Merge pull request #4 from jessebot/feature/s3-credentials-secret

Adding more `s3.secretKeys`, and introducing `mastodon.secrets.secretKeys`
2025-05-18 04:53:21 +00:00 · 2023-07-14 14:41:56 +02:00 · 2023-07-14 14:41:56 +02:00 · 3dbcf67cbc
commit 3dbcf67cbc
parent 0bcae4b8a4 0597b88a17
16 changed files with 335 additions and 93 deletions
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -0,0 +1,15 @@
 repos:
  - repo: https://github.com/norwoodj/helm-docs
    rev: v1.2.0
    hooks:
      - id: helm-docs
        # args:
        #   # Make the tool search for charts only under the `example-charts` directory
        #   - --chart-search-root=mastodon
        #   # The `./` makes it relative to the chart-search-root set above
        #   - --template-files=./_templates.gotmpl
        #   # Repeating the flag adds this to the list, now [./_templates.gotmpl, README.md.gotmpl]
        #   # A base filename makes it relative to each chart directory found
        #   - --template-files=README.md.gotmpl
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -0,0 +1,12 @@
 # To get started helping out
 Please install [pre-commit] and [helm-docs] locally and then install our pre-commit hooks.
 ```bash
 pre-commit install
 pre-commit install-hooks
 ```
 Right now, these just keep the docs up to date, but in the future, will provide other useful tools :)
 [pre-commit]: https://pre-commit.com/#install
 [helm-docs]: https://github.com/norwoodj/helm-docs#installation
--- a/README.md
+++ b/README.md
@ -9,7 +9,7 @@ The basic usage is:
 This chart is tested with k8s 1.26+ and helm 3.6.0+.
-Known caveats: Currently in chart version `4.0.8`, you need to run postgresql and redis helm charts independently of this one. This is because there's a helm hook job called db-migrate that I can't figure out how to make run after the dependency charts are fully installed, but before everything else. If you know the answer to this, please open an issue here and let me know!
+Known caveats: Currently in chart version `4.0.9`, you need to run postgresql and redis helm charts independently of this one. This is because there's a helm hook job called db-migrate that I can't figure out how to make run after the dependency charts are fully installed, but before everything else. If you know the answer to this, please open an issue/pr here and let me know!
 # Configuration
--- a/charts/mastodon/Chart.yaml
+++ b/charts/mastodon/Chart.yaml
@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 4.0.8
+version: 4.0.9
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/charts/mastodon/README.md
+++ b/charts/mastodon/README.md
@ -0,0 +1,138 @@
 # mastodon
 ![Version: 4.0.9](https://img.shields.io/badge/Version-4.0.9-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v4.1.4](https://img.shields.io/badge/AppVersion-v4.1.4-informational?style=flat-square)
 Mastodon is a free, open-source social network server based on ActivityPub.
 ## Requirements
 | Repository | Name | Version |
 |------------|------|---------|
 | oci://registry-1.docker.io/bitnamicharts | elasticsearch | 19.10.1 |
 | oci://registry-1.docker.io/bitnamicharts | postgresql | 12.6.0 |
 | oci://registry-1.docker.io/bitnamicharts | redis | 17.11.6 |
 ## Values
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` | Affinity for all pods unless overwritten |
 | deploymentAnnotations | object | `{}` |  |
 | elasticsearch | object | `{}` | https://github.com/bitnami/charts/tree/master/bitnami/elasticsearch#parameters |
 | externalAuth.cas.enabled | bool | `false` |  |
 | externalAuth.ldap.enabled | bool | `false` |  |
 | externalAuth.oauth_global.omniauth_only | bool | `false` | Automatically redirect to OIDC, CAS or SAML, and don't use local account authentication when clicking on Sign-In |
 | externalAuth.oidc.enabled | bool | `false` | OpenID Connect support is proposed in PR #16221 and awaiting merge. |
 | externalAuth.pam.enabled | bool | `false` |  |
 | externalAuth.saml.enabled | bool | `false` |  |
 | fullnameOverride | string | `""` |  |
 | image.pullPolicy | string | `"IfNotPresent"` | image pullPolicy - use `Always` when using `latest` tag |
 | image.repository | string | `"ghcr.io/mastodon/mastodon"` | image repository to use |
 | image.tag | string | `""` | docker tag. use `latest` for the latest release or `edge` for the image built from the most recent commit |
 | ingress.annotations | string | `nil` |  |
 | ingress.enabled | bool | `true` |  |
 | ingress.hosts[0].host | string | `"mastodon.local"` |  |
 | ingress.hosts[0].paths[0].path | string | `"/"` |  |
 | ingress.ingressClassName | string | `nil` | you can specify the ingressClassName if it differs from the default |
 | ingress.tls[0].hosts[0] | string | `"mastodon.local"` |  |
 | ingress.tls[0].secretName | string | `"mastodon-tls"` |  |
 | jobAnnotations | object | `{}` |  |
 | mastodon.authorizedFetch | bool | `false` | Enables "Secure Mode" for more details see: https://docs.joinmastodon.org/admin/config/#authorized_fetch |
 | mastodon.createAdmin | object | `{"existingSecret":"","secretKeys":{"emailKey":"email","passwordKey":"password","usernameKey":"username"}}` | create an initial administrator user; the password is autogenerated and will have to be reset |
 | mastodon.cron.removeMedia | object | `{}` | run `tootctl media remove` every week |
 | mastodon.limitedFederationMode | bool | `false` | Enables "Limited Federation Mode" for more detauls see: https://docs.joinmastodon.org/admin/config/#limited_federation_mode |
 | mastodon.local_domain | string | `"mastodon.local"` |  |
 | mastodon.locale | string | `"en"` | available locales: https://github.com/mastodon/mastodon/blob/main/config/application.rb#L71 |
 | mastodon.metrics.statsd.address | string | `""` | Enable statsd publishing via STATSD_ADDR environment variable |
 | mastodon.persistence.assets.accessMode | string | `"ReadWriteOnce"` | ReadWriteOnce is more widely supported than ReadWriteMany, but limits scalability, since it requires the Rails and Sidekiq pods to run on the same node. |
 | mastodon.persistence.assets.resources.requests.storage | string | `"10Gi"` |  |
 | mastodon.persistence.system.accessMode | string | `"ReadWriteOnce"` |  |
 | mastodon.persistence.system.resources.requests.storage | string | `"100Gi"` |  |
 | mastodon.preparedStatements | bool | `true` |  |
 | mastodon.s3.access_key | string | `""` |  |
 | mastodon.s3.access_secret | string | `""` |  |
 | mastodon.s3.alias_host | string | `""` | If you have a caching proxy, enter its base URL here. |
 | mastodon.s3.bucket | string | `""` |  |
 | mastodon.s3.enabled | bool | `false` |  |
 | mastodon.s3.endpoint | string | `""` |  |
 | mastodon.s3.existingSecret | string | `""` | you can also specify the name of an existing Secret with keys AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY |
 | mastodon.s3.hostname | string | `""` |  |
 | mastodon.s3.permission | string | `""` |  |
 | mastodon.s3.region | string | `""` |  |
 | mastodon.s3.secretKeys.s3AccessKey | string | `"AWS_SECRET_ACCESS_KEY"` |  |
 | mastodon.s3.secretKeys.s3AccessKeyID | string | `"AWS_ACCESS_KEY_ID"` |  |
 | mastodon.s3.secretKeys.s3Bucket | string | `""` |  |
 | mastodon.s3.secretKeys.s3Endpoint | string | `""` |  |
 | mastodon.s3.secretKeys.s3Hostname | string | `""` |  |
 | mastodon.s3.secretKeys.s3Region | string | `""` |  |
 | mastodon.secrets.existingSecret | string | `""` | the name of an existing Secret to use. keys must be: VAPID_PRIVATE_KEY, VAPID_PUBLIC_KEY, SECRET_KEY_BASE, OTP_SECRET |
 | mastodon.secrets.otp_secret | string | `""` |  |
 | mastodon.secrets.secret_key_base | string | `""` | must be set manually; autogenerated keys are rotated on each upgrade |
 | mastodon.secrets.vapid.private_key | string | `""` |  |
 | mastodon.secrets.vapid.public_key | string | `""` |  |
 | mastodon.sidekiq.affinity | object | `{}` | Affinity for all Sidekiq Deployments unless overwritten, overwrites .Values.affinity |
 | mastodon.sidekiq.podSecurityContext | object | `{}` | Pod security context for all Sidekiq Pods, overwrites .Values.podSecurityContext |
 | mastodon.sidekiq.resources | object | `{}` | Resources for all Sidekiq Deployments unless overwritten |
 | mastodon.sidekiq.securityContext | Sidekiq Container | `{}` | Security Context for all Pods, overwrites .Values.securityContext |
 | mastodon.sidekiq.workers[0].affinity | object | `{}` | Affinity for this specific deployment, overwrites .Values.affinity and .Values.mastodon.sidekiq.affinity |
 | mastodon.sidekiq.workers[0].concurrency | int | `25` | Number of threads / parallel sidekiq jobs that are executed per Pod |
 | mastodon.sidekiq.workers[0].name | string | `"all-queues"` |  |
 | mastodon.sidekiq.workers[0].queues | list | `["default,8","push,6","ingress,4","mailers,2","pull","scheduler"]` | Sidekiq queues for Mastodon that are handled by this worker. See https://docs.joinmastodon.org/admin/scaling/#concurrency See https://github.com/mperham/sidekiq/wiki/Advanced-Options#queues for how to weight queues as argument |
 | mastodon.sidekiq.workers[0].replicas | int | `1` | Number of Pod replicas deployed by the Deployment |
 | mastodon.sidekiq.workers[0].resources | object | `{}` | Resources for this specific deployment to allow optimised scaling, overwrites .Values.mastodon.sidekiq.resources |
 | mastodon.singleUserMode | bool | `false` | If set to true, the frontpage of your Mastodon server will always redirect to the first profile in the database and registrations will be disabled. |
 | mastodon.smtp.auth_method | string | `"plain"` |  |
 | mastodon.smtp.ca_file | string | `"/etc/ssl/certs/ca-certificates.crt"` |  |
 | mastodon.smtp.delivery_method | string | `"smtp"` |  |
 | mastodon.smtp.domain | string | `nil` |  |
 | mastodon.smtp.enable_starttls | string | `"auto"` |  |
 | mastodon.smtp.existingSecret | string | `""` | Instead of defining login/password above, you can specify the name of an existing secret here. Login and password must be located in keys named `login` and `password` respectively. |
 | mastodon.smtp.from_address | string | `"notifications@example.com"` |  |
 | mastodon.smtp.login | string | `nil` |  |
 | mastodon.smtp.openssl_verify_mode | string | `"peer"` |  |
 | mastodon.smtp.password | string | `nil` |  |
 | mastodon.smtp.port | int | `587` |  |
 | mastodon.smtp.reply_to | string | `nil` |  |
 | mastodon.smtp.return_path | string | `nil` |  |
 | mastodon.smtp.server | string | `"smtp.mailgun.org"` |  |
 | mastodon.smtp.tls | bool | `false` |  |
 | mastodon.streaming.affinity | object | `{}` | Affinity for Streaming Pods, overwrites .Values.affinity |
 | mastodon.streaming.base_url | string | `nil` | The base url for streaming can be set if the streaming API is deployed to a different domain/subdomain. |
 | mastodon.streaming.podSecurityContext | object | `{}` | Pod Security Context for Streaming Pods, overwrites .Values.podSecurityContext |
 | mastodon.streaming.port | int | `4000` |  |
 | mastodon.streaming.replicas | int | `1` | Number of Streaming Pods running |
 | mastodon.streaming.resources | Streaming Container | `{}` | Resources for Streaming Pods, overwrites .Values.resources |
 | mastodon.streaming.securityContext | Streaming Container | `{}` | Security Context for Streaming Pods, overwrites .Values.securityContext |
 | mastodon.streaming.workers | int | `1` | this should be set manually since os.cpus() returns the number of CPUs on the node running the pod, which is unrelated to the resources allocated to the pod by k8s |
 | mastodon.web.affinity | object | `{}` | Affinity for Web Pods, overwrites .Values.affinity |
 | mastodon.web.maxThreads | string | `"5"` |  |
 | mastodon.web.minThreads | string | `"5"` | Puma-specific options. Below values are based on default behavior in config/puma.rb when no custom values are provided. |
 | mastodon.web.persistentTimeout | string | `"20"` |  |
 | mastodon.web.podSecurityContext | object | `{}` | Pod Security Context for Web Pods, overwrites .Values.podSecurityContext |
 | mastodon.web.port | int | `3000` |  |
 | mastodon.web.replicas | int | `1` | Number of Web Pods running |
 | mastodon.web.resources | Web Container | `{}` | Resources for Web Pods, overwrites .Values.resources |
 | mastodon.web.securityContext | Web Container | `{}` | Security Context for Web Pods, overwrites .Values.securityContext |
 | mastodon.web.workers | string | `"2"` |  |
 | mastodon.web_domain | string | `nil` | Use of WEB_DOMAIN requires careful consideration: https://docs.joinmastodon.org/admin/config/#federation You must redirect the path LOCAL_DOMAIN/.well-known/ to WEB_DOMAIN/.well-known/ as described Example: mastodon.example.com |
 | nameOverride | string | `""` |  |
 | podAnnotations | object | `{}` | Kubernetes manages pods for jobs and pods for deployments differently, so you might need to apply different annotations to the two different sets of pods. The annotations set with podAnnotations will be added to all deployment-managed pods. |
 | podSecurityContext | object | `{"fsGroup":991,"runAsGroup":991,"runAsUser":991}` | https://github.com/mastodon/mastodon/blob/main/Dockerfile#L75  if you manually change the UID/GID environment variables, ensure these values match: |
 | postgresql.auth.database | string | `"mastodon_production"` |  |
 | postgresql.auth.existingSecret | string | `""` |  |
 | postgresql.auth.password | string | `""` |  |
 | postgresql.auth.username | string | `"mastodon"` |  |
 | postgresql.enabled | bool | `true` | disable if you want to use an existing db; in which case the values below must match those of that external postgres instance |
 | redis.auth.existingSecret | string | `""` |  |
 | redis.auth.password | string | `""` | you must set a password; the password generated by the redis chart will be rotated on each upgrade: |
 | redis.enabled | bool | `true` |  |
 | redis.hostname | string | `""` |  |
 | redis.port | int | `6379` |  |
 | resources | object | `{}` | Default resources for all Deployments and jobs unless overwritten |
 | revisionPodAnnotation | bool | `true` |  |
 | serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
 | serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
 | serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)
--- a/charts/mastodon/dev-values.yaml
+++ b/charts/mastodon/dev-values.yaml
@ -1,3 +1,6 @@
 nameOverride: ""
 fullnameOverride: ""
 # Chart values used for testing the Helm chart.
 #
 image:
@ -12,8 +15,8 @@ image:
  pullPolicy: IfNotPresent
 mastodon:
-  # -- create an initial administrator user; the password is autogenerated and will
+  # -- create an initial administrator user; the password is autogenerated and 
-  # have to be reset
+  # will have to be reset
  createAdmin:
    # @ignored
    enabled: false
@ -21,7 +24,7 @@ mastodon:
    username: not_gargron
    # @ignored
    email: not@example.commit
-    # existingSecret: mastodon-admin
+    existingSecret: ""
    # secretKeys:
    #   usernameKey: username
    #   passwordKey: password
@ -64,9 +67,6 @@ mastodon:
    enabled: false
    access_key: ""
    access_secret: ""
    # -- you can also specify the name of an existing Secret
    # with keys AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
    existingSecret: ""
    bucket: ""
    endpoint: ""
    hostname: ""
@ -74,6 +74,17 @@ mastodon:
    permission: ""
    # -- If you have a caching proxy, enter its base URL here.
    alias_host: ""
    # -- you can also specify the name of an existing Secret
    # with keys AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
    existingSecret: ""
    secretKeys:
      s3AccessKeyID: AWS_ACCESS_KEY_ID
      s3AccessKey: AWS_SECRET_ACCESS_KEY
      s3Bucket: ""
      s3Endpoint: ""
      s3Hostname: ""
      s3Region: ""
  # these must be set manually; autogenerated keys are rotated on each upgrade
  secrets:
    secret_key_base: dummy-secret_key_base
@ -84,7 +95,8 @@ mastodon:
    # -- you can also specify the name of an existing Secret
    # with keys SECRET_KEY_BASE and OTP_SECRET and
    # VAPID_PRIVATE_KEY and VAPID_PUBLIC_KEY
-    # existingSecret: ""
+    existingSecret: ""
  sidekiq:
    # -- Pod security context for all Sidekiq Pods, overwrites .Values.podSecurityContext
    podSecurityContext: {}
@ -153,7 +165,7 @@ mastodon:
    password:
    # -- Instead of defining login/password above, you can specify the name of an existing secret here. Login and
    # password must be located in keys named `login` and `password` respectively.
-    existingSecret:
+    existingSecret: ""
  streaming:
    port: 4000
    # -- this should be set manually since os.cpus() returns the number of CPUs on
--- a/charts/mastodon/templates/_helpers.tpl
+++ b/charts/mastodon/templates/_helpers.tpl
@ -58,7 +58,7 @@ Rolling pod annotations
 {{- if .Values.revisionPodAnnotation }}
 rollme: {{ .Release.Revision | quote }}
 {{- end }}
-checksum/config-secrets: {{ include ( print $.Template.BasePath "/secrets.yaml" ) . | sha256sum | quote }}
+checksum/config-secrets: {{ include ( print $.Template.BasePath "/secret.yaml" ) . | sha256sum | quote }}
 checksum/config-configmap: {{ include ( print $.Template.BasePath "/configmap-env.yaml" ) . | sha256sum | quote }}
 {{- end }}
--- a/charts/mastodon/templates/configmap-env.yaml
+++ b/charts/mastodon/templates/configmap-env.yaml
@ -50,17 +50,11 @@ data:
  {{- end }}
  REDIS_PORT: {{ .Values.redis.port | default "6379" | quote }}
  {{- if .Values.mastodon.s3.enabled }}
  S3_BUCKET: {{ .Values.mastodon.s3.bucket }}
  S3_ENABLED: "true"
  S3_ENDPOINT: {{ .Values.mastodon.s3.endpoint }}
  S3_HOSTNAME: {{ .Values.mastodon.s3.hostname }}
  S3_PROTOCOL: "https"
  {{- if .Values.mastodon.s3.permission }}
  S3_PERMISSION: {{ .Values.mastodon.s3.permission }}
  {{- end }}
  {{- with .Values.mastodon.s3.region }}
  S3_REGION: {{ . }}
  {{- end }}
  {{- with .Values.mastodon.s3.alias_host }}
  S3_ALIAS_HOST: {{ . }}
  {{- end }}
--- a/charts/mastodon/templates/cronjob-media-remove.yaml
+++ b/charts/mastodon/templates/cronjob-media-remove.yaml
@ -68,16 +68,36 @@ spec:
                - name: "PORT"
                  value: {{ .Values.mastodon.web.port | quote }}
                {{- if (and .Values.mastodon.s3.enabled .Values.mastodon.s3.existingSecret) }}
-                - name: "AWS_SECRET_ACCESS_KEY"
+                - name: "S3_HOSTNAME"
                  valueFrom:
                    secretKeyRef:
                      name: {{ .Values.mastodon.s3.existingSecret }}
-                      key: AWS_SECRET_ACCESS_KEY
+                      key: {{ .Values.mastodon.s3.secretKeys.s3Hostname }}
                - name: "S3_ENDPOINT"
                  valueFrom:
                    secretKeyRef:
                      name: {{ .Values.mastodon.s3.existingSecret }}
                      key: {{ .Values.mastodon.s3.secretKeys.s3Endpoint }}
                - name: "S3_REGION"
                  valueFrom:
                    secretKeyRef:
                      name: {{ .Values.mastodon.s3.existingSecret }}
                      key: {{ .Values.mastodon.s3.secretKeys.s3Region }}
                - name: "S3_BUCKET"
                  valueFrom:
                    secretKeyRef:
                      name: {{ .Values.mastodon.s3.existingSecret }}
                      key: {{ .Values.mastodon.s3.secretKeys.s3Bucket }}
                - name: "AWS_ACCESS_KEY_ID"
                  valueFrom:
                    secretKeyRef:
                      name: {{ .Values.mastodon.s3.existingSecret }}
-                      key: AWS_ACCESS_KEY_ID
+                      key: {{ .Values.mastodon.s3.secretKeys.s3AccessKeyID }}
                - name: "AWS_SECRET_ACCESS_KEY"
                  valueFrom:
                    secretKeyRef:
                      name: {{ .Values.mastodon.s3.existingSecret }}
                      key: {{ .Values.mastodon.s3.secretKeys.s3AccessKey }}
                {{- end }}
              {{- if (not .Values.mastodon.s3.enabled) }}
              volumeMounts:
--- a/charts/mastodon/templates/deployment-sidekiq.yaml
+++ b/charts/mastodon/templates/deployment-sidekiq.yaml
@ -107,16 +107,36 @@ spec:
                  name: {{ include "mastodon.smtp.secretName" $context }}
                  key: password
            {{- if (and $context.Values.mastodon.s3.enabled $context.Values.mastodon.s3.existingSecret) }}
-            - name: "AWS_SECRET_ACCESS_KEY"
+            - name: "S3_HOSTNAME"
              valueFrom:
                secretKeyRef:
-                  name: {{ $context.Values.mastodon.s3.existingSecret }}
+                  name: {{ .Values.mastodon.s3.existingSecret }}
-                  key: AWS_SECRET_ACCESS_KEY
+                  key: {{ .Values.mastodon.s3.secretKeys.s3Hostname }}
            - name: "S3_ENDPOINT"
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.mastodon.s3.existingSecret }}
                  key: {{ .Values.mastodon.s3.secretKeys.s3Endpoint }}
            - name: "S3_REGION"
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.mastodon.s3.existingSecret }}
                  key: {{ .Values.mastodon.s3.secretKeys.s3Region }}
            - name: "S3_BUCKET"
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.mastodon.s3.existingSecret }}
                  key: {{ .Values.mastodon.s3.secretKeys.s3Bucket }}
            - name: "AWS_ACCESS_KEY_ID"
              valueFrom:
                secretKeyRef:
-                  name: {{ $context.Values.mastodon.s3.existingSecret }}
+                  name: {{ .Values.mastodon.s3.existingSecret }}
-                  key: AWS_ACCESS_KEY_ID
+                  key: {{ .Values.mastodon.s3.secretKeys.s3AccessKeyID }}
            - name: "AWS_SECRET_ACCESS_KEY"
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.mastodon.s3.existingSecret }}
                  key: {{ .Values.mastodon.s3.secretKeys.s3AccessKey }}
            {{- end }}
          {{- if (not $context.Values.mastodon.s3.enabled) }}
          volumeMounts:
--- a/charts/mastodon/templates/deployment-web.yaml
+++ b/charts/mastodon/templates/deployment-web.yaml
@ -95,16 +95,36 @@ spec:
              value: {{ .Values.mastodon.web.persistentTimeout | quote }}
            {{- end }}
            {{- if (and .Values.mastodon.s3.enabled .Values.mastodon.s3.existingSecret) }}
-            - name: "AWS_SECRET_ACCESS_KEY"
+            - name: "S3_HOSTNAME"
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.mastodon.s3.existingSecret }}
-                  key: AWS_SECRET_ACCESS_KEY
+                  key: {{ .Values.mastodon.s3.secretKeys.s3Hostname }}
            - name: "S3_ENDPOINT"
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.mastodon.s3.existingSecret }}
                  key: {{ .Values.mastodon.s3.secretKeys.s3Endpoint }}
            - name: "S3_REGION"
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.mastodon.s3.existingSecret }}
                  key: {{ .Values.mastodon.s3.secretKeys.s3Region }}
            - name: "S3_BUCKET"
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.mastodon.s3.existingSecret }}
                  key: {{ .Values.mastodon.s3.secretKeys.s3Bucket }}
            - name: "AWS_ACCESS_KEY_ID"
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.mastodon.s3.existingSecret }}
-                  key: AWS_ACCESS_KEY_ID
+                  key: {{ .Values.mastodon.s3.secretKeys.s3AccessKeyID }}
            - name: "AWS_SECRET_ACCESS_KEY"
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.mastodon.s3.existingSecret }}
                  key: {{ .Values.mastodon.s3.secretKeys.s3AccessKey }}
            {{- end }}
          {{- if (not .Values.mastodon.s3.enabled) }}
          volumeMounts:
--- a/charts/mastodon/templates/secret-s3.yaml
+++ b/charts/mastodon/templates/secret-s3.yaml
@ -0,0 +1,16 @@
 {{- if and .Values.mastodon.s3.enabled (not .Values.mastodon.s3.existingSecret) }}
 apiVersion: v1
 kind: Secret
 metadata:
  name: {{ include "mastodon.fullname" . }}-s3
  labels:
    {{- include "mastodon.labels" . | nindent 4 }}
 type: Opaque
 data:
  AWS_ACCESS_KEY_ID: "{{ .Values.mastodon.s3.access_key | b64enc }}"
  AWS_SECRET_ACCESS_KEY: "{{ .Values.mastodon.s3.access_secret | b64enc }}"
  S3_BUCKET: {{ .Values.mastodon.s3.bucket | b64enc }}
  S3_ENDPOINT: {{ .Values.mastodon.s3.endpoint | b64enc }}
  S3_HOSTNAME: {{ .Values.mastodon.s3.hostname | b64enc }}
  S3_REGION: {{ .Values.mastodon.s3.region | b64enc }}
 {{- end }}
--- a/charts/mastodon/templates/secret-smtp.yaml
+++ b/charts/mastodon/templates/secret-smtp.yaml
@ -2,7 +2,7 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ printf "%s-smtp" (include "common.names.fullname" .) }}
+  name: {{ include "mastodon.fullname" . }}-smtp
  labels:
    {{- include "mastodon.labels" . | nindent 4 }}
 type: Opaque
--- a/charts/mastodon/templates/secret.yaml
+++ b/charts/mastodon/templates/secret.yaml
@ -0,0 +1,30 @@
 {{- if not .Values.mastodon.secrets.existingSecret }}
 apiVersion: v1
 kind: Secret
 metadata:
  name: {{ template "mastodon.fullname" . }}
  labels:
    {{- include "mastodon.labels" . | nindent 4 }}
 type: Opaque
 data:
  {{- if not (empty .Values.mastodon.secrets.secret_key_base) }}
  SECRET_KEY_BASE: "{{ .Values.mastodon.secrets.secret_key_base | b64enc }}"
  {{- else }}
  SECRET_KEY_BASE: {{ required "mastodon.secrets.secret_key_base is required if not using mastodon.secrets.existingSecret" .Values.mastodon.secrets.secret_key_base }}
  {{- end }}
  {{- if not (empty .Values.mastodon.secrets.otp_secret) }}
  OTP_SECRET: "{{ .Values.mastodon.secrets.otp_secret | b64enc }}"
  {{- else }}
  OTP_SECRET: {{ required "mastodon.secrets.otp_secret is required if not using mastodon.secrets.existingSecret" .Values.mastodon.secrets.otp_secret }}
  {{- end }}
  {{- if not (empty .Values.mastodon.secrets.vapid.private_key) }}
  VAPID_PRIVATE_KEY: "{{ .Values.mastodon.secrets.vapid.private_key | b64enc }}"
  {{- else }}
  VAPID_PRIVATE_KEY: {{ required "mastodon.secrets.vapid.private_key is required if not using mastodon.secrets.existingSecret" .Values.mastodon.secrets.vapid.private_key }}
  {{- end }}
  {{- if not (empty .Values.mastodon.secrets.vapid.public_key) }}
  VAPID_PUBLIC_KEY: "{{ .Values.mastodon.secrets.vapid.public_key | b64enc }}"
  {{- else }}
  VAPID_PUBLIC_KEY: {{ required "mastodon.secrets.vapid.public_key is required if not using mastodon.secrets.existingSecret" .Values.mastodon.secrets.vapid.public_key }}
  {{- end }}
 {{- end }}
--- a/charts/mastodon/templates/secrets.yaml
+++ b/charts/mastodon/templates/secrets.yaml
@ -1,43 +0,0 @@
 {{- if (include "mastodon.createSecret" .) -}}
 apiVersion: v1
 kind: Secret
 metadata:
  name: {{ template "mastodon.fullname" . }}
  labels:
    {{- include "mastodon.labels" . | nindent 4 }}
 type: Opaque
 data:
  {{- if .Values.mastodon.s3.enabled }}
  {{- if not .Values.mastodon.s3.existingSecret }}
  AWS_ACCESS_KEY_ID: "{{ .Values.mastodon.s3.access_key | b64enc }}"
  AWS_SECRET_ACCESS_KEY: "{{ .Values.mastodon.s3.access_secret | b64enc }}"
  {{- end }}
  {{- end }}
  {{- if not .Values.mastodon.secrets.existingSecret }}
  {{- if not (empty .Values.mastodon.secrets.secret_key_base) }}
  SECRET_KEY_BASE: "{{ .Values.mastodon.secrets.secret_key_base | b64enc }}"
  {{- else }}
  SECRET_KEY_BASE: {{ required "secret_key_base is required" .Values.mastodon.secrets.secret_key_base }}
  {{- end }}
  {{- if not (empty .Values.mastodon.secrets.otp_secret) }}
  OTP_SECRET: "{{ .Values.mastodon.secrets.otp_secret | b64enc }}"
  {{- else }}
  OTP_SECRET: {{ required "otp_secret is required" .Values.mastodon.secrets.otp_secret }}
  {{- end }}
  {{- if not (empty .Values.mastodon.secrets.vapid.private_key) }}
  VAPID_PRIVATE_KEY: "{{ .Values.mastodon.secrets.vapid.private_key | b64enc }}"
  {{- else }}
  VAPID_PRIVATE_KEY: {{ required "vapid.private_key is required" .Values.mastodon.secrets.vapid.private_key }}
  {{- end }}
  {{- if not (empty .Values.mastodon.secrets.vapid.public_key) }}
  VAPID_PUBLIC_KEY: "{{ .Values.mastodon.secrets.vapid.public_key | b64enc }}"
  {{- else }}
  VAPID_PUBLIC_KEY: {{ required "vapid.public_key is required" .Values.mastodon.secrets.vapid.public_key }}
  {{- end }}
  {{- end }}
  {{- if not .Values.postgresql.enabled }}
  {{- if not .Values.postgresql.auth.existingSecret }}
  password: "{{ .Values.postgresql.auth.password | b64enc }}"
  {{- end }}
  {{- end }}
 {{- end }}
--- a/charts/mastodon/values.yaml
+++ b/charts/mastodon/values.yaml
@ -1,17 +1,18 @@
 nameOverride: ""
 fullnameOverride: ""
 image:
  repository: ghcr.io/mastodon/mastodon
  # https://github.com/mastodon/mastodon/pkgs/container/mastodon
  # -- image repository to use
  repository: ghcr.io/mastodon/mastodon
  #
-  # alternatively, use `latest` for the latest release or `edge` for the image
+  # -- docker tag. use `latest` for the latest release or `edge` for the image built from the most recent commit
  # built from the most recent commit
  # tag: latest
  tag: ""
-  # use `Always` when using `latest` tag
+  # -- image pullPolicy - use `Always` when using `latest` tag
  pullPolicy: IfNotPresent
 mastodon:
-  # -- create an initial administrator user; the password is autogenerated and will
+  # -- create an initial administrator user; the password is autogenerated and will have to be reset
  # have to be reset
  createAdmin:
    # @ignored
    enabled: false
@ -19,11 +20,11 @@ mastodon:
    username: not_gargron
    # @ignored
    email: not@example.commit
-    # existingSecret: mastodon-admin
+    existingSecret: ""
-    # secretKeys:
+    secretKeys:
-    #   usernameKey: username
+      usernameKey: username
-    #   passwordKey: password
+      passwordKey: password
-    #   emailKey: email
+      emailKey: email
  cron:
    # -- run `tootctl media remove` every week
    removeMedia:
@ -62,9 +63,6 @@ mastodon:
    enabled: false
    access_key: ""
    access_secret: ""
    # -- you can also specify the name of an existing Secret
    # with keys AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
    existingSecret: ""
    bucket: ""
    endpoint: ""
    hostname: ""
@ -72,17 +70,27 @@ mastodon:
    permission: ""
    # -- If you have a caching proxy, enter its base URL here.
    alias_host: ""
-  # these must be set manually; autogenerated keys are rotated on each upgrade
+    # -- you can also specify the name of an existing Secret
    # with keys AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
    existingSecret: ""
    secretKeys:
      s3AccessKeyID: AWS_ACCESS_KEY_ID
      s3AccessKey: AWS_SECRET_ACCESS_KEY
      s3Bucket: ""
      s3Endpoint: ""
      s3Hostname: ""
      s3Region: ""
  secrets:
    # -- must be set manually; autogenerated keys are rotated on each upgrade
    secret_key_base: ""
    otp_secret: ""
    vapid:
      private_key: ""
      public_key: ""
-    # -- you can also specify the name of an existing Secret
+    # -- the name of an existing Secret to use. keys must be: VAPID_PRIVATE_KEY, VAPID_PUBLIC_KEY, SECRET_KEY_BASE, OTP_SECRET
    # with keys SECRET_KEY_BASE and OTP_SECRET and
    # VAPID_PRIVATE_KEY and VAPID_PUBLIC_KEY
    existingSecret: ""
  sidekiq:
    # -- Pod security context for all Sidekiq Pods, overwrites .Values.podSecurityContext
    podSecurityContext: {}
@ -151,7 +159,7 @@ mastodon:
    password:
    # -- Instead of defining login/password above, you can specify the name of an existing secret here. Login and
    # password must be located in keys named `login` and `password` respectively.
-    existingSecret:
+    existingSecret: ""
  streaming:
    port: 4000
    # -- this should be set manually since os.cpus() returns the number of CPUs on
@ -284,7 +292,7 @@ redis:
    password: ""
    # you can also specify the name of an existing Secret
    # with a key of redis-password set to the password you want
-    # existingSecret: ""
+    existingSecret: ""
 # @ignored
 service: