tarrien/Mastodon
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Helm: Major refactoring regarding Deployments, Environment variables and more (#20733)

Browse Source 
* fix(chart): Remove non-functional Horizontal Pod Autoscaler

The Horizontal Pod Autoscaler (HPA) refers to a Deployment that
doesn't exist and therefore can not work. As a result it's
pointless to carry it around in this chart and give the wrong
impression it could work. This patch removes it from the helm
chart and drops all references to it.

* refactor(chart): Refactor sidekiq deployments to scale

This patch reworks how the sidekiq deployment is set up, by
splitting it into many sidekiq deployments, but at least one,
which should allow to scale the number of sidekiq jobs as
expected while being friendly to single user instances as well
as larger ones.

Further it introduces per deployment overwrites for the most
relevant pod fields like resources, affinities and processed
queues, number of jobs and the sidekiq security contexts.

The exact implementation was inspired by an upstream issue:

https://github.com/mastodon/mastodon/issues/20453

* fix(chart): Remove linode default values from values

This patch drops the linode defaults from the values.yaml since
these are not obvious and can cause unexpected connections as
well as leaking secrets to linode, when other s3 storage
backends are used and don't explicitly configure these options
by accident.

Mastodon will then try to authenticate to the linode backends
and therefore disclose the authentication secrets.

* refactor(chart): Rework reduce value reference duplication

Since most of the values are simply setup like this:

```
{{- if .Values.someVariable }}
SOME_VARIABLE: {{ .Values.someVariable }}
{{- end }}
```

There is a lot of duplication in the references in order to
full in the variables. There is an equivalent notation, which
reduces the usage of the variable name to just once:

```
{{- with .Values.someVariable }}
SOME_VARIABLE: {{ . }}
{{- end }}
```

What seems like a pointless replacement, will reduce potential
mistakes down the line by possibly only adjusting one of the
two references.

* fix(chart): Switch to new OMNIAUTH_ONLY variable

This patch adjusts the helm chart to use the new `OMNIAUTH_ONLY`
variable, which replaced the former
`OAUTH_REDIRECT_AT_SIGN_IN` variable in the following commit:

https://github.com/mastodon/mastodon/pull/17288
3c8857917e

* fix(chart): Repair connection test to existing service

Currently the connect test can't work, since it's connecting to
a non-existing service this patch fixes the service name to
make the job connect to the mastodon web service to verify the
connection.

* docs(chart): Adjust values.yaml to support helm-docs

This patch updates most values to prepare an introduction of
helm-docs. This should help to make the chart more user
friendly by explaining the variables and provide a standardised
README file, like many other helm charts do.

References:
https://github.com/norwoodj/helm-docs

* refactor(chart): Allow individual overwrites for streaming and web deployment

This patch works how the streaming and web deployments work by
adding various fields to overwrite values such as affinities,
resources, replica count, and security contexts.

BREAKING CHANGE: This commit removes `.Values.replicaCount` in
favour of `.Values.mastodon.web.replicas` and
`.Values.mastodon.streaming.values`.

* feat(chart): Add option for authorized fetch

Currently the helm chart doesn't support authorized fetch aka.
"Secure Mode" this patch fixes that by adding the needed config
option to the values file and the configmap.

* docs(chart): Improve helm-docs compatiblity

This patch adjust a few more comments in the values.yaml to be
picked up by helm-docs. This way, future adoption is properly
prepared.

* fix(chart): Add automatic detection of scheduler sidekiq queue

This patch adds an automatic switch to the `Recreate` strategy
for the sidekiq Pod in order to prevent accidental concurrency
for the scheduler queue.

* fix(chart): Repair broken DB_POOL variable
This commit is contained in:
Sheogorath
2022-11-24 21:30:29 +01:00
committed by GitHub
parent 75bbe3b1b8
commit cddcafec31
8 changed files with 366 additions and 294 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
chart/templates/_helpers.tpl
View File

@@ -136,3 +136,15 @@ Return true if a mastodon secret object should be created
{{- true -}}
{{- end -}}
{{- end -}}
{{/*
Find highest number of needed database connections to set DB_POOL variable
*/}}
{{- define "mastodon.maxDbPool" -}}
{{/* Default MAX_THREADS for Puma is 5 */}}
{{- $poolSize := 5 }}
{{- range .Values.mastodon.sidekiq.workers }}
{{- $poolSize = max $poolSize .concurrency }}
{{- end }}
{{- $poolSize | quote }}
{{- end }}

325
chart/templates/configmap-env.yaml
View File

@@ -13,7 +13,7 @@ data:
DB_PORT: {{ .Values.postgresql.postgresqlPort | default "5432" | quote }}
{{- end }}
DB_NAME: {{ .Values.postgresql.auth.database }}
DB_POOL: {{ .Values.mastodon.sidekiq.concurrency | quote }}
DB_POOL: {{ include "mastodon.maxDbPool" . }}
DB_USER: {{ .Values.postgresql.auth.username }}
DEFAULT_LOCALE: {{ .Values.mastodon.locale }}
{{- if .Values.elasticsearch.enabled }}
@@ -22,12 +22,15 @@ data:
ES_PORT: "9200"
{{- end }}
LOCAL_DOMAIN: {{ .Values.mastodon.local_domain }}
{{- if .Values.mastodon.web_domain }}
WEB_DOMAIN: {{ .Values.mastodon.web_domain }}
{{- with .Values.mastodon.web_domain }}
WEB_DOMAIN: {{ . }}
{{- end }}
{{- if .Values.mastodon.singleUserMode }}
{{- with .Values.mastodon.singleUserMode }}
SINGLE_USER_MODE: "true"
{{- end }}
{{- with .Values.mastodon.authorizedFetch }}
AUTHORIZED_FETCH: {{ . | quote }}
{{- end }}
# https://devcenter.heroku.com/articles/tuning-glibc-memory-behavior
MALLOC_ARENA_MAX: "2"
NODE_ENV: "production"
@@ -40,58 +43,58 @@ data:
S3_ENDPOINT: {{ .Values.mastodon.s3.endpoint }}
S3_HOSTNAME: {{ .Values.mastodon.s3.hostname }}
S3_PROTOCOL: "https"
{{- if .Values.mastodon.s3.region }}
S3_REGION: {{ .Values.mastodon.s3.region }}
{{- with .Values.mastodon.s3.region }}
S3_REGION: {{ . }}
{{- end }}
{{- if .Values.mastodon.s3.alias_host }}
{{- with .Values.mastodon.s3.alias_host }}
S3_ALIAS_HOST: {{ .Values.mastodon.s3.alias_host}}
{{- end }}
{{- end }}
{{- if .Values.mastodon.smtp.auth_method }}
SMTP_AUTH_METHOD: {{ .Values.mastodon.smtp.auth_method }}
{{- with .Values.mastodon.smtp.auth_method }}
SMTP_AUTH_METHOD: {{ . }}
{{- end }}
{{- if .Values.mastodon.smtp.ca_file }}
SMTP_CA_FILE: {{ .Values.mastodon.smtp.ca_file }}
{{- with .Values.mastodon.smtp.ca_file }}
SMTP_CA_FILE: {{ . }}
{{- end }}
{{- if .Values.mastodon.smtp.delivery_method }}
SMTP_DELIVERY_METHOD: {{ .Values.mastodon.smtp.delivery_method }}
{{- with .Values.mastodon.smtp.delivery_method }}
SMTP_DELIVERY_METHOD: {{ . }}
{{- end }}
{{- if .Values.mastodon.smtp.domain }}
SMTP_DOMAIN: {{ .Values.mastodon.smtp.domain }}
{{- with .Values.mastodon.smtp.domain }}
SMTP_DOMAIN: {{ . }}
{{- end }}
{{- if .Values.mastodon.smtp.enable_starttls }}
SMTP_ENABLE_STARTTLS: {{ .Values.mastodon.smtp.enable_starttls | quote }}
{{- with .Values.mastodon.smtp.enable_starttls }}
SMTP_ENABLE_STARTTLS: {{ . | quote }}
{{- end }}
{{- if .Values.mastodon.smtp.enable_starttls_auto }}
SMTP_ENABLE_STARTTLS_AUTO: {{ .Values.mastodon.smtp.enable_starttls_auto | quote }}
{{- with .Values.mastodon.smtp.enable_starttls_auto }}
SMTP_ENABLE_STARTTLS_AUTO: {{ . | quote }}
{{- end }}
{{- if .Values.mastodon.smtp.from_address }}
SMTP_FROM_ADDRESS: {{ .Values.mastodon.smtp.from_address }}
{{- with .Values.mastodon.smtp.from_address }}
SMTP_FROM_ADDRESS: {{ . }}
{{- end }}
{{- if .Values.mastodon.smtp.login }}
SMTP_LOGIN: {{ .Values.mastodon.smtp.login }}
{{- with .Values.mastodon.smtp.login }}
SMTP_LOGIN: {{ . }}
{{- end }}
{{- if .Values.mastodon.smtp.openssl_verify_mode }}
SMTP_OPENSSL_VERIFY_MODE: {{ .Values.mastodon.smtp.openssl_verify_mode }}
{{- with .Values.mastodon.smtp.openssl_verify_mode }}
SMTP_OPENSSL_VERIFY_MODE: {{ . }}
{{- end }}
{{- if .Values.mastodon.smtp.password }}
SMTP_PASSWORD: {{ .Values.mastodon.smtp.password }}
{{- with .Values.mastodon.smtp.password }}
SMTP_PASSWORD: {{ . }}
{{- end }}
{{- if .Values.mastodon.smtp.port }}
SMTP_PORT: {{ .Values.mastodon.smtp.port | quote }}
{{- with .Values.mastodon.smtp.port }}
SMTP_PORT: {{ . | quote }}
{{- end }}
{{- if .Values.mastodon.smtp.reply_to }}
SMTP_REPLY_TO: {{ .Values.mastodon.smtp.reply_to }}
{{- with .Values.mastodon.smtp.reply_to }}
SMTP_REPLY_TO: {{ . }}
{{- end }}
{{- if .Values.mastodon.smtp.server }}
SMTP_SERVER: {{ .Values.mastodon.smtp.server }}
{{- with .Values.mastodon.smtp.server }}
SMTP_SERVER: {{ . }}
{{- end }}
{{- if .Values.mastodon.smtp.tls }}
SMTP_TLS: {{ .Values.mastodon.smtp.tls | quote }}
{{- with .Values.mastodon.smtp.tls }}
SMTP_TLS: {{ . | quote }}
{{- end }}
STREAMING_CLUSTER_NUM: {{ .Values.mastodon.streaming.workers | quote }}
{{- if .Values.mastodon.streaming.base_url }}
STREAMING_API_BASE_URL: {{ .Values.mastodon.streaming.base_url | quote }}
{{- with .Values.mastodon.streaming.base_url }}
STREAMING_API_BASE_URL: {{ . | quote }}
{{- end }}
{{- if .Values.externalAuth.oidc.enabled }}
OIDC_ENABLED: {{ .Values.externalAuth.oidc.enabled | quote }}
@@ -104,53 +107,53 @@ data:
OIDC_CLIENT_SECRET: {{ .Values.externalAuth.oidc.client_secret }}
OIDC_REDIRECT_URI: {{ .Values.externalAuth.oidc.redirect_uri }}
OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED: {{ .Values.externalAuth.oidc.assume_email_is_verified | quote }}
{{- if .Values.externalAuth.oidc.client_auth_method }}
OIDC_CLIENT_AUTH_METHOD: {{ .Values.externalAuth.oidc.client_auth_method }}
{{- with .Values.externalAuth.oidc.client_auth_method }}
OIDC_CLIENT_AUTH_METHOD: {{ . }}
{{- end }}
{{- if .Values.externalAuth.oidc.response_type }}
OIDC_RESPONSE_TYPE: {{ .Values.externalAuth.oidc.response_type }}
{{- with .Values.externalAuth.oidc.response_type }}
OIDC_RESPONSE_TYPE: {{ . }}
{{- end }}
{{- if .Values.externalAuth.oidc.response_mode }}
OIDC_RESPONSE_MODE: {{ .Values.externalAuth.oidc.response_mode }}
{{- with .Values.externalAuth.oidc.response_mode }}
OIDC_RESPONSE_MODE: {{ . }}
{{- end }}
{{- if .Values.externalAuth.oidc.display }}
OIDC_DISPLAY: {{ .Values.externalAuth.oidc.display }}
{{- with .Values.externalAuth.oidc.display }}
OIDC_DISPLAY: {{ . }}
{{- end }}
{{- if .Values.externalAuth.oidc.prompt }}
OIDC_PROMPT: {{ .Values.externalAuth.oidc.prompt }}
{{- with .Values.externalAuth.oidc.prompt }}
OIDC_PROMPT: {{ . }}
{{- end }}
{{- if .Values.externalAuth.oidc.send_nonce }}
OIDC_SEND_NONCE: {{ .Values.externalAuth.oidc.send_nonce }}
{{- with .Values.externalAuth.oidc.send_nonce }}
OIDC_SEND_NONCE: {{ . }}
{{- end }}
{{- if .Values.externalAuth.oidc.send_scope_to_token_endpoint }}
OIDC_SEND_SCOPE_TO_TOKEN_ENDPOINT: {{ .Values.externalAuth.oidc.send_scope_to_token_endpoint | quote }}
{{- with .Values.externalAuth.oidc.send_scope_to_token_endpoint }}
OIDC_SEND_SCOPE_TO_TOKEN_ENDPOINT: {{ . | quote }}
{{- end }}
{{- if .Values.externalAuth.oidc.idp_logout_redirect_uri }}
OIDC_IDP_LOGOUT_REDIRECT_URI: {{ .Values.externalAuth.oidc.idp_logout_redirect_uri }}
{{- with .Values.externalAuth.oidc.idp_logout_redirect_uri }}
OIDC_IDP_LOGOUT_REDIRECT_URI: {{ . }}
{{- end }}
{{- if .Values.externalAuth.oidc.http_scheme }}
OIDC_HTTP_SCHEME: {{ .Values.externalAuth.oidc.http_scheme }}
{{- with .Values.externalAuth.oidc.http_scheme }}
OIDC_HTTP_SCHEME: {{ . }}
{{- end }}
{{- if .Values.externalAuth.oidc.host }}
OIDC_HOST: {{ .Values.externalAuth.oidc.host }}
{{- with .Values.externalAuth.oidc.host }}
OIDC_HOST: {{ . }}
{{- end }}
{{- if .Values.externalAuth.oidc.port }}
OIDC_PORT: {{ .Values.externalAuth.oidc.port }}
{{- with .Values.externalAuth.oidc.port }}
OIDC_PORT: {{ . }}
{{- end }}
{{- if .Values.externalAuth.oidc.jwks_uri }}
OIDC_JWKS_URI: {{ .Values.externalAuth.oidc.jwks_uri }}
{{- with .Values.externalAuth.oidc.jwks_uri }}
OIDC_JWKS_URI: {{ . }}
{{- end }}
{{- if .Values.externalAuth.oidc.auth_endpoint }}
OIDC_AUTH_ENDPOINT: {{ .Values.externalAuth.oidc.auth_endpoint }}
{{- with .Values.externalAuth.oidc.auth_endpoint }}
OIDC_AUTH_ENDPOINT: {{ . }}
{{- end }}
{{- if .Values.externalAuth.oidc.token_endpoint }}
OIDC_TOKEN_ENDPOINT: {{ .Values.externalAuth.oidc.token_endpoint }}
{{- with .Values.externalAuth.oidc.token_endpoint }}
OIDC_TOKEN_ENDPOINT: {{ . }}
{{- end }}
{{- if .Values.externalAuth.oidc.user_info_endpoint }}
OIDC_USER_INFO_ENDPOINT: {{ .Values.externalAuth.oidc.user_info_endpoint }}
{{- with .Values.externalAuth.oidc.user_info_endpoint }}
OIDC_USER_INFO_ENDPOINT: {{ . }}
{{- end }}
{{- if .Values.externalAuth.oidc.end_session_endpoint }}
OIDC_END_SESSION_ENDPOINT: {{ .Values.externalAuth.oidc.end_session_endpoint }}
{{- with .Values.externalAuth.oidc.end_session_endpoint }}
OIDC_END_SESSION_ENDPOINT: {{ . }}
{{- end }}
{{- end }}
{{- if .Values.externalAuth.saml.enabled }}
@@ -159,54 +162,54 @@ data:
SAML_ISSUER: {{ .Values.externalAuth.saml.issuer }}
SAML_IDP_SSO_TARGET_URL: {{ .Values.externalAuth.saml.idp_sso_target_url }}
SAML_IDP_CERT: {{ .Values.externalAuth.saml.idp_cert | quote }}
{{- if .Values.externalAuth.saml.idp_cert_fingerprint }}
SAML_IDP_CERT_FINGERPRINT: {{ .Values.externalAuth.saml.idp_cert_fingerprint | quote }}
{{- with .Values.externalAuth.saml.idp_cert_fingerprint }}
SAML_IDP_CERT_FINGERPRINT: {{ . | quote }}
{{- end }}
{{- if .Values.externalAuth.saml.name_identifier_format }}
SAML_NAME_IDENTIFIER_FORMAT: {{ .Values.externalAuth.saml.name_identifier_format }}
{{- with .Values.externalAuth.saml.name_identifier_format }}
SAML_NAME_IDENTIFIER_FORMAT: {{ . }}
{{- end }}
{{- if .Values.externalAuth.saml.cert }}
SAML_CERT: {{ .Values.externalAuth.saml.cert | quote }}
{{- with .Values.externalAuth.saml.cert }}
SAML_CERT: {{ . | quote }}
{{- end }}
{{- if .Values.externalAuth.saml.private_key }}
SAML_PRIVATE_KEY: {{ .Values.externalAuth.saml.private_key | quote }}
{{- with .Values.externalAuth.saml.private_key }}
SAML_PRIVATE_KEY: {{ . | quote }}
{{- end }}
{{- if .Values.externalAuth.saml.want_assertion_signed }}
SAML_SECURITY_WANT_ASSERTION_SIGNED: {{ .Values.externalAuth.saml.want_assertion_signed | quote }}
{{- with .Values.externalAuth.saml.want_assertion_signed }}
SAML_SECURITY_WANT_ASSERTION_SIGNED: {{ . | quote }}
{{- end }}
{{- if .Values.externalAuth.saml.want_assertion_encrypted }}
SAML_SECURITY_WANT_ASSERTION_ENCRYPTED: {{ .Values.externalAuth.saml.want_assertion_encrypted | quote }}
{{- with .Values.externalAuth.saml.want_assertion_encrypted }}
SAML_SECURITY_WANT_ASSERTION_ENCRYPTED: {{ . | quote }}
{{- end }}
{{- if .Values.externalAuth.saml.assume_email_is_verified }}
SAML_SECURITY_ASSUME_EMAIL_IS_VERIFIED: {{ .Values.externalAuth.saml.assume_email_is_verified | quote }}
{{- with .Values.externalAuth.saml.assume_email_is_verified }}
SAML_SECURITY_ASSUME_EMAIL_IS_VERIFIED: {{ . | quote }}
{{- end }}
{{- if .Values.externalAuth.saml.uid_attribute }}
SAML_UID_ATTRIBUTE: {{ .Values.externalAuth.saml.uid_attribute }}
{{- with .Values.externalAuth.saml.uid_attribute }}
SAML_UID_ATTRIBUTE: {{ . }}
{{- end }}
{{- if .Values.externalAuth.saml.attributes_statements.uid }}
SAML_ATTRIBUTES_STATEMENTS_UID: {{ .Values.externalAuth.saml.attributes_statements.uid | quote }}
{{- with .Values.externalAuth.saml.attributes_statements.uid }}
SAML_ATTRIBUTES_STATEMENTS_UID: {{ . | quote }}
{{- end }}
{{- if .Values.externalAuth.saml.attributes_statements.email }}
SAML_ATTRIBUTES_STATEMENTS_EMAIL: {{ .Values.externalAuth.saml.attributes_statements.email | quote }}
{{- with .Values.externalAuth.saml.attributes_statements.email }}
SAML_ATTRIBUTES_STATEMENTS_EMAIL: {{ . | quote }}
{{- end }}
{{- if .Values.externalAuth.saml.attributes_statements.full_name }}
SAML_ATTRIBUTES_STATEMENTS_FULL_NAME: {{ .Values.externalAuth.saml.attributes_statements.full_name | quote }}
{{- with .Values.externalAuth.saml.attributes_statements.full_name }}
SAML_ATTRIBUTES_STATEMENTS_FULL_NAME: {{ . | quote }}
{{- end }}
{{- if .Values.externalAuth.saml.attributes_statements.first_name }}
SAML_ATTRIBUTES_STATEMENTS_FIRST_NAME: {{ .Values.externalAuth.saml.attributes_statements.first_name | quote }}
{{- with .Values.externalAuth.saml.attributes_statements.first_name }}
SAML_ATTRIBUTES_STATEMENTS_FIRST_NAME: {{ . | quote }}
{{- end }}
{{- if .Values.externalAuth.saml.attributes_statements.last_name }}
SAML_ATTRIBUTES_STATEMENTS_LAST_NAME: {{ .Values.externalAuth.saml.attributes_statements.last_name | quote }}
{{- with .Values.externalAuth.saml.attributes_statements.last_name }}
SAML_ATTRIBUTES_STATEMENTS_LAST_NAME: {{ . | quote }}
{{- end }}
{{- if .Values.externalAuth.saml.attributes_statements.verified }}
SAML_ATTRIBUTES_STATEMENTS_VERIFIED: {{ .Values.externalAuth.saml.attributes_statements.verified | quote }}
{{- with .Values.externalAuth.saml.attributes_statements.verified }}
SAML_ATTRIBUTES_STATEMENTS_VERIFIED: {{ . | quote }}
{{- end }}
{{- if .Values.externalAuth.saml.attributes_statements.verified_email }}
SAML_ATTRIBUTES_STATEMENTS_VERIFIED_EMAIL: {{ .Values.externalAuth.saml.attributes_statements.verified_email | quote }}
{{- with .Values.externalAuth.saml.attributes_statements.verified_email }}
SAML_ATTRIBUTES_STATEMENTS_VERIFIED_EMAIL: {{ . | quote }}
{{- end }}
{{- end }}
{{- if .Values.externalAuth.oauth_global.oauth_redirect_at_sign_in }}
OAUTH_REDIRECT_AT_SIGN_IN: {{ .Values.externalAuth.oauth_global.oauth_redirect_at_sign_in | quote }}
{{- with .Values.externalAuth.oauth_global.omniauth_only }}
OMNIAUTH_ONLY: {{ . | quote }}
{{- end }}
{{- if .Values.externalAuth.cas.enabled }}
CAS_ENABLED: {{ .Values.externalAuth.cas.enabled | quote }}
@@ -214,68 +217,68 @@ data:
CAS_HOST: {{ .Values.externalAuth.cas.host }}
CAS_PORT: {{ .Values.externalAuth.cas.port }}
CAS_SSL: {{ .Values.externalAuth.cas.ssl | quote }}
{{- if .Values.externalAuth.cas.validate_url }}
CAS_VALIDATE_URL: {{ .Values.externalAuth.cas.validate_url }}
{{- with .Values.externalAuth.cas.validate_url }}
CAS_VALIDATE_URL: {{ . }}
{{- end }}
{{- if .Values.externalAuth.cas.callback_url }}
CAS_CALLBACK_URL: {{ .Values.externalAuth.cas.callback_url }}
{{- with .Values.externalAuth.cas.callback_url }}
CAS_CALLBACK_URL: {{ . }}
{{- end }}
{{- if .Values.externalAuth.cas.logout_url }}
CAS_LOGOUT_URL: {{ .Values.externalAuth.cas.logout_url }}
{{- with .Values.externalAuth.cas.logout_url }}
CAS_LOGOUT_URL: {{ . }}
{{- end }}
{{- if .Values.externalAuth.cas.login_url }}
CAS_LOGIN_URL: {{ .Values.externalAuth.cas.login_url }}
{{- with .Values.externalAuth.cas.login_url }}
CAS_LOGIN_URL: {{ . }}
{{- end }}
{{- if .Values.externalAuth.cas.uid_field }}
CAS_UID_FIELD: {{ .Values.externalAuth.cas.uid_field | quote }}
{{- with .Values.externalAuth.cas.uid_field }}
CAS_UID_FIELD: {{ . | quote }}
{{- end }}
{{- if .Values.externalAuth.cas.ca_path }}
CAS_CA_PATH: {{ .Values.externalAuth.cas.ca_path }}
{{- with .Values.externalAuth.cas.ca_path }}
CAS_CA_PATH: {{ . }}
{{- end }}
{{- if .Values.externalAuth.cas.disable_ssl_verification }}
CAS_DISABLE_SSL_VERIFICATION: {{ .Values.externalAuth.cas.disable_ssl_verification | quote }}
{{- with .Values.externalAuth.cas.disable_ssl_verification }}
CAS_DISABLE_SSL_VERIFICATION: {{ . | quote }}
{{- end }}
{{- if .Values.externalAuth.cas.assume_email_is_verified }}
CAS_SECURITY_ASSUME_EMAIL_IS_VERIFIED: {{ .Values.externalAuth.cas.assume_email_is_verified | quote }}
{{- with .Values.externalAuth.cas.assume_email_is_verified }}
CAS_SECURITY_ASSUME_EMAIL_IS_VERIFIED: {{ . | quote }}
{{- end }}
{{- if .Values.externalAuth.cas.keys.uid }}
CAS_UID_KEY: {{ .Values.externalAuth.cas.keys.uid | quote }}
{{- with .Values.externalAuth.cas.keys.uid }}
CAS_UID_KEY: {{ . | quote }}
{{- end }}
{{- if .Values.externalAuth.cas.keys.name }}
CAS_NAME_KEY: {{ .Values.externalAuth.cas.keys.name | quote }}
{{- with .Values.externalAuth.cas.keys.name }}
CAS_NAME_KEY: {{ . | quote }}
{{- end }}
{{- if .Values.externalAuth.cas.keys.email }}
CAS_EMAIL_KEY: {{ .Values.externalAuth.cas.keys.email | quote }}
{{- with .Values.externalAuth.cas.keys.email }}
CAS_EMAIL_KEY: {{ . | quote }}
{{- end }}
{{- if .Values.externalAuth.cas.keys.nickname }}
CAS_NICKNAME_KEY: {{ .Values.externalAuth.cas.keys.nickname | quote }}
{{- with .Values.externalAuth.cas.keys.nickname }}
CAS_NICKNAME_KEY: {{ . | quote }}
{{- end }}
{{- if .Values.externalAuth.cas.keys.first_name }}
CAS_FIRST_NAME_KEY: {{ .Values.externalAuth.cas.keys.first_name | quote }}
{{- with .Values.externalAuth.cas.keys.first_name }}
CAS_FIRST_NAME_KEY: {{ . | quote }}
{{- end }}
{{- if .Values.externalAuth.cas.keys.last_name }}
CAS_LAST_NAME_KEY: {{ .Values.externalAuth.cas.keys.last_name | quote }}
{{- with .Values.externalAuth.cas.keys.last_name }}
CAS_LAST_NAME_KEY: {{ . | quote }}
{{- end }}
{{- if .Values.externalAuth.cas.keys.location }}
CAS_LOCATION_KEY: {{ .Values.externalAuth.cas.keys.location | quote }}
{{- with .Values.externalAuth.cas.keys.location }}
CAS_LOCATION_KEY: {{ . | quote }}
{{- end }}
{{- if .Values.externalAuth.cas.keys.image }}
CAS_IMAGE_KEY: {{ .Values.externalAuth.cas.keys.image | quote }}
{{- with .Values.externalAuth.cas.keys.image }}
CAS_IMAGE_KEY: {{ . | quote }}
{{- end }}
{{- if .Values.externalAuth.cas.keys.phone }}
CAS_PHONE_KEY: {{ .Values.externalAuth.cas.keys.phone | quote }}
{{- with .Values.externalAuth.cas.keys.phone }}
CAS_PHONE_KEY: {{ . | quote }}
{{- end }}
{{- end }}
{{- if .Values.externalAuth.pam.enabled }}
PAM_ENABLED: {{ .Values.externalAuth.pam.enabled | quote }}
{{- if .Values.externalAuth.pam.email_domain }}
PAM_EMAIL_DOMAIN: {{ .Values.externalAuth.pam.email_domain }}
{{- with .Values.externalAuth.pam.enabled }}
PAM_ENABLED: {{ . | quote }}
{{- with .Values.externalAuth.pam.email_domain }}
PAM_EMAIL_DOMAIN: {{ . }}
{{- end }}
{{- if .Values.externalAuth.pam.default_service }}
PAM_DEFAULT_SERVICE: {{ .Values.externalAuth.pam.default_service }}
{{- with .Values.externalAuth.pam.default_service }}
PAM_DEFAULT_SERVICE: {{ . }}
{{- end }}
{{- if .Values.externalAuth.pam.controlled_service }}
PAM_CONTROLLED_SERVICE: {{ .Values.externalAuth.pam.controlled_service }}
{{- with .Values.externalAuth.pam.controlled_service }}
PAM_CONTROLLED_SERVICE: {{ . }}
{{- end }}
{{- end }}
{{- if .Values.externalAuth.ldap.enabled }}
@@ -283,32 +286,32 @@ data:
LDAP_HOST: {{ .Values.externalAuth.ldap.host }}
LDAP_PORT: {{ .Values.externalAuth.ldap.port }}
LDAP_METHOD: {{ .Values.externalAuth.ldap.method }}
{{- if .Values.externalAuth.ldap.base }}
LDAP_BASE: {{ .Values.externalAuth.ldap.base }}
{{- with .Values.externalAuth.ldap.base }}
LDAP_BASE: {{ . }}
{{- end }}
{{- if .Values.externalAuth.ldap.bind_on }}
LDAP_BIND_ON: {{ .Values.externalAuth.ldap.bind_on }}
{{- with .Values.externalAuth.ldap.bind_on }}
LDAP_BIND_ON: {{ . }}
{{- end }}
{{- if .Values.externalAuth.ldap.password }}
LDAP_PASSWORD: {{ .Values.externalAuth.ldap.password }}
{{- with .Values.externalAuth.ldap.password }}
LDAP_PASSWORD: {{ . }}
{{- end }}
{{- if .Values.externalAuth.ldap.uid }}
LDAP_UID: {{ .Values.externalAuth.ldap.uid }}
{{- with .Values.externalAuth.ldap.uid }}
LDAP_UID: {{ . }}
{{- end }}
{{- if .Values.externalAuth.ldap.mail }}
LDAP_MAIL: {{ .Values.externalAuth.ldap.mail }}
{{- with .Values.externalAuth.ldap.mail }}
LDAP_MAIL: {{ . }}
{{- end }}
{{- if .Values.externalAuth.ldap.search_filter }}
LDAP_SEARCH_FILTER: {{ .Values.externalAuth.ldap.search_filter }}
{{- with .Values.externalAuth.ldap.search_filter }}
LDAP_SEARCH_FILTER: {{ . }}
{{- end }}
{{- if .Values.externalAuth.ldap.uid_conversion.enabled }}
LDAP_UID_CONVERSION_ENABLED: {{ .Values.externalAuth.ldap.uid_conversion.enabled | quote }}
{{- with .Values.externalAuth.ldap.uid_conversion.enabled }}
LDAP_UID_CONVERSION_ENABLED: {{ . | quote }}
{{- end }}
{{- if .Values.externalAuth.ldap.uid_conversion.search }}
LDAP_UID_CONVERSION_SEARCH: {{ .Values.externalAuth.ldap.uid_conversion.search }}
{{- with .Values.externalAuth.ldap.uid_conversion.search }}
LDAP_UID_CONVERSION_SEARCH: {{ . }}
{{- end }}
{{- if .Values.externalAuth.ldap.uid_conversion.replace }}
LDAP_UID_CONVERSION_REPLACE: {{ .Values.externalAuth.ldap.uid_conversion.replace }}
{{- with .Values.externalAuth.ldap.uid_conversion.replace }}
LDAP_UID_CONVERSION_REPLACE: {{ . }}
{{- end }}
{{- end }}
{{- with .Values.mastodon.metrics.statsd.address }}

94
chart/templates/deployment-sidekiq.yaml
View File

@@ -1,96 +1,97 @@
{{- $context := . }}
{{- range .Values.mastodon.sidekiq.workers }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "mastodon.fullname" . }}-sidekiq
name: {{ include "mastodon.fullname" $context }}-sidekiq-{{ .name }}
labels:
{{- include "mastodon.labels" . | nindent 4 }}
{{- include "mastodon.labels" $context | nindent 4 }}
app.kubernetes.io/component: sidekiq-{{ .name }}
app.kubernetes.io/part-of: rails
spec:
{{- if not .Values.autoscaling.enabled }}
replicas: {{ .Values.replicaCount }}
replicas: {{ .replicas }}
{{- if (has "scheduler" .queues) }}
strategy:
type: Recreate
{{- end }}
selector:
matchLabels:
{{- include "mastodon.selectorLabels" . | nindent 6 }}
app.kubernetes.io/component: sidekiq
{{- include "mastodon.selectorLabels" $context | nindent 6 }}
app.kubernetes.io/component: sidekiq-{{ .name }}
app.kubernetes.io/part-of: rails
template:
metadata:
annotations:
{{- with .Values.podAnnotations }}
{{- with $context.Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
# roll the pods to pick up any db migrations or other changes
{{- include "mastodon.rollingPodAnnotations" . | nindent 8 }}
{{- include "mastodon.rollingPodAnnotations" $context | nindent 8 }}
labels:
{{- include "mastodon.selectorLabels" . | nindent 8 }}
app.kubernetes.io/component: sidekiq
{{- include "mastodon.selectorLabels" $context | nindent 8 }}
app.kubernetes.io/component: sidekiq-{{ .name }}
app.kubernetes.io/part-of: rails
spec:
{{- with .Values.imagePullSecrets }}
{{- with $context.Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "mastodon.serviceAccountName" . }}
{{- with .Values.podSecurityContext }}
serviceAccountName: {{ include "mastodon.serviceAccountName" $context }}
{{- with (default $context.Values.podSecurityContext $context.Values.mastodon.sidekiq.podSecurityContext) }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if (not .Values.mastodon.s3.enabled) }}
# ensure we run on the same node as the other rails components; only
# required when using PVCs that are ReadWriteOnce
{{- if or (eq "ReadWriteOnce" .Values.mastodon.persistence.assets.accessMode) (eq "ReadWriteOnce" .Values.mastodon.persistence.system.accessMode) }}
{{- with (default (default $context.Values.affinity $context.Values.mastodon.sidekiq.affinity) .affinity) }}
affinity:
podAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app.kubernetes.io/part-of
operator: In
values:
- rails
topologyKey: kubernetes.io/hostname
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if (not $context.Values.mastodon.s3.enabled) }}
volumes:
- name: assets
persistentVolumeClaim:
claimName: {{ template "mastodon.fullname" . }}-assets
claimName: {{ template "mastodon.fullname" $context }}-assets
- name: system
persistentVolumeClaim:
claimName: {{ template "mastodon.fullname" . }}-system
claimName: {{ template "mastodon.fullname" $context }}-system
{{- end }}
containers:
- name: {{ .Chart.Name }}
- name: {{ $context.Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- toYaml $context.Values.mastodon.sidekiq.securityContext | nindent 12 }}
image: "{{ $context.Values.image.repository }}:{{ $context.Values.image.tag | default $context.Chart.AppVersion }}"
imagePullPolicy: {{ $context.Values.image.pullPolicy }}
command:
- bundle
- exec
- sidekiq
- -c
- {{ .Values.mastodon.sidekiq.concurrency | quote }}
- {{ .concurrency | quote }}
{{- range .queues }}
- -q
- {{ . | quote }}
{{- end }}
envFrom:
- configMapRef:
name: {{ include "mastodon.fullname" . }}-env
name: {{ include "mastodon.fullname" $context }}-env
- secretRef:
name: {{ template "mastodon.secretName" . }}
name: {{ template "mastodon.secretName" $context }}
env:
- name: "DB_PASS"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.postgresql.secretName" . }}
name: {{ template "mastodon.postgresql.secretName" $context }}
key: password
- name: "REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.secretName" . }}
name: {{ template "mastodon.redis.secretName" $context }}
key: redis-password
{{- if (and .Values.mastodon.s3.enabled .Values.mastodon.s3.existingSecret) }}
{{- if (and $context.Values.mastodon.s3.enabled $context.Values.mastodon.s3.existingSecret) }}
- name: "AWS_SECRET_ACCESS_KEY"
valueFrom:
secretKeyRef:
name: {{ .Values.mastodon.s3.existingSecret }}
name: {{ $context.Values.mastodon.s3.existingSecret }}
key: AWS_SECRET_ACCESS_KEY
- name: "AWS_ACCESS_KEY_ID"
valueFrom:
@@ -98,20 +99,20 @@ spec:
name: {{ .Values.mastodon.s3.existingSecret }}
key: AWS_ACCESS_KEY_ID
{{- end }}
{{- if .Values.mastodon.smtp.existingSecret }}
{{- if $context.Values.mastodon.smtp.existingSecret }}
- name: "SMTP_LOGIN"
valueFrom:
secretKeyRef:
name: {{ .Values.mastodon.smtp.existingSecret }}
name: {{ $context.Values.mastodon.smtp.existingSecret }}
key: login
optional: true
- name: "SMTP_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ .Values.mastodon.smtp.existingSecret }}
name: {{ $context.Values.mastodon.smtp.existingSecret }}
key: password
{{- end }}
{{- if (not .Values.mastodon.s3.enabled) }}
{{- if (not $context.Values.mastodon.s3.enabled) }}
volumeMounts:
- name: assets
mountPath: /opt/mastodon/public/assets
@@ -119,12 +120,13 @@ spec:
mountPath: /opt/mastodon/public/system
{{- end }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
{{- with .Values.nodeSelector }}
{{- toYaml (default (default $context.Values.resources $context.Values.mastodon.sidekiq.resources) .resources) | nindent 12 }}
{{- with $context.Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
{{- with $context.Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}

16
chart/templates/deployment-streaming.yaml
View File

@@ -5,9 +5,7 @@ metadata:
labels:
{{- include "mastodon.labels" . | nindent 4 }}
spec:
{{- if not .Values.autoscaling.enabled }}
replicas: {{ .Values.replicaCount }}
{{- end }}
replicas: {{ .Values.mastodon.streaming.replicas }}
selector:
matchLabels:
{{- include "mastodon.selectorLabels" . | nindent 6 }}
@@ -15,7 +13,7 @@ spec:
template:
metadata:
annotations:
{{- with .Values.podAnnotations }}
{{- with (default .Values.podAnnotations .Values.mastodon.streaming.podAnnotations) }}
{{- toYaml . | nindent 8 }}
{{- end }}
# roll the pods to pick up any db migrations or other changes
@@ -29,13 +27,13 @@ spec:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "mastodon.serviceAccountName" . }}
{{- with .Values.podSecurityContext }}
{{- with (default .Values.podSecurityContext .Values.mastodon.streaming.podSecurityContext) }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
{{- with .Values.securityContext }}
- name: {{ .Chart.Name }}-streaming
{{- with (default .Values.securityContext .Values.mastodon.streaming.securityContext) }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
@@ -72,7 +70,7 @@ spec:
httpGet:
path: /api/v1/streaming/health
port: streaming
{{- with .Values.resources }}
{{- with (default .Values.resources .Values.mastodon.streaming.resources) }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
@@ -80,7 +78,7 @@ spec:
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
{{- with (default .Values.affinity .Values.mastodon.streaming.affinity) }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}

16
chart/templates/deployment-web.yaml
View File

@@ -5,9 +5,7 @@ metadata:
labels:
{{- include "mastodon.labels" . | nindent 4 }}
spec:
{{- if not .Values.autoscaling.enabled }}
replicas: {{ .Values.replicaCount }}
{{- end }}
replicas: {{ .Values.mastodon.web.replicas }}
selector:
matchLabels:
{{- include "mastodon.selectorLabels" . | nindent 6 }}
@@ -16,7 +14,7 @@ spec:
template:
metadata:
annotations:
{{- with .Values.podAnnotations }}
{{- with (default .Values.podAnnotations .Values.mastodon.web.podAnnotations) }}
{{- toYaml . | nindent 8 }}
{{- end }}
# roll the pods to pick up any db migrations or other changes
@@ -31,7 +29,7 @@ spec:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "mastodon.serviceAccountName" . }}
{{- with .Values.podSecurityContext }}
{{- with (default .Values.podSecurityContext .Values.mastodon.web.podSecurityContext) }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
@@ -45,8 +43,8 @@ spec:
claimName: {{ template "mastodon.fullname" . }}-system
{{- end }}
containers:
- name: {{ .Chart.Name }}
{{- with .Values.securityContext }}
- name: {{ .Chart.Name }}-web
{{- with (default .Values.securityContext .Values.mastodon.web.securityContext) }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
@@ -112,7 +110,7 @@ spec:
port: http
failureThreshold: 30
periodSeconds: 5
{{- with .Values.resources }}
{{- with (default .Values.resources .Values.mastodon.web.resources) }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
@@ -120,7 +118,7 @@ spec:
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
{{- with (default .Values.affinity .Values.mastodon.web.affinity) }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}

28
chart/templates/hpa.yaml
View File

@@ -1,28 +0,0 @@
{{- if .Values.autoscaling.enabled -}}
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "mastodon.fullname" . }}
labels:
{{- include "mastodon.labels" . | nindent 4 }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "mastodon.fullname" . }}
minReplicas: {{ .Values.autoscaling.minReplicas }}
maxReplicas: {{ .Values.autoscaling.maxReplicas }}
metrics:
{{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
- type: Resource
resource:
name: cpu
targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
{{- end }}
{{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
- type: Resource
resource:
name: memory
targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
{{- end }}
{{- end }}

2
chart/templates/tests/test-connection.yaml
View File

@@ -11,5 +11,5 @@ spec:
- name: wget
image: busybox
command: ['wget']
args: ['{{ include "mastodon.fullname" . }}:{{ .Values.service.port }}']
args: ['{{ include "mastodon.fullname" . }}-web:{{ .Values.service.port }}']
restartPolicy: Never