Feedback on installation with Kubernetes and nginx reverse proxy #1039

Open
eric-b opened this issue Dec 28, 2024 · 1 comment
Labels
type:bug Something isn't working

Comments


eric-b commented Dec 28, 2024

Data

  • v1.7.2
  • Database Engine: postgresql.
  • Operating system: docker image ghcr.io/go-shiori/shiori:v1.7.2 (with Kubernetes)

Describe the bug / actual behavior

I noticed two inconsistencies in the documentation related to the nginx reverse proxy and Kubernetes deployment.

Nginx reverse proxy configuration

The documented configuration for the nginx reverse proxy does not work (the only change is my local service name):

location /shiori {
    proxy_pass http://shiori-service:8080/;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
}

With related configuration of container:

spec:
  template:
    spec:
      containers:
      - name: shiori
        image: ghcr.io/go-shiori/shiori:v1.7.2
        command: ["/usr/bin/shiori", "server", "--webroot", "/shiori"]
        ports:
        - containerPort: 8080
        env:
          - name: SHIORI_HTTP_ROOT_PATH
            value: "/shiori"

With this configuration, the root endpoint works but any asset (CSS, scripts) fails with HTTP 404.

To make it work, I had to add a trailing slash to the location:

location /shiori/ {
    proxy_pass http://shiori-service:8080/;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
} 

Security context documented for filesystem in container does not work

With the documented security context, archive won't work, with these logs (look for permission denied):

2024/12/28 13:00:52 File download not successful for image URL: https://techcrunch.com/wp-content/uploads/2024/12/data-breach-2024-roundup.jpg?resize=1200,675
2024/12/28 13:00:53 File download not successful for image URL: https://techcrunch.com/wp-content/uploads/2015/02/cropped-cropped-favicon-gradient.png?w=192
time="2024-12-28T13:00:53Z" level=error msg="error downloading bookmark cache" bookmark_id=1 error="failed to create temp archive: open /tmp/archive1354283793: permission denied" url="https://techcrunch.com/2024/12/26/badly-handled-data-breaches-2024/"
time="2024-12-28T13:00:55Z" level=info msg="10.42.0.1 - shiori-deployment-679d47fdb-bhmqc [28/Dec/2024:13:00:55 +0000] \"PUT /api/v1/bookmarks/cache\" 200 416 \"http://.../shiori/\" \"Mozilla/5.0..." (3459ms)"

The Kubernetes manifest used is the following. Notice the commented lines on securityContext (it works without it, it does not work with it):

apiVersion: apps/v1
kind: Deployment
metadata:
  name: shiori-deployment
  labels:
    app: shiori
spec:
  replicas: 1
  selector:
    matchLabels:
      app: shiori
  template:
    metadata:
      labels:
        app: shiori
    spec:
      # securityContext:
      #   runAsUser: 1000
      #   runAsGroup: 1000
      #   fsGroup: 1000
      volumes:
      - name: shiori-data
        persistentVolumeClaim:
          claimName: shiori-pvc
      containers:
      - name: shiori
        imagePullPolicy: IfNotPresent
        image: ghcr.io/go-shiori/shiori:v1.7.2
        command: ["/usr/bin/shiori", "server", "--webroot", "/shiori"]
        ports:
        - containerPort: 8080
        volumeMounts:
        - mountPath: /shiori
          name: shiori-data
        env:
          - name: SHIORI_DIR
            value: /shiori
          - name: SHIORI_HTTP_ROOT_PATH
            value: "/shiori"

As a side note, there are other inconsistencies in the documented manifest: HTTP_ROOT_PATH should be SHIORI_HTTP_ROOT_PATH (I guess), and "serve" should be "server".
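
The two `location` blocks in the report above differ only in the trailing slash. As an added example (not part of the original post or the Shiori project), this simplified model of nginx prefix matching and `proxy_pass` URI replacement shows the upstream path each block produces; the asset path and the `/shiorifoo/bar` request are constructed samples.

```python
# Added example: simplified model of how nginx picks a prefix location and
# rewrites the URI for proxy_pass. Paths only; regex locations, URI
# normalization and query strings are not modelled.

def route(location: str, proxy_uri: str, path: str):
    """Return (action, value) for one request path against one prefix location
    whose proxy_pass carries the URI part `proxy_uri` (here "/")."""
    if path.startswith(location):
        # proxy_pass with a URI: the matched prefix is replaced by that URI.
        return ("proxy", proxy_uri + path[len(location):])
    if location.endswith("/") and path == location[:-1]:
        # Prefix ending in "/" handled by proxy_pass: nginx answers the
        # slash-less form with a 301 to the location itself.
        return ("redirect", location)
    return ("no-match", None)

# Constructed sample request paths (the asset path is hypothetical).
SAMPLES = ["/shiori", "/shiori/", "/shiori/assets/css/style.css", "/shiorifoo/bar"]

def compare(proxy_uri: str = "/"):
    """Map each sample path to its outcome under both location blocks."""
    return {p: {loc: route(loc, proxy_uri, p) for loc in ("/shiori", "/shiori/")}
            for p in SAMPLES}

if __name__ == "__main__":
    for path, outcomes in compare().items():
        for loc, (action, value) in outcomes.items():
            print(f"location {loc:<9} {path:<30} -> {action} {value}")
```

With `location /shiori`, every path below the prefix reaches the upstream with a doubled leading slash, and the block also matches unrelated paths such as `/shiorifoo/bar`; `location /shiori/` avoids both.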

@eric-b eric-b added the type:bug Something isn't working label Dec 28, 2024
@github-project-automation github-project-automation bot moved this to To do in Roadmap Dec 28, 2024
@fmartingr
Member

/tmp folder docs fixed by #1040
