mass update and migrate to networking.k8s.io/v1 api

mastodon/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.7
+version: 0.3.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

mastodon/templates/ingress.yaml

@@ -2,7 +2,12 @@
 {{- $fullName := include "mastodon.fullname" . -}}
 {{- $webPort := .Values.mastodon.web.port -}}
 {{- $streamingPort := .Values.mastodon.streaming.port -}}
-{{- if or (.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") (not (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress")) }}
+{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
+  {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
+  {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
+  {{- end }}
+{{- end }}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
 apiVersion: networking.k8s.io/v1
 {{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
 apiVersion: networking.k8s.io/v1beta1
@@ -19,6 +24,9 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
 spec:
+  {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+  ingressClassName: {{ .Values.ingress.className }}
+  {{- end }}
   {{- if .Values.ingress.tls }}
   tls:
     {{- range .Values.ingress.tls }}
@@ -36,8 +44,11 @@ spec:
         paths:
           {{- range .paths }}
           - path: {{ .path }}
+            {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
+            pathType: {{ .pathType }}
+            {{- end }}
             backend:
-              {{- if or ($.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") (not ($.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress")) }}
+              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
               service:
                 name: {{ $fullName }}-web
                 port:
@@ -46,12 +57,12 @@ spec:
               serviceName: {{ $fullName }}-web
               servicePort: {{ $webPort }}
               {{- end }}
-            {{- if or ($.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") (not ($.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress")) }}
-            pathType: ImplementationSpecific
-            {{- end }}
           - path: {{ .path }}api/v1/streaming
+            {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
+            pathType: {{ .pathType }}
+            {{- end }}
             backend:
-              {{- if or ($.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") (not ($.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress")) }}
+              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
               service:
                 name: {{ $fullName }}-streaming
                 port:
@@ -60,9 +71,6 @@ spec:
               serviceName: {{ $fullName }}-streaming
               servicePort: {{ $streamingPort }}
               {{- end }}
-            {{- if or ($.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") (not ($.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress")) }}
-            pathType: ImplementationSpecific
-            {{- end }}
           {{- end }}
     {{- end }}
 {{- end }}

mastodon/values.yaml

@@ -29,6 +29,9 @@ mastodon:
   # available locales: https://github.com/tootsuite/mastodon/blob/master/config/application.rb#L43
   locale: en
   local_domain: mastodon.local
+  # Use of WEB_DOMAIN requires careful consideration: https://docs.joinmastodon.org/admin/config/#federation
+  # You must redirect the path LOCAL_DOMAIN/.well-known/ to WEB_DOMAIN/.well-known/ as described
+  # web_domain: mastodon.example.com
   persistence:
     assets:
       # ReadWriteOnce is more widely supported than ReadWriteMany, but limits
@@ -51,6 +54,8 @@ mastodon:
     endpoint: https://us-east-1.linodeobjects.com
     hostname: us-east-1.linodeobjects.com
     region: ""
+    # If you have a caching proxy, enter its base URL here.
+    alias_host: ""
   # these must be set manually; autogenerated keys are rotated on each upgrade
   secrets:
     secret_key_base: ""
@@ -62,7 +67,7 @@ mastodon:
     concurrency: 25
   smtp:
     auth_method: plain
-    ca_file:
+    ca_file: /etc/ssl/certs/ca-certificates.crt
     delivery_method: smtp
     domain:
     enable_starttls_auto: true
@@ -80,29 +85,28 @@ mastodon:
     # the node running the pod, which is unrelated to the resources allocated to
     # the pod by k8s
     workers: 1
+    # The base url for streaming can be set if the streaming API is deployed to
+    # a different domain/subdomain.
+    # base_url: wws://streaming.example.com
   web:
     port: 3000
 
 ingress:
-  enabled: true
+  enabled: false
+  className: ""
   annotations: {}
-    #kubernetes.io/ingress.class: nginx
-    #kubernetes.io/tls-acme: "true"
-    # cert-manager.io/cluster-issuer: "letsencrypt"
-    #
-    # ensure that NGINX's upload size matches Mastodon's
-    #   for the K8s ingress controller:
-    # nginx.ingress.kubernetes.io/proxy-body-size: 40m
-    #   for the NGINX ingress controller:
-    # nginx.org/client-max-body-size: 40m
+    # nginx.ingress.kubernetes.io/proxy-body-size: "0"
+    # nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
+    # nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
   hosts:
-    - host: mastodon.local
+    - host: chart-example.local
       paths:
-        - path: '/'
-  tls:
-    - secretName: mastodon-tls
-      hosts:
-        - mastodon.local
+        - path: /
+          pathType: ImplementationSpecific
+  tls: []
+  #  - secretName: chart-example-tls
+  #    hosts:
+  #      - chart-example.local
 
 # https://github.com/bitnami/charts/tree/master/bitnami/elasticsearch#parameters
 elasticsearch:
@@ -112,10 +116,8 @@ elasticsearch:
   # RAILS_ENV=production bundle exec rake chewy:sync
   # (https://docs.joinmastodon.org/admin/optional/elasticsearch/)
   enabled: true
-  # may be removed once https://github.com/tootsuite/mastodon/pull/13828 is part
-  # of a tagged release
   image:
-    tag: 6
+    tag: 7
 
 # https://github.com/bitnami/charts/tree/master/bitnami/postgresql#parameters
 postgresql:
@@ -132,14 +134,113 @@ postgresql:
 
 # https://github.com/bitnami/charts/tree/master/bitnami/redis#parameters
 redis:
-  enabled: true
-  auth:
-    password: ""
+  # you must set a password; the password generated by the redis chart will be
+  # rotated on each upgrade:
+  password: ""
 
 service:
   type: ClusterIP
   port: 80
 
+externalAuth:
+  oidc:
+    # OpenID Connect support is proposed in PR #16221 and awaiting merge.
+    enabled: false
+    # display_name: "example-label"
+    # issuer: https://login.example.space/auth/realms/example-space
+    # discovery: true
+    # scope: "openid,profile"
+    # uid_field: uid
+    # client_id: mastodon
+    # client_secret: SECRETKEY
+    # redirect_uri: https://example.com/auth/auth/openid_connect/callback
+    # assume_email_is_verified: true
+    # client_auth_method: 
+    # response_type: 
+    # response_mode: 
+    # display: 
+    # prompt: 
+    # send_nonce: 
+    # send_scope_to_token_endpoint: 
+    # idp_logout_redirect_uri: 
+    # http_scheme: 
+    # host: 
+    # port: 
+    # jwks_uri: 
+    # auth_endpoint: 
+    # token_endpoint: 
+    # user_info_endpoint: 
+    # end_session_endpoint: 
+  saml:
+    enabled: false
+    # acs_url: http://mastodon.example.com/auth/auth/saml/callback
+    # issuer: mastodon
+    # idp_sso_target_url: https://login.example.com/auth/realms/example/protocol/saml
+    # idp_cert: '-----BEGIN CERTIFICATE-----[your_cert_content]-----END CERTIFICATE-----'
+    # idp_cert_fingerprint: 
+    # name_identifier_format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+    # cert: 
+    # private_key: 
+    # want_assertion_signed: true
+    # want_assertion_encrypted: true
+    # assume_email_is_verified: true
+    # uid_attribute: "urn:oid:0.9.2342.19200300.100.1.1"
+    # attributes_statements: 
+    #   uid: "urn:oid:0.9.2342.19200300.100.1.1"
+    #   email: "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
+    #   full_name: "urn:oid:2.16.840.1.113730.3.1.241"
+    #   first_name: "urn:oid:2.5.4.42"
+    #   last_name: "urn:oid:2.5.4.4"
+    #   verified: 
+    #   verified_email: 
+  oauth_global: 
+    # Force redirect local login to CAS. Does not function with SAML or LDAP.
+    oauth_redirect_at_sign_in: false
+  cas:
+    enabled: false
+    # url: https://sso.myserver.com
+    # host: sso.myserver.com
+    # port: 443
+    # ssl: true
+    # validate_url: 
+    # callback_url: 
+    # logout_url: 
+    # login_url: 
+    # uid_field: 'user'
+    # ca_path: 
+    # disable_ssl_verification: false
+    # assume_email_is_verified: true
+    # keys: 
+    #   uid: 'user'
+    #   name: 'name'
+    #   email: 'email'
+    #   nickname: 'nickname'
+    #   first_name: 'firstname'
+    #   last_name: 'lastname'
+    #   location: 'location'
+    #   image: 'image'
+    #   phone: 'phone'
+  pam: 
+    enabled: false
+    # email_domain: example.com
+    # default_service: rpam
+    # controlled_service: rpam
+  ldap:
+    enabled: false
+    # host: myservice.namespace.svc
+    # port: 389
+    # method: simple_tls
+    # base: 
+    # bind_on: 
+    # password: 
+    # uid: cn
+    # mail: mail
+    # search_filter: "(|(%{uid}=%{email})(%{mail}=%{email}))"
+    # uid_conversion:
+    #   enabled: true
+    #   search: "., -"
+    #   replace: _
+
 # https://github.com/tootsuite/mastodon/blob/master/Dockerfile#L88
 #
 # if you manually change the UID/GID environment variables, ensure these values