fix: preserve encryption key across helm upgrades using lookup

Use lookup to check for an existing Secret before generating a new
random key. Priority order:
  1. values.yaml n8n.encryptionKey (explicit)
  2. Existing Secret in the cluster (upgrade-safe)
  3. randAlphaNum 32 (first install only)

This prevents the "Mismatching encryption keys" error caused by
randAlphaNum generating a new key on every helm upgrade.
Same stable-value pattern applied to basicAuth password.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: n8n
 description: A Helm chart for n8n workflow automation on Kubernetes (ARM/Raspberry Pi ready)
 type: application
-version: "2.19.2-a"
+version: "2.19.2-b"
 appVersion: "2.19.2"
 keywords:
   - n8n

README.md

@@ -75,7 +75,7 @@ helm install my-n8n cafepieters/n8n \
 | `n8n.webhookUrl` | `""` | Webhook ベース URL（未設定時は host/protocol から生成） |
 | `n8n.timezone` | `Asia/Tokyo` | タイムゾーン |
 | `n8n.logLevel` | `info` | ログレベル（`error`/`warn`/`info`/`verbose`/`debug`） |
-| `n8n.encryptionKey` | `""` | 暗号化キー（空の場合は自動生成） |
+| `n8n.encryptionKey` | `""` | 暗号化キー（空の場合は初回インストール時に自動生成、以降は既存値を維持） |
 | `n8n.existingSecret` | `""` | 既存 Secret 名（指定時は Secret を自動作成しない） |
 
 ### Basic認証
@@ -191,6 +191,7 @@ n8n:
 | バージョン | n8n | 変更内容 |
 |---|---|---|
 | 2.19.2 | 2.19.2 | 初回リリース |
+| 2.19.2-b | 2.19.2 | 暗号化キーを `lookup` で既存 Secret から維持、`helm upgrade` での再生成を防止 |
 | 2.19.2-a | 2.19.2 | `N8N_SECURE_COOKIE` を Ingress/TLS 設定から自動判定（HTTP/LoadBalancer 環境対応） |
 
 ## ライセンス

templates/secret.yaml

@@ -1,17 +1,31 @@
 {{- if not .Values.n8n.existingSecret -}}
+{{- $secretName := include "n8n.fullname" . -}}
+{{- $existing := lookup "v1" "Secret" .Release.Namespace $secretName -}}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ include "n8n.fullname" . }}
+  name: {{ $secretName }}
   labels:
     {{- include "n8n.labels" . | nindent 4 }}
   annotations:
     helm.sh/resource-policy: keep
 type: Opaque
 data:
-  encryption-key: {{ .Values.n8n.encryptionKey | default (randAlphaNum 32) | b64enc | quote }}
+  {{- if .Values.n8n.encryptionKey }}
+  encryption-key: {{ .Values.n8n.encryptionKey | b64enc | quote }}
+  {{- else if $existing }}
+  encryption-key: {{ index $existing.data "encryption-key" }}
+  {{- else }}
+  encryption-key: {{ randAlphaNum 32 | b64enc | quote }}
+  {{- end }}
   {{- if and .Values.n8n.basicAuth.enabled (not .Values.n8n.basicAuth.existingSecret) }}
-  basic-auth-password: {{ .Values.n8n.basicAuth.password | default (randAlphaNum 16) | b64enc | quote }}
+  {{- if .Values.n8n.basicAuth.password }}
+  basic-auth-password: {{ .Values.n8n.basicAuth.password | b64enc | quote }}
+  {{- else if $existing }}
+  basic-auth-password: {{ index $existing.data "basic-auth-password" | default (randAlphaNum 16 | b64enc) }}
+  {{- else }}
+  basic-auth-password: {{ randAlphaNum 16 | b64enc | quote }}
+  {{- end }}
   {{- end }}
   {{- if and (eq .Values.n8n.database.type "postgresdb") (not .Values.n8n.database.postgresdb.existingSecret) }}
   postgres-password: {{ .Values.n8n.database.postgresdb.password | b64enc | quote }}