From fca4fd1daa09f7261753bc98103f653a9ce463b1 Mon Sep 17 00:00:00 2001 From: Alex Dunn Date: Fri, 19 Feb 2021 00:52:32 -0800 Subject: [PATCH] helm: add support for S3 storage (#15748) --- chart/Chart.yaml | 2 +- chart/readme.md | 1 - chart/templates/configmap-env.yaml | 10 ++++++++++ chart/templates/cronjob-media-remove.yaml | 4 ++++ chart/templates/deployment-sidekiq.yaml | 4 ++++ chart/templates/deployment-web.yaml | 4 ++++ chart/templates/job-assets-precompile.yaml | 4 ++++ chart/templates/job-chewy-upgrade.yaml | 4 ++++ chart/templates/job-create-admin.yaml | 4 ++++ chart/templates/job-db-migrate.yaml | 4 ++++ chart/templates/pvc-assets.yaml | 3 ++- chart/templates/pvc-system.yaml | 3 ++- chart/templates/secrets.yaml | 4 ++++ chart/values.yaml | 8 ++++++++ 14 files changed, 55 insertions(+), 4 deletions(-) diff --git a/chart/Chart.yaml b/chart/Chart.yaml index 8f95a1f63..d72b7df1a 100644 --- a/chart/Chart.yaml +++ b/chart/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.0.0 +version: 1.1.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/chart/readme.md b/chart/readme.md index e699542ff..9f7a88958 100644 --- a/chart/readme.md +++ b/chart/readme.md @@ -24,7 +24,6 @@ The variables that _must_ be configured are: Currently this chart does _not_ support: - Hidden services -- S3/Minio/GCS - Single Sign-On - Swift - configurations using `WEB_DOMAIN` diff --git a/chart/templates/configmap-env.yaml b/chart/templates/configmap-env.yaml index cc7231db4..701368e49 100644 --- a/chart/templates/configmap-env.yaml +++ b/chart/templates/configmap-env.yaml @@ -27,6 +27,16 @@ data: RAILS_ENV: "production" REDIS_HOST: {{ template "mastodon.redis.fullname" . }}-master REDIS_PORT: "6379" + {{- if .Values.mastodon.s3.enabled }} + S3_BUCKET: {{ .Values.mastodon.s3.bucket }} + S3_ENABLED: "true" + S3_ENDPOINT: {{ .Values.mastodon.s3.endpoint }} + S3_HOSTNAME: {{ .Values.mastodon.s3.hostname }} + S3_PROTOCOL: "https" + {{- if .Values.mastodon.s3.region }} + S3_REGION: {{ .Values.mastodon.s3.region }} + {{- end }} + {{- end }} {{- if .Values.mastodon.smtp.auth_method }} SMTP_AUTH_METHOD: {{ .Values.mastodon.smtp.auth_method }} {{- end }} diff --git a/chart/templates/cronjob-media-remove.yaml b/chart/templates/cronjob-media-remove.yaml index 8515e4002..3d6e25cc6 100644 --- a/chart/templates/cronjob-media-remove.yaml +++ b/chart/templates/cronjob-media-remove.yaml @@ -14,6 +14,7 @@ spec: name: {{ include "mastodon.fullname" . }}-media-remove spec: restartPolicy: OnFailure + {{- if (not .Values.mastodon.s3.enabled) }} # ensure we run on the same node as the other rails components; only # required when using PVCs that are ReadWriteOnce {{- if or (eq "ReadWriteOnce" .Values.mastodon.persistence.assets.accessMode) (eq "ReadWriteOnce" .Values.mastodon.persistence.system.accessMode) }} @@ -35,6 +36,7 @@ spec: - name: system persistentVolumeClaim: claimName: {{ template "mastodon.fullname" . }}-system + {{- end }} containers: - name: {{ include "mastodon.fullname" . }}-media-remove image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" @@ -65,9 +67,11 @@ spec: key: redis-password - name: "PORT" value: {{ .Values.mastodon.web.port | quote }} + {{- if (not .Values.mastodon.s3.enabled) }} volumeMounts: - name: assets mountPath: /opt/mastodon/public/assets - name: system mountPath: /opt/mastodon/public/system + {{- end }} {{- end }} diff --git a/chart/templates/deployment-sidekiq.yaml b/chart/templates/deployment-sidekiq.yaml index 8ef157d31..baf6c2b2d 100644 --- a/chart/templates/deployment-sidekiq.yaml +++ b/chart/templates/deployment-sidekiq.yaml @@ -31,6 +31,7 @@ spec: serviceAccountName: {{ include "mastodon.serviceAccountName" . }} securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- if (not .Values.mastodon.s3.enabled) }} # ensure we run on the same node as the other rails components; only # required when using PVCs that are ReadWriteOnce {{- if or (eq "ReadWriteOnce" .Values.mastodon.persistence.assets.accessMode) (eq "ReadWriteOnce" .Values.mastodon.persistence.system.accessMode) }} @@ -52,6 +53,7 @@ spec: - name: system persistentVolumeClaim: claimName: {{ template "mastodon.fullname" . }}-system + {{- end }} containers: - name: {{ .Chart.Name }} securityContext: @@ -84,11 +86,13 @@ spec: secretKeyRef: name: {{ .Release.Name }}-redis key: redis-password + {{- if (not .Values.mastodon.s3.enabled) }} volumeMounts: - name: assets mountPath: /opt/mastodon/public/assets - name: system mountPath: /opt/mastodon/public/system + {{- end }} resources: {{- toYaml .Values.resources | nindent 12 }} {{- with .Values.nodeSelector }} diff --git a/chart/templates/deployment-web.yaml b/chart/templates/deployment-web.yaml index 02aa7c9a5..8b8bb4f29 100644 --- a/chart/templates/deployment-web.yaml +++ b/chart/templates/deployment-web.yaml @@ -31,6 +31,7 @@ spec: serviceAccountName: {{ include "mastodon.serviceAccountName" . }} securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- if (not .Values.mastodon.s3.enabled) }} volumes: - name: assets persistentVolumeClaim: @@ -38,6 +39,7 @@ spec: - name: system persistentVolumeClaim: claimName: {{ template "mastodon.fullname" . }}-system + {{- end }} containers: - name: {{ .Chart.Name }} securityContext: @@ -72,11 +74,13 @@ spec: key: redis-password - name: "PORT" value: {{ .Values.mastodon.web.port | quote }} + {{- if (not .Values.mastodon.s3.enabled) }} volumeMounts: - name: assets mountPath: /opt/mastodon/public/assets - name: system mountPath: /opt/mastodon/public/system + {{- end }} ports: - name: http containerPort: {{ .Values.mastodon.web.port }} diff --git a/chart/templates/job-assets-precompile.yaml b/chart/templates/job-assets-precompile.yaml index 2aae20582..825a7e916 100644 --- a/chart/templates/job-assets-precompile.yaml +++ b/chart/templates/job-assets-precompile.yaml @@ -14,6 +14,7 @@ spec: name: {{ include "mastodon.fullname" . }}-assets-precompile spec: restartPolicy: Never + {{- if (not .Values.mastodon.s3.enabled) }} # ensure we run on the same node as the other rails components; only # required when using PVCs that are ReadWriteOnce {{- if or (eq "ReadWriteOnce" .Values.mastodon.persistence.assets.accessMode) (eq "ReadWriteOnce" .Values.mastodon.persistence.system.accessMode) }} @@ -35,6 +36,7 @@ spec: - name: system persistentVolumeClaim: claimName: {{ template "mastodon.fullname" . }}-system + {{- end }} containers: - name: {{ include "mastodon.fullname" . }}-assets-precompile image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" @@ -66,8 +68,10 @@ spec: key: redis-password - name: "PORT" value: {{ .Values.mastodon.web.port | quote }} + {{- if (not .Values.mastodon.s3.enabled) }} volumeMounts: - name: assets mountPath: /opt/mastodon/public/assets - name: system mountPath: /opt/mastodon/public/system + {{- end }} diff --git a/chart/templates/job-chewy-upgrade.yaml b/chart/templates/job-chewy-upgrade.yaml index 8647a9831..cc68a3385 100644 --- a/chart/templates/job-chewy-upgrade.yaml +++ b/chart/templates/job-chewy-upgrade.yaml @@ -15,6 +15,7 @@ spec: name: {{ include "mastodon.fullname" . }}-chewy-upgrade spec: restartPolicy: Never + {{- if (not .Values.mastodon.s3.enabled) }} # ensure we run on the same node as the other rails components; only # required when using PVCs that are ReadWriteOnce {{- if or (eq "ReadWriteOnce" .Values.mastodon.persistence.assets.accessMode) (eq "ReadWriteOnce" .Values.mastodon.persistence.system.accessMode) }} @@ -36,6 +37,7 @@ spec: - name: system persistentVolumeClaim: claimName: {{ template "mastodon.fullname" . }}-system + {{- end }} containers: - name: {{ include "mastodon.fullname" . }}-chewy-setup image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" @@ -67,9 +69,11 @@ spec: key: redis-password - name: "PORT" value: {{ .Values.mastodon.web.port | quote }} + {{- if (not .Values.mastodon.s3.enabled) }} volumeMounts: - name: assets mountPath: /opt/mastodon/public/assets - name: system mountPath: /opt/mastodon/public/system + {{- end }} {{- end }} diff --git a/chart/templates/job-create-admin.yaml b/chart/templates/job-create-admin.yaml index 1a3d8222b..ffb8bb059 100644 --- a/chart/templates/job-create-admin.yaml +++ b/chart/templates/job-create-admin.yaml @@ -15,6 +15,7 @@ spec: name: {{ include "mastodon.fullname" . }}-create-admin spec: restartPolicy: Never + {{- if (not .Values.mastodon.s3.enabled) }} # ensure we run on the same node as the other rails components; only # required when using PVCs that are ReadWriteOnce {{- if or (eq "ReadWriteOnce" .Values.mastodon.persistence.assets.accessMode) (eq "ReadWriteOnce" .Values.mastodon.persistence.system.accessMode) }} @@ -36,6 +37,7 @@ spec: - name: system persistentVolumeClaim: claimName: {{ template "mastodon.fullname" . }}-system + {{- end }} containers: - name: {{ include "mastodon.fullname" . }}-create-admin image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" @@ -72,9 +74,11 @@ spec: key: redis-password - name: "PORT" value: {{ .Values.mastodon.web.port | quote }} + {{- if (not .Values.mastodon.s3.enabled) }} volumeMounts: - name: assets mountPath: /opt/mastodon/public/assets - name: system mountPath: /opt/mastodon/public/system + {{- end }} {{- end }} diff --git a/chart/templates/job-db-migrate.yaml b/chart/templates/job-db-migrate.yaml index e107da4d0..72f910e3b 100644 --- a/chart/templates/job-db-migrate.yaml +++ b/chart/templates/job-db-migrate.yaml @@ -14,6 +14,7 @@ spec: name: {{ include "mastodon.fullname" . }}-db-migrate spec: restartPolicy: Never + {{- if (not .Values.mastodon.s3.enabled) }} # ensure we run on the same node as the other rails components; only # required when using PVCs that are ReadWriteOnce {{- if or (eq "ReadWriteOnce" .Values.mastodon.persistence.assets.accessMode) (eq "ReadWriteOnce" .Values.mastodon.persistence.system.accessMode) }} @@ -35,6 +36,7 @@ spec: - name: system persistentVolumeClaim: claimName: {{ template "mastodon.fullname" . }}-system + {{- end }} containers: - name: {{ include "mastodon.fullname" . }}-db-migrate image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" @@ -66,8 +68,10 @@ spec: key: redis-password - name: "PORT" value: {{ .Values.mastodon.web.port | quote }} + {{- if (not .Values.mastodon.s3.enabled) }} volumeMounts: - name: assets mountPath: /opt/mastodon/public/assets - name: system mountPath: /opt/mastodon/public/system + {{- end }} diff --git a/chart/templates/pvc-assets.yaml b/chart/templates/pvc-assets.yaml index 12ac72eb3..58b2179df 100644 --- a/chart/templates/pvc-assets.yaml +++ b/chart/templates/pvc-assets.yaml @@ -1,4 +1,4 @@ ---- +{{- if (not .Values.mastodon.s3.enabled) }} apiVersion: v1 kind: PersistentVolumeClaim metadata: @@ -11,3 +11,4 @@ spec: resources: {{- toYaml .Values.mastodon.persistence.assets.resources | nindent 4}} storageClassName: {{ .Values.mastodon.persistence.assets.storageClassName }} +{{- end }} diff --git a/chart/templates/pvc-system.yaml b/chart/templates/pvc-system.yaml index 62dc1e708..52398f0da 100644 --- a/chart/templates/pvc-system.yaml +++ b/chart/templates/pvc-system.yaml @@ -1,4 +1,4 @@ ---- +{{- if (not .Values.mastodon.s3.enabled) }} apiVersion: v1 kind: PersistentVolumeClaim metadata: @@ -11,3 +11,4 @@ spec: resources: {{- toYaml .Values.mastodon.persistence.system.resources | nindent 4}} storageClassName: {{ .Values.mastodon.persistence.system.storageClassName }} +{{- end }} diff --git a/chart/templates/secrets.yaml b/chart/templates/secrets.yaml index 63d01d3eb..0452a8ae1 100644 --- a/chart/templates/secrets.yaml +++ b/chart/templates/secrets.yaml @@ -6,6 +6,10 @@ metadata: {{- include "mastodon.labels" . | nindent 4 }} type: Opaque data: + {{- if .Values.mastodon.s3.enabled }} + AWS_ACCESS_KEY_ID: "{{ .Values.mastodon.s3.access_key | b64enc }}" + AWS_SECRET_ACCESS_KEY: "{{ .Values.mastodon.s3.access_secret | b64enc }}" + {{- end }} {{- if not (empty .Values.mastodon.secrets.secret_key_base) }} SECRET_KEY_BASE: "{{ .Values.mastodon.secrets.secret_key_base | b64enc }}" {{- else }} diff --git a/chart/values.yaml b/chart/values.yaml index d752e46ec..a638f4a7d 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -41,6 +41,14 @@ mastodon: resources: requests: storage: 100Gi + s3: + enabled: false + access_key: "" + access_secret: "" + bucket: "" + endpoint: https://us-east-1.linodeobjects.com + hostname: us-east-1.linodeobjects.com + region: "" # these must be set manually; autogenerated keys are rotated on each upgrade secrets: secret_key_base: ""