVersion: autoscaling/v2beta1
 kind: HorizontalPodAutoscaler
 metadata:
@@ -8,10 +9,10 @@ metadata:
 spec:
 scaleTargetRef:
 {{- if .Values.workloadStateful }}
- apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }}
+ apiVersion: apps/v1
 kind: StatefulSet
 {{- else }}
- apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
+ apiVersion: apps/v1
 kind: Deployment
 {{- end }}
 name: {{ include "cryptpad-helm.fullname" . }}
diff --git a/charts/cryptpad/templates/ingress.yaml b/charts/cryptpad/templates/ingress.yaml
index dd07365..d4f4a87 100644
--- a/charts/cryptpad/templates/ingress.yaml
+++ b/charts/cryptpad/templates/ingress.yaml
@@ -2,6 +2,7 @@
 {{- $fullName := include "cryptpad-helm.fullname" . -}}
 {{- $svcPort := .Values.service.externalPort -}}
 {{- $svcWsPort := .Values.service.websocket.externalPort -}}
+---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
diff --git a/charts/cryptpad/templates/service.yaml b/charts/cryptpad/templates/service.yaml
index 5974768..535bb95 100644
--- a/charts/cryptpad/templates/service.yaml
+++ b/charts/cryptpad/templates/service.yaml
@@ -1,3 +1,4 @@
+---
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/charts/cryptpad/templates/serviceaccount.yaml b/charts/cryptpad/templates/serviceaccount.yaml
index 99b8ee8..9c7da56 100644
--- a/charts/cryptpad/templates/serviceaccount.yaml
+++ b/charts/cryptpad/templates/serviceaccount.yaml
@@ -1,4 +1,5 @@
 {{- if .Values.serviceAccount.create -}}
+---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
From d42edbb8edcaa7db3e4cb9c53744168661a1898f Mon Sep 17 00:00:00 2001
From: karl Einziger <227763633+carl-unique@users.noreply.github.com>
Date: Thu, 28 May 2026 14:31:00 +0200
Subject: [PATCH 02/15] add httpRoute resource for GatewayApi Config (alternative to nginx ingress)
---
 charts/cryptpad/templates/httpRoute.yaml | 55 ++++++++++++++++++++++++
 charts/cryptpad/values.yaml | 15 +++++++
 2 files changed, 70 insertions(+)
 create mode 100644 charts/cryptpad/templates/httpRoute.yaml
diff --git a/charts/cryptpad/templates/httpRoute.yaml b/charts/cryptpad/templates/httpRoute.yaml
new file mode 100644
index 0000000..420bb13
--- /dev/null
+++ b/charts/cryptpad/templates/httpRoute.yaml
@@ -0,0 +1,55 @@
+{{- if .Values.httpRoute.enabled -}}
+{{- $fullName := include "cryptpad-helm.fullname" . -}}
+{{- $svcPort := .Values.service.externalPort -}}
+{{- $svcWsPort := .Values.service.websocket.externalPort -}}
+{{- if not .Values.httpRoute.parentRefs }}
+ {{- fail "A valid .Values.httpRoute.parentRefs entry is required when httpRoute.enabled is true" }}
+{{- end }}
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: {{ $fullName }}
+ labels:
+ {{- include "cryptpad-helm.labels" . | nindent 4 }}
+ {{- with .Values.httpRoute.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ {{- with .Values.httpRoute.parentRefs }}
+ parentRefs:
+ {{- . | toYaml | nindent 2 }}
+ {{- end }}
+ {{- with .Values.httpRoute.hosts }}
+ hostnames:
+ {{- toYaml . | nindent 2 }}
+ {{- end }}
+ rules:
+ - matches:
+ - path:
+ value: /
+ type: PathPrefix
+ backendRefs:
+ - group: ''
+ kind: Service
+ name: {{ $fullName }}
+ port: {{ $svcPort }}
+ {{- with .Values.httpRoute.timeouts }}
+ timeouts:
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+ - matches:
+ - path:
+ value: /cryptpad_websocket
+ type: PathPrefix
+ backendRefs:
+ - group: ''
+ kind: Service
+ name: {{ $fullName }}
+ port: {{ $svcWsPort }}
+ {{- with .Values.httpRoute.timeouts }}
+ timeouts:
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/cryptpad/values.yaml b/charts/cryptpad/values.yaml
index 8918439..006145e 100644
--- a/charts/cryptpad/values.yaml
+++ b/charts/cryptpad/values.yaml
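Review bot: `hostnames` is wrapped in `{{- with .Values.httpRoute.hosts }}`, so an empty `httpRoute.hosts` renders an HTTPRoute with no hostnames, which the Gateway API treats as matching every hostname the parent listener accepts — a wildcard route is unlikely to be intended when httpSafeOrigin/httpUnsafeOrigin are pinned to specific hosts elsewhere in the chart. Guard it the same way `parentRefs` is guarded: `{{- if not .Values.httpRoute.hosts }}{{- fail "At least one .Values.httpRoute.hosts entry is required when httpRoute.enabled is true" }}{{- end }}`, and drop the `with`. The two `timeouts` stanzas are identical copies; a `range` over the two path/port pairs would keep them from drifting apart.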
@@ -200,6 +200,21 @@ ingress:
 tls: []
 # - secretName: secret-tls
+httpRoute:
+ enabled: false
+ annotations: {}
+ labels: {}
+ parentRefs: []
+ # -- requires cluster enabled default gateway (here envoy as example)
+ #- name: default-gateway
+ # namespace: infrastructure-envoy-gateway-default
+ # sectionName: default
+ hosts:
+ - localhost
+ timeouts: {}
+ # backendRequest: 120s
+
+
 # -- Specify default resources.
 # We usually recommend not to specify default resources and to leave this as a conscious
 # choice for the user. This also increases chances charts run on environments with little
From 5fbeca44da6453a82c05bfb25bb85291f5609d1e Mon Sep 17 00:00:00 2001
From: karl Einziger <227763633+carl-unique@users.noreply.github.com>
Date: Thu, 28 May 2026 14:43:02 +0200
Subject: [PATCH 03/15] fix bug with double entries of Origin keys and also ensure strings are quoted but bool, float and int not
---
 charts/cryptpad/templates/configmap.yaml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/charts/cryptpad/templates/configmap.yaml b/charts/cryptpad/templates/configmap.yaml
index 7e40c2b..b1ff768 100644
--- a/charts/cryptpad/templates/configmap.yaml
+++ b/charts/cryptpad/templates/configmap.yaml
@@ -37,12 +37,14 @@ data:
 {{- end}}
 {{- range $key, $value := .Values.config }}
- {{- if and (or (ne $key "httpUnsafeOrigin") (ne $key "httpSafeOrigin")) (ne $key "adminKeys") }}
+ {{- if and (ne $key "httpUnsafeOrigin") (ne $key "httpSafeOrigin") (ne $key "adminKeys") }}
+ {{- if or (kindIs "bool" $value) (kindIs "float64" $value) (kindIs "int64" $value) }}
+ {{ $key }}: {{ $value }},
+ {{- else }}
 {{ $key }}: {{ $value | quote }},
+ {{- end }}
 {{- end }}
 {{- end }}
-
- };
 application_config.js: |
 /*
From 61265a9b9055d476e75d4290acb34608cd13db42 Mon Sep 17 00:00:00 2001
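Review bot: A config entry set to `null` in values falls through to the `{{ $key }}: {{ $value | quote }},` branch, and sprig's `quote` silently drops nil arguments as far as I can tell, so the line would render as `key: ,` — a syntax error in the generated config.js that only shows up when CryptPad starts. `kindIs` reports such values as `invalid`; add a branch before the final `else`, `{{- else if kindIs "invalid" $value }}` / `{{ $key }}: null,`, or skip the key entirely. The same gap remains after the later commit that adds the slice/map branch, since it keeps the same final `else`.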
From: karl Einziger <227763633+carl-unique@users.noreply.github.com>
Date: Thu, 28 May 2026 14:53:22 +0200
Subject: [PATCH 04/15] fix hpa - field name change
---
 charts/cryptpad/templates/hpa.yaml | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/charts/cryptpad/templates/hpa.yaml b/charts/cryptpad/templates/hpa.yaml
index efef71d..74ac02a 100644
--- a/charts/cryptpad/templates/hpa.yaml
+++ b/charts/cryptpad/templates/hpa.yaml
@@ -1,6 +1,6 @@
 {{- if .Values.autoscaling.enabled }}
 ---
-apiVersion: autoscaling/v2beta1
+apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
 name: {{ include "cryptpad-helm.fullname" . }}
@@ -23,12 +23,16 @@ spec:
 - type: Resource
 resource:
 name: cpu
- targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+ target:
+ type: Utilization
+ averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
 {{- end }}
 {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
 - type: Resource
 resource:
 name: memory
- targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ target:
+ type: Utilization
+ averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
 {{- end }}
 {{- end }}
From db43d2b002e2447d4888a45787ba36164ab6da05 Mon Sep 17 00:00:00 2001
From: karl Einziger <227763633+carl-unique@users.noreply.github.com>
Date: Thu, 28 May 2026 15:34:25 +0200
Subject: [PATCH 05/15] fix ingress sandboxHost (safe/unsafeOrigin) configuration
---
 charts/cryptpad/templates/_helpers.tpl | 13 ++++++++++++-
 charts/cryptpad/templates/configmap.yaml | 14 ++++++++++++--
 charts/cryptpad/templates/httpRoute.yaml | 5 +++--
 charts/cryptpad/templates/ingress.yaml | 19 +++++++++++++++++++
 charts/cryptpad/values.yaml | 10 +++++++++-
 5 files changed, 55 insertions(+), 6 deletions(-)
diff --git a/charts/cryptpad/templates/_helpers.tpl b/charts/cryptpad/templates/_helpers.tpl
index 4cfae12..d6a5e8e 100644
--- a/charts/cryptpad/templates/_helpers.tpl
+++ b/charts/cryptpad/templates/_helpers.tpl
@@ -75,11 +75,22 @@ http://localhost:3000
 {{- end }}
 {{/*
-Define sandbox subdomain. Or use first ingress host defined as main domain.
+Define sandbox domain (httpSafeOrigin). Uses ingress.sandboxHost or httpRoute.sandboxHost when set,
+falling back to the main host only as a last resort (which is insecure for CryptPad).
 */}}
 {{- define "cryptpad-helm.sandboxDomain" -}}
 {{- if .Values.ingress.enabled }}
+{{- if .Values.ingress.sandboxHost }}
+https://{{ .Values.ingress.sandboxHost }}
+{{- else }}
 https://{{ (index .Values.ingress.hosts 0).host }}
+{{- end }}
+{{- else if .Values.httpRoute.enabled }}
+{{- if .Values.httpRoute.sandboxHost }}
+https://{{ .Values.httpRoute.sandboxHost }}
+{{- else }}
+https://{{ index .Values.httpRoute.hosts 0 }}
+{{- end }}
 {{- else if .Values.config.httpSafeOrigin }}
 {{- .Values.config.httpSafeOrigin }}
 {{- else }}
diff --git a/charts/cryptpad/templates/configmap.yaml b/charts/cryptpad/templates/configmap.yaml
index b1ff768..c45e7b2 100644
--- a/charts/cryptpad/templates/configmap.yaml
+++ b/charts/cryptpad/templates/configmap.yaml
@@ -19,9 +19,19 @@ data:
 {{- end}}
 {{- if .Values.ingress.enabled }}
+ {{- if .Values.ingress.sandboxHost }}
+ httpSafeOrigin: 'https://{{ .Values.ingress.sandboxHost }}',
+ {{- else }}
 httpSafeOrigin: 'https://{{ (index .Values.ingress.hosts 0).host }}',
- {{- else if .Values.config.httpSafeOrigin }}
- httpSafeOrigin: {{ .Values.config.httpSafeOrigin | quote }},
+ {{- end }}
+ {{- else if .Values.httpRoute.enabled }}
+ {{- if .Values.httpRoute.sandboxHost }}
+ httpSafeOrigin: 'https://{{ .Values.httpRoute.sandboxHost }}',
+ {{- else }}
+ httpSafeOrigin: 'https://{{ index .Values.httpRoute.hosts 0 }}',
+ {{- end }}
+ {{- else if .Values.config.httpSafeOrigin }}
+ httpSafeOrigin: {{ .Values.config.httpSafeOrigin | quote }},
 {{- else }}
 httpSafeOrigin: 'http://localhost:3000',
 {{- end}}
diff --git a/charts/cryptpad/templates/httpRoute.yaml b/charts/cryptpad/templates/httpRoute.yaml
index 420bb13..500ad02 100644
--- a/charts/cryptpad/templates/httpRoute.yaml
+++ b/charts/cryptpad/templates/httpRoute.yaml
@@ -21,9 +21,10 @@ spec:
 parentRefs:
 {{- . | toYaml | nindent 2 }}
 {{- end }}
- {{- with .Values.httpRoute.hosts }}
 hostnames:
- {{- toYaml . | nindent 2 }}
+ {{- toYaml .Values.httpRoute.hosts | nindent 2 }}
+ {{- if .Values.httpRoute.sandboxHost }}
+ - {{ .Values.httpRoute.sandboxHost | quote }}
 {{- end }}
 rules:
 - matches:
diff --git a/charts/cryptpad/templates/ingress.yaml b/charts/cryptpad/templates/ingress.yaml
index d4f4a87..d90dbd2 100644
--- a/charts/cryptpad/templates/ingress.yaml
+++ b/charts/cryptpad/templates/ingress.yaml
@@ -47,4 +47,23 @@ spec:
 port:
 number: {{ $svcWsPort }}
 {{- end }}
+ {{- if .Values.ingress.sandboxHost }}
+ - host: {{ .Values.ingress.sandboxHost | quote }}
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: {{ $fullName }}
+ port:
+ number: {{ $svcPort }}
+ - path: /cryptpad_websocket
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: {{ $fullName }}
+ port:
+ number: {{ $svcWsPort }}
+ {{- end }}
 {{- end }}
diff --git a/charts/cryptpad/values.yaml b/charts/cryptpad/values.yaml
index 006145e..cdddb12 100644
--- a/charts/cryptpad/values.yaml
+++ b/charts/cryptpad/values.yaml
@@ -195,8 +195,13 @@ ingress:
 # kubernetes.io/ingress.class: nginx
 # kubernetes.io/tls-acme: "true"
 hosts:
- # if the ingress is enabled, this hostname will be used for httpUnsafeOrigin and httpSafeOrigin
+ # if the ingress is enabled, this hostname will be used for httpUnsafeOrigin
 - host: localhost
+ # -- Separate origin for the CryptPad sandbox iframe (httpSafeOrigin).
+ # CryptPad requires this to be a *different* domain or subdomain from the main host
+ # for security isolation. If left empty, the main host is reused (insecure).
+ # Example: sandbox.cryptpad.example.org
+ sandboxHost: ""
 tls: []
 # - secretName: secret-tls
@@ -211,6 +216,9 @@ httpRoute:
 # sectionName: default
 hosts:
 - localhost
+ # -- Separate origin for the CryptPad sandbox iframe (httpSafeOrigin).
+ # Must be a different domain or subdomain from the main host. If empty, main host is reused.
+ sandboxHost: ""
 timeouts: {}
 # backendRequest: 120s
From 121e6e5686665a130713471a329346e197b431fa Mon Sep 17 00:00:00 2001
From: karl Einziger <227763633+carl-unique@users.noreply.github.com>
Date: Thu, 28 May 2026 15:51:38 +0200
Subject: [PATCH 06/15] fix wrong rendering of mainPage config setting
---
 charts/cryptpad/templates/configmap.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/charts/cryptpad/templates/configmap.yaml b/charts/cryptpad/templates/configmap.yaml
index c45e7b2..6e122f8 100644
--- a/charts/cryptpad/templates/configmap.yaml
+++ b/charts/cryptpad/templates/configmap.yaml
@@ -50,6 +50,8 @@ data:
 {{- if and (ne $key "httpUnsafeOrigin") (ne $key "httpSafeOrigin") (ne $key "adminKeys") }}
 {{- if or (kindIs "bool" $value) (kindIs "float64" $value) (kindIs "int64" $value) }}
 {{ $key }}: {{ $value }},
+ {{- else if or (kindIs "slice" $value) (kindIs "map" $value) }}
+ {{ $key }}: {{ $value | toJson }},
 {{- else }}
 {{ $key }}: {{ $value | quote }},
 {{- end }}
From f25eb2ca05836213418eb613b5ffa12861fe2fbd Mon Sep 17 00:00:00 2001
From: karl Einziger <227763633+carl-unique@users.noreply.github.com>
Date: Thu, 28 May 2026 16:00:30 +0200
Subject: [PATCH 07/15] refactor ingress/httproute config to centralize it, also having clearer sandboxDomain config
---
 charts/cryptpad/templates/_helpers.tpl | 26 ++++++++---------------
 charts/cryptpad/templates/configmap.yaml | 27 ++----------------------
 charts/cryptpad/templates/httpRoute.yaml | 6 +++---
 charts/cryptpad/templates/ingress.yaml | 15 ++++++++-----
 charts/cryptpad/values.yaml | 23 +++++++++-----------
 5 files changed, 34 insertions(+), 63 deletions(-)
diff --git a/charts/cryptpad/templates/_helpers.tpl b/charts/cryptpad/templates/_helpers.tpl
index d6a5e8e..7358650 100644
--- a/charts/cryptpad/templates/_helpers.tpl
+++ b/charts/cryptpad/templates/_helpers.tpl
@@ -62,11 +62,11 @@ Create the name of the service account to use
 {{- end }}
 {{/*
-Define main domain. Or use first ingress host defined as main domain.
+Define main domain (httpUnsafeOrigin / CPAD_MAIN_DOMAIN).
 */}}
 {{- define "cryptpad-helm.mainDomain" -}}
-{{- if .Values.ingress.enabled }}
-https://{{ (index .Values.ingress.hosts 0).host }}
+{{- if .Values.mainDomain }}
+https://{{ .Values.mainDomain }}
 {{- else if .Values.config.httpUnsafeOrigin }}
 {{- .Values.config.httpUnsafeOrigin }}
 {{- else }}
@@ -75,22 +75,14 @@ http://localhost:3000
 {{- end }}
 {{/*
-Define sandbox domain (httpSafeOrigin). Uses ingress.sandboxHost or httpRoute.sandboxHost when set,
-falling back to the main host only as a last resort (which is insecure for CryptPad).
+Define sandbox domain (httpSafeOrigin / CPAD_SANDBOX_DOMAIN).
+Falls back to mainDomain when sandboxDomain is unset (insecure — same origin).
 */}}
 {{- define "cryptpad-helm.sandboxDomain" -}}
-{{- if .Values.ingress.enabled }}
-{{- if .Values.ingress.sandboxHost }}
-https://{{ .Values.ingress.sandboxHost }}
-{{- else }}
-https://{{ (index .Values.ingress.hosts 0).host }}
-{{- end }}
-{{- else if .Values.httpRoute.enabled }}
-{{- if .Values.httpRoute.sandboxHost }}
-https://{{ .Values.httpRoute.sandboxHost }}
-{{- else }}
-https://{{ index .Values.httpRoute.hosts 0 }}
-{{- end }}
+{{- if .Values.sandboxDomain }}
+https://{{ .Values.sandboxDomain }}
+{{- else if .Values.mainDomain }}
+https://{{ .Values.mainDomain }}
 {{- else if .Values.config.httpSafeOrigin }}
 {{- .Values.config.httpSafeOrigin }}
 {{- else }}
diff --git a/charts/cryptpad/templates/configmap.yaml b/charts/cryptpad/templates/configmap.yaml
index 6e122f8..6d28c04 100644
--- a/charts/cryptpad/templates/configmap.yaml
+++ b/charts/cryptpad/templates/configmap.yaml
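Review bot: The new `{{- else if .Values.mainDomain }}` branch makes httpSafeOrigin identical to httpUnsafeOrigin whenever a deployer sets mainDomain and forgets sandboxDomain, and the comment two lines above calls exactly that insecure; a chart should refuse that combination rather than document it. Replace the branch body with `{{- fail "sandboxDomain must be set to a host different from mainDomain" }}`, and consider also rejecting `eq .Values.sandboxDomain .Values.mainDomain`, since the values.yaml comment requires them to differ but nothing enforces it. If a same-origin deployment must stay possible, an explicit opt-in value is clearer than a silent fallback. The `{{- else }}` tail of the helper lies below the hunk.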
@@ -10,31 +10,8 @@ data:
 /* globals module */
 module.exports = {
- {{- if .Values.ingress.enabled}}
- httpUnsafeOrigin: 'https://{{ (index .Values.ingress.hosts 0).host }}',
- {{- else if .Values.config.httpUnsafeOrigin }}
- httpUnsafeOrigin: {{ .Values.config.httpUnsafeOrigin | quote }},
- {{- else }}
- httpUnsafeOrigin: 'http://localhost:3000',
- {{- end}}
-
- {{- if .Values.ingress.enabled }}
- {{- if .Values.ingress.sandboxHost }}
- httpSafeOrigin: 'https://{{ .Values.ingress.sandboxHost }}',
- {{- else }}
- httpSafeOrigin: 'https://{{ (index .Values.ingress.hosts 0).host }}',
- {{- end }}
- {{- else if .Values.httpRoute.enabled }}
- {{- if .Values.httpRoute.sandboxHost }}
- httpSafeOrigin: 'https://{{ .Values.httpRoute.sandboxHost }}',
- {{- else }}
- httpSafeOrigin: 'https://{{ index .Values.httpRoute.hosts 0 }}',
- {{- end }}
- {{- else if .Values.config.httpSafeOrigin }}
- httpSafeOrigin: {{ .Values.config.httpSafeOrigin | quote }},
- {{- else }}
- httpSafeOrigin: 'http://localhost:3000',
- {{- end}}
+ httpUnsafeOrigin: '{{ include "cryptpad-helm.mainDomain" . | trim }}',
+ httpSafeOrigin: '{{ include "cryptpad-helm.sandboxDomain" . | trim }}',
 {{- if .Values.config.adminKeys }}
 adminKeys: [
diff --git a/charts/cryptpad/templates/httpRoute.yaml b/charts/cryptpad/templates/httpRoute.yaml
index 500ad02..0d69308 100644
--- a/charts/cryptpad/templates/httpRoute.yaml
+++ b/charts/cryptpad/templates/httpRoute.yaml
@@ -22,9 +22,9 @@ spec:
 {{- . | toYaml | nindent 2 }}
 {{- end }}
 hostnames:
- {{- toYaml .Values.httpRoute.hosts | nindent 2 }}
- {{- if .Values.httpRoute.sandboxHost }}
- - {{ .Values.httpRoute.sandboxHost | quote }}
+ - {{ .Values.mainDomain | quote }}
+ {{- if .Values.sandboxDomain }}
+ - {{ .Values.sandboxDomain | quote }}
 {{- end }}
 rules:
 - matches:
diff --git a/charts/cryptpad/templates/ingress.yaml b/charts/cryptpad/templates/ingress.yaml
index d90dbd2..c2b2289 100644
--- a/charts/cryptpad/templates/ingress.yaml
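Review bot: `httpUnsafeOrigin: '{{ include "cryptpad-helm.mainDomain" . | trim }}',` wraps the helper output in hand-written single quotes, whereas the removed `config.httpUnsafeOrigin` branch passed the value through `quote`; a value containing `'` or a backslash now breaks the JS literal instead of being escaped. `httpUnsafeOrigin: {{ include "cryptpad-helm.mainDomain" . | trim | quote }},` and the same for httpSafeOrigin restore the escaping with no change for well-formed hosts. The `module.exports` object continues below the hunk.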
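Review bot: `- {{ .Values.mainDomain | quote }}` under `hostnames` is emitted unconditionally, and mainDomain defaults to `""` in this commit's values.yaml, so rendering with httpRoute.enabled=true and the default values yields `hostnames: - ""`, which the Gateway API Hostname type rejects (minimum length 1) — the previous `localhost` default at least produced a valid object. Require the value next to the existing parentRefs guard at the top of the file: `{{- if not .Values.mainDomain }}{{- fail "mainDomain is required when httpRoute.enabled is true" }}{{- end }}`. The enclosing `spec:` block starts above the hunk.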
+++ b/charts/cryptpad/templates/ingress.yaml
@@ -21,15 +21,21 @@ spec:
 tls:
 {{- range .Values.ingress.tls }}
 - hosts:
+ {{- if .hosts }}
 {{- range .hosts }}
 - {{ . | quote }}
 {{- end }}
+ {{- else }}
+ - {{ $.Values.mainDomain | quote }}
+ {{- if $.Values.sandboxDomain }}
+ - {{ $.Values.sandboxDomain | quote }}
+ {{- end }}
+ {{- end }}
 secretName: {{ .secretName }}
 {{- end }}
 {{- end }}
 rules:
- {{- range .Values.ingress.hosts }}
- - host: {{ .host | quote }}
+ - host: {{ .Values.mainDomain | quote }}
 http:
 paths:
 - path: /
@@ -46,9 +52,8 @@ spec:
 name: {{ $fullName }}
 port:
 number: {{ $svcWsPort }}
- {{- end }}
- {{- if .Values.ingress.sandboxHost }}
- - host: {{ .Values.ingress.sandboxHost | quote }}
+ {{- if .Values.sandboxDomain }}
+ - host: {{ .Values.sandboxDomain | quote }}
 http:
 paths:
 - path: /
diff --git a/charts/cryptpad/values.yaml b/charts/cryptpad/values.yaml
index cdddb12..045e125 100644
--- a/charts/cryptpad/values.yaml
+++ b/charts/cryptpad/values.yaml
@@ -5,6 +5,15 @@
 # -- Number of replicas
 replicaCount: 1
+# -- Primary hostname for CryptPad (no scheme). Used for httpUnsafeOrigin, CPAD_MAIN_DOMAIN,
+# and ingress/httpRoute host rules. Example: cryptpad.example.org
+mainDomain: ""
+
+# -- Sandbox hostname for CryptPad security isolation (no scheme). Used for httpSafeOrigin and
+# CPAD_SANDBOX_DOMAIN. Must be a *different* domain or subdomain from mainDomain.
+# If empty, mainDomain is reused (insecure). Example: sandbox.cryptpad.example.org
+sandboxDomain: ""
+
 # -- Enable to choose witch kind of workload will be used: (true) StatefulSet or (false) for Deployment
 workloadStateful: true
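Review bot: `- host: {{ .Values.mainDomain | quote }}` replaces the former `ingress.hosts` loop with a single rule, but mainDomain now defaults to `""`, and an Ingress rule with an empty host matches every host name that reaches the controller — a default install with ingress.enabled=true exposes CryptPad on a catch-all rule where it previously answered only for `localhost`. The same default reaches the new tls fallback, which then renders `- ""` under `hosts`. Require the value next to the file's `$fullName` definition (above the hunk): `{{- if not .Values.mainDomain }}{{- fail "mainDomain is required when ingress.enabled is true" }}{{- end }}`; the `sandboxDomain` rule in the second hunk is already guarded. The `rules:` list continues below the hunk.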
@@ -194,16 +203,9 @@ ingress:
 annotations: {}
 # kubernetes.io/ingress.class: nginx
 # kubernetes.io/tls-acme: "true"
- hosts:
- # if the ingress is enabled, this hostname will be used for httpUnsafeOrigin
- - host: localhost
- # -- Separate origin for the CryptPad sandbox iframe (httpSafeOrigin).
- # CryptPad requires this to be a *different* domain or subdomain from the main host
- # for security isolation. If left empty, the main host is reused (insecure).
- # Example: sandbox.cryptpad.example.org
- sandboxHost: ""
 tls: []
 # - secretName: secret-tls
+ # hosts: [] # auto-populated from mainDomain/sandboxDomain when empty
 httpRoute:
 enabled: false
@@ -214,11 +216,6 @@ httpRoute:
 #- name: default-gateway
 # namespace: infrastructure-envoy-gateway-default
 # sectionName: default
- hosts:
- - localhost
- # -- Separate origin for the CryptPad sandbox iframe (httpSafeOrigin).
- # Must be a different domain or subdomain from the main host. If empty, main host is reused.
- sandboxHost: ""
 timeouts: {}
 # backendRequest: 120s
From d2d14453e45282ba51d8617f8ca8b025a57b1409 Mon Sep 17 00:00:00 2001
From: karl Einziger <227763633+carl-unique@users.noreply.github.com>
Date: Thu, 28 May 2026 16:14:07 +0200
Subject: [PATCH 08/15] fix readiness probe using wrong path
---
 charts/cryptpad/templates/cryptpad.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/cryptpad/templates/cryptpad.yaml b/charts/cryptpad/templates/cryptpad.yaml
index 11c6df0..0c69d1a 100644
--- a/charts/cryptpad/templates/cryptpad.yaml
+++ b/charts/cryptpad/templates/cryptpad.yaml
@@ -128,7 +128,7 @@ spec:
 readinessProbe:
 {{- if .Values.probes.readiness.httpGet.enabled }}
 httpGet:
- path: {{ .Values.probes.liveness.httpGet.path }}
+ path: {{ .Values.probes.readiness.httpGet.path }}
 port: {{ .Values.service.containerPort }}
 {{- else }}
 tcpSocket:
From 568bffdecb352b67777cae0849354dbbbf90aebd Mon Sep 17 00:00:00 2001
From: karl Einziger <227763633+carl-unique@users.noreply.github.com>
Date: Thu, 28 May 2026 16:15:51 +0200
Subject: [PATCH 09/15] fix useless condition, should always be there anyway
---
 charts/cryptpad/templates/cryptpad.yaml | 7 -------
 1 file changed, 7 deletions(-)
diff --git a/charts/cryptpad/templates/cryptpad.yaml b/charts/cryptpad/templates/cryptpad.yaml
index 0c69d1a..c403c2c 100644
--- a/charts/cryptpad/templates/cryptpad.yaml
+++ b/charts/cryptpad/templates/cryptpad.yaml
@@ -143,16 +143,9 @@ spec:
 resources:
 {{- toYaml .Values.resources | nindent 12 }}
 volumeMounts:
- {{- if .Values.persistence.enabled }}
 {{- range $dir, $dirvalues := .Values.persistence.cryptpad }}
 - name: cryptpad-{{ $dir | replace "/" "-" }}
 mountPath: /cryptpad/{{ $dir }}
- {{- end }}
- {{- else if not .Values.workloadStateful }}
- {{- range $dir, $dirvalues := .Values.persistence.cryptpad }}
- - name: cryptpad-{{ $dir | replace "/" "-" }}
- mountPath: /cryptpad/{{ $dir }}
- {{- end }}
 {{- end }}
 - name: configmaps
 mountPath: {{ .Values.cpadConfig }}
From 49ebfcc29b441372c93e10633471a029e77b9721 Mon Sep 17 00:00:00 2001
From: karl Einziger <227763633+carl-unique@users.noreply.github.com>
Date: Thu, 28 May 2026 16:20:16 +0200
Subject: [PATCH 10/15] use default indents to be conform with other ressources
---
 charts/cryptpad/templates/pvc.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/charts/cryptpad/templates/pvc.yaml b/charts/cryptpad/templates/pvc.yaml
index 89dbdc1..88b2e09 100644
--- a/charts/cryptpad/templates/pvc.yaml
+++ b/charts/cryptpad/templates/pvc.yaml
@@ -7,11 +7,11 @@ metadata:
 name: cryptpad-{{ $dir | replace "/" "-" }}
 {{- with $dirvalues.annotations }}
 annotations:
- {{- toYaml . | nindent 10 }}
+ {{- toYaml . | nindent 4 }}
 {{- end }}
 {{- with $dirvalues.labels }}
 labels:
- {{- toYaml . | nindent 10 }}
+ {{- toYaml . | nindent 4 }}
 {{- end }}
 spec:
 accessModes:
@@ -23,14 +23,14 @@ spec:
 {{- end }}
 {{- with $dirvalues.dataSource }}
 dataSource:
- {{- toYaml . | nindent 10 }}
+ {{- toYaml . | nindent 4 }}
 {{- end }}
 resources:
 requests:
 storage: {{ $dirvalues.size | quote }}
 {{- with $dirvalues.selector }}
 selector:
- {{- toYaml . | nindent 10 }}
+ {{- toYaml . | nindent 4 }}
 {{- end }}
 {{- end }}
 {{- end }}
From d34e5adadedba83ed64e8ad593cdec58e3d76bc0 Mon Sep 17 00:00:00 2001
From: karl Einziger <227763633+carl-unique@users.noreply.github.com>
Date: Thu, 28 May 2026 16:22:31 +0200
Subject: [PATCH 11/15] fix showing correct domains in NOTES.txt
---
 charts/cryptpad/templates/NOTES.txt | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/charts/cryptpad/templates/NOTES.txt b/charts/cryptpad/templates/NOTES.txt
index f585c94..3310189 100644
--- a/charts/cryptpad/templates/NOTES.txt
+++ b/charts/cryptpad/templates/NOTES.txt
@@ -1,10 +1,14 @@
 1. Get the application URL by running these commands:
 {{- if .Values.ingress.enabled }}
-{{- range $host := .Values.ingress.hosts }}
- {{- range .paths }}
- http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+ http{{ if .Values.ingress.tls }}s{{ end }}://{{ .Values.mainDomain }}
+ {{- if .Values.sandboxDomain }}
+ http{{ if .Values.ingress.tls }}s{{ end }}://{{ .Values.sandboxDomain }} (sandbox)
+ {{- end }}
+{{- else if .Values.httpRoute.enabled }}
+ https://{{ .Values.mainDomain }}
+ {{- if .Values.sandboxDomain }}
+ https://{{ .Values.sandboxDomain }} (sandbox)
 {{- end }}
-{{- end }}
 {{- else if contains "NodePort" .Values.service.type }}
 export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "cryptpad-helm.fullname" . }})
 export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
From 9f0ed00b2aa466f758ea83bbbaa2dbe74dfaa663 Mon Sep 17 00:00:00 2001
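Review bot: `http{{ if .Values.ingress.tls }}s{{ end }}://{{ .Values.mainDomain }}` prints a plain-http URL when ingress.tls is empty, but the `cryptpad-helm.mainDomain` helper introduced earlier in this series always writes `https://` into httpUnsafeOrigin, so the URL shown to the operator will not be the origin CryptPad is configured with — and, if I read CryptPad's config right, requests arriving on a different origin are rejected rather than redirected. Either print `https://` here unconditionally, as the httpRoute branch already does, or make the helper honour the tls setting; the two must agree. The `else if` chain continues below the hunk.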
From: karl Einziger <227763633+carl-unique@users.noreply.github.com>
Date: Thu, 28 May 2026 16:25:46 +0200
Subject: [PATCH 12/15] fix - high maxReplicas not feasable, also cryptpad does not support more than one instance anyway?
---
 charts/cryptpad/values.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/charts/cryptpad/values.yaml b/charts/cryptpad/values.yaml
index 045e125..a9eb95c 100644
--- a/charts/cryptpad/values.yaml
+++ b/charts/cryptpad/values.yaml
@@ -240,7 +240,8 @@ autoscaling:
 # -- Minimal numbers of replicas
 minReplicas: 1
 # -- Maximum numbers of replicas
- maxReplicas: 100
+ # TODO: does cryptpad support HA?
+ maxReplicas: 1
 # -- Percentage of the targeted CPU Utilization
 targetCPUUtilizationPercentage: 80
 # -- Percentage of the targeted Memory Utilization
From 1c59daf8bea0a636b17ae08d72f86463e733fa69 Mon Sep 17 00:00:00 2001
From: karl Einziger <227763633+carl-unique@users.noreply.github.com>
Date: Thu, 28 May 2026 16:26:37 +0200
Subject: [PATCH 13/15] remove unused labels in httproute
---
 charts/cryptpad/values.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/charts/cryptpad/values.yaml b/charts/cryptpad/values.yaml
index a9eb95c..49c689d 100644
--- a/charts/cryptpad/values.yaml
+++ b/charts/cryptpad/values.yaml
@@ -210,7 +210,6 @@ ingress:
 httpRoute:
 enabled: false
 annotations: {}
- labels: {}
 parentRefs: []
 # -- requires cluster enabled default gateway (here envoy as example)
 #- name: default-gateway
From 085da1f5171850c210d0f11e6652510510c1a159 Mon Sep 17 00:00:00 2001
From: karl Einziger <227763633+carl-unique@users.noreply.github.com>
Date: Thu, 28 May 2026 16:40:07 +0200
Subject: [PATCH 14/15] fix - when using extraVolumeMounts and extraVolumes, then dont create emptyDirs or VolClaims
---
 charts/cryptpad/templates/cryptpad.yaml | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/charts/cryptpad/templates/cryptpad.yaml b/charts/cryptpad/templates/cryptpad.yaml
index c403c2c..9ffdc58 100644
--- a/charts/cryptpad/templates/cryptpad.yaml
+++ b/charts/cryptpad/templates/cryptpad.yaml
@@ -144,8 +144,15 @@ spec:
 {{- toYaml .Values.resources | nindent 12 }}
 volumeMounts:
 {{- range $dir, $dirvalues := .Values.persistence.cryptpad }}
+ {{- $mountPath := printf "/cryptpad/%s" $dir }}
+ {{- $skip := false }}
+ {{- range $.Values.extraVolumeMounts }}
+ {{- if eq .mountPath $mountPath }}{{- $skip = true }}{{- end }}
+ {{- end }}
+ {{- if not $skip }}
 - name: cryptpad-{{ $dir | replace "/" "-" }}
- mountPath: /cryptpad/{{ $dir }}
+ mountPath: {{ $mountPath }}
+ {{- end }}
 {{- end }}
 - name: configmaps
 mountPath: {{ .Values.cpadConfig }}
@@ -228,7 +235,14 @@ spec:
 {{- end }}
 {{- else }}
 {{- range $dir, $dirvalues := .Values.persistence.cryptpad }}
- - name: cryptpad-{{ $dir | replace "/" "-" }}
+ {{- $volName := printf "cryptpad-%s" ($dir | replace "/" "-") }}
+ {{- $skip := false }}
+ {{- range $.Values.extraVolumes }}
+ {{- if eq .name $volName }}{{- $skip = true }}{{- end }}
+ {{- end }}
+ {{- if not $skip }}
+ - name: {{ $volName }}
 emptyDir: {}
- {{- end }}
+ {{- end }}
+ {{- end }}
 {{- end }}
From 6cf327e02cff8ab8de38a9c5278d67acecc6a181 Mon Sep 17 00:00:00 2001
From: karl Einziger <227763633+carl-unique@users.noreply.github.com>
Date: Thu, 28 May 2026 20:24:22 +0200
Subject: [PATCH 15/15] fix startup problem /tmp not writeable (readonly fs)
---
 charts/cryptpad/templates/cryptpad.yaml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/charts/cryptpad/templates/cryptpad.yaml b/charts/cryptpad/templates/cryptpad.yaml
index 9ffdc58..9f6f27e 100644
--- a/charts/cryptpad/templates/cryptpad.yaml
+++ b/charts/cryptpad/templates/cryptpad.yaml
@@ -46,6 +46,8 @@ spec:
 volumeMounts:
 - name: cryptpad-data
 mountPath: /cryptpad/data
+ - mountPath: /tmp
+ name: tmp
 args:
 - |
 FILE=/cryptpad/data/decrees/decree.ndjson
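Review bot: The two override checks key on different things — the volumeMounts loop skips on a matching `mountPath`, the emptyDir loop skips on a matching volume `name` (`cryptpad-<dir>`) — so an extraVolume named differently but mounted at `/cryptpad/<dir>` still gets a chart-generated emptyDir that nothing mounts, while an extraVolume that reuses the chart's name but is mounted elsewhere ends up backing the chart's mount as well as the user's. Neither convention is written down; add to the `extraVolumes`/`extraVolumeMounts` entries in values.yaml a comment along the lines of `# To replace a persistence.cryptpad volume, name the extraVolume cryptpad-<dir> (slashes replaced by "-") and mount it at /cryptpad/<dir>`. The claim-backed branch before `{{- else }}` in the second hunk is outside the view, so whether PVC volumes get the same skip cannot be checked here.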
@@ -160,6 +162,8 @@ spec:
 - name: configmaps
 mountPath: /cryptpad/customize/application_config.js
 subPath: application_config.js
+ - mountPath: /tmp
+ name: tmp
 {{- with .Values.extraVolumeMounts }}
 {{- toYaml . | nindent 12 }}
 {{- end }}
@@ -179,6 +183,8 @@ spec:
 {{- toYaml . | nindent 8 }}
 {{- end }}
 volumes:
+ - name: tmp
+ emptyDir: {}
 - name: configmaps
 configMap:
 name: {{ include "cryptpad-helm.fullname" . }}
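Review bot: `emptyDir: {}` for the new `tmp` volume carries no `sizeLimit`, so with the root filesystem read-only this is the pod's only writable scratch space and anything written there by the init container or CryptPad draws on the node's ephemeral storage without a cap. Giving it a bound — `emptyDir:` / `sizeLimit: 1Gi` (example value; better sourced from values.yaml so operators can tune it) — turns a runaway writer into an eviction of this pod, which is visible, rather than disk pressure on the whole node. The `volumes:` list continues below the hunk.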