feat(chart): update dependencies (PostgreSQL to v18.6.2, Valkey to v5.4.11)

feat(aiapi): add new Helm chart for New API and CLIProxyAPI deployment
feat(deployment): add pod annotations support and update chart version to 0.0.10
2026-06-06 05:31:06 +00:00 · 2026-05-01 22:34:12 +08:00 · 2026-05-01 22:20:19 +08:00 · 2026-02-13 17:37:19 +08:00 · 2025-11-04 11:15:49 +08:00 · 2025-08-01 18:19:29 +08:00
@@ -1,5 +1,10 @@
-helm charts
+## helm charts

+```shell
 helm repo add devcm https://devcm-repo.github.io/helm-charts
+```

-pgedge
+### charts
+- aiapi
+- tailscale-derp
+- rustdesk-server
@@ -0,0 +1,21 @@
+apiVersion: v2
+name: aiapi
+description: New API and CLIProxyAPI Helm Chart
+home: https://devcm-repo.github.io/helm-charts/
+sources:
+  - https://github.com/devcm-repo/helm-charts
+maintainers:
+  - name: dev.cm
+    email: admin@dev.cm
+    url: https://github.com/devcm-repo
+version: 0.0.2
+appVersion: latest
+dependencies:
+  - name: postgresql
+    version: 18.6.2
+    repository: oci://registry-1.docker.io/bitnamicharts
+    condition: postgresql.enabled
+  - name: valkey
+    version: 5.4.11
+    repository: oci://registry-1.docker.io/bitnamicharts
+    condition: valkey.enabled
@@ -0,0 +1,70 @@
+# aiapi
+
+Deploys New API and CLIProxyAPI. PostgreSQL and Valkey are provided through upstream Bitnami Helm chart dependencies by default.
+
+```shell
+helm dependency update ./charts/aiapi
+helm install aiapi ./charts/aiapi
+```
+
+For production, override at least:
+
+- `newapi.sessionSecret`
+- `postgresql.auth.password`
+- `cliproxyapi.config`
+- `newapi.frontendBaseUrl`
+
+Use the bundled dependencies:
+
+```yaml
+postgresql:
+  enabled: true
+  auth:
+    username: newapi
+    password: change-me
+    database: newapi
+
+valkey:
+  enabled: true
+  architecture: standalone
+  auth:
+    enabled: false
+```
+
+Use external PostgreSQL and Valkey/Redis by disabling the dependencies and providing the New API environment variables as values:
+
+```yaml
+postgresql:
+  enabled: false
+valkey:
+  enabled: false
+
+newapi:
+  database:
+    dsn: postgres://newapi:password@postgres.example.com:5432/newapi?sslmode=require
+  cache:
+    redisConnString: redis://:password@valkey.example.com:6379/0
+```
+
+For production, prefer storing the complete connection strings in an existing Kubernetes Secret:
+
+```yaml
+postgresql:
+  enabled: false
+valkey:
+  enabled: false
+
+newapi:
+  database:
+    existingSecret:
+      name: aiapi-external-connections
+      key: SQL_DSN
+  cache:
+    existingSecret:
+      name: aiapi-external-connections
+      key: REDIS_CONN_STRING
+```
+
+`newapi.database.*` renders `SQL_DSN`; `newapi.cache.*` renders `REDIS_CONN_STRING`. The older `newapi.sqlDsn` and `newapi.redisConnString` values still work for compatibility.
+
+`cliproxyapi.ingress` is disabled by default. If exposing it under `/cpa`, add the rewrite annotations required by your Ingress controller and set `remote-management.allow-remote` in `cliproxyapi.config` intentionally.
@@ -0,0 +1,44 @@
+{{- define "aiapi.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "aiapi.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name (include "aiapi.name" .) | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "aiapi.labels" -}}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" }}
+app.kubernetes.io/name: {{ include "aiapi.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{- define "aiapi.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "aiapi.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{- define "aiapi.dependencyFullname" -}}
+{{- $root := index . "root" -}}
+{{- $values := default dict (index . "values") -}}
+{{- $name := default (index . "name") $values.nameOverride -}}
+{{- if $values.fullnameOverride -}}
+{{- $values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else if contains $name $root.Release.Name -}}
+{{- $root.Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" $root.Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "aiapi.postgresql.fullname" -}}
+{{- include "aiapi.dependencyFullname" (dict "root" . "values" .Values.postgresql "name" "postgresql") -}}
+{{- end -}}
+
+{{- define "aiapi.valkey.primaryFullname" -}}
+{{- printf "%s-primary" (include "aiapi.dependencyFullname" (dict "root" . "values" .Values.valkey "name" "valkey")) | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
@@ -0,0 +1,82 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: "{{ include "aiapi.fullname" . }}-cliproxyapi"
+  labels:
+    {{- include "aiapi.labels" . | nindent 4 }}
+    app.kubernetes.io/component: cliproxyapi
+spec:
+  replicas: {{ .Values.cliproxyapi.replicas }}
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      {{- include "aiapi.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: cliproxyapi
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "aiapi.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/component: cliproxyapi
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: cliproxyapi
+          image: "{{ .Values.cliproxyapi.image.repository }}:{{ .Values.cliproxyapi.image.tag }}"
+          imagePullPolicy: {{ .Values.cliproxyapi.image.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.cliproxyapi.port }}
+              protocol: TCP
+          env:
+            - name: TZ
+              value: {{ .Values.tz | quote }}
+          readinessProbe:
+            tcpSocket:
+              port: http
+          livenessProbe:
+            tcpSocket:
+              port: http
+          {{- with .Values.cliproxyapi.resources }}
+          resources:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          volumeMounts:
+            - name: config
+              mountPath: /CLIProxyAPI/config.yaml
+              subPath: config.yaml
+            - name: data
+              mountPath: /root/.cli-proxy-api
+              subPath: auths
+            - name: data
+              mountPath: /CLIProxyAPI/logs
+              subPath: logs
+      volumes:
+        - name: config
+          secret:
+            secretName: "{{ include "aiapi.fullname" . }}"
+            items:
+              - key: cliproxyapi-config.yaml
+                path: config.yaml
+        - name: data
+          {{- if .Values.cliproxyapi.persistence.enabled }}
+          persistentVolumeClaim:
+            claimName: "{{ include "aiapi.fullname" . }}-cliproxyapi"
+          {{- else }}
+          emptyDir: {}
+          {{- end }}
@@ -0,0 +1,32 @@
+{{- if .Values.cliproxyapi.ingress.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: "{{ include "aiapi.fullname" . }}-cliproxyapi"
+  labels:
+    {{- include "aiapi.labels" . | nindent 4 }}
+    app.kubernetes.io/component: cliproxyapi
+  {{- with .Values.cliproxyapi.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if .Values.cliproxyapi.ingress.className }}
+  ingressClassName: {{ .Values.cliproxyapi.ingress.className }}
+  {{- end }}
+  {{- with .Values.cliproxyapi.ingress.tls }}
+  tls:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  rules:
+    - host: {{ .Values.cliproxyapi.ingress.host }}
+      http:
+        paths:
+          - path: {{ .Values.cliproxyapi.ingress.path }}
+            pathType: {{ .Values.cliproxyapi.ingress.pathType }}
+            backend:
+              service:
+                name: "{{ include "aiapi.fullname" . }}-cliproxyapi"
+                port:
+                  number: {{ .Values.cliproxyapi.service.port }}
+{{- end }}
@@ -0,0 +1,140 @@
+{{- $sqlDsn := default .Values.newapi.sqlDsn .Values.newapi.database.dsn -}}
+{{- $sqlDsnSecretName := .Values.newapi.database.existingSecret.name -}}
+{{- $redisConnString := default .Values.newapi.redisConnString .Values.newapi.cache.redisConnString -}}
+{{- $redisConnStringSecretName := .Values.newapi.cache.existingSecret.name -}}
+{{- $postgresqlExistingSecret := dig "auth" "existingSecret" "" .Values.postgresql -}}
+{{- $postgresqlPasswordKey := dig "auth" "secretKeys" "userPasswordKey" "password" .Values.postgresql -}}
+{{- $valkeyExistingSecret := dig "auth" "existingSecret" "" .Values.valkey -}}
+{{- $valkeyPasswordKey := dig "auth" "existingSecretPasswordKey" "valkey-password" .Values.valkey -}}
+{{- if and (not .Values.postgresql.enabled) (empty $sqlDsn) (empty $sqlDsnSecretName) -}}
+{{- fail "newapi.database.dsn or newapi.database.existingSecret.name is required when postgresql.enabled is false" -}}
+{{- end -}}
+{{- if and (not .Values.valkey.enabled) (empty $redisConnString) (empty $redisConnStringSecretName) -}}
+{{- fail "newapi.cache.redisConnString or newapi.cache.existingSecret.name is required when valkey.enabled is false" -}}
+{{- end -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: "{{ include "aiapi.fullname" . }}-newapi"
+  labels:
+    {{- include "aiapi.labels" . | nindent 4 }}
+    app.kubernetes.io/component: newapi
+spec:
+  replicas: {{ .Values.newapi.replicas }}
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      {{- include "aiapi.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: newapi
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "aiapi.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/component: newapi
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: newapi
+          image: "{{ .Values.newapi.image.repository }}:{{ .Values.newapi.image.tag }}"
+          imagePullPolicy: {{ .Values.newapi.image.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.newapi.port }}
+              protocol: TCP
+          env:
+            - name: TZ
+              value: {{ .Values.tz | quote }}
+            - name: SESSION_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ include "aiapi.fullname" . }}"
+                  key: newapi-session-secret
+            - name: FRONTEND_BASE_URL
+              value: {{ .Values.newapi.frontendBaseUrl | quote }}
+            {{- if $sqlDsnSecretName }}
+            - name: SQL_DSN
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $sqlDsnSecretName | quote }}
+                  key: {{ default "SQL_DSN" .Values.newapi.database.existingSecret.key | quote }}
+            {{- else if $sqlDsn }}
+            - name: SQL_DSN
+              value: {{ $sqlDsn | quote }}
+            {{- else }}
+            - name: POSTGRES_USER
+              value: {{ .Values.postgresql.auth.username | quote }}
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ default (include "aiapi.postgresql.fullname" .) $postgresqlExistingSecret | quote }}
+                  key: {{ $postgresqlPasswordKey | quote }}
+            - name: SQL_DSN
+              value: "postgres://$(POSTGRES_USER):$(POSTGRES_PASSWORD)@{{ include "aiapi.postgresql.fullname" . }}:5432/{{ .Values.postgresql.auth.database }}?sslmode=disable"
+            {{- end }}
+            {{- if $redisConnStringSecretName }}
+            - name: REDIS_CONN_STRING
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $redisConnStringSecretName | quote }}
+                  key: {{ default "REDIS_CONN_STRING" .Values.newapi.cache.existingSecret.key | quote }}
+            {{- else if $redisConnString }}
+            - name: REDIS_CONN_STRING
+              value: {{ $redisConnString | quote }}
+            {{- else }}
+            {{- if .Values.valkey.auth.enabled }}
+            - name: VALKEY_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ default (include "aiapi.dependencyFullname" (dict "root" . "values" .Values.valkey "name" "valkey")) $valkeyExistingSecret | quote }}
+                  key: {{ $valkeyPasswordKey | quote }}
+            - name: REDIS_CONN_STRING
+              value: "redis://:$(VALKEY_PASSWORD)@{{ include "aiapi.valkey.primaryFullname" . }}:6379/0"
+            {{- else }}
+            - name: REDIS_CONN_STRING
+              value: "redis://{{ include "aiapi.valkey.primaryFullname" . }}:6379/0"
+            {{- end }}
+            {{- end }}
+            {{- with .Values.newapi.extraEnv }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+          readinessProbe:
+            tcpSocket:
+              port: http
+          livenessProbe:
+            tcpSocket:
+              port: http
+          {{- with .Values.newapi.resources }}
+          resources:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          volumeMounts:
+            - name: data
+              mountPath: /data
+              subPath: data
+            - name: data
+              mountPath: /app/logs
+              subPath: logs
+      volumes:
+        - name: data
+          {{- if .Values.newapi.persistence.enabled }}
+          persistentVolumeClaim:
+            claimName: "{{ include "aiapi.fullname" . }}-newapi"
+          {{- else }}
+          emptyDir: {}
+          {{- end }}
@@ -0,0 +1,32 @@
+{{- if .Values.newapi.ingress.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: "{{ include "aiapi.fullname" . }}-newapi"
+  labels:
+    {{- include "aiapi.labels" . | nindent 4 }}
+    app.kubernetes.io/component: newapi
+  {{- with .Values.newapi.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if .Values.newapi.ingress.className }}
+  ingressClassName: {{ .Values.newapi.ingress.className }}
+  {{- end }}
+  {{- with .Values.newapi.ingress.tls }}
+  tls:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  rules:
+    - host: {{ .Values.newapi.ingress.host }}
+      http:
+        paths:
+          - path: {{ .Values.newapi.ingress.path }}
+            pathType: {{ .Values.newapi.ingress.pathType }}
+            backend:
+              service:
+                name: "{{ include "aiapi.fullname" . }}-newapi"
+                port:
+                  number: {{ .Values.newapi.service.port }}
+{{- end }}
@@ -0,0 +1,45 @@
+{{- if .Values.newapi.persistence.enabled }}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: "{{ include "aiapi.fullname" . }}-newapi"
+  labels:
+    {{- include "aiapi.labels" . | nindent 4 }}
+    app.kubernetes.io/component: newapi
+  {{- with .Values.persistence.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  accessModes:
+    - {{ .Values.persistence.accessMode | quote }}
+  {{- if .Values.persistence.storageClass }}
+  storageClassName: {{ .Values.persistence.storageClass | quote }}
+  {{- end }}
+  resources:
+    requests:
+      storage: {{ .Values.newapi.persistence.size | quote }}
+{{- end }}
+---
+{{- if .Values.cliproxyapi.persistence.enabled }}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: "{{ include "aiapi.fullname" . }}-cliproxyapi"
+  labels:
+    {{- include "aiapi.labels" . | nindent 4 }}
+    app.kubernetes.io/component: cliproxyapi
+  {{- with .Values.persistence.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  accessModes:
+    - {{ .Values.persistence.accessMode | quote }}
+  {{- if .Values.persistence.storageClass }}
+  storageClassName: {{ .Values.persistence.storageClass | quote }}
+  {{- end }}
+  resources:
+    requests:
+      storage: {{ .Values.cliproxyapi.persistence.size | quote }}
+{{- end }}
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ include "aiapi.fullname" . }}"
+  labels:
+    {{- include "aiapi.labels" . | nindent 4 }}
+type: Opaque
+stringData:
+  newapi-session-secret: {{ .Values.newapi.sessionSecret | quote }}
+  cliproxyapi-config.yaml: |-
+    {{- .Values.cliproxyapi.config | nindent 4 }}
@@ -0,0 +1,43 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: "{{ include "aiapi.fullname" . }}-newapi"
+  labels:
+    {{- include "aiapi.labels" . | nindent 4 }}
+    app.kubernetes.io/component: newapi
+  {{- with .Values.newapi.service.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  type: {{ .Values.newapi.service.type }}
+  selector:
+    {{- include "aiapi.selectorLabels" . | nindent 4 }}
+    app.kubernetes.io/component: newapi
+  ports:
+    - name: http
+      port: {{ .Values.newapi.service.port }}
+      targetPort: http
+      protocol: TCP
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: "{{ include "aiapi.fullname" . }}-cliproxyapi"
+  labels:
+    {{- include "aiapi.labels" . | nindent 4 }}
+    app.kubernetes.io/component: cliproxyapi
+  {{- with .Values.cliproxyapi.service.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  type: {{ .Values.cliproxyapi.service.type }}
+  selector:
+    {{- include "aiapi.selectorLabels" . | nindent 4 }}
+    app.kubernetes.io/component: cliproxyapi
+  ports:
+    - name: http
+      port: {{ .Values.cliproxyapi.service.port }}
+      targetPort: http
+      protocol: TCP
@@ -0,0 +1,154 @@
+tz: Asia/Shanghai
+
+global:
+  defaultStorageClass: ""
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+nodeSelector: {}
+affinity: {}
+podAnnotations: {}
+
+persistence:
+  storageClass: ""
+  accessMode: ReadWriteOnce
+  annotations: {}
+
+newapi:
+  replicas: 1
+  image:
+    repository: calciumion/new-api
+    tag: latest
+    pullPolicy: IfNotPresent
+  port: 3000
+  frontendBaseUrl: https://aiapi.dev.cm
+  sessionSecret: change-me
+  # Deprecated: use newapi.database.dsn or newapi.database.existingSecret.
+  sqlDsn: ""
+  # Deprecated: use newapi.cache.redisConnString or newapi.cache.existingSecret.
+  redisConnString: ""
+  database:
+    dsn: ""
+    existingSecret:
+      name: ""
+      key: SQL_DSN
+  cache:
+    redisConnString: ""
+    existingSecret:
+      name: ""
+      key: REDIS_CONN_STRING
+  extraEnv:
+    - name: MEMORY_CACHE_ENABLED
+      value: "true"
+    - name: BATCH_UPDATE_ENABLED
+      value: "true"
+    - name: REDIS_POOL_SIZE
+      value: "50"
+    - name: RELAY_MAX_IDLE_CONNS
+      value: "1000"
+    - name: RELAY_MAX_IDLE_CONNS_PER_HOST
+      value: "200"
+  resources: {}
+  persistence:
+    enabled: true
+    size: 2Gi
+  service:
+    type: ClusterIP
+    port: 3000
+    annotations: {}
+  ingress:
+    enabled: true
+    className: ""
+    host: aiapi.dev.cm
+    path: /
+    pathType: Prefix
+    annotations: {}
+    tls: []
+
+cliproxyapi:
+  replicas: 1
+  image:
+    repository: eceasy/cli-proxy-api
+    tag: latest
+    pullPolicy: IfNotPresent
+  port: 8080
+  resources: {}
+  persistence:
+    enabled: true
+    size: 1Gi
+  service:
+    type: ClusterIP
+    port: 8080
+    annotations: {}
+  ingress:
+    enabled: false
+    className: ""
+    host: aiapi.dev.cm
+    path: /cpa
+    pathType: Prefix
+    annotations: {}
+    tls: []
+  config: |
+    host: "0.0.0.0"
+    port: 8080
+
+    api-keys:
+      - "change-me"
+
+    remote-management:
+      allow-remote: false
+      secret-key: "change-me"
+      disable-control-panel: false
+      disable-auto-update-panel: false
+      panel-github-repository: "https://github.com/router-for-me/Cli-Proxy-API-Management-Center"
+
+    auth-dir: "~/.cli-proxy-api"
+
+    commercial-mode: true
+    debug: false
+
+    logging-to-file: true
+    logs-max-total-size-mb: 100
+    usage-statistics-enabled: true
+    request-retry: 1
+    max-retry-interval: 5
+    nonstream-keepalive-interval: 300
+
+    streaming:
+      keepalive-seconds: 300
+      bootstrap-retries: 1
+
+    quota-exceeded:
+      switch-project: true
+      switch-preview-model: true
+      antigravity-credits: true
+
+    routing:
+      strategy: "round-robin"
+      session-affinity: false
+      session-affinity-ttl: "1h"
+
+postgresql:
+  enabled: true
+  auth:
+    username: newapi
+    password: change-me
+    database: newapi
+  primary:
+    resources: {}
+    persistence:
+      enabled: true
+      size: 10Gi
+
+valkey:
+  enabled: true
+  architecture: standalone
+  auth:
+    enabled: false
+  primary:
+    resources: {}
+    persistence:
+      enabled: true
+      size: 2Gi
@@ -0,0 +1,13 @@
+apiVersion: v2
+name: rustdesk-server
+description: RustDesk Server Helm Chart
+home: https://devcm-repo.github.io/helm-charts/
+sources:
+  - https://github.com/devcm-repo/helm-charts
+maintainers:
+  - name: dev.cm
+    email: admin@dev.cm
+    url: https://github.com/devcm-repo
+icon: https://rustdesk.com/favicon.ico
+version: 0.0.7
+appVersion: latest
@@ -0,0 +1,96 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: "{{ .Release.Name }}-{{ .Chart.Name }}"
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: "{{ .Release.Name }}-{{ .Chart.Name }}"
+  template:
+    metadata:
+      annotations:
+        {{- if .Values.rustdeskServer.podAnnotations }}
+        {{- toYaml .Values.rustdeskServer.podAnnotations | nindent 8 }}
+        {{- end }}
+      labels:
+        app: "{{ .Release.Name }}-{{ .Chart.Name }}"
+    spec:
+      {{- if .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml .Values.nodeSelector | nindent 8 }}
+      {{- end }}
+      {{- if .Values.affinity }}
+      affinity:
+        {{- toYaml .Values.affinity | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: "{{ .Release.Name }}-{{ .Chart.Name }}"
+          image: "{{ .Values.image.name }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - name: api
+              containerPort: 21114
+              protocol: TCP
+            - name: websocket-id
+              containerPort: 21118
+              protocol: TCP
+            - name: websocket-relay
+              containerPort: 21119
+              protocol: TCP
+            - name: signal
+              containerPort: 21115
+              hostPort: {{ .Values.rustdeskServer.ports.signal }}
+              protocol: TCP
+            - name: id
+              containerPort: 21116
+              hostPort: {{ .Values.rustdeskServer.ports.id }}
+              protocol: TCP
+            - name: id-udp
+              containerPort: 21116
+              hostPort: {{ .Values.rustdeskServer.ports.id }}
+              protocol: UDP
+            - name: relay
+              containerPort: 21117
+              hostPort: {{ .Values.rustdeskServer.ports.relay }}
+              protocol: TCP
+          env:
+            - name: ENCRYPTED_ONLY
+              value: "{{ if .Values.rustdeskServer.encryptedOnly }}1{{ else }}0{{ end }}"
+            - name: MUST_LOGIN
+              value: "{{ if .Values.rustdeskServer.mustLogin }}Y{{ else }}N{{ end }}"
+            - name: RELAY
+              value: "{{ .Values.rustdeskServer.server }}:{{ .Values.rustdeskServer.ports.relay }}"
+            - name: RUSTDESK_API_RUSTDESK_ID_SERVER
+              value: "{{ .Values.rustdeskApi.server }}"
+            - name: RUSTDESK_API_RUSTDESK_RELAY_SERVER
+              value: "{{ .Values.rustdeskApi.server }}"
+            - name: RUSTDESK_API_RUSTDESK_API_SERVER
+              value: "https://{{ .Values.rustdeskApi.server }}"
+            - name : RUSTDESK_API_RUSTDESK_WS_HOST
+              value: "wss://{{ .Values.rustdeskApi.server }}"
+            {{- if .Values.rustdeskServer.extraEnvs }}
+            {{- range .Values.rustdeskServer.extraEnvs }}
+            - name: {{ .name }}
+              value: "{{ .value }}"
+            {{- end }}
+            {{- end }}
+          volumeMounts:
+            - name: data
+              mountPath: /data
+              subPath: server
+            - name: data
+              mountPath: /app/data
+              subPath: api
+
+      volumes:
+        - name: data
+        {{- if .Values.persistence.enabled }}
+          persistentVolumeClaim:
+            claimName: "{{ .Release.Name }}-{{ .Chart.Name }}-data"
+        {{- else }}
+          emptyDir: {}
+        {{- end }}
+
@@ -0,0 +1,39 @@
+{{- if .Values.rustdeskApi.ingress.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: "{{ .Release.Name }}-{{ .Chart.Name }}"
+  annotations:
+    {{- if .Values.rustdeskApi.ingress.annotations }}
+    {{- toYaml .Values.rustdeskApi.ingress.annotations | nindent 4 }}
+    {{- end }}
+spec:
+  {{- if .Values.rustdeskApi.ingress.className }}
+  ingressClassName: {{ .Values.rustdeskApi.ingress.className }}
+  {{- end }}
+  rules:
+    - host: {{ .Values.rustdeskApi.ingress.host }}
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: "{{ .Release.Name }}-{{ .Chart.Name }}"
+                port:
+                  number: {{ .Values.rustdeskApi.ports.api }}
+          - path: /ws/id
+            pathType: Prefix
+            backend:
+              service:
+                name: "{{ .Release.Name }}-{{ .Chart.Name }}"
+                port:
+                  number: {{ .Values.rustdeskServer.ports.websocketId }}
+          - path: /ws/relay
+            pathType: Prefix
+            backend:
+              service:
+                name: "{{ .Release.Name }}-{{ .Chart.Name }}"
+                port:
+                  number: {{ .Values.rustdeskServer.ports.websocketRelay }}
+{{- end }}
@@ -0,0 +1,24 @@
+{{- if .Values.persistence.enabled }}
+{{- $pvcName := printf "%s-%s-data" .Release.Name .Chart.Name }}
+{{- if or (not .Values.persistence.checkExisting) (not (lookup "v1" "PersistentVolumeClaim" .Release.Namespace $pvcName)) }}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: {{ $pvcName }}
+  {{- if .Values.persistence.data.annotations }}
+  annotations:
+    {{- range $key, $value := .Values.persistence.data.annotations }}
+    {{ $key }}: {{ $value | quote }}
+    {{- end }}
+  {{- end }}
+spec:
+  accessModes:
+    - {{ .Values.persistence.data.accessMode }}
+  resources:
+    requests:
+      storage: {{ .Values.persistence.data.size }}
+  {{- if .Values.persistence.data.storageClass }}
+  storageClassName: {{ .Values.persistence.data.storageClass }}
+  {{- end }}
+{{- end }}
+{{- end }}
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: "{{ .Release.Name }}-{{ .Chart.Name }}"
+  {{- if not (empty .Values.rustdeskApi.service.annotations) }}
+  annotations: {{- toYaml .Values.rustdeskApi.service.annotations | nindent 4 }}
+  {{- end }}
+spec:
+  type: "{{ .Values.rustdeskApi.service.type }}"
+  selector:
+    app: "{{ .Release.Name }}-{{ .Chart.Name }}"
+  ports:
+    - name: api
+      port: {{ .Values.rustdeskApi.ports.api }}
+      targetPort: 21114
+      protocol: TCP
+    - name: websocket-id
+      port: {{ .Values.rustdeskServer.ports.websocketId }}
+      targetPort: 21118
+      protocol: TCP
+    - name: websocket-relay
+      port: {{ .Values.rustdeskServer.ports.websocketRelay }}
+      targetPort: 21119
+      protocol: TCP
@@ -0,0 +1,42 @@
+image:
+  name: lejianwen/rustdesk-server-s6
+  tag: latest
+  pullPolicy: IfNotPresent
+
+nodeSelector: {}
+
+affinity: {}
+
+persistence:
+  enabled: true
+  checkExisting: true
+  data:
+    storageClass: ""
+    size: 2Gi
+    accessMode: ReadWriteOnce
+    annotations:
+      helm.sh/resource-policy: keep
+
+rustdeskServer:
+  encryptedOnly: true
+  mustLogin: false
+  server: "rustdesk-server.example.com"
+  ports:
+    signal: 21115
+    id: 21116
+    relay: 21117
+    websocketId: 21118
+    websocketRelay: 21119
+
+rustdeskApi:
+  server: "rustdesk-api.example.com"
+  ports:
+    api: 21114
+  service:
+    type: ClusterIP
+    annotations: {}
+  ingress:
+    enabled: true
+    className: ""
+    host: "rustdesk-api.example.com"
+    annotations: {}
@@ -0,0 +1,13 @@
+apiVersion: v2
+name: tailscale-derp
+description: Tailscale DERP Relay Server Helm Chart
+home: https://devcm-repo.github.io/helm-charts/
+sources:
+  - https://github.com/devcm-repo/helm-charts
+maintainers:
+  - name: dev.cm
+    email: admin@dev.cm
+    url: https://github.com/devcm-repo
+icon: https://tailscale.com/files/apple-touch-icon.png
+version: 0.0.10
+appVersion: v1.90.6
@@ -0,0 +1,41 @@
+# tailscale-derp Helm Chart
+
+This Helm Chart is a Tailscale container deployment for a tailnet relay server (DERP).
+
+## Installing the Helm Chart
+
+```shell
+helm repo add tailscale https://devcm-repo.github.io/helm-charts
+helm install tailscale-derp tailscale/tailscale-derp
+```
+
+## Helm Chart Configuration Examples
+
+A working configuration:
+
+```yaml
+hostname: derp.dev.cm
+
+nodeSelector:
+  topology.kubernetes.io/region: cn-hk
+```
+
+## Helm Chart Values
+
+| Key | Description | Default |
+|---|---|---|
+| `image.name` | Name of the container image to use. | `docker.io/sspreitzer/tailscale-derp` |
+| `image.pullPolicy` | Kubernetes pullPolicy to use for starting the container image. | `IfNotPresent` |
+| `service.type` | Kubernetes Service type. | `LoadBalancer` |
+| `service.annotations` | A map/dict of Kubernetes Service annotations. | `{}` |
+| `hostNetwork` | This service will be disabled when hostNetwork is enableds. | `false` |
+| `nodeSelector` | A map/dict of Kubernetes Pod nodeSelector node labels. | `{}` |
+| `extraVolumes` | Extra volumes to add to the deployment. | `[]` |
+| `extraVolumeMounts` | Extra volume mounts to add to the container. Normally used with `extraVolumes`. | `[]` |
+| `affinity` | A map/dict of Kubernetes Pod affinity rules. | `{}` |
+| `derp.hostname` | Derp server hostname. | `'derp.examples.com'` |
+| `derp.verify_clients` | Derp server will enable authentication. | `true` |
+| `derp.certdir` | Start a derper with your own certificate. | `` |
+| `derp.http_port` | The port on which to serve HTTP. Set to -1 to disable. | `80` |
+| `derp.https_port` | The port on which to serve HTTPS. | `443` |
+| `derp.stun_port` | The UDP port on which to serve STUN. | `3478` |
@@ -0,0 +1,80 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: "{{ .Release.Name }}-{{ .Chart.Name }}"
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: "{{ .Release.Name }}-{{ .Chart.Name }}"
+  template:
+    metadata:
+      annotations:
+        {{- if .Values.podAnnotations }}
+        {{- toYaml .Values.podAnnotations | nindent 8 }}
+        {{- end }}
+      labels:
+        app: "{{ .Release.Name }}-{{ .Chart.Name }}"
+    spec:
+      {{- if .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml .Values.nodeSelector | nindent 8 }}
+      {{- end }}
+      {{- if .Values.affinity }}
+      affinity:
+        {{- toYaml .Values.affinity | nindent 8 }}
+      {{- end }}
+      {{- if .Values.hostNetwork }}
+      hostNetwork: true
+      {{- end }}
+      containers:
+        - name: "{{ .Release.Name }}-{{ .Chart.Name }}"
+          image: "{{ .Values.image.name }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          ports:
+            {{- if gt (int .Values.derp.http_port) -1 }}
+            - name: http
+              hostPort: {{ .Values.derp.http_port }}
+              containerPort: {{ .Values.derp.http_port }}
+              protocol: TCP
+            {{- end }}
+            - name: https
+              hostPort: {{ .Values.derp.https_port }}
+              containerPort: {{ .Values.derp.https_port }}
+              protocol: TCP
+            - name: stun
+              hostPort: {{ .Values.derp.stun_port }}
+              containerPort: {{ .Values.derp.stun_port }}
+              protocol: UDP
+          args:
+            - "--hostname={{ .Values.derp.hostname }}"
+            - "--verify-clients={{ .Values.derp.verify_clients }}"
+            {{- if .Values.derp.certdir }}
+            - "--certmode=manual"
+            - "--certdir={{ .Values.derp.certdir }}"
+            {{- end }}
+            {{- if .Values.derp.http_port }}
+            - "--http-port={{ .Values.derp.http_port }}"
+            {{- end }}
+            {{- if .Values.derp.https_port }}
+            - "--a=:{{ .Values.derp.https_port }}"
+            {{- end }}
+            {{- if .Values.derp.stun_port }}
+            - "--stun-port={{ .Values.derp.stun_port }}"
+            {{- end }}
+          volumeMounts:
+            {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
+            {{- if .Values.derp.verify_clients }}
+            - mountPath: /var/run/tailscale/tailscaled.sock
+              name: tailscale-socket
+            {{- end }}
+      volumes:
+        {{- toYaml .Values.extraVolumes | nindent 8 }}
+        {{- if .Values.derp.verify_clients }}
+        - hostPath:
+            path: /run/tailscale/tailscaled.sock
+            type: Socket
+          name: tailscale-socket
+        {{- end }}
+
@@ -0,0 +1,26 @@
+{{- if not .Values.hostNetwork }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: "{{ .Release.Name }}-{{ .Chart.Name }}"
+  {{- if not (empty .Values.service.annotations) }}
+  annotations: {{- toYaml .Values.service.annotations | nindent 4 }} 
+  {{- end }}
+spec:
+  type: "{{ .Values.service.type }}"
+  selector:
+    app: "{{ .Release.Name }}-{{ .Chart.Name }}"
+  ports:
+    {{- if gt (int .Values.derp.http_port) -1 }}
+    - name: http
+      port: {{ .Values.derp.http_port }}
+      targetPort: {{ .Values.derp.http_port }}
+    {{- end }}
+    - name: https
+      port: {{ .Values.derp.https_port }}
+      targetPort: {{ .Values.derp.https_port }}
+    - name: stun
+      port: {{ .Values.derp.stun_port }}
+      targetPort: {{ .Values.derp.stun_port }}
+      protocol: UDP
+{{- end }}
@@ -0,0 +1,20 @@
+image:
+  name: docker.io/devcm/tailscale-derp
+  pullPolicy: IfNotPresent
+
+service:
+  type: ClusterIP
+  annotations: {}
+
+hostNetwork: false
+
+nodeSelector: {}
+
+affinity: {}
+
+derp:
+  hostname: derp.examples.com
+  verify_clients: false
+  http_port: 80
+  https_port: 443
+  stun_port: 3478
@@ -0,0 +1,2 @@
+apiVersion: v1
+entries: