DevOps/ansible-role-eom
1
0
Fork 0
Code Issues 17 Pull Requests Actions Packages Projects Releases Wiki Activity

v1.0.4

Browse Source
This commit is contained in:
Eric Meehan 2024-11-23 17:23:12 -05:00
parent 81b3f9b324
commit e004e99884
10 changed files with 485 additions and 151 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

193
tasks/grafana.yaml Normal file
View File

@ -0,0 +1,193 @@
---
# tasks file for grafana
- name: Create Grafana namespace
k8s:
state: present
definition:
apiVersion: v1
kind: Namespace
metadata:
name: grafana
- name: Create PVC for MySQL
k8s:
state: present
definition:
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: mysql
namespace: grafana
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 64Gi
- name: Create Deployment for MySQL
k8s:
state: present
definition:
apiVersion: v1
kind: Deployment
metadata:
name: mysql
namespace: grafana
labels:
app: mysql
spec:
replicas: 1
selector:
matchLabels:
app: mysql
template:
metadata:
labels:
app: mysql
spec:
containers:
- name: mysql
image: mysql
volumeMounts:
- name: data
mountPath: /var/lib/mysql
ports:
- containerPort: 3306
env:
- name: MYSQL_ROOT_PASSWORD
value: "{{ mysql_root_password }}"
- name: MYSQL_DATABASE
value: grafana
- name: MYSQL_USER
value: grafana
- name: MYSQL_PASSWORD
value: "{{ grafana_mysql_password }}"
volumes:
- name: data
persistentVolumeClaim:
claimName: mysql
- name: Create Service for MySQL
k8s:
state: present
definition:
apiVersion: v1
kind: Service
metadata:
name: mysql
namespace: grafana
spec:
selector:
app: mysql
ports:
- port: 3306
name: mysql
type: ClusterIP
- name: Create a config map for grafana
k8s:
state: present
api_version: v1
kind: ConfigMap
name: grafana
namespace: grafana
definition:
data:
ldap.toml: "{{ lookup('template', 'ldap.toml.j2') }}"
- name: Create Deployment for Grafana
k8s:
state: present
definition:
apiVersion: v1
kind: Deployment
metadata:
name: grafana
namespace: grafana
labels:
app: grafana
spec:
replicas: 1
selector:
matchLabels:
app: grafana
template:
metadata:
labels:
app: grafana
spec:
containers:
- name: grafana
image: grafana/grafana
ports:
- containerPort: 3000
env:
- name: GF_DATABASE_TYPE
value: mysql
- name: GF_DATABASE_HOST
value: mysql
- name: GF_DATABASE_USER
value: grafana
- name: GF_DATABASE_PASSWORD
value: "{{ grafana_mysql_password }}"
- name: GF_AUTH_LDAP_ENABLED
value: "true"
- name: GF_AUTH_LDAP_CONFIG_FILE
value: /etc/grafana/cm/ldap.toml
- name: GF_AUTH_LDAP_ALLOW_SIGN_UP
value: "true"
volumeMounts:
- name: config
mountPath: /etc/grafana/cm
volumes:
- name: config
configMap:
name: grafana
- name: Create Service for Grafana
k8s:
state: present
definition:
apiVersion: v1
kind: Service
metadata:
name: grafana
namespace: grafana
spec:
selector:
app: grafana
ports:
- port: 80
targetPort: 3000
name: grafana
type: ClusterIP
- name: Create Ingress
k8s:
state: present
definition:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
cert-manager.io/cluster-issuer: ca-issuer
name: grafana
namespace: grafana
spec:
ingressClassName: nginx
rules:
- host: grafana.eom.dev
http:
paths:
- pathType: Prefix
path: /
backend:
service:
name: grafana
port:
number: 80
tls:
- hosts:
- grafana.eom.dev
secretName: grafana

105
tasks/influxdb.yaml
View File

@ -1,32 +1,15 @@
--- ---
# tasks file for influxdb # tasks file for grafana
- name: Create persistent volume for influxdb - name: Create InfluxDB namespace
k8s: k8s:
state: present state: present
definition: definition:
apiVersion: v1 apiVersion: v1
kind: PersistentVolume kind: Namespace
metadata: metadata:
name: "eom-{{ target_namespace }}-influxdb" name: influxdb
spec:
capacity:
storage: 32Gi
accessModes:
- ReadWriteMany
persistentVolumeReclaimPolicy: Retain
storageClassName: standard
hostPath:
path: "/data/store-0/eom-{{ target_namespace }}/influxdb"
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- alpha-worker-0
- name: Create a persistent volume claim for influxdb - name: Create PVC for InfluxDB
k8s: k8s:
state: present state: present
definition: definition:
@ -34,24 +17,25 @@
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
name: influxdb name: influxdb
namespace: "eom-{{ target_namespace }}" namespace: influxdb
spec: spec:
accessModes: accessModes:
- ReadWriteMany - ReadWriteOnce
resources: resources:
requests: requests:
storage: 32Gi storage: 128Gi
storageClassName: standard
volumeName: "eom-{{ target_namespace }}-influxdb"
- name: Create a deployment - name: Create Deployment for InfluxDB
k8s: k8s:
state: present
definition: definition:
apiVersion: v1 apiVersion: v1
kind: Deployment kind: Deployment
metadata: metadata:
name: influxdb name: influxdb
namespace: "eom-{{ target_namespace }}" namespace: influxdb
labels:
app: influxdb
spec: spec:
replicas: 1 replicas: 1
selector: selector:
@ -64,32 +48,75 @@
spec: spec:
containers: containers:
- name: influxdb - name: influxdb
image: bitnami/influxdb image: influxdb
env:
- name: DOCKER_INFLUXDB_INIT_MODE
value: setup
- name: DOCKER_INFLUXDB_INIT_USERNAME
value: influxdb
- name: DOCKER_INFLUXDB_INIT_PASSWORD
value: "{{ influxdb_admin_password }}"
- name: DOCKER_INFLUXDB_INIT_ORG
value: DevOps
- name: DOCKER_INFLUXDB_INIT_BUCKET
value: default
- name: DOCKER_INFLUXDB_INIT_RETENTION
value: 1w
- name: DOCKER_INFLUXDB_INIT_ADMIN_TOKEN
value: "{{ influxdb_admin_token }}"
volumeMounts: volumeMounts:
- name: data - name: data
mountPath: /var/lib/mysql mountPath: /var/lib/influxdb
ports: ports:
- containerPort: 3306 - containerPort: 8086
env:
key: INFLUXDB_ADMIN_USER_PASSWORD
value: "{{ influxdb_root_password }}"
volumes: volumes:
- name: data - name: data
persistentVolumeClaim: persistentVolumeClaim:
claimName: influxdb claimName: influxdb
- name: Expose deployment as a service - name: Create Service for InfluxDB
k8s: k8s:
state: present
definition: definition:
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: influxdb name: influxdb
namespace: "eom-{{ target_namespace }}" namespace: influxdb
spec: spec:
selector: selector:
app: influxdb app: influxdb
ports: ports:
- port: 3306 - port: 80
name: influxdb-3306 targetPort: 8086
name: influxdb
type: ClusterIP type: ClusterIP
- name: Create Ingress for InfluxDB
k8s:
state: present
definition:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
cert-manager.io/cluster-issuer: ca-issuer
name: influxdb
namespace: influxdb
spec:
ingressClassName: nginx
rules:
- host: influxdb.eom.dev
http:
paths:
- pathType: Prefix
path: /
backend:
service:
name: influxdb
port:
number: 80
tls:
- hosts:
- influxdb.eom.dev
secretName: influxdb

12
tasks/mail.yaml
View File

@ -103,9 +103,9 @@
- name: LDAP_BIND_PW - name: LDAP_BIND_PW
value: "{{ ldap_readonly_password }}" value: "{{ ldap_readonly_password }}"
- name: LDAP_QUERY_FILTER_DOMAIN - name: LDAP_QUERY_FILTER_DOMAIN
value: "(|(mail=*@%s)(mailAlias=*@%s)(mailGroupMember=*@%s))" value: "(mail=*@%s)"
- name: LDAP_QUERY_FILTER_USER - name: LDAP_QUERY_FILTER_USER
value: "(|(objectClass=inetOrgPerson))" value: "(mail=%s)"
- name: LDAP_QUERY_FILTER_ALIAS - name: LDAP_QUERY_FILTER_ALIAS
value: "(&(objectClass=inetOrgPerson)(mailAlias=%s))" value: "(&(objectClass=inetOrgPerson)(mailAlias=%s))"
- name: LDAP_QUERY_FILTER_GROUP - name: LDAP_QUERY_FILTER_GROUP
@ -119,17 +119,17 @@
- name: DOVECOT_DEFAULT_PASS_SCHEME - name: DOVECOT_DEFAULT_PASS_SCHEME
value: "MD5-CRYPT" value: "MD5-CRYPT"
- name: DOVECOT_USER_FILTER - name: DOVECOT_USER_FILTER
value: "(|(objectClass=inetOrgPerson))" value: "(&(objectClass=inetOrgPerson)(uid=%n))"
- name: DOVECOT_PASS_ATTRS - name: DOVECOT_PASS_ATTRS
value: "=user=%{ldap:uid},=password=%{ldap:userPassword}" value: "uid=user,userPassword=password"
- name: DOVECOT_USER_ATTRS - name: DOVECOT_USER_ATTRS
value: "=home=/var/mail/%{ldap:uid},=mail=maildir:~/Maildir,uidNumber=uid,gidNumber=gid" value: "=home=/var/mail/%{ldap:uid},=uid=5000,=gid=5000,=mail=maildir:~/Maildir"
- name: ENABLE_SASLAUTHD - name: ENABLE_SASLAUTHD
value: "1" value: "1"
- name: SASLAUTHD_MECHANISMS - name: SASLAUTHD_MECHANISMS
value: "ldap" value: "ldap"
- name: SASLAUTHD_LDAP_FILTER - name: SASLAUTHD_LDAP_FILTER
value: "(|(objectClass=inetOrgPerson))" value: "(mail=%U@mail.eom.dev)"
- name: SSL_TYPE - name: SSL_TYPE
value: "manual" value: "manual"
- name: SSL_CERT_PATH - name: SSL_CERT_PATH

2
tasks/main.yaml
View File

@ -1,4 +1,4 @@
--- ---
# tasks file for eom # tasks file for eom
- name: Deploy - name: Deploy
include_tasks: git.yaml include_tasks: mastodon.yaml

80
tasks/mastodon.yaml Normal file
View File

@ -0,0 +1,80 @@
---
# tasks file for mastodon
- name: Add bitnami repository
kubernetes.core.helm_repository:
name: bitnami
repo_url: https://charts.bitnami.com/bitnami
- name: Update Helm repos
command: helm repo update
- name: Deploy Mastodon
kubernetes.core.helm:
name: mastodon
chart_ref: bitnami/mastodon
release_namespace: mastodon
create_namespace: true
timeout: 300s
values:
adminUser: "mastodon"
adminEmail: "mastodon@mail.eom.dev"
adminPassword: "{{ mastodon_admin_password }}"
otpSecret: ""
secretKeyBase: ""
vapidPrivateKey: ""
vapidPublicKey: ""
activeRecordEncryptionDeterministicKey: ""
activeRecordEncryptionKeyDerivationSalt: ""
activeRecordEncryptionPrimaryKey: ""
extraConfig:
LDAP_ENABLED: "true"
LDAP_HOST: openldap.auth.svc.cluster.local
LDAP_PORT: "387"
LDAP_METHOD: plain
LDAP_BASE: dc=eom,dc=dev
LDAP_BIND_DN: cn=readonly,dc=eom,dc=dev
LDAP_PASSWORD: "{{ ldap_readonly_password }}"
LDAP_UID: uid
LDAP_SEARCH_FILTER: "(&(objectClass=posixAccount)(uid=%{uid}))"
LDAP_MAIL: mail
enableS3: false
localDomain: "mastodon.eom.dev"
smtp:
server: "mail.eom.dev"
port: 587
from_address: "mastodon@mail.eom.dev"
domain: "mail.eom.dev"
reply_to: "mastodon@mail.eom.dev"
delivery_method: smtp
ca_file: /etc/ssl/certs/ca-certificates.crt
openssl_verify_mode: none
enable_starttls_auto: true
tls: true
auth_method: starttls
login: "mastodon"
password: "{{ mastodon_mail_password }}"
persistence:
enabled: true
size: 64Gi
redis:
auth:
password: "{{ mastodon_redis_password }}"
postgresql:
auth:
password: "{{ mastodon_postgres_password }}"
minio:
enabled: false
apache:
service:
type: ClusterIP
ports:
http: 80
ingress:
enabled: true
hostname: "mastodon.eom.dev"
annotations:
cert-manager.io/cluster-issuer: ca-issuer
tls:
- hosts:
- mastodon.eom.dev
secretName: mastodon-tls

76
tasks/monitor.yaml
View File

@ -125,6 +125,19 @@
containers: containers:
- name: influxdb - name: influxdb
image: influxdb image: influxdb
env:
- name: DOCKER_INFLUXDB_INIT_MODE
value: setup
- name: DOCKER_INFLUXDB_INIT_USERNAME
value: grafana
- name: DOCKER_INFLUXDB_INIT_PASSWORD
value: "{{ grafana_influxdb_password }}"
- name: DOCKER_INFLUXDB_INIT_ORG
value: grafana
- name: DOCKER_INFLUXDB_INIT_BUCKET
value: default
- name: DOCKER_INFLUXDB_INIT_RETENTION
value: 1w
volumeMounts: volumeMounts:
- name: data - name: data
mountPath: /var/lib/influxdb mountPath: /var/lib/influxdb
@ -148,10 +161,20 @@
selector: selector:
app: influxdb app: influxdb
ports: ports:
- port: 80 - port: 8086
targetPort: 8086
name: influxdb name: influxdb
type: ClusterIP type: LoadBalancer
- name: Create a config map for grafana
k8s:
state: present
api_version: v1
kind: ConfigMap
name: grafana
namespace: monitor
definition:
data:
ldap.toml: "{{ lookup('template', 'ldap.toml.j2') }}"
- name: Create Deployment for Grafana - name: Create Deployment for Grafana
k8s: k8s:
@ -188,6 +211,19 @@
value: grafana value: grafana
- name: GF_DATABASE_PASSWORD - name: GF_DATABASE_PASSWORD
value: "{{ grafana_mysql_password }}" value: "{{ grafana_mysql_password }}"
- name: GF_AUTH_LDAP_ENABLED
value: "true"
- name: GF_AUTH_LDAP_CONFIG_FILE
value: /etc/grafana/cm/ldap.toml
- name: GF_AUTH_LDAP_ALLOW_SIGN_UP
value: "true"
volumeMounts:
- name: config
mountPath: /etc/grafana/cm
volumes:
- name: config
configMap:
name: grafana
- name: Create Service for Grafana - name: Create Service for Grafana
k8s: k8s:
@ -221,7 +257,7 @@
spec: spec:
ingressClassName: nginx ingressClassName: nginx
rules: rules:
- host: monitor.eom.dev - host: grafana.eom.dev
http: http:
paths: paths:
- pathType: Prefix - pathType: Prefix
@ -231,35 +267,7 @@
name: grafana name: grafana
port: port:
number: 80 number: 80
- pathType: Prefix
path: /influxdb
backend:
service:
name: influxdb
port:
number: 80
tls: tls:
- hosts: - hosts:
- monitor.eom.dev - grafana.eom.dev
secretName: monitor secretName: grafana
- name: Create Network Policy
k8s:
state: present
definition:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: networkpolicy
namespace: monitor
spec:
podSelector:
matchLabels:
app: monitor
policyTypes:
- Ingress
ingress:
- from:
- ipBlock:
cidr: 192.168.1.0/24

47
tasks/social.yaml
View File

@ -1,47 +0,0 @@
---
# tasks file for social
- name: Deploy Mastodon
kubernetes.core.helm:
name: mastodon
chart_ref: oci://registry-1.docker.io/bitnamicharts/mastodon
release_namespace: mastodon
create_namespace: true
values:
localDomain: mastodon.eom.dev
global:
defaultStorageClass: default
web:
extraEnvVars:
- name: LDAP_ENABLED
value: "yes"
- name: LDAP_HOST
value: openldap.auth.svc.cluster.local
- name: LDAP_PORT
value: 389
- name: LDAP_METHOD
value: plain
- name: LDAP_BASE
value: dc=eom,dc=dev
- name: LDAP_BIND_DN
value: cn=readonly,dc=eom,dc=dev
- name: LDAP_PASSWORD
value: "{{ ldap_readonly_password }}"
- name: LDAP_UID
value: uid
- name: LDAP_MAIL
value: mail
- name: LDAP_SEARCH_FILTER
value: (|(objectClass=inetOrgPerson))
apache:
ingress:
enabled: true
hostname: mastodon.eom.dev
annotations:
cert-manager.io/cluster-issuer: ca-issuer
tls:
- hosts:
- mastodon.eom.dev
secretName: mastodon-tls
postgresql:
auth:
password: "{{ mastodon_postgres_password }}"

29
tasks/www.yaml → tasks/wordpress.yaml
View File

@ -7,7 +7,7 @@
apiVersion: v1 apiVersion: v1
kind: Namespace kind: Namespace
metadata: metadata:
name: www name: wordpress
- name: Create PVC for MySQL - name: Create PVC for MySQL
k8s: k8s:
@ -17,7 +17,7 @@
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
name: mysql name: mysql
namespace: www namespace: wordpress
spec: spec:
accessModes: accessModes:
- ReadWriteOnce - ReadWriteOnce
@ -33,7 +33,7 @@
kind: Deployment kind: Deployment
metadata: metadata:
name: mysql name: mysql
namespace: www namespace: wordpress
labels: labels:
app: mysql app: mysql
spec: spec:
@ -76,7 +76,7 @@
kind: Service kind: Service
metadata: metadata:
name: mysql name: mysql
namespace: www namespace: wordpress
spec: spec:
selector: selector:
app: mysql app: mysql
@ -93,7 +93,7 @@
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
name: wordpress name: wordpress
namespace: www namespace: wordpress
spec: spec:
accessModes: accessModes:
- ReadWriteOnce - ReadWriteOnce
@ -109,7 +109,7 @@
kind: Deployment kind: Deployment
metadata: metadata:
name: wordpress name: wordpress
namespace: www namespace: wordpress
labels: labels:
app: wordpress app: wordpress
spec: spec:
@ -127,7 +127,7 @@
image: wordpress image: wordpress
volumeMounts: volumeMounts:
- name: data - name: data
mountPath: /var/www/html mountPath: /var/wordpress/html
ports: ports:
- containerPort: 3000 - containerPort: 3000
env: env:
@ -152,7 +152,7 @@
kind: Service kind: Service
metadata: metadata:
name: wordpress name: wordpress
namespace: www namespace: wordpress
spec: spec:
selector: selector:
app: wordpress app: wordpress
@ -171,7 +171,7 @@
annotations: annotations:
cert-manager.io/cluster-issuer: ca-issuer cert-manager.io/cluster-issuer: ca-issuer
name: wordpress name: wordpress
namespace: www namespace: wordpress
spec: spec:
ingressClassName: nginx ingressClassName: nginx
rules: rules:
@ -185,7 +185,18 @@
name: wordpress name: wordpress
port: port:
number: 80 number: 80
- host: wordpress.eom.dev
http:
paths:
- pathType: Prefix
path: /
backend:
service:
name: wordpress
port:
number: 80
tls: tls:
- hosts: - hosts:
- www.eom.dev - www.eom.dev
- wordpress.eom.dev
secretName: wordpress secretName: wordpress

63
templates/ldap.toml.j2 Normal file
View File

@ -0,0 +1,63 @@
[[servers]]
# Ldap server host (specify multiple hosts space separated)
host = "openldap.auth.svc.cluster.local"
# Default port is 389 or 636 if use_ssl = true
port = 389
# Set to true if LDAP server should use an encrypted TLS connection (either with STARTTLS or LDAPS)
use_ssl = false
# If set to true, use LDAP with STARTTLS instead of LDAPS
start_tls = false
# The value of an accepted TLS cipher. By default, this value is empty. Example value: ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"])
# For a complete list of supported ciphers and TLS versions, refer to: https://go.dev/src/crypto/tls/cipher_suites.go
# Starting with Grafana v11.0 only ciphers with ECDHE support are accepted for TLS 1.2 connections.
tls_ciphers = []
# This is the minimum TLS version allowed. By default, this value is empty. Accepted values are: TLS1.1 (only for Grafana v10.4 or earlier), TLS1.2, TLS1.3.
min_tls_version = ""
# set to true if you want to skip SSL cert validation
ssl_skip_verify = false
# set to the path to your root CA certificate or leave unset to use system defaults
# root_ca_cert = "/path/to/certificate.crt"
# Authentication against LDAP servers requiring client certificates
# client_cert = "/path/to/client.crt"
# client_key = "/path/to/client.key"
# Search user bind dn
bind_dn = "cn=readonly,dc=eom,dc=dev"
# Search user bind password
# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
bind_password = "{{ ldap_readonly_password }}"
# We recommend using variable expansion for the bind_password, for more info https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#variable-expansion
# bind_password = '$__env{LDAP_BIND_PASSWORD}'
# Timeout in seconds. Applies to each host specified in the 'host' entry (space separated).
timeout = 30
# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
# Allow login from email or username, example "(|(sAMAccountName=%s)(userPrincipalName=%s))"
search_filter = "(&(objectClass=inetOrgPerson)(objectClass=posixAccount)(uid=%s))"
# An array of base dns to search through
search_base_dns = ["dc=eom,dc=dev"]
group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
group_search_filter_user_attribute = "uid"
group_search_base_dns = ["dc=eom,dc=dev"]
# Specify names of the LDAP attributes your LDAP uses
[servers.attributes]
username = "uid"
email = "mail"
name = "givenName"
surname = "sn"
[[servers.group_mappings]]
group_dn = "cn=DevOps Owners,ou=DevOps,ou=Organizations,dc=eom,dc=dev"
org_id = 2
org_role = "Admin"
grafana_admin = true
[[servers.group_mappings]]
group_dn = "cn=DevOps Members,ou=DevOps,ou=Organizations,dc=eom,dc=dev"
org_id = 2
org_role = "Viewer"
grafana_admin = true

29
templates/values.yaml.j2
View File

@ -260,17 +260,17 @@ mastodon:
auth_method: plain auth_method: plain
ca_file: /etc/ssl/certs/ca-certificates.crt ca_file: /etc/ssl/certs/ca-certificates.crt
delivery_method: smtp delivery_method: smtp
domain: domain: mail.eom.dev
enable_starttls: "auto" enable_starttls: "auto"
from_address: notifications@example.com from_address: mastodon@mail.eom.dev
return_path: return_path:
openssl_verify_mode: peer openssl_verify_mode: peer
port: 587 port: 587
reply_to: reply_to:
server: smtp.mailgun.org server: mail.eom.dev
tls: false tls: true
login: login: mastodon
password: password: {{ mastodon_mail_password }}
# -- Instead of defining login/password above, you can specify the name of an existing secret here. Login and # -- Instead of defining login/password above, you can specify the name of an existing secret here. Login and
# password must be located in keys named `login` and `password` respectively. # password must be located in keys named `login` and `password` respectively.
existingSecret: existingSecret:
@ -455,19 +455,18 @@ mastodon:
ingress: ingress:
enabled: true enabled: true
annotations: annotations:
cert-manager.io/cluster-issuer: ca-issuer
# For choosing an ingress ingressClassName is preferred over annotations # For choosing an ingress ingressClassName is preferred over annotations
# kubernetes.io/ingress.class: nginx # kubernetes.io/ingress.class: nginx
# #
# To automatically request TLS certificates use one of the following # To automatically request TLS certificates use one of the following
# kubernetes.io/tls-acme: "true" # kubernetes.io/tls-acme: "true"
# cert-manager.io/cluster-issuer: "letsencrypt" cert-manager.io/cluster-issuer: ca-issuer
# #
# ensure that NGINX's upload size matches Mastodon's # ensure that NGINX's upload size matches Mastodon's
# for the K8s ingress controller: # for the K8s ingress controller:
# nginx.ingress.kubernetes.io/proxy-body-size: 40m # nginx.ingress.kubernetes.io/proxy-body-size: 40m
# for the NGINX ingress controller: # for the NGINX ingress controller:
# nginx.org/client-max-body-size: 40m nginx.org/client-max-body-size: 40m
# -- you can specify the ingressClassName if it differs from the default # -- you can specify the ingressClassName if it differs from the default
ingressClassName: nginx ingressClassName: nginx
hosts: hosts:
@ -487,13 +486,13 @@ ingress:
annotations: annotations:
ingressClassName: ingressClassName:
hosts: hosts:
- host: streaming.mastodon.local - host: streaming.mastodon.eom.dev
paths: paths:
- path: "/" - path: "/"
tls: tls:
- secretName: mastodon-tls - secretName: mastodon-tls
hosts: hosts:
- streaming.mastodon.local - streaming.mastodon.eom.dev
# -- https://github.com/bitnami/charts/tree/master/bitnami/elasticsearch#parameters # -- https://github.com/bitnami/charts/tree/master/bitnami/elasticsearch#parameters
elasticsearch: elasticsearch:
@ -534,7 +533,7 @@ postgresql:
# you must set a password; the password generated by the postgresql chart will # you must set a password; the password generated by the postgresql chart will
# be rotated on each upgrade: # be rotated on each upgrade:
# https://github.com/bitnami/charts/tree/master/bitnami/postgresql#upgrade # https://github.com/bitnami/charts/tree/master/bitnami/postgresql#upgrade
password: {{ mastodon_postgres_password }} password: "{{ mastodon_postgres_password }}"
# Set the password for the "postgres" admin user # Set the password for the "postgres" admin user
# set this to the same value as above if you've previously installed # set this to the same value as above if you've previously installed
# this chart and you're having problems getting mastodon to connect to the DB # this chart and you're having problems getting mastodon to connect to the DB
@ -567,7 +566,7 @@ redis:
auth: auth:
# -- you must set a password; the password generated by the redis chart will be # -- you must set a password; the password generated by the redis chart will be
# rotated on each upgrade: # rotated on each upgrade:
password: "" password: "{{ mastodon_redis_password }}"
# setting password for an existing redis instance will store it in a new Secret # setting password for an existing redis instance will store it in a new Secret
# you can also specify the name of an existing Secret # you can also specify the name of an existing Secret
# with a key of redis-password set to the password you want # with a key of redis-password set to the password you want
@ -696,13 +695,13 @@ externalAuth:
host: openldap.auth.svc.cluster.local host: openldap.auth.svc.cluster.local
port: 389 port: 389
method: plain method: plain
# tls_no_verify: true tls_no_verify: true
base: dc=eom,dc=dev base: dc=eom,dc=dev
bind_dn: cn=readonly,dc=eom,dc=dev bind_dn: cn=readonly,dc=eom,dc=dev
password: {{ ldap_readonly_password }} password: {{ ldap_readonly_password }}
uid: uid uid: uid
mail: mail mail: mail
search_filter: (|(objectClass=inetOrgPerson)) search_filter: "(&(objectClass=inetOrgPerson)(objectClass=posixAccount)(uid=%{uid}))"
# uid_conversion: # uid_conversion:
# enabled: true # enabled: true
# search: "., -" # search: "., -"