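---
# One-shot provisioning Job: creates the Mastodon database and role if they
# are missing and (re)applies the role password from the mastodon-secrets
# Secret, then grants the role the privileges it needs on the database.
#
# It connects as the PostgreSQL superuser (PGUSER=postgres) because CREATE
# DATABASE / CREATE USER require it. Nothing else in the deployment should
# use that credential; the application pods use {{ .dbUsername }}.
apiVersion: batch/v1
kind: Job
metadata:
  name: mastodon-db-init
  namespace: "{{ .namespace }}"
spec:
  # Finished pods are garbage-collected after 5 minutes; collect the logs
  # before then if a run needs investigating.
  ttlSecondsAfterFinished: 300
  template:
    metadata:
      labels:
        component: db-init
    spec:
      restartPolicy: OnFailure
      # The job only talks to PostgreSQL; it has no reason to hold a
      # Kubernetes API token.
      automountServiceAccountToken: false
      securityContext:
        # Enforced (not just implied by the numeric uid) so a future change
        # to a root-based image fails admission instead of running as root.
        runAsNonRoot: true
        # 999 is expected to be the `postgres` account of the official
        # image -- confirm if the image is ever swapped.
        runAsUser: 999
        runAsGroup: 999
        fsGroup: 999
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: db-init
          image: postgres:16-alpine
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: [ALL]
            # NOTE(review): a non-interactive psql run should not need to
            # write to its root filesystem; try `true` here and add an
            # emptyDir on /tmp if it turns out to be required.
            readOnlyRootFilesystem: false
          env:
            # PGHOST/PGPORT/PGUSER/PGPASSWORD are read by psql and pg_isready
            # straight from the environment; the superuser password is never
            # placed on a command line.
            - name: PGHOST
              value: "{{ .dbHostname }}"
            - name: PGPORT
              value: "{{ .dbPort }}"
            - name: PGUSER
              value: postgres
            - name: PGPASSWORD
              valueFrom:
                secretKeyRef:
                  name: mastodon-secrets
                  key: postgres.password
            # Database, role and role password that the application will use.
            - name: MASTODON_DB
              value: "{{ .dbName }}"
            - name: MASTODON_USER
              value: "{{ .dbUsername }}"
            - name: MASTODON_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: mastodon-secrets
                  key: dbPassword
          command:
            - sh
            - -c
            - |
              set -eu

              # Fail fast if the renderer left any of these empty rather than
              # creating a database or role with a blank name or password.
              : "${PGHOST:?}" "${PGPORT:?}" "${PGUSER:?}" \
                "${MASTODON_DB:?}" "${MASTODON_USER:?}" "${MASTODON_PASSWORD:?}"

              # Bounded wait (150 x 2s = 5 min). Exiting non-zero hands the
              # retry to the Job's OnFailure/backoffLimit instead of a pod
              # that spins forever if the database never comes up.
              echo "Waiting for PostgreSQL to be ready..."
              attempts=0
              until pg_isready -h "$PGHOST" -p "$PGPORT" -U "$PGUSER"; do
                attempts=$((attempts + 1))
                if [ "$attempts" -ge 150 ]; then
                  echo "PostgreSQL did not become ready in time" >&2
                  exit 1
                fi
                echo "PostgreSQL is unavailable - sleeping"
                sleep 2
              done
              echo "PostgreSQL is ready"

              # The heredoc delimiter is quoted, so the shell expands nothing
              # below. psql reads the values itself with \getenv and splices
              # them in with format(%I / %L), so a name or password containing
              # a quote can neither break the SQL nor inject into it, and the
              # password never appears in argv.
              # NOTE: the generated CREATE/ALTER USER statement still carries
              # the password in clear text over the connection and will show
              # up in server logs if log_statement is set to 'ddl' or 'all'.
              echo "Creating database, role and grants (idempotent)..."
              psql -X -v ON_ERROR_STOP=1 <<'EOSQL'
              \getenv db_name MASTODON_DB
              \getenv db_user MASTODON_USER
              \getenv db_password MASTODON_PASSWORD

              SELECT format('CREATE DATABASE %I', :'db_name')
                WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = :'db_name')\gexec

              SELECT format('CREATE USER %I WITH PASSWORD %L', :'db_user', :'db_password')
                WHERE NOT EXISTS (SELECT FROM pg_user WHERE usename = :'db_user')\gexec

              -- Re-applied on every run so the role's password tracks the Secret.
              SELECT format('ALTER USER %I WITH PASSWORD %L', :'db_user', :'db_password')\gexec

              SELECT format('GRANT ALL PRIVILEGES ON DATABASE %I TO %I', :'db_name', :'db_user')\gexec

              -- psql variables survive \connect; the schema grant must be issued
              -- from inside the target database.
              \connect :db_name
              SELECT format('GRANT ALL ON SCHEMA public TO %I', :'db_user')\gexec
              EOSQL
              echo "Database initialization complete"
---
# Runs Mastodon's pending Rails migrations once against the provisioned
# database, using the application role (not the superuser).
apiVersion: batch/v1
kind: Job
metadata:
  name: mastodon-db-migrate
  namespace: "{{ .namespace }}"
spec:
  ttlSecondsAfterFinished: 300
  template:
    metadata:
      labels:
        component: db-migrate
    spec:
      restartPolicy: OnFailure
      # Migrations need PostgreSQL and Redis only; no Kubernetes API access.
      automountServiceAccountToken: false
      securityContext:
        runAsNonRoot: true
        # 991 is expected to be the `mastodon` account of the application
        # image -- confirm against the image in use.
        runAsUser: 991
        runAsGroup: 991
        fsGroup: 991
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: db-migrate
          image: "{{ .image }}"
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: [ALL]
            # Left writable: a Rails process is assumed to write tmp/ and
            # log/ under its working directory -- verify before tightening.
            readOnlyRootFilesystem: false
          command:
            - bundle
            - exec
            - rails
            - db:migrate
          env:
            - name: LOCAL_DOMAIN
              value: "{{ .domain }}"
            - name: RAILS_ENV
              value: production
            # Rails/Mastodon application secrets. Every sensitive value is a
            # secretKeyRef so it is never rendered into the manifest.
            - name: SECRET_KEY_BASE
              valueFrom:
                secretKeyRef:
                  name: mastodon-secrets
                  key: secretKeyBase
            - name: OTP_SECRET
              valueFrom:
                secretKeyRef:
                  name: mastodon-secrets
                  key: otpSecret
            # Active Record Encryption material; presumably required because
            # some migrations touch encrypted columns -- these values must
            # match the ones given to the web/sidekiq pods.
            - name: ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
              valueFrom:
                secretKeyRef:
                  name: mastodon-secrets
                  key: activeRecordPrimaryKey
            - name: ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY
              valueFrom:
                secretKeyRef:
                  name: mastodon-secrets
                  key: activeRecordDeterministicKey
            - name: ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
              valueFrom:
                secretKeyRef:
                  name: mastodon-secrets
                  key: activeRecordKeyDerivationSalt
            # Database connection: the application role created by the
            # db-init Job above, not the postgres superuser.
            - name: DB_HOST
              value: "{{ .dbHostname }}"
            - name: DB_PORT
              value: "{{ .dbPort }}"
            - name: DB_NAME
              value: "{{ .dbName }}"
            - name: DB_USER
              value: "{{ .dbUsername }}"
            - name: DB_PASS
              valueFrom:
                secretKeyRef:
                  name: mastodon-secrets
                  key: dbPassword
            - name: REDIS_HOST
              value: "{{ .redisHostname }}"
            - name: REDIS_PORT
              value: "{{ .redisPort }}"
            - name: REDIS_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: mastodon-secrets
                  key: redis.password
          # NOTE(review): db:migrate is not expected to read or write these
          # volumes; they look mirrored from the web pod spec. Dropping them
          # would shrink what a compromised migration run can touch.
          volumeMounts:
            - name: assets
              mountPath: /opt/mastodon/public/assets
            - name: system
              mountPath: /opt/mastodon/public/system
      volumes:
        - name: assets
          persistentVolumeClaim:
            claimName: mastodon-assets
        - name: system
          persistentVolumeClaim:
            claimName: mastodon-system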