Merge branch 'main' into main

.gitignore

@@ -0,0 +1 @@
+charts/

templates/_helpers.tpl

@@ -55,7 +55,9 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 Rolling pod annotations
 */}}
 {{- define "mastodon.rollingPodAnnotations" -}}
+{{- if .Values.revisionPodAnnotation }}
 rollme: {{ .Release.Revision | quote }}
+{{- end }}
 checksum/config-secrets: {{ include ( print $.Template.BasePath "/secrets.yaml" ) . | sha256sum | quote }}
 checksum/config-configmap: {{ include ( print $.Template.BasePath "/configmap-env.yaml" ) . | sha256sum | quote }}
 {{- end }}
@@ -98,6 +100,17 @@ Get the mastodon secret.
 {{- end -}}
 {{- end -}}
 
+{{/*
+Get the smtp secret.
+*/}}
+{{- define "mastodon.smtp.secretName" -}}
+{{- if .Values.mastodon.smtp.existingSecret }}
+    {{- printf "%s" (tpl .Values.mastodon.smtp.existingSecret $) -}}
+{{- else -}}
+    {{- printf "%s-smtp" (include "common.names.fullname" .) -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Get the postgresql secret.
 */}}

templates/configmap-env.yaml

@@ -15,6 +15,7 @@ data:
   DB_NAME: {{ .Values.postgresql.auth.database }}
   DB_POOL: {{ include "mastodon.maxDbPool" . }}
   DB_USER: {{ .Values.postgresql.auth.username }}
+  PREPARED_STATEMENTS: {{ .Values.mastodon.preparedStatements | quote }}
   DEFAULT_LOCALE: {{ .Values.mastodon.locale }}
   {{- if .Values.elasticsearch.enabled }}
   ES_ENABLED: "true"
@@ -31,6 +32,9 @@ data:
   {{- with .Values.mastodon.authorizedFetch }}
   AUTHORIZED_FETCH: {{ . | quote }}
   {{- end }}
+  {{- with .Values.mastodon.limitedFederationMode }}
+  LIMITED_FEDERATION_MODE: {{ . | quote }}
+  {{- end }}
   # https://devcenter.heroku.com/articles/tuning-glibc-memory-behavior
   MALLOC_ARENA_MAX: "2"
   NODE_ENV: "production"
@@ -47,11 +51,14 @@ data:
   S3_ENDPOINT: {{ .Values.mastodon.s3.endpoint }}
   S3_HOSTNAME: {{ .Values.mastodon.s3.hostname }}
   S3_PROTOCOL: "https"
+  {{- if .Values.mastodon.s3.permission }}
+  S3_PERMISSION: {{ .Values.mastodon.s3.permission }}
+  {{- end }}
   {{- with .Values.mastodon.s3.region }}
   S3_REGION: {{ . }}
   {{- end }}
   {{- with .Values.mastodon.s3.alias_host }}
-  S3_ALIAS_HOST: {{ .Values.mastodon.s3.alias_host}}
+  S3_ALIAS_HOST: {{ . }}
   {{- end }}
   {{- end }}
   {{- with .Values.mastodon.smtp.auth_method }}
@@ -75,15 +82,9 @@ data:
   {{- with .Values.mastodon.smtp.from_address }}
   SMTP_FROM_ADDRESS: {{ . }}
   {{- end }}
-  {{- with .Values.mastodon.smtp.login }}
-  SMTP_LOGIN: {{ . }}
-  {{- end }}
   {{- with .Values.mastodon.smtp.openssl_verify_mode }}
   SMTP_OPENSSL_VERIFY_MODE: {{ . }}
   {{- end }}
-  {{- with .Values.mastodon.smtp.password }}
-  SMTP_PASSWORD: {{ . }}
-  {{- end }}
   {{- with .Values.mastodon.smtp.port }}
   SMTP_PORT: {{ . | quote }}
   {{- end }}
@@ -288,13 +289,16 @@ data:
   {{- if .Values.externalAuth.ldap.enabled }}
   LDAP_ENABLED: {{ .Values.externalAuth.ldap.enabled | quote }}
   LDAP_HOST: {{ .Values.externalAuth.ldap.host }}
-  LDAP_PORT: {{ .Values.externalAuth.ldap.port }}
+  LDAP_PORT: {{ .Values.externalAuth.ldap.port | quote }}
   LDAP_METHOD: {{ .Values.externalAuth.ldap.method }}
-  {{- with .Values.externalAuth.ldap.base }}
-  LDAP_BASE: {{ . }}
+  {{- if .Values.externalAuth.ldap.tls_no_verify }}
+  LDAP_TLS_NO_VERIFY: {{ .Values.externalAuth.ldap.tls_no_verify | quote }}
   {{- end }}
-  {{- with .Values.externalAuth.ldap.bind_on }}
-  LDAP_BIND_ON: {{ . }}
+  {{- if .Values.externalAuth.ldap.base }}
+  LDAP_BASE: {{ .Values.externalAuth.ldap.base }}
+  {{- end }}
+  {{- if .Values.externalAuth.ldap.bind_dn }}
+  LDAP_BIND_DN: {{ .Values.externalAuth.ldap.bind_dn }}
   {{- end }}
   {{- with .Values.externalAuth.ldap.password }}
   LDAP_PASSWORD: {{ . }}

templates/deployment-sidekiq.yaml

@@ -31,6 +31,7 @@ spec:
         {{- end }}
         # roll the pods to pick up any db migrations or other changes
         {{- include "mastodon.rollingPodAnnotations" $context | nindent 8 }}
+        checksum/config-secrets: {{ include ( print $.Template.BasePath "/secret-smtp.yaml" ) $context | sha256sum | quote }}
       labels:
         {{- include "mastodon.selectorLabels" $context | nindent 8 }}
         app.kubernetes.io/component: sidekiq-{{ .name }}
@@ -90,6 +91,17 @@ spec:
                 secretKeyRef:
                   name: {{ template "mastodon.redis.secretName" $context }}
                   key: redis-password
+            - name: "SMTP_LOGIN"
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "mastodon.smtp.secretName" $context }}
+                  key: login
+                  optional: true
+            - name: "SMTP_PASSWORD"
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "mastodon.smtp.secretName" $context }}
+                  key: password
             {{- if (and $context.Values.mastodon.s3.enabled $context.Values.mastodon.s3.existingSecret) }}
             - name: "AWS_SECRET_ACCESS_KEY"
               valueFrom:
@@ -102,19 +114,6 @@ spec:
                   name: {{ $context.Values.mastodon.s3.existingSecret }}
                   key: AWS_ACCESS_KEY_ID
             {{- end }}
-            {{- if $context.Values.mastodon.smtp.existingSecret }}
-            - name: "SMTP_LOGIN"
-              valueFrom:
-                secretKeyRef:
-                  name: {{ $context.Values.mastodon.smtp.existingSecret }}
-                  key: login
-                  optional: true
-            - name: "SMTP_PASSWORD"
-              valueFrom:
-                secretKeyRef:
-                  name: {{ $context.Values.mastodon.smtp.existingSecret }}
-                  key: password
-            {{- end }}
           {{- if (not $context.Values.mastodon.s3.enabled) }}
           volumeMounts:
             - name: assets

templates/deployment-web.yaml

@@ -74,6 +74,22 @@ spec:
                   key: redis-password
             - name: "PORT"
               value: {{ .Values.mastodon.web.port | quote }}
+            {{- if .Values.mastodon.web.minThreads }}
+            - name: "MIN_THREADS"
+              value: {{ .Values.mastodon.web.minThreads | quote }}
+            {{- end }}
+            {{- if .Values.mastodon.web.maxThreads }}
+            - name: "MAX_THREADS"
+              value: {{ .Values.mastodon.web.maxThreads | quote }}
+            {{- end }}
+            {{- if .Values.mastodon.web.workers }}
+            - name: "WEB_CONCURRENCY"
+              value: {{ .Values.mastodon.web.workers | quote }}
+            {{- end }}
+            {{- if .Values.mastodon.web.persistentTimeout }}
+            - name: "PERSISTENT_TIMEOUT"
+              value: {{ .Values.mastodon.web.persistentTimeout | quote }}
+            {{- end }}
             {{- if (and .Values.mastodon.s3.enabled .Values.mastodon.s3.existingSecret) }}
             - name: "AWS_SECRET_ACCESS_KEY"
               valueFrom:

templates/ingress.yaml

@@ -52,7 +52,7 @@ spec:
             {{- if or ($.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") (not ($.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress")) }}
             pathType: Prefix
             {{- end }}
-          - path: {{ .path }}api/v1/streaming/
+          - path: {{ .path }}api/v1/streaming
             backend:
               {{- if or ($.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") (not ($.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress")) }}
               service:
@@ -64,7 +64,7 @@ spec:
               servicePort: {{ $streamingPort }}
               {{- end }}
             {{- if or ($.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") (not ($.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress")) }}
-            pathType: Exact
+            pathType: Prefix
             {{- end }}
           {{- end }}
     {{- end }}

templates/secret-smtp.yaml

@@ -0,0 +1,16 @@
+{{- if not .Values.mastodon.smtp.existingSecret -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ printf "%s-smtp" (include "common.names.fullname" .) }}
+  labels:
+    {{- include "mastodon.labels" . | nindent 4 }}
+type: Opaque
+data:
+  {{- with .Values.mastodon.smtp.login }}
+  login: {{ . | b64enc }}
+  {{- end }}
+  {{- with .Values.mastodon.smtp.password }}
+  password: {{ . | b64enc }}
+  {{- end }}
+{{- end }}

values.yaml

@@ -38,6 +38,8 @@ mastodon:
   singleUserMode: false
   # -- Enables "Secure Mode" for more details see: https://docs.joinmastodon.org/admin/config/#authorized_fetch
   authorizedFetch: false
+  # -- Enables "Limited Federation Mode" for more detauls see: https://docs.joinmastodon.org/admin/config/#limited_federation_mode
+  limitedFederationMode: false
   persistence:
     assets:
       # -- ReadWriteOnce is more widely supported than ReadWriteMany, but limits
@@ -63,6 +65,7 @@ mastodon:
     endpoint: ""
     hostname: ""
     region: ""
+    permission: ""
     # -- If you have a caching proxy, enter its base URL here.
     alias_host: ""
   # these must be set manually; autogenerated keys are rotated on each upgrade
@@ -141,8 +144,8 @@ mastodon:
     tls: false
     login:
     password:
-    # -- you can also specify the name of an existing Secret
-    # with the keys login and password
+    # -- Instead of defining login/password above, you can specify the name of an existing secret here. Login and
+    # password must be located in keys named `login` and `password` respectively.
     existingSecret:
   streaming:
     port: 4000
@@ -223,12 +226,21 @@ mastodon:
         port: http
       failureThreshold: 20
       periodSeconds: 3
+    # -- Puma-specific options. Below values are based on default behavior in
+    # config/puma.rb when no custom values are provided.
+    minThreads: "5"
+    maxThreads: "5"
+    workers: "2"
+    persistentTimeout: "20"
 
   metrics:
     statsd:
       # -- Enable statsd publishing via STATSD_ADDR environment variable
       address: ""
 
+  # Sets the PREPARED_STATEMENTS environment variable: https://docs.joinmastodon.org/admin/config/#prepared_statements
+  preparedStatements: true
+
 ingress:
   enabled: true
   annotations:
@@ -297,12 +309,12 @@ redis:
   enabled: true
   hostname: ""
   port: 6379
-  # -- you must set a password; the password generated by the redis chart will be
-  # rotated on each upgrade:
-  password: ""
-  # you can also specify the name of an existing Secret
-  # with a key of redis-password set to the password you want
-  # auth:
+  auth:
+    # -- you must set a password; the password generated by the redis chart will be
+    # rotated on each upgrade:
+    password: ""
+    # you can also specify the name of an existing Secret
+    # with a key of redis-password set to the password you want
     # existingSecret: ""
 
 # @ignored
@@ -396,10 +408,11 @@ externalAuth:
   ldap:
     enabled: false
     # host: myservice.namespace.svc
-    # port: 389
+    # port: 636
     # method: simple_tls
+    # tls_no_verify: true
     # base:
-    # bind_on:
+    # bind_dn:
     # password:
     # uid: cn
     # mail: mail
@@ -435,7 +448,11 @@ serviceAccount:
 # set with podAnnotations will be added to all deployment-managed pods.
 podAnnotations: {}
 
-# -- The annotations set with jobAnnotations will be added to all job pods.
+# If set to true, an annotation with the current chart release number will be added to all mastodon pods. This will
+# cause all pods to be recreated every `helm upgrade` regardless of whether their config or spec changes.
+revisionPodAnnotation: true
+
+# The annotations set with jobAnnotations will be added to all job pods.
 jobAnnotations: {}
 
 # -- Default resources for all Deployments and jobs unless overwritten