++matrix

README.md

@@ -19,7 +19,7 @@ This project is testing, deploying and using IPv6 only k8s clusters.
 * virtualisation (VMs, kubevirt)
 * network policies
 * prometheus in the cluster
-* argocd (?) for CI and upgrades
+* -argocd (?) for CI and upgrades- using flux
 * Maybe LoadBalancer support (our ClusterIP already does that though)
 * (Other) DNS entrys for services
 * Internal backup / snapshots
@@ -138,7 +138,7 @@ We can confirm this on the upstream side, where we also run bird:
 % birdc show route
 BIRD 2.0.7 ready.
 Table master6:
-2a0a:e5c0:13:e1:f4c5:ab65:a67f:53c0/122 unicast [place7-server1 20:04:14.222] * (100) [AS65534i]
+2a0a:e5c0:13:e1:f4c5:ab65:a67f:53c0/122 unicast [place7-srever1 20:04:14.222] * (100) [AS65534i]
 	via 2a0a:e5c0:13:0:225:b3ff:fe20:3554 on eth0
                      unicast [place7-server3 20:04:14.224] (100) [AS65534i]
 	via 2a0a:e5c0:13:0:224:81ff:fee0:db7a on eth0
@@ -240,7 +240,30 @@ The [guide for creating HA
 clusters](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/)
 referes to an external load balancer that
 
+## Secrets
 
+Handled via https://github.com/mittwald/kubernetes-secret-generator
+
+```
+helm repo add mittwald https://helm.mittwald.de
+helm repo update
+helm upgrade --install kubernetes-secret-generator mittwald/kubernetes-secret-generator
+```
+
+Generating / creating secrets:
+
+```
+apiVersion: v1
+kind: Secret
+metadata:
+  name: string-secret
+  annotations:
+    secret-generator.v1.mittwald.de/autogenerate: password
+data:
+  username: c29tZXVzZXI=
+```
+
+This will add a password into it. Password only will
 
 ## The IPv4 "problem"
 

apps/matrix/Chart.yaml

@@ -6,7 +6,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
+version: 0.1.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

apps/matrix/templates/deployment.yaml

@@ -24,6 +24,25 @@ spec:
           volumeMounts:
             - name: etcletsencrypt
               mountPath: "/etc/letsencrypt"
+        - name: generate-matrix-signing-key
+          image: matrixdotorg/synapse:v{{ .Values.synapseVersion }}
+          env:
+            - name: SYNAPSE_CONFIG_PATH
+              value: "/config/homeserver.yaml"
+          command:
+            - "python"
+            - "-m"
+            - "synapse.app.homeserver"
+            - "--config-path"
+            - "/config"
+            - "--keys-directory"
+            - "/data"
+            - "--generate-keys"
+          volumeMounts:
+            - name: data
+              mountPath: "/data"
+            - name: matrix-config
+              mountPath: "/config"
       containers:
         # This container will only start *after* the cert has been placed
         - name: nginx
@@ -40,7 +59,7 @@ spec:
           ports:
             - containerPort: 5432
           envFrom:
-          - configMapRef:
+          - secretRef:
               name: {{ tpl .Values.identifier . }}-postgres-config
           # Use subpath to avoid lost+found error
           volumeMounts:
@@ -52,8 +71,10 @@ spec:
           ports:
             - containerPort: 8008
           env:
-            - name: SYNAPSE_CONFIG_PATH
+            - name: SYNAPSE_CONFIG_DIR
-              value: "/config/homeserver.yaml"
+              value: "/config"
+#            - name: SYNAPSE_CONFIG_PATH
+#              value: "/config/homeserver.yaml"
           volumeMounts:
             - name: data
               mountPath: "/data"
@@ -95,6 +116,23 @@ spec:
    use-as-service: {{ .Release.Name }}
 ---
 apiVersion: v1
+kind: Service
+metadata:
+  name: {{ tpl .Values.identifier . }}-web
+  labels:
+    app: {{ tpl .Values.identifier . }}-web
+spec:
+  type: ClusterIP
+  ports:
+   # Required for letsencrypt
+   - port: 80
+     name: http
+   - port: 443
+     name: https
+  selector:
+   use-as-service: {{ .Release.Name }}-web
+---
+apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: {{ tpl .Values.identifier . }}-letsencrypt-certs
@@ -192,9 +230,11 @@ data:
     }
 ---
 apiVersion: v1
-kind: ConfigMap
+kind: Secret
 metadata:
   name: {{ tpl .Values.identifier . }}-postgres-config
+  annotations:
+    secret-generator.v1.mittwald.de/autogenerate: POSTGRES_PASSWORD
 data:
   POSTGRES_USER: matrix-synapse
   POSTGRES_DB: matrix-synapse
@@ -214,6 +254,8 @@ data:
     allow_public_rooms_over_federation: false
 
     pid_file: "/var/run/matrix/homeserver.pid"
+    report_stats: false
+    signing_key_path: "/data/signin.key"
 
     listeners:
       - port: 8008
@@ -249,7 +291,7 @@ data:
     log_config: "/config/log.yaml"
 
     enable_media_repo: true
-    media_store_path: "/data"
+    media_store_path: "/data/media"
     max_upload_size: "{{ .Values.max_filesize_in_mb }}M"
     enable_registration: {{ .Values.enable_registration }}