
138 Commits

ace
593faf1ff9 bitwarden: bump to 1.34.3, helm chart 2.0.40 2025-08-05 19:29:22 +03:00
ace
f14a5b7378 bitwarden: bump to 1.34.2, helm chart 2.0.39 2025-07-27 23:58:51 +03:00
ace
f2e33fabd5 peertube: bump to 7.2.3, helm chart 0.4.5 2025-07-25 15:19:31 +03:00
ace
d0e0b5af4b mastodon: bump to v4.4.2, helm chart 6.5.1 2025-07-25 15:19:26 +03:00
ace
af164c5630 gitea-act-runner: bump to 0.2.12, helm chart 0.1.13 2025-07-25 15:19:07 +03:00
ace
f3dea682a5 mastodon: bump to v4.4.1, helm chart v6.5.0 2025-07-14 00:14:20 +03:00
ace
bca2de6613 mastodon: bump to v4.2.22, helm chart v5.1.9 2025-07-13 20:56:17 +03:00
ace
9219b9d048 rspamd: bump to v3.12.1, helm chart v0.5.7 2025-06-28 16:29:17 +03:00
ace
7e7fc46d18 adguard-home: bump to v0.107.63, helm chart v2.3.33 2025-06-28 16:29:14 +03:00
ace
d2a23231dc peertube: bump to v7.2.1, helm chart v0.4.4 2025-06-28 16:29:09 +03:00
ace
4d3b1c57f6 kanidm: bump to v1.6.4, helm chart v0.2.2 2025-06-12 22:48:42 +03:00
ace
4b59f3bde0 peertube: bump to v7.2.0, helm chart v0.4.3 2025-06-12 22:48:00 +03:00
ace
88d3175327 roundcube: bump to v1.6.11, helm chart v0.4.6 2025-06-11 00:36:48 +03:00
ace
f58b0e15d2 bitwarden: bump to v1.34.1, helm chart v2.0.38 2025-06-11 00:36:44 +03:00
ace
058c4aee3c adguard-home: bump to v0.107.62, helm chart v2.3.32 2025-06-11 00:36:41 +03:00
ace
c7da441b17 kanidm: bump to v1.6.3, helm chart v0.2.1 2025-05-23 13:06:11 +03:00
ace
c0ad9437b2 kanidm: bump to v1.6.2, helm chart v0.2.0 2025-05-13 00:12:33 +03:00
ace
77c2028150 mastodon: bump to v4.2.21, helm chart v5.1.8 2025-05-13 00:12:21 +03:00
ace
399eae0f1a kanidm: fix probes and use 443 port by default 2025-04-11 16:01:20 +03:00
ace
0d91f6f91d add kanidm helm chart 2025-04-10 00:21:11 +03:00
ace
ae6f9bb30b add autovault helm chart 2025-04-10 00:21:01 +03:00
ace
858581c554 wikijs: bump to v2.5.307, helm chart v2.3.19 2025-03-25 16:27:27 +03:00
ace
c9a99c1062 peertube: bump to v7.1.0, helm chart v0.4.2 2025-03-25 16:27:23 +03:00
ace
bad060f0dd adguard-home: bump to v0.107.59, helm chart v2.3.31 2025-03-25 16:27:19 +03:00
ace
c7255cdaf1 mastodon: bump to v4.2.19, helm chart v5.1.7 2025-03-14 23:36:13 +03:00
ace
a83dac3d32 rspamd: bump to v3.11.1, helm chart v0.5.6 2025-03-09 17:03:04 +03:00
ace
c5c7b21e6f mastodon: bump to v4.2.17, helm chart v5.1.6 2025-03-02 17:24:16 +03:00
ace
15f9334d28 gitea-act-runner: bump to v0.2.11, helm chart v0.1.12 2025-03-02 17:24:07 +03:00
ace
5d77150525 adguard-home: bump to v0.107.57, helm chart v2.3.30 2025-03-02 17:24:04 +03:00
ace
f5fdcff1d9 postfix: bump to v3.5.25, helm chart v0.1.7 2025-02-15 22:28:05 +03:00
ace
5e7679078d rspamd: bump to v3.11.0, helm chart v0.5.5 2025-02-15 22:28:01 +03:00
ace
7ea997cbbb roundcube: bump to v1.6.10, helm chart v0.4.5 2025-02-15 22:27:59 +03:00
ace
0d3fb60b95 dovecot: bump to v2.3.16, helm chart v0.1.8 2025-02-15 22:27:55 +03:00
ace
de4157c81c bitwarden: bump to v1.33.2, helm chart v2.0.37 2025-02-12 15:31:02 +03:00
ace
47e16defa7 wikijs: bump to v2.5.306, helm chart v2.3.18 2025-02-06 00:36:02 +03:00
ace
0ee0d754b9 bitwarden: bump to v1.33.1, helm chart v2.0.36 2025-02-06 00:35:52 +03:00
ace
cfb50a3261 adguard-home: bump to v0.107.56, helm chart v2.3.29 2025-01-26 17:12:31 +03:00
ace
b94d794c2a bitwarden: bump to v1.33.0, helm chart v2.0.35 2025-01-26 17:12:28 +03:00
ace
7c84796f5f peertube: bump to v7.0.1, helm chart v0.4.1 2025-01-26 17:12:09 +03:00
ace
b09e51c39b bitwarden: bump to v1.32.7, helm chart v2.0.34
peertube: bump to v7.0.0, helm chart v0.4.0
2024-12-22 15:12:24 +03:00
ace
796483d2b5 bitwarden: bump to v1.32.5, helm chart v2.0.32 2024-11-19 17:59:15 +03:00
ace
373984242e adguard-home: bump to v0.107.54, helm chart v2.3.28 2024-11-11 13:34:41 +03:00
ace
96f81e7d3f bitwarden: bump to v1.32.4, helm chart v2.0.31 2024-11-11 13:34:39 +03:00
ace
d2cd7daa25 rspamd: bump to v3.10.2, helm chart v0.5.4 2024-11-03 17:07:36 +03:00
ace
dd2838a47b bitwarden: bump to v1.32.3, helm chart v2.0.30 2024-11-03 17:07:33 +03:00
ace
50fff3de7d peertube: bump to v6.3.3, helm chart v0.3.8 2024-11-03 17:07:32 +03:00
ace
626e71e16a wikijs: bump to v2.5.305, helm chart v2.3.17 2024-10-14 11:20:21 +03:00
ace
f83831aabf bitwarden: bump to v1.32.2, helm chart v2.0.29 2024-10-14 11:20:18 +03:00
ace
691e984150 peertube: bump to v6.3.2, helm chart v0.3.7 2024-10-08 14:41:53 +03:00
ace
c0b9d55820 peertube: bump to v6.3.1, helm chart v0.3.6 2024-10-08 10:58:24 +03:00
ace
060e445d4f gitea-act-runner: bump to v0.2.11, helm chart v0.1.11 2024-10-06 22:09:10 +03:00
ace
a6a99cdb91 adguard-home: bump to v0.107.53, helm chart v2.3.27 2024-10-04 04:57:24 +03:00
ace
895105f3d4 bitwarden: bump to v1.32.1, helm chart v2.0.28 2024-10-04 04:57:06 +03:00
ace
cfbedaebe0 wikijs: bump to v2.5.304, helm chart v2.3.16 2024-09-22 22:22:25 +03:00
ace
5ef80aed84 roundcube: bump to v1.6.9, helm chart v0.4.4 2024-09-03 19:41:36 +03:00
ace
769ba9cf5d postfix: bump to v3.5.9, helm chart v0.1.6 2024-08-24 03:30:22 +03:00
ace
db0458a87b rspamd: bump to v3.9.1, helm chart v0.5.3 2024-08-24 03:30:14 +03:00
ace
aa2f627b9d dovecot: bump to v2.3.16, helm chart v0.1.7 2024-08-24 03:30:13 +03:00
ace
7ca7f196ba postgres-operator: bump to v1.13.0, helm chart v1.13.0 2024-08-24 03:12:34 +03:00
ace
5f7967bf6a postgres-operator-ui: bump to v1.13.0, helm chart v1.13.0 2024-08-24 03:12:32 +03:00
ace
72a60c9e67 mastodon: bump to v4.2.12, helm chart v5.1.5 2024-08-19 19:25:21 +03:00
ace
097cb672f1 mastodon: bump to v4.2.11, helm chart v5.1.4 2024-08-19 14:16:47 +03:00
ace
7f13ed6508 bitwarden: bump to v1.32.0, helm chart v2.0.27 2024-08-13 02:49:04 +03:00
ace
c28dc5a64d roundcube: bump to v1.6.8, helm chart v0.4.3 2024-08-13 02:49:01 +03:00
ace
b1d06879b3 peertube: bump to v6.2.1, helm chart v0.3.5 2024-08-13 02:48:51 +03:00
ace
6f71f2ace1 mastodon: bump to v4.2.10, helm chart v5.1.3 2024-07-05 01:19:57 +03:00
ace
17bd057945 postgres-operator-ui: bump to v1.12.2, helm chart v1.12.2 2024-06-16 17:38:52 +03:00
ace
ffc7f36269 postgres-operator: bump to v1.12.2, helm chart v1.12.2 2024-06-16 17:38:50 +03:00
ace
3a8be39de0 mastodon: bump to vv4.2.9, helm chart v5.1.2 2024-06-01 03:42:03 +03:00
ace
6b110c9f5b postgres-operator-ui: bump to v1.12.0, helm chart v1.12.0 2024-06-01 03:42:01 +03:00
ace
2ec29384d5 postgres-operator: bump to v1.12.0, helm chart v1.12.0 2024-06-01 03:41:59 +03:00
ace
def5dee695 bitwarden: bump to v1.30.5, helm chart v2.0.25 2024-05-26 17:49:54 +03:00
ace
67a0368924 wikijs: bump to v2.5.303, helm chart v2.3.15 2024-05-25 18:11:43 +03:00
ace
c6c0bc64f4 roundcube: bump to v1.6.7, helm chart v0.4.2 2024-05-25 18:11:34 +03:00
ace
9fe614d2de peertube: bump to v6.1.0, helm chart v0.3.4 2024-05-25 18:11:27 +03:00
ace
036a5d477e adguard-home: bump to v0.107.50, helm chart v2.3.26 2024-05-25 18:11:21 +03:00
ace
dce6ca34c9 postgres-operator-ui: bump to v1.11.0, helm chart v1.11.0 2024-05-05 18:45:33 +03:00
ace
c3bbae39b8 postgres-operator: bump to v1.11.0, helm chart v1.11.0 2024-05-05 18:45:29 +03:00
ace
a4006d24d3 wikijs: bump to v2.5.302, helm chart v2.3.14 2024-04-27 12:06:45 +03:00
ace
a8c29396d8 gitea-act-runner: bump to v0.2.10, helm chart v0.1.10 2024-04-12 01:03:58 +03:00
ace
6c574f1b58 adguard-home: bump to v0.107.48, helm chart v2.3.24 2024-04-12 01:03:51 +03:00
ace
c256157ce1 peertube: bump to v6.0.4, helm chart v0.3.3 2024-04-12 01:03:45 +03:00
ace
eaacac528c gitea-act-runner: bump to v0.2.7, helm chart v0.1.9 2024-03-27 18:04:34 +03:00
ace
91c1777ec1 openshift-console: bump to v4.14.0, helm chart v0.3.7 2024-03-27 18:04:28 +03:00
ace
1f96e818db bitwarden: bump to v1.30.3, helm chart v2.0.24 2024-03-03 00:44:19 +03:00
ace
2cddd598cf bitwarden: bump to v1.30.5, helm chart v2.0.25 2024-03-03 00:41:52 +03:00
ace
80c4245b80 rspamd: bump to v3.8.4, helm chart v0.5.2 2024-03-02 17:05:28 +03:00
ace
3bc8eda509 rspamd: bump to v3.8.3, helm chart v0.5.1 2024-02-23 18:09:32 +03:00
ace
dbbade0ddf bitwarden: bump to v1.30.3, helm chart v2.0.24 2024-02-02 12:15:47 +03:00
ace
6558427c9f wikijs: bump to v2.5.301, helm chart v2.3.13 2024-02-01 15:19:48 +03:00
ace
0da5cdd6d7 bitwarden: bump to v1.30.2, helm chart v2.0.23 2024-02-01 15:19:43 +03:00
ace
5b006b5fef rspamd: bump to v3.8.1, helm chart v0.5.0 2024-01-26 02:08:36 +03:00
ace
177522e09b roundcube: bump to v1.6.6, helm chart v0.4.1 2024-01-26 02:08:34 +03:00
ace
1db178e7f0 postfix: bump to v3.5.9, helm chart v0.1.5 2024-01-26 02:08:31 +03:00
ace
89dd16aabd dovecot: bump to v2.3.16, helm chart v0.1.6 2024-01-26 02:08:27 +03:00
ace
d5392ce457 peertube: bump to v6.0.3, helm chart v0.3.2 2024-01-19 17:27:56 +03:00
ace
60b7538edf rspamd: bump to v3.7.5, helm chart v0.4.9 2023-12-16 23:30:21 +03:00
ace
bb32612a83 peertube: bump to v6.0.2, helm chart v0.3.1 2023-12-14 21:51:01 +03:00
ace
3b9a244f8d bitwarden: bump to v1.30.1, helm chart v2.0.22 2023-12-14 21:50:58 +03:00
ace
fe5dda3dcc adguard-home: bump to v0.107.43, helm chart v2.3.23 2023-12-14 21:50:56 +03:00
ace
f0711bb137 peertube: bump to v6.0.1, helm chart v0.3.0 2023-11-29 16:59:43 +03:00
ace
0cbf52ef5e rspamd: bump to v3.7.4, helm chart v0.4.8 2023-11-18 20:58:16 +03:00
ace
435b5f667d roundcube: bump to v1.6.5, helm chart v0.4.0 2023-11-18 20:58:05 +03:00
ace
673488912e adguard-home: bump to v0.107.41, helm chart v2.3.22 2023-11-18 20:58:00 +03:00
ace
a9b872769c rspamd: bump to v3.7.3, helm chart v0.4.7 2023-10-30 10:40:47 +03:00
ace
e61819d5b1 adguard-home: bump to v0.107.40, helm chart v2.3.21 2023-10-22 17:56:38 +03:00
ace
abf75e41f7 adguard-home: bump to v0.107.39, helm chart v2.3.20 2023-10-13 18:25:54 +03:00
ace
e17210ad5b rspamd: bump to v3.7.1, helm chart v0.4.6 2023-10-08 02:15:39 +03:00
ace
ac9f4c56dc gitea-act-runner: bump to v0.2.6, helm chart v0.1.8 2023-10-02 20:07:50 +03:00
ace
f64206fd04 gitea-act-runner: bump to v0.2.6, helm chart v0.1.7 2023-10-02 01:04:41 +03:00
ace
4a5526183a gitea-act-runner: bump to v0.2.5, helm chart v0.1.6 2023-09-15 23:43:34 +03:00
ace
a56f5245c7 adguard-home: bump to v0.107.38, helm chart v2.3.19 2023-09-12 23:24:15 +03:00
ace
4c69e6500c adguard-home: bump to v0.107.37, helm chart v2.3.18 2023-09-09 16:55:20 +03:00
ace
b2018c2a0d postgres-operator-ui: bump to v1.10.1, helm chart v1.10.1 2023-09-09 16:55:18 +03:00
ace
d5dff70302 postgres-operator: bump to v1.10.1, helm chart v1.10.1 2023-09-09 16:55:14 +03:00
ace
6a42c3a769 wikijs: bump to v2.5.300, helm chart v2.3.12 2023-08-12 18:13:19 +03:00
ace
0e483f78be rspamd: bump to v3.6, helm chart v0.4.5 2023-08-11 14:15:51 +03:00
ace
7e98d17f18 adguard-home: bump to v0.107.36, helm chart v2.3.17 2023-08-03 00:31:17 +03:00
ace
5b8785829f gitea-act-runner: bump to v0.2.5, helm chart v0.1.5 2023-08-02 12:31:24 +03:00
ace
d987cc9a5f opendkim: bump to v2.11.0, helm chart v0.1.4 2023-08-01 18:35:35 +03:00
ace
534ed82e5c opendmarc: bump to v1.4.2, helm chart v0.1.4 2023-08-01 18:35:32 +03:00
ace
989c52a69e postfix: bump to v3.5.9, helm chart v0.1.4 2023-08-01 18:35:28 +03:00
ace
42c28bff23 dovecot: bump to v2.3.16, helm chart v0.1.5 2023-08-01 18:35:21 +03:00
ace
bcae8772c6 rspamd: bump to v3.5, helm chart v0.4.4 2023-08-01 18:35:18 +03:00
ace
a7d4b0a452 gitea-act-runner: bump to v0.2.4, helm chart v0.1.4 2023-07-29 20:02:48 +03:00
ace
17178e812b bitwarden: bump to v1.29.1, helm chart v2.0.21 2023-07-29 20:02:44 +03:00
ace
5d1165921d adguard-home: bump to v0.107.35, helm chart v2.3.16 2023-07-27 22:54:53 +03:00
ace
53f68cd579 fix readme 2023-07-18 21:22:42 +03:00
ace
3eb6685103 mastodon: bump to v4.1.4, helm chart v4.0.1 2023-07-10 11:57:20 +03:00
ace
5ae0e7c42e gitea-act-runner: bump to v0.2.3, helm chart v0.1.3 2023-07-04 21:14:06 +03:00
ace
1164a2b2c4 adguard-home: bump to v0.107.33, helm chart v2.3.15 2023-07-04 21:02:22 +03:00
ace
c53ea826d4 peertube: bump to v5.2.0, helm chart v0.2.2 2023-06-24 18:08:28 +03:00
ace
45d1b4d9a5 gitea-act-runner: bump to v0.2.0, helm chart v0.1.2 2023-06-18 20:23:43 +03:00
ace
157e8cd86f adguard-home: bump to v0.107.32, helm chart v2.3.14 2023-06-17 04:17:11 +03:00
ace
e21e9f1b63 openshift-console: bump to v4.10.0, helm chart v0.3.6 2023-06-12 19:37:57 +03:00
ace
5b6043237d gitea-act-runner: bump to v0.1.8-14-gb21d476, helm chart v0.1.1 2023-06-11 22:03:07 +03:00
ace
65c9af1f88 fix 2023-06-10 08:05:02 +03:00
ace
0556cd20f3 external-dns: fix mistype 2023-06-10 06:35:44 +03:00
128 changed files with 4951 additions and 792 deletions


@@ -1,7 +1,7 @@
## Helm charts repository
Used for Geek Home Platform deployment
Used for [Geek Home Platform](https://geekhome.org/) deployment
## Usage
helm repo add ghp https://registry.geekhome.org/chartrepo/ghp
helm repo add ghp https://gitea.geekhome.org/api/packages/ghp/helm


@@ -1,5 +1,5 @@
apiVersion: v2
appVersion: 0.107.29
appVersion: 0.107.63
description: DNS proxy as ad-blocker for local network
home: https://github.com/k8s-at-home/charts/tree/master/charts/adguard-home
icon: https://avatars3.githubusercontent.com/u/8361145?s=200&v=4?sanitize=true
@@ -12,4 +12,4 @@ maintainers:
name: adguard-home
sources:
- https://github.com/AdguardTeam/AdGuardHome
version: 2.3.13
version: 2.3.33


@@ -4,7 +4,7 @@ strategyType: Recreate
image:
repository: adguard/adguardhome
# Image tag is set via charts appVersion. If you want to override the tag, specify it here
tag: v0.107.29
tag: v0.107.63
pullPolicy: IfNotPresent
nameOverride: ""

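--- /dev/null
+++ b/autovault/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/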

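--- /dev/null
+++ b/autovault/Chart.yaml
+apiVersion: v2
+name: autovault
+description: A Helm chart for Kubernetes
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.1.0"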
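Review bot: `description: A Helm chart for Kubernetes` is the unedited `helm create` placeholder, so the chart index tells users nothing about what autovault does; the ConfigMap script in this same chart shows it initialises and unseals a Vault instance and provisions AppRole credentials into Kubernetes Secrets, so something like `description: CronJob that initialises/unseals Vault and provisions AppRole credentials as Kubernetes Secrets` belongs here. kanidm/Chart.yaml in this compare carries the identical placeholder and should get a real description too.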


@@ -0,0 +1,62 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "autovault.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "autovault.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "autovault.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "autovault.labels" -}}
helm.sh/chart: {{ include "autovault.chart" . }}
{{ include "autovault.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "autovault.selectorLabels" -}}
app.kubernetes.io/name: {{ include "autovault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "autovault.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "autovault.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}


@@ -0,0 +1,68 @@
---
kind: ConfigMap
apiVersion: v1
metadata:
name: {{ include "autovault.fullname" . }}-scripts
labels:
{{- include "autovault.labels" . | nindent 4 }}
data:
autovault.sh: |
#!/bin/bash
HOME=/vault/data
while [[ "$(curl -L -s -o /dev/null -w ''%{http_code}'' {{ .Values.vaultUrl }})" != "200" ]]; do sleep 5; done
export VAULT_ADDR={{ .Values.vaultUrl }}
INITIALIZED=$(vault status -format=json | jq -r '.initialized')
SEALED=$(vault status -format=json | jq -r '.sealed')
if [[ "$INITIALIZED" == "false" ]] ; then
vault operator init -key-threshold=1 -key-shares=1 -format=json > /vault/data/keys.json
fi
if [[ "$SEALED" == "true" ]] ; then
KEY=$(cat /vault/data/keys.json | jq -r '.unseal_keys_b64[0]')
vault operator unseal $KEY
fi
export VAULT_TOKEN=$(cat /vault/data/keys.json | jq -r '.root_token')
KV_ENABLED=$(vault secrets list | grep -i kv)
if [[ -z "$KV_ENABLED" ]] ; then
vault secrets enable -version=2 kv
fi
USERPASS_ENABLED=$(vault auth list | grep -i userpass)
if [[ -z "$USERPASS_ENABLED" ]] ; then
vault auth enable userpass
fi
APPROLE_ENABLED=$(vault auth list | grep -i approle)
if [[ -z "$APPROLE_ENABLED" ]] ; then
vault auth enable approle
fi
echo
echo "----------------------------------------------------------------"
echo
echo "Vault root token: ${VAULT_TOKEN}"
echo
echo "----------------------------------------------------------------"
echo
for APPROLE in {{ join " " .Values.autovaultGenSecretsApps }}; do
APPROLE_CREATED=$(vault read auth/approle/role/"$APPROLE"/role-id)
if [[ -z "$APPROLE_CREATED" ]] ; then
vault write -f auth/approle/role/"$APPROLE"
fi
kubectl get secret vault-secret-"$APPROLE" || \
{ APPROLE_ROLE_ID=$(vault read auth/approle/role/"$APPROLE"/role-id | grep "role_id\s" | awk '{print $2}') ; \
APPROLE_SECRET_ID=$(vault write -f auth/approle/role/"$APPROLE"/secret-id | grep "secret_id\s" | awk '{print $2}') ; \
kubectl create secret generic vault-secret-"$APPROLE" --from-literal=rootToken="$VAULT_TOKEN" --from-literal=roleId="$APPROLE_ROLE_ID" --from-literal=secretId="$APPROLE_SECRET_ID" ;
echo "$APPROLE role-id = $APPROLE_ROLE_ID" ; }
done
vault auth list
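Review bot: The script hands the Vault root token to every application: `--from-literal=rootToken="$VAULT_TOKEN"` places it in each `vault-secret-<app>` Secret, and `echo "Vault root token: ${VAULT_TOKEN}"` writes it to the job log, so anyone able to read those Secrets or the pod logs holds full control of Vault rather than the scoped AppRole the app was meant to get. The AppRole `roleId`/`secretId` pair is what consumers should receive; drop the `rootToken` literal and the echo, and keep the root token (together with the single unseal key, since `-key-shares=1 -key-threshold=1`) only in `/vault/data/keys.json`, which is itself a plaintext file on the PVC and deserves a prominent note in the chart documentation. With no `set -euo pipefail`, a failed `vault operator init` still leaves an empty `keys.json` behind through the redirect, and the following `jq` reads continue with empty values instead of failing the Job; `set -euo pipefail` directly after the shebang makes the failure visible. The ConfigMap is complete within this hunk.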


@@ -0,0 +1,54 @@
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: {{ include "autovault.fullname" . }}
labels:
{{- include "autovault.labels" . | nindent 4 }}
spec:
concurrencyPolicy: Forbid
schedule: {{ .Values.autovaultSchedule | quote }}
successfulJobsHistoryLimit: 1
failedJobsHistoryLimit: 1
jobTemplate:
spec:
backoffLimit: 2
activeDeadlineSeconds: 300
template:
spec:
serviceAccountName: {{ include "autovault.fullname" . }}
restartPolicy: Never
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: autovault
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
volumeMounts:
- name: {{ include "autovault.fullname" . }}-data
mountPath: /vault/data
- name: {{ include "autovault.fullname" . }}-scripts
mountPath: /vault/scripts
command: [ "/bin/bash", "-c", "/vault/scripts/autovault.sh" ]
volumes:
- name: {{ include "autovault.fullname" . }}-data
persistentVolumeClaim:
claimName: {{ include "autovault.fullname" . }}-data
- name: {{ include "autovault.fullname" . }}-scripts
configMap:
name: {{ include "autovault.fullname" . }}-scripts
defaultMode: 0777
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
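Review bot: `podSecurityContext`, `securityContext` and `resources` are declared in autovault/values.yaml but this template never renders them, so the job runs with no pod or container security context and no resource limits whatever the user sets; add `securityContext:` / `{{- toYaml .Values.securityContext | nindent 12 }}` under the container (and the pod-level and `resources` equivalents) the way the gitea-act-runner deployment does. The scripts ConfigMap is mounted with `defaultMode: 0777`; a ConfigMap volume is mounted read-only by the kubelet regardless, so the write bits buy nothing, and invoking the script as `command: ["/bin/bash", "/vault/scripts/autovault.sh"]` removes the need for the execute bit as well, leaving `defaultMode: 0444`. `serviceAccountName: {{ include "autovault.fullname" . }}` also disagrees with the ServiceAccount template, which names the account via `autovault.serviceAccountName`; use that helper here so a custom `serviceAccount.name` keeps working.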


@@ -0,0 +1,26 @@
---
{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: {{ template "autovault.fullname" . }}-data
labels:
{{- include "autovault.labels" . | nindent 4 }}
{{- if .Values.persistence.annotations }}
annotations:
{{ toYaml .Values.persistence.annotations | indent 4 }}
{{- end }}
spec:
accessModes:
- {{ .Values.persistence.accessMode | quote }}
resources:
requests:
storage: {{ .Values.persistence.size | quote }}
{{- if .Values.persistence.storageClass }}
{{- if (eq "-" .Values.persistence.storageClass) }}
storageClassName: ""
{{- else }}
storageClassName: "{{ .Values.persistence.storageClass }}"
{{- end }}
{{- end }}
{{- end }}
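Review bot: The guard on the second line skips this PVC when `persistence.existingClaim` is set, but the CronJob template mounts `claimName: {{ include "autovault.fullname" . }}-data` unconditionally, so a user-supplied claim is never referenced and the pod waits on a claim that does not exist. Resolve it in the CronJob with `claimName: {{ .Values.persistence.existingClaim | default (printf "%s-data" (include "autovault.fullname" .)) }}` and guard the `persistentVolumeClaim` block with `persistence.enabled` so `enabled: false` falls back to an `emptyDir` instead of a dangling claim. This file also uses `{{ template "autovault.fullname" . }}` where the other autovault templates use `include`; both work here, but `include` is the form the rest of the chart uses.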


@@ -0,0 +1,26 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "autovault.fullname" . }}
labels:
{{- include "autovault.labels" . | nindent 4 }}
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["list", "get", "watch", "create", "delete"]
- apiGroups: [""]
resources: ["pods/exec"]
verbs: ["create"]
- apiGroups: [""]
resources: ["pods/log"]
verbs: ["get"]
- apiGroups: [""]
resources: ["pods/attach"]
verbs: ["list", "get", "create", "delete", "update"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["list", "get", "create", "delete", "update"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["list", "get", "create", "delete", "update"]
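Review bot: The Role is far wider than the script needs: autovault.sh only runs `kubectl get secret` and `kubectl create secret`, yet the rules grant create/delete on pods, `create` on pods/exec and pods/attach, and full write on configmaps, which amounts to code execution in any pod of the namespace for anyone holding this service account's token. Trim the rules to what the script actually uses, `- apiGroups: [""]` / `resources: ["secrets"]` / `verbs: ["get", "create"]`, and add verbs back only when the script grows to need them.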


@@ -0,0 +1,15 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "autovault.fullname" . }}
labels:
{{- include "autovault.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
name: {{ include "autovault.fullname" . }}
kind: Role
subjects:
- kind: ServiceAccount
name: {{ include "autovault.fullname" . }}
namespace: {{ .Release.Namespace }}
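Review bot: `subjects[0].name` is `{{ include "autovault.fullname" . }}`, but the ServiceAccount template names the account with `autovault.serviceAccountName`, which honours `.Values.serviceAccount.name` and falls back to `default` when `create` is false; with either setting the binding (and the CronJob's `serviceAccountName`, which has the same mismatch) points at an account that does not exist and the job's `kubectl` calls are denied. Use `name: {{ include "autovault.serviceAccountName" . }}` here and in the CronJob pod spec so all three templates agree.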


@@ -0,0 +1,13 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "autovault.serviceAccountName" . }}
labels:
{{- include "autovault.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
{{- end }}

107
autovault/values.yaml Normal file

@@ -0,0 +1,107 @@
# Default values for autovault.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
# This will set the replicaset count more information can be found here: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/
replicaCount: 1
# This sets the container image more information can be found here: https://kubernetes.io/docs/concepts/containers/images/
image:
repository: gitea.geekhome.org/ghp/autovault
# This sets the pull policy for images.
pullPolicy: Always
# Overrides the image tag whose default is the chart appVersion.
tag: "0.1.0-1"
# This is for the secrets for pulling an image from a private repository more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
imagePullSecrets: []
# This is to override the chart name.
nameOverride: ""
fullnameOverride: ""
vaultUrl: "http://vault:8200"
autovaultGenSecretsApps:
- approle1
autovaultSchedule: "0/5 * * * *"
# This section builds out the service account more information can be found here: https://kubernetes.io/docs/concepts/security/service-accounts/
serviceAccount:
# Specifies whether a service account should be created
create: true
# Automatically mount a ServiceAccount's API credentials?
automount: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
# This is for setting Kubernetes Annotations to a Pod.
# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
podAnnotations: {}
# This is for setting Kubernetes Labels to a Pod.
# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
podLabels: {}
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
persistence:
enabled: true
annotations: {}
## PeerTube data Persistent Volume Storage Class
## If defined, storageClassName: <storageClass>
## If set to "-", storageClassName: "", which disables dynamic provisioning
## If undefined (the default) or set to null, no storageClassName spec is
## set, choosing the default provisioner. (gp2 on AWS, standard on
## GKE, AWS & OpenStack)
##
# storageClass: "-"
## A manually managed Persistent Volume and Claim
## Requires persistence.enabled: true
## If defined, PVC must be created manually before volume will be bound
# existingClaim:
accessMode: ReadWriteOnce
size: 1Mi
# Additional volumes on the output Deployment definition.
volumes: []
# - name: foo
# secret:
# secretName: mysecret
# optional: false
# Additional volumeMounts on the output Deployment definition.
volumeMounts: []
# - name: foo
# mountPath: "/etc/foo"
# readOnly: true
nodeSelector: {}
tolerations: []
affinity: {}
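Review bot: The `persistence` comment block reads `## PeerTube data Persistent Volume Storage Class`, copied from another chart; it should read `## Autovault data Persistent Volume Storage Class`. Several keys here are dead: `replicaCount`, `podAnnotations`, `podLabels`, `podSecurityContext`, `securityContext`, `resources`, `volumes` and `volumeMounts` are never read by the autovault templates (the CronJob renders none of them), and the comments on `volumes`/`volumeMounts` speak of an "output Deployment" although the chart ships a CronJob; either wire them into the CronJob or remove them so users do not assume they take effect. `vaultUrl` defaults to plain `http://`, so the root token and unseal key the script exchanges with Vault travel unencrypted unless the in-cluster path is otherwise protected; a comment recommending an `https://` endpoint would make that trade-off explicit.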


@@ -1,5 +1,5 @@
apiVersion: v2
appVersion: 1.28.1
appVersion: 1.34.3
description: Unofficial Bitwarden compatible server written in Rust
home: https://github.com/k8s-at-home/charts/tree/master/charts/bitwardenrs
icon: https://raw.githubusercontent.com/bitwarden/brand/master/icons/256x256.png
@@ -17,4 +17,4 @@ name: bitwarden
sources:
- https://github.com/dani-garcia/bitwarden_rs
type: application
version: 2.0.20
version: 2.0.40


@@ -5,7 +5,7 @@ replicaCount: 1
image:
repository: vaultwarden/server
pullPolicy: IfNotPresent
tag: "1.28.1"
tag: "1.34.3"
imagePullSecrets: []
nameOverride: ""


@@ -14,7 +14,7 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
version: 0.1.4
version: 0.1.8
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application.


@@ -13,8 +13,8 @@ tls:
dovecot:
image:
repository: registry.geekhome.org/ghp/dovecot
tag: 2.3.16-1
repository: gitea.geekhome.org/ghp/dovecot
tag: 2.3.16-5
pullPolicy: Always
configmaps:
dovecot:


@@ -58,7 +58,7 @@ watchReleaseNamespace: false
## @param image.pullSecrets ExternalDNS image pull secrets
##
image:
registry: git.geekgome.org
registry: gitea.geekhome.org
repository: ghp/external-dns
tag: v0.7.6-663-gf76382a5
digest: ""


@@ -15,10 +15,10 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.0
version: 0.1.13
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "0.1.8"
appVersion: "0.2.12"


@@ -2,7 +2,7 @@
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: {{ template "gitea-act-runner.fullname" . }}
name: {{ template "gitea-act-runner.fullname" . }}-data
labels:
app: {{ template "gitea-act-runner.name" . }}
chart: {{ template "gitea-act-runner.chart" . }}


@@ -32,9 +32,9 @@ spec:
- name: {{ .Chart.Name }}-runner
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
image: "{{ .Values.image.runner.repository }}:{{ .Values.image.runner.tag | default .Chart.AppVersion }}"
command: ["/bin/sh"]
args: ["-c", "while ! nc -z localhost 2376 </dev/null; do echo 'waiting for docker daemon...'; sleep 5; done; /sbin/tini -- /opt/act/run.sh"]
args: ["-c", "while ! nc -z localhost 2376 </dev/null; do echo 'waiting for docker daemon...'; sleep 5; done; /sbin/tini -- /usr/local/bin/run.sh"]
imagePullPolicy: {{ .Values.image.pullPolicy }}
env:
- name: DOCKER_HOST
@@ -81,15 +81,17 @@ spec:
resources:
{{- toYaml .Values.resources | nindent 12 }}
- name: {{ .Chart.Name }}-daemon
image: docker:23.0.6-dind
image: "{{ .Values.image.daemon.repository }}:{{ .Values.image.daemon.tag | default .Chart.AppVersion }}"
env:
- name: DOCKER_TLS_CERTDIR
value: /certs
securityContext:
privileged: true
volumeMounts:
- name: docker-certs
mountPath: /certs
- name: gitea-act-runner-data
mountPath: /data
- name: docker-certs
mountPath: /certs
resources:
{{- toYaml .Values.resources | nindent 12 }}
volumes:
@@ -98,7 +100,7 @@ spec:
- name: gitea-act-runner-data
{{- if .Values.persistence.enabled }}
persistentVolumeClaim:
claimName: {{ .Values.persistence.existingClaim | default (include "gitea-act-runner.fullname" .) }}
claimName: {{ .Values.persistence.existingClaim | default (include "gitea-act-runner.fullname" .) }}-data
{{- else }}
emptyDir: {}
{{- end }}
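Review bot: The daemon image falls back to `.Chart.AppVersion` (`0.2.12`, the act_runner version), so leaving `image.daemon.tag` empty resolves to `docker:0.2.12`, a tag that does not exist for the docker image; give the daemon its own default instead, e.g. `image: "{{ .Values.image.daemon.repository }}:{{ .Values.image.daemon.tag }}"` with the default kept in values.yaml. `image.daemon.pullPolicy` is added to values.yaml, but the daemon container renders no `imagePullPolicy`, so that key is silently ignored. In the volumes hunk, `{{ .Values.persistence.existingClaim | default (include "gitea-act-runner.fullname" .) }}-data` appends `-data` to a user-supplied `existingClaim` as well, which breaks that option; move the suffix inside the default, `default (printf "%s-data" (include "gitea-act-runner.fullname" .))`. The Deployment spec starts and ends outside these hunks.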


@@ -5,10 +5,15 @@
replicaCount: 1
image:
repository: gitea/act_runner
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
tag: "0.1.8"
runner:
repository: gitea/act_runner
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
tag: "0.2.12"
daemon:
repository: docker
pullPolicy: IfNotPresent
tag: "28.3.2-dind"
imagePullSecrets: []
nameOverride: ""
@@ -60,7 +65,7 @@ configAsCode:
port: 0
container:
# Which network to use for the job containers. Could be bridge, host, none, or the name of a custom network.
network_mode: bridge
network: host
# Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
privileged: true
# And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
@@ -68,6 +73,22 @@ configAsCode:
# The parent directory of a job's working directory.
# If it's empty, /workspace will be used.
workdir_parent:
# Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
# You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
# For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
# valid_volumes:
# - data
# - /src/*.json
# If you want to allow any volume, please use the following configuration:
# valid_volumes:
# - '**'
valid_volumes: []
# overrides the docker client host with the specified one.
# If it's empty, act_runner will find an available docker host automatically.
# If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
# If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
docker_host: ""
serviceAccount:
# Specifies whether a service account should be created
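Review bot: `network: host` replaces `network_mode: bridge` without a comment saying why job containers now need to share the Docker daemon's network namespace; the comment above it lists `bridge`, `none` or a custom network as alternatives, and together with `privileged: true` this removes the per-job network isolation the previous default gave, so the reason (and whether a named network would do) should be recorded next to it, e.g. `# host: jobs share the dind daemon's network namespace — needed because <REASON>` with the placeholder filled in. The key rename from `network_mode` to `network` presumably tracks the act_runner config schema for the new `0.2.12` tag; a one-line comment naming the version that introduced it would help the next upgrade. `valid_volumes: []` and `docker_host: ""` are sensible restrictive defaults and their inline comments already document the semantics.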

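--- /dev/null
+++ b/kanidm/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/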

24
kanidm/Chart.yaml Normal file

@@ -0,0 +1,24 @@
apiVersion: v2
name: kanidm
description: A Helm chart for Kubernetes
# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.2.2
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "1.6.4"
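Review bot: `description: A Helm chart for Kubernetes` is the `helm create` scaffold placeholder and carries no information for `helm search` users; replace it with a one-line description such as `description: Kanidm identity management server (HTTPS, optional LDAPS, online backups)`. The surrounding scaffold comments about application/library charts could also be trimmed now that the chart has settled, but that is cosmetic.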


@@ -0,0 +1,22 @@
1. Get the application URL by running these commands:
{{- if .Values.ingress.enabled }}
{{- range $host := .Values.ingress.hosts }}
{{- range .paths }}
http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
{{- end }}
{{- end }}
{{- else if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "kanidm.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch its status by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "kanidm.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "kanidm.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
echo http://$SERVICE_IP:{{ .Values.service.port }}
{{- else if contains "ClusterIP" .Values.service.type }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "kanidm.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
echo "Visit http://127.0.0.1:8080 to use your application"
kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
{{- end }}
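Review bot: The NodePort, LoadBalancer and port-forward branches print `http://` URLs, but the kanidm listener this chart configures is TLS-only (the ConfigMap's bindaddress comment says it requires TLS certificates, and both probes in values.yaml use `scheme: HTTPS`), so the printed URLs will be refused by the server. Change `echo http://$NODE_IP:$NODE_PORT` to `echo https://$NODE_IP:$NODE_PORT`, likewise `echo https://$SERVICE_IP:{{ .Values.service.port }}` and `echo "Visit https://127.0.0.1:8080 to use your application"`. The ingress branch derives its scheme from `.Values.ingress.tls` and is unaffected.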


@@ -0,0 +1,62 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "kanidm.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "kanidm.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "kanidm.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "kanidm.labels" -}}
helm.sh/chart: {{ include "kanidm.chart" . }}
{{ include "kanidm.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "kanidm.selectorLabels" -}}
app.kubernetes.io/name: {{ include "kanidm.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "kanidm.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "kanidm.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}


@@ -0,0 +1,136 @@
kind: ConfigMap
apiVersion: v1
metadata:
name: {{ include "kanidm.fullname" . }}-config
labels:
{{- include "kanidm.labels" . | nindent 4 }}
data:
server.toml: |
# The server configuration file version.
version = "2"
# The webserver bind address. Requires TLS certificates.
# If the port is set to 443 you may require the
# NET_BIND_SERVICE capability.
# Defaults to "127.0.0.1:8443"
bindaddress = "{{ tpl .Values.kanidm.bindaddress $ }}"
#
# The read-only ldap server bind address. Requires
# TLS certificates. If set to 636 you may require
# the NET_BIND_SERVICE capability.
# Defaults to "" (disabled)
{{- if .Values.kanidmLdap.enabled }}
dapbindaddress = "{{ tpl .Values.kanidmLdap.dapbindaddress $ }}"
{{- else }}
# ldapbindaddress = "{{ tpl .Values.kanidmLdap.dapbindaddress $ }}"
{{- end }}
#
# The path to the kanidm database.
db_path = "{{ .Values.kanidm.db_path }}"
#
# If you have a known filesystem, kanidm can tune the
# database page size to match. Valid choices are:
# [zfs, other]
# If you are unsure about this leave it as the default
# (other). After changing this
# value you must run a vacuum task.
# - zfs:
# * sets database pagesize to 64k. You must set
# recordsize=64k on the zfs filesystem.
# - other:
# * sets database pagesize to 4k, matching most
# filesystems block sizes.
{{- if .Values.kanidm.db_fs_type }}
db_fs_type = "{{ .Values.kanidm.db_fs_type }}"
{{- else }}
# db_fs_type = "zfs"
{{- end }}
#
# The number of entries to store in the in-memory cache.
# Minimum value is 256. If unset
# an automatic heuristic is used to scale this.
# You should only adjust this value if you experience
# memory pressure on your system.
{{- if .Values.kanidm.db_arc_size }}
db_arc_size = {{ .Values.kanidm.db_arc_size }}
{{- else }}
# db_arc_size = 2048
{{- end }}
#
# TLS chain and key in pem format. Both must be present.
# If the server receives a SIGHUP, these files will be
# re-read and reloaded if their content is valid.
tls_chain = "{{ .Values.kanidm.tls_chain }}"
tls_key = "{{ .Values.kanidm.tls_key }}"
#
# The log level of the server. May be one of info, debug, trace
#
# NOTE: this can be overridden by the environment variable
# `KANIDM_LOG_LEVEL` at runtime
# Defaults to "info"
log_level = "{{ .Values.kanidm.log_level }}"
#
# The DNS domain name of the server. This is used in a
# number of security-critical contexts
# such as webauthn, so it *must* match your DNS
# hostname. It is used to create
# security principal names such as `william@idm.example.com`
# so that in a (future) trust configuration it is possible
# to have unique Security Principal Names (spns) throughout
# the topology.
#
# ⚠️ WARNING ⚠️
#
# Changing this value WILL break many types of registered
# credentials for accounts including but not limited to
# webauthn, oauth tokens, and more.
# If you change this value you *must* run
# `kanidmd domain rename` immediately after.
domain = "{{ tpl .Values.kanidm.domain $ }}"
#
# The origin for webauthn. This is the url to the server,
# with the port included if it is non-standard (any port
# except 443). This must match or be a descendent of the
# domain name you configure above. If these two items are
# not consistent, the server WILL refuse to start!
# origin = "https://idm.example.com"
origin = "https://{{ tpl .Values.kanidm.domain $ }}:{{ .Values.service.port }}"
#
# HTTPS requests can be reverse proxied by a loadbalancer.
# To preserve the original IP of the caller, these systems
# will often add a header such as "Forwarded" or
# "X-Forwarded-For". Some other proxies can use the PROXY
# protocol v2 header.
# This setting allows configuration of the range of trusted
# IPs which can supply this header information, and which
# format the information is provided in.
# Defaults to "none" (no trusted sources)
# Only one option can be used at a time.
# [http_client_address_info]
# proxy-v2 = ["127.0.0.1"]
# # OR
# x-forward-for = ["127.0.0.1"]
# LDAPS requests can be reverse proxied by a loadbalancer.
# To preserve the original IP of the caller, these systems
# can add a header such as the PROXY protocol v2 header.
# This setting allows configuration of the range of trusted
# IPs which can supply this header information, and which
# format the information is provided in.
# Defaults to "none" (no trusted sources)
# [ldap_client_address_info]
# proxy-v2 = ["127.0.0.1"]
{{- if .Values.kanidmOnlineBackup.enabled }}
[online_backup]
# The path to the output folder for online backups
path = "{{ .Values.kanidmOnlineBackup.path }}"
# The schedule to run online backups (see https://crontab.guru/)
# every day at 22:00 UTC (default)
schedule = "{{ .Values.kanidmOnlineBackup.schedule }}"
# four times a day at 3 minutes past the hour, every 6th hours
# schedule = "03 */6 * * *"
# We also support non standard cron syntax, with the following format:
# sec min hour day of month month day of week year
# (it's very similar to the standard cron syntax, it just allows to specify the seconds
# at the beginning and the year at the end)
# Number of backups to keep (default 7)
versions = {{ .Values.kanidmOnlineBackup.versions }}
{{- end }}
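Review bot: The enabled branch of the LDAP block emits the TOML key as `dapbindaddress = ...`, while the disabled branch right below comments out `ldapbindaddress`; the server setting is `ldapbindaddress`, so turning on `kanidmLdap` writes an unknown key and the LDAPS listener is never bound (or the config is rejected, depending on how strictly the server parses). Change the line to `ldapbindaddress = "{{ tpl .Values.kanidmLdap.dapbindaddress $ }}"` — the values key can keep its current name for compatibility. Separately, `origin` always appends `:{{ .Values.service.port }}`, so the default renders `https://idm.example.com:443` even though the comment above it says the port belongs there only when non-standard, and browsers report the WebAuthn origin without a default port; emit it conditionally, e.g. `origin = "https://{{ tpl .Values.kanidm.domain $ }}{{ if ne (int .Values.service.port) 443 }}:{{ .Values.service.port }}{{ end }}"`. The `http_client_address_info` block is left as a comment with no value behind it, so when the chart's ingress is used every request will presumably be logged with the ingress controller's address rather than the client's — worth exposing as a value with a comment on which proxies it should trust.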


@@ -0,0 +1,147 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "kanidm.fullname" . }}
labels:
{{- include "kanidm.labels" . | nindent 4 }}
spec:
{{- if not .Values.autoscaling.enabled }}
replicas: {{ .Values.replicaCount }}
{{- end }}
{{- if .Values.strategy }}
strategy:
{{ toYaml .Values.strategy | indent 2 }}
{{- end }}
selector:
matchLabels:
{{- include "kanidm.selectorLabels" . | nindent 6 }}
template:
metadata:
annotations:
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
{{- with .Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "kanidm.labels" . | nindent 8 }}
{{- with .Values.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "kanidm.serviceAccountName" . }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
shareProcessNamespace: true
initContainers:
- name: {{ .Chart.Name }}-certs
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
command:
- bash
- -c
- kanidmd cert-generate
imagePullPolicy: {{ .Values.image.pullPolicy }}
volumeMounts:
- name: kanidm-data
mountPath: "/data"
- name: kanidm-config
mountPath: /data/server.toml
subPath: server.toml
{{- with .Values.volumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
- name: {{ .Chart.Name }}-db-pass
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
command:
- sh
- -c
- |
/sbin/kanidmd server -c /data/server.toml &
serverPID=$!
until curl -k --output /dev/null --silent --head --fail https://localhost:{{ .Values.service.port }}; do
printf '.'
sleep 5
done
echo "##### Start domain upgrade-check"
/sbin/kanidmd domain upgrade-check
echo "##### Done domain upgrade-check"
ADMIN_PASS=$(kanidmd recover-account admin 2>/dev/null | gawk 'match($0, /new_password:(.*)/, a) { gsub(/ |"/, "", a[1]); print a[1]}')
IDM_ADMIN_PASS=$(kanidmd recover-account idm_admin 2>/dev/null | gawk 'match($0, /new_password:(.*)/, a) { gsub(/ |"/, "", a[1]); print a[1]}')
kill $serverPID
kubectl delete secret kanidm-passwords --ignore-not-found
kubectl create secret generic kanidm-passwords --from-literal=admin="$ADMIN_PASS" --from-literal=idm_admin="$IDM_ADMIN_PASS"
imagePullPolicy: {{ .Values.image.pullPolicy }}
volumeMounts:
- name: kanidm-data
mountPath: "/data"
- name: kanidm-config
mountPath: /data/server.toml
subPath: server.toml
{{- with .Values.volumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
ports:
- name: http
containerPort: {{ .Values.service.port }}
protocol: TCP
{{- if .Values.kanidmLdap.enabled }}
- name: ldap
containerPort: {{ .Values.service.ldap }}
protocol: TCP
{{- end }}
livenessProbe:
{{- toYaml .Values.livenessProbe | nindent 12 }}
readinessProbe:
{{- toYaml .Values.readinessProbe | nindent 12 }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
volumeMounts:
- name: kanidm-data
mountPath: "/data"
- name: kanidm-config
mountPath: /data/server.toml
subPath: server.toml
{{- with .Values.volumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
volumes:
- name: kanidm-data
{{- if .Values.persistence.enabled }}
persistentVolumeClaim:
claimName: {{ .Values.persistence.existingClaim | default (include "kanidm.fullname" .) }}-data
{{- else }}
emptyDir: {}
{{- end }}
- name: kanidm-config
configMap:
name: {{ include "kanidm.fullname" . }}-config
{{- with .Values.volumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
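Review bot: The `-db-pass` init container script has no failure handling: `sh -c` runs without `set -e`, the stderr of `recover-account` is discarded, and the pipeline's status is gawk's, so when recovery fails both variables are empty and the script still deletes `kanidm-passwords` and recreates it with empty strings, silently destroying the credentials that were stored before. Deleting and recreating also leaves a window in which the Secret does not exist; `kubectl create ... --dry-run=client -o yaml | kubectl apply -f -` updates it in place. Note that `recover-account` issues a new password on every run, so every pod start rotates both admin passwords and the Secret name is fixed rather than derived from the release name, so two releases in one namespace would overwrite each other's — both deserve a comment in values.yaml if intended. `shareProcessNamespace: true` is not used by any visible container and widens what one compromised container can observe of the others; drop it unless something relies on it.
```yaml
        - |
          set -eu
          /sbin/kanidmd server -c /data/server.toml &
          serverPID=$!
          # … unchanged: wait loop, domain upgrade-check, recover-account for admin and idm_admin …
          kill $serverPID
          wait $serverPID || true  # let the server close its data files before the main container opens them
          [ -n "$ADMIN_PASS" ] && [ -n "$IDM_ADMIN_PASS" ] || { echo "recover-account failed" >&2; exit 1; }
          kubectl create secret generic kanidm-passwords \
            --from-literal=admin="$ADMIN_PASS" --from-literal=idm_admin="$IDM_ADMIN_PASS" \
            --dry-run=client -o yaml | kubectl apply -f -
```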

32
kanidm/templates/hpa.yaml Normal file

@@ -0,0 +1,32 @@
{{- if .Values.autoscaling.enabled }}
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "kanidm.fullname" . }}
labels:
{{- include "kanidm.labels" . | nindent 4 }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "kanidm.fullname" . }}
minReplicas: {{ .Values.autoscaling.minReplicas }}
maxReplicas: {{ .Values.autoscaling.maxReplicas }}
metrics:
{{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
{{- end }}
{{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
- type: Resource
resource:
name: memory
target:
type: Utilization
averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
{{- end }}
{{- end }}


@@ -0,0 +1,61 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "kanidm.fullname" . -}}
{{- $svcPort := .Values.service.port -}}
{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
{{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
{{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
{{- end }}
{{- end }}
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1
{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}
labels:
{{- include "kanidm.labels" . | nindent 4 }}
{{- with .Values.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
ingressClassName: {{ .Values.ingress.className }}
{{- end }}
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ .path }}
{{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
pathType: {{ .pathType }}
{{- end }}
backend:
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
service:
name: {{ $fullName }}
port:
number: {{ $svcPort }}
{{- else }}
serviceName: {{ $fullName }}
servicePort: {{ $svcPort }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
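Review bot: The backend targets the service port `http`, but the listener behind it is TLS-only according to the ConfigMap's bindaddress comment, so an ingress controller that proxies plain HTTP to the pod will get a handshake failure unless it is told to speak HTTPS upstream (for ingress-nginx, `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"`) or to pass TLS through; nothing in the template or the values example annotations hints at this. Add a comment above `annotations: {}` in values.yaml naming that requirement, or an `ingress.backendProtocol`-style value that renders the annotation. Also note that terminating TLS at the ingress changes the host and port the browser sees, and `origin` in the ConfigMap must match that external URL for WebAuthn to work, which is worth a sentence in the same comment.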

26
kanidm/templates/pvc.yaml Normal file

@@ -0,0 +1,26 @@
---
{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: {{ template "kanidm.fullname" . }}-data
labels:
{{- include "kanidm.labels" . | nindent 4 }}
{{- if .Values.persistence.annotations }}
annotations:
{{ toYaml .Values.persistence.annotations | indent 4 }}
{{- end }}
spec:
accessModes:
- {{ .Values.persistence.accessMode | quote }}
resources:
requests:
storage: {{ .Values.persistence.size | quote }}
{{- if .Values.persistence.storageClass }}
{{- if (eq "-" .Values.persistence.storageClass) }}
storageClassName: ""
{{- else }}
storageClassName: "{{ .Values.persistence.storageClass }}"
{{- end }}
{{- end }}
{{- end }}


@@ -0,0 +1,26 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "kanidm.fullname" . }}
labels:
{{- include "kanidm.labels" . | nindent 4 }}
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["list", "get", "watch", "create", "delete"]
- apiGroups: [""]
resources: ["pods/exec"]
verbs: ["create"]
- apiGroups: [""]
resources: ["pods/log"]
verbs: ["get"]
- apiGroups: [""]
resources: ["pods/attach"]
verbs: ["list", "get", "create", "delete", "update"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["list", "get", "create", "delete", "update"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["list", "get", "create", "delete", "update"]
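Review bot: The Role grants far more than the templates use: the only API access visible in this chart is the `-db-pass` init container deleting and creating the `kanidm-passwords` Secret, yet the rules also allow listing, creating and deleting pods, `pods/exec`, `pods/attach`, `pods/log`, and full access to configmaps. The same ServiceAccount token is mounted into the kanidm server container too (`automount: true` in values.yaml), so a compromise of the identity provider would extend to exec into any pod in the namespace. Restrict the Role to secrets, and since the Secret name is fixed, scope get/update/delete to it with `resourceNames` (create cannot be scoped by name).
```yaml
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["kanidm-passwords"]
    verbs: ["get", "update", "patch", "delete"]
```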


@@ -0,0 +1,15 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "kanidm.fullname" . }}
labels:
{{- include "kanidm.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
name: {{ include "kanidm.fullname" . }}
kind: Role
subjects:
- kind: ServiceAccount
name: {{ include "kanidm.fullname" . }}
namespace: {{ .Release.Namespace }}
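Review bot: The subject name is `{{ include "kanidm.fullname" . }}`, while the ServiceAccount template names its object with `kanidm.serviceAccountName`; the two coincide only when `serviceAccount.create` is true and `serviceAccount.name` is empty, so a custom name or a reused existing account binds the Role to an account that does not exist and the `-db-pass` init container's kubectl calls are denied. Use `name: {{ include "kanidm.serviceAccountName" . }}` here. The binding is also unconditional, so it is created even when the chart is told not to create a ServiceAccount — acceptable only if binding a pre-existing account is the intended contract.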


@@ -0,0 +1,21 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "kanidm.fullname" . }}
labels:
{{- include "kanidm.labels" . | nindent 4 }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.port }}
targetPort: http
protocol: TCP
name: http
{{- if .Values.kanidmLdap.enabled }}
- port: {{ .Values.service.ldap }}
targetPort: ldap
protocol: TCP
name: ldap
{{- end }}
selector:
{{- include "kanidm.selectorLabels" . | nindent 4 }}


@@ -0,0 +1,13 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "kanidm.serviceAccountName" . }}
labels:
{{- include "kanidm.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
{{- end }}


@@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: "{{ include "kanidm.fullname" . }}-test-connection"
labels:
{{- include "kanidm.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": test
spec:
containers:
- name: wget
image: busybox
command: ['wget']
args: ['{{ include "kanidm.fullname" . }}:{{ .Values.service.port }}']
restartPolicy: Never
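Review bot: The test fetches `{{ fullname }}:{{ port }}` with no scheme, so wget speaks plain HTTP to what is by default a TLS-only listener on 443 and the hook fails even on a healthy release. Use an explicit HTTPS URL and accept the self-signed certificate the `-certs` init container generates: `args: ['--no-check-certificate', 'https://{{ include "kanidm.fullname" . }}:{{ .Values.service.port }}/status']` — `/status` is the path the probes already use. This needs a busybox build with TLS support, which recent busybox images include; pin the image tag rather than using bare `busybox` so the test does not change under you.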

154
kanidm/values.yaml Normal file

@@ -0,0 +1,154 @@
# Default values for kanidm.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
replicaCount: 1
strategy:
type: Recreate
image:
repository: gitea.geekhome.org/ghp/kanidm
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
tag: "1.6.4-1"
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
kanidm:
bindaddress: "[::]:{{ .Values.service.port }}"
domain: "idm.example.com"
#origin: "https://{{ .Values.kanidm.domain }}:{{ .Values.service.port }}"
db_path: "/data/kanidm.db"
#db_fs_type: "zfs"
#db_arc_size: "2048"
tls_chain: "/data/chain.pem"
tls_key: "/data/key.pem"
log_level: "debug"
kanidmLdap:
enabled: false
dapbindaddress: "[::]:{{ .Values.service.ldap }}"
kanidmOnlineBackup:
enabled: true
path: "/data/kanidm/backups/"
schedule: "00 22 * * *"
versions: "7"
serviceAccount:
# Specifies whether a service account should be created
create: true
# Automatically mount a ServiceAccount's API credentials?
automount: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
podAnnotations: {}
podLabels: {}
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
service:
type: ClusterIP
port: 443
ldap: 636
ingress:
enabled: false
className: ""
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
hosts:
- host: chart-example.local
paths:
- path: /
pathType: ImplementationSpecific
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
persistence:
enabled: true
annotations: {}
## PeerTube data Persistent Volume Storage Class
## If defined, storageClassName: <storageClass>
## If set to "-", storageClassName: "", which disables dynamic provisioning
## If undefined (the default) or set to null, no storageClassName spec is
## set, choosing the default provisioner. (gp2 on AWS, standard on
## GKE, AWS & OpenStack)
##
# storageClass: "-"
## A manually managed Persistent Volume and Claim
## Requires persistence.enabled: true
## If defined, PVC must be created manually before volume will be bound
# existingClaim:
accessMode: ReadWriteOnce
size: 1Gi
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
livenessProbe:
httpGet:
scheme: HTTPS
path: /status
port: http
readinessProbe:
httpGet:
scheme: HTTPS
path: /status
port: http
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 100
targetCPUUtilizationPercentage: 80
# targetMemoryUtilizationPercentage: 80
# Additional volumes on the output Deployment definition.
volumes: []
# - name: foo
# secret:
# secretName: mysecret
# optional: false
# Additional volumeMounts on the output Deployment definition.
volumeMounts: []
# - name: foo
# mountPath: "/etc/foo"
# readOnly: true
nodeSelector: {}
tolerations: []
affinity: {}
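Review bot: `log_level: "debug"` is the shipped default for an identity provider, while the ConfigMap's own comment gives the server default as `info`; debug output is noisy and may retain more request detail than operators want in logs, so `info` is the safer default with debug as an opt-in. `kanidmOnlineBackup.path` sits on the same volume as `db_path`, so the built-in backups do not survive loss of the PVC — a comment telling users to copy them off the volume would prevent a false sense of safety. The `## PeerTube data Persistent Volume Storage Class` comment is a copy-paste leftover and should read `## kanidm data Persistent Volume Storage Class`. `maxReplicas: 100` next to `strategy: Recreate` and a `ReadWriteOnce` PVC is misleading, since the server keeps a single database file on that volume; either drop the autoscaling block or comment that replicas must stay at 1.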


@@ -0,0 +1,129 @@
# This is a GitHub workflow defining a set of jobs with a set of steps.
# ref: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions
#
name: Test chart
on:
pull_request:
paths-ignore:
- "README.md"
push:
branches-ignore:
- "dependabot/**"
workflow_dispatch:
permissions:
contents: read
jobs:
lint-templates:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v3
- uses: actions/setup-python@v4
with:
python-version: "3.x"
- name: Install dependencies (yamllint)
run: pip install yamllint
- run: helm dependency update
- name: helm lint
run: |
helm lint . \
--values dev-values.yaml
- name: helm template
run: |
helm template . \
--values dev-values.yaml \
--output-dir rendered-templates
- name: yamllint (only on templates we manage)
run: |
rm -rf rendered-templates/mastodon/charts
yamllint rendered-templates \
--config-data "{rules: {indentation: {spaces: 2}, line-length: disable}}"
# This job helps us validate that rendered templates are valid k8s resources
# against a k8s api-server, via "helm template --validate", but also that a
# basic configuration can be used to successfully startup mastodon.
#
test-install:
runs-on: ubuntu-24.04
timeout-minutes: 15
strategy:
fail-fast: false
matrix:
include:
# k3s-channel reference: https://update.k3s.io/v1-release/channels
- k3s-channel: latest
- k3s-channel: stable
# This represents the oldest configuration we test against.
#
# The k8s version chosen is based on the oldest still supported k8s
# version among two managed k8s services, GKE, EKS.
# - GKE: https://endoflife.date/google-kubernetes-engine
# - EKS: https://endoflife.date/amazon-eks
#
# The helm client's version can influence what helper functions is
# available for use in the templates, currently we need v3.6.0 or
# higher.
#
- k3s-channel: v1.28
helm-version: v3.8.0
env:
HELM_EXPERIMENTAL_OCI: "1"
steps:
- uses: actions/checkout@v3
# This action starts a k8s cluster with NetworkPolicy enforcement and
# installs both kubectl and helm.
#
# ref: https://github.com/jupyterhub/action-k3s-helm#readme
#
- uses: jupyterhub/action-k3s-helm@v3
with:
k3s-channel: ${{ matrix.k3s-channel }}
helm-version: ${{ matrix.helm-version }}
metrics-enabled: false
traefik-enabled: false
docker-enabled: false
- run: helm dependency update
# Validate rendered helm templates against the k8s api-server
- name: helm template --validate
run: |
helm template --validate mastodon . \
--values dev-values.yaml
- name: helm install
run: |
helm install mastodon . \
--values dev-values.yaml \
--timeout 15m
# This actions provides a report about the state of the k8s cluster,
# providing logs etc on anything that has failed and workloads marked as
# important.
#
# ref: https://github.com/jupyterhub/action-k8s-namespace-report#readme
#
- name: Kubernetes namespace report
uses: jupyterhub/action-k8s-namespace-report@v1
if: always()
with:
important-workloads: >-
deploy/mastodon-sidekiq
deploy/mastodon-streaming
deploy/mastodon-web
job/mastodon-create-admin
job/mastodon-db-migrate
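Review bot: Every action is referenced by a floating tag (`actions/checkout@v3`, `actions/setup-python@v4`, `jupyterhub/action-k3s-helm@v3`, `jupyterhub/action-k8s-namespace-report@v1`) and `pip install yamllint` is unpinned, so the workflow's inputs can change between runs without any diff in this repository; pin each `uses:` to a full commit SHA with the tag in a trailing comment and pin yamllint to a version for a reproducible, tamper-evident CI. The `permissions: contents: read` block is the right default and should stay. The job steps and `important-workloads` list are mastodon-specific while this repository holds several charts; I cannot see the file's path here, but if it was copied from the upstream mastodon chart the header comment should say so and name the version it was taken from. `checkout@v3` and `setup-python@v4` are also superseded majors, so a pin bump is due at the same time.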

1
mastodon/.gitignore vendored

@@ -1 +1,2 @@
charts/
.DS_Store

243
mastodon/CHANGELOG.md Normal file

@@ -0,0 +1,243 @@
# 6.5.0
Updated the Mastodon version to v4.4.1. Please read the [4.4.0 release notes](https://github.com/mastodon/mastodon/releases/tag/v4.4.0) before updating from a version < 4.4. In particular:
- Redis & Postgres minimum versions have been bumped to 6.2 and 13 respectively
- Redis namespace support has been dropped
- No-downtime updates from versions before 4.3.0 are not supported
- Elasticsearch mappings need to be updated manually via `tootctl` after deploying this new version
- The new experimental Fediverse Auxiliary Service (`fasp`) Sidekiq queue needs to be added to the list of processed queues if you changed the default Sidekiq values
# 6.4.0
- Added configuration for [bulk SMTP](https://docs.joinmastodon.org/admin/config/#optional-bulk-email-settings):
```yaml
mastodon:
smtp:
bulk:
```
# 6.3.4
- Updated the Mastodon version to v4.3.9
# 6.3.3
- Updated the Mastodon version to v4.3.8
# 6.3.2
- No longer sets `DEFAULT_LOCALE` to `en` by default; leaves this value unset.
# 6.3.1
- Removed DB_POOL from the ConfigMap as we should never have to override this.
# 6.3.0
- Added `nodeSelector` fields for every resource type for better fine-grain tuning of where resources end up.
# 6.2.4
- Fixed an issue where redis secrets specified in values or the helm CLI wouldn't be used by the db-prepare job on install.
# 6.2.3
- Updated the Mastodon version to v4.3.7
# 6.2.2
- `app.kubernetes.io/version` shortens any potential digest hash to 7 characters to avoid hitting the 63 character label limit.
# 6.2.1
- Fixed some situations where disabling all bitnami charts caused it to error.
- Fixed a potential null postgresql host value error.
# 6.2.0
- Added ability to add pod labels to pods created from Deployment objects at the global level
# 6.1.1
- Updated the Mastodon version to v4.3.6
# 6.1.0
- Added a new job to re/build elasticsearch indices as a post-upgrade hook:
```yaml
mastodon:
hooks:
deploySearch:
```
# 6.0.3
- Updated the Mastodon version to v4.3.5
# 6.0.2
- Helm version tagging now utilizes `.Values.image.tag` when set.
# 6.0.1
- Added additional values to separate out `db:prepare` and `db:migrate` jobs and whether they should run:
```yaml
mastodon:
hooks:
dbPrepare:
enabled: true
dbMigrate:
enabled: true
```
# 6.0.0
### !! BREAKING CHANGES !!
- Services for web & streaming now use `ipFamilyPolicy: PreferDualStack`. This will cause upgrades on existing deployments to fail, as kubernetes cannot patch this field. Please remove both service objects before running `helm upgrade` (services are `mastodon-web` and `mastodon-streaming` by default).
### Features
- Added prometheus metrics config for web and sidekiq pods (feature will be available with Mastodon v4.4).
```yaml
mastodon:
metrics:
prometheus:
```
- Added ability to automatically upload assets to an S3 bucket:
```yaml
mastodon:
hooks:
s3Upload:
```
- Added OpenTelemetry metrics:
```yaml
mastodon:
otel:
---
mastodon:
sidekiq:
otel:
---
mastodon:
web:
otel:
```
- Fine-grained control of labels and annotations for both pods and deployments.
- Additional redis options for separate instances (app, sidekiq, cache).
- Configurable PodDisruptionBudgets for web and streaming pods.
### Fixes
- Various database migrations fixes
- Fixed first-time install DB setup on self-managed databases
- Fixed running migrations through a connection pooler.
- Removed old, unused jobs:
- chewy upgrade (use `tootctl search deploy` instead)
- assets precompile
# 5.1.0
- Added values for Active Record Encryption in Redis:
```yaml
mastodon:
secrets:
activeRecordEncryption:
primaryKey:
deterministicKey:
keyDerivationSalt:
```
- Small bugfix related to automatic secret generation
# [5.0.0](https://github.com/mastodon/chart/commit/63a052b6a5c19dabd172c15c1fd74298dcc544b2)
- Updated major versions of chart dependencies (postgres, redis, elasticsearch)
# [4.0.0](https://github.com/mastodon/chart/compare/920cf37..ae892d5)
- adds support for multiple Sidekiq deployments to be configured to manage
different sets of queues.
- smtp: replaces `enable_starttls_auto` boolean with `enable_starttls` setting
that defaults to `auto`.
- adds support for statsd publishing:
```
mastodon:
metrics:
statsd:
address:
```
- allows disabling the included redis deployment in order to use an existing external redis server:
```
redis:
enabled: false
```
- adds support for [authorized
fetch](https://docs.joinmastodon.org/admin/config/#authorized_fetch):
```
mastodon:
authorizedFetch: true
```
- removed the `HorizontalPodAutoscaler` and the global autoscaling configuration.
A number of other configuration options have been added, see [values.yaml](./values.yaml).
# 3.0.0
skipped
# 2.1.0
## ingressClassName and tls-acme changes
The annotations previously defaulting to nginx have been removed and support
for ingressClassName has been added.
```yaml
ingress:
annotations:
kubernetes.io/ingress.class: nginx
kubernetes.io/tls-acme: "true"
```
To restore the old functionality simply add the above snippet to your `values.yaml`,
but the recommendation is to replace these with `ingress.ingressClassName` and use
cert-manager's issuer/cluster-issuer instead of tls-acme.
If you're uncertain about your current setup leave `ingressClassName` empty and add
`kubernetes.io/tls-acme` to `ingress.annotations` in your `values.yaml`.
# 2.0.0
## Fixed labels
Because of the changes in [#19706](https://github.com/mastodon/mastodon/pull/19706) the upgrade may fail with the following error:
```Error: UPGRADE FAILED: cannot patch "mastodon-sidekiq"```
If you want an easy upgrade and you're comfortable with some downtime then
simply delete the -sidekiq, -web, and -streaming Deployments manually.
If you require a no-downtime upgrade then:
1. run `helm template` instead of `helm upgrade`
2. Copy the new -web and -streaming services into `services.yml`
3. Copy the new -web and -streaming deployments into `deployments.yml`
4. Append -temp to the name of each deployment in `deployments.yml`
5. `kubectl apply -f deployments.yml` then wait until all pods are ready
6. `kubectl apply -f services.yml`
7. Delete the old -sidekiq, -web, and -streaming deployments manually
8. `helm upgrade` like normal
9. `kubectl delete -f deployments.yml` to clear out the temporary deployments
## PostgreSQL passwords
If you've previously installed the chart and you're having problems with
postgres not accepting your password then make sure to set `username` to
`postgres` and `password` and `postgresPassword` to the same passwords.
```yaml
postgresql:
auth:
username: postgres
password: <same password>
postgresPassword: <same password>
```
And make sure to set `password` to the same value as `postgres-password`
in your `mastodon-postgresql` secret:
```kubectl edit secret mastodon-postgresql```

12
mastodon/Chart.lock Normal file

@@ -0,0 +1,12 @@
dependencies:
- name: elasticsearch
repository: oci://registry-1.docker.io/bitnamicharts
version: 19.19.2
- name: postgresql
repository: oci://registry-1.docker.io/bitnamicharts
version: 14.2.3
- name: redis
repository: oci://registry-1.docker.io/bitnamicharts
version: 18.16.1
digest: sha256:684daaf2067d96e2aa6d93e9d29b7b13fc586f6ae929342e5e9c7c169b1c0748
generated: "2024-02-23T15:14:47.536480528-08:00"


@@ -12,26 +12,26 @@ description: Mastodon is a free, open-source social network server based on Acti
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# This is the chart version. This version number should be incremented each time
# you make changes to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 4.0.0
version: 6.5.1
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
appVersion: v4.1.2
appVersion: "v4.4.2"
dependencies:
- name: elasticsearch
version: 19.6.0
repository: https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami
version: 19.19.2
repository: oci://registry-1.docker.io/bitnamicharts
condition: elasticsearch.enabled
- name: postgresql
version: 12.2.7
repository: https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami
version: 14.2.3
repository: oci://registry-1.docker.io/bitnamicharts
condition: postgresql.enabled
- name: redis
version: 17.9.3
repository: https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami
version: 18.16.1
repository: oci://registry-1.docker.io/bitnamicharts
condition: redis.enabled


@@ -4,10 +4,18 @@ This is a [Helm](https://helm.sh/) chart for installing Mastodon into a
Kubernetes cluster. The basic usage is:
1. edit `values.yaml` or create a separate yaml file for custom values
1. `helm dep update`
1. `helm dep install`
1. `helm install --namespace mastodon --create-namespace my-mastodon ./ -f path/to/additional/values.yaml`
This chart is tested with k8s 1.21+ and helm 3.6.0+.
This chart is tested with k8s 1.21+ and helm 3.8.0+.
# NOTICE: Future Deprecation
We have plans in the very near future to deprecate this chart in favor of a [new git repo](https://github.com/mastodon/helm-charts), which has proper helm repository support (e.g. `helm repo add`), and will contain multiple charts, both for mastodon and for supplementary components that we make use of.
We still encourage suggestions and PRs to help make this chart better, and this repository will remain available after the new charts are ready to give users time to migrate. However, we will not be approving large PRs, or PRs that change fundamental chart functions, as those changes should be directed to the new charts.
Please see the pinned [GitHub issue](https://github.com/mastodon/chart/issues/129) for more info & discussion.
# Configuration
@@ -64,57 +72,3 @@ Sidekiq deployments, its possible they will occur in the wrong order. After
upgrading Mastodon versions, it may sometimes be necessary to manually delete
the Rails and Sidekiq pods so that they are recreated against the latest
migration.
# Upgrades in 2.1.0
## ingressClassName and tls-acme changes
The annotations previously defaulting to nginx have been removed and support
for ingressClassName has been added.
```yaml
ingress:
annotations:
kubernetes.io/ingress.class: nginx
kubernetes.io/tls-acme: "true"
```
To restore the old functionality simply add the above snippet to your `values.yaml`,
but the recommendation is to replace these with `ingress.ingressClassName` and use
cert-manager's issuer/cluster-issuer instead of tls-acme.
If you're uncertain about your current setup leave `ingressClassName` empty and add
`kubernetes.io/tls-acme` to `ingress.annotations` in your `values.yaml`.
# Upgrades in 2.0.0
## Fixed labels
Because of the changes in [#19706](https://github.com/mastodon/mastodon/pull/19706) the upgrade may fail with the following error:
```Error: UPGRADE FAILED: cannot patch "mastodon-sidekiq"```
If you want an easy upgrade and you're comfortable with some downtime then
simply delete the -sidekiq, -web, and -streaming Deployments manually.
If you require a no-downtime upgrade then:
1. run `helm template` instead of `helm upgrade`
2. Copy the new -web and -streaming services into `services.yml`
3. Copy the new -web and -streaming deployments into `deployments.yml`
4. Append -temp to the name of each deployment in `deployments.yml`
5. `kubectl apply -f deployments.yml` then wait until all pods are ready
6. `kubectl apply -f services.yml`
7. Delete the old -sidekiq, -web, and -streaming deployments manually
8. `helm upgrade` like normal
9. `kubectl delete -f deployments.yml` to clear out the temporary deployments
## PostgreSQL passwords
If you've previously installed the chart and you're having problems with
postgres not accepting your password then make sure to set `username` to
`postgres` and `password` and `postgresPassword` to the same passwords.
```yaml
postgresql:
auth:
username: postgres
password: <same password>
postgresPassword: <same password>
```
And make sure to set `password` to the same value as `postgres-password`
in your `mastodon-postgresql` secret:
```kubectl edit secret mastodon-postgresql```


@@ -7,6 +7,11 @@ mastodon:
vapid:
private_key: dummy-vapid-private_key
public_key: dummy-vapid-public_key
activeRecordEncryption:
primaryKey: dummy-are-primary_key
deterministicKey: dummy-are-deterministic_key
keyDerivationSalt: dummy-are-key_derivation_salt
# ref: https://github.com/bitnami/charts/tree/main/bitnami/redis#parameters
redis:
@@ -23,3 +28,6 @@ elasticsearch:
replicaCount: 1
ingest:
replicaCount: 1
# -- Timezone for all pods unless overwritten
timezone: UTC


@@ -0,0 +1,111 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Spec template for DB migration pre- and post-install/upgrade jobs.
*/}}
{{- define "mastodon.dbMigrateJob" -}}
apiVersion: batch/v1
kind: Job
metadata:
{{- if .prepare }}
name: {{ include "mastodon.fullname" . }}-db-prepare
{{- else if .preDeploy }}
name: {{ include "mastodon.fullname" . }}-db-pre-migrate
{{- else }}
name: {{ include "mastodon.fullname" . }}-db-post-migrate
{{- end }}
labels:
{{- include "mastodon.labels" . | nindent 4 }}
annotations:
{{- if .prepare }}
"helm.sh/hook": pre-install
{{- else if .preDeploy }}
"helm.sh/hook": pre-upgrade
{{- else }}
"helm.sh/hook": post-install,post-upgrade
{{- end }}
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
{{- if .prepare }}
"helm.sh/hook-weight": "-3"
{{- else }}
"helm.sh/hook-weight": "-2"
{{- end }}
spec:
template:
metadata:
name: {{ include "mastodon.fullname" . }}-db-migrate
{{- with .Values.jobAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
restartPolicy: Never
containers:
- name: {{ include "mastodon.fullname" . }}-db-migrate
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- bundle
- exec
- rake
{{- if .prepare }}
- db:prepare
{{- else }}
- db:migrate
{{- end }}
envFrom:
- secretRef:
name: {{ template "mastodon.secretName" . }}
env:
- name: "DB_HOST"
value: {{ template "mastodon.postgres.direct.host" . }}
- name: "DB_PORT"
value: {{ template "mastodon.postgres.direct.port" . }}
- name: "DB_NAME"
value: {{ template "mastodon.postgres.direct.database" . }}
- name: "DB_USER"
value: {{ .Values.postgresql.auth.username }}
- name: "DB_PASS"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.postgresql.secretName" . }}
key: password
- name: "REDIS_HOST"
value: {{ template "mastodon.redis.host" . }}
- name: "REDIS_PORT"
value: {{ .Values.redis.port | default "6379" | quote }}
{{- if .Values.redis.sidekiq.enabled }}
{{- if .Values.redis.sidekiq.hostname }}
- name: SIDEKIQ_REDIS_HOST
value: {{ .Values.redis.sidekiq.hostname }}
{{- end }}
{{- if .Values.redis.sidekiq.port }}
- name: SIDEKIQ_REDIS_PORT
value: {{ .Values.redis.sidekiq.port | quote }}
{{- end }}
{{- end }}
{{- if .Values.redis.cache.enabled }}
{{- if .Values.redis.cache.hostname }}
- name: CACHE_REDIS_HOST
value: {{ .Values.redis.cache.hostname }}
{{- end }}
{{- if .Values.redis.cache.port }}
- name: CACHE_REDIS_PORT
value: {{ .Values.redis.cache.port | quote }}
{{- end }}
{{- end }}
- name: "REDIS_DRIVER"
value: "ruby"
- name: "REDIS_PASSWORD"
valueFrom:
secretKeyRef:
{{- if and (.prepare) (not .Values.redis.enabled) (not .Values.redis.auth.existingSecret) (not .Values.redis.existingSecret) (.Values.redis.auth.password) }}
name: {{ template "mastodon.redis.secretName" . }}-pre-install
{{- else }}
name: {{ template "mastodon.redis.secretName" . }}
{{- end }}
key: redis-password
{{- if .preDeploy }}
- name: "SKIP_POST_DEPLOYMENT_MIGRATIONS"
value: "true"
{{- end }}
{{- end }}
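Review bot: `value: {{ .Values.postgresql.auth.username }}` for DB_USER is rendered unquoted while REDIS_PORT in the same env block goes through `| quote`; a username that YAML types as a number or boolean would break the manifest, so `value: {{ .Values.postgresql.auth.username | quote }}` keeps it consistent (the DB_HOST, DB_NAME, SIDEKIQ_REDIS_HOST and CACHE_REDIS_HOST values have the same exposure). The sidekiq and cache Redis blocks export SIDEKIQ_REDIS_HOST/PORT and CACHE_REDIS_HOST/PORT but no matching password variables, whereas the media-remove CronJob in this same commit adds SIDEKIQ_REDIS_PASSWORD and CACHE_REDIS_PASSWORD from the dedicated secret helpers. If those instances require auth, the migration job presumably cannot reach them, so the same two `secretKeyRef` blocks should be mirrored here under the same `sidekiq.enabled`/`cache.enabled` conditions.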


@@ -31,13 +31,25 @@ Create chart name and version as used by the chart label.
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Labels added on every Mastodon resource
*/}}
{{- define "mastodon.globalLabels" -}}
{{- range $k, $v := .Values.mastodon.labels }}
{{ $k }}: {{ quote $v }}
{{- end -}}
{{- end }}
{{/*
Common labels
*/}}
{{- define "mastodon.labels" -}}
helm.sh/chart: {{ include "mastodon.chart" . }}
{{ include "mastodon.selectorLabels" . }}
{{- if .Chart.AppVersion }}
{{ include "mastodon.globalLabels" . }}
{{- if .Values.image.tag }}
app.kubernetes.io/version: {{ regexReplaceAll "@(\\w+:\\w{0,7})\\w*" .Values.image.tag "@${1}" | quote }}
{{- else if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
@@ -73,6 +85,28 @@ Create the name of the service account to use
{{- end }}
{{- end }}
{{/*
Create the name of the assets persistent volume to use
*/}}
{{- define "mastodon.pvc.assets" -}}
{{- if .Values.mastodon.persistence.assets.existingClaim }}
{{- printf "%s" (tpl .Values.mastodon.persistence.assets.existingClaim $) -}}
{{- else -}}
{{- printf "%s-assets" (include "mastodon.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Create the name of the system persistent volume to use
*/}}
{{- define "mastodon.pvc.system" -}}
{{- if .Values.mastodon.persistence.system.existingClaim }}
{{- printf "%s" (tpl .Values.mastodon.persistence.system.existingClaim $) -}}
{{- else -}}
{{- printf "%s-system" (include "mastodon.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Create a default fully qualified name for dependent services.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
@@ -89,6 +123,60 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
{{- printf "%s-%s" .Release.Name "postgresql" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Establish which values we will use for remote connections
*/}}
{{- define "mastodon.postgres.host" -}}
{{- if .Values.postgresql.enabled }}
{{- printf "%s" (include "mastodon.postgresql.fullname" .) -}}
{{- else }}
{{- printf "%s" (required "When the postgresql chart is disabled .Values.postgresql.postgresqlHostname is required" .Values.postgresql.postgresqlHostname) -}}
{{- end }}
{{- end }}
{{- define "mastodon.postgres.port" -}}
{{- if .Values.postgresql.enabled }}
{{- printf "%d" 5432 | int | quote -}}
{{- else }}
{{- printf "%d" | default 5432 .Values.postgresql.postgresqlPort | int | quote -}}
{{- end }}
{{- end }}
{{/*
Establish which values we will use for direct remote DB connections
*/}}
{{- define "mastodon.postgres.direct.host" -}}
{{- if .Values.postgresql.direct.hostname }}
{{- printf "%s" .Values.postgresql.direct.hostname -}}
{{- else }}
{{- printf "%s" (include "mastodon.postgres.host" .) -}}
{{- end }}
{{- end }}
{{- define "mastodon.postgres.direct.port" -}}
{{- if .Values.postgresql.direct.port }}
{{- printf "%d" (int .Values.postgresql.direct.port) | quote -}}
{{- else }}
{{- printf "%s" (include "mastodon.postgres.port" .) -}}
{{- end }}
{{- end }}
{{- define "mastodon.postgres.direct.database" -}}
{{- if .Values.postgresql.direct.database }}
{{- printf "%s" .Values.postgresql.direct.database -}}
{{- else }}
{{- printf "%s" .Values.postgresql.auth.database -}}
{{- end }}
{{- end }}
{{- define "mastodon.redis.host" -}}
{{- if .Values.redis.enabled }}
{{- printf "%s-%s" (include "mastodon.redis.fullname" .) "master" -}}
{{- else }}
{{- printf "%s" (required "When the redis chart is disabled .Values.redis.hostname is required" .Values.redis.hostname) -}}
{{- end }}
{{- end }}
{{/*
Get the mastodon secret.
*/}}
@@ -96,18 +184,26 @@ Get the mastodon secret.
{{- if .Values.mastodon.secrets.existingSecret }}
{{- printf "%s" (tpl .Values.mastodon.secrets.existingSecret $) -}}
{{- else -}}
{{- printf "%s" (include "common.names.fullname" .) -}}
{{- printf "%s" (include "mastodon.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Get the smtp secret.
Get the smtp secrets.
*/}}
{{- define "mastodon.smtp.secretName" -}}
{{- if .Values.mastodon.smtp.existingSecret }}
{{- printf "%s" (tpl .Values.mastodon.smtp.existingSecret $) -}}
{{- else -}}
{{- printf "%s-smtp" (include "common.names.fullname" .) -}}
{{- printf "%s-smtp" (include "mastodon.fullname" .) -}}
{{- end -}}
{{- end -}}
{{- define "mastodon.smtp.bulk.secretName" -}}
{{- if .Values.mastodon.smtp.bulk.existingSecret }}
{{- printf "%s" (tpl .Values.mastodon.smtp.bulk.existingSecret $) -}}
{{- else -}}
{{- printf "%s-smtp-bulk" (include "mastodon.fullname" .) -}}
{{- end -}}
{{- end -}}
@@ -120,7 +216,7 @@ Get the postgresql secret.
{{- else if .Values.postgresql.enabled -}}
{{- printf "%s-postgresql" (tpl .Release.Name $) -}}
{{- else -}}
{{- printf "%s" (include "common.names.fullname" .) -}}
{{- printf "%s" (include "mastodon.fullname" .) -}}
{{- end -}}
{{- end -}}
@@ -132,6 +228,38 @@ Get the redis secret.
{{- printf "%s" (tpl .Values.redis.auth.existingSecret $) -}}
{{- else if .Values.redis.existingSecret }}
{{- printf "%s" (tpl .Values.redis.existingSecret $) -}}
{{- else if .Values.redis.enabled -}}
{{- printf "%s-redis" (tpl .Release.Name $) -}}
{{- else -}}
{{- printf "%s-redis" (include "mastodon.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Get the redis secret (sidekiq).
*/}}
{{- define "mastodon.redis.sidekiq.secretName" -}}
{{- if .Values.redis.sidekiq.auth.existingSecret }}
{{- printf "%s" (tpl .Values.redis.sidekiq.auth.existingSecret $) -}}
{{- else if .Values.redis.auth.existingSecret }}
{{- printf "%s" (tpl .Values.redis.auth.existingSecret $) -}}
{{- else if .Values.redis.existingSecret }}
{{- printf "%s" (tpl .Values.redis.existingSecret $) -}}
{{- else -}}
{{- printf "%s-redis" (tpl .Release.Name $) -}}
{{- end -}}
{{- end -}}
{{/*
Get the redis secret (cache).
*/}}
{{- define "mastodon.redis.cache.secretName" -}}
{{- if .Values.redis.cache.auth.existingSecret }}
{{- printf "%s" (tpl .Values.redis.cache.auth.existingSecret $) -}}
{{- else if .Values.redis.auth.existingSecret }}
{{- printf "%s" (tpl .Values.redis.auth.existingSecret $) -}}
{{- else if .Values.redis.existingSecret }}
{{- printf "%s" (tpl .Values.redis.existingSecret $) -}}
{{- else -}}
{{- printf "%s-redis" (tpl .Release.Name $) -}}
{{- end -}}
@@ -151,13 +279,14 @@ Return true if a mastodon secret object should be created
{{- end -}}
{{/*
Find highest number of needed database connections to set DB_POOL variable
Full hostname for a custom Elasticsearch cluster
*/}}
{{- define "mastodon.maxDbPool" -}}
{{/* Default MAX_THREADS for Puma is 5 */}}
{{- $poolSize := 5 }}
{{- range .Values.mastodon.sidekiq.workers }}
{{- $poolSize = max $poolSize .concurrency }}
{{- end }}
{{- $poolSize | quote }}
{{- end }}
{{- define "mastodon.elasticsearch.fullHostname" -}}
{{- if not .Values.elasticsearch.enabled }}
{{- if .Values.elasticsearch.tls }}
{{- printf "https://%s" (tpl .Values.elasticsearch.hostname $) -}}
{{- else -}}
{{- printf "%s" (tpl .Values.elasticsearch.hostname $) -}}
{{- end }}
{{- end -}}
{{- end -}}
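Review bot: In `mastodon.postgres.port` the external branch `{{- printf "%d" | default 5432 .Values.postgresql.postgresqlPort | int | quote -}}` only works by accident: `printf "%d"` with no argument produces a `%!d(MISSING)` string that is passed as a trailing extra argument to `default`, which ignores it. The sibling `mastodon.postgres.direct.port` shows the intended shape; `{{- .Values.postgresql.postgresqlPort | default 5432 | int | quote -}}` yields the same result without the dead call. The new `mastodon.redis.sidekiq.secretName` and `mastodon.redis.cache.secretName` helpers fall back to `<release>-redis` unconditionally, while `mastodon.redis.secretName` falls back to `<fullname>-redis` when the bundled Redis chart is disabled; if that divergence is deliberate (the callers in this commit only reach these helpers when an existingSecret is set), a one-line comment above each define saying so would prevent a later "fix" that breaks one of them.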


@@ -0,0 +1,65 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Spec template for mastodon secrets object.
*/}}
{{- define "mastodon.secrets.object" -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "mastodon.fullname" . }}
labels:
{{- include "mastodon.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": pre-install
"helm.sh/hook-weight": "-4"
type: Opaque
data:
{{- if .Values.mastodon.s3.enabled }}
{{- if not .Values.mastodon.s3.existingSecret }}
AWS_ACCESS_KEY_ID: "{{ .Values.mastodon.s3.access_key | b64enc }}"
AWS_SECRET_ACCESS_KEY: "{{ .Values.mastodon.s3.access_secret | b64enc }}"
{{- end }}
{{- end }}
{{- if not .Values.mastodon.secrets.existingSecret }}
{{- if not (empty .Values.mastodon.secrets.secret_key_base) }}
SECRET_KEY_BASE: "{{ .Values.mastodon.secrets.secret_key_base | b64enc }}"
{{- else }}
SECRET_KEY_BASE: {{ required "secret_key_base is required" .Values.mastodon.secrets.secret_key_base }}
{{- end }}
{{- if not (empty .Values.mastodon.secrets.otp_secret) }}
OTP_SECRET: "{{ .Values.mastodon.secrets.otp_secret | b64enc }}"
{{- else }}
OTP_SECRET: {{ required "otp_secret is required" .Values.mastodon.secrets.otp_secret }}
{{- end }}
{{- if not (empty .Values.mastodon.secrets.vapid.private_key) }}
VAPID_PRIVATE_KEY: "{{ .Values.mastodon.secrets.vapid.private_key | b64enc }}"
{{- else }}
VAPID_PRIVATE_KEY: {{ required "vapid.private_key is required" .Values.mastodon.secrets.vapid.private_key }}
{{- end }}
{{- if not (empty .Values.mastodon.secrets.vapid.public_key) }}
VAPID_PUBLIC_KEY: "{{ .Values.mastodon.secrets.vapid.public_key | b64enc }}"
{{- else }}
VAPID_PUBLIC_KEY: {{ required "vapid.public_key is required" .Values.mastodon.secrets.vapid.public_key }}
{{- end }}
{{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.primaryKey) }}
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: "{{ .Values.mastodon.secrets.activeRecordEncryption.primaryKey | b64enc }}"
{{- else }}
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: {{ required "activeRecordEncryption.primaryKey is required" .Values.mastodon.secrets.activeRecordEncryption.primaryKey }}
{{- end }}
{{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.deterministicKey) }}
ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: "{{ .Values.mastodon.secrets.activeRecordEncryption.deterministicKey | b64enc }}"
{{- else }}
ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: {{ required "activeRecordEncryption.deterministicKey is required" .Values.mastodon.secrets.activeRecordEncryption.deterministicKey }}
{{- end }}
{{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt) }}
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: "{{ .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt | b64enc }}"
{{- else }}
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: {{ required "activeRecordEncryption.keyDerivationSalt is required" .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt }}
{{- end }}
{{- end }}
{{- if not .Values.postgresql.enabled }}
{{- if not .Values.postgresql.auth.existingSecret }}
password: "{{ .Values.postgresql.auth.password | b64enc }}"
{{- end }}
{{- end }}
{{- end }}
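Review bot: The Secret is annotated `"helm.sh/hook": pre-install` with no hook-delete-policy, so it is created once by the hook and is not tracked as part of the release afterwards: a later `helm upgrade` with changed `mastodon.secrets.*` or S3 values will not update it and `helm uninstall` will leave it behind, unless this define is also rendered without the hook elsewhere in the chart. If the hook form exists only so the pre-install `db:prepare` job (hook-weight -3) can mount it, a comment above the annotations stating that, and naming where the release-managed copy is rendered, would save the next maintainer from having to rediscover it. The `else` branches such as `SECRET_KEY_BASE: {{ required "secret_key_base is required" .Values.mastodon.secrets.secret_key_base }}` exist only to raise the `required` error, which is easy to misread as writing an unencoded value under `data:`; a one-line comment on the first of them, `{{/* unreachable on success: only here to fail the render with a clear message */}}`, would make that explicit.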


@@ -0,0 +1,54 @@
{{/*
The exporter container attached to every Mastodon pod
*/}}
{{- define "mastodon.statsdExporterContainer" }}
{{- with .Values.mastodon.metrics.statsd }}
{{- if and .exporter.enabled (not .address) }}
- name: statsd-exporter
image: prom/statsd-exporter
args:
- "--statsd.mapping-config=/statsd-mappings/mastodon.yml"
resources:
requests:
cpu: "0.1"
memory: "180M"
limits:
cpu: "0.5"
memory: "250M"
ports:
- name: statsd
containerPort: {{ .exporter.port }}
volumeMounts:
- name: statsd-mappings
mountPath: /statsd-mappings
{{- end }}
{{- end }}
{{- end }}
{{/*
The volume needed for the container above
*/}}
{{- define "mastodon.statsdExporterVolume" }}
{{- with .Values.mastodon.metrics.statsd }}
{{- if and .exporter.enabled (not .address) }}
- name: statsd-mappings
configMap:
name: {{ include "mastodon.fullname" $ }}-statsd-mappings
items:
- key: mastodon-statsd-mappings.yml
path: mastodon.yml
{{- end }}
{{- end }}
{{- end }}
{{/*
Labels added to every statsd_exporter-enabled pod
*/}}
{{- define "mastodon.statsdExporterLabels" }}
{{- with .Values.mastodon.metrics.statsd }}
{{- if and .exporter.enabled (not .address) }}
mastodon/statsd-exporter: "true"
{{- end }}
{{- end }}
{{- end }}
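Review bot: The sidecar `image: prom/statsd-exporter` carries no tag or digest, so every pull resolves the floating `latest` and the container's contents can change under an installed release without any chart change; pinning a version and making it configurable, e.g. `image: "{{ .exporter.image.repository }}:{{ .exporter.image.tag }}"` with the defaults declared in values.yaml (proposed keys, not yet present), keeps rollouts reproducible and lets users mirror the image. The hard-coded `resources` block likewise cannot be tuned per install; exposing it through a values key with these numbers as defaults would match how the Mastodon containers are presumably configured. `{{ .exporter.port }}` is unquoted in a `containerPort` field, which is correct for an integer, but a short comment noting that `port` must be a number (not a quoted string) would avoid a schema error that the YAML parser will not catch.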


@@ -5,27 +5,50 @@ metadata:
labels:
{{- include "mastodon.labels" . | nindent 4 }}
data:
{{- if .Values.postgresql.enabled }}
DB_HOST: {{ template "mastodon.postgresql.fullname" . }}
DB_PORT: "5432"
{{- else }}
DB_HOST: {{ .Values.postgresql.postgresqlHostname }}
DB_PORT: {{ .Values.postgresql.postgresqlPort | default "5432" | quote }}
{{- end }}
DB_HOST: {{ template "mastodon.postgres.host" . }}
DB_PORT: {{ template "mastodon.postgres.port" . }}
DB_NAME: {{ .Values.postgresql.auth.database }}
DB_POOL: {{ include "mastodon.maxDbPool" . }}
DB_USER: {{ .Values.postgresql.auth.username }}
{{- if .Values.postgresql.readReplica.hostname }}
REPLICA_DB_HOST: {{ .Values.postgresql.readReplica.hostname }}
{{- end }}
{{- if .Values.postgresql.readReplica.port }}
REPLICA_DB_PORT: {{ .Values.postgresql.readReplica.port | quote }}
{{- end }}
{{- if .Values.postgresql.readReplica.auth.database }}
REPLICA_DB_NAME: {{ .Values.postgresql.readReplica.auth.database }}
{{- end }}
{{- if .Values.postgresql.readReplica.auth.username }}
REPLICA_DB_USER: {{ .Values.postgresql.readReplica.auth.username }}
{{- end }}
{{- if .Values.postgresql.readReplica.auth.password }}
REPLICA_DB_PASS: {{ .Values.postgresql.readReplica.auth.password }}
{{- end }}
PREPARED_STATEMENTS: {{ .Values.mastodon.preparedStatements | quote }}
{{- if .Values.mastodon.locale }}
DEFAULT_LOCALE: {{ .Values.mastodon.locale }}
{{- end }}
{{- if .Values.elasticsearch.enabled }}
ES_ENABLED: "true"
ES_PRESET: {{ .Values.elasticsearch.preset | default "single_node_cluster" | quote }}
ES_HOST: {{ template "mastodon.elasticsearch.fullname" . }}-master-hl
ES_PORT: "9200"
{{- else if .Values.elasticsearch.hostname }}
ES_ENABLED: "true"
ES_PRESET: {{ .Values.elasticsearch.preset | default "single_node_cluster" | quote }}
ES_HOST: {{ include "mastodon.elasticsearch.fullHostname" .}}
ES_PORT: {{ .Values.elasticsearch.port | default "9200" | quote }}
{{- end }}
{{- with .Values.elasticsearch.user }}
ES_USER: {{ . }}
{{- end }}
LOCAL_DOMAIN: {{ .Values.mastodon.local_domain }}
{{- with .Values.mastodon.web_domain }}
WEB_DOMAIN: {{ . }}
{{- end }}
{{- with .Values.mastodon.alternate_domains }}
ALTERNATE_DOMAINS: {{ join "," . }}
{{- end }}
{{- with .Values.mastodon.singleUserMode }}
SINGLE_USER_MODE: "true"
{{- end }}
@@ -39,12 +62,32 @@ data:
MALLOC_ARENA_MAX: "2"
NODE_ENV: "production"
RAILS_ENV: "production"
{{- if .Values.redis.enabled }}
REDIS_HOST: {{ template "mastodon.redis.fullname" . }}-master
{{- else }}
REDIS_HOST: {{ required "When the redis chart is disabled .Values.redis.hostname is required" .Values.redis.hostname }}
{{- end }}
REDIS_HOST: {{ template "mastodon.redis.host" . }}
REDIS_PORT: {{ .Values.redis.port | default "6379" | quote }}
{{- if .Values.redis.sidekiq.enabled }}
{{- if .Values.redis.sidekiq.hostname }}
SIDEKIQ_REDIS_HOST: {{ .Values.redis.sidekiq.hostname }}
{{- else }}
SIDEKIQ_REDIS_HOST: {{ .Values.redis.hostname }}
{{- end }}
{{- if .Values.redis.sidekiq.port }}
SIDEKIQ_REDIS_PORT: {{ .Values.redis.sidekiq.port | quote }}
{{- else }}
SIDEKIQ_REDIS_PORT: {{ .Values.redis.port | default "6379" | quote }}
{{- end }}
{{- end }}
{{- if .Values.redis.cache.enabled }}
{{- if .Values.redis.cache.hostname }}
CACHE_REDIS_HOST: {{ .Values.redis.cache.hostname }}
{{- else }}
CACHE_REDIS_HOST: {{ .Values.redis.hostname}}
{{- end }}
{{- if .Values.redis.cache.port }}
CACHE_REDIS_PORT: {{ .Values.redis.cache.port | quote }}
{{- else }}
CACHE_REDIS_PORT: {{ .Values.redis.port | default "6379" | quote }}
{{- end }}
{{- end }}
{{- if .Values.mastodon.s3.enabled }}
S3_BUCKET: {{ .Values.mastodon.s3.bucket }}
S3_ENABLED: "true"
@@ -60,6 +103,12 @@ data:
{{- with .Values.mastodon.s3.alias_host }}
S3_ALIAS_HOST: {{ . }}
{{- end }}
{{- with .Values.mastodon.s3.multipart_threshold }}
S3_MULTIPART_THRESHOLD: "{{ . }}"
{{- end }}
{{- with .Values.mastodon.s3.override_path_style }}
S3_OVERRIDE_PATH_STYLE: "{{ . }}"
{{- end }}
{{- end }}
{{- with .Values.mastodon.smtp.auth_method }}
SMTP_AUTH_METHOD: {{ . }}
@@ -80,7 +129,10 @@ data:
SMTP_ENABLE_STARTTLS_AUTO: {{ . | quote }}
{{- end }}
{{- with .Values.mastodon.smtp.from_address }}
SMTP_FROM_ADDRESS: {{ . }}
SMTP_FROM_ADDRESS: {{ . | quote }}
{{- end }}
{{- with .Values.mastodon.smtp.return_path }}
SMTP_RETURN_PATH: {{ . | quote }}
{{- end }}
{{- with .Values.mastodon.smtp.openssl_verify_mode }}
SMTP_OPENSSL_VERIFY_MODE: {{ . }}
@@ -89,7 +141,7 @@ data:
SMTP_PORT: {{ . | quote }}
{{- end }}
{{- with .Values.mastodon.smtp.reply_to }}
SMTP_REPLY_TO: {{ . }}
SMTP_REPLY_TO: {{ . | quote }}
{{- end }}
{{- with .Values.mastodon.smtp.server }}
SMTP_SERVER: {{ . }}
@@ -97,10 +149,45 @@ data:
{{- with .Values.mastodon.smtp.tls }}
SMTP_TLS: {{ . | quote }}
{{- end }}
{{- if .Values.mastodon.smtp.bulk.enabled }}
{{- with .Values.mastodon.smtp.bulk.auth_method }}
BULK_SMTP_AUTH_METHOD: {{ . }}
{{- end }}
{{- with .Values.mastodon.smtp.bulk.ca_file }}
BULK_SMTP_CA_FILE: {{ . }}
{{- end }}
{{- with .Values.mastodon.smtp.bulk.domain }}
BULK_SMTP_DOMAIN: {{ . }}
{{- end }}
{{- with .Values.mastodon.smtp.bulk.enable_starttls }}
BULK_SMTP_ENABLE_STARTTLS: {{ . | quote }}
{{- end }}
{{- with .Values.mastodon.smtp.bulk.enable_starttls_auto }}
BULK_SMTP_ENABLE_STARTTLS_AUTO: {{ . | quote }}
{{- end }}
{{- with .Values.mastodon.smtp.bulk.from_address }}
BULK_SMTP_FROM_ADDRESS: {{ . | quote }}
{{- end }}
{{- with .Values.mastodon.smtp.bulk.openssl_verify_mode }}
BULK_SMTP_OPENSSL_VERIFY_MODE: {{ . }}
{{- end }}
{{- with .Values.mastodon.smtp.bulk.port }}
BULK_SMTP_PORT: {{ . | quote }}
{{- end }}
{{- with .Values.mastodon.smtp.bulk.server }}
BULK_SMTP_SERVER: {{ . }}
{{- end }}
{{- with .Values.mastodon.smtp.bulk.tls }}
BULK_SMTP_TLS: {{ . | quote }}
{{- end }}
{{- end }}
STREAMING_CLUSTER_NUM: {{ .Values.mastodon.streaming.workers | quote }}
{{- with .Values.mastodon.streaming.base_url }}
STREAMING_API_BASE_URL: {{ . | quote }}
{{- end }}
{{- if .Values.mastodon.trusted_proxy_ip }}
TRUSTED_PROXY_IP: {{ .Values.mastodon.trusted_proxy_ip }}
{{ end }}
{{- if .Values.externalAuth.oidc.enabled }}
OIDC_ENABLED: {{ .Values.externalAuth.oidc.enabled | quote }}
OIDC_DISPLAY_NAME: {{ .Values.externalAuth.oidc.display_name }}
@@ -322,6 +409,34 @@ data:
LDAP_UID_CONVERSION_REPLACE: {{ . }}
{{- end }}
{{- end }}
{{- with .Values.mastodon.metrics.statsd.address }}
STATSD_ADDR: {{ . }}
{{- if .Values.mastodon.metrics.statsd.address }}
STATSD_ADDR: {{ .Values.mastodon.metrics.statsd.address }}
{{- else if .Values.mastodon.metrics.statsd.exporter.enabled }}
STATSD_ADDR: localhost:9125
{{- end }}
{{- range $k, $v := .Values.mastodon.extraEnvVars }}
{{ $k }}: {{ quote $v }}
{{- end }}
{{- if .Values.mastodon.deepl.enabled }}
DEEPL_PLAN: {{ .Values.mastodon.deepl.plan }}
{{- end }}
{{- if .Values.mastodon.hcaptcha.enabled }}
HCAPTCHA_SITE_KEY: {{ .Values.mastodon.hcaptcha.siteId }}
{{- end }}
{{- if .Values.mastodon.cacheBuster.enabled }}
CACHE_BUSTER_ENABLED: "true"
{{- if .Values.mastodon.cacheBuster.httpMethod }}
CACHE_BUSTER_HTTP_METHOD: {{ .Values.mastodon.cacheBuster.httpMethod }}
{{- end }}
{{- if .Values.mastodon.cacheBuster.authHeader }}
CACHE_BUSTER_SECRET_HEADER: {{ .Values.mastodon.cacheBuster.authHeader }}
{{- end }}
{{- else }}
CACHE_BUSTER_ENABLED: "false"
{{- end }}
{{- with .Values.timezone }}
TZ: {{ . | quote }}
{{- end }}
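Review bot: `REPLICA_DB_PASS: {{ .Values.postgresql.readReplica.auth.password }}` writes the read-replica password in plain text into the env ConfigMap, which is visible to anyone with ConfigMap read access and in `kubectl describe`; the primary credential is delivered as DB_PASS via a `secretKeyRef` in the migration job in this same commit, and REPLICA_DB_PASS should take the same route through a Secret. The fallbacks `SIDEKIQ_REDIS_HOST: {{ .Values.redis.hostname }}` and `CACHE_REDIS_HOST: {{ .Values.redis.hostname}}` use the raw value instead of `{{ template "mastodon.redis.host" . }}` that REDIS_HOST now uses a few lines above, so with the bundled Redis chart enabled (where `redis.hostname` is presumably unset) they render empty. `{{ end }}` after TRUSTED_PROXY_IP lacks the left-trim dash used by every surrounding block and will leave a stray blank line in the rendered ConfigMap.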


@@ -36,10 +36,10 @@ spec:
volumes:
- name: assets
persistentVolumeClaim:
claimName: {{ template "mastodon.fullname" . }}-assets
claimName: {{ template "mastodon.pvc.assets" . }}
- name: system
persistentVolumeClaim:
claimName: {{ template "mastodon.fullname" . }}-system
claimName: {{ template "mastodon.pvc.system" . }}
{{- end }}
containers:
- name: {{ include "mastodon.fullname" . }}-media-remove
@@ -65,6 +65,27 @@ spec:
secretKeyRef:
name: {{ template "mastodon.redis.secretName" . }}
key: redis-password
{{- if and .Values.redis.sidekiq.enabled .Values.redis.sidekiq.auth.existingSecret }}
- name: "SIDEKIQ_REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.sidekiq.secretName" . }}
key: redis-password
{{- end }}
{{- if and .Values.redis.cache.enabled .Values.redis.cache.auth.existingSecret }}
- name: "CACHE_REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.cache.secretName" . }}
key: redis-password
{{- end }}
{{- if and .Values.elasticsearch.existingSecret (or .Values.elasticsearch.enabled .Values.elasticsearch.hostname) }}
- name: "ES_PASS"
valueFrom:
secretKeyRef:
name: {{ .Values.elasticsearch.existingSecret }}
key: password
{{- end }}
- name: "PORT"
value: {{ .Values.mastodon.web.port | quote }}
{{- if (and .Values.mastodon.s3.enabled .Values.mastodon.s3.existingSecret) }}
@@ -86,4 +107,8 @@ spec:
- name: system
mountPath: /opt/mastodon/public/system
{{- end }}
{{- with coalesce .Values.mastodon.cron.removeMedia.nodeSelector .Values.nodeSelector }}
nodeSelector:
{{- . | toYaml | nindent 12 }}
{{- end }}
{{- end }}


@@ -7,17 +7,31 @@ metadata:
name: {{ include "mastodon.fullname" $context }}-sidekiq-{{ .name }}
labels:
{{- include "mastodon.labels" $context | nindent 4 }}
{{- with $context.Values.mastodon.sidekiq.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
app.kubernetes.io/component: sidekiq-{{ .name }}
app.kubernetes.io/part-of: rails
annotations:
{{- with $context.Values.deploymentAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with $context.Values.mastodon.sidekiq.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if (has "scheduler" .queues) }}
{{- if (gt (int .replicas) 1) }}
{{ fail "The scheduler queue should never have more than 1 replicas" }}
{{- end }}
strategy:
type: Recreate
{{- end }}
{{- if $context.Values.mastodon.sidekiq.updateStrategy }}
strategy: {{- toYaml $context.Values.mastodon.sidekiq.updateStrategy | nindent 4 }}
{{- end }}
replicas: {{ .replicas }}
{{- if (ne (toString $context.Values.mastodon.revisionHistoryLimit) "<nil>") }}
revisionHistoryLimit: {{ $context.Values.mastodon.revisionHistoryLimit }}
{{- end }}
selector:
matchLabels:
{{- include "mastodon.selectorLabels" $context | nindent 6 }}
@@ -29,11 +43,22 @@ spec:
{{- with $context.Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $context.Values.mastodon.sidekiq.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
# roll the pods to pick up any db migrations or other changes
{{- include "mastodon.rollingPodAnnotations" $context | nindent 8 }}
checksum/config-secrets: {{ include ( print $.Template.BasePath "/secret-smtp.yaml" ) $context | sha256sum | quote }}
checksum/config-secrets-smtp: {{ include ( print $.Template.BasePath "/secret-smtp.yaml" ) $context | sha256sum | quote }}
labels:
{{- include "mastodon.globalLabels" $context | nindent 8 }}
{{- include "mastodon.selectorLabels" $context | nindent 8 }}
{{- include "mastodon.statsdExporterLabels" $context | nindent 8 }}
{{- with $context.Values.mastodon.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $context.Values.mastodon.sidekiq.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
app.kubernetes.io/component: sidekiq-{{ .name }}
app.kubernetes.io/part-of: rails
spec:
@@ -50,20 +75,35 @@ spec:
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if (not $context.Values.mastodon.s3.enabled) }}
{{- with (default (default $context.Values.topologySpreadConstraints $context.Values.mastodon.sidekiq.topologySpreadConstraints) .topologySpreadConstraints) }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
{{- if (not $context.Values.mastodon.s3.enabled) }}
- name: assets
persistentVolumeClaim:
claimName: {{ template "mastodon.fullname" $context }}-assets
claimName: {{ template "mastodon.pvc.assets" $context }}
- name: system
persistentVolumeClaim:
claimName: {{ template "mastodon.fullname" $context }}-system
claimName: {{ template "mastodon.pvc.system" $context }}
{{- end }}
{{- include "mastodon.statsdExporterVolume" $ | indent 8 }}
{{- if dig "customDatabaseConfigYml" "configMapRef" "name" false . }}
- name: config-database-yml
configMap:
name: {{ .customDatabaseConfigYml.configMapRef.name }}
{{- end }}
{{- with $context.Values.volumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: {{ $context.Chart.Name }}
{{- with $context.Values.mastodon.sidekiq.securityContext | default $context.Values.securityContext }}
securityContext:
{{- toYaml $context.Values.mastodon.sidekiq.securityContext | nindent 12 }}
image: "{{ $context.Values.image.repository }}:{{ $context.Values.image.tag | default $context.Chart.AppVersion }}"
{{- toYaml . | nindent 12 }}
{{- end }}
image: "{{ coalesce (dig "image" "repository" false .) $context.Values.image.repository }}:{{ coalesce (dig "image" "tag" false .) $context.Values.image.tag $context.Chart.AppVersion }}"
imagePullPolicy: {{ $context.Values.image.pullPolicy }}
command:
- bundle
@@ -80,17 +120,49 @@ spec:
name: {{ include "mastodon.fullname" $context }}-env
- secretRef:
name: {{ template "mastodon.secretName" $context }}
{{- if $context.Values.mastodon.extraEnvFrom }}
- configMapRef:
name: {{ $context.Values.mastodon.extraEnvFrom }}
{{- end}}
env:
- name: "DB_PASS"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.postgresql.secretName" $context }}
key: password
{{- if $context.Values.postgresql.readReplica.auth.existingSecret }}
- name: "REPLICA_DB_PASS"
valueFrom:
secretKeyRef:
name: {{ $context.Values.postgresql.readReplica.auth.existingSecret }}
key: password
{{- end }}
- name: "REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.secretName" $context }}
key: redis-password
{{- if and $context.Values.redis.sidekiq.enabled $context.Values.redis.sidekiq.auth.existingSecret }}
- name: "SIDEKIQ_REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.sidekiq.secretName" $context }}
key: redis-password
{{- end }}
{{- if and $context.Values.redis.cache.enabled $context.Values.redis.cache.auth.existingSecret }}
- name: "CACHE_REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.cache.secretName" $context }}
key: redis-password
{{- end }}
{{- if and $context.Values.elasticsearch.existingSecret (or $context.Values.elasticsearch.enabled $context.Values.elasticsearch.hostname) }}
- name: "ES_PASS"
valueFrom:
secretKeyRef:
name: {{ $context.Values.elasticsearch.existingSecret }}
key: password
{{- end }}
- name: "SMTP_LOGIN"
valueFrom:
secretKeyRef:
@@ -102,6 +174,21 @@ spec:
secretKeyRef:
name: {{ include "mastodon.smtp.secretName" $context }}
key: password
optional: true
{{- if $context.Values.mastodon.smtp.bulk.enabled }}
- name: "BULK_SMTP_LOGIN"
valueFrom:
secretKeyRef:
name: {{ include "mastodon.smtp.bulk.secretName" $context }}
key: login
optional: true
- name: "BULK_SMTP_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ include "mastodon.smtp.bulk.secretName" $context }}
key: password
optional: true
{{- end }}
{{- if (and $context.Values.mastodon.s3.enabled $context.Values.mastodon.s3.existingSecret) }}
- name: "AWS_SECRET_ACCESS_KEY"
valueFrom:
@@ -114,18 +201,80 @@ spec:
name: {{ $context.Values.mastodon.s3.existingSecret }}
key: AWS_ACCESS_KEY_ID
{{- end }}
{{- if (not $context.Values.mastodon.s3.enabled) }}
{{- if and $context.Values.mastodon.deepl.enabled }}
- name: "DEEPL_API_KEY"
valueFrom:
secretKeyRef:
name: {{ $context.Values.mastodon.deepl.apiKeySecretRef.name }}
key: {{ $context.Values.mastodon.deepl.apiKeySecretRef.key }}
{{- end }}
{{- if and $context.Values.mastodon.cacheBuster.enabled $context.Values.mastodon.cacheBuster.authToken.existingSecret }}
- name: CACHE_BUSTER_SECRET
valueFrom:
secretKeyRef:
name: {{ $context.Values.mastodon.cacheBuster.authToken.existingSecret }}
key: password
{{- end }}
{{- if or $context.Values.mastodon.sidekiq.otel.enabled (and $context.Values.mastodon.otel.enabled (ne $context.Values.mastodon.sidekiq.otel.enabled false)) }}
- name: OTEL_EXPORTER_OTLP_ENDPOINT
value: {{ coalesce $context.Values.mastodon.sidekiq.otel.endpointUri $context.Values.mastodon.otel.endpointUri }}
- name: OTEL_SERVICE_NAME_PREFIX
value: {{ coalesce $context.Values.mastodon.sidekiq.otel.namePrefix $context.Values.mastodon.otel.namePrefix }}
- name: OTEL_SERVICE_NAME_SEPARATOR
value: "{{ coalesce $context.Values.mastodon.sidekiq.otel.nameSeparator $context.Values.mastodon.otel.nameSeparator }}"
{{- end }}
{{- if $context.Values.mastodon.metrics.prometheus.enabled }}
- name: MASTODON_PROMETHEUS_EXPORTER_ENABLED
value: "true"
- name: MASTODON_PROMETHEUS_EXPORTER_LOCAL
value: "true"
- name: MASTODON_PROMETHEUS_EXPORTER_HOST
value: "0.0.0.0"
- name: MASTODON_PROMETHEUS_EXPORTER_PORT
value: "{{ $context.Values.mastodon.metrics.prometheus.port }}"
{{- if $context.Values.mastodon.metrics.prometheus.sidekiq.detailed }}
- name: MASTODON_PROMETHEUS_EXPORTER_SIDEKIQ_DETAILED_METRICS
value: "true"
{{- end }}
{{- end }}
{{- if $context.Values.mastodon.metrics.prometheus.enabled }}
ports:
- name: prometheus
containerPort: {{ $context.Values.mastodon.metrics.prometheus.port }}
{{- end }}
volumeMounts:
{{- if (not $context.Values.mastodon.s3.enabled) }}
- name: assets
mountPath: /opt/mastodon/public/assets
- name: system
mountPath: /opt/mastodon/public/system
{{- end }}
{{- if dig "customDatabaseConfigYml" "configMapRef" "name" false . }}
- name: config-database-yml
mountPath: /opt/mastodon/config/database.yml
subPath: {{ .customDatabaseConfigYml.configMapRef.key }}
{{- end }}
{{- with $context.Values.volumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- if $context.Values.mastodon.sidekiq.readinessProbe.enabled }}
readinessProbe:
failureThreshold: {{ default 10 $context.Values.mastodon.sidekiq.readinessProbe.failureThreshold }}
exec:
command:
- cat
- {{ required "A valid sidekiq readiness path is required." $context.Values.mastodon.sidekiq.readinessProbe.path }}
initialDelaySeconds: {{ default 10 $context.Values.mastodon.sidekiq.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ default 2 $context.Values.mastodon.sidekiq.readinessProbe.periodSeconds }}
successThreshold: {{ default 1 $context.Values.mastodon.sidekiq.readinessProbe.successThreshold }}
timeoutSeconds: {{ default 1 $context.Values.mastodon.sidekiq.readinessProbe.timeoutSeconds }}
{{- end }}
resources:
{{- toYaml (default (default $context.Values.resources $context.Values.mastodon.sidekiq.resources) .resources) | nindent 12 }}
{{- with $context.Values.nodeSelector }}
{{- include "mastodon.statsdExporterContainer" $ | indent 8 }}
{{- with coalesce .nodeSelector $context.Values.mastodon.sidekiq.nodeSelector $context.Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- . | toYaml | nindent 8 }}
{{- end }}
{{- with $context.Values.tolerations }}
tolerations:


@@ -4,8 +4,24 @@ metadata:
name: {{ include "mastodon.fullname" . }}-streaming
labels:
{{- include "mastodon.labels" . | nindent 4 }}
{{- with .Values.mastodon.streaming.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
{{- with .Values.deploymentAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.mastodon.streaming.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.mastodon.streaming.replicas }}
{{- if (ne (toString .Values.mastodon.revisionHistoryLimit) "<nil>") }}
revisionHistoryLimit: {{ .Values.mastodon.revisionHistoryLimit }}
{{- end }}
{{- if .Values.mastodon.streaming.updateStrategy }}
strategy: {{- toYaml .Values.mastodon.streaming.updateStrategy | nindent 4 }}
{{- end }}
selector:
matchLabels:
{{- include "mastodon.selectorLabels" . | nindent 6 }}
@@ -13,13 +29,23 @@ spec:
template:
metadata:
annotations:
{{- with (default .Values.podAnnotations .Values.mastodon.streaming.podAnnotations) }}
{{- with .Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.mastodon.streaming.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
# roll the pods to pick up any db migrations or other changes
{{- include "mastodon.rollingPodAnnotations" . | nindent 8 }}
labels:
{{- include "mastodon.globalLabels" . | nindent 8 }}
{{- include "mastodon.selectorLabels" . | nindent 8 }}
{{- with .Values.mastodon.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.mastodon.streaming.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
app.kubernetes.io/component: streaming
spec:
{{- with .Values.imagePullSecrets }}
@@ -31,33 +57,90 @@ spec:
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.mastodon.streaming.extraCerts }}
{{- $name := .name | default "extra-certs" }}
volumes:
- name: {{ $name }}
secret:
secretName: {{ .existingSecret }}
items:
- key: ca.crt
path: trusted-ca.crt
{{- end }}
containers:
- name: {{ .Chart.Name }}-streaming
{{- with (default .Values.securityContext .Values.mastodon.streaming.securityContext) }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
image: "{{ .Values.mastodon.streaming.image.repository }}:{{ coalesce .Values.mastodon.streaming.image.tag .Values.image.tag .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- node
- ./streaming
{{- with .Values.mastodon.streaming.extraCerts }}
{{- $name := .name | default "extra-certs" }}
volumeMounts:
- name: {{ $name }}
mountPath: "/usr/local/share/ca-certificates"
{{- end }}
envFrom:
- configMapRef:
name: {{ include "mastodon.fullname" . }}-env
{{- if .Values.mastodon.extraEnvFrom }}
- configMapRef:
name: {{ .Values.mastodon.extraEnvFrom }}
{{- end}}
env:
{{- with .Values.mastodon.streaming.extraCerts }}
- name: "NODE_EXTRA_CA_CERTS"
value: "/usr/local/share/ca-certificates/trusted-ca.crt"
{{- with .sslMode }}
- name: "DB_SSLMODE"
value: {{ . }}
{{- end }}
{{- end }}
{{- with .Values.postgresql.postgresqlReplicaHostname }}
- name: "DB_HOST"
value: {{ . }}
{{- end }}
- name: "DB_PASS"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.postgresql.secretName" . }}
key: password
{{- if .Values.postgresql.readReplica.auth.existingSecret }}
- name: "REPLICA_DB_PASS"
valueFrom:
secretKeyRef:
name: {{ .Values.postgresql.readReplica.auth.existingSecret }}
key: password
{{- end }}
- name: "REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.secretName" . }}
key: redis-password
{{- if and .Values.redis.sidekiq.enabled .Values.redis.sidekiq.auth.existingSecret }}
- name: "SIDEKIQ_REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.sidekiq.secretName" . }}
key: redis-password
{{- end }}
{{- if and .Values.redis.cache.enabled .Values.redis.cache.auth.existingSecret }}
- name: "CACHE_REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.cache.secretName" . }}
key: redis-password
{{- end }}
- name: "PORT"
value: {{ .Values.mastodon.streaming.port | quote }}
{{- range $k, $v := .Values.mastodon.streaming.extraEnvVars }}
- name: {{ $k }}
value: {{ quote $v }}
{{- end }}
ports:
- name: streaming
containerPort: {{ .Values.mastodon.streaming.port }}
@@ -70,18 +153,29 @@ spec:
httpGet:
path: /api/v1/streaming/health
port: streaming
startupProbe:
httpGet:
path: /api/v1/streaming/health
port: streaming
initialDelaySeconds: 5
failureThreshold: 15
periodSeconds: 5
{{- with (default .Values.resources .Values.mastodon.streaming.resources) }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.nodeSelector }}
{{- with coalesce .Values.mastodon.streaming.nodeSelector .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- . | toYaml | nindent 8 }}
{{- end }}
{{- with (default .Values.affinity .Values.mastodon.streaming.affinity) }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with (default .Values.topologySpreadConstraints .Values.mastodon.streaming.topologySpreadConstraints) }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
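Review bot: Supplying `extraCerts` (L3254–L3261) makes the streaming process trust the mounted CA through `NODE_EXTRA_CA_CERTS`, but `DB_SSLMODE` is only emitted when `.sslMode` is also set, so an operator who provides a CA and forgets `sslMode` gets whatever the streaming server's default mode is, which is not visible from this template and may not verify the server at all. Consider emitting the variable unconditionally inside that `with` block with a safe default, `- name: "DB_SSLMODE"` / `value: {{ .sslMode | default "verify-full" | quote }}` (assuming the streaming server accepts the libpq-style mode names), or at least state in the values documentation that a CA without `sslMode: verify-full` does not pin the database connection. `DB_HOST` at L3264 and the `sslMode` value at L3259 are also rendered unquoted; piping them through `quote` avoids YAML re-typing of host-like or boolean-like strings.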


@@ -4,8 +4,24 @@ metadata:
name: {{ include "mastodon.fullname" . }}-web
labels:
{{- include "mastodon.labels" . | nindent 4 }}
{{- with .Values.mastodon.web.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
{{- with .Values.deploymentAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.mastodon.web.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.mastodon.web.replicas }}
{{- if (ne (toString .Values.mastodon.revisionHistoryLimit) "<nil>") }}
revisionHistoryLimit: {{ .Values.mastodon.revisionHistoryLimit }}
{{- end }}
{{- if .Values.mastodon.web.updateStrategy }}
strategy: {{- toYaml .Values.mastodon.web.updateStrategy | nindent 4 }}
{{- end }}
selector:
matchLabels:
{{- include "mastodon.selectorLabels" . | nindent 6 }}
@@ -14,13 +30,24 @@ spec:
template:
metadata:
annotations:
{{- with (default .Values.podAnnotations .Values.mastodon.web.podAnnotations) }}
{{- with .Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.mastodon.web.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
# roll the pods to pick up any db migrations or other changes
{{- include "mastodon.rollingPodAnnotations" . | nindent 8 }}
labels:
{{- include "mastodon.globalLabels" . | nindent 8 }}
{{- include "mastodon.selectorLabels" . | nindent 8 }}
{{- include "mastodon.statsdExporterLabels" . | nindent 8 }}
{{- with .Values.mastodon.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.mastodon.web.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: rails
spec:
@@ -33,14 +60,23 @@ spec:
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if (not .Values.mastodon.s3.enabled) }}
volumes:
{{- if (not .Values.mastodon.s3.enabled) }}
- name: assets
persistentVolumeClaim:
claimName: {{ template "mastodon.fullname" . }}-assets
claimName: {{ template "mastodon.pvc.assets" . }}
- name: system
persistentVolumeClaim:
claimName: {{ template "mastodon.fullname" . }}-system
claimName: {{ template "mastodon.pvc.system" . }}
{{- end }}
{{- include "mastodon.statsdExporterVolume" $ | indent 8 }}
{{- if .Values.mastodon.web.customDatabaseConfigYml.configMapRef.name }}
- name: config-database-yml
configMap:
name: {{ .Values.mastodon.web.customDatabaseConfigYml.configMapRef.name }}
{{- end }}
{{- with .Values.volumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: {{ .Chart.Name }}-web
@@ -48,7 +84,7 @@ spec:
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
image: "{{ coalesce .Values.mastodon.web.image.repository .Values.image.repository }}:{{ coalesce .Values.mastodon.web.image.tag .Values.image.tag .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- bundle
@@ -61,17 +97,49 @@ spec:
name: {{ include "mastodon.fullname" . }}-env
- secretRef:
name: {{ template "mastodon.secretName" . }}
{{- if .Values.mastodon.extraEnvFrom }}
- configMapRef:
name: {{ .Values.mastodon.extraEnvFrom }}
{{- end}}
env:
- name: "DB_PASS"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.postgresql.secretName" . }}
key: password
{{- if .Values.postgresql.readReplica.auth.existingSecret }}
- name: "REPLICA_DB_PASS"
valueFrom:
secretKeyRef:
name: {{ .Values.postgresql.readReplica.auth.existingSecret}}
key: password
{{- end }}
- name: "REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.secretName" . }}
key: redis-password
{{- if and .Values.redis.sidekiq.enabled .Values.redis.sidekiq.auth.existingSecret }}
- name: "SIDEKIQ_REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.sidekiq.secretName" . }}
key: redis-password
{{- end }}
{{- if and .Values.redis.cache.enabled .Values.redis.cache.auth.existingSecret }}
- name: "CACHE_REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.cache.secretName" . }}
key: redis-password
{{- end }}
{{- if and .Values.elasticsearch.existingSecret (or .Values.elasticsearch.enabled .Values.elasticsearch.hostname) }}
- name: "ES_PASS"
valueFrom:
secretKeyRef:
name: {{ .Values.elasticsearch.existingSecret }}
key: password
{{- end }}
- name: "PORT"
value: {{ .Values.mastodon.web.port | quote }}
{{- if .Values.mastodon.web.minThreads }}
@@ -102,13 +170,64 @@ spec:
name: {{ .Values.mastodon.s3.existingSecret }}
key: AWS_ACCESS_KEY_ID
{{- end }}
{{- if (not .Values.mastodon.s3.enabled) }}
{{- if .Values.mastodon.deepl.enabled }}
- name: "DEEPL_API_KEY"
valueFrom:
secretKeyRef:
name: {{ .Values.mastodon.deepl.apiKeySecretRef.name }}
key: {{ .Values.mastodon.deepl.apiKeySecretRef.key }}
{{- end }}
{{- if .Values.mastodon.hcaptcha.enabled }}
- name: "HCAPTCHA_SECRET_KEY"
valueFrom:
secretKeyRef:
name: {{ .Values.mastodon.hcaptcha.secretKeySecretRef.name }}
key: {{ .Values.mastodon.hcaptcha.secretKeySecretRef.key }}
{{- end }}
{{- if and .Values.mastodon.cacheBuster.enabled .Values.mastodon.cacheBuster.authToken.existingSecret }}
- name: CACHE_BUSTER_SECRET
valueFrom:
secretKeyRef:
name: {{ .Values.mastodon.cacheBuster.authToken.existingSecret }}
key: password
{{- end }}
{{- if or .Values.mastodon.web.otel.enabled (and .Values.mastodon.otel.enabled (ne .Values.mastodon.web.otel.enabled false)) }}
- name: OTEL_EXPORTER_OTLP_ENDPOINT
value: {{ coalesce .Values.mastodon.web.otel.endpointUri .Values.mastodon.otel.endpointUri }}
- name: OTEL_SERVICE_NAME_PREFIX
value: {{ coalesce .Values.mastodon.web.otel.namePrefix .Values.mastodon.otel.namePrefix }}
- name: OTEL_SERVICE_NAME_SEPARATOR
value: "{{ coalesce .Values.mastodon.web.otel.nameSeparator .Values.mastodon.otel.nameSeparator }}"
{{- end }}
{{- if .Values.mastodon.metrics.prometheus.enabled }}
- name: MASTODON_PROMETHEUS_EXPORTER_ENABLED
value: "true"
- name: PROMETHEUS_EXPORTER_HOST
value: "127.0.0.1"
- name: PROMETHEUS_EXPORTER_PORT
value: "{{ .Values.mastodon.metrics.prometheus.port }}"
{{- if .Values.mastodon.metrics.prometheus.web.detailed }}
- name: MASTODON_PROMETHEUS_EXPORTER_WEB_DETAILED_METRICS
value: "true"
{{- end }}
{{- end }}
- name: TEST_ENV_VALUE
value: {{ .Values.mastodon.metrics.statsd.address }}
volumeMounts:
{{- if (not .Values.mastodon.s3.enabled) }}
- name: assets
mountPath: /opt/mastodon/public/assets
- name: system
mountPath: /opt/mastodon/public/system
{{- end }}
{{- if .Values.mastodon.web.customDatabaseConfigYml.configMapRef.name }}
- name: config-database-yml
mountPath: /opt/mastodon/config/database.yml
subPath: {{ .Values.mastodon.web.customDatabaseConfigYml.configMapRef.key }}
{{- end }}
{{- with .Values.volumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
ports:
- name: http
containerPort: {{ .Values.mastodon.web.port }}
@@ -124,21 +243,48 @@ spec:
httpGet:
path: /health
port: http
initialDelaySeconds: 15
failureThreshold: 30
periodSeconds: 5
{{- with (default .Values.resources .Values.mastodon.web.resources) }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.nodeSelector }}
{{- if .Values.mastodon.metrics.prometheus.enabled }}
- name: prometheus-exporter
image: "{{ coalesce .Values.mastodon.web.image.repository .Values.image.repository }}:{{ coalesce .Values.mastodon.web.image.tag .Values.image.tag .Chart.AppVersion }}"
command:
- ./bin/prometheus_exporter
args:
- "--bind"
- "0.0.0.0"
- "--port"
- "{{ .Values.mastodon.metrics.prometheus.port }}"
resources:
requests:
cpu: "0.1"
memory: "180M"
limits:
cpu: "0.5"
memory: "250M"
ports:
- name: prometheus
containerPort: {{ .Values.mastodon.metrics.prometheus.port }}
{{- end }}
{{- include "mastodon.statsdExporterContainer" $ | indent 8 }}
{{- with coalesce .Values.mastodon.web.nodeSelector .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- . | toYaml | nindent 8 }}
{{- end }}
{{- with (default .Values.affinity .Values.mastodon.web.affinity) }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
{{- with (default .Values.topologySpreadConstraints .Values.mastodon.web.topologySpreadConstraints) }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with (default .Values.tolerations .Values.mastodon.web.tolerations) }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
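Review bot: The new `prometheus-exporter` sidecar (L3557–L3575) is rendered with neither a `securityContext` nor an `imagePullPolicy`, unlike the `-web` container immediately above it (L3420–L3425), so any non-root / read-only / capability-drop settings the operator placed in `.Values.securityContext` or `.Values.mastodon.web.securityContext` silently do not apply to a container that binds on `0.0.0.0`; it should inherit the same block, and with `0.0.0.0` the metrics port is reachable from any pod unless a NetworkPolicy restricts it, which is worth a values comment. Separately, `TEST_ENV_VALUE` at L3524–L3525 reads like leftover debugging: it is emitted unconditionally and, when `metrics.statsd.address` is unset, renders `value:` as null, which is rejected for an env entry; drop it or wrap it in `with`.
```yaml
        - name: prometheus-exporter
          image: "{{ coalesce .Values.mastodon.web.image.repository .Values.image.repository }}:{{ coalesce .Values.mastodon.web.image.tag .Values.image.tag .Chart.AppVersion }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          {{- with (default .Values.securityContext .Values.mastodon.web.securityContext) }}
          securityContext:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          # … unchanged: command, args, resources, ports …
```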


@@ -0,0 +1,57 @@
{{- if .Values.ingress.streaming.enabled -}}
{{- $fullName := include "mastodon.fullname" . -}}
{{- $webPort := .Values.mastodon.web.port -}}
{{- $streamingPort := .Values.mastodon.streaming.port -}}
{{- if or (.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") (not (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress")) -}}
apiVersion: networking.k8s.io/v1
{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}-streaming
labels:
{{- include "mastodon.labels" . | nindent 4 }}
{{- with .Values.ingress.streaming.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if .Values.ingress.streaming.ingressClassName }}
ingressClassName: {{ .Values.ingress.streaming.ingressClassName }}
{{- end }}
{{- if .Values.ingress.streaming.tls }}
tls:
{{- range .Values.ingress.streaming.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.streaming.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ .path }}api/v1/streaming
backend:
{{- if or ($.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") (not ($.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress")) }}
service:
name: {{ $fullName }}-streaming
port:
number: {{ $streamingPort }}
{{- else }}
serviceName: {{ $fullName }}-streaming
servicePort: {{ $streamingPort }}
{{- end }}
{{- if or ($.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") (not ($.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress")) }}
pathType: Prefix
{{- end }}
{{- end }}
{{- end }}
{{- end }}
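Review bot: `$webPort` at L3602 is assigned but never referenced anywhere in this template; drop the line so a reader does not look for a web backend that is not there. The path at L3640 is built by plain concatenation and rendered unquoted, so it depends on every `.path` entry ending in `/` and on the result not starting with a YAML indicator; `- path: {{ printf "%sapi/v1/streaming" .path | quote }}` makes that explicit, and a short comment in values that `path` must end with `/` would prevent `/mastodonapi/v1/streaming`-style mistakes. `secretName: {{ .secretName }}` at L3631 and `ingressClassName` at L3622 would benefit from `quote` for the same reason.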


@@ -52,6 +52,7 @@ spec:
{{- if or ($.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") (not ($.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress")) }}
pathType: Prefix
{{- end }}
{{- if not $.Values.ingress.streaming.enabled }}
- path: {{ .path }}api/v1/streaming
backend:
{{- if or ($.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") (not ($.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress")) }}
@@ -67,5 +68,6 @@ spec:
pathType: Prefix
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
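Review bot: The guard at L3664 removes the streaming path from this ingress whenever the separate streaming ingress is enabled, but nothing ties the two host lists together, so a deployment whose `ingress.streaming.hosts` differ from `ingress.hosts` leaves the web host with no `/api/v1/streaming` route at all. That is presumably intentional, but it deserves a comment next to the guard, e.g. `{{- /* streaming is routed by ingress-streaming.yaml when enabled; its hosts must cover every web host that serves clients */ -}}`, and the same sentence in the values documentation for `ingress.streaming`.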


@@ -0,0 +1,97 @@
{{- if .Values.mastodon.hooks.s3Upload.enabled -}}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "mastodon.fullname" . }}-assets-upload
labels:
{{- include "mastodon.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"helm.sh/hook-weight": "-1"
spec:
template:
metadata:
name: {{ include "mastodon.fullname" . }}-assets-upload
{{- with .Values.jobAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
restartPolicy: Never
initContainers:
- name: extract-assets
image: "{{ coalesce .Values.mastodon.web.image.repository .Values.image.repository }}:{{ coalesce .Values.mastodon.web.image.tag .Values.image.tag .Chart.AppVersion }}"
imagePullPolicy: Always
command:
- cp
args:
- -rv
- public
- /assets
volumeMounts:
- mountPath: /assets
name: assets
containers:
- name: upload-assets
image: rclone/rclone:1
imagePullPolicy: Always
env:
- name: RCLONE_S3_NO_CHECK_BUCKET
value: "true"
- name: RCLONE_S3_ACL
value: {{ required "Please specify a canned ACL for S3 asset uploads" .Values.mastodon.hooks.s3Upload.acl }}
- name: RCLONE_CONFIG_REMOTE_TYPE
value: s3
- name: RCLONE_CONFIG_REMOTE_PROVIDER
value: AWS
- name: RCLONE_CONFIG_REMOTE_ENDPOINT
value: {{ required "Please specify an endpoint for S3 asset uploads" .Values.mastodon.hooks.s3Upload.endpoint }}
- name: RCLONE_CONFIG_REMOTE_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: {{ required "Please specify a secret with S3 credentials for S3 asset uploads" .Values.mastodon.hooks.s3Upload.secretRef.name }}
key: {{ .Values.mastodon.hooks.s3Upload.secretRef.keys.accesKeyId }}
- name: RCLONE_CONFIG_REMOTE_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: {{ required "Please specify a secret with S3 credentials for S3 asset uploads" .Values.mastodon.hooks.s3Upload.secretRef.name }}
key: {{ .Values.mastodon.hooks.s3Upload.secretRef.keys.secretAccessKey }}
{{- with .Values.mastodon.hooks.s3Upload.rclone.env }}
{{- toYaml . | nindent 12 }}
{{- end }}
command:
- rclone
args:
- copy
- /assets/public
- "remote:{{ required "Please specify a bucket for S3 asset uploads" .Values.mastodon.hooks.s3Upload.bucket }}"
- --fast-list
- --transfers=32
- --include
- "{assets,packs}/**"
- --progress
- -vv
volumeMounts:
- mountPath: /assets
name: assets
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
memory: 500Mi
volumes:
- name: assets
emptyDir: {}
{{- with coalesce .Values.mastodon.hooks.s3Upload.nodeSelector .Values.nodeSelector }}
nodeSelector:
{{- . | toYaml | nindent 8 }}
{{- end }}
{{- end -}}
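Review bot: The upload container at L3720–L3721 pulls the floating `rclone/rclone:1` tag with `imagePullPolicy: Always` while holding the S3 access key and secret, so every install or upgrade runs whatever that mutable tag currently points at with the bucket credentials; pin it to a specific version or digest and expose it through values, e.g. `image: {{ .Values.mastodon.hooks.s3Upload.rclone.image | default "rclone/rclone:1.x.y" | quote }} # pin to a digest in production`. Neither container in the job carries a `securityContext`, unlike the deployments in this change. There is also a bare `volumes:` key at L3703 followed by a second `volumes:` at L3767, which renders a duplicate key (the first null) that strict YAML decoders and `helm lint` reject; delete L3703. The key name `accesKeyId` at L3737 looks like a typo for `accessKeyId` — fine if values.yaml spells it the same way, but worth checking before it is frozen into the public interface.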


@@ -1,79 +0,0 @@
{{- if .Values.elasticsearch.enabled -}}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "mastodon.fullname" . }}-chewy-upgrade
labels:
{{- include "mastodon.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-install
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"helm.sh/hook-weight": "-1"
spec:
template:
metadata:
name: {{ include "mastodon.fullname" . }}-chewy-upgrade
{{- with .Values.jobAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
restartPolicy: Never
{{- if (not .Values.mastodon.s3.enabled) }}
# ensure we run on the same node as the other rails components; only
# required when using PVCs that are ReadWriteOnce
{{- if or (eq "ReadWriteOnce" .Values.mastodon.persistence.assets.accessMode) (eq "ReadWriteOnce" .Values.mastodon.persistence.system.accessMode) }}
affinity:
podAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app.kubernetes.io/part-of
operator: In
values:
- rails
topologyKey: kubernetes.io/hostname
{{- end }}
volumes:
- name: assets
persistentVolumeClaim:
claimName: {{ template "mastodon.fullname" . }}-assets
- name: system
persistentVolumeClaim:
claimName: {{ template "mastodon.fullname" . }}-system
{{- end }}
containers:
- name: {{ include "mastodon.fullname" . }}-chewy-setup
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- bundle
- exec
- rake
- chewy:upgrade
envFrom:
- configMapRef:
name: {{ include "mastodon.fullname" . }}-env
- secretRef:
name: {{ template "mastodon.secretName" . }}
env:
- name: "DB_PASS"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.postgresql.secretName" . }}
key: password
- name: "REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.secretName" . }}
key: redis-password
- name: "PORT"
value: {{ .Values.mastodon.web.port | quote }}
{{- if (not .Values.mastodon.s3.enabled) }}
volumeMounts:
- name: assets
mountPath: /opt/mastodon/public/assets
- name: system
mountPath: /opt/mastodon/public/system
{{- end }}
{{- end }}


@@ -37,10 +37,10 @@ spec:
volumes:
- name: assets
persistentVolumeClaim:
claimName: {{ template "mastodon.fullname" . }}-assets
claimName: {{ template "mastodon.pvc.assets" . }}
- name: system
persistentVolumeClaim:
claimName: {{ template "mastodon.fullname" . }}-system
claimName: {{ template "mastodon.pvc.system" . }}
{{- end }}
containers:
- name: {{ include "mastodon.fullname" . }}-create-admin
@@ -72,6 +72,20 @@ spec:
secretKeyRef:
name: {{ template "mastodon.redis.secretName" . }}
key: redis-password
{{- if and .Values.redis.sidekiq.enabled .Values.redis.sidekiq.auth.existingSecret }}
- name: "SIDEKIQ_REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.sidekiq.secretName" . }}
key: redis-password
{{- end }}
{{- if and .Values.redis.cache.enabled .Values.redis.cache.auth.existingSecret }}
- name: "CACHE_REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.cache.secretName" . }}
key: redis-password
{{- end }}
- name: "PORT"
value: {{ .Values.mastodon.web.port | quote }}
{{- if (not .Values.mastodon.s3.enabled) }}
@@ -81,4 +95,8 @@ spec:
- name: system
mountPath: /opt/mastodon/public/system
{{- end }}
{{- with coalesce .Values.mastodon.createAdmin.nodeSelector .Values.nodeSelector }}
nodeSelector:
{{- . | toYaml | nindent 8 }}
{{- end }}
{{- end }}


@@ -1,77 +1,7 @@
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "mastodon.fullname" . }}-db-migrate
labels:
{{- include "mastodon.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-install,pre-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"helm.sh/hook-weight": "-2"
spec:
template:
metadata:
name: {{ include "mastodon.fullname" . }}-db-migrate
{{- with .Values.jobAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- if .Values.mastodon.hooks.dbMigrate.enabled }}
{{- include "mastodon.dbMigrateJob" (merge (dict "preDeploy" false ) .) }}
{{- with coalesce .Values.mastodon.hooks.dbMigrate.nodeSelector .Values.nodeSelector }}
nodeSelector:
{{- . | toYaml | nindent 8 }}
{{- end }}
spec:
restartPolicy: Never
{{- if (not .Values.mastodon.s3.enabled) }}
# ensure we run on the same node as the other rails components; only
# required when using PVCs that are ReadWriteOnce
{{- if or (eq "ReadWriteOnce" .Values.mastodon.persistence.assets.accessMode) (eq "ReadWriteOnce" .Values.mastodon.persistence.system.accessMode) }}
affinity:
podAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app.kubernetes.io/part-of
operator: In
values:
- rails
topologyKey: kubernetes.io/hostname
{{- end }}
volumes:
- name: assets
persistentVolumeClaim:
claimName: {{ template "mastodon.fullname" . }}-assets
- name: system
persistentVolumeClaim:
claimName: {{ template "mastodon.fullname" . }}-system
{{- end }}
containers:
- name: {{ include "mastodon.fullname" . }}-db-migrate
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- bundle
- exec
- rake
- db:migrate
envFrom:
- configMapRef:
name: {{ include "mastodon.fullname" . }}-env
- secretRef:
name: {{ template "mastodon.secretName" . }}
env:
- name: "DB_PASS"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.postgresql.secretName" . }}
key: password
- name: "REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.secretName" . }}
key: redis-password
- name: "PORT"
value: {{ .Values.mastodon.web.port | quote }}
{{- if (not .Values.mastodon.s3.enabled) }}
volumeMounts:
- name: assets
mountPath: /opt/mastodon/public/assets
- name: system
mountPath: /opt/mastodon/public/system
{{- end }}
{{- end }}
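Review bot: The new file body (L3925–L3930) appends a `nodeSelector:` block at a fixed eight-space indent after `include "mastodon.dbMigrateJob"`, so the result is only valid if the helper's output ends exactly at the pod-spec level and emits no trailing keys; the helper lives outside this hunk, so that cannot be checked here, and any later change to it will silently mis-nest the selector. Passing the selector into the helper instead keeps the layout in one place: `{{- include "mastodon.dbMigrateJob" (merge (dict "preDeploy" false "nodeSelector" (coalesce .Values.mastodon.hooks.dbMigrate.nodeSelector .Values.nodeSelector)) .) }}`, with the helper rendering it where the pod spec is built. The same pattern is repeated in the pre-deploy and db-prepare templates and would be fixed by the same change.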


@@ -0,0 +1,7 @@
{{- if .Values.mastodon.hooks.dbMigrate.enabled }}
{{- include "mastodon.dbMigrateJob" (merge (dict "preDeploy" true ) .) }}
{{- with coalesce .Values.mastodon.hooks.dbMigrate.nodeSelector .Values.nodeSelector }}
nodeSelector:
{{- . | toYaml | nindent 8 }}
{{- end }}
{{- end }}


@@ -0,0 +1,7 @@
{{- if and .Values.mastodon.hooks.dbPrepare.enabled (not .Values.postgresql.enabled) }}
{{- include "mastodon.dbMigrateJob" (merge (dict "prepare" true ) .) }}
{{- with coalesce .Values.mastodon.hooks.dbPrepare.nodeSelector .Values.nodeSelector }}
nodeSelector:
{{- . | toYaml | nindent 8 }}
{{- end }}
{{- end }}


@@ -1,17 +1,19 @@
{{- if and .Values.mastodon.hooks.deploySearch.enabled .Values.elasticsearch.enabled -}}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "mastodon.fullname" . }}-assets-precompile
name: {{ include "mastodon.fullname" . }}-deploy-search
labels:
{{- include "mastodon.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-install
"helm.sh/hook": post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"helm.sh/hook-weight": "-2"
spec:
suspend: false
template:
metadata:
name: {{ include "mastodon.fullname" . }}-assets-precompile
name: {{ include "mastodon.fullname" . }}-deploy-search
{{- with .Values.jobAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
@@ -21,17 +23,17 @@ spec:
{{- if (not .Values.mastodon.s3.enabled) }}
# ensure we run on the same node as the other rails components; only
# required when using PVCs that are ReadWriteOnce
{{- if or (eq "ReadWriteOnce" .Values.mastodon.persistence.assets.accessMode) (eq "ReadWriteOnce" .Values.mastodon.persistence.system.accessMode) }}
{{- if or (eq "ReadWriteOnce" .Values.mastodon.persistence.assets.accessMode) (eq "ReadWriteOnce" .Values.persistence.system.accessMode) }}
affinity:
podAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app.kubernetes.io/part-of
operator: In
values:
- rails
topologyKey: kubernetes.io/hostname
- labelSelector:
matchExpressions:
- key: app.kubernetes.io/part-of
operator: In
values:
- rails
topologyKey: kubernetes.io/hostname
{{- end }}
volumes:
- name: assets
@@ -42,19 +44,42 @@ spec:
claimName: {{ template "mastodon.fullname" . }}-system
{{- end }}
containers:
- name: {{ include "mastodon.fullname" . }}-assets-precompile
- name: {{ include "mastodon.fullname" . }}-deploy-search
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- with .Values.mastodon.hooks.deploySearch }}
{{- with .resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
command:
- bash
- -c
- |
bundle exec rake assets:precompile && yarn cache clean
- bin/tootctl
- search
- deploy
{{- with .concurrency }}
- '--concurrency'
- {{ . | quote }}
{{- end }}
{{- if .resetChewy }}
- '--reset-chewy'
{{- end }}
{{- with .batchSize }}
- '--batch-size'
- {{ . | quote }}
{{- end }}
{{- with .only }}
{{- if not (has . (list "instances" "accounts" "tags" "statuses" "public_statuses")) -}}
{{ fail "mastodon.hooks.deploySearch.only: Value must be one of the following words: instances, accounts, tags, statuses, public_statuses"}}
{{- end }}
- '--only'
- {{ . | quote }}
{{- end }}
{{- end }}
envFrom:
- configMapRef:
name: {{ include "mastodon.fullname" . }}-env
- secretRef:
name: {{ template "mastodon.secretName" . }}
name: {{ template "mastodon.secretName" $ }}
env:
- name: "DB_PASS"
valueFrom:
@@ -75,3 +100,4 @@ spec:
- name: system
mountPath: /opt/mastodon/public/system
{{- end }}
{{- end }}
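Review bot: The claim names in the `@@ -42,19 +44,42 @@` hunk still derive from the release name (`claimName: {{ template "mastodon.fullname" . }}-system`, and presumably the assets claim just above it), while the same change makes the PVC templates skip creation when `persistence.*.existingClaim` is set and switches the set-admin-password job to `claimName: {{ template "mastodon.pvc.system" . }}`; with an existing claim configured this job would mount a PVC that is never created. Switching both claimName lines to the `mastodon.pvc.assets` / `mastodon.pvc.system` helpers keeps the jobs consistent. In the `@@ -21,17 +23,17 @@` hunk one side of the access-mode condition reads `.Values.persistence.system.accessMode` rather than `.Values.mastodon.persistence.system.accessMode`; if that is the new side it does not match the `mastodon.persistence.system` layout in values.yaml and would fail to render whenever S3 is disabled. The Job's pod spec in that hunk starts outside the visible lines.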


@@ -37,10 +37,10 @@ spec:
volumes:
- name: assets
persistentVolumeClaim:
claimName: {{ template "mastodon.fullname" . }}-assets
claimName: {{ template "mastodon.pvc.assets" . }}
- name: system
persistentVolumeClaim:
claimName: {{ template "mastodon.fullname" . }}-system
claimName: {{ template "mastodon.pvc.system" . }}
{{- end }}
containers:
- name: {{ include "mastodon.fullname" . }}-set-admin-password
@@ -49,7 +49,7 @@ spec:
command:
- "/bin/bash"
- "-c"
- "echo \"account=Account.find_by(username:'{{ .Values.mastodon.createAdmin.username }}') ; user=User.find_by(account:account) ; user.password='{{ .Values.mastodon.createAdmin.password }}' ; user.save!\" | rails c"
- "echo \"account=Account.find_by(username:'{{ .Values.mastodon.createAdmin.username }}') ; user=User.find_by(account:account) ; user.password='{{ .Values.mastodon.createAdmin.password }}' ; user.save!\" | rails c && /opt/mastodon/bin/tootctl accounts approve {{ .Values.mastodon.createAdmin.username }}"
envFrom:
- configMapRef:
name: {{ include "mastodon.fullname" . }}-env
@@ -70,6 +70,20 @@ spec:
secretKeyRef:
name: {{ template "mastodon.redis.secretName" . }}
key: redis-password
{{- if and .Values.redis.sidekiq.enabled .Values.redis.sidekiq.auth.existingSecret }}
- name: "SIDEKIQ_REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.sidekiq.secretName" . }}
key: redis-password
{{- end }}
{{- if and .Values.redis.cache.enabled .Values.redis.cache.auth.existingSecret }}
- name: "CACHE_REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.cache.secretName" . }}
key: redis-password
{{- end }}
- name: "PORT"
value: {{ .Values.mastodon.web.port | quote }}
{{- if (not .Values.mastodon.s3.enabled) }}
@@ -79,4 +93,8 @@ spec:
- name: system
mountPath: /opt/mastodon/public/system
{{- end }}
{{- with coalesce .Values.mastodon.createAdmin.nodeSelector .Values.nodeSelector }}
nodeSelector:
{{- . | toYaml | nindent 8 }}
{{- end }}
{{- end }}
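Review bot: The command in the `@@ -49,7 +49,7 @@` hunk embeds `.Values.mastodon.createAdmin.password` verbatim in the container args, so the admin password is readable from the Job and Pod manifests by anyone who can `get` jobs or pods in the namespace, and the username is now interpolated unquoted into bash a second time for `tootctl accounts approve`. Supplying the password through `env` from a Secret (the template already does this for `DB_PASS` and `REDIS_PASSWORD`) and reading it via `ENV[...]` inside the `rails c` snippet keeps it out of the pod spec, and passing the username as a quoted argument avoids word-splitting on unusual values. This is pre-existing behaviour that the change extends rather than introduces; the container block starts outside the hunk.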


@@ -0,0 +1,19 @@
{{- if .Values.mastodon.streaming.pdb.enable }}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ include "mastodon.fullname" . }}-streaming
labels:
{{- include "mastodon.labels" . | nindent 4 }}
spec:
{{- if .Values.mastodon.streaming.pdb.minAvailable }}
minAvailable: {{ .Values.mastodon.streaming.pdb.minAvailable }}
{{- end }}
{{- if .Values.mastodon.streaming.pdb.maxUnavailable }}
maxUnavailable: {{ .Values.mastodon.streaming.pdb.maxUnavailable }}
{{- end }}
selector:
matchLabels:
{{- include "mastodon.selectorLabels" . | nindent 6 }}
app.kubernetes.io/component: streaming
{{- end }}
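Review bot: The spec emits both `minAvailable` and `maxUnavailable` when both values are set, which the API server rejects for a PodDisruptionBudget; a guard before `spec:` such as `{{- if and .Values.mastodon.streaming.pdb.minAvailable .Values.mastodon.streaming.pdb.maxUnavailable }}{{ fail "mastodon.streaming.pdb: set only one of minAvailable or maxUnavailable" }}{{- end }}` turns the conflict into a render-time error. Because a truthiness test is used, `minAvailable: 0` or `maxUnavailable: 0` is silently dropped rather than rendered; `hasKey` on the `pdb` map would be needed if zero is a meaningful setting. The web PDB template in this change has the same shape and would take the same guard.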


@@ -0,0 +1,20 @@
{{- if .Values.mastodon.web.pdb.enable }}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ include "mastodon.fullname" . }}-web
labels:
{{- include "mastodon.labels" . | nindent 4 }}
spec:
{{- if .Values.mastodon.web.pdb.minAvailable }}
minAvailable: {{ .Values.mastodon.web.pdb.minAvailable }}
{{- end }}
{{- if .Values.mastodon.web.pdb.maxUnavailable }}
maxUnavailable: {{ .Values.mastodon.web.pdb.maxUnavailable }}
{{- end }}
selector:
matchLabels:
{{- include "mastodon.selectorLabels" . | nindent 6 }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: rails
{{- end }}


@@ -1,4 +1,4 @@
{{- if (not .Values.mastodon.s3.enabled) -}}
{{- if and (not .Values.mastodon.s3.enabled) (not .Values.mastodon.persistence.assets.existingClaim) -}}
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
@@ -7,7 +7,7 @@ metadata:
{{- include "mastodon.labels" . | nindent 4 }}
spec:
accessModes:
- {{ .Values.mastodon.persistence.system.accessMode }}
- {{ .Values.mastodon.persistence.assets.accessMode }}
{{- with .Values.mastodon.persistence.assets.resources }}
resources:
{{- toYaml . | nindent 4 }}


@@ -1,4 +1,4 @@
{{- if (not .Values.mastodon.s3.enabled) -}}
{{- if and (not .Values.mastodon.s3.enabled) (not .Values.mastodon.persistence.system.existingClaim) -}}
apiVersion: v1
kind: PersistentVolumeClaim
metadata:


@@ -0,0 +1,3 @@
{{- if and (include "mastodon.createSecret" .) (not .Values.postgresql.enabled) -}}
{{- include "mastodon.secrets.object" (merge (dict "prepare" true ) .) }}
{{- end }}


@@ -0,0 +1,19 @@
{{- if not .Values.redis.enabled }}
{{- if and (not .Values.redis.auth.existingSecret) (not .Values.redis.existingSecret) }}
{{- if .Values.redis.auth.password }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "mastodon.redis.secretName" . }}-pre-install
labels:
{{- include "mastodon.labels" . | nindent 4 }}
annotations:
helm.sh/hook: pre-install
helm.sh/hook-weight: "-5"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
type: Opaque
data:
redis-password: "{{ .Values.redis.auth.password | b64enc }}"
{{- end }}
{{- end }}
{{- end }}


@@ -0,0 +1,19 @@
{{- if .Values.redis.enabled }}
{{- if and (not .Values.redis.auth.existingSecret) (not .Values.redis.existingSecret) }}
{{- if .Values.redis.auth.password }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "mastodon.redis.secretName" . }}
labels:
{{- include "mastodon.labels" . | nindent 4 }}
annotations:
helm.sh/hook: pre-install
helm.sh/hook-weight: "-5"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
type: Opaque
data:
redis-password: "{{ .Values.redis.auth.password | b64enc }}"
{{- end }}
{{- end }}
{{- end }}


@@ -0,0 +1,16 @@
{{- if and .Values.mastodon.smtp.bulk.enabled (not .Values.mastodon.smtp.bulk.existingSecret) -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ printf "%s-smtp-bulk" (include "mastodon.fullname" .) }}
labels:
{{- include "mastodon.labels" . | nindent 4 }}
type: Opaque
data:
{{- with .Values.mastodon.smtp.bulk.login }}
login: {{ . | b64enc }}
{{- end }}
{{- with .Values.mastodon.smtp.bulk.password }}
password: {{ . | b64enc }}
{{- end }}
{{- end }}
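Review bot: The `login` and `password` data values are emitted unquoted (`login: {{ . | b64enc }}`) while the other Secret templates in this change quote their base64 output (`redis-password: "{{ .Values.redis.auth.password | b64enc }}"`); writing `login: {{ . | b64enc | quote }}` and the same for `password` keeps the style consistent and rules out plain-scalar interpretation of the encoded value. Both fields are individually optional, so a bulk Secret with a login but no password renders without complaint; if the consumer needs both, wrapping each in `required` would surface the misconfiguration at render time instead of at first send.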


@@ -2,7 +2,7 @@
apiVersion: v1
kind: Secret
metadata:
name: {{ printf "%s-smtp" (include "common.names.fullname" .) }}
name: {{ printf "%s-smtp" (include "mastodon.fullname" .) }}
labels:
{{- include "mastodon.labels" . | nindent 4 }}
type: Opaque


@@ -1,43 +1,3 @@
{{- if (include "mastodon.createSecret" .) -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "mastodon.fullname" . }}
labels:
{{- include "mastodon.labels" . | nindent 4 }}
type: Opaque
data:
{{- if .Values.mastodon.s3.enabled }}
{{- if not .Values.mastodon.s3.existingSecret }}
AWS_ACCESS_KEY_ID: "{{ .Values.mastodon.s3.access_key | b64enc }}"
AWS_SECRET_ACCESS_KEY: "{{ .Values.mastodon.s3.access_secret | b64enc }}"
{{- end }}
{{- end }}
{{- if not .Values.mastodon.secrets.existingSecret }}
{{- if not (empty .Values.mastodon.secrets.secret_key_base) }}
SECRET_KEY_BASE: "{{ .Values.mastodon.secrets.secret_key_base | b64enc }}"
{{- else }}
SECRET_KEY_BASE: {{ required "secret_key_base is required" .Values.mastodon.secrets.secret_key_base }}
{{- end }}
{{- if not (empty .Values.mastodon.secrets.otp_secret) }}
OTP_SECRET: "{{ .Values.mastodon.secrets.otp_secret | b64enc }}"
{{- else }}
OTP_SECRET: {{ required "otp_secret is required" .Values.mastodon.secrets.otp_secret }}
{{- end }}
{{- if not (empty .Values.mastodon.secrets.vapid.private_key) }}
VAPID_PRIVATE_KEY: "{{ .Values.mastodon.secrets.vapid.private_key | b64enc }}"
{{- else }}
VAPID_PRIVATE_KEY: {{ required "vapid.private_key is required" .Values.mastodon.secrets.vapid.private_key }}
{{- end }}
{{- if not (empty .Values.mastodon.secrets.vapid.public_key) }}
VAPID_PUBLIC_KEY: "{{ .Values.mastodon.secrets.vapid.public_key | b64enc }}"
{{- else }}
VAPID_PUBLIC_KEY: {{ required "vapid.public_key is required" .Values.mastodon.secrets.vapid.public_key }}
{{- end }}
{{- end }}
{{- if not .Values.postgresql.enabled }}
{{- if not .Values.postgresql.auth.existingSecret }}
password: "{{ .Values.postgresql.auth.password | b64enc }}"
{{- end }}
{{- end }}
{{- include "mastodon.secrets.object" . }}
{{- end }}


@@ -11,6 +11,7 @@ spec:
targetPort: streaming
protocol: TCP
name: streaming
ipFamilyPolicy: PreferDualStack
selector:
{{- include "mastodon.selectorLabels" . | nindent 4 }}
app.kubernetes.io/component: streaming
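Review bot: `ipFamilyPolicy: PreferDualStack` is hard-coded into the streaming Service spec, so operators who need `SingleStack` or `RequireDualStack` cannot set it from values; the web Service hunk in this change makes the same addition. Rendering it from a value with this default, e.g. `ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy | default "PreferDualStack" }}` (the key name is a suggestion, not one present in values.yaml here), keeps current behaviour while making it configurable. The Service spec begins outside the hunk.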


@@ -11,6 +11,7 @@ spec:
targetPort: http
protocol: TCP
name: http
ipFamilyPolicy: PreferDualStack
selector:
{{- include "mastodon.selectorLabels" . | nindent 4 }}
app.kubernetes.io/component: web


@@ -0,0 +1,107 @@
{{- if and .Values.mastodon.metrics.statsd.exporter.enabled (not .Values.mastodon.metrics.statsd.address) }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "mastodon.fullname" . }}-statsd-mappings
labels:
{{- include "mastodon.labels" . | nindent 4 }}
data:
mastodon-statsd-mappings.yml: |-
## From https://ipng.ch/assets/mastodon/statsd-mapping.yaml
## Prometheus Statsd Exporter mapping for Mastodon 4.0+
##
## Version 1.0, November 2022
##
## Documentation: https://ipng.ch/s/articles/2022/11/27/mastodon-3.html
mappings:
## Web collector
- match: Mastodon\.production\.web\.(.+)\.(.+)\.(.+)\.status\.(.+)
match_type: regex
name: "mastodon_controller_status"
labels:
controller: $1
action: $2
format: $3
status: $4
mastodon: "web"
- match: Mastodon\.production\.web\.(.+)\.(.+)\.(.+)\.db_time
match_type: regex
name: "mastodon_controller_db_time"
labels:
controller: $1
action: $2
format: $3
mastodon: "web"
- match: Mastodon\.production\.web\.(.+)\.(.+)\.(.+)\.view_time
match_type: regex
name: "mastodon_controller_view_time"
labels:
controller: $1
action: $2
format: $3
mastodon: "web"
- match: Mastodon\.production\.web\.(.+)\.(.+)\.(.+)\.total_duration
match_type: regex
name: "mastodon_controller_duration"
labels:
controller: $1
action: $2
format: $3
mastodon: "web"
## Database collector
- match: Mastodon\.production\.db\.tables\.(.+)\.queries\.(.+)\.duration
match_type: regex
name: "mastodon_db_operation"
labels:
table: "$1"
operation: "$2"
mastodon: "db"
## Cache collector
- match: Mastodon\.production\.cache\.(.+)\.duration
match_type: regex
name: "mastodon_cache_duration"
labels:
operation: "$1"
mastodon: "cache"
## Sidekiq collector
- match: Mastodon\.production\.sidekiq\.(.+)\.processing_time
match_type: regex
name: "mastodon_sidekiq_worker_processing_time"
labels:
worker: "$1"
mastodon: "sidekiq"
- match: Mastodon\.production\.sidekiq\.(.+)\.success
match_type: regex
name: "mastodon_sidekiq_worker_success_total"
labels:
worker: "$1"
mastodon: "sidekiq"
- match: Mastodon\.production\.sidekiq\.(.+)\.failure
match_type: regex
name: "mastodon_sidekiq_worker_failure_total"
labels:
worker: "$1"
mastodon: "sidekiq"
- match: Mastodon\.production\.sidekiq\.queues\.(.+)\.enqueued
match_type: regex
name: "mastodon_sidekiq_queue_enqueued"
labels:
queue: "$1"
mastodon: "sidekiq"
- match: Mastodon\.production\.sidekiq\.queues\.(.+)\.latency
match_type: regex
name: "mastodon_sidekiq_queue_latency"
labels:
queue: "$1"
mastodon: "sidekiq"
- match: Mastodon\.production\.sidekiq\.(.+)
match_type: regex
name: "mastodon_sidekiq_$1"
labels:
mastodon: "sidekiq"
{{- end }}
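Review bot: This ConfigMap wires a statsd_exporter mapping for a feature that values.yaml in the same change marks as removed (`# NOTE: This feature was dropped in v4.3.0, and will not work for any versions beyond this.`), while the default image tag is now empty and falls back to `.Chart.AppVersion`; a header comment on this template pointing at that note, or a render-time warning when `metrics.statsd.exporter.enabled` is true, would stop users from enabling a sidecar that never receives data. Separately, the capture references are quoted inconsistently (`controller: $1` versus `table: "$1"`); both parse as strings inside the block scalar, but one style throughout would read cleaner.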


@@ -6,11 +6,16 @@ image:
# built from the most recent commit
#
# tag: latest
tag: "v4.1.2"
tag: ""
# use `Always` when using `latest` tag
pullPolicy: IfNotPresent
mastodon:
# Labels added to every Mastodon-related object
labels: {}
# Labes added to every deployed mastodon pod
podLabels: {}
# -- create an initial administrator user; the password is autogenerated and will
# have to be reset
createAdmin:
@@ -19,7 +24,84 @@ mastodon:
# @ignored
username: not_gargron
# @ignored
password: not_gargron
# @ignored
email: not@example.com
# Node(s) on which we will deploy this job
nodeSelector: {}
hooks:
# Whether to perform DB schema creation on `helm install`.
# Please note that this does not work when using the included database
# (postgresql.enabled=true).
# NOTE: When using certain GitOps solutions such as Argo CD, this should be
# disabled, as these apps do not necessarily differentiate between `pre-install`
# and `pre-upgrade`.
dbPrepare:
enabled: true
# Node(s) on which we will deploy this job
nodeSelector: {}
# Whether to perform DB migrations on `helm upgrade`.
dbMigrate:
enabled: true
# Node(s) on which we will deploy this job
nodeSelector: {}
# WARNING: deploySearch is potentially a very expensive job!
# Only enable this once at a time, when you deploy elasticsearch or when
# the upgrade notes for a new mastodon version request rebuilding search.
# Recommended use is via `-f mastodon.hooks.deploySearch.enabled=true`
# to ensure the job is only dispatched for a single upgrade when required.
# This job may take days to run on very large instances. Even small
# instances may take long enough to trigger helm's completion timeout, so
# DO NOT PANIC if helm complains; simply verify the job is still running.
#
# Builds or rebuilds the elasticsearch indices via `tootctl deploy search`
# with timing hooks to ensure the job runs immediately after install/upgrade
# and will be restarted if another, corrective upgrade is triggered.
# Please check the tootctl documentation and upgrade notes to pick values.
#
# NOTE: The resource stanza set below is intentionally very conservative.
# Consider assigning a liberal chunk of your cluster's typical headroom.
deploySearch:
enabled: false
resetChewy: true
# one index name. Possible values: instances, accounts, tags, statuses, public_statuses
only: ""
concurrency: 5
resources: # this accepts any keys in a full container resources stanza.
requests:
cpu: 250m
memory: 256Mi
limits:
cpu: 500m
# Upload website assets to S3 before deploying using rclone.
# Whenever there is an update to Mastodon, sometimes there are assets files
# that are renamed. As the pods are getting redeployed, and old/new pods are
# present simultaneously, there is a chance that old asset files are
# requested from pods that don't have them anymore, or new asset files are
# requested from old pods. Uploading asset files to S3 in this manner solves
# this potential conflict.
# Note that you will need to CDN/proxy to send all requests to /assets and
# /packs to this bucket.
s3Upload:
enabled: false
endpoint:
bucket:
acl: public-read
secretRef:
name:
keys:
accesKeyId: acces-key-id
secretAccessKey: secret-access-key
rclone:
# Any additional environment variables to pass to rclone.
env: {}
# Node(s) on which we will deploy this job
nodeSelector: {}
# Custom labels to add to kubernetes resources
#labels:
cron:
# -- run `tootctl media remove` every week
removeMedia:
@@ -27,18 +109,31 @@ mastodon:
enabled: true
# @ignored
schedule: "0 0 * * 0"
# Node(s) on which we will deploy this job
nodeSelector: {}
# Sets the default locale for this server.
# NOTICE: This will force this locale on every user who is not logged in, and
# the instance will no longer do any local detection for clients.
# -- available locales: https://github.com/mastodon/mastodon/blob/main/config/application.rb#L71
locale: en
locale:
local_domain: mastodon.local
# -- Use of WEB_DOMAIN requires careful consideration: https://docs.joinmastodon.org/admin/config/#federation
# You must redirect the path LOCAL_DOMAIN/.well-known/ to WEB_DOMAIN/.well-known/ as described
# Example: mastodon.example.com
web_domain: null
# -- If you have multiple domains pointed at your Mastodon server, this setting will allow Mastodon to recognize
# itself when users are addressed using those other domains.
alternate_domains: []
# -- Comma-separated list of public IP addresses of trusted reverse proxy servers reaching Mastodon web and streaming servers
# Specifying overrides default list. More info: https://docs.joinmastodon.org/admin/config/#trusted_proxy_ip
# trusted_proxy_ip:
# -- If set to true, the frontpage of your Mastodon server will always redirect to the first profile in the database and registrations will be disabled.
singleUserMode: false
# -- Enables "Secure Mode" for more details see: https://docs.joinmastodon.org/admin/config/#authorized_fetch
authorizedFetch: false
# -- Enables "Limited Federation Mode" for more detauls see: https://docs.joinmastodon.org/admin/config/#limited_federation_mode
# -- Enables "Limited Federation Mode" for more details see: https://docs.joinmastodon.org/admin/config/#limited_federation_mode
limitedFederationMode: false
persistence:
assets:
@@ -49,11 +144,15 @@ mastodon:
resources:
requests:
storage: 10Gi
# -- name of existing persistent volume claim to use for assets
existingClaim:
system:
accessMode: ReadWriteOnce
resources:
requests:
storage: 100Gi
# -- name of existing persistent volume claim to use for system
existingClaim:
s3:
enabled: false
access_key: ""
@@ -68,6 +167,24 @@ mastodon:
permission: ""
# -- If you have a caching proxy, enter its base URL here.
alias_host: ""
# When uploading data to S3, if the number of bytes to send exceedes
# multipart_threshold then a multi part session is automatically started
# and the data is sent up in chunks. Defaults to 16777216 (16MB).
multipart_threshold: ""
# -- Set this to true if the storage provider uses domain style 'bucket.endpoint' naming
# override_path_style: "true"
deepl:
enabled: false
plan:
apiKeySecretRef:
name:
key:
hcaptcha:
enabled: false
siteId:
secretKeySecretRef:
name:
key:
# these must be set manually; autogenerated keys are rotated on each upgrade
secrets:
secret_key_base: ""
@@ -75,10 +192,25 @@ mastodon:
vapid:
private_key: ""
public_key: ""
activeRecordEncryption:
primaryKey: ""
deterministicKey: ""
keyDerivationSalt: ""
# -- you can also specify the name of an existing Secret
# with keys SECRET_KEY_BASE and OTP_SECRET and
# VAPID_PRIVATE_KEY and VAPID_PUBLIC_KEY
# with keys:
# - SECRET_KEY_BASE
# - OTP_SECRET
# - VAPID_PRIVATE_KEY
# - VAPID_PUBLIC_KEY
# - ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
# - ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY
# - ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
existingSecret: ""
# -- The number of old revisions to keep for each Deployment in Kubernetes.
# See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy
revisionHistoryLimit: 2
sidekiq:
# -- Pod security context for all Sidekiq Pods, overwrites .Values.podSecurityContext
podSecurityContext: {}
@@ -88,31 +220,89 @@ mastodon:
resources: {}
# -- Affinity for all Sidekiq Deployments unless overwritten, overwrites .Values.affinity
affinity: {}
# Node(s) on which we will deploy sidekiq in general
# Any worker-specific configuration will override this setting.
nodeSelector: {}
# -- Annotations to apply to the deployment object(s) for sidekiq.
# -- These are applied in addition to deploymentAnnotations.
annotations: {}
# -- Labels to apply to the deployment object(s) for sidekiq.
# -- These are applied in addition to mastodon.labels.
labels: {}
# -- Annotations to apply to the sidekiq pods.
# -- These are applied in addition to the global podAnnotations.
podAnnotations: {}
# -- Labels to apply to the sidekiq pods.
# -- These are applied in addition to mastodon.labels.
podLabels: {}
# Rollout strategy to use when updating pods.
# Recreate will help reduce the number of retried jobs when updating when
# the code introduces a new job as the pods are all replaced immediately.
# RollingUpdate can help with larger clusters if job retries aren't an
# issue, as it will reduce strain by replacing pods more slowly. It is
# strongly recommended to enable the readinessProbe when using RollingUpdate.
# ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
updateStrategy:
type: Recreate
# Readiness probe configuration
# NOTE: Readiness probe will only work on versions of Mastodon built after 2024-07-10.
readinessProbe:
enabled: false
path: /opt/mastodon/tmp/sidekiq_process_has_started_and_will_begin_processing_jobs
initialDelaySeconds: 10
periodSeconds: 2
successThreshold: 1
timeoutSeconds: 1
# -- Topology spread constraints for Sidekiq Pods, overwrites .Values.topologySpreadConstraints
topologySpreadConstraints: {}
# limits:
# cpu: "1"
# memory: 768Mi
# requests:
# cpu: 250m
# memory: 512Mi
# Open Telemetry configuration for sidekiq pods. Overrides global settings.
otel:
enabled:
exporterUri:
namePrefix:
nameSeparator:
workers:
- name: all-queues
# -- Number of threads / parallel sidekiq jobs that are executed per Pod
concurrency: 25
# -- Number of Pod replicas deployed by the Deployment
replicas: 1
# -- Resources for this specific deployment to allow optimised scaling, overwrites .Values.mastodon.sidekiq.resources
resources: {}
# -- Affinity for this specific deployment, overwrites .Values.affinity and .Values.mastodon.sidekiq.affinity
affinity: {}
# -- Sidekiq queues for Mastodon that are handled by this worker. See https://docs.joinmastodon.org/admin/scaling/#concurrency
# See https://github.com/mperham/sidekiq/wiki/Advanced-Options#queues for how to weight queues as argument
queues:
- default,8
- push,6
- ingress,4
- mailers,2
- pull
- scheduler # Make sure the scheduler queue only exists once and with a worker that has 1 replica.
- name: all-queues
# -- Number of threads / parallel sidekiq jobs that are executed per Pod
concurrency: 25
# -- Number of Pod replicas deployed by the Deployment
replicas: 1
# -- Resources for this specific deployment to allow optimised scaling, overwrites .Values.mastodon.sidekiq.resources
resources: {}
# -- Affinity for this specific deployment, overwrites .Values.affinity and .Values.mastodon.sidekiq.affinity
affinity: {}
# -- Node(s) on which we will deploy this sidekiq worker
nodeSelector: {}
# -- Topology spread constraints for this specific deployment, overwrites .Values.topologySpreadConstraints and .Values.mastodon.sidekiq.topologySpreadConstraints
topologySpreadConstraints: {}
# -- Sidekiq queues for Mastodon that are handled by this worker. See https://docs.joinmastodon.org/admin/scaling/#concurrency
# See https://github.com/mperham/sidekiq/wiki/Advanced-Options#queues for how to weight queues as argument
queues:
- default,8
- push,6
- ingress,4
- mailers,2
- pull
- scheduler # Make sure the scheduler queue only exists once and with a worker that has 1 replica.
- fasp
image:
repository:
tag:
# allows you to mount a custom database.yml from a configmap
# please note that we do not advise using a read-only replica for sidekiq workers
customDatabaseConfigYml:
configMapRef:
name:
key:
#- name: push-pull
# concurrency: 50
# resources: {}
@@ -135,8 +325,9 @@ mastodon:
ca_file: /etc/ssl/certs/ca-certificates.crt
delivery_method: smtp
domain:
enable_starttls: 'auto'
enable_starttls: "auto"
from_address: notifications@example.com
return_path:
openssl_verify_mode: peer
port: 587
reply_to:
@@ -147,7 +338,35 @@ mastodon:
# -- Instead of defining login/password above, you can specify the name of an existing secret here. Login and
# password must be located in keys named `login` and `password` respectively.
existingSecret:
# Configuration for bulk/broadcast messages.
# Some transactional email providers require customers to use a separate set
# of SMTP credentials to send emails that are not transactional in nature.
# For more information, refer to the docs:
# https://docs.joinmastodon.org/admin/config/#optional-bulk-email-settings
bulk:
enabled: false
auth_method: plain
ca_file: /etc/ssl/certs/ca-certificates.crt
domain:
enable_starttls: "auto"
from_address: notifications@example.com
openssl_verify_mode: peer
port: 587
server: smtp.mailgun.org
tls:
login:
password:
# -- Instead of defining login/password above, you can specify the name of an existing secret here. Login and
# password must be located in keys named `login` and `password` respectively.
existingSecret:
streaming:
image:
# streaming image split in Mastodon v4.3.0
repository: ghcr.io/mastodon/mastodon-streaming
# other options: `latest` for the latest release or `edge` for most recent commit
tag: ""
port: 4000
# -- this should be set manually since os.cpus() returns the number of CPUs on
# the node running the pod, which is unrelated to the resources allocated to
@@ -160,6 +379,29 @@ mastodon:
replicas: 1
# -- Affinity for Streaming Pods, overwrites .Values.affinity
affinity: {}
# -- Node(s) on which we will deploy the streaming pods
nodeSelector: {}
# -- Annotations to apply to the deployment object for streaming.
# -- These are applied in addition to deploymentAnnotations.
annotations: {}
# -- Labels to apply to the deployment object for streaming.
# -- These are applied in addition to mastodon.labels.
labels: {}
# -- Annotations to apply to the streaming pods.
# -- These are applied in addition to the global podAnnotations.
podAnnotations: {}
# -- Labels to apply to the streaming pods.
# -- These are applied in addition to mastodon.labels.
podLabels: {}
# Rollout strategy to use when updating pods
# ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
updateStrategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 10%
maxUnavailable: 25%
# -- Topology spread constraints for Streaming Pods, overwrites .Values.topologySpreadConstraints
topologySpreadConstraints: {}
# -- Pod Security Context for Streaming Pods, overwrites .Values.podSecurityContext
podSecurityContext: {}
# -- (Streaming Container) Security Context for Streaming Pods, overwrites .Values.securityContext
@@ -172,12 +414,54 @@ mastodon:
# requests:
# cpu: 250m
# memory: 128Mi
# -- PodDisruptionBudget configuration - See https://kubernetes.io/docs/tasks/run-application/configure-pdb/
pdb:
enable: false
# minAvailable: 1
# maxUnavailable: 1
# -- Puma-specific options. Below values are based on default behavior in
# config/puma.rb when no custom values are provided.
# -- Self-signed certificate(s) the (Node.js) needs to trust to connect to e.g. the database
extraCerts: {}
# -- Secret containing a key "ca.crt" holding one or more root certificates in PEM format
# existingSecret:
# -- Optional volume name for mounting the .crt file, defaults to "extra-certs"
# name:
# -- Optional sslMode setting. See nodejs's SSL_MODE. Consider "no-verify"
# sslMode:
# Specify extra environment variables to be added to streaming pods.
extraEnvVars: {}
web:
port: 3000
# -- Number of Web Pods running
replicas: 1
# -- Affinity for Web Pods, overwrites .Values.affinity
affinity: {}
# -- Node(s) on which we will deploy the web pods
nodeSelector: {}
# -- Annotations to apply to the deployment object for web.
# -- These are applied in addition to deploymentAnnotations.
annotations: {}
# -- Labels to apply to the deployment object for web.
# -- These are applied in addition to mastodon.labels.
labels: {}
# -- Annotations to apply to the web pods.
# -- These are applied in addition to the global podAnnotations.
podAnnotations: {}
# -- Labels to apply to the web pods.
# -- These are applied in addition to mastodon.labels.
podLabels: {}
# Rollout strategy to use when updating pods
# ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
updateStrategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 10%
maxUnavailable: 25%
# -- Topology spread constraints for Web Pods, overwrites .Values.topologySpreadConstraints
topologySpreadConstraints: {}
# -- Pod Security Context for Web Pods, overwrites .Values.podSecurityContext
podSecurityContext: {}
# -- (Web Container) Security Context for Web Pods, overwrites .Values.securityContext
@@ -190,21 +474,99 @@ mastodon:
# requests:
# cpu: 250m
# memory: 768Mi
# -- PodDisruptionBudget configuration - See https://kubernetes.io/docs/tasks/run-application/configure-pdb/
pdb:
enable: false
# minAvailable: 1
# maxUnavailable: 1
# -- Puma-specific options. Below values are based on default behavior in
# config/puma.rb when no custom values are provided.
minThreads: "5"
maxThreads: "5"
workers: "2"
persistentTimeout: "20"
image:
repository:
tag:
# allows you to mount a custom database.yml from a configmap
# for example if you want to use a read-only replica
customDatabaseConfigYml:
configMapRef:
name:
key:
# Open Telemetry configuration for web pods. Overrides global settings.
otel:
enabled:
exporterUri:
namePrefix:
nameSeparator:
# HTTP cache buster configuration.
# See the documentation for more information about this feature:
# https://docs.joinmastodon.org/admin/config/#http-cache-buster
cacheBuster:
enabled: false
httpMethod: "GET"
# If the cache service requires authentication, specify the header name and
# secret/token here.
authHeader:
authToken:
existingSecret:
metrics:
# NOTE: This feature was dropped in v4.3.0, and will not work for any versions beyond this.
statsd:
# -- Enable statsd publishing via STATSD_ADDR environment variable
address: ""
# -- Alternatively, you can use this to have a statsd_exporter sidecar container running along all Mastodon containers and exposing metrics in OpenMetric/Prometheus format on each pod
# Please note the exporter will not be enabled if metrics.statsd.address is not empty
exporter:
enabled: false
port: 9102
# Settings for Prometheus metrics.
# For more information, see:
# https://docs.joinmastodon.org/admin/config/#prometheus
prometheus:
enabled: false
# Port for the exporter to listen on
port: 9394
# Prometheus for web pods
web:
# Collect per-controller/action metrics for every request
detailed: false
# Prometheus for sidekiq pods
sidekiq:
# Collect per-job metrics for every job
detailed: false
# Open Telemetry configuration for all deployments. Component-specific
# configuration will override these values.
otel:
enabled: false
exporterUri:
namePrefix: mastodon
nameSeparator: "-"
# Sets the PREPARED_STATEMENTS environment variable: https://docs.joinmastodon.org/admin/config/#prepared_statements
preparedStatements: true
# Specify extra environment variables to be added to all Mastodon pods.
# These can be used for configuration not included in this chart (including configuration for Mastodon varietals.)
extraEnvVars: {}
# Alternatively specify extra environment variables stored in a ConfigMap.
# The specified ConfigMap should contain the additional environment variables in key-value format.
# extraEnvFrom: <config-map-name>
ingress:
enabled: true
annotations:
@@ -225,32 +587,97 @@ ingress:
hosts:
- host: mastodon.local
paths:
- path: '/'
- path: "/"
tls:
- secretName: mastodon-tls
hosts:
- mastodon.local
# -- https://github.com/bitnami/charts/tree/master/bitnami/elasticsearch#parameters
# This allows you to have a separate ingress for streaming
# When enabled, the main ingress will no longer handle streaming requests.
# You will also need to configure mastodon.streaming.base_url accordingly
streaming:
enabled: false
annotations:
ingressClassName:
hosts:
- host: streaming.mastodon.local
paths:
- path: "/"
tls:
- secretName: mastodon-tls
hosts:
- streaming.mastodon.local
# Configuration for Elasticsearch.
# When enabled, the bitnami helm chart is used for Elasticsearch deployment, and
# all values here correspond to their values file. Please see the bitnami chart
# documentation:
# https://github.com/bitnami/charts/tree/master/bitnami/elasticsearch#parameters
#
# Please note that we recommend using your own deployment for better management.
elasticsearch:
# `false` will disable full-text search
# Elasticsearch is powering full-text search. It is optional.
# `false` will not install Elasticsearch as part of this chart
#
# if you enable ES after the initial install, you will need to manually run
# RAILS_ENV=production bundle exec rake chewy:sync
# (https://docs.joinmastodon.org/admin/optional/elasticsearch/)
# @ignored
enabled: true
# @ignored
image:
tag: 7
# If you are using an external ES cluster, use `enabled: false` and set the hostname, port,
# and whether the cluster uses TLS.
# hostname:
# port: 9200
# tls: true
# preset: single_node_cluster
# This is optional, use it if you ES cluster requires authentication
# user:
# Name of an existing secret with a password key
# existingSecret:
# -- Node(s) on which we will deploy the various elasticsearch pods
master:
nodeSelector: {}
data:
nodeSelector: {}
coordinating:
nodeSelector: {}
ingest:
nodeSelector: {}
metrics:
nodeSelector: {}
# Configuration for PostgreSQL.
# When enabled, the bitnami helm chart is used for PostgreSQL deployment, and
# all values here correspond to their values file. Please see the bitnami chart
# documentation:
# https://github.com/bitnami/charts/tree/master/bitnami/postgresql#parameters
#
# Please note that we recommend using your own deployment for better management.
postgresql:
# -- disable if you want to use an existing db; in which case the values below
# must match those of that external postgres instance
# must match those of that external postgres instance.
# Please note that certain features do not work when enabling the included
# database, namely automatic schema creation when the app is first installed.
enabled: true
# postgresqlHostname: preexisting-postgresql
# postgresqlPort: 5432
# If using a connection pooler such as pgbouncer, please specify a hostname/IP
# that serves as a "direct" connection to the database, rather than going
# through the connection pooler. This is required for migrations to work
# properly.
direct:
hostname:
port:
database:
auth:
database: mastodon_production
username: mastodon
@@ -266,7 +693,36 @@ postgresql:
# with a key of password set to the password you want
existingSecret: ""
# Options for a read-only replica.
# If enabled, mastodon uses existing defaults for postgres for these values as well.
# NOTE: This feature is only available on Mastodon v4.2+
# Documentation for more information on this feature:
# https://docs.joinmastodon.org/admin/scaling/#read-replicas
readReplica:
hostname:
port:
auth:
database:
username:
password:
existingSecret:
# -- Node(s) on which we will deploy the various database pods
primary:
nodeSelector: {}
readReplicas:
nodeSelector: {}
backup:
cronjob:
nodeSelector: {}
# Configuration for Redis.
# When enabled, the bitnami helm chart used for Redis deployment, and all values
# here correspond to their values file. Please see the bitnami chart
# documentation:
# https://github.com/bitnami/charts/tree/master/bitnami/redis#parameters
#
# Please note that we recommend using your own deployment for better management.
redis:
# disable if you want to use an existing redis instance; in which case the
# values below must match those of that external redis instance
@@ -277,9 +733,46 @@ redis:
# -- you must set a password; the password generated by the redis chart will be
# rotated on each upgrade:
password: ""
# setting password for an existing redis instance will store it in a new Secret
# you can also specify the name of an existing Secret
# with a key of redis-password set to the password you want
# existingSecret: ""
replica:
replicaCount: 0
# Configuration for a separate redis instance only for sidekiq processing.
# If enabled, any values not specified will be copied from the base config.
# If set to false, the main redis instance will be used, and all values will
# be ignored.
sidekiq:
enabled: false
hostname: ""
port: 6379
auth:
password: ""
# you can also specify the name of an existing Secret
# with a key of redis-password set to the password you want
existingSecret: ""
# Configuration for a separate redis instance only for cache.
# If enabled, any values not specified will be copied from the base config.
# If set to false, the main redis instance will be used, and all values will
# be ignored.
cache:
enabled: false
hostname: ""
port: 6379
auth:
password: ""
# you can also specify the name of an existing Secret
# with a key of redis-password set to the password you want
existingSecret: ""
# -- Node(s) on which we will deploy the various redis pods
master:
nodeSelector: {}
replica:
nodeSelector: {}
# @ignored
service:
@@ -407,20 +900,25 @@ serviceAccount:
# If not set and create is true, a name is generated using the fullname template
name: ""
# Custom annotations to apply to all created mastodon deployment objects. These
# can be used to help mastodon interact with other services in the cluster.
deploymentAnnotations: {}
# -- Kubernetes manages pods for jobs and pods for deployments differently, so you might
# need to apply different annotations to the two different sets of pods. The annotations
# set with podAnnotations will be added to all deployment-managed pods.
# set with podAnnotations will be added to all mastodon deployment-managed pods.
podAnnotations: {}
# If set to true, an annotation with the current chart release number will be added to all mastodon pods. This will
# cause all pods to be recreated every `helm upgrade` regardless of whether their config or spec changes.
revisionPodAnnotation: true
# The annotations set with jobAnnotations will be added to all job pods.
# The annotations set with jobAnnotations will be added to all mastodon job pods
jobAnnotations: {}
# -- Default resources for all Deployments and jobs unless overwritten
resources: {}
# -- Default resources for all mastodon Deployments and jobs unless overwritten
resources:
{}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
@@ -432,11 +930,28 @@ resources: {}
# cpu: 100m
# memory: 128Mi
# @ignored
nodeSelector: {}
# @ignored
tolerations: []
# -- Affinity for all pods unless overwritten
# -- Affinity for all mastodon pods unless overwritten
affinity: {}
# Node(s) on which we will deploy all resources.
# Any node selectors specified for individual resources will override this
# setting.
nodeSelector: {}
# -- Timezone for all mastodon pods unless overwritten
timezone: UTC
# -- Topology Spread Constraints for all mastodon pods unless overwritten
# Please note that you need to use `matchLabelKeys` (Kubernetes 1.25+) if you
# want to spread each deployment independently, or override topologySpreadConstraints
# for each deployment
topologySpreadConstraints: {}
# Default volume mounts for all mastodon pods
volumeMounts: []
# Default volumes for all mastodon pods
volumes: []


@@ -14,7 +14,7 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
version: 0.1.3
version: 0.1.4
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application.


@@ -9,8 +9,8 @@ persistence:
opendkim:
image:
repository: registry.geekhome.org/ghp/opendkim
tag: 2.11.0-1
repository: gitea.geekhome.org/ghp/opendkim
tag: 2.11.0-2
pullPolicy: Always
configmaps:
opendkim: |


@@ -14,8 +14,8 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
version: 0.1.3
version: 0.1.4
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application.
appVersion: 1.4.1.1
appVersion: 1.4.2


@@ -9,8 +9,8 @@ persistence:
opendmarc:
image:
repository: registry.geekhome.org/ghp/opendmarc
tag: 1.4.1.1-1
repository: gitea.geekhome.org/ghp/opendmarc
tag: 1.4.2-2
pullPolicy: Always
configmaps:
opendmarc: |


@@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/


@@ -0,0 +1,7 @@
apiVersion: v2
appVersion: 4.14.0
description: OpenShift Cluster Console UI
icon: https://avatars0.githubusercontent.com/u/792337?s=200&v=4
name: openshift-console
type: application
version: 0.3.7


@@ -0,0 +1,75 @@
# OpenShift Console (Bridge)
[Bridge](https://github.com/openshift/console) is the OpenShift console.
## TL;DR
```console
$ helm repo add av1o https://av1o.gitlab.io/charts
$ helm install bridge av1o/openshift-console
```
## Introduction
This chart bootstraps a deployment of the OpenShift Console on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
The OpenShift Console is designed for running on OpenShift, however it works perfectly fine in native Kubernetes. Since the Console is unable to use the default OpenShift OAuth2, this chart is expecting a Dex deployment which is configured to generate OIDC tokens for the Kubernetes API server.
This behaviour can be configured with the `extraEnv` map.
## Prerequisites
- Kubernetes 1.12+
- Helm 3
## Installing the Chart
To install the chart with the release name `my-release`:
```console
$ helm install my-release av1o/openshift-console
```
The command deploys the console on the Kubernetes cluster in the default configuration.
> **Tip**: List all releases using `helm list`
## Uninstalling the Chart
To uninstall/delete the `my-release` deployment:
```console
$ helm delete my-release
```
## Parameters
The following table lists the configurable parameters of the OpenShift Console chart and their default values.
| Parameter | Description | Default |
|--------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------|
| `replicaCount` | Number of pods to run | 1 |
| `image.registry` | Docker image registry | `quay.io` |
| `image.repository` | Docker image name | `openshift/origin-console` |
| `image.pullPolicy` | Docker image pull policy | `IfNotPresent` |
| `image.tag` | Docker image tag | `${CHART_VERSION}` |
| `imagePullSecrets` | Specify Image pull secrets | `[]` |
| `podAnnotations` | Map of annotations to add to the pods | See `values.yaml` |
| `podSecurityContext` | Map of security context to add to the pod | See `values.yaml` |
| `securityContext` | Map of security context to add to the container | See `values.yaml` |
| `service.type` | Service type | `ClusterIP` |
| `extraEnv` | Map of environment variables to include in the container | `{}` |
| `console.dex.host` | HTTP(S) address of the Dex instance | `https://dex.example.org` |
| `console.baseUrl` | HTTP(S) address of the Console | `https://console.example.org` |
| `console.impersonateOpenShift` | Install CRDs to trick the Console into showing some OpenShift-exclusive actions which work on Kubernetes. Note: requires `cluster-admin` | `false` |
| `console.oidc.enabled` | Enable OIDC authentication | `true` |
| `console.oidc.issuerUrl` | Issuer of the OIDC server | `https://dex.example.org` |
| `console.oidc.clientId` | OIDC client ID | `kubernetes` |
| `console.oidc.clientSecret` | OIDC client secret | `hunter2` |
| `rbac.enabled` | Install RBAC to trick the Console into behaving closer to how OpenShift does. Required `cluster-admin` and `console.impersonateOpenShift=true` | `false` |
| `ingress.className` | IngressClass resource to use. | |
| `sidecars` | Arbitrary sidecars to include as-is | `[]` |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
### Version `0.2.X`
Version `0.2.0` and above require the `networking.k8s.io/v1` API for Ingress which is available in Kubernetes 1.19 and above.


@@ -0,0 +1,4 @@
hostAliases:
- ip: "127.0.0.1"
hostnames:
- "kubernetes.default.svc"


@@ -0,0 +1,7 @@
sidecars:
- name: your-image-name
image: your-image
imagePullPolicy: Always
ports:
- name: portname
containerPort: 1234


@@ -0,0 +1,21 @@
1. Get the application URL by running these commands:
{{- if .Values.ingress.enabled }}
{{- range $host := .Values.ingress.hosts }}
{{- range .paths }}
http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ . }}
{{- end }}
{{- end }}
{{- else if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "openshift-console.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "openshift-console.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "openshift-console.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
echo http://$SERVICE_IP:{{ .Values.service.port }}
{{- else if contains "ClusterIP" .Values.service.type }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "openshift-console.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
echo "Visit http://127.0.0.1:8080 to use your application"
kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:80
{{- end }}
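Review bot: The ClusterIP branch port-forwards to container port 80 (`kubectl ... port-forward $POD_NAME 8080:80`), but the deployment template exposes `containerPort: {{ .Values.service.port }}` (9000 in the default values), so the printed instructions point at a port nothing listens on. Use the same value the deployment and the LoadBalancer branch already use: `kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:{{ .Values.service.port }}`. The `echo` line above it can stay as is since the local side remains 8080.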


@@ -0,0 +1,75 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "openshift-console.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "openshift-console.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "openshift-console.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "openshift-console.labels" -}}
helm.sh/chart: {{ include "openshift-console.chart" . }}
{{ include "openshift-console.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "openshift-console.selectorLabels" -}}
app.kubernetes.io/name: {{ include "openshift-console.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "openshift-console.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "openshift-console.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Renders a value that contains template.
Usage:
{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }}
*/}}
{{- define "common.tplvalues.render" -}}
{{- if typeIs "string" .value }}
{{- tpl .value .context }}
{{- else }}
{{- tpl (.value | toYaml) .context }}
{{- end }}
{{- end -}}


@@ -0,0 +1,21 @@
{{- if .Values.console.impersonateOpenShift }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: apps.apps.openshift.io
spec:
group: apps.openshift.io
versions:
- name: v1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties: {}
scope: Namespaced
names:
plural: apps
singular: app
kind: OpenShift
{{- end }}


@@ -0,0 +1,124 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "openshift-console.fullname" . }}
labels:
{{- with .Values.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- include "openshift-console.labels" . | nindent 4 }}
annotations:
{{- toYaml .Values.annotations | nindent 4 }}
spec:
{{- if not .Values.autoscaling.enabled }}
replicas: {{ .Values.replicaCount }}
{{- end }}
selector:
matchLabels:
{{- include "openshift-console.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- with .Values.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- include "openshift-console.selectorLabels" . | nindent 8 }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
serviceAccountName: {{ include "openshift-console.serviceAccountName" . }}
{{- if .Values.podSecurityContext.enabled }}
securityContext:
{{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
{{- end }}
volumes:
{{- if .Values.volumes }}
{{- range .Values.volumes }}
- name: {{ .name }}
{{ toYaml .config | indent 10 }}
{{- end }}
{{- end }}
{{- with .Values.hostAliases }}
hostAliases:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
{{- if .Values.securityContext.enabled }}
securityContext:
{{- omit .Values.securityContext "enabled" | toYaml | nindent 12 }}
{{- end }}
image: "{{ .Values.image.registry}}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
env:
- name: BRIDGE_DOCUMENTATION_BASE_URL
value: https://kubernetes.io/docs/
- name: BRIDGE_DEX_API_HOST
value: {{ .Values.console.dex.host }}
- name: BRIDGE_BASE_ADDRESS
value: {{ .Values.console.baseUrl }}
{{- if .Values.console.oidc.enabled }}
- name: BRIDGE_USER_AUTH
value: oidc
- name: BRIDGE_K8S_AUTH
value: oidc
- name: BRIDGE_USER_AUTH_OIDC_ISSUER_URL
value: {{ .Values.console.oidc.issuerUrl }}
- name: BRIDGE_USER_AUTH_OIDC_CLIENT_ID
value: {{ .Values.console.oidc.clientId }}
- name: BRIDGE_USER_AUTH_OIDC_CLIENT_SECRET
value: {{ .Values.console.oidc.clientSecret }}
{{- end }}
{{- range $key, $value := .Values.extraEnv }}
- name: {{ $key }}
value: {{ $value | quote }}
{{- end }}
{{- with .Values.extraEnvFrom }}
{{- toYaml . | nindent 12 }}
{{- end }}
ports:
- name: http
containerPort: {{ .Values.service.port }}
protocol: TCP
volumeMounts:
{{- if .Values.volumes }}
{{- range .Values.volumes }}
- mountPath: {{ .mountPath }}
name: {{ .name }}
{{- if .subPath }}
subPath: {{ .subPath }}
{{- end }}
{{- end }}
{{- end }}
livenessProbe:
httpGet:
path: /health
port: http
readinessProbe:
httpGet:
path: /health
port: http
resources:
{{- toYaml .Values.resources | nindent 12 }}
{{- if .Values.sidecars }}
{{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" $ ) | nindent 8 }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
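Review bot: `BRIDGE_USER_AUTH_OIDC_CLIENT_SECRET` is rendered as a plain `value:` straight from `.Values.console.oidc.clientSecret`, so the OIDC client secret is embedded in the Deployment spec (readable by anyone who can get deployments, and kept in the stored release manifest) instead of living in a Secret; prefer `valueFrom.secretKeyRef` pointing at a Secret the chart creates from the value or one the user names, which is the pattern the commented `extraEnvFrom` example in values.yaml already shows for the bearer token. Separately, the templated `value:` fields for `dex.host`, `baseUrl`, `issuerUrl`, `clientId` and `clientSecret` are unquoted while the `extraEnv` loop uses `| quote`; a client id or secret that YAML reads as a number or boolean would then be rejected because env values must be strings, so write `value: {{ .Values.console.oidc.clientSecret | quote }}` (and likewise for the other four). Minor style: `{{ .Values.image.registry}}` is missing the space before `}}`.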


@@ -0,0 +1,28 @@
{{- if .Values.autoscaling.enabled }}
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "openshift-console.fullname" . }}
labels:
{{- include "openshift-console.labels" . | nindent 4 }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "openshift-console.fullname" . }}
minReplicas: {{ .Values.autoscaling.minReplicas }}
maxReplicas: {{ .Values.autoscaling.maxReplicas }}
metrics:
{{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
- type: Resource
resource:
name: cpu
targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
{{- end }}
{{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
- type: Resource
resource:
name: memory
targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
{{- end }}
{{- end }}
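Review bot: The HorizontalPodAutoscaler is written against `autoscaling/v2beta1`, which Kubernetes stopped serving in 1.25, so setting `autoscaling.enabled: true` on a current cluster fails at apply time even though every other template here targets current APIs (the Ingress already uses `networking.k8s.io/v1`). `autoscaling/v2` has been GA since 1.23 and replaces `targetAverageUtilization` with a `target` block, which changes each metric entry; the rewritten parts are below, the rest of the file is unchanged.
```yaml
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
# … unchanged: metadata, scaleTargetRef, minReplicas, maxReplicas …
  metrics:
    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
    {{- end }}
    {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
    - type: Resource
      resource:
        name: memory
        target:
          type: Utilization
          averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
    {{- end }}
```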


@@ -0,0 +1,41 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "openshift-console.fullname" . -}}
{{- $svcPort := .Values.service.port -}}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ $fullName }}
labels:
{{- include "openshift-console.labels" . | nindent 4 }}
{{- with .Values.ingress.annotations }}
annotations:
{{- omit . "kubernetes.io/ingress.class" | toYaml | nindent 4 }}
{{- end }}
spec:
ingressClassName: {{ .Values.ingress.className | default (get .Values.ingress.annotations "kubernetes.io/ingress.class") }}
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ . }}
pathType: ImplementationSpecific
backend:
service:
name: {{ $fullName }}
port:
number: {{ $svcPort }}
{{- end }}
{{- end }}
{{- end }}
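Review bot: `- path: {{ . }}` emits the user-supplied path unquoted, whereas the neighbouring `host` and TLS `hosts` values go through `| quote`; a path containing `: `, ` #` or a leading `*` would then break the rendered YAML or be mis-typed, so `- path: {{ . | quote }}` keeps the template consistent and the value a string in every case. The `ingressClassName` line renders an empty value when neither `ingress.className` nor the legacy annotation is set; that is accepted as null by the API as far as I can tell, but wrapping it in `{{- with ... }}` so the field is omitted entirely would make the output cleaner.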


@@ -0,0 +1,31 @@
{{- if and .Values.console.impersonateOpenShift .Values.rbac.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "openshift-console.fullname" . }}-dashboards
namespace: openshift-config-managed
rules:
- verbs:
- get
- list
- watch
apiGroups:
- ""
resources:
- configmaps
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "openshift-console.fullname" . }}-dashboards
# unfortunately this is hardcoded (https://github.com/openshift/console/blob/master/cmd/bridge/main.go#L576)
namespace: openshift-config-managed
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "openshift-console.fullname" . }}-dashboards
subjects:
- kind: ServiceAccount
name: {{ include "openshift-console.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end }}


@@ -0,0 +1,15 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "openshift-console.fullname" . }}
labels:
{{- include "openshift-console.labels" . | nindent 4 }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.port }}
targetPort: http
protocol: TCP
name: http
selector:
{{- include "openshift-console.selectorLabels" . | nindent 4 }}


@@ -0,0 +1,12 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "openshift-console.serviceAccountName" . }}
labels:
{{- include "openshift-console.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}


@@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: "{{ include "openshift-console.fullname" . }}-test-connection"
labels:
{{- include "openshift-console.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": test-success
spec:
containers:
- name: wget
image: busybox
command: ['wget']
args: ['{{ include "openshift-console.fullname" . }}:{{ .Values.service.port }}']
restartPolicy: Never
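Review bot: The test hook pulls `image: busybox` with no tag, so every `helm test` run resolves whatever `latest` currently is, and it ignores the chart's configurable `image.registry`, so air-gapped or mirrored installs that work for the main container will fail here. Pin the tag (`image: busybox:<pinned-tag>` as a placeholder, or a digest) and consider prefixing it with the same registry value the deployment uses.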


@@ -0,0 +1,128 @@
# Default values for openshift-console.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
replicaCount: 1
image:
registry: quay.io
repository: openshift/origin-console
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
tag: "4.14.0"
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
annotations: {}
labels: {}
podLabels: {}
podAnnotations:
linkerd.io/inject: enabled
sidecar.istio.io/inject: "true"
podSecurityContext:
enabled: true
runAsUser: 1001
securityContext:
enabled: true
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
runAsNonRoot: true
runAsUser: 1001
service:
type: ClusterIP
port: 9000
ingress:
enabled: false
className: ""
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
hosts:
- host: chart-example.local
paths: []
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
extraEnvFrom: {}
#- name: BRIDGE_K8S_AUTH_BEARER_TOKEN
# valueFrom:
# secretKeyRef:
# key: token
# name: console-secret
extraEnv: {}
# BRIDGE_K8S_AUTH: bearer-token
# BRIDGE_K8S_MODE: off-cluster
# BRIDGE_K8S_MODE_OFF_CLUSTER_ENDPOINT: https://kubernetes.default
# BRIDGE_K8S_MODE_OFF_CLUSTER_SKIP_VERIFY_TLS: "true"
# BRIDGE_USER_AUTH: disabled
volumes: []
# - name: my-volume
# mountPath: /foo/bar
# config:
# emptyDir: {}
console:
dex:
host: https://dex.example.org
baseUrl: https://console.example.org
impersonateOpenShift: false
oidc:
enabled: true
issuerUrl: https://dex.example.org
clientId: kubernetes
clientSecret: hunter2
rbac:
enabled: false
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 100
targetCPUUtilizationPercentage: 80
# targetMemoryUtilizationPercentage: 80
nodeSelector: {}
tolerations: []
affinity: {}
sidecars: []
serviceAccount:
create: true
automountServiceAccountToken: true
annotations: {}
name: ""
hostAliases: []
# - ip: "127.0.0.1"
# hostnames:
# - "kubernetes.default.svc"
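Review bot: `podAnnotations` defaults to `linkerd.io/inject: enabled` and `sidecar.istio.io/inject: "true"`, which opts every console pod into mesh sidecar injection on any cluster running either mesh, although nothing in the README says a mesh is expected; default it to `{}` and keep the two annotations as commented examples. `extraEnvFrom` is declared as `{}`, but the commented example is a list of `env` items and the deployment splices it into `env:` (not `envFrom:`), so both the key name and the empty-map default mislead; default it to `[]` and state in the comment that entries are full `env` items. `console.oidc.clientSecret: hunter2` is rendered into the Deployment as-is, so a comment such as `# Placeholder only; override with the real client secret, preferably supplied via a Secret` would make its status explicit.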


@@ -5,11 +5,11 @@ dependencies:
- condition: postgresql.enabled
name: postgresql
repository: https://charts.bitnami.com/bitnami
version: 12.2.2
version: 16.3.2
- condition: redis.enabled
name: redis
repository: https://charts.bitnami.com/bitnami
version: 17.8.2
version: 20.6.0
type: application
version: 0.2.1
appVersion: 5.1.0
version: 0.4.5
appVersion: 7.2.3

