diff --git a/.github/workflows/ci-helm-lint-test.yml b/.github/workflows/ci-helm-lint-test.yml index 864f25c..88b5978 100644 --- a/.github/workflows/ci-helm-lint-test.yml +++ b/.github/workflows/ci-helm-lint-test.yml @@ -21,6 +21,10 @@ jobs: - name: Install Helm uses: azure/setup-helm@v4 + - name: Add dependency chart repos + run: | + helm repo add bitnami https://charts.bitnami.com/bitnami + - name: Set up chart-testing uses: helm/chart-testing-action@v2.6.1 @@ -50,6 +54,10 @@ jobs: - name: Install Helm uses: azure/setup-helm@v4 + - name: Add dependency chart repos + run: | + helm repo add bitnami https://charts.bitnami.com/bitnami + - name: Set up chart-testing uses: helm/chart-testing-action@v2.6.1 @@ -70,37 +78,3 @@ jobs: if: steps.list-changed.outputs.changed == 'true' run: | ct install --target-branch ${{ github.event.repository.default_branch }} - - test_user_creation: - name: Test chart with user creation - runs-on: ubuntu-latest - needs: lint - steps: - - name: Checkout - uses: actions/checkout@v4 - with: - fetch-depth: "0" - - - name: Install Helm - uses: azure/setup-helm@v4 - - - name: Set up chart-testing - uses: helm/chart-testing-action@v2.6.1 - - - name: Run chart-testing (list-changed) - id: list-changed - run: | - changed=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }}) - if [[ -n "$changed" ]]; then - echo "changed=true" >> "$GITHUB_OUTPUT" - fi - - - name: Create kind cluster - uses: helm/kind-action@v1.10.0 - if: steps.list-changed.outputs.changed == 'true' - - - name: Run chart-testing (install with user creation) - id: install - if: steps.list-changed.outputs.changed == 'true' - run: | - ct install --target-branch ${{ github.event.repository.default_branch }} diff --git a/charts/pixelfed/Chart.lock b/charts/pixelfed/Chart.lock new file mode 100644 index 0000000..0c37fbe --- /dev/null +++ b/charts/pixelfed/Chart.lock 
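Review bot: The added `helm repo add bitnami https://charts.bitnami.com/bitnami` step, in both the lint-job hunk and the install-job hunk, registers a repository the chart does not reference. Chart.yaml in this commit pulls postgresql and valkey from `oci://registry-1.docker.io/bitnamicharts`, and OCI dependencies should resolve without a `helm repo add`. Either drop the step or point the dependencies at the repository CI adds, so the workflow trusts only the source the chart actually uses. If the step is kept, a comment such as `# needed by <dependency> in charts/pixelfed/Chart.yaml` would explain why.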
@@ -0,0 +1,9 @@ +dependencies: +- name: postgresql + repository: oci://registry-1.docker.io/bitnamicharts + version: 16.3.4 +- name: valkey + repository: oci://registry-1.docker.io/bitnamicharts + version: 2.2.1 +digest: sha256:6ddd2457b1d98b322978cb171e46195627cd3c46fb141e9f0a21b97ad54c4148 +generated: "2024-12-29T22:53:47.065327+01:00" diff --git a/charts/pixelfed/Chart.yaml b/charts/pixelfed/Chart.yaml index 18cba4b..44daec9 100644 --- a/charts/pixelfed/Chart.yaml +++ b/charts/pixelfed/Chart.yaml @@ -15,8 +15,24 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.0 +version: 0.2.0 # This is the version number of the application being deployed. -# image=ghcr.io/mattlqx/docker-pixelfed +# renovate:image=ghcr.io/mattlqx/docker-pixelfed appVersion: "v0.12.3-nginx" + +maintainers: + - name: "jessebot" + email: "jessebot@linux.com" + url: "https://github.com/jessebot" + +dependencies: + - name: postgresql + version: 16.3.4 + repository: oci://registry-1.docker.io/bitnamicharts + condition: postgresql.enabled + + - name: valkey + version: 2.2.1 + repository: oci://registry-1.docker.io/bitnamicharts + condition: valkey.enabled diff --git a/charts/pixelfed/README.md b/charts/pixelfed/README.md index 23aa6f9..8643049 100644 --- a/charts/pixelfed/README.md +++ b/charts/pixelfed/README.md 
@@ -1,9 +1,22 @@ # pixelfed -![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.12.3-nginx](https://img.shields.io/badge/AppVersion-v0.12.3--nginx-informational?style=flat-square) +![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.12.3-nginx](https://img.shields.io/badge/AppVersion-v0.12.3--nginx-informational?style=flat-square) A Helm chart for deploying Pixelfed on Kubernetes +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| jessebot | | | + +## Requirements + +| Repository | Name | Version | +|------------|------|---------| +| oci://registry-1.docker.io/bitnamicharts | postgresql | 16.3.4 | +| oci://registry-1.docker.io/bitnamicharts | valkey | 2.2.1 | + ## Values | Key | Type | Default | Description | 
@@ -13,6 +26,28 @@ A Helm chart for deploying Pixelfed on Kubernetes | autoscaling.maxReplicas | int | `100` | | | autoscaling.minReplicas | int | `1` | | | autoscaling.targetCPUUtilizationPercentage | int | `80` | | +| externalDatabase.connection | string | `"psql"` | options: sqlite mysql pgsql sqlsrv | +| externalDatabase.database | string | `"pixelfed"` | | +| externalDatabase.enabled | bool | `false` | enable using an external mysql or postgresql cluster | +| externalDatabase.existingSecret | string | `""` | get database credentials from an existing Kubernetes Secret | +| externalDatabase.existingSecretKeys.database | string | `"pixelfed"` | key in existing Kubernetes Secret for database. If set, ignores externalDatabase.database | +| externalDatabase.existingSecretKeys.host | string | `""` | key in existing Kubernetes Secret for host. If set, ignores externalDatabase.host | +| externalDatabase.existingSecretKeys.password | string | `""` | key in existing Kubernetes Secret for password. If set, ignores externalDatabase.password | +| externalDatabase.existingSecretKeys.port | string | `""` | key in existing Kubernetes Secret for port. If set, ignores externalDatabase.port | +| externalDatabase.existingSecretKeys.username | string | `""` | key in existing Kubernetes Secret for username. If set, ignores externalDatabase.username | +| externalDatabase.host | string | `""` | | +| externalDatabase.password | string | `""` | | +| externalDatabase.port | int | `3306` | | +| externalDatabase.username | string | `""` | | +| externalValkey.client | string | `"phpredis"` | | +| externalValkey.enabled | bool | `false` | enable using an external valkey or redis cluster | +| externalValkey.existingSecret | string | `""` | get valkey credentials from an existing Kubernetes Secret | +| externalValkey.existingSecretKeys.host | string | `""` | key in existing Kubernetes Secret for host. 
If set, ignores externalValkey.host | +| externalValkey.existingSecretKeys.password | string | `""` | key in existing Kubernetes Secret for password. If set, ignores externalValkey.password | +| externalValkey.host | string | `"valkey"` | | +| externalValkey.password | string | `"null"` | | +| externalValkey.port | string | `"6379"` | | +| externalValkey.scheme | string | `"tcp"` | | | fullnameOverride | string | `""` | | | image.pullPolicy | string | `"IfNotPresent"` | This sets the pull policy for images. | | image.registry | string | `"ghcr.io"` | | 
@@ -30,9 +65,97 @@ A Helm chart for deploying Pixelfed on Kubernetes | livenessProbe.httpGet.port | string | `"http"` | | | nameOverride | string | `""` | This is to override the chart name. | | nodeSelector | object | `{}` | | +| pixelfed.account_deletion | bool | `true` | Enable account deletion (may be a requirement in some jurisdictions) | +| pixelfed.activity_pub.enabled | bool | `false` | | +| pixelfed.activity_pub.inbox | bool | `false` | | +| pixelfed.activity_pub.outbox | bool | `false` | | +| pixelfed.activity_pub.remote_follow | bool | `false` | | +| pixelfed.activity_pub.sharedinbox | bool | `false` | | +| pixelfed.admin_domain | string | `""` | domain of admin interface | +| pixelfed.app.domain | string | `""` | The domain of your server, without https:// | +| pixelfed.app.env | string | `"production"` | The app environment, keep it set to "production" | +| pixelfed.app.locale | string | `"en"` | change this to the language code of your pixelfed instance | +| pixelfed.app.name | string | `"Pixelfed"` | The name of your server/instance | +| pixelfed.app.url | string | `"https://localhost"` | change this to the domain of your pixelfed instance | +| pixelfed.atom_feeds | string | `"true"` | https://docs.pixelfed.org/technical-documentation/config/#atom_feeds | +| pixelfed.db_apply_new_migrations_automatically | bool | `false` | | +| pixelfed.enable_config_cache | bool | `true` | Enable the config cache to allow you to manage settings via the admin dashboard | +| pixelfed.enforce_email_verification | bool | `true` | Enforce email verification | +| pixelfed.exp_emc | bool | `true` | Experimental Configuration | +| pixelfed.force_https_urls | bool | `true` | Force https url generation | +| pixelfed.image_quality | int | `80` | Set the image optimization quality, between 1-100. 
Lower uses less space, higher more quality | +| pixelfed.instance.contact_email | string | `""` | The public contact email for your server | +| pixelfed.instance.contact_form | bool | `false` | enable the instance contact form | +| pixelfed.instance.cur_reg | bool | `false` | Enable Curated Registration | +| pixelfed.instance.description | string | `"Pixelfed - Photo sharing for everyone"` | your server description | +| pixelfed.instance.discover_public | bool | `false` | Enable public access to the Discover feature | +| pixelfed.instance.landing.show_directory | bool | `true` | Enable the profile directory on the landing page | +| pixelfed.instance.landing.show_explore | bool | `true` | Enable the popular post explore on the landing page | +| pixelfed.instance.post_embeds | bool | `true` | Enable the post embed feature | +| pixelfed.instance.profile_embeds | bool | `true` | Enable the profile embed feature | +| pixelfed.instance.public_hashtags | bool | `false` | Allow anonymous access to hashtag feeds | +| pixelfed.instance.reports.email_addresses | list | `[]` | A list of email addresses to deliver admin reports to | +| pixelfed.instance.reports.email_autospam | bool | `false` | Enable autospam reports (require INSTANCE_REPORTS_EMAIL_ENABLED) | +| pixelfed.instance.reports.email_enabled | bool | `false` | Send a report email to the admin account for new autospam/reports | +| pixelfed.instance.show_peers | bool | `false` | Enable the api/v1/peers API endpoint | +| pixelfed.mail.driver | string | `"smtp"` | options: "smtp" (default), "sendmail", "mailgun", "mandrill", "ses" "sparkpost", "log", "array" | +| pixelfed.mail.encryption | string | `"tls"` | | +| pixelfed.mail.existingSecret | string | `""` | name of an existing Kubernetes Secret for mail credentials | +| pixelfed.mail.existingSecretKeys.host | string | `""` | key in existing Kubernetes Secret for host. 
If set, ignores mail.host | +| pixelfed.mail.existingSecretKeys.password | string | `""` | key in existing Kubernetes Secret for password. If set, ignores mail.password | +| pixelfed.mail.existingSecretKeys.port | string | `""` | key in existing Kubernetes Secret for port. If set, ignores mail.port | +| pixelfed.mail.existingSecretKeys.username | string | `""` | key in existing Kubernetes Secret for username. If set, ignores mail.username | +| pixelfed.mail.from_address | string | `"pixelfed@example.com"` | | +| pixelfed.mail.from_name | string | `"Pixelfed"` | | +| pixelfed.mail.host | string | `"smtp.mailtrap.io"` | | +| pixelfed.mail.password | string | `""` | | +| pixelfed.mail.port | int | `2525` | | +| pixelfed.mail.username | string | `""` | | +| pixelfed.max_account_size | int | `1000000` | The max allowed account size in KB | +| pixelfed.max_album_length | int | `6` | The max number of media per post album | +| pixelfed.max_avatar_size | int | `2000` | The max user avatar size in KB | +| pixelfed.max_bio_length | int | `256` | The max user bio length | +| pixelfed.max_caption_length | int | `1000` | The max post caption length | +| pixelfed.max_name_length | int | `32` | The max user display name length | +| pixelfed.max_photo_size | int | `15000` | The max photo/video size in KB | +| pixelfed.min_password_length | int | `16` | The min password length | +| pixelfed.nodeinfo | string | `"true"` | https://docs.pixelfed.org/technical-documentation/config/#nodeinfo | +| pixelfed.oauth_enabled | bool | `true` | Enable oAuth support, required for mobile/3rd party apps | +| pixelfed.open_registration | bool | `true` | Enable open registration for new accounts | +| pixelfed.pf.admin_invites_enabled | bool | `true` | Enable the Admin Invites feature | +| pixelfed.pf.enable_cloud | bool | `false` | Enable S3/Object Storage | +| pixelfed.pf.enforce_max_users | int | `2000` | in KB | +| pixelfed.pf.hide_nsfw_on_public_feeds | bool | `false` | Hide sensitive posts from 
public/network feeds | +| pixelfed.pf.local_avatar_to_cloud | bool | `false` | Store local avatars on S3 (Requires S3) | +| pixelfed.pf.max_collection_length | int | `100` | Max collection post limit | +| pixelfed.pf.max_domain_blocks | int | `50` | The max number of domain blocks per account | +| pixelfed.pf.max_user_blocks | int | `50` | The max number of user blocks per account | +| pixelfed.pf.max_user_mutes | int | `50` | The max number of user mutes per account | +| pixelfed.pf.max_users | int | `1000` | Limit max user registrations | +| pixelfed.pf.optimize_images | bool | `true` | Enable image optimization | +| pixelfed.pf.optimize_videos | bool | `true` | Enable video optimization | +| pixelfed.s3.access_key_id | string | `""` | s3 access_key_id. ignored if s3.existingSecretKeys.access_key_id is set | +| pixelfed.s3.bucket | string | `""` | s3 bucket | +| pixelfed.s3.endpoint | string | `""` | s3 endpoint excluding protocol such as s3.domain.com | +| pixelfed.s3.existingSecret | string | `""` | name of an existing Kubernetes Secret for s3 credentials | +| pixelfed.s3.existingSecretKeys.access_key_id | string | `""` | key in existing Kubernetes Secret for access_key_id. If set, ignores s3.access_key_id | +| pixelfed.s3.existingSecretKeys.endpoint | string | `""` | key in existing Kubernetes Secret for endpoint. If set, ignores s3.endpoint | +| pixelfed.s3.existingSecretKeys.secret_access_key | string | `""` | key in existing Kubernetes Secret for secret_access_key. If set, ignores s3.secret_access_key | +| pixelfed.s3.existingSecretKeys.url | string | `""` | key in existing Kubernetes Secret for url. If set, ignores s3.url | +| pixelfed.s3.region | string | `""` | s3 region | +| pixelfed.s3.secret_access_key | string | `""` | s3 secret_access_key. 
ignored if s3.existingSecretKeys.secret_access_key is set | +| pixelfed.s3.url | string | `""` | s3 url including protocol such as https://s3.domain.com | +| pixelfed.s3.use_path_style_endpoint | bool | `false` | use S3 path type instead of using a DNS subdomain | +| pixelfed.session_domain | string | `""` | domain of session? | +| pixelfed.stories_enabled | bool | `false` | Enable the Stories feature | +| pixelfed.timezone | string | `"europe/amsterdam"` | timezone for docker container | +| pixelfed.trusted_proxies | string | `"*"` | trusted proxies | +| pixelfed.webfinger | string | `"true"` | https://docs.pixelfed.org/technical-documentation/config/#webfinger | | podAnnotations | object | `{}` | This is for setting Kubernetes Annotations to a Pod. For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ | | podLabels | object | `{}` | This is for setting Kubernetes Labels to a Pod. For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ | | podSecurityContext | object | `{}` | | +| postgresql.enabled | bool | `true` | enable the bundled postgresql sub chart from Bitnami. Must set to true if externalDatabase.enabled=false | +| postgresql.fullnameOverride | string | `"postgresql"` | | | readinessProbe.httpGet.path | string | `"/"` | | | readinessProbe.httpGet.port | string | `"http"` | | | replicaCount | int | `1` | This will set the replicaset count more information can be found here: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/ | 
@@ -45,8 +168,26 @@ A Helm chart for deploying Pixelfed on Kubernetes | serviceAccount.create | bool | `true` | Specifies whether a service account should be created | | serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | | tolerations | list | `[]` | | +| valkey.auth.enabled | bool | `true` | | +| valkey.auth.existingSecret | string | `""` | | +| valkey.auth.existingSecretPasswordKey | string | `"password"` | | +| valkey.auth.metrics.enabled | bool | `false` | | +| valkey.auth.persistentVolumeClaimRetentionPolicy.enabled | bool | `true` | | +| valkey.auth.persistentVolumeClaimRetentionPolicy.whenDeleted | string | `"Retain"` | | +| valkey.auth.persistentVolumeClaimRetentionPolicy.whenScaled | string | `"Retain"` | | +| valkey.auth.primary.persistence.enabled | bool | `true` | | +| valkey.auth.primary.persistence.existingClaim | string | `""` | | +| valkey.auth.replica.persistence.enabled | bool | `true` | | +| valkey.auth.replica.persistence.existingClaim | string | `""` | | +| valkey.auth.resourcesPreset | string | `"small"` | | +| valkey.auth.tls.authClients | bool | `true` | | +| valkey.auth.tls.autoGenerated | bool | `false` | | +| valkey.auth.tls.enabled | bool | `false` | | +| valkey.enabled | bool | `true` | enable the bundled valkey sub chart from Bitnami. Must set to true if externalValkey.enabled=false | +| valkey.fullnameOverride | string | `"valkey"` | | +| valkey.global.storageClass | string | `""` | | | volumeMounts | list | `[]` | Additional volumeMounts on the output Deployment definition. | | volumes | list | `[]` | Additional volumes on the output Deployment definition. 
| ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2) +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/pixelfed/charts/postgresql-16.3.4.tgz b/charts/pixelfed/charts/postgresql-16.3.4.tgz new file mode 100644 index 0000000..66db705 Binary files /dev/null and b/charts/pixelfed/charts/postgresql-16.3.4.tgz differ diff --git a/charts/pixelfed/charts/valkey-2.2.1.tgz b/charts/pixelfed/charts/valkey-2.2.1.tgz new file mode 100644 index 0000000..12cc106 Binary files /dev/null and b/charts/pixelfed/charts/valkey-2.2.1.tgz differ diff --git a/charts/pixelfed/templates/configmap.yaml b/charts/pixelfed/templates/configmap.yaml new file mode 100644 index 0000000..43f1948 --- /dev/null +++ b/charts/pixelfed/templates/configmap.yaml 
@@ -0,0 +1,115 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: pixelfed-env
+data:
+ env: |-
+ # app config vars
+ APP_NAME={{ .Values.pixelfed.app.name }}
+ APP_ENV={{ .Values.pixelfed.app.env }}
+ APP_URL={{ .Values.pixelfed.app.url }}
+ APP_LOCALE={{ .Values.pixelfed.app.locale }}
+ {{- with .Values.pixelfed.app.domain }}
+ APP_DOMAIN={{ . }}
+ {{- end }}
+
+ # registration related env vars
+ OPEN_REGISTRATION={{ .Values.pixelfed.open_registration | quote }}
+ ENFORCE_EMAIL_VERIFICATION={{ .Values.pixelfed.enforce_email_verification | quote }}
+ ACCOUNT_DELETION={{ .Values.pixelfed.account_deletion | quote }}
+ OAUTH_ENABLED={{ .Values.pixelfed.oauth_enabled | quote }}
+
+ MIN_PASSWORD_LENGTH={{ .Values.pixelfed.min_password_length | quote }}
+ MAX_ACCOUNT_SIZE={{ .Values.pixelfed.max_account_size | quote }}
+ MAX_PHOTO_SIZE={{ .Values.pixelfed.max_photo_size | quote }}
+ MAX_AVATAR_SIZE={{ .Values.pixelfed.max_avatar_size | quote }}
+ MAX_CAPTION_LENGTH={{ .Values.pixelfed.max_caption_length | quote }}
+ MAX_BIO_LENGTH={{ .Values.pixelfed.max_bio_length | quote }}
+ MAX_NAME_LENGTH={{ .Values.pixelfed.max_name_length | quote }}
+ MAX_ALBUM_LENGTH={{ .Values.pixelfed.max_album_length | quote }}
+ FORCE_HTTPS_URLS={{ .Values.pixelfed.force_https_urls | quote }}
+
+ # misc
+ STORIES_ENABLED={{ .Values.pixelfed.stories_enabled | quote }}
+ ENABLE_CONFIG_CACHE={{ .Values.pixelfed.enable_config_cache | quote }}
+ IMAGE_QUALITY={{ .Values.pixelfed.image_quality | quote }}
+
+ # instance wide configuration
+ INSTANCE_DESCRIPTION={{ .Values.pixelfed.instance.description }}
+ INSTANCE_CONTACT_FORM={{ .Values.pixelfed.instance.contact_form | quote }}
+ INSTANCE_DISCOVER_PUBLIC={{ .Values.pixelfed.instance.discover_public | quote }}
+ INSTANCE_PUBLIC_HASHTAGS={{ .Values.pixelfed.instance.public_hashtags | quote }}
+ {{- with .Values.pixelfed.instance.contact_email }}
+ INSTANCE_CONTACT_EMAIL={{ .Values.pixelfed.instance.contact_email }}
+ {{- end }}
+ INSTANCE_PROFILE_EMBEDS={{ .Values.pixelfed.instance.profile_embeds | quote }}
+ INSTANCE_POST_EMBEDS={{ .Values.pixelfed.instance.post_embeds | quote }}
+ INSTANCE_REPORTS_EMAIL_ENABLED={{ .Values.pixelfed.instance.reports.email_enabled | quote }}
+ {{- with .Values.pixelfed.instance.reports.email_addresses }}
+ INSTANCE_REPORTS_EMAIL_ADDRESSES={{ join "," . }}
+ {{- end }}
+ INSTANCE_REPORTS_EMAIL_AUTOSPAM={{ .Values.pixelfed.instance.reports.email_autospam | quote }}
+ INSTANCE_LANDING_SHOW_DIRECTORY={{ .Values.pixelfed.instance.landing.show_directory | quote }}
+ INSTANCE_LANDING_SHOW_EXPLORE={{ .Values.pixelfed.instance.landing.show_explore | quote }}
+ INSTANCE_CUR_REG={{ .Values.pixelfed.instance.cur_reg | quote }}
+ INSTANCE_SHOW_PEERS={{ .Values.pixelfed.instance.show_peers | quote }}
+
+ # pixelfed config
+ PF_HIDE_NSFW_ON_PUBLIC_FEEDS={{ .Values.pixelfed.pf.hide_nsfw_on_public_feeds | quote }}
+ PF_LOCAL_AVATAR_TO_CLOUD={{ .Values.pixelfed.pf.local_avatar_to_cloud | quote }}
+ PF_ADMIN_INVITES_ENABLED={{ .Values.pixelfed.pf.admin_invites_enabled | quote }}
+ PF_MAX_USER_BLOCKS={{ .Values.pixelfed.pf.max_user_blocks | quote }}
+ PF_MAX_USER_MUTES={{ .Values.pixelfed.pf.max_user_mutes | quote }}
+ PF_MAX_DOMAIN_BLOCKS={{ .Values.pixelfed.pf.max_domain_blocks | quote }}
+ PF_ENABLE_CLOUD={{ .Values.pixelfed.pf.enable_cloud | quote }}
+ PF_MAX_USERS={{ .Values.pixelfed.pf.max_users | quote }}
+ PF_ENFORCE_MAX_USERS={{ .Values.pixelfed.pf.enforce_max_users | quote }}
+ PF_OPTIMIZE_IMAGES={{ .Values.pixelfed.pf.optimize_images | quote }}
+ PF_OPTIMIZE_VIDEOS={{ .Values.pixelfed.pf.optimize_videos | quote }}
+ PF_MAX_COLLECTION_LENGTH={{ .Values.pixelfed.pf.max_collection_length | quote }}
+
+ # Laravel Configuration
+ SESSION_DRIVER="redis"
+ CACHE_DRIVER="redis"
+ QUEUE_DRIVER="redis"
+ BROADCAST_DRIVER="log"
+ LOG_CHANNEL="stack"
+ HORIZON_PREFIX="horizon-"
+
+ # activity pub
+ ACTIVITY_PUB={{ .Values.pixelfed.activity_pub.enabled | quote }}
+ AP_REMOTE_FOLLOW={{ .Values.pixelfed.activity_pub.remote_follow | quote }}
+ AP_SHAREDINBOX={{ .Values.pixelfed.activity_pub.sharedinbox | quote }}
+ AP_INBOX={{ .Values.pixelfed.activity_pub.inbox | quote }}
+ AP_OUTBOX={{ .Values.pixelfed.activity_pub.outbox | quote }}
+
+ # redis
+ {{- with .Values.externalValkey.host }}
+ REDIS_HOST={{ . }}
+ {{- end }}
+ {{- with .Values.externalValkey.port }}
+ REDIS_PORT={{ . }}
+ {{- end }}
+ {{- with .Values.externalValkey.password }}
+ REDIS_PASSWORD={{ . }}
+ {{- end }}
+
+ # mail
+ MAIL_DRIVER="smtp"
+ MAIL_HOST="smtp.mailgun.org"
+ MAIL_PORT="587"
+ MAIL_FROM_ADDRESS="__CHANGE_ME__"
+ MAIL_FROM_NAME="${APP_NAME}"
+ MAIL_USERNAME=""
+ MAIL_PASSWORD=""
+ MAIL_ENCRYPTION="tls"
+
+ # db
+ DB_CONNECTION="pgsql"
+ DB_HOST="db"
+ DB_USERNAME="pixelfed"
+ DB_PASSWORD=
+ DB_DATABASE="pixelfed_prod"
+ DB_PORT="3306"
+ DB_APPLY_NEW_MIGRATIONS_AUTOMATICALLY="false"
diff --git a/charts/pixelfed/templates/deployment.yaml b/charts/pixelfed/templates/deployment.yaml
index ab73d9a..84c6105 100644
--- a/charts/pixelfed/templates/deployment.yaml
+++ b/charts/pixelfed/templates/deployment.yaml
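Review bot: `REDIS_PASSWORD={{ . }}` under `# redis` in configmap.yaml writes the Valkey password into a ConfigMap, which is stored and served as ordinary configuration rather than as a Secret. deployment.yaml in this commit already takes REDIS_PASSWORD from a `secretKeyRef`, so the `REDIS_*` `with` blocks can be dropped here to keep credentials out of the ConfigMap. Separately, inside `{{- with .Values.pixelfed.instance.contact_email }}` the dot is rebound to the e-mail string, so `{{ .Values.pixelfed.instance.contact_email }}` cannot resolve once a contact e-mail is set; the line should read `INSTANCE_CONTACT_EMAIL={{ . }}`, and the same construct appears in deployment.yaml. The `# mail` and `# db` entries are literals that ignore the chart values, which looks unintended, so a comment stating whether this `env` blob is consumed at all would help.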
@@ -34,12 +34,287 @@ spec: - name: {{ .Chart.Name }} securityContext: {{- toYaml .Values.securityContext | nindent 12 }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} ports: - name: http containerPort: {{ .Values.service.port }} protocol: TCP + env: + # app data + - name: APP_NAME + value: {{ .Values.pixelfed.app.name }} + - name: APP_ENV + value: {{ .Values.pixelfed.app.env }} + - name: APP_URL + value: {{ .Values.pixelfed.app.url }} + - name: APP_LOCALE + value: {{ .Values.pixelfed.app.locale }} + {{- with .Values.pixelfed.app.domain }} + - name: APP_DOMAIN + value: {{ . }} + {{- end }} + + # registration related + - name: OPEN_REGISTRATION + value: {{ .Values.pixelfed.open_registration | quote }} + - name: ENFORCE_EMAIL_VERIFICATION + value: {{ .Values.pixelfed.enforce_email_verification | quote }} + - name: IMAGE_QUALITY + value: {{ .Values.pixelfed.image_quality | quote }} + - name: ACCOUNT_DELETION + value: {{ .Values.pixelfed.account_deletion | quote }} + - name: OAUTH_ENABLED + value: {{ .Values.pixelfed.oauth_enabled | quote }} + + # limits + - name: MIN_PASSWORD_LENGTH + value: {{ .Values.pixelfed.min_password_length | quote }} + - name: MAX_ACCOUNT_SIZE + value: {{ .Values.pixelfed.max_account_size | quote }} + - name: MAX_PHOTO_SIZE + value: {{ .Values.pixelfed.max_photo_size | quote }} + - name: MAX_AVATAR_SIZE + value: {{ .Values.pixelfed.max_avatar_size | quote }} + - name: MAX_CAPTION_LENGTH + value: {{ .Values.pixelfed.max_caption_length | quote }} + - name: MAX_BIO_LENGTH + value: {{ .Values.pixelfed.max_bio_length | quote }} + - name: MAX_NAME_LENGTH + value: {{ .Values.pixelfed.max_name_length | quote }} + - name: MAX_ALBUM_LENGTH + value: {{ .Values.pixelfed.max_album_length | quote }} + - name: FORCE_HTTPS_URLS + value: {{ 
.Values.pixelfed.force_https_urls | quote }} + - name: STORIES_ENABLED + value: {{ .Values.pixelfed.stories_enabled | quote }} + - name: ENABLE_CONFIG_CACHE + value: {{ .Values.pixelfed.enable_config_cache | quote }} + + # instance config + - name: INSTANCE_DESCRIPTION + value: {{ .Values.pixelfed.instance.description }} + - name: INSTANCE_CONTACT_FORM + value: {{ .Values.pixelfed.instance.contact_form | quote }} + - name: INSTANCE_DISCOVER_PUBLIC + value: {{ .Values.pixelfed.instance.discover_public | quote }} + - name: INSTANCE_PUBLIC_HASHTAGS + value: {{ .Values.pixelfed.instance.public_hashtags | quote }} + {{- with .Values.pixelfed.instance.contact_email }} + - name: INSTANCE_CONTACT_EMAIL + value: {{ .Values.pixelfed.instance.contact_email }} + {{- end }} + - name: INSTANCE_PROFILE_EMBEDS + value: {{ .Values.pixelfed.instance.profile_embeds | quote }} + - name: INSTANCE_POST_EMBEDS + value: {{ .Values.pixelfed.instance.post_embeds | quote }} + - name: INSTANCE_REPORTS_EMAIL_ENABLED + value: {{ .Values.pixelfed.instance.reports.email_enabled | quote }} + {{- with .Values.pixelfed.instance.reports.email_addresses }} + - name: INSTANCE_REPORTS_EMAIL_ADDRESSES + value: {{ join "," . 
}} + {{- end }} + - name: INSTANCE_REPORTS_EMAIL_AUTOSPAM + value: {{ .Values.pixelfed.instance.reports.email_autospam | quote }} + - name: INSTANCE_LANDING_SHOW_DIRECTORY + value: {{ .Values.pixelfed.instance.landing.show_directory | quote }} + - name: INSTANCE_LANDING_SHOW_EXPLORE + value: {{ .Values.pixelfed.instance.landing.show_explore | quote }} + - name: INSTANCE_CUR_REG + value: {{ .Values.pixelfed.instance.cur_reg | quote }} + - name: INSTANCE_SHOW_PEERS + value: {{ .Values.pixelfed.instance.show_peers | quote }} + + # public feed + - name: PF_HIDE_NSFW_ON_PUBLIC_FEEDS + value: {{ .Values.pixelfed.pf.hide_nsfw_on_public_feeds | quote }} + - name: PF_LOCAL_AVATAR_TO_CLOUD + value: {{ .Values.pixelfed.pf.local_avatar_to_cloud | quote }} + - name: PF_ADMIN_INVITES_ENABLED + value: {{ .Values.pixelfed.pf.admin_invites_enabled | quote }} + - name: PF_MAX_USER_BLOCKS + value: {{ .Values.pixelfed.pf.max_user_blocks | quote }} + - name: PF_MAX_USER_MUTES + value: {{ .Values.pixelfed.pf.max_user_mutes | quote }} + - name: PF_MAX_DOMAIN_BLOCKS + value: {{ .Values.pixelfed.pf.max_domain_blocks | quote }} + - name: PF_ENABLE_CLOUD + value: {{ .Values.pixelfed.pf.enable_cloud | quote }} + - name: PF_MAX_USERS + value: {{ .Values.pixelfed.pf.max_users | quote }} + - name: PF_ENFORCE_MAX_USERS + value: {{ .Values.pixelfed.pf.enforce_max_users | quote }} + - name: PF_OPTIMIZE_IMAGES + value: {{ .Values.pixelfed.pf.optimize_images | quote }} + - name: PF_OPTIMIZE_VIDEOS + value: {{ .Values.pixelfed.pf.optimize_videos | quote }} + - name: PF_MAX_COLLECTION_LENGTH + value: {{ .Values.pixelfed.pf.max_collection_length | quote }} + + # Laravel Configuration + - name: SESSION_DRIVER + value: "database" + - name: CACHE_DRIVER + value: "redis" + - name: QUEUE_DRIVER + value: "redis" + - name: BROADCAST_DRIVER + value: "log" + - name: LOG_CHANNEL + value: "stack" + - name: HORIZON_PREFIX + value: "horizon-" + + # activity pub + - name: ACTIVITY_PUB + value: {{ 
.Values.pixelfed.activity_pub.enabled | quote }} + - name: AP_REMOTE_FOLLOW + value: {{ .Values.pixelfed.activity_pub.remote_follow | quote }} + - name: AP_SHAREDINBOX + value: {{ .Values.pixelfed.activity_pub.sharedinbox | quote }} + - name: AP_INBOX + value: {{ .Values.pixelfed.activity_pub.inbox | quote }} + - name: AP_OUTBOX + value: {{ .Values.pixelfed.activity_pub.outbox | quote }} + + # redis + - name: REDIS_HOST + valueFrom: + secretKeyRef: + {{- if .Values.externalValkey.existingSecret }} + name: {{ .Values.externalValkey.existingSecret }} + key: {{ .Values.externalValkey.existingSecretKeys.host }} + {{- else }} + name: pixelfed-valkey + key: host + {{- end }} + - name: REDIS_PORT + valueFrom: + secretKeyRef: + {{- if .Values.externalValkey.existingSecret }} + name: {{ .Values.externalValkey.existingSecret }} + key: {{ .Values.externalValkey.existingSecretKeys.port }} + {{- else }} + name: pixelfed-valkey + key: port + {{- end }} + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.externalValkey.existingSecret }} + name: {{ .Values.externalValkey.existingSecret }} + key: {{ .Values.externalValkey.existingSecretKeys.password }} + {{- else }} + name: pixelfed-valkey + key: password + {{- end }} + + # mail + - name: MAIL_DRIVER + value: "{{ .Values.pixelfed.mail.driver }}" + - name: MAIL_HOST + valueFrom: + secretKeyRef: + {{- if .Values.pixelfed.mail.existingSecret }} + name: {{ .Values.pixelfed.mail.existingSecret }} + key: {{ .Values.pixelfed.mail.existingSecretKeys.host }} + {{- else }} + name: pixelfed-mail + key: host + {{- end }} + - name: MAIL_PORT + valueFrom: + secretKeyRef: + {{- if .Values.pixelfed.mail.existingSecret }} + name: {{ .Values.pixelfed.mail.existingSecret }} + key: {{ .Values.pixelfed.mail.existingSecretKeys.port }} + {{- else }} + name: pixelfed-mail + key: port + {{- end }} + - name: MAIL_FROM_ADDRESS + value: "{{ .Values.pixelfed.mail.from_address }}" + - name: MAIL_FROM_NAME + value: "{{ 
.Values.pixelfed.mail.from_name }}" + - name: MAIL_USERNAME + valueFrom: + secretKeyRef: + {{- if .Values.pixelfed.mail.existingSecret }} + name: {{ .Values.pixelfed.mail.existingSecret }} + key: {{ .Values.pixelfed.mail.existingSecretKeys.username }} + {{- else }} + name: pixelfed-mail + key: username + {{- end }} + - name: MAIL_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.pixelfed.mail.existingSecret }} + name: {{ .Values.pixelfed.mail.existingSecret }} + key: {{ .Values.pixelfed.mail.existingSecretKeys.password }} + {{- else }} + name: pixelfed-mail + key: password + {{- end }} + - name: MAIL_ENCRYPTION + value: "{{ .Values.pixelfed.mail.encryption }}" + + # database configuration + - name: DB_CONNECTION + value: {{ .Values.externalDatabase.connection }} + - name: DB_HOST + valueFrom: + secretKeyRef: + {{- if .Values.externalDatabase.existingSecret }} + name: {{ .Values.externalDatabase.existingSecret }} + key: {{ .Values.externalDatabase.existingSecretKeys.username }} + {{- else }} + name: pixelfed-database + key: host + {{- end }} + - name: DB_USERNAME + valueFrom: + secretKeyRef: + {{- if .Values.externalDatabase.existingSecret }} + name: {{ .Values.externalDatabase.existingSecret }} + key: {{ .Values.externalDatabase.existingSecretKeys.username }} + {{- else }} + name: pixelfed-database + key: username + {{- end }} + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.externalDatabase.existingSecret }} + name: {{ .Values.externalDatabase.existingSecret }} + key: {{ .Values.externalDatabase.existingSecretKeys.username }} + {{- else }} + name: pixelfed-database + key: password + {{- end }} + - name: DB_DATABASE + valueFrom: + secretKeyRef: + {{- if .Values.externalDatabase.existingSecret }} + name: {{ .Values.externalDatabase.existingSecret }} + key: {{ .Values.externalDatabase.existingSecretKeys.username }} + {{- else }} + name: pixelfed-database + key: database + {{- end }} + - name: DB_PORT + valueFrom: + secretKeyRef: + {{- if 
.Values.externalDatabase.existingSecret }} + name: {{ .Values.externalDatabase.existingSecret }} + key: {{ .Values.externalDatabase.existingSecretKeys.username }} + {{- else }} + name: pixelfed-database + key: port + {{- end }} + - name: DB_APPLY_NEW_MIGRATIONS_AUTOMATICALLY + value: "{{ .Values.pixelfed.db_apply_new_migrations_automatically }}" + livenessProbe: {{- toYaml .Values.livenessProbe | nindent 12 }} readinessProbe: diff --git a/charts/pixelfed/templates/secret_database.yaml b/charts/pixelfed/templates/secret_database.yaml new file mode 100644 index 0000000..d4767c6 --- /dev/null +++ b/charts/pixelfed/templates/secret_database.yaml @@ -0,0 +1,13 @@ +{{- if and .Values.externalDatabase.enabled ( not .Values.externalDatabase.existingSecret ) }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: pixelfed-database +data: + host: {{ .Values.externalDatabase.host }} + port: {{ .Values.externalDatabase.port }} + database: {{ .Values.externalDatabase.database }} + username: {{ .Values.externalDatabase.username }} + password: {{ .Values.externalDatabase.password }} +{{- end }} diff --git a/charts/pixelfed/templates/secret_mail.yaml b/charts/pixelfed/templates/secret_mail.yaml new file mode 100644 index 0000000..7bd73cc --- /dev/null +++ b/charts/pixelfed/templates/secret_mail.yaml @@ -0,0 +1,12 @@ +{{- if not .Values.externalDatabase.existingSecret }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: pixelfed-mail +data: + host: {{ .Values.pixelfed.mail.host }} + port: {{ .Values.pixelfed.mail.port }} + username: {{ .Values.pixelfed.mail.username }} + password: {{ .Values.pixelfed.mail.password }} +{{- end }} diff --git a/charts/pixelfed/templates/secret_valkey.yaml b/charts/pixelfed/templates/secret_valkey.yaml new file mode 100644 index 0000000..5e39bc5 --- /dev/null +++ b/charts/pixelfed/templates/secret_valkey.yaml 
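Review bot: In the `# database configuration` block of deployment.yaml, the `existingSecret` branches of DB_HOST, DB_PASSWORD, DB_DATABASE and DB_PORT all read `key: {{ .Values.externalDatabase.existingSecretKeys.username }}`. With an existing Secret the container would therefore receive the username entry as its host, password, database name and port. Each should use its own key: `existingSecretKeys.host`, `existingSecretKeys.password`, `existingSecretKeys.database` and `existingSecretKeys.port`. The fallback Secrets `pixelfed-database` and `pixelfed-valkey` are also referenced unconditionally, while their templates in this commit render only when `externalDatabase.enabled` / `externalValkey.enabled` is true, so with the README defaults (both `false`) the pod appears to reference Secrets the chart never creates. The container spec starts before this hunk and continues after it.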
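Review bot: The values under `data:` in secret_database.yaml are emitted raw, but a Secret's `data` field must hold base64-encoded strings. The object will be rejected or decode to the wrong bytes, and the integer `port` is not a string at all. Use `stringData:` with quoted values, e.g. `password: {{ .Values.externalDatabase.password | quote }}`, or keep `data:` and pipe each value through `| toString | b64enc | quote`. secret_mail.yaml and secret_valkey.yaml in this commit have the same defect.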
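Review bot: secret_mail.yaml is gated on `{{- if not .Values.externalDatabase.existingSecret }}`, the database setting, whereas deployment.yaml chooses between `pixelfed-mail` and the user's Secret by `.Values.pixelfed.mail.existingSecret`. Setting a database existingSecret therefore suppresses `pixelfed-mail` while the pod still references it, and setting only a mail existingSecret still renders an unused Secret holding the inline mail password. The guard should be `{{- if not .Values.pixelfed.mail.existingSecret }}`.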
@@ -0,0 +1,11 @@
+{{- if and .Values.externalValkey.enabled ( not .Values.externalValkey.existingSecret ) }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: pixelfed-valkey
+data:
+ host: {{ .Values.externalValkey.host }}
+ port: {{ .Values.externalValkey.port }}
+ password: {{ .Values.externalValkey.password }}
+{{- end }}
diff --git a/charts/pixelfed/values.yaml b/charts/pixelfed/values.yaml
index 7d33b99..677c869 100644
--- a/charts/pixelfed/values.yaml
+++ b/charts/pixelfed/values.yaml
@@ -62,8 +62,6 @@ ingress: enabled: false className: "" annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" hosts: - host: chart-example.local paths:
@@ -123,3 +121,320 @@ nodeSelector: {} tolerations: [] affinity: {}
+
+externalDatabase:
+ # -- enable using an external mysql or postgresql cluster
+ enabled: false
+ # -- options: sqlite mysql pgsql sqlsrv
+ connection: psql
+ host: ""
+ port: 3306
+ database: pixelfed
+ username: ""
+ password: ""
+ # options: disable, require, allow, prefer, verify-full
+ # ssl_mode: ""
+ # path to ssl root cert
+ # ssl_root_cert:
+ # path to ssl cert
+ # ssl_cert: ""
+ # path to ssl key
+ # ssl_key: ""
+ # -- get database credentials from an existing Kubernetes Secret
+ existingSecret: ""
+ existingSecretKeys:
+ # -- key in existing Kubernetes Secret for host. If set, ignores externalDatabase.host
+ host: ""
+ # -- key in existing Kubernetes Secret for port. If set, ignores externalDatabase.port
+ port: ""
+ # -- key in existing Kubernetes Secret for database. If set, ignores externalDatabase.database
+ database: pixelfed
+ # -- key in existing Kubernetes Secret for username. If set, ignores externalDatabase.username
+ username: ""
+ # -- key in existing Kubernetes Secret for password. If set, ignores externalDatabase.password
+ password: ""
+
+# External Redis Configuration. Use this if you set valkey.enabled: false
+externalValkey:
+ # -- enable using an external valkey or redis cluster
+ enabled: false
+ client: "phpredis"
+ scheme: "tcp"
+ host: "valkey"
+ password: "null"
+ port: "6379"
+ # -- get valkey credentials from an existing Kubernetes Secret
+ existingSecret: ""
+ existingSecretKeys:
+ # -- key in existing Kubernetes Secret for host. If set, ignores externalValkey.host
+ host: ""
+ # -- key in existing Kubernetes Secret for password. If set, ignores externalValkey.password
+ password: ""
+
+# valkey is a fork of redis with a better license
+valkey:
+ # -- enable the bundled valkey sub chart from Bitnami.
+ # Must set to true if externalValkey.enabled=false
+ enabled: true
+ fullnameOverride: "valkey"
+ global:
+ storageClass: ""
+
+ # for auth, we get the valkey credentials from an ExternalSecret
+ auth:
+ enabled: true
+ existingSecret: ""
+ existingSecretPasswordKey: "password"
+ # TLS settings
+ tls:
+ enabled: false
+ authClients: true
+ autoGenerated: false
+
+ # primary (control plane) configuration
+ primary:
+ persistence:
+ enabled: true
+ existingClaim: ""
+
+ # valkey replica configuration
+ replica:
+ persistence:
+ enabled: true
+ existingClaim: ""
+
+ # persistnent volume retention policy for the StatefulSet
+ persistentVolumeClaimRetentionPolicy:
+ enabled: true
+ whenScaled: Retain
+ whenDeleted: Retain
+
+ metrics:
+ # we use a grafana exporter that logs into valkey directly
+ enabled: false
+
+ # definitions: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
+ # Options: nano, micro, small, medium, large, xlarge, 2xlarge
+ # default: nano
+ resourcesPreset: "small"
+
+
+postgresql:
+ # -- enable the bundled postgresql sub chart from Bitnami.
+ # Must set to true if externalDatabase.enabled=false
+ enabled: true
+ fullnameOverride: "postgresql"
+
+pixelfed:
+ # -- Automatically run [artisan migrate --force] if new migrations are detected.
+ db_apply_new_migrations_automatically: false
+
+ # -- timezone for docker container
+ timezone: "europe/amsterdam"
+
+ # -- Experimental Configuration
+ exp_emc: true
+
+ # -- domain of admin interface
+ admin_domain: ""
+
+ # -- domain of session?
+ session_domain: ""
+
+ # -- trusted proxies
+ trusted_proxies: "*"
+
+ # app specific settings
+ app:
+ # -- The name of your server/instance
+ name: "Pixelfed"
+ # -- The app environment, keep it set to "production"
+ env: "production"
+ # -- change this to the domain of your pixelfed instance
+ url: "https://localhost"
+ # -- change this to the language code of your pixelfed instance
+ locale: "en"
+ # -- The domain of your server, without https://
+ domain: ""
+
+ # -- Enable open registration for new accounts
+ open_registration: true
+
+ # -- Enforce email verification
+ enforce_email_verification: true
+
+ # -- The min password length
+ min_password_length: 16
+
+ # -- Enable account deletion (may be a requirement in some jurisdictions)
+ account_deletion: true
+
+ # -- Enable oAuth support, required for mobile/3rd party apps
+ oauth_enabled: true
+
+ # -- Enable the Stories feature
+ stories_enabled: false
+
+ # -- Enable the config cache to allow you to manage settings via the admin dashboard
+ enable_config_cache: true
+
+ # -- Set the image optimization quality, between 1-100. Lower uses less space, higher more quality
+ image_quality: 80
+
+ # -- The max allowed account size in KB
+ max_account_size: 1000000
+
+ # -- The max photo/video size in KB
+ max_photo_size: 15000
+
+ # -- The max user avatar size in KB
+ max_avatar_size: 2000
+
+ # -- The max post caption length
+ max_caption_length: 1000
+
+ # -- The max user bio length
+ max_bio_length: 256
+
+ # -- The max user display name length
+ max_name_length: 32
+
+ # -- The max number of media per post album
+ max_album_length: 6
+
+ # -- Force https url generation
+ force_https_urls: true
+
+ # your whole instance, or server, settings
+ instance:
+ # -- your server description
+ description: "Pixelfed - Photo sharing for everyone"
+ # -- enable the instance contact form
+ contact_form: false
+ # -- Enable public access to the Discover feature
+ discover_public: false
+ # -- Allow anonymous access to hashtag feeds
+ public_hashtags: false
+ # -- The public contact email for your server
+ contact_email: ""
+ # -- Enable the profile embed feature
+ profile_embeds: true
+ # -- Enable the post embed feature
+ post_embeds: true
+ # -- Enable Curated Registration
+ cur_reg: false
+ # -- Enable the api/v1/peers API endpoint
+ show_peers: false
+
+ reports:
+ # -- Send a report email to the admin account for new autospam/reports
+ email_enabled: false
+ # -- A list of email addresses to deliver admin reports to
+ email_addresses: []
+ # -- Enable autospam reports (require INSTANCE_REPORTS_EMAIL_ENABLED)
+ email_autospam: false
+
+ landing:
+ # -- Enable the profile directory on the landing page
+ show_directory: true
+ # -- Enable the popular post explore on the landing page
+ show_explore: true
+
+ # public feed settings
+ pf:
+ # -- Hide sensitive posts from public/network feeds
+ hide_nsfw_on_public_feeds: false
+ # -- Store local avatars on S3 (Requires S3)
+ local_avatar_to_cloud: false
+ # -- Enable the Admin Invites feature
+ admin_invites_enabled: true
+ # -- The max number of user blocks per account
+ max_user_blocks: 50
+ # -- The max number of user mutes per account
+ max_user_mutes: 50
+ # -- The max number of domain blocks per account
+ max_domain_blocks: 50
+ # -- Enable S3/Object Storage
+ enable_cloud: false
+ # -- Limit max user registrations
+ max_users: 1000
+ # -- in KB
+ enforce_max_users: 2000
+ # -- Enable image optimization
+ optimize_images: true
+ # -- Enable video optimization
+ optimize_videos: true
+ # -- Max collection post limit
+ max_collection_length: 100
+
+ # ActivityPub Configuration
+ activity_pub:
+ enabled: false
+ remote_follow: false
+ inbox: false
+ outbox: false
+ sharedinbox: false
+
+ ###########################################################
+ # Federation
+ ###########################################################
+ # -- https://docs.pixelfed.org/technical-documentation/config/#atom_feeds
+ atom_feeds: "true"
+
+ # -- https://docs.pixelfed.org/technical-documentation/config/#nodeinfo
+ nodeinfo: "true"
+
+ # -- https://docs.pixelfed.org/technical-documentation/config/#webfinger
+ webfinger: "true"
+
+ # Mail Configuration (Post-Installer)
+ mail:
+ # -- options: "smtp" (default), "sendmail", "mailgun", "mandrill", "ses"
+ # "sparkpost", "log", "array"
+ driver: smtp
+ host: smtp.mailtrap.io
+ port: 2525
+ username: ""
+ password: ""
+ encryption: "tls"
+ from_address: "pixelfed@example.com"
+ from_name: "Pixelfed"
+ # -- name of an existing Kubernetes Secret for mail credentials
+ existingSecret: ""
+ existingSecretKeys:
+ # -- key in existing Kubernetes Secret for host. If set, ignores mail.host
+ host: ""
+ # -- key in existing Kubernetes Secret for port. If set, ignores mail.port
+ port: ""
+ # -- key in existing Kubernetes Secret for username. If set, ignores mail.username
+ username: ""
+ # -- key in existing Kubernetes Secret for password. If set, ignores mail.password
+ password: ""
+
+ # Mail Configuration (Post-Installer)
+ s3:
+ # -- s3 url including protocol such as https://s3.domain.com
+ url: ""
+ # -- s3 endpoint excluding protocol such as s3.domain.com
+ endpoint: ""
+ # -- s3 bucket
+ bucket: ""
+ # -- s3 region
+ region: ""
+ # -- s3 access_key_id. ignored if s3.existingSecretKeys.access_key_id is set
+ access_key_id: ""
+ # -- s3 secret_access_key. ignored if s3.existingSecretKeys.secret_access_key is set
+ secret_access_key: ""
+ # -- use S3 path type instead of using a DNS subdomain
+ use_path_style_endpoint: false
+ # -- name of an existing Kubernetes Secret for s3 credentials
+ existingSecret: ""
+ existingSecretKeys:
+ # -- key in existing Kubernetes Secret for url. If set, ignores s3.url
+ url: ""
+ # -- key in existing Kubernetes Secret for endpoint. If set, ignores s3.endpoint
+ endpoint: ""
+ # -- key in existing Kubernetes Secret for access_key_id. If set, ignores s3.access_key_id
+ access_key_id: ""
+ # -- key in existing Kubernetes Secret for secret_access_key. If set, ignores s3.secret_access_key
+ secret_access_key: ""
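Review bot: The `externalDatabase.existingSecretKeys` entries for host, port, database and password are documented here, but in the visible part of the deployment.yaml hunk earlier in this diff (that hunk starts outside this view) DB_HOST, DB_PASSWORD, DB_DATABASE and DB_PORT all look up `existingSecretKeys.username`, so with `existingSecret` set every database variable resolves to the username key. In the same block, `connection: psql` is not one of the options listed in the comment above it and `port: 3306` is MySQL's port although the bundled subchart is postgresql; `connection: pgsql` and `port: 5432` would match. `trusted_proxies: "*"` presumably makes the app accept forwarded client-address headers from any peer, so a comment such as `# -- set to your ingress controller's address range; "*" trusts forwarded headers from any source` would help operators narrow it.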