Refactor chart sidekiq queues (#1)

Co-authored-by: Effy Elden <effy@effy.space>
Co-authored-by: Sheogorath <sheogorath@shivering-isles.com>
Co-authored-by: Chris Funderburg <chris@funderburg.me>

.github/workflows/test-chart.yml

@@ -5,15 +5,9 @@ name: Test chart
 
 on:
   pull_request:
-    paths:
+    paths-ignore:
-      - "chart/**"
+      - "README.md"
-      - "!**.md"
-      - ".github/workflows/test-chart.yml"
   push:
-    paths:
-      - "chart/**"
-      - "!**.md"
-      - ".github/workflows/test-chart.yml"
     branches-ignore:
       - "dependabot/**"
   workflow_dispatch:
@@ -21,10 +15,6 @@ on:
 permissions:
   contents: read
 
-defaults:
-  run:
-    working-directory: chart
-
 jobs:
   lint-templates:
     runs-on: ubuntu-22.04

Chart.yaml

@@ -15,12 +15,12 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 2.3.0
+version: 4.0.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: v3.5.3
+appVersion: v4.0.2
 
 dependencies:
   - name: elasticsearch

README.md

@@ -19,6 +19,23 @@ The variables that _must_ be configured are:
 
 - SMTP settings for your mailer in the `mastodon.smtp` group.
 
+If your PersistentVolumeClaim is `ReadWriteOnce` and you're unable to use a S3-compatible service or
+run a self-hosted compatible service like [Minio](https://min.io/docs/minio/kubernetes/upstream/index.html)
+then you need to set the pod affinity so the web and sidekiq pods are scheduled to the same node.
+
+Example configuration:
+```yaml
+podAffinity:
+  requiredDuringSchedulingIgnoredDuringExecution:
+    - labelSelector:
+        matchExpressions:
+          - key: app.kubernetes.io/part-of
+            operator: In
+            values:
+              - rails
+      topologyKey: kubernetes.io/hostname
+```
+
 # Administration
 
 You can run [admin CLI](https://docs.joinmastodon.org/admin/tootctl/) commands in the web deployment.

templates/_helpers.tpl

@@ -136,3 +136,15 @@ Return true if a mastodon secret object should be created
     {{- true -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Find highest number of needed database connections to set DB_POOL variable
+*/}}
+{{- define "mastodon.maxDbPool" -}}
+{{/* Default MAX_THREADS for Puma is 5 */}}
+{{- $poolSize := 5 }}
+{{- range .Values.mastodon.sidekiq.workers }}
+{{- $poolSize = max $poolSize .concurrency }}
+{{- end }}
+{{- $poolSize | quote }}
+{{- end }}

templates/configmap-env.yaml

@@ -13,7 +13,7 @@ data:
   DB_PORT: {{ .Values.postgresql.postgresqlPort | default "5432" | quote }}
   {{- end }}
   DB_NAME: {{ .Values.postgresql.auth.database }}
-  DB_POOL: {{ .Values.mastodon.sidekiq.concurrency | quote }}
+  DB_POOL: {{ include "mastodon.maxDbPool" . }}
   DB_USER: {{ .Values.postgresql.auth.username }}
   DEFAULT_LOCALE: {{ .Values.mastodon.locale }}
   {{- if .Values.elasticsearch.enabled }}
@@ -22,12 +22,15 @@ data:
   ES_PORT: "9200"
   {{- end }}
   LOCAL_DOMAIN: {{ .Values.mastodon.local_domain }}
-  {{- if .Values.mastodon.web_domain }}
+  {{- with .Values.mastodon.web_domain }}
-  WEB_DOMAIN: {{ .Values.mastodon.web_domain }}
+  WEB_DOMAIN: {{ . }}
   {{- end }}
-  {{- if .Values.mastodon.singleUserMode }}
+  {{- with .Values.mastodon.singleUserMode }}
   SINGLE_USER_MODE: "true"
   {{- end }}
+  {{- with .Values.mastodon.authorizedFetch }}
+  AUTHORIZED_FETCH: {{ . | quote }}
+  {{- end }}
   # https://devcenter.heroku.com/articles/tuning-glibc-memory-behavior
   MALLOC_ARENA_MAX: "2"
   NODE_ENV: "production"
@@ -44,58 +47,58 @@ data:
   S3_ENDPOINT: {{ .Values.mastodon.s3.endpoint }}
   S3_HOSTNAME: {{ .Values.mastodon.s3.hostname }}
   S3_PROTOCOL: "https"
-  {{- if .Values.mastodon.s3.region }}
+  {{- with .Values.mastodon.s3.region }}
-  S3_REGION: {{ .Values.mastodon.s3.region }}
+  S3_REGION: {{ . }}
   {{- end }}
-  {{- if .Values.mastodon.s3.alias_host }}
+  {{- with .Values.mastodon.s3.alias_host }}
   S3_ALIAS_HOST: {{ .Values.mastodon.s3.alias_host}}
   {{- end }}
   {{- end }}
-  {{- if .Values.mastodon.smtp.auth_method }}
+  {{- with .Values.mastodon.smtp.auth_method }}
-  SMTP_AUTH_METHOD: {{ .Values.mastodon.smtp.auth_method }}
+  SMTP_AUTH_METHOD: {{ . }}
   {{- end }}
-  {{- if .Values.mastodon.smtp.ca_file }}
+  {{- with .Values.mastodon.smtp.ca_file }}
-  SMTP_CA_FILE: {{ .Values.mastodon.smtp.ca_file }}
+  SMTP_CA_FILE: {{ . }}
   {{- end }}
-  {{- if .Values.mastodon.smtp.delivery_method }}
+  {{- with .Values.mastodon.smtp.delivery_method }}
-  SMTP_DELIVERY_METHOD: {{ .Values.mastodon.smtp.delivery_method }}
+  SMTP_DELIVERY_METHOD: {{ . }}
   {{- end }}
-  {{- if .Values.mastodon.smtp.domain }}
+  {{- with .Values.mastodon.smtp.domain }}
-  SMTP_DOMAIN: {{ .Values.mastodon.smtp.domain }}
+  SMTP_DOMAIN: {{ . }}
   {{- end }}
-  {{- if .Values.mastodon.smtp.enable_starttls }}
+  {{- with .Values.mastodon.smtp.enable_starttls }}
-  SMTP_ENABLE_STARTTLS: {{ .Values.mastodon.smtp.enable_starttls | quote }}
+  SMTP_ENABLE_STARTTLS: {{ . | quote }}
   {{- end }}
-  {{- if .Values.mastodon.smtp.enable_starttls_auto }}
+  {{- with .Values.mastodon.smtp.enable_starttls_auto }}
-  SMTP_ENABLE_STARTTLS_AUTO: {{ .Values.mastodon.smtp.enable_starttls_auto | quote }}
+  SMTP_ENABLE_STARTTLS_AUTO: {{ . | quote }}
   {{- end }}
-  {{- if .Values.mastodon.smtp.from_address }}
+  {{- with .Values.mastodon.smtp.from_address }}
-  SMTP_FROM_ADDRESS: {{ .Values.mastodon.smtp.from_address }}
+  SMTP_FROM_ADDRESS: {{ . }}
   {{- end }}
-  {{- if .Values.mastodon.smtp.login }}
+  {{- with .Values.mastodon.smtp.login }}
-  SMTP_LOGIN: {{ .Values.mastodon.smtp.login }}
+  SMTP_LOGIN: {{ . }}
   {{- end }}
-  {{- if .Values.mastodon.smtp.openssl_verify_mode }}
+  {{- with .Values.mastodon.smtp.openssl_verify_mode }}
-  SMTP_OPENSSL_VERIFY_MODE: {{ .Values.mastodon.smtp.openssl_verify_mode }}
+  SMTP_OPENSSL_VERIFY_MODE: {{ . }}
   {{- end }}
-  {{- if .Values.mastodon.smtp.password }}
+  {{- with .Values.mastodon.smtp.password }}
-  SMTP_PASSWORD: {{ .Values.mastodon.smtp.password }}
+  SMTP_PASSWORD: {{ . }}
   {{- end }}
-  {{- if .Values.mastodon.smtp.port }}
+  {{- with .Values.mastodon.smtp.port }}
-  SMTP_PORT: {{ .Values.mastodon.smtp.port | quote }}
+  SMTP_PORT: {{ . | quote }}
   {{- end }}
-  {{- if .Values.mastodon.smtp.reply_to }}
+  {{- with .Values.mastodon.smtp.reply_to }}
-  SMTP_REPLY_TO: {{ .Values.mastodon.smtp.reply_to }}
+  SMTP_REPLY_TO: {{ . }}
   {{- end }}
-  {{- if .Values.mastodon.smtp.server }}
+  {{- with .Values.mastodon.smtp.server }}
-  SMTP_SERVER: {{ .Values.mastodon.smtp.server }}
+  SMTP_SERVER: {{ . }}
   {{- end }}
-  {{- if .Values.mastodon.smtp.tls }}
+  {{- with .Values.mastodon.smtp.tls }}
-  SMTP_TLS: {{ .Values.mastodon.smtp.tls | quote }}
+  SMTP_TLS: {{ . | quote }}
   {{- end }}
   STREAMING_CLUSTER_NUM: {{ .Values.mastodon.streaming.workers | quote }}
-  {{- if .Values.mastodon.streaming.base_url }}
+  {{- with .Values.mastodon.streaming.base_url }}
-  STREAMING_API_BASE_URL: {{ .Values.mastodon.streaming.base_url | quote }}
+  STREAMING_API_BASE_URL: {{ . | quote }}
   {{- end }}
   {{- if .Values.externalAuth.oidc.enabled }}
   OIDC_ENABLED: {{ .Values.externalAuth.oidc.enabled | quote }}
@@ -108,53 +111,53 @@ data:
   OIDC_CLIENT_SECRET: {{ .Values.externalAuth.oidc.client_secret }}
   OIDC_REDIRECT_URI: {{ .Values.externalAuth.oidc.redirect_uri }}
   OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED: {{ .Values.externalAuth.oidc.assume_email_is_verified | quote }}
-  {{- if .Values.externalAuth.oidc.client_auth_method }}
+  {{- with .Values.externalAuth.oidc.client_auth_method }}
-  OIDC_CLIENT_AUTH_METHOD: {{ .Values.externalAuth.oidc.client_auth_method }}
+  OIDC_CLIENT_AUTH_METHOD: {{ . }}
   {{- end }}
-  {{- if .Values.externalAuth.oidc.response_type }}
+  {{- with .Values.externalAuth.oidc.response_type }}
-  OIDC_RESPONSE_TYPE: {{ .Values.externalAuth.oidc.response_type }}
+  OIDC_RESPONSE_TYPE: {{ . }}
   {{- end }}
-  {{- if .Values.externalAuth.oidc.response_mode }}
+  {{- with .Values.externalAuth.oidc.response_mode }}
-  OIDC_RESPONSE_MODE: {{ .Values.externalAuth.oidc.response_mode }}
+  OIDC_RESPONSE_MODE: {{ . }}
   {{- end }}
-  {{- if .Values.externalAuth.oidc.display }}
+  {{- with .Values.externalAuth.oidc.display }}
-  OIDC_DISPLAY: {{ .Values.externalAuth.oidc.display }}
+  OIDC_DISPLAY: {{ . }}
   {{- end }}
-  {{- if .Values.externalAuth.oidc.prompt }}
+  {{- with .Values.externalAuth.oidc.prompt }}
-  OIDC_PROMPT: {{ .Values.externalAuth.oidc.prompt }}
+  OIDC_PROMPT: {{ . }}
   {{- end }}
-  {{- if .Values.externalAuth.oidc.send_nonce }}
+  {{- with .Values.externalAuth.oidc.send_nonce }}
-  OIDC_SEND_NONCE: {{ .Values.externalAuth.oidc.send_nonce }}
+  OIDC_SEND_NONCE: {{ . }}
   {{- end }}
-  {{- if .Values.externalAuth.oidc.send_scope_to_token_endpoint }}
+  {{- with .Values.externalAuth.oidc.send_scope_to_token_endpoint }}
-  OIDC_SEND_SCOPE_TO_TOKEN_ENDPOINT: {{ .Values.externalAuth.oidc.send_scope_to_token_endpoint | quote }}
+  OIDC_SEND_SCOPE_TO_TOKEN_ENDPOINT: {{ . | quote }}
   {{- end }}
-  {{- if .Values.externalAuth.oidc.idp_logout_redirect_uri }}
+  {{- with .Values.externalAuth.oidc.idp_logout_redirect_uri }}
-  OIDC_IDP_LOGOUT_REDIRECT_URI: {{ .Values.externalAuth.oidc.idp_logout_redirect_uri }}
+  OIDC_IDP_LOGOUT_REDIRECT_URI: {{ . }}
   {{- end }}
-  {{- if .Values.externalAuth.oidc.http_scheme }}
+  {{- with .Values.externalAuth.oidc.http_scheme }}
-  OIDC_HTTP_SCHEME: {{ .Values.externalAuth.oidc.http_scheme }}
+  OIDC_HTTP_SCHEME: {{ . }}
   {{- end }}
-  {{- if .Values.externalAuth.oidc.host }}
+  {{- with .Values.externalAuth.oidc.host }}
-  OIDC_HOST: {{ .Values.externalAuth.oidc.host }}
+  OIDC_HOST: {{ . }}
   {{- end }}
-  {{- if .Values.externalAuth.oidc.port }}
+  {{- with .Values.externalAuth.oidc.port }}
-  OIDC_PORT: {{ .Values.externalAuth.oidc.port }}
+  OIDC_PORT: {{ . }}
   {{- end }}
-  {{- if .Values.externalAuth.oidc.jwks_uri }}
+  {{- with .Values.externalAuth.oidc.jwks_uri }}
-  OIDC_JWKS_URI: {{ .Values.externalAuth.oidc.jwks_uri }}
+  OIDC_JWKS_URI: {{ . }}
   {{- end }}
-  {{- if .Values.externalAuth.oidc.auth_endpoint }}
+  {{- with .Values.externalAuth.oidc.auth_endpoint }}
-  OIDC_AUTH_ENDPOINT: {{ .Values.externalAuth.oidc.auth_endpoint }}
+  OIDC_AUTH_ENDPOINT: {{ . }}
   {{- end }}
-  {{- if .Values.externalAuth.oidc.token_endpoint }}
+  {{- with .Values.externalAuth.oidc.token_endpoint }}
-  OIDC_TOKEN_ENDPOINT: {{ .Values.externalAuth.oidc.token_endpoint }}
+  OIDC_TOKEN_ENDPOINT: {{ . }}
   {{- end }}
-  {{- if .Values.externalAuth.oidc.user_info_endpoint }}
+  {{- with .Values.externalAuth.oidc.user_info_endpoint }}
-  OIDC_USER_INFO_ENDPOINT: {{ .Values.externalAuth.oidc.user_info_endpoint }}
+  OIDC_USER_INFO_ENDPOINT: {{ . }}
   {{- end }}
-  {{- if .Values.externalAuth.oidc.end_session_endpoint }}
+  {{- with .Values.externalAuth.oidc.end_session_endpoint }}
-  OIDC_END_SESSION_ENDPOINT: {{ .Values.externalAuth.oidc.end_session_endpoint }}
+  OIDC_END_SESSION_ENDPOINT: {{ . }}
   {{- end }}
   {{- end }}
   {{- if .Values.externalAuth.saml.enabled }}
@@ -163,54 +166,54 @@ data:
   SAML_ISSUER: {{ .Values.externalAuth.saml.issuer }}
   SAML_IDP_SSO_TARGET_URL: {{ .Values.externalAuth.saml.idp_sso_target_url }}
   SAML_IDP_CERT: {{ .Values.externalAuth.saml.idp_cert | quote }}
-  {{- if .Values.externalAuth.saml.idp_cert_fingerprint }}
+  {{- with .Values.externalAuth.saml.idp_cert_fingerprint }}
-  SAML_IDP_CERT_FINGERPRINT: {{ .Values.externalAuth.saml.idp_cert_fingerprint | quote }}
+  SAML_IDP_CERT_FINGERPRINT: {{ . | quote }}
   {{- end }}
-  {{- if .Values.externalAuth.saml.name_identifier_format }}
+  {{- with .Values.externalAuth.saml.name_identifier_format }}
-  SAML_NAME_IDENTIFIER_FORMAT: {{ .Values.externalAuth.saml.name_identifier_format }}
+  SAML_NAME_IDENTIFIER_FORMAT: {{ . }}
   {{- end }}
-  {{- if .Values.externalAuth.saml.cert }}
+  {{- with .Values.externalAuth.saml.cert }}
-  SAML_CERT: {{ .Values.externalAuth.saml.cert | quote }}
+  SAML_CERT: {{ . | quote }}
   {{- end }}
-  {{- if .Values.externalAuth.saml.private_key }}
+  {{- with .Values.externalAuth.saml.private_key }}
-  SAML_PRIVATE_KEY: {{ .Values.externalAuth.saml.private_key | quote }}
+  SAML_PRIVATE_KEY: {{ . | quote }}
   {{- end }}
-  {{- if .Values.externalAuth.saml.want_assertion_signed }}
+  {{- with .Values.externalAuth.saml.want_assertion_signed }}
-  SAML_SECURITY_WANT_ASSERTION_SIGNED: {{ .Values.externalAuth.saml.want_assertion_signed | quote }}
+  SAML_SECURITY_WANT_ASSERTION_SIGNED: {{ . | quote }}
   {{- end }}
-  {{- if .Values.externalAuth.saml.want_assertion_encrypted }}
+  {{- with .Values.externalAuth.saml.want_assertion_encrypted }}
-  SAML_SECURITY_WANT_ASSERTION_ENCRYPTED: {{ .Values.externalAuth.saml.want_assertion_encrypted | quote }}
+  SAML_SECURITY_WANT_ASSERTION_ENCRYPTED: {{ . | quote }}
   {{- end }}
-  {{- if .Values.externalAuth.saml.assume_email_is_verified }}
+  {{- with .Values.externalAuth.saml.assume_email_is_verified }}
-  SAML_SECURITY_ASSUME_EMAIL_IS_VERIFIED: {{ .Values.externalAuth.saml.assume_email_is_verified | quote }}
+  SAML_SECURITY_ASSUME_EMAIL_IS_VERIFIED: {{ . | quote }}
   {{- end }}
-  {{- if .Values.externalAuth.saml.uid_attribute }}
+  {{- with .Values.externalAuth.saml.uid_attribute }}
-  SAML_UID_ATTRIBUTE: {{ .Values.externalAuth.saml.uid_attribute }}
+  SAML_UID_ATTRIBUTE: {{ . }}
   {{- end }}
-  {{- if .Values.externalAuth.saml.attributes_statements.uid }}
+  {{- with .Values.externalAuth.saml.attributes_statements.uid }}
-  SAML_ATTRIBUTES_STATEMENTS_UID: {{ .Values.externalAuth.saml.attributes_statements.uid | quote }}
+  SAML_ATTRIBUTES_STATEMENTS_UID: {{ . | quote }}
   {{- end }}
-  {{- if .Values.externalAuth.saml.attributes_statements.email }}
+  {{- with .Values.externalAuth.saml.attributes_statements.email }}
-  SAML_ATTRIBUTES_STATEMENTS_EMAIL: {{ .Values.externalAuth.saml.attributes_statements.email | quote }}
+  SAML_ATTRIBUTES_STATEMENTS_EMAIL: {{ . | quote }}
   {{- end }}
-  {{- if .Values.externalAuth.saml.attributes_statements.full_name }}
+  {{- with .Values.externalAuth.saml.attributes_statements.full_name }}
-  SAML_ATTRIBUTES_STATEMENTS_FULL_NAME: {{ .Values.externalAuth.saml.attributes_statements.full_name | quote }}
+  SAML_ATTRIBUTES_STATEMENTS_FULL_NAME: {{ . | quote }}
   {{- end }}
-  {{- if .Values.externalAuth.saml.attributes_statements.first_name }}
+  {{- with .Values.externalAuth.saml.attributes_statements.first_name }}
-  SAML_ATTRIBUTES_STATEMENTS_FIRST_NAME: {{ .Values.externalAuth.saml.attributes_statements.first_name | quote }}
+  SAML_ATTRIBUTES_STATEMENTS_FIRST_NAME: {{ . | quote }}
   {{- end }}
-  {{- if .Values.externalAuth.saml.attributes_statements.last_name }}
+  {{- with .Values.externalAuth.saml.attributes_statements.last_name }}
-  SAML_ATTRIBUTES_STATEMENTS_LAST_NAME: {{ .Values.externalAuth.saml.attributes_statements.last_name | quote }}
+  SAML_ATTRIBUTES_STATEMENTS_LAST_NAME: {{ . | quote }}
   {{- end }}
-  {{- if .Values.externalAuth.saml.attributes_statements.verified }}
+  {{- with .Values.externalAuth.saml.attributes_statements.verified }}
-  SAML_ATTRIBUTES_STATEMENTS_VERIFIED: {{ .Values.externalAuth.saml.attributes_statements.verified | quote }}
+  SAML_ATTRIBUTES_STATEMENTS_VERIFIED: {{ . | quote }}
   {{- end }}
-  {{- if .Values.externalAuth.saml.attributes_statements.verified_email }}
+  {{- with .Values.externalAuth.saml.attributes_statements.verified_email }}
-  SAML_ATTRIBUTES_STATEMENTS_VERIFIED_EMAIL: {{ .Values.externalAuth.saml.attributes_statements.verified_email | quote }}
+  SAML_ATTRIBUTES_STATEMENTS_VERIFIED_EMAIL: {{ . | quote }}
   {{- end }}
   {{- end }}
-  {{- if .Values.externalAuth.oauth_global.oauth_redirect_at_sign_in }}
+  {{- with .Values.externalAuth.oauth_global.omniauth_only }}
-  OAUTH_REDIRECT_AT_SIGN_IN: {{ .Values.externalAuth.oauth_global.oauth_redirect_at_sign_in | quote }}
+  OMNIAUTH_ONLY: {{ . | quote }}
   {{- end }}
   {{- if .Values.externalAuth.cas.enabled }}
   CAS_ENABLED: {{ .Values.externalAuth.cas.enabled | quote }}
@@ -218,68 +221,68 @@ data:
   CAS_HOST: {{ .Values.externalAuth.cas.host }}
   CAS_PORT: {{ .Values.externalAuth.cas.port }}
   CAS_SSL: {{ .Values.externalAuth.cas.ssl | quote }}
-  {{- if .Values.externalAuth.cas.validate_url }}
+  {{- with .Values.externalAuth.cas.validate_url }}
-  CAS_VALIDATE_URL: {{ .Values.externalAuth.cas.validate_url }}
+  CAS_VALIDATE_URL: {{ . }}
   {{- end }}
-  {{- if .Values.externalAuth.cas.callback_url }}
+  {{- with .Values.externalAuth.cas.callback_url }}
-  CAS_CALLBACK_URL: {{ .Values.externalAuth.cas.callback_url }}
+  CAS_CALLBACK_URL: {{ . }}
   {{- end }}
-  {{- if .Values.externalAuth.cas.logout_url }}
+  {{- with .Values.externalAuth.cas.logout_url }}
-  CAS_LOGOUT_URL: {{ .Values.externalAuth.cas.logout_url }}
+  CAS_LOGOUT_URL: {{ . }}
   {{- end }}
-  {{- if .Values.externalAuth.cas.login_url }}
+  {{- with .Values.externalAuth.cas.login_url }}
-  CAS_LOGIN_URL: {{ .Values.externalAuth.cas.login_url }}
+  CAS_LOGIN_URL: {{ . }}
   {{- end }}
-  {{- if .Values.externalAuth.cas.uid_field }}
+  {{- with .Values.externalAuth.cas.uid_field }}
-  CAS_UID_FIELD: {{ .Values.externalAuth.cas.uid_field | quote }}
+  CAS_UID_FIELD: {{ . | quote }}
   {{- end }}
-  {{- if .Values.externalAuth.cas.ca_path }}
+  {{- with .Values.externalAuth.cas.ca_path }}
-  CAS_CA_PATH: {{ .Values.externalAuth.cas.ca_path }}
+  CAS_CA_PATH: {{ . }}
   {{- end }}
-  {{- if .Values.externalAuth.cas.disable_ssl_verification }}
+  {{- with .Values.externalAuth.cas.disable_ssl_verification }}
-  CAS_DISABLE_SSL_VERIFICATION: {{ .Values.externalAuth.cas.disable_ssl_verification | quote }}
+  CAS_DISABLE_SSL_VERIFICATION: {{ . | quote }}
   {{- end }}
-  {{- if .Values.externalAuth.cas.assume_email_is_verified }}
+  {{- with .Values.externalAuth.cas.assume_email_is_verified }}
-  CAS_SECURITY_ASSUME_EMAIL_IS_VERIFIED: {{ .Values.externalAuth.cas.assume_email_is_verified | quote }}
+  CAS_SECURITY_ASSUME_EMAIL_IS_VERIFIED: {{ . | quote }}
   {{- end }}
-  {{- if .Values.externalAuth.cas.keys.uid }}
+  {{- with .Values.externalAuth.cas.keys.uid }}
-  CAS_UID_KEY: {{ .Values.externalAuth.cas.keys.uid | quote }}
+  CAS_UID_KEY: {{ . | quote }}
   {{- end }}
-  {{- if .Values.externalAuth.cas.keys.name }}
+  {{- with .Values.externalAuth.cas.keys.name }}
-  CAS_NAME_KEY: {{ .Values.externalAuth.cas.keys.name | quote }}
+  CAS_NAME_KEY: {{ . | quote }}
   {{- end }}
-  {{- if .Values.externalAuth.cas.keys.email }}
+  {{- with .Values.externalAuth.cas.keys.email }}
-  CAS_EMAIL_KEY: {{ .Values.externalAuth.cas.keys.email | quote }}
+  CAS_EMAIL_KEY: {{ . | quote }}
   {{- end }}
-  {{- if .Values.externalAuth.cas.keys.nickname }}
+  {{- with .Values.externalAuth.cas.keys.nickname }}
-  CAS_NICKNAME_KEY: {{ .Values.externalAuth.cas.keys.nickname | quote }}
+  CAS_NICKNAME_KEY: {{ . | quote }}
   {{- end }}
-  {{- if .Values.externalAuth.cas.keys.first_name }}
+  {{- with .Values.externalAuth.cas.keys.first_name }}
-  CAS_FIRST_NAME_KEY: {{ .Values.externalAuth.cas.keys.first_name | quote }}
+  CAS_FIRST_NAME_KEY: {{ . | quote }}
   {{- end }}
-  {{- if .Values.externalAuth.cas.keys.last_name }}
+  {{- with .Values.externalAuth.cas.keys.last_name }}
-  CAS_LAST_NAME_KEY: {{ .Values.externalAuth.cas.keys.last_name | quote }}
+  CAS_LAST_NAME_KEY: {{ . | quote }}
   {{- end }}
-  {{- if .Values.externalAuth.cas.keys.location }}
+  {{- with .Values.externalAuth.cas.keys.location }}
-  CAS_LOCATION_KEY: {{ .Values.externalAuth.cas.keys.location | quote }}
+  CAS_LOCATION_KEY: {{ . | quote }}
   {{- end }}
-  {{- if .Values.externalAuth.cas.keys.image }}
+  {{- with .Values.externalAuth.cas.keys.image }}
-  CAS_IMAGE_KEY: {{ .Values.externalAuth.cas.keys.image | quote }}
+  CAS_IMAGE_KEY: {{ . | quote }}
   {{- end }}
-  {{- if .Values.externalAuth.cas.keys.phone }}
+  {{- with .Values.externalAuth.cas.keys.phone }}
-  CAS_PHONE_KEY: {{ .Values.externalAuth.cas.keys.phone | quote }}
+  CAS_PHONE_KEY: {{ . | quote }}
   {{- end }}
   {{- end }}
-  {{- if .Values.externalAuth.pam.enabled }}
+  {{- with .Values.externalAuth.pam.enabled }}
-  PAM_ENABLED: {{ .Values.externalAuth.pam.enabled | quote }}
+  PAM_ENABLED: {{ . | quote }}
-  {{- if .Values.externalAuth.pam.email_domain }}
+  {{- with .Values.externalAuth.pam.email_domain }}
-  PAM_EMAIL_DOMAIN: {{ .Values.externalAuth.pam.email_domain }}
+  PAM_EMAIL_DOMAIN: {{ . }}
   {{- end }}
-  {{- if .Values.externalAuth.pam.default_service }}
+  {{- with .Values.externalAuth.pam.default_service }}
-  PAM_DEFAULT_SERVICE: {{ .Values.externalAuth.pam.default_service }}
+  PAM_DEFAULT_SERVICE: {{ . }}
   {{- end }}
-  {{- if .Values.externalAuth.pam.controlled_service }}
+  {{- with .Values.externalAuth.pam.controlled_service }}
-  PAM_CONTROLLED_SERVICE: {{ .Values.externalAuth.pam.controlled_service }}
+  PAM_CONTROLLED_SERVICE: {{ . }}
   {{- end }}
   {{- end }}
   {{- if .Values.externalAuth.ldap.enabled }}
@@ -287,32 +290,32 @@ data:
   LDAP_HOST: {{ .Values.externalAuth.ldap.host }}
   LDAP_PORT: {{ .Values.externalAuth.ldap.port }}
   LDAP_METHOD: {{ .Values.externalAuth.ldap.method }}
-  {{- if .Values.externalAuth.ldap.base }}
+  {{- with .Values.externalAuth.ldap.base }}
-  LDAP_BASE: {{ .Values.externalAuth.ldap.base }}
+  LDAP_BASE: {{ . }}
   {{- end }}
-  {{- if .Values.externalAuth.ldap.bind_on }}
+  {{- with .Values.externalAuth.ldap.bind_on }}
-  LDAP_BIND_ON: {{ .Values.externalAuth.ldap.bind_on }}
+  LDAP_BIND_ON: {{ . }}
   {{- end }}
-  {{- if .Values.externalAuth.ldap.password }}
+  {{- with .Values.externalAuth.ldap.password }}
-  LDAP_PASSWORD: {{ .Values.externalAuth.ldap.password }}
+  LDAP_PASSWORD: {{ . }}
   {{- end }}
-  {{- if .Values.externalAuth.ldap.uid }}
+  {{- with .Values.externalAuth.ldap.uid }}
-  LDAP_UID: {{ .Values.externalAuth.ldap.uid }}
+  LDAP_UID: {{ . }}
   {{- end }}
-  {{- if .Values.externalAuth.ldap.mail }}
+  {{- with .Values.externalAuth.ldap.mail }}
-  LDAP_MAIL: {{ .Values.externalAuth.ldap.mail }}
+  LDAP_MAIL: {{ . }}
   {{- end }}
-  {{- if .Values.externalAuth.ldap.search_filter }}
+  {{- with .Values.externalAuth.ldap.search_filter }}
-  LDAP_SEARCH_FILTER: {{ .Values.externalAuth.ldap.search_filter }}
+  LDAP_SEARCH_FILTER: {{ . }}
   {{- end }}
-  {{- if .Values.externalAuth.ldap.uid_conversion.enabled }}
+  {{- with .Values.externalAuth.ldap.uid_conversion.enabled }}
-  LDAP_UID_CONVERSION_ENABLED: {{ .Values.externalAuth.ldap.uid_conversion.enabled | quote }}
+  LDAP_UID_CONVERSION_ENABLED: {{ . | quote }}
   {{- end }}
-  {{- if .Values.externalAuth.ldap.uid_conversion.search }}
+  {{- with .Values.externalAuth.ldap.uid_conversion.search }}
-  LDAP_UID_CONVERSION_SEARCH: {{ .Values.externalAuth.ldap.uid_conversion.search }}
+  LDAP_UID_CONVERSION_SEARCH: {{ . }}
   {{- end }}
-  {{- if .Values.externalAuth.ldap.uid_conversion.replace }}
+  {{- with .Values.externalAuth.ldap.uid_conversion.replace }}
-  LDAP_UID_CONVERSION_REPLACE: {{ .Values.externalAuth.ldap.uid_conversion.replace }}
+  LDAP_UID_CONVERSION_REPLACE: {{ . }}
   {{- end }}
   {{- end }}
   {{- with .Values.mastodon.metrics.statsd.address }}

templates/cronjob-media-remove.yaml

@@ -67,6 +67,18 @@ spec:
                       key: redis-password
                 - name: "PORT"
                   value: {{ .Values.mastodon.web.port | quote }}
+                {{- if (and .Values.mastodon.s3.enabled .Values.mastodon.s3.existingSecret) }}
+                - name: "AWS_SECRET_ACCESS_KEY"
+                  valueFrom:
+                    secretKeyRef:
+                      name: {{ .Values.mastodon.s3.existingSecret }}
+                      key: AWS_SECRET_ACCESS_KEY
+                - name: "AWS_ACCESS_KEY_ID"
+                  valueFrom:
+                    secretKeyRef:
+                      name: {{ .Values.mastodon.s3.existingSecret }}
+                      key: AWS_ACCESS_KEY_ID
+                {{- end }}
               {{- if (not .Values.mastodon.s3.enabled) }}
               volumeMounts:
                 - name: assets

templates/deployment-sidekiq.yaml

@@ -1,117 +1,121 @@
+{{- $context := . }}
+{{- range .Values.mastodon.sidekiq.workers }}
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ include "mastodon.fullname" . }}-sidekiq
+  name: {{ include "mastodon.fullname" $context }}-sidekiq-{{ .name }}
   labels:
-    {{- include "mastodon.labels" . | nindent 4 }}
+    {{- include "mastodon.labels" $context | nindent 4 }}
+    app.kubernetes.io/component: sidekiq-{{ .name }}
+    app.kubernetes.io/part-of: rails
 spec:
-  {{- if not .Values.autoscaling.enabled }}
+  {{- if (has "scheduler" .queues) }}
-  replicas: {{ .Values.replicaCount }}
+    {{- if (gt (int .replicas) 1) }}
+      {{ fail "The scheduler queue should never have more than 1 replicas" }}
     {{- end }}
+  strategy:
+    type: Recreate
+  {{- end }}
+  replicas: {{ .replicas }}
   selector:
     matchLabels:
-      {{- include "mastodon.selectorLabels" . | nindent 6 }}
+      {{- include "mastodon.selectorLabels" $context | nindent 6 }}
-      app.kubernetes.io/component: sidekiq
+      app.kubernetes.io/component: sidekiq-{{ .name }}
       app.kubernetes.io/part-of: rails
   template:
     metadata:
       annotations:
-        {{- with .Values.podAnnotations }}
+        {{- with $context.Values.podAnnotations }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
         # roll the pods to pick up any db migrations or other changes
-        {{- include "mastodon.rollingPodAnnotations" . | nindent 8 }}
+        {{- include "mastodon.rollingPodAnnotations" $context | nindent 8 }}
       labels:
-        {{- include "mastodon.selectorLabels" . | nindent 8 }}
+        {{- include "mastodon.selectorLabels" $context | nindent 8 }}
-        app.kubernetes.io/component: sidekiq
+        app.kubernetes.io/component: sidekiq-{{ .name }}
         app.kubernetes.io/part-of: rails
     spec:
-      {{- with .Values.imagePullSecrets }}
+      {{- with $context.Values.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      serviceAccountName: {{ include "mastodon.serviceAccountName" . }}
+      serviceAccountName: {{ include "mastodon.serviceAccountName" $context }}
-      {{- with .Values.podSecurityContext }}
+      {{- with (default $context.Values.podSecurityContext $context.Values.mastodon.sidekiq.podSecurityContext) }}
       securityContext:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- if (not .Values.mastodon.s3.enabled) }}
+      {{- with (default (default $context.Values.affinity $context.Values.mastodon.sidekiq.affinity) .affinity) }}
-      # ensure we run on the same node as the other rails components; only
-      # required when using PVCs that are ReadWriteOnce
-      {{- if or (eq "ReadWriteOnce" .Values.mastodon.persistence.assets.accessMode) (eq "ReadWriteOnce" .Values.mastodon.persistence.system.accessMode) }}
       affinity:
-        podAffinity:
+        {{- toYaml . | nindent 8 }}
-          requiredDuringSchedulingIgnoredDuringExecution:
-            - labelSelector:
-                matchExpressions:
-                  - key: app.kubernetes.io/part-of
-                    operator: In
-                    values:
-                      - rails
-              topologyKey: kubernetes.io/hostname
       {{- end }}
+      {{- if (not $context.Values.mastodon.s3.enabled) }}
       volumes:
         - name: assets
           persistentVolumeClaim:
-            claimName: {{ template "mastodon.fullname" . }}-assets
+            claimName: {{ template "mastodon.fullname" $context }}-assets
         - name: system
           persistentVolumeClaim:
-            claimName: {{ template "mastodon.fullname" . }}-system
+            claimName: {{ template "mastodon.fullname" $context }}-system
       {{- end }}
       containers:
-        - name: {{ .Chart.Name }}
+        - name: {{ $context.Chart.Name }}
           securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
+            {{- toYaml $context.Values.mastodon.sidekiq.securityContext | nindent 12 }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          image: "{{ $context.Values.image.repository }}:{{ $context.Values.image.tag | default $context.Chart.AppVersion }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          imagePullPolicy: {{ $context.Values.image.pullPolicy }}
           command:
             - bundle
             - exec
             - sidekiq
             - -c
-            - {{ .Values.mastodon.sidekiq.concurrency | quote }}
+            - {{ .concurrency | quote }}
+            {{- range .queues }}
+            - -q
+            - {{ . | quote }}
+            {{- end }}
           envFrom:
             - configMapRef:
-                name: {{ include "mastodon.fullname" . }}-env
+                name: {{ include "mastodon.fullname" $context }}-env
             - secretRef:
-                name: {{ template "mastodon.secretName" . }}
+                name: {{ template "mastodon.secretName" $context }}
           env:
             - name: "DB_PASS"
               valueFrom:
                 secretKeyRef:
-                  name: {{ template "mastodon.postgresql.secretName" . }}
+                  name: {{ template "mastodon.postgresql.secretName" $context }}
                   key: password
             - name: "REDIS_PASSWORD"
               valueFrom:
                 secretKeyRef:
-                  name: {{ template "mastodon.redis.secretName" . }}
+                  name: {{ template "mastodon.redis.secretName" $context }}
                   key: redis-password
-            {{- if (and .Values.mastodon.s3.enabled .Values.mastodon.s3.existingSecret) }}
+            {{- if (and $context.Values.mastodon.s3.enabled $context.Values.mastodon.s3.existingSecret) }}
             - name: "AWS_SECRET_ACCESS_KEY"
               valueFrom:
                 secretKeyRef:
-                  name: {{ .Values.mastodon.s3.existingSecret }}
+                  name: {{ $context.Values.mastodon.s3.existingSecret }}
                   key: AWS_SECRET_ACCESS_KEY
             - name: "AWS_ACCESS_KEY_ID"
               valueFrom:
                 secretKeyRef:
-                  name: {{ .Values.mastodon.s3.existingSecret }}
+                  name: {{ $context.Values.mastodon.s3.existingSecret }}
                   key: AWS_ACCESS_KEY_ID
             {{- end }}
-            {{- if .Values.mastodon.smtp.existingSecret }}
+            {{- if $context.Values.mastodon.smtp.existingSecret }}
             - name: "SMTP_LOGIN"
               valueFrom:
                 secretKeyRef:
-                  name: {{ .Values.mastodon.smtp.existingSecret }}
+                  name: {{ $context.Values.mastodon.smtp.existingSecret }}
                   key: login
                   optional: true
             - name: "SMTP_PASSWORD"
               valueFrom:
                 secretKeyRef:
-                  name: {{ .Values.mastodon.smtp.existingSecret }}
+                  name: {{ $context.Values.mastodon.smtp.existingSecret }}
                   key: password
             {{- end }}
-          {{- if (not .Values.mastodon.s3.enabled) }}
+          {{- if (not $context.Values.mastodon.s3.enabled) }}
           volumeMounts:
             - name: assets
               mountPath: /opt/mastodon/public/assets
@@ -119,12 +123,13 @@ spec:
               mountPath: /opt/mastodon/public/system
           {{- end }}
           resources:
-            {{- toYaml .Values.resources | nindent 12 }}
+            {{- toYaml (default (default $context.Values.resources $context.Values.mastodon.sidekiq.resources) .resources) | nindent 12 }}
-      {{- with .Values.nodeSelector }}
+      {{- with $context.Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.tolerations }}
+      {{- with $context.Values.tolerations }}
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+{{- end }}

templates/deployment-streaming.yaml

@@ -5,9 +5,7 @@ metadata:
   labels:
     {{- include "mastodon.labels" . | nindent 4 }}
 spec:
-  {{- if not .Values.autoscaling.enabled }}
+  replicas: {{ .Values.mastodon.streaming.replicas }}
-  replicas: {{ .Values.replicaCount }}
-  {{- end }}
   selector:
     matchLabels:
       {{- include "mastodon.selectorLabels" . | nindent 6 }}
@@ -15,7 +13,7 @@ spec:
   template:
     metadata:
       annotations:
-        {{- with .Values.podAnnotations }}
+        {{- with (default .Values.podAnnotations .Values.mastodon.streaming.podAnnotations) }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
         # roll the pods to pick up any db migrations or other changes
@@ -29,13 +27,13 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       serviceAccountName: {{ include "mastodon.serviceAccountName" . }}
-      {{- with .Values.podSecurityContext }}
+      {{- with (default .Values.podSecurityContext .Values.mastodon.streaming.podSecurityContext) }}
       securityContext:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       containers:
-        - name: {{ .Chart.Name }}
+        - name: {{ .Chart.Name }}-streaming
-          {{- with .Values.securityContext }}
+          {{- with (default .Values.securityContext .Values.mastodon.streaming.securityContext) }}
           securityContext:
             {{- toYaml . | nindent 12 }}
           {{- end }}
@@ -72,7 +70,7 @@ spec:
             httpGet:
               path: /api/v1/streaming/health
               port: streaming
-          {{- with .Values.resources }}
+          {{- with (default .Values.resources .Values.mastodon.streaming.resources) }}
           resources:
             {{- toYaml . | nindent 12 }}
           {{- end }}
@@ -80,7 +78,7 @@ spec:
       nodeSelector:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.affinity }}
+      {{- with (default .Values.affinity .Values.mastodon.streaming.affinity) }}
       affinity:
         {{- toYaml . | nindent 8 }}
       {{- end }}

templates/deployment-web.yaml

@@ -5,9 +5,7 @@ metadata:
   labels:
     {{- include "mastodon.labels" . | nindent 4 }}
 spec:
-  {{- if not .Values.autoscaling.enabled }}
+  replicas: {{ .Values.mastodon.web.replicas }}
-  replicas: {{ .Values.replicaCount }}
-  {{- end }}
   selector:
     matchLabels:
       {{- include "mastodon.selectorLabels" . | nindent 6 }}
@@ -16,7 +14,7 @@ spec:
   template:
     metadata:
       annotations:
-        {{- with .Values.podAnnotations }}
+        {{- with (default .Values.podAnnotations .Values.mastodon.web.podAnnotations) }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
         # roll the pods to pick up any db migrations or other changes
@@ -31,7 +29,7 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       serviceAccountName: {{ include "mastodon.serviceAccountName" . }}
-      {{- with .Values.podSecurityContext }}
+      {{- with (default .Values.podSecurityContext .Values.mastodon.web.podSecurityContext) }}
       securityContext:
         {{- toYaml . | nindent 8 }}
       {{- end }}
@@ -45,8 +43,8 @@ spec:
             claimName: {{ template "mastodon.fullname" . }}-system
       {{- end }}
       containers:
-        - name: {{ .Chart.Name }}
+        - name: {{ .Chart.Name }}-web
-          {{- with .Values.securityContext }}
+          {{- with (default .Values.securityContext .Values.mastodon.web.securityContext) }}
           securityContext:
             {{- toYaml . | nindent 12 }}
           {{- end }}
@@ -112,7 +110,7 @@ spec:
               port: http
             failureThreshold: 30
             periodSeconds: 5
-          {{- with .Values.resources }}
+          {{- with (default .Values.resources .Values.mastodon.web.resources) }}
           resources:
             {{- toYaml . | nindent 12 }}
           {{- end }}
@@ -120,7 +118,7 @@ spec:
       nodeSelector:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.affinity }}
+      {{- with (default .Values.affinity .Values.mastodon.web.affinity) }}
       affinity:
         {{- toYaml . | nindent 8 }}
       {{- end }}

templates/hpa.yaml

@@ -1,28 +0,0 @@
-{{- if .Values.autoscaling.enabled -}}
-apiVersion: autoscaling/v2beta1
-kind: HorizontalPodAutoscaler
-metadata:
-  name: {{ include "mastodon.fullname" . }}
-  labels:
-    {{- include "mastodon.labels" . | nindent 4 }}
-spec:
-  scaleTargetRef:
-    apiVersion: apps/v1
-    kind: Deployment
-    name: {{ include "mastodon.fullname" . }}
-  minReplicas: {{ .Values.autoscaling.minReplicas }}
-  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
-  metrics:
-    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
-    - type: Resource
-      resource:
-        name: cpu
-        targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
-    {{- end }}
-    {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
-    - type: Resource
-      resource:
-        name: memory
-        targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
-    {{- end }}
-{{- end }}

templates/job-create-admin.yaml

@@ -55,7 +55,7 @@ spec:
             - {{ .Values.mastodon.createAdmin.email }}
             - --confirmed
             - --role
-            - admin
+            - Owner
           envFrom:
             - configMapRef:
                 name: {{ include "mastodon.fullname" . }}-env

templates/tests/test-connection.yaml

@@ -11,5 +11,5 @@ spec:
     - name: wget
       image: busybox
       command: ['wget']
-      args: ['{{ include "mastodon.fullname" . }}:{{ .Values.service.port }}']
+      args: ['{{ include "mastodon.fullname" . }}-web:{{ .Values.service.port }}']
   restartPolicy: Never

values.yaml

@@ -1,5 +1,3 @@
-replicaCount: 1
-
 image:
   repository: tootsuite/mastodon
   # https://hub.docker.com/r/tootsuite/mastodon/tags
@@ -13,28 +11,36 @@ image:
   pullPolicy: IfNotPresent
 
 mastodon:
-  # create an initial administrator user; the password is autogenerated and will
+  # -- create an initial administrator user; the password is autogenerated and will
   # have to be reset
   createAdmin:
+    # @ignored
     enabled: false
+    # @ignored
     username: not_gargron
+    # @ignored
     email: not@example.com
   cron:
-    # run `tootctl media remove` every week
+    # -- run `tootctl media remove` every week
     removeMedia:
+      # @ignored
       enabled: true
+      # @ignored
       schedule: "0 0 * * 0"
-  # available locales: https://github.com/mastodon/mastodon/blob/main/config/application.rb#L71
+  # -- available locales: https://github.com/mastodon/mastodon/blob/main/config/application.rb#L71
   locale: en
   local_domain: mastodon.local
-  # Use of WEB_DOMAIN requires careful consideration: https://docs.joinmastodon.org/admin/config/#federation
+  # -- Use of WEB_DOMAIN requires careful consideration: https://docs.joinmastodon.org/admin/config/#federation
   # You must redirect the path LOCAL_DOMAIN/.well-known/ to WEB_DOMAIN/.well-known/ as described
-  # web_domain: mastodon.example.com
+  # Example: mastodon.example.com
-  # If set to true, the frontpage of your Mastodon server will always redirect to the first profile in the database and registrations will be disabled.
+  web_domain: null
+  # -- If set to true, the frontpage of your Mastodon server will always redirect to the first profile in the database and registrations will be disabled.
   singleUserMode: false
+  # -- Enables "Secure Mode" for more details see: https://docs.joinmastodon.org/admin/config/#authorized_fetch
+  authorizedFetch: false
   persistence:
     assets:
-      # ReadWriteOnce is more widely supported than ReadWriteMany, but limits
+      # -- ReadWriteOnce is more widely supported than ReadWriteMany, but limits
       # scalability, since it requires the Rails and Sidekiq pods to run on the
       # same node.
       accessMode: ReadWriteOnce
@@ -50,14 +56,14 @@ mastodon:
     enabled: false
     access_key: ""
     access_secret: ""
-    # you can also specify the name of an existing Secret
+    # -- you can also specify the name of an existing Secret
     # with keys AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
     existingSecret: ""
     bucket: ""
-    endpoint: https://us-east-1.linodeobjects.com
+    endpoint: ""
-    hostname: us-east-1.linodeobjects.com
+    hostname: ""
     region: ""
-    # If you have a caching proxy, enter its base URL here.
+    # -- If you have a caching proxy, enter its base URL here.
     alias_host: ""
   # these must be set manually; autogenerated keys are rotated on each upgrade
   secrets:
@@ -66,12 +72,61 @@ mastodon:
     vapid:
       private_key: ""
       public_key: ""
-    # you can also specify the name of an existing Secret
+    # -- you can also specify the name of an existing Secret
     # with keys SECRET_KEY_BASE and OTP_SECRET and
     # VAPID_PRIVATE_KEY and VAPID_PUBLIC_KEY
     existingSecret: ""
   sidekiq:
+    # -- Pod security context for all Sidekiq Pods, overwrites .Values.podSecurityContext
+    podSecurityContext: {}
+    # -- (Sidekiq Container) Security Context for all Pods, overwrites .Values.securityContext
+    securityContext: {}
+    # -- Resources for all Sidekiq Deployments unless overwritten
+    resources: {}
+    # -- Affinity for all Sidekiq Deployments unless overwritten, overwrites .Values.affinity
+    affinity: {}
+    # limits:
+    #   cpu: "1"
+    #   memory: 768Mi
+    # requests:
+    #   cpu: 250m
+    #   memory: 512Mi
+    workers:
+    - name: all-queues
+      # -- Number of threads / parallel sidekiq jobs that are executed per Pod
       concurrency: 25
+      # -- Number of Pod replicas deployed by the Deployment
+      replicas: 1
+      # -- Resources for this specific deployment to allow optimised scaling, overwrites .Values.mastodon.sidekiq.resources
+      resources: {}
+      # -- Affinity for this specific deployment, overwrites .Values.affinity and .Values.mastodon.sidekiq.affinity
+      affinity: {}
+      # -- Sidekiq queues for Mastodon that are handled by this worker. See https://docs.joinmastodon.org/admin/scaling/#concurrency
+      # See https://github.com/mperham/sidekiq/wiki/Advanced-Options#queues for how to weight queues as argument
+      queues:
+        - default,8
+        - push,6
+        - ingress,4
+        - mailers,2
+        - pull
+        - scheduler # Make sure the scheduler queue only exists once and with a worker that has 1 replica.
+    #- name: push-pull
+    #  concurrency: 50
+    #  resources: {}
+    #  replicas: 2
+    #  queues:
+    #    - push
+    #    - pull
+    #- name: mailers
+    #  concurrency: 25
+    #  replicas: 2
+    #  queues:
+    #    - mailers
+    #- name: default
+    #  concurrency: 25
+    #  replicas: 2
+    #  queues:
+    #    - default
   smtp:
     auth_method: plain
     ca_file: /etc/ssl/certs/ca-certificates.crt
@@ -86,24 +141,56 @@ mastodon:
     tls: false
     login:
     password:
-    # you can also specify the name of an existing Secret
+    # -- you can also specify the name of an existing Secret
     # with the keys login and password
     existingSecret:
   streaming:
     port: 4000
-    # this should be set manually since os.cpus() returns the number of CPUs on
+    # -- this should be set manually since os.cpus() returns the number of CPUs on
     # the node running the pod, which is unrelated to the resources allocated to
     # the pod by k8s
     workers: 1
-    # The base url for streaming can be set if the streaming API is deployed to
+    # -- The base url for streaming can be set if the streaming API is deployed to
     # a different domain/subdomain.
-    # base_url: wws://streaming.example.com
+    base_url: null
+    # -- Number of Streaming Pods running
+    replicas: 1
+    # -- Affinity for Streaming Pods, overwrites .Values.affinity
+    affinity: {}
+    # -- Pod Security Context for Streaming Pods, overwrites .Values.podSecurityContext
+    podSecurityContext: {}
+    # -- (Streaming Container) Security Context for Streaming Pods, overwrites .Values.securityContext
+    securityContext: {}
+    # -- (Streaming Container) Resources for Streaming Pods, overwrites .Values.resources
+    resources: {}
+    # limits:
+    #   cpu: "500m"
+    #   memory: 512Mi
+    # requests:
+    #   cpu: 250m
+    #   memory: 128Mi
   web:
     port: 3000
+    # -- Number of Web Pods running
+    replicas: 1
+    # -- Affinity for Web Pods, overwrites .Values.affinity
+    affinity: {}
+    # -- Pod Security Context for Web Pods, overwrites .Values.podSecurityContext
+    podSecurityContext: {}
+    # -- (Web Container) Security Context for Web Pods, overwrites .Values.securityContext
+    securityContext: {}
+    # -- (Web Container) Resources for Web Pods, overwrites .Values.resources
+    resources: {}
+    # limits:
+    #   cpu: "1"
+    #   memory: 1280Mi
+    # requests:
+    #   cpu: 250m
+    #   memory: 768Mi
 
   metrics:
     statsd:
-      # Enable statsd publishing via STATSD_ADDR environment variable
+      # -- Enable statsd publishing via STATSD_ADDR environment variable
       address: ""
 
 ingress:
@@ -121,7 +208,7 @@ ingress:
     # nginx.ingress.kubernetes.io/proxy-body-size: 40m
     #   for the NGINX ingress controller:
     # nginx.org/client-max-body-size: 40m
-  # you can specify the ingressClassName if it differs from the default
+  # -- you can specify the ingressClassName if it differs from the default
   ingressClassName:
   hosts:
     - host: mastodon.local
@@ -132,20 +219,22 @@ ingress:
       hosts:
         - mastodon.local
 
-# https://github.com/bitnami/charts/tree/master/bitnami/elasticsearch#parameters
+# -- https://github.com/bitnami/charts/tree/master/bitnami/elasticsearch#parameters
 elasticsearch:
   # `false` will disable full-text search
   #
   # if you enable ES after the initial install, you will need to manually run
   # RAILS_ENV=production bundle exec rake chewy:sync
   # (https://docs.joinmastodon.org/admin/optional/elasticsearch/)
+  # @ignored
   enabled: true
+  # @ignored
   image:
     tag: 7
 
 # https://github.com/bitnami/charts/tree/master/bitnami/postgresql#parameters
 postgresql:
-  # disable if you want to use an existing db; in which case the values below
+  # -- disable if you want to use an existing db; in which case the values below
   # must match those of that external postgres instance
   enabled: true
   # postgresqlHostname: preexisting-postgresql
@@ -172,7 +261,7 @@ redis:
   enabled: true
   hostname: ""
   port: 6379
-  # you must set a password; the password generated by the redis chart will be
+  # -- you must set a password; the password generated by the redis chart will be
   # rotated on each upgrade:
   password: ""
   # you can also specify the name of an existing Secret
@@ -180,13 +269,14 @@ redis:
   # auth:
     # existingSecret: ""
 
+# @ignored
 service:
   type: ClusterIP
   port: 80
 
 externalAuth:
   oidc:
-    # OpenID Connect support is proposed in PR #16221 and awaiting merge.
+    # -- OpenID Connect support is proposed in PR #16221 and awaiting merge.
     enabled: false
     # display_name: "example-label"
     # issuer: https://login.example.space/auth/realms/example-space
@@ -236,8 +326,8 @@ externalAuth:
     #   verified:
     #   verified_email:
   oauth_global:
-    # Force redirect local login to CAS. Does not function with SAML or LDAP.
+    # -- Automatically redirect to OIDC, CAS or SAML, and don't use local account authentication when clicking on Sign-In
-    oauth_redirect_at_sign_in: false
+    omniauth_only: false
   cas:
     enabled: false
     # url: https://sso.myserver.com
@@ -283,7 +373,7 @@ externalAuth:
     #   search: "., -"
     #   replace: _
 
-# https://github.com/mastodon/mastodon/blob/main/Dockerfile#L75
+# -- https://github.com/mastodon/mastodon/blob/main/Dockerfile#L75
 #
 # if you manually change the UID/GID environment variables, ensure these values
 # match:
@@ -292,25 +382,27 @@ podSecurityContext:
   runAsGroup: 991
   fsGroup: 991
 
+# @ignored
 securityContext: {}
 
 serviceAccount:
-  # Specifies whether a service account should be created
+  # -- Specifies whether a service account should be created
   create: true
-  # Annotations to add to the service account
+  # -- Annotations to add to the service account
   annotations: {}
-  # The name of the service account to use.
+  # -- The name of the service account to use.
   # If not set and create is true, a name is generated using the fullname template
   name: ""
 
-# Kubernetes manages pods for jobs and pods for deployments differently, so you might
+# -- Kubernetes manages pods for jobs and pods for deployments differently, so you might
 # need to apply different annotations to the two different sets of pods. The annotations
 # set with podAnnotations will be added to all deployment-managed pods.
 podAnnotations: {}
 
-# The annotations set with jobAnnotations will be added to all job pods.
+# -- The annotations set with jobAnnotations will be added to all job pods.
 jobAnnotations: {}
 
+# -- Default resources for all Deployments and jobs unless overwritten
 resources: {}
   # We usually recommend not to specify default resources and to leave this as a conscious
   # choice for the user. This also increases chances charts run on environments with little
@@ -323,15 +415,11 @@ resources: {}
   #   cpu: 100m
   #   memory: 128Mi
 
-autoscaling:
+# @ignored
-  enabled: false
-  minReplicas: 1
-  maxReplicas: 100
-  targetCPUUtilizationPercentage: 80
-  # targetMemoryUtilizationPercentage: 80
-
 nodeSelector: {}
 
+# @ignored
 tolerations: []
 
+# -- Affinity for all pods unless overwritten
 affinity: {}