github/TREK
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6f5550dc5066b7ba4f3ce42e7b3a41a8a8918728
TREK/chart
History
jubnl 6f5550dc50 fix: decouple at-rest encryption from JWT_SECRET, add JWT rotation 
Introduces a dedicated ENCRYPTION_KEY for encrypting stored secrets
(API keys, MFA TOTP, SMTP password, OIDC client secret) so that
rotating the JWT signing secret no longer invalidates encrypted data,
and a compromised JWT_SECRET no longer exposes stored credentials.

- server/src/config.ts: add ENCRYPTION_KEY (auto-generated to
  data/.encryption_key if not set, same pattern as JWT_SECRET);
  switch JWT_SECRET to `export let` so updateJwtSecret() keeps the
  CJS module binding live for all importers without restart
- apiKeyCrypto.ts, mfaCrypto.ts: derive encryption keys from
  ENCRYPTION_KEY instead of JWT_SECRET
- admin POST /rotate-jwt-secret: generates a new 32-byte hex secret,
  persists it to data/.jwt_secret, updates the live in-process binding
  via updateJwtSecret(), and writes an audit log entry
- Admin panel (Settings → Danger Zone): "Rotate JWT Secret" button
  with a confirmation modal warning that all sessions will be
  invalidated; on success the acting admin is logged out immediately
- docker-compose.yml, .env.example, README, Helm chart (values.yaml,
  secret.yaml, deployment.yaml, NOTES.txt, README): document
  ENCRYPTION_KEY and its upgrade migration path
2026-04-01 07:57:55 +02:00
..
templates
fix: decouple at-rest encryption from JWT_SECRET, add JWT rotation
2026-04-01 07:57:55 +02:00
Chart.yaml
feat: add Helm chart for Kubernetes deployment — thanks @another-novelty
2026-03-30 12:27:21 +03:00
README.md
fix: decouple at-rest encryption from JWT_SECRET, add JWT rotation
2026-04-01 07:57:55 +02:00
values.yaml
fix: decouple at-rest encryption from JWT_SECRET, add JWT rotation
2026-04-01 07:57:55 +02:00

README.md

TREK Helm Chart

This is a minimal Helm chart for deploying the TREK app.

Features

  • Deploys the TREK container
  • Exposes port 3000 via Service
  • Optional persistent storage for /app/data and /app/uploads
  • Configurable environment variables and secrets
  • Optional generic Ingress support
  • Health checks on /api/health

Usage

helm install trek ./chart \
  --set secretEnv.JWT_SECRET=your_jwt_secret \
  --set ingress.enabled=true \
  --set ingress.hosts[0].host=yourdomain.com

See values.yaml for more options.

Files

  • Chart.yaml — chart metadata
  • values.yaml — configuration values
  • templates/ — Kubernetes manifests

Notes

  • Ingress is off by default. Enable and configure hosts for your domain.
  • PVCs require a default StorageClass or specify one as needed.
  • JWT_SECRET should be set for production use; auto-generated and persisted to the data PVC if not provided.
  • ENCRYPTION_KEY encrypts stored secrets (API keys, MFA, SMTP, OIDC) at rest. Auto-generated and persisted to the data PVC if not provided. Upgrading: if a previous version used JWT_SECRET-derived encryption, set secretEnv.ENCRYPTION_KEY to your old JWT_SECRET value to keep existing encrypted data readable, then re-save credentials via the admin panel.
  • If using ingress, you must manually keep env.ALLOWED_ORIGINS and ingress.hosts in sync to ensure CORS works correctly. The chart does not sync these automatically.
Reference in New Issue View Git Blame Copy Permalink