Root cause: Docker Hub sorts tags by last_updated (non-monotonic).
Some versions (e.g. 2.24.x) had older last_updated than 2.23.4, so they
fell off page 1 and were never detected. Workflow stuck at 2.22.2.
Fix:
- Primary source: GitHub Releases API (stable releases, per_page=30)
- Secondary source: Docker Hub page 1 (catches releases before GitHub promotes them)
- Take the maximum of both candidates
- Sanity check: LATEST must be >= CURRENT to prevent false downgrades
- Added --retry 3 and .draft==false filter to GitHub source
Also bump chart and image to 2.26.3 (manual catch-up from 2.22.2).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

- Recommend explicit encryptionKey setting at install time
- Add kubectl recovery procedure for key mismatch (works even when
pod is in CrashLoopBackOff via a temporary reader pod)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Use lookup to check for an existing Secret before generating a new
random key. Priority order:
1. values.yaml n8n.encryptionKey (explicit)
2. Existing Secret in the cluster (upgrade-safe)
3. randAlphaNum 32 (first install only)
This prevents the "Mismatching encryption keys" error caused by
randAlphaNum generating a new key on every helm upgrade.
Same stable-value pattern applied to basicAuth password.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

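The three-step key priority from the commit message above, sketched as a Helm Secret template. This is an added example, not the chart's own template; the Secret name and the `N8N_ENCRYPTION_KEY` data key are assumptions.

```yaml
{{- /* Added example. Secret name and data key are assumptions, not taken from the chart. */ -}}
{{- $name := printf "%s-n8n" .Release.Name }}
{{- /* lookup returns an empty map when the Secret does not exist yet. */ -}}
{{- $existing := lookup "v1" "Secret" .Release.Namespace $name }}
{{- $data := default dict $existing.data }}
{{- $stored := get $data "N8N_ENCRYPTION_KEY" }}
{{- $key := "" }}
{{- if .Values.n8n.encryptionKey }}
{{- /* 1. Explicit value from values.yaml always wins. */ -}}
{{- $key = .Values.n8n.encryptionKey }}
{{- else if $stored }}
{{- /* 2. Reuse the key already in the cluster; Secret data is base64-encoded. */ -}}
{{- $key = $stored | b64dec }}
{{- else }}
{{- /* 3. First install only: generate a fresh random key. */ -}}
{{- $key = randAlphaNum 32 }}
{{- end }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ $name }}
  namespace: {{ .Release.Namespace }}
type: Opaque
stringData:
  N8N_ENCRYPTION_KEY: {{ $key | quote }}
```

`lookup` returns an empty map under `helm template` and client-side `--dry-run`, so those renders fall through to step 3 and show a fresh random key; only an install or upgrade against the cluster sees the stored value.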
Set N8N_SECURE_COOKIE=true only when ingress.enabled=true AND ingress.tls
is configured. All other cases (LoadBalancer, HTTP Ingress) default to false,
eliminating the secure cookie error without manual configuration.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

- README.md: full chart documentation (install, config reference,
persistence, DB options, Ingress example, version history)
- CLAUDE.md: add rule requiring README update on every change
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>