ghp/helm-charts
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: ghp:3a8be39de0d5f538987183bf3bfb224aeec47bc9
Branches Tags
ghp:master
...
compare: ghp:master
Branches Tags
ghp:master

63 Commits
3a8be39de0 ... master

Author SHA1 Message Date
ace
f3dea682a5 mastodon: bump to v4.4.1, helm chart v6.5.0 2025-07-14 00:14:20 +03:00
ace
bca2de6613 mastodon: bump to v4.2.22, helm chart v5.1.9 2025-07-13 20:56:17 +03:00
ace
9219b9d048 rspamd: bump to v3.12.1, helm chart v0.5.7 2025-06-28 16:29:17 +03:00
ace
7e7fc46d18 adguard-home: bump to v0.107.63, helm chart v2.3.33 2025-06-28 16:29:14 +03:00
ace
d2a23231dc peertube: bump to v7.2.1, helm chart v0.4.4 2025-06-28 16:29:09 +03:00
ace
4d3b1c57f6 kanidm: bump to v1.6.4, helm chart v0.2.2 2025-06-12 22:48:42 +03:00
ace
4b59f3bde0 peertube: bump to v7.2.0, helm chart v0.4.3 2025-06-12 22:48:00 +03:00
ace
88d3175327 roundcube: bump to v1.6.11, helm chart v0.4.6 2025-06-11 00:36:48 +03:00
ace
f58b0e15d2 bitwarden: bump to v1.34.1, helm chart v2.0.38 2025-06-11 00:36:44 +03:00
ace
058c4aee3c adguard-home: bump to v0.107.62, helm chart v2.3.32 2025-06-11 00:36:41 +03:00
ace
c7da441b17 kanidm: bump to v1.6.3, helm chart v0.2.1 2025-05-23 13:06:11 +03:00
ace
c0ad9437b2 kanidm: bump to v1.6.2, helm chart v0.2.0 2025-05-13 00:12:33 +03:00
ace
77c2028150 mastodon: bump to v4.2.21, helm chart v5.1.8 2025-05-13 00:12:21 +03:00
ace
399eae0f1a kanidm: fix probes and use 443 port by default 2025-04-11 16:01:20 +03:00
ace
0d91f6f91d add kanidm helm chart 2025-04-10 00:21:11 +03:00
ace
ae6f9bb30b add autovault helm chart 2025-04-10 00:21:01 +03:00
ace
858581c554 wikijs: bump to v2.5.307, helm chart v2.3.19 2025-03-25 16:27:27 +03:00
ace
c9a99c1062 peertube: bump to v7.1.0, helm chart v0.4.2 2025-03-25 16:27:23 +03:00
ace
bad060f0dd adguard-home: bump to v0.107.59, helm chart v2.3.31 2025-03-25 16:27:19 +03:00
ace
c7255cdaf1 mastodon: bump to v4.2.19, helm chart v5.1.7 2025-03-14 23:36:13 +03:00
ace
a83dac3d32 rspamd: bump to v3.11.1, helm chart v0.5.6 2025-03-09 17:03:04 +03:00
ace
c5c7b21e6f mastodon: bump to v4.2.17, helm chart v5.1.6 2025-03-02 17:24:16 +03:00
ace
15f9334d28 gitea-act-runner: bump to v0.2.11, helm chart v0.1.12 2025-03-02 17:24:07 +03:00
ace
5d77150525 adguard-home: bump to v0.107.57, helm chart v2.3.30 2025-03-02 17:24:04 +03:00
ace
f5fdcff1d9 postfix: bump to v3.5.25, helm chart v0.1.7 2025-02-15 22:28:05 +03:00
ace
5e7679078d rspamd: bump to v3.11.0, helm chart v0.5.5 2025-02-15 22:28:01 +03:00
ace
7ea997cbbb roundcube: bump to v1.6.10, helm chart v0.4.5 2025-02-15 22:27:59 +03:00
ace
0d3fb60b95 dovecot: bump to v2.3.16, helm chart v0.1.8 2025-02-15 22:27:55 +03:00
ace
de4157c81c bitwarden: bump to v1.33.2, helm chart v2.0.37 2025-02-12 15:31:02 +03:00
ace
47e16defa7 wikijs: bump to v2.5.306, helm chart v2.3.18 2025-02-06 00:36:02 +03:00
ace
0ee0d754b9 bitwarden: bump to v1.33.1, helm chart v2.0.36 2025-02-06 00:35:52 +03:00
ace
cfb50a3261 adguard-home: bump to v0.107.56, helm chart v2.3.29 2025-01-26 17:12:31 +03:00
ace
b94d794c2a bitwarden: bump to v1.33.0, helm chart v2.0.35 2025-01-26 17:12:28 +03:00
ace
7c84796f5f peertube: bump to v7.0.1, helm chart v0.4.1 2025-01-26 17:12:09 +03:00
ace
b09e51c39b bitwarden: bump to v1.32.7, helm chart v2.0.34 
peertube: bump to v7.0.0, helm chart v0.4.0
 2024-12-22 15:12:24 +03:00
ace
796483d2b5 bitwarden: bump to v1.32.5, helm chart v2.0.32 2024-11-19 17:59:15 +03:00
ace
373984242e adguard-home: bump to v0.107.54, helm chart v2.3.28 2024-11-11 13:34:41 +03:00
ace
96f81e7d3f bitwarden: bump to v1.32.4, helm chart v2.0.31 2024-11-11 13:34:39 +03:00
ace
d2cd7daa25 rspamd: bump to v3.10.2, helm chart v0.5.4 2024-11-03 17:07:36 +03:00
ace
dd2838a47b bitwarden: bump to v1.32.3, helm chart v2.0.30 2024-11-03 17:07:33 +03:00
ace
50fff3de7d peertube: bump to v6.3.3, helm chart v0.3.8 2024-11-03 17:07:32 +03:00
ace
626e71e16a wikijs: bump to v2.5.305, helm chart v2.3.17 2024-10-14 11:20:21 +03:00
ace
f83831aabf bitwarden: bump to v1.32.2, helm chart v2.0.29 2024-10-14 11:20:18 +03:00
ace
691e984150 peertube: bump to v6.3.2, helm chart v0.3.7 2024-10-08 14:41:53 +03:00
ace
c0b9d55820 peertube: bump to v6.3.1, helm chart v0.3.6 2024-10-08 10:58:24 +03:00
ace
060e445d4f gitea-act-runner: bump to v0.2.11, helm chart v0.1.11 2024-10-06 22:09:10 +03:00
ace
a6a99cdb91 adguard-home: bump to v0.107.53, helm chart v2.3.27 2024-10-04 04:57:24 +03:00
ace
895105f3d4 bitwarden: bump to v1.32.1, helm chart v2.0.28 2024-10-04 04:57:06 +03:00
ace
cfbedaebe0 wikijs: bump to v2.5.304, helm chart v2.3.16 2024-09-22 22:22:25 +03:00
ace
5ef80aed84 roundcube: bump to v1.6.9, helm chart v0.4.4 2024-09-03 19:41:36 +03:00
ace
769ba9cf5d postfix: bump to v3.5.9, helm chart v0.1.6 2024-08-24 03:30:22 +03:00
ace
db0458a87b rspamd: bump to v3.9.1, helm chart v0.5.3 2024-08-24 03:30:14 +03:00
ace
aa2f627b9d dovecot: bump to v2.3.16, helm chart v0.1.7 2024-08-24 03:30:13 +03:00
ace
7ca7f196ba postgres-operator: bump to v1.13.0, helm chart v1.13.0 2024-08-24 03:12:34 +03:00
ace
5f7967bf6a postgres-operator-ui: bump to v1.13.0, helm chart v1.13.0 2024-08-24 03:12:32 +03:00
ace
72a60c9e67 mastodon: bump to v4.2.12, helm chart v5.1.5 2024-08-19 19:25:21 +03:00
ace
097cb672f1 mastodon: bump to v4.2.11, helm chart v5.1.4 2024-08-19 14:16:47 +03:00
ace
7f13ed6508 bitwarden: bump to v1.32.0, helm chart v2.0.27 2024-08-13 02:49:04 +03:00
ace
c28dc5a64d roundcube: bump to v1.6.8, helm chart v0.4.3 2024-08-13 02:49:01 +03:00
ace
b1d06879b3 peertube: bump to v6.2.1, helm chart v0.3.5 2024-08-13 02:48:51 +03:00
ace
6f71f2ace1 mastodon: bump to v4.2.10, helm chart v5.1.3 2024-07-05 01:19:57 +03:00
ace
17bd057945 postgres-operator-ui: bump to v1.12.2, helm chart v1.12.2 2024-06-16 17:38:52 +03:00
ace
ffc7f36269 postgres-operator: bump to v1.12.2, helm chart v1.12.2 2024-06-16 17:38:50 +03:00
82 changed files with 2649 additions and 547 deletions
Expand all files Collapse all files

4
adguard-home/Chart.yaml
View File

@ -1,5 +1,5 @@
apiVersion: v2
appVersion: 0.107.50
appVersion: 0.107.63
description: DNS proxy as ad-blocker for local network
home: https://github.com/k8s-at-home/charts/tree/master/charts/adguard-home
icon: https://avatars3.githubusercontent.com/u/8361145?s=200&v=4?sanitize=true
@ -12,4 +12,4 @@ maintainers:
name: adguard-home
sources:
- https://github.com/AdguardTeam/AdGuardHome
version: 2.3.26
version: 2.3.33

2
adguard-home/values.yaml
View File

@ -4,7 +4,7 @@ strategyType: Recreate
image:
repository: adguard/adguardhome
# Image tag is set via charts appVersion. If you want to override the tag, specify it here
tag: v0.107.50
tag: v0.107.63
pullPolicy: IfNotPresent
nameOverride: ""

23
autovault/.helmignore Normal file
View File

@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

24
autovault/Chart.yaml Normal file
View File

@ -0,0 +1,24 @@
apiVersion: v2
name: autovault
description: A Helm chart for Kubernetes
# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.0
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "0.1.0"

62
autovault/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,62 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "autovault.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "autovault.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "autovault.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "autovault.labels" -}}
helm.sh/chart: {{ include "autovault.chart" . }}
{{ include "autovault.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "autovault.selectorLabels" -}}
app.kubernetes.io/name: {{ include "autovault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "autovault.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "autovault.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}

68
autovault/templates/configmap.yaml Normal file
View File

@ -0,0 +1,68 @@
---
kind: ConfigMap
apiVersion: v1
metadata:
name: {{ include "autovault.fullname" . }}-scripts
labels:
{{- include "autovault.labels" . | nindent 4 }}
data:
autovault.sh: |
#!/bin/bash
HOME=/vault/data
while [[ "$(curl -L -s -o /dev/null -w ''%{http_code}'' {{ .Values.vaultUrl }})" != "200" ]]; do sleep 5; done
export VAULT_ADDR={{ .Values.vaultUrl }}
INITIALIZED=$(vault status -format=json | jq -r '.initialized')
SEALED=$(vault status -format=json | jq -r '.sealed')
if [[ "$INITIALIZED" == "false" ]] ; then
vault operator init -key-threshold=1 -key-shares=1 -format=json > /vault/data/keys.json
fi
if [[ "$SEALED" == "true" ]] ; then
KEY=$(cat /vault/data/keys.json | jq -r '.unseal_keys_b64[0]')
vault operator unseal $KEY
fi
export VAULT_TOKEN=$(cat /vault/data/keys.json | jq -r '.root_token')
KV_ENABLED=$(vault secrets list | grep -i kv)
if [[ -z "$KV_ENABLED" ]] ; then
vault secrets enable -version=2 kv
fi
USERPASS_ENABLED=$(vault auth list | grep -i userpass)
if [[ -z "$USERPASS_ENABLED" ]] ; then
vault auth enable userpass
fi
APPROLE_ENABLED=$(vault auth list | grep -i approle)
if [[ -z "$APPROLE_ENABLED" ]] ; then
vault auth enable approle
fi
echo
echo "----------------------------------------------------------------"
echo
echo "Vault root token: ${VAULT_TOKEN}"
echo
echo "----------------------------------------------------------------"
echo
for APPROLE in {{ join " " .Values.autovaultGenSecretsApps }}; do
APPROLE_CREATED=$(vault read auth/approle/role/"$APPROLE"/role-id)
if [[ -z "$APPROLE_CREATED" ]] ; then
vault write -f auth/approle/role/"$APPROLE"
fi
kubectl get secret vault-secret-"$APPROLE" || \
{ APPROLE_ROLE_ID=$(vault read auth/approle/role/"$APPROLE"/role-id | grep "role_id\s" | awk '{print $2}') ; \
APPROLE_SECRET_ID=$(vault write -f auth/approle/role/"$APPROLE"/secret-id | grep "secret_id\s" | awk '{print $2}') ; \
kubectl create secret generic vault-secret-"$APPROLE" --from-literal=rootToken="$VAULT_TOKEN" --from-literal=roleId="$APPROLE_ROLE_ID" --from-literal=secretId="$APPROLE_SECRET_ID" ;
echo "$APPROLE role-id = $APPROLE_ROLE_ID" ; }
done
vault auth list

54
autovault/templates/cronjob.yaml Normal file
View File

@ -0,0 +1,54 @@
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: {{ include "autovault.fullname" . }}
labels:
{{- include "autovault.labels" . | nindent 4 }}
spec:
concurrencyPolicy: Forbid
schedule: {{ .Values.autovaultSchedule | quote }}
successfulJobsHistoryLimit: 1
failedJobsHistoryLimit: 1
jobTemplate:
spec:
backoffLimit: 2
activeDeadlineSeconds: 300
template:
spec:
serviceAccountName: {{ include "autovault.fullname" . }}
restartPolicy: Never
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: autovault
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
volumeMounts:
- name: {{ include "autovault.fullname" . }}-data
mountPath: /vault/data
- name: {{ include "autovault.fullname" . }}-scripts
mountPath: /vault/scripts
command: [ "/bin/bash", "-c", "/vault/scripts/autovault.sh" ]
volumes:
- name: {{ include "autovault.fullname" . }}-data
persistentVolumeClaim:
claimName: {{ include "autovault.fullname" . }}-data
- name: {{ include "autovault.fullname" . }}-scripts
configMap:
name: {{ include "autovault.fullname" . }}-scripts
defaultMode: 0777
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}

26
autovault/templates/pvc.yaml Normal file
View File

@ -0,0 +1,26 @@
---
{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: {{ template "autovault.fullname" . }}-data
labels:
{{- include "autovault.labels" . | nindent 4 }}
{{- if .Values.persistence.annotations }}
annotations:
{{ toYaml .Values.persistence.annotations | indent 4 }}
{{- end }}
spec:
accessModes:
- {{ .Values.persistence.accessMode | quote }}
resources:
requests:
storage: {{ .Values.persistence.size | quote }}
{{- if .Values.persistence.storageClass }}
{{- if (eq "-" .Values.persistence.storageClass) }}
storageClassName: ""
{{- else }}
storageClassName: "{{ .Values.persistence.storageClass }}"
{{- end }}
{{- end }}
{{- end }}

26
autovault/templates/role.yaml Normal file
View File

@ -0,0 +1,26 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "autovault.fullname" . }}
labels:
{{- include "autovault.labels" . | nindent 4 }}
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["list", "get", "watch", "create", "delete"]
- apiGroups: [""]
resources: ["pods/exec"]
verbs: ["create"]
- apiGroups: [""]
resources: ["pods/log"]
verbs: ["get"]
- apiGroups: [""]
resources: ["pods/attach"]
verbs: ["list", "get", "create", "delete", "update"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["list", "get", "create", "delete", "update"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["list", "get", "create", "delete", "update"]

15
autovault/templates/rolebinging.yaml Normal file
View File

@ -0,0 +1,15 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "autovault.fullname" . }}
labels:
{{- include "autovault.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
name: {{ include "autovault.fullname" . }}
kind: Role
subjects:
- kind: ServiceAccount
name: {{ include "autovault.fullname" . }}
namespace: {{ .Release.Namespace }}

13
autovault/templates/serviceaccount.yaml Normal file
View File

@ -0,0 +1,13 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "autovault.serviceAccountName" . }}
labels:
{{- include "autovault.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
{{- end }}

107
autovault/values.yaml Normal file
View File

@ -0,0 +1,107 @@
# Default values for autovault.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
# This will set the replicaset count more information can be found here: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/
replicaCount: 1
# This sets the container image more information can be found here: https://kubernetes.io/docs/concepts/containers/images/
image:
repository: gitea.geekhome.org/ghp/autovault
# This sets the pull policy for images.
pullPolicy: Always
# Overrides the image tag whose default is the chart appVersion.
tag: "0.1.0-1"
# This is for the secrets for pulling an image from a private repository more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
imagePullSecrets: []
# This is to override the chart name.
nameOverride: ""
fullnameOverride: ""
vaultUrl: "http://vault:8200"
autovaultGenSecretsApps:
- approle1
autovaultSchedule: "0/5 * * * *"
# This section builds out the service account more information can be found here: https://kubernetes.io/docs/concepts/security/service-accounts/
serviceAccount:
# Specifies whether a service account should be created
create: true
# Automatically mount a ServiceAccount's API credentials?
automount: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
# This is for setting Kubernetes Annotations to a Pod.
# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
podAnnotations: {}
# This is for setting Kubernetes Labels to a Pod.
# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
podLabels: {}
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
persistence:
enabled: true
annotations: {}
## PeerTube data Persistent Volume Storage Class
## If defined, storageClassName: <storageClass>
## If set to "-", storageClassName: "", which disables dynamic provisioning
## If undefined (the default) or set to null, no storageClassName spec is
## set, choosing the default provisioner. (gp2 on AWS, standard on
## GKE, AWS & OpenStack)
##
# storageClass: "-"
## A manually managed Persistent Volume and Claim
## Requires persistence.enabled: true
## If defined, PVC must be created manually before volume will be bound
# existingClaim:
accessMode: ReadWriteOnce
size: 1Mi
# Additional volumes on the output Deployment definition.
volumes: []
# - name: foo
# secret:
# secretName: mysecret
# optional: false
# Additional volumeMounts on the output Deployment definition.
volumeMounts: []
# - name: foo
# mountPath: "/etc/foo"
# readOnly: true
nodeSelector: {}
tolerations: []
affinity: {}

4
bitwarden/Chart.yaml
View File

@ -1,5 +1,5 @@
apiVersion: v2
appVersion: 1.30.5
appVersion: 1.34.1
description: Unofficial Bitwarden compatible server written in Rust
home: https://github.com/k8s-at-home/charts/tree/master/charts/bitwardenrs
icon: https://raw.githubusercontent.com/bitwarden/brand/master/icons/256x256.png
@ -17,4 +17,4 @@ name: bitwarden
sources:
- https://github.com/dani-garcia/bitwarden_rs
type: application
version: 2.0.25
version: 2.0.38

2
bitwarden/values.yaml
View File

@ -5,7 +5,7 @@ replicaCount: 1
image:
repository: vaultwarden/server
pullPolicy: IfNotPresent
tag: "1.30.5"
tag: "1.34.1"
imagePullSecrets: []
nameOverride: ""

2
dovecot/Chart.yaml
View File

@ -14,7 +14,7 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
version: 0.1.6
version: 0.1.8
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application.

2
dovecot/values.yaml
View File

@ -14,7 +14,7 @@ tls:
dovecot:
image:
repository: gitea.geekhome.org/ghp/dovecot
tag: 2.3.16-3
tag: 2.3.16-5
pullPolicy: Always
configmaps:
dovecot:

4
gitea-act-runner/Chart.yaml
View File

@ -15,10 +15,10 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.10
version: 0.1.12
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "0.2.10"
appVersion: "0.2.11"

4
gitea-act-runner/templates/statefulset.yaml
View File

@ -32,7 +32,7 @@ spec:
- name: {{ .Chart.Name }}-runner
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
image: "{{ .Values.image.runner.repository }}:{{ .Values.image.runner.tag | default .Chart.AppVersion }}"
command: ["/bin/sh"]
args: ["-c", "while ! nc -z localhost 2376 </dev/null; do echo 'waiting for docker daemon...'; sleep 5; done; /sbin/tini -- /opt/act/run.sh"]
imagePullPolicy: {{ .Values.image.pullPolicy }}
@ -81,7 +81,7 @@ spec:
resources:
{{- toYaml .Values.resources | nindent 12 }}
- name: {{ .Chart.Name }}-daemon
image: docker:23.0.6-dind
image: "{{ .Values.image.daemon.repository }}:{{ .Values.image.daemon.tag | default .Chart.AppVersion }}"
env:
- name: DOCKER_TLS_CERTDIR
value: /certs

13
gitea-act-runner/values.yaml
View File

@ -5,10 +5,15 @@
replicaCount: 1
image:
repository: gitea/act_runner
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
tag: "0.2.10"
runner:
repository: gitea/act_runner
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
tag: "0.2.11"
daemon:
repository: docker
pullPolicy: IfNotPresent
tag: "27.5.1-dind"
imagePullSecrets: []
nameOverride: ""

23
kanidm/.helmignore Normal file
View File

@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

24
kanidm/Chart.yaml Normal file
View File

@ -0,0 +1,24 @@
apiVersion: v2
name: kanidm
description: A Helm chart for Kubernetes
# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.2.2
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "1.6.4"

22
kanidm/templates/NOTES.txt Normal file
View File

@ -0,0 +1,22 @@
1. Get the application URL by running these commands:
{{- if .Values.ingress.enabled }}
{{- range $host := .Values.ingress.hosts }}
{{- range .paths }}
http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
{{- end }}
{{- end }}
{{- else if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "kanidm.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch its status by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "kanidm.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "kanidm.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
echo http://$SERVICE_IP:{{ .Values.service.port }}
{{- else if contains "ClusterIP" .Values.service.type }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "kanidm.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
echo "Visit http://127.0.0.1:8080 to use your application"
kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
{{- end }}

62
kanidm/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,62 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "kanidm.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "kanidm.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "kanidm.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "kanidm.labels" -}}
helm.sh/chart: {{ include "kanidm.chart" . }}
{{ include "kanidm.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "kanidm.selectorLabels" -}}
app.kubernetes.io/name: {{ include "kanidm.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "kanidm.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "kanidm.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}

136
kanidm/templates/configmap.yaml Normal file
View File

@ -0,0 +1,136 @@
kind: ConfigMap
apiVersion: v1
metadata:
name: {{ include "kanidm.fullname" . }}-config
labels:
{{- include "kanidm.labels" . | nindent 4 }}
data:
server.toml: |
# The server configuration file version.
version = "2"
# The webserver bind address. Requires TLS certificates.
# If the port is set to 443 you may require the
# NET_BIND_SERVICE capability.
# Defaults to "127.0.0.1:8443"
bindaddress = "{{ tpl .Values.kanidm.bindaddress $ }}"
#
# The read-only ldap server bind address. Requires
# TLS certificates. If set to 636 you may require
# the NET_BIND_SERVICE capability.
# Defaults to "" (disabled)
{{- if .Values.kanidmLdap.enabled }}
dapbindaddress = "{{ tpl .Values.kanidmLdap.dapbindaddress $ }}"
{{- else }}
# ldapbindaddress = "{{ tpl .Values.kanidmLdap.dapbindaddress $ }}"
{{- end }}
#
# The path to the kanidm database.
db_path = "{{ .Values.kanidm.db_path }}"
#
# If you have a known filesystem, kanidm can tune the
# database page size to match. Valid choices are:
# [zfs, other]
# If you are unsure about this leave it as the default
# (other). After changing this
# value you must run a vacuum task.
# - zfs:
# * sets database pagesize to 64k. You must set
# recordsize=64k on the zfs filesystem.
# - other:
# * sets database pagesize to 4k, matching most
# filesystems block sizes.
{{- if .Values.kanidm.db_fs_type }}
db_fs_type = "{{ .Values.kanidm.db_fs_type }}"
{{- else }}
# db_fs_type = "zfs"
{{- end }}
#
# The number of entries to store in the in-memory cache.
# Minimum value is 256. If unset
# an automatic heuristic is used to scale this.
# You should only adjust this value if you experience
# memory pressure on your system.
{{- if .Values.kanidm.db_arc_size }}
db_arc_size = {{ .Values.kanidm.db_arc_size }}
{{- else }}
# db_arc_size = 2048
{{- end }}
#
# TLS chain and key in pem format. Both must be present.
# If the server receives a SIGHUP, these files will be
# re-read and reloaded if their content is valid.
tls_chain = "{{ .Values.kanidm.tls_chain }}"
tls_key = "{{ .Values.kanidm.tls_key }}"
#
# The log level of the server. May be one of info, debug, trace
#
# NOTE: this can be overridden by the environment variable
# `KANIDM_LOG_LEVEL` at runtime
# Defaults to "info"
log_level = "{{ .Values.kanidm.log_level }}"
#
# The DNS domain name of the server. This is used in a
# number of security-critical contexts
# such as webauthn, so it *must* match your DNS
# hostname. It is used to create
# security principal names such as `william@idm.example.com`
# so that in a (future) trust configuration it is possible
# to have unique Security Principal Names (spns) throughout
# the topology.
#
# ⚠️ WARNING ⚠️
#
# Changing this value WILL break many types of registered
# credentials for accounts including but not limited to
# webauthn, oauth tokens, and more.
# If you change this value you *must* run
# `kanidmd domain rename` immediately after.
domain = "{{ tpl .Values.kanidm.domain $ }}"
#
# The origin for webauthn. This is the url to the server,
# with the port included if it is non-standard (any port
# except 443). This must match or be a descendent of the
# domain name you configure above. If these two items are
# not consistent, the server WILL refuse to start!
# origin = "https://idm.example.com"
origin = "https://{{ tpl .Values.kanidm.domain $ }}:{{ .Values.service.port }}"
#
# HTTPS requests can be reverse proxied by a loadbalancer.
# To preserve the original IP of the caller, these systems
# will often add a header such as "Forwarded" or
# "X-Forwarded-For". Some other proxies can use the PROXY
# protocol v2 header.
# This setting allows configuration of the range of trusted
# IPs which can supply this header information, and which
# format the information is provided in.
# Defaults to "none" (no trusted sources)
# Only one option can be used at a time.
# [http_client_address_info]
# proxy-v2 = ["127.0.0.1"]
# # OR
# x-forward-for = ["127.0.0.1"]
# LDAPS requests can be reverse proxied by a loadbalancer.
# To preserve the original IP of the caller, these systems
# can add a header such as the PROXY protocol v2 header.
# This setting allows configuration of the range of trusted
# IPs which can supply this header information, and which
# format the information is provided in.
# Defaults to "none" (no trusted sources)
# [ldap_client_address_info]
# proxy-v2 = ["127.0.0.1"]
{{- if .Values.kanidmOnlineBackup.enabled }}
[online_backup]
# The path to the output folder for online backups
path = "{{ .Values.kanidmOnlineBackup.path }}"
# The schedule to run online backups (see https://crontab.guru/)
# every day at 22:00 UTC (default)
schedule = "{{ .Values.kanidmOnlineBackup.schedule }}"
# four times a day at 3 minutes past the hour, every 6th hours
# schedule = "03 */6 * * *"
# We also support non standard cron syntax, with the following format:
# sec min hour day of month month day of week year
# (it's very similar to the standard cron syntax, it just allows to specify the seconds
# at the beginning and the year at the end)
# Number of backups to keep (default 7)
versions = {{ .Values.kanidmOnlineBackup.versions }}
{{- end }}

147
kanidm/templates/deployment.yaml Normal file
View File

@ -0,0 +1,147 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "kanidm.fullname" . }}
labels:
{{- include "kanidm.labels" . | nindent 4 }}
spec:
{{- if not .Values.autoscaling.enabled }}
replicas: {{ .Values.replicaCount }}
{{- end }}
{{- if .Values.strategy }}
strategy:
{{ toYaml .Values.strategy | indent 2 }}
{{- end }}
selector:
matchLabels:
{{- include "kanidm.selectorLabels" . | nindent 6 }}
template:
metadata:
annotations:
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
{{- with .Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "kanidm.labels" . | nindent 8 }}
{{- with .Values.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "kanidm.serviceAccountName" . }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
shareProcessNamespace: true
initContainers:
- name: {{ .Chart.Name }}-certs
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
command:
- bash
- -c
- kanidmd cert-generate
imagePullPolicy: {{ .Values.image.pullPolicy }}
volumeMounts:
- name: kanidm-data
mountPath: "/data"
- name: kanidm-config
mountPath: /data/server.toml
subPath: server.toml
{{- with .Values.volumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
- name: {{ .Chart.Name }}-db-pass
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
command:
- sh
- -c
- |
/sbin/kanidmd server -c /data/server.toml &
serverPID=$!
until curl -k --output /dev/null --silent --head --fail https://localhost:{{ .Values.service.port }}; do
printf '.'
sleep 5
done
echo "##### Start domain upgrade-check"
/sbin/kanidmd domain upgrade-check
echo "##### Done domain upgrade-check"
ADMIN_PASS=$(kanidmd recover-account admin 2>/dev/null | gawk 'match($0, /new_password:(.*)/, a) { gsub(/ |"/, "", a[1]); print a[1]}')
IDM_ADMIN_PASS=$(kanidmd recover-account idm_admin 2>/dev/null | gawk 'match($0, /new_password:(.*)/, a) { gsub(/ |"/, "", a[1]); print a[1]}')
kill $serverPID
kubectl delete secret kanidm-passwords --ignore-not-found
kubectl create secret generic kanidm-passwords --from-literal=admin="$ADMIN_PASS" --from-literal=idm_admin="$IDM_ADMIN_PASS"
imagePullPolicy: {{ .Values.image.pullPolicy }}
volumeMounts:
- name: kanidm-data
mountPath: "/data"
- name: kanidm-config
mountPath: /data/server.toml
subPath: server.toml
{{- with .Values.volumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
ports:
- name: http
containerPort: {{ .Values.service.port }}
protocol: TCP
{{- if .Values.kanidmLdap.enabled }}
- name: ldap
containerPort: {{ .Values.service.ldap }}
protocol: TCP
{{- end }}
livenessProbe:
{{- toYaml .Values.livenessProbe | nindent 12 }}
readinessProbe:
{{- toYaml .Values.readinessProbe | nindent 12 }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
volumeMounts:
- name: kanidm-data
mountPath: "/data"
- name: kanidm-config
mountPath: /data/server.toml
subPath: server.toml
{{- with .Values.volumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
volumes:
- name: kanidm-data
{{- if .Values.persistence.enabled }}
persistentVolumeClaim:
claimName: {{ .Values.persistence.existingClaim | default (include "kanidm.fullname" .) }}-data
{{- else }}
emptyDir: {}
{{- end }}
- name: kanidm-config
configMap:
name: {{ include "kanidm.fullname" . }}-config
{{- with .Values.volumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}

32
kanidm/templates/hpa.yaml Normal file
View File

@ -0,0 +1,32 @@
{{- if .Values.autoscaling.enabled }}
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "kanidm.fullname" . }}
labels:
{{- include "kanidm.labels" . | nindent 4 }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "kanidm.fullname" . }}
minReplicas: {{ .Values.autoscaling.minReplicas }}
maxReplicas: {{ .Values.autoscaling.maxReplicas }}
metrics:
{{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
{{- end }}
{{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
- type: Resource
resource:
name: memory
target:
type: Utilization
averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
{{- end }}
{{- end }}

61
kanidm/templates/ingress.yaml Normal file
View File

@ -0,0 +1,61 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "kanidm.fullname" . -}}
{{- $svcPort := .Values.service.port -}}
{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
{{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
{{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
{{- end }}
{{- end }}
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1
{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}
labels:
{{- include "kanidm.labels" . | nindent 4 }}
{{- with .Values.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
ingressClassName: {{ .Values.ingress.className }}
{{- end }}
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ .path }}
{{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
pathType: {{ .pathType }}
{{- end }}
backend:
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
service:
name: {{ $fullName }}
port:
number: {{ $svcPort }}
{{- else }}
serviceName: {{ $fullName }}
servicePort: {{ $svcPort }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

26
kanidm/templates/pvc.yaml Normal file
View File

@ -0,0 +1,26 @@
---
{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: {{ template "kanidm.fullname" . }}-data
labels:
{{- include "kanidm.labels" . | nindent 4 }}
{{- if .Values.persistence.annotations }}
annotations:
{{ toYaml .Values.persistence.annotations | indent 4 }}
{{- end }}
spec:
accessModes:
- {{ .Values.persistence.accessMode | quote }}
resources:
requests:
storage: {{ .Values.persistence.size | quote }}
{{- if .Values.persistence.storageClass }}
{{- if (eq "-" .Values.persistence.storageClass) }}
storageClassName: ""
{{- else }}
storageClassName: "{{ .Values.persistence.storageClass }}"
{{- end }}
{{- end }}
{{- end }}

26
kanidm/templates/role.yaml Normal file
View File

@ -0,0 +1,26 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "kanidm.fullname" . }}
labels:
{{- include "kanidm.labels" . | nindent 4 }}
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["list", "get", "watch", "create", "delete"]
- apiGroups: [""]
resources: ["pods/exec"]
verbs: ["create"]
- apiGroups: [""]
resources: ["pods/log"]
verbs: ["get"]
- apiGroups: [""]
resources: ["pods/attach"]
verbs: ["list", "get", "create", "delete", "update"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["list", "get", "create", "delete", "update"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["list", "get", "create", "delete", "update"]

15
kanidm/templates/rolebinging.yaml Normal file
View File

@ -0,0 +1,15 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "kanidm.fullname" . }}
labels:
{{- include "kanidm.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
name: {{ include "kanidm.fullname" . }}
kind: Role
subjects:
- kind: ServiceAccount
name: {{ include "kanidm.fullname" . }}
namespace: {{ .Release.Namespace }}

21
kanidm/templates/service.yaml Normal file
View File

@ -0,0 +1,21 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "kanidm.fullname" . }}
labels:
{{- include "kanidm.labels" . | nindent 4 }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.port }}
targetPort: http
protocol: TCP
name: http
{{- if .Values.kanidmLdap.enabled }}
- port: {{ .Values.service.ldap }}
targetPort: ldap
protocol: TCP
name: ldap
{{- end }}
selector:
{{- include "kanidm.selectorLabels" . | nindent 4 }}

13
kanidm/templates/serviceaccount.yaml Normal file
View File

@ -0,0 +1,13 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "kanidm.serviceAccountName" . }}
labels:
{{- include "kanidm.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
{{- end }}

15
kanidm/templates/tests/test-connection.yaml Normal file
View File

@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: "{{ include "kanidm.fullname" . }}-test-connection"
labels:
{{- include "kanidm.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": test
spec:
containers:
- name: wget
image: busybox
command: ['wget']
args: ['{{ include "kanidm.fullname" . }}:{{ .Values.service.port }}']
restartPolicy: Never

154
kanidm/values.yaml Normal file
View File

@ -0,0 +1,154 @@
# Default values for kanidm.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
replicaCount: 1
strategy:
type: Recreate
image:
repository: gitea.geekhome.org/ghp/kanidm
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
tag: "1.6.4-1"
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
kanidm:
bindaddress: "[::]:{{ .Values.service.port }}"
domain: "idm.example.com"
#origin: "https://{{ .Values.kanidm.domain }}:{{ .Values.service.port }}"
db_path: "/data/kanidm.db"
#db_fs_type: "zfs"
#db_arc_size: "2048"
tls_chain: "/data/chain.pem"
tls_key: "/data/key.pem"
log_level: "debug"
kanidmLdap:
enabled: false
dapbindaddress: "[::]:{{ .Values.service.ldap }}"
kanidmOnlineBackup:
enabled: true
path: "/data/kanidm/backups/"
schedule: "00 22 * * *"
versions: "7"
serviceAccount:
# Specifies whether a service account should be created
create: true
# Automatically mount a ServiceAccount's API credentials?
automount: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
podAnnotations: {}
podLabels: {}
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
service:
type: ClusterIP
port: 443
ldap: 636
ingress:
enabled: false
className: ""
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
hosts:
- host: chart-example.local
paths:
- path: /
pathType: ImplementationSpecific
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
persistence:
enabled: true
annotations: {}
## PeerTube data Persistent Volume Storage Class
## If defined, storageClassName: <storageClass>
## If set to "-", storageClassName: "", which disables dynamic provisioning
## If undefined (the default) or set to null, no storageClassName spec is
## set, choosing the default provisioner. (gp2 on AWS, standard on
## GKE, AWS & OpenStack)
##
# storageClass: "-"
## A manually managed Persistent Volume and Claim
## Requires persistence.enabled: true
## If defined, PVC must be created manually before volume will be bound
# existingClaim:
accessMode: ReadWriteOnce
size: 1Gi
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
livenessProbe:
httpGet:
scheme: HTTPS
path: /status
port: http
readinessProbe:
httpGet:
scheme: HTTPS
path: /status
port: http
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 100
targetCPUUtilizationPercentage: 80
# targetMemoryUtilizationPercentage: 80
# Additional volumes on the output Deployment definition.
volumes: []
# - name: foo
# secret:
# secretName: mysecret
# optional: false
# Additional volumeMounts on the output Deployment definition.
volumeMounts: []
# - name: foo
# mountPath: "/etc/foo"
# readOnly: true
nodeSelector: {}
tolerations: []
affinity: {}

10
mastodon/.github/workflows/test-chart.yml vendored
View File

@ -17,7 +17,7 @@ permissions:
jobs:
lint-templates:
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v3
@ -53,7 +53,7 @@ jobs:
# basic configuration can be used to successfully startup mastodon.
#
test-install:
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
timeout-minutes: 15
strategy:
@ -75,7 +75,7 @@ jobs:
# available for use in the templates, currently we need v3.6.0 or
# higher.
#
- k3s-channel: v1.21
- k3s-channel: v1.28
helm-version: v3.8.0
env:
@ -109,7 +109,7 @@ jobs:
run: |
helm install mastodon . \
--values dev-values.yaml \
--timeout 10m
--timeout 15m
# This actions provides a report about the state of the k8s cluster,
# providing logs etc on anything that has failed and workloads marked as
@ -125,7 +125,5 @@ jobs:
deploy/mastodon-sidekiq
deploy/mastodon-streaming
deploy/mastodon-web
job/mastodon-assets-precompile
job/mastodon-chewy-upgrade
job/mastodon-create-admin
job/mastodon-db-migrate

1
mastodon/.gitignore vendored
View File

@ -1 +1,2 @@
charts/
.DS_Store

135
mastodon/CHANGELOG.md
View File

@ -1,3 +1,138 @@
# 6.5.0
Updated the Mastodon version to v4.4.1. Please read the [4.4.0 release notes](https://github.com/mastodon/mastodon/releases/tag/v4.4.0) before updating from a version < 4.4. In particular:
- Redis & Postgres minimum versions have been bumped to 6.2 and 13 respectively
- Redis namespace support has been dropped
- No-downtime updates from versions before 4.3.0 are not supported
- Elasticsearch mappings need to be updated manually via `tootctl` after deploying this new version
- The new experimental Fediverse Auxiliary Service (`fasp`) Sidekiq queue needs to be added to the list of processed queues if you changed the default Sidekiq values
# 6.4.0
- Added configuration for [bulk SMTP](https://docs.joinmastodon.org/admin/config/#optional-bulk-email-settings):
```yaml
mastodon:
smtp:
bulk:
```
# 6.3.4
- Updated the Mastodon version to v4.3.9
# 6.3.3
- Updated the Mastodon version to v4.3.8
# 6.3.2
- No longer sets `DEFAULT_LOCALE` to `en` by default; leaves this value unset.
# 6.3.1
- Removed DB_POOL from the ConfigMap as we should never have to override this.
# 6.3.0
- Added `nodeSelector` fields for every resource type for better fine-grain tuning of where resources end up.
# 6.2.4
- Fixed an issue where redis secrets specified in values or the helm CLI wouldn't be used by the db-prepare job on install.
# 6.2.3
- Updated the Mastodon version to v4.3.7
# 6.2.2
- `app.kubernetes.io/version` shortens any potential digest hash to 7 characters to avoid hitting the 63 character label limit.
# 6.2.1
- Fixed some situations where disabling all bitnami charts caused it to error.
- Fixed a potential null postgresql host value error.
# 6.2.0
- Added ability to add pod labels to pods created from Deployment objects at the global level
# 6.1.1
- Updated the Mastodon version to v4.3.6
# 6.1.0
- Added a new job to re/build elasticsearch indices as a post-upgrade hook:
```yaml
mastodon:
hooks:
deploySearch:
```
# 6.0.3
- Updated the Mastodon version to v4.3.5
# 6.0.2
- Helm version tagging now utilizes `.Values.image.tag` when set.
# 6.0.1
- Added additional values to separate out `db:prepare` and `db:migrate` jobs and whether they should run:
```yaml
mastodon:
hooks:
dbPrepare:
enabled: true
dbMigrate:
enabled: true
```
# 6.0.0
### !! BREAKING CHANGES !!
- Services for web & streaming now use `ipFamilyPolicy: PreferDualStack`. This will cause upgrades on existing deployments to fail, as kubernetes cannot patch this field. Please remove both service objects before running `helm upgrade` (services are `mastodon-web` and `mastodon-streaming` by default).
### Features
- Added prometheus metrics config for web and sidekiq pods (feature will be available with Mastodon v4.4).
```yaml
mastodon:
metrics:
prometheus:
```
- Added ability to automatically upload assets to an S3 bucket:
```yaml
mastodon:
hooks:
s3Upload:
```
- Added OpenTelemetry metrics:
```yaml
mastodon:
otel:
---
mastodon:
sidekiq:
otel:
---
mastodon:
web:
otel:
```
- Fine-grained control of labels and annotations for both pods and deployments.
- Additional redis options for separate instances (app, sidekiq, cache).
- Configurable PodDisruptionBudgets for web and streaming pods.
### Fixes
- Various database migrations fixes
- Fixed first-time install DB setup on self-managed databases
- Fixed running migrations through a connection pooler.
- Removed old, unused jobs:
- chewy upgrade (use `tootctl search deploy` instead)
- assets precompile
# 5.1.0
- Added values for Active Record Encryption in Redis:

4
mastodon/Chart.yaml
View File

@ -15,12 +15,12 @@ type: application
# This is the chart version. This version number should be incremented each time
# you make changes to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 5.1.2
version: 6.5.0
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
appVersion: v4.2.9
appVersion: "v4.4.1"
dependencies:
- name: elasticsearch

111
mastodon/templates/_db-migrate.tpl Normal file
View File

@ -0,0 +1,111 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Spec template for DB migration pre- and post-install/upgrade jobs.
*/}}
{{- define "mastodon.dbMigrateJob" -}}
apiVersion: batch/v1
kind: Job
metadata:
{{- if .prepare }}
name: {{ include "mastodon.fullname" . }}-db-prepare
{{- else if .preDeploy }}
name: {{ include "mastodon.fullname" . }}-db-pre-migrate
{{- else }}
name: {{ include "mastodon.fullname" . }}-db-post-migrate
{{- end }}
labels:
{{- include "mastodon.labels" . | nindent 4 }}
annotations:
{{- if .prepare }}
"helm.sh/hook": pre-install
{{- else if .preDeploy }}
"helm.sh/hook": pre-upgrade
{{- else }}
"helm.sh/hook": post-install,post-upgrade
{{- end }}
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
{{- if .prepare }}
"helm.sh/hook-weight": "-3"
{{- else }}
"helm.sh/hook-weight": "-2"
{{- end }}
spec:
template:
metadata:
name: {{ include "mastodon.fullname" . }}-db-migrate
{{- with .Values.jobAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
restartPolicy: Never
containers:
- name: {{ include "mastodon.fullname" . }}-db-migrate
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- bundle
- exec
- rake
{{- if .prepare }}
- db:prepare
{{- else }}
- db:migrate
{{- end }}
envFrom:
- secretRef:
name: {{ template "mastodon.secretName" . }}
env:
- name: "DB_HOST"
value: {{ template "mastodon.postgres.direct.host" . }}
- name: "DB_PORT"
value: {{ template "mastodon.postgres.direct.port" . }}
- name: "DB_NAME"
value: {{ template "mastodon.postgres.direct.database" . }}
- name: "DB_USER"
value: {{ .Values.postgresql.auth.username }}
- name: "DB_PASS"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.postgresql.secretName" . }}
key: password
- name: "REDIS_HOST"
value: {{ template "mastodon.redis.host" . }}
- name: "REDIS_PORT"
value: {{ .Values.redis.port | default "6379" | quote }}
{{- if .Values.redis.sidekiq.enabled }}
{{- if .Values.redis.sidekiq.hostname }}
- name: SIDEKIQ_REDIS_HOST
value: {{ .Values.redis.sidekiq.hostname }}
{{- end }}
{{- if .Values.redis.sidekiq.port }}
- name: SIDEKIQ_REDIS_PORT
value: {{ .Values.redis.sidekiq.port | quote }}
{{- end }}
{{- end }}
{{- if .Values.redis.cache.enabled }}
{{- if .Values.redis.cache.hostname }}
- name: CACHE_REDIS_HOST
value: {{ .Values.redis.cache.hostname }}
{{- end }}
{{- if .Values.redis.cache.port }}
- name: CACHE_REDIS_PORT
value: {{ .Values.redis.cache.port | quote }}
{{- end }}
{{- end }}
- name: "REDIS_DRIVER"
value: "ruby"
- name: "REDIS_PASSWORD"
valueFrom:
secretKeyRef:
{{- if and (.prepare) (not .Values.redis.enabled) (not .Values.redis.auth.existingSecret) (not .Values.redis.existingSecret) (.Values.redis.auth.password) }}
name: {{ template "mastodon.redis.secretName" . }}-pre-install
{{- else }}
name: {{ template "mastodon.redis.secretName" . }}
{{- end }}
key: redis-password
{{- if .preDeploy }}
- name: "SKIP_POST_DEPLOYMENT_MIGRATIONS"
value: "true"
{{- end }}
{{- end }}

84
mastodon/templates/_helpers.tpl
View File

@ -47,7 +47,9 @@ Common labels
helm.sh/chart: {{ include "mastodon.chart" . }}
{{ include "mastodon.selectorLabels" . }}
{{ include "mastodon.globalLabels" . }}
{{- if .Chart.AppVersion }}
{{- if .Values.image.tag }}
app.kubernetes.io/version: {{ regexReplaceAll "@(\\w+:\\w{0,7})\\w*" .Values.image.tag "@${1}" | quote }}
{{- else if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
@ -90,7 +92,7 @@ Create the name of the assets persistent volume to use
{{- if .Values.mastodon.persistence.assets.existingClaim }}
{{- printf "%s" (tpl .Values.mastodon.persistence.assets.existingClaim $) -}}
{{- else -}}
{{- printf "%s-assets" (include "common.names.fullname" .) -}}
{{- printf "%s-assets" (include "mastodon.fullname" .) -}}
{{- end -}}
{{- end -}}
@ -101,7 +103,7 @@ Create the name of the system persistent volume to use
{{- if .Values.mastodon.persistence.system.existingClaim }}
{{- printf "%s" (tpl .Values.mastodon.persistence.system.existingClaim $) -}}
{{- else -}}
{{- printf "%s-system" (include "common.names.fullname" .) -}}
{{- printf "%s-system" (include "mastodon.fullname" .) -}}
{{- end -}}
{{- end -}}
@ -121,6 +123,60 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
{{- printf "%s-%s" .Release.Name "postgresql" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Establish which values we will use for remote connections
*/}}
{{- define "mastodon.postgres.host" -}}
{{- if .Values.postgresql.enabled }}
{{- printf "%s" (include "mastodon.postgresql.fullname" .) -}}
{{- else }}
{{- printf "%s" (required "When the postgresql chart is disabled .Values.postgresql.postgresqlHostname is required" .Values.postgresql.postgresqlHostname) -}}
{{- end }}
{{- end }}
{{- define "mastodon.postgres.port" -}}
{{- if .Values.postgresql.enabled }}
{{- printf "%d" 5432 | int | quote -}}
{{- else }}
{{- printf "%d" | default 5432 .Values.postgresql.postgresqlPort | int | quote -}}
{{- end }}
{{- end }}
{{/*
Establish which values we will use for direct remote DB connections
*/}}
{{- define "mastodon.postgres.direct.host" -}}
{{- if .Values.postgresql.direct.hostname }}
{{- printf "%s" .Values.postgresql.direct.hostname -}}
{{- else }}
{{- printf "%s" (include "mastodon.postgres.host" .) -}}
{{- end }}
{{- end }}
{{- define "mastodon.postgres.direct.port" -}}
{{- if .Values.postgresql.direct.port }}
{{- printf "%d" (int .Values.postgresql.direct.port) | quote -}}
{{- else }}
{{- printf "%s" (include "mastodon.postgres.port" .) -}}
{{- end }}
{{- end }}
{{- define "mastodon.postgres.direct.database" -}}
{{- if .Values.postgresql.direct.database }}
{{- printf "%s" .Values.postgresql.direct.database -}}
{{- else }}
{{- printf "%s" .Values.postgresql.auth.database -}}
{{- end }}
{{- end }}
{{- define "mastodon.redis.host" -}}
{{- if .Values.redis.enabled }}
{{- printf "%s-%s" (include "mastodon.redis.fullname" .) "master" -}}
{{- else }}
{{- printf "%s" (required "When the redis chart is disabled .Values.redis.hostname is required" .Values.redis.hostname) -}}
{{- end }}
{{- end }}
{{/*
Get the mastodon secret.
*/}}
@ -133,7 +189,7 @@ Get the mastodon secret.
{{- end -}}
{{/*
Get the smtp secret.
Get the smtp secrets.
*/}}
{{- define "mastodon.smtp.secretName" -}}
{{- if .Values.mastodon.smtp.existingSecret }}
@ -143,6 +199,14 @@ Get the smtp secret.
{{- end -}}
{{- end -}}
{{- define "mastodon.smtp.bulk.secretName" -}}
{{- if .Values.mastodon.smtp.bulk.existingSecret }}
{{- printf "%s" (tpl .Values.mastodon.smtp.bulk.existingSecret $) -}}
{{- else -}}
{{- printf "%s-smtp-bulk" (include "mastodon.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Get the postgresql secret.
*/}}
@ -214,18 +278,6 @@ Return true if a mastodon secret object should be created
{{- end -}}
{{- end -}}
{{/*
Find highest number of needed database connections to set DB_POOL variable
*/}}
{{- define "mastodon.maxDbPool" -}}
{{/* Default MAX_THREADS for Puma is 5 */}}
{{- $poolSize := 5 }}
{{- range .Values.mastodon.sidekiq.workers }}
{{- $poolSize = max $poolSize .concurrency }}
{{- end }}
{{- $poolSize | quote }}
{{- end }}
{{/*
Full hostname for a custom Elasticsearch cluster
*/}}

65
mastodon/templates/_secrets.tpl Normal file
View File

@ -0,0 +1,65 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Spec template for mastodon secrets object.
*/}}
{{- define "mastodon.secrets.object" -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "mastodon.fullname" . }}
labels:
{{- include "mastodon.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": pre-install
"helm.sh/hook-weight": "-4"
type: Opaque
data:
{{- if .Values.mastodon.s3.enabled }}
{{- if not .Values.mastodon.s3.existingSecret }}
AWS_ACCESS_KEY_ID: "{{ .Values.mastodon.s3.access_key | b64enc }}"
AWS_SECRET_ACCESS_KEY: "{{ .Values.mastodon.s3.access_secret | b64enc }}"
{{- end }}
{{- end }}
{{- if not .Values.mastodon.secrets.existingSecret }}
{{- if not (empty .Values.mastodon.secrets.secret_key_base) }}
SECRET_KEY_BASE: "{{ .Values.mastodon.secrets.secret_key_base | b64enc }}"
{{- else }}
SECRET_KEY_BASE: {{ required "secret_key_base is required" .Values.mastodon.secrets.secret_key_base }}
{{- end }}
{{- if not (empty .Values.mastodon.secrets.otp_secret) }}
OTP_SECRET: "{{ .Values.mastodon.secrets.otp_secret | b64enc }}"
{{- else }}
OTP_SECRET: {{ required "otp_secret is required" .Values.mastodon.secrets.otp_secret }}
{{- end }}
{{- if not (empty .Values.mastodon.secrets.vapid.private_key) }}
VAPID_PRIVATE_KEY: "{{ .Values.mastodon.secrets.vapid.private_key | b64enc }}"
{{- else }}
VAPID_PRIVATE_KEY: {{ required "vapid.private_key is required" .Values.mastodon.secrets.vapid.private_key }}
{{- end }}
{{- if not (empty .Values.mastodon.secrets.vapid.public_key) }}
VAPID_PUBLIC_KEY: "{{ .Values.mastodon.secrets.vapid.public_key | b64enc }}"
{{- else }}
VAPID_PUBLIC_KEY: {{ required "vapid.public_key is required" .Values.mastodon.secrets.vapid.public_key }}
{{- end }}
{{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.primaryKey) }}
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: "{{ .Values.mastodon.secrets.activeRecordEncryption.primaryKey | b64enc }}"
{{- else }}
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: {{ required "activeRecordEncryption.primaryKey is required" .Values.mastodon.secrets.activeRecordEncryption.primaryKey }}
{{- end }}
{{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.deterministicKey) }}
ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: "{{ .Values.mastodon.secrets.activeRecordEncryption.deterministicKey | b64enc }}"
{{- else }}
ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: {{ required "activeRecordEncryption.deterministicKey is required" .Values.mastodon.secrets.activeRecordEncryption.deterministicKey }}
{{- end }}
{{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt) }}
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: "{{ .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt | b64enc }}"
{{- else }}
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: {{ required "activeRecordEncryption.keyDerivationSalt is required" .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt }}
{{- end }}
{{- end }}
{{- if not .Values.postgresql.enabled }}
{{- if not .Values.postgresql.auth.existingSecret }}
password: "{{ .Values.postgresql.auth.password | b64enc }}"
{{- end }}
{{- end }}
{{- end }}

61
mastodon/templates/configmap-env.yaml
View File

@ -5,21 +5,15 @@ metadata:
labels:
{{- include "mastodon.labels" . | nindent 4 }}
data:
{{- if .Values.postgresql.enabled }}
DB_HOST: {{ template "mastodon.postgresql.fullname" . }}
DB_PORT: "5432"
{{- else }}
DB_HOST: {{ .Values.postgresql.postgresqlHostname }}
DB_PORT: {{ .Values.postgresql.postgresqlPort | default "5432" | quote }}
{{- end }}
DB_HOST: {{ template "mastodon.postgres.host" . }}
DB_PORT: {{ template "mastodon.postgres.port" . }}
DB_NAME: {{ .Values.postgresql.auth.database }}
DB_POOL: {{ include "mastodon.maxDbPool" . }}
DB_USER: {{ .Values.postgresql.auth.username }}
{{- if .Values.postgresql.readReplica.hostname }}
REPLICA_DB_HOST: {{ .Values.postgresql.readReplica.hostname }}
{{- end }}
{{- if .Values.postgresql.readReplica.port }}
REPLICA_DB_PORT: {{ .Values.postgresql.readReplica.port }}
REPLICA_DB_PORT: {{ .Values.postgresql.readReplica.port | quote }}
{{- end }}
{{- if .Values.postgresql.readReplica.auth.database }}
REPLICA_DB_NAME: {{ .Values.postgresql.readReplica.auth.database }}
@ -31,7 +25,9 @@ data:
REPLICA_DB_PASS: {{ .Values.postgresql.readReplica.auth.password }}
{{- end }}
PREPARED_STATEMENTS: {{ .Values.mastodon.preparedStatements | quote }}
{{- if .Values.mastodon.locale }}
DEFAULT_LOCALE: {{ .Values.mastodon.locale }}
{{- end }}
{{- if .Values.elasticsearch.enabled }}
ES_ENABLED: "true"
ES_PRESET: {{ .Values.elasticsearch.preset | default "single_node_cluster" | quote }}
@ -66,11 +62,7 @@ data:
MALLOC_ARENA_MAX: "2"
NODE_ENV: "production"
RAILS_ENV: "production"
{{- if .Values.redis.enabled }}
REDIS_HOST: {{ template "mastodon.redis.fullname" . }}-master
{{- else }}
REDIS_HOST: {{ required "When the redis chart is disabled .Values.redis.hostname is required" .Values.redis.hostname }}
{{- end }}
REDIS_HOST: {{ template "mastodon.redis.host" . }}
REDIS_PORT: {{ .Values.redis.port | default "6379" | quote }}
{{- if .Values.redis.sidekiq.enabled }}
{{- if .Values.redis.sidekiq.hostname }}
@ -137,10 +129,10 @@ data:
SMTP_ENABLE_STARTTLS_AUTO: {{ . | quote }}
{{- end }}
{{- with .Values.mastodon.smtp.from_address }}
SMTP_FROM_ADDRESS: {{ . }}
SMTP_FROM_ADDRESS: {{ . | quote }}
{{- end }}
{{- with .Values.mastodon.smtp.return_path }}
SMTP_RETURN_PATH: {{ . }}
SMTP_RETURN_PATH: {{ . | quote }}
{{- end }}
{{- with .Values.mastodon.smtp.openssl_verify_mode }}
SMTP_OPENSSL_VERIFY_MODE: {{ . }}
@ -149,7 +141,7 @@ data:
SMTP_PORT: {{ . | quote }}
{{- end }}
{{- with .Values.mastodon.smtp.reply_to }}
SMTP_REPLY_TO: {{ . }}
SMTP_REPLY_TO: {{ . | quote }}
{{- end }}
{{- with .Values.mastodon.smtp.server }}
SMTP_SERVER: {{ . }}
@ -157,10 +149,45 @@ data:
{{- with .Values.mastodon.smtp.tls }}
SMTP_TLS: {{ . | quote }}
{{- end }}
{{- if .Values.mastodon.smtp.bulk.enabled }}
{{- with .Values.mastodon.smtp.bulk.auth_method }}
BULK_SMTP_AUTH_METHOD: {{ . }}
{{- end }}
{{- with .Values.mastodon.smtp.bulk.ca_file }}
BULK_SMTP_CA_FILE: {{ . }}
{{- end }}
{{- with .Values.mastodon.smtp.bulk.domain }}
BULK_SMTP_DOMAIN: {{ . }}
{{- end }}
{{- with .Values.mastodon.smtp.bulk.enable_starttls }}
BULK_SMTP_ENABLE_STARTTLS: {{ . | quote }}
{{- end }}
{{- with .Values.mastodon.smtp.bulk.enable_starttls_auto }}
BULK_SMTP_ENABLE_STARTTLS_AUTO: {{ . | quote }}
{{- end }}
{{- with .Values.mastodon.smtp.bulk.from_address }}
BULK_SMTP_FROM_ADDRESS: {{ . | quote }}
{{- end }}
{{- with .Values.mastodon.smtp.bulk.openssl_verify_mode }}
BULK_SMTP_OPENSSL_VERIFY_MODE: {{ . }}
{{- end }}
{{- with .Values.mastodon.smtp.bulk.port }}
BULK_SMTP_PORT: {{ . | quote }}
{{- end }}
{{- with .Values.mastodon.smtp.bulk.server }}
BULK_SMTP_SERVER: {{ . }}
{{- end }}
{{- with .Values.mastodon.smtp.bulk.tls }}
BULK_SMTP_TLS: {{ . | quote }}
{{- end }}
{{- end }}
STREAMING_CLUSTER_NUM: {{ .Values.mastodon.streaming.workers | quote }}
{{- with .Values.mastodon.streaming.base_url }}
STREAMING_API_BASE_URL: {{ . | quote }}
{{- end }}
{{- if .Values.mastodon.trusted_proxy_ip }}
TRUSTED_PROXY_IP: {{ .Values.mastodon.trusted_proxy_ip }}
{{ end }}
{{- if .Values.externalAuth.oidc.enabled }}
OIDC_ENABLED: {{ .Values.externalAuth.oidc.enabled | quote }}
OIDC_DISPLAY_NAME: {{ .Values.externalAuth.oidc.display_name }}

4
mastodon/templates/cronjob-media-remove.yaml
View File

@ -107,4 +107,8 @@ spec:
- name: system
mountPath: /opt/mastodon/public/system
{{- end }}
{{- with coalesce .Values.mastodon.cron.removeMedia.nodeSelector .Values.nodeSelector }}
nodeSelector:
{{- . | toYaml | nindent 12 }}
{{- end }}
{{- end }}

77
mastodon/templates/deployment-sidekiq.yaml
View File

@ -7,19 +7,26 @@ metadata:
name: {{ include "mastodon.fullname" $context }}-sidekiq-{{ .name }}
labels:
{{- include "mastodon.labels" $context | nindent 4 }}
{{- with $context.Values.mastodon.sidekiq.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
app.kubernetes.io/component: sidekiq-{{ .name }}
app.kubernetes.io/part-of: rails
annotations:
{{- with $context.Values.deploymentAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with $context.Values.mastodon.sidekiq.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if (has "scheduler" .queues) }}
{{- if (gt (int .replicas) 1) }}
{{ fail "The scheduler queue should never have more than 1 replicas" }}
{{- end }}
strategy:
type: Recreate
{{- end }}
{{- if $context.Values.mastodon.sidekiq.updateStrategy }}
strategy: {{- toYaml $context.Values.mastodon.sidekiq.updateStrategy | nindent 4 }}
{{- end }}
replicas: {{ .replicas }}
{{- if (ne (toString $context.Values.mastodon.revisionHistoryLimit) "<nil>") }}
@ -36,6 +43,9 @@ spec:
{{- with $context.Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $context.Values.mastodon.sidekiq.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
# roll the pods to pick up any db migrations or other changes
{{- include "mastodon.rollingPodAnnotations" $context | nindent 8 }}
checksum/config-secrets-smtp: {{ include ( print $.Template.BasePath "/secret-smtp.yaml" ) $context | sha256sum | quote }}
@ -43,6 +53,12 @@ spec:
{{- include "mastodon.globalLabels" $context | nindent 8 }}
{{- include "mastodon.selectorLabels" $context | nindent 8 }}
{{- include "mastodon.statsdExporterLabels" $context | nindent 8 }}
{{- with $context.Values.mastodon.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $context.Values.mastodon.sidekiq.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
app.kubernetes.io/component: sidekiq-{{ .name }}
app.kubernetes.io/part-of: rails
spec:
@ -159,6 +175,20 @@ spec:
name: {{ include "mastodon.smtp.secretName" $context }}
key: password
optional: true
{{- if $context.Values.mastodon.smtp.bulk.enabled }}
- name: "BULK_SMTP_LOGIN"
valueFrom:
secretKeyRef:
name: {{ include "mastodon.smtp.bulk.secretName" $context }}
key: login
optional: true
- name: "BULK_SMTP_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ include "mastodon.smtp.bulk.secretName" $context }}
key: password
optional: true
{{- end }}
{{- if (and $context.Values.mastodon.s3.enabled $context.Values.mastodon.s3.existingSecret) }}
- name: "AWS_SECRET_ACCESS_KEY"
valueFrom:
@ -185,6 +215,33 @@ spec:
name: {{ $context.Values.mastodon.cacheBuster.authToken.existingSecret }}
key: password
{{- end }}
{{- if or $context.Values.mastodon.sidekiq.otel.enabled (and $context.Values.mastodon.otel.enabled (ne $context.Values.mastodon.sidekiq.otel.enabled false)) }}
- name: OTEL_EXPORTER_OTLP_ENDPOINT
value: {{ coalesce $context.Values.mastodon.sidekiq.otel.endpointUri $context.Values.mastodon.otel.endpointUri }}
- name: OTEL_SERVICE_NAME_PREFIX
value: {{ coalesce $context.Values.mastodon.sidekiq.otel.namePrefix $context.Values.mastodon.otel.namePrefix }}
- name: OTEL_SERVICE_NAME_SEPARATOR
value: "{{ coalesce $context.Values.mastodon.sidekiq.otel.nameSeparator $context.Values.mastodon.otel.nameSeparator }}"
{{- end }}
{{- if $context.Values.mastodon.metrics.prometheus.enabled }}
- name: MASTODON_PROMETHEUS_EXPORTER_ENABLED
value: "true"
- name: MASTODON_PROMETHEUS_EXPORTER_LOCAL
value: "true"
- name: MASTODON_PROMETHEUS_EXPORTER_HOST
value: "0.0.0.0"
- name: MASTODON_PROMETHEUS_EXPORTER_PORT
value: "{{ $context.Values.mastodon.metrics.prometheus.port }}"
{{- if $context.Values.mastodon.metrics.prometheus.sidekiq.detailed }}
- name: MASTODON_PROMETHEUS_EXPORTER_SIDEKIQ_DETAILED_METRICS
value: "true"
{{- end }}
{{- end }}
{{- if $context.Values.mastodon.metrics.prometheus.enabled }}
ports:
- name: prometheus
containerPort: {{ $context.Values.mastodon.metrics.prometheus.port }}
{{- end }}
volumeMounts:
{{- if (not $context.Values.mastodon.s3.enabled) }}
- name: assets
@ -200,12 +257,24 @@ spec:
{{- with $context.Values.volumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- if $context.Values.mastodon.sidekiq.readinessProbe.enabled }}
readinessProbe:
failureThreshold: {{ default 10 $context.Values.mastodon.sidekiq.readinessProbe.failureThreshold }}
exec:
command:
- cat
- {{ required "A valid sidekiq readiness path is required." $context.Values.mastodon.sidekiq.readinessProbe.path }}
initialDelaySeconds: {{ default 10 $context.Values.mastodon.sidekiq.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ default 2 $context.Values.mastodon.sidekiq.readinessProbe.periodSeconds }}
successThreshold: {{ default 1 $context.Values.mastodon.sidekiq.readinessProbe.successThreshold }}
timeoutSeconds: {{ default 1 $context.Values.mastodon.sidekiq.readinessProbe.timeoutSeconds }}
{{- end }}
resources:
{{- toYaml (default (default $context.Values.resources $context.Values.mastodon.sidekiq.resources) .resources) | nindent 12 }}
{{- include "mastodon.statsdExporterContainer" $ | indent 8 }}
{{- with $context.Values.nodeSelector }}
{{- with coalesce .nodeSelector $context.Values.mastodon.sidekiq.nodeSelector $context.Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- . | toYaml | nindent 8 }}
{{- end }}
{{- with $context.Values.tolerations }}
tolerations:

35
mastodon/templates/deployment-streaming.yaml
View File

@ -4,8 +4,14 @@ metadata:
name: {{ include "mastodon.fullname" . }}-streaming
labels:
{{- include "mastodon.labels" . | nindent 4 }}
{{- with .Values.mastodon.streaming.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
{{- with (default .Values.deploymentAnnotations .Values.mastodon.streaming.deploymentAnnotations) }}
{{- with .Values.deploymentAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.mastodon.streaming.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
@ -13,6 +19,9 @@ spec:
{{- if (ne (toString .Values.mastodon.revisionHistoryLimit) "<nil>") }}
revisionHistoryLimit: {{ .Values.mastodon.revisionHistoryLimit }}
{{- end }}
{{- if .Values.mastodon.streaming.updateStrategy }}
strategy: {{- toYaml .Values.mastodon.streaming.updateStrategy | nindent 4 }}
{{- end }}
selector:
matchLabels:
{{- include "mastodon.selectorLabels" . | nindent 6 }}
@ -20,7 +29,10 @@ spec:
template:
metadata:
annotations:
{{- with (default .Values.podAnnotations .Values.mastodon.streaming.podAnnotations) }}
{{- with .Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.mastodon.streaming.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
# roll the pods to pick up any db migrations or other changes
@ -28,6 +40,12 @@ spec:
labels:
{{- include "mastodon.globalLabels" . | nindent 8 }}
{{- include "mastodon.selectorLabels" . | nindent 8 }}
{{- with .Values.mastodon.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.mastodon.streaming.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
app.kubernetes.io/component: streaming
spec:
{{- with .Values.imagePullSecrets }}
@ -55,7 +73,7 @@ spec:
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
image: "{{ coalesce .Values.mastodon.streaming.image.repository .Values.image.repository }}:{{ coalesce .Values.mastodon.streaming.image.tag .Values.image.tag .Chart.AppVersion }}"
image: "{{ .Values.mastodon.streaming.image.repository }}:{{ coalesce .Values.mastodon.streaming.image.tag .Values.image.tag .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- node
@ -135,13 +153,20 @@ spec:
httpGet:
path: /api/v1/streaming/health
port: streaming
startupProbe:
httpGet:
path: /api/v1/streaming/health
port: streaming
initialDelaySeconds: 5
failureThreshold: 15
periodSeconds: 5
{{- with (default .Values.resources .Values.mastodon.streaming.resources) }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.nodeSelector }}
{{- with coalesce .Values.mastodon.streaming.nodeSelector .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- . | toYaml | nindent 8 }}
{{- end }}
{{- with (default .Values.affinity .Values.mastodon.streaming.affinity) }}
affinity:

70
mastodon/templates/deployment-web.yaml
View File

@ -4,8 +4,14 @@ metadata:
name: {{ include "mastodon.fullname" . }}-web
labels:
{{- include "mastodon.labels" . | nindent 4 }}
{{- with .Values.mastodon.web.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
{{- with (default .Values.deploymentAnnotations .Values.mastodon.web.deploymentAnnotations) }}
{{- with .Values.deploymentAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.mastodon.web.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
@ -13,6 +19,9 @@ spec:
{{- if (ne (toString .Values.mastodon.revisionHistoryLimit) "<nil>") }}
revisionHistoryLimit: {{ .Values.mastodon.revisionHistoryLimit }}
{{- end }}
{{- if .Values.mastodon.web.updateStrategy }}
strategy: {{- toYaml .Values.mastodon.web.updateStrategy | nindent 4 }}
{{- end }}
selector:
matchLabels:
{{- include "mastodon.selectorLabels" . | nindent 6 }}
@ -21,7 +30,10 @@ spec:
template:
metadata:
annotations:
{{- with (default .Values.podAnnotations .Values.mastodon.web.podAnnotations) }}
{{- with .Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.mastodon.web.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
# roll the pods to pick up any db migrations or other changes
@ -30,6 +42,12 @@ spec:
{{- include "mastodon.globalLabels" . | nindent 8 }}
{{- include "mastodon.selectorLabels" . | nindent 8 }}
{{- include "mastodon.statsdExporterLabels" . | nindent 8 }}
{{- with .Values.mastodon.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.mastodon.web.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: rails
spec:
@ -173,6 +191,28 @@ spec:
name: {{ .Values.mastodon.cacheBuster.authToken.existingSecret }}
key: password
{{- end }}
{{- if or .Values.mastodon.web.otel.enabled (and .Values.mastodon.otel.enabled (ne .Values.mastodon.web.otel.enabled false)) }}
- name: OTEL_EXPORTER_OTLP_ENDPOINT
value: {{ coalesce .Values.mastodon.web.otel.endpointUri .Values.mastodon.otel.endpointUri }}
- name: OTEL_SERVICE_NAME_PREFIX
value: {{ coalesce .Values.mastodon.web.otel.namePrefix .Values.mastodon.otel.namePrefix }}
- name: OTEL_SERVICE_NAME_SEPARATOR
value: "{{ coalesce .Values.mastodon.web.otel.nameSeparator .Values.mastodon.otel.nameSeparator }}"
{{- end }}
{{- if .Values.mastodon.metrics.prometheus.enabled }}
- name: MASTODON_PROMETHEUS_EXPORTER_ENABLED
value: "true"
- name: PROMETHEUS_EXPORTER_HOST
value: "127.0.0.1"
- name: PROMETHEUS_EXPORTER_PORT
value: "{{ .Values.mastodon.metrics.prometheus.port }}"
{{- if .Values.mastodon.metrics.prometheus.web.detailed }}
- name: MASTODON_PROMETHEUS_EXPORTER_WEB_DETAILED_METRICS
value: "true"
{{- end }}
{{- end }}
- name: TEST_ENV_VALUE
value: {{ .Values.mastodon.metrics.statsd.address }}
volumeMounts:
{{- if (not .Values.mastodon.s3.enabled) }}
- name: assets
@ -203,16 +243,38 @@ spec:
httpGet:
path: /health
port: http
initialDelaySeconds: 15
failureThreshold: 30
periodSeconds: 5
{{- with (default .Values.resources .Values.mastodon.web.resources) }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- if .Values.mastodon.metrics.prometheus.enabled }}
- name: prometheus-exporter
image: "{{ coalesce .Values.mastodon.web.image.repository .Values.image.repository }}:{{ coalesce .Values.mastodon.web.image.tag .Values.image.tag .Chart.AppVersion }}"
command:
- ./bin/prometheus_exporter
args:
- "--bind"
- "0.0.0.0"
- "--port"
- "{{ .Values.mastodon.metrics.prometheus.port }}"
resources:
requests:
cpu: "0.1"
memory: "180M"
limits:
cpu: "0.5"
memory: "250M"
ports:
- name: prometheus
containerPort: {{ .Values.mastodon.metrics.prometheus.port }}
{{- end }}
{{- include "mastodon.statsdExporterContainer" $ | indent 8 }}
{{- with .Values.nodeSelector }}
{{- with coalesce .Values.mastodon.web.nodeSelector .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- . | toYaml | nindent 8 }}
{{- end }}
{{- with (default .Values.affinity .Values.mastodon.web.affinity) }}
affinity:

97
mastodon/templates/job-assets-copy.yaml Normal file
View File

@ -0,0 +1,97 @@
{{- if .Values.mastodon.hooks.s3Upload.enabled -}}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "mastodon.fullname" . }}-assets-upload
labels:
{{- include "mastodon.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"helm.sh/hook-weight": "-1"
spec:
template:
metadata:
name: {{ include "mastodon.fullname" . }}-assets-upload
{{- with .Values.jobAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
restartPolicy: Never
initContainers:
- name: extract-assets
image: "{{ coalesce .Values.mastodon.web.image.repository .Values.image.repository }}:{{ coalesce .Values.mastodon.web.image.tag .Values.image.tag .Chart.AppVersion }}"
imagePullPolicy: Always
command:
- cp
args:
- -rv
- public
- /assets
volumeMounts:
- mountPath: /assets
name: assets
containers:
- name: upload-assets
image: rclone/rclone:1
imagePullPolicy: Always
env:
- name: RCLONE_S3_NO_CHECK_BUCKET
value: "true"
- name: RCLONE_S3_ACL
value: {{ required "Please specify a canned ACL for S3 asset uploads" .Values.mastodon.hooks.s3Upload.acl }}
- name: RCLONE_CONFIG_REMOTE_TYPE
value: s3
- name: RCLONE_CONFIG_REMOTE_PROVIDER
value: AWS
- name: RCLONE_CONFIG_REMOTE_ENDPOINT
value: {{ required "Please specify an endpoint for S3 asset uploads" .Values.mastodon.hooks.s3Upload.endpoint }}
- name: RCLONE_CONFIG_REMOTE_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: {{ required "Please specify a secret with S3 credentials for S3 asset uploads" .Values.mastodon.hooks.s3Upload.secretRef.name }}
key: {{ .Values.mastodon.hooks.s3Upload.secretRef.keys.accesKeyId }}
- name: RCLONE_CONFIG_REMOTE_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: {{ required "Please specify a secret with S3 credentials for S3 asset uploads" .Values.mastodon.hooks.s3Upload.secretRef.name }}
key: {{ .Values.mastodon.hooks.s3Upload.secretRef.keys.secretAccessKey }}
{{- with .Values.mastodon.hooks.s3Upload.rclone.env }}
{{- toYaml . | nindent 12 }}
{{- end }}
command:
- rclone
args:
- copy
- /assets/public
- "remote:{{ required "Please specify a bucket for S3 asset uploads" .Values.mastodon.hooks.s3Upload.bucket }}"
- --fast-list
- --transfers=32
- --include
- "{assets,packs}/**"
- --progress
- -vv
volumeMounts:
- mountPath: /assets
name: assets
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
memory: 500Mi
volumes:
- name: assets
emptyDir: {}
{{- with coalesce .Values.mastodon.hooks.s3Upload.nodeSelector .Values.nodeSelector }}
nodeSelector:
{{- . | toYaml | nindent 8 }}
{{- end }}
{{- end -}}

100
mastodon/templates/job-chewy-upgrade.yaml
View File

@ -1,100 +0,0 @@
{{- if .Values.elasticsearch.enabled -}}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "mastodon.fullname" . }}-chewy-upgrade
labels:
{{- include "mastodon.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-install
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"helm.sh/hook-weight": "-1"
spec:
template:
metadata:
name: {{ include "mastodon.fullname" . }}-chewy-upgrade
{{- with .Values.jobAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
restartPolicy: Never
{{- if (not .Values.mastodon.s3.enabled) }}
# ensure we run on the same node as the other rails components; only
# required when using PVCs that are ReadWriteOnce
{{- if or (eq "ReadWriteOnce" .Values.mastodon.persistence.assets.accessMode) (eq "ReadWriteOnce" .Values.mastodon.persistence.system.accessMode) }}
affinity:
podAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app.kubernetes.io/part-of
operator: In
values:
- rails
topologyKey: kubernetes.io/hostname
{{- end }}
volumes:
- name: assets
persistentVolumeClaim:
claimName: {{ template "mastodon.pvc.assets" . }}
- name: system
persistentVolumeClaim:
claimName: {{ template "mastodon.pvc.system" . }}
{{- end }}
containers:
- name: {{ include "mastodon.fullname" . }}-chewy-setup
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- bundle
- exec
- rake
- chewy:upgrade
envFrom:
- configMapRef:
name: {{ include "mastodon.fullname" . }}-env
- secretRef:
name: {{ template "mastodon.secretName" . }}
env:
- name: "DB_PASS"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.postgresql.secretName" . }}
key: password
- name: "REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.secretName" . }}
key: redis-password
{{- if and .Values.redis.sidekiq.enabled .Values.redis.sidekiq.auth.existingSecret }}
- name: "SIDEKIQ_REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.sidekiq.secretName" . }}
key: redis-password
{{- end }}
{{- if and .Values.redis.cache.enabled .Values.redis.cache.auth.existingSecret }}
- name: "CACHE_REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.cache.secretName" . }}
key: redis-password
{{- end }}
{{- if and .Values.elasticsearch.existingSecret (or .Values.elasticsearch.enabled .Values.elasticsearch.hostname) }}
- name: "ES_PASS"
valueFrom:
secretKeyRef:
name: {{ .Values.elasticsearch.existingSecret }}
key: password
{{- end }}
- name: "PORT"
value: {{ .Values.mastodon.web.port | quote }}
{{- if (not .Values.mastodon.s3.enabled) }}
volumeMounts:
- name: assets
mountPath: /opt/mastodon/public/assets
- name: system
mountPath: /opt/mastodon/public/system
{{- end }}
{{- end }}

4
mastodon/templates/job-create-admin.yaml
View File

@ -95,4 +95,8 @@ spec:
- name: system
mountPath: /opt/mastodon/public/system
{{- end }}
{{- with coalesce .Values.mastodon.createAdmin.nodeSelector .Values.nodeSelector }}
nodeSelector:
{{- . | toYaml | nindent 8 }}
{{- end }}
{{- end }}

98
mastodon/templates/job-db-migrate.yaml
View File

@ -1,93 +1,7 @@
{{- if .Values.mastodon.hooks.dbMigrate.enabled -}}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "mastodon.fullname" . }}-db-migrate
labels:
{{- include "mastodon.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-install,pre-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"helm.sh/hook-weight": "-2"
spec:
template:
metadata:
name: {{ include "mastodon.fullname" . }}-db-migrate
{{- with .Values.jobAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- if .Values.mastodon.hooks.dbMigrate.enabled }}
{{- include "mastodon.dbMigrateJob" (merge (dict "preDeploy" false ) .) }}
{{- with coalesce .Values.mastodon.hooks.dbMigrate.nodeSelector .Values.nodeSelector }}
nodeSelector:
{{- . | toYaml | nindent 8 }}
{{- end }}
spec:
restartPolicy: Never
{{- if (not .Values.mastodon.s3.enabled) }}
# ensure we run on the same node as the other rails components; only
# required when using PVCs that are ReadWriteOnce
{{- if or (eq "ReadWriteOnce" .Values.mastodon.persistence.assets.accessMode) (eq "ReadWriteOnce" .Values.mastodon.persistence.system.accessMode) }}
affinity:
podAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app.kubernetes.io/part-of
operator: In
values:
- rails
topologyKey: kubernetes.io/hostname
{{- end }}
volumes:
- name: assets
persistentVolumeClaim:
claimName: {{ template "mastodon.pvc.assets" . }}
- name: system
persistentVolumeClaim:
claimName: {{ template "mastodon.pvc.system" . }}
{{- end }}
containers:
- name: {{ include "mastodon.fullname" . }}-db-migrate
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- bundle
- exec
- rake
- db:migrate
envFrom:
- configMapRef:
name: {{ include "mastodon.fullname" . }}-env
- secretRef:
name: {{ template "mastodon.secretName" . }}
env:
- name: "DB_PASS"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.postgresql.secretName" . }}
key: password
- name: "REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.secretName" . }}
key: redis-password
{{- if and .Values.redis.sidekiq.enabled .Values.redis.sidekiq.auth.existingSecret }}
- name: "SIDEKIQ_REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.sidekiq.secretName" . }}
key: redis-password
{{- end }}
{{- if and .Values.redis.cache.enabled .Values.redis.cache.auth.existingSecret }}
- name: "CACHE_REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.cache.secretName" . }}
key: redis-password
{{- end }}
- name: "PORT"
value: {{ .Values.mastodon.web.port | quote }}
{{- if (not .Values.mastodon.s3.enabled) }}
volumeMounts:
- name: assets
mountPath: /opt/mastodon/public/assets
- name: system
mountPath: /opt/mastodon/public/system
{{- end }}
{{- end -}}
{{- end }}

7
mastodon/templates/job-db-pre-migrate.yaml Normal file
View File

@ -0,0 +1,7 @@
{{- if .Values.mastodon.hooks.dbMigrate.enabled }}
{{- include "mastodon.dbMigrateJob" (merge (dict "preDeploy" true ) .) }}
{{- with coalesce .Values.mastodon.hooks.dbMigrate.nodeSelector .Values.nodeSelector }}
nodeSelector:
{{- . | toYaml | nindent 8 }}
{{- end }}
{{- end }}

7
mastodon/templates/job-db-prepare.yaml Normal file
View File

@ -0,0 +1,7 @@
{{- if and .Values.mastodon.hooks.dbPrepare.enabled (not .Values.postgresql.enabled) }}
{{- include "mastodon.dbMigrateJob" (merge (dict "prepare" true ) .) }}
{{- with coalesce .Values.mastodon.hooks.dbPrepare.nodeSelector .Values.nodeSelector }}
nodeSelector:
{{- . | toYaml | nindent 8 }}
{{- end }}
{{- end }}

80
mastodon/templates/job-assets-precompile.yaml → mastodon/templates/job-deploy-search.yaml
View File

@ -1,18 +1,19 @@
{{- if .Values.mastodon.hooks.assetsPrecompile.enabled -}}
{{- if and .Values.mastodon.hooks.deploySearch.enabled .Values.elasticsearch.enabled -}}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "mastodon.fullname" . }}-assets-precompile
name: {{ include "mastodon.fullname" . }}-deploy-search
labels:
{{- include "mastodon.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-install
"helm.sh/hook": post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"helm.sh/hook-weight": "-2"
spec:
suspend: false
template:
metadata:
name: {{ include "mastodon.fullname" . }}-assets-precompile
name: {{ include "mastodon.fullname" . }}-deploy-search
{{- with .Values.jobAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
@ -22,40 +23,63 @@ spec:
{{- if (not .Values.mastodon.s3.enabled) }}
# ensure we run on the same node as the other rails components; only
# required when using PVCs that are ReadWriteOnce
{{- if or (eq "ReadWriteOnce" .Values.mastodon.persistence.assets.accessMode) (eq "ReadWriteOnce" .Values.mastodon.persistence.system.accessMode) }}
{{- if or (eq "ReadWriteOnce" .Values.mastodon.persistence.assets.accessMode) (eq "ReadWriteOnce" .Values.persistence.system.accessMode) }}
affinity:
podAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app.kubernetes.io/part-of
operator: In
values:
- rails
topologyKey: kubernetes.io/hostname
- labelSelector:
matchExpressions:
- key: app.kubernetes.io/part-of
operator: In
values:
- rails
topologyKey: kubernetes.io/hostname
{{- end }}
volumes:
- name: assets
persistentVolumeClaim:
claimName: {{ template "mastodon.pvc.assets" . }}
claimName: {{ template "mastodon.fullname" . }}-assets
- name: system
persistentVolumeClaim:
claimName: {{ template "mastodon.pvc.system" . }}
claimName: {{ template "mastodon.fullname" . }}-system
{{- end }}
containers:
- name: {{ include "mastodon.fullname" . }}-assets-precompile
- name: {{ include "mastodon.fullname" . }}-deploy-search
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- with .Values.mastodon.hooks.deploySearch }}
{{- with .resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
command:
- bash
- -c
- |
bundle exec rake assets:precompile && yarn cache clean
- bin/tootctl
- search
- deploy
{{- with .concurrency }}
- '--concurrency'
- {{ . | quote }}
{{- end }}
{{- if .resetChewy }}
- '--reset-chewy'
{{- end }}
{{- with .batchSize }}
- '--batch-size'
- {{ . | quote }}
{{- end }}
{{- with .only }}
{{- if not (has . (list "instances" "accounts" "tags" "statuses" "public_statuses")) -}}
{{ fail "mastodon.hooks.deploySearch.only: Value must be one of the following words: instances, accounts, tags, statuses, public_statuses"}}
{{- end }}
- '--only'
- {{ . | quote }}
{{- end }}
{{- end }}
envFrom:
- configMapRef:
name: {{ include "mastodon.fullname" . }}-env
- secretRef:
name: {{ template "mastodon.secretName" . }}
name: {{ template "mastodon.secretName" $ }}
env:
- name: "DB_PASS"
valueFrom:
@ -67,20 +91,6 @@ spec:
secretKeyRef:
name: {{ template "mastodon.redis.secretName" . }}
key: redis-password
{{- if and .Values.redis.sidekiq.enabled .Values.redis.sidekiq.auth.existingSecret }}
- name: "SIDEKIQ_REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.sidekiq.secretName" . }}
key: redis-password
{{- end }}
{{- if and .Values.redis.cache.enabled .Values.redis.cache.auth.existingSecret }}
- name: "CACHE_REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.cache.secretName" . }}
key: redis-password
{{- end }}
- name: "PORT"
value: {{ .Values.mastodon.web.port | quote }}
{{- if (not .Values.mastodon.s3.enabled) }}
@ -90,4 +100,4 @@ spec:
- name: system
mountPath: /opt/mastodon/public/system
{{- end }}
{{- end -}}
{{- end }}

22
mastodon/templates/job-set-admin-password.yaml
View File

@ -37,10 +37,10 @@ spec:
volumes:
- name: assets
persistentVolumeClaim:
claimName: {{ template "mastodon.fullname" . }}-assets
claimName: {{ template "mastodon.pvc.assets" . }}
- name: system
persistentVolumeClaim:
claimName: {{ template "mastodon.fullname" . }}-system
claimName: {{ template "mastodon.pvc.system" . }}
{{- end }}
containers:
- name: {{ include "mastodon.fullname" . }}-set-admin-password
@ -70,6 +70,20 @@ spec:
secretKeyRef:
name: {{ template "mastodon.redis.secretName" . }}
key: redis-password
{{- if and .Values.redis.sidekiq.enabled .Values.redis.sidekiq.auth.existingSecret }}
- name: "SIDEKIQ_REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.sidekiq.secretName" . }}
key: redis-password
{{- end }}
{{- if and .Values.redis.cache.enabled .Values.redis.cache.auth.existingSecret }}
- name: "CACHE_REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.cache.secretName" . }}
key: redis-password
{{- end }}
- name: "PORT"
value: {{ .Values.mastodon.web.port | quote }}
{{- if (not .Values.mastodon.s3.enabled) }}
@ -79,4 +93,8 @@ spec:
- name: system
mountPath: /opt/mastodon/public/system
{{- end }}
{{- with coalesce .Values.mastodon.createAdmin.nodeSelector .Values.nodeSelector }}
nodeSelector:
{{- . | toYaml | nindent 8 }}
{{- end }}
{{- end }}

3
mastodon/templates/secret-prepare.yml Normal file
View File

@ -0,0 +1,3 @@
{{- if and (include "mastodon.createSecret" .) (not .Values.postgresql.enabled) -}}
{{- include "mastodon.secrets.object" (merge (dict "prepare" true ) .) }}
{{- end }}

19
mastodon/templates/secret-redis-preinstall.yaml Normal file
View File

@ -0,0 +1,19 @@
{{- if not .Values.redis.enabled }}
{{- if and (not .Values.redis.auth.existingSecret) (not .Values.redis.existingSecret) }}
{{- if .Values.redis.auth.password }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "mastodon.redis.secretName" . }}-pre-install
labels:
{{- include "mastodon.labels" . | nindent 4 }}
annotations:
helm.sh/hook: pre-install
helm.sh/hook-weight: "-5"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
type: Opaque
data:
redis-password: "{{ .Values.redis.auth.password | b64enc }}"
{{- end }}
{{- end }}
{{- end }}

6
mastodon/templates/secret-redis.yaml
View File

@ -1,4 +1,4 @@
{{- if not .Values.redis.enabled }}
{{- if .Values.redis.enabled }}
{{- if and (not .Values.redis.auth.existingSecret) (not .Values.redis.existingSecret) }}
{{- if .Values.redis.auth.password }}
apiVersion: v1
@ -7,6 +7,10 @@ metadata:
name: {{ include "mastodon.redis.secretName" . }}
labels:
{{- include "mastodon.labels" . | nindent 4 }}
annotations:
helm.sh/hook: pre-install
helm.sh/hook-weight: "-5"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
type: Opaque
data:
redis-password: "{{ .Values.redis.auth.password | b64enc }}"

16
mastodon/templates/secret-smtp-bulk.yaml Normal file
View File

@ -0,0 +1,16 @@
{{- if and .Values.mastodon.smtp.bulk.enabled (not .Values.mastodon.smtp.bulk.existingSecret) -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ printf "%s-smtp-bulk" (include "mastodon.fullname" .) }}
labels:
{{- include "mastodon.labels" . | nindent 4 }}
type: Opaque
data:
{{- with .Values.mastodon.smtp.bulk.login }}
login: {{ . | b64enc }}
{{- end }}
{{- with .Values.mastodon.smtp.bulk.password }}
password: {{ . | b64enc }}
{{- end }}
{{- end }}

57
mastodon/templates/secrets.yaml
View File

@ -1,58 +1,3 @@
{{- if (include "mastodon.createSecret" .) -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "mastodon.fullname" . }}
labels:
{{- include "mastodon.labels" . | nindent 4 }}
type: Opaque
data:
{{- if .Values.mastodon.s3.enabled }}
{{- if not .Values.mastodon.s3.existingSecret }}
AWS_ACCESS_KEY_ID: "{{ .Values.mastodon.s3.access_key | b64enc }}"
AWS_SECRET_ACCESS_KEY: "{{ .Values.mastodon.s3.access_secret | b64enc }}"
{{- end }}
{{- end }}
{{- if not .Values.mastodon.secrets.existingSecret }}
{{- if not (empty .Values.mastodon.secrets.secret_key_base) }}
SECRET_KEY_BASE: "{{ .Values.mastodon.secrets.secret_key_base | b64enc }}"
{{- else }}
SECRET_KEY_BASE: {{ required "secret_key_base is required" .Values.mastodon.secrets.secret_key_base }}
{{- end }}
{{- if not (empty .Values.mastodon.secrets.otp_secret) }}
OTP_SECRET: "{{ .Values.mastodon.secrets.otp_secret | b64enc }}"
{{- else }}
OTP_SECRET: {{ required "otp_secret is required" .Values.mastodon.secrets.otp_secret }}
{{- end }}
{{- if not (empty .Values.mastodon.secrets.vapid.private_key) }}
VAPID_PRIVATE_KEY: "{{ .Values.mastodon.secrets.vapid.private_key | b64enc }}"
{{- else }}
VAPID_PRIVATE_KEY: {{ required "vapid.private_key is required" .Values.mastodon.secrets.vapid.private_key }}
{{- end }}
{{- if not (empty .Values.mastodon.secrets.vapid.public_key) }}
VAPID_PUBLIC_KEY: "{{ .Values.mastodon.secrets.vapid.public_key | b64enc }}"
{{- else }}
VAPID_PUBLIC_KEY: {{ required "vapid.public_key is required" .Values.mastodon.secrets.vapid.public_key }}
{{- end }}
{{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.primaryKey) }}
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: "{{ .Values.mastodon.secrets.activeRecordEncryption.primaryKey | b64enc }}"
{{- else }}
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: {{ required "activeRecordEncryption.primaryKey is required" .Values.mastodon.secrets.activeRecordEncryption.primaryKey }}
{{- end }}
{{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.deterministicKey) }}
ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: "{{ .Values.mastodon.secrets.activeRecordEncryption.deterministicKey | b64enc }}"
{{- else }}
ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: {{ required "activeRecordEncryption.deterministicKey is required" .Values.mastodon.secrets.activeRecordEncryption.deterministicKey }}
{{- end }}
{{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt) }}
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: "{{ .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt | b64enc }}"
{{- else }}
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: {{ required "activeRecordEncryption.keyDerivationSalt is required" .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt }}
{{- end }}
{{- end }}
{{- if not .Values.postgresql.enabled }}
{{- if not .Values.postgresql.auth.existingSecret }}
password: "{{ .Values.postgresql.auth.password | b64enc }}"
{{- end }}
{{- end }}
{{- include "mastodon.secrets.object" . }}
{{- end }}

1
mastodon/templates/service-streaming.yaml
View File

@ -11,6 +11,7 @@ spec:
targetPort: streaming
protocol: TCP
name: streaming
ipFamilyPolicy: PreferDualStack
selector:
{{- include "mastodon.selectorLabels" . | nindent 4 }}
app.kubernetes.io/component: streaming

1
mastodon/templates/service-web.yaml
View File

@ -11,6 +11,7 @@ spec:
targetPort: http
protocol: TCP
name: http
ipFamilyPolicy: PreferDualStack
selector:
{{- include "mastodon.selectorLabels" . | nindent 4 }}
app.kubernetes.io/component: web

330
mastodon/values.yaml
View File

@ -6,13 +6,15 @@ image:
# built from the most recent commit
#
# tag: latest
tag: "v4.2.9"
tag: ""
# use `Always` when using `latest` tag
pullPolicy: IfNotPresent
mastodon:
# Labels added to every Mastodon-related object
labels: {}
# Labes added to every deployed mastodon pod
podLabels: {}
# -- create an initial administrator user; the password is autogenerated and will
# have to be reset
@ -25,13 +27,81 @@ mastodon:
password: not_gargron
# @ignored
email: not@example.com
# Node(s) on which we will deploy this job
nodeSelector: {}
hooks:
# Whether to perform DB schema creation on `helm install`.
# Please note that this does not work when using the included database
# (postgresql.enabled=true).
# NOTE: When using certain GitOps solutions such as Argo CD, this should be
# disabled, as these apps do not necessarily differentiate between `pre-install`
# and `pre-upgrade`.
dbPrepare:
enabled: true
# Node(s) on which we will deploy this job
nodeSelector: {}
# Whether to perform DB migrations on `helm upgrade`.
dbMigrate:
enabled: true
assetsPrecompile:
enabled: true
# Node(s) on which we will deploy this job
nodeSelector: {}
# WARNING: deploySearch is potentially a very expensive job!
# Only enable this once at a time, when you deploy elasticsearch or when
# the upgrade notes for a new mastodon version request rebuilding search.
# Recommended use is via `-f mastodon.hooks.deploySearch.enabled=true`
# to ensure the job is only dispatched for a single upgrade when required.
# This job may take days to run on very large instances. Even small
# instances may take long enough to trigger helm's completion timeout, so
# DO NOT PANIC if helm complains; simply verify the job is still running.
#
# Builds or rebuilds the elasticsearch indices via `tootctl deploy search`
# with timing hooks to ensure the job runs immediately after install/upgrade
# and will be restarted if another, corrective upgrade is triggered.
# Please check the tootctl documentation and upgrade notes to pick values.
#
# NOTE: The resource stanza set below is intentionally very conservative.
# Consider assigning a liberal chunk of your cluster's typical headroom.
deploySearch:
enabled: false
resetChewy: true
# one index name. Possible values: instances, accounts, tags, statuses, public_statuses
only: ""
concurrency: 5
resources: # this accepts any keys in a full container resources stanza.
requests:
cpu: 250m
memory: 256Mi
limits:
cpu: 500m
# Upload website assets to S3 before deploying using rclone.
# Whenever there is an update to Mastodon, sometimes there are assets files
# that are renamed. As the pods are getting redeployed, and old/new pods are
# present simultaneously, there is a chance that old asset files are
# requested from pods that don't have them anymore, or new asset files are
# requested from old pods. Uploading asset files to S3 in this manner solves
# this potential conflict.
# Note that you will need to CDN/proxy to send all requests to /assets and
# /packs to this bucket.
s3Upload:
enabled: false
endpoint:
bucket:
acl: public-read
secretRef:
name:
keys:
accesKeyId: acces-key-id
secretAccessKey: secret-access-key
rclone:
# Any additional environment variables to pass to rclone.
env: {}
# Node(s) on which we will deploy this job
nodeSelector: {}
# Custom labels to add to kubernetes resources
#labels:
cron:
# -- run `tootctl media remove` every week
removeMedia:
@ -39,8 +109,15 @@ mastodon:
enabled: true
# @ignored
schedule: "0 0 * * 0"
# Node(s) on which we will deploy this job
nodeSelector: {}
# Sets the default locale for this server.
# NOTICE: This will force this locale on every user who is not logged in, and
# the instance will no longer do any local detection for clients.
# -- available locales: https://github.com/mastodon/mastodon/blob/main/config/application.rb#L71
locale: en
locale:
local_domain: mastodon.local
# -- Use of WEB_DOMAIN requires careful consideration: https://docs.joinmastodon.org/admin/config/#federation
# You must redirect the path LOCAL_DOMAIN/.well-known/ to WEB_DOMAIN/.well-known/ as described
@ -49,6 +126,9 @@ mastodon:
# -- If you have multiple domains pointed at your Mastodon server, this setting will allow Mastodon to recognize
# itself when users are addressed using those other domains.
alternate_domains: []
# -- Comma-separated list of public IP addresses of trusted reverse proxy servers reaching Mastodon web and streaming servers
# Specifying overrides default list. More info: https://docs.joinmastodon.org/admin/config/#trusted_proxy_ip
# trusted_proxy_ip:
# -- If set to true, the frontpage of your Mastodon server will always redirect to the first profile in the database and registrations will be disabled.
singleUserMode: false
# -- Enables "Secure Mode" for more details see: https://docs.joinmastodon.org/admin/config/#authorized_fetch
@ -140,6 +220,39 @@ mastodon:
resources: {}
# -- Affinity for all Sidekiq Deployments unless overwritten, overwrites .Values.affinity
affinity: {}
# Node(s) on which we will deploy sidekiq in general
# Any worker-specific configuration will override this setting.
nodeSelector: {}
# -- Annotations to apply to the deployment object(s) for sidekiq.
# -- These are applied in addition to deploymentAnnotations.
annotations: {}
# -- Labels to apply to the deployment object(s) for sidekiq.
# -- These are applied in addition to mastodon.labels.
labels: {}
# -- Annotations to apply to the sidekiq pods.
# -- These are applied in addition to the global podAnnotations.
podAnnotations: {}
# -- Labels to apply to the sidekiq pods.
# -- These are applied in addition to mastodon.labels.
podLabels: {}
# Rollout strategy to use when updating pods.
# Recreate will help reduce the number of retried jobs when updating when
# the code introduces a new job as the pods are all replaced immediately.
# RollingUpdate can help with larger clusters if job retries aren't an
# issue, as it will reduce strain by replacing pods more slowly. It is
# strongly recommended to enable the readinessProbe when using RollingUpdate.
# ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
updateStrategy:
type: Recreate
# Readiness probe configuration
# NOTE: Readiness probe will only work on versions of Mastodon built after 2024-07-10.
readinessProbe:
enabled: false
path: /opt/mastodon/tmp/sidekiq_process_has_started_and_will_begin_processing_jobs
initialDelaySeconds: 10
periodSeconds: 2
successThreshold: 1
timeoutSeconds: 1
# -- Topology spread constraints for Sidekiq Pods, overwrites .Values.topologySpreadConstraints
topologySpreadConstraints: {}
# limits:
@ -148,6 +261,14 @@ mastodon:
# requests:
# cpu: 250m
# memory: 512Mi
# Open Telemetry configuration for sidekiq pods. Overrides global settings.
otel:
enabled:
exporterUri:
namePrefix:
nameSeparator:
workers:
- name: all-queues
# -- Number of threads / parallel sidekiq jobs that are executed per Pod
@ -158,8 +279,11 @@ mastodon:
resources: {}
# -- Affinity for this specific deployment, overwrites .Values.affinity and .Values.mastodon.sidekiq.affinity
affinity: {}
# -- Node(s) on which we will deploy this sidekiq worker
nodeSelector: {}
# -- Topology spread constraints for this specific deployment, overwrites .Values.topologySpreadConstraints and .Values.mastodon.sidekiq.topologySpreadConstraints
topologySpreadConstraints: {}
# -- Sidekiq queues for Mastodon that are handled by this worker. See https://docs.joinmastodon.org/admin/scaling/#concurrency
# See https://github.com/mperham/sidekiq/wiki/Advanced-Options#queues for how to weight queues as argument
queues:
@ -169,6 +293,7 @@ mastodon:
- mailers,2
- pull
- scheduler # Make sure the scheduler queue only exists once and with a worker that has 1 replica.
- fasp
image:
repository:
tag:
@ -213,10 +338,35 @@ mastodon:
# -- Instead of defining login/password above, you can specify the name of an existing secret here. Login and
# password must be located in keys named `login` and `password` respectively.
existingSecret:
# Configuration for bulk/broadcast messages.
# Some transactional email providers require customers to use a separate set
# of SMTP credentials to send emails that are not transactional in nature.
# For more information, refer to the docs:
# https://docs.joinmastodon.org/admin/config/#optional-bulk-email-settings
bulk:
enabled: false
auth_method: plain
ca_file: /etc/ssl/certs/ca-certificates.crt
domain:
enable_starttls: "auto"
from_address: notifications@example.com
openssl_verify_mode: peer
port: 587
server: smtp.mailgun.org
tls:
login:
password:
# -- Instead of defining login/password above, you can specify the name of an existing secret here. Login and
# password must be located in keys named `login` and `password` respectively.
existingSecret:
streaming:
image:
repository:
tag:
# streaming image split in Mastodon v4.3.0
repository: ghcr.io/mastodon/mastodon-streaming
# other options: `latest` for the latest release or `edge` for most recent commit
tag: ""
port: 4000
# -- this should be set manually since os.cpus() returns the number of CPUs on
# the node running the pod, which is unrelated to the resources allocated to
@ -229,6 +379,27 @@ mastodon:
replicas: 1
# -- Affinity for Streaming Pods, overwrites .Values.affinity
affinity: {}
# -- Node(s) on which we will deploy the streaming pods
nodeSelector: {}
# -- Annotations to apply to the deployment object for streaming.
# -- These are applied in addition to deploymentAnnotations.
annotations: {}
# -- Labels to apply to the deployment object for streaming.
# -- These are applied in addition to mastodon.labels.
labels: {}
# -- Annotations to apply to the streaming pods.
# -- These are applied in addition to the global podAnnotations.
podAnnotations: {}
# -- Labels to apply to the streaming pods.
# -- These are applied in addition to mastodon.labels.
podLabels: {}
# Rollout strategy to use when updating pods
# ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
updateStrategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 10%
maxUnavailable: 25%
# -- Topology spread constraints for Streaming Pods, overwrites .Values.topologySpreadConstraints
topologySpreadConstraints: {}
# -- Pod Security Context for Streaming Pods, overwrites .Values.podSecurityContext
@ -268,6 +439,27 @@ mastodon:
replicas: 1
# -- Affinity for Web Pods, overwrites .Values.affinity
affinity: {}
# -- Node(s) on which we will deploy the web pods
nodeSelector: {}
# -- Annotations to apply to the deployment object for web.
# -- These are applied in addition to deploymentAnnotations.
annotations: {}
# -- Labels to apply to the deployment object for web.
# -- These are applied in addition to mastodon.labels.
labels: {}
# -- Annotations to apply to the web pods.
# -- These are applied in addition to the global podAnnotations.
podAnnotations: {}
# -- Labels to apply to the web pods.
# -- These are applied in addition to mastodon.labels.
podLabels: {}
# Rollout strategy to use when updating pods
# ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
updateStrategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 10%
maxUnavailable: 25%
# -- Topology spread constraints for Web Pods, overwrites .Values.topologySpreadConstraints
topologySpreadConstraints: {}
# -- Pod Security Context for Web Pods, overwrites .Values.podSecurityContext
@ -287,8 +479,10 @@ mastodon:
enable: false
# minAvailable: 1
# maxUnavailable: 1
# -- Puma-specific options. Below values are based on default behavior in
# config/puma.rb when no custom values are provided.
minThreads: "5"
maxThreads: "5"
workers: "2"
@ -303,6 +497,13 @@ mastodon:
name:
key:
# Open Telemetry configuration for web pods. Overrides global settings.
otel:
enabled:
exporterUri:
namePrefix:
nameSeparator:
# HTTP cache buster configuration.
# See the documentation for more information about this feature:
# https://docs.joinmastodon.org/admin/config/#http-cache-buster
@ -316,6 +517,8 @@ mastodon:
existingSecret:
metrics:
# NOTE: This feature was dropped in v4.3.0, and will not work for any versions beyond this.
statsd:
# -- Enable statsd publishing via STATSD_ADDR environment variable
address: ""
@ -325,6 +528,32 @@ mastodon:
enabled: false
port: 9102
# Settings for Prometheus metrics.
# For more information, see:
# https://docs.joinmastodon.org/admin/config/#prometheus
prometheus:
enabled: false
# Port for the exporter to listen on
port: 9394
# Prometheus for web pods
web:
# Collect per-controller/action metrics for every request
detailed: false
# Prometheus for sidekiq pods
sidekiq:
# Collect per-job metrics for every job
detailed: false
# Open Telemetry configuration for all deployments. Component-specific
# configuration will override these values.
otel:
enabled: false
exporterUri:
namePrefix: mastodon
nameSeparator: "-"
# Sets the PREPARED_STATEMENTS environment variable: https://docs.joinmastodon.org/admin/config/#prepared_statements
preparedStatements: true
@ -380,7 +609,13 @@ ingress:
hosts:
- streaming.mastodon.local
# -- https://github.com/bitnami/charts/tree/master/bitnami/elasticsearch#parameters
# Configuration for Elasticsearch.
# When enabled, the bitnami helm chart is used for Elasticsearch deployment, and
# all values here correspond to their values file. Please see the bitnami chart
# documentation:
# https://github.com/bitnami/charts/tree/master/bitnami/elasticsearch#parameters
#
# Please note that we recommend using your own deployment for better management.
elasticsearch:
# Elasticsearch is powering full-text search. It is optional.
@ -406,13 +641,43 @@ elasticsearch:
# Name of an existing secret with a password key
# existingSecret:
# -- Node(s) on which we will deploy the various elasticsearch pods
master:
nodeSelector: {}
data:
nodeSelector: {}
coordinating:
nodeSelector: {}
ingest:
nodeSelector: {}
metrics:
nodeSelector: {}
# Configuration for PostgreSQL.
# When enabled, the bitnami helm chart is used for PostgreSQL deployment, and
# all values here correspond to their values file. Please see the bitnami chart
# documentation:
# https://github.com/bitnami/charts/tree/master/bitnami/postgresql#parameters
#
# Please note that we recommend using your own deployment for better management.
postgresql:
# -- disable if you want to use an existing db; in which case the values below
# must match those of that external postgres instance
# must match those of that external postgres instance.
# Please note that certain features do not work when enabling the included
# database, namely automatic schema creation when the app is first installed.
enabled: true
# postgresqlHostname: preexisting-postgresql
# postgresqlPort: 5432
# If using a connection pooler such as pgbouncer, please specify a hostname/IP
# that serves as a "direct" connection to the database, rather than going
# through the connection pooler. This is required for migrations to work
# properly.
direct:
hostname:
port:
database:
auth:
database: mastodon_production
username: mastodon
@ -442,7 +707,22 @@ postgresql:
password:
existingSecret:
# -- Node(s) on which we will deploy the various database pods
primary:
nodeSelector: {}
readReplicas:
nodeSelector: {}
backup:
cronjob:
nodeSelector: {}
# Configuration for Redis.
# When enabled, the bitnami helm chart used for Redis deployment, and all values
# here correspond to their values file. Please see the bitnami chart
# documentation:
# https://github.com/bitnami/charts/tree/master/bitnami/redis#parameters
#
# Please note that we recommend using your own deployment for better management.
redis:
# disable if you want to use an existing redis instance; in which case the
# values below must match those of that external redis instance
@ -488,6 +768,12 @@ redis:
# with a key of redis-password set to the password you want
existingSecret: ""
# -- Node(s) on which we will deploy the various redis pods
master:
nodeSelector: {}
replica:
nodeSelector: {}
# @ignored
service:
type: ClusterIP
@ -614,23 +900,23 @@ serviceAccount:
# If not set and create is true, a name is generated using the fullname template
name: ""
# Custom annotations to apply to all created deployment objects. These can be
# used to help mastodon interact with other services in the cluster.
# Custom annotations to apply to all created mastodon deployment objects. These
# can be used to help mastodon interact with other services in the cluster.
deploymentAnnotations: {}
# -- Kubernetes manages pods for jobs and pods for deployments differently, so you might
# need to apply different annotations to the two different sets of pods. The annotations
# set with podAnnotations will be added to all deployment-managed pods.
# set with podAnnotations will be added to all mastodon deployment-managed pods.
podAnnotations: {}
# If set to true, an annotation with the current chart release number will be added to all mastodon pods. This will
# cause all pods to be recreated every `helm upgrade` regardless of whether their config or spec changes.
revisionPodAnnotation: true
# The annotations set with jobAnnotations will be added to all job pods.
# The annotations set with jobAnnotations will be added to all mastodon job pods
jobAnnotations: {}
# -- Default resources for all Deployments and jobs unless overwritten
# -- Default resources for all mastodon Deployments and jobs unless overwritten
resources:
{}
# We usually recommend not to specify default resources and to leave this as a conscious
@ -644,26 +930,28 @@ resources:
# cpu: 100m
# memory: 128Mi
# @ignored
nodeSelector: {}
# @ignored
tolerations: []
# -- Affinity for all pods unless overwritten
# -- Affinity for all mastodon pods unless overwritten
affinity: {}
# -- Timezone for all pods unless overwritten
# Node(s) on which we will deploy all resources.
# Any node selectors specified for individual resources will override this
# setting.
nodeSelector: {}
# -- Timezone for all mastodon pods unless overwritten
timezone: UTC
# -- Topology Spread Constraints for all pods unless overwritten
# -- Topology Spread Constraints for all mastodon pods unless overwritten
# Please note that you need to use `matchLabelKeys` (Kubernetes 1.25+) if you
# want to spread each deployment independently, or override topologySpreadConstraints
# for each deployment
topologySpreadConstraints: {}
# Default volume mounts for all pods
# Default volume mounts for all mastodon pods
volumeMounts: []
# Default volumes for all pods
# Default volumes for all mastodon pods
volumes: []

8
peertube/Chart.yaml
View File

@ -5,11 +5,11 @@ dependencies:
- condition: postgresql.enabled
name: postgresql
repository: https://charts.bitnami.com/bitnami
version: 13.2.21
version: 16.3.2
- condition: redis.enabled
name: redis
repository: https://charts.bitnami.com/bitnami
version: 18.4.0
version: 20.6.0
type: application
version: 0.3.4
appVersion: 6.1.0
version: 0.4.4
appVersion: 7.2.1

190
peertube/values.yaml
View File

@ -8,7 +8,7 @@ image:
repository: chocobozzz/peertube
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
tag: "v6.1.0-bookworm"
tag: "v7.2.1-bookworm"
imagePullSecrets: []
nameOverride: ""
@ -47,9 +47,9 @@ configAsCode:
window: 5 minutes
max: 3
receive_client_log:
# 10 attempts in 10 min
window: 10 minutes
max: 10
# 1 attempt every 2 seconds
window: 1 minutes
max: 30
plugins:
# 500 attempts in 10 seconds (we also serve plugin static files)
window: 10 seconds
@ -70,6 +70,10 @@ configAsCode:
# 500 attempts in 10 seconds (to not break crawlers)
window: 10 seconds
max: 500
download_generate_video: # A light FFmpeg process is used to generate videos (to merge audio and video streams for example)
# 5 attempts in 5 seconds
window: 5 seconds
max: 5
oauth2:
token_lifetime:
access_token: '1 day'
@ -134,7 +138,8 @@ configAsCode:
# Change default values when publishing a video (upload/import/go Live)
publish:
download_enabled: true
comments_enabled: true
# enabled = 1, disabled = 2, requires_approval = 3
comments_policy: 1
# public = 1, unlisted = 2, private = 3, internal = 4
privacy: 1
# CC-BY = 1, CC-SA = 2, CC-ND = 3, CC-NC = 4, CC-NC-SA = 5, CC-NC-ND = 6, Public Domain = 7
@ -150,6 +155,9 @@ configAsCode:
# Can be enabled/disabled by URL option
embed:
enabled: true
player:
# By default, playback starts automatically when opening a video
auto_play: true
# From the project root directory
storage:
tmp: '/var/www/peertube/storage/tmp/' # Use to download data (imports etc), store uploaded files before and during processing...
@ -210,7 +218,13 @@ configAsCode:
secret_access_key: ''
# Maximum amount to upload in one request to object storage
max_upload_part: 100MB
# Maximum number of attempts to make a request to object storage
# Some object storage providers (for instance Backblaze) expects the client to retry upload upon 5xx errors
# If you're using such a provider then you can increase this value
max_request_attempts: 3
streaming_playlists:
# Bucket name created on your object storage provider
# PeerTube will access it via {bucket_name}.example.com
bucket_name: 'streaming-playlists'
# Allows setting all buckets to the same value but with a different prefix
prefix: '' # Example: 'streaming-playlists:'
@ -221,7 +235,7 @@ configAsCode:
# which can be a problem depending on your object storage provider
# You can also choose to disable this feature to reduce live streams latency
# Live stream replays are not affected by this setting, so they are uploaded in object storage as regular VOD videos
store_live_streams: true
store_live_streams: false
web_videos:
bucket_name: 'web-videos'
prefix: ''
@ -235,10 +249,15 @@ configAsCode:
bucket_name: 'original-video-files'
prefix: ''
base_url: ''
# Video captions
captions:
bucket_name: 'captions'
prefix: ''
base_url: ''
log:
level: 'info' # 'debug' | 'info' | 'warn' | 'error'
rotation:
enabled : true # Enabled by default, if disabled make sure that 'storage.logs' is pointing to a folder handled by logrotate
enabled: true # Enabled by default, if disabled make sure that 'storage.logs' is pointing to a folder handled by logrotate
max_file_size: 12MB
max_files: 20
anonymize_ip: false
@ -277,7 +296,7 @@ configAsCode:
- 'hot' # Adaptation of Reddit's 'Hot' algorithm
- 'most-viewed' # Number of views in the last x days
- 'most-liked' # Global views since the upload of the video
default: 'most-viewed'
default: 'hot'
# Cache remote videos on your server, to help other instances to broadcast the video
# You can define multiple caches using different sizes/strategies
# Once you have defined your strategies, choose which instances you want to cache in admin -> manage follows -> following
@ -304,9 +323,12 @@ configAsCode:
# Other instances that duplicate your content
remote_redundancy:
videos:
# 'nobody': Do not accept remote redundancies
# 'anybody': Accept remote redundancies from anybody
# 'followings': Accept redundancies from instance followings
# PeerTube doesn't remove existing redundancies when you change this setting
# You can remove them in the web interface: https://docs.joinpeertube.org/admin/following-instances#instances-redundancy
# Available values:
# * nobody: Do not accept remote redundancies
# * followings: Accept redundancies from instance followings
# * anybody: Accept remote redundancies from anybody
accept_from: 'followings'
csp:
enabled: false
@ -376,9 +398,14 @@ configAsCode:
# This is an unmoderated plugin index, so only install plugins/themes you trust
index:
enabled: true
check_latest_versions_interval: '12 hours' # How often you want to check new plugins/themes versions
check_latest_versions_interval: '4 hours' # How often you want to check new plugins/themes versions
url: 'https://packages.joinpeertube.org'
federation:
# Enable ActivityPub endpoints (inbox/outbox)
enabled: true
# Prevent SSRF requests (requests to your internal network for example) by checking the request IP address
# More information about SSRF: https://portswigger.net/web-security/ssrf
prevent_ssrf: true
# Some federated software such as Mastodon may require an HTTP signature to access content
sign_federated_fetches: true
videos:
@ -419,6 +446,14 @@ configAsCode:
# Increasing this value will increase CPU and memory usage when generating the thumbnail, especially for high video resolution
# Minimum value is 2
frames_to_analyze: 50
# Only two sizes are currently supported for now (not less, not more)
# 1 size for the thumbnail (displayed in video miniatures)
# 1 size for the preview (displayed in the video player)
sizes:
- width: 280
height: 157
- width: 850
height: 480
stats:
# Display registration requests stats (average response time, total requests...)
registration_requests:
@ -430,6 +465,20 @@ configAsCode:
enabled: true
total_admins:
enabled: true
webrtc:
# 1 or 2 STUN servers are sufficient
stun_servers:
- 'stun:stunserver2024.stunprotocol.org'
- 'stun:stun.framasoft.org'
nsfw_flags_settings:
# Allow logged-in/anonymous users to have a more granular control over their NSFW policy
# using NSFW flags (violent content, etc.) set by video authors
enabled: true
download_generate_video:
# Max parallel downloads on your instance
# Each download spawns an ffmpeg process
# The ffmpeg process ends when users have downloaded the entire file or cancelled the download
max_parallel_downloads: 100
###############################################################################
#
# From this point, all the following keys can be overridden by the web interface
@ -461,7 +510,9 @@ configAsCode:
enabled: true
signup:
enabled: false
limit: 10 # When the limit is reached, registrations are disabled. -1 == unlimited
# When the total number of users in your instance reaches this limit, registrations are disabled.
# -1 == unlimited
limit: 10
minimum_age: 16 # Used to configure the signup form
requires_approval: true
requires_email_verification: false
@ -520,7 +571,7 @@ configAsCode:
# Available in core PeerTube: 'default'
profile: 'default'
resolutions: # Only created if the original video has a higher resolution, uses more storage!
0p: false # audio-only (creates mp4 without video stream, always created when enabled)
0p: false # audio-only (creates mp4 without video stream)
144p: false
240p: false
360p: false
@ -531,6 +582,10 @@ configAsCode:
2160p: false
# Transcode and keep original resolution, even if it's above your maximum enabled resolution
always_transcode_original_resolution: true
fps:
# Cap transcoded video FPS
# Max resolution file still keeps the original FPS
max: 60
# Generate videos in a web compatible format
# If you also enabled the hls format, it will multiply videos storage by 2
# If disabled, breaks federation with PeerTube instances < 2.1
@ -544,6 +599,11 @@ configAsCode:
# If you also enabled the web videos format, it will multiply videos storage by 2
hls:
enabled: true
# Store the audio stream in a separate file from the video
# This option adds the ability for the HLS player to propose the "Audio only" quality to users
# It also saves disk space by not duplicating the audio stream in each resolution file
# /!\ If enabled, remote PeerTube instances < 6.3.0 won't be able to play these videos
split_audio_and_video: false
live:
enabled: true
# Limit lives duration
@ -597,6 +657,7 @@ configAsCode:
# Available in core PeerTube: 'default'
profile: 'default'
resolutions:
0p: false # Audio only
144p: false
240p: false
360p: false
@ -607,6 +668,10 @@ configAsCode:
2160p: false
# Also transcode original resolution, even if it's above your maximum enabled resolution
always_transcode_original_resolution: true
fps:
# Cap transcoded live FPS
# Max resolution stream still keeps the original FPS
max: 60
video_studio:
# Enable video edition by users (cut, add intro/outro, add watermark etc)
# If enabled, users can create transcoding tasks as they wish
@ -616,6 +681,28 @@ configAsCode:
# At least 1 remote runner must be configured to transcode your videos
remote_runners:
enabled: false
video_transcription:
# Enable automatic transcription of videos
enabled: false
# Choose engine for local transcription
# Supported: 'openai-whisper' or 'whisper-ctranslate2'
engine: 'whisper-ctranslate2'
# You can set a custom engine path for local transcription
# If not provided, PeerTube will try to automatically install it in the PeerTube bin directory
engine_path: null
# Choose engine model for local transcription
# Available for 'openai-whisper' and 'whisper-ctranslate2': 'tiny', 'base', 'small', 'medium', 'large-v2' or 'large-v3'
model: 'small'
# Or specify the model path:
# * PyTorch model file path for 'openai-whisper'
# * CTranslate2 Whisper model directory path for 'whisper-ctranslate2'
# If not provided, PeerTube will automatically download the model
model_path: null
# Enable remote runners to transcribe videos
# If enabled, your instance won't transcribe the videos itself
# At least 1 remote runner must be configured to transcribe your videos
remote_runners:
enabled: false
video_file:
update:
# Add ability for users to replace the video file of an existing video
@ -635,17 +722,31 @@ configAsCode:
youtube_dl_release:
# Direct download URL to youtube-dl binary
# Github releases API is also supported
# Examples:
#
# Platform-independent examples:
# * https://api.github.com/repos/ytdl-org/youtube-dl/releases
# * https://api.github.com/repos/yt-dlp/yt-dlp/releases
# * https://yt-dl.org/downloads/latest/youtube-dl
#
# You can also use a youtube-dl standalone binary (requires python_path: null)
# GNU/Linux binaries with support for impersonating browser requests (required by some platforms such as Vimeo) examples:
# * https://github.com/yt-dlp/yt-dlp/releases/latest/download/yt-dlp_linux (x64)
# * https://github.com/yt-dlp/yt-dlp/releases/latest/download/yt-dlp_linux_armv7l (ARMv7)
# * https://github.com/yt-dlp/yt-dlp/releases/latest/download/yt-dlp_linux_armv7l (ARMv8/AArch64/ARM64)
url: 'https://api.github.com/repos/yt-dlp/yt-dlp/releases'
# Release binary name: 'yt-dlp' or 'youtube-dl'
name: 'yt-dlp'
# Path to the python binary to execute for youtube-dl or yt-dlp
# Set to null if you use a youtube-dl executable
python_path: '/usr/bin/python3'
# IPv6 is very strongly rate-limited on most sites supported by youtube-dl
force_ipv4: false
# By default PeerTube uses HTTP_PROXY and HTTPS_PROXY environment variables
# But you can specify custom proxies for youtube-dl because remote websites (like YouTube) may block your server IP address
# PeerTube will randomly select a proxy from the following list
# You may need to use a standalone youtube-dl binary (see `url` key comment above) to use this feature
proxies:
# - "https://username:password@example.com:8888"
# Magnet URI or torrent file (use classic TCP/UDP/WebSeed to download the file)
torrent:
# We recommend to only enable magnet URI/torrent import if you trust your users
@ -699,16 +800,19 @@ configAsCode:
# If you want to explain on what type of hardware your PeerTube instance runs
# Example: '2 vCore, 2GB RAM...'
hardware_information: '' # Supports Markdown
# What are the main languages of your instance? To interact with your users for example
# Describe the languages spoken on your instance, to interact with your users for example
# Uncomment or add the languages you want
# List of supported languages: https://peertube.cpy.re/api/v1/videos/languages
# PeerTube plugins can add additional languages to the official list of supported languages
languages:
# - en
# - es
# - fr
# You can specify the main categories of your instance (dedicated to music, gaming or politics etc)
# Uncomment or add the category ids you want
# Describe the main categories of your instance (to explain for example that your instance is dedicated to music, gaming, etc.)
# Uncomment categories you want
# List of supported categories: https://peertube.cpy.re/api/v1/videos/categories
# PeerTube plugins can add additional categories to the official list of supported categories
categories:
# - 1 # Music
# - 2 # Films
@ -728,14 +832,28 @@ configAsCode:
# - 16 # Animals
# - 17 # Kids
# - 18 # Food
default_client_route: '/videos/trending'
default_client_route: '/videos/browse'
# Whether or not the instance is dedicated to NSFW content
# Enabling it will allow other administrators to know that you are mainly federating sensitive content
# Moreover, the NSFW checkbox on video upload will be automatically checked by default
is_nsfw: false
# By default, `do_not_list` or `blur` or `display` NSFW videos
# By default, `do_not_list`, `blur`, `warn` or `display` NSFW videos
# Could be overridden per user with a setting
default_nsfw_policy: 'display'
# PeerTube uses this setting to explain to your users which law they must follow in the "About" instance pages
server_country: '' # Example: "France", "United States", "España"
support:
# Explain to your users how to support your instance
# If set, PeerTube will display a "Support" button in "About" instance pages
text: '' # Supports Markdown
# If set, PeerTube will display buttons in "About" instance pages
social:
# Link to your main website
external_link: ''
# Mastodon
mastodon_link: ''
# Bluesky
bluesky_link: ''
customizations:
javascript: '' # Directly your JavaScript code (without <script> tags). Will be eval at runtime
css: '' # Directly your CSS code (without <style> tags). Will be injected at runtime
@ -796,11 +914,12 @@ configAsCode:
# instead of loading the video locally
search_index:
enabled: false
# URL of the search index, that should use the same search API and routes
# than PeerTube: https://docs.joinpeertube.org/api-rest-reference.html
# You should deploy your own with https://framagit.org/framasoft/peertube/search-index,
# and can use https://search.joinpeertube.org/ for tests, but keep in mind the latter is an unmoderated search index
url: ''
# URL of the search index, which should use the same search API and routes
# as PeerTube: https://docs.joinpeertube.org/api-rest-reference.html
# You can deploy your own with https://framagit.org/framasoft/peertube/search-index,
# or you can use the official one: https://sepiasearch.org.
# But keep in mind it is an unmoderated search index
url: 'https://sepiasearch.org'
# You can disable local search in the client, so users only use the search index
disable_local_search: false
# If you did not disable local search in the client, you can decide to use the search index by default
@ -811,17 +930,36 @@ configAsCode:
miniature:
# By default PeerTube client displays author username
prefer_author_display_name: false
display_author_avatar: false
resumable_upload:
# Max size of upload chunks, e.g. '90MB'
# If null, it will be calculated based on network speed
max_chunk_size: null
menu:
login:
# If you enable only one external auth plugin
# You can automatically redirect your users on this external platform when they click on the login button
redirect_on_single_external_auth: false
open_in_app:
android:
# Use an intent URL: https://developer.chrome.com/docs/android/intents
intent:
enabled: true
# Host registered by the mobile app
host: 'joinpeertube.org'
# Scheme registered by the mobile app
scheme: 'peertube'
# If not having the app on the mobile device, open this page
# F-Droid alternative: https://f-droid.org/packages/org.framasoft.peertube/
fallback_url: 'https://play.google.com/store/apps/details?id=org.framasoft.peertube'
ios:
# We use a timeout for iOS: if the app is not opened after a few seconds, open the fallback URL
enabled: true
# Host registered by the mobile app
host: 'joinpeertube.org'
# Scheme registered by the mobile app
scheme: 'peertube'
# If not having the app on the mobile device, open this page
fallback_url: 'https://apps.apple.com/fr/app/peertube/id6737834858'
storyboards:
# Generate storyboards of local videos using ffmpeg so users can see the video preview in the player while scrubbing the video
enabled: true

4
postfix/Chart.yaml
View File

@ -14,8 +14,8 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
version: 0.1.5
version: 0.1.7
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application.
appVersion: 3.5.9
appVersion: 3.5.25

2
postfix/values.yaml
View File

@ -14,7 +14,7 @@ tls:
postfix:
image:
repository: gitea.geekhome.org/ghp/postfix
tag: 3.5.9-2
tag: 3.5.25-1
pullPolicy: Always
configmaps:
main: |

4
postgres-operator-ui/Chart.yaml
View File

@ -1,7 +1,7 @@
apiVersion: v2
name: postgres-operator-ui
version: 1.12.0
appVersion: 1.12.0
version: 1.13.0
appVersion: 1.13.0
home: https://github.com/zalando/postgres-operator
description: Postgres Operator UI provides a graphical interface for a convenient database-as-a-service user experience
keywords:

87
postgres-operator-ui/index.yaml
View File

@ -2,11 +2,11 @@ apiVersion: v1
entries:
postgres-operator-ui:
- apiVersion: v2
appVersion: 1.12.0
created: "2024-05-24T16:34:14.027533755+02:00"
appVersion: 1.13.0
created: "2024-08-21T18:55:36.524305158+02:00"
description: Postgres Operator UI provides a graphical interface for a convenient
database-as-a-service user experience
digest: 498b8254dc0e24bc3cdc98e250a5640dc104b75e1dbba5d9fdb90a3b39e7eb8c
digest: e0444e516b50f82002d1a733527813c51759a627cefdd1005cea73659f824ea8
home: https://github.com/zalando/postgres-operator
keywords:
- postgres
@ -22,11 +22,34 @@ entries:
sources:
- https://github.com/zalando/postgres-operator
urls:
- postgres-operator-ui-1.12.0.tgz
version: 1.12.0
- postgres-operator-ui-1.13.0.tgz
version: 1.13.0
- apiVersion: v2
appVersion: 1.12.2
created: "2024-08-21T18:55:36.521875733+02:00"
description: Postgres Operator UI provides a graphical interface for a convenient
database-as-a-service user experience
digest: cbcef400c23ccece27d97369ad629278265c013e0a45c0b7f33e7568a082fedd
home: https://github.com/zalando/postgres-operator
keywords:
- postgres
- operator
- ui
- cloud-native
- patroni
- spilo
maintainers:
- email: opensource@zalando.de
name: Zalando
name: postgres-operator-ui
sources:
- https://github.com/zalando/postgres-operator
urls:
- postgres-operator-ui-1.12.2.tgz
version: 1.12.2
- apiVersion: v2
appVersion: 1.11.0
created: "2024-05-24T16:34:14.02529813+02:00"
created: "2024-08-21T18:55:36.51959105+02:00"
description: Postgres Operator UI provides a graphical interface for a convenient
database-as-a-service user experience
digest: a45f2284045c2a9a79750a36997386444f39b01ac722b17c84b431457577a3a2
@ -49,7 +72,7 @@ entries:
version: 1.11.0
- apiVersion: v2
appVersion: 1.10.1
created: "2024-05-24T16:34:14.023186291+02:00"
created: "2024-08-21T18:55:36.516518177+02:00"
description: Postgres Operator UI provides a graphical interface for a convenient
database-as-a-service user experience
digest: 2e5e7a82aebee519ec57c6243eb8735124aa4585a3a19c66ffd69638fbeb11ce
@ -70,32 +93,9 @@ entries:
urls:
- postgres-operator-ui-1.10.1.tgz
version: 1.10.1
- apiVersion: v2
appVersion: 1.10.0
created: "2024-05-24T16:34:14.021045516+02:00"
description: Postgres Operator UI provides a graphical interface for a convenient
database-as-a-service user experience
digest: 47413650e3188539ae778a601998efa2c4f80b8aa16e3668a2fc7b72e014b605
home: https://github.com/zalando/postgres-operator
keywords:
- postgres
- operator
- ui
- cloud-native
- patroni
- spilo
maintainers:
- email: opensource@zalando.de
name: Zalando
name: postgres-operator-ui
sources:
- https://github.com/zalando/postgres-operator
urls:
- postgres-operator-ui-1.10.0.tgz
version: 1.10.0
- apiVersion: v2
appVersion: 1.9.0
created: "2024-05-24T16:34:14.031516234+02:00"
created: "2024-08-21T18:55:36.52712908+02:00"
description: Postgres Operator UI provides a graphical interface for a convenient
database-as-a-service user experience
digest: df434af6c8b697fe0631017ecc25e3c79e125361ae6622347cea41a545153bdc
@ -116,27 +116,4 @@ entries:
urls:
- postgres-operator-ui-1.9.0.tgz
version: 1.9.0
- apiVersion: v2
appVersion: 1.8.2
created: "2024-05-24T16:34:14.029536821+02:00"
description: Postgres Operator UI provides a graphical interface for a convenient
database-as-a-service user experience
digest: fbfc90fa8fd007a08a7c02e0ec9108bb8282cbb42b8c976d88f2193d6edff30c
home: https://github.com/zalando/postgres-operator
keywords:
- postgres
- operator
- ui
- cloud-native
- patroni
- spilo
maintainers:
- email: opensource@zalando.de
name: Zalando
name: postgres-operator-ui
sources:
- https://github.com/zalando/postgres-operator
urls:
- postgres-operator-ui-1.8.2.tgz
version: 1.8.2
generated: "2024-05-24T16:34:14.018381989+02:00"
generated: "2024-08-21T18:55:36.512456099+02:00"

2
postgres-operator-ui/values.yaml
View File

@ -8,7 +8,7 @@ replicaCount: 1
image:
registry: ghcr.io
repository: zalando/postgres-operator-ui
tag: v1.12.0
tag: v1.13.0
pullPolicy: "IfNotPresent"
# Optionally specify an array of imagePullSecrets.

4
postgres-operator/Chart.yaml
View File

@ -1,7 +1,7 @@
apiVersion: v2
name: postgres-operator
version: 1.12.0
appVersion: 1.12.0
version: 1.13.0
appVersion: 1.13.0
home: https://github.com/zalando/postgres-operator
description: Postgres Operator creates and manages PostgreSQL clusters running in Kubernetes
keywords:

14
postgres-operator/crds/operatorconfigurations.yaml
View File

@ -68,7 +68,7 @@ spec:
type: string
docker_image:
type: string
default: "ghcr.io/zalando/spilo-16:3.2-p3"
default: "ghcr.io/zalando/spilo-16:3.3-p1"
enable_crd_registration:
type: boolean
default: true
@ -160,7 +160,7 @@ spec:
properties:
major_version_upgrade_mode:
type: string
default: "off"
default: "manual"
major_version_upgrade_team_allow_list:
type: array
items:
@ -211,9 +211,9 @@ spec:
enable_init_containers:
type: boolean
default: true
enable_secrets_deletion:
enable_owner_references:
type: boolean
default: true
default: false
enable_persistent_volume_claim_deletion:
type: boolean
default: true
@ -226,6 +226,9 @@ spec:
enable_readiness_probe:
type: boolean
default: false
enable_secrets_deletion:
type: boolean
default: true
enable_sidecars:
type: boolean
default: true
@ -469,7 +472,6 @@ spec:
type: string
additional_secret_mount_path:
type: string
default: "/meta/credentials"
aws_region:
type: string
default: "eu-central-1"
@ -508,7 +510,7 @@ spec:
pattern: '^(\d+m|\d+(\.\d{1,3})?)$'
logical_backup_docker_image:
type: string
default: "ghcr.io/zalando/postgres-operator/logical-backup:v1.12.0"
default: "ghcr.io/zalando/postgres-operator/logical-backup:v1.13.0"
logical_backup_google_application_credentials:
type: string
logical_backup_job_prefix:

3
postgres-operator/crds/postgresqls.yaml
View File

@ -226,7 +226,7 @@ spec:
type: array
items:
type: string
pattern: '^\ *((Mon|Tue|Wed|Thu|Fri|Sat|Sun):(2[0-3]|[01]?\d):([0-5]?\d)|(2[0-3]|[01]?\d):([0-5]?\d))-((Mon|Tue|Wed|Thu|Fri|Sat|Sun):(2[0-3]|[01]?\d):([0-5]?\d)|(2[0-3]|[01]?\d):([0-5]?\d))\ *$'
pattern: '^\ *((Mon|Tue|Wed|Thu|Fri|Sat|Sun):(2[0-3]|[01]?\d):([0-5]?\d)|(2[0-3]|[01]?\d):([0-5]?\d))-((2[0-3]|[01]?\d):([0-5]?\d)|(2[0-3]|[01]?\d):([0-5]?\d))\ *$'
masterServiceAnnotations:
type: object
additionalProperties:
@ -375,7 +375,6 @@ spec:
version:
type: string
enum:
- "11"
- "12"
- "13"
- "14"

84
postgres-operator/index.yaml
View File

@ -2,11 +2,11 @@ apiVersion: v1
entries:
postgres-operator:
- apiVersion: v2
appVersion: 1.12.0
created: "2024-05-24T16:33:38.650770727+02:00"
appVersion: 1.13.0
created: "2024-08-21T18:54:43.160735116+02:00"
description: Postgres Operator creates and manages PostgreSQL clusters running
in Kubernetes
digest: d56e9471096d3e0dfd3a35619bfd8e81895979e95a0cad44eb021335814d19cf
digest: a839601689aea0a7e6bc0712a5244d435683cf3314c95794097ff08540e1dfef
home: https://github.com/zalando/postgres-operator
keywords:
- postgres
@ -21,11 +21,33 @@ entries:
sources:
- https://github.com/zalando/postgres-operator
urls:
- postgres-operator-1.12.0.tgz
version: 1.12.0
- postgres-operator-1.13.0.tgz
version: 1.13.0
- apiVersion: v2
appVersion: 1.12.2
created: "2024-08-21T18:54:43.152249286+02:00"
description: Postgres Operator creates and manages PostgreSQL clusters running
in Kubernetes
digest: 65858d14a40d7fd90c32bd9fc60021acc9555c161079f43a365c70171eaf21d8
home: https://github.com/zalando/postgres-operator
keywords:
- postgres
- operator
- cloud-native
- patroni
- spilo
maintainers:
- email: opensource@zalando.de
name: Zalando
name: postgres-operator
sources:
- https://github.com/zalando/postgres-operator
urls:
- postgres-operator-1.12.2.tgz
version: 1.12.2
- apiVersion: v2
appVersion: 1.11.0
created: "2024-05-24T16:33:38.644616857+02:00"
created: "2024-08-21T18:54:43.145837894+02:00"
description: Postgres Operator creates and manages PostgreSQL clusters running
in Kubernetes
digest: 3914b5e117bda0834f05c9207f007e2ac372864cf6e86dcc2e1362bbe46c14d9
@ -47,7 +69,7 @@ entries:
version: 1.11.0
- apiVersion: v2
appVersion: 1.10.1
created: "2024-05-24T16:33:38.638769428+02:00"
created: "2024-08-21T18:54:43.139552116+02:00"
description: Postgres Operator creates and manages PostgreSQL clusters running
in Kubernetes
digest: cc3baa41753da92466223d0b334df27e79c882296577b404a8e9071411fcf19c
@ -67,31 +89,9 @@ entries:
urls:
- postgres-operator-1.10.1.tgz
version: 1.10.1
- apiVersion: v2
appVersion: 1.10.0
created: "2024-05-24T16:33:38.633634768+02:00"
description: Postgres Operator creates and manages PostgreSQL clusters running
in Kubernetes
digest: 60fc5c8059dfed175d14e1034b40997d9c59d33ec8ea158c0597f7228ab04b51
home: https://github.com/zalando/postgres-operator
keywords:
- postgres
- operator
- cloud-native
- patroni
- spilo
maintainers:
- email: opensource@zalando.de
name: Zalando
name: postgres-operator
sources:
- https://github.com/zalando/postgres-operator
urls:
- postgres-operator-1.10.0.tgz
version: 1.10.0
- apiVersion: v2
appVersion: 1.9.0
created: "2024-05-24T16:33:38.663765707+02:00"
created: "2024-08-21T18:54:43.168490032+02:00"
description: Postgres Operator creates and manages PostgreSQL clusters running
in Kubernetes
digest: 64df90c898ca591eb3a330328173ffaadfbf9ddd474d8c42ed143edc9e3f4276
@ -111,26 +111,4 @@ entries:
urls:
- postgres-operator-1.9.0.tgz
version: 1.9.0
- apiVersion: v2
appVersion: 1.8.2
created: "2024-05-24T16:33:38.658286963+02:00"
description: Postgres Operator creates and manages PostgreSQL clusters running
in Kubernetes
digest: f77ffad2e98b72a621e5527015cf607935d3ed688f10ba4b626435acb9631b5b
home: https://github.com/zalando/postgres-operator
keywords:
- postgres
- operator
- cloud-native
- patroni
- spilo
maintainers:
- email: opensource@zalando.de
name: Zalando
name: postgres-operator
sources:
- https://github.com/zalando/postgres-operator
urls:
- postgres-operator-1.8.2.tgz
version: 1.8.2
generated: "2024-05-24T16:33:38.62797266+02:00"
generated: "2024-08-21T18:54:43.126871802+02:00"

2
postgres-operator/templates/clusterrole.yaml
View File

@ -120,6 +120,7 @@ rules:
- create
- delete
- get
- patch
- update
# to check nodes for node readiness label
- apiGroups:
@ -196,6 +197,7 @@ rules:
- get
- list
- patch
- update
# to CRUD cron jobs for logical backups
- apiGroups:
- batch

3
postgres-operator/templates/deployment.yaml
View File

@ -52,6 +52,9 @@ spec:
{{- if .Values.controllerID.create }}
- name: CONTROLLER_ID
value: {{ template "postgres-operator.controllerID" . }}
{{- end }}
{{- if .Values.extraEnvs }}
{{- .Values.extraEnvs | toYaml | nindent 12 }}
{{- end }}
resources:
{{ toYaml .Values.resources | indent 10 }}

34
postgres-operator/values.yaml
View File

@ -1,7 +1,7 @@
image:
registry: ghcr.io
repository: zalando/postgres-operator
tag: v1.12.0
tag: v1.13.0
pullPolicy: "IfNotPresent"
# Optionally specify an array of imagePullSecrets.
@ -38,7 +38,7 @@ configGeneral:
# etcd connection string for Patroni. Empty uses K8s-native DCS.
etcd_host: ""
# Spilo docker image
docker_image: ghcr.io/zalando/spilo-16:3.2-p3
docker_image: ghcr.io/zalando/spilo-16:3.3-p1
# key name for annotation to ignore globally configured instance limits
# ignore_instance_limits_annotation_key: ""
@ -83,7 +83,7 @@ configUsers:
configMajorVersionUpgrade:
# "off": no upgrade, "manual": manifest triggers action, "full": minimal version violation triggers too
major_version_upgrade_mode: "off"
major_version_upgrade_mode: "manual"
# upgrades will only be carried out for clusters of listed teams when mode is "off"
# major_version_upgrade_team_allow_list:
# - acid
@ -129,8 +129,8 @@ configKubernetes:
enable_finalizers: false
# enables initContainers to run actions before Spilo is started
enable_init_containers: true
# toggles if operator should delete secrets on cluster deletion
enable_secrets_deletion: true
# toggles if child resources should have an owner reference to the postgresql CR
enable_owner_references: false
# toggles if operator should delete PVCs on cluster deletion
enable_persistent_volume_claim_deletion: true
# toggles pod anti affinity on the Postgres pods
@ -139,6 +139,8 @@ configKubernetes:
enable_pod_disruption_budget: true
# toogles readiness probe for database pods
enable_readiness_probe: false
# toggles if operator should delete secrets on cluster deletion
enable_secrets_deletion: true
# enables sidecar containers to run alongside Spilo in the same pod
enable_sidecars: true
@ -362,7 +364,7 @@ configLogicalBackup:
# logical_backup_memory_request: ""
# image for pods of the logical backup job (example runs pg_dumpall)
logical_backup_docker_image: "ghcr.io/zalando/postgres-operator/logical-backup:v1.12.0"
logical_backup_docker_image: "ghcr.io/zalando/postgres-operator/logical-backup:v1.13.0"
# path of google cloud service account json file
# logical_backup_google_application_credentials: ""
@ -478,7 +480,7 @@ priorityClassName: ""
# priority class for database pods
podPriorityClassName:
# If create is false with no name set, no podPriorityClassName is specified.
# Hence, the pod priorityClass is the one with globalDefault set.
# Hence, the pod priorityClass is the one with globalDefault set.
# If there is no PriorityClass with globalDefault set, the priority of Pods with no priorityClassName is zero.
create: true
# If not set a name is generated using the fullname template and "-pod" suffix
@ -504,6 +506,24 @@ readinessProbe:
initialDelaySeconds: 5
periodSeconds: 10
# configure extra environment variables
# Extra environment variables are writen in kubernetes format and added "as is" to the pod's env variables
# https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/
# https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables
extraEnvs:
[]
# Exemple of settings maximum amount of memory / cpu that can be used by go process (to match resources.limits)
# - name: MY_VAR
# value: my-value
# - name: GOMAXPROCS
# valueFrom:
# resourceFieldRef:
# resource: limits.cpu
# - name: GOMEMLIMIT
# valueFrom:
# resourceFieldRef:
# resource: limits.memory
# Affinity for pod assignment
# Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
affinity: {}

4
roundcube/Chart.yaml
View File

@ -1,6 +1,6 @@
apiVersion: v2
appVersion: "1.6.7"
appVersion: "1.6.11"
description: A Helm chart for Kubernetes
name: roundcube
version: 0.4.2
version: 0.4.6
icon: https://github.com/roundcube/roundcubemail/blob/master/skins/classic/images/roundcube_logo.png

2
roundcube/values.yaml
View File

@ -2,7 +2,7 @@ replicaCount: 1
image:
repository: roundcube/roundcubemail
tag: 1.6.7-apache
tag: 1.6.11-apache
pullPolicy: IfNotPresent
args: [ sh, -c, 'update-ca-certificates && /docker-entrypoint.sh apache2-foreground' ]

4
rspamd/Chart.yaml
View File

@ -7,5 +7,5 @@ dependencies:
repository: https://charts.bitnami.com/bitnami
version: 17.9.3
type: application
version: 0.5.2
appVersion: 3.8.4
version: 0.5.7
appVersion: 3.12.1

2
rspamd/values.yaml
View File

@ -10,7 +10,7 @@ persistence:
rspamd:
image:
repository: gitea.geekhome.org/ghp/rspamd
tag: 3.8.4-1
tag: 3.12.1-1
pullPolicy: Always
local.d:
redis.conf: |

4
wikijs/Chart.yaml
View File

@ -2,10 +2,10 @@ apiVersion: v2
name: wikijs
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
version: 2.3.15
version: 2.3.19
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application.
appVersion: 2.5.303
appVersion: 2.5.307
description: The most powerful and extensible open source Wiki software.
keywords:
- wiki

2
wikijs/values.yaml
View File

@ -6,7 +6,7 @@ replicaCount: 1
image:
repository: requarks/wiki
tag: 2.5.303
tag: 2.5.307
pullPolicy: IfNotPresent
imagePullSecrets: []