From f3dea682a5d08140c86625e13ac77f13ec737b7a Mon Sep 17 00:00:00 2001 
From: ace Date: Mon, 14 Jul 2025 00:14:20 +0300 Subject: [PATCH] mastodon: bump to v4.4.1, helm chart v6.5.0 --- mastodon/.github/workflows/test-chart.yml | 10 +- mastodon/.gitignore | 1 + mastodon/CHANGELOG.md | 135 +++++++ mastodon/Chart.yaml | 4 +- mastodon/templates/_db-migrate.tpl | 111 ++++++ mastodon/templates/_helpers.tpl | 84 ++++- mastodon/templates/_secrets.tpl | 65 ++++ mastodon/templates/configmap-env.yaml | 61 +++- mastodon/templates/cronjob-media-remove.yaml | 4 + mastodon/templates/deployment-sidekiq.yaml | 77 +++- mastodon/templates/deployment-streaming.yaml | 35 +- mastodon/templates/deployment-web.yaml | 70 +++- mastodon/templates/job-assets-copy.yaml | 97 +++++ mastodon/templates/job-chewy-upgrade.yaml | 100 ------ mastodon/templates/job-create-admin.yaml | 4 + mastodon/templates/job-db-migrate.yaml | 98 +----- mastodon/templates/job-db-pre-migrate.yaml | 7 + mastodon/templates/job-db-prepare.yaml | 7 + ...precompile.yaml => job-deploy-search.yaml} | 80 +++-- .../templates/job-set-admin-password.yaml | 22 +- mastodon/templates/secret-prepare.yml | 3 + .../templates/secret-redis-preinstall.yaml | 19 + mastodon/templates/secret-redis.yaml | 6 +- mastodon/templates/secret-smtp-bulk.yaml | 16 + mastodon/templates/secrets.yaml | 57 +-- mastodon/templates/service-streaming.yaml | 1 + mastodon/templates/service-web.yaml | 1 + mastodon/values.yaml | 330 ++++++++++++++++-- 28 files changed, 1144 insertions(+), 361 deletions(-) create mode 100644 mastodon/templates/_db-migrate.tpl create mode 100644 mastodon/templates/_secrets.tpl create mode 100644 mastodon/templates/job-assets-copy.yaml delete mode 100644 mastodon/templates/job-chewy-upgrade.yaml create mode 100644 mastodon/templates/job-db-pre-migrate.yaml create mode 100644 mastodon/templates/job-db-prepare.yaml rename mastodon/templates/{job-assets-precompile.yaml => job-deploy-search.yaml} (53%) create mode 100644 mastodon/templates/secret-prepare.yml create mode 100644 
mastodon/templates/secret-redis-preinstall.yaml create mode 100644 mastodon/templates/secret-smtp-bulk.yaml diff --git a/mastodon/.github/workflows/test-chart.yml b/mastodon/.github/workflows/test-chart.yml index 3e02fc6..09e1519 100644 --- a/mastodon/.github/workflows/test-chart.yml +++ b/mastodon/.github/workflows/test-chart.yml @@ -17,7 +17,7 @@ permissions: jobs: lint-templates: - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 steps: - uses: actions/checkout@v3 @@ -53,7 +53,7 @@ jobs: # basic configuration can be used to successfully startup mastodon. # test-install: - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 timeout-minutes: 15 strategy: @@ -75,7 +75,7 @@ jobs: # available for use in the templates, currently we need v3.6.0 or # higher. # - - k3s-channel: v1.21 + - k3s-channel: v1.28 helm-version: v3.8.0 env: @@ -109,7 +109,7 @@ jobs: run: | helm install mastodon . \ --values dev-values.yaml \ - --timeout 10m + --timeout 15m # This actions provides a report about the state of the k8s cluster, # providing logs etc on anything that has failed and workloads marked as @@ -125,7 +125,5 @@ jobs: deploy/mastodon-sidekiq deploy/mastodon-streaming deploy/mastodon-web - job/mastodon-assets-precompile - job/mastodon-chewy-upgrade job/mastodon-create-admin job/mastodon-db-migrate diff --git a/mastodon/.gitignore b/mastodon/.gitignore index ee3892e..a5b65d3 100644 --- a/mastodon/.gitignore +++ b/mastodon/.gitignore @@ -1 +1,2 @@ charts/ +.DS_Store diff --git a/mastodon/CHANGELOG.md b/mastodon/CHANGELOG.md index 2b6c100..6887904 100644 --- a/mastodon/CHANGELOG.md +++ b/mastodon/CHANGELOG.md 
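Review bot: The rollout-wait list in the last test-chart.yml hunk still names `job/mastodon-db-migrate`, but the new `_db-migrate.tpl` in this same patch names its jobs `-db-prepare`, `-db-pre-migrate` and `-db-post-migrate`, all with `"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded`, so that job has most likely been deleted (or never carried that name) by the time the wait step runs; unless `job-db-migrate.yaml` (not in this chunk) overrides the name, the line should go the same way as the two removed above it, or point at a resource that survives the install. The step that owns this list starts outside the hunk. On a context line of the first hunk, `actions/checkout@v3` is pinned to a tag rather than a commit SHA; pinning to a SHA is the usual hardening for a workflow that installs into a cluster.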
@@ -1,3 +1,138 @@ +# 6.5.0 + +Updated the Mastodon version to v4.4.1. Please read the [4.4.0 release notes](https://github.com/mastodon/mastodon/releases/tag/v4.4.0) before updating from a version < 4.4. In particular: +- Redis & Postgres minimum versions have been bumped to 6.2 and 13 respectively +- Redis namespace support has been dropped +- No-downtime updates from versions before 4.3.0 are not supported +- Elasticsearch mappings need to be updated manually via `tootctl` after deploying this new version +- The new experimental Fediverse Auxiliary Service (`fasp`) Sidekiq queue needs to be added to the list of processed queues if you changed the default Sidekiq values + +# 6.4.0 + +- Added configuration for [bulk SMTP](https://docs.joinmastodon.org/admin/config/#optional-bulk-email-settings): +```yaml +mastodon: + smtp: + bulk: +``` + +# 6.3.4 + +- Updated the Mastodon version to v4.3.9 + +# 6.3.3 + +- Updated the Mastodon version to v4.3.8 + +# 6.3.2 + +- No longer sets `DEFAULT_LOCALE` to `en` by default; leaves this value unset. + +# 6.3.1 + +- Removed DB_POOL from the ConfigMap as we should never have to override this. + +# 6.3.0 + +- Added `nodeSelector` fields for every resource type for better fine-grain tuning of where resources end up. + +# 6.2.4 + +- Fixed an issue where redis secrets specified in values or the helm CLI wouldn't be used by the db-prepare job on install. + +# 6.2.3 + +- Updated the Mastodon version to v4.3.7 + +# 6.2.2 + +- `app.kubernetes.io/version` shortens any potential digest hash to 7 characters to avoid hitting the 63 character label limit. + +# 6.2.1 + +- Fixed some situations where disabling all bitnami charts caused it to error. +- Fixed a potential null postgresql host value error. 
+ +# 6.2.0 + +- Added ability to add pod labels to pods created from Deployment objects at the global level + +# 6.1.1 + +- Updated the Mastodon version to v4.3.6 + +# 6.1.0 + +- Added a new job to re/build elasticsearch indices as a post-upgrade hook: +```yaml +mastodon: + hooks: + deploySearch: +``` + +# 6.0.3 + +- Updated the Mastodon version to v4.3.5 + +# 6.0.2 + +- Helm version tagging now utilizes `.Values.image.tag` when set. + +# 6.0.1 + +- Added additional values to separate out `db:prepare` and `db:migrate` jobs and whether they should run: +```yaml +mastodon: + hooks: + dbPrepare: + enabled: true + dbMigrate: + enabled: true +``` + +# 6.0.0 + +### !! BREAKING CHANGES !! +- Services for web & streaming now use `ipFamilyPolicy: PreferDualStack`. This will cause upgrades on existing deployments to fail, as kubernetes cannot patch this field. Please remove both service objects before running `helm upgrade` (services are `mastodon-web` and `mastodon-streaming` by default). + +### Features +- Added prometheus metrics config for web and sidekiq pods (feature will be available with Mastodon v4.4). +```yaml +mastodon: + metrics: + prometheus: +``` +- Added ability to automatically upload assets to an S3 bucket: +```yaml +mastodon: + hooks: + s3Upload: +``` +- Added OpenTelemetry metrics: +```yaml +mastodon: + otel: +--- +mastodon: + sidekiq: + otel: +--- +mastodon: + web: + otel: +``` +- Fine-grained control of labels and annotations for both pods and deployments. +- Additional redis options for separate instances (app, sidekiq, cache). +- Configurable PodDisruptionBudgets for web and streaming pods. + +### Fixes +- Various database migrations fixes + - Fixed first-time install DB setup on self-managed databases + - Fixed running migrations through a connection pooler. +- Removed old, unused jobs: + - chewy upgrade (use `tootctl search deploy` instead) + - assets precompile + # 5.1.0 - Added values for Active Record Encryption in Redis: 
diff --git a/mastodon/Chart.yaml b/mastodon/Chart.yaml index 056546b..e08b6e2 100644 --- a/mastodon/Chart.yaml +++ b/mastodon/Chart.yaml @@ -15,12 +15,12 @@ type: application # This is the chart version. This version number should be incremented each time # you make changes to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 5.1.9 +version: 6.5.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. -appVersion: v4.2.22 +appVersion: "v4.4.1" dependencies: - name: elasticsearch diff --git a/mastodon/templates/_db-migrate.tpl b/mastodon/templates/_db-migrate.tpl new file mode 100644 index 0000000..c6ff22f --- /dev/null +++ b/mastodon/templates/_db-migrate.tpl 
@@ -0,0 +1,111 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Spec template for DB migration pre- and post-install/upgrade jobs. +*/}} +{{- define "mastodon.dbMigrateJob" -}} +apiVersion: batch/v1 +kind: Job +metadata: + {{- if .prepare }} + name: {{ include "mastodon.fullname" . }}-db-prepare + {{- else if .preDeploy }} + name: {{ include "mastodon.fullname" . }}-db-pre-migrate + {{- else }} + name: {{ include "mastodon.fullname" . }}-db-post-migrate + {{- end }} + labels: + {{- include "mastodon.labels" . | nindent 4 }} + annotations: + {{- if .prepare }} + "helm.sh/hook": pre-install + {{- else if .preDeploy }} + "helm.sh/hook": pre-upgrade + {{- else }} + "helm.sh/hook": post-install,post-upgrade + {{- end }} + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + {{- if .prepare }} + "helm.sh/hook-weight": "-3" + {{- else }} + "helm.sh/hook-weight": "-2" + {{- end }} +spec: + template: + metadata: + name: {{ include "mastodon.fullname" . }}-db-migrate + {{- with .Values.jobAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + restartPolicy: Never + containers: + - name: {{ include "mastodon.fullname" . }}-db-migrate + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - bundle + - exec + - rake + {{- if .prepare }} + - db:prepare + {{- else }} + - db:migrate + {{- end }} + envFrom: + - secretRef: + name: {{ template "mastodon.secretName" . }} + env: + - name: "DB_HOST" + value: {{ template "mastodon.postgres.direct.host" . }} + - name: "DB_PORT" + value: {{ template "mastodon.postgres.direct.port" . }} + - name: "DB_NAME" + value: {{ template "mastodon.postgres.direct.database" . }} + - name: "DB_USER" + value: {{ .Values.postgresql.auth.username }} + - name: "DB_PASS" + valueFrom: + secretKeyRef: + name: {{ template "mastodon.postgresql.secretName" . 
}} + key: password + - name: "REDIS_HOST" + value: {{ template "mastodon.redis.host" . }} + - name: "REDIS_PORT" + value: {{ .Values.redis.port | default "6379" | quote }} + {{- if .Values.redis.sidekiq.enabled }} + {{- if .Values.redis.sidekiq.hostname }} + - name: SIDEKIQ_REDIS_HOST + value: {{ .Values.redis.sidekiq.hostname }} + {{- end }} + {{- if .Values.redis.sidekiq.port }} + - name: SIDEKIQ_REDIS_PORT + value: {{ .Values.redis.sidekiq.port | quote }} + {{- end }} + {{- end }} + {{- if .Values.redis.cache.enabled }} + {{- if .Values.redis.cache.hostname }} + - name: CACHE_REDIS_HOST + value: {{ .Values.redis.cache.hostname }} + {{- end }} + {{- if .Values.redis.cache.port }} + - name: CACHE_REDIS_PORT + value: {{ .Values.redis.cache.port | quote }} + {{- end }} + {{- end }} + - name: "REDIS_DRIVER" + value: "ruby" + - name: "REDIS_PASSWORD" + valueFrom: + secretKeyRef: + {{- if and (.prepare) (not .Values.redis.enabled) (not .Values.redis.auth.existingSecret) (not .Values.redis.existingSecret) (.Values.redis.auth.password) }} + name: {{ template "mastodon.redis.secretName" . }}-pre-install + {{- else }} + name: {{ template "mastodon.redis.secretName" . }} + {{- end }} + key: redis-password + {{- if .preDeploy }} + - name: "SKIP_POST_DEPLOYMENT_MIGRATIONS" + value: "true" + {{- end }} +{{- end }} diff --git a/mastodon/templates/_helpers.tpl b/mastodon/templates/_helpers.tpl index ff7dcfc..b1f50f8 100644 --- a/mastodon/templates/_helpers.tpl +++ b/mastodon/templates/_helpers.tpl @@ -47,7 +47,9 @@ Common labels helm.sh/chart: {{ include "mastodon.chart" . }} {{ include "mastodon.selectorLabels" . }} {{ include "mastodon.globalLabels" . }} -{{- if .Chart.AppVersion }} +{{- if .Values.image.tag }} +app.kubernetes.io/version: {{ regexReplaceAll "@(\\w+:\\w{0,7})\\w*" .Values.image.tag "@${1}" | quote }} +{{- else if .Chart.AppVersion }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} app.kubernetes.io/managed-by: {{ .Release.Service }} 
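Review bot: The migration container carries no `securityContext`, while the streaming deployment elsewhere in this patch renders one per container (the `securityContext: {{- toYaml . | nindent 12 }}` context lines in deployment-streaming); a job that runs `rake db:migrate` with the full credential set pulled in via `envFrom` should run with the same non-root/least-privilege settings rather than whatever the cluster defaults to, so the chart's existing pod and container securityContext values (whichever keys values.yaml uses for them) belong in this template too. Separately, the `REDIS_PASSWORD` secretKeyRef has no `optional: true`, so if an external Redis has no auth and `mastodon.redis.secretName` resolves to a secret that is never created, the job pod will fail to start instead of running without a password — worth confirming against the redis secret templates, which are outside this chunk. The job spec also sets no `activeDeadlineSeconds`; the default `backoffLimit` bounds retries but not wall-clock time, so a hung migration can hold up the hook indefinitely.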
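Review bot: The new `app.kubernetes.io/version` branch only shortens a digest, but a tag such as `v4.4.1@sha256:abcdef1` still contains `@` and `:`, which are not valid in a Kubernetes label value (only `[A-Za-z0-9_.-]`, beginning and ending alphanumeric, at most 63 characters), so any `image.tag` that includes a digest will make the API server reject every labelled resource. Sanitize after shortening, e.g. `app.kubernetes.io/version: {{ regexReplaceAll "@(\\w+:\\w{0,7})\\w*" .Values.image.tag "@${1}" | replace "@" "_" | replace ":" "_" | quote }}`, and consider a `trunc 63` for long tags. The enclosing `mastodon.labels` definition starts before the hunk.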
@@ -90,7 +92,7 @@ Create the name of the assets persistent volume to use {{- if .Values.mastodon.persistence.assets.existingClaim }} {{- printf "%s" (tpl .Values.mastodon.persistence.assets.existingClaim $) -}} {{- else -}} - {{- printf "%s-assets" (include "common.names.fullname" .) -}} + {{- printf "%s-assets" (include "mastodon.fullname" .) -}} {{- end -}} {{- end -}} @@ -101,7 +103,7 @@ Create the name of the system persistent volume to use {{- if .Values.mastodon.persistence.system.existingClaim }} {{- printf "%s" (tpl .Values.mastodon.persistence.system.existingClaim $) -}} {{- else -}} - {{- printf "%s-system" (include "common.names.fullname" .) -}} + {{- printf "%s-system" (include "mastodon.fullname" .) -}} {{- end -}} {{- end -}} 
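Review bot: Switching the default claim name from `common.names.fullname` to `mastodon.fullname` changes the rendered PVC name on any release where the two helpers do not resolve to the same string, and a renamed PVC on upgrade means a fresh, empty volume for assets and system media while the old claim is orphaned with the data still in it. If the two helpers are known to produce identical output in this chart, a one-line comment above each `printf` saying so would save the next reader the check, e.g. `{{/* same value as the former common.names.fullname, so existing claims keep their name */}}`; if not, this needs a CHANGELOG entry and a migration note. Both helper definitions start outside their hunks.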
@@ -121,6 +123,60 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this {{- printf "%s-%s" .Release.Name "postgresql" | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{/* +Establish which values we will use for remote connections +*/}} +{{- define "mastodon.postgres.host" -}} +{{- if .Values.postgresql.enabled }} +{{- printf "%s" (include "mastodon.postgresql.fullname" .) -}} +{{- else }} +{{- printf "%s" (required "When the postgresql chart is disabled .Values.postgresql.postgresqlHostname is required" .Values.postgresql.postgresqlHostname) -}} +{{- end }} +{{- end }} + +{{- define "mastodon.postgres.port" -}} +{{- if .Values.postgresql.enabled }} +{{- printf "%d" 5432 | int | quote -}} +{{- else }} +{{- printf "%d" | default 5432 .Values.postgresql.postgresqlPort | int | quote -}} +{{- end }} +{{- end }} + +{{/* +Establish which values we will use for direct remote DB connections +*/}} +{{- define "mastodon.postgres.direct.host" -}} +{{- if .Values.postgresql.direct.hostname }} +{{- printf "%s" .Values.postgresql.direct.hostname -}} +{{- else }} +{{- printf "%s" (include "mastodon.postgres.host" .) -}} +{{- end }} +{{- end }} + +{{- define "mastodon.postgres.direct.port" -}} +{{- if .Values.postgresql.direct.port }} +{{- printf "%d" (int .Values.postgresql.direct.port) | quote -}} +{{- else }} +{{- printf "%s" (include "mastodon.postgres.port" .) -}} +{{- end }} +{{- end }} + +{{- define "mastodon.postgres.direct.database" -}} +{{- if .Values.postgresql.direct.database }} +{{- printf "%s" .Values.postgresql.direct.database -}} +{{- else }} +{{- printf "%s" .Values.postgresql.auth.database -}} +{{- end }} +{{- end }} + +{{- define "mastodon.redis.host" -}} +{{- if .Values.redis.enabled }} +{{- printf "%s-%s" (include "mastodon.redis.fullname" .) 
"master" -}} +{{- else }} +{{- printf "%s" (required "When the redis chart is disabled .Values.redis.hostname is required" .Values.redis.hostname) -}} +{{- end }} +{{- end }} + {{/* Get the mastodon secret. */}} @@ -133,7 +189,7 @@ Get the mastodon secret. {{- end -}} {{/* -Get the smtp secret. +Get the smtp secrets. */}} {{- define "mastodon.smtp.secretName" -}} {{- if .Values.mastodon.smtp.existingSecret }} @@ -143,6 +199,14 @@ Get the smtp secret. {{- end -}} {{- end -}} +{{- define "mastodon.smtp.bulk.secretName" -}} +{{- if .Values.mastodon.smtp.bulk.existingSecret }} + {{- printf "%s" (tpl .Values.mastodon.smtp.bulk.existingSecret $) -}} +{{- else -}} + {{- printf "%s-smtp-bulk" (include "mastodon.fullname" .) -}} +{{- end -}} +{{- end -}} + {{/* Get the postgresql secret. */}} @@ -214,18 +278,6 @@ Return true if a mastodon secret object should be created {{- end -}} {{- end -}} -{{/* -Find highest number of needed database connections to set DB_POOL variable -*/}} -{{- define "mastodon.maxDbPool" -}} -{{/* Default MAX_THREADS for Puma is 5 */}} -{{- $poolSize := 5 }} -{{- range .Values.mastodon.sidekiq.workers }} -{{- $poolSize = max $poolSize .concurrency }} -{{- end }} -{{- $poolSize | quote }} -{{- end }} - {{/* Full hostname for a custom Elasticsearch cluster */}} diff --git a/mastodon/templates/_secrets.tpl b/mastodon/templates/_secrets.tpl new file mode 100644 index 0000000..88e74a6 --- /dev/null +++ b/mastodon/templates/_secrets.tpl 
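Review bot: In `mastodon.postgres.port` the external-database branch `printf "%d" | default 5432 .Values.postgresql.postgresqlPort | int | quote` appears to work only by accident: `printf "%d"` with no argument yields `%!d(MISSING)`, which the pipe appends as a trailing argument that sprig's `default` ignores in favour of `.Values.postgresql.postgresqlPort`. Write the intent directly, `{{- .Values.postgresql.postgresqlPort | default 5432 | int | quote -}}`, matching the `direct.port` helper below it. The `mastodon.postgres.host` and `mastodon.redis.host` helpers use `required`, which is the right failure mode for a missing external host.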
@@ -0,0 +1,65 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Spec template for mastodon secrets object. +*/}} +{{- define "mastodon.secrets.object" -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "mastodon.fullname" . }} + labels: + {{- include "mastodon.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-weight": "-4" +type: Opaque +data: + {{- if .Values.mastodon.s3.enabled }} + {{- if not .Values.mastodon.s3.existingSecret }} + AWS_ACCESS_KEY_ID: "{{ .Values.mastodon.s3.access_key | b64enc }}" + AWS_SECRET_ACCESS_KEY: "{{ .Values.mastodon.s3.access_secret | b64enc }}" + {{- end }} + {{- end }} + {{- if not .Values.mastodon.secrets.existingSecret }} + {{- if not (empty .Values.mastodon.secrets.secret_key_base) }} + SECRET_KEY_BASE: "{{ .Values.mastodon.secrets.secret_key_base | b64enc }}" + {{- else }} + SECRET_KEY_BASE: {{ required "secret_key_base is required" .Values.mastodon.secrets.secret_key_base }} + {{- end }} + {{- if not (empty .Values.mastodon.secrets.otp_secret) }} + OTP_SECRET: "{{ .Values.mastodon.secrets.otp_secret | b64enc }}" + {{- else }} + OTP_SECRET: {{ required "otp_secret is required" .Values.mastodon.secrets.otp_secret }} + {{- end }} + {{- if not (empty .Values.mastodon.secrets.vapid.private_key) }} + VAPID_PRIVATE_KEY: "{{ .Values.mastodon.secrets.vapid.private_key | b64enc }}" + {{- else }} + VAPID_PRIVATE_KEY: {{ required "vapid.private_key is required" .Values.mastodon.secrets.vapid.private_key }} + {{- end }} + {{- if not (empty .Values.mastodon.secrets.vapid.public_key) }} + VAPID_PUBLIC_KEY: "{{ .Values.mastodon.secrets.vapid.public_key | b64enc }}" + {{- else }} + VAPID_PUBLIC_KEY: {{ required "vapid.public_key is required" .Values.mastodon.secrets.vapid.public_key }} + {{- end }} + {{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.primaryKey) }} + ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: "{{ .Values.mastodon.secrets.activeRecordEncryption.primaryKey | b64enc }}" + 
{{- else }} + ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: {{ required "activeRecordEncryption.primaryKey is required" .Values.mastodon.secrets.activeRecordEncryption.primaryKey }} + {{- end }} + {{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.deterministicKey) }} + ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: "{{ .Values.mastodon.secrets.activeRecordEncryption.deterministicKey | b64enc }}" + {{- else }} + ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: {{ required "activeRecordEncryption.deterministicKey is required" .Values.mastodon.secrets.activeRecordEncryption.deterministicKey }} + {{- end }} + {{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt) }} + ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: "{{ .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt | b64enc }}" + {{- else }} + ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: {{ required "activeRecordEncryption.keyDerivationSalt is required" .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt }} + {{- end }} + {{- end }} + {{- if not .Values.postgresql.enabled }} + {{- if not .Values.postgresql.auth.existingSecret }} + password: "{{ .Values.postgresql.auth.password | b64enc }}" + {{- end }} + {{- end }} +{{- end }} diff --git a/mastodon/templates/configmap-env.yaml b/mastodon/templates/configmap-env.yaml index fc719d3..489aaae 100644 --- a/mastodon/templates/configmap-env.yaml +++ b/mastodon/templates/configmap-env.yaml 
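Review bot: The Secret is annotated `"helm.sh/hook": pre-install` with no `hook-delete-policy`, so it is created once and then not tracked as a release resource: a later `helm upgrade` with a rotated `secret_key_base`, `otp_secret` or VAPID key will not rewrite it, and `helm uninstall` will leave it behind with the credentials still inside. Either drop the hook annotation so the Secret is a normal release resource, or document the one-shot behaviour in a comment above `annotations:` and spell out the rotation path. This may be deliberate if the template is also included from a non-hook manifest — the callers are outside this chunk, so worth confirming. The `required` fallbacks are fine as written; they fail the render rather than emitting an empty credential.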
@@ -5,21 +5,15 @@ metadata: labels: {{- include "mastodon.labels" . | nindent 4 }} data: - {{- if .Values.postgresql.enabled }} - DB_HOST: {{ template "mastodon.postgresql.fullname" . }} - DB_PORT: "5432" - {{- else }} - DB_HOST: {{ .Values.postgresql.postgresqlHostname }} - DB_PORT: {{ .Values.postgresql.postgresqlPort | default "5432" | quote }} - {{- end }} + DB_HOST: {{ template "mastodon.postgres.host" . }} + DB_PORT: {{ template "mastodon.postgres.port" . }} DB_NAME: {{ .Values.postgresql.auth.database }} - DB_POOL: {{ include "mastodon.maxDbPool" . }} DB_USER: {{ .Values.postgresql.auth.username }} {{- if .Values.postgresql.readReplica.hostname }} REPLICA_DB_HOST: {{ .Values.postgresql.readReplica.hostname }} {{- end }} {{- if .Values.postgresql.readReplica.port }} - REPLICA_DB_PORT: {{ .Values.postgresql.readReplica.port }} + REPLICA_DB_PORT: {{ .Values.postgresql.readReplica.port | quote }} {{- end }} {{- if .Values.postgresql.readReplica.auth.database }} REPLICA_DB_NAME: {{ .Values.postgresql.readReplica.auth.database }} @@ -31,7 +25,9 @@ data: REPLICA_DB_PASS: {{ .Values.postgresql.readReplica.auth.password }} {{- end }} PREPARED_STATEMENTS: {{ .Values.mastodon.preparedStatements | quote }} + {{- if .Values.mastodon.locale }} DEFAULT_LOCALE: {{ .Values.mastodon.locale }} + {{- end }} {{- if .Values.elasticsearch.enabled }} ES_ENABLED: "true" ES_PRESET: {{ .Values.elasticsearch.preset | default "single_node_cluster" | quote }} @@ -66,11 +62,7 @@ data: MALLOC_ARENA_MAX: "2" NODE_ENV: "production" RAILS_ENV: "production" - {{- if .Values.redis.enabled }} - REDIS_HOST: {{ template "mastodon.redis.fullname" . }}-master - {{- else }} - REDIS_HOST: {{ required "When the redis chart is disabled .Values.redis.hostname is required" .Values.redis.hostname }} - {{- end }} + REDIS_HOST: {{ template "mastodon.redis.host" . }} REDIS_PORT: {{ .Values.redis.port | default "6379" | quote }} {{- if .Values.redis.sidekiq.enabled }} {{- if .Values.redis.sidekiq.hostname }} 
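Review bot: `REPLICA_DB_PASS: {{ .Values.postgresql.readReplica.auth.password }}` on a context line of the first hunk still puts a database password into the ConfigMap in plaintext, while the rest of this patch moves credentials into Secrets and `secretKeyRef`s; it should move to the secrets template and be consumed the way `DB_PASS` is in `_db-migrate.tpl`. The same hunk leaves `DB_NAME` and `DB_USER` unquoted even though `REPLICA_DB_PORT` gains `| quote`; a database or user name that looks numeric or boolean would be retyped by the YAML parser, so `| quote` on both is the safer default. The `data:` mapping continues past the hunk.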
@@ -137,10 +129,10 @@ data: SMTP_ENABLE_STARTTLS_AUTO: {{ . | quote }} {{- end }} {{- with .Values.mastodon.smtp.from_address }} - SMTP_FROM_ADDRESS: {{ . }} + SMTP_FROM_ADDRESS: {{ . | quote }} {{- end }} {{- with .Values.mastodon.smtp.return_path }} - SMTP_RETURN_PATH: {{ . }} + SMTP_RETURN_PATH: {{ . | quote }} {{- end }} {{- with .Values.mastodon.smtp.openssl_verify_mode }} SMTP_OPENSSL_VERIFY_MODE: {{ . }} @@ -149,7 +141,7 @@ data: SMTP_PORT: {{ . | quote }} {{- end }} {{- with .Values.mastodon.smtp.reply_to }} - SMTP_REPLY_TO: {{ . }} + SMTP_REPLY_TO: {{ . | quote }} {{- end }} {{- with .Values.mastodon.smtp.server }} SMTP_SERVER: {{ . }} 
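Review bot: The `| quote` added to `SMTP_FROM_ADDRESS`, `SMTP_RETURN_PATH` and `SMTP_REPLY_TO` is not applied to `SMTP_SERVER` or `SMTP_OPENSSL_VERIFY_MODE` on the adjacent context lines, and the next hunk's `BULK_SMTP_SERVER`, `BULK_SMTP_DOMAIN`, `BULK_SMTP_CA_FILE`, `BULK_SMTP_AUTH_METHOD` and `BULK_SMTP_OPENSSL_VERIFY_MODE` are unquoted as well; an IPv6 literal, a value containing `: ` or a leading `*` would then mis-parse. Quoting every string-valued SMTP key the same way, `SMTP_SERVER: {{ . | quote }}`, keeps the ConfigMap predictable.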
@@ -157,10 +149,45 @@ data: {{- with .Values.mastodon.smtp.tls }} SMTP_TLS: {{ . | quote }} {{- end }} + {{- if .Values.mastodon.smtp.bulk.enabled }} + {{- with .Values.mastodon.smtp.bulk.auth_method }} + BULK_SMTP_AUTH_METHOD: {{ . }} + {{- end }} + {{- with .Values.mastodon.smtp.bulk.ca_file }} + BULK_SMTP_CA_FILE: {{ . }} + {{- end }} + {{- with .Values.mastodon.smtp.bulk.domain }} + BULK_SMTP_DOMAIN: {{ . }} + {{- end }} + {{- with .Values.mastodon.smtp.bulk.enable_starttls }} + BULK_SMTP_ENABLE_STARTTLS: {{ . | quote }} + {{- end }} + {{- with .Values.mastodon.smtp.bulk.enable_starttls_auto }} + BULK_SMTP_ENABLE_STARTTLS_AUTO: {{ . | quote }} + {{- end }} + {{- with .Values.mastodon.smtp.bulk.from_address }} + BULK_SMTP_FROM_ADDRESS: {{ . | quote }} + {{- end }} + {{- with .Values.mastodon.smtp.bulk.openssl_verify_mode }} + BULK_SMTP_OPENSSL_VERIFY_MODE: {{ . }} + {{- end }} + {{- with .Values.mastodon.smtp.bulk.port }} + BULK_SMTP_PORT: {{ . | quote }} + {{- end }} + {{- with .Values.mastodon.smtp.bulk.server }} + BULK_SMTP_SERVER: {{ . }} + {{- end }} + {{- with .Values.mastodon.smtp.bulk.tls }} + BULK_SMTP_TLS: {{ . | quote }} + {{- end }} + {{- end }} STREAMING_CLUSTER_NUM: {{ .Values.mastodon.streaming.workers | quote }} {{- with .Values.mastodon.streaming.base_url }} STREAMING_API_BASE_URL: {{ . | quote }} {{- end }} + {{- if .Values.mastodon.trusted_proxy_ip }} + TRUSTED_PROXY_IP: {{ .Values.mastodon.trusted_proxy_ip }} + {{ end }} {{- if .Values.externalAuth.oidc.enabled }} OIDC_ENABLED: {{ .Values.externalAuth.oidc.enabled | quote }} OIDC_DISPLAY_NAME: {{ .Values.externalAuth.oidc.display_name }} diff --git a/mastodon/templates/cronjob-media-remove.yaml b/mastodon/templates/cronjob-media-remove.yaml index 5dbd578..a4c4510 100644 --- a/mastodon/templates/cronjob-media-remove.yaml +++ b/mastodon/templates/cronjob-media-remove.yaml 
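Review bot: The new `TRUSTED_PROXY_IP` block closes with `{{ end }}` instead of `{{- end }}`, which leaves a stray whitespace-only line in the rendered ConfigMap, and its value is unquoted unlike `STREAMING_API_BASE_URL` right above it; `TRUSTED_PROXY_IP: {{ .Values.mastodon.trusted_proxy_ip | quote }}` with `{{- end }}` fixes both. If this maps to Rails' trusted proxy list as the name suggests, a values.yaml comment stating that it should contain only the ingress/load-balancer ranges would help operators, since an overly broad range lets any client pick the address used for rate limiting and logs — the values file is outside this chunk.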
@@ -107,4 +107,8 @@ spec: - name: system mountPath: /opt/mastodon/public/system {{- end }} + {{- with coalesce .Values.mastodon.cron.removeMedia.nodeSelector .Values.nodeSelector }} + nodeSelector: + {{- . | toYaml | nindent 12 }} + {{- end }} {{- end }} diff --git a/mastodon/templates/deployment-sidekiq.yaml b/mastodon/templates/deployment-sidekiq.yaml index 1870cf4..7d99638 100644 --- a/mastodon/templates/deployment-sidekiq.yaml +++ b/mastodon/templates/deployment-sidekiq.yaml @@ -7,19 +7,26 @@ metadata: name: {{ include "mastodon.fullname" $context }}-sidekiq-{{ .name }} labels: {{- include "mastodon.labels" $context | nindent 4 }} + {{- with $context.Values.mastodon.sidekiq.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} app.kubernetes.io/component: sidekiq-{{ .name }} app.kubernetes.io/part-of: rails annotations: {{- with $context.Values.deploymentAnnotations }} {{- toYaml . | nindent 4 }} {{- end }} + {{- with $context.Values.mastodon.sidekiq.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} spec: {{- if (has "scheduler" .queues) }} {{- if (gt (int .replicas) 1) }} {{ fail "The scheduler queue should never have more than 1 replicas" }} {{- end }} - strategy: - type: Recreate + {{- end }} + {{- if $context.Values.mastodon.sidekiq.updateStrategy }} + strategy: {{- toYaml $context.Values.mastodon.sidekiq.updateStrategy | nindent 4 }} {{- end }} replicas: {{ .replicas }} {{- if (ne (toString $context.Values.mastodon.revisionHistoryLimit) "") }} @@ -36,6 +43,9 @@ spec: {{- with $context.Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} + {{- with $context.Values.mastodon.sidekiq.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} # roll the pods to pick up any db migrations or other changes {{- include "mastodon.rollingPodAnnotations" $context | nindent 8 }} checksum/config-secrets-smtp: {{ include ( print $.Template.BasePath "/secret-smtp.yaml" ) $context | sha256sum | quote }} 
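Review bot: Dropping the forced `strategy: type: Recreate` for workers that include the `scheduler` queue removes the only thing that kept two scheduler pods from overlapping during a rollout; the `fail` guard above it still only checks `replicas`, and with `updateStrategy` unset or set to RollingUpdate the Deployment's default surge briefly runs old and new scheduler pods side by side. Keep the old behaviour as the fallback, e.g. add `{{- else if (has "scheduler" .queues) }}` followed by the original `strategy:` / `type: Recreate` lines before the closing `{{- end }}`, or document in values.yaml that scheduler workers must set `updateStrategy.type: Recreate`. The default for `updateStrategy` lives in values.yaml, outside this chunk.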
@@ -43,6 +53,12 @@ spec: {{- include "mastodon.globalLabels" $context | nindent 8 }} {{- include "mastodon.selectorLabels" $context | nindent 8 }} {{- include "mastodon.statsdExporterLabels" $context | nindent 8 }} + {{- with $context.Values.mastodon.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with $context.Values.mastodon.sidekiq.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} app.kubernetes.io/component: sidekiq-{{ .name }} app.kubernetes.io/part-of: rails spec: @@ -159,6 +175,20 @@ spec: name: {{ include "mastodon.smtp.secretName" $context }} key: password optional: true + {{- if $context.Values.mastodon.smtp.bulk.enabled }} + - name: "BULK_SMTP_LOGIN" + valueFrom: + secretKeyRef: + name: {{ include "mastodon.smtp.bulk.secretName" $context }} + key: login + optional: true + - name: "BULK_SMTP_PASSWORD" + valueFrom: + secretKeyRef: + name: {{ include "mastodon.smtp.bulk.secretName" $context }} + key: password + optional: true + {{- end }} {{- if (and $context.Values.mastodon.s3.enabled $context.Values.mastodon.s3.existingSecret) }} - name: "AWS_SECRET_ACCESS_KEY" valueFrom: 
@@ -185,6 +215,33 @@ spec: name: {{ $context.Values.mastodon.cacheBuster.authToken.existingSecret }} key: password {{- end }} + {{- if or $context.Values.mastodon.sidekiq.otel.enabled (and $context.Values.mastodon.otel.enabled (ne $context.Values.mastodon.sidekiq.otel.enabled false)) }} + - name: OTEL_EXPORTER_OTLP_ENDPOINT + value: {{ coalesce $context.Values.mastodon.sidekiq.otel.endpointUri $context.Values.mastodon.otel.endpointUri }} + - name: OTEL_SERVICE_NAME_PREFIX + value: {{ coalesce $context.Values.mastodon.sidekiq.otel.namePrefix $context.Values.mastodon.otel.namePrefix }} + - name: OTEL_SERVICE_NAME_SEPARATOR + value: "{{ coalesce $context.Values.mastodon.sidekiq.otel.nameSeparator $context.Values.mastodon.otel.nameSeparator }}" + {{- end }} + {{- if $context.Values.mastodon.metrics.prometheus.enabled }} + - name: MASTODON_PROMETHEUS_EXPORTER_ENABLED + value: "true" + - name: MASTODON_PROMETHEUS_EXPORTER_LOCAL + value: "true" + - name: MASTODON_PROMETHEUS_EXPORTER_HOST + value: "0.0.0.0" + - name: MASTODON_PROMETHEUS_EXPORTER_PORT + value: "{{ $context.Values.mastodon.metrics.prometheus.port }}" + {{- if $context.Values.mastodon.metrics.prometheus.sidekiq.detailed }} + - name: MASTODON_PROMETHEUS_EXPORTER_SIDEKIQ_DETAILED_METRICS + value: "true" + {{- end }} + {{- end }} + {{- if $context.Values.mastodon.metrics.prometheus.enabled }} + ports: + - name: prometheus + containerPort: {{ $context.Values.mastodon.metrics.prometheus.port }} + {{- end }} volumeMounts: {{- if (not $context.Values.mastodon.s3.enabled) }} - name: assets 
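Review bot: The Prometheus exporter is bound to `0.0.0.0` on the declared `containerPort` with no authentication, so anything with network reach to the pod can scrape the sidekiq metrics; that is the normal in-cluster pattern, but it deserves a comment at the `ports:` block and a values.yaml note recommending a NetworkPolicy that limits the port to the monitoring namespace. `OTEL_EXPORTER_OTLP_ENDPOINT` and `OTEL_SERVICE_NAME_PREFIX` are rendered unquoted while `OTEL_SERVICE_NAME_SEPARATOR` is quoted; `| quote` on all three avoids a prefix or endpoint that YAML would retype. The container spec continues past the hunk.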
@@ -200,12 +257,24 @@ spec: {{- with $context.Values.volumeMounts }} {{- toYaml . | nindent 12 }} {{- end }} + {{- if $context.Values.mastodon.sidekiq.readinessProbe.enabled }} + readinessProbe: + failureThreshold: {{ default 10 $context.Values.mastodon.sidekiq.readinessProbe.failureThreshold }} + exec: + command: + - cat + - {{ required "A valid sidekiq readiness path is required." $context.Values.mastodon.sidekiq.readinessProbe.path }} + initialDelaySeconds: {{ default 10 $context.Values.mastodon.sidekiq.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ default 2 $context.Values.mastodon.sidekiq.readinessProbe.periodSeconds }} + successThreshold: {{ default 1 $context.Values.mastodon.sidekiq.readinessProbe.successThreshold }} + timeoutSeconds: {{ default 1 $context.Values.mastodon.sidekiq.readinessProbe.timeoutSeconds }} + {{- end }} resources: {{- toYaml (default (default $context.Values.resources $context.Values.mastodon.sidekiq.resources) .resources) | nindent 12 }} {{- include "mastodon.statsdExporterContainer" $ | indent 8 }} - {{- with $context.Values.nodeSelector }} + {{- with coalesce .nodeSelector $context.Values.mastodon.sidekiq.nodeSelector $context.Values.nodeSelector }} nodeSelector: - {{- toYaml . | nindent 8 }} + {{- . | toYaml | nindent 8 }} {{- end }} {{- with $context.Values.tolerations }} tolerations: diff --git a/mastodon/templates/deployment-streaming.yaml b/mastodon/templates/deployment-streaming.yaml index 0d7d071..b0752a4 100644 --- a/mastodon/templates/deployment-streaming.yaml +++ b/mastodon/templates/deployment-streaming.yaml 
@@ -4,8 +4,14 @@ metadata: name: {{ include "mastodon.fullname" . }}-streaming labels: {{- include "mastodon.labels" . | nindent 4 }} + {{- with .Values.mastodon.streaming.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} annotations: - {{- with (default .Values.deploymentAnnotations .Values.mastodon.streaming.deploymentAnnotations) }} + {{- with .Values.deploymentAnnotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.mastodon.streaming.annotations }} {{- toYaml . | nindent 4 }} {{- end }} spec: @@ -13,6 +19,9 @@ spec: {{- if (ne (toString .Values.mastodon.revisionHistoryLimit) "") }} revisionHistoryLimit: {{ .Values.mastodon.revisionHistoryLimit }} {{- end }} + {{- if .Values.mastodon.streaming.updateStrategy }} + strategy: {{- toYaml .Values.mastodon.streaming.updateStrategy | nindent 4 }} + {{- end }} selector: matchLabels: {{- include "mastodon.selectorLabels" . | nindent 6 }} @@ -20,7 +29,10 @@ spec: template: metadata: annotations: - {{- with (default .Values.podAnnotations .Values.mastodon.streaming.podAnnotations) }} + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.mastodon.streaming.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} # roll the pods to pick up any db migrations or other changes @@ -28,6 +40,12 @@ spec: labels: {{- include "mastodon.globalLabels" . | nindent 8 }} {{- include "mastodon.selectorLabels" . | nindent 8 }} + {{- with .Values.mastodon.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.mastodon.streaming.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} app.kubernetes.io/component: streaming spec: {{- with .Values.imagePullSecrets }} 
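Review bot: The deployment annotations now read `.Values.mastodon.streaming.annotations` where the old template read `.Values.mastodon.streaming.deploymentAnnotations`, so a user who set the old key has it silently ignored after the upgrade; the same rename is in the deployment-web `@@ -4` hunk. Either keep a fallback, `{{- with coalesce .Values.mastodon.streaming.annotations .Values.mastodon.streaming.deploymentAnnotations }}`, or call the dropped key out in the CHANGELOG (the 6.0.0 entry mentions fine-grained control but not a rename). Note also that the global and per-deployment maps are now both emitted instead of one replacing the other, so a key present in both produces a duplicate YAML key — last wins at best, a rejected manifest at worst — which is worth a one-line comment above the first `with`.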
@@ -55,7 +73,7 @@ spec: securityContext: {{- toYaml . | nindent 12 }} {{- end }} - image: "{{ coalesce .Values.mastodon.streaming.image.repository .Values.image.repository }}:{{ coalesce .Values.mastodon.streaming.image.tag .Values.image.tag .Chart.AppVersion }}" + image: "{{ .Values.mastodon.streaming.image.repository }}:{{ coalesce .Values.mastodon.streaming.image.tag .Values.image.tag .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} command: - node @@ -135,13 +153,20 @@ spec: httpGet: path: /api/v1/streaming/health port: streaming + startupProbe: + httpGet: + path: /api/v1/streaming/health + port: streaming + initialDelaySeconds: 5 + failureThreshold: 15 + periodSeconds: 5 {{- with (default .Values.resources .Values.mastodon.streaming.resources) }} resources: {{- toYaml . | nindent 12 }} {{- end }} - {{- with .Values.nodeSelector }} + {{- with coalesce .Values.mastodon.streaming.nodeSelector .Values.nodeSelector }} nodeSelector: - {{- toYaml . | nindent 8 }} + {{- . | toYaml | nindent 8 }} {{- end }} {{- with (default .Values.affinity .Values.mastodon.streaming.affinity) }} affinity: diff --git a/mastodon/templates/deployment-web.yaml b/mastodon/templates/deployment-web.yaml index 487f443..1031edf 100644 --- a/mastodon/templates/deployment-web.yaml +++ b/mastodon/templates/deployment-web.yaml @@ -4,8 +4,14 @@ metadata: name: {{ include "mastodon.fullname" . }}-web labels: {{- include "mastodon.labels" . | nindent 4 }} + {{- with .Values.mastodon.web.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} annotations: - {{- with (default .Values.deploymentAnnotations .Values.mastodon.web.deploymentAnnotations) }} + {{- with .Values.deploymentAnnotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.mastodon.web.annotations }} {{- toYaml . | nindent 4 }} {{- end }} spec: 
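Review bot: The new `image:` line in the `@@ -55,7 +73,7` hunk drops every fallback for the repository, so an empty `mastodon.streaming.image.repository` now renders as `":<tag>"` and the pod fails at image pull with no hint about the cause. If the intent is that streaming must use its own image (so falling back to `.Values.image.repository` would be wrong), make that explicit instead of relying on a blank: `image: "{{ required "mastodon.streaming.image.repository is required" .Values.mastodon.streaming.image.repository }}:{{ coalesce .Values.mastodon.streaming.image.tag .Values.image.tag .Chart.AppVersion }}"`. Whether values.yaml ships a non-empty default for this repository is not visible in this chunk, so the guard is cheap insurance either way.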
@@ -13,6 +19,9 @@ spec: {{- if (ne (toString .Values.mastodon.revisionHistoryLimit) "") }} revisionHistoryLimit: {{ .Values.mastodon.revisionHistoryLimit }} {{- end }} + {{- if .Values.mastodon.web.updateStrategy }} + strategy: {{- toYaml .Values.mastodon.web.updateStrategy | nindent 4 }} + {{- end }} selector: matchLabels: {{- include "mastodon.selectorLabels" . | nindent 6 }} @@ -21,7 +30,10 @@ spec: template: metadata: annotations: - {{- with (default .Values.podAnnotations .Values.mastodon.web.podAnnotations) }} + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.mastodon.web.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} # roll the pods to pick up any db migrations or other changes @@ -30,6 +42,12 @@ spec: {{- include "mastodon.globalLabels" . | nindent 8 }} {{- include "mastodon.selectorLabels" . | nindent 8 }} {{- include "mastodon.statsdExporterLabels" . | nindent 8 }} + {{- with .Values.mastodon.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.mastodon.web.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} app.kubernetes.io/component: web app.kubernetes.io/part-of: rails spec: 
@@ -173,6 +191,28 @@ spec: name: {{ .Values.mastodon.cacheBuster.authToken.existingSecret }} key: password {{- end }} + {{- if or .Values.mastodon.web.otel.enabled (and .Values.mastodon.otel.enabled (ne .Values.mastodon.web.otel.enabled false)) }} + - name: OTEL_EXPORTER_OTLP_ENDPOINT + value: {{ coalesce .Values.mastodon.web.otel.endpointUri .Values.mastodon.otel.endpointUri }} + - name: OTEL_SERVICE_NAME_PREFIX + value: {{ coalesce .Values.mastodon.web.otel.namePrefix .Values.mastodon.otel.namePrefix }} + - name: OTEL_SERVICE_NAME_SEPARATOR + value: "{{ coalesce .Values.mastodon.web.otel.nameSeparator .Values.mastodon.otel.nameSeparator }}" + {{- end }} + {{- if .Values.mastodon.metrics.prometheus.enabled }} + - name: MASTODON_PROMETHEUS_EXPORTER_ENABLED + value: "true" + - name: PROMETHEUS_EXPORTER_HOST + value: "127.0.0.1" + - name: PROMETHEUS_EXPORTER_PORT + value: "{{ .Values.mastodon.metrics.prometheus.port }}" + {{- if .Values.mastodon.metrics.prometheus.web.detailed }} + - name: MASTODON_PROMETHEUS_EXPORTER_WEB_DETAILED_METRICS + value: "true" + {{- end }} + {{- end }} + - name: TEST_ENV_VALUE + value: {{ .Values.mastodon.metrics.statsd.address }} volumeMounts: {{- if (not .Values.mastodon.s3.enabled) }} - name: assets 
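Review bot: The unconditional `TEST_ENV_VALUE` entry at the end of this hunk looks like a leftover debugging aid: it is not gated by any flag, it injects the statsd address into every web pod, and because `.Values.mastodon.metrics.statsd.address` is unquoted an empty address renders `value:` as null, which the API server rejects (env values must be strings); drop both lines. The same quoting gap applies to the OTEL block a few lines up, where `OTEL_SERVICE_NAME_SEPARATOR` is quoted but `OTEL_EXPORTER_OTLP_ENDPOINT` and `OTEL_SERVICE_NAME_PREFIX` are not, so an unset endpoint produces the same null value. Use `value: {{ coalesce .Values.mastodon.web.otel.endpointUri .Values.mastodon.otel.endpointUri | quote }}` and `value: {{ coalesce .Values.mastodon.web.otel.namePrefix .Values.mastodon.otel.namePrefix | quote }}` so the three siblings render consistently.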
@@ -203,16 +243,38 @@ spec: httpGet: path: /health port: http + initialDelaySeconds: 15 failureThreshold: 30 periodSeconds: 5 {{- with (default .Values.resources .Values.mastodon.web.resources) }} resources: {{- toYaml . | nindent 12 }} {{- end }} + {{- if .Values.mastodon.metrics.prometheus.enabled }} + - name: prometheus-exporter + image: "{{ coalesce .Values.mastodon.web.image.repository .Values.image.repository }}:{{ coalesce .Values.mastodon.web.image.tag .Values.image.tag .Chart.AppVersion }}" + command: + - ./bin/prometheus_exporter + args: + - "--bind" + - "0.0.0.0" + - "--port" + - "{{ .Values.mastodon.metrics.prometheus.port }}" + resources: + requests: + cpu: "0.1" + memory: "180M" + limits: + cpu: "0.5" + memory: "250M" + ports: + - name: prometheus + containerPort: {{ .Values.mastodon.metrics.prometheus.port }} + {{- end }} {{- include "mastodon.statsdExporterContainer" $ | indent 8 }} - {{- with .Values.nodeSelector }} + {{- with coalesce .Values.mastodon.web.nodeSelector .Values.nodeSelector }} nodeSelector: - {{- toYaml . | nindent 8 }} + {{- . | toYaml | nindent 8 }} {{- end }} {{- with (default .Values.affinity .Values.mastodon.web.affinity) }} affinity: diff --git a/mastodon/templates/job-assets-copy.yaml b/mastodon/templates/job-assets-copy.yaml new file mode 100644 index 0000000..496e599 --- /dev/null +++ b/mastodon/templates/job-assets-copy.yaml 
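Review bot: The new `prometheus-exporter` sidecar is the only container in this chart without a container-level `securityContext` or `imagePullPolicy` (the main containers render both from values, as the streaming hunk above shows), and its resources are hard-coded literals (`cpu: "0.1"`, `memory: "180M"`, `cpu: "0.5"`, `memory: "250M"`) rather than values-driven like every other `resources:` stanza here. Render the same securityContext/pullPolicy block the web container uses and read resources from a new value (something like `mastodon.metrics.prometheus.resources`, name to be chosen), keeping the current literals as its default. Binding `0.0.0.0` is required for scraping, but the exporter presumably has no authentication of its own, so the `prometheus` containerPort is reachable by anything on the pod network; a comment pointing operators at a NetworkPolicy or the same exposure pattern used for the statsd exporter would be worth adding next to the `ports:` entry.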
@@ -0,0 +1,97 @@ +{{- if .Values.mastodon.hooks.s3Upload.enabled -}} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "mastodon.fullname" . }}-assets-upload + labels: + {{- include "mastodon.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + "helm.sh/hook-weight": "-1" +spec: + template: + metadata: + name: {{ include "mastodon.fullname" . }}-assets-upload + {{- with .Values.jobAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + volumes: + restartPolicy: Never + initContainers: + - name: extract-assets + image: "{{ coalesce .Values.mastodon.web.image.repository .Values.image.repository }}:{{ coalesce .Values.mastodon.web.image.tag .Values.image.tag .Chart.AppVersion }}" + imagePullPolicy: Always + command: + - cp + args: + - -rv + - public + - /assets + volumeMounts: + - mountPath: /assets + name: assets + containers: + - name: upload-assets + image: rclone/rclone:1 + imagePullPolicy: Always + env: + - name: RCLONE_S3_NO_CHECK_BUCKET + value: "true" + - name: RCLONE_S3_ACL + value: {{ required "Please specify a canned ACL for S3 asset uploads" .Values.mastodon.hooks.s3Upload.acl }} + - name: RCLONE_CONFIG_REMOTE_TYPE + value: s3 + - name: RCLONE_CONFIG_REMOTE_PROVIDER + value: AWS + - name: RCLONE_CONFIG_REMOTE_ENDPOINT + value: {{ required "Please specify an endpoint for S3 asset uploads" .Values.mastodon.hooks.s3Upload.endpoint }} + - name: RCLONE_CONFIG_REMOTE_ACCESS_KEY_ID + valueFrom: + secretKeyRef: + name: {{ required "Please specify a secret with S3 credentials for S3 asset uploads" .Values.mastodon.hooks.s3Upload.secretRef.name }} + key: {{ .Values.mastodon.hooks.s3Upload.secretRef.keys.accesKeyId }} + - name: RCLONE_CONFIG_REMOTE_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: + name: {{ required "Please specify 
a secret with S3 credentials for S3 asset uploads" .Values.mastodon.hooks.s3Upload.secretRef.name }} + key: {{ .Values.mastodon.hooks.s3Upload.secretRef.keys.secretAccessKey }} + {{- with .Values.mastodon.hooks.s3Upload.rclone.env }} + {{- toYaml . | nindent 12 }} + {{- end }} + command: + - rclone + args: + - copy + - /assets/public + - "remote:{{ required "Please specify a bucket for S3 asset uploads" .Values.mastodon.hooks.s3Upload.bucket }}" + - --fast-list + - --transfers=32 + - --include + - "{assets,packs}/**" + - --progress + - -vv + volumeMounts: + - mountPath: /assets + name: assets + resources: + requests: + cpu: 100m + memory: 256Mi + limits: + memory: 500Mi + volumes: + - name: assets + emptyDir: {} + {{- with coalesce .Values.mastodon.hooks.s3Upload.nodeSelector .Values.nodeSelector }} + nodeSelector: + {{- . | toYaml | nindent 8 }} + {{- end }} + +{{- end -}} diff --git a/mastodon/templates/job-chewy-upgrade.yaml b/mastodon/templates/job-chewy-upgrade.yaml deleted file mode 100644 index e760f34..0000000 --- a/mastodon/templates/job-chewy-upgrade.yaml +++ /dev/null 
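Review bot: The pod spec of this new Job carries two `volumes:` keys — a bare `volumes:` immediately before `restartPolicy: Never` and the real one with the `assets` emptyDir at the bottom; most YAML loaders take the last value silently, while strict validation (kubectl's field validation, yamllint `key-duplicates`) flags the duplicate, so the first line is at best dead text and at worst a rendering failure — delete it. Separately, the `upload-assets` container pulls `rclone/rclone:1` with `imagePullPolicy: Always` while holding the bucket credentials from `secretRef`; a floating major tag means each hook run may execute different code with write access to the bucket, so pin a full version (or digest) and expose it through values like the other images in the chart. The `RCLONE_S3_ACL` and `RCLONE_CONFIG_REMOTE_ENDPOINT` values are also unquoted; `| quote` keeps them strings if someone sets an all-digit or boolean-looking value. The key name `accesKeyId` is misspelled (matching the same typo in values.yaml), which renders fine today but becomes a permanent wart in the chart's public interface once released.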
@@ -1,100 +0,0 @@ -{{- if .Values.elasticsearch.enabled -}} -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ include "mastodon.fullname" . }}-chewy-upgrade - labels: - {{- include "mastodon.labels" . | nindent 4 }} - annotations: - "helm.sh/hook": post-install - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded - "helm.sh/hook-weight": "-1" -spec: - template: - metadata: - name: {{ include "mastodon.fullname" . }}-chewy-upgrade - {{- with .Values.jobAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - spec: - restartPolicy: Never - {{- if (not .Values.mastodon.s3.enabled) }} - # ensure we run on the same node as the other rails components; only - # required when using PVCs that are ReadWriteOnce - {{- if or (eq "ReadWriteOnce" .Values.mastodon.persistence.assets.accessMode) (eq "ReadWriteOnce" .Values.mastodon.persistence.system.accessMode) }} - affinity: - podAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: app.kubernetes.io/part-of - operator: In - values: - - rails - topologyKey: kubernetes.io/hostname - {{- end }} - volumes: - - name: assets - persistentVolumeClaim: - claimName: {{ template "mastodon.pvc.assets" . }} - - name: system - persistentVolumeClaim: - claimName: {{ template "mastodon.pvc.system" . }} - {{- end }} - containers: - - name: {{ include "mastodon.fullname" . }}-chewy-setup - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - command: - - bundle - - exec - - rake - - chewy:upgrade - envFrom: - - configMapRef: - name: {{ include "mastodon.fullname" . }}-env - - secretRef: - name: {{ template "mastodon.secretName" . }} - env: - - name: "DB_PASS" - valueFrom: - secretKeyRef: - name: {{ template "mastodon.postgresql.secretName" . }} - key: password - - name: "REDIS_PASSWORD" - valueFrom: - secretKeyRef: - name: {{ template "mastodon.redis.secretName" . 
}} - key: redis-password - {{- if and .Values.redis.sidekiq.enabled .Values.redis.sidekiq.auth.existingSecret }} - - name: "SIDEKIQ_REDIS_PASSWORD" - valueFrom: - secretKeyRef: - name: {{ template "mastodon.redis.sidekiq.secretName" . }} - key: redis-password - {{- end }} - {{- if and .Values.redis.cache.enabled .Values.redis.cache.auth.existingSecret }} - - name: "CACHE_REDIS_PASSWORD" - valueFrom: - secretKeyRef: - name: {{ template "mastodon.redis.cache.secretName" . }} - key: redis-password - {{- end }} - {{- if and .Values.elasticsearch.existingSecret (or .Values.elasticsearch.enabled .Values.elasticsearch.hostname) }} - - name: "ES_PASS" - valueFrom: - secretKeyRef: - name: {{ .Values.elasticsearch.existingSecret }} - key: password - {{- end }} - - name: "PORT" - value: {{ .Values.mastodon.web.port | quote }} - {{- if (not .Values.mastodon.s3.enabled) }} - volumeMounts: - - name: assets - mountPath: /opt/mastodon/public/assets - - name: system - mountPath: /opt/mastodon/public/system - {{- end }} -{{- end }} diff --git a/mastodon/templates/job-create-admin.yaml b/mastodon/templates/job-create-admin.yaml index d1a4355..f54a696 100644 --- a/mastodon/templates/job-create-admin.yaml +++ b/mastodon/templates/job-create-admin.yaml @@ -95,4 +95,8 @@ spec: - name: system mountPath: /opt/mastodon/public/system {{- end }} + {{- with coalesce .Values.mastodon.createAdmin.nodeSelector .Values.nodeSelector }} + nodeSelector: + {{- . | toYaml | nindent 8 }} + {{- end }} {{- end }} diff --git a/mastodon/templates/job-db-migrate.yaml b/mastodon/templates/job-db-migrate.yaml index 9b0745f..c33d58d 100644 --- a/mastodon/templates/job-db-migrate.yaml +++ b/mastodon/templates/job-db-migrate.yaml 
@@ -1,93 +1,7 @@ -{{- if .Values.mastodon.hooks.dbMigrate.enabled -}} -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ include "mastodon.fullname" . }}-db-migrate - labels: - {{- include "mastodon.labels" . | nindent 4 }} - annotations: - "helm.sh/hook": post-install,pre-upgrade - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded - "helm.sh/hook-weight": "-2" -spec: - template: - metadata: - name: {{ include "mastodon.fullname" . }}-db-migrate - {{- with .Values.jobAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} +{{- if .Values.mastodon.hooks.dbMigrate.enabled }} +{{- include "mastodon.dbMigrateJob" (merge (dict "preDeploy" false ) .) }} + {{- with coalesce .Values.mastodon.hooks.dbMigrate.nodeSelector .Values.nodeSelector }} + nodeSelector: + {{- . | toYaml | nindent 8 }} {{- end }} - spec: - restartPolicy: Never - {{- if (not .Values.mastodon.s3.enabled) }} - # ensure we run on the same node as the other rails components; only - # required when using PVCs that are ReadWriteOnce - {{- if or (eq "ReadWriteOnce" .Values.mastodon.persistence.assets.accessMode) (eq "ReadWriteOnce" .Values.mastodon.persistence.system.accessMode) }} - affinity: - podAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: app.kubernetes.io/part-of - operator: In - values: - - rails - topologyKey: kubernetes.io/hostname - {{- end }} - volumes: - - name: assets - persistentVolumeClaim: - claimName: {{ template "mastodon.pvc.assets" . }} - - name: system - persistentVolumeClaim: - claimName: {{ template "mastodon.pvc.system" . }} - {{- end }} - containers: - - name: {{ include "mastodon.fullname" . }}-db-migrate - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - command: - - bundle - - exec - - rake - - db:migrate - envFrom: - - configMapRef: - name: {{ include "mastodon.fullname" . 
}}-env - - secretRef: - name: {{ template "mastodon.secretName" . }} - env: - - name: "DB_PASS" - valueFrom: - secretKeyRef: - name: {{ template "mastodon.postgresql.secretName" . }} - key: password - - name: "REDIS_PASSWORD" - valueFrom: - secretKeyRef: - name: {{ template "mastodon.redis.secretName" . }} - key: redis-password - {{- if and .Values.redis.sidekiq.enabled .Values.redis.sidekiq.auth.existingSecret }} - - name: "SIDEKIQ_REDIS_PASSWORD" - valueFrom: - secretKeyRef: - name: {{ template "mastodon.redis.sidekiq.secretName" . }} - key: redis-password - {{- end }} - {{- if and .Values.redis.cache.enabled .Values.redis.cache.auth.existingSecret }} - - name: "CACHE_REDIS_PASSWORD" - valueFrom: - secretKeyRef: - name: {{ template "mastodon.redis.cache.secretName" . }} - key: redis-password - {{- end }} - - name: "PORT" - value: {{ .Values.mastodon.web.port | quote }} - {{- if (not .Values.mastodon.s3.enabled) }} - volumeMounts: - - name: assets - mountPath: /opt/mastodon/public/assets - - name: system - mountPath: /opt/mastodon/public/system - {{- end }} -{{- end -}} +{{- end }} diff --git a/mastodon/templates/job-db-pre-migrate.yaml b/mastodon/templates/job-db-pre-migrate.yaml new file mode 100644 index 0000000..09b4759 --- /dev/null +++ b/mastodon/templates/job-db-pre-migrate.yaml @@ -0,0 +1,7 @@ +{{- if .Values.mastodon.hooks.dbMigrate.enabled }} +{{- include "mastodon.dbMigrateJob" (merge (dict "preDeploy" true ) .) }} + {{- with coalesce .Values.mastodon.hooks.dbMigrate.nodeSelector .Values.nodeSelector }} + nodeSelector: + {{- . | toYaml | nindent 8 }} + {{- end }} +{{- end }} diff --git a/mastodon/templates/job-db-prepare.yaml b/mastodon/templates/job-db-prepare.yaml new file mode 100644 index 0000000..98fba59 --- /dev/null +++ b/mastodon/templates/job-db-prepare.yaml 
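Review bot: The three thin wrappers — this `job-db-migrate.yaml`, `job-db-pre-migrate.yaml` in the same line, and `job-db-prepare.yaml` in the next hunk — each append an identical `nodeSelector` stanza as raw text after `include "mastodon.dbMigrateJob"`, which only renders correctly if the partial's output happens to end exactly at pod-spec indentation with no trailing whitespace trim; that coupling is invisible from these files and breaks silently the moment `_db-migrate.tpl` (not in this chunk) is edited. Pass the selector through the dict instead and render it inside the partial, e.g. `{{- include "mastodon.dbMigrateJob" (merge (dict "preDeploy" false "nodeSelector" (coalesce .Values.mastodon.hooks.dbMigrate.nodeSelector .Values.nodeSelector)) .) }}`, which also removes the copy-pasted block from all three files. A one-line comment above each include stating which hook phase the job runs in (`preDeploy`/`prepare`) would make the split readable without opening the partial.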
@@ -0,0 +1,7 @@ +{{- if and .Values.mastodon.hooks.dbPrepare.enabled (not .Values.postgresql.enabled) }} +{{- include "mastodon.dbMigrateJob" (merge (dict "prepare" true ) .) }} + {{- with coalesce .Values.mastodon.hooks.dbPrepare.nodeSelector .Values.nodeSelector }} + nodeSelector: + {{- . | toYaml | nindent 8 }} + {{- end }} +{{- end }} diff --git a/mastodon/templates/job-assets-precompile.yaml b/mastodon/templates/job-deploy-search.yaml similarity index 53% rename from mastodon/templates/job-assets-precompile.yaml rename to mastodon/templates/job-deploy-search.yaml index f3b8fa7..fbd53dc 100644 --- a/mastodon/templates/job-assets-precompile.yaml +++ b/mastodon/templates/job-deploy-search.yaml @@ -1,18 +1,19 @@ -{{- if .Values.mastodon.hooks.assetsPrecompile.enabled -}} +{{- if and .Values.mastodon.hooks.deploySearch.enabled .Values.elasticsearch.enabled -}} apiVersion: batch/v1 kind: Job metadata: - name: {{ include "mastodon.fullname" . }}-assets-precompile + name: {{ include "mastodon.fullname" . }}-deploy-search labels: {{- include "mastodon.labels" . | nindent 4 }} annotations: - "helm.sh/hook": post-install + "helm.sh/hook": post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded "helm.sh/hook-weight": "-2" spec: + suspend: false template: metadata: - name: {{ include "mastodon.fullname" . }}-assets-precompile + name: {{ include "mastodon.fullname" . }}-deploy-search {{- with .Values.jobAnnotations }} annotations: {{- toYaml . | nindent 8 }} 
@@ -22,40 +23,63 @@ spec: {{- if (not .Values.mastodon.s3.enabled) }} # ensure we run on the same node as the other rails components; only # required when using PVCs that are ReadWriteOnce - {{- if or (eq "ReadWriteOnce" .Values.mastodon.persistence.assets.accessMode) (eq "ReadWriteOnce" .Values.mastodon.persistence.system.accessMode) }} + {{- if or (eq "ReadWriteOnce" .Values.mastodon.persistence.assets.accessMode) (eq "ReadWriteOnce" .Values.persistence.system.accessMode) }} affinity: podAffinity: requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: app.kubernetes.io/part-of - operator: In - values: - - rails - topologyKey: kubernetes.io/hostname + - labelSelector: + matchExpressions: + - key: app.kubernetes.io/part-of + operator: In + values: + - rails + topologyKey: kubernetes.io/hostname {{- end }} volumes: - name: assets persistentVolumeClaim: - claimName: {{ template "mastodon.pvc.assets" . }} + claimName: {{ template "mastodon.fullname" . }}-assets - name: system persistentVolumeClaim: - claimName: {{ template "mastodon.pvc.system" . }} + claimName: {{ template "mastodon.fullname" . }}-system {{- end }} containers: - - name: {{ include "mastodon.fullname" . }}-assets-precompile + - name: {{ include "mastodon.fullname" . }}-deploy-search image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- with .Values.mastodon.hooks.deploySearch }} + {{- with .resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} command: - - bash - - -c - - | - bundle exec rake assets:precompile && yarn cache clean + - bin/tootctl + - search + - deploy + {{- with .concurrency }} + - '--concurrency' + - {{ . | quote }} + {{- end }} + {{- if .resetChewy }} + - '--reset-chewy' + {{- end }} + {{- with .batchSize }} + - '--batch-size' + - {{ . | quote }} + {{- end }} + {{- with .only }} + {{- if not (has . 
(list "instances" "accounts" "tags" "statuses" "public_statuses")) -}} + {{ fail "mastodon.hooks.deploySearch.only: Value must be one of the following words: instances, accounts, tags, statuses, public_statuses"}} + {{- end }} + - '--only' + - {{ . | quote }} + {{- end }} + {{- end }} envFrom: - configMapRef: name: {{ include "mastodon.fullname" . }}-env - secretRef: - name: {{ template "mastodon.secretName" . }} + name: {{ template "mastodon.secretName" $ }} env: - name: "DB_PASS" valueFrom: @@ -67,20 +91,6 @@ spec: secretKeyRef: name: {{ template "mastodon.redis.secretName" . }} key: redis-password - {{- if and .Values.redis.sidekiq.enabled .Values.redis.sidekiq.auth.existingSecret }} - - name: "SIDEKIQ_REDIS_PASSWORD" - valueFrom: - secretKeyRef: - name: {{ template "mastodon.redis.sidekiq.secretName" . }} - key: redis-password - {{- end }} - {{- if and .Values.redis.cache.enabled .Values.redis.cache.auth.existingSecret }} - - name: "CACHE_REDIS_PASSWORD" - valueFrom: - secretKeyRef: - name: {{ template "mastodon.redis.cache.secretName" . }} - key: redis-password - {{- end }} - name: "PORT" value: {{ .Values.mastodon.web.port | quote }} {{- if (not .Values.mastodon.s3.enabled) }} @@ -90,4 +100,4 @@ spec: - name: system mountPath: /opt/mastodon/public/system {{- end }} -{{- end -}} +{{- end }} diff --git a/mastodon/templates/job-set-admin-password.yaml b/mastodon/templates/job-set-admin-password.yaml index 600e705..66597e6 100644 --- a/mastodon/templates/job-set-admin-password.yaml +++ b/mastodon/templates/job-set-admin-password.yaml @@ -37,10 +37,10 @@ spec: volumes: - name: assets persistentVolumeClaim: - claimName: {{ template "mastodon.fullname" . }}-assets + claimName: {{ template "mastodon.pvc.assets" . }} - name: system persistentVolumeClaim: - claimName: {{ template "mastodon.fullname" . }}-system + claimName: {{ template "mastodon.pvc.system" . }} {{- end }} containers: - name: {{ include "mastodon.fullname" . }}-set-admin-password 
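Review bot: The changed affinity condition reads `.Values.persistence.system.accessMode` while the sibling expression on the same line still reads `.Values.mastodon.persistence.assets.accessMode`; no top-level `persistence` key is visible anywhere in this diff, and Helm raises a nil-pointer error on the missing map as soon as `mastodon.s3.enabled` is false, so this should remain `.Values.mastodon.persistence.system.accessMode`. The `claimName` lines also move from the `mastodon.pvc.assets`/`mastodon.pvc.system` helpers back to `{{ template "mastodon.fullname" . }}-assets`/`-system`, the exact opposite of what `job-set-admin-password.yaml` does further down this chunk; the helpers presumably honour an existing-claim value, so this job would mount the wrong PVC whenever one is configured — keep the helpers here too. Changing the `secretRef` to `mastodon.secretName" $` is harmless but unnecessary, since the `with .Values.mastodon.hooks.deploySearch` block is already closed at that point.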
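Review bot: The `@@ -67,20 +91,6` hunk removes `SIDEKIQ_REDIS_PASSWORD` and `CACHE_REDIS_PASSWORD` from the deploy-search job while `job-set-admin-password.yaml` gains exactly those blocks in the next hunk, leaving the two tootctl jobs with different Redis credential sets; if the env ConfigMap points the cache or sidekiq Redis at separately authenticated instances, `tootctl search deploy` would start without credentials for them. If search deployment deliberately needs only the primary Redis, say so in a comment at the `env:` stanza, e.g. `# search deploy only talks to the primary Redis; sidekiq/cache passwords intentionally omitted`, so the next reader does not "fix" the asymmetry.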
@@ -70,6 +70,20 @@ spec: secretKeyRef: name: {{ template "mastodon.redis.secretName" . }} key: redis-password + {{- if and .Values.redis.sidekiq.enabled .Values.redis.sidekiq.auth.existingSecret }} + - name: "SIDEKIQ_REDIS_PASSWORD" + valueFrom: + secretKeyRef: + name: {{ template "mastodon.redis.sidekiq.secretName" . }} + key: redis-password + {{- end }} + {{- if and .Values.redis.cache.enabled .Values.redis.cache.auth.existingSecret }} + - name: "CACHE_REDIS_PASSWORD" + valueFrom: + secretKeyRef: + name: {{ template "mastodon.redis.cache.secretName" . }} + key: redis-password + {{- end }} - name: "PORT" value: {{ .Values.mastodon.web.port | quote }} {{- if (not .Values.mastodon.s3.enabled) }} @@ -79,4 +93,8 @@ spec: - name: system mountPath: /opt/mastodon/public/system {{- end }} + {{- with coalesce .Values.mastodon.createAdmin.nodeSelector .Values.nodeSelector }} + nodeSelector: + {{- . | toYaml | nindent 8 }} + {{- end }} {{- end }} diff --git a/mastodon/templates/secret-prepare.yml b/mastodon/templates/secret-prepare.yml new file mode 100644 index 0000000..375f047 --- /dev/null +++ b/mastodon/templates/secret-prepare.yml @@ -0,0 +1,3 @@ +{{- if and (include "mastodon.createSecret" .) (not .Values.postgresql.enabled) -}} +{{- include "mastodon.secrets.object" (merge (dict "prepare" true ) .) }} +{{- end }} diff --git a/mastodon/templates/secret-redis-preinstall.yaml b/mastodon/templates/secret-redis-preinstall.yaml new file mode 100644 index 0000000..074e035 --- /dev/null +++ b/mastodon/templates/secret-redis-preinstall.yaml 
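Review bot: The new template is named `secret-prepare.yml` while every other file in `mastodon/templates/` touched by this commit uses `.yaml` (`secret-redis.yaml`, `secret-smtp-bulk.yaml`, `secrets.yaml`); Helm renders both extensions, but the outlier defeats globbing, lint configs and editor conventions, so rename it to `secret-prepare.yaml`. A short comment above the include would also help, since the gating is not self-explanatory: `# pre-install copy of the app Secret for the db-prepare hook; only needed with an external database`, which is what `(not .Values.postgresql.enabled)` appears to encode.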
@@ -0,0 +1,19 @@ +{{- if not .Values.redis.enabled }} +{{- if and (not .Values.redis.auth.existingSecret) (not .Values.redis.existingSecret) }} +{{- if .Values.redis.auth.password }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "mastodon.redis.secretName" . }}-pre-install + labels: + {{- include "mastodon.labels" . | nindent 4 }} + annotations: + helm.sh/hook: pre-install + helm.sh/hook-weight: "-5" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +type: Opaque +data: + redis-password: "{{ .Values.redis.auth.password | b64enc }}" +{{- end }} +{{- end }} +{{- end }} diff --git a/mastodon/templates/secret-redis.yaml b/mastodon/templates/secret-redis.yaml index b1d8ac1..e14ba1f 100644 --- a/mastodon/templates/secret-redis.yaml +++ b/mastodon/templates/secret-redis.yaml @@ -1,4 +1,4 @@ -{{- if not .Values.redis.enabled }} +{{- if .Values.redis.enabled }} {{- if and (not .Values.redis.auth.existingSecret) (not .Values.redis.existingSecret) }} {{- if .Values.redis.auth.password }} apiVersion: v1 @@ -7,6 +7,10 @@ metadata: name: {{ include "mastodon.redis.secretName" . }} labels: {{- include "mastodon.labels" . | nindent 4 }} + annotations: + helm.sh/hook: pre-install + helm.sh/hook-weight: "-5" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded type: Opaque data: redis-password: "{{ .Values.redis.auth.password | b64enc }}" diff --git a/mastodon/templates/secret-smtp-bulk.yaml b/mastodon/templates/secret-smtp-bulk.yaml new file mode 100644 index 0000000..3aa31b6 --- /dev/null +++ b/mastodon/templates/secret-smtp-bulk.yaml 
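Review bot: Flipping `secret-redis.yaml` to `{{- if .Values.redis.enabled }}` and turning it into a `pre-install` hook with `hook-succeeded` deletion means this file no longer renders a long-lived Secret for the external-Redis case (`redis.enabled: false` with `redis.auth.password` set); the only object rendered for that case is now the `-pre-install` hook Secret in `secret-redis-preinstall.yaml`, which Helm removes once the pre-install hooks finish. Unless `mastodon.secrets.object` in `_secrets.tpl` (not in this chunk) now emits the persistent `mastodon.redis.secretName` Secret, every pod referencing it for `REDIS_PASSWORD` will fail to start after install; please confirm and record the handover in a comment at the top of `secret-redis.yaml`, e.g. `# hook-only copy for pre-install jobs; the persistent Secret is rendered by mastodon.secrets.object`. Both new annotation blocks also mix bare and quoted keys (`helm.sh/hook:` next to `"helm.sh/hook-delete-policy":`); pick one style, matching the quoted form used in the Job templates.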
@@ -0,0 +1,16 @@ +{{- if and .Values.mastodon.smtp.bulk.enabled (not .Values.mastodon.smtp.bulk.existingSecret) -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ printf "%s-smtp-bulk" (include "mastodon.fullname" .) }} + labels: + {{- include "mastodon.labels" . | nindent 4 }} +type: Opaque +data: + {{- with .Values.mastodon.smtp.bulk.login }} + login: {{ . | b64enc }} + {{- end }} + {{- with .Values.mastodon.smtp.bulk.password }} + password: {{ . | b64enc }} + {{- end }} +{{- end }} diff --git a/mastodon/templates/secrets.yaml b/mastodon/templates/secrets.yaml index 0eec2ab..584177c 100644 --- a/mastodon/templates/secrets.yaml +++ b/mastodon/templates/secrets.yaml 
@@ -1,58 +1,3 @@ {{- if (include "mastodon.createSecret" .) -}} -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "mastodon.fullname" . }} - labels: - {{- include "mastodon.labels" . | nindent 4 }} -type: Opaque -data: - {{- if .Values.mastodon.s3.enabled }} - {{- if not .Values.mastodon.s3.existingSecret }} - AWS_ACCESS_KEY_ID: "{{ .Values.mastodon.s3.access_key | b64enc }}" - AWS_SECRET_ACCESS_KEY: "{{ .Values.mastodon.s3.access_secret | b64enc }}" - {{- end }} - {{- end }} - {{- if not .Values.mastodon.secrets.existingSecret }} - {{- if not (empty .Values.mastodon.secrets.secret_key_base) }} - SECRET_KEY_BASE: "{{ .Values.mastodon.secrets.secret_key_base | b64enc }}" - {{- else }} - SECRET_KEY_BASE: {{ required "secret_key_base is required" .Values.mastodon.secrets.secret_key_base }} - {{- end }} - {{- if not (empty .Values.mastodon.secrets.otp_secret) }} - OTP_SECRET: "{{ .Values.mastodon.secrets.otp_secret | b64enc }}" - {{- else }} - OTP_SECRET: {{ required "otp_secret is required" .Values.mastodon.secrets.otp_secret }} - {{- end }} - {{- if not (empty .Values.mastodon.secrets.vapid.private_key) }} - VAPID_PRIVATE_KEY: "{{ .Values.mastodon.secrets.vapid.private_key | b64enc }}" - {{- else }} - VAPID_PRIVATE_KEY: {{ required "vapid.private_key is required" .Values.mastodon.secrets.vapid.private_key }} - {{- end }} - {{- if not (empty .Values.mastodon.secrets.vapid.public_key) }} - VAPID_PUBLIC_KEY: "{{ .Values.mastodon.secrets.vapid.public_key | b64enc }}" - {{- else }} - VAPID_PUBLIC_KEY: {{ required "vapid.public_key is required" .Values.mastodon.secrets.vapid.public_key }} - {{- end }} - {{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.primaryKey) }} - ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: "{{ .Values.mastodon.secrets.activeRecordEncryption.primaryKey | b64enc }}" - {{- else }} - ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: {{ required "activeRecordEncryption.primaryKey is required" 
.Values.mastodon.secrets.activeRecordEncryption.primaryKey }} - {{- end }} - {{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.deterministicKey) }} - ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: "{{ .Values.mastodon.secrets.activeRecordEncryption.deterministicKey | b64enc }}" - {{- else }} - ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: {{ required "activeRecordEncryption.deterministicKey is required" .Values.mastodon.secrets.activeRecordEncryption.deterministicKey }} - {{- end }} - {{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt) }} - ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: "{{ .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt | b64enc }}" - {{- else }} - ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: {{ required "activeRecordEncryption.keyDerivationSalt is required" .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt }} - {{- end }} - {{- end }} - {{- if not .Values.postgresql.enabled }} - {{- if not .Values.postgresql.auth.existingSecret }} - password: "{{ .Values.postgresql.auth.password | b64enc }}" - {{- end }} - {{- end }} +{{- include "mastodon.secrets.object" . }} {{- end }} diff --git a/mastodon/templates/service-streaming.yaml b/mastodon/templates/service-streaming.yaml index bade7b1..d52eeee 100644 --- a/mastodon/templates/service-streaming.yaml +++ b/mastodon/templates/service-streaming.yaml @@ -11,6 +11,7 @@ spec: targetPort: streaming protocol: TCP name: streaming + ipFamilyPolicy: PreferDualStack selector: {{- include "mastodon.selectorLabels" . | nindent 4 }} app.kubernetes.io/component: streaming diff --git a/mastodon/templates/service-web.yaml b/mastodon/templates/service-web.yaml index acf1233..b08cc66 100644 --- a/mastodon/templates/service-web.yaml +++ b/mastodon/templates/service-web.yaml 
@@ -11,6 +11,7 @@ spec: targetPort: http protocol: TCP name: http + ipFamilyPolicy: PreferDualStack selector: {{- include "mastodon.selectorLabels" . | nindent 4 }} app.kubernetes.io/component: web diff --git a/mastodon/values.yaml b/mastodon/values.yaml index 499dabe..f5672d3 100644 --- a/mastodon/values.yaml +++ b/mastodon/values.yaml @@ -6,13 +6,15 @@ image: # built from the most recent commit # # tag: latest - tag: "v4.2.22" + tag: "" # use `Always` when using `latest` tag pullPolicy: IfNotPresent mastodon: # Labels added to every Mastodon-related object labels: {} + # Labes added to every deployed mastodon pod + podLabels: {} # -- create an initial administrator user; the password is autogenerated and will # have to be reset 
@@ -25,13 +27,81 @@ mastodon: password: not_gargron # @ignored email: not@example.com + # Node(s) on which we will deploy this job + nodeSelector: {} hooks: + # Whether to perform DB schema creation on `helm install`. + # Please note that this does not work when using the included database + # (postgresql.enabled=true). + # NOTE: When using certain GitOps solutions such as Argo CD, this should be + # disabled, as these apps do not necessarily differentiate between `pre-install` + # and `pre-upgrade`. + dbPrepare: + enabled: true + # Node(s) on which we will deploy this job + nodeSelector: {} + # Whether to perform DB migrations on `helm upgrade`. dbMigrate: enabled: true - assetsPrecompile: - enabled: true + # Node(s) on which we will deploy this job + nodeSelector: {} + + # WARNING: deploySearch is potentially a very expensive job! + # Only enable this once at a time, when you deploy elasticsearch or when + # the upgrade notes for a new mastodon version request rebuilding search. + # Recommended use is via `-f mastodon.hooks.deploySearch.enabled=true` + # to ensure the job is only dispatched for a single upgrade when required. + # This job may take days to run on very large instances. Even small + # instances may take long enough to trigger helm's completion timeout, so + # DO NOT PANIC if helm complains; simply verify the job is still running. + # + # Builds or rebuilds the elasticsearch indices via `tootctl deploy search` + # with timing hooks to ensure the job runs immediately after install/upgrade + # and will be restarted if another, corrective upgrade is triggered. + # Please check the tootctl documentation and upgrade notes to pick values. + # + # NOTE: The resource stanza set below is intentionally very conservative. + # Consider assigning a liberal chunk of your cluster's typical headroom. + deploySearch: + enabled: false + resetChewy: true + # one index name. 
Possible values: instances, accounts, tags, statuses, public_statuses + only: "" + concurrency: 5 + resources: # this accepts any keys in a full container resources stanza. + requests: + cpu: 250m + memory: 256Mi + limits: + cpu: 500m + + # Upload website assets to S3 before deploying using rclone. + # Whenever there is an update to Mastodon, sometimes there are assets files + # that are renamed. As the pods are getting redeployed, and old/new pods are + # present simultaneously, there is a chance that old asset files are + # requested from pods that don't have them anymore, or new asset files are + # requested from old pods. Uploading asset files to S3 in this manner solves + # this potential conflict. + # Note that you will need to CDN/proxy to send all requests to /assets and + # /packs to this bucket. + s3Upload: + enabled: false + endpoint: + bucket: + acl: public-read + secretRef: + name: + keys: + accesKeyId: acces-key-id + secretAccessKey: secret-access-key + rclone: + # Any additional environment variables to pass to rclone. + env: {} + # Node(s) on which we will deploy this job + nodeSelector: {} # Custom labels to add to kubernetes resources #labels: + cron: # -- run `tootctl media remove` every week removeMedia: @@ -39,8 +109,15 @@ mastodon: enabled: true # @ignored schedule: "0 0 * * 0" + # Node(s) on which we will deploy this job + nodeSelector: {} + + # Sets the default locale for this server. + # NOTICE: This will force this locale on every user who is not logged in, and + # the instance will no longer do any local detection for clients. # -- available locales: https://github.com/mastodon/mastodon/blob/main/config/application.rb#L71 - locale: en + locale: + local_domain: mastodon.local # -- Use of WEB_DOMAIN requires careful consideration: https://docs.joinmastodon.org/admin/config/#federation # You must redirect the path LOCAL_DOMAIN/.well-known/ to WEB_DOMAIN/.well-known/ as described 
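Review bot: `accesKeyId: acces-key-id` under `s3Upload.secretRef.keys` misspells both the key and its default value; `job-assets-copy.yaml` reads the same misspelled key so the chart renders, but once released the typo is part of the public values schema and can only be corrected with a breaking change — rename to `accessKeyId: access-key-id` in both places now. `endpoint:`, `bucket:` and `secretRef.name:` are left as bare nulls, which works because the template wraps them in `required`, but `endpoint: ""  # required when s3Upload.enabled` (and likewise for the other two) documents the contract where operators actually read it. The `acl: public-read` default is appropriate for public web assets but deserves a one-line comment saying so, since a reader scanning for credentials-adjacent settings will otherwise stop on it.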
@@ -49,6 +126,9 @@ mastodon:
 # -- If you have multiple domains pointed at your Mastodon server, this setting will allow Mastodon to recognize
 # itself when users are addressed using those other domains.
 alternate_domains: []
+ # -- Comma-separated list of public IP addresses of trusted reverse proxy servers reaching Mastodon web and streaming servers
+ # Specifying overrides default list. More info: https://docs.joinmastodon.org/admin/config/#trusted_proxy_ip
+ # trusted_proxy_ip:
 # -- If set to true, the frontpage of your Mastodon server will always redirect to the first profile in the database and registrations will be disabled.
 singleUserMode: false
 # -- Enables "Secure Mode" for more details see: https://docs.joinmastodon.org/admin/config/#authorized_fetch
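Review bot: The new `trusted_proxy_ip` comment in this hunk says "public IP addresses", but the proxies reaching the web and streaming pods in this chart are typically the cluster's ingress controllers and pod/service addresses, which are private; because the comment also states the value overrides rather than extends the default list, an operator who lists only external addresses would stop Mastodon from trusting the in-cluster hop, so every client would appear to come from the ingress address and rate limiting and logging would be keyed on that single IP. Suggest `# -- Comma-separated list of IP addresses/CIDRs of the trusted reverse proxies (ingress controllers, load balancers) in front of the web and streaming pods` and `# Setting this REPLACES Mastodon's built-in default list, so include your ingress/pod CIDRs as well`. What the built-in list contains is not shown here; confirm against the linked docs before wording it.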
@@ -140,6 +220,39 @@ mastodon:
 resources: {}
 # -- Affinity for all Sidekiq Deployments unless overwritten, overwrites .Values.affinity
 affinity: {}
+ # Node(s) on which we will deploy sidekiq in general
+ # Any worker-specific configuration will override this setting.
+ nodeSelector: {}
+ # -- Annotations to apply to the deployment object(s) for sidekiq.
+ # -- These are applied in addition to deploymentAnnotations.
+ annotations: {}
+ # -- Labels to apply to the deployment object(s) for sidekiq.
+ # -- These are applied in addition to mastodon.labels.
+ labels: {}
+ # -- Annotations to apply to the sidekiq pods.
+ # -- These are applied in addition to the global podAnnotations.
+ podAnnotations: {}
+ # -- Labels to apply to the sidekiq pods.
+ # -- These are applied in addition to mastodon.labels.
+ podLabels: {}
+ # Rollout strategy to use when updating pods.
+ # Recreate will help reduce the number of retried jobs when updating when
+ # the code introduces a new job as the pods are all replaced immediately.
+ # RollingUpdate can help with larger clusters if job retries aren't an
+ # issue, as it will reduce strain by replacing pods more slowly. It is
+ # strongly recommended to enable the readinessProbe when using RollingUpdate.
+ # ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
+ updateStrategy:
+ type: Recreate
+ # Readiness probe configuration
+ # NOTE: Readiness probe will only work on versions of Mastodon built after 2024-07-10.
+ readinessProbe:
+ enabled: false
+ path: /opt/mastodon/tmp/sidekiq_process_has_started_and_will_begin_processing_jobs
+ initialDelaySeconds: 10
+ periodSeconds: 2
+ successThreshold: 1
+ timeoutSeconds: 1
 # -- Topology spread constraints for Sidekiq Pods, overwrites .Values.topologySpreadConstraints
 topologySpreadConstraints: {}
 # limits:
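Review bot: `readinessProbe.path` in this hunk is a filesystem path, not an HTTP path, and nothing in the comment says which probe type consumes it or what creates the file. Add `# File created inside the container once sidekiq starts processing jobs; the probe checks for its presence` above `path:` — hedged, since deployment-sidekiq.yaml, which renders the probe, is not in this chunk. The `updateStrategy` comment strongly recommends the probe with RollingUpdate while the probe defaults to `enabled: false`; a pointer there, `# see readinessProbe below`, would make the coupling visible to someone changing only the strategy.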
@@ -148,6 +261,14 @@ mastodon: # requests: # cpu: 250m # memory: 512Mi + + # Open Telemetry configuration for sidekiq pods. Overrides global settings. + otel: + enabled: + exporterUri: + namePrefix: + nameSeparator: + workers: - name: all-queues # -- Number of threads / parallel sidekiq jobs that are executed per Pod @@ -158,8 +279,11 @@ mastodon: resources: {} # -- Affinity for this specific deployment, overwrites .Values.affinity and .Values.mastodon.sidekiq.affinity affinity: {} + # -- Node(s) on which we will deploy this sidekiq worker + nodeSelector: {} # -- Topology spread constraints for this specific deployment, overwrites .Values.topologySpreadConstraints and .Values.mastodon.sidekiq.topologySpreadConstraints topologySpreadConstraints: {} + # -- Sidekiq queues for Mastodon that are handled by this worker. See https://docs.joinmastodon.org/admin/scaling/#concurrency # See https://github.com/mperham/sidekiq/wiki/Advanced-Options#queues for how to weight queues as argument queues: @@ -169,6 +293,7 @@ mastodon: - mailers,2 - pull - scheduler # Make sure the scheduler queue only exists once and with a worker that has 1 replica. + - fasp image: repository: tag: 
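Review bot: The per-component `otel` override in the first hunk here leaves `enabled:`, `exporterUri:`, `namePrefix:` and `nameSeparator:` bare, which parses as null; that works as "inherit from the global stanza" only if the template distinguishes null from `false` and `""`, since a plain truthiness test would treat `enabled: false` at this level as unset. Document the contract in place, `# Leave empty to inherit mastodon.otel; set a value here to override it for sidekiq only`, and confirm configmap-env.yaml (outside this chunk) tests for nil rather than truthiness. The same applies to the web `otel` block added in the hunk at -303,6 +497,13.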
@@ -213,10 +338,35 @@ mastodon: # -- Instead of defining login/password above, you can specify the name of an existing secret here. Login and # password must be located in keys named `login` and `password` respectively. existingSecret: + + # Configuration for bulk/broadcast messages. + # Some transactional email providers require customers to use a separate set + # of SMTP credentials to send emails that are not transactional in nature. + # For more information, refer to the docs: + # https://docs.joinmastodon.org/admin/config/#optional-bulk-email-settings + bulk: + enabled: false + auth_method: plain + ca_file: /etc/ssl/certs/ca-certificates.crt + domain: + enable_starttls: "auto" + from_address: notifications@example.com + openssl_verify_mode: peer + port: 587 + server: smtp.mailgun.org + tls: + login: + password: + # -- Instead of defining login/password above, you can specify the name of an existing secret here. Login and + # password must be located in keys named `login` and `password` respectively. + existingSecret: + streaming: image: - repository: - tag: + # streaming image split in Mastodon v4.3.0 + repository: ghcr.io/mastodon/mastodon-streaming + # other options: `latest` for the latest release or `edge` for most recent commit + tag: "" port: 4000 # -- this should be set manually since os.cpus() returns the number of CPUs on # the node running the pod, which is unrelated to the resources allocated to 
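Review bot: `tls:` in the new `smtp.bulk` stanza is bare (null) while every other knob in it carries an explicit default, so the rendered environment value depends on how the template treats nil; write `tls: false` explicitly so the default is visible next to `enable_starttls: "auto"` and `openssl_verify_mode: peer`. The streaming image comment offers `latest` and `edge` as tag options without noting that both are mutable tags; add `# latest/edge are moving targets — pin a release tag or digest in production` and say what the empty default resolves to (presumably the chart's appVersion, which this hunk does not show).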
@@ -229,6 +379,27 @@ mastodon: replicas: 1 # -- Affinity for Streaming Pods, overwrites .Values.affinity affinity: {} + # -- Node(s) on which we will deploy the streaming pods + nodeSelector: {} + # -- Annotations to apply to the deployment object for streaming. + # -- These are applied in addition to deploymentAnnotations. + annotations: {} + # -- Labels to apply to the deployment object for streaming. + # -- These are applied in addition to mastodon.labels. + labels: {} + # -- Annotations to apply to the streaming pods. + # -- These are applied in addition to the global podAnnotations. + podAnnotations: {} + # -- Labels to apply to the streaming pods. + # -- These are applied in addition to mastodon.labels. + podLabels: {} + # Rollout strategy to use when updating pods + # ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 10% + maxUnavailable: 25% # -- Topology spread constraints for Streaming Pods, overwrites .Values.topologySpreadConstraints topologySpreadConstraints: {} # -- Pod Security Context for Streaming Pods, overwrites .Values.podSecurityContext 
@@ -268,6 +439,27 @@ mastodon: replicas: 1 # -- Affinity for Web Pods, overwrites .Values.affinity affinity: {} + # -- Node(s) on which we will deploy the web pods + nodeSelector: {} + # -- Annotations to apply to the deployment object for web. + # -- These are applied in addition to deploymentAnnotations. + annotations: {} + # -- Labels to apply to the deployment object for web. + # -- These are applied in addition to mastodon.labels. + labels: {} + # -- Annotations to apply to the web pods. + # -- These are applied in addition to the global podAnnotations. + podAnnotations: {} + # -- Labels to apply to the web pods. + # -- These are applied in addition to mastodon.labels. + podLabels: {} + # Rollout strategy to use when updating pods + # ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 10% + maxUnavailable: 25% # -- Topology spread constraints for Web Pods, overwrites .Values.topologySpreadConstraints topologySpreadConstraints: {} # -- Pod Security Context for Web Pods, overwrites .Values.podSecurityContext @@ -287,8 +479,10 @@ mastodon: enable: false # minAvailable: 1 # maxUnavailable: 1 + # -- Puma-specific options. Below values are based on default behavior in # config/puma.rb when no custom values are provided. + minThreads: "5" maxThreads: "5" workers: "2" @@ -303,6 +497,13 @@ mastodon: name: key: + # Open Telemetry configuration for web pods. Overrides global settings. + otel: + enabled: + exporterUri: + namePrefix: + nameSeparator: + # HTTP cache buster configuration. # See the documentation for more information about this feature: # https://docs.joinmastodon.org/admin/config/#http-cache-buster @@ -316,6 +517,8 @@ mastodon: existingSecret: metrics: + + # NOTE: This feature was dropped in v4.3.0, and will not work for any versions beyond this. statsd: # -- Enable statsd publishing via STATSD_ADDR environment variable address: "" 
@@ -325,6 +528,32 @@ mastodon: enabled: false port: 9102 + # Settings for Prometheus metrics. + # For more information, see: + # https://docs.joinmastodon.org/admin/config/#prometheus + prometheus: + enabled: false + # Port for the exporter to listen on + port: 9394 + + # Prometheus for web pods + web: + # Collect per-controller/action metrics for every request + detailed: false + + # Prometheus for sidekiq pods + sidekiq: + # Collect per-job metrics for every job + detailed: false + + # Open Telemetry configuration for all deployments. Component-specific + # configuration will override these values. + otel: + enabled: false + exporterUri: + namePrefix: mastodon + nameSeparator: "-" + # Sets the PREPARED_STATEMENTS environment variable: https://docs.joinmastodon.org/admin/config/#prepared_statements preparedStatements: true @@ -380,7 +609,13 @@ ingress: hosts: - streaming.mastodon.local -# -- https://github.com/bitnami/charts/tree/master/bitnami/elasticsearch#parameters +# Configuration for Elasticsearch. +# When enabled, the bitnami helm chart is used for Elasticsearch deployment, and +# all values here correspond to their values file. Please see the bitnami chart +# documentation: +# https://github.com/bitnami/charts/tree/master/bitnami/elasticsearch#parameters +# +# Please note that we recommend using your own deployment for better management. elasticsearch: # Elasticsearch is powering full-text search. It is optional. 
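Review bot: The new `metrics.prometheus` block in the first hunk here opens an exporter on port 9394 but says nothing about who may reach it, and the diffstat shows service-web.yaml and service-streaming.yaml each gaining a line, so the port is presumably being added to the Services. Prometheus endpoints expose operational detail (job and controller names, per-request timings when `detailed: true`), so document next to `port: 9394` that it should be reachable only by the scraper, e.g. `# Restrict to your Prometheus scraper (NetworkPolicy); do not route it through the Ingress`. `exporterUri:` in the global `otel` block is left bare; `exporterUri: ""` states the intent more clearly than null.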
@@ -406,13 +641,43 @@ elasticsearch: # Name of an existing secret with a password key # existingSecret: + # -- Node(s) on which we will deploy the various elasticsearch pods + master: + nodeSelector: {} + data: + nodeSelector: {} + coordinating: + nodeSelector: {} + ingest: + nodeSelector: {} + metrics: + nodeSelector: {} + +# Configuration for PostgreSQL. +# When enabled, the bitnami helm chart is used for PostgreSQL deployment, and +# all values here correspond to their values file. Please see the bitnami chart +# documentation: # https://github.com/bitnami/charts/tree/master/bitnami/postgresql#parameters +# +# Please note that we recommend using your own deployment for better management. postgresql: # -- disable if you want to use an existing db; in which case the values below - # must match those of that external postgres instance + # must match those of that external postgres instance. + # Please note that certain features do not work when enabling the included + # database, namely automatic schema creation when the app is first installed. enabled: true # postgresqlHostname: preexisting-postgresql # postgresqlPort: 5432 + + # If using a connection pooler such as pgbouncer, please specify a hostname/IP + # that serves as a "direct" connection to the database, rather than going + # through the connection pooler. This is required for migrations to work + # properly. + direct: + hostname: + port: + database: + auth: database: mastodon_production username: mastodon 
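Review bot: The new `postgresql.direct` stanza says a direct hostname is required for migrations behind a pooler, but does not say what happens when `direct.hostname` is unset, or when only `hostname` is given and `port` and `database` stay bare (null). State the fallback explicitly, e.g. `# If unset, migrations use postgresqlHostname/postgresqlPort and auth.database` — hedged, since _db-migrate.tpl, which presumably consumes these, is not in this chunk. If the direct endpoint is authenticated with the same `auth` credentials as the pooled one, say so here too, as operators often grant the pooler a different role than the migration user.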
@@ -442,7 +707,22 @@ postgresql: password: existingSecret: + # -- Node(s) on which we will deploy the various database pods + primary: + nodeSelector: {} + readReplicas: + nodeSelector: {} + backup: + cronjob: + nodeSelector: {} + +# Configuration for Redis. +# When enabled, the bitnami helm chart used for Redis deployment, and all values +# here correspond to their values file. Please see the bitnami chart +# documentation: # https://github.com/bitnami/charts/tree/master/bitnami/redis#parameters +# +# Please note that we recommend using your own deployment for better management. redis: # disable if you want to use an existing redis instance; in which case the # values below must match those of that external redis instance @@ -488,6 +768,12 @@ redis: # with a key of redis-password set to the password you want existingSecret: "" + # -- Node(s) on which we will deploy the various redis pods + master: + nodeSelector: {} + replica: + nodeSelector: {} + # @ignored service: type: ClusterIP 
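Review bot: The new Redis comment in the first hunk here reads "the bitnami helm chart used for Redis deployment", missing "is", while the PostgreSQL and Elasticsearch versions of the same paragraph have it. Change the line to `# When enabled, the bitnami helm chart is used for Redis deployment, and all values`.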
@@ -614,23 +900,23 @@ serviceAccount: # If not set and create is true, a name is generated using the fullname template name: "" -# Custom annotations to apply to all created deployment objects. These can be -# used to help mastodon interact with other services in the cluster. +# Custom annotations to apply to all created mastodon deployment objects. These +# can be used to help mastodon interact with other services in the cluster. deploymentAnnotations: {} # -- Kubernetes manages pods for jobs and pods for deployments differently, so you might # need to apply different annotations to the two different sets of pods. The annotations -# set with podAnnotations will be added to all deployment-managed pods. +# set with podAnnotations will be added to all mastodon deployment-managed pods. podAnnotations: {} # If set to true, an annotation with the current chart release number will be added to all mastodon pods. This will # cause all pods to be recreated every `helm upgrade` regardless of whether their config or spec changes. revisionPodAnnotation: true -# The annotations set with jobAnnotations will be added to all job pods. +# The annotations set with jobAnnotations will be added to all mastodon job pods jobAnnotations: {} -# -- Default resources for all Deployments and jobs unless overwritten +# -- Default resources for all mastodon Deployments and jobs unless overwritten resources: {} # We usually recommend not to specify default resources and to leave this as a conscious 
@@ -644,26 +930,28 @@ resources: # cpu: 100m # memory: 128Mi -# @ignored -nodeSelector: {} - # @ignored tolerations: [] -# -- Affinity for all pods unless overwritten +# -- Affinity for all mastodon pods unless overwritten affinity: {} -# -- Timezone for all pods unless overwritten +# Node(s) on which we will deploy all resources. +# Any node selectors specified for individual resources will override this +# setting. +nodeSelector: {} + +# -- Timezone for all mastodon pods unless overwritten timezone: UTC -# -- Topology Spread Constraints for all pods unless overwritten +# -- Topology Spread Constraints for all mastodon pods unless overwritten # Please note that you need to use `matchLabelKeys` (Kubernetes 1.25+) if you # want to spread each deployment independently, or override topologySpreadConstraints # for each deployment topologySpreadConstraints: {} -# Default volume mounts for all pods +# Default volume mounts for all mastodon pods volumeMounts: [] -# Default volumes for all pods +# Default volumes for all mastodon pods volumes: []