Merge pull request #1 from jessebot/feature/adding-admin-existingsecret

Feature: adding admin mastodon.createAdmin.existingsecretkeys

charts/mastodon/Chart.yaml

@@ -15,12 +15,12 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 4.0.5
+version: 4.0.6
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: v4.1.3
+appVersion: v4.1.4
 
 dependencies:
   - name: postgresql

charts/mastodon/dev-values.yaml

@@ -1,25 +1,453 @@
 # Chart values used for testing the Helm chart.
 #
+image:
+  repository: ghcr.io/mastodon/mastodon
+  # https://github.com/mastodon/mastodon/pkgs/container/mastodon
+  #
+  # alternatively, use `latest` for the latest release or `edge` for the image
+  # built from the most recent commit
+  # tag: latest
+  tag: ""
+  # use `Always` when using `latest` tag
+  pullPolicy: IfNotPresent
+
 mastodon:
+  # -- create an initial administrator user; the password is autogenerated and will
+  # have to be reset
+  createAdmin:
+    # @ignored
+    enabled: false
+    # @ignored
+    username: not_gargron
+    # @ignored
+    email: not@example.commit
+    # existingSecret: mastodon-admin
+    # secretKeys:
+    #   usernameKey: username
+    #   passwordKey: password
+    #   emailKey: email
+  cron:
+    # -- run `tootctl media remove` every week
+    removeMedia:
+      # @ignored
+      enabled: true
+      # @ignored
+      schedule: "0 0 * * 0"
+  # -- available locales: https://github.com/mastodon/mastodon/blob/main/config/application.rb#L71
+  locale: en
+  local_domain: mastodon.local
+  # -- Use of WEB_DOMAIN requires careful consideration: https://docs.joinmastodon.org/admin/config/#federation
+  # You must redirect the path LOCAL_DOMAIN/.well-known/ to WEB_DOMAIN/.well-known/ as described
+  # Example: mastodon.example.com
+  web_domain: null
+  # -- If set to true, the frontpage of your Mastodon server will always redirect to the first profile in the database and registrations will be disabled.
+  singleUserMode: false
+  # -- Enables "Secure Mode" for more details see: https://docs.joinmastodon.org/admin/config/#authorized_fetch
+  authorizedFetch: false
+  # -- Enables "Limited Federation Mode" for more detauls see: https://docs.joinmastodon.org/admin/config/#limited_federation_mode
+  limitedFederationMode: false
+  persistence:
+    assets:
+      # -- ReadWriteOnce is more widely supported than ReadWriteMany, but limits
+      # scalability, since it requires the Rails and Sidekiq pods to run on the
+      # same node.
+      accessMode: ReadWriteOnce
+      resources:
+        requests:
+          storage: 10Gi
+    system:
+      accessMode: ReadWriteOnce
+      resources:
+        requests:
+          storage: 100Gi
+  s3:
+    enabled: false
+    access_key: ""
+    access_secret: ""
+    # -- you can also specify the name of an existing Secret
+    # with keys AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
+    existingSecret: ""
+    bucket: ""
+    endpoint: ""
+    hostname: ""
+    region: ""
+    permission: ""
+    # -- If you have a caching proxy, enter its base URL here.
+    alias_host: ""
+  # these must be set manually; autogenerated keys are rotated on each upgrade
   secrets:
     secret_key_base: dummy-secret_key_base
     otp_secret: dummy-otp_secret
     vapid:
       private_key: dummy-vapid-private_key
       public_key: dummy-vapid-public_key
+    # -- you can also specify the name of an existing Secret
+    # with keys SECRET_KEY_BASE and OTP_SECRET and
+    # VAPID_PRIVATE_KEY and VAPID_PUBLIC_KEY
+    # existingSecret: ""
+  sidekiq:
+    # -- Pod security context for all Sidekiq Pods, overwrites .Values.podSecurityContext
+    podSecurityContext: {}
+    # -- (Sidekiq Container) Security Context for all Pods, overwrites .Values.securityContext
+    securityContext: {}
+    # -- Resources for all Sidekiq Deployments unless overwritten
+    resources: {}
+    # -- Affinity for all Sidekiq Deployments unless overwritten, overwrites .Values.affinity
+    affinity: {}
+    # limits:
+    #   cpu: "1"
+    #   memory: 768Mi
+    # requests:
+    #   cpu: 250m
+    #   memory: 512Mi
+    workers:
+    - name: all-queues
+      # -- Number of threads / parallel sidekiq jobs that are executed per Pod
+      concurrency: 25
+      # -- Number of Pod replicas deployed by the Deployment
+      replicas: 1
+      # -- Resources for this specific deployment to allow optimised scaling, overwrites .Values.mastodon.sidekiq.resources
+      resources: {}
+      # -- Affinity for this specific deployment, overwrites .Values.affinity and .Values.mastodon.sidekiq.affinity
+      affinity: {}
+      # -- Sidekiq queues for Mastodon that are handled by this worker. See https://docs.joinmastodon.org/admin/scaling/#concurrency
+      # See https://github.com/mperham/sidekiq/wiki/Advanced-Options#queues for how to weight queues as argument
+      queues:
+        - default,8
+        - push,6
+        - ingress,4
+        - mailers,2
+        - pull
+        - scheduler # Make sure the scheduler queue only exists once and with a worker that has 1 replica.
+    #- name: push-pull
+    #  concurrency: 50
+    #  resources: {}
+    #  replicas: 2
+    #  queues:
+    #    - push
+    #    - pull
+    #- name: mailers
+    #  concurrency: 25
+    #  replicas: 2
+    #  queues:
+    #    - mailers
+    #- name: default
+    #  concurrency: 25
+    #  replicas: 2
+    #  queues:
+    #    - default
+  smtp:
+    auth_method: plain
+    ca_file: /etc/ssl/certs/ca-certificates.crt
+    delivery_method: smtp
+    domain:
+    enable_starttls: 'auto'
+    from_address: notifications@example.com
+    return_path:
+    openssl_verify_mode: peer
+    port: 587
+    reply_to:
+    server: smtp.mailgun.org
+    tls: false
+    login:
+    password:
+    # -- Instead of defining login/password above, you can specify the name of an existing secret here. Login and
+    # password must be located in keys named `login` and `password` respectively.
+    existingSecret:
+  streaming:
+    port: 4000
+    # -- this should be set manually since os.cpus() returns the number of CPUs on
+    # the node running the pod, which is unrelated to the resources allocated to
+    # the pod by k8s
+    workers: 1
+    # -- The base url for streaming can be set if the streaming API is deployed to
+    # a different domain/subdomain.
+    base_url: null
+    # -- Number of Streaming Pods running
+    replicas: 1
+    # -- Affinity for Streaming Pods, overwrites .Values.affinity
+    affinity: {}
+    # -- Pod Security Context for Streaming Pods, overwrites .Values.podSecurityContext
+    podSecurityContext: {}
+    # -- (Streaming Container) Security Context for Streaming Pods, overwrites .Values.securityContext
+    securityContext: {}
+    # -- (Streaming Container) Resources for Streaming Pods, overwrites .Values.resources
+    resources: {}
+    # limits:
+    #   cpu: "500m"
+    #   memory: 512Mi
+    # requests:
+    #   cpu: 250m
+    #   memory: 128Mi
+  web:
+    port: 3000
+    # -- Number of Web Pods running
+    replicas: 1
+    # -- Affinity for Web Pods, overwrites .Values.affinity
+    affinity: {}
+    # -- Pod Security Context for Web Pods, overwrites .Values.podSecurityContext
+    podSecurityContext: {}
+    # -- (Web Container) Security Context for Web Pods, overwrites .Values.securityContext
+    securityContext: {}
+    # -- (Web Container) Resources for Web Pods, overwrites .Values.resources
+    resources: {}
+    # limits:
+    #   cpu: "1"
+    #   memory: 1280Mi
+    # requests:
+    #   cpu: 250m
+    #   memory: 768Mi
+    # -- Puma-specific options. Below values are based on default behavior in
+    # config/puma.rb when no custom values are provided.
+    minThreads: "5"
+    maxThreads: "5"
+    workers: "2"
+    persistentTimeout: "20"
 
-# ref: https://github.com/bitnami/charts/tree/main/bitnami/redis#parameters
-redis:
-  replica:
-    replicaCount: 1
+  metrics:
+    statsd:
+      # -- Enable statsd publishing via STATSD_ADDR environment variable
+      address: ""
 
-# ref: https://github.com/bitnami/charts/tree/main/bitnami/elasticsearch#parameters
+  # Sets the PREPARED_STATEMENTS environment variable: https://docs.joinmastodon.org/admin/config/#prepared_statements
+  preparedStatements: true
+
+ingress:
+  enabled: true
+  annotations:
+    # For choosing an ingress ingressClassName is preferred over annotations
+    # kubernetes.io/ingress.class: nginx
+    #
+    # To automatically request TLS certificates use one of the following
+    # kubernetes.io/tls-acme: "true"
+    # cert-manager.io/cluster-issuer: "letsencrypt"
+    #
+    # ensure that NGINX's upload size matches Mastodon's
+    #   for the K8s ingress controller:
+    # nginx.ingress.kubernetes.io/proxy-body-size: 40m
+    #   for the NGINX ingress controller:
+    # nginx.org/client-max-body-size: 40m
+  # -- you can specify the ingressClassName if it differs from the default
+  ingressClassName:
+  hosts:
+    - host: mastodon.local
+      paths:
+        - path: '/'
+  tls:
+    - secretName: mastodon-tls
+      hosts:
+        - mastodon.local
+
+# -- https://github.com/bitnami/charts/tree/master/bitnami/elasticsearch#parameters
 elasticsearch:
-  master:
-    replicaCount: 1
-  data:
-    replicaCount: 1
-  coordinating:
-    replicaCount: 1
-  ingest:
-    replicaCount: 1
+  # `false` will disable full-text search
+  #
+  # if you enable ES after the initial install, you will need to manually run
+  # RAILS_ENV=production bundle exec rake chewy:sync
+  # (https://docs.joinmastodon.org/admin/optional/elasticsearch/)
+  # @ignored
+  enabled: true
+  # @ignored
+  image:
+    tag: 7
+
+# https://github.com/bitnami/charts/tree/master/bitnami/postgresql#parameters
+postgresql:
+  # -- disable if you want to use an existing db; in which case the values below
+  # must match those of that external postgres instance
+  enabled: true
+  # postgresqlHostname: preexisting-postgresql
+  # postgresqlPort: 5432
+  auth:
+    database: mastodon_production
+    username: mastodon
+    # you must set a password; the password generated by the postgresql chart will
+    # be rotated on each upgrade:
+    # https://github.com/bitnami/charts/tree/master/bitnami/postgresql#upgrade
+    password: ""
+    # Set the password for the "postgres" admin user
+    # set this to the same value as above if you've previously installed
+    # this chart and you're having problems getting mastodon to connect to the DB
+    # postgresPassword: ""
+    # you can also specify the name of an existing Secret
+    # with a key of password set to the password you want
+    existingSecret: ""
+
+# https://github.com/bitnami/charts/tree/master/bitnami/redis#parameters
+redis:
+  # disable if you want to use an existing redis instance; in which case the
+  # values below must match those of that external redis instance
+  enabled: true
+  hostname: ""
+  port: 6379
+  auth:
+    # -- you must set a password; the password generated by the redis chart will be
+    # rotated on each upgrade:
+    password: ""
+    # you can also specify the name of an existing Secret
+    # with a key of redis-password set to the password you want
+    # existingSecret: ""
+
+# @ignored
+service:
+  type: ClusterIP
+  port: 80
+
+externalAuth:
+  oidc:
+    # -- OpenID Connect support is proposed in PR #16221 and awaiting merge.
+    enabled: false
+    # display_name: "example-label"
+    # issuer: https://login.example.space/auth/realms/example-space
+    # discovery: true
+    # scope: "openid,profile"
+    # uid_field: uid
+    # client_id: mastodon
+    # client_secret: SECRETKEY
+    # redirect_uri: https://example.com/auth/auth/openid_connect/callback
+    # assume_email_is_verified: true
+    # client_auth_method:
+    # response_type:
+    # response_mode:
+    # display:
+    # prompt:
+    # send_nonce:
+    # send_scope_to_token_endpoint:
+    # idp_logout_redirect_uri:
+    # http_scheme:
+    # host:
+    # port:
+    # jwks_uri:
+    # auth_endpoint:
+    # token_endpoint:
+    # user_info_endpoint:
+    # end_session_endpoint:
+  saml:
+    enabled: false
+    # acs_url: http://mastodon.example.com/auth/auth/saml/callback
+    # issuer: mastodon
+    # idp_sso_target_url: https://login.example.com/auth/realms/example/protocol/saml
+    # idp_cert: '-----BEGIN CERTIFICATE-----[your_cert_content]-----END CERTIFICATE-----'
+    # idp_cert_fingerprint:
+    # name_identifier_format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+    # cert:
+    # private_key:
+    # want_assertion_signed: true
+    # want_assertion_encrypted: true
+    # assume_email_is_verified: true
+    # uid_attribute: "urn:oid:0.9.2342.19200300.100.1.1"
+    # attributes_statements:
+    #   uid: "urn:oid:0.9.2342.19200300.100.1.1"
+    #   email: "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
+    #   full_name: "urn:oid:2.16.840.1.113730.3.1.241"
+    #   first_name: "urn:oid:2.5.4.42"
+    #   last_name: "urn:oid:2.5.4.4"
+    #   verified:
+    #   verified_email:
+  oauth_global:
+    # -- Automatically redirect to OIDC, CAS or SAML, and don't use local account authentication when clicking on Sign-In
+    omniauth_only: false
+  cas:
+    enabled: false
+    # url: https://sso.myserver.com
+    # host: sso.myserver.com
+    # port: 443
+    # ssl: true
+    # validate_url:
+    # callback_url:
+    # logout_url:
+    # login_url:
+    # uid_field: 'user'
+    # ca_path:
+    # disable_ssl_verification: false
+    # assume_email_is_verified: true
+    # keys:
+    #   uid: 'user'
+    #   name: 'name'
+    #   email: 'email'
+    #   nickname: 'nickname'
+    #   first_name: 'firstname'
+    #   last_name: 'lastname'
+    #   location: 'location'
+    #   image: 'image'
+    #   phone: 'phone'
+  pam:
+    enabled: false
+    # email_domain: example.com
+    # default_service: rpam
+    # controlled_service: rpam
+  ldap:
+    enabled: false
+    # host: myservice.namespace.svc
+    # port: 636
+    # method: simple_tls
+    # tls_no_verify: true
+    # base:
+    # bind_dn:
+    # password:
+    # uid: cn
+    # mail: mail
+    # search_filter: "(|(%{uid}=%{email})(%{mail}=%{email}))"
+    # uid_conversion:
+    #   enabled: true
+    #   search: "., -"
+    #   replace: _
+
+# -- https://github.com/mastodon/mastodon/blob/main/Dockerfile#L75
+#
+# if you manually change the UID/GID environment variables, ensure these values
+# match:
+podSecurityContext:
+  runAsUser: 991
+  runAsGroup: 991
+  fsGroup: 991
+
+# @ignored
+securityContext: {}
+
+serviceAccount:
+  # -- Specifies whether a service account should be created
+  create: true
+  # -- Annotations to add to the service account
+  annotations: {}
+  # -- The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
+# Custom annotations to apply to all created deployment objects. These can be
+# used to help mastodon interact with other services in the cluster.
+deploymentAnnotations: {}
+
+# -- Kubernetes manages pods for jobs and pods for deployments differently, so you might
+# need to apply different annotations to the two different sets of pods. The annotations
+# set with podAnnotations will be added to all deployment-managed pods.
+podAnnotations: {}
+
+# If set to true, an annotation with the current chart release number will be added to all mastodon pods. This will
+# cause all pods to be recreated every `helm upgrade` regardless of whether their config or spec changes.
+revisionPodAnnotation: true
+
+# The annotations set with jobAnnotations will be added to all job pods.
+jobAnnotations: {}
+
+# -- Default resources for all Deployments and jobs unless overwritten
+resources: {}
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+
+# @ignored
+nodeSelector: {}
+
+# @ignored
+tolerations: []
+
+# -- Affinity for all pods unless overwritten
+affinity: {}

charts/mastodon/templates/job-create-admin.yaml

@@ -45,14 +45,14 @@ spec:
       containers:
         - name: {{ include "mastodon.fullname" . }}-create-admin
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          imagePullPolicy: {{ .Values.image.pullPolicy | default "IfNotPresent" }}
           command:
             - bin/tootctl
             - accounts
             - create
-            - {{ .Values.mastodon.createAdmin.username }}
+            - $ADMIN_USER
             - --email
-            - {{ .Values.mastodon.createAdmin.email }}
+            - $ADMIN_EMAIL 
             - --confirmed
             - --role
             - Owner
@@ -62,6 +62,33 @@ spec:
             - secretRef:
                 name: {{ template "mastodon.secretName" . }}
           env:
+            - name: "ADMIN_USER"
+              {{- if .Values.mastodon.createAdmin.existingSecret }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.mastodon.createAdmin.existingSecret }}
+                  key: {{ .Values.mastodon.createAdmin.secretKeys.usernameKey }}
+              {{- else }}
+              value: {{ .Values.mastodon.createAdmin.username }}
+              {{- end }}
+            - name: "ADMIN_EMAIL"
+              {{- if .Values.mastodon.createAdmin.existingSecret }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.mastodon.createAdmin.existingSecret }}
+                  key: {{ .Values.mastodon.createAdmin.secretKeys.emailKey }}
+              {{- else }}
+              value: {{ .Values.mastodon.createAdmin.username }}
+              {{- end }}
+            - name: "ADMIN_PASS"
+              {{- if .Values.mastodon.createAdmin.existingSecret }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.mastodon.createAdmin.existingSecret }}
+                  key: {{ .Values.mastodon.createAdmin.secretKeys.passwordKey }}
+              {{- else }}
+              value: {{ .Values.mastodon.createAdmin.username }}
+              {{- end }}
             - name: "DB_PASS"
               valueFrom:
                 secretKeyRef:

charts/mastodon/values.yaml

@@ -18,7 +18,12 @@ mastodon:
     # @ignored
     username: not_gargron
     # @ignored
-    email: not@example.com
+    email: not@example.commit
+    # existingSecret: mastodon-admin
+    # secretKeys:
+    #   usernameKey: username
+    #   passwordKey: password
+    #   emailKey: email
   cron:
     # -- run `tootctl media remove` every week
     removeMedia: