From 1b8a9685d7fe6824108665cb1abf61eeeb7ea83b Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Sat, 30 Sep 2023 15:08:17 +0200
Subject: [PATCH] feat(mastodon): Make sidekiq run with readOnlyFilesystem:
true
This patch introduces and ephemeral volume in order to allow sidekiq to
do the media processing without the problem that emptydir causes due to
how the ruby tempfile libarary evaluates temp file locations. Therefore
a small volume is introduced that takes care of it instead.
Additionally it refactors some of the volume templates to reduce
repetition.
References:
https://kubernetes.io/docs/concepts/storage/ephemeral-volumes/#generic-ephemeral-volumes
https://microblog.shivering-isles.com/@sheogorath/111040613569754423
---
charts/mastodon/Chart.yaml | 3 +-
charts/mastodon/README.md | 7 +-
charts/mastodon/templates/_helpers.tpl | 20 ++
.../templates/cronjob-media-remove.yaml | 12 +-
.../templates/deployment-sidekiq.yaml | 20 +-
charts/mastodon/templates/deployment-web.yaml | 12 +-
.../templates/job-assets-precompile.yaml | 12 +-
.../mastodon/templates/job-chewy-upgrade.yaml | 12 +-
.../mastodon/templates/job-create-admin.yaml | 12 +-
charts/mastodon/templates/job-db-migrate.yaml | 12 +-
.../templates/job-db-pre-migrate.yaml | 12 +-
charts/mastodon/tests/50_sidekiq_test.yaml | 13 +
.../__snapshot__/50_sidekiq_test.yaml.snap | 294 ++++++++++++++++++
.../80_subchart_redis_test.yaml.snap | 12 +
.../__snapshot__/98_snapshot_test.yaml.snap | 24 ++
charts/mastodon/values.yaml | 15 +-
16 files changed, 406 insertions(+), 86 deletions(-)
diff --git a/charts/mastodon/Chart.yaml b/charts/mastodon/Chart.yaml
index d20722766..deba215fd 100644
--- a/charts/mastodon/Chart.yaml
+++ b/charts/mastodon/Chart.yaml
@@ -17,7 +17,8 @@ annotations:
- name: support
url: https://matrix.to/#/#mastodon-on-kubernetes:shivering-isles.com
type: application
-version: 7.0.0
+version: 7.1.0
+kubeVersion: ">= 1.23"
# renovate: image=ghcr.io/mastodon/mastodon
appVersion: "v4.1.9"
diff --git a/charts/mastodon/README.md b/charts/mastodon/README.md
index 4e708915d..53234fc15 100644
--- a/charts/mastodon/README.md
+++ b/charts/mastodon/README.md
@@ -1,6 +1,6 @@
# mastodon
-  
+  
Mastodon is a free, open-source social network server based on ActivityPub.
@@ -15,6 +15,8 @@ This unofficical Helm chart is maintained to the best of knowledge, with the lim
## Requirements
+Kubernetes: `>= 1.23`
+
| Repository | Name | Version |
|------------|------|---------|
| https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami | elasticsearch | 19.11.1 |
@@ -73,7 +75,8 @@ This unofficical Helm chart is maintained to the best of knowledge, with the lim
| mastodon.sidekiq.affinity | object | `{}` | Affinity for all Sidekiq Deployments unless overwritten, overwrites .Values.affinity |
| mastodon.sidekiq.podSecurityContext | object | `{}` | Pod security context for all Sidekiq Pods, overwrites .Values.podSecurityContext |
| mastodon.sidekiq.resources | object | `{}` | Resources for all Sidekiq Deployments unless overwritten |
-| mastodon.sidekiq.securityContext | Sidekiq Container | `{}` | Security Context for all Pods, overwrites .Values.securityContext |
+| mastodon.sidekiq.securityContext | Sidekiq Container | `{"readOnlyRootFilesystem":true}` | Security Context for all Pods, overwrites .Values.securityContext |
+| mastodon.sidekiq.temporaryVolumeTemplate | object | `{"ephemeral":{"volumeClaimTemplate":{"spec":{"accessModes":["ReadWriteOnce"],"resources":{"requests":{"storage":"5Gi"}}}}}}` | temporary volume template required for read-only root filesystem |
| mastodon.sidekiq.workers[0].affinity | object | `{}` | Affinity for this specific deployment, overwrites .Values.affinity and .Values.mastodon.sidekiq.affinity |
| mastodon.sidekiq.workers[0].concurrency | int | `25` | Number of threads / parallel sidekiq jobs that are executed per Pod |
| mastodon.sidekiq.workers[0].name | string | `"all-queues"` | |
diff --git a/charts/mastodon/templates/_helpers.tpl b/charts/mastodon/templates/_helpers.tpl
index 336037b59..11301c750 100644
--- a/charts/mastodon/templates/_helpers.tpl
+++ b/charts/mastodon/templates/_helpers.tpl
@@ -147,3 +147,23 @@ Find highest number of needed database connections to set DB_POOL variable
{{- end }}
{{- $poolSize | quote }}
{{- end }}
+
+{{- define "mastodon.nonS3MediaVolumes" -}}
+{{- if (not .Values.mastodon.s3.enabled) }}
+- name: assets
+ persistentVolumeClaim:
+ claimName: {{ template "mastodon.fullname" . }}-assets
+- name: system
+ persistentVolumeClaim:
+ claimName: {{ template "mastodon.fullname" . }}-system
+{{- end }}
+{{- end }}
+
+{{- define "mastodon.nonS3MediaMounts" -}}
+{{- if (not .Values.mastodon.s3.enabled) }}
+- name: assets
+ mountPath: /opt/mastodon/public/assets
+- name: system
+ mountPath: /opt/mastodon/public/system
+{{- end }}
+{{- end }}
diff --git a/charts/mastodon/templates/cronjob-media-remove.yaml b/charts/mastodon/templates/cronjob-media-remove.yaml
index 4707b6319..9e2354c01 100644
--- a/charts/mastodon/templates/cronjob-media-remove.yaml
+++ b/charts/mastodon/templates/cronjob-media-remove.yaml
@@ -38,12 +38,7 @@ spec:
{{- toYaml . | nindent 12 }}
{{- end }}
volumes:
- - name: assets
- persistentVolumeClaim:
- claimName: {{ template "mastodon.fullname" . }}-assets
- - name: system
- persistentVolumeClaim:
- claimName: {{ template "mastodon.fullname" . }}-system
+ {{- include "mastodon.nonS3MediaVolumes" . | nindent 12 }}
{{- end }}
containers:
- name: {{ include "mastodon.fullname" . }}-media-remove
@@ -79,9 +74,6 @@ spec:
{{- end }}
{{- if (not .Values.mastodon.s3.enabled) }}
volumeMounts:
- - name: assets
- mountPath: /opt/mastodon/public/assets
- - name: system
- mountPath: /opt/mastodon/public/system
+ {{- include "mastodon.nonS3MediaMounts" . | nindent 16 }}
{{- end }}
{{- end }}
diff --git a/charts/mastodon/templates/deployment-sidekiq.yaml b/charts/mastodon/templates/deployment-sidekiq.yaml
index 486c2e428..82b7746fb 100644
--- a/charts/mastodon/templates/deployment-sidekiq.yaml
+++ b/charts/mastodon/templates/deployment-sidekiq.yaml
@@ -46,15 +46,12 @@ spec:
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
- {{- if (not $context.Values.mastodon.s3.enabled) }}
+ {{- if (or (not $context.Values.mastodon.s3.enabled) (deepCopy $context.Values.securityContext | mergeOverwrite $context.Values.mastodon.sidekiq.securityContext).readOnlyRootFilesystem) }}
volumes:
- - name: assets
- persistentVolumeClaim:
- claimName: {{ template "mastodon.fullname" $context }}-assets
- - name: system
- persistentVolumeClaim:
- claimName: {{ template "mastodon.fullname" $context }}-system
+ {{- include "mastodon.nonS3MediaVolumes" $context | nindent 8 }}
{{- end }}
+ - name: tmp
+ {{- toYaml $context.Values.mastodon.sidekiq.temporaryVolumeTemplate | nindent 10 }}
containers:
- name: {{ $context.Chart.Name }}
{{- with (deepCopy $context.Values.securityContext | mergeOverwrite $context.Values.mastodon.sidekiq.securityContext ) }}
@@ -116,12 +113,11 @@ spec:
name: {{ $context.Values.mastodon.smtp.existingSecret }}
key: password
{{- end }}
- {{- if (not $context.Values.mastodon.s3.enabled) }}
+ {{- if (or (not $context.Values.mastodon.s3.enabled) (deepCopy $context.Values.securityContext | mergeOverwrite $context.Values.mastodon.sidekiq.securityContext).readOnlyRootFilesystem) }}
volumeMounts:
- - name: assets
- mountPath: /opt/mastodon/public/assets
- - name: system
- mountPath: /opt/mastodon/public/system
+ {{- include "mastodon.nonS3MediaMounts" $context | nindent 12 }}
+ - name: tmp
+ mountPath: /tmp
{{- end }}
resources:
{{- toYaml (default (default $context.Values.resources $context.Values.mastodon.sidekiq.resources) .resources) | nindent 12 }}
diff --git a/charts/mastodon/templates/deployment-web.yaml b/charts/mastodon/templates/deployment-web.yaml
index 0ba5374db..ebaeebe3f 100644
--- a/charts/mastodon/templates/deployment-web.yaml
+++ b/charts/mastodon/templates/deployment-web.yaml
@@ -35,12 +35,7 @@ spec:
{{- end }}
{{- if (not .Values.mastodon.s3.enabled) }}
volumes:
- - name: assets
- persistentVolumeClaim:
- claimName: {{ template "mastodon.fullname" . }}-assets
- - name: system
- persistentVolumeClaim:
- claimName: {{ template "mastodon.fullname" . }}-system
+ {{- include "mastodon.nonS3MediaVolumes" . | nindent 8 }}
{{- end }}
containers:
- name: {{ .Chart.Name }}-web
@@ -90,10 +85,7 @@ spec:
{{- end }}
{{- if (not .Values.mastodon.s3.enabled) }}
volumeMounts:
- - name: assets
- mountPath: /opt/mastodon/public/assets
- - name: system
- mountPath: /opt/mastodon/public/system
+ {{- include "mastodon.nonS3MediaMounts" . | nindent 12 }}
{{- end }}
ports:
- name: http
diff --git a/charts/mastodon/templates/job-assets-precompile.yaml b/charts/mastodon/templates/job-assets-precompile.yaml
index f0604ced3..a3fbd5d03 100644
--- a/charts/mastodon/templates/job-assets-precompile.yaml
+++ b/charts/mastodon/templates/job-assets-precompile.yaml
@@ -24,12 +24,7 @@ spec:
{{- end }}
{{- if (not .Values.mastodon.s3.enabled) }}
volumes:
- - name: assets
- persistentVolumeClaim:
- claimName: {{ template "mastodon.fullname" . }}-assets
- - name: system
- persistentVolumeClaim:
- claimName: {{ template "mastodon.fullname" . }}-system
+ {{- include "mastodon.nonS3MediaVolumes" . | nindent 8 }}
{{- end }}
{{- with .Values.podSecurityContext }}
securityContext:
@@ -70,8 +65,5 @@ spec:
{{- end }}
{{- if (not .Values.mastodon.s3.enabled) }}
volumeMounts:
- - name: assets
- mountPath: /opt/mastodon/public/assets
- - name: system
- mountPath: /opt/mastodon/public/system
+ {{- include "mastodon.nonS3MediaMounts" . | nindent 12 }}
{{- end }}
diff --git a/charts/mastodon/templates/job-chewy-upgrade.yaml b/charts/mastodon/templates/job-chewy-upgrade.yaml
index dd8a8ad4c..f360e96ef 100644
--- a/charts/mastodon/templates/job-chewy-upgrade.yaml
+++ b/charts/mastodon/templates/job-chewy-upgrade.yaml
@@ -25,12 +25,7 @@ spec:
{{- end }}
{{- if (not .Values.mastodon.s3.enabled) }}
volumes:
- - name: assets
- persistentVolumeClaim:
- claimName: {{ template "mastodon.fullname" . }}-assets
- - name: system
- persistentVolumeClaim:
- claimName: {{ template "mastodon.fullname" . }}-system
+ {{- include "mastodon.nonS3MediaVolumes" . | nindent 8 }}
{{- end }}
{{- with .Values.podSecurityContext }}
securityContext:
@@ -71,9 +66,6 @@ spec:
{{- end }}
{{- if (not .Values.mastodon.s3.enabled) }}
volumeMounts:
- - name: assets
- mountPath: /opt/mastodon/public/assets
- - name: system
- mountPath: /opt/mastodon/public/system
+ {{- include "mastodon.nonS3MediaMounts" . | nindent 12 }}
{{- end }}
{{- end }}
diff --git a/charts/mastodon/templates/job-create-admin.yaml b/charts/mastodon/templates/job-create-admin.yaml
index 9fba07add..353ab6a33 100644
--- a/charts/mastodon/templates/job-create-admin.yaml
+++ b/charts/mastodon/templates/job-create-admin.yaml
@@ -25,12 +25,7 @@ spec:
{{- end }}
{{- if (not .Values.mastodon.s3.enabled) }}
volumes:
- - name: assets
- persistentVolumeClaim:
- claimName: {{ template "mastodon.fullname" . }}-assets
- - name: system
- persistentVolumeClaim:
- claimName: {{ template "mastodon.fullname" . }}-system
+ {{- include "mastodon.nonS3MediaVolumes" . | nindent 8 }}
{{- end }}
{{- with .Values.podSecurityContext }}
securityContext:
@@ -76,9 +71,6 @@ spec:
{{- end }}
{{- if (not .Values.mastodon.s3.enabled) }}
volumeMounts:
- - name: assets
- mountPath: /opt/mastodon/public/assets
- - name: system
- mountPath: /opt/mastodon/public/system
+ {{- include "mastodon.nonS3MediaMounts" . | nindent 12 }}
{{- end }}
{{- end }}
diff --git a/charts/mastodon/templates/job-db-migrate.yaml b/charts/mastodon/templates/job-db-migrate.yaml
index 830f5b590..6c627dc7e 100644
--- a/charts/mastodon/templates/job-db-migrate.yaml
+++ b/charts/mastodon/templates/job-db-migrate.yaml
@@ -24,12 +24,7 @@ spec:
{{- end }}
{{- if (not .Values.mastodon.s3.enabled) }}
volumes:
- - name: assets
- persistentVolumeClaim:
- claimName: {{ template "mastodon.fullname" . }}-assets
- - name: system
- persistentVolumeClaim:
- claimName: {{ template "mastodon.fullname" . }}-system
+ {{- include "mastodon.nonS3MediaVolumes" . | nindent 8 }}
{{- end }}
{{- with .Values.podSecurityContext }}
securityContext:
@@ -70,8 +65,5 @@ spec:
{{- end }}
{{- if (not .Values.mastodon.s3.enabled) }}
volumeMounts:
- - name: assets
- mountPath: /opt/mastodon/public/assets
- - name: system
- mountPath: /opt/mastodon/public/system
+ {{- include "mastodon.nonS3MediaMounts" . | nindent 12 }}
{{- end }}
diff --git a/charts/mastodon/templates/job-db-pre-migrate.yaml b/charts/mastodon/templates/job-db-pre-migrate.yaml
index f77a2525e..e75e0f06b 100644
--- a/charts/mastodon/templates/job-db-pre-migrate.yaml
+++ b/charts/mastodon/templates/job-db-pre-migrate.yaml
@@ -24,12 +24,7 @@ spec:
{{- end }}
{{- if (not .Values.mastodon.s3.enabled) }}
volumes:
- - name: assets
- persistentVolumeClaim:
- claimName: {{ template "mastodon.fullname" . }}-assets
- - name: system
- persistentVolumeClaim:
- claimName: {{ template "mastodon.fullname" . }}-system
+ {{- include "mastodon.nonS3MediaVolumes" . | nindent 8 }}
{{- end }}
{{- with .Values.podSecurityContext }}
securityContext:
@@ -72,8 +67,5 @@ spec:
{{- end }}
{{- if (not .Values.mastodon.s3.enabled) }}
volumeMounts:
- - name: assets
- mountPath: /opt/mastodon/public/assets
- - name: system
- mountPath: /opt/mastodon/public/system
+ {{- include "mastodon.nonS3MediaMounts" . | nindent 12 }}
{{- end }}
diff --git a/charts/mastodon/tests/50_sidekiq_test.yaml b/charts/mastodon/tests/50_sidekiq_test.yaml
index 4c5bbf666..ae9fdc2bb 100644
--- a/charts/mastodon/tests/50_sidekiq_test.yaml
+++ b/charts/mastodon/tests/50_sidekiq_test.yaml
@@ -79,4 +79,17 @@ tests:
path: spec.selector.matchLabels["app.kubernetes.io/part-of"]
value: rails
template: deployment-sidekiq.yaml
+ - it: renders temporaryVolumeTemplate correctly
+ values:
+ - mocks/dev.yaml
+ - mocks/sidekiq.yaml
+ set:
+ mastodon:
+ s3:
+ enabled: true
+ chart:
+ version: 1.2.3
+ appVersion: 4.5.6
+ asserts:
+ - matchSnapshot: {}
diff --git a/charts/mastodon/tests/__snapshot__/50_sidekiq_test.yaml.snap b/charts/mastodon/tests/__snapshot__/50_sidekiq_test.yaml.snap
index b09d31f73..c8fa6ea83 100644
--- a/charts/mastodon/tests/__snapshot__/50_sidekiq_test.yaml.snap
+++ b/charts/mastodon/tests/__snapshot__/50_sidekiq_test.yaml.snap
@@ -1,3 +1,285 @@
+renders temporaryVolumeTemplate correctly:
+ 1: |
+ apiVersion: v1
+ data:
+ DB_HOST: RELEASE-NAME-postgresql
+ DB_NAME: mastodon_production
+ DB_POOL: "25"
+ DB_PORT: "5432"
+ DB_USER: mastodon
+ DEFAULT_LOCALE: en
+ ES_ENABLED: "true"
+ ES_HOST: RELEASE-NAME-elasticsearch-master-hl
+ ES_PORT: "9200"
+ LOCAL_DOMAIN: mastodon.local
+ MALLOC_ARENA_MAX: "2"
+ NODE_ENV: production
+ PREPARED_STATEMENTS: "true"
+ RAILS_ENV: production
+ REDIS_HOST: RELEASE-NAME-redis-master
+ REDIS_PORT: "6379"
+ S3_BUCKET: null
+ S3_ENABLED: "true"
+ S3_ENDPOINT: null
+ S3_HOSTNAME: null
+ S3_PROTOCOL: https
+ SMTP_AUTH_METHOD: plain
+ SMTP_CA_FILE: /etc/ssl/certs/ca-certificates.crt
+ SMTP_DELIVERY_METHOD: smtp
+ SMTP_ENABLE_STARTTLS: auto
+ SMTP_FROM_ADDRESS: notifications@example.com
+ SMTP_OPENSSL_VERIFY_MODE: peer
+ SMTP_PORT: "587"
+ SMTP_SERVER: smtp.mailgun.org
+ STREAMING_CLUSTER_NUM: "1"
+ kind: ConfigMap
+ metadata:
+ labels:
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: mastodon
+ app.kubernetes.io/version: 4.5.6
+ helm.sh/chart: mastodon-1.2.3
+ name: RELEASE-NAME-mastodon-env
+ 2: |
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ labels:
+ app.kubernetes.io/component: sidekiq-scheduler
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: mastodon
+ app.kubernetes.io/part-of: rails
+ app.kubernetes.io/version: 4.5.6
+ helm.sh/chart: mastodon-1.2.3
+ name: RELEASE-NAME-mastodon-sidekiq-scheduler
+ spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: sidekiq-scheduler
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/name: mastodon
+ app.kubernetes.io/part-of: rails
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ annotations:
+ checksum/config-configmap: b4ff25ac749821c69f078e62cf9ef4b11a561dfe000643b674f0cd4452c29379
+ checksum/config-secrets: 90ba38117b49c3fae15b0af40de2acce58cfa37f2e6e5d981b39815786ab41d3
+ labels:
+ app.kubernetes.io/component: sidekiq-scheduler
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/name: mastodon
+ app.kubernetes.io/part-of: rails
+ spec:
+ containers:
+ - command:
+ - bundle
+ - exec
+ - sidekiq
+ - -c
+ - "25"
+ - -q
+ - scheduler
+ env:
+ - name: DB_PASS
+ valueFrom:
+ secretKeyRef:
+ key: password
+ name: RELEASE-NAME-postgresql
+ - name: REDIS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: redis-password
+ name: RELEASE-NAME-redis
+ envFrom:
+ - configMapRef:
+ name: RELEASE-NAME-mastodon-env
+ - secretRef:
+ name: RELEASE-NAME-mastodon
+ image: ghcr.io/mastodon/mastodon:4.5.6
+ imagePullPolicy: IfNotPresent
+ name: mastodon
+ resources: {}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ volumeMounts:
+ - mountPath: /tmp
+ name: tmp
+ securityContext:
+ fsGroup: 991
+ runAsGroup: 991
+ runAsNonRoot: true
+ runAsUser: 991
+ seccompProfile:
+ type: RuntimeDefault
+ serviceAccountName: RELEASE-NAME-mastodon
+ volumes:
+ - ephemeral:
+ volumeClaimTemplate:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 5Gi
+ name: tmp
+ 3: |
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ labels:
+ app.kubernetes.io/component: sidekiq-default
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: mastodon
+ app.kubernetes.io/part-of: rails
+ app.kubernetes.io/version: 4.5.6
+ helm.sh/chart: mastodon-1.2.3
+ name: RELEASE-NAME-mastodon-sidekiq-default
+ spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: sidekiq-default
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/name: mastodon
+ app.kubernetes.io/part-of: rails
+ template:
+ metadata:
+ annotations:
+ checksum/config-configmap: b4ff25ac749821c69f078e62cf9ef4b11a561dfe000643b674f0cd4452c29379
+ checksum/config-secrets: 90ba38117b49c3fae15b0af40de2acce58cfa37f2e6e5d981b39815786ab41d3
+ labels:
+ app.kubernetes.io/component: sidekiq-default
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/name: mastodon
+ app.kubernetes.io/part-of: rails
+ spec:
+ containers:
+ - command:
+ - bundle
+ - exec
+ - sidekiq
+ - -c
+ - "25"
+ - -q
+ - default
+ env:
+ - name: DB_PASS
+ valueFrom:
+ secretKeyRef:
+ key: password
+ name: RELEASE-NAME-postgresql
+ - name: REDIS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: redis-password
+ name: RELEASE-NAME-redis
+ envFrom:
+ - configMapRef:
+ name: RELEASE-NAME-mastodon-env
+ - secretRef:
+ name: RELEASE-NAME-mastodon
+ image: ghcr.io/mastodon/mastodon:4.5.6
+ imagePullPolicy: IfNotPresent
+ name: mastodon
+ resources: {}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ volumeMounts:
+ - mountPath: /tmp
+ name: tmp
+ securityContext:
+ fsGroup: 991
+ runAsGroup: 991
+ runAsNonRoot: true
+ runAsUser: 991
+ seccompProfile:
+ type: RuntimeDefault
+ serviceAccountName: RELEASE-NAME-mastodon
+ volumes:
+ - ephemeral:
+ volumeClaimTemplate:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 5Gi
+ name: tmp
+ 4: |
+ apiVersion: policy/v1
+ kind: PodDisruptionBudget
+ metadata:
+ labels:
+ app.kubernetes.io/component: sidekiq-scheduler
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: mastodon
+ app.kubernetes.io/part-of: rails
+ app.kubernetes.io/version: 4.5.6
+ helm.sh/chart: mastodon-1.2.3
+ name: RELEASE-NAME-mastodon-sidekiq-scheduler
+ spec:
+ maxUnavailable: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: sidekiq-scheduler
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/name: mastodon
+ app.kubernetes.io/part-of: rails
+ 5: |
+ apiVersion: policy/v1
+ kind: PodDisruptionBudget
+ metadata:
+ labels:
+ app.kubernetes.io/component: sidekiq-default
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: mastodon
+ app.kubernetes.io/part-of: rails
+ app.kubernetes.io/version: 4.5.6
+ helm.sh/chart: mastodon-1.2.3
+ name: RELEASE-NAME-mastodon-sidekiq-default
+ spec:
+ maxUnavailable: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: sidekiq-default
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/name: mastodon
+ app.kubernetes.io/part-of: rails
+ 6: |
+ apiVersion: v1
+ data:
+ AWS_ACCESS_KEY_ID: ""
+ AWS_SECRET_ACCESS_KEY: ""
+ OTP_SECRET: ZHVtbXktb3RwX3NlY3JldA==
+ SECRET_KEY_BASE: ZHVtbXktc2VjcmV0X2tleV9iYXNl
+ VAPID_PRIVATE_KEY: ZHVtbXktdmFwaWQtcHJpdmF0ZV9rZXk=
+ VAPID_PUBLIC_KEY: ZHVtbXktdmFwaWQtcHVibGljX2tleQ==
+ kind: Secret
+ metadata:
+ labels:
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: mastodon
+ app.kubernetes.io/version: 4.5.6
+ helm.sh/chart: mastodon-1.2.3
+ name: RELEASE-NAME-mastodon
+ type: Opaque
should match basic snapshot:
1: |
apiVersion: v1
@@ -114,11 +396,14 @@ should match basic snapshot:
capabilities:
drop:
- ALL
+ readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /opt/mastodon/public/assets
name: assets
- mountPath: /opt/mastodon/public/system
name: system
+ - mountPath: /tmp
+ name: tmp
securityContext:
fsGroup: 991
runAsGroup: 991
@@ -134,6 +419,15 @@ should match basic snapshot:
- name: system
persistentVolumeClaim:
claimName: RELEASE-NAME-mastodon-system
+ - ephemeral:
+ volumeClaimTemplate:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 5Gi
+ name: tmp
3: |
apiVersion: policy/v1
kind: PodDisruptionBudget
diff --git a/charts/mastodon/tests/__snapshot__/80_subchart_redis_test.yaml.snap b/charts/mastodon/tests/__snapshot__/80_subchart_redis_test.yaml.snap
index bae0e7530..721f8cc89 100644
--- a/charts/mastodon/tests/__snapshot__/80_subchart_redis_test.yaml.snap
+++ b/charts/mastodon/tests/__snapshot__/80_subchart_redis_test.yaml.snap
@@ -72,11 +72,14 @@ should allow disabling redis auth:
capabilities:
drop:
- ALL
+ readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /opt/mastodon/public/assets
name: assets
- mountPath: /opt/mastodon/public/system
name: system
+ - mountPath: /tmp
+ name: tmp
securityContext:
fsGroup: 991
runAsGroup: 991
@@ -92,6 +95,15 @@ should allow disabling redis auth:
- name: system
persistentVolumeClaim:
claimName: RELEASE-NAME-mastodon-system
+ - ephemeral:
+ volumeClaimTemplate:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 5Gi
+ name: tmp
2: |
apiVersion: apps/v1
kind: Deployment
diff --git a/charts/mastodon/tests/__snapshot__/98_snapshot_test.yaml.snap b/charts/mastodon/tests/__snapshot__/98_snapshot_test.yaml.snap
index a872391ce..dda25cf87 100644
--- a/charts/mastodon/tests/__snapshot__/98_snapshot_test.yaml.snap
+++ b/charts/mastodon/tests/__snapshot__/98_snapshot_test.yaml.snap
@@ -194,11 +194,14 @@ should match basic snapshot:
capabilities:
drop:
- ALL
+ readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /opt/mastodon/public/assets
name: assets
- mountPath: /opt/mastodon/public/system
name: system
+ - mountPath: /tmp
+ name: tmp
securityContext:
fsGroup: 991
runAsGroup: 991
@@ -214,6 +217,15 @@ should match basic snapshot:
- name: system
persistentVolumeClaim:
claimName: RELEASE-NAME-mastodon-system
+ - ephemeral:
+ volumeClaimTemplate:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 5Gi
+ name: tmp
4: |
apiVersion: apps/v1
kind: Deployment
@@ -1157,11 +1169,14 @@ should match basic snapshot without dependencies:
capabilities:
drop:
- ALL
+ readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /opt/mastodon/public/assets
name: assets
- mountPath: /opt/mastodon/public/system
name: system
+ - mountPath: /tmp
+ name: tmp
securityContext:
fsGroup: 991
runAsGroup: 991
@@ -1177,6 +1192,15 @@ should match basic snapshot without dependencies:
- name: system
persistentVolumeClaim:
claimName: RELEASE-NAME-mastodon-system
+ - ephemeral:
+ volumeClaimTemplate:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 5Gi
+ name: tmp
4: |
apiVersion: apps/v1
kind: Deployment
diff --git a/charts/mastodon/values.yaml b/charts/mastodon/values.yaml
index db78da6ce..5648141e2 100644
--- a/charts/mastodon/values.yaml
+++ b/charts/mastodon/values.yaml
@@ -82,7 +82,20 @@ mastodon:
# -- Pod security context for all Sidekiq Pods, overwrites .Values.podSecurityContext
podSecurityContext: {}
# -- (Sidekiq Container) Security Context for all Pods, overwrites .Values.securityContext
- securityContext: {}
+ securityContext:
+ readOnlyRootFilesystem: true
+ # -- temporary volume template required for read-only root filesystem
+ temporaryVolumeTemplate:
+ # emptydir is currently not possible due to permissions issue with Ruby: https://microblog.shivering-isles.com/@sheogorath/111040613569754423
+ # emptydir: {}
+ ephemeral:
+ volumeClaimTemplate:
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 5Gi
# -- Resources for all Sidekiq Deployments unless overwritten
resources: {}
# -- Affinity for all Sidekiq Deployments unless overwritten, overwrites .Values.affinity
--
GitLab