diff --git a/charts/mastodon/Chart.yaml b/charts/mastodon/Chart.yaml
index f29dbd67784bb0c26e45bd7d29843ca5f74e5388..6e9cab8abd1fce7f1aa80f9c636f15feecb9a157 100644
--- a/charts/mastodon/Chart.yaml
+++ b/charts/mastodon/Chart.yaml
@@ -18,7 +18,7 @@ annotations:
url: https://matrix.to/#/#mastodon-on-kubernetes:shivering-isles.com
type: application
-version: 6.2.2
+version: 6.3.0
# renovate: image=ghcr.io/mastodon/mastodon
appVersion: "v4.1.7"
diff --git a/charts/mastodon/README.md b/charts/mastodon/README.md
index ef96d270ffd7954d6a32f8cdd7af5d15a24f2b09..bdeea98e1b45b2562d7be6a6019d681eb207d124 100644
--- a/charts/mastodon/README.md
+++ b/charts/mastodon/README.md
@@ -1,6 +1,6 @@
# mastodon
-  
+  
Mastodon is a free, open-source social network server based on ActivityPub.
@@ -117,6 +117,7 @@ This unofficical Helm chart is maintained to the best of knowledge, with the lim
| postgresql.auth.password | string | `""` | |
| postgresql.auth.username | string | `"mastodon"` | |
| postgresql.enabled | bool | `true` | disable if you want to use an existing db; in which case the values below must match those of that external postgres instance |
+| redis.auth.enabled | bool | `true` | Enables redis authentication |
| redis.auth.existingSecret | string | `nil` | |
| redis.auth.existingSecretPasswordKey | string | `nil` | |
| redis.auth.password | string | `""` | you must set a password; the password generated by the redis chart will be rotated on each upgrade: |
diff --git a/charts/mastodon/templates/cronjob-media-remove.yaml b/charts/mastodon/templates/cronjob-media-remove.yaml
index f0cf4b8c766e592a45214e4292db088d6b2c436c..fccd368a2deb80bbd7a7bd26a1e839d56bebf4f6 100644
--- a/charts/mastodon/templates/cronjob-media-remove.yaml
+++ b/charts/mastodon/templates/cronjob-media-remove.yaml
@@ -60,11 +60,13 @@ spec:
secretKeyRef:
name: {{ template "mastodon.postgresql.secretName" . }}
key: password
+ {{- if .Values.redis.auth.enabled }}
- name: "REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.secretName" . }}
key: {{ .Values.redis.auth.existingSecretPasswordKey | default "redis-password" }}
+ {{- end }}
- name: "PORT"
value: {{ .Values.mastodon.web.port | quote }}
{{- if (not .Values.mastodon.s3.enabled) }}
diff --git a/charts/mastodon/templates/deployment-sidekiq.yaml b/charts/mastodon/templates/deployment-sidekiq.yaml
index 14abed897f2a4eb7179c24a81a50d20da2b32189..ec91a8621856b25547c3e8235c6100c27afd267b 100644
--- a/charts/mastodon/templates/deployment-sidekiq.yaml
+++ b/charts/mastodon/templates/deployment-sidekiq.yaml
@@ -82,11 +82,13 @@ spec:
secretKeyRef:
name: {{ template "mastodon.postgresql.secretName" $context }}
key: password
+ {{- if $context.Values.redis.auth.enabled }}
- name: "REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.secretName" $context }}
key: {{ $context.Values.redis.auth.existingSecretPasswordKey | default "redis-password" }}
+ {{- end }}
{{- if (and $context.Values.mastodon.s3.enabled $context.Values.mastodon.s3.existingSecret) }}
- name: "AWS_SECRET_ACCESS_KEY"
valueFrom:
diff --git a/charts/mastodon/templates/deployment-streaming.yaml b/charts/mastodon/templates/deployment-streaming.yaml
index 8e90ac81510dc54f068cae7c7863abbbac5074f3..7c8bf15aca7bf025af6650344f4078266b40a7d5 100644
--- a/charts/mastodon/templates/deployment-streaming.yaml
+++ b/charts/mastodon/templates/deployment-streaming.yaml
@@ -54,11 +54,13 @@ spec:
secretKeyRef:
name: {{ template "mastodon.postgresql.secretName" . }}
key: password
+ {{- if .Values.redis.auth.enabled }}
- name: "REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.secretName" . }}
key: {{ .Values.redis.auth.existingSecretPasswordKey | default "redis-password" }}
+ {{- end }}
- name: "PORT"
value: {{ .Values.mastodon.streaming.port | quote }}
ports:
diff --git a/charts/mastodon/templates/deployment-web.yaml b/charts/mastodon/templates/deployment-web.yaml
index abfec687123896d3b4eaed41681f6e8e44cac626..2a19fad089383b4d31681cef2b0e6ccffe1f17b0 100644
--- a/charts/mastodon/templates/deployment-web.yaml
+++ b/charts/mastodon/templates/deployment-web.yaml
@@ -67,11 +67,13 @@ spec:
secretKeyRef:
name: {{ template "mastodon.postgresql.secretName" . }}
key: password
+ {{- if .Values.redis.auth.enabled }}
- name: "REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.secretName" . }}
key: {{ .Values.redis.auth.existingSecretPasswordKey | default "redis-password" }}
+ {{- end }}
- name: "PORT"
value: {{ .Values.mastodon.web.port | quote }}
{{- if (and .Values.mastodon.s3.enabled .Values.mastodon.s3.existingSecret) }}
diff --git a/charts/mastodon/templates/job-assets-precompile.yaml b/charts/mastodon/templates/job-assets-precompile.yaml
index 8f946685a87b18bef2a4d758ca356effdbd527b2..fd33b587c62e8c005cbe9cacc62f04cc044b5179 100644
--- a/charts/mastodon/templates/job-assets-precompile.yaml
+++ b/charts/mastodon/templates/job-assets-precompile.yaml
@@ -51,11 +51,13 @@ spec:
secretKeyRef:
name: {{ template "mastodon.postgresql.secretName" . }}
key: password
+ {{- if .Values.redis.auth.enabled }}
- name: "REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.secretName" . }}
key: {{ .Values.redis.auth.existingSecretPasswordKey | default "redis-password" }}
+ {{- end }}
- name: "PORT"
value: {{ .Values.mastodon.web.port | quote }}
{{- if (not .Values.mastodon.s3.enabled) }}
diff --git a/charts/mastodon/templates/job-chewy-upgrade.yaml b/charts/mastodon/templates/job-chewy-upgrade.yaml
index 27b8fc29ffc2203857c444835d7c864fe2275f29..6ce8b69147873832f6d5b101d152fc4ec24fbbd5 100644
--- a/charts/mastodon/templates/job-chewy-upgrade.yaml
+++ b/charts/mastodon/templates/job-chewy-upgrade.yaml
@@ -52,11 +52,13 @@ spec:
secretKeyRef:
name: {{ template "mastodon.postgresql.secretName" . }}
key: password
+ {{- if .Values.redis.auth.enabled }}
- name: "REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.secretName" . }}
key: {{ .Values.redis.auth.existingSecretPasswordKey | default "redis-password" }}
+ {{- end }}
- name: "PORT"
value: {{ .Values.mastodon.web.port | quote }}
{{- if (not .Values.mastodon.s3.enabled) }}
diff --git a/charts/mastodon/templates/job-create-admin.yaml b/charts/mastodon/templates/job-create-admin.yaml
index 86512c7e12ab506b00423156ab592b17f6dc4fab..5bf7839bab02b9952a3f72e359ca91a0ca894e23 100644
--- a/charts/mastodon/templates/job-create-admin.yaml
+++ b/charts/mastodon/templates/job-create-admin.yaml
@@ -57,11 +57,13 @@ spec:
secretKeyRef:
name: {{ template "mastodon.postgresql.secretName" . }}
key: password
+ {{- if .Values.redis.auth.enabled }}
- name: "REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.secretName" . }}
key: {{ .Values.redis.auth.existingSecretPasswordKey | default "redis-password" }}
+ {{- end }}
- name: "PORT"
value: {{ .Values.mastodon.web.port | quote }}
{{- if (not .Values.mastodon.s3.enabled) }}
diff --git a/charts/mastodon/templates/job-db-migrate.yaml b/charts/mastodon/templates/job-db-migrate.yaml
index 51949f9733069650c316f4ae95fe28cc58c0dd3e..390ec9db93529bff1cae6968aad007494310b001 100644
--- a/charts/mastodon/templates/job-db-migrate.yaml
+++ b/charts/mastodon/templates/job-db-migrate.yaml
@@ -51,11 +51,13 @@ spec:
secretKeyRef:
name: {{ template "mastodon.postgresql.secretName" . }}
key: password
+ {{- if .Values.redis.auth.enabled }}
- name: "REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.secretName" . }}
key: {{ .Values.redis.auth.existingSecretPasswordKey | default "redis-password" }}
+ {{- end }}
- name: "PORT"
value: {{ .Values.mastodon.web.port | quote }}
{{- if (not .Values.mastodon.s3.enabled) }}
diff --git a/charts/mastodon/templates/job-db-pre-migrate.yaml b/charts/mastodon/templates/job-db-pre-migrate.yaml
index 0129091f8f804d6ebe353e8d0c63e43bc53070c2..4f745ec358d0baf0a5fdebd03e64eec64bd9086f 100644
--- a/charts/mastodon/templates/job-db-pre-migrate.yaml
+++ b/charts/mastodon/templates/job-db-pre-migrate.yaml
@@ -51,11 +51,13 @@ spec:
secretKeyRef:
name: {{ template "mastodon.postgresql.secretName" . }}
key: password
+ {{- if .Values.redis.auth.enabled }}
- name: "REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.secretName" . }}
key: {{ .Values.redis.auth.existingSecretPasswordKey | default "redis-password" }}
+ {{- end }}
- name: "PORT"
value: {{ .Values.mastodon.web.port | quote }}
- name: SKIP_POST_DEPLOYMENT_MIGRATIONS
diff --git a/charts/mastodon/tests/80_subchart_redis_test.yaml b/charts/mastodon/tests/80_subchart_redis_test.yaml
index 91ff108e0f11cfd4ba6c516e95d16bb5c8fd6fd4..bd14977214eb2bde490a9f579839e43cc8f9b39e 100644
--- a/charts/mastodon/tests/80_subchart_redis_test.yaml
+++ b/charts/mastodon/tests/80_subchart_redis_test.yaml
@@ -74,4 +74,15 @@ tests:
path: data.redis-password
value: dGVzdA==
template: charts/redis/templates/secret.yaml
- documentIndex: 0
\ No newline at end of file
+ documentIndex: 0
+ - it: should allow disabling redis auth
+ set:
+ redis:
+ auth:
+ enabled: false
+ templates:
+ - deployment-sidekiq.yaml
+ - deployment-streaming.yaml
+ - deployment-web.yaml
+ asserts:
+ - matchSnapshot: {}
\ No newline at end of file
diff --git a/charts/mastodon/tests/__snapshot__/80_subchart_redis_test.yaml.snap b/charts/mastodon/tests/__snapshot__/80_subchart_redis_test.yaml.snap
new file mode 100644
index 0000000000000000000000000000000000000000..3bee04fc5c28a4c47020fcf042f050565ca617b7
--- /dev/null
+++ b/charts/mastodon/tests/__snapshot__/80_subchart_redis_test.yaml.snap
@@ -0,0 +1,255 @@
+should allow disabling redis auth:
+ 1: |
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ labels:
+ app.kubernetes.io/component: sidekiq-all-queues
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: mastodon
+ app.kubernetes.io/part-of: rails
+ app.kubernetes.io/version: 4.5.6
+ helm.sh/chart: mastodon-1.2.3
+ name: RELEASE-NAME-mastodon-sidekiq-all-queues
+ spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: sidekiq-all-queues
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/name: mastodon
+ app.kubernetes.io/part-of: rails
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ annotations:
+ checksum/config-configmap: 6171320454845e8c5c867b5db63251ff95089e25c0200ca8f72d6bb9f6535726
+ checksum/config-secrets: c0d40e352ffcd2127af550b605bb0464640cd2960d007d940960d3d69d3c6aa4
+ labels:
+ app.kubernetes.io/component: sidekiq-all-queues
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/name: mastodon
+ app.kubernetes.io/part-of: rails
+ spec:
+ containers:
+ - command:
+ - bundle
+ - exec
+ - sidekiq
+ - -c
+ - "25"
+ - -q
+ - default,8
+ - -q
+ - push,6
+ - -q
+ - ingress,4
+ - -q
+ - mailers,2
+ - -q
+ - pull
+ - -q
+ - scheduler
+ env:
+ - name: DB_PASS
+ valueFrom:
+ secretKeyRef:
+ key: password
+ name: RELEASE-NAME-postgresql
+ envFrom:
+ - configMapRef:
+ name: RELEASE-NAME-mastodon-env
+ - secretRef:
+ name: RELEASE-NAME-mastodon
+ image: ghcr.io/mastodon/mastodon:4.5.6
+ imagePullPolicy: IfNotPresent
+ name: mastodon
+ resources: {}
+ securityContext: {}
+ volumeMounts:
+ - mountPath: /opt/mastodon/public/assets
+ name: assets
+ - mountPath: /opt/mastodon/public/system
+ name: system
+ securityContext:
+ allowPrivilegeEscalation: false
+ fsGroup: 991
+ runAsGroup: 991
+ runAsNonRoot: true
+ runAsUser: 991
+ seccompProfile:
+ type: RuntimeDefault
+ serviceAccountName: RELEASE-NAME-mastodon
+ volumes:
+ - name: assets
+ persistentVolumeClaim:
+ claimName: RELEASE-NAME-mastodon-assets
+ - name: system
+ persistentVolumeClaim:
+ claimName: RELEASE-NAME-mastodon-system
+ 2: |
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ labels:
+ app.kubernetes.io/component: streaming
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: mastodon
+ app.kubernetes.io/version: 4.5.6
+ helm.sh/chart: mastodon-1.2.3
+ name: RELEASE-NAME-mastodon-streaming
+ spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: streaming
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/name: mastodon
+ template:
+ metadata:
+ annotations:
+ checksum/config-configmap: 6171320454845e8c5c867b5db63251ff95089e25c0200ca8f72d6bb9f6535726
+ checksum/config-secrets: c0d40e352ffcd2127af550b605bb0464640cd2960d007d940960d3d69d3c6aa4
+ labels:
+ app.kubernetes.io/component: streaming
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/name: mastodon
+ spec:
+ containers:
+ - command:
+ - node
+ - ./streaming
+ env:
+ - name: DB_PASS
+ valueFrom:
+ secretKeyRef:
+ key: password
+ name: RELEASE-NAME-postgresql
+ - name: PORT
+ value: "4000"
+ envFrom:
+ - configMapRef:
+ name: RELEASE-NAME-mastodon-env
+ - secretRef:
+ name: RELEASE-NAME-mastodon
+ image: ghcr.io/mastodon/mastodon:4.5.6
+ imagePullPolicy: IfNotPresent
+ livenessProbe:
+ httpGet:
+ path: /api/v1/streaming/health
+ port: streaming
+ name: mastodon-streaming
+ ports:
+ - containerPort: 4000
+ name: streaming
+ protocol: TCP
+ readinessProbe:
+ httpGet:
+ path: /api/v1/streaming/health
+ port: streaming
+ securityContext:
+ allowPrivilegeEscalation: false
+ fsGroup: 991
+ runAsGroup: 991
+ runAsNonRoot: true
+ runAsUser: 991
+ seccompProfile:
+ type: RuntimeDefault
+ serviceAccountName: RELEASE-NAME-mastodon
+ 3: |
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ labels:
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: mastodon
+ app.kubernetes.io/version: 4.5.6
+ helm.sh/chart: mastodon-1.2.3
+ name: RELEASE-NAME-mastodon-web
+ spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: web
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/name: mastodon
+ app.kubernetes.io/part-of: rails
+ template:
+ metadata:
+ annotations:
+ checksum/config-configmap: 6171320454845e8c5c867b5db63251ff95089e25c0200ca8f72d6bb9f6535726
+ checksum/config-secrets: c0d40e352ffcd2127af550b605bb0464640cd2960d007d940960d3d69d3c6aa4
+ labels:
+ app.kubernetes.io/component: web
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/name: mastodon
+ app.kubernetes.io/part-of: rails
+ spec:
+ containers:
+ - command:
+ - bundle
+ - exec
+ - puma
+ - -C
+ - config/puma.rb
+ env:
+ - name: DB_PASS
+ valueFrom:
+ secretKeyRef:
+ key: password
+ name: RELEASE-NAME-postgresql
+ - name: PORT
+ value: "3000"
+ envFrom:
+ - configMapRef:
+ name: RELEASE-NAME-mastodon-env
+ - secretRef:
+ name: RELEASE-NAME-mastodon
+ image: ghcr.io/mastodon/mastodon:4.5.6
+ imagePullPolicy: IfNotPresent
+ livenessProbe:
+ tcpSocket:
+ port: http
+ name: mastodon-web
+ ports:
+ - containerPort: 3000
+ name: http
+ protocol: TCP
+ readinessProbe:
+ httpGet:
+ path: /health
+ port: http
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ startupProbe:
+ failureThreshold: 30
+ httpGet:
+ path: /health
+ port: http
+ periodSeconds: 5
+ volumeMounts:
+ - mountPath: /opt/mastodon/public/assets
+ name: assets
+ - mountPath: /opt/mastodon/public/system
+ name: system
+ securityContext:
+ allowPrivilegeEscalation: false
+ fsGroup: 991
+ runAsGroup: 991
+ runAsNonRoot: true
+ runAsUser: 991
+ seccompProfile:
+ type: RuntimeDefault
+ serviceAccountName: RELEASE-NAME-mastodon
+ volumes:
+ - name: assets
+ persistentVolumeClaim:
+ claimName: RELEASE-NAME-mastodon-assets
+ - name: system
+ persistentVolumeClaim:
+ claimName: RELEASE-NAME-mastodon-system
diff --git a/charts/mastodon/values.yaml b/charts/mastodon/values.yaml
index 2bf3c3104b781904cd032da4348d546c6aa53140..a1d06066915b3ec83fc2154c949dd5dfbb038ca7 100644
--- a/charts/mastodon/values.yaml
+++ b/charts/mastodon/values.yaml
@@ -274,6 +274,8 @@ redis:
# -- redisUrl overwrites redis.host and redis.port. It allows to use sentinal redis installations
redisUrl: null
auth:
+ # -- Enables redis authentication
+ enabled: true
# -- you must set a password; the password generated by the redis chart will be
# rotated on each upgrade:
password: ""