* fix(chart): Remove non-functional Horizontal Pod Autoscaler
The Horizontal Pod Autoscaler (HPA) refers to a Deployment that
doesn't exist and therefore can not work. As a result it's
pointless to carry it around in this chart and give the wrong
impression it could work. This patch removes it from the helm
chart and drops all references to it.
* refactor(chart): Refactor sidekiq deployments to scale
This patch reworks how the sidekiq deployment is set up, by
splitting it into many sidekiq deployments, but at least one,
which should allow to scale the number of sidekiq jobs as
expected while being friendly to single user instances as well
as larger ones.
Further it introduces per deployment overwrites for the most
relevant pod fields like resources, affinities and processed
queues, number of jobs and the sidekiq security contexts.
The exact implementation was inspired by an upstream issue:
https://github.com/mastodon/mastodon/issues/20453
* fix(chart): Remove linode default values from values
This patch drops the linode defaults from the values.yaml since
these are not obvious and can cause unexpected connections as
well as leaking secrets to linode, when other s3 storage
backends are used and don't explicitly configure these options
by accident.
Mastodon will then try to authenticate to the linode backends
and therefore disclose the authentication secrets.
* refactor(chart): Rework reduce value reference duplication
Since most of the values are simply setup like this:
```
{{- if .Values.someVariable }}
SOME_VARIABLE: {{ .Values.someVariable }}
{{- end }}
```
There is a lot of duplication in the references in order to
full in the variables. There is an equivalent notation, which
reduces the usage of the variable name to just once:
```
{{- with .Values.someVariable }}
SOME_VARIABLE: {{ . }}
{{- end }}
```
What seems like a pointless replacement, will reduce potential
mistakes down the line by possibly only adjusting one of the
two references.
* fix(chart): Switch to new OMNIAUTH_ONLY variable
This patch adjusts the helm chart to use the new `OMNIAUTH_ONLY`
variable, which replaced the former
`OAUTH_REDIRECT_AT_SIGN_IN` variable in the following commit:
https://github.com/mastodon/mastodon/pull/172883c8857917e
* fix(chart): Repair connection test to existing service
Currently the connect test can't work, since it's connecting to
a non-existing service this patch fixes the service name to
make the job connect to the mastodon web service to verify the
connection.
* docs(chart): Adjust values.yaml to support helm-docs
This patch updates most values to prepare an introduction of
helm-docs. This should help to make the chart more user
friendly by explaining the variables and provide a standardised
README file, like many other helm charts do.
References:
https://github.com/norwoodj/helm-docs
* refactor(chart): Allow individual overwrites for streaming and web deployment
This patch works how the streaming and web deployments work by
adding various fields to overwrite values such as affinities,
resources, replica count, and security contexts.
BREAKING CHANGE: This commit removes `.Values.replicaCount` in
favour of `.Values.mastodon.web.replicas` and
`.Values.mastodon.streaming.values`.
* feat(chart): Add option for authorized fetch
Currently the helm chart doesn't support authorized fetch aka.
"Secure Mode" this patch fixes that by adding the needed config
option to the values file and the configmap.
* docs(chart): Improve helm-docs compatiblity
This patch adjust a few more comments in the values.yaml to be
picked up by helm-docs. This way, future adoption is properly
prepared.
* fix(chart): Add automatic detection of scheduler sidekiq queue
This patch adds an automatic switch to the `Recreate` strategy
for the sidekiq Pod in order to prevent accidental concurrency
for the scheduler queue.
* fix(chart): Repair broken DB_POOL variable
While the normal assumption of port `5432` for a postgresql server is pretty reliable I found that DigitalOcean puts them on a somewhat random port. This adds the ability to specify the port in the helm chart.
* Allow statsd publishing from Helm
* Apply suggestions from code review
Co-authored-by: Erik Sundell <erik.i.sundell@gmail.com>
Co-authored-by: Erik Sundell <erik.i.sundell@gmail.com>
ENABLE_STARTTLS is designed to replace ENABLE_STARTTLS_AUTO by accepting
three values: 'auto' (the default), 'always', and 'never'. If
ENABLE_STARTTLS isn't provided, we fall back to ENABLE_STARTTLS_AUTO. In
this way, this change should be fully backwards compatible.
Resolves#20311
This patch reworks the Pod rolling mechanism, which is supposed to update Pods
with each migration run, but since the it generates a new random value on each
helm execution, this will constantly roll all pods in a GitOps driven deployment,
which reconciles the helm release.
This is resolved by fixing the upgrade to the `.Release.Revision`, which should
stay identical, unless config or helm release version have been changed. Further
it introduces automatic rolls based on adjustments to the environment variables
and secrets.
The implementation uses a helper template, following the 1-2-N rule, and omitting
code duplication.
References:
https://helm.sh/docs/chart_template_guide/builtin_objects/https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
* Mark job pods not to use Istio's envoy sidecar
Istio injects sidecars into pods to implement mTLS between pods. Jobs
usually don't know about this, so they don't signal the Envoy process
to stop when the job finishes. Since at least one process is running
in the pod, Kubernetes doesn't consider the job to be completed, so it
lingers.
By adding the `sidecar.istio.io/inject` annotation set to `"false"`,
we let Istio know that it should not inject the sidecar. If Istio is
not installed, then this has no impact.
* Support arbitrary job annotations in the Helm chart
Rather than focus on Istio, this allows arbitrary annotations for job pods.
* Add in-line documentation for pod/job annotations
* Add ability to specify an existing Secret (#18139)
Closes#18139
* Allow using secrets with external postgres
* Upgrade CronJob to batch/v1
* Allow using redis.auth.existingSecret
* Helmignore mastodon-*.tgz for easy local development
* Upgrade helm dependencies
* Upgrade postgresql to 11
* Allow putting SMTP password into a secret
* Add optional login to SMTP secret
This to allow setting LOGIN either in values.yaml or
in the secret.
* Switch to bitnami charts full archive
This prevents older versions from disappearing, see
https://github.com/bitnami/charts/issues/10539 for
full context.
Co-authored-by: Ted Tramonte <ted.tramonte@gmail.com>
This adds a mastodon.streaming.base_url setting in the Helm chart values
file to allow setting the STREAMING_API_BASE_URL in the Mastodon environnment
config map.
- move application variables under `mastodon` namespace
- restore standard yaml structure for ingress configuration
- move values.yaml.template to values.yaml
The cronjob tries to get key from `mastodon` secret instead of
`mastodon-postgresql` - so the cronjob fails with this error:
Error: couldn't find key postgresql-password in Secret [NS]/mastodon
Another solution is to save the postgres password in mastodon secret,
but that means that the password is placed in two places.
Postgresql use <fullname>-postgresql name as secret name.
* add Helm chart
known issues/future work:
- SSO is unsupported
- S3/Minio/GCS is unsupported
- Swift is unsupported
- WEB_DOMAIN is unsupported
- Tor is unsupported
* helm: clarify how LOCAL_DOMAIN is set
* helm: add chart description
* helm: make DB_POOL and Sidekiq concurrency configurable
* helm: only enforce pod affinity when using ReadWriteOnce
* helm: clarify compatibility
* helm: clean up application variables
* helm: add job to create initial admin