RISCI_ATOM
/
mastodon
mirror of https://github.com/tootsuite/mastodon.git


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291
							replicaCount: 1

image:
  repository: tootsuite/mastodon
  # https://hub.docker.com/r/tootsuite/mastodon/tags
  #
  # alternatively, use `latest` for the latest release or `edge` for the image
  # built from the most recent commit
  #
  # tag: latest
  tag: v3.5.2
  # use `Always` when using `latest` tag
  pullPolicy: IfNotPresent

mastodon:
  # create an initial administrator user; the password is autogenerated and will
  # have to be reset
  createAdmin:
    enabled: false
    username: not_gargron
    email: not@example.com
  cron:
    # run `tootctl media remove` every week
    removeMedia:
      enabled: true
      schedule: "0 0 * * 0"
  # available locales: https://github.com/tootsuite/mastodon/blob/master/config/application.rb#L43
  locale: en
  local_domain: mastodon.local
  # Use of WEB_DOMAIN requires careful consideration: https://docs.joinmastodon.org/admin/config/#federation
  # You must redirect the path LOCAL_DOMAIN/.well-known/ to WEB_DOMAIN/.well-known/ as described
  # web_domain: mastodon.example.com
  persistence:
    assets:
      # ReadWriteOnce is more widely supported than ReadWriteMany, but limits
      # scalability, since it requires the Rails and Sidekiq pods to run on the
      # same node.
      accessMode: ReadWriteOnce
      resources:
        requests:
          storage: 10Gi
    system:
      accessMode: ReadWriteOnce
      resources:
        requests:
          storage: 100Gi
  s3:
    enabled: false
    access_key: ""
    access_secret: ""
    bucket: ""
    endpoint: https://us-east-1.linodeobjects.com
    hostname: us-east-1.linodeobjects.com
    region: ""
    # If you have a caching proxy, enter its base URL here.
    alias_host: ""
  # these must be set manually; autogenerated keys are rotated on each upgrade
  secrets:
    secret_key_base: ""
    otp_secret: ""
    vapid:
      private_key: ""
      public_key: ""
  sidekiq:
    concurrency: 25
  smtp:
    auth_method: plain
    ca_file: /etc/ssl/certs/ca-certificates.crt
    delivery_method: smtp
    domain:
    enable_starttls_auto: true
    from_address: notifications@example.com
    login:
    openssl_verify_mode: peer
    password:
    port: 587
    reply_to:
    server: smtp.mailgun.org
    tls: false
  streaming:
    port: 4000
    # this should be set manually since os.cpus() returns the number of CPUs on
    # the node running the pod, which is unrelated to the resources allocated to
    # the pod by k8s
    workers: 1
    # The base url for streaming can be set if the streaming API is deployed to
    # a different domain/subdomain.
    # base_url: wws://streaming.example.com
  web:
    port: 3000

ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
    # cert-manager.io/cluster-issuer: "letsencrypt"
    #
    # ensure that NGINX's upload size matches Mastodon's
    #   for the K8s ingress controller:
    # nginx.ingress.kubernetes.io/proxy-body-size: 40m
    #   for the NGINX ingress controller:
    # nginx.org/client-max-body-size: 40m
  hosts:
    - host: mastodon.local
      paths:
        - path: '/'
  tls:
    - secretName: mastodon-tls
      hosts:
        - mastodon.local

# https://github.com/bitnami/charts/tree/master/bitnami/elasticsearch#parameters
elasticsearch:
  # `false` will disable full-text search
  #
  # if you enable ES after the initial install, you will need to manually run
  # RAILS_ENV=production bundle exec rake chewy:sync
  # (https://docs.joinmastodon.org/admin/optional/elasticsearch/)
  enabled: true
  image:
    tag: 7

# https://github.com/bitnami/charts/tree/master/bitnami/postgresql#parameters
postgresql:
  # disable if you want to use an existing db; in which case the values below
  # must match those of that external postgres instance
  enabled: true
  # postgresqlHostname: preexisting-postgresql
  postgresqlDatabase: mastodon_production
  # you must set a password; the password generated by the postgresql chart will
  # be rotated on each upgrade:
  # https://github.com/bitnami/charts/tree/master/bitnami/postgresql#upgrade
  postgresqlPassword: ""
  postgresqlUsername: postgres

# https://github.com/bitnami/charts/tree/master/bitnami/redis#parameters
redis:
  # you must set a password; the password generated by the redis chart will be
  # rotated on each upgrade:
  password: ""

service:
  type: ClusterIP
  port: 80

externalAuth:
  oidc:
    # OpenID Connect support is proposed in PR #16221 and awaiting merge.
    enabled: false
    # display_name: "example-label"
    # issuer: https://login.example.space/auth/realms/example-space
    # discovery: true
    # scope: "openid,profile"
    # uid_field: uid
    # client_id: mastodon
    # client_secret: SECRETKEY
    # redirect_uri: https://example.com/auth/auth/openid_connect/callback
    # assume_email_is_verified: true
    # client_auth_method: 
    # response_type: 
    # response_mode: 
    # display: 
    # prompt: 
    # send_nonce: 
    # send_scope_to_token_endpoint: 
    # idp_logout_redirect_uri: 
    # http_scheme: 
    # host: 
    # port: 
    # jwks_uri: 
    # auth_endpoint: 
    # token_endpoint: 
    # user_info_endpoint: 
    # end_session_endpoint: 
  saml:
    enabled: false
    # acs_url: http://mastodon.example.com/auth/auth/saml/callback
    # issuer: mastodon
    # idp_sso_target_url: https://login.example.com/auth/realms/example/protocol/saml
    # idp_cert: '-----BEGIN CERTIFICATE-----[your_cert_content]-----END CERTIFICATE-----'
    # idp_cert_fingerprint: 
    # name_identifier_format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
    # cert: 
    # private_key: 
    # want_assertion_signed: true
    # want_assertion_encrypted: true
    # assume_email_is_verified: true
    # uid_attribute: "urn:oid:0.9.2342.19200300.100.1.1"
    # attributes_statements: 
    #   uid: "urn:oid:0.9.2342.19200300.100.1.1"
    #   email: "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
    #   full_name: "urn:oid:2.16.840.1.113730.3.1.241"
    #   first_name: "urn:oid:2.5.4.42"
    #   last_name: "urn:oid:2.5.4.4"
    #   verified: 
    #   verified_email: 
  oauth_global: 
    # Force redirect local login to CAS. Does not function with SAML or LDAP.
    oauth_redirect_at_sign_in: false
  cas:
    enabled: false
    # url: https://sso.myserver.com
    # host: sso.myserver.com
    # port: 443
    # ssl: true
    # validate_url: 
    # callback_url: 
    # logout_url: 
    # login_url: 
    # uid_field: 'user'
    # ca_path: 
    # disable_ssl_verification: false
    # assume_email_is_verified: true
    # keys: 
    #   uid: 'user'
    #   name: 'name'
    #   email: 'email'
    #   nickname: 'nickname'
    #   first_name: 'firstname'
    #   last_name: 'lastname'
    #   location: 'location'
    #   image: 'image'
    #   phone: 'phone'
  pam: 
    enabled: false
    # email_domain: example.com
    # default_service: rpam
    # controlled_service: rpam
  ldap:
    enabled: false
    # host: myservice.namespace.svc
    # port: 389
    # method: simple_tls
    # base: 
    # bind_on: 
    # password: 
    # uid: cn
    # mail: mail
    # search_filter: "(|(%{uid}=%{email})(%{mail}=%{email}))"
    # uid_conversion:
    #   enabled: true
    #   search: "., -"
    #   replace: _

# https://github.com/tootsuite/mastodon/blob/master/Dockerfile#L88
#
# if you manually change the UID/GID environment variables, ensure these values
# match:
podSecurityContext:
  runAsUser: 991
  runAsGroup: 991
  fsGroup: 991

securityContext: {}

serviceAccount:
  # Specifies whether a service account should be created
  create: true
  # Annotations to add to the service account
  annotations: {}
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""

podAnnotations: {}

resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi

autoscaling:
  enabled: false
  minReplicas: 1
  maxReplicas: 100
  targetCPUUtilizationPercentage: 80
  # targetMemoryUtilizationPercentage: 80

nodeSelector: {}

tolerations: []

affinity: {}