chart/values.yaml

image:
  repository: ghcr.io/mastodon/mastodon
  # https://github.com/mastodon/mastodon/pkgs/container/mastodon
  #
  # alternatively, use `latest` for the latest release or `edge` for the image
  # built from the most recent commit
  #
  # tag: latest
  tag: ""
  # use `Always` when using `latest` tag
  pullPolicy: IfNotPresent

mastodon:
  # Labels added to every Mastodon-related object
  labels: {}
  # Labes added to every deployed mastodon pod
  podLabels: {}

  # -- create an initial administrator user; the password is autogenerated and will
  # have to be reset
  createAdmin:
    # @ignored
    enabled: false
    # @ignored
    username: not_gargron
    # @ignored
    email: not@example.com
  hooks:
    # Whether to perform DB schema creation on `helm install`.
    # Please note that this does not work when using the included database
    # (postgresql.enabled=true).
    # NOTE: When using certain GitOps solutions such as Argo CD, this should be
    # disabled, as these apps do not necessarily differentiate between `pre-install`
    # and `pre-upgrade`.
    dbPrepare:
      enabled: true
    # Whether to perform DB migrations on `helm upgrade`.
    dbMigrate:
      enabled: true

    # WARNING: deploySearch is potentially a very expensive job!
    # Only enable this once at a time, when you deploy elasticsearch or when
    # the upgrade notes for a new mastodon version request rebuilding search.
    # Recommended use is via `-f mastodon.hooks.deploySearch.enabled=true`
    # to ensure the job is only dispatched for a single upgrade when required.
    # This job may take days to run on very large instances. Even small
    # instances may take long enough to trigger helm's completion timeout, so
    # DO NOT PANIC if helm complains; simply verify the job is still running.
    #
    # Builds or rebuilds the elasticsearch indices via `tootctl deploy search`
    # with timing hooks to ensure the job runs immediately after install/upgrade
    # and will be restarted if another, corrective upgrade is triggered.
    # Please check the tootctl documentation and upgrade notes to pick values.
    #
    # NOTE: The resource stanza set below is intentionally very conservative.
    # Consider assigning a liberal chunk of your cluster's typical headroom.
    deploySearch:
      enabled: false
      resetChewy: true
      # one index name. Possible values: instances, accounts, tags, statuses, public_statuses
      only: ""
      concurrency: 5
      resources: # this accepts any keys in a full container resources stanza.
        requests:
          cpu: 250m
          memory: 256Mi
        limits:
          cpu: 500m

    # Upload website assets to S3 before deploying using rclone.
    # Whenever there is an update to Mastodon, sometimes there are assets files
    # that are renamed. As the pods are getting redeployed, and old/new pods are
    # present simultaneously, there is a chance that old asset files are
    # requested from pods that don't have them anymore, or new asset files are
    # requested from old pods. Uploading asset files to S3 in this manner solves
    # this potential conflict.
    # Note that you will need to CDN/proxy to send all requests to /assets and
    # /packs to this bucket.
    s3Upload:
      enabled: false
      endpoint:
      bucket:
      acl: public-read
      secretRef:
        name:
        keys:
          accesKeyId: acces-key-id
          secretAccessKey: secret-access-key
      rclone:
        # Any additional environment variables to pass to rclone.
        env: {}
  # Custom labels to add to kubernetes resources
  #labels:
  # -- deploy search to elastsicsearch. Requires .elasticsearch.enabled = true
  cron:
    # -- run `tootctl media remove` every week
    removeMedia:
      # @ignored
      enabled: true
      # @ignored
      schedule: "0 0 * * 0"
  # -- available locales: https://github.com/mastodon/mastodon/blob/main/config/application.rb#L71
  locale: en
  local_domain: mastodon.local
  # -- Use of WEB_DOMAIN requires careful consideration: https://docs.joinmastodon.org/admin/config/#federation
  # You must redirect the path LOCAL_DOMAIN/.well-known/ to WEB_DOMAIN/.well-known/ as described
  # Example: mastodon.example.com
  web_domain: null
  # -- If you have multiple domains pointed at your Mastodon server, this setting will allow Mastodon to recognize
  # itself when users are addressed using those other domains.
  alternate_domains: []
  # -- Comma-separated list of public IP addresses of trusted reverse proxy servers reaching Mastodon web and streaming servers
  # Specifying overrides default list. More info: https://docs.joinmastodon.org/admin/config/#trusted_proxy_ip
  # trusted_proxy_ip:
  # -- If set to true, the frontpage of your Mastodon server will always redirect to the first profile in the database and registrations will be disabled.
  singleUserMode: false
  # -- Enables "Secure Mode" for more details see: https://docs.joinmastodon.org/admin/config/#authorized_fetch
  authorizedFetch: false
  # -- Enables "Limited Federation Mode" for more details see: https://docs.joinmastodon.org/admin/config/#limited_federation_mode
  limitedFederationMode: false
  persistence:
    assets:
      # -- ReadWriteOnce is more widely supported than ReadWriteMany, but limits
      # scalability, since it requires the Rails and Sidekiq pods to run on the
      # same node.
      accessMode: ReadWriteOnce
      resources:
        requests:
          storage: 10Gi
      # -- name of existing persistent volume claim to use for assets
      existingClaim:
    system:
      accessMode: ReadWriteOnce
      resources:
        requests:
          storage: 100Gi
      # -- name of existing persistent volume claim to use for system
      existingClaim:
  s3:
    enabled: false
    access_key: ""
    access_secret: ""
    # -- you can also specify the name of an existing Secret
    # with keys AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
    existingSecret: ""
    bucket: ""
    endpoint: ""
    hostname: ""
    region: ""
    permission: ""
    # -- If you have a caching proxy, enter its base URL here.
    alias_host: ""
    # When uploading data to S3, if the number of bytes to send exceedes
    # multipart_threshold then a multi part session is automatically started
    # and the data is sent up in chunks. Defaults to 16777216 (16MB).
    multipart_threshold: ""
    # -- Set this to true if the storage provider uses domain style 'bucket.endpoint' naming
    # override_path_style: "true"
  deepl:
    enabled: false
    plan:
    apiKeySecretRef:
      name:
      key:
  hcaptcha:
    enabled: false
    siteId:
    secretKeySecretRef:
      name:
      key:
  # these must be set manually; autogenerated keys are rotated on each upgrade
  secrets:
    secret_key_base: ""
    otp_secret: ""
    vapid:
      private_key: ""
      public_key: ""
    activeRecordEncryption:
      primaryKey: ""
      deterministicKey: ""
      keyDerivationSalt: ""
    # -- you can also specify the name of an existing Secret
    # with keys:
    # - SECRET_KEY_BASE
    # - OTP_SECRET
    # - VAPID_PRIVATE_KEY
    # - VAPID_PUBLIC_KEY
    # - ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
    # - ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY
    # - ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
    existingSecret: ""

  # -- The number of old revisions to keep for each Deployment in Kubernetes.
  #    See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy
  revisionHistoryLimit: 2

  sidekiq:
    # -- Pod security context for all Sidekiq Pods, overwrites .Values.podSecurityContext
    podSecurityContext: {}
    # -- (Sidekiq Container) Security Context for all Pods, overwrites .Values.securityContext
    securityContext: {}
    # -- Resources for all Sidekiq Deployments unless overwritten
    resources: {}
    # -- Affinity for all Sidekiq Deployments unless overwritten, overwrites .Values.affinity
    affinity: {}
    # -- Annotations to apply to the deployment object(s) for sidekiq.
    # -- These are applied in addition to deploymentAnnotations.
    annotations: {}
    # -- Labels to apply to the deployment object(s) for sidekiq.
    # -- These are applied in addition to mastodon.labels.
    labels: {}
    # -- Annotations to apply to the sidekiq pods.
    # -- These are applied in addition to the global podAnnotations.
    podAnnotations: {}
    # -- Labels to apply to the sidekiq pods.
    # -- These are applied in addition to mastodon.labels.
    podLabels: {}
    # Rollout strategy to use when updating pods.
    # Recreate will help reduce the number of retried jobs when updating when
    # the code introduces a new job as the pods are all replaced immediately.
    # RollingUpdate can help with larger clusters if job retries aren't an
    # issue, as it will reduce strain by replacing pods more slowly. It is
    # strongly recommended to enable the readinessProbe when using RollingUpdate.
    # ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
    updateStrategy:
      type: Recreate
    # Readiness probe configuration
    # NOTE: Readiness probe will only work on versions of Mastodon built after 2024-07-10.
    readinessProbe:
      enabled: false
      path: /opt/mastodon/tmp/sidekiq_process_has_started_and_will_begin_processing_jobs
      initialDelaySeconds: 10
      periodSeconds: 2
      successThreshold: 1
      timeoutSeconds: 1
    # -- Topology spread constraints for Sidekiq Pods, overwrites .Values.topologySpreadConstraints
    topologySpreadConstraints: {}
    # limits:
    #   cpu: "1"
    #   memory: 768Mi
    # requests:
    #   cpu: 250m
    #   memory: 512Mi

    # Open Telemetry configuration for sidekiq pods. Overrides global settings.
    otel:
      enabled:
      exporterUri:
      namePrefix:
      nameSeparator:

    workers:
      - name: all-queues
        # -- Number of threads / parallel sidekiq jobs that are executed per Pod
        concurrency: 25
        # -- Number of Pod replicas deployed by the Deployment
        replicas: 1
        # -- Resources for this specific deployment to allow optimised scaling, overwrites .Values.mastodon.sidekiq.resources
        resources: {}
        # -- Affinity for this specific deployment, overwrites .Values.affinity and .Values.mastodon.sidekiq.affinity
        affinity: {}
        # -- Topology spread constraints for this specific deployment, overwrites .Values.topologySpreadConstraints and .Values.mastodon.sidekiq.topologySpreadConstraints
        topologySpreadConstraints: {}
        # -- Sidekiq queues for Mastodon that are handled by this worker. See https://docs.joinmastodon.org/admin/scaling/#concurrency
        # See https://github.com/mperham/sidekiq/wiki/Advanced-Options#queues for how to weight queues as argument
        queues:
          - default,8
          - push,6
          - ingress,4
          - mailers,2
          - pull
          - scheduler # Make sure the scheduler queue only exists once and with a worker that has 1 replica.
        image:
          repository:
          tag:
        # allows you to mount a custom database.yml from a configmap
        # please note that we do not advise using a read-only replica for sidekiq workers
        customDatabaseConfigYml:
          configMapRef:
            name:
            key:
    #- name: push-pull
    #  concurrency: 50
    #  resources: {}
    #  replicas: 2
    #  queues:
    #    - push
    #    - pull
    #- name: mailers
    #  concurrency: 25
    #  replicas: 2
    #  queues:
    #    - mailers
    #- name: default
    #  concurrency: 25
    #  replicas: 2
    #  queues:
    #    - default
  smtp:
    auth_method: plain
    ca_file: /etc/ssl/certs/ca-certificates.crt
    delivery_method: smtp
    domain:
    enable_starttls: "auto"
    from_address: notifications@example.com
    return_path:
    openssl_verify_mode: peer
    port: 587
    reply_to:
    server: smtp.mailgun.org
    tls: false
    login:
    password:
    # -- Instead of defining login/password above, you can specify the name of an existing secret here. Login and
    # password must be located in keys named `login` and `password` respectively.
    existingSecret:
  streaming:
    image:
      # streaming image split in Mastodon v4.3.0
      repository: ghcr.io/mastodon/mastodon-streaming
      # other options: `latest` for the latest release or `edge` for most recent commit
      tag: ""
    port: 4000
    # -- this should be set manually since os.cpus() returns the number of CPUs on
    # the node running the pod, which is unrelated to the resources allocated to
    # the pod by k8s
    workers: 1
    # -- The base url for streaming can be set if the streaming API is deployed to
    # a different domain/subdomain.
    base_url: null
    # -- Number of Streaming Pods running
    replicas: 1
    # -- Affinity for Streaming Pods, overwrites .Values.affinity
    affinity: {}
    # -- Annotations to apply to the deployment object for streaming.
    # -- These are applied in addition to deploymentAnnotations.
    annotations: {}
    # -- Labels to apply to the deployment object for streaming.
    # -- These are applied in addition to mastodon.labels.
    labels: {}
    # -- Annotations to apply to the streaming pods.
    # -- These are applied in addition to the global podAnnotations.
    podAnnotations: {}
    # -- Labels to apply to the streaming pods.
    # -- These are applied in addition to mastodon.labels.
    podLabels: {}
    # Rollout strategy to use when updating pods
    # ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
    updateStrategy:
      type: RollingUpdate
      rollingUpdate:
        maxSurge: 10%
        maxUnavailable: 25%
    # -- Topology spread constraints for Streaming Pods, overwrites .Values.topologySpreadConstraints
    topologySpreadConstraints: {}
    # -- Pod Security Context for Streaming Pods, overwrites .Values.podSecurityContext
    podSecurityContext: {}
    # -- (Streaming Container) Security Context for Streaming Pods, overwrites .Values.securityContext
    securityContext: {}
    # -- (Streaming Container) Resources for Streaming Pods, overwrites .Values.resources
    resources: {}
    # limits:
    #   cpu: "500m"
    #   memory: 512Mi
    # requests:
    #   cpu: 250m
    #   memory: 128Mi
    # -- PodDisruptionBudget configuration - See https://kubernetes.io/docs/tasks/run-application/configure-pdb/
    pdb:
      enable: false
    # minAvailable: 1
    # maxUnavailable: 1
    # -- Puma-specific options. Below values are based on default behavior in
    # config/puma.rb when no custom values are provided.
    # -- Self-signed certificate(s) the (Node.js) needs to trust to connect to e.g. the database
    extraCerts: {}
    # -- Secret containing a key "ca.crt" holding one or more root certificates in PEM format
    #  existingSecret:
    # -- Optional volume name for mounting the .crt file, defaults to "extra-certs"
    #  name:
    # -- Optional sslMode setting. See nodejs's SSL_MODE. Consider "no-verify"
    #  sslMode:

    # Specify extra environment variables to be added to streaming pods.
    extraEnvVars: {}

  web:
    port: 3000
    # -- Number of Web Pods running
    replicas: 1
    # -- Affinity for Web Pods, overwrites .Values.affinity
    affinity: {}
    # -- Annotations to apply to the deployment object for web.
    # -- These are applied in addition to deploymentAnnotations.
    annotations: {}
    # -- Labels to apply to the deployment object for web.
    # -- These are applied in addition to mastodon.labels.
    labels: {}
    # -- Annotations to apply to the web pods.
    # -- These are applied in addition to the global podAnnotations.
    podAnnotations: {}
    # -- Labels to apply to the web pods.
    # -- These are applied in addition to mastodon.labels.
    podLabels: {}
    # Rollout strategy to use when updating pods
    # ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
    updateStrategy:
      type: RollingUpdate
      rollingUpdate:
        maxSurge: 10%
        maxUnavailable: 25%
    # -- Topology spread constraints for Web Pods, overwrites .Values.topologySpreadConstraints
    topologySpreadConstraints: {}
    # -- Pod Security Context for Web Pods, overwrites .Values.podSecurityContext
    podSecurityContext: {}
    # -- (Web Container) Security Context for Web Pods, overwrites .Values.securityContext
    securityContext: {}
    # -- (Web Container) Resources for Web Pods, overwrites .Values.resources
    resources: {}
    # limits:
    #   cpu: "1"
    #   memory: 1280Mi
    # requests:
    #   cpu: 250m
    #   memory: 768Mi
    # -- PodDisruptionBudget configuration - See https://kubernetes.io/docs/tasks/run-application/configure-pdb/
    pdb:
      enable: false
    # minAvailable: 1
    # maxUnavailable: 1
    # -- Puma-specific options. Below values are based on default behavior in
    # config/puma.rb when no custom values are provided.
    minThreads: "5"
    maxThreads: "5"
    workers: "2"
    persistentTimeout: "20"
    image:
      repository:
      tag:
    # allows you to mount a custom database.yml from a configmap
    # for example if you want to use a read-only replica
    customDatabaseConfigYml:
      configMapRef:
        name:
        key:

    # Open Telemetry configuration for web pods. Overrides global settings.
    otel:
      enabled:
      exporterUri:
      namePrefix:
      nameSeparator:

  # HTTP cache buster configuration.
  # See the documentation for more information about this feature:
  # https://docs.joinmastodon.org/admin/config/#http-cache-buster
  cacheBuster:
    enabled: false
    httpMethod: "GET"
    # If the cache service requires authentication, specify the header name and
    # secret/token here.
    authHeader:
    authToken:
      existingSecret:

  metrics:
    statsd:
      # -- Enable statsd publishing via STATSD_ADDR environment variable
      address: ""
      # -- Alternatively, you can use this to have a statsd_exporter sidecar container running along all Mastodon containers and exposing metrics in OpenMetric/Prometheus format on each pod
      #   Please note the exporter will not be enabled if metrics.statsd.address is not empty
      exporter:
        enabled: false
        port: 9102

    # Settings for Prometheus metrics. NOTE: Only available in Mastodon v4.4.
    # For more information, see:
    # https://docs.joinmastodon.org/admin/config/#prometheus
    prometheus:
      enabled: false
      # Port for the exporter to listen on
      port: 9394

      # Prometheus for web pods
      web:
        # Collect per-controller/action metrics for every request
        detailed: false

      # Prometheus for sidekiq pods
      sidekiq:
        # Collect per-job metrics for every job
        detailed: false

  # Open Telemetry configuration for all deployments. Component-specific
  # configuration will override these values.
  otel:
    enabled: false
    exporterUri:
    namePrefix: mastodon
    nameSeparator: "-"

  # Sets the PREPARED_STATEMENTS environment variable: https://docs.joinmastodon.org/admin/config/#prepared_statements
  preparedStatements: true


  # Specify extra environment variables to be added to all Mastodon pods.
  # These can be used for configuration not included in this chart (including configuration for Mastodon varietals.)
  extraEnvVars: {}

  # Alternatively specify extra environment variables stored in a ConfigMap.
  # The specified ConfigMap should contain the additional environment variables in key-value format.
  # extraEnvFrom: <config-map-name>


ingress:
  enabled: true
  annotations:
    # For choosing an ingress ingressClassName is preferred over annotations
    # kubernetes.io/ingress.class: nginx
    #
    # To automatically request TLS certificates use one of the following
    # kubernetes.io/tls-acme: "true"
    # cert-manager.io/cluster-issuer: "letsencrypt"
    #
    # ensure that NGINX's upload size matches Mastodon's
    #   for the K8s ingress controller:
    # nginx.ingress.kubernetes.io/proxy-body-size: 40m
    #   for the NGINX ingress controller:
    # nginx.org/client-max-body-size: 40m
  # -- you can specify the ingressClassName if it differs from the default
  ingressClassName:
  hosts:
    - host: mastodon.local
      paths:
        - path: "/"
  tls:
    - secretName: mastodon-tls
      hosts:
        - mastodon.local

  # This allows you to have a separate ingress for streaming
  # When enabled, the main ingress will no longer handle streaming requests.
  # You will also need to configure mastodon.streaming.base_url accordingly
  streaming:
    enabled: false
    annotations:
    ingressClassName:
    hosts:
      - host: streaming.mastodon.local
        paths:
          - path: "/"
    tls:
      - secretName: mastodon-tls
        hosts:
          - streaming.mastodon.local

# Configuration for Elasticsearch.
# When enabled, the bitnami helm chart is used for Elasticsearch deployment, and
# all values here correspond to their values file. Please see the bitnami chart
# documentation:
# https://github.com/bitnami/charts/tree/master/bitnami/elasticsearch#parameters
#
# Please note that we recommend using your own deployment for better management.
elasticsearch:
  # Elasticsearch is powering full-text search. It is optional.

  # `false` will not install Elasticsearch as part of this chart
  #
  # if you enable ES after the initial install, you will need to manually run
  # RAILS_ENV=production bundle exec rake chewy:sync
  # (https://docs.joinmastodon.org/admin/optional/elasticsearch/)
  enabled: true
  # @ignored
  image:
    tag: 7

  # If you are using an external ES cluster, use `enabled: false` and set the hostname, port,
  # and whether the cluster uses TLS.
  # hostname:
  # port: 9200
  # tls: true
  # preset: single_node_cluster

  # This is optional, use it if you ES cluster requires authentication
  # user:
  # Name of an existing secret with a password key
  # existingSecret:

# Configuration for PostgreSQL.
# When enabled, the bitnami helm chart is used for PostgreSQL deployment, and
# all values here correspond to their values file. Please see the bitnami chart
# documentation:
# https://github.com/bitnami/charts/tree/master/bitnami/postgresql#parameters
#
# Please note that we recommend using your own deployment for better management.
postgresql:
  # -- disable if you want to use an existing db; in which case the values below
  # must match those of that external postgres instance.
  # Please note that certain features do not work when enabling the included
  # database, namely automatic schema creation when the app is first installed.
  enabled: true
  # postgresqlHostname: preexisting-postgresql
  # postgresqlPort: 5432

  # If using a connection pooler such as pgbouncer, please specify a hostname/IP
  # that serves as a "direct" connection to the database, rather than going
  # through the connection pooler. This is required for migrations to work
  # properly.
  direct:
    hostname:
    port:
    database:

  auth:
    database: mastodon_production
    username: mastodon
    # you must set a password; the password generated by the postgresql chart will
    # be rotated on each upgrade:
    # https://github.com/bitnami/charts/tree/master/bitnami/postgresql#upgrade
    password: ""
    # Set the password for the "postgres" admin user
    # set this to the same value as above if you've previously installed
    # this chart and you're having problems getting mastodon to connect to the DB
    # postgresPassword: ""
    # you can also specify the name of an existing Secret
    # with a key of password set to the password you want
    existingSecret: ""

  # Options for a read-only replica.
  # If enabled, mastodon uses existing defaults for postgres for these values as well.
  # NOTE: This feature is only available on Mastodon v4.2+
  # Documentation for more information on this feature:
  # https://docs.joinmastodon.org/admin/scaling/#read-replicas
  readReplica:
    hostname:
    port:
    auth:
      database:
      username:
      password:
      existingSecret:

# Configuration for Redis.
# When enabled, the bitnami helm chart used for Redis deployment, and all values
# here correspond to their values file. Please see the bitnami chart
# documentation:
# https://github.com/bitnami/charts/tree/master/bitnami/redis#parameters
#
# Please note that we recommend using your own deployment for better management.
redis:
  # disable if you want to use an existing redis instance; in which case the
  # values below must match those of that external redis instance
  enabled: true
  hostname: ""
  port: 6379
  auth:
    # -- you must set a password; the password generated by the redis chart will be
    # rotated on each upgrade:
    password: ""
    # setting password for an existing redis instance will store it in a new Secret
    # you can also specify the name of an existing Secret
    # with a key of redis-password set to the password you want
    # existingSecret: ""
  replica:
    replicaCount: 0

  # Configuration for a separate redis instance only for sidekiq processing.
  # If enabled, any values not specified will be copied from the base config.
  # If set to false, the main redis instance will be used, and all values will
  # be ignored.
  sidekiq:
    enabled: false
    hostname: ""
    port: 6379
    auth:
      password: ""
      # you can also specify the name of an existing Secret
      # with a key of redis-password set to the password you want
      existingSecret: ""

  # Configuration for a separate redis instance only for cache.
  # If enabled, any values not specified will be copied from the base config.
  # If set to false, the main redis instance will be used, and all values will
  # be ignored.
  cache:
    enabled: false
    hostname: ""
    port: 6379
    auth:
      password: ""
      # you can also specify the name of an existing Secret
      # with a key of redis-password set to the password you want
      existingSecret: ""

# @ignored
service:
  type: ClusterIP
  port: 80

externalAuth:
  oidc:
    # -- OpenID Connect support is proposed in PR #16221 and awaiting merge.
    enabled: false
    # display_name: "example-label"
    # issuer: https://login.example.space/auth/realms/example-space
    # discovery: true
    # scope: "openid,profile"
    # uid_field: uid
    # client_id: mastodon
    # client_secret: SECRETKEY
    # redirect_uri: https://example.com/auth/auth/openid_connect/callback
    # assume_email_is_verified: true
    # client_auth_method:
    # response_type:
    # response_mode:
    # display:
    # prompt:
    # send_nonce:
    # send_scope_to_token_endpoint:
    # idp_logout_redirect_uri:
    # http_scheme:
    # host:
    # port:
    # jwks_uri:
    # auth_endpoint:
    # token_endpoint:
    # user_info_endpoint:
    # end_session_endpoint:
  saml:
    enabled: false
    # acs_url: http://mastodon.example.com/auth/auth/saml/callback
    # issuer: mastodon
    # idp_sso_target_url: https://login.example.com/auth/realms/example/protocol/saml
    # idp_cert: '-----BEGIN CERTIFICATE-----[your_cert_content]-----END CERTIFICATE-----'
    # idp_cert_fingerprint:
    # name_identifier_format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
    # cert:
    # private_key:
    # want_assertion_signed: true
    # want_assertion_encrypted: true
    # assume_email_is_verified: true
    # uid_attribute: "urn:oid:0.9.2342.19200300.100.1.1"
    # attributes_statements:
    #   uid: "urn:oid:0.9.2342.19200300.100.1.1"
    #   email: "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
    #   full_name: "urn:oid:2.16.840.1.113730.3.1.241"
    #   first_name: "urn:oid:2.5.4.42"
    #   last_name: "urn:oid:2.5.4.4"
    #   verified:
    #   verified_email:
  oauth_global:
    # -- Automatically redirect to OIDC, CAS or SAML, and don't use local account authentication when clicking on Sign-In
    omniauth_only: false
  cas:
    enabled: false
    # url: https://sso.myserver.com
    # host: sso.myserver.com
    # port: 443
    # ssl: true
    # validate_url:
    # callback_url:
    # logout_url:
    # login_url:
    # uid_field: 'user'
    # ca_path:
    # disable_ssl_verification: false
    # assume_email_is_verified: true
    # keys:
    #   uid: 'user'
    #   name: 'name'
    #   email: 'email'
    #   nickname: 'nickname'
    #   first_name: 'firstname'
    #   last_name: 'lastname'
    #   location: 'location'
    #   image: 'image'
    #   phone: 'phone'
  pam:
    enabled: false
    # email_domain: example.com
    # default_service: rpam
    # controlled_service: rpam
  ldap:
    enabled: false
    # host: myservice.namespace.svc
    # port: 636
    # method: simple_tls
    # tls_no_verify: true
    # base:
    # bind_dn:
    # password:
    # uid: cn
    # mail: mail
    # search_filter: "(|(%{uid}=%{email})(%{mail}=%{email}))"
    # uid_conversion:
    #   enabled: true
    #   search: "., -"
    #   replace: _

# -- https://github.com/mastodon/mastodon/blob/main/Dockerfile#L75
#
# if you manually change the UID/GID environment variables, ensure these values
# match:
podSecurityContext:
  runAsUser: 991
  runAsGroup: 991
  fsGroup: 991

# @ignored
securityContext: {}

serviceAccount:
  # -- Specifies whether a service account should be created
  create: true
  # -- Annotations to add to the service account
  annotations: {}
  # -- The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""

# Custom annotations to apply to all created mastodon deployment objects. These
# can be used to help mastodon interact with other services in the cluster.
deploymentAnnotations: {}

# -- Kubernetes manages pods for jobs and pods for deployments differently, so you might
# need to apply different annotations to the two different sets of pods. The annotations
# set with podAnnotations will be added to all mastodon deployment-managed pods.
podAnnotations: {}

# If set to true, an annotation with the current chart release number will be added to all mastodon pods. This will
# cause all pods to be recreated every `helm upgrade` regardless of whether their config or spec changes.
revisionPodAnnotation: true

# The annotations set with jobAnnotations will be added to all mastodon job pods
jobAnnotations: {}

# -- Default resources for all mastodon Deployments and jobs unless overwritten
resources:
  {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi

# @ignored
nodeSelector: {}

# @ignored
tolerations: []

# -- Affinity for all mastodon pods unless overwritten
affinity: {}

# -- Timezone for all mastodon pods unless overwritten
timezone: UTC

# -- Topology Spread Constraints for all mastodon pods unless overwritten
# Please note that you need to use `matchLabelKeys` (Kubernetes 1.25+) if you
# want to spread each deployment independently, or override topologySpreadConstraints
# for each deployment
topologySpreadConstraints: {}

# Default volume mounts for all mastodon pods
volumeMounts: []

# Default volumes for all mastodon pods
volumes: []