diff --git a/charts/mastodon/Chart.yaml b/charts/mastodon/Chart.yaml
index f29dbd67784bb0c26e45bd7d29843ca5f74e5388..6e9cab8abd1fce7f1aa80f9c636f15feecb9a157 100644
--- a/charts/mastodon/Chart.yaml
+++ b/charts/mastodon/Chart.yaml
@@ -18,7 +18,7 @@ annotations:
 url: https://matrix.to/#/#mastodon-on-kubernetes:shivering-isles.com
 type: application
-version: 6.2.2
+version: 6.3.0
 # renovate: image=ghcr.io/mastodon/mastodon
 appVersion: "v4.1.7"
diff --git a/charts/mastodon/README.md b/charts/mastodon/README.md
index ef96d270ffd7954d6a32f8cdd7af5d15a24f2b09..bdeea98e1b45b2562d7be6a6019d681eb207d124 100644
--- a/charts/mastodon/README.md
+++ b/charts/mastodon/README.md
@@ -1,6 +1,6 @@
 # mastodon
-   
+  
 Mastodon is a free, open-source social network server based on ActivityPub.
@@ -117,6 +117,7 @@ This unofficical Helm chart is maintained to the best of knowledge, with the lim
 | postgresql.auth.password | string | `""` | |
 | postgresql.auth.username | string | `"mastodon"` | |
 | postgresql.enabled | bool | `true` | disable if you want to use an existing db; in which case the values below must match those of that external postgres instance |
+| redis.auth.enabled | bool | `true` | Enables redis authentication |
 | redis.auth.existingSecret | string | `nil` | |
 | redis.auth.existingSecretPasswordKey | string | `nil` | |
 | redis.auth.password | string | `""` | you must set a password; the password generated by the redis chart will be rotated on each upgrade: |
diff --git a/charts/mastodon/templates/cronjob-media-remove.yaml b/charts/mastodon/templates/cronjob-media-remove.yaml
index f0cf4b8c766e592a45214e4292db088d6b2c436c..fccd368a2deb80bbd7a7bd26a1e839d56bebf4f6 100644
--- a/charts/mastodon/templates/cronjob-media-remove.yaml
+++ b/charts/mastodon/templates/cronjob-media-remove.yaml
@@ -60,11 +60,13 @@ spec:
 secretKeyRef:
 name: {{ template "mastodon.postgresql.secretName" . }}
 key: password
+ {{- if .Values.redis.auth.enabled }}
 - name: "REDIS_PASSWORD"
 valueFrom:
 secretKeyRef:
 name: {{ template "mastodon.redis.secretName" . }}
 key: {{ .Values.redis.auth.existingSecretPasswordKey | default "redis-password" }}
+ {{- end }}
 - name: "PORT"
 value: {{ .Values.mastodon.web.port | quote }}
 {{- if (not .Values.mastodon.s3.enabled) }}
diff --git a/charts/mastodon/templates/deployment-sidekiq.yaml b/charts/mastodon/templates/deployment-sidekiq.yaml
index 14abed897f2a4eb7179c24a81a50d20da2b32189..ec91a8621856b25547c3e8235c6100c27afd267b 100644
--- a/charts/mastodon/templates/deployment-sidekiq.yaml
+++ b/charts/mastodon/templates/deployment-sidekiq.yaml
@@ -82,11 +82,13 @@ spec:
 secretKeyRef:
 name: {{ template "mastodon.postgresql.secretName" $context }}
 key: password
+ {{- if $context.Values.redis.auth.enabled }}
 - name: "REDIS_PASSWORD"
 valueFrom:
 secretKeyRef:
 name: {{ template "mastodon.redis.secretName" $context }}
 key: {{ $context.Values.redis.auth.existingSecretPasswordKey | default "redis-password" }}
+ {{- end }}
 {{- if (and $context.Values.mastodon.s3.enabled $context.Values.mastodon.s3.existingSecret) }}
 - name: "AWS_SECRET_ACCESS_KEY"
 valueFrom:
diff --git a/charts/mastodon/templates/deployment-streaming.yaml b/charts/mastodon/templates/deployment-streaming.yaml
index 8e90ac81510dc54f068cae7c7863abbbac5074f3..7c8bf15aca7bf025af6650344f4078266b40a7d5 100644
--- a/charts/mastodon/templates/deployment-streaming.yaml
+++ b/charts/mastodon/templates/deployment-streaming.yaml
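Review bot: The `{{- if .Values.redis.auth.enabled }}` … `{{- end }}` guard around the REDIS_PASSWORD entry is pasted verbatim into nine templates (cronjob-media-remove, deployment-sidekiq, deployment-streaming, deployment-web, job-assets-precompile, job-chewy-upgrade, job-create-admin, job-db-migrate, job-db-pre-migrate), with only the `$context` variable differing in sidekiq, so a later edit to the condition or to the secret key lookup can silently diverge between workloads, and one workload ending up without the credential it needs (or with a credential the operator believed was off) is hard to spot. A named helper in `_helpers.tpl` that emits the whole env entry keeps the condition and the `existingSecretPasswordKey | default "redis-password"` lookup in one place; each template then reduces to `{{- include "mastodon.redis.passwordEnv" . | nindent N }}` (with `$context` in place of `.` in sidekiq, and N the env list's indent, which the collapsed hunk does not show). The env lists and the enclosing container specs start and end outside these hunks.
```yaml
{{/*
Env entry for the redis password. Emitted only when redis.auth.enabled is
true, so every workload agrees on the same condition and secret reference.
*/}}
{{- define "mastodon.redis.passwordEnv" -}}
{{- if .Values.redis.auth.enabled }}
- name: "REDIS_PASSWORD"
  valueFrom:
    secretKeyRef:
      name: {{ template "mastodon.redis.secretName" . }}
      key: {{ .Values.redis.auth.existingSecretPasswordKey | default "redis-password" }}
{{- end }}
{{- end -}}
```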
@@ -54,11 +54,13 @@ spec:
 secretKeyRef:
 name: {{ template "mastodon.postgresql.secretName" . }}
 key: password
+ {{- if .Values.redis.auth.enabled }}
 - name: "REDIS_PASSWORD"
 valueFrom:
 secretKeyRef:
 name: {{ template "mastodon.redis.secretName" . }}
 key: {{ .Values.redis.auth.existingSecretPasswordKey | default "redis-password" }}
+ {{- end }}
 - name: "PORT"
 value: {{ .Values.mastodon.streaming.port | quote }}
 ports:
diff --git a/charts/mastodon/templates/deployment-web.yaml b/charts/mastodon/templates/deployment-web.yaml
index abfec687123896d3b4eaed41681f6e8e44cac626..2a19fad089383b4d31681cef2b0e6ccffe1f17b0 100644
--- a/charts/mastodon/templates/deployment-web.yaml
+++ b/charts/mastodon/templates/deployment-web.yaml
@@ -67,11 +67,13 @@ spec:
 secretKeyRef:
 name: {{ template "mastodon.postgresql.secretName" . }}
 key: password
+ {{- if .Values.redis.auth.enabled }}
 - name: "REDIS_PASSWORD"
 valueFrom:
 secretKeyRef:
 name: {{ template "mastodon.redis.secretName" . }}
 key: {{ .Values.redis.auth.existingSecretPasswordKey | default "redis-password" }}
+ {{- end }}
 - name: "PORT"
 value: {{ .Values.mastodon.web.port | quote }}
 {{- if (and .Values.mastodon.s3.enabled .Values.mastodon.s3.existingSecret) }}
diff --git a/charts/mastodon/templates/job-assets-precompile.yaml b/charts/mastodon/templates/job-assets-precompile.yaml
index 8f946685a87b18bef2a4d758ca356effdbd527b2..fd33b587c62e8c005cbe9cacc62f04cc044b5179 100644
--- a/charts/mastodon/templates/job-assets-precompile.yaml
+++ b/charts/mastodon/templates/job-assets-precompile.yaml
@@ -51,11 +51,13 @@ spec:
 secretKeyRef:
 name: {{ template "mastodon.postgresql.secretName" . }}
 key: password
+ {{- if .Values.redis.auth.enabled }}
 - name: "REDIS_PASSWORD"
 valueFrom:
 secretKeyRef:
 name: {{ template "mastodon.redis.secretName" . }}
 key: {{ .Values.redis.auth.existingSecretPasswordKey | default "redis-password" }}
+ {{- end }}
 - name: "PORT"
 value: {{ .Values.mastodon.web.port | quote }}
 {{- if (not .Values.mastodon.s3.enabled) }}
diff --git a/charts/mastodon/templates/job-chewy-upgrade.yaml b/charts/mastodon/templates/job-chewy-upgrade.yaml
index 27b8fc29ffc2203857c444835d7c864fe2275f29..6ce8b69147873832f6d5b101d152fc4ec24fbbd5 100644
--- a/charts/mastodon/templates/job-chewy-upgrade.yaml
+++ b/charts/mastodon/templates/job-chewy-upgrade.yaml
@@ -52,11 +52,13 @@ spec:
 secretKeyRef:
 name: {{ template "mastodon.postgresql.secretName" . }}
 key: password
+ {{- if .Values.redis.auth.enabled }}
 - name: "REDIS_PASSWORD"
 valueFrom:
 secretKeyRef:
 name: {{ template "mastodon.redis.secretName" . }}
 key: {{ .Values.redis.auth.existingSecretPasswordKey | default "redis-password" }}
+ {{- end }}
 - name: "PORT"
 value: {{ .Values.mastodon.web.port | quote }}
 {{- if (not .Values.mastodon.s3.enabled) }}
diff --git a/charts/mastodon/templates/job-create-admin.yaml b/charts/mastodon/templates/job-create-admin.yaml
index 86512c7e12ab506b00423156ab592b17f6dc4fab..5bf7839bab02b9952a3f72e359ca91a0ca894e23 100644
--- a/charts/mastodon/templates/job-create-admin.yaml
+++ b/charts/mastodon/templates/job-create-admin.yaml
@@ -57,11 +57,13 @@ spec:
 secretKeyRef:
 name: {{ template "mastodon.postgresql.secretName" . }}
 key: password
+ {{- if .Values.redis.auth.enabled }}
 - name: "REDIS_PASSWORD"
 valueFrom:
 secretKeyRef:
 name: {{ template "mastodon.redis.secretName" . }}
 key: {{ .Values.redis.auth.existingSecretPasswordKey | default "redis-password" }}
+ {{- end }}
 - name: "PORT"
 value: {{ .Values.mastodon.web.port | quote }}
 {{- if (not .Values.mastodon.s3.enabled) }}
diff --git a/charts/mastodon/templates/job-db-migrate.yaml b/charts/mastodon/templates/job-db-migrate.yaml
index 51949f9733069650c316f4ae95fe28cc58c0dd3e..390ec9db93529bff1cae6968aad007494310b001 100644
--- a/charts/mastodon/templates/job-db-migrate.yaml
+++ b/charts/mastodon/templates/job-db-migrate.yaml
@@ -51,11 +51,13 @@ spec:
 secretKeyRef:
 name: {{ template "mastodon.postgresql.secretName" . }}
 key: password
+ {{- if .Values.redis.auth.enabled }}
 - name: "REDIS_PASSWORD"
 valueFrom:
 secretKeyRef:
 name: {{ template "mastodon.redis.secretName" . }}
 key: {{ .Values.redis.auth.existingSecretPasswordKey | default "redis-password" }}
+ {{- end }}
 - name: "PORT"
 value: {{ .Values.mastodon.web.port | quote }}
 {{- if (not .Values.mastodon.s3.enabled) }}
diff --git a/charts/mastodon/templates/job-db-pre-migrate.yaml b/charts/mastodon/templates/job-db-pre-migrate.yaml
index 0129091f8f804d6ebe353e8d0c63e43bc53070c2..4f745ec358d0baf0a5fdebd03e64eec64bd9086f 100644
--- a/charts/mastodon/templates/job-db-pre-migrate.yaml
+++ b/charts/mastodon/templates/job-db-pre-migrate.yaml
@@ -51,11 +51,13 @@ spec:
 secretKeyRef:
 name: {{ template "mastodon.postgresql.secretName" . }}
 key: password
+ {{- if .Values.redis.auth.enabled }}
 - name: "REDIS_PASSWORD"
 valueFrom:
 secretKeyRef:
 name: {{ template "mastodon.redis.secretName" . }}
 key: {{ .Values.redis.auth.existingSecretPasswordKey | default "redis-password" }}
+ {{- end }}
 - name: "PORT"
 value: {{ .Values.mastodon.web.port | quote }}
 - name: SKIP_POST_DEPLOYMENT_MIGRATIONS
diff --git a/charts/mastodon/tests/80_subchart_redis_test.yaml b/charts/mastodon/tests/80_subchart_redis_test.yaml
index 91ff108e0f11cfd4ba6c516e95d16bb5c8fd6fd4..bd14977214eb2bde490a9f579839e43cc8f9b39e 100644
--- a/charts/mastodon/tests/80_subchart_redis_test.yaml
+++ b/charts/mastodon/tests/80_subchart_redis_test.yaml
@@ -74,4 +74,15 @@ tests:
 path: data.redis-password
 value: dGVzdA==
 template: charts/redis/templates/secret.yaml
- documentIndex: 0
\ No newline at end of file
+ documentIndex: 0
+ - it: should allow disabling redis auth
+ set:
+ redis:
+ auth:
+ enabled: false
+ templates:
+ - deployment-sidekiq.yaml
+ - deployment-streaming.yaml
+ - deployment-web.yaml
+ asserts:
+ - matchSnapshot: {}
\ No newline at end of file
diff --git a/charts/mastodon/tests/__snapshot__/80_subchart_redis_test.yaml.snap b/charts/mastodon/tests/__snapshot__/80_subchart_redis_test.yaml.snap
new file mode 100644
index 0000000000000000000000000000000000000000..3bee04fc5c28a4c47020fcf042f050565ca617b7
--- /dev/null
+++ b/charts/mastodon/tests/__snapshot__/80_subchart_redis_test.yaml.snap
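Review bot: The new `should allow disabling redis auth` case renders only the three deployment templates, while the same guard was also added to cronjob-media-remove and the five job templates, so a regression that puts REDIS_PASSWORD back into a job or the cronjob (or drops it from one when auth is on) would pass the suite. `matchSnapshot: {}` is also a weak check for this property: any unrelated template change re-baselines the snapshot, and a first recording that still contained REDIS_PASSWORD would have been accepted as the expected output. A `notContains` assertion on the env list pins the intended behaviour directly and survives unrelated edits; the cronjob nests its pod spec under `spec.jobTemplate`, so it presumably needs its own `it` with that path. The `tests:` list continues outside the hunk.
```yaml
  - it: should allow disabling redis auth
    set:
      redis:
        auth:
          enabled: false
    templates:
      - deployment-sidekiq.yaml
      - deployment-streaming.yaml
      - deployment-web.yaml
      - job-assets-precompile.yaml
      - job-chewy-upgrade.yaml
      - job-create-admin.yaml
      - job-db-migrate.yaml
      - job-db-pre-migrate.yaml
    asserts:
      - notContains:
          path: spec.template.spec.containers[0].env
          content:
            name: REDIS_PASSWORD
          any: true
```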
@@ -0,0 +1,255 @@ +should allow disabling redis auth: + 1: | + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app.kubernetes.io/component: sidekiq-all-queues + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: mastodon + app.kubernetes.io/part-of: rails + app.kubernetes.io/version: 4.5.6 + helm.sh/chart: mastodon-1.2.3 + name: RELEASE-NAME-mastodon-sidekiq-all-queues + spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/component: sidekiq-all-queues + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: mastodon + app.kubernetes.io/part-of: rails + strategy: + type: Recreate + template: + metadata: + annotations: + checksum/config-configmap: 6171320454845e8c5c867b5db63251ff95089e25c0200ca8f72d6bb9f6535726 + checksum/config-secrets: c0d40e352ffcd2127af550b605bb0464640cd2960d007d940960d3d69d3c6aa4 + labels: + app.kubernetes.io/component: sidekiq-all-queues + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: mastodon + app.kubernetes.io/part-of: rails + spec: + containers: + - command: + - bundle + - exec + - sidekiq + - -c + - "25" + - -q + - default,8 + - -q + - push,6 + - -q + - ingress,4 + - -q + - mailers,2 + - -q + - pull + - -q + - scheduler + env: + - name: DB_PASS + valueFrom: + secretKeyRef: + key: password + name: RELEASE-NAME-postgresql + envFrom: + - configMapRef: + name: RELEASE-NAME-mastodon-env + - secretRef: + name: RELEASE-NAME-mastodon + image: ghcr.io/mastodon/mastodon:4.5.6 + imagePullPolicy: IfNotPresent + name: mastodon + resources: {} + securityContext: {} + volumeMounts: + - mountPath: /opt/mastodon/public/assets + name: assets + - mountPath: /opt/mastodon/public/system + name: system + securityContext: + allowPrivilegeEscalation: false + fsGroup: 991 + runAsGroup: 991 + runAsNonRoot: true + runAsUser: 991 + seccompProfile: + type: RuntimeDefault + serviceAccountName: RELEASE-NAME-mastodon + volumes: + - name: assets + 
persistentVolumeClaim: + claimName: RELEASE-NAME-mastodon-assets + - name: system + persistentVolumeClaim: + claimName: RELEASE-NAME-mastodon-system + 2: | + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app.kubernetes.io/component: streaming + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: mastodon + app.kubernetes.io/version: 4.5.6 + helm.sh/chart: mastodon-1.2.3 + name: RELEASE-NAME-mastodon-streaming + spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/component: streaming + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: mastodon + template: + metadata: + annotations: + checksum/config-configmap: 6171320454845e8c5c867b5db63251ff95089e25c0200ca8f72d6bb9f6535726 + checksum/config-secrets: c0d40e352ffcd2127af550b605bb0464640cd2960d007d940960d3d69d3c6aa4 + labels: + app.kubernetes.io/component: streaming + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: mastodon + spec: + containers: + - command: + - node + - ./streaming + env: + - name: DB_PASS + valueFrom: + secretKeyRef: + key: password + name: RELEASE-NAME-postgresql + - name: PORT + value: "4000" + envFrom: + - configMapRef: + name: RELEASE-NAME-mastodon-env + - secretRef: + name: RELEASE-NAME-mastodon + image: ghcr.io/mastodon/mastodon:4.5.6 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /api/v1/streaming/health + port: streaming + name: mastodon-streaming + ports: + - containerPort: 4000 + name: streaming + protocol: TCP + readinessProbe: + httpGet: + path: /api/v1/streaming/health + port: streaming + securityContext: + allowPrivilegeEscalation: false + fsGroup: 991 + runAsGroup: 991 + runAsNonRoot: true + runAsUser: 991 + seccompProfile: + type: RuntimeDefault + serviceAccountName: RELEASE-NAME-mastodon + 3: | + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + 
app.kubernetes.io/name: mastodon + app.kubernetes.io/version: 4.5.6 + helm.sh/chart: mastodon-1.2.3 + name: RELEASE-NAME-mastodon-web + spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/component: web + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: mastodon + app.kubernetes.io/part-of: rails + template: + metadata: + annotations: + checksum/config-configmap: 6171320454845e8c5c867b5db63251ff95089e25c0200ca8f72d6bb9f6535726 + checksum/config-secrets: c0d40e352ffcd2127af550b605bb0464640cd2960d007d940960d3d69d3c6aa4 + labels: + app.kubernetes.io/component: web + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: mastodon + app.kubernetes.io/part-of: rails + spec: + containers: + - command: + - bundle + - exec + - puma + - -C + - config/puma.rb + env: + - name: DB_PASS + valueFrom: + secretKeyRef: + key: password + name: RELEASE-NAME-postgresql + - name: PORT + value: "3000" + envFrom: + - configMapRef: + name: RELEASE-NAME-mastodon-env + - secretRef: + name: RELEASE-NAME-mastodon + image: ghcr.io/mastodon/mastodon:4.5.6 + imagePullPolicy: IfNotPresent + livenessProbe: + tcpSocket: + port: http + name: mastodon-web + ports: + - containerPort: 3000 + name: http + protocol: TCP + readinessProbe: + httpGet: + path: /health + port: http + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + startupProbe: + failureThreshold: 30 + httpGet: + path: /health + port: http + periodSeconds: 5 + volumeMounts: + - mountPath: /opt/mastodon/public/assets + name: assets + - mountPath: /opt/mastodon/public/system + name: system + securityContext: + allowPrivilegeEscalation: false + fsGroup: 991 + runAsGroup: 991 + runAsNonRoot: true + runAsUser: 991 + seccompProfile: + type: RuntimeDefault + serviceAccountName: RELEASE-NAME-mastodon + volumes: + - name: assets + persistentVolumeClaim: + claimName: RELEASE-NAME-mastodon-assets + - name: system + persistentVolumeClaim: + claimName: 
RELEASE-NAME-mastodon-system
diff --git a/charts/mastodon/values.yaml b/charts/mastodon/values.yaml
index 2bf3c3104b781904cd032da4348d546c6aa53140..a1d06066915b3ec83fc2154c949dd5dfbb038ca7 100644
--- a/charts/mastodon/values.yaml
+++ b/charts/mastodon/values.yaml
@@ -274,6 +274,8 @@ redis:
 # -- redisUrl overwrites redis.host and redis.port. It allows to use sentinal redis installations
 redisUrl: null
 auth:
+ # -- Enables redis authentication
+ enabled: true
 # -- you must set a password; the password generated by the redis chart will be
 # rotated on each upgrade:
 password: ""
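Review bot: The new `# -- Enables redis authentication` comment on `enabled` does not say what disabling it does, and that is the security-relevant part: with `enabled: false` none of the workload templates inject `REDIS_PASSWORD`, so Mastodon connects to redis without credentials, and the `password` / `existingSecret` values below are silently ignored rather than rejected. The same `redis.auth.enabled` key appears to be consumed by the bundled redis subchart as well (the tests render `charts/redis/templates/secret.yaml` and its `redis-password` key), so one flag presumably turns auth off on both sides; the comment should say so, and that the flag is only appropriate when the redis endpoint is not reachable from other workloads (for example restricted by a NetworkPolicy). Suggested helm-docs text: `# -- Enables redis authentication. When false no REDIS_PASSWORD is injected into any mastodon workload and password/existingSecret are ignored; only disable this when redis is not reachable from untrusted workloads.`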