
helm-chart's Introduction

PrivateBin

Current version: 1.7.4

PrivateBin is a minimalist, open source online pastebin where the server has zero knowledge of pasted data.

Data is encrypted and decrypted in the browser using 256-bit AES in Galois/Counter Mode (AES-256-GCM).

This is a fork of ZeroBin, originally developed by Sébastien Sauvage. PrivateBin was refactored to allow easier and cleaner extensions and has many additional features. It is, however, still fully compatible with the original ZeroBin 0.19 data storage scheme. Therefore, such installations can be upgraded to PrivateBin without losing any data.

What PrivateBin provides

  • As a server administrator you don't have to worry if your users post content that is considered illegal in your country. You have plausible deniability regarding the content of any paste. If requested or enforced, you can delete any paste from your system.

  • Pastebin-like system to store text documents, code samples, etc.

  • Encryption of data sent to server.

  • Possibility to set a password which is required to read the paste. It further protects a paste and prevents people stumbling upon your paste's link from being able to read it without the password.

What it doesn't provide

  • As a user you have to trust the server administrator not to inject any malicious code. For security, a PrivateBin installation has to be used over HTTPS! Otherwise you would also have to trust your internet provider and any jurisdiction the traffic passes through. Additionally, the instance should be secured by HSTS. It can use traditional certificate authorities and/or a DNSSEC-protected DANE record.

  • The "key" used to encrypt the paste is part of the URL. If you publicly post the URL of a paste that is not password-protected, anyone can read it. Use a password if you want your paste to remain private. In that case, make sure to use a strong password and share it privately and end-to-end-encrypted.

  • A server admin can be forced to hand over access logs to the authorities. PrivateBin encrypts your text and the discussion contents, but who accessed a paste (first) might still be disclosed via access logs.

  • In case of a server breach your data is secure as it is only stored encrypted on the server. However, the server could be abused or the server admin could be legally forced into sending malicious code to their users, which logs the decryption key and sends it to a server when a user accesses a paste. Therefore, do not access any PrivateBin instance if you think it has been compromised. As long as no user accesses this instance with a previously generated URL, the content can't be decrypted.

Options

Some features are optional and can be enabled or disabled in the configuration file:

  • Password protection

  • Discussions, anonymous or with nicknames and IP-based identicons or vizhashes

  • Expiration times, including a "forever" and "burn after reading" option

  • Markdown format support for HTML formatted pastes, including preview function

  • Syntax highlighting for source code using prettify.js, including 4 prettify themes

  • File upload support, image, media and PDF preview (disabled by default, size limit adjustable)

  • Templates: By default there are bootstrap CSS, darkstrap and "classic ZeroBin" to choose from, and it is easy to adapt these to your own website's layout or create your own.

  • Translation system and automatic browser language detection (if enabled in browser)

  • Language selection (disabled by default, as it uses a session cookie)

  • QR code for paste URLs, to easily transfer them over to mobile devices

Further resources

Run into any issues? Have ideas for further developments? Please report them!


helm-chart's Issues

restriction load balancer

Hi, could you add an option in Helm for restricting load balancer source ranges?

Example:

apiVersion: v1
kind: Service
metadata:
  name: myapp
spec:
  ports:
  - port: 8765
    targetPort: 9376
  selector:
    app: example
  type: LoadBalancer
  loadBalancerSourceRanges:
  - 10.0.0.0/8

config is not being applied after deployment via argocd

Hello, as the title already says:

The conf.php is not being applied when I try to deploy it to my cluster. The deployment itself goes through without any problems or issues, but the conf.php is just being ignored in the final deployment.

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: privatebin
  namespace: argocd
spec:
  project: test-privatebin
  source:
    chart: privatebin
    repoURL: https://privatebin.github.io/helm-chart/
    targetRevision: 0.21.0
    helm:
      releaseName: test-privatebin
      valuesObject:
        config:
          conf.php: |-
            [main]
            name = "Testbin"
            fileupload = false
            discussion = false
            password = true
            burnafterreadingselected = true
            template = "bootstrap"
            notice = "Pastebin Test Deployment"
            languageselection = true
            languagedefault = "en"
            [expire]
            default = "1day"
            [model]
            class = Filesystem
            [model_options]
            dir = PATH "data"
  destination:
    server: "https://kubernetes.default.svc"
    namespace: testprivatebin

When I describe the ConfigMap in the cluster I get the following:

    Annotations:  <none>

    Data
    ====

    BinaryData
    ====

I also entered the pod via shell to see if the config somehow shows up, but it is nowhere to be found.

At this point I do not know where to look or what may cause this; if someone has an idea, please let me know!

No way to change the configs

Hi!

I have this and I don't see any change in the PrivateBin UI:

replicaCount: 2

configs:
  config.php: |-
    [main]
      name = "PrivateBinCompany"
      fileupload = true
      discussion = false

$ k describe cm privatebin-configs
Name:         privatebin-configs
Namespace:    default
Labels:       app.kubernetes.io/instance=privatebin
              app.kubernetes.io/managed-by=Tiller
              app.kubernetes.io/name=privatebin
              helm.sh/chart=privatebin-0.2.4
Annotations:  <none>

Data
====
config.php:
----
[main]      
  name = "PrivateBinCompany"
  fileupload = true
  discussion = false

Is it a bug?

I tried different ways to apply the config, but none of them works.

Thank you

Share PVC between pods in HA setup

Hello,

I'm currently planning to evolve our PrivateBin instance to have multiple replicas.
I currently use it with a StatefulSet and a PVC; however, I noticed that if I add a replica it will create its own PVC, which causes issues when opening URLs generated on pod A from pod B and vice versa.
Is there a trick with this chart to solve this behavior? If not, could it be an interesting feature to add?

Thanks in advance!

Disable automounting API credentials

Hello

When hosting privatebin helm in AKS (Azure) we are getting the following security recommendation:

Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc.

To fix this we just need to add the following config to the pod:

    spec:
      automountServiceAccountToken: false

doc: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/

Could this option be added to this Helm chart?

Could not create paste: server error or not responding

Hi, thanks for the chart.

I installed PrivateBin on my k8s cluster, but it doesn't work.

Forwarding ports from k8s to my localhost:

$ kc port-forward privatebin-bbb5dbb97-wm4t5 8080:80
...

Then trying to send a message:
[screenshot: Screen Shot 2019-10-09 at 12 52 19]

Also, when I press the send button I see a message (for 1 second):

Cannot read property: length of undefined

Could you please advise me what could be wrong, or how I can find any logs in the k8s pod for debugging?

My conf.php:

    ; An explanation of each setting can be found online at https://github.com/PrivateBin/PrivateBin/wiki/Configuration.
    [main]
    name = "PrivateBin"
    discussion = false
    opendiscussion = false
    password = false
    fileupload = false
    burnafterreadingselected = true
    defaultformatter = "plaintext"
    syntaxhighlightingtheme = "sons-of-obsidian"
    sizelimit = 10485760
    template = "bootstrap-page"
    languageselection = false
    languagedefault = "en"
    qrcode = false
    icon = none
    httpwarning = true
    compression = zlib
    cspheader = "default-src 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'unsafe-eval'; style-src 'self'; font-src 'self'; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals"

    [expire]
    default = "1day"

    [expire_options]
    10min = 600
    1hour = 3600
    1day = 86400
    1week = 604800

    [formatter_options]
    plaintext = "Plain Text"
    syntaxhighlighting = "Source Code"
    markdown = "Markdown"

    [traffic]
    limit = 100
    header = "X_FORWARDED_FOR"
    dir = PATH "data"

    [purge]
    limit = 300
    batchsize = 10
    dir = PATH "data"

    [model]
    class = Filesystem
    [model_options]
    dir = PATH "data"

initContainer fails when using StatefulSet option

The initContainer for setting permissions runs the following command:

command:
  - chown
  - -R
  - "65534:82"
  - /srv/cfg

The problem with this is that the configMap is mounted there as well, and the permissions of mounted configMaps cannot be changed this way. This means that chown logs some warnings to the console and exits with exit code 1. Exit code 1 means that the container was not successful and is therefore treated by k8s as a failure, resulting in CrashLoops.

To overcome this issue I changed the command to this and added args:

  command: ["/bin/sh","-c"]
  args: ["chown -R 65534:82 /srv/cfg || :"]

The double pipe and the semicolon force the command to always return true, which allows sh to return an exit code of 0.

If you accept this solution, I can create a PR if you like.

Thanks!

ReadWriteMany AccessMode unsupported for PVCs on GCP/GKE when deploying with Helm

AccessMode is set to ReadWriteMany since PR #18:

    spec:
      accessModes: [ "ReadWriteMany" ]
...

If RWMany is required, maybe it would make sense to note in the documentation that a storage backend supporting ReadWriteMany is required (e.g. NFS), or to think about a different option like using object storage somehow (e.g. Filestore).

What steps did you take and what happened:
When creating a StatefulSet kind with the standard storageClass, it fails on GCP with this error:

Failed to provision volume with StorageClass "standard": invalid AccessModes [ReadWriteMany]: only AccessModes [ReadWriteOnce ReadOnlyMany] are supported

What did you expect to happen:
The PVC to be created without errors.

Environment:
Kubernetes version: (use kubectl version): client: v1.21.1, server: v1.20.10-gke.1600

Workaround
I had to create and manage the PVC separately with access mode ReadWriteOnce in order to successfully use persistence. PrivateBin replicas are set to 1.

$ cat privatebin-pvc.yaml 
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: storage-privatebin-0
spec:
  storageClassName: standard
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
  volumeMode: Filesystem

$ kubectl -n privatebin apply -f privatebin-pvc.yaml 
persistentvolumeclaim/storage-privatebin-0 created

Security considerations about Pod user

Hi,

When you enforce a "good" PSP that denies launching root pods, you can't launch the privatebin pod.
In fact, the container runs as a random non-root user (called "nobody" and created in the Dockerfile), but Kubernetes can't determine its UID to check whether it is different from 0.

Error: container has runAsNonRoot and image has non-numeric user (nobody), cannot verify user is non-root

I made a little test like this:

    spec:
      securityContext:
        runAsUser: 65534
      containers:
        - name: {{ .Chart.Name }}
          image: "{{ .Values.image.repository }}:{{ default .Chart.AppVersion .Values.image.tag }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}

It works perfectly because 65534 is the UID of the "nobody" user, but it doesn't seem to be a stable solution because the UID is not guaranteed.
Does anyone have an idea how to make it clean?
Or should we just make a change in the Dockerfile to fix an ID? https://github.com/PrivateBin/docker-nginx-fpm-alpine/blob/master/Dockerfile#L54

Dark Mode ?

Hello,

I see a file darkstrap-0.9.3.css; how do I switch to this?

wrong containerPort in templates/statefulset.yaml

https://github.com/PrivateBin/helm-chart/blob/master/privatebin/templates/statefulset.yaml is incorrectly configured to send traffic to container port 80.

Your container is listening on 8080.

From https://github.com/PrivateBin/docker-nginx-fpm-alpine/blob/master/README.md

  • -p 8080:8080 - The Nginx webserver inside the container listens on port 8080, this parameter exposes it on your system on port 8080. Be sure to use a reverse proxy for HTTPS termination in front of it in production environments.

Add ingress testing

Currently we don't test the ingress config, which can lead to unexpected bugs.

Honor custom labels on ingress definition

In order to get, for example, the HTTP-01 challenge working, custom labels should be honored by the ingress template.

values.yaml:

ingress:
  enabled: true
  className: external
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-production
    acme.cert-manager.io/http01-edit-in-place: "true"
  labels:
    use-http01-solver: "true" <----

templates/ingress.yaml:

...
kind: Ingress
metadata:
  name: {{ $fullName }}
  labels:
    app.kubernetes.io/name: {{ include "privatebin.name" . }}
    helm.sh/chart: {{ include "privatebin.chart" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    {{- with .Values.ingress.labels }} <----
      {{- toYaml . | nindent 4 }}
    {{- end }}
  {{- with .Values.ingress.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
...

Upgrade to Helm api v2

With the Helm 3 release, it might be time to update to v2.

  • In Chart.yaml, bump apiVersion to "v2" and add a type field with value "application".
  • The test-failure hook annotation value was removed, and test-success is deprecated. Use test instead.

I think those are really the only things to touch, but could use a test.

serviceName needs to be added to templates/statefulset.yaml

Please see:

At some point, spec.serviceName became required for StatefulSet resources.

Currently, the helm chart will not install if the value service.controller.kind is set to StatefulSet, because there is no spec.serviceName in templates/statefulset.yaml.

Please consider adding something like the following to templates/statefulset.yaml:

     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}
 spec:
+  serviceName: {{ include "privatebin.name" . }}                                                  
   selector:
     matchLabels:
       app.kubernetes.io/name: {{ include "privatebin.name" . }}
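Review bot: the added `serviceName` should name the Service the chart actually creates for the StatefulSet, and `{{ include "privatebin.name" . }}` yields the chart name rather than the release-qualified resource name; the ingress template quoted earlier on this page names its resource `{{ $fullName }}`, so if templates/service.yaml uses the same fullname helper, this `serviceName` will not match whenever the release name differs from `privatebin`. Suggest using whatever helper service.yaml uses for its `metadata.name` (e.g. the chart's fullname helper), and noting that the governing Service of a StatefulSet is conventionally headless (`clusterIP: None`).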

Thanks for all the hard work on such an awesome project!

Chart 0.10.x broken in OpenShift Kubernetes because of 'readOnlyRootFileSystem'

Hello, I just made the update from chart 0.8.0 to 0.10.1 in our OpenShift Kubernetes environment. I am using the :latest image tag.

However, due to the new 'readOnlyRootFileSystem' = true setting brought to the chart, the pod will not start anymore.
Setting 'readOnlyRootFileSystem' to false solves the following error:

cp: can't create directory '/run/services': Read-only file system
s6-svscan: fatal: unable to chdir: No such file or directory

I saw that the Dockerfile of the image is using the 'VOLUME' command, e.g. for /run. However, this does not seem to help in K8s.
Maybe some sort of mount for /run etc. needs to be incorporated for it to work?

An easy fix would be to allow disabling the 'readOnlyRootFileSystem' via values.yaml.
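The pod-level hardening asked for in the issues above (the read-only root filesystem with a writable /run, a numeric runAsUser so runAsNonRoot can be verified, and automountServiceAccountToken: false) combined in one plain Pod manifest, with fsGroup standing in for the chown init container so no masked chown errors are needed on volume plugins that honour fsGroup. This is an added example, not the chart's own template: the image name and tag, the /srv/data path, and the busybox-free single-container layout are assumptions; /run is the only writable path the quoted error proves is needed, so other paths may need an emptyDir too.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: privatebin-hardened            # constructed name, not from the chart
spec:
  # The web app never calls the Kubernetes API, so keep the SA token out of the pod.
  automountServiceAccountToken: false
  securityContext:
    runAsUser: 65534                   # UID of "nobody" in the image; numeric so runAsNonRoot is verifiable
    runAsGroup: 82
    runAsNonRoot: true
    fsGroup: 82                        # kubelet makes the data volume group-owned by GID 82 (no chown needed)
  containers:
    - name: privatebin
      image: privatebin/nginx-fpm-alpine:1.7.4   # assumed image name; tag taken from the README version
      ports:
        - containerPort: 8080          # nginx inside the image listens on 8080, not 80
      securityContext:
        readOnlyRootFilesystem: true
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: run
          mountPath: /run              # s6-svscan needs a writable /run (error quoted in the issue above)
        - name: data
          mountPath: /srv/data         # assumed data directory of the image
        - name: config
          mountPath: /srv/cfg          # path the chart's initContainer operates on
          readOnly: true
  volumes:
    - name: run
      emptyDir: {}                     # tmpfs-style scratch space, discarded with the pod
    - name: data
      persistentVolumeClaim:
        claimName: storage-privatebin-0    # PVC name from the GKE workaround above
    - name: config
      configMap:
        name: privatebin-configs           # ConfigMap name seen in the configs issue above
```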

Add option to add env values + secret mount

I would like to use this chart with the GCS backend, but I'm missing an option to add env values (needed for the env var with the path to the JSON service account). Also I need to mount this JSON file into the container. I could probably do it with configs, but I would prefer to mount the service account from a secret.

I can create a PR for this; I just wanted to know your opinion on it.
