[k8s] update matrix resource for Task#10078

This commit is contained in:
root 2021-12-28 14:37:05 +01:00
parent b0cb84f2a8
commit 7abff0ee98
18 changed files with 3622 additions and 0 deletions

View file

@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

View file

@ -0,0 +1,15 @@
apiVersion: v2
name: ungleich-matrix
description: ungleich managed matrix
type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.1
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "1.38.0"

81
apps/dev/matrix/README.md Normal file
View file

@ -0,0 +1,81 @@
## Usage and Components
Note: as of 2021-12-25 this chart is available internally as apps/prod/matrix.
### Sample usage
Setting up matrix for ...
- the matrix domain "fn.nf"
- the homeserver matrix.fnnf.svc.p10.k8s.ooo
- element web on m.fn.nf
Using automatic DNS from the p10.k8s.ooo cluster:
```
helm upgrade --install --create-namespace --namespace fnnf \
--set homeServerFQDN=fn.nf,elementWebFQDN=m.fn.nf,letsencryptStaging=no,clusterDomain=p10.k8s.ooo matrix matrix/
```
Setting up matrix.fn.nf in DNS
```
matrix CNAME matrix-element-web.fnnf.svc.p10.k8s.ooo.
```
Creating the two json files
* /.well-known/matrix/server and
* /.well-known/matrix/client
on the fn.nf web server using the samples:
```
% curl -Ls https://m.fn.nf/.well-known/matrix/server > server
% curl -Ls https://m.fn.nf/.well-known/matrix/client > client
```
And finally creating a user:
```
kubectl -n fnnf exec -ti matrix-matrix-synapse-864c4bfb4-4h4cn -c synapse -- register_new_matrix_user http://localhost:8008 -c /config/homeserver.yaml -u admin -p ... -a
```
### Element-Web
* Includes config.json that is being populated by values.yaml
* Includes nginx on port localhost:8080 (http)
* Includes nginx proxy on port 80+443 (http redirect, https)
The service is reachable as `{{ .Release.Name }}-element-web`.
### Synapse
* homeserver.yaml is created from a ConfigMap in /config-ro
* homeserver.yaml is edited using sed to add the postgres password and
stored in /config/homeserver.yaml
* Logging configured to stdout
The service is reachable as `{{ .Release.Name }}`.
### Postgres
Tuned with `--no-locale --encoding=UTF8` using `POSTGRES_INITDB_ARGS` (required by synapse).
The service is reachable as `{{ .Release.Name }}-postgres`.
See
* https://www.postgresql.org/docs/9.5/app-initdb.html
* https://hub.docker.com/_/postgres
* https://github.com/matrix-org/synapse/blob/develop/docs/postgres.md
## Missing
- SMTP settings / secrets (ungleich mail + sops?)
### admin user
docker exec -it synapse register_new_matrix_user http://localhost:8008 -c /data/homeserver.yaml --help
### Resource configuration

View file

@ -0,0 +1,34 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ tpl .Values.elementWebFQDN . }};
ssl_certificate /etc/letsencrypt/live/{{ tpl .Values.elementWebFQDN . }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ tpl .Values.elementWebFQDN . }}/privkey.pem;
client_max_body_size {{ .Values.max_filesize_in_mb}}m;
location /.well-known/matrix/server {
default_type application/json;
return 200 '{"m.server": "{{ tpl .Values.synapseFQDN . }}:443" }';
}
location /.well-known/matrix/client {
default_type application/json;
return 200 '{ "m.homeserver": { "base_url": "https://{{ tpl .Values.synapseFQDN . }}" } }';
}
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "frame-ancestors 'none'";
proxy_pass http://localhost:8080;
}
}

View file

@ -0,0 +1,17 @@
server {
listen 127.0.0.1:8080;
listen [::1]:8080;
server_name localhost;
root /usr/share/nginx/html;
index index.html;
# Set no-cache for the index.html only so that browsers always check for a new copy of Element Web.
location = /index.html {
add_header Cache-Control "no-cache";
}
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
}

View file

@ -0,0 +1,52 @@
{
"default_server_config": {
"m.homeserver": {
"base_url": "https://{{ tpl .Values.synapseFQDN . }}",
"server_name": "{{ tpl .Values.homeServerFQDN . }}"
},
"m.identity_server": {
"base_url": "https://vector.im"
}
},
"disable_custom_urls": false,
"disable_guests": false,
"disable_login_language_selector": false,
"disable_3pid_login": false,
"brand": "Element",
"integrations_ui_url": "https://scalar.vector.im/",
"integrations_rest_url": "https://scalar.vector.im/api",
"integrations_widgets_urls": [
"https://scalar.vector.im/_matrix/integrations/v1",
"https://scalar.vector.im/api",
"https://scalar-staging.vector.im/_matrix/integrations/v1",
"https://scalar-staging.vector.im/api",
"https://scalar-staging.riot.im/scalar/api"
],
"bug_report_endpoint_url": "https://element.io/bugreports/submit",
"defaultCountryCode": "GB",
"showLabsSettings": false,
"features": { },
"default_federate": true,
"default_theme": "light",
"roomDirectory": {
"servers": [
"{{ tpl .Values.homeServerFQDN . }}"
]
},
"piwik": {
"url": "https://piwik.riot.im/",
"whitelistedHSUrls": ["https://matrix.org"],
"whitelistedISUrls": ["https://vector.im", "https://matrix.org"],
"siteId": 1
},
"enable_presence_by_hs_url": {
"https://matrix.org": false,
"https://matrix-client.matrix.org": false
},
"settingDefaults": {
"breadcrumbs": true
},
"jitsi": {
"preferredDomain": "jitsi.riot.im"
}
}

View file

@ -0,0 +1,28 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ tpl .Values.synapseFQDN . }};
ssl_certificate /etc/letsencrypt/live/{{ tpl .Values.synapseFQDN . }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ tpl .Values.synapseFQDN . }}/privkey.pem;
client_max_body_size {{ .Values.max_filesize_in_mb}}m;
location /.well-known/matrix/server {
default_type application/json;
return 200 '{"m.server": "{{ tpl .Values.synapseFQDN . }}:443" }';
}
location /.well-known/matrix/client {
default_type application/json;
return 200 '{ "m.homeserver": { "base_url": "https://{{ tpl .Values.synapseFQDN . }}" } }';
}
location ~ /_matrix|/_synapse {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://localhost:8008;
}
}

File diff suppressed because it is too large Load diff

View file

@ -0,0 +1,27 @@
version: 1
formatters:
fmt:
format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s- %(message)s'
filters:
context:
(): synapse.logging.context.LoggingContextFilter
request: ""
handlers:
console:
class: logging.StreamHandler
formatter: fmt
filters: [context]
root:
level: INFO
handlers: [console] # to use file handler instead, switch to [file]
loggers:
synapse:
level: INFO
synapse.storage.SQL:
level: INFO

View file

@ -0,0 +1,10 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Release.Name }}-element-web
labels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: matrix-element-web
data:
{{ tpl (.Files.Glob "element-web/*").AsConfig . | indent 2 }}

View file

@ -0,0 +1,10 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Release.Name }}-element-web-nginx-proxy
labels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: matrix-element-web-proxy
data:
{{ tpl (.Files.Glob "element-web-nginx-proxy/*").AsConfig . | indent 2 }}

View file

@ -0,0 +1,113 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Release.Name }}-matrix-element-web
spec:
selector:
matchLabels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: matrix-element-web
replicas: 1
strategy:
type: Recreate
template:
metadata:
labels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: matrix-element-web
annotations:
checksum/config: {{ include (print $.Template.BasePath "/element-web-proxy.yaml") . | sha256sum }}
checksum/config: {{ include (print $.Template.BasePath "/element-web-conf.yaml") . | sha256sum }}
spec:
containers:
- name: nginx
image: ungleich/ungleich-certbot:1.1.1
ports:
- containerPort: 443
name: https
- containerPort: 80
name: http
env:
- name: DOMAIN
value: "{{ tpl .Values.elementWebFQDN . }}"
- name: EMAIL
value: "{{ .Values.email }}"
{{ if eq .Values.letsencryptStaging "no" }}
- name: STAGING
value: "no"
{{ end }}
volumeMounts:
- name: nginx-config-proxy
mountPath: "/nginx-configs"
- name: etcletsencrypt
mountPath: "/etc/letsencrypt"
resources:
requests:
memory: "64Mi"
cpu: "100m"
limits:
memory: "128Mi"
cpu: "200m"
- name: element-web
command: ["nginx", "-g", "daemon off;" ]
image: vectorim/element-web:{{ .Values.elementWebVersion }}
ports:
- containerPort: 8080
volumeMounts:
- name: nginx-config
mountPath: "/etc/nginx/conf.d/"
- name: elementwebconfig
mountPath: "/usr/share/nginx/html/config.json"
subPath: config.json
resources:
requests:
memory: "64Mi"
cpu: "100m"
limits:
memory: "128Mi"
cpu: "200m"
volumes:
- name: nginx-config
configMap:
name: {{ .Release.Name }}-element-web-nginx
- name: nginx-config-proxy
configMap:
name: {{ .Release.Name }}-element-web-nginx-proxy
- name: elementwebconfig
configMap:
name: {{ .Release.Name }}-element-web
- name: etcletsencrypt
persistentVolumeClaim:
claimName: {{ .Release.Name }}-element-web-letsencrypt-certs
---
apiVersion: v1
kind: Service
metadata:
name: {{ .Release.Name }}-element-web
labels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: matrix-element-web
spec:
type: ClusterIP
ports:
- port: 80
name: http
- port: 443
name: https
selector:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: matrix-element-web
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Release.Name }}-element-web-nginx
labels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: matrix-element-web
data:
{{ tpl (.Files.Glob "element-web-nginx/*").AsConfig . | indent 2 }}

View file

@ -0,0 +1,76 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Release.Name }}-postgres
labels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: postgres
spec:
selector:
matchLabels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: postgres
replicas: 1
strategy:
type: Recreate
template:
metadata:
labels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: postgres
spec:
containers:
- name: postgres
image: postgres:14
ports:
- containerPort: 5432
envFrom:
- secretRef:
name: {{ .Release.Name }}-postgres-config
volumeMounts:
- name: postgres-data
mountPath: "/var/lib/postgresql/data"
subPath: postgres
resources:
requests:
memory: {{.Values.resources.postgres.requests.memory }}
cpu: {{.Values.resources.postgres.requests.cpu}}
limits:
memory: {{.Values.resources.postgres.limits.memory}}
cpu: {{.Values.resources.postgres.limits.cpu}}
volumes:
- name: postgres-data
persistentVolumeClaim:
claimName: {{ .Release.Name }}-postgres-data
---
apiVersion: v1
kind: Service
metadata:
name: {{ .Release.Name }}-postgres
labels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: postgres
spec:
type: ClusterIP
ports:
- port: 5432
name: postgres
selector:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: postgres
---
apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}-postgres-config
annotations:
secret-generator.v1.mittwald.de/autogenerate: POSTGRES_PASSWORD
hosting: {{ .Release.Name }}
labels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: postgres
stringData:
POSTGRES_USER: "{{ .Values.postgresUser }}"
POSTGRES_DB: "{{ .Values.postgresDBName }}"
POSTGRES_INITDB_ARGS: "--no-locale --encoding=UTF8"

View file

@ -0,0 +1,47 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ .Release.Name }}-element-web-letsencrypt-certs
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: {{ .Values.storage.letsencrypt.size }}
storageClassName: {{ .Values.storage.letsencrypt.storageClass }}
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ .Release.Name }}-synapse-letsencrypt-certs
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: {{ .Values.storage.letsencrypt.size }}
storageClassName: {{ .Values.storage.letsencrypt.storageClass }}
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ .Release.Name }}-data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: {{ .Values.storage.data.size }}
storageClassName: {{ .Values.storage.data.storageClass }}
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ .Release.Name }}-postgres-data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: {{ .Values.storage.db.size }}
storageClassName: {{ .Values.storage.db.storageClass }}

View file

@ -0,0 +1,10 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Release.Name }}-synapse-conf
labels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: synapse
data:
{{ tpl (.Files.Glob "synapse/*").AsConfig . | indent 2 }}

View file

@ -0,0 +1,10 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Release.Name }}-synapse-nginx-proxy
labels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: synapse-nginx
data:
{{ tpl (.Files.Glob "synapse-nginx/*").AsConfig . | indent 2 }}

View file

@ -0,0 +1,128 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Release.Name }}-matrix-synapse
spec:
selector:
matchLabels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: matrix-synapse
replicas: 1
strategy:
type: Recreate
template:
metadata:
labels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: matrix-synapse
annotations:
checksum/config: {{ include (print $.Template.BasePath "/synapse-proxy.yaml") . | sha256sum }}
checksum/config: {{ include (print $.Template.BasePath "/synapse-conf.yaml") . | sha256sum }}
spec:
initContainers:
- name: generate-matrix-signing-key
image: matrixdotorg/synapse:{{ .Values.synapseVersion }}
command:
- "python"
- "-m"
- "synapse.app.homeserver"
- "--config-path"
- "/config-ro"
- "--keys-directory"
- "/data"
- "--generate-keys"
volumeMounts:
- name: data
mountPath: "/data"
- name: synapse-conf
mountPath: "/config-ro"
containers:
- name: nginx
image: ungleich/ungleich-certbot:1.1.1
ports:
- containerPort: 443
name: https
- containerPort: 80
name: http
env:
- name: DOMAIN
value: "{{ tpl .Values.synapseFQDN . }}"
- name: EMAIL
value: "{{ .Values.email }}"
{{ if eq .Values.letsencryptStaging "no" }}
- name: STAGING
value: "no"
{{ end }}
volumeMounts:
- name: nginx-config
mountPath: "/nginx-configs"
- name: etcletsencrypt
mountPath: "/etc/letsencrypt"
resources:
requests:
memory: "64Mi"
cpu: "100m"
limits:
memory: "128Mi"
cpu: "200m"
- name: synapse
image: matrixdotorg/synapse:{{ .Values.synapseVersion }}
command:
- sh
- -c
- "mkdir -p /config; sed \"s,SECRETPOSTGRESPASSWORD,$POSTGRES_PW,\" /config-ro/homeserver.yaml > /config/homeserver.yaml && /start.py run"
ports:
- containerPort: 8008
env:
- name: SYNAPSE_CONFIG_PATH
value: "/config/homeserver.yaml"
- name: SYNAPSE_CONFIG_DIR
value: "/config"
- name: POSTGRES_PW
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-postgres-config
key: POSTGRES_PASSWORD
volumeMounts:
- name: data
mountPath: "/data"
- name: synapse-conf
mountPath: "/config-ro"
resources:
requests:
memory: {{.Values.resources.synapse.requests.memory }}
cpu: {{.Values.resources.synapse.requests.cpu}}
limits:
memory: {{.Values.resources.synapse.limits.memory}}
cpu: {{.Values.resources.synapse.limits.cpu}}
volumes:
- name: etcletsencrypt
persistentVolumeClaim:
claimName: {{ .Release.Name }}-synapse-letsencrypt-certs
- name: data
persistentVolumeClaim:
claimName: {{ .Release.Name }}-data
- name: nginx-config
configMap:
name: {{ .Release.Name }}-synapse-nginx-proxy
- name: synapse-conf
configMap:
name: {{ .Release.Name }}-synapse-conf
---
apiVersion: v1
kind: Service
metadata:
name: {{ .Release.Name }}
labels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: matrix-synapse
spec:
type: ClusterIP
ports:
- port: 80
name: http
- port: 443
name: https
selector:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: matrix-synapse

View file

@ -0,0 +1,45 @@
clusterDomain: c2.k8s.ooo
email: technik@ungleich.ch
letsencryptStaging: "yes"
enable_registration: false
# Maximum size of one particular file
max_filesize_in_mb: 100
elementWebVersion: "v1.9.8"
synapseVersion: "v1.49.2"
elementWebFQDN: "{{ .Release.Name }}-element-web.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}"
synapseFQDN: "{{ .Release.Name }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}"
homeServerFQDN: "{{ .Release.Name }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}"
postgresUser: "matrix-synapse"
postgresDBName: "matrix-synapse"
storage:
data:
size: 20Gi
storageClass: rook-cephfs
db:
size: 20Gi
storageClass: rook-cephfs
letsencrypt:
size: 50Mi
storageClass: rook-cephfs
resources:
postgres:
requests:
memory: "1280Mi"
cpu: "100m"
limits:
memory: "1280Mi"
cpu: "200m"
synapse:
requests:
memory: "512Mi"
cpu: "400m"
limits:
memory: "512Mi"
cpu: "800m"