From aaf84605a524a2792eb4527a8cd70a3f39cee5cd Mon Sep 17 00:00:00 2001
From: ange <ange@yw5n.com>
Date: Sat, 3 May 2025 04:24:51 +0000
Subject: [PATCH] bump: v1.11.99 (#7)

Reviewed-on: https://git.gmoker.com/gmoker/element/pulls/7
---
 .env                      |  2 +-
 compose.yaml              |  4 +++-
 manifests/bin/deploy.sh   | 17 ++++++++---------
 manifests/common/app.yaml | 22 ++++++++++++++++------
 4 files changed, 28 insertions(+), 17 deletions(-)

diff --git a/.env b/.env
index a9b0247..539d3c4 100644
--- a/.env
+++ b/.env
@@ -1,2 +1,2 @@
 PROD_URL=chat.gmoker.com
-IMAGEAPP=docker.io/vectorim/element-web:v1.11.89
+IMAGEAPP=docker.io/vectorim/element-web:v1.11.99
diff --git a/compose.yaml b/compose.yaml
index 46a687a..6cfa2cf 100644
--- a/compose.yaml
+++ b/compose.yaml
@@ -4,6 +4,8 @@ services:
     image: "$IMAGEAPP"
     restart: unless-stopped
     ports:
-      - "8080:80"
+      - "8080:8080"
+    environment:
+      - ELEMENT_WEB_PORT=8080
     volumes:
       - ./config/config.json:/app/config.json:ro
diff --git a/manifests/bin/deploy.sh b/manifests/bin/deploy.sh
index 2b49f47..e8b4783 100755
--- a/manifests/bin/deploy.sh
+++ b/manifests/bin/deploy.sh
@@ -3,34 +3,33 @@ set -o pipefail
 
 function kapply() {
     for f in "$@"; do
-        kubectl apply -f <(envsubst < "manifests/$f")
+        kubectl apply --server-side \
+            -f<(envsubst "$(env | sed 's/^/$/')" < "manifests/$f")
     done
 }; export -f kapply
 
 function kcreatesec() {
-    kubectl create secret generic --dry-run=client -oyaml "$@" | kubectl replace -f-
+    kubectl apply --server-side \
+        -f<(kubectl create secret generic --dry-run=client -oyaml "$@")
 }; export -f kcreatesec
 
 function kcreatecm() {
-    kubectl create configmap --dry-run=client -oyaml "$@" | kubectl replace -f-
+    kubectl apply --server-side \
+        -f<(kubectl create configmap --dry-run=client -oyaml "$@")
 }; export -f kcreatecm
 
 function kgseckey() {
     local sec="$1"; shift
     local key="$1"; shift
 
-    if ! kubectl get secret "$sec" -ojson | jq -re ".data.\"$key\" // empty" | base64 -d; then
-        return 1
-    fi
+    kubectl get secret "$sec" -ojson | jq -re ".data.\"$key\"" | base64 -d
 }; export -f kgseckey
 
 function kgcmkey() {
     local cm="$1";  shift
     local key="$1"; shift
 
-    if ! kubectl get configmap "$cm" -ojson | jq -re ".data.\"$key\" // empty"; then
-        return 1
-    fi
+    kubectl get configmap "$cm" -ojson | jq -re ".data.\"$key\""
 }; export -f kgcmkey
 
 
diff --git a/manifests/common/app.yaml b/manifests/common/app.yaml
index 1ad43e2..8ca6109 100644
--- a/manifests/common/app.yaml
+++ b/manifests/common/app.yaml
@@ -5,11 +5,18 @@ metadata:
   name: app
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-prod
-    gethomepage.dev/enabled: "true"
-    gethomepage.dev/instance: "$GITHUB_REF_NAME"
-    gethomepage.dev/name: Element
-    gethomepage.dev/icon: element
-    gethomepage.dev/description: Secure collaboration and messaging
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      more_set_headers "X-Frame-Options: SAMEORIGIN";
+      more_set_headers "X-Content-Type-Options: nosniff";
+      more_set_headers "X-XSS-Protection: 1; mode=block";
+      more_set_headers "Content-Security-Policy: frame-ancestors 'self'";
+
+      if ($request_uri = /) {
+        more_set_headers "Cache-Control: no-cache";
+      }
+      if ($request_uri ~* ^/(config\..*\.json|i18n|home|sites|index\.html)$) {
+        more_set_headers "Cache-Control: no-cache, no-store, must-revalidate";
+      }
 spec:
   ingressClassName: nginx
   tls:
@@ -63,7 +70,10 @@ spec:
           image: "$IMAGEAPP"
           ports:
             - name: http
-              containerPort: 80
+              containerPort: 8080
+          env:
+            - name: ELEMENT_WEB_PORT
+              value: "8080"
           volumeMounts:
             - name: config
               mountPath: /app/config.json