mirror of
https://github.com/mastodon/mastodon.git
synced 2024-12-15 07:34:58 +01:00
a131f06e12
* Add SAML support * move extAuth below essential components * Add CAS, PAM, LDAP support * Add WEB_DOMAIN and S3_ALIAS_HOST support * SAML defaults aligned * Bump chart version * SSO & WEB_DOMAIN support added * Add OIDC support * Correct typo * Notice for OIDC support Co-authored-by: Eugen Rochko <eugen@zeonfederated.com>
289 lines
8.1 KiB
YAML
289 lines
8.1 KiB
YAML
replicaCount: 1
|
|
|
|
image:
|
|
repository: tootsuite/mastodon
|
|
# https://hub.docker.com/r/tootsuite/mastodon/tags
|
|
#
|
|
# alternatively, use `latest` for the latest release or `edge` for the image
|
|
# built from the most recent commit
|
|
#
|
|
# tag: latest
|
|
tag: v3.4.6
|
|
# use `Always` when using `latest` tag
|
|
pullPolicy: IfNotPresent
|
|
|
|
mastodon:
|
|
# create an initial administrator user; the password is autogenerated and will
|
|
# have to be reset
|
|
createAdmin:
|
|
enabled: false
|
|
username: not_gargron
|
|
email: not@example.com
|
|
cron:
|
|
# run `tootctl media remove` every week
|
|
removeMedia:
|
|
enabled: true
|
|
schedule: "0 0 * * 0"
|
|
# available locales: https://github.com/tootsuite/mastodon/blob/master/config/application.rb#L43
|
|
locale: en
|
|
local_domain: mastodon.local
|
|
# Use of WEB_DOMAIN requires careful consideration: https://docs.joinmastodon.org/admin/config/#federation
|
|
# You must redirect the path LOCAL_DOMAIN/.well-known/ to WEB_DOMAIN/.well-known/ as described
|
|
# web_domain: mastodon.example.com
|
|
persistence:
|
|
assets:
|
|
# ReadWriteOnce is more widely supported than ReadWriteMany, but limits
|
|
# scalability, since it requires the Rails and Sidekiq pods to run on the
|
|
# same node.
|
|
accessMode: ReadWriteOnce
|
|
resources:
|
|
requests:
|
|
storage: 10Gi
|
|
system:
|
|
accessMode: ReadWriteOnce
|
|
resources:
|
|
requests:
|
|
storage: 100Gi
|
|
s3:
|
|
enabled: false
|
|
access_key: ""
|
|
access_secret: ""
|
|
bucket: ""
|
|
endpoint: https://us-east-1.linodeobjects.com
|
|
hostname: us-east-1.linodeobjects.com
|
|
region: ""
|
|
# If you have a caching proxy, enter its base URL here.
|
|
alias_host: ""
|
|
# these must be set manually; autogenerated keys are rotated on each upgrade
|
|
secrets:
|
|
secret_key_base: ""
|
|
otp_secret: ""
|
|
vapid:
|
|
private_key: ""
|
|
public_key: ""
|
|
sidekiq:
|
|
concurrency: 25
|
|
smtp:
|
|
auth_method: plain
|
|
ca_file: /etc/ssl/certs/ca-certificates.crt
|
|
delivery_method: smtp
|
|
domain:
|
|
enable_starttls_auto: true
|
|
from_address: notifications@example.com
|
|
login:
|
|
openssl_verify_mode: peer
|
|
password:
|
|
port: 587
|
|
reply_to:
|
|
server: smtp.mailgun.org
|
|
tls: false
|
|
streaming:
|
|
port: 4000
|
|
# this should be set manually since os.cpus() returns the number of CPUs on
|
|
# the node running the pod, which is unrelated to the resources allocated to
|
|
# the pod by k8s
|
|
workers: 1
|
|
web:
|
|
port: 3000
|
|
|
|
ingress:
|
|
enabled: true
|
|
annotations:
|
|
kubernetes.io/ingress.class: nginx
|
|
kubernetes.io/tls-acme: "true"
|
|
# cert-manager.io/cluster-issuer: "letsencrypt"
|
|
#
|
|
# ensure that NGINX's upload size matches Mastodon's
|
|
# for the K8s ingress controller:
|
|
# nginx.ingress.kubernetes.io/proxy-body-size: 40m
|
|
# for the NGINX ingress controller:
|
|
# nginx.org/client-max-body-size: 40m
|
|
hosts:
|
|
- host: mastodon.local
|
|
paths:
|
|
- path: '/'
|
|
tls:
|
|
- secretName: mastodon-tls
|
|
hosts:
|
|
- mastodon.local
|
|
|
|
# https://github.com/bitnami/charts/tree/master/bitnami/elasticsearch#parameters
|
|
elasticsearch:
|
|
# `false` will disable full-text search
|
|
#
|
|
# if you enable ES after the initial install, you will need to manually run
|
|
# RAILS_ENV=production bundle exec rake chewy:sync
|
|
# (https://docs.joinmastodon.org/admin/optional/elasticsearch/)
|
|
enabled: true
|
|
image:
|
|
tag: 7
|
|
|
|
# https://github.com/bitnami/charts/tree/master/bitnami/postgresql#parameters
|
|
postgresql:
|
|
# disable if you want to use an existing db; in which case the values below
|
|
# must match those of that external postgres instance
|
|
enabled: true
|
|
# postgresqlHostname: preexisting-postgresql
|
|
postgresqlDatabase: mastodon_production
|
|
# you must set a password; the password generated by the postgresql chart will
|
|
# be rotated on each upgrade:
|
|
# https://github.com/bitnami/charts/tree/master/bitnami/postgresql#upgrade
|
|
postgresqlPassword: ""
|
|
postgresqlUsername: postgres
|
|
|
|
# https://github.com/bitnami/charts/tree/master/bitnami/redis#parameters
|
|
redis:
|
|
# you must set a password; the password generated by the redis chart will be
|
|
# rotated on each upgrade:
|
|
password: ""
|
|
|
|
service:
|
|
type: ClusterIP
|
|
port: 80
|
|
|
|
externalAuth:
|
|
oidc:
|
|
# OpenID Connect support is proposed in PR #16221 and awaiting merge.
|
|
enabled: false
|
|
# display_name: "example-label"
|
|
# issuer: https://login.example.space/auth/realms/example-space
|
|
# discovery: true
|
|
# scope: "openid,profile"
|
|
# uid_field: uid
|
|
# client_id: mastodon
|
|
# client_secret: SECRETKEY
|
|
# redirect_uri: https://example.com/auth/auth/openid_connect/callback
|
|
# assume_email_is_verified: true
|
|
# client_auth_method:
|
|
# response_type:
|
|
# response_mode:
|
|
# display:
|
|
# prompt:
|
|
# send_nonce:
|
|
# send_scope_to_token_endpoint:
|
|
# idp_logout_redirect_uri:
|
|
# http_scheme:
|
|
# host:
|
|
# port:
|
|
# jwks_uri:
|
|
# auth_endpoint:
|
|
# token_endpoint:
|
|
# user_info_endpoint:
|
|
# end_session_endpoint:
|
|
saml:
|
|
enabled: false
|
|
# acs_url: http://mastodon.example.com/auth/auth/saml/callback
|
|
# issuer: mastodon
|
|
# idp_sso_target_url: https://login.example.com/auth/realms/example/protocol/saml
|
|
# idp_cert: '-----BEGIN CERTIFICATE-----[your_cert_content]-----END CERTIFICATE-----'
|
|
# idp_cert_fingerprint:
|
|
# name_identifier_format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
|
|
# cert:
|
|
# private_key:
|
|
# want_assertion_signed: true
|
|
# want_assertion_encrypted: true
|
|
# assume_email_is_verified: true
|
|
# uid_attribute: "urn:oid:0.9.2342.19200300.100.1.1"
|
|
# attributes_statements:
|
|
# uid: "urn:oid:0.9.2342.19200300.100.1.1"
|
|
# email: "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
|
|
# full_name: "urn:oid:2.16.840.1.113730.3.1.241"
|
|
# first_name: "urn:oid:2.5.4.42"
|
|
# last_name: "urn:oid:2.5.4.4"
|
|
# verified:
|
|
# verified_email:
|
|
oauth_global:
|
|
# Force redirect local login to CAS. Does not function with SAML or LDAP.
|
|
oauth_redirect_at_sign_in: false
|
|
cas:
|
|
enabled: false
|
|
# url: https://sso.myserver.com
|
|
# host: sso.myserver.com
|
|
# port: 443
|
|
# ssl: true
|
|
# validate_url:
|
|
# callback_url:
|
|
# logout_url:
|
|
# login_url:
|
|
# uid_field: 'user'
|
|
# ca_path:
|
|
# disable_ssl_verification: false
|
|
# assume_email_is_verified: true
|
|
# keys:
|
|
# uid: 'user'
|
|
# name: 'name'
|
|
# email: 'email'
|
|
# nickname: 'nickname'
|
|
# first_name: 'firstname'
|
|
# last_name: 'lastname'
|
|
# location: 'location'
|
|
# image: 'image'
|
|
# phone: 'phone'
|
|
pam:
|
|
enabled: false
|
|
# email_domain: example.com
|
|
# default_service: rpam
|
|
# controlled_service: rpam
|
|
ldap:
|
|
enabled: false
|
|
# host: myservice.namespace.svc
|
|
# port: 389
|
|
# method: simple_tls
|
|
# base:
|
|
# bind_on:
|
|
# password:
|
|
# uid: cn
|
|
# mail: mail
|
|
# search_filter: "(|(%{uid}=%{email})(%{mail}=%{email}))"
|
|
# uid_conversion:
|
|
# enabled: true
|
|
# search: "., -"
|
|
# replace: _
|
|
|
|
# https://github.com/tootsuite/mastodon/blob/master/Dockerfile#L88
|
|
#
|
|
# if you manually change the UID/GID environment variables, ensure these values
|
|
# match:
|
|
podSecurityContext:
|
|
runAsUser: 991
|
|
runAsGroup: 991
|
|
fsGroup: 991
|
|
|
|
securityContext: {}
|
|
|
|
serviceAccount:
|
|
# Specifies whether a service account should be created
|
|
create: true
|
|
# Annotations to add to the service account
|
|
annotations: {}
|
|
# The name of the service account to use.
|
|
# If not set and create is true, a name is generated using the fullname template
|
|
name: ""
|
|
|
|
podAnnotations: {}
|
|
|
|
resources: {}
|
|
# We usually recommend not to specify default resources and to leave this as a conscious
|
|
# choice for the user. This also increases chances charts run on environments with little
|
|
# resources, such as Minikube. If you do want to specify resources, uncomment the following
|
|
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
|
|
# limits:
|
|
# cpu: 100m
|
|
# memory: 128Mi
|
|
# requests:
|
|
# cpu: 100m
|
|
# memory: 128Mi
|
|
|
|
autoscaling:
|
|
enabled: false
|
|
minReplicas: 1
|
|
maxReplicas: 100
|
|
targetCPUUtilizationPercentage: 80
|
|
# targetMemoryUtilizationPercentage: 80
|
|
|
|
nodeSelector: {}
|
|
|
|
tolerations: []
|
|
|
|
affinity: {}
|