Merge pull request #39 from small-hack/chore/update-image-tag-renovate-and-security-context

chores around renovate, security context, appVersion, and fix ci testing

.github/workflows/ci-helm-lint-test.yml

@@ -81,4 +81,6 @@ jobs:
         id: install
         if: steps.list-changed.outputs.changed == 'true'
         run: |
-            ct install --target-branch ${{ github.event.repository.default_branch }}
+            ct install \
+                --target-branch ${{ github.event.repository.default_branch }} \
+                --helm-extra-set-args "--values ./charts/pixelfed/test-values/postgresql-plain.yaml"

README.md

@@ -5,7 +5,7 @@ A helm chart to setup [Pixelfed](https://github.com/pixelfed/pixelfed), a federa
 
 This chart is still in a testing phase and may not be fully stable yet.
 
-Uses @mattlqx's [docker image](https://ghcr.io/mattlqx/docker-pixelfed) which is for now pinned to the latest _released_ version of Pixelfed. You may want to set `image.tag="dev-nginx"` (built from the top of the pixelfed repo's dev branch nightly, so it always has the latest version of pixelfed - but maybe buggy) as it may solve issues you are having that are already fixed such as this [bug that was already patched](https://github.com/pixelfed/pixelfed/issues/5220#issuecomment-2599854479).
+Uses @mattlqx's [docker image](https://ghcr.io/mattlqx/docker-pixelfed) which is for now pinned to a specific nightly build of the upstream `dev` branch of the official pixelfed repo. You may want to set `image.tag="dev-nginx"` (built from the top of the pixelfed repo's dev branch nightly, so it always has the latest version of pixelfed - but maybe buggy) as it may solve issues you are having that are already fixed such as this [bug that was already patched](https://github.com/pixelfed/pixelfed/issues/5220#issuecomment-2599854479).
 
 ## Features
 
@@ -25,6 +25,7 @@ Uses @mattlqx's [docker image](https://ghcr.io/mattlqx/docker-pixelfed) which is
 helm repo add pixelfed https://small-hack.github.io/pixelfed-chart
 
 # download the values.yaml and edit it with your own values such as YOUR hostname
+# especially important is pixelfed.app.domain
 helm show values pixelfed/pixelfed > values.yaml
 
 # install the chart

charts/pixelfed/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.15.0
+version: 0.16.0
 
 # This is the version number of the application being deployed.
 # renovate:image=ghcr.io/mattlqx/docker-pixelfed

charts/pixelfed/README.md

@@ -1,6 +1,6 @@
 # pixelfed
 
-![Version: 0.15.0](https://img.shields.io/badge/Version-0.15.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.12.4-nginx](https://img.shields.io/badge/AppVersion-v0.12.4--nginx-informational?style=flat-square)
+![Version: 0.16.0](https://img.shields.io/badge/Version-0.16.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.12.4-nginx](https://img.shields.io/badge/AppVersion-v0.12.4--nginx-informational?style=flat-square)
 
 A Helm chart for deploying Pixelfed on Kubernetes
 
@@ -57,8 +57,8 @@ A Helm chart for deploying Pixelfed on Kubernetes
 | fullnameOverride | string | `""` | This is to override the chart name, but used in more places |
 | image.pullPolicy | string | `"IfNotPresent"` | This sets the pull policy for images. |
 | image.registry | string | `"ghcr.io"` |  |
-| image.repository | string | `"mattlqx/docker-pixelfed"` | you can see the source [ghcr.io/mattlqx/docker-pixelfed](https://ghcr.io/mattlqx/docker-pixelfed) |
+| image.repository | string | `"mattlqx/docker-pixelfed@sha256"` | you can see the source [ghcr.io/mattlqx/docker-pixelfed](https://ghcr.io/mattlqx/docker-pixelfed) |
-| image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. you may want to set this to dev-nginx if you experice issue with the default tag |
+| image.tag | string | `"7d1d62c8552683225456c2a552ba8ca36afb24b32f706e425310de5bf84aeab1"` | Overrides the image tag whose default is the chart appVersion (v0.12.4-nginx is currently broken due to migration errors with postgresl, so please either pin a sha tag or use dev-nging as the tag) |
 | imagePullSecrets | list | `[]` | This is for the secretes for pulling an image from a private repository more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ |
 | ingress.annotations | object | `{}` |  |
 | ingress.className | string | `""` | ingress class name, e.g. nginx |
@@ -183,7 +183,9 @@ A Helm chart for deploying Pixelfed on Kubernetes
 | pixelfed.webfinger | string | `"true"` | https://docs.pixelfed.org/technical-documentation/config/#webfinger |
 | podAnnotations | object | `{}` | This is for setting Kubernetes Annotations to a Pod. For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ |
 | podLabels | object | `{}` | This is for setting Kubernetes Labels to a Pod. For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ |
-| podSecurityContext | object | `{}` | securityContext for the whole pod |
+| podSecurityContext.fsGroup | int | `33` | group to mount the filesystem as |
+| podSecurityContext.runAsGroup | int | `33` | group to run the pixelfed pod as |
+| podSecurityContext.runAsUser | int | `33` | user to run the pixelfed pod as |
 | postgresql.enabled | bool | `true` | enable the bundled [postgresql sub chart from Bitnami](https://github.com/bitnami/charts/blob/main/bitnami/postgresql/README.md#parameters). Must set to true if externalDatabase.enabled=false |
 | postgresql.fullnameOverride | string | `"postgresql"` |  |
 | postgresql.global.storageClass | string | `""` |  |
@@ -192,9 +194,9 @@ A Helm chart for deploying Pixelfed on Kubernetes
 | replicaCount | int | `1` | This will set the replicaset count more information can be found here: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/ |
 | resources | object | `{}` | set resource limits and requests for cpu, memory, and ephemeral storage |
 | revisionHistoryLimit | int | `10` | how many revisions of the deployment to keep for rollbacks |
-| securityContext | object | `{}` | securityContext for the pixelfed container |
+| securityContext.runAsUser | int | `33` | user to run the pixelfed container as |
 | service.port | int | `80` | This sets the ports more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#field-spec-ports |
-| service.targetPort | int | `80` | Port to attach to on the pods. Also sets what port nginx listens on inside the container. |
+| service.targetPort | int | `8080` | Port to attach to on the pods. Also sets what port nginx listens on inside the container. |
 | service.type | string | `"ClusterIP"` | This sets the service type more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types |
 | serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
 | serviceAccount.automount | bool | `true` | Automatically mount a ServiceAccount's API credentials? |

charts/pixelfed/templates/NOTES.txt

@@ -1,22 +0,0 @@
-1. Get the application URL by running these commands:
-{{- if .Values.ingress.enabled }}
-{{- range $host := .Values.ingress.hosts }}
-  {{- range .paths }}
-  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
-  {{- end }}
-{{- end }}
-{{- else if contains "NodePort" .Values.service.type }}
-  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "pixelfed.fullname" . }})
-  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
-  echo http://$NODE_IP:$NODE_PORT
-{{- else if contains "LoadBalancer" .Values.service.type }}
-     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
-           You can watch its status by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "pixelfed.fullname" . }}'
-  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "pixelfed.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
-  echo http://$SERVICE_IP:{{ .Values.service.port }}
-{{- else if contains "ClusterIP" .Values.service.type }}
-  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "pixelfed.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
-  export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
-  echo "Visit http://127.0.0.1:8080 to use your application"
-  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
-{{- end }}

charts/pixelfed/templates/configmap_env.yaml

@@ -10,9 +10,7 @@ data:
   APP_PORT: {{ .Values.service.targetPort | quote}}
   APP_URL: {{ .Values.pixelfed.app.url }}
   APP_LOCALE: {{ .Values.pixelfed.app.locale }}
-  {{- with .Values.pixelfed.app.domain }}
+  APP_DOMAIN: {{ .Values.pixelfed.app.domain | required ".Values.pixelfed.app.domain is required" }}
-  APP_DOMAIN: {{ . }}
-  {{- end }}
 
   {{- with .Values.pixelfed.exp_loops }}
   EXP_LOOPS: {{ . }}

charts/pixelfed/templates/tests/test-connection.yaml

@@ -11,5 +11,5 @@ spec:
     - name: wget
       image: busybox
       command: ['wget']
-      args: ['{{ include "pixelfed.fullname" . }}:{{ .Values.service.port }}']
+      args: ['{{ include "pixelfed.fullname" . }}:{{ .Values.service.port }}/api/service/health-check']
   restartPolicy: Never

charts/pixelfed/test-values/postgresql-plain.yaml

@@ -0,0 +1,51 @@
+# This file is strictly for testing a base functionality of this chart
+# it uses postgresql and valkey and provides credentials for them as well as mail
+
+pixelfed:
+  app:
+    domain: "example.com"
+  mail:
+    username: test
+    password: testing1234567
+
+valkey:
+  auth:
+    enabled: true
+    password: testing1234567
+  primary:
+    replicaCount: 2
+    disableCommands:
+      - FLUSHALL
+    persistence:
+      enabled: false
+  replica:
+    replicaCount: 0
+    persistence:
+      enabled: false
+
+postgresql:
+  auth:
+    password: testing1234567
+    postgresPassword: testing1234567
+    username: pixelfed
+    database: pixelfed
+
+livenessProbe:
+  initialDelaySeconds: 10
+  periodSeconds: 10
+  timeoutSeconds: 5
+  failureThreshold: 3
+  successThreshold: 1
+  httpGet:
+    path: /api/service/health-check
+    port: http
+
+readinessProbe:
+  initialDelaySeconds: 10
+  periodSeconds: 10
+  timeoutSeconds: 5
+  failureThreshold: 3
+  successThreshold: 1
+  httpGet:
+    path: /api/service/health-check
+    port: http

charts/pixelfed/values.yaml

@@ -9,12 +9,13 @@ replicaCount: 1
 image:
   registry: ghcr.io
   # -- you can see the source [ghcr.io/mattlqx/docker-pixelfed](https://ghcr.io/mattlqx/docker-pixelfed)
-  repository: mattlqx/docker-pixelfed
+  repository: mattlqx/docker-pixelfed@sha256
   # -- This sets the pull policy for images.
   pullPolicy: IfNotPresent
-  # -- Overrides the image tag whose default is the chart appVersion.
+  # -- Overrides the image tag whose default is the chart appVersion
-  # you may want to set this to dev-nginx if you experice issue with the default tag
+  # (v0.12.4-nginx is currently broken due to migration errors with postgresl,
-  tag: ""
+  # so please either pin a sha tag or use dev-nging as the tag)
+  tag: "7d1d62c8552683225456c2a552ba8ca36afb24b32f706e425310de5bf84aeab1"
 
 # -- This is for the secretes for pulling an image from a private repository more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
 imagePullSecrets: []
@@ -54,15 +55,19 @@ podAnnotations: {}
 # For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
 podLabels: {}
 
-# -- securityContext for the whole pod
+# securityContext for the whole pixelfed pod
-podSecurityContext: {}
+podSecurityContext:
-  # runAsUser: 33
+  # -- user to run the pixelfed pod as
-  # runAsGroup: 33
+  runAsUser: 33
-  # fsGroup: 33
+  # -- group to run the pixelfed pod as
+  runAsGroup: 33
+  # -- group to mount the filesystem as
+  fsGroup: 33
 
-# -- securityContext for the pixelfed container
+# securityContext for the pixelfed container
-securityContext: {}
+securityContext:
-  # runAsUser: 33
+  # -- user to run the pixelfed container as
+  runAsUser: 33
   # runAsNonRoot: true
   # readOnlyRootFilesystem: true
   # capabilities:
@@ -76,7 +81,7 @@ service:
   # -- This sets the ports more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#field-spec-ports
   port: 80
   # -- Port to attach to on the pods. Also sets what port nginx listens on inside the container.
-  targetPort: 80
+  targetPort: 8080
 
 # This block is for setting up the ingress for more information can be found here:
 # https://kubernetes.io/docs/concepts/services-networking/ingress/

renovate.json

@@ -27,7 +27,8 @@
       {
         "matchManagers": ["github-actions"],
         "matchUpdateTypes": ["patch", "minor"],
-        "automerge": true
+        "automerge": true,
+        "ignoreTests": true
       }
     ]
 }