Upgrade PostgreSQL subchart to 12.12.10 and update OIDC config to better match homeserver.yaml `oidc_providers` list (#474)

* upgrade postgresql and change to current synapse OIDC standards

* make sure oidc is false by default, was only true during testing

* add some more notes for OIDC and status

* fix painful dyslexia typos of odic to oidc

* upgrade postgresql in Chart.lock and charts directory

* lint the values.yaml

* update the fullname templating for postgresql to use postgresql.v1.primary.fullname instead of postgresql.primary.fullname
jessebot authored Oct 29, 2023
1 parent e582878 commit fad36ba
Showing 11 changed files with 146 additions and 270 deletions.
14 changes: 8 additions & 6 deletions README.md
Expand Up @@ -13,31 +13,33 @@ helm repo add matrix https://jessebot.github.io/matrix-chart
helm install my-release-name matrix --values values.yaml
```


## Current Features
## Current Features ✨

- Latest version of [Synapse](https://github.com/matrix-org/synapse) (the official homeserver edition of matrix)
- Ingress definitions for federated Synapse (Matrix homeserver) and Element (frontend and CMS for matrix)

### Optional Features

- Use (existing) Kubernetes Secrets for confidential data, such as passwords
- Use OIDC configs for SSO
- Use OIDC configs for SSO (see synapse [docs](https://github.com/matrix-org/synapse/blob/747416e94cd8f137b9173c132f7c44ea1c59534d/docs/openid.md) for more info)
- Latest version of [Element](https://element.io/)
- [Bitnami PostgreSQL subchart](https://github.com/bitnami/charts/tree/main/bitnami/postgresql) to deploy a cluster - needs some work to standardize though, so we also support external postgresql servers
- [Coturn TURN server subchart](https://github.com/jessebot/coturn-chart) for VoIP calls
- Use s3 to store stuff :D
- Use [s3 to store stuff](https://github.com/matrix-org/synapse-s3-storage-provider/tree/main)

#### ⚠️ Optional Features (Untested Since Fork)

These features still need to be tested, but are technically baked into the chart:

- Choice of lightweight Exim relay or external mail server for email notifications
- [Half-Shot/matrix-appservice-discord](https://github.com/Half-Shot/matrix-appservice-discord) Discord bridge
- [matrix-org/matrix-appservice-irc](https://github.com/matrix-org/matrix-appservice-irc) IRC bridge
- [tulir/mautrix-whatsapp](https://github.com/tulir/mautrix-whatsapp) WhatsApp bridge


## Status

Working on full stability, but always happy to receive GitHub Issues or PRs 💙

This chart is now maintained mostly by me, @jessebot, but I'd love contributors as well! My goal is to provide regular updates using dependabot (maybe renovatebot soon) and provide some level of basic security from a k8s perspective. The aim as of right now has been removing any plaintext secrets and allowing for existing PVCs. I'm also trying to standardize the chart more by following predictable values.yaml patterns.

Note: I may stop supporting this if a larger entity maintains a better matrix chart (e.g. Bitnami releases a matrix helm chart), as then I'll just write PRs directly to them. At that time I'll put in a note in this README before publically archiving the repo.
Note: I may stop supporting this if a larger entity maintains a better matrix chart (e.g. Bitnami releases a matrix helm chart), as then I'll just write PRs directly to them. At that time I'll put in a note in this README before publically archiving the repo. As of right now though, in October 2023, there are no other actively maintained matrix helm charts for matrix that meet all my needs or are regularly updated to justify creating PRs.
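Review bot: the README hunk says nothing about the values rename this commit makes (`matrix.oidc_config.*` becomes `matrix.oidc.providers[]`), so someone following the "Use OIDC configs for SSO" bullet with an older values file gets no hint that their settings are now ignored; a one-line migration note under Optional Features or Status would cover it. Minor: "publically" in the status note should read "publicly".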
6 changes: 3 additions & 3 deletions charts/matrix/Chart.lock
@@ -1,9 +1,9 @@
dependencies:
- name: postgresql
repository: oci://registry-1.docker.io/bitnamicharts
version: 12.8.2
version: 12.12.10
- name: coturn
repository: https://jessebot.github.io/coturn-chart
version: 4.2.1
digest: sha256:985196577925eac88439aaad965d1f040d249087c95f8438614a051651efd6ac
generated: "2023-08-11T11:05:27.126156044Z"
digest: sha256:0cf269ad4d55165ccfe045bf081dff19db8439916ee853bc7199419c2603d189
generated: "2023-10-29T10:22:45.281145835+01:00"
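Review bot: the regenerated `digest` is a hash of the resolved dependency list, not of the tarball, so nothing in this lock ties the vendored `charts/postgresql-12.12.10.tgz` added in the same commit to what `oci://registry-1.docker.io/bitnamicharts` actually served. Produce the tarball with `helm dependency update` rather than copying it in, and consider not committing the tgz at all, since `helm dependency build` recreates it from this lock.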
4 changes: 2 additions & 2 deletions charts/matrix/Chart.yaml
Expand Up @@ -8,7 +8,7 @@ sources:

type: application

version: 4.6.3
version: 4.7.0

# renovate: image=matrixdotorg/synapse
appVersion: v1.95.0
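Review bot: a minor bump to 4.7.0 understates the change: `matrix.oidc_config` is replaced by `matrix.oidc.providers`, and `_homeserver.yaml` now only emits `oidc_providers` when `matrix.oidc.enabled` is true, so an existing values file with `matrix.oidc_config.enabled: true` upgrades without error but silently loses its SSO configuration. Either bump the major version or add an upgrade note; a `{{ fail "matrix.oidc_config has moved to matrix.oidc.providers" }}` guard in the template when the old key is still set would make the break loud instead of silent.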
Expand All @@ -20,7 +20,7 @@ maintainers:

dependencies:
- name: postgresql
version: 12.8.2
version: 12.12.10
repository: oci://registry-1.docker.io/bitnamicharts
condition: postgresql.enabled
- name: coturn
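Review bot: the postgresql dependency is bumped by hand while `appVersion` above carries a `# renovate: image=matrixdotorg/synapse` marker; given the stated goal of automating updates, a matching renovate or dependabot rule for the helm dependency would bump Chart.yaml, Chart.lock and the vendored tgz together next time instead of relying on three manual edits staying in sync.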
51 changes: 25 additions & 26 deletions charts/matrix/README.md
@@ -1,6 +1,6 @@
# matrix

![Version: 4.6.3](https://img.shields.io/badge/Version-4.6.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.95.0](https://img.shields.io/badge/AppVersion-v1.95.0-informational?style=flat-square)
![Version: 4.7.0](https://img.shields.io/badge/Version-4.7.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.95.0](https://img.shields.io/badge/AppVersion-v1.95.0-informational?style=flat-square)

A Helm chart to deploy a Matrix homeserver stack into Kubernetes

Expand All @@ -21,7 +21,7 @@ A Helm chart to deploy a Matrix homeserver stack into Kubernetes
| Repository | Name | Version |
|------------|------|---------|
| https://jessebot.github.io/coturn-chart | coturn | 4.2.1 |
| oci://registry-1.docker.io/bitnamicharts | postgresql | 12.8.2 |
| oci://registry-1.docker.io/bitnamicharts | postgresql | 12.12.10 |

## Values

Expand Down Expand Up @@ -231,30 +231,29 @@ A Helm chart to deploy a Matrix homeserver stack into Kubernetes
| matrix.logging.rootLogLevel | string | `"WARNING"` | Root log level is the default log level for log outputs that don't have more specific settings. |
| matrix.logging.sqlLogLevel | string | `"WARNING"` | beware: increasing this to DEBUG will make synapse log sensitive information such as access tokens. |
| matrix.logging.synapseLogLevel | string | `"WARNING"` | The log level for the synapse server |
| matrix.oidc_config.authorization_endpoint | string | `"https://accounts.example.com/oauth2/auth"` | oauth2 authorization endpoint. Required if provider discovery disabled. |
| matrix.oidc_config.client_auth_method | string | `"client_secret_post"` | auth method to use when exchanging the token. Valid values are: 'client_secret_basic' (default), 'client_secret_post' and 'none'. |
| matrix.oidc_config.client_id | string | `"provided-by-your-issuer"` | oauth2 client id to use. Required if 'enabled' is true. |
| matrix.oidc_config.client_secret | string | `"provided-by-your-issuer"` | oauth2 client secret to use. Required if 'enabled' is true. |
| matrix.oidc_config.discover | bool | `true` | set to false to disable use of the OIDC discovery mechanism to discover endpoints. |
| matrix.oidc_config.enabled | bool | `false` | set to true to enable authorization against an OpenID Connect server |
| matrix.oidc_config.existingSecret | string | `""` | existing secret to use for the OIDC config |
| matrix.oidc_config.issuer | string | `"https://accounts.example.com/"` | OIDC issuer. Used to validate tokens and (if discovery is enabled) to discover the provider's endpoints. Required if 'enabled' is true. |
| matrix.oidc_config.jwks_uri | string | `"https://accounts.example.com/.well-known/jwks.json"` | URI where to fetch the JWKS. Required if discovery is disabled and the "openid" scope is used. |
| matrix.oidc_config.scopes | list | `["openid","profile"]` | list of scopes to request. should normally include the "openid" scope. Defaults to ["openid"]. |
| matrix.oidc_config.secretKeys.authorization_endpoint | string | `"authorization_endpoint"` | key in secret with the authorization_endpoint if discovery is disabled |
| matrix.oidc_config.secretKeys.client_id | string | `"client_id"` | key in secret with the client_id |
| matrix.oidc_config.secretKeys.client_secret | string | `"client_secret"` | key in secret with the client_secret |
| matrix.oidc_config.secretKeys.issuer | string | `"issuer"` | key in secret with the issuer |
| matrix.oidc_config.secretKeys.jwks_uri | string | `"jwks_uri"` | key in secret with the if discovery is disabled and openid is scope |
| matrix.oidc_config.secretKeys.token_endpoint | string | `"token_endpoint"` | key in secret with the token_endpoint if discovery is disabled |
| matrix.oidc_config.secretKeys.userinfo_endpoint | string | `"userinfo_endpoint"` | key in secret with the userinfo_endpoint if discovery is disabled |
| matrix.oidc_config.skip_verification | bool | `false` | |
| matrix.oidc_config.token_endpoint | string | `"https://accounts.example.com/oauth2/token"` | the oauth2 token endpoint. Required if provider discovery is disabled. |
| matrix.oidc_config.user_mapping_provider.config.display_name_template | string | `""` | |
| matrix.oidc_config.user_mapping_provider.config.localpart_template | string | `""` | |
| matrix.oidc_config.user_mapping_provider.config.subject_claim | string | `""` | name of the claim containing a unique identifier for user. Defaults to `sub`, which OpenID Connect compliant providers should provide. |
| matrix.oidc_config.user_mapping_provider.module | string | `""` | The custom module's class. Uncomment to use a custom module. Default is 'synapse.handlers.oidc_handler.JinjaOidcMappingProvider'. github.com/matrix-org/synapse/blob/master/docs/sso_mapping_providers.md#openid-mapping-providers for information on implementing a custom mapping provider. example: module: mapping_provider.OidcMappingProvider |
| matrix.oidc_config.userinfo_endpoint | string | `"https://accounts.example.com/userinfo"` | the OIDC userinfo endpoint. Required if discovery is disabled and the "openid" scope is not requested. |
| matrix.oidc.enabled | bool | `false` | set to true to enable authorization against an OpenID Connect server |
| matrix.oidc.existingSecret | string | `""` | existing secret to use for the OIDC config |
| matrix.oidc.providers | list | `[{"authorization_endpoint":"https://accounts.example.com/oauth2/auth","backchannel_logout_enabled":true,"client_auth_method":"client_secret_post","client_id":"provided-by-your-issuer","client_secret":"provided-by-your-issuer","discover":true,"idp_brand":"","idp_id":"","idp_name":"","issuer":"https://accounts.example.com/","scopes":["openid","profile"],"skip_verification":false,"token_endpoint":"https://accounts.example.com/oauth2/token","user_mapping_provider":{"config":{"display_name_template":"","localpart_template":"","picture_template":"{{ user.data.profile_image_url }}","subject_claim":""}},"userinfo_endpoint":"https://accounts.example.com/userinfo"}]` | each of these will be templated under oidc_providers in homeserver.yaml ref: https://matrix-org.github.io/synapse/latest/openid.html?search= |
| matrix.oidc.providers[0] | object | `{"authorization_endpoint":"https://accounts.example.com/oauth2/auth","backchannel_logout_enabled":true,"client_auth_method":"client_secret_post","client_id":"provided-by-your-issuer","client_secret":"provided-by-your-issuer","discover":true,"idp_brand":"","idp_id":"","idp_name":"","issuer":"https://accounts.example.com/","scopes":["openid","profile"],"skip_verification":false,"token_endpoint":"https://accounts.example.com/oauth2/token","user_mapping_provider":{"config":{"display_name_template":"","localpart_template":"","picture_template":"{{ user.data.profile_image_url }}","subject_claim":""}},"userinfo_endpoint":"https://accounts.example.com/userinfo"}` | id of your identity provider, e.g. dex |
| matrix.oidc.providers[0].authorization_endpoint | string | `"https://accounts.example.com/oauth2/auth"` | oauth2 authorization endpoint. Required if provider discovery disabled. |
| matrix.oidc.providers[0].client_auth_method | string | `"client_secret_post"` | auth method to use when exchanging the token. Valid values are: 'client_secret_basic' (default), 'client_secret_post' and 'none'. |
| matrix.oidc.providers[0].client_id | string | `"provided-by-your-issuer"` | oauth2 client id to use. Required if 'enabled' is true. |
| matrix.oidc.providers[0].client_secret | string | `"provided-by-your-issuer"` | oauth2 client secret to use. Required if 'enabled' is true. |
| matrix.oidc.providers[0].discover | bool | `true` | turn off discovery by setting this to false |
| matrix.oidc.providers[0].idp_brand | string | `""` | optional styling hint for clients |
| matrix.oidc.providers[0].idp_name | string | `""` | human readable comment of your identity provider, e.g. "My Dex Server" |
| matrix.oidc.providers[0].issuer | string | `"https://accounts.example.com/"` | OIDC issuer. Used to validate tokens and (if discovery is enabled) to discover the provider's endpoints. Required if 'enabled' is true. |
| matrix.oidc.providers[0].scopes | list | `["openid","profile"]` | list of scopes to request. should normally include the "openid" scope. Defaults to ["openid"]. |
| matrix.oidc.providers[0].token_endpoint | string | `"https://accounts.example.com/oauth2/token"` | the oauth2 token endpoint. Required if provider discovery is disabled. |
| matrix.oidc.providers[0].user_mapping_provider.config | object | `{"display_name_template":"","localpart_template":"","picture_template":"{{ user.data.profile_image_url }}","subject_claim":""}` | The custom module's class. Uncomment to use a custom module. Default is 'synapse.handlers.oidc_handler.JinjaOidcMappingProvider'. github.com/matrix-org/synapse/blob/master/docs/sso_mapping_providers.md#openid-mapping-providers for information on implementing a custom mapping provider. example: module: mapping_provider.OidcMappingProvider Custom configuration values for the module. This section will be passed as a Python dictionary to the user mapping provider module's `parse_config` method. The examples below are intended for the default provider: they should be changed if using a custom provider. |
| matrix.oidc.providers[0].user_mapping_provider.config.subject_claim | string | `""` | name of the claim containing a unique identifier for user. Defaults to `sub`, which OpenID Connect compliant providers should provide. |
| matrix.oidc.providers[0].userinfo_endpoint | string | `"https://accounts.example.com/userinfo"` | the OIDC userinfo endpoint. Required if discovery is disabled and the "openid" scope is not requested. |
| matrix.oidc.secretKeys.authorization_endpoint | string | `""` | key in secret with the authorization_endpoint if discovery is disabled |
| matrix.oidc.secretKeys.client_id | string | `"client_id"` | key in secret with the client_id |
| matrix.oidc.secretKeys.client_secret | string | `"client_secret"` | key in secret with the client_secret |
| matrix.oidc.secretKeys.issuer | string | `"issuer"` | key in secret with the issuer |
| matrix.oidc.secretKeys.token_endpoint | string | `""` | key in secret with the token_endpoint if discovery is disabled |
| matrix.oidc.secretKeys.userinfo_endpoint | string | `""` | key in secret with the userinfo_endpoint if discovery is disabled |
| matrix.presence | bool | `true` | Set to false to disable presence (online/offline indicators) |
| matrix.registration.allowGuests | bool | `false` | Allow users to join rooms as a guest |
| matrix.registration.autoJoinRooms | list | `[]` | Rooms to automatically join all new users to |
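Review bot: the generated table shows `matrix.oidc.existingSecret` and `matrix.oidc.secretKeys.*` surviving the refactor, but nothing in this commit reads them any more (the `matrix.oidc.secretName` helper is deleted and `_homeserver.yaml` now templates providers straight from values), while the default provider carries `client_secret: "provided-by-your-issuer"` inline; either drop the dead `existingSecret`/`secretKeys` entries or wire them back in. Also unexplained: `secretKeys.authorization_endpoint`, `token_endpoint` and `userinfo_endpoint` defaults changed from the key name to `""`, and `secretKeys.jwks_uri` was removed even though the old description documented `jwks_uri` as required when discovery is off and the `openid` scope is used.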
Binary file added charts/matrix/charts/postgresql-12.12.10.tgz
Binary file removed charts/matrix/charts/postgresql-12.8.2.tgz
11 changes: 0 additions & 11 deletions charts/matrix/templates/_helpers.tpl
Expand Up @@ -156,14 +156,3 @@ Helper function to get the registration secret containing the sharedSecret
{{ template "matrix.fullname" . }}-registration-secret
{{- end }}
{{- end }}

{{/*
Helper function to get the OIDC secret containing the OIDC client id, client secret, and issuer
*/}}
{{- define "matrix.oidc.secretName" -}}
{{- if .Values.matrix.oidc_config.existingSecret -}}
{{ .Values.matrix.oidc_config.existingSecret }}
{{- else -}}
{{ template "matrix.fullname" . }}-oidc-secret
{{- end }}
{{- end }}
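Review bot: deleting `matrix.oidc.secretName` leaves `matrix.oidc.existingSecret` in values.yaml with no consumer and removes the only helper that resolved an OIDC secret name; combined with the `toYaml` rendering in `_homeserver.yaml`, the provider's `client_secret` now lands verbatim in the rendered homeserver.yaml from values. That runs against the README's stated aim of removing plaintext secrets. Keep the helper and source `client_id`/`client_secret`/`issuer` from the Secret, or switch the provider to Synapse's `client_secret_path` so only a file path is written into homeserver.yaml.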
87 changes: 5 additions & 82 deletions charts/matrix/templates/synapse/_homeserver.yaml
Expand Up @@ -1492,94 +1492,18 @@ saml2_config:
#
#template_dir: "res/templates"


# OpenID Connect integration. The following settings can be used to make Synapse
# use an OpenID Connect Provider for authentication, instead of its internal
# password database.
#
# See https://github.com/matrix-org/synapse/blob/master/docs/openid.md.
#
oidc_config:
# Uncomment the following to enable authorization against an OpenID Connect
# server. Defaults to false.
#
enabled: {{ .Values.matrix.oidc_config.enabled }}

{{- if .Values.matrix.oidc_config.enabled }}
# Uncomment the following to disable use of the OIDC discovery mechanism to
# discover endpoints. Defaults to true.
discover: {{ .Values.matrix.oidc_config.discover }}

# auth method to use when exchanging the token.
# Valid values are 'client_secret_basic' (default), 'client_secret_post' and
# 'none'.
#
client_auth_method: {{ .Values.matrix.oidc_config.client_auth_method }}

# list of scopes to request. This should normally include the "openid" scope.
# Defaults to ["openid"].
#
{{- if .Values.matrix.oidc_config.scopes }}
scopes:
{{- range .Values.matrix.oidc_config.scopes }}
- {{ . | quote }}
{{- if .Values.matrix.oidc.enabled }}
oidc_providers:
{{- range .Values.matrix.oidc.providers }}
- {{ . | toYaml | indent 4 | trim }}
{{- end }}
{{- end }}

# Uncomment to skip metadata verification. Defaults to false.
#
# Use this if you are connecting to a provider that is not OpenID Connect
# compliant.
# Avoid this in production.
#
skip_verification: {{ .Values.matrix.oidc_config.skip_verification }}

# An external module can be provided here as a custom solution to mapping
# attributes returned from a OIDC provider onto a matrix user.
#
user_mapping_provider:
# The custom module's class. Uncomment to use a custom module.
# Default is 'synapse.handlers.oidc_handler.JinjaOidcMappingProvider'.
#
# See https://github.com/matrix-org/synapse/blob/master/docs/sso_mapping_providers.md#openid-mapping-providers
# for information on implementing a custom mapping provider.
#
{{- if .Values.matrix.oidc_config.user_mapping_provider.module }}
module: {{ .Values.matrix.oidc_config.user_mapping_provider.module }}
{{- end }}

# Custom configuration values for the module. This section will be passed as
# a Python dictionary to the user mapping provider module's `parse_config`
# method.
#
# The examples below are intended for the default provider: they should be
# changed if using a custom provider.
#
config:
# name of the claim containing a unique identifier for the user.
# Defaults to `sub`, which OpenID Connect compliant providers should provide.
#
{{- if .Values.matrix.oidc_config.user_mapping_provider.config.subject_claim }}
subject_claim: {{ .Values.matrix.oidc_config.user_mapping_provider.config.subject_claim }}
{{- end }}
# Jinja2 template for the localpart of the MXID.
#
# When rendering, this template is given the following variables:
# * user: The claims returned by the UserInfo Endpoint and/or in the ID
# Token
#
# This must be configured if using the default mapping provider.
{{- if .Values.matrix.oidc_config.user_mapping_provider.config.localpart_template }}
localpart_template: {{ .Values.matrix.oidc_config.user_mapping_provider.config.localpart_template }}
{{- end }}

{{- if .Values.matrix.oidc_config.user_mapping_provider.config.display_name_template }}
# Jinja2 template for the display name to set on first login.
# If unset, no displayname will be set.
display_name_template: {{ .Values.matrix.oidc_config.user_mapping_provider.config.display_name_template }}
{{- end }}
{{- end }}

{{- end }}

# Enable CAS for registration and login.
#
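Review bot: `- {{ . | toYaml | indent 4 | trim }}` only yields valid YAML if the `- ` marker itself is indented two spaces, so that the first key (column 4 after the marker) lines up with the `indent 4` applied to the remaining keys; the rendered diff strips leading whitespace, so please confirm with `helm template` that each provider parses as one mapping. The old per-field `{{- if }}` guards are also gone: every empty default in `matrix.oidc.providers[0]` (`idp_id: ""`, `idp_name: ""`, `subject_claim: ""`, `localpart_template: ""`, `display_name_template: ""`) is now written out as an explicit empty string instead of being omitted, and the removed comment block itself says `localpart_template` must be configured for the default mapping provider, so the shipped defaults are not usable as-is. Filter empty values before rendering or document that they must be filled in.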
Expand All @@ -1591,7 +1515,6 @@ oidc_config:
# #required_attributes:
# # name: value


# Additional settings to use with single-sign on systems such as OpenID Connect,
# SAML2 and CAS.
#