[apps/matrix] Begin cleanup for single worker approach

This commit is contained in:
Nico Schottelius 2021-12-21 12:02:28 +01:00
parent 52bec8f0c5
commit 58be88f40a
3 changed files with 129 additions and 123 deletions

View file

@ -1,3 +1,65 @@
## Todos / missing 2021-12-21
* Splitting / checking postgresql
* Setting up element-web + config
* Defining the homeserver.yaml
* Integration with certbot
## Components
### General
* Need switches for element-web (?)
* Or always deploy
### element-web
* Needs config: /app/config.json
* Needs FQDN for HTTPS / nginx
* Maybe limit the builtin webserver to localhost?
To add:
```
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "frame-ancestors 'none'";
```
### matrix-synapse
* Requires homeserver.yaml for starting
* Need to overwrite the entrypoint
* How/where do we specifiy the postgresql password?
* Maybe in our own init container using alpine?
Need to generate for postgresql:
```
database:
# The database engine name
name: "psycopg2"
# Arguments to pass to the engine
args:
database: "matrix-synapse"
host: "/var/run/postgresql"
user: "matrix-synapse"
password: ""
cp_min: 10
cp_min: 5
```
For configuration set/do not set:
* SYNAPSE_CONFIG_DIR=/config (this contains generated files from us)
* SYNAPSE_DATA_DIR is by default /data, keep as is
Save under:
## Missing ## Missing
- db secret generation (sops?) - db secret generation (sops?)
@ -6,9 +68,12 @@
- Exposing sizes in value.yaml (db, gitea) - Exposing sizes in value.yaml (db, gitea)
- Maybe reducing to 1 PVC? - Maybe reducing to 1 PVC?
## TODOs ## TODOs
- Maybe move postgres into own service -> stays running by default - Move postgres into own service -> stays running by default
## Reset ## Reset

View file

@ -2,22 +2,60 @@
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: {{ .Release.Name }}-matrix name: {{ .Release.Name }}-matrix-element-web
spec: spec:
selector: selector:
matchLabels: matchLabels:
app: {{ .Release.Name }}-matrix app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: matrix-element-web
replicas: 1 replicas: 1
template: template:
metadata: metadata:
labels: labels:
app: {{ .Release.Name }}-matrix app.kubernetes.io/instance: {{ .Release.Name }}
use-as-service: {{ .Release.Name }} app.kubernetes.io/component: matrix-element-web
spec:
containers:
- name: element-web
image: vectorim/element-web:{{ .Values.elementWebVersion }}
ports:
- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: {{ .Release.Name }}-element-web
labels:
app: {{ .Release.Name }}-element-web
spec:
type: ClusterIP
ports:
# Required for letsencrypt
- port: 80
name: http
selector:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: matrix-element-web
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Release.Name }}-matrix-synapse
spec:
selector:
matchLabels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: matrix-synapse
replicas: 1
template:
metadata:
labels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: matrix-synapse
spec: spec:
initContainers: initContainers:
- name: generate-matrix-signing-key - name: generate-matrix-signing-key
image: ungleich/ungleich-matrix-synapse:{{ .Values.synapseVersion }} image: matrixdotorg/synapse:{{ .Values.synapseVersion }}
imagePullPolicy: Always
command: command:
- "python" - "python"
- "-m" - "-m"
@ -33,61 +71,6 @@ spec:
- name: matrix-config - name: matrix-config
mountPath: "/baseconfig" mountPath: "/baseconfig"
containers: containers:
- name: certbot
image: ungleich/ungleich-certbot
imagePullPolicy: Always
ports:
- containerPort: 80
env:
- name: DOMAIN
value: "{{ tpl .Values.fqdn . }}"
- name: EMAIL
value: "{{ .Values.email }}"
{{ if eq .Values.letsencryptStaging "no" }}
- name: STAGING
value: "no"
{{ end }}
volumeMounts:
- name: etcletsencrypt
mountPath: "/etc/letsencrypt"
# This container will only start *after* the cert has been placed
- name: debug
image: alpine:latest
volumeMounts:
- name: nginx-config
mountPath: "/etc/nginx/conf.d/"
- name: etcletsencrypt
mountPath: "/etc/letsencrypt"
- name: data
mountPath: "/data"
- name: matrix-config
mountPath: "/baseconfig"
- name: postgres-vars
mountPath: "/postgres"
args:
- sleep
- "1000000"
- name: nginx
image: nginx:1.21-alpine
ports:
- containerPort: 443
volumeMounts:
- name: nginx-config
mountPath: "/etc/nginx/conf.d/"
- name: etcletsencrypt
mountPath: "/etc/letsencrypt"
- name: postgres
image: postgres:13
ports:
- containerPort: 5432
envFrom:
- secretRef:
name: {{ tpl .Values.identifier . }}-postgres-config
volumeMounts:
- name: postgres-data
mountPath: "/var/lib/postgresql/data"
# Use subpath to avoid lost+found error
subPath: postgres
- name: matrix - name: matrix
# SYNAPSE_CONFIG_DIR: where additional configs are placed -> postgres-db.yaml # SYNAPSE_CONFIG_DIR: where additional configs are placed -> postgres-db.yaml
# SYNAPSE_CONFIG_PATH: the initial config # SYNAPSE_CONFIG_PATH: the initial config
@ -111,22 +94,22 @@ spec:
volumes: volumes:
- name: etcletsencrypt - name: etcletsencrypt
persistentVolumeClaim: persistentVolumeClaim:
claimName: {{ tpl .Values.identifier . }}-letsencrypt-certs claimName: {{ .Release.Name }}-letsencrypt-certs
- name: data - name: data
persistentVolumeClaim: persistentVolumeClaim:
claimName: {{ tpl .Values.identifier . }}-data claimName: {{ .Release.Name }}-data
- name: postgres-data - name: postgres-data
persistentVolumeClaim: persistentVolumeClaim:
claimName: {{ tpl .Values.identifier . }}-postgres-data claimName: {{ .Release.Name }}-postgres-data
- name: postgres-vars - name: postgres-vars
secret: secret:
secretName: {{ tpl .Values.identifier . }}-postgres-config secretName: {{ .Release.Name }}-postgres-config
- name: nginx-config - name: nginx-config
configMap: configMap:
name: {{ tpl .Values.identifier . }}-nginx-config name: {{ .Release.Name }}-nginx-config
- name: matrix-config - name: matrix-config
configMap: configMap:
name: {{ tpl .Values.identifier . }}-matrix-config name: {{ .Release.Name }}-matrix-config
items: items:
- key: homeserver.yaml - key: homeserver.yaml
path: homeserver.yaml path: homeserver.yaml
@ -137,9 +120,9 @@ spec:
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: {{ tpl .Values.identifier . }} name: {{ .Release.Name }}
labels: labels:
app: {{ tpl .Values.identifier . }} app: {{ .Release.Name }}
spec: spec:
type: ClusterIP type: ClusterIP
ports: ports:
@ -154,9 +137,9 @@ spec:
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: {{ tpl .Values.identifier . }}-web name: {{ .Release.Name }}-web
labels: labels:
app: {{ tpl .Values.identifier . }}-web app: {{ .Release.Name }}-web
spec: spec:
type: ClusterIP type: ClusterIP
ports: ports:
@ -171,7 +154,7 @@ spec:
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
name: {{ tpl .Values.identifier . }}-letsencrypt-certs name: {{ .Release.Name }}-letsencrypt-certs
spec: spec:
accessModes: accessModes:
- ReadWriteMany - ReadWriteMany
@ -183,7 +166,7 @@ spec:
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
name: {{ tpl .Values.identifier . }}-data name: {{ .Release.Name }}-data
spec: spec:
accessModes: accessModes:
- ReadWriteMany - ReadWriteMany
@ -195,7 +178,7 @@ spec:
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
name: {{ tpl .Values.identifier . }}-postgres-data name: {{ .Release.Name }}-postgres-data
spec: spec:
accessModes: accessModes:
- ReadWriteOnce - ReadWriteOnce
@ -204,45 +187,10 @@ spec:
storage: 500Mi storage: 500Mi
storageClassName: rook-ceph-block storageClassName: rook-ceph-block
--- ---
# apiVersion: batch/v1
# kind: Job
# metadata:
# name: {{ tpl .Values.identifier . }}-getcert
# spec:
# template:
# metadata:
# labels:
# app: certbot-letsencrypt-getcert
# use-as-service: {{ .Release.Name }}
# spec:
# restartPolicy: Never
# containers:
# - name: certbot
# image: ungleich/ungleich-certbot
# ports:
# - containerPort: 80
# env:
# - name: DOMAIN
# value: "{{ tpl .Values.fqdn . }}"
# - name: EMAIL
# value: "{{ .Values.email }}"
# {{ if eq .Values.letsencryptStaging "no" }}
# - name: STAGING
# value: "no"
# {{ end }}
# volumeMounts:
# - name: etcletsencrypt
# mountPath: "/etc/letsencrypt"
# volumes:
# - name: etcletsencrypt
# persistentVolumeClaim:
# claimName: {{ tpl .Values.identifier . }}-letsencrypt-certs
# backoffLimit: 3
#---
apiVersion: v1 apiVersion: v1
kind: ConfigMap kind: ConfigMap
metadata: metadata:
name: {{ tpl .Values.identifier . }}-nginx-config name: {{ .Release.Name }}-nginx-config
data: data:
default.conf: | default.conf: |
server { server {
@ -268,7 +216,7 @@ data:
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
name: {{ tpl .Values.identifier . }}-postgres-config name: {{ .Release.Name }}-postgres-config
annotations: annotations:
secret-generator.v1.mittwald.de/autogenerate: POSTGRES_PASSWORD secret-generator.v1.mittwald.de/autogenerate: POSTGRES_PASSWORD
stringData: stringData:
@ -279,7 +227,7 @@ stringData:
apiVersion: v1 apiVersion: v1
kind: ConfigMap kind: ConfigMap
metadata: metadata:
name: {{ tpl .Values.identifier . }}-matrix-config name: {{ .Release.Name }}-matrix-config
data: data:
homeserver.yaml: | homeserver.yaml: |
server_name: "{{ .Values.server_name }}" server_name: "{{ .Values.server_name }}"
@ -360,8 +308,3 @@ data:
synapse.storage.SQL: synapse.storage.SQL:
level: INFO level: INFO
# example of enabling debugging for a component:
#
# synapse.federation.transport.server:
# level: DEBUG

View file

@ -2,9 +2,7 @@ clusterDomain: c2.k8s.ooo
email: technik@ungleich.ch email: technik@ungleich.ch
letsencryptStaging: "yes" letsencryptStaging: "yes"
# This is how the service and the data volumes are named - i.e. the
# persistent thing
identifier: "{{ .Release.Name }}"
fqdn: "{{ .Release.Name }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" fqdn: "{{ .Release.Name }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}"
# This needs delegation / configuration on fn.nf # This needs delegation / configuration on fn.nf
@ -18,5 +16,5 @@ enable_registration: false
# Maximum size of one particular file # Maximum size of one particular file
max_filesize_in_mb: 100 max_filesize_in_mb: 100
elementVersion: "1.7.32" elementWebVersion: "v1.9.8"
synapseVersion: "v1.48.0" synapseVersion: "v1.49.0"