chore(immich): Only pass secrets to containers that need them and mount files only where needed (#9697)

**Description**
<!--
Please include a summary of the change and which issue is fixed. Please
also include relevant motivation and context. List any dependencies that
are required for this change.
-->
⚒️ Fixes  # <!--(issue)-->

Doing some env cleanup based on
https://github.com/immich-app/immich/pull/2814

- Moves services in values.yaml so references always resolve.
- Removes all media mounts from machinelearning, it uses http now.
- Removes Env Vars from containers that do not need them
- Removes secret/configmap mounts from containers that do not need them.
- Reduces added capabilities.
- Removes dead variables

**⚙️ Type of change**

- [ ] ⚙️ Feature/App addition
- [ ] 🪛 Bugfix
- [ ] ⚠️ Breaking change (fix or feature that would cause existing
functionality to not work as expected)
- [ ] 🔃 Refactor of current code

**🧪 How Has This Been Tested?**
<!--
Please describe the tests that you ran to verify your changes. Provide
instructions so we can reproduce. Please also list any relevant details
for your test configuration
-->

**📃 Notes:**
<!-- Please enter any other relevant information here -->

**✔️ Checklist:**

- [ ] ⚖️ My code follows the style guidelines of this project
- [ ] 👀 I have performed a self-review of my own code
- [ ] #️⃣ I have commented my code, particularly in hard-to-understand
areas
- [ ] 📄 I have made corresponding changes to the documentation
- [ ] ⚠️ My changes generate no new warnings
- [ ] 🧪 I have added tests to this description that prove my fix is
effective or that my feature works
- [ ] ⬆️ I increased versions for any altered app according to semantic
versioning

** App addition**

If this PR is an app addition please make sure you have done the
following.

- [ ] 🪞 I have opened a PR on
[truecharts/containers](https://github.com/truecharts/containers) adding
the container to TrueCharts mirror repo.
- [ ] 🖼️ I have added an icon in the Chart's root directory called
`icon.png`

---

_Please don't blindly check all the boxes. Read them and only check
those that apply.
Those checkboxes are there for the reviewer to see what this is all
about and
the status of this PR at a quick glance._

---------

Signed-off-by: Stavros Kois <47820033+stavros-k@users.noreply.github.com>
Stavros Kois
2023-06-20 23:11:23 +03:00
committed by GitHub
parent 1338b67038
commit 90199af33d
12 changed files with 153 additions and 141 deletions


@@ -22,7 +22,7 @@ name: immich
sources:
- https://github.com/truecharts/charts/tree/master/charts/stable/immich
- https://github.com/immich-app/immich
version: 7.0.16
version: 7.1.0
annotations:
truecharts.org/catagories: |
- media


@@ -38,28 +38,25 @@ questions:
type: int
show_if: [["disable_reverse_geocoding", "=", false]]
default: 3
- variable: mapbox_enable
label: Enable MapBox
schema:
type: boolean
default: false
- variable: mapbox_key
label: MaxBox Key
schema:
type: string
private: true
show_if: [["maxbox_enable", "=", false]]
default: ""
- variable: log_level
label: Log Level
schema:
type: string
default: simple
default: log
enum:
- value: log
description: log
- value: simple
description: simple
description: simple (Switch to log ASAP)
- value: warn
description: warn
- value: error
description: error
- value: verbose
description: verbose
- value: debug
description: debug
- variable: enable_ml
label: Enable Machine Learning Container
schema:


@@ -1,10 +1,8 @@
{{- define "immich.config" -}}
{{- $fname := (include "tc.v1.common.lib.chart.names.fullname" .) -}}
{{- $secretName := printf "%s-secret" $fname -}}
{{- $jwtSecret := randAlphaNum 32 -}}
{{- $typesenseKey := randAlphaNum 32 -}}
{{- with (lookup "v1" "Secret" .Release.Namespace $secretName) -}}
{{- $jwtSecret = index .data "JWT_SECRET" | b64dec -}}
{{- $typesenseKey = index .data "TYPESENSE_API_KEY" | b64dec -}}
{{- end }}
@@ -13,31 +11,42 @@ configmap:
enabled: true
data:
PORT: {{ .Values.service.web.ports.web.port | quote }}
NODE_ENV: production
IMMICH_SERVER_URL: {{ printf "http://%v-server:%v" $fname .Values.service.server.ports.server.port }}
PUBLIC_IMMICH_SERVER_URL: {{ printf "http://%v-server:%v" $fname .Values.service.server.ports.server.port }}
{{- with .Values.immich.public_login_page_message }}
PUBLIC_LOGIN_PAGE_MESSAGE: {{ . }}
{{- end }}
server-config:
enabled: true
data:
{{/* User Defined */}}
DISABLE_REVERSE_GEOCODING: {{ .Values.immich.disable_reverse_geocoding | quote }}
REVERSE_GEOCODING_PRECISION: {{ .Values.immich.reverse_geocoding_precision | quote }}
ENABLE_MAPBOX: {{ .Values.immich.mapbox_enable | quote }}
SERVER_PORT: {{ .Values.service.server.ports.server.port | quote }}
micro-config:
enabled: true
data:
MICROSERVICES_PORT: {{ .Values.service.microservices.ports.microservices.port | quote }}
DISABLE_REVERSE_GEOCODING: {{ .Values.immich.disable_reverse_geocoding | quote }}
REVERSE_GEOCODING_PRECISION: {{ .Values.immich.reverse_geocoding_precision | quote }}
REVERSE_GEOCODING_DUMP_DIRECTORY: {{ .Values.persistence.microcache.targetSelector.microservices.microservices.mountPath }}
{{- if .Values.immich.enable_ml }}
ml-config:
enabled: true
data:
NODE_ENV: production
MACHINE_LEARNING_PORT: {{ .Values.service.machinelearning.ports.machinelearning.port | quote }}
MACHINE_LEARNING_CACHE_FOLDER: {{ .Values.persistence.mlcache.targetSelector.machinelearning.machinelearning.mountPath }}
TRANSFORMERS_CACHE: {{ .Values.persistence.mlcache.targetSelector.machinelearning.machinelearning.mountPath }}
{{- end }}
{{/* Server and Microservices */}}
common-config:
enabled: true
data:
IMMICH_WEB_URL: {{ printf "http://%v-web:%v" $fname .Values.service.web.ports.web.port }}
IMMICH_SERVER_URL: {{ printf "http://%v-server:%v" $fname .Values.service.server.ports.server.port }}
NODE_ENV: production
LOG_LEVEL: {{ .Values.immich.log_level }}
{{- if .Values.immich.enable_ml }}
IMMICH_MACHINE_LEARNING_URL: {{ printf "http://%v-machinelearning:%v" $fname .Values.service.machinelearning.ports.machinelearning.port }}
{{- else }}
@@ -45,24 +54,16 @@ configmap:
{{- end }}
TYPESENSE_ENABLED: {{ .Values.immich.enable_typesense | quote }}
{{- if .Values.immich.enable_typesense }}
TYPESENSE_URL: {{ printf "http://%v-typesense:%v" $fname .Values.service.typesense.ports.typesense.port }}
TYPESENSE_PROTOCOL: http
TYPESENSE_HOST: {{ printf "%v-typesense" $fname }}
TYPESENSE_PORT: {{ .Values.service.typesense.ports.typesense.port | quote }}
{{- end }}
{{/*
Its unclear where this URL is being used, but poking in their code, seems to be used internally?
Its set to the value of IMMICH_SERVER_URL on their compose. If something doesnt work remotely,
This is the place to start looking
https://github.com/immich-app/immich/blob/b5d75e20167b92de12cc50a816da214779cb0807/web/src/api/api.ts#L55
*/}}
PUBLIC_IMMICH_SERVER_URL: {{ printf "http://%v-server:%v" $fname .Values.service.server.ports.server.port }}
NODE_ENV: production
{{/* User Defined */}}
{{- with .Values.immich.public_login_page_message }}
PUBLIC_LOGIN_PAGE_MESSAGE: {{ . }}
{{- end }}
LOG_LEVEL: {{ .Values.immich.log_level }}
proxy-config:
enabled: true
data:
IMMICH_WEB_URL: {{ printf "http://%v-web:%v" $fname .Values.service.web.ports.web.port }}
IMMICH_SERVER_URL: {{ printf "http://%v-server:%v" $fname .Values.service.server.ports.server.port }}
secret:
typesense-secret:
@@ -71,15 +72,13 @@ secret:
{{/* Secret Key */}}
TYPESENSE_API_KEY: {{ $typesenseKey }}
TYPESENSE_DATA_DIR: {{ .Values.persistence.typesense.targetSelector.typesense.typesense.mountPath }}
secret:
enabled: true
data:
{{/* Secret Key */}}
JWT_SECRET: {{ $jwtSecret }}
TYPESENSE_API_KEY: {{ $typesenseKey }}
{{- with .Values.immich.mapbox_key }}
MAPBOX_KEY: {{ . }}
{{- end }}
{{/* Server and Microservices */}}
deps-secret:
enabled: true
data:
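Review bot: `PUBLIC_LOGIN_PAGE_MESSAGE: {{ . }}` and `LOG_LEVEL: {{ .Values.immich.log_level }}` in common-config render operator-supplied strings into the configmap unquoted, unlike the neighbouring values that go through `| quote`; a message containing `: ` or ` #`, or one starting with `{`, `[`, `*`, `&` or a boolean-looking word, is either re-typed or breaks the rendered YAML, and the breakage only shows up when the loader runs `fromYaml` on it. Use `PUBLIC_LOGIN_PAGE_MESSAGE: {{ . | quote }}` and `LOG_LEVEL: {{ .Values.immich.log_level | quote }}`. Since every container whose envFrom lists common-config now reads these keys, the one quoting fix covers all of them. The immich.config definition starts before the first hunk of this file.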


@@ -1,27 +1,25 @@
{{/* Define the machinelearning container */}}
{{- define "immich.machinelearning" -}}
{{- $fname := (include "tc.v1.common.lib.chart.names.fullname" .) -}}
{{- $serverUrl := printf "http://%v-server:%v/server-info/ping" $fname .Values.service.server.ports.server.port }}
enabled: true
type: Deployment
podSpec:
initContainers:
wait-server:
{{- include "immich.wait" (dict "variable" "IMMICH_SERVER_URL" "path" "server-info/ping") | nindent 6 }}
{{/* Wait for server */}}
{{- include "immich.wait" (dict "url" $serverUrl) | nindent 6 }}
containers:
machinelearning:
enabled: true
primary: true
imageSelector: mlImage
securityContext:
capabilities:
disableS6Caps: true
envFrom:
- configMapRef:
name: common-config
- configMapRef:
name: server-config
- configMapRef:
name: ml-config
- secretRef:
name: deps-secret
- secretRef:
name: secret
probes:
readiness:
enabled: true
@@ -39,16 +37,3 @@ podSpec:
path: /ping
port: {{ .Values.service.machinelearning.ports.machinelearning.port }}
{{- end -}}
{{- define "immich.machinelearning.service" -}}
enabled: true
type: ClusterIP
targetSelector: machinelearning
ports:
machinelearning:
enabled: true
primary: true
port: 10003
protocol: http
targetSelector: machinelearning
{{- end -}}


@@ -1,16 +1,22 @@
{{- define "immich.microservices" -}}
{{- $fname := (include "tc.v1.common.lib.chart.names.fullname" .) -}}
{{- $serverUrl := printf "http://%v-server:%v/server-info/ping" $fname .Values.service.server.ports.server.port }}
enabled: true
type: Deployment
podSpec:
initContainers:
wait-server:
{{- include "immich.wait" (dict "variable" "IMMICH_SERVER_URL" "path" "server-info/ping") | nindent 6 }}
{{/* Wait for server */}}
{{- include "immich.wait" (dict "url" $serverUrl) | nindent 6 }}
containers:
microservices:
enabled: true
primary: true
imageSelector: image
args: start-microservices.sh
securityContext:
capabilities:
disableS6Caps: true
envFrom:
- secretRef:
name: secret
@@ -18,8 +24,6 @@ podSpec:
name: deps-secret
- configMapRef:
name: common-config
- configMapRef:
name: server-config
- configMapRef:
name: micro-config
probes:
@@ -48,16 +52,3 @@ podSpec:
- |
ps -a | grep -v grep | grep -q microservices
{{- end -}}
{{- define "immich.microservices.service" -}}
enabled: true
type: ClusterIP
targetSelector: microservices
ports:
microservices:
enabled: true
primary: true
port: 10004
protocol: http
targetSelector: microservices
{{- end -}}


@@ -1,18 +1,31 @@
{{- define "immich.proxy" -}}
{{- $fname := (include "tc.v1.common.lib.chart.names.fullname" .) -}}
{{- $serverUrl := printf "http://%v-server:%v/server-info/ping" $fname .Values.service.server.ports.server.port }}
{{- $webUrl := printf "http://%v-web:%v/robots.txt" $fname .Values.service.web.ports.web.port }}
enabled: true
type: Deployment
podSpec:
initContainers:
wait-server:
{{- include "immich.wait" (dict "variable" "IMMICH_SERVER_URL" "path" "server-info/ping") | nindent 6 }}
{{/* Wait for server */}}
{{- include "immich.wait" (dict "url" $serverUrl) | nindent 6 }}
{{/* Wait for web, otherwise nginx will fail to find host */}}
{{- include "immich.wait" (dict "url" $webUrl) | nindent 6 }}
containers:
proxy:
enabled: true
primary: true
imageSelector: proxyImage
securityContext:
capabilities:
disableS6Caps: true
add:
- CHOWN
- SETUID
- SETGID
envFrom:
- configMapRef:
name: common-config
name: proxy-config
probes:
readiness:
enabled: true
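Review bot: The proxy container drops the s6 defaults with `disableS6Caps: true` but still adds `CHOWN`, `SETUID` and `SETGID` under `capabilities:`, and nothing in the template records which step of the proxy image needs each one, so the next reviewer cannot tell whether any of them can go when the image changes. A one-line template comment above `add:` stating the requirement, for example `{{/* TODO(review): note which proxy entrypoint step needs CHOWN/SETUID/SETGID */}}` until it is confirmed, keeps that decision visible next to the grant. The web container in its hunk keeps `SETUID`/`SETGID` in the same way and would benefit from the same comment.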


@@ -3,6 +3,9 @@ enabled: true
primary: true
imageSelector: image
args: start-server.sh
securityContext:
capabilities:
disableS6Caps: true
envFrom:
- configMapRef:
name: server-config


@@ -8,6 +8,9 @@ podSpec:
enabled: true
primary: true
imageSelector: typesenseImage
securityContext:
capabilities:
disableS6Caps: true
envFrom:
- secretRef:
name: typesense-secret
@@ -31,16 +34,3 @@ podSpec:
path: /health
port: {{ .Values.service.typesense.ports.typesense.port }}
{{- end -}}
{{- define "immich.typesense.service" -}}
enabled: true
type: ClusterIP
targetSelector: typesense
ports:
typesense:
enabled: true
primary: true
port: 10002
protocol: http
targetSelector: typesense
{{- end -}}


@@ -1,20 +1,16 @@
{{- define "immich.wait" -}}
{{- $path := .path | default "" }}
{{- $variable := .variable }}
{{- $url := .url }}
enabled: true
type: init
imageSelector: alpineImage
envFrom:
- configMapRef:
name: common-config
command:
- /bin/ash
- -c
- |
echo "Pinging [${{ $variable }}/{{ $path }}] until it is ready..."
until wget --spider --quiet "${{ $variable }}/{{ $path }}"; do
echo "Waiting for [${{ $variable }}/{{ $path }}] to be ready..."
echo "Pinging [{{ $url }}] until it is ready..."
until wget --spider --quiet "{{ $url }}"; do
echo "Waiting for [{{ $url }}] to be ready..."
sleep 2
done
echo "URL [${{ $variable }}/{{ $path }}] is ready!"
echo "URL [{{ $url }}] is ready!"
{{- end -}}


@@ -1,23 +1,28 @@
{{/* Define the web container */}}
{{- define "immich.web" -}}
{{- $fname := (include "tc.v1.common.lib.chart.names.fullname" .) -}}
{{- $serverUrl := printf "http://%v-server:%v/server-info/ping" $fname .Values.service.server.ports.server.port }}
enabled: true
type: Deployment
podSpec:
initContainers:
wait-server:
{{- include "immich.wait" (dict "variable" "IMMICH_SERVER_URL" "path" "server-info/ping") | nindent 6 }}
{{/* Wait for server */}}
{{- include "immich.wait" (dict "url" $serverUrl) | nindent 6 }}
containers:
web:
enabled: true
primary: true
imageSelector: webImage
securityContext:
capabilities:
disableS6Caps: true
add:
- SETUID
- SETGID
envFrom:
- configMapRef:
name: common-config
- configMapRef:
name: web-config
- secretRef:
name: deps-secret
probes:
readiness:
enabled: true
@@ -35,16 +40,3 @@ podSpec:
path: /robots.txt
port: {{ .Values.service.web.ports.web.port }}
{{- end -}}
{{- define "immich.web.service" -}}
enabled: true
type: ClusterIP
targetSelector: web
ports:
web:
enabled: true
primary: true
port: 10000
protocol: http
targetSelector: web
{{- end -}}


@@ -1,27 +1,42 @@
{{/* Make sure all variables are set properly */}}
{{- include "tc.v1.common.loader.init" . }}
{{- $fname := (include "tc.v1.common.lib.chart.names.fullname" .) -}}
{{/* Render Proxy Workload */}}
{{- $_ := set .Values.workload "proxy" (include "immich.proxy" . | fromYaml) -}}
{{- $_ := set .Values.workload.main.podSpec.containers "main" (include "immich.server" . | fromYaml) -}}
{{- if .Values.immich.enable_typesense -}}
{{- $_ := set .Values.workload.main.podSpec.initContainers "wait-typesense" (include "immich.wait" (dict "variable" "TYPESENSE_URL" "path" "health") | fromYaml) -}}
{{/* Append init container to server, to make sure typesense is ready before starting */}}
{{- $url := printf "http://%v-typesense:%v/health" $fname .Values.service.typesense.ports.typesense.port -}}
{{- $_ := set .Values.workload.main.podSpec.initContainers "wait-typesense" (include "immich.wait" (dict "url" $url) | fromYaml) -}}
{{- end -}}
{{- $_ := set .Values.service "web" (include "immich.web.service" . | fromYaml) -}}
{{/* Render Web Workload */}}
{{- $_ := set .Values.workload "web" (include "immich.web" . | fromYaml) -}}
{{- $_ := set .Values.service "microservices" (include "immich.microservices.service" . | fromYaml) -}}
{{/* Render Microservices Workload */}}
{{- $_ := set .Values.workload "microservices" (include "immich.microservices" . | fromYaml) -}}
{{- if .Values.immich.enable_ml -}}
{{- $_ := set .Values.service "machinelearning" (include "immich.machinelearning.service" . | fromYaml) -}}
{{/* Enable Machine Learning Service */}}
{{- $_ := set .Values.service.machinelearning "enabled" true -}}
{{/* Render Machine Learning Workload */}}
{{- $_ := set .Values.workload "machinelearning" (include "immich.machinelearning" . | fromYaml) -}}
{{- else -}}
{{/* Disable Machine Learning Service */}}
{{- $_ := set .Values.service.machinelearning "enabled" false -}}
{{- end -}}
{{- if .Values.immich.enable_typesense -}}
{{- $_ := set .Values.service "typesense" (include "immich.typesense.service" . | fromYaml) -}}
{{/* Enable Typesense Service */}}
{{- $_ := set .Values.service.typesense "enabled" true -}}
{{/* Render Typesense Workload */}}
{{- $_ := set .Values.workload "typesense" (include "immich.typesense" . | fromYaml) -}}
{{- else -}}
{{/* Disable Typesense Service */}}
{{- $_ := set .Values.service.typesense "enabled" false -}}
{{- end -}}
{{/* Render configuration for immich


@@ -32,10 +32,7 @@ immich:
public_login_page_message: Immich
disable_reverse_geocoding: false
reverse_geocoding_precision: 3
# simple | verbose
log_level: simple
mapbox_enable: false
mapbox_key: ""
log_level: log
service:
main:
@@ -59,6 +56,50 @@ service:
port: 10001
protocol: http
targetSelector: main
web:
enabled: true
type: ClusterIP
targetSelector: web
ports:
web:
enabled: true
primary: true
port: 10000
protocol: http
targetSelector: web
microservices:
enabled: true
type: ClusterIP
targetSelector: microservices
ports:
microservices:
enabled: true
primary: true
port: 10004
protocol: http
targetSelector: microservices
machinelearning:
enabled: true
type: ClusterIP
targetSelector: machinelearning
ports:
machinelearning:
enabled: true
primary: true
port: 10003
protocol: http
targetSelector: machinelearning
typesense:
enabled: true
type: ClusterIP
targetSelector: typesense
ports:
typesense:
enabled: true
primary: true
port: 10002
protocol: http
targetSelector: typesense
persistence:
mlcache:
@@ -91,8 +132,6 @@ persistence:
main: {}
microservices:
microservices: {}
machinelearning:
machinelearning: {}
uploads:
enabled: true
mountPath: /usr/src/app/upload/upload
@@ -102,8 +141,6 @@ persistence:
main: {}
microservices:
microservices: {}
machinelearning:
machinelearning: {}
thumbs:
enabled: true
mountPath: /usr/src/app/upload/thumbs
@@ -113,8 +150,6 @@ persistence:
main: {}
microservices:
microservices: {}
machinelearning:
machinelearning: {}
profile:
enabled: true
mountPath: /usr/src/app/upload/profile
@@ -124,8 +159,6 @@ persistence:
main: {}
microservices:
microservices: {}
machinelearning:
machinelearning: {}
video:
enabled: true
mountPath: /usr/src/app/upload/encoded-video
@@ -135,8 +168,6 @@ persistence:
main: {}
microservices:
microservices: {}
machinelearning:
machinelearning: {}
cnpg:
main:
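Review bot: The first hunk of values.yaml replaces `log_level: simple` and its `# simple | verbose` hint with `log_level: log` but leaves no comment listing the accepted values, even though questions.yaml in this commit enumerates them and marks `simple` as one to move away from. Putting `# log | simple | warn | error | verbose | debug` above `log_level: log` keeps values.yaml self-describing for anyone editing it without the questions UI. The value is consumed unquoted by the configmap template, so the comment is also the only place that documents the expected shape.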