hi could you add an option in helm for restriction loadbalancer source ranges?

example

apiVersion: v1
kind: Service
metadata:
  name: myapp
spec:
  ports:
  - port: 8765
    targetPort: 9376
  selector:
    app: example
  type: LoadBalancer
  loadBalancerSourceRanges:
  - 10.0.0.0/8

Hello, as the title already says:

The conf.php is not being applied when I try to deploy it to my cluster, however it does deploy without any problems or issues, but the conf.php is just being ignored in the final deployment.

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: privatebin
  namespace: argocd
spec:
  project: test-privatebin
  source:
    chart: privatebin
    repoURL: https://privatebin.github.io/helm-chart/
    targetRevision: 0.21.0
    helm:
      releaseName: test-privatebin
      valuesObject:
        config:          
          conf.php: |-
            [main]      
            name = "Testbin"
            fileupload = false
            discussion = false
            password = true
            burnafterreadingselected = true
            template = "bootstrap"
            notice = "Pastebin Test Deployment"
            languageselection = true
            languagedefault = "en"
            [expire]
            default = "1day"
            [model]
            class = Filesystem
            [model_options]
            dir = PATH "data"
  destination:
    server: "https://kubernetes.default.svc"
    namespace: testprivatebin

When I describe the configmap in the cluster I get the following

│ Annotations:  <none>                                                                                                                                                                                                                     │
│                                                                                                                                                                                                                                          │
│ Data                                                                                                                                                                                                                                     │
│ ====                                                                                                                                                                                                                                     │
│                                                                                                                                                                                                                                          │
│ BinaryData                                                                                                                                                                                                                               │
│ ====                                                                                                                                                                                                                                     │
│                                                                                                                                                                                                                                          

I also entered the pod via shell to see if the config somehow shows up but it nowhere to be found.

At this point I do not know where to look or what may cause this, if someone has an idea please let me know!

Hi!

I have this and I don't see any change in the privatebin UI

replicaCount: 2

configs:          
  config.php: |-
    [main]      
      name = "PrivateBinCompany"
      fileupload = true
      discussion = false

k describe cm privatebin-configs
Name:         privatebin-configs
Namespace:    default
Labels:       app.kubernetes.io/instance=privatebin
              app.kubernetes.io/managed-by=Tiller
              app.kubernetes.io/name=privatebin
              helm.sh/chart=privatebin-0.2.4
Annotations:  <none>

Data
====
config.php:
----
[main]      
  name = "PrivateBinCompany"
  fileupload = true
  discussion = false

Its a bug?

I tried different ways to apply the config but neither works

Thank you

Hello,

I'm currently planning to evolve our PrivateBin instance to have multiples replicas.
I currently use it with a Statefulset and a PVC, however, I noticed that if I add a replica it will create his own PVC which cause issues to open URLs generated with the pod A on the pod B and vice versa.
Does it exist a trick with this chart to solve this behavior? If no, can it be an interesting feature to add?

Thanks in advance !

Hello

When hosting privatebin helm in AKS (Azure) we are getting the following security recommendation:

Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc.

To fix this we just need to add the following config to the pod

    spec:
      automountServiceAccountToken: false

doc: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/

Could this option be added for this helm chart ?

Hello,

Can you add replicas for controller.kind=StatefulSet in the template according to the documentation like what is available for Deployment) it should be supported

Like what is already done for Deployment
https://github.com/PrivateBin/helm-chart/blob/master/charts/privatebin/templates/deployment.yaml#L17

I have to admit that I have spent most of my time with OpenShift when dealing with Kubernetes environments and am not familiar with Helm. Do I understand the deployment.yaml correctly in that it will attach a volume for the config file, but none for the data (located in /srv/data)? Is there a way to specify that the container image should be run with --read-only (I made sure to mark all paths to be written to as volumes in the Dockerfile)?

Hi, thanks for the chart.

I installed PrivateBin to my k8s cluster but it doesn't work.

Forwarding ports from k8s to my localhost:

$ kc port-forward privatebin-bbb5dbb97-wm4t5 8080:80
...

Then trying to send message:

Also, when I press send button I see a message (for 1 second):

Cannot read property: length of undefined

Could you please advice me what could be wrong or how can I find any logs in k8s pod for debugging?

my conf.php:

    ; An explanation of each setting can be find online at https://github.com/PrivateBin/PrivateBin/wiki/Configuration.
    [main]
    name = "PrivateBin"
    discussion = false
    opendiscussion = false
    password = false
    fileupload = false
    burnafterreadingselected = true
    defaultformatter = "plaintext"
    syntaxhighlightingtheme = "sons-of-obsidian"
    sizelimit = 10485760
    template = "bootstrap-page"
    languageselection = false
    languagedefault = "en"
    qrcode = false
    icon = none
    httpwarning = true
    compression = zlib
    cspheader = "default-src 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'unsafe-eval'; style-src 'self'; font-src 'self'; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals"

    [expire]
    default = "1day"

    [expire_options]
    10min = 600
    1hour = 3600
    1day = 86400
    1week = 604800

    [formatter_options]
    plaintext = "Plain Text"
    syntaxhighlighting = "Source Code"
    markdown = "Markdown"

    [traffic]
    limit = 100
    header = "X_FORWARDED_FOR"
    dir = PATH "data"

    [purge]
    limit = 300
    batchsize = 10
    dir = PATH "data"

    [model]
    class = Filesystem
    [model_options]
    dir = PATH "data"

The initContainer for setting permissions runs the following command:

command:
  - chown
  - -R
  - "65534:82"
  - /srv/cfg

The problem with this is the configMap being mounted as well and the permissions of mounted configMaps can not be changed this way. This means that chown logs some warnings to the console and exits with exit code 1. Exit code 1 means that the container was not successful and is therefore received by k8s as it would fail, resulting in CrashLoops.

To overcome this issue I changed the command to this and added args:

  command: ["/bin/sh","-c"]
  args: ["chown -R 65534:82 /srv/cfg || :"]

The double pipe and the semicolon force the command to always return true, which will allow sh to return an exit code of 0.

If you accept this solution I can create a PR if you like.

Thanks!

AccessMode is set to ReadWriteMany since PR #18

    spec:
      accessModes: [ "ReadWriteMany" ]
...

If RWMany is required maybe it would make sense to note in the documentation that ReadWriteMany for storage backend is required (e.g. NFS), or think about a different option like using object storage somehow (eg filestore).

What steps did you take and what happened:
When creating a StatefulSet kind with standard storageClass, it fails on GCP with this error:

Failed to provision volume with StorageClass "standard": invalid AccessModes [ReadWriteMany]: only AccessModes [ReadWriteOnce ReadOnlyMany] are supported

What did you expect to happen:
The PVC to be created without errors.

Environment:
Kubernetes version: (use kubectl version): client: v1.21.1, server: v1.20.10-gke.1600

Workaround
I had to create and manage the PVC separately with accessmode ReadWriteOnce in order to successfully use persistency. PrivateBin replicas is set to 1.

$ cat privatebin-pvc.yaml 
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: storage-privatebin-0
spec:
  storageClassName: standard
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
  volumeMode: Filesystem

$ kubectl -n privatebin apply -f privatebin-pvc.yaml 
persistentvolumeclaim/storage-privatebin-0 created

Hi,

When you enforce a "good" PSP to deny launch root pods you can't launch privatebin pod.
In fact, container runs as a random non root user (called "nobody" and created in dockerfile), but kubernetes can't determine its UID to check if is different of 0.

Error: container has runAsNonRoot and image has non-numeric user (nobody), cannot verify user is non-root

I made a little test like this :

    spec:
      securityContext:
        runAsUser: 65534
      containers:
        - name: {{ .Chart.Name }}
          image: "{{ .Values.image.repository }}:{{ default .Chart.AppVersion .Values.image.tag }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}

It works perfectly because 65534 is the UID of "nobody" user, but it seems not a stable solution because UID is not guaranteed.
Anyone has any idea to make it clean ?
Or we just should make a change in dockerfile to fix an ID ? https://github.com/PrivateBin/docker-nginx-fpm-alpine/blob/master/Dockerfile#L54

The helm project has a tool for releasing charts and maintaining the repo that is a little nicer than our Rakefile.

https://github.com/helm/chart-releaser

Hi!

I read in documentation some way to specify the template (template = style theme??)
https://github.com/PrivateBin/PrivateBin/wiki/Configuration

bootstrap
bootstrap-page
bootstrap-dark
bootstrap-dark-page
bootstrap-compact
bootstrap-compact-page
page

I'm trying but doesn't work, I don't know how should I do it.

This is my configuration

[main]
template = "bootstrap-dark"

Thank you very much

Change from a Deployment to a StatefulSet, so data on disk can persist between pod restarts if desired. This will allow users on kubernetes to have persistent storage without using an outside database.

Helm 3 expects a statefulset to have a serviceName field as per the kubernetes openAPI spec.
However, there is none in the StatefulSet template of the chart and no way to add one.

Workaround is using the --disable-openapi-validation flag for Helm.

See PR #41

Hello,

I see a file darkstrap-0.9.3.css , how to switch this ?

https://github.com/PrivateBin/helm-chart/blob/master/privatebin/templates/statefulset.yaml is incorrectly configured to send traffic to container port 80

your container is listening on 8080

From https://github.com/PrivateBin/docker-nginx-fpm-alpine/blob/master/README.md

• -p 8080:8080 - The Nginx webserver inside the container listens on port 8080, this parameter exposes it on your system on port 8080. Be sure to use a reverse proxy for HTTPS termination in front of it in production environments.

currently we don't test the ingress config, which can lead to unexpected bugs

PrivateBin 1.3 has been released, so we should update the helm chart to install it by default. Depends on PrivateBin/docker-nginx-fpm-alpine#6.

Hi!

Hardcoded pathType is blocking newest releases with networking.k8s.io/v1 on GKE. This is important as networking.k8s.io/v1beta1 API will be removed soon.

Translation failed: invalid ingress spec: only "ImplementationSpecific" path type is supported

@bdashrad FYI

In order to get for example HTTP-01 challenge working custom labels should be honored by the ingress template.

values.yaml

ingress:
  enabled: true
  className: external
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-production
    acme.cert-manager.io/http01-edit-in-place: "true"
  labels:
    use-http01-solver: "true" <----

templates/ingress.yaml

...
kind: Ingress
metadata:
  name: {{ $fullName }}
  labels:
    app.kubernetes.io/name: {{ include "privatebin.name" . }}
    helm.sh/chart: {{ include "privatebin.chart" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    {{- with .Values.ingress.labels }} <----
      {{- toYaml . | nindent 4 }}
    {{- end }}
  {{- with .Values.ingress.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
...

Please add support for using the GCS privatebin image and using GCS as backend

When trying to install this chart using Helm 3, the following error occurs:

error validating "": error validating data: ValidationError(Deployment.spec): unknown field "serviceName" in io.k8s.api.apps.v1.DeploymentSpec

I believe serviceName is a StatefulSet spec key, not for Deployments.

With the Helm3 release, might be time to update to v2.

• In Chart.yaml, apiVersion bump to "v2" and add a type field for "application".
• test-failure hook annotation value removed, and test-success deprecated. Use test instead

I think those are really the only things to touch, but could use a test.

Now that we have a working helm chart and repository, we should add it to the helm hub to make it easier for other kubernetes users to find. Instructions are here: https://github.com/helm/hub/blob/master/Repositories.md

Please see:

• https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/
• https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/

At some point, spec.serviceName became required for StatefulSet resources.

Currently, the helm chart will not install if the value service.controller.kind is set to StatefulSet, because there is no spec.serviceName in templates/statefulset.yaml.

Please consider adding something like the following to templates/statefulset.yaml:

     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}
 spec:
+  serviceName: {{ include "privatebin.name" . }}                                                  
   selector:
     matchLabels:
       app.kubernetes.io/name: {{ include "privatebin.name" . }}

Thanks for all the hard work on such an awesome project!

Used, if I understand correctly, to update the github page of the helm repo for PB.

Hello, I just made the update from chart 0.8.0 to 0.10.1 in our OpenShift Kubernetes Environment. I am using the :latest image tag.

However, due to the new 'readOnlyRootFileSystem' = true, setting brought to the chart, the pod will not start anymore.
Setting 'readOnlyRootFileSystem' to false, solves the following error:

cp: can't create directory '/run/services': Read-only file system
s6-svscan: fatal: unable to chdir: No such file or directory

I saw the Dockerfile of the image is using the 'VOLUME' command e.g. for /run. However this does not seem to help in K8s.
Maybe some sort of mount for /run, etc... needs to be incorporated for it to work?

An easy fix would be to allow disabling the 'readOnlyRootFileSystem' via values.yaml.

I would like to use this chart with GCS backend but I'm missing an option to add env values (needed for env with path to json service account). Also I need to mount this json file into container. I could probably do it with configs but I would prefer to mount service account from secret.

I can create PR for this I just wanted to know your opinion on this.

The extensions/v1beta1 and networking.k8s.io/v1beta1 API versions of Ingress are no longer served as of v1.22.

https://kubernetes.io/docs/reference/using-api/deprecation-guide/#ingress-v122