ente-photos 0.2.0: fix public album sharing (#2), add custom CA support (#1) #4

Merged: uro merged 2 commits into main from feature/ente-photos-album-and-ca-fixes on May 4, 2026

Conversation

@uro uro commented May 4, 2026

Summary

Fixes two reported issues in the ente-photos chart and ships v0.2.0.

Fix #1 — custom CA for outbound TLS (S3, SMTP, OIDC)

Adds a new museum.customCA block that mounts a PEM bundle from an existing Secret or ConfigMap at /etc/ssl/certs/custom-ca-bundle.crt and points SSL_CERT_FILE at it. Go's crypto/x509 reads SSL_CERT_FILE automatically, so the museum trusts private CAs without rebuilding the image or running an init container.

museum:
  customCA:
    enabled: true
    existingSecret: ente-custom-ca   # or existingConfigMap
    key: ca.crt

Fix #2 — public album sharing landed on a login page

Root cause was bigger than the issue suggested. ghcr.io/ente-io/web is a single nginx image that serves each frontend on a separate internal port (photos=3000, accounts=3001, albums=3002, auth=3003, cast=3004, share=3005). The chart hard-coded containerPort: 3000 for every web.* block, so accounts/auth/cast/share were all silently running the photos app, and there was no albums component at all — which is why `albums.` always landed on the photos login page.

This PR:

  • Adds a new web.albums component (port 3002) — the only frontend that knows how to render a ?t=TOKEN public album link.
  • Fixes default containerPort for accounts (3001), auth (3003), cast (3004), share (3005).
  • Auto-derives museum.config.apps.publicAlbums / publicLocker / accounts from the matching web.<app>.ingress.hosts[0]. No more keeping three places in sync by hand.
  • Empties the placeholder `*.ente.local` defaults in values.yaml so auto-derive kicks in by default.
  • Updates schema and README; adds a port-mapping table.

Also rolls up

Test plan

  • `helm lint charts/ente-photos` clean
  • `helm template … | kubectl apply --dry-run=client -f -` validates with 22 resources rendered
  • Verified `web.albums` deployment renders with `containerPort: 3002` and `ENTE_API_ORIGIN` / `ENTE_ALBUMS_ORIGIN` env vars
  • Verified `SSL_CERT_FILE` env var and `/etc/ssl/certs/custom-ca-bundle.crt` volume mount when `museum.customCA.enabled=true`
  • Verified `apps.publicAlbums: "https://albums.example.com"` is auto-derived from `web.albums.ingress.hosts[0]`
  • Real cluster smoke test — generate public album link in photos UI, open it on the configured albums domain, confirm the album loads (rather than login screen)

Closes #1
Closes #2
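The mechanism Fix #1 relies on, shown end to end as an added example (not code from this PR or from the ente project): a throwaway private CA signs a certificate for a local TLS server; a client whose root pool lacks that CA fails with x509.UnknownAuthorityError, which is the failure the S3/SMTP issue describes; then SSL_CERT_FILE is pointed at a PEM bundle containing the CA and a client that uses Go's default (system) roots succeeds without any code change. The CA name "Example Private Root CA", the "minio.internal" subject and the temp-file location are placeholders; the chart's real mount path is /etc/ssl/certs/custom-ca-bundle.crt. Go honours SSL_CERT_FILE on Linux and other Unix systems only (macOS and Windows use platform verifiers) and loads the system pool once per process, so the variable has to be set before anything touches system roots; in the chart that is guaranteed because it is a container environment variable.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"io"
	"log"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"os"
	"path/filepath"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue signs tmpl with parent/parentKey; a nil parent makes tmpl self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// get performs one HTTPS GET; roots == nil selects Go's system pool, as museum's outbound clients do.
func get(url string, roots *x509.CertPool) error {
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12}, DisableKeepAlives: true}
	resp, err := (&http.Client{Transport: tr}).Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// Run returns the error seen before the private CA is trusted and the error (nil on
// success) seen once SSL_CERT_FILE points at a bundle that contains it.
func Run() (untrusted, trusted error) {
	now := time.Now()
	ca, caKey := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		Subject:   pkix.Name{CommonName: "Example Private Root CA"}, // placeholder name
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
	}, nil, nil)
	leaf, leafKey := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), KeyUsage: x509.KeyUsageDigitalSignature,
		Subject:     pkix.Name{CommonName: "minio.internal"}, // placeholder S3 endpoint
		NotBefore:   now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)}, // httptest binds 127.0.0.1
	}, ca, caKey)

	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		io.WriteString(w, "ok")
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey}}}
	srv.Config.ErrorLog = log.New(io.Discard, "", 0) // the first GET is meant to fail the handshake
	srv.StartTLS()
	defer srv.Close()

	// Before: a root pool without the private CA, standing in for the image's stock roots.
	untrusted = get(srv.URL, x509.NewCertPool())

	// The chart mounts the bundle at /etc/ssl/certs/custom-ca-bundle.crt; a temp file stands in here.
	dir, err := os.MkdirTemp("", "custom-ca")
	must(err)
	defer os.RemoveAll(dir)
	bundle := filepath.Join(dir, "custom-ca-bundle.crt")
	must(os.WriteFile(bundle, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw}), 0o644))
	// Go reads its system roots once per process (and honours SSL_CERT_FILE on Linux/Unix only),
	// so this must precede any use of them; the chart ensures that via the container env var.
	must(os.Setenv("SSL_CERT_FILE", bundle))

	// After: nil RootCAs selects the system pool, which now contains the private CA.
	trusted = get(srv.URL, nil)
	return untrusted, trusted
}

func main() {
	untrusted, trusted := Run()
	log.Printf("without the CA:     %v", untrusted)
	log.Printf("with SSL_CERT_FILE: %v", trusted) // <nil> once the bundle is picked up
}
```

One caveat to keep in mind when operating this: Go treats SSL_CERT_FILE as a replacement for its default bundle file list (such as /etc/ssl/certs/ca-certificates.crt), not as an addition to it, but it still scans the default certificate directories, /etc/ssl/certs among them. Mounting the bundle inside /etc/ssl/certs, as the chart does, therefore keeps the image's public roots in play; if you ever point SSL_CERT_FILE at a private-CA-only file outside those directories, confirm that public CAs (for example a hosted S3 or SMTP provider) are still trusted.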

Two upstream issues addressed:

#1 — Custom CA for S3/SMTP TLS verification.
A new museum.customCA block mounts a PEM bundle from an existing
Secret or ConfigMap at /etc/ssl/certs/custom-ca-bundle.crt and points
SSL_CERT_FILE at it. Go's crypto/x509 picks it up automatically, so the
museum now trusts private CAs without a rebuild.

#2 — Public album sharing landed on a login page because the chart had
no albums frontend at all and routed albums.<domain> to the photos
app (port 3000) instead of the bundled albums app (port 3002).

Root cause: ghcr.io/ente-io/web is a single nginx image that serves
each frontend on a different port (photos=3000, accounts=3001,
albums=3002, auth=3003, cast=3004, share=3005). The chart hard-coded
containerPort=3000 for every web.* block, so accounts/auth/cast/share
were all secretly running the photos app.

This commit:
  - Adds a new web.albums component (port 3002) — required for
    public album sharing
  - Fixes the default containerPort for accounts (3001), auth (3003),
    cast (3004), share (3005)
  - Auto-derives museum.config.apps.publicAlbums / publicLocker /
    accounts from the matching web.<app>.ingress.hosts[0]
  - Empties the placeholder *.ente.local defaults in values.yaml so
    auto-derive kicks in by default
  - Updates schema and README; bumps chart to 0.2.0

The previous workflow pinned Python 3.7, which has been EOL since
June 2023 and was removed from GitHub-hosted runners — every run
failed at the setup-python step before reaching ct lint.

Bumps:
  - actions/checkout@v2 → @v4
  - actions/setup-python@v2 (3.7) → @v5 (3.12)
  - azure/setup-helm@v1 (3.8.1) → @v4 (3.16.3)
  - helm/chart-testing-action@v2.2.1 → @v2.6.1
  - replaces deprecated ::set-output with $GITHUB_OUTPUT

Drops the ct install step. Charts in this repo (ente-photos,
freescout, chibisafe) require external Postgres / S3 / etc. that
is not provisioned in CI; ct install would crashloop the museum
pod and fail. Lint coverage stays in place.
@uro uro marked this pull request as ready for review May 4, 2026 10:50
@uro uro merged commit 1e3197b into main May 4, 2026
1 check passed

Development

Successfully merging this pull request may close these issues.

[ente-photos chart] Public album sharing not working.
[ente-photos chart] Ability to add custom root CA for s3 storage