50424fc574
Allow the first-boot admin account to be configured via ADMIN_EMAIL and ADMIN_PASSWORD environment variables. If both are set the account is created with those credentials; otherwise the existing random-password fallback is used. Documented across .env.example, docker-compose.yml, Helm chart (values.yaml, secret.yaml, deployment.yaml), and CLAUDE.md. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
78 lines
2.4 KiB
YAML
78 lines
2.4 KiB
YAML
|
|
image:
|
|
repository: mauriceboe/trek
|
|
tag: latest
|
|
pullPolicy: IfNotPresent
|
|
|
|
# Optional image pull secrets for private registries
|
|
imagePullSecrets: []
|
|
# - name: my-registry-secret
|
|
|
|
service:
|
|
type: ClusterIP
|
|
port: 3000
|
|
|
|
env:
|
|
NODE_ENV: production
|
|
PORT: 3000
|
|
# ALLOWED_ORIGINS: ""
|
|
# NOTE: If using ingress, ensure env.ALLOWED_ORIGINS matches the domains in ingress.hosts for proper CORS configuration.
|
|
# ALLOW_INTERNAL_NETWORK: "false"
|
|
# Set to "true" if Immich or other integrated services are hosted on a private/RFC-1918 network address.
|
|
# Loopback (127.x) and link-local/metadata addresses (169.254.x) are always blocked.
|
|
# COOKIE_SECURE: "true"
|
|
# Set to "false" to allow session cookies over plain HTTP (e.g. no ingress TLS). Not recommended for production.
|
|
# OIDC_DISCOVERY_URL: ""
|
|
# Override the OIDC discovery endpoint for providers with non-standard paths (e.g. Authentik).
|
|
|
|
|
|
# Secret environment variables stored in a Kubernetes Secret.
|
|
# JWT_SECRET is managed entirely by the server (auto-generated into the data PVC,
|
|
# rotatable via the admin panel) — it is not configured here.
|
|
secretEnv:
|
|
# At-rest encryption key for stored secrets (API keys, MFA, SMTP, OIDC, etc.).
|
|
# Recommended: set to a random 32-byte hex value (openssl rand -hex 32).
|
|
# If left empty the server resolves the key automatically:
|
|
# 1. data/.jwt_secret (existing installs — encrypted data stays readable after upgrade)
|
|
# 2. data/.encryption_key auto-generated on first start (fresh installs)
|
|
ENCRYPTION_KEY: ""
|
|
# Initial admin account — only used on first boot when no users exist yet.
|
|
# If both values are non-empty the admin account is created with these credentials.
|
|
# If either is empty a random password is generated and printed to the server log.
|
|
ADMIN_EMAIL: ""
|
|
ADMIN_PASSWORD: ""
|
|
|
|
# If true, a random ENCRYPTION_KEY is generated at install and preserved across upgrades
|
|
generateEncryptionKey: false
|
|
|
|
# If set, use an existing Kubernetes secret that contains ENCRYPTION_KEY
|
|
existingSecret: ""
|
|
existingSecretKey: ENCRYPTION_KEY
|
|
|
|
persistence:
|
|
enabled: true
|
|
data:
|
|
size: 1Gi
|
|
uploads:
|
|
size: 1Gi
|
|
|
|
resources:
|
|
requests:
|
|
cpu: 100m
|
|
memory: 256Mi
|
|
limits:
|
|
cpu: 500m
|
|
memory: 512Mi
|
|
|
|
ingress:
|
|
enabled: false
|
|
annotations: {}
|
|
hosts:
|
|
- host: chart-example.local
|
|
paths:
|
|
- /
|
|
tls: []
|
|
# - secretName: chart-example-tls
|
|
# hosts:
|
|
# - chart-example.local
|