mastodon · timetinytim · Aug 12, 2025 · Oct 13, 2025 · Oct 15, 2025 · Oct 20, 2025
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,15 @@
+# 6.7.0
+
+- LDAP passwords can be given as secrets:
+```yaml
+externalAuth:
+  ldap:
+    passwordSecretRef:
+      name: ldap-auth
+      key: password
+
+```
+
 # 6.6.4
 
 - Update the mastodon version to v4.5.4

diff --git a/Chart.yaml b/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time
 # you make changes to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 6.6.4
+version: 6.7.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

diff --git a/templates/deployment-sidekiq.yaml b/templates/deployment-sidekiq.yaml
@@ -242,6 +242,13 @@ spec:
               value: "true"
             {{- end }}
             {{- end }}
+            {{- if and $context.Values.externalAuth.ldap.enabled $context.Values.externalAuth.ldap.passwordSecretRef.name }}
+            - name: LDAP_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $context.Values.externalAuth.ldap.passwordSecretRef.name }}
+                  value: {{ $context.Values.externalAuth.ldap.passwordSecretRef.key | default "password" }}
+            {{- end }}
           {{- if $context.Values.mastodon.metrics.prometheus.enabled }}
           ports:
             - name: prometheus

diff --git a/templates/deployment-streaming.yaml b/templates/deployment-streaming.yaml
@@ -137,6 +137,13 @@ spec:
             {{- end }}
             - name: "PORT"
               value: {{ .Values.mastodon.streaming.port | quote }}
+            {{- if and .Values.externalAuth.ldap.enabled .Values.externalAuth.ldap.passwordSecretRef.name }}
+            - name: LDAP_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.externalAuth.ldap.passwordSecretRef.name }}
+                  value: {{ .Values.externalAuth.ldap.passwordSecretRef.key | default "password" }}
+            {{- end }}
             {{- range $k, $v := .Values.mastodon.streaming.extraEnvVars }}
             - name: {{ $k }}
               value: {{ quote $v }}

diff --git a/templates/deployment-web.yaml b/templates/deployment-web.yaml
@@ -216,6 +216,13 @@ spec:
               value: "true"
             {{- end }}
             {{- end }}
+            {{- if and .Values.externalAuth.ldap.enabled .Values.externalAuth.ldap.passwordSecretRef.name }}
+            - name: LDAP_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.externalAuth.ldap.passwordSecretRef.name }}
+                  value: {{ .Values.externalAuth.ldap.passwordSecretRef.key | default "password" }}
+            {{- end }}
             - name: TEST_ENV_VALUE
               value: {{ .Values.mastodon.metrics.statsd.address }}
           volumeMounts:

diff --git a/values.yaml b/values.yaml
@@ -892,6 +892,9 @@ externalAuth:
     # base:
     # bind_dn:
     # password:
+    # passwordSecretRef:
+    #   name:
+    #   key: password
     # uid: cn
     # mail: mail
     # search_filter: "(|(%{uid}=%{email})(%{mail}=%{email}))"