From 7ccf7a73f1c47a8c03712c39f7c591e837cf6d08 Mon Sep 17 00:00:00 2001
From: Alex Nordlund
Date: Wed, 10 Aug 2022 17:12:58 +0200
Subject: Fix broken dependencies in helm chart and allow using existing secrets in the chart (#18941)
* Add ability to specify an existing Secret (#18139) Closes #18139
* Allow using secrets with external postgres
* Upgrade CronJob to batch/v1
* Allow using redis.auth.existingSecret
* Helmignore mastodon-*.tgz for easy local development
* Upgrade helm dependencies
* Upgrade postgresql to 11
* Allow putting SMTP password into a secret
* Add optional login to SMTP secret This to allow setting LOGIN either in values.yaml or in the secret.
* Switch to bitnami charts full archive This prevents older versions from disappearing, see https://github.com/bitnami/charts/issues/10539 for full context.
Co-authored-by: Ted Tramonte
---
 chart/templates/_helpers.tpl | 50 ++++++++++++++++++++++++++++++
 chart/templates/configmap-env.yaml | 6 ++--
 chart/templates/cronjob-media-remove.yaml | 14 +++------
 chart/templates/deployment-sidekiq.yaml | 25 ++++++++++-----
 chart/templates/deployment-streaming.yaml | 10 ++----
 chart/templates/deployment-web.yaml | 12 +++----
 chart/templates/job-assets-precompile.yaml | 12 +++----
 chart/templates/job-chewy-upgrade.yaml | 12 +++----
 chart/templates/job-create-admin.yaml | 12 +++----
 chart/templates/job-db-migrate.yaml | 12 +++----
 chart/templates/secrets.yaml | 10 +++++-
 11 files changed, 107 insertions(+), 68 deletions(-)
(limited to 'chart/templates')
diff --git a/chart/templates/_helpers.tpl b/chart/templates/_helpers.tpl
index 5814a3120..71bb002ef 100644
--- a/chart/templates/_helpers.tpl
+++ b/chart/templates/_helpers.tpl
@@ -77,3 +77,53 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- define "mastodon.postgresql.fullname" -}}
 {{- printf "%s-%s" .Release.Name "postgresql" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
+
+{{/*
+Get the mastodon secret.
+*/}}
+{{- define "mastodon.secretName" -}}
+{{- if .Values.mastodon.secrets.existingSecret }}
+ {{- printf "%s" (tpl .Values.mastodon.secrets.existingSecret $) -}}
+{{- else -}}
+ {{- printf "%s" (include "common.names.fullname" .) -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get the postgresql secret.
+*/}}
+{{- define "mastodon.postgresql.secretName" -}}
+{{- if (and (or .Values.postgresql.enabled .Values.postgresql.postgresqlHostname) .Values.postgresql.auth.existingSecret) }}
+ {{- printf "%s" (tpl .Values.postgresql.auth.existingSecret $) -}}
+{{- else if .Values.postgresql.enabled -}}
+ {{- printf "%s-postgresql" (tpl .Release.Name $) -}}
+{{- else -}}
+ {{- printf "%s" (include "common.names.fullname" .) -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get the redis secret.
+*/}}
+{{- define "mastodon.redis.secretName" -}}
+{{- if .Values.redis.auth.existingSecret }}
+ {{- printf "%s" (tpl .Values.redis.auth.existingSecret $) -}}
+{{- else if .Values.redis.existingSecret }}
+ {{- printf "%s" (tpl .Values.redis.existingSecret $) -}}
+{{- else -}}
+ {{- printf "%s-redis" (tpl .Release.Name $) -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return true if a mastodon secret object should be created
+*/}}
+{{- define "mastodon.createSecret" -}}
+{{- if (or
+ (and .Values.mastodon.s3.enabled (not .Values.mastodon.s3.existingSecret))
+ (not .Values.mastodon.secrets.existingSecret )
+ (and (not .Values.postgresql.enabled) (not .Values.postgresql.auth.existingSecret))
+ ) -}}
+ {{- true -}}
+{{- end -}}
+{{- end -}}
diff --git a/chart/templates/configmap-env.yaml b/chart/templates/configmap-env.yaml
index aa242684f..f988477d9 100644
--- a/chart/templates/configmap-env.yaml
+++ b/chart/templates/configmap-env.yaml
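Review bot: The fallback branches of `mastodon.secretName` and `mastodon.postgresql.secretName` name the chart-managed Secret as `include "common.names.fullname" .`, while the references they replace (and the job and cronjob names elsewhere in this diff) use `template "mastodon.fullname" .`; if the two helpers do not render the same string, the `secretRef` points at a Secret that is never created and every workload fails at container creation, so please confirm against the `metadata.name` in secrets.yaml, which lies outside these hunks. Each define would also benefit from a comment naming what the fallback resolves to, e.g. `{{/* Falls back to the Secret rendered by secrets.yaml */}}`. Separately, `mastodon.createSecret` returns true for the s3-without-existingSecret clause even when `mastodon.secrets.existingSecret` is set, yet the `envFrom` in every consumer then loads only the existing Secret, so the AWS keys rendered into the chart Secret are never read as far as the templates on this page show; either drop that clause or document that an existing mastodon Secret must carry the S3 keys as well.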
@@ -10,14 +10,14 @@ data:
 {{- else }}
 DB_HOST: {{ .Values.postgresql.postgresqlHostname }}
 {{- end }}
- DB_NAME: {{ .Values.postgresql.postgresqlDatabase }}
+ DB_NAME: {{ .Values.postgresql.auth.database }}
 DB_POOL: {{ .Values.mastodon.sidekiq.concurrency | quote }}
 DB_PORT: "5432"
- DB_USER: {{ .Values.postgresql.postgresqlUsername }}
+ DB_USER: {{ .Values.postgresql.auth.username }}
 DEFAULT_LOCALE: {{ .Values.mastodon.locale }}
 {{- if .Values.elasticsearch.enabled }}
 ES_ENABLED: "true"
- ES_HOST: {{ template "mastodon.elasticsearch.fullname" . }}-master
+ ES_HOST: {{ template "mastodon.elasticsearch.fullname" . }}-master-hl
 ES_PORT: "9200"
 {{- end }}
 LOCAL_DOMAIN: {{ .Values.mastodon.local_domain }}
diff --git a/chart/templates/cronjob-media-remove.yaml b/chart/templates/cronjob-media-remove.yaml
index 3d6e25cc6..726e100cf 100644
--- a/chart/templates/cronjob-media-remove.yaml
+++ b/chart/templates/cronjob-media-remove.yaml
@@ -1,5 +1,5 @@
 {{ if .Values.mastodon.cron.removeMedia.enabled }}
-apiVersion: batch/v1beta1
+apiVersion: batch/v1
 kind: CronJob
 metadata:
 name: {{ include "mastodon.fullname" . }}-media-remove
@@ -49,21 +49,17 @@ spec:
 - configMapRef:
 name: {{ include "mastodon.fullname" . }}-env
 - secretRef:
- name: {{ template "mastodon.fullname" . }}
+ name: {{ template "mastodon.secretName" . }}
 env:
 - name: "DB_PASS"
 valueFrom:
 secretKeyRef:
- {{- if .Values.postgresql.enabled }}
- name: {{ .Release.Name }}-postgresql
- {{- else }}
- name: {{ template "mastodon.fullname" . }}
- {{- end }}
- key: postgresql-password
+ name: {{ template "mastodon.postgresql.secretName" . }}
+ key: password
 - name: "REDIS_PASSWORD"
 valueFrom:
 secretKeyRef:
- name: {{ .Release.Name }}-redis
+ name: {{ template "mastodon.redis.secretName" . }}
 key: redis-password
 - name: "PORT"
 value: {{ .Values.mastodon.web.port | quote }}
diff --git a/chart/templates/deployment-sidekiq.yaml b/chart/templates/deployment-sidekiq.yaml
index baf6c2b2d..f1809bd85 100644
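Review bot: In the media-remove env hunk the DB_PASS lookup now reads `key: password` from `mastodon.postgresql.secretName`, but for an external database without `postgresql.auth.existingSecret` that helper falls back to the chart-managed Secret, and secrets.yaml in this same commit still writes that value under `postgresql-password`; in that configuration the key does not exist in the referenced Secret and the pod never gets past container creation. The identical `key: password` change appears in the deployment-sidekiq, deployment-streaming, deployment-web, job-assets-precompile, job-chewy-upgrade, job-create-admin and job-db-migrate hunks, so the simplest fix is on the writing side: in secrets.yaml render `password: "{{ .Values.postgresql.auth.password | b64enc }}"` instead of `postgresql-password:` (or emit both keys for one release if anything outside the chart reads the old name). Existing external-postgres installations hit this on upgrade, so it deserves a line in the chart's upgrade notes.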
--- a/chart/templates/deployment-sidekiq.yaml
+++ b/chart/templates/deployment-sidekiq.yaml
@@ -70,22 +70,31 @@ spec:
 - configMapRef:
 name: {{ include "mastodon.fullname" . }}-env
 - secretRef:
- name: {{ template "mastodon.fullname" . }}
+ name: {{ template "mastodon.secretName" . }}
 env:
 - name: "DB_PASS"
 valueFrom:
 secretKeyRef:
- {{- if .Values.postgresql.enabled }}
- name: {{ .Release.Name }}-postgresql
- {{- else }}
- name: {{ template "mastodon.fullname" . }}
- {{- end }}
- key: postgresql-password
+ name: {{ template "mastodon.postgresql.secretName" . }}
+ key: password
 - name: "REDIS_PASSWORD"
 valueFrom:
 secretKeyRef:
- name: {{ .Release.Name }}-redis
+ name: {{ template "mastodon.redis.secretName" . }}
 key: redis-password
+ {{- if .Values.mastodon.smtp.existingSecret }}
+ - name: "SMTP_LOGIN"
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.mastodon.smtp.existingSecret }}
+ key: login
+ optional: true
+ - name: "SMTP_PASSWORD"
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.mastodon.smtp.existingSecret }}
+ key: password
+ {{- end -}}
 {{- if (not .Values.mastodon.s3.enabled) }}
 volumeMounts:
 - name: assets
diff --git a/chart/templates/deployment-streaming.yaml b/chart/templates/deployment-streaming.yaml
index b332b686a..12203a530 100644
--- a/chart/templates/deployment-streaming.yaml
+++ b/chart/templates/deployment-streaming.yaml
@@ -43,16 +43,12 @@ spec:
 - name: "DB_PASS"
 valueFrom:
 secretKeyRef:
- {{- if .Values.postgresql.enabled }}
- name: {{ .Release.Name }}-postgresql
- {{- else }}
- name: {{ template "mastodon.fullname" . }}
- {{- end }}
- key: postgresql-password
+ name: {{ template "mastodon.postgresql.secretName" . }}
+ key: password
 - name: "REDIS_PASSWORD"
 valueFrom:
 secretKeyRef:
- name: {{ .Release.Name }}-redis
+ name: {{ template "mastodon.redis.secretName" . }}
 key: redis-password
 - name: "PORT"
 value: {{ .Values.mastodon.streaming.port | quote }}
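Review bot: The new SMTP entries in the sidekiq hunk use `name: {{ .Values.mastodon.smtp.existingSecret }}` directly, whereas the helpers introduced in this commit pass every other existingSecret value through `tpl`, so a templated Secret name works for the DB and Redis references but not here; `name: {{ tpl .Values.mastodon.smtp.existingSecret $ }}` on both entries keeps the behaviour uniform. `optional: true` on SMTP_LOGIN is presumably deliberate (the commit message calls the login optional), but it also means a misspelt `login` key leaves the variable silently unset instead of failing the rollout, so a short comment such as `# SMTP_LOGIN may be absent from the Secret; only SMTP_PASSWORD is required` would protect that intent from a later "fix".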
diff --git a/chart/templates/deployment-web.yaml b/chart/templates/deployment-web.yaml
index 8b8bb4f29..5e22ca539 100644
--- a/chart/templates/deployment-web.yaml
+++ b/chart/templates/deployment-web.yaml
@@ -56,21 +56,17 @@ spec:
 - configMapRef:
 name: {{ include "mastodon.fullname" . }}-env
 - secretRef:
- name: {{ template "mastodon.fullname" . }}
+ name: {{ template "mastodon.secretName" . }}
 env:
 - name: "DB_PASS"
 valueFrom:
 secretKeyRef:
- {{- if .Values.postgresql.enabled }}
- name: {{ .Release.Name }}-postgresql
- {{- else }}
- name: {{ template "mastodon.fullname" . }}
- {{- end }}
- key: postgresql-password
+ name: {{ template "mastodon.postgresql.secretName" . }}
+ key: password
 - name: "REDIS_PASSWORD"
 valueFrom:
 secretKeyRef:
- name: {{ .Release.Name }}-redis
+ name: {{ template "mastodon.redis.secretName" . }}
 key: redis-password
 - name: "PORT"
 value: {{ .Values.mastodon.web.port | quote }}
diff --git a/chart/templates/job-assets-precompile.yaml b/chart/templates/job-assets-precompile.yaml
index 825a7e916..4aa8d1407 100644
--- a/chart/templates/job-assets-precompile.yaml
+++ b/chart/templates/job-assets-precompile.yaml
@@ -50,21 +50,17 @@ spec:
 - configMapRef:
 name: {{ include "mastodon.fullname" . }}-env
 - secretRef:
- name: {{ template "mastodon.fullname" . }}
+ name: {{ template "mastodon.secretName" . }}
 env:
 - name: "DB_PASS"
 valueFrom:
 secretKeyRef:
- {{- if .Values.postgresql.enabled }}
- name: {{ .Release.Name }}-postgresql
- {{- else }}
- name: {{ template "mastodon.fullname" . }}
- {{- end }}
- key: postgresql-password
+ name: {{ template "mastodon.postgresql.secretName" . }}
+ key: password
 - name: "REDIS_PASSWORD"
 valueFrom:
 secretKeyRef:
- name: {{ .Release.Name }}-redis
+ name: {{ template "mastodon.redis.secretName" . }}
 key: redis-password
 - name: "PORT"
 value: {{ .Values.mastodon.web.port | quote }}
diff --git a/chart/templates/job-chewy-upgrade.yaml b/chart/templates/job-chewy-upgrade.yaml
index cc68a3385..16b4f75a7 100644
--- a/chart/templates/job-chewy-upgrade.yaml
+++ b/chart/templates/job-chewy-upgrade.yaml
@@ -51,21 +51,17 @@ spec:
 - configMapRef:
 name: {{ include "mastodon.fullname" . }}-env
 - secretRef:
- name: {{ template "mastodon.fullname" . }}
+ name: {{ template "mastodon.secretName" . }}
 env:
 - name: "DB_PASS"
 valueFrom:
 secretKeyRef:
- {{- if .Values.postgresql.enabled }}
- name: {{ .Release.Name }}-postgresql
- {{- else }}
- name: {{ template "mastodon.fullname" . }}
- {{- end }}
- key: postgresql-password
+ name: {{ template "mastodon.postgresql.secretName" . }}
+ key: password
 - name: "REDIS_PASSWORD"
 valueFrom:
 secretKeyRef:
- name: {{ .Release.Name }}-redis
+ name: {{ template "mastodon.redis.secretName" . }}
 key: redis-password
 - name: "PORT"
 value: {{ .Values.mastodon.web.port | quote }}
diff --git a/chart/templates/job-create-admin.yaml b/chart/templates/job-create-admin.yaml
index ffb8bb059..486c0c357 100644
--- a/chart/templates/job-create-admin.yaml
+++ b/chart/templates/job-create-admin.yaml
@@ -56,21 +56,17 @@ spec:
 - configMapRef:
 name: {{ include "mastodon.fullname" . }}-env
 - secretRef:
- name: {{ template "mastodon.fullname" . }}
+ name: {{ template "mastodon.secretName" . }}
 env:
 - name: "DB_PASS"
 valueFrom:
 secretKeyRef:
- {{- if .Values.postgresql.enabled }}
- name: {{ .Release.Name }}-postgresql
- {{- else }}
- name: {{ template "mastodon.fullname" . }}
- {{- end }}
- key: postgresql-password
+ name: {{ template "mastodon.postgresql.secretName" . }}
+ key: password
 - name: "REDIS_PASSWORD"
 valueFrom:
 secretKeyRef:
- name: {{ .Release.Name }}-redis
+ name: {{ template "mastodon.redis.secretName" . }}
 key: redis-password
 - name: "PORT"
 value: {{ .Values.mastodon.web.port | quote }}
diff --git a/chart/templates/job-db-migrate.yaml b/chart/templates/job-db-migrate.yaml
index 72f910e3b..41ece64a2 100644
--- a/chart/templates/job-db-migrate.yaml
+++ b/chart/templates/job-db-migrate.yaml
@@ -50,21 +50,17 @@ spec:
 - configMapRef:
 name: {{ include "mastodon.fullname" . }}-env
 - secretRef:
- name: {{ template "mastodon.fullname" . }}
+ name: {{ template "mastodon.secretName" . }}
 env:
 - name: "DB_PASS"
 valueFrom:
 secretKeyRef:
- {{- if .Values.postgresql.enabled }}
- name: {{ .Release.Name }}-postgresql
- {{- else }}
- name: {{ template "mastodon.fullname" . }}
- {{- end }}
- key: postgresql-password
+ name: {{ template "mastodon.postgresql.secretName" . }}
+ key: password
 - name: "REDIS_PASSWORD"
 valueFrom:
 secretKeyRef:
- name: {{ .Release.Name }}-redis
+ name: {{ template "mastodon.redis.secretName" . }}
 key: redis-password
 - name: "PORT"
 value: {{ .Values.mastodon.web.port | quote }}
diff --git a/chart/templates/secrets.yaml b/chart/templates/secrets.yaml
index 0452a8ae1..135d5b61a 100644
--- a/chart/templates/secrets.yaml
+++ b/chart/templates/secrets.yaml
@@ -1,3 +1,4 @@
+{{- if (include "mastodon.createSecret" .) }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -7,9 +8,12 @@ metadata:
 type: Opaque
 data:
 {{- if .Values.mastodon.s3.enabled }}
+ {{- if not .Values.mastodon.s3.existingSecret }}
 AWS_ACCESS_KEY_ID: "{{ .Values.mastodon.s3.access_key | b64enc }}"
 AWS_SECRET_ACCESS_KEY: "{{ .Values.mastodon.s3.access_secret | b64enc }}"
 {{- end }}
+ {{- end }}
+ {{- if not .Values.mastodon.secrets.existingSecret }}
 {{- if not (empty .Values.mastodon.secrets.secret_key_base) }}
 SECRET_KEY_BASE: "{{ .Values.mastodon.secrets.secret_key_base | b64enc }}"
 {{- else }}
@@ -30,6 +34,10 @@ data:
 {{- else }}
 VAPID_PUBLIC_KEY: {{ required "vapid.public_key is required" .Values.mastodon.secrets.vapid.public_key }}
 {{- end }}
+ {{- end }}
 {{- if not .Values.postgresql.enabled }}
- postgresql-password: "{{ .Values.postgresql.postgresqlPassword | b64enc }}"
+ {{- if not .Values.postgresql.auth.existingSecret }}
+ postgresql-password: "{{ .Values.postgresql.auth.password | b64enc }}"
+ {{- end }}
 {{- end }}
+{{- end -}}
-- cgit
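Review bot: In the secrets.yaml hunks, setting `mastodon.secrets.existingSecret` makes the `data:` block skip SECRET_KEY_BASE, the VAPID keys and the rest of that section, but nothing documents which keys the user-supplied Secret must contain, and because the consumers load it through `envFrom` a missing key only surfaces as a runtime configuration error inside Mastodon rather than at deploy time. A header comment above the `apiVersion` line listing the expected keys (the ones this template otherwise writes under `data:`) and stating that `postgresql.auth.existingSecret`, `redis.auth.existingSecret` and `mastodon.s3.existingSecret` are separate Secrets would make the option usable without reading the template. The `data:` mapping of the second and third hunks continues outside the hunks.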
From 63a5514b29d44520058260cfb64c9fbf256e366a Mon Sep 17 00:00:00 2001
From: Alex Nordlund
Date: Thu, 25 Aug 2022 04:39:11 +0200
Subject: Allow S3 to use an existing secret (#18997)
---
 chart/templates/deployment-web.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
(limited to 'chart/templates')
diff --git a/chart/templates/deployment-web.yaml b/chart/templates/deployment-web.yaml
index 5e22ca539..ab722c77b 100644
--- a/chart/templates/deployment-web.yaml
+++ b/chart/templates/deployment-web.yaml
@@ -70,6 +70,18 @@ spec:
 key: redis-password
 - name: "PORT"
 value: {{ .Values.mastodon.web.port | quote }}
+ {{- if (and .Values.mastodon.s3.enabled .Values.mastodon.s3.existingSecret) }}
+ - name: "AWS_SECRET_ACCESS_KEY"
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.mastodon.s3.existingSecret }}
+ key: AWS_SECRET_ACCESS_KEY
+ - name: "AWS_ACCESS_KEY_ID"
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.mastodon.s3.existingSecret }}
+ key: AWS_ACCESS_KEY_ID
+ {{- end -}}
 {{- if (not .Values.mastodon.s3.enabled) }}
 volumeMounts:
 - name: assets
-- cgit
From 1165943968f8c79cfaccf30c392b14b4930d68e6 Mon Sep 17 00:00:00 2001
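Review bot: The AWS_* entries taken from `mastodon.s3.existingSecret` are wired into deployment-web only; the sidekiq deployment, the media-remove CronJob and the jobs obtain their S3 credentials through the same `envFrom` of the chart Secret, which secrets.yaml (earlier in this series) now leaves without the AWS keys when `s3.existingSecret` is set, so those workloads appear to lose S3 access in this configuration — presumably at least sidekiq and media-remove need the keys, please confirm. A small define in _helpers.tpl holding the two `env` entries, included from each workload template, would avoid copying the block into every file as the DB/Redis lookups already do. As in the earlier SMTP change, `name: {{ .Values.mastodon.s3.existingSecret }}` is not passed through `tpl`, unlike the DB and Redis helpers.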
From: James Smith <119005+jgsmith@users.noreply.github.com>
Date: Wed, 24 Aug 2022 22:40:38 -0400
Subject: Mark job pods not to use Istio's envoy sidecar (#18415)
* Mark job pods not to use Istio's envoy sidecar Istio injects sidecars into pods to implement mTLS between pods. Jobs usually don't know about this, so they don't signal the Envoy process to stop when the job finishes. Since at least one process is running in the pod, Kubernetes doesn't consider the job to be completed, so it lingers. By adding the `sidecar.istio.io/inject` annotation set to `"false"`, we let Istio know that it should not inject the sidecar. If Istio is not installed, then this has no impact.
* Support arbitrary job annotations in the Helm chart Rather than focus on Istio, this allows arbitrary annotations for job pods.
* Add in-line documentation for pod/job annotations
---
 chart/templates/cronjob-media-remove.yaml | 4 ++++
 chart/templates/job-assets-precompile.yaml | 4 ++++
 chart/templates/job-chewy-upgrade.yaml | 4 ++++
 chart/templates/job-create-admin.yaml | 4 ++++
 chart/templates/job-db-migrate.yaml | 4 ++++
 chart/values.yaml | 6 ++++++
 6 files changed, 26 insertions(+)
(limited to 'chart/templates')
diff --git a/chart/templates/cronjob-media-remove.yaml b/chart/templates/cronjob-media-remove.yaml
index 726e100cf..160aee204 100644
--- a/chart/templates/cronjob-media-remove.yaml
+++ b/chart/templates/cronjob-media-remove.yaml
@@ -12,6 +12,10 @@ spec:
 template:
 metadata:
 name: {{ include "mastodon.fullname" . }}-media-remove
+ {{- with .Values.jobAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
 spec:
 restartPolicy: OnFailure
 {{- if (not .Values.mastodon.s3.enabled) }}
diff --git a/chart/templates/job-assets-precompile.yaml b/chart/templates/job-assets-precompile.yaml
index 4aa8d1407..faa51a20d 100644
--- a/chart/templates/job-assets-precompile.yaml
+++ b/chart/templates/job-assets-precompile.yaml
@@ -12,6 +12,10 @@ spec:
 template:
 metadata:
 name: {{ include "mastodon.fullname" . }}-assets-precompile
+ {{- with .Values.jobAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 spec:
 restartPolicy: Never
 {{- if (not .Values.mastodon.s3.enabled) }}
diff --git a/chart/templates/job-chewy-upgrade.yaml b/chart/templates/job-chewy-upgrade.yaml
index 16b4f75a7..ae6fb38e1 100644
--- a/chart/templates/job-chewy-upgrade.yaml
+++ b/chart/templates/job-chewy-upgrade.yaml
@@ -13,6 +13,10 @@ spec:
 template:
 metadata:
 name: {{ include "mastodon.fullname" . }}-chewy-upgrade
+ {{- with .Values.jobAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 spec:
 restartPolicy: Never
 {{- if (not .Values.mastodon.s3.enabled) }}
diff --git a/chart/templates/job-create-admin.yaml b/chart/templates/job-create-admin.yaml
index 486c0c357..659c00671 100644
--- a/chart/templates/job-create-admin.yaml
+++ b/chart/templates/job-create-admin.yaml
@@ -13,6 +13,10 @@ spec:
 template:
 metadata:
 name: {{ include "mastodon.fullname" . }}-create-admin
+ {{- with .Values.jobAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 spec:
 restartPolicy: Never
 {{- if (not .Values.mastodon.s3.enabled) }}
diff --git a/chart/templates/job-db-migrate.yaml b/chart/templates/job-db-migrate.yaml
index 41ece64a2..8e4f70dfb 100644
--- a/chart/templates/job-db-migrate.yaml
+++ b/chart/templates/job-db-migrate.yaml
@@ -12,6 +12,10 @@ spec:
 template:
 metadata:
 name: {{ include "mastodon.fullname" . }}-db-migrate
+ {{- with .Values.jobAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 spec:
 restartPolicy: Never
 {{- if (not .Values.mastodon.s3.enabled) }}
diff --git a/chart/values.yaml b/chart/values.yaml
index bd723567f..4b18a9dfa 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -281,8 +281,14 @@ serviceAccount:
 # If not set and create is true, a name is generated using the fullname template
 name: ""
+# Kubernetes manages pods for jobs and pods for deployments differently, so you might
+# need to apply different annotations to the two different sets of pods. The annotations
+# set with podAnnotations will be added to all deployment-managed pods.
 podAnnotations: {}
+# The annotations set with jobAnnotations will be added to all job pods.
+jobAnnotations: {}
+
 resources: {}
 # We usually recommend not to specify default resources and to leave this as a conscious
 # choice for the user. This also increases chances charts run on environments with little
-- cgit
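Review bot: The new `jobAnnotations` comment explains why job pods get their own annotations but not the case that motivated the option, so a user scanning values.yaml has no hint what to put here; an example lifted from the commit message, `# e.g. sidecar.istio.io/inject: "false"` to keep Istio from injecting its Envoy sidecar (which otherwise stops finished Job pods from completing), would close that gap. The example value must stay quoted, since an unquoted `false` is parsed as a YAML boolean and Kubernetes annotation values have to be strings.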