add minio subchart

.github/workflows/ci-helm-lint-test.yml

@@ -84,3 +84,45 @@ jobs:
             ct install \
                 --target-branch ${{ github.event.repository.default_branch }} \
                 --helm-extra-set-args "--values ./charts/pixelfed/test-values/postgresql-plain.yaml"
+
+  test_plain_minio:
+    name: Test chart plain with minio subchart
+    runs-on: ubuntu-latest
+    needs: lint
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: "0"
+          ref: ${{ github.event.pull_request.head.ref }}
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+
+      - name: Install Helm
+        uses: azure/setup-helm@v4
+
+      - name: Add dependency chart repos
+        run: |
+          helm repo add bitnami https://charts.bitnami.com/bitnami
+
+      - name: Set up chart-testing
+        uses: helm/chart-testing-action@v2.7.0
+
+      - name: Run chart-testing (list-changed)
+        id: list-changed
+        run: |
+          changed=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }})
+          if [[ -n "$changed" ]]; then
+            echo "changed=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Create kind cluster
+        uses: helm/kind-action@v1.12.0
+        if: steps.list-changed.outputs.changed == 'true'
+
+      - name: Run chart-testing (install)
+        id: install
+        if: steps.list-changed.outputs.changed == 'true'
+        run: |
+            ct install \
+                --target-branch ${{ github.event.repository.default_branch }} \
+                --helm-extra-set-args "--values ./charts/pixelfed/test-values/minio-plain.yaml"

charts/pixelfed/Chart.lock

@@ -8,5 +8,8 @@ dependencies:
 - name: mariadb
   repository: oci://registry-1.docker.io/bitnamicharts
   version: 20.2.2
-digest: sha256:ab9c547cea93017a3a65f289e1573ee936a6925d3762200bb24d6e5dc512003c
-generated: "2025-01-23T22:50:42.4566+01:00"
+- name: minio
+  repository: oci://registry-1.docker.io/bitnamicharts
+  version: 14.10.5
+digest: sha256:7df7ad6adc934f88fc660a95c9e9dd342f7daf39e0351b84415d4d8e7608e7e6
+generated: "2025-01-23T20:17:44.237852195-06:00"

charts/pixelfed/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.19.1
+version: 0.20.0
 
 # This is the version number of the application being deployed.
 # renovate:image=ghcr.io/mattlqx/docker-pixelfed
@@ -41,3 +41,8 @@ dependencies:
     version: 20.2.2
     repository: oci://registry-1.docker.io/bitnamicharts
     condition: mariadb.enabled
+
+  - name: minio
+    version: 14.10.5
+    repository: oci://registry-1.docker.io/bitnamicharts
+    condition: minio.enabled

charts/pixelfed/README.md

@@ -1,6 +1,6 @@
 # Pixelfed Helm Chart
 
-![Version: 0.19.1](https://img.shields.io/badge/Version-0.19.1-informational?style=flat-square)  ![AppVersion: v0.12.4-nginx](https://img.shields.io/badge/AppVersion-v0.12.4--nginx-informational?style=flat-square)
+![Version: 0.20.0](https://img.shields.io/badge/Version-0.20.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.12.4-nginx](https://img.shields.io/badge/AppVersion-v0.12.4--nginx-informational?style=flat-square)
 
 A Helm chart for deploying Pixelfed on Kubernetes
 
@@ -96,6 +96,7 @@ These are all subcharts that you can choose to install, but you can also bring y
 | Repository | Name | Version |
 |------------|------|---------|
 | oci://registry-1.docker.io/bitnamicharts | mariadb | 20.2.2 |
+| oci://registry-1.docker.io/bitnamicharts | minio | 14.10.5 |
 | oci://registry-1.docker.io/bitnamicharts | postgresql | 16.4.5 |
 | oci://registry-1.docker.io/bitnamicharts | valkey | 2.2.3 |
 
@@ -182,12 +183,26 @@ persistence:
 | mariadb.auth.rootPassword | string | `"newRootPassword123"` | Password for the root user. Ignored if existing secret is provided. |
 | mariadb.auth.username | string | `"pixelfed"` | Name for a custom user to create |
 | mariadb.enabled | bool | `false` | enable mariadb subchart - currently experimental for this chart read more about the values: https://github.com/bitnami/charts/tree/main/bitnami/mariadb |
+| minio.disableWebUI | bool | `true` | disable the minio web ui |
+| minio.enabled | bool | `false` | enable the bundled [minio sub chart from Bitnami](https://github.com/bitnami/charts/blob/main/bitnami/minio/README.md#parameters). |
+| minio.fullnameOverride | string | `"minio"` |  |
+| minio.global.storageClass | string | `""` |  |
+| minio.provisioning.buckets | list | `[{"name":"pixelfed"}]` | buckets to provision. Only one bucket is supported for auto configuration in this chart. |
+| minio.provisioning.enabled | bool | `true` | enable the provisioning of minio buckets/policies/users during the deployment |
+| minio.provisioning.extraCommands | list | `["mc anonymous set download provisioning/pixelfed"]` | commands to run after provisioning. |
+| minio.provisioning.policies | list | `[{"name":"pixelfed-full","statements":[{"actions":["s3:*"],"effect":"Allow","resources":["arn:aws:s3:::pixelfed","arn:aws:s3:::pixelfed/*"]}]}]` | policies to provision. Only one policy is supported for auto configuration in this chart. |
+| minio.provisioning.users | list | `[{"disabled":false,"password":"pixelfedMinio","policies":["pixelfed-full"],"setPolicies":true,"username":"minio-pf"}]` | users to provision. Only one user is supported for auto configuration in this chart. Should be changed to a random password. |
+| minio.tls.autoGenerated | bool | `true` |  |
+| minio.tls.enabled | bool | `true` |  |
+| minio.tls.pixelfedInitContainer | object | `{"args":["apt update && apt install -y ca-certificates && update-ca-certificates && cp -r /etc/ssl/certs/* /cacert/"],"command":["/bin/sh","-c"],"image":"debian:latest","name":"add-minio-cert","securityContext":{"runAsGroup":0,"runAsUser":0},"volumeMounts":[{"mountPath":"/usr/local/share/ca-certificates/minio.crt","name":"minio-crt","readOnly":false,"subPath":"ca.crt"},{"mountPath":"/cacert","name":"cert-tmp","readOnly":false}]}` | use an init container to add the autogenerated minio certificate to the pixelfed container |
+| minio.tls.pixelfedVolumeMounts | list | `[{"mountPath":"/etc/ssl/certs","name":"cert-tmp","readOnly":false}]` | mount the shared ca-certificates directory to the pixelfed container |
+| minio.tls.pixelfedVolumes | list | `[{"name":"minio-crt","secret":{"secretName":"minio-crt"}},{"emptyDir":{},"name":"cert-tmp"}]` | mounts for the minio certificate and the temporary directory |
 | nameOverride | string | `""` | This is to override the chart name. |
 | nodeSelector | object | `{}` | put the pixelfed pod on a specific node/nodegroup |
-| persistence.accessModes | list | `["ReadWriteOnce"]` | accessMode |
+| persistence.accessModes | list | `["ReadWriteOnce"]` | accessMode. Should be set to '["ReadWriteMany"]' for seperate worker to be able to upload from local storage to S3 |
 | persistence.enabled | bool | `false` | enable persistence for the pixelfed pod |
 | persistence.existingClaim | string | `""` | using an existing PVC instead of creating one with this chart |
-| persistence.storage | string | `"2Gi"` | size of the persistent volume claim to create. Tgnored if persistence.existingClaim is set |
+| persistence.storage | string | `"2Gi"` | size of the persistent volume claim to create. Ignored if persistence.existingClaim is set |
 | persistence.storageClassName | string | `""` | storage class name |
 | phpConfigs | object | `{}` | PHP Configuration files Will be injected in /usr/local/etc/php-fpm.d |
 | pixelfed.account_deletion | bool | `true` | Enable account deletion (may be a requirement in some jurisdictions) |
@@ -281,6 +296,7 @@ persistence:
 | pixelfed.pf.max_user_blocks | int | `50` | The max number of user blocks per account |
 | pixelfed.pf.max_user_mutes | int | `50` | The max number of user mutes per account |
 | pixelfed.pf.max_users | int | `1000` | Limit max user registrations |
+| pixelfed.pf.media_fast_process | bool | `true` | Posts are published without waiting for media to be optimized/uploaded to S3. However, posts may be federated without S3 urls. |
 | pixelfed.pf.optimize_images | bool | `true` | Enable image optimization |
 | pixelfed.pf.optimize_videos | bool | `true` | Enable video optimization |
 | pixelfed.s3.access_key_id | string | `""` | s3 access_key_id. ignored if s3.existingSecretKeys.access_key_id is set |
@@ -295,6 +311,7 @@ persistence:
 | pixelfed.s3.secret_access_key | string | `""` | s3 secret_access_key. ignored if s3.existingSecretKeys.secret_access_key is set |
 | pixelfed.s3.url | string | `""` | s3 url including protocol such as https://s3.domain.com |
 | pixelfed.s3.use_path_style_endpoint | bool | `false` | use S3 path type instead of using a DNS subdomain |
+| pixelfed.s3.visibility | string | `"public"` | visibility of the bucket |
 | pixelfed.session_domain | string | `""` | domain of session? |
 | pixelfed.stories_enabled | bool | `false` | Enable the Stories feature |
 | pixelfed.timezone | string | `"europe/amsterdam"` | timezone for docker container |

charts/pixelfed/templates/_helpers.tpl

@@ -67,3 +67,56 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{/*
+Ensure minio password is set appropriately
+*/}}
+{{- if .Values.minio.enabled }}
+    {{- if or (len (index .Values.minio.provisioning.users 0 "password") lt 8) (len (index .Values.minio.provisioning.users 0 "password") gt 40) }}
+        {{- fail "pixelfed minio default user password not set. Set with --set minio.provisioning.users[0].password=..." }}
+    {{- end }}
+{{- end }}
+
+{{/*
+Helper variable to check if autogenerated minio cert are enabled.
+*/}}
+{{- define "pixelfed.minio.autogeneratedTls" -}}
+{{- if and .Values.minio.tls.enabled .Values.minio.tls.autoGenerated }}
+true
+{{- else }}
+false
+{{- end }}
+{{- end }}
+
+{{/*
+Merge extraInitContainers with any expected ones from the minio subchart.
+*/}}
+{{- define "pixelfed.mergedInitContainers" -}}
+{{- $mergedInitContainers := .Values.extraInitContainers }}
+{{- if eq (include "pixelfed.minio.autogeneratedTls" .) "true" }}
+{{- $mergedInitContainers = append $mergedInitContainers .Values.minio.tls.pixelfedInitContainer }}
+{{- end }}
+{{- toYaml $mergedInitContainers }}
+{{- end }}
+
+{{/*
+Merge extraVolumes with any expected ones from the minio subchart.
+*/}}
+{{- define "pixelfed.mergedVolumes" -}}
+{{- $mergedVolumes := .Values.extraVolumes }}
+{{- if eq (include "pixelfed.minio.autogeneratedTls" .) "true" }}
+{{- $mergedVolumes = concat $mergedVolumes .Values.minio.tls.pixelfedVolumes }}
+{{- end }}
+{{- toYaml $mergedVolumes }}
+{{- end }}
+
+{{/*
+Merge extraVolumeMounts with any expected ones from the minio subchart.
+*/}}
+{{- define "pixelfed.mergedVolumeMounts" -}}
+{{- $mergedVolumeMounts := .Values.extraVolumeMounts }}
+{{- if eq (include "pixelfed.minio.autogeneratedTls" .) "true" }}
+{{- $mergedVolumeMounts = concat $mergedVolumeMounts .Values.minio.tls.pixelfedVolumeMounts }}
+{{- end }}
+{{- toYaml $mergedVolumeMounts }}
+{{- end }}

charts/pixelfed/templates/configmap_env.yaml

@@ -120,6 +120,23 @@ data:
   MAIL_FROM_ADDRESS: "{{ .Values.pixelfed.mail.from_address }}"
   MAIL_FROM_NAME: "{{ .Values.pixelfed.mail.from_name }}"
 
+  # s3
+  AWS_VISIBILITY: {{ .Values.pixelfed.s3.visibility | quote }}
+  {{- if not .Values.minio.enabled }}
+  AWS_DEFAULT_REGION: {{ .Values.pixelfed.s3.region | quote }}
+  AWS_BUCKET: {{ .Values.pixelfed.s3.bucket | quote }}
+  AWS_USE_PATH_STYLE_ENDPOINT: {{ .Values.pixelfed.s3.use_path_style_endpoint | quote }}
+  {{- else }}
+  # when minio is enabled
+  {{- if .Values.pixelfed.s3.bucket }}
+  AWS_BUCKET: {{ .Values.pixelfed.s3.bucket | quote }}
+  {{- else if .Values.minio.provisioning.enabled }}
+  AWS_BUCKET: {{ index .Values.minio.provisioning.buckets 0 "name" | quote }}
+  {{- end }}
+  AWS_DEFAULT_REGION: "us-east-1" # unneeded for minio, but required for s3 driver
+  AWS_USE_PATH_STYLE_ENDPOINT: "true" # expected for minio
+  {{- end }}
+
   # database configuration
   DB_CONNECTION: {{ .Values.pixelfed.db.connection }}
   DB_APPLY_NEW_MIGRATIONS_AUTOMATICALLY: "{{ .Values.pixelfed.db.apply_new_migrations_automatically }}"

charts/pixelfed/templates/deployment.yaml

@@ -37,9 +37,11 @@ spec:
       securityContext:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.extraInitContainers }}
+      {{- with (include "pixelfed.mergedInitContainers" .) }}
+      {{- if len . | gt 0 }}
       initContainers:
-        {{- toYaml . | nindent 8 }}
+        {{- . | nindent 8 }}
+      {{- end }}
       {{- end }}
       containers:
         {{- with .Values.extraContainers }}
@@ -173,6 +175,50 @@ spec:
                   key: password
                   {{- end }}
 
+            # s3
+            {{- if or (.Values.pixelfed.s3.existingSecret) (and .Values.minio.enabled .Values.minio.provisioning.enabled) }}
+            - name: AWS_URL
+              valueFrom:
+                secretKeyRef:
+                  {{- if .Values.pixelfed.s3.existingSecret }}
+                  name: {{ .Values.pixelfed.s3.existingSecret }}
+                  key: {{ .Values.pixelfed.s3.existingSecretKeys.url }}
+                  {{- else }}
+                  name: {{ include "pixelfed.fullname" . }}-s3
+                  key: url
+                  {{- end }}
+            - name: AWS_ENDPOINT
+              valueFrom:
+                secretKeyRef:
+                  {{- if .Values.pixelfed.s3.existingSecret }}
+                  name: {{ .Values.pixelfed.s3.existingSecret }}
+                  key: {{ .Values.pixelfed.s3.existingSecretKeys.endpoint }}
+                  {{- else }}
+                  name: {{ include "pixelfed.fullname" . }}-s3
+                  key: endpoint
+                  {{- end }}
+            - name: AWS_ACCESS_KEY_ID
+              valueFrom:
+                secretKeyRef:
+                  {{- if .Values.pixelfed.s3.existingSecret }}
+                  name: {{ .Values.pixelfed.s3.existingSecret }}
+                  key: {{ .Values.pixelfed.s3.existingSecretKeys.access_key_id }}
+                  {{- else }}
+                  name: {{ include "pixelfed.fullname" . }}-s3
+                  key: access_key_id
+                  {{- end }}
+            - name: AWS_SECRET_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  {{- if .Values.pixelfed.s3.existingSecret }}
+                  name: {{ .Values.pixelfed.s3.existingSecret }}
+                  key: {{ .Values.pixelfed.s3.existingSecretKeys.secret_access_key }}
+                  {{- else }}
+                  name: {{ include "pixelfed.fullname" . }}-s3
+                  key: secret_access_key
+                  {{- end }}
+            {{- end }}
+
             # database configuration
             {{- if .Values.externalDatabase.enabled }}
             - name: DB_HOST
@@ -259,10 +305,10 @@ spec:
             {{- toYaml . | nindent 12 }}
           {{- end }}
 
-          {{- if or .Values.extraVolumeMounts .Values.phpConfigs .Values.persistence.enabled }}
+          {{- if or (len (include "pixelfed.mergedVolumeMounts" .) | gt 0) .Values.phpConfigs .Values.persistence.enabled }}
           volumeMounts:
-            {{- with .Values.extraVolumeMounts }}
-              {{- toYaml . | nindent 12 }}
+            {{- with (include "pixelfed.mergedVolumeMounts" .) }}
+              {{- . | nindent 12 }}
             {{- end }}
             {{- range $key, $value := .Values.phpConfigs }}
             - name: phpconfig
@@ -275,10 +321,10 @@ spec:
             {{- end }}
           {{- end }}{{/* end volumeMounts */}}
 
-      {{- if or .Values.phpConfigs .Values.extraVolumes .Values.persistence.enabled }}
+      {{- if or .Values.phpConfigs (len (include "pixelfed.mergedVolumes" .) | gt 0) .Values.persistence.enabled }}
       volumes:
-        {{- with .Values.extraVolumes }}
-          {{- toYaml . | nindent 8 }}
+        {{- with (include "pixelfed.mergedVolumes" .) }}
+          {{- . | nindent 8 }}
         {{- end }}
         {{- if .Values.persistence.enabled }}
         - name: storage