From 5c75bb4b9ea8bc2d9f56e1ecb7178a6d9a3660ba Mon Sep 17 00:00:00 2001 From: Nick Douma Date: Sun, 29 Aug 2021 17:20:39 +0200 Subject: [PATCH] [searx] Update to latest version (#1136) * Searx-Checker is no longer a separate tool Signed-off-by: Nick Douma * Reindent files Signed-off-by: Nick Douma * Use newer version of Searx Signed-off-by: Nick Douma * Allow turning off Caddy automatic TLS Signed-off-by: Nick Douma * Bump version and update Chart Readme Signed-off-by: Nick Douma * Update searx changelog --- charts/stable/searx/Chart.yaml | 2 +- charts/stable/searx/README.md | 16 ++- .../stable/searx/README_CHANGELOG.md.gotmpl | 9 ++ charts/stable/searx/templates/common.yaml | 17 --- charts/stable/searx/templates/configmap.yaml | 100 +++++++++--------- charts/stable/searx/values.yaml | 12 +-- 6 files changed, 73 insertions(+), 83 deletions(-) diff --git a/charts/stable/searx/Chart.yaml b/charts/stable/searx/Chart.yaml index 61f806b6..2711b0c8 100644 --- a/charts/stable/searx/Chart.yaml +++ b/charts/stable/searx/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 appVersion: 1.0.0 description: Searx is a privacy-respecting, hackable metasearch engine name: searx -version: 5.0.0 +version: 5.1.0 kubeVersion: ">=1.16.0-0" keywords: - searx diff --git a/charts/stable/searx/README.md b/charts/stable/searx/README.md index a50a67ef..8ac9233b 100644 --- a/charts/stable/searx/README.md +++ b/charts/stable/searx/README.md @@ -1,6 +1,6 @@ # searx -![Version: 5.0.0](https://img.shields.io/badge/Version-5.0.0-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square) +![Version: 5.1.0](https://img.shields.io/badge/Version-5.1.0-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square) Searx is a privacy-respecting, hackable metasearch engine 
@@ -77,6 +77,7 @@ N/A | Key | Type | Default | Description | |-----|------|---------|-------------| +| caddy.noTls | bool | `false` | caddy sidecar disable auto tls if behind another loadbalancer or ingress | | caddy.pullPolicy | string | `"IfNotPresent"` | caddy sidecar image pull policy | | caddy.repository | string | `"caddy"` | caddy sidecar image repository | | caddy.tag | string | `"2.2.0-alpine"` | caddy sidecar image tag | @@ -85,7 +86,7 @@ N/A | filtron.tag | string | `"latest"` | filtron sidecar image tag | | image.pullPolicy | string | `"IfNotPresent"` | image pull policy | | image.repository | string | `"searx/searx"` | image repository | -| image.tag | string | `"1.0.0"` | image tag | +| image.tag | string | `"1.0.0-211-968b2899"` | image tag | | ingress.main | object | See values.yaml | Enable and configure ingress settings for the chart under this key. | | morty.pullPolicy | string | `"Always"` | morty sidecar image pull policy | | morty.repository | string | `"dalf/morty"` | morty sidecar image repository | @@ -94,9 +95,6 @@ N/A | searx.baseUrl | string | `"https://searx.DOMAIN"` | External URL where the application is reachable | | searx.existingSecret | string | `nil` | Specify an existing secret that contains the environment variables required for the application configuration. | | searx.mortyKey | string | `"changeme"` | Generate a random key used by Morty (Privacy aware web content sanitizer proxy as a service). Example : `openssl rand -base64 24` | -| searxChecker.pullPolicy | string | `"Always"` | searx-checker sidecar image pull policy | -| searxChecker.repository | string | `"searx/searx-checker"` | searx-checker sidecar image repository | -| searxChecker.tag | string | `"latest"` | searx-checker sidecar image tag | | service | object | See values.yaml | Configures service settings for the chart. | ## Changelog 
@@ -105,6 +103,14 @@ All notable changes to this application Helm chart will be documented in this fi The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +### [5.1.0] + +#### Changed + +- Removed searx-checker container from Helm chart because it's integrated into Searx. +- Added the `caddy.noTls` option to disable automatic Let's Encrypt certificates for situations where Searx is running behind another Ingress controller that handles certificates. +- Changed image tag to `1.0.0-211-968b2899`. + ### [5.0.0] #### Changed diff --git a/charts/stable/searx/README_CHANGELOG.md.gotmpl b/charts/stable/searx/README_CHANGELOG.md.gotmpl index 57551293..5ba20b08 100644 --- a/charts/stable/searx/README_CHANGELOG.md.gotmpl +++ b/charts/stable/searx/README_CHANGELOG.md.gotmpl @@ -9,6 +9,15 @@ All notable changes to this application Helm chart will be documented in this fi The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +### [5.1.0] + +#### Changed + +- Removed searx-checker container from Helm chart because it's integrated into Searx. +- Added the `caddy.noTls` option to disable automatic Let's Encrypt certificates for situations where Searx is running behind another Ingress controller that handles certificates. +- Changed image tag to `1.0.0-211-968b2899`. + + ### [5.0.0] #### Changed diff --git a/charts/stable/searx/templates/common.yaml b/charts/stable/searx/templates/common.yaml index 9850f039..f9d827b4 100644 --- a/charts/stable/searx/templates/common.yaml +++ b/charts/stable/searx/templates/common.yaml @@ -19,11 +19,6 @@ persistence: configMap: name: {{ printf "%v-config" (include "common.names.fullname" .) }} - searx-checker: - enabled: true - type: emptyDir - mountPath: "-" - additionalContainers: caddy: name: caddy 
@@ -36,18 +31,6 @@ additionalContainers: - name: searx-config mountPath: /etc/caddy/Caddyfile subPath: Caddyfile - - name: searx-checker - mountPath: /srv/searx-checker - - searx-checker: - name: searx-checker - image: "{{ .Values.searxChecker.repository }}:{{ .Values.searxChecker.tag }}" - imagePullPolicy: {{ .Values.searxChecker.pullPolicy }} - args: - ["-cron", "-o", "html/data/status.json", "http://localhost:8080"] - volumeMounts: - - name: searx-checker - mountPath: /usr/local/searx-checker/html/data filtron: name: filtron diff --git a/charts/stable/searx/templates/configmap.yaml b/charts/stable/searx/templates/configmap.yaml index 88de52fd..0bd6e348 100644 --- a/charts/stable/searx/templates/configmap.yaml +++ b/charts/stable/searx/templates/configmap.yaml @@ -10,35 +10,38 @@ data: Caddyfile: |- { admin off + {{- if .Values.caddy.noTls }} + auto_https off + {{- end }} } :80 { - log { + log { output discard - } + } - @api { + @api { path /config - path /status - } + path /status + } - @static { + @static { path /static/* - } + } - @notstatic { + @notstatic { not path /static/* - } + } - @morty { + @morty { path /morty/* - } + } - @notmorty { + @notmorty { not path /morty/* - } + } - header { + header { # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" 
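Review bot: The new `auto_https off` branch in the Caddyfile global options has no comment, and the only site block visible in this hunk is `:80`. A port-only HTTP address would not normally trigger certificate issuance, so it is worth confirming that the option changes Caddy's behaviour for this config at all. Either way the listener is plaintext while the unchanged `Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"` header is still sent, so the chart relies on an upstream proxy for TLS. I would state that next to the option, e.g. `# TLS must be terminated upstream (ingress/load balancer); Caddy only serves HTTP on :80`. The `header` block opened at the end of this hunk continues outside it.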
@@ -52,6 +55,9 @@ data: X-Frame-Options "SAMEORIGIN" # Disable some features + Permissions-Policy "accelerometer=();ambient-light-sensor=(); autoplay=();camera=();encrypted-media=();focus-without-user-activation=(); geolocation=();gyroscope=();magnetometer=();microphone=();midi=();payment=();picture-in-picture=(); speaker=();sync-xhr=();usb=();vr=()" + + # Disable some features (legacy) Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'" # Referer 
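Review bot: The added `Permissions-Policy` value separates its entries with `;`, which is Feature-Policy syntax. Permissions-Policy is a structured-field dictionary whose members are separated by commas, so browsers are likely to reject the whole header and apply none of the intended restrictions. I would change only the separators, e.g. `Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), ..."`, keeping the remaining entries in the same order, and leave the legacy `Feature-Policy` line as it is. Checking a rendered response in a browser console would confirm that the header parses. The enclosing `header` block starts and ends outside this hunk.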
@@ -62,60 +68,52 @@ data: # Remove Server header -Server - } + } - header @api { + header @api { Access-Control-Allow-Methods "GET, OPTIONS" Access-Control-Allow-Origin "*" - } + } - # Cache - header @static { + # Cache + header @static { # Cache - Cache-Control "public, max-age=31536000" - defer - } + Cache-Control "public, max-age=31536000" + defer + } - header @notstatic { + header @notstatic { # No Cache Cache-Control "no-cache, no-store" Pragma "no-cache" - } + } - # CSP (see http://content-security-policy.com/ ) - header @morty { - Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; form-action 'self'; frame-ancestors 'self'; base-uri 'self'; img-src 'self' data:; font-src 'self'; frame-src 'self'" - } + # CSP (see http://content-security-policy.com/ ) + header @morty { + Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; form-action 'self'; frame-ancestors 'self'; base-uri 'self'; img-src 'self' data:; font-src 'self'; frame-src 'self'" + } - header @notmorty { + header @notmorty { Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self'; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com" - } + } - # Searx-Checker - uri replace /status /searx-checker/status.json - handle /searx-checker/status.json { - root * /srv - file_server - } - - # Morty - handle @morty { + # Morty + handle @morty { reverse_proxy localhost:3000 - } + } - # Filtron - handle { + # Filtron + handle { encode zstd gzip reverse_proxy localhost:4040 { - header_up X-Forwarded-Port {http.request.port} - header_up X-Forwarded-Proto {http.request.scheme} - 
header_up X-Forwarded-TlsProto {tls_protocol} - header_up X-Forwarded-TlsCipher {tls_cipher} - header_up X-Forwarded-HttpsProto {proto} + header_up X-Forwarded-Port {http.request.port} + header_up X-Forwarded-Proto {http.request.scheme} + header_up X-Forwarded-TlsProto {tls_protocol} + header_up X-Forwarded-TlsCipher {tls_cipher} + header_up X-Forwarded-HttpsProto {proto} } - } - + } } rules.json: |- [ @@ -238,7 +236,7 @@ data: "aggregations": ["Header:X-Forwarded-For"], "actions": [ {"name": "block", - "params": {"message": "Rate limit exceeded, try again later."}} + "params": {"message": "Rate limit exceeded, try again later."}} ] }, { @@ -260,7 +258,7 @@ data: "actions": [ {"name": "block", "params": {"message": "Rate limit exceeded, try again later."}} - ] + ] } ] } diff --git a/charts/stable/searx/values.yaml b/charts/stable/searx/values.yaml index a4410905..f0fd73d5 100644 --- a/charts/stable/searx/values.yaml +++ b/charts/stable/searx/values.yaml @@ -9,7 +9,7 @@ image: # -- image repository repository: searx/searx # -- image tag - tag: 1.0.0 + tag: 1.0.0-211-968b2899 # -- image pull policy pullPolicy: IfNotPresent @@ -23,14 +23,6 @@ searx: # Example : `openssl rand -base64 24` mortyKey: "changeme" -searxChecker: - # -- searx-checker sidecar image repository - repository: searx/searx-checker - # -- searx-checker sidecar image tag - tag: latest - # -- searx-checker sidecar image pull policy - pullPolicy: Always - filtron: # -- filtron sidecar image repository repository: dalf/filtron @@ -54,6 +46,8 @@ caddy: tag: 2.2.0-alpine # -- caddy sidecar image pull policy pullPolicy: IfNotPresent + # -- caddy sidecar disable auto tls if behind another loadbalancer or ingress + noTls: false # -- Configures service settings for the chart. # @default -- See values.yaml
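Review bot: In the Filtron `reverse_proxy` block, the re-indented `header_up X-Forwarded-Proto {http.request.scheme}` and `header_up X-Forwarded-Port {http.request.port}` lines report Caddy's own listener, which is plain HTTP on `:80`. In the deployment the new `caddy.noTls` option targets (TLS terminated by an upstream ingress), the backend would therefore be told `http` even for HTTPS clients. The filtron rules further down in the same file aggregate rate limits on `Header:X-Forwarded-For`, so those limits are only as trustworthy as the proxy that sets that header. I would add a comment above the block such as `# X-Forwarded-* reflect Caddy's listener; the outermost proxy must overwrite client-supplied X-Forwarded-For`, and repeat the requirement in the `caddy.noTls` description in values.yaml. Whether searx or filtron act on X-Forwarded-Proto is not visible in this patch.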