From 5ef48e7cb89181bf73e8f538c61ecfdf0eee8442 Mon Sep 17 00:00:00 2001
From: Florian Schwab <231497+ydkn@users.noreply.github.com>
Date: Mon, 10 Feb 2025 10:44:36 +0100
Subject: [PATCH 1/8] quote smtp from, return and reply addresses (#162)
---
 templates/configmap-env.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/templates/configmap-env.yaml b/templates/configmap-env.yaml
index fe365a7..5327d04 100644
--- a/templates/configmap-env.yaml
+++ b/templates/configmap-env.yaml
@@ -137,10 +137,10 @@ data:
 SMTP_ENABLE_STARTTLS_AUTO: {{ . | quote }}
 {{- end }}
 {{- with .Values.mastodon.smtp.from_address }}
- SMTP_FROM_ADDRESS: {{ . }}
+ SMTP_FROM_ADDRESS: {{ . | quote }}
 {{- end }}
 {{- with .Values.mastodon.smtp.return_path }}
- SMTP_RETURN_PATH: {{ . }}
+ SMTP_RETURN_PATH: {{ . | quote }}
 {{- end }}
 {{- with .Values.mastodon.smtp.openssl_verify_mode }}
 SMTP_OPENSSL_VERIFY_MODE: {{ . }}
@@ -149,7 +149,7 @@ data:
 SMTP_PORT: {{ . | quote }}
 {{- end }}
 {{- with .Values.mastodon.smtp.reply_to }}
- SMTP_REPLY_TO: {{ . }}
+ SMTP_REPLY_TO: {{ . | quote }}
 {{- end }}
 {{- with .Values.mastodon.smtp.server }}
 SMTP_SERVER: {{ . }}
From 2d2d10c6b33ccce3db891abe0f2563a421b7224e Mon Sep 17 00:00:00 2001
From: Sem Schilder
Date: Mon, 24 Feb 2025 12:25:51 +0100
Subject: [PATCH 2/8] Make sure to quote replica db port value (#165)
---
 templates/configmap-env.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/templates/configmap-env.yaml b/templates/configmap-env.yaml
index 5327d04..64f6681 100644
--- a/templates/configmap-env.yaml
+++ b/templates/configmap-env.yaml
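Review bot: `SMTP_OPENSSL_VERIFY_MODE: {{ . }}` (first hunk) and `SMTP_SERVER: {{ . }}` (second hunk) stay unquoted while the neighbouring address keys now get `| quote`; ConfigMap `data` values must be strings, so any of these that YAML reads as a non-string fails at apply time in the same way the quoted lines used to. For consistency apply the same filter: `SMTP_OPENSSL_VERIFY_MODE: {{ . | quote }}` and `SMTP_SERVER: {{ . | quote }}`. The same applies to `REPLICA_DB_HOST` and `REPLICA_DB_NAME` in the context of the next patch's hunk, where only `REPLICA_DB_PORT` is quoted.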
@@ -19,7 +19,7 @@ data: REPLICA_DB_HOST: {{ .Values.postgresql.readReplica.hostname }} {{- end }} {{- if .Values.postgresql.readReplica.port }} - REPLICA_DB_PORT: {{ .Values.postgresql.readReplica.port }} + REPLICA_DB_PORT: {{ .Values.postgresql.readReplica.port | quote }} {{- end }} {{- if .Values.postgresql.readReplica.auth.database }} REPLICA_DB_NAME: {{ .Values.postgresql.readReplica.auth.database }} From 18272009b2b67953d98a724adc2dcd811ebbbe51 Mon Sep 17 00:00:00 2001 From: Sem Schilder Date: Mon, 3 Mar 2025 08:53:59 +0100 Subject: [PATCH 3/8] Update mastodon version (#166) --- Chart.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Chart.yaml b/Chart.yaml index 5008330..01f754e 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -15,12 +15,12 @@ type: application # This is the chart version. This version number should be incremented each time # you make changes to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 5.5.2 +version: 5.5.3 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. -appVersion: "v4.2.13" +appVersion: "v4.2.17" dependencies: - name: elasticsearch From cbd5259b698f799d1e24af1d1fd54eb89bd433d0 Mon Sep 17 00:00:00 2001 
From: Tim Campbell Date: Tue, 4 Mar 2025 16:21:46 +0100 Subject: [PATCH 4/8] Create new pre/post migrate jobs (#163) --- templates/_db-migrate.tpl | 107 ++++++++++++++++++++++++++++++ templates/_helpers.tpl | 27 ++++++++ templates/_secrets.tpl | 72 ++++++++++++++++++++ templates/configmap-env.yaml | 15 +---- templates/job-db-migrate.yaml | 94 +------------------------- templates/job-db-pre-migrate.yaml | 1 + templates/job-db-prepare.yaml | 4 ++ templates/secret-prepare.yml | 4 ++ templates/secrets.yaml | 57 +--------------- values.yaml | 7 +- 10 files changed, 226 insertions(+), 162 deletions(-) create mode 100644 templates/_db-migrate.tpl create mode 100644 templates/_secrets.tpl create mode 100644 templates/job-db-pre-migrate.yaml create mode 100644 templates/job-db-prepare.yaml create mode 100644 templates/secret-prepare.yml diff --git a/templates/_db-migrate.tpl b/templates/_db-migrate.tpl new file mode 100644 index 0000000..042faf3 --- /dev/null +++ b/templates/_db-migrate.tpl 
@@ -0,0 +1,107 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Spec template for DB migration pre- and post-install/upgrade jobs. +*/}} +{{- define "mastodon.dbMigrateJob" -}} +apiVersion: batch/v1 +kind: Job +metadata: + {{- if .prepare }} + name: {{ include "mastodon.fullname" . }}-db-prepare + {{- else if .preDeploy }} + name: {{ include "mastodon.fullname" . }}-db-pre-migrate + {{- else }} + name: {{ include "mastodon.fullname" . }}-db-post-migrate + {{- end }} + labels: + {{- include "mastodon.labels" . | nindent 4 }} + annotations: + {{- if .prepare }} + "helm.sh/hook": pre-install + {{- else if .preDeploy }} + "helm.sh/hook": pre-upgrade + {{- else }} + "helm.sh/hook": post-install,post-upgrade + {{- end }} + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + "helm.sh/hook-weight": "-2" +spec: + template: + metadata: + name: {{ include "mastodon.fullname" . }}-db-migrate + {{- with .Values.jobAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + restartPolicy: Never + containers: + - name: {{ include "mastodon.fullname" . }}-db-migrate + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - bundle + - exec + - rake + {{- if .prepare }} + - db:prepare + {{- else }} + - db:migrate + {{- end }} + envFrom: + - secretRef: + {{- if and .prepare (not .Values.mastodon.secrets.existingSecret) }} + name: {{ template "mastodon.secretName" . }}-prepare + {{- else }} + name: {{ template "mastodon.secretName" . }} + {{- end }} + env: + - name: "DB_HOST" + value: {{ template "mastodon.postgres.host" . }} + - name: "DB_PORT" + value: {{ template "mastodon.postgres.port" . }} + - name: "DB_NAME" + value: {{ .Values.postgresql.auth.database }} + - name: "DB_USER" + value: {{ .Values.postgresql.auth.username }} + - name: "DB_PASS" + valueFrom: + secretKeyRef: + name: {{ template "mastodon.postgresql.secretName" . 
}} + key: password + - name: "REDIS_HOST" + value: {{ template "mastodon.redis.host" . }} + - name: "REDIS_PORT" + value: {{ .Values.redis.port | default "6379" | quote }} + {{- if .Values.redis.sidekiq.enabled }} + {{- if .Values.redis.sidekiq.hostname }} + - name: SIDEKIQ_REDIS_HOST + value: {{ .Values.redis.sidekiq.hostname }} + {{- end }} + {{- if .Values.redis.sidekiq.port }} + - name: SIDEKIQ_REDIS_PORT + value: {{ .Values.redis.sidekiq.port | quote }} + {{- end }} + {{- end }} + {{- if .Values.redis.cache.enabled }} + {{- if .Values.redis.cache.hostname }} + - name: CACHE_REDIS_HOST + value: {{ .Values.redis.cache.hostname }} + {{- end }} + {{- if .Values.redis.cache.port }} + - name: CACHE_REDIS_PORT + value: {{ .Values.redis.cache.port | quote }} + {{- end }} + {{- end }} + - name: "REDIS_DRIVER" + value: "ruby" + - name: "REDIS_PASSWORD" + valueFrom: + secretKeyRef: + name: {{ template "mastodon.redis.secretName" . }} + key: redis-password + {{- if .preDeploy }} + - name: "SKIP_POST_DEPLOYMENT_MIGRATIONS" + value: "true" + {{- end }} +{{- end }} diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index ff7dcfc..91409e0 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
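Review bot: In the `.prepare` case `DB_PASS` still reads `secretKeyRef.name: {{ template "mastodon.postgresql.secretName" . }}` while `envFrom` has been pointed at the `-prepare` Secret; that helper is not in this diff, but if it resolves to the chart's regular Secret (which is created after the pre-install hook phase) the pre-install `db-prepare` pod references a Secret that does not exist yet, and the `password` key the `-prepare` Secret carries in `_secrets.tpl` suggests it was meant to be read from there — i.e. `name: {{ template "mastodon.secretName" . }}-prepare` under the same `if and .prepare (not ...existingSecret)` condition. Separately, `value: {{ .Values.postgresql.auth.database }}` and `value: {{ .Values.postgresql.auth.username }}` are unquoted although a container env `value` must be a string; an all-digit name renders as an integer, so use `| quote` as the `REDIS_PORT` line does. The job also no longer loads the `-env` ConfigMap, so settings it previously inherited (`RAILS_ENV`, `DB_POOL`, and the `SIDEKIQ_REDIS_PASSWORD`/`CACHE_REDIS_PASSWORD` entries dropped from job-db-migrate.yaml) are absent here; worth confirming the image defaults cover them or adding them explicitly.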
@@ -121,6 +121,33 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this {{- printf "%s-%s" .Release.Name "postgresql" | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{/* +Establish which values we will use for remote connections +*/}} +{{- define "mastodon.postgres.host" -}} +{{- if .Values.postgresql.enabled }} +{{- printf "%s" (include "mastodon.postgresql.fullname" .) -}} +{{- else }} +{{- printf "%s" .Values.postgresql.postgresqlHostname -}} +{{- end }} +{{- end }} + +{{- define "mastodon.postgres.port" -}} +{{- if .Values.postgresql.enabled }} +{{- printf "%d" 5432 | int | quote -}} +{{- else }} +{{- printf "%d" | default 5432 .Values.postgresql.postgresqlPort | int | quote -}} +{{- end }} +{{- end }} + +{{- define "mastodon.redis.host" -}} +{{- if .Values.redis.enabled }} +{{- printf "%s-%s" (include "mastodon.redis.fullname" .) "master" -}} +{{- else }} +{{- printf "%s" (required "When the redis chart is disabled .Values.redis.hostname is required" .Values.redis.hostname) -}} +{{- end }} +{{- end }} + {{/* Get the mastodon secret. */}} diff --git a/templates/_secrets.tpl b/templates/_secrets.tpl new file mode 100644 index 0000000..0bbaa20 --- /dev/null +++ b/templates/_secrets.tpl 
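Review bot: The `else` branch of `mastodon.postgres.port` is mis-piped: `{{- printf "%d" | default 5432 .Values.postgresql.postgresqlPort | int | quote -}}` calls `printf "%d"` with no argument (producing a `%!d(MISSING)` string) and only yields the right result because Sprig's `default` is variadic and ignores the extra trailing argument it receives from the pipe. Write it as `{{- .Values.postgresql.postgresqlPort | default 5432 | int | quote -}}`, mirroring the `enabled` branch, so the intent is visible and does not depend on that quirk. A one-line `{{/* ... */}}` above `mastodon.postgres.port` and `mastodon.redis.host` stating that both return the value already quoted for ConfigMap/env use would also save callers from double-quoting.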
@@ -0,0 +1,72 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Spec template for mastodon secrets object. +*/}} +{{- define "mastodon.secrets.object" -}} +apiVersion: v1 +kind: Secret +metadata: + {{- if .prepare }} + name: {{ template "mastodon.fullname" . }}-prepare + {{- else }} + name: {{ template "mastodon.fullname" . }} + {{- end }} + labels: + {{- include "mastodon.labels" . | nindent 4 }} + annotations: + {{- if .prepare }} + "helm.sh/hook": pre-install + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + "helm.sh/hook-weight": "-3" + {{- end }} +type: Opaque +data: + {{- if .Values.mastodon.s3.enabled }} + {{- if not .Values.mastodon.s3.existingSecret }} + AWS_ACCESS_KEY_ID: "{{ .Values.mastodon.s3.access_key | b64enc }}" + AWS_SECRET_ACCESS_KEY: "{{ .Values.mastodon.s3.access_secret | b64enc }}" + {{- end }} + {{- end }} + {{- if not .Values.mastodon.secrets.existingSecret }} + {{- if not (empty .Values.mastodon.secrets.secret_key_base) }} + SECRET_KEY_BASE: "{{ .Values.mastodon.secrets.secret_key_base | b64enc }}" + {{- else }} + SECRET_KEY_BASE: {{ required "secret_key_base is required" .Values.mastodon.secrets.secret_key_base }} + {{- end }} + {{- if not (empty .Values.mastodon.secrets.otp_secret) }} + OTP_SECRET: "{{ .Values.mastodon.secrets.otp_secret | b64enc }}" + {{- else }} + OTP_SECRET: {{ required "otp_secret is required" .Values.mastodon.secrets.otp_secret }} + {{- end }} + {{- if not (empty .Values.mastodon.secrets.vapid.private_key) }} + VAPID_PRIVATE_KEY: "{{ .Values.mastodon.secrets.vapid.private_key | b64enc }}" + {{- else }} + VAPID_PRIVATE_KEY: {{ required "vapid.private_key is required" .Values.mastodon.secrets.vapid.private_key }} + {{- end }} + {{- if not (empty .Values.mastodon.secrets.vapid.public_key) }} + VAPID_PUBLIC_KEY: "{{ .Values.mastodon.secrets.vapid.public_key | b64enc }}" + {{- else }} + VAPID_PUBLIC_KEY: {{ required "vapid.public_key is required" .Values.mastodon.secrets.vapid.public_key }} + {{- end }} 
+ {{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.primaryKey) }} + ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: "{{ .Values.mastodon.secrets.activeRecordEncryption.primaryKey | b64enc }}" + {{- else }} + ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: {{ required "activeRecordEncryption.primaryKey is required" .Values.mastodon.secrets.activeRecordEncryption.primaryKey }} + {{- end }} + {{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.deterministicKey) }} + ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: "{{ .Values.mastodon.secrets.activeRecordEncryption.deterministicKey | b64enc }}" + {{- else }} + ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: {{ required "activeRecordEncryption.deterministicKey is required" .Values.mastodon.secrets.activeRecordEncryption.deterministicKey }} + {{- end }} + {{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt) }} + ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: "{{ .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt | b64enc }}" + {{- else }} + ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: {{ required "activeRecordEncryption.keyDerivationSalt is required" .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt }} + {{- end }} + {{- end }} + {{- if not .Values.postgresql.enabled }} + {{- if not .Values.postgresql.auth.existingSecret }} + password: "{{ .Values.postgresql.auth.password | b64enc }}" + {{- end }} + {{- end }} +{{- end }} diff --git a/templates/configmap-env.yaml b/templates/configmap-env.yaml index 64f6681..ad0a0a9 100644 --- a/templates/configmap-env.yaml +++ b/templates/configmap-env.yaml 
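Review bot: With `.prepare` set this template emits a second Secret (`-prepare`) holding every application secret — S3 keys, `SECRET_KEY_BASE`, OTP, VAPID and the Active Record encryption keys — not only the DB `password` the prepare job appears to need; it is removed on `hook-succeeded`, but after a failed `db-prepare` the copy stays until the next hook run, doubling the places this key material lives. Which of these keys `rake db:prepare` needs at boot is not visible here; if only a subset is required, gate the rest on `{{- if not .prepare }}`, and either way record the decision above `{{- define "mastodon.secrets.object" -}}` with a comment such as `{{/* The -prepare variant exists only for the pre-install db-prepare job; keep it to what that job needs. */}}`. The `required` fallback lines (e.g. `SECRET_KEY_BASE: {{ required ... }}`) would place an unencoded value under `data:` if they rendered, but `required` aborts first, so they act purely as the error path — a short comment saying so would stop readers from treating them as a real branch.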
@@ -5,13 +5,8 @@ metadata:
 labels:
 {{- include "mastodon.labels" . | nindent 4 }}
 data:
- {{- if .Values.postgresql.enabled }}
- DB_HOST: {{ template "mastodon.postgresql.fullname" . }}
- DB_PORT: "5432"
- {{- else }}
- DB_HOST: {{ .Values.postgresql.postgresqlHostname }}
- DB_PORT: {{ .Values.postgresql.postgresqlPort | default "5432" | quote }}
- {{- end }}
+ DB_HOST: {{ template "mastodon.postgres.host" . }}
+ DB_PORT: {{ template "mastodon.postgres.port" . }}
 DB_NAME: {{ .Values.postgresql.auth.database }}
 DB_POOL: {{ include "mastodon.maxDbPool" . }}
 DB_USER: {{ .Values.postgresql.auth.username }}
@@ -66,11 +61,7 @@ data:
 MALLOC_ARENA_MAX: "2"
 NODE_ENV: "production"
 RAILS_ENV: "production"
- {{- if .Values.redis.enabled }}
- REDIS_HOST: {{ template "mastodon.redis.fullname" . }}-master
- {{- else }}
- REDIS_HOST: {{ required "When the redis chart is disabled .Values.redis.hostname is required" .Values.redis.hostname }}
- {{- end }}
+ REDIS_HOST: {{ template "mastodon.redis.host" . }}
 REDIS_PORT: {{ .Values.redis.port | default "6379" | quote }}
 {{- if .Values.redis.sidekiq.enabled }}
 {{- if .Values.redis.sidekiq.hostname }}
diff --git a/templates/job-db-migrate.yaml b/templates/job-db-migrate.yaml
index 9b0745f..da7503a 100644
--- a/templates/job-db-migrate.yaml
+++ b/templates/job-db-migrate.yaml
@@ -1,93 +1 @@ -{{- if .Values.mastodon.hooks.dbMigrate.enabled -}} -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ include "mastodon.fullname" . }}-db-migrate - labels: - {{- include "mastodon.labels" . | nindent 4 }} - annotations: - "helm.sh/hook": post-install,pre-upgrade - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded - "helm.sh/hook-weight": "-2" -spec: - template: - metadata: - name: {{ include "mastodon.fullname" . }}-db-migrate - {{- with .Values.jobAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - spec: - restartPolicy: Never - {{- if (not .Values.mastodon.s3.enabled) }} - # ensure we run on the same node as the other rails components; only - # required when using PVCs that are ReadWriteOnce - {{- if or (eq "ReadWriteOnce" .Values.mastodon.persistence.assets.accessMode) (eq "ReadWriteOnce" .Values.mastodon.persistence.system.accessMode) }} - affinity: - podAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: app.kubernetes.io/part-of - operator: In - values: - - rails - topologyKey: kubernetes.io/hostname - {{- end }} - volumes: - - name: assets - persistentVolumeClaim: - claimName: {{ template "mastodon.pvc.assets" . }} - - name: system - persistentVolumeClaim: - claimName: {{ template "mastodon.pvc.system" . }} - {{- end }} - containers: - - name: {{ include "mastodon.fullname" . }}-db-migrate - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - command: - - bundle - - exec - - rake - - db:migrate - envFrom: - - configMapRef: - name: {{ include "mastodon.fullname" . }}-env - - secretRef: - name: {{ template "mastodon.secretName" . }} - env: - - name: "DB_PASS" - valueFrom: - secretKeyRef: - name: {{ template "mastodon.postgresql.secretName" . 
}} - key: password - - name: "REDIS_PASSWORD" - valueFrom: - secretKeyRef: - name: {{ template "mastodon.redis.secretName" . }} - key: redis-password - {{- if and .Values.redis.sidekiq.enabled .Values.redis.sidekiq.auth.existingSecret }} - - name: "SIDEKIQ_REDIS_PASSWORD" - valueFrom: - secretKeyRef: - name: {{ template "mastodon.redis.sidekiq.secretName" . }} - key: redis-password - {{- end }} - {{- if and .Values.redis.cache.enabled .Values.redis.cache.auth.existingSecret }} - - name: "CACHE_REDIS_PASSWORD" - valueFrom: - secretKeyRef: - name: {{ template "mastodon.redis.cache.secretName" . }} - key: redis-password - {{- end }} - - name: "PORT" - value: {{ .Values.mastodon.web.port | quote }} - {{- if (not .Values.mastodon.s3.enabled) }} - volumeMounts: - - name: assets - mountPath: /opt/mastodon/public/assets - - name: system - mountPath: /opt/mastodon/public/system - {{- end }} -{{- end -}} +{{- include "mastodon.dbMigrateJob" (merge (dict "preDeploy" false ) .) }} diff --git a/templates/job-db-pre-migrate.yaml b/templates/job-db-pre-migrate.yaml new file mode 100644 index 0000000..2f29716 --- /dev/null +++ b/templates/job-db-pre-migrate.yaml @@ -0,0 +1 @@ +{{- include "mastodon.dbMigrateJob" (merge (dict "preDeploy" true ) .) }} diff --git a/templates/job-db-prepare.yaml b/templates/job-db-prepare.yaml new file mode 100644 index 0000000..5f0b5ab --- /dev/null +++ b/templates/job-db-prepare.yaml @@ -0,0 +1,4 @@ +# Does not work with included database because of helm install order. +{{- if not .Values.postgresql.enabled }} +{{- include "mastodon.dbMigrateJob" (merge (dict "prepare" true ) .) }} +{{- end }} diff --git a/templates/secret-prepare.yml b/templates/secret-prepare.yml new file mode 100644 index 0000000..8cfac53 --- /dev/null +++ b/templates/secret-prepare.yml 
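Review bot: The replacement line `{{- include "mastodon.dbMigrateJob" (merge (dict "preDeploy" false ) .) }}` drops the `{{- if .Values.mastodon.hooks.dbMigrate.enabled -}}` guard that wrapped the old job, and neither the new job-db-pre-migrate.yaml nor the job-db-prepare.yaml hunk on this line checks it, so the `hooks.dbMigrate.enabled` toggle that values.yaml still documents (the comment added later in this same patch) no longer does anything. Wrap all three includes in `{{- if .Values.mastodon.hooks.dbMigrate.enabled -}}` … `{{- end }}`, or move the check into the `mastodon.dbMigrateJob` definition so it cannot be forgotten by a future caller. Since `.prepare` is simply absent for the migrate jobs and `.preDeploy` absent for the prepare job, a one-line comment above each include naming the flags the template expects would help readers who only see these single-line files.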
@@ -0,0 +1,4 @@
+# Does not work with included database because of helm install order.
+{{- if and (include "mastodon.createSecret" .) (not .Values.postgresql.enabled) -}}
+{{- include "mastodon.secrets.object" (merge (dict "prepare" true ) .) }}
+{{- end }}
diff --git a/templates/secrets.yaml b/templates/secrets.yaml
index 0eec2ab..584177c 100644
--- a/templates/secrets.yaml
+++ b/templates/secrets.yaml
@@ -1,58 +1,3 @@ {{- if (include "mastodon.createSecret" .) -}} -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "mastodon.fullname" . }} - labels: - {{- include "mastodon.labels" . | nindent 4 }} -type: Opaque -data: - {{- if .Values.mastodon.s3.enabled }} - {{- if not .Values.mastodon.s3.existingSecret }} - AWS_ACCESS_KEY_ID: "{{ .Values.mastodon.s3.access_key | b64enc }}" - AWS_SECRET_ACCESS_KEY: "{{ .Values.mastodon.s3.access_secret | b64enc }}" - {{- end }} - {{- end }} - {{- if not .Values.mastodon.secrets.existingSecret }} - {{- if not (empty .Values.mastodon.secrets.secret_key_base) }} - SECRET_KEY_BASE: "{{ .Values.mastodon.secrets.secret_key_base | b64enc }}" - {{- else }} - SECRET_KEY_BASE: {{ required "secret_key_base is required" .Values.mastodon.secrets.secret_key_base }} - {{- end }} - {{- if not (empty .Values.mastodon.secrets.otp_secret) }} - OTP_SECRET: "{{ .Values.mastodon.secrets.otp_secret | b64enc }}" - {{- else }} - OTP_SECRET: {{ required "otp_secret is required" .Values.mastodon.secrets.otp_secret }} - {{- end }} - {{- if not (empty .Values.mastodon.secrets.vapid.private_key) }} - VAPID_PRIVATE_KEY: "{{ .Values.mastodon.secrets.vapid.private_key | b64enc }}" - {{- else }} - VAPID_PRIVATE_KEY: {{ required "vapid.private_key is required" .Values.mastodon.secrets.vapid.private_key }} - {{- end }} - {{- if not (empty .Values.mastodon.secrets.vapid.public_key) }} - VAPID_PUBLIC_KEY: "{{ .Values.mastodon.secrets.vapid.public_key | b64enc }}" - {{- else }} - VAPID_PUBLIC_KEY: {{ required "vapid.public_key is required" .Values.mastodon.secrets.vapid.public_key }} - {{- end }} - {{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.primaryKey) }} - ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: "{{ .Values.mastodon.secrets.activeRecordEncryption.primaryKey | b64enc }}" - {{- else }} - ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: {{ required "activeRecordEncryption.primaryKey is required" 
.Values.mastodon.secrets.activeRecordEncryption.primaryKey }} - {{- end }} - {{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.deterministicKey) }} - ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: "{{ .Values.mastodon.secrets.activeRecordEncryption.deterministicKey | b64enc }}" - {{- else }} - ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: {{ required "activeRecordEncryption.deterministicKey is required" .Values.mastodon.secrets.activeRecordEncryption.deterministicKey }} - {{- end }} - {{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt) }} - ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: "{{ .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt | b64enc }}" - {{- else }} - ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: {{ required "activeRecordEncryption.keyDerivationSalt is required" .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt }} - {{- end }} - {{- end }} - {{- if not .Values.postgresql.enabled }} - {{- if not .Values.postgresql.auth.existingSecret }} - password: "{{ .Values.postgresql.auth.password | b64enc }}" - {{- end }} - {{- end }} +{{- include "mastodon.secrets.object" . }} {{- end }} diff --git a/values.yaml b/values.yaml index 1bf977d..7ad93af 100644 --- a/values.yaml +++ b/values.yaml @@ -24,6 +24,9 @@ mastodon: # @ignored email: not@example.com hooks: + # Whether to perform DB migrations on `helm install|upgrade`. + # Please note that initial DB schema creation on `helm install` does not + # work when using the included database (postgresql.enabled=true). dbMigrate: enabled: true assetsPrecompile: 
@@ -523,7 +526,9 @@ elasticsearch: # https://github.com/bitnami/charts/tree/master/bitnami/postgresql#parameters postgresql: # -- disable if you want to use an existing db; in which case the values below - # must match those of that external postgres instance + # must match those of that external postgres instance. + # Please note that certain features do not work when enabling the included + # database, namely automatic schema creation when the app is first installed. enabled: true # postgresqlHostname: preexisting-postgresql # postgresqlPort: 5432 From 98801d7c09880d4d80e81c8753420db418f2be27 Mon Sep 17 00:00:00 2001 From: Tim Campbell Date: Tue, 4 Mar 2025 17:47:01 +0100 Subject: [PATCH 5/8] Fix asset upload (#167) --- templates/job-assets-copy.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/job-assets-copy.yaml b/templates/job-assets-copy.yaml index d35a7bc..2ac51fa 100644 --- a/templates/job-assets-copy.yaml +++ b/templates/job-assets-copy.yaml @@ -7,7 +7,7 @@ metadata: {{- include "mastodon.labels" . | nindent 4 }} annotations: "helm.sh/hook": pre-install,pre-upgrade - "helm.sh/hook-delete-policy": before-hook-creation + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded "helm.sh/hook-weight": "-1" spec: template: From ac8cd229d8ada9fd57b2eb51ba94f32291365bd3 Mon Sep 17 00:00:00 2001 From: Tim Campbell Date: Tue, 4 Mar 2025 18:01:51 +0100 Subject: [PATCH 6/8] Added additional DB connection fields to deal with connection pooler migrations (#169) --- templates/_db-migrate.tpl | 6 +++--- templates/_helpers.tpl | 27 +++++++++++++++++++++++++++ values.yaml | 10 ++++++++++ 3 files changed, 40 insertions(+), 3 deletions(-) diff --git a/templates/_db-migrate.tpl b/templates/_db-migrate.tpl index 042faf3..c3792c7 100644 --- a/templates/_db-migrate.tpl +++ b/templates/_db-migrate.tpl 
@@ -57,11 +57,11 @@ spec: {{- end }} env: - name: "DB_HOST" - value: {{ template "mastodon.postgres.host" . }} + value: {{ template "mastodon.postgres.direct.host" . }} - name: "DB_PORT" - value: {{ template "mastodon.postgres.port" . }} + value: {{ template "mastodon.postgres.direct.port" . }} - name: "DB_NAME" - value: {{ .Values.postgresql.auth.database }} + value: {{ template "mastodon.postgres.direct.database" . }} - name: "DB_USER" value: {{ .Values.postgresql.auth.username }} - name: "DB_PASS" diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 91409e0..b34ff95 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -140,6 +140,33 @@ Establish which values we will use for remote connections {{- end }} {{- end }} +{{/* +Establish which values we will use for direct remote DB connections +*/}} +{{- define "mastodon.postgres.direct.host" -}} +{{- if .Values.postgresql.direct.hostname }} +{{- printf "%s" .Values.postgresql.direct.hostname -}} +{{- else }} +{{- printf "%s" (include "mastodon.postgres.host" .) -}} +{{- end }} +{{- end }} + +{{- define "mastodon.postgres.direct.port" -}} +{{- if .Values.postgresql.direct.port }} +{{- printf "%d" (int .Values.postgresql.direct.port) | quote -}} +{{- else }} +{{- printf "%s" (include "mastodon.postgres.port" .) -}} +{{- end }} +{{- end }} + +{{- define "mastodon.postgres.direct.database" -}} +{{- if .Values.postgresql.direct.database }} +{{- printf "%s" .Values.postgresql.direct.database -}} +{{- else }} +{{- printf "%s" .Values.postgresql.auth.database -}} +{{- end }} +{{- end }} + {{- define "mastodon.redis.host" -}} {{- if .Values.redis.enabled }} {{- printf "%s-%s" (include "mastodon.redis.fullname" .) "master" -}} diff --git a/values.yaml b/values.yaml index 7ad93af..5b1ec64 100644 --- a/values.yaml +++ b/values.yaml 
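Review bot: `DB_USER` (and `DB_PASS` just below, outside the hunk) still come from `.Values.postgresql.auth.*` even though host, port and database now come from the `mastodon.postgres.direct.*` helpers; nothing in the diff says whether the direct endpoint that bypasses the pooler accepts the same credentials. If it is assumed to, state that in the values.yaml `direct:` comment (`# credentials are always taken from postgresql.auth`); if not, a `direct.username` override would be needed alongside the others. `value: {{ template "mastodon.postgres.direct.database" . }}` stays unquoted like the line it replaces, so a `| quote` there (or inside the helper, as `mastodon.postgres.direct.port` already does) keeps the env `value` a string.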
@@ -532,6 +532,16 @@ postgresql: enabled: true # postgresqlHostname: preexisting-postgresql # postgresqlPort: 5432 + + # If using a connection pooler such as pgbouncer, please specify a hostname/IP + # that serves as a "direct" connection to the database, rather than going + # through the connection pooler. This is required for migrations to work + # properly. + direct: + hostname: + port: + database: + auth: database: mastodon_production username: mastodon From 8ea5eadf9985837652c18d11a0f4f19ce9f4e0ca Mon Sep 17 00:00:00 2001 From: Tim Campbell Date: Tue, 4 Mar 2025 22:33:26 +0100 Subject: [PATCH 7/8] Fix some helm typos (comments interfering with manifests) (#172) --- templates/job-db-prepare.yaml | 1 - templates/secret-prepare.yml | 1 - 2 files changed, 2 deletions(-) diff --git a/templates/job-db-prepare.yaml b/templates/job-db-prepare.yaml index 5f0b5ab..5e9a6a2 100644 --- a/templates/job-db-prepare.yaml +++ b/templates/job-db-prepare.yaml @@ -1,4 +1,3 @@ -# Does not work with included database because of helm install order. {{- if not .Values.postgresql.enabled }} {{- include "mastodon.dbMigrateJob" (merge (dict "prepare" true ) .) }} {{- end }} diff --git a/templates/secret-prepare.yml b/templates/secret-prepare.yml index 8cfac53..375f047 100644 --- a/templates/secret-prepare.yml +++ b/templates/secret-prepare.yml @@ -1,4 +1,3 @@ -# Does not work with included database because of helm install order. {{- if and (include "mastodon.createSecret" .) (not .Values.postgresql.enabled) -}} {{- include "mastodon.secrets.object" (merge (dict "prepare" true ) .) }} {{- end }} From 1120b745e6b51ab84b9b9150ba4b1e5b5a164d88 Mon Sep 17 00:00:00 2001 From: Tim Campbell Date: Thu, 6 Mar 2025 09:53:04 +0100 Subject: [PATCH 8/8] Add puma metrics for web and sidekiq pods (#170) --- templates/deployment-sidekiq.yaml | 19 +++++++++++++++++ templates/deployment-web.yaml | 35 +++++++++++++++++++++++++++++++ values.yaml | 18 ++++++++++++++++ 3 files changed, 72 insertions(+) 
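Review bot: `hostname:`, `port:` and `database:` under the new `direct:` map are bare keys, which YAML reads as `null`; Helm's `if` treats that as unset so the helpers work, but it diverges from the commented-out `# postgresqlHostname:` / `# postgresqlPort:` style two lines above and yamllint's `empty-values` rule flags it. Prefer explicit empties (`hostname: ""`, `port: ""`, `database: ""`) or keep `direct: {}` with commented examples — but do keep the `direct` key itself, because the helpers dereference `.Values.postgresql.direct.hostname` and a missing parent map makes Helm fail with a nil-pointer template error rather than falling back. The comment could also say which credentials the direct connection uses, since only host/port/database are overridable here.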
diff --git a/templates/deployment-sidekiq.yaml b/templates/deployment-sidekiq.yaml index 1b3042d..5951bd6 100644 --- a/templates/deployment-sidekiq.yaml +++ b/templates/deployment-sidekiq.yaml @@ -206,6 +206,25 @@ spec: - name: OTEL_SERVICE_NAME_SEPARATOR value: "{{ coalesce $context.Values.mastodon.sidekiq.otel.nameSeparator $context.Values.mastodon.otel.nameSeparator }}" {{- end }} + {{- if $context.Values.mastodon.metrics.prometheus.enabled }} + - name: MASTODON_PROMETHEUS_EXPORTER_ENABLED + value: "true" + - name: MASTODON_PROMETHEUS_EXPORTER_LOCAL + value: "true" + - name: MASTODON_PROMETHEUS_EXPORTER_HOST + value: "0.0.0.0" + - name: MASTODON_PROMETHEUS_EXPORTER_PORT + value: "{{ $context.Values.mastodon.metrics.prometheus.port }}" + {{- if $context.Values.mastodon.metrics.prometheus.sidekiq.detailed }} + - name: MASTODON_PROMETHEUS_EXPORTER_SIDEKIQ_DETAILED_METRICS + value: "true" + {{- end }} + {{- end }} + {{- if $context.Values.mastodon.metrics.prometheus.enabled }} + ports: + - name: prometheus + containerPort: {{ $context.Values.mastodon.metrics.prometheus.port }} + {{- end }} volumeMounts: {{- if (not $context.Values.mastodon.s3.enabled) }} - name: assets diff --git a/templates/deployment-web.yaml b/templates/deployment-web.yaml index d787c3f..078bb5f 100644 --- a/templates/deployment-web.yaml +++ b/templates/deployment-web.yaml 
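Review bot: The exporter is bound to `0.0.0.0` via `MASTODON_PROMETHEUS_EXPORTER_HOST` and published as a container port with no authentication on the metrics endpoint; that is the usual in-cluster scraping pattern, but it means the chart relies on cluster network policy to keep other workloads off the port, which deserves a comment at that line such as `# listens on all pod interfaces; restrict with a NetworkPolicy if the pod network is not trusted`. The two consecutive `{{- if $context.Values.mastodon.metrics.prometheus.enabled }}` blocks (env entries, then `ports:`) could be a single block to avoid evaluating the condition twice. If the sidekiq container already declares `ports:` elsewhere in this template (outside the hunk), the added key would be a duplicate mapping key that most parsers resolve silently with last-wins.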
@@ -196,6 +196,20 @@ spec: - name: OTEL_SERVICE_NAME_SEPARATOR value: "{{ coalesce .Values.mastodon.web.otel.nameSeparator .Values.mastodon.otel.nameSeparator }}" {{- end }} + {{- if .Values.mastodon.metrics.prometheus.enabled }} + - name: MASTODON_PROMETHEUS_EXPORTER_ENABLED + value: "true" + - name: PROMETHEUS_EXPORTER_HOST + value: "127.0.0.1" + - name: PROMETHEUS_EXPORTER_PORT + value: "{{ .Values.mastodon.metrics.prometheus.port }}" + {{- if .Values.mastodon.metrics.prometheus.web.detailed }} + - name: MASTODON_PROMETHEUS_EXPORTER_WEB_DETAILED_METRICS + value: "true" + {{- end }} + {{- end }} + - name: TEST_ENV_VALUE + value: {{ .Values.mastodon.metrics.statsd.address }} volumeMounts: {{- if (not .Values.mastodon.s3.enabled) }} - name: assets @@ -233,6 +247,27 @@ spec: resources: {{- toYaml . | nindent 12 }} {{- end }} + {{- if .Values.mastodon.metrics.prometheus.enabled }} + - name: prometheus-exporter + image: "{{ coalesce .Values.mastodon.web.image.repository .Values.image.repository }}:{{ coalesce .Values.mastodon.web.image.tag .Values.image.tag .Chart.AppVersion }}" + command: + - ./bin/prometheus_exporter + args: + - "--bind" + - "0.0.0.0" + - "--port" + - "{{ .Values.mastodon.metrics.prometheus.port }}" + resources: + requests: + cpu: "0.1" + memory: "180M" + limits: + cpu: "0.5" + memory: "250M" + ports: + - name: prometheus + containerPort: {{ .Values.mastodon.metrics.prometheus.port }} + {{- end }} {{- include "mastodon.statsdExporterContainer" $ | indent 8 }} {{- with .Values.nodeSelector }} nodeSelector: diff --git a/values.yaml b/values.yaml index 5b1ec64..bcb6a44 100644 --- a/values.yaml +++ b/values.yaml 
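Review bot: `- name: TEST_ENV_VALUE` / `value: {{ .Values.mastodon.metrics.statsd.address }}` is added unconditionally after the prometheus block and reads as leftover debugging: it is unrelated to the feature, pushes the statsd address into every web pod's env regardless of `metrics.prometheus.enabled`, and because the value is unquoted an empty `statsd.address` renders as a null `value:`, which is not a valid env value. Remove both lines. The `PROMETHEUS_EXPORTER_HOST` / `PROMETHEUS_EXPORTER_PORT` names here differ from the `MASTODON_PROMETHEUS_EXPORTER_HOST` / `_PORT` names used in the sidekiq hunk; one of the two spellings is presumably unintended, so worth checking against the Mastodon docs linked from values.yaml.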
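Review bot: The `prometheus-exporter` sidecar hardcodes `requests`/`limits` (`cpu: "0.1"`, `memory: "180M"`, `cpu: "0.5"`, `memory: "250M"`) instead of reading them from values the way the main container does through the `with ... resources` block just above the hunk, so operators cannot tune or remove them; a `.Values.mastodon.metrics.prometheus.resources` map rendered with `toYaml | nindent` would follow the chart's convention. The sidecar binds `--bind 0.0.0.0` without authentication so that it can be scraped, while the web container talks to it over `127.0.0.1`; a comment stating that the metrics port is intentionally reachable from the pod network and that access control is left to NetworkPolicy would make the exposure explicit. The sidecar also carries none of the main container's `imagePullPolicy` or security settings (defined outside the hunk, if at all), which is worth aligning so the two containers run under the same constraints.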
@@ -434,6 +434,24 @@ mastodon: enabled: false port: 9102 + # Settings for Prometheus metrics. NOTE: Only available in Mastodon v4.4. + # For more information, see: + # https://docs.joinmastodon.org/admin/config/#prometheus + prometheus: + enabled: false + # Port for the exporter to listen on + port: 9394 + + # Prometheus for web pods + web: + # Collect per-controller/action metrics for every request + detailed: false + + # Prometheus for sidekiq pods + sidekiq: + # Collect per-job metrics for every job + detailed: false + # Open Telemetry configuration for all deployments. Component-specific # configuration will override these values. otel:
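Review bot: The comment says `NOTE: Only available in Mastodon v4.4.`, but Chart.yaml in this series pins `appVersion: "v4.2.17"`, so with the default image `prometheus.enabled: true` sets env vars the app ignores and, for web pods, starts a `./bin/prometheus_exporter` sidecar that may not exist in that image. Extend the comment so the precondition is actionable, e.g. `# Requires a Mastodon v4.4+ image; the chart's default appVersion is older, so set image.tag before enabling.` The `port: 9394` default is fine as an integer since the templates quote it where an env string is needed and leave it bare for `containerPort`.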