From 0a2ac14e7145d7335f755b98abee096589961949 Mon Sep 17 00:00:00 2001
From: Marcus Noble
Date: Sat, 7 May 2022 11:32:57 +0000
Subject: [PATCH] Switch matrix to external secrets and DB
---
manifests/_apps/matrix_chart.yaml | 157 +--------
manifests/matrix_chart/matrix_chart.yaml | 425 ++++++++++++++++++++++-
2 files changed, 424 insertions(+), 158 deletions(-)
diff --git a/manifests/_apps/matrix_chart.yaml b/manifests/_apps/matrix_chart.yaml
index d931e36..58b3516 100644
--- a/manifests/_apps/matrix_chart.yaml
+++ b/manifests/_apps/matrix_chart.yaml
@@ -23,159 +23,4 @@ spec: jsonPointers: - /data ---- - -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: chat-matrix - namespace: argocd - finalizers: - - resources-finalizer.argocd.argoproj.io -spec: - project: cluster.fun - destination: - namespace: chat - name: cluster-fun (scaleway) - source: - repoURL: 'https://dacruz21.github.io/helm-charts' - targetRevision: 2.7.0 - chart: matrix - helm: - version: v3 - values: |- - matrix: - serverName: "matrix.cluster.fun" - telemetry: false - hostname: "matrix.cluster.fun" - presence: "true" - blockNonAdminInvites: false - enableSearch: "true" - adminEmail: "matrix@marcusnoble.co.uk" - uploads: - maxSize: 500M - maxPixels: 64M - federation: - enabled: false - allowPublicRooms: false - blacklist: - - '127.0.0.0/8' - - '10.0.0.0/8' - - '172.16.0.0/12' - - '192.168.0.0/16' - - '100.64.0.0/10' - - '169.254.0.0/16' - - '::1/128' - - 'fe80::/64' - - 'fc00::/7' - registration: - enabled: false - allowGuests: false - urlPreviews: - enabled: true - rules: - maxSize: 10M - ip: - blacklist: - - '127.0.0.0/8' - - '10.0.0.0/8' - - '172.16.0.0/12' - - '192.168.0.0/16' - - '100.64.0.0/10' - - '169.254.0.0/16' - - '::1/128' - - 'fe80::/64' - - 'fc00::/7' - - volumes: - media: - capacity: 4Gi - signingKey: - capacity: 1Gi - - postgresql: - enabled: true - persistence: - size: 4Gi - - synapse: - image: - repository: "matrixdotorg/synapse" - tag: v1.43.0 - pullPolicy: IfNotPresent - service: - type: ClusterIP - port: 80 - replicaCount: 1 - resources: {} - metrics: - enabled: true - port: 9000 - annotations: true - - riot: - enabled: true - integrations: - enabled: true - ui: "https://scalar.vector.im/" - api: "https://scalar.vector.im/api" - widgets: - - "https://scalar.vector.im/_matrix/integrations/v1" - - "https://scalar.vector.im/api" - - "https://scalar-staging.vector.im/_matrix/integrations/v1" - - "https://scalar-staging.vector.im/api" - - "https://scalar-staging.riot.im/scalar/api" - # Experimental features in 
riot-web, see https://github.com/vector-im/riot-web/blob/develop/docs/labs.md - labs: - - feature_pinning - - feature_custom_status - - feature_state_counters - - feature_many_integration_managers - - feature_mjolnir - - feature_dm_verification - - feature_bridge_state - - feature_presence_in_room_list - - feature_custom_themes - - feature_new_spinner - # Servers to show in the Explore menu (the current server is always shown) - roomDirectoryServers: [] - # Prefix before permalinks generated when users share links to rooms, users, or messages. If running an unfederated Synapse, set the below to the URL of your Riot instance. - permalinkPrefix: "https://chat.cluster.fun" - image: - repository: "vectorim/element-web" - tag: v1.9.8 - pullPolicy: IfNotPresent - service: - type: ClusterIP - port: 80 - replicaCount: 2 - resources: {} - - # Settings for Coturn TURN relay, used for routing voice calls - coturn: - enabled: false - - mail: - enabled: false - relay: - enabled: false - - bridges: - irc: - enabled: false - whatsapp: - enabled: false - discord: - enabled: false - - networkPolicies: - enabled: false - - ingress: - enabled: false - syncPolicy: - automated: {} - ignoreDifferences: - - kind: Secret - jsonPointers: - - /data +--- \ No newline at end of file diff --git a/manifests/matrix_chart/matrix_chart.yaml b/manifests/matrix_chart/matrix_chart.yaml index ce6c046..4515760 100644 --- a/manifests/matrix_chart/matrix_chart.yaml +++ b/manifests/matrix_chart/matrix_chart.yaml @@ -28,7 +28,7 @@ spec: pathType: ImplementationSpecific backend: service: - name: chat-matrix-synapse + name: matrix-synapse port: number: 80 @@ -57,7 +57,7 @@ spec: pathType: ImplementationSpecific backend: service: - name: chat-matrix-riot + name: matrix-riot port: number: 80 
@@ -124,3 +124,424 @@ data: { "m.server": "matrix.cluster.fun:443" } + + +--- + + +# Source: matrix/templates/riot/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: matrix-riot-config + namespace: chat + labels: + app.kubernetes.io/name: "matrix" + component: element +data: + config.json: | + { + "default_server_config": { + "m.homeserver": { + "base_url": "https://matrix.cluster.fun" + } + }, + "brand": "Element", + "branding": {}, + "integrations_ui_url": "https://scalar.vector.im/", + "integrations_rest_url": "https://scalar.vector.im/api", + "integrations_widgets_urls": ["https://scalar.vector.im/_matrix/integrations/v1","https://scalar.vector.im/api","https://scalar-staging.vector.im/_matrix/integrations/v1","https://scalar-staging.vector.im/api","https://scalar-staging.riot.im/scalar/api"], + "showLabsSettings": true, + "features": { + "feature_pinning": "labs", + "feature_custom_status": "labs", + "feature_state_counters": "labs", + "feature_many_integration_managers": "labs", + "feature_mjolnir": "labs", + "feature_dm_verification": "labs", + "feature_bridge_state": "labs", + "feature_presence_in_room_list": "labs", + "feature_custom_themes": "labs", + "feature_new_spinner": "labs" + }, + "roomDirectory": { + "servers": [] + }, + "permalinkPrefix": "https://chat.cluster.fun" + } + nginx.conf: | + worker_processes auto; + + error_log /var/log/nginx/error.log warn; + pid /var/run/pid/nginx.pid; + + events { + worker_connections 1024; + } + + http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + + sendfile on; + + keepalive_timeout 65; + + include /etc/nginx/conf.d/*.conf; + } + default.conf: | + server { + listen 8080; + server_name localhost; + + location / { + root /usr/share/nginx/html; + index 
index.html index.htm; + } + + # redirect server error pages to the static page /50x.html + # + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/share/nginx/html; + } + } +--- +apiVersion: v1 +kind: Secret +metadata: + name: matrix-synapse-config + namespace: chat + annotations: + kube-1password: wbj4oozwyx6m2zz5m42pgcmymy + kube-1password/vault: Kubernetes + kube-1password/secret-text-key: homeserver.yaml + labels: + app.kubernetes.io/name: "matrix" + component: synapse +type: Opaque +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: matrix-synapse-config + namespace: chat + labels: + app.kubernetes.io/name: "matrix" + component: element +data: + matrix.cluster.fun.log.config: | + version: 1 + + formatters: + precise: + format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s' + + filters: + context: + (): synapse.util.logcontext.LoggingContextFilter + request: "" + + handlers: + console: + class: logging.StreamHandler + formatter: precise + filters: [context] + + loggers: + synapse: + level: WARNING + synapse.storage.SQL: + # beware: increasing this to DEBUG will make synapse log sensitive + # information such as access tokens. 
+ level: WARNING + + root: + level: WARNING + handlers: [console] +--- +# Source: matrix/templates/synapse/media-pvc.yaml +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: chat-matrix-media-store + namespace: chat + labels: + app.kubernetes.io/name: "matrix" + component: synapse +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 8Gi +--- +# Source: matrix/templates/synapse/signing-key-pvc.yaml +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: chat-matrix-signing-key + namespace: chat + labels: + app.kubernetes.io/name: "matrix" + component: synapse +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi +--- +# Source: matrix/templates/riot/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: matrix-riot + namespace: chat + labels: + app.kubernetes.io/name: "matrix" + component: element +spec: + type: ClusterIP + ports: + - port: 80 + targetPort: http + protocol: TCP + name: http + selector: + app.kubernetes.io/name: matrix-riot +--- +# Source: matrix/templates/synapse/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: matrix-synapse + namespace: chat + labels: + app.kubernetes.io/name: "matrix" + component: synapse + annotations: + prometheus.io/scrape: "true" + prometheus.io/path: "/_synapse/metrics" + prometheus.io/port: "9000" +spec: + type: ClusterIP + ports: + - port: 80 + targetPort: http + protocol: TCP + name: http + - port: 9000 + targetPort: metrics + protocol: TCP + name: metrics + selector: + app.kubernetes.io/name: matrix-synapse +--- +# Source: matrix/templates/riot/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: matrix-riot + namespace: chat + labels: + app.kubernetes.io/name: "matrix" + component: element +spec: + replicas: 2 + selector: + matchLabels: + app.kubernetes.io/name: matrix-riot + template: + metadata: + labels: + app.kubernetes.io/name: matrix-riot + spec: + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + 
fsGroup: 1000 + containers: + - name: "riot" + image: "vectorim/element-web:v1.9.8" + imagePullPolicy: IfNotPresent + ports: + - name: http + containerPort: 8080 + protocol: TCP + volumeMounts: + - mountPath: /app/config.json + name: riot-config + subPath: config.json + readOnly: true + - mountPath: /etc/nginx/nginx.conf + name: riot-config + subPath: nginx.conf + readOnly: true + - mountPath: /etc/nginx/conf.d/default.conf + name: riot-config + subPath: default.conf + readOnly: true + - mountPath: /var/cache/nginx + name: ephemeral + subPath: cache + - mountPath: /var/run/pid + name: ephemeral + subPath: pid + readinessProbe: + httpGet: + path: / + port: http + startupProbe: + httpGet: + path: / + port: http + livenessProbe: + httpGet: + path: / + port: http + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + volumes: + - name: riot-config + configMap: + name: matrix-riot-config + - name: ephemeral + emptyDir: {} +--- +# Source: matrix/templates/synapse/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: matrix-synapse + namespace: chat + labels: + app.kubernetes.io/name: "matrix" + component: synapse +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: matrix-synapse + strategy: + type: Recreate + template: + metadata: + labels: + app.kubernetes.io/name: matrix-synapse + spec: + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + initContainers: + - name: generate-signing-key + image: "matrixdotorg/synapse:v1.43.0" + imagePullPolicy: IfNotPresent + env: + - name: SYNAPSE_SERVER_NAME + value: matrix.cluster.fun + - name: SYNAPSE_REPORT_STATS + value: "no" + command: ["python"] + args: + - "-m" + - "synapse.app.homeserver" + - "--config-path" + - "/data/homeserver.yaml" + - "--keys-directory" + - "/data/keys" + - "--generate-keys" + volumeMounts: + - name: synapse-config-homeserver + mountPath: /data/homeserver.yaml + subPath: 
homeserver.yaml + - name: synapse-config-logging + mountPath: /data/matrix.cluster.fun.log.config + subPath: matrix.cluster.fun.log.config + - name: signing-key + mountPath: /data/keys + containers: + - name: "synapse" + image: "matrixdotorg/synapse:v1.43.0" + imagePullPolicy: IfNotPresent + env: + - name: UID + value: "1000" + - name: GID + value: "1000" + ports: + - name: http + containerPort: 8008 + protocol: TCP + - name: metrics + containerPort: 9000 + protocol: TCP + volumeMounts: + - name: synapse-config-homeserver + mountPath: /data/homeserver.yaml + subPath: homeserver.yaml + - name: synapse-config-logging + mountPath: /data/matrix.cluster.fun.log.config + subPath: matrix.cluster.fun.log.config + - name: signing-key + mountPath: /data/keys + - name: media-store + mountPath: /data/media_store + - name: uploads + mountPath: /data/uploads + - name: tmp + mountPath: /tmp + readinessProbe: + httpGet: + path: /_matrix/static/ + port: http + periodSeconds: 10 + timeoutSeconds: 5 + startupProbe: + httpGet: + path: /_matrix/static/ + port: http + failureThreshold: 6 + periodSeconds: 5 + timeoutSeconds: 5 + livenessProbe: + httpGet: + path: /_matrix/static/ + port: http + periodSeconds: 10 + timeoutSeconds: 5 + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + volumes: + - name: synapse-config-logging + configMap: + name: matrix-synapse-config + - name: synapse-config-homeserver + secret: + secretName: matrix-synapse-config + - name: signing-key + persistentVolumeClaim: + claimName: chat-matrix-signing-key + - name: media-store + persistentVolumeClaim: + claimName: chat-matrix-media-store + - name: uploads + emptyDir: {} + - name: tmp + emptyDir: {} +--- \ No newline at end of file
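Review bot: The generate-signing-key initContainer in the matrix-synapse Deployment carries no container-level securityContext, while the synapse container beside it drops all capabilities, sets readOnlyRootFilesystem and disables privilege escalation; it runs the same image with the homeserver.yaml Secret mounted, so it should get the same restrictions (and the tmp emptyDir mounted at /tmp if key generation turns out to need a writable scratch dir, which the hunk does not show). Two smaller points in the same hunk: the homeserver.yaml Secret and both ConfigMaps are mounted with subPath, so a value rotated through the kube-1password operator will not reach a running pod until it is restarted, which deserves a comment on the Secret such as `# populated by kube-1password; a rotated value needs a rollout restart because the volume is mounted with subPath`; and the matrix-synapse-config ConfigMap is labelled `component: element` although it holds the synapse logging config, presumably copied from the riot ConfigMap and worth changing to `component: synapse` so selectors and dashboards keyed on that label see it.
```yaml
      initContainers:
        - name: generate-signing-key
          # … unchanged: image, env, command, args, volumeMounts …
          securityContext:
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
```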