charts/charts/overseerr/examples/values-ingress.yaml at 6752d5b024f50659e634d3f3d06b709c29939ae1 · buildsociety/charts · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
# Ingress Overseerr Configuration
# This example shows Overseerr configured with external access via ingress

overseerr:
  enabled: true

  # Environment configuration
  env:
    PUID: 1000
    PGID: 1000
    TZ: "Europe/London"
    UMASK_SET: "022"
    LOG_LEVEL: "info"
    PORT: "5055"

  # Higher resource configuration for external access
  resources:
    limits:
      cpu: 2000m
      memory: 1Gi
    requests:
      cpu: 500m
      memory: 512Mi

  # Persistence configuration
  persistence:
    config:
      enabled: true
      size: 10Gi
      storageClass: ""

    logs:
      enabled: true
      size: 2Gi
      storageClass: ""

  # Service configuration
  service:
    type: ClusterIP
    port: 5055
    targetPort: 5055

  # Application settings for reverse proxy
  settings:
    baseUrl: ""
    trustProxy: true
    apiRateLimit: true
    apiRateLimitMax: 200
    apiRateLimitWindow: 10

  # Security context
  securityContext:
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000
    runAsNonRoot: true
    readOnlyRootFilesystem: false

  # Ingress configuration for external access
  ingress:
    enabled: true
    className: "nginx"
    annotations:
      cert-manager.io/cluster-issuer: "letsencrypt-prod"
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
      nginx.ingress.kubernetes.io/proxy-body-size: "0"
      nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
      nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
      nginx.ingress.kubernetes.io/rate-limit: "100"
      nginx.ingress.kubernetes.io/rate-limit-window: "1m"
      nginx.ingress.kubernetes.io/auth-type: basic
      nginx.ingress.kubernetes.io/auth-secret: overseerr-basic-auth
      nginx.ingress.kubernetes.io/auth-realm: "Authentication Required - Overseerr"
    hosts:
      - host: overseerr.example.com
        paths:
          - path: /
            pathType: Prefix
    tls:
      - secretName: overseerr-tls
        hosts:
          - overseerr.example.com

  # Homepage integration with external URL
  homepage:
    enabled: true
    group: "Media"
    name: "Overseerr"
    description: "Request Manager (External)"
    widget:
      type: "overseerr"
      url: "https://overseerr.example.com"
      key: "your-api-key-here"

# Pod configuration
pod:
  securityContext:
    fsGroup: 1000

  # Node placement for external access
  nodeSelector:
    node-role.kubernetes.io/worker: "true"

  annotations:
    description: "Overseerr with external access via ingress"
    external.access: "enabled"

# Service account
serviceAccount:
  create: true
  annotations:
    description: "Overseerr external access service account"

# Network policy for controlled external access
networkPolicy:
  enabled: true
  ingress:
    # Allow ingress controller access
    - from:
        - namespaceSelector:
            matchLabels:
              name: ingress-nginx
      ports:
        - protocol: TCP
          port: 5055
    # Allow internal cluster access
    - from:
        - namespaceSelector: {}
      ports:
        - protocol: TCP
          port: 5055
  egress:
    # Allow external API calls (TMDb, etc.)
    - to: []
      ports:
        - protocol: TCP
          port: 443
        - protocol: TCP
          port: 80
    # Allow DNS
    - to: []
      ports:
        - protocol: TCP
          port: 53
        - protocol: UDP
          port: 53
    # Allow connection to Plex and *arr services
    - to:
        - namespaceSelector:
            matchLabels:
              name: media
      ports:
        - protocol: TCP
          port: 32400  # Plex
        - protocol: TCP
          port: 8989   # Sonarr
        - protocol: TCP
          port: 7878   # Radarr
        - protocol: TCP
          port: 8686   # Lidarr

# Monitoring for external access
serviceMonitor:
  enabled: true
  labels:
    app: overseerr
    release: prometheus
  annotations:
    description: "Overseerr external access monitoring"
  interval: "30s"
  scrapeTimeout: "10s"
  path: "/api/v1/status"

# HPA for variable load from external users
hpa:
  enabled: true
  minReplicas: 1
  maxReplicas: 3
  targetCPUUtilizationPercentage: 70
  targetMemoryUtilizationPercentage: 80

# PDB for availability
podDisruptionBudget:
  enabled: true
  minAvailable: 1

# Global settings
global:
  timezone: "Europe/London"