feat: add mas

2024-04-12 16:28:52 +02:00 · 2024-04-12 16:28:52 +02:00 · 5869dcecae
commit 5869dcecae
parent 8322a356f7
8 changed files with 287 additions and 0 deletions
--- a/charts/matrix-authentication-service/Chart.yaml
+++ b/charts/matrix-authentication-service/Chart.yaml
@ -0,0 +1,19 @@
+apiVersion: v2
+name: matrix-authentication-service
+description: OAuth 2.0 and OpenID Provider for Matrix Homeservers (MSC3861)
+icon: https://avatars.githubusercontent.com/u/8418310?s=48&v=4
+type: application
+version: 0.1.0
+# renovate: image=ghcr.io/matrix-org/matrix-authentication-service
+appVersion: "0.9.0"
+maintainers:
+- name: Tommy Skaug
+  email: tommy@skaug.me
+keywords:
+- kubernetes
+- matrix
+- authentication
+- elementx
+- service
+sources:
+- https://github.com/matrix-org/matrix-authentication-service
--- a/charts/matrix-authentication-service/templates/_helpers.tpl
+++ b/charts/matrix-authentication-service/templates/_helpers.tpl
@ -0,0 +1,30 @@
+# Define a template for the chart's full name.
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "matrix-authentication-service.fullname" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end }}
+
+# Define a template for standard labels.
+{{/*
+Common labels
+*/}}
+{{- define "matrix-authentication-service.labels" -}}
+helm.sh/chart: {{ include "matrix-authentication-service.chart" . }}
+app.kubernetes.io/name: {{ include "matrix-authentication-service.fullname" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/version: {{ .Chart.Version | quote }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+# Define a template for the chart name and version.
+{{/*
+Generate basic labels
+*/}}
+{{- define "matrix-authentication-service.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" -}}
+{{- end }}
+
+# Optionally, add more helper templates as needed.
--- a/charts/matrix-authentication-service/templates/deployment.yaml
+++ b/charts/matrix-authentication-service/templates/deployment.yaml
@ -0,0 +1,102 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "matrix-authentication-service.fullname" . }}
+  labels:
+    {{- include "matrix-authentication-service.labels" . | nindent 4 }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: {{ include "matrix-authentication-service.fullname" . }}
+  template:
+    metadata:
+      labels:
+        app: {{ include "matrix-authentication-service.fullname" . }}
+    spec:
+      serviceAccountName: {{ include "matrix-authentication-service.fullname" . }}
+      initContainers:
+        - name: database-migrate
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          {{- with .Values.image }}
+          image: "{{ coalesce $.Values.global.image.registry .registry }}/{{ .repository }}:{{ .tag | default $.Chart.AppVersion }}"
+          imagePullPolicy: {{ coalesce $.Values.global.image.pullPolicy .pullPolicy }}
+          {{- end }}
+          env:
+            - name: "MAS_CONFIG"
+              value: "/etc/mas-config.yaml"
+          command:
+            - /usr/local/bin/mas-cli
+            - database
+            - migrate
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          volumeMounts:
+            - name: config
+              mountPath: "/etc/mas-config.yaml"
+              subPath: "mas-config.yaml"
+              readOnly: true
+        - name: config-sync
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          {{- with .Values.image }}
+          image: "{{ coalesce $.Values.global.image.registry .registry }}/{{ .repository }}:{{ .tag | default $.Chart.AppVersion }}"
+          imagePullPolicy: {{ coalesce $.Values.global.image.pullPolicy .pullPolicy }}
+          {{- end }}
+          env:
+            - name: "MAS_CONFIG"
+              value: "/etc/mas-config.yaml"
+          command:
+            - /usr/local/bin/mas-cli
+            - config
+            - sync
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          volumeMounts:
+            - name: config
+              mountPath: "/etc/mas-config.yaml"
+              subPath: "mas-config.yaml"
+              readOnly: true
+            {{- with .Values.volumeMounts }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          {{- with .Values.image }}
+          image: "{{ coalesce $.Values.global.image.registry .registry }}/{{ .repository }}:{{ .tag | default $.Chart.AppVersion }}"
+          imagePullPolicy: {{ coalesce $.Values.global.image.pullPolicy .pullPolicy }}
+          {{- end }}
+          env:
+            - name: "MAS_CONFIG"
+              value: "/etc/mas-config.yaml"
+          ports:
+            - name: http
+              containerPort: 8080
+              protocol: TCP
+            - name: internal
+              containerPort: 8081
+              protocol: TCP
+            - name: metrics
+              containerPort: 9100
+              protocol: TCP
+          livenessProbe:
+            {{- toYaml .Values.livenessProbe | nindent 12 }}
+          readinessProbe:
+            {{- toYaml .Values.readinessProbe | nindent 12 }}
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          volumeMounts:
+            - name: config
+              mountPath: "/etc/mas-config.yaml"
+              subPath: "mas-config.yaml"
+              readOnly: true
+      volumes:
+        - name: config
+          secret:
+            secretName: {{ .Values.existingSecretConfigMap }}
+            items:
+             - key: "config.yaml"
+               path: "mas-config.yaml"
--- a/charts/matrix-authentication-service/templates/service.yaml
+++ b/charts/matrix-authentication-service/templates/service.yaml
@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "matrix-authentication-service.fullname" . }}
+  labels:
+    {{- include "matrix-authentication-service.labels" . | nindent 4 }}
+spec:
+  selector:
+    app: {{ include "matrix-authentication-service.fullname" . }}
+  ports:
+  - port: 8080
+    targetPort: 8080
--- a/charts/matrix-authentication-service/templates/serviceaccount.yaml
+++ b/charts/matrix-authentication-service/templates/serviceaccount.yaml
@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "matrix-authentication-service.fullname" . }}
+  labels:
+    {{- include "matrix-authentication-service.labels" . | nindent 4 }}
--- a/charts/matrix-authentication-service/templates/servicemonitor.yaml
+++ b/charts/matrix-authentication-service/templates/servicemonitor.yaml
@ -0,0 +1,18 @@
+{{- if .Values.prometheus.servicemonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "matrix-authentication-service.fullname" . }}
+  labels:
+    {{- include "matrix-authentication-service.labels" . | nindent 4 }}
+    {{- with .Values.prometheus.servicemonitor.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "matrix-authentication-service.selectorLabels" . | nindent 6 }}
+  endpoints:
+    - port: metrics
+      path: "/metrics"
+{{- end }}
--- a/charts/matrix-authentication-service/tests/values.yaml
+++ b/charts/matrix-authentication-service/tests/values.yaml
@ -0,0 +1,49 @@
+nameOverride: ""
+fullnameOverride: ""
+
+existingSecretConfigMap: matrix-authentication-service-secret
+
+image:
+  registry: ghcr.io
+  repository: matrix-org/matrix-authentication-service
+  pullPolicy: IfNotPresent
+  # -- Overrides the image tag whose default is the chart appVersion.
+  tag:
+
+replicaCount: 1
+
+podAnnotations: {}
+podLabels: {}
+
+podSecurityContext:
+  fsGroup: 1000
+
+securityContext:
+  capabilities:
+    drop:
+    - ALL
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: 1000
+
+livenessProbe:
+  httpGet:
+    port: internal
+    path: /health
+readinessProbe:
+  httpGet:
+    port: internal
+    path: /health
+
+prometheus:
+  servicemonitor:
+    enabled: false
+    labels: {}
+
+resources: {}
+# limits:
+#   cpu: 100m
+#   memory: 128Mi
+# requests:
+#   cpu: 100m
+#   memory: 128Mi
--- a/charts/matrix-authentication-service/values.yaml
+++ b/charts/matrix-authentication-service/values.yaml
@ -0,0 +1,49 @@
+nameOverride: ""
+fullnameOverride: ""
+
+existingSecretConfigMap: matrix-authentication-service-secret
+
+image:
+  registry: ghcr.io
+  repository: matrix-org/matrix-authentication-service
+  pullPolicy: IfNotPresent
+  # -- Overrides the image tag whose default is the chart appVersion.
+  tag:
+
+replicaCount: 1
+
+podAnnotations: {}
+podLabels: {}
+
+podSecurityContext:
+  fsGroup: 1000
+
+securityContext:
+  capabilities:
+    drop:
+    - ALL
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: 1000
+
+livenessProbe:
+  httpGet:
+    port: internal
+    path: /health
+readinessProbe:
+  httpGet:
+    port: internal
+    path: /health
+
+prometheus:
+  servicemonitor:
+    enabled: false
+    labels: {}
+
+resources: {}
+# limits:
+#   cpu: 100m
+#   memory: 128Mi
+# requests:
+#   cpu: 100m
+#   memory: 128Mi