c9e61859ce
Existing installs no longer need to manually set ENCRYPTION_KEY to their old JWT secret on upgrade — the server falls back to data/.jwt_secret automatically. Update values.yaml, NOTES.txt, and chart README accordingly.
TREK Helm Chart
This is a minimal Helm chart for deploying the TREK app.
Features
- Deploys the TREK container
- Exposes port 3000 via Service
- Optional persistent storage for
/app/dataand/app/uploads - Configurable environment variables and secrets
- Optional generic Ingress support
- Health checks on
/api/health
Usage
helm install trek ./chart \
--set ingress.enabled=true \
--set ingress.hosts[0].host=yourdomain.com
See values.yaml for more options.
Files
Chart.yaml— chart metadatavalues.yaml— configuration valuestemplates/— Kubernetes manifests
Notes
- Ingress is off by default. Enable and configure hosts for your domain.
- PVCs require a default StorageClass or specify one as needed.
JWT_SECRETis managed entirely by the server — auto-generated into the data PVC on first start and rotatable via the admin panel (Settings → Danger Zone). No Helm configuration needed.ENCRYPTION_KEYencrypts stored secrets (API keys, MFA, SMTP, OIDC) at rest. Recommended: set viasecretEnv.ENCRYPTION_KEYorexistingSecret. If left empty, the server falls back automatically: existing installs usedata/.jwt_secret(no action needed on upgrade); fresh installs auto-generate a key persisted to the data PVC.- If using ingress, you must manually keep
env.ALLOWED_ORIGINSandingress.hostsin sync to ensure CORS works correctly. The chart does not sync these automatically. - Set
env.ALLOW_INTERNAL_NETWORK: "true"if Immich or other integrated services are hosted on a private/RFC-1918 address (e.g. a pod on the same cluster or a NAS on your LAN). Loopback (127.x) and link-local/metadata addresses (169.254.x) remain blocked regardless.