Mastodon vapid init.
@@ -12,6 +12,7 @@ resources:
|
|||||||
- pvc-assets.yaml
|
- pvc-assets.yaml
|
||||||
- pvc-system.yaml
|
- pvc-system.yaml
|
||||||
- db-init-job.yaml
|
- db-init-job.yaml
|
||||||
|
- vapid-init-job.yaml
|
||||||
- deployment-web.yaml
|
- deployment-web.yaml
|
||||||
- deployment-sidekiq.yaml
|
- deployment-sidekiq.yaml
|
||||||
- deployment-streaming.yaml
|
- deployment-streaming.yaml
|
||||||
|
|||||||
@@ -51,9 +51,9 @@ defaultSecrets:
|
|||||||
- key: otpSecret
|
- key: otpSecret
|
||||||
default: "{{ random.AlphaNum 128 }}"
|
default: "{{ random.AlphaNum 128 }}"
|
||||||
- key: vapidPrivateKey
|
- key: vapidPrivateKey
|
||||||
# Must be generated with: bundle exec rake mastodon:webpush:generate_vapid_key
|
# Generated by vapid-init-job.yaml on first deploy
|
||||||
- key: vapidPublicKey
|
- key: vapidPublicKey
|
||||||
# Must be generated with: bundle exec rake mastodon:webpush:generate_vapid_key
|
# Generated by vapid-init-job.yaml on first deploy
|
||||||
- key: activeRecordPrimaryKey
|
- key: activeRecordPrimaryKey
|
||||||
default: "{{ random.AlphaNum 32 }}"
|
default: "{{ random.AlphaNum 32 }}"
|
||||||
- key: activeRecordDeterministicKey
|
- key: activeRecordDeterministicKey
|
||||||
|
|||||||
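--- /dev/null
+++ b/mastodon/vapid-init-job.yaml
@@ -0,0 +1,68 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: mastodon-vapid-init
+  namespace: {{ .namespace }}
+spec:
+  ttlSecondsAfterFinished: 300
+  template:
+    metadata:
+      labels:
+        component: vapid-init
+    spec:
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 991
+        runAsGroup: 991
+        fsGroup: 991
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+        - name: vapid-init
+          image: {{ .image }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: [ALL]
+            readOnlyRootFilesystem: false
+          command:
+            - sh
+            - -c
+            - |
+              set -e
+
+              # Check if VAPID keys already exist in the secret
+              if [ -n "$VAPID_PRIVATE_KEY" ] && [ "$VAPID_PRIVATE_KEY" != "null" ] && \
+                 [ -n "$VAPID_PUBLIC_KEY" ] && [ "$VAPID_PUBLIC_KEY" != "null" ]; then
+                echo "VAPID keys already exist in secret, skipping generation"
+                exit 0
+              fi
+
+              echo "Generating VAPID keys..."
+              bundle exec rake mastodon:webpush:generate_vapid_key > /tmp/vapid_output.txt
+
+              echo "VAPID keys generated:"
+              cat /tmp/vapid_output.txt
+
+              echo ""
+              echo "NOTE: These keys must be manually added to secrets.yaml:"
+              echo " apps.mastodon.vapidPrivateKey: <VAPID_PRIVATE_KEY from above>"
+              echo " apps.mastodon.vapidPublicKey: <VAPID_PUBLIC_KEY from above>"
+          env:
+            - name: VAPID_PRIVATE_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: mastodon-secrets
+                  key: vapidPrivateKey
+                  optional: true
+            - name: VAPID_PUBLIC_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: mastodon-secrets
+                  key: vapidPublicKey
+                  optional: true
+            - name: RAILS_ENV
+              value: production
+            - name: LOCAL_DOMAIN
+              value: "{{ .domain }}"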
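Review bot: The freshly generated VAPID private key is dumped into pod logs by `cat /tmp/vapid_output.txt` and nothing in this job writes it back to `mastodon-secrets` — the script's own closing echo tells the operator to copy it into secrets.yaml by hand, so the sibling comment "Generated by vapid-init-job.yaml on first deploy" in the defaultSecrets block overstates what actually happens. With `ttlSecondsAfterFinished: 300` the pod, and with it the only copy of that private key, is deleted five minutes after completion, and any re-run produces a different keypair because the `optional: true` secret lookups still come back empty. Pod logs are readable by anyone holding `pods/log` in the namespace and are usually shipped to a central log store, which is not an acceptable resting place for a push-signing key. I would have the job persist both values into `mastodon-secrets` itself (a `kubectl patch secret mastodon-secrets --type merge -p ...` under a ServiceAccount whose Role is scoped to that single Secret by `resourceNames`), which assumes an API client is available in `{{ .image }}` — I cannot confirm that from here, so a `curl` against the in-cluster API with the mounted token is the fallback. Until the job does that, at minimum replace the `cat` with a comment such as `# WARNING: the private key below lands in pod logs; rotate log access accordingly` so the exposure is explicit rather than incidental.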