From 63cd13f25e1c8c48cae5e095807c85e4bf9f4a64 Mon Sep 17 00:00:00 2001 From: Zoe Roux Date: Thu, 19 Mar 2026 10:39:59 +0100 Subject: [PATCH 1/8] Allow more volumes --- chart/templates/api/deployment.yaml | 16 ++++++++++++++- chart/templates/auth/deployment.yaml | 24 +++++++++++++++++----- chart/templates/front/deployment.yaml | 20 +++++++++++++----- chart/templates/scanner/deployment.yaml | 14 +++++++++++++ chart/templates/transcoder/deployment.yaml | 14 +++++++++++++ chart/values.yaml | 4 ++++ 6 files changed, 81 insertions(+), 11 deletions(-) diff --git a/chart/templates/api/deployment.yaml b/chart/templates/api/deployment.yaml index 5880280c..270d2142 100644 --- a/chart/templates/api/deployment.yaml +++ b/chart/templates/api/deployment.yaml @@ -14,7 +14,7 @@ metadata: spec: replicas: {{ .Values.api.replicaCount }} {{- with .Values.api.updateStrategy }} - strategy: + strategy: {{- toYaml . | nindent 4 }} {{- end }} selector: 
@@ -63,15 +63,23 @@ spec: - name: IMAGES_PATH value: "/images" - name: PGUSER + {{- if .Values.global.postgres.shared.userOverride }} + value: {{ .Values.global.postgres.shared.userOverride | quote }} + {{- else }} valueFrom: secretKeyRef: key: {{ default .Values.global.postgres.shared.userKey .Values.global.postgres.kyoo_api.kyoo_api.userKey }} name: {{ default .Values.global.postgres.shared.existingSecret .Values.global.postgres.kyoo_api.kyoo_api.existingSecret }} + {{- end }} - name: PGPASSWORD + {{- if .Values.global.postgres.shared.passwordOverride }} + value: {{ .Values.global.postgres.shared.passwordOverride | quote }} + {{- else }} valueFrom: secretKeyRef: key: {{ default .Values.global.postgres.shared.passwordKey .Values.global.postgres.kyoo_api.kyoo_api.passwordKey }} name: {{ default .Values.global.postgres.shared.existingSecret .Values.global.postgres.kyoo_api.kyoo_api.existingSecret }} + {{- end }} - name: PGDATABASE value: {{ default .Values.global.postgres.kyoo_api.database .Values.global.postgres.shared.databaseOverride | quote }} - name: PGHOST @@ -108,6 +116,9 @@ spec: - name: apiimagedata mountPath: /images {{- end }} + {{- with .Values.global.extraVolumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} {{- with .Values.api.kyoo_api.volumeMounts }} {{- toYaml . | nindent 12 }} {{- end }} @@ -129,6 +140,9 @@ spec: claimName: {{ include "kyoo.apiimagedata.fullname" . }} {{- end }} {{- end }} + {{- with .Values.global.extraVolumes }} + {{- toYaml . | nindent 8 }} + {{- end }} {{- with .Values.api.volumes }} {{- toYaml . | nindent 8 }} {{- end }} diff --git a/chart/templates/auth/deployment.yaml b/chart/templates/auth/deployment.yaml index 1656869b..5090b6ea 100644 --- a/chart/templates/auth/deployment.yaml +++ b/chart/templates/auth/deployment.yaml @@ -14,7 +14,7 @@ metadata: spec: replicas: {{ .Values.auth.replicaCount }} {{- with .Values.auth.updateStrategy }} - strategy: + strategy: {{- toYaml . | nindent 4 }} {{- end }} selector: 
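Review bot: The `passwordOverride` branch under `PGPASSWORD` renders the database password as a literal `value:` in the Deployment. It therefore ends up in the pod spec and in the stored Helm release values, readable by anyone who can read the Deployment or the release, whereas the `else` branch keeps it behind `secretKeyRef`. Consider dropping `passwordOverride` and pointing `global.postgres.shared.existingSecret` / `passwordKey` at the wanted Secret instead. Failing that, add a comment beside the key in values.yaml such as `# rendered in plain text into the manifest; prefer existingSecret + passwordKey`. The same branch is added in the auth, scanner and transcoder deployment hunks of this patch.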
@@ -79,15 +79,23 @@ spec: value: {{ $entry.claims | quote }} {{- end }} - name: PGUSER + {{- if .Values.global.postgres.shared.userOverride }} + value: {{ .Values.global.postgres.shared.userOverride | quote }} + {{- else }} valueFrom: secretKeyRef: key: {{ default .Values.global.postgres.shared.userKey .Values.global.postgres.kyoo_auth.kyoo_auth.userKey }} name: {{ default .Values.global.postgres.shared.existingSecret .Values.global.postgres.kyoo_auth.kyoo_auth.existingSecret }} + {{- end }} - name: PGPASSWORD + {{- if .Values.global.postgres.shared.passwordOverride }} + value: {{ .Values.global.postgres.shared.passwordOverride | quote }} + {{- else }} valueFrom: secretKeyRef: key: {{ default .Values.global.postgres.shared.passwordKey .Values.global.postgres.kyoo_auth.kyoo_auth.passwordKey }} name: {{ default .Values.global.postgres.shared.existingSecret .Values.global.postgres.kyoo_auth.kyoo_auth.existingSecret }} + {{- end }} - name: PGDATABASE value: {{ default .Values.global.postgres.kyoo_auth.database .Values.global.postgres.shared.databaseOverride | quote }} - name: PGHOST @@ -149,10 +157,13 @@ spec: securityContext: {{- toYaml . | nindent 12 }} {{- end }} - {{- if or .Values.auth.kyoo_auth.extraVolumeMounts .Values.kyoo.auth.privatekey.existingSecret }} + {{- if or .Values.global.extraVolumeMounts .Values.auth.kyoo_auth.extraVolumeMounts .Values.kyoo.auth.privatekey.existingSecret }} volumeMounts: + {{- with .Values.global.extraVolumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} {{- with .Values.auth.kyoo_auth.extraVolumeMounts }} - {{- toYaml . | nindent 12 }} + {{- toYaml . | nindent 12 }} {{- end }} {{- if .Values.kyoo.auth.privatekey.existingSecret }} - name: private-key 
@@ -167,10 +178,13 @@ spec: initContainers: {{- tpl (toYaml .) $ | nindent 6 }} {{- end }} - {{- if or .Values.auth.extraVolumes .Values.kyoo.auth.privatekey.existingSecret }} + {{- if or .Values.global.extraVolumes .Values.auth.extraVolumes .Values.kyoo.auth.privatekey.existingSecret }} volumes: + {{- with .Values.global.extraVolumes }} + {{- toYaml . | nindent 8 }} + {{- end }} {{- with .Values.auth.extraVolumes }} - {{- toYaml . | nindent 8 }} + {{- toYaml . | nindent 8 }} {{- end }} {{- if .Values.kyoo.auth.privatekey.existingSecret }} - name: private-key diff --git a/chart/templates/front/deployment.yaml b/chart/templates/front/deployment.yaml index 5343216d..005070d1 100644 --- a/chart/templates/front/deployment.yaml +++ b/chart/templates/front/deployment.yaml @@ -14,7 +14,7 @@ metadata: spec: replicas: {{ .Values.front.replicaCount }} {{- with .Values.front.updateStrategy }} - strategy: + strategy: {{- toYaml . | nindent 4 }} {{- end }} selector: @@ -77,9 +77,14 @@ spec: securityContext: {{- toYaml . | nindent 12 }} {{- end }} - {{- with .Values.front.kyoo_front.extraVolumeMounts }} + {{- if or .Values.global.extraVolumeMounts .Values.front.kyoo_front.extraVolumeMounts }} volumeMounts: - {{- toYaml . | nindent 12 }} + {{- with .Values.global.extraVolumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.front.kyoo_front.extraVolumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} {{- end }} {{- with .Values.front.extraContainers }} {{- tpl (toYaml .) $ | nindent 8 }} @@ -88,7 +93,12 @@ spec: initContainers: {{- tpl (toYaml .) $ | nindent 6 }} {{- end }} - {{- with .Values.front.extraVolumes }} + {{- if or .Values.global.extraVolumes .Values.front.extraVolumes }} volumes: - {{- toYaml . | nindent 8 }} + {{- with .Values.global.extraVolumes }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.front.extraVolumes }} + {{- toYaml . | nindent 8 }} + {{- end }} {{- end }} \ No newline at end of file 
diff --git a/chart/templates/scanner/deployment.yaml b/chart/templates/scanner/deployment.yaml index 7862acc4..37a826aa 100644 --- a/chart/templates/scanner/deployment.yaml +++ b/chart/templates/scanner/deployment.yaml @@ -74,15 +74,23 @@ spec: name: {{ .Values.contentdatabase.tmdb.existingSecret }} optional: true - name: PGUSER + {{- if .Values.global.postgres.shared.userOverride }} + value: {{ .Values.global.postgres.shared.userOverride | quote }} + {{- else }} valueFrom: secretKeyRef: key: {{ default .Values.global.postgres.shared.userKey .Values.global.postgres.kyoo_scanner.kyoo_scanner.userKey }} name: {{ default .Values.global.postgres.shared.existingSecret .Values.global.postgres.kyoo_scanner.kyoo_scanner.existingSecret }} + {{- end }} - name: PGPASSWORD + {{- if .Values.global.postgres.shared.passwordOverride }} + value: {{ .Values.global.postgres.shared.passwordOverride | quote }} + {{- else }} valueFrom: secretKeyRef: key: {{ default .Values.global.postgres.shared.passwordKey .Values.global.postgres.kyoo_scanner.kyoo_scanner.passwordKey }} name: {{ default .Values.global.postgres.shared.existingSecret .Values.global.postgres.kyoo_scanner.kyoo_scanner.existingSecret }} + {{- end }} - name: PGDATABASE value: {{ default .Values.global.postgres.kyoo_scanner.database .Values.global.postgres.shared.databaseOverride | quote }} - name: PGHOST @@ -115,6 +123,9 @@ spec: {{- toYaml . | nindent 12 }} {{- end }} volumeMounts: + {{- with .Values.global.extraVolumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} {{- with .Values.media.volumeMounts }} {{- toYaml . | nindent 12 }} {{- end }} @@ -129,6 +140,9 @@ spec: {{- tpl (toYaml .) $ | nindent 6 }} {{- end }} volumes: + {{- with .Values.global.extraVolumes }} + {{- toYaml . | nindent 8 }} + {{- end }} {{- with .Values.media.volumes }} {{- toYaml . | nindent 8 }} {{- end }} diff --git a/chart/templates/transcoder/deployment.yaml b/chart/templates/transcoder/deployment.yaml index 03ea6334..36e1458d 100644 
--- a/chart/templates/transcoder/deployment.yaml +++ b/chart/templates/transcoder/deployment.yaml @@ -81,15 +81,23 @@ spec: - name: GOCODER_SAFE_PATH value: {{ .Values.media.baseMountPath | quote }} - name: PGUSER + {{- if .Values.global.postgres.shared.userOverride }} + value: {{ .Values.global.postgres.shared.userOverride | quote }} + {{- else }} valueFrom: secretKeyRef: key: {{ default .Values.global.postgres.shared.userKey .Values.global.postgres.kyoo_transcoder.kyoo_transcoder.userKey }} name: {{ default .Values.global.postgres.shared.existingSecret .Values.global.postgres.kyoo_transcoder.kyoo_transcoder.existingSecret }} + {{- end }} - name: PGPASSWORD + {{- if .Values.global.postgres.shared.passwordOverride }} + value: {{ .Values.global.postgres.shared.passwordOverride | quote }} + {{- else }} valueFrom: secretKeyRef: key: {{ default .Values.global.postgres.shared.passwordKey .Values.global.postgres.kyoo_transcoder.kyoo_transcoder.passwordKey }} name: {{ default .Values.global.postgres.shared.existingSecret .Values.global.postgres.kyoo_transcoder.kyoo_transcoder.existingSecret }} + {{- end }} - name: PGDATABASE value: {{ default .Values.global.postgres.kyoo_transcoder.database .Values.global.postgres.shared.databaseOverride | quote }} - name: PGHOST @@ -122,6 +130,9 @@ spec: {{- toYaml . | nindent 12 }} {{- end }} volumeMounts: + {{- with .Values.global.extraVolumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} {{- with .Values.media.volumeMounts }} {{- toYaml . | nindent 12 }} {{- end }} @@ -143,6 +154,9 @@ spec: {{- tpl (toYaml .) $ | nindent 6 }} {{- end }} volumes: + {{- with .Values.global.extraVolumes }} + {{- toYaml . | nindent 8 }} + {{- end }} {{- with .Values.media.volumes }} {{- toYaml . | nindent 8 }} {{- end }} diff --git a/chart/values.yaml b/chart/values.yaml index a06c04d9..613d8848 100644 --- a/chart/values.yaml +++ b/chart/values.yaml 
@@ -14,6 +14,8 @@ global: podAnnotations: {} podLabels: {} extraEnv: [] + extraVolumes: [] + extraVolumeMounts: [] # kyoo connectivity & subchart settings for postgres # subchart configuration can be found at .postgresql @@ -33,6 +35,8 @@ global: port: 5432 # setting the database here will override the other database settings databaseOverride: ~ + userOverride: ~ + passwordOverride: ~ # base setting for specifying existingSecret for all kyoo workloads existingSecret: bigsecret # base setting for specifying userKey for all kyoo workloads From 36775d7a9772418d2a5bb0eda59ec2c52821db63 Mon Sep 17 00:00:00 2001 From: Zoe Roux Date: Thu, 19 Mar 2026 12:36:22 +0100 Subject: [PATCH 2/8] Add sslmodeOverride --- chart/templates/api/deployment.yaml | 2 +- chart/templates/auth/deployment.yaml | 2 +- chart/templates/scanner/deployment.yaml | 2 +- chart/templates/transcoder/deployment.yaml | 2 +- chart/values.yaml | 1 + 5 files changed, 5 insertions(+), 4 deletions(-) diff --git a/chart/templates/api/deployment.yaml b/chart/templates/api/deployment.yaml index 270d2142..58632fb4 100644 --- a/chart/templates/api/deployment.yaml +++ b/chart/templates/api/deployment.yaml @@ -87,7 +87,7 @@ spec: - name: PGPORT value: {{ default .Values.global.postgres.shared.port .Values.global.postgres.kyoo_api.port | quote }} - name: PGSSLMODE - value: {{ .Values.global.postgres.kyoo_api.sslmode | quote }} + value: {{ default .Values.global.postgres.kyoo_api.sslmode .Values.global.postgres.shared.sslmodeOverride | quote }} {{- with (concat .Values.global.extraEnv .Values.api.kyoo_api.extraEnv) }} {{- toYaml . | nindent 12 }} {{- end }} diff --git a/chart/templates/auth/deployment.yaml b/chart/templates/auth/deployment.yaml index 5090b6ea..0fc08893 100644 --- a/chart/templates/auth/deployment.yaml +++ b/chart/templates/auth/deployment.yaml 
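Review bot: `sslmodeOverride` is handed to `PGSSLMODE` without validation, and as a shared override it replaces every component's `sslmode` at once, so a single value such as `disable` turns off TLS to the database for all workloads. The `sslmodeOverride: ~` key added to values.yaml in this patch has no comment. I would add one like `# overrides sslmode for every component; use require, verify-ca or verify-full outside local testing`. The same `default … sslmodeOverride` expression is used in the auth, scanner and transcoder hunks.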
@@ -103,7 +103,7 @@ spec: - name: PGPORT value: {{ default .Values.global.postgres.shared.port .Values.global.postgres.kyoo_auth.port | quote }} - name: PGSSLMODE - value: {{ .Values.global.postgres.kyoo_auth.sslmode | quote }} + value: {{ default .Values.global.postgres.kyoo_auth.sslmode .Values.global.postgres.shared.sslmodeOverride | quote }} {{- if .Values.kyoo.auth.privatekey.existingSecret }} - name: RSA_PRIVATE_KEY_PATH value: /mnt/private_key/private_key.pem diff --git a/chart/templates/scanner/deployment.yaml b/chart/templates/scanner/deployment.yaml index 37a826aa..c6e331e5 100644 --- a/chart/templates/scanner/deployment.yaml +++ b/chart/templates/scanner/deployment.yaml @@ -98,7 +98,7 @@ spec: - name: PGPORT value: {{ default .Values.global.postgres.shared.port .Values.global.postgres.kyoo_scanner.port | quote }} - name: PGSSLMODE - value: {{ .Values.global.postgres.kyoo_scanner.sslmode | quote }} + value: {{ default .Values.global.postgres.kyoo_scanner.sslmode .Values.global.postgres.shared.sslmodeOverride | quote }} {{- with (concat .Values.global.extraEnv .Values.scanner.kyoo_scanner.extraEnv) }} {{- toYaml . | nindent 12 }} {{- end }} diff --git a/chart/templates/transcoder/deployment.yaml b/chart/templates/transcoder/deployment.yaml index 36e1458d..71f819f2 100644 --- a/chart/templates/transcoder/deployment.yaml +++ b/chart/templates/transcoder/deployment.yaml @@ -105,7 +105,7 @@ spec: - name: PGPORT value: {{ default .Values.global.postgres.shared.port .Values.global.postgres.kyoo_transcoder.port | quote }} - name: PGSSLMODE - value: {{ .Values.global.postgres.kyoo_transcoder.sslmode | quote }} + value: {{ default .Values.global.postgres.kyoo_transcoder.sslmode .Values.global.postgres.shared.sslmodeOverride | quote }} {{- with (concat .Values.global.extraEnv .Values.transcoder.kyoo_transcoder.extraEnv) }} {{- toYaml . | nindent 12 }} {{- end }} diff --git a/chart/values.yaml b/chart/values.yaml index 613d8848..8a09a57a 100644 
--- a/chart/values.yaml +++ b/chart/values.yaml @@ -37,6 +37,7 @@ global: databaseOverride: ~ userOverride: ~ passwordOverride: ~ + sslmodeOverride: ~ # base setting for specifying existingSecret for all kyoo workloads existingSecret: bigsecret # base setting for specifying userKey for all kyoo workloads From c1afbfef7f999cf846decdde4ab07131c5e19806 Mon Sep 17 00:00:00 2001 From: Zoe Roux Date: Thu, 19 Mar 2026 13:44:50 +0100 Subject: [PATCH 3/8] Fix db connection of auth --- api/src/logtape.ts | 4 ++-- auth/main.go | 22 ++-------------------- auth/otel.go | 1 - transcoder/src/metadata.go | 17 +---------------- 4 files changed, 5 insertions(+), 39 deletions(-) diff --git a/api/src/logtape.ts b/api/src/logtape.ts index eaaa818b..2966e5ea 100644 --- a/api/src/logtape.ts +++ b/api/src/logtape.ts @@ -23,7 +23,7 @@ export async function setupLogging() { const minLevel = aliasMap[minLevelRaw] ?? minLevelRaw; return withFilter( redactByField(getConsoleSink(), { - fieldPatterns: [/password/i, /secret/i, /apikey/i], + fieldPatterns: [/password/i, /secret/i, /apikey/i, /ca/i, /cert/i], action: () => "[REDACTED]", }), getLevelFilter(parseLogLevel(minLevel)), @@ -38,7 +38,7 @@ export async function setupLogging() { const minLevel = aliasMap[minLevelRaw] ?? minLevelRaw; return withFilter( redactByField(getOpenTelemetrySink({ loggerProvider }), { - fieldPatterns: [/password/i, /secret/i, /apikey/i], + fieldPatterns: [/password/i, /secret/i, /apikey/i, /ca/i, /cert/i], action: () => "[REDACTED]", }), getLevelFilter(parseLogLevel(minLevel)), diff --git a/auth/main.go b/auth/main.go index 16299045..fbb6ccaa 100644 --- a/auth/main.go +++ b/auth/main.go @@ -3,12 +3,10 @@ package main import ( "context" "encoding/base64" - "errors" "fmt" "log/slog" "net/http" "os" - "os/user" "slices" "sort" "strings" 
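Review bot: The added `/ca/i` entry in both `fieldPatterns` lists is unanchored, so it redacts every field whose name merely contains "ca" (for example `cache`, `location` or `category`), which can remove fields needed when reading logs during an incident. An anchored form keeps the redaction on CA material only, e.g. `fieldPatterns: [/password/i, /secret/i, /apikey/i, /^ca$/i, /cert/i],`. The field names that actually carry the CA are not visible in this hunk, so adjust the pattern to match them. Both sinks in `setupLogging` are changed identically, and the function body continues outside the hunks.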
@@ -103,10 +101,10 @@ func GetenvOr(env string, def string) string { } func OpenDatabase(ctx context.Context) (*pgxpool.Pool, error) { - connectionString := GetenvOr("POSTGRES_URL", "") + connectionString := os.Getenv("POSTGRES_URL") config, err := pgxpool.ParseConfig(connectionString) if err != nil { - return nil, errors.New("failed to create postgres config from environment variables") + return nil, fmt.Errorf("failed to create postgres config from environment variables: %v", err) } // Set default values @@ -116,22 +114,6 @@ func OpenDatabase(ctx context.Context) (*pgxpool.Pool, error) { if config.ConnConfig.Database == "" { config.ConnConfig.Database = "kyoo" } - // The pgx library will set the username to the name of the current user if not provided via - // environment variable or connection string. Make a best-effort attempt to see if the user - // was explicitly specified, without implementing full connection string parsing. If not, set - // the username to the default value of "kyoo". - if os.Getenv("PGUSER") == "" { - currentUserName, _ := user.Current() - // If the username matches the current user and it's not in the connection string, then it was set - // by the pgx library. This doesn't cover the case where the system username happens to be in some other part - // of the connection string, but this cannot be checked without full connection string parsing. - if currentUserName.Username == config.ConnConfig.User && !strings.Contains(connectionString, currentUserName.Username) { - config.ConnConfig.User = "kyoo" - } - } - if config.ConnConfig.Password == "" { - config.ConnConfig.Password = "password" - } if _, ok := config.ConnConfig.RuntimeParams["application_name"]; !ok { config.ConnConfig.RuntimeParams["application_name"] = "keibi" } diff --git a/auth/otel.go b/auth/otel.go index 8f34ef18..21801906 100644 --- a/auth/otel.go +++ b/auth/otel.go 
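Review bot: The new error in `OpenDatabase` formats the cause with `%v`, which flattens it to text; `return nil, fmt.Errorf("failed to create postgres config from environment variables: %w", err)` keeps it reachable through `errors.Is`/`errors.As`. The parser's message is now surfaced and may quote parts of the connection string, so confirm that the pgx version in use redacts the password there before this error reaches logs. The next hunk removes the `"password"` fallback and the username guess, which leaves a missing `PGUSER`/`PGPASSWORD` to pgx's own defaults; a short comment above the remaining defaults saying credentials must come from the environment would make that explicit. `setupDb` in transcoder/src/metadata.go gets the same `%v` change, and both functions continue outside their hunks.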
@@ -37,7 +37,6 @@ func setupOtel(ctx context.Context) (func(context.Context) error, error) { resource.WithAttributes(semconv.ServiceNameKey.String("kyoo.auth")), resource.WithFromEnv(), resource.WithTelemetrySDK(), - resource.WithProcess(), resource.WithOS(), resource.WithContainer(), resource.WithHost(), diff --git a/transcoder/src/metadata.go b/transcoder/src/metadata.go index e2885698..6170736c 100644 --- a/transcoder/src/metadata.go +++ b/transcoder/src/metadata.go @@ -6,8 +6,6 @@ import ( "errors" "fmt" "os" - "os/user" - "strings" "github.com/aws/aws-sdk-go-v2/config" "github.com/aws/aws-sdk-go-v2/service/s3" @@ -78,7 +76,7 @@ func (s *MetadataService) setupDb() (*pgxpool.Pool, error) { connectionString := os.Getenv("POSTGRES_URL") config, err := pgxpool.ParseConfig(connectionString) if err != nil { - return nil, errors.New("failed to create postgres config from environment variables") + return nil, fmt.Errorf("failed to create postgres config from environment variables: %v", err) } // Set default values 
@@ -88,19 +86,6 @@ func (s *MetadataService) setupDb() (*pgxpool.Pool, error) { if config.ConnConfig.Database == "" { config.ConnConfig.Database = "kyoo" } - // The pgx library will set the username to the name of the current user if not provided via - // environment variable or connection string. Make a best-effort attempt to see if the user - // was explicitly specified, without implementing full connection string parsing. If not, set - // the username to the default value of "kyoo". - if os.Getenv("PGUSER") == "" { - currentUserName, _ := user.Current() - // If the username matches the current user and it's not in the connection string, then it was set - // by the pgx library. This doesn't cover the case where the system username happens to be in some other part - // of the connection string, but this cannot be checked without full connection string parsing. - if currentUserName.Username == config.ConnConfig.User && !strings.Contains(connectionString, currentUserName.Username) { - config.ConnConfig.User = "kyoo" - } - } if _, ok := config.ConnConfig.RuntimeParams["application_name"]; !ok { config.ConnConfig.RuntimeParams["application_name"] = "gocoder" } From 6e3ba34fe526e17185587cdc07a42937abe48a7e Mon Sep 17 00:00:00 2001 From: Zoe Roux Date: Thu, 19 Mar 2026 14:07:01 +0100 Subject: [PATCH 4/8] Add global security context --- chart/templates/api/deployment.yaml | 2 +- chart/templates/auth/deployment.yaml | 2 +- chart/templates/front/deployment.yaml | 2 +- chart/templates/scanner/deployment.yaml | 2 +- chart/templates/traefikproxy/deployment.yaml | 2 +- chart/templates/transcoder/deployment.yaml | 2 +- chart/values.yaml | 18 ++++++++++-------- 7 files changed, 16 insertions(+), 14 deletions(-) diff --git a/chart/templates/api/deployment.yaml b/chart/templates/api/deployment.yaml index 58632fb4..1be6e3c6 100644 --- a/chart/templates/api/deployment.yaml +++ b/chart/templates/api/deployment.yaml 
@@ -107,7 +107,7 @@ spec: resources: {{- toYaml . | nindent 12 }} {{- end }} - {{- with .Values.api.kyoo_api.containerSecurityContext }} + {{- with (mergeOverwrite (deepCopy .Values.global.containerSecurityContext) .Values.api.kyoo_api.containerSecurityContext) }} securityContext: {{- toYaml . | nindent 12 }} {{- end }} diff --git a/chart/templates/auth/deployment.yaml b/chart/templates/auth/deployment.yaml index 0fc08893..15e92357 100644 --- a/chart/templates/auth/deployment.yaml +++ b/chart/templates/auth/deployment.yaml @@ -153,7 +153,7 @@ spec: resources: {{- toYaml . | nindent 12 }} {{- end }} - {{- with .Values.auth.kyoo_auth.containerSecurityContext }} + {{- with (mergeOverwrite (deepCopy .Values.global.containerSecurityContext) .Values.auth.kyoo_auth.containerSecurityContext) }} securityContext: {{- toYaml . | nindent 12 }} {{- end }} diff --git a/chart/templates/front/deployment.yaml b/chart/templates/front/deployment.yaml index 005070d1..eea984c0 100644 --- a/chart/templates/front/deployment.yaml +++ b/chart/templates/front/deployment.yaml @@ -73,7 +73,7 @@ spec: resources: {{- toYaml . | nindent 12 }} {{- end }} - {{- with .Values.front.kyoo_front.containerSecurityContext }} + {{- with (mergeOverwrite (deepCopy .Values.global.containerSecurityContext) .Values.front.kyoo_front.containerSecurityContext) }} securityContext: {{- toYaml . | nindent 12 }} {{- end }} diff --git a/chart/templates/scanner/deployment.yaml b/chart/templates/scanner/deployment.yaml index c6e331e5..88fe88db 100644 --- a/chart/templates/scanner/deployment.yaml +++ b/chart/templates/scanner/deployment.yaml @@ -118,7 +118,7 @@ spec: resources: {{- toYaml . | nindent 12 }} {{- end }} - {{- with .Values.scanner.kyoo_scanner.containerSecurityContext }} + {{- with (mergeOverwrite (deepCopy .Values.global.containerSecurityContext) .Values.scanner.kyoo_scanner.containerSecurityContext) }} securityContext: {{- toYaml . | nindent 12 }} {{- end }} 
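Review bot: `mergeOverwrite (deepCopy .Values.global.containerSecurityContext) .Values.api.kyoo_api.containerSecurityContext` gives the component value the last word, so any per-component key silently replaces the global one. As far as I know `mergeOverwrite` also replaces list values such as `capabilities.drop` whole rather than combining them. The precedence is reasonable, but one component entry can undo a global hardening baseline without it being visible anywhere. I would state it beside the new `containerSecurityContext: {}` key in values.yaml, e.g. `# baseline for all containers; per-component containerSecurityContext keys override these`. The same expression is used in the auth, front, scanner, traefikproxy and transcoder hunks, and patch 6/8 repeats the pattern for the pod-level `securityContext`.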
diff --git a/chart/templates/traefikproxy/deployment.yaml b/chart/templates/traefikproxy/deployment.yaml index 97c3a911..34c8178f 100644 --- a/chart/templates/traefikproxy/deployment.yaml +++ b/chart/templates/traefikproxy/deployment.yaml @@ -78,7 +78,7 @@ spec: resources: {{- toYaml . | nindent 12 }} {{- end }} - {{- with .Values.traefikproxy.traefik.containerSecurityContext }} + {{- with (mergeOverwrite (deepCopy .Values.global.containerSecurityContext) .Values.traefikproxy.traefik.containerSecurityContext) }} securityContext: {{- toYaml . | nindent 12 }} {{- end }} diff --git a/chart/templates/transcoder/deployment.yaml b/chart/templates/transcoder/deployment.yaml index 71f819f2..cce5f9a5 100644 --- a/chart/templates/transcoder/deployment.yaml +++ b/chart/templates/transcoder/deployment.yaml @@ -125,7 +125,7 @@ spec: resources: {{- toYaml . | nindent 12 }} {{- end }} - {{- with .Values.transcoder.kyoo_transcoder.containerSecurityContext }} + {{- with (mergeOverwrite (deepCopy .Values.global.containerSecurityContext) .Values.transcoder.kyoo_transcoder.containerSecurityContext) }} securityContext: {{- toYaml . | nindent 12 }} {{- end }} diff --git a/chart/values.yaml b/chart/values.yaml index 8a09a57a..3a640e4d 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -13,6 +13,8 @@ global: persistentVolumeClaimAnnotations: {} podAnnotations: {} podLabels: {} + securityContext: {} + containerSecurityContext: {} extraEnv: [] extraVolumes: [] extraVolumeMounts: [] 
@@ -442,14 +444,14 @@ traefikproxy: containerSecurityContext: {} extraVolumeMounts: [] extraArgs: - - '--entryPoints.web.address=:80/tcp' - - '--entryPoints.websecure.address=:443/tcp' - - '--entryPoints.web.forwardedHeaders.insecure=true' - - '--entryPoints.websecure.forwardedHeaders.insecure=true' - - '--api.dashboard=true' - - '--api.insecure=true' - - '--log.level=INFO' - - '--providers.file.filename=/dynamic_config/dynamic_config.yaml' + - "--entryPoints.web.address=:80/tcp" + - "--entryPoints.websecure.address=:443/tcp" + - "--entryPoints.web.forwardedHeaders.insecure=true" + - "--entryPoints.websecure.forwardedHeaders.insecure=true" + - "--api.dashboard=true" + - "--api.insecure=true" + - "--log.level=INFO" + - "--providers.file.filename=/dynamic_config/dynamic_config.yaml" extraEnv: [] image: repository: docker.io/traefik From 1a30049d754983b348ebb14e1b6db6b71c99e7cd Mon Sep 17 00:00:00 2001 From: Zoe Roux Date: Thu, 19 Mar 2026 15:41:49 +0100 Subject: [PATCH 5/8] Fix transcoder otel --- transcoder/otel.go | 1 - 1 file changed, 1 deletion(-) diff --git a/transcoder/otel.go b/transcoder/otel.go index 019d2e20..abd6f5a5 100644 --- a/transcoder/otel.go +++ b/transcoder/otel.go @@ -37,7 +37,6 @@ func setupOtel(ctx context.Context) (func(context.Context) error, error) { resource.WithAttributes(semconv.ServiceNameKey.String("kyoo.transcoder")), resource.WithFromEnv(), resource.WithTelemetrySDK(), - resource.WithProcess(), resource.WithOS(), resource.WithContainer(), resource.WithHost(), From 51e4dba5cca926d395a6ef8509003556d634e2e3 Mon Sep 17 00:00:00 2001 
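Review bot: The re-quoted `extraArgs` defaults still ship `--api.insecure=true` together with `--api.dashboard=true`, which serves the Traefik API and dashboard without authentication. They also set `forwardedHeaders.insecure=true` on both entry points, which makes Traefik trust `X-Forwarded-*` headers from any client. Only the quoting changes in this hunk, so this predates the commit, but as chart defaults they deserve a comment above the list. Something like `# development defaults: turn off api.insecure and limit forwardedHeaders to trusted proxy IPs in production` would do.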
From: Zoe Roux Date: Thu, 19 Mar 2026 16:40:24 +0100 Subject: [PATCH 6/8] Add `securityContext` at component level --- chart/templates/api/deployment.yaml | 2 +- chart/templates/auth/deployment.yaml | 2 +- chart/templates/front/deployment.yaml | 2 +- chart/templates/scanner/deployment.yaml | 2 +- chart/templates/traefikproxy/deployment.yaml | 2 +- chart/templates/transcoder/deployment.yaml | 2 +- chart/values.yaml | 6 ++++++ 7 files changed, 12 insertions(+), 6 deletions(-) diff --git a/chart/templates/api/deployment.yaml b/chart/templates/api/deployment.yaml index 1be6e3c6..7a9b5b60 100644 --- a/chart/templates/api/deployment.yaml +++ b/chart/templates/api/deployment.yaml @@ -38,7 +38,7 @@ spec: imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.global.securityContext }} + {{- with (mergeOverwrite (deepCopy .Values.global.securityContext) .Values.api.securityContext) }} securityContext: {{- toYaml . | nindent 8 }} {{- end }} diff --git a/chart/templates/auth/deployment.yaml b/chart/templates/auth/deployment.yaml index 15e92357..29fa5e2f 100644 --- a/chart/templates/auth/deployment.yaml +++ b/chart/templates/auth/deployment.yaml @@ -38,7 +38,7 @@ spec: imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.global.securityContext }} + {{- with (mergeOverwrite (deepCopy .Values.global.securityContext) .Values.auth.securityContext) }} securityContext: {{- toYaml . | nindent 8 }} {{- end }} diff --git a/chart/templates/front/deployment.yaml b/chart/templates/front/deployment.yaml index eea984c0..b6f62a8d 100644 --- a/chart/templates/front/deployment.yaml +++ b/chart/templates/front/deployment.yaml @@ -38,7 +38,7 @@ spec: imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.global.securityContext }} + {{- with (mergeOverwrite (deepCopy .Values.global.securityContext) .Values.front.securityContext) }} securityContext: {{- toYaml . | nindent 8 }} {{- end }} 
diff --git a/chart/templates/scanner/deployment.yaml b/chart/templates/scanner/deployment.yaml index 88fe88db..af432bb3 100644 --- a/chart/templates/scanner/deployment.yaml +++ b/chart/templates/scanner/deployment.yaml @@ -38,7 +38,7 @@ spec: imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.global.securityContext }} + {{- with (mergeOverwrite (deepCopy .Values.global.securityContext) .Values.scanner.securityContext) }} securityContext: {{- toYaml . | nindent 8 }} {{- end }} diff --git a/chart/templates/traefikproxy/deployment.yaml b/chart/templates/traefikproxy/deployment.yaml index 34c8178f..7ca548f5 100644 --- a/chart/templates/traefikproxy/deployment.yaml +++ b/chart/templates/traefikproxy/deployment.yaml @@ -39,7 +39,7 @@ spec: imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.global.securityContext }} + {{- with (mergeOverwrite (deepCopy .Values.global.securityContext) .Values.traefikproxy.securityContext) }} securityContext: {{- toYaml . | nindent 8 }} {{- end }} diff --git a/chart/templates/transcoder/deployment.yaml b/chart/templates/transcoder/deployment.yaml index cce5f9a5..29d9a32d 100644 --- a/chart/templates/transcoder/deployment.yaml +++ b/chart/templates/transcoder/deployment.yaml @@ -48,7 +48,7 @@ spec: imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.global.securityContext }} + {{- with (mergeOverwrite (deepCopy .Values.global.securityContext) .Values.transcoder.securityContext) }} securityContext: {{- toYaml . | nindent 8 }} {{- end }} diff --git a/chart/values.yaml b/chart/values.yaml index 3a640e4d..90da66de 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -210,6 +210,7 @@ api: # default to recreate for better user experience with ReadWriteOnce volumes updateStrategy: type: Recreate + securityContext: {} podLabels: {} deploymentAnnotations: {} podAnnotations: {} 
@@ -260,6 +261,7 @@ auth: tag: ~ replicaCount: 1 updateStrategy: ~ + securityContext: {} podLabels: {} deploymentAnnotations: {} podAnnotations: {} @@ -294,6 +296,7 @@ front: tag: ~ replicaCount: 1 updateStrategy: ~ + securityContext: {} podLabels: {} deploymentAnnotations: {} podAnnotations: {} @@ -335,6 +338,7 @@ scanner: # scanner does not support multiple replicas replicaCount: 1 updateStrategy: ~ + securityContext: {} podLabels: {} deploymentAnnotations: {} podAnnotations: {} @@ -395,6 +399,7 @@ transcoder: # default to recreate for better user experience with ReadWriteOnce volumes & hardware resources updateStrategy: type: Recreate + securityContext: {} podLabels: {} deploymentAnnotations: {} podAnnotations: {} @@ -458,6 +463,7 @@ traefikproxy: tag: v3.6.10 replicaCount: 1 updateStrategy: ~ + securityContext: {} podLabels: {} configmapAnnotations: {} deploymentAnnotations: {} From 8d3174b0b2234426b1a573da37c61da22ec0bf54 Mon Sep 17 00:00:00 2001 From: Zoe Roux Date: Thu, 19 Mar 2026 16:58:22 +0100 Subject: [PATCH 7/8] Fix auth ci --- .github/workflows/auth-hurl.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/auth-hurl.yml b/.github/workflows/auth-hurl.yml index da3c0fa4..d4db2c7f 100644 --- a/.github/workflows/auth-hurl.yml +++ b/.github/workflows/auth-hurl.yml @@ -52,6 +52,8 @@ jobs: hurl --error-format long --variable host=http://localhost:4568/auth tests/* env: PGHOST: localhost + PGUSER: kyoo + PGPASSWORD: password FIRST_USER_CLAIMS: '{"permissions": ["users.read"]}' KEIBI_APIKEY_HURL: 1234apikey KEIBI_APIKEY_HURL_CLAIMS: '{"permissions": ["apikeys.write", "apikeys.read"]}' From 1056e888c2a5c3f9cce9c163aad432c25d75e8ee Mon Sep 17 00:00:00 2001 From: Zoe Roux Date: Thu, 19 Mar 2026 17:17:14 +0100 Subject: [PATCH 8/8] Fix external id menu always opening --- front/src/ui/details/header.tsx | 39 ++++++++++++++++++--------------- 1 file changed, 21 insertions(+), 18 deletions(-) 
diff --git a/front/src/ui/details/header.tsx b/front/src/ui/details/header.tsx index 5c2947f0..781304f9 100644 --- a/front/src/ui/details/header.tsx +++ b/front/src/ui/details/header.tsx @@ -312,25 +312,28 @@ const ExternalIdChip = ({ size="small" outline className="m-1" - onPress={() => - setPopup( - - {withLinks - .sort((a, b) => - (a.label ?? a.link!).localeCompare(b.label ?? b.link!), + onPress={ + withLinks.length > 1 + ? () => + setPopup( + + {withLinks + .sort((a, b) => + (a.label ?? a.link!).localeCompare(b.label ?? b.link!), + ) + .map((x) => ( + + {x.label ?? x.link} + + ))} + , ) - .map((x) => ( - - {x.label ?? x.link} - - ))} - , - ) + : undefined } /> );
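Review bot: `withLinks.sort(...)` inside the new `onPress` callback sorts `withLinks` in place, so opening the menu reorders the same array that the `withLinks.length > 1` check reads. `[...withLinks].sort((a, b) => …)` leaves the original untouched. The comparator also uses `a.label ?? a.link!`, and the non-null assertion is only safe if every entry in `withLinks` has a link, which the name suggests but the hunk does not show. The JSX around these lines is not fully visible here, and `ExternalIdChip` starts outside the hunk.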