From 2a7be687cdbb9a96a5ab6be5c1707346b9409567 Mon Sep 17 00:00:00 2001
From: Tim Campbell
Date: Wed, 17 Apr 2024 13:48:05 +0200
Subject: [PATCH 1/3] Added values for active record encryption
---
 CHANGELOG.md | 18 ++++++++++++++++++
 Chart.yaml | 2 +-
 templates/_helpers.tpl | 6 +++---
 templates/secrets.yaml | 15 +++++++++++++++
 values.yaml | 18 ++++++++++++++----
 5 files changed, 51 insertions(+), 8 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8ef3161..2b6c100 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,21 @@
+# 5.1.0
+
+- Added values for Active Record Encryption in Redis:
+ ```yaml
+ mastodon:
+ secrets:
+ activeRecordEncryption:
+ primaryKey:
+ deterministicKey:
+ keyDerivationSalt:
+ ```
+
+- Small bugfix related to automatic secret generation
+
+# [5.0.0](https://github.com/mastodon/chart/commit/63a052b6a5c19dabd172c15c1fd74298dcc544b2)
+
+- Updated major versions of chart dependencies (postgres, redis, elasticsearch)
+
 # [4.0.0](https://github.com/mastodon/chart/compare/920cf37..ae892d5)
 - adds support for multiple Sidekiq deployments to be configured to manage
diff --git a/Chart.yaml b/Chart.yaml
index fea5144..15efa48 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time
 # you make changes to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 5.0.0
+version: 5.1.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 2c50146..81872f9 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -106,7 +106,7 @@ Get the mastodon secret.
 {{- if .Values.mastodon.secrets.existingSecret }}
 {{- printf "%s" (tpl .Values.mastodon.secrets.existingSecret $) -}}
 {{- else -}}
- {{- printf "%s" (include "common.names.fullname" .) -}}
+ {{- printf "%s" (include "mastodon.fullname" .) -}}
 {{- end -}}
 {{- end -}}
@@ -117,7 +117,7 @@ Get the smtp secret.
 {{- if .Values.mastodon.smtp.existingSecret }}
 {{- printf "%s" (tpl .Values.mastodon.smtp.existingSecret $) -}}
 {{- else -}}
- {{- printf "%s-smtp" (include "common.names.fullname" .) -}}
+ {{- printf "%s-smtp" (include "mastodon.fullname" .) -}}
 {{- end -}}
 {{- end -}}
@@ -130,7 +130,7 @@ Get the postgresql secret.
 {{- else if .Values.postgresql.enabled -}}
 {{- printf "%s-postgresql" (tpl .Release.Name $) -}}
 {{- else -}}
- {{- printf "%s" (include "common.names.fullname" .) -}}
+ {{- printf "%s" (include "mastodon.fullname" .) -}}
 {{- end -}}
 {{- end -}}
diff --git a/templates/secrets.yaml b/templates/secrets.yaml
index d1776ac..0eec2ab 100644
--- a/templates/secrets.yaml
+++ b/templates/secrets.yaml
@@ -34,6 +34,21 @@ data:
 {{- else }}
 VAPID_PUBLIC_KEY: {{ required "vapid.public_key is required" .Values.mastodon.secrets.vapid.public_key }}
 {{- end }}
+ {{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.primaryKey) }}
+ ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: "{{ .Values.mastodon.secrets.activeRecordEncryption.primaryKey | b64enc }}"
+ {{- else }}
+ ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: {{ required "activeRecordEncryption.primaryKey is required" .Values.mastodon.secrets.activeRecordEncryption.primaryKey }}
+ {{- end }}
+ {{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.deterministicKey) }}
+ ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: "{{ .Values.mastodon.secrets.activeRecordEncryption.deterministicKey | b64enc }}"
+ {{- else }}
+ ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: {{ required "activeRecordEncryption.deterministicKey is required" .Values.mastodon.secrets.activeRecordEncryption.deterministicKey }}
+ {{- end }}
+ {{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt) }}
+ ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: "{{ .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt | b64enc }}"
+ {{- else }}
+ ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: {{ required "activeRecordEncryption.keyDerivationSalt is required" .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt }}
+ {{- end }}
 {{- end }}
 {{- if not .Values.postgresql.enabled }}
 {{- if not .Values.postgresql.auth.existingSecret }}
diff --git a/values.yaml b/values.yaml
index 3c7d948..3afcc10 100644
--- a/values.yaml
+++ b/values.yaml
@@ -78,7 +78,7 @@ mastodon:
 permission: ""
 # -- If you have a caching proxy, enter its base URL here.
 alias_host: ""
- # -- Set this to true if the storage provider uses domain style 'bucket.endpoint' naming
+ # -- Set this to true if the storage provider uses domain style 'bucket.endpoint' naming
 # override_path_style: "true"
 deepl:
 enabled: false
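Review bot: Every release that leaves `mastodon.secrets.existingSecret` empty must now supply all three `activeRecordEncryption` values, because each new `{{- else }}` branch calls `required` and aborts rendering, so a values file that deployed 5.0.0 fails `helm upgrade` to 5.1.0 although only the minor version was bumped and the CHANGELOG hunk describes the values merely as added. The template pattern mirrors the existing VAPID keys, so what is missing is documentation of the hard requirement rather than a code change. I would add a comment above the new `activeRecordEncryption:` block in the values.yaml hunk of this patch (`@@ -99,9 +99,19 @@`), e.g. `# -- Required unless existingSecret is set; generate all three with 'rails db:encryption:init' and keep them out of version control`, and state the upgrade impact in the CHANGELOG entry. The `{{- if }}` closed by the context `{{- end }}` right after the new lines starts outside the hunk.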
@@ -99,9 +99,19 @@ mastodon:
 vapid:
 private_key: ""
 public_key: ""
+ activeRecordEncryption:
+ primaryKey: ""
+ deterministicKey: ""
+ keyDerivationSalt: ""
 # -- you can also specify the name of an existing Secret
- # with keys SECRET_KEY_BASE and OTP_SECRET and
- # VAPID_PRIVATE_KEY and VAPID_PUBLIC_KEY
+ # with keys:
+ # - SECRET_KEY_BASE
+ # - OTP_SECRET
+ # - VAPID_PRIVATE_KEY
+ # - VAPID_PUBLIC_KEY
+ # - ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
+ # - ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY
+ # - ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
 existingSecret: ""
 # -- The number of old revisions to keep for each Deployment in Kubernetes.
@@ -285,7 +295,7 @@ mastodon:
 # Specify extra environment variables to be added to all Mastodon pods.
 # These can be used for configuration not included in this chart (including configuration for Mastodon varietals.)
 extraEnvVars: {}
-
+
 # Alternatively specify extra environment variables stored in a ConfigMap.
 # The specified ConfigMap should contain the additional environment variables in key-value format.
 # extraEnvFrom:
From 5fb5416a11ce986f3f4424fd1da3cde2250cf9a2 Mon Sep 17 00:00:00 2001
From: Tim Campbell
Date: Wed, 17 Apr 2024 13:51:47 +0200
Subject: [PATCH 2/3] Add dev values for testing
---
 dev-values.yaml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/dev-values.yaml b/dev-values.yaml
index b3a963e..18b4095 100644
--- a/dev-values.yaml
+++ b/dev-values.yaml
@@ -7,6 +7,11 @@ mastodon:
 vapid:
 private_key: dummy-vapid-private_key
 public_key: dummy-vapid-public_key
+ activeRecordEncryption:
+ primaryKey: dummy-are-primary_key
+ deterministicKey: dummy-are-deterministic_key
+ keyDerivationSalt: dummy-are-key_derivation_salt
+
 # ref: https://github.com/bitnami/charts/tree/main/bitnami/redis#parameters
 redis:
From 674d9c4252751095a1ce00b26270ab5c567ddd81 Mon Sep 17 00:00:00 2001
From: Matthew Abbott
Date: Thu, 18 Apr 2024 04:47:34 -0500
Subject: [PATCH 3/3] Add values to inject trusted certs into streaming (#92)
Co-authored-by: Tim Campbell
---
 templates/deployment-streaming.yaml | 28 ++++++++++++++++++++++++++++
 values.yaml | 8 ++++++++
 2 files changed, 36 insertions(+)
diff --git a/templates/deployment-streaming.yaml b/templates/deployment-streaming.yaml
index e64d38f..8d66361 100644
--- a/templates/deployment-streaming.yaml
+++ b/templates/deployment-streaming.yaml
@@ -39,6 +39,16 @@ spec:
 securityContext:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- with .Values.mastodon.streaming.extraCerts }}
+ {{- $name := .name | default "extra-certs" }}
+ volumes:
+ - name: {{ $name }}
+ secret:
+ secretName: {{ .existingSecret }}
+ items:
+ - key: ca.crt
+ path: trusted-ca.crt
+ {{- end }}
 containers:
 - name: {{ .Chart.Name }}-streaming
 {{- with (default .Values.securityContext .Values.mastodon.streaming.securityContext) }}
@@ -50,6 +60,12 @@ spec:
 command:
 - node
 - ./streaming
+ {{- with .Values.mastodon.streaming.extraCerts }}
+ {{- $name := .name | default "extra-certs" }}
+ volumeMounts:
+ - name: {{ $name }}
+ mountPath: "/usr/local/share/ca-certificates"
+ {{- end }}
 envFrom:
 - configMapRef:
 name: {{ include "mastodon.fullname" . }}-env
@@ -58,6 +74,18 @@ spec:
 name: {{ .Values.mastodon.extraEnvFrom }}
 {{- end}}
 env:
+ {{- with .Values.mastodon.streaming.extraCerts }}
+ - name: "NODE_EXTRA_CA_CERTS"
+ value: "/usr/local/share/ca-certificates/trusted-ca.crt"
+ {{- with .sslMode }}
+ - name: "DB_SSLMODE"
+ value: {{ . }}
+ {{- end }}
+ {{- end }}
+ {{- with .Values.postgresql.postgresqlReplicaHostname }}
+ - name: "DB_HOST"
+ value: {{ . }}
+ {{- end }}
 - name: "DB_PASS"
 valueFrom:
 secretKeyRef:
diff --git a/values.yaml b/values.yaml
index 3afcc10..e2cefda 100644
--- a/values.yaml
+++ b/values.yaml
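Review bot: `secretName: {{ .existingSecret }}` in the new `volumes:` entry renders empty when `extraCerts` is set with only `name` or `sslMode`, so the failure surfaces late, at apply time or as pods that cannot start, with a message that does not name the missing value. `secretName: {{ required "mastodon.streaming.extraCerts.existingSecret is required" .existingSecret }}` turns that into a template-time error. The `volumeMounts:` hunk mounts the Secret over the whole `/usr/local/share/ca-certificates` directory, which hides anything the image ships there; since `NODE_EXTRA_CA_CERTS` points at the single `trusted-ca.crt`, a `subPath: trusted-ca.crt` mount of just that file is the safer shape, or at least a comment stating that shadowing the directory is intended. Whether the pod spec already declares `volumes:` elsewhere in this template cannot be seen from these hunks; a second `volumes:` key would be a duplicate-key problem, so that is worth checking. The enclosing pod spec begins outside the hunk.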
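Review bot: `value: {{ . }}` for the new `DB_SSLMODE` and `DB_HOST` entries in the `env:` hunk is rendered unquoted, while Kubernetes requires an env `value` to be a string; anything the YAML parser types as a non-string (a purely numeric host, for instance) is rejected by the API server. `value: {{ . | quote }}` avoids that and matches the quoted `NODE_EXTRA_CA_CERTS` value a few lines above. `DB_HOST` is sourced from `.Values.postgresql.postgresqlReplicaHostname`, which the values.yaml hunk of this patch does not add, so it is presumably an existing value; if it is not, it needs a documented default there. The `env:` list continues outside the hunk.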
@@ -230,6 +230,14 @@ mastodon:
 # requests:
 # cpu: 250m
 # memory: 128Mi
+ # -- Self-signed certificate(s) the (Node.js) needs to trust to connect to e.g. the database
+ extraCerts: {}
+ # -- Secret containing a key "ca.crt" holding one or more root certificates in PEM format
+ # existingSecret:
+ # -- Optional volume name for mounting the .crt file, defaults to "extra-certs"
+ # name:
+ # -- Optional sslMode setting. See nodejs's SSL_MODE. Consider "no-verify"
+ # sslMode:
 web:
 port: 3000
 # -- Number of Web Pods running
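Review bot: The `sslMode` comment steers users towards `"no-verify"`, which disables server certificate verification and so defeats the purpose of the CA bundle this same block mounts; the comment should recommend a verifying mode and reserve `no-verify` for troubleshooting. The first comment also has a grammar slip (`the (Node.js) needs`), and what the user supplies is a CA certificate rather than necessarily a self-signed one. I would reword the `# --` lines to `# -- Extra CA certificate(s) the Node.js streaming server should trust, e.g. for a TLS-enabled database`, `# -- Secret with key "ca.crt" holding one or more PEM root certificates`, and `# -- Optional DB_SSLMODE passed to the streaming server; prefer a verifying mode, use "no-verify" only for troubleshooting`. The mapping these keys sit under (presumably `streaming:`) starts outside the hunk.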