From e28cb019a5cc457ec508aba856448d73d1e9d4b3 Mon Sep 17 00:00:00 2001 From: Nico Schottelius Date: Sat, 17 Jul 2021 20:12:27 +0200 Subject: [PATCH] ++matrix --- README.md | 27 ++++++++++++-- apps/matrix/Chart.yaml | 2 +- apps/matrix/templates/deployment.yaml | 52 ++++++++++++++++++++++++--- 3 files changed, 73 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index d63af1f..5acb5f3 100644 --- a/README.md +++ b/README.md @@ -19,7 +19,7 @@ This project is testing, deploying and using IPv6 only k8s clusters. * virtualisation (VMs, kubevirt) * network policies * prometheus in the cluster -* argocd (?) for CI and upgrades +* -argocd (?) for CI and upgrades- using flux * Maybe LoadBalancer support (our ClusterIP already does that though) * (Other) DNS entrys for services * Internal backup / snapshots @@ -138,7 +138,7 @@ We can confirm this on the upstream side, where we also run bird: % birdc show route BIRD 2.0.7 ready. Table master6: -2a0a:e5c0:13:e1:f4c5:ab65:a67f:53c0/122 unicast [place7-server1 20:04:14.222] * (100) [AS65534i] +2a0a:e5c0:13:e1:f4c5:ab65:a67f:53c0/122 unicast [place7-srever1 20:04:14.222] * (100) [AS65534i] via 2a0a:e5c0:13:0:225:b3ff:fe20:3554 on eth0 unicast [place7-server3 20:04:14.224] (100) [AS65534i] via 2a0a:e5c0:13:0:224:81ff:fee0:db7a on eth0 @@ -240,7 +240,30 @@ The [guide for creating HA clusters](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) referes to an external load balancer that +## Secrets +Handled via https://github.com/mittwald/kubernetes-secret-generator + +``` +helm repo add mittwald https://helm.mittwald.de +helm repo update +helm upgrade --install kubernetes-secret-generator mittwald/kubernetes-secret-generator +``` + +Generating / creating secrets: + +``` +apiVersion: v1 +kind: Secret +metadata: + name: string-secret + annotations: + secret-generator.v1.mittwald.de/autogenerate: password +data: + username: c29tZXVzZXI= +``` + +This will add a password into it. Password only will ## The IPv4 "problem" diff --git a/apps/matrix/Chart.yaml b/apps/matrix/Chart.yaml index 5512e73..35268ab 100644 --- a/apps/matrix/Chart.yaml +++ b/apps/matrix/Chart.yaml @@ -6,7 +6,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.0 +version: 0.1.1 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/apps/matrix/templates/deployment.yaml b/apps/matrix/templates/deployment.yaml index 0aa4838..7e22837 100644 --- a/apps/matrix/templates/deployment.yaml +++ b/apps/matrix/templates/deployment.yaml @@ -24,6 +24,25 @@ spec: volumeMounts: - name: etcletsencrypt mountPath: "/etc/letsencrypt" + - name: generate-matrix-signing-key + image: matrixdotorg/synapse:v{{ .Values.synapseVersion }} + env: + - name: SYNAPSE_CONFIG_PATH + value: "/config/homeserver.yaml" + command: + - "python" + - "-m" + - "synapse.app.homeserver" + - "--config-path" + - "/config" + - "--keys-directory" + - "/data" + - "--generate-keys" + volumeMounts: + - name: data + mountPath: "/data" + - name: matrix-config + mountPath: "/config" containers: # This container will only start *after* the cert has been placed - name: nginx @@ -40,7 +59,7 @@ spec: ports: - containerPort: 5432 envFrom: - - configMapRef: + - secretRef: name: {{ tpl .Values.identifier . }}-postgres-config # Use subpath to avoid lost+found error volumeMounts: @@ -52,8 +71,10 @@ spec: ports: - containerPort: 8008 env: - - name: SYNAPSE_CONFIG_PATH - value: "/config/homeserver.yaml" + - name: SYNAPSE_CONFIG_DIR + value: "/config" +# - name: SYNAPSE_CONFIG_PATH +# value: "/config/homeserver.yaml" volumeMounts: - name: data mountPath: "/data" @@ -95,6 +116,23 @@ spec: use-as-service: {{ .Release.Name }} --- apiVersion: v1 +kind: Service +metadata: + name: {{ tpl .Values.identifier . }}-web + labels: + app: {{ tpl .Values.identifier . }}-web +spec: + type: ClusterIP + ports: + # Required for letsencrypt + - port: 80 + name: http + - port: 443 + name: https + selector: + use-as-service: {{ .Release.Name }}-web +--- +apiVersion: v1 kind: PersistentVolumeClaim metadata: name: {{ tpl .Values.identifier . }}-letsencrypt-certs @@ -192,9 +230,11 @@ data: } --- apiVersion: v1 -kind: ConfigMap +kind: Secret metadata: name: {{ tpl .Values.identifier . }}-postgres-config + annotations: + secret-generator.v1.mittwald.de/autogenerate: POSTGRES_PASSWORD data: POSTGRES_USER: matrix-synapse POSTGRES_DB: matrix-synapse @@ -214,6 +254,8 @@ data: allow_public_rooms_over_federation: false pid_file: "/var/run/matrix/homeserver.pid" + report_stats: false + signing_key_path: "/data/signin.key" listeners: - port: 8008 @@ -249,7 +291,7 @@ data: log_config: "/config/log.yaml" enable_media_repo: true - media_store_path: "/data" + media_store_path: "/data/media" max_upload_size: "{{ .Values.max_filesize_in_mb }}M" enable_registration: {{ .Values.enable_registration }}