Commit c13981fa authored by Dominik Hebeler's avatar Dominik Hebeler

first working chart

parent 1fecc440
values.yaml
# This file is a template, and might need editing before it works on your project.
# To contribute improvements to CI/CD templates, please follow the Development guide at:
# https://docs.gitlab.com/ee/development/cicd/templates.html
# This specific template is located at:
# https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Docker.gitlab-ci.yml
# Build a Docker image with CI/CD and push to the GitLab registry.
# Docker-in-Docker documentation: https://docs.gitlab.com/ee/ci/docker/using_docker_build.html
#
# This template uses one generic job with conditional builds
# for the default branch and all other (MR) branches.
variables:
DOCKER_HOST: tcp://docker-dind:2375
docker-build:
# Use the official docker image.
image: docker:latest
stage: build
before_script:
- docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
# Default branch leaves tag empty (= latest tag)
# All other branches are tagged with the escaped branch name (commit ref slug)
script:
- |
if [[ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]]; then
tag=""
echo "Running on default branch '$CI_DEFAULT_BRANCH': tag = 'latest'"
else
tag=":$CI_COMMIT_REF_SLUG"
echo "Running on branch '$CI_COMMIT_BRANCH': tag = $tag"
fi
- cd docker
- docker build --pull -t "$CI_REGISTRY_IMAGE${tag}" .
- docker push "$CI_REGISTRY_IMAGE${tag}"
# Run this job in a branch where a Dockerfile exists
rules:
- if: $CI_COMMIT_BRANCH
exists:
- docker/Dockerfile
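Review bot: The `docker login` in before_script hands the registry token over as `-p "$CI_REGISTRY_PASSWORD"`, which exposes it in the job's process list and in any shell trace; `echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"` avoids both and also quotes the registry host. `DOCKER_HOST: tcp://docker-dind:2375` is the plain-text daemon port, so the build talks to the dind service without TLS; that is only acceptable if nothing but this job can reach that service, and it deserves a comment saying so. `image: docker:latest` is unpinned, so the CLI can drift from the daemon version on a future pull.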
......@@ -13,10 +13,10 @@ RUN apt update && \
apt install -y curl
# Install Nodejs
RUN curl -sL https://deb.nodesource.com/setup_12.x | bash -
RUN curl -sfL https://deb.nodesource.com/setup_12.x | bash -
# Install Yarn
RUN curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add - && \
RUN curl -sfS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add - && \
echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list
# Install required software components
......@@ -45,17 +45,25 @@ RUN cd /home/mastodon && \
# Install dependencies
RUN cd /home/mastodon/live && \
bundle config --verbose deployment 'true' && \
bundle config --verbose without 'development test' && \
bundle install --verbose -j$(getconf _NPROCESSORS_ONLN) && \
export RAILS_ENV=production && \
bundle config deployment 'true' && \
bundle config without 'development test' && \
bundle install -j$(getconf _NPROCESSORS_ONLN) && \
bundle exec rails assets:precompile && \
yarn install --pure-lockfile && \
pwd && \
ls -alh
USER root
# Install Config Generator script
COPY ./helpers/initConfig.sh /usr/bin/initConfig
RUN chmod +x /usr/bin/initConfig
# Install Entrypoint
COPY ./helpers/entrypoint.sh /usr/bin/entrypoint
RUN chmod +x /usr/bin/entrypoint
USER mastodon
WORKDIR /home/mastodon/live
CMD ["tail", "-f", "/dev/null"]
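Review bot: In the first hunk, `curl -sfL https://deb.nodesource.com/setup_12.x | bash -` and the Yarn key line still execute and trust whatever the remote host serves at build time; the added `-f` only prevents an HTTP error page from reaching `bash`, it does not verify the download. Downloading to a file, comparing it against a known sha256 (a value taken from the vendor, not guessed), and only then running it makes the build reproducible, and `apt-key add` trusts the Yarn key for every configured repository, where a `signed-by=` keyring in the sources entry scopes it to that one repository. In the second hunk, `pwd && ls -alh` at the end of the bundle RUN are leftover debugging output, and `bundle exec rails assets:precompile` here duplicates the precompile the entrypoint runs on every puma start, so one of the two is redundant. If the build-time precompile is kept, a comment on why it can run without the production `.env.production` present would help; I cannot tell from here whether it needs one.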
#!/bin/bash
case "$1" in
"puma")
export RAILS_ENV=production;
export PORT=3000;
export BIND=0.0.0.0
bundle exec rails assets:precompile
/usr/local/bundle/bin/bundle exec puma -C config/puma.rb;
;;
"streaming")
export NODE_ENV=production;
export PORT=4000;
export STREAMING_CLUSTER_NUM=1;
/usr/bin/node ./streaming;
;;
"sidekiq")
export RAILS_ENV=production;
export DB_POOL=25;
export MALLOC_ARENA_MAX=2;
/usr/local/bundle/bin/bundle exec sidekiq -c 25
;;
*)
echo "Unknown command... Chose one of [puma|streaming|sidekiq]";
return 1;
esac
\ No newline at end of file
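Review bot: None of the three long-running commands (the `bundle exec puma` line, `/usr/bin/node ./streaming`, `bundle exec sidekiq -c 25`) is started with `exec`, so bash stays PID 1 in the container and a SIGTERM from the kubelet is not forwarded to the server; every rollout then waits out the grace period and ends in SIGKILL, and prefixing each of the three with `exec` fixes it. `return 1` in the default branch is invalid outside a function when the script is executed rather than sourced (bash prints an error); it should be `exit 1`, and "Chose" in the message should read "Choose". The `rails assets:precompile` in the puma branch repeats the precompile already done at image build time, so each puma start pays for it again; if it is kept because the packs and assets directories are replaced by empty volumes at runtime, a comment saying so would spare the next reader the question.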
......@@ -3,11 +3,17 @@
set -e
export RAILS_ENV=production
export DISABLE_DATABASE_ENVIRONMENT_CHECK=1
# Generating empty config
CONFIG=".env.production"
echo "" > $CONFIG
echo "LOCAL_DOMAIN=$LOCAL_DOMAIN" >> $CONFIG;
echo "BIND=0.0.0.0" >> $CONFIG;
echo "SINGLE_USER_MODE=false" >> $CONFIG;
echo "RAILS_SERVE_STATIC_FILES=true" >> $CONFIG;
echo "Generating secrets..."
# Generate SECRET_KEY_BASE
......@@ -30,4 +36,32 @@ VAPID_PUBLIC_KEY=$(bundle exec rake mastodon:webpush:generate_vapid_key);
echo "VAPID_PUBLIC_KEY=$VAPID_PUBLIC_KEY" >> $CONFIG;
echo "VAPID_PUBLIC_KEY generated successfully";
echo $VAPID_PRIVATE_KEY
\ No newline at end of file
# Database Credentials
echo "DB_HOST=$DB_HOST" >> $CONFIG;
echo "DB_PORT=$DB_PORT" >> $CONFIG;
echo "DB_NAME=$DB_NAME" >> $CONFIG;
echo "DB_USER=$DB_USER" >> $CONFIG;
echo "DB_PASS=$DB_PASS" >> $CONFIG;
echo "Configured database credentials.";
# Redis Credentials
echo "REDIS_HOST=127.0.0.1" >> $CONFIG;
echo "REDIS_PORT=6379" >> $CONFIG;
echo "REDIS_PASSWORD=" >> $CONFIG;
echo "Populated Redis credentials.";
# SMTP Configuration TODO
echo "SMTP_SERVER=$SMTP_SERVER" >> $CONFIG;
echo "SMTP_LOGIN=$SMTP_LOGIN" >> $CONFIG;
echo "SMTP_PASSWORD=$SMTP_PASSWORD" >> $CONFIG;
echo "SMTP_PORT=$SMTP_PORT" >> $CONFIG;
echo "SMTP_AUTH_METHOD=$SMTP_AUTH_METHOD" >> $CONFIG;
echo "SMTP_FROM_ADDRESS=$SMTP_FROM_ADDRESS" >> $CONFIG;
echo "SMTP_TLS=true" >> $CONFIG;
echo "SMTP_SSL=false" >> $CONFIG;
echo "SMTP_ENABLE_STARTTLS_AUTO=false" >> $CONFIG;
echo "SMTP_DELIVERY_METHOD=smtp" >> $CONFIG;
bundle exec rails db:setup
cp .env.production /secret/.env.production
\ No newline at end of file
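Review bot: `bundle exec rails db:setup` at the end of the second hunk is destructive: `db:setup` loads the schema, which recreates every table, and the `DISABLE_DATABASE_ENVIRONMENT_CHECK=1` added in the first hunk is exactly what lets that run against a production database. Because the same run also generates fresh SECRET_KEY_BASE, OTP and VAPID values, any re-execution against an existing database (a Job retry under `backoffLimit`, or a reinstall against a persistent Postgres) wipes the data and invalidates what is left; checking for an existing schema before calling `db:setup`, or using `db:prepare` if the Rails version supports it, would make the script idempotent. `$CONFIG` holds the DB and SMTP passwords and the generated secrets and is written with the default umask; `umask 077` right after `set -e` keeps it from being world-readable inside the container. If `echo $VAPID_PRIVATE_KEY` survives on the new side of the second hunk, it prints a private key into the Job log and should go.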
......@@ -6,7 +6,7 @@ Expand the name of the chart.
{{- end }}
{{- define "mastodon.image" -}}
registry.metager.de/open-source/mastodon
registry.metager.de/open-source/mastodon:v3.4.3
{{- end }}
{{/*
......
{{- $secret_name := (printf "%s-config" (include "mastodon.fullname" .)) -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ $secret_name }}
labels:
{{- include "mastodon.labels" . | nindent 4 }}
type: Opaque
data:
{{- $old_sec := lookup "v1" "Secret" .Release.Namespace $secret_name }}
# check, if a secret is already set
{{- if or (not $old_sec) (not $old_sec.data) }}
# if not set, then generate a new password
.env.production: {{ randAlphaNum 20 | b64enc }}
{{ else }}
# if set, then use the old value
.env.production: {{ index $old_sec.data ".env.production" }}
{{ end }}
\ No newline at end of file
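Review bot: The comments around the `lookup` branch say "generate a new password", but what is written into `.env.production` is a 20-character random string that is not a valid env file; it is only a placeholder until the post-install Job overwrites the Secret, and the comment should say so, e.g. `# placeholder content; replaced by the config Job at post-install`. `lookup` returns nothing under `helm template` and `--dry-run`, so the placeholder branch is always taken there. Pods that mount this Secret with `subPath` do not see the Job's update in place, so the application containers presumably have to be restarted after the Job finishes — confirm against how the Deployment consumes the Secret and document the expected ordering.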
......@@ -2,53 +2,91 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: create-secret
namespace: {{ .Release.Namespace }}
name: update-secret
labels:
{{- include "mastodon.labels" . | nindent 4 }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: create-secret
namespace: {{ .Release.Namespace }}
name: update-secret
labels:
{{- include "mastodon.labels" . | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- secrets
resourceNames:
- {{ include "mastodon.fullname" . }}-config
verbs:
- get
- create
- patch
- update
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: create-secret
namespace: {{ .Release.Namespace }}
name: update-secret
labels:
{{- include "mastodon.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: update-secrets
name: update-secret
subjects:
- kind: ServiceAccount
name: create-secret
name: update-secret
namespace: {{ .Release.Namespace }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "mastodon.fullname" . }}-create-config
labels:
{{- include "mastodon.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": "pre-install"
"helm.sh/hook": "post-install"
spec:
template:
spec:
serviceAccountName: update-secret
volumes:
- name: config-volume
emptyDir: {}
containers:
- name: config-generator
image: {{ include "mastodon.image" }}
image: {{ include "mastodon.image" . }}
imagePullPolicy: Always # TODO REMOVE
env:
- name: LOCAL_DOMAIN
value: {{ .Values.mastodon.initConfiguration.hostname | quote }}
- name: DB_HOST
value: {{ .Values.mastodon.initConfiguration.database.host | quote }}
- name: DB_PORT
value: {{ .Values.mastodon.initConfiguration.database.port | quote }}
- name: DB_NAME
value: {{ .Values.mastodon.initConfiguration.database.db | quote }}
- name: DB_USER
value: {{ .Values.mastodon.initConfiguration.database.user | quote }}
- name: DB_PASS
value: {{ .Values.mastodon.initConfiguration.database.password | quote }}
- name: SMTP_SERVER
value: {{ .Values.mastodon.initConfiguration.smtp.server | quote }}
- name: SMTP_LOGIN
value: {{ .Values.mastodon.initConfiguration.smtp.login | quote }}
- name: SMTP_PASSWORD
value: {{ .Values.mastodon.initConfiguration.smtp.password | quote }}
- name: SMTP_PORT
value: {{ .Values.mastodon.initConfiguration.smtp.port | quote }}
- name: SMTP_AUTH_METHOD
value: {{ .Values.mastodon.initConfiguration.smtp.auth_method | quote }}
- name: SMTP_FROM_ADDRESS
value: {{ .Values.mastodon.initConfiguration.smtp.from_address | quote }}
command: ["initConfig"]
volumeMounts:
- mountPath: /secret
name: config-volume
- name: config-secret-creator
image: bitnami/kubectl
env:
......@@ -59,7 +97,9 @@ spec:
command: ["/bin/sh", "-c"]
args:
- while [ ! -f /secret/.env.production ];do sleep 1; done;
kubectl -n $KUBERNETES_NAMESPACE create secret generic $KUBERNETES_SECRET_NAME --from-file=/secret/.env.production
kubectl -n $KUBERNETES_NAMESPACE create secret generic $KUBERNETES_SECRET_NAME --from-file=/secret/.env.production --dry-run -oyaml | kubectl apply -f -
volumeMounts:
- mountPath: /secret
name: config-volume
restartPolicy: Never
backoffLimit: 4
\ No newline at end of file
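Review bot: The DB and SMTP passwords reach the config-generator container as plain `value:` entries (the `DB_PASS` and `SMTP_PASSWORD` items in the env list), so anyone who can get or describe Pods or Jobs in the namespace can read them, and they also land in the Helm release history; sourcing them with `valueFrom.secretKeyRef` from a user-provided Secret keeps them out of the pod spec. The `while [ ! -f /secret/.env.production ];do sleep 1; done` in the second hunk never gives up, so if initConfig fails the Job hangs until someone deletes it; `activeDeadlineSeconds` on the Job spec bounds that. `--dry-run` without a value is the deprecated form, and with the unpinned `bitnami/kubectl` image a future pull may reject it; `--dry-run=client` is the current spelling. In the Role, `create` in a rule that also lists `resourceNames` grants nothing, because Kubernetes cannot restrict create requests by name; drop it (the chart already creates the Secret) or give it a rule of its own.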
......@@ -27,35 +27,99 @@ spec:
serviceAccountName: {{ include "mastodon.serviceAccountName" . }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
volumes:
- name: {{ include "mastodon.fullname" . }}-config
secret:
secretName: {{ include "mastodon.fullname" . }}-config
- name: packs
emptyDir: {}
- name: assets
emptyDir: {}
containers:
- name: {{ .Chart.Name }}
- name: {{ .Chart.Name }}-puma
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
image: {{ include "mastodon.image" . }}
command: ["entrypoint", "puma"]
imagePullPolicy: Always
volumeMounts:
- name: {{ include "mastodon.fullname" . }}-config
mountPath: "/home/mastodon/live/.env.production"
subPath: ".env.production"
readOnly: true
- name: packs
mountPath: /home/mastodon/live/public/packs
- name: assets
mountPath: /home/mastodon/live/public/assets
ports:
- name: http
containerPort: 80
containerPort: 3000
protocol: TCP
livenessProbe:
httpGet:
path: /
path: /health
port: http
startupProbe:
httpGet:
path: /health
port: http
failureThreshold: 30
periodSeconds: 10
readinessProbe:
httpGet:
path: /
path: /health
port: http
resources:
{{- toYaml .Values.resources | nindent 12 }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
- name: {{ .Chart.Name }}-streaming
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: {{ include "mastodon.image" . }}
command: ["entrypoint", "streaming"]
imagePullPolicy: Always
volumeMounts:
- name: {{ include "mastodon.fullname" . }}-config
mountPath: "/home/mastodon/live/.env.production"
subPath: ".env.production"
readOnly: true
- name: packs
mountPath: /home/mastodon/live/public/packs
- name: assets
mountPath: /home/mastodon/live/public/assets
ports:
- name: streaming
containerPort: 4000
protocol: TCP
livenessProbe:
tcpSocket:
port: streaming
readinessProbe:
tcpSocket:
port: streaming
resources:
{{- toYaml .Values.resources | nindent 12 }}
- name: {{ .Chart.Name }}-sidekiq
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: {{ include "mastodon.image" . }}
command: ["entrypoint", "sidekiq"]
imagePullPolicy: Always
volumeMounts:
- name: {{ include "mastodon.fullname" . }}-config
mountPath: "/home/mastodon/live/.env.production"
subPath: ".env.production"
readOnly: true
- name: packs
mountPath: /home/mastodon/live/public/packs
- name: assets
mountPath: /home/mastodon/live/public/assets
livenessProbe:
exec:
command: ["bundle", "exec", "sidekiqmon", "processes", "|", "grep", "$(hostname)"]
readinessProbe:
exec:
command: ["bundle", "exec", "sidekiqmon", "processes", "|", "grep", "$(hostname)"]
resources:
{{- toYaml .Values.resources | nindent 12 }}
- name: {{ .Chart.Name }}-redis
image: redis:6
\ No newline at end of file
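Review bot: The sidekiq liveness and readiness probes pass `|`, `grep` and `$(hostname)` as literal arguments to `sidekiqmon`, because exec probes run the command directly without a shell, so no pipe or substitution ever happens and the probe does not check what it appears to; wrap it in a shell, `command: ["/bin/sh", "-c", "bundle exec sidekiqmon processes | grep $(hostname)"]`, in both probes. The `redis:6` sidecar at the end of the hunk (its definition continues past the hunk) together with `REDIS_HOST=127.0.0.1` in initConfig gives every replica its own Redis, so sidekiq queues and streaming pub/sub are not shared once `replicaCount` exceeds 1 and a pod restart loses everything in Redis; that may be intended for a first version, but a comment stating the limitation would help. The three application containers all receive `.Values.resources` and `.Values.securityContext`, while the redis container gets neither.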
......@@ -35,7 +35,7 @@ spec:
paths:
- path: /
{{- if semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion }}
pathType: ImplementationSpecific
pathType: Prefix
{{- end }}
backend:
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
......@@ -46,4 +46,19 @@ spec:
{{- else }}
serviceName: {{ $fullName }}
servicePort: {{ $svcPort }}
{{- end }}
\ No newline at end of file
{{- end }}
- path: /api/v1/streaming
{{- if semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion }}
pathType: Prefix
{{- end }}
backend:
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
service:
name: {{ $fullName }}
port:
number: 4000
{{- else }}
serviceName: {{ $fullName }}
servicePort: 4000
{{- end }}
\ No newline at end of file
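Review bot: The new `/api/v1/streaming` path hardcodes `number: 4000` and `servicePort: 4000` in both backend forms, while the `/` path above it uses `$svcPort`; taking the streaming port from values the same way keeps the Service and the Ingress from drifting apart. The streaming endpoint is a WebSocket upgrade, and whether the ingress controller needs an annotation for that is controller-specific, so a comment stating what was tested would help. The enclosing `paths:` list and the template's surrounding `range` start above this hunk.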
......@@ -11,5 +11,9 @@ spec:
targetPort: http
protocol: TCP
name: http
- port: 4000
targetPort: streaming
protocol: TCP
name: streaming
selector:
{{- include "mastodon.selectorLabels" . | nindent 4 }}
......@@ -7,6 +7,19 @@ mastodon:
initConfiguration:
# You cannot easily change mastodon hostname at later point
hostname: chart-example.local
database:
host: postgres
port: 5432
db: mastodon
user: mastodon
password: test1234
smtp:
server:
login:
password:
port:
auth_method:
from_address:
replicaCount: 1
......@@ -46,7 +59,7 @@ securityContext:
service:
type: ClusterIP
port: 80
port: 3000
ingress:
secretName:
......@@ -77,9 +90,3 @@ autoscaling:
maxReplicas: 100
targetCPUUtilizationPercentage: 80
# targetMemoryUtilizationPercentage: 80
nodeSelector: {}
tolerations: []
affinity: {}
mastodon:
initConfiguration:
hostname: suma-ev.social
ingress:
className: "nginx"
annotations:
kubernetes.io/tls-acme: "true"
cert-manager.io/cluster-issuer: letsencrypt-prod
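Review bot: `password: test1234` under `database:` in the first hunk is a working default credential; a chart installed without overriding it ends up with that password in the Job env and in the generated `.env.production`, so the default should be empty and the Job template should reject an empty value with `required`. The `smtp:` keys (`server:`, `login:`, `password:`, ...) are bare, which YAML reads as null; the `| quote` filters in the Job render them as `""`, which works, but an explicit `""` states the intent. Keeping the DB and SMTP passwords in values at all puts them into every `helm get values` and into the release Secret; referencing an existing Secret by name is the usual pattern.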