Merge branch 'main' into upgrade-app-to-4.2.8

CHANGELOG.md

@@ -1,3 +1,21 @@
+# 5.1.0
+
+- Added values for Active Record Encryption in Redis:
+    ```yaml
+    mastodon:
+      secrets:
+        activeRecordEncryption:
+          primaryKey:
+          deterministicKey:
+          keyDerivationSalt:
+    ```
+
+- Small bugfix related to automatic secret generation
+
+# [5.0.0](https://github.com/mastodon/chart/commit/63a052b6a5c19dabd172c15c1fd74298dcc544b2)
+
+- Updated major versions of chart dependencies (postgres, redis, elasticsearch)
+
 # [4.0.0](https://github.com/mastodon/chart/compare/920cf37..ae892d5)
 
 - adds support for multiple Sidekiq deployments to be configured to manage

Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time
 # you make changes to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 5.0.1
+version: 5.1.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

dev-values.yaml

@@ -7,6 +7,11 @@ mastodon:
     vapid:
       private_key: dummy-vapid-private_key
       public_key: dummy-vapid-public_key
+    activeRecordEncryption:
+      primaryKey: dummy-are-primary_key
+      deterministicKey: dummy-are-deterministic_key
+      keyDerivationSalt: dummy-are-key_derivation_salt
+
 
 # ref: https://github.com/bitnami/charts/tree/main/bitnami/redis#parameters
 redis:

templates/_helpers.tpl

@@ -106,7 +106,7 @@ Get the mastodon secret.
 {{- if .Values.mastodon.secrets.existingSecret }}
     {{- printf "%s" (tpl .Values.mastodon.secrets.existingSecret $) -}}
 {{- else -}}
-    {{- printf "%s" (include "common.names.fullname" .) -}}
+    {{- printf "%s" (include "mastodon.fullname" .) -}}
 {{- end -}}
 {{- end -}}
 
@@ -117,7 +117,7 @@ Get the smtp secret.
 {{- if .Values.mastodon.smtp.existingSecret }}
     {{- printf "%s" (tpl .Values.mastodon.smtp.existingSecret $) -}}
 {{- else -}}
-    {{- printf "%s-smtp" (include "common.names.fullname" .) -}}
+    {{- printf "%s-smtp" (include "mastodon.fullname" .) -}}
 {{- end -}}
 {{- end -}}
 
@@ -130,7 +130,7 @@ Get the postgresql secret.
 {{- else if .Values.postgresql.enabled -}}
     {{- printf "%s-postgresql" (tpl .Release.Name $) -}}
 {{- else -}}
-    {{- printf "%s" (include "common.names.fullname" .) -}}
+    {{- printf "%s" (include "mastodon.fullname" .) -}}
 {{- end -}}
 {{- end -}}
 

templates/deployment-streaming.yaml

@@ -39,6 +39,16 @@ spec:
       securityContext:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.mastodon.streaming.extraCerts }}
+      {{- $name := .name | default "extra-certs" }}
+      volumes:
+        - name: {{ $name }}
+          secret:
+            secretName: {{ .existingSecret }}
+            items:
+            - key: ca.crt
+              path: trusted-ca.crt
+      {{- end }}
       containers:
         - name: {{ .Chart.Name }}-streaming
           {{- with (default .Values.securityContext .Values.mastodon.streaming.securityContext) }}
@@ -50,6 +60,12 @@ spec:
           command:
             - node
             - ./streaming
+          {{- with .Values.mastodon.streaming.extraCerts }}
+          {{- $name := .name | default "extra-certs" }}
+          volumeMounts:
+          - name: {{ $name }}
+            mountPath: "/usr/local/share/ca-certificates"
+          {{- end }}
           envFrom:
             - configMapRef:
                 name: {{ include "mastodon.fullname" . }}-env
@@ -58,6 +74,18 @@ spec:
                 name: {{ .Values.mastodon.extraEnvFrom }}
             {{- end}}
           env:
+            {{- with .Values.mastodon.streaming.extraCerts }}
+            - name: "NODE_EXTRA_CA_CERTS"
+              value: "/usr/local/share/ca-certificates/trusted-ca.crt"
+            {{- with .sslMode }}
+            - name: "DB_SSLMODE"
+              value: {{ . }}
+            {{- end }}
+            {{- end }}
+            {{- with .Values.postgresql.postgresqlReplicaHostname }}
+            - name: "DB_HOST"
+              value: {{ . }}
+            {{- end }}
             - name: "DB_PASS"
               valueFrom:
                 secretKeyRef:

templates/secrets.yaml

@@ -34,6 +34,21 @@ data:
   {{- else }}
   VAPID_PUBLIC_KEY: {{ required "vapid.public_key is required" .Values.mastodon.secrets.vapid.public_key }}
   {{- end }}
+  {{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.primaryKey) }}
+  ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: "{{ .Values.mastodon.secrets.activeRecordEncryption.primaryKey | b64enc }}"
+  {{- else }}
+  ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: {{ required "activeRecordEncryption.primaryKey is required" .Values.mastodon.secrets.activeRecordEncryption.primaryKey }}
+  {{- end }}
+  {{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.deterministicKey) }}
+  ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: "{{ .Values.mastodon.secrets.activeRecordEncryption.deterministicKey | b64enc }}"
+  {{- else }}
+  ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: {{ required "activeRecordEncryption.deterministicKey is required" .Values.mastodon.secrets.activeRecordEncryption.deterministicKey }}
+  {{- end }}
+  {{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt) }}
+  ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: "{{ .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt | b64enc }}"
+  {{- else }}
+  ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: {{ required "activeRecordEncryption.keyDerivationSalt is required" .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt }}
+  {{- end }}
   {{- end }}
   {{- if not .Values.postgresql.enabled }}
   {{- if not .Values.postgresql.auth.existingSecret }}

values.yaml

@@ -78,7 +78,7 @@ mastodon:
     permission: ""
     # -- If you have a caching proxy, enter its base URL here.
     alias_host: ""
-    # -- Set this to true if the storage provider uses domain style 'bucket.endpoint' naming 
+    # -- Set this to true if the storage provider uses domain style 'bucket.endpoint' naming
     # override_path_style: "true"
   deepl:
     enabled: false
@@ -99,9 +99,19 @@ mastodon:
     vapid:
       private_key: ""
       public_key: ""
+    activeRecordEncryption:
+      primaryKey: ""
+      deterministicKey: ""
+      keyDerivationSalt: ""
     # -- you can also specify the name of an existing Secret
-    # with keys SECRET_KEY_BASE and OTP_SECRET and
+    # with keys:
-    # VAPID_PRIVATE_KEY and VAPID_PUBLIC_KEY
+    # - SECRET_KEY_BASE
+    # - OTP_SECRET
+    # - VAPID_PRIVATE_KEY
+    # - VAPID_PUBLIC_KEY
+    # - ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
+    # - ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY
+    # - ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
     existingSecret: ""
 
   # -- The number of old revisions to keep for each Deployment in Kubernetes.
@@ -220,6 +230,14 @@ mastodon:
     # requests:
     #   cpu: 250m
     #   memory: 128Mi
+    # -- Self-signed certificate(s) the (Node.js) needs to trust to connect to e.g. the database
+    extraCerts: {}
+    # -- Secret containing a key "ca.crt" holding one or more root certificates in PEM format
+    #  existingSecret:
+    # -- Optional volume name for mounting the .crt file, defaults to "extra-certs"
+    #  name:
+    # -- Optional sslMode setting. See nodejs's SSL_MODE. Consider "no-verify"
+    #  sslMode:
   web:
     port: 3000
     # -- Number of Web Pods running
@@ -285,7 +303,7 @@ mastodon:
   # Specify extra environment variables to be added to all Mastodon pods.
   # These can be used for configuration not included in this chart (including configuration for Mastodon varietals.)
   extraEnvVars: {}
-  
+
   # Alternatively specify extra environment variables stored in a ConfigMap.
   # The specified ConfigMap should contain the additional environment variables in key-value format.
   # extraEnvFrom: <config-map-name>