Added values for active record encryption

mastodon · Apr 17, 2024 · 2a7be68 · 2a7be68
1 parent d91a52b
commit 2a7be68
Show file tree

Hide file tree

Showing 5 changed files with 51 additions and 8 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,21 @@
+# 5.1.0
+
+- Added values for Active Record Encryption in Redis:
+ ```yaml
+ mastodon:
+ secrets:
+ activeRecordEncryption:
+ primaryKey:
+ deterministicKey:
+ keyDerivationSalt:
+ ```
+
+- Small bugfix related to automatic secret generation
+
+# [5.0.0](https://github.com/mastodon/chart/commit/63a052b6a5c19dabd172c15c1fd74298dcc544b2)
+
+- Updated major versions of chart dependencies (postgres, redis, elasticsearch)
+
 # [4.0.0](https://github.com/mastodon/chart/compare/920cf37..ae892d5)
 
 - adds support for multiple Sidekiq deployments to be configured to manage

diff --git a/Chart.yaml b/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time
 # you make changes to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 5.0.0
+version: 5.1.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
@@ -106,7 +106,7 @@ Get the mastodon secret.
 {{- if .Values.mastodon.secrets.existingSecret }}
  {{- printf "%s" (tpl .Values.mastodon.secrets.existingSecret $) -}}
 {{- else -}}
- {{- printf "%s" (include "common.names.fullname" .) -}}
+ {{- printf "%s" (include "mastodon.fullname" .) -}}
 {{- end -}}
 {{- end -}}
 
@@ -117,7 +117,7 @@ Get the smtp secret.
 {{- if .Values.mastodon.smtp.existingSecret }}
  {{- printf "%s" (tpl .Values.mastodon.smtp.existingSecret $) -}}
 {{- else -}}
- {{- printf "%s-smtp" (include "common.names.fullname" .) -}}
+ {{- printf "%s-smtp" (include "mastodon.fullname" .) -}}
 {{- end -}}
 {{- end -}}
 
@@ -130,7 +130,7 @@ Get the postgresql secret.
 {{- else if .Values.postgresql.enabled -}}
  {{- printf "%s-postgresql" (tpl .Release.Name $) -}}
 {{- else -}}
- {{- printf "%s" (include "common.names.fullname" .) -}}
+ {{- printf "%s" (include "mastodon.fullname" .) -}}
 {{- end -}}
 {{- end -}}
 

diff --git a/templates/secrets.yaml b/templates/secrets.yaml
@@ -34,6 +34,21 @@ data:
  {{- else }}
  VAPID_PUBLIC_KEY: {{ required "vapid.public_key is required" .Values.mastodon.secrets.vapid.public_key }}
  {{- end }}
+ {{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.primaryKey) }}
+ ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: "{{ .Values.mastodon.secrets.activeRecordEncryption.primaryKey | b64enc }}"
+ {{- else }}
+ ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: {{ required "activeRecordEncryption.primaryKey is required" .Values.mastodon.secrets.activeRecordEncryption.primaryKey }}
+ {{- end }}
+ {{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.deterministicKey) }}
+ ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: "{{ .Values.mastodon.secrets.activeRecordEncryption.deterministicKey | b64enc }}"
+ {{- else }}
+ ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: {{ required "activeRecordEncryption.deterministicKey is required" .Values.mastodon.secrets.activeRecordEncryption.deterministicKey }}
+ {{- end }}
+ {{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt) }}
+ ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: "{{ .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt | b64enc }}"
+ {{- else }}
+ ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: {{ required "activeRecordEncryption.keyDerivationSalt is required" .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt }}
+ {{- end }}
  {{- end }}
  {{- if not .Values.postgresql.enabled }}
  {{- if not .Values.postgresql.auth.existingSecret }}

diff --git a/values.yaml b/values.yaml
@@ -78,7 +78,7 @@ mastodon:
  permission: ""
  # -- If you have a caching proxy, enter its base URL here.
  alias_host: ""
- # -- Set this to true if the storage provider uses domain style 'bucket.endpoint' naming 
+ # -- Set this to true if the storage provider uses domain style 'bucket.endpoint' naming
  # override_path_style: "true"
  deepl:
  enabled: false
@@ -99,9 +99,19 @@ mastodon:
  vapid:
  private_key: ""
  public_key: ""
+ activeRecordEncryption:
+ primaryKey: ""
+ deterministicKey: ""
+ keyDerivationSalt: ""
  # -- you can also specify the name of an existing Secret
- # with keys SECRET_KEY_BASE and OTP_SECRET and
- # VAPID_PRIVATE_KEY and VAPID_PUBLIC_KEY
+ # with keys:
+ # - SECRET_KEY_BASE
+ # - OTP_SECRET
+ # - VAPID_PRIVATE_KEY
+ # - VAPID_PUBLIC_KEY
+ # - ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
+ # - ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY
+ # - ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
  existingSecret: ""
 
  # -- The number of old revisions to keep for each Deployment in Kubernetes.
@@ -285,7 +295,7 @@ mastodon:
  # Specify extra environment variables to be added to all Mastodon pods.
  # These can be used for configuration not included in this chart (including configuration for Mastodon varietals.)
  extraEnvVars: {}
- 
+
  # Alternatively specify extra environment variables stored in a ConfigMap.
  # The specified ConfigMap should contain the additional environment variables in key-value format.
  # extraEnvFrom: <config-map-name>