feat(mastodon): Add ability to disabled Redis authentication

This patch is needed to fully support disabling of redis authentication. This allows to use the new defaults for the mastodon base deployment. While it's probablky not recommended for a production deployment to disable redis authentication, it doesn't hurt too much for a base deployment. Since no defaults change, it shouldn't matter anyway for users of this chart.

feat(mastodon): Add ability to disabled Redis authentication
0b757804 · Sheogorath · b5df7626 · 0b757804 · 0b757804 · 0b757804
Verified Commit 0b757804 authored Sep 18, 2023 by Sheogorath
--- a/charts/mastodon/Chart.yaml
+++ b/charts/mastodon/Chart.yaml
@@ -18,7 +18,7 @@ annotations:
      url: https://matrix.to/#/#mastodon-on-kubernetes:shivering-isles.com
 type: application
-version: 6.2.2
+version: 6.3.0
 # renovate: image=ghcr.io/mastodon/mastodon
 appVersion: "v4.1.7"

--- a/charts/mastodon/README.md
+++ b/charts/mastodon/README.md
 # mastodon
-![Version: 6.2.2](https://img.shields.io/badge/Version-6.2.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v4.1.7](https://img.shields.io/badge/AppVersion-v4.1.7-informational?style=flat-square)
+![Version: 6.3.0](https://img.shields.io/badge/Version-6.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v4.1.7](https://img.shields.io/badge/AppVersion-v4.1.7-informational?style=flat-square)
 Mastodon is a free, open-source social network server based on ActivityPub.
@@ -117,6 +117,7 @@ This unofficical Helm chart is maintained to the best of knowledge, with the lim
 | postgresql.auth.password | string | `""` |  |
 | postgresql.auth.username | string | `"mastodon"` |  |
 | postgresql.enabled | bool | `true` | disable if you want to use an existing db; in which case the values below must match those of that external postgres instance |
+| redis.auth.enabled | bool | `true` | Enables redis authentication |
 | redis.auth.existingSecret | string | `nil` |  |
 | redis.auth.existingSecretPasswordKey | string | `nil` |  |
 | redis.auth.password | string | `""` | you must set a password; the password generated by the redis chart will be rotated on each upgrade: |

--- a/charts/mastodon/templates/cronjob-media-remove.yaml
+++ b/charts/mastodon/templates/cronjob-media-remove.yaml
@@ -60,11 +60,13 @@ spec:
                    secretKeyRef:
                      name: {{ template "mastodon.postgresql.secretName" . }}
                      key: password
+                {{- if .Values.redis.auth.enabled }}
                - name: "REDIS_PASSWORD"
                  valueFrom:
                    secretKeyRef:
                      name: {{ template "mastodon.redis.secretName" . }}
                      key: {{ .Values.redis.auth.existingSecretPasswordKey | default "redis-password" }}
+                {{- end }}
                - name: "PORT"
                  value: {{ .Values.mastodon.web.port | quote }}
              {{- if (not .Values.mastodon.s3.enabled) }}

--- a/charts/mastodon/templates/deployment-sidekiq.yaml
+++ b/charts/mastodon/templates/deployment-sidekiq.yaml
@@ -82,11 +82,13 @@ spec:
                secretKeyRef:
                  name: {{ template "mastodon.postgresql.secretName" $context }}
                  key: password
+            {{- if $context.Values.redis.auth.enabled }}
            - name: "REDIS_PASSWORD"
              valueFrom:
                secretKeyRef:
                  name: {{ template "mastodon.redis.secretName" $context }}
                  key: {{ $context.Values.redis.auth.existingSecretPasswordKey | default "redis-password" }}
+            {{- end }}
            {{- if (and $context.Values.mastodon.s3.enabled $context.Values.mastodon.s3.existingSecret) }}
            - name: "AWS_SECRET_ACCESS_KEY"
              valueFrom:

--- a/charts/mastodon/templates/deployment-streaming.yaml
+++ b/charts/mastodon/templates/deployment-streaming.yaml
@@ -54,11 +54,13 @@ spec:
                secretKeyRef:
                  name: {{ template "mastodon.postgresql.secretName" . }}
                  key: password
+            {{- if .Values.redis.auth.enabled }}
            - name: "REDIS_PASSWORD"
              valueFrom:
                secretKeyRef:
                  name: {{ template "mastodon.redis.secretName" . }}
                  key: {{ .Values.redis.auth.existingSecretPasswordKey | default "redis-password" }}
+            {{- end }}
            - name: "PORT"
              value: {{ .Values.mastodon.streaming.port | quote }}
          ports:

--- a/charts/mastodon/templates/deployment-web.yaml
+++ b/charts/mastodon/templates/deployment-web.yaml
@@ -67,11 +67,13 @@ spec:
                secretKeyRef:
                  name: {{ template "mastodon.postgresql.secretName" . }}
                  key: password
+            {{- if .Values.redis.auth.enabled }}
            - name: "REDIS_PASSWORD"
              valueFrom:
                secretKeyRef:
                  name: {{ template "mastodon.redis.secretName" . }}
                  key: {{ .Values.redis.auth.existingSecretPasswordKey | default "redis-password" }}
+            {{- end }}
            - name: "PORT"
              value: {{ .Values.mastodon.web.port | quote }}
            {{- if (and .Values.mastodon.s3.enabled .Values.mastodon.s3.existingSecret) }}

--- a/charts/mastodon/templates/job-assets-precompile.yaml
+++ b/charts/mastodon/templates/job-assets-precompile.yaml
@@ -51,11 +51,13 @@ spec:
                secretKeyRef:
                  name: {{ template "mastodon.postgresql.secretName" . }}
                  key: password
+            {{- if .Values.redis.auth.enabled }}
            - name: "REDIS_PASSWORD"
              valueFrom:
                secretKeyRef:
                  name: {{ template "mastodon.redis.secretName" . }}
                  key: {{ .Values.redis.auth.existingSecretPasswordKey | default "redis-password" }}
+            {{- end }}
            - name: "PORT"
              value: {{ .Values.mastodon.web.port | quote }}
          {{- if (not .Values.mastodon.s3.enabled) }}

--- a/charts/mastodon/templates/job-chewy-upgrade.yaml
+++ b/charts/mastodon/templates/job-chewy-upgrade.yaml
@@ -52,11 +52,13 @@ spec:
                secretKeyRef:
                  name: {{ template "mastodon.postgresql.secretName" . }}
                  key: password
+            {{- if .Values.redis.auth.enabled }}
            - name: "REDIS_PASSWORD"
              valueFrom:
                secretKeyRef:
                  name: {{ template "mastodon.redis.secretName" . }}
                  key: {{ .Values.redis.auth.existingSecretPasswordKey | default "redis-password" }}
+            {{- end }}
            - name: "PORT"
              value: {{ .Values.mastodon.web.port | quote }}
          {{- if (not .Values.mastodon.s3.enabled) }}

--- a/charts/mastodon/templates/job-create-admin.yaml
+++ b/charts/mastodon/templates/job-create-admin.yaml
@@ -57,11 +57,13 @@ spec:
                secretKeyRef:
                  name: {{ template "mastodon.postgresql.secretName" . }}
                  key: password
+            {{- if .Values.redis.auth.enabled }}
            - name: "REDIS_PASSWORD"
              valueFrom:
                secretKeyRef:
                  name: {{ template "mastodon.redis.secretName" . }}
                  key: {{ .Values.redis.auth.existingSecretPasswordKey | default "redis-password" }}
+            {{- end }}
            - name: "PORT"
              value: {{ .Values.mastodon.web.port | quote }}
          {{- if (not .Values.mastodon.s3.enabled) }}

--- a/charts/mastodon/templates/job-db-migrate.yaml
+++ b/charts/mastodon/templates/job-db-migrate.yaml
@@ -51,11 +51,13 @@ spec:
                secretKeyRef:
                  name: {{ template "mastodon.postgresql.secretName" . }}
                  key: password
+            {{- if .Values.redis.auth.enabled }}
            - name: "REDIS_PASSWORD"
              valueFrom:
                secretKeyRef:
                  name: {{ template "mastodon.redis.secretName" . }}
                  key: {{ .Values.redis.auth.existingSecretPasswordKey | default "redis-password" }}
+            {{- end }}
            - name: "PORT"
              value: {{ .Values.mastodon.web.port | quote }}
          {{- if (not .Values.mastodon.s3.enabled) }}

--- a/charts/mastodon/templates/job-db-pre-migrate.yaml
+++ b/charts/mastodon/templates/job-db-pre-migrate.yaml
@@ -51,11 +51,13 @@ spec:
                secretKeyRef:
                  name: {{ template "mastodon.postgresql.secretName" . }}
                  key: password
+            {{- if .Values.redis.auth.enabled }}
            - name: "REDIS_PASSWORD"
              valueFrom:
                secretKeyRef:
                  name: {{ template "mastodon.redis.secretName" . }}
                  key: {{ .Values.redis.auth.existingSecretPasswordKey | default "redis-password" }}
+            {{- end }}
            - name: "PORT"
              value: {{ .Values.mastodon.web.port | quote }}
            - name: SKIP_POST_DEPLOYMENT_MIGRATIONS

--- a/charts/mastodon/tests/80_subchart_redis_test.yaml
+++ b/charts/mastodon/tests/80_subchart_redis_test.yaml
@@ -75,3 +75,14 @@ tests:
          value: dGVzdA==
        template: charts/redis/templates/secret.yaml
        documentIndex: 0
+  - it: should allow disabling redis auth
+    set:
+      redis:
+        auth:
+          enabled: false
+    templates:
+      - deployment-sidekiq.yaml
+      - deployment-streaming.yaml
+      - deployment-web.yaml
+    asserts:
+      - matchSnapshot: {}
\ No newline at end of file
--- a/charts/mastodon/tests/__snapshot__/80_subchart_redis_test.yaml.snap
+++ b/charts/mastodon/tests/__snapshot__/80_subchart_redis_test.yaml.snap
+should allow disabling redis auth:
+  1: |
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      labels:
+        app.kubernetes.io/component: sidekiq-all-queues
+        app.kubernetes.io/instance: RELEASE-NAME
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: mastodon
+        app.kubernetes.io/part-of: rails
+        app.kubernetes.io/version: 4.5.6
+        helm.sh/chart: mastodon-1.2.3
+      name: RELEASE-NAME-mastodon-sidekiq-all-queues
+    spec:
+      replicas: 1
+      selector:
+        matchLabels:
+          app.kubernetes.io/component: sidekiq-all-queues
+          app.kubernetes.io/instance: RELEASE-NAME
+          app.kubernetes.io/name: mastodon
+          app.kubernetes.io/part-of: rails
+      strategy:
+        type: Recreate
+      template:
+        metadata:
+          annotations:
+            checksum/config-configmap: 6171320454845e8c5c867b5db63251ff95089e25c0200ca8f72d6bb9f6535726
+            checksum/config-secrets: c0d40e352ffcd2127af550b605bb0464640cd2960d007d940960d3d69d3c6aa4
+          labels:
+            app.kubernetes.io/component: sidekiq-all-queues
+            app.kubernetes.io/instance: RELEASE-NAME
+            app.kubernetes.io/name: mastodon
+            app.kubernetes.io/part-of: rails
+        spec:
+          containers:
+            - command:
+                - bundle
+                - exec
+                - sidekiq
+                - -c
+                - "25"
+                - -q
+                - default,8
+                - -q
+                - push,6
+                - -q
+                - ingress,4
+                - -q
+                - mailers,2
+                - -q
+                - pull
+                - -q
+                - scheduler
+              env:
+                - name: DB_PASS
+                  valueFrom:
+                    secretKeyRef:
+                      key: password
+                      name: RELEASE-NAME-postgresql
+              envFrom:
+                - configMapRef:
+                    name: RELEASE-NAME-mastodon-env
+                - secretRef:
+                    name: RELEASE-NAME-mastodon
+              image: ghcr.io/mastodon/mastodon:4.5.6
+              imagePullPolicy: IfNotPresent
+              name: mastodon
+              resources: {}
+              securityContext: {}
+              volumeMounts:
+                - mountPath: /opt/mastodon/public/assets
+                  name: assets
+                - mountPath: /opt/mastodon/public/system
+                  name: system
+          securityContext:
+            allowPrivilegeEscalation: false
+            fsGroup: 991
+            runAsGroup: 991
+            runAsNonRoot: true
+            runAsUser: 991
+            seccompProfile:
+              type: RuntimeDefault
+          serviceAccountName: RELEASE-NAME-mastodon
+          volumes:
+            - name: assets
+              persistentVolumeClaim:
+                claimName: RELEASE-NAME-mastodon-assets
+            - name: system
+              persistentVolumeClaim:
+                claimName: RELEASE-NAME-mastodon-system
+  2: |
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      labels:
+        app.kubernetes.io/component: streaming
+        app.kubernetes.io/instance: RELEASE-NAME
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: mastodon
+        app.kubernetes.io/version: 4.5.6
+        helm.sh/chart: mastodon-1.2.3
+      name: RELEASE-NAME-mastodon-streaming
+    spec:
+      replicas: 1
+      selector:
+        matchLabels:
+          app.kubernetes.io/component: streaming
+          app.kubernetes.io/instance: RELEASE-NAME
+          app.kubernetes.io/name: mastodon
+      template:
+        metadata:
+          annotations:
+            checksum/config-configmap: 6171320454845e8c5c867b5db63251ff95089e25c0200ca8f72d6bb9f6535726
+            checksum/config-secrets: c0d40e352ffcd2127af550b605bb0464640cd2960d007d940960d3d69d3c6aa4
+          labels:
+            app.kubernetes.io/component: streaming
+            app.kubernetes.io/instance: RELEASE-NAME
+            app.kubernetes.io/name: mastodon
+        spec:
+          containers:
+            - command:
+                - node
+                - ./streaming
+              env:
+                - name: DB_PASS
+                  valueFrom:
+                    secretKeyRef:
+                      key: password
+                      name: RELEASE-NAME-postgresql
+                - name: PORT
+                  value: "4000"
+              envFrom:
+                - configMapRef:
+                    name: RELEASE-NAME-mastodon-env
+                - secretRef:
+                    name: RELEASE-NAME-mastodon
+              image: ghcr.io/mastodon/mastodon:4.5.6
+              imagePullPolicy: IfNotPresent
+              livenessProbe:
+                httpGet:
+                  path: /api/v1/streaming/health
+                  port: streaming
+              name: mastodon-streaming
+              ports:
+                - containerPort: 4000
+                  name: streaming
+                  protocol: TCP
+              readinessProbe:
+                httpGet:
+                  path: /api/v1/streaming/health
+                  port: streaming
+          securityContext:
+            allowPrivilegeEscalation: false
+            fsGroup: 991
+            runAsGroup: 991
+            runAsNonRoot: true
+            runAsUser: 991
+            seccompProfile:
+              type: RuntimeDefault
+          serviceAccountName: RELEASE-NAME-mastodon
+  3: |
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      labels:
+        app.kubernetes.io/instance: RELEASE-NAME
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: mastodon
+        app.kubernetes.io/version: 4.5.6
+        helm.sh/chart: mastodon-1.2.3
+      name: RELEASE-NAME-mastodon-web
+    spec:
+      replicas: 1
+      selector:
+        matchLabels:
+          app.kubernetes.io/component: web
+          app.kubernetes.io/instance: RELEASE-NAME
+          app.kubernetes.io/name: mastodon
+          app.kubernetes.io/part-of: rails
+      template:
+        metadata:
+          annotations:
+            checksum/config-configmap: 6171320454845e8c5c867b5db63251ff95089e25c0200ca8f72d6bb9f6535726
+            checksum/config-secrets: c0d40e352ffcd2127af550b605bb0464640cd2960d007d940960d3d69d3c6aa4
+          labels:
+            app.kubernetes.io/component: web
+            app.kubernetes.io/instance: RELEASE-NAME
+            app.kubernetes.io/name: mastodon
+            app.kubernetes.io/part-of: rails
+        spec:
+          containers:
+            - command:
+                - bundle
+                - exec
+                - puma
+                - -C
+                - config/puma.rb
+              env:
+                - name: DB_PASS
+                  valueFrom:
+                    secretKeyRef:
+                      key: password
+                      name: RELEASE-NAME-postgresql
+                - name: PORT
+                  value: "3000"
+              envFrom:
+                - configMapRef:
+                    name: RELEASE-NAME-mastodon-env
+                - secretRef:
+                    name: RELEASE-NAME-mastodon
+              image: ghcr.io/mastodon/mastodon:4.5.6
+              imagePullPolicy: IfNotPresent
+              livenessProbe:
+                tcpSocket:
+                  port: http
+              name: mastodon-web
+              ports:
+                - containerPort: 3000
+                  name: http
+                  protocol: TCP
+              readinessProbe:
+                httpGet:
+                  path: /health
+                  port: http
+              securityContext:
+                allowPrivilegeEscalation: false
+                readOnlyRootFilesystem: true
+              startupProbe:
+                failureThreshold: 30
+                httpGet:
+                  path: /health
+                  port: http
+                periodSeconds: 5
+              volumeMounts:
+                - mountPath: /opt/mastodon/public/assets
+                  name: assets
+                - mountPath: /opt/mastodon/public/system
+                  name: system
+          securityContext:
+            allowPrivilegeEscalation: false
+            fsGroup: 991
+            runAsGroup: 991
+            runAsNonRoot: true
+            runAsUser: 991
+            seccompProfile:
+              type: RuntimeDefault
+          serviceAccountName: RELEASE-NAME-mastodon
+          volumes:
+            - name: assets
+              persistentVolumeClaim:
+                claimName: RELEASE-NAME-mastodon-assets
+            - name: system
+              persistentVolumeClaim:
+                claimName: RELEASE-NAME-mastodon-system
--- a/charts/mastodon/values.yaml
+++ b/charts/mastodon/values.yaml
@@ -274,6 +274,8 @@ redis:
  # -- redisUrl overwrites redis.host and redis.port. It allows to use sentinal redis installations
  redisUrl: null
  auth:
+    # -- Enables redis authentication
+    enabled: true
    # -- you must set a password; the password generated by the redis chart will be
    # rotated on each upgrade:
    password: ""