small-hack · holysoles · Jan 25, 2025 · Jan 28, 2025 · Jan 29, 2025 · Jan 29, 2025
diff --git a/charts/pixelfed/Chart.lock b/charts/pixelfed/Chart.lock
@@ -8,5 +8,8 @@ dependencies:
 - name: mariadb
   repository: oci://registry-1.docker.io/bitnamicharts
   version: 20.2.2
-digest: sha256:ab9c547cea93017a3a65f289e1573ee936a6925d3762200bb24d6e5dc512003c
-generated: "2025-01-23T22:50:42.4566+01:00"
+- name: minio
+  repository: oci://registry-1.docker.io/bitnamicharts
+  version: 14.10.5
+digest: sha256:7df7ad6adc934f88fc660a95c9e9dd342f7daf39e0351b84415d4d8e7608e7e6
+generated: "2025-01-23T20:17:44.237852195-06:00"
diff --git a/charts/pixelfed/Chart.yaml b/charts/pixelfed/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.19.1
+version: 0.20.0
 
 # This is the version number of the application being deployed.
 # renovate:image=ghcr.io/mattlqx/docker-pixelfed
@@ -41,3 +41,8 @@ dependencies:
     version: 20.2.2
     repository: oci://registry-1.docker.io/bitnamicharts
     condition: mariadb.enabled
+
+  - name: minio
+    version: 14.10.5
+    repository: oci://registry-1.docker.io/bitnamicharts
+    condition: minio.enabled
diff --git a/charts/pixelfed/README.md b/charts/pixelfed/README.md
@@ -1,6 +1,6 @@
 # Pixelfed Helm Chart
 
-![Version: 0.19.1](https://img.shields.io/badge/Version-0.19.1-informational?style=flat-square)  ![AppVersion: v0.12.4-nginx](https://img.shields.io/badge/AppVersion-v0.12.4--nginx-informational?style=flat-square)
+![Version: 0.20.0](https://img.shields.io/badge/Version-0.20.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.12.4-nginx](https://img.shields.io/badge/AppVersion-v0.12.4--nginx-informational?style=flat-square)
 
 A Helm chart for deploying Pixelfed on Kubernetes
 
@@ -96,6 +96,7 @@ These are all subcharts that you can choose to install, but you can also bring y
 | Repository | Name | Version |
 |------------|------|---------|
 | oci://registry-1.docker.io/bitnamicharts | mariadb | 20.2.2 |
+| oci://registry-1.docker.io/bitnamicharts | minio | 14.10.5 |
 | oci://registry-1.docker.io/bitnamicharts | postgresql | 16.4.5 |
 | oci://registry-1.docker.io/bitnamicharts | valkey | 2.2.3 |
 
@@ -182,6 +183,20 @@ persistence:
 | mariadb.auth.rootPassword | string | `"newRootPassword123"` | Password for the root user. Ignored if existing secret is provided. |
 | mariadb.auth.username | string | `"pixelfed"` | Name for a custom user to create |
 | mariadb.enabled | bool | `false` | enable mariadb subchart - currently experimental for this chart read more about the values: https://github.com/bitnami/charts/tree/main/bitnami/mariadb |
+| minio.disableWebUI | bool | `true` | disable the minio web ui |
+| minio.enabled | bool | `false` | enable the bundled [minio sub chart from Bitnami](https://github.com/bitnami/charts/blob/main/bitnami/minio/README.md#parameters). |
+| minio.fullnameOverride | string | `"minio"` |  |
+| minio.global.storageClass | string | `""` |  |
+| minio.provisioning.buckets | list | `[{"name":"pixelfed"}]` | buckets to provision. Only one bucket is supported for auto configuration in this chart. |
+| minio.provisioning.enabled | bool | `true` | enable the provisioning of minio buckets/policies/users during the deployment |
+| minio.provisioning.extraCommands | list | `["mc anonymous set download provisioning/pixelfed"]` | commands to run after provisioning. |
+| minio.provisioning.policies | list | `[{"name":"pixelfed-full","statements":[{"actions":["s3:*"],"effect":"Allow","resources":["arn:aws:s3:::pixelfed","arn:aws:s3:::pixelfed/*"]}]}]` | policies to provision. Only one policy is supported for auto configuration in this chart. |
+| minio.provisioning.users | list | `[{"disabled":false,"password":"pixelfedMinio","policies":["pixelfed-full"],"setPolicies":true,"username":"minio-pf"}]` | users to provision. Only one user is supported for auto configuration in this chart. Should be changed to a random password. |
+| minio.tls.autoGenerated | bool | `true` |  |
+| minio.tls.enabled | bool | `true` |  |
+| minio.tls.pixelfedInitContainer | object | `{"args":["apt update && apt install -y ca-certificates && update-ca-certificates && cp -r /etc/ssl/certs/* /cacert/"],"command":["/bin/sh","-c"],"image":"debian:latest","name":"add-minio-cert","securityContext":{"runAsGroup":0,"runAsUser":0},"volumeMounts":[{"mountPath":"/usr/local/share/ca-certificates/minio.crt","name":"minio-crt","readOnly":false,"subPath":"ca.crt"},{"mountPath":"/cacert","name":"cert-tmp","readOnly":false}]}` | use an init container to add the autogenerated minio certificate to the pixelfed container |
+| minio.tls.pixelfedVolumeMounts | list | `[{"mountPath":"/etc/ssl/certs","name":"cert-tmp","readOnly":false}]` | mount the shared ca-certificates directory to the pixelfed container |
+| minio.tls.pixelfedVolumes | list | `[{"name":"minio-crt","secret":{"secretName":"minio-crt"}},{"emptyDir":{},"name":"cert-tmp"}]` | mounts for the minio certificate and the temporary directory |
 | nameOverride | string | `""` | This is to override the chart name. |
 | nodeSelector | object | `{}` | put the pixelfed pod on a specific node/nodegroup |
 | persistence.accessModes | list | `["ReadWriteOnce"]` | accessMode |
@@ -220,7 +235,7 @@ persistence:
 | pixelfed.exp_emc | bool | `true` | Experimental Configuration |
 | pixelfed.exp_loops | bool | `false` | exp loops (as in loops video? 🤷 |
 | pixelfed.filesystem.cloud | string | `"s3"` | Many applications store files both locally and in the cloud. For this reason, you may specify a default “cloud” driver here. This driver will be bound as the Cloud disk implementation in the container. |
-| pixelfed.filesystem.driver | string | `"local"` |  |
+| pixelfed.filesystem.driver | string | `"s3"` | if you want to use s3, you need to set this to s3 TODO |
 | pixelfed.force_https_urls | bool | `true` | Force https url generation |
 | pixelfed.horizon.dark_mode | bool | `false` | darkmode for the web interface in the admin panel |
 | pixelfed.horizon.prefix | string | `"horizon-"` | prefix will be used when storing all Horizon data in Redis |
@@ -281,6 +296,7 @@ persistence:
 | pixelfed.pf.max_user_blocks | int | `50` | The max number of user blocks per account |
 | pixelfed.pf.max_user_mutes | int | `50` | The max number of user mutes per account |
 | pixelfed.pf.max_users | int | `1000` | Limit max user registrations |
+| pixelfed.pf.media_fast_process | bool | `true` | Posts are published without waiting for media to be optimized/uploaded to S3. However, posts may be federated without S3 urls. |
 | pixelfed.pf.optimize_images | bool | `true` | Enable image optimization |
 | pixelfed.pf.optimize_videos | bool | `true` | Enable video optimization |
 | pixelfed.s3.access_key_id | string | `""` | s3 access_key_id. ignored if s3.existingSecretKeys.access_key_id is set |
@@ -295,6 +311,7 @@ persistence:
 | pixelfed.s3.secret_access_key | string | `""` | s3 secret_access_key. ignored if s3.existingSecretKeys.secret_access_key is set |
 | pixelfed.s3.url | string | `""` | s3 url including protocol such as https://s3.domain.com |
 | pixelfed.s3.use_path_style_endpoint | bool | `false` | use S3 path type instead of using a DNS subdomain |
+| pixelfed.s3.visibility | string | `"public"` | visibility of the bucket |
 | pixelfed.session_domain | string | `""` | domain of session? |
 | pixelfed.stories_enabled | bool | `false` | Enable the Stories feature |
 | pixelfed.timezone | string | `"europe/amsterdam"` | timezone for docker container |

diff --git a/charts/pixelfed/charts/minio-14.10.5.tgz b/charts/pixelfed/charts/minio-14.10.5.tgz
diff --git a/charts/pixelfed/templates/_helpers.tpl b/charts/pixelfed/templates/_helpers.tpl
@@ -67,3 +67,56 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{/*
+Ensure minio password is set appropriately
+*/}}
+{{- if .Values.minio.enabled }}
+    {{- if or (len (index .Values.minio.provisioning.users 0 "password") lt 8) (len (index .Values.minio.provisioning.users 0 "password") gt 40) }}
+        {{- fail "pixelfed minio default user password not set. Set with --set minio.provisioning.users[0].password=..." }}
+    {{- end }}
+{{- end }}
+
+{{/*
+Helper variable to check if autogenerated minio cert are enabled.
+*/}}
+{{- define "pixelfed.minio.autogeneratedTls" -}}
+{{- if and .Values.minio.tls.enabled .Values.minio.tls.autoGenerated }}
+{{- true }}
+{{- else }}
+{{- false }}
+{{- end }}
+{{- end }}
+
+{{/*
+Merge extraInitContainers with any expected ones from the minio subchart.
+*/}}
+{{- define "pixelfed.mergedInitContainers" -}}
+{{- $mergedInitContainers := .Values.extraInitContainers }}
+{{- if (include "pixelfed.minio.autogeneratedTls" .) }}
+{{- $mergedInitContainers = append $mergedInitContainers .Values.minio.tls.pixelfedInitContainer }}
+{{- end }}
+{{- toYaml $mergedInitContainers }}
+{{- end }}
+
+{{/*
+Merge extraVolumes with any expected ones from the minio subchart.
+*/}}
+{{- define "pixelfed.mergedVolumes" -}}
+{{- $mergedVolumes := .Values.extraVolumes }}
+{{- if (include "pixelfed.minio.autogeneratedTls" .) }}
+{{- $mergedVolumes = concat $mergedVolumes .Values.minio.tls.pixelfedVolumes }}
+{{- end }}
+{{- toYaml $mergedVolumes }}
+{{- end }}
+
+{{/*
+Merge extraVolumeMounts with any expected ones from the minio subchart.
+*/}}
+{{- define "pixelfed.mergedVolumeMounts" -}}
+{{- $mergedVolumeMounts := .Values.extraVolumeMounts }}
+{{- if (include "pixelfed.minio.autogeneratedTls" .) }}
+{{- $mergedVolumeMounts = concat $mergedVolumeMounts .Values.minio.tls.pixelfedVolumeMounts }}
+{{- end }}
+{{- toYaml $mergedVolumeMounts }}
+{{- end }}
diff --git a/charts/pixelfed/templates/configmap_env.yaml b/charts/pixelfed/templates/configmap_env.yaml
@@ -120,6 +120,22 @@ data:
   MAIL_FROM_ADDRESS: "{{ .Values.pixelfed.mail.from_address }}"
   MAIL_FROM_NAME: "{{ .Values.pixelfed.mail.from_name }}"
 
+  # s3
+  AWS_VISIBILITY: {{ .Values.pixelfed.s3.visibility }} #TODO override based on minio deployment
+  {{- if not .Values.minio.enabled }}
+  AWS_DEFAULT_REGION: {{ .Values.pixelfed.s3.region }}
+  AWS_BUCKET: {{ .Values.pixelfed.s3.bucket }}
+  AWS_USE_PATH_STYLE_ENDPOINT: {{ .Values.pixelfed.s3.use_path_style_endpoint | quote }}
+  {{- else }}
+  {{- if .Values.pixelfed.s3.bucket }}
+  AWS_BUCKET: {{ .Values.pixelfed.s3.bucket }}
+  {{- else }}
+  AWS_BUCKET: {{ index .Values.minio.provisioning.buckets 0 "name" }}
+  {{- end }}
+  AWS_DEFAULT_REGION: "us-east-1" # unneeded for minio, but required for s3 driver
+  AWS_USE_PATH_STYLE_ENDPOINT: "true" # expected for minio
+  {{- end }}
+
   # database configuration
   DB_CONNECTION: {{ .Values.pixelfed.db.connection }}
   DB_APPLY_NEW_MIGRATIONS_AUTOMATICALLY: "{{ .Values.pixelfed.db.apply_new_migrations_automatically }}"

diff --git a/charts/pixelfed/templates/deployment.yaml b/charts/pixelfed/templates/deployment.yaml
@@ -37,9 +37,9 @@ spec:
       securityContext:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.extraInitContainers }}
+      {{- with (include "pixelfed.mergedInitContainers" .) }}
       initContainers:
-        {{- toYaml . | nindent 8 }}
+        {{- . | nindent 8 }}
       {{- end }}
       containers:
         {{- with .Values.extraContainers }}
@@ -173,6 +173,48 @@ spec:
                   key: password
                   {{- end }}
 
+            # s3
+            - name: AWS_URL
+              valueFrom:
+                secretKeyRef:
+                  {{- if .Values.pixelfed.s3.existingSecret }}
+                  name: {{ .Values.pixelfed.s3.existingSecret }}
+                  key: {{ .Values.pixelfed.s3.existingSecretKeys.url }}
+                  {{- else }}
+                  name: {{ include "pixelfed.fullname" . }}-s3
+                  key: url
+                  {{- end }}
+            - name: AWS_ENDPOINT
+              valueFrom:
+                secretKeyRef:
+                  {{- if .Values.pixelfed.s3.existingSecret }}
+                  name: {{ .Values.pixelfed.s3.existingSecret }}
+                  key: {{ .Values.pixelfed.s3.existingSecretKeys.endpoint }}
+                  {{- else }}
+                  name: {{ include "pixelfed.fullname" . }}-s3
+                  key: endpoint
+                  {{- end }}
+            - name: AWS_ACCESS_KEY_ID
+              valueFrom:
+                secretKeyRef:
+                  {{- if .Values.pixelfed.s3.existingSecret }}
+                  name: {{ .Values.pixelfed.s3.existingSecret }}
+                  key: {{ .Values.pixelfed.s3.existingSecretKeys.access_key_id }}
+                  {{- else }}
+                  name: {{ include "pixelfed.fullname" . }}-s3
+                  key: access_key_id
+                  {{- end }}
+            - name: AWS_SECRET_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  {{- if .Values.pixelfed.s3.existingSecret }}
+                  name: {{ .Values.pixelfed.s3.existingSecret }}
+                  key: {{ .Values.pixelfed.s3.existingSecretKeys.secret_access_key }}
+                  {{- else }}
+                  name: {{ include "pixelfed.fullname" . }}-s3
+                  key: secret_access_key
+                  {{- end }}
+
             # database configuration
             {{- if .Values.externalDatabase.enabled }}
             - name: DB_HOST
@@ -259,10 +301,10 @@ spec:
             {{- toYaml . | nindent 12 }}
           {{- end }}
 
-          {{- if or .Values.extraVolumeMounts .Values.phpConfigs .Values.persistence.enabled }}
+          {{- if or (include "pixelfed.mergedVolumeMounts" .) .Values.phpConfigs .Values.persistence.enabled }}
           volumeMounts:
-            {{- with .Values.extraVolumeMounts }}
-              {{- toYaml . | nindent 12 }}
+            {{- with (include "pixelfed.mergedVolumeMounts" .) }}
+              {{- . | nindent 12 }}
             {{- end }}
             {{- range $key, $value := .Values.phpConfigs }}
             - name: phpconfig
@@ -275,10 +317,10 @@ spec:
             {{- end }}
           {{- end }}{{/* end volumeMounts */}}
 
-      {{- if or .Values.phpConfigs .Values.extraVolumes .Values.persistence.enabled }}
+      {{- if or .Values.phpConfigs (include "pixelfed.mergedVolumes" .) .Values.persistence.enabled }}
       volumes:
-        {{- with .Values.extraVolumes }}
-          {{- toYaml . | nindent 8 }}
+        {{- with (include "pixelfed.mergedVolumes" .) }}
+          {{- . | nindent 8 }}
         {{- end }}
         {{- if .Values.persistence.enabled }}
         - name: storage

diff --git a/charts/pixelfed/templates/deployment_backend.yaml b/charts/pixelfed/templates/deployment_backend.yaml
@@ -39,9 +39,9 @@ spec:
       securityContext:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.extraInitContainers }}
+      {{- with (include "pixelfed.mergedInitContainers" .) }}
       initContainers:
-        {{- toYaml . | nindent 8 }}
+        {{- . | nindent 8 }}
       {{- end }}
       containers:
         - name: {{ .Chart.Name }}-backend
@@ -120,6 +120,48 @@ spec:
                   key: valkey-password
                   {{- end }}
 
+            # s3
+            - name: AWS_URL
+              valueFrom:
+                secretKeyRef:
+                  {{- if .Values.pixelfed.s3.existingSecret }}
+                  name: {{ .Values.pixelfed.s3.existingSecret }}
+                  key: {{ .Values.pixelfed.s3.existingSecretKeys.url }}
+                  {{- else }}
+                  name: {{ include "pixelfed.fullname" . }}-s3
+                  key: url
+                  {{- end }}
+            - name: AWS_ENDPOINT
+              valueFrom:
+                secretKeyRef:
+                  {{- if .Values.pixelfed.s3.existingSecret }}
+                  name: {{ .Values.pixelfed.s3.existingSecret }}
+                  key: {{ .Values.pixelfed.s3.existingSecretKeys.endpoint }}
+                  {{- else }}
+                  name: {{ include "pixelfed.fullname" . }}-s3
+                  key: endpoint
+                  {{- end }}
+            - name: AWS_ACCESS_KEY_ID
+              valueFrom:
+                secretKeyRef:
+                  {{- if .Values.pixelfed.s3.existingSecret }}
+                  name: {{ .Values.pixelfed.s3.existingSecret }}
+                  key: {{ .Values.pixelfed.s3.existingSecretKeys.access_key_id }}
+                  {{- else }}
+                  name: {{ include "pixelfed.fullname" . }}-s3
+                  key: access_key_id
+                  {{- end }}
+            - name: AWS_SECRET_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  {{- if .Values.pixelfed.s3.existingSecret }}
+                  name: {{ .Values.pixelfed.s3.existingSecret }}
+                  key: {{ .Values.pixelfed.s3.existingSecretKeys.secret_access_key }}
+                  {{- else }}
+                  name: {{ include "pixelfed.fullname" . }}-s3
+                  key: secret_access_key
+                  {{- end }}
+
             # database configuration
             {{- if .Values.externalDatabase.enabled }}
             - name: DB_HOST
@@ -196,10 +238,10 @@ spec:
             {{- toYaml . | nindent 12 }}
           {{- end }}
 
-          {{- if or .Values.extraVolumeMounts .Values.phpConfigs }}
+          {{- if or (include "pixelfed.mergedVolumeMounts" .) .Values.phpConfigs .Values.persistence.enabled }}
           volumeMounts:
-            {{- with .Values.extraVolumeMounts }}
-              {{- toYaml . | nindent 12 }}
+            {{- with (include "pixelfed.mergedVolumeMounts" .) }}
+              {{- . | nindent 12 }}
             {{- end }}
             {{- range $key, $value := .Values.phpConfigs }}
             - name: phpconfig
@@ -208,10 +250,19 @@ spec:
             {{- end }}
           {{- end }}{{/* end volumeMounts */}}
 
-      {{- if or .Values.phpConfigs .Values.extraVolumes }}
+      {{- if or .Values.phpConfigs (include "pixelfed.mergedVolumes" .) .Values.persistence.enabled }}
       volumes:
-        {{- with .Values.extraVolumes }}
-          {{- toYaml . | nindent 8 }}
+        {{- with (include "pixelfed.mergedVolumes" .) }}
+          {{- . | nindent 8 }}
+        {{- end }}
+        {{- if .Values.persistence.enabled }}
+        - name: storage
+          persistentVolumeClaim:
+            {{- if .Values.persistence.existingClaim }}
+            claimName: {{ .Values.persistence.existingClaim }}
+            {{- else }}
+            claimName: {{ include "pixelfed.fullname" . }}
+            {{- end }}
         {{- end }}
         {{- if .Values.phpConfigs }}
         - name: phpconfig

diff --git a/charts/pixelfed/templates/secret_s3.yaml b/charts/pixelfed/templates/secret_s3.yaml
@@ -0,0 +1,37 @@
+{{- if and (not .Values.pixelfed.s3.existingSecret) (and .Values.minio.enabled .Values.minio.provisioning.enabled) }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "pixelfed.fullname" . }}-s3
+data:
+  {{- if .Values.pixelfed.s3.url }}
+  url: {{ .Values.pixelfed.s3.url | b64enc }}
+  {{- else if and .Values.minio.enabled .Values.minio.provisioning.enabled }}
+  url: {{ printf "https://%s:%v/%s" .Values.minio.fullnameOverride .Values.minio.service.ports.api (index .Values.minio.provisioning.buckets 0 "name") | b64enc }}
+  {{- end }}
+
+  {{- if .Values.pixelfed.s3.endpoint }}
+  endpoint: {{ .Values.pixelfed.s3.endpoint | b64enc }}
+  {{- else if and .Values.minio.enabled .Values.minio.provisioning.enabled }}
+  endpoint: {{ printf "https://%s:%v" .Values.minio.fullnameOverride .Values.minio.service.ports.api | b64enc }}
+  {{- end }}
+
+  {{- if .Values.pixelfed.s3.bucket }}
+  bucket: {{ .Values.pixelfed.s3.bucket | b64enc }}
+  {{- else if and .Values.minio.enabled .Values.minio.provisioning.enabled }}
+  bucket: {{ index .Values.minio.provisioning.buckets 0 "name" | b64enc }}
+  {{- end }}
+
+  {{- if .Values.pixelfed.s3.access_key_id }}
+  access_key_id: {{ .Values.pixelfed.s3.access_key_id | b64enc }}
+  {{- else if and .Values.minio.enabled .Values.minio.provisioning.enabled }}
+  access_key_id: {{ index .Values.minio.provisioning.users 0 "username" | b64enc  }}
+  {{- end }}
+
+  {{- if .Values.pixelfed.s3.secret_access_key }}
+  secret_access_key: {{ .Values.pixelfed.s3.secret_access_key | b64enc }}
+  {{- else if and .Values.minio.enabled .Values.minio.provisioning.enabled }}
+  secret_access_key: {{ index .Values.minio.provisioning.users 0 "password" | b64enc }}
+  {{- end }}
+{{- end }}