add APP_KEY generation and parameter

charts/pixelfed/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.11.1
+version: 0.12.0
 
 # This is the version number of the application being deployed.
 # renovate:image=ghcr.io/mattlqx/docker-pixelfed

charts/pixelfed/templates/deployment.yaml

@@ -67,6 +67,18 @@ spec:
               {{- toYaml . | nindent 12 }}
             {{- end }}
 
+            # pixelfed app key
+            - name: APP_KEY
+              valueFrom:
+                secretKeyRef:
+                  {{- if and .Values.pixelfed.app.existingSecret .Values.pixelfed.app.existingSecretKey }}
+                  name: {{ .Values.pixelfed.app.existingSecret }}
+                  key: {{ .Values.pixelfed.app.existingSecretKey }}
+                  {{- else }}
+                  name: {{ include "pixelfed.fullname" . }}-app-key
+                  key: key
+                  {{- end }}
+
             # valkey AKA redis
             {{- if and .Values.externalValkey.enabled .Values.externalValkey.existingSecretKeys.host }}
             - name: REDIS_HOST

charts/pixelfed/templates/secret_app_key.yaml

@@ -0,0 +1,13 @@
+{{- if not .Values.pixelfed.app.existingSecret }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "pixelfed.fullname" . }}-app-key
+data:
+  {{ if .Values.pixelfed.app.key }}
+  key: {{ .Values.pixelfed.app.key | b64enc }}
+  {{- else }}
+  key: {{ randAlphaNum 32 | b64enc }}
+  {{- end }}
+{{- end }}

charts/pixelfed/values.yaml

@@ -305,6 +305,17 @@ pixelfed:
 
   # app specific settings
   app:
+    # -- This key is used by the Illuminate encrypter service and should
+    # be set to a random, 32 character string, otherwise these encrypted strings
+    # will not be safe. If you don't generate one, we'll generate one for you
+    # however it will change everytime you upgrade the helm chart, so it should
+    # only be used for testing. In production, please set this, or pixelfed.app.existingSecret
+    key: ""
+    # -- use an existing Kuberentes Secret to store the app key
+    # If set, ignores pixelfed.app.key
+    existingSecret: ""
+    # -- key in pixelfed.app.existingSecret to use for the app key
+    existingSecretKey: ""
     # -- The name of your server/instance
     name: "Pixelfed"
     # -- The app environment, keep it set to "production"