Use an existing Secret in Helm Chart

[tedtramonte]

Pitch

The Helm Chart's values.yaml should accept an existingSecret value for any secret value., and based on that value, either template the Secrets as necessary or refer to the provided existingSecret for the value. For example, refer to many of Bitnami's charts but specifically https://github.com/bitnami/charts/tree/master/bitnami/postgresql-ha.

Motivation

This change would allow an entire Mastodon configuration to be stored in Git. An Instance's entire custom-values.yaml would be safe to share publicly as the sensitive info will be stored within the target cluster. This is in-line with modern DevOps practice and just feels good as a proponent of Infrastructure-as-Code.

Further, anyone reading the custom-values.yaml or even the base values.yaml will know that Secrets must/can be configured in advance rather than at deployment (the alternative is having a custom-values.yaml and a separate secrets.yaml that is not stored in the repo, which is not very clear).

This is the one thing that is holding me back from deploying my own instance, and I'm willing to submit a PR adding this functionality if the maintainers are open to it!

[ClearlyClaire]

cc @dunn

[dunn]

That'd be awesome, and I'd be happy to review it.

[tedtramonte]

@dunn Since you seem to be the resident expert, let me ask you. I poked around last night to see how things are set up and I can't actually make sense of how the dependency postgres chart gets the password setting.

With postgresql.enabled: true I see that the -mastodon Secret is generated without the password, as expected. But I don't understand how the postgres chart knows to generate the -postgresql Secret, and further, how Postgres knows to use that secret, considering that postgresqlPassword isn't a top level value for the dependency chart.

I only ask because I was under the impression that dependency chart values can be set by nesting them under the name of the dependency in the values.yaml but setting postgresql.global.postgresql.auth.existingSecret: "testingsecret" had no effect on the templated files.

(Apologies if this is common Helm knowledge, I'm more of a Kustomize stan)

[dunn]

postgresqlPassword isn't a parameter as of version 11 of the chart (https://docs.bitnami.com/kubernetes/infrastructure/postgresql/administration/upgrade/#what-changes-were-introduced-in-this-major-version) but unfortunately we're still on an older version: https://github.com/mastodon/mastodon/blob/main/chart/Chart.yaml#L31

that's something i've been meaning to get around to, but never have

[tedtramonte]

Wow, I can't believe I forgot technical debt is a thing, and I run CodeIgniter 3 in production... Thank you for that clue!