History

perf3ct 93211bec6e feat(server): implement better jwt generation and cpu core usage		2025-08-16 18:18:42 +00:00
..
templates	feat(server): implement better jwt generation and cpu core usage	2025-08-16 18:18:42 +00:00
.helmignore	feat(helm): set up bones for helm chart	2025-06-13 23:01:05 +00:00
Chart.yaml	chore(deps): update helm release common to v4.2.0	2025-08-14 18:59:54 +00:00
README.md	feat(server): implement better jwt generation and cpu core usage	2025-08-16 18:18:42 +00:00
values.yaml	feat(server): implement better jwt generation and cpu core usage	2025-08-16 18:18:42 +00:00

README.md

Readur Helm Chart

This Helm chart deploys Readur on Kubernetes using the bjw-s common library chart.

Installation

helm repo add readur https://readur.github.io/charts
helm install readur readur/readur

Configuration

JWT Secret

The JWT secret is automatically generated and persisted if not provided. You have three options:

Auto-generation (Recommended): Don't set any JWT configuration, and a secure secret will be auto-generated
Custom value: Set jwtSecret.value in your values
Existing secret: Reference an existing Kubernetes secret with jwtSecret.existingSecret

# Option 1: Auto-generate (default)
jwtSecret:
  existingSecret: ""
  value: ""

# Option 2: Provide custom value
jwtSecret:
  value: "your-secure-secret-here"

# Option 3: Use existing Kubernetes secret
jwtSecret:
  existingSecret: "my-jwt-secret"

The auto-generated secret is preserved across upgrades using the helm.sh/resource-policy: keep annotation.

Database Configuration

Configure the database connection using either a direct URL or an existing secret:

# Option 1: Direct URL (not recommended for production)
database:
  url: "postgresql://user:password@postgres/readur"

# Option 2: Use existing secret (recommended)
database:
  existingSecret: "readur-database-secret"

If using an existing secret, it should contain a DATABASE_URL key.

Persistence

The chart configures two persistent volumes:

persistence:
  uploads:
    enabled: true
    size: 10Gi
    storageClass: ""  # Uses default if not specified
  
  watch:
    enabled: true
    size: 5Gi
    storageClass: ""

Ingress

Enable ingress to expose Readur:

ingress:
  main:
    enabled: true
    className: nginx
    hosts:
      - host: readur.example.com
        paths:
          - path: /
            pathType: Prefix
    tls:
      - secretName: readur-tls
        hosts:
          - readur.example.com

Security Considerations

JWT Secret: The auto-generated JWT secret is stored in a Kubernetes Secret and persists across upgrades
Database Credentials: Use Kubernetes Secrets for database credentials in production
File Permissions: An init container sets proper permissions for upload/watch directories
Non-root User: The container runs as UID 1000 (non-root) for security

Upgrading

When upgrading the chart, the JWT secret is preserved automatically. If you need to rotate the secret:

Delete the existing secret: kubectl delete secret <release-name>-jwt
Upgrade the chart: helm upgrade readur readur/readur

Full Configuration

See values.yaml for all available configuration options.