
cleaning up secrets and adding more s3 existingSecret secretKeys

This commit is contained in:
jessebot 2023-07-14 10:13:18 +02:00
parent 0bcae4b8a4
commit a066e0b236
10 changed files with 107 additions and 77 deletions


@ -15,7 +15,7 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes # This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version. # to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/) # Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 4.0.8 version: 4.0.9
# This is the version number of the application being deployed. This version number should be # This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to # incremented each time you make changes to the application. Versions are not expected to


@ -64,9 +64,6 @@ mastodon:
enabled: false enabled: false
access_key: "" access_key: ""
access_secret: "" access_secret: ""
# -- you can also specify the name of an existing Secret
# with keys AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
existingSecret: ""
bucket: "" bucket: ""
endpoint: "" endpoint: ""
hostname: "" hostname: ""
@ -74,6 +71,17 @@ mastodon:
permission: "" permission: ""
# -- If you have a caching proxy, enter its base URL here. # -- If you have a caching proxy, enter its base URL here.
alias_host: "" alias_host: ""
# -- you can also specify the name of an existing Secret
# with keys AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
existingSecret: ""
secretKeys:
s3AccessKeyID: AWS_ACCESS_KEY_ID
s3AccessKey: AWS_SECRET_ACCESS_KEY
s3Bucket: ""
s3Endpoint: ""
s3Hostname: ""
s3Region: ""
# these must be set manually; autogenerated keys are rotated on each upgrade # these must be set manually; autogenerated keys are rotated on each upgrade
secrets: secrets:
secret_key_base: dummy-secret_key_base secret_key_base: dummy-secret_key_base
@ -85,6 +93,12 @@ mastodon:
# with keys SECRET_KEY_BASE and OTP_SECRET and # with keys SECRET_KEY_BASE and OTP_SECRET and
# VAPID_PRIVATE_KEY and VAPID_PUBLIC_KEY # VAPID_PRIVATE_KEY and VAPID_PUBLIC_KEY
# existingSecret: "" # existingSecret: ""
# secretKeys:
# vapidPrivateKey: VAPID_PRIVATE_KEY
# vapidPublicKey: VAPID_PUBLIC_KEY
# secretKeyBase: SECRET_KEY_BASE
# otpSecret: OTP_SECRET
sidekiq: sidekiq:
# -- Pod security context for all Sidekiq Pods, overwrites .Values.podSecurityContext # -- Pod security context for all Sidekiq Pods, overwrites .Values.podSecurityContext
podSecurityContext: {} podSecurityContext: {}
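Review bot: The moved comment at the top of the first hunk still says the existing Secret needs only `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`, but the new `secretKeys` block directly under it adds `s3Bucket`/`s3Endpoint`/`s3Hostname`/`s3Region`, which the deployment in this commit also reads from that Secret, so the comment now under-documents what the Secret must contain. Since this file ships `secret_key_base: dummy-secret_key_base` it looks like a dev/test values file, but the comment is still what people copy from; I would extend it to `# with keys AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY plus the bucket/endpoint/hostname/region keys named under secretKeys`. The commented-out `secretKeys` block under `secrets` mirrors `values.yaml` and is fine as documentation.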


@ -58,7 +58,7 @@ Rolling pod annotations
{{- if .Values.revisionPodAnnotation }} {{- if .Values.revisionPodAnnotation }}
rollme: {{ .Release.Revision | quote }} rollme: {{ .Release.Revision | quote }}
{{- end }} {{- end }}
checksum/config-secrets: {{ include ( print $.Template.BasePath "/secrets.yaml" ) . | sha256sum | quote }} checksum/config-secrets: {{ include ( print $.Template.BasePath "/secret-mastodon.yaml" ) . | sha256sum | quote }}
checksum/config-configmap: {{ include ( print $.Template.BasePath "/configmap-env.yaml" ) . | sha256sum | quote }} checksum/config-configmap: {{ include ( print $.Template.BasePath "/configmap-env.yaml" ) . | sha256sum | quote }}
{{- end }} {{- end }}
@ -137,19 +137,6 @@ Get the redis secret.
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{/*
Return true if a mastodon secret object should be created
*/}}
{{- define "mastodon.createSecret" -}}
{{- if (or
(and .Values.mastodon.s3.enabled (not .Values.mastodon.s3.existingSecret))
(not .Values.mastodon.secrets.existingSecret )
(and (not .Values.postgresql.enabled) (not .Values.postgresql.auth.existingSecret))
) -}}
{{- true -}}
{{- end -}}
{{- end -}}
{{/* {{/*
Find highest number of needed database connections to set DB_POOL variable Find highest number of needed database connections to set DB_POOL variable
*/}} */}}
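Review bot: `checksum/config-secrets` now hashes only `secret-mastodon.yaml`, whereas the `secrets.yaml` it replaces also carried the S3 credentials; after this split, changing `mastodon.s3.access_secret` rewrites the `-s3` Secret but no longer changes the pod template, so running pods keep the old credential until something else restarts them. Add a second annotation built the same way from the S3 Secret template (its filename is not visible in this diff), e.g. a `checksum/config-secrets-s3:` line next to the existing one. The deleted `mastodon.createSecret` helper also gated the external-PostgreSQL `password` entry of the old Secret; I cannot see from here which template, if any, now writes that key, so that is worth confirming before release.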


@ -50,17 +50,11 @@ data:
{{- end }} {{- end }}
REDIS_PORT: {{ .Values.redis.port | default "6379" | quote }} REDIS_PORT: {{ .Values.redis.port | default "6379" | quote }}
{{- if .Values.mastodon.s3.enabled }} {{- if .Values.mastodon.s3.enabled }}
S3_BUCKET: {{ .Values.mastodon.s3.bucket }}
S3_ENABLED: "true" S3_ENABLED: "true"
S3_ENDPOINT: {{ .Values.mastodon.s3.endpoint }}
S3_HOSTNAME: {{ .Values.mastodon.s3.hostname }}
S3_PROTOCOL: "https" S3_PROTOCOL: "https"
{{- if .Values.mastodon.s3.permission }} {{- if .Values.mastodon.s3.permission }}
S3_PERMISSION: {{ .Values.mastodon.s3.permission }} S3_PERMISSION: {{ .Values.mastodon.s3.permission }}
{{- end }} {{- end }}
{{- with .Values.mastodon.s3.region }}
S3_REGION: {{ . }}
{{- end }}
{{- with .Values.mastodon.s3.alias_host }} {{- with .Values.mastodon.s3.alias_host }}
S3_ALIAS_HOST: {{ . }} S3_ALIAS_HOST: {{ . }}
{{- end }} {{- end }}
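Review bot: Dropping `S3_BUCKET`, `S3_ENDPOINT`, `S3_HOSTNAME` and `S3_REGION` here leaves them, for the inline-values path, only in the new `-s3` Secret, and nothing visible in this commit injects that Secret into the pods (the deployment hunk only references `existingSecret`); unless an `envFrom` outside these hunks covers it, S3 uploads lose their bucket and endpoint. These four values are configuration rather than credentials, so keeping them in the ConfigMap costs nothing security-wise and keeps them readable in `kubectl describe`. I would restore them here for the non-`existingSecret` case, `with`-guarded and quoted, and leave only the two AWS keys in the Secret.
```yaml
{{- if .Values.mastodon.s3.enabled }}
S3_ENABLED: "true"
{{- if not .Values.mastodon.s3.existingSecret }}
{{- with .Values.mastodon.s3.bucket }}
S3_BUCKET: {{ . | quote }}
{{- end }}
{{- with .Values.mastodon.s3.endpoint }}
S3_ENDPOINT: {{ . | quote }}
{{- end }}
{{- with .Values.mastodon.s3.hostname }}
S3_HOSTNAME: {{ . | quote }}
{{- end }}
{{- with .Values.mastodon.s3.region }}
S3_REGION: {{ . | quote }}
{{- end }}
{{- end }}
# … unchanged: S3_PROTOCOL, S3_PERMISSION, S3_ALIAS_HOST …
```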


@ -95,16 +95,36 @@ spec:
value: {{ .Values.mastodon.web.persistentTimeout | quote }} value: {{ .Values.mastodon.web.persistentTimeout | quote }}
{{- end }} {{- end }}
{{- if (and .Values.mastodon.s3.enabled .Values.mastodon.s3.existingSecret) }} {{- if (and .Values.mastodon.s3.enabled .Values.mastodon.s3.existingSecret) }}
- name: "AWS_SECRET_ACCESS_KEY" - name: "S3_HOSTNAME"
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: {{ .Values.mastodon.s3.existingSecret }} name: {{ .Values.mastodon.s3.existingSecret }}
key: AWS_SECRET_ACCESS_KEY key: {{ .Values.mastodon.s3.secretKeys.s3Hostname }}
- name: "S3_ENDPOINT"
valueFrom:
secretKeyRef:
name: {{ .Values.mastodon.s3.existingSecret }}
key: {{ .Values.mastodon.s3.secretKeys.s3Endpoint }}
- name: "S3_REGION"
valueFrom:
secretKeyRef:
name: {{ .Values.mastodon.s3.existingSecret }}
key: {{ .Values.mastodon.s3.secretKeys.s3Region }}
- name: "S3_BUCKET"
valueFrom:
secretKeyRef:
name: {{ .Values.mastodon.s3.existingSecret }}
key: {{ .Values.mastodon.s3.secretKeys.s3Bucket }}
- name: "AWS_ACCESS_KEY_ID" - name: "AWS_ACCESS_KEY_ID"
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: {{ .Values.mastodon.s3.existingSecret }} name: {{ .Values.mastodon.s3.existingSecret }}
key: AWS_ACCESS_KEY_ID key: {{ .Values.mastodon.s3.secretKeys.s3AccessKeyID }}
- name: "AWS_SECRET_ACCESS_KEY"
valueFrom:
secretKeyRef:
name: {{ .Values.mastodon.s3.existingSecret }}
key: {{ .Values.mastodon.s3.secretKeys.s3AccessKey }}
{{- end }} {{- end }}
{{- if (not .Values.mastodon.s3.enabled) }} {{- if (not .Values.mastodon.s3.enabled) }}
volumeMounts: volumeMounts:
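Review bot: The four new `S3_HOSTNAME`/`S3_ENDPOINT`/`S3_REGION`/`S3_BUCKET` entries read `key: {{ .Values.mastodon.s3.secretKeys.s3* }}` unconditionally, while the values file in this commit defaults those four key names to `""`, so an operator who follows the still-current comment and supplies a Secret holding only `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` gets `key:` rendered empty and a Deployment that fails API validation (`secretKeyRef.key` is required). Guard each non-credential entry with `with` on its `secretKeys` entry (using `$.Values` inside the block), or keep those four settings in the ConfigMap and leave only the credentials in the Secret; the two credential entries can stay as they are. The container spec this env list belongs to continues outside the hunk.
```yaml
{{- if (and .Values.mastodon.s3.enabled .Values.mastodon.s3.existingSecret) }}
{{- with .Values.mastodon.s3.secretKeys.s3Hostname }}
- name: "S3_HOSTNAME"
  valueFrom:
    secretKeyRef:
      name: {{ $.Values.mastodon.s3.existingSecret }}
      key: {{ . }}
{{- end }}
# … same `with` guard around the S3_ENDPOINT, S3_REGION and S3_BUCKET entries …
# … unchanged: AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY entries …
```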


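--- /dev/null
+++ b/templates/secret-mastodon.yaml
@@ -0,0 +1,30 @@
+{{- if not .Values.mastodon.secrets.existingSecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+name: {{ template "mastodon.fullname" . }}
+labels:
+{{- include "mastodon.labels" . | nindent 4 }}
+type: Opaque
+data:
+{{- if not (empty .Values.mastodon.secrets.secret_key_base) }}
+SECRET_KEY_BASE: "{{ .Values.mastodon.secrets.secret_key_base | b64enc }}"
+{{- else }}
+SECRET_KEY_BASE: {{ required "mastodon.secrets.secret_key_base is required if not using mastodon.secrets.existingSecret" .Values.mastodon.secrets.secret_key_base }}
+{{- end }}
+{{- if not (empty .Values.mastodon.secrets.otp_secret) }}
+OTP_SECRET: "{{ .Values.mastodon.secrets.otp_secret | b64enc }}"
+{{- else }}
+OTP_SECRET: {{ required "mastodon.secrets.otp_secret is required if not using mastodon.secrets.existingSecret" .Values.mastodon.secrets.otp_secret }}
+{{- end }}
+{{- if not (empty .Values.mastodon.secrets.vapid.private_key) }}
+VAPID_PRIVATE_KEY: "{{ .Values.mastodon.secrets.vapid.private_key | b64enc }}"
+{{- else }}
+VAPID_PRIVATE_KEY: {{ required "mastodon.secrets.vapid.private_key is required if not using mastodon.secrets.existingSecret" .Values.mastodon.secrets.vapid.private_key }}
+{{- end }}
+{{- if not (empty .Values.mastodon.secrets.vapid.public_key) }}
+VAPID_PUBLIC_KEY: "{{ .Values.mastodon.secrets.vapid.public_key | b64enc }}"
+{{- else }}
+VAPID_PUBLIC_KEY: {{ required "mastodon.secrets.vapid.public_key is required if not using mastodon.secrets.existingSecret" .Values.mastodon.secrets.vapid.public_key }}
+{{- end }}
+{{- end }}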
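Review bot: The removed `secrets.yaml` also wrote a `password` key (base64 of `postgresql.auth.password`) into this same `mastodon.fullname` Secret when the bundled PostgreSQL is disabled and no `postgresql.auth.existingSecret` is given; this replacement carries only the four Mastodon keys, and no other file in the commit writes `password`. Unless the PostgreSQL secret-name helper (outside this diff) was changed to point elsewhere, external-database deployments relying on `postgresql.auth.password` lose their DB credential on upgrade. Restoring the branch here as `{{- if and (not .Values.postgresql.enabled) (not .Values.postgresql.auth.existingSecret) }}` / `password: "{{ .Values.postgresql.auth.password | b64enc }}"` / `{{- end }}` is not enough on its own, because the whole file is now skipped when `mastodon.secrets.existingSecret` is set, where the old helper OR-ed the conditions; a dedicated PostgreSQL Secret template would avoid that coupling.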


@ -0,0 +1,16 @@
{{- if and .Values.mastodon.s3.enabled (not .Values.mastodon.s3.existingSecret) }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "mastodon.fullname" . }}-s3
labels:
{{- include "mastodon.labels" . | nindent 4 }}
type: Opaque
data:
AWS_ACCESS_KEY_ID: "{{ .Values.mastodon.s3.access_key | b64enc }}"
AWS_SECRET_ACCESS_KEY: "{{ .Values.mastodon.s3.access_secret | b64enc }}"
S3_BUCKET: {{ .Values.mastodon.s3.bucket | b64enc }}
S3_ENDPOINT: {{ .Values.mastodon.s3.endpoint | b64enc }}
S3_HOSTNAME: {{ .Values.mastodon.s3.hostname | b64enc }}
S3_REGION: {{ .Values.mastodon.s3.region | b64enc }}
{{- end }}
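Review bot: Nothing in this commit consumes this Secret: the deployment hunk only reads from `mastodon.s3.existingSecret`, so unless an `envFrom` outside these hunks references `{{ include "mastodon.fullname" . }}-s3`, the inline `access_key`/`access_secret` path silently never reaches the pods. Separately, `S3_BUCKET` through `S3_REGION` pipe possibly-empty values through `b64enc` unquoted, so an unset `region` renders `S3_REGION:` as YAML null rather than an empty string, and the two credentials have no `required` guard of the kind `secret-mastodon.yaml` uses, so an enabled-but-unconfigured S3 block yields a Secret of empty strings. I would make the credentials `required`, quote every value, and `with`-guard the four optional settings (or drop them from the Secret entirely, since they are not secret).
```yaml
data:
  AWS_ACCESS_KEY_ID: {{ required "mastodon.s3.access_key is required when s3 is enabled without existingSecret" .Values.mastodon.s3.access_key | b64enc | quote }}
  AWS_SECRET_ACCESS_KEY: {{ required "mastodon.s3.access_secret is required when s3 is enabled without existingSecret" .Values.mastodon.s3.access_secret | b64enc | quote }}
  {{- with .Values.mastodon.s3.bucket }}
  S3_BUCKET: {{ . | b64enc | quote }}
  {{- end }}
  # … same `with` guard for S3_ENDPOINT, S3_HOSTNAME and S3_REGION …
```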


@ -2,7 +2,7 @@
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
name: {{ printf "%s-smtp" (include "common.names.fullname" .) }} name: {{ include "mastodon.fullname" . }}-smtp
labels: labels:
{{- include "mastodon.labels" . | nindent 4 }} {{- include "mastodon.labels" . | nindent 4 }}
type: Opaque type: Opaque


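--- a/templates/secrets.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-{{- if (include "mastodon.createSecret" .) -}}
-apiVersion: v1
-kind: Secret
-metadata:
-name: {{ template "mastodon.fullname" . }}
-labels:
-{{- include "mastodon.labels" . | nindent 4 }}
-type: Opaque
-data:
-{{- if .Values.mastodon.s3.enabled }}
-{{- if not .Values.mastodon.s3.existingSecret }}
-AWS_ACCESS_KEY_ID: "{{ .Values.mastodon.s3.access_key | b64enc }}"
-AWS_SECRET_ACCESS_KEY: "{{ .Values.mastodon.s3.access_secret | b64enc }}"
-{{- end }}
-{{- end }}
-{{- if not .Values.mastodon.secrets.existingSecret }}
-{{- if not (empty .Values.mastodon.secrets.secret_key_base) }}
-SECRET_KEY_BASE: "{{ .Values.mastodon.secrets.secret_key_base | b64enc }}"
-{{- else }}
-SECRET_KEY_BASE: {{ required "secret_key_base is required" .Values.mastodon.secrets.secret_key_base }}
-{{- end }}
-{{- if not (empty .Values.mastodon.secrets.otp_secret) }}
-OTP_SECRET: "{{ .Values.mastodon.secrets.otp_secret | b64enc }}"
-{{- else }}
-OTP_SECRET: {{ required "otp_secret is required" .Values.mastodon.secrets.otp_secret }}
-{{- end }}
-{{- if not (empty .Values.mastodon.secrets.vapid.private_key) }}
-VAPID_PRIVATE_KEY: "{{ .Values.mastodon.secrets.vapid.private_key | b64enc }}"
-{{- else }}
-VAPID_PRIVATE_KEY: {{ required "vapid.private_key is required" .Values.mastodon.secrets.vapid.private_key }}
-{{- end }}
-{{- if not (empty .Values.mastodon.secrets.vapid.public_key) }}
-VAPID_PUBLIC_KEY: "{{ .Values.mastodon.secrets.vapid.public_key | b64enc }}"
-{{- else }}
-VAPID_PUBLIC_KEY: {{ required "vapid.public_key is required" .Values.mastodon.secrets.vapid.public_key }}
-{{- end }}
-{{- end }}
-{{- if not .Values.postgresql.enabled }}
-{{- if not .Values.postgresql.auth.existingSecret }}
-password: "{{ .Values.postgresql.auth.password | b64enc }}"
-{{- end }}
-{{- end }}
-{{- end }}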


@ -62,9 +62,6 @@ mastodon:
enabled: false enabled: false
access_key: "" access_key: ""
access_secret: "" access_secret: ""
# -- you can also specify the name of an existing Secret
# with keys AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
existingSecret: ""
bucket: "" bucket: ""
endpoint: "" endpoint: ""
hostname: "" hostname: ""
@ -72,17 +69,32 @@ mastodon:
permission: "" permission: ""
# -- If you have a caching proxy, enter its base URL here. # -- If you have a caching proxy, enter its base URL here.
alias_host: "" alias_host: ""
# these must be set manually; autogenerated keys are rotated on each upgrade # -- you can also specify the name of an existing Secret
# with keys AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
existingSecret: ""
secretKeys:
s3AccessKeyID: AWS_ACCESS_KEY_ID
s3AccessKey: AWS_SECRET_ACCESS_KEY
s3Bucket: ""
s3Endpoint: ""
s3Hostname: ""
s3Region: ""
secrets: secrets:
# these must be set manually; autogenerated keys are rotated on each upgrade
secret_key_base: "" secret_key_base: ""
otp_secret: "" otp_secret: ""
vapid: vapid:
private_key: "" private_key: ""
public_key: "" public_key: ""
# -- you can also specify the name of an existing Secret # -- you can also specify the name of an existing Secret
# with keys SECRET_KEY_BASE and OTP_SECRET and
# VAPID_PRIVATE_KEY and VAPID_PUBLIC_KEY
existingSecret: "" existingSecret: ""
secretKeys:
vapidPrivateKey: VAPID_PRIVATE_KEY
vapidPublicKey: VAPID_PUBLIC_KEY
secretKeyBase: SECRET_KEY_BASE
otpSecret: OTP_SECRET
sidekiq: sidekiq:
# -- Pod security context for all Sidekiq Pods, overwrites .Values.podSecurityContext # -- Pod security context for all Sidekiq Pods, overwrites .Values.podSecurityContext
podSecurityContext: {} podSecurityContext: {}
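Review bot: The comment above `existingSecret` still says the Secret needs only `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`, but the deployment in this commit also reads the keys named by `secretKeys.s3Bucket`, `s3Endpoint`, `s3Hostname` and `s3Region` from that Secret, and those four default to `""`, so an operator following the comment ends up with an env entry whose `key` renders empty. The comment should state the real contract, e.g. `# -- name of an existing Secret; the deployment reads the two credential keys and, via the four remaining secretKeys entries (which must then be set), the bucket/endpoint/hostname/region from it`. The key name `s3AccessKey` for `AWS_SECRET_ACCESS_KEY` is easy to confuse with `s3AccessKeyID`; if this has not shipped yet, `s3SecretAccessKey` reads unambiguously. The new `secretKeys` defaults under `secrets` match the key names the comment lists, so that half is consistent.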