mastodon/chart/templates/deployment-web.yaml
Sheogorath cddcafec31
Helm: Major refactoring regarding Deployments, Environment variables and more (#20733)
* fix(chart): Remove non-functional Horizontal Pod Autoscaler

The Horizontal Pod Autoscaler (HPA) refers to a Deployment that
doesn't exist and therefore can not work. As a result it's
pointless to carry it around in this chart and give the wrong
impression it could work. This patch removes it from the helm
chart and drops all references to it.

* refactor(chart): Refactor sidekiq deployments to scale

This patch reworks how the sidekiq deployment is set up, by
splitting it into many sidekiq deployments, but at least one,
which should allow to scale the number of sidekiq jobs as
expected while being friendly to single user instances as well
as larger ones.

Further it introduces per deployment overwrites for the most
relevant pod fields like resources, affinities and processed
queues, number of jobs and the sidekiq security contexts.

The exact implementation was inspired by an upstream issue:

https://github.com/mastodon/mastodon/issues/20453

* fix(chart): Remove linode default values from values

This patch drops the linode defaults from the values.yaml since
these are not obvious and can cause unexpected connections as
well as leaking secrets to linode, when other s3 storage
backends are used and don't explicitly configure these options
by accident.

Mastodon will then try to authenticate to the linode backends
and therefore disclose the authentication secrets.

* refactor(chart): Rework reduce value reference duplication

Since most of the values are simply setup like this:

```
{{- if .Values.someVariable }}
SOME_VARIABLE: {{ .Values.someVariable }}
{{- end }}
```

There is a lot of duplication in the references in order to
full in the variables. There is an equivalent notation, which
reduces the usage of the variable name to just once:

```
{{- with .Values.someVariable }}
SOME_VARIABLE: {{ . }}
{{- end }}
```

What seems like a pointless replacement, will reduce potential
mistakes down the line by possibly only adjusting one of the
two references.

* fix(chart): Switch to new OMNIAUTH_ONLY variable

This patch adjusts the helm chart to use the new `OMNIAUTH_ONLY`
variable, which replaced the former
`OAUTH_REDIRECT_AT_SIGN_IN` variable in the following commit:

https://github.com/mastodon/mastodon/pull/17288
3c8857917e

* fix(chart): Repair connection test to existing service

Currently the connect test can't work, since it's connecting to
a non-existing service this patch fixes the service name to
make the job connect to the mastodon web service to verify the
connection.

* docs(chart): Adjust values.yaml to support helm-docs

This patch updates most values to prepare an introduction of
helm-docs. This should help to make the chart more user
friendly by explaining the variables and provide a standardised
README file, like many other helm charts do.

References:
https://github.com/norwoodj/helm-docs

* refactor(chart): Allow individual overwrites for streaming and web deployment

This patch works how the streaming and web deployments work by
adding various fields to overwrite values such as affinities,
resources, replica count, and security contexts.

BREAKING CHANGE: This commit removes `.Values.replicaCount` in
favour of `.Values.mastodon.web.replicas` and
`.Values.mastodon.streaming.values`.

* feat(chart): Add option for authorized fetch

Currently the helm chart doesn't support authorized fetch aka.
"Secure Mode" this patch fixes that by adding the needed config
option to the values file and the configmap.

* docs(chart): Improve helm-docs compatiblity

This patch adjust a few more comments in the values.yaml to be
picked up by helm-docs. This way, future adoption is properly
prepared.

* fix(chart): Add automatic detection of scheduler sidekiq queue

This patch adds an automatic switch to the `Recreate` strategy
for the sidekiq Pod in order to prevent accidental concurrency
for the scheduler queue.

* fix(chart): Repair broken DB_POOL variable
2022-11-24 21:30:29 +01:00

128 lines
4.4 KiB
YAML

apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "mastodon.fullname" . }}-web
labels:
{{- include "mastodon.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.mastodon.web.replicas }}
selector:
matchLabels:
{{- include "mastodon.selectorLabels" . | nindent 6 }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: rails
template:
metadata:
annotations:
{{- with (default .Values.podAnnotations .Values.mastodon.web.podAnnotations) }}
{{- toYaml . | nindent 8 }}
{{- end }}
# roll the pods to pick up any db migrations or other changes
{{- include "mastodon.rollingPodAnnotations" . | nindent 8 }}
labels:
{{- include "mastodon.selectorLabels" . | nindent 8 }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: rails
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "mastodon.serviceAccountName" . }}
{{- with (default .Values.podSecurityContext .Values.mastodon.web.podSecurityContext) }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if (not .Values.mastodon.s3.enabled) }}
volumes:
- name: assets
persistentVolumeClaim:
claimName: {{ template "mastodon.fullname" . }}-assets
- name: system
persistentVolumeClaim:
claimName: {{ template "mastodon.fullname" . }}-system
{{- end }}
containers:
- name: {{ .Chart.Name }}-web
{{- with (default .Values.securityContext .Values.mastodon.web.securityContext) }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- bundle
- exec
- puma
- -C
- config/puma.rb
envFrom:
- configMapRef:
name: {{ include "mastodon.fullname" . }}-env
- secretRef:
name: {{ template "mastodon.secretName" . }}
env:
- name: "DB_PASS"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.postgresql.secretName" . }}
key: password
- name: "REDIS_PASSWORD"
valueFrom:
secretKeyRef:
name: {{ template "mastodon.redis.secretName" . }}
key: redis-password
- name: "PORT"
value: {{ .Values.mastodon.web.port | quote }}
{{- if (and .Values.mastodon.s3.enabled .Values.mastodon.s3.existingSecret) }}
- name: "AWS_SECRET_ACCESS_KEY"
valueFrom:
secretKeyRef:
name: {{ .Values.mastodon.s3.existingSecret }}
key: AWS_SECRET_ACCESS_KEY
- name: "AWS_ACCESS_KEY_ID"
valueFrom:
secretKeyRef:
name: {{ .Values.mastodon.s3.existingSecret }}
key: AWS_ACCESS_KEY_ID
{{- end }}
{{- if (not .Values.mastodon.s3.enabled) }}
volumeMounts:
- name: assets
mountPath: /opt/mastodon/public/assets
- name: system
mountPath: /opt/mastodon/public/system
{{- end }}
ports:
- name: http
containerPort: {{ .Values.mastodon.web.port }}
protocol: TCP
livenessProbe:
tcpSocket:
port: http
readinessProbe:
httpGet:
path: /health
port: http
startupProbe:
httpGet:
path: /health
port: http
failureThreshold: 30
periodSeconds: 5
{{- with (default .Values.resources .Values.mastodon.web.resources) }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with (default .Values.affinity .Values.mastodon.web.affinity) }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}