Compare commits


66 Commits

ace
f3dea682a5 mastodon: bump to v4.4.1, helm chart v6.5.0 2025-07-14 00:14:20 +03:00
ace
bca2de6613 mastodon: bump to v4.2.22, helm chart v5.1.9 2025-07-13 20:56:17 +03:00
ace
9219b9d048 rspamd: bump to v3.12.1, helm chart v0.5.7 2025-06-28 16:29:17 +03:00
ace
7e7fc46d18 adguard-home: bump to v0.107.63, helm chart v2.3.33 2025-06-28 16:29:14 +03:00
ace
d2a23231dc peertube: bump to v7.2.1, helm chart v0.4.4 2025-06-28 16:29:09 +03:00
ace
4d3b1c57f6 kanidm: bump to v1.6.4, helm chart v0.2.2 2025-06-12 22:48:42 +03:00
ace
4b59f3bde0 peertube: bump to v7.2.0, helm chart v0.4.3 2025-06-12 22:48:00 +03:00
ace
88d3175327 roundcube: bump to v1.6.11, helm chart v0.4.6 2025-06-11 00:36:48 +03:00
ace
f58b0e15d2 bitwarden: bump to v1.34.1, helm chart v2.0.38 2025-06-11 00:36:44 +03:00
ace
058c4aee3c adguard-home: bump to v0.107.62, helm chart v2.3.32 2025-06-11 00:36:41 +03:00
ace
c7da441b17 kanidm: bump to v1.6.3, helm chart v0.2.1 2025-05-23 13:06:11 +03:00
ace
c0ad9437b2 kanidm: bump to v1.6.2, helm chart v0.2.0 2025-05-13 00:12:33 +03:00
ace
77c2028150 mastodon: bump to v4.2.21, helm chart v5.1.8 2025-05-13 00:12:21 +03:00
ace
399eae0f1a kanidm: fix probes and use 443 port by default 2025-04-11 16:01:20 +03:00
ace
0d91f6f91d add kanidm helm chart 2025-04-10 00:21:11 +03:00
ace
ae6f9bb30b add autovault helm chart 2025-04-10 00:21:01 +03:00
ace
858581c554 wikijs: bump to v2.5.307, helm chart v2.3.19 2025-03-25 16:27:27 +03:00
ace
c9a99c1062 peertube: bump to v7.1.0, helm chart v0.4.2 2025-03-25 16:27:23 +03:00
ace
bad060f0dd adguard-home: bump to v0.107.59, helm chart v2.3.31 2025-03-25 16:27:19 +03:00
ace
c7255cdaf1 mastodon: bump to v4.2.19, helm chart v5.1.7 2025-03-14 23:36:13 +03:00
ace
a83dac3d32 rspamd: bump to v3.11.1, helm chart v0.5.6 2025-03-09 17:03:04 +03:00
ace
c5c7b21e6f mastodon: bump to v4.2.17, helm chart v5.1.6 2025-03-02 17:24:16 +03:00
ace
15f9334d28 gitea-act-runner: bump to v0.2.11, helm chart v0.1.12 2025-03-02 17:24:07 +03:00
ace
5d77150525 adguard-home: bump to v0.107.57, helm chart v2.3.30 2025-03-02 17:24:04 +03:00
ace
f5fdcff1d9 postfix: bump to v3.5.25, helm chart v0.1.7 2025-02-15 22:28:05 +03:00
ace
5e7679078d rspamd: bump to v3.11.0, helm chart v0.5.5 2025-02-15 22:28:01 +03:00
ace
7ea997cbbb roundcube: bump to v1.6.10, helm chart v0.4.5 2025-02-15 22:27:59 +03:00
ace
0d3fb60b95 dovecot: bump to v2.3.16, helm chart v0.1.8 2025-02-15 22:27:55 +03:00
ace
de4157c81c bitwarden: bump to v1.33.2, helm chart v2.0.37 2025-02-12 15:31:02 +03:00
ace
47e16defa7 wikijs: bump to v2.5.306, helm chart v2.3.18 2025-02-06 00:36:02 +03:00
ace
0ee0d754b9 bitwarden: bump to v1.33.1, helm chart v2.0.36 2025-02-06 00:35:52 +03:00
ace
cfb50a3261 adguard-home: bump to v0.107.56, helm chart v2.3.29 2025-01-26 17:12:31 +03:00
ace
b94d794c2a bitwarden: bump to v1.33.0, helm chart v2.0.35 2025-01-26 17:12:28 +03:00
ace
7c84796f5f peertube: bump to v7.0.1, helm chart v0.4.1 2025-01-26 17:12:09 +03:00
ace
b09e51c39b bitwarden: bump to v1.32.7, helm chart v2.0.34
peertube: bump to v7.0.0, helm chart v0.4.0
2024-12-22 15:12:24 +03:00
ace
796483d2b5 bitwarden: bump to v1.32.5, helm chart v2.0.32 2024-11-19 17:59:15 +03:00
ace
373984242e adguard-home: bump to v0.107.54, helm chart v2.3.28 2024-11-11 13:34:41 +03:00
ace
96f81e7d3f bitwarden: bump to v1.32.4, helm chart v2.0.31 2024-11-11 13:34:39 +03:00
ace
d2cd7daa25 rspamd: bump to v3.10.2, helm chart v0.5.4 2024-11-03 17:07:36 +03:00
ace
dd2838a47b bitwarden: bump to v1.32.3, helm chart v2.0.30 2024-11-03 17:07:33 +03:00
ace
50fff3de7d peertube: bump to v6.3.3, helm chart v0.3.8 2024-11-03 17:07:32 +03:00
ace
626e71e16a wikijs: bump to v2.5.305, helm chart v2.3.17 2024-10-14 11:20:21 +03:00
ace
f83831aabf bitwarden: bump to v1.32.2, helm chart v2.0.29 2024-10-14 11:20:18 +03:00
ace
691e984150 peertube: bump to v6.3.2, helm chart v0.3.7 2024-10-08 14:41:53 +03:00
ace
c0b9d55820 peertube: bump to v6.3.1, helm chart v0.3.6 2024-10-08 10:58:24 +03:00
ace
060e445d4f gitea-act-runner: bump to v0.2.11, helm chart v0.1.11 2024-10-06 22:09:10 +03:00
ace
a6a99cdb91 adguard-home: bump to v0.107.53, helm chart v2.3.27 2024-10-04 04:57:24 +03:00
ace
895105f3d4 bitwarden: bump to v1.32.1, helm chart v2.0.28 2024-10-04 04:57:06 +03:00
ace
cfbedaebe0 wikijs: bump to v2.5.304, helm chart v2.3.16 2024-09-22 22:22:25 +03:00
ace
5ef80aed84 roundcube: bump to v1.6.9, helm chart v0.4.4 2024-09-03 19:41:36 +03:00
ace
769ba9cf5d postfix: bump to v3.5.9, helm chart v0.1.6 2024-08-24 03:30:22 +03:00
ace
db0458a87b rspamd: bump to v3.9.1, helm chart v0.5.3 2024-08-24 03:30:14 +03:00
ace
aa2f627b9d dovecot: bump to v2.3.16, helm chart v0.1.7 2024-08-24 03:30:13 +03:00
ace
7ca7f196ba postgres-operator: bump to v1.13.0, helm chart v1.13.0 2024-08-24 03:12:34 +03:00
ace
5f7967bf6a postgres-operator-ui: bump to v1.13.0, helm chart v1.13.0 2024-08-24 03:12:32 +03:00
ace
72a60c9e67 mastodon: bump to v4.2.12, helm chart v5.1.5 2024-08-19 19:25:21 +03:00
ace
097cb672f1 mastodon: bump to v4.2.11, helm chart v5.1.4 2024-08-19 14:16:47 +03:00
ace
7f13ed6508 bitwarden: bump to v1.32.0, helm chart v2.0.27 2024-08-13 02:49:04 +03:00
ace
c28dc5a64d roundcube: bump to v1.6.8, helm chart v0.4.3 2024-08-13 02:49:01 +03:00
ace
b1d06879b3 peertube: bump to v6.2.1, helm chart v0.3.5 2024-08-13 02:48:51 +03:00
ace
6f71f2ace1 mastodon: bump to v4.2.10, helm chart v5.1.3 2024-07-05 01:19:57 +03:00
ace
17bd057945 postgres-operator-ui: bump to v1.12.2, helm chart v1.12.2 2024-06-16 17:38:52 +03:00
ace
ffc7f36269 postgres-operator: bump to v1.12.2, helm chart v1.12.2 2024-06-16 17:38:50 +03:00
ace
3a8be39de0 mastodon: bump to vv4.2.9, helm chart v5.1.2 2024-06-01 03:42:03 +03:00
ace
6b110c9f5b postgres-operator-ui: bump to v1.12.0, helm chart v1.12.0 2024-06-01 03:42:01 +03:00
ace
2ec29384d5 postgres-operator: bump to v1.12.0, helm chart v1.12.0 2024-06-01 03:41:59 +03:00
97 changed files with 3980 additions and 664 deletions


@ -1,5 +1,5 @@
apiVersion: v2
appVersion: 0.107.50
appVersion: 0.107.63
description: DNS proxy as ad-blocker for local network
home: https://github.com/k8s-at-home/charts/tree/master/charts/adguard-home
icon: https://avatars3.githubusercontent.com/u/8361145?s=200&v=4?sanitize=true
@ -12,4 +12,4 @@ maintainers:
name: adguard-home
sources:
- https://github.com/AdguardTeam/AdGuardHome
version: 2.3.26
version: 2.3.33


@ -4,7 +4,7 @@ strategyType: Recreate
image:
repository: adguard/adguardhome
# Image tag is set via charts appVersion. If you want to override the tag, specify it here
tag: v0.107.50
tag: v0.107.63
pullPolicy: IfNotPresent
nameOverride: ""

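--- /dev/null
+++ b/autovault/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/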

24
autovault/Chart.yaml Normal file

@ -0,0 +1,24 @@
apiVersion: v2
name: autovault
description: A Helm chart for Kubernetes
# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.0
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "0.1.0"
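Review bot: `description: A Helm chart for Kubernetes` is the `helm create` scaffold placeholder and says nothing about what the chart does; replace it with something like `description: CronJob that initialises, unseals and bootstraps a Vault instance (kv-v2, userpass, approle) and publishes AppRole credentials as Kubernetes Secrets`. It would also help to point `home`/`sources` at the autovault image repository referenced in values.yaml (`gitea.geekhome.org/ghp/autovault`), since the script depends on `vault`, `jq`, `curl` and `kubectl` being present in that image.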


@ -0,0 +1,62 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "autovault.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "autovault.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "autovault.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "autovault.labels" -}}
helm.sh/chart: {{ include "autovault.chart" . }}
{{ include "autovault.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "autovault.selectorLabels" -}}
app.kubernetes.io/name: {{ include "autovault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "autovault.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "autovault.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}


@ -0,0 +1,68 @@
---
kind: ConfigMap
apiVersion: v1
metadata:
name: {{ include "autovault.fullname" . }}-scripts
labels:
{{- include "autovault.labels" . | nindent 4 }}
data:
autovault.sh: |
#!/bin/bash
HOME=/vault/data
while [[ "$(curl -L -s -o /dev/null -w ''%{http_code}'' {{ .Values.vaultUrl }})" != "200" ]]; do sleep 5; done
export VAULT_ADDR={{ .Values.vaultUrl }}
INITIALIZED=$(vault status -format=json | jq -r '.initialized')
SEALED=$(vault status -format=json | jq -r '.sealed')
if [[ "$INITIALIZED" == "false" ]] ; then
vault operator init -key-threshold=1 -key-shares=1 -format=json > /vault/data/keys.json
fi
if [[ "$SEALED" == "true" ]] ; then
KEY=$(cat /vault/data/keys.json | jq -r '.unseal_keys_b64[0]')
vault operator unseal $KEY
fi
export VAULT_TOKEN=$(cat /vault/data/keys.json | jq -r '.root_token')
KV_ENABLED=$(vault secrets list | grep -i kv)
if [[ -z "$KV_ENABLED" ]] ; then
vault secrets enable -version=2 kv
fi
USERPASS_ENABLED=$(vault auth list | grep -i userpass)
if [[ -z "$USERPASS_ENABLED" ]] ; then
vault auth enable userpass
fi
APPROLE_ENABLED=$(vault auth list | grep -i approle)
if [[ -z "$APPROLE_ENABLED" ]] ; then
vault auth enable approle
fi
echo
echo "----------------------------------------------------------------"
echo
echo "Vault root token: ${VAULT_TOKEN}"
echo
echo "----------------------------------------------------------------"
echo
for APPROLE in {{ join " " .Values.autovaultGenSecretsApps }}; do
APPROLE_CREATED=$(vault read auth/approle/role/"$APPROLE"/role-id)
if [[ -z "$APPROLE_CREATED" ]] ; then
vault write -f auth/approle/role/"$APPROLE"
fi
kubectl get secret vault-secret-"$APPROLE" || \
{ APPROLE_ROLE_ID=$(vault read auth/approle/role/"$APPROLE"/role-id | grep "role_id\s" | awk '{print $2}') ; \
APPROLE_SECRET_ID=$(vault write -f auth/approle/role/"$APPROLE"/secret-id | grep "secret_id\s" | awk '{print $2}') ; \
kubectl create secret generic vault-secret-"$APPROLE" --from-literal=rootToken="$VAULT_TOKEN" --from-literal=roleId="$APPROLE_ROLE_ID" --from-literal=secretId="$APPROLE_SECRET_ID" ;
echo "$APPROLE role-id = $APPROLE_ROLE_ID" ; }
done
vault auth list
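Review bot: The Vault root token is exposed twice by the script: it is printed to the pod log at `echo "Vault root token: ${VAULT_TOKEN}"` (readable by anyone with `pods/log` in the namespace, and retained by the job history), and it is copied into every per-app Secret via `--from-literal=rootToken="$VAULT_TOKEN"`, so each consumer of `vault-secret-<app>` holds root rather than only its AppRole `roleId`/`secretId`. Drop both, keep just `roleId` and `secretId` in the Secret, and consider revoking the root token once the AppRoles exist (`vault token revoke -self`) and regenerating one on demand. The `vault operator init -key-threshold=1 -key-shares=1` call also leaves the single unseal key and the root token in plaintext in `/vault/data/keys.json` on the PVC with the process's default umask; that is the trade-off an auto-unseal helper makes, but it should be stated in a comment here and in values.yaml. Finally, `vault write -f auth/approle/role/"$APPROLE"` creates each role with no `token_policies`, so its tokens presumably get only the `default` policy — if that is intended, say so; if not, pass `token_policies=<policy>` per app.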


@ -0,0 +1,54 @@
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: {{ include "autovault.fullname" . }}
labels:
{{- include "autovault.labels" . | nindent 4 }}
spec:
concurrencyPolicy: Forbid
schedule: {{ .Values.autovaultSchedule | quote }}
successfulJobsHistoryLimit: 1
failedJobsHistoryLimit: 1
jobTemplate:
spec:
backoffLimit: 2
activeDeadlineSeconds: 300
template:
spec:
serviceAccountName: {{ include "autovault.fullname" . }}
restartPolicy: Never
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: autovault
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
volumeMounts:
- name: {{ include "autovault.fullname" . }}-data
mountPath: /vault/data
- name: {{ include "autovault.fullname" . }}-scripts
mountPath: /vault/scripts
command: [ "/bin/bash", "-c", "/vault/scripts/autovault.sh" ]
volumes:
- name: {{ include "autovault.fullname" . }}-data
persistentVolumeClaim:
claimName: {{ include "autovault.fullname" . }}-data
- name: {{ include "autovault.fullname" . }}-scripts
configMap:
name: {{ include "autovault.fullname" . }}-scripts
defaultMode: 0777
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
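Review bot: `defaultMode: 0777` on the scripts ConfigMap volume is broader than needed — a ConfigMap mount is read-only regardless, so `defaultMode: 0555` expresses the intent (executable, not writable) and keeps policy scanners that flag world-writable modes quiet. The job also never renders the `podSecurityContext` / `securityContext` maps declared in values.yaml, so the container runs with the image's defaults; add `securityContext: {{- toYaml .Values.podSecurityContext | nindent 10 }}` under the pod `spec:` and `securityContext: {{- toYaml .Values.securityContext | nindent 12 }}` on the container, as the gitea-act-runner deployment in this repo does. `resources` from values.yaml is likewise not rendered, so the job runs without limits.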


@ -0,0 +1,26 @@
---
{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: {{ template "autovault.fullname" . }}-data
labels:
{{- include "autovault.labels" . | nindent 4 }}
{{- if .Values.persistence.annotations }}
annotations:
{{ toYaml .Values.persistence.annotations | indent 4 }}
{{- end }}
spec:
accessModes:
- {{ .Values.persistence.accessMode | quote }}
resources:
requests:
storage: {{ .Values.persistence.size | quote }}
{{- if .Values.persistence.storageClass }}
{{- if (eq "-" .Values.persistence.storageClass) }}
storageClassName: ""
{{- else }}
storageClassName: "{{ .Values.persistence.storageClass }}"
{{- end }}
{{- end }}
{{- end }}


@ -0,0 +1,26 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "autovault.fullname" . }}
labels:
{{- include "autovault.labels" . | nindent 4 }}
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["list", "get", "watch", "create", "delete"]
- apiGroups: [""]
resources: ["pods/exec"]
verbs: ["create"]
- apiGroups: [""]
resources: ["pods/log"]
verbs: ["get"]
- apiGroups: [""]
resources: ["pods/attach"]
verbs: ["list", "get", "create", "delete", "update"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["list", "get", "create", "delete", "update"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["list", "get", "create", "delete", "update"]
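Review bot: The Role grants far more than the script uses: `autovault.sh` only runs `kubectl get secret` and `kubectl create secret`, yet the role also allows `pods/exec` create, `pods/attach`, pod create/delete and ConfigMap writes in the namespace. With `pods/exec` a compromised job — or anyone who can read its service-account token — can exec into the Vault pod itself, which makes this effectively namespace admin. Trim it to a single rule, `resources: ["secrets"]` with `verbs: ["get", "create"]`, and remove the pod, pods/exec, pods/log, pods/attach and configmaps rules; add a verb back only when the script actually needs it.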


@ -0,0 +1,15 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "autovault.fullname" . }}
labels:
{{- include "autovault.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
name: {{ include "autovault.fullname" . }}
kind: Role
subjects:
- kind: ServiceAccount
name: {{ include "autovault.fullname" . }}
namespace: {{ .Release.Namespace }}


@ -0,0 +1,13 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "autovault.serviceAccountName" . }}
labels:
{{- include "autovault.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
{{- end }}

107
autovault/values.yaml Normal file

@ -0,0 +1,107 @@
# Default values for autovault.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
# This will set the replicaset count more information can be found here: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/
replicaCount: 1
# This sets the container image more information can be found here: https://kubernetes.io/docs/concepts/containers/images/
image:
repository: gitea.geekhome.org/ghp/autovault
# This sets the pull policy for images.
pullPolicy: Always
# Overrides the image tag whose default is the chart appVersion.
tag: "0.1.0-1"
# This is for the secrets for pulling an image from a private repository more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
imagePullSecrets: []
# This is to override the chart name.
nameOverride: ""
fullnameOverride: ""
vaultUrl: "http://vault:8200"
autovaultGenSecretsApps:
- approle1
autovaultSchedule: "0/5 * * * *"
# This section builds out the service account more information can be found here: https://kubernetes.io/docs/concepts/security/service-accounts/
serviceAccount:
# Specifies whether a service account should be created
create: true
# Automatically mount a ServiceAccount's API credentials?
automount: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
# This is for setting Kubernetes Annotations to a Pod.
# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
podAnnotations: {}
# This is for setting Kubernetes Labels to a Pod.
# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
podLabels: {}
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
persistence:
enabled: true
annotations: {}
## PeerTube data Persistent Volume Storage Class
## If defined, storageClassName: <storageClass>
## If set to "-", storageClassName: "", which disables dynamic provisioning
## If undefined (the default) or set to null, no storageClassName spec is
## set, choosing the default provisioner. (gp2 on AWS, standard on
## GKE, AWS & OpenStack)
##
# storageClass: "-"
## A manually managed Persistent Volume and Claim
## Requires persistence.enabled: true
## If defined, PVC must be created manually before volume will be bound
# existingClaim:
accessMode: ReadWriteOnce
size: 1Mi
# Additional volumes on the output Deployment definition.
volumes: []
# - name: foo
# secret:
# secretName: mysecret
# optional: false
# Additional volumeMounts on the output Deployment definition.
volumeMounts: []
# - name: foo
# mountPath: "/etc/foo"
# readOnly: true
nodeSelector: {}
tolerations: []
affinity: {}
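Review bot: `vaultUrl: "http://vault:8200"` means the unseal key, the root token and every generated secret-id travel to Vault over plaintext HTTP inside the cluster; default to `https://` with the Vault CA mounted into the job, or at least add a comment stating that `http://` is only acceptable where the pod network is otherwise protected (e.g. a service mesh or NetworkPolicy). The `podSecurityContext` and `securityContext` maps here are not consumed by the cronjob template in this change, so the commented `runAsNonRoot` / `readOnlyRootFilesystem` hints are misleading until the template renders them; the same goes for `replicaCount`, `resources`, `volumes`, `volumeMounts`, `podAnnotations` and `podLabels` as far as the templates visible in this diff show. Minor: the persistence comment block says `PeerTube data Persistent Volume Storage Class`, a copy-paste from another chart — it should read `autovault data`.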


@ -1,5 +1,5 @@
apiVersion: v2
appVersion: 1.30.5
appVersion: 1.34.1
description: Unofficial Bitwarden compatible server written in Rust
home: https://github.com/k8s-at-home/charts/tree/master/charts/bitwardenrs
icon: https://raw.githubusercontent.com/bitwarden/brand/master/icons/256x256.png
@ -17,4 +17,4 @@ name: bitwarden
sources:
- https://github.com/dani-garcia/bitwarden_rs
type: application
version: 2.0.25
version: 2.0.38


@ -5,7 +5,7 @@ replicaCount: 1
image:
repository: vaultwarden/server
pullPolicy: IfNotPresent
tag: "1.30.5"
tag: "1.34.1"
imagePullSecrets: []
nameOverride: ""


@ -14,7 +14,7 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
version: 0.1.6
version: 0.1.8
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application.


@ -14,7 +14,7 @@ tls:
dovecot:
image:
repository: gitea.geekhome.org/ghp/dovecot
tag: 2.3.16-3
tag: 2.3.16-5
pullPolicy: Always
configmaps:
dovecot:


@ -15,10 +15,10 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.10
version: 0.1.12
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "0.2.10"
appVersion: "0.2.11"


@ -32,7 +32,7 @@ spec:
- name: {{ .Chart.Name }}-runner
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
image: "{{ .Values.image.runner.repository }}:{{ .Values.image.runner.tag | default .Chart.AppVersion }}"
command: ["/bin/sh"]
args: ["-c", "while ! nc -z localhost 2376 </dev/null; do echo 'waiting for docker daemon...'; sleep 5; done; /sbin/tini -- /opt/act/run.sh"]
imagePullPolicy: {{ .Values.image.pullPolicy }}
@ -81,7 +81,7 @@ spec:
resources:
{{- toYaml .Values.resources | nindent 12 }}
- name: {{ .Chart.Name }}-daemon
image: docker:23.0.6-dind
image: "{{ .Values.image.daemon.repository }}:{{ .Values.image.daemon.tag | default .Chart.AppVersion }}"
env:
- name: DOCKER_TLS_CERTDIR
value: /certs
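Review bot: The daemon container's tag falls back to the chart's AppVersion — `{{ .Values.image.daemon.tag | default .Chart.AppVersion }}` — but AppVersion (`0.2.11`) is the act_runner version, not a Docker tag, so an empty `image.daemon.tag` would render a non-existent image `docker:0.2.11`. Give it its own fallback, `{{ .Values.image.daemon.tag | default "27.5.1-dind" }}`, or fail early with `{{ required "image.daemon.tag must be set" .Values.image.daemon.tag }}`. Since the old hard-coded `docker:23.0.6-dind` is now a values-driven tag, and a dind daemon typically runs privileged, pinning the daemon image by `@sha256:` digest in values.yaml would be worth the maintenance cost. The Deployment spec this hunk belongs to continues outside the hunk.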


@ -5,10 +5,15 @@
replicaCount: 1
image:
runner:
repository: gitea/act_runner
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
tag: "0.2.10"
tag: "0.2.11"
daemon:
repository: docker
pullPolicy: IfNotPresent
tag: "27.5.1-dind"
imagePullSecrets: []
nameOverride: ""

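--- /dev/null
+++ b/kanidm/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/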

24
kanidm/Chart.yaml Normal file

@ -0,0 +1,24 @@
apiVersion: v2
name: kanidm
description: A Helm chart for Kubernetes
# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.2.2
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "1.6.4"
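Review bot: `description: A Helm chart for Kubernetes` is the `helm create` placeholder; a reader of the chart index cannot tell this deploys an identity provider. Suggest `description: Kanidm identity management server (HTTPS + optional read-only LDAPS), with self-generated TLS and optional online backups` and a `sources:` entry pointing at the upstream Kanidm repository, matching what the other charts in this repo (adguard-home, bitwarden) declare.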


@ -0,0 +1,22 @@
1. Get the application URL by running these commands:
{{- if .Values.ingress.enabled }}
{{- range $host := .Values.ingress.hosts }}
{{- range .paths }}
http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
{{- end }}
{{- end }}
{{- else if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "kanidm.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch its status by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "kanidm.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "kanidm.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
echo http://$SERVICE_IP:{{ .Values.service.port }}
{{- else if contains "ClusterIP" .Values.service.type }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "kanidm.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
echo "Visit http://127.0.0.1:8080 to use your application"
kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
{{- end }}
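Review bot: The NodePort, LoadBalancer and port-forward branches print `http://` URLs, but this chart's server.toml states the web listener `Requires TLS certificates` and the deployment's init container runs `kanidmd cert-generate`, so the printed addresses will not connect; change `echo http://$NODE_IP:$NODE_PORT`, `echo http://$SERVICE_IP:{{ .Values.service.port }}` and `echo "Visit http://127.0.0.1:8080 ..."` to `https://`. It is also worth a sentence in these notes that the generated certificate is self-signed, so the first visit will need `curl -k` or a browser exception unless `kanidm.tls_chain` / `kanidm.tls_key` are pointed at a trusted pair.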


@ -0,0 +1,62 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "kanidm.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "kanidm.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "kanidm.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "kanidm.labels" -}}
helm.sh/chart: {{ include "kanidm.chart" . }}
{{ include "kanidm.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "kanidm.selectorLabels" -}}
app.kubernetes.io/name: {{ include "kanidm.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "kanidm.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "kanidm.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}


@ -0,0 +1,136 @@
kind: ConfigMap
apiVersion: v1
metadata:
name: {{ include "kanidm.fullname" . }}-config
labels:
{{- include "kanidm.labels" . | nindent 4 }}
data:
server.toml: |
# The server configuration file version.
version = "2"
# The webserver bind address. Requires TLS certificates.
# If the port is set to 443 you may require the
# NET_BIND_SERVICE capability.
# Defaults to "127.0.0.1:8443"
bindaddress = "{{ tpl .Values.kanidm.bindaddress $ }}"
#
# The read-only ldap server bind address. Requires
# TLS certificates. If set to 636 you may require
# the NET_BIND_SERVICE capability.
# Defaults to "" (disabled)
{{- if .Values.kanidmLdap.enabled }}
dapbindaddress = "{{ tpl .Values.kanidmLdap.dapbindaddress $ }}"
{{- else }}
# ldapbindaddress = "{{ tpl .Values.kanidmLdap.dapbindaddress $ }}"
{{- end }}
#
# The path to the kanidm database.
db_path = "{{ .Values.kanidm.db_path }}"
#
# If you have a known filesystem, kanidm can tune the
# database page size to match. Valid choices are:
# [zfs, other]
# If you are unsure about this leave it as the default
# (other). After changing this
# value you must run a vacuum task.
# - zfs:
# * sets database pagesize to 64k. You must set
# recordsize=64k on the zfs filesystem.
# - other:
# * sets database pagesize to 4k, matching most
# filesystems block sizes.
{{- if .Values.kanidm.db_fs_type }}
db_fs_type = "{{ .Values.kanidm.db_fs_type }}"
{{- else }}
# db_fs_type = "zfs"
{{- end }}
#
# The number of entries to store in the in-memory cache.
# Minimum value is 256. If unset
# an automatic heuristic is used to scale this.
# You should only adjust this value if you experience
# memory pressure on your system.
{{- if .Values.kanidm.db_arc_size }}
db_arc_size = {{ .Values.kanidm.db_arc_size }}
{{- else }}
# db_arc_size = 2048
{{- end }}
#
# TLS chain and key in pem format. Both must be present.
# If the server receives a SIGHUP, these files will be
# re-read and reloaded if their content is valid.
tls_chain = "{{ .Values.kanidm.tls_chain }}"
tls_key = "{{ .Values.kanidm.tls_key }}"
#
# The log level of the server. May be one of info, debug, trace
#
# NOTE: this can be overridden by the environment variable
# `KANIDM_LOG_LEVEL` at runtime
# Defaults to "info"
log_level = "{{ .Values.kanidm.log_level }}"
#
# The DNS domain name of the server. This is used in a
# number of security-critical contexts
# such as webauthn, so it *must* match your DNS
# hostname. It is used to create
# security principal names such as `william@idm.example.com`
# so that in a (future) trust configuration it is possible
# to have unique Security Principal Names (spns) throughout
# the topology.
#
# ⚠️ WARNING ⚠️
#
# Changing this value WILL break many types of registered
# credentials for accounts including but not limited to
# webauthn, oauth tokens, and more.
# If you change this value you *must* run
# `kanidmd domain rename` immediately after.
domain = "{{ tpl .Values.kanidm.domain $ }}"
#
# The origin for webauthn. This is the url to the server,
# with the port included if it is non-standard (any port
# except 443). This must match or be a descendent of the
# domain name you configure above. If these two items are
# not consistent, the server WILL refuse to start!
# origin = "https://idm.example.com"
origin = "https://{{ tpl .Values.kanidm.domain $ }}:{{ .Values.service.port }}"
#
# HTTPS requests can be reverse proxied by a loadbalancer.
# To preserve the original IP of the caller, these systems
# will often add a header such as "Forwarded" or
# "X-Forwarded-For". Some other proxies can use the PROXY
# protocol v2 header.
# This setting allows configuration of the range of trusted
# IPs which can supply this header information, and which
# format the information is provided in.
# Defaults to "none" (no trusted sources)
# Only one option can be used at a time.
# [http_client_address_info]
# proxy-v2 = ["127.0.0.1"]
# # OR
# x-forward-for = ["127.0.0.1"]
# LDAPS requests can be reverse proxied by a loadbalancer.
# To preserve the original IP of the caller, these systems
# can add a header such as the PROXY protocol v2 header.
# This setting allows configuration of the range of trusted
# IPs which can supply this header information, and which
# format the information is provided in.
# Defaults to "none" (no trusted sources)
# [ldap_client_address_info]
# proxy-v2 = ["127.0.0.1"]
{{- if .Values.kanidmOnlineBackup.enabled }}
[online_backup]
# The path to the output folder for online backups
path = "{{ .Values.kanidmOnlineBackup.path }}"
# The schedule to run online backups (see https://crontab.guru/)
# every day at 22:00 UTC (default)
schedule = "{{ .Values.kanidmOnlineBackup.schedule }}"
# four times a day at 3 minutes past the hour, every 6th hours
# schedule = "03 */6 * * *"
# We also support non standard cron syntax, with the following format:
# sec min hour day of month month day of week year
# (it's very similar to the standard cron syntax, it just allows to specify the seconds
# at the beginning and the year at the end)
# Number of backups to keep (default 7)
versions = {{ .Values.kanidmOnlineBackup.versions }}
{{- end }}
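Review bot: The LDAP listener key is emitted as `dapbindaddress` (in both the enabled and the commented form), while the option Kanidm documents — and the comment two lines above describes as "the read-only ldap server bind address" — is `ldapbindaddress`; as rendered, setting `kanidmLdap.enabled: true` presumably either fails config parsing or silently leaves LDAP off, so write `ldapbindaddress = "{{ tpl .Values.kanidmLdap.dapbindaddress $ }}"` (the values key can keep its old name for compatibility). Separately, `origin` unconditionally appends `:{{ .Values.service.port }}`, although the comment above it says the port belongs there only when non-standard; with the 443 default introduced by the "use 443 port by default" commit this renders `https://idm.example.com:443`, which may not match the origin browsers report for WebAuthn. Guard it: `origin = "https://{{ tpl .Values.kanidm.domain $ }}{{ if ne (int .Values.service.port) 443 }}:{{ .Values.service.port }}{{ end }}"`.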


@ -0,0 +1,147 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "kanidm.fullname" . }}
labels:
{{- include "kanidm.labels" . | nindent 4 }}
spec:
{{- if not .Values.autoscaling.enabled }}
replicas: {{ .Values.replicaCount }}
{{- end }}
{{- if .Values.strategy }}
strategy:
{{ toYaml .Values.strategy | indent 2 }}
{{- end }}
selector:
matchLabels:
{{- include "kanidm.selectorLabels" . | nindent 6 }}
template:
metadata:
annotations:
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
{{- with .Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "kanidm.labels" . | nindent 8 }}
{{- with .Values.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "kanidm.serviceAccountName" . }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
shareProcessNamespace: true
initContainers:
- name: {{ .Chart.Name }}-certs
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
command:
- bash
- -c
- kanidmd cert-generate
imagePullPolicy: {{ .Values.image.pullPolicy }}
volumeMounts:
- name: kanidm-data
mountPath: "/data"
- name: kanidm-config
mountPath: /data/server.toml
subPath: server.toml
{{- with .Values.volumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
- name: {{ .Chart.Name }}-db-pass
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
command:
- sh
- -c
- |
/sbin/kanidmd server -c /data/server.toml &
serverPID=$!
until curl -k --output /dev/null --silent --head --fail https://localhost:{{ .Values.service.port }}; do
printf '.'
sleep 5
done
echo "##### Start domain upgrade-check"
/sbin/kanidmd domain upgrade-check
echo "##### Done domain upgrade-check"
ADMIN_PASS=$(kanidmd recover-account admin 2>/dev/null | gawk 'match($0, /new_password:(.*)/, a) { gsub(/ |"/, "", a[1]); print a[1]}')
IDM_ADMIN_PASS=$(kanidmd recover-account idm_admin 2>/dev/null | gawk 'match($0, /new_password:(.*)/, a) { gsub(/ |"/, "", a[1]); print a[1]}')
kill $serverPID
kubectl delete secret kanidm-passwords --ignore-not-found
kubectl create secret generic kanidm-passwords --from-literal=admin="$ADMIN_PASS" --from-literal=idm_admin="$IDM_ADMIN_PASS"
imagePullPolicy: {{ .Values.image.pullPolicy }}
volumeMounts:
- name: kanidm-data
mountPath: "/data"
- name: kanidm-config
mountPath: /data/server.toml
subPath: server.toml
{{- with .Values.volumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
ports:
- name: http
containerPort: {{ .Values.service.port }}
protocol: TCP
{{- if .Values.kanidmLdap.enabled }}
- name: ldap
containerPort: {{ .Values.service.ldap }}
protocol: TCP
{{- end }}
livenessProbe:
{{- toYaml .Values.livenessProbe | nindent 12 }}
readinessProbe:
{{- toYaml .Values.readinessProbe | nindent 12 }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
volumeMounts:
- name: kanidm-data
mountPath: "/data"
- name: kanidm-config
mountPath: /data/server.toml
subPath: server.toml
{{- with .Values.volumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
volumes:
- name: kanidm-data
{{- if .Values.persistence.enabled }}
persistentVolumeClaim:
claimName: {{ .Values.persistence.existingClaim | default (include "kanidm.fullname" .) }}-data
{{- else }}
emptyDir: {}
{{- end }}
- name: kanidm-config
configMap:
name: {{ include "kanidm.fullname" . }}-config
{{- with .Values.volumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}

32
kanidm/templates/hpa.yaml Normal file

@ -0,0 +1,32 @@
{{- if .Values.autoscaling.enabled }}
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "kanidm.fullname" . }}
labels:
{{- include "kanidm.labels" . | nindent 4 }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "kanidm.fullname" . }}
minReplicas: {{ .Values.autoscaling.minReplicas }}
maxReplicas: {{ .Values.autoscaling.maxReplicas }}
metrics:
{{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
{{- end }}
{{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
- type: Resource
resource:
name: memory
target:
type: Utilization
averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
{{- end }}
{{- end }}
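Review bot: Enabling this autoscaler scales a Deployment whose pods all mount the single `kanidm-data` PersistentVolumeClaim (`accessMode: ReadWriteOnce` by default in values.yaml) and whose db-pass init container rotates the admin passwords and rewrites the shared `kanidm-passwords` secret on every start, so any replica count above one would contend for the same database file and overwrite each other's credentials. The `strategy: Recreate` default in values.yaml suggests single-instance operation is what the chart intends. Either drop this template for now or document the limitation next to `autoscaling:` in values.yaml, e.g. `# Not supported: kanidm runs from a single database file on one RWO volume; keep maxReplicas at 1`.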


@ -0,0 +1,61 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "kanidm.fullname" . -}}
{{- $svcPort := .Values.service.port -}}
{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
{{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
{{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
{{- end }}
{{- end }}
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1
{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}
labels:
{{- include "kanidm.labels" . | nindent 4 }}
{{- with .Values.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
ingressClassName: {{ .Values.ingress.className }}
{{- end }}
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ .path }}
{{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
pathType: {{ .pathType }}
{{- end }}
backend:
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
service:
name: {{ $fullName }}
port:
number: {{ $svcPort }}
{{- else }}
serviceName: {{ $fullName }}
servicePort: {{ $svcPort }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
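Review bot: The backend here is the `http` service port, but kanidm terminates TLS itself (values `tls_chain`/`tls_key`, probes with `scheme: HTTPS`), and most ingress controllers proxy plain HTTP to the backend unless told otherwise, so with the default values requests through this Ingress would fail at the pod; for ingress-nginx the fix is the annotation `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"`, which could be added to the commented `ingress.annotations` example in values.yaml. Behind any proxy the client address kanidm records will be the ingress pod's unless `[http_client_address_info]` / `x-forward-for` in server.toml is configured with the proxy's address range (it is commented out in the configmap), which matters for the audit trail of authentication events. If the hostname users reach differs from `kanidm.domain`, the `origin` computed in the configmap will not match and the server refuses to start, as the configmap comment already warns.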

26
kanidm/templates/pvc.yaml Normal file

@ -0,0 +1,26 @@
---
{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: {{ template "kanidm.fullname" . }}-data
labels:
{{- include "kanidm.labels" . | nindent 4 }}
{{- if .Values.persistence.annotations }}
annotations:
{{ toYaml .Values.persistence.annotations | indent 4 }}
{{- end }}
spec:
accessModes:
- {{ .Values.persistence.accessMode | quote }}
resources:
requests:
storage: {{ .Values.persistence.size | quote }}
{{- if .Values.persistence.storageClass }}
{{- if (eq "-" .Values.persistence.storageClass) }}
storageClassName: ""
{{- else }}
storageClassName: "{{ .Values.persistence.storageClass }}"
{{- end }}
{{- end }}
{{- end }}
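Review bot: The claim name convention established here (`<fullname>-data`, created only when `persistence.existingClaim` is unset) does not match what deployment.yaml mounts when a claim is supplied: `claimName: {{ .Values.persistence.existingClaim | default (include "kanidm.fullname" .) }}-data` appends `-data` to the user's claim name too, so `existingClaim: my-pvc` would look for `my-pvc-data` and the pod would never schedule. In deployment.yaml that line should read `claimName: {{ .Values.persistence.existingClaim | default (printf "%s-data" (include "kanidm.fullname" .)) }}`. Since this volume also holds the generated TLS key (`/data/key.pem`) and the online backups (`/data/kanidm/backups/` by default), a note in values.yaml that backups live on the same volume as the database would help operators plan off-volume copies.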


@ -0,0 +1,26 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "kanidm.fullname" . }}
labels:
{{- include "kanidm.labels" . | nindent 4 }}
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["list", "get", "watch", "create", "delete"]
- apiGroups: [""]
resources: ["pods/exec"]
verbs: ["create"]
- apiGroups: [""]
resources: ["pods/log"]
verbs: ["get"]
- apiGroups: [""]
resources: ["pods/attach"]
verbs: ["list", "get", "create", "delete", "update"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["list", "get", "create", "delete", "update"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["list", "get", "create", "delete", "update"]
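Review bot: The Role grants far more than the single in-cluster operation visible in deployment.yaml (`kubectl delete`/`create secret kanidm-passwords`): `create` on `pods/exec` and `pods/attach` plus `create`/`delete` on `pods` let the bound service account run commands in or replace any pod in the namespace, and `list`+`get` on `secrets` and `configmaps` expose every other workload's configuration and credentials there. Because the token is automounted into the long-running kanidm container as well, a compromise of the identity server process would inherit these rights. Trim the rules to the secret the init container actually manages (`create` cannot be restricted by `resourceNames`, the other verbs can), as below.

```yaml
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["kanidm-passwords"]
    verbs: ["get", "delete"]
```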


@ -0,0 +1,15 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "kanidm.fullname" . }}
labels:
{{- include "kanidm.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
name: {{ include "kanidm.fullname" . }}
kind: Role
subjects:
- kind: ServiceAccount
name: {{ include "kanidm.fullname" . }}
namespace: {{ .Release.Namespace }}


@ -0,0 +1,21 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "kanidm.fullname" . }}
labels:
{{- include "kanidm.labels" . | nindent 4 }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.port }}
targetPort: http
protocol: TCP
name: http
{{- if .Values.kanidmLdap.enabled }}
- port: {{ .Values.service.ldap }}
targetPort: ldap
protocol: TCP
name: ldap
{{- end }}
selector:
{{- include "kanidm.selectorLabels" . | nindent 4 }}
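Review bot: The first service port is named `http` although it carries TLS (kanidm is configured with `tls_chain`/`tls_key` and the probes use `scheme: HTTPS`). Service meshes such as Istio infer the application protocol from the port name, so `http` would make a sidecar attempt HTTP/1.1 parsing on TLS traffic; naming it `https` (here `name: https` and `targetPort: https`, with the matching `- name: https` container port in deployment.yaml and `port: https` in the values probes) avoids that and reads correctly in `kubectl get svc` output.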


@ -0,0 +1,13 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "kanidm.serviceAccountName" . }}
labels:
{{- include "kanidm.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
{{- end }}
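Review bot: `automountServiceAccountToken` (default `true` in values.yaml) mounts the API token into every container of the pod, but the only in-cluster API client visible in the chart is the `kubectl` call in the db-pass init container, so the long-running kanidm container carries a credential it never uses while the Role bound to this account is namespace-wide. Consider setting it to `false` and mounting a projected `serviceAccountToken` volume only into the db-pass init container, or at least documenting in values.yaml why the token must be mounted: `# required: the db-pass init container uses kubectl to write the admin password secret`.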


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: "{{ include "kanidm.fullname" . }}-test-connection"
labels:
{{- include "kanidm.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": test
spec:
containers:
- name: wget
image: busybox
command: ['wget']
args: ['{{ include "kanidm.fullname" . }}:{{ .Values.service.port }}']
restartPolicy: Never
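Review bot: The test pod fetches `<fullname>:443` with busybox wget as plain HTTP, but the server only speaks TLS on that port (`tls_chain`/`tls_key`, probes with `scheme: HTTPS`), so `helm test` will fail against a correctly running release. Pointing it at the status endpoint the probes use, with verification disabled because the chart's `cert-generate` init container produces a self-signed certificate by default, makes the test meaningful: `args: ['--spider', '--no-check-certificate', 'https://{{ include "kanidm.fullname" . }}:{{ .Values.service.port }}/status']`. `image: busybox` also floats to `latest`; pinning a tag keeps the test reproducible.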

154
kanidm/values.yaml Normal file

@ -0,0 +1,154 @@
# Default values for kanidm.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
replicaCount: 1
strategy:
type: Recreate
image:
repository: gitea.geekhome.org/ghp/kanidm
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
tag: "1.6.4-1"
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
kanidm:
bindaddress: "[::]:{{ .Values.service.port }}"
domain: "idm.example.com"
#origin: "https://{{ .Values.kanidm.domain }}:{{ .Values.service.port }}"
db_path: "/data/kanidm.db"
#db_fs_type: "zfs"
#db_arc_size: "2048"
tls_chain: "/data/chain.pem"
tls_key: "/data/key.pem"
log_level: "debug"
kanidmLdap:
enabled: false
dapbindaddress: "[::]:{{ .Values.service.ldap }}"
kanidmOnlineBackup:
enabled: true
path: "/data/kanidm/backups/"
schedule: "00 22 * * *"
versions: "7"
serviceAccount:
# Specifies whether a service account should be created
create: true
# Automatically mount a ServiceAccount's API credentials?
automount: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
podAnnotations: {}
podLabels: {}
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
service:
type: ClusterIP
port: 443
ldap: 636
ingress:
enabled: false
className: ""
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
hosts:
- host: chart-example.local
paths:
- path: /
pathType: ImplementationSpecific
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
persistence:
enabled: true
annotations: {}
## PeerTube data Persistent Volume Storage Class
## If defined, storageClassName: <storageClass>
## If set to "-", storageClassName: "", which disables dynamic provisioning
## If undefined (the default) or set to null, no storageClassName spec is
## set, choosing the default provisioner. (gp2 on AWS, standard on
## GKE, AWS & OpenStack)
##
# storageClass: "-"
## A manually managed Persistent Volume and Claim
## Requires persistence.enabled: true
## If defined, PVC must be created manually before volume will be bound
# existingClaim:
accessMode: ReadWriteOnce
size: 1Gi
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
livenessProbe:
httpGet:
scheme: HTTPS
path: /status
port: http
readinessProbe:
httpGet:
scheme: HTTPS
path: /status
port: http
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 100
targetCPUUtilizationPercentage: 80
# targetMemoryUtilizationPercentage: 80
# Additional volumes on the output Deployment definition.
volumes: []
# - name: foo
# secret:
# secretName: mysecret
# optional: false
# Additional volumeMounts on the output Deployment definition.
volumeMounts: []
# - name: foo
# mountPath: "/etc/foo"
# readOnly: true
nodeSelector: {}
tolerations: []
affinity: {}
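Review bot: `kanidmLdap.dapbindaddress` looks like a misspelling of kanidm's `ldapbindaddress` setting; the configmap template that consumes it is outside this view, so either it references the same misspelled key (and anyone setting `ldapbindaddress` is silently ignored) or the value is never rendered — either way the key should be renamed and checked against the template. `log_level: "debug"` is a surprising default for an identity server; `"info"` keeps the audit-relevant events without the verbosity, and a comment could say why debug was chosen if it is deliberate. `bindaddress: "[::]:{{ .Values.service.port }}"` only works if the configmap renders it through `tpl`, as it does for `domain` in `origin`; worth confirming, since otherwise the literal braces end up in server.toml. A comment on `kanidmOnlineBackup.path` noting that backups land on the same PVC as the database would help operators, e.g. `# backups are written to the data volume; copy them elsewhere for disaster recovery`.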


@ -0,0 +1,129 @@
# This is a GitHub workflow defining a set of jobs with a set of steps.
# ref: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions
#
name: Test chart
on:
pull_request:
paths-ignore:
- "README.md"
push:
branches-ignore:
- "dependabot/**"
workflow_dispatch:
permissions:
contents: read
jobs:
lint-templates:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v3
- uses: actions/setup-python@v4
with:
python-version: "3.x"
- name: Install dependencies (yamllint)
run: pip install yamllint
- run: helm dependency update
- name: helm lint
run: |
helm lint . \
--values dev-values.yaml
- name: helm template
run: |
helm template . \
--values dev-values.yaml \
--output-dir rendered-templates
- name: yamllint (only on templates we manage)
run: |
rm -rf rendered-templates/mastodon/charts
yamllint rendered-templates \
--config-data "{rules: {indentation: {spaces: 2}, line-length: disable}}"
# This job helps us validate that rendered templates are valid k8s resources
# against a k8s api-server, via "helm template --validate", but also that a
# basic configuration can be used to successfully startup mastodon.
#
test-install:
runs-on: ubuntu-24.04
timeout-minutes: 15
strategy:
fail-fast: false
matrix:
include:
# k3s-channel reference: https://update.k3s.io/v1-release/channels
- k3s-channel: latest
- k3s-channel: stable
# This represents the oldest configuration we test against.
#
# The k8s version chosen is based on the oldest still supported k8s
# version among two managed k8s services, GKE, EKS.
# - GKE: https://endoflife.date/google-kubernetes-engine
# - EKS: https://endoflife.date/amazon-eks
#
# The helm client's version can influence what helper functions is
# available for use in the templates, currently we need v3.6.0 or
# higher.
#
- k3s-channel: v1.28
helm-version: v3.8.0
env:
HELM_EXPERIMENTAL_OCI: "1"
steps:
- uses: actions/checkout@v3
# This action starts a k8s cluster with NetworkPolicy enforcement and
# installs both kubectl and helm.
#
# ref: https://github.com/jupyterhub/action-k3s-helm#readme
#
- uses: jupyterhub/action-k3s-helm@v3
with:
k3s-channel: ${{ matrix.k3s-channel }}
helm-version: ${{ matrix.helm-version }}
metrics-enabled: false
traefik-enabled: false
docker-enabled: false
- run: helm dependency update
# Validate rendered helm templates against the k8s api-server
- name: helm template --validate
run: |
helm template --validate mastodon . \
--values dev-values.yaml
- name: helm install
run: |
helm install mastodon . \
--values dev-values.yaml \
--timeout 15m
# This actions provides a report about the state of the k8s cluster,
# providing logs etc on anything that has failed and workloads marked as
# important.
#
# ref: https://github.com/jupyterhub/action-k8s-namespace-report#readme
#
- name: Kubernetes namespace report
uses: jupyterhub/action-k8s-namespace-report@v1
if: always()
with:
important-workloads: >-
deploy/mastodon-sidekiq
deploy/mastodon-streaming
deploy/mastodon-web
job/mastodon-create-admin
job/mastodon-db-migrate
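Review bot: Every third-party action is referenced by a mutable tag (`actions/checkout@v3`, `actions/setup-python@v4`, `jupyterhub/action-k3s-helm@v3`, `jupyterhub/action-k8s-namespace-report@v1`), so a moved tag changes what runs in this workflow without any diff in the repository; pinning to a full commit SHA with the version in a trailing comment, e.g. `- uses: actions/checkout@<commit-sha> # v3`, is the usual mitigation, and `pip install yamllint` could likewise pin a version. `permissions: contents: read` at the workflow level is the right default and should stay. The `test-install` job installs with a 15 minute timeout but the lint job has none; a `timeout-minutes` on `lint-templates` as well keeps a hung `helm dependency update` from occupying a runner.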

1
mastodon/.gitignore vendored

@ -1 +1,2 @@
charts/
.DS_Store

243
mastodon/CHANGELOG.md Normal file

@ -0,0 +1,243 @@
# 6.5.0
Updated the Mastodon version to v4.4.1. Please read the [4.4.0 release notes](https://github.com/mastodon/mastodon/releases/tag/v4.4.0) before updating from a version < 4.4. In particular:
- Redis & Postgres minimum versions have been bumped to 6.2 and 13 respectively
- Redis namespace support has been dropped
- No-downtime updates from versions before 4.3.0 are not supported
- Elasticsearch mappings need to be updated manually via `tootctl` after deploying this new version
- The new experimental Fediverse Auxiliary Service (`fasp`) Sidekiq queue needs to be added to the list of processed queues if you changed the default Sidekiq values
# 6.4.0
- Added configuration for [bulk SMTP](https://docs.joinmastodon.org/admin/config/#optional-bulk-email-settings):
```yaml
mastodon:
smtp:
bulk:
```
# 6.3.4
- Updated the Mastodon version to v4.3.9
# 6.3.3
- Updated the Mastodon version to v4.3.8
# 6.3.2
- No longer sets `DEFAULT_LOCALE` to `en` by default; leaves this value unset.
# 6.3.1
- Removed DB_POOL from the ConfigMap as we should never have to override this.
# 6.3.0
- Added `nodeSelector` fields for every resource type for better fine-grain tuning of where resources end up.
# 6.2.4
- Fixed an issue where redis secrets specified in values or the helm CLI wouldn't be used by the db-prepare job on install.
# 6.2.3
- Updated the Mastodon version to v4.3.7
# 6.2.2
- `app.kubernetes.io/version` shortens any potential digest hash to 7 characters to avoid hitting the 63 character label limit.
# 6.2.1
- Fixed some situations where disabling all bitnami charts caused it to error.
- Fixed a potential null postgresql host value error.
# 6.2.0
- Added ability to add pod labels to pods created from Deployment objects at the global level
# 6.1.1
- Updated the Mastodon version to v4.3.6
# 6.1.0
- Added a new job to re/build elasticsearch indices as a post-upgrade hook:
```yaml
mastodon:
hooks:
deploySearch:
```
# 6.0.3
- Updated the Mastodon version to v4.3.5
# 6.0.2
- Helm version tagging now utilizes `.Values.image.tag` when set.
# 6.0.1
- Added additional values to separate out `db:prepare` and `db:migrate` jobs and whether they should run:
```yaml
mastodon:
hooks:
dbPrepare:
enabled: true
dbMigrate:
enabled: true
```
# 6.0.0
### !! BREAKING CHANGES !!
- Services for web & streaming now use `ipFamilyPolicy: PreferDualStack`. This will cause upgrades on existing deployments to fail, as kubernetes cannot patch this field. Please remove both service objects before running `helm upgrade` (services are `mastodon-web` and `mastodon-streaming` by default).
### Features
- Added prometheus metrics config for web and sidekiq pods (feature will be available with Mastodon v4.4).
```yaml
mastodon:
metrics:
prometheus:
```
- Added ability to automatically upload assets to an S3 bucket:
```yaml
mastodon:
hooks:
s3Upload:
```
- Added OpenTelemetry metrics:
```yaml
mastodon:
otel:
---
mastodon:
sidekiq:
otel:
---
mastodon:
web:
otel:
```
- Fine-grained control of labels and annotations for both pods and deployments.
- Additional redis options for separate instances (app, sidekiq, cache).
- Configurable PodDisruptionBudgets for web and streaming pods.
### Fixes
- Various database migrations fixes
- Fixed first-time install DB setup on self-managed databases
- Fixed running migrations through a connection pooler.
- Removed old, unused jobs:
- chewy upgrade (use `tootctl search deploy` instead)
- assets precompile
# 5.1.0
- Added values for Active Record Encryption in Redis:
```yaml
mastodon:
secrets:
activeRecordEncryption:
primaryKey:
deterministicKey:
keyDerivationSalt:
```
- Small bugfix related to automatic secret generation
# [5.0.0](https://github.com/mastodon/chart/commit/63a052b6a5c19dabd172c15c1fd74298dcc544b2)
- Updated major versions of chart dependencies (postgres, redis, elasticsearch)
# [4.0.0](https://github.com/mastodon/chart/compare/920cf37..ae892d5)
- adds support for multiple Sidekiq deployments to be configured to manage
different sets of queues.
- smtp: replaces `enable_starttls_auto` boolean with `enable_starttls` setting
that defaults to `auto`.
- adds support for statsd publishing:
```
mastodon:
metrics:
statsd:
address:
```
- allows disabling the included redis deployment in order to use an existing external redis server:
```
redis:
enabled: false
```
- adds support for [authorized
fetch](https://docs.joinmastodon.org/admin/config/#authorized_fetch):
```
mastodon:
authorizedFetch: true
```
- removed the `HorizontalPodAutoscaler` and the global autoscaling configuration.
A number of other configuration options have been added, see [values.yaml](./values.yaml).
# 3.0.0
skipped
# 2.1.0
## ingressClassName and tls-acme changes
The annotations previously defaulting to nginx have been removed and support
for ingressClassName has been added.
```yaml
ingress:
annotations:
kubernetes.io/ingress.class: nginx
kubernetes.io/tls-acme: "true"
```
To restore the old functionality simply add the above snippet to your `values.yaml`,
but the recommendation is to replace these with `ingress.ingressClassName` and use
cert-manager's issuer/cluster-issuer instead of tls-acme.
If you're uncertain about your current setup leave `ingressClassName` empty and add
`kubernetes.io/tls-acme` to `ingress.annotations` in your `values.yaml`.
# 2.0.0
## Fixed labels
Because of the changes in [#19706](https://github.com/mastodon/mastodon/pull/19706) the upgrade may fail with the following error:
```Error: UPGRADE FAILED: cannot patch "mastodon-sidekiq"```
If you want an easy upgrade and you're comfortable with some downtime then
simply delete the -sidekiq, -web, and -streaming Deployments manually.
If you require a no-downtime upgrade then:
1. run `helm template` instead of `helm upgrade`
2. Copy the new -web and -streaming services into `services.yml`
3. Copy the new -web and -streaming deployments into `deployments.yml`
4. Append -temp to the name of each deployment in `deployments.yml`
5. `kubectl apply -f deployments.yml` then wait until all pods are ready
6. `kubectl apply -f services.yml`
7. Delete the old -sidekiq, -web, and -streaming deployments manually
8. `helm upgrade` like normal
9. `kubectl delete -f deployments.yml` to clear out the temporary deployments
## PostgreSQL passwords
If you've previously installed the chart and you're having problems with
postgres not accepting your password then make sure to set `username` to
`postgres` and `password` and `postgresPassword` to the same passwords.
```yaml
postgresql:
auth:
username: postgres
password: <same password>
postgresPassword: <same password>
```
And make sure to set `password` to the same value as `postgres-password`
in your `mastodon-postgresql` secret:
```kubectl edit secret mastodon-postgresql```

12
mastodon/Chart.lock Normal file

@ -0,0 +1,12 @@
dependencies:
- name: elasticsearch
repository: oci://registry-1.docker.io/bitnamicharts
version: 19.19.2
- name: postgresql
repository: oci://registry-1.docker.io/bitnamicharts
version: 14.2.3
- name: redis
repository: oci://registry-1.docker.io/bitnamicharts
version: 18.16.1
digest: sha256:684daaf2067d96e2aa6d93e9d29b7b13fc586f6ae929342e5e9c7c169b1c0748
generated: "2024-02-23T15:14:47.536480528-08:00"


@ -12,26 +12,26 @@ description: Mastodon is a free, open-source social network server based on Acti
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# This is the chart version. This version number should be incremented each time
# you make changes to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 4.0.1
version: 6.5.0
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
appVersion: 4.1.4
appVersion: "v4.4.1"
dependencies:
- name: elasticsearch
version: 19.6.0
repository: https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami
version: 19.19.2
repository: oci://registry-1.docker.io/bitnamicharts
condition: elasticsearch.enabled
- name: postgresql
version: 12.2.7
repository: https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami
version: 14.2.3
repository: oci://registry-1.docker.io/bitnamicharts
condition: postgresql.enabled
- name: redis
version: 17.9.3
repository: https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami
version: 18.16.1
repository: oci://registry-1.docker.io/bitnamicharts
condition: redis.enabled


@ -4,10 +4,18 @@ This is a [Helm](https://helm.sh/) chart for installing Mastodon into a
Kubernetes cluster. The basic usage is:
1. edit `values.yaml` or create a separate yaml file for custom values
1. `helm dep update`
1. `helm dep install`
1. `helm install --namespace mastodon --create-namespace my-mastodon ./ -f path/to/additional/values.yaml`
This chart is tested with k8s 1.21+ and helm 3.6.0+.
This chart is tested with k8s 1.21+ and helm 3.8.0+.
# NOTICE: Future Deprecation
We have plans in the very near future to deprecate this chart in favor of a [new git repo](https://github.com/mastodon/helm-charts), which has proper helm repository support (e.g. `helm repo add`), and will contain multiple charts, both for mastodon and for supplementary components that we make use of.
We still encourage suggestions and PRs to help make this chart better, and this repository will remain available after the new charts are ready to give users time to migrate. However, we will not be approving large PRs, or PRs that change fundamental chart functions, as those changes should be directed to the new charts.
Please see the pinned [GitHub issue](https://github.com/mastodon/chart/issues/129) for more info & discussion.
# Configuration
@ -64,57 +72,3 @@ Sidekiq deployments, its possible they will occur in the wrong order. After
upgrading Mastodon versions, it may sometimes be necessary to manually delete
the Rails and Sidekiq pods so that they are recreated against the latest
migration.
# Upgrades in 2.1.0
## ingressClassName and tls-acme changes
The annotations previously defaulting to nginx have been removed and support
for ingressClassName has been added.
```yaml
ingress:
annotations:
kubernetes.io/ingress.class: nginx
kubernetes.io/tls-acme: "true"
```
To restore the old functionality simply add the above snippet to your `values.yaml`,
but the recommendation is to replace these with `ingress.ingressClassName` and use
cert-manager's issuer/cluster-issuer instead of tls-acme.
If you're uncertain about your current setup leave `ingressClassName` empty and add
`kubernetes.io/tls-acme` to `ingress.annotations` in your `values.yaml`.
# Upgrades in 2.0.0
## Fixed labels
Because of the changes in [#19706](https://github.com/mastodon/mastodon/pull/19706) the upgrade may fail with the following error:
```Error: UPGRADE FAILED: cannot patch "mastodon-sidekiq"```
If you want an easy upgrade and you're comfortable with some downtime then
simply delete the -sidekiq, -web, and -streaming Deployments manually.
If you require a no-downtime upgrade then:
1. run `helm template` instead of `helm upgrade`
2. Copy the new -web and -streaming services into `services.yml`
3. Copy the new -web and -streaming deployments into `deployments.yml`
4. Append -temp to the name of each deployment in `deployments.yml`
5. `kubectl apply -f deployments.yml` then wait until all pods are ready
6. `kubectl apply -f services.yml`
7. Delete the old -sidekiq, -web, and -streaming deployments manually
8. `helm upgrade` like normal
9. `kubectl delete -f deployments.yml` to clear out the temporary deployments
## PostgreSQL passwords
If you've previously installed the chart and you're having problems with
postgres not accepting your password then make sure to set `username` to
`postgres` and `password` and `postgresPassword` to the same passwords.
```yaml
postgresql:
auth:
username: postgres
password: <same password>
postgresPassword: <same password>
```
And make sure to set `password` to the same value as `postgres-password`
in your `mastodon-postgresql` secret:
```kubectl edit secret mastodon-postgresql```


@ -7,6 +7,11 @@ mastodon:
vapid:
private_key: dummy-vapid-private_key
public_key: dummy-vapid-public_key
activeRecordEncryption:
primaryKey: dummy-are-primary_key
deterministicKey: dummy-are-deterministic_key
keyDerivationSalt: dummy-are-key_derivation_salt
# ref: https://github.com/bitnami/charts/tree/main/bitnami/redis#parameters
redis:
@ -23,3 +28,6 @@ elasticsearch:
replicaCount: 1
ingest:
replicaCount: 1
# -- Timezone for all pods unless overwritten
timezone: UTC


@ -0,0 +1,111 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Spec template for DB migration pre- and post-install/upgrade jobs.
*/}}
{{- define "mastodon.dbMigrateJob" -}}
apiVersion: batch/v1
kind: Job
metadata:
{{- if .prepare }}
name: {{ include "mastodon.fullname" . }}-db-prepare
{{- else if .preDeploy }}
name: {{ include "mastodon.fullname" . }}-db-pre-migrate
{{- else }}
name: {{ include "mastodon.fullname" . }}-db-post-migrate
{{- end }}
labels:
{{- include "mastodon.labels" . | nindent 4 }}
annotations:
{{- if .prepare }}
"helm.sh/hook": pre-install
{{- else if .preDeploy }}
"helm.sh/hook": pre-upgrade
{{- else }}
"helm.sh/hook": post-install,post-upgrade
{{- end }}
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
{{- if .prepare }}
"helm.sh/hook-weight": "-3"
{{- else }}
"helm.sh/hook-weight": "-2"
{{- end }}
spec:
template:
metadata:
name: {{ include "mastodon.fullname" . }}-db-migrate
{{- with .Values.jobAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
restartPolicy: Never
containers:
- name: {{ include "mastodon.fullname" . }}-db-migrate
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- bundle
- exec
- rake
{{- if .prepare }}
- db:prepare
{{- else }}
- db:migrate
{{- end }}
envFrom:
- secretRef:
name: {{ template "mastodon.secretName" . }}
env:
- name: "DB_HOST"
value: {{ template "mastodon.postgres.direct.host" . }}
- name: "DB_PORT"
value: {{ template "mastodon.postgres.direct.port" . }}
- name: "DB_NAME"
value: {{ template "mastodon.postgres.direct.database" . }}
- name: "DB_USER"
value: {{ .Values.postgresql.auth.username }}
- name: "DB_PASS"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.postgresql.secretName" . }}
key: password
- name: "REDIS_HOST"
value: {{ template "mastodon.redis.host" . }}
- name: "REDIS_PORT"
value: {{ .Values.redis.port | default "6379" | quote }}
{{- if .Values.redis.sidekiq.enabled }}
{{- if .Values.redis.sidekiq.hostname }}
- name: SIDEKIQ_REDIS_HOST
value: {{ .Values.redis.sidekiq.hostname }}
{{- end }}
{{- if .Values.redis.sidekiq.port }}
- name: SIDEKIQ_REDIS_PORT
value: {{ .Values.redis.sidekiq.port | quote }}
{{- end }}
{{- end }}
{{- if .Values.redis.cache.enabled }}
{{- if .Values.redis.cache.hostname }}
- name: CACHE_REDIS_HOST
value: {{ .Values.redis.cache.hostname }}
{{- end }}
{{- if .Values.redis.cache.port }}
- name: CACHE_REDIS_PORT
value: {{ .Values.redis.cache.port | quote }}
{{- end }}
{{- end }}
- name: "REDIS_DRIVER"
value: "ruby"
- name: "REDIS_PASSWORD"
valueFrom:
secretKeyRef:
{{- if and (.prepare) (not .Values.redis.enabled) (not .Values.redis.auth.existingSecret) (not .Values.redis.existingSecret) (.Values.redis.auth.password) }}
name: {{ template "mastodon.redis.secretName" . }}-pre-install
{{- else }}
name: {{ template "mastodon.redis.secretName" . }}
{{- end }}
key: redis-password
{{- if .preDeploy }}
- name: "SKIP_POST_DEPLOYMENT_MIGRATIONS"
value: "true"
{{- end }}
{{- end }}
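Review bot: `DB_PORT` is rendered unquoted (`value: {{ template "mastodon.postgres.direct.port" . }}`) while `REDIS_PORT` a few lines down is piped through `quote`; if that helper yields a bare number the env `value` becomes a YAML integer and the API server rejects the Job, because env values must be strings. Quoting it the same way, `value: {{ include "mastodon.postgres.direct.port" . | quote }}`, makes the two consistent (the helper itself is outside this hunk, so this is inferred from its naming). The Job also sets no `backoffLimit` or `activeDeadlineSeconds`, so a migration that fails against a misconfigured database is retried six times by default before the hook fails; an explicit `backoffLimit` under `spec:` would surface the failure sooner.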


@ -31,13 +31,25 @@ Create chart name and version as used by the chart label.
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Labels added on every Mastodon resource
*/}}
{{- define "mastodon.globalLabels" -}}
{{- range $k, $v := .Values.mastodon.labels }}
{{ $k }}: {{ quote $v }}
{{- end -}}
{{- end }}
{{/*
Common labels
*/}}
{{- define "mastodon.labels" -}}
helm.sh/chart: {{ include "mastodon.chart" . }}
{{ include "mastodon.selectorLabels" . }}
{{- if .Chart.AppVersion }}
{{ include "mastodon.globalLabels" . }}
{{- if .Values.image.tag }}
app.kubernetes.io/version: {{ regexReplaceAll "@(\\w+:\\w{0,7})\\w*" .Values.image.tag "@${1}" | quote }}
{{- else if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
@ -73,6 +85,28 @@ Create the name of the service account to use
{{- end }}
{{- end }}
{{/*
Create the name of the assets persistent volume to use
*/}}
{{- define "mastodon.pvc.assets" -}}
{{- if .Values.mastodon.persistence.assets.existingClaim }}
{{- printf "%s" (tpl .Values.mastodon.persistence.assets.existingClaim $) -}}
{{- else -}}
{{- printf "%s-assets" (include "mastodon.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Create the name of the system persistent volume to use
*/}}
{{- define "mastodon.pvc.system" -}}
{{- if .Values.mastodon.persistence.system.existingClaim }}
{{- printf "%s" (tpl .Values.mastodon.persistence.system.existingClaim $) -}}
{{- else -}}
{{- printf "%s-system" (include "mastodon.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Create a default fully qualified name for dependent services.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
@ -89,6 +123,60 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
{{- printf "%s-%s" .Release.Name "postgresql" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Establish which values we will use for remote connections
*/}}
{{- define "mastodon.postgres.host" -}}
{{- if .Values.postgresql.enabled }}
{{- printf "%s" (include "mastodon.postgresql.fullname" .) -}}
{{- else }}
{{- printf "%s" (required "When the postgresql chart is disabled .Values.postgresql.postgresqlHostname is required" .Values.postgresql.postgresqlHostname) -}}
{{- end }}
{{- end }}
{{- define "mastodon.postgres.port" -}}
{{- if .Values.postgresql.enabled }}
{{- printf "%d" 5432 | int | quote -}}
{{- else }}
{{- printf "%d" | default 5432 .Values.postgresql.postgresqlPort | int | quote -}}
{{- end }}
{{- end }}
{{/*
Establish which values we will use for direct remote DB connections
*/}}
{{- define "mastodon.postgres.direct.host" -}}
{{- if .Values.postgresql.direct.hostname }}
{{- printf "%s" .Values.postgresql.direct.hostname -}}
{{- else }}
{{- printf "%s" (include "mastodon.postgres.host" .) -}}
{{- end }}
{{- end }}
{{- define "mastodon.postgres.direct.port" -}}
{{- if .Values.postgresql.direct.port }}
{{- printf "%d" (int .Values.postgresql.direct.port) | quote -}}
{{- else }}
{{- printf "%s" (include "mastodon.postgres.port" .) -}}
{{- end }}
{{- end }}
{{- define "mastodon.postgres.direct.database" -}}
{{- if .Values.postgresql.direct.database }}
{{- printf "%s" .Values.postgresql.direct.database -}}
{{- else }}
{{- printf "%s" .Values.postgresql.auth.database -}}
{{- end }}
{{- end }}
{{- define "mastodon.redis.host" -}}
{{- if .Values.redis.enabled }}
{{- printf "%s-%s" (include "mastodon.redis.fullname" .) "master" -}}
{{- else }}
{{- printf "%s" (required "When the redis chart is disabled .Values.redis.hostname is required" .Values.redis.hostname) -}}
{{- end }}
{{- end }}
{{/*
Get the mastodon secret.
*/}}
@ -96,18 +184,26 @@ Get the mastodon secret.
{{- if .Values.mastodon.secrets.existingSecret }}
{{- printf "%s" (tpl .Values.mastodon.secrets.existingSecret $) -}}
{{- else -}}
{{- printf "%s" (include "common.names.fullname" .) -}}
{{- printf "%s" (include "mastodon.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Get the smtp secret.
Get the smtp secrets.
*/}}
{{- define "mastodon.smtp.secretName" -}}
{{- if .Values.mastodon.smtp.existingSecret }}
{{- printf "%s" (tpl .Values.mastodon.smtp.existingSecret $) -}}
{{- else -}}
{{- printf "%s-smtp" (include "common.names.fullname" .) -}}
{{- printf "%s-smtp" (include "mastodon.fullname" .) -}}
{{- end -}}
{{- end -}}
{{- define "mastodon.smtp.bulk.secretName" -}}
{{- if .Values.mastodon.smtp.bulk.existingSecret }}
{{- printf "%s" (tpl .Values.mastodon.smtp.bulk.existingSecret $) -}}
{{- else -}}
{{- printf "%s-smtp-bulk" (include "mastodon.fullname" .) -}}
{{- end -}}
{{- end -}}
@ -120,7 +216,7 @@ Get the postgresql secret.
{{- else if .Values.postgresql.enabled -}}
{{- printf "%s-postgresql" (tpl .Release.Name $) -}}
{{- else -}}
{{- printf "%s" (include "common.names.fullname" .) -}}
{{- printf "%s" (include "mastodon.fullname" .) -}}
{{- end -}}
{{- end -}}
@ -132,6 +228,38 @@ Get the redis secret.
{{- printf "%s" (tpl .Values.redis.auth.existingSecret $) -}}
{{- else if .Values.redis.existingSecret }}
{{- printf "%s" (tpl .Values.redis.existingSecret $) -}}
{{- else if .Values.redis.enabled -}}
{{- printf "%s-redis" (tpl .Release.Name $) -}}
{{- else -}}
{{- printf "%s-redis" (include "mastodon.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Get the redis secret (sidekiq).
*/}}
{{- define "mastodon.redis.sidekiq.secretName" -}}
{{- if .Values.redis.sidekiq.auth.existingSecret }}
{{- printf "%s" (tpl .Values.redis.sidekiq.auth.existingSecret $) -}}
{{- else if .Values.redis.auth.existingSecret }}
{{- printf "%s" (tpl .Values.redis.auth.existingSecret $) -}}
{{- else if .Values.redis.existingSecret }}
{{- printf "%s" (tpl .Values.redis.existingSecret $) -}}
{{- else -}}
{{- printf "%s-redis" (tpl .Release.Name $) -}}
{{- end -}}
{{- end -}}
{{/*
Get the redis secret (cache).
*/}}
{{- define "mastodon.redis.cache.secretName" -}}
{{- if .Values.redis.cache.auth.existingSecret }}
{{- printf "%s" (tpl .Values.redis.cache.auth.existingSecret $) -}}
{{- else if .Values.redis.auth.existingSecret }}
{{- printf "%s" (tpl .Values.redis.auth.existingSecret $) -}}
{{- else if .Values.redis.existingSecret }}
{{- printf "%s" (tpl .Values.redis.existingSecret $) -}}
{{- else -}}
{{- printf "%s-redis" (tpl .Release.Name $) -}}
{{- end -}}
@ -151,13 +279,14 @@ Return true if a mastodon secret object should be created
{{- end -}}
{{/*
Find highest number of needed database connections to set DB_POOL variable
Full hostname for a custom Elasticsearch cluster
*/}}
{{- define "mastodon.maxDbPool" -}}
{{/* Default MAX_THREADS for Puma is 5 */}}
{{- $poolSize := 5 }}
{{- range .Values.mastodon.sidekiq.workers }}
{{- $poolSize = max $poolSize .concurrency }}
{{- end }}
{{- $poolSize | quote }}
{{- end }}
{{- define "mastodon.elasticsearch.fullHostname" -}}
{{- if not .Values.elasticsearch.enabled }}
{{- if .Values.elasticsearch.tls }}
{{- printf "https://%s" (tpl .Values.elasticsearch.hostname $) -}}
{{- else -}}
{{- printf "%s" (tpl .Values.elasticsearch.hostname $) -}}
{{- end }}
{{- end -}}
{{- end -}}
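Review bot: `mastodon.postgres.port` computes the external port as `printf "%d" | default 5432 .Values.postgresql.postgresqlPort | int | quote`, which appears to work only because a bare `printf "%d"` yields the string `%!d(MISSING)` that `default` then receives as a surplus variadic argument and ignores; the same result reads plainly as `{{- .Values.postgresql.postgresqlPort | default 5432 | int | quote -}}`. Separately, the new `mastodon.redis.sidekiq.secretName` and `mastodon.redis.cache.secretName` helpers fall back to `<release>-redis` unconditionally, whereas `mastodon.redis.secretName` only does so when the bundled redis chart is enabled and otherwise uses `<fullname>-redis`. The visible callers only invoke the sidekiq/cache helpers when an `existingSecret` is set, so that fallback looks unreachable today, but if it is ever reached with `redis.enabled: false` it would point at a Secret nothing creates; a one-line comment above each of those defines stating that the fallback is only meaningful for the bundled chart would keep the two families from drifting further apart.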


@ -0,0 +1,65 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Spec template for mastodon secrets object.
*/}}
{{- define "mastodon.secrets.object" -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "mastodon.fullname" . }}
labels:
{{- include "mastodon.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": pre-install
"helm.sh/hook-weight": "-4"
type: Opaque
data:
{{- if .Values.mastodon.s3.enabled }}
{{- if not .Values.mastodon.s3.existingSecret }}
AWS_ACCESS_KEY_ID: "{{ .Values.mastodon.s3.access_key | b64enc }}"
AWS_SECRET_ACCESS_KEY: "{{ .Values.mastodon.s3.access_secret | b64enc }}"
{{- end }}
{{- end }}
{{- if not .Values.mastodon.secrets.existingSecret }}
{{- if not (empty .Values.mastodon.secrets.secret_key_base) }}
SECRET_KEY_BASE: "{{ .Values.mastodon.secrets.secret_key_base | b64enc }}"
{{- else }}
SECRET_KEY_BASE: {{ required "secret_key_base is required" .Values.mastodon.secrets.secret_key_base }}
{{- end }}
{{- if not (empty .Values.mastodon.secrets.otp_secret) }}
OTP_SECRET: "{{ .Values.mastodon.secrets.otp_secret | b64enc }}"
{{- else }}
OTP_SECRET: {{ required "otp_secret is required" .Values.mastodon.secrets.otp_secret }}
{{- end }}
{{- if not (empty .Values.mastodon.secrets.vapid.private_key) }}
VAPID_PRIVATE_KEY: "{{ .Values.mastodon.secrets.vapid.private_key | b64enc }}"
{{- else }}
VAPID_PRIVATE_KEY: {{ required "vapid.private_key is required" .Values.mastodon.secrets.vapid.private_key }}
{{- end }}
{{- if not (empty .Values.mastodon.secrets.vapid.public_key) }}
VAPID_PUBLIC_KEY: "{{ .Values.mastodon.secrets.vapid.public_key | b64enc }}"
{{- else }}
VAPID_PUBLIC_KEY: {{ required "vapid.public_key is required" .Values.mastodon.secrets.vapid.public_key }}
{{- end }}
{{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.primaryKey) }}
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: "{{ .Values.mastodon.secrets.activeRecordEncryption.primaryKey | b64enc }}"
{{- else }}
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: {{ required "activeRecordEncryption.primaryKey is required" .Values.mastodon.secrets.activeRecordEncryption.primaryKey }}
{{- end }}
{{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.deterministicKey) }}
ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: "{{ .Values.mastodon.secrets.activeRecordEncryption.deterministicKey | b64enc }}"
{{- else }}
ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: {{ required "activeRecordEncryption.deterministicKey is required" .Values.mastodon.secrets.activeRecordEncryption.deterministicKey }}
{{- end }}
{{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt) }}
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: "{{ .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt | b64enc }}"
{{- else }}
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: {{ required "activeRecordEncryption.keyDerivationSalt is required" .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt }}
{{- end }}
{{- end }}
{{- if not .Values.postgresql.enabled }}
{{- if not .Values.postgresql.auth.existingSecret }}
password: "{{ .Values.postgresql.auth.password | b64enc }}"
{{- end }}
{{- end }}
{{- end }}
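Review bot: The Secret rendered by `mastodon.secrets.object` carries `"helm.sh/hook": pre-install` only, so as far as this hunk shows it is created once at install and never refreshed when `mastodon.secrets.*`, `s3.access_key`/`access_secret` or `postgresql.auth.password` change in values — rotating a key through `helm upgrade` would silently leave the old value in the cluster. If that is intended, a comment above the annotation saying so would help; if not, `"helm.sh/hook": pre-install,pre-upgrade` (with Helm's default `before-hook-creation` delete policy) recreates it on upgrade. Each `{{- else }}` branch such as `SECRET_KEY_BASE: {{ required "secret_key_base is required" ... }}` is only reached when the value is empty, so `required` always fails there and the unencoded emit path is dead; `SECRET_KEY_BASE: "{{ required "secret_key_base is required" .Values.mastodon.secrets.secret_key_base | b64enc }}"` gives the same validation in one line and removes the appearance that a plaintext value could ever land in `data:`.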


@ -0,0 +1,54 @@
{{/*
The exporter container attached to every Mastodon pod
*/}}
{{- define "mastodon.statsdExporterContainer" }}
{{- with .Values.mastodon.metrics.statsd }}
{{- if and .exporter.enabled (not .address) }}
- name: statsd-exporter
image: prom/statsd-exporter
args:
- "--statsd.mapping-config=/statsd-mappings/mastodon.yml"
resources:
requests:
cpu: "0.1"
memory: "180M"
limits:
cpu: "0.5"
memory: "250M"
ports:
- name: statsd
containerPort: {{ .exporter.port }}
volumeMounts:
- name: statsd-mappings
mountPath: /statsd-mappings
{{- end }}
{{- end }}
{{- end }}
{{/*
The volume needed for the container above
*/}}
{{- define "mastodon.statsdExporterVolume" }}
{{- with .Values.mastodon.metrics.statsd }}
{{- if and .exporter.enabled (not .address) }}
- name: statsd-mappings
configMap:
name: {{ include "mastodon.fullname" $ }}-statsd-mappings
items:
- key: mastodon-statsd-mappings.yml
path: mastodon.yml
{{- end }}
{{- end }}
{{- end }}
{{/*
Labels added to every statsd_exporter-enabled pod
*/}}
{{- define "mastodon.statsdExporterLabels" }}
{{- with .Values.mastodon.metrics.statsd }}
{{- if and .exporter.enabled (not .address) }}
mastodon/statsd-exporter: "true"
{{- end }}
{{- end }}
{{- end }}
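Review bot: The sidecar in `mastodon.statsdExporterContainer` is declared as `image: prom/statsd-exporter` with no tag or digest, so every pod that enables the exporter pulls a floating `latest` and the image cannot be overridden from values the way the main image can. Pin it (a tag at minimum, a digest preferably) and drive it from a value, e.g. `image: "{{ .exporter.image.repository }}:{{ .exporter.image.tag }}"` with matching defaults in values.yaml — those keys are a proposal, they do not exist on this page. The sidecar also sets no `securityContext`, while the sibling sidekiq container applies `.Values.securityContext`, so whatever hardening the application container receives does not reach the exporter; a `securityContext:` block with the same `toYaml` include would close that gap. A short comment under the define noting that an explicit `.address` disables the sidecar entirely would also document the `(not .address)` precedence.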


@ -5,27 +5,50 @@ metadata:
labels:
{{- include "mastodon.labels" . | nindent 4 }}
data:
{{- if .Values.postgresql.enabled }}
DB_HOST: {{ template "mastodon.postgresql.fullname" . }}
DB_PORT: "5432"
{{- else }}
DB_HOST: {{ .Values.postgresql.postgresqlHostname }}
DB_PORT: {{ .Values.postgresql.postgresqlPort | default "5432" | quote }}
{{- end }}
DB_HOST: {{ template "mastodon.postgres.host" . }}
DB_PORT: {{ template "mastodon.postgres.port" . }}
DB_NAME: {{ .Values.postgresql.auth.database }}
DB_POOL: {{ include "mastodon.maxDbPool" . }}
DB_USER: {{ .Values.postgresql.auth.username }}
{{- if .Values.postgresql.readReplica.hostname }}
REPLICA_DB_HOST: {{ .Values.postgresql.readReplica.hostname }}
{{- end }}
{{- if .Values.postgresql.readReplica.port }}
REPLICA_DB_PORT: {{ .Values.postgresql.readReplica.port | quote }}
{{- end }}
{{- if .Values.postgresql.readReplica.auth.database }}
REPLICA_DB_NAME: {{ .Values.postgresql.readReplica.auth.database }}
{{- end }}
{{- if .Values.postgresql.readReplica.auth.username }}
REPLICA_DB_USER: {{ .Values.postgresql.readReplica.auth.username }}
{{- end }}
{{- if .Values.postgresql.readReplica.auth.password }}
REPLICA_DB_PASS: {{ .Values.postgresql.readReplica.auth.password }}
{{- end }}
PREPARED_STATEMENTS: {{ .Values.mastodon.preparedStatements | quote }}
{{- if .Values.mastodon.locale }}
DEFAULT_LOCALE: {{ .Values.mastodon.locale }}
{{- end }}
{{- if .Values.elasticsearch.enabled }}
ES_ENABLED: "true"
ES_PRESET: {{ .Values.elasticsearch.preset | default "single_node_cluster" | quote }}
ES_HOST: {{ template "mastodon.elasticsearch.fullname" . }}-master-hl
ES_PORT: "9200"
{{- else if .Values.elasticsearch.hostname }}
ES_ENABLED: "true"
ES_PRESET: {{ .Values.elasticsearch.preset | default "single_node_cluster" | quote }}
ES_HOST: {{ include "mastodon.elasticsearch.fullHostname" .}}
ES_PORT: {{ .Values.elasticsearch.port | default "9200" | quote }}
{{- end }}
{{- with .Values.elasticsearch.user }}
ES_USER: {{ . }}
{{- end }}
LOCAL_DOMAIN: {{ .Values.mastodon.local_domain }}
{{- with .Values.mastodon.web_domain }}
WEB_DOMAIN: {{ . }}
{{- end }}
{{- with .Values.mastodon.alternate_domains }}
ALTERNATE_DOMAINS: {{ join "," . }}
{{- end }}
{{- with .Values.mastodon.singleUserMode }}
SINGLE_USER_MODE: "true"
{{- end }}
@ -39,12 +62,32 @@ data:
MALLOC_ARENA_MAX: "2"
NODE_ENV: "production"
RAILS_ENV: "production"
{{- if .Values.redis.enabled }}
REDIS_HOST: {{ template "mastodon.redis.fullname" . }}-master
{{- else }}
REDIS_HOST: {{ required "When the redis chart is disabled .Values.redis.hostname is required" .Values.redis.hostname }}
{{- end }}
REDIS_HOST: {{ template "mastodon.redis.host" . }}
REDIS_PORT: {{ .Values.redis.port | default "6379" | quote }}
{{- if .Values.redis.sidekiq.enabled }}
{{- if .Values.redis.sidekiq.hostname }}
SIDEKIQ_REDIS_HOST: {{ .Values.redis.sidekiq.hostname }}
{{- else }}
SIDEKIQ_REDIS_HOST: {{ .Values.redis.hostname }}
{{- end }}
{{- if .Values.redis.sidekiq.port }}
SIDEKIQ_REDIS_PORT: {{ .Values.redis.sidekiq.port | quote }}
{{- else }}
SIDEKIQ_REDIS_PORT: {{ .Values.redis.port | default "6379" | quote }}
{{- end }}
{{- end }}
{{- if .Values.redis.cache.enabled }}
{{- if .Values.redis.cache.hostname }}
CACHE_REDIS_HOST: {{ .Values.redis.cache.hostname }}
{{- else }}
CACHE_REDIS_HOST: {{ .Values.redis.hostname}}
{{- end }}
{{- if .Values.redis.cache.port }}
CACHE_REDIS_PORT: {{ .Values.redis.cache.port | quote }}
{{- else }}
CACHE_REDIS_PORT: {{ .Values.redis.port | default "6379" | quote }}
{{- end }}
{{- end }}
{{- if .Values.mastodon.s3.enabled }}
S3_BUCKET: {{ .Values.mastodon.s3.bucket }}
S3_ENABLED: "true"
@ -60,6 +103,12 @@ data:
{{- with .Values.mastodon.s3.alias_host }}
S3_ALIAS_HOST: {{ . }}
{{- end }}
{{- with .Values.mastodon.s3.multipart_threshold }}
S3_MULTIPART_THRESHOLD: "{{ . }}"
{{- end }}
{{- with .Values.mastodon.s3.override_path_style }}
S3_OVERRIDE_PATH_STYLE: "{{ . }}"
{{- end }}
{{- end }}
{{- with .Values.mastodon.smtp.auth_method }}
SMTP_AUTH_METHOD: {{ . }}
@ -80,7 +129,10 @@ data:
SMTP_ENABLE_STARTTLS_AUTO: {{ . | quote }}
{{- end }}
{{- with .Values.mastodon.smtp.from_address }}
SMTP_FROM_ADDRESS: {{ . }}
SMTP_FROM_ADDRESS: {{ . | quote }}
{{- end }}
{{- with .Values.mastodon.smtp.return_path }}
SMTP_RETURN_PATH: {{ . | quote }}
{{- end }}
{{- with .Values.mastodon.smtp.openssl_verify_mode }}
SMTP_OPENSSL_VERIFY_MODE: {{ . }}
@ -89,7 +141,7 @@ data:
SMTP_PORT: {{ . | quote }}
{{- end }}
{{- with .Values.mastodon.smtp.reply_to }}
SMTP_REPLY_TO: {{ . }}
SMTP_REPLY_TO: {{ . | quote }}
{{- end }}
{{- with .Values.mastodon.smtp.server }}
SMTP_SERVER: {{ . }}
@ -97,10 +149,45 @@ data:
{{- with .Values.mastodon.smtp.tls }}
SMTP_TLS: {{ . | quote }}
{{- end }}
{{- if .Values.mastodon.smtp.bulk.enabled }}
{{- with .Values.mastodon.smtp.bulk.auth_method }}
BULK_SMTP_AUTH_METHOD: {{ . }}
{{- end }}
{{- with .Values.mastodon.smtp.bulk.ca_file }}
BULK_SMTP_CA_FILE: {{ . }}
{{- end }}
{{- with .Values.mastodon.smtp.bulk.domain }}
BULK_SMTP_DOMAIN: {{ . }}
{{- end }}
{{- with .Values.mastodon.smtp.bulk.enable_starttls }}
BULK_SMTP_ENABLE_STARTTLS: {{ . | quote }}
{{- end }}
{{- with .Values.mastodon.smtp.bulk.enable_starttls_auto }}
BULK_SMTP_ENABLE_STARTTLS_AUTO: {{ . | quote }}
{{- end }}
{{- with .Values.mastodon.smtp.bulk.from_address }}
BULK_SMTP_FROM_ADDRESS: {{ . | quote }}
{{- end }}
{{- with .Values.mastodon.smtp.bulk.openssl_verify_mode }}
BULK_SMTP_OPENSSL_VERIFY_MODE: {{ . }}
{{- end }}
{{- with .Values.mastodon.smtp.bulk.port }}
BULK_SMTP_PORT: {{ . | quote }}
{{- end }}
{{- with .Values.mastodon.smtp.bulk.server }}
BULK_SMTP_SERVER: {{ . }}
{{- end }}
{{- with .Values.mastodon.smtp.bulk.tls }}
BULK_SMTP_TLS: {{ . | quote }}
{{- end }}
{{- end }}
STREAMING_CLUSTER_NUM: {{ .Values.mastodon.streaming.workers | quote }}
{{- with .Values.mastodon.streaming.base_url }}
STREAMING_API_BASE_URL: {{ . | quote }}
{{- end }}
{{- if .Values.mastodon.trusted_proxy_ip }}
TRUSTED_PROXY_IP: {{ .Values.mastodon.trusted_proxy_ip }}
{{ end }}
{{- if .Values.externalAuth.oidc.enabled }}
OIDC_ENABLED: {{ .Values.externalAuth.oidc.enabled | quote }}
OIDC_DISPLAY_NAME: {{ .Values.externalAuth.oidc.display_name }}
@ -322,6 +409,34 @@ data:
LDAP_UID_CONVERSION_REPLACE: {{ . }}
{{- end }}
{{- end }}
{{- with .Values.mastodon.metrics.statsd.address }}
STATSD_ADDR: {{ . }}
{{- if .Values.mastodon.metrics.statsd.address }}
STATSD_ADDR: {{ .Values.mastodon.metrics.statsd.address }}
{{- else if .Values.mastodon.metrics.statsd.exporter.enabled }}
STATSD_ADDR: localhost:9125
{{- end }}
{{- range $k, $v := .Values.mastodon.extraEnvVars }}
{{ $k }}: {{ quote $v }}
{{- end }}
{{- if .Values.mastodon.deepl.enabled }}
DEEPL_PLAN: {{ .Values.mastodon.deepl.plan }}
{{- end }}
{{- if .Values.mastodon.hcaptcha.enabled }}
HCAPTCHA_SITE_KEY: {{ .Values.mastodon.hcaptcha.siteId }}
{{- end }}
{{- if .Values.mastodon.cacheBuster.enabled }}
CACHE_BUSTER_ENABLED: "true"
{{- if .Values.mastodon.cacheBuster.httpMethod }}
CACHE_BUSTER_HTTP_METHOD: {{ .Values.mastodon.cacheBuster.httpMethod }}
{{- end }}
{{- if .Values.mastodon.cacheBuster.authHeader }}
CACHE_BUSTER_SECRET_HEADER: {{ .Values.mastodon.cacheBuster.authHeader }}
{{- end }}
{{- else }}
CACHE_BUSTER_ENABLED: "false"
{{- end }}
{{- with .Values.timezone }}
TZ: {{ . | quote }}
{{- end }}
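Review bot: `REPLICA_DB_PASS: {{ .Values.postgresql.readReplica.auth.password }}` in the first hunk writes a database password into the `-env` ConfigMap, which is readable by anyone with ConfigMap read access in the namespace and is not treated as sensitive by Helm output or cluster tooling; the `existingSecret` path in the sidekiq deployment already injects `REPLICA_DB_PASS` via `secretKeyRef`, so the plain-password case should go through the chart's Secret in the same way rather than through this ConfigMap. The value is also unquoted, so a password that happens to look like a number or boolean would be retyped by the YAML parser. In the `@ -39,12 +62,32 @@` hunk the `SIDEKIQ_REDIS_HOST` and `CACHE_REDIS_HOST` fallbacks read `.Values.redis.hostname` directly; with the bundled redis chart enabled that value is presumably empty, so the keys render empty, whereas the db-migrate job only emits them when an explicit hostname is set — `SIDEKIQ_REDIS_HOST: {{ template "mastodon.redis.host" . }}` (and the cache equivalent) would match the `REDIS_HOST` line just above. `{{ .Values.redis.hostname}}` on the cache fallback is also missing its closing space.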


@ -36,10 +36,10 @@ spec:
volumes:
- name: assets
persistentVolumeClaim:
claimName: {{ template "mastodon.fullname" . }}-assets
claimName: {{ template "mastodon.pvc.assets" . }}
- name: system
persistentVolumeClaim:
claimName: {{ template "mastodon.fullname" . }}-system
claimName: {{ template "mastodon.pvc.system" . }}
{{- end }}
containers:
- name: {{ include "mastodon.fullname" . }}-media-remove
@ -65,6 +65,27 @@ spec:
secretKeyRef:
name: {{ template "mastodon.redis.secretName" . }}
key: redis-password
{{- if and .Values.redis.sidekiq.enabled .Values.redis.sidekiq.auth.existingSecret }}
- name: "SIDEKIQ_REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.sidekiq.secretName" . }}
key: redis-password
{{- end }}
{{- if and .Values.redis.cache.enabled .Values.redis.cache.auth.existingSecret }}
- name: "CACHE_REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.cache.secretName" . }}
key: redis-password
{{- end }}
{{- if and .Values.elasticsearch.existingSecret (or .Values.elasticsearch.enabled .Values.elasticsearch.hostname) }}
- name: "ES_PASS"
valueFrom:
secretKeyRef:
name: {{ .Values.elasticsearch.existingSecret }}
key: password
{{- end }}
- name: "PORT"
value: {{ .Values.mastodon.web.port | quote }}
{{- if (and .Values.mastodon.s3.enabled .Values.mastodon.s3.existingSecret) }}
@ -86,4 +107,8 @@ spec:
- name: system
mountPath: /opt/mastodon/public/system
{{- end }}
{{- with coalesce .Values.mastodon.cron.removeMedia.nodeSelector .Values.nodeSelector }}
nodeSelector:
{{- . | toYaml | nindent 12 }}
{{- end }}
{{- end }}
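Review bot: `SIDEKIQ_REDIS_PASSWORD` and `CACHE_REDIS_PASSWORD` are only injected when `redis.sidekiq.auth.existingSecret` / `redis.cache.auth.existingSecret` is set, so a release that enables a separate sidekiq or cache Redis by hostname alone gets no password variable for it; whether Mastodon then reuses `REDIS_PASSWORD` or connects unauthenticated is not visible here and should be confirmed and stated in values.yaml. The same pattern is repeated in the sidekiq deployment hunk `@ -80,17 +120,49 @@`, while the db-migrate job visible at the top of this page sets `SIDEKIQ_REDIS_HOST`/`SIDEKIQ_REDIS_PORT` but no `SIDEKIQ_REDIS_PASSWORD` at all, even when an existing secret is configured. A comment above the first `{{- if and .Values.redis.sidekiq.enabled ... }}` such as `# TODO confirm: without a dedicated secret no SIDEKIQ_REDIS_PASSWORD is set` would make the contract explicit until that is settled.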


@ -7,17 +7,31 @@ metadata:
name: {{ include "mastodon.fullname" $context }}-sidekiq-{{ .name }}
labels:
{{- include "mastodon.labels" $context | nindent 4 }}
{{- with $context.Values.mastodon.sidekiq.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
app.kubernetes.io/component: sidekiq-{{ .name }}
app.kubernetes.io/part-of: rails
annotations:
{{- with $context.Values.deploymentAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with $context.Values.mastodon.sidekiq.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if (has "scheduler" .queues) }}
{{- if (gt (int .replicas) 1) }}
{{ fail "The scheduler queue should never have more than 1 replicas" }}
{{- end }}
strategy:
type: Recreate
{{- end }}
{{- if $context.Values.mastodon.sidekiq.updateStrategy }}
strategy: {{- toYaml $context.Values.mastodon.sidekiq.updateStrategy | nindent 4 }}
{{- end }}
replicas: {{ .replicas }}
{{- if (ne (toString $context.Values.mastodon.revisionHistoryLimit) "<nil>") }}
revisionHistoryLimit: {{ $context.Values.mastodon.revisionHistoryLimit }}
{{- end }}
selector:
matchLabels:
{{- include "mastodon.selectorLabels" $context | nindent 6 }}
@ -29,11 +43,22 @@ spec:
{{- with $context.Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $context.Values.mastodon.sidekiq.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
# roll the pods to pick up any db migrations or other changes
{{- include "mastodon.rollingPodAnnotations" $context | nindent 8 }}
checksum/config-secrets: {{ include ( print $.Template.BasePath "/secret-smtp.yaml" ) $context | sha256sum | quote }}
checksum/config-secrets-smtp: {{ include ( print $.Template.BasePath "/secret-smtp.yaml" ) $context | sha256sum | quote }}
labels:
{{- include "mastodon.globalLabels" $context | nindent 8 }}
{{- include "mastodon.selectorLabels" $context | nindent 8 }}
{{- include "mastodon.statsdExporterLabels" $context | nindent 8 }}
{{- with $context.Values.mastodon.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $context.Values.mastodon.sidekiq.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
app.kubernetes.io/component: sidekiq-{{ .name }}
app.kubernetes.io/part-of: rails
spec:
@ -50,20 +75,35 @@ spec:
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if (not $context.Values.mastodon.s3.enabled) }}
{{- with (default (default $context.Values.topologySpreadConstraints $context.Values.mastodon.sidekiq.topologySpreadConstraints) .topologySpreadConstraints) }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
{{- if (not $context.Values.mastodon.s3.enabled) }}
- name: assets
persistentVolumeClaim:
claimName: {{ template "mastodon.fullname" $context }}-assets
claimName: {{ template "mastodon.pvc.assets" $context }}
- name: system
persistentVolumeClaim:
claimName: {{ template "mastodon.fullname" $context }}-system
claimName: {{ template "mastodon.pvc.system" $context }}
{{- end }}
{{- include "mastodon.statsdExporterVolume" $ | indent 8 }}
{{- if dig "customDatabaseConfigYml" "configMapRef" "name" false . }}
- name: config-database-yml
configMap:
name: {{ .customDatabaseConfigYml.configMapRef.name }}
{{- end }}
{{- with $context.Values.volumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: {{ $context.Chart.Name }}
{{- with $context.Values.mastodon.sidekiq.securityContext | default $context.Values.securityContext }}
securityContext:
{{- toYaml $context.Values.mastodon.sidekiq.securityContext | nindent 12 }}
image: "{{ $context.Values.image.repository }}:{{ $context.Values.image.tag | default $context.Chart.AppVersion }}"
{{- toYaml . | nindent 12 }}
{{- end }}
image: "{{ coalesce (dig "image" "repository" false .) $context.Values.image.repository }}:{{ coalesce (dig "image" "tag" false .) $context.Values.image.tag $context.Chart.AppVersion }}"
imagePullPolicy: {{ $context.Values.image.pullPolicy }}
command:
- bundle
@ -80,17 +120,49 @@ spec:
name: {{ include "mastodon.fullname" $context }}-env
- secretRef:
name: {{ template "mastodon.secretName" $context }}
{{- if $context.Values.mastodon.extraEnvFrom }}
- configMapRef:
name: {{ $context.Values.mastodon.extraEnvFrom }}
{{- end}}
env:
- name: "DB_PASS"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.postgresql.secretName" $context }}
key: password
{{- if $context.Values.postgresql.readReplica.auth.existingSecret }}
- name: "REPLICA_DB_PASS"
valueFrom:
secretKeyRef:
name: {{ $context.Values.postgresql.readReplica.auth.existingSecret }}
key: password
{{- end }}
- name: "REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.secretName" $context }}
key: redis-password
{{- if and $context.Values.redis.sidekiq.enabled $context.Values.redis.sidekiq.auth.existingSecret }}
- name: "SIDEKIQ_REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.sidekiq.secretName" $context }}
key: redis-password
{{- end }}
{{- if and $context.Values.redis.cache.enabled $context.Values.redis.cache.auth.existingSecret }}
- name: "CACHE_REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.cache.secretName" $context }}
key: redis-password
{{- end }}
{{- if and $context.Values.elasticsearch.existingSecret (or $context.Values.elasticsearch.enabled $context.Values.elasticsearch.hostname) }}
- name: "ES_PASS"
valueFrom:
secretKeyRef:
name: {{ $context.Values.elasticsearch.existingSecret }}
key: password
{{- end }}
- name: "SMTP_LOGIN"
valueFrom:
secretKeyRef:
@ -102,6 +174,21 @@ spec:
secretKeyRef:
name: {{ include "mastodon.smtp.secretName" $context }}
key: password
optional: true
{{- if $context.Values.mastodon.smtp.bulk.enabled }}
- name: "BULK_SMTP_LOGIN"
valueFrom:
secretKeyRef:
name: {{ include "mastodon.smtp.bulk.secretName" $context }}
key: login
optional: true
- name: "BULK_SMTP_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ include "mastodon.smtp.bulk.secretName" $context }}
key: password
optional: true
{{- end }}
{{- if (and $context.Values.mastodon.s3.enabled $context.Values.mastodon.s3.existingSecret) }}
- name: "AWS_SECRET_ACCESS_KEY"
valueFrom:
@ -114,18 +201,80 @@ spec:
name: {{ $context.Values.mastodon.s3.existingSecret }}
key: AWS_ACCESS_KEY_ID
{{- end }}
{{- if (not $context.Values.mastodon.s3.enabled) }}
{{- if and $context.Values.mastodon.deepl.enabled }}
- name: "DEEPL_API_KEY"
valueFrom:
secretKeyRef:
name: {{ $context.Values.mastodon.deepl.apiKeySecretRef.name }}
key: {{ $context.Values.mastodon.deepl.apiKeySecretRef.key }}
{{- end }}
{{- if and $context.Values.mastodon.cacheBuster.enabled $context.Values.mastodon.cacheBuster.authToken.existingSecret }}
- name: CACHE_BUSTER_SECRET
valueFrom:
secretKeyRef:
name: {{ $context.Values.mastodon.cacheBuster.authToken.existingSecret }}
key: password
{{- end }}
{{- if or $context.Values.mastodon.sidekiq.otel.enabled (and $context.Values.mastodon.otel.enabled (ne $context.Values.mastodon.sidekiq.otel.enabled false)) }}
- name: OTEL_EXPORTER_OTLP_ENDPOINT
value: {{ coalesce $context.Values.mastodon.sidekiq.otel.endpointUri $context.Values.mastodon.otel.endpointUri }}
- name: OTEL_SERVICE_NAME_PREFIX
value: {{ coalesce $context.Values.mastodon.sidekiq.otel.namePrefix $context.Values.mastodon.otel.namePrefix }}
- name: OTEL_SERVICE_NAME_SEPARATOR
value: "{{ coalesce $context.Values.mastodon.sidekiq.otel.nameSeparator $context.Values.mastodon.otel.nameSeparator }}"
{{- end }}
{{- if $context.Values.mastodon.metrics.prometheus.enabled }}
- name: MASTODON_PROMETHEUS_EXPORTER_ENABLED
value: "true"
- name: MASTODON_PROMETHEUS_EXPORTER_LOCAL
value: "true"
- name: MASTODON_PROMETHEUS_EXPORTER_HOST
value: "0.0.0.0"
- name: MASTODON_PROMETHEUS_EXPORTER_PORT
value: "{{ $context.Values.mastodon.metrics.prometheus.port }}"
{{- if $context.Values.mastodon.metrics.prometheus.sidekiq.detailed }}
- name: MASTODON_PROMETHEUS_EXPORTER_SIDEKIQ_DETAILED_METRICS
value: "true"
{{- end }}
{{- end }}
{{- if $context.Values.mastodon.metrics.prometheus.enabled }}
ports:
- name: prometheus
containerPort: {{ $context.Values.mastodon.metrics.prometheus.port }}
{{- end }}
volumeMounts:
{{- if (not $context.Values.mastodon.s3.enabled) }}
- name: assets
mountPath: /opt/mastodon/public/assets
- name: system
mountPath: /opt/mastodon/public/system
{{- end }}
{{- if dig "customDatabaseConfigYml" "configMapRef" "name" false . }}
- name: config-database-yml
mountPath: /opt/mastodon/config/database.yml
subPath: {{ .customDatabaseConfigYml.configMapRef.key }}
{{- end }}
{{- with $context.Values.volumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- if $context.Values.mastodon.sidekiq.readinessProbe.enabled }}
readinessProbe:
failureThreshold: {{ default 10 $context.Values.mastodon.sidekiq.readinessProbe.failureThreshold }}
exec:
command:
- cat
- {{ required "A valid sidekiq readiness path is required." $context.Values.mastodon.sidekiq.readinessProbe.path }}
initialDelaySeconds: {{ default 10 $context.Values.mastodon.sidekiq.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ default 2 $context.Values.mastodon.sidekiq.readinessProbe.periodSeconds }}
successThreshold: {{ default 1 $context.Values.mastodon.sidekiq.readinessProbe.successThreshold }}
timeoutSeconds: {{ default 1 $context.Values.mastodon.sidekiq.readinessProbe.timeoutSeconds }}
{{- end }}
resources:
{{- toYaml (default (default $context.Values.resources $context.Values.mastodon.sidekiq.resources) .resources) | nindent 12 }}
{{- with $context.Values.nodeSelector }}
{{- include "mastodon.statsdExporterContainer" $ | indent 8 }}
{{- with coalesce .nodeSelector $context.Values.mastodon.sidekiq.nodeSelector $context.Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- . | toYaml | nindent 8 }}
{{- end }}
{{- with $context.Values.tolerations }}
tolerations:
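Review bot: `OTEL_EXPORTER_OTLP_ENDPOINT` and `OTEL_SERVICE_NAME_PREFIX` are rendered unquoted (`value: {{ coalesce ... }}`) while `OTEL_SERVICE_NAME_SEPARATOR` two lines below is quoted; an endpoint or prefix that starts with a YAML indicator or looks like a number would be retyped or break the manifest, so append `| quote` to both, e.g. `value: {{ coalesce $context.Values.mastodon.sidekiq.otel.endpointUri $context.Values.mastodon.otel.endpointUri | quote }}`. The Prometheus exporter binds `MASTODON_PROMETHEUS_EXPORTER_HOST` to `0.0.0.0` and the port is declared as a containerPort, so the metrics endpoint is reachable from any workload that can route to the pod unless a NetworkPolicy restricts it; that is normal for scraping but deserves a comment on the `ports:` block and a note in values.yaml. The per-worker `image` override via `dig "image" ... .` lets one worker entry run a different image from the rest of the release, which matters to anyone auditing what is deployed, so a comment above the `image:` line stating that precedence would help. `{{- end}}` after `extraEnvFrom` is missing its space, a cosmetic inconsistency with every other `{{- end }}` in the file.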


@ -4,8 +4,24 @@ metadata:
name: {{ include "mastodon.fullname" . }}-streaming
labels:
{{- include "mastodon.labels" . | nindent 4 }}
{{- with .Values.mastodon.streaming.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
{{- with .Values.deploymentAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.mastodon.streaming.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.mastodon.streaming.replicas }}
{{- if (ne (toString .Values.mastodon.revisionHistoryLimit) "<nil>") }}
revisionHistoryLimit: {{ .Values.mastodon.revisionHistoryLimit }}
{{- end }}
{{- if .Values.mastodon.streaming.updateStrategy }}
strategy: {{- toYaml .Values.mastodon.streaming.updateStrategy | nindent 4 }}
{{- end }}
selector:
matchLabels:
{{- include "mastodon.selectorLabels" . | nindent 6 }}
@ -13,13 +29,23 @@ spec:
template:
metadata:
annotations:
{{- with (default .Values.podAnnotations .Values.mastodon.streaming.podAnnotations) }}
{{- with .Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.mastodon.streaming.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
# roll the pods to pick up any db migrations or other changes
{{- include "mastodon.rollingPodAnnotations" . | nindent 8 }}
labels:
{{- include "mastodon.globalLabels" . | nindent 8 }}
{{- include "mastodon.selectorLabels" . | nindent 8 }}
{{- with .Values.mastodon.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.mastodon.streaming.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
app.kubernetes.io/component: streaming
spec:
{{- with .Values.imagePullSecrets }}
@ -31,33 +57,90 @@ spec:
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.mastodon.streaming.extraCerts }}
{{- $name := .name | default "extra-certs" }}
volumes:
- name: {{ $name }}
secret:
secretName: {{ .existingSecret }}
items:
- key: ca.crt
path: trusted-ca.crt
{{- end }}
containers:
- name: {{ .Chart.Name }}-streaming
{{- with (default .Values.securityContext .Values.mastodon.streaming.securityContext) }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
image: "{{ .Values.mastodon.streaming.image.repository }}:{{ coalesce .Values.mastodon.streaming.image.tag .Values.image.tag .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- node
- ./streaming
{{- with .Values.mastodon.streaming.extraCerts }}
{{- $name := .name | default "extra-certs" }}
volumeMounts:
- name: {{ $name }}
mountPath: "/usr/local/share/ca-certificates"
{{- end }}
envFrom:
- configMapRef:
name: {{ include "mastodon.fullname" . }}-env
{{- if .Values.mastodon.extraEnvFrom }}
- configMapRef:
name: {{ .Values.mastodon.extraEnvFrom }}
{{- end}}
env:
{{- with .Values.mastodon.streaming.extraCerts }}
- name: "NODE_EXTRA_CA_CERTS"
value: "/usr/local/share/ca-certificates/trusted-ca.crt"
{{- with .sslMode }}
- name: "DB_SSLMODE"
value: {{ . }}
{{- end }}
{{- end }}
{{- with .Values.postgresql.postgresqlReplicaHostname }}
- name: "DB_HOST"
value: {{ . }}
{{- end }}
- name: "DB_PASS"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.postgresql.secretName" . }}
key: password
{{- if .Values.postgresql.readReplica.auth.existingSecret }}
- name: "REPLICA_DB_PASS"
valueFrom:
secretKeyRef:
name: {{ .Values.postgresql.readReplica.auth.existingSecret }}
key: password
{{- end }}
- name: "REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.secretName" . }}
key: redis-password
{{- if and .Values.redis.sidekiq.enabled .Values.redis.sidekiq.auth.existingSecret }}
- name: "SIDEKIQ_REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.sidekiq.secretName" . }}
key: redis-password
{{- end }}
{{- if and .Values.redis.cache.enabled .Values.redis.cache.auth.existingSecret }}
- name: "CACHE_REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.cache.secretName" . }}
key: redis-password
{{- end }}
- name: "PORT"
value: {{ .Values.mastodon.streaming.port | quote }}
{{- range $k, $v := .Values.mastodon.streaming.extraEnvVars }}
- name: {{ $k }}
value: {{ quote $v }}
{{- end }}
ports:
- name: streaming
containerPort: {{ .Values.mastodon.streaming.port }}
@ -70,18 +153,29 @@ spec:
httpGet:
path: /api/v1/streaming/health
port: streaming
startupProbe:
httpGet:
path: /api/v1/streaming/health
port: streaming
initialDelaySeconds: 5
failureThreshold: 15
periodSeconds: 5
{{- with (default .Values.resources .Values.mastodon.streaming.resources) }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.nodeSelector }}
{{- with coalesce .Values.mastodon.streaming.nodeSelector .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- . | toYaml | nindent 8 }}
{{- end }}
{{- with (default .Values.affinity .Values.mastodon.streaming.affinity) }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with (default .Values.topologySpreadConstraints .Values.mastodon.streaming.topologySpreadConstraints) }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
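Review bot: The streaming container's `image: "{{ .Values.mastodon.streaming.image.repository }}:…"` has no fallback to `.Values.image.repository`, unlike the web deployment and the assets-upload job in this same commit, which use `coalesce .Values.mastodon.web.image.repository .Values.image.repository`; if the streaming repository is left empty in values the rendered reference degenerates to `:<tag>`, assuming values.yaml does not already default it. Suggest `image: "{{ coalesce .Values.mastodon.streaming.image.repository .Values.image.repository }}:{{ coalesce .Values.mastodon.streaming.image.tag .Values.image.tag .Chart.AppVersion }}"`. The new `DB_SSLMODE` and `DB_HOST` entries emit their value unquoted (`value: {{ . }}`); env values must be strings, so `value: {{ . | quote }}` matches the `PORT` entry and avoids YAML type inference on whatever the operator sets. The final `tolerations:` block continues past the hunk.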


@ -4,8 +4,24 @@ metadata:
name: {{ include "mastodon.fullname" . }}-web
labels:
{{- include "mastodon.labels" . | nindent 4 }}
{{- with .Values.mastodon.web.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
{{- with .Values.deploymentAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.mastodon.web.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.mastodon.web.replicas }}
{{- if (ne (toString .Values.mastodon.revisionHistoryLimit) "<nil>") }}
revisionHistoryLimit: {{ .Values.mastodon.revisionHistoryLimit }}
{{- end }}
{{- if .Values.mastodon.web.updateStrategy }}
strategy: {{- toYaml .Values.mastodon.web.updateStrategy | nindent 4 }}
{{- end }}
selector:
matchLabels:
{{- include "mastodon.selectorLabels" . | nindent 6 }}
@ -14,13 +30,24 @@ spec:
template:
metadata:
annotations:
{{- with (default .Values.podAnnotations .Values.mastodon.web.podAnnotations) }}
{{- with .Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.mastodon.web.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
# roll the pods to pick up any db migrations or other changes
{{- include "mastodon.rollingPodAnnotations" . | nindent 8 }}
labels:
{{- include "mastodon.globalLabels" . | nindent 8 }}
{{- include "mastodon.selectorLabels" . | nindent 8 }}
{{- include "mastodon.statsdExporterLabels" . | nindent 8 }}
{{- with .Values.mastodon.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.mastodon.web.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: rails
spec:
@ -33,14 +60,23 @@ spec:
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if (not .Values.mastodon.s3.enabled) }}
volumes:
{{- if (not .Values.mastodon.s3.enabled) }}
- name: assets
persistentVolumeClaim:
claimName: {{ template "mastodon.fullname" . }}-assets
claimName: {{ template "mastodon.pvc.assets" . }}
- name: system
persistentVolumeClaim:
claimName: {{ template "mastodon.fullname" . }}-system
claimName: {{ template "mastodon.pvc.system" . }}
{{- end }}
{{- include "mastodon.statsdExporterVolume" $ | indent 8 }}
{{- if .Values.mastodon.web.customDatabaseConfigYml.configMapRef.name }}
- name: config-database-yml
configMap:
name: {{ .Values.mastodon.web.customDatabaseConfigYml.configMapRef.name }}
{{- end }}
{{- with .Values.volumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: {{ .Chart.Name }}-web
@ -48,7 +84,7 @@ spec:
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
image: "{{ coalesce .Values.mastodon.web.image.repository .Values.image.repository }}:{{ coalesce .Values.mastodon.web.image.tag .Values.image.tag .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- bundle
@ -61,17 +97,49 @@ spec:
name: {{ include "mastodon.fullname" . }}-env
- secretRef:
name: {{ template "mastodon.secretName" . }}
{{- if .Values.mastodon.extraEnvFrom }}
- configMapRef:
name: {{ .Values.mastodon.extraEnvFrom }}
{{- end}}
env:
- name: "DB_PASS"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.postgresql.secretName" . }}
key: password
{{- if .Values.postgresql.readReplica.auth.existingSecret }}
- name: "REPLICA_DB_PASS"
valueFrom:
secretKeyRef:
name: {{ .Values.postgresql.readReplica.auth.existingSecret}}
key: password
{{- end }}
- name: "REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.secretName" . }}
key: redis-password
{{- if and .Values.redis.sidekiq.enabled .Values.redis.sidekiq.auth.existingSecret }}
- name: "SIDEKIQ_REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.sidekiq.secretName" . }}
key: redis-password
{{- end }}
{{- if and .Values.redis.cache.enabled .Values.redis.cache.auth.existingSecret }}
- name: "CACHE_REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.cache.secretName" . }}
key: redis-password
{{- end }}
{{- if and .Values.elasticsearch.existingSecret (or .Values.elasticsearch.enabled .Values.elasticsearch.hostname) }}
- name: "ES_PASS"
valueFrom:
secretKeyRef:
name: {{ .Values.elasticsearch.existingSecret }}
key: password
{{- end }}
- name: "PORT"
value: {{ .Values.mastodon.web.port | quote }}
{{- if .Values.mastodon.web.minThreads }}
@ -102,13 +170,64 @@ spec:
name: {{ .Values.mastodon.s3.existingSecret }}
key: AWS_ACCESS_KEY_ID
{{- end }}
{{- if (not .Values.mastodon.s3.enabled) }}
{{- if .Values.mastodon.deepl.enabled }}
- name: "DEEPL_API_KEY"
valueFrom:
secretKeyRef:
name: {{ .Values.mastodon.deepl.apiKeySecretRef.name }}
key: {{ .Values.mastodon.deepl.apiKeySecretRef.key }}
{{- end }}
{{- if .Values.mastodon.hcaptcha.enabled }}
- name: "HCAPTCHA_SECRET_KEY"
valueFrom:
secretKeyRef:
name: {{ .Values.mastodon.hcaptcha.secretKeySecretRef.name }}
key: {{ .Values.mastodon.hcaptcha.secretKeySecretRef.key }}
{{- end }}
{{- if and .Values.mastodon.cacheBuster.enabled .Values.mastodon.cacheBuster.authToken.existingSecret }}
- name: CACHE_BUSTER_SECRET
valueFrom:
secretKeyRef:
name: {{ .Values.mastodon.cacheBuster.authToken.existingSecret }}
key: password
{{- end }}
{{- if or .Values.mastodon.web.otel.enabled (and .Values.mastodon.otel.enabled (ne .Values.mastodon.web.otel.enabled false)) }}
- name: OTEL_EXPORTER_OTLP_ENDPOINT
value: {{ coalesce .Values.mastodon.web.otel.endpointUri .Values.mastodon.otel.endpointUri }}
- name: OTEL_SERVICE_NAME_PREFIX
value: {{ coalesce .Values.mastodon.web.otel.namePrefix .Values.mastodon.otel.namePrefix }}
- name: OTEL_SERVICE_NAME_SEPARATOR
value: "{{ coalesce .Values.mastodon.web.otel.nameSeparator .Values.mastodon.otel.nameSeparator }}"
{{- end }}
{{- if .Values.mastodon.metrics.prometheus.enabled }}
- name: MASTODON_PROMETHEUS_EXPORTER_ENABLED
value: "true"
- name: PROMETHEUS_EXPORTER_HOST
value: "127.0.0.1"
- name: PROMETHEUS_EXPORTER_PORT
value: "{{ .Values.mastodon.metrics.prometheus.port }}"
{{- if .Values.mastodon.metrics.prometheus.web.detailed }}
- name: MASTODON_PROMETHEUS_EXPORTER_WEB_DETAILED_METRICS
value: "true"
{{- end }}
{{- end }}
- name: TEST_ENV_VALUE
value: {{ .Values.mastodon.metrics.statsd.address }}
volumeMounts:
{{- if (not .Values.mastodon.s3.enabled) }}
- name: assets
mountPath: /opt/mastodon/public/assets
- name: system
mountPath: /opt/mastodon/public/system
{{- end }}
{{- if .Values.mastodon.web.customDatabaseConfigYml.configMapRef.name }}
- name: config-database-yml
mountPath: /opt/mastodon/config/database.yml
subPath: {{ .Values.mastodon.web.customDatabaseConfigYml.configMapRef.key }}
{{- end }}
{{- with .Values.volumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
ports:
- name: http
containerPort: {{ .Values.mastodon.web.port }}
@ -124,21 +243,48 @@ spec:
httpGet:
path: /health
port: http
initialDelaySeconds: 15
failureThreshold: 30
periodSeconds: 5
{{- with (default .Values.resources .Values.mastodon.web.resources) }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.nodeSelector }}
{{- if .Values.mastodon.metrics.prometheus.enabled }}
- name: prometheus-exporter
image: "{{ coalesce .Values.mastodon.web.image.repository .Values.image.repository }}:{{ coalesce .Values.mastodon.web.image.tag .Values.image.tag .Chart.AppVersion }}"
command:
- ./bin/prometheus_exporter
args:
- "--bind"
- "0.0.0.0"
- "--port"
- "{{ .Values.mastodon.metrics.prometheus.port }}"
resources:
requests:
cpu: "0.1"
memory: "180M"
limits:
cpu: "0.5"
memory: "250M"
ports:
- name: prometheus
containerPort: {{ .Values.mastodon.metrics.prometheus.port }}
{{- end }}
{{- include "mastodon.statsdExporterContainer" $ | indent 8 }}
{{- with coalesce .Values.mastodon.web.nodeSelector .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- . | toYaml | nindent 8 }}
{{- end }}
{{- with (default .Values.affinity .Values.mastodon.web.affinity) }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
{{- with (default .Values.topologySpreadConstraints .Values.mastodon.web.topologySpreadConstraints) }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with (default .Values.tolerations .Values.mastodon.web.tolerations) }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
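Review bot: The unconditional `- name: TEST_ENV_VALUE` / `value: {{ .Values.mastodon.metrics.statsd.address }}` pair in the web container's env looks like leftover debugging: no consumer of that name is visible, and when `metrics.statsd.address` is unset it renders as a bare `value:` (null). Drop the two lines, or if the address is really needed, wrap it in `{{- with .Values.mastodon.metrics.statsd.address }}` and emit `value: {{ . | quote }}` under the variable name the application actually reads. The new `prometheus-exporter` sidecar carries no `securityContext`, while the main container takes `default .Values.securityContext .Values.mastodon.web.securityContext`; container-level settings such as `allowPrivilegeEscalation` or `readOnlyRootFilesystem` are not inherited from the pod-level block, so the sidecar should get the same `with`/`securityContext` stanza. `OTEL_EXPORTER_OTLP_ENDPOINT` and `OTEL_SERVICE_NAME_PREFIX` are emitted unquoted while `OTEL_SERVICE_NAME_SEPARATOR` is quoted; `| quote` on all three keeps them strings.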


@ -0,0 +1,57 @@
{{- if .Values.ingress.streaming.enabled -}}
{{- $fullName := include "mastodon.fullname" . -}}
{{- $webPort := .Values.mastodon.web.port -}}
{{- $streamingPort := .Values.mastodon.streaming.port -}}
{{- if or (.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") (not (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress")) -}}
apiVersion: networking.k8s.io/v1
{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}-streaming
labels:
{{- include "mastodon.labels" . | nindent 4 }}
{{- with .Values.ingress.streaming.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if .Values.ingress.streaming.ingressClassName }}
ingressClassName: {{ .Values.ingress.streaming.ingressClassName }}
{{- end }}
{{- if .Values.ingress.streaming.tls }}
tls:
{{- range .Values.ingress.streaming.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.streaming.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ .path }}api/v1/streaming
backend:
{{- if or ($.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") (not ($.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress")) }}
service:
name: {{ $fullName }}-streaming
port:
number: {{ $streamingPort }}
{{- else }}
serviceName: {{ $fullName }}-streaming
servicePort: {{ $streamingPort }}
{{- end }}
{{- if or ($.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") (not ($.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress")) }}
pathType: Prefix
{{- end }}
{{- end }}
{{- end }}
{{- end }}
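Review bot: `$webPort` is assigned at the top of the new streaming ingress (`{{- $webPort := .Values.mastodon.web.port -}}`) but never used, while the `networking.k8s.io/v1` capability check is repeated verbatim three times (apiVersion selection, backend shape, pathType). Drop the unused variable and compute the check once, e.g. `{{- $useV1 := or (.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") (not (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress")) -}}`, then `{{- if $useV1 }}` at the three sites. `path: {{ .path }}api/v1/streaming` and `secretName: {{ .secretName }}` are templated without `| quote`, unlike `host`; quoting keeps them plain strings whatever the values contain.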


@ -52,6 +52,7 @@ spec:
{{- if or ($.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") (not ($.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress")) }}
pathType: Prefix
{{- end }}
{{- if not $.Values.ingress.streaming.enabled }}
- path: {{ .path }}api/v1/streaming
backend:
{{- if or ($.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") (not ($.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress")) }}
@ -68,4 +69,5 @@ spec:
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}


@ -0,0 +1,97 @@
{{- if .Values.mastodon.hooks.s3Upload.enabled -}}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "mastodon.fullname" . }}-assets-upload
labels:
{{- include "mastodon.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"helm.sh/hook-weight": "-1"
spec:
template:
metadata:
name: {{ include "mastodon.fullname" . }}-assets-upload
{{- with .Values.jobAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
restartPolicy: Never
initContainers:
- name: extract-assets
image: "{{ coalesce .Values.mastodon.web.image.repository .Values.image.repository }}:{{ coalesce .Values.mastodon.web.image.tag .Values.image.tag .Chart.AppVersion }}"
imagePullPolicy: Always
command:
- cp
args:
- -rv
- public
- /assets
volumeMounts:
- mountPath: /assets
name: assets
containers:
- name: upload-assets
image: rclone/rclone:1
imagePullPolicy: Always
env:
- name: RCLONE_S3_NO_CHECK_BUCKET
value: "true"
- name: RCLONE_S3_ACL
value: {{ required "Please specify a canned ACL for S3 asset uploads" .Values.mastodon.hooks.s3Upload.acl }}
- name: RCLONE_CONFIG_REMOTE_TYPE
value: s3
- name: RCLONE_CONFIG_REMOTE_PROVIDER
value: AWS
- name: RCLONE_CONFIG_REMOTE_ENDPOINT
value: {{ required "Please specify an endpoint for S3 asset uploads" .Values.mastodon.hooks.s3Upload.endpoint }}
- name: RCLONE_CONFIG_REMOTE_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: {{ required "Please specify a secret with S3 credentials for S3 asset uploads" .Values.mastodon.hooks.s3Upload.secretRef.name }}
key: {{ .Values.mastodon.hooks.s3Upload.secretRef.keys.accesKeyId }}
- name: RCLONE_CONFIG_REMOTE_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: {{ required "Please specify a secret with S3 credentials for S3 asset uploads" .Values.mastodon.hooks.s3Upload.secretRef.name }}
key: {{ .Values.mastodon.hooks.s3Upload.secretRef.keys.secretAccessKey }}
{{- with .Values.mastodon.hooks.s3Upload.rclone.env }}
{{- toYaml . | nindent 12 }}
{{- end }}
command:
- rclone
args:
- copy
- /assets/public
- "remote:{{ required "Please specify a bucket for S3 asset uploads" .Values.mastodon.hooks.s3Upload.bucket }}"
- --fast-list
- --transfers=32
- --include
- "{assets,packs}/**"
- --progress
- -vv
volumeMounts:
- mountPath: /assets
name: assets
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
memory: 500Mi
volumes:
- name: assets
emptyDir: {}
{{- with coalesce .Values.mastodon.hooks.s3Upload.nodeSelector .Values.nodeSelector }}
nodeSelector:
{{- . | toYaml | nindent 8 }}
{{- end }}
{{- end -}}
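Review bot: The pod spec of the new assets-upload Job has a bare `volumes:` line directly under `spec:` (just before `restartPolicy: Never`) and a second `volumes:` with the real `emptyDir` list further down; the first renders as `volumes: null` and makes `volumes` a duplicate key in the same mapping, which some decoders reject and others resolve last-wins. Delete the stray line. The upload container pulls `rclone/rclone:1` with `imagePullPolicy: Always`, a floating major tag, so every hook run may execute a different binary against the S3 credentials; pinning a full version (or a digest) and/or exposing it as a value keeps the hook reproducible and auditable. The key `secretRef.keys.accesKeyId` is spelled with one `s`; that is only a problem if values.yaml spells it `accessKeyId`, so worth a check.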


@ -1,79 +0,0 @@
{{- if .Values.elasticsearch.enabled -}}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "mastodon.fullname" . }}-chewy-upgrade
labels:
{{- include "mastodon.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-install
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"helm.sh/hook-weight": "-1"
spec:
template:
metadata:
name: {{ include "mastodon.fullname" . }}-chewy-upgrade
{{- with .Values.jobAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
restartPolicy: Never
{{- if (not .Values.mastodon.s3.enabled) }}
# ensure we run on the same node as the other rails components; only
# required when using PVCs that are ReadWriteOnce
{{- if or (eq "ReadWriteOnce" .Values.mastodon.persistence.assets.accessMode) (eq "ReadWriteOnce" .Values.mastodon.persistence.system.accessMode) }}
affinity:
podAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app.kubernetes.io/part-of
operator: In
values:
- rails
topologyKey: kubernetes.io/hostname
{{- end }}
volumes:
- name: assets
persistentVolumeClaim:
claimName: {{ template "mastodon.fullname" . }}-assets
- name: system
persistentVolumeClaim:
claimName: {{ template "mastodon.fullname" . }}-system
{{- end }}
containers:
- name: {{ include "mastodon.fullname" . }}-chewy-setup
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- bundle
- exec
- rake
- chewy:upgrade
envFrom:
- configMapRef:
name: {{ include "mastodon.fullname" . }}-env
- secretRef:
name: {{ template "mastodon.secretName" . }}
env:
- name: "DB_PASS"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.postgresql.secretName" . }}
key: password
- name: "REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.secretName" . }}
key: redis-password
- name: "PORT"
value: {{ .Values.mastodon.web.port | quote }}
{{- if (not .Values.mastodon.s3.enabled) }}
volumeMounts:
- name: assets
mountPath: /opt/mastodon/public/assets
- name: system
mountPath: /opt/mastodon/public/system
{{- end }}
{{- end }}


@ -37,10 +37,10 @@ spec:
volumes:
- name: assets
persistentVolumeClaim:
claimName: {{ template "mastodon.fullname" . }}-assets
claimName: {{ template "mastodon.pvc.assets" . }}
- name: system
persistentVolumeClaim:
claimName: {{ template "mastodon.fullname" . }}-system
claimName: {{ template "mastodon.pvc.system" . }}
{{- end }}
containers:
- name: {{ include "mastodon.fullname" . }}-create-admin
@ -72,6 +72,20 @@ spec:
secretKeyRef:
name: {{ template "mastodon.redis.secretName" . }}
key: redis-password
{{- if and .Values.redis.sidekiq.enabled .Values.redis.sidekiq.auth.existingSecret }}
- name: "SIDEKIQ_REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.sidekiq.secretName" . }}
key: redis-password
{{- end }}
{{- if and .Values.redis.cache.enabled .Values.redis.cache.auth.existingSecret }}
- name: "CACHE_REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.cache.secretName" . }}
key: redis-password
{{- end }}
- name: "PORT"
value: {{ .Values.mastodon.web.port | quote }}
{{- if (not .Values.mastodon.s3.enabled) }}
@ -81,4 +95,8 @@ spec:
- name: system
mountPath: /opt/mastodon/public/system
{{- end }}
{{- with coalesce .Values.mastodon.createAdmin.nodeSelector .Values.nodeSelector }}
nodeSelector:
{{- . | toYaml | nindent 8 }}
{{- end }}
{{- end }}


@ -1,77 +1,7 @@
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "mastodon.fullname" . }}-db-migrate
labels:
{{- include "mastodon.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-install,pre-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"helm.sh/hook-weight": "-2"
spec:
template:
metadata:
name: {{ include "mastodon.fullname" . }}-db-migrate
{{- with .Values.jobAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
restartPolicy: Never
{{- if (not .Values.mastodon.s3.enabled) }}
# ensure we run on the same node as the other rails components; only
# required when using PVCs that are ReadWriteOnce
{{- if or (eq "ReadWriteOnce" .Values.mastodon.persistence.assets.accessMode) (eq "ReadWriteOnce" .Values.mastodon.persistence.system.accessMode) }}
affinity:
podAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app.kubernetes.io/part-of
operator: In
values:
- rails
topologyKey: kubernetes.io/hostname
{{- end }}
volumes:
- name: assets
persistentVolumeClaim:
claimName: {{ template "mastodon.fullname" . }}-assets
- name: system
persistentVolumeClaim:
claimName: {{ template "mastodon.fullname" . }}-system
{{- end }}
containers:
- name: {{ include "mastodon.fullname" . }}-db-migrate
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- bundle
- exec
- rake
- db:migrate
envFrom:
- configMapRef:
name: {{ include "mastodon.fullname" . }}-env
- secretRef:
name: {{ template "mastodon.secretName" . }}
env:
- name: "DB_PASS"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.postgresql.secretName" . }}
key: password
- name: "REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.secretName" . }}
key: redis-password
- name: "PORT"
value: {{ .Values.mastodon.web.port | quote }}
{{- if (not .Values.mastodon.s3.enabled) }}
volumeMounts:
- name: assets
mountPath: /opt/mastodon/public/assets
- name: system
mountPath: /opt/mastodon/public/system
{{- if .Values.mastodon.hooks.dbMigrate.enabled }}
{{- include "mastodon.dbMigrateJob" (merge (dict "preDeploy" false ) .) }}
{{- with coalesce .Values.mastodon.hooks.dbMigrate.nodeSelector .Values.nodeSelector }}
nodeSelector:
{{- . | toYaml | nindent 8 }}
{{- end }}
{{- end }}
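Review bot: The `nodeSelector:` stanza appended after `{{- include "mastodon.dbMigrateJob" ... }}` is emitted at a fixed indent (`nindent 8`) outside the helper, so it only lands inside the pod spec if the helper's output happens to end exactly at pod-spec level and is not trimmed by a trailing `-}}`; the helper is not visible in this diff, so that cannot be confirmed here. The same pattern is repeated in the new pre-deploy and db-prepare templates (the next two files). It is more robust to let the helper render the selector itself, e.g. `{{- include "mastodon.dbMigrateJob" (merge (dict "preDeploy" false "nodeSelector" (coalesce .Values.mastodon.hooks.dbMigrate.nodeSelector .Values.nodeSelector)) .) }}` and a `with .nodeSelector` block inside the helper.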


@ -0,0 +1,7 @@
{{- if .Values.mastodon.hooks.dbMigrate.enabled }}
{{- include "mastodon.dbMigrateJob" (merge (dict "preDeploy" true ) .) }}
{{- with coalesce .Values.mastodon.hooks.dbMigrate.nodeSelector .Values.nodeSelector }}
nodeSelector:
{{- . | toYaml | nindent 8 }}
{{- end }}
{{- end }}


@ -0,0 +1,7 @@
{{- if and .Values.mastodon.hooks.dbPrepare.enabled (not .Values.postgresql.enabled) }}
{{- include "mastodon.dbMigrateJob" (merge (dict "prepare" true ) .) }}
{{- with coalesce .Values.mastodon.hooks.dbPrepare.nodeSelector .Values.nodeSelector }}
nodeSelector:
{{- . | toYaml | nindent 8 }}
{{- end }}
{{- end }}


@ -1,17 +1,19 @@
{{- if and .Values.mastodon.hooks.deploySearch.enabled .Values.elasticsearch.enabled -}}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "mastodon.fullname" . }}-assets-precompile
name: {{ include "mastodon.fullname" . }}-deploy-search
labels:
{{- include "mastodon.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-install
"helm.sh/hook": post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"helm.sh/hook-weight": "-2"
spec:
suspend: false
template:
metadata:
name: {{ include "mastodon.fullname" . }}-assets-precompile
name: {{ include "mastodon.fullname" . }}-deploy-search
{{- with .Values.jobAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
@ -21,7 +23,7 @@ spec:
{{- if (not .Values.mastodon.s3.enabled) }}
# ensure we run on the same node as the other rails components; only
# required when using PVCs that are ReadWriteOnce
{{- if or (eq "ReadWriteOnce" .Values.mastodon.persistence.assets.accessMode) (eq "ReadWriteOnce" .Values.mastodon.persistence.system.accessMode) }}
{{- if or (eq "ReadWriteOnce" .Values.mastodon.persistence.assets.accessMode) (eq "ReadWriteOnce" .Values.persistence.system.accessMode) }}
affinity:
podAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
@ -42,19 +44,42 @@ spec:
claimName: {{ template "mastodon.fullname" . }}-system
{{- end }}
containers:
- name: {{ include "mastodon.fullname" . }}-assets-precompile
- name: {{ include "mastodon.fullname" . }}-deploy-search
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- with .Values.mastodon.hooks.deploySearch }}
{{- with .resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
command:
- bash
- -c
- |
bundle exec rake assets:precompile && yarn cache clean
- bin/tootctl
- search
- deploy
{{- with .concurrency }}
- '--concurrency'
- {{ . | quote }}
{{- end }}
{{- if .resetChewy }}
- '--reset-chewy'
{{- end }}
{{- with .batchSize }}
- '--batch-size'
- {{ . | quote }}
{{- end }}
{{- with .only }}
{{- if not (has . (list "instances" "accounts" "tags" "statuses" "public_statuses")) -}}
{{ fail "mastodon.hooks.deploySearch.only: Value must be one of the following words: instances, accounts, tags, statuses, public_statuses"}}
{{- end }}
- '--only'
- {{ . | quote }}
{{- end }}
{{- end }}
envFrom:
- configMapRef:
name: {{ include "mastodon.fullname" . }}-env
- secretRef:
name: {{ template "mastodon.secretName" . }}
name: {{ template "mastodon.secretName" $ }}
env:
- name: "DB_PASS"
valueFrom:
@ -75,3 +100,4 @@ spec:
- name: system
mountPath: /opt/mastodon/public/system
{{- end }}
{{- end }}
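Review bot: The reworked affinity guard reads `.Values.persistence.system.accessMode` while the assets half of the same `or` still reads `.Values.mastodon.persistence.assets.accessMode`, and the PVC templates in this commit use `.Values.mastodon.persistence.system.existingClaim`; unless a top-level `persistence` key exists in values.yaml, rendering with `mastodon.s3.enabled=false` fails on a nil `persistence` lookup. Restore `{{- if or (eq "ReadWriteOnce" .Values.mastodon.persistence.assets.accessMode) (eq "ReadWriteOnce" .Values.mastodon.persistence.system.accessMode) }}`. Separately, this job still uses `image: "{{ .Values.image.repository }}:…"` while the web deployment and the assets-upload job coalesce with `mastodon.web.image`, so a per-component image override will not reach the search deploy.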


@ -37,10 +37,10 @@ spec:
volumes:
- name: assets
persistentVolumeClaim:
claimName: {{ template "mastodon.fullname" . }}-assets
claimName: {{ template "mastodon.pvc.assets" . }}
- name: system
persistentVolumeClaim:
claimName: {{ template "mastodon.fullname" . }}-system
claimName: {{ template "mastodon.pvc.system" . }}
{{- end }}
containers:
- name: {{ include "mastodon.fullname" . }}-set-admin-password
@ -49,7 +49,7 @@ spec:
command:
- "/bin/bash"
- "-c"
- "echo \"account=Account.find_by(username:'{{ .Values.mastodon.createAdmin.username }}') ; user=User.find_by(account:account) ; user.password='{{ .Values.mastodon.createAdmin.password }}' ; user.save!\" | rails c"
- "echo \"account=Account.find_by(username:'{{ .Values.mastodon.createAdmin.username }}') ; user=User.find_by(account:account) ; user.password='{{ .Values.mastodon.createAdmin.password }}' ; user.save!\" | rails c && /opt/mastodon/bin/tootctl accounts approve {{ .Values.mastodon.createAdmin.username }}"
envFrom:
- configMapRef:
name: {{ include "mastodon.fullname" . }}-env
@ -70,6 +70,20 @@ spec:
secretKeyRef:
name: {{ template "mastodon.redis.secretName" . }}
key: redis-password
{{- if and .Values.redis.sidekiq.enabled .Values.redis.sidekiq.auth.existingSecret }}
- name: "SIDEKIQ_REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.sidekiq.secretName" . }}
key: redis-password
{{- end }}
{{- if and .Values.redis.cache.enabled .Values.redis.cache.auth.existingSecret }}
- name: "CACHE_REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.cache.secretName" . }}
key: redis-password
{{- end }}
- name: "PORT"
value: {{ .Values.mastodon.web.port | quote }}
{{- if (not .Values.mastodon.s3.enabled) }}
@ -79,4 +93,8 @@ spec:
- name: system
mountPath: /opt/mastodon/public/system
{{- end }}
{{- with coalesce .Values.mastodon.createAdmin.nodeSelector .Values.nodeSelector }}
nodeSelector:
{{- . | toYaml | nindent 8 }}
{{- end }}
{{- end }}
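Review bot: The extended command line interpolates `.Values.mastodon.createAdmin.password` and `.username` raw into a shell string and into Ruby single-quoted literals; any quote or shell metacharacter in the password breaks the command, and the password sits in plaintext in the Job's pod spec where anyone who can read pods or the release's hooks sees it. Prefer passing both values through env vars sourced from a Secret (`valueFrom.secretKeyRef`, as `DB_PASS` already is in this file) and reading `ENV[...]` in the Ruby snippet, so the manifest carries no credential and no quoting is needed. At minimum the new `tootctl accounts approve {{ .Values.mastodon.createAdmin.username }}` should quote its argument.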


@ -0,0 +1,19 @@
{{- if .Values.mastodon.streaming.pdb.enable }}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ include "mastodon.fullname" . }}-streaming
labels:
{{- include "mastodon.labels" . | nindent 4 }}
spec:
{{- if .Values.mastodon.streaming.pdb.minAvailable }}
minAvailable: {{ .Values.mastodon.streaming.pdb.minAvailable }}
{{- end }}
{{- if .Values.mastodon.streaming.pdb.maxUnavailable }}
maxUnavailable: {{ .Values.mastodon.streaming.pdb.maxUnavailable }}
{{- end }}
selector:
matchLabels:
{{- include "mastodon.selectorLabels" . | nindent 6 }}
app.kubernetes.io/component: streaming
{{- end }}
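Review bot: Both new PodDisruptionBudgets (this file and the web one after it) are gated on `.Values.mastodon.streaming.pdb.enable` / `.Values.mastodon.web.pdb.enable`, while every other toggle in this commit is spelled `.enabled` (`ingress.streaming.enabled`, `hooks.s3Upload.enabled`); unless values.yaml deliberately uses `enable`, this is a key mismatch that silently never renders the PDB. The two independent `if` guards also emit both `minAvailable` and `maxUnavailable` when both are set, which the API server rejects as mutually exclusive; an `if`/`else if` or a `{{ fail ... }}` when both are non-empty gives a clear error at template time. `if .Values...minAvailable` additionally skips an explicit `0`; the `ne (toString ...) "<nil>"` idiom this commit uses for `revisionHistoryLimit` handles that case.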


@ -0,0 +1,20 @@
{{- if .Values.mastodon.web.pdb.enable }}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ include "mastodon.fullname" . }}-web
labels:
{{- include "mastodon.labels" . | nindent 4 }}
spec:
{{- if .Values.mastodon.web.pdb.minAvailable }}
minAvailable: {{ .Values.mastodon.web.pdb.minAvailable }}
{{- end }}
{{- if .Values.mastodon.web.pdb.maxUnavailable }}
maxUnavailable: {{ .Values.mastodon.web.pdb.maxUnavailable }}
{{- end }}
selector:
matchLabels:
{{- include "mastodon.selectorLabels" . | nindent 6 }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: rails
{{- end }}


@ -1,4 +1,4 @@
{{- if (not .Values.mastodon.s3.enabled) -}}
{{- if and (not .Values.mastodon.s3.enabled) (not .Values.mastodon.persistence.assets.existingClaim) -}}
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
@ -7,7 +7,7 @@ metadata:
{{- include "mastodon.labels" . | nindent 4 }}
spec:
accessModes:
- {{ .Values.mastodon.persistence.system.accessMode }}
- {{ .Values.mastodon.persistence.assets.accessMode }}
{{- with .Values.mastodon.persistence.assets.resources }}
resources:
{{- toYaml . | nindent 4 }}


@ -1,4 +1,4 @@
{{- if (not .Values.mastodon.s3.enabled) -}}
{{- if and (not .Values.mastodon.s3.enabled) (not .Values.mastodon.persistence.system.existingClaim) -}}
apiVersion: v1
kind: PersistentVolumeClaim
metadata:


@ -0,0 +1,3 @@
{{- if and (include "mastodon.createSecret" .) (not .Values.postgresql.enabled) -}}
{{- include "mastodon.secrets.object" (merge (dict "prepare" true ) .) }}
{{- end }}


@ -0,0 +1,19 @@
{{- if not .Values.redis.enabled }}
{{- if and (not .Values.redis.auth.existingSecret) (not .Values.redis.existingSecret) }}
{{- if .Values.redis.auth.password }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "mastodon.redis.secretName" . }}-pre-install
labels:
{{- include "mastodon.labels" . | nindent 4 }}
annotations:
helm.sh/hook: pre-install
helm.sh/hook-weight: "-5"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
type: Opaque
data:
redis-password: "{{ .Values.redis.auth.password | b64enc }}"
{{- end }}
{{- end }}
{{- end }}
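Review bot: The three nested `if` guards at the top of the new pre-install redis Secret can be one expression, `{{- if and (not .Values.redis.enabled) (not .Values.redis.auth.existingSecret) (not .Values.redis.existingSecret) .Values.redis.auth.password }}`, matching the single-condition style of the other secret templates in this commit. The Secret is named `{{ include "mastodon.redis.secretName" . }}-pre-install`, yet the Jobs in this diff reference `mastodon.redis.secretName` without a suffix (the create-admin and set-admin-password jobs, for instance); confirm that the pre-install hook Jobs resolve the suffixed name, otherwise this Secret is never consumed. With `hook-delete-policy: ... hook-succeeded` it is removed once the pre-install hooks finish, so nothing in the normal release may depend on it.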


@ -0,0 +1,19 @@
{{- if .Values.redis.enabled }}
{{- if and (not .Values.redis.auth.existingSecret) (not .Values.redis.existingSecret) }}
{{- if .Values.redis.auth.password }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "mastodon.redis.secretName" . }}
labels:
{{- include "mastodon.labels" . | nindent 4 }}
annotations:
helm.sh/hook: pre-install
helm.sh/hook-weight: "-5"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
type: Opaque
data:
redis-password: "{{ .Values.redis.auth.password | b64enc }}"
{{- end }}
{{- end }}
{{- end }}
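Review bot: This Secret carries the exact name the Deployments reference for `REDIS_PASSWORD` (`mastodon.redis.secretName`, see the streaming and web env blocks), yet it is a `pre-install` hook with `hook-delete-policy: ... hook-succeeded`, so Helm deletes it after the pre-install hooks complete and never recreates it on upgrade. That only works if something else — presumably the bundled redis subchart when `redis.enabled` is true — creates a same-named Secret during the main install; a comment such as `# temporary copy for pre-install hook Jobs; the redis subchart provides the Secret the Deployments use` would spare the next maintainer a debugging session. Note also that `before-hook-creation` deletes any pre-existing Secret of that name before the hook runs, which matters if the namespace already holds one.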


@ -0,0 +1,16 @@
{{- if and .Values.mastodon.smtp.bulk.enabled (not .Values.mastodon.smtp.bulk.existingSecret) -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ printf "%s-smtp-bulk" (include "mastodon.fullname" .) }}
labels:
{{- include "mastodon.labels" . | nindent 4 }}
type: Opaque
data:
{{- with .Values.mastodon.smtp.bulk.login }}
login: {{ . | b64enc }}
{{- end }}
{{- with .Values.mastodon.smtp.bulk.password }}
password: {{ . | b64enc }}
{{- end }}
{{- end }}
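Review bot: `login: {{ . | b64enc }}` and `password: {{ . | b64enc }}` emit the base64 value as a plain scalar, whereas the redis secrets in this commit write `"{{ ... | b64enc }}"`; `| quote` keeps the style uniform and guarantees a string. Because both entries sit inside `with`, a bulk SMTP section with `enabled: true` but no login or password yields a Secret with an empty `data:` mapping, which is valid but probably not intended; a `required` on `password`, or a `fail` when `login` is set without `password`, surfaces the misconfiguration at template time.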


@ -2,7 +2,7 @@
apiVersion: v1
kind: Secret
metadata:
name: {{ printf "%s-smtp" (include "common.names.fullname" .) }}
name: {{ printf "%s-smtp" (include "mastodon.fullname" .) }}
labels:
{{- include "mastodon.labels" . | nindent 4 }}
type: Opaque


@ -1,43 +1,3 @@
{{- if (include "mastodon.createSecret" .) -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "mastodon.fullname" . }}
labels:
{{- include "mastodon.labels" . | nindent 4 }}
type: Opaque
data:
{{- if .Values.mastodon.s3.enabled }}
{{- if not .Values.mastodon.s3.existingSecret }}
AWS_ACCESS_KEY_ID: "{{ .Values.mastodon.s3.access_key | b64enc }}"
AWS_SECRET_ACCESS_KEY: "{{ .Values.mastodon.s3.access_secret | b64enc }}"
{{- end }}
{{- end }}
{{- if not .Values.mastodon.secrets.existingSecret }}
{{- if not (empty .Values.mastodon.secrets.secret_key_base) }}
SECRET_KEY_BASE: "{{ .Values.mastodon.secrets.secret_key_base | b64enc }}"
{{- else }}
SECRET_KEY_BASE: {{ required "secret_key_base is required" .Values.mastodon.secrets.secret_key_base }}
{{- end }}
{{- if not (empty .Values.mastodon.secrets.otp_secret) }}
OTP_SECRET: "{{ .Values.mastodon.secrets.otp_secret | b64enc }}"
{{- else }}
OTP_SECRET: {{ required "otp_secret is required" .Values.mastodon.secrets.otp_secret }}
{{- end }}
{{- if not (empty .Values.mastodon.secrets.vapid.private_key) }}
VAPID_PRIVATE_KEY: "{{ .Values.mastodon.secrets.vapid.private_key | b64enc }}"
{{- else }}
VAPID_PRIVATE_KEY: {{ required "vapid.private_key is required" .Values.mastodon.secrets.vapid.private_key }}
{{- end }}
{{- if not (empty .Values.mastodon.secrets.vapid.public_key) }}
VAPID_PUBLIC_KEY: "{{ .Values.mastodon.secrets.vapid.public_key | b64enc }}"
{{- else }}
VAPID_PUBLIC_KEY: {{ required "vapid.public_key is required" .Values.mastodon.secrets.vapid.public_key }}
{{- end }}
{{- end }}
{{- if not .Values.postgresql.enabled }}
{{- if not .Values.postgresql.auth.existingSecret }}
password: "{{ .Values.postgresql.auth.password | b64enc }}"
{{- end }}
{{- end }}
{{- include "mastodon.secrets.object" . }}
{{- end }}
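Review bot: The inline `data:` block, including the `required` guards for `secret_key_base`, `otp_secret` and the VAPID keys, is replaced by `{{- include "mastodon.secrets.object" . }}`, and the helper is not part of this compare, so it is worth confirming that those guards survived the move and that the `activeRecordEncryption` keys introduced in values.yaml (`ACTIVE_RECORD_ENCRYPTION_*`) are emitted by it as well. A one-line pointer above the include, `{{/* Secret body is generated by the mastodon.secrets.object helper so the pre-install hook variant can share it */}}`, would save the next reader the search.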


@ -11,6 +11,7 @@ spec:
targetPort: streaming
protocol: TCP
name: streaming
ipFamilyPolicy: PreferDualStack
selector:
{{- include "mastodon.selectorLabels" . | nindent 4 }}
app.kubernetes.io/component: streaming
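Review bot: `ipFamilyPolicy: PreferDualStack` is hard-coded in the Service spec rather than read from values, so operators who need `RequireDualStack`, or who must pin `SingleStack` on a cluster that happens to be dual-stack capable, cannot change it without forking the template; `ipFamilyPolicy: {{ .Values.mastodon.streaming.service.ipFamilyPolicy | default "PreferDualStack" }}` would keep the new default while exposing the knob (that values path is a suggested new key, this compare adds no matching value). The web Service in the next section gets the identical line and the same remark. If the hard-coded value is intentional, a comment above it noting that `PreferDualStack` falls back to single-stack on single-stack clusters would explain why it is safe as a default.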


@ -11,6 +11,7 @@ spec:
targetPort: http
protocol: TCP
name: http
ipFamilyPolicy: PreferDualStack
selector:
{{- include "mastodon.selectorLabels" . | nindent 4 }}
app.kubernetes.io/component: web


@ -0,0 +1,107 @@
{{- if and .Values.mastodon.metrics.statsd.exporter.enabled (not .Values.mastodon.metrics.statsd.address) }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "mastodon.fullname" . }}-statsd-mappings
labels:
{{- include "mastodon.labels" . | nindent 4 }}
data:
mastodon-statsd-mappings.yml: |-
## From https://ipng.ch/assets/mastodon/statsd-mapping.yaml
## Prometheus Statsd Exporter mapping for Mastodon 4.0+
##
## Version 1.0, November 2022
##
## Documentation: https://ipng.ch/s/articles/2022/11/27/mastodon-3.html
mappings:
## Web collector
- match: Mastodon\.production\.web\.(.+)\.(.+)\.(.+)\.status\.(.+)
match_type: regex
name: "mastodon_controller_status"
labels:
controller: $1
action: $2
format: $3
status: $4
mastodon: "web"
- match: Mastodon\.production\.web\.(.+)\.(.+)\.(.+)\.db_time
match_type: regex
name: "mastodon_controller_db_time"
labels:
controller: $1
action: $2
format: $3
mastodon: "web"
- match: Mastodon\.production\.web\.(.+)\.(.+)\.(.+)\.view_time
match_type: regex
name: "mastodon_controller_view_time"
labels:
controller: $1
action: $2
format: $3
mastodon: "web"
- match: Mastodon\.production\.web\.(.+)\.(.+)\.(.+)\.total_duration
match_type: regex
name: "mastodon_controller_duration"
labels:
controller: $1
action: $2
format: $3
mastodon: "web"
## Database collector
- match: Mastodon\.production\.db\.tables\.(.+)\.queries\.(.+)\.duration
match_type: regex
name: "mastodon_db_operation"
labels:
table: "$1"
operation: "$2"
mastodon: "db"
## Cache collector
- match: Mastodon\.production\.cache\.(.+)\.duration
match_type: regex
name: "mastodon_cache_duration"
labels:
operation: "$1"
mastodon: "cache"
## Sidekiq collector
- match: Mastodon\.production\.sidekiq\.(.+)\.processing_time
match_type: regex
name: "mastodon_sidekiq_worker_processing_time"
labels:
worker: "$1"
mastodon: "sidekiq"
- match: Mastodon\.production\.sidekiq\.(.+)\.success
match_type: regex
name: "mastodon_sidekiq_worker_success_total"
labels:
worker: "$1"
mastodon: "sidekiq"
- match: Mastodon\.production\.sidekiq\.(.+)\.failure
match_type: regex
name: "mastodon_sidekiq_worker_failure_total"
labels:
worker: "$1"
mastodon: "sidekiq"
- match: Mastodon\.production\.sidekiq\.queues\.(.+)\.enqueued
match_type: regex
name: "mastodon_sidekiq_queue_enqueued"
labels:
queue: "$1"
mastodon: "sidekiq"
- match: Mastodon\.production\.sidekiq\.queues\.(.+)\.latency
match_type: regex
name: "mastodon_sidekiq_queue_latency"
labels:
queue: "$1"
mastodon: "sidekiq"
- match: Mastodon\.production\.sidekiq\.(.+)
match_type: regex
name: "mastodon_sidekiq_$1"
labels:
mastodon: "sidekiq"
{{- end }}
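Review bot: The last mapping, `Mastodon\.production\.sidekiq\.(.+)` to `mastodon_sidekiq_$1`, is a catch-all that only behaves because it sits after the more specific sidekiq rules; statsd_exporter tries regex mappings in file order, so a comment such as `## Catch-all for remaining sidekiq metrics - must stay last` above it would protect that ordering on future edits. Label quoting is mixed within the same file: the web mappings use `controller: $1` while the db, cache and sidekiq ones use `"$1"`; both are valid YAML, but one style should be chosen. Separately, values.yaml in this compare states that statsd support was dropped in Mastodon v4.3.0, and the same file already defaults the streaming image to the post-4.3.0 split repository, so this ConfigMap appears to configure a feature the chart's current Mastodon version no longer emits metrics for; a note to that effect next to the existing source attribution at the top of the block would help, though whether the exporter still receives anything is for the maintainer to confirm.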


@ -6,11 +6,16 @@ image:
# built from the most recent commit
#
# tag: latest
tag: "v4.1.4"
tag: ""
# use `Always` when using `latest` tag
pullPolicy: IfNotPresent
mastodon:
# Labels added to every Mastodon-related object
labels: {}
# Labes added to every deployed mastodon pod
podLabels: {}
# -- create an initial administrator user; the password is autogenerated and will
# have to be reset
createAdmin:
@ -19,7 +24,84 @@ mastodon:
# @ignored
username: not_gargron
# @ignored
password: not_gargron
# @ignored
email: not@example.com
# Node(s) on which we will deploy this job
nodeSelector: {}
hooks:
# Whether to perform DB schema creation on `helm install`.
# Please note that this does not work when using the included database
# (postgresql.enabled=true).
# NOTE: When using certain GitOps solutions such as Argo CD, this should be
# disabled, as these apps do not necessarily differentiate between `pre-install`
# and `pre-upgrade`.
dbPrepare:
enabled: true
# Node(s) on which we will deploy this job
nodeSelector: {}
# Whether to perform DB migrations on `helm upgrade`.
dbMigrate:
enabled: true
# Node(s) on which we will deploy this job
nodeSelector: {}
# WARNING: deploySearch is potentially a very expensive job!
# Only enable this once at a time, when you deploy elasticsearch or when
# the upgrade notes for a new mastodon version request rebuilding search.
# Recommended use is via `-f mastodon.hooks.deploySearch.enabled=true`
# to ensure the job is only dispatched for a single upgrade when required.
# This job may take days to run on very large instances. Even small
# instances may take long enough to trigger helm's completion timeout, so
# DO NOT PANIC if helm complains; simply verify the job is still running.
#
# Builds or rebuilds the elasticsearch indices via `tootctl deploy search`
# with timing hooks to ensure the job runs immediately after install/upgrade
# and will be restarted if another, corrective upgrade is triggered.
# Please check the tootctl documentation and upgrade notes to pick values.
#
# NOTE: The resource stanza set below is intentionally very conservative.
# Consider assigning a liberal chunk of your cluster's typical headroom.
deploySearch:
enabled: false
resetChewy: true
# one index name. Possible values: instances, accounts, tags, statuses, public_statuses
only: ""
concurrency: 5
resources: # this accepts any keys in a full container resources stanza.
requests:
cpu: 250m
memory: 256Mi
limits:
cpu: 500m
# Upload website assets to S3 before deploying using rclone.
# Whenever there is an update to Mastodon, sometimes there are assets files
# that are renamed. As the pods are getting redeployed, and old/new pods are
# present simultaneously, there is a chance that old asset files are
# requested from pods that don't have them anymore, or new asset files are
# requested from old pods. Uploading asset files to S3 in this manner solves
# this potential conflict.
# Note that you will need to CDN/proxy to send all requests to /assets and
# /packs to this bucket.
s3Upload:
enabled: false
endpoint:
bucket:
acl: public-read
secretRef:
name:
keys:
accesKeyId: acces-key-id
secretAccessKey: secret-access-key
rclone:
# Any additional environment variables to pass to rclone.
env: {}
# Node(s) on which we will deploy this job
nodeSelector: {}
# Custom labels to add to kubernetes resources
#labels:
cron:
# -- run `tootctl media remove` every week
removeMedia:
@ -27,18 +109,31 @@ mastodon:
enabled: true
# @ignored
schedule: "0 0 * * 0"
# Node(s) on which we will deploy this job
nodeSelector: {}
# Sets the default locale for this server.
# NOTICE: This will force this locale on every user who is not logged in, and
# the instance will no longer do any local detection for clients.
# -- available locales: https://github.com/mastodon/mastodon/blob/main/config/application.rb#L71
locale: en
locale:
local_domain: mastodon.local
# -- Use of WEB_DOMAIN requires careful consideration: https://docs.joinmastodon.org/admin/config/#federation
# You must redirect the path LOCAL_DOMAIN/.well-known/ to WEB_DOMAIN/.well-known/ as described
# Example: mastodon.example.com
web_domain: null
# -- If you have multiple domains pointed at your Mastodon server, this setting will allow Mastodon to recognize
# itself when users are addressed using those other domains.
alternate_domains: []
# -- Comma-separated list of public IP addresses of trusted reverse proxy servers reaching Mastodon web and streaming servers
# Specifying overrides default list. More info: https://docs.joinmastodon.org/admin/config/#trusted_proxy_ip
# trusted_proxy_ip:
# -- If set to true, the frontpage of your Mastodon server will always redirect to the first profile in the database and registrations will be disabled.
singleUserMode: false
# -- Enables "Secure Mode" for more details see: https://docs.joinmastodon.org/admin/config/#authorized_fetch
authorizedFetch: false
# -- Enables "Limited Federation Mode" for more detauls see: https://docs.joinmastodon.org/admin/config/#limited_federation_mode
# -- Enables "Limited Federation Mode" for more details see: https://docs.joinmastodon.org/admin/config/#limited_federation_mode
limitedFederationMode: false
persistence:
assets:
@ -49,11 +144,15 @@ mastodon:
resources:
requests:
storage: 10Gi
# -- name of existing persistent volume claim to use for assets
existingClaim:
system:
accessMode: ReadWriteOnce
resources:
requests:
storage: 100Gi
# -- name of existing persistent volume claim to use for system
existingClaim:
s3:
enabled: false
access_key: ""
@ -68,6 +167,24 @@ mastodon:
permission: ""
# -- If you have a caching proxy, enter its base URL here.
alias_host: ""
# When uploading data to S3, if the number of bytes to send exceedes
# multipart_threshold then a multi part session is automatically started
# and the data is sent up in chunks. Defaults to 16777216 (16MB).
multipart_threshold: ""
# -- Set this to true if the storage provider uses domain style 'bucket.endpoint' naming
# override_path_style: "true"
deepl:
enabled: false
plan:
apiKeySecretRef:
name:
key:
hcaptcha:
enabled: false
siteId:
secretKeySecretRef:
name:
key:
# these must be set manually; autogenerated keys are rotated on each upgrade
secrets:
secret_key_base: ""
@ -75,10 +192,25 @@ mastodon:
vapid:
private_key: ""
public_key: ""
activeRecordEncryption:
primaryKey: ""
deterministicKey: ""
keyDerivationSalt: ""
# -- you can also specify the name of an existing Secret
# with keys SECRET_KEY_BASE and OTP_SECRET and
# VAPID_PRIVATE_KEY and VAPID_PUBLIC_KEY
# with keys:
# - SECRET_KEY_BASE
# - OTP_SECRET
# - VAPID_PRIVATE_KEY
# - VAPID_PUBLIC_KEY
# - ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
# - ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY
# - ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
existingSecret: ""
# -- The number of old revisions to keep for each Deployment in Kubernetes.
# See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy
revisionHistoryLimit: 2
sidekiq:
# -- Pod security context for all Sidekiq Pods, overwrites .Values.podSecurityContext
podSecurityContext: {}
@ -88,12 +220,55 @@ mastodon:
resources: {}
# -- Affinity for all Sidekiq Deployments unless overwritten, overwrites .Values.affinity
affinity: {}
# Node(s) on which we will deploy sidekiq in general
# Any worker-specific configuration will override this setting.
nodeSelector: {}
# -- Annotations to apply to the deployment object(s) for sidekiq.
# -- These are applied in addition to deploymentAnnotations.
annotations: {}
# -- Labels to apply to the deployment object(s) for sidekiq.
# -- These are applied in addition to mastodon.labels.
labels: {}
# -- Annotations to apply to the sidekiq pods.
# -- These are applied in addition to the global podAnnotations.
podAnnotations: {}
# -- Labels to apply to the sidekiq pods.
# -- These are applied in addition to mastodon.labels.
podLabels: {}
# Rollout strategy to use when updating pods.
# Recreate will help reduce the number of retried jobs when updating when
# the code introduces a new job as the pods are all replaced immediately.
# RollingUpdate can help with larger clusters if job retries aren't an
# issue, as it will reduce strain by replacing pods more slowly. It is
# strongly recommended to enable the readinessProbe when using RollingUpdate.
# ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
updateStrategy:
type: Recreate
# Readiness probe configuration
# NOTE: Readiness probe will only work on versions of Mastodon built after 2024-07-10.
readinessProbe:
enabled: false
path: /opt/mastodon/tmp/sidekiq_process_has_started_and_will_begin_processing_jobs
initialDelaySeconds: 10
periodSeconds: 2
successThreshold: 1
timeoutSeconds: 1
# -- Topology spread constraints for Sidekiq Pods, overwrites .Values.topologySpreadConstraints
topologySpreadConstraints: {}
# limits:
# cpu: "1"
# memory: 768Mi
# requests:
# cpu: 250m
# memory: 512Mi
# Open Telemetry configuration for sidekiq pods. Overrides global settings.
otel:
enabled:
exporterUri:
namePrefix:
nameSeparator:
workers:
- name: all-queues
# -- Number of threads / parallel sidekiq jobs that are executed per Pod
@ -104,6 +279,11 @@ mastodon:
resources: {}
# -- Affinity for this specific deployment, overwrites .Values.affinity and .Values.mastodon.sidekiq.affinity
affinity: {}
# -- Node(s) on which we will deploy this sidekiq worker
nodeSelector: {}
# -- Topology spread constraints for this specific deployment, overwrites .Values.topologySpreadConstraints and .Values.mastodon.sidekiq.topologySpreadConstraints
topologySpreadConstraints: {}
# -- Sidekiq queues for Mastodon that are handled by this worker. See https://docs.joinmastodon.org/admin/scaling/#concurrency
# See https://github.com/mperham/sidekiq/wiki/Advanced-Options#queues for how to weight queues as argument
queues:
@ -113,6 +293,16 @@ mastodon:
- mailers,2
- pull
- scheduler # Make sure the scheduler queue only exists once and with a worker that has 1 replica.
- fasp
image:
repository:
tag:
# allows you to mount a custom database.yml from a configmap
# please note that we do not advise using a read-only replica for sidekiq workers
customDatabaseConfigYml:
configMapRef:
name:
key:
#- name: push-pull
# concurrency: 50
# resources: {}
@ -135,8 +325,9 @@ mastodon:
ca_file: /etc/ssl/certs/ca-certificates.crt
delivery_method: smtp
domain:
enable_starttls: 'auto'
enable_starttls: "auto"
from_address: notifications@example.com
return_path:
openssl_verify_mode: peer
port: 587
reply_to:
@ -147,7 +338,35 @@ mastodon:
# -- Instead of defining login/password above, you can specify the name of an existing secret here. Login and
# password must be located in keys named `login` and `password` respectively.
existingSecret:
# Configuration for bulk/broadcast messages.
# Some transactional email providers require customers to use a separate set
# of SMTP credentials to send emails that are not transactional in nature.
# For more information, refer to the docs:
# https://docs.joinmastodon.org/admin/config/#optional-bulk-email-settings
bulk:
enabled: false
auth_method: plain
ca_file: /etc/ssl/certs/ca-certificates.crt
domain:
enable_starttls: "auto"
from_address: notifications@example.com
openssl_verify_mode: peer
port: 587
server: smtp.mailgun.org
tls:
login:
password:
# -- Instead of defining login/password above, you can specify the name of an existing secret here. Login and
# password must be located in keys named `login` and `password` respectively.
existingSecret:
streaming:
image:
# streaming image split in Mastodon v4.3.0
repository: ghcr.io/mastodon/mastodon-streaming
# other options: `latest` for the latest release or `edge` for most recent commit
tag: ""
port: 4000
# -- this should be set manually since os.cpus() returns the number of CPUs on
# the node running the pod, which is unrelated to the resources allocated to
@ -160,6 +379,29 @@ mastodon:
replicas: 1
# -- Affinity for Streaming Pods, overwrites .Values.affinity
affinity: {}
# -- Node(s) on which we will deploy the streaming pods
nodeSelector: {}
# -- Annotations to apply to the deployment object for streaming.
# -- These are applied in addition to deploymentAnnotations.
annotations: {}
# -- Labels to apply to the deployment object for streaming.
# -- These are applied in addition to mastodon.labels.
labels: {}
# -- Annotations to apply to the streaming pods.
# -- These are applied in addition to the global podAnnotations.
podAnnotations: {}
# -- Labels to apply to the streaming pods.
# -- These are applied in addition to mastodon.labels.
podLabels: {}
# Rollout strategy to use when updating pods
# ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
updateStrategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 10%
maxUnavailable: 25%
# -- Topology spread constraints for Streaming Pods, overwrites .Values.topologySpreadConstraints
topologySpreadConstraints: {}
# -- Pod Security Context for Streaming Pods, overwrites .Values.podSecurityContext
podSecurityContext: {}
# -- (Streaming Container) Security Context for Streaming Pods, overwrites .Values.securityContext
@ -172,12 +414,54 @@ mastodon:
# requests:
# cpu: 250m
# memory: 128Mi
# -- PodDisruptionBudget configuration - See https://kubernetes.io/docs/tasks/run-application/configure-pdb/
pdb:
enable: false
# minAvailable: 1
# maxUnavailable: 1
# -- Puma-specific options. Below values are based on default behavior in
# config/puma.rb when no custom values are provided.
# -- Self-signed certificate(s) the (Node.js) needs to trust to connect to e.g. the database
extraCerts: {}
# -- Secret containing a key "ca.crt" holding one or more root certificates in PEM format
# existingSecret:
# -- Optional volume name for mounting the .crt file, defaults to "extra-certs"
# name:
# -- Optional sslMode setting. See nodejs's SSL_MODE. Consider "no-verify"
# sslMode:
# Specify extra environment variables to be added to streaming pods.
extraEnvVars: {}
web:
port: 3000
# -- Number of Web Pods running
replicas: 1
# -- Affinity for Web Pods, overwrites .Values.affinity
affinity: {}
# -- Node(s) on which we will deploy the web pods
nodeSelector: {}
# -- Annotations to apply to the deployment object for web.
# -- These are applied in addition to deploymentAnnotations.
annotations: {}
# -- Labels to apply to the deployment object for web.
# -- These are applied in addition to mastodon.labels.
labels: {}
# -- Annotations to apply to the web pods.
# -- These are applied in addition to the global podAnnotations.
podAnnotations: {}
# -- Labels to apply to the web pods.
# -- These are applied in addition to mastodon.labels.
podLabels: {}
# Rollout strategy to use when updating pods
# ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
updateStrategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 10%
maxUnavailable: 25%
# -- Topology spread constraints for Web Pods, overwrites .Values.topologySpreadConstraints
topologySpreadConstraints: {}
# -- Pod Security Context for Web Pods, overwrites .Values.podSecurityContext
podSecurityContext: {}
# -- (Web Container) Security Context for Web Pods, overwrites .Values.securityContext
@ -190,21 +474,99 @@ mastodon:
# requests:
# cpu: 250m
# memory: 768Mi
# -- PodDisruptionBudget configuration - See https://kubernetes.io/docs/tasks/run-application/configure-pdb/
pdb:
enable: false
# minAvailable: 1
# maxUnavailable: 1
# -- Puma-specific options. Below values are based on default behavior in
# config/puma.rb when no custom values are provided.
minThreads: "5"
maxThreads: "5"
workers: "2"
persistentTimeout: "20"
image:
repository:
tag:
# allows you to mount a custom database.yml from a configmap
# for example if you want to use a read-only replica
customDatabaseConfigYml:
configMapRef:
name:
key:
# Open Telemetry configuration for web pods. Overrides global settings.
otel:
enabled:
exporterUri:
namePrefix:
nameSeparator:
# HTTP cache buster configuration.
# See the documentation for more information about this feature:
# https://docs.joinmastodon.org/admin/config/#http-cache-buster
cacheBuster:
enabled: false
httpMethod: "GET"
# If the cache service requires authentication, specify the header name and
# secret/token here.
authHeader:
authToken:
existingSecret:
metrics:
# NOTE: This feature was dropped in v4.3.0, and will not work for any versions beyond this.
statsd:
# -- Enable statsd publishing via STATSD_ADDR environment variable
address: ""
# -- Alternatively, you can use this to have a statsd_exporter sidecar container running along all Mastodon containers and exposing metrics in OpenMetric/Prometheus format on each pod
# Please note the exporter will not be enabled if metrics.statsd.address is not empty
exporter:
enabled: false
port: 9102
# Settings for Prometheus metrics.
# For more information, see:
# https://docs.joinmastodon.org/admin/config/#prometheus
prometheus:
enabled: false
# Port for the exporter to listen on
port: 9394
# Prometheus for web pods
web:
# Collect per-controller/action metrics for every request
detailed: false
# Prometheus for sidekiq pods
sidekiq:
# Collect per-job metrics for every job
detailed: false
# Open Telemetry configuration for all deployments. Component-specific
# configuration will override these values.
otel:
enabled: false
exporterUri:
namePrefix: mastodon
nameSeparator: "-"
# Sets the PREPARED_STATEMENTS environment variable: https://docs.joinmastodon.org/admin/config/#prepared_statements
preparedStatements: true
# Specify extra environment variables to be added to all Mastodon pods.
# These can be used for configuration not included in this chart (including configuration for Mastodon varietals.)
extraEnvVars: {}
# Alternatively specify extra environment variables stored in a ConfigMap.
# The specified ConfigMap should contain the additional environment variables in key-value format.
# extraEnvFrom: <config-map-name>
ingress:
enabled: true
annotations:
@ -225,32 +587,97 @@ ingress:
hosts:
- host: mastodon.local
paths:
- path: '/'
- path: "/"
tls:
- secretName: mastodon-tls
hosts:
- mastodon.local
# -- https://github.com/bitnami/charts/tree/master/bitnami/elasticsearch#parameters
# This allows you to have a separate ingress for streaming
# When enabled, the main ingress will no longer handle streaming requests.
# You will also need to configure mastodon.streaming.base_url accordingly
streaming:
enabled: false
annotations:
ingressClassName:
hosts:
- host: streaming.mastodon.local
paths:
- path: "/"
tls:
- secretName: mastodon-tls
hosts:
- streaming.mastodon.local
# Configuration for Elasticsearch.
# When enabled, the bitnami helm chart is used for Elasticsearch deployment, and
# all values here correspond to their values file. Please see the bitnami chart
# documentation:
# https://github.com/bitnami/charts/tree/master/bitnami/elasticsearch#parameters
#
# Please note that we recommend using your own deployment for better management.
elasticsearch:
# `false` will disable full-text search
# Elasticsearch is powering full-text search. It is optional.
# `false` will not install Elasticsearch as part of this chart
#
# if you enable ES after the initial install, you will need to manually run
# RAILS_ENV=production bundle exec rake chewy:sync
# (https://docs.joinmastodon.org/admin/optional/elasticsearch/)
# @ignored
enabled: true
# @ignored
image:
tag: 7
# If you are using an external ES cluster, use `enabled: false` and set the hostname, port,
# and whether the cluster uses TLS.
# hostname:
# port: 9200
# tls: true
# preset: single_node_cluster
# This is optional, use it if you ES cluster requires authentication
# user:
# Name of an existing secret with a password key
# existingSecret:
# -- Node(s) on which we will deploy the various elasticsearch pods
master:
nodeSelector: {}
data:
nodeSelector: {}
coordinating:
nodeSelector: {}
ingest:
nodeSelector: {}
metrics:
nodeSelector: {}
# Configuration for PostgreSQL.
# When enabled, the bitnami helm chart is used for PostgreSQL deployment, and
# all values here correspond to their values file. Please see the bitnami chart
# documentation:
# https://github.com/bitnami/charts/tree/master/bitnami/postgresql#parameters
#
# Please note that we recommend using your own deployment for better management.
postgresql:
# -- disable if you want to use an existing db; in which case the values below
# must match those of that external postgres instance
# must match those of that external postgres instance.
# Please note that certain features do not work when enabling the included
# database, namely automatic schema creation when the app is first installed.
enabled: true
# postgresqlHostname: preexisting-postgresql
# postgresqlPort: 5432
# If using a connection pooler such as pgbouncer, please specify a hostname/IP
# that serves as a "direct" connection to the database, rather than going
# through the connection pooler. This is required for migrations to work
# properly.
direct:
hostname:
port:
database:
auth:
database: mastodon_production
username: mastodon
@ -266,7 +693,36 @@ postgresql:
# with a key of password set to the password you want
existingSecret: ""
# Options for a read-only replica.
# If enabled, mastodon uses existing defaults for postgres for these values as well.
# NOTE: This feature is only available on Mastodon v4.2+
# Documentation for more information on this feature:
# https://docs.joinmastodon.org/admin/scaling/#read-replicas
readReplica:
hostname:
port:
auth:
database:
username:
password:
existingSecret:
# -- Node(s) on which we will deploy the various database pods
primary:
nodeSelector: {}
readReplicas:
nodeSelector: {}
backup:
cronjob:
nodeSelector: {}
# Configuration for Redis.
# When enabled, the bitnami helm chart used for Redis deployment, and all values
# here correspond to their values file. Please see the bitnami chart
# documentation:
# https://github.com/bitnami/charts/tree/master/bitnami/redis#parameters
#
# Please note that we recommend using your own deployment for better management.
redis:
# disable if you want to use an existing redis instance; in which case the
# values below must match those of that external redis instance
@ -277,9 +733,46 @@ redis:
# -- you must set a password; the password generated by the redis chart will be
# rotated on each upgrade:
password: ""
# setting password for an existing redis instance will store it in a new Secret
# you can also specify the name of an existing Secret
# with a key of redis-password set to the password you want
# existingSecret: ""
replica:
replicaCount: 0
# Configuration for a separate redis instance only for sidekiq processing.
# If enabled, any values not specified will be copied from the base config.
# If set to false, the main redis instance will be used, and all values will
# be ignored.
sidekiq:
enabled: false
hostname: ""
port: 6379
auth:
password: ""
# you can also specify the name of an existing Secret
# with a key of redis-password set to the password you want
existingSecret: ""
# Configuration for a separate redis instance only for cache.
# If enabled, any values not specified will be copied from the base config.
# If set to false, the main redis instance will be used, and all values will
# be ignored.
cache:
enabled: false
hostname: ""
port: 6379
auth:
password: ""
# you can also specify the name of an existing Secret
# with a key of redis-password set to the password you want
existingSecret: ""
# -- Node(s) on which we will deploy the various redis pods
master:
nodeSelector: {}
replica:
nodeSelector: {}
# @ignored
service:
@ -407,20 +900,25 @@ serviceAccount:
# If not set and create is true, a name is generated using the fullname template
name: ""
# Custom annotations to apply to all created mastodon deployment objects. These
# can be used to help mastodon interact with other services in the cluster.
deploymentAnnotations: {}
# -- Kubernetes manages pods for jobs and pods for deployments differently, so you might
# need to apply different annotations to the two different sets of pods. The annotations
# set with podAnnotations will be added to all deployment-managed pods.
# set with podAnnotations will be added to all mastodon deployment-managed pods.
podAnnotations: {}
# If set to true, an annotation with the current chart release number will be added to all mastodon pods. This will
# cause all pods to be recreated every `helm upgrade` regardless of whether their config or spec changes.
revisionPodAnnotation: true
# The annotations set with jobAnnotations will be added to all job pods.
# The annotations set with jobAnnotations will be added to all mastodon job pods
jobAnnotations: {}
# -- Default resources for all Deployments and jobs unless overwritten
resources: {}
# -- Default resources for all mastodon Deployments and jobs unless overwritten
resources:
{}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
@ -432,11 +930,28 @@ resources: {}
# cpu: 100m
# memory: 128Mi
# @ignored
nodeSelector: {}
# @ignored
tolerations: []
# -- Affinity for all pods unless overwritten
# -- Affinity for all mastodon pods unless overwritten
affinity: {}
# Node(s) on which we will deploy all resources.
# Any node selectors specified for individual resources will override this
# setting.
nodeSelector: {}
# -- Timezone for all mastodon pods unless overwritten
timezone: UTC
# -- Topology Spread Constraints for all mastodon pods unless overwritten
# Please note that you need to use `matchLabelKeys` (Kubernetes 1.25+) if you
# want to spread each deployment independently, or override topologySpreadConstraints
# for each deployment
topologySpreadConstraints: {}
# Default volume mounts for all mastodon pods
volumeMounts: []
# Default volumes for all mastodon pods
volumes: []
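Review bot: The new `hooks.s3Upload.secretRef.keys` block spells its key `accesKeyId` with the default `acces-key-id`; if the upload job template reads that exact path (it is outside this compare), the misspelling becomes part of the chart interface, and an operator who writes `accessKeyId` in an override will silently get the default, so the asset-upload job will look for the S3 access key under the wrong Secret key. Since the block is newly added here, `accessKeyId: access-key-id` can still be corrected without a migration note; if the spelling is kept for compatibility with an upstream chart, a comment above the key saying so would prevent repeated reports. The `pdb` blocks added under `streaming` and `web` use `enable: false` while every other toggle in the file is `enabled:`, an easy mistake to make in an override file, and the same compatibility caveat applies. The `locale:` line now renders as null where it was `en`, which is fine only if the templates treat null as unset; a comment on that line stating the fallback would make the intent clear.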


@ -5,11 +5,11 @@ dependencies:
- condition: postgresql.enabled
name: postgresql
repository: https://charts.bitnami.com/bitnami
version: 13.2.21
version: 16.3.2
- condition: redis.enabled
name: redis
repository: https://charts.bitnami.com/bitnami
version: 18.4.0
version: 20.6.0
type: application
version: 0.3.4
appVersion: 6.1.0
version: 0.4.4
appVersion: 7.2.1


@ -8,7 +8,7 @@ image:
repository: chocobozzz/peertube
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
tag: "v6.1.0-bookworm"
tag: "v7.2.1-bookworm"
imagePullSecrets: []
nameOverride: ""
@ -47,9 +47,9 @@ configAsCode:
window: 5 minutes
max: 3
receive_client_log:
# 10 attempts in 10 min
window: 10 minutes
max: 10
# 1 attempt every 2 seconds
window: 1 minutes
max: 30
plugins:
# 500 attempts in 10 seconds (we also serve plugin static files)
window: 10 seconds
@ -70,6 +70,10 @@ configAsCode:
# 500 attempts in 10 seconds (to not break crawlers)
window: 10 seconds
max: 500
download_generate_video: # A light FFmpeg process is used to generate videos (to merge audio and video streams for example)
# 5 attempts in 5 seconds
window: 5 seconds
max: 5
oauth2:
token_lifetime:
access_token: '1 day'
@ -134,7 +138,8 @@ configAsCode:
# Change default values when publishing a video (upload/import/go Live)
publish:
download_enabled: true
comments_enabled: true
# enabled = 1, disabled = 2, requires_approval = 3
comments_policy: 1
# public = 1, unlisted = 2, private = 3, internal = 4
privacy: 1
# CC-BY = 1, CC-SA = 2, CC-ND = 3, CC-NC = 4, CC-NC-SA = 5, CC-NC-ND = 6, Public Domain = 7
@ -150,6 +155,9 @@ configAsCode:
# Can be enabled/disabled by URL option
embed:
enabled: true
player:
# By default, playback starts automatically when opening a video
auto_play: true
# From the project root directory
storage:
tmp: '/var/www/peertube/storage/tmp/' # Use to download data (imports etc), store uploaded files before and during processing...
@ -210,7 +218,13 @@ configAsCode:
secret_access_key: ''
# Maximum amount to upload in one request to object storage
max_upload_part: 100MB
# Maximum number of attempts to make a request to object storage
# Some object storage providers (for instance Backblaze) expects the client to retry upload upon 5xx errors
# If you're using such a provider then you can increase this value
max_request_attempts: 3
streaming_playlists:
# Bucket name created on your object storage provider
# PeerTube will access it via {bucket_name}.example.com
bucket_name: 'streaming-playlists'
# Allows setting all buckets to the same value but with a different prefix
prefix: '' # Example: 'streaming-playlists:'
@ -221,7 +235,7 @@ configAsCode:
# which can be a problem depending on your object storage provider
# You can also choose to disable this feature to reduce live streams latency
# Live stream replays are not affected by this setting, so they are uploaded in object storage as regular VOD videos
store_live_streams: true
store_live_streams: false
web_videos:
bucket_name: 'web-videos'
prefix: ''
@ -235,10 +249,15 @@ configAsCode:
bucket_name: 'original-video-files'
prefix: ''
base_url: ''
# Video captions
captions:
bucket_name: 'captions'
prefix: ''
base_url: ''
log:
level: 'info' # 'debug' | 'info' | 'warn' | 'error'
rotation:
enabled : true # Enabled by default, if disabled make sure that 'storage.logs' is pointing to a folder handled by logrotate
enabled: true # Enabled by default, if disabled make sure that 'storage.logs' is pointing to a folder handled by logrotate
max_file_size: 12MB
max_files: 20
anonymize_ip: false
@ -277,7 +296,7 @@ configAsCode:
- 'hot' # Adaptation of Reddit's 'Hot' algorithm
- 'most-viewed' # Number of views in the last x days
- 'most-liked' # Global views since the upload of the video
default: 'most-viewed'
default: 'hot'
# Cache remote videos on your server, to help other instances to broadcast the video
# You can define multiple caches using different sizes/strategies
# Once you have defined your strategies, choose which instances you want to cache in admin -> manage follows -> following
@ -304,9 +323,12 @@ configAsCode:
# Other instances that duplicate your content
remote_redundancy:
videos:
# 'nobody': Do not accept remote redundancies
# 'anybody': Accept remote redundancies from anybody
# 'followings': Accept redundancies from instance followings
# PeerTube doesn't remove existing redundancies when you change this setting
# You can remove them in the web interface: https://docs.joinpeertube.org/admin/following-instances#instances-redundancy
# Available values:
# * nobody: Do not accept remote redundancies
# * followings: Accept redundancies from instance followings
# * anybody: Accept remote redundancies from anybody
accept_from: 'followings'
csp:
enabled: false
@ -376,9 +398,14 @@ configAsCode:
# This is an unmoderated plugin index, so only install plugins/themes you trust
index:
enabled: true
check_latest_versions_interval: '12 hours' # How often you want to check new plugins/themes versions
check_latest_versions_interval: '4 hours' # How often you want to check new plugins/themes versions
url: 'https://packages.joinpeertube.org'
federation:
# Enable ActivityPub endpoints (inbox/outbox)
enabled: true
# Prevent SSRF requests (requests to your internal network for example) by checking the request IP address
# More information about SSRF: https://portswigger.net/web-security/ssrf
prevent_ssrf: true
# Some federated software such as Mastodon may require an HTTP signature to access content
sign_federated_fetches: true
videos:
@ -419,6 +446,14 @@ configAsCode:
# Increasing this value will increase CPU and memory usage when generating the thumbnail, especially for high video resolution
# Minimum value is 2
frames_to_analyze: 50
# Only two sizes are currently supported for now (not less, not more)
# 1 size for the thumbnail (displayed in video miniatures)
# 1 size for the preview (displayed in the video player)
sizes:
- width: 280
height: 157
- width: 850
height: 480
stats:
# Display registration requests stats (average response time, total requests...)
registration_requests:
@ -430,6 +465,20 @@ configAsCode:
enabled: true
total_admins:
enabled: true
webrtc:
# 1 or 2 STUN servers are sufficient
stun_servers:
- 'stun:stunserver2024.stunprotocol.org'
- 'stun:stun.framasoft.org'
nsfw_flags_settings:
# Allow logged-in/anonymous users to have a more granular control over their NSFW policy
# using NSFW flags (violent content, etc.) set by video authors
enabled: true
download_generate_video:
# Max parallel downloads on your instance
# Each download spawns an ffmpeg process
# The ffmpeg process ends when users have downloaded the entire file or cancelled the download
max_parallel_downloads: 100
###############################################################################
#
# From this point, all the following keys can be overridden by the web interface
@ -461,7 +510,9 @@ configAsCode:
enabled: true
signup:
enabled: false
limit: 10 # When the limit is reached, registrations are disabled. -1 == unlimited
# When the total number of users in your instance reaches this limit, registrations are disabled.
# -1 == unlimited
limit: 10
minimum_age: 16 # Used to configure the signup form
requires_approval: true
requires_email_verification: false
@ -520,7 +571,7 @@ configAsCode:
# Available in core PeerTube: 'default'
profile: 'default'
resolutions: # Only created if the original video has a higher resolution, uses more storage!
0p: false # audio-only (creates mp4 without video stream, always created when enabled)
0p: false # audio-only (creates mp4 without video stream)
144p: false
240p: false
360p: false
@ -531,6 +582,10 @@ configAsCode:
2160p: false
# Transcode and keep original resolution, even if it's above your maximum enabled resolution
always_transcode_original_resolution: true
fps:
# Cap transcoded video FPS
# Max resolution file still keeps the original FPS
max: 60
# Generate videos in a web compatible format
# If you also enabled the hls format, it will multiply videos storage by 2
# If disabled, breaks federation with PeerTube instances < 2.1
@ -544,6 +599,11 @@ configAsCode:
# If you also enabled the web videos format, it will multiply videos storage by 2
hls:
enabled: true
# Store the audio stream in a separate file from the video
# This option adds the ability for the HLS player to propose the "Audio only" quality to users
# It also saves disk space by not duplicating the audio stream in each resolution file
# /!\ If enabled, remote PeerTube instances < 6.3.0 won't be able to play these videos
split_audio_and_video: false
live:
enabled: true
# Limit lives duration
@ -597,6 +657,7 @@ configAsCode:
# Available in core PeerTube: 'default'
profile: 'default'
resolutions:
0p: false # Audio only
144p: false
240p: false
360p: false
@ -607,6 +668,10 @@ configAsCode:
2160p: false
# Also transcode original resolution, even if it's above your maximum enabled resolution
always_transcode_original_resolution: true
fps:
# Cap transcoded live FPS
# Max resolution stream still keeps the original FPS
max: 60
video_studio:
# Enable video edition by users (cut, add intro/outro, add watermark etc)
# If enabled, users can create transcoding tasks as they wish
@ -616,6 +681,28 @@ configAsCode:
# At least 1 remote runner must be configured to transcode your videos
remote_runners:
enabled: false
video_transcription:
# Enable automatic transcription of videos
enabled: false
# Choose engine for local transcription
# Supported: 'openai-whisper' or 'whisper-ctranslate2'
engine: 'whisper-ctranslate2'
# You can set a custom engine path for local transcription
# If not provided, PeerTube will try to automatically install it in the PeerTube bin directory
engine_path: null
# Choose engine model for local transcription
# Available for 'openai-whisper' and 'whisper-ctranslate2': 'tiny', 'base', 'small', 'medium', 'large-v2' or 'large-v3'
model: 'small'
# Or specify the model path:
# * PyTorch model file path for 'openai-whisper'
# * CTranslate2 Whisper model directory path for 'whisper-ctranslate2'
# If not provided, PeerTube will automatically download the model
model_path: null
# Enable remote runners to transcribe videos
# If enabled, your instance won't transcribe the videos itself
# At least 1 remote runner must be configured to transcribe your videos
remote_runners:
enabled: false
video_file:
update:
# Add ability for users to replace the video file of an existing video
@ -635,17 +722,31 @@ configAsCode:
youtube_dl_release:
# Direct download URL to youtube-dl binary
# Github releases API is also supported
# Examples:
#
# Platform-independent examples:
# * https://api.github.com/repos/ytdl-org/youtube-dl/releases
# * https://api.github.com/repos/yt-dlp/yt-dlp/releases
# * https://yt-dl.org/downloads/latest/youtube-dl
#
# You can also use a youtube-dl standalone binary (requires python_path: null)
# GNU/Linux binaries with support for impersonating browser requests (required by some platforms such as Vimeo) examples:
# * https://github.com/yt-dlp/yt-dlp/releases/latest/download/yt-dlp_linux (x64)
# * https://github.com/yt-dlp/yt-dlp/releases/latest/download/yt-dlp_linux_armv7l (ARMv7)
# * https://github.com/yt-dlp/yt-dlp/releases/latest/download/yt-dlp_linux_armv7l (ARMv8/AArch64/ARM64)
url: 'https://api.github.com/repos/yt-dlp/yt-dlp/releases'
# Release binary name: 'yt-dlp' or 'youtube-dl'
name: 'yt-dlp'
# Path to the python binary to execute for youtube-dl or yt-dlp
# Set to null if you use a youtube-dl executable
python_path: '/usr/bin/python3'
# IPv6 is very strongly rate-limited on most sites supported by youtube-dl
force_ipv4: false
# By default PeerTube uses HTTP_PROXY and HTTPS_PROXY environment variables
# But you can specify custom proxies for youtube-dl because remote websites (like YouTube) may block your server IP address
# PeerTube will randomly select a proxy from the following list
# You may need to use a standalone youtube-dl binary (see `url` key comment above) to use this feature
proxies:
# - "https://username:password@example.com:8888"
# Magnet URI or torrent file (use classic TCP/UDP/WebSeed to download the file)
torrent:
# We recommend to only enable magnet URI/torrent import if you trust your users
@ -699,16 +800,19 @@ configAsCode:
# If you want to explain on what type of hardware your PeerTube instance runs
# Example: '2 vCore, 2GB RAM...'
hardware_information: '' # Supports Markdown
# What are the main languages of your instance? To interact with your users for example
# Describe the languages spoken on your instance, to interact with your users for example
# Uncomment or add the languages you want
# List of supported languages: https://peertube.cpy.re/api/v1/videos/languages
# PeerTube plugins can add additional languages to the official list of supported languages
languages:
# - en
# - es
# - fr
# You can specify the main categories of your instance (dedicated to music, gaming or politics etc)
# Uncomment or add the category ids you want
# Describe the main categories of your instance (to explain for example that your instance is dedicated to music, gaming, etc.)
# Uncomment categories you want
# List of supported categories: https://peertube.cpy.re/api/v1/videos/categories
# PeerTube plugins can add additional categories to the official list of supported categories
categories:
# - 1 # Music
# - 2 # Films
@ -728,14 +832,28 @@ configAsCode:
# - 16 # Animals
# - 17 # Kids
# - 18 # Food
default_client_route: '/videos/trending'
default_client_route: '/videos/browse'
# Whether or not the instance is dedicated to NSFW content
# Enabling it will allow other administrators to know that you are mainly federating sensitive content
# Moreover, the NSFW checkbox on video upload will be automatically checked by default
is_nsfw: false
# By default, `do_not_list` or `blur` or `display` NSFW videos
# By default, `do_not_list`, `blur`, `warn` or `display` NSFW videos
# Could be overridden per user with a setting
default_nsfw_policy: 'display'
# PeerTube uses this setting to explain to your users which law they must follow in the "About" instance pages
server_country: '' # Example: "France", "United States", "España"
support:
# Explain to your users how to support your instance
# If set, PeerTube will display a "Support" button in "About" instance pages
text: '' # Supports Markdown
# If set, PeerTube will display buttons in "About" instance pages
social:
# Link to your main website
external_link: ''
# Mastodon
mastodon_link: ''
# Bluesky
bluesky_link: ''
customizations:
javascript: '' # Directly your JavaScript code (without <script> tags). Will be eval at runtime
css: '' # Directly your CSS code (without <style> tags). Will be injected at runtime
@ -796,11 +914,12 @@ configAsCode:
# instead of loading the video locally
search_index:
enabled: false
# URL of the search index, that should use the same search API and routes
# than PeerTube: https://docs.joinpeertube.org/api-rest-reference.html
# You should deploy your own with https://framagit.org/framasoft/peertube/search-index,
# and can use https://search.joinpeertube.org/ for tests, but keep in mind the latter is an unmoderated search index
url: ''
# URL of the search index, which should use the same search API and routes
# as PeerTube: https://docs.joinpeertube.org/api-rest-reference.html
# You can deploy your own with https://framagit.org/framasoft/peertube/search-index,
# or you can use the official one: https://sepiasearch.org.
# But keep in mind it is an unmoderated search index
url: 'https://sepiasearch.org'
# You can disable local search in the client, so users only use the search index
disable_local_search: false
# If you did not disable local search in the client, you can decide to use the search index by default
@ -811,17 +930,36 @@ configAsCode:
miniature:
# By default PeerTube client displays author username
prefer_author_display_name: false
display_author_avatar: false
resumable_upload:
# Max size of upload chunks, e.g. '90MB'
# If null, it will be calculated based on network speed
max_chunk_size: null
menu:
login:
# If you enable only one external auth plugin
# You can automatically redirect your users on this external platform when they click on the login button
redirect_on_single_external_auth: false
open_in_app:
android:
# Use an intent URL: https://developer.chrome.com/docs/android/intents
intent:
enabled: true
# Host registered by the mobile app
host: 'joinpeertube.org'
# Scheme registered by the mobile app
scheme: 'peertube'
# If not having the app on the mobile device, open this page
# F-Droid alternative: https://f-droid.org/packages/org.framasoft.peertube/
fallback_url: 'https://play.google.com/store/apps/details?id=org.framasoft.peertube'
ios:
# We use a timeout for iOS: if the app is not opened after a few seconds, open the fallback URL
enabled: true
# Host registered by the mobile app
host: 'joinpeertube.org'
# Scheme registered by the mobile app
scheme: 'peertube'
# If not having the app on the mobile device, open this page
fallback_url: 'https://apps.apple.com/fr/app/peertube/id6737834858'
storyboards:
# Generate storyboards of local videos using ffmpeg so users can see the video preview in the player while scrubbing the video
enabled: true
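Review bot: The third yt-dlp example under `youtube_dl_release` labels the `yt-dlp_linux_armv7l` asset as "ARMv8/AArch64/ARM64" while the line above already gives the same URL for ARMv7, so an operator on an arm64 node who copies that URL installs a 32-bit binary; that line should point at the 64-bit asset (presumably `yt-dlp_linux_aarch64` — verify against the release assets) or be dropped. The enclosing `import` block starts outside this hunk, so the `url:`/`python_path:` pairing is only partly visible here. Related, the new `proxies` example embeds credentials (`# - "https://username:password@example.com:8888"`); since `configAsCode` is presumably rendered into a ConfigMap by the chart, a comment such as `# Prefer HTTP_PROXY/HTTPS_PROXY from a Secret; values in this list land in the config file` would steer operators away from committing proxy credentials to values. Finally, the new `download_generate_video.max_parallel_downloads: 100` spawns up to 100 ffmpeg processes per pod even though `resources: {}` leaves them unbounded by default; a one-line note that this should be sized against the pod's CPU/memory limits would help.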


@ -14,8 +14,8 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
version: 0.1.5
version: 0.1.7
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application.
appVersion: 3.5.9
appVersion: 3.5.25


@ -14,7 +14,7 @@ tls:
postfix:
image:
repository: gitea.geekhome.org/ghp/postfix
tag: 3.5.9-2
tag: 3.5.25-1
pullPolicy: Always
configmaps:
main: |


@ -1,7 +1,7 @@
apiVersion: v2
name: postgres-operator-ui
version: 1.11.0
appVersion: 1.11.0
version: 1.13.0
appVersion: 1.13.0
home: https://github.com/zalando/postgres-operator
description: Postgres Operator UI provides a graphical interface for a convenient database-as-a-service user experience
keywords:


@ -1,9 +1,55 @@
apiVersion: v1
entries:
postgres-operator-ui:
- apiVersion: v2
appVersion: 1.13.0
created: "2024-08-21T18:55:36.524305158+02:00"
description: Postgres Operator UI provides a graphical interface for a convenient
database-as-a-service user experience
digest: e0444e516b50f82002d1a733527813c51759a627cefdd1005cea73659f824ea8
home: https://github.com/zalando/postgres-operator
keywords:
- postgres
- operator
- ui
- cloud-native
- patroni
- spilo
maintainers:
- email: opensource@zalando.de
name: Zalando
name: postgres-operator-ui
sources:
- https://github.com/zalando/postgres-operator
urls:
- postgres-operator-ui-1.13.0.tgz
version: 1.13.0
- apiVersion: v2
appVersion: 1.12.2
created: "2024-08-21T18:55:36.521875733+02:00"
description: Postgres Operator UI provides a graphical interface for a convenient
database-as-a-service user experience
digest: cbcef400c23ccece27d97369ad629278265c013e0a45c0b7f33e7568a082fedd
home: https://github.com/zalando/postgres-operator
keywords:
- postgres
- operator
- ui
- cloud-native
- patroni
- spilo
maintainers:
- email: opensource@zalando.de
name: Zalando
name: postgres-operator-ui
sources:
- https://github.com/zalando/postgres-operator
urls:
- postgres-operator-ui-1.12.2.tgz
version: 1.12.2
- apiVersion: v2
appVersion: 1.11.0
created: "2024-03-14T17:12:46.692800586+01:00"
created: "2024-08-21T18:55:36.51959105+02:00"
description: Postgres Operator UI provides a graphical interface for a convenient
database-as-a-service user experience
digest: a45f2284045c2a9a79750a36997386444f39b01ac722b17c84b431457577a3a2
@ -26,7 +72,7 @@ entries:
version: 1.11.0
- apiVersion: v2
appVersion: 1.10.1
created: "2024-03-14T17:12:46.691746076+01:00"
created: "2024-08-21T18:55:36.516518177+02:00"
description: Postgres Operator UI provides a graphical interface for a convenient
database-as-a-service user experience
digest: 2e5e7a82aebee519ec57c6243eb8735124aa4585a3a19c66ffd69638fbeb11ce
@ -47,32 +93,9 @@ entries:
urls:
- postgres-operator-ui-1.10.1.tgz
version: 1.10.1
- apiVersion: v2
appVersion: 1.10.0
created: "2024-03-14T17:12:46.690807634+01:00"
description: Postgres Operator UI provides a graphical interface for a convenient
database-as-a-service user experience
digest: 47413650e3188539ae778a601998efa2c4f80b8aa16e3668a2fc7b72e014b605
home: https://github.com/zalando/postgres-operator
keywords:
- postgres
- operator
- ui
- cloud-native
- patroni
- spilo
maintainers:
- email: opensource@zalando.de
name: Zalando
name: postgres-operator-ui
sources:
- https://github.com/zalando/postgres-operator
urls:
- postgres-operator-ui-1.10.0.tgz
version: 1.10.0
- apiVersion: v2
appVersion: 1.9.0
created: "2024-03-14T17:12:46.696626932+01:00"
created: "2024-08-21T18:55:36.52712908+02:00"
description: Postgres Operator UI provides a graphical interface for a convenient
database-as-a-service user experience
digest: df434af6c8b697fe0631017ecc25e3c79e125361ae6622347cea41a545153bdc
@ -93,73 +116,4 @@ entries:
urls:
- postgres-operator-ui-1.9.0.tgz
version: 1.9.0
- apiVersion: v2
appVersion: 1.8.2
created: "2024-03-14T17:12:46.69565936+01:00"
description: Postgres Operator UI provides a graphical interface for a convenient
database-as-a-service user experience
digest: fbfc90fa8fd007a08a7c02e0ec9108bb8282cbb42b8c976d88f2193d6edff30c
home: https://github.com/zalando/postgres-operator
keywords:
- postgres
- operator
- ui
- cloud-native
- patroni
- spilo
maintainers:
- email: opensource@zalando.de
name: Zalando
name: postgres-operator-ui
sources:
- https://github.com/zalando/postgres-operator
urls:
- postgres-operator-ui-1.8.2.tgz
version: 1.8.2
- apiVersion: v2
appVersion: 1.8.1
created: "2024-03-14T17:12:46.694691362+01:00"
description: Postgres Operator UI provides a graphical interface for a convenient
database-as-a-service user experience
digest: d26342e385ea51a0fbfbe23477999863e9489664ae803ea5c56da8897db84d24
home: https://github.com/zalando/postgres-operator
keywords:
- postgres
- operator
- ui
- cloud-native
- patroni
- spilo
maintainers:
- email: opensource@zalando.de
name: Zalando
name: postgres-operator-ui
sources:
- https://github.com/zalando/postgres-operator
urls:
- postgres-operator-ui-1.8.1.tgz
version: 1.8.1
- apiVersion: v1
appVersion: 1.8.0
created: "2024-03-14T17:12:46.693750873+01:00"
description: Postgres Operator UI provides a graphical interface for a convenient
database-as-a-service user experience
digest: d4a7b40c23fd167841cc28342afdbd5ecc809181913a5c31061c83139187f148
home: https://github.com/zalando/postgres-operator
keywords:
- postgres
- operator
- ui
- cloud-native
- patroni
- spilo
maintainers:
- email: opensource@zalando.de
name: Zalando
name: postgres-operator-ui
sources:
- https://github.com/zalando/postgres-operator
urls:
- postgres-operator-ui-1.8.0.tgz
version: 1.8.0
generated: "2024-03-14T17:12:46.689654615+01:00"
generated: "2024-08-21T18:55:36.512456099+02:00"


@ -94,3 +94,12 @@ spec:
{{- if .Values.extraEnvs }}
{{- .Values.extraEnvs | toYaml | nindent 12 }}
{{- end }}
affinity:
{{ toYaml .Values.affinity | indent 8 }}
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
tolerations:
{{ toYaml .Values.tolerations | indent 8 }}
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName }}
{{- end }}


@ -6,9 +6,9 @@ replicaCount: 1
# configure ui image
image:
registry: registry.opensource.zalan.do
repository: acid/postgres-operator-ui
tag: v1.11.0
registry: ghcr.io
repository: zalando/postgres-operator-ui
tag: v1.13.0
pullPolicy: "IfNotPresent"
# Optionally specify an array of imagePullSecrets.
@ -111,3 +111,18 @@ ingress:
# - secretName: ui-tls
# hosts:
# - ui.exmaple.org
# priority class for operator-ui pod
priorityClassName: ""
# Affinity for pod assignment
# Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
affinity: {}
# Node labels for pod assignment
# Ref: https://kubernetes.io/docs/user-guide/node-selection/
nodeSelector: {}
# Tolerations for pod assignment
# Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tolerations: []


@ -1,7 +1,7 @@
apiVersion: v2
name: postgres-operator
version: 1.11.0
appVersion: 1.11.0
version: 1.13.0
appVersion: 1.13.0
home: https://github.com/zalando/postgres-operator
description: Postgres Operator creates and manages PostgreSQL clusters running in Kubernetes
keywords:


@ -68,7 +68,7 @@ spec:
type: string
docker_image:
type: string
default: "ghcr.io/zalando/spilo-16:3.2-p2"
default: "ghcr.io/zalando/spilo-16:3.3-p1"
enable_crd_registration:
type: boolean
default: true
@ -160,7 +160,7 @@ spec:
properties:
major_version_upgrade_mode:
type: string
default: "off"
default: "manual"
major_version_upgrade_team_allow_list:
type: array
items:
@ -211,6 +211,9 @@ spec:
enable_init_containers:
type: boolean
default: true
enable_owner_references:
type: boolean
default: false
enable_persistent_volume_claim_deletion:
type: boolean
default: true
@ -223,6 +226,9 @@ spec:
enable_readiness_probe:
type: boolean
default: false
enable_secrets_deletion:
type: boolean
default: true
enable_sidecars:
type: boolean
default: true
@ -281,6 +287,9 @@ spec:
oauth_token_secret_name:
type: string
default: "postgresql-operator"
pdb_master_label_selector:
type: boolean
default: true
pdb_name_format:
type: string
default: "postgres-{cluster}-pdb"
@ -463,7 +472,6 @@ spec:
type: string
additional_secret_mount_path:
type: string
default: "/meta/credentials"
aws_region:
type: string
default: "eu-central-1"
@ -502,7 +510,7 @@ spec:
pattern: '^(\d+m|\d+(\.\d{1,3})?)$'
logical_backup_docker_image:
type: string
default: "registry.opensource.zalan.do/acid/logical-backup:v1.11.0"
default: "ghcr.io/zalando/postgres-operator/logical-backup:v1.13.0"
logical_backup_google_application_credentials:
type: string
logical_backup_job_prefix:
@ -525,6 +533,8 @@ spec:
type: string
logical_backup_s3_bucket:
type: string
logical_backup_s3_bucket_prefix:
type: string
logical_backup_s3_endpoint:
type: string
logical_backup_s3_region:


@ -87,10 +87,14 @@ spec:
- mountPath
- volumeSource
properties:
isSubPathExpr:
type: boolean
name:
type: string
mountPath:
type: string
subPath:
type: string
targetContainers:
type: array
nullable: true
@ -99,8 +103,6 @@ spec:
volumeSource:
type: object
x-kubernetes-preserve-unknown-fields: true
subPath:
type: string
allowedSourceRanges:
type: array
nullable: true
@ -215,6 +217,8 @@ spec:
items:
type: object
x-kubernetes-preserve-unknown-fields: true
logicalBackupRetention:
type: string
logicalBackupSchedule:
type: string
pattern: '^(\d+|\*)(/\d+)?(\s+(\d+|\*)(/\d+)?){4}$'
@ -222,7 +226,7 @@ spec:
type: array
items:
type: string
pattern: '^\ *((Mon|Tue|Wed|Thu|Fri|Sat|Sun):(2[0-3]|[01]?\d):([0-5]?\d)|(2[0-3]|[01]?\d):([0-5]?\d))-((Mon|Tue|Wed|Thu|Fri|Sat|Sun):(2[0-3]|[01]?\d):([0-5]?\d)|(2[0-3]|[01]?\d):([0-5]?\d))\ *$'
pattern: '^\ *((Mon|Tue|Wed|Thu|Fri|Sat|Sun):(2[0-3]|[01]?\d):([0-5]?\d)|(2[0-3]|[01]?\d):([0-5]?\d))-((2[0-3]|[01]?\d):([0-5]?\d)|(2[0-3]|[01]?\d):([0-5]?\d))\ *$'
masterServiceAnnotations:
type: object
additionalProperties:
@ -371,7 +375,6 @@ spec:
version:
type: string
enum:
- "11"
- "12"
- "13"
- "14"
@ -632,6 +635,8 @@ spec:
required:
- size
properties:
isSubPathExpr:
type: boolean
iops:
type: integer
selector:


@ -2,11 +2,55 @@ apiVersion: v1
entries:
postgres-operator:
- apiVersion: v2
appVersion: 1.11.0
created: "2024-03-14T17:11:54.311938906+01:00"
appVersion: 1.13.0
created: "2024-08-21T18:54:43.160735116+02:00"
description: Postgres Operator creates and manages PostgreSQL clusters running
in Kubernetes
digest: f12f5ae9282dd77d37e3bfd0aa47be58ed0b2f02056889d8f1111bdb2b9fe286
digest: a839601689aea0a7e6bc0712a5244d435683cf3314c95794097ff08540e1dfef
home: https://github.com/zalando/postgres-operator
keywords:
- postgres
- operator
- cloud-native
- patroni
- spilo
maintainers:
- email: opensource@zalando.de
name: Zalando
name: postgres-operator
sources:
- https://github.com/zalando/postgres-operator
urls:
- postgres-operator-1.13.0.tgz
version: 1.13.0
- apiVersion: v2
appVersion: 1.12.2
created: "2024-08-21T18:54:43.152249286+02:00"
description: Postgres Operator creates and manages PostgreSQL clusters running
in Kubernetes
digest: 65858d14a40d7fd90c32bd9fc60021acc9555c161079f43a365c70171eaf21d8
home: https://github.com/zalando/postgres-operator
keywords:
- postgres
- operator
- cloud-native
- patroni
- spilo
maintainers:
- email: opensource@zalando.de
name: Zalando
name: postgres-operator
sources:
- https://github.com/zalando/postgres-operator
urls:
- postgres-operator-1.12.2.tgz
version: 1.12.2
- apiVersion: v2
appVersion: 1.11.0
created: "2024-08-21T18:54:43.145837894+02:00"
description: Postgres Operator creates and manages PostgreSQL clusters running
in Kubernetes
digest: 3914b5e117bda0834f05c9207f007e2ac372864cf6e86dcc2e1362bbe46c14d9
home: https://github.com/zalando/postgres-operator
keywords:
- postgres
@ -25,7 +69,7 @@ entries:
version: 1.11.0
- apiVersion: v2
appVersion: 1.10.1
created: "2024-03-14T17:11:54.3101439+01:00"
created: "2024-08-21T18:54:43.139552116+02:00"
description: Postgres Operator creates and manages PostgreSQL clusters running
in Kubernetes
digest: cc3baa41753da92466223d0b334df27e79c882296577b404a8e9071411fcf19c
@ -45,31 +89,9 @@ entries:
urls:
- postgres-operator-1.10.1.tgz
version: 1.10.1
- apiVersion: v2
appVersion: 1.10.0
created: "2024-03-14T17:11:54.308561116+01:00"
description: Postgres Operator creates and manages PostgreSQL clusters running
in Kubernetes
digest: 60fc5c8059dfed175d14e1034b40997d9c59d33ec8ea158c0597f7228ab04b51
home: https://github.com/zalando/postgres-operator
keywords:
- postgres
- operator
- cloud-native
- patroni
- spilo
maintainers:
- email: opensource@zalando.de
name: Zalando
name: postgres-operator
sources:
- https://github.com/zalando/postgres-operator
urls:
- postgres-operator-1.10.0.tgz
version: 1.10.0
- apiVersion: v2
appVersion: 1.9.0
created: "2024-03-14T17:11:54.3194627+01:00"
created: "2024-08-21T18:54:43.168490032+02:00"
description: Postgres Operator creates and manages PostgreSQL clusters running
in Kubernetes
digest: 64df90c898ca591eb3a330328173ffaadfbf9ddd474d8c42ed143edc9e3f4276
@ -89,70 +111,4 @@ entries:
urls:
- postgres-operator-1.9.0.tgz
version: 1.9.0
- apiVersion: v2
appVersion: 1.8.2
created: "2024-03-14T17:11:54.317846817+01:00"
description: Postgres Operator creates and manages PostgreSQL clusters running
in Kubernetes
digest: f77ffad2e98b72a621e5527015cf607935d3ed688f10ba4b626435acb9631b5b
home: https://github.com/zalando/postgres-operator
keywords:
- postgres
- operator
- cloud-native
- patroni
- spilo
maintainers:
- email: opensource@zalando.de
name: Zalando
name: postgres-operator
sources:
- https://github.com/zalando/postgres-operator
urls:
- postgres-operator-1.8.2.tgz
version: 1.8.2
- apiVersion: v2
appVersion: 1.8.1
created: "2024-03-14T17:11:54.315242584+01:00"
description: Postgres Operator creates and manages PostgreSQL clusters running
in Kubernetes
digest: ee0c3bb6ba72fa4289ba3b1c6060e5b312dd023faba2a61b4cb7d9e5e2cc57a5
home: https://github.com/zalando/postgres-operator
keywords:
- postgres
- operator
- cloud-native
- patroni
- spilo
maintainers:
- email: opensource@zalando.de
name: Zalando
name: postgres-operator
sources:
- https://github.com/zalando/postgres-operator
urls:
- postgres-operator-1.8.1.tgz
version: 1.8.1
- apiVersion: v1
appVersion: 1.8.0
created: "2024-03-14T17:11:54.313632778+01:00"
description: Postgres Operator creates and manages PostgreSQL clusters running
in Kubernetes
digest: 3ae232cf009e09aa2ad11c171484cd2f1b72e63c59735e58fbe2b6eb842f4c86
home: https://github.com/zalando/postgres-operator
keywords:
- postgres
- operator
- cloud-native
- patroni
- spilo
maintainers:
- email: opensource@zalando.de
name: Zalando
name: postgres-operator
sources:
- https://github.com/zalando/postgres-operator
urls:
- postgres-operator-1.8.0.tgz
version: 1.8.0
generated: "2024-03-14T17:11:54.305930529+01:00"
generated: "2024-08-21T18:54:43.126871802+02:00"


@ -70,8 +70,8 @@ Flatten nested config options when ConfigMap is used as ConfigTarget
{{- $list := list }}
{{- range $subKey, $subValue := $value }}
{{- $list = append $list (printf "%s:%s" $subKey $subValue) }}
{{ $key }}: {{ join "," $list | quote }}
{{- end }}
{{ $key }}: {{ join "," $list | quote }}
{{- else }}
{{ $key }}: {{ $value | quote }}
{{- end }}


@ -120,6 +120,7 @@ rules:
- create
- delete
- get
- patch
- update
# to check nodes for node readiness label
- apiGroups:
@ -196,6 +197,7 @@ rules:
- get
- list
- patch
- update
# to CRUD cron jobs for logical backups
- apiGroups:
- batch


@ -52,6 +52,9 @@ spec:
{{- if .Values.controllerID.create }}
- name: CONTROLLER_ID
value: {{ template "postgres-operator.controllerID" . }}
{{- end }}
{{- if .Values.extraEnvs }}
{{- .Values.extraEnvs | toYaml | nindent 12 }}
{{- end }}
resources:
{{ toYaml .Values.resources | indent 10 }}
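Review bot: `extraEnvs` is appended after the chart's own entries (`CONTROLLER_ID` just above) with no name check, so a user entry that reuses a built-in name lands twice in the container's `env` list; Kubernetes resolves such duplicates by taking the later entry, as far as I know, which silently makes `extraEnvs` an override mechanism. State that in the `extraEnvs` comment in `values.yaml`, e.g. `# entries are appended after the chart's own env vars; a duplicate name overrides the chart value`. The enclosing container spec starts above the hunk.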


@ -14,7 +14,7 @@ configuration:
users:
{{ tpl (toYaml .Values.configUsers) . | indent 4 }}
major_version_upgrade:
{{ toYaml .Values.configMajorVersionUpgrade | indent 4 }}
{{ tpl (toYaml .Values.configMajorVersionUpgrade) . | indent 4 }}
kubernetes:
{{- if .Values.podPriorityClassName.name }}
pod_priority_class_name: {{ .Values.podPriorityClassName.name }}
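Review bot: Routing `configMajorVersionUpgrade` through `tpl` (and every other section in the `@ -23,23 +23,23` hunk) means any value containing `{{` is now evaluated as a template with access to the full chart context instead of being copied through, so a user value that previously held a literal `{{` will fail to render or change meaning on upgrade. This deserves a line in the chart's upgrade notes and a comment on the affected keys in `values.yaml`, e.g. `# values are rendered with tpl; write a literal "{{" as {{ "{{" }}`. The `configuration:` mapping starts above the hunk.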
@ -23,23 +23,23 @@ configuration:
oauth_token_secret_name: {{ template "postgres-operator.fullname" . }}
{{ tpl (toYaml .Values.configKubernetes) . | indent 4 }}
postgres_pod_resources:
{{ toYaml .Values.configPostgresPodResources | indent 4 }}
{{ tpl (toYaml .Values.configPostgresPodResources) . | indent 4 }}
timeouts:
{{ toYaml .Values.configTimeouts | indent 4 }}
{{ tpl (toYaml .Values.configTimeouts) . | indent 4 }}
load_balancer:
{{ toYaml .Values.configLoadBalancer | indent 4 }}
{{ tpl (toYaml .Values.configLoadBalancer) . | indent 4 }}
aws_or_gcp:
{{ toYaml .Values.configAwsOrGcp | indent 4 }}
{{ tpl (toYaml .Values.configAwsOrGcp) . | indent 4 }}
logical_backup:
{{ toYaml .Values.configLogicalBackup | indent 4 }}
{{ tpl (toYaml .Values.configLogicalBackup) . | indent 4 }}
debug:
{{ toYaml .Values.configDebug | indent 4 }}
{{ tpl (toYaml .Values.configDebug) . | indent 4 }}
teams_api:
{{ tpl (toYaml .Values.configTeamsApi) . | indent 4 }}
logging_rest_api:
{{ toYaml .Values.configLoggingRestApi | indent 4 }}
{{ tpl (toYaml .Values.configLoggingRestApi) . | indent 4 }}
connection_pooler:
{{ toYaml .Values.configConnectionPooler | indent 4 }}
{{ tpl (toYaml .Values.configConnectionPooler) . | indent 4 }}
patroni:
{{ toYaml .Values.configPatroni | indent 4 }}
{{ tpl (toYaml .Values.configPatroni) . | indent 4 }}
{{- end }}


@ -1,7 +1,7 @@
image:
registry: registry.opensource.zalan.do
repository: acid/postgres-operator
tag: v1.11.0
registry: ghcr.io
repository: zalando/postgres-operator
tag: v1.13.0
pullPolicy: "IfNotPresent"
# Optionally specify an array of imagePullSecrets.
@ -38,7 +38,7 @@ configGeneral:
# etcd connection string for Patroni. Empty uses K8s-native DCS.
etcd_host: ""
# Spilo docker image
docker_image: ghcr.io/zalando/spilo-16:3.2-p2
docker_image: ghcr.io/zalando/spilo-16:3.3-p1
# key name for annotation to ignore globally configured instance limits
# ignore_instance_limits_annotation_key: ""
@ -83,7 +83,7 @@ configUsers:
configMajorVersionUpgrade:
# "off": no upgrade, "manual": manifest triggers action, "full": minimal version violation triggers too
major_version_upgrade_mode: "off"
major_version_upgrade_mode: "manual"
# upgrades will only be carried out for clusters of listed teams when mode is "off"
# major_version_upgrade_team_allow_list:
# - acid
@ -129,6 +129,8 @@ configKubernetes:
enable_finalizers: false
# enables initContainers to run actions before Spilo is started
enable_init_containers: true
# toggles if child resources should have an owner reference to the postgresql CR
enable_owner_references: false
# toggles if operator should delete PVCs on cluster deletion
enable_persistent_volume_claim_deletion: true
# toggles pod anti affinity on the Postgres pods
@ -137,6 +139,8 @@ configKubernetes:
enable_pod_disruption_budget: true
# toogles readiness probe for database pods
enable_readiness_probe: false
# toggles if operator should delete secrets on cluster deletion
enable_secrets_deletion: true
# enables sidecar containers to run alongside Spilo in the same pod
enable_sidecars: true
@ -169,7 +173,9 @@ configKubernetes:
# namespaced name of the secret containing the OAuth2 token to pass to the teams API
# oauth_token_secret_name: postgresql-operator
# defines the template for PDB (Pod Disruption Budget) names
# toggle if `spilo-role=master` selector should be added to the PDB (Pod Disruption Budget)
pdb_master_label_selector: true
# defines the template for PDB names
pdb_name_format: "postgres-{cluster}-pdb"
# specify the PVC retention policy when scaling down and/or deleting
persistent_volume_claim_retention_policy:
@ -358,7 +364,7 @@ configLogicalBackup:
# logical_backup_memory_request: ""
# image for pods of the logical backup job (example runs pg_dumpall)
logical_backup_docker_image: "registry.opensource.zalan.do/acid/logical-backup:v1.11.0"
logical_backup_docker_image: "ghcr.io/zalando/postgres-operator/logical-backup:v1.13.0"
# path of google cloud service account json file
# logical_backup_google_application_credentials: ""
@ -370,6 +376,8 @@ configLogicalBackup:
logical_backup_s3_access_key_id: ""
# S3 bucket to store backup results
logical_backup_s3_bucket: "my-bucket-url"
# S3 bucket prefix to use
logical_backup_s3_bucket_prefix: "spilo"
# S3 region of bucket
logical_backup_s3_region: ""
# S3 endpoint url when not using AWS
@ -498,6 +506,24 @@ readinessProbe:
initialDelaySeconds: 5
periodSeconds: 10
# configure extra environment variables
# Extra environment variables are writen in kubernetes format and added "as is" to the pod's env variables
# https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/
# https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables
extraEnvs:
[]
# Exemple of settings maximum amount of memory / cpu that can be used by go process (to match resources.limits)
# - name: MY_VAR
# value: my-value
# - name: GOMAXPROCS
# valueFrom:
# resourceFieldRef:
# resource: limits.cpu
# - name: GOMEMLIMIT
# valueFrom:
# resourceFieldRef:
# resource: limits.memory
# Affinity for pod assignment
# Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
affinity: {}
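Review bot: `major_version_upgrade_mode` changes its default from `"off"` to `"manual"` in the `@ -83,7 +83,7` hunk, so a `helm upgrade` with unchanged user values enables manifest-triggered major-version upgrades for existing clusters; this presumably mirrors the upstream v1.13.0 chart default, but it is a behaviour change and should be called out in the chart's release notes or README. In the `extraEnvs` hunk the comments have two typos: `writen` → `written` and `Exemple` → `Example`.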


@ -1,6 +1,6 @@
apiVersion: v2
appVersion: "1.6.7"
appVersion: "1.6.11"
description: A Helm chart for Kubernetes
name: roundcube
version: 0.4.2
version: 0.4.6
icon: https://github.com/roundcube/roundcubemail/blob/master/skins/classic/images/roundcube_logo.png


@ -2,7 +2,7 @@ replicaCount: 1
image:
repository: roundcube/roundcubemail
tag: 1.6.7-apache
tag: 1.6.11-apache
pullPolicy: IfNotPresent
args: [ sh, -c, 'update-ca-certificates && /docker-entrypoint.sh apache2-foreground' ]


@ -7,5 +7,5 @@ dependencies:
repository: https://charts.bitnami.com/bitnami
version: 17.9.3
type: application
version: 0.5.2
appVersion: 3.8.4
version: 0.5.7
appVersion: 3.12.1


@ -10,7 +10,7 @@ persistence:
rspamd:
image:
repository: gitea.geekhome.org/ghp/rspamd
tag: 3.8.4-1
tag: 3.12.1-1
pullPolicy: Always
local.d:
redis.conf: |


@ -2,10 +2,10 @@ apiVersion: v2
name: wikijs
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
version: 2.3.15
version: 2.3.19
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application.
appVersion: 2.5.303
appVersion: 2.5.307
description: The most powerful and extensible open source Wiki software.
keywords:
- wiki


@ -6,7 +6,7 @@ replicaCount: 1
image:
repository: requarks/wiki
tag: 2.5.303
tag: 2.5.307
pullPolicy: IfNotPresent
imagePullSecrets: []