bitwarden: bump to 1.34.3, helm chart 2.0.40

adguard-home/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 0.107.59
+appVersion: 0.107.63
 description: DNS proxy as ad-blocker for local network
 home: https://github.com/k8s-at-home/charts/tree/master/charts/adguard-home
 icon: https://avatars3.githubusercontent.com/u/8361145?s=200&v=4?sanitize=true
@@ -12,4 +12,4 @@ maintainers:
 name: adguard-home
 sources:
 - https://github.com/AdguardTeam/AdGuardHome
-version: 2.3.31
+version: 2.3.33

adguard-home/values.yaml

@@ -4,7 +4,7 @@ strategyType: Recreate
 image:
   repository: adguard/adguardhome
   # Image tag is set via charts appVersion. If you want to override the tag, specify it here
-  tag: v0.107.59
+  tag: v0.107.63
   pullPolicy: IfNotPresent
 
 nameOverride: ""

autovault/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

autovault/Chart.yaml

@@ -0,0 +1,24 @@
+apiVersion: v2
+name: autovault
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.1.0"

autovault/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "autovault.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "autovault.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "autovault.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "autovault.labels" -}}
+helm.sh/chart: {{ include "autovault.chart" . }}
+{{ include "autovault.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "autovault.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "autovault.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "autovault.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "autovault.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

autovault/templates/configmap.yaml

@@ -0,0 +1,68 @@
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: {{ include "autovault.fullname" . }}-scripts
+  labels:
+    {{- include "autovault.labels" . | nindent 4 }}
+data:
+  autovault.sh: |
+    #!/bin/bash
+
+    HOME=/vault/data
+    while [[ "$(curl -L -s -o /dev/null -w ''%{http_code}'' {{ .Values.vaultUrl }})" != "200" ]]; do sleep 5; done
+
+    export VAULT_ADDR={{ .Values.vaultUrl }}
+
+    INITIALIZED=$(vault status -format=json | jq -r '.initialized')
+
+    SEALED=$(vault status -format=json | jq -r '.sealed')
+
+    if [[ "$INITIALIZED" == "false" ]] ; then
+      vault operator init -key-threshold=1 -key-shares=1 -format=json > /vault/data/keys.json
+    fi
+
+    if [[ "$SEALED" == "true" ]] ; then
+      KEY=$(cat /vault/data/keys.json | jq -r '.unseal_keys_b64[0]')
+      vault operator unseal $KEY
+    fi
+
+    export VAULT_TOKEN=$(cat /vault/data/keys.json | jq -r '.root_token')
+
+    KV_ENABLED=$(vault secrets list | grep -i kv)
+    if [[ -z "$KV_ENABLED" ]] ; then
+      vault secrets enable -version=2 kv
+    fi
+
+    USERPASS_ENABLED=$(vault auth list | grep -i userpass)
+    if [[ -z "$USERPASS_ENABLED" ]] ; then
+      vault auth enable userpass
+    fi
+
+    APPROLE_ENABLED=$(vault auth list | grep -i approle)
+    if [[ -z "$APPROLE_ENABLED" ]] ; then
+      vault auth enable approle
+    fi
+
+    echo
+    echo "----------------------------------------------------------------"
+    echo
+    echo "Vault root token: ${VAULT_TOKEN}"
+    echo
+    echo "----------------------------------------------------------------"
+    echo
+
+    for APPROLE in {{ join " " .Values.autovaultGenSecretsApps }}; do
+      APPROLE_CREATED=$(vault read auth/approle/role/"$APPROLE"/role-id)
+      if [[ -z "$APPROLE_CREATED" ]] ; then
+        vault write -f auth/approle/role/"$APPROLE"
+      fi
+      kubectl get secret vault-secret-"$APPROLE" || \
+        { APPROLE_ROLE_ID=$(vault read auth/approle/role/"$APPROLE"/role-id | grep "role_id\s" | awk '{print $2}') ; \
+        APPROLE_SECRET_ID=$(vault write -f auth/approle/role/"$APPROLE"/secret-id | grep "secret_id\s" | awk '{print $2}') ; \
+        kubectl create secret generic vault-secret-"$APPROLE" --from-literal=rootToken="$VAULT_TOKEN" --from-literal=roleId="$APPROLE_ROLE_ID" --from-literal=secretId="$APPROLE_SECRET_ID" ;
+        echo "$APPROLE    role-id = $APPROLE_ROLE_ID" ; }
+    done
+
+    vault auth list
+

autovault/templates/cronjob.yaml

@@ -0,0 +1,54 @@
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: {{ include "autovault.fullname" . }}
+  labels:
+    {{- include "autovault.labels" . | nindent 4 }}
+spec:
+  concurrencyPolicy: Forbid
+  schedule: {{ .Values.autovaultSchedule | quote }}
+  successfulJobsHistoryLimit: 1
+  failedJobsHistoryLimit: 1
+  jobTemplate:
+    spec:
+      backoffLimit: 2
+      activeDeadlineSeconds: 300
+      template:
+        spec:
+          serviceAccountName: {{ include "autovault.fullname" . }}
+          restartPolicy: Never
+          {{- with .Values.imagePullSecrets }}
+          imagePullSecrets:
+            {{- toYaml . | nindent 8 }}
+          {{- end }}
+          containers:
+            - name: autovault
+              image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+              imagePullPolicy: {{ .Values.image.pullPolicy }}
+              volumeMounts:
+              - name: {{ include "autovault.fullname" . }}-data
+                mountPath: /vault/data
+              - name: {{ include "autovault.fullname" . }}-scripts
+                mountPath: /vault/scripts
+              command: [ "/bin/bash", "-c", "/vault/scripts/autovault.sh" ]
+          volumes:
+          - name: {{ include "autovault.fullname" . }}-data
+            persistentVolumeClaim:
+              claimName: {{ include "autovault.fullname" . }}-data
+          - name: {{ include "autovault.fullname" . }}-scripts
+            configMap:
+              name: {{ include "autovault.fullname" . }}-scripts
+              defaultMode: 0777
+          {{- with .Values.nodeSelector }}
+          nodeSelector:
+            {{- toYaml . | nindent 8 }}
+          {{- end }}
+          {{- with .Values.affinity }}
+          affinity:
+            {{- toYaml . | nindent 8 }}
+          {{- end }}
+          {{- with .Values.tolerations }}
+          tolerations:
+            {{- toYaml . | nindent 8 }}
+          {{- end }}

autovault/templates/pvc.yaml

@@ -0,0 +1,26 @@
+---
+{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: {{ template "autovault.fullname" . }}-data
+  labels:
+    {{- include "autovault.labels" . | nindent 4 }}
+{{- if .Values.persistence.annotations }}
+  annotations:
+{{ toYaml .Values.persistence.annotations | indent 4 }}
+{{- end }}
+spec:
+  accessModes:
+    - {{ .Values.persistence.accessMode | quote }}
+  resources:
+    requests:
+      storage: {{ .Values.persistence.size | quote }}
+{{- if .Values.persistence.storageClass }}
+{{- if (eq "-" .Values.persistence.storageClass) }}
+  storageClassName: ""
+{{- else }}
+  storageClassName: "{{ .Values.persistence.storageClass }}"
+{{- end }}
+{{- end }}
+{{- end }}

autovault/templates/role.yaml

@@ -0,0 +1,26 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "autovault.fullname" . }}
+  labels:
+    {{- include "autovault.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["list", "get", "watch", "create", "delete"]
+  - apiGroups: [""]
+    resources: ["pods/exec"]
+    verbs: ["create"]
+  - apiGroups: [""]
+    resources: ["pods/log"]
+    verbs: ["get"]
+  - apiGroups: [""]
+    resources: ["pods/attach"]
+    verbs: ["list", "get", "create", "delete", "update"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["list", "get", "create", "delete", "update"]
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["list", "get", "create", "delete", "update"]

autovault/templates/rolebinging.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "autovault.fullname" . }}
+  labels:
+    {{- include "autovault.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  name: {{ include "autovault.fullname" . }}
+  kind: Role
+subjects:
+- kind: ServiceAccount
+  name: {{ include "autovault.fullname" . }}
+  namespace: {{ .Release.Namespace }}

autovault/templates/serviceaccount.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "autovault.serviceAccountName" . }}
+  labels:
+    {{- include "autovault.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
+{{- end }}

autovault/values.yaml

@@ -0,0 +1,107 @@
+# Default values for autovault.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+# This will set the replicaset count more information can be found here: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/
+replicaCount: 1
+
+# This sets the container image more information can be found here: https://kubernetes.io/docs/concepts/containers/images/
+image:
+  repository: gitea.geekhome.org/ghp/autovault
+  # This sets the pull policy for images.
+  pullPolicy: Always
+  # Overrides the image tag whose default is the chart appVersion.
+  tag: "0.1.0-1"
+
+# This is for the secrets for pulling an image from a private repository more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+imagePullSecrets: []
+# This is to override the chart name.
+nameOverride: ""
+fullnameOverride: ""
+
+vaultUrl: "http://vault:8200"
+autovaultGenSecretsApps:
+  - approle1
+
+autovaultSchedule: "0/5 * * * *"
+
+# This section builds out the service account more information can be found here: https://kubernetes.io/docs/concepts/security/service-accounts/
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # Automatically mount a ServiceAccount's API credentials?
+  automount: true
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
+# This is for setting Kubernetes Annotations to a Pod.
+# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+podAnnotations: {}
+# This is for setting Kubernetes Labels to a Pod.
+# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+podLabels: {}
+
+podSecurityContext: {}
+  # fsGroup: 2000
+
+securityContext: {}
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+  # runAsUser: 1000
+
+resources: {}
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+
+persistence:
+  enabled: true
+  annotations: {}
+  ## PeerTube data Persistent Volume Storage Class
+  ## If defined, storageClassName: <storageClass>
+  ## If set to "-", storageClassName: "", which disables dynamic provisioning
+  ## If undefined (the default) or set to null, no storageClassName spec is
+  ##   set, choosing the default provisioner.  (gp2 on AWS, standard on
+  ##   GKE, AWS & OpenStack)
+  ##
+  # storageClass: "-"
+
+  ## A manually managed Persistent Volume and Claim
+  ## Requires persistence.enabled: true
+  ## If defined, PVC must be created manually before volume will be bound
+  # existingClaim:
+
+  accessMode: ReadWriteOnce
+  size: 1Mi
+
+# Additional volumes on the output Deployment definition.
+volumes: []
+# - name: foo
+#   secret:
+#     secretName: mysecret
+#     optional: false
+
+# Additional volumeMounts on the output Deployment definition.
+volumeMounts: []
+# - name: foo
+#   mountPath: "/etc/foo"
+#   readOnly: true
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}

bitwarden/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.33.2
+appVersion: 1.34.3
 description: Unofficial Bitwarden compatible server written in Rust
 home: https://github.com/k8s-at-home/charts/tree/master/charts/bitwardenrs
 icon: https://raw.githubusercontent.com/bitwarden/brand/master/icons/256x256.png
@@ -17,4 +17,4 @@ name: bitwarden
 sources:
 - https://github.com/dani-garcia/bitwarden_rs
 type: application
-version: 2.0.37
+version: 2.0.40

bitwarden/values.yaml

@@ -5,7 +5,7 @@ replicaCount: 1
 image:
   repository: vaultwarden/server
   pullPolicy: IfNotPresent
-  tag: "1.33.2"
+  tag: "1.34.3"
 
 imagePullSecrets: []
 nameOverride: ""

gitea-act-runner/Chart.yaml

@@ -15,10 +15,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.12
+version: 0.1.13
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.2.11"
+appVersion: "0.2.12"

gitea-act-runner/templates/statefulset.yaml

@@ -34,7 +34,7 @@ spec:
             {{- toYaml .Values.securityContext | nindent 12 }}
           image: "{{ .Values.image.runner.repository }}:{{ .Values.image.runner.tag | default .Chart.AppVersion }}"
           command: ["/bin/sh"]
-          args: ["-c", "while ! nc -z localhost 2376 </dev/null; do echo 'waiting for docker daemon...'; sleep 5; done; /sbin/tini -- /opt/act/run.sh"]
+          args: ["-c", "while ! nc -z localhost 2376 </dev/null; do echo 'waiting for docker daemon...'; sleep 5; done; /sbin/tini -- /usr/local/bin/run.sh"]
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           env:
           - name: DOCKER_HOST

gitea-act-runner/values.yaml

@@ -9,11 +9,11 @@ image:
     repository: gitea/act_runner
     pullPolicy: IfNotPresent
     # Overrides the image tag whose default is the chart appVersion.
-    tag: "0.2.11"
+    tag: "0.2.12"
   daemon:
     repository: docker
     pullPolicy: IfNotPresent
-    tag: "27.5.1-dind"
+    tag: "28.3.2-dind"
 
 imagePullSecrets: []
 nameOverride: ""

kanidm/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

kanidm/Chart.yaml

@@ -0,0 +1,24 @@
+apiVersion: v2
+name: kanidm
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.2.2
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.6.4"

kanidm/templates/NOTES.txt

@@ -0,0 +1,22 @@
+1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+{{- range $host := .Values.ingress.hosts }}
+  {{- range .paths }}
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+  {{- end }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "kanidm.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+           You can watch its status by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "kanidm.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "kanidm.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+  echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "kanidm.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+  echo "Visit http://127.0.0.1:8080 to use your application"
+  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+{{- end }}

kanidm/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "kanidm.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "kanidm.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "kanidm.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "kanidm.labels" -}}
+helm.sh/chart: {{ include "kanidm.chart" . }}
+{{ include "kanidm.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "kanidm.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "kanidm.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "kanidm.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "kanidm.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

kanidm/templates/configmap.yaml

@@ -0,0 +1,136 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: {{ include "kanidm.fullname" . }}-config
+  labels:
+    {{- include "kanidm.labels" . | nindent 4 }}
+data: 
+  server.toml: |
+    # The server configuration file version.
+    version = "2"
+    #   The webserver bind address. Requires TLS certificates.
+    #   If the port is set to 443 you may require the
+    #   NET_BIND_SERVICE capability.
+    #   Defaults to "127.0.0.1:8443"
+    bindaddress = "{{ tpl .Values.kanidm.bindaddress $ }}"
+    #
+    #   The read-only ldap server bind address. Requires
+    #   TLS certificates. If set to 636 you may require
+    #   the NET_BIND_SERVICE capability.
+    #   Defaults to "" (disabled)
+    {{- if .Values.kanidmLdap.enabled }}
+    dapbindaddress = "{{ tpl .Values.kanidmLdap.dapbindaddress $ }}"
+    {{- else }}
+    # ldapbindaddress = "{{ tpl .Values.kanidmLdap.dapbindaddress $ }}"
+    {{- end }}
+    #
+    #   The path to the kanidm database.
+    db_path = "{{ .Values.kanidm.db_path }}"
+    #
+    #   If you have a known filesystem, kanidm can tune the
+    #   database page size to match. Valid choices are:
+    #   [zfs, other]
+    #   If you are unsure about this leave it as the default
+    #   (other). After changing this
+    #   value you must run a vacuum task.
+    #   - zfs:
+    #     * sets database pagesize to 64k. You must set
+    #       recordsize=64k on the zfs filesystem.
+    #   - other:
+    #     * sets database pagesize to 4k, matching most
+    #       filesystems block sizes.
+    {{- if .Values.kanidm.db_fs_type }}
+    db_fs_type = "{{ .Values.kanidm.db_fs_type }}"
+    {{- else }}
+    # db_fs_type = "zfs"
+    {{- end }}
+    #
+    #   The number of entries to store in the in-memory cache.
+    #   Minimum value is 256. If unset
+    #   an automatic heuristic is used to scale this.
+    #   You should only adjust this value if you experience
+    #   memory pressure on your system.
+    {{- if .Values.kanidm.db_arc_size }}
+    db_arc_size = {{ .Values.kanidm.db_arc_size }}
+    {{- else }}
+    # db_arc_size = 2048
+    {{- end }}
+    #
+    #   TLS chain and key in pem format. Both must be present.
+    #   If the server receives a SIGHUP, these files will be
+    #   re-read and reloaded if their content is valid.
+    tls_chain = "{{ .Values.kanidm.tls_chain }}"
+    tls_key = "{{ .Values.kanidm.tls_key }}"
+    #
+    #   The log level of the server. May be one of info, debug, trace
+    #
+    #   NOTE: this can be overridden by the environment variable
+    #   `KANIDM_LOG_LEVEL` at runtime
+    #   Defaults to "info"
+    log_level = "{{ .Values.kanidm.log_level }}"
+    #
+    #   The DNS domain name of the server. This is used in a
+    #   number of security-critical contexts
+    #   such as webauthn, so it *must* match your DNS
+    #   hostname. It is used to create
+    #   security principal names such as `william@idm.example.com`
+    #   so that in a (future) trust configuration it is possible
+    #   to have unique Security Principal Names (spns) throughout
+    #   the topology.
+    #
+    #   ⚠️  WARNING ⚠️
+    #
+    #   Changing this value WILL break many types of registered
+    #   credentials for accounts including but not limited to
+    #   webauthn, oauth tokens, and more.
+    #   If you change this value you *must* run
+    #   `kanidmd domain rename` immediately after.
+    domain = "{{ tpl .Values.kanidm.domain $ }}"
+    #
+    #   The origin for webauthn. This is the url to the server,
+    #   with the port included if it is non-standard (any port
+    #   except 443). This must match or be a descendent of the
+    #   domain name you configure above. If these two items are
+    #   not consistent, the server WILL refuse to start!
+    #   origin = "https://idm.example.com"
+    origin = "https://{{ tpl .Values.kanidm.domain $ }}:{{ .Values.service.port }}"
+    #
+    #   HTTPS requests can be reverse proxied by a loadbalancer.
+    #   To preserve the original IP of the caller, these systems
+    #   will often add a header such as "Forwarded" or
+    #   "X-Forwarded-For". Some other proxies can use the PROXY
+    #   protocol v2 header.
+    #   This setting allows configuration of the range of trusted
+    #   IPs which can supply this header information, and which
+    #   format the information is provided in.
+    #   Defaults to "none" (no trusted sources)
+    #   Only one option can be used at a time.
+    # [http_client_address_info]
+    # proxy-v2 = ["127.0.0.1"]
+    #   # OR
+    # x-forward-for = ["127.0.0.1"]
+    #   LDAPS requests can be reverse proxied by a loadbalancer.
+    #   To preserve the original IP of the caller, these systems
+    #   can add a header such as the PROXY protocol v2 header.
+    #   This setting allows configuration of the range of trusted
+    #   IPs which can supply this header information, and which
+    #   format the information is provided in.
+    #   Defaults to "none" (no trusted sources)
+    # [ldap_client_address_info]
+    # proxy-v2 = ["127.0.0.1"]
+    {{- if .Values.kanidmOnlineBackup.enabled }}
+    [online_backup]
+    #   The path to the output folder for online backups
+    path = "{{ .Values.kanidmOnlineBackup.path }}"
+    #   The schedule to run online backups (see https://crontab.guru/)
+    #   every day at 22:00 UTC (default)
+    schedule = "{{ .Values.kanidmOnlineBackup.schedule }}"
+    #    four times a day at 3 minutes past the hour, every 6th hours
+    # schedule = "03 */6 * * *"
+    #   We also support non standard cron syntax, with the following format:
+    #   sec  min   hour   day of month   month   day of week   year
+    #   (it's very similar to the standard cron syntax, it just allows to specify the seconds
+    #   at the beginning and the year at the end)
+    #   Number of backups to keep (default 7)
+    versions = {{ .Values.kanidmOnlineBackup.versions }}
+    {{- end }}

kanidm/templates/deployment.yaml

@@ -0,0 +1,147 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "kanidm.fullname" . }}
+  labels:
+    {{- include "kanidm.labels" . | nindent 4 }}
+spec:
+  {{- if not .Values.autoscaling.enabled }}
+  replicas: {{ .Values.replicaCount }}
+  {{- end }}
+  {{- if .Values.strategy }}
+  strategy:
+  {{ toYaml .Values.strategy | indent 2 }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "kanidm.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+      {{- with .Values.podAnnotations }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "kanidm.labels" . | nindent 8 }}
+        {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "kanidm.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      shareProcessNamespace: true
+      initContainers:
+        - name: {{ .Chart.Name }}-certs
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          command:
+            - bash
+            - -c
+            - kanidmd cert-generate
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          volumeMounts:
+            - name: kanidm-data
+              mountPath: "/data"
+            - name: kanidm-config
+              mountPath: /data/server.toml
+              subPath: server.toml
+          {{- with .Values.volumeMounts }}
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+        - name: {{ .Chart.Name }}-db-pass
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          command:
+            - sh
+            - -c
+            - |
+              /sbin/kanidmd server -c /data/server.toml &
+              serverPID=$!
+              until curl -k --output /dev/null --silent --head --fail https://localhost:{{ .Values.service.port }}; do
+                printf '.'
+                sleep 5
+              done
+
+              echo "##### Start domain upgrade-check"
+              /sbin/kanidmd domain upgrade-check
+              echo "##### Done domain upgrade-check"
+
+              ADMIN_PASS=$(kanidmd recover-account admin 2>/dev/null  | gawk 'match($0, /new_password:(.*)/, a) { gsub(/ |"/, "", a[1]); print a[1]}')
+              IDM_ADMIN_PASS=$(kanidmd recover-account idm_admin 2>/dev/null  | gawk 'match($0, /new_password:(.*)/, a) { gsub(/ |"/, "", a[1]); print a[1]}')
+              kill $serverPID
+              kubectl delete secret kanidm-passwords --ignore-not-found
+              kubectl create secret generic kanidm-passwords --from-literal=admin="$ADMIN_PASS" --from-literal=idm_admin="$IDM_ADMIN_PASS"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          volumeMounts:
+            - name: kanidm-data
+              mountPath: "/data"
+            - name: kanidm-config
+              mountPath: /data/server.toml
+              subPath: server.toml
+          {{- with .Values.volumeMounts }}
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.service.port }}
+              protocol: TCP
+          {{- if .Values.kanidmLdap.enabled }}
+            - name: ldap
+              containerPort: {{ .Values.service.ldap }}
+              protocol: TCP
+          {{- end }}
+          livenessProbe:
+            {{- toYaml .Values.livenessProbe | nindent 12 }}
+          readinessProbe:
+            {{- toYaml .Values.readinessProbe | nindent 12 }}
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          volumeMounts:
+            - name: kanidm-data
+              mountPath: "/data"
+            - name: kanidm-config
+              mountPath: /data/server.toml
+              subPath: server.toml
+          {{- with .Values.volumeMounts }}
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+      volumes:
+        - name: kanidm-data
+          {{- if .Values.persistence.enabled }}
+          persistentVolumeClaim:
+            claimName: {{ .Values.persistence.existingClaim | default (include "kanidm.fullname" .) }}-data
+          {{- else }}
+          emptyDir: {}
+          {{- end }}
+        - name: kanidm-config
+          configMap:
+            name: {{ include "kanidm.fullname" . }}-config
+      {{- with .Values.volumes }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

kanidm/templates/hpa.yaml

@@ -0,0 +1,32 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "kanidm.fullname" . }}
+  labels:
+    {{- include "kanidm.labels" . | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ include "kanidm.fullname" . }}
+  minReplicas: {{ .Values.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+  metrics:
+    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+    {{- end }}
+    {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: memory
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    {{- end }}
+{{- end }}

kanidm/templates/ingress.yaml

@@ -0,0 +1,61 @@
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "kanidm.fullname" . -}}
+{{- $svcPort := .Values.service.port -}}
+{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
+  {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
+  {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
+  {{- end }}
+{{- end }}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+  name: {{ $fullName }}
+  labels:
+    {{- include "kanidm.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+  ingressClassName: {{ .Values.ingress.className }}
+  {{- end }}
+  {{- if .Values.ingress.tls }}
+  tls:
+    {{- range .Values.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- range .Values.ingress.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          {{- range .paths }}
+          - path: {{ .path }}
+            {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
+            pathType: {{ .pathType }}
+            {{- end }}
+            backend:
+              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+              service:
+                name: {{ $fullName }}
+                port:
+                  number: {{ $svcPort }}
+              {{- else }}
+              serviceName: {{ $fullName }}
+              servicePort: {{ $svcPort }}
+              {{- end }}
+          {{- end }}
+    {{- end }}
+{{- end }}

kanidm/templates/pvc.yaml

@@ -0,0 +1,26 @@
+---
+{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: {{ template "kanidm.fullname" . }}-data
+  labels:
+    {{- include "kanidm.labels" . | nindent 4 }}
+{{- if .Values.persistence.annotations }}
+  annotations:
+{{ toYaml .Values.persistence.annotations | indent 4 }}
+{{- end }}
+spec:
+  accessModes:
+    - {{ .Values.persistence.accessMode | quote }}
+  resources:
+    requests:
+      storage: {{ .Values.persistence.size | quote }}
+{{- if .Values.persistence.storageClass }}
+{{- if (eq "-" .Values.persistence.storageClass) }}
+  storageClassName: ""
+{{- else }}
+  storageClassName: "{{ .Values.persistence.storageClass }}"
+{{- end }}
+{{- end }}
+{{- end }}

kanidm/templates/role.yaml

@@ -0,0 +1,26 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "kanidm.fullname" . }}
+  labels:
+    {{- include "kanidm.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["list", "get", "watch", "create", "delete"]
+  - apiGroups: [""]
+    resources: ["pods/exec"]
+    verbs: ["create"]
+  - apiGroups: [""]
+    resources: ["pods/log"]
+    verbs: ["get"]
+  - apiGroups: [""]
+    resources: ["pods/attach"]
+    verbs: ["list", "get", "create", "delete", "update"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["list", "get", "create", "delete", "update"]
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["list", "get", "create", "delete", "update"]

kanidm/templates/rolebinging.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "kanidm.fullname" . }}
+  labels:
+    {{- include "kanidm.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  name: {{ include "kanidm.fullname" . }}
+  kind: Role
+subjects:
+- kind: ServiceAccount
+  name: {{ include "kanidm.fullname" . }}
+  namespace: {{ .Release.Namespace }}

kanidm/templates/service.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "kanidm.fullname" . }}
+  labels:
+    {{- include "kanidm.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+    {{- if .Values.kanidmLdap.enabled }}
+    - port: {{ .Values.service.ldap }}
+      targetPort: ldap
+      protocol: TCP
+      name: ldap
+    {{- end }}
+  selector:
+    {{- include "kanidm.selectorLabels" . | nindent 4 }}

kanidm/templates/serviceaccount.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "kanidm.serviceAccountName" . }}
+  labels:
+    {{- include "kanidm.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
+{{- end }}

kanidm/templates/tests/test-connection.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ include "kanidm.fullname" . }}-test-connection"
+  labels:
+    {{- include "kanidm.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": test
+spec:
+  containers:
+    - name: wget
+      image: busybox
+      command: ['wget']
+      args: ['{{ include "kanidm.fullname" . }}:{{ .Values.service.port }}']
+  restartPolicy: Never

kanidm/values.yaml

@@ -0,0 +1,154 @@
+# Default values for kanidm.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+strategy:
+  type: Recreate
+
+image:
+  repository: gitea.geekhome.org/ghp/kanidm
+  pullPolicy: IfNotPresent
+  # Overrides the image tag whose default is the chart appVersion.
+  tag: "1.6.4-1"
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+kanidm:
+  bindaddress: "[::]:{{ .Values.service.port }}"
+  domain: "idm.example.com"
+  #origin: "https://{{ .Values.kanidm.domain }}:{{ .Values.service.port }}"
+  db_path: "/data/kanidm.db"
+  #db_fs_type: "zfs"
+  #db_arc_size: "2048"
+  tls_chain: "/data/chain.pem"
+  tls_key: "/data/key.pem"
+  log_level: "debug"
+
+kanidmLdap:
+  enabled: false
+  dapbindaddress: "[::]:{{ .Values.service.ldap }}"
+
+kanidmOnlineBackup:
+  enabled: true
+  path: "/data/kanidm/backups/"
+  schedule: "00 22 * * *"
+  versions: "7"
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # Automatically mount a ServiceAccount's API credentials?
+  automount: true
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
+podAnnotations: {}
+podLabels: {}
+
+podSecurityContext: {}
+  # fsGroup: 2000
+
+securityContext: {}
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+  # runAsUser: 1000
+
+service:
+  type: ClusterIP
+  port: 443
+  ldap: 636
+
+ingress:
+  enabled: false
+  className: ""
+  annotations: {}
+    # kubernetes.io/ingress.class: nginx
+    # kubernetes.io/tls-acme: "true"
+  hosts:
+    - host: chart-example.local
+      paths:
+        - path: /
+          pathType: ImplementationSpecific
+  tls: []
+  #  - secretName: chart-example-tls
+  #    hosts:
+  #      - chart-example.local
+
+persistence:
+  enabled: true
+  annotations: {}
+  ## PeerTube data Persistent Volume Storage Class
+  ## If defined, storageClassName: <storageClass>
+  ## If set to "-", storageClassName: "", which disables dynamic provisioning
+  ## If undefined (the default) or set to null, no storageClassName spec is
+  ##   set, choosing the default provisioner.  (gp2 on AWS, standard on
+  ##   GKE, AWS & OpenStack)
+  ##
+  # storageClass: "-"
+
+  ## A manually managed Persistent Volume and Claim
+  ## Requires persistence.enabled: true
+  ## If defined, PVC must be created manually before volume will be bound
+  # existingClaim:
+
+  accessMode: ReadWriteOnce
+  size: 1Gi
+
+resources: {}
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+
+livenessProbe:
+  httpGet:
+    scheme: HTTPS
+    path: /status
+    port: http
+readinessProbe:
+  httpGet:
+    scheme: HTTPS
+    path: /status
+    port: http
+
+autoscaling:
+  enabled: false
+  minReplicas: 1
+  maxReplicas: 100
+  targetCPUUtilizationPercentage: 80
+  # targetMemoryUtilizationPercentage: 80
+
+# Additional volumes on the output Deployment definition.
+volumes: []
+# - name: foo
+#   secret:
+#     secretName: mysecret
+#     optional: false
+
+# Additional volumeMounts on the output Deployment definition.
+volumeMounts: []
+# - name: foo
+#   mountPath: "/etc/foo"
+#   readOnly: true
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}

mastodon/.github/workflows/test-chart.yml

@@ -17,7 +17,7 @@ permissions:
 
 jobs:
   lint-templates:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
 
     steps:
       - uses: actions/checkout@v3
@@ -53,7 +53,7 @@ jobs:
   # basic configuration can be used to successfully startup mastodon.
   #
   test-install:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 15
 
     strategy:
@@ -75,7 +75,7 @@ jobs:
           # available for use in the templates, currently we need v3.6.0 or
           # higher.
           #
-          - k3s-channel: v1.21
+          - k3s-channel: v1.28
             helm-version: v3.8.0
 
     env:
@@ -109,7 +109,7 @@ jobs:
         run: |
           helm install mastodon . \
               --values dev-values.yaml \
-              --timeout 10m
+              --timeout 15m
 
       # This actions provides a report about the state of the k8s cluster,
       # providing logs etc on anything that has failed and workloads marked as
@@ -125,7 +125,5 @@ jobs:
             deploy/mastodon-sidekiq
             deploy/mastodon-streaming
             deploy/mastodon-web
-            job/mastodon-assets-precompile
-            job/mastodon-chewy-upgrade
             job/mastodon-create-admin
             job/mastodon-db-migrate

mastodon/.gitignore

@@ -1 +1,2 @@
 charts/
+.DS_Store

mastodon/CHANGELOG.md

@@ -1,3 +1,138 @@
+# 6.5.0
+
+Updated the Mastodon version to v4.4.1. Please read the [4.4.0 release notes](https://github.com/mastodon/mastodon/releases/tag/v4.4.0) before updating from a version < 4.4. In particular:
+- Redis & Postgres minimum versions have been bumped to 6.2 and 13 respectively
+- Redis namespace support has been dropped
+- No-downtime updates from versions before 4.3.0 are not supported
+- Elasticsearch mappings need to be updated manually via `tootctl` after deploying this new version
+- The new experimental Fediverse Auxiliary Service (`fasp`) Sidekiq queue needs to be added to the list of processed queues if you changed the default Sidekiq values
+
+# 6.4.0
+
+- Added configuration for [bulk SMTP](https://docs.joinmastodon.org/admin/config/#optional-bulk-email-settings):
+```yaml
+mastodon:
+  smtp:
+    bulk:
+```
+
+# 6.3.4
+
+- Updated the Mastodon version to v4.3.9
+
+# 6.3.3
+
+- Updated the Mastodon version to v4.3.8
+
+# 6.3.2
+
+- No longer sets `DEFAULT_LOCALE` to `en` by default; leaves this value unset.
+
+# 6.3.1
+
+- Removed DB_POOL from the ConfigMap as we should never have to override this.
+
+# 6.3.0
+
+- Added `nodeSelector` fields for every resource type for better fine-grain tuning of where resources end up.
+
+# 6.2.4
+
+- Fixed an issue where redis secrets specified in values or the helm CLI wouldn't be used by the db-prepare job on install.
+
+# 6.2.3
+
+- Updated the Mastodon version to v4.3.7
+
+# 6.2.2
+
+-  `app.kubernetes.io/version` shortens any potential digest hash to 7 characters to avoid hitting the 63 character label limit.
+
+# 6.2.1
+
+- Fixed some situations where disabling all bitnami charts caused it to error.
+- Fixed a potential null postgresql host value error.
+
+# 6.2.0
+
+- Added ability to add pod labels to pods created from Deployment objects at the global level
+
+# 6.1.1
+
+- Updated the Mastodon version to v4.3.6
+
+# 6.1.0
+
+- Added a new job to re/build elasticsearch indices as a post-upgrade hook:
+```yaml
+mastodon:
+  hooks:
+    deploySearch:
+```
+
+# 6.0.3
+
+- Updated the Mastodon version to v4.3.5
+
+# 6.0.2
+
+- Helm version tagging now utilizes `.Values.image.tag` when set.
+
+# 6.0.1
+
+- Added additional values to separate out `db:prepare` and `db:migrate` jobs and whether they should run:
+```yaml
+mastodon:
+  hooks:
+    dbPrepare:
+      enabled: true
+    dbMigrate:
+      enabled: true
+```
+
+# 6.0.0
+
+### !! BREAKING CHANGES !!
+- Services for web & streaming now use `ipFamilyPolicy: PreferDualStack`. This will cause upgrades on existing deployments to fail, as kubernetes cannot patch this field. Please remove both service objects before running `helm upgrade` (services are `mastodon-web` and `mastodon-streaming` by default).
+
+### Features
+- Added prometheus metrics config for web and sidekiq pods (feature will be available with Mastodon v4.4).
+```yaml
+mastodon:
+  metrics:
+    prometheus:
+```
+- Added ability to automatically upload assets to an S3 bucket:
+```yaml
+mastodon:
+  hooks:
+    s3Upload:
+```
+- Added OpenTelemetry metrics:
+```yaml
+mastodon:
+  otel:
+---
+mastodon:
+  sidekiq:
+    otel:
+---
+mastodon:
+  web:
+    otel:
+```
+- Fine-grained control of labels and annotations for both pods and deployments.
+- Additional redis options for separate instances (app, sidekiq, cache).
+- Configurable PodDisruptionBudgets for web and streaming pods.
+
+### Fixes
+- Various database migrations fixes
+  - Fixed first-time install DB setup on self-managed databases
+  - Fixed running migrations through a connection pooler.
+- Removed old, unused jobs:
+  - chewy upgrade (use `tootctl search deploy` instead)
+  - assets precompile
+
 # 5.1.0
 
 - Added values for Active Record Encryption in Redis:

mastodon/Chart.yaml

@@ -15,12 +15,12 @@ type: application
 # This is the chart version. This version number should be incremented each time
 # you make changes to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 5.1.7
+version: 6.5.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: v4.2.19
+appVersion: "v4.4.2"
 
 dependencies:
   - name: elasticsearch

mastodon/templates/_db-migrate.tpl

@@ -0,0 +1,111 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Spec template for DB migration pre- and post-install/upgrade jobs.
+*/}}
+{{- define "mastodon.dbMigrateJob" -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  {{- if .prepare }}
+  name: {{ include "mastodon.fullname" . }}-db-prepare
+  {{- else if .preDeploy }}
+  name: {{ include "mastodon.fullname" . }}-db-pre-migrate
+  {{- else }}
+  name: {{ include "mastodon.fullname" . }}-db-post-migrate
+  {{- end }}
+  labels:
+    {{- include "mastodon.labels" . | nindent 4 }}
+  annotations:
+    {{- if .prepare }}
+    "helm.sh/hook": pre-install
+    {{- else if .preDeploy }}
+    "helm.sh/hook": pre-upgrade
+    {{- else }}
+    "helm.sh/hook": post-install,post-upgrade
+    {{- end }}
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    {{- if .prepare }}
+    "helm.sh/hook-weight": "-3"
+    {{- else }}
+    "helm.sh/hook-weight": "-2"
+    {{- end }}
+spec:
+  template:
+    metadata:
+      name: {{ include "mastodon.fullname" . }}-db-migrate
+      {{- with .Values.jobAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    spec:
+      restartPolicy: Never
+      containers:
+        - name: {{ include "mastodon.fullname" . }}-db-migrate
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          command:
+            - bundle
+            - exec
+            - rake
+            {{- if .prepare }}
+            - db:prepare
+            {{- else }}
+            - db:migrate
+            {{- end }}
+          envFrom:
+            - secretRef:
+                name: {{ template "mastodon.secretName" . }}
+          env:
+            - name: "DB_HOST"
+              value: {{ template "mastodon.postgres.direct.host" . }}
+            - name: "DB_PORT"
+              value: {{ template "mastodon.postgres.direct.port" . }}
+            - name: "DB_NAME"
+              value: {{ template "mastodon.postgres.direct.database" . }}
+            - name: "DB_USER"
+              value: {{ .Values.postgresql.auth.username }}
+            - name: "DB_PASS"
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "mastodon.postgresql.secretName" . }}
+                  key: password
+            - name: "REDIS_HOST"
+              value: {{ template "mastodon.redis.host" . }}
+            - name: "REDIS_PORT"
+              value: {{ .Values.redis.port | default "6379" | quote }}
+            {{- if .Values.redis.sidekiq.enabled }}
+            {{- if .Values.redis.sidekiq.hostname }}
+            - name: SIDEKIQ_REDIS_HOST
+              value: {{ .Values.redis.sidekiq.hostname }}
+            {{- end }}
+            {{- if .Values.redis.sidekiq.port }}
+            - name: SIDEKIQ_REDIS_PORT
+              value: {{ .Values.redis.sidekiq.port | quote }}
+            {{- end }}
+            {{- end }}
+            {{- if .Values.redis.cache.enabled }}
+            {{- if .Values.redis.cache.hostname }}
+            - name: CACHE_REDIS_HOST
+              value: {{ .Values.redis.cache.hostname }}
+            {{- end }}
+            {{- if .Values.redis.cache.port }}
+            - name: CACHE_REDIS_PORT
+              value: {{ .Values.redis.cache.port | quote }}
+            {{- end }}
+            {{- end }}
+            - name: "REDIS_DRIVER"
+              value: "ruby"
+            - name: "REDIS_PASSWORD"
+              valueFrom:
+                secretKeyRef:
+                  {{- if and (.prepare) (not .Values.redis.enabled) (not .Values.redis.auth.existingSecret) (not .Values.redis.existingSecret) (.Values.redis.auth.password) }}
+                  name: {{ template "mastodon.redis.secretName" . }}-pre-install
+                  {{- else }}
+                  name: {{ template "mastodon.redis.secretName" . }}
+                  {{- end }}
+                  key: redis-password
+          {{- if .preDeploy }}
+            - name: "SKIP_POST_DEPLOYMENT_MIGRATIONS"
+              value: "true"
+          {{- end }}
+{{- end }}

mastodon/templates/_helpers.tpl

@@ -47,7 +47,9 @@ Common labels
 helm.sh/chart: {{ include "mastodon.chart" . }}
 {{ include "mastodon.selectorLabels" . }}
 {{ include "mastodon.globalLabels" . }}
-{{- if .Chart.AppVersion }}
+{{- if .Values.image.tag }}
+app.kubernetes.io/version: {{ regexReplaceAll "@(\\w+:\\w{0,7})\\w*" .Values.image.tag "@${1}" | quote }}
+{{- else if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
@@ -90,7 +92,7 @@ Create the name of the assets persistent volume to use
 {{- if .Values.mastodon.persistence.assets.existingClaim }}
     {{- printf "%s" (tpl .Values.mastodon.persistence.assets.existingClaim $) -}}
 {{- else -}}
-    {{- printf "%s-assets" (include "common.names.fullname" .) -}}
+    {{- printf "%s-assets" (include "mastodon.fullname" .) -}}
 {{- end -}}
 {{- end -}}
 
@@ -101,7 +103,7 @@ Create the name of the system persistent volume to use
 {{- if .Values.mastodon.persistence.system.existingClaim }}
     {{- printf "%s" (tpl .Values.mastodon.persistence.system.existingClaim $) -}}
 {{- else -}}
-    {{- printf "%s-system" (include "common.names.fullname" .) -}}
+    {{- printf "%s-system" (include "mastodon.fullname" .) -}}
 {{- end -}}
 {{- end -}}
 
@@ -121,6 +123,60 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- printf "%s-%s" .Release.Name "postgresql" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
+{{/*
+Establish which values we will use for remote connections
+*/}}
+{{- define "mastodon.postgres.host" -}}
+{{- if .Values.postgresql.enabled }}
+{{- printf "%s" (include "mastodon.postgresql.fullname" .) -}}
+{{- else }}
+{{- printf "%s" (required "When the postgresql chart is disabled .Values.postgresql.postgresqlHostname is required" .Values.postgresql.postgresqlHostname) -}}
+{{- end }}
+{{- end }}
+
+{{- define "mastodon.postgres.port" -}}
+{{- if .Values.postgresql.enabled }}
+{{- printf "%d" 5432 | int | quote -}}
+{{- else }}
+{{- printf "%d" | default 5432 .Values.postgresql.postgresqlPort | int | quote -}}
+{{- end }}
+{{- end }}
+
+{{/*
+Establish which values we will use for direct remote DB connections
+*/}}
+{{- define "mastodon.postgres.direct.host" -}}
+{{- if .Values.postgresql.direct.hostname }}
+{{- printf "%s" .Values.postgresql.direct.hostname -}}
+{{- else }}
+{{- printf "%s" (include "mastodon.postgres.host" .) -}}
+{{- end }}
+{{- end }}
+
+{{- define "mastodon.postgres.direct.port" -}}
+{{- if .Values.postgresql.direct.port }}
+{{- printf "%d" (int .Values.postgresql.direct.port) | quote -}}
+{{- else }}
+{{- printf "%s" (include "mastodon.postgres.port" .) -}}
+{{- end }}
+{{- end }}
+
+{{- define "mastodon.postgres.direct.database" -}}
+{{- if .Values.postgresql.direct.database }}
+{{- printf "%s" .Values.postgresql.direct.database -}}
+{{- else }}
+{{- printf "%s" .Values.postgresql.auth.database -}}
+{{- end }}
+{{- end }}
+
+{{- define "mastodon.redis.host" -}}
+{{- if .Values.redis.enabled }}
+{{- printf "%s-%s" (include "mastodon.redis.fullname" .) "master" -}}
+{{- else }}
+{{- printf "%s" (required "When the redis chart is disabled .Values.redis.hostname is required" .Values.redis.hostname) -}}
+{{- end }}
+{{- end }}
+
 {{/*
 Get the mastodon secret.
 */}}
@@ -133,7 +189,7 @@ Get the mastodon secret.
 {{- end -}}
 
 {{/*
-Get the smtp secret.
+Get the smtp secrets.
 */}}
 {{- define "mastodon.smtp.secretName" -}}
 {{- if .Values.mastodon.smtp.existingSecret }}
@@ -143,6 +199,14 @@ Get the smtp secret.
 {{- end -}}
 {{- end -}}
 
+{{- define "mastodon.smtp.bulk.secretName" -}}
+{{- if .Values.mastodon.smtp.bulk.existingSecret }}
+    {{- printf "%s" (tpl .Values.mastodon.smtp.bulk.existingSecret $) -}}
+{{- else -}}
+    {{- printf "%s-smtp-bulk" (include "mastodon.fullname" .) -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Get the postgresql secret.
 */}}
@@ -214,18 +278,6 @@ Return true if a mastodon secret object should be created
 {{- end -}}
 {{- end -}}
 
-{{/*
-Find highest number of needed database connections to set DB_POOL variable
-*/}}
-{{- define "mastodon.maxDbPool" -}}
-{{/* Default MAX_THREADS for Puma is 5 */}}
-{{- $poolSize := 5 }}
-{{- range .Values.mastodon.sidekiq.workers }}
-{{- $poolSize = max $poolSize .concurrency }}
-{{- end }}
-{{- $poolSize | quote }}
-{{- end }}
-
 {{/*
 Full hostname for a custom Elasticsearch cluster
 */}}

mastodon/templates/_secrets.tpl

@@ -0,0 +1,65 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Spec template for mastodon secrets object.
+*/}}
+{{- define "mastodon.secrets.object" -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "mastodon.fullname" . }}
+  labels:
+    {{- include "mastodon.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-install
+    "helm.sh/hook-weight": "-4"
+type: Opaque
+data:
+  {{- if .Values.mastodon.s3.enabled }}
+  {{- if not .Values.mastodon.s3.existingSecret }}
+  AWS_ACCESS_KEY_ID: "{{ .Values.mastodon.s3.access_key | b64enc }}"
+  AWS_SECRET_ACCESS_KEY: "{{ .Values.mastodon.s3.access_secret | b64enc }}"
+  {{- end }}
+  {{- end }}
+  {{- if not .Values.mastodon.secrets.existingSecret }}
+  {{- if not (empty .Values.mastodon.secrets.secret_key_base) }}
+  SECRET_KEY_BASE: "{{ .Values.mastodon.secrets.secret_key_base | b64enc }}"
+  {{- else }}
+  SECRET_KEY_BASE: {{ required "secret_key_base is required" .Values.mastodon.secrets.secret_key_base }}
+  {{- end }}
+  {{- if not (empty .Values.mastodon.secrets.otp_secret) }}
+  OTP_SECRET: "{{ .Values.mastodon.secrets.otp_secret | b64enc }}"
+  {{- else }}
+  OTP_SECRET: {{ required "otp_secret is required" .Values.mastodon.secrets.otp_secret }}
+  {{- end }}
+  {{- if not (empty .Values.mastodon.secrets.vapid.private_key) }}
+  VAPID_PRIVATE_KEY: "{{ .Values.mastodon.secrets.vapid.private_key | b64enc }}"
+  {{- else }}
+  VAPID_PRIVATE_KEY: {{ required "vapid.private_key is required" .Values.mastodon.secrets.vapid.private_key }}
+  {{- end }}
+  {{- if not (empty .Values.mastodon.secrets.vapid.public_key) }}
+  VAPID_PUBLIC_KEY: "{{ .Values.mastodon.secrets.vapid.public_key | b64enc }}"
+  {{- else }}
+  VAPID_PUBLIC_KEY: {{ required "vapid.public_key is required" .Values.mastodon.secrets.vapid.public_key }}
+  {{- end }}
+  {{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.primaryKey) }}
+  ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: "{{ .Values.mastodon.secrets.activeRecordEncryption.primaryKey | b64enc }}"
+  {{- else }}
+  ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: {{ required "activeRecordEncryption.primaryKey is required" .Values.mastodon.secrets.activeRecordEncryption.primaryKey }}
+  {{- end }}
+  {{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.deterministicKey) }}
+  ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: "{{ .Values.mastodon.secrets.activeRecordEncryption.deterministicKey | b64enc }}"
+  {{- else }}
+  ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: {{ required "activeRecordEncryption.deterministicKey is required" .Values.mastodon.secrets.activeRecordEncryption.deterministicKey }}
+  {{- end }}
+  {{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt) }}
+  ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: "{{ .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt | b64enc }}"
+  {{- else }}
+  ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: {{ required "activeRecordEncryption.keyDerivationSalt is required" .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt }}
+  {{- end }}
+  {{- end }}
+  {{- if not .Values.postgresql.enabled }}
+  {{- if not .Values.postgresql.auth.existingSecret }}
+  password: "{{ .Values.postgresql.auth.password | b64enc }}"
+  {{- end }}
+  {{- end }}
+{{- end }}

mastodon/templates/configmap-env.yaml

@@ -5,21 +5,15 @@ metadata:
   labels:
     {{- include "mastodon.labels" . | nindent 4 }}
 data:
-  {{- if .Values.postgresql.enabled }}
+  DB_HOST: {{ template "mastodon.postgres.host" . }}
-  DB_HOST: {{ template "mastodon.postgresql.fullname" . }}
+  DB_PORT: {{ template "mastodon.postgres.port" . }}
-  DB_PORT: "5432"
-  {{- else }}
-  DB_HOST: {{ .Values.postgresql.postgresqlHostname }}
-  DB_PORT: {{ .Values.postgresql.postgresqlPort | default "5432" | quote }}
-  {{- end }}
   DB_NAME: {{ .Values.postgresql.auth.database }}
-  DB_POOL: {{ include "mastodon.maxDbPool" . }}
   DB_USER: {{ .Values.postgresql.auth.username }}
   {{- if .Values.postgresql.readReplica.hostname }}
   REPLICA_DB_HOST: {{ .Values.postgresql.readReplica.hostname }}
   {{- end }}
   {{- if .Values.postgresql.readReplica.port }}
-  REPLICA_DB_PORT: {{ .Values.postgresql.readReplica.port }}
+  REPLICA_DB_PORT: {{ .Values.postgresql.readReplica.port | quote }}
   {{- end }}
   {{- if .Values.postgresql.readReplica.auth.database }}
   REPLICA_DB_NAME: {{ .Values.postgresql.readReplica.auth.database }}
@@ -31,7 +25,9 @@ data:
   REPLICA_DB_PASS: {{ .Values.postgresql.readReplica.auth.password }}
   {{- end }}
   PREPARED_STATEMENTS: {{ .Values.mastodon.preparedStatements | quote }}
+  {{- if .Values.mastodon.locale }}
   DEFAULT_LOCALE: {{ .Values.mastodon.locale }}
+  {{- end }}
   {{- if .Values.elasticsearch.enabled }}
   ES_ENABLED: "true"
   ES_PRESET: {{ .Values.elasticsearch.preset | default "single_node_cluster" | quote }}
@@ -66,11 +62,7 @@ data:
   MALLOC_ARENA_MAX: "2"
   NODE_ENV: "production"
   RAILS_ENV: "production"
-  {{- if .Values.redis.enabled }}
+  REDIS_HOST: {{ template "mastodon.redis.host" . }}
-  REDIS_HOST: {{ template "mastodon.redis.fullname" . }}-master
-  {{- else }}
-  REDIS_HOST: {{ required "When the redis chart is disabled .Values.redis.hostname is required" .Values.redis.hostname }}
-  {{- end }}
   REDIS_PORT: {{ .Values.redis.port | default "6379" | quote }}
   {{- if .Values.redis.sidekiq.enabled }}
   {{- if .Values.redis.sidekiq.hostname }}
@@ -137,10 +129,10 @@ data:
   SMTP_ENABLE_STARTTLS_AUTO: {{ . | quote }}
   {{- end }}
   {{- with .Values.mastodon.smtp.from_address }}
-  SMTP_FROM_ADDRESS: {{ . }}
+  SMTP_FROM_ADDRESS: {{ . | quote }}
   {{- end }}
   {{- with .Values.mastodon.smtp.return_path }}
-  SMTP_RETURN_PATH: {{ . }}
+  SMTP_RETURN_PATH: {{ . | quote }}
   {{- end }}
   {{- with .Values.mastodon.smtp.openssl_verify_mode }}
   SMTP_OPENSSL_VERIFY_MODE: {{ . }}
@@ -149,7 +141,7 @@ data:
   SMTP_PORT: {{ . | quote }}
   {{- end }}
   {{- with .Values.mastodon.smtp.reply_to }}
-  SMTP_REPLY_TO: {{ . }}
+  SMTP_REPLY_TO: {{ . | quote }}
   {{- end }}
   {{- with .Values.mastodon.smtp.server }}
   SMTP_SERVER: {{ . }}
@@ -157,10 +149,45 @@ data:
   {{- with .Values.mastodon.smtp.tls }}
   SMTP_TLS: {{ . | quote }}
   {{- end }}
+  {{- if .Values.mastodon.smtp.bulk.enabled }}
+  {{- with .Values.mastodon.smtp.bulk.auth_method }}
+  BULK_SMTP_AUTH_METHOD: {{ . }}
+  {{- end }}
+  {{- with .Values.mastodon.smtp.bulk.ca_file }}
+  BULK_SMTP_CA_FILE: {{ . }}
+  {{- end }}
+  {{- with .Values.mastodon.smtp.bulk.domain }}
+  BULK_SMTP_DOMAIN: {{ . }}
+  {{- end }}
+  {{- with .Values.mastodon.smtp.bulk.enable_starttls }}
+  BULK_SMTP_ENABLE_STARTTLS: {{ . | quote }}
+  {{- end }}
+  {{- with .Values.mastodon.smtp.bulk.enable_starttls_auto }}
+  BULK_SMTP_ENABLE_STARTTLS_AUTO: {{ . | quote }}
+  {{- end }}
+  {{- with .Values.mastodon.smtp.bulk.from_address }}
+  BULK_SMTP_FROM_ADDRESS: {{ . | quote }}
+  {{- end }}
+  {{- with .Values.mastodon.smtp.bulk.openssl_verify_mode }}
+  BULK_SMTP_OPENSSL_VERIFY_MODE: {{ . }}
+  {{- end }}
+  {{- with .Values.mastodon.smtp.bulk.port }}
+  BULK_SMTP_PORT: {{ . | quote }}
+  {{- end }}
+  {{- with .Values.mastodon.smtp.bulk.server }}
+  BULK_SMTP_SERVER: {{ . }}
+  {{- end }}
+  {{- with .Values.mastodon.smtp.bulk.tls }}
+  BULK_SMTP_TLS: {{ . | quote }}
+  {{- end }}
+  {{- end }}
   STREAMING_CLUSTER_NUM: {{ .Values.mastodon.streaming.workers | quote }}
   {{- with .Values.mastodon.streaming.base_url }}
   STREAMING_API_BASE_URL: {{ . | quote }}
   {{- end }}
+  {{- if .Values.mastodon.trusted_proxy_ip }}
+  TRUSTED_PROXY_IP: {{ .Values.mastodon.trusted_proxy_ip }}
+  {{ end }}
   {{- if .Values.externalAuth.oidc.enabled }}
   OIDC_ENABLED: {{ .Values.externalAuth.oidc.enabled | quote }}
   OIDC_DISPLAY_NAME: {{ .Values.externalAuth.oidc.display_name }}

mastodon/templates/cronjob-media-remove.yaml

@@ -107,4 +107,8 @@ spec:
                 - name: system
                   mountPath: /opt/mastodon/public/system
               {{- end }}
+          {{- with coalesce .Values.mastodon.cron.removeMedia.nodeSelector .Values.nodeSelector }}
+          nodeSelector:
+            {{- . | toYaml | nindent 12 }}
+          {{- end }}
 {{- end }}

mastodon/templates/deployment-sidekiq.yaml

@@ -7,19 +7,26 @@ metadata:
   name: {{ include "mastodon.fullname" $context }}-sidekiq-{{ .name }}
   labels:
     {{- include "mastodon.labels" $context | nindent 4 }}
+    {{- with $context.Values.mastodon.sidekiq.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
     app.kubernetes.io/component: sidekiq-{{ .name }}
     app.kubernetes.io/part-of: rails
   annotations:
     {{- with $context.Values.deploymentAnnotations }}
     {{- toYaml . | nindent 4 }}
     {{- end }}
+    {{- with $context.Values.mastodon.sidekiq.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 spec:
   {{- if (has "scheduler" .queues) }}
     {{- if (gt (int .replicas) 1) }}
       {{ fail "The scheduler queue should never have more than 1 replicas" }}
     {{- end }}
-  strategy:
+  {{- end }}
-    type: Recreate
+  {{- if $context.Values.mastodon.sidekiq.updateStrategy }}
+  strategy: {{- toYaml $context.Values.mastodon.sidekiq.updateStrategy | nindent 4 }}
   {{- end }}
   replicas: {{ .replicas }}
   {{- if (ne (toString $context.Values.mastodon.revisionHistoryLimit) "<nil>") }}
@@ -36,6 +43,9 @@ spec:
         {{- with $context.Values.podAnnotations }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
+        {{- with $context.Values.mastodon.sidekiq.podAnnotations }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
         # roll the pods to pick up any db migrations or other changes
         {{- include "mastodon.rollingPodAnnotations" $context | nindent 8 }}
         checksum/config-secrets-smtp: {{ include ( print $.Template.BasePath "/secret-smtp.yaml" ) $context | sha256sum | quote }}
@@ -43,6 +53,12 @@ spec:
         {{- include "mastodon.globalLabels" $context | nindent 8 }}
         {{- include "mastodon.selectorLabels" $context | nindent 8 }}
         {{- include "mastodon.statsdExporterLabels" $context | nindent 8 }}
+        {{- with $context.Values.mastodon.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+        {{- with $context.Values.mastodon.sidekiq.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
         app.kubernetes.io/component: sidekiq-{{ .name }}
         app.kubernetes.io/part-of: rails
     spec:
@@ -159,6 +175,20 @@ spec:
                   name: {{ include "mastodon.smtp.secretName" $context }}
                   key: password
                   optional: true
+            {{- if $context.Values.mastodon.smtp.bulk.enabled }}
+            - name: "BULK_SMTP_LOGIN"
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "mastodon.smtp.bulk.secretName" $context }}
+                  key: login
+                  optional: true
+            - name: "BULK_SMTP_PASSWORD"
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "mastodon.smtp.bulk.secretName" $context }}
+                  key: password
+                  optional: true
+            {{- end }}
             {{- if (and $context.Values.mastodon.s3.enabled $context.Values.mastodon.s3.existingSecret) }}
             - name: "AWS_SECRET_ACCESS_KEY"
               valueFrom:
@@ -185,6 +215,33 @@ spec:
                   name: {{ $context.Values.mastodon.cacheBuster.authToken.existingSecret }}
                   key: password
             {{- end }}
+            {{- if or $context.Values.mastodon.sidekiq.otel.enabled (and $context.Values.mastodon.otel.enabled (ne $context.Values.mastodon.sidekiq.otel.enabled false)) }}
+            - name: OTEL_EXPORTER_OTLP_ENDPOINT
+              value: {{ coalesce $context.Values.mastodon.sidekiq.otel.endpointUri $context.Values.mastodon.otel.endpointUri }}
+            - name: OTEL_SERVICE_NAME_PREFIX
+              value: {{ coalesce $context.Values.mastodon.sidekiq.otel.namePrefix $context.Values.mastodon.otel.namePrefix }}
+            - name: OTEL_SERVICE_NAME_SEPARATOR
+              value: "{{ coalesce $context.Values.mastodon.sidekiq.otel.nameSeparator $context.Values.mastodon.otel.nameSeparator }}"
+            {{- end }}
+            {{- if $context.Values.mastodon.metrics.prometheus.enabled }}
+            - name: MASTODON_PROMETHEUS_EXPORTER_ENABLED
+              value: "true"
+            - name: MASTODON_PROMETHEUS_EXPORTER_LOCAL
+              value: "true"
+            - name: MASTODON_PROMETHEUS_EXPORTER_HOST
+              value: "0.0.0.0"
+            - name: MASTODON_PROMETHEUS_EXPORTER_PORT
+              value: "{{ $context.Values.mastodon.metrics.prometheus.port }}"
+            {{- if $context.Values.mastodon.metrics.prometheus.sidekiq.detailed }}
+            - name: MASTODON_PROMETHEUS_EXPORTER_SIDEKIQ_DETAILED_METRICS
+              value: "true"
+            {{- end }}
+            {{- end }}
+          {{- if $context.Values.mastodon.metrics.prometheus.enabled }}
+          ports:
+            - name: prometheus
+              containerPort: {{ $context.Values.mastodon.metrics.prometheus.port }}
+          {{- end }}
           volumeMounts:
           {{- if (not $context.Values.mastodon.s3.enabled) }}
             - name: assets
@@ -200,12 +257,24 @@ spec:
           {{- with $context.Values.volumeMounts }}
             {{- toYaml . | nindent 12 }}
           {{- end }}
+          {{- if $context.Values.mastodon.sidekiq.readinessProbe.enabled }}
+          readinessProbe:
+            failureThreshold: {{ default 10 $context.Values.mastodon.sidekiq.readinessProbe.failureThreshold }}
+            exec:
+              command:
+              - cat
+              - {{ required "A valid sidekiq readiness path is required." $context.Values.mastodon.sidekiq.readinessProbe.path }}
+            initialDelaySeconds: {{ default 10 $context.Values.mastodon.sidekiq.readinessProbe.initialDelaySeconds }}
+            periodSeconds: {{ default 2 $context.Values.mastodon.sidekiq.readinessProbe.periodSeconds }}
+            successThreshold: {{ default 1 $context.Values.mastodon.sidekiq.readinessProbe.successThreshold }}
+            timeoutSeconds: {{ default 1 $context.Values.mastodon.sidekiq.readinessProbe.timeoutSeconds }}
+          {{- end }}
           resources:
             {{- toYaml (default (default $context.Values.resources $context.Values.mastodon.sidekiq.resources) .resources) | nindent 12 }}
       {{- include "mastodon.statsdExporterContainer" $ | indent 8 }}
-      {{- with $context.Values.nodeSelector }}
+      {{- with coalesce .nodeSelector $context.Values.mastodon.sidekiq.nodeSelector $context.Values.nodeSelector }}
       nodeSelector:
-        {{- toYaml . | nindent 8 }}
+        {{- . | toYaml | nindent 8 }}
       {{- end }}
       {{- with $context.Values.tolerations }}
       tolerations:

mastodon/templates/deployment-streaming.yaml

@@ -4,8 +4,14 @@ metadata:
   name: {{ include "mastodon.fullname" . }}-streaming
   labels:
     {{- include "mastodon.labels" . | nindent 4 }}
+    {{- with .Values.mastodon.streaming.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
   annotations:
-    {{- with (default .Values.deploymentAnnotations .Values.mastodon.streaming.deploymentAnnotations) }}
+    {{- with .Values.deploymentAnnotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.mastodon.streaming.annotations }}
     {{- toYaml . | nindent 4 }}
     {{- end }}
 spec:
@@ -13,6 +19,9 @@ spec:
   {{- if (ne (toString .Values.mastodon.revisionHistoryLimit) "<nil>") }}
   revisionHistoryLimit: {{ .Values.mastodon.revisionHistoryLimit }}
   {{- end }}
+  {{- if .Values.mastodon.streaming.updateStrategy }}
+  strategy: {{- toYaml .Values.mastodon.streaming.updateStrategy | nindent 4 }}
+  {{- end }}
   selector:
     matchLabels:
       {{- include "mastodon.selectorLabels" . | nindent 6 }}
@@ -20,7 +29,10 @@ spec:
   template:
     metadata:
       annotations:
-        {{- with (default .Values.podAnnotations .Values.mastodon.streaming.podAnnotations) }}
+        {{- with .Values.podAnnotations }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+        {{- with .Values.mastodon.streaming.podAnnotations }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
         # roll the pods to pick up any db migrations or other changes
@@ -28,6 +40,12 @@ spec:
       labels:
         {{- include "mastodon.globalLabels" . | nindent 8 }}
         {{- include "mastodon.selectorLabels" . | nindent 8 }}
+        {{- with .Values.mastodon.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+        {{- with .Values.mastodon.streaming.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
         app.kubernetes.io/component: streaming
     spec:
       {{- with .Values.imagePullSecrets }}
@@ -55,7 +73,7 @@ spec:
           securityContext:
             {{- toYaml . | nindent 12 }}
           {{- end }}
-          image: "{{ coalesce .Values.mastodon.streaming.image.repository .Values.image.repository }}:{{ coalesce .Values.mastodon.streaming.image.tag .Values.image.tag .Chart.AppVersion }}"
+          image: "{{ .Values.mastodon.streaming.image.repository }}:{{ coalesce .Values.mastodon.streaming.image.tag .Values.image.tag .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           command:
             - node
@@ -135,13 +153,20 @@ spec:
             httpGet:
               path: /api/v1/streaming/health
               port: streaming
+          startupProbe:
+            httpGet:
+              path: /api/v1/streaming/health
+              port: streaming
+            initialDelaySeconds: 5
+            failureThreshold: 15
+            periodSeconds: 5
           {{- with (default .Values.resources .Values.mastodon.streaming.resources) }}
           resources:
             {{- toYaml . | nindent 12 }}
           {{- end }}
-      {{- with .Values.nodeSelector }}
+      {{- with coalesce .Values.mastodon.streaming.nodeSelector .Values.nodeSelector }}
       nodeSelector:
-        {{- toYaml . | nindent 8 }}
+        {{- . | toYaml | nindent 8 }}
       {{- end }}
       {{- with (default .Values.affinity .Values.mastodon.streaming.affinity) }}
       affinity:

mastodon/templates/deployment-web.yaml

@@ -4,8 +4,14 @@ metadata:
   name: {{ include "mastodon.fullname" . }}-web
   labels:
     {{- include "mastodon.labels" . | nindent 4 }}
+    {{- with .Values.mastodon.web.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
   annotations:
-    {{- with (default .Values.deploymentAnnotations .Values.mastodon.web.deploymentAnnotations) }}
+    {{- with .Values.deploymentAnnotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.mastodon.web.annotations }}
     {{- toYaml . | nindent 4 }}
     {{- end }}
 spec:
@@ -13,6 +19,9 @@ spec:
   {{- if (ne (toString .Values.mastodon.revisionHistoryLimit) "<nil>") }}
   revisionHistoryLimit: {{ .Values.mastodon.revisionHistoryLimit }}
   {{- end }}
+  {{- if .Values.mastodon.web.updateStrategy }}
+  strategy: {{- toYaml .Values.mastodon.web.updateStrategy | nindent 4 }}
+  {{- end }}
   selector:
     matchLabels:
       {{- include "mastodon.selectorLabels" . | nindent 6 }}
@@ -21,7 +30,10 @@ spec:
   template:
     metadata:
       annotations:
-        {{- with (default .Values.podAnnotations .Values.mastodon.web.podAnnotations) }}
+        {{- with .Values.podAnnotations }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+        {{- with .Values.mastodon.web.podAnnotations }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
         # roll the pods to pick up any db migrations or other changes
@@ -30,6 +42,12 @@ spec:
         {{- include "mastodon.globalLabels" . | nindent 8 }}
         {{- include "mastodon.selectorLabels" . | nindent 8 }}
         {{- include "mastodon.statsdExporterLabels" . | nindent 8 }}
+        {{- with .Values.mastodon.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+        {{- with .Values.mastodon.web.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
         app.kubernetes.io/component: web
         app.kubernetes.io/part-of: rails
     spec:
@@ -173,6 +191,28 @@ spec:
                   name: {{ .Values.mastodon.cacheBuster.authToken.existingSecret }}
                   key: password
             {{- end }}
+            {{- if or .Values.mastodon.web.otel.enabled (and .Values.mastodon.otel.enabled (ne .Values.mastodon.web.otel.enabled false)) }}
+            - name: OTEL_EXPORTER_OTLP_ENDPOINT
+              value: {{ coalesce .Values.mastodon.web.otel.endpointUri .Values.mastodon.otel.endpointUri }}
+            - name: OTEL_SERVICE_NAME_PREFIX
+              value: {{ coalesce .Values.mastodon.web.otel.namePrefix .Values.mastodon.otel.namePrefix }}
+            - name: OTEL_SERVICE_NAME_SEPARATOR
+              value: "{{ coalesce .Values.mastodon.web.otel.nameSeparator .Values.mastodon.otel.nameSeparator }}"
+            {{- end }}
+            {{- if .Values.mastodon.metrics.prometheus.enabled }}
+            - name: MASTODON_PROMETHEUS_EXPORTER_ENABLED
+              value: "true"
+            - name: PROMETHEUS_EXPORTER_HOST
+              value: "127.0.0.1"
+            - name: PROMETHEUS_EXPORTER_PORT
+              value: "{{ .Values.mastodon.metrics.prometheus.port }}"
+            {{- if .Values.mastodon.metrics.prometheus.web.detailed }}
+            - name: MASTODON_PROMETHEUS_EXPORTER_WEB_DETAILED_METRICS
+              value: "true"
+            {{- end }}
+            {{- end }}
+            - name: TEST_ENV_VALUE
+              value: {{ .Values.mastodon.metrics.statsd.address }}
           volumeMounts:
           {{- if (not .Values.mastodon.s3.enabled) }}
             - name: assets
@@ -203,16 +243,38 @@ spec:
             httpGet:
               path: /health
               port: http
+            initialDelaySeconds: 15
             failureThreshold: 30
             periodSeconds: 5
           {{- with (default .Values.resources .Values.mastodon.web.resources) }}
           resources:
             {{- toYaml . | nindent 12 }}
           {{- end }}
+        {{- if .Values.mastodon.metrics.prometheus.enabled }}
+        - name: prometheus-exporter
+          image: "{{ coalesce .Values.mastodon.web.image.repository .Values.image.repository }}:{{ coalesce .Values.mastodon.web.image.tag .Values.image.tag .Chart.AppVersion }}"
+          command:
+            - ./bin/prometheus_exporter
+          args:
+            - "--bind"
+            - "0.0.0.0"
+            - "--port"
+            - "{{ .Values.mastodon.metrics.prometheus.port }}"
+          resources:
+            requests:
+              cpu: "0.1"
+              memory: "180M"
+            limits:
+              cpu: "0.5"
+              memory: "250M"
+          ports:
+            - name: prometheus
+              containerPort: {{ .Values.mastodon.metrics.prometheus.port }}
+        {{- end }}
         {{- include "mastodon.statsdExporterContainer" $ | indent 8 }}
-      {{- with .Values.nodeSelector }}
+      {{- with coalesce .Values.mastodon.web.nodeSelector .Values.nodeSelector }}
       nodeSelector:
-        {{- toYaml . | nindent 8 }}
+        {{- . | toYaml | nindent 8 }}
       {{- end }}
       {{- with (default .Values.affinity .Values.mastodon.web.affinity) }}
       affinity:

mastodon/templates/job-assets-copy.yaml

@@ -0,0 +1,97 @@
+{{- if .Values.mastodon.hooks.s3Upload.enabled -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "mastodon.fullname" . }}-assets-upload
+  labels:
+    {{- include "mastodon.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    "helm.sh/hook-weight": "-1"
+spec:
+  template:
+    metadata:
+      name: {{ include "mastodon.fullname" . }}-assets-upload
+      {{- with .Values.jobAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      volumes:
+      restartPolicy: Never
+      initContainers:
+        - name: extract-assets
+          image: "{{ coalesce .Values.mastodon.web.image.repository .Values.image.repository }}:{{ coalesce .Values.mastodon.web.image.tag .Values.image.tag .Chart.AppVersion }}"
+          imagePullPolicy: Always
+          command:
+          - cp
+          args:
+          - -rv
+          - public
+          - /assets
+          volumeMounts:
+            - mountPath: /assets
+              name: assets
+      containers:
+        - name: upload-assets
+          image: rclone/rclone:1
+          imagePullPolicy: Always
+          env:
+          - name: RCLONE_S3_NO_CHECK_BUCKET
+            value: "true"
+          - name: RCLONE_S3_ACL
+            value: {{ required "Please specify a canned ACL for S3 asset uploads" .Values.mastodon.hooks.s3Upload.acl }}
+          - name: RCLONE_CONFIG_REMOTE_TYPE
+            value: s3
+          - name: RCLONE_CONFIG_REMOTE_PROVIDER
+            value: AWS
+          - name: RCLONE_CONFIG_REMOTE_ENDPOINT
+            value: {{ required "Please specify an endpoint for S3 asset uploads" .Values.mastodon.hooks.s3Upload.endpoint }}
+          - name: RCLONE_CONFIG_REMOTE_ACCESS_KEY_ID
+            valueFrom:
+              secretKeyRef:
+                name: {{ required "Please specify a secret with S3 credentials for S3 asset uploads" .Values.mastodon.hooks.s3Upload.secretRef.name }}
+                key: {{ .Values.mastodon.hooks.s3Upload.secretRef.keys.accesKeyId }}
+          - name: RCLONE_CONFIG_REMOTE_SECRET_ACCESS_KEY
+            valueFrom:
+              secretKeyRef:
+                name: {{ required "Please specify a secret with S3 credentials for S3 asset uploads" .Values.mastodon.hooks.s3Upload.secretRef.name }}
+                key: {{ .Values.mastodon.hooks.s3Upload.secretRef.keys.secretAccessKey }}
+          {{- with .Values.mastodon.hooks.s3Upload.rclone.env }}
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          command:
+          - rclone
+          args:
+          - copy
+          - /assets/public
+          - "remote:{{ required "Please specify a bucket for S3 asset uploads" .Values.mastodon.hooks.s3Upload.bucket }}"
+          - --fast-list
+          - --transfers=32
+          - --include
+          - "{assets,packs}/**"
+          - --progress
+          - -vv
+          volumeMounts:
+            - mountPath: /assets
+              name: assets
+          resources:
+            requests:
+              cpu: 100m
+              memory: 256Mi
+            limits:
+              memory: 500Mi
+      volumes:
+        - name: assets
+          emptyDir: {}
+      {{- with coalesce .Values.mastodon.hooks.s3Upload.nodeSelector .Values.nodeSelector }}
+      nodeSelector:
+        {{- . | toYaml | nindent 8 }}
+      {{- end }}
+
+{{- end -}}

mastodon/templates/job-chewy-upgrade.yaml

@@ -1,100 +0,0 @@
-{{- if .Values.elasticsearch.enabled -}}
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: {{ include "mastodon.fullname" . }}-chewy-upgrade
-  labels:
-    {{- include "mastodon.labels" . | nindent 4 }}
-  annotations:
-    "helm.sh/hook": post-install
-    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
-    "helm.sh/hook-weight": "-1"
-spec:
-  template:
-    metadata:
-      name: {{ include "mastodon.fullname" . }}-chewy-upgrade
-      {{- with .Values.jobAnnotations }}
-      annotations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-    spec:
-      restartPolicy: Never
-      {{- if (not .Values.mastodon.s3.enabled) }}
-      # ensure we run on the same node as the other rails components; only
-      # required when using PVCs that are ReadWriteOnce
-      {{- if or (eq "ReadWriteOnce" .Values.mastodon.persistence.assets.accessMode) (eq "ReadWriteOnce" .Values.mastodon.persistence.system.accessMode) }}
-      affinity:
-        podAffinity:
-          requiredDuringSchedulingIgnoredDuringExecution:
-            - labelSelector:
-                matchExpressions:
-                  - key: app.kubernetes.io/part-of
-                    operator: In
-                    values:
-                      - rails
-              topologyKey: kubernetes.io/hostname
-      {{- end }}
-      volumes:
-        - name: assets
-          persistentVolumeClaim:
-            claimName: {{ template "mastodon.pvc.assets" . }}
-        - name: system
-          persistentVolumeClaim:
-            claimName: {{ template "mastodon.pvc.system" . }}
-      {{- end }}
-      containers:
-        - name: {{ include "mastodon.fullname" . }}-chewy-setup
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
-          command:
-            - bundle
-            - exec
-            - rake
-            - chewy:upgrade
-          envFrom:
-            - configMapRef:
-                name: {{ include "mastodon.fullname" . }}-env
-            - secretRef:
-                name: {{ template "mastodon.secretName" . }}
-          env:
-            - name: "DB_PASS"
-              valueFrom:
-                secretKeyRef:
-                  name: {{ template "mastodon.postgresql.secretName" . }}
-                  key: password
-            - name: "REDIS_PASSWORD"
-              valueFrom:
-                secretKeyRef:
-                  name: {{ template "mastodon.redis.secretName" . }}
-                  key: redis-password
-            {{- if and .Values.redis.sidekiq.enabled .Values.redis.sidekiq.auth.existingSecret }}
-            - name: "SIDEKIQ_REDIS_PASSWORD"
-              valueFrom:
-                secretKeyRef:
-                  name: {{ template "mastodon.redis.sidekiq.secretName" . }}
-                  key: redis-password
-            {{- end }}
-            {{- if and .Values.redis.cache.enabled .Values.redis.cache.auth.existingSecret }}
-            - name: "CACHE_REDIS_PASSWORD"
-              valueFrom:
-                secretKeyRef:
-                  name: {{ template "mastodon.redis.cache.secretName" . }}
-                  key: redis-password
-            {{- end }}
-            {{- if and .Values.elasticsearch.existingSecret (or .Values.elasticsearch.enabled .Values.elasticsearch.hostname) }}
-            - name: "ES_PASS"
-              valueFrom:
-                secretKeyRef:
-                  name: {{ .Values.elasticsearch.existingSecret }}
-                  key: password
-            {{- end }}
-            - name: "PORT"
-              value: {{ .Values.mastodon.web.port | quote }}
-          {{- if (not .Values.mastodon.s3.enabled) }}
-          volumeMounts:
-            - name: assets
-              mountPath: /opt/mastodon/public/assets
-            - name: system
-              mountPath: /opt/mastodon/public/system
-          {{- end }}
-{{- end }}

mastodon/templates/job-create-admin.yaml

@@ -95,4 +95,8 @@ spec:
             - name: system
               mountPath: /opt/mastodon/public/system
           {{- end }}
+      {{- with coalesce .Values.mastodon.createAdmin.nodeSelector .Values.nodeSelector }}
+      nodeSelector:
+        {{- . | toYaml | nindent 8 }}
+      {{- end }}
 {{- end }}

mastodon/templates/job-db-migrate.yaml

@@ -1,93 +1,7 @@
-{{- if .Values.mastodon.hooks.dbMigrate.enabled -}}
+{{- if .Values.mastodon.hooks.dbMigrate.enabled }}
-apiVersion: batch/v1
+{{- include "mastodon.dbMigrateJob" (merge (dict "preDeploy" false ) .) }}
-kind: Job
+      {{- with coalesce .Values.mastodon.hooks.dbMigrate.nodeSelector .Values.nodeSelector }}
-metadata:
+      nodeSelector:
-  name: {{ include "mastodon.fullname" . }}-db-migrate
+        {{- . | toYaml | nindent 8 }}
-  labels:
-    {{- include "mastodon.labels" . | nindent 4 }}
-  annotations:
-    "helm.sh/hook": post-install,pre-upgrade
-    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
-    "helm.sh/hook-weight": "-2"
-spec:
-  template:
-    metadata:
-      name: {{ include "mastodon.fullname" . }}-db-migrate
-      {{- with .Values.jobAnnotations }}
-      annotations:
-        {{- toYaml . | nindent 8 }}
       {{- end }}
-    spec:
-      restartPolicy: Never
-      {{- if (not .Values.mastodon.s3.enabled) }}
-      # ensure we run on the same node as the other rails components; only
-      # required when using PVCs that are ReadWriteOnce
-      {{- if or (eq "ReadWriteOnce" .Values.mastodon.persistence.assets.accessMode) (eq "ReadWriteOnce" .Values.mastodon.persistence.system.accessMode) }}
-      affinity:
-        podAffinity:
-          requiredDuringSchedulingIgnoredDuringExecution:
-            - labelSelector:
-                matchExpressions:
-                  - key: app.kubernetes.io/part-of
-                    operator: In
-                    values:
-                      - rails
-              topologyKey: kubernetes.io/hostname
 {{- end }}
-      volumes:
-        - name: assets
-          persistentVolumeClaim:
-            claimName: {{ template "mastodon.pvc.assets" . }}
-        - name: system
-          persistentVolumeClaim:
-            claimName: {{ template "mastodon.pvc.system" . }}
-      {{- end }}
-      containers:
-        - name: {{ include "mastodon.fullname" . }}-db-migrate
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
-          command:
-            - bundle
-            - exec
-            - rake
-            - db:migrate
-          envFrom:
-            - configMapRef:
-                name: {{ include "mastodon.fullname" . }}-env
-            - secretRef:
-                name: {{ template "mastodon.secretName" . }}
-          env:
-            - name: "DB_PASS"
-              valueFrom:
-                secretKeyRef:
-                  name: {{ template "mastodon.postgresql.secretName" . }}
-                  key: password
-            - name: "REDIS_PASSWORD"
-              valueFrom:
-                secretKeyRef:
-                  name: {{ template "mastodon.redis.secretName" . }}
-                  key: redis-password
-            {{- if and .Values.redis.sidekiq.enabled .Values.redis.sidekiq.auth.existingSecret }}
-            - name: "SIDEKIQ_REDIS_PASSWORD"
-              valueFrom:
-                secretKeyRef:
-                  name: {{ template "mastodon.redis.sidekiq.secretName" . }}
-                  key: redis-password
-            {{- end }}
-            {{- if and .Values.redis.cache.enabled .Values.redis.cache.auth.existingSecret }}
-            - name: "CACHE_REDIS_PASSWORD"
-              valueFrom:
-                secretKeyRef:
-                  name: {{ template "mastodon.redis.cache.secretName" . }}
-                  key: redis-password
-            {{- end }}
-            - name: "PORT"
-              value: {{ .Values.mastodon.web.port | quote }}
-          {{- if (not .Values.mastodon.s3.enabled) }}
-          volumeMounts:
-            - name: assets
-              mountPath: /opt/mastodon/public/assets
-            - name: system
-              mountPath: /opt/mastodon/public/system
-          {{- end }}
-{{- end -}}

mastodon/templates/job-db-pre-migrate.yaml

@@ -0,0 +1,7 @@
+{{- if .Values.mastodon.hooks.dbMigrate.enabled }}
+{{- include "mastodon.dbMigrateJob" (merge (dict "preDeploy" true ) .) }}
+      {{- with coalesce .Values.mastodon.hooks.dbMigrate.nodeSelector .Values.nodeSelector }}
+      nodeSelector:
+        {{- . | toYaml | nindent 8 }}
+      {{- end }}
+{{- end }}

mastodon/templates/job-db-prepare.yaml

@@ -0,0 +1,7 @@
+{{- if and .Values.mastodon.hooks.dbPrepare.enabled (not .Values.postgresql.enabled) }}
+{{- include "mastodon.dbMigrateJob" (merge (dict "prepare" true ) .) }}
+      {{- with coalesce .Values.mastodon.hooks.dbPrepare.nodeSelector .Values.nodeSelector }}
+      nodeSelector:
+        {{- . | toYaml | nindent 8 }}
+      {{- end }}
+{{- end }}

mastodon/templates/job-deploy-search.yaml

@@ -1,18 +1,19 @@
-{{- if .Values.mastodon.hooks.assetsPrecompile.enabled -}}
+{{- if and .Values.mastodon.hooks.deploySearch.enabled .Values.elasticsearch.enabled -}}
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: {{ include "mastodon.fullname" . }}-assets-precompile
+  name: {{ include "mastodon.fullname" . }}-deploy-search
   labels:
     {{- include "mastodon.labels" . | nindent 4 }}
   annotations:
-    "helm.sh/hook": post-install
+    "helm.sh/hook": post-install,post-upgrade
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
     "helm.sh/hook-weight": "-2"
 spec:
+  suspend: false
   template:
     metadata:
-      name: {{ include "mastodon.fullname" . }}-assets-precompile
+      name: {{ include "mastodon.fullname" . }}-deploy-search
       {{- with .Values.jobAnnotations }}
       annotations:
         {{- toYaml . | nindent 8 }}
@@ -22,7 +23,7 @@ spec:
       {{- if (not .Values.mastodon.s3.enabled) }}
       # ensure we run on the same node as the other rails components; only
       # required when using PVCs that are ReadWriteOnce
-      {{- if or (eq "ReadWriteOnce" .Values.mastodon.persistence.assets.accessMode) (eq "ReadWriteOnce" .Values.mastodon.persistence.system.accessMode) }}
+      {{- if or (eq "ReadWriteOnce" .Values.mastodon.persistence.assets.accessMode) (eq "ReadWriteOnce" .Values.persistence.system.accessMode) }}
       affinity:
         podAffinity:
           requiredDuringSchedulingIgnoredDuringExecution:
@@ -37,25 +38,48 @@ spec:
       volumes:
         - name: assets
           persistentVolumeClaim:
-            claimName: {{ template "mastodon.pvc.assets" . }}
+            claimName: {{ template "mastodon.fullname" . }}-assets
         - name: system
           persistentVolumeClaim:
-            claimName: {{ template "mastodon.pvc.system" . }}
+            claimName: {{ template "mastodon.fullname" . }}-system
       {{- end }}
       containers:
-        - name: {{ include "mastodon.fullname" . }}-assets-precompile
+        - name: {{ include "mastodon.fullname" . }}-deploy-search
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- with .Values.mastodon.hooks.deploySearch }}
+          {{- with .resources }}
+          resources:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           command:
-            - bash
+            - bin/tootctl
-            - -c
+            - search
-            - |
+            - deploy
-                bundle exec rake assets:precompile && yarn cache clean
+            {{- with .concurrency }}
+            - '--concurrency'
+            - {{ . | quote }}
+            {{- end }}
+            {{- if .resetChewy }}
+            - '--reset-chewy'
+            {{- end }}
+            {{- with .batchSize }}
+            - '--batch-size'
+            - {{ . | quote }}
+            {{- end }}
+            {{- with .only }}
+              {{- if not (has . (list "instances" "accounts" "tags" "statuses" "public_statuses")) -}}
+                {{ fail "mastodon.hooks.deploySearch.only: Value must be one of the following words: instances, accounts, tags, statuses, public_statuses"}}
+              {{- end }}
+            - '--only'
+            - {{ . | quote }}
+            {{- end }}
+          {{- end }}
           envFrom:
             - configMapRef:
                 name: {{ include "mastodon.fullname" . }}-env
             - secretRef:
-                name: {{ template "mastodon.secretName" . }}
+                name: {{ template "mastodon.secretName" $ }}
           env:
             - name: "DB_PASS"
               valueFrom:
@@ -67,20 +91,6 @@ spec:
                 secretKeyRef:
                   name: {{ template "mastodon.redis.secretName" . }}
                   key: redis-password
-            {{- if and .Values.redis.sidekiq.enabled .Values.redis.sidekiq.auth.existingSecret }}
-            - name: "SIDEKIQ_REDIS_PASSWORD"
-              valueFrom:
-                secretKeyRef:
-                  name: {{ template "mastodon.redis.sidekiq.secretName" . }}
-                  key: redis-password
-            {{- end }}
-            {{- if and .Values.redis.cache.enabled .Values.redis.cache.auth.existingSecret }}
-            - name: "CACHE_REDIS_PASSWORD"
-              valueFrom:
-                secretKeyRef:
-                  name: {{ template "mastodon.redis.cache.secretName" . }}
-                  key: redis-password
-            {{- end }}
             - name: "PORT"
               value: {{ .Values.mastodon.web.port | quote }}
           {{- if (not .Values.mastodon.s3.enabled) }}
@@ -90,4 +100,4 @@ spec:
             - name: system
               mountPath: /opt/mastodon/public/system
           {{- end }}
-{{- end -}}
+{{- end }}

mastodon/templates/job-set-admin-password.yaml

@@ -37,10 +37,10 @@ spec:
       volumes:
         - name: assets
           persistentVolumeClaim:
-            claimName: {{ template "mastodon.fullname" . }}-assets
+            claimName: {{ template "mastodon.pvc.assets" . }}
         - name: system
           persistentVolumeClaim:
-            claimName: {{ template "mastodon.fullname" . }}-system
+            claimName: {{ template "mastodon.pvc.system" . }}
       {{- end }}
       containers:
         - name: {{ include "mastodon.fullname" . }}-set-admin-password
@@ -70,6 +70,20 @@ spec:
                 secretKeyRef:
                   name: {{ template "mastodon.redis.secretName" . }}
                   key: redis-password
+            {{- if and .Values.redis.sidekiq.enabled .Values.redis.sidekiq.auth.existingSecret }}
+            - name: "SIDEKIQ_REDIS_PASSWORD"
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "mastodon.redis.sidekiq.secretName" . }}
+                  key: redis-password
+            {{- end }}
+            {{- if and .Values.redis.cache.enabled .Values.redis.cache.auth.existingSecret }}
+            - name: "CACHE_REDIS_PASSWORD"
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "mastodon.redis.cache.secretName" . }}
+                  key: redis-password
+            {{- end }}
             - name: "PORT"
               value: {{ .Values.mastodon.web.port | quote }}
           {{- if (not .Values.mastodon.s3.enabled) }}
@@ -79,4 +93,8 @@ spec:
             - name: system
               mountPath: /opt/mastodon/public/system
           {{- end }}
+      {{- with coalesce .Values.mastodon.createAdmin.nodeSelector .Values.nodeSelector }}
+      nodeSelector:
+        {{- . | toYaml | nindent 8 }}
+      {{- end }}
 {{- end }}

mastodon/templates/secret-prepare.yml

@@ -0,0 +1,3 @@
+{{- if and (include "mastodon.createSecret" .) (not .Values.postgresql.enabled) -}}
+{{- include "mastodon.secrets.object" (merge (dict "prepare" true ) .) }}
+{{- end }}

mastodon/templates/secret-redis-preinstall.yaml

@@ -0,0 +1,19 @@
+{{- if not .Values.redis.enabled }}
+{{- if and (not .Values.redis.auth.existingSecret) (not .Values.redis.existingSecret) }}
+{{- if .Values.redis.auth.password }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "mastodon.redis.secretName" . }}-pre-install
+  labels:
+    {{- include "mastodon.labels" . | nindent 4 }}
+  annotations:
+    helm.sh/hook: pre-install
+    helm.sh/hook-weight: "-5"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+type: Opaque
+data:
+  redis-password: "{{ .Values.redis.auth.password | b64enc }}"
+{{- end }}
+{{- end }}
+{{- end }}

mastodon/templates/secret-redis.yaml

@@ -1,4 +1,4 @@
-{{- if not .Values.redis.enabled }}
+{{- if .Values.redis.enabled }}
 {{- if and (not .Values.redis.auth.existingSecret) (not .Values.redis.existingSecret) }}
 {{- if .Values.redis.auth.password }}
 apiVersion: v1
@@ -7,6 +7,10 @@ metadata:
   name: {{ include "mastodon.redis.secretName" . }}
   labels:
     {{- include "mastodon.labels" . | nindent 4 }}
+  annotations:
+    helm.sh/hook: pre-install
+    helm.sh/hook-weight: "-5"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
 type: Opaque
 data:
   redis-password: "{{ .Values.redis.auth.password | b64enc }}"

mastodon/templates/secret-smtp-bulk.yaml

@@ -0,0 +1,16 @@
+{{- if and .Values.mastodon.smtp.bulk.enabled (not .Values.mastodon.smtp.bulk.existingSecret) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ printf "%s-smtp-bulk" (include "mastodon.fullname" .) }}
+  labels:
+    {{- include "mastodon.labels" . | nindent 4 }}
+type: Opaque
+data:
+  {{- with .Values.mastodon.smtp.bulk.login }}
+  login: {{ . | b64enc }}
+  {{- end }}
+  {{- with .Values.mastodon.smtp.bulk.password }}
+  password: {{ . | b64enc }}
+  {{- end }}
+{{- end }}

mastodon/templates/secrets.yaml

@@ -1,58 +1,3 @@
 {{- if (include "mastodon.createSecret" .) -}}
-apiVersion: v1
+{{- include "mastodon.secrets.object" . }}
-kind: Secret
-metadata:
-  name: {{ template "mastodon.fullname" . }}
-  labels:
-    {{- include "mastodon.labels" . | nindent 4 }}
-type: Opaque
-data:
-  {{- if .Values.mastodon.s3.enabled }}
-  {{- if not .Values.mastodon.s3.existingSecret }}
-  AWS_ACCESS_KEY_ID: "{{ .Values.mastodon.s3.access_key | b64enc }}"
-  AWS_SECRET_ACCESS_KEY: "{{ .Values.mastodon.s3.access_secret | b64enc }}"
-  {{- end }}
-  {{- end }}
-  {{- if not .Values.mastodon.secrets.existingSecret }}
-  {{- if not (empty .Values.mastodon.secrets.secret_key_base) }}
-  SECRET_KEY_BASE: "{{ .Values.mastodon.secrets.secret_key_base | b64enc }}"
-  {{- else }}
-  SECRET_KEY_BASE: {{ required "secret_key_base is required" .Values.mastodon.secrets.secret_key_base }}
-  {{- end }}
-  {{- if not (empty .Values.mastodon.secrets.otp_secret) }}
-  OTP_SECRET: "{{ .Values.mastodon.secrets.otp_secret | b64enc }}"
-  {{- else }}
-  OTP_SECRET: {{ required "otp_secret is required" .Values.mastodon.secrets.otp_secret }}
-  {{- end }}
-  {{- if not (empty .Values.mastodon.secrets.vapid.private_key) }}
-  VAPID_PRIVATE_KEY: "{{ .Values.mastodon.secrets.vapid.private_key | b64enc }}"
-  {{- else }}
-  VAPID_PRIVATE_KEY: {{ required "vapid.private_key is required" .Values.mastodon.secrets.vapid.private_key }}
-  {{- end }}
-  {{- if not (empty .Values.mastodon.secrets.vapid.public_key) }}
-  VAPID_PUBLIC_KEY: "{{ .Values.mastodon.secrets.vapid.public_key | b64enc }}"
-  {{- else }}
-  VAPID_PUBLIC_KEY: {{ required "vapid.public_key is required" .Values.mastodon.secrets.vapid.public_key }}
-  {{- end }}
-  {{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.primaryKey) }}
-  ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: "{{ .Values.mastodon.secrets.activeRecordEncryption.primaryKey | b64enc }}"
-  {{- else }}
-  ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: {{ required "activeRecordEncryption.primaryKey is required" .Values.mastodon.secrets.activeRecordEncryption.primaryKey }}
-  {{- end }}
-  {{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.deterministicKey) }}
-  ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: "{{ .Values.mastodon.secrets.activeRecordEncryption.deterministicKey | b64enc }}"
-  {{- else }}
-  ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: {{ required "activeRecordEncryption.deterministicKey is required" .Values.mastodon.secrets.activeRecordEncryption.deterministicKey }}
-  {{- end }}
-  {{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt) }}
-  ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: "{{ .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt | b64enc }}"
-  {{- else }}
-  ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: {{ required "activeRecordEncryption.keyDerivationSalt is required" .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt }}
-  {{- end }}
-  {{- end }}
-  {{- if not .Values.postgresql.enabled }}
-  {{- if not .Values.postgresql.auth.existingSecret }}
-  password: "{{ .Values.postgresql.auth.password | b64enc }}"
-  {{- end }}
-  {{- end }}
 {{- end }}

mastodon/templates/service-streaming.yaml

@@ -11,6 +11,7 @@ spec:
       targetPort: streaming
       protocol: TCP
       name: streaming
+  ipFamilyPolicy: PreferDualStack
   selector:
     {{- include "mastodon.selectorLabels" . | nindent 4 }}
     app.kubernetes.io/component: streaming

mastodon/templates/service-web.yaml

@@ -11,6 +11,7 @@ spec:
       targetPort: http
       protocol: TCP
       name: http
+  ipFamilyPolicy: PreferDualStack
   selector:
     {{- include "mastodon.selectorLabels" . | nindent 4 }}
     app.kubernetes.io/component: web

mastodon/values.yaml

@@ -6,13 +6,15 @@ image:
   # built from the most recent commit
   #
   # tag: latest
-  tag: "v4.2.19"
+  tag: ""
   # use `Always` when using `latest` tag
   pullPolicy: IfNotPresent
 
 mastodon:
   # Labels added to every Mastodon-related object
   labels: {}
+  # Labes added to every deployed mastodon pod
+  podLabels: {}
 
   # -- create an initial administrator user; the password is autogenerated and will
   # have to be reset
@@ -25,13 +27,81 @@ mastodon:
     password: not_gargron
     # @ignored
     email: not@example.com
+    # Node(s) on which we will deploy this job
+    nodeSelector: {}
   hooks:
+    # Whether to perform DB schema creation on `helm install`.
+    # Please note that this does not work when using the included database
+    # (postgresql.enabled=true).
+    # NOTE: When using certain GitOps solutions such as Argo CD, this should be
+    # disabled, as these apps do not necessarily differentiate between `pre-install`
+    # and `pre-upgrade`.
+    dbPrepare:
+      enabled: true
+      # Node(s) on which we will deploy this job
+      nodeSelector: {}
+    # Whether to perform DB migrations on `helm upgrade`.
     dbMigrate:
       enabled: true
-    assetsPrecompile:
+      # Node(s) on which we will deploy this job
-      enabled: true
+      nodeSelector: {}
+
+    # WARNING: deploySearch is potentially a very expensive job!
+    # Only enable this once at a time, when you deploy elasticsearch or when
+    # the upgrade notes for a new mastodon version request rebuilding search.
+    # Recommended use is via `-f mastodon.hooks.deploySearch.enabled=true`
+    # to ensure the job is only dispatched for a single upgrade when required.
+    # This job may take days to run on very large instances. Even small
+    # instances may take long enough to trigger helm's completion timeout, so
+    # DO NOT PANIC if helm complains; simply verify the job is still running.
+    #
+    # Builds or rebuilds the elasticsearch indices via `tootctl deploy search`
+    # with timing hooks to ensure the job runs immediately after install/upgrade
+    # and will be restarted if another, corrective upgrade is triggered.
+    # Please check the tootctl documentation and upgrade notes to pick values.
+    #
+    # NOTE: The resource stanza set below is intentionally very conservative.
+    # Consider assigning a liberal chunk of your cluster's typical headroom.
+    deploySearch:
+      enabled: false
+      resetChewy: true
+      # one index name. Possible values: instances, accounts, tags, statuses, public_statuses
+      only: ""
+      concurrency: 5
+      resources: # this accepts any keys in a full container resources stanza.
+        requests:
+          cpu: 250m
+          memory: 256Mi
+        limits:
+          cpu: 500m
+
+    # Upload website assets to S3 before deploying using rclone.
+    # Whenever there is an update to Mastodon, sometimes there are assets files
+    # that are renamed. As the pods are getting redeployed, and old/new pods are
+    # present simultaneously, there is a chance that old asset files are
+    # requested from pods that don't have them anymore, or new asset files are
+    # requested from old pods. Uploading asset files to S3 in this manner solves
+    # this potential conflict.
+    # Note that you will need to CDN/proxy to send all requests to /assets and
+    # /packs to this bucket.
+    s3Upload:
+      enabled: false
+      endpoint:
+      bucket:
+      acl: public-read
+      secretRef:
+        name:
+        keys:
+          accesKeyId: acces-key-id
+          secretAccessKey: secret-access-key
+      rclone:
+        # Any additional environment variables to pass to rclone.
+        env: {}
+      # Node(s) on which we will deploy this job
+      nodeSelector: {}
   # Custom labels to add to kubernetes resources
   #labels:
+
   cron:
     # -- run `tootctl media remove` every week
     removeMedia:
@@ -39,8 +109,15 @@ mastodon:
       enabled: true
       # @ignored
       schedule: "0 0 * * 0"
+      # Node(s) on which we will deploy this job
+      nodeSelector: {}
+
+  # Sets the default locale for this server.
+  # NOTICE: This will force this locale on every user who is not logged in, and
+  # the instance will no longer do any local detection for clients.
   # -- available locales: https://github.com/mastodon/mastodon/blob/main/config/application.rb#L71
-  locale: en
+  locale:
+
   local_domain: mastodon.local
   # -- Use of WEB_DOMAIN requires careful consideration: https://docs.joinmastodon.org/admin/config/#federation
   # You must redirect the path LOCAL_DOMAIN/.well-known/ to WEB_DOMAIN/.well-known/ as described
@@ -49,6 +126,9 @@ mastodon:
   # -- If you have multiple domains pointed at your Mastodon server, this setting will allow Mastodon to recognize
   # itself when users are addressed using those other domains.
   alternate_domains: []
+  # -- Comma-separated list of public IP addresses of trusted reverse proxy servers reaching Mastodon web and streaming servers
+  # Specifying overrides default list. More info: https://docs.joinmastodon.org/admin/config/#trusted_proxy_ip
+  # trusted_proxy_ip:
   # -- If set to true, the frontpage of your Mastodon server will always redirect to the first profile in the database and registrations will be disabled.
   singleUserMode: false
   # -- Enables "Secure Mode" for more details see: https://docs.joinmastodon.org/admin/config/#authorized_fetch
@@ -140,6 +220,39 @@ mastodon:
     resources: {}
     # -- Affinity for all Sidekiq Deployments unless overwritten, overwrites .Values.affinity
     affinity: {}
+    # Node(s) on which we will deploy sidekiq in general
+    # Any worker-specific configuration will override this setting.
+    nodeSelector: {}
+    # -- Annotations to apply to the deployment object(s) for sidekiq.
+    # -- These are applied in addition to deploymentAnnotations.
+    annotations: {}
+    # -- Labels to apply to the deployment object(s) for sidekiq.
+    # -- These are applied in addition to mastodon.labels.
+    labels: {}
+    # -- Annotations to apply to the sidekiq pods.
+    # -- These are applied in addition to the global podAnnotations.
+    podAnnotations: {}
+    # -- Labels to apply to the sidekiq pods.
+    # -- These are applied in addition to mastodon.labels.
+    podLabels: {}
+    # Rollout strategy to use when updating pods.
+    # Recreate will help reduce the number of retried jobs when updating when
+    # the code introduces a new job as the pods are all replaced immediately.
+    # RollingUpdate can help with larger clusters if job retries aren't an
+    # issue, as it will reduce strain by replacing pods more slowly. It is
+    # strongly recommended to enable the readinessProbe when using RollingUpdate.
+    # ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
+    updateStrategy:
+      type: Recreate
+    # Readiness probe configuration
+    # NOTE: Readiness probe will only work on versions of Mastodon built after 2024-07-10.
+    readinessProbe:
+      enabled: false
+      path: /opt/mastodon/tmp/sidekiq_process_has_started_and_will_begin_processing_jobs
+      initialDelaySeconds: 10
+      periodSeconds: 2
+      successThreshold: 1
+      timeoutSeconds: 1
     # -- Topology spread constraints for Sidekiq Pods, overwrites .Values.topologySpreadConstraints
     topologySpreadConstraints: {}
     # limits:
@@ -148,6 +261,14 @@ mastodon:
     # requests:
     #   cpu: 250m
     #   memory: 512Mi
+
+    # Open Telemetry configuration for sidekiq pods. Overrides global settings.
+    otel:
+      enabled:
+      exporterUri:
+      namePrefix:
+      nameSeparator:
+
     workers:
       - name: all-queues
         # -- Number of threads / parallel sidekiq jobs that are executed per Pod
@@ -158,8 +279,11 @@ mastodon:
         resources: {}
         # -- Affinity for this specific deployment, overwrites .Values.affinity and .Values.mastodon.sidekiq.affinity
         affinity: {}
+        # -- Node(s) on which we will deploy this sidekiq worker
+        nodeSelector: {}
         # -- Topology spread constraints for this specific deployment, overwrites .Values.topologySpreadConstraints and .Values.mastodon.sidekiq.topologySpreadConstraints
         topologySpreadConstraints: {}
+
         # -- Sidekiq queues for Mastodon that are handled by this worker. See https://docs.joinmastodon.org/admin/scaling/#concurrency
         # See https://github.com/mperham/sidekiq/wiki/Advanced-Options#queues for how to weight queues as argument
         queues:
@@ -169,6 +293,7 @@ mastodon:
           - mailers,2
           - pull
           - scheduler # Make sure the scheduler queue only exists once and with a worker that has 1 replica.
+          - fasp
         image:
           repository:
           tag:
@@ -213,10 +338,35 @@ mastodon:
     # -- Instead of defining login/password above, you can specify the name of an existing secret here. Login and
     # password must be located in keys named `login` and `password` respectively.
     existingSecret:
+
+    # Configuration for bulk/broadcast messages.
+    # Some transactional email providers require customers to use a separate set
+    # of SMTP credentials to send emails that are not transactional in nature.
+    # For more information, refer to the docs:
+    # https://docs.joinmastodon.org/admin/config/#optional-bulk-email-settings
+    bulk:
+      enabled: false
+      auth_method: plain
+      ca_file: /etc/ssl/certs/ca-certificates.crt
+      domain:
+      enable_starttls: "auto"
+      from_address: notifications@example.com
+      openssl_verify_mode: peer
+      port: 587
+      server: smtp.mailgun.org
+      tls:
+      login:
+      password:
+      # -- Instead of defining login/password above, you can specify the name of an existing secret here. Login and
+      # password must be located in keys named `login` and `password` respectively.
+      existingSecret:
+
   streaming:
     image:
-      repository:
+      # streaming image split in Mastodon v4.3.0
-      tag:
+      repository: ghcr.io/mastodon/mastodon-streaming
+      # other options: `latest` for the latest release or `edge` for most recent commit
+      tag: ""
     port: 4000
     # -- this should be set manually since os.cpus() returns the number of CPUs on
     # the node running the pod, which is unrelated to the resources allocated to
@@ -229,6 +379,27 @@ mastodon:
     replicas: 1
     # -- Affinity for Streaming Pods, overwrites .Values.affinity
     affinity: {}
+    # -- Node(s) on which we will deploy the streaming pods
+    nodeSelector: {}
+    # -- Annotations to apply to the deployment object for streaming.
+    # -- These are applied in addition to deploymentAnnotations.
+    annotations: {}
+    # -- Labels to apply to the deployment object for streaming.
+    # -- These are applied in addition to mastodon.labels.
+    labels: {}
+    # -- Annotations to apply to the streaming pods.
+    # -- These are applied in addition to the global podAnnotations.
+    podAnnotations: {}
+    # -- Labels to apply to the streaming pods.
+    # -- These are applied in addition to mastodon.labels.
+    podLabels: {}
+    # Rollout strategy to use when updating pods
+    # ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
+    updateStrategy:
+      type: RollingUpdate
+      rollingUpdate:
+        maxSurge: 10%
+        maxUnavailable: 25%
     # -- Topology spread constraints for Streaming Pods, overwrites .Values.topologySpreadConstraints
     topologySpreadConstraints: {}
     # -- Pod Security Context for Streaming Pods, overwrites .Values.podSecurityContext
@@ -268,6 +439,27 @@ mastodon:
     replicas: 1
     # -- Affinity for Web Pods, overwrites .Values.affinity
     affinity: {}
+    # -- Node(s) on which we will deploy the web pods
+    nodeSelector: {}
+    # -- Annotations to apply to the deployment object for web.
+    # -- These are applied in addition to deploymentAnnotations.
+    annotations: {}
+    # -- Labels to apply to the deployment object for web.
+    # -- These are applied in addition to mastodon.labels.
+    labels: {}
+    # -- Annotations to apply to the web pods.
+    # -- These are applied in addition to the global podAnnotations.
+    podAnnotations: {}
+    # -- Labels to apply to the web pods.
+    # -- These are applied in addition to mastodon.labels.
+    podLabels: {}
+    # Rollout strategy to use when updating pods
+    # ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
+    updateStrategy:
+      type: RollingUpdate
+      rollingUpdate:
+        maxSurge: 10%
+        maxUnavailable: 25%
     # -- Topology spread constraints for Web Pods, overwrites .Values.topologySpreadConstraints
     topologySpreadConstraints: {}
     # -- Pod Security Context for Web Pods, overwrites .Values.podSecurityContext
@@ -287,8 +479,10 @@ mastodon:
       enable: false
     # minAvailable: 1
     # maxUnavailable: 1
+
     # -- Puma-specific options. Below values are based on default behavior in
     # config/puma.rb when no custom values are provided.
+
     minThreads: "5"
     maxThreads: "5"
     workers: "2"
@@ -303,6 +497,13 @@ mastodon:
         name:
         key:
 
+    # Open Telemetry configuration for web pods. Overrides global settings.
+    otel:
+      enabled:
+      exporterUri:
+      namePrefix:
+      nameSeparator:
+
   # HTTP cache buster configuration.
   # See the documentation for more information about this feature:
   # https://docs.joinmastodon.org/admin/config/#http-cache-buster
@@ -316,6 +517,8 @@ mastodon:
       existingSecret:
 
   metrics:
+
+    # NOTE: This feature was dropped in v4.3.0, and will not work for any versions beyond this.
     statsd:
       # -- Enable statsd publishing via STATSD_ADDR environment variable
       address: ""
@@ -325,6 +528,32 @@ mastodon:
         enabled: false
         port: 9102
 
+    # Settings for Prometheus metrics.
+    # For more information, see:
+    # https://docs.joinmastodon.org/admin/config/#prometheus
+    prometheus:
+      enabled: false
+      # Port for the exporter to listen on
+      port: 9394
+
+      # Prometheus for web pods
+      web:
+        # Collect per-controller/action metrics for every request
+        detailed: false
+
+      # Prometheus for sidekiq pods
+      sidekiq:
+        # Collect per-job metrics for every job
+        detailed: false
+
+  # Open Telemetry configuration for all deployments. Component-specific
+  # configuration will override these values.
+  otel:
+    enabled: false
+    exporterUri:
+    namePrefix: mastodon
+    nameSeparator: "-"
+
   # Sets the PREPARED_STATEMENTS environment variable: https://docs.joinmastodon.org/admin/config/#prepared_statements
   preparedStatements: true
 
@@ -380,7 +609,13 @@ ingress:
         hosts:
           - streaming.mastodon.local
 
-# -- https://github.com/bitnami/charts/tree/master/bitnami/elasticsearch#parameters
+# Configuration for Elasticsearch.
+# When enabled, the bitnami helm chart is used for Elasticsearch deployment, and
+# all values here correspond to their values file. Please see the bitnami chart
+# documentation:
+# https://github.com/bitnami/charts/tree/master/bitnami/elasticsearch#parameters
+#
+# Please note that we recommend using your own deployment for better management.
 elasticsearch:
   # Elasticsearch is powering full-text search. It is optional.
 
@@ -406,13 +641,43 @@ elasticsearch:
   # Name of an existing secret with a password key
   # existingSecret:
 
+  # -- Node(s) on which we will deploy the various elasticsearch pods
+  master:
+    nodeSelector: {}
+  data:
+    nodeSelector: {}
+  coordinating:
+    nodeSelector: {}
+  ingest:
+    nodeSelector: {}
+  metrics:
+    nodeSelector: {}
+
+# Configuration for PostgreSQL.
+# When enabled, the bitnami helm chart is used for PostgreSQL deployment, and
+# all values here correspond to their values file. Please see the bitnami chart
+# documentation:
 # https://github.com/bitnami/charts/tree/master/bitnami/postgresql#parameters
+#
+# Please note that we recommend using your own deployment for better management.
 postgresql:
   # -- disable if you want to use an existing db; in which case the values below
-  # must match those of that external postgres instance
+  # must match those of that external postgres instance.
+  # Please note that certain features do not work when enabling the included
+  # database, namely automatic schema creation when the app is first installed.
   enabled: true
   # postgresqlHostname: preexisting-postgresql
   # postgresqlPort: 5432
+
+  # If using a connection pooler such as pgbouncer, please specify a hostname/IP
+  # that serves as a "direct" connection to the database, rather than going
+  # through the connection pooler. This is required for migrations to work
+  # properly.
+  direct:
+    hostname:
+    port:
+    database:
+
   auth:
     database: mastodon_production
     username: mastodon
@@ -442,7 +707,22 @@ postgresql:
       password:
       existingSecret:
 
+  # -- Node(s) on which we will deploy the various database pods
+  primary:
+    nodeSelector: {}
+  readReplicas:
+    nodeSelector: {}
+  backup:
+    cronjob:
+      nodeSelector: {}
+
+# Configuration for Redis.
+# When enabled, the bitnami helm chart used for Redis deployment, and all values
+# here correspond to their values file. Please see the bitnami chart
+# documentation:
 # https://github.com/bitnami/charts/tree/master/bitnami/redis#parameters
+#
+# Please note that we recommend using your own deployment for better management.
 redis:
   # disable if you want to use an existing redis instance; in which case the
   # values below must match those of that external redis instance
@@ -488,6 +768,12 @@ redis:
       # with a key of redis-password set to the password you want
       existingSecret: ""
 
+  # -- Node(s) on which we will deploy the various redis pods
+  master:
+    nodeSelector: {}
+  replica:
+    nodeSelector: {}
+
 # @ignored
 service:
   type: ClusterIP
@@ -614,23 +900,23 @@ serviceAccount:
   # If not set and create is true, a name is generated using the fullname template
   name: ""
 
-# Custom annotations to apply to all created deployment objects. These can be
+# Custom annotations to apply to all created mastodon deployment objects. These
-# used to help mastodon interact with other services in the cluster.
+# can be used to help mastodon interact with other services in the cluster.
 deploymentAnnotations: {}
 
 # -- Kubernetes manages pods for jobs and pods for deployments differently, so you might
 # need to apply different annotations to the two different sets of pods. The annotations
-# set with podAnnotations will be added to all deployment-managed pods.
+# set with podAnnotations will be added to all mastodon deployment-managed pods.
 podAnnotations: {}
 
 # If set to true, an annotation with the current chart release number will be added to all mastodon pods. This will
 # cause all pods to be recreated every `helm upgrade` regardless of whether their config or spec changes.
 revisionPodAnnotation: true
 
-# The annotations set with jobAnnotations will be added to all job pods.
+# The annotations set with jobAnnotations will be added to all mastodon job pods
 jobAnnotations: {}
 
-# -- Default resources for all Deployments and jobs unless overwritten
+# -- Default resources for all mastodon Deployments and jobs unless overwritten
 resources:
   {}
   # We usually recommend not to specify default resources and to leave this as a conscious
@@ -644,26 +930,28 @@ resources:
   #   cpu: 100m
   #   memory: 128Mi
 
-# @ignored
-nodeSelector: {}
-
 # @ignored
 tolerations: []
 
-# -- Affinity for all pods unless overwritten
+# -- Affinity for all mastodon pods unless overwritten
 affinity: {}
 
-# -- Timezone for all pods unless overwritten
+# Node(s) on which we will deploy all resources.
+# Any node selectors specified for individual resources will override this
+# setting.
+nodeSelector: {}
+
+# -- Timezone for all mastodon pods unless overwritten
 timezone: UTC
 
-# -- Topology Spread Constraints for all pods unless overwritten
+# -- Topology Spread Constraints for all mastodon pods unless overwritten
 # Please note that you need to use `matchLabelKeys` (Kubernetes 1.25+) if you
 # want to spread each deployment independently, or override topologySpreadConstraints
 # for each deployment
 topologySpreadConstraints: {}
 
-# Default volume mounts for all pods
+# Default volume mounts for all mastodon pods
 volumeMounts: []
 
-# Default volumes for all pods
+# Default volumes for all mastodon pods
 volumes: []

peertube/Chart.yaml

@@ -11,5 +11,5 @@ dependencies:
   repository: https://charts.bitnami.com/bitnami
   version: 20.6.0
 type: application
-version: 0.4.2
+version: 0.4.5
-appVersion: 7.1.0
+appVersion: 7.2.3

peertube/values.yaml

@@ -8,7 +8,7 @@ image:
   repository: chocobozzz/peertube
   pullPolicy: IfNotPresent
   # Overrides the image tag whose default is the chart appVersion.
-  tag: "v7.1.0-bookworm"
+  tag: "v7.2.3-bookworm"
 
 imagePullSecrets: []
 nameOverride: ""
@@ -223,6 +223,8 @@ configAsCode:
       # If you're using such a provider then you can increase this value
       max_request_attempts: 3
       streaming_playlists:
+        # Bucket name created on your object storage provider
+        # PeerTube will access it via {bucket_name}.example.com
         bucket_name: 'streaming-playlists'
         # Allows setting all buckets to the same value but with a different prefix
         prefix: '' # Example: 'streaming-playlists:'
@@ -233,7 +235,7 @@ configAsCode:
         # which can be a problem depending on your object storage provider
         # You can also choose to disable this feature to reduce live streams latency
         # Live stream replays are not affected by this setting, so they are uploaded in object storage as regular VOD videos
-        store_live_streams: true
+        store_live_streams: false
       web_videos:
         bucket_name: 'web-videos'
         prefix: ''
@@ -294,7 +296,7 @@ configAsCode:
             - 'hot' # Adaptation of Reddit's 'Hot' algorithm
             - 'most-viewed' # Number of views in the last x days
             - 'most-liked' # Global views since the upload of the video
-          default: 'most-viewed'
+          default: 'hot'
     # Cache remote videos on your server, to help other instances to broadcast the video
     # You can define multiple caches using different sizes/strategies
     # Once you have defined your strategies, choose which instances you want to cache in admin -> manage follows -> following
@@ -468,6 +470,15 @@ configAsCode:
       stun_servers:
         - 'stun:stunserver2024.stunprotocol.org'
         - 'stun:stun.framasoft.org'
+    nsfw_flags_settings:
+      # Allow logged-in/anonymous users to have a more granular control over their NSFW policy
+      # using NSFW flags (violent content, etc.) set by video authors
+      enabled: true
+    download_generate_video:
+      # Max parallel downloads on your instance
+      # Each download spawns an ffmpeg process
+      # The ffmpeg process ends when users have downloaded the entire file or cancelled the download
+      max_parallel_downloads: 100
     ###############################################################################
     #
     # From this point, all the following keys can be overridden by the web interface
@@ -826,7 +837,7 @@ configAsCode:
       # Enabling it will allow other administrators to know that you are mainly federating sensitive content
       # Moreover, the NSFW checkbox on video upload will be automatically checked by default
       is_nsfw: false
-      # By default, `do_not_list` or `blur` or `display` NSFW videos
+      # By default, `do_not_list`, `blur`, `warn` or `display` NSFW videos
       # Could be overridden per user with a setting
       default_nsfw_policy: 'display'
       # PeerTube uses this setting to explain to your users which law they must follow in the "About" instance pages

roundcube/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
-appVersion: "1.6.10"
+appVersion: "1.6.11"
 description: A Helm chart for Kubernetes
 name: roundcube
-version: 0.4.5
+version: 0.4.6
 icon: https://github.com/roundcube/roundcubemail/blob/master/skins/classic/images/roundcube_logo.png

roundcube/values.yaml

@@ -2,7 +2,7 @@ replicaCount: 1
 
 image:
   repository: roundcube/roundcubemail
-  tag: 1.6.10-apache
+  tag: 1.6.11-apache
   pullPolicy: IfNotPresent
 
 args: [ sh, -c, 'update-ca-certificates && /docker-entrypoint.sh apache2-foreground' ]

rspamd/Chart.yaml

@@ -7,5 +7,5 @@ dependencies:
   repository: https://charts.bitnami.com/bitnami
   version: 17.9.3
 type: application
-version: 0.5.6
+version: 0.5.7
-appVersion: 3.11.1
+appVersion: 3.12.1

rspamd/values.yaml

@@ -10,7 +10,7 @@ persistence:
 rspamd:
   image:
     repository: gitea.geekhome.org/ghp/rspamd
-    tag: 3.11.1-1
+    tag: 3.12.1-1
     pullPolicy: Always
   local.d:
     redis.conf: |