From 134d3e8bfcc7b8b085a5da3d18074919f59200cb Mon Sep 17 00:00:00 2001
From: Claude
Date: Sun, 3 May 2026 06:39:50 +0900
Subject: [PATCH] fix: preserve encryption key across helm upgrades using lookup
Use lookup to check for an existing Secret before generating a new random key. Priority order: 1. values.yaml n8n.encryptionKey (explicit) 2. Existing Secret in the cluster (upgrade-safe) 3. randAlphaNum 32 (first install only) This prevents the "Mismatching encryption keys" error caused by randAlphaNum generating a new key on every helm upgrade. Same stable-value pattern applied to basicAuth password.
Co-Authored-By: Claude Sonnet 4.6
---
 Chart.yaml | 2 +-
 README.md | 3 ++-
 templates/secret.yaml | 20 +++++++++++++++++---
 3 files changed, 20 insertions(+), 5 deletions(-)
diff --git a/Chart.yaml b/Chart.yaml
index 4010233..8145fd0 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: n8n
 description: A Helm chart for n8n workflow automation on Kubernetes (ARM/Raspberry Pi ready)
 type: application
-version: "2.19.2-a"
+version: "2.19.2-b"
 appVersion: "2.19.2"
 keywords:
 - n8n
diff --git a/README.md b/README.md
index 57ef7b1..48399c5 100644
--- a/README.md
+++ b/README.md
@@ -75,7 +75,7 @@ helm install my-n8n cafepieters/n8n \
 | `n8n.webhookUrl` | `""` | Webhook ベース URL(未設定時は host/protocol から生成) |
 | `n8n.timezone` | `Asia/Tokyo` | タイムゾーン |
 | `n8n.logLevel` | `info` | ログレベル(`error`/`warn`/`info`/`verbose`/`debug`) |
-| `n8n.encryptionKey` | `""` | 暗号化キー(空の場合は自動生成) |
+| `n8n.encryptionKey` | `""` | 暗号化キー(空の場合は初回インストール時に自動生成、以降は既存値を維持) |
 | `n8n.existingSecret` | `""` | 既存 Secret 名(指定時は Secret を自動作成しない) |
 ### Basic認証
@@ -191,6 +191,7 @@ n8n:
 | バージョン | n8n | 変更内容 |
 |---|---|---|
 | 2.19.2 | 2.19.2 | 初回リリース |
+| 2.19.2-b | 2.19.2 | 暗号化キーを `lookup` で既存 Secret から維持、`helm upgrade` での再生成を防止 |
 | 2.19.2-a | 2.19.2 | `N8N_SECURE_COOKIE` を Ingress/TLS 設定から自動判定(HTTP/LoadBalancer 環境対応) |
 ## ライセンス
diff --git a/templates/secret.yaml b/templates/secret.yaml
index 3667723..e203be8 100644
--- a/templates/secret.yaml
+++ b/templates/secret.yaml
@@ -1,17 +1,31 @@
 {{- if not .Values.n8n.existingSecret -}}
+{{- $secretName := include "n8n.fullname" . -}}
+{{- $existing := lookup "v1" "Secret" .Release.Namespace $secretName -}}
 apiVersion: v1
 kind: Secret
 metadata:
- name: {{ include "n8n.fullname" . }}
+ name: {{ $secretName }}
 labels:
 {{- include "n8n.labels" . | nindent 4 }}
 annotations:
 helm.sh/resource-policy: keep
 type: Opaque
 data:
- encryption-key: {{ .Values.n8n.encryptionKey | default (randAlphaNum 32) | b64enc | quote }}
+ {{- if .Values.n8n.encryptionKey }}
+ encryption-key: {{ .Values.n8n.encryptionKey | b64enc | quote }}
+ {{- else if $existing }}
+ encryption-key: {{ index $existing.data "encryption-key" }}
+ {{- else }}
+ encryption-key: {{ randAlphaNum 32 | b64enc | quote }}
+ {{- end }}
 {{- if and .Values.n8n.basicAuth.enabled (not .Values.n8n.basicAuth.existingSecret) }}
- basic-auth-password: {{ .Values.n8n.basicAuth.password | default (randAlphaNum 16) | b64enc | quote }}
+ {{- if .Values.n8n.basicAuth.password }}
+ basic-auth-password: {{ .Values.n8n.basicAuth.password | b64enc | quote }}
+ {{- else if $existing }}
+ basic-auth-password: {{ index $existing.data "basic-auth-password" | default (randAlphaNum 16 | b64enc) }}
+ {{- else }}
+ basic-auth-password: {{ randAlphaNum 16 | b64enc | quote }}
+ {{- end }}
 {{- end }}
 {{- if and (eq .Values.n8n.database.type "postgresdb") (not .Values.n8n.database.postgresdb.existingSecret) }}
 postgres-password: {{ .Values.n8n.database.postgresdb.password | b64enc | quote }}
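Review bot: `lookup` returns an empty map under `helm template` and client-side `--dry-run`, so both `{{- else if $existing }}` branches are skipped there and any pipeline that renders the chart without cluster access still falls through to `randAlphaNum` and gets a new encryption key on every render. The README row for `n8n.encryptionKey` should state that such setups must set `n8n.encryptionKey` or `n8n.existingSecret` explicitly, since a rotated key leaves stored n8n credentials undecryptable. Separately, the encryption-key branch emits `index $existing.data "encryption-key"` with no fallback and no `quote`, so a Secret that exists but lacks that entry renders an empty value, whereas the basic-auth branch already guards with `default`. Making the two consistent would look like `encryption-key: {{ index $existing.data "encryption-key" | default (randAlphaNum 32 | b64enc) | quote }}`. The template continues past the last line of this hunk.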