
Fix broken dependencies in helm chart and allow using existing secrets in the chart (#18941)

* Add ability to specify an existing Secret (#18139)

Closes #18139

* Allow using secrets with external postgres

* Upgrade CronJob to batch/v1

* Allow using redis.auth.existingSecret

* Helmignore mastodon-*.tgz for easy local development

* Upgrade helm dependencies

* Upgrade postgresql to 11

* Allow putting SMTP password into a secret

* Add optional login to SMTP secret

This is to allow setting LOGIN either in values.yaml or
in the secret.

* Switch to bitnami charts full archive

This prevents older versions from disappearing, see
https://github.com/bitnami/charts/issues/10539 for
full context.

Co-authored-by: Ted Tramonte <ted.tramonte@gmail.com>
Alex Nordlund 1 yıl önce
7ccf7a73f1

+ 1 - 0
chart/.helmignore

@@ -21,3 +21,4 @@
 .idea/
 *.tmproj
 .vscode/
+mastodon-*.tgz

+ 8 - 8
chart/Chart.lock

@@ -1,12 +1,12 @@
 dependencies:
 - name: elasticsearch
-  repository: https://charts.bitnami.com/bitnami
-  version: 15.10.3
+  repository: https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami
+  version: 19.0.1
 - name: postgresql
-  repository: https://charts.bitnami.com/bitnami
-  version: 8.10.14
+  repository: https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami
+  version: 11.1.3
 - name: redis
-  repository: https://charts.bitnami.com/bitnami
-  version: 10.9.0
-digest: sha256:f5c57108f7768fd16391c1a050991c7809f84a640cca308d7d24d87379d04000
-generated: "2021-08-05T08:01:01.457727804Z"
+  repository: https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami
+  version: 16.13.2
+digest: sha256:17ea58a3264aa22faff18215c4269f47dabae956d0df273c684972f356416193
+generated: "2022-08-08T21:44:18.0195364+02:00"

+ 7 - 7
chart/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.2.1
+version: 2.0.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
@@ -24,13 +24,13 @@ appVersion: 3.3.0
 
 dependencies:
   - name: elasticsearch
-    version: 15.10.3
-    repository: https://charts.bitnami.com/bitnami
+    version: 19.0.1
+    repository: https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami
     condition: elasticsearch.enabled
   - name: postgresql
-    version: 8.10.14
-    repository: https://charts.bitnami.com/bitnami
+    version: 11.1.3
+    repository: https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami
     condition: postgresql.enabled
   - name: redis
-    version: 10.9.0
-    repository: https://charts.bitnami.com/bitnami
+    version: 16.13.2
+    repository: https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami
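Review bot: The new `repository:` entries fetch from a raw GitHub branch (`archive-full-index`) rather than a Helm repository endpoint, so the only pin on what gets pulled is the exact `version:` and the entries recorded in Chart.lock; as far as I know `helm dependency build` does not check tarball integrity unless provenance files are verified explicitly. The reason for the switch is only in the commit message, so a reader of Chart.yaml cannot tell why a branch URL is used; a one-line comment above the `dependencies:` key would carry it, e.g. `# pinned to the bitnami full archive index so removed versions stay fetchable; see bitnami/charts#10539`. The redis dependency entry continues past the end of the hunk.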

+ 50 - 0
chart/templates/_helpers.tpl

@@ -77,3 +77,53 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- define "mastodon.postgresql.fullname" -}}
 {{- printf "%s-%s" .Release.Name "postgresql" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
+
+{{/*
+Get the mastodon secret.
+*/}}
+{{- define "mastodon.secretName" -}}
+{{- if .Values.mastodon.secrets.existingSecret }}
+    {{- printf "%s" (tpl .Values.mastodon.secrets.existingSecret $) -}}
+{{- else -}}
+    {{- printf "%s" (include "common.names.fullname" .) -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get the postgresql secret.
+*/}}
+{{- define "mastodon.postgresql.secretName" -}}
+{{- if (and (or .Values.postgresql.enabled .Values.postgresql.postgresqlHostname) .Values.postgresql.auth.existingSecret) }}
+    {{- printf "%s" (tpl .Values.postgresql.auth.existingSecret $) -}}
+{{- else if .Values.postgresql.enabled -}}
+    {{- printf "%s-postgresql" (tpl .Release.Name $) -}}
+{{- else -}}
+    {{- printf "%s" (include "common.names.fullname" .) -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get the redis secret.
+*/}}
+{{- define "mastodon.redis.secretName" -}}
+{{- if .Values.redis.auth.existingSecret }}
+    {{- printf "%s" (tpl .Values.redis.auth.existingSecret $) -}}
+{{- else if .Values.redis.existingSecret }}
+    {{- printf "%s" (tpl .Values.redis.existingSecret $) -}}
+{{- else -}}
+    {{- printf "%s-redis" (tpl .Release.Name $) -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return true if a mastodon secret object should be created
+*/}}
+{{- define "mastodon.createSecret" -}}
+{{- if (or
+    (and .Values.mastodon.s3.enabled (not .Values.mastodon.s3.existingSecret))
+    (not .Values.mastodon.secrets.existingSecret )
+    (and (not .Values.postgresql.enabled) (not .Values.postgresql.auth.existingSecret))
+    ) -}}
+    {{- true -}}
+{{- end -}}
+{{- end -}}
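Review bot: `mastodon.createSecret` still produces a Secret carrying the S3 keys when `mastodon.secrets.existingSecret` is set and S3 is enabled without `s3.existingSecret`, but `mastodon.secretName` then returns the existing secret, so the generated Secret's AWS_* keys are referenced by no `secretRef` in this diff; likewise nothing in the diff consumes `.Values.mastodon.s3.existingSecret`, so unless a template outside the diff mounts it, the S3 credentials drop out of the pod environment in both cases. A dedicated helper plus a second `envFrom` entry for the S3 secret in each workload would close that gap. Separately, the default branches here use `common.names.fullname` while the rest of the chart names objects with `mastodon.fullname`; if the two implementations differ (for example under `fullnameOverride`), or if the bitnami `common` library is unavailable because all three subcharts are disabled by their `condition`, the name will not match the Secret rendered by secrets.yaml, so `include "mastodon.fullname" .` is the safer default.
```gotmpl
{{/*
Get the S3 secret: the user-supplied one, else the chart-generated one.
*/}}
{{- define "mastodon.s3.secretName" -}}
{{- if .Values.mastodon.s3.existingSecret }}
    {{- printf "%s" (tpl .Values.mastodon.s3.existingSecret $) -}}
{{- else -}}
    {{- printf "%s" (include "mastodon.fullname" .) -}}
{{- end -}}
{{- end -}}
```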

+ 3 - 3
chart/templates/configmap-env.yaml

@@ -10,14 +10,14 @@ data:
   {{- else }}
   DB_HOST: {{ .Values.postgresql.postgresqlHostname }}
   {{- end }}
-  DB_NAME: {{ .Values.postgresql.postgresqlDatabase }}
+  DB_NAME: {{ .Values.postgresql.auth.database }}
   DB_POOL: {{ .Values.mastodon.sidekiq.concurrency | quote }}
   DB_PORT: "5432"
-  DB_USER: {{ .Values.postgresql.postgresqlUsername }}
+  DB_USER: {{ .Values.postgresql.auth.username }}
   DEFAULT_LOCALE: {{ .Values.mastodon.locale }}
   {{- if .Values.elasticsearch.enabled }}
   ES_ENABLED: "true"
-  ES_HOST: {{ template "mastodon.elasticsearch.fullname" . }}-master
+  ES_HOST: {{ template "mastodon.elasticsearch.fullname" . }}-master-hl
   ES_PORT: "9200"
   {{- end }}
   LOCAL_DOMAIN: {{ .Values.mastodon.local_domain }}

+ 5 - 9
chart/templates/cronjob-media-remove.yaml

@@ -1,5 +1,5 @@
 {{ if .Values.mastodon.cron.removeMedia.enabled }}
-apiVersion: batch/v1beta1
+apiVersion: batch/v1
 kind: CronJob
 metadata:
   name: {{ include "mastodon.fullname" . }}-media-remove
@@ -49,21 +49,17 @@ spec:
                 - configMapRef:
                     name: {{ include "mastodon.fullname" . }}-env
                 - secretRef:
-                    name: {{ template "mastodon.fullname" . }}
+                    name: {{ template "mastodon.secretName" . }}
               env:
                 - name: "DB_PASS"
                   valueFrom:
                     secretKeyRef:
-                      {{- if .Values.postgresql.enabled }}
-                      name: {{ .Release.Name }}-postgresql
-                      {{- else }}
-                      name: {{ template "mastodon.fullname" . }}
-                      {{- end }}
-                      key: postgresql-password
+                      name: {{ template "mastodon.postgresql.secretName" . }}
+                      key: password
                 - name: "REDIS_PASSWORD"
                   valueFrom:
                     secretKeyRef:
-                      name: {{ .Release.Name }}-redis
+                      name: {{ template "mastodon.redis.secretName" . }}
                       key: redis-password
                 - name: "PORT"
                   value: {{ .Values.mastodon.web.port | quote }}
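Review bot: `key: password` on the DB_PASS entry does not match what the chart itself writes: for an external database without `postgresql.auth.existingSecret`, secrets.yaml stores the value under `postgresql-password`, and the values.yaml comment tells users to put an existing secret's password under `postgres-password`, so two of the three paths point the container at a key that does not exist and the pod fails with CreateContainerConfigError. With the bundled subchart and the default `auth.username: postgres`, I believe the bitnami postgresql 11 chart always emits `postgres-password` and only adds a `password` key when the username is not `postgres` — worth confirming against the rendered subchart Secret. Settling on `key: postgres-password` here, writing `postgres-password:` in secrets.yaml, and selecting the key by username in the subchart case would make all paths agree; the same hunk repeats in deployment-sidekiq, deployment-streaming, deployment-web, job-assets-precompile, job-chewy-upgrade, job-create-admin and job-db-migrate. The container spec continues outside the hunk.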

+ 17 - 8
chart/templates/deployment-sidekiq.yaml

@@ -70,22 +70,31 @@ spec:
             - configMapRef:
                 name: {{ include "mastodon.fullname" . }}-env
             - secretRef:
-                name: {{ template "mastodon.fullname" . }}
+                name: {{ template "mastodon.secretName" . }}
           env:
             - name: "DB_PASS"
               valueFrom:
                 secretKeyRef:
-                  {{- if .Values.postgresql.enabled }}
-                  name: {{ .Release.Name }}-postgresql
-                  {{- else }}
-                  name: {{ template "mastodon.fullname" . }}
-                  {{- end }}
-                  key: postgresql-password
+                  name: {{ template "mastodon.postgresql.secretName" . }}
+                  key: password
             - name: "REDIS_PASSWORD"
               valueFrom:
                 secretKeyRef:
-                  name: {{ .Release.Name }}-redis
+                  name: {{ template "mastodon.redis.secretName" . }}
                   key: redis-password
+            {{- if .Values.mastodon.smtp.existingSecret }}
+            - name: "SMTP_LOGIN"
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.mastodon.smtp.existingSecret }}
+                  key: login
+                  optional: true
+            - name: "SMTP_PASSWORD"
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.mastodon.smtp.existingSecret }}
+                  key: password
+            {{- end -}}
           {{- if (not .Values.mastodon.s3.enabled) }}
           volumeMounts:
             - name: assets
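Review bot: The new SMTP entries emit `name: {{ .Values.mastodon.smtp.existingSecret }}` unquoted and without `tpl`, unlike every other `existingSecret` on this page, which the helpers pass through `tpl … $`; a templated or number-like secret name therefore renders differently here, and `name: {{ tpl .Values.mastodon.smtp.existingSecret $ | quote }}` would align it. The block is added only to the sidekiq Deployment; if the web Deployment also receives SMTP_LOGIN/SMTP_PASSWORD from the generated Secret (not visible in this diff), the two workloads would see different credentials once the existing secret is used — verify. The container spec continues beyond the hunk.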

+ 3 - 7
chart/templates/deployment-streaming.yaml

@@ -43,16 +43,12 @@ spec:
             - name: "DB_PASS"
               valueFrom:
                 secretKeyRef:
-                  {{- if .Values.postgresql.enabled }}
-                  name: {{ .Release.Name }}-postgresql
-                  {{- else }}
-                  name: {{ template "mastodon.fullname" . }}
-                  {{- end }}
-                  key: postgresql-password
+                  name: {{ template "mastodon.postgresql.secretName" . }}
+                  key: password
             - name: "REDIS_PASSWORD"
               valueFrom:
                 secretKeyRef:
-                  name: {{ .Release.Name }}-redis
+                  name: {{ template "mastodon.redis.secretName" . }}
                   key: redis-password
             - name: "PORT"
               value: {{ .Values.mastodon.streaming.port | quote }}

+ 4 - 8
chart/templates/deployment-web.yaml

@@ -56,21 +56,17 @@ spec:
             - configMapRef:
                 name: {{ include "mastodon.fullname" . }}-env
             - secretRef:
-                name: {{ template "mastodon.fullname" . }}
+                name: {{ template "mastodon.secretName" . }}
           env:
             - name: "DB_PASS"
               valueFrom:
                 secretKeyRef:
-                  {{- if .Values.postgresql.enabled }}
-                  name: {{ .Release.Name }}-postgresql
-                  {{- else }}
-                  name: {{ template "mastodon.fullname" . }}
-                  {{- end }}
-                  key: postgresql-password
+                  name: {{ template "mastodon.postgresql.secretName" . }}
+                  key: password
             - name: "REDIS_PASSWORD"
               valueFrom:
                 secretKeyRef:
-                  name: {{ .Release.Name }}-redis
+                  name: {{ template "mastodon.redis.secretName" . }}
                   key: redis-password
             - name: "PORT"
               value: {{ .Values.mastodon.web.port | quote }}

+ 4 - 8
chart/templates/job-assets-precompile.yaml

@@ -50,21 +50,17 @@ spec:
             - configMapRef:
                 name: {{ include "mastodon.fullname" . }}-env
             - secretRef:
-                name: {{ template "mastodon.fullname" . }}
+                name: {{ template "mastodon.secretName" . }}
           env:
             - name: "DB_PASS"
               valueFrom:
                 secretKeyRef:
-                  {{- if .Values.postgresql.enabled }}
-                  name: {{ .Release.Name }}-postgresql
-                  {{- else }}
-                  name: {{ template "mastodon.fullname" . }}
-                  {{- end }}
-                  key: postgresql-password
+                  name: {{ template "mastodon.postgresql.secretName" . }}
+                  key: password
             - name: "REDIS_PASSWORD"
               valueFrom:
                 secretKeyRef:
-                  name: {{ .Release.Name }}-redis
+                  name: {{ template "mastodon.redis.secretName" . }}
                   key: redis-password
             - name: "PORT"
               value: {{ .Values.mastodon.web.port | quote }}

+ 4 - 8
chart/templates/job-chewy-upgrade.yaml

@@ -51,21 +51,17 @@ spec:
             - configMapRef:
                 name: {{ include "mastodon.fullname" . }}-env
             - secretRef:
-                name: {{ template "mastodon.fullname" . }}
+                name: {{ template "mastodon.secretName" . }}
           env:
             - name: "DB_PASS"
               valueFrom:
                 secretKeyRef:
-                  {{- if .Values.postgresql.enabled }}
-                  name: {{ .Release.Name }}-postgresql
-                  {{- else }}
-                  name: {{ template "mastodon.fullname" . }}
-                  {{- end }}
-                  key: postgresql-password
+                  name: {{ template "mastodon.postgresql.secretName" . }}
+                  key: password
             - name: "REDIS_PASSWORD"
               valueFrom:
                 secretKeyRef:
-                  name: {{ .Release.Name }}-redis
+                  name: {{ template "mastodon.redis.secretName" . }}
                   key: redis-password
             - name: "PORT"
               value: {{ .Values.mastodon.web.port | quote }}

+ 4 - 8
chart/templates/job-create-admin.yaml

@@ -56,21 +56,17 @@ spec:
             - configMapRef:
                 name: {{ include "mastodon.fullname" . }}-env
             - secretRef:
-                name: {{ template "mastodon.fullname" . }}
+                name: {{ template "mastodon.secretName" . }}
           env:
             - name: "DB_PASS"
               valueFrom:
                 secretKeyRef:
-                  {{- if .Values.postgresql.enabled }}
-                  name: {{ .Release.Name }}-postgresql
-                  {{- else }}
-                  name: {{ template "mastodon.fullname" . }}
-                  {{- end }}
-                  key: postgresql-password
+                  name: {{ template "mastodon.postgresql.secretName" . }}
+                  key: password
             - name: "REDIS_PASSWORD"
               valueFrom:
                 secretKeyRef:
-                  name: {{ .Release.Name }}-redis
+                  name: {{ template "mastodon.redis.secretName" . }}
                   key: redis-password
             - name: "PORT"
               value: {{ .Values.mastodon.web.port | quote }}

+ 4 - 8
chart/templates/job-db-migrate.yaml

@@ -50,21 +50,17 @@ spec:
             - configMapRef:
                 name: {{ include "mastodon.fullname" . }}-env
             - secretRef:
-                name: {{ template "mastodon.fullname" . }}
+                name: {{ template "mastodon.secretName" . }}
           env:
             - name: "DB_PASS"
               valueFrom:
                 secretKeyRef:
-                  {{- if .Values.postgresql.enabled }}
-                  name: {{ .Release.Name }}-postgresql
-                  {{- else }}
-                  name: {{ template "mastodon.fullname" . }}
-                  {{- end }}
-                  key: postgresql-password
+                  name: {{ template "mastodon.postgresql.secretName" . }}
+                  key: password
             - name: "REDIS_PASSWORD"
               valueFrom:
                 secretKeyRef:
-                  name: {{ .Release.Name }}-redis
+                  name: {{ template "mastodon.redis.secretName" . }}
                   key: redis-password
             - name: "PORT"
               value: {{ .Values.mastodon.web.port | quote }}

+ 9 - 1
chart/templates/secrets.yaml

@@ -1,3 +1,4 @@
+{{- if (include "mastodon.createSecret" .) }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -7,9 +8,12 @@ metadata:
 type: Opaque
 data:
   {{- if .Values.mastodon.s3.enabled }}
+  {{- if not .Values.mastodon.s3.existingSecret }}
   AWS_ACCESS_KEY_ID: "{{ .Values.mastodon.s3.access_key | b64enc }}"
   AWS_SECRET_ACCESS_KEY: "{{ .Values.mastodon.s3.access_secret | b64enc }}"
   {{- end }}
+  {{- end }}
+  {{- if not .Values.mastodon.secrets.existingSecret }}
   {{- if not (empty .Values.mastodon.secrets.secret_key_base) }}
   SECRET_KEY_BASE: "{{ .Values.mastodon.secrets.secret_key_base | b64enc }}"
   {{- else }}
@@ -30,6 +34,10 @@ data:
   {{- else }}
   VAPID_PUBLIC_KEY: {{ required "vapid.public_key is required" .Values.mastodon.secrets.vapid.public_key }}
   {{- end }}
+  {{- end }}
   {{- if not .Values.postgresql.enabled }}
-  postgresql-password: "{{ .Values.postgresql.postgresqlPassword | b64enc }}"
+  {{- if not .Values.postgresql.auth.existingSecret }}
+  postgresql-password: "{{ .Values.postgresql.auth.password | b64enc }}"
+  {{- end }}
   {{- end }}
+{{- end -}}

+ 59 - 41
chart/values.yaml

@@ -48,6 +48,9 @@ mastodon:
     enabled: false
     access_key: ""
     access_secret: ""
+    # you can also specify the name of an existing Secret
+    # with keys AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
+    existingSecret: ""
     bucket: ""
     endpoint: https://us-east-1.linodeobjects.com
     hostname: us-east-1.linodeobjects.com
@@ -61,6 +64,10 @@ mastodon:
     vapid:
       private_key: ""
       public_key: ""
+    # you can also specify the name of an existing Secret
+    # with keys SECRET_KEY_BASE and OTP_SECRET and
+    # VAPID_PRIVATE_KEY and VAPID_PUBLIC_KEY
+    existingSecret: ""
   sidekiq:
     concurrency: 25
   smtp:
@@ -70,13 +77,16 @@ mastodon:
     domain:
     enable_starttls_auto: true
     from_address: notifications@example.com
-    login:
     openssl_verify_mode: peer
-    password:
     port: 587
     reply_to:
     server: smtp.mailgun.org
     tls: false
+    login:
+    password:
+    # you can also specify the name of an existing Secret
+    # with the keys login and password
+    existingSecret:
   streaming:
     port: 4000
     # this should be set manually since os.cpus() returns the number of CPUs on
@@ -127,18 +137,26 @@ postgresql:
   # must match those of that external postgres instance
   enabled: true
   # postgresqlHostname: preexisting-postgresql
-  postgresqlDatabase: mastodon_production
-  # you must set a password; the password generated by the postgresql chart will
-  # be rotated on each upgrade:
-  # https://github.com/bitnami/charts/tree/master/bitnami/postgresql#upgrade
-  postgresqlPassword: ""
-  postgresqlUsername: postgres
+  auth:
+    database: mastodon_production
+    username: postgres
+    # you must set a password; the password generated by the postgresql chart will
+    # be rotated on each upgrade:
+    # https://github.com/bitnami/charts/tree/master/bitnami/postgresql#upgrade
+    password: ""
+    # you can also specify the name of an existing Secret
+    # with a key of postgres-password set to the password you want
+    existingSecret: ""
 
 # https://github.com/bitnami/charts/tree/master/bitnami/redis#parameters
 redis:
   # you must set a password; the password generated by the redis chart will be
   # rotated on each upgrade:
   password: ""
+  # you can also specify the name of an existing Secret
+  # with a key of redis-password set to the password you want
+  # auth:
+    # existingSecret: ""
 
 service:
   type: ClusterIP
@@ -157,45 +175,45 @@ externalAuth:
     # client_secret: SECRETKEY
     # redirect_uri: https://example.com/auth/auth/openid_connect/callback
     # assume_email_is_verified: true
-    # client_auth_method: 
-    # response_type: 
-    # response_mode: 
-    # display: 
-    # prompt: 
-    # send_nonce: 
-    # send_scope_to_token_endpoint: 
-    # idp_logout_redirect_uri: 
-    # http_scheme: 
-    # host: 
-    # port: 
-    # jwks_uri: 
-    # auth_endpoint: 
-    # token_endpoint: 
-    # user_info_endpoint: 
-    # end_session_endpoint: 
+    # client_auth_method:
+    # response_type:
+    # response_mode:
+    # display:
+    # prompt:
+    # send_nonce:
+    # send_scope_to_token_endpoint:
+    # idp_logout_redirect_uri:
+    # http_scheme:
+    # host:
+    # port:
+    # jwks_uri:
+    # auth_endpoint:
+    # token_endpoint:
+    # user_info_endpoint:
+    # end_session_endpoint:
   saml:
     enabled: false
     # acs_url: http://mastodon.example.com/auth/auth/saml/callback
     # issuer: mastodon
     # idp_sso_target_url: https://login.example.com/auth/realms/example/protocol/saml
     # idp_cert: '-----BEGIN CERTIFICATE-----[your_cert_content]-----END CERTIFICATE-----'
-    # idp_cert_fingerprint: 
+    # idp_cert_fingerprint:
     # name_identifier_format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
-    # cert: 
-    # private_key: 
+    # cert:
+    # private_key:
     # want_assertion_signed: true
     # want_assertion_encrypted: true
     # assume_email_is_verified: true
     # uid_attribute: "urn:oid:0.9.2342.19200300.100.1.1"
-    # attributes_statements: 
+    # attributes_statements:
     #   uid: "urn:oid:0.9.2342.19200300.100.1.1"
     #   email: "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
     #   full_name: "urn:oid:2.16.840.1.113730.3.1.241"
     #   first_name: "urn:oid:2.5.4.42"
     #   last_name: "urn:oid:2.5.4.4"
-    #   verified: 
-    #   verified_email: 
-  oauth_global: 
+    #   verified:
+    #   verified_email:
+  oauth_global:
     # Force redirect local login to CAS. Does not function with SAML or LDAP.
     oauth_redirect_at_sign_in: false
   cas:
@@ -204,15 +222,15 @@ externalAuth:
     # host: sso.myserver.com
     # port: 443
     # ssl: true
-    # validate_url: 
-    # callback_url: 
-    # logout_url: 
-    # login_url: 
+    # validate_url:
+    # callback_url:
+    # logout_url:
+    # login_url:
     # uid_field: 'user'
-    # ca_path: 
+    # ca_path:
     # disable_ssl_verification: false
     # assume_email_is_verified: true
-    # keys: 
+    # keys:
     #   uid: 'user'
     #   name: 'name'
     #   email: 'email'
@@ -222,7 +240,7 @@ externalAuth:
     #   location: 'location'
     #   image: 'image'
     #   phone: 'phone'
-  pam: 
+  pam:
     enabled: false
     # email_domain: example.com
     # default_service: rpam
@@ -232,9 +250,9 @@ externalAuth:
     # host: myservice.namespace.svc
     # port: 389
     # method: simple_tls
-    # base: 
-    # bind_on: 
-    # password: 
+    # base:
+    # bind_on:
+    # password:
     # uid: cn
     # mail: mail
     # search_filter: "(|(%{uid}=%{email})(%{mail}=%{email}))"
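Review bot: `redis.auth.existingSecret` is present only as a commented-out pair (`# auth:` / `# existingSecret: ""`, with the second comment indented two more than the first) while the new `mastodon.redis.secretName` helper dereferences `.Values.redis.auth.existingSecret` unconditionally; that only works if the redis subchart's defaults are coalesced into `.Values.redis` (which I believe Helm does for an enabled dependency), otherwise rendering fails on a nil `auth`. Declaring it explicitly, `auth:` followed by `  existingSecret: ""`, removes that dependence and documents the option the way the s3, secrets and postgresql sections do. `smtp.existingSecret:` is also left bare, which parses as null, while the other `existingSecret` keys default to `""` — `existingSecret: ""` keeps them consistent. The postgresql comment names the key `postgres-password` while the templates read `password`; align the comment with whichever key the templates settle on.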