Added values for active record encryption

CHANGELOG.md

@@ -1,3 +1,21 @@
+# 5.1.0
+
+- Added values for Active Record Encryption in Redis:
+    ```yaml
+    mastodon:
+      secrets:
+        activeRecordEncryption:
+          primaryKey:
+          deterministicKey:
+          keyDerivationSalt:
+    ```
+
+- Small bugfix related to automatic secret generation
+
+# [5.0.0](https://github.com/mastodon/chart/commit/63a052b6a5c19dabd172c15c1fd74298dcc544b2)
+
+- Updated major versions of chart dependencies (postgres, redis, elasticsearch)
+
 # [4.0.0](https://github.com/mastodon/chart/compare/920cf37..ae892d5)
 
 - adds support for multiple Sidekiq deployments to be configured to manage

Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time
 # you make changes to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 5.0.0
+version: 5.1.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

templates/_helpers.tpl

@@ -106,7 +106,7 @@ Get the mastodon secret.
 {{- if .Values.mastodon.secrets.existingSecret }}
     {{- printf "%s" (tpl .Values.mastodon.secrets.existingSecret $) -}}
 {{- else -}}
-    {{- printf "%s" (include "common.names.fullname" .) -}}
+    {{- printf "%s" (include "mastodon.fullname" .) -}}
 {{- end -}}
 {{- end -}}
 
@@ -117,7 +117,7 @@ Get the smtp secret.
 {{- if .Values.mastodon.smtp.existingSecret }}
     {{- printf "%s" (tpl .Values.mastodon.smtp.existingSecret $) -}}
 {{- else -}}
-    {{- printf "%s-smtp" (include "common.names.fullname" .) -}}
+    {{- printf "%s-smtp" (include "mastodon.fullname" .) -}}
 {{- end -}}
 {{- end -}}
 
@@ -130,7 +130,7 @@ Get the postgresql secret.
 {{- else if .Values.postgresql.enabled -}}
     {{- printf "%s-postgresql" (tpl .Release.Name $) -}}
 {{- else -}}
-    {{- printf "%s" (include "common.names.fullname" .) -}}
+    {{- printf "%s" (include "mastodon.fullname" .) -}}
 {{- end -}}
 {{- end -}}
 

templates/secrets.yaml

@@ -34,6 +34,21 @@ data:
   {{- else }}
   VAPID_PUBLIC_KEY: {{ required "vapid.public_key is required" .Values.mastodon.secrets.vapid.public_key }}
   {{- end }}
+  {{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.primaryKey) }}
+  ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: "{{ .Values.mastodon.secrets.activeRecordEncryption.primaryKey | b64enc }}"
+  {{- else }}
+  ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: {{ required "activeRecordEncryption.primaryKey is required" .Values.mastodon.secrets.activeRecordEncryption.primaryKey }}
+  {{- end }}
+  {{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.deterministicKey) }}
+  ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: "{{ .Values.mastodon.secrets.activeRecordEncryption.deterministicKey | b64enc }}"
+  {{- else }}
+  ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: {{ required "activeRecordEncryption.deterministicKey is required" .Values.mastodon.secrets.activeRecordEncryption.deterministicKey }}
+  {{- end }}
+  {{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt) }}
+  ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: "{{ .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt | b64enc }}"
+  {{- else }}
+  ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: {{ required "activeRecordEncryption.keyDerivationSalt is required" .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt }}
+  {{- end }}
   {{- end }}
   {{- if not .Values.postgresql.enabled }}
   {{- if not .Values.postgresql.auth.existingSecret }}

values.yaml

@@ -78,7 +78,7 @@ mastodon:
     permission: ""
     # -- If you have a caching proxy, enter its base URL here.
     alias_host: ""
-    # -- Set this to true if the storage provider uses domain style 'bucket.endpoint' naming 
+    # -- Set this to true if the storage provider uses domain style 'bucket.endpoint' naming
     # override_path_style: "true"
   deepl:
     enabled: false
@@ -99,9 +99,19 @@ mastodon:
     vapid:
       private_key: ""
       public_key: ""
+    activeRecordEncryption:
+      primaryKey: ""
+      deterministicKey: ""
+      keyDerivationSalt: ""
     # -- you can also specify the name of an existing Secret
-    # with keys SECRET_KEY_BASE and OTP_SECRET and
-    # VAPID_PRIVATE_KEY and VAPID_PUBLIC_KEY
+    # with keys:
+    # - SECRET_KEY_BASE
+    # - OTP_SECRET
+    # - VAPID_PRIVATE_KEY
+    # - VAPID_PUBLIC_KEY
+    # - ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
+    # - ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY
+    # - ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
     existingSecret: ""
 
   # -- The number of old revisions to keep for each Deployment in Kubernetes.
@@ -285,7 +295,7 @@ mastodon:
   # Specify extra environment variables to be added to all Mastodon pods.
   # These can be used for configuration not included in this chart (including configuration for Mastodon varietals.)
   extraEnvVars: {}
-  
+
   # Alternatively specify extra environment variables stored in a ConfigMap.
   # The specified ConfigMap should contain the additional environment variables in key-value format.
   # extraEnvFrom: <config-map-name>