From 94d253bf596a976a85034a1317b896af5b720b6b Mon Sep 17 00:00:00 2001 From: maarous <57574190+maarous@users.noreply.github.com> Date: Fri, 22 Nov 2024 20:31:07 +0100 Subject: [PATCH 1/4] chore(helm): add support for securityContext and resources in sideload container (#7350) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --------- Co-authored-by: Mohamed Amine Arous <“maarous-prestataire@ina.fr”> Co-authored-by: Nicolas Giard --- dev/helm/Chart.yaml | 2 +- dev/helm/README.md | 27 +++++++++++++++------------ dev/helm/templates/deployment.yaml | 4 ++++ dev/helm/values.yaml | 20 ++++++++++++++++++++ 4 files changed, 40 insertions(+), 13 deletions(-) diff --git a/dev/helm/Chart.yaml b/dev/helm/Chart.yaml index 0b8d593a..458defa3 100644 --- a/dev/helm/Chart.yaml +++ b/dev/helm/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: wiki # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. -version: 2.2.0 +version: 2.3.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. AppVersion: latest diff --git a/dev/helm/README.md b/dev/helm/README.md index 87404d76..c1b73e22 100644 --- a/dev/helm/README.md +++ b/dev/helm/README.md 
@@ -97,16 +97,16 @@ The following table lists the configurable parameters of the Wiki.js chart and t | `image.repository` | Wiki.js image | `requarks/wiki` | | `image.tag` | Wiki.js image tag | `latest` | | `imagePullPolicy` | Image pull policy | `IfNotPresent` | -| `replicacount` | Amount of wiki.js service pods to run | `1` | -| `revisionHistoryLimit` | Total amount of revision history points | `10` | -| `resources.limits` | wiki.js service resource limits | `nil` | -| `resources.requests` | wiki.js service resource requests | `nil` | -| `nodeSelector` | Node labels for wiki.js pod assignment | `{}` | -| `affinity` | Affinity settings for wiki.js pod assignment | `{}` | -| `schedulerName` | Name of an alternate scheduler for wiki.js pod | `nil` | -| `tolerations` | Toleration labels for wiki.jsk pod assignment | `[]` | -| `volumeMounts` | Volume mounts for Wiki.js container | `[]` | -| `volumes` | Volumes for Wiki.js Pod | `[]` | +| `replicacount` | Number of Wiki.js pods to run | `1` | +| `revisionHistoryLimit` | Total number of revision history points | `10` | +| `resources.limits` | Wiki.js service resource limits | `nil` | +| `resources.requests` | Wiki.js service resource requests | `nil` | +| `nodeSelector` | Node labels for the Wiki.js pod assignment | `{}` | +| `affinity` | Affinity settings for the Wiki.js pod assignment | `{}` | +| `schedulerName` | Name of an alternate scheduler for the Wiki.js pod | `nil` | +| `tolerations` | Toleration labels for the Wiki.js pod assignment | `[]` | +| `volumeMounts` | Volume mounts for the Wiki.js container | `[]` | +| `volumes` | Volumes for the Wiki.js pod | `[]` | | `ingress.enabled` | Enable ingress controller resource | `false` | | `ingress.className` | Ingress class name | `""` | | `ingress.annotations` | Ingress annotations | `{}` | 
@@ -114,7 +114,10 @@ The following table lists the configurable parameters of the Wiki.js chart and t | `ingress.tls` | Ingress TLS configuration | `[]` | | `sideload.enabled` | Enable sideloading of locale files from git | `false` | | `sideload.repoURL` | Git repository URL containing locale files | `https://github.com/Requarks/wiki-localization` | -| `sideload.env` | Environment variables for sideload Container | `{}` | +| `sideload.env` | Environment variables for the sideload container | `{}` | +| `sideload.securityContext` | Security context for the sideload container | `nil` | +| `sideload.resources.limits` | Resource limits for the sideload container | `nil` | +| `sideload.resources.requests` | Resource requests for the sideload container | `nil` | | `nodeExtraCaCerts` | Trusted certificates path | `nil` | | `postgresql.enabled` | Deploy postgres server (see below) | `true` | | `postgresql.postgresqlDatabase` | Postgres database name | `wiki` | @@ -122,7 +125,7 @@ The following table lists the configurable parameters of the Wiki.js chart and t | `postgresql.postgresqlHost` | External postgres host | `nil` | | `postgresql.postgresqlPassword` | External postgres password | `nil` | | `postgresql.existingSecret` | Provide an existing `Secret` for postgres | `nil` | -| `postgresql.existingSecretKey` | The postgres password key in the existing `Secret` | `postgresql-password` | +| `postgresql.existingSecretKey` | The postgres password key in the existing `Secret` | `postgresql-password` | | `postgresql.postgresqlPort` | External postgres port | `5432` | | `postgresql.ssl` | Enable external postgres SSL connection | `false` | | `postgresql.ca` | Certificate of Authority content for postgres | `nil` | diff --git a/dev/helm/templates/deployment.yaml b/dev/helm/templates/deployment.yaml index 21db6a82..e6dc786b 100644 --- a/dev/helm/templates/deployment.yaml +++ b/dev/helm/templates/deployment.yaml 
@@ -27,12 +27,16 @@ spec: {{- if .Values.sideload.enabled }} initContainers: - name: {{ .Chart.Name }}-sideload + securityContext: + {{- toYaml .Values.sideload.securityContext | nindent 12 }} image: "{{ .Values.image.repository }}:{{ default "latest" .Values.image.tag }}" imagePullPolicy: {{ default "IfNotPresent" .Values.image.imagePullPolicy }} env: {{- toYaml .Values.sideload.env | nindent 12 }} command: [ "sh", "-c" ] args: [ "mkdir -p /wiki/data/sideload && git clone --depth=1 {{ .Values.sideload.repoURL }} /wiki/data/sideload/" ] + resources: + {{- toYaml .Values.sideload.resources | nindent 12 }} {{- end }} containers: - name: {{ .Chart.Name }} diff --git a/dev/helm/values.yaml b/dev/helm/values.yaml index 099a694c..8e5e3667 100644 --- a/dev/helm/values.yaml +++ b/dev/helm/values.yaml @@ -115,6 +115,26 @@ sideload: # - name: HTTPS_PROXY # value: http://my.proxy.com:3128 + securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + ## Append extra trusted certificates for node process from extra volume via NODE_EXTRA_CA_CERTS variable # nodeExtraCaCerts: "/path/to/certs.pem" From abc8dce9ccb9b9f90e5681e01abce3929183f6a4 Mon Sep 17 00:00:00 2001 From: Vasily Fedoseyev Date: Wed, 1 Jan 2025 08:18:42 +0300 Subject: [PATCH 2/4] fix: Allow HA_ACTIVE: True to enable HA mode (#7493) --------- Co-authored-by: Nicolas Giard --- server/core/db.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
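Review bot: The added `securityContext:` and `resources:` keys on the sideload init container are emitted unconditionally, so a value of `null` renders as `securityContext: null` instead of dropping the key. The README rows added in this patch document the default as `nil`, while values.yaml ships `{}`. Guarding each key with `{{- with .Values.sideload.securityContext }}` … `{{- end }}` (and the same for `resources`) would make both spellings behave alike. With the shipped default, the init container that runs `git clone` against `sideload.repoURL` still starts with no container-level hardening, so a template comment such as `# empty by default: no container-level securityContext is applied to the sideload container` would make the opt-in explicit.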
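Review bot: The commented example under `sideload.securityContext` pairs `readOnlyRootFilesystem: true` with `runAsUser: 1000`, yet the sideload container's command in deployment.yaml is `mkdir -p /wiki/data/sideload && git clone … /wiki/data/sideload/`, which needs that path to be writable by the chosen UID. No volume mount for the init container is visible in the template hunk, so uncommenting the example as written would presumably fail the init container and keep the pod from starting. I would add a line to the comment block, e.g. `# readOnlyRootFilesystem: true requires /wiki/data/sideload to be on a writable volume`.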
diff --git a/server/core/db.js b/server/core/db.js index 25f21ad3..b729282a 100644 --- a/server/core/db.js +++ b/server/core/db.js @@ -222,7 +222,7 @@ module.exports = { * Subscribe to database LISTEN / NOTIFY for multi-instances events */ async subscribeToNotifications () { - const useHA = (WIKI.config.ha === true || WIKI.config.ha === 'true' || WIKI.config.ha === 1 || WIKI.config.ha === '1') + const useHA = (WIKI.config.ha === true || (typeof WIKI.config.ha === 'string' && WIKI.config.ha.toLowerCase() === 'true') || WIKI.config.ha === 1 || WIKI.config.ha === '1') if (!useHA) { return } else if (WIKI.config.db.type !== 'postgres') { From 403e98dced86103cce59583a357865d1ea59ea70 Mon Sep 17 00:00:00 2001 From: Nicolas Giard Date: Sun, 2 Feb 2025 16:16:52 -0500 Subject: [PATCH 3/4] feat: add git always namespace option --- server/modules/storage/git/definition.yml | 6 ++++++ server/modules/storage/git/storage.js | 14 +++++++------- 2 files changed, 13 insertions(+), 7 deletions(-) diff --git a/server/modules/storage/git/definition.yml b/server/modules/storage/git/definition.yml index 63c095a2..bea279ed 100644 --- a/server/modules/storage/git/definition.yml +++ b/server/modules/storage/git/definition.yml @@ -87,6 +87,12 @@ props: default: './data/repo' hint: 'Path where the local git repository will be created.' order: 30 + alwaysNamespace: + type: Boolean + title: Always Locale Namespace + default: false + hint: 'Whether to put content from the primary language into a subfolder.' + order: 40 gitBinaryPath: type: String title: Git Binary Path diff --git a/server/modules/storage/git/storage.js b/server/modules/storage/git/storage.js index 62401b0d..fcb197bc 100644 --- a/server/modules/storage/git/storage.js +++ b/server/modules/storage/git/storage.js 
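Review bot: Any value of `WIKI.config.ha` that the widened test does not recognise (a string with surrounding whitespace, say, or `'yes'`) still falls through to `if (!useHA) { return }` with no log line, so an operator who believes HA is on silently gets a node that never subscribes to the multi-instance notifications. Normalising once keeps the accepted set explicit and shortens the line: `const ha = String(WIKI.config.ha).trim().toLowerCase()` followed by `const useHA = ha === 'true' || ha === '1'`. A warning through `WIKI.logger` for a non-empty value that is not recognised would make the misconfiguration visible. The body of `subscribeToNotifications` continues outside the hunk.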
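Review bot: The hint for `alwaysNamespace` does not say what happens to a repository that already holds content. Judging by the storage.js hunks in this patch, the option changes the path computed for primary-language pages in `updated`, `deleted` and `renamed`. Turning it on for a populated repository would therefore presumably leave those handlers pointing at paths that differ from where the files were committed. If that is the case, I would extend the hint to say so, e.g. `'Whether to put content from the primary language into a subfolder. Existing files are not moved when this is changed.'`.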
@@ -298,7 +298,7 @@ module.exports = { async created(page) { WIKI.logger.info(`(STORAGE/GIT) Committing new file [${page.localeCode}] ${page.path}...`) let fileName = `${page.path}.${pageHelper.getFileExtension(page.contentType)}` - if (WIKI.config.lang.namespacing && WIKI.config.lang.code !== page.localeCode) { + if (this.config.alwaysNamespace || (WIKI.config.lang.namespacing && WIKI.config.lang.code !== page.localeCode)) { fileName = `${page.localeCode}/${fileName}` } const filePath = path.join(this.repoPath, fileName) @@ -320,7 +320,7 @@ module.exports = { async updated(page) { WIKI.logger.info(`(STORAGE/GIT) Committing updated file [${page.localeCode}] ${page.path}...`) let fileName = `${page.path}.${pageHelper.getFileExtension(page.contentType)}` - if (WIKI.config.lang.namespacing && WIKI.config.lang.code !== page.localeCode) { + if (this.config.alwaysNamespace || (WIKI.config.lang.namespacing && WIKI.config.lang.code !== page.localeCode)) { fileName = `${page.localeCode}/${fileName}` } const filePath = path.join(this.repoPath, fileName) @@ -342,7 +342,7 @@ module.exports = { async deleted(page) { WIKI.logger.info(`(STORAGE/GIT) Committing removed file [${page.localeCode}] ${page.path}...`) let fileName = `${page.path}.${pageHelper.getFileExtension(page.contentType)}` - if (WIKI.config.lang.namespacing && WIKI.config.lang.code !== page.localeCode) { + if (this.config.alwaysNamespace || (WIKI.config.lang.namespacing && WIKI.config.lang.code !== page.localeCode)) { fileName = `${page.localeCode}/${fileName}` } 
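Review bot: The condition `this.config.alwaysNamespace || (WIKI.config.lang.namespacing && WIKI.config.lang.code !== page.localeCode)` is now repeated in `created`, `updated`, `deleted` and the hunk at line 483, and written in a nested form in the rename hunk at line 364 that reduces to the same expression. One helper on the module would keep the five call sites from drifting apart; the enclosing functions all continue outside their hunks. Since the option makes `page.localeCode` a path segment for every page, it is also worth confirming that the locale code is validated before it reaches `path.join(this.repoPath, fileName)`, which does not by itself keep the result inside `repoPath`.

```javascript
// proposed helper on the storage module (name is a suggestion)
needsLocaleFolder (localeCode) {
  return this.config.alwaysNamespace ||
    (WIKI.config.lang.namespacing && WIKI.config.lang.code !== localeCode)
},

// … unchanged: logging and fileName construction in created / updated / deleted / sync …
if (this.needsLocaleFolder(page.localeCode)) {
  fileName = `${page.localeCode}/${fileName}`
}

// in the rename handler, replacing the nested if
if (this.needsLocaleFolder(page.localeCode)) {
  sourceFileName = `${page.localeCode}/${sourceFileName}`
}
if (this.needsLocaleFolder(page.destinationLocaleCode)) {
  destinationFileName = `${page.destinationLocaleCode}/${destinationFileName}`
}
```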
@@ -364,11 +364,11 @@ module.exports = { let sourceFileName = `${page.path}.${pageHelper.getFileExtension(page.contentType)}` let destinationFileName = `${page.destinationPath}.${pageHelper.getFileExtension(page.contentType)}` - if (WIKI.config.lang.namespacing) { - if (WIKI.config.lang.code !== page.localeCode) { + if (this.config.alwaysNamespace || WIKI.config.lang.namespacing) { + if (this.config.alwaysNamespace || WIKI.config.lang.code !== page.localeCode) { sourceFileName = `${page.localeCode}/${sourceFileName}` } - if (WIKI.config.lang.code !== page.destinationLocaleCode) { + if (this.config.alwaysNamespace || WIKI.config.lang.code !== page.destinationLocaleCode) { destinationFileName = `${page.destinationLocaleCode}/${destinationFileName}` } } @@ -483,7 +483,7 @@ module.exports = { page.tags = await pageObject.$relatedQuery('tags') let fileName = `${page.path}.${pageHelper.getFileExtension(page.contentType)}` - if (WIKI.config.lang.namespacing && WIKI.config.lang.code !== page.localeCode) { + if (this.config.alwaysNamespace || (WIKI.config.lang.namespacing && WIKI.config.lang.code !== page.localeCode)) { fileName = `${page.localeCode}/${fileName}` } WIKI.logger.info(`(STORAGE/GIT) Adding page ${fileName}...`) From 85243e5284e94222769966f560cff6b605bbdb4d Mon Sep 17 00:00:00 2001 From: Nicolas Giard Date: Tue, 11 Feb 2025 20:46:07 -0500 Subject: [PATCH 4/4] docs: Update SECURITY.md --- SECURITY.md | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index a68b8b9f..0f6a1e66 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -15,13 +15,7 @@ If you find such vulnerability, it's important to disclose it in a quick and sec **DO NOT CREATE A GITHUB ISSUE / DISCUSSION** to report a potential vulnerability / security problem. Instead, choose one of these options: -### A) Submit a Vulnerability Report *(recommended)* - -Fill in the form on https://github.com/requarks/wiki/security/advisories/new - -### B) Send an email - -Send an email to security@requarks.io. +Submit a Vulnerability Report by filling in the form on https://github.com/requarks/wiki/security/advisories/new Include as much details as possible, such as: - The version(s) of Wiki.js that are impacted