diff --git a/templates/_db-migrate.tpl b/templates/_db-migrate.tpl
new file mode 100644
index 0000000..042faf3
--- /dev/null
+++ b/templates/_db-migrate.tpl
@@ -0,0 +1,107 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Spec template for DB migration pre- and post-install/upgrade jobs.
+*/}}
+{{- define "mastodon.dbMigrateJob" -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ {{- if .prepare }}
+ name: {{ include "mastodon.fullname" . }}-db-prepare
+ {{- else if .preDeploy }}
+ name: {{ include "mastodon.fullname" . }}-db-pre-migrate
+ {{- else }}
+ name: {{ include "mastodon.fullname" . }}-db-post-migrate
+ {{- end }}
+ labels:
+ {{- include "mastodon.labels" . | nindent 4 }}
+ annotations:
+ {{- if .prepare }}
+ "helm.sh/hook": pre-install
+ {{- else if .preDeploy }}
+ "helm.sh/hook": pre-upgrade
+ {{- else }}
+ "helm.sh/hook": post-install,post-upgrade
+ {{- end }}
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ "helm.sh/hook-weight": "-2"
+spec:
+ template:
+ metadata:
+ name: {{ include "mastodon.fullname" . }}-db-migrate
+ {{- with .Values.jobAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ restartPolicy: Never
+ containers:
+ - name: {{ include "mastodon.fullname" . }}-db-migrate
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ command:
+ - bundle
+ - exec
+ - rake
+ {{- if .prepare }}
+ - db:prepare
+ {{- else }}
+ - db:migrate
+ {{- end }}
+ envFrom:
+ - secretRef:
+ {{- if and .prepare (not .Values.mastodon.secrets.existingSecret) }}
+ name: {{ template "mastodon.secretName" . }}-prepare
+ {{- else }}
+ name: {{ template "mastodon.secretName" . }}
+ {{- end }}
+ env:
+ - name: "DB_HOST"
+ value: {{ template "mastodon.postgres.host" . }}
+ - name: "DB_PORT"
+ value: {{ template "mastodon.postgres.port" . }}
+ - name: "DB_NAME"
+ value: {{ .Values.postgresql.auth.database }}
+ - name: "DB_USER"
+ value: {{ .Values.postgresql.auth.username }}
+ - name: "DB_PASS"
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "mastodon.postgresql.secretName" . }}
+ key: password
+ - name: "REDIS_HOST"
+ value: {{ template "mastodon.redis.host" . }}
+ - name: "REDIS_PORT"
+ value: {{ .Values.redis.port | default "6379" | quote }}
+ {{- if .Values.redis.sidekiq.enabled }}
+ {{- if .Values.redis.sidekiq.hostname }}
+ - name: SIDEKIQ_REDIS_HOST
+ value: {{ .Values.redis.sidekiq.hostname }}
+ {{- end }}
+ {{- if .Values.redis.sidekiq.port }}
+ - name: SIDEKIQ_REDIS_PORT
+ value: {{ .Values.redis.sidekiq.port | quote }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.redis.cache.enabled }}
+ {{- if .Values.redis.cache.hostname }}
+ - name: CACHE_REDIS_HOST
+ value: {{ .Values.redis.cache.hostname }}
+ {{- end }}
+ {{- if .Values.redis.cache.port }}
+ - name: CACHE_REDIS_PORT
+ value: {{ .Values.redis.cache.port | quote }}
+ {{- end }}
+ {{- end }}
+ - name: "REDIS_DRIVER"
+ value: "ruby"
+ - name: "REDIS_PASSWORD"
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "mastodon.redis.secretName" . }}
+ key: redis-password
+ {{- if .preDeploy }}
+ - name: "SKIP_POST_DEPLOYMENT_MIGRATIONS"
+ value: "true"
+ {{- end }}
+{{- end }}
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index ff7dcfc..91409e0 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
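Review bot: The env list in mastodon.dbMigrateJob still sets SIDEKIQ_REDIS_HOST and CACHE_REDIS_HOST but no longer carries the SIDEKIQ_REDIS_PASSWORD / CACHE_REDIS_PASSWORD secretKeyRefs that the old job-db-migrate.yaml injected when those instances are configured with auth.existingSecret, so a migration that reaches those Redis instances has no credential for them. The old job also pulled the `-env` ConfigMap via configMapRef; the new job drops it and inlines only DB/Redis settings, so anything else the image does not set itself (RAILS_ENV, for instance) is no longer present — worth confirming that is intended. In prepare mode DB_PASS is read from `mastodon.postgresql.secretName` while the only chart Secret guaranteed to exist at pre-install time is the `-prepare` hook Secret; if that helper resolves to the chart's main Secret when no existingSecret is configured, the pre-install job references a Secret that has not been created yet. Finally `value: {{ .Values.postgresql.auth.database }}` and the `.username` line are emitted unquoted; `value: {{ .Values.postgresql.auth.database | quote }}` keeps them valid env strings when a value is empty or looks numeric.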
@@ -121,6 +121,33 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this {{- printf "%s-%s" .Release.Name "postgresql" | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{/* +Establish which values we will use for remote connections +*/}} +{{- define "mastodon.postgres.host" -}} +{{- if .Values.postgresql.enabled }} +{{- printf "%s" (include "mastodon.postgresql.fullname" .) -}} +{{- else }} +{{- printf "%s" .Values.postgresql.postgresqlHostname -}} +{{- end }} +{{- end }} + +{{- define "mastodon.postgres.port" -}} +{{- if .Values.postgresql.enabled }} +{{- printf "%d" 5432 | int | quote -}} +{{- else }} +{{- printf "%d" | default 5432 .Values.postgresql.postgresqlPort | int | quote -}} +{{- end }} +{{- end }} + +{{- define "mastodon.redis.host" -}} +{{- if .Values.redis.enabled }} +{{- printf "%s-%s" (include "mastodon.redis.fullname" .) "master" -}} +{{- else }} +{{- printf "%s" (required "When the redis chart is disabled .Values.redis.hostname is required" .Values.redis.hostname) -}} +{{- end }} +{{- end }} + {{/* Get the mastodon secret. */}} diff --git a/templates/_secrets.tpl b/templates/_secrets.tpl new file mode 100644 index 0000000..0bbaa20 --- /dev/null +++ b/templates/_secrets.tpl 
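Review bot: In mastodon.postgres.port the disabled branch `{{- printf "%d" | default 5432 .Values.postgresql.postgresqlPort | int | quote -}}` only works by accident: `printf "%d"` with no argument yields a `%!d(MISSING)` string that the pipeline appends as the last argument of `default`, which sprig ignores because it only inspects the first given value. Write it as `{{- .Values.postgresql.postgresqlPort | default 5432 | int | quote -}}` so the intent is readable and does not depend on that quirk. mastodon.postgres.host is also inconsistent with the new mastodon.redis.host in the same hunk: the redis helper fails with `required` when the subchart is disabled and no hostname is set, while `printf "%s" .Values.postgresql.postgresqlHostname` may render an unset hostname as a Go printf placeholder rather than failing (the inline form it replaces in configmap-env rendered it empty). Consider `{{- required "When the postgresql chart is disabled .Values.postgresql.postgresqlHostname is required" .Values.postgresql.postgresqlHostname -}}` for the else branch.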
@@ -0,0 +1,72 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Spec template for mastodon secrets object.
+*/}}
+{{- define "mastodon.secrets.object" -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ {{- if .prepare }}
+ name: {{ template "mastodon.fullname" . }}-prepare
+ {{- else }}
+ name: {{ template "mastodon.fullname" . }}
+ {{- end }}
+ labels:
+ {{- include "mastodon.labels" . | nindent 4 }}
+ annotations:
+ {{- if .prepare }}
+ "helm.sh/hook": pre-install
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ "helm.sh/hook-weight": "-3"
+ {{- end }}
+type: Opaque
+data:
+ {{- if .Values.mastodon.s3.enabled }}
+ {{- if not .Values.mastodon.s3.existingSecret }}
+ AWS_ACCESS_KEY_ID: "{{ .Values.mastodon.s3.access_key | b64enc }}"
+ AWS_SECRET_ACCESS_KEY: "{{ .Values.mastodon.s3.access_secret | b64enc }}"
+ {{- end }}
+ {{- end }}
+ {{- if not .Values.mastodon.secrets.existingSecret }}
+ {{- if not (empty .Values.mastodon.secrets.secret_key_base) }}
+ SECRET_KEY_BASE: "{{ .Values.mastodon.secrets.secret_key_base | b64enc }}"
+ {{- else }}
+ SECRET_KEY_BASE: {{ required "secret_key_base is required" .Values.mastodon.secrets.secret_key_base }}
+ {{- end }}
+ {{- if not (empty .Values.mastodon.secrets.otp_secret) }}
+ OTP_SECRET: "{{ .Values.mastodon.secrets.otp_secret | b64enc }}"
+ {{- else }}
+ OTP_SECRET: {{ required "otp_secret is required" .Values.mastodon.secrets.otp_secret }}
+ {{- end }}
+ {{- if not (empty .Values.mastodon.secrets.vapid.private_key) }}
+ VAPID_PRIVATE_KEY: "{{ .Values.mastodon.secrets.vapid.private_key | b64enc }}"
+ {{- else }}
+ VAPID_PRIVATE_KEY: {{ required "vapid.private_key is required" .Values.mastodon.secrets.vapid.private_key }}
+ {{- end }}
+ {{- if not (empty .Values.mastodon.secrets.vapid.public_key) }}
+ VAPID_PUBLIC_KEY: "{{ .Values.mastodon.secrets.vapid.public_key | b64enc }}"
+ {{- else }}
+ VAPID_PUBLIC_KEY: {{ required "vapid.public_key is required" .Values.mastodon.secrets.vapid.public_key }}
+ {{- end }}
+ {{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.primaryKey) }}
+ ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: "{{ .Values.mastodon.secrets.activeRecordEncryption.primaryKey | b64enc }}"
+ {{- else }}
+ ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: {{ required "activeRecordEncryption.primaryKey is required" .Values.mastodon.secrets.activeRecordEncryption.primaryKey }}
+ {{- end }}
+ {{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.deterministicKey) }}
+ ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: "{{ .Values.mastodon.secrets.activeRecordEncryption.deterministicKey | b64enc }}"
+ {{- else }}
+ ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: {{ required "activeRecordEncryption.deterministicKey is required" .Values.mastodon.secrets.activeRecordEncryption.deterministicKey }}
+ {{- end }}
+ {{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt) }}
+ ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: "{{ .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt | b64enc }}"
+ {{- else }}
+ ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: {{ required "activeRecordEncryption.keyDerivationSalt is required" .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt }}
+ {{- end }}
+ {{- end }}
+ {{- if not .Values.postgresql.enabled }}
+ {{- if not .Values.postgresql.auth.existingSecret }}
+ password: "{{ .Values.postgresql.auth.password | b64enc }}"
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/templates/configmap-env.yaml b/templates/configmap-env.yaml
index 64f6681..ad0a0a9 100644
--- a/templates/configmap-env.yaml
+++ b/templates/configmap-env.yaml
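Review bot: The `.prepare` hook Secret is deleted only on `before-hook-creation,hook-succeeded`, so when the prepare job fails the duplicate copy of every application secret stays in the namespace until the next install attempt; `"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed` would bound its lifetime (the failed Job object itself is still available for inspection, and its pod has already terminated). Relatedly, with `.prepare` the template copies SECRET_KEY_BASE, OTP_SECRET, both VAPID keys, the three ACTIVE_RECORD_ENCRYPTION_* values and the S3 keys into the `-prepare` Secret, although the job only performs `rake db:prepare`; if booting the app for that task does not need all of them, wrapping the non-database entries in `{{- if not .prepare }}` … `{{- end }}` would keep the short-lived copy to the `password` key — confirm which keys the Rails boot actually requires before trimming.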
@@ -5,13 +5,8 @@ metadata: labels: {{- include "mastodon.labels" . | nindent 4 }} data: - {{- if .Values.postgresql.enabled }} - DB_HOST: {{ template "mastodon.postgresql.fullname" . }} - DB_PORT: "5432" - {{- else }} - DB_HOST: {{ .Values.postgresql.postgresqlHostname }} - DB_PORT: {{ .Values.postgresql.postgresqlPort | default "5432" | quote }} - {{- end }} + DB_HOST: {{ template "mastodon.postgres.host" . }} + DB_PORT: {{ template "mastodon.postgres.port" . }} DB_NAME: {{ .Values.postgresql.auth.database }} DB_POOL: {{ include "mastodon.maxDbPool" . }} DB_USER: {{ .Values.postgresql.auth.username }} @@ -66,11 +61,7 @@ data: MALLOC_ARENA_MAX: "2" NODE_ENV: "production" RAILS_ENV: "production" - {{- if .Values.redis.enabled }} - REDIS_HOST: {{ template "mastodon.redis.fullname" . }}-master - {{- else }} - REDIS_HOST: {{ required "When the redis chart is disabled .Values.redis.hostname is required" .Values.redis.hostname }} - {{- end }} + REDIS_HOST: {{ template "mastodon.redis.host" . }} REDIS_PORT: {{ .Values.redis.port | default "6379" | quote }} {{- if .Values.redis.sidekiq.enabled }} {{- if .Values.redis.sidekiq.hostname }} diff --git a/templates/job-db-migrate.yaml b/templates/job-db-migrate.yaml index 9b0745f..da7503a 100644 --- a/templates/job-db-migrate.yaml +++ b/templates/job-db-migrate.yaml 
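Review bot: `DB_HOST: {{ template "mastodon.postgres.host" . }}` (and `REDIS_HOST: {{ template "mastodon.redis.host" . }}` in the second hunk) are emitted unquoted while `DB_PORT` is quoted; when the helper renders nothing the key becomes `DB_HOST:` (YAML null), which the API server rejects for ConfigMap data, and a numeric-looking host would change type. Since the output of `template` cannot be piped, use `DB_HOST: {{ include "mastodon.postgres.host" . | quote }}` and the same for `REDIS_HOST`, matching the `include` form already used for `DB_POOL` in this hunk.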
@@ -1,93 +1 @@ -{{- if .Values.mastodon.hooks.dbMigrate.enabled -}} -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ include "mastodon.fullname" . }}-db-migrate - labels: - {{- include "mastodon.labels" . | nindent 4 }} - annotations: - "helm.sh/hook": post-install,pre-upgrade - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded - "helm.sh/hook-weight": "-2" -spec: - template: - metadata: - name: {{ include "mastodon.fullname" . }}-db-migrate - {{- with .Values.jobAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - spec: - restartPolicy: Never - {{- if (not .Values.mastodon.s3.enabled) }} - # ensure we run on the same node as the other rails components; only - # required when using PVCs that are ReadWriteOnce - {{- if or (eq "ReadWriteOnce" .Values.mastodon.persistence.assets.accessMode) (eq "ReadWriteOnce" .Values.mastodon.persistence.system.accessMode) }} - affinity: - podAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: app.kubernetes.io/part-of - operator: In - values: - - rails - topologyKey: kubernetes.io/hostname - {{- end }} - volumes: - - name: assets - persistentVolumeClaim: - claimName: {{ template "mastodon.pvc.assets" . }} - - name: system - persistentVolumeClaim: - claimName: {{ template "mastodon.pvc.system" . }} - {{- end }} - containers: - - name: {{ include "mastodon.fullname" . }}-db-migrate - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - command: - - bundle - - exec - - rake - - db:migrate - envFrom: - - configMapRef: - name: {{ include "mastodon.fullname" . }}-env - - secretRef: - name: {{ template "mastodon.secretName" . }} - env: - - name: "DB_PASS" - valueFrom: - secretKeyRef: - name: {{ template "mastodon.postgresql.secretName" . 
}} - key: password - - name: "REDIS_PASSWORD" - valueFrom: - secretKeyRef: - name: {{ template "mastodon.redis.secretName" . }} - key: redis-password - {{- if and .Values.redis.sidekiq.enabled .Values.redis.sidekiq.auth.existingSecret }} - - name: "SIDEKIQ_REDIS_PASSWORD" - valueFrom: - secretKeyRef: - name: {{ template "mastodon.redis.sidekiq.secretName" . }} - key: redis-password - {{- end }} - {{- if and .Values.redis.cache.enabled .Values.redis.cache.auth.existingSecret }} - - name: "CACHE_REDIS_PASSWORD" - valueFrom: - secretKeyRef: - name: {{ template "mastodon.redis.cache.secretName" . }} - key: redis-password - {{- end }} - - name: "PORT" - value: {{ .Values.mastodon.web.port | quote }} - {{- if (not .Values.mastodon.s3.enabled) }} - volumeMounts: - - name: assets - mountPath: /opt/mastodon/public/assets - - name: system - mountPath: /opt/mastodon/public/system - {{- end }} -{{- end -}} +{{- include "mastodon.dbMigrateJob" (merge (dict "preDeploy" false ) .) }} diff --git a/templates/job-db-pre-migrate.yaml b/templates/job-db-pre-migrate.yaml new file mode 100644 index 0000000..2f29716 --- /dev/null +++ b/templates/job-db-pre-migrate.yaml @@ -0,0 +1 @@ +{{- include "mastodon.dbMigrateJob" (merge (dict "preDeploy" true ) .) }} diff --git a/templates/job-db-prepare.yaml b/templates/job-db-prepare.yaml new file mode 100644 index 0000000..5f0b5ab --- /dev/null +++ b/templates/job-db-prepare.yaml @@ -0,0 +1,4 @@ +# Does not work with included database because of helm install order. +{{- if not .Values.postgresql.enabled }} +{{- include "mastodon.dbMigrateJob" (merge (dict "prepare" true ) .) }} +{{- end }} diff --git a/templates/secret-prepare.yml b/templates/secret-prepare.yml new file mode 100644 index 0000000..8cfac53 --- /dev/null +++ b/templates/secret-prepare.yml 
@@ -0,0 +1,4 @@
+# Does not work with included database because of helm install order.
+{{- if and (include "mastodon.createSecret" .) (not .Values.postgresql.enabled) -}}
+{{- include "mastodon.secrets.object" (merge (dict "prepare" true ) .) }}
+{{- end }}
diff --git a/templates/secrets.yaml b/templates/secrets.yaml
index 0eec2ab..584177c 100644
--- a/templates/secrets.yaml
+++ b/templates/secrets.yaml
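Review bot: templates/secret-prepare.yml uses the `.yml` extension while every other template touched by this commit uses `.yaml`; renaming it to `secret-prepare.yaml` keeps the directory consistent (Helm renders either, so this is style only). The condition here, `and (include "mastodon.createSecret" .) (not .Values.postgresql.enabled)`, is not the one under which the prepare job consumes the Secret in _db-migrate.tpl, `and .prepare (not .Values.mastodon.secrets.existingSecret)`; unless mastodon.createSecret is exactly `not existingSecret`, there is a configuration in which the job's envFrom points at a `-prepare` Secret that is never rendered, or one is rendered that nothing consumes. Deriving both sides from the same helper would close that gap.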
@@ -1,58 +1,3 @@ {{- if (include "mastodon.createSecret" .) -}} -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "mastodon.fullname" . }} - labels: - {{- include "mastodon.labels" . | nindent 4 }} -type: Opaque -data: - {{- if .Values.mastodon.s3.enabled }} - {{- if not .Values.mastodon.s3.existingSecret }} - AWS_ACCESS_KEY_ID: "{{ .Values.mastodon.s3.access_key | b64enc }}" - AWS_SECRET_ACCESS_KEY: "{{ .Values.mastodon.s3.access_secret | b64enc }}" - {{- end }} - {{- end }} - {{- if not .Values.mastodon.secrets.existingSecret }} - {{- if not (empty .Values.mastodon.secrets.secret_key_base) }} - SECRET_KEY_BASE: "{{ .Values.mastodon.secrets.secret_key_base | b64enc }}" - {{- else }} - SECRET_KEY_BASE: {{ required "secret_key_base is required" .Values.mastodon.secrets.secret_key_base }} - {{- end }} - {{- if not (empty .Values.mastodon.secrets.otp_secret) }} - OTP_SECRET: "{{ .Values.mastodon.secrets.otp_secret | b64enc }}" - {{- else }} - OTP_SECRET: {{ required "otp_secret is required" .Values.mastodon.secrets.otp_secret }} - {{- end }} - {{- if not (empty .Values.mastodon.secrets.vapid.private_key) }} - VAPID_PRIVATE_KEY: "{{ .Values.mastodon.secrets.vapid.private_key | b64enc }}" - {{- else }} - VAPID_PRIVATE_KEY: {{ required "vapid.private_key is required" .Values.mastodon.secrets.vapid.private_key }} - {{- end }} - {{- if not (empty .Values.mastodon.secrets.vapid.public_key) }} - VAPID_PUBLIC_KEY: "{{ .Values.mastodon.secrets.vapid.public_key | b64enc }}" - {{- else }} - VAPID_PUBLIC_KEY: {{ required "vapid.public_key is required" .Values.mastodon.secrets.vapid.public_key }} - {{- end }} - {{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.primaryKey) }} - ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: "{{ .Values.mastodon.secrets.activeRecordEncryption.primaryKey | b64enc }}" - {{- else }} - ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: {{ required "activeRecordEncryption.primaryKey is required" 
.Values.mastodon.secrets.activeRecordEncryption.primaryKey }} - {{- end }} - {{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.deterministicKey) }} - ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: "{{ .Values.mastodon.secrets.activeRecordEncryption.deterministicKey | b64enc }}" - {{- else }} - ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: {{ required "activeRecordEncryption.deterministicKey is required" .Values.mastodon.secrets.activeRecordEncryption.deterministicKey }} - {{- end }} - {{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt) }} - ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: "{{ .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt | b64enc }}" - {{- else }} - ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: {{ required "activeRecordEncryption.keyDerivationSalt is required" .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt }} - {{- end }} - {{- end }} - {{- if not .Values.postgresql.enabled }} - {{- if not .Values.postgresql.auth.existingSecret }} - password: "{{ .Values.postgresql.auth.password | b64enc }}" - {{- end }} - {{- end }} +{{- include "mastodon.secrets.object" . }} {{- end }} diff --git a/values.yaml b/values.yaml index 1bf977d..7ad93af 100644 --- a/values.yaml +++ b/values.yaml @@ -24,6 +24,9 @@ mastodon: # @ignored email: not@example.com hooks: + # Whether to perform DB migrations on `helm install|upgrade`. + # Please note that initial DB schema creation on `helm install` does not + # work when using the included database (postgresql.enabled=true). dbMigrate: enabled: true assetsPrecompile: 
@@ -523,7 +526,9 @@ elasticsearch: # https://github.com/bitnami/charts/tree/master/bitnami/postgresql#parameters postgresql: # -- disable if you want to use an existing db; in which case the values below - # must match those of that external postgres instance + # must match those of that external postgres instance. + # Please note that certain features do not work when enabling the included + # database, namely automatic schema creation when the app is first installed. enabled: true # postgresqlHostname: preexisting-postgresql # postgresqlPort: 5432