jubnl e10f6bf9af fix: remove JWT_SECRET env var — server manages it exclusively
Setting JWT_SECRET via environment variable was broken by design:
the admin panel rotation updates the in-memory binding and persists
the new value to data/.jwt_secret, but an env var would silently
override it on the next restart, reverting the rotation.

The server now always loads JWT_SECRET from data/.jwt_secret
(auto-generating it on first start), making the file the single
source of truth. Rotation is handled exclusively through the admin
panel.

- config.ts: drop process.env.JWT_SECRET fallback and
  JWT_SECRET_IS_GENERATED export; always read from / write to
  data/.jwt_secret
- index.ts: remove the now-obsolete JWT_SECRET startup warning
- .env.example, docker-compose.yml, README: remove JWT_SECRET entries
- Helm chart: remove JWT_SECRET from secretEnv, secret.yaml, and
  deployment.yaml; rename generateJwtSecret → generateEncryptionKey
  and update NOTES.txt and README accordingly
2026-04-01 07:58:05 +02:00

TREK Helm Chart

This is a minimal Helm chart for deploying the TREK app.

Features

  • Deploys the TREK container
  • Exposes port 3000 via Service
  • Optional persistent storage for /app/data and /app/uploads
  • Configurable environment variables and secrets
  • Optional generic Ingress support
  • Health checks on /api/health

Usage

helm install trek ./chart \
  --set ingress.enabled=true \
  --set 'ingress.hosts[0].host=yourdomain.com'

See values.yaml for more options.

Files

  • Chart.yaml — chart metadata
  • values.yaml — configuration values
  • templates/ — Kubernetes manifests

Notes

  • Ingress is off by default. Enable and configure hosts for your domain.
  • PVCs require a default StorageClass; if the cluster has none, specify one explicitly.
  • JWT_SECRET is managed entirely by the server — auto-generated into the data PVC on first start and rotatable via the admin panel (Settings → Danger Zone). No Helm configuration needed.
  • ENCRYPTION_KEY encrypts stored secrets (API keys, MFA, SMTP, OIDC) at rest. Auto-generated and persisted to the data PVC if not provided. Upgrading: if a previous version used JWT_SECRET-derived encryption, set secretEnv.ENCRYPTION_KEY to your old JWT_SECRET value to keep existing encrypted data readable, then re-save credentials via the admin panel.
  • If using ingress, you must manually keep env.ALLOWED_ORIGINS and ingress.hosts in sync to ensure CORS works correctly. The chart does not sync these automatically.
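
The JWT_SECRET note above, as an added TypeScript sketch (not TREK's own config.ts): it contrasts a loader that lets an environment value take precedence with one that reads only data/.jwt_secret, and shows which secret is live after a rotation and restart. The function names, the 32-byte hex secret format, the 0600 file mode and the temp-file rename are assumptions made for the illustration.

```typescript
import * as crypto from "node:crypto";
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Hypothetical helpers modelled on the behaviour described; not TREK's code.
const secretPath = (dataDir: string) => path.join(dataDir, ".jwt_secret");
const newSecret = () => crypto.randomBytes(32).toString("hex"); // assumed format

// Current behaviour: the file is the only source; generate it on first start.
function loadSecretFromFile(dataDir: string): string {
  try {
    const value = fs.readFileSync(secretPath(dataDir), "utf8").trim();
    if (value) return value;
  } catch (err) {
    if ((err as { code?: string }).code !== "ENOENT") throw err;
  }
  const generated = newSecret();
  fs.mkdirSync(dataDir, { recursive: true });
  fs.writeFileSync(secretPath(dataDir), generated, { mode: 0o600 });
  return generated;
}

// Removed behaviour: an environment value takes precedence over the file.
function loadSecretEnvFirst(dataDir: string, envSecret?: string): string {
  return envSecret || loadSecretFromFile(dataDir);
}

// Rotation as the admin panel is described: persist the new value to the file.
function rotateSecret(dataDir: string): string {
  const next = newSecret();
  const tmp = secretPath(dataDir) + ".tmp";
  fs.writeFileSync(tmp, next, { mode: 0o600 });
  fs.renameSync(tmp, secretPath(dataDir)); // atomic replace on the same volume
  return next;
}

// Rotate, then "restart" under both loaders and report which secret is live.
function restartAfterRotation(envSecret?: string) {
  const dataDir = fs.mkdtempSync(path.join(os.tmpdir(), "jwt-demo-"));
  try {
    loadSecretEnvFirst(dataDir, envSecret); // first start
    const rotated = rotateSecret(dataDir);
    const envFirst = loadSecretEnvFirst(dataDir, envSecret);
    const fileOnly = loadSecretFromFile(dataDir);
    return { rotated, envFirst, fileOnly };
  } finally {
    fs.rmSync(dataDir, { recursive: true, force: true });
  }
}
```

With an environment value set, `envFirst` comes back as the pre-rotation secret while `fileOnly` matches the rotated one, which is the revert the chart avoids by no longer exposing JWT_SECRET.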