From b0db681cefce5a18b8fa736e43ead2a8ad0a67fd Mon Sep 17 00:00:00 2001 From: Sheogorath <sheogorath@shivering-isles.com> Date: Thu, 5 Oct 2023 20:38:34 +0200 Subject: [PATCH] feat(mastodon): Switch to emptydir from type Memory This patch adjusts the tmp volume to be from type emtpyDir with medium Memory be default, this will use more memory in the container, but should provide an easier default for users. Further it also introduces the tmp volume to the web containers, that require it, in order to process media that is uploaded by users. --- charts/mastodon/Chart.yaml | 2 +- charts/mastodon/README.md | 5 +-- .../templates/deployment-sidekiq.yaml | 2 -- charts/mastodon/templates/deployment-web.yaml | 8 ++--- .../__snapshot__/50_sidekiq_test.yaml.snap | 30 ++++------------ .../tests/__snapshot__/50_web_test.yaml.snap | 5 +++ .../80_subchart_redis_test.yaml.snap | 15 ++++---- .../__snapshot__/98_snapshot_test.yaml.snap | 30 ++++++++-------- charts/mastodon/values.yaml | 35 +++++++++++++------ 9 files changed, 64 insertions(+), 68 deletions(-) diff --git a/charts/mastodon/Chart.yaml b/charts/mastodon/Chart.yaml index 09fde1c4d..260a791ef 100644 --- a/charts/mastodon/Chart.yaml +++ b/charts/mastodon/Chart.yaml @@ -17,7 +17,7 @@ annotations: - name: support url: https://matrix.to/#/#mastodon-on-kubernetes:shivering-isles.com type: application -version: 7.1.1 +version: 7.2.0 kubeVersion: ">= 1.23" # renovate: image=ghcr.io/mastodon/mastodon appVersion: "v4.1.9" diff --git a/charts/mastodon/README.md b/charts/mastodon/README.md index f3eab429c..4084d4e0c 100644 --- a/charts/mastodon/README.md +++ b/charts/mastodon/README.md @@ -1,6 +1,6 @@ # mastodon -   +   Mastodon is a free, open-source social network server based on ActivityPub. 
@@ -76,7 +76,7 @@ Kubernetes: `>= 1.23` | mastodon.sidekiq.podSecurityContext | object | `{}` | Pod security context for all Sidekiq Pods, overwrites .Values.podSecurityContext | | mastodon.sidekiq.resources | object | `{}` | Resources for all Sidekiq Deployments unless overwritten | | mastodon.sidekiq.securityContext | Sidekiq Container | `{"readOnlyRootFilesystem":true}` | Security Context for all Pods, overwrites .Values.securityContext | -| mastodon.sidekiq.temporaryVolumeTemplate | object | `{"ephemeral":{"volumeClaimTemplate":{"spec":{"accessModes":["ReadWriteOnce"],"resources":{"requests":{"storage":"5Gi"}}}}}}` | temporary volume template required for read-only root filesystem | +| mastodon.sidekiq.temporaryVolumeTemplate | object | `{"emptydir":{"medium":"Memory"}}` | temporary volume template required for read-only root filesystem | | mastodon.sidekiq.workers[0].affinity | object | `{}` | Affinity for this specific deployment, overwrites .Values.affinity and .Values.mastodon.sidekiq.affinity | | mastodon.sidekiq.workers[0].concurrency | int | `25` | Number of threads / parallel sidekiq jobs that are executed per Pod | | mastodon.sidekiq.workers[0].name | string | `"all-queues"` | | 
@@ -112,6 +112,7 @@ Kubernetes: `>= 1.23` | mastodon.web.replicas | int | `1` | Number of Web Pods running | | mastodon.web.resources | Web Container | `{}` | Resources for Web Pods, overwrites .Values.resources | | mastodon.web.securityContext | Web Container | `{"readOnlyRootFilesystem":true}` | Security Context for Web Pods, overwrites .Values.securityContext | +| mastodon.web.temporaryVolumeTemplate | object | `{"emptydir":{"medium":"Memory"}}` | temporary volume template required for read-only root filesystem | | mastodon.web_domain | string | `nil` | Use of WEB_DOMAIN requires careful consideration: https://docs.joinmastodon.org/admin/config/#federation You must redirect the path LOCAL_DOMAIN/.well-known/ to WEB_DOMAIN/.well-known/ as described Example: mastodon.example.com | | podAnnotations | object | `{}` | Kubernetes manages pods for jobs and pods for deployments differently, so you might need to apply different annotations to the two different sets of pods. The annotations set with podAnnotations will be added to all deployment-managed pods. | | podSecurityContext | object | `{"fsGroup":991,"runAsGroup":991,"runAsNonRoot":true,"runAsUser":991,"seccompProfile":{"type":"RuntimeDefault"}}` | base securityContext on Pod-Level. Can be overwritten but more specific contexts. Used to match the Upstream UID/GID |
diff --git a/charts/mastodon/templates/deployment-sidekiq.yaml b/charts/mastodon/templates/deployment-sidekiq.yaml
index 82b7746fb..d120cddf1 100644
--- a/charts/mastodon/templates/deployment-sidekiq.yaml
+++ b/charts/mastodon/templates/deployment-sidekiq.yaml 
@@ -46,10 +46,8 @@ spec: affinity: {{- toYaml . | nindent 8 }} {{- end }} - {{- if (or (not $context.Values.mastodon.s3.enabled) (deepCopy $context.Values.securityContext | mergeOverwrite $context.Values.mastodon.sidekiq.securityContext).readOnlyRootFilesystem) }} volumes: {{- include "mastodon.nonS3MediaVolumes" $context | nindent 8 }} - {{- end }} - name: tmp {{- toYaml $context.Values.mastodon.sidekiq.temporaryVolumeTemplate | nindent 10 }} containers:
diff --git a/charts/mastodon/templates/deployment-web.yaml b/charts/mastodon/templates/deployment-web.yaml
index ebaeebe3f..4e0947fbf 100644
--- a/charts/mastodon/templates/deployment-web.yaml
+++ b/charts/mastodon/templates/deployment-web.yaml
@@ -33,10 +33,10 @@ spec: securityContext: {{- toYaml . | nindent 8 }} {{- end }} - {{- if (not .Values.mastodon.s3.enabled) }} volumes: {{- include "mastodon.nonS3MediaVolumes" . | nindent 8 }} - {{- end }} + - name: tmp + {{- toYaml .Values.mastodon.sidekiq.temporaryVolumeTemplate | nindent 10 }} containers: - name: {{ .Chart.Name }}-web {{- with (deepCopy .Values.securityContext | mergeOverwrite .Values.mastodon.web.securityContext) }}
@@ -83,10 +83,10 @@ spec: name: {{ .Values.mastodon.s3.existingSecret }} key: AWS_ACCESS_KEY_ID {{- end }} - {{- if (not .Values.mastodon.s3.enabled) }} volumeMounts: {{- include "mastodon.nonS3MediaMounts" . | nindent 12 }} - {{- end }} + - name: tmp + mountPath: /tmp ports: - name: http containerPort: {{ .Values.mastodon.web.port }}
diff --git a/charts/mastodon/tests/__snapshot__/50_sidekiq_test.yaml.snap b/charts/mastodon/tests/__snapshot__/50_sidekiq_test.yaml.snap
index c8fa6ea83..2bf52a5e5 100644
--- a/charts/mastodon/tests/__snapshot__/50_sidekiq_test.yaml.snap
+++ b/charts/mastodon/tests/__snapshot__/50_sidekiq_test.yaml.snap 
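Review bot: With the `{{- if (or (not $context.Values.mastodon.s3.enabled) …readOnlyRootFilesystem) }}` guard removed, `volumes:` and the `mastodon.nonS3MediaVolumes` include are rendered for every sidekiq deployment, and the two deployment-web.yaml hunks below drop the same `s3.enabled` guard around `volumes:` and `volumeMounts:`. The helper bodies are not in this diff, so if `mastodon.nonS3MediaVolumes` / `mastodon.nonS3MediaMounts` do not check `s3.enabled` themselves, S3-backed installs now also receive the assets/system PVC volumes and mounts, and their pods stay Pending unless the chart creates those claims in that mode too. Rendering `volumes:` unconditionally is still right, since the `- name: tmp` entry already sat outside the old guard, so the assumption is worth pinning with a comment above the include, e.g. `{{- /* volumes is always rendered: the tmp entry below is unconditional; nonS3MediaVolumes is expected to render nothing when s3.enabled */ }}`.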
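Review bot: In the `@@ -33,10 +33,10 @@` hunk of deployment-web.yaml the added `{{- toYaml .Values.mastodon.sidekiq.temporaryVolumeTemplate | nindent 10 }}` wires the web pods' tmp volume to the sidekiq value, so the `mastodon.web.temporaryVolumeTemplate` key this commit adds to values.yaml and documents in the README is never read: overriding it changes nothing, while a sidekiq-only override silently reshapes the web pods. The line should be `{{- toYaml .Values.mastodon.web.temporaryVolumeTemplate | nindent 10 }}`; the snapshots are unaffected as long as both defaults stay identical. The `@@ -83,10 +83,10 @@` hunk mounts this volume at `/tmp` in the web container; that container spec starts and ends outside the hunk.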
@@ -122,14 +122,8 @@ renders temporaryVolumeTemplate correctly: type: RuntimeDefault serviceAccountName: RELEASE-NAME-mastodon volumes: - - ephemeral: - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 5Gi + - emptydir: + medium: Memory name: tmp 3: | apiVersion: apps/v1 @@ -210,14 +204,8 @@ renders temporaryVolumeTemplate correctly: type: RuntimeDefault serviceAccountName: RELEASE-NAME-mastodon volumes: - - ephemeral: - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 5Gi + - emptydir: + medium: Memory name: tmp 4: | apiVersion: policy/v1 @@ -419,14 +407,8 @@ should match basic snapshot: - name: system persistentVolumeClaim: claimName: RELEASE-NAME-mastodon-system - - ephemeral: - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 5Gi + - emptydir: + medium: Memory name: tmp 3: | apiVersion: policy/v1 diff --git a/charts/mastodon/tests/__snapshot__/50_web_test.yaml.snap b/charts/mastodon/tests/__snapshot__/50_web_test.yaml.snap index 72f109d77..dd91d05cd 100644 --- a/charts/mastodon/tests/__snapshot__/50_web_test.yaml.snap +++ b/charts/mastodon/tests/__snapshot__/50_web_test.yaml.snap @@ -122,6 +122,8 @@ should match basic snapshot: name: assets - mountPath: /opt/mastodon/public/system name: system + - mountPath: /tmp + name: tmp securityContext: fsGroup: 991 runAsGroup: 991 @@ -137,6 +139,9 @@ should match basic snapshot: - name: system persistentVolumeClaim: claimName: RELEASE-NAME-mastodon-system + - emptydir: + medium: Memory + name: tmp 3: | apiVersion: networking.k8s.io/v1 kind: Ingress diff --git a/charts/mastodon/tests/__snapshot__/80_subchart_redis_test.yaml.snap b/charts/mastodon/tests/__snapshot__/80_subchart_redis_test.yaml.snap index 721f8cc89..dbe8f20cc 100644 --- a/charts/mastodon/tests/__snapshot__/80_subchart_redis_test.yaml.snap +++ b/charts/mastodon/tests/__snapshot__/80_subchart_redis_test.yaml.snap 
@@ -95,14 +95,8 @@ should allow disabling redis auth: - name: system persistentVolumeClaim: claimName: RELEASE-NAME-mastodon-system - - ephemeral: - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 5Gi + - emptydir: + medium: Memory name: tmp 2: | apiVersion: apps/v1 @@ -260,6 +254,8 @@ should allow disabling redis auth: name: assets - mountPath: /opt/mastodon/public/system name: system + - mountPath: /tmp + name: tmp securityContext: fsGroup: 991 runAsGroup: 991 @@ -275,3 +271,6 @@ should allow disabling redis auth: - name: system persistentVolumeClaim: claimName: RELEASE-NAME-mastodon-system + - emptydir: + medium: Memory + name: tmp diff --git a/charts/mastodon/tests/__snapshot__/98_snapshot_test.yaml.snap b/charts/mastodon/tests/__snapshot__/98_snapshot_test.yaml.snap index dda25cf87..e2228b3ce 100644 --- a/charts/mastodon/tests/__snapshot__/98_snapshot_test.yaml.snap +++ b/charts/mastodon/tests/__snapshot__/98_snapshot_test.yaml.snap @@ -217,14 +217,8 @@ should match basic snapshot: - name: system persistentVolumeClaim: claimName: RELEASE-NAME-mastodon-system - - ephemeral: - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 5Gi + - emptydir: + medium: Memory name: tmp 4: | apiVersion: apps/v1 @@ -392,6 +386,8 @@ should match basic snapshot: name: assets - mountPath: /opt/mastodon/public/system name: system + - mountPath: /tmp + name: tmp securityContext: fsGroup: 991 runAsGroup: 991 @@ -407,6 +403,9 @@ should match basic snapshot: - name: system persistentVolumeClaim: claimName: RELEASE-NAME-mastodon-system + - emptydir: + medium: Memory + name: tmp 6: | apiVersion: networking.k8s.io/v1 kind: Ingress 
@@ -1192,14 +1191,8 @@ should match basic snapshot without dependencies: - name: system persistentVolumeClaim: claimName: RELEASE-NAME-mastodon-system - - ephemeral: - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 5Gi + - emptydir: + medium: Memory name: tmp 4: | apiVersion: apps/v1 @@ -1367,6 +1360,8 @@ should match basic snapshot without dependencies: name: assets - mountPath: /opt/mastodon/public/system name: system + - mountPath: /tmp + name: tmp securityContext: fsGroup: 991 runAsGroup: 991 @@ -1382,6 +1377,9 @@ should match basic snapshot without dependencies: - name: system persistentVolumeClaim: claimName: RELEASE-NAME-mastodon-system + - emptydir: + medium: Memory + name: tmp 6: | apiVersion: networking.k8s.io/v1 kind: Ingress diff --git a/charts/mastodon/values.yaml b/charts/mastodon/values.yaml index dc2f44511..d21c54233 100644 --- a/charts/mastodon/values.yaml +++ b/charts/mastodon/values.yaml 
@@ -86,17 +86,17 @@ mastodon: readOnlyRootFilesystem: true # -- temporary volume template required for read-only root filesystem temporaryVolumeTemplate: - # emptydir is currently limited to medium Memory due to a Ruby special handling of temporary directories: https://shivering-isles.com/about-read-only-containers-ruby-and-emptydir - # emptydir: - # medium: Memory - ephemeral: - volumeClaimTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 5Gi + # emptydir is currently limited to medium Memory due to a Ruby special handling of temporary directories, alternatively use a generic ephemeral volume: https://shivering-isles.com/about-read-only-containers-ruby-and-emptydir + emptydir: + medium: Memory + # ephemeral: + # volumeClaimTemplate: + # spec: + # accessModes: + # - ReadWriteOnce + # resources: + # requests: + # storage: 5Gi # -- Resources for all Sidekiq Deployments unless overwritten resources: {} # -- Affinity for all Sidekiq Deployments unless overwritten, overwrites .Values.affinity
@@ -198,6 +198,19 @@ mastodon: # -- (Web Container) Security Context for Web Pods, overwrites .Values.securityContext securityContext: readOnlyRootFilesystem: true + # -- temporary volume template required for read-only root filesystem + temporaryVolumeTemplate: + # emptydir is currently limited to medium Memory due to a Ruby special handling of temporary directories, alternatively use a generic ephemeral volume: https://shivering-isles.com/about-read-only-containers-ruby-and-emptydir + emptydir: + medium: Memory + # ephemeral: + # volumeClaimTemplate: + # spec: + # accessModes: + # - ReadWriteOnce + # resources: + # requests: + # storage: 5Gi # -- (Web Container) Resources for Web Pods, overwrites .Values.resources resources: {} # limits:
-- GitLab
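Review bot: `emptydir:` in both hunks of this file (`@@ -86,17 +86,17 @@` and `@@ -198,6 +198,19 @@`) is not a Kubernetes volume source; the API field is `emptyDir`, and both templates pass this mapping through `toYaml` verbatim, so the rendered volume carries an unknown `emptydir` key and no recognised source — depending on the API server's field-validation mode the manifest is rejected for the unknown field or the key is pruned, and a volume consisting only of `name: tmp` fails validation either way. The two lines should read `emptyDir:` and `  medium: Memory`, after which the README defaults and every `.snap` hunk in this commit (all of which carry the same `emptydir` key) need regenerating. Separately, a `medium: Memory` emptyDir is tmpfs charged against the container's memory, and per the commit message `/tmp` is where uploaded media is processed, so with the default `resources: {}` and no `sizeLimit` the size of user uploads directly drives pod memory use; consider `sizeLimit: <placeholder, e.g. 1Gi>` under `emptyDir` in both blocks, with a comment above it noting that `sizeLimit` caps the tmpfs (where the cluster supports sized memory-backed volumes) and must fit inside the container's memory limit.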