From e004e9988439822917a634786ecec23a5a155a4a Mon Sep 17 00:00:00 2001 From: eric o meehan Date: Sat, 23 Nov 2024 17:23:12 -0500 Subject: [PATCH] v1.0.4 --- tasks/grafana.yaml | 193 +++++++++++++++++++++++++++++ tasks/influxdb.yaml | 105 ++++++++++------ tasks/mail.yaml | 12 +- tasks/main.yaml | 2 +- tasks/mastodon.yaml | 80 ++++++++++++ tasks/monitor.yaml | 76 +++++++----- tasks/social.yaml | 47 ------- tasks/{www.yaml => wordpress.yaml} | 29 +++-- templates/ldap.toml.j2 | 63 ++++++++++ templates/values.yaml.j2 | 29 +++-- 10 files changed, 485 insertions(+), 151 deletions(-) create mode 100644 tasks/grafana.yaml create mode 100644 tasks/mastodon.yaml delete mode 100644 tasks/social.yaml rename tasks/{www.yaml => wordpress.yaml} (87%) create mode 100644 templates/ldap.toml.j2 diff --git a/tasks/grafana.yaml b/tasks/grafana.yaml new file mode 100644 index 0000000..6fdcf17 --- /dev/null +++ b/tasks/grafana.yaml 
@@ -0,0 +1,193 @@ +--- +# tasks file for grafana +- name: Create Grafana namespace + k8s: + state: present + definition: + apiVersion: v1 + kind: Namespace + metadata: + name: grafana + +- name: Create PVC for MySQL + k8s: + state: present + definition: + apiVersion: v1 + kind: PersistentVolumeClaim + metadata: + name: mysql + namespace: grafana + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 64Gi + +- name: Create Deployment for MySQL + k8s: + state: present + definition: + apiVersion: v1 + kind: Deployment + metadata: + name: mysql + namespace: grafana + labels: + app: mysql + spec: + replicas: 1 + selector: + matchLabels: + app: mysql + template: + metadata: + labels: + app: mysql + spec: + containers: + - name: mysql + image: mysql + volumeMounts: + - name: data + mountPath: /var/lib/mysql + ports: + - containerPort: 3306 + env: + - name: MYSQL_ROOT_PASSWORD + value: "{{ mysql_root_password }}" + - name: MYSQL_DATABASE + value: grafana + - name: MYSQL_USER + value: grafana + - name: MYSQL_PASSWORD + value: "{{ grafana_mysql_password }}" + volumes: + - name: data + persistentVolumeClaim: + claimName: mysql + +- name: Create Service for MySQL + k8s: + state: present + definition: + apiVersion: v1 + kind: Service + metadata: + name: mysql + namespace: grafana + spec: + selector: + app: mysql + ports: + - port: 3306 + name: mysql + type: ClusterIP + +- name: Create a config map for grafana + k8s: + state: present + api_version: v1 + kind: ConfigMap + name: grafana + namespace: grafana + definition: + data: + ldap.toml: "{{ lookup('template', 'ldap.toml.j2') }}" + +- name: Create Deployment for Grafana + k8s: + state: present + definition: + apiVersion: v1 + kind: Deployment + metadata: + name: grafana + namespace: grafana + labels: + app: grafana + spec: + replicas: 1 + selector: + matchLabels: + app: grafana + template: + metadata: + labels: + app: grafana + spec: + containers: + - name: grafana + image: grafana/grafana + ports: + - 
containerPort: 3000 + env: + - name: GF_DATABASE_TYPE + value: mysql + - name: GF_DATABASE_HOST + value: mysql + - name: GF_DATABASE_USER + value: grafana + - name: GF_DATABASE_PASSWORD + value: "{{ grafana_mysql_password }}" + - name: GF_AUTH_LDAP_ENABLED + value: "true" + - name: GF_AUTH_LDAP_CONFIG_FILE + value: /etc/grafana/cm/ldap.toml + - name: GF_AUTH_LDAP_ALLOW_SIGN_UP + value: "true" + volumeMounts: + - name: config + mountPath: /etc/grafana/cm + volumes: + - name: config + configMap: + name: grafana + +- name: Create Service for Grafana + k8s: + state: present + definition: + apiVersion: v1 + kind: Service + metadata: + name: grafana + namespace: grafana + spec: + selector: + app: grafana + ports: + - port: 80 + targetPort: 3000 + name: grafana + type: ClusterIP + +- name: Create Ingress + k8s: + state: present + definition: + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + annotations: + cert-manager.io/cluster-issuer: ca-issuer + name: grafana + namespace: grafana + spec: + ingressClassName: nginx + rules: + - host: grafana.eom.dev + http: + paths: + - pathType: Prefix + path: / + backend: + service: + name: grafana + port: + number: 80 + tls: + - hosts: + - grafana.eom.dev + secretName: grafana diff --git a/tasks/influxdb.yaml b/tasks/influxdb.yaml index fd180e1..0617066 100644 --- a/tasks/influxdb.yaml +++ b/tasks/influxdb.yaml 
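Review bot: The Grafana LDAP bind password ends up in a ConfigMap, because the `ldap.toml` rendered by `lookup('template', 'ldap.toml.j2')` contains `bind_password`, and the MySQL and Grafana passwords are injected as plain `value:` entries, so all of them are stored in world-readable-to-the-namespace objects and are echoed in Ansible output when a task fails. Change the config task to `kind: Secret` with `stringData:` instead of `data:`, mount it with `secret: secretName: grafana` in place of `configMap: name: grafana`, move the DB passwords to `valueFrom.secretKeyRef`, and add `no_log: true` to every task that carries a password; the ConfigMap task added to tasks/monitor.yaml in this patch has the same issue. `image: mysql` and `image: grafana/grafana` are untagged, so each pod restart may pull a different major version; pin tags.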
@@ -1,32 +1,15 @@ --- -# tasks file for influxdb -- name: Create persistent volume for influxdb +# tasks file for grafana +- name: Create InfluxDB namespace k8s: state: present definition: apiVersion: v1 - kind: PersistentVolume + kind: Namespace metadata: - name: "eom-{{ target_namespace }}-influxdb" - spec: - capacity: - storage: 32Gi - accessModes: - - ReadWriteMany - persistentVolumeReclaimPolicy: Retain - storageClassName: standard - hostPath: - path: "/data/store-0/eom-{{ target_namespace }}/influxdb" - nodeAffinity: - required: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/hostname - operator: In - values: - - alpha-worker-0 + name: influxdb -- name: Create a persistent volume claim for influxdb +- name: Create PVC for InfluxDB k8s: state: present definition: @@ -34,24 +17,25 @@ kind: PersistentVolumeClaim metadata: name: influxdb - namespace: "eom-{{ target_namespace }}" + namespace: influxdb spec: accessModes: - - ReadWriteMany + - ReadWriteOnce resources: requests: - storage: 32Gi - storageClassName: standard - volumeName: "eom-{{ target_namespace }}-influxdb" + storage: 128Gi -- name: Create a deployment +- name: Create Deployment for InfluxDB k8s: + state: present definition: apiVersion: v1 kind: Deployment metadata: name: influxdb - namespace: "eom-{{ target_namespace }}" + namespace: influxdb + labels: + app: influxdb spec: replicas: 1 selector: 
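Review bot: The header comment of tasks/influxdb.yaml is rewritten to `# tasks file for grafana`, a copy-paste slip from the Grafana task file; it should read `# tasks file for influxdb`. The same hunk replaces the hostPath-backed PersistentVolume (reclaim policy Retain, pinned to `alpha-worker-0`) with a bare 128Gi PVC that relies on a default StorageClass, so the data under the old `/data/store-0/.../influxdb` path is not picked up by the new claim and the access mode narrows to ReadWriteOnce; if that migration is intended, a one-line comment on the PVC task saying so would save the next reader from treating it as a regression.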
@@ -64,32 +48,75 @@ spec: containers: - name: influxdb - image: bitnami/influxdb + image: influxdb + env: + - name: DOCKER_INFLUXDB_INIT_MODE + value: setup + - name: DOCKER_INFLUXDB_INIT_USERNAME + value: influxdb + - name: DOCKER_INFLUXDB_INIT_PASSWORD + value: "{{ influxdb_admin_password }}" + - name: DOCKER_INFLUXDB_INIT_ORG + value: DevOps + - name: DOCKER_INFLUXDB_INIT_BUCKET + value: default + - name: DOCKER_INFLUXDB_INIT_RETENTION + value: 1w + - name: DOCKER_INFLUXDB_INIT_ADMIN_TOKEN + value: "{{ influxdb_admin_token }}" volumeMounts: - name: data - mountPath: /var/lib/mysql + mountPath: /var/lib/influxdb ports: - - containerPort: 3306 - env: - key: INFLUXDB_ADMIN_USER_PASSWORD - value: "{{ influxdb_root_password }}" + - containerPort: 8086 volumes: - name: data persistentVolumeClaim: claimName: influxdb -- name: Expose deployment as a service +- name: Create Service for InfluxDB k8s: + state: present definition: apiVersion: v1 kind: Service metadata: name: influxdb - namespace: "eom-{{ target_namespace }}" + namespace: influxdb spec: selector: app: influxdb ports: - - port: 3306 - name: influxdb-3306 + - port: 80 + targetPort: 8086 + name: influxdb type: ClusterIP + +- name: Create Ingress for InfluxDB + k8s: + state: present + definition: + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + annotations: + cert-manager.io/cluster-issuer: ca-issuer + name: influxdb + namespace: influxdb + spec: + ingressClassName: nginx + rules: + - host: influxdb.eom.dev + http: + paths: + - pathType: Prefix + path: / + backend: + service: + name: influxdb + port: + number: 80 + tls: + - hosts: + - influxdb.eom.dev + secretName: influxdb diff --git a/tasks/mail.yaml b/tasks/mail.yaml index 8bb4719..39179e0 100644 --- a/tasks/mail.yaml +++ b/tasks/mail.yaml 
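Review bot: `mountPath: /var/lib/influxdb` is probably the wrong directory for the image this hunk configures: the `DOCKER_INFLUXDB_INIT_*` variables belong to the InfluxDB 2.x entrypoint, and the 2.x image keeps its data under `/var/lib/influxdb2`, so the PVC would sit beside the real data directory and the bucket created by `setup` would live on the container's ephemeral layer — confirm against the image actually pulled and switch to `mountPath: /var/lib/influxdb2` if so. `DOCKER_INFLUXDB_INIT_PASSWORD` and `DOCKER_INFLUXDB_INIT_ADMIN_TOKEN` are plain `value:` entries, so they are persisted in the Deployment object and printed by Ansible on failure; move them to a Secret via `valueFrom.secretKeyRef` and add `no_log: true` to the task. `image: influxdb` is untagged, which makes the data-directory question above depend on whatever is pulled next; pin a tag.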
@@ -103,9 +103,9 @@ - name: LDAP_BIND_PW value: "{{ ldap_readonly_password }}" - name: LDAP_QUERY_FILTER_DOMAIN - value: "(|(mail=*@%s)(mailAlias=*@%s)(mailGroupMember=*@%s))" + value: "(mail=*@%s)" - name: LDAP_QUERY_FILTER_USER - value: "(|(objectClass=inetOrgPerson))" + value: "(mail=%s)" - name: LDAP_QUERY_FILTER_ALIAS value: "(&(objectClass=inetOrgPerson)(mailAlias=%s))" - name: LDAP_QUERY_FILTER_GROUP @@ -119,17 +119,17 @@ - name: DOVECOT_DEFAULT_PASS_SCHEME value: "MD5-CRYPT" - name: DOVECOT_USER_FILTER - value: "(|(objectClass=inetOrgPerson))" + value: "(&(objectClass=inetOrgPerson)(uid=%n))" - name: DOVECOT_PASS_ATTRS - value: "=user=%{ldap:uid},=password=%{ldap:userPassword}" + value: "uid=user,userPassword=password" - name: DOVECOT_USER_ATTRS - value: "=home=/var/mail/%{ldap:uid},=mail=maildir:~/Maildir,uidNumber=uid,gidNumber=gid" + value: "=home=/var/mail/%{ldap:uid},=uid=5000,=gid=5000,=mail=maildir:~/Maildir" - name: ENABLE_SASLAUTHD value: "1" - name: SASLAUTHD_MECHANISMS value: "ldap" - name: SASLAUTHD_LDAP_FILTER - value: "(|(objectClass=inetOrgPerson))" + value: "(mail=%U@mail.eom.dev)" - name: SSL_TYPE value: "manual" - name: SSL_CERT_PATH diff --git a/tasks/main.yaml b/tasks/main.yaml index d821304..b85eafa 100644 --- a/tasks/main.yaml +++ b/tasks/main.yaml @@ -1,4 +1,4 @@ --- # tasks file for eom - name: Deploy - include_tasks: git.yaml + include_tasks: mastodon.yaml diff --git a/tasks/mastodon.yaml b/tasks/mastodon.yaml new file mode 100644 index 0000000..5f2c25e --- /dev/null +++ b/tasks/mastodon.yaml 
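Review bot: The new `DOVECOT_PASS_ATTRS` value `uid=user,userPassword=password` makes Dovecot read each account's `userPassword` attribute and verify it locally, which only works if the read-only bind identity (`LDAP_BIND_PW` in the context above) is granted read access to password hashes in OpenLDAP; that turns a single service credential into a copy of every user's hash. If the docker-mailserver image in use supports bind authentication (`DOVECOT_AUTH_BIND`), prefer it so the directory performs the bind and hashes never leave it — confirm against that image's documented variables. Separately, `SASLAUTHD_LDAP_FILTER` now hard-codes `mail.eom.dev` while the other filters take the domain from the query, so SMTP AUTH will fail for any account whose `mail` attribute is on another domain. The env list this hunk edits starts and ends outside the hunk.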
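Review bot: After this change tasks/main.yaml includes only `mastodon.yaml`, so the grafana, influxdb, wordpress, mail and monitor task files touched by this patch are never executed through the role entry point; the hunk shows the whole four-line file, so unless another playbook includes them directly this looks like a development switch left in. If everything is meant to deploy, list each file explicitly, for example `include_tasks: "{{ item }}"` with a `loop:` over the task files, or one `include_tasks` task per file.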
@@ -0,0 +1,80 @@ +--- +# tasks file for mastodon +- name: Add bitnami repository + kubernetes.core.helm_repository: + name: bitnami + repo_url: https://charts.bitnami.com/bitnami + +- name: Update Helm repos + command: helm repo update + +- name: Deploy Mastodon + kubernetes.core.helm: + name: mastodon + chart_ref: bitnami/mastodon + release_namespace: mastodon + create_namespace: true + timeout: 300s + values: + adminUser: "mastodon" + adminEmail: "mastodon@mail.eom.dev" + adminPassword: "{{ mastodon_admin_password }}" + otpSecret: "" + secretKeyBase: "" + vapidPrivateKey: "" + vapidPublicKey: "" + activeRecordEncryptionDeterministicKey: "" + activeRecordEncryptionKeyDerivationSalt: "" + activeRecordEncryptionPrimaryKey: "" + extraConfig: + LDAP_ENABLED: "true" + LDAP_HOST: openldap.auth.svc.cluster.local + LDAP_PORT: "387" + LDAP_METHOD: plain + LDAP_BASE: dc=eom,dc=dev + LDAP_BIND_DN: cn=readonly,dc=eom,dc=dev + LDAP_PASSWORD: "{{ ldap_readonly_password }}" + LDAP_UID: uid + LDAP_SEARCH_FILTER: "(&(objectClass=posixAccount)(uid=%{uid}))" + LDAP_MAIL: mail + enableS3: false + localDomain: "mastodon.eom.dev" + smtp: + server: "mail.eom.dev" + port: 587 + from_address: "mastodon@mail.eom.dev" + domain: "mail.eom.dev" + reply_to: "mastodon@mail.eom.dev" + delivery_method: smtp + ca_file: /etc/ssl/certs/ca-certificates.crt + openssl_verify_mode: none + enable_starttls_auto: true + tls: true + auth_method: starttls + login: "mastodon" + password: "{{ mastodon_mail_password }}" + persistence: + enabled: true + size: 64Gi + redis: + auth: + password: "{{ mastodon_redis_password }}" + postgresql: + auth: + password: "{{ mastodon_postgres_password }}" + minio: + enabled: false + apache: + service: + type: ClusterIP + ports: + http: 80 + ingress: + enabled: true + hostname: "mastodon.eom.dev" + annotations: + cert-manager.io/cluster-issuer: ca-issuer + tls: + - hosts: + - mastodon.eom.dev + secretName: mastodon-tls 
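Review bot: `LDAP_PORT: "387"` looks like a typo for 389, which is the port every other LDAP client in this patch uses (tasks/mail.yaml, templates/ldap.toml.j2, templates/values.yaml.j2) and the port the deleted tasks/social.yaml used; as written the Mastodon LDAP login will fail to connect. `openssl_verify_mode: none` disables certificate checking for the SMTP connection to mail.eom.dev even though `tls: true` is set, which makes the `ca_file` line meaningless; since that server's certificate comes from the in-cluster `ca-issuer`, mount that CA into the pod and use `openssl_verify_mode: peer`. `auth_method: starttls` does not look like an SMTP authentication method (plain, login and cram_md5 are the usual values) — verify against the chart's `smtp` parameters. The Helm values carry five passwords, so add `no_log: true` to the `Deploy Mastodon` task, and give `command: helm repo update` a `changed_when: false` so it does not report a change on every run.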
diff --git a/tasks/monitor.yaml b/tasks/monitor.yaml index abe2965..f4bb0ec 100644 --- a/tasks/monitor.yaml +++ b/tasks/monitor.yaml @@ -125,6 +125,19 @@ containers: - name: influxdb image: influxdb + env: + - name: DOCKER_INFLUXDB_INIT_MODE + value: setup + - name: DOCKER_INFLUXDB_INIT_USERNAME + value: grafana + - name: DOCKER_INFLUXDB_INIT_PASSWORD + value: "{{ grafana_influxdb_password }}" + - name: DOCKER_INFLUXDB_INIT_ORG + value: grafana + - name: DOCKER_INFLUXDB_INIT_BUCKET + value: default + - name: DOCKER_INFLUXDB_INIT_RETENTION + value: 1w volumeMounts: - name: data mountPath: /var/lib/influxdb @@ -148,10 +161,20 @@ selector: app: influxdb ports: - - port: 80 - targetPort: 8086 + - port: 8086 name: influxdb - type: ClusterIP + type: LoadBalancer + +- name: Create a config map for grafana + k8s: + state: present + api_version: v1 + kind: ConfigMap + name: grafana + namespace: monitor + definition: + data: + ldap.toml: "{{ lookup('template', 'ldap.toml.j2') }}" - name: Create Deployment for Grafana k8s: @@ -188,6 +211,19 @@ value: grafana - name: GF_DATABASE_PASSWORD value: "{{ grafana_mysql_password }}" + - name: GF_AUTH_LDAP_ENABLED + value: "true" + - name: GF_AUTH_LDAP_CONFIG_FILE + value: /etc/grafana/cm/ldap.toml + - name: GF_AUTH_LDAP_ALLOW_SIGN_UP + value: "true" + volumeMounts: + - name: config + mountPath: /etc/grafana/cm + volumes: + - name: config + configMap: + name: grafana - name: Create Service for Grafana k8s: @@ -221,7 +257,7 @@ spec: ingressClassName: nginx rules: - - host: monitor.eom.dev + - host: grafana.eom.dev http: paths: - pathType: Prefix 
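Review bot: The InfluxDB Service is switched to `type: LoadBalancer` on port 8086, which publishes the InfluxDB HTTP API (no TLS at this layer) outside the cluster, and the hunk at L9 in the same file removes the NetworkPolicy that limited ingress to 192.168.1.0/24 — even if that policy's `podSelector` of `app: monitor` may never have matched these pods, nothing replaces it. If external access is really needed, keep the path through the existing TLS ingress, or at least add `loadBalancerSourceRanges:` with the intended client range to the new Service; otherwise restore `type: ClusterIP`. The `DOCKER_INFLUXDB_INIT_PASSWORD` added in the first hunk is a plain `value:` entry and should come from a Secret via `valueFrom.secretKeyRef`, as for the other InfluxDB deployment in this patch.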
@@ -231,35 +267,7 @@ name: grafana port: number: 80 - - pathType: Prefix - path: /influxdb - backend: - service: - name: influxdb - port: - number: 80 tls: - hosts: - - monitor.eom.dev - secretName: monitor - -- name: Create Network Policy - k8s: - state: present - definition: - apiVersion: networking.k8s.io/v1 - kind: NetworkPolicy - metadata: - name: networkpolicy - namespace: monitor - spec: - podSelector: - matchLabels: - app: monitor - policyTypes: - - Ingress - ingress: - - from: - - ipBlock: - cidr: 192.168.1.0/24 - + - grafana.eom.dev + secretName: grafana diff --git a/tasks/social.yaml b/tasks/social.yaml deleted file mode 100644 index a0f59ac..0000000 --- a/tasks/social.yaml +++ /dev/null @@ -1,47 +0,0 @@ ---- -# tasks file for social -- name: Deploy Mastodon - kubernetes.core.helm: - name: mastodon - chart_ref: oci://registry-1.docker.io/bitnamicharts/mastodon - release_namespace: mastodon - create_namespace: true - values: - localDomain: mastodon.eom.dev - global: - defaultStorageClass: default - web: - extraEnvVars: - - name: LDAP_ENABLED - value: "yes" - - name: LDAP_HOST - value: openldap.auth.svc.cluster.local - - name: LDAP_PORT - value: 389 - - name: LDAP_METHOD - value: plain - - name: LDAP_BASE - value: dc=eom,dc=dev - - name: LDAP_BIND_DN - value: cn=readonly,dc=eom,dc=dev - - name: LDAP_PASSWORD - value: "{{ ldap_readonly_password }}" - - name: LDAP_UID - value: uid - - name: LDAP_MAIL - value: mail - - name: LDAP_SEARCH_FILTER - value: (|(objectClass=inetOrgPerson)) - apache: - ingress: - enabled: true - hostname: mastodon.eom.dev - annotations: - cert-manager.io/cluster-issuer: ca-issuer - tls: - - hosts: - - mastodon.eom.dev - secretName: mastodon-tls - postgresql: - auth: - password: "{{ mastodon_postgres_password }}" diff --git a/tasks/www.yaml b/tasks/wordpress.yaml similarity index 87% rename from tasks/www.yaml rename to tasks/wordpress.yaml index 8c6d931..b9e8af1 100644 --- a/tasks/www.yaml +++ b/tasks/wordpress.yaml 
@@ -7,7 +7,7 @@ apiVersion: v1 kind: Namespace metadata: - name: www + name: wordpress - name: Create PVC for MySQL k8s: @@ -17,7 +17,7 @@ kind: PersistentVolumeClaim metadata: name: mysql - namespace: www + namespace: wordpress spec: accessModes: - ReadWriteOnce @@ -33,7 +33,7 @@ kind: Deployment metadata: name: mysql - namespace: www + namespace: wordpress labels: app: mysql spec: @@ -76,7 +76,7 @@ kind: Service metadata: name: mysql - namespace: www + namespace: wordpress spec: selector: app: mysql @@ -93,7 +93,7 @@ kind: PersistentVolumeClaim metadata: name: wordpress - namespace: www + namespace: wordpress spec: accessModes: - ReadWriteOnce @@ -109,7 +109,7 @@ kind: Deployment metadata: name: wordpress - namespace: www + namespace: wordpress labels: app: wordpress spec: @@ -127,7 +127,7 @@ image: wordpress volumeMounts: - name: data - mountPath: /var/www/html + mountPath: /var/wordpress/html ports: - containerPort: 3000 env: @@ -152,7 +152,7 @@ kind: Service metadata: name: wordpress - namespace: www + namespace: wordpress spec: selector: app: wordpress @@ -171,7 +171,7 @@ annotations: cert-manager.io/cluster-issuer: ca-issuer name: wordpress - namespace: www + namespace: wordpress spec: ingressClassName: nginx rules: @@ -185,7 +185,18 @@ name: wordpress port: number: 80 + - host: wordpress.eom.dev + http: + paths: + - pathType: Prefix + path: / + backend: + service: + name: wordpress + port: + number: 80 tls: - hosts: - www.eom.dev + - wordpress.eom.dev secretName: wordpress diff --git a/templates/ldap.toml.j2 b/templates/ldap.toml.j2 new file mode 100644 index 0000000..63abf56 --- /dev/null +++ b/templates/ldap.toml.j2 
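Review bot: The `mountPath` change from `/var/www/html` to `/var/wordpress/html` looks like the `www` rename applied one hunk too far: the wordpress image serves from `/var/www/html`, so after this change the PVC is mounted on an unused path and uploads, themes and plugins live on the container's ephemeral filesystem and are lost on restart; keep `mountPath: /var/www/html`. In the last hunk the TLS `hosts` entry `www.eom.dev` is replaced by `wordpress.eom.dev` while the rule block above the new one is kept (its host is outside the hunk), so that first host would no longer be covered by the certificate cert-manager requests — list both names under `tls.hosts` if both rules stay. The Ingress task these hunks edit starts outside the hunk.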
@@ -0,0 +1,63 @@ +[[servers]] +# Ldap server host (specify multiple hosts space separated) +host = "openldap.auth.svc.cluster.local" +# Default port is 389 or 636 if use_ssl = true +port = 389 +# Set to true if LDAP server should use an encrypted TLS connection (either with STARTTLS or LDAPS) +use_ssl = false +# If set to true, use LDAP with STARTTLS instead of LDAPS +start_tls = false +# The value of an accepted TLS cipher. By default, this value is empty. Example value: ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"]) +# For a complete list of supported ciphers and TLS versions, refer to: https://go.dev/src/crypto/tls/cipher_suites.go +# Starting with Grafana v11.0 only ciphers with ECDHE support are accepted for TLS 1.2 connections. +tls_ciphers = [] +# This is the minimum TLS version allowed. By default, this value is empty. Accepted values are: TLS1.1 (only for Grafana v10.4 or earlier), TLS1.2, TLS1.3. +min_tls_version = "" +# set to true if you want to skip SSL cert validation +ssl_skip_verify = false +# set to the path to your root CA certificate or leave unset to use system defaults +# root_ca_cert = "/path/to/certificate.crt" +# Authentication against LDAP servers requiring client certificates +# client_cert = "/path/to/client.crt" +# client_key = "/path/to/client.key" + +# Search user bind dn +bind_dn = "cn=readonly,dc=eom,dc=dev" +# Search user bind password +# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;""" +bind_password = "{{ ldap_readonly_password }}" +# We recommend using variable expansion for the bind_password, for more info https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#variable-expansion +# bind_password = '$__env{LDAP_BIND_PASSWORD}' + +# Timeout in seconds. Applies to each host specified in the 'host' entry (space separated). 
+timeout = 30 + +# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)" +# Allow login from email or username, example "(|(sAMAccountName=%s)(userPrincipalName=%s))" +search_filter = "(&(objectClass=inetOrgPerson)(objectClass=posixAccount)(uid=%s))" + +# An array of base dns to search through +search_base_dns = ["dc=eom,dc=dev"] + +group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))" +group_search_filter_user_attribute = "uid" +group_search_base_dns = ["dc=eom,dc=dev"] + +# Specify names of the LDAP attributes your LDAP uses +[servers.attributes] +username = "uid" +email = "mail" +name = "givenName" +surname = "sn" + +[[servers.group_mappings]] +group_dn = "cn=DevOps Owners,ou=DevOps,ou=Organizations,dc=eom,dc=dev" +org_id = 2 +org_role = "Admin" +grafana_admin = true + +[[servers.group_mappings]] +group_dn = "cn=DevOps Members,ou=DevOps,ou=Organizations,dc=eom,dc=dev" +org_id = 2 +org_role = "Viewer" +grafana_admin = true diff --git a/templates/values.yaml.j2 b/templates/values.yaml.j2 index 89a5ec2..db52ca2 100644 --- a/templates/values.yaml.j2 +++ b/templates/values.yaml.j2 @@ -260,17 +260,17 @@ mastodon: auth_method: plain ca_file: /etc/ssl/certs/ca-certificates.crt delivery_method: smtp - domain: + domain: mail.eom.dev enable_starttls: "auto" - from_address: notifications@example.com + from_address: mastodon@mail.eom.dev return_path: openssl_verify_mode: peer port: 587 reply_to: - server: smtp.mailgun.org - tls: false - login: - password: + server: mail.eom.dev + tls: true + login: mastodon + password: {{ mastodon_mail_password }} # -- Instead of defining login/password above, you can specify the name of an existing secret here. Login and # password must be located in keys named `login` and `password` respectively. existingSecret: 
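Review bot: Both `[[servers.group_mappings]]` entries set `grafana_admin = true`, so members of "DevOps Members" — mapped to `org_role = "Viewer"` — still receive Grafana server-admin rights, which contradicts the Viewer role; the second mapping should be `grafana_admin = false`. With `use_ssl = false`, `start_tls = false` and `port = 389`, the bind password and every user's login password cross the cluster network in cleartext; if the OpenLDAP service supports it, set `start_tls = true` together with `root_ca_cert` pointing at the cluster CA, and keep `ssl_skip_verify = false`. This file is rendered into a ConfigMap by the Grafana tasks in this patch, so the template's own suggestion applies here: use `bind_password = '$__env{LDAP_BIND_PASSWORD}'` and feed that variable from a Secret instead of templating `{{ ldap_readonly_password }}` into the file.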
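Review bot: `password: {{ mastodon_mail_password }}` is inserted unquoted; this template is rendered to YAML, and a rendered secret that starts with a YAML indicator or looks like a number or boolean is mis-parsed or rejected, which is exactly why the hunk at L13 writes `"{{ mastodon_postgres_password }}"`. Use `password: "{{ mastodon_mail_password }}"` here. Note also that this template keeps `openssl_verify_mode: peer` for mail.eom.dev while tasks/mastodon.yaml in the same patch sets `none` for the same server — it is unclear which of the two Mastodon value sets is authoritative, and they should agree.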
@@ -455,19 +455,18 @@ mastodon: ingress: enabled: true annotations: - cert-manager.io/cluster-issuer: ca-issuer # For choosing an ingress ingressClassName is preferred over annotations # kubernetes.io/ingress.class: nginx # # To automatically request TLS certificates use one of the following # kubernetes.io/tls-acme: "true" - # cert-manager.io/cluster-issuer: "letsencrypt" + cert-manager.io/cluster-issuer: ca-issuer # # ensure that NGINX's upload size matches Mastodon's # for the K8s ingress controller: # nginx.ingress.kubernetes.io/proxy-body-size: 40m # for the NGINX ingress controller: - # nginx.org/client-max-body-size: 40m + nginx.org/client-max-body-size: 40m # -- you can specify the ingressClassName if it differs from the default ingressClassName: nginx hosts: @@ -487,13 +486,13 @@ ingress: annotations: ingressClassName: hosts: - - host: streaming.mastodon.local + - host: streaming.mastodon.eom.dev paths: - path: "/" tls: - secretName: mastodon-tls hosts: - - streaming.mastodon.local + - streaming.mastodon.eom.dev # -- https://github.com/bitnami/charts/tree/master/bitnami/elasticsearch#parameters elasticsearch: @@ -534,7 +533,7 @@ postgresql: # you must set a password; the password generated by the postgresql chart will # be rotated on each upgrade: # https://github.com/bitnami/charts/tree/master/bitnami/postgresql#upgrade - password: {{ mastodon_postgres_password }} + password: "{{ mastodon_postgres_password }}" # Set the password for the "postgres" admin user # set this to the same value as above if you've previously installed # this chart and you're having problems getting mastodon to connect to the DB 
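Review bot: The un-commented `nginx.org/client-max-body-size: 40m` targets the NGINX Inc. ingress controller, and nothing in this patch shows which controller backs `ingressClassName: nginx`; on the community ingress-nginx controller this annotation is ignored and the `nginx.ingress.kubernetes.io/proxy-body-size: 40m` line two lines above is the one to enable. Keep only the annotation that matches the installed controller, otherwise media uploads above the controller default fail with 413 and nothing in this file explains why.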
@@ -567,7 +566,7 @@ redis: auth: # -- you must set a password; the password generated by the redis chart will be # rotated on each upgrade: - password: "" + password: "{{ mastodon_redis_password }}" # setting password for an existing redis instance will store it in a new Secret # you can also specify the name of an existing Secret # with a key of redis-password set to the password you want @@ -696,13 +695,13 @@ externalAuth: host: openldap.auth.svc.cluster.local port: 389 method: plain - # tls_no_verify: true + tls_no_verify: true base: dc=eom,dc=dev bind_dn: cn=readonly,dc=eom,dc=dev password: {{ ldap_readonly_password }} uid: uid mail: mail - search_filter: (|(objectClass=inetOrgPerson)) + search_filter: "(&(objectClass=inetOrgPerson)(objectClass=posixAccount)(uid=%{uid}))" # uid_conversion: # enabled: true # search: "., -"
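Review bot: `tls_no_verify: true` is enabled alongside `method: plain`, where it has no effect today, but it silently disables certificate checking the moment `method` is changed to `simple_tls` or `start_tls`; since openldap is in-cluster and cert-manager already issues certificates from `ca-issuer`, the safer direction is `method: start_tls` with verification left on, and this flag removed. The `password: {{ ldap_readonly_password }}` context line is unquoted too, the same rendering hazard as the SMTP password earlier in this template, and should become `password: "{{ ldap_readonly_password }}"`.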