diff --git a/envs/minikube/env-data.ytt.yaml b/envs/minikube/env-data.ytt.yaml index 5a0d096..43bf70c 100644 --- a/envs/minikube/env-data.ytt.yaml +++ b/envs/minikube/env-data.ytt.yaml @@ -14,6 +14,8 @@ environment: - proto: metrics-server - proto: grafana - proto: ocis + - proto: matrix-synapse + - proto: element-web cluster: domain: minikube diff --git a/envs/production/env-data.ytt.yaml b/envs/production/env-data.ytt.yaml index f884d68..2caa677 100644 --- a/envs/production/env-data.ytt.yaml +++ b/envs/production/env-data.ytt.yaml @@ -18,6 +18,8 @@ environment: - proto: cloudnative-pg - proto: metrics-server - proto: ocis + - proto: matrix-synapse + - proto: element-web cluster: domain: tr1ceracop.de diff --git a/prototypes/element-web/app-data.ytt.yaml b/prototypes/element-web/app-data.ytt.yaml new file mode 100644 index 0000000..0f49017 --- /dev/null +++ b/prototypes/element-web/app-data.ytt.yaml @@ -0,0 +1,6 @@ +#@data/values-schema +--- +#@overlay/match-child-defaults missing_ok=True +application: + namespace: matrix + subdomain: matrix diff --git a/prototypes/element-web/argocd/destination-namespace.overlay.ytt.yaml b/prototypes/element-web/argocd/destination-namespace.overlay.ytt.yaml new file mode 100644 index 0000000..cd2916a --- /dev/null +++ b/prototypes/element-web/argocd/destination-namespace.overlay.ytt.yaml @@ -0,0 +1,8 @@ +#@ load("@ytt:overlay", "overlay") +#@ load("@ytt:data", "data") + +#@overlay/match by=overlay.all, expects="1+" +--- +spec: + destination: + namespace: #@ data.values.application.namespace diff --git a/prototypes/element-web/helm/element-web.ytt.yaml b/prototypes/element-web/helm/element-web.ytt.yaml new file mode 100644 index 0000000..d9ecd29 --- /dev/null +++ b/prototypes/element-web/helm/element-web.ytt.yaml 
@@ -0,0 +1,40 @@ +#@ load("@ytt:data", "data") +#@ host = data.values.application.subdomain + "." + data.values.cluster.domain +--- +defaultServer: + url: #@ "https://" + host + name: #@ host + +ingress: + enabled: true + className: #@ data.values.cluster.ingress.className + annotations: + cert-manager.io/cluster-issuer: #@ data.values.cluster.tls.issuer + hosts: + - #@ host + tls: + - secretName: matrix-tls + hosts: + - #@ host + +resources: + requests: + cpu: 10m + memory: 32Mi + limits: + memory: 64Mi + +podSecurityContext: + runAsNonRoot: true + runAsUser: 101 + runAsGroup: 101 + fsGroup: 101 + seccompProfile: + type: RuntimeDefault + +securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: false + capabilities: + drop: + - ALL diff --git a/prototypes/element-web/vendir/base.ytt.yaml b/prototypes/element-web/vendir/base.ytt.yaml new file mode 100644 index 0000000..530cdb0 --- /dev/null +++ b/prototypes/element-web/vendir/base.ytt.yaml @@ -0,0 +1,16 @@ +#@ load("@ytt:data", "data") + +#@ app = data.values.application +--- +apiVersion: vendir.k14s.io/v1alpha1 +kind: Config +directories: + - path: #@ "charts/" + app.name + contents: + - path: . + helmChart: + name: #@ app.name + version: #@ app.version + repository: + url: #@ app.url + lazy: true diff --git a/prototypes/element-web/vendir/vendir-data.ytt.yaml b/prototypes/element-web/vendir/vendir-data.ytt.yaml new file mode 100644 index 0000000..a3f1668 --- /dev/null +++ b/prototypes/element-web/vendir/vendir-data.ytt.yaml @@ -0,0 +1,7 @@ +#@data/values-schema +--- +#@overlay/match-child-defaults missing_ok=True +application: + name: element-web + url: https://gitlab.com/api/v4/projects/12378663/packages/helm/stable + version: 1.4.36 diff --git a/prototypes/element-web/ytt/ns.ytt.yaml b/prototypes/element-web/ytt/ns.ytt.yaml new file mode 100644 index 0000000..e6c1457 --- /dev/null +++ b/prototypes/element-web/ytt/ns.ytt.yaml 
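Review bot: `host` is `matrix.<cluster domain>` for both `defaultServer.url` and the ingress host, and the synapse prototype uses the same subdomain, so Element Web is served from the same origin as the homeserver (the rendered ingresses route `/` to element-web and `/_matrix`, `/_synapse` to synapse on one hostname, sharing the `matrix-tls` secret). Element's own deployment notes warn against exactly this: anything Synapse serves under that origin — user-uploaded media in particular — shares it with Element's browser session storage, so a malicious upload can become session/token theft. Give the client its own hostname: `subdomain: element` in app-data, and here derive the homeserver separately with `#@ homeserver = "matrix." + data.values.cluster.domain`, `url: #@ "https://" + homeserver`, `name: #@ homeserver`, plus an ingress `tls.secretName` of its own (e.g. `element-tls`) instead of sharing `matrix-tls` with the synapse Ingress. Separately, the rendered Deployment mounts the `element-web-nginx` ConfigMap with `subPath: config.json` while that ConfigMap's only key is `default.conf`, so the hardening headers it defines may never reach nginx; that looks like chart behaviour rather than this file, but it is worth confirming in a running pod.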
@@ -0,0 +1,10 @@ +#@ load("@ytt:data", "data") +#@ load("@ytt:overlay", "overlay") + +#@ ns = data.values.application.namespace + +#@overlay/match by=overlay.all, expects="1+" +--- +metadata: + #@overlay/match missing_ok=True + namespace: #@ ns diff --git a/prototypes/matrix-synapse/app-data.ytt.yaml b/prototypes/matrix-synapse/app-data.ytt.yaml new file mode 100644 index 0000000..0f49017 --- /dev/null +++ b/prototypes/matrix-synapse/app-data.ytt.yaml @@ -0,0 +1,6 @@ +#@data/values-schema +--- +#@overlay/match-child-defaults missing_ok=True +application: + namespace: matrix + subdomain: matrix diff --git a/prototypes/matrix-synapse/argocd/destination-namespace.overlay.ytt.yaml b/prototypes/matrix-synapse/argocd/destination-namespace.overlay.ytt.yaml new file mode 100644 index 0000000..cd2916a --- /dev/null +++ b/prototypes/matrix-synapse/argocd/destination-namespace.overlay.ytt.yaml @@ -0,0 +1,8 @@ +#@ load("@ytt:overlay", "overlay") +#@ load("@ytt:data", "data") + +#@overlay/match by=overlay.all, expects="1+" +--- +spec: + destination: + namespace: #@ data.values.application.namespace diff --git a/prototypes/matrix-synapse/helm/matrix-synapse.ytt.yaml b/prototypes/matrix-synapse/helm/matrix-synapse.ytt.yaml new file mode 100644 index 0000000..05005a0 --- /dev/null +++ b/prototypes/matrix-synapse/helm/matrix-synapse.ytt.yaml 
@@ -0,0 +1,111 @@ +#@ load("@ytt:data", "data") +#@ host = data.values.application.subdomain + "." + data.values.cluster.domain +--- +argoCD: true + +serverName: #@ host +publicServerName: #@ host + +image: + repository: ghcr.io/element-hq/synapse + +config: + reportStats: false + enableRegistration: false + publicBaseurl: #@ "https://" + host + #! Placeholders kept stable across renders so the chart-managed Secret + #! does not drift in ArgoCD. The real values live in `synapse-secrets` + #! (mittwald-generated) and are written to conf.d/zz-overrides.yaml at + #! pod startup via synapse.extraCommands, overriding these. + registrationSharedSecret: overridden-by-zz-overrides + macaroonSecretKey: overridden-by-zz-overrides + +signingkey: + job: + enabled: false + existingSecret: synapse-signing-key + existingSecretKey: signing.key + +postgresql: + enabled: false + +externalPostgresql: + host: synapse-cnpg-rw.matrix.svc + port: 5432 + username: synapse + database: synapse + existingSecret: synapse-cnpg-app + existingSecretPasswordKey: password + sslmode: disable + +redis: + enabled: false + usePassword: false + password: ~ + auth: + enabled: false + password: ~ + +externalRedis: + host: redis.matrix.svc + port: 6379 + password: ~ + +persistence: + enabled: true + storageClass: #@ data.values.cluster.storageClass.block + accessMode: ReadWriteOnce + size: 10Gi + +service: + type: ClusterIP + port: 8008 + +ingress: + enabled: true + className: #@ data.values.cluster.ingress.className + annotations: + cert-manager.io/cluster-issuer: #@ data.values.cluster.tls.issuer + tls: + - secretName: matrix-tls + hosts: + - #@ host + +wellknown: + enabled: false + +synapse: + strategy: + type: Recreate + resources: + requests: + cpu: 100m + memory: 256Mi + limits: + memory: 512Mi + podSecurityContext: + runAsNonRoot: true + runAsUser: 991 + runAsGroup: 991 + fsGroup: 991 + seccompProfile: + type: RuntimeDefault + securityContext: + allowPrivilegeEscalation: false + capabilities: + 
drop: + - ALL + extraVolumes: + - name: synapse-secrets + secret: + secretName: synapse-secrets + extraVolumeMounts: + - name: synapse-secrets + mountPath: /synapse/extra-secrets + readOnly: true + extraCommands: + - 'i=0; while [ ! -s /synapse/extra-secrets/registration_shared_secret ] && [ $i -lt 60 ]; do echo "waiting for synapse-secrets"; sleep 2; i=$((i+1)); done' + - 'printf ''registration_shared_secret: "%s"\nmacaroon_secret_key: "%s"\nform_secret: "%s"\n'' "$(cat /synapse/extra-secrets/registration_shared_secret)" "$(cat /synapse/extra-secrets/macaroon_secret_key)" "$(cat /synapse/extra-secrets/form_secret)" > /synapse/config/conf.d/zz-overrides.yaml' + +serviceAccount: + create: true diff --git a/prototypes/matrix-synapse/vendir/base.ytt.yaml b/prototypes/matrix-synapse/vendir/base.ytt.yaml new file mode 100644 index 0000000..530cdb0 --- /dev/null +++ b/prototypes/matrix-synapse/vendir/base.ytt.yaml @@ -0,0 +1,16 @@ +#@ load("@ytt:data", "data") + +#@ app = data.values.application +--- +apiVersion: vendir.k14s.io/v1alpha1 +kind: Config +directories: + - path: #@ "charts/" + app.name + contents: + - path: . + helmChart: + name: #@ app.name + version: #@ app.version + repository: + url: #@ app.url + lazy: true diff --git a/prototypes/matrix-synapse/vendir/vendir-data.ytt.yaml b/prototypes/matrix-synapse/vendir/vendir-data.ytt.yaml new file mode 100644 index 0000000..a5b980a --- /dev/null +++ b/prototypes/matrix-synapse/vendir/vendir-data.ytt.yaml @@ -0,0 +1,7 @@ +#@data/values-schema +--- +#@overlay/match-child-defaults missing_ok=True +application: + name: matrix-synapse + url: https://gitlab.com/api/v4/projects/12378663/packages/helm/stable + version: 3.12.26 diff --git a/prototypes/matrix-synapse/ytt/cnpg-cluster.ytt.yaml b/prototypes/matrix-synapse/ytt/cnpg-cluster.ytt.yaml new file mode 100644 index 0000000..00482d6 --- /dev/null +++ b/prototypes/matrix-synapse/ytt/cnpg-cluster.ytt.yaml 
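Review bot: `externalPostgresql.sslmode: disable` switches off TLS to CloudNativePG even though CNPG provisions server certificates out of the box, so the DB password taken from `synapse-cnpg-app` and all room data cross the pod network in clear; set `sslmode: require` at minimum, or `verify-full` with the cluster CA if the chart lets you mount it. The `extraCommands` wait loop also falls through silently after 60 × 2 s: `cat` then fails and `zz-overrides.yaml` is written with empty strings, so Synapse comes up with empty `registration_shared_secret`/`macaroon_secret_key`/`form_secret` values instead of the pod failing. Add a hard check after the loop, `[ -s /synapse/extra-secrets/registration_shared_secret ] || { echo "synapse-secrets missing"; exit 1; }`, and note in the existing comment that `overridden-by-zz-overrides` is a git-visible string that must never survive as the live `registration_shared_secret`. The `synapse-cnpg-rw.matrix.svc` and `redis.matrix.svc` hosts also hard-code the `matrix` namespace that every other manifest derives from `data.values.application.namespace`; build them in ytt (`#@ "synapse-cnpg-rw." + data.values.application.namespace + ".svc"`) so the two cannot drift.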
@@ -0,0 +1,40 @@ +#@ load("@ytt:data", "data") + +#@ ns = data.values.application.namespace + +--- +apiVersion: postgresql.cnpg.io/v1 +kind: Cluster +metadata: + name: synapse-cnpg + namespace: #@ ns + annotations: + argocd.argoproj.io/sync-wave: "-1" +spec: + instances: 1 + + bootstrap: + initdb: + database: synapse + owner: synapse + localeCollate: C + localeCType: C + + storage: + size: 5Gi + storageClass: #@ data.values.cluster.storageClass.block + + resources: + requests: + cpu: 50m + memory: 64Mi + limits: + memory: 128Mi + + postgresql: + parameters: + shared_buffers: "32MB" + effective_cache_size: "96MB" + work_mem: "4MB" + maintenance_work_mem: "32MB" + max_connections: "30" diff --git a/prototypes/matrix-synapse/ytt/ns.ytt.yaml b/prototypes/matrix-synapse/ytt/ns.ytt.yaml new file mode 100644 index 0000000..0fb5789 --- /dev/null +++ b/prototypes/matrix-synapse/ytt/ns.ytt.yaml @@ -0,0 +1,20 @@ +#@ load("@ytt:data", "data") +#@ load("@ytt:overlay", "overlay") + +#@ ns = data.values.application.namespace + +--- +apiVersion: v1 +kind: Namespace +metadata: + name: #@ ns + annotations: + argocd.argoproj.io/sync-wave: "-3" + labels: + pod-security.kubernetes.io/enforce: restricted + +#@overlay/match by=overlay.all, expects="1+" +--- +metadata: + #@overlay/match missing_ok=True + namespace: #@ ns diff --git a/prototypes/matrix-synapse/ytt/random-secrets.ytt.yaml b/prototypes/matrix-synapse/ytt/random-secrets.ytt.yaml new file mode 100644 index 0000000..658b612 --- /dev/null +++ b/prototypes/matrix-synapse/ytt/random-secrets.ytt.yaml @@ -0,0 +1,15 @@ +#@ load("@ytt:data", "data") + +#@ ns = data.values.application.namespace + +--- +apiVersion: v1 +kind: Secret +metadata: + name: synapse-secrets + namespace: #@ ns + annotations: + argocd.argoproj.io/sync-wave: "-2" + secret-generator.v1.mittwald.de/autogenerate: registration_shared_secret,macaroon_secret_key,form_secret + secret-generator.v1.mittwald.de/length: "64" +type: Opaque 
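Review bot: The Namespace carries only `pod-security.kubernetes.io/enforce: restricted`; add the matching `pod-security.kubernetes.io/audit: restricted` and `pod-security.kubernetes.io/warn: restricted` labels so a workload that slips below the profile after a chart upgrade is logged and warned about at apply time rather than only rejected at admission. This is also the sole definition of the shared `matrix` namespace: the element-web prototype's `ns.ytt.yaml` only stamps `metadata.namespace`, and both rendered Applications carry `CreateNamespace=true` with `prune: true` and the `resources-finalizer`, so if the element-web app syncs first the namespace exists unlabelled until this manifest lands (pods admitted in between are not re-evaluated), and deleting the synapse Application would cascade-delete the namespace and element-web's workloads with it. Consider moving the Namespace into a small prototype both apps depend on and dropping `CreateNamespace=true`.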
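Review bot: This Secret intentionally has no `data` key so the mittwald secret-generator can populate the three names in the `autogenerate` annotation, and those live values must then survive every sync with `selfHeal: true` — but nothing in the file says so, and anyone who later adds `data: {}` or reworks the sync options so that `data` is re-applied would wipe them; since `macaroon_secret_key` is among them, that rotates whatever Synapse signed with it (login/SSO tokens and any legacy macaroon tokens) in one sync. Add a comment above `type: Opaque`: `#! No data: on purpose — the secret-generator operator fills the keys listed in the autogenerate annotation. Adding data here wipes them and rotates macaroon_secret_key.` The operator is also an undeclared hard dependency of this prototype: without it the Synapse pod waits about two minutes (60 × 2 s in `extraCommands`) and then starts with empty secrets, so the comment should name it.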
diff --git a/prototypes/matrix-synapse/ytt/redis.ytt.yaml b/prototypes/matrix-synapse/ytt/redis.ytt.yaml new file mode 100644 index 0000000..2301b8a --- /dev/null +++ b/prototypes/matrix-synapse/ytt/redis.ytt.yaml @@ -0,0 +1,67 @@ +#@ load("@ytt:data", "data") + +#@ ns = data.values.application.namespace + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: redis + namespace: #@ ns + annotations: + argocd.argoproj.io/sync-wave: "-1" +spec: + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + app.kubernetes.io/name: redis + template: + metadata: + labels: + app.kubernetes.io/name: redis + spec: + securityContext: + runAsNonRoot: true + runAsUser: 999 + runAsGroup: 999 + fsGroup: 999 + seccompProfile: + type: RuntimeDefault + containers: + - name: redis + image: docker.io/redis:7-alpine + imagePullPolicy: IfNotPresent + command: ["redis-server", "--save", "", "--appendonly", "no"] + ports: + - name: redis + containerPort: 6379 + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + resources: + requests: + cpu: 10m + memory: 16Mi + limits: + memory: 64Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: redis + namespace: #@ ns + annotations: + argocd.argoproj.io/sync-wave: "-1" +spec: + type: ClusterIP + selector: + app.kubernetes.io/name: redis + ports: + - name: redis + port: 6379 + targetPort: redis diff --git a/prototypes/matrix-synapse/ytt/signing-key-job.ytt.yaml b/prototypes/matrix-synapse/ytt/signing-key-job.ytt.yaml new file mode 100644 index 0000000..89a70db --- /dev/null +++ b/prototypes/matrix-synapse/ytt/signing-key-job.ytt.yaml 
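Review bot: The Redis Deployment runs without authentication (`redis-server --save "" --appendonly no`, no `--requirepass`, and the synapse values set `externalRedis.password: ~`) and its ClusterIP Service is reachable from any pod in the cluster, since this change adds no NetworkPolicy anywhere; Synapse's replication channel is therefore open to anything that lands on the cluster network. At minimum add a NetworkPolicy next to the Deployment that admits only the Synapse pods on 6379 (the rendered Deployment labels them `app.kubernetes.io/name: matrix-synapse`, `app.kubernetes.io/component: synapse`), assuming the CNI enforces policies — minikube's default may not — and consider a generated password (the repo already uses the mittwald generator) wired into both `--requirepass` and `externalRedis`. The floating `docker.io/redis:7-alpine` tag is also the only unpinned image in this change (synapse and `alpine/k8s` are version-pinned); pin a minor version or digest so renders are reproducible.
```yaml
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: redis
  namespace: #@ ns
  annotations:
    argocd.argoproj.io/sync-wave: "-1"
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: redis
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: matrix-synapse
              app.kubernetes.io/component: synapse
      ports:
        - protocol: TCP
          port: 6379
```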
@@ -0,0 +1,127 @@ +#@ load("@ytt:data", "data") + +#@ ns = data.values.application.namespace + +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: synapse-signing-key-init + namespace: #@ ns + annotations: + argocd.argoproj.io/sync-wave: "-2" + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: synapse-signing-key-init + namespace: #@ ns + annotations: + argocd.argoproj.io/sync-wave: "-2" +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "create"] + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: synapse-signing-key-init + namespace: #@ ns + annotations: + argocd.argoproj.io/sync-wave: "-2" +subjects: + - kind: ServiceAccount + name: synapse-signing-key-init + namespace: #@ ns +roleRef: + kind: Role + name: synapse-signing-key-init + apiGroup: rbac.authorization.k8s.io + +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: synapse-signing-key-init + namespace: #@ ns + annotations: + argocd.argoproj.io/sync-options: Replace=true,Force=true + argocd.argoproj.io/sync-wave: "-1" +spec: + ttlSecondsAfterFinished: 300 + template: + spec: + serviceAccountName: synapse-signing-key-init + restartPolicy: OnFailure + securityContext: + runAsNonRoot: true + runAsUser: 991 + runAsGroup: 991 + fsGroup: 991 + seccompProfile: + type: RuntimeDefault + initContainers: + - name: generate + image: ghcr.io/element-hq/synapse:v1.152.0 + command: + - sh + - -c + - | + set -e + if [ -f /shared/signing.key ]; then + exit 0 + fi + if command -v generate_signing_key >/dev/null 2>&1; then + generate_signing_key -o /shared/signing.key + else + generate_signing_key.py -o /shared/signing.key + fi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + volumeMounts: + - name: shared + mountPath: /shared + containers: + - name: store + image: alpine/k8s:1.32.3 + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: 
metadata.namespace + command: + - sh + - -c + - | + set -e + SECRET="synapse-signing-key" + if kubectl get secret "${SECRET}" -n "${NAMESPACE}" >/dev/null 2>&1; then + echo "Secret ${SECRET} already exists, skipping" + exit 0 + fi + kubectl create secret generic "${SECRET}" \ + --namespace="${NAMESPACE}" \ + --from-file=signing.key=/shared/signing.key + echo "Created secret ${SECRET}" + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + volumeMounts: + - name: shared + mountPath: /shared + readOnly: true + volumes: + - name: shared + emptyDir: + medium: Memory + sizeLimit: 1Mi diff --git a/rendered/argocd/minikube/app-element-web.yaml b/rendered/argocd/minikube/app-element-web.yaml new file mode 100644 index 0000000..83b8beb --- /dev/null +++ b/rendered/argocd/minikube/app-element-web.yaml @@ -0,0 +1,25 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + annotations: + myks.dev/environment: minikube + finalizers: + - resources-finalizer.argocd.argoproj.io + name: app-minikube-element-web + namespace: argocd +spec: + destination: + namespace: matrix + server: https://kubernetes.default.svc + project: env-minikube + source: + path: rendered/envs/minikube/element-web + repoURL: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + targetRevision: main + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + - ServerSideApply=true diff --git a/rendered/argocd/minikube/app-matrix-synapse.yaml b/rendered/argocd/minikube/app-matrix-synapse.yaml new file mode 100644 index 0000000..b4cd1c7 --- /dev/null +++ b/rendered/argocd/minikube/app-matrix-synapse.yaml 
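Review bot: The Role grants `get` and `create` on every Secret in the namespace, so the job's service account can read `synapse-cnpg-app` (the DB password), `synapse-secrets` and `matrix-tls` even though the `store` container only ever touches `synapse-signing-key`. `create` cannot be scoped with `resourceNames` (the object does not exist yet), but `get` can, so split the rule and the SA's read access shrinks to the one object it owns. Since that secret ends up holding the server's long-lived federation signing key and nothing here backs it up, a comment on the Job saying that the key must be exported before the namespace is ever recreated would save someone a permanent identity change for federation — as far as this file shows, a regenerated key is simply a new server identity.
```yaml
rules:
  # read is only needed for the existence check on the one secret this job owns
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["synapse-signing-key"]
    verbs: ["get"]
  # create cannot be restricted by resourceNames, so it stays namespace-wide
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
```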
@@ -0,0 +1,25 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + annotations: + myks.dev/environment: minikube + finalizers: + - resources-finalizer.argocd.argoproj.io + name: app-minikube-matrix-synapse + namespace: argocd +spec: + destination: + namespace: matrix + server: https://kubernetes.default.svc + project: env-minikube + source: + path: rendered/envs/minikube/matrix-synapse + repoURL: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + targetRevision: main + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + - ServerSideApply=true diff --git a/rendered/argocd/production/app-element-web.yaml b/rendered/argocd/production/app-element-web.yaml new file mode 100644 index 0000000..a930b65 --- /dev/null +++ b/rendered/argocd/production/app-element-web.yaml @@ -0,0 +1,25 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + annotations: + myks.dev/environment: production + finalizers: + - resources-finalizer.argocd.argoproj.io + name: app-production-element-web + namespace: argocd +spec: + destination: + namespace: matrix + server: https://kubernetes.default.svc + project: env-production + source: + path: rendered/envs/production/element-web + repoURL: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + targetRevision: main + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + - ServerSideApply=true diff --git a/rendered/argocd/production/app-matrix-synapse.yaml b/rendered/argocd/production/app-matrix-synapse.yaml new file mode 100644 index 0000000..a94a2a4 --- /dev/null +++ b/rendered/argocd/production/app-matrix-synapse.yaml 
@@ -0,0 +1,25 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + annotations: + myks.dev/environment: production + finalizers: + - resources-finalizer.argocd.argoproj.io + name: app-production-matrix-synapse + namespace: argocd +spec: + destination: + namespace: matrix + server: https://kubernetes.default.svc + project: env-production + source: + path: rendered/envs/production/matrix-synapse + repoURL: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + targetRevision: main + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + - ServerSideApply=true diff --git a/rendered/envs/minikube/element-web/configmap-element-web-nginx.yaml b/rendered/envs/minikube/element-web/configmap-element-web-nginx.yaml new file mode 100644 index 0000000..0e23d05 --- /dev/null +++ b/rendered/envs/minikube/element-web/configmap-element-web-nginx.yaml @@ -0,0 +1,37 @@ +apiVersion: v1 +data: + default.conf: | + server { + listen 8080; + listen [::]:8080; + server_name localhost; + + root /usr/share/nginx/html; + index index.html; + + add_header X-Frame-Options SAMEORIGIN; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header Content-Security-Policy "frame-ancestors 'self'"; + + # Set no-cache for the index.html only so that browsers always check for a new copy of Element Web. + location = /index.html { + add_header Cache-Control "no-cache"; + } + + # redirect server error pages to the static page /50x.html + # + error_page 500 502 503 504 /50x.html; + } +kind: ConfigMap +metadata: + annotations: + a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + labels: + app.kubernetes.io/instance: element-web + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: element-web + app.kubernetes.io/version: 1.12.17 + helm.sh/chart: element-web-1.4.36 + name: element-web-nginx + namespace: matrix 
diff --git a/rendered/envs/minikube/element-web/configmap-element-web.yaml b/rendered/envs/minikube/element-web/configmap-element-web.yaml new file mode 100644 index 0000000..2a07a4a --- /dev/null +++ b/rendered/envs/minikube/element-web/configmap-element-web.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +data: + config.json: | + {"default_server_config":{"m.homeserver":{"base_url":"https://matrix.minikube","server_name":"matrix.minikube"},"m.identity_server":{"base_url":"https://vector.im"}}} +kind: ConfigMap +metadata: + annotations: + a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + labels: + app.kubernetes.io/instance: element-web + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: element-web + app.kubernetes.io/version: 1.12.17 + helm.sh/chart: element-web-1.4.36 + name: element-web + namespace: matrix diff --git a/rendered/envs/minikube/element-web/deployment-element-web.yaml b/rendered/envs/minikube/element-web/deployment-element-web.yaml new file mode 100644 index 0000000..a58c338 --- /dev/null +++ b/rendered/envs/minikube/element-web/deployment-element-web.yaml 
@@ -0,0 +1,81 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + labels: + app.kubernetes.io/instance: element-web + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: element-web + app.kubernetes.io/version: 1.12.17 + helm.sh/chart: element-web-1.4.36 + name: element-web + namespace: matrix +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: element-web + app.kubernetes.io/name: element-web + template: + metadata: + annotations: + checksum/config: 2d356a5bdaf9a18d891cfa939070f193ac94dc87bcc001a43769c6a0cae50a17 + checksum/config-nginx: 7b910777640c47e06f1153bb1d327cc8b7bbfe8ee1d58e444c5abcc2a4afb7a0 + labels: + app.kubernetes.io/instance: element-web + app.kubernetes.io/name: element-web + spec: + containers: + - env: + - name: ELEMENT_WEB_PORT + value: "8080" + image: ghcr.io/element-hq/element-web:v1.12.17 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: / + port: http + name: element-web + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + httpGet: + path: / + port: http + resources: + limits: + memory: 64Mi + requests: + cpu: 10m + memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: false + volumeMounts: + - mountPath: /app/config.json + name: config + subPath: config.json + - mountPath: /etc/nginx/conf.d/config.json + name: config-nginx + subPath: config.json + securityContext: + fsGroup: 101 + runAsGroup: 101 + runAsNonRoot: true + runAsUser: 101 + seccompProfile: + type: RuntimeDefault + serviceAccountName: element-web + volumes: + - configMap: + name: element-web + name: config + - configMap: + name: element-web-nginx + name: config-nginx 
diff --git a/rendered/envs/minikube/element-web/ingress-element-web.yaml b/rendered/envs/minikube/element-web/ingress-element-web.yaml new file mode 100644 index 0000000..81205d4 --- /dev/null +++ b/rendered/envs/minikube/element-web/ingress-element-web.yaml @@ -0,0 +1,31 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + cert-manager.io/cluster-issuer: mkcert + labels: + app.kubernetes.io/instance: element-web + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: element-web + app.kubernetes.io/version: 1.12.17 + helm.sh/chart: element-web-1.4.36 + name: element-web + namespace: matrix +spec: + ingressClassName: traefik + rules: + - host: matrix.minikube + http: + paths: + - backend: + service: + name: element-web + port: + number: 80 + path: / + pathType: Prefix + tls: + - hosts: + - matrix.minikube + secretName: matrix-tls diff --git a/rendered/envs/minikube/element-web/service-element-web.yaml b/rendered/envs/minikube/element-web/service-element-web.yaml new file mode 100644 index 0000000..caa9c81 --- /dev/null +++ b/rendered/envs/minikube/element-web/service-element-web.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + labels: + app.kubernetes.io/instance: element-web + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: element-web + app.kubernetes.io/version: 1.12.17 + helm.sh/chart: element-web-1.4.36 + name: element-web + namespace: matrix +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: http + selector: + app.kubernetes.io/instance: element-web + app.kubernetes.io/name: element-web + type: ClusterIP diff --git a/rendered/envs/minikube/element-web/serviceaccount-element-web.yaml b/rendered/envs/minikube/element-web/serviceaccount-element-web.yaml new file mode 100644 index 0000000..d3599e1 
--- /dev/null +++ b/rendered/envs/minikube/element-web/serviceaccount-element-web.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + labels: + app.kubernetes.io/instance: element-web + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: element-web + app.kubernetes.io/version: 1.12.17 + helm.sh/chart: element-web-1.4.36 + name: element-web + namespace: matrix diff --git a/rendered/envs/minikube/matrix-synapse/cluster-synapse-cnpg.yaml b/rendered/envs/minikube/matrix-synapse/cluster-synapse-cnpg.yaml new file mode 100644 index 0000000..44bcd86 --- /dev/null +++ b/rendered/envs/minikube/matrix-synapse/cluster-synapse-cnpg.yaml @@ -0,0 +1,32 @@ +apiVersion: postgresql.cnpg.io/v1 +kind: Cluster +metadata: + annotations: + a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + argocd.argoproj.io/sync-wave: "-1" + name: synapse-cnpg + namespace: matrix +spec: + bootstrap: + initdb: + database: synapse + localeCType: C + localeCollate: C + owner: synapse + instances: 1 + postgresql: + parameters: + effective_cache_size: 96MB + maintenance_work_mem: 32MB + max_connections: "30" + shared_buffers: 32MB + work_mem: 4MB + resources: + limits: + memory: 128Mi + requests: + cpu: 50m + memory: 64Mi + storage: + size: 5Gi + storageClass: standard diff --git a/rendered/envs/minikube/matrix-synapse/configmap-matrix-synapse.yaml b/rendered/envs/minikube/matrix-synapse/configmap-matrix-synapse.yaml new file mode 100644 index 0000000..e230b30 --- /dev/null +++ b/rendered/envs/minikube/matrix-synapse/configmap-matrix-synapse.yaml 
@@ -0,0 +1,36 @@ +apiVersion: v1 +data: + homeserver.yaml: "# NOTE:\n# Secrets are stored in separate configs to better fit K8s concepts\n\n## Server ##\n\nserver_name: \"matrix.minikube\"\npublic_baseurl: \"https://matrix.minikube\"\npid_file: /homeserver.pid\nweb_client: False\nsoft_file_limit: 0\nlog_config: \"/synapse/config/log.yaml\"\nreport_stats: false\n\ninstance_map:\n main:\n host: matrix-synapse-replication\n port: 9093\n\n## Ports ##\n\nlisteners:\n - port: 8008\n tls: false\n bind_addresses: [\"::\"]\n type: http\n x_forwarded: true\n\n resources:\n - names: \n - client\n - federation\n compress: false\n\n - port: 9090\n tls: false\n bind_addresses: [\"::\"]\n type: http\n\n resources:\n - names: [metrics]\n compress: false\n\n - port: 9093\n tls: false\n bind_addresses: [\"::\"]\n type: http\n\n resources:\n - names: [replication]\n compress: false\n\n## Files ##\n\nmedia_store_path: \"/synapse/data/media\"\nuploads_path: \"/synapse/data/uploads\"\n\n## Registration ##\n\nenable_registration: false\n\n## Metrics ###\n\nenable_metrics: true\n\n## Signing Keys ##\n\nsigning_key_path: \"/synapse/keys/signing.key\"\n\n# The trusted servers to download signing keys from.\ntrusted_key_servers:\n - server_name: matrix.org\n\n## Workers ##\n" + log.yaml: | + version: 1 + formatters: + precise: + format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s- %(message)s' + filters: + context: + (): synapse.util.logcontext.LoggingContextFilter + request: "" + handlers: + console: + class: logging.StreamHandler + formatter: precise + filters: [context] + level: INFO + loggers: + synapse: + level: INFO + root: + level: INFO + handlers: [console] +kind: ConfigMap +metadata: + annotations: + a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + labels: + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: matrix-synapse + app.kubernetes.io/version: 1.152.0 + 
helm.sh/chart: matrix-synapse-3.12.26 + name: matrix-synapse + namespace: matrix diff --git a/rendered/envs/minikube/matrix-synapse/deployment-matrix-synapse.yaml b/rendered/envs/minikube/matrix-synapse/deployment-matrix-synapse.yaml new file mode 100644 index 0000000..ffc5013 --- /dev/null +++ b/rendered/envs/minikube/matrix-synapse/deployment-matrix-synapse.yaml 
@@ -0,0 +1,142 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + labels: + app.kubernetes.io/component: synapse + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: matrix-synapse + app.kubernetes.io/version: 1.152.0 + helm.sh/chart: matrix-synapse-3.12.26 + name: matrix-synapse + namespace: matrix +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/component: synapse + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/name: matrix-synapse + strategy: + type: Recreate + template: + metadata: + annotations: + checksum/config: 0750c2f14986445e44cd32eddbea80ce9ef5c78ba14041b3e6a6a0be971d04f1 + checksum/secrets: 54091df516cd7bf15484597ec0c9613cd969341f977e3228b5416997dc9b8c95 + labels: + app.kubernetes.io/component: synapse + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/name: matrix-synapse + spec: + containers: + - command: + - sh + - -c + - | + export POSTGRES_PASSWORD=$(echo "${POSTGRES_PASSWORD:-}" | sed 's/\//\\\//g' | sed 's/\&/\\\&/g') && \ + export REDIS_PASSWORD=$(echo "${REDIS_PASSWORD:-}" | sed 's/\//\\\//g' | sed 's/\&/\\\&/g') && \ + cat /synapse/secrets/*.yaml | \ + sed -e "s/@@POSTGRES_PASSWORD@@/${POSTGRES_PASSWORD:-}/" \ + -e "s/@@REDIS_PASSWORD@@/${REDIS_PASSWORD:-}/" \ + > /synapse/config/conf.d/secrets.yaml + + + i=0; while [ ! 
-s /synapse/extra-secrets/registration_shared_secret ] && [ $i -lt 60 ]; do echo "waiting for synapse-secrets"; sleep 2; i=$((i+1)); done + printf 'registration_shared_secret: "%s"\nmacaroon_secret_key: "%s"\nform_secret: "%s"\n' "$(cat /synapse/extra-secrets/registration_shared_secret)" "$(cat /synapse/extra-secrets/macaroon_secret_key)" "$(cat /synapse/extra-secrets/form_secret)" > /synapse/config/conf.d/zz-overrides.yaml + + exec python -B -m synapse.app.homeserver \ + -c /synapse/config/homeserver.yaml \ + -c /synapse/config/conf.d/ + env: + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: synapse-cnpg-app + image: ghcr.io/element-hq/synapse:v1.152.0 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /health + port: http + name: synapse + ports: + - containerPort: 8008 + name: http + protocol: TCP + - containerPort: 9093 + name: replication + protocol: TCP + - containerPort: 9090 + name: metrics + protocol: TCP + readinessProbe: + httpGet: + path: /health + port: http + resources: + limits: + memory: 512Mi + requests: + cpu: 100m + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + startupProbe: + failureThreshold: 12 + httpGet: + path: /health + port: http + volumeMounts: + - mountPath: /synapse/config + name: config + - mountPath: /synapse/config/conf.d + name: tmpconf + - mountPath: /synapse/secrets + name: secrets + - mountPath: /synapse/keys + name: signingkey + - mountPath: /synapse/data + name: media + - mountPath: /tmp + name: tmpdir + - mountPath: /synapse/extra-secrets + name: synapse-secrets + readOnly: true + securityContext: + fsGroup: 991 + runAsGroup: 991 + runAsNonRoot: true + runAsUser: 991 + seccompProfile: + type: RuntimeDefault + serviceAccountName: matrix-synapse + volumes: + - configMap: + name: matrix-synapse + name: config + - name: secrets + secret: + secretName: matrix-synapse + - name: signingkey + secret: + items: + - key: signing.key + 
path: signing.key + secretName: synapse-signing-key + - emptyDir: {} + name: tmpconf + - emptyDir: {} + name: tmpdir + - name: media + persistentVolumeClaim: + claimName: matrix-synapse + - name: synapse-secrets + secret: + secretName: synapse-secrets diff --git a/rendered/envs/minikube/matrix-synapse/deployment-redis.yaml b/rendered/envs/minikube/matrix-synapse/deployment-redis.yaml new file mode 100644 index 0000000..2541eaf --- /dev/null +++ b/rendered/envs/minikube/matrix-synapse/deployment-redis.yaml @@ -0,0 +1,52 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + argocd.argoproj.io/sync-wave: "-1" + name: redis + namespace: matrix +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: redis + strategy: + type: Recreate + template: + metadata: + labels: + app.kubernetes.io/name: redis + spec: + containers: + - command: + - redis-server + - --save + - "" + - --appendonly + - "no" + image: docker.io/redis:7-alpine + imagePullPolicy: IfNotPresent + name: redis + ports: + - containerPort: 6379 + name: redis + resources: + limits: + memory: 64Mi + requests: + cpu: 10m + memory: 16Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + securityContext: + fsGroup: 999 + runAsGroup: 999 + runAsNonRoot: true + runAsUser: 999 + seccompProfile: + type: RuntimeDefault diff --git a/rendered/envs/minikube/matrix-synapse/ingress-matrix-synapse.yaml b/rendered/envs/minikube/matrix-synapse/ingress-matrix-synapse.yaml new file mode 100644 index 0000000..b9ebb4a --- /dev/null +++ b/rendered/envs/minikube/matrix-synapse/ingress-matrix-synapse.yaml 
@@ -0,0 +1,45 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + cert-manager.io/cluster-issuer: mkcert + labels: + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: matrix-synapse + app.kubernetes.io/version: 1.152.0 + helm.sh/chart: matrix-synapse-3.12.26 + name: matrix-synapse + namespace: matrix +spec: + ingressClassName: traefik + rules: + - host: matrix.minikube + http: + paths: + - backend: + service: + name: matrix-synapse + port: + number: 8008 + path: /_matrix + pathType: Prefix + - backend: + service: + name: matrix-synapse + port: + number: 8008 + path: /_synapse + pathType: Prefix + - backend: + service: + name: matrix-synapse + port: + number: 8008 + path: /.well-known/matrix + pathType: Prefix + tls: + - hosts: + - matrix.minikube + secretName: matrix-tls diff --git a/rendered/envs/minikube/matrix-synapse/job-synapse-signing-key-init.yaml b/rendered/envs/minikube/matrix-synapse/job-synapse-signing-key-init.yaml new file mode 100644 index 0000000..c57d285 --- /dev/null +++ b/rendered/envs/minikube/matrix-synapse/job-synapse-signing-key-init.yaml 
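Review bot: The `path: /_synapse` rule with `pathType: Prefix` routes the entire `/_synapse/` tree through the public ingress, which includes the Synapse admin API under `/_synapse/admin`. Synapse's reverse-proxy guidance proxies only `/_matrix` and `/_synapse/client` (plus `/_synapse/oidc` when OIDC is used) and keeps the admin API reachable from inside the cluster only; narrowing the rule to `path: /_synapse/client` keeps the client-facing endpoints working. The production ingress-matrix-synapse.yaml further down carries the same three rules and is the internet-facing one.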
@@ -0,0 +1,84 @@ +apiVersion: batch/v1 +kind: Job +metadata: + annotations: + a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + argocd.argoproj.io/sync-options: Replace=true,Force=true + argocd.argoproj.io/sync-wave: "-1" + name: synapse-signing-key-init + namespace: matrix +spec: + template: + spec: + containers: + - command: + - sh + - -c + - | + set -e + SECRET="synapse-signing-key" + if kubectl get secret "${SECRET}" -n "${NAMESPACE}" >/dev/null 2>&1; then + echo "Secret ${SECRET} already exists, skipping" + exit 0 + fi + kubectl create secret generic "${SECRET}" \ + --namespace="${NAMESPACE}" \ + --from-file=signing.key=/shared/signing.key + echo "Created secret ${SECRET}" + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: alpine/k8s:1.32.3 + name: store + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + volumeMounts: + - mountPath: /shared + name: shared + readOnly: true + initContainers: + - command: + - sh + - -c + - | + set -e + if [ -f /shared/signing.key ]; then + exit 0 + fi + if command -v generate_signing_key >/dev/null 2>&1; then + generate_signing_key -o /shared/signing.key + else + generate_signing_key.py -o /shared/signing.key + fi + image: ghcr.io/element-hq/synapse:v1.152.0 + name: generate + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + volumeMounts: + - mountPath: /shared + name: shared + restartPolicy: OnFailure + securityContext: + fsGroup: 991 + runAsGroup: 991 + runAsNonRoot: true + runAsUser: 991 + seccompProfile: + type: RuntimeDefault + serviceAccountName: synapse-signing-key-init + volumes: + - emptyDir: + medium: Memory + sizeLimit: 1Mi + name: shared + ttlSecondsAfterFinished: 300 
diff --git a/rendered/envs/minikube/matrix-synapse/namespace-matrix.yaml b/rendered/envs/minikube/matrix-synapse/namespace-matrix.yaml new file mode 100644 index 0000000..1cf3eed --- /dev/null +++ b/rendered/envs/minikube/matrix-synapse/namespace-matrix.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Namespace +metadata: + annotations: + a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + argocd.argoproj.io/sync-wave: "-3" + labels: + pod-security.kubernetes.io/enforce: restricted + name: matrix + namespace: matrix diff --git a/rendered/envs/minikube/matrix-synapse/persistentvolumeclaim-matrix-synapse.yaml b/rendered/envs/minikube/matrix-synapse/persistentvolumeclaim-matrix-synapse.yaml new file mode 100644 index 0000000..ebcf877 --- /dev/null +++ b/rendered/envs/minikube/matrix-synapse/persistentvolumeclaim-matrix-synapse.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + annotations: + a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + labels: + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: matrix-synapse + app.kubernetes.io/version: 1.152.0 + helm.sh/chart: matrix-synapse-3.12.26 + name: matrix-synapse + namespace: matrix +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 10Gi + storageClassName: standard diff --git a/rendered/envs/minikube/matrix-synapse/role-synapse-signing-key-init.yaml b/rendered/envs/minikube/matrix-synapse/role-synapse-signing-key-init.yaml new file mode 100644 index 0000000..1527213 --- /dev/null +++ b/rendered/envs/minikube/matrix-synapse/role-synapse-signing-key-init.yaml 
@@ -0,0 +1,16 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: + a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + argocd.argoproj.io/sync-wave: "-2" + name: synapse-signing-key-init + namespace: matrix +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create diff --git a/rendered/envs/minikube/matrix-synapse/rolebinding-synapse-signing-key-init.yaml b/rendered/envs/minikube/matrix-synapse/rolebinding-synapse-signing-key-init.yaml new file mode 100644 index 0000000..c409e03 --- /dev/null +++ b/rendered/envs/minikube/matrix-synapse/rolebinding-synapse-signing-key-init.yaml @@ -0,0 +1,16 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + annotations: + a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + argocd.argoproj.io/sync-wave: "-2" + name: synapse-signing-key-init + namespace: matrix +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: synapse-signing-key-init +subjects: + - kind: ServiceAccount + name: synapse-signing-key-init + namespace: matrix diff --git a/rendered/envs/minikube/matrix-synapse/secret-matrix-synapse.yaml b/rendered/envs/minikube/matrix-synapse/secret-matrix-synapse.yaml new file mode 100644 index 0000000..cd3e5f7 --- /dev/null +++ b/rendered/envs/minikube/matrix-synapse/secret-matrix-synapse.yaml 
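Review bot: The Role in role-synapse-signing-key-init.yaml grants `get` on every Secret in the `matrix` namespace, while the job only ever reads `synapse-signing-key`; as written the job's ServiceAccount can also read `synapse-cnpg-app` (database credentials) and the generated `synapse-secrets`. `get` can be name-scoped, so split the rule into one `get` rule with `resourceNames: [synapse-signing-key]` and a separate rule carrying only `create` (which cannot be restricted by name). The production Role further down has the identical rules.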
@@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Secret +metadata: + annotations: + a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + labels: + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: matrix-synapse + app.kubernetes.io/version: 1.152.0 + helm.sh/chart: matrix-synapse-3.12.26 + name: matrix-synapse + namespace: matrix +stringData: + config.yaml: "## Registration ##\n\nregistration_shared_secret: \"overridden-by-zz-overrides\"\n\n## API Configuration ##\n\nmacaroon_secret_key: \"overridden-by-zz-overrides\"\n\n## Database configuration ##\n\ndatabase:\n name: \"psycopg2\"\n args:\n user: \"synapse\"\n password: \"@@POSTGRES_PASSWORD@@\"\n database: \"synapse\"\n host: \"synapse-cnpg-rw.matrix.svc\"\n port: 5432\n sslmode: \"disable\"\n cp_min: 5\n cp_max: 10\n \n\n## Redis configuration ##\n\nredis:\n enabled: true\n host: \"redis.matrix.svc\"\n port: 6379\n" diff --git a/rendered/envs/minikube/matrix-synapse/secret-synapse-secrets.yaml b/rendered/envs/minikube/matrix-synapse/secret-synapse-secrets.yaml new file mode 100644 index 0000000..9bcf7ad --- /dev/null +++ b/rendered/envs/minikube/matrix-synapse/secret-synapse-secrets.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Secret +metadata: + annotations: + a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + argocd.argoproj.io/sync-wave: "-2" + secret-generator.v1.mittwald.de/autogenerate: registration_shared_secret,macaroon_secret_key,form_secret + secret-generator.v1.mittwald.de/length: "64" + name: synapse-secrets + namespace: matrix +type: Opaque diff --git a/rendered/envs/minikube/matrix-synapse/service-matrix-synapse-replication.yaml b/rendered/envs/minikube/matrix-synapse/service-matrix-synapse-replication.yaml new file mode 100644 index 0000000..5b31649 --- /dev/null +++ b/rendered/envs/minikube/matrix-synapse/service-matrix-synapse-replication.yaml 
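Review bot: The database block in secret-matrix-synapse.yaml sets `sslmode: "disable"`, so the Synapse connection to `synapse-cnpg-rw.matrix.svc` sends the substituted `@@POSTGRES_PASSWORD@@` credential and all homeserver data in cleartext across the cluster network. As far as I recall CloudNativePG clusters serve TLS by default, so `sslmode: "require"` (or `verify-full` with the cluster's CA secret mounted) should work without other changes; worth confirming against the CNPG version in use. The production copy of this Secret further down has the same setting.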
@@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + labels: + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: matrix-synapse + app.kubernetes.io/version: 1.152.0 + helm.sh/chart: matrix-synapse-3.12.26 + name: matrix-synapse-replication + namespace: matrix +spec: + ports: + - name: replication + port: 9093 + protocol: TCP + targetPort: replication + selector: + app.kubernetes.io/component: synapse + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/name: matrix-synapse + type: ClusterIP diff --git a/rendered/envs/minikube/matrix-synapse/service-matrix-synapse.yaml b/rendered/envs/minikube/matrix-synapse/service-matrix-synapse.yaml new file mode 100644 index 0000000..1d08da1 --- /dev/null +++ b/rendered/envs/minikube/matrix-synapse/service-matrix-synapse.yaml @@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + labels: + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: matrix-synapse + app.kubernetes.io/version: 1.152.0 + helm.sh/chart: matrix-synapse-3.12.26 + name: matrix-synapse + namespace: matrix +spec: + ports: + - name: http + port: 8008 + protocol: TCP + targetPort: http + selector: + app.kubernetes.io/component: synapse + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/name: matrix-synapse + type: ClusterIP diff --git a/rendered/envs/minikube/matrix-synapse/service-redis.yaml b/rendered/envs/minikube/matrix-synapse/service-redis.yaml new file mode 100644 index 0000000..f7607dd --- /dev/null +++ b/rendered/envs/minikube/matrix-synapse/service-redis.yaml 
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + argocd.argoproj.io/sync-wave: "-1" + name: redis + namespace: matrix +spec: + ports: + - name: redis + port: 6379 + targetPort: redis + selector: + app.kubernetes.io/name: redis + type: ClusterIP diff --git a/rendered/envs/minikube/matrix-synapse/serviceaccount-matrix-synapse.yaml b/rendered/envs/minikube/matrix-synapse/serviceaccount-matrix-synapse.yaml new file mode 100644 index 0000000..5ece22b --- /dev/null +++ b/rendered/envs/minikube/matrix-synapse/serviceaccount-matrix-synapse.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + labels: + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: matrix-synapse + app.kubernetes.io/version: 1.152.0 + helm.sh/chart: matrix-synapse-3.12.26 + name: matrix-synapse + namespace: matrix diff --git a/rendered/envs/minikube/matrix-synapse/serviceaccount-synapse-signing-key-init.yaml b/rendered/envs/minikube/matrix-synapse/serviceaccount-synapse-signing-key-init.yaml new file mode 100644 index 0000000..dfd997d --- /dev/null +++ b/rendered/envs/minikube/matrix-synapse/serviceaccount-synapse-signing-key-init.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + argocd.argoproj.io/sync-wave: "-2" + name: synapse-signing-key-init + namespace: matrix diff --git a/rendered/envs/production/element-web/configmap-element-web-nginx.yaml b/rendered/envs/production/element-web/configmap-element-web-nginx.yaml new file mode 100644 index 0000000..0e23d05 --- /dev/null +++ b/rendered/envs/production/element-web/configmap-element-web-nginx.yaml 
@@ -0,0 +1,37 @@ +apiVersion: v1 +data: + default.conf: | + server { + listen 8080; + listen [::]:8080; + server_name localhost; + + root /usr/share/nginx/html; + index index.html; + + add_header X-Frame-Options SAMEORIGIN; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header Content-Security-Policy "frame-ancestors 'self'"; + + # Set no-cache for the index.html only so that browsers always check for a new copy of Element Web. + location = /index.html { + add_header Cache-Control "no-cache"; + } + + # redirect server error pages to the static page /50x.html + # + error_page 500 502 503 504 /50x.html; + } +kind: ConfigMap +metadata: + annotations: + a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + labels: + app.kubernetes.io/instance: element-web + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: element-web + app.kubernetes.io/version: 1.12.17 + helm.sh/chart: element-web-1.4.36 + name: element-web-nginx + namespace: matrix diff --git a/rendered/envs/production/element-web/configmap-element-web.yaml b/rendered/envs/production/element-web/configmap-element-web.yaml new file mode 100644 index 0000000..0c40893 --- /dev/null +++ b/rendered/envs/production/element-web/configmap-element-web.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +data: + config.json: | + {"default_server_config":{"m.homeserver":{"base_url":"https://matrix.tr1ceracop.de","server_name":"matrix.tr1ceracop.de"},"m.identity_server":{"base_url":"https://vector.im"}}} +kind: ConfigMap +metadata: + annotations: + a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + labels: + app.kubernetes.io/instance: element-web + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: element-web + app.kubernetes.io/version: 1.12.17 + helm.sh/chart: element-web-1.4.36 + name: element-web + namespace: matrix 
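Review bot: In the nginx `default.conf`, the `add_header Cache-Control "no-cache";` inside `location = /index.html` cancels the four server-level `add_header` lines for that location, because nginx inherits `add_header` from the enclosing block only when the current block defines none. The effect is that `/index.html`, the one document that most needs `X-Frame-Options` and `Content-Security-Policy "frame-ancestors 'self'"`, is served without them. Repeating the security headers inside the location block (or moving them to an include used at both levels) restores them. Separately, `X-XSS-Protection "1; mode=block"` is deprecated and current guidance is to send `0` or drop the header.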
diff --git a/rendered/envs/production/element-web/deployment-element-web.yaml b/rendered/envs/production/element-web/deployment-element-web.yaml new file mode 100644 index 0000000..f1c092d --- /dev/null +++ b/rendered/envs/production/element-web/deployment-element-web.yaml 
@@ -0,0 +1,81 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + labels: + app.kubernetes.io/instance: element-web + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: element-web + app.kubernetes.io/version: 1.12.17 + helm.sh/chart: element-web-1.4.36 + name: element-web + namespace: matrix +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: element-web + app.kubernetes.io/name: element-web + template: + metadata: + annotations: + checksum/config: 258884d3c78bc05fe275db741f0d980e7e157fe0cd432aa4302e6a59d423012a + checksum/config-nginx: 7b910777640c47e06f1153bb1d327cc8b7bbfe8ee1d58e444c5abcc2a4afb7a0 + labels: + app.kubernetes.io/instance: element-web + app.kubernetes.io/name: element-web + spec: + containers: + - env: + - name: ELEMENT_WEB_PORT + value: "8080" + image: ghcr.io/element-hq/element-web:v1.12.17 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: / + port: http + name: element-web + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + httpGet: + path: / + port: http + resources: + limits: + memory: 64Mi + requests: + cpu: 10m + memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: false + volumeMounts: + - mountPath: /app/config.json + name: config + subPath: config.json + - mountPath: /etc/nginx/conf.d/config.json + name: config-nginx + subPath: config.json + securityContext: + fsGroup: 101 + runAsGroup: 101 + runAsNonRoot: true + runAsUser: 101 + seccompProfile: + type: RuntimeDefault + serviceAccountName: element-web + volumes: + - configMap: + name: element-web + name: config + - configMap: + name: element-web-nginx + name: config-nginx 
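Review bot: The second volumeMount in deployment-element-web.yaml mounts `config-nginx` with `subPath: config.json` at `/etc/nginx/conf.d/config.json`, but the `element-web-nginx` ConfigMap only defines the key `default.conf`, so the custom server block (with its security headers) is never placed at `/etc/nginx/conf.d/default.conf`; whether the kubelet rejects the mount or creates an empty path, the image's stock config presumably stays in effect while the `checksum/config-nginx` annotation suggests otherwise. The mount should read `- mountPath: /etc/nginx/conf.d/default.conf` / `name: config-nginx` / `subPath: default.conf`. Also, `readOnlyRootFilesystem: false` diverges from the other workloads in this change; nginx only needs writable cache and pid paths, which could be emptyDir mounts.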
diff --git a/rendered/envs/production/element-web/ingress-element-web.yaml b/rendered/envs/production/element-web/ingress-element-web.yaml new file mode 100644 index 0000000..83b605b --- /dev/null +++ b/rendered/envs/production/element-web/ingress-element-web.yaml @@ -0,0 +1,31 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + cert-manager.io/cluster-issuer: letsencrypt + labels: + app.kubernetes.io/instance: element-web + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: element-web + app.kubernetes.io/version: 1.12.17 + helm.sh/chart: element-web-1.4.36 + name: element-web + namespace: matrix +spec: + ingressClassName: traefik + rules: + - host: matrix.tr1ceracop.de + http: + paths: + - backend: + service: + name: element-web + port: + number: 80 + path: / + pathType: Prefix + tls: + - hosts: + - matrix.tr1ceracop.de + secretName: matrix-tls diff --git a/rendered/envs/production/element-web/service-element-web.yaml b/rendered/envs/production/element-web/service-element-web.yaml new file mode 100644 index 0000000..caa9c81 --- /dev/null +++ b/rendered/envs/production/element-web/service-element-web.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + labels: + app.kubernetes.io/instance: element-web + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: element-web + app.kubernetes.io/version: 1.12.17 + helm.sh/chart: element-web-1.4.36 + name: element-web + namespace: matrix +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: http + selector: + app.kubernetes.io/instance: element-web + app.kubernetes.io/name: element-web + type: ClusterIP 
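Review bot: ingress-element-web.yaml serves the Element client from `matrix.tr1ceracop.de`, the same origin that the production ingress-matrix-synapse.yaml further down uses for the homeserver's `/_matrix` routes. Element's deployment guidance is to host the web client on a different domain from the homeserver, because media uploaded to the homeserver then shares the client's origin and a crafted upload could run in the client's security context. A distinct subdomain for element-web separates the origins. Both Ingresses also declare `secretName: matrix-tls` under cert-manager annotations; two Ingress objects driving one Certificate is worth verifying against the cert-manager version in use rather than assuming it reconciles cleanly.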
diff --git a/rendered/envs/production/element-web/serviceaccount-element-web.yaml b/rendered/envs/production/element-web/serviceaccount-element-web.yaml new file mode 100644 index 0000000..d3599e1 --- /dev/null +++ b/rendered/envs/production/element-web/serviceaccount-element-web.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + labels: + app.kubernetes.io/instance: element-web + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: element-web + app.kubernetes.io/version: 1.12.17 + helm.sh/chart: element-web-1.4.36 + name: element-web + namespace: matrix diff --git a/rendered/envs/production/matrix-synapse/cluster-synapse-cnpg.yaml b/rendered/envs/production/matrix-synapse/cluster-synapse-cnpg.yaml new file mode 100644 index 0000000..296005a --- /dev/null +++ b/rendered/envs/production/matrix-synapse/cluster-synapse-cnpg.yaml @@ -0,0 +1,32 @@ +apiVersion: postgresql.cnpg.io/v1 +kind: Cluster +metadata: + annotations: + a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + argocd.argoproj.io/sync-wave: "-1" + name: synapse-cnpg + namespace: matrix +spec: + bootstrap: + initdb: + database: synapse + localeCType: C + localeCollate: C + owner: synapse + instances: 1 + postgresql: + parameters: + effective_cache_size: 96MB + maintenance_work_mem: 32MB + max_connections: "30" + shared_buffers: 32MB + work_mem: 4MB + resources: + limits: + memory: 128Mi + requests: + cpu: 50m + memory: 64Mi + storage: + size: 5Gi + storageClass: hcloud-volumes diff --git a/rendered/envs/production/matrix-synapse/configmap-matrix-synapse.yaml b/rendered/envs/production/matrix-synapse/configmap-matrix-synapse.yaml new file mode 100644 index 0000000..da566ac --- /dev/null +++ b/rendered/envs/production/matrix-synapse/configmap-matrix-synapse.yaml 
@@ -0,0 +1,36 @@ +apiVersion: v1 +data: + homeserver.yaml: "# NOTE:\n# Secrets are stored in separate configs to better fit K8s concepts\n\n## Server ##\n\nserver_name: \"matrix.tr1ceracop.de\"\npublic_baseurl: \"https://matrix.tr1ceracop.de\"\npid_file: /homeserver.pid\nweb_client: False\nsoft_file_limit: 0\nlog_config: \"/synapse/config/log.yaml\"\nreport_stats: false\n\ninstance_map:\n main:\n host: matrix-synapse-replication\n port: 9093\n\n## Ports ##\n\nlisteners:\n - port: 8008\n tls: false\n bind_addresses: [\"::\"]\n type: http\n x_forwarded: true\n\n resources:\n - names: \n - client\n - federation\n compress: false\n\n - port: 9090\n tls: false\n bind_addresses: [\"::\"]\n type: http\n\n resources:\n - names: [metrics]\n compress: false\n\n - port: 9093\n tls: false\n bind_addresses: [\"::\"]\n type: http\n\n resources:\n - names: [replication]\n compress: false\n\n## Files ##\n\nmedia_store_path: \"/synapse/data/media\"\nuploads_path: \"/synapse/data/uploads\"\n\n## Registration ##\n\nenable_registration: false\n\n## Metrics ###\n\nenable_metrics: true\n\n## Signing Keys ##\n\nsigning_key_path: \"/synapse/keys/signing.key\"\n\n# The trusted servers to download signing keys from.\ntrusted_key_servers:\n - server_name: matrix.org\n\n## Workers ##\n" + log.yaml: | + version: 1 + formatters: + precise: + format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s- %(message)s' + filters: + context: + (): synapse.util.logcontext.LoggingContextFilter + request: "" + handlers: + console: + class: logging.StreamHandler + formatter: precise + filters: [context] + level: INFO + loggers: + synapse: + level: INFO + root: + level: INFO + handlers: [console] +kind: ConfigMap +metadata: + annotations: + a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + labels: + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: matrix-synapse + app.kubernetes.io/version: 1.152.0 + 
helm.sh/chart: matrix-synapse-3.12.26 + name: matrix-synapse + namespace: matrix diff --git a/rendered/envs/production/matrix-synapse/deployment-matrix-synapse.yaml b/rendered/envs/production/matrix-synapse/deployment-matrix-synapse.yaml new file mode 100644 index 0000000..472bacb --- /dev/null +++ b/rendered/envs/production/matrix-synapse/deployment-matrix-synapse.yaml 
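Review bot: `pid_file: /homeserver.pid` in homeserver.yaml makes Synapse write to the container's root filesystem, which is presumably why the synapse container (unlike redis and the signing-key job in this change) does not set `readOnlyRootFilesystem: true`. Every other write target (`/synapse/data`, `/synapse/config/conf.d`, `/tmp`) is already a mounted volume, so `pid_file: /tmp/homeserver.pid` removes the last root-fs write and lets the deployment adopt the same hardening. `trusted_key_servers` lists `matrix.org` without `verify_keys`, which Synapse accepts but warns about at startup unless `suppress_key_server_warning: true` is set.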
@@ -0,0 +1,142 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + labels: + app.kubernetes.io/component: synapse + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: matrix-synapse + app.kubernetes.io/version: 1.152.0 + helm.sh/chart: matrix-synapse-3.12.26 + name: matrix-synapse + namespace: matrix +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/component: synapse + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/name: matrix-synapse + strategy: + type: Recreate + template: + metadata: + annotations: + checksum/config: e9410364225cc447e9ce6b06ef65e4740011fa188b0a8ebab877ea04a1d100d7 + checksum/secrets: 54091df516cd7bf15484597ec0c9613cd969341f977e3228b5416997dc9b8c95 + labels: + app.kubernetes.io/component: synapse + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/name: matrix-synapse + spec: + containers: + - command: + - sh + - -c + - | + export POSTGRES_PASSWORD=$(echo "${POSTGRES_PASSWORD:-}" | sed 's/\//\\\//g' | sed 's/\&/\\\&/g') && \ + export REDIS_PASSWORD=$(echo "${REDIS_PASSWORD:-}" | sed 's/\//\\\//g' | sed 's/\&/\\\&/g') && \ + cat /synapse/secrets/*.yaml | \ + sed -e "s/@@POSTGRES_PASSWORD@@/${POSTGRES_PASSWORD:-}/" \ + -e "s/@@REDIS_PASSWORD@@/${REDIS_PASSWORD:-}/" \ + > /synapse/config/conf.d/secrets.yaml + + + i=0; while [ ! 
-s /synapse/extra-secrets/registration_shared_secret ] && [ $i -lt 60 ]; do echo "waiting for synapse-secrets"; sleep 2; i=$((i+1)); done + printf 'registration_shared_secret: "%s"\nmacaroon_secret_key: "%s"\nform_secret: "%s"\n' "$(cat /synapse/extra-secrets/registration_shared_secret)" "$(cat /synapse/extra-secrets/macaroon_secret_key)" "$(cat /synapse/extra-secrets/form_secret)" > /synapse/config/conf.d/zz-overrides.yaml + + exec python -B -m synapse.app.homeserver \ + -c /synapse/config/homeserver.yaml \ + -c /synapse/config/conf.d/ + env: + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: synapse-cnpg-app + image: ghcr.io/element-hq/synapse:v1.152.0 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /health + port: http + name: synapse + ports: + - containerPort: 8008 + name: http + protocol: TCP + - containerPort: 9093 + name: replication + protocol: TCP + - containerPort: 9090 + name: metrics + protocol: TCP + readinessProbe: + httpGet: + path: /health + port: http + resources: + limits: + memory: 512Mi + requests: + cpu: 100m + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + startupProbe: + failureThreshold: 12 + httpGet: + path: /health + port: http + volumeMounts: + - mountPath: /synapse/config + name: config + - mountPath: /synapse/config/conf.d + name: tmpconf + - mountPath: /synapse/secrets + name: secrets + - mountPath: /synapse/keys + name: signingkey + - mountPath: /synapse/data + name: media + - mountPath: /tmp + name: tmpdir + - mountPath: /synapse/extra-secrets + name: synapse-secrets + readOnly: true + securityContext: + fsGroup: 991 + runAsGroup: 991 + runAsNonRoot: true + runAsUser: 991 + seccompProfile: + type: RuntimeDefault + serviceAccountName: matrix-synapse + volumes: + - configMap: + name: matrix-synapse + name: config + - name: secrets + secret: + secretName: matrix-synapse + - name: signingkey + secret: + items: + - key: signing.key + 
path: signing.key + secretName: synapse-signing-key + - emptyDir: {} + name: tmpconf + - emptyDir: {} + name: tmpdir + - name: media + persistentVolumeClaim: + claimName: matrix-synapse + - name: synapse-secrets + secret: + secretName: synapse-secrets diff --git a/rendered/envs/production/matrix-synapse/deployment-redis.yaml b/rendered/envs/production/matrix-synapse/deployment-redis.yaml new file mode 100644 index 0000000..2541eaf --- /dev/null +++ b/rendered/envs/production/matrix-synapse/deployment-redis.yaml @@ -0,0 +1,52 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + argocd.argoproj.io/sync-wave: "-1" + name: redis + namespace: matrix +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: redis + strategy: + type: Recreate + template: + metadata: + labels: + app.kubernetes.io/name: redis + spec: + containers: + - command: + - redis-server + - --save + - "" + - --appendonly + - "no" + image: docker.io/redis:7-alpine + imagePullPolicy: IfNotPresent + name: redis + ports: + - containerPort: 6379 + name: redis + resources: + limits: + memory: 64Mi + requests: + cpu: 10m + memory: 16Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + securityContext: + fsGroup: 999 + runAsGroup: 999 + runAsNonRoot: true + runAsUser: 999 + seccompProfile: + type: RuntimeDefault diff --git a/rendered/envs/production/matrix-synapse/ingress-matrix-synapse.yaml b/rendered/envs/production/matrix-synapse/ingress-matrix-synapse.yaml new file mode 100644 index 0000000..861fded --- /dev/null +++ b/rendered/envs/production/matrix-synapse/ingress-matrix-synapse.yaml 
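Review bot: The wait loop in the synapse container command gives up after 60 iterations and then falls through: `printf` runs with `cat` of the missing files and writes empty `registration_shared_secret`, `macaroon_secret_key` and `form_secret` values to zz-overrides.yaml, and Synapse is exec'd with them. Add a hard check after the loop, `[ -s /synapse/extra-secrets/registration_shared_secret ] || { echo "synapse-secrets not available" >&2; exit 1; }`, so the pod fails instead of starting with empty secrets; a `set -e` at the top, as the signing-key job script already has, would also surface failures in the preceding `sed` pipeline. The generator Secret syncs in an earlier wave so this is normally not hit, but a startup that silently degrades the secrets is the wrong failure mode. The script begins in the first part of this hunk.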
@@ -0,0 +1,45 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + cert-manager.io/cluster-issuer: letsencrypt + labels: + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: matrix-synapse + app.kubernetes.io/version: 1.152.0 + helm.sh/chart: matrix-synapse-3.12.26 + name: matrix-synapse + namespace: matrix +spec: + ingressClassName: traefik + rules: + - host: matrix.tr1ceracop.de + http: + paths: + - backend: + service: + name: matrix-synapse + port: + number: 8008 + path: /_matrix + pathType: Prefix + - backend: + service: + name: matrix-synapse + port: + number: 8008 + path: /_synapse + pathType: Prefix + - backend: + service: + name: matrix-synapse + port: + number: 8008 + path: /.well-known/matrix + pathType: Prefix + tls: + - hosts: + - matrix.tr1ceracop.de + secretName: matrix-tls diff --git a/rendered/envs/production/matrix-synapse/job-synapse-signing-key-init.yaml b/rendered/envs/production/matrix-synapse/job-synapse-signing-key-init.yaml new file mode 100644 index 0000000..c57d285 --- /dev/null +++ b/rendered/envs/production/matrix-synapse/job-synapse-signing-key-init.yaml 
@@ -0,0 +1,84 @@ +apiVersion: batch/v1 +kind: Job +metadata: + annotations: + a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + argocd.argoproj.io/sync-options: Replace=true,Force=true + argocd.argoproj.io/sync-wave: "-1" + name: synapse-signing-key-init + namespace: matrix +spec: + template: + spec: + containers: + - command: + - sh + - -c + - | + set -e + SECRET="synapse-signing-key" + if kubectl get secret "${SECRET}" -n "${NAMESPACE}" >/dev/null 2>&1; then + echo "Secret ${SECRET} already exists, skipping" + exit 0 + fi + kubectl create secret generic "${SECRET}" \ + --namespace="${NAMESPACE}" \ + --from-file=signing.key=/shared/signing.key + echo "Created secret ${SECRET}" + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: alpine/k8s:1.32.3 + name: store + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + volumeMounts: + - mountPath: /shared + name: shared + readOnly: true + initContainers: + - command: + - sh + - -c + - | + set -e + if [ -f /shared/signing.key ]; then + exit 0 + fi + if command -v generate_signing_key >/dev/null 2>&1; then + generate_signing_key -o /shared/signing.key + else + generate_signing_key.py -o /shared/signing.key + fi + image: ghcr.io/element-hq/synapse:v1.152.0 + name: generate + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + volumeMounts: + - mountPath: /shared + name: shared + restartPolicy: OnFailure + securityContext: + fsGroup: 991 + runAsGroup: 991 + runAsNonRoot: true + runAsUser: 991 + seccompProfile: + type: RuntimeDefault + serviceAccountName: synapse-signing-key-init + volumes: + - emptyDir: + medium: Memory + sizeLimit: 1Mi + name: shared + ttlSecondsAfterFinished: 300 
diff --git a/rendered/envs/production/matrix-synapse/namespace-matrix.yaml b/rendered/envs/production/matrix-synapse/namespace-matrix.yaml new file mode 100644 index 0000000..1cf3eed --- /dev/null +++ b/rendered/envs/production/matrix-synapse/namespace-matrix.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Namespace +metadata: + annotations: + a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + argocd.argoproj.io/sync-wave: "-3" + labels: + pod-security.kubernetes.io/enforce: restricted + name: matrix + namespace: matrix diff --git a/rendered/envs/production/matrix-synapse/persistentvolumeclaim-matrix-synapse.yaml b/rendered/envs/production/matrix-synapse/persistentvolumeclaim-matrix-synapse.yaml new file mode 100644 index 0000000..65e19ed --- /dev/null +++ b/rendered/envs/production/matrix-synapse/persistentvolumeclaim-matrix-synapse.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + annotations: + a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + labels: + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: matrix-synapse + app.kubernetes.io/version: 1.152.0 + helm.sh/chart: matrix-synapse-3.12.26 + name: matrix-synapse + namespace: matrix +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 10Gi + storageClassName: hcloud-volumes diff --git a/rendered/envs/production/matrix-synapse/role-synapse-signing-key-init.yaml b/rendered/envs/production/matrix-synapse/role-synapse-signing-key-init.yaml new file mode 100644 index 0000000..1527213 --- /dev/null +++ b/rendered/envs/production/matrix-synapse/role-synapse-signing-key-init.yaml 
@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ annotations:
+ a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+ argocd.argoproj.io/sync-wave: "-2"
+ name: synapse-signing-key-init
+ namespace: matrix
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - create
diff --git a/rendered/envs/production/matrix-synapse/rolebinding-synapse-signing-key-init.yaml b/rendered/envs/production/matrix-synapse/rolebinding-synapse-signing-key-init.yaml
new file mode 100644
index 0000000..c409e03
--- /dev/null
+++ b/rendered/envs/production/matrix-synapse/rolebinding-synapse-signing-key-init.yaml
@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ annotations:
+ a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+ argocd.argoproj.io/sync-wave: "-2"
+ name: synapse-signing-key-init
+ namespace: matrix
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: synapse-signing-key-init
+subjects:
+ - kind: ServiceAccount
+ name: synapse-signing-key-init
+ namespace: matrix
diff --git a/rendered/envs/production/matrix-synapse/secret-matrix-synapse.yaml b/rendered/envs/production/matrix-synapse/secret-matrix-synapse.yaml
new file mode 100644
index 0000000..cd3e5f7
--- /dev/null
+++ b/rendered/envs/production/matrix-synapse/secret-matrix-synapse.yaml
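Review bot: The Role's single rule grants `get` on every Secret in the `matrix` namespace, while the init Job only ever reads its own `synapse-signing-key`; with this binding the Job's pod can also read `synapse-secrets` and the `matrix-synapse` config Secret (which carries the database password) that live in the same namespace. `create` cannot be narrowed with `resourceNames` (the object name is not known at authorization time), but `get` can, so the rule should be split into a name-scoped `get` and an unscoped `create`. This is a rendered manifest, so the change belongs in the prototype that renders it; the rendered file then just needs regenerating.
```yaml
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    resourceNames:
      - synapse-signing-key
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - create
```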
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ annotations:
+ a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+ labels:
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: matrix-synapse
+ app.kubernetes.io/version: 1.152.0
+ helm.sh/chart: matrix-synapse-3.12.26
+ name: matrix-synapse
+ namespace: matrix
+stringData:
+ config.yaml: "## Registration ##\n\nregistration_shared_secret: \"overridden-by-zz-overrides\"\n\n## API Configuration ##\n\nmacaroon_secret_key: \"overridden-by-zz-overrides\"\n\n## Database configuration ##\n\ndatabase:\n name: \"psycopg2\"\n args:\n user: \"synapse\"\n password: \"@@POSTGRES_PASSWORD@@\"\n database: \"synapse\"\n host: \"synapse-cnpg-rw.matrix.svc\"\n port: 5432\n sslmode: \"disable\"\n cp_min: 5\n cp_max: 10\n \n\n## Redis configuration ##\n\nredis:\n enabled: true\n host: \"redis.matrix.svc\"\n port: 6379\n"
diff --git a/rendered/envs/production/matrix-synapse/secret-synapse-secrets.yaml b/rendered/envs/production/matrix-synapse/secret-synapse-secrets.yaml
new file mode 100644
index 0000000..9bcf7ad
--- /dev/null
+++ b/rendered/envs/production/matrix-synapse/secret-synapse-secrets.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ annotations:
+ a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+ argocd.argoproj.io/sync-wave: "-2"
+ secret-generator.v1.mittwald.de/autogenerate: registration_shared_secret,macaroon_secret_key,form_secret
+ secret-generator.v1.mittwald.de/length: "64"
+ name: synapse-secrets
+ namespace: matrix
+type: Opaque
diff --git a/rendered/envs/production/matrix-synapse/service-matrix-synapse-replication.yaml b/rendered/envs/production/matrix-synapse/service-matrix-synapse-replication.yaml
new file mode 100644
index 0000000..5b31649
--- /dev/null
+++ b/rendered/envs/production/matrix-synapse/service-matrix-synapse-replication.yaml
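Review bot: The rendered `config.yaml` in the `matrix-synapse` Secret sets `sslmode: \"disable\"` for the connection to `synapse-cnpg-rw.matrix.svc`, so the database password and every query travel in cleartext on the pod network and the client never authenticates the server it is talking to. CloudNativePG serves TLS on its clusters by default, so this can be tightened without adding any component: `sslmode: \"verify-full\"` plus an `sslrootcert` that points at the operator's CA certificate mounted from the CNPG cluster's CA Secret (its exact name depends on the cluster resource, which is not in view), with `\"require\"` as the minimum fallback if the CA mount is deferred. The value is produced from the chart values/overlay rather than this rendered file, so that is where the change goes; the `redis` block on the same line has no auth or TLS either, which is worth the same review once the Redis deployment is in view.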
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+ labels:
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: matrix-synapse
+ app.kubernetes.io/version: 1.152.0
+ helm.sh/chart: matrix-synapse-3.12.26
+ name: matrix-synapse-replication
+ namespace: matrix
+spec:
+ ports:
+ - name: replication
+ port: 9093
+ protocol: TCP
+ targetPort: replication
+ selector:
+ app.kubernetes.io/component: synapse
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/name: matrix-synapse
+ type: ClusterIP
diff --git a/rendered/envs/production/matrix-synapse/service-matrix-synapse.yaml b/rendered/envs/production/matrix-synapse/service-matrix-synapse.yaml
new file mode 100644
index 0000000..1d08da1
--- /dev/null
+++ b/rendered/envs/production/matrix-synapse/service-matrix-synapse.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+ labels:
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: matrix-synapse
+ app.kubernetes.io/version: 1.152.0
+ helm.sh/chart: matrix-synapse-3.12.26
+ name: matrix-synapse
+ namespace: matrix
+spec:
+ ports:
+ - name: http
+ port: 8008
+ protocol: TCP
+ targetPort: http
+ selector:
+ app.kubernetes.io/component: synapse
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/name: matrix-synapse
+ type: ClusterIP
diff --git a/rendered/envs/production/matrix-synapse/service-redis.yaml b/rendered/envs/production/matrix-synapse/service-redis.yaml
new file mode 100644
index 0000000..f7607dd
--- /dev/null
+++ b/rendered/envs/production/matrix-synapse/service-redis.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+ argocd.argoproj.io/sync-wave: "-1"
+ name: redis
+ namespace: matrix
+spec:
+ ports:
+ - name: redis
+ port: 6379
+ targetPort: redis
+ selector:
+ app.kubernetes.io/name: redis
+ type: ClusterIP
diff --git a/rendered/envs/production/matrix-synapse/serviceaccount-matrix-synapse.yaml b/rendered/envs/production/matrix-synapse/serviceaccount-matrix-synapse.yaml
new file mode 100644
index 0000000..5ece22b
--- /dev/null
+++ b/rendered/envs/production/matrix-synapse/serviceaccount-matrix-synapse.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ annotations:
+ a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+ labels:
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: matrix-synapse
+ app.kubernetes.io/version: 1.152.0
+ helm.sh/chart: matrix-synapse-3.12.26
+ name: matrix-synapse
+ namespace: matrix
diff --git a/rendered/envs/production/matrix-synapse/serviceaccount-synapse-signing-key-init.yaml b/rendered/envs/production/matrix-synapse/serviceaccount-synapse-signing-key-init.yaml
new file mode 100644
index 0000000..dfd997d
--- /dev/null
+++ b/rendered/envs/production/matrix-synapse/serviceaccount-synapse-signing-key-init.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ annotations:
+ a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
+ argocd.argoproj.io/sync-wave: "-2"
+ name: synapse-signing-key-init
+ namespace: matrix
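Review bot: The `matrix-synapse` ServiceAccount in the second hunk on this line leaves `automountServiceAccountToken` unset, so every Synapse pod bound to it gets a projected API token on its filesystem even though Synapse itself has no reason to call the Kubernetes API; the only workload in this change that needs the API is the init Job, and it has its own `synapse-signing-key-init` account. Adding `automountServiceAccountToken: false` under the ServiceAccount (or on the chart's pod spec, whichever the chart exposes) removes a credential an attacker with code execution in the Synapse container would otherwise pick up for free. The rendered file comes from the chart, so the setting belongs in the chart values/overlay and the rendered output should be regenerated from there; whether the chart exposes it directly is not visible here.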