From a066e0b236ee97a1444587839672d9a0b6876092 Mon Sep 17 00:00:00 2001
From: jessebot
Date: Fri, 14 Jul 2023 10:13:18 +0200
Subject: [PATCH] cleaning up secrets and adding more s3 existingSecret secretKeys
---
 charts/mastodon/Chart.yaml | 2 +-
 charts/mastodon/dev-values.yaml | 20 +++++++--
 charts/mastodon/templates/_helpers.tpl | 15 +------
 charts/mastodon/templates/configmap-env.yaml | 6 ---
 charts/mastodon/templates/deployment-web.yaml | 26 +++++++++-
 .../mastodon/templates/secret-mastodon.yaml | 30 +++++++++++++
 charts/mastodon/templates/secret-s3.yaml | 16 +++++++
 charts/mastodon/templates/secret-smtp.yaml | 2 +-
 charts/mastodon/templates/secrets.yaml | 43 -------------------
 charts/mastodon/values.yaml | 24 ++++++++---
 10 files changed, 107 insertions(+), 77 deletions(-)
 create mode 100644 charts/mastodon/templates/secret-mastodon.yaml
 create mode 100644 charts/mastodon/templates/secret-s3.yaml
 delete mode 100644 charts/mastodon/templates/secrets.yaml
diff --git a/charts/mastodon/Chart.yaml b/charts/mastodon/Chart.yaml
index 9064417..267399a 100644
--- a/charts/mastodon/Chart.yaml
+++ b/charts/mastodon/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 4.0.8
+version: 4.0.9
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/charts/mastodon/dev-values.yaml b/charts/mastodon/dev-values.yaml
index d84c1e0..004c383 100644
--- a/charts/mastodon/dev-values.yaml
+++ b/charts/mastodon/dev-values.yaml
@@ -64,9 +64,6 @@ mastodon:
 enabled: false
 access_key: ""
 access_secret: ""
- # -- you can also specify the name of an existing Secret
- # with keys AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
- existingSecret: ""
 bucket: ""
 endpoint: ""
 hostname: ""
@@ -74,6 +71,17 @@ mastodon:
 permission: ""
 # -- If you have a caching proxy, enter its base URL here.
 alias_host: ""
+ # -- you can also specify the name of an existing Secret
+ # with keys AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
+ existingSecret: ""
+ secretKeys:
+ s3AccessKeyID: AWS_ACCESS_KEY_ID
+ s3AccessKey: AWS_SECRET_ACCESS_KEY
+ s3Bucket: ""
+ s3Endpoint: ""
+ s3Hostname: ""
+ s3Region: ""
+
 # these must be set manually; autogenerated keys are rotated on each upgrade
 secrets:
 secret_key_base: dummy-secret_key_base
@@ -85,6 +93,12 @@ mastodon:
 # with keys SECRET_KEY_BASE and OTP_SECRET and
 # VAPID_PRIVATE_KEY and VAPID_PUBLIC_KEY
 # existingSecret: ""
+ # secretKeys:
+ # vapidPrivateKey: VAPID_PRIVATE_KEY
+ # vapidPublicKey: VAPID_PUBLIC_KEY
+ # secretKeyBase: SECRET_KEY_BASE
+ # otpSecret: OTP_SECRET
+
 sidekiq:
 # -- Pod security context for all Sidekiq Pods, overwrites .Values.podSecurityContext
 podSecurityContext: {}
diff --git a/charts/mastodon/templates/_helpers.tpl b/charts/mastodon/templates/_helpers.tpl
index 6331a26..d1de112 100644
--- a/charts/mastodon/templates/_helpers.tpl
+++ b/charts/mastodon/templates/_helpers.tpl
@@ -58,7 +58,7 @@ Rolling pod annotations
 {{- if .Values.revisionPodAnnotation }}
 rollme: {{ .Release.Revision | quote }}
 {{- end }}
-checksum/config-secrets: {{ include ( print $.Template.BasePath "/secrets.yaml" ) . | sha256sum | quote }}
+checksum/config-secrets: {{ include ( print $.Template.BasePath "/secret-mastodon.yaml" ) . | sha256sum | quote }}
 checksum/config-configmap: {{ include ( print $.Template.BasePath "/configmap-env.yaml" ) . | sha256sum | quote }}
 {{- end }}
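Review bot: The re-added `existingSecret` comment in the second hunk still says the Secret only needs `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`, but deployment-web.yaml in this same patch now also reads bucket, endpoint, hostname and region from that Secret under the names given in `secretKeys`, and those four names default to `""`. A user who follows the comment therefore gets a Deployment whose `secretKeyRef.key` renders empty for the new entries. Update the comment to list all six keys and give the new entries non-empty defaults matching what secret-s3.yaml writes, `s3Bucket: S3_BUCKET`, `s3Endpoint: S3_ENDPOINT`, `s3Hostname: S3_HOSTNAME`, `s3Region: S3_REGION`. The same comment and defaults appear in the values.yaml hunks at the end of the patch.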
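Review bot: `checksum/config-secrets` now hashes only secret-mastodon.yaml, so a change to the S3 credentials in the new secret-s3.yaml (or to secret-smtp.yaml) no longer triggers a pod rollout, whereas the deleted secrets.yaml that this annotation used to hash also carried the S3 keys. Add the new template to the rolling annotations, e.g. `checksum/config-secret-s3: {{ include ( print $.Template.BasePath "/secret-s3.yaml" ) . | sha256sum | quote }}`. The enclosing define starts outside the hunk.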
@@ -137,19 +137,6 @@ Get the redis secret.
 {{- end -}}
 {{- end -}}
-{{/*
-Return true if a mastodon secret object should be created
-*/}}
-{{- define "mastodon.createSecret" -}}
-{{- if (or
- (and .Values.mastodon.s3.enabled (not .Values.mastodon.s3.existingSecret))
- (not .Values.mastodon.secrets.existingSecret )
- (and (not .Values.postgresql.enabled) (not .Values.postgresql.auth.existingSecret))
- ) -}}
- {{- true -}}
-{{- end -}}
-{{- end -}}
-
 {{/*
 Find highest number of needed database connections to set DB_POOL variable
 */}}
diff --git a/charts/mastodon/templates/configmap-env.yaml b/charts/mastodon/templates/configmap-env.yaml
index 11eb9c7..cf29227 100644
--- a/charts/mastodon/templates/configmap-env.yaml
+++ b/charts/mastodon/templates/configmap-env.yaml
@@ -50,17 +50,11 @@ data:
 {{- end }}
 REDIS_PORT: {{ .Values.redis.port | default "6379" | quote }}
 {{- if .Values.mastodon.s3.enabled }}
- S3_BUCKET: {{ .Values.mastodon.s3.bucket }}
 S3_ENABLED: "true"
- S3_ENDPOINT: {{ .Values.mastodon.s3.endpoint }}
- S3_HOSTNAME: {{ .Values.mastodon.s3.hostname }}
 S3_PROTOCOL: "https"
 {{- if .Values.mastodon.s3.permission }}
 S3_PERMISSION: {{ .Values.mastodon.s3.permission }}
 {{- end }}
- {{- with .Values.mastodon.s3.region }}
- S3_REGION: {{ . }}
- {{- end }}
 {{- with .Values.mastodon.s3.alias_host }}
 S3_ALIAS_HOST: {{ . }}
 {{- end }}
diff --git a/charts/mastodon/templates/deployment-web.yaml b/charts/mastodon/templates/deployment-web.yaml
index 420c277..d04db8f 100644
--- a/charts/mastodon/templates/deployment-web.yaml
+++ b/charts/mastodon/templates/deployment-web.yaml
@@ -95,16 +95,36 @@ spec:
 value: {{ .Values.mastodon.web.persistentTimeout | quote }}
 {{- end }}
 {{- if (and .Values.mastodon.s3.enabled .Values.mastodon.s3.existingSecret) }}
- - name: "AWS_SECRET_ACCESS_KEY"
+ - name: "S3_HOSTNAME"
 valueFrom:
 secretKeyRef:
 name: {{ .Values.mastodon.s3.existingSecret }}
- key: AWS_SECRET_ACCESS_KEY
+ key: {{ .Values.mastodon.s3.secretKeys.s3Hostname }}
+ - name: "S3_ENDPOINT"
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.mastodon.s3.existingSecret }}
+ key: {{ .Values.mastodon.s3.secretKeys.s3Endpoint }}
+ - name: "S3_REGION"
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.mastodon.s3.existingSecret }}
+ key: {{ .Values.mastodon.s3.secretKeys.s3Region }}
+ - name: "S3_BUCKET"
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.mastodon.s3.existingSecret }}
+ key: {{ .Values.mastodon.s3.secretKeys.s3Bucket }}
 - name: "AWS_ACCESS_KEY_ID"
 valueFrom:
 secretKeyRef:
 name: {{ .Values.mastodon.s3.existingSecret }}
- key: AWS_ACCESS_KEY_ID
+ key: {{ .Values.mastodon.s3.secretKeys.s3AccessKeyID }}
+ - name: "AWS_SECRET_ACCESS_KEY"
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.mastodon.s3.existingSecret }}
+ key: {{ .Values.mastodon.s3.secretKeys.s3AccessKey }}
 {{- end }}
 {{- if (not .Values.mastodon.s3.enabled) }}
 volumeMounts:
diff --git a/charts/mastodon/templates/secret-mastodon.yaml b/charts/mastodon/templates/secret-mastodon.yaml
new file mode 100644
index 0000000..1e0f9ed
--- /dev/null
+++ b/charts/mastodon/templates/secret-mastodon.yaml
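Review bot: The four new `key:` lines for `S3_HOSTNAME`, `S3_ENDPOINT`, `S3_REGION` and `S3_BUCKET` render empty with the chart's shipped defaults, because the values.yaml hunk in this patch sets `s3Bucket`, `s3Endpoint`, `s3Hostname` and `s3Region` to `""`, and `secretKeyRef.key` is required, so the Deployment is rejected unless every user of `existingSecret` overrides all four. `S3_REGION` was optional in the configmap-env.yaml block this replaces, so that entry in particular should stay skippable. Either give the names non-empty defaults in values.yaml or guard each entry, e.g. `{{- with .Values.mastodon.s3.secretKeys.s3Region }}` … `key: {{ . | quote }}` … `{{- end }}`; quoting the key also keeps a user-supplied name from being parsed as a non-string scalar. The container spec this env list belongs to starts and ends outside the hunk.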
@@ -0,0 +1,30 @@
+{{- if not .Values.mastodon.secrets.existingSecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "mastodon.fullname" . }}
+ labels:
+ {{- include "mastodon.labels" . | nindent 4 }}
+type: Opaque
+data:
+ {{- if not (empty .Values.mastodon.secrets.secret_key_base) }}
+ SECRET_KEY_BASE: "{{ .Values.mastodon.secrets.secret_key_base | b64enc }}"
+ {{- else }}
+ SECRET_KEY_BASE: {{ required "mastodon.secrets.secret_key_base is required if not using mastodon.secrets.existingSecret" .Values.mastodon.secrets.secret_key_base }}
+ {{- end }}
+ {{- if not (empty .Values.mastodon.secrets.otp_secret) }}
+ OTP_SECRET: "{{ .Values.mastodon.secrets.otp_secret | b64enc }}"
+ {{- else }}
+ OTP_SECRET: {{ required "mastodon.secrets.otp_secret is required if not using mastodon.secrets.existingSecret" .Values.mastodon.secrets.otp_secret }}
+ {{- end }}
+ {{- if not (empty .Values.mastodon.secrets.vapid.private_key) }}
+ VAPID_PRIVATE_KEY: "{{ .Values.mastodon.secrets.vapid.private_key | b64enc }}"
+ {{- else }}
+ VAPID_PRIVATE_KEY: {{ required "mastodon.secrets.vapid.private_key is required if not using mastodon.secrets.existingSecret" .Values.mastodon.secrets.vapid.private_key }}
+ {{- end }}
+ {{- if not (empty .Values.mastodon.secrets.vapid.public_key) }}
+ VAPID_PUBLIC_KEY: "{{ .Values.mastodon.secrets.vapid.public_key | b64enc }}"
+ {{- else }}
+ VAPID_PUBLIC_KEY: {{ required "mastodon.secrets.vapid.public_key is required if not using mastodon.secrets.existingSecret" .Values.mastodon.secrets.vapid.public_key }}
+ {{- end }}
+{{- end }}
diff --git a/charts/mastodon/templates/secret-s3.yaml b/charts/mastodon/templates/secret-s3.yaml
new file mode 100644
index 0000000..85952fe
--- /dev/null
+++ b/charts/mastodon/templates/secret-s3.yaml
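Review bot: The deleted secrets.yaml also wrote a `password` entry for an external PostgreSQL (when `postgresql.enabled` is false and `postgresql.auth.existingSecret` is unset) into the `{{ template "mastodon.fullname" . }}` Secret that this file now produces, and nothing in this patch recreates that entry. Unless it moved to a template outside the diff, whatever looks up the database password in that Secret no longer finds the key. Carry the `{{- if not .Values.postgresql.enabled }}` block over into this file or give the password its own secret template, and extend the top-level `if` so the Secret is still rendered when only that branch applies.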
@@ -0,0 +1,16 @@
+{{- if and .Values.mastodon.s3.enabled (not .Values.mastodon.s3.existingSecret) }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "mastodon.fullname" . }}-s3
+ labels:
+ {{- include "mastodon.labels" . | nindent 4 }}
+type: Opaque
+data:
+ AWS_ACCESS_KEY_ID: "{{ .Values.mastodon.s3.access_key | b64enc }}"
+ AWS_SECRET_ACCESS_KEY: "{{ .Values.mastodon.s3.access_secret | b64enc }}"
+ S3_BUCKET: {{ .Values.mastodon.s3.bucket | b64enc }}
+ S3_ENDPOINT: {{ .Values.mastodon.s3.endpoint | b64enc }}
+ S3_HOSTNAME: {{ .Values.mastodon.s3.hostname | b64enc }}
+ S3_REGION: {{ .Values.mastodon.s3.region | b64enc }}
+{{- end }}
diff --git a/charts/mastodon/templates/secret-smtp.yaml b/charts/mastodon/templates/secret-smtp.yaml
index 98b15f3..a7f0a67 100644
--- a/charts/mastodon/templates/secret-smtp.yaml
+++ b/charts/mastodon/templates/secret-smtp.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 kind: Secret
 metadata:
- name: {{ printf "%s-smtp" (include "common.names.fullname" .) }}
+ name: {{ include "mastodon.fullname" . }}-smtp
 labels:
 {{- include "mastodon.labels" . | nindent 4 }}
 type: Opaque
diff --git a/charts/mastodon/templates/secrets.yaml b/charts/mastodon/templates/secrets.yaml
deleted file mode 100644
index d1776ac..0000000
--- a/charts/mastodon/templates/secrets.yaml
+++ /dev/null
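Review bot: `S3_BUCKET`, `S3_ENDPOINT`, `S3_HOSTNAME` and `S3_REGION` are emitted unquoted, unlike the two AWS entries above them, so with the chart's default empty `region` the line renders as `S3_REGION:` with no value, which YAML reads as null rather than an empty string; `S3_REGION` was optional in the configmap-env.yaml block this Secret replaces, so it should stay optional here. Quote the four values the way the AWS keys are quoted and wrap the region as `{{- with .Values.mastodon.s3.region }}` / `S3_REGION: {{ . | b64enc | quote }}` / `{{- end }}`. Separately, this Secret is named `<fullname>-s3` while the deleted secrets.yaml wrote the S3 keys into the `<fullname>` Secret, and no hunk in this patch points a pod at the new name; if the web, sidekiq or other deployments load the old Secret via `envFrom` outside this diff, that reference needs updating or the S3 settings are silently absent from the pods.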
@@ -1,43 +0,0 @@
-{{- if (include "mastodon.createSecret" .) -}}
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ template "mastodon.fullname" . }}
- labels:
- {{- include "mastodon.labels" . | nindent 4 }}
-type: Opaque
-data:
- {{- if .Values.mastodon.s3.enabled }}
- {{- if not .Values.mastodon.s3.existingSecret }}
- AWS_ACCESS_KEY_ID: "{{ .Values.mastodon.s3.access_key | b64enc }}"
- AWS_SECRET_ACCESS_KEY: "{{ .Values.mastodon.s3.access_secret | b64enc }}"
- {{- end }}
- {{- end }}
- {{- if not .Values.mastodon.secrets.existingSecret }}
- {{- if not (empty .Values.mastodon.secrets.secret_key_base) }}
- SECRET_KEY_BASE: "{{ .Values.mastodon.secrets.secret_key_base | b64enc }}"
- {{- else }}
- SECRET_KEY_BASE: {{ required "secret_key_base is required" .Values.mastodon.secrets.secret_key_base }}
- {{- end }}
- {{- if not (empty .Values.mastodon.secrets.otp_secret) }}
- OTP_SECRET: "{{ .Values.mastodon.secrets.otp_secret | b64enc }}"
- {{- else }}
- OTP_SECRET: {{ required "otp_secret is required" .Values.mastodon.secrets.otp_secret }}
- {{- end }}
- {{- if not (empty .Values.mastodon.secrets.vapid.private_key) }}
- VAPID_PRIVATE_KEY: "{{ .Values.mastodon.secrets.vapid.private_key | b64enc }}"
- {{- else }}
- VAPID_PRIVATE_KEY: {{ required "vapid.private_key is required" .Values.mastodon.secrets.vapid.private_key }}
- {{- end }}
- {{- if not (empty .Values.mastodon.secrets.vapid.public_key) }}
- VAPID_PUBLIC_KEY: "{{ .Values.mastodon.secrets.vapid.public_key | b64enc }}"
- {{- else }}
- VAPID_PUBLIC_KEY: {{ required "vapid.public_key is required" .Values.mastodon.secrets.vapid.public_key }}
- {{- end }}
- {{- end }}
- {{- if not .Values.postgresql.enabled }}
- {{- if not .Values.postgresql.auth.existingSecret }}
- password: "{{ .Values.postgresql.auth.password | b64enc }}"
- {{- end }}
- {{- end }}
-{{- end }}
diff --git a/charts/mastodon/values.yaml b/charts/mastodon/values.yaml
index a7d9ac1..aee532a 100644
--- a/charts/mastodon/values.yaml
+++ b/charts/mastodon/values.yaml
@@ -62,9 +62,6 @@ mastodon:
 enabled: false
 access_key: ""
 access_secret: ""
- # -- you can also specify the name of an existing Secret
- # with keys AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
- existingSecret: ""
 bucket: ""
 endpoint: ""
 hostname: ""
@@ -72,17 +69,32 @@ mastodon:
 permission: ""
 # -- If you have a caching proxy, enter its base URL here.
 alias_host: ""
- # these must be set manually; autogenerated keys are rotated on each upgrade
+ # -- you can also specify the name of an existing Secret
+ # with keys AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
+ existingSecret: ""
+ secretKeys:
+ s3AccessKeyID: AWS_ACCESS_KEY_ID
+ s3AccessKey: AWS_SECRET_ACCESS_KEY
+ s3Bucket: ""
+ s3Endpoint: ""
+ s3Hostname: ""
+ s3Region: ""
+
 secrets:
+ # these must be set manually; autogenerated keys are rotated on each upgrade
 secret_key_base: ""
 otp_secret: ""
 vapid:
 private_key: ""
 public_key: ""
 # -- you can also specify the name of an existing Secret
- # with keys SECRET_KEY_BASE and OTP_SECRET and
- # VAPID_PRIVATE_KEY and VAPID_PUBLIC_KEY
 existingSecret: ""
+ secretKeys:
+ vapidPrivateKey: VAPID_PRIVATE_KEY
+ vapidPublicKey: VAPID_PUBLIC_KEY
+ secretKeyBase: SECRET_KEY_BASE
+ otpSecret: OTP_SECRET
+
 sidekiq:
 # -- Pod security context for all Sidekiq Pods, overwrites .Values.podSecurityContext
 podSecurityContext: {}