add https config for photoprism (#2196)

* add https config for photoprism * handle portal * add site url on ui * fix key * fix paths
2026-04-14 10:40:31 +08:00 · 2024-02-20 12:01:21 +02:00
parent 5e91b2724f
commit a77f8727ba
7 changed files with 191 additions and 7 deletions
--- a/library/ix-dev/charts/photoprism/Chart.yaml
+++ b/library/ix-dev/charts/photoprism/Chart.yaml
@@ -3,7 +3,7 @@ description: AI-powered app for browsing, organizing & sharing your photo collec
 annotations:
  title: PhotoPrism
 type: application
-version: 2.0.2
+version: 2.0.3
 apiVersion: v2
 appVersion: '231128'
 kubeVersion: '>=1.16.0-0'
--- a/library/ix-dev/charts/photoprism/ci/https-values.yaml
+++ b/library/ix-dev/charts/photoprism/ci/https-values.yaml
@@ -0,0 +1,105 @@
+photoprismNetwork:
+  certificateID: 1
+  webPort: 30489
+
+photoprismConfig:
+  siteURL: https://photoprism.ix.dev:30489
+  public: true
+
+photoprismID:
+  user: 1000
+  group: 1000
+
+photoprismStorage:
+  import:
+    type: pvc
+  originals:
+    type: pvc
+  storage:
+    type: pvc
+
+ixCertificates:
+  "1":
+    certificate: |
+      -----BEGIN CERTIFICATE-----
+      MIIEdjCCA16gAwIBAgIDYFMYMA0GCSqGSIb3DQEBCwUAMGwxDDAKBgNVBAMMA2Fz
+      ZDELMAkGA1UEBhMCVVMxDTALBgNVBAgMBGFzZGYxCzAJBgNVBAcMAmFmMQ0wCwYD
+      VQQKDARhc2RmMQwwCgYDVQQLDANhc2QxFjAUBgkqhkiG9w0BCQEWB2FAYS5jb20w
+      HhcNMjEwODMwMjMyMzU0WhcNMjMxMjAzMjMyMzU0WjBuMQswCQYDVQQDDAJhZDEL
+      MAkGA1UEBhMCVVMxDTALBgNVBAgMBGFzZGYxDTALBgNVBAcMBGFzZGYxDTALBgNV
+      BAoMBGFkc2YxDTALBgNVBAsMBGFzZGYxFjAUBgkqhkiG9w0BCQEWB2FAYS5jb20w
+      ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7+1xOHRQyOnQTHFcrdasX
+      Zl0gzutVlA890a1wiQpdD5dOtCLo7+eqVYjqVKo9W8RUIArXWmBu/AbkH7oVFWC1
+      P973W1+ArF5sA70f7BZgqRKJTIisuIFIlRETgfnP2pfQmHRZtGaIJRZI4vQCdYgW
+      2g0KOvvNcZJCVq1OrhKiNiY1bWCp66DGg0ic6OEkZFHTm745zUNQaf2dNgsxKU0H
+      PGjVLJI//yrRFAOSBUqgD4c50krnMF7fU/Fqh+UyOu8t6Y/HsySh3urB+Zie331t
+      AzV6QV39KKxRflNx/yuWrtIEslGTm+xHKoCYJEk/nZ3mX8Y5hG6wWAb7A/FuDVg3
+      AgMBAAGjggEdMIIBGTAnBgNVHREEIDAehwTAqAADhwTAqAAFhwTAqAC2hwTAqACB
+      hwTAqACSMB0GA1UdDgQWBBQ4G2ff4tgZl4vmo4xCfqmJhdqShzAMBgNVHRMBAf8E
+      AjAAMIGYBgNVHSMEgZAwgY2AFLlYf9L99nxJDcpCM/LT3V5hQ/a3oXCkbjBsMQww
+      CgYDVQQDDANhc2QxCzAJBgNVBAYTAlVTMQ0wCwYDVQQIDARhc2RmMQswCQYDVQQH
+      DAJhZjENMAsGA1UECgwEYXNkZjEMMAoGA1UECwwDYXNkMRYwFAYJKoZIhvcNAQkB
+      FgdhQGEuY29tggNgUxcwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwEwDgYDVR0PAQH/
+      BAQDAgWgMA0GCSqGSIb3DQEBCwUAA4IBAQA6FpOInEHB5iVk3FP67GybJ29vHZTD
+      KQHbQgmg8s4L7qIsA1HQ+DMCbdylpA11x+t/eL/n48BvGw2FNXpN6uykhLHJjbKR
+      h8yITa2KeD3LjLYhScwIigXmTVYSP3km6s8jRL6UKT9zttnIHyXVpBDya6Q4WTMx
+      fmfC6O7t1PjQ5ZyVtzizIUP8ah9n4TKdXU4A3QIM6WsJXpHb+vqp1WDWJ7mKFtgj
+      x5TKv3wcPnktx0zMPfLb5BTSE9rc9djcBG0eIAsPT4FgiatCUChe7VhuMnqskxEz
+      MymJLoq8+mzucRwFkOkR2EIt1x+Irl2mJVMeBow63rVZfUQBD8h++LqB
+      -----END CERTIFICATE-----
+      -----BEGIN CERTIFICATE-----
+      MIIEhDCCA2ygAwIBAgIDYFMXMA0GCSqGSIb3DQEBCwUAMGwxDDAKBgNVBAMMA2Fz
+      ZDELMAkGA1UEBhMCVVMxDTALBgNVBAgMBGFzZGYxCzAJBgNVBAcMAmFmMQ0wCwYD
+      VQQKDARhc2RmMQwwCgYDVQQLDANhc2QxFjAUBgkqhkiG9w0BCQEWB2FAYS5jb20w
+      HhcNMjEwODMwMjMyMDQ1WhcNMzEwODI4MjMyMDQ1WjBsMQwwCgYDVQQDDANhc2Qx
+      CzAJBgNVBAYTAlVTMQ0wCwYDVQQIDARhc2RmMQswCQYDVQQHDAJhZjENMAsGA1UE
+      CgwEYXNkZjEMMAoGA1UECwwDYXNkMRYwFAYJKoZIhvcNAQkBFgdhQGEuY29tMIIB
+      IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq//c0hEEr83CS1pMgsHX50jt
+      2MqIbcf63UUNJTiYpUUvUQSFJFc7m/dr+RTZvu97eDCnD5K2qkHHvTPaPZwY+Djf
+      iy7N641Sz6u/y3Yo3xxs1Aermsfedh48vusJpjbkT2XS44VjbkrpKcWDNVpp3Evd
+      M7oJotXeUsZ+imiyVCfr4YhoY5gbGh/r+KN9Wf9YKoUyfLLZGwdZkhtX2zIbidsL
+      Thqi9YTaUHttGinjiBBum234u/CfvKXsfG3yP2gvBGnlvZnM9ktv+lVffYNqlf7H
+      VmB1bKKk84HtzuW5X76SGAgOG8eHX4x5ZLI1WQUuoQOVRl1I0UCjBtbz8XhwvQID
+      AQABo4IBLTCCASkwLQYDVR0RBCYwJIcEwKgABYcEwKgAA4cEwKgAkocEwKgAtYcE
+      wKgAgYcEwKgAtjAdBgNVHQ4EFgQUuVh/0v32fEkNykIz8tPdXmFD9rcwDwYDVR0T
+      AQH/BAUwAwEB/zCBmAYDVR0jBIGQMIGNgBS5WH/S/fZ8SQ3KQjPy091eYUP2t6Fw
+      pG4wbDEMMAoGA1UEAwwDYXNkMQswCQYDVQQGEwJVUzENMAsGA1UECAwEYXNkZjEL
+      MAkGA1UEBwwCYWYxDTALBgNVBAoMBGFzZGYxDDAKBgNVBAsMA2FzZDEWMBQGCSqG
+      SIb3DQEJARYHYUBhLmNvbYIDYFMXMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
+      BQcDAjAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBAKEocOmVuWlr
+      zegtKYMe8NhHIkFY9oVn5ym6RHNOJpPH4QF8XYC3Z5+iC5yGh4P/jVe/4I4SF6Ql
+      PtofU0jNq5vzapt/y+m008eXqPQFmoUOvu+JavoRVcRx2LIP5AgBA1mF56CSREsX
+      TkuJAA9IUQ8EjnmAoAeKINuPaKxGDuU8BGCMqr/qd564MKNf9XYL+Fb2rlkA0O2d
+      2No34DQLgqSmST/LAvPM7Cbp6knYgnKmGr1nETCXasg1cueHLnWWTvps2HiPp2D/
+      +Fq0uqcZLu4Mdo0CPs4e5sHRyldEnRSKh0DVLprq9zr/GMipmPLJUsT5Jed3sj0w
+      M7Y3vwxshpo=
+      -----END CERTIFICATE-----
+    privatekey: |
+      -----BEGIN PRIVATE KEY-----
+      MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC7+1xOHRQyOnQT
+      HFcrdasXZl0gzutVlA890a1wiQpdD5dOtCLo7+eqVYjqVKo9W8RUIArXWmBu/Abk
+      H7oVFWC1P973W1+ArF5sA70f7BZgqRKJTIisuIFIlRETgfnP2pfQmHRZtGaIJRZI
+      4vQCdYgW2g0KOvvNcZJCVq1OrhKiNiY1bWCp66DGg0ic6OEkZFHTm745zUNQaf2d
+      NgsxKU0HPGjVLJI//yrRFAOSBUqgD4c50krnMF7fU/Fqh+UyOu8t6Y/HsySh3urB
+      +Zie331tAzV6QV39KKxRflNx/yuWrtIEslGTm+xHKoCYJEk/nZ3mX8Y5hG6wWAb7
+      A/FuDVg3AgMBAAECggEAapt30rj9DitGTtxAt13pJMEhyYxvvD3WkvmJwguF/Bbu
+      eW0Ba1c668fMeRCA54FWi1sMqusPS4HUqqUvk+tmyAOsAF4qgD/A4MMSC7uJSVI5
+      N/JWhJWyhCY94/FPakiO1nbPbVw41bcqtzU2qvparpME2CtxSCbDiqm7aaag3Kqe
+      EF0fGSUdZ+TYl9JM05+eIyiX+UY19Fg0OjTHMn8nGpxcNTfDBdQ68TKvdo/dtIKL
+      PLKzJUNNdM8odC4CvQtfGMqaslwZwXkiOl5VJcW21ncj/Y0ngEMKeD/i65ZoqGdR
+      0FKCQYEAGtM2FvJcZQ92Wsw7yj2bK2MSegVUyLK32QKBgQDe8syVCepPzRsfjfxA
+      6TZlWcGuTZLhwIx97Ktw3VcQ1f4rLoEYlv0xC2VWBORpzIsJo4I/OLmgp8a+Ga8z
+      FkVRnq90dV3t4NP9uJlHgcODHnOardC2UUka4olBSCG6zmK4Jxi34lOxhGRkshOo
+      L4IBeOIB5g+ZrEEXkzfYJHESRQKBgQDX2YhFhGIrT8BAnC5BbXbhm8h6Bhjz8DYL
+      d+qhVJjef7L/aJxViU0hX9Ba2O8CLK3FZeREFE3hJPiJ4TZSlN4evxs5p+bbNDcA
+      0mhRI/o3X4ac6IxdRebyYnCOB/Cu94/MzppcZcotlCekKNike7eorCcX4Qavm7Pu
+      MUuQ+ifmSwKBgEnchoqZzlbBzMqXb4rRuIO7SL9GU/MWp3TQg7vQmJerTZlgvsQ2
+      wYsOC3SECmhCq4117iCj2luvOdihCboTFsQDnn0mpQe6BIF6Ns3J38wAuqv0CcFd
+      DKsrge1uyD3rQilgSoAhKzkUc24o0PpXQurZ8YZPgbuXpbj5vPaOnCdBAoGACYc7
+      wb3XS4wos3FxhUfcwJbM4b4VKeeHqzfu7pI6cU/3ydiHVitKcVe2bdw3qMPqI9Wc
+      nvi6e17Tbdq4OCsEJx1OiVwFD9YdO3cOTc6lw/3+hjypvZBRYo+/4jUthbu96E+S
+      dtOzehGZMmDvN0uSzupSi3ZOgkAAUFpyuIKickMCgYAId0PCRjonO2thn/R0rZ7P
+      //L852uyzYhXKw5/fjFGhQ6LbaLgIRFaCZ0L2809u0HFnNvJjHv4AKP6j+vFQYYY
+      qQ+66XnfsA9G/bu4MDS9AX83iahD9IdLXQAy8I19prAbpVumKegPbMnNYNB/TYEc
+      3G15AKCXo7jjOUtHY01DCQ==
+      -----END PRIVATE KEY-----
--- a/library/ix-dev/charts/photoprism/questions.yaml
+++ b/library/ix-dev/charts/photoprism/questions.yaml
@@ -29,6 +29,12 @@ questions:
    schema:
      type: dict
      attrs:
+        - variable: siteURL
+          label: Site URL
+          description: The URL for Photoprism.
+          schema:
+            type: string
+            default: ""
        - variable: public
          label: Public
          description: |
@@ -148,6 +154,14 @@ questions:
          schema:
            type: boolean
            default: false
+        - variable: certificateID
+          label: Certificate
+          description: The certificate to use for Photoprism
+          schema:
+            type: int
+            "null": true
+            $ref:
+              - "definitions/certificate"

  - variable: photoprismStorage
    label: ""
--- a/library/ix-dev/charts/photoprism/templates/_persistance.tpl
+++ b/library/ix-dev/charts/photoprism/templates/_persistance.tpl
@@ -37,4 +37,27 @@ persistence:
        photoprism:
          mountPath: {{ $storage.mountPath }}
  {{- end }}
+
+  {{- if .Values.photoprismNetwork.certificateID }}
+  cert:
+    enabled: true
+    type: secret
+    objectName: photoprism-cert
+    defaultMode: "0600"
+    items:
+      - key: tls.key
+        path: tls.key
+      - key: tls.crt
+        path: tls.crt
+    targetSelector:
+      photoprism:
+        photoprism:
+          mountPath: /photoprism/storage/config/certificates
+          readOnly: true
+
+scaleCertificate:
+  photoprism-cert:
+    enabled: true
+    id: {{ .Values.photoprismNetwork.certificateID }}
+    {{- end -}}
 {{- end -}}
--- a/library/ix-dev/charts/photoprism/templates/_photoprism.tpl
+++ b/library/ix-dev/charts/photoprism/templates/_photoprism.tpl
@@ -35,6 +35,17 @@ workload:
            PHOTOPRISM_STORAGE_PATH: /photoprism/storage
            PHOTOPRISM_ORIGINALS_PATH: /photoprism/originals
            PHOTOPRISM_IMPORT_PATH: /photoprism/import
+            {{- with .Values.photoprismConfig.siteURL }}
+            PHOTOPRISM_SITE_URL: {{ . }}
+            {{- end -}}
+            {{- if .Values.photoprismNetwork.certificateID }}
+              {{- if not .Values.photoprismConfig.siteURL -}}
+                {{- fail "Site URL is required when using a certificate" -}}
+              {{- end }}
+            PHOTOPRISM_DISABLE_TLS: false
+            PHOTOPRISM_TLS_CERT: tls.crt
+            PHOTOPRISM_TLS_KEY: tls.key
+            {{- end }}
          fixedEnv:
            PUID: {{ .Values.photoprismID.user }}
          {{ with .Values.photoprismConfig.additionalEnvs }}
@@ -45,19 +56,23 @@ workload:
            {{ end }}
          {{ end }}
          probes:
+            {{- $prot := "http" -}}
+            {{- if .Values.photoprismNetwork.certificateID -}}
+              {{- $prot = "https" -}}
+            {{- end }}
            liveness:
              enabled: true
-              type: http
+              type: {{ $prot }}
              path: /
              port: {{ .Values.photoprismNetwork.webPort }}
            readiness:
              enabled: true
-              type: http
+              type: {{ $prot }}
              path: /
              port: {{ .Values.photoprismNetwork.webPort }}
            startup:
              enabled: true
-              type: http
+              type: {{ $prot }}
              path: /
              port: {{ .Values.photoprismNetwork.webPort }}

--- a/library/ix-dev/charts/photoprism/templates/_portal.tpl
+++ b/library/ix-dev/charts/photoprism/templates/_portal.tpl
@@ -1,12 +1,37 @@
 {{- define "photoprism.portal" -}}
+  {{- $proto := "http" -}}
+  {{- if .Values.photoprismNetwork.certificateID -}}
+    {{- $proto = "https" -}}
+  {{- end -}}
+
+  {{- $host := "$node_ip" -}}
+  {{- with .Values.photoprismConfig.siteURL -}} {{/* Trim protocol and trailing slash */}}
+    {{- $host = (. | trimPrefix "https://" | trimPrefix "http://" | trimSuffix "/") -}}
+    {{- $host = mustRegexReplaceAll "(.*):[0-9]+" $host "${1}" -}}
+  {{- end -}}
+
+  {{- $port := .Values.photoprismNetwork.webPort }}
+
+  {{- with .Values.photoprismConfig.siteURL -}} {{/* If URL is defined */}}
+    {{- $p := (. | trimPrefix "https://" | trimPrefix "http://" | trimSuffix "/") -}}
+    {{- $p = split ":" $p -}}
+    {{- if $p._1 -}} {{/* If port is defined */}}
+      {{- $port = $p._1 -}}
+    {{- else -}}
+      {{- $port = "80" -}}
+      {{- if eq $proto "https" -}}
+        {{- $port = "443" -}}
+      {{- end -}}
+    {{- end -}}
+  {{- end }}
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: portal
 data:
-  port: {{ .Values.photoprismNetwork.webPort | quote }}
+  protocol: {{ $proto }}
  path: "/"
-  protocol: "http"
-  host: $node_ip
+  host: {{ $host }}
+  port: {{ $port | quote }}
 {{- end -}}
--- a/library/ix-dev/charts/photoprism/values.yaml
+++ b/library/ix-dev/charts/photoprism/values.yaml
@@ -15,10 +15,12 @@ podOptions:
 photoprismConfig:
  public: false
  password: ''
+  siteURL: ''
  additionalEnvs: []

 photoprismNetwork:
  webPort: 20800
+  certificateID:
  hostNetwork: false

 photoprismID: