Merge pull request #1 from jessebot/fix-deployment-to-grab-secret
Use env vars secret in deployment; update ci/cd; add readme
jessebot authored May 17, 2024
2 parents b28d102 + 51687a0 commit f74666e
Showing 11 changed files with 222 additions and 48 deletions.
3 changes: 1 addition & 2 deletions .github/workflows/cd-helm-release.yml
Expand Up @@ -32,8 +32,7 @@ jobs:

- name: Add dependency chart repos
run: |
helm repo add coturn https://small-hack.github.io/coturn-chart/
helm dep update charts/matrix
helm dep update charts/matrix-sliding-sync
- name: Run chart-releaser
id: helm-release
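Review bot: dropping the coturn repo add before `helm dep update charts/matrix-sliding-sync` is correct for this chart, since its only dependency in Chart.yaml is pulled from `oci://registry-1.docker.io/bitnamicharts` and needs no `helm repo add`; the lint workflow in this same commit still runs `helm repo add bitnami https://charts.bitnami.com/bitnami`, which is now equally unused, so drop it there too to keep the two workflows consistent.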
5 changes: 2 additions & 3 deletions .github/workflows/ci-helm-lint-test.yml
Expand Up @@ -3,7 +3,7 @@ name: Lint and Test Chart
on:
pull_request:
paths:
- 'charts/matrix/**'
- 'charts/matrix-sliding-sync/**'

permissions:
contents: read
Expand All @@ -24,7 +24,6 @@ jobs:
- name: Add dependency chart repos
run: |
helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo add coturn https://small-hack.github.io/coturn-chart
- name: Set up chart-testing
uses: helm/[email protected]
Expand All @@ -49,4 +48,4 @@ jobs:
- name: Run chart-testing (install)
id: install
if: steps.list-changed.outputs.changed == 'true'
run: ct install --target-branch ${{ github.event.repository.default_branch }}
run: ct install --target-branch ${{ github.event.repository.default_branch }} --helm-extra-set-args '--set=postgresql.volumePermissions.enabled=false --set=postgresql.primary.networkPolicy.enabled=false'
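Review bot: the two `--set` overrides on the `ct install` line are undocumented; add a comment in the workflow explaining why `postgresql.volumePermissions.enabled=false` and `postgresql.primary.networkPolicy.enabled=false` are needed for the test cluster, so nobody later copies them into values.yaml as chart defaults. Both are CI workarounds, and a disabled network policy in particular should stay confined to the test run.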
21 changes: 19 additions & 2 deletions README.md
@@ -1,3 +1,20 @@
# matrix sliding-sync helm chart
# Matrix Sliding Sync helm chart

This is a helm chart implementing [matrix-org/sliding-sync](https://github.com/matrix-org/sliding-sync/tree/main).
<a href="https://github.com/small-hack/matrix-sliding-sync-chart/releases"><img src="https://img.shields.io/github/v/release/small-hack/matrix-sliding-sync-chart?style=plastic&labelColor=blue&color=green&logo=GitHub&logoColor=white"></a>

This is a helm chart implementing [matrix-org/sliding-sync](https://github.com/matrix-org/sliding-sync/tree/main) for deployment on Kubernetes. It was originally designed for use as a subchart for [small-hack/matrix-chart](https://github.com/small-hack/matrix-chart), but it can be used stand alone as well.

See the [`README.md`](https://github.com/small-hack/matrix-sliding-sync-chart/blob/main/charts/matrix/README.md) for docs auto-generated from the [`values.yaml`](https://github.com/small-hack/matrix-sliding-sync-chart/blob/main/charts/matrix/values.yaml).

Read through the parameters and modify them locally before installing the chart:

```bash
# add the helm repo locally
helm repo add matrix-sliding-sync https://small-hack.github.io/matrix-sliding-sync-chart

# downloads the values.yaml locally
helm show values matrix-sliding-sync/matrix-sliding-sync > values.yaml

# install the chart
helm install my-release-name matrix-sliding-sync/matrix-sliding-sync --values values.yaml
```
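Review bot: the two links in the "See the README.md" sentence point at `charts/matrix/README.md` and `charts/matrix/values.yaml`, but every other path in this commit puts the chart at `charts/matrix-sliding-sync/`; fix both URLs or they will 404 from the published README.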
6 changes: 5 additions & 1 deletion charts/matrix-sliding-sync/Chart.yaml
Expand Up @@ -15,7 +15,7 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.0
version: 0.1.1

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
Expand All @@ -30,3 +30,7 @@ dependencies:
version: 15.1.4
repository: oci://registry-1.docker.io/bitnamicharts
condition: postgresql.enabled

maintainers:
- name: jessebot
url: https://github.com/jessebot
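Review bot: the version goes 0.1.0 to 0.1.1, but this same commit renames values keys (`syncv3.log_level` to `syncv3.logLevel`, `syncv3.otlp_url` to `syncv3.otlp.url`, and `syncv3.db` changes from a string to an object) and renames the env Secret; existing users' values files stop working, which under the semver comment just above the version line warrants at least a minor bump and a short upgrade note in the README.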
38 changes: 23 additions & 15 deletions charts/matrix-sliding-sync/README.md
@@ -1,9 +1,15 @@
# matrix-sliding-sync

![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.99.17](https://img.shields.io/badge/AppVersion-v0.99.17-informational?style=flat-square)
![Version: 0.1.1](https://img.shields.io/badge/Version-0.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.99.17](https://img.shields.io/badge/AppVersion-v0.99.17-informational?style=flat-square)

A Helm chart for Kubernetes

## Maintainers

| Name | Email | Url |
| ---- | ------ | --- |
| jessebot | | <https://github.com/jessebot> |

## Requirements

| Repository | Name | Version |
Expand All @@ -19,11 +25,11 @@ A Helm chart for Kubernetes
| autoscaling.maxReplicas | int | `100` | |
| autoscaling.minReplicas | int | `1` | |
| autoscaling.targetCPUUtilizationPercentage | int | `80` | |
| externalDatabase.database | string | `"matrix"` | name of the database to try and connect to |
| externalDatabase.database | string | `"matrix-sliding-sync"` | name of the database to try and connect to |
| externalDatabase.enabled | bool | `false` | enable using an external database *instead of* the Bitnami PostgreSQL sub-chart if externalDatabase.enabled is set to true, postgresql.enabled must be set to false |
| externalDatabase.existingSecret | string | `""` | Name of existing secret to use for PostgreSQL credentials |
| externalDatabase.hostname | string | `""` | hostname of db server. Can be left blank if using postgres subchart |
| externalDatabase.password | string | `"changeme"` | password of matrix postgres user - ignored using exsitingSecret |
| externalDatabase.password | string | `"changeme"` | password of matrix-sliding-sync postgres user - ignored using exsitingSecret |
| externalDatabase.port | int | `5432` | which port to use to connect to your database server |
| externalDatabase.secretKeys.adminPasswordKey | string | `"postgresPassword"` | key in existingSecret with the admin postgresql password |
| externalDatabase.secretKeys.database | string | `"database"` | key in existingSecret with name of the database |
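Review bot: the regenerated description for `externalDatabase.password` still carries the typo `exsitingSecret` (the same typo appears under `postgresql.global.postgresql.auth.password` further down); this table is generated from values.yaml, so fix the comment there. Separately, the new default `matrix-sliding-sync` contains hyphens, which PostgreSQL does not accept in unquoted identifiers, so any SQL that uses it as a database or role name must double-quote it.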
Expand All @@ -34,7 +40,7 @@ A Helm chart for Kubernetes
| externalDatabase.sslkey | string | `""` | optional: tls/ssl key for postgresql connections |
| externalDatabase.sslmode | string | `""` | sslmode to use, example: verify-full |
| externalDatabase.sslrootcert | string | `""` | optional: tls/ssl root cert for postgresql connections |
| externalDatabase.username | string | `"matrix"` | username of matrix postgres user |
| externalDatabase.username | string | `"matrix-sliding-sync"` | username of matrix-sliding-sync postgres user |
| fullnameOverride | string | `""` | |
| image.pullPolicy | string | `"IfNotPresent"` | |
| image.repository | string | `"ghcr.io/matrix-org/sliding-sync"` | |
Expand All @@ -56,14 +62,14 @@ A Helm chart for Kubernetes
| podSecurityContext | object | `{}` | |
| postgresql.enabled | bool | `true` | Whether to deploy the Bitnami Postgresql sub chart If postgresql.enabled is set to true, externalDatabase.enabled must be set to false else if externalDatabase.enabled is set to true, postgresql.enabled must be set to false |
| postgresql.global.postgresql.auth.existingSecret | string | `""` | Name of existing secret to use for PostgreSQL credentials |
| postgresql.global.postgresql.auth.password | string | `"changeme"` | password of matrix postgres user - ignored using exsitingSecret |
| postgresql.global.postgresql.auth.password | string | `"changeme"` | password of matrix-sliding-sync postgres user - ignored using exsitingSecret |
| postgresql.global.postgresql.auth.port | int | `5432` | which port to use to connect to your database server |
| postgresql.global.postgresql.auth.secretKeys.adminPasswordKey | string | `"postgresPassword"` | key in existingSecret with the admin postgresql password |
| postgresql.global.postgresql.auth.secretKeys.database | string | `"database"` | key in existingSecret with name of the database |
| postgresql.global.postgresql.auth.secretKeys.databaseHostname | string | `"hostname"` | key in existingSecret with hostname of the database |
| postgresql.global.postgresql.auth.secretKeys.databaseUsername | string | `"username"` | key in existingSecret with username for matrix to connect to db |
| postgresql.global.postgresql.auth.secretKeys.userPasswordKey | string | `"password"` | key in existingSecret with password for matrix to connect to db |
| postgresql.global.postgresql.auth.username | string | `"matrix-sliding-sync"` | username of matrix postgres user |
| postgresql.global.postgresql.auth.secretKeys.databaseUsername | string | `"username"` | key in existingSecret with username for matrix-sliding-sync to connect to db |
| postgresql.global.postgresql.auth.secretKeys.userPasswordKey | string | `"password"` | key in existingSecret with password for matrix-sliding-sync to connect to db |
| postgresql.global.postgresql.auth.username | string | `"matrix-sliding-sync"` | username of matrix-sliding-sync postgres user |
| postgresql.primary.initdb | object | `{"scriptsConfigMap":"{{ .Release.Name }}-postgresql-initdb"}` | run the scripts in templates/postgresql/initdb-configmap.yaml If using an external Postgres server, make sure to configure the database ref: https://github.com/matrix-org/synapse/blob/master/docs/postgres.md |
| postgresql.primary.persistence | object | `{"enabled":false,"size":"8Gi"}` | persistent volume claim configuration for postgresql to persist data |
| postgresql.primary.persistence.enabled | bool | `false` | Enable PostgreSQL Primary data persistence using PVC |
Expand All @@ -84,16 +90,18 @@ A Helm chart for Kubernetes
| serviceAccount.create | bool | `true` | |
| serviceAccount.name | string | `""` | |
| syncv3.bindaddr | string | `"0.0.0.0:8008"` | SYNCV3_BINDADDR - The interface and port to listen on. (Supports unix socket: /path/to/socket) |
| syncv3.db | string | `""` | SYNCV3_DB - Required. The postgres connection string: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING |
| syncv3.log_level | string | `"info"` | SYNCV3_LOG_LEVEL - The level of verbosity for messages logged. Available values are trace, debug, info, warn, error and fatal |
| syncv3.max_db_conn | string | `""` | SYNCV3_MAX_DB_CONN - Default: unset. Max database connections to use when communicating with postgres. Unset or 0 means no limit. |
| syncv3.otlp_password | string | `""` | SYNCV3_OTLP_PASSWORD - Default: unset. The OTLP password for Basic auth. If unset, does not send an Authorization header. |
| syncv3.otlp_url | string | `""` | SYNCV3_OTLP_URL - Default: unset. The OTLP HTTP URL to send spans to e.g https://localhost:4318 - if unset does not send OTLP traces. |
| syncv3.otlp_username | string | `""` | SYNCV3_OTLP_USERNAME - Default: unset. The OTLP username for Basic auth. If unset, does not send an Authorization header. |
| syncv3.db | object | `{"dbname":"matrix-sliding-sync","existingSecret":"","host":"","password":"","sslmode":"disable","user":"matrix-sliding-sync"}` | templates out SYNCV3_DB which is a postgres connection string: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING like this: user=$(whoami) dbname=syncv3 sslmode=disable host=host.docker.internal password='DATABASE_PASSWORD_HERE' |
| syncv3.existingSecret | string | `""` | existing kubernetes secret for ALL syncv3 env vars listed below. if set, ignores all values below, everything under syncv3 including syncv3.db and syncvc.otlp. |
| syncv3.logLevel | string | `"info"` | SYNCV3_LOG_LEVEL - The level of verbosity for messages logged. Available values are trace, debug, info, warn, error and fatal |
| syncv3.maxDbConn | string | `""` | SYNCV3_MAX_DB_CONN - Default: unset. Max database connections to use when communicating with postgres. Unset or 0 means no limit. |
| syncv3.otlp.existingSecret | string | `nil` | |
| syncv3.otlp.password | string | `""` | SYNCV3_OTLP_PASSWORD - Default: unset. The OTLP password for Basic auth. If unset, does not send an Authorization header. |
| syncv3.otlp.url | string | `""` | SYNCV3_OTLP_URL - Default: unset. The OTLP HTTP URL to send spans to e.g https://localhost:4318 - if unset does not send OTLP traces. |
| syncv3.otlp.username | string | `""` | SYNCV3_OTLP_USERNAME - Default: unset. The OTLP username for Basic auth. If unset, does not send an Authorization header. |
| syncv3.pprof | string | `""` | SYNCV3_PPROF - Default: unset. The bind addr for pprof debugging e.g ':6060'. If not set, does not listen. |
| syncv3.prom | string | `""` | SYNCV3_PROM - Default: unset. The bind addr for Prometheus metrics, which will be accessible at /metrics at this address. |
| syncv3.secret | string | `""` | SYNCV3_SECRET - Required. A secret to use to encrypt access tokens. Must remain the same for the lifetime of the database. |
| syncv3.sentry_dsn | string | `""` | SYNCV3_SENTRY_DSN - Default: unset. The Sentry DSN to report events to e.g https://[email protected]/123 - if unset does not send sentry events. |
| syncv3.sentryDsn | string | `""` | SYNCV3_SENTRY_DSN - Default: unset. The Sentry DSN to report events to e.g https://[email protected]/123 - if unset does not send sentry events. |
| syncv3.server | string | `""` | SYNCV3_SERVER - Required. The destination homeserver to talk to (CS API HTTPS URL) e.g 'https://matrix-client.matrix.org' (Supports unix socket: /path/to/socket) |
| syncv3.tlsCert | string | `""` | SYNCV3_TLS_CERT - Default: unset. Path to a certificate file to serve to HTTPS clients. Specifying this enables TLS on the bound address. |
| syncv3.tlsKey | string | `""` | SYNCV3_TLS_KEY - Default: unset. Path to a key file for the certificate. Must be provided along with the certificate file. |
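Review bot: `syncv3.otlp.existingSecret` is listed with default `nil` and no description, unlike the other `existingSecret` entries that default to `""` and say what they replace; add the comment in values.yaml and make the default consistent. The `syncv3.existingSecret` description also has a typo, `syncvc.otlp`, and it says `syncv3.db` is ignored entirely when set, which is only true of the env Secret: the init container's credential lookup is driven by `postgresql.*`, not by this key, so the wording should say so.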
35 changes: 35 additions & 0 deletions charts/matrix-sliding-sync/templates/_helpers.tpl
Expand Up @@ -60,3 +60,38 @@ Create the name of the service account to use
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}

{{/*
Helper function to get postgres instance name
*/}}
{{- define "postgresql.name" -}}
{{- if .Values.postgresql.enabled -}}
{{ include "matrix-sliding-sync.fullname" . }}-postgresql
{{- end }}
{{- end }}

{{/*
Helper function to get the postgres secret containing the database credentials
*/}}
{{- define "matrix-sliding-sync.postgresql.secretName" -}}
{{- if and .Values.postgresql.enabled .Values.postgresql.global.postgresql.auth.existingSecret -}}
{{ .Values.postgresql.global.postgresql.auth.existingSecret }}
{{- else if and .Values.externalDatabase.enabled .Values.externalDatabase.existingSecret -}}
{{ .Values.externalDatabase.existingSecret }}
{{- else -}}
{{ template "matrix-sliding-sync.fullname" . }}-db-secret
{{- end }}
{{- end }}

{{/*
templates out SYNCV3_DB which is a postgres connection string: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING like this: user=$(whoami) dbname=syncv3 sslmode=disable host=host.docker.internal password='DATABASE_PASSWORD_HERE'
*/}}
{{- define "matrix-sliding-sync.dbConnString" -}}
{{- if and .Values.postgresql.enabled (not .Values.syncv3.existingSecret) }}
{{- if .Values.syncv3.db.password }}
{{- printf "user=%s dbname=%s sslmode=%s host=%s password=%s" .Values.syncv3.db.user .Values.syncv3.db.dbname .Values.syncv3.db.sslmode .Values.syncv3.db.host .Values.syncv3.db.password }}
{{- else -}}
{{- printf "user=%s dbname=%s sslmode=%s host=%s" .Values.syncv3.db.user .Values.syncv3.db.dbname .Values.syncv3.db.sslmode .Values.syncv3.db.host }}
{{- end }}
{{- end }}
{{- end }}
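Review bot: `matrix-sliding-sync.dbConnString` only produces output when `.Values.postgresql.enabled` is true, so with `externalDatabase.enabled` the env Secret gets `SYNCV3_DB` set to the empty string even though the values table marks it required; add an `else if .Values.externalDatabase.enabled` branch built from the `externalDatabase.*` values, or render the key only when the string is non-empty. Two smaller points: the password is interpolated bare, so a value containing a space or quote breaks libpq parsing, whereas the comment above the define shows the quoted form `password='...'`; use `password='%s'` and escape as libpq expects. And `host` defaults to `""` while the init container resolves the subchart's service via `postgresql.v1.primary.fullname`; using the same template here would avoid a blank host when the subchart is enabled. Also, `postgresql.name` has no chart prefix; Helm defines share one namespace across a chart and its subcharts, so prefix it like the other helpers.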
42 changes: 41 additions & 1 deletion charts/matrix-sliding-sync/templates/deployment.yaml
Expand Up @@ -30,6 +30,40 @@ spec:
serviceAccountName: {{ include "matrix-sliding-sync.serviceAccountName" . }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
initContainers:
{{- if .Values.postgresql.enabled }}
- name: postgresql-isready
image: {{ .Values.postgresql.image.repository }}:{{ .Values.postgresql.image.tag }}
env:
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: {{ include "matrix-sliding-sync.postgresql.secretName" . }}
key: {{ .Values.postgresql.global.postgresql.auth.secretKeys.databaseUsername }}
- name: DATABASE_HOSTNAME
{{- if not .Values.postgresql.global.postgresql.auth.existingSecret }}
value: {{ template "postgresql.v1.primary.fullname" .Subcharts.postgresql }}
{{ else }}
valueFrom:
secretKeyRef:
name: {{ include "matrix-sliding-sync.postgresql.secretName" . }}
key: {{ .Values.postgresql.global.postgresql.auth.secretKeys.databaseHostname }}
{{- end }}
{{- if .Values.postgresql.sslmode }}
- name: PGSSLMODE
value: {{ .Values.postgresql.sslmode }}
- name: PGSSLCERT
value: {{ .Values.postgresql.sslcert }}
- name: PGSSLKEY
value: {{ .Values.postgresql.sslkey }}
- name: PGSSLROOTCERT
value: {{ .Values.postgresql.sslrootcert }}
{{- end }}
command:
- "sh"
- "-c"
- "until pg_isready -h $DATABASE_HOSTNAME -U $POSTGRES_USER; do sleep 2; done"
{{- end }}
containers:
- name: {{ .Chart.Name }}
securityContext:
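Review bot: the `pg_isready` init container takes `POSTGRES_USER` from the Secret named by `matrix-sliding-sync.postgresql.secretName`, whose fallback is `<fullname>-db-secret`; nothing in this diff creates that Secret or shows it carrying a `username` key, so with default values the pod will sit in CreateContainerConfigError unless that template exists elsewhere, worth confirming. The `PGSSL*` block reads `.Values.postgresql.sslmode`, `.sslcert`, `.sslkey` and `.sslrootcert`, none of which appear in the chart's values table (the documented ssl keys live under `externalDatabase.*`), so that block is currently dead. Finally, the init container sets no `securityContext` or `resources`, unlike the main container just below it; give it the same hardening, since it runs with the database credentials in its environment.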
Expand All @@ -50,7 +84,13 @@ spec:
volumeMounts:
{{- toYaml . | nindent 12 }}
{{- end }}
env:
envFrom:
- secretRef:
{{- if .Values.syncv3.existingSecret }}
name: {{ .Values.syncv3.existingSecret }}
{{- else }}
name: {{ include "matrix-sliding-sync.fullname" . }}-env
{{- end }}

{{- with .Values.volumes }}
volumes:
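Review bot: the container now gets all of its environment from a single `secretRef`, but the Secret template in this commit omits `SYNCV3_DB` when `syncv3.db.existingSecret` is set and the OTLP keys when `syncv3.otlp.existingSecret` is set; neither of those user-supplied Secrets is added as a second `secretRef` here, so setting either option leaves the variable undefined instead of sourcing it from the user's Secret. Append `- secretRef:` / `name: {{ .Values.syncv3.db.existingSecret }}` (and the OTLP equivalent) under the same `{{- else }}` branch, each guarded by its own `if`.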
13 changes: 13 additions & 0 deletions charts/matrix-sliding-sync/templates/initdb-configmap.yaml
@@ -0,0 +1,13 @@
{{- if .Values.postgresql.enabled }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "matrix-sliding-sync.fullname" . }}-postgresql-initdb
labels:
{{ include "matrix-sliding-sync.labels" . | nindent 4}}
data:
matrix.sql: |
CREATE DATABASE matrix ENCODING 'UTF8' LOCALE 'C' TEMPLATE template0 OWNER {{ .Values.postgresql.global.postgresql.auth.username }};
GRANT ALL PRIVILEGES ON DATABASE matrix-sliding-sync TO {{ .Values.postgresql.global.postgresql.auth.username }};
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO {{ .Values.postgresql.global.postgresql.auth.username }};
{{- end }}
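Review bot: the SQL here will not run as written: `CREATE DATABASE matrix` creates a database called `matrix`, but the following `GRANT` targets `matrix-sliding-sync`, and both that name and the default owner `matrix-sliding-sync` contain hyphens, which PostgreSQL rejects in unquoted identifiers. Use one name throughout and double-quote it, e.g. `CREATE DATABASE "matrix-sliding-sync" ENCODING 'UTF8' LOCALE 'C' TEMPLATE template0 OWNER "{{ ... }}";`. Two more things: `GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public` applies to whatever database the init script is connected to, not the one just created, so when run through psql it needs a `\c` to the new database first (or belongs in the application's own migrations); and this ConfigMap is named `<fullname>-postgresql-initdb` while `postgresql.primary.initdb.scriptsConfigMap` in the values table is `{{ .Release.Name }}-postgresql-initdb`, which only match when the release name already contains the chart name (the values comment also points at `templates/postgresql/initdb-configmap.yaml`, not this file's path).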
Expand Up @@ -3,21 +3,46 @@
apiVersion: v1
kind: Secret
metadata:
name: sliding-sync-env
name: {{ include "matrix-sliding-sync.fullname" . }}-env
data:
SYNCV3_SERVER: {{ .Values.syncv3.server | b64enc | quote }}
SYNCV3_DB: {{ .Values.syncv3.db | b64enc | quote }}
{{- if .Values.syncv3.secret }}
SYNCV3_SECRET: {{ .Values.syncv3.secret | b64enc | quote }}
{{- else }}
SYNCV3_SECRET: {{ randAlphaNum 32 | b64enc | quote }}
{{- end }}
SYNCV3_SERVER: {{ .Values.syncv3.server | b64enc | quote }}
{{- if not .Values.syncv3.db.existingSecret }}
SYNCV3_DB: {{ include "matrix-sliding-sync.dbConnString" . | b64enc | quote }}
{{- end }}
SYNCV3_BINDADDR: {{ .Values.syncv3.bindaddr | b64enc | quote }}
{{ if .Values.syncv3.tlsCert }}
SYNCV3_TLS_CERT: {{ .Values.syncv3.tlsCert | b64enc | quote }}
{{- end }}
{{ if .Values.syncv3.tlsKey }}
SYNCV3_TLS_KEY: {{ .Values.syncv3.tlsKey | b64enc | quote }}
{{- end }}
{{ if not .Values.syncv3.pprof }}
SYNCV3_PPROF: {{ .Values.syncv3.pprof | b64enc | quote }}
{{- end }}
{{ if not .Values.syncv3.prom }}
SYNCV3_PROM: {{ .Values.syncv3.prom | b64enc | quote }}
SYNCV3_OTLP_URL: {{ .Values.syncv3.otlpUrl | b64enc | quote }}
SYNCV3_OTLP_USERNAME: {{ .Values.syncv3.otlpUsername | b64enc | quote }}
SYNCV3_OTLP_PASSWORD: {{ .Values.syncv3.otlpPassword | b64enc | quote }}
{{- end }}
{{ if not .Values.syncv3.otlp.existingSecret }}
{{ if .Values.syncv3.otlp.url }}
SYNCV3_OTLP_URL: {{ .Values.syncv3.otlp.url | b64enc | quote }}
{{- end }}
{{ if .Values.syncv3.otlp.username }}
SYNCV3_OTLP_USERNAME: {{ .Values.syncv3.otlp.username | b64enc | quote }}
{{- end }}
{{ if .Values.syncv3.otlp.password }}
SYNCV3_OTLP_PASSWORD: {{ .Values.syncv3.otlp.password | b64enc | quote }}
{{- end }}
{{- end }}
{{ if .Values.syncv3.sentryDsn }}
SYNCV3_SENTRY_DSN: {{ .Values.syncv3.sentryDsn | b64enc | quote }}
{{- end }}
SYNCV3_LOG_LEVEL: {{ .Values.syncv3.logLevel | b64enc | quote }}
{{ if .Values.syncv3.maxDbConn }}
SYNCV3_MAX_DB_CONN: {{ .Values.syncv3.maxDbConn | b64enc | quote }}

{{- end }}
{{- end }}
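Review bot: the `pprof` and `prom` conditions are inverted: `{{ if not .Values.syncv3.pprof }}` emits `SYNCV3_PPROF` only when the value is empty and drops it when the user actually sets one, the opposite of the `tlsCert`/`tlsKey` blocks above; make them `{{ if .Values.syncv3.pprof }}` and `{{ if .Values.syncv3.prom }}`. Second, `SYNCV3_SECRET: {{ randAlphaNum 32 | b64enc | quote }}` is re-evaluated on every `helm upgrade`, so with `syncv3.secret` unset the key that encrypts access tokens rotates on each release, which the values table says must not happen for the lifetime of the database; either require the value or reuse the existing Secret's key via `lookup` before falling back to a random one. Last, the blank line before the final two `{{- end }}` lines reads like a leftover; confirm the outer `end` closes a wrapper above line 3 of this file and is not an unmatched one.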