++matrix

2021-07-17 20:12:27 +02:00 · 2021-07-17 20:12:27 +02:00 · e28cb019a5
commit e28cb019a5
parent 034885e016
3 changed files with 73 additions and 8 deletions
--- a/README.md
+++ b/README.md
@ -19,7 +19,7 @@ This project is testing, deploying and using IPv6 only k8s clusters.
 * virtualisation (VMs, kubevirt)
 * network policies
 * prometheus in the cluster
-* argocd (?) for CI and upgrades
+* -argocd (?) for CI and upgrades- using flux
 * Maybe LoadBalancer support (our ClusterIP already does that though)
 * (Other) DNS entrys for services
 * Internal backup / snapshots
@ -138,7 +138,7 @@ We can confirm this on the upstream side, where we also run bird:
 % birdc show route
 BIRD 2.0.7 ready.
 Table master6:
-2a0a:e5c0:13:e1:f4c5:ab65:a67f:53c0/122 unicast [place7-server1 20:04:14.222] * (100) [AS65534i]
+2a0a:e5c0:13:e1:f4c5:ab65:a67f:53c0/122 unicast [place7-srever1 20:04:14.222] * (100) [AS65534i]
 	via 2a0a:e5c0:13:0:225:b3ff:fe20:3554 on eth0
                     unicast [place7-server3 20:04:14.224] (100) [AS65534i]
 	via 2a0a:e5c0:13:0:224:81ff:fee0:db7a on eth0
@ -240,7 +240,30 @@ The [guide for creating HA
 clusters](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/)
 referes to an external load balancer that

+## Secrets

+Handled via https://github.com/mittwald/kubernetes-secret-generator
+
+```
+helm repo add mittwald https://helm.mittwald.de
+helm repo update
+helm upgrade --install kubernetes-secret-generator mittwald/kubernetes-secret-generator
+```
+
+Generating / creating secrets:
+
+```
+apiVersion: v1
+kind: Secret
+metadata:
+  name: string-secret
+  annotations:
+    secret-generator.v1.mittwald.de/autogenerate: password
+data:
+  username: c29tZXVzZXI=
+```
+
+This will add a password into it. Password only will

 ## The IPv4 "problem"

--- a/apps/matrix/Chart.yaml
+++ b/apps/matrix/Chart.yaml
@ -6,7 +6,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
+version: 0.1.1

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/apps/matrix/templates/deployment.yaml
+++ b/apps/matrix/templates/deployment.yaml
@ -24,6 +24,25 @@ spec:
          volumeMounts:
            - name: etcletsencrypt
              mountPath: "/etc/letsencrypt"
+        - name: generate-matrix-signing-key
+          image: matrixdotorg/synapse:v{{ .Values.synapseVersion }}
+          env:
+            - name: SYNAPSE_CONFIG_PATH
+              value: "/config/homeserver.yaml"
+          command:
+            - "python"
+            - "-m"
+            - "synapse.app.homeserver"
+            - "--config-path"
+            - "/config"
+            - "--keys-directory"
+            - "/data"
+            - "--generate-keys"
+          volumeMounts:
+            - name: data
+              mountPath: "/data"
+            - name: matrix-config
+              mountPath: "/config"
      containers:
        # This container will only start *after* the cert has been placed
        - name: nginx
@ -40,7 +59,7 @@ spec:
          ports:
            - containerPort: 5432
          envFrom:
-          - configMapRef:
+          - secretRef:
              name: {{ tpl .Values.identifier . }}-postgres-config
          # Use subpath to avoid lost+found error
          volumeMounts:
@ -52,8 +71,10 @@ spec:
          ports:
            - containerPort: 8008
          env:
-            - name: SYNAPSE_CONFIG_PATH
-              value: "/config/homeserver.yaml"
+            - name: SYNAPSE_CONFIG_DIR
+              value: "/config"
+#            - name: SYNAPSE_CONFIG_PATH
+#              value: "/config/homeserver.yaml"
          volumeMounts:
            - name: data
              mountPath: "/data"
@ -95,6 +116,23 @@ spec:
   use-as-service: {{ .Release.Name }}
 ---
 apiVersion: v1
+kind: Service
+metadata:
+  name: {{ tpl .Values.identifier . }}-web
+  labels:
+    app: {{ tpl .Values.identifier . }}-web
+spec:
+  type: ClusterIP
+  ports:
+   # Required for letsencrypt
+   - port: 80
+     name: http
+   - port: 443
+     name: https
+  selector:
+   use-as-service: {{ .Release.Name }}-web
+---
+apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: {{ tpl .Values.identifier . }}-letsencrypt-certs
@ -192,9 +230,11 @@ data:
    }
 ---
 apiVersion: v1
-kind: ConfigMap
+kind: Secret
 metadata:
  name: {{ tpl .Values.identifier . }}-postgres-config
+  annotations:
+    secret-generator.v1.mittwald.de/autogenerate: POSTGRES_PASSWORD
 data:
  POSTGRES_USER: matrix-synapse
  POSTGRES_DB: matrix-synapse
@ -214,6 +254,8 @@ data:
    allow_public_rooms_over_federation: false

    pid_file: "/var/run/matrix/homeserver.pid"
+    report_stats: false
+    signing_key_path: "/data/signin.key"

    listeners:
      - port: 8008
@ -249,7 +291,7 @@ data:
    log_config: "/config/log.yaml"

    enable_media_repo: true
-    media_store_path: "/data"
+    media_store_path: "/data/media"
    max_upload_size: "{{ .Values.max_filesize_in_mb }}M"
    enable_registration: {{ .Values.enable_registration }}