From cddcafec31b1a6af1ccf5e066b8bf5a0f08647ef Mon Sep 17 00:00:00 2001 From: Sheogorath Date: Thu, 24 Nov 2022 21:30:29 +0100 Subject: Helm: Major refactoring regarding Deployments, Environment variables and more (#20733) * fix(chart): Remove non-functional Horizontal Pod Autoscaler The Horizontal Pod Autoscaler (HPA) refers to a Deployment that doesn't exist and therefore can not work. As a result it's pointless to carry it around in this chart and give the wrong impression it could work. This patch removes it from the helm chart and drops all references to it. * refactor(chart): Refactor sidekiq deployments to scale This patch reworks how the sidekiq deployment is set up, by splitting it into many sidekiq deployments, but at least one, which should allow to scale the number of sidekiq jobs as expected while being friendly to single user instances as well as larger ones. Further it introduces per deployment overwrites for the most relevant pod fields like resources, affinities and processed queues, number of jobs and the sidekiq security contexts. The exact implementation was inspired by an upstream issue: https://github.com/mastodon/mastodon/issues/20453 * fix(chart): Remove linode default values from values This patch drops the linode defaults from the values.yaml since these are not obvious and can cause unexpected connections as well as leaking secrets to linode, when other s3 storage backends are used and don't explicitly configure these options by accident. Mastodon will then try to authenticate to the linode backends and therefore disclose the authentication secrets. * refactor(chart): Rework reduce value reference duplication Since most of the values are simply setup like this: ``` {{- if .Values.someVariable }} SOME_VARIABLE: {{ .Values.someVariable }} {{- end }} ``` There is a lot of duplication in the references in order to full in the variables. There is an equivalent notation, which reduces the usage of the variable name to just once: ``` {{- with .Values.someVariable }} SOME_VARIABLE: {{ . }} {{- end }} ``` What seems like a pointless replacement, will reduce potential mistakes down the line by possibly only adjusting one of the two references. * fix(chart): Switch to new OMNIAUTH_ONLY variable This patch adjusts the helm chart to use the new `OMNIAUTH_ONLY` variable, which replaced the former `OAUTH_REDIRECT_AT_SIGN_IN` variable in the following commit: https://github.com/mastodon/mastodon/pull/17288 https://github.com/mastodon/mastodon/pull/17288/commits/3c8857917ea9b9b3a76adb7afcea5842c8e1c0d1 * fix(chart): Repair connection test to existing service Currently the connect test can't work, since it's connecting to a non-existing service this patch fixes the service name to make the job connect to the mastodon web service to verify the connection. * docs(chart): Adjust values.yaml to support helm-docs This patch updates most values to prepare an introduction of helm-docs. This should help to make the chart more user friendly by explaining the variables and provide a standardised README file, like many other helm charts do. References: https://github.com/norwoodj/helm-docs * refactor(chart): Allow individual overwrites for streaming and web deployment This patch works how the streaming and web deployments work by adding various fields to overwrite values such as affinities, resources, replica count, and security contexts. BREAKING CHANGE: This commit removes `.Values.replicaCount` in favour of `.Values.mastodon.web.replicas` and `.Values.mastodon.streaming.values`. * feat(chart): Add option for authorized fetch Currently the helm chart doesn't support authorized fetch aka. "Secure Mode" this patch fixes that by adding the needed config option to the values file and the configmap. * docs(chart): Improve helm-docs compatiblity This patch adjust a few more comments in the values.yaml to be picked up by helm-docs. This way, future adoption is properly prepared. * fix(chart): Add automatic detection of scheduler sidekiq queue This patch adds an automatic switch to the `Recreate` strategy for the sidekiq Pod in order to prevent accidental concurrency for the scheduler queue. * fix(chart): Repair broken DB_POOL variable --- chart/templates/_helpers.tpl | 12 ++ chart/templates/configmap-env.yaml | 325 +++++++++++++++-------------- chart/templates/deployment-sidekiq.yaml | 94 +++++---- chart/templates/deployment-streaming.yaml | 16 +- chart/templates/deployment-web.yaml | 16 +- chart/templates/hpa.yaml | 28 --- chart/templates/tests/test-connection.yaml | 2 +- 7 files changed, 239 insertions(+), 254 deletions(-) delete mode 100644 chart/templates/hpa.yaml (limited to 'chart/templates') diff --git a/chart/templates/_helpers.tpl b/chart/templates/_helpers.tpl index 207780b34..0e1804f91 100644 --- a/chart/templates/_helpers.tpl +++ b/chart/templates/_helpers.tpl @@ -136,3 +136,15 @@ Return true if a mastodon secret object should be created {{- true -}} {{- end -}} {{- end -}} + +{{/* +Find highest number of needed database connections to set DB_POOL variable +*/}} +{{- define "mastodon.maxDbPool" -}} +{{/* Default MAX_THREADS for Puma is 5 */}} +{{- $poolSize := 5 }} +{{- range .Values.mastodon.sidekiq.workers }} +{{- $poolSize = max $poolSize .concurrency }} +{{- end }} +{{- $poolSize | quote }} +{{- end }} diff --git a/chart/templates/configmap-env.yaml b/chart/templates/configmap-env.yaml index 5d0b96db8..4d0195568 100644 --- a/chart/templates/configmap-env.yaml +++ b/chart/templates/configmap-env.yaml @@ -13,7 +13,7 @@ data: DB_PORT: {{ .Values.postgresql.postgresqlPort | default "5432" | quote }} {{- end }} DB_NAME: {{ .Values.postgresql.auth.database }} - DB_POOL: {{ .Values.mastodon.sidekiq.concurrency | quote }} + DB_POOL: {{ include "mastodon.maxDbPool" . }} DB_USER: {{ .Values.postgresql.auth.username }} DEFAULT_LOCALE: {{ .Values.mastodon.locale }} {{- if .Values.elasticsearch.enabled }} @@ -22,12 +22,15 @@ data: ES_PORT: "9200" {{- end }} LOCAL_DOMAIN: {{ .Values.mastodon.local_domain }} - {{- if .Values.mastodon.web_domain }} - WEB_DOMAIN: {{ .Values.mastodon.web_domain }} + {{- with .Values.mastodon.web_domain }} + WEB_DOMAIN: {{ . }} {{- end }} - {{- if .Values.mastodon.singleUserMode }} + {{- with .Values.mastodon.singleUserMode }} SINGLE_USER_MODE: "true" {{- end }} + {{- with .Values.mastodon.authorizedFetch }} + AUTHORIZED_FETCH: {{ . | quote }} + {{- end }} # https://devcenter.heroku.com/articles/tuning-glibc-memory-behavior MALLOC_ARENA_MAX: "2" NODE_ENV: "production" @@ -40,58 +43,58 @@ data: S3_ENDPOINT: {{ .Values.mastodon.s3.endpoint }} S3_HOSTNAME: {{ .Values.mastodon.s3.hostname }} S3_PROTOCOL: "https" - {{- if .Values.mastodon.s3.region }} - S3_REGION: {{ .Values.mastodon.s3.region }} + {{- with .Values.mastodon.s3.region }} + S3_REGION: {{ . }} {{- end }} - {{- if .Values.mastodon.s3.alias_host }} + {{- with .Values.mastodon.s3.alias_host }} S3_ALIAS_HOST: {{ .Values.mastodon.s3.alias_host}} {{- end }} {{- end }} - {{- if .Values.mastodon.smtp.auth_method }} - SMTP_AUTH_METHOD: {{ .Values.mastodon.smtp.auth_method }} + {{- with .Values.mastodon.smtp.auth_method }} + SMTP_AUTH_METHOD: {{ . }} {{- end }} - {{- if .Values.mastodon.smtp.ca_file }} - SMTP_CA_FILE: {{ .Values.mastodon.smtp.ca_file }} + {{- with .Values.mastodon.smtp.ca_file }} + SMTP_CA_FILE: {{ . }} {{- end }} - {{- if .Values.mastodon.smtp.delivery_method }} - SMTP_DELIVERY_METHOD: {{ .Values.mastodon.smtp.delivery_method }} + {{- with .Values.mastodon.smtp.delivery_method }} + SMTP_DELIVERY_METHOD: {{ . }} {{- end }} - {{- if .Values.mastodon.smtp.domain }} - SMTP_DOMAIN: {{ .Values.mastodon.smtp.domain }} + {{- with .Values.mastodon.smtp.domain }} + SMTP_DOMAIN: {{ . }} {{- end }} - {{- if .Values.mastodon.smtp.enable_starttls }} - SMTP_ENABLE_STARTTLS: {{ .Values.mastodon.smtp.enable_starttls | quote }} + {{- with .Values.mastodon.smtp.enable_starttls }} + SMTP_ENABLE_STARTTLS: {{ . | quote }} {{- end }} - {{- if .Values.mastodon.smtp.enable_starttls_auto }} - SMTP_ENABLE_STARTTLS_AUTO: {{ .Values.mastodon.smtp.enable_starttls_auto | quote }} + {{- with .Values.mastodon.smtp.enable_starttls_auto }} + SMTP_ENABLE_STARTTLS_AUTO: {{ . | quote }} {{- end }} - {{- if .Values.mastodon.smtp.from_address }} - SMTP_FROM_ADDRESS: {{ .Values.mastodon.smtp.from_address }} + {{- with .Values.mastodon.smtp.from_address }} + SMTP_FROM_ADDRESS: {{ . }} {{- end }} - {{- if .Values.mastodon.smtp.login }} - SMTP_LOGIN: {{ .Values.mastodon.smtp.login }} + {{- with .Values.mastodon.smtp.login }} + SMTP_LOGIN: {{ . }} {{- end }} - {{- if .Values.mastodon.smtp.openssl_verify_mode }} - SMTP_OPENSSL_VERIFY_MODE: {{ .Values.mastodon.smtp.openssl_verify_mode }} + {{- with .Values.mastodon.smtp.openssl_verify_mode }} + SMTP_OPENSSL_VERIFY_MODE: {{ . }} {{- end }} - {{- if .Values.mastodon.smtp.password }} - SMTP_PASSWORD: {{ .Values.mastodon.smtp.password }} + {{- with .Values.mastodon.smtp.password }} + SMTP_PASSWORD: {{ . }} {{- end }} - {{- if .Values.mastodon.smtp.port }} - SMTP_PORT: {{ .Values.mastodon.smtp.port | quote }} + {{- with .Values.mastodon.smtp.port }} + SMTP_PORT: {{ . | quote }} {{- end }} - {{- if .Values.mastodon.smtp.reply_to }} - SMTP_REPLY_TO: {{ .Values.mastodon.smtp.reply_to }} + {{- with .Values.mastodon.smtp.reply_to }} + SMTP_REPLY_TO: {{ . }} {{- end }} - {{- if .Values.mastodon.smtp.server }} - SMTP_SERVER: {{ .Values.mastodon.smtp.server }} + {{- with .Values.mastodon.smtp.server }} + SMTP_SERVER: {{ . }} {{- end }} - {{- if .Values.mastodon.smtp.tls }} - SMTP_TLS: {{ .Values.mastodon.smtp.tls | quote }} + {{- with .Values.mastodon.smtp.tls }} + SMTP_TLS: {{ . | quote }} {{- end }} STREAMING_CLUSTER_NUM: {{ .Values.mastodon.streaming.workers | quote }} - {{- if .Values.mastodon.streaming.base_url }} - STREAMING_API_BASE_URL: {{ .Values.mastodon.streaming.base_url | quote }} + {{- with .Values.mastodon.streaming.base_url }} + STREAMING_API_BASE_URL: {{ . | quote }} {{- end }} {{- if .Values.externalAuth.oidc.enabled }} OIDC_ENABLED: {{ .Values.externalAuth.oidc.enabled | quote }} @@ -104,53 +107,53 @@ data: OIDC_CLIENT_SECRET: {{ .Values.externalAuth.oidc.client_secret }} OIDC_REDIRECT_URI: {{ .Values.externalAuth.oidc.redirect_uri }} OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED: {{ .Values.externalAuth.oidc.assume_email_is_verified | quote }} - {{- if .Values.externalAuth.oidc.client_auth_method }} - OIDC_CLIENT_AUTH_METHOD: {{ .Values.externalAuth.oidc.client_auth_method }} + {{- with .Values.externalAuth.oidc.client_auth_method }} + OIDC_CLIENT_AUTH_METHOD: {{ . }} {{- end }} - {{- if .Values.externalAuth.oidc.response_type }} - OIDC_RESPONSE_TYPE: {{ .Values.externalAuth.oidc.response_type }} + {{- with .Values.externalAuth.oidc.response_type }} + OIDC_RESPONSE_TYPE: {{ . }} {{- end }} - {{- if .Values.externalAuth.oidc.response_mode }} - OIDC_RESPONSE_MODE: {{ .Values.externalAuth.oidc.response_mode }} + {{- with .Values.externalAuth.oidc.response_mode }} + OIDC_RESPONSE_MODE: {{ . }} {{- end }} - {{- if .Values.externalAuth.oidc.display }} - OIDC_DISPLAY: {{ .Values.externalAuth.oidc.display }} + {{- with .Values.externalAuth.oidc.display }} + OIDC_DISPLAY: {{ . }} {{- end }} - {{- if .Values.externalAuth.oidc.prompt }} - OIDC_PROMPT: {{ .Values.externalAuth.oidc.prompt }} + {{- with .Values.externalAuth.oidc.prompt }} + OIDC_PROMPT: {{ . }} {{- end }} - {{- if .Values.externalAuth.oidc.send_nonce }} - OIDC_SEND_NONCE: {{ .Values.externalAuth.oidc.send_nonce }} + {{- with .Values.externalAuth.oidc.send_nonce }} + OIDC_SEND_NONCE: {{ . }} {{- end }} - {{- if .Values.externalAuth.oidc.send_scope_to_token_endpoint }} - OIDC_SEND_SCOPE_TO_TOKEN_ENDPOINT: {{ .Values.externalAuth.oidc.send_scope_to_token_endpoint | quote }} + {{- with .Values.externalAuth.oidc.send_scope_to_token_endpoint }} + OIDC_SEND_SCOPE_TO_TOKEN_ENDPOINT: {{ . | quote }} {{- end }} - {{- if .Values.externalAuth.oidc.idp_logout_redirect_uri }} - OIDC_IDP_LOGOUT_REDIRECT_URI: {{ .Values.externalAuth.oidc.idp_logout_redirect_uri }} + {{- with .Values.externalAuth.oidc.idp_logout_redirect_uri }} + OIDC_IDP_LOGOUT_REDIRECT_URI: {{ . }} {{- end }} - {{- if .Values.externalAuth.oidc.http_scheme }} - OIDC_HTTP_SCHEME: {{ .Values.externalAuth.oidc.http_scheme }} + {{- with .Values.externalAuth.oidc.http_scheme }} + OIDC_HTTP_SCHEME: {{ . }} {{- end }} - {{- if .Values.externalAuth.oidc.host }} - OIDC_HOST: {{ .Values.externalAuth.oidc.host }} + {{- with .Values.externalAuth.oidc.host }} + OIDC_HOST: {{ . }} {{- end }} - {{- if .Values.externalAuth.oidc.port }} - OIDC_PORT: {{ .Values.externalAuth.oidc.port }} + {{- with .Values.externalAuth.oidc.port }} + OIDC_PORT: {{ . }} {{- end }} - {{- if .Values.externalAuth.oidc.jwks_uri }} - OIDC_JWKS_URI: {{ .Values.externalAuth.oidc.jwks_uri }} + {{- with .Values.externalAuth.oidc.jwks_uri }} + OIDC_JWKS_URI: {{ . }} {{- end }} - {{- if .Values.externalAuth.oidc.auth_endpoint }} - OIDC_AUTH_ENDPOINT: {{ .Values.externalAuth.oidc.auth_endpoint }} + {{- with .Values.externalAuth.oidc.auth_endpoint }} + OIDC_AUTH_ENDPOINT: {{ . }} {{- end }} - {{- if .Values.externalAuth.oidc.token_endpoint }} - OIDC_TOKEN_ENDPOINT: {{ .Values.externalAuth.oidc.token_endpoint }} + {{- with .Values.externalAuth.oidc.token_endpoint }} + OIDC_TOKEN_ENDPOINT: {{ . }} {{- end }} - {{- if .Values.externalAuth.oidc.user_info_endpoint }} - OIDC_USER_INFO_ENDPOINT: {{ .Values.externalAuth.oidc.user_info_endpoint }} + {{- with .Values.externalAuth.oidc.user_info_endpoint }} + OIDC_USER_INFO_ENDPOINT: {{ . }} {{- end }} - {{- if .Values.externalAuth.oidc.end_session_endpoint }} - OIDC_END_SESSION_ENDPOINT: {{ .Values.externalAuth.oidc.end_session_endpoint }} + {{- with .Values.externalAuth.oidc.end_session_endpoint }} + OIDC_END_SESSION_ENDPOINT: {{ . }} {{- end }} {{- end }} {{- if .Values.externalAuth.saml.enabled }} @@ -159,54 +162,54 @@ data: SAML_ISSUER: {{ .Values.externalAuth.saml.issuer }} SAML_IDP_SSO_TARGET_URL: {{ .Values.externalAuth.saml.idp_sso_target_url }} SAML_IDP_CERT: {{ .Values.externalAuth.saml.idp_cert | quote }} - {{- if .Values.externalAuth.saml.idp_cert_fingerprint }} - SAML_IDP_CERT_FINGERPRINT: {{ .Values.externalAuth.saml.idp_cert_fingerprint | quote }} + {{- with .Values.externalAuth.saml.idp_cert_fingerprint }} + SAML_IDP_CERT_FINGERPRINT: {{ . | quote }} {{- end }} - {{- if .Values.externalAuth.saml.name_identifier_format }} - SAML_NAME_IDENTIFIER_FORMAT: {{ .Values.externalAuth.saml.name_identifier_format }} + {{- with .Values.externalAuth.saml.name_identifier_format }} + SAML_NAME_IDENTIFIER_FORMAT: {{ . }} {{- end }} - {{- if .Values.externalAuth.saml.cert }} - SAML_CERT: {{ .Values.externalAuth.saml.cert | quote }} + {{- with .Values.externalAuth.saml.cert }} + SAML_CERT: {{ . | quote }} {{- end }} - {{- if .Values.externalAuth.saml.private_key }} - SAML_PRIVATE_KEY: {{ .Values.externalAuth.saml.private_key | quote }} + {{- with .Values.externalAuth.saml.private_key }} + SAML_PRIVATE_KEY: {{ . | quote }} {{- end }} - {{- if .Values.externalAuth.saml.want_assertion_signed }} - SAML_SECURITY_WANT_ASSERTION_SIGNED: {{ .Values.externalAuth.saml.want_assertion_signed | quote }} + {{- with .Values.externalAuth.saml.want_assertion_signed }} + SAML_SECURITY_WANT_ASSERTION_SIGNED: {{ . | quote }} {{- end }} - {{- if .Values.externalAuth.saml.want_assertion_encrypted }} - SAML_SECURITY_WANT_ASSERTION_ENCRYPTED: {{ .Values.externalAuth.saml.want_assertion_encrypted | quote }} + {{- with .Values.externalAuth.saml.want_assertion_encrypted }} + SAML_SECURITY_WANT_ASSERTION_ENCRYPTED: {{ . | quote }} {{- end }} - {{- if .Values.externalAuth.saml.assume_email_is_verified }} - SAML_SECURITY_ASSUME_EMAIL_IS_VERIFIED: {{ .Values.externalAuth.saml.assume_email_is_verified | quote }} + {{- with .Values.externalAuth.saml.assume_email_is_verified }} + SAML_SECURITY_ASSUME_EMAIL_IS_VERIFIED: {{ . | quote }} {{- end }} - {{- if .Values.externalAuth.saml.uid_attribute }} - SAML_UID_ATTRIBUTE: {{ .Values.externalAuth.saml.uid_attribute }} + {{- with .Values.externalAuth.saml.uid_attribute }} + SAML_UID_ATTRIBUTE: {{ . }} {{- end }} - {{- if .Values.externalAuth.saml.attributes_statements.uid }} - SAML_ATTRIBUTES_STATEMENTS_UID: {{ .Values.externalAuth.saml.attributes_statements.uid | quote }} + {{- with .Values.externalAuth.saml.attributes_statements.uid }} + SAML_ATTRIBUTES_STATEMENTS_UID: {{ . | quote }} {{- end }} - {{- if .Values.externalAuth.saml.attributes_statements.email }} - SAML_ATTRIBUTES_STATEMENTS_EMAIL: {{ .Values.externalAuth.saml.attributes_statements.email | quote }} + {{- with .Values.externalAuth.saml.attributes_statements.email }} + SAML_ATTRIBUTES_STATEMENTS_EMAIL: {{ . | quote }} {{- end }} - {{- if .Values.externalAuth.saml.attributes_statements.full_name }} - SAML_ATTRIBUTES_STATEMENTS_FULL_NAME: {{ .Values.externalAuth.saml.attributes_statements.full_name | quote }} + {{- with .Values.externalAuth.saml.attributes_statements.full_name }} + SAML_ATTRIBUTES_STATEMENTS_FULL_NAME: {{ . | quote }} {{- end }} - {{- if .Values.externalAuth.saml.attributes_statements.first_name }} - SAML_ATTRIBUTES_STATEMENTS_FIRST_NAME: {{ .Values.externalAuth.saml.attributes_statements.first_name | quote }} + {{- with .Values.externalAuth.saml.attributes_statements.first_name }} + SAML_ATTRIBUTES_STATEMENTS_FIRST_NAME: {{ . | quote }} {{- end }} - {{- if .Values.externalAuth.saml.attributes_statements.last_name }} - SAML_ATTRIBUTES_STATEMENTS_LAST_NAME: {{ .Values.externalAuth.saml.attributes_statements.last_name | quote }} + {{- with .Values.externalAuth.saml.attributes_statements.last_name }} + SAML_ATTRIBUTES_STATEMENTS_LAST_NAME: {{ . | quote }} {{- end }} - {{- if .Values.externalAuth.saml.attributes_statements.verified }} - SAML_ATTRIBUTES_STATEMENTS_VERIFIED: {{ .Values.externalAuth.saml.attributes_statements.verified | quote }} + {{- with .Values.externalAuth.saml.attributes_statements.verified }} + SAML_ATTRIBUTES_STATEMENTS_VERIFIED: {{ . | quote }} {{- end }} - {{- if .Values.externalAuth.saml.attributes_statements.verified_email }} - SAML_ATTRIBUTES_STATEMENTS_VERIFIED_EMAIL: {{ .Values.externalAuth.saml.attributes_statements.verified_email | quote }} + {{- with .Values.externalAuth.saml.attributes_statements.verified_email }} + SAML_ATTRIBUTES_STATEMENTS_VERIFIED_EMAIL: {{ . | quote }} {{- end }} {{- end }} - {{- if .Values.externalAuth.oauth_global.oauth_redirect_at_sign_in }} - OAUTH_REDIRECT_AT_SIGN_IN: {{ .Values.externalAuth.oauth_global.oauth_redirect_at_sign_in | quote }} + {{- with .Values.externalAuth.oauth_global.omniauth_only }} + OMNIAUTH_ONLY: {{ . | quote }} {{- end }} {{- if .Values.externalAuth.cas.enabled }} CAS_ENABLED: {{ .Values.externalAuth.cas.enabled | quote }} @@ -214,68 +217,68 @@ data: CAS_HOST: {{ .Values.externalAuth.cas.host }} CAS_PORT: {{ .Values.externalAuth.cas.port }} CAS_SSL: {{ .Values.externalAuth.cas.ssl | quote }} - {{- if .Values.externalAuth.cas.validate_url }} - CAS_VALIDATE_URL: {{ .Values.externalAuth.cas.validate_url }} + {{- with .Values.externalAuth.cas.validate_url }} + CAS_VALIDATE_URL: {{ . }} {{- end }} - {{- if .Values.externalAuth.cas.callback_url }} - CAS_CALLBACK_URL: {{ .Values.externalAuth.cas.callback_url }} + {{- with .Values.externalAuth.cas.callback_url }} + CAS_CALLBACK_URL: {{ . }} {{- end }} - {{- if .Values.externalAuth.cas.logout_url }} - CAS_LOGOUT_URL: {{ .Values.externalAuth.cas.logout_url }} + {{- with .Values.externalAuth.cas.logout_url }} + CAS_LOGOUT_URL: {{ . }} {{- end }} - {{- if .Values.externalAuth.cas.login_url }} - CAS_LOGIN_URL: {{ .Values.externalAuth.cas.login_url }} + {{- with .Values.externalAuth.cas.login_url }} + CAS_LOGIN_URL: {{ . }} {{- end }} - {{- if .Values.externalAuth.cas.uid_field }} - CAS_UID_FIELD: {{ .Values.externalAuth.cas.uid_field | quote }} + {{- with .Values.externalAuth.cas.uid_field }} + CAS_UID_FIELD: {{ . | quote }} {{- end }} - {{- if .Values.externalAuth.cas.ca_path }} - CAS_CA_PATH: {{ .Values.externalAuth.cas.ca_path }} + {{- with .Values.externalAuth.cas.ca_path }} + CAS_CA_PATH: {{ . }} {{- end }} - {{- if .Values.externalAuth.cas.disable_ssl_verification }} - CAS_DISABLE_SSL_VERIFICATION: {{ .Values.externalAuth.cas.disable_ssl_verification | quote }} + {{- with .Values.externalAuth.cas.disable_ssl_verification }} + CAS_DISABLE_SSL_VERIFICATION: {{ . | quote }} {{- end }} - {{- if .Values.externalAuth.cas.assume_email_is_verified }} - CAS_SECURITY_ASSUME_EMAIL_IS_VERIFIED: {{ .Values.externalAuth.cas.assume_email_is_verified | quote }} + {{- with .Values.externalAuth.cas.assume_email_is_verified }} + CAS_SECURITY_ASSUME_EMAIL_IS_VERIFIED: {{ . | quote }} {{- end }} - {{- if .Values.externalAuth.cas.keys.uid }} - CAS_UID_KEY: {{ .Values.externalAuth.cas.keys.uid | quote }} + {{- with .Values.externalAuth.cas.keys.uid }} + CAS_UID_KEY: {{ . | quote }} {{- end }} - {{- if .Values.externalAuth.cas.keys.name }} - CAS_NAME_KEY: {{ .Values.externalAuth.cas.keys.name | quote }} + {{- with .Values.externalAuth.cas.keys.name }} + CAS_NAME_KEY: {{ . | quote }} {{- end }} - {{- if .Values.externalAuth.cas.keys.email }} - CAS_EMAIL_KEY: {{ .Values.externalAuth.cas.keys.email | quote }} + {{- with .Values.externalAuth.cas.keys.email }} + CAS_EMAIL_KEY: {{ . | quote }} {{- end }} - {{- if .Values.externalAuth.cas.keys.nickname }} - CAS_NICKNAME_KEY: {{ .Values.externalAuth.cas.keys.nickname | quote }} + {{- with .Values.externalAuth.cas.keys.nickname }} + CAS_NICKNAME_KEY: {{ . | quote }} {{- end }} - {{- if .Values.externalAuth.cas.keys.first_name }} - CAS_FIRST_NAME_KEY: {{ .Values.externalAuth.cas.keys.first_name | quote }} + {{- with .Values.externalAuth.cas.keys.first_name }} + CAS_FIRST_NAME_KEY: {{ . | quote }} {{- end }} - {{- if .Values.externalAuth.cas.keys.last_name }} - CAS_LAST_NAME_KEY: {{ .Values.externalAuth.cas.keys.last_name | quote }} + {{- with .Values.externalAuth.cas.keys.last_name }} + CAS_LAST_NAME_KEY: {{ . | quote }} {{- end }} - {{- if .Values.externalAuth.cas.keys.location }} - CAS_LOCATION_KEY: {{ .Values.externalAuth.cas.keys.location | quote }} + {{- with .Values.externalAuth.cas.keys.location }} + CAS_LOCATION_KEY: {{ . | quote }} {{- end }} - {{- if .Values.externalAuth.cas.keys.image }} - CAS_IMAGE_KEY: {{ .Values.externalAuth.cas.keys.image | quote }} + {{- with .Values.externalAuth.cas.keys.image }} + CAS_IMAGE_KEY: {{ . | quote }} {{- end }} - {{- if .Values.externalAuth.cas.keys.phone }} - CAS_PHONE_KEY: {{ .Values.externalAuth.cas.keys.phone | quote }} + {{- with .Values.externalAuth.cas.keys.phone }} + CAS_PHONE_KEY: {{ . | quote }} {{- end }} {{- end }} - {{- if .Values.externalAuth.pam.enabled }} - PAM_ENABLED: {{ .Values.externalAuth.pam.enabled | quote }} - {{- if .Values.externalAuth.pam.email_domain }} - PAM_EMAIL_DOMAIN: {{ .Values.externalAuth.pam.email_domain }} + {{- with .Values.externalAuth.pam.enabled }} + PAM_ENABLED: {{ . | quote }} + {{- with .Values.externalAuth.pam.email_domain }} + PAM_EMAIL_DOMAIN: {{ . }} {{- end }} - {{- if .Values.externalAuth.pam.default_service }} - PAM_DEFAULT_SERVICE: {{ .Values.externalAuth.pam.default_service }} + {{- with .Values.externalAuth.pam.default_service }} + PAM_DEFAULT_SERVICE: {{ . }} {{- end }} - {{- if .Values.externalAuth.pam.controlled_service }} - PAM_CONTROLLED_SERVICE: {{ .Values.externalAuth.pam.controlled_service }} + {{- with .Values.externalAuth.pam.controlled_service }} + PAM_CONTROLLED_SERVICE: {{ . }} {{- end }} {{- end }} {{- if .Values.externalAuth.ldap.enabled }} @@ -283,32 +286,32 @@ data: LDAP_HOST: {{ .Values.externalAuth.ldap.host }} LDAP_PORT: {{ .Values.externalAuth.ldap.port }} LDAP_METHOD: {{ .Values.externalAuth.ldap.method }} - {{- if .Values.externalAuth.ldap.base }} - LDAP_BASE: {{ .Values.externalAuth.ldap.base }} + {{- with .Values.externalAuth.ldap.base }} + LDAP_BASE: {{ . }} {{- end }} - {{- if .Values.externalAuth.ldap.bind_on }} - LDAP_BIND_ON: {{ .Values.externalAuth.ldap.bind_on }} + {{- with .Values.externalAuth.ldap.bind_on }} + LDAP_BIND_ON: {{ . }} {{- end }} - {{- if .Values.externalAuth.ldap.password }} - LDAP_PASSWORD: {{ .Values.externalAuth.ldap.password }} + {{- with .Values.externalAuth.ldap.password }} + LDAP_PASSWORD: {{ . }} {{- end }} - {{- if .Values.externalAuth.ldap.uid }} - LDAP_UID: {{ .Values.externalAuth.ldap.uid }} + {{- with .Values.externalAuth.ldap.uid }} + LDAP_UID: {{ . }} {{- end }} - {{- if .Values.externalAuth.ldap.mail }} - LDAP_MAIL: {{ .Values.externalAuth.ldap.mail }} + {{- with .Values.externalAuth.ldap.mail }} + LDAP_MAIL: {{ . }} {{- end }} - {{- if .Values.externalAuth.ldap.search_filter }} - LDAP_SEARCH_FILTER: {{ .Values.externalAuth.ldap.search_filter }} + {{- with .Values.externalAuth.ldap.search_filter }} + LDAP_SEARCH_FILTER: {{ . }} {{- end }} - {{- if .Values.externalAuth.ldap.uid_conversion.enabled }} - LDAP_UID_CONVERSION_ENABLED: {{ .Values.externalAuth.ldap.uid_conversion.enabled | quote }} + {{- with .Values.externalAuth.ldap.uid_conversion.enabled }} + LDAP_UID_CONVERSION_ENABLED: {{ . | quote }} {{- end }} - {{- if .Values.externalAuth.ldap.uid_conversion.search }} - LDAP_UID_CONVERSION_SEARCH: {{ .Values.externalAuth.ldap.uid_conversion.search }} + {{- with .Values.externalAuth.ldap.uid_conversion.search }} + LDAP_UID_CONVERSION_SEARCH: {{ . }} {{- end }} - {{- if .Values.externalAuth.ldap.uid_conversion.replace }} - LDAP_UID_CONVERSION_REPLACE: {{ .Values.externalAuth.ldap.uid_conversion.replace }} + {{- with .Values.externalAuth.ldap.uid_conversion.replace }} + LDAP_UID_CONVERSION_REPLACE: {{ . }} {{- end }} {{- end }} {{- with .Values.mastodon.metrics.statsd.address }} diff --git a/chart/templates/deployment-sidekiq.yaml b/chart/templates/deployment-sidekiq.yaml index 94af99b11..c7e0c5470 100644 --- a/chart/templates/deployment-sidekiq.yaml +++ b/chart/templates/deployment-sidekiq.yaml @@ -1,96 +1,97 @@ +{{- $context := . }} +{{- range .Values.mastodon.sidekiq.workers }} +--- apiVersion: apps/v1 kind: Deployment metadata: - name: {{ include "mastodon.fullname" . }}-sidekiq + name: {{ include "mastodon.fullname" $context }}-sidekiq-{{ .name }} labels: - {{- include "mastodon.labels" . | nindent 4 }} + {{- include "mastodon.labels" $context | nindent 4 }} + app.kubernetes.io/component: sidekiq-{{ .name }} + app.kubernetes.io/part-of: rails spec: - {{- if not .Values.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} + replicas: {{ .replicas }} + {{- if (has "scheduler" .queues) }} + strategy: + type: Recreate {{- end }} selector: matchLabels: - {{- include "mastodon.selectorLabels" . | nindent 6 }} - app.kubernetes.io/component: sidekiq + {{- include "mastodon.selectorLabels" $context | nindent 6 }} + app.kubernetes.io/component: sidekiq-{{ .name }} app.kubernetes.io/part-of: rails template: metadata: annotations: - {{- with .Values.podAnnotations }} + {{- with $context.Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} # roll the pods to pick up any db migrations or other changes - {{- include "mastodon.rollingPodAnnotations" . | nindent 8 }} + {{- include "mastodon.rollingPodAnnotations" $context | nindent 8 }} labels: - {{- include "mastodon.selectorLabels" . | nindent 8 }} - app.kubernetes.io/component: sidekiq + {{- include "mastodon.selectorLabels" $context | nindent 8 }} + app.kubernetes.io/component: sidekiq-{{ .name }} app.kubernetes.io/part-of: rails spec: - {{- with .Values.imagePullSecrets }} + {{- with $context.Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} - serviceAccountName: {{ include "mastodon.serviceAccountName" . }} - {{- with .Values.podSecurityContext }} + serviceAccountName: {{ include "mastodon.serviceAccountName" $context }} + {{- with (default $context.Values.podSecurityContext $context.Values.mastodon.sidekiq.podSecurityContext) }} securityContext: {{- toYaml . | nindent 8 }} {{- end }} - {{- if (not .Values.mastodon.s3.enabled) }} - # ensure we run on the same node as the other rails components; only - # required when using PVCs that are ReadWriteOnce - {{- if or (eq "ReadWriteOnce" .Values.mastodon.persistence.assets.accessMode) (eq "ReadWriteOnce" .Values.mastodon.persistence.system.accessMode) }} + {{- with (default (default $context.Values.affinity $context.Values.mastodon.sidekiq.affinity) .affinity) }} affinity: - podAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: app.kubernetes.io/part-of - operator: In - values: - - rails - topologyKey: kubernetes.io/hostname + {{- toYaml . | nindent 8 }} {{- end }} + {{- if (not $context.Values.mastodon.s3.enabled) }} volumes: - name: assets persistentVolumeClaim: - claimName: {{ template "mastodon.fullname" . }}-assets + claimName: {{ template "mastodon.fullname" $context }}-assets - name: system persistentVolumeClaim: - claimName: {{ template "mastodon.fullname" . }}-system + claimName: {{ template "mastodon.fullname" $context }}-system {{- end }} containers: - - name: {{ .Chart.Name }} + - name: {{ $context.Chart.Name }} securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- toYaml $context.Values.mastodon.sidekiq.securityContext | nindent 12 }} + image: "{{ $context.Values.image.repository }}:{{ $context.Values.image.tag | default $context.Chart.AppVersion }}" + imagePullPolicy: {{ $context.Values.image.pullPolicy }} command: - bundle - exec - sidekiq - -c - - {{ .Values.mastodon.sidekiq.concurrency | quote }} + - {{ .concurrency | quote }} + {{- range .queues }} + - -q + - {{ . | quote }} + {{- end }} envFrom: - configMapRef: - name: {{ include "mastodon.fullname" . }}-env + name: {{ include "mastodon.fullname" $context }}-env - secretRef: - name: {{ template "mastodon.secretName" . }} + name: {{ template "mastodon.secretName" $context }} env: - name: "DB_PASS" valueFrom: secretKeyRef: - name: {{ template "mastodon.postgresql.secretName" . }} + name: {{ template "mastodon.postgresql.secretName" $context }} key: password - name: "REDIS_PASSWORD" valueFrom: secretKeyRef: - name: {{ template "mastodon.redis.secretName" . }} + name: {{ template "mastodon.redis.secretName" $context }} key: redis-password - {{- if (and .Values.mastodon.s3.enabled .Values.mastodon.s3.existingSecret) }} + {{- if (and $context.Values.mastodon.s3.enabled $context.Values.mastodon.s3.existingSecret) }} - name: "AWS_SECRET_ACCESS_KEY" valueFrom: secretKeyRef: - name: {{ .Values.mastodon.s3.existingSecret }} + name: {{ $context.Values.mastodon.s3.existingSecret }} key: AWS_SECRET_ACCESS_KEY - name: "AWS_ACCESS_KEY_ID" valueFrom: @@ -98,20 +99,20 @@ spec: name: {{ .Values.mastodon.s3.existingSecret }} key: AWS_ACCESS_KEY_ID {{- end }} - {{- if .Values.mastodon.smtp.existingSecret }} + {{- if $context.Values.mastodon.smtp.existingSecret }} - name: "SMTP_LOGIN" valueFrom: secretKeyRef: - name: {{ .Values.mastodon.smtp.existingSecret }} + name: {{ $context.Values.mastodon.smtp.existingSecret }} key: login optional: true - name: "SMTP_PASSWORD" valueFrom: secretKeyRef: - name: {{ .Values.mastodon.smtp.existingSecret }} + name: {{ $context.Values.mastodon.smtp.existingSecret }} key: password {{- end }} - {{- if (not .Values.mastodon.s3.enabled) }} + {{- if (not $context.Values.mastodon.s3.enabled) }} volumeMounts: - name: assets mountPath: /opt/mastodon/public/assets @@ -119,12 +120,13 @@ spec: mountPath: /opt/mastodon/public/system {{- end }} resources: - {{- toYaml .Values.resources | nindent 12 }} - {{- with .Values.nodeSelector }} + {{- toYaml (default (default $context.Values.resources $context.Values.mastodon.sidekiq.resources) .resources) | nindent 12 }} + {{- with $context.Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.tolerations }} + {{- with $context.Values.tolerations }} tolerations: {{- toYaml . | nindent 8 }} {{- end }} +{{- end }} diff --git a/chart/templates/deployment-streaming.yaml b/chart/templates/deployment-streaming.yaml index 5d565765e..dd804044c 100644 --- a/chart/templates/deployment-streaming.yaml +++ b/chart/templates/deployment-streaming.yaml @@ -5,9 +5,7 @@ metadata: labels: {{- include "mastodon.labels" . | nindent 4 }} spec: - {{- if not .Values.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} - {{- end }} + replicas: {{ .Values.mastodon.streaming.replicas }} selector: matchLabels: {{- include "mastodon.selectorLabels" . | nindent 6 }} @@ -15,7 +13,7 @@ spec: template: metadata: annotations: - {{- with .Values.podAnnotations }} + {{- with (default .Values.podAnnotations .Values.mastodon.streaming.podAnnotations) }} {{- toYaml . | nindent 8 }} {{- end }} # roll the pods to pick up any db migrations or other changes @@ -29,13 +27,13 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} serviceAccountName: {{ include "mastodon.serviceAccountName" . }} - {{- with .Values.podSecurityContext }} + {{- with (default .Values.podSecurityContext .Values.mastodon.streaming.podSecurityContext) }} securityContext: {{- toYaml . | nindent 8 }} {{- end }} containers: - - name: {{ .Chart.Name }} - {{- with .Values.securityContext }} + - name: {{ .Chart.Name }}-streaming + {{- with (default .Values.securityContext .Values.mastodon.streaming.securityContext) }} securityContext: {{- toYaml . | nindent 12 }} {{- end }} @@ -72,7 +70,7 @@ spec: httpGet: path: /api/v1/streaming/health port: streaming - {{- with .Values.resources }} + {{- with (default .Values.resources .Values.mastodon.streaming.resources) }} resources: {{- toYaml . | nindent 12 }} {{- end }} @@ -80,7 +78,7 @@ spec: nodeSelector: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.affinity }} + {{- with (default .Values.affinity .Values.mastodon.streaming.affinity) }} affinity: {{- toYaml . | nindent 8 }} {{- end }} diff --git a/chart/templates/deployment-web.yaml b/chart/templates/deployment-web.yaml index ec67481bf..c1ec2327e 100644 --- a/chart/templates/deployment-web.yaml +++ b/chart/templates/deployment-web.yaml @@ -5,9 +5,7 @@ metadata: labels: {{- include "mastodon.labels" . | nindent 4 }} spec: - {{- if not .Values.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} - {{- end }} + replicas: {{ .Values.mastodon.web.replicas }} selector: matchLabels: {{- include "mastodon.selectorLabels" . | nindent 6 }} @@ -16,7 +14,7 @@ spec: template: metadata: annotations: - {{- with .Values.podAnnotations }} + {{- with (default .Values.podAnnotations .Values.mastodon.web.podAnnotations) }} {{- toYaml . | nindent 8 }} {{- end }} # roll the pods to pick up any db migrations or other changes @@ -31,7 +29,7 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} serviceAccountName: {{ include "mastodon.serviceAccountName" . }} - {{- with .Values.podSecurityContext }} + {{- with (default .Values.podSecurityContext .Values.mastodon.web.podSecurityContext) }} securityContext: {{- toYaml . | nindent 8 }} {{- end }} @@ -45,8 +43,8 @@ spec: claimName: {{ template "mastodon.fullname" . }}-system {{- end }} containers: - - name: {{ .Chart.Name }} - {{- with .Values.securityContext }} + - name: {{ .Chart.Name }}-web + {{- with (default .Values.securityContext .Values.mastodon.web.securityContext) }} securityContext: {{- toYaml . | nindent 12 }} {{- end }} @@ -112,7 +110,7 @@ spec: port: http failureThreshold: 30 periodSeconds: 5 - {{- with .Values.resources }} + {{- with (default .Values.resources .Values.mastodon.web.resources) }} resources: {{- toYaml . | nindent 12 }} {{- end }} @@ -120,7 +118,7 @@ spec: nodeSelector: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.affinity }} + {{- with (default .Values.affinity .Values.mastodon.web.affinity) }} affinity: {{- toYaml . | nindent 8 }} {{- end }} diff --git a/chart/templates/hpa.yaml b/chart/templates/hpa.yaml deleted file mode 100644 index b23b2cb16..000000000 --- a/chart/templates/hpa.yaml +++ /dev/null @@ -1,28 +0,0 @@ -{{- if .Values.autoscaling.enabled -}} -apiVersion: autoscaling/v2beta1 -kind: HorizontalPodAutoscaler -metadata: - name: {{ include "mastodon.fullname" . }} - labels: - {{- include "mastodon.labels" . | nindent 4 }} -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{ include "mastodon.fullname" . }} - minReplicas: {{ .Values.autoscaling.minReplicas }} - maxReplicas: {{ .Values.autoscaling.maxReplicas }} - metrics: - {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} - - type: Resource - resource: - name: cpu - targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} - {{- end }} - {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} - - type: Resource - resource: - name: memory - targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} - {{- end }} -{{- end }} diff --git a/chart/templates/tests/test-connection.yaml b/chart/templates/tests/test-connection.yaml index 09d981691..185c037ab 100644 --- a/chart/templates/tests/test-connection.yaml +++ b/chart/templates/tests/test-connection.yaml @@ -11,5 +11,5 @@ spec: - name: wget image: busybox command: ['wget'] - args: ['{{ include "mastodon.fullname" . }}:{{ .Values.service.port }}'] + args: ['{{ include "mastodon.fullname" . }}-web:{{ .Values.service.port }}'] restartPolicy: Never -- cgit From 8acf18a960cd4328d5a52fa820ce3fe741445bc5 Mon Sep 17 00:00:00 2001 From: Chris Funderburg Date: Thu, 24 Nov 2022 20:32:03 +0000 Subject: Fix the command to create the admin user (#19827) * fix the command to create the admin user * change Admin to Owner --- chart/templates/job-create-admin.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'chart/templates') diff --git a/chart/templates/job-create-admin.yaml b/chart/templates/job-create-admin.yaml index f28cdab41..3d137f5c7 100644 --- a/chart/templates/job-create-admin.yaml +++ b/chart/templates/job-create-admin.yaml @@ -55,7 +55,7 @@ spec: - {{ .Values.mastodon.createAdmin.email }} - --confirmed - --role - - admin + - Owner envFrom: - configMapRef: name: {{ include "mastodon.fullname" . }}-env -- cgit