From 54fa93a422e1803c0c077fec86e5c0bd8ee0c5ba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Mon, 2 Aug 2021 18:08:56 +0200 Subject: [PATCH 1/3] fnux-playground: add TLS and replication to openldap chart --- apps/fnux-playground/README.md | 3 ++ .../ldap1.fnux-playground.yaml | 6 ---- .../ldapN.fnux-playground.yaml | 10 +++++++ apps/fnux-playground/openldap/Chart.yaml | 2 +- .../openldap/templates/deployment.yaml | 29 ++++++++++++++----- apps/fnux-playground/openldap/values.yaml | 19 +++++++----- 6 files changed, 47 insertions(+), 22 deletions(-) delete mode 100644 apps/fnux-playground/ldap1.fnux-playground.yaml create mode 100644 apps/fnux-playground/ldapN.fnux-playground.yaml diff --git a/apps/fnux-playground/README.md b/apps/fnux-playground/README.md index c8c71ef..c406b84 100644 --- a/apps/fnux-playground/README.md +++ b/apps/fnux-playground/README.md @@ -9,6 +9,9 @@ image](https://github.com/osixia/docker-openldap). A TLS certificate is automatically generated via Let'sEncrypt, but renewal is not handled yet. TODO: handle TLS certificate renewal. +NOTE: replication with the osixia image is somewhat broken, see: + https://github.com/osixia/docker-openldap/issues/203 + -> Worked around the issue with https://github.com/ungleich/docker-openldap/commit/3c7c9ece1e67bce0bfe1fdb66a63f5c8c59359f4 ``` kubectl create secret generic ldap1-openldap --from-literal=LDAP_ADMIN_PASSWORD=secretsecretsectet diff --git a/apps/fnux-playground/ldap1.fnux-playground.yaml b/apps/fnux-playground/ldap1.fnux-playground.yaml deleted file mode 100644 index 9026f01..0000000 --- a/apps/fnux-playground/ldap1.fnux-playground.yaml +++ /dev/null @@ -1,6 +0,0 @@ -clusterDomain: "c1.k8s.ooo" - -# See https://www.openldap.org/doc/admin24/slapdconf2.html section 5.2.1.2; -ldapLogLevel: "256" -ldapOrganisation: "ungleich glarus ag" -ldapDomain: "ungleich.ch" 
diff --git a/apps/fnux-playground/ldapN.fnux-playground.yaml b/apps/fnux-playground/ldapN.fnux-playground.yaml
new file mode 100644
index 0000000..da29629
--- /dev/null
+++ b/apps/fnux-playground/ldapN.fnux-playground.yaml
@@ -0,0 +1,10 @@
+clusterDomain: "c1.k8s.ooo"
+
+ldap:
+ # See https://www.openldap.org/doc/admin24/slapdconf2.html section 5.2.1.2;
+ logLevel: "256"
+ oganisation: "ungleich glarus ag"
+ domain: "ungleich.ch"
+ adminPasswordSecretRef: "ldap-openldap"
+ enableReplication: "true"
+ replicationHosts: "#PYTHON2BASH:['ldaps://ldap1.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}','ldaps://ldap2.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}']"
diff --git a/apps/fnux-playground/openldap/Chart.yaml b/apps/fnux-playground/openldap/Chart.yaml
index 1b45324..137d4fc 100644
--- a/apps/fnux-playground/openldap/Chart.yaml
+++ b/apps/fnux-playground/openldap/Chart.yaml
@@ -21,4 +21,4 @@ version: 0.1.0
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.5.0"
+appVersion: "1.5.0-serverid-hostname-fallback-2"
diff --git a/apps/fnux-playground/openldap/templates/deployment.yaml b/apps/fnux-playground/openldap/templates/deployment.yaml
index 7bd9e91..ca9be71 100644
--- a/apps/fnux-playground/openldap/templates/deployment.yaml
+++ b/apps/fnux-playground/openldap/templates/deployment.yaml
@@ -30,8 +30,8 @@ spec:
 mountPath: /etc/letsencrypt
 containers:
 - name: "openldap"
- image: "osixia/openldap:{{ .Chart.AppVersion }}"
- args: ["--loglevel", "debug"]
+ image: "ungleich/openldap:{{ .Chart.AppVersion }}"
+ args: ["--loglevel", "trace"]
 ports:
 - name: ldap
 containerPort: 389
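Review bot: The key `oganisation` in the new ldapN values file is misspelled; the deployment template in this series reads `.Values.ldap.organisation`, so this override is silently ignored and the chart default from values.yaml is what reaches LDAP_ORGANISATION. Change the line to `organisation: "ungleich glarus ag"`. Separately, `adminPasswordSecretRef: "ldap-openldap"` makes both releases read a Secret named `ldap-openldap`, whereas the README instructions in the same series still create `ldap1-openldap`; one of the two needs aligning, otherwise the pods cannot start until the referenced Secret exists. Also, `enableReplication: "true"` is a quoted string while the chart default is the boolean `false`; the template renders either, but one form should be chosen and documented.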
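Review bot: Running the entrypoint with `--loglevel trace` unconditionally risks writing the replication credentials into the container log: if the ungleich fork keeps osixia's behaviour of enabling shell tracing at this level, the syncrepl stanzas introduced alongside, which embed `$$LDAP_CONFIG_PASSWORD` and `$$LDAP_ADMIN_PASSWORD`, are echoed with the values substituted, and anyone with log read access sees both passwords. Consider keeping `args: ["--loglevel", "debug"]` and exposing the level as a chart value so that `trace` is an explicit, temporary troubleshooting choice. The container spec continues outside the hunk.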
@@ -53,16 +53,21 @@ spec:
 - name: HOSTNAME
 value: "{{ tpl .Values.fqdn . }}"
 - name: LDAP_LOG_LEVEL
- value: "{{ tpl .Values.ldapLogLevel . }}"
+ value: "{{ tpl .Values.ldap.logLevel . }}"
 - name: LDAP_ORGANISATION
- value: "{{ tpl .Values.ldapOrganisation . }}"
+ value: "{{ tpl .Values.ldap.organisation . }}"
 - name: LDAP_DOMAIN
- value: "{{ tpl .Values.ldapDomain . }}"
+ value: "{{ tpl .Values.ldap.domain . }}"
 - name: LDAP_ADMIN_PASSWORD
 valueFrom:
 secretKeyRef:
- name: "{{ tpl .Values.ldapAdminPasswordSecretRef . }}"
- key: "{{ tpl .Values.ldapAdminPasswordSecretKey . }}"
+ name: "{{ tpl .Values.ldap.adminPasswordSecretRef . }}"
+ key: "{{ tpl .Values.ldap.adminPasswordSecretKey . }}"
+ - name: LDAP_CONFIG_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "{{ tpl .Values.ldap.adminPasswordSecretRef . }}"
+ key: "{{ tpl .Values.ldap.adminPasswordSecretKey . }}"
 - name: LDAP_TLS_CRT_FILENAME
 value: "live/{{ tpl .Values.fqdn . }}/cert.pem"
 - name: LDAP_TLS_KEY_FILENAME
@@ -71,6 +76,14 @@ spec:
 value: "live/{{ tpl .Values.fqdn . }}/fullchain.pem"
 - name: LDAP_TLS_VERIFY_CLIENT
 value: "try"
+ - name: LDAP_REPLICATION
+ value: "{{ .Values.ldap.enableReplication }}"
+ - name: LDAP_REPLICATION_HOSTS
+ value: "{{ tpl .Values.ldap.replicationHosts . }}"
+ - name: LDAP_REPLICATION_CONFIG_SYNCPROV
+ value: "{{ tpl .Values.ldap.replicationConfigSyncprov . }}"
+ - name: LDAP_REPLICATION_DB_SYNCPROV
+ value: "{{ tpl .Values.ldap.replicationDbSyncprov . }}"
 volumeMounts:
 - name: "{{ tpl .Values.identifier . }}-openldap-data"
 mountPath: "/etc/ldap/slapd.d"
@@ -111,7 +124,7 @@ spec:
 value: "{{ tpl .Values.fqdn . }}"
 - name: EMAIL
 value: "{{ .Values.letsencryptEmail }}"
- {{ if eq .Values.letsencryptStaging "no" }}
+ {{ if not .Values.letsencryptStaging }}
 - name: STAGING
 value: "no"
 {{ end }}
diff --git a/apps/fnux-playground/openldap/values.yaml b/apps/fnux-playground/openldap/values.yaml
index f0c48f9..52e9196 100644
--- a/apps/fnux-playground/openldap/values.yaml
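Review bot: The new `LDAP_CONFIG_PASSWORD` entry reuses `adminPasswordSecretRef`/`adminPasswordSecretKey`, so the cn=config password is identical to the data-tree admin password; the credential the syncrepl consumer binds with as `cn=admin,cn=config` (see the values.yaml hunk) then also administers the whole directory, and a leak of either grants both roles. Giving the config password its own, optional value keeps the current behaviour by default while letting operators separate the two: `key: "{{ tpl (.Values.ldap.configPasswordSecretKey | default .Values.ldap.adminPasswordSecretKey) . }}"`, with a matching line for the secret name. The env list continues outside the hunk.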
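Review bot: `LDAP_REPLICATION` is the only new entry rendered without `tpl`, and the reason is not stated: the chart default `enableReplication: false` is a boolean and Helm's `tpl` only accepts a string, so passing it through would fail the render. A comment above the entry, `# not passed through tpl: the default is a boolean and tpl requires a string`, would stop the next reader from "fixing" it for consistency with the neighbouring entries; the ldapN example, which sets `enableReplication: "true"` as a string, shows the value already arrives in both forms.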
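Review bot: Existing per-release values files that still set `letsencryptStaging: "no"` now take the wrong branch: `{{ if not .Values.letsencryptStaging }}` treats any non-empty string as true, so STAGING is no longer pinned to "no" and such a release silently moves to the staging CA, whose certificates are not publicly trusted. Accepting both spellings during the transition, `{{ if or (not .Values.letsencryptStaging) (eq (toString .Values.letsencryptStaging) "no") }}`, or at least stating the type change in the commit message, would avoid the surprise. The surrounding container spec runs outside the hunk.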
+++ b/apps/fnux-playground/openldap/values.yaml @@ -2,13 +2,18 @@ clusterDomain: "c1.k8s.ooo" fqdn: "{{ .Release.Name }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" identifier: "{{ .Release.Name }}" -# See https://www.openldap.org/doc/admin24/slapdconf2.html section 5.2.1.2; -ldapLogLevel: "256" -ldapOrganisation: "ungleich glarus ag" -ldapDomain: "{{ tpl .Values.fqdn . }}" -ldapAdminPasswordSecretRef: "{{ tpl .Values.identifier . }}-openldap" -ldapAdminPasswordSecretKey: "LDAP_ADMIN_PASSWORD" +ldap: + # See https://www.openldap.org/doc/admin24/slapdconf2.html section 5.2.1.2; + logLevel: "256" + organisation: "ungleich glarus ag" + domain: "{{ tpl .Values.fqdn . }}" + adminPasswordSecretRef: "{{ tpl .Values.identifier . }}-openldap" + adminPasswordSecretKey: "LDAP_ADMIN_PASSWORD" + enableReplication: false + replicationHosts: "" + replicationConfigSyncprov: 'binddn=\"cn=admin,cn=config\" bindmethod=simple credentials=$$LDAP_CONFIG_PASSWORD searchbase=\"cn=config\" type=refreshAndPersist retry=\"60 +\" timeout=1 starttls=no' + replicationDbSyncprov: 'binddn=\"cn=admin,$$LDAP_BASE_DN\" bindmethod=simple credentials=$$LDAP_ADMIN_PASSWORD searchbase=\"$$LDAP_BASE_DN\" type=refreshAndPersist interval=00:00:00:10 retry=\"60 +\" timeout=1 starttls=no' # TLS certificate generation. letsencryptEmail: "technik@ungleich.ch" -letsencryptStaging: "no" +letsencryptStaging: false From 3bf9d54ff07954bdc65ec5dbff3efff96c1e99c1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Mon, 2 Aug 2021 18:12:25 +0200 Subject: [PATCH 2/3] fnux-playground: expand matrix configuration --- .../matrix.fnux-playground.yaml | 89 ++++++++++++++----- 1 file changed, 69 insertions(+), 20 deletions(-) diff --git a/apps/fnux-playground/matrix.fnux-playground.yaml b/apps/fnux-playground/matrix.fnux-playground.yaml index e9d8d80..5063b44 100644 --- a/apps/fnux-playground/matrix.fnux-playground.yaml +++ b/apps/fnux-playground/matrix.fnux-playground.yaml 
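Review bot: Both new syncrepl strings end in `starttls=no`, which is only safe because the example `replicationHosts` use `ldaps://` URIs; an override listing `ldap://` hosts would replicate the directory, and send the `cn=admin` bind credentials, in clear text, and nothing in the file says so. A comment above `replicationHosts: ""` such as `# Must be ldaps:// URIs: the syncprov settings below set starttls=no and rely on implicit TLS.` would document the constraint. It is also worth noting next to the two strings that the `\"` sequences survive the single-quoted YAML scalars unchanged and only become quotes when deployment.yaml re-emits the value inside a double-quoted `value:`, so the escaping depends on that template rather than on this file.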
@@ -1,26 +1,36 @@ -# TODO: set redis & PGSQL password, investigate workers. +# Note: as of writing we can't template the variables of this file, although +# I'm pretty sure upstream would accept a patch for this. -# Synapse configuration. +# Shared variables. +clusterName: "c2.k8s.ooo" + +# The Matrix domain name, this is what will be used for the domain part in +# your MXIDs. +serverName: "matrix.fnux-playground.svc.c2.k8s.ooo" + +# The public Matrix server name, this will be used for any public URLs +# in config as well as for client API links in the ingress. +publicServerName: "matrix.fnux-playground.svc.c2.k8s.ooo" + +# Generic configuration that apply to mixed components. config: + # Log level for Synapse and all modules. logLevel: INFO -# Synapse persistence. -persistence: - enabled: true - storageClass: "rook-cephfs" - accessMode: ReadWriteMany - size: 10Gi - -# PGSQL persistence. -postgresql: - enabled: true - persistence: - storageClass: "rook-cephfs" - size: 16Gi - -# First/initial startup is slow! The synapse pod get killed before the database -# is fully initialied if we don't explicitely wait. +# Configuration to apply to the main Synapse pod. synapse: + ## Only really applicable when the deployment has an RWO PV attached (e.g. when media repository + ## is enabled for the main Synapse pod) + ## Since replicas = 1, an update can get "stuck", as the previous pod remains attached to the + ## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will + ## terminate the single previous pod, so that the new, incoming pod can attach to the PV + ## + strategy: + type: RollingUpdate + # First/initial startup is slow! The synapse pod get killed before the + # database is fully initialied if we don't explicitely wait. + # XXX: we should probably use a startupProbe, but this need to be patched + # upstream. livenessProbe: httpGet: path: /health 
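Review bot: The six-line `##` comment above `strategy:` argues for switching to `Recreate` when a ReadWriteOnce volume is attached, yet the value set directly under it is `type: RollingUpdate`, so a reader cannot tell whether the recommendation was considered and rejected. One line stating the decision, e.g. `# RollingUpdate is fine here: the media PVC is ReadWriteMany, so two pods may attach during an update.`, would resolve it; the persistence stanza added later in this file sets `accessMode: ReadWriteMany`, so that appears to be the case, though it is worth confirming no other RWO mount exists. Separately, `serverName` is the cluster-internal `svc` hostname, which is what ends up in every MXID and is not changeable later without a new homeserver; if this playground is ever expected to be reachable from outside the cluster, that is worth deciding now.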
@@ -32,6 +42,22 @@ synapse: port: http initialDelaySeconds: 180 +# Configuration for handling Synapse workers, which are useful for handling +# high-load deployments. +# +# More information is available at; +# https://github.com/matrix-org/synapse/blob/master/docs/workers.md +# +# workers: ... + +# Persistence configuration for the media repository function. This PVC will +# be mounted in either Synapse or a media_repo worker. +persistence: + enabled: true + storageClass: "rook-cephfs" + accessMode: ReadWriteMany + size: 10Gi + # Serve /.well-known URIs, making federation possible without adding # SRV-records to DNS. wellknown: @@ -44,10 +70,33 @@ wellknown: # Data served on .well-known/matrix/server. # See https://matrix.org/docs/spec/server_server/latest#get-well-known-matrix-server server: - m.server: "matrix.fnux-playground.svc.c1.k8s.oo:443" + m.server: "matrix.fnux-playground.svc.c2.k8s.ooo" # Data served on .well-known/matrix/client. # See https://matrix.org/docs/spec/client_server/latest#get-well-known-matrix-client client: m.homeserver: - base_url: "https://matrix.ungleich.ch" + base_url: "https://matrix.fnux-playground.svc.c2.k8s.ooo" + +# PGSQL database server configuration. +postgresql: + enabled: true + postgresqlPassword: "secret" + postgresqlUsername: synapse + postgresqlDatabase: synapse + persistence: + storageClass: "rook-cephfs" + size: 16Gi + +## Redis server for use with workers/sharding. +redis: + enabled: true + usePassword: true + password: "secret" + +# The K8s ingress configuration, this will be quite heavily used in order to +# set up all routing necessary for use with a sharded Synapse instance. If +# you're not using a Ingress compatible K8s ingress, you will need to set up +# your own routing instead. +ingress: + enabled: true From 4f9678be3a3dc69c811b1017142aa1bcf8dd2e93 Mon Sep 17 00:00:00 2001 
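Review bot: `postgresqlPassword: "secret"` and the redis `password: "secret"` put plaintext credentials into a values file committed next to the chart, and the same literal is reused for both services. Even in a playground they belong in a Kubernetes Secret or in a values file kept out of version control and passed with `-f` at install time; if the subcharts support an existing-secret reference that is the cleaner fix, otherwise `--set postgresql.postgresqlPassword=…` at least keeps them off disk. The `m.server` change also drops the explicit `:443` the old value carried; a bare hostname in `.well-known/matrix/server` delegates federation to port 8448, so unless the ingress serves federation there it should read `m.server: "matrix.fnux-playground.svc.c2.k8s.ooo:443"`.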
From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Mon, 2 Aug 2021 18:16:26 +0200 Subject: [PATCH 3/3] fnux-playground: refresh openldap instructions/example --- apps/fnux-playground/README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apps/fnux-playground/README.md b/apps/fnux-playground/README.md index c406b84..5de1ac4 100644 --- a/apps/fnux-playground/README.md +++ b/apps/fnux-playground/README.md @@ -15,7 +15,8 @@ NOTE: replication with the osixia image is somewhat broken, see: ``` kubectl create secret generic ldap1-openldap --from-literal=LDAP_ADMIN_PASSWORD=secretsecretsectet -helm install ldap1 ./openldap -f ldap1.fnux-playground.yaml +helm install ldap1 ./openldap -f ldapN.fnux-playground.yaml +helm install ldap2 ./openldap -f ldapN.fnux-playground.yaml ``` ## Matrix Synapse