diff --git a/.github/workflows/ci-helm-workflow.yml b/.github/workflows/ci-helm-workflow.yml
index 1d883fc5..ca106d88 100644
--- a/.github/workflows/ci-helm-workflow.yml
+++ b/.github/workflows/ci-helm-workflow.yml
@@ -2,9 +2,10 @@ name: Lint
 on:
 pull_request:
- paths:
- - '/**'
- - '.github/workflows/ci-helm-workflow.yml'
+ paths-ignore:
+ - 'README.md'
+ - '**/README.md'
+ - '.github/**'
 permissions:
 contents: read
@@ -15,16 +16,38 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
 with:
 fetch-depth: "0"
- - name: Validate schema
- id: kubeval
+ - name: Install Helm
+ uses: azure/setup-helm@v3.5
+
+ - name: Add dependency chart repos
 run: |
- curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
 helm repo add bitnami https://charts.bitnami.com/bitnami
- helm plugin install https://github.com/instrumenta/helm-kubeval
- helm dependency build
- helm lint
- helm kubeval .``
\ No newline at end of file
+
+ - name: Set up chart-testing
+ uses: helm/chart-testing-action@v2.4.0
+
+ - name: Run chart-testing (list-changed)
+ id: list-changed
+ run: |
+ changed=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }})
+ if [[ -n "$changed" ]]; then
+ echo "changed=true" >> "$GITHUB_OUTPUT"
+ fi
+
+ - name: Run chart-testing (lint)
+ id: lint
+ if: steps.list-changed.outputs.changed == 'true'
+ run: ct lint --target-branch ${{ github.event.repository.default_branch }}
+
+ - name: Create kind cluster
+ uses: helm/kind-action@v1.8.0
+ if: steps.list-changed.outputs.changed == 'true'
+
+ - name: Run chart-testing (install)
+ id: install
+ if: steps.list-changed.outputs.changed == 'true'
+ run: ct install --target-branch ${{ github.event.repository.default_branch }}
diff --git a/README.md b/README.md
index f0f7bff2..d6bffb90 100644
--- a/README.md
+++ b/README.md
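Review bot: The new `paths-ignore` list contains `'.github/**'`, so a pull request that only edits this workflow (or anything else under `.github/`) no longer runs the Lint job at all, whereas the old `paths` list explicitly included `.github/workflows/ci-helm-workflow.yml`. A broken CI definition would then only be noticed after merge. Keep the workflow in scope by dropping that entry, or narrow it to the specific non-workflow subdirectories of `.github/` you actually want excluded instead of `- '.github/**'`.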
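Review bot: The third-party actions introduced in this hunk — `azure/setup-helm@v3.5`, `helm/chart-testing-action@v2.4.0`, `helm/kind-action@v1.8.0` (and the bumped `actions/checkout@v3`) — are referenced by mutable tags, so the code this workflow executes can change upstream without any diff in this repository. Pinning each `uses:` to a full commit SHA with the version in a trailing comment, e.g. `uses: helm/kind-action@<commit-sha>  # v1.8.0`, closes that gap and Dependabot can keep the pins current. The `${{ github.event.repository.default_branch }}` expressions are interpolated straight into `run:` shell lines; the value is repository metadata rather than pull-request input so the risk is low, but routing it through an `env:` variable is the recommended idiom for any expression inside `run:`. Also worth confirming that the removed `helm dependency build` is covered by `ct lint` / `ct install`, which as far as I recall build dependencies for each changed chart themselves.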
@@ -5,22 +5,22 @@ A Helm chart for deploying a Matrix homeserver stack in Kubernetes. This is a fo ## Features - Latest version of [Synapse](https://github.com/matrix-org/synapse) -- (Optional) Latest version of [Element](https://element.io/) -- (Optional) Choice of lightweight Exim relay or external mail server for email notifications -- (Optional) [Coturn TURN server](https://hub.docker.com/r/coturn/coturn) for VoIP calls -- (Optional) PostgreSQL cluster via [Bitnami](https://github.com/bitnami/charts/tree/main/bitnami/postgresql) -- (Optional) [matrix-org/matrix-appservice-irc](https://github.com/matrix-org/matrix-appservice-irc) IRC bridge -- (Optional) [tulir/mautrix-whatsapp](https://github.com/tulir/mautrix-whatsapp) WhatsApp bridge -- (Optional) [Half-Shot/matrix-appservice-discord](https://github.com/Half-Shot/matrix-appservice-discord) Discord bridge - Ingress definition for federated Synapse and Element -## Installation +### Opptional Features +- Latest version of [Element](https://element.io/) +- Choice of lightweight Exim relay or external mail server for email notifications +- [Coturn TURN server](https://hub.docker.com/r/coturn/coturn) for VoIP calls +- [Bitnami PostgreSQL sub-chart](https://github.com/bitnami/charts/tree/main/bitnami/postgresql) to deploy a cluster - needs some work to standardize though, so we also support external postgresql servers +- [matrix-org/matrix-appservice-irc](https://github.com/matrix-org/matrix-appservice-irc) IRC bridge +- [tulir/mautrix-whatsapp](https://github.com/tulir/mautrix-whatsapp) WhatsApp bridge +- [Half-Shot/matrix-appservice-discord](https://github.com/Half-Shot/matrix-appservice-discord) Discord bridge -Some documentation is available in [values.yaml](./charts/matrix/values.yaml) (see [README](./charts/matrix/README.md) for more docs. +## Installation -Choose one of the two options below to install the chart. +Some documentation is available in [`values.yaml`](./charts/matrix/values.yaml). 
See [charts/matrix/README.md](./charts/matrix/README.md) for docs auto-generated from the `values.yaml`.
-### Standard helm
+### This is released normally, so you should be able to do:
@@ -29,23 +29,3 @@ helm repo add matrix https://jessebot.github.io/matrix-chart
 helm repo update
 helm install my-release-name matrix
 ```
-
-### Git
-
-You can also clone this repo directly and override the values.yaml provided. To do so, run the following commands:
-
-```bash
-git clone https://github.com/dacruz21/matrix-chart.git
-cd matrix-chart/charts/matrix
-helm dependency update
-helm install matrix .
-```
-
-## Security
-Helm currently [does not officially support chart signatures created by GPG keys stored on smartcards](https://github.com/helm/helm/issues/2843#issuecomment-379532906). This may change in the future, in which case I will start packaging this chart with the standard `.prov` signatures, but until then signatures must be verified manually.
-
-GPG signatures are available within the chart repo and can be found by appending `.gpg` to the end of the package URL. For example, the signature for v2.8.0 is available at https://dacruz21.github.io/helm-charts/matrix-2.8.0.tgz.gpg.
-
-These GPG signatures are signed with the same PGP key that is used to sign commits in this Git repository. The key is available by searching for david@typokign.com on a public keyserver, or by downloading it from my website at https://typokign.com/key.gpg.
-
-If you find any security vulnerabilities in this Helm chart, please contact me by sending a PGP-encrypted email (encrypted to `F13C346C0DE56944`) to david@typokign.com. Vulnerabilities in upstream services should be reported to that service's developers.
diff --git a/charts/matrix/Chart.yaml b/charts/matrix/Chart.yaml
index 518c69f5..09826258 100644
--- a/charts/matrix/Chart.yaml
+++ b/charts/matrix/Chart.yaml
@@ -8,17 +8,18 @@ sources:
 type: application
-version: 3.0.1
+version: 3.1.0
 appVersion: 1.88.0
 maintainers:
- - name: "David Cruz"
+ # this person hasn't updated their upstream repo in years
+ - name: "dacruz21"
 email: "david@typokign.com"
 url: "https://github.com/dacruz21/"
- - name: "Rhea Danzey"
+ - name: "Arkaniad"
 email: "rhea@isomemetric.com"
 url: "https://github.com/Arkaniad/"
- - name: "Jesse Hitch"
+ - name: "jessebot"
 email: "jessebot@linux.com"
 url: "https://github.com/jessebot/"
diff --git a/charts/matrix/README.md b/charts/matrix/README.md
index 56aa798f..f80c5cf7 100644
--- a/charts/matrix/README.md
+++ b/charts/matrix/README.md
@@ -1,6 +1,6 @@
 # matrix
-![Version: 3.0.1](https://img.shields.io/badge/Version-3.0.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.88.0](https://img.shields.io/badge/AppVersion-1.88.0-informational?style=flat-square)
+![Version: 3.1.0](https://img.shields.io/badge/Version-3.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.88.0](https://img.shields.io/badge/AppVersion-1.88.0-informational?style=flat-square)
 A Helm chart to deploy a Matrix homeserver stack into Kubernetes
@@ -10,9 +10,9 @@ A Helm chart to deploy a Matrix homeserver stack into Kubernetes
 | Name | Email | Url |
 | ---- | ------ | --- |
-| David Cruz | | |
-| Rhea Danzey | | |
-| Jesse Hitch | | |
+| dacruz21 | | |
+| Arkaniad | | |
+| jessebot | | |
 ## Source Code
@@ -28,7 +28,7 @@ A Helm chart to deploy a Matrix homeserver stack into Kubernetes
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| bridges.affinity | bool | `false` | |
+| bridges.affinity | bool | `false` | Recommended to leave this disabled to allow bridges to be scheduled on separate nodes. Set this to true to reduce latency between the homeserver and bridges, or if your cloud provider does not allow the ReadWriteMany access mode (see below) |
 | bridges.discord.auth.botToken | string | `""` | Discord bot token for authentication |
 | bridges.discord.auth.clientId | string | `""` | Discord bot clientID for authentication |
 | bridges.discord.channelName | string | `"[Discord] :guild :name"` | |
@@ -212,7 +212,7 @@ A Helm chart to deploy a Matrix homeserver stack into Kubernetes
 | matrix.urlPreviews.rules.maxSize | string | `"10M"` | Maximum size of a crawlable page. Keep this low to prevent a DOS vector |
 | matrix.urlPreviews.rules.url | object | `{}` | Whitelist and blacklist based on URL pattern matching |
 | nameOverride | string | `""` | |
-| networkPolicies.enabled | bool | `true` | |
+| networkPolicies.enabled | bool | `true` | whether to enable kubernetes network policies or not |
 | postgresql.database | string | `"matrix"` | name of database to use for matrix |
 | postgresql.enabled | bool | `true` | Whether to deploy the stable/postgresql chart with this chart. If disabled, make sure PostgreSQL is available at the hostname below and credentials are configured below |
 | postgresql.existingSecret | string | `""` | Name of existing secret to use for PostgreSQL credentials |
@@ -223,10 +223,10 @@ A Helm chart to deploy a Matrix homeserver stack into Kubernetes
 | postgresql.persistence.size | string | `"8Gi"` | size of postgresql volume claim |
 | postgresql.port | int | `5432` | which port to use to connect to your database server |
 | postgresql.secretKeys.database | string | `"database"` | key in existingSecret with name of the database |
-| postgresql.secretKeys.databaseHostname | string | `"databaseHostname"` | key in existingSecret with hostname of the database |
-| postgresql.secretKeys.databasePassword | string | `"databasePassword"` | key in existingSecret with password for matrix to connect to database |
-| postgresql.secretKeys.databasePort | string | `"databasePort"` | key in existingSecret with port of the database |
-| postgresql.secretKeys.databaseUsername | string | `"databaseUsername"` | key in existingSecret with username for matrix to connect to database |
+| postgresql.secretKeys.databaseHostname | string | `"hostname"` | key in existingSecret with hostname of the database |
+| postgresql.secretKeys.databasePassword | string | `"password"` | key in existingSecret with password for matrix to connect to database |
+| postgresql.secretKeys.databasePort | string | `"port"` | key in existingSecret with port of the database |
+| postgresql.secretKeys.databaseUsername | string | `"username"` | key in existingSecret with username for matrix to connect to database |
 | postgresql.securityContext.enabled | bool | `true` | |
 | postgresql.securityContext.fsGroup | int | `1000` | |
 | postgresql.securityContext.runAsUser | int | `1000` | |
diff --git a/charts/matrix/templates/_helpers.tpl b/charts/matrix/templates/_helpers.tpl
index 3c539e6a..110661a0 100644
--- a/charts/matrix/templates/_helpers.tpl
+++ b/charts/matrix/templates/_helpers.tpl
@@ -120,7 +120,7 @@ Helper function to get the postgres secret containing the database credentials
 {{- if and .Values.postgresql.enabled .Values.postgresql.existingSecret -}}
 {{ .Values.postgresql.existingSecret }}
 {{- else -}}
-{{ template "matrix.fullname" . }}-secret
+{{ template "matrix.fullname" . }}-db-secret
 {{- end }}
 {{- end }}
diff --git a/charts/matrix/templates/synapse/database-secret.yaml b/charts/matrix/templates/synapse/database-secret.yaml
new file mode 100644
index 00000000..6924bf6b
--- /dev/null
+++ b/charts/matrix/templates/synapse/database-secret.yaml
@@ -0,0 +1,27 @@
+{{/*
+if postgresql.existingSecret is not passed in, then we create this secret to
+store the credentials without it being in a configmap in plaintext.
+*/}}
+{{- if not .Values.postgresql.existingSecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "matrix.fullname" . }}-db-secret
+ labels:
+ app.kubernetes.io/name: {{ include "matrix.name" . }}
+ helm.sh/chart: {{ include "matrix.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+type: Opaque
+data:
+ {{- if .Values.matrix.adminEmail }}
+ adminEmail: {{ .Values.matrix.adminEmail | b64enc | quote }}
+ {{- end }}
+ {{- if not .Values.postgresql.existingSecret }}
+ hostname: {{ (include "postgresql.name" .) | b64enc | quote }}
+ database: {{ .Values.postgresql.database | b64enc | quote }}
+ username: {{ .Values.postgresql.username | b64enc | quote }}
+ password: {{ .Values.postgresql.password | b64enc | quote }}
+ port: {{ .Values.postgresql.password | b64enc | quote }}
+ {{- end }}
+{{- end }}
diff --git a/charts/matrix/templates/synapse/mail-secret.yaml b/charts/matrix/templates/synapse/mail-secret.yaml
new file mode 100644
index 00000000..6ec642f0
--- /dev/null
+++ b/charts/matrix/templates/synapse/mail-secret.yaml
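Review bot: The fallback name changed here, `{{ template "matrix.fullname" . }}-db-secret`, now refers to the Secret defined in the new `database-secret.yaml`, but the two guards do not agree: this helper returns `existingSecret` only when `and .Values.postgresql.enabled .Values.postgresql.existingSecret` holds, while the new template is rendered only when `not .Values.postgresql.existingSecret`. With `postgresql.enabled: false` and an `existingSecret` set (the external-database setup described in the values table in this diff), the helper resolves to `<fullname>-db-secret`, a Secret the chart never creates. Changing the test to `{{- if .Values.postgresql.existingSecret -}}` makes the helper mirror the template's condition. The enclosing `define` starts outside this hunk, so check it has no caller that relies on the `enabled` test.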
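Review bot: The `port:` entry under `data:` is populated from `.Values.postgresql.password` — `port: {{ .Values.postgresql.password | b64enc | quote }}` — so the generated Secret stores the database password a second time under `port` and never stores the port, and anything reading `secretKeys.databasePort` (now defaulting to `port`) receives the password instead. The deleted `secrets.yaml` had the same slip in its `databasePort` line and this rewrite carries it over. The fix is `port: {{ .Values.postgresql.port | toString | b64enc | quote }}`; `toString` is needed because `postgresql.port` is an int (`5432` per the values table in this diff) and `b64enc` only accepts a string. Separately, the inner `{{- if not .Values.postgresql.existingSecret }}` / `{{- end }}` around the database keys repeats the file-level guard on line 5 and can be dropped.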
@@ -0,0 +1,21 @@
+{{/*
+if mail.external.existingSecret is not passed in, then we create this secret to
+store the credentials without it being in a configmap in plaintext.
+*/}}
+{{- if and .Values.mail.enabled (not .Values.mail.external.existingSecret) }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "matrix.fullname" . }}-mail-secret
+ labels:
+ app.kubernetes.io/name: {{ include "matrix.name" . }}
+ helm.sh/chart: {{ include "matrix.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+type: Opaque
+data:
+ hostname: {{ .Values.mail.external.hostname | b64enc | quote }}
+ username: {{ .Values.mail.external.username | b64enc | quote }}
+ password: {{ .Values.mail.external.password | b64enc | quote }}
+ port: {{ .Values.mail.external.port | b64enc | quote }}
+{{- end }}
diff --git a/charts/matrix/templates/synapse/secrets.yaml b/charts/matrix/templates/synapse/secrets.yaml
deleted file mode 100644
index dae41e9a..00000000
--- a/charts/matrix/templates/synapse/secrets.yaml
+++ /dev/null
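Review bot: `port: {{ .Values.mail.external.port | b64enc | quote }}` fails at render time if `mail.external.port` is declared as a number in values.yaml (that part of the file is not in this diff), because `b64enc` requires a string; `port: {{ .Values.mail.external.port | toString | b64enc | quote }}` handles both cases. The guard `and .Values.mail.enabled (not .Values.mail.external.existingSecret)` also renders this Secret whenever mail is enabled, including the built-in Exim relay mode the root README describes, where no external credentials exist; if the chart has a value that selects external mail, gating on it as well avoids creating a Secret of empty values. Both points are carried over from the deleted `secrets.yaml` rather than introduced here.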
@@ -1,34 +0,0 @@
-{{/*
-if niether postgresql.existingSecret nor mail.external.existingSecret is passed
-in, then we create this secret to store the secret info without it being in a
-configmap in plaintext.
-*/}}
-{{- if and (not .Values.postgresql.existingSecret) (not .Values.mail.external.existingSecret) }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ template "matrix.fullname" . }}-secret
- labels:
- app.kubernetes.io/name: {{ include "matrix.name" . }}
- helm.sh/chart: {{ include "matrix.chart" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
-type: Opaque
-data:
- {{- if .Values.matrix.adminEmail }}
- adminEmail: {{ .Values.matrix.adminEmail | b64enc | quote }}
- {{- end }}
- {{- if not .Values.postgresql.existingSecret }}
- databaseHostname: {{ (include "postgresql.name" .) | b64enc | quote }}
- database: {{ .Values.postgresql.database | b64enc | quote }}
- databaseUsername: {{ .Values.postgresql.username | b64enc | quote }}
- databasePassword: {{ .Values.postgresql.password | b64enc | quote }}
- databasePort: {{ .Values.postgresql.password | b64enc | quote }}
- {{- end }}
- {{- if and .Values.mail.enabled (not .Values.mail.external.existingSecret) }}
- mail-hostname: {{ .Values.mail.external.hostname | b64enc | quote }}
- mail-username: {{ .Values.mail.external.username | b64enc | quote }}
- mail-password: {{ .Values.mail.external.password | b64enc | quote }}
- mail-port: {{ .Values.mail.external.port | b64enc | quote }}
- {{- end }}
-{{- end }}
diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml
index 9582ba48..6448fc23 100644
--- a/charts/matrix/values.yaml
+++ b/charts/matrix/values.yaml
@@ -268,15 +268,15 @@ postgresql:
 # postgresql.password/username/hostname/database/port
 secretKeys:
 # -- key in existingSecret with hostname of the database
- databaseHostname: databaseHostname
+ databaseHostname: hostname
 # -- key in existingSecret with port of the database
- databasePort: databasePort
+ databasePort: port
 # -- key in existingSecret with name of the database
 database: database
 # -- key in existingSecret with username for matrix to connect to database
- databaseUsername: databaseUsername
+ databaseUsername: username
 # -- key in existingSecret with password for matrix to connect to database
- databasePassword: databasePassword
+ databasePassword: password
 # -- Whether to connect to the database over SSL
 ssl: false
@@ -352,7 +352,7 @@ synapse:
 # -- Labels to be appended to all Synapse resources
 labels:
 component: synapse
-
+
 # Prometheus metrics for Synapse
 # https://github.com/matrix-org/synapse/blob/master/docs/metrics-howto.md
 metrics:
@@ -532,7 +532,6 @@ mail:
 labels:
 component: mail
-
 # External mail server
 external:
 # -- External mail server hostname
@@ -732,9 +731,8 @@ bridges:
 service:
 type: ClusterIP
 port: 9005
- # Recommended to leave this disabled to allow bridges to be scheduled on separate nodes.
- # Set this to true to reduce latency between the homeserver and bridges, or if your cloud provider does not allow
- # the ReadWriteMany access mode (see below)
+ # -- Recommended to leave this disabled to allow bridges to be scheduled on separate nodes.
+ # Set this to true to reduce latency between the homeserver and bridges, or if your cloud provider does not allow the ReadWriteMany access mode (see below)
 affinity: false
 volume:
 # -- Capacity of the shared volume for storing bridge/appservice registration files
@@ -754,4 +752,5 @@ nameOverride: ""
 fullnameOverride: ""
 networkPolicies:
+ # -- whether to enable kubernetes network policies or not
 enabled: true
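Review bot: The first hunk changes the default `secretKeys` from `databaseHostname`/`databasePort`/`databaseUsername`/`databasePassword` to `hostname`/`port`/`username`/`password`, which silently breaks an upgrade for anyone who supplied their own `postgresql.existingSecret` with keys matching the old defaults, while the Chart.yaml bump in this diff is only 3.0.1 → 3.1.0. The change deserves an upgrade note where users will see it; for example extend each helm-docs comment, `# -- key in existingSecret with hostname of the database (default was databaseHostname before 3.1.0)`, and likewise for the other three keys. The same wording then lands in the generated README table automatically.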