From 543fdf7446a995c3c405b82071ec78b473521a26 Mon Sep 17 00:00:00 2001 From: Norman <85173861+norman-zon@users.noreply.github.com> Date: Thu, 1 Dec 2022 06:41:51 +0100 Subject: [PATCH 01/17] allow external redis instance (#6) --- Chart.yaml | 1 + templates/configmap-env.yaml | 6 +++++- values.yaml | 5 +++++ 3 files changed, 11 insertions(+), 1 deletion(-) diff --git a/Chart.yaml b/Chart.yaml index 7080095..ad814a5 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -34,3 +34,4 @@ dependencies: - name: redis version: 16.13.2 repository: https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami + condition: redis.enabled diff --git a/templates/configmap-env.yaml b/templates/configmap-env.yaml index 5d0b96d..c33296a 100644 --- a/templates/configmap-env.yaml +++ b/templates/configmap-env.yaml @@ -32,8 +32,12 @@ data: MALLOC_ARENA_MAX: "2" NODE_ENV: "production" RAILS_ENV: "production" + {{- if .Values.redis.enabled }} REDIS_HOST: {{ template "mastodon.redis.fullname" . }}-master - REDIS_PORT: "6379" + {{- else }} + REDIS_HOST: {{ required "When the redis chart is disabled .Values.redis.hostname is required" .Values.redis.hostname }} + {{- end }} + REDIS_PORT: {{ .Values.redis.port | default "6379" | quote }} {{- if .Values.mastodon.s3.enabled }} S3_BUCKET: {{ .Values.mastodon.s3.bucket }} S3_ENABLED: "true" diff --git a/values.yaml b/values.yaml index 07171fc..988c1d8 100644 --- a/values.yaml +++ b/values.yaml @@ -167,6 +167,11 @@ postgresql: # https://github.com/bitnami/charts/tree/master/bitnami/redis#parameters redis: + # disable if you want to use an existing redis instance; in which case the + # values below must match those of that external redis instance + enabled: true + hostname: "" + port: 6379 # you must set a password; the password generated by the redis chart will be # rotated on each upgrade: password: "" From ae892d539ed35433ceadeadaf87113cca75c2ea7 Mon Sep 17 00:00:00 2001 
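Review bot: The external-Redis branch in `configmap-env.yaml` swaps only `REDIS_HOST`/`REDIS_PORT`; the password is still pulled from the chart's own Redis secret (`mastodon.redis.secretName`, key `redis-password`, as the deployment and cronjob templates in the next patch show), and nothing lets an operator ask for TLS, so a managed Redis outside the cluster is reached in clear text with a credential that `values.yaml` only hints at. Consider a `redis.url`/`redis.tls` value that renders Mastodon's `REDIS_URL` (confirm the variable against the deployed version) with a `rediss://` scheme, and extend the new `redis:` comment to say explicitly that `redis.password` (or the referenced secret) must hold the external instance's credential. The `required` guard on `hostname` is good; consider the same for `password` when `redis.enabled` is false, since an empty value there means an unauthenticated connection attempt.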
From: Alex Nordlund Date: Sat, 3 Dec 2022 05:44:39 +0100 Subject: [PATCH 02/17] Refactor chart sidekiq queues (#1) Co-authored-by: Effy Elden Co-authored-by: Sheogorath Co-authored-by: Chris Funderburg --- .github/workflows/test-chart.yml | 14 +- Chart.yaml | 4 +- README.md | 17 ++ templates/_helpers.tpl | 12 + templates/configmap-env.yaml | 325 ++++++++++++++------------- templates/cronjob-media-remove.yaml | 12 + templates/deployment-sidekiq.yaml | 99 ++++---- templates/deployment-streaming.yaml | 16 +- templates/deployment-web.yaml | 16 +- templates/hpa.yaml | 28 --- templates/job-create-admin.yaml | 2 +- templates/tests/test-connection.yaml | 2 +- values.yaml | 168 ++++++++++---- 13 files changed, 405 insertions(+), 310 deletions(-) delete mode 100644 templates/hpa.yaml diff --git a/.github/workflows/test-chart.yml b/.github/workflows/test-chart.yml index b9ff808..a4482b6 100644 --- a/.github/workflows/test-chart.yml +++ b/.github/workflows/test-chart.yml @@ -5,15 +5,9 @@ name: Test chart on: pull_request: - paths: - - "chart/**" - - "!**.md" - - ".github/workflows/test-chart.yml" + paths-ignore: + - "README.md" push: - paths: - - "chart/**" - - "!**.md" - - ".github/workflows/test-chart.yml" branches-ignore: - "dependabot/**" workflow_dispatch: @@ -21,10 +15,6 @@ on: permissions: contents: read -defaults: - run: - working-directory: chart - jobs: lint-templates: runs-on: ubuntu-22.04 diff --git a/Chart.yaml b/Chart.yaml index ad814a5..1ebc973 100644 --- a/Chart.yaml +++ b/Chart.yaml 
@@ -15,12 +15,12 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 2.3.0 +version: 4.0.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. -appVersion: v3.5.3 +appVersion: v4.0.2 dependencies: - name: elasticsearch diff --git a/README.md b/README.md index 78d7536..53f9599 100644 --- a/README.md +++ b/README.md @@ -19,6 +19,23 @@ The variables that _must_ be configured are: - SMTP settings for your mailer in the `mastodon.smtp` group. +If your PersistentVolumeClaim is `ReadWriteOnce` and you're unable to use a S3-compatible service or +run a self-hosted compatible service like [Minio](https://min.io/docs/minio/kubernetes/upstream/index.html) +then you need to set the pod affinity so the web and sidekiq pods are scheduled to the same node. + +Example configuration: +```yaml +podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app.kubernetes.io/part-of + operator: In + values: + - rails + topologyKey: kubernetes.io/hostname +``` + # Administration You can run [admin CLI](https://docs.joinmastodon.org/admin/tootctl/) commands in the web deployment. diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 207780b..0e1804f 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
@@ -136,3 +136,15 @@ Return true if a mastodon secret object should be created {{- true -}} {{- end -}} {{- end -}} + +{{/* +Find highest number of needed database connections to set DB_POOL variable +*/}} +{{- define "mastodon.maxDbPool" -}} +{{/* Default MAX_THREADS for Puma is 5 */}} +{{- $poolSize := 5 }} +{{- range .Values.mastodon.sidekiq.workers }} +{{- $poolSize = max $poolSize .concurrency }} +{{- end }} +{{- $poolSize | quote }} +{{- end }} diff --git a/templates/configmap-env.yaml b/templates/configmap-env.yaml index c33296a..60efedd 100644 --- a/templates/configmap-env.yaml +++ b/templates/configmap-env.yaml @@ -13,7 +13,7 @@ data: DB_PORT: {{ .Values.postgresql.postgresqlPort | default "5432" | quote }} {{- end }} DB_NAME: {{ .Values.postgresql.auth.database }} - DB_POOL: {{ .Values.mastodon.sidekiq.concurrency | quote }} + DB_POOL: {{ include "mastodon.maxDbPool" . }} DB_USER: {{ .Values.postgresql.auth.username }} DEFAULT_LOCALE: {{ .Values.mastodon.locale }} {{- if .Values.elasticsearch.enabled }} @@ -22,12 +22,15 @@ data: ES_PORT: "9200" {{- end }} LOCAL_DOMAIN: {{ .Values.mastodon.local_domain }} - {{- if .Values.mastodon.web_domain }} - WEB_DOMAIN: {{ .Values.mastodon.web_domain }} + {{- with .Values.mastodon.web_domain }} + WEB_DOMAIN: {{ . }} {{- end }} - {{- if .Values.mastodon.singleUserMode }} + {{- with .Values.mastodon.singleUserMode }} SINGLE_USER_MODE: "true" {{- end }} + {{- with .Values.mastodon.authorizedFetch }} + AUTHORIZED_FETCH: {{ . | quote }} + {{- end }} # https://devcenter.heroku.com/articles/tuning-glibc-memory-behavior MALLOC_ARENA_MAX: "2" NODE_ENV: "production" 
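Review bot: `DB_POOL: {{ include "mastodon.maxDbPool" . }}` is written into the single `-env` ConfigMap that every deployment and job loads via `envFrom`, so web and streaming pods now claim a pool equal to the largest sidekiq worker's `concurrency` rather than their own thread count; multiplied by replicas this can exhaust Postgres `max_connections` and take the whole instance down. Either set `DB_POOL` per deployment (an `env` entry on each sidekiq deployment from `.concurrency`, leaving the ConfigMap at the Puma size) or add a comment above `mastodon.maxDbPool` in `_helpers.tpl` stating the sizing assumption, e.g. `{{/* Every pod inherits this pool size; total connections = sum over replicas of DB_POOL */}}`. The helper also assumes each worker entry carries `concurrency`; confirm how sprig's `max` treats a missing key or write `(.concurrency | default 5)`.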
@@ -44,58 +47,58 @@ data: S3_ENDPOINT: {{ .Values.mastodon.s3.endpoint }} S3_HOSTNAME: {{ .Values.mastodon.s3.hostname }} S3_PROTOCOL: "https" - {{- if .Values.mastodon.s3.region }} - S3_REGION: {{ .Values.mastodon.s3.region }} + {{- with .Values.mastodon.s3.region }} + S3_REGION: {{ . }} {{- end }} - {{- if .Values.mastodon.s3.alias_host }} + {{- with .Values.mastodon.s3.alias_host }} S3_ALIAS_HOST: {{ .Values.mastodon.s3.alias_host}} {{- end }} {{- end }} - {{- if .Values.mastodon.smtp.auth_method }} - SMTP_AUTH_METHOD: {{ .Values.mastodon.smtp.auth_method }} + {{- with .Values.mastodon.smtp.auth_method }} + SMTP_AUTH_METHOD: {{ . }} {{- end }} - {{- if .Values.mastodon.smtp.ca_file }} - SMTP_CA_FILE: {{ .Values.mastodon.smtp.ca_file }} + {{- with .Values.mastodon.smtp.ca_file }} + SMTP_CA_FILE: {{ . }} {{- end }} - {{- if .Values.mastodon.smtp.delivery_method }} - SMTP_DELIVERY_METHOD: {{ .Values.mastodon.smtp.delivery_method }} + {{- with .Values.mastodon.smtp.delivery_method }} + SMTP_DELIVERY_METHOD: {{ . }} {{- end }} - {{- if .Values.mastodon.smtp.domain }} - SMTP_DOMAIN: {{ .Values.mastodon.smtp.domain }} + {{- with .Values.mastodon.smtp.domain }} + SMTP_DOMAIN: {{ . }} {{- end }} - {{- if .Values.mastodon.smtp.enable_starttls }} - SMTP_ENABLE_STARTTLS: {{ .Values.mastodon.smtp.enable_starttls | quote }} + {{- with .Values.mastodon.smtp.enable_starttls }} + SMTP_ENABLE_STARTTLS: {{ . | quote }} {{- end }} - {{- if .Values.mastodon.smtp.enable_starttls_auto }} - SMTP_ENABLE_STARTTLS_AUTO: {{ .Values.mastodon.smtp.enable_starttls_auto | quote }} + {{- with .Values.mastodon.smtp.enable_starttls_auto }} + SMTP_ENABLE_STARTTLS_AUTO: {{ . | quote }} {{- end }} - {{- if .Values.mastodon.smtp.from_address }} - SMTP_FROM_ADDRESS: {{ .Values.mastodon.smtp.from_address }} + {{- with .Values.mastodon.smtp.from_address }} + SMTP_FROM_ADDRESS: {{ . 
}} {{- end }} - {{- if .Values.mastodon.smtp.login }} - SMTP_LOGIN: {{ .Values.mastodon.smtp.login }} + {{- with .Values.mastodon.smtp.login }} + SMTP_LOGIN: {{ . }} {{- end }} - {{- if .Values.mastodon.smtp.openssl_verify_mode }} - SMTP_OPENSSL_VERIFY_MODE: {{ .Values.mastodon.smtp.openssl_verify_mode }} + {{- with .Values.mastodon.smtp.openssl_verify_mode }} + SMTP_OPENSSL_VERIFY_MODE: {{ . }} {{- end }} - {{- if .Values.mastodon.smtp.password }} - SMTP_PASSWORD: {{ .Values.mastodon.smtp.password }} + {{- with .Values.mastodon.smtp.password }} + SMTP_PASSWORD: {{ . }} {{- end }} - {{- if .Values.mastodon.smtp.port }} - SMTP_PORT: {{ .Values.mastodon.smtp.port | quote }} + {{- with .Values.mastodon.smtp.port }} + SMTP_PORT: {{ . | quote }} {{- end }} - {{- if .Values.mastodon.smtp.reply_to }} - SMTP_REPLY_TO: {{ .Values.mastodon.smtp.reply_to }} + {{- with .Values.mastodon.smtp.reply_to }} + SMTP_REPLY_TO: {{ . }} {{- end }} - {{- if .Values.mastodon.smtp.server }} - SMTP_SERVER: {{ .Values.mastodon.smtp.server }} + {{- with .Values.mastodon.smtp.server }} + SMTP_SERVER: {{ . }} {{- end }} - {{- if .Values.mastodon.smtp.tls }} - SMTP_TLS: {{ .Values.mastodon.smtp.tls | quote }} + {{- with .Values.mastodon.smtp.tls }} + SMTP_TLS: {{ . | quote }} {{- end }} STREAMING_CLUSTER_NUM: {{ .Values.mastodon.streaming.workers | quote }} - {{- if .Values.mastodon.streaming.base_url }} - STREAMING_API_BASE_URL: {{ .Values.mastodon.streaming.base_url | quote }} + {{- with .Values.mastodon.streaming.base_url }} + STREAMING_API_BASE_URL: {{ . | quote }} {{- end }} {{- if .Values.externalAuth.oidc.enabled }} OIDC_ENABLED: {{ .Values.externalAuth.oidc.enabled | quote }} 
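Review bot: `S3_ALIAS_HOST` no longer renders: the new `{{- with .Values.mastodon.s3.alias_host }}` rebinds `.` to the string value, so the untouched `S3_ALIAS_HOST: {{ .Values.mastodon.s3.alias_host}}` on the following line evaluates `.Values` on a string and `helm template` fails whenever `alias_host` is set; it should read `S3_ALIAS_HOST: {{ . }}` like every sibling in this hunk. Separately, `SMTP_PASSWORD: {{ . }}` and `SMTP_LOGIN: {{ . }}` still land in a ConfigMap (readable by anyone with `get configmaps` in the namespace, and unquoted, so a password containing `: ` or `#` breaks the YAML); the deployments already support `mastodon.smtp.existingSecret` for exactly these two keys, so the ConfigMap path should be dropped or carry a comment such as `# insecure: prefer mastodon.smtp.existingSecret`.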
@@ -108,53 +111,53 @@ data: OIDC_CLIENT_SECRET: {{ .Values.externalAuth.oidc.client_secret }} OIDC_REDIRECT_URI: {{ .Values.externalAuth.oidc.redirect_uri }} OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED: {{ .Values.externalAuth.oidc.assume_email_is_verified | quote }} - {{- if .Values.externalAuth.oidc.client_auth_method }} - OIDC_CLIENT_AUTH_METHOD: {{ .Values.externalAuth.oidc.client_auth_method }} + {{- with .Values.externalAuth.oidc.client_auth_method }} + OIDC_CLIENT_AUTH_METHOD: {{ . }} {{- end }} - {{- if .Values.externalAuth.oidc.response_type }} - OIDC_RESPONSE_TYPE: {{ .Values.externalAuth.oidc.response_type }} + {{- with .Values.externalAuth.oidc.response_type }} + OIDC_RESPONSE_TYPE: {{ . }} {{- end }} - {{- if .Values.externalAuth.oidc.response_mode }} - OIDC_RESPONSE_MODE: {{ .Values.externalAuth.oidc.response_mode }} + {{- with .Values.externalAuth.oidc.response_mode }} + OIDC_RESPONSE_MODE: {{ . }} {{- end }} - {{- if .Values.externalAuth.oidc.display }} - OIDC_DISPLAY: {{ .Values.externalAuth.oidc.display }} + {{- with .Values.externalAuth.oidc.display }} + OIDC_DISPLAY: {{ . }} {{- end }} - {{- if .Values.externalAuth.oidc.prompt }} - OIDC_PROMPT: {{ .Values.externalAuth.oidc.prompt }} + {{- with .Values.externalAuth.oidc.prompt }} + OIDC_PROMPT: {{ . }} {{- end }} - {{- if .Values.externalAuth.oidc.send_nonce }} - OIDC_SEND_NONCE: {{ .Values.externalAuth.oidc.send_nonce }} + {{- with .Values.externalAuth.oidc.send_nonce }} + OIDC_SEND_NONCE: {{ . }} {{- end }} - {{- if .Values.externalAuth.oidc.send_scope_to_token_endpoint }} - OIDC_SEND_SCOPE_TO_TOKEN_ENDPOINT: {{ .Values.externalAuth.oidc.send_scope_to_token_endpoint | quote }} + {{- with .Values.externalAuth.oidc.send_scope_to_token_endpoint }} + OIDC_SEND_SCOPE_TO_TOKEN_ENDPOINT: {{ . 
| quote }} {{- end }} - {{- if .Values.externalAuth.oidc.idp_logout_redirect_uri }} - OIDC_IDP_LOGOUT_REDIRECT_URI: {{ .Values.externalAuth.oidc.idp_logout_redirect_uri }} + {{- with .Values.externalAuth.oidc.idp_logout_redirect_uri }} + OIDC_IDP_LOGOUT_REDIRECT_URI: {{ . }} {{- end }} - {{- if .Values.externalAuth.oidc.http_scheme }} - OIDC_HTTP_SCHEME: {{ .Values.externalAuth.oidc.http_scheme }} + {{- with .Values.externalAuth.oidc.http_scheme }} + OIDC_HTTP_SCHEME: {{ . }} {{- end }} - {{- if .Values.externalAuth.oidc.host }} - OIDC_HOST: {{ .Values.externalAuth.oidc.host }} + {{- with .Values.externalAuth.oidc.host }} + OIDC_HOST: {{ . }} {{- end }} - {{- if .Values.externalAuth.oidc.port }} - OIDC_PORT: {{ .Values.externalAuth.oidc.port }} + {{- with .Values.externalAuth.oidc.port }} + OIDC_PORT: {{ . }} {{- end }} - {{- if .Values.externalAuth.oidc.jwks_uri }} - OIDC_JWKS_URI: {{ .Values.externalAuth.oidc.jwks_uri }} + {{- with .Values.externalAuth.oidc.jwks_uri }} + OIDC_JWKS_URI: {{ . }} {{- end }} - {{- if .Values.externalAuth.oidc.auth_endpoint }} - OIDC_AUTH_ENDPOINT: {{ .Values.externalAuth.oidc.auth_endpoint }} + {{- with .Values.externalAuth.oidc.auth_endpoint }} + OIDC_AUTH_ENDPOINT: {{ . }} {{- end }} - {{- if .Values.externalAuth.oidc.token_endpoint }} - OIDC_TOKEN_ENDPOINT: {{ .Values.externalAuth.oidc.token_endpoint }} + {{- with .Values.externalAuth.oidc.token_endpoint }} + OIDC_TOKEN_ENDPOINT: {{ . }} {{- end }} - {{- if .Values.externalAuth.oidc.user_info_endpoint }} - OIDC_USER_INFO_ENDPOINT: {{ .Values.externalAuth.oidc.user_info_endpoint }} + {{- with .Values.externalAuth.oidc.user_info_endpoint }} + OIDC_USER_INFO_ENDPOINT: {{ . }} {{- end }} - {{- if .Values.externalAuth.oidc.end_session_endpoint }} - OIDC_END_SESSION_ENDPOINT: {{ .Values.externalAuth.oidc.end_session_endpoint }} + {{- with .Values.externalAuth.oidc.end_session_endpoint }} + OIDC_END_SESSION_ENDPOINT: {{ . 
}} {{- end }} {{- end }} {{- if .Values.externalAuth.saml.enabled }} 
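Review bot: `OIDC_SEND_NONCE: {{ . }}` and `OIDC_PORT: {{ . }}` are rendered unquoted, so a boolean or integer value becomes a YAML bool/int inside ConfigMap `data`, which the API server rejects because data values must be strings; use `OIDC_SEND_NONCE: {{ . | quote }}` and `OIDC_PORT: {{ . | quote }}` as the neighbouring keys do. Note also that `with` drops the key whenever the value is false, so `send_nonce: false` silently defers to the application default instead of rendering `"false"` — acceptable for a replay-protection setting, but worth a comment in `values.yaml`. `OIDC_CLIENT_SECRET` (context line at the top of this hunk) is still placed in the ConfigMap rather than the chart Secret; same concern as the SMTP and LDAP credentials.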
@@ -163,54 +166,54 @@ data: SAML_ISSUER: {{ .Values.externalAuth.saml.issuer }} SAML_IDP_SSO_TARGET_URL: {{ .Values.externalAuth.saml.idp_sso_target_url }} SAML_IDP_CERT: {{ .Values.externalAuth.saml.idp_cert | quote }} - {{- if .Values.externalAuth.saml.idp_cert_fingerprint }} - SAML_IDP_CERT_FINGERPRINT: {{ .Values.externalAuth.saml.idp_cert_fingerprint | quote }} + {{- with .Values.externalAuth.saml.idp_cert_fingerprint }} + SAML_IDP_CERT_FINGERPRINT: {{ . | quote }} {{- end }} - {{- if .Values.externalAuth.saml.name_identifier_format }} - SAML_NAME_IDENTIFIER_FORMAT: {{ .Values.externalAuth.saml.name_identifier_format }} + {{- with .Values.externalAuth.saml.name_identifier_format }} + SAML_NAME_IDENTIFIER_FORMAT: {{ . }} {{- end }} - {{- if .Values.externalAuth.saml.cert }} - SAML_CERT: {{ .Values.externalAuth.saml.cert | quote }} + {{- with .Values.externalAuth.saml.cert }} + SAML_CERT: {{ . | quote }} {{- end }} - {{- if .Values.externalAuth.saml.private_key }} - SAML_PRIVATE_KEY: {{ .Values.externalAuth.saml.private_key | quote }} + {{- with .Values.externalAuth.saml.private_key }} + SAML_PRIVATE_KEY: {{ . | quote }} {{- end }} - {{- if .Values.externalAuth.saml.want_assertion_signed }} - SAML_SECURITY_WANT_ASSERTION_SIGNED: {{ .Values.externalAuth.saml.want_assertion_signed | quote }} + {{- with .Values.externalAuth.saml.want_assertion_signed }} + SAML_SECURITY_WANT_ASSERTION_SIGNED: {{ . | quote }} {{- end }} - {{- if .Values.externalAuth.saml.want_assertion_encrypted }} - SAML_SECURITY_WANT_ASSERTION_ENCRYPTED: {{ .Values.externalAuth.saml.want_assertion_encrypted | quote }} + {{- with .Values.externalAuth.saml.want_assertion_encrypted }} + SAML_SECURITY_WANT_ASSERTION_ENCRYPTED: {{ . 
| quote }} {{- end }} - {{- if .Values.externalAuth.saml.assume_email_is_verified }} - SAML_SECURITY_ASSUME_EMAIL_IS_VERIFIED: {{ .Values.externalAuth.saml.assume_email_is_verified | quote }} + {{- with .Values.externalAuth.saml.assume_email_is_verified }} + SAML_SECURITY_ASSUME_EMAIL_IS_VERIFIED: {{ . | quote }} {{- end }} - {{- if .Values.externalAuth.saml.uid_attribute }} - SAML_UID_ATTRIBUTE: {{ .Values.externalAuth.saml.uid_attribute }} + {{- with .Values.externalAuth.saml.uid_attribute }} + SAML_UID_ATTRIBUTE: {{ . }} {{- end }} - {{- if .Values.externalAuth.saml.attributes_statements.uid }} - SAML_ATTRIBUTES_STATEMENTS_UID: {{ .Values.externalAuth.saml.attributes_statements.uid | quote }} + {{- with .Values.externalAuth.saml.attributes_statements.uid }} + SAML_ATTRIBUTES_STATEMENTS_UID: {{ . | quote }} {{- end }} - {{- if .Values.externalAuth.saml.attributes_statements.email }} - SAML_ATTRIBUTES_STATEMENTS_EMAIL: {{ .Values.externalAuth.saml.attributes_statements.email | quote }} + {{- with .Values.externalAuth.saml.attributes_statements.email }} + SAML_ATTRIBUTES_STATEMENTS_EMAIL: {{ . | quote }} {{- end }} - {{- if .Values.externalAuth.saml.attributes_statements.full_name }} - SAML_ATTRIBUTES_STATEMENTS_FULL_NAME: {{ .Values.externalAuth.saml.attributes_statements.full_name | quote }} + {{- with .Values.externalAuth.saml.attributes_statements.full_name }} + SAML_ATTRIBUTES_STATEMENTS_FULL_NAME: {{ . | quote }} {{- end }} - {{- if .Values.externalAuth.saml.attributes_statements.first_name }} - SAML_ATTRIBUTES_STATEMENTS_FIRST_NAME: {{ .Values.externalAuth.saml.attributes_statements.first_name | quote }} + {{- with .Values.externalAuth.saml.attributes_statements.first_name }} + SAML_ATTRIBUTES_STATEMENTS_FIRST_NAME: {{ . 
| quote }} {{- end }} - {{- if .Values.externalAuth.saml.attributes_statements.last_name }} - SAML_ATTRIBUTES_STATEMENTS_LAST_NAME: {{ .Values.externalAuth.saml.attributes_statements.last_name | quote }} + {{- with .Values.externalAuth.saml.attributes_statements.last_name }} + SAML_ATTRIBUTES_STATEMENTS_LAST_NAME: {{ . | quote }} {{- end }} - {{- if .Values.externalAuth.saml.attributes_statements.verified }} - SAML_ATTRIBUTES_STATEMENTS_VERIFIED: {{ .Values.externalAuth.saml.attributes_statements.verified | quote }} + {{- with .Values.externalAuth.saml.attributes_statements.verified }} + SAML_ATTRIBUTES_STATEMENTS_VERIFIED: {{ . | quote }} {{- end }} - {{- if .Values.externalAuth.saml.attributes_statements.verified_email }} - SAML_ATTRIBUTES_STATEMENTS_VERIFIED_EMAIL: {{ .Values.externalAuth.saml.attributes_statements.verified_email | quote }} + {{- with .Values.externalAuth.saml.attributes_statements.verified_email }} + SAML_ATTRIBUTES_STATEMENTS_VERIFIED_EMAIL: {{ . | quote }} {{- end }} {{- end }} - {{- if .Values.externalAuth.oauth_global.oauth_redirect_at_sign_in }} - OAUTH_REDIRECT_AT_SIGN_IN: {{ .Values.externalAuth.oauth_global.oauth_redirect_at_sign_in | quote }} + {{- with .Values.externalAuth.oauth_global.omniauth_only }} + OMNIAUTH_ONLY: {{ . | quote }} {{- end }} {{- if .Values.externalAuth.cas.enabled }} CAS_ENABLED: {{ .Values.externalAuth.cas.enabled | quote }} 
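Review bot: Replacing `oauth_global.oauth_redirect_at_sign_in` with `omniauth_only` (presumably tracking the upstream rename) is a silent security regression for existing installs: a values file that still sets the old key renders nothing, `OMNIAUTH_ONLY` stays unset, and local password login quietly comes back. Add a guard such as `{{- if hasKey .Values.externalAuth.oauth_global "oauth_redirect_at_sign_in" }}{{ fail "externalAuth.oauth_global.oauth_redirect_at_sign_in was renamed to omniauth_only" }}{{- end }}` and call the rename out in the README for the 4.0.0 bump. `SAML_PRIVATE_KEY` (the SP signing/decryption key) is still written into the ConfigMap; it belongs in the chart Secret alongside the other credentials.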
@@ -218,68 +221,68 @@ data: CAS_HOST: {{ .Values.externalAuth.cas.host }} CAS_PORT: {{ .Values.externalAuth.cas.port }} CAS_SSL: {{ .Values.externalAuth.cas.ssl | quote }} - {{- if .Values.externalAuth.cas.validate_url }} - CAS_VALIDATE_URL: {{ .Values.externalAuth.cas.validate_url }} + {{- with .Values.externalAuth.cas.validate_url }} + CAS_VALIDATE_URL: {{ . }} {{- end }} - {{- if .Values.externalAuth.cas.callback_url }} - CAS_CALLBACK_URL: {{ .Values.externalAuth.cas.callback_url }} + {{- with .Values.externalAuth.cas.callback_url }} + CAS_CALLBACK_URL: {{ . }} {{- end }} - {{- if .Values.externalAuth.cas.logout_url }} - CAS_LOGOUT_URL: {{ .Values.externalAuth.cas.logout_url }} + {{- with .Values.externalAuth.cas.logout_url }} + CAS_LOGOUT_URL: {{ . }} {{- end }} - {{- if .Values.externalAuth.cas.login_url }} - CAS_LOGIN_URL: {{ .Values.externalAuth.cas.login_url }} + {{- with .Values.externalAuth.cas.login_url }} + CAS_LOGIN_URL: {{ . }} {{- end }} - {{- if .Values.externalAuth.cas.uid_field }} - CAS_UID_FIELD: {{ .Values.externalAuth.cas.uid_field | quote }} + {{- with .Values.externalAuth.cas.uid_field }} + CAS_UID_FIELD: {{ . | quote }} {{- end }} - {{- if .Values.externalAuth.cas.ca_path }} - CAS_CA_PATH: {{ .Values.externalAuth.cas.ca_path }} + {{- with .Values.externalAuth.cas.ca_path }} + CAS_CA_PATH: {{ . }} {{- end }} - {{- if .Values.externalAuth.cas.disable_ssl_verification }} - CAS_DISABLE_SSL_VERIFICATION: {{ .Values.externalAuth.cas.disable_ssl_verification | quote }} + {{- with .Values.externalAuth.cas.disable_ssl_verification }} + CAS_DISABLE_SSL_VERIFICATION: {{ . | quote }} {{- end }} - {{- if .Values.externalAuth.cas.assume_email_is_verified }} - CAS_SECURITY_ASSUME_EMAIL_IS_VERIFIED: {{ .Values.externalAuth.cas.assume_email_is_verified | quote }} + {{- with .Values.externalAuth.cas.assume_email_is_verified }} + CAS_SECURITY_ASSUME_EMAIL_IS_VERIFIED: {{ . 
| quote }} {{- end }} - {{- if .Values.externalAuth.cas.keys.uid }} - CAS_UID_KEY: {{ .Values.externalAuth.cas.keys.uid | quote }} + {{- with .Values.externalAuth.cas.keys.uid }} + CAS_UID_KEY: {{ . | quote }} {{- end }} - {{- if .Values.externalAuth.cas.keys.name }} - CAS_NAME_KEY: {{ .Values.externalAuth.cas.keys.name | quote }} + {{- with .Values.externalAuth.cas.keys.name }} + CAS_NAME_KEY: {{ . | quote }} {{- end }} - {{- if .Values.externalAuth.cas.keys.email }} - CAS_EMAIL_KEY: {{ .Values.externalAuth.cas.keys.email | quote }} + {{- with .Values.externalAuth.cas.keys.email }} + CAS_EMAIL_KEY: {{ . | quote }} {{- end }} - {{- if .Values.externalAuth.cas.keys.nickname }} - CAS_NICKNAME_KEY: {{ .Values.externalAuth.cas.keys.nickname | quote }} + {{- with .Values.externalAuth.cas.keys.nickname }} + CAS_NICKNAME_KEY: {{ . | quote }} {{- end }} - {{- if .Values.externalAuth.cas.keys.first_name }} - CAS_FIRST_NAME_KEY: {{ .Values.externalAuth.cas.keys.first_name | quote }} + {{- with .Values.externalAuth.cas.keys.first_name }} + CAS_FIRST_NAME_KEY: {{ . | quote }} {{- end }} - {{- if .Values.externalAuth.cas.keys.last_name }} - CAS_LAST_NAME_KEY: {{ .Values.externalAuth.cas.keys.last_name | quote }} + {{- with .Values.externalAuth.cas.keys.last_name }} + CAS_LAST_NAME_KEY: {{ . | quote }} {{- end }} - {{- if .Values.externalAuth.cas.keys.location }} - CAS_LOCATION_KEY: {{ .Values.externalAuth.cas.keys.location | quote }} + {{- with .Values.externalAuth.cas.keys.location }} + CAS_LOCATION_KEY: {{ . | quote }} {{- end }} - {{- if .Values.externalAuth.cas.keys.image }} - CAS_IMAGE_KEY: {{ .Values.externalAuth.cas.keys.image | quote }} + {{- with .Values.externalAuth.cas.keys.image }} + CAS_IMAGE_KEY: {{ . | quote }} {{- end }} - {{- if .Values.externalAuth.cas.keys.phone }} - CAS_PHONE_KEY: {{ .Values.externalAuth.cas.keys.phone | quote }} + {{- with .Values.externalAuth.cas.keys.phone }} + CAS_PHONE_KEY: {{ . 
| quote }} {{- end }} {{- end }} - {{- if .Values.externalAuth.pam.enabled }} - PAM_ENABLED: {{ .Values.externalAuth.pam.enabled | quote }} - {{- if .Values.externalAuth.pam.email_domain }} - PAM_EMAIL_DOMAIN: {{ .Values.externalAuth.pam.email_domain }} + {{- with .Values.externalAuth.pam.enabled }} + PAM_ENABLED: {{ . | quote }} + {{- with .Values.externalAuth.pam.email_domain }} + PAM_EMAIL_DOMAIN: {{ . }} {{- end }} - {{- if .Values.externalAuth.pam.default_service }} - PAM_DEFAULT_SERVICE: {{ .Values.externalAuth.pam.default_service }} + {{- with .Values.externalAuth.pam.default_service }} + PAM_DEFAULT_SERVICE: {{ . }} {{- end }} - {{- if .Values.externalAuth.pam.controlled_service }} - PAM_CONTROLLED_SERVICE: {{ .Values.externalAuth.pam.controlled_service }} + {{- with .Values.externalAuth.pam.controlled_service }} + PAM_CONTROLLED_SERVICE: {{ . }} {{- end }} {{- end }} {{- if .Values.externalAuth.ldap.enabled }} 
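Review bot: The PAM block no longer renders: `{{- with .Values.externalAuth.pam.enabled }}` rebinds `.` to the boolean, so the nested `{{- with .Values.externalAuth.pam.email_domain }}` (and the two `with` blocks after it) evaluate `.Values` on a `bool` and `helm template` errors out whenever PAM is enabled. Either keep the outer guard as `{{- if .Values.externalAuth.pam.enabled }}` with `PAM_ENABLED: "true"`, or reference the root context inside the block, `{{- with $.Values.externalAuth.pam.email_domain }}`. A render in the lint job with `externalAuth.pam.enabled=true` (and the other `externalAuth.*.enabled` flags) would have caught this and the identical `S3_ALIAS_HOST` bug earlier in the file.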
@@ -287,32 +290,32 @@ data: LDAP_HOST: {{ .Values.externalAuth.ldap.host }} LDAP_PORT: {{ .Values.externalAuth.ldap.port }} LDAP_METHOD: {{ .Values.externalAuth.ldap.method }} - {{- if .Values.externalAuth.ldap.base }} - LDAP_BASE: {{ .Values.externalAuth.ldap.base }} + {{- with .Values.externalAuth.ldap.base }} + LDAP_BASE: {{ . }} {{- end }} - {{- if .Values.externalAuth.ldap.bind_on }} - LDAP_BIND_ON: {{ .Values.externalAuth.ldap.bind_on }} + {{- with .Values.externalAuth.ldap.bind_on }} + LDAP_BIND_ON: {{ . }} {{- end }} - {{- if .Values.externalAuth.ldap.password }} - LDAP_PASSWORD: {{ .Values.externalAuth.ldap.password }} + {{- with .Values.externalAuth.ldap.password }} + LDAP_PASSWORD: {{ . }} {{- end }} - {{- if .Values.externalAuth.ldap.uid }} - LDAP_UID: {{ .Values.externalAuth.ldap.uid }} + {{- with .Values.externalAuth.ldap.uid }} + LDAP_UID: {{ . }} {{- end }} - {{- if .Values.externalAuth.ldap.mail }} - LDAP_MAIL: {{ .Values.externalAuth.ldap.mail }} + {{- with .Values.externalAuth.ldap.mail }} + LDAP_MAIL: {{ . }} {{- end }} - {{- if .Values.externalAuth.ldap.search_filter }} - LDAP_SEARCH_FILTER: {{ .Values.externalAuth.ldap.search_filter }} + {{- with .Values.externalAuth.ldap.search_filter }} + LDAP_SEARCH_FILTER: {{ . }} {{- end }} - {{- if .Values.externalAuth.ldap.uid_conversion.enabled }} - LDAP_UID_CONVERSION_ENABLED: {{ .Values.externalAuth.ldap.uid_conversion.enabled | quote }} + {{- with .Values.externalAuth.ldap.uid_conversion.enabled }} + LDAP_UID_CONVERSION_ENABLED: {{ . | quote }} {{- end }} - {{- if .Values.externalAuth.ldap.uid_conversion.search }} - LDAP_UID_CONVERSION_SEARCH: {{ .Values.externalAuth.ldap.uid_conversion.search }} + {{- with .Values.externalAuth.ldap.uid_conversion.search }} + LDAP_UID_CONVERSION_SEARCH: {{ . 
}} {{- end }} - {{- if .Values.externalAuth.ldap.uid_conversion.replace }} - LDAP_UID_CONVERSION_REPLACE: {{ .Values.externalAuth.ldap.uid_conversion.replace }} + {{- with .Values.externalAuth.ldap.uid_conversion.replace }} + LDAP_UID_CONVERSION_REPLACE: {{ . }} {{- end }} {{- end }} {{- with .Values.mastodon.metrics.statsd.address }} diff --git a/templates/cronjob-media-remove.yaml b/templates/cronjob-media-remove.yaml index 41f1feb..d70afeb 100644 --- a/templates/cronjob-media-remove.yaml +++ b/templates/cronjob-media-remove.yaml @@ -67,6 +67,18 @@ spec: key: redis-password - name: "PORT" value: {{ .Values.mastodon.web.port | quote }} + {{- if (and .Values.mastodon.s3.enabled .Values.mastodon.s3.existingSecret) }} + - name: "AWS_SECRET_ACCESS_KEY" + valueFrom: + secretKeyRef: + name: {{ .Values.mastodon.s3.existingSecret }} + key: AWS_SECRET_ACCESS_KEY + - name: "AWS_ACCESS_KEY_ID" + valueFrom: + secretKeyRef: + name: {{ .Values.mastodon.s3.existingSecret }} + key: AWS_ACCESS_KEY_ID + {{- end }} {{- if (not .Values.mastodon.s3.enabled) }} volumeMounts: - name: assets diff --git a/templates/deployment-sidekiq.yaml b/templates/deployment-sidekiq.yaml index 94af99b..a03019e 100644 --- a/templates/deployment-sidekiq.yaml +++ b/templates/deployment-sidekiq.yaml 
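Review bot: `LDAP_PASSWORD: {{ . }}` writes the directory bind password, unquoted, into the `-env` ConfigMap; besides being readable by anyone with ConfigMap access it will break or change type if the password looks like a number/boolean or contains `: ` or `#`. At minimum use `{{ . | quote }}`; better, move it into the chart Secret that the deployments already load via `secretRef` (`mastodon.secretName`), or offer an `externalAuth.ldap.existingSecret` mirroring `mastodon.smtp.existingSecret`. The cronjob hunk below correctly sources the S3 keys from `mastodon.s3.existingSecret`; the same pattern is the model here.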
@@ -1,117 +1,121 @@ +{{- $context := . }} +{{- range .Values.mastodon.sidekiq.workers }} +--- apiVersion: apps/v1 kind: Deployment metadata: - name: {{ include "mastodon.fullname" . }}-sidekiq + name: {{ include "mastodon.fullname" $context }}-sidekiq-{{ .name }} labels: - {{- include "mastodon.labels" . | nindent 4 }} + {{- include "mastodon.labels" $context | nindent 4 }} + app.kubernetes.io/component: sidekiq-{{ .name }} + app.kubernetes.io/part-of: rails spec: - {{- if not .Values.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} + {{- if (has "scheduler" .queues) }} + {{- if (gt (int .replicas) 1) }} + {{ fail "The scheduler queue should never have more than 1 replicas" }} + {{- end }} + strategy: + type: Recreate {{- end }} + replicas: {{ .replicas }} selector: matchLabels: - {{- include "mastodon.selectorLabels" . | nindent 6 }} - app.kubernetes.io/component: sidekiq + {{- include "mastodon.selectorLabels" $context | nindent 6 }} + app.kubernetes.io/component: sidekiq-{{ .name }} app.kubernetes.io/part-of: rails template: metadata: annotations: - {{- with .Values.podAnnotations }} + {{- with $context.Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} # roll the pods to pick up any db migrations or other changes - {{- include "mastodon.rollingPodAnnotations" . | nindent 8 }} + {{- include "mastodon.rollingPodAnnotations" $context | nindent 8 }} labels: - {{- include "mastodon.selectorLabels" . | nindent 8 }} - app.kubernetes.io/component: sidekiq + {{- include "mastodon.selectorLabels" $context | nindent 8 }} + app.kubernetes.io/component: sidekiq-{{ .name }} app.kubernetes.io/part-of: rails spec: - {{- with .Values.imagePullSecrets }} + {{- with $context.Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} - serviceAccountName: {{ include "mastodon.serviceAccountName" . 
}} - {{- with .Values.podSecurityContext }} + serviceAccountName: {{ include "mastodon.serviceAccountName" $context }} + {{- with (default $context.Values.podSecurityContext $context.Values.mastodon.sidekiq.podSecurityContext) }} securityContext: {{- toYaml . | nindent 8 }} {{- end }} - {{- if (not .Values.mastodon.s3.enabled) }} - # ensure we run on the same node as the other rails components; only - # required when using PVCs that are ReadWriteOnce - {{- if or (eq "ReadWriteOnce" .Values.mastodon.persistence.assets.accessMode) (eq "ReadWriteOnce" .Values.mastodon.persistence.system.accessMode) }} + {{- with (default (default $context.Values.affinity $context.Values.mastodon.sidekiq.affinity) .affinity) }} affinity: - podAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: app.kubernetes.io/part-of - operator: In - values: - - rails - topologyKey: kubernetes.io/hostname + {{- toYaml . | nindent 8 }} {{- end }} + {{- if (not $context.Values.mastodon.s3.enabled) }} volumes: - name: assets persistentVolumeClaim: - claimName: {{ template "mastodon.fullname" . }}-assets + claimName: {{ template "mastodon.fullname" $context }}-assets - name: system persistentVolumeClaim: - claimName: {{ template "mastodon.fullname" . 
}}-system + claimName: {{ template "mastodon.fullname" $context }}-system {{- end }} containers: - - name: {{ .Chart.Name }} + - name: {{ $context.Chart.Name }} securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- toYaml $context.Values.mastodon.sidekiq.securityContext | nindent 12 }} + image: "{{ $context.Values.image.repository }}:{{ $context.Values.image.tag | default $context.Chart.AppVersion }}" + imagePullPolicy: {{ $context.Values.image.pullPolicy }} command: - bundle - exec - sidekiq - -c - - {{ .Values.mastodon.sidekiq.concurrency | quote }} + - {{ .concurrency | quote }} + {{- range .queues }} + - -q + - {{ . | quote }} + {{- end }} envFrom: - configMapRef: - name: {{ include "mastodon.fullname" . }}-env + name: {{ include "mastodon.fullname" $context }}-env - secretRef: - name: {{ template "mastodon.secretName" . }} + name: {{ template "mastodon.secretName" $context }} env: - name: "DB_PASS" valueFrom: secretKeyRef: - name: {{ template "mastodon.postgresql.secretName" . }} + name: {{ template "mastodon.postgresql.secretName" $context }} key: password - name: "REDIS_PASSWORD" valueFrom: secretKeyRef: - name: {{ template "mastodon.redis.secretName" . 
}} + name: {{ template "mastodon.redis.secretName" $context }} key: redis-password - {{- if (and .Values.mastodon.s3.enabled .Values.mastodon.s3.existingSecret) }} + {{- if (and $context.Values.mastodon.s3.enabled $context.Values.mastodon.s3.existingSecret) }} - name: "AWS_SECRET_ACCESS_KEY" valueFrom: secretKeyRef: - name: {{ .Values.mastodon.s3.existingSecret }} + name: {{ $context.Values.mastodon.s3.existingSecret }} key: AWS_SECRET_ACCESS_KEY - name: "AWS_ACCESS_KEY_ID" valueFrom: secretKeyRef: - name: {{ .Values.mastodon.s3.existingSecret }} + name: {{ $context.Values.mastodon.s3.existingSecret }} key: AWS_ACCESS_KEY_ID {{- end }} - {{- if .Values.mastodon.smtp.existingSecret }} + {{- if $context.Values.mastodon.smtp.existingSecret }} - name: "SMTP_LOGIN" valueFrom: secretKeyRef: - name: {{ .Values.mastodon.smtp.existingSecret }} + name: {{ $context.Values.mastodon.smtp.existingSecret }} key: login optional: true - name: "SMTP_PASSWORD" valueFrom: secretKeyRef: - name: {{ .Values.mastodon.smtp.existingSecret }} + name: {{ $context.Values.mastodon.smtp.existingSecret }} key: password {{- end }} - {{- if (not .Values.mastodon.s3.enabled) }} + {{- if (not $context.Values.mastodon.s3.enabled) }} volumeMounts: - name: assets mountPath: /opt/mastodon/public/assets @@ -119,12 +123,13 @@ spec: mountPath: /opt/mastodon/public/system {{- end }} resources: - {{- toYaml .Values.resources | nindent 12 }} - {{- with .Values.nodeSelector }} + {{- toYaml (default (default $context.Values.resources $context.Values.mastodon.sidekiq.resources) .resources) | nindent 12 }} + {{- with $context.Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.tolerations }} + {{- with $context.Values.tolerations }} tolerations: {{- toYaml . | nindent 8 }} {{- end }} +{{- end }} diff --git a/templates/deployment-streaming.yaml b/templates/deployment-streaming.yaml index 5d56576..dd80404 100644 --- a/templates/deployment-streaming.yaml 
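Review bot: The sidekiq container loses its global hardening: `{{- toYaml $context.Values.mastodon.sidekiq.securityContext | nindent 12 }}` replaces the old `.Values.securityContext` with no fallback (unlike `podSecurityContext` two lines up, and unlike web/streaming which use `default`), so with `mastodon.sidekiq.securityContext` unset it renders `securityContext: null` and any global `runAsNonRoot`/dropped capabilities/`readOnlyRootFilesystem` silently stop applying to the workers that fetch remote media. Use `{{- with (default $context.Values.securityContext $context.Values.mastodon.sidekiq.securityContext) }}` / `securityContext:` / `{{- toYaml . | nindent 12 }}` for parity. Note also that affinity is now read from `.Values.affinity`, `mastodon.sidekiq.affinity` or the worker's `.affinity`, so the README example added in this patch (a top-level `podAffinity:` key) has no effect unless nested under `affinity:`. The `range` over workers opened at the top of this hunk closes in the next one.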
+++ b/templates/deployment-streaming.yaml @@ -5,9 +5,7 @@ metadata: labels: {{- include "mastodon.labels" . | nindent 4 }} spec: - {{- if not .Values.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} - {{- end }} + replicas: {{ .Values.mastodon.streaming.replicas }} selector: matchLabels: {{- include "mastodon.selectorLabels" . | nindent 6 }} @@ -15,7 +13,7 @@ spec: template: metadata: annotations: - {{- with .Values.podAnnotations }} + {{- with (default .Values.podAnnotations .Values.mastodon.streaming.podAnnotations) }} {{- toYaml . | nindent 8 }} {{- end }} # roll the pods to pick up any db migrations or other changes @@ -29,13 +27,13 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} serviceAccountName: {{ include "mastodon.serviceAccountName" . }} - {{- with .Values.podSecurityContext }} + {{- with (default .Values.podSecurityContext .Values.mastodon.streaming.podSecurityContext) }} securityContext: {{- toYaml . | nindent 8 }} {{- end }} containers: - - name: {{ .Chart.Name }} - {{- with .Values.securityContext }} + - name: {{ .Chart.Name }}-streaming + {{- with (default .Values.securityContext .Values.mastodon.streaming.securityContext) }} securityContext: {{- toYaml . | nindent 12 }} {{- end }} @@ -72,7 +70,7 @@ spec: httpGet: path: /api/v1/streaming/health port: streaming - {{- with .Values.resources }} + {{- with (default .Values.resources .Values.mastodon.streaming.resources) }} resources: {{- toYaml . | nindent 12 }} {{- end }} @@ -80,7 +78,7 @@ spec: nodeSelector: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.affinity }} + {{- with (default .Values.affinity .Values.mastodon.streaming.affinity) }} affinity: {{- toYaml . | nindent 8 }} {{- end }} diff --git a/templates/deployment-web.yaml b/templates/deployment-web.yaml index ec67481..c1ec232 100644 --- a/templates/deployment-web.yaml +++ b/templates/deployment-web.yaml 
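Review bot: The `default .Values.securityContext .Values.mastodon.streaming.securityContext` override is whole-map replacement, not a merge: setting any key under `mastodon.streaming.securityContext` (or `podSecurityContext`) discards the global map entirely, so hardening fields set globally must be repeated per component or they silently disappear. Add a comment next to the new values keys, e.g. `# Replaces (does not merge with) the top-level securityContext`, or merge with `mergeOverwrite` if that is the intent. Renaming the container to `{{ .Chart.Name }}-streaming` also invalidates anything keyed on the old container name (`kubectl exec -c`, admission policies, metrics relabeling); worth a line in the 4.0.0 notes.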
@@ -5,9 +5,7 @@ metadata: labels: {{- include "mastodon.labels" . | nindent 4 }} spec: - {{- if not .Values.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} - {{- end }} + replicas: {{ .Values.mastodon.web.replicas }} selector: matchLabels: {{- include "mastodon.selectorLabels" . | nindent 6 }} @@ -16,7 +14,7 @@ spec: template: metadata: annotations: - {{- with .Values.podAnnotations }} + {{- with (default .Values.podAnnotations .Values.mastodon.web.podAnnotations) }} {{- toYaml . | nindent 8 }} {{- end }} # roll the pods to pick up any db migrations or other changes @@ -31,7 +29,7 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} serviceAccountName: {{ include "mastodon.serviceAccountName" . }} - {{- with .Values.podSecurityContext }} + {{- with (default .Values.podSecurityContext .Values.mastodon.web.podSecurityContext) }} securityContext: {{- toYaml . | nindent 8 }} {{- end }} @@ -45,8 +43,8 @@ spec: claimName: {{ template "mastodon.fullname" . }}-system {{- end }} containers: - - name: {{ .Chart.Name }} - {{- with .Values.securityContext }} + - name: {{ .Chart.Name }}-web + {{- with (default .Values.securityContext .Values.mastodon.web.securityContext) }} securityContext: {{- toYaml . | nindent 12 }} {{- end }} @@ -112,7 +110,7 @@ spec: port: http failureThreshold: 30 periodSeconds: 5 - {{- with .Values.resources }} + {{- with (default .Values.resources .Values.mastodon.web.resources) }} resources: {{- toYaml . | nindent 12 }} {{- end }} @@ -120,7 +118,7 @@ spec: nodeSelector: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.affinity }} + {{- with (default .Values.affinity .Values.mastodon.web.affinity) }} affinity: {{- toYaml . | nindent 8 }} {{- end }} diff --git a/templates/hpa.yaml b/templates/hpa.yaml deleted file mode 100644 index b23b2cb..0000000 --- a/templates/hpa.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -{{- if .Values.autoscaling.enabled -}} -apiVersion: autoscaling/v2beta1 -kind: HorizontalPodAutoscaler -metadata: - name: {{ include "mastodon.fullname" . }} - labels: - {{- include "mastodon.labels" . | nindent 4 }} -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{ include "mastodon.fullname" . }} - minReplicas: {{ .Values.autoscaling.minReplicas }} - maxReplicas: {{ .Values.autoscaling.maxReplicas }} - metrics: - {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} - - type: Resource - resource: - name: cpu - targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} - {{- end }} - {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} - - type: Resource - resource: - name: memory - targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} - {{- end }} -{{- end }} diff --git a/templates/job-create-admin.yaml b/templates/job-create-admin.yaml index f28cdab..3d137f5 100644 --- a/templates/job-create-admin.yaml +++ b/templates/job-create-admin.yaml @@ -55,7 +55,7 @@ spec: - {{ .Values.mastodon.createAdmin.email }} - --confirmed - --role - - admin + - Owner envFrom: - configMapRef: name: {{ include "mastodon.fullname" . }}-env diff --git a/templates/tests/test-connection.yaml b/templates/tests/test-connection.yaml index 09d9816..185c037 100644 --- a/templates/tests/test-connection.yaml +++ b/templates/tests/test-connection.yaml @@ -11,5 +11,5 @@ spec: - name: wget image: busybox command: ['wget'] - args: ['{{ include "mastodon.fullname" . }}:{{ .Values.service.port }}'] + args: ['{{ include "mastodon.fullname" . }}-web:{{ .Values.service.port }}'] restartPolicy: Never diff --git a/values.yaml b/values.yaml index 988c1d8..0b926b8 100644 --- a/values.yaml +++ b/values.yaml @@ -1,5 +1,3 @@ -replicaCount: 1 - image: repository: tootsuite/mastodon # https://hub.docker.com/r/tootsuite/mastodon/tags 
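Review bot: Hard-coding `Owner` as the `--role` argument in job-create-admin.yaml ties the chart to Mastodon releases that ship the custom-roles model; with an image tag from before that change the job presumably fails on the unknown role and no admin is created (the default tag lives in values.yaml outside this hunk, so I can't confirm which version it targets). Making the role a value, `- {{ .Values.mastodon.createAdmin.role | default "Owner" }}`, keeps the new default while letting operators pin the legacy `admin` role or a less-privileged custom role. A one-line comment on the values key noting that `Owner` is the highest-privilege role would help reviewers of a deployment understand what the job grants.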
@@ -13,28 +11,36 @@ image: pullPolicy: IfNotPresent mastodon: - # create an initial administrator user; the password is autogenerated and will + # -- create an initial administrator user; the password is autogenerated and will # have to be reset createAdmin: + # @ignored enabled: false + # @ignored username: not_gargron + # @ignored email: not@example.com cron: - # run `tootctl media remove` every week + # -- run `tootctl media remove` every week removeMedia: + # @ignored enabled: true + # @ignored schedule: "0 0 * * 0" - # available locales: https://github.com/mastodon/mastodon/blob/main/config/application.rb#L71 + # -- available locales: https://github.com/mastodon/mastodon/blob/main/config/application.rb#L71 locale: en local_domain: mastodon.local - # Use of WEB_DOMAIN requires careful consideration: https://docs.joinmastodon.org/admin/config/#federation + # -- Use of WEB_DOMAIN requires careful consideration: https://docs.joinmastodon.org/admin/config/#federation # You must redirect the path LOCAL_DOMAIN/.well-known/ to WEB_DOMAIN/.well-known/ as described - # web_domain: mastodon.example.com - # If set to true, the frontpage of your Mastodon server will always redirect to the first profile in the database and registrations will be disabled. + # Example: mastodon.example.com + web_domain: null + # -- If set to true, the frontpage of your Mastodon server will always redirect to the first profile in the database and registrations will be disabled. singleUserMode: false + # -- Enables "Secure Mode" for more details see: https://docs.joinmastodon.org/admin/config/#authorized_fetch + authorizedFetch: false persistence: assets: - # ReadWriteOnce is more widely supported than ReadWriteMany, but limits + # -- ReadWriteOnce is more widely supported than ReadWriteMany, but limits # scalability, since it requires the Rails and Sidekiq pods to run on the # same node. accessMode: ReadWriteOnce 
@@ -50,14 +56,14 @@ mastodon: enabled: false access_key: "" access_secret: "" - # you can also specify the name of an existing Secret + # -- you can also specify the name of an existing Secret # with keys AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY existingSecret: "" bucket: "" - endpoint: https://us-east-1.linodeobjects.com - hostname: us-east-1.linodeobjects.com + endpoint: "" + hostname: "" region: "" - # If you have a caching proxy, enter its base URL here. + # -- If you have a caching proxy, enter its base URL here. alias_host: "" # these must be set manually; autogenerated keys are rotated on each upgrade secrets: 
@@ -66,12 +72,61 @@ mastodon: vapid: private_key: "" public_key: "" - # you can also specify the name of an existing Secret + # -- you can also specify the name of an existing Secret # with keys SECRET_KEY_BASE and OTP_SECRET and # VAPID_PRIVATE_KEY and VAPID_PUBLIC_KEY existingSecret: "" sidekiq: - concurrency: 25 + # -- Pod security context for all Sidekiq Pods, overwrites .Values.podSecurityContext + podSecurityContext: {} + # -- (Sidekiq Container) Security Context for all Pods, overwrites .Values.securityContext + securityContext: {} + # -- Resources for all Sidekiq Deployments unless overwritten + resources: {} + # -- Affinity for all Sidekiq Deployments unless overwritten, overwrites .Values.affinity + affinity: {} + # limits: + # cpu: "1" + # memory: 768Mi + # requests: + # cpu: 250m + # memory: 512Mi + workers: + - name: all-queues + # -- Number of threads / parallel sidekiq jobs that are executed per Pod + concurrency: 25 + # -- Number of Pod replicas deployed by the Deployment + replicas: 1 + # -- Resources for this specific deployment to allow optimised scaling, overwrites .Values.mastodon.sidekiq.resources + resources: {} + # -- Affinity for this specific deployment, overwrites .Values.affinity and .Values.mastodon.sidekiq.affinity + affinity: {} + # -- Sidekiq queues for Mastodon that are handled by this worker. See https://docs.joinmastodon.org/admin/scaling/#concurrency + # See https://github.com/mperham/sidekiq/wiki/Advanced-Options#queues for how to weight queues as argument + queues: + - default,8 + - push,6 + - ingress,4 + - mailers,2 + - pull + - scheduler # Make sure the scheduler queue only exists once and with a worker that has 1 replica. 
+ #- name: push-pull + # concurrency: 50 + # resources: {} + # replicas: 2 + # queues: + # - push + # - pull + #- name: mailers + # concurrency: 25 + # replicas: 2 + # queues: + # - mailers + #- name: default + # concurrency: 25 + # replicas: 2 + # queues: + # - default smtp: auth_method: plain ca_file: /etc/ssl/certs/ca-certificates.crt 
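Review bot: The comment on the `scheduler` queue asks operators to keep it on exactly one worker with one replica, but nothing enforces the "exactly one worker" half: the sidekiq deployment template (seen in a later hunk) only rejects `replicas > 1` for a worker that lists `scheduler`, so two workers both listing it would both run Mastodon's periodic jobs. A short `range` over `.Values.mastodon.sidekiq.workers` counting entries whose `.queues` has `scheduler`, followed by `{{ fail "the scheduler queue must be configured on exactly one sidekiq worker" }}` when the count is not 1, would catch that at render time. The commented `push-pull`/`mailers`/`default` examples should also say they are meant to replace the matching entries in `all-queues`, since uncommenting them as-is leaves those queues served twice.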
@@ -86,24 +141,56 @@ mastodon: tls: false login: password: - # you can also specify the name of an existing Secret + # -- you can also specify the name of an existing Secret # with the keys login and password existingSecret: streaming: port: 4000 - # this should be set manually since os.cpus() returns the number of CPUs on + # -- this should be set manually since os.cpus() returns the number of CPUs on # the node running the pod, which is unrelated to the resources allocated to # the pod by k8s workers: 1 - # The base url for streaming can be set if the streaming API is deployed to + # -- The base url for streaming can be set if the streaming API is deployed to # a different domain/subdomain. - # base_url: wws://streaming.example.com + base_url: null + # -- Number of Streaming Pods running + replicas: 1 + # -- Affinity for Streaming Pods, overwrites .Values.affinity + affinity: {} + # -- Pod Security Context for Streaming Pods, overwrites .Values.podSecurityContext + podSecurityContext: {} + # -- (Streaming Container) Security Context for Streaming Pods, overwrites .Values.securityContext + securityContext: {} + # -- (Streaming Container) Resources for Streaming Pods, overwrites .Values.resources + resources: {} + # limits: + # cpu: "500m" + # memory: 512Mi + # requests: + # cpu: 250m + # memory: 128Mi web: port: 3000 + # -- Number of Web Pods running + replicas: 1 + # -- Affinity for Web Pods, overwrites .Values.affinity + affinity: {} + # -- Pod Security Context for Web Pods, overwrites .Values.podSecurityContext + podSecurityContext: {} + # -- (Web Container) Security Context for Web Pods, overwrites .Values.securityContext + securityContext: {} + # -- (Web Container) Resources for Web Pods, overwrites .Values.resources + resources: {} + # limits: + # cpu: "1" + # memory: 1280Mi + # requests: + # cpu: 250m + # memory: 768Mi metrics: statsd: - # Enable statsd publishing via STATSD_ADDR environment variable + # -- Enable statsd publishing via STATSD_ADDR 
environment variable address: "" ingress: @@ -121,7 +208,7 @@ ingress: # nginx.ingress.kubernetes.io/proxy-body-size: 40m # for the NGINX ingress controller: # nginx.org/client-max-body-size: 40m - # you can specify the ingressClassName if it differs from the default + # -- you can specify the ingressClassName if it differs from the default ingressClassName: hosts: - host: mastodon.local @@ -132,20 +219,22 @@ ingress: hosts: - mastodon.local -# https://github.com/bitnami/charts/tree/master/bitnami/elasticsearch#parameters +# -- https://github.com/bitnami/charts/tree/master/bitnami/elasticsearch#parameters elasticsearch: # `false` will disable full-text search # # if you enable ES after the initial install, you will need to manually run # RAILS_ENV=production bundle exec rake chewy:sync # (https://docs.joinmastodon.org/admin/optional/elasticsearch/) + # @ignored enabled: true + # @ignored image: tag: 7 # https://github.com/bitnami/charts/tree/master/bitnami/postgresql#parameters postgresql: - # disable if you want to use an existing db; in which case the values below + # -- disable if you want to use an existing db; in which case the values below # must match those of that external postgres instance enabled: true # postgresqlHostname: preexisting-postgresql @@ -172,7 +261,7 @@ redis: enabled: true hostname: "" port: 6379 - # you must set a password; the password generated by the redis chart will be + # -- you must set a password; the password generated by the redis chart will be # rotated on each upgrade: password: "" # you can also specify the name of an existing Secret @@ -180,13 +269,14 @@ redis: # auth: # existingSecret: "" +# @ignored service: type: ClusterIP port: 80 externalAuth: oidc: - # OpenID Connect support is proposed in PR #16221 and awaiting merge. + # -- OpenID Connect support is proposed in PR #16221 and awaiting merge. enabled: false # display_name: "example-label" # issuer: https://login.example.space/auth/realms/example-space 
@@ -236,8 +326,8 @@ externalAuth: # verified: # verified_email: oauth_global: - # Force redirect local login to CAS. Does not function with SAML or LDAP. - oauth_redirect_at_sign_in: false + # -- Automatically redirect to OIDC, CAS or SAML, and don't use local account authentication when clicking on Sign-In + omniauth_only: false cas: enabled: false # url: https://sso.myserver.com @@ -283,7 +373,7 @@ externalAuth: # search: "., -" # replace: _ -# https://github.com/mastodon/mastodon/blob/main/Dockerfile#L75 +# -- https://github.com/mastodon/mastodon/blob/main/Dockerfile#L75 # # if you manually change the UID/GID environment variables, ensure these values # match: 
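Review bot: Renaming `oauth_global.oauth_redirect_at_sign_in` to `omniauth_only` leaves no guard for operators who upgrade with the old key still in their values: Helm ignores unknown keys, so a deployment that previously forced SSO would silently fall back to `omniauth_only: false` and re-enable local password login. Because this is an authentication control, the template that consumes it (not in this diff) should refuse the stale key, e.g. `{{- if hasKey .Values.externalAuth.oauth_global "oauth_redirect_at_sign_in" }}{{ fail "externalAuth.oauth_global.oauth_redirect_at_sign_in was renamed to omniauth_only" }}{{- end }}`, and the rename deserves a line in the README.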
@@ -292,25 +382,27 @@ podSecurityContext: runAsGroup: 991 fsGroup: 991 +# @ignored securityContext: {} serviceAccount: - # Specifies whether a service account should be created + # -- Specifies whether a service account should be created create: true - # Annotations to add to the service account + # -- Annotations to add to the service account annotations: {} - # The name of the service account to use. + # -- The name of the service account to use. # If not set and create is true, a name is generated using the fullname template name: "" -# Kubernetes manages pods for jobs and pods for deployments differently, so you might +# -- Kubernetes manages pods for jobs and pods for deployments differently, so you might # need to apply different annotations to the two different sets of pods. The annotations # set with podAnnotations will be added to all deployment-managed pods. podAnnotations: {} -# The annotations set with jobAnnotations will be added to all job pods. +# -- The annotations set with jobAnnotations will be added to all job pods. jobAnnotations: {} +# -- Default resources for all Deployments and jobs unless overwritten resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little @@ -323,15 +415,11 @@ resources: {} # cpu: 100m # memory: 128Mi -autoscaling: - enabled: false - minReplicas: 1 - maxReplicas: 100 - targetCPUUtilizationPercentage: 80 - # targetMemoryUtilizationPercentage: 80 - +# @ignored nodeSelector: {} +# @ignored tolerations: [] +# -- Affinity for all pods unless overwritten affinity: {} From 890042fed803979227ff7ee92ce4e12752955af7 Mon Sep 17 00:00:00 2001 From: Roberto Santalla Date: Fri, 27 Jan 2023 21:57:49 +0100 Subject: [PATCH 03/17] allow to opt-out from `rollme` annotation --- templates/_helpers.tpl | 2 ++ values.yaml | 6 +++++- 2 files changed, 7 insertions(+), 1 deletion(-) 
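Review bot: The chart-wide container `securityContext: {}` that this hunk marks `@ignored` means every Mastodon container runs with Kubernetes defaults (privilege escalation allowed, default capability set) unless each operator hardens it, while the pod-level context already pins the 991 group and `fsGroup`. A hardened default such as `securityContext: {allowPrivilegeEscalation: false, capabilities: {drop: [ALL]}, runAsNonRoot: true}` should be safe for a non-root Rails/Node process listening on unprivileged ports, and the per-component overrides introduced in this commit let an operator relax it where needed; `readOnlyRootFilesystem` is worth testing against the image before adding it. If the default is left empty, the comment above it should at least say what an operator is expected to set.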
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 0e1804f..016dfb3 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -55,7 +55,9 @@ app.kubernetes.io/instance: {{ .Release.Name }} Rolling pod annotations */}} {{- define "mastodon.rollingPodAnnotations" -}} +{{- if .Values.revisionPodAnnotation }} rollme: {{ .Release.Revision | quote }} +{{- end }} checksum/config-secrets: {{ include ( print $.Template.BasePath "/secrets.yaml" ) . | sha256sum | quote }} checksum/config-configmap: {{ include ( print $.Template.BasePath "/configmap-env.yaml" ) . | sha256sum | quote }} {{- end }} diff --git a/values.yaml b/values.yaml index 0b926b8..63eec7b 100644 --- a/values.yaml +++ b/values.yaml @@ -399,7 +399,11 @@ serviceAccount: # set with podAnnotations will be added to all deployment-managed pods. podAnnotations: {} -# -- The annotations set with jobAnnotations will be added to all job pods. +# If set to true, an annotation with the current chart release number will be added to all mastodon pods. This will +# cause all pods to be recreated every `helm upgrade` regardless of whether their config or spec changes. +revisionPodAnnotation: true + +# The annotations set with jobAnnotations will be added to all job pods. jobAnnotations: {} # -- Default resources for all Deployments and jobs unless overwritten From aa4cd09550a21ec3c7f0cb7a29ba75f92b76f146 Mon Sep 17 00:00:00 2001 From: Roberto Santalla Date: Fri, 27 Jan 2023 21:56:23 +0100 Subject: [PATCH 04/17] fix location of redis password placeholder --- values.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/values.yaml b/values.yaml index 63eec7b..7bdcd61 100644 --- a/values.yaml +++ b/values.yaml 
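Review bot: The values.yaml hunk drops the `# --` helm-docs marker from the `jobAnnotations` comment and adds `revisionPodAnnotation` without one, so both keys vanish from the generated README right after an earlier commit in this series converted the file to that convention; restore `# -- The annotations set with jobAnnotations will be added to all job pods.` and write `# -- If set to true, an annotation with the current chart release number will be added to all mastodon pods. ...`. The opt-out itself is sound because `rollingPodAnnotations` still emits the `checksum/config-*` annotations, but the comment should mention that with `revisionPodAnnotation: false` only `secrets.yaml` and `configmap-env.yaml` are hashed, so a rotated `existingSecret` managed outside the chart no longer triggers a rollout.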
@@ -261,12 +261,12 @@ redis: enabled: true hostname: "" port: 6379 - # -- you must set a password; the password generated by the redis chart will be - # rotated on each upgrade: - password: "" - # you can also specify the name of an existing Secret - # with a key of redis-password set to the password you want - # auth: + auth: + # -- you must set a password; the password generated by the redis chart will be + # rotated on each upgrade: + password: "" + # you can also specify the name of an existing Secret + # with a key of redis-password set to the password you want # existingSecret: "" # @ignored From a227f91a7f4018b584c68616024ad6c80fab4c38 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Radim=20Dost=C3=A1l?= Date: Thu, 29 Dec 2022 08:56:11 +0100 Subject: [PATCH 05/17] limited federation mode support --- templates/configmap-env.yaml | 3 +++ values.yaml | 2 ++ 2 files changed, 5 insertions(+) diff --git a/templates/configmap-env.yaml b/templates/configmap-env.yaml index 60efedd..2651403 100644 --- a/templates/configmap-env.yaml +++ b/templates/configmap-env.yaml @@ -31,6 +31,9 @@ data: {{- with .Values.mastodon.authorizedFetch }} AUTHORIZED_FETCH: {{ . | quote }} {{- end }} + {{- with .Values.mastodon.limitedFederationMode }} + LIMITED_FEDERATION_MODE: {{ . | quote }} + {{- end }} # https://devcenter.heroku.com/articles/tuning-glibc-memory-behavior MALLOC_ARENA_MAX: "2" NODE_ENV: "production" diff --git a/values.yaml b/values.yaml index 7bdcd61..9e7c283 100644 --- a/values.yaml +++ b/values.yaml @@ -38,6 +38,8 @@ mastodon: singleUserMode: false # -- Enables "Secure Mode" for more details see: https://docs.joinmastodon.org/admin/config/#authorized_fetch authorizedFetch: false + # -- Enables "Limited Federation Mode" for more detauls see: https://docs.joinmastodon.org/admin/config/#limited_federation_mode + limitedFederationMode: false persistence: assets: # -- ReadWriteOnce is more widely supported than ReadWriteMany, but limits 
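Review bot: Moving `password` under `redis.auth` fixes the path the bundled chart reads, but the chart still relies on the comment "you must set a password" instead of enforcing it; with `auth.password: ""` and no `existingSecret`, the comment itself says the bundled redis chart generates a password that is rotated on each upgrade, which presumably leaves the web and sidekiq pods unable to authenticate after the next `helm upgrade`. A `required` in the template that builds the redis secret reference (not in this diff), e.g. `{{ required "redis.auth.password or redis.auth.existingSecret must be set" (or .Values.redis.auth.password .Values.redis.auth.existingSecret) }}`, turns that into an install-time error. Leaving `existingSecret` commented out also hides the `redis-password` key contract; uncommenting it as `existingSecret: ""` makes it discoverable by helm-docs.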
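Review bot: The comment added for `limitedFederationMode` has a typo (`detauls` → `details`), and it should say how the flag relates to `authorizedFetch` directly above it — if I recall the linked documentation correctly, limited federation mode also implies authorized fetch, which is worth confirming and stating so operators don't think the two are independent. Suggested text: `# -- Enables "Limited Federation Mode" (also enforces authorized fetch); for more details see: https://docs.joinmastodon.org/admin/config/#limited_federation_mode`. The configmap change only emits `LIMITED_FEDERATION_MODE` when the value is truthy, which matches the off-by-default `authorizedFetch` handling just above it.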
From 61194296afa8dac0047071bfccedde309ecf7f03 Mon Sep 17 00:00:00 2001 From: Effy Elden Date: Fri, 9 Dec 2022 17:12:31 +1100 Subject: [PATCH 06/17] allow custom S3_PERMISSION env --- templates/configmap-env.yaml | 3 +++ values.yaml | 1 + 2 files changed, 4 insertions(+) diff --git a/templates/configmap-env.yaml b/templates/configmap-env.yaml index 2651403..804d453 100644 --- a/templates/configmap-env.yaml +++ b/templates/configmap-env.yaml @@ -50,6 +50,9 @@ data: S3_ENDPOINT: {{ .Values.mastodon.s3.endpoint }} S3_HOSTNAME: {{ .Values.mastodon.s3.hostname }} S3_PROTOCOL: "https" + {{- if .Values.mastodon.s3.permission }} + S3_PERMISSION: {{ .Values.mastodon.s3.permission }} + {{- end }} {{- with .Values.mastodon.s3.region }} S3_REGION: {{ . }} {{- end }} diff --git a/values.yaml b/values.yaml index 9e7c283..a1785fa 100644 --- a/values.yaml +++ b/values.yaml @@ -65,6 +65,7 @@ mastodon: endpoint: "" hostname: "" region: "" + permission: "" # -- If you have a caching proxy, enter its base URL here. alias_host: "" # these must be set manually; autogenerated keys are rotated on each upgrade From f5e3c27ab6ab1c92136a3c64f1bbdc1ea40ec595 Mon Sep 17 00:00:00 2001 From: Jim Myhrberg Date: Mon, 5 Dec 2022 20:49:56 +0000 Subject: [PATCH 07/17] feat(helm-chart): add values for various Puma related settings --- templates/deployment-web.yaml | 16 ++++++++++++++++ values.yaml | 6 ++++++ 2 files changed, 22 insertions(+) diff --git a/templates/deployment-web.yaml b/templates/deployment-web.yaml index c1ec232..30308e2 100644 --- a/templates/deployment-web.yaml +++ b/templates/deployment-web.yaml 
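Review bot: `S3_PERMISSION` is added correctly, but the surrounding context shows `S3_ENDPOINT` and `S3_HOSTNAME` rendered unconditionally, and an earlier values.yaml hunk in this series changed their defaults from Linode hosts to `""`; with `s3.enabled: true` and no endpoint configured the ConfigMap now carries `S3_ENDPOINT:` with a null value instead of failing the install. Wrapping both in `required`, e.g. `S3_ENDPOINT: {{ required "mastodon.s3.endpoint is required when s3 is enabled" .Values.mastodon.s3.endpoint }}`, surfaces the misconfiguration at render time. The new `permission: ""` value would also benefit from a comment naming the accepted values (presumably S3 canned ACL names such as `private`), since the commit message only says "custom".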
@@ -74,6 +74,22 @@ spec: key: redis-password - name: "PORT" value: {{ .Values.mastodon.web.port | quote }} + {{- if .Values.mastodon.web.minThreads }} + - name: "MIN_THREADS" + value: {{ .Values.mastodon.web.minThreads | quote }} + {{- end }} + {{- if .Values.mastodon.web.maxThreads }} + - name: "MAX_THREADS" + value: {{ .Values.mastodon.web.maxThreads | quote }} + {{- end }} + {{- if .Values.mastodon.web.workers }} + - name: "WEB_CONCURRENCY" + value: {{ .Values.mastodon.web.workers | quote }} + {{- end }} + {{- if .Values.mastodon.web.persistentTimeout }} + - name: "PERSISTENT_TIMEOUT" + value: {{ .Values.mastodon.web.persistentTimeout | quote }} + {{- end }} {{- if (and .Values.mastodon.s3.enabled .Values.mastodon.s3.existingSecret) }} - name: "AWS_SECRET_ACCESS_KEY" valueFrom: diff --git a/values.yaml b/values.yaml index a1785fa..16dfadf 100644 --- a/values.yaml +++ b/values.yaml @@ -190,6 +190,12 @@ mastodon: # requests: # cpu: 250m # memory: 768Mi + # -- Puma-specific options. Below values are based on default behavior in + # config/puma.rb when no custom values are provided. + minThreads: "5" + maxThreads: "5" + workers: "2" + persistentTimeout: "20" metrics: statsd: From 41152e0ed3f3248d0b77bb0d297016932f22d276 Mon Sep 17 00:00:00 2001 From: David Sanftenberg Date: Thu, 29 Dec 2022 21:47:07 +0000 Subject: [PATCH 08/17] Fix alias_host break on bad var reference (#34) --- templates/configmap-env.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/configmap-env.yaml b/templates/configmap-env.yaml index 804d453..e1b1896 100644 --- a/templates/configmap-env.yaml +++ b/templates/configmap-env.yaml @@ -57,7 +57,7 @@ data: S3_REGION: {{ . }} {{- end }} {{- with .Values.mastodon.s3.alias_host }} - S3_ALIAS_HOST: {{ .Values.mastodon.s3.alias_host}} + S3_ALIAS_HOST: {{ . }} {{- end }} {{- end }} {{- with .Values.mastodon.smtp.auth_method }} From b4302e04e6d89819da8bd7d5c9c4b30b1420b842 Mon Sep 17 00:00:00 2001 
From: Roberto Santalla Date: Fri, 27 Jan 2023 22:05:37 +0100 Subject: [PATCH 09/17] store smtp credentials on a secret --- templates/_helpers.tpl | 11 +++++++++++ templates/configmap-env.yaml | 6 ------ templates/deployment-sidekiq.yaml | 24 +++++++++++------------- templates/secret-smtp.yaml | 16 ++++++++++++++++ values.yaml | 4 ++-- 5 files changed, 40 insertions(+), 21 deletions(-) create mode 100644 templates/secret-smtp.yaml diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 016dfb3..6331a26 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -100,6 +100,17 @@ Get the mastodon secret. {{- end -}} {{- end -}} +{{/* +Get the smtp secret. +*/}} +{{- define "mastodon.smtp.secretName" -}} +{{- if .Values.mastodon.smtp.existingSecret }} + {{- printf "%s" (tpl .Values.mastodon.smtp.existingSecret $) -}} +{{- else -}} + {{- printf "%s-smtp" (include "common.names.fullname" .) -}} +{{- end -}} +{{- end -}} + {{/* Get the postgresql secret. */}} diff --git a/templates/configmap-env.yaml b/templates/configmap-env.yaml index e1b1896..54e3874 100644 --- a/templates/configmap-env.yaml +++ b/templates/configmap-env.yaml @@ -81,15 +81,9 @@ data: {{- with .Values.mastodon.smtp.from_address }} SMTP_FROM_ADDRESS: {{ . }} {{- end }} - {{- with .Values.mastodon.smtp.login }} - SMTP_LOGIN: {{ . }} - {{- end }} {{- with .Values.mastodon.smtp.openssl_verify_mode }} SMTP_OPENSSL_VERIFY_MODE: {{ . }} {{- end }} - {{- with .Values.mastodon.smtp.password }} - SMTP_PASSWORD: {{ . }} - {{- end }} {{- with .Values.mastodon.smtp.port }} SMTP_PORT: {{ . | quote }} {{- end }} diff --git a/templates/deployment-sidekiq.yaml b/templates/deployment-sidekiq.yaml index a03019e..0736ad6 100644 --- a/templates/deployment-sidekiq.yaml +++ b/templates/deployment-sidekiq.yaml 
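Review bot: `mastodon.smtp.secretName` builds its fallback name with `common.names.fullname` while the rest of the chart's resources use `mastodon.fullname`; if the two helpers ever disagree (different `fullnameOverride` handling, or `common` not being a declared dependency of this chart — Chart.yaml is outside my view), the env reference and the generated Secret name drift apart. Using `{{- printf "%s-smtp" (include "mastodon.fullname" .) -}}` here and in secret-smtp.yaml keeps naming consistent with the other templates. A one-line comment above the `define` stating that the secret must carry the keys `login` and `password` would mirror the values.yaml text for `existingSecret`.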
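Review bot: Dropping `SMTP_LOGIN`/`SMTP_PASSWORD` from the ConfigMap is the right move, but this commit's diffstat shows only deployment-sidekiq.yaml gaining the `secretKeyRef` entries; if the web or streaming pods previously read the credentials from the shared `-env` ConfigMap they now have none, which only matters if any mail is sent outside Sidekiq. Please confirm deployment-web.yaml does not need the same two env entries, or add them there for symmetry with the S3 `existingSecret` handling that already exists in both deployments.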
@@ -90,6 +90,17 @@ spec: secretKeyRef: name: {{ template "mastodon.redis.secretName" $context }} key: redis-password + - name: "SMTP_LOGIN" + valueFrom: + secretKeyRef: + name: {{ include "mastodon.smtp.secretName" $context }} + key: login + optional: true + - name: "SMTP_PASSWORD" + valueFrom: + secretKeyRef: + name: {{ include "mastodon.smtp.secretName" $context }} + key: password {{- if (and $context.Values.mastodon.s3.enabled $context.Values.mastodon.s3.existingSecret) }} - name: "AWS_SECRET_ACCESS_KEY" valueFrom: @@ -102,19 +113,6 @@ spec: name: {{ $context.Values.mastodon.s3.existingSecret }} key: AWS_ACCESS_KEY_ID {{- end }} - {{- if $context.Values.mastodon.smtp.existingSecret }} - - name: "SMTP_LOGIN" - valueFrom: - secretKeyRef: - name: {{ $context.Values.mastodon.smtp.existingSecret }} - key: login - optional: true - - name: "SMTP_PASSWORD" - valueFrom: - secretKeyRef: - name: {{ $context.Values.mastodon.smtp.existingSecret }} - key: password - {{- end }} {{- if (not $context.Values.mastodon.s3.enabled) }} volumeMounts: - name: assets diff --git a/templates/secret-smtp.yaml b/templates/secret-smtp.yaml new file mode 100644 index 0000000..98b15f3 --- /dev/null +++ b/templates/secret-smtp.yaml @@ -0,0 +1,16 @@ +{{- if not .Values.mastodon.smtp.existingSecret -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ printf "%s-smtp" (include "common.names.fullname" .) }} + labels: + {{- include "mastodon.labels" . | nindent 4 }} +type: Opaque +data: + {{- with .Values.mastodon.smtp.login }} + login: {{ . | b64enc }} + {{- end }} + {{- with .Values.mastodon.smtp.password }} + password: {{ . | b64enc }} + {{- end }} +{{- end }} diff --git a/values.yaml b/values.yaml index 16dfadf..3f65ddf 100644 --- a/values.yaml +++ b/values.yaml 
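Review bot: The new `SMTP_PASSWORD` entry references key `password` without `optional: true`, while `SMTP_LOGIN` has it; with `existingSecret` unset and `mastodon.smtp.password` empty, secret-smtp.yaml (whose `with` blocks skip empty values) renders no `password` key at all, so every Sidekiq pod sits in `CreateContainerConfigError` for a relay that needs no authentication — a regression from the ConfigMap version, which simply omitted the variable. Adding `optional: true` under the `SMTP_PASSWORD` `secretKeyRef` is the minimal fix; alternatively always emit both keys in the Secret, though that changes an absent variable into an empty one and should be checked against how Mastodon treats an empty `SMTP_PASSWORD`.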
@@ -144,8 +144,8 @@ mastodon: tls: false login: password: - # -- you can also specify the name of an existing Secret - # with the keys login and password + # -- Instead of defining login/password above, you can specify the name of an existing secret here. Login and + # password must be located in keys named `login` and `password` respectively. existingSecret: streaming: port: 4000 From 9806bbc8b1bb270e0f1d5cc951c5ce4f1077802d Mon Sep 17 00:00:00 2001 From: Roberto Santalla Date: Fri, 27 Jan 2023 22:33:49 +0100 Subject: [PATCH 10/17] add checksum for smtp secret to sidekiq deployments --- templates/deployment-sidekiq.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/templates/deployment-sidekiq.yaml b/templates/deployment-sidekiq.yaml index 0736ad6..8a0e9e8 100644 --- a/templates/deployment-sidekiq.yaml +++ b/templates/deployment-sidekiq.yaml @@ -31,6 +31,7 @@ spec: {{- end }} # roll the pods to pick up any db migrations or other changes {{- include "mastodon.rollingPodAnnotations" $context | nindent 8 }} + checksum/config-secrets: {{ include ( print $.Template.BasePath "/secret-smtp.yaml" ) $context | sha256sum | quote }} labels: {{- include "mastodon.selectorLabels" $context | nindent 8 }} app.kubernetes.io/component: sidekiq-{{ .name }} From 4fda7eea971e7dc09cbd01015444a3897551d3fe Mon Sep 17 00:00:00 2001 From: "Alexander \"Ananace\" Olofsson" Date: Fri, 17 Feb 2023 22:13:19 +0100 Subject: [PATCH 11/17] Fix and improve LDAP configuration (#3) Co-authored-by: Renaud Chaput --- templates/configmap-env.yaml | 13 ++++++++----- values.yaml | 5 +++-- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/templates/configmap-env.yaml b/templates/configmap-env.yaml index 54e3874..5c400db 100644 --- a/templates/configmap-env.yaml +++ b/templates/configmap-env.yaml 
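Review bot: The annotation added here reuses the key `checksum/config-secrets`, which `mastodon.rollingPodAnnotations` (included on the line directly above) already emits for `secrets.yaml`; duplicate keys in one YAML mapping are invalid, and whichever parser behaviour applies (last value wins or a strict-decode error), the checksum of the main secrets no longer rolls Sidekiq pods. Use a distinct key such as `checksum/config-secrets-smtp: {{ include ( print $.Template.BasePath "/secret-smtp.yaml" ) $context | sha256sum | quote }}`, and consider placing it inside the `rollingPodAnnotations` helper so any other deployment that gains the SMTP env references rolls on the same change.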
@@ -288,13 +288,16 @@ data: {{- if .Values.externalAuth.ldap.enabled }} LDAP_ENABLED: {{ .Values.externalAuth.ldap.enabled | quote }} LDAP_HOST: {{ .Values.externalAuth.ldap.host }} - LDAP_PORT: {{ .Values.externalAuth.ldap.port }} + LDAP_PORT: {{ .Values.externalAuth.ldap.port | quote }} LDAP_METHOD: {{ .Values.externalAuth.ldap.method }} - {{- with .Values.externalAuth.ldap.base }} - LDAP_BASE: {{ . }} + {{- if .Values.externalAuth.ldap.tls_no_verify }} + LDAP_TLS_NO_VERIFY: {{ .Values.externalAuth.ldap.tls_no_verify | quote }} {{- end }} - {{- with .Values.externalAuth.ldap.bind_on }} - LDAP_BIND_ON: {{ . }} + {{- if .Values.externalAuth.ldap.base }} + LDAP_BASE: {{ .Values.externalAuth.ldap.base }} + {{- end }} + {{- if .Values.externalAuth.ldap.bind_dn }} + LDAP_BIND_DN: {{ .Values.externalAuth.ldap.bind_dn }} {{- end }} {{- with .Values.externalAuth.ldap.password }} LDAP_PASSWORD: {{ . }} diff --git a/values.yaml b/values.yaml index 3f65ddf..10c7785 100644 --- a/values.yaml +++ b/values.yaml @@ -369,10 +369,11 @@ externalAuth: ldap: enabled: false # host: myservice.namespace.svc - # port: 389 + # port: 636 # method: simple_tls + # tls_no_verify: true # base: - # bind_on: + # bind_dn: # password: # uid: cn # mail: mail From 6e6f8a36d10c374bb042b13cc416e906f2d2b636 Mon Sep 17 00:00:00 2001 From: Varac Date: Fri, 17 Feb 2023 17:26:34 +0100 Subject: [PATCH 12/17] Fix streaming route Until now, only /api/v1/streaming/ was routed to the streaming pod, while /api/v1/streaming/* was falsely routed to the web pod, which returned 404 for each request. Now everything below /api/v1/streaming will reach the streaming pod. Fixes: #36 --- .gitignore | 1 + templates/ingress.yaml | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) create mode 100644 .gitignore diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..ee3892e --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +charts/ 
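Review bot: `LDAP_PASSWORD: {{ . }}` (the context line just below the changed block) still places the LDAP bind password in the `-env` ConfigMap, readable by anyone who can `get configmaps` in the namespace, even though this series moved the SMTP credentials to a Secret for exactly that reason; since the LDAP block is being reworked here, it is the natural point to add a `secretKeyRef` for `LDAP_PASSWORD` and an `externalAuth.ldap.existingSecret` in the same style. The new `LDAP_TLS_NO_VERIFY` pass-through is fine as a knob, but a comment should state that it disables certificate verification for `simple_tls`/`start_tls`, leaving the channel that carries user passwords encrypted but unauthenticated. The rest of the LDAP block (`uid`, `mail`, search filters) is outside this hunk.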
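Review bot: The example block now pairs `port: 636` / `method: simple_tls` with `# tls_no_verify: true`, which reads as a recommended configuration and teaches operators to skip certificate verification on the connection that carries user passwords. Show the secure value and explain the knob instead: `# tls_no_verify: false  # only for self-signed directory certs; prefer trusting the CA via ca_file`. The `# password:` example also still corresponds to a value rendered into a ConfigMap (see the template hunk), which deserves a warning until it moves to a Secret.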
diff --git a/templates/ingress.yaml b/templates/ingress.yaml index e5c5e1d..5a3409a 100644 --- a/templates/ingress.yaml +++ b/templates/ingress.yaml @@ -52,7 +52,7 @@ spec: {{- if or ($.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") (not ($.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress")) }} pathType: Prefix {{- end }} - - path: {{ .path }}api/v1/streaming/ + - path: {{ .path }}api/v1/streaming backend: {{- if or ($.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") (not ($.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress")) }} service: @@ -64,7 +64,7 @@ spec: servicePort: {{ $streamingPort }} {{- end }} {{- if or ($.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") (not ($.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress")) }} - pathType: Exact + pathType: Prefix {{- end }} {{- end }} {{- end }} From 3934da1d2185b5526798e7dd946a4ded5a0b2c4e Mon Sep 17 00:00:00 2001 From: Cees-Jan Kiewiet Date: Mon, 28 Nov 2022 14:52:41 +0100 Subject: [PATCH 13/17] Add the PREPARED_STATEMENTS environment variable and set it to its default value Being able to control it can be useful in situations where prepared statements don't work as expected. Once such case can be pgbouncer as provided by DigitalOcean for connection pooling. --- templates/configmap-env.yaml | 1 + values.yaml | 3 +++ 2 files changed, 4 insertions(+) diff --git a/templates/configmap-env.yaml b/templates/configmap-env.yaml index 5c400db..265bd41 100644 --- a/templates/configmap-env.yaml +++ b/templates/configmap-env.yaml @@ -15,6 +15,7 @@ data: DB_NAME: {{ .Values.postgresql.auth.database }} DB_POOL: {{ include "mastodon.maxDbPool" . }} DB_USER: {{ .Values.postgresql.auth.username }} + PREPARED_STATEMENTS: {{ .Values.mastodon.preparedStatements | quote }} DEFAULT_LOCALE: {{ .Values.mastodon.locale }} {{- if .Values.elasticsearch.enabled }} ES_ENABLED: "true" diff --git a/values.yaml b/values.yaml index 10c7785..711f000 100644 
--- a/values.yaml +++ b/values.yaml @@ -202,6 +202,9 @@ mastodon: # -- Enable statsd publishing via STATSD_ADDR environment variable address: "" + # Sets the PREPARED_STATEMENTS environment variable: https://docs.joinmastodon.org/admin/config/#prepared_statements + preparedStatements: true + ingress: enabled: true annotations: From 94ffdc8f83307460106845db0fbd5e58fb7d4f5c Mon Sep 17 00:00:00 2001 From: Renaud Chaput Date: Tue, 14 Mar 2023 22:06:30 +0100 Subject: [PATCH 14/17] Update image repository to GHCR (#53) --- values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/values.yaml b/values.yaml index 711f000..930a5b3 100644 --- a/values.yaml +++ b/values.yaml @@ -1,6 +1,6 @@ image: - repository: tootsuite/mastodon - # https://hub.docker.com/r/tootsuite/mastodon/tags + repository: ghcr.io/mastodon/mastodon + # https://github.com/mastodon/mastodon/pkgs/container/mastodon # # alternatively, use `latest` for the latest release or `edge` for the image # built from the most recent commit From 1b503bb6b379b4e602c16357a17f97d0c2d0e08a Mon Sep 17 00:00:00 2001 From: Tim Campbell Date: Wed, 12 Apr 2023 08:18:09 -0700 Subject: [PATCH 15/17] Added SMTP_RETURN_PATH option --- templates/configmap-env.yaml | 3 +++ values.yaml | 1 + 2 files changed, 4 insertions(+) diff --git a/templates/configmap-env.yaml b/templates/configmap-env.yaml index 265bd41..fbb8788 100644 --- a/templates/configmap-env.yaml +++ b/templates/configmap-env.yaml @@ -82,6 +82,9 @@ data: {{- with .Values.mastodon.smtp.from_address }} SMTP_FROM_ADDRESS: {{ . }} {{- end }} + {{- with .Values.mastodon.smtp.return_path }} + SMTP_RETURN_PATH: {{ . }} + {{- end }} {{- with .Values.mastodon.smtp.openssl_verify_mode }} SMTP_OPENSSL_VERIFY_MODE: {{ . }} {{- end }} diff --git a/values.yaml b/values.yaml index 930a5b3..ea9848b 100644 --- a/values.yaml +++ b/values.yaml 
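Review bot: `preparedStatements: true` is inserted right after `metrics.statsd.address`, and with indentation flattened in this view I cannot confirm it sits at the `mastodon:` level that `.Values.mastodon.preparedStatements` in the template expects rather than one level deeper under `metrics`; if misplaced, the template renders `PREPARED_STATEMENTS: ""` and the intended default is lost, so please double-check the indent. The comment also lacks the `# --` helm-docs marker and should say when to turn it off, e.g. `# -- Sets PREPARED_STATEMENTS; set to false behind transaction-pooling proxies such as pgbouncer: https://docs.joinmastodon.org/admin/config/#prepared_statements`.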
@@ -137,6 +137,7 @@ mastodon:
 domain:
 enable_starttls: 'auto'
 from_address: notifications@example.com
+ return_path:
 openssl_verify_mode: peer
 port: 587
 reply_to:
From 8f612abc721bffbf7fe9f5aeb730bc93cf5eb45e Mon Sep 17 00:00:00 2001
From: Tim Campbell
Date: Wed, 19 Apr 2023 15:31:36 -0700
Subject: [PATCH 16/17] Added deployment annotations to chart

---
 templates/deployment-sidekiq.yaml | 4 ++++
 templates/deployment-streaming.yaml | 4 ++++
 templates/deployment-web.yaml | 4 ++++
 values.yaml | 4 ++++
 4 files changed, 16 insertions(+)

diff --git a/templates/deployment-sidekiq.yaml b/templates/deployment-sidekiq.yaml
index 8a0e9e8..6aac6e8 100644
--- a/templates/deployment-sidekiq.yaml
+++ b/templates/deployment-sidekiq.yaml
@@ -9,6 +9,10 @@ metadata:
 {{- include "mastodon.labels" $context | nindent 4 }}
 app.kubernetes.io/component: sidekiq-{{ .name }}
 app.kubernetes.io/part-of: rails
+ annotations:
+ {{- with $context.Values.deployAnnotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 spec:
 {{- if (has "scheduler" .queues) }}
 {{- if (gt (int .replicas) 1) }}
diff --git a/templates/deployment-streaming.yaml b/templates/deployment-streaming.yaml
index dd80404..1e690ac 100644
--- a/templates/deployment-streaming.yaml
+++ b/templates/deployment-streaming.yaml
@@ -4,6 +4,10 @@ metadata:
 name: {{ include "mastodon.fullname" . }}-streaming
 labels:
 {{- include "mastodon.labels" . | nindent 4 }}
+ annotations:
+ {{- with .Values.deployAnnotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 spec:
 replicas: {{ .Values.mastodon.streaming.replicas }}
 selector:
diff --git a/templates/deployment-web.yaml b/templates/deployment-web.yaml
index 30308e2..e707b3c 100644
--- a/templates/deployment-web.yaml
+++ b/templates/deployment-web.yaml
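Review bot: `annotations:` is emitted unconditionally while the `with` guard sits inside it, so with the shipped default `deployAnnotations: {}` every sidekiq Deployment renders `metadata.annotations` with a null value; the API server accepts that, but it is noise in `helm template` output and in diffs against live objects. Moving the `annotations:` line inside the guard, directly after `{{- with $context.Values.deployAnnotations }}` and keeping the `nindent 4`, emits the key only when there is something to put in it. The streaming hunk below and the web hunk of this same patch add the identical shape and want the same change.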
@@ -4,6 +4,10 @@ metadata:
 name: {{ include "mastodon.fullname" . }}-web
 labels:
 {{- include "mastodon.labels" . | nindent 4 }}
+ annotations:
+ {{- with .Values.deployAnnotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 spec:
 replicas: {{ .Values.mastodon.web.replicas }}
 selector:
diff --git a/values.yaml b/values.yaml
index ea9848b..c8c5d96 100644
--- a/values.yaml
+++ b/values.yaml
@@ -408,6 +408,10 @@ serviceAccount:
 # If not set and create is true, a name is generated using the fullname template
 name: ""
 
+# Custom annotations to apply to all created deployment objects. These can be
+# used to help mastodon interact with other services in the cluster.
+deployAnnotations: {}
+
 # -- Kubernetes manages pods for jobs and pods for deployments differently, so you might
 # need to apply different annotations to the two different sets of pods. The annotations
 # set with podAnnotations will be added to all deployment-managed pods.
From 4b6fd9f7e6273cb2708e5f8e16b87b1d07114eb8 Mon Sep 17 00:00:00 2001
From: Tim Campbell
Date: Thu, 20 Apr 2023 08:15:48 -0700
Subject: [PATCH 17/17] Rename deployment annotations var, allow deploy-specific annotations

---
 templates/deployment-sidekiq.yaml | 2 +-
 templates/deployment-streaming.yaml | 2 +-
 templates/deployment-web.yaml | 2 +-
 values.yaml | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/templates/deployment-sidekiq.yaml b/templates/deployment-sidekiq.yaml
index 6aac6e8..5dc9244 100644
--- a/templates/deployment-sidekiq.yaml
+++ b/templates/deployment-sidekiq.yaml
@@ -10,7 +10,7 @@ metadata:
 app.kubernetes.io/component: sidekiq-{{ .name }}
 app.kubernetes.io/part-of: rails
 annotations:
- {{- with $context.Values.deployAnnotations }}
+ {{- with $context.Values.deploymentAnnotations }}
 {{- toYaml . | nindent 4 }}
 {{- end }}
 spec:
diff --git a/templates/deployment-streaming.yaml b/templates/deployment-streaming.yaml
index 1e690ac..ea08b1b 100644
--- a/templates/deployment-streaming.yaml
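Review bot: The comment on `deployAnnotations` lacks the `# --` helm-docs marker that the surrounding keys use (`# -- Kubernetes manages pods ...` directly below it), so the key will not appear in generated documentation; start it with `# -- Custom annotations to apply to all created deployment objects.` The second sentence ("help mastodon interact with other services in the cluster") does not tell an operator what to put here; naming the intended consumer of these annotations, or stating that they are passed through verbatim to `metadata.annotations` of each Deployment, would make it useful. The same comment is carried over unchanged by the rename in the following patch.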
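Review bot: Only the variable name changes here, so sidekiq Deployments still receive the global `deploymentAnnotations` with no per-deployment override, whereas the streaming and web templates in this same patch gain `default .Values.deploymentAnnotations .Values.mastodon.<component>.deploymentAnnotations`; the commit title promises deploy-specific annotations, so this is an inconsistency a chart user will hit. Either give sidekiq the same pattern, for instance `{{- with (default $context.Values.deploymentAnnotations .deploymentAnnotations) }}` reading a key from each `range`d queue entry next to its `.name` and `.replicas`, or state in the values.yaml comment that sidekiq only honours the global map. The `range` that supplies `.name` and `$context` starts outside the hunk.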
+++ b/templates/deployment-streaming.yaml
@@ -5,7 +5,7 @@ metadata:
 labels:
 {{- include "mastodon.labels" . | nindent 4 }}
 annotations:
- {{- with .Values.deployAnnotations }}
+ {{- with (default .Values.deploymentAnnotations .Values.mastodon.streaming.deploymentAnnotations) }}
 {{- toYaml . | nindent 4 }}
 {{- end }}
 spec:
diff --git a/templates/deployment-web.yaml b/templates/deployment-web.yaml
index e707b3c..420c277 100644
--- a/templates/deployment-web.yaml
+++ b/templates/deployment-web.yaml
@@ -5,7 +5,7 @@ metadata:
 labels:
 {{- include "mastodon.labels" . | nindent 4 }}
 annotations:
- {{- with .Values.deployAnnotations }}
+ {{- with (default .Values.deploymentAnnotations .Values.mastodon.web.deploymentAnnotations) }}
 {{- toYaml . | nindent 4 }}
 {{- end }}
 spec:
diff --git a/values.yaml b/values.yaml
index c8c5d96..a4660e2 100644
--- a/values.yaml
+++ b/values.yaml
@@ -410,7 +410,7 @@ serviceAccount:
 # Custom annotations to apply to all created deployment objects. These can be
 # used to help mastodon interact with other services in the cluster.
-deployAnnotations: {}
+deploymentAnnotations: {}
 
 # -- Kubernetes manages pods for jobs and pods for deployments differently, so you might
 # need to apply different annotations to the two different sets of pods. The annotations
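Review bot: `default` picks one map or the other and never merges, so setting `mastodon.streaming.deploymentAnnotations` silently drops every entry of the global `deploymentAnnotations` for that Deployment; the web hunk below behaves the same way. Neither `mastodon.streaming.deploymentAnnotations` nor `mastodon.web.deploymentAnnotations` is added to values.yaml by this patch (its values.yaml hunk only renames the global key, and its comment still says the annotations apply to all Deployments), so the override is undiscoverable and its replace-not-merge semantics undocumented. Add both keys under `mastodon.streaming` and `mastodon.web` with a comment such as `# -- Annotations for this Deployment only; when set, these replace deploymentAnnotations rather than adding to them.`, and adjust the global key's comment to say it is the fallback.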