Create new pre/post migrate jobs (#163)

templates/_db-migrate.tpl

@@ -0,0 +1,107 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Spec template for DB migration pre- and post-install/upgrade jobs.
+*/}}
+{{- define "mastodon.dbMigrateJob" -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  {{- if .prepare }}
+  name: {{ include "mastodon.fullname" . }}-db-prepare
+  {{- else if .preDeploy }}
+  name: {{ include "mastodon.fullname" . }}-db-pre-migrate
+  {{- else }}
+  name: {{ include "mastodon.fullname" . }}-db-post-migrate
+  {{- end }}
+  labels:
+    {{- include "mastodon.labels" . | nindent 4 }}
+  annotations:
+    {{- if .prepare }}
+    "helm.sh/hook": pre-install
+    {{- else if .preDeploy }}
+    "helm.sh/hook": pre-upgrade
+    {{- else }}
+    "helm.sh/hook": post-install,post-upgrade
+    {{- end }}
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    "helm.sh/hook-weight": "-2"
+spec:
+  template:
+    metadata:
+      name: {{ include "mastodon.fullname" . }}-db-migrate
+      {{- with .Values.jobAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    spec:
+      restartPolicy: Never
+      containers:
+        - name: {{ include "mastodon.fullname" . }}-db-migrate
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          command:
+            - bundle
+            - exec
+            - rake
+            {{- if .prepare }}
+            - db:prepare
+            {{- else }}
+            - db:migrate
+            {{- end }}
+          envFrom:
+            - secretRef:
+                {{- if and .prepare (not .Values.mastodon.secrets.existingSecret) }}
+                name: {{ template "mastodon.secretName" . }}-prepare
+                {{- else }}
+                name: {{ template "mastodon.secretName" . }}
+                {{- end }}
+          env:
+            - name: "DB_HOST"
+              value: {{ template "mastodon.postgres.host" . }}
+            - name: "DB_PORT"
+              value: {{ template "mastodon.postgres.port" . }}
+            - name: "DB_NAME"
+              value: {{ .Values.postgresql.auth.database }}
+            - name: "DB_USER"
+              value: {{ .Values.postgresql.auth.username }}
+            - name: "DB_PASS"
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "mastodon.postgresql.secretName" . }}
+                  key: password
+            - name: "REDIS_HOST"
+              value: {{ template "mastodon.redis.host" . }}
+            - name: "REDIS_PORT"
+              value: {{ .Values.redis.port | default "6379" | quote }}
+            {{- if .Values.redis.sidekiq.enabled }}
+            {{- if .Values.redis.sidekiq.hostname }}
+            - name: SIDEKIQ_REDIS_HOST
+              value: {{ .Values.redis.sidekiq.hostname }}
+            {{- end }}
+            {{- if .Values.redis.sidekiq.port }}
+            - name: SIDEKIQ_REDIS_PORT
+              value: {{ .Values.redis.sidekiq.port | quote }}
+            {{- end }}
+            {{- end }}
+            {{- if .Values.redis.cache.enabled }}
+            {{- if .Values.redis.cache.hostname }}
+            - name: CACHE_REDIS_HOST
+              value: {{ .Values.redis.cache.hostname }}
+            {{- end }}
+            {{- if .Values.redis.cache.port }}
+            - name: CACHE_REDIS_PORT
+              value: {{ .Values.redis.cache.port | quote }}
+            {{- end }}
+            {{- end }}
+            - name: "REDIS_DRIVER"
+              value: "ruby"
+            - name: "REDIS_PASSWORD"
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "mastodon.redis.secretName" . }}
+                  key: redis-password
+          {{- if .preDeploy }}
+            - name: "SKIP_POST_DEPLOYMENT_MIGRATIONS"
+              value: "true"
+          {{- end }}
+{{- end }}

templates/_helpers.tpl

@@ -121,6 +121,33 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- printf "%s-%s" .Release.Name "postgresql" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
+{{/*
+Establish which values we will use for remote connections
+*/}}
+{{- define "mastodon.postgres.host" -}}
+{{- if .Values.postgresql.enabled }}
+{{- printf "%s" (include "mastodon.postgresql.fullname" .) -}}
+{{- else }}
+{{- printf "%s" .Values.postgresql.postgresqlHostname -}}
+{{- end }}
+{{- end }}
+
+{{- define "mastodon.postgres.port" -}}
+{{- if .Values.postgresql.enabled }}
+{{- printf "%d" 5432 | int | quote -}}
+{{- else }}
+{{- printf "%d" | default 5432 .Values.postgresql.postgresqlPort | int | quote -}}
+{{- end }}
+{{- end }}
+
+{{- define "mastodon.redis.host" -}}
+{{- if .Values.redis.enabled }}
+{{- printf "%s-%s" (include "mastodon.redis.fullname" .) "master" -}}
+{{- else }}
+{{- printf "%s" (required "When the redis chart is disabled .Values.redis.hostname is required" .Values.redis.hostname) -}}
+{{- end }}
+{{- end }}
+
 {{/*
 Get the mastodon secret.
 */}}

templates/_secrets.tpl

@@ -0,0 +1,72 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Spec template for mastodon secrets object.
+*/}}
+{{- define "mastodon.secrets.object" -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  {{- if .prepare }}
+  name: {{ template "mastodon.fullname" . }}-prepare
+  {{- else }}
+  name: {{ template "mastodon.fullname" . }}
+  {{- end }}
+  labels:
+    {{- include "mastodon.labels" . | nindent 4 }}
+  annotations:
+    {{- if .prepare }}
+    "helm.sh/hook": pre-install
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    "helm.sh/hook-weight": "-3"
+    {{- end }}
+type: Opaque
+data:
+  {{- if .Values.mastodon.s3.enabled }}
+  {{- if not .Values.mastodon.s3.existingSecret }}
+  AWS_ACCESS_KEY_ID: "{{ .Values.mastodon.s3.access_key | b64enc }}"
+  AWS_SECRET_ACCESS_KEY: "{{ .Values.mastodon.s3.access_secret | b64enc }}"
+  {{- end }}
+  {{- end }}
+  {{- if not .Values.mastodon.secrets.existingSecret }}
+  {{- if not (empty .Values.mastodon.secrets.secret_key_base) }}
+  SECRET_KEY_BASE: "{{ .Values.mastodon.secrets.secret_key_base | b64enc }}"
+  {{- else }}
+  SECRET_KEY_BASE: {{ required "secret_key_base is required" .Values.mastodon.secrets.secret_key_base }}
+  {{- end }}
+  {{- if not (empty .Values.mastodon.secrets.otp_secret) }}
+  OTP_SECRET: "{{ .Values.mastodon.secrets.otp_secret | b64enc }}"
+  {{- else }}
+  OTP_SECRET: {{ required "otp_secret is required" .Values.mastodon.secrets.otp_secret }}
+  {{- end }}
+  {{- if not (empty .Values.mastodon.secrets.vapid.private_key) }}
+  VAPID_PRIVATE_KEY: "{{ .Values.mastodon.secrets.vapid.private_key | b64enc }}"
+  {{- else }}
+  VAPID_PRIVATE_KEY: {{ required "vapid.private_key is required" .Values.mastodon.secrets.vapid.private_key }}
+  {{- end }}
+  {{- if not (empty .Values.mastodon.secrets.vapid.public_key) }}
+  VAPID_PUBLIC_KEY: "{{ .Values.mastodon.secrets.vapid.public_key | b64enc }}"
+  {{- else }}
+  VAPID_PUBLIC_KEY: {{ required "vapid.public_key is required" .Values.mastodon.secrets.vapid.public_key }}
+  {{- end }}
+  {{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.primaryKey) }}
+  ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: "{{ .Values.mastodon.secrets.activeRecordEncryption.primaryKey | b64enc }}"
+  {{- else }}
+  ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: {{ required "activeRecordEncryption.primaryKey is required" .Values.mastodon.secrets.activeRecordEncryption.primaryKey }}
+  {{- end }}
+  {{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.deterministicKey) }}
+  ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: "{{ .Values.mastodon.secrets.activeRecordEncryption.deterministicKey | b64enc }}"
+  {{- else }}
+  ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: {{ required "activeRecordEncryption.deterministicKey is required" .Values.mastodon.secrets.activeRecordEncryption.deterministicKey }}
+  {{- end }}
+  {{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt) }}
+  ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: "{{ .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt | b64enc }}"
+  {{- else }}
+  ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: {{ required "activeRecordEncryption.keyDerivationSalt is required" .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt }}
+  {{- end }}
+  {{- end }}
+  {{- if not .Values.postgresql.enabled }}
+  {{- if not .Values.postgresql.auth.existingSecret }}
+  password: "{{ .Values.postgresql.auth.password | b64enc }}"
+  {{- end }}
+  {{- end }}
+{{- end }}

templates/configmap-env.yaml

@@ -5,13 +5,8 @@ metadata:
   labels:
     {{- include "mastodon.labels" . | nindent 4 }}
 data:
-  {{- if .Values.postgresql.enabled }}
+  DB_HOST: {{ template "mastodon.postgres.host" . }}
-  DB_HOST: {{ template "mastodon.postgresql.fullname" . }}
+  DB_PORT: {{ template "mastodon.postgres.port" . }}
-  DB_PORT: "5432"
-  {{- else }}
-  DB_HOST: {{ .Values.postgresql.postgresqlHostname }}
-  DB_PORT: {{ .Values.postgresql.postgresqlPort | default "5432" | quote }}
-  {{- end }}
   DB_NAME: {{ .Values.postgresql.auth.database }}
   DB_POOL: {{ include "mastodon.maxDbPool" . }}
   DB_USER: {{ .Values.postgresql.auth.username }}
@@ -66,11 +61,7 @@ data:
   MALLOC_ARENA_MAX: "2"
   NODE_ENV: "production"
   RAILS_ENV: "production"
-  {{- if .Values.redis.enabled }}
+  REDIS_HOST: {{ template "mastodon.redis.host" . }}
-  REDIS_HOST: {{ template "mastodon.redis.fullname" . }}-master
-  {{- else }}
-  REDIS_HOST: {{ required "When the redis chart is disabled .Values.redis.hostname is required" .Values.redis.hostname }}
-  {{- end }}
   REDIS_PORT: {{ .Values.redis.port | default "6379" | quote }}
   {{- if .Values.redis.sidekiq.enabled }}
   {{- if .Values.redis.sidekiq.hostname }}

templates/job-db-migrate.yaml

@@ -1,93 +1 @@
-{{- if .Values.mastodon.hooks.dbMigrate.enabled -}}
+{{- include "mastodon.dbMigrateJob" (merge (dict "preDeploy" false ) .) }}
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: {{ include "mastodon.fullname" . }}-db-migrate
-  labels:
-    {{- include "mastodon.labels" . | nindent 4 }}
-  annotations:
-    "helm.sh/hook": post-install,pre-upgrade
-    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
-    "helm.sh/hook-weight": "-2"
-spec:
-  template:
-    metadata:
-      name: {{ include "mastodon.fullname" . }}-db-migrate
-      {{- with .Values.jobAnnotations }}
-      annotations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-    spec:
-      restartPolicy: Never
-      {{- if (not .Values.mastodon.s3.enabled) }}
-      # ensure we run on the same node as the other rails components; only
-      # required when using PVCs that are ReadWriteOnce
-      {{- if or (eq "ReadWriteOnce" .Values.mastodon.persistence.assets.accessMode) (eq "ReadWriteOnce" .Values.mastodon.persistence.system.accessMode) }}
-      affinity:
-        podAffinity:
-          requiredDuringSchedulingIgnoredDuringExecution:
-            - labelSelector:
-                matchExpressions:
-                  - key: app.kubernetes.io/part-of
-                    operator: In
-                    values:
-                      - rails
-              topologyKey: kubernetes.io/hostname
-      {{- end }}
-      volumes:
-        - name: assets
-          persistentVolumeClaim:
-            claimName: {{ template "mastodon.pvc.assets" . }}
-        - name: system
-          persistentVolumeClaim:
-            claimName: {{ template "mastodon.pvc.system" . }}
-      {{- end }}
-      containers:
-        - name: {{ include "mastodon.fullname" . }}-db-migrate
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
-          command:
-            - bundle
-            - exec
-            - rake
-            - db:migrate
-          envFrom:
-            - configMapRef:
-                name: {{ include "mastodon.fullname" . }}-env
-            - secretRef:
-                name: {{ template "mastodon.secretName" . }}
-          env:
-            - name: "DB_PASS"
-              valueFrom:
-                secretKeyRef:
-                  name: {{ template "mastodon.postgresql.secretName" . }}
-                  key: password
-            - name: "REDIS_PASSWORD"
-              valueFrom:
-                secretKeyRef:
-                  name: {{ template "mastodon.redis.secretName" . }}
-                  key: redis-password
-            {{- if and .Values.redis.sidekiq.enabled .Values.redis.sidekiq.auth.existingSecret }}
-            - name: "SIDEKIQ_REDIS_PASSWORD"
-              valueFrom:
-                secretKeyRef:
-                  name: {{ template "mastodon.redis.sidekiq.secretName" . }}
-                  key: redis-password
-            {{- end }}
-            {{- if and .Values.redis.cache.enabled .Values.redis.cache.auth.existingSecret }}
-            - name: "CACHE_REDIS_PASSWORD"
-              valueFrom:
-                secretKeyRef:
-                  name: {{ template "mastodon.redis.cache.secretName" . }}
-                  key: redis-password
-            {{- end }}
-            - name: "PORT"
-              value: {{ .Values.mastodon.web.port | quote }}
-          {{- if (not .Values.mastodon.s3.enabled) }}
-          volumeMounts:
-            - name: assets
-              mountPath: /opt/mastodon/public/assets
-            - name: system
-              mountPath: /opt/mastodon/public/system
-          {{- end }}
-{{- end -}}

templates/job-db-pre-migrate.yaml

@@ -0,0 +1 @@
+{{- include "mastodon.dbMigrateJob" (merge (dict "preDeploy" true ) .) }}

templates/job-db-prepare.yaml

@@ -0,0 +1,4 @@
+# Does not work with included database because of helm install order.
+{{- if not .Values.postgresql.enabled }}
+{{- include "mastodon.dbMigrateJob" (merge (dict "prepare" true ) .) }}
+{{- end }}

templates/secret-prepare.yml

@@ -0,0 +1,4 @@
+# Does not work with included database because of helm install order.
+{{- if and (include "mastodon.createSecret" .) (not .Values.postgresql.enabled) -}}
+{{- include "mastodon.secrets.object" (merge (dict "prepare" true ) .) }}
+{{- end }}

templates/secrets.yaml

@@ -1,58 +1,3 @@
 {{- if (include "mastodon.createSecret" .) -}}
-apiVersion: v1
+{{- include "mastodon.secrets.object" . }}
-kind: Secret
-metadata:
-  name: {{ template "mastodon.fullname" . }}
-  labels:
-    {{- include "mastodon.labels" . | nindent 4 }}
-type: Opaque
-data:
-  {{- if .Values.mastodon.s3.enabled }}
-  {{- if not .Values.mastodon.s3.existingSecret }}
-  AWS_ACCESS_KEY_ID: "{{ .Values.mastodon.s3.access_key | b64enc }}"
-  AWS_SECRET_ACCESS_KEY: "{{ .Values.mastodon.s3.access_secret | b64enc }}"
-  {{- end }}
-  {{- end }}
-  {{- if not .Values.mastodon.secrets.existingSecret }}
-  {{- if not (empty .Values.mastodon.secrets.secret_key_base) }}
-  SECRET_KEY_BASE: "{{ .Values.mastodon.secrets.secret_key_base | b64enc }}"
-  {{- else }}
-  SECRET_KEY_BASE: {{ required "secret_key_base is required" .Values.mastodon.secrets.secret_key_base }}
-  {{- end }}
-  {{- if not (empty .Values.mastodon.secrets.otp_secret) }}
-  OTP_SECRET: "{{ .Values.mastodon.secrets.otp_secret | b64enc }}"
-  {{- else }}
-  OTP_SECRET: {{ required "otp_secret is required" .Values.mastodon.secrets.otp_secret }}
-  {{- end }}
-  {{- if not (empty .Values.mastodon.secrets.vapid.private_key) }}
-  VAPID_PRIVATE_KEY: "{{ .Values.mastodon.secrets.vapid.private_key | b64enc }}"
-  {{- else }}
-  VAPID_PRIVATE_KEY: {{ required "vapid.private_key is required" .Values.mastodon.secrets.vapid.private_key }}
-  {{- end }}
-  {{- if not (empty .Values.mastodon.secrets.vapid.public_key) }}
-  VAPID_PUBLIC_KEY: "{{ .Values.mastodon.secrets.vapid.public_key | b64enc }}"
-  {{- else }}
-  VAPID_PUBLIC_KEY: {{ required "vapid.public_key is required" .Values.mastodon.secrets.vapid.public_key }}
-  {{- end }}
-  {{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.primaryKey) }}
-  ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: "{{ .Values.mastodon.secrets.activeRecordEncryption.primaryKey | b64enc }}"
-  {{- else }}
-  ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: {{ required "activeRecordEncryption.primaryKey is required" .Values.mastodon.secrets.activeRecordEncryption.primaryKey }}
-  {{- end }}
-  {{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.deterministicKey) }}
-  ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: "{{ .Values.mastodon.secrets.activeRecordEncryption.deterministicKey | b64enc }}"
-  {{- else }}
-  ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: {{ required "activeRecordEncryption.deterministicKey is required" .Values.mastodon.secrets.activeRecordEncryption.deterministicKey }}
-  {{- end }}
-  {{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt) }}
-  ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: "{{ .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt | b64enc }}"
-  {{- else }}
-  ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: {{ required "activeRecordEncryption.keyDerivationSalt is required" .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt }}
-  {{- end }}
-  {{- end }}
-  {{- if not .Values.postgresql.enabled }}
-  {{- if not .Values.postgresql.auth.existingSecret }}
-  password: "{{ .Values.postgresql.auth.password | b64enc }}"
-  {{- end }}
-  {{- end }}
 {{- end }}

values.yaml

@@ -24,6 +24,9 @@ mastodon:
     # @ignored
     email: not@example.com
   hooks:
+    # Whether to perform DB migrations on `helm install|upgrade`.
+    # Please note that initial DB schema creation on `helm install` does not
+    # work when using the included database (postgresql.enabled=true).
     dbMigrate:
       enabled: true
     assetsPrecompile:
@@ -523,7 +526,9 @@ elasticsearch:
 # https://github.com/bitnami/charts/tree/master/bitnami/postgresql#parameters
 postgresql:
   # -- disable if you want to use an existing db; in which case the values below
-  # must match those of that external postgres instance
+  # must match those of that external postgres instance.
+  # Please note that certain features do not work when enabling the included
+  # database, namely automatic schema creation when the app is first installed.
   enabled: true
   # postgresqlHostname: preexisting-postgresql
   # postgresqlPort: 5432