From 72dfa2c60c95031c00c46459d69558a4237db0aa Mon Sep 17 00:00:00 2001
From: Maurice
Date: Mon, 29 Jun 2026 20:56:40 +0200
Subject: [PATCH] docs(helm): clean up existingClaim notes

Strip stray zero-width characters from the persistence docs, move the PVC note out of the ENCRYPTION_KEY usage block into its own Persistence section in NOTES.txt, and document that persistence.enabled=false falls back to an ephemeral emptyDir.
---
 charts/README.md | 3 ++-
 charts/trek/templates/NOTES.txt | 7 ++++++-
 charts/trek/values.yaml | 4 +++-
 3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/charts/README.md b/charts/README.md
index 5d6cb812..a54ec9b1 100644
--- a/charts/README.md
+++ b/charts/README.md
@@ -40,7 +40,8 @@ See `values.yaml` for more options.
 ## Notes
 - Ingress is off by default. Enable and configure hosts for your domain.
 - PVCs use the cluster's default StorageClass. Set `persistence.data.storageClassName` and/or `persistence.uploads.storageClassName` to bind a specific class.
-- If you want to use your own PVCs, set `persistence.data.existingClaim` or `persistence.uploads.existingClaim` to bind it. The other PVCs values ​​will be ignored (size, storageClassName, annotations).
+- To use your own PVCs, set `persistence.data.existingClaim` and/or `persistence.uploads.existingClaim`. The other values for that volume (size, storageClassName, annotations) are then ignored.
+- With `persistence.enabled: false`, the data and uploads volumes use an `emptyDir` — storage is ephemeral and lost on pod restart. Intended for testing only.
 - `JWT_SECRET` is managed entirely by the server — auto-generated into the data PVC on first start and rotatable via the admin panel (Settings → Danger Zone). No Helm configuration needed.
 - `ENCRYPTION_KEY` encrypts stored secrets (API keys, MFA, SMTP, OIDC) at rest. Recommended: set via `secretEnv.ENCRYPTION_KEY` or `existingSecret`. If left empty, the server falls back automatically: existing installs use `data/.jwt_secret` (no action needed on upgrade); fresh installs auto-generate a key persisted to the data PVC.
 - If using ingress, you must manually keep `env.ALLOWED_ORIGINS` and `ingress.hosts` in sync to ensure CORS works correctly. The chart does not sync these automatically.
diff --git a/charts/trek/templates/NOTES.txt b/charts/trek/templates/NOTES.txt
index 0c7d2111..0c11d0dc 100644
--- a/charts/trek/templates/NOTES.txt
+++ b/charts/trek/templates/NOTES.txt
@@ -18,7 +18,12 @@ - Generate a random key at install: `--set generateEncryptionKey=true` - Use an existing secret: `--set existingSecret=my-k8s-secret` - Use a custom key name in the existing secret: `--set existingSecret=my-k8s-secret --set existingSecretKey=MY_ENC_KEY` - - Use your own PVCs, set `persistence.data.existingClaim` or `persistence.uploads.existingClaim` to bind it. The other PVCs values ​​will be ignored (size, storageClassName, annotations). 4. Only one method should be used at a time. If both `generateEncryptionKey` and `existingSecret` are set, `existingSecret` takes precedence. Ensure the referenced secret and key exist in the namespace. + +5. Persistence: + - To bind your own PVCs, set `persistence.data.existingClaim` and/or `persistence.uploads.existingClaim`. + The other values for that volume (size, storageClassName, annotations) are then ignored. + - With `persistence.enabled=false` the volumes use an emptyDir — storage is ephemeral and is lost + when the pod restarts. Use only for testing. diff --git a/charts/trek/values.yaml b/charts/trek/values.yaml index e01bb7d5..e141aa88 100644 --- a/charts/trek/values.yaml +++ b/charts/trek/values.yaml @@ -101,17 +101,19 @@ existingSecret: "" existingSecretKey: ENCRYPTION_KEY persistence: + # When disabled, volumes fall back to an ephemeral emptyDir (data lost on pod restart). enabled: true data: size: 1Gi # Leave empty to use the cluster's default StorageClass; set to bind a specific class. storageClassName: "" - # Specify an existing PVC to use. The other values ​​will be ignored. + # Bind an existing PVC. The other values (size, storageClassName, annotations) are then ignored. existingClaim: "" annotations: {} uploads: size: 1Gi storageClassName: "" + # Specify an existing PVC to bind. The other values are then ignored. existingClaim: "" annotations: {}
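Review bot: The new comment on `persistence.enabled` in the values.yaml hunk (and the matching lines in the NOTES.txt and README hunks) says only that data is lost, without saying that the server-generated secrets sit on the same volume. The README context in this patch states that `JWT_SECRET` and the fallback `ENCRYPTION_KEY` are auto-generated into the data PVC, so with persistence disabled they would presumably be regenerated each time the pod is replaced, which invalidates sessions and leaves anything encrypted under the old key unreadable. I would word the comment as `# When disabled, volumes fall back to an ephemeral emptyDir; all data, including the auto-generated JWT secret and encryption key, is lost when the pod is deleted or rescheduled.` "Deleted or rescheduled" is also more precise than "pod restart", since an emptyDir survives container restarts within the same pod. Separately, the `uploads.existingClaim` comment could list the ignored keys the way the `data` one does.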