Merge pull request #72 from small-hack/add-active-record-encryption-keys

add activeRedcordEncryption keys

README.md

@@ -14,10 +14,10 @@ helm show values mastodon/mastodon > values.yaml
 helm install --namespace mastodon --create-namespace mastodon/mastodon --values values.yaml
 ```
 
-This chart is tested with k8s 1.27+ and helm 3.6.0+.
+This chart is tested with k8s v1.31+ and helm 3.16.0+.
 
 ## Known caveats for this chart
-Currently, you need to run PostgreSQL and Redis helm charts independently of this one, because there's a helm hook job called db-migrate that we can't figure out how to make run after the dependency charts are fully installed, but before everything else. If you know the answer to this, please open an issue/pr here and let us know!
+Currently, you need to run PostgreSQL and Redis (or Valkey) helm charts independently of this one, because there's a helm hook job called db-migrate that we can't figure out how to make run after the dependency charts are fully installed, but before everything else. If you know the answer to this, please open an issue/pr here and let us know!
 
 # Configuration
 

charts/mastodon/Chart.yaml

@@ -9,7 +9,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 9.3.0
+version: 9.4.0
 
 # renovate: image=ghcr.io/mastodon/mastodon
 appVersion: v4.3.1

charts/mastodon/README.md

@@ -1,6 +1,6 @@
 # mastodon
 
-![Version: 9.3.0](https://img.shields.io/badge/Version-9.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v4.3.1](https://img.shields.io/badge/AppVersion-v4.3.1-informational?style=flat-square)
+![Version: 9.4.0](https://img.shields.io/badge/Version-9.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v4.3.1](https://img.shields.io/badge/AppVersion-v4.3.1-informational?style=flat-square)
 
 Mastodon is a free, open-source social network server based on ActivityPub.
 
@@ -97,7 +97,10 @@ Mastodon is a free, open-source social network server based on ActivityPub.
 | mastodon.s3.secretKeys.s3Endpoint | string | `""` |  |
 | mastodon.s3.secretKeys.s3Hostname | string | `""` |  |
 | mastodon.s3.secretKeys.s3Region | string | `""` |  |
-| mastodon.secrets.existingSecret | string | `""` | the name of an existing Secret to use. keys must be: VAPID_PRIVATE_KEY, VAPID_PUBLIC_KEY, SECRET_KEY_BASE, OTP_SECRET |
+| mastodon.secrets.activeRecordEncryption.deterministicKey | string | `""` |  |
+| mastodon.secrets.activeRecordEncryption.keyDerivationSalt | string | `""` |  |
+| mastodon.secrets.activeRecordEncryption.primaryKey | string | `""` |  |
+| mastodon.secrets.existingSecret | string | `""` | the name of an existing Secret to use. keys must be: VAPID_PRIVATE_KEY VAPID_PUBLIC_KEY SECRET_KEY_BASE OTP_SECRET ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT |
 | mastodon.secrets.otp_secret | string | `""` |  |
 | mastodon.secrets.secret_key_base | string | `""` | must be set manually; autogenerated keys are rotated on each upgrade |
 | mastodon.secrets.vapid.private_key | string | `""` |  |

charts/mastodon/dev-values.yaml

@@ -103,6 +103,10 @@ mastodon:
     vapid:
       private_key: dummy-vapid-private_key
       public_key: dummy-vapid-public_key
+    activeRecordEncryption:
+      primaryKey: "dummy-are-primary_key"
+      deterministicKey: "dummy-are-deterministic_key"
+      keyDerivationSalt: "dummy-are-key_derivation_salt"
     # -- you can also specify the name of an existing Secret
     # with keys SECRET_KEY_BASE and OTP_SECRET and
     # VAPID_PRIVATE_KEY and VAPID_PUBLIC_KEY

charts/mastodon/templates/secret.yaml

@@ -27,4 +27,19 @@ data:
   {{- else }}
   VAPID_PUBLIC_KEY: {{ required "mastodon.secrets.vapid.public_key is required if not using mastodon.secrets.existingSecret" .Values.mastodon.secrets.vapid.public_key }}
   {{- end }}
+  {{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.primaryKey) }}
+  ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: "{{ .Values.mastodon.secrets.activeRecordEncryption.primaryKey | b64enc }}"
+  {{- else }}
+  ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: {{ required "activeRecordEncryption.primaryKey is required" .Values.mastodon.secrets.activeRecordEncryption.primaryKey }}
+  {{- end }}
+  {{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.deterministicKey) }}
+  ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: "{{ .Values.mastodon.secrets.activeRecordEncryption.deterministicKey | b64enc }}"
+  {{- else }}
+  ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: {{ required "activeRecordEncryption.deterministicKey is required" .Values.mastodon.secrets.activeRecordEncryption.deterministicKey }}
+  {{- end }}
+  {{- if not (empty .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt) }}
+  ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: "{{ .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt | b64enc }}"
+  {{- else }}
+  ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: {{ required "activeRecordEncryption.keyDerivationSalt is required" .Values.mastodon.secrets.activeRecordEncryption.keyDerivationSalt }}
+  {{- end }}
 {{- end }}

charts/mastodon/values.yaml

@@ -145,7 +145,18 @@ mastodon:
     vapid:
       private_key: ""
       public_key: ""
-    # -- the name of an existing Secret to use. keys must be: VAPID_PRIVATE_KEY, VAPID_PUBLIC_KEY, SECRET_KEY_BASE, OTP_SECRET
+    activeRecordEncryption:
+      primaryKey: ""
+      deterministicKey: ""
+      keyDerivationSalt: ""
+    # -- the name of an existing Secret to use. keys must be:
+    # VAPID_PRIVATE_KEY
+    # VAPID_PUBLIC_KEY
+    # SECRET_KEY_BASE
+    # OTP_SECRET
+    # ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
+    # ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY
+    # ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
     existingSecret: ""
 
   sidekiq: