helmchart/n8n
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 4 Wiki Activity

fix: preserve encryption key across helm upgrades using lookup
Helm Chart Release / release-chart (push) Successful in 4s
Details

Browse Source 
Use lookup to check for an existing Secret before generating a new
random key. Priority order:
  1. values.yaml n8n.encryptionKey (explicit)
  2. Existing Secret in the cluster (upgrade-safe)
  3. randAlphaNum 32 (first install only)

This prevents the "Mismatching encryption keys" error caused by
randAlphaNum generating a new key on every helm upgrade.
Same stable-value pattern applied to basicAuth password.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Claude
2026-05-03 06:39:50 +09:00
parent 87b2a833cc
commit 134d3e8bfc
3 changed files with 20 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
templates/secret.yaml
+17 -3
View File
@@ -1,17 +1,31 @@
{{- if not .Values.n8n.existingSecret -}}
{{- $secretName := include "n8n.fullname" . -}}
{{- $existing := lookup "v1" "Secret" .Release.Namespace $secretName -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "n8n.fullname" . }}
name: {{ $secretName }}
labels:
{{- include "n8n.labels" . | nindent 4 }}
annotations:
helm.sh/resource-policy: keep
type: Opaque
data:
encryption-key: {{ .Values.n8n.encryptionKey | default (randAlphaNum 32) | b64enc | quote }}
{{- if .Values.n8n.encryptionKey }}
encryption-key: {{ .Values.n8n.encryptionKey | b64enc | quote }}
{{- else if $existing }}
encryption-key: {{ index $existing.data "encryption-key" }}
{{- else }}
encryption-key: {{ randAlphaNum 32 | b64enc | quote }}
{{- end }}
{{- if and .Values.n8n.basicAuth.enabled (not .Values.n8n.basicAuth.existingSecret) }}
basic-auth-password: {{ .Values.n8n.basicAuth.password | default (randAlphaNum 16) | b64enc | quote }}
{{- if .Values.n8n.basicAuth.password }}
basic-auth-password: {{ .Values.n8n.basicAuth.password | b64enc | quote }}
{{- else if $existing }}
basic-auth-password: {{ index $existing.data "basic-auth-password" | default (randAlphaNum 16 | b64enc) }}
{{- else }}
basic-auth-password: {{ randAlphaNum 16 | b64enc | quote }}
{{- end }}
{{- end }}
{{- if and (eq .Values.n8n.database.type "postgresdb") (not .Values.n8n.database.postgresdb.existingSecret) }}
postgres-password: {{ .Values.n8n.database.postgresdb.password | b64enc | quote }}