diff --git a/charts/matrix-authentication-service/Chart.yaml b/charts/matrix-authentication-service/Chart.yaml
new file mode 100644
index 0000000..0a65d31
--- /dev/null
+++ b/charts/matrix-authentication-service/Chart.yaml
@@ -0,0 +1,19 @@
+apiVersion: v2
+name: matrix-authentication-service
+description: OAuth 2.0 and OpenID Provider for Matrix Homeservers (MSC3861)
+icon: https://avatars.githubusercontent.com/u/8418310?s=48&v=4
+type: application
+version: 0.1.0
+# renovate: image=ghcr.io/matrix-org/matrix-authentication-service
+appVersion: "0.9.0"
+maintainers:
+- name: Tommy Skaug
+ email: tommy@skaug.me
+keywords:
+- kubernetes
+- matrix
+- authentication
+- elementx
+- service
+sources:
+- https://github.com/matrix-org/matrix-authentication-service
diff --git a/charts/matrix-authentication-service/templates/_helpers.tpl b/charts/matrix-authentication-service/templates/_helpers.tpl
new file mode 100644
index 0000000..b50d533
--- /dev/null
+++ b/charts/matrix-authentication-service/templates/_helpers.tpl
@@ -0,0 +1,30 @@
+# Define a template for the chart's full name.
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "matrix-authentication-service.fullname" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end }}
+
+# Define a template for standard labels.
+{{/*
+Common labels
+*/}}
+{{- define "matrix-authentication-service.labels" -}}
+helm.sh/chart: {{ include "matrix-authentication-service.chart" . }}
+app.kubernetes.io/name: {{ include "matrix-authentication-service.fullname" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/version: {{ .Chart.Version | quote }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+# Define a template for the chart name and version.
+{{/*
+Generate basic labels
+*/}}
+{{- define "matrix-authentication-service.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" -}}
+{{- end }}
+
+# Optionally, add more helper templates as needed.
diff --git a/charts/matrix-authentication-service/templates/deployment.yaml b/charts/matrix-authentication-service/templates/deployment.yaml
new file mode 100644
index 0000000..5f2aa44
--- /dev/null
+++ b/charts/matrix-authentication-service/templates/deployment.yaml
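Review bot: The `labels` helper is the only label template this hunk defines, yet templates/servicemonitor.yaml in the same commit includes `matrix-authentication-service.selectorLabels`, so rendering with `prometheus.servicemonitor.enabled: true` fails on an undefined template. Two smaller points in the same hunk: `app.kubernetes.io/version` is filled from `.Chart.Version`, whereas that label conventionally carries `.Chart.AppVersion | quote` (the chart version already lives in `helm.sh/chart`), and `fullname` never consults `.Values.fullnameOverride`, which values.yaml declares. I would add the selector helper below and reuse it from `labels` so the two cannot drift.
```yaml
{{/*
Selector labels; keep these stable, they end up in immutable selectors
*/}}
{{- define "matrix-authentication-service.selectorLabels" -}}
app.kubernetes.io/name: {{ include "matrix-authentication-service.fullname" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
```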
@@ -0,0 +1,102 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "matrix-authentication-service.fullname" . }}
+ labels:
+ {{- include "matrix-authentication-service.labels" . | nindent 4 }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: {{ include "matrix-authentication-service.fullname" . }}
+ template:
+ metadata:
+ labels:
+ app: {{ include "matrix-authentication-service.fullname" . }}
+ spec:
+ serviceAccountName: {{ include "matrix-authentication-service.fullname" . }}
+ initContainers:
+ - name: database-migrate
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ {{- with .Values.image }}
+ image: "{{ coalesce $.Values.global.image.registry .registry }}/{{ .repository }}:{{ .tag | default $.Chart.AppVersion }}"
+ imagePullPolicy: {{ coalesce $.Values.global.image.pullPolicy .pullPolicy }}
+ {{- end }}
+ env:
+ - name: "MAS_CONFIG"
+ value: "/etc/mas-config.yaml"
+ command:
+ - /usr/local/bin/mas-cli
+ - database
+ - migrate
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ volumeMounts:
+ - name: config
+ mountPath: "/etc/mas-config.yaml"
+ subPath: "mas-config.yaml"
+ readOnly: true
+ - name: config-sync
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ {{- with .Values.image }}
+ image: "{{ coalesce $.Values.global.image.registry .registry }}/{{ .repository }}:{{ .tag | default $.Chart.AppVersion }}"
+ imagePullPolicy: {{ coalesce $.Values.global.image.pullPolicy .pullPolicy }}
+ {{- end }}
+ env:
+ - name: "MAS_CONFIG"
+ value: "/etc/mas-config.yaml"
+ command:
+ - /usr/local/bin/mas-cli
+ - config
+ - sync
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ volumeMounts:
+ - name: config
+ mountPath: "/etc/mas-config.yaml"
+ subPath: "mas-config.yaml"
+ readOnly: true
+ {{- with .Values.volumeMounts }}
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ containers:
+ - name: {{ .Chart.Name }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ {{- with .Values.image }}
+ image: "{{ coalesce $.Values.global.image.registry .registry }}/{{ .repository }}:{{ .tag | default $.Chart.AppVersion }}"
+ imagePullPolicy: {{ coalesce $.Values.global.image.pullPolicy .pullPolicy }}
+ {{- end }}
+ env:
+ - name: "MAS_CONFIG"
+ value: "/etc/mas-config.yaml"
+ ports:
+ - name: http
+ containerPort: 8080
+ protocol: TCP
+ - name: internal
+ containerPort: 8081
+ protocol: TCP
+ - name: metrics
+ containerPort: 9100
+ protocol: TCP
+ livenessProbe:
+ {{- toYaml .Values.livenessProbe | nindent 12 }}
+ readinessProbe:
+ {{- toYaml .Values.readinessProbe | nindent 12 }}
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ volumeMounts:
+ - name: config
+ mountPath: "/etc/mas-config.yaml"
+ subPath: "mas-config.yaml"
+ readOnly: true
+ volumes:
+ - name: config
+ secret:
+ secretName: {{ .Values.existingSecretConfigMap }}
+ items:
+ - key: "config.yaml"
+ path: "mas-config.yaml"
\ No newline at end of file
diff --git a/charts/matrix-authentication-service/templates/service.yaml b/charts/matrix-authentication-service/templates/service.yaml
new file mode 100644
index 0000000..4b9e829
--- /dev/null
+++ b/charts/matrix-authentication-service/templates/service.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "matrix-authentication-service.fullname" . }}
+ labels:
+ {{- include "matrix-authentication-service.labels" . | nindent 4 }}
+spec:
+ selector:
+ app: {{ include "matrix-authentication-service.fullname" . }}
+ ports:
+ - port: 8080
+ targetPort: 8080
\ No newline at end of file
diff --git a/charts/matrix-authentication-service/templates/serviceaccount.yaml b/charts/matrix-authentication-service/templates/serviceaccount.yaml
new file mode 100644
index 0000000..9bcfb73
--- /dev/null
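Review bot: All three `image:` and `imagePullPolicy:` lines in this hunk (both init containers and the main container) dereference `$.Values.global.image.registry` and `$.Values.global.image.pullPolicy`, but neither values.yaml in this commit declares a `global.image` map; I believe Helm's template engine rejects field access on that missing map with a nil-pointer error rather than handing an empty value to `coalesce`, so a plain `helm install` would not render until the user sets `global.image`. Declaring `global: {image: {registry: "", pullPolicy: ""}}` in values.yaml, or guarding the lookup, makes the defaults work as the `coalesce` intends. Two values declared in values.yaml are also never consumed here: `replicas: 1` is hard-coded where `replicas: {{ .Values.replicaCount }}` is meant, and `podSecurityContext` (with its `fsGroup`) is never rendered, which a pod-level `securityContext:` followed by `{{- toYaml .Values.podSecurityContext | nindent 8 }}` under the pod `spec:` would fix. The same `.Values.global.image` lookup appears in all three container blocks, so one correction to values.yaml covers them.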
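Review bot: The Service exposes a single unnamed port 8080, while the ServiceMonitor added in this commit selects `port: metrics`, a named Service port that does not exist here; Prometheus Operator matches endpoint ports by Service port name, so the monitor would discover nothing even once it renders. The Deployment names its container ports `http`, `internal` and `metrics`, so the Service can refer to them by name and expose a `metrics` port; I would deliberately leave `internal` (8081) off the Service so the health endpoint stays cluster-local to the pod unless the chart later needs it.
```yaml
  ports:
    - name: http
      port: 8080
      targetPort: http
    - name: metrics
      port: 9100
      targetPort: metrics
```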
+++ b/charts/matrix-authentication-service/templates/serviceaccount.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "matrix-authentication-service.fullname" . }}
+ labels:
+ {{- include "matrix-authentication-service.labels" . | nindent 4 }}
\ No newline at end of file
diff --git a/charts/matrix-authentication-service/templates/servicemonitor.yaml b/charts/matrix-authentication-service/templates/servicemonitor.yaml
new file mode 100644
index 0000000..6bb700d
--- /dev/null
+++ b/charts/matrix-authentication-service/templates/servicemonitor.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.prometheus.servicemonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ include "matrix-authentication-service.fullname" . }}
+ labels:
+ {{- include "matrix-authentication-service.labels" . | nindent 4 }}
+ {{- with .Values.prometheus.servicemonitor.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ selector:
+ matchLabels:
+ {{- include "matrix-authentication-service.selectorLabels" . | nindent 6 }}
+ endpoints:
+ - port: metrics
+ path: "/metrics"
+{{- end }}
\ No newline at end of file
diff --git a/charts/matrix-authentication-service/tests/values.yaml b/charts/matrix-authentication-service/tests/values.yaml
new file mode 100644
index 0000000..9ecc361
--- /dev/null
+++ b/charts/matrix-authentication-service/tests/values.yaml
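Review bot: The ServiceAccount is created with the default token automount, so every container in the Deployment receives a projected API token it does not appear to use (the commands in this commit are `mas-cli` database, config and serve invocations, none of which talk to the Kubernetes API). Setting `automountServiceAccountToken: false` at the top level of this manifest removes that credential from the pod filesystem; if a later feature does need API access, it can be re-enabled per pod. Because this is least-privilege hygiene rather than a functional change, a short comment above the field explaining why it is off would help the next maintainer.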
@@ -0,0 +1,49 @@
+nameOverride: ""
+fullnameOverride: ""
+
+existingSecretConfigMap: matrix-authentication-service-secret
+
+image:
+ registry: ghcr.io
+ repository: matrix-org/matrix-authentication-service
+ pullPolicy: IfNotPresent
+ # -- Overrides the image tag whose default is the chart appVersion.
+ tag:
+
+replicaCount: 1
+
+podAnnotations: {}
+podLabels: {}
+
+podSecurityContext:
+ fsGroup: 1000
+
+securityContext:
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
+
+livenessProbe:
+ httpGet:
+ port: internal
+ path: /health
+readinessProbe:
+ httpGet:
+ port: internal
+ path: /health
+
+prometheus:
+ servicemonitor:
+ enabled: false
+ labels: {}
+
+resources: {}
+# limits:
+# cpu: 100m
+# memory: 128Mi
+# requests:
+# cpu: 100m
+# memory: 128Mi
diff --git a/charts/matrix-authentication-service/values.yaml b/charts/matrix-authentication-service/values.yaml
new file mode 100644
index 0000000..9ecc361
--- /dev/null
+++ b/charts/matrix-authentication-service/values.yaml
@@ -0,0 +1,49 @@
+nameOverride: ""
+fullnameOverride: ""
+
+existingSecretConfigMap: matrix-authentication-service-secret
+
+image:
+ registry: ghcr.io
+ repository: matrix-org/matrix-authentication-service
+ pullPolicy: IfNotPresent
+ # -- Overrides the image tag whose default is the chart appVersion.
+ tag:
+
+replicaCount: 1
+
+podAnnotations: {}
+podLabels: {}
+
+podSecurityContext:
+ fsGroup: 1000
+
+securityContext:
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
+
+prometheus:
+ servicemonitor:
+ enabled: false
+ labels: {}
+
+livenessProbe:
+ httpGet:
+ port: internal
+ path: /health
+readinessProbe:
+ httpGet:
+ port: internal
+ path: /health
+
+resources: {}
+# limits:
+# cpu: 100m
+# memory: 128Mi
+# requests:
+# cpu: 100m
+# memory: 128Mi
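Review bot: The container `securityContext` block drops all capabilities and runs non-root, but it leaves out `allowPrivilegeEscalation: false` and a seccomp profile, which are the two remaining fields the restricted Pod Security Standard requires, so a namespace enforcing `restricted` would reject the pods this chart produces. Adding `allowPrivilegeEscalation: false` and `seccompProfile: {type: RuntimeDefault}` alongside `runAsUser: 1000` closes that gap without changing how the process runs. Separately, `tag:` is a bare empty value that parses as null; it is harmless here because the Deployment applies `default $.Chart.AppVersion`, but `tag: ""` states the intent explicitly and keeps yamllint's empty-values rule quiet. Both points apply identically to charts/matrix-authentication-service/values.yaml, whose hunk follows this one with the same content.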