From 5e1a919721facd2441785dde8e96c04495ef9d1e Mon Sep 17 00:00:00 2001 From: gilgamezh Date: Fri, 5 Jun 2026 09:22:01 +0200 Subject: [PATCH] fix(nzbget): render newshosting creds via init container nzbget does not expand OS env vars in nzbget.conf (its ${...} only references other nzbget options), so the previous secretKeyRef-as-env approach left the literal ${NEWSHOSTING_USER} in the config and auth failed with 400 DENIED. Add initContainers support to the chart and an init step that seds the Server1 (newshosting) block into nzbget.conf on every start: non-secret settings in git, username/password from the usenet-creds Secret. Rotating the secret + restarting re-renders the creds; no password lands in git. Co-Authored-By: Claude Opus 4.8 --- .../nzbget/templates/deployment.yaml | 4 ++ helm-values/nzbget_values.yaml | 57 ++++++++++++++----- 2 files changed, 47 insertions(+), 14 deletions(-) diff --git a/custom_helm_charts/nzbget/templates/deployment.yaml b/custom_helm_charts/nzbget/templates/deployment.yaml index b303d50..a24acf3 100644 --- a/custom_helm_charts/nzbget/templates/deployment.yaml +++ b/custom_helm_charts/nzbget/templates/deployment.yaml @@ -21,6 +21,10 @@ spec: spec: volumes: {{ toYaml .Values.volumes | indent 6 }} + {{- with .Values.initContainers }} + initContainers: +{{ toYaml . | indent 8 }} + {{- end }} containers: - name: {{ .Chart.Name }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" diff --git a/helm-values/nzbget_values.yaml b/helm-values/nzbget_values.yaml index e52e620..ad1ae3e 100644 --- a/helm-values/nzbget_values.yaml +++ b/helm-values/nzbget_values.yaml 
@@ -22,20 +22,49 @@ env: value: "http://gluetun.default.svc.cluster.local:8888" - name: NO_PROXY value: "localhost,127.0.0.1,.svc,.cluster.local" - # Newshosting usenet provider credentials, sourced from the out-of-band - # `usenet-creds` Secret (not in git, same pattern as gluetun-wireguard). - # Referenced in nzbget.conf as ${NEWSHOSTING_USER} / ${NEWSHOSTING_PASS} - # so the password never lives in plaintext in the config file. - - name: NEWSHOSTING_USER - valueFrom: - secretKeyRef: - name: usenet-creds - key: NEWSHOSTING_USER - - name: NEWSHOSTING_PASS - valueFrom: - secretKeyRef: - name: usenet-creds - key: NEWSHOSTING_PASS + +# nzbget cannot read server credentials from environment variables (its +# ${...} config syntax only references other nzbget options, not env). So an +# init container renders the Server1 (newshosting) block into nzbget.conf on +# every start: the non-secret settings live here in git, while the username +# and password come from the out-of-band `usenet-creds` Secret (same pattern +# as gluetun-wireguard — secret not committed). Rotating the secret + a pod +# restart re-renders the creds. No provider password is ever stored in git. 
+initContainers: + - name: render-newshosting + image: lscr.io/linuxserver/nzbget:latest + command: + - sh + - -c + - | + f=/config/nzbget.conf + [ -f "$f" ] || { echo "nzbget.conf absent; main container will seed defaults"; exit 0; } + sed -i \ + -e "s|^Server1.Active=.*|Server1.Active=yes|" \ + -e "s|^Server1.Name=.*|Server1.Name=newshosting|" \ + -e "s|^Server1.Host=.*|Server1.Host=news.newshosting.com|" \ + -e "s|^Server1.Port=.*|Server1.Port=563|" \ + -e "s|^Server1.Encryption=.*|Server1.Encryption=yes|" \ + -e "s|^Server1.Connections=.*|Server1.Connections=30|" \ + -e "s|^Server1.Username=.*|Server1.Username=${NEWSHOSTING_USER}|" \ + -e "s|^Server1.Password=.*|Server1.Password=${NEWSHOSTING_PASS}|" \ + "$f" + echo "rendered newshosting Server1 block into nzbget.conf" + env: + - name: NEWSHOSTING_USER + valueFrom: + secretKeyRef: + name: usenet-creds + key: NEWSHOSTING_USER + - name: NEWSHOSTING_PASS + valueFrom: + secretKeyRef: + name: usenet-creds + key: NEWSHOSTING_PASS + volumeMounts: + - name: plex-data + mountPath: /config + subPath: configs/nzbget service: type: ClusterIP
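Review bot: The `Server1.Username=`/`Server1.Password=` sed expressions splice the secret values straight into the replacement text, so a password containing `|`, `&`, `\` or a newline either breaks the sed program (init container exits non-zero, pod never starts) or is written mangled (`&` expands to the matched text), and because the script has no `set -e` a sed error still falls through to the success echo and exit 0; the expanded password also lands in sed's argv, readable from `/proc` by anything sharing the PID namespace. Reading the credentials through awk's `ENVIRON` and writing back through the existing file (so owner/mode are preserved for the main container) avoids all of that, and a post-check that a `Server1.Password=` line was actually rewritten turns the silent no-op — if the seeded defaults lack a `Server1` block, sed matches nothing and auth fails with the same 400 — into a visible failure. Two caveats belong in the comment block: the credentials now sit in plaintext in `nzbget.conf` on the `plex-data` volume, so "not in git" is the only guarantee and the name suggests other workloads mount that PVC, and on a fresh volume the `[ -f "$f" ] || exit 0` branch means the first start runs without credentials until the next restart. Pin the init image (a digest, or the main container's `image.tag`) instead of `lscr.io/linuxserver/nzbget:latest` — a container that holds the provider secret and rewrites the config should not float on a mutable tag.

```yaml
initContainers:
  - name: render-newshosting
    # pin by digest or reuse the main container's tag: this container holds
    # the provider secret and rewrites the config, so it must not float
    image: lscr.io/linuxserver/nzbget:latest
    command:
      - sh
      - -c
      - |
        set -eu
        f=/config/nzbget.conf
        [ -f "$f" ] || { echo "nzbget.conf absent; main container will seed defaults"; exit 0; }
        # Secrets come in via ENVIRON, not the script text: no delimiter/&/\
        # interpretation, and the password never appears in argv.
        awk '
          BEGIN { u = ENVIRON["NEWSHOSTING_USER"]; p = ENVIRON["NEWSHOSTING_PASS"] }
          /^Server1\.Active=/      { print "Server1.Active=yes"; next }
          /^Server1\.Name=/        { print "Server1.Name=newshosting"; next }
          /^Server1\.Host=/        { print "Server1.Host=news.newshosting.com"; next }
          /^Server1\.Port=/        { print "Server1.Port=563"; next }
          /^Server1\.Encryption=/  { print "Server1.Encryption=yes"; next }
          /^Server1\.Connections=/ { print "Server1.Connections=30"; next }
          /^Server1\.Username=/    { print "Server1.Username=" u; next }
          /^Server1\.Password=/    { print "Server1.Password=" p; next }
          { print }
        ' "$f" > "$f.tmp"
        # write through the existing file to keep its owner/mode for the main container
        cat "$f.tmp" > "$f" && rm -f "$f.tmp"
        grep -q '^Server1.Password=.' "$f" || { echo "no Server1 block in nzbget.conf; creds not rendered"; exit 1; }
        echo "rendered newshosting Server1 block into nzbget.conf"
    # … unchanged: env (secretKeyRef for NEWSHOSTING_USER/PASS), volumeMounts …
```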