Merge branch 'main' into feature/add-timezone

.github/workflows/test-chart.yml

@@ -76,7 +76,10 @@ jobs:
           # higher.
           #
           - k3s-channel: v1.21
-            helm-version: v3.6.0
+            helm-version: v3.8.0
+
+    env:
+      HELM_EXPERIMENTAL_OCI: "1"
 
     steps:
       - uses: actions/checkout@v3

.gitignore

@@ -0,0 +1 @@
+charts/

CHANGELOG.md

@@ -0,0 +1,108 @@
+# 5.1.0
+
+- Added values for Active Record Encryption in Redis:
+    ```yaml
+    mastodon:
+      secrets:
+        activeRecordEncryption:
+          primaryKey:
+          deterministicKey:
+          keyDerivationSalt:
+    ```
+
+- Small bugfix related to automatic secret generation
+
+# [5.0.0](https://github.com/mastodon/chart/commit/63a052b6a5c19dabd172c15c1fd74298dcc544b2)
+
+- Updated major versions of chart dependencies (postgres, redis, elasticsearch)
+
+# [4.0.0](https://github.com/mastodon/chart/compare/920cf37..ae892d5)
+
+- adds support for multiple Sidekiq deployments to be configured to manage
+  different sets of queues.
+
+- smtp: replaces `enable_starttls_auto` boolean with `enable_starttls` setting
+  that defaults to `auto`.
+
+- adds support for statsd publishing:
+    ```
+    mastodon:
+      metrics:
+        statsd:
+          address:
+    ```
+
+- allows disabling the included redis deployment in order to use an existing external redis server:
+    ```
+    redis:
+      enabled: false
+    ```
+
+- adds support for [authorized
+  fetch](https://docs.joinmastodon.org/admin/config/#authorized_fetch):
+    ```
+    mastodon:
+      authorizedFetch: true
+    ```
+
+- removed the `HorizontalPodAutoscaler` and the global autoscaling configuration.
+
+A number of other configuration options have been added, see [values.yaml](./values.yaml).
+
+# 3.0.0
+
+skipped
+
+#  2.1.0
+
+## ingressClassName and tls-acme changes
+The annotations previously defaulting to nginx have been removed and support
+ for ingressClassName has been added.
+```yaml
+ingress:
+  annotations:
+    kubernetes.io/ingress.class: nginx
+    kubernetes.io/tls-acme: "true"
+```
+
+To restore the old functionality simply add the above snippet to your `values.yaml`,
+but the recommendation is to replace these with `ingress.ingressClassName` and use
+cert-manager's issuer/cluster-issuer instead of tls-acme.
+If you're uncertain about your current setup leave `ingressClassName` empty and add
+`kubernetes.io/tls-acme` to `ingress.annotations` in your `values.yaml`.
+
+#  2.0.0
+
+## Fixed labels
+Because of the changes in [#19706](https://github.com/mastodon/mastodon/pull/19706) the upgrade may fail with the following error:
+```Error: UPGRADE FAILED: cannot patch "mastodon-sidekiq"```
+
+If you want an easy upgrade and you're comfortable with some downtime then
+simply delete the -sidekiq, -web, and -streaming Deployments manually.
+
+If you require a no-downtime upgrade then:
+1. run `helm template` instead of `helm upgrade`
+2. Copy the new -web and -streaming services into `services.yml`
+3. Copy the new -web and -streaming deployments into `deployments.yml`
+4. Append -temp to the name of each deployment in `deployments.yml`
+5. `kubectl apply -f deployments.yml` then wait until all pods are ready
+6. `kubectl apply -f services.yml`
+7. Delete the old -sidekiq, -web, and -streaming deployments manually
+8. `helm upgrade` like normal
+9. `kubectl delete -f deployments.yml` to clear out the temporary deployments
+
+## PostgreSQL passwords
+If you've previously installed the chart and you're having problems with
+postgres not accepting your password then make sure to set `username` to
+`postgres` and `password` and `postgresPassword` to the same passwords.
+```yaml
+postgresql:
+  auth:
+    username: postgres
+    password: <same password>
+    postgresPassword: <same password>
+```
+
+And make sure to set `password` to the same value as `postgres-password`
+in your `mastodon-postgresql` secret:
+```kubectl edit secret mastodon-postgresql```

Chart.lock

@@ -1,12 +1,12 @@
 dependencies:
 - name: elasticsearch
-  repository: https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami
-  version: 19.0.1
+  repository: oci://registry-1.docker.io/bitnamicharts
+  version: 19.19.2
 - name: postgresql
-  repository: https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami
-  version: 11.1.3
+  repository: oci://registry-1.docker.io/bitnamicharts
+  version: 14.2.3
 - name: redis
-  repository: https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami
-  version: 16.13.2
-digest: sha256:17ea58a3264aa22faff18215c4269f47dabae956d0df273c684972f356416193
-generated: "2022-08-08T21:44:18.0195364+02:00"
+  repository: oci://registry-1.docker.io/bitnamicharts
+  version: 18.16.1
+digest: sha256:684daaf2067d96e2aa6d93e9d29b7b13fc586f6ae929342e5e9c7c169b1c0748
+generated: "2024-02-23T15:14:47.536480528-08:00"

Chart.yaml

@@ -12,26 +12,26 @@ description: Mastodon is a free, open-source social network server based on Acti
 # pipeline. Library charts do not define any templates and therefore cannot be deployed.
 type: application
 
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
+# This is the chart version. This version number should be incremented each time
+# you make changes to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 4.0.0
+version: 5.1.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: v4.0.2
+appVersion: v4.2.8
 
 dependencies:
   - name: elasticsearch
-    version: 19.0.1
-    repository: https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami
+    version: 19.19.2
+    repository: oci://registry-1.docker.io/bitnamicharts
     condition: elasticsearch.enabled
   - name: postgresql
-    version: 11.1.3
-    repository: https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami
+    version: 14.2.3
+    repository: oci://registry-1.docker.io/bitnamicharts
     condition: postgresql.enabled
   - name: redis
-    version: 16.13.2
-    repository: https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami
+    version: 18.16.1
+    repository: oci://registry-1.docker.io/bitnamicharts
     condition: redis.enabled

README.md

@@ -4,10 +4,18 @@ This is a [Helm](https://helm.sh/) chart for installing Mastodon into a
 Kubernetes cluster.  The basic usage is:
 
 1. edit `values.yaml` or create a separate yaml file for custom values
-1. `helm dep update`
+1. `helm dep install`
 1. `helm install --namespace mastodon --create-namespace my-mastodon ./ -f path/to/additional/values.yaml`
 
-This chart is tested with k8s 1.21+ and helm 3.6.0+.
+This chart is tested with k8s 1.21+ and helm 3.8.0+.
+
+# NOTICE: Future Deprecation
+
+We have plans in the very near future to deprecate this chart in favor of a [new git repo](https://github.com/mastodon/helm-charts), which has proper helm repository support (e.g. `helm repo add`), and will contain multiple charts, both for mastodon and for supplementary components that we make use of.
+
+We still encourage suggestions and PRs to help make this chart better, and this repository will remain available after the new charts are ready to give users time to migrate. However, we will not be approving large PRs, or PRs that change fundamental chart functions, as those changes should be directed to the new charts.
+
+Please see the pinned [GitHub issue](https://github.com/mastodon/chart/issues/129) for more info & discussion.
 
 # Configuration
 
@@ -64,57 +72,3 @@ Sidekiq deployments, it’s possible they will occur in the wrong order.  After
 upgrading Mastodon versions, it may sometimes be necessary to manually delete
 the Rails and Sidekiq pods so that they are recreated against the latest
 migration.
-
-# Upgrades in 2.1.0
-
-## ingressClassName and tls-acme changes
-The annotations previously defaulting to nginx have been removed and support
- for ingressClassName has been added.
-```yaml
-ingress:
-  annotations:
-    kubernetes.io/ingress.class: nginx
-    kubernetes.io/tls-acme: "true"
-```
-
-To restore the old functionality simply add the above snippet to your `values.yaml`,
-but the recommendation is to replace these with `ingress.ingressClassName` and use
-cert-manager's issuer/cluster-issuer instead of tls-acme.
-If you're uncertain about your current setup leave `ingressClassName` empty and add
-`kubernetes.io/tls-acme` to `ingress.annotations` in your `values.yaml`.
-
-# Upgrades in 2.0.0
-
-## Fixed labels
-Because of the changes in [#19706](https://github.com/mastodon/mastodon/pull/19706) the upgrade may fail with the following error:
-```Error: UPGRADE FAILED: cannot patch "mastodon-sidekiq"```
-
-If you want an easy upgrade and you're comfortable with some downtime then
-simply delete the -sidekiq, -web, and -streaming Deployments manually.
-
-If you require a no-downtime upgrade then:
-1. run `helm template` instead of `helm upgrade`
-2. Copy the new -web and -streaming services into `services.yml`
-3. Copy the new -web and -streaming deployments into `deployments.yml`
-4. Append -temp to the name of each deployment in `deployments.yml`
-5. `kubectl apply -f deployments.yml` then wait until all pods are ready
-6. `kubectl apply -f services.yml`
-7. Delete the old -sidekiq, -web, and -streaming deployments manually
-8. `helm upgrade` like normal
-9. `kubectl delete -f deployments.yml` to clear out the temporary deployments
-
-## PostgreSQL passwords
-If you've previously installed the chart and you're having problems with 
-postgres not accepting your password then make sure to set `username` to
-`postgres` and `password` and `postgresPassword` to the same passwords.
-```yaml
-postgresql:
-  auth:
-    username: postgres
-    password: <same password>
-    postgresPassword: <same password>
-```
-
-And make sure to set `password` to the same value as `postgres-password`
-in your `mastodon-postgresql` secret:
-```kubectl edit secret mastodon-postgresql```

dev-values.yaml

@@ -7,6 +7,11 @@ mastodon:
     vapid:
       private_key: dummy-vapid-private_key
       public_key: dummy-vapid-public_key
+    activeRecordEncryption:
+      primaryKey: dummy-are-primary_key
+      deterministicKey: dummy-are-deterministic_key
+      keyDerivationSalt: dummy-are-key_derivation_salt
+
 
 # ref: https://github.com/bitnami/charts/tree/main/bitnami/redis#parameters
 redis:

templates/_helpers.tpl

@@ -31,12 +31,22 @@ Create chart name and version as used by the chart label.
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
+{{/*
+Labels added on every Mastodon resource
+*/}}
+{{- define "mastodon.globalLabels" -}}
+{{- range $k, $v := .Values.mastodon.labels }}
+{{ $k }}: {{ quote $v }}
+{{- end -}}
+{{- end }}
+
 {{/*
 Common labels
 */}}
 {{- define "mastodon.labels" -}}
 helm.sh/chart: {{ include "mastodon.chart" . }}
 {{ include "mastodon.selectorLabels" . }}
+{{ include "mastodon.globalLabels" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
@@ -55,7 +65,9 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 Rolling pod annotations
 */}}
 {{- define "mastodon.rollingPodAnnotations" -}}
+{{- if .Values.revisionPodAnnotation }}
 rollme: {{ .Release.Revision | quote }}
+{{- end }}
 checksum/config-secrets: {{ include ( print $.Template.BasePath "/secrets.yaml" ) . | sha256sum | quote }}
 checksum/config-configmap: {{ include ( print $.Template.BasePath "/configmap-env.yaml" ) . | sha256sum | quote }}
 {{- end }}
@@ -94,7 +106,18 @@ Get the mastodon secret.
 {{- if .Values.mastodon.secrets.existingSecret }}
     {{- printf "%s" (tpl .Values.mastodon.secrets.existingSecret $) -}}
 {{- else -}}
-    {{- printf "%s" (include "common.names.fullname" .) -}}
+    {{- printf "%s" (include "mastodon.fullname" .) -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get the smtp secret.
+*/}}
+{{- define "mastodon.smtp.secretName" -}}
+{{- if .Values.mastodon.smtp.existingSecret }}
+    {{- printf "%s" (tpl .Values.mastodon.smtp.existingSecret $) -}}
+{{- else -}}
+    {{- printf "%s-smtp" (include "mastodon.fullname" .) -}}
 {{- end -}}
 {{- end -}}
 
@@ -107,7 +130,7 @@ Get the postgresql secret.
 {{- else if .Values.postgresql.enabled -}}
     {{- printf "%s-postgresql" (tpl .Release.Name $) -}}
 {{- else -}}
-    {{- printf "%s" (include "common.names.fullname" .) -}}
+    {{- printf "%s" (include "mastodon.fullname" .) -}}
 {{- end -}}
 {{- end -}}
 
@@ -148,3 +171,16 @@ Find highest number of needed database connections to set DB_POOL variable
 {{- end }}
 {{- $poolSize | quote }}
 {{- end }}
+
+{{/*
+Full hostname for a custom Elasticsearch cluster
+*/}}
+{{- define "mastodon.elasticsearch.fullHostname" -}}
+{{- if not .Values.elasticsearch.enabled }}
+    {{- if .Values.elasticsearch.tls }}
+        {{- printf "https://%s" (tpl .Values.elasticsearch.hostname $) -}}
+    {{- else -}}
+        {{- printf "%s" (tpl .Values.elasticsearch.hostname $) -}}
+    {{- end }}
+{{- end -}}
+{{- end -}}