homarr-labs · steled · Dec 23, 2025 · Dec 23, 2025 · Dec 23, 2025 · Dec 23, 2025
@@ -43,7 +43,7 @@ jobs:
 
           cp charts/homarr/README.md "$DEST/helm.md"
           sed -i '1s/# Homarr/# Helm/' "$DEST/helm.md"
-          
+
           cd target-repo
           git config user.name "github-actions[bot]"
           git config user.email "github-actions[bot]@users.noreply.github.com"

@@ -3,7 +3,7 @@ name: homarr
 description: A Helm chart to deploy homarr for Kubernetes
 home: https://homarr-labs.github.io/charts/charts/homarr/
 type: application
-version: 8.10.0
+version: 8.11.0
 # renovate datasource=docker depName=ghcr.io/homarr-labs/homarr
 appVersion: "v1.51.0"
 icon: https://raw.githubusercontent.com/homarr-labs/charts/refs/heads/main/charts/homarr/icon.svg
@@ -21,8 +21,8 @@ annotations:
     fingerprint: 36F9A886ABA6AA4C1588B942E7EC1AA0EFD54840
     url: https://homarr-labs.github.io/charts/pgp_keys.asc
   artifacthub.io/changes: |-
-    - kind: changed
-      description: Update ghcr.io/homarr-labs/homarr docker tag to v1.51.0
+    - kind: added
+      description: support for nginx readOnlyRootFilesystem
   artifacthub.io/links: |-
     - name: App Source
       url: https://github.com/homarr-labs/homarr

@@ -2,7 +2,7 @@
 
 <img src="https://raw.githubusercontent.com/homarr-labs/charts/refs/heads/main/charts/homarr/icon.svg" align="right" width="92" alt="homarr logo">
 
-![Version: 8.10.0](https://img.shields.io/badge/Version-8.10.0-informational?style=flat)
+![Version: 8.11.0](https://img.shields.io/badge/Version-8.11.0-informational?style=flat)
 ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat)
 ![AppVersion: v1.51.0](https://img.shields.io/badge/AppVersion-v1.51.0-informational?style=flat)
 
@@ -418,11 +418,11 @@ All available values are listed on the [artifacthub](https://artifacthub.io/pack
 | envSecrets.dbEncryption.key | string | `"db-encryption-key"` | Secret key for SECRET_ENCRYPTION_KEY can be generated with `openssl rand -hex 32` |
 | fullnameOverride | string | `""` | Overrides chart's fullname |
 | hostAliases | list | `[]` | Add static entries to /etc/hosts in the Pod. This is useful in the following cases: - You are running in a dual-stack cluster (IPv4 + IPv6) and want to force usage of IPv4 for specific hostnames - Your application is having DNS resolution issues or IPv6 preference issues - You need to override or simulate DNS entries without changing global DNS - You are running in an air-gapped or isolated environment without external DNS Example: hostAliases:   - ip: "192.168.1.10"     hostnames:       - "example.com"       - "example.internal" |
-| httproute | object | `{"enabled":false,"hostnames":["chart-example.local"],"parentRefs":[{"name":"my-gateway","namespace":"default"}],"rules":[{"backendRefs":[{"name":"homarr","port":8080}],"filters":[],"matches":[{"path":{"type":"PathPrefix","value":"/"}}]}]}` | Gateway API HTTPRoute configuration |
+| httproute | object | `{"enabled":false,"hostnames":["chart-example.local"],"parentRefs":[{"name":"my-gateway","namespace":"default"}],"rules":[{"backendRefs":[{"name":"homarr","port":7575}],"filters":[],"matches":[{"path":{"type":"PathPrefix","value":"/"}}]}]}` | Gateway API HTTPRoute configuration |
 | httproute.enabled | bool | `false` | Enable HTTPRoute |
 | httproute.hostnames | list | `["chart-example.local"]` | Hostnames this route matches (similar to ingress.hosts.host) |
 | httproute.parentRefs | list | `[{"name":"my-gateway","namespace":"default"}]` | References to the parent Gateway(s) this route attaches to. Each item must include at least a `name`, and optionally a `namespace`. |
-| httproute.rules | list | `[{"backendRefs":[{"name":"homarr","port":8080}],"filters":[],"matches":[{"path":{"type":"PathPrefix","value":"/"}}]}]` | List of routing rules. Each rule can include: - matches: path/header/query matching - filters: optional transformations (redirects, header modifications, etc.) - backendRefs: one or more Kubernetes Services to forward traffic to |
+| httproute.rules | list | `[{"backendRefs":[{"name":"homarr","port":7575}],"filters":[],"matches":[{"path":{"type":"PathPrefix","value":"/"}}]}]` | List of routing rules. Each rule can include: - matches: path/header/query matching - filters: optional transformations (redirects, header modifications, etc.) - backendRefs: one or more Kubernetes Services to forward traffic to |
 | httproute.rules[0].filters | list | `[]` | Optional filters for this rule (default: empty) |
 | httproute.rules[0].matches[0].path.type | string | `"PathPrefix"` | Path match type. One of: Exact, PathPrefix, RegularExpression |
 | httproute.rules[0].matches[0].path.value | string | `"/"` | Path value to match |

@@ -10,3 +10,43 @@ data:
   {{- toYaml . | nindent 2 }}
 {{- end }}
 {{- end }}
+
+{{- if and .Values.securityContext .Values.securityContext.readOnlyRootFilesystem }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "homarr.fullname" . }}-nginx
+  labels:
+    {{- include "homarr.labels" . | nindent 4 }}
+data:
+  nginx.conf: |
+    events {
+        worker_connections 1024;
+    }
+
+    http {
+        server {
+            listen 7575;
+            listen [::]:7575;
+
+            # Route websockets traffic to port 3001
+            location /websockets {
+                proxy_pass http://${HOSTNAME}:3001;
+                proxy_http_version 1.1;
+                proxy_set_header Upgrade $http_upgrade;
+                proxy_set_header Connection "Upgrade";
+                proxy_set_header Host $http_host;
+            }
+
+            # Route all other traffic to port 3000
+            location / {
+                proxy_pass http://${HOSTNAME}:3000;
+                proxy_set_header Host $http_host;
+                proxy_set_header X-Real-IP $remote_addr;
+                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+                proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+                client_max_body_size 32M;
+            }
+        }
+    }
+{{- end }}
@@ -160,6 +160,26 @@ spec:
             - name: {{ .Values.persistence.homarrDatabase.name }}
               mountPath: {{ .Values.persistence.homarrDatabase.mountPath }}
           {{- end }}
+          {{- if and .Values.securityContext .Values.securityContext.readOnlyRootFilesystem }}
+            - name: nginx-cache
+              mountPath: /var/cache/nginx
+            - name: nginx-etc
+              mountPath: /etc/nginx
+            - name: nginx-lib
+              mountPath: /var/lib/nginx
+            - name: nginx-lib-logs
+              mountPath: /var/lib/nginx/logs
+            - name: nginx-lib-tmp
+              mountPath: /var/lib/nginx/tmp
+            - name: nginx-log
+              mountPath: /var/log/nginx
+            - name: nginx-run
+              mountPath: /run/nginx
+            - name: nginx-template
+              mountPath: /etc/nginx/templates
+              readOnly: true
+          {{- end }}
+
 
       volumes:
       {{- if .Values.persistence.homarrTrustedCerts.enabled }}
@@ -180,6 +200,25 @@ spec:
           persistentVolumeClaim:
             claimName: {{ .Values.persistence.homarrDatabase.name }}
       {{- end }}
+      {{- if and .Values.securityContext .Values.securityContext.readOnlyRootFilesystem }}
+        - name: nginx-cache
+          emptyDir: {}
+        - name: nginx-etc
+          emptyDir: {}
+        - name: nginx-lib
+          emptyDir: {}
+        - name: nginx-lib-logs
+          emptyDir: {}
+        - name: nginx-lib-tmp
+          emptyDir: {}
+        - name: nginx-log
+          emptyDir: {}
+        - name: nginx-run
+          emptyDir: {}
+        - name: nginx-template
+          configMap:
+            name: {{ include "homarr.fullname" . }}-nginx
+      {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

@@ -173,7 +173,7 @@ livenessProbe:
     path: /api/health/live
     # -- The port on which the liveness check will be performed. This must be the same as the container port exposed by the application.
     port: 7575
-    # -- Initial delay before readiness probe is executed. increase this value if the pod is slow to fully start. 
+    # -- Initial delay before readiness probe is executed. increase this value if the pod is slow to fully start.
 
 readinessProbe:
   # -- Failure threshold for readiness probe - number of consecutive failures before pod is considered unready
@@ -232,7 +232,7 @@ httproute:
       filters: []
       backendRefs:
         - name: homarr
-          port: 8080
+          port: 7575
 
 # Ingress configuration
 ingress: