From 72342cde8044d6c4796ca3a1bfe86ac539982dbc Mon Sep 17 00:00:00 2001 From: jessebot Date: Thu, 23 Jan 2025 09:06:23 +0100 Subject: [PATCH 01/14] chores around renovate, security context, and appVersion move renovate.json to the root dir and allow ignoring tests for merging GHA patch/minor updates only switch the appVersion in Chart.yaml to a specific sha tag that should actually work, until pixelfed does another official release set the securityContext and podSecurityContext to run as user 33, which is www-data to solve security root escalation issue Signed-off-by: jessebot --- README.md | 2 +- charts/pixelfed/Chart.yaml | 6 ++++-- charts/pixelfed/README.md | 8 +++++--- charts/pixelfed/values.yaml | 20 +++++++++++-------- .../pixelfed/renovate.json => renovate.json | 5 +++-- 5 files changed, 25 insertions(+), 16 deletions(-) rename charts/pixelfed/renovate.json => renovate.json (91%) diff --git a/README.md b/README.md index 04dab49..10a8300 100644 --- a/README.md +++ b/README.md 
@@ -5,7 +5,7 @@ A helm chart to setup [Pixelfed](https://github.com/pixelfed/pixelfed), a federa This chart is still in a testing phase and may not be fully stable yet. -Uses @mattlqx's [docker image](https://ghcr.io/mattlqx/docker-pixelfed) which is for now pinned to the latest _released_ version of Pixelfed. You may want to set `image.tag="dev-nginx"` (built from the top of the pixelfed repo's dev branch nightly, so it always has the latest version of pixelfed - but maybe buggy) as it may solve issues you are having that are already fixed such as this [bug that was already patched](https://github.com/pixelfed/pixelfed/issues/5220#issuecomment-2599854479). +Uses @mattlqx's [docker image](https://ghcr.io/mattlqx/docker-pixelfed) which is for now pinned to a specific nightly build of the upstream `dev` branch of the official pixelfed repo. You may want to set `image.tag="dev-nginx"` (built from the top of the pixelfed repo's dev branch nightly, so it always has the latest version of pixelfed - but maybe buggy) as it may solve issues you are having that are already fixed such as this [bug that was already patched](https://github.com/pixelfed/pixelfed/issues/5220#issuecomment-2599854479). ## Features diff --git a/charts/pixelfed/Chart.yaml b/charts/pixelfed/Chart.yaml index 29f97fb..2b12bb9 100644 --- a/charts/pixelfed/Chart.yaml +++ b/charts/pixelfed/Chart.yaml 
@@ -15,11 +15,13 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.15.0 +version: 0.16.0 # This is the version number of the application being deployed. # renovate:image=ghcr.io/mattlqx/docker-pixelfed -appVersion: "v0.12.4-nginx" +appVersion: "sha256-ea7cbbfe5ba933a934b47cd1029fb5dbc19d437d0aa3f1a309cb5c82226795e8.sig" +# the below verison is currently broken on migrations :( +# appVersion: "v0.12.4-nginx" maintainers: - name: "jessebot" diff --git a/charts/pixelfed/README.md b/charts/pixelfed/README.md index 9700204..30ac5e9 100644 --- a/charts/pixelfed/README.md +++ b/charts/pixelfed/README.md @@ -1,6 +1,6 @@ # pixelfed -![Version: 0.15.0](https://img.shields.io/badge/Version-0.15.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.12.4-nginx](https://img.shields.io/badge/AppVersion-v0.12.4--nginx-informational?style=flat-square) +![Version: 0.16.0](https://img.shields.io/badge/Version-0.16.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: sha256-ea7cbbfe5ba933a934b47cd1029fb5dbc19d437d0aa3f1a309cb5c82226795e8.sig](https://img.shields.io/badge/AppVersion-sha256--ea7cbbfe5ba933a934b47cd1029fb5dbc19d437d0aa3f1a309cb5c82226795e8.sig-informational?style=flat-square) A Helm chart for deploying Pixelfed on Kubernetes 
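Review bot: The new `appVersion` value ending in `.sig` has the shape of a cosign signature tag (`sha256-<digest>.sig`), which names the signature artifact stored beside an image rather than the image itself. A pod pulling it would presumably not get a runnable container, so this is worth confirming against the registry before relying on it as a pin. The same value is also used as a label, which is why the patch 05 message reports the 63-character label limit failure. I would keep `appVersion` a short human-readable version and pin the image by digest in the image reference instead. The added comment also misspells `version` as `verison`.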
@@ -183,7 +183,9 @@ A Helm chart for deploying Pixelfed on Kubernetes | pixelfed.webfinger | string | `"true"` | https://docs.pixelfed.org/technical-documentation/config/#webfinger | | podAnnotations | object | `{}` | This is for setting Kubernetes Annotations to a Pod. For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ | | podLabels | object | `{}` | This is for setting Kubernetes Labels to a Pod. For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ | -| podSecurityContext | object | `{}` | securityContext for the whole pod | +| podSecurityContext.fsGroup | int | `33` | group to mount the filesystem as | +| podSecurityContext.runAsGroup | int | `33` | group to run the pixelfed pod as | +| podSecurityContext.runAsUser | int | `33` | user to run the pixelfed pod as | | postgresql.enabled | bool | `true` | enable the bundled [postgresql sub chart from Bitnami](https://github.com/bitnami/charts/blob/main/bitnami/postgresql/README.md#parameters). Must set to true if externalDatabase.enabled=false | | postgresql.fullnameOverride | string | `"postgresql"` | | | postgresql.global.storageClass | string | `""` | | 
@@ -192,7 +194,7 @@ A Helm chart for deploying Pixelfed on Kubernetes | replicaCount | int | `1` | This will set the replicaset count more information can be found here: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/ | | resources | object | `{}` | set resource limits and requests for cpu, memory, and ephemeral storage | | revisionHistoryLimit | int | `10` | how many revisions of the deployment to keep for rollbacks | -| securityContext | object | `{}` | securityContext for the pixelfed container | +| securityContext.runAsUser | int | `33` | user to run the pixelfed container as | | service.port | int | `80` | This sets the ports more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#field-spec-ports | | service.targetPort | int | `80` | Port to attach to on the pods. Also sets what port nginx listens on inside the container. | | service.type | string | `"ClusterIP"` | This sets the service type more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types | diff --git a/charts/pixelfed/values.yaml b/charts/pixelfed/values.yaml index 8994a6b..561de54 100644 --- a/charts/pixelfed/values.yaml +++ b/charts/pixelfed/values.yaml 
@@ -54,15 +54,19 @@ podAnnotations: {} # For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ podLabels: {} -# -- securityContext for the whole pod -podSecurityContext: {} - # runAsUser: 33 - # runAsGroup: 33 - # fsGroup: 33 +# securityContext for the whole pixelfed pod +podSecurityContext: + # -- user to run the pixelfed pod as + runAsUser: 33 + # -- group to run the pixelfed pod as + runAsGroup: 33 + # -- group to mount the filesystem as + fsGroup: 33 -# -- securityContext for the pixelfed container -securityContext: {} - # runAsUser: 33 +# securityContext for the pixelfed container +securityContext: + # -- user to run the pixelfed container as + runAsUser: 33 # runAsNonRoot: true # readOnlyRootFilesystem: true # capabilities: diff --git a/charts/pixelfed/renovate.json b/renovate.json similarity index 91% rename from charts/pixelfed/renovate.json rename to renovate.json index 532a0d2..3f860f4 100644 --- a/charts/pixelfed/renovate.json +++ b/renovate.json @@ -26,8 +26,9 @@ }, { "matchManagers": ["github-actions"], - "matchUpdateTypes": ["patch","minor"], - "automerge": true + "matchUpdateTypes": ["patch", "minor"], + "automerge": true, + "ignoreTests": true } ] } From fea9c83b2c1a31106054efc3b3c03a6bb0430b45 Mon Sep 17 00:00:00 2001 From: jessebot Date: Thu, 23 Jan 2025 09:30:46 +0100 Subject: [PATCH 02/14] add setting mail username/password to the default testing --- .github/workflows/ci-helm-lint-test.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci-helm-lint-test.yml b/.github/workflows/ci-helm-lint-test.yml index 38a007d..8870187 100644 --- a/.github/workflows/ci-helm-lint-test.yml +++ b/.github/workflows/ci-helm-lint-test.yml 
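Review bot: The container-level `securityContext` now sets only `runAsUser: 33`, while `runAsNonRoot: true`, `readOnlyRootFilesystem: true` and the `capabilities:` block stay commented out beneath it, so the defaults still allow a setuid binary in the image to regain privileges. Since the commit message gives root escalation as the motivation, I would add `allowPrivilegeEscalation: false` and uncomment `runAsNonRoot: true` next to `runAsUser: 33`, then drop all capabilities once the image is confirmed to start without them. The `securityContext` block continues past the end of the hunk, so the commented `capabilities:` entries are only partly visible here.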
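Review bot: Adding `"ignoreTests": true` beside `"automerge": true` in the `github-actions` rule lets Renovate merge patch and minor action updates without waiting for any status check. That removes the only automated gate on third-party code that runs in CI with the workflow's token. I would keep automerge but drop `"ignoreTests": true`, and fix whichever check is blocking merges instead. Pinning actions to commit digests, for example with Renovate's `helpers:pinGitHubActionDigests` preset, would further limit what an automerged update can bring in. The rule is presumably an entry of a `packageRules` array that starts outside the hunk.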
@@ -81,4 +81,6 @@ jobs: id: install if: steps.list-changed.outputs.changed == 'true' run: | - ct install --target-branch ${{ github.event.repository.default_branch }} + ct install \ + --target-branch ${{ github.event.repository.default_branch }} \ + --helm-extra-set-args "--set=pixelfed.mail.username=test --set=pixelfed.mail.password=test" From 04b772a8986c6d22c67b3dee3634aa9d0103e519 Mon Sep 17 00:00:00 2001 From: jessebot Date: Thu, 23 Jan 2025 09:42:33 +0100 Subject: [PATCH 03/14] set more defaults for the ci tests --- .github/workflows/ci-helm-lint-test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci-helm-lint-test.yml b/.github/workflows/ci-helm-lint-test.yml index 8870187..dc22e38 100644 --- a/.github/workflows/ci-helm-lint-test.yml +++ b/.github/workflows/ci-helm-lint-test.yml @@ -83,4 +83,4 @@ jobs: run: | ct install \ --target-branch ${{ github.event.repository.default_branch }} \ - --helm-extra-set-args "--set=pixelfed.mail.username=test --set=pixelfed.mail.password=test" + --helm-extra-set-args "--set=pixelfed.mail.username=test --set=pixelfed.mail.password=testing1234567 --set=valkey.auth.password=testing1234567 --set=postgresql.auth.password=testing1234567 --set=postgresql.auth.postgresPassword=testing1234567 --set=postgresql.auth.database=pixelfed --set=postgresql.auth.username=pixelfed" From 3bcccd4aea90c332fc847a9111baad49b90efdec Mon Sep 17 00:00:00 2001 From: jessebot Date: Thu, 23 Jan 2025 09:53:04 +0100 Subject: [PATCH 04/14] use test values file instead of cli args for ct --- .github/workflows/ci-helm-lint-test.yml | 4 +-- .../test-values/postgresql-plain.yaml | 29 +++++++++++++++++++ 2 files changed, 30 insertions(+), 3 deletions(-) create mode 100644 charts/pixelfed/test-values/postgresql-plain.yaml diff --git a/.github/workflows/ci-helm-lint-test.yml b/.github/workflows/ci-helm-lint-test.yml index dc22e38..f034d80 100644 --- a/.github/workflows/ci-helm-lint-test.yml 
+++ b/.github/workflows/ci-helm-lint-test.yml @@ -81,6 +81,4 @@ jobs: id: install if: steps.list-changed.outputs.changed == 'true' run: | - ct install \ - --target-branch ${{ github.event.repository.default_branch }} \ - --helm-extra-set-args "--set=pixelfed.mail.username=test --set=pixelfed.mail.password=testing1234567 --set=valkey.auth.password=testing1234567 --set=postgresql.auth.password=testing1234567 --set=postgresql.auth.postgresPassword=testing1234567 --set=postgresql.auth.database=pixelfed --set=postgresql.auth.username=pixelfed" + ct install --target-branch ${{ github.event.repository.default_branch }} --helm-extra-set-args "--values ./charts/pixelfed/test-values/postgresql-plain.yaml" --skip-clean-up diff --git a/charts/pixelfed/test-values/postgresql-plain.yaml b/charts/pixelfed/test-values/postgresql-plain.yaml new file mode 100644 index 0000000..3cc7bf5 --- /dev/null +++ b/charts/pixelfed/test-values/postgresql-plain.yaml @@ -0,0 +1,29 @@ +# This file is strictly for testing a base functionality of this chart +# it uses postgresql and valkey and provides credentials for them as well as mail + +pixelfed: + mail: + username: test + password: testing1234567 + +valkey: + auth: + enabled: true + password: testing1234567 + primary: + replicaCount: 2 + disableCommands: + - FLUSHALL + persistence: + enabled: false + replica: + replicaCount: 0 + persistence: + enabled: false + +postgresql: + auth: + password: testing1234567 + postgresPassword: testing1234567 + username: pixelfed + database: pixelfed From f91f2b51fca50831f5da4dc3fb637e741e042ec6 Mon Sep 17 00:00:00 2001 
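Review bot: The new `test-values/postgresql-plain.yaml` lives inside the chart directory, so unless `.helmignore` (not visible in this patch) excludes it, the file and its fixed `testing1234567` passwords are packaged into every released chart archive. chart-testing already installs a chart once per `ci/*-values.yaml` file it finds, so moving the file to `charts/pixelfed/ci/postgresql-plain-values.yaml` would make the `--helm-extra-set-args "--values ..."` argument in the workflow hunk unnecessary. Either way I would list the directory in `.helmignore` and extend the header comment with `# CI-only credentials: never reuse these values in a real deployment`.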
From: jessebot Date: Thu, 23 Jan 2025 09:58:11 +0100 Subject: [PATCH 05/14] try using dev-nginx as for tag otherwise we get Deployment.apps pixelfed-w49e3rc6mr is invalid: [metadata.labels: Invalid value: sha256-ea7cbbfe5ba933a934b47cd1029fb5dbc19d437d0aa3f1a309cb5c82226795e8.sig: must be no more than 63 characters, spec.template.labels: Invalid value: sha256-ea7cbbfe5ba933a934b47cd1029fb5dbc19d437d0aa3f1a309cb5c82226795e8.sig: must be no more than 63 characters] --- charts/pixelfed/Chart.yaml | 2 +- charts/pixelfed/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/pixelfed/Chart.yaml b/charts/pixelfed/Chart.yaml index 2b12bb9..770171e 100644 --- a/charts/pixelfed/Chart.yaml +++ b/charts/pixelfed/Chart.yaml @@ -19,7 +19,7 @@ version: 0.16.0 # This is the version number of the application being deployed. # renovate:image=ghcr.io/mattlqx/docker-pixelfed -appVersion: "sha256-ea7cbbfe5ba933a934b47cd1029fb5dbc19d437d0aa3f1a309cb5c82226795e8.sig" +appVersion: "dev-nginx" # the below verison is currently broken on migrations :( # appVersion: "v0.12.4-nginx" diff --git a/charts/pixelfed/README.md b/charts/pixelfed/README.md index 30ac5e9..1c4cafd 100644 --- a/charts/pixelfed/README.md +++ b/charts/pixelfed/README.md 
@@ -1,6 +1,6 @@ # pixelfed -![Version: 0.16.0](https://img.shields.io/badge/Version-0.16.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: sha256-ea7cbbfe5ba933a934b47cd1029fb5dbc19d437d0aa3f1a309cb5c82226795e8.sig](https://img.shields.io/badge/AppVersion-sha256--ea7cbbfe5ba933a934b47cd1029fb5dbc19d437d0aa3f1a309cb5c82226795e8.sig-informational?style=flat-square) +![Version: 0.16.0](https://img.shields.io/badge/Version-0.16.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: dev-nginx](https://img.shields.io/badge/AppVersion-dev--nginx-informational?style=flat-square) A Helm chart for deploying Pixelfed on Kubernetes From f86f0e968de5a1c6c09772f6e01856d064f211d9 Mon Sep 17 00:00:00 2001 From: jessebot Date: Thu, 23 Jan 2025 10:17:31 +0100 Subject: [PATCH 06/14] add testing a specific healthcheck endpoint for pixelfed ci testing --- charts/pixelfed/templates/tests/test-connection.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/pixelfed/templates/tests/test-connection.yaml b/charts/pixelfed/templates/tests/test-connection.yaml index 5de5cfb..e064074 100644 --- a/charts/pixelfed/templates/tests/test-connection.yaml +++ b/charts/pixelfed/templates/tests/test-connection.yaml @@ -11,5 +11,5 @@ spec: - name: wget image: busybox command: ['wget'] - args: ['{{ include "pixelfed.fullname" . }}:{{ .Values.service.port }}'] + args: ['{{ include "pixelfed.fullname" . }}:{{ .Values.service.port }}/api/service/health-check'] restartPolicy: Never From a5a2dd152864c0adaebd00fdcd7292047c8bdf14 Mon Sep 17 00:00:00 2001 
From: jessebot Date: Thu, 23 Jan 2025 10:22:17 +0100 Subject: [PATCH 07/14] remove notes for now, as we don't have some that make sense for pixelfed --- charts/pixelfed/templates/NOTES.txt | 22 ---------------------- 1 file changed, 22 deletions(-) delete mode 100644 charts/pixelfed/templates/NOTES.txt diff --git a/charts/pixelfed/templates/NOTES.txt b/charts/pixelfed/templates/NOTES.txt deleted file mode 100644 index cde4eb9..0000000 --- a/charts/pixelfed/templates/NOTES.txt +++ /dev/null 
@@ -1,22 +0,0 @@ -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range $host := .Values.ingress.hosts }} - {{- range .paths }} - http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }} - {{- end }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "pixelfed.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch its status by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "pixelfed.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "pixelfed.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") - echo http://$SERVICE_IP:{{ .Values.service.port }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "pixelfed.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT -{{- end }} From 1e6f43d97fb7d56b8e233a81250f917291e551b2 Mon Sep 17 00:00:00 2001 
From: jessebot Date: Thu, 23 Jan 2025 10:37:32 +0100 Subject: [PATCH 08/14] set default liveness/readiness probes for the ci test --- charts/pixelfed/test-values/postgresql-plain.yaml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/charts/pixelfed/test-values/postgresql-plain.yaml b/charts/pixelfed/test-values/postgresql-plain.yaml index 3cc7bf5..4d6790a 100644 --- a/charts/pixelfed/test-values/postgresql-plain.yaml +++ b/charts/pixelfed/test-values/postgresql-plain.yaml @@ -27,3 +27,13 @@ postgresql: postgresPassword: testing1234567 username: pixelfed database: pixelfed + +livenessProbe: + httpGet: + path: /api/service/health-check + port: http + +readinessProbe: + httpGet: + path: /api/service/health-check + port: http From bec985e272daa2e0bd6c4697ba0dbc175eb74174 Mon Sep 17 00:00:00 2001 From: jessebot Date: Thu, 23 Jan 2025 10:58:08 +0100 Subject: [PATCH 09/14] change liveness and readiness probes for ci tests --- charts/pixelfed/test-values/postgresql-plain.yaml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/charts/pixelfed/test-values/postgresql-plain.yaml b/charts/pixelfed/test-values/postgresql-plain.yaml index 4d6790a..861b9ea 100644 --- a/charts/pixelfed/test-values/postgresql-plain.yaml +++ b/charts/pixelfed/test-values/postgresql-plain.yaml @@ -29,11 +29,21 @@ postgresql: database: pixelfed livenessProbe: + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 3 + successThreshold: 1 httpGet: path: /api/service/health-check port: http readinessProbe: + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 3 + successThreshold: 1 httpGet: path: /api/service/health-check port: http From 7a16c2659b22db704a2ea9c99d18d630f6022dc2 Mon Sep 17 00:00:00 2001 
From: jessebot Date: Thu, 23 Jan 2025 21:45:37 +0100 Subject: [PATCH 10/14] always template out app_domain --- README.md | 1 + charts/pixelfed/templates/configmap_env.yaml | 4 +--- charts/pixelfed/test-values/postgresql-plain.yaml | 2 ++ 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 10a8300..2ecd0af 100644 --- a/README.md +++ b/README.md @@ -25,6 +25,7 @@ Uses @mattlqx's [docker image](https://ghcr.io/mattlqx/docker-pixelfed) which is helm repo add pixelfed https://small-hack.github.io/pixelfed-chart # download the values.yaml and edit it with your own values such as YOUR hostname +# especially important is pixelfed.app.domain helm show values pixelfed/pixelfed > values.yaml # install the chart diff --git a/charts/pixelfed/templates/configmap_env.yaml b/charts/pixelfed/templates/configmap_env.yaml index 833ea80..e169d72 100644 --- a/charts/pixelfed/templates/configmap_env.yaml +++ b/charts/pixelfed/templates/configmap_env.yaml @@ -10,9 +10,7 @@ data: APP_PORT: {{ .Values.service.targetPort | quote}} APP_URL: {{ .Values.pixelfed.app.url }} APP_LOCALE: {{ .Values.pixelfed.app.locale }} - {{- with .Values.pixelfed.app.domain }} - APP_DOMAIN: {{ . }} - {{- end }} + APP_DOMAIN: {{ .Values.pixelfed.app.domain | required ".Values.pixelfed.app.domain is required" }} {{- with .Values.pixelfed.exp_loops }} EXP_LOOPS: {{ . }} diff --git a/charts/pixelfed/test-values/postgresql-plain.yaml b/charts/pixelfed/test-values/postgresql-plain.yaml index 861b9ea..cac6564 100644 --- a/charts/pixelfed/test-values/postgresql-plain.yaml +++ b/charts/pixelfed/test-values/postgresql-plain.yaml @@ -2,6 +2,8 @@ # it uses postgresql and valkey and provides credentials for them as well as mail pixelfed: + app: + domain: "example.com" mail: username: test password: testing1234567 From fb2ec0ab1d29264f53863e973816b2f5804ce16d Mon Sep 17 00:00:00 2001 
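Review bot: The new `APP_DOMAIN` line in `configmap_env.yaml` renders the value unquoted, so a domain string containing `: `, ` #` or a line break would alter the structure of the rendered ConfigMap instead of failing cleanly; `APP_PORT` a few lines above already pipes through `quote`. I would write it as `APP_DOMAIN: {{ required ".Values.pixelfed.app.domain is required" .Values.pixelfed.app.domain | quote }}`. The unquoted `APP_URL` and `APP_LOCALE` context lines have the same rendering weakness. Making the value mandatory also turns a previously optional setting into an install-time failure for existing users, which deserves a line in the release notes. The `data:` block continues outside the hunk.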
From: jessebot Date: Thu, 23 Jan 2025 21:54:06 +0100 Subject: [PATCH 11/14] add pixelfed service target port --- charts/pixelfed/README.md | 2 +- charts/pixelfed/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/pixelfed/README.md b/charts/pixelfed/README.md index 1c4cafd..6e1da1e 100644 --- a/charts/pixelfed/README.md +++ b/charts/pixelfed/README.md @@ -196,7 +196,7 @@ A Helm chart for deploying Pixelfed on Kubernetes | revisionHistoryLimit | int | `10` | how many revisions of the deployment to keep for rollbacks | | securityContext.runAsUser | int | `33` | user to run the pixelfed container as | | service.port | int | `80` | This sets the ports more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#field-spec-ports | -| service.targetPort | int | `80` | Port to attach to on the pods. Also sets what port nginx listens on inside the container. | +| service.targetPort | int | `8080` | Port to attach to on the pods. Also sets what port nginx listens on inside the container. | | service.type | string | `"ClusterIP"` | This sets the service type more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types | | serviceAccount.annotations | object | `{}` | Annotations to add to the service account | | serviceAccount.automount | bool | `true` | Automatically mount a ServiceAccount's API credentials? | diff --git a/charts/pixelfed/values.yaml b/charts/pixelfed/values.yaml index 561de54..e10bd7a 100644 --- a/charts/pixelfed/values.yaml +++ b/charts/pixelfed/values.yaml 
@@ -80,7 +80,7 @@ service: # -- This sets the ports more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#field-spec-ports port: 80 # -- Port to attach to on the pods. Also sets what port nginx listens on inside the container. - targetPort: 80 + targetPort: 8080 # This block is for setting up the ingress for more information can be found here: # https://kubernetes.io/docs/concepts/services-networking/ingress/ From 9a939c1ea916cf025c83fa3d6cff2779825e4b06 Mon Sep 17 00:00:00 2001 From: jessebot Date: Thu, 23 Jan 2025 21:57:24 +0100 Subject: [PATCH 12/14] allow cleanup in ci --- .github/workflows/ci-helm-lint-test.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci-helm-lint-test.yml b/.github/workflows/ci-helm-lint-test.yml index f034d80..1b58133 100644 --- a/.github/workflows/ci-helm-lint-test.yml +++ b/.github/workflows/ci-helm-lint-test.yml @@ -81,4 +81,6 @@ jobs: id: install if: steps.list-changed.outputs.changed == 'true' run: | - ct install --target-branch ${{ github.event.repository.default_branch }} --helm-extra-set-args "--values ./charts/pixelfed/test-values/postgresql-plain.yaml" --skip-clean-up + ct install \ + --target-branch ${{ github.event.repository.default_branch }} \ + --helm-extra-set-args "--values ./charts/pixelfed/test-values/postgresql-plain.yaml" From fed9924325eb4026beb9d41241ed82780e67d510 Mon Sep 17 00:00:00 2001 From: jessebot Date: Thu, 23 Jan 2025 22:00:58 +0100 Subject: [PATCH 13/14] try pinning the sha again for now --- charts/pixelfed/Chart.yaml | 4 ++-- charts/pixelfed/README.md | 4 ++-- charts/pixelfed/values.yaml | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/charts/pixelfed/Chart.yaml b/charts/pixelfed/Chart.yaml index 770171e..c7efcd0 100644 --- a/charts/pixelfed/Chart.yaml +++ b/charts/pixelfed/Chart.yaml 
@@ -19,8 +19,8 @@ version: 0.16.0 # This is the version number of the application being deployed. # renovate:image=ghcr.io/mattlqx/docker-pixelfed -appVersion: "dev-nginx" -# the below verison is currently broken on migrations :( +appVersion: "7d1d62c8552683225456c2a552ba8ca36afb24b32f706e425310de5bf84aeab1" +# the below verison is currently broken on migrations in postgresql :( # appVersion: "v0.12.4-nginx" maintainers: diff --git a/charts/pixelfed/README.md b/charts/pixelfed/README.md index 6e1da1e..bb643df 100644 --- a/charts/pixelfed/README.md +++ b/charts/pixelfed/README.md @@ -1,6 +1,6 @@ # pixelfed -![Version: 0.16.0](https://img.shields.io/badge/Version-0.16.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: dev-nginx](https://img.shields.io/badge/AppVersion-dev--nginx-informational?style=flat-square) +![Version: 0.16.0](https://img.shields.io/badge/Version-0.16.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 7d1d62c8552683225456c2a552ba8ca36afb24b32f706e425310de5bf84aeab1](https://img.shields.io/badge/AppVersion-7d1d62c8552683225456c2a552ba8ca36afb24b32f706e425310de5bf84aeab1-informational?style=flat-square) A Helm chart for deploying Pixelfed on Kubernetes 
@@ -57,7 +57,7 @@ A Helm chart for deploying Pixelfed on Kubernetes | fullnameOverride | string | `""` | This is to override the chart name, but used in more places | | image.pullPolicy | string | `"IfNotPresent"` | This sets the pull policy for images. | | image.registry | string | `"ghcr.io"` | | -| image.repository | string | `"mattlqx/docker-pixelfed"` | you can see the source [ghcr.io/mattlqx/docker-pixelfed](https://ghcr.io/mattlqx/docker-pixelfed) | +| image.repository | string | `"mattlqx/docker-pixelfed@sha256"` | you can see the source [ghcr.io/mattlqx/docker-pixelfed](https://ghcr.io/mattlqx/docker-pixelfed) | | image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. you may want to set this to dev-nginx if you experice issue with the default tag | | imagePullSecrets | list | `[]` | This is for the secretes for pulling an image from a private repository more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ | | ingress.annotations | object | `{}` | | diff --git a/charts/pixelfed/values.yaml b/charts/pixelfed/values.yaml index e10bd7a..1783023 100644 --- a/charts/pixelfed/values.yaml +++ b/charts/pixelfed/values.yaml @@ -9,7 +9,7 @@ replicaCount: 1 image: registry: ghcr.io # -- you can see the source [ghcr.io/mattlqx/docker-pixelfed](https://ghcr.io/mattlqx/docker-pixelfed) - repository: mattlqx/docker-pixelfed + repository: mattlqx/docker-pixelfed@sha256 # -- This sets the pull policy for images. pullPolicy: IfNotPresent # -- Overrides the image tag whose default is the chart appVersion. From 6c443c3b25c8008a607773aa7a5ae7c00b32e90e Mon Sep 17 00:00:00 2001 From: jessebot Date: Thu, 23 Jan 2025 22:11:38 +0100 Subject: [PATCH 14/14] update image.tag directly for sha --- charts/pixelfed/Chart.yaml | 4 +--- charts/pixelfed/README.md | 4 ++-- charts/pixelfed/values.yaml | 7 ++++--- 3 files changed, 7 insertions(+), 8 deletions(-) 
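Review bot: Appending `@sha256` to `image.repository` in the values.yaml hunk only yields a valid reference when the tag is a bare digest, assuming the deployment template joins repository and tag with `:` (the template is not part of this patch). Anyone who sets `image.tag` to an ordinary tag such as `dev-nginx`, as the README and the `image.tag` comment in the patch 14 values.yaml hunk suggest, would then get `mattlqx/docker-pixelfed@sha256:dev-nginx`, which cannot be pulled. I would leave `repository: mattlqx/docker-pixelfed` unchanged and add a separate `image.digest` value that the template renders as `@sha256:<digest>` when set, falling back to `:tag` otherwise.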
diff --git a/charts/pixelfed/Chart.yaml b/charts/pixelfed/Chart.yaml index c7efcd0..18d9bf1 100644 --- a/charts/pixelfed/Chart.yaml +++ b/charts/pixelfed/Chart.yaml @@ -19,9 +19,7 @@ version: 0.16.0 # This is the version number of the application being deployed. # renovate:image=ghcr.io/mattlqx/docker-pixelfed -appVersion: "7d1d62c8552683225456c2a552ba8ca36afb24b32f706e425310de5bf84aeab1" -# the below verison is currently broken on migrations in postgresql :( -# appVersion: "v0.12.4-nginx" +appVersion: "v0.12.4-nginx" maintainers: - name: "jessebot" diff --git a/charts/pixelfed/README.md b/charts/pixelfed/README.md index bb643df..262c4fd 100644 --- a/charts/pixelfed/README.md +++ b/charts/pixelfed/README.md @@ -1,6 +1,6 @@ # pixelfed -![Version: 0.16.0](https://img.shields.io/badge/Version-0.16.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 7d1d62c8552683225456c2a552ba8ca36afb24b32f706e425310de5bf84aeab1](https://img.shields.io/badge/AppVersion-7d1d62c8552683225456c2a552ba8ca36afb24b32f706e425310de5bf84aeab1-informational?style=flat-square) +![Version: 0.16.0](https://img.shields.io/badge/Version-0.16.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.12.4-nginx](https://img.shields.io/badge/AppVersion-v0.12.4--nginx-informational?style=flat-square) A Helm chart for deploying Pixelfed on Kubernetes 
@@ -58,7 +58,7 @@ A Helm chart for deploying Pixelfed on Kubernetes | image.pullPolicy | string | `"IfNotPresent"` | This sets the pull policy for images. | | image.registry | string | `"ghcr.io"` | | | image.repository | string | `"mattlqx/docker-pixelfed@sha256"` | you can see the source [ghcr.io/mattlqx/docker-pixelfed](https://ghcr.io/mattlqx/docker-pixelfed) | -| image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. you may want to set this to dev-nginx if you experice issue with the default tag | +| image.tag | string | `"7d1d62c8552683225456c2a552ba8ca36afb24b32f706e425310de5bf84aeab1"` | Overrides the image tag whose default is the chart appVersion (v0.12.4-nginx is currently broken due to migration errors with postgresl, so please either pin a sha tag or use dev-nging as the tag) | | imagePullSecrets | list | `[]` | This is for the secretes for pulling an image from a private repository more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ | | ingress.annotations | object | `{}` | | | ingress.className | string | `""` | ingress class name, e.g. nginx | diff --git a/charts/pixelfed/values.yaml b/charts/pixelfed/values.yaml index 1783023..a4b4606 100644 --- a/charts/pixelfed/values.yaml +++ b/charts/pixelfed/values.yaml 
@@ -12,9 +12,10 @@ image: repository: mattlqx/docker-pixelfed@sha256 # -- This sets the pull policy for images. pullPolicy: IfNotPresent - # -- Overrides the image tag whose default is the chart appVersion. - # you may want to set this to dev-nginx if you experice issue with the default tag - tag: "" + # -- Overrides the image tag whose default is the chart appVersion + # (v0.12.4-nginx is currently broken due to migration errors with postgresl, + # so please either pin a sha tag or use dev-nging as the tag) + tag: "7d1d62c8552683225456c2a552ba8ca36afb24b32f706e425310de5bf84aeab1" # -- This is for the secretes for pulling an image from a private repository more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ imagePullSecrets: []
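Review bot: The default `tag` is now a bare 64-character digest with nothing recording which upstream build it corresponds to, and the `# renovate:image=` marker stays on `appVersion` in Chart.yaml, so as far as this patch shows nothing will propose an update when the pinned nightly falls behind on security fixes. I would add a comment above `tag:` naming the build, for example `# digest of the dev-nginx nightly from <BUILD_DATE>`, and move or duplicate the renovate marker onto this value. The helm-docs comment also carries two typos that propagate into the README table: `postgresl` should be `postgresql` and `dev-nging` should be `dev-nginx`. With `appVersion` back at `v0.12.4-nginx`, labels derived from it will presumably no longer describe the image that actually runs.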