From 0b757804907311931c81ee00789441fb9645314c Mon Sep 17 00:00:00 2001 From: Sheogorath <sheogorath@shivering-isles.com> Date: Mon, 18 Sep 2023 02:01:32 +0200 Subject: [PATCH] feat(mastodon): Add ability to disabled Redis authentication This patch is needed to fully support disabling of redis authentication. This allows to use the new defaults for the mastodon base deployment. While it's probablky not recommended for a production deployment to disable redis authentication, it doesn't hurt too much for a base deployment. Since no defaults change, it shouldn't matter anyway for users of this chart. --- charts/mastodon/Chart.yaml | 2 +- charts/mastodon/README.md | 3 +- .../templates/cronjob-media-remove.yaml | 2 + .../templates/deployment-sidekiq.yaml | 2 + .../templates/deployment-streaming.yaml | 2 + charts/mastodon/templates/deployment-web.yaml | 2 + .../templates/job-assets-precompile.yaml | 2 + .../mastodon/templates/job-chewy-upgrade.yaml | 2 + .../mastodon/templates/job-create-admin.yaml | 2 + charts/mastodon/templates/job-db-migrate.yaml | 2 + .../templates/job-db-pre-migrate.yaml | 2 + .../tests/80_subchart_redis_test.yaml | 13 +- .../80_subchart_redis_test.yaml.snap | 255 ++++++++++++++++++ charts/mastodon/values.yaml | 2 + 14 files changed, 290 insertions(+), 3 deletions(-) create mode 100644 charts/mastodon/tests/__snapshot__/80_subchart_redis_test.yaml.snap diff --git a/charts/mastodon/Chart.yaml b/charts/mastodon/Chart.yaml index f29dbd677..6e9cab8ab 100644 --- a/charts/mastodon/Chart.yaml +++ b/charts/mastodon/Chart.yaml @@ -18,7 +18,7 @@ annotations: url: https://matrix.to/#/#mastodon-on-kubernetes:shivering-isles.com type: application -version: 6.2.2 +version: 6.3.0 # renovate: image=ghcr.io/mastodon/mastodon appVersion: "v4.1.7" diff --git a/charts/mastodon/README.md b/charts/mastodon/README.md index ef96d270f..bdeea98e1 100644 --- a/charts/mastodon/README.md +++ b/charts/mastodon/README.md 
@@ -1,6 +1,6 @@ # mastodon -   +   Mastodon is a free, open-source social network server based on ActivityPub. @@ -117,6 +117,7 @@ This unofficical Helm chart is maintained to the best of knowledge, with the lim | postgresql.auth.password | string | `""` | | | postgresql.auth.username | string | `"mastodon"` | | | postgresql.enabled | bool | `true` | disable if you want to use an existing db; in which case the values below must match those of that external postgres instance | +| redis.auth.enabled | bool | `true` | Enables redis authentication | | redis.auth.existingSecret | string | `nil` | | | redis.auth.existingSecretPasswordKey | string | `nil` | | | redis.auth.password | string | `""` | you must set a password; the password generated by the redis chart will be rotated on each upgrade: | diff --git a/charts/mastodon/templates/cronjob-media-remove.yaml b/charts/mastodon/templates/cronjob-media-remove.yaml index f0cf4b8c7..fccd368a2 100644 --- a/charts/mastodon/templates/cronjob-media-remove.yaml +++ b/charts/mastodon/templates/cronjob-media-remove.yaml @@ -60,11 +60,13 @@ spec: secretKeyRef: name: {{ template "mastodon.postgresql.secretName" . }} key: password + {{- if .Values.redis.auth.enabled }} - name: "REDIS_PASSWORD" valueFrom: secretKeyRef: name: {{ template "mastodon.redis.secretName" . }} key: {{ .Values.redis.auth.existingSecretPasswordKey | default "redis-password" }} + {{- end }} - name: "PORT" value: {{ .Values.mastodon.web.port | quote }} {{- if (not .Values.mastodon.s3.enabled) }} diff --git a/charts/mastodon/templates/deployment-sidekiq.yaml b/charts/mastodon/templates/deployment-sidekiq.yaml index 14abed897..ec91a8621 100644 --- a/charts/mastodon/templates/deployment-sidekiq.yaml +++ b/charts/mastodon/templates/deployment-sidekiq.yaml 
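Review bot: The `{{- if .Values.redis.auth.enabled }}` … `{{- end }}` wrapper around the REDIS_PASSWORD entry is pasted verbatim into nine templates (this one, deployment-sidekiq, deployment-streaming, deployment-web, job-assets-precompile, job-chewy-upgrade, job-create-admin, job-db-migrate and job-db-pre-migrate), so any later change to the condition has to be repeated nine times and a missed copy leaves one workload's credential handling out of step with the rest. Moving the env entry into a named helper next to `mastodon.redis.secretName` (which every copy already calls) and including it with the container's context would keep the guard in one place; the sidekiq copy already shows the `$context` form such a helper would take. The enclosing env list and container spec of cronjob-media-remove start and end outside the hunk.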
@@ -82,11 +82,13 @@ spec: secretKeyRef: name: {{ template "mastodon.postgresql.secretName" $context }} key: password + {{- if $context.Values.redis.auth.enabled }} - name: "REDIS_PASSWORD" valueFrom: secretKeyRef: name: {{ template "mastodon.redis.secretName" $context }} key: {{ $context.Values.redis.auth.existingSecretPasswordKey | default "redis-password" }} + {{- end }} {{- if (and $context.Values.mastodon.s3.enabled $context.Values.mastodon.s3.existingSecret) }} - name: "AWS_SECRET_ACCESS_KEY" valueFrom: diff --git a/charts/mastodon/templates/deployment-streaming.yaml b/charts/mastodon/templates/deployment-streaming.yaml index 8e90ac815..7c8bf15ac 100644 --- a/charts/mastodon/templates/deployment-streaming.yaml +++ b/charts/mastodon/templates/deployment-streaming.yaml @@ -54,11 +54,13 @@ spec: secretKeyRef: name: {{ template "mastodon.postgresql.secretName" . }} key: password + {{- if .Values.redis.auth.enabled }} - name: "REDIS_PASSWORD" valueFrom: secretKeyRef: name: {{ template "mastodon.redis.secretName" . }} key: {{ .Values.redis.auth.existingSecretPasswordKey | default "redis-password" }} + {{- end }} - name: "PORT" value: {{ .Values.mastodon.streaming.port | quote }} ports: diff --git a/charts/mastodon/templates/deployment-web.yaml b/charts/mastodon/templates/deployment-web.yaml index abfec6871..2a19fad08 100644 --- a/charts/mastodon/templates/deployment-web.yaml +++ b/charts/mastodon/templates/deployment-web.yaml @@ -67,11 +67,13 @@ spec: secretKeyRef: name: {{ template "mastodon.postgresql.secretName" . }} key: password + {{- if .Values.redis.auth.enabled }} - name: "REDIS_PASSWORD" valueFrom: secretKeyRef: name: {{ template "mastodon.redis.secretName" . }} key: {{ .Values.redis.auth.existingSecretPasswordKey | default "redis-password" }} + {{- end }} - name: "PORT" value: {{ .Values.mastodon.web.port | quote }} {{- if (and .Values.mastodon.s3.enabled .Values.mastodon.s3.existingSecret) }} 
diff --git a/charts/mastodon/templates/job-assets-precompile.yaml b/charts/mastodon/templates/job-assets-precompile.yaml index 8f946685a..fd33b587c 100644 --- a/charts/mastodon/templates/job-assets-precompile.yaml +++ b/charts/mastodon/templates/job-assets-precompile.yaml @@ -51,11 +51,13 @@ spec: secretKeyRef: name: {{ template "mastodon.postgresql.secretName" . }} key: password + {{- if .Values.redis.auth.enabled }} - name: "REDIS_PASSWORD" valueFrom: secretKeyRef: name: {{ template "mastodon.redis.secretName" . }} key: {{ .Values.redis.auth.existingSecretPasswordKey | default "redis-password" }} + {{- end }} - name: "PORT" value: {{ .Values.mastodon.web.port | quote }} {{- if (not .Values.mastodon.s3.enabled) }} diff --git a/charts/mastodon/templates/job-chewy-upgrade.yaml b/charts/mastodon/templates/job-chewy-upgrade.yaml index 27b8fc29f..6ce8b6914 100644 --- a/charts/mastodon/templates/job-chewy-upgrade.yaml +++ b/charts/mastodon/templates/job-chewy-upgrade.yaml @@ -52,11 +52,13 @@ spec: secretKeyRef: name: {{ template "mastodon.postgresql.secretName" . }} key: password + {{- if .Values.redis.auth.enabled }} - name: "REDIS_PASSWORD" valueFrom: secretKeyRef: name: {{ template "mastodon.redis.secretName" . }} key: {{ .Values.redis.auth.existingSecretPasswordKey | default "redis-password" }} + {{- end }} - name: "PORT" value: {{ .Values.mastodon.web.port | quote }} {{- if (not .Values.mastodon.s3.enabled) }} diff --git a/charts/mastodon/templates/job-create-admin.yaml b/charts/mastodon/templates/job-create-admin.yaml index 86512c7e1..5bf7839ba 100644 --- a/charts/mastodon/templates/job-create-admin.yaml +++ b/charts/mastodon/templates/job-create-admin.yaml 
@@ -57,11 +57,13 @@ spec: secretKeyRef: name: {{ template "mastodon.postgresql.secretName" . }} key: password + {{- if .Values.redis.auth.enabled }} - name: "REDIS_PASSWORD" valueFrom: secretKeyRef: name: {{ template "mastodon.redis.secretName" . }} key: {{ .Values.redis.auth.existingSecretPasswordKey | default "redis-password" }} + {{- end }} - name: "PORT" value: {{ .Values.mastodon.web.port | quote }} {{- if (not .Values.mastodon.s3.enabled) }} diff --git a/charts/mastodon/templates/job-db-migrate.yaml b/charts/mastodon/templates/job-db-migrate.yaml index 51949f973..390ec9db9 100644 --- a/charts/mastodon/templates/job-db-migrate.yaml +++ b/charts/mastodon/templates/job-db-migrate.yaml @@ -51,11 +51,13 @@ spec: secretKeyRef: name: {{ template "mastodon.postgresql.secretName" . }} key: password + {{- if .Values.redis.auth.enabled }} - name: "REDIS_PASSWORD" valueFrom: secretKeyRef: name: {{ template "mastodon.redis.secretName" . }} key: {{ .Values.redis.auth.existingSecretPasswordKey | default "redis-password" }} + {{- end }} - name: "PORT" value: {{ .Values.mastodon.web.port | quote }} {{- if (not .Values.mastodon.s3.enabled) }} diff --git a/charts/mastodon/templates/job-db-pre-migrate.yaml b/charts/mastodon/templates/job-db-pre-migrate.yaml index 0129091f8..4f745ec35 100644 --- a/charts/mastodon/templates/job-db-pre-migrate.yaml +++ b/charts/mastodon/templates/job-db-pre-migrate.yaml @@ -51,11 +51,13 @@ spec: secretKeyRef: name: {{ template "mastodon.postgresql.secretName" . }} key: password + {{- if .Values.redis.auth.enabled }} - name: "REDIS_PASSWORD" valueFrom: secretKeyRef: name: {{ template "mastodon.redis.secretName" . }} key: {{ .Values.redis.auth.existingSecretPasswordKey | default "redis-password" }} + {{- end }} - name: "PORT" value: {{ .Values.mastodon.web.port | quote }} - name: SKIP_POST_DEPLOYMENT_MIGRATIONS 
diff --git a/charts/mastodon/tests/80_subchart_redis_test.yaml b/charts/mastodon/tests/80_subchart_redis_test.yaml index 91ff108e0..bd1497721 100644 --- a/charts/mastodon/tests/80_subchart_redis_test.yaml +++ b/charts/mastodon/tests/80_subchart_redis_test.yaml @@ -74,4 +74,15 @@ tests: path: data.redis-password value: dGVzdA== template: charts/redis/templates/secret.yaml - documentIndex: 0 \ No newline at end of file + documentIndex: 0 + - it: should allow disabling redis auth + set: + redis: + auth: + enabled: false + templates: + - deployment-sidekiq.yaml + - deployment-streaming.yaml + - deployment-web.yaml + asserts: + - matchSnapshot: {} \ No newline at end of file diff --git a/charts/mastodon/tests/__snapshot__/80_subchart_redis_test.yaml.snap b/charts/mastodon/tests/__snapshot__/80_subchart_redis_test.yaml.snap new file mode 100644 index 000000000..3bee04fc5 --- /dev/null +++ b/charts/mastodon/tests/__snapshot__/80_subchart_redis_test.yaml.snap 
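Review bot: The new test case only covers three of the nine templates that gained the guard and asserts nothing more specific than `matchSnapshot: {}`, so the property the commit actually introduces — that no REDIS_PASSWORD entry is rendered when `redis.auth.enabled` is false — is buried in a 255-line snapshot and the cronjob and job templates are not checked at all. A `notContains` assertion on the container env makes the intent reviewable and can cover the job templates in the same case (assuming their mastodon container is `containers[0]`, as it is for the deployments in the snapshot); cronjob-media-remove needs its own case with the path `spec.jobTemplate.spec.template.spec.containers[0].env`. The snapshot assert can stay alongside if the full rendering is still wanted. The new side also still ends without a trailing newline.
```yaml
  - it: should allow disabling redis auth
    set:
      redis:
        auth:
          enabled: false
    templates:
      - deployment-sidekiq.yaml
      - deployment-streaming.yaml
      - deployment-web.yaml
      - job-db-migrate.yaml
      # … the remaining job-*.yaml templates that carry the same guard …
    asserts:
      - notContains:
          path: spec.template.spec.containers[0].env
          content:
            name: REDIS_PASSWORD
          any: true
```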
@@ -0,0 +1,255 @@ +should allow disabling redis auth: + 1: | + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app.kubernetes.io/component: sidekiq-all-queues + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: mastodon + app.kubernetes.io/part-of: rails + app.kubernetes.io/version: 4.5.6 + helm.sh/chart: mastodon-1.2.3 + name: RELEASE-NAME-mastodon-sidekiq-all-queues + spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/component: sidekiq-all-queues + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: mastodon + app.kubernetes.io/part-of: rails + strategy: + type: Recreate + template: + metadata: + annotations: + checksum/config-configmap: 6171320454845e8c5c867b5db63251ff95089e25c0200ca8f72d6bb9f6535726 + checksum/config-secrets: c0d40e352ffcd2127af550b605bb0464640cd2960d007d940960d3d69d3c6aa4 + labels: + app.kubernetes.io/component: sidekiq-all-queues + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: mastodon + app.kubernetes.io/part-of: rails + spec: + containers: + - command: + - bundle + - exec + - sidekiq + - -c + - "25" + - -q + - default,8 + - -q + - push,6 + - -q + - ingress,4 + - -q + - mailers,2 + - -q + - pull + - -q + - scheduler + env: + - name: DB_PASS + valueFrom: + secretKeyRef: + key: password + name: RELEASE-NAME-postgresql + envFrom: + - configMapRef: + name: RELEASE-NAME-mastodon-env + - secretRef: + name: RELEASE-NAME-mastodon + image: ghcr.io/mastodon/mastodon:4.5.6 + imagePullPolicy: IfNotPresent + name: mastodon + resources: {} + securityContext: {} + volumeMounts: + - mountPath: /opt/mastodon/public/assets + name: assets + - mountPath: /opt/mastodon/public/system + name: system + securityContext: + allowPrivilegeEscalation: false + fsGroup: 991 + runAsGroup: 991 + runAsNonRoot: true + runAsUser: 991 + seccompProfile: + type: RuntimeDefault + serviceAccountName: RELEASE-NAME-mastodon + volumes: + - name: assets + 
persistentVolumeClaim: + claimName: RELEASE-NAME-mastodon-assets + - name: system + persistentVolumeClaim: + claimName: RELEASE-NAME-mastodon-system + 2: | + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app.kubernetes.io/component: streaming + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: mastodon + app.kubernetes.io/version: 4.5.6 + helm.sh/chart: mastodon-1.2.3 + name: RELEASE-NAME-mastodon-streaming + spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/component: streaming + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: mastodon + template: + metadata: + annotations: + checksum/config-configmap: 6171320454845e8c5c867b5db63251ff95089e25c0200ca8f72d6bb9f6535726 + checksum/config-secrets: c0d40e352ffcd2127af550b605bb0464640cd2960d007d940960d3d69d3c6aa4 + labels: + app.kubernetes.io/component: streaming + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: mastodon + spec: + containers: + - command: + - node + - ./streaming + env: + - name: DB_PASS + valueFrom: + secretKeyRef: + key: password + name: RELEASE-NAME-postgresql + - name: PORT + value: "4000" + envFrom: + - configMapRef: + name: RELEASE-NAME-mastodon-env + - secretRef: + name: RELEASE-NAME-mastodon + image: ghcr.io/mastodon/mastodon:4.5.6 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /api/v1/streaming/health + port: streaming + name: mastodon-streaming + ports: + - containerPort: 4000 + name: streaming + protocol: TCP + readinessProbe: + httpGet: + path: /api/v1/streaming/health + port: streaming + securityContext: + allowPrivilegeEscalation: false + fsGroup: 991 + runAsGroup: 991 + runAsNonRoot: true + runAsUser: 991 + seccompProfile: + type: RuntimeDefault + serviceAccountName: RELEASE-NAME-mastodon + 3: | + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + 
app.kubernetes.io/name: mastodon + app.kubernetes.io/version: 4.5.6 + helm.sh/chart: mastodon-1.2.3 + name: RELEASE-NAME-mastodon-web + spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/component: web + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: mastodon + app.kubernetes.io/part-of: rails + template: + metadata: + annotations: + checksum/config-configmap: 6171320454845e8c5c867b5db63251ff95089e25c0200ca8f72d6bb9f6535726 + checksum/config-secrets: c0d40e352ffcd2127af550b605bb0464640cd2960d007d940960d3d69d3c6aa4 + labels: + app.kubernetes.io/component: web + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: mastodon + app.kubernetes.io/part-of: rails + spec: + containers: + - command: + - bundle + - exec + - puma + - -C + - config/puma.rb + env: + - name: DB_PASS + valueFrom: + secretKeyRef: + key: password + name: RELEASE-NAME-postgresql + - name: PORT + value: "3000" + envFrom: + - configMapRef: + name: RELEASE-NAME-mastodon-env + - secretRef: + name: RELEASE-NAME-mastodon + image: ghcr.io/mastodon/mastodon:4.5.6 + imagePullPolicy: IfNotPresent + livenessProbe: + tcpSocket: + port: http + name: mastodon-web + ports: + - containerPort: 3000 + name: http + protocol: TCP + readinessProbe: + httpGet: + path: /health + port: http + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + startupProbe: + failureThreshold: 30 + httpGet: + path: /health + port: http + periodSeconds: 5 + volumeMounts: + - mountPath: /opt/mastodon/public/assets + name: assets + - mountPath: /opt/mastodon/public/system + name: system + securityContext: + allowPrivilegeEscalation: false + fsGroup: 991 + runAsGroup: 991 + runAsNonRoot: true + runAsUser: 991 + seccompProfile: + type: RuntimeDefault + serviceAccountName: RELEASE-NAME-mastodon + volumes: + - name: assets + persistentVolumeClaim: + claimName: RELEASE-NAME-mastodon-assets + - name: system + persistentVolumeClaim: + claimName: 
RELEASE-NAME-mastodon-system diff --git a/charts/mastodon/values.yaml b/charts/mastodon/values.yaml index 2bf3c3104..a1d060669 100644 --- a/charts/mastodon/values.yaml +++ b/charts/mastodon/values.yaml @@ -274,6 +274,8 @@ redis: # -- redisUrl overwrites redis.host and redis.port. It allows to use sentinal redis installations redisUrl: null auth: + # -- Enables redis authentication + enabled: true # -- you must set a password; the password generated by the redis chart will be # rotated on each upgrade: password: "" -- GitLab
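Review bot: The comment on the new `enabled` key says only "Enables redis authentication" and does not tell the operator what turning it off actually does: every workload template in this patch then omits REDIS_PASSWORD entirely, so `redis.auth.password` and `existingSecret` are silently ignored by those templates and the redis instance is reached unauthenticated. Since this is a security-relevant switch, the values comment is where that should be spelled out, for example `# -- Enables redis authentication. When false no REDIS_PASSWORD is injected into the mastodon workloads and redis.auth.password / existingSecret are ignored by them; only disable this for a redis that is not reachable from untrusted network segments.` The key path appears to be the same one the bundled redis subchart reads (the test file sets it identically), which is presumably why the two stay in sync — worth confirming in the comment as well.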