diff --git a/charts/matrix-synapse/scripts/signing-key.sh b/charts/matrix-synapse/scripts/signing-key.sh
new file mode 100644
index 0000000..5d1b941
--- /dev/null
+++ b/charts/matrix-synapse/scripts/signing-key.sh
@@ -0,0 +1,41 @@
+#!/bin/sh
+
+set -eu
+
+check_key() {
+ set +e
+
+ echo "Checking for existing signing key..."
+ key="$(kubectl get secret "$SECRET_NAME" -o jsonpath="{.data['signing\.key']}" 2> /dev/null)"
+ [ $? -ne 0 ] && return 1
+ [ -z "$key" ] && return 2
+ return 0
+}
+
+create_key() {
+ echo "Waiting for new signing key to be generated..."
+ begin=$(date +%s)
+ end=$((begin + 300)) # 5 minutes
+ while true; do
+ [ -f /synapse/keys/signing.key ] && return 0
+ [ "$(date +%s)" -gt $end ] && return 1
+ sleep 5
+ done
+}
+
+store_key() {
+ echo "Storing signing key in Kubernetes secret..."
+ kubectl patch secret "$SECRET_NAME" -p "{\"data\":{\"signing.key\":\"$(base64 /synapse/keys/signing.key | tr -d '\n')\"}}"
+}
+
+if check_key; then
+ echo "Key already in place, exiting."
+ exit
+fi
+
+if ! create_key; then
+ echo "Timed out waiting for a signing key to appear."
+ exit 1
+fi
+
+store_key
diff --git a/charts/matrix-synapse/templates/configuration-scripts.yaml b/charts/matrix-synapse/templates/configuration-scripts.yaml
new file mode 100644
index 0000000..a4e79fa
--- /dev/null
+++ b/charts/matrix-synapse/templates/configuration-scripts.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "matrix-synapse.fullname" . }}-scripts
+ labels:
+ {{- include "matrix-synapse.labels" . | nindent 4 }}
+data:
+{{ (.Files.Glob "scripts/*.sh").AsConfig | indent 2 }}
diff --git a/charts/matrix-synapse/templates/deployment.yaml b/charts/matrix-synapse/templates/deployment.yaml
index 32d06f8..c7c444c 100644
--- a/charts/matrix-synapse/templates/deployment.yaml
+++ b/charts/matrix-synapse/templates/deployment.yaml
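Review bot: `set +e` at the top of check_key is never undone, and because POSIX functions run in the calling shell it leaves errexit switched off for create_key and store_key as well; inside `if check_key; then` errexit is already suspended, so the line buys nothing. Drop it and fold the status test into the assignment, `key="$(kubectl get secret "$SECRET_NAME" -o jsonpath="{.data['signing\.key']}" 2> /dev/null)" || return 1`, which also removes the separate `[ $? -ne 0 ]` line. Separately, `2> /dev/null` together with the caller treating status 1 and 2 alike means a kubectl failure (RBAC denied, API unreachable, Secret absent) is indistinguishable from "key not stored yet": the job waits the full five minutes and the real error only surfaces from `kubectl patch`, so handling status 1 by exiting non-zero with kubectl's stderr intact would make failures diagnosable. create_key also returns as soon as `/synapse/keys/signing.key` exists while the generator container sharing that emptyDir may still be writing it; `[ -s /synapse/keys/signing.key ]` is a cheap improvement, though not a complete guard.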
@@ -74,9 +74,9 @@ spec: {{- end }} {{- end }} - /matrix-synapse $@ - args: - - synapse.app.homeserver + exec python -B -m synapse.app.homeserver \ + -c /synapse/config/homeserver.yaml \ + -c /synapse/config/conf.d/ env: {{- $postgresPass := include "matrix-synapse.postgresql.password" . }} {{- if and .Values.postgresql.enabled (not $postgresPass) }} @@ -122,6 +122,8 @@ spec: volumeMounts: - name: config mountPath: /synapse/config + - name: scripts + mountPath: /opt/k8s-synapse - name: tmpconf mountPath: /synapse/config/conf.d - name: secrets @@ -139,6 +141,10 @@ spec: - name: config configMap: name: {{ include "matrix-synapse.fullname" . }} + - name: scripts + configMap: + name: {{ include "matrix-synapse.fullname" . }}-scripts + defaultMode: 0755 - name: secrets secret: secretName: {{ include "matrix-synapse.fullname" . }} diff --git a/charts/matrix-synapse/templates/signing-key-job.yaml b/charts/matrix-synapse/templates/signing-key-job.yaml index 9ca62b0..c7b5ecd 100644 --- a/charts/matrix-synapse/templates/signing-key-job.yaml +++ b/charts/matrix-synapse/templates/signing-key-job.yaml @@ -68,8 +68,6 @@ spec: - sh - -c - | - echo "Copying key upload script..." - cp /key-upload /scripts/ echo "Generating signing key..." /usr/local/bin/generate_signing_key.py -o /synapse/keys/signing.key image: "{{ .Values.image.repository }}:{{ include "matrix-synapse.imageTag" . }}" @@ -78,8 +76,6 @@ spec: resources: {{- toYaml .Values.signingkey.resources | nindent 12 }} volumeMounts: - - mountPath: /scripts - name: scripts - mountPath: /synapse/keys name: matrix-synapse-keys - command: 
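Review bot: The `scripts` ConfigMap is mounted into the homeserver container at `/opt/k8s-synapse` (second hunk) with a matching `scripts` volume using `defaultMode: 0755` (third hunk), but nothing in this diff references that path: the only reader of the ConfigMap is the signing-key Job, which mounts it at `/scripts` and runs `/scripts/signing-key.sh`. If the mount is reserved for later use, a comment such as `# kubectl helper scripts; not used by the homeserver container itself` next to the volumeMount would save the next reader the search; otherwise both additions can be dropped. The enclosing `volumeMounts:` and `volumes:` lists, and the `command:` block of the first hunk, all start outside their hunks.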
@@ -88,13 +84,12 @@ spec: - | printf "Checking rights to update secret... " kubectl auth can-i update secret/${SECRET_NAME} - echo "Waiting for key upload script" - while ! [ -f /scripts/key-upload ]; do sleep 1; done - /scripts/key-upload + /scripts/signing-key.sh env: - name: SECRET_NAME value: {{ $secretName }} - image: bitnami/kubectl + image: "{{ .Values.signingkey.job.image.repository }}:{{ default .Values.signingkey.job.image.tag "latest" }}" + imagePullPolicy: {{ .Values.signingkey.job.image.pullPolicy }} name: signing-key-upload resources: {{- toYaml .Values.signingkey.resources | nindent 12 }} @@ -109,7 +104,12 @@ spec: serviceAccount: {{ $name }} volumes: - name: scripts - emptyDir: {} + configMap: + name: {{ include "matrix-synapse.fullname" . }}-scripts + defaultMode: 0755 - name: matrix-synapse-keys emptyDir: {} + parallelism: 1 + completions: 1 + backoffLimit: 1 {{- end }} diff --git a/charts/matrix-synapse/templates/worker-configuration.yaml b/charts/matrix-synapse/templates/worker-configuration.yaml index 58aee86..6c37b4b 100644 --- a/charts/matrix-synapse/templates/worker-configuration.yaml +++ b/charts/matrix-synapse/templates/worker-configuration.yaml @@ -21,7 +21,13 @@ data: {{- $name := $worker | replace "_" "-" }} {{ $name }}.worker: | - worker_app: "synapse.app.{{ $worker }}" + worker_app: "synapse.app.{{ $config.generic | ternary "generic_worker" $worker }}" +{{- if $config.name -}} +{{- if (ne $config.replicaCount 1) -}} +{{- fail "Replica count must be 1 if a worker has a unique name." -}} +{{- end }} + worker_name: {{ $config.name }} +{{- end }} worker_main_http_uri: http://{{ include "matrix-synapse.fullname" $ }}:8008 worker_replication_host: {{ include "matrix-synapse.replicationname" $ | quote }} 
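Review bot: `{{ default .Values.signingkey.job.image.tag "latest" }}` always renders `latest`: Sprig's `default` takes the fallback as its first argument and returns the second whenever it is non-empty, and the literal `"latest"` never is, so a tag set in values is silently ignored. The intended form is `{{ .Values.signingkey.job.image.tag | default "latest" }}`. Because this container runs under the ServiceAccount permitted to update the signing-key Secret, being unable to pin its image is worth fixing before this ships; the `image:` block added under `signingkey.job` in values.yaml later in this diff is where the default tag should then be set. The `kubectl auth can-i update secret/${SECRET_NAME}` context line above only prints its answer and the script goes on to `/scripts/signing-key.sh` regardless; since `can-i` exits non-zero on a "no", appending `|| exit 1` there would fail fast with a clear message instead of at the final patch.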
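Review bot: `{{- if (ne $config.replicaCount 1) -}}` compares whatever the worker entry holds against the int literal 1, so a worker that sets `name:` but inherits its replica count from a chart default has nil here, `ne nil 1` is true, and rendering fails with "Replica count must be 1" even when the effective count is 1; if Helm has decoded a configured value as a float, the comparison itself can error with an incompatible-types message instead. Coercing before comparing, `{{- if ne ($config.replicaCount | default 1 | int) 1 -}}`, covers both cases, assuming 1 is the chart's default replica count as the `replicaCount: 1` context in the values hunk suggests. The `range` over workers that encloses this block starts outside the hunk.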
@@ -45,11 +51,17 @@ data: x_forwarded: true resources: - - names: {{- toYaml $config.listeners | nindent 14 }} + - names: + {{- toYaml $config.listeners | nindent 14 }} compress: false {{- end }} worker_log_config: /synapse/config/log.yaml + {{- if $config.extraConfig }} + + # Extra config + {{ toYaml $config.extraConfig | nindent 4 }} + {{- end }} {{- end }} {{- end }} {{- end }} diff --git a/charts/matrix-synapse/templates/worker-deployment.yaml b/charts/matrix-synapse/templates/worker-deployment.yaml index c05ec1a..74cdd37 100644 --- a/charts/matrix-synapse/templates/worker-deployment.yaml +++ b/charts/matrix-synapse/templates/worker-deployment.yaml @@ -20,7 +20,8 @@ spec: template: metadata: annotations: - checksum/config: {{ include (print $.Template.BasePath "/worker-configuration.yaml") $ | sha256sum }} + checksum/config: {{ include (print $.Template.BasePath "/configuration.yaml") $ | sha256sum }} + checksum/worker-config: {{ include (print $.Template.BasePath "/worker-configuration.yaml") $ | sha256sum }} checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") $ | sha256sum }} {{- with ($config.annotations | default $default.annotations) }} {{ . | toYaml | nindent 8 }} @@ -62,7 +63,10 @@ spec: -e "s/@@REDIS_PASSWORD@@/${REDIS_PASSWORD:-}/" \ > /synapse/config/conf.d/secrets.yaml - /matrix-synapse synapse.app.{{ $worker }} -c /synapse/config/{{ $name }}.worker + exec python -B -m synapse.app.{{ $config.generic | ternary "generic_worker" $worker }} \ + -c /synapse/config/homeserver.yaml \ + -c /synapse/config/conf.d/ \ + -c /synapse/config/{{ $name }}.worker env: {{- if $.Values.postgresql.enabled }} - name: POSTGRES_PASSWORD diff --git a/charts/matrix-synapse/values.yaml b/charts/matrix-synapse/values.yaml index 99bd8a6..b7f455e 100644 --- a/charts/matrix-synapse/values.yaml +++ b/charts/matrix-synapse/values.yaml 
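Review bot: `{{ $config.generic | ternary "generic_worker" $worker }}` hands `$config.generic` to `ternary` as its boolean, yet the values hunk only adds `generic: true` to `generic_worker`; for every other worker the key is absent, so unless the chart merges a default that defines it, `ternary` receives a nil interface rather than a bool and the template fails to render. `{{ $config.generic | default false | ternary "generic_worker" $worker }}` makes the absent case explicit. The same expression is used for the `worker_app:` line in worker-configuration.yaml earlier in this diff. The `command:` script this `exec` line belongs to starts outside the hunk.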
@@ -31,6 +31,11 @@ signingkey: job: enabled: true + image: + repository: bitnami/kubectl + # tag: '' + pullPolicy: IfNotPresent + ## Specify an existing signing key secret, will need to be created in advance. ## # existingSecret: @@ -236,6 +241,13 @@ workers: ## replicaCount: 1 + ## A specific name for this worker, can't be set globally. + ## Note that this can only be set when replicaCount is 1 + #name: + + ## Additional configuration to set for the worker, can't be set globally. + #extraConfig: {} + ## Annotations to apply to the worker. ## annotations: {} @@ -303,6 +315,7 @@ workers: ## generic_worker: enabled: false + generic: true listeners: [client, federation] csPaths: # - "/_matrix/client/(v2_alpha|r0)/sync" 
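Review bot: The new `signingkey.job.image` block ships with `# tag: ''` commented out and `pullPolicy: IfNotPresent`, which together mean whatever `bitnami/kubectl:latest` a node already has cached is what runs, and this is the container that holds credentials to update the signing-key Secret. A pinned default, `tag: <PINNED_KUBECTL_VERSION>` with the comment `# Pin this tag: the job can write the signing-key Secret`, keeps the chart reproducible and auditable; an empty tag should be the documented opt-out rather than the default. Note that, as the job template is currently written, the configured tag is not applied at all (see the note on signing-key-job.yaml), so the pin only takes effect once that is fixed.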
@@ -350,9 +363,34 @@ workers: - "/_matrix/federation/v1/event_auth/" - "/_matrix/federation/v1/exchange_third_party_invite/" - "/_matrix/federation/v1/user/devices/" + - "/_matrix/federation/v1/send/" - "/_matrix/federation/v1/get_groups_publicised" - "/_matrix/key/v2/query" - - "/_matrix/federation/v1/send/" + + ## To separate the generic worker into specific concerns - for example federation transaction receiving; + ## NB; This worker should have incoming traffic routed based on source IP, which is + ## left as an exercise to the reader. + ## https://github.com/matrix-org/synapse/blob/develop/docs/workers.md#load-balancing + #federation_reader: + # enabled: true + # generic: true + # listeners: [federation] + # paths: + # - "/_matrix/federation/v1/send/" + + ## Or /sync handling. + ## NB; Care should be taken to route users to the same instance when scaling this worker, + ## this is left as an exercise to the reader. + ## https://github.com/matrix-org/synapse/blob/develop/docs/workers.md#load-balancing + #synchrotron: + # enabled: true + # generic: true + # listeners: [client] + # csPaths: + # - "/_matrix/client/(v2_alpha|r0)/sync" + # - "/_matrix/client/(api/v1|v2_alpha|r0)/events" + # - "/_matrix/client/(api/v1|r0)/initialSync" + # - "/_matrix/client/(api/v1|r0)/rooms/[^/]+/initialSync" ## This worker deals with pushing notifications. ## NB; Only one instance of this worker can be run at a time, refer to the @@ -494,7 +532,8 @@ postgresql: postgresqlInitdbArgs: "--lc-collate=C --lc-ctype=C" persistence: - size: 16G + # storageClass: "-" + size: 16Gi ## An externally configured Postgres server to use for Synapse's database, note ## that the database needs to have both COLLATE and CTYPE set to "C".