From cae8f3cbf61980becc6167a5f1faa5c35f8bbbd2 Mon Sep 17 00:00:00 2001
From: Zimeng Xiong <zxzimeng@gmail.com>
Date: Wed, 14 Jan 2026 08:57:04 -0800
Subject: [PATCH] add K8S note in README, fix broken e2e

---
 README.md                  | 20 ++++++++++++++++++++
 e2e/playwright.config.ts   |  2 +-
 frontend/package-lock.json |  4 ++--
 package-lock.json          |  6 ++++++
 4 files changed, 29 insertions(+), 3 deletions(-)
 create mode 100644 package-lock.json

diff --git a/README.md b/README.md
index 0c849c8..f30268c 100644
--- a/README.md
+++ b/README.md
@@ -22,6 +22,8 @@ A self-hosted dashboard and organizer for [Excalidraw](https://github.com/excali
 - [Installation](#installation)
   - [Docker Hub (Recommended)](#dockerhub-recommended)
   - [Docker Build](#docker-build)
+  - [Reverse Proxy / Traefik Setups](#reverse-proxy--traefik-setups-docker)
+  - [Multi-Container / Kubernetes Deployments](#multi-container--kubernetes-deployments)
 - [Development](#development)
   - [Clone the Repository](#clone-the-repository)
   - [Frontend](#frontend)
@@ -134,6 +136,24 @@ frontend:
     - BACKEND_URL=excalidash-backend.default.svc.cluster.local:8000
 ```
 
+### Multi-Container / Kubernetes Deployments
+
+When running multiple backend replicas (e.g., Kubernetes, Docker Swarm, or load-balanced containers), you **must** set the `CSRF_SECRET` environment variable to the same value across all instances.
+
+```bash
+# Generate a secure secret
+openssl rand -base64 32
+```
+
+```yaml
+# docker-compose.yml or k8s deployment
+backend:
+  environment:
+    - CSRF_SECRET=your-generated-secret-here
+```
+
+Without this, each container generates its own ephemeral CSRF secret, causing token validation failures when requests are routed to different replicas. Single-container deployments work without this setting.
+
 # Development
 
 ## Clone the Repository
diff --git a/e2e/playwright.config.ts b/e2e/playwright.config.ts
index 2f8c17b..f3d13ce 100644
--- a/e2e/playwright.config.ts
+++ b/e2e/playwright.config.ts
@@ -83,7 +83,7 @@ export default defineConfig({
   ],
 
   // Run local dev servers before tests (skip if NO_SERVER or CI)
-  webServer: (process.env.CI || process.env.NO_SERVER) ? undefined : [
+  webServer: (process.env.CI || process.env.NO_SERVER === "true") ? undefined : [
     {
       command: "cd ../backend && npm run dev",
       url: `${BACKEND_URL}/health`,
diff --git a/frontend/package-lock.json b/frontend/package-lock.json
index 4a5d4a3..f538df8 100644
--- a/frontend/package-lock.json
+++ b/frontend/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "frontend",
-  "version": "0.1.7",
+  "version": "0.1.8",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "frontend",
-      "version": "0.1.7",
+      "version": "0.1.8",
       "dependencies": {
         "@dnd-kit/core": "^6.3.1",
         "@dnd-kit/utilities": "^3.2.2",
diff --git a/package-lock.json b/package-lock.json
new file mode 100644
index 0000000..fdc7c44
--- /dev/null
+++ b/package-lock.json
@@ -0,0 +1,6 @@
+{
+  "name": "ExcaliDash",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {}
+}