FigJam Diagram: Jellyseerr — Media Request Management (expires 2026-04-13)
Jellyseerr is the media request front-end for the cluster. Users browse movies and TV shows, submit requests, and Jellyseerr routes them automatically to Radarr (movies) or Sonarr (TV). It is the primary user-facing interface for requesting new media.
| Property | Value |
|---|---|
| Public URL | https://jellyseerr.k3s.strommen.systems |
| Namespace | media |
| Image | ghcr.io/seerr-team/seerr:v3.1.0 |
| Auth | Authentik forwardAuth (via public-ingress namespace) + Jellyseerr native accounts |
| Port | 5055 |
Jellyseerr uses a split ingress pattern:
| Route | Namespace | Auth |
|---|---|---|
| jellyseerr.k3s.strommen.systems | public-ingress (IngressRoute) | Authentik authentik-forward-auth middleware |
The IngressRoute lives in public-ingress/public-ingress.yaml — not in the media namespace — because all public routes are centralized there.
TLS is provided by the wildcard certificate public-wildcard-tls (*.k3s.strommen.systems).
| Volume | Type | Mount | Purpose |
|---|---|---|---|
| jellyseerr-config | 2Gi Longhorn PVC (RWO) | /app/config | Jellyseerr configuration, users, request history |
Runs as UID/GID 1000/1000 (runAsNonRoot: true). An initContainer (alpine:3.21) runs chown -R 1000:1000 /config to fix PVC permissions on first start.
| | Requests | Limits |
|---|---|---|
| CPU | 100m | 1 core |
| Memory | 256Mi | 1Gi |
Both liveness and readiness probes hit /api/v1/status on port 5055:
Jellyseerr is configured internally to forward approved requests:
- http://radarr.media.svc.cluster.local:7878
- http://sonarr.media.svc.cluster.local:8989

API keys for Radarr and Sonarr are stored in Jellyseerr's config (on the PVC) — set via the Jellyseerr web UI, not Kubernetes secrets.
Jellyseerr has no Kubernetes Secrets — all configuration (Radarr/Sonarr API keys, Jellyfin connection, user accounts, request history) is stored in the app's config files inside the PVC at /app/config.
The Jellyseerr API key (generated in-app) is consumed externally by:
- media-controller-secrets K8s secret (key: jellyseerr-api-key) for automated media discovery and request approval

To retrieve or rotate: Settings → General → API Key in the Jellyseerr web UI.
All Jellyseerr state lives in the 2Gi Longhorn PVC (jellyseerr-config).
Known Gap: No automated backup CronJob exists for this PVC. Loss of the PVC requires full re-configuration (re-linking Radarr/Sonarr/Jellyfin, re-importing users).
Mitigation: Longhorn daily snapshot at 4:00 AM UTC (7 retained) covers accidental deletion but not full cluster loss. Consider adding a kubectl cp-based CronJob or Longhorn recurring S3 backup targeting this PVC specifically.
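One way to close this gap with the Longhorn option, as an added example that is not taken from the cluster repository. It assumes a Longhorn backup target (S3 bucket plus credentials) is already configured and that the installed Longhorn version supports PVC-level recurring-job labels; the job name, schedule and retention are hypothetical.

```yaml
# Added example (not from kubernetes/apps/media). Assumptions are marked inline.
apiVersion: longhorn.io/v1beta2
kind: RecurringJob
metadata:
  name: jellyseerr-config-backup      # hypothetical name
  namespace: longhorn-system          # assumed Longhorn install namespace
spec:
  task: backup                        # writes to the backup target (off-cluster),
                                      # unlike the existing daily "snapshot" task
  cron: "30 4 * * *"                  # assumed: 30 min after the 4:00 AM UTC snapshot
  retain: 7                           # assumed: mirrors the snapshot retention
  concurrency: 1
  groups: []                          # no group, so only explicitly labelled volumes match
  labels:
    app: jellyseerr                   # stamped onto each backup for later filtering
---
# Labels to merge into the existing jellyseerr-config PVC in
# kubernetes/apps/media/jellyseerr.yaml (spec unchanged, omitted here).
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: jellyseerr-config
  namespace: media
  labels:
    # Tells Longhorn to read recurring-job labels from the PVC
    # rather than from the Longhorn Volume object.
    recurring-job.longhorn.io/source: enabled
    # Opts this volume into the job defined above.
    recurring-job.longhorn.io/jellyseerr-config-backup: enabled
```

Because the Radarr/Sonarr API keys and user accounts live on this PVC, every backup object contains them: the bucket should be private, encrypted at rest, and readable only by the Longhorn credentials.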
Jellyseerr does not expose a Prometheus /metrics endpoint. Monitoring is alert-only:
| Alert | Condition | Severity |
|---|---|---|
| JellyseerrDown | Pod unhealthy | warning |
Source: kubernetes/apps/media/alerts.yaml. No Grafana dashboard exists for Jellyseerr request metrics.
kubernetes/apps/media/
jellyseerr.yaml -- PVC, Deployment, Service
(orphaned jellyseerr-tls Certificate removed 2026-04-05)
kubernetes/apps/public-ingress/
public-ingress.yaml -- jellyseerr-public IngressRoute + Authentik middleware
TLS: public-wildcard-tls