diff --git a/charts/mastodon/Chart.yaml b/charts/mastodon/Chart.yaml index 09fde1c4d453c57867578374b68c00b1c538338b..260a791ef251066d2975e7e4188ae741e344e3e9 100644 --- a/charts/mastodon/Chart.yaml +++ b/charts/mastodon/Chart.yaml @@ -17,7 +17,7 @@ annotations: - name: support url: https://matrix.to/#/#mastodon-on-kubernetes:shivering-isles.com type: application -version: 7.1.1 +version: 7.2.0 kubeVersion: ">= 1.23" # renovate: image=ghcr.io/mastodon/mastodon appVersion: "v4.1.9" diff --git a/charts/mastodon/README.md b/charts/mastodon/README.md index f3eab429c65ee5844135cb78bd1d46926dbb9a9d..4084d4e0cbd30e6f9d0ffdbd781c2a0350cffc89 100644 --- a/charts/mastodon/README.md +++ b/charts/mastodon/README.md @@ -1,6 +1,6 @@ # mastodon -   +   Mastodon is a free, open-source social network server based on ActivityPub. 
@@ -76,7 +76,7 @@ Kubernetes: `>= 1.23` | mastodon.sidekiq.podSecurityContext | object | `{}` | Pod security context for all Sidekiq Pods, overwrites .Values.podSecurityContext | | mastodon.sidekiq.resources | object | `{}` | Resources for all Sidekiq Deployments unless overwritten | | mastodon.sidekiq.securityContext | Sidekiq Container | `{"readOnlyRootFilesystem":true}` | Security Context for all Pods, overwrites .Values.securityContext | -| mastodon.sidekiq.temporaryVolumeTemplate | object | `{"ephemeral":{"volumeClaimTemplate":{"spec":{"accessModes":["ReadWriteOnce"],"resources":{"requests":{"storage":"5Gi"}}}}}}` | temporary volume template required for read-only root filesystem | +| mastodon.sidekiq.temporaryVolumeTemplate | object | `{"emptydir":{"medium":"Memory"}}` | temporary volume template required for read-only root filesystem | | mastodon.sidekiq.workers[0].affinity | object | `{}` | Affinity for this specific deployment, overwrites .Values.affinity and .Values.mastodon.sidekiq.affinity | | mastodon.sidekiq.workers[0].concurrency | int | `25` | Number of threads / parallel sidekiq jobs that are executed per Pod | | mastodon.sidekiq.workers[0].name | string | `"all-queues"` | | 
@@ -112,6 +112,7 @@ Kubernetes: `>= 1.23` | mastodon.web.replicas | int | `1` | Number of Web Pods running | | mastodon.web.resources | Web Container | `{}` | Resources for Web Pods, overwrites .Values.resources | | mastodon.web.securityContext | Web Container | `{"readOnlyRootFilesystem":true}` | Security Context for Web Pods, overwrites .Values.securityContext | +| mastodon.web.temporaryVolumeTemplate | object | `{"emptydir":{"medium":"Memory"}}` | temporary volume template required for read-only root filesystem | | mastodon.web_domain | string | `nil` | Use of WEB_DOMAIN requires careful consideration: https://docs.joinmastodon.org/admin/config/#federation You must redirect the path LOCAL_DOMAIN/.well-known/ to WEB_DOMAIN/.well-known/ as described Example: mastodon.example.com | | podAnnotations | object | `{}` | Kubernetes manages pods for jobs and pods for deployments differently, so you might need to apply different annotations to the two different sets of pods. The annotations set with podAnnotations will be added to all deployment-managed pods. | | podSecurityContext | object | `{"fsGroup":991,"runAsGroup":991,"runAsNonRoot":true,"runAsUser":991,"seccompProfile":{"type":"RuntimeDefault"}}` | base securityContext on Pod-Level. Can be overwritten but more specific contexts. Used to match the Upstream UID/GID | diff --git a/charts/mastodon/templates/deployment-sidekiq.yaml b/charts/mastodon/templates/deployment-sidekiq.yaml index 82b7746fbd61f44b669483204728559e049850e9..d120cddf12d4ab1294f3fff392a7a22c843f53d2 100644 --- a/charts/mastodon/templates/deployment-sidekiq.yaml +++ b/charts/mastodon/templates/deployment-sidekiq.yaml 
@@ -46,10 +46,8 @@ spec: affinity: {{- toYaml . | nindent 8 }} {{- end }} - {{- if (or (not $context.Values.mastodon.s3.enabled) (deepCopy $context.Values.securityContext | mergeOverwrite $context.Values.mastodon.sidekiq.securityContext).readOnlyRootFilesystem) }} volumes: {{- include "mastodon.nonS3MediaVolumes" $context | nindent 8 }} - {{- end }} - name: tmp {{- toYaml $context.Values.mastodon.sidekiq.temporaryVolumeTemplate | nindent 10 }} containers:
diff --git a/charts/mastodon/templates/deployment-web.yaml b/charts/mastodon/templates/deployment-web.yaml
index ebaeebe3fe0dfc759d8b2e998f9175f956221550..4e0947fbffd12c04b6c6d68d570b634170ca0a5a 100644
--- a/charts/mastodon/templates/deployment-web.yaml
+++ b/charts/mastodon/templates/deployment-web.yaml
@@ -33,10 +33,10 @@ spec: securityContext: {{- toYaml . | nindent 8 }} {{- end }} - {{- if (not .Values.mastodon.s3.enabled) }} volumes: {{- include "mastodon.nonS3MediaVolumes" . | nindent 8 }} - {{- end }} + - name: tmp + {{- toYaml .Values.mastodon.sidekiq.temporaryVolumeTemplate | nindent 10 }} containers: - name: {{ .Chart.Name }}-web {{- with (deepCopy .Values.securityContext | mergeOverwrite .Values.mastodon.web.securityContext) }}
@@ -83,10 +83,10 @@ spec: name: {{ .Values.mastodon.s3.existingSecret }} key: AWS_ACCESS_KEY_ID {{- end }} - {{- if (not .Values.mastodon.s3.enabled) }} volumeMounts: {{- include "mastodon.nonS3MediaMounts" . | nindent 12 }} - {{- end }} + - name: tmp + mountPath: /tmp ports: - name: http containerPort: {{ .Values.mastodon.web.port }}
diff --git a/charts/mastodon/tests/__snapshot__/50_sidekiq_test.yaml.snap b/charts/mastodon/tests/__snapshot__/50_sidekiq_test.yaml.snap
index c8fa6ea83380a6866666d036be6487c82fe95265..2bf52a5e542949c0acb4de5f4186cac001c81281 100644
--- a/charts/mastodon/tests/__snapshot__/50_sidekiq_test.yaml.snap
+++ b/charts/mastodon/tests/__snapshot__/50_sidekiq_test.yaml.snap 
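Review bot: Dropping the `{{- if (or (not $context.Values.mastodon.s3.enabled) ... .readOnlyRootFilesystem) }}` guard makes `volumes:` and the `mastodon.nonS3MediaVolumes` include render for every Sidekiq Deployment, including S3-backed ones; unless that helper checks `.Values.mastodon.s3.enabled` itself (its definition is not in this diff), S3 deployments will now also carry the persistent media volumes. The same guard is removed around `volumes:` and `volumeMounts:` in the two deployment-web.yaml hunks that follow. If the helper does not self-gate, keep `volumes:` unconditional for the `tmp` entry but wrap only the include: `{{- if (not $context.Values.mastodon.s3.enabled) }}` / `{{- include "mastodon.nonS3MediaVolumes" $context | nindent 8 }}` / `{{- end }}`. The enclosing pod spec starts before and continues after the hunk.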
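Review bot: The added line `{{- toYaml .Values.mastodon.sidekiq.temporaryVolumeTemplate | nindent 10 }}` in the web Deployment reads the Sidekiq value, so the new `mastodon.web.temporaryVolumeTemplate` key that values.yaml and the README introduce in this same commit is never consulted, and a per-web override (for example a larger ephemeral volume) would silently apply the Sidekiq template instead. It should read `{{- toYaml .Values.mastodon.web.temporaryVolumeTemplate | nindent 10 }}`. The snapshot tests cannot catch this because both defaults render identically. The enclosing `spec:` block continues outside the hunk.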
@@ -122,14 +122,8 @@ renders temporaryVolumeTemplate correctly: type: RuntimeDefault serviceAccountName: RELEASE-NAME-mastodon volumes: - - ephemeral: - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 5Gi + - emptydir: + medium: Memory name: tmp 3: | apiVersion: apps/v1 @@ -210,14 +204,8 @@ renders temporaryVolumeTemplate correctly: type: RuntimeDefault serviceAccountName: RELEASE-NAME-mastodon volumes: - - ephemeral: - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 5Gi + - emptydir: + medium: Memory name: tmp 4: | apiVersion: policy/v1 @@ -419,14 +407,8 @@ should match basic snapshot: - name: system persistentVolumeClaim: claimName: RELEASE-NAME-mastodon-system - - ephemeral: - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 5Gi + - emptydir: + medium: Memory name: tmp 3: | apiVersion: policy/v1 diff --git a/charts/mastodon/tests/__snapshot__/50_web_test.yaml.snap b/charts/mastodon/tests/__snapshot__/50_web_test.yaml.snap index 72f109d777892bc2e6efab68c87154cae761046a..dd91d05cd9e242983174257b2f88c5eec6e54253 100644 --- a/charts/mastodon/tests/__snapshot__/50_web_test.yaml.snap +++ b/charts/mastodon/tests/__snapshot__/50_web_test.yaml.snap @@ -122,6 +122,8 @@ should match basic snapshot: name: assets - mountPath: /opt/mastodon/public/system name: system + - mountPath: /tmp + name: tmp securityContext: fsGroup: 991 runAsGroup: 991 @@ -137,6 +139,9 @@ should match basic snapshot: - name: system persistentVolumeClaim: claimName: RELEASE-NAME-mastodon-system + - emptydir: + medium: Memory + name: tmp 3: | apiVersion: networking.k8s.io/v1 kind: Ingress diff --git a/charts/mastodon/tests/__snapshot__/80_subchart_redis_test.yaml.snap b/charts/mastodon/tests/__snapshot__/80_subchart_redis_test.yaml.snap index 721f8cc897907a4c312a2d0db6acd1cf874a152f..dbe8f20cc12e96c95acb92f1909c0175d193762c 100644 
--- a/charts/mastodon/tests/__snapshot__/80_subchart_redis_test.yaml.snap +++ b/charts/mastodon/tests/__snapshot__/80_subchart_redis_test.yaml.snap @@ -95,14 +95,8 @@ should allow disabling redis auth: - name: system persistentVolumeClaim: claimName: RELEASE-NAME-mastodon-system - - ephemeral: - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 5Gi + - emptydir: + medium: Memory name: tmp 2: | apiVersion: apps/v1 @@ -260,6 +254,8 @@ should allow disabling redis auth: name: assets - mountPath: /opt/mastodon/public/system name: system + - mountPath: /tmp + name: tmp securityContext: fsGroup: 991 runAsGroup: 991 @@ -275,3 +271,6 @@ should allow disabling redis auth: - name: system persistentVolumeClaim: claimName: RELEASE-NAME-mastodon-system + - emptydir: + medium: Memory + name: tmp diff --git a/charts/mastodon/tests/__snapshot__/98_snapshot_test.yaml.snap b/charts/mastodon/tests/__snapshot__/98_snapshot_test.yaml.snap index dda25cf87e086313056df077b4ff0e120ca1e870..e2228b3ce5917dabcc774442239edb8dcc0e5ebd 100644 --- a/charts/mastodon/tests/__snapshot__/98_snapshot_test.yaml.snap +++ b/charts/mastodon/tests/__snapshot__/98_snapshot_test.yaml.snap @@ -217,14 +217,8 @@ should match basic snapshot: - name: system persistentVolumeClaim: claimName: RELEASE-NAME-mastodon-system - - ephemeral: - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 5Gi + - emptydir: + medium: Memory name: tmp 4: | apiVersion: apps/v1 @@ -392,6 +386,8 @@ should match basic snapshot: name: assets - mountPath: /opt/mastodon/public/system name: system + - mountPath: /tmp + name: tmp securityContext: fsGroup: 991 runAsGroup: 991 @@ -407,6 +403,9 @@ should match basic snapshot: - name: system persistentVolumeClaim: claimName: RELEASE-NAME-mastodon-system + - emptydir: + medium: Memory + name: tmp 6: | apiVersion: networking.k8s.io/v1 kind: Ingress 
@@ -1192,14 +1191,8 @@ should match basic snapshot without dependencies: - name: system persistentVolumeClaim: claimName: RELEASE-NAME-mastodon-system - - ephemeral: - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 5Gi + - emptydir: + medium: Memory name: tmp 4: | apiVersion: apps/v1 @@ -1367,6 +1360,8 @@ should match basic snapshot without dependencies: name: assets - mountPath: /opt/mastodon/public/system name: system + - mountPath: /tmp + name: tmp securityContext: fsGroup: 991 runAsGroup: 991 @@ -1382,6 +1377,9 @@ should match basic snapshot without dependencies: - name: system persistentVolumeClaim: claimName: RELEASE-NAME-mastodon-system + - emptydir: + medium: Memory + name: tmp 6: | apiVersion: networking.k8s.io/v1 kind: Ingress diff --git a/charts/mastodon/values.yaml b/charts/mastodon/values.yaml index dc2f44511afbfcff8c6689e8e413dd052964ede6..d21c542333260c63dd91f9a8b72dc6298cfe5a90 100644 --- a/charts/mastodon/values.yaml +++ b/charts/mastodon/values.yaml 
@@ -86,17 +86,17 @@ mastodon: readOnlyRootFilesystem: true # -- temporary volume template required for read-only root filesystem temporaryVolumeTemplate: - # emptydir is currently limited to medium Memory due to a Ruby special handling of temporary directories: https://shivering-isles.com/about-read-only-containers-ruby-and-emptydir - # emptydir: - # medium: Memory - ephemeral: - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 5Gi + # emptydir is currently limited to medium Memory due to a Ruby special handling of temporary directories, alternatively use a generic ephemeral volume: https://shivering-isles.com/about-read-only-containers-ruby-and-emptydir + emptydir: + medium: Memory + # ephemeral: + # volumeClaimTemplate: + # spec: + # accessModes: + # - ReadWriteOnce + # resources: + # requests: + # storage: 5Gi # -- Resources for all Sidekiq Deployments unless overwritten resources: {} # -- Affinity for all Sidekiq Deployments unless overwritten, overwrites .Values.affinity
@@ -198,6 +198,19 @@ mastodon: # -- (Web Container) Security Context for Web Pods, overwrites .Values.securityContext securityContext: readOnlyRootFilesystem: true + # -- temporary volume template required for read-only root filesystem + temporaryVolumeTemplate: + # emptydir is currently limited to medium Memory due to a Ruby special handling of temporary directories, alternatively use a generic ephemeral volume: https://shivering-isles.com/about-read-only-containers-ruby-and-emptydir + emptydir: + medium: Memory + # ephemeral: + # volumeClaimTemplate: + # spec: + # accessModes: + # - ReadWriteOnce + # resources: + # requests: + # storage: 5Gi # -- (Web Container) Resources for Web Pods, overwrites .Values.resources resources: {} # limits:
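Review bot: The new default `emptydir:` (and its copy in the web block at `@@ -198`) is not the Pod API field name, which is `emptyDir`; the chart's snapshot tests still pass because helm-unittest compares rendered text and never validates against the Kubernetes schema. Under strict server-side field validation the Deployment is rejected for an unknown field, and under the lenient default the key is pruned, leaving a `tmp` volume with no source, which the API server defaults to a disk-backed emptyDir and silently loses `medium: Memory`. Change both places to `emptyDir:` / `  medium: Memory` (the helm-docs README row will follow). Since a memory-backed emptyDir is charged against the container's memory limit, the comment should also mention `sizeLimit` so operators can bound it.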