diff --git a/charts/mastodon/Chart.yaml b/charts/mastodon/Chart.yaml
index d207227667f313c11df0276ac7ad539374d98672..deba215fd35b3efaaaa9e5572bde4c7e9c3c578c 100644
--- a/charts/mastodon/Chart.yaml
+++ b/charts/mastodon/Chart.yaml
@@ -17,7 +17,8 @@ annotations:
- name: support
url: https://matrix.to/#/#mastodon-on-kubernetes:shivering-isles.com
type: application
-version: 7.0.0
+version: 7.1.0
+kubeVersion: ">= 1.23"
# renovate: image=ghcr.io/mastodon/mastodon
appVersion: "v4.1.9"
diff --git a/charts/mastodon/README.md b/charts/mastodon/README.md
index 4e708915ddb87abb9631b536b074c8e54af16b6e..53234fc15eca2a7e35d1807ce413df95f45c083e 100644
--- a/charts/mastodon/README.md
+++ b/charts/mastodon/README.md
@@ -1,6 +1,6 @@
# mastodon
-  
+  
Mastodon is a free, open-source social network server based on ActivityPub.
@@ -15,6 +15,8 @@ This unofficical Helm chart is maintained to the best of knowledge, with the lim
## Requirements
+Kubernetes: `>= 1.23`
+
| Repository | Name | Version |
|------------|------|---------|
| https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami | elasticsearch | 19.11.1 |
@@ -73,7 +75,8 @@ This unofficical Helm chart is maintained to the best of knowledge, with the lim
| mastodon.sidekiq.affinity | object | `{}` | Affinity for all Sidekiq Deployments unless overwritten, overwrites .Values.affinity |
| mastodon.sidekiq.podSecurityContext | object | `{}` | Pod security context for all Sidekiq Pods, overwrites .Values.podSecurityContext |
| mastodon.sidekiq.resources | object | `{}` | Resources for all Sidekiq Deployments unless overwritten |
-| mastodon.sidekiq.securityContext | Sidekiq Container | `{}` | Security Context for all Pods, overwrites .Values.securityContext |
+| mastodon.sidekiq.securityContext | Sidekiq Container | `{"readOnlyRootFilesystem":true}` | Security Context for all Pods, overwrites .Values.securityContext |
+| mastodon.sidekiq.temporaryVolumeTemplate | object | `{"ephemeral":{"volumeClaimTemplate":{"spec":{"accessModes":["ReadWriteOnce"],"resources":{"requests":{"storage":"5Gi"}}}}}}` | temporary volume template required for read-only root filesystem |
| mastodon.sidekiq.workers[0].affinity | object | `{}` | Affinity for this specific deployment, overwrites .Values.affinity and .Values.mastodon.sidekiq.affinity |
| mastodon.sidekiq.workers[0].concurrency | int | `25` | Number of threads / parallel sidekiq jobs that are executed per Pod |
| mastodon.sidekiq.workers[0].name | string | `"all-queues"` | |
diff --git a/charts/mastodon/templates/_helpers.tpl b/charts/mastodon/templates/_helpers.tpl
index 336037b59bb0cbe95b818addf6b96206c87c3124..11301c750a5f072636ec5700e50cfaa30c6a57c9 100644
--- a/charts/mastodon/templates/_helpers.tpl
+++ b/charts/mastodon/templates/_helpers.tpl
@@ -147,3 +147,23 @@ Find highest number of needed database connections to set DB_POOL variable
{{- end }}
{{- $poolSize | quote }}
{{- end }}
+
+{{- define "mastodon.nonS3MediaVolumes" -}}
+{{- if (not .Values.mastodon.s3.enabled) }}
+- name: assets
+ persistentVolumeClaim:
+ claimName: {{ template "mastodon.fullname" . }}-assets
+- name: system
+ persistentVolumeClaim:
+ claimName: {{ template "mastodon.fullname" . }}-system
+{{- end }}
+{{- end }}
+
+{{- define "mastodon.nonS3MediaMounts" -}}
+{{- if (not .Values.mastodon.s3.enabled) }}
+- name: assets
+ mountPath: /opt/mastodon/public/assets
+- name: system
+ mountPath: /opt/mastodon/public/system
+{{- end }}
+{{- end }}
diff --git a/charts/mastodon/templates/cronjob-media-remove.yaml b/charts/mastodon/templates/cronjob-media-remove.yaml
index 4707b631934339d20d05b3921eab96c57203e411..9e2354c0139935f6db7c808838c6691e850b2291 100644
--- a/charts/mastodon/templates/cronjob-media-remove.yaml
+++ b/charts/mastodon/templates/cronjob-media-remove.yaml
@@ -38,12 +38,7 @@ spec:
{{- toYaml . | nindent 12 }}
{{- end }}
volumes:
- - name: assets
- persistentVolumeClaim:
- claimName: {{ template "mastodon.fullname" . }}-assets
- - name: system
- persistentVolumeClaim:
- claimName: {{ template "mastodon.fullname" . }}-system
+ {{- include "mastodon.nonS3MediaVolumes" . | nindent 12 }}
{{- end }}
containers:
- name: {{ include "mastodon.fullname" . }}-media-remove
@@ -79,9 +74,6 @@ spec:
{{- end }}
{{- if (not .Values.mastodon.s3.enabled) }}
volumeMounts:
- - name: assets
- mountPath: /opt/mastodon/public/assets
- - name: system
- mountPath: /opt/mastodon/public/system
+ {{- include "mastodon.nonS3MediaMounts" . | nindent 16 }}
{{- end }}
{{- end }}
diff --git a/charts/mastodon/templates/deployment-sidekiq.yaml b/charts/mastodon/templates/deployment-sidekiq.yaml
index 486c2e4281a71e8747742cd5fd3af202e67cf927..82b7746fbd61f44b669483204728559e049850e9 100644
--- a/charts/mastodon/templates/deployment-sidekiq.yaml
+++ b/charts/mastodon/templates/deployment-sidekiq.yaml
@@ -46,15 +46,12 @@ spec:
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
- {{- if (not $context.Values.mastodon.s3.enabled) }}
+ {{- if (or (not $context.Values.mastodon.s3.enabled) (deepCopy $context.Values.securityContext | mergeOverwrite $context.Values.mastodon.sidekiq.securityContext).readOnlyRootFilesystem) }}
volumes:
- - name: assets
- persistentVolumeClaim:
- claimName: {{ template "mastodon.fullname" $context }}-assets
- - name: system
- persistentVolumeClaim:
- claimName: {{ template "mastodon.fullname" $context }}-system
+ {{- include "mastodon.nonS3MediaVolumes" $context | nindent 8 }}
{{- end }}
+ - name: tmp
+ {{- toYaml $context.Values.mastodon.sidekiq.temporaryVolumeTemplate | nindent 10 }}
containers:
- name: {{ $context.Chart.Name }}
{{- with (deepCopy $context.Values.securityContext | mergeOverwrite $context.Values.mastodon.sidekiq.securityContext ) }}
@@ -116,12 +113,11 @@ spec:
name: {{ $context.Values.mastodon.smtp.existingSecret }}
key: password
{{- end }}
- {{- if (not $context.Values.mastodon.s3.enabled) }}
+ {{- if (or (not $context.Values.mastodon.s3.enabled) (deepCopy $context.Values.securityContext | mergeOverwrite $context.Values.mastodon.sidekiq.securityContext).readOnlyRootFilesystem) }}
volumeMounts:
- - name: assets
- mountPath: /opt/mastodon/public/assets
- - name: system
- mountPath: /opt/mastodon/public/system
+ {{- include "mastodon.nonS3MediaMounts" $context | nindent 12 }}
+ - name: tmp
+ mountPath: /tmp
{{- end }}
resources:
{{- toYaml (default (default $context.Values.resources $context.Values.mastodon.sidekiq.resources) .resources) | nindent 12 }}
diff --git a/charts/mastodon/templates/deployment-web.yaml b/charts/mastodon/templates/deployment-web.yaml
index 0ba5374dbd636c90b49186bc0039fcdb98a1c6bb..ebaeebe3fe0dfc759d8b2e998f9175f956221550 100644
--- a/charts/mastodon/templates/deployment-web.yaml
+++ b/charts/mastodon/templates/deployment-web.yaml
@@ -35,12 +35,7 @@ spec:
{{- end }}
{{- if (not .Values.mastodon.s3.enabled) }}
volumes:
- - name: assets
- persistentVolumeClaim:
- claimName: {{ template "mastodon.fullname" . }}-assets
- - name: system
- persistentVolumeClaim:
- claimName: {{ template "mastodon.fullname" . }}-system
+ {{- include "mastodon.nonS3MediaVolumes" . | nindent 8 }}
{{- end }}
containers:
- name: {{ .Chart.Name }}-web
@@ -90,10 +85,7 @@ spec:
{{- end }}
{{- if (not .Values.mastodon.s3.enabled) }}
volumeMounts:
- - name: assets
- mountPath: /opt/mastodon/public/assets
- - name: system
- mountPath: /opt/mastodon/public/system
+ {{- include "mastodon.nonS3MediaMounts" . | nindent 12 }}
{{- end }}
ports:
- name: http
diff --git a/charts/mastodon/templates/job-assets-precompile.yaml b/charts/mastodon/templates/job-assets-precompile.yaml
index f0604ced376dcbb6ae11f53fd54d57513ad69537..a3fbd5d03729074250b0ff516920c88e4937c03b 100644
--- a/charts/mastodon/templates/job-assets-precompile.yaml
+++ b/charts/mastodon/templates/job-assets-precompile.yaml
@@ -24,12 +24,7 @@ spec:
{{- end }}
{{- if (not .Values.mastodon.s3.enabled) }}
volumes:
- - name: assets
- persistentVolumeClaim:
- claimName: {{ template "mastodon.fullname" . }}-assets
- - name: system
- persistentVolumeClaim:
- claimName: {{ template "mastodon.fullname" . }}-system
+ {{- include "mastodon.nonS3MediaVolumes" . | nindent 8 }}
{{- end }}
{{- with .Values.podSecurityContext }}
securityContext:
@@ -70,8 +65,5 @@ spec:
{{- end }}
{{- if (not .Values.mastodon.s3.enabled) }}
volumeMounts:
- - name: assets
- mountPath: /opt/mastodon/public/assets
- - name: system
- mountPath: /opt/mastodon/public/system
+ {{- include "mastodon.nonS3MediaMounts" . | nindent 12 }}
{{- end }}
diff --git a/charts/mastodon/templates/job-chewy-upgrade.yaml b/charts/mastodon/templates/job-chewy-upgrade.yaml
index dd8a8ad4c485b848ea763cc56afb481ae78470c4..f360e96efe47165c0a4c52f54f99450cc7db129d 100644
--- a/charts/mastodon/templates/job-chewy-upgrade.yaml
+++ b/charts/mastodon/templates/job-chewy-upgrade.yaml
@@ -25,12 +25,7 @@ spec:
{{- end }}
{{- if (not .Values.mastodon.s3.enabled) }}
volumes:
- - name: assets
- persistentVolumeClaim:
- claimName: {{ template "mastodon.fullname" . }}-assets
- - name: system
- persistentVolumeClaim:
- claimName: {{ template "mastodon.fullname" . }}-system
+ {{- include "mastodon.nonS3MediaVolumes" . | nindent 8 }}
{{- end }}
{{- with .Values.podSecurityContext }}
securityContext:
@@ -71,9 +66,6 @@ spec:
{{- end }}
{{- if (not .Values.mastodon.s3.enabled) }}
volumeMounts:
- - name: assets
- mountPath: /opt/mastodon/public/assets
- - name: system
- mountPath: /opt/mastodon/public/system
+ {{- include "mastodon.nonS3MediaMounts" . | nindent 12 }}
{{- end }}
{{- end }}
diff --git a/charts/mastodon/templates/job-create-admin.yaml b/charts/mastodon/templates/job-create-admin.yaml
index 9fba07addacd6a70c92941b7c38df66d8206bf49..353ab6a33a330d1e1f56dd387867500a59c45525 100644
--- a/charts/mastodon/templates/job-create-admin.yaml
+++ b/charts/mastodon/templates/job-create-admin.yaml
@@ -25,12 +25,7 @@ spec:
{{- end }}
{{- if (not .Values.mastodon.s3.enabled) }}
volumes:
- - name: assets
- persistentVolumeClaim:
- claimName: {{ template "mastodon.fullname" . }}-assets
- - name: system
- persistentVolumeClaim:
- claimName: {{ template "mastodon.fullname" . }}-system
+ {{- include "mastodon.nonS3MediaVolumes" . | nindent 8 }}
{{- end }}
{{- with .Values.podSecurityContext }}
securityContext:
@@ -76,9 +71,6 @@ spec:
{{- end }}
{{- if (not .Values.mastodon.s3.enabled) }}
volumeMounts:
- - name: assets
- mountPath: /opt/mastodon/public/assets
- - name: system
- mountPath: /opt/mastodon/public/system
+ {{- include "mastodon.nonS3MediaMounts" . | nindent 12 }}
{{- end }}
{{- end }}
diff --git a/charts/mastodon/templates/job-db-migrate.yaml b/charts/mastodon/templates/job-db-migrate.yaml
index 830f5b5900ea8bddf0b75addeb2d8fa2785e096b..6c627dc7e3a6e46b1ca4b355f4fc2877f669cc48 100644
--- a/charts/mastodon/templates/job-db-migrate.yaml
+++ b/charts/mastodon/templates/job-db-migrate.yaml
@@ -24,12 +24,7 @@ spec:
{{- end }}
{{- if (not .Values.mastodon.s3.enabled) }}
volumes:
- - name: assets
- persistentVolumeClaim:
- claimName: {{ template "mastodon.fullname" . }}-assets
- - name: system
- persistentVolumeClaim:
- claimName: {{ template "mastodon.fullname" . }}-system
+ {{- include "mastodon.nonS3MediaVolumes" . | nindent 8 }}
{{- end }}
{{- with .Values.podSecurityContext }}
securityContext:
@@ -70,8 +65,5 @@ spec:
{{- end }}
{{- if (not .Values.mastodon.s3.enabled) }}
volumeMounts:
- - name: assets
- mountPath: /opt/mastodon/public/assets
- - name: system
- mountPath: /opt/mastodon/public/system
+ {{- include "mastodon.nonS3MediaMounts" . | nindent 12 }}
{{- end }}
diff --git a/charts/mastodon/templates/job-db-pre-migrate.yaml b/charts/mastodon/templates/job-db-pre-migrate.yaml
index f77a2525e81a7fef2bcd287e6a4dd110310c32c2..e75e0f06b672b75b95ad2b3df2d5e8e741f492dd 100644
--- a/charts/mastodon/templates/job-db-pre-migrate.yaml
+++ b/charts/mastodon/templates/job-db-pre-migrate.yaml
@@ -24,12 +24,7 @@ spec:
{{- end }}
{{- if (not .Values.mastodon.s3.enabled) }}
volumes:
- - name: assets
- persistentVolumeClaim:
- claimName: {{ template "mastodon.fullname" . }}-assets
- - name: system
- persistentVolumeClaim:
- claimName: {{ template "mastodon.fullname" . }}-system
+ {{- include "mastodon.nonS3MediaVolumes" . | nindent 8 }}
{{- end }}
{{- with .Values.podSecurityContext }}
securityContext:
@@ -72,8 +67,5 @@ spec:
{{- end }}
{{- if (not .Values.mastodon.s3.enabled) }}
volumeMounts:
- - name: assets
- mountPath: /opt/mastodon/public/assets
- - name: system
- mountPath: /opt/mastodon/public/system
+ {{- include "mastodon.nonS3MediaMounts" . | nindent 12 }}
{{- end }}
diff --git a/charts/mastodon/tests/50_sidekiq_test.yaml b/charts/mastodon/tests/50_sidekiq_test.yaml
index 4c5bbf66665dd14f75362e0f3356045c49d40ff6..ae9fdc2bbf1ea7eeb1ac77e7c97e4b4564b323aa 100644
--- a/charts/mastodon/tests/50_sidekiq_test.yaml
+++ b/charts/mastodon/tests/50_sidekiq_test.yaml
@@ -79,4 +79,17 @@ tests:
path: spec.selector.matchLabels["app.kubernetes.io/part-of"]
value: rails
template: deployment-sidekiq.yaml
+ - it: renders temporaryVolumeTemplate correctly
+ values:
+ - mocks/dev.yaml
+ - mocks/sidekiq.yaml
+ set:
+ mastodon:
+ s3:
+ enabled: true
+ chart:
+ version: 1.2.3
+ appVersion: 4.5.6
+ asserts:
+ - matchSnapshot: {}
diff --git a/charts/mastodon/tests/__snapshot__/50_sidekiq_test.yaml.snap b/charts/mastodon/tests/__snapshot__/50_sidekiq_test.yaml.snap
index b09d31f736afaffb718910e24ce792c09a16e92d..c8fa6ea83380a6866666d036be6487c82fe95265 100644
--- a/charts/mastodon/tests/__snapshot__/50_sidekiq_test.yaml.snap
+++ b/charts/mastodon/tests/__snapshot__/50_sidekiq_test.yaml.snap
@@ -1,3 +1,285 @@
+renders temporaryVolumeTemplate correctly:
+ 1: |
+ apiVersion: v1
+ data:
+ DB_HOST: RELEASE-NAME-postgresql
+ DB_NAME: mastodon_production
+ DB_POOL: "25"
+ DB_PORT: "5432"
+ DB_USER: mastodon
+ DEFAULT_LOCALE: en
+ ES_ENABLED: "true"
+ ES_HOST: RELEASE-NAME-elasticsearch-master-hl
+ ES_PORT: "9200"
+ LOCAL_DOMAIN: mastodon.local
+ MALLOC_ARENA_MAX: "2"
+ NODE_ENV: production
+ PREPARED_STATEMENTS: "true"
+ RAILS_ENV: production
+ REDIS_HOST: RELEASE-NAME-redis-master
+ REDIS_PORT: "6379"
+ S3_BUCKET: null
+ S3_ENABLED: "true"
+ S3_ENDPOINT: null
+ S3_HOSTNAME: null
+ S3_PROTOCOL: https
+ SMTP_AUTH_METHOD: plain
+ SMTP_CA_FILE: /etc/ssl/certs/ca-certificates.crt
+ SMTP_DELIVERY_METHOD: smtp
+ SMTP_ENABLE_STARTTLS: auto
+ SMTP_FROM_ADDRESS: notifications@example.com
+ SMTP_OPENSSL_VERIFY_MODE: peer
+ SMTP_PORT: "587"
+ SMTP_SERVER: smtp.mailgun.org
+ STREAMING_CLUSTER_NUM: "1"
+ kind: ConfigMap
+ metadata:
+ labels:
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: mastodon
+ app.kubernetes.io/version: 4.5.6
+ helm.sh/chart: mastodon-1.2.3
+ name: RELEASE-NAME-mastodon-env
+ 2: |
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ labels:
+ app.kubernetes.io/component: sidekiq-scheduler
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: mastodon
+ app.kubernetes.io/part-of: rails
+ app.kubernetes.io/version: 4.5.6
+ helm.sh/chart: mastodon-1.2.3
+ name: RELEASE-NAME-mastodon-sidekiq-scheduler
+ spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: sidekiq-scheduler
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/name: mastodon
+ app.kubernetes.io/part-of: rails
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ annotations:
+ checksum/config-configmap: b4ff25ac749821c69f078e62cf9ef4b11a561dfe000643b674f0cd4452c29379
+ checksum/config-secrets: 90ba38117b49c3fae15b0af40de2acce58cfa37f2e6e5d981b39815786ab41d3
+ labels:
+ app.kubernetes.io/component: sidekiq-scheduler
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/name: mastodon
+ app.kubernetes.io/part-of: rails
+ spec:
+ containers:
+ - command:
+ - bundle
+ - exec
+ - sidekiq
+ - -c
+ - "25"
+ - -q
+ - scheduler
+ env:
+ - name: DB_PASS
+ valueFrom:
+ secretKeyRef:
+ key: password
+ name: RELEASE-NAME-postgresql
+ - name: REDIS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: redis-password
+ name: RELEASE-NAME-redis
+ envFrom:
+ - configMapRef:
+ name: RELEASE-NAME-mastodon-env
+ - secretRef:
+ name: RELEASE-NAME-mastodon
+ image: ghcr.io/mastodon/mastodon:4.5.6
+ imagePullPolicy: IfNotPresent
+ name: mastodon
+ resources: {}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ volumeMounts:
+ - mountPath: /tmp
+ name: tmp
+ securityContext:
+ fsGroup: 991
+ runAsGroup: 991
+ runAsNonRoot: true
+ runAsUser: 991
+ seccompProfile:
+ type: RuntimeDefault
+ serviceAccountName: RELEASE-NAME-mastodon
+ volumes:
+ - ephemeral:
+ volumeClaimTemplate:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 5Gi
+ name: tmp
+ 3: |
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ labels:
+ app.kubernetes.io/component: sidekiq-default
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: mastodon
+ app.kubernetes.io/part-of: rails
+ app.kubernetes.io/version: 4.5.6
+ helm.sh/chart: mastodon-1.2.3
+ name: RELEASE-NAME-mastodon-sidekiq-default
+ spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: sidekiq-default
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/name: mastodon
+ app.kubernetes.io/part-of: rails
+ template:
+ metadata:
+ annotations:
+ checksum/config-configmap: b4ff25ac749821c69f078e62cf9ef4b11a561dfe000643b674f0cd4452c29379
+ checksum/config-secrets: 90ba38117b49c3fae15b0af40de2acce58cfa37f2e6e5d981b39815786ab41d3
+ labels:
+ app.kubernetes.io/component: sidekiq-default
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/name: mastodon
+ app.kubernetes.io/part-of: rails
+ spec:
+ containers:
+ - command:
+ - bundle
+ - exec
+ - sidekiq
+ - -c
+ - "25"
+ - -q
+ - default
+ env:
+ - name: DB_PASS
+ valueFrom:
+ secretKeyRef:
+ key: password
+ name: RELEASE-NAME-postgresql
+ - name: REDIS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: redis-password
+ name: RELEASE-NAME-redis
+ envFrom:
+ - configMapRef:
+ name: RELEASE-NAME-mastodon-env
+ - secretRef:
+ name: RELEASE-NAME-mastodon
+ image: ghcr.io/mastodon/mastodon:4.5.6
+ imagePullPolicy: IfNotPresent
+ name: mastodon
+ resources: {}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ volumeMounts:
+ - mountPath: /tmp
+ name: tmp
+ securityContext:
+ fsGroup: 991
+ runAsGroup: 991
+ runAsNonRoot: true
+ runAsUser: 991
+ seccompProfile:
+ type: RuntimeDefault
+ serviceAccountName: RELEASE-NAME-mastodon
+ volumes:
+ - ephemeral:
+ volumeClaimTemplate:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 5Gi
+ name: tmp
+ 4: |
+ apiVersion: policy/v1
+ kind: PodDisruptionBudget
+ metadata:
+ labels:
+ app.kubernetes.io/component: sidekiq-scheduler
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: mastodon
+ app.kubernetes.io/part-of: rails
+ app.kubernetes.io/version: 4.5.6
+ helm.sh/chart: mastodon-1.2.3
+ name: RELEASE-NAME-mastodon-sidekiq-scheduler
+ spec:
+ maxUnavailable: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: sidekiq-scheduler
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/name: mastodon
+ app.kubernetes.io/part-of: rails
+ 5: |
+ apiVersion: policy/v1
+ kind: PodDisruptionBudget
+ metadata:
+ labels:
+ app.kubernetes.io/component: sidekiq-default
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: mastodon
+ app.kubernetes.io/part-of: rails
+ app.kubernetes.io/version: 4.5.6
+ helm.sh/chart: mastodon-1.2.3
+ name: RELEASE-NAME-mastodon-sidekiq-default
+ spec:
+ maxUnavailable: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: sidekiq-default
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/name: mastodon
+ app.kubernetes.io/part-of: rails
+ 6: |
+ apiVersion: v1
+ data:
+ AWS_ACCESS_KEY_ID: ""
+ AWS_SECRET_ACCESS_KEY: ""
+ OTP_SECRET: ZHVtbXktb3RwX3NlY3JldA==
+ SECRET_KEY_BASE: ZHVtbXktc2VjcmV0X2tleV9iYXNl
+ VAPID_PRIVATE_KEY: ZHVtbXktdmFwaWQtcHJpdmF0ZV9rZXk=
+ VAPID_PUBLIC_KEY: ZHVtbXktdmFwaWQtcHVibGljX2tleQ==
+ kind: Secret
+ metadata:
+ labels:
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: mastodon
+ app.kubernetes.io/version: 4.5.6
+ helm.sh/chart: mastodon-1.2.3
+ name: RELEASE-NAME-mastodon
+ type: Opaque
should match basic snapshot:
1: |
apiVersion: v1
@@ -114,11 +396,14 @@ should match basic snapshot:
capabilities:
drop:
- ALL
+ readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /opt/mastodon/public/assets
name: assets
- mountPath: /opt/mastodon/public/system
name: system
+ - mountPath: /tmp
+ name: tmp
securityContext:
fsGroup: 991
runAsGroup: 991
@@ -134,6 +419,15 @@ should match basic snapshot:
- name: system
persistentVolumeClaim:
claimName: RELEASE-NAME-mastodon-system
+ - ephemeral:
+ volumeClaimTemplate:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 5Gi
+ name: tmp
3: |
apiVersion: policy/v1
kind: PodDisruptionBudget
diff --git a/charts/mastodon/tests/__snapshot__/80_subchart_redis_test.yaml.snap b/charts/mastodon/tests/__snapshot__/80_subchart_redis_test.yaml.snap
index bae0e7530d10b2674d047076035607016cbf0d7c..721f8cc897907a4c312a2d0db6acd1cf874a152f 100644
--- a/charts/mastodon/tests/__snapshot__/80_subchart_redis_test.yaml.snap
+++ b/charts/mastodon/tests/__snapshot__/80_subchart_redis_test.yaml.snap
@@ -72,11 +72,14 @@ should allow disabling redis auth:
capabilities:
drop:
- ALL
+ readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /opt/mastodon/public/assets
name: assets
- mountPath: /opt/mastodon/public/system
name: system
+ - mountPath: /tmp
+ name: tmp
securityContext:
fsGroup: 991
runAsGroup: 991
@@ -92,6 +95,15 @@ should allow disabling redis auth:
- name: system
persistentVolumeClaim:
claimName: RELEASE-NAME-mastodon-system
+ - ephemeral:
+ volumeClaimTemplate:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 5Gi
+ name: tmp
2: |
apiVersion: apps/v1
kind: Deployment
diff --git a/charts/mastodon/tests/__snapshot__/98_snapshot_test.yaml.snap b/charts/mastodon/tests/__snapshot__/98_snapshot_test.yaml.snap
index a872391ce09782a2d19310e17497a5b3d31edfea..dda25cf87e086313056df077b4ff0e120ca1e870 100644
--- a/charts/mastodon/tests/__snapshot__/98_snapshot_test.yaml.snap
+++ b/charts/mastodon/tests/__snapshot__/98_snapshot_test.yaml.snap
@@ -194,11 +194,14 @@ should match basic snapshot:
capabilities:
drop:
- ALL
+ readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /opt/mastodon/public/assets
name: assets
- mountPath: /opt/mastodon/public/system
name: system
+ - mountPath: /tmp
+ name: tmp
securityContext:
fsGroup: 991
runAsGroup: 991
@@ -214,6 +217,15 @@ should match basic snapshot:
- name: system
persistentVolumeClaim:
claimName: RELEASE-NAME-mastodon-system
+ - ephemeral:
+ volumeClaimTemplate:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 5Gi
+ name: tmp
4: |
apiVersion: apps/v1
kind: Deployment
@@ -1157,11 +1169,14 @@ should match basic snapshot without dependencies:
capabilities:
drop:
- ALL
+ readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /opt/mastodon/public/assets
name: assets
- mountPath: /opt/mastodon/public/system
name: system
+ - mountPath: /tmp
+ name: tmp
securityContext:
fsGroup: 991
runAsGroup: 991
@@ -1177,6 +1192,15 @@ should match basic snapshot without dependencies:
- name: system
persistentVolumeClaim:
claimName: RELEASE-NAME-mastodon-system
+ - ephemeral:
+ volumeClaimTemplate:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 5Gi
+ name: tmp
4: |
apiVersion: apps/v1
kind: Deployment
diff --git a/charts/mastodon/values.yaml b/charts/mastodon/values.yaml
index db78da6ce089cc100c43f574ff8557082a2f36a7..5648141e29be07de481c3bed56bbb86ba1d255ad 100644
--- a/charts/mastodon/values.yaml
+++ b/charts/mastodon/values.yaml
@@ -82,7 +82,20 @@ mastodon:
# -- Pod security context for all Sidekiq Pods, overwrites .Values.podSecurityContext
podSecurityContext: {}
# -- (Sidekiq Container) Security Context for all Pods, overwrites .Values.securityContext
- securityContext: {}
+ securityContext:
+ readOnlyRootFilesystem: true
+ # -- temporary volume template required for read-only root filesystem
+ temporaryVolumeTemplate:
+ # emptydir is currently not possible due to permissions issue with Ruby: https://microblog.shivering-isles.com/@sheogorath/111040613569754423
+ # emptydir: {}
+ ephemeral:
+ volumeClaimTemplate:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 5Gi
# -- Resources for all Sidekiq Deployments unless overwritten
resources: {}
# -- Affinity for all Sidekiq Deployments unless overwritten, overwrites .Values.affinity