Helm chart version bump

Update to the nuxt-client image version 0.1.2

Update the security_service.py to set the tmpUrl only once

Align the README.md with the Chart.yaml version

Author: gfenoy

zoo-project-dru/Chart.yaml

@@ -23,7 +23,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.9.7
+version: 0.9.8
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
@@ -78,7 +78,9 @@ dependencies:
 annotations:
   artifacthub.io/changes: |
     - kind: changed
-      description: "Update the ZOO-Project docker image to tag dru-ad6563d64c564268778263ad41fed9f9d18d07ca"
+      description: "Update to the nuxt-client image version 0.1.2"
+    - kind: changed
+      description: "Update the security_service.py to set the tmpUrl only once"
     - kind: changed
       description: "Align the README.md with the Chart.yaml version"
 

zoo-project-dru/README.md

@@ -24,7 +24,7 @@ To install the chart with the release name `my-zoo-project-dru`:
 
 ````bash
 helm repo add zoo-project https://zoo-project.github.io/charts/
-helm install my-zoo-project-dru zoo-project/zoo-project-dru --version 0.9.7
+helm install my-zoo-project-dru zoo-project/zoo-project-dru --version 0.9.8
 ````
 
 ## Parameters
@@ -1069,7 +1069,7 @@ sensible defaults aligned to the UID/GID baked in the official upstream images:
 | redis       | 999       | 1000       | 1000    | matches `redis:*-alpine`                 |
 | postgresql  | 70        | 70         | 70      | matches `postgres:*-alpine`              |
 | kubeProxy   | 65534     | 65534      | 65534   | `nobody`, readOnlyRootFilesystem enabled |
-| webui       | 1001      | 1001       | 1001    | `appuser` in `nuxt-client >= 0.1.1`      |
+| webui       | 1000      | 1000       | 1000    | `node` in `nuxt-client >= 0.1.2`      |
 
 All container-level `securityContext` blocks set `allowPrivilegeEscalation: false`,
 `runAsNonRoot: true` and drop all Linux capabilities (`capabilities.drop: [ALL]`).

zoo-project-dru/files/zoo-project/security_service.py

@@ -56,6 +56,7 @@ def securityIn(conf, inputs, outputs):
         if i.count("SERVICES_NAMESPACE"):
             if not(has_rpath):
                 rPath += conf["renv"][i]
+                conf["main"]["tmpUrl"]=conf["main"]["tmpUrl"].replace("/temp", "/"+conf["renv"][i]+"/temp")
                 has_rpath=True
             if "auth_env" not in conf:
                 conf["auth_env"] = {"user": conf["renv"][i], "cwd": rPath}
@@ -67,7 +68,6 @@ def securityIn(conf, inputs, outputs):
             # conf["lenv"]["cwd"]=rPath
             conf["zooServicesNamespace"] = {"namespace": conf["renv"][i], "cwd": rPath}
             conf["main"]["tmpPath"] = rPath + "/temp"
-            conf["main"]["tmpUrl"]=conf["main"]["tmpUrl"].replace("/temp", "/"+conf["renv"][i]+"/temp")
         if i.count("QUERY_STRING") and conf["renv"][i].count("/package"):
             if conf["renv"]["HTTP_ACCEPT"] == "application/cwl+json":
                 zoo.info("Conversion to cwl+json should happen in securityOut")

zoo-project-dru/templates/dp-webui.yaml

@@ -55,11 +55,74 @@ spec:
           securityContext:
             {{- toYaml . | nindent 12 }}
           {{- end }}
-          command: [ "/bin/sh","-c" ]
-          # Run npm run build and then npm run start everytime the container starts
-          args: [ "npm run build ; npm run start" ]
+          {{- with .Values.webui.command }}
+          command:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.webui.args }}
+          args:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           image: "{{ .Values.webui.image.repository }}:{{ .Values.webui.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.webui.image.pullPolicy }}
+          env:
+            - name: HOST
+              value: "0.0.0.0"
+            - name: PORT
+              value: {{ .Values.webui.port | quote }}
+            - name: NITRO_HOST
+              value: "0.0.0.0"
+            - name: NITRO_PORT
+              value: {{ .Values.webui.port | quote }}
+            # Nuxt 3 runtimeConfig.public.<KEY> is overridden at runtime by env
+            # var NUXT_PUBLIC_<KEY>. We keep the original names too because some
+            # libs (nuxt-auth, sidebase) read AUTH_ORIGIN / NEXTAUTH_URL directly
+            # from process.env.
+            - name: NUXT_PUBLIC_NUXT_ZOO_BASEURL
+              value: {{ $hosturl | quote }}
+            - name: NUXT_ZOO_BASEURL
+              value: {{ $hosturl | quote }}
+            - name: NUXT_PUBLIC_NUXT_OIDC_ISSUER
+              value: {{ .Values.webui.oidc.issuer | quote }}
+            - name: NUXT_OIDC_ISSUER
+              value: {{ .Values.webui.oidc.issuer | quote }}
+            - name: NUXT_PUBLIC_NUXT_OIDC_CLIENT_ID
+              value: {{ .Values.webui.oidc.clientId | quote }}
+            - name: NUXT_OIDC_CLIENT_ID
+              value: {{ .Values.webui.oidc.clientId | quote }}
+            {{- with .Values.webui.oidc.clientSecret }}
+            - name: NUXT_OIDC_CLIENT_SECRET
+              value: {{ . | quote }}
+            {{- end }}
+            - name: NUXT_PUBLIC_AUTH_ORIGIN
+              value: {{ .Values.webui.url | quote }}
+            - name: AUTH_ORIGIN
+              value: {{ .Values.webui.url | quote }}
+            - name: NUXT_PUBLIC_NEXTAUTH_URL
+              value: {{ .Values.webui.url | quote }}
+            - name: NEXTAUTH_URL
+              value: {{ .Values.webui.url | quote }}
+            - name: NUXT_BASE_URL
+              value: {{ .Values.webui.url | quote }}
+            - name: NUXT_AUTH_SECRET
+              value: {{ default "client_secret_basic" .Values.webui.authSecret | quote }}
+            - name: NUXT_PUBLIC_ZOO_OGCAPI_REQUIRES_BEARER_TOKEN
+              value: {{ default "true" .Values.webui.requiresBearerToken | quote }}
+            - name: ZOO_OGCAPI_REQUIRES_BEARER_TOKEN
+              value: {{ default "true" .Values.webui.requiresBearerToken | quote }}
+            - name: NUXT_PUBLIC_SUBSCRIBERURL
+              value: "http://{{ .Release.Name }}-service/cgi-bin/publish.py"
+            - name: SUBSCRIBERURL
+              value: "http://{{ .Release.Name }}-service/cgi-bin/publish.py"
+            - name: NODE_TLS_REJECT_UNAUTHORIZED
+              value: {{ default "0" .Values.webui.nodeTlsRejectUnauthorized | quote }}
+            {{- with .Values.webui.extraEnv }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+          {{- with .Values.webui.envFrom }}
+          envFrom:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           ports:
             - name: webui-http
               containerPort: {{ .Values.webui.port }}
@@ -81,20 +144,16 @@ spec:
             timeoutSeconds: 15
             failureThreshold: 3
           resources: {}
+          {{- with .Values.webui.volumeMounts }}
           volumeMounts:
-            - name: bin-config
-              mountPath: /usr/src/app/.env
-              subPath: env_nuxt.sample
-            - name: bin-config
-              mountPath: /usr/src/app/env_sample
-              subPath: env_nuxt.sample
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
 
       restartPolicy: Always
+      {{- with .Values.webui.volumes }}
       volumes:
-        - name: bin-config
-          configMap:
-            name: {{ .Release.Name }}-bin-config
-            defaultMode: 0777
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
 
 status: {}
 {{- end }}

zoo-project-dru/values.yaml

@@ -602,21 +602,36 @@ webui:
   image:
     repository: zooproject/nuxt-client
     pullPolicy: IfNotPresent
-    tag: 0.1.1
+    tag: 0.1.2
+  # Override container command/args. Defaults to image CMD which runs
+  # `node .output/server/index.mjs` for the multi-stage slim image.
+  command: []
+  args: []
+  # Optional Nuxt runtime config — read from process.env at server startup.
+  authSecret: ""
+  requiresBearerToken: "true"
+  nodeTlsRejectUnauthorized: "0"
+  # Extra env vars and envFrom (Secrets/ConfigMaps) appended to the webui container.
+  extraEnv: []
+  envFrom: []
+  # Optional volume mounts/volumes. Empty by default — the slim image
+  # does not need the bin-config ConfigMap (env vars passed via env:).
+  volumeMounts: []
+  volumes: []
   enforce: false
-  # Pod-level security context for the webui pod
-  # The nuxt-client >= 0.1.1 image runs as 'appuser' (uid 1001, gid 1001) and
-  # /usr/src/app is owned by that user, so no init copy is required.
+  # Pod-level security context for the webui pod.
+  # The slim multi-stage nuxt-client image runs as the built-in `node`
+  # user (uid 1000, gid 1000); /usr/src/app/.output is owned by it.
   podSecurityContext:
     runAsNonRoot: true
-    runAsUser: 1001
-    runAsGroup: 1001
-    fsGroup: 1001
+    runAsUser: 1000
+    runAsGroup: 1000
+    fsGroup: 1000
   # Container-level security context for the webui container
   securityContext:
     runAsNonRoot: true
-    runAsUser: 1001
-    runAsGroup: 1001
+    runAsUser: 1000
+    runAsGroup: 1000
     allowPrivilegeEscalation: false
     capabilities:
       drop: