image: repository: ghcr.io/mastodon/mastodon # https://github.com/mastodon/mastodon/pkgs/container/mastodon # # alternatively, use `latest` for the latest release or `edge` for the image # built from the most recent commit # # tag: latest tag: "v4.2.10" # use `Always` when using `latest` tag pullPolicy: IfNotPresent mastodon: # Labels added to every Mastodon-related object labels: {} # -- create an initial administrator user; the password is autogenerated and will # have to be reset createAdmin: # @ignored enabled: false # @ignored username: not_gargron # @ignored password: not_gargron # @ignored email: not@example.com hooks: dbMigrate: enabled: true assetsPrecompile: enabled: true # Custom labels to add to kubernetes resources #labels: cron: # -- run `tootctl media remove` every week removeMedia: # @ignored enabled: true # @ignored schedule: "0 0 * * 0" # -- available locales: https://github.com/mastodon/mastodon/blob/main/config/application.rb#L71 locale: en local_domain: mastodon.local # -- Use of WEB_DOMAIN requires careful consideration: https://docs.joinmastodon.org/admin/config/#federation # You must redirect the path LOCAL_DOMAIN/.well-known/ to WEB_DOMAIN/.well-known/ as described # Example: mastodon.example.com web_domain: null # -- If you have multiple domains pointed at your Mastodon server, this setting will allow Mastodon to recognize # itself when users are addressed using those other domains. alternate_domains: [] # -- If set to true, the frontpage of your Mastodon server will always redirect to the first profile in the database and registrations will be disabled. singleUserMode: false # -- Enables "Secure Mode" for more details see: https://docs.joinmastodon.org/admin/config/#authorized_fetch authorizedFetch: false # -- Enables "Limited Federation Mode" for more details see: https://docs.joinmastodon.org/admin/config/#limited_federation_mode limitedFederationMode: false persistence: assets: # -- ReadWriteOnce is more widely supported than ReadWriteMany, but limits # scalability, since it requires the Rails and Sidekiq pods to run on the # same node. accessMode: ReadWriteOnce resources: requests: storage: 10Gi # -- name of existing persistent volume claim to use for assets existingClaim: system: accessMode: ReadWriteOnce resources: requests: storage: 100Gi # -- name of existing persistent volume claim to use for system existingClaim: s3: enabled: false access_key: "" access_secret: "" # -- you can also specify the name of an existing Secret # with keys AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY existingSecret: "" bucket: "" endpoint: "" hostname: "" region: "" permission: "" # -- If you have a caching proxy, enter its base URL here. alias_host: "" # When uploading data to S3, if the number of bytes to send exceedes # multipart_threshold then a multi part session is automatically started # and the data is sent up in chunks. Defaults to 16777216 (16MB). multipart_threshold: "" # -- Set this to true if the storage provider uses domain style 'bucket.endpoint' naming # override_path_style: "true" deepl: enabled: false plan: apiKeySecretRef: name: key: hcaptcha: enabled: false siteId: secretKeySecretRef: name: key: # these must be set manually; autogenerated keys are rotated on each upgrade secrets: secret_key_base: "" otp_secret: "" vapid: private_key: "" public_key: "" activeRecordEncryption: primaryKey: "" deterministicKey: "" keyDerivationSalt: "" # -- you can also specify the name of an existing Secret # with keys: # - SECRET_KEY_BASE # - OTP_SECRET # - VAPID_PRIVATE_KEY # - VAPID_PUBLIC_KEY # - ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY # - ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY # - ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT existingSecret: "" # -- The number of old revisions to keep for each Deployment in Kubernetes. # See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy revisionHistoryLimit: 2 sidekiq: # -- Pod security context for all Sidekiq Pods, overwrites .Values.podSecurityContext podSecurityContext: {} # -- (Sidekiq Container) Security Context for all Pods, overwrites .Values.securityContext securityContext: {} # -- Resources for all Sidekiq Deployments unless overwritten resources: {} # -- Affinity for all Sidekiq Deployments unless overwritten, overwrites .Values.affinity affinity: {} # -- Topology spread constraints for Sidekiq Pods, overwrites .Values.topologySpreadConstraints topologySpreadConstraints: {} # limits: # cpu: "1" # memory: 768Mi # requests: # cpu: 250m # memory: 512Mi workers: - name: all-queues # -- Number of threads / parallel sidekiq jobs that are executed per Pod concurrency: 25 # -- Number of Pod replicas deployed by the Deployment replicas: 1 # -- Resources for this specific deployment to allow optimised scaling, overwrites .Values.mastodon.sidekiq.resources resources: {} # -- Affinity for this specific deployment, overwrites .Values.affinity and .Values.mastodon.sidekiq.affinity affinity: {} # -- Topology spread constraints for this specific deployment, overwrites .Values.topologySpreadConstraints and .Values.mastodon.sidekiq.topologySpreadConstraints topologySpreadConstraints: {} # -- Sidekiq queues for Mastodon that are handled by this worker. See https://docs.joinmastodon.org/admin/scaling/#concurrency # See https://github.com/mperham/sidekiq/wiki/Advanced-Options#queues for how to weight queues as argument queues: - default,8 - push,6 - ingress,4 - mailers,2 - pull - scheduler # Make sure the scheduler queue only exists once and with a worker that has 1 replica. image: repository: tag: # allows you to mount a custom database.yml from a configmap # please note that we do not advise using a read-only replica for sidekiq workers customDatabaseConfigYml: configMapRef: name: key: #- name: push-pull # concurrency: 50 # resources: {} # replicas: 2 # queues: # - push # - pull #- name: mailers # concurrency: 25 # replicas: 2 # queues: # - mailers #- name: default # concurrency: 25 # replicas: 2 # queues: # - default smtp: auth_method: plain ca_file: /etc/ssl/certs/ca-certificates.crt delivery_method: smtp domain: enable_starttls: "auto" from_address: notifications@example.com return_path: openssl_verify_mode: peer port: 587 reply_to: server: smtp.mailgun.org tls: false login: password: # -- Instead of defining login/password above, you can specify the name of an existing secret here. Login and # password must be located in keys named `login` and `password` respectively. existingSecret: streaming: image: repository: tag: port: 4000 # -- this should be set manually since os.cpus() returns the number of CPUs on # the node running the pod, which is unrelated to the resources allocated to # the pod by k8s workers: 1 # -- The base url for streaming can be set if the streaming API is deployed to # a different domain/subdomain. base_url: null # -- Number of Streaming Pods running replicas: 1 # -- Affinity for Streaming Pods, overwrites .Values.affinity affinity: {} # -- Topology spread constraints for Streaming Pods, overwrites .Values.topologySpreadConstraints topologySpreadConstraints: {} # -- Pod Security Context for Streaming Pods, overwrites .Values.podSecurityContext podSecurityContext: {} # -- (Streaming Container) Security Context for Streaming Pods, overwrites .Values.securityContext securityContext: {} # -- (Streaming Container) Resources for Streaming Pods, overwrites .Values.resources resources: {} # limits: # cpu: "500m" # memory: 512Mi # requests: # cpu: 250m # memory: 128Mi # -- PodDisruptionBudget configuration - See https://kubernetes.io/docs/tasks/run-application/configure-pdb/ pdb: enable: false # minAvailable: 1 # maxUnavailable: 1 # -- Puma-specific options. Below values are based on default behavior in # config/puma.rb when no custom values are provided. # -- Self-signed certificate(s) the (Node.js) needs to trust to connect to e.g. the database extraCerts: {} # -- Secret containing a key "ca.crt" holding one or more root certificates in PEM format # existingSecret: # -- Optional volume name for mounting the .crt file, defaults to "extra-certs" # name: # -- Optional sslMode setting. See nodejs's SSL_MODE. Consider "no-verify" # sslMode: # Specify extra environment variables to be added to streaming pods. extraEnvVars: {} web: port: 3000 # -- Number of Web Pods running replicas: 1 # -- Affinity for Web Pods, overwrites .Values.affinity affinity: {} # -- Topology spread constraints for Web Pods, overwrites .Values.topologySpreadConstraints topologySpreadConstraints: {} # -- Pod Security Context for Web Pods, overwrites .Values.podSecurityContext podSecurityContext: {} # -- (Web Container) Security Context for Web Pods, overwrites .Values.securityContext securityContext: {} # -- (Web Container) Resources for Web Pods, overwrites .Values.resources resources: {} # limits: # cpu: "1" # memory: 1280Mi # requests: # cpu: 250m # memory: 768Mi # -- PodDisruptionBudget configuration - See https://kubernetes.io/docs/tasks/run-application/configure-pdb/ pdb: enable: false # minAvailable: 1 # maxUnavailable: 1 # -- Puma-specific options. Below values are based on default behavior in # config/puma.rb when no custom values are provided. minThreads: "5" maxThreads: "5" workers: "2" persistentTimeout: "20" image: repository: tag: # allows you to mount a custom database.yml from a configmap # for example if you want to use a read-only replica customDatabaseConfigYml: configMapRef: name: key: # HTTP cache buster configuration. # See the documentation for more information about this feature: # https://docs.joinmastodon.org/admin/config/#http-cache-buster cacheBuster: enabled: false httpMethod: "GET" # If the cache service requires authentication, specify the header name and # secret/token here. authHeader: authToken: existingSecret: metrics: statsd: # -- Enable statsd publishing via STATSD_ADDR environment variable address: "" # -- Alternatively, you can use this to have a statsd_exporter sidecar container running along all Mastodon containers and exposing metrics in OpenMetric/Prometheus format on each pod # Please note the exporter will not be enabled if metrics.statsd.address is not empty exporter: enabled: false port: 9102 # Sets the PREPARED_STATEMENTS environment variable: https://docs.joinmastodon.org/admin/config/#prepared_statements preparedStatements: true # Specify extra environment variables to be added to all Mastodon pods. # These can be used for configuration not included in this chart (including configuration for Mastodon varietals.) extraEnvVars: {} # Alternatively specify extra environment variables stored in a ConfigMap. # The specified ConfigMap should contain the additional environment variables in key-value format. # extraEnvFrom: ingress: enabled: true annotations: # For choosing an ingress ingressClassName is preferred over annotations # kubernetes.io/ingress.class: nginx # # To automatically request TLS certificates use one of the following # kubernetes.io/tls-acme: "true" # cert-manager.io/cluster-issuer: "letsencrypt" # # ensure that NGINX's upload size matches Mastodon's # for the K8s ingress controller: # nginx.ingress.kubernetes.io/proxy-body-size: 40m # for the NGINX ingress controller: # nginx.org/client-max-body-size: 40m # -- you can specify the ingressClassName if it differs from the default ingressClassName: hosts: - host: mastodon.local paths: - path: "/" tls: - secretName: mastodon-tls hosts: - mastodon.local # This allows you to have a separate ingress for streaming # When enabled, the main ingress will no longer handle streaming requests. # You will also need to configure mastodon.streaming.base_url accordingly streaming: enabled: false annotations: ingressClassName: hosts: - host: streaming.mastodon.local paths: - path: "/" tls: - secretName: mastodon-tls hosts: - streaming.mastodon.local # -- https://github.com/bitnami/charts/tree/master/bitnami/elasticsearch#parameters elasticsearch: # Elasticsearch is powering full-text search. It is optional. # `false` will not install Elasticsearch as part of this chart # # if you enable ES after the initial install, you will need to manually run # RAILS_ENV=production bundle exec rake chewy:sync # (https://docs.joinmastodon.org/admin/optional/elasticsearch/) enabled: true # @ignored image: tag: 7 # If you are using an external ES cluster, use `enabled: false` and set the hostname, port, # and whether the cluster uses TLS. # hostname: # port: 9200 # tls: true # preset: single_node_cluster # This is optional, use it if you ES cluster requires authentication # user: # Name of an existing secret with a password key # existingSecret: # https://github.com/bitnami/charts/tree/master/bitnami/postgresql#parameters postgresql: # -- disable if you want to use an existing db; in which case the values below # must match those of that external postgres instance enabled: true # postgresqlHostname: preexisting-postgresql # postgresqlPort: 5432 auth: database: mastodon_production username: mastodon # you must set a password; the password generated by the postgresql chart will # be rotated on each upgrade: # https://github.com/bitnami/charts/tree/master/bitnami/postgresql#upgrade password: "" # Set the password for the "postgres" admin user # set this to the same value as above if you've previously installed # this chart and you're having problems getting mastodon to connect to the DB # postgresPassword: "" # you can also specify the name of an existing Secret # with a key of password set to the password you want existingSecret: "" # Options for a read-only replica. # If enabled, mastodon uses existing defaults for postgres for these values as well. # NOTE: This feature is only available on Mastodon v4.2+ # Documentation for more information on this feature: # https://docs.joinmastodon.org/admin/scaling/#read-replicas readReplica: hostname: port: auth: database: username: password: existingSecret: # https://github.com/bitnami/charts/tree/master/bitnami/redis#parameters redis: # disable if you want to use an existing redis instance; in which case the # values below must match those of that external redis instance enabled: true hostname: "" port: 6379 auth: # -- you must set a password; the password generated by the redis chart will be # rotated on each upgrade: password: "" # setting password for an existing redis instance will store it in a new Secret # you can also specify the name of an existing Secret # with a key of redis-password set to the password you want # existingSecret: "" replica: replicaCount: 0 # Configuration for a separate redis instance only for sidekiq processing. # If enabled, any values not specified will be copied from the base config. # If set to false, the main redis instance will be used, and all values will # be ignored. sidekiq: enabled: false hostname: "" port: 6379 auth: password: "" # you can also specify the name of an existing Secret # with a key of redis-password set to the password you want existingSecret: "" # Configuration for a separate redis instance only for cache. # If enabled, any values not specified will be copied from the base config. # If set to false, the main redis instance will be used, and all values will # be ignored. cache: enabled: false hostname: "" port: 6379 auth: password: "" # you can also specify the name of an existing Secret # with a key of redis-password set to the password you want existingSecret: "" # @ignored service: type: ClusterIP port: 80 externalAuth: oidc: # -- OpenID Connect support is proposed in PR #16221 and awaiting merge. enabled: false # display_name: "example-label" # issuer: https://login.example.space/auth/realms/example-space # discovery: true # scope: "openid,profile" # uid_field: uid # client_id: mastodon # client_secret: SECRETKEY # redirect_uri: https://example.com/auth/auth/openid_connect/callback # assume_email_is_verified: true # client_auth_method: # response_type: # response_mode: # display: # prompt: # send_nonce: # send_scope_to_token_endpoint: # idp_logout_redirect_uri: # http_scheme: # host: # port: # jwks_uri: # auth_endpoint: # token_endpoint: # user_info_endpoint: # end_session_endpoint: saml: enabled: false # acs_url: http://mastodon.example.com/auth/auth/saml/callback # issuer: mastodon # idp_sso_target_url: https://login.example.com/auth/realms/example/protocol/saml # idp_cert: '-----BEGIN CERTIFICATE-----[your_cert_content]-----END CERTIFICATE-----' # idp_cert_fingerprint: # name_identifier_format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified # cert: # private_key: # want_assertion_signed: true # want_assertion_encrypted: true # assume_email_is_verified: true # uid_attribute: "urn:oid:0.9.2342.19200300.100.1.1" # attributes_statements: # uid: "urn:oid:0.9.2342.19200300.100.1.1" # email: "urn:oid:1.3.6.1.4.1.5923.1.1.1.6" # full_name: "urn:oid:2.16.840.1.113730.3.1.241" # first_name: "urn:oid:2.5.4.42" # last_name: "urn:oid:2.5.4.4" # verified: # verified_email: oauth_global: # -- Automatically redirect to OIDC, CAS or SAML, and don't use local account authentication when clicking on Sign-In omniauth_only: false cas: enabled: false # url: https://sso.myserver.com # host: sso.myserver.com # port: 443 # ssl: true # validate_url: # callback_url: # logout_url: # login_url: # uid_field: 'user' # ca_path: # disable_ssl_verification: false # assume_email_is_verified: true # keys: # uid: 'user' # name: 'name' # email: 'email' # nickname: 'nickname' # first_name: 'firstname' # last_name: 'lastname' # location: 'location' # image: 'image' # phone: 'phone' pam: enabled: false # email_domain: example.com # default_service: rpam # controlled_service: rpam ldap: enabled: false # host: myservice.namespace.svc # port: 636 # method: simple_tls # tls_no_verify: true # base: # bind_dn: # password: # uid: cn # mail: mail # search_filter: "(|(%{uid}=%{email})(%{mail}=%{email}))" # uid_conversion: # enabled: true # search: "., -" # replace: _ # -- https://github.com/mastodon/mastodon/blob/main/Dockerfile#L75 # # if you manually change the UID/GID environment variables, ensure these values # match: podSecurityContext: runAsUser: 991 runAsGroup: 991 fsGroup: 991 # @ignored securityContext: {} serviceAccount: # -- Specifies whether a service account should be created create: true # -- Annotations to add to the service account annotations: {} # -- The name of the service account to use. # If not set and create is true, a name is generated using the fullname template name: "" # Custom annotations to apply to all created deployment objects. These can be # used to help mastodon interact with other services in the cluster. deploymentAnnotations: {} # -- Kubernetes manages pods for jobs and pods for deployments differently, so you might # need to apply different annotations to the two different sets of pods. The annotations # set with podAnnotations will be added to all deployment-managed pods. podAnnotations: {} # If set to true, an annotation with the current chart release number will be added to all mastodon pods. This will # cause all pods to be recreated every `helm upgrade` regardless of whether their config or spec changes. revisionPodAnnotation: true # The annotations set with jobAnnotations will be added to all job pods. jobAnnotations: {} # -- Default resources for all Deployments and jobs unless overwritten resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little # resources, such as Minikube. If you do want to specify resources, uncomment the following # lines, adjust them as necessary, and remove the curly braces after 'resources:'. # limits: # cpu: 100m # memory: 128Mi # requests: # cpu: 100m # memory: 128Mi # @ignored nodeSelector: {} # @ignored tolerations: [] # -- Affinity for all pods unless overwritten affinity: {} # -- Timezone for all pods unless overwritten timezone: UTC # -- Topology Spread Constraints for all pods unless overwritten # Please note that you need to use `matchLabelKeys` (Kubernetes 1.25+) if you # want to spread each deployment independently, or override topologySpreadConstraints # for each deployment topologySpreadConstraints: {} # Default volume mounts for all pods volumeMounts: [] # Default volumes for all pods volumes: []