Verified Commit b0db681c authored by Sheogorath's avatar Sheogorath :european_castle:

feat(mastodon): Switch to emptydir from type Memory

This patch adjusts the tmp volume to be of type emptyDir with medium
Memory by default. This will use more memory in the container, but
should provide an easier default for users.

Further it also introduces the tmp volume to the web containers, that
require it, in order to process media that is uploaded by users.
parent 8bbc6194
......@@ -17,7 +17,7 @@ annotations:
- name: support
url: https://matrix.to/#/#mastodon-on-kubernetes:shivering-isles.com
type: application
version: 7.1.1
version: 7.2.0
kubeVersion: ">= 1.23"
# renovate: image=ghcr.io/mastodon/mastodon
appVersion: "v4.1.9"
......
# mastodon
![Version: 7.1.1](https://img.shields.io/badge/Version-7.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v4.1.9](https://img.shields.io/badge/AppVersion-v4.1.9-informational?style=flat-square)
![Version: 7.2.0](https://img.shields.io/badge/Version-7.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v4.1.9](https://img.shields.io/badge/AppVersion-v4.1.9-informational?style=flat-square)
Mastodon is a free, open-source social network server based on ActivityPub.
......@@ -76,7 +76,7 @@ Kubernetes: `>= 1.23`
| mastodon.sidekiq.podSecurityContext | object | `{}` | Pod security context for all Sidekiq Pods, overwrites .Values.podSecurityContext |
| mastodon.sidekiq.resources | object | `{}` | Resources for all Sidekiq Deployments unless overwritten |
| mastodon.sidekiq.securityContext | Sidekiq Container | `{"readOnlyRootFilesystem":true}` | Security Context for all Pods, overwrites .Values.securityContext |
| mastodon.sidekiq.temporaryVolumeTemplate | object | `{"ephemeral":{"volumeClaimTemplate":{"spec":{"accessModes":["ReadWriteOnce"],"resources":{"requests":{"storage":"5Gi"}}}}}}` | temporary volume template required for read-only root filesystem |
| mastodon.sidekiq.temporaryVolumeTemplate | object | `{"emptydir":{"medium":"Memory"}}` | temporary volume template required for read-only root filesystem |
| mastodon.sidekiq.workers[0].affinity | object | `{}` | Affinity for this specific deployment, overwrites .Values.affinity and .Values.mastodon.sidekiq.affinity |
| mastodon.sidekiq.workers[0].concurrency | int | `25` | Number of threads / parallel sidekiq jobs that are executed per Pod |
| mastodon.sidekiq.workers[0].name | string | `"all-queues"` | |
......@@ -112,6 +112,7 @@ Kubernetes: `>= 1.23`
| mastodon.web.replicas | int | `1` | Number of Web Pods running |
| mastodon.web.resources | Web Container | `{}` | Resources for Web Pods, overwrites .Values.resources |
| mastodon.web.securityContext | Web Container | `{"readOnlyRootFilesystem":true}` | Security Context for Web Pods, overwrites .Values.securityContext |
| mastodon.web.temporaryVolumeTemplate | object | `{"emptydir":{"medium":"Memory"}}` | temporary volume template required for read-only root filesystem |
| mastodon.web_domain | string | `nil` | Use of WEB_DOMAIN requires careful consideration: https://docs.joinmastodon.org/admin/config/#federation You must redirect the path LOCAL_DOMAIN/.well-known/ to WEB_DOMAIN/.well-known/ as described Example: mastodon.example.com |
| podAnnotations | object | `{}` | Kubernetes manages pods for jobs and pods for deployments differently, so you might need to apply different annotations to the two different sets of pods. The annotations set with podAnnotations will be added to all deployment-managed pods. |
| podSecurityContext | object | `{"fsGroup":991,"runAsGroup":991,"runAsNonRoot":true,"runAsUser":991,"seccompProfile":{"type":"RuntimeDefault"}}` | base securityContext on Pod-Level. Can be overwritten but more specific contexts. Used to match the Upstream UID/GID |
......
......@@ -46,10 +46,8 @@ spec:
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if (or (not $context.Values.mastodon.s3.enabled) (deepCopy $context.Values.securityContext | mergeOverwrite $context.Values.mastodon.sidekiq.securityContext).readOnlyRootFilesystem) }}
volumes:
{{- include "mastodon.nonS3MediaVolumes" $context | nindent 8 }}
{{- end }}
- name: tmp
{{- toYaml $context.Values.mastodon.sidekiq.temporaryVolumeTemplate | nindent 10 }}
containers:
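Review bot: The `volumes:` key and the `mastodon.nonS3MediaVolumes` include are now emitted unconditionally, while the guard removed in this hunk skipped both when S3 is enabled and the root filesystem is writable; unless the helper checks `.Values.mastodon.s3.enabled` itself (not visible here), S3-backed installs will now also receive the non-S3 media volumes. The web deployment hunk makes the same change. If the helper does guard internally, a one-line comment above `volumes:` such as `{{- /* always rendered: tmp is required for readOnlyRootFilesystem; nonS3MediaVolumes guards on s3.enabled itself */}}` would make that intent explicit for the next reader. The pod spec continues outside this hunk.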
......
......@@ -33,10 +33,10 @@ spec:
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if (not .Values.mastodon.s3.enabled) }}
volumes:
{{- include "mastodon.nonS3MediaVolumes" . | nindent 8 }}
{{- end }}
- name: tmp
{{- toYaml .Values.mastodon.sidekiq.temporaryVolumeTemplate | nindent 10 }}
containers:
- name: {{ .Chart.Name }}-web
{{- with (deepCopy .Values.securityContext | mergeOverwrite .Values.mastodon.web.securityContext) }}
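Review bot: The web deployment still reads `.Values.mastodon.sidekiq.temporaryVolumeTemplate` on the line that defines the `tmp` volume, although this commit adds a separate `mastodon.web.temporaryVolumeTemplate` in values.yaml and documents it in the README, so the new web-level setting has no effect and an operator tuning it for the web pods would silently change nothing. The line should read `{{- toYaml .Values.mastodon.web.temporaryVolumeTemplate | nindent 10 }}`. The same unconditional-`volumes:` concern raised on the sidekiq template applies here; the container spec continues in the next hunk and beyond.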
......@@ -83,10 +83,10 @@ spec:
name: {{ .Values.mastodon.s3.existingSecret }}
key: AWS_ACCESS_KEY_ID
{{- end }}
{{- if (not .Values.mastodon.s3.enabled) }}
volumeMounts:
{{- include "mastodon.nonS3MediaMounts" . | nindent 12 }}
{{- end }}
- name: tmp
mountPath: /tmp
ports:
- name: http
containerPort: {{ .Values.mastodon.web.port }}
......
......@@ -122,14 +122,8 @@ renders temporaryVolumeTemplate correctly:
type: RuntimeDefault
serviceAccountName: RELEASE-NAME-mastodon
volumes:
- ephemeral:
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
- emptydir:
medium: Memory
name: tmp
3: |
apiVersion: apps/v1
......@@ -210,14 +204,8 @@ renders temporaryVolumeTemplate correctly:
type: RuntimeDefault
serviceAccountName: RELEASE-NAME-mastodon
volumes:
- ephemeral:
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
- emptydir:
medium: Memory
name: tmp
4: |
apiVersion: policy/v1
......@@ -419,14 +407,8 @@ should match basic snapshot:
- name: system
persistentVolumeClaim:
claimName: RELEASE-NAME-mastodon-system
- ephemeral:
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
- emptydir:
medium: Memory
name: tmp
3: |
apiVersion: policy/v1
......
......@@ -122,6 +122,8 @@ should match basic snapshot:
name: assets
- mountPath: /opt/mastodon/public/system
name: system
- mountPath: /tmp
name: tmp
securityContext:
fsGroup: 991
runAsGroup: 991
......@@ -137,6 +139,9 @@ should match basic snapshot:
- name: system
persistentVolumeClaim:
claimName: RELEASE-NAME-mastodon-system
- emptydir:
medium: Memory
name: tmp
3: |
apiVersion: networking.k8s.io/v1
kind: Ingress
......
......@@ -95,14 +95,8 @@ should allow disabling redis auth:
- name: system
persistentVolumeClaim:
claimName: RELEASE-NAME-mastodon-system
- ephemeral:
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
- emptydir:
medium: Memory
name: tmp
2: |
apiVersion: apps/v1
......@@ -260,6 +254,8 @@ should allow disabling redis auth:
name: assets
- mountPath: /opt/mastodon/public/system
name: system
- mountPath: /tmp
name: tmp
securityContext:
fsGroup: 991
runAsGroup: 991
......@@ -275,3 +271,6 @@ should allow disabling redis auth:
- name: system
persistentVolumeClaim:
claimName: RELEASE-NAME-mastodon-system
- emptydir:
medium: Memory
name: tmp
......@@ -217,14 +217,8 @@ should match basic snapshot:
- name: system
persistentVolumeClaim:
claimName: RELEASE-NAME-mastodon-system
- ephemeral:
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
- emptydir:
medium: Memory
name: tmp
4: |
apiVersion: apps/v1
......@@ -392,6 +386,8 @@ should match basic snapshot:
name: assets
- mountPath: /opt/mastodon/public/system
name: system
- mountPath: /tmp
name: tmp
securityContext:
fsGroup: 991
runAsGroup: 991
......@@ -407,6 +403,9 @@ should match basic snapshot:
- name: system
persistentVolumeClaim:
claimName: RELEASE-NAME-mastodon-system
- emptydir:
medium: Memory
name: tmp
6: |
apiVersion: networking.k8s.io/v1
kind: Ingress
......@@ -1192,14 +1191,8 @@ should match basic snapshot without dependencies:
- name: system
persistentVolumeClaim:
claimName: RELEASE-NAME-mastodon-system
- ephemeral:
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
- emptydir:
medium: Memory
name: tmp
4: |
apiVersion: apps/v1
......@@ -1367,6 +1360,8 @@ should match basic snapshot without dependencies:
name: assets
- mountPath: /opt/mastodon/public/system
name: system
- mountPath: /tmp
name: tmp
securityContext:
fsGroup: 991
runAsGroup: 991
......@@ -1382,6 +1377,9 @@ should match basic snapshot without dependencies:
- name: system
persistentVolumeClaim:
claimName: RELEASE-NAME-mastodon-system
- emptydir:
medium: Memory
name: tmp
6: |
apiVersion: networking.k8s.io/v1
kind: Ingress
......
......@@ -86,17 +86,17 @@ mastodon:
readOnlyRootFilesystem: true
# -- temporary volume template required for read-only root filesystem
temporaryVolumeTemplate:
# emptydir is currently limited to medium Memory due to a Ruby special handling of temporary directories: https://shivering-isles.com/about-read-only-containers-ruby-and-emptydir
# emptydir:
# medium: Memory
ephemeral:
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
# emptydir is currently limited to medium Memory due to a Ruby special handling of temporary directories, alternatively use a generic ephemeral volume: https://shivering-isles.com/about-read-only-containers-ruby-and-emptydir
emptydir:
medium: Memory
# ephemeral:
# volumeClaimTemplate:
# spec:
# accessModes:
# - ReadWriteOnce
# resources:
# requests:
# storage: 5Gi
# -- Resources for all Sidekiq Deployments unless overwritten
resources: {}
# -- Affinity for all Sidekiq Deployments unless overwritten, overwrites .Values.affinity
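Review bot: The new default spells the volume source `emptydir`, but the Kubernetes Volume API field is `emptyDir` (camelCase, like `readOnlyRootFilesystem` a few lines above), so the rendered pod spec — reproduced verbatim in the updated snapshots — carries an unknown field and a `tmp` volume with no recognised source, which schema validation or the API server will reject. The `emptydir:` line under `temporaryVolumeTemplate` should become `emptyDir:`, and the same key in the `mastodon.web.temporaryVolumeTemplate` hunk below needs the same fix; the README table entries appear to be generated from these defaults and will follow. Since a Memory-medium emptyDir is tmpfs that counts against the container's memory limit and is otherwise bounded only by the node, consider adding a `sizeLimit` beneath `medium: Memory` so a large media upload cannot exhaust the pod's memory; the value itself is a sizing choice for the operator.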
......@@ -198,6 +198,19 @@ mastodon:
# -- (Web Container) Security Context for Web Pods, overwrites .Values.securityContext
securityContext:
readOnlyRootFilesystem: true
# -- temporary volume template required for read-only root filesystem
temporaryVolumeTemplate:
# emptydir is currently limited to medium Memory due to a Ruby special handling of temporary directories, alternatively use a generic ephemeral volume: https://shivering-isles.com/about-read-only-containers-ruby-and-emptydir
emptydir:
medium: Memory
# ephemeral:
# volumeClaimTemplate:
# spec:
# accessModes:
# - ReadWriteOnce
# resources:
# requests:
# storage: 5Gi
# -- (Web Container) Resources for Web Pods, overwrites .Values.resources
resources: {}
# limits:
......