diff --git a/tasks/main.yaml b/tasks/main.yaml
index d821304..40a02b0 100644
--- a/tasks/main.yaml
+++ b/tasks/main.yaml
@@ -1,4 +1,4 @@
---
# tasks file for eom
- name: Deploy
- include_tasks: git.yaml
+ include_tasks: social.yaml
diff --git a/tasks/social.yaml b/tasks/social.yaml
new file mode 100644
index 0000000..a0f59ac
--- /dev/null
+++ b/tasks/social.yaml
@@ -0,0 +1,47 @@
+---
+# tasks file for social
+- name: Deploy Mastodon
+ kubernetes.core.helm:
+ name: mastodon
+ chart_ref: oci://registry-1.docker.io/bitnamicharts/mastodon
+ release_namespace: mastodon
+ create_namespace: true
+ values:
+ localDomain: mastodon.eom.dev
+ global:
+ defaultStorageClass: default
+ web:
+ extraEnvVars:
+ - name: LDAP_ENABLED
+ value: "yes"
+ - name: LDAP_HOST
+ value: openldap.auth.svc.cluster.local
+ - name: LDAP_PORT
+ value: 389
+ - name: LDAP_METHOD
+ value: plain
+ - name: LDAP_BASE
+ value: dc=eom,dc=dev
+ - name: LDAP_BIND_DN
+ value: cn=readonly,dc=eom,dc=dev
+ - name: LDAP_PASSWORD
+ value: "{{ ldap_readonly_password }}"
+ - name: LDAP_UID
+ value: uid
+ - name: LDAP_MAIL
+ value: mail
+ - name: LDAP_SEARCH_FILTER
+ value: (|(objectClass=inetOrgPerson))
+ apache:
+ ingress:
+ enabled: true
+ hostname: mastodon.eom.dev
+ annotations:
+ cert-manager.io/cluster-issuer: ca-issuer
+ tls:
+ - hosts:
+ - mastodon.eom.dev
+ secretName: mastodon-tls
+ postgresql:
+ auth:
+ password: "{{ mastodon_postgres_password }}"
diff --git a/tasks/stream.yaml b/tasks/stream.yaml
new file mode 100644
index 0000000..22d5fce
--- /dev/null
+++ b/tasks/stream.yaml
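Review bot: The new `tasks/stream.yaml` added in this commit is never included — `tasks/main.yaml` now includes only `social.yaml`, so the OwnCast/PostgreSQL tasks will not run unless a second include is added, e.g. `- name: Deploy stream` / `  include_tasks: stream.yaml`. The swap also drops the `git.yaml` include; if that file still exists in the role it is now orphaned (cannot tell from the diff alone).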
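Review bot: `LDAP_PORT` is set with `value: 389` under `web.extraEnvVars`; a Kubernetes `EnvVar.value` must be a string, so the rendered manifest is likely to be rejected by the API server — quote it as `value: "389"` (every other value in the list is already a string). `LDAP_METHOD` is `plain` on port 389, which sends the `cn=readonly` bind password and every user's login password in cleartext across the cluster network; prefer `start_tls` on 389 or `simple_tls` on 636, and the same `method: plain` appears under `externalAuth.ldap` in `templates/values.yaml.j2`. Because `values:` inlines `ldap_readonly_password` and `mastodon_postgres_password`, add `no_log: true` to the task so Ansible does not echo them in output and diffs, and where the chart exposes an existing-secret option (e.g. `postgresql.auth.existingSecret`) prefer that over inline values, which otherwise land in the Helm release Secret and the pod spec.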
@@ -0,0 +1,187 @@
+---
+# tasks file for gitlab
+- name: Create stream namespace
+ k8s:
+ state: present
+ definition:
+ apiVersion: v1
+ kind: Namespace
+ metadata:
+ name: stream
+
+- name: Create PVC for PostgreSQL
+ k8s:
+ state: present
+ definition:
+ apiVersion: v1
+ kind: PersistentVolumeClaim
+ metadata:
+ name: postgres
+ namespace: stream
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 64Gi
+
+- name: Create Deployment for PostgreSQL
+ k8s:
+ state: present
+ definition:
+ apiVersion: v1
+ kind: Deployment
+ metadata:
+ name: postgres
+ namespace: stream
+ labels:
+ app: postgres
+ spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: postgres
+ template:
+ metadata:
+ labels:
+ app: postgres
+ spec:
+ containers:
+ - name: postgres
+ image: postgres
+ volumeMounts:
+ - name: data
+ mountPath: /var/lib/postgresql/data
+ ports:
+ - containerPort: 5432
+ env:
+ - name: PGDATA
+ value: /var/lib/postgresql/data/pgdata
+ - name: POSTGRES_DB
+ value: owncast
+ - name: POSTGRES_USER
+ value: owncast
+ - name: POSTGRES_PASSWORD
+ value: "{{ owncast_postgres_password }}"
+ volumes:
+ - name: data
+ persistentVolumeClaim:
+ claimName: postgres
+
+- name: Create Service for PostgreSQL
+ k8s:
+ state: present
+ definition:
+ apiVersion: v1
+ kind: Service
+ metadata:
+ name: postgres
+ namespace: stream
+ spec:
+ selector:
+ app: postgres
+ ports:
+ - port: 5432
+ name: postgres
+ type: ClusterIP
+
+- name: Create PVC for OwnCast
+ k8s:
+ state: present
+ definition:
+ apiVersion: v1
+ kind: PersistentVolumeClaim
+ metadata:
+ name: owncast
+ namespace: stream
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 128Gi
+
+- name: Create Deployment for OwnCast
+ k8s:
+ state: present
+ definition:
+ apiVersion: v1
+ kind: Deployment
+ metadata:
+ name: owncast
+ namespace: stream
+ labels:
+ app: owncast
+ spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: owncast
+ template:
+ metadata:
+ labels:
+ app: owncast
+ spec:
+ containers:
+ - name: owncast
+ image: owncast/owncast
+ volumeMounts:
+ - name: data
+ mountPath: /app/data
+ ports:
+ - containerPort: 8080
+ - containerPort: 1935
+ env:
+ volumes:
+ - name: data
+ persistentVolumeClaim:
+ claimName: owncast
+
+- name: Create Service for OwnCast
+ k8s:
+ state: present
+ definition:
+ apiVersion: v1
+ kind: Service
+ metadata:
+ name: owncast
+ namespace: stream
+ spec:
+ selector:
+ app: owncast
+ ports:
+ - port: 1935
+ name: rtmp
+ - port: 80
+ targetPort: 8080
+ name: http
+ type: LoadBalancer
+
+- name: Create Ingress
+ k8s:
+ state: present
+ definition:
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ annotations:
+ cert-manager.io/cluster-issuer: ca-issuer
+ name: owncast
+ namespace: stream
+ spec:
+ ingressClassName: nginx
+ rules:
+ - host: stream.eom.dev
+ http:
+ paths:
+ - pathType: Prefix
+ path: /
+ backend:
+ service:
+ name: stream
+ port:
+ number: 80
+ tls:
+ - hosts:
+ - stream.eom.dev
+ secretName: owncast
diff --git a/templates/values.yaml.j2 b/templates/values.yaml.j2
new file mode 100644
index 0000000..89a5ec2
--- /dev/null
+++ b/templates/values.yaml.j2
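Review bot: Both Deployments in this file declare `apiVersion: v1` with `kind: Deployment`; Deployments are served under `apps/v1`, so the `k8s` module will fail on the "Create Deployment for PostgreSQL" and "Create Deployment for OwnCast" tasks — change both to `apiVersion: apps/v1`. The Ingress backend references `service: name: stream`, but the Service created just above is named `owncast`, so the rule would route to a nonexistent backend; use `name: owncast`. `POSTGRES_PASSWORD` is injected as a plain `value:` in the pod spec, where it is readable by anyone allowed to `get` the Deployment or its pods; create a Secret from `owncast_postgres_password` and reference it via `valueFrom.secretKeyRef`, and pin `image: postgres` and `image: owncast/owncast` to a tag or digest instead of the implicit `latest` so upgrades are deliberate rather than whatever the registry serves next. The header comment `# tasks file for gitlab` is a copy-paste leftover; `# tasks file for stream (PostgreSQL + OwnCast)` would match the file.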
@@ -0,0 +1,784 @@ +image: + repository: ghcr.io/mastodon/mastodon + # https://github.com/mastodon/mastodon/pkgs/container/mastodon + # + # alternatively, use `latest` for the latest release or `edge` for the image + # built from the most recent commit + # + # tag: latest + tag: null + # use `Always` when using `latest` tag + pullPolicy: IfNotPresent + +mastodon: + # Labels added to every Mastodon-related object + labels: {} + + # -- create an initial administrator user; the password is autogenerated and will + # have to be reset + createAdmin: + # @ignored + enabled: false + # @ignored + username: not_gargron + # @ignored + email: not@example.com + hooks: + dbMigrate: + enabled: true + assetsPrecompile: + enabled: true + # Upload website assets to S3 before deploying using rclone. + # Whenever there is an update to Mastodon, sometimes there are assets files + # that are renamed. As the pods are getting redeployed, and old/new pods are + # present simultaneously, there is a chance that old asset files are + # requested from pods that don't have them anymore, or new asset files are + # requested from old pods. Uploading asset files to S3 in this manner solves + # this potential conflict. + # Note that you will need to CDN/proxy to send all requests to /assets and + # /packs to this bucket. + s3Upload: + enabled: false + endpoint: + bucket: + acl: public-read + secretRef: + name: + keys: + accesKeyId: acces-key-id + secretAccessKey: secret-access-key + rclone: + # Any additional environment variables to pass to rclone. 
+ env: {} + # Custom labels to add to kubernetes resources + #labels: + cron: + # -- run `tootctl media remove` every week + removeMedia: + # @ignored + enabled: true + # @ignored + schedule: "0 0 * * 0" + # -- available locales: https://github.com/mastodon/mastodon/blob/main/config/application.rb#L71 + locale: en + local_domain: mastodon.eom.dev + # -- Use of WEB_DOMAIN requires careful consideration: https://docs.joinmastodon.org/admin/config/#federation + # You must redirect the path LOCAL_DOMAIN/.well-known/ to WEB_DOMAIN/.well-known/ as described + # Example: mastodon.example.com + web_domain: null + # -- If you have multiple domains pointed at your Mastodon server, this setting will allow Mastodon to recognize + # itself when users are addressed using those other domains. + alternate_domains: [] + # -- Comma-separated list of public IP addresses of trusted reverse proxy servers reaching Mastodon web and streaming servers + # Specifying overrides default list. More info: https://docs.joinmastodon.org/admin/config/#trusted_proxy_ip + # trusted_proxy_ip: + # -- If set to true, the frontpage of your Mastodon server will always redirect to the first profile in the database and registrations will be disabled. + singleUserMode: false + # -- Enables "Secure Mode" for more details see: https://docs.joinmastodon.org/admin/config/#authorized_fetch + authorizedFetch: false + # -- Enables "Limited Federation Mode" for more details see: https://docs.joinmastodon.org/admin/config/#limited_federation_mode + limitedFederationMode: false + persistence: + assets: + # -- ReadWriteOnce is more widely supported than ReadWriteMany, but limits + # scalability, since it requires the Rails and Sidekiq pods to run on the + # same node. 
+ accessMode: ReadWriteOnce + resources: + requests: + storage: 10Gi + # -- name of existing persistent volume claim to use for assets + existingClaim: + system: + accessMode: ReadWriteOnce + resources: + requests: + storage: 100Gi + # -- name of existing persistent volume claim to use for system + existingClaim: + s3: + enabled: false + access_key: "" + access_secret: "" + # -- you can also specify the name of an existing Secret + # with keys AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY + existingSecret: "" + bucket: "" + endpoint: "" + hostname: "" + region: "" + permission: "" + # -- If you have a caching proxy, enter its base URL here. + alias_host: "" + # When uploading data to S3, if the number of bytes to send exceedes + # multipart_threshold then a multi part session is automatically started + # and the data is sent up in chunks. Defaults to 16777216 (16MB). + multipart_threshold: "" + # -- Set this to true if the storage provider uses domain style 'bucket.endpoint' naming + # override_path_style: "true" + deepl: + enabled: false + plan: + apiKeySecretRef: + name: + key: + hcaptcha: + enabled: false + siteId: + secretKeySecretRef: + name: + key: + # these must be set manually; autogenerated keys are rotated on each upgrade + secrets: + secret_key_base: "" + otp_secret: "" + vapid: + private_key: "" + public_key: "" + activeRecordEncryption: + primaryKey: "" + deterministicKey: "" + keyDerivationSalt: "" + # -- you can also specify the name of an existing Secret + # with keys: + # - SECRET_KEY_BASE + # - OTP_SECRET + # - VAPID_PRIVATE_KEY + # - VAPID_PUBLIC_KEY + # - ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY + # - ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY + # - ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT + existingSecret: "" + + # -- The number of old revisions to keep for each Deployment in Kubernetes. 
+ # See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy + revisionHistoryLimit: 2 + + sidekiq: + # -- Pod security context for all Sidekiq Pods, overwrites .Values.podSecurityContext + podSecurityContext: {} + # -- (Sidekiq Container) Security Context for all Pods, overwrites .Values.securityContext + securityContext: {} + # -- Resources for all Sidekiq Deployments unless overwritten + resources: {} + # -- Affinity for all Sidekiq Deployments unless overwritten, overwrites .Values.affinity + affinity: {} + # -- Annotations to apply to the deployment object(s) for sidekiq. + # -- These are applied in addition to deploymentAnnotations. + annotations: {} + # -- Labels to apply to the deployment object(s) for sidekiq. + # -- These are applied in addition to mastodon.labels. + labels: {} + # -- Annotations to apply to the sidekiq pods. + # -- These are applied in addition to the global podAnnotations. + podAnnotations: {} + # -- Labels to apply to the sidekiq pods. + # -- These are applied in addition to mastodon.labels. + podLabels: {} + # Rollout strategy to use when updating pods. + # Recreate will help reduce the number of retried jobs when updating when + # the code introduces a new job as the pods are all replaced immediately. + # RollingUpdate can help with larger clusters if job retries aren't an + # issue, as it will reduce strain by replacing pods more slowly. It is + # strongly recommended to enable the readinessProbe when using RollingUpdate. + # ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + updateStrategy: + type: Recreate + # Readiness probe configuration + # NOTE: Readiness probe will only work on versions of Mastodon built after 2024-07-10. 
+ readinessProbe: + enabled: false + path: /opt/mastodon/tmp/sidekiq_process_has_started_and_will_begin_processing_jobs + initialDelaySeconds: 10 + periodSeconds: 2 + successThreshold: 1 + timeoutSeconds: 1 + # -- Topology spread constraints for Sidekiq Pods, overwrites .Values.topologySpreadConstraints + topologySpreadConstraints: {} + # limits: + # cpu: "1" + # memory: 768Mi + # requests: + # cpu: 250m + # memory: 512Mi + + # Open Telemetry configuration for sidekiq pods. Overrides global settings. + otel: + enabled: + exporterUri: + namePrefix: + nameSeparator: + + workers: + - name: all-queues + # -- Number of threads / parallel sidekiq jobs that are executed per Pod + concurrency: 25 + # -- Number of Pod replicas deployed by the Deployment + replicas: 1 + # -- Resources for this specific deployment to allow optimised scaling, overwrites .Values.mastodon.sidekiq.resources + resources: {} + # -- Affinity for this specific deployment, overwrites .Values.affinity and .Values.mastodon.sidekiq.affinity + affinity: {} + # -- Topology spread constraints for this specific deployment, overwrites .Values.topologySpreadConstraints and .Values.mastodon.sidekiq.topologySpreadConstraints + topologySpreadConstraints: {} + # -- Sidekiq queues for Mastodon that are handled by this worker. See https://docs.joinmastodon.org/admin/scaling/#concurrency + # See https://github.com/mperham/sidekiq/wiki/Advanced-Options#queues for how to weight queues as argument + queues: + - default,8 + - push,6 + - ingress,4 + - mailers,2 + - pull + - scheduler # Make sure the scheduler queue only exists once and with a worker that has 1 replica. 
+ image: + repository: + tag: + # allows you to mount a custom database.yml from a configmap + # please note that we do not advise using a read-only replica for sidekiq workers + customDatabaseConfigYml: + configMapRef: + name: + key: + #- name: push-pull + # concurrency: 50 + # resources: {} + # replicas: 2 + # queues: + # - push + # - pull + #- name: mailers + # concurrency: 25 + # replicas: 2 + # queues: + # - mailers + #- name: default + # concurrency: 25 + # replicas: 2 + # queues: + # - default + smtp: + auth_method: plain + ca_file: /etc/ssl/certs/ca-certificates.crt + delivery_method: smtp + domain: + enable_starttls: "auto" + from_address: notifications@example.com + return_path: + openssl_verify_mode: peer + port: 587 + reply_to: + server: smtp.mailgun.org + tls: false + login: + password: + # -- Instead of defining login/password above, you can specify the name of an existing secret here. Login and + # password must be located in keys named `login` and `password` respectively. + existingSecret: + streaming: + image: + repository: + tag: + port: 4000 + # -- this should be set manually since os.cpus() returns the number of CPUs on + # the node running the pod, which is unrelated to the resources allocated to + # the pod by k8s + workers: 1 + # -- The base url for streaming can be set if the streaming API is deployed to + # a different domain/subdomain. + base_url: null + # -- Number of Streaming Pods running + replicas: 1 + # -- Affinity for Streaming Pods, overwrites .Values.affinity + affinity: {} + # -- Annotations to apply to the deployment object for streaming. + # -- These are applied in addition to deploymentAnnotations. + annotations: {} + # -- Labels to apply to the deployment object for streaming. + # -- These are applied in addition to mastodon.labels. + labels: {} + # -- Annotations to apply to the streaming pods. + # -- These are applied in addition to the global podAnnotations. 
+ podAnnotations: {} + # -- Labels to apply to the streaming pods. + # -- These are applied in addition to mastodon.labels. + podLabels: {} + # Rollout strategy to use when updating pods + # ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 10% + maxUnavailable: 25% + # -- Topology spread constraints for Streaming Pods, overwrites .Values.topologySpreadConstraints + topologySpreadConstraints: {} + # -- Pod Security Context for Streaming Pods, overwrites .Values.podSecurityContext + podSecurityContext: {} + # -- (Streaming Container) Security Context for Streaming Pods, overwrites .Values.securityContext + securityContext: {} + # -- (Streaming Container) Resources for Streaming Pods, overwrites .Values.resources + resources: {} + # limits: + # cpu: "500m" + # memory: 512Mi + # requests: + # cpu: 250m + # memory: 128Mi + # -- PodDisruptionBudget configuration - See https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + pdb: + enable: false + # minAvailable: 1 + # maxUnavailable: 1 + # -- Puma-specific options. Below values are based on default behavior in + # config/puma.rb when no custom values are provided. + # -- Self-signed certificate(s) the (Node.js) needs to trust to connect to e.g. the database + extraCerts: {} + # -- Secret containing a key "ca.crt" holding one or more root certificates in PEM format + # existingSecret: + # -- Optional volume name for mounting the .crt file, defaults to "extra-certs" + # name: + # -- Optional sslMode setting. See nodejs's SSL_MODE. Consider "no-verify" + # sslMode: + + # Specify extra environment variables to be added to streaming pods. + extraEnvVars: {} + + web: + port: 3000 + # -- Number of Web Pods running + replicas: 1 + # -- Affinity for Web Pods, overwrites .Values.affinity + affinity: {} + # -- Annotations to apply to the deployment object for web. 
+ # -- These are applied in addition to deploymentAnnotations. + annotations: {} + # -- Labels to apply to the deployment object for web. + # -- These are applied in addition to mastodon.labels. + labels: {} + # -- Annotations to apply to the web pods. + # -- These are applied in addition to the global podAnnotations. + podAnnotations: {} + # -- Labels to apply to the web pods. + # -- These are applied in addition to mastodon.labels. + podLabels: {} + # Rollout strategy to use when updating pods + # ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 10% + maxUnavailable: 25% + # -- Topology spread constraints for Web Pods, overwrites .Values.topologySpreadConstraints + topologySpreadConstraints: {} + # -- Pod Security Context for Web Pods, overwrites .Values.podSecurityContext + podSecurityContext: {} + # -- (Web Container) Security Context for Web Pods, overwrites .Values.securityContext + securityContext: {} + # -- (Web Container) Resources for Web Pods, overwrites .Values.resources + resources: {} + # limits: + # cpu: "1" + # memory: 1280Mi + # requests: + # cpu: 250m + # memory: 768Mi + # -- PodDisruptionBudget configuration - See https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + pdb: + enable: false + # minAvailable: 1 + # maxUnavailable: 1 + # -- Puma-specific options. Below values are based on default behavior in + # config/puma.rb when no custom values are provided. + minThreads: "5" + maxThreads: "5" + workers: "2" + persistentTimeout: "20" + image: + repository: + tag: + # allows you to mount a custom database.yml from a configmap + # for example if you want to use a read-only replica + customDatabaseConfigYml: + configMapRef: + name: + key: + + # Open Telemetry configuration for web pods. Overrides global settings. + otel: + enabled: + exporterUri: + namePrefix: + nameSeparator: + + # HTTP cache buster configuration. 
+ # See the documentation for more information about this feature: + # https://docs.joinmastodon.org/admin/config/#http-cache-buster + cacheBuster: + enabled: false + httpMethod: "GET" + # If the cache service requires authentication, specify the header name and + # secret/token here. + authHeader: + authToken: + existingSecret: + + metrics: + statsd: + # -- Enable statsd publishing via STATSD_ADDR environment variable + address: "" + # -- Alternatively, you can use this to have a statsd_exporter sidecar container running along all Mastodon containers and exposing metrics in OpenMetric/Prometheus format on each pod + # Please note the exporter will not be enabled if metrics.statsd.address is not empty + exporter: + enabled: false + port: 9102 + + # Open Telemetry configuration for all deployments. Component-specific + # configuration will override these values. + otel: + enabled: false + exporterUri: + namePrefix: mastodon + nameSeparator: "-" + + # Sets the PREPARED_STATEMENTS environment variable: https://docs.joinmastodon.org/admin/config/#prepared_statements + preparedStatements: true + + + # Specify extra environment variables to be added to all Mastodon pods. + # These can be used for configuration not included in this chart (including configuration for Mastodon varietals.) + extraEnvVars: {} + + # Alternatively specify extra environment variables stored in a ConfigMap. + # The specified ConfigMap should contain the additional environment variables in key-value format. 
+ # extraEnvFrom: + + +ingress: + enabled: true + annotations: + cert-manager.io/cluster-issuer: ca-issuer + # For choosing an ingress ingressClassName is preferred over annotations + # kubernetes.io/ingress.class: nginx + # + # To automatically request TLS certificates use one of the following + # kubernetes.io/tls-acme: "true" + # cert-manager.io/cluster-issuer: "letsencrypt" + # + # ensure that NGINX's upload size matches Mastodon's + # for the K8s ingress controller: + # nginx.ingress.kubernetes.io/proxy-body-size: 40m + # for the NGINX ingress controller: + # nginx.org/client-max-body-size: 40m + # -- you can specify the ingressClassName if it differs from the default + ingressClassName: nginx + hosts: + - host: mastodon.eom.dev + paths: + - path: "/" + tls: + - secretName: mastodon-tls + hosts: + - mastodon.eom.dev + + # This allows you to have a separate ingress for streaming + # When enabled, the main ingress will no longer handle streaming requests. + # You will also need to configure mastodon.streaming.base_url accordingly + streaming: + enabled: false + annotations: + ingressClassName: + hosts: + - host: streaming.mastodon.local + paths: + - path: "/" + tls: + - secretName: mastodon-tls + hosts: + - streaming.mastodon.local + +# -- https://github.com/bitnami/charts/tree/master/bitnami/elasticsearch#parameters +elasticsearch: + # Elasticsearch is powering full-text search. It is optional. + + # `false` will not install Elasticsearch as part of this chart + # + # if you enable ES after the initial install, you will need to manually run + # RAILS_ENV=production bundle exec rake chewy:sync + # (https://docs.joinmastodon.org/admin/optional/elasticsearch/) + enabled: true + # @ignored + image: + tag: 7 + + # If you are using an external ES cluster, use `enabled: false` and set the hostname, port, + # and whether the cluster uses TLS. 
+ # hostname: + # port: 9200 + # tls: true + # preset: single_node_cluster + + # This is optional, use it if you ES cluster requires authentication + # user: + # Name of an existing secret with a password key + # existingSecret: + +# https://github.com/bitnami/charts/tree/master/bitnami/postgresql#parameters +postgresql: + # -- disable if you want to use an existing db; in which case the values below + # must match those of that external postgres instance + enabled: true + # postgresqlHostname: preexisting-postgresql + # postgresqlPort: 5432 + auth: + database: mastodon_production + username: mastodon + # you must set a password; the password generated by the postgresql chart will + # be rotated on each upgrade: + # https://github.com/bitnami/charts/tree/master/bitnami/postgresql#upgrade + password: {{ mastodon_postgres_password }} + # Set the password for the "postgres" admin user + # set this to the same value as above if you've previously installed + # this chart and you're having problems getting mastodon to connect to the DB + # postgresPassword: "" + # you can also specify the name of an existing Secret + # with a key of password set to the password you want + existingSecret: "" + + # Options for a read-only replica. + # If enabled, mastodon uses existing defaults for postgres for these values as well. 
+ # NOTE: This feature is only available on Mastodon v4.2+ + # Documentation for more information on this feature: + # https://docs.joinmastodon.org/admin/scaling/#read-replicas + readReplica: + hostname: + port: + auth: + database: + username: + password: + existingSecret: + +# https://github.com/bitnami/charts/tree/master/bitnami/redis#parameters +redis: + # disable if you want to use an existing redis instance; in which case the + # values below must match those of that external redis instance + enabled: true + hostname: "" + port: 6379 + auth: + # -- you must set a password; the password generated by the redis chart will be + # rotated on each upgrade: + password: "" + # setting password for an existing redis instance will store it in a new Secret + # you can also specify the name of an existing Secret + # with a key of redis-password set to the password you want + # existingSecret: "" + replica: + replicaCount: 0 + + # Configuration for a separate redis instance only for sidekiq processing. + # If enabled, any values not specified will be copied from the base config. + # If set to false, the main redis instance will be used, and all values will + # be ignored. + sidekiq: + enabled: false + hostname: "" + port: 6379 + auth: + password: "" + # you can also specify the name of an existing Secret + # with a key of redis-password set to the password you want + existingSecret: "" + + # Configuration for a separate redis instance only for cache. + # If enabled, any values not specified will be copied from the base config. + # If set to false, the main redis instance will be used, and all values will + # be ignored. 
+ cache: + enabled: false + hostname: "" + port: 6379 + auth: + password: "" + # you can also specify the name of an existing Secret + # with a key of redis-password set to the password you want + existingSecret: "" + +# @ignored +service: + type: ClusterIP + port: 80 + +externalAuth: + oidc: + # -- OpenID Connect support is proposed in PR #16221 and awaiting merge. + enabled: false + # display_name: "example-label" + # issuer: https://login.example.space/auth/realms/example-space + # discovery: true + # scope: "openid,profile" + # uid_field: uid + # client_id: mastodon + # client_secret: SECRETKEY + # redirect_uri: https://example.com/auth/auth/openid_connect/callback + # assume_email_is_verified: true + # client_auth_method: + # response_type: + # response_mode: + # display: + # prompt: + # send_nonce: + # send_scope_to_token_endpoint: + # idp_logout_redirect_uri: + # http_scheme: + # host: + # port: + # jwks_uri: + # auth_endpoint: + # token_endpoint: + # user_info_endpoint: + # end_session_endpoint: + saml: + enabled: false + # acs_url: http://mastodon.example.com/auth/auth/saml/callback + # issuer: mastodon + # idp_sso_target_url: https://login.example.com/auth/realms/example/protocol/saml + # idp_cert: '-----BEGIN CERTIFICATE-----[your_cert_content]-----END CERTIFICATE-----' + # idp_cert_fingerprint: + # name_identifier_format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + # cert: + # private_key: + # want_assertion_signed: true + # want_assertion_encrypted: true + # assume_email_is_verified: true + # uid_attribute: "urn:oid:0.9.2342.19200300.100.1.1" + # attributes_statements: + # uid: "urn:oid:0.9.2342.19200300.100.1.1" + # email: "urn:oid:1.3.6.1.4.1.5923.1.1.1.6" + # full_name: "urn:oid:2.16.840.1.113730.3.1.241" + # first_name: "urn:oid:2.5.4.42" + # last_name: "urn:oid:2.5.4.4" + # verified: + # verified_email: + oauth_global: + # -- Automatically redirect to OIDC, CAS or SAML, and don't use local account authentication when clicking on 
Sign-In + omniauth_only: false + cas: + enabled: false + # url: https://sso.myserver.com + # host: sso.myserver.com + # port: 443 + # ssl: true + # validate_url: + # callback_url: + # logout_url: + # login_url: + # uid_field: 'user' + # ca_path: + # disable_ssl_verification: false + # assume_email_is_verified: true + # keys: + # uid: 'user' + # name: 'name' + # email: 'email' + # nickname: 'nickname' + # first_name: 'firstname' + # last_name: 'lastname' + # location: 'location' + # image: 'image' + # phone: 'phone' + pam: + enabled: false + # email_domain: example.com + # default_service: rpam + # controlled_service: rpam + ldap: + enabled: true + host: openldap.auth.svc.cluster.local + port: 389 + method: plain + # tls_no_verify: true + base: dc=eom,dc=dev + bind_dn: cn=readonly,dc=eom,dc=dev + password: {{ ldap_readonly_password }} + uid: uid + mail: mail + search_filter: (|(objectClass=inetOrgPerson)) + # uid_conversion: + # enabled: true + # search: "., -" + # replace: _ + +# -- https://github.com/mastodon/mastodon/blob/main/Dockerfile#L75 +# +# if you manually change the UID/GID environment variables, ensure these values +# match: +podSecurityContext: + runAsUser: 991 + runAsGroup: 991 + fsGroup: 991 + +# @ignored +securityContext: {} + +serviceAccount: + # -- Specifies whether a service account should be created + create: true + # -- Annotations to add to the service account + annotations: {} + # -- The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +# Custom annotations to apply to all created deployment objects. These can be +# used to help mastodon interact with other services in the cluster. +deploymentAnnotations: {} + +# -- Kubernetes manages pods for jobs and pods for deployments differently, so you might +# need to apply different annotations to the two different sets of pods. The annotations +# set with podAnnotations will be added to all deployment-managed pods. 
+podAnnotations: {} + +# If set to true, an annotation with the current chart release number will be added to all mastodon pods. This will +# cause all pods to be recreated every `helm upgrade` regardless of whether their config or spec changes. +revisionPodAnnotation: true + +# The annotations set with jobAnnotations will be added to all job pods. +jobAnnotations: {} + +# -- Default resources for all Deployments and jobs unless overwritten +resources: + {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +# @ignored +nodeSelector: {} + +# @ignored +tolerations: [] + +# -- Affinity for all pods unless overwritten +affinity: {} + +# -- Timezone for all pods unless overwritten +timezone: UTC + +# -- Topology Spread Constraints for all pods unless overwritten +# Please note that you need to use `matchLabelKeys` (Kubernetes 1.25+) if you +# want to spread each deployment independently, or override topologySpreadConstraints +# for each deployment +topologySpreadConstraints: {} + +# Default volume mounts for all pods +volumeMounts: [] + +# Default volumes for all pods +volumes: []
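Review bot: `password: {{ mastodon_postgres_password }}` under `postgresql.auth` and `password: {{ ldap_readonly_password }}` under `externalAuth.ldap` are unquoted Jinja expansions; a secret that is numeric, empty, or starts with a YAML indicator such as `*`, `&`, `[` or `#` will be re-typed or mis-parsed once rendered — write `password: "{{ mastodon_postgres_password }}"` and `password: "{{ ldap_readonly_password }}"`, as `tasks/social.yaml` already does. `mastodon.secrets.*` and `redis.auth.password` are left as `""` even though the file's own comments state the autogenerated values are rotated on each upgrade, which would invalidate sessions, OTP, VAPID push keys and Active Record encrypted columns on every `helm upgrade`; populate them from vault variables or set the corresponding `existingSecret`. Nothing in this commit appears to render this template — `social.yaml` passes inline `values:` to the bitnami chart, whose value keys differ from this file's — so it may be dead configuration, though that cannot be confirmed from the diff alone.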