docs/self-hosting/kubernetes.md

# Deploy with Kubernetes

Kubernetes may be overkill for a static site, but it can be a great fit if you already standardize on Helm + GitOps.

> [!IMPORTANT]
> **Required Headers for Office File Conversion**
>
> LibreOffice-based tools (Word, Excel, PowerPoint conversion) require these HTTP headers for `SharedArrayBuffer` support:
>
> - `Cross-Origin-Opener-Policy: same-origin`
> - `Cross-Origin-Embedder-Policy: require-corp`
>
> The official BentoPDF nginx images include these headers. In Kubernetes, **Ingress/Gateway controllers are also reverse proxies**, so ensure these headers are preserved (or add them at the edge).

## Prereqs

- Kubernetes cluster
- Helm v3
- A BentoPDF nginx image (e.g. `ghcr.io/alam00000/bentopdf:<tag>`) that serves on **port 8080**

## Deploy with Helm

### Install from this repo (local chart)

```bash
kubectl create namespace bentopdf

helm upgrade --install bentopdf /path/to/bentopdf/chart \
  --namespace bentopdf \
  --set image.repository=ghcr.io/alam00000/bentopdf \
  --set image.tag=latest
```

### Install from GHCR (OCI chart)

If the chart is published to GHCR as an OCI artifact:

```bash
export GHCR_USERNAME="<github-org-or-user>"

helm upgrade --install bentopdf oci://ghcr.io/$GHCR_USERNAME/charts/bentopdf \
  --namespace bentopdf \
  --create-namespace \
  --version 0.1.0 \
  --set image.repository=ghcr.io/alam00000/bentopdf \
  --set image.tag=latest
```

## Expose it

### Port-forward (quick test)

```bash
kubectl -n bentopdf port-forward deploy/bentopdf 8080:8080
```

### Ingress (optional)

Enable Ingress (example for nginx-ingress):

```yaml
ingress:
  enabled: true
  className: nginx
  hosts:
    - host: pdf.example.com
      paths:
        - path: /
          pathType: Prefix
```

### Gateway API (optional)

This chart supports Gateway API `Gateway` + `HTTPRoute`.

Example (Cloudflare Gateway API operator):

```yaml
gateway:
  enabled: true
  name: bento-tunnel
  namespace: bentopdf
  gatewayClassName: cloudflare

httpRoute:
  enabled: true
  parentRefs:
    - name: bento-tunnel
      namespace: bentopdf
      sectionName: http
  hostnames:
    - pdfs.example.com
```

## Ensuring the SharedArrayBuffer headers still work (Ingress/Gateway)

### What "should" happen

BentoPDF’s nginx config sets the required response headers. Most Ingress/Gateway controllers **pass upstream response headers through unchanged**.

### What can break it

- A controller/edge policy that **overrides** or **strips** response headers
- A "security headers" middleware that sets different COOP/COEP values

### How to verify

Run this against your public endpoint:

```bash
curl -I https://pdf.example.com/ | egrep -i 'cross-origin-opener-policy|cross-origin-embedder-policy'
```

You should see:

- `Cross-Origin-Opener-Policy: same-origin`
- `Cross-Origin-Embedder-Policy: require-corp`

### If your Ingress controller does not preserve them

Add the headers at the edge (controller-specific). Example for **nginx-ingress**:

```yaml
ingress:
  enabled: true
  className: nginx
  annotations:
    nginx.ingress.kubernetes.io/configuration-snippet: |
      add_header Cross-Origin-Opener-Policy "same-origin" always;
      add_header Cross-Origin-Embedder-Policy "require-corp" always;
```

### If you’re using Gateway API and want to force-add headers

Gateway API supports a `ResponseHeaderModifier` filter. You can attach it in `httpRoute.rules[*].filters`:

```yaml
httpRoute:
  enabled: true
  hostnames: [pdf.example.com]
  parentRefs:
    - name: bento-tunnel
      namespace: misc
      sectionName: http
  rules:
    - matches:
        - path: { type: PathPrefix, value: / }
      filters:
        - type: ResponseHeaderModifier
          responseHeaderModifier:
            set:
              - name: Cross-Origin-Opener-Policy
                value: same-origin
              - name: Cross-Origin-Embedder-Policy
                value: require-corp
```

Support for specific filters depends on your Gateway controller; if a filter is ignored, add headers at the edge/controller layer instead.

## Disabling Specific Tools

Use a ConfigMap to disable tools at runtime without rebuilding the image:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: bentopdf-config
  namespace: bentopdf
data:
  config.json: |
    {
      "disabledTools": ["edit-pdf", "sign-pdf", "encrypt-pdf"]
    }
```

Mount it into the served directory:

```yaml
spec:
  containers:
    - name: bentopdf
      volumeMounts:
        - name: config
          mountPath: /usr/share/nginx/html/config.json
          subPath: config.json
          readOnly: true
  volumes:
    - name: config
      configMap:
        name: bentopdf-config
```

Tool IDs are the page URL without `.html` — open any tool and look at the URL (e.g., `edit-pdf`, `merge-pdf`, `compress-pdf`). Disabled tools are hidden from the homepage, search, shortcuts, workflow builder, and direct URL access. See the [Docker guide](/self-hosting/docker#disabling-specific-tools) for the full list of options.
-												docs: add docs for kubernetes deployment

											
										
										
											2026-01-15 13:39:49 +00:00
+								# Deploy with Kubernetes
 								Kubernetes may be overkill for a static site, but it can be a great fit if you already standardize on Helm + GitOps.
 								> [!IMPORTANT]
 								> **Required Headers for Office File Conversion**
-												feat: add support for disabling specific tools in self-hosting

- Introduced build-time and runtime options to disable tools for compliance or security.
- Updated documentation to include instructions for disabling tools in Docker and Kubernetes setups.
- Added translations for disabled tool messages in multiple languages.
- Implemented logic to filter out disabled tools from the toolbox and shortcuts in the application.
- Created utility functions to manage disabled tools configuration.

											
										
										
											2026-03-28 23:45:17 +05:30
+								>
-												docs: add docs for kubernetes deployment

											
										
										
											2026-01-15 13:39:49 +00:00
+								> LibreOffice-based tools (Word, Excel, PowerPoint conversion) require these HTTP headers for `SharedArrayBuffer` support:
-												feat: add support for disabling specific tools in self-hosting

- Introduced build-time and runtime options to disable tools for compliance or security.
- Updated documentation to include instructions for disabling tools in Docker and Kubernetes setups.
- Added translations for disabled tool messages in multiple languages.
- Implemented logic to filter out disabled tools from the toolbox and shortcuts in the application.
- Created utility functions to manage disabled tools configuration.

											
										
										
											2026-03-28 23:45:17 +05:30
+								>
-												docs: add docs for kubernetes deployment

											
										
										
											2026-01-15 13:39:49 +00:00
+								> - `Cross-Origin-Opener-Policy: same-origin`
 								> - `Cross-Origin-Embedder-Policy: require-corp`
-												feat: add support for disabling specific tools in self-hosting

- Introduced build-time and runtime options to disable tools for compliance or security.
- Updated documentation to include instructions for disabling tools in Docker and Kubernetes setups.
- Added translations for disabled tool messages in multiple languages.
- Implemented logic to filter out disabled tools from the toolbox and shortcuts in the application.
- Created utility functions to manage disabled tools configuration.

											
										
										
											2026-03-28 23:45:17 +05:30
+								>
-												docs: add docs for kubernetes deployment

											
										
										
											2026-01-15 13:39:49 +00:00
+								> The official BentoPDF nginx images include these headers. In Kubernetes, **Ingress/Gateway controllers are also reverse proxies**, so ensure these headers are preserved (or add them at the edge).
 								## Prereqs
 								- Kubernetes cluster
 								- Helm v3
 								- A BentoPDF nginx image (e.g. `ghcr.io/alam00000/bentopdf:<tag>`) that serves on **port 8080**
 								## Deploy with Helm
 								### Install from this repo (local chart)
 								```bash
 								kubectl create namespace bentopdf
 								helm upgrade --install bentopdf /path/to/bentopdf/chart \
 								  --namespace bentopdf \
 								  --set image.repository=ghcr.io/alam00000/bentopdf \
 								  --set image.tag=latest
 								```
 								### Install from GHCR (OCI chart)
 								If the chart is published to GHCR as an OCI artifact:
 								```bash
 								export GHCR_USERNAME="<github-org-or-user>"
 								helm upgrade --install bentopdf oci://ghcr.io/$GHCR_USERNAME/charts/bentopdf \
 								  --namespace bentopdf \
 								  --create-namespace \
 								  --version 0.1.0 \
 								  --set image.repository=ghcr.io/alam00000/bentopdf \
 								  --set image.tag=latest
 								```
 								## Expose it
 								### Port-forward (quick test)
 								```bash
 								kubectl -n bentopdf port-forward deploy/bentopdf 8080:8080
 								```
 								### Ingress (optional)
 								Enable Ingress (example for nginx-ingress):
 								```yaml
 								ingress:
 								  enabled: true
 								  className: nginx
 								  hosts:
 								    - host: pdf.example.com
 								      paths:
 								        - path: /
 								          pathType: Prefix
 								```
 								### Gateway API (optional)
 								This chart supports Gateway API `Gateway` + `HTTPRoute`.
 								Example (Cloudflare Gateway API operator):
 								```yaml
 								gateway:
 								  enabled: true
 								  name: bento-tunnel
 								  namespace: bentopdf
 								  gatewayClassName: cloudflare
 								httpRoute:
 								  enabled: true
 								  parentRefs:
 								    - name: bento-tunnel
 								      namespace: bentopdf
 								      sectionName: http
 								  hostnames:
 								    - pdfs.example.com
 								```
 								## Ensuring the SharedArrayBuffer headers still work (Ingress/Gateway)
 								### What "should" happen
 								BentoPDF’s nginx config sets the required response headers. Most Ingress/Gateway controllers **pass upstream response headers through unchanged**.
 								### What can break it
 								- A controller/edge policy that **overrides** or **strips** response headers
 								- A "security headers" middleware that sets different COOP/COEP values
 								### How to verify
 								Run this against your public endpoint:
 								```bash
 								curl -I https://pdf.example.com/ | egrep -i 'cross-origin-opener-policy|cross-origin-embedder-policy'
 								```
 								You should see:
 								- `Cross-Origin-Opener-Policy: same-origin`
 								- `Cross-Origin-Embedder-Policy: require-corp`
 								### If your Ingress controller does not preserve them
 								Add the headers at the edge (controller-specific). Example for **nginx-ingress**:
 								```yaml
 								ingress:
 								  enabled: true
 								  className: nginx
 								  annotations:
 								    nginx.ingress.kubernetes.io/configuration-snippet: |
 								      add_header Cross-Origin-Opener-Policy "same-origin" always;
 								      add_header Cross-Origin-Embedder-Policy "require-corp" always;
 								```
 								### If you’re using Gateway API and want to force-add headers
 								Gateway API supports a `ResponseHeaderModifier` filter. You can attach it in `httpRoute.rules[*].filters`:
 								```yaml
 								httpRoute:
 								  enabled: true
 								  hostnames: [pdf.example.com]
 								  parentRefs:
 								    - name: bento-tunnel
 								      namespace: misc
 								      sectionName: http
 								  rules:
 								    - matches:
 								        - path: { type: PathPrefix, value: / }
 								      filters:
 								        - type: ResponseHeaderModifier
 								          responseHeaderModifier:
 								            set:
 								              - name: Cross-Origin-Opener-Policy
 								                value: same-origin
 								              - name: Cross-Origin-Embedder-Policy
 								                value: require-corp
 								```
 								Support for specific filters depends on your Gateway controller; if a filter is ignored, add headers at the edge/controller layer instead.
-												feat: add support for disabling specific tools in self-hosting

- Introduced build-time and runtime options to disable tools for compliance or security.
- Updated documentation to include instructions for disabling tools in Docker and Kubernetes setups.
- Added translations for disabled tool messages in multiple languages.
- Implemented logic to filter out disabled tools from the toolbox and shortcuts in the application.
- Created utility functions to manage disabled tools configuration.

											
										
										
											2026-03-28 23:45:17 +05:30
 								## Disabling Specific Tools
 								Use a ConfigMap to disable tools at runtime without rebuilding the image:
 								```yaml
 								apiVersion: v1
 								kind: ConfigMap
 								metadata:
 								  name: bentopdf-config
 								  namespace: bentopdf
 								data:
 								  config.json: |
 								    {
 								      "disabledTools": ["edit-pdf", "sign-pdf", "encrypt-pdf"]
 								    }
 								```
 								Mount it into the served directory:
 								```yaml
 								spec:
 								  containers:
 								    - name: bentopdf
 								      volumeMounts:
 								        - name: config
 								          mountPath: /usr/share/nginx/html/config.json
 								          subPath: config.json
 								          readOnly: true
 								  volumes:
 								    - name: config
 								      configMap:
 								        name: bentopdf-config
 								```
 								Tool IDs are the page URL without `.html` — open any tool and look at the URL (e.g., `edit-pdf`, `merge-pdf`, `compress-pdf`). Disabled tools are hidden from the homepage, search, shortcuts, workflow builder, and direct URL access. See the [Docker guide](/self-hosting/docker#disabling-specific-tools) for the full list of options.