From 2a7be687cdbb9a96a5ab6be5c1707346b9409567 Mon Sep 17 00:00:00 2001
From: Tim Campbell
Date: Wed, 17 Apr 2024 13:48:05 +0200
Subject: [PATCH] Added values for active record encryption

---
 CHANGELOG.md           | 18 ++++++++++++++++++
 Chart.yaml             |  2 +-
 templates/_helpers.tpl |  6 +++---
 templates/secrets.yaml | 15 +++++++++++++++
 values.yaml            | 18 ++++++++++++++----
 5 files changed, 51 insertions(+), 8 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8ef3161..2b6c100 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,21 @@
+# 5.1.0
+
+- Added values for Active Record Encryption in Redis:
+  ```yaml
+  mastodon:
+    secrets:
+      activeRecordEncryption:
+        primaryKey:
+        deterministicKey:
+        keyDerivationSalt:
+  ```
+
+- Small bugfix related to automatic secret generation
+
+# [5.0.0](https://github.com/mastodon/chart/commit/63a052b6a5c19dabd172c15c1fd74298dcc544b2)
+
+- Updated major versions of chart dependencies (postgres, redis, elasticsearch)
+
 # [4.0.0](https://github.com/mastodon/chart/compare/920cf37..ae892d5)
 
 - adds support for multiple Sidekiq deployments to be configured to manage
diff --git a/Chart.yaml b/Chart.yaml
index fea5144..15efa48 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time
 # you make changes to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 5.0.0
+version: 5.1.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 2c50146..81872f9 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -106,7 +106,7 @@ Get the mastodon secret.
 {{- if .Values.mastodon.secrets.existingSecret }}
 {{- printf "%s" (tpl .Values.mastodon.secrets.existingSecret $) -}}
 {{- else -}}
-{{- printf "%s" (include "common.names.fullname" .) -}}
+{{- printf "%s" (include "mastodon.fullname" .) -}}
 {{- end -}}
 {{- end -}}
 
@@ -117,7 +117,7 @@ Get the smtp secret.
 {{- if .Values.mastodon.smtp.existingSecret }}
 {{- printf "%s" (tpl .Values.mastodon.smtp.existingSecret $) -}}
 {{- else -}}
-{{- printf "%s-smtp" (include "common.names.fullname" .) -}}
+{{- printf "%s-smtp" (include "mastodon.fullname" .) -}}
 {{- end -}}
 {{- end -}}
 
@@ -130,7 +130,7 @@ Get the postgresql secret.
 {{- else if .Values.postgresql.enabled -}}
 {{- printf "%s-postgresql" (tpl .Release.Name $) -}}
 {{- else -}}
-{{- printf "%s" (include "common.names.fullname" .) -}}
+{{- printf "%s" (include "mastodon.fullname" .) -}}
 {{- end -}}
 {{- end -}}
 
diff --git a/templates/secrets.yaml b/templates/secrets.yaml
index d1776ac..0eec2ab 100644
--- a/templates/secrets.yaml
+++ b/templates/secrets.yaml
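Review bot: The default secret name returned here changes from `common.names.fullname` to `mastodon.fullname`, and the same swap is made in the smtp and postgresql hunks below; `mastodon.fullname` is not defined within any of these hunks, so from this view I cannot confirm it exists in this file or that it produces the same string as the helper it replaces. If the two can differ for an already-installed release, an upgrade would make the pods look up a secret under a new name, and with the chart's automatic secret generation that could mint fresh SECRET_KEY_BASE/OTP_SECRET values and invalidate every session and second factor — worth a one-line check against an existing release before tagging 5.1.0. A short comment above the define, e.g. `{{/* Must match the name the secret-generation job writes to */}}`, would make that coupling explicit. The enclosing defines start outside these hunks.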
@@ -34,6 +34,21 @@ data:
   {{- else }}
   VAPID_PUBLIC_KEY: {{ required "vapid.public_key is required" .Values.mastodon.secrets.vapid.public_key }}
   {{- end }}
+  {{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.primaryKey) }}
+  ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: "{{ .Values.mastodon.secrets.activeRecordEncryption.primaryKey | b64enc }}"
+  {{- else }}
+  ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: {{ required "activeRecordEncryption.primaryKey is required" .Values.mastodon.secrets.activeRecordEncryption.primaryKey }}
+  {{- end }}
+  {{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.deterministicKey) }}
+  ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: "{{ .Values.mastodon.secrets.activeRecordEncryption.deterministicKey | b64enc }}"
+  {{- else }}
+  ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: {{ required "activeRecordEncryption.deterministicKey is required" .Values.mastodon.secrets.activeRecordEncryption.deterministicKey }}
+  {{- end }}
+  {{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt) }}
+  ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: "{{ .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt | b64enc }}"
+  {{- else }}
+  ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: {{ required "activeRecordEncryption.keyDerivationSalt is required" .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt }}
+  {{- end }}
   {{- end }}
   {{- if not .Values.postgresql.enabled }}
   {{- if not .Values.postgresql.auth.existingSecret }}
diff --git a/values.yaml b/values.yaml
index 3c7d948..3afcc10 100644
--- a/values.yaml
+++ b/values.yaml
@@ -78,7 +78,7 @@ mastodon:
     permission: ""
     # -- If you have a caching proxy, enter its base URL here.
     alias_host: ""
-    # -- Set this to true if the storage provider uses domain style 'bucket.endpoint' naming
+    # -- Set this to true if the storage provider uses domain style 'bucket.endpoint' naming
     # override_path_style: "true"
   deepl:
     enabled: false
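Review bot: Each `{{- else }}` arm added here is reached only when the value is empty, and `required` rejects an empty value, so the else arms can never emit a key — in effect all three activeRecordEncryption values become mandatory whenever this data block renders, while values.yaml defaults them to `""`, which will fail rendering for existing releases on upgrade unless the enclosing condition (which starts outside the hunk) already gates on them. If making them mandatory is the intent, each if/else pair collapses to one line, e.g. `ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: {{ required "activeRecordEncryption.primaryKey is required" .Values.mastodon.secrets.activeRecordEncryption.primaryKey | b64enc }}`, with the same change for the deterministicKey and keyDerivationSalt pairs; if instead the intent was to fall back to the automatic secret generation the changelog mentions, the else arm should take that path rather than `required`. Either way a short comment above the block stating that the three values must be provided together and kept stable for the life of the database — as with any data-at-rest key, replacing them without a re-encryption migration leaves existing ciphertext unreadable — would spare operators a data-loss surprise.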
@@ -99,9 +99,19 @@ mastodon:
     vapid:
       private_key: ""
       public_key: ""
+    activeRecordEncryption:
+      primaryKey: ""
+      deterministicKey: ""
+      keyDerivationSalt: ""
     # -- you can also specify the name of an existing Secret
-    # with keys SECRET_KEY_BASE and OTP_SECRET and
-    # VAPID_PRIVATE_KEY and VAPID_PUBLIC_KEY
+    # with keys:
+    # - SECRET_KEY_BASE
+    # - OTP_SECRET
+    # - VAPID_PRIVATE_KEY
+    # - VAPID_PUBLIC_KEY
+    # - ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
+    # - ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY
+    # - ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
     existingSecret: ""
 
   # -- The number of old revisions to keep for each Deployment in Kubernetes.
@@ -285,7 +295,7 @@ mastodon:
   # Specify extra environment variables to be added to all Mastodon pods.
   # These can be used for configuration not included in this chart (including configuration for Mastodon varietals.)
   extraEnvVars: {}
-
+
   # Alternatively specify extra environment variables stored in a ConfigMap.
   # The specified ConfigMap should contain the additional environment variables in key-value format.
   # extraEnvFrom:
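Review bot: The new `activeRecordEncryption` block carries no `# --` helm-docs description, unlike sibling keys in this file (see `# -- If you have a caching proxy…` in the earlier hunk), so generated docs will show three bare keys with no hint of what they are, whether all three must be set together, or how to produce them; a comment above the block such as `# -- Active Record Encryption key material (primary key, deterministic key, key derivation salt); generate with bin/rails db:encryption:init and keep the values stable once data has been encrypted` would fill that gap. As a style point, the new keys are camelCase (`primaryKey`) while their siblings under `secrets` are snake_case (`private_key`, `public_key`), so the file now mixes both conventions in one mapping. Since these are keys rather than ordinary settings, the comment should also steer users to `existingSecret` instead of committing values here, which the extended key list just below already makes possible. The enclosing `secrets` mapping starts outside the hunk.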