cleaning up secrets and adding more s3 existingSecret secretKeys

2025-05-18 04:53:21 +00:00 · 2023-07-14 10:13:18 +02:00 · 2023-07-14 10:13:18 +02:00 · a066e0b236
commit a066e0b236
parent 0bcae4b8a4
10 changed files with 107 additions and 77 deletions
--- a/charts/mastodon/Chart.yaml
+++ b/charts/mastodon/Chart.yaml
@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 4.0.8
+version: 4.0.9

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/charts/mastodon/dev-values.yaml
+++ b/charts/mastodon/dev-values.yaml
@ -64,9 +64,6 @@ mastodon:
    enabled: false
    access_key: ""
    access_secret: ""
-    # -- you can also specify the name of an existing Secret
-    # with keys AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
-    existingSecret: ""
    bucket: ""
    endpoint: ""
    hostname: ""
@ -74,6 +71,17 @@ mastodon:
    permission: ""
    # -- If you have a caching proxy, enter its base URL here.
    alias_host: ""
+    # -- you can also specify the name of an existing Secret
+    # with keys AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
+    existingSecret: ""
+    secretKeys:
+      s3AccessKeyID: AWS_ACCESS_KEY_ID
+      s3AccessKey: AWS_SECRET_ACCESS_KEY
+      s3Bucket: ""
+      s3Endpoint: ""
+      s3Hostname: ""
+      s3Region: ""
+
  # these must be set manually; autogenerated keys are rotated on each upgrade
  secrets:
    secret_key_base: dummy-secret_key_base
@ -85,6 +93,12 @@ mastodon:
    # with keys SECRET_KEY_BASE and OTP_SECRET and
    # VAPID_PRIVATE_KEY and VAPID_PUBLIC_KEY
    # existingSecret: ""
+    # secretKeys:
+    #   vapidPrivateKey: VAPID_PRIVATE_KEY
+    #   vapidPublicKey: VAPID_PUBLIC_KEY
+    #   secretKeyBase: SECRET_KEY_BASE
+    #   otpSecret: OTP_SECRET
+
  sidekiq:
    # -- Pod security context for all Sidekiq Pods, overwrites .Values.podSecurityContext
    podSecurityContext: {}
--- a/charts/mastodon/templates/_helpers.tpl
+++ b/charts/mastodon/templates/_helpers.tpl
@ -58,7 +58,7 @@ Rolling pod annotations
 {{- if .Values.revisionPodAnnotation }}
 rollme: {{ .Release.Revision | quote }}
 {{- end }}
-checksum/config-secrets: {{ include ( print $.Template.BasePath "/secrets.yaml" ) . | sha256sum | quote }}
+checksum/config-secrets: {{ include ( print $.Template.BasePath "/secret-mastodon.yaml" ) . | sha256sum | quote }}
 checksum/config-configmap: {{ include ( print $.Template.BasePath "/configmap-env.yaml" ) . | sha256sum | quote }}
 {{- end }}

@ -137,19 +137,6 @@ Get the redis secret.
 {{- end -}}
 {{- end -}}

-{{/*
-Return true if a mastodon secret object should be created
-*/}}
-{{- define "mastodon.createSecret" -}}
-{{- if (or
-    (and .Values.mastodon.s3.enabled (not .Values.mastodon.s3.existingSecret))
-    (not .Values.mastodon.secrets.existingSecret )
-    (and (not .Values.postgresql.enabled) (not .Values.postgresql.auth.existingSecret))
-    ) -}}
-    {{- true -}}
-{{- end -}}
-{{- end -}}
-
 {{/*
 Find highest number of needed database connections to set DB_POOL variable
 */}}
--- a/charts/mastodon/templates/configmap-env.yaml
+++ b/charts/mastodon/templates/configmap-env.yaml
@ -50,17 +50,11 @@ data:
  {{- end }}
  REDIS_PORT: {{ .Values.redis.port | default "6379" | quote }}
  {{- if .Values.mastodon.s3.enabled }}
-  S3_BUCKET: {{ .Values.mastodon.s3.bucket }}
  S3_ENABLED: "true"
-  S3_ENDPOINT: {{ .Values.mastodon.s3.endpoint }}
-  S3_HOSTNAME: {{ .Values.mastodon.s3.hostname }}
  S3_PROTOCOL: "https"
  {{- if .Values.mastodon.s3.permission }}
  S3_PERMISSION: {{ .Values.mastodon.s3.permission }}
  {{- end }}
-  {{- with .Values.mastodon.s3.region }}
-  S3_REGION: {{ . }}
-  {{- end }}
  {{- with .Values.mastodon.s3.alias_host }}
  S3_ALIAS_HOST: {{ . }}
  {{- end }}
--- a/charts/mastodon/templates/deployment-web.yaml
+++ b/charts/mastodon/templates/deployment-web.yaml
@ -95,16 +95,36 @@ spec:
              value: {{ .Values.mastodon.web.persistentTimeout | quote }}
            {{- end }}
            {{- if (and .Values.mastodon.s3.enabled .Values.mastodon.s3.existingSecret) }}
-            - name: "AWS_SECRET_ACCESS_KEY"
+            - name: "S3_HOSTNAME"
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.mastodon.s3.existingSecret }}
-                  key: AWS_SECRET_ACCESS_KEY
+                  key: {{ .Values.mastodon.s3.secretKeys.s3Hostname }}
+            - name: "S3_ENDPOINT"
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.mastodon.s3.existingSecret }}
+                  key: {{ .Values.mastodon.s3.secretKeys.s3Endpoint }}
+            - name: "S3_REGION"
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.mastodon.s3.existingSecret }}
+                  key: {{ .Values.mastodon.s3.secretKeys.s3Region }}
+            - name: "S3_BUCKET"
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.mastodon.s3.existingSecret }}
+                  key: {{ .Values.mastodon.s3.secretKeys.s3Bucket }}
            - name: "AWS_ACCESS_KEY_ID"
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.mastodon.s3.existingSecret }}
-                  key: AWS_ACCESS_KEY_ID
+                  key: {{ .Values.mastodon.s3.secretKeys.s3AccessKeyID }}
+            - name: "AWS_SECRET_ACCESS_KEY"
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.mastodon.s3.existingSecret }}
+                  key: {{ .Values.mastodon.s3.secretKeys.s3AccessKey }}
            {{- end }}
          {{- if (not .Values.mastodon.s3.enabled) }}
          volumeMounts:
--- a/charts/mastodon/templates/secret-mastodon.yaml
+++ b/charts/mastodon/templates/secret-mastodon.yaml
@ -0,0 +1,30 @@
+{{- if not .Values.mastodon.secrets.existingSecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "mastodon.fullname" . }}
+  labels:
+    {{- include "mastodon.labels" . | nindent 4 }}
+type: Opaque
+data:
+  {{- if not (empty .Values.mastodon.secrets.secret_key_base) }}
+  SECRET_KEY_BASE: "{{ .Values.mastodon.secrets.secret_key_base | b64enc }}"
+  {{- else }}
+  SECRET_KEY_BASE: {{ required "mastodon.secrets.secret_key_base is required if not using mastodon.secrets.existingSecret" .Values.mastodon.secrets.secret_key_base }}
+  {{- end }}
+  {{- if not (empty .Values.mastodon.secrets.otp_secret) }}
+  OTP_SECRET: "{{ .Values.mastodon.secrets.otp_secret | b64enc }}"
+  {{- else }}
+  OTP_SECRET: {{ required "mastodon.secrets.otp_secret is required if not using mastodon.secrets.existingSecret" .Values.mastodon.secrets.otp_secret }}
+  {{- end }}
+  {{- if not (empty .Values.mastodon.secrets.vapid.private_key) }}
+  VAPID_PRIVATE_KEY: "{{ .Values.mastodon.secrets.vapid.private_key | b64enc }}"
+  {{- else }}
+  VAPID_PRIVATE_KEY: {{ required "mastodon.secrets.vapid.private_key is required if not using mastodon.secrets.existingSecret" .Values.mastodon.secrets.vapid.private_key }}
+  {{- end }}
+  {{- if not (empty .Values.mastodon.secrets.vapid.public_key) }}
+  VAPID_PUBLIC_KEY: "{{ .Values.mastodon.secrets.vapid.public_key | b64enc }}"
+  {{- else }}
+  VAPID_PUBLIC_KEY: {{ required "mastodon.secrets.vapid.public_key is required if not using mastodon.secrets.existingSecret" .Values.mastodon.secrets.vapid.public_key }}
+  {{- end }}
+{{- end }}
--- a/charts/mastodon/templates/secret-s3.yaml
+++ b/charts/mastodon/templates/secret-s3.yaml
@ -0,0 +1,16 @@
+{{- if and .Values.mastodon.s3.enabled (not .Values.mastodon.s3.existingSecret) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "mastodon.fullname" . }}-s3
+  labels:
+    {{- include "mastodon.labels" . | nindent 4 }}
+type: Opaque
+data:
+  AWS_ACCESS_KEY_ID: "{{ .Values.mastodon.s3.access_key | b64enc }}"
+  AWS_SECRET_ACCESS_KEY: "{{ .Values.mastodon.s3.access_secret | b64enc }}"
+  S3_BUCKET: {{ .Values.mastodon.s3.bucket | b64enc }}
+  S3_ENDPOINT: {{ .Values.mastodon.s3.endpoint | b64enc }}
+  S3_HOSTNAME: {{ .Values.mastodon.s3.hostname | b64enc }}
+  S3_REGION: {{ .Values.mastodon.s3.region | b64enc }}
+{{- end }}
--- a/charts/mastodon/templates/secret-smtp.yaml
+++ b/charts/mastodon/templates/secret-smtp.yaml
@ -2,7 +2,7 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ printf "%s-smtp" (include "common.names.fullname" .) }}
+  name: {{ include "mastodon.fullname" . }}-smtp
  labels:
    {{- include "mastodon.labels" . | nindent 4 }}
 type: Opaque
--- a/charts/mastodon/templates/secrets.yaml
+++ b/charts/mastodon/templates/secrets.yaml
@ -1,43 +0,0 @@
-{{- if (include "mastodon.createSecret" .) -}}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ template "mastodon.fullname" . }}
-  labels:
-    {{- include "mastodon.labels" . | nindent 4 }}
-type: Opaque
-data:
-  {{- if .Values.mastodon.s3.enabled }}
-  {{- if not .Values.mastodon.s3.existingSecret }}
-  AWS_ACCESS_KEY_ID: "{{ .Values.mastodon.s3.access_key | b64enc }}"
-  AWS_SECRET_ACCESS_KEY: "{{ .Values.mastodon.s3.access_secret | b64enc }}"
-  {{- end }}
-  {{- end }}
-  {{- if not .Values.mastodon.secrets.existingSecret }}
-  {{- if not (empty .Values.mastodon.secrets.secret_key_base) }}
-  SECRET_KEY_BASE: "{{ .Values.mastodon.secrets.secret_key_base | b64enc }}"
-  {{- else }}
-  SECRET_KEY_BASE: {{ required "secret_key_base is required" .Values.mastodon.secrets.secret_key_base }}
-  {{- end }}
-  {{- if not (empty .Values.mastodon.secrets.otp_secret) }}
-  OTP_SECRET: "{{ .Values.mastodon.secrets.otp_secret | b64enc }}"
-  {{- else }}
-  OTP_SECRET: {{ required "otp_secret is required" .Values.mastodon.secrets.otp_secret }}
-  {{- end }}
-  {{- if not (empty .Values.mastodon.secrets.vapid.private_key) }}
-  VAPID_PRIVATE_KEY: "{{ .Values.mastodon.secrets.vapid.private_key | b64enc }}"
-  {{- else }}
-  VAPID_PRIVATE_KEY: {{ required "vapid.private_key is required" .Values.mastodon.secrets.vapid.private_key }}
-  {{- end }}
-  {{- if not (empty .Values.mastodon.secrets.vapid.public_key) }}
-  VAPID_PUBLIC_KEY: "{{ .Values.mastodon.secrets.vapid.public_key | b64enc }}"
-  {{- else }}
-  VAPID_PUBLIC_KEY: {{ required "vapid.public_key is required" .Values.mastodon.secrets.vapid.public_key }}
-  {{- end }}
-  {{- end }}
-  {{- if not .Values.postgresql.enabled }}
-  {{- if not .Values.postgresql.auth.existingSecret }}
-  password: "{{ .Values.postgresql.auth.password | b64enc }}"
-  {{- end }}
-  {{- end }}
-{{- end }}
--- a/charts/mastodon/values.yaml
+++ b/charts/mastodon/values.yaml
@ -62,9 +62,6 @@ mastodon:
    enabled: false
    access_key: ""
    access_secret: ""
-    # -- you can also specify the name of an existing Secret
-    # with keys AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
-    existingSecret: ""
    bucket: ""
    endpoint: ""
    hostname: ""
@ -72,17 +69,32 @@ mastodon:
    permission: ""
    # -- If you have a caching proxy, enter its base URL here.
    alias_host: ""
-  # these must be set manually; autogenerated keys are rotated on each upgrade
+    # -- you can also specify the name of an existing Secret
+    # with keys AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
+    existingSecret: ""
+    secretKeys:
+      s3AccessKeyID: AWS_ACCESS_KEY_ID
+      s3AccessKey: AWS_SECRET_ACCESS_KEY
+      s3Bucket: ""
+      s3Endpoint: ""
+      s3Hostname: ""
+      s3Region: ""
+
  secrets:
+    # these must be set manually; autogenerated keys are rotated on each upgrade
    secret_key_base: ""
    otp_secret: ""
    vapid:
      private_key: ""
      public_key: ""
    # -- you can also specify the name of an existing Secret
-    # with keys SECRET_KEY_BASE and OTP_SECRET and
-    # VAPID_PRIVATE_KEY and VAPID_PUBLIC_KEY
    existingSecret: ""
+    secretKeys:
+      vapidPrivateKey: VAPID_PRIVATE_KEY
+      vapidPublicKey: VAPID_PUBLIC_KEY
+      secretKeyBase: SECRET_KEY_BASE
+      otpSecret: OTP_SECRET
+
  sidekiq:
    # -- Pod security context for all Sidekiq Pods, overwrites .Values.podSecurityContext
    podSecurityContext: {}