l4gdev · uro · May 4, 2026 · May 4, 2026 · May 4, 2026
diff --git a/.github/workflows/lint-test.yaml b/.github/workflows/lint-test.yaml
@@ -12,44 +12,36 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
       - name: Install Helm
-        uses: azure/setup-helm@v1
+        uses: azure/setup-helm@v4
         with:
-          version: v3.8.1
+          version: v3.16.3
 
       - name: Add dependency chart repos
         run: |
           helm repo add bitnami https://charts.bitnami.com/bitnami
 
-      - uses: actions/setup-python@v2
+      - name: Set up Python
+        uses: actions/setup-python@v5
         with:
-          python-version: 3.7
+          python-version: '3.12'
 
       - name: Set up chart-testing
-        uses: helm/chart-testing-action@v2.2.1
+        uses: helm/chart-testing-action@v2.6.1
 
       - name: Run chart-testing (list-changed)
         id: list-changed
         run: |
           changed=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }})
           if [[ -n "$changed" ]]; then
-            echo "::set-output name=changed::true"
+            echo "changed=true" >> "$GITHUB_OUTPUT"
           fi
 
       - name: Run chart-testing (lint)
         id: lint
         run: ct lint --config ct.yaml --target-branch ${{ github.event.repository.default_branch }} --validate-maintainers=false
         if: steps.list-changed.outputs.changed == 'true'
-
-      - name: Create kind cluster
-        uses: helm/kind-action@v1.3.0
-        if: steps.list-changed.outputs.changed == 'true'
-
-      - name: Run chart-testing (install)
-        id: install
-        run: ct install --config ct.yaml --target-branch ${{ github.event.repository.default_branch }}
-        if: steps.list-changed.outputs.changed == 'true'
diff --git a/charts/bulwark-mail/Chart.yaml b/charts/bulwark-mail/Chart.yaml
@@ -2,9 +2,9 @@ apiVersion: v2
 name: bulwark-mail
 description: Helm chart for Bulwark Mail — a self-hosted JMAP webmail with native Ingress and multi-host TLS
 type: application
-version: 0.2.1
+version: 0.2.2
 appVersion: "1.6.0"
-icon: https://raw.githubusercontent.com/bulwarkmail/webmail/main/public/favicon.ico
+icon: https://raw.githubusercontent.com/bulwarkmail/webmail/main/public/icon-192x192.png
 home: https://github.com/l4gdev/helm-charts/tree/main/charts/bulwark-mail
 sources:
   - https://github.com/bulwarkmail/webmail
@@ -21,7 +21,7 @@ keywords:
   - self-hosted
 kubeVersion: ">=1.23.0-0"
 annotations:
-  artifacthub.io/category: communication
+  artifacthub.io/category: networking
   artifacthub.io/license: AGPL-3.0
   artifacthub.io/links: |
     - name: Chart Source
@@ -32,6 +32,8 @@ annotations:
   artifacthub.io/prerelease: "false"
   artifacthub.io/containsSecurityUpdates: "false"
   artifacthub.io/changes: |
+    - kind: fixed
+      description: Replaced 404 favicon icon URL with valid icon-192x192.png and switched category from invalid "communication" to "networking" so ArtifactHub indexing succeeds
     - kind: added
       description: README + values.yaml comments now warn that `config.jmapServerUrl` is exposed to the browser via `/api/config` and must be publicly resolvable; cluster-internal Service names produce "Unable to reach the server"
     - kind: added

diff --git a/charts/ente-photos/Chart.yaml b/charts/ente-photos/Chart.yaml
@@ -20,7 +20,7 @@ maintainers:
   - name: L4G
     email: contact@l4g.dev
 type: application
-version: 0.1.1
+version: 0.2.0
 appVersion: "latest"
 
 annotations:
@@ -37,6 +37,16 @@ annotations:
   artifacthub.io/prerelease: "false"
   artifacthub.io/containsSecurityUpdates: "false"
   artifacthub.io/changes: |
+    - kind: added
+      description: New web.albums component (port 3002) so public album sharing works (#2)
+    - kind: added
+      description: museum.customCA for mounting a private CA bundle for S3/SMTP TLS verification (#1)
+    - kind: fixed
+      description: Web frontends no longer all default to port 3000 — accounts/auth/cast/share/albums each use the correct entrypoint port inside ghcr.io/ente-io/web
+    - kind: changed
+      description: museum.config.apps.publicAlbums, publicLocker, accounts auto-derive from the matching web ingress when not set explicitly
+    - kind: fixed
+      description: JWT secret is now generated and documented as URL-safe base64 to match Ente's b64.URLEncoding decoder (#3)
     - kind: added
       description: Added values schema file, fixed logo url
     - kind: added

diff --git a/charts/ente-photos/README.md b/charts/ente-photos/README.md
@@ -216,6 +216,64 @@ credentials:
 
 ## Web Frontends
 
+The `ghcr.io/ente-io/web` image bundles every Ente frontend on a separate internal port.
+The chart maps each `web.<app>` block to the right port; do not change `containerPort` unless you know what you are doing.
+
+| `web.<app>` | Internal port | Purpose |
+| --- | --- | --- |
+| `photos` | 3000 | Main photos web app |
+| `accounts` | 3001 | Account management |
+| `albums` | 3002 | **Public album sharing — what `museum.config.apps.publicAlbums` must point at** |
+| `auth` | 3003 | 2FA codes (Ente Auth) |
+| `cast` | 3004 | Chromecast |
+| `share` | 3005 | Public file/locker sharing (via Ente desktop/mobile clients) |
+
+### Public album sharing (issue #2)
+
+When a user creates a public album link, the photos web app produces a URL like `https://albums.example.com/?t=TOKEN`.
+That domain MUST route to the `web.albums` deployment (port 3002).
+Pointing it at `web.photos` (the default photos app on port 3000) lands users on a login screen, which is what older deployments of this chart did.
+
+Minimum config that makes album sharing work:
+
+```yaml
+web:
+  photos:
+    ingress:
+      enabled: true
+      hosts: [{ host: photos.example.com, paths: [{ path: /, pathType: Prefix }] }]
+      tls: [{ secretName: photos-tls, hosts: [photos.example.com] }]
+  albums:
+    enabled: true
+    ingress:
+      enabled: true
+      hosts: [{ host: albums.example.com, paths: [{ path: /, pathType: Prefix }] }]
+      tls: [{ secretName: albums-tls, hosts: [albums.example.com] }]
+```
+
+`museum.config.apps.publicAlbums` is auto-derived from `web.albums.ingress.hosts[0].host`, so you do not need to set it manually unless your albums domain lives outside the cluster.
+
+### Custom CA for outbound TLS (issue #1)
+
+When the museum talks to S3 or SMTP over TLS with a private CA (self-hosted MinIO, internal cert authority), drop the CA bundle into a Secret:
+
+```bash
+kubectl create secret generic ente-custom-ca --from-file=ca.crt=./my-ca.crt
+```
+
+…and enable it:
+
+```yaml
+museum:
+  customCA:
+    enabled: true
+    existingSecret: ente-custom-ca
+    key: ca.crt
+```
+
+The chart mounts it at `/etc/ssl/certs/custom-ca-bundle.crt` and sets `SSL_CERT_FILE` to that path.
+Go's `crypto/x509` reads `SSL_CERT_FILE` automatically, so the museum will trust certs signed by this CA on subsequent S3/SMTP requests without an init container or `update-ca-certificates` rebuild.
+
 ### Disabling Frontends
 
 If you only need the API server (e.g., using mobile apps only):
@@ -228,6 +286,8 @@ web:
     enabled: false
   accounts:
     enabled: false
+  albums:
+    enabled: false
   share:
     enabled: false
 ```