matrix-synapse: Slight chart restructuring

Now supports generic images, workers are moved closer to the new
generic_worker design, additional worker configuration can be specified

charts/matrix-synapse/scripts/signing-key.sh

@@ -0,0 +1,41 @@
+#!/bin/sh
+
+set -eu
+
+check_key() {
+  set +e
+
+  echo "Checking for existing signing key..."
+  key="$(kubectl get secret "$SECRET_NAME" -o jsonpath="{.data['signing\.key']}" 2> /dev/null)"
+  [ $? -ne 0 ] && return 1
+  [ -z "$key" ] && return 2
+  return 0
+}
+
+create_key() {
+  echo "Waiting for new signing key to be generated..."
+  begin=$(date +%s)
+  end=$((begin + 300)) # 5 minutes
+  while true; do
+    [ -f /synapse/keys/signing.key ] && return 0
+    [ "$(date +%s)" -gt $end ] && return 1
+    sleep 5
+  done
+}
+
+store_key() {
+  echo "Storing signing key in Kubernetes secret..."
+  kubectl patch secret "$SECRET_NAME" -p "{\"data\":{\"signing.key\":\"$(base64 /synapse/keys/signing.key | tr -d '\n')\"}}"
+}
+
+if check_key; then
+  echo "Key already in place, exiting."
+  exit
+fi
+
+if ! create_key; then
+  echo "Timed out waiting for a signing key to appear."
+  exit 1
+fi
+
+store_key

charts/matrix-synapse/templates/configuration-scripts.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "matrix-synapse.fullname" . }}-scripts
+  labels:
+    {{- include "matrix-synapse.labels" . | nindent 4 }}
+data:
+{{ (.Files.Glob "scripts/*.sh").AsConfig | indent 2 }}

charts/matrix-synapse/templates/deployment.yaml

@@ -74,9 +74,9 @@ spec:
               {{- end }}
               {{- end }}
 
-              /matrix-synapse $@
+              exec python -B -m synapse.app.homeserver \
-          args:
+                          -c /synapse/config/homeserver.yaml \
-            - synapse.app.homeserver
+                          -c /synapse/config/conf.d/
           env:
 {{- $postgresPass := include "matrix-synapse.postgresql.password" . }}
           {{- if and .Values.postgresql.enabled (not $postgresPass) }}
@@ -122,6 +122,8 @@ spec:
           volumeMounts:
             - name: config
               mountPath: /synapse/config
+            - name: scripts
+              mountPath: /opt/k8s-synapse
             - name: tmpconf
               mountPath: /synapse/config/conf.d
             - name: secrets
@@ -139,6 +141,10 @@ spec:
         - name: config
           configMap:
             name: {{ include "matrix-synapse.fullname" . }}
+        - name: scripts
+          configMap:
+            name: {{ include "matrix-synapse.fullname" . }}-scripts
+            defaultMode: 0755
         - name: secrets
           secret:
             secretName: {{ include "matrix-synapse.fullname" . }}

charts/matrix-synapse/templates/signing-key-job.yaml

@@ -68,8 +68,6 @@ spec:
             - sh
             - -c
             - |
-              echo "Copying key upload script..."
-              cp /key-upload /scripts/
               echo "Generating signing key..."
               /usr/local/bin/generate_signing_key.py -o /synapse/keys/signing.key
           image: "{{ .Values.image.repository }}:{{ include "matrix-synapse.imageTag" . }}"
@@ -78,8 +76,6 @@ spec:
           resources:
             {{- toYaml .Values.signingkey.resources | nindent 12 }}
           volumeMounts:
-            - mountPath: /scripts
-              name: scripts
             - mountPath: /synapse/keys
               name: matrix-synapse-keys
         - command:
@@ -88,13 +84,12 @@ spec:
             - |
               printf "Checking rights to update secret... "
               kubectl auth can-i update secret/${SECRET_NAME}
-              echo "Waiting for key upload script"
+              /scripts/signing-key.sh
-              while ! [ -f /scripts/key-upload ]; do sleep 1; done
-              /scripts/key-upload
           env:
             - name: SECRET_NAME
               value: {{ $secretName }}
-          image: bitnami/kubectl
+          image: "{{ .Values.signingkey.job.image.repository }}:{{ default .Values.signingkey.job.image.tag "latest" }}"
+          imagePullPolicy: {{ .Values.signingkey.job.image.pullPolicy }}
           name: signing-key-upload
           resources:
             {{- toYaml .Values.signingkey.resources | nindent 12 }}
@@ -109,7 +104,12 @@ spec:
       serviceAccount: {{ $name }}
       volumes:
         - name: scripts
-          emptyDir: {}
+          configMap:
+            name: {{ include "matrix-synapse.fullname" . }}-scripts
+            defaultMode: 0755
         - name: matrix-synapse-keys
           emptyDir: {}
+  parallelism: 1
+  completions: 1
+  backoffLimit: 1
 {{- end }}

charts/matrix-synapse/templates/worker-configuration.yaml

@@ -21,7 +21,13 @@ data:
     {{- $name := $worker | replace "_" "-" }}
 
   {{ $name }}.worker: |
-    worker_app: "synapse.app.{{ $worker }}"
+    worker_app: "synapse.app.{{ $config.generic | ternary "generic_worker" $worker }}"
+{{- if $config.name -}}
+{{-   if (ne $config.replicaCount 1) -}}
+{{-     fail "Replica count must be 1 if a worker has a unique name." -}}
+{{-   end }}
+    worker_name: {{ $config.name }}
+{{- end }}
 
     worker_main_http_uri: http://{{ include "matrix-synapse.fullname" $ }}:8008
     worker_replication_host: {{ include "matrix-synapse.replicationname" $ | quote }}
@@ -45,11 +51,17 @@ data:
         x_forwarded: true
 
         resources:
-          - names: {{- toYaml $config.listeners | nindent 14 }}
+          - names:
+              {{- toYaml $config.listeners | nindent 14 }}
             compress: false
     {{- end }}
 
     worker_log_config: /synapse/config/log.yaml
+    {{- if $config.extraConfig }}
+
+    # Extra config
+    {{ toYaml $config.extraConfig | nindent 4 }}
+    {{- end }}
   {{- end }}
 {{- end }}
 {{- end }}

charts/matrix-synapse/templates/worker-deployment.yaml

@@ -20,7 +20,8 @@ spec:
   template:
     metadata:
       annotations:
-        checksum/config: {{ include (print $.Template.BasePath "/worker-configuration.yaml") $ | sha256sum }}
+        checksum/config: {{ include (print $.Template.BasePath "/configuration.yaml") $ | sha256sum }}
+        checksum/worker-config: {{ include (print $.Template.BasePath "/worker-configuration.yaml") $ | sha256sum }}
         checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") $ | sha256sum }}
       {{- with ($config.annotations | default $default.annotations) }}
         {{ . | toYaml | nindent 8 }}
@@ -62,7 +63,10 @@ spec:
                     -e "s/@@REDIS_PASSWORD@@/${REDIS_PASSWORD:-}/" \
                        > /synapse/config/conf.d/secrets.yaml
 
-              /matrix-synapse synapse.app.{{ $worker }} -c /synapse/config/{{ $name }}.worker
+              exec python -B -m synapse.app.{{ $config.generic | ternary "generic_worker" $worker }} \
+                          -c /synapse/config/homeserver.yaml \
+                          -c /synapse/config/conf.d/ \
+                          -c /synapse/config/{{ $name }}.worker
           env:
           {{- if $.Values.postgresql.enabled }}
             - name: POSTGRES_PASSWORD

charts/matrix-synapse/values.yaml

@@ -31,6 +31,11 @@ signingkey:
   job:
     enabled: true
 
+    image:
+      repository: bitnami/kubectl
+      # tag: ''
+      pullPolicy: IfNotPresent
+
   ## Specify an existing signing key secret, will need to be created in advance.
   ##
   # existingSecret:
@@ -236,6 +241,13 @@ workers:
     ##
     replicaCount: 1
 
+    ## A specific name for this worker, can't be set globally.
+    ## Note that this can only be set when replicaCount is 1
+    #name: 
+    
+    ## Additional configuration to set for the worker, can't be set globally.
+    #extraConfig: {}
+
     ## Annotations to apply to the worker.
     ##
     annotations: {}
@@ -303,6 +315,7 @@ workers:
   ##
   generic_worker:
     enabled: false
+    generic: true
     listeners: [client, federation]
     csPaths:
     # - "/_matrix/client/(v2_alpha|r0)/sync"
@@ -350,9 +363,34 @@ workers:
       - "/_matrix/federation/v1/event_auth/"
       - "/_matrix/federation/v1/exchange_third_party_invite/"
       - "/_matrix/federation/v1/user/devices/"
+      - "/_matrix/federation/v1/send/"
       - "/_matrix/federation/v1/get_groups_publicised"
       - "/_matrix/key/v2/query"
-      - "/_matrix/federation/v1/send/"
+
+  ## To separate the generic worker into specific concerns - for example federation transaction receiving;
+  ## NB; This worker should have incoming traffic routed based on source IP, which is
+  ##     left as an exercise to the reader.
+  ## https://github.com/matrix-org/synapse/blob/develop/docs/workers.md#load-balancing
+  #federation_reader:
+  #  enabled: true
+  #  generic: true
+  #  listeners: [federation]
+  #  paths:
+  #     - "/_matrix/federation/v1/send/"
+
+  ## Or /sync handling.
+  ## NB; Care should be taken to route users to the same instance when scaling this worker,
+  ##     this is left as an exercise to the reader.
+  ## https://github.com/matrix-org/synapse/blob/develop/docs/workers.md#load-balancing
+  #synchrotron:
+  #  enabled: true
+  #  generic: true
+  #  listeners: [client]
+  #  csPaths:
+  #    - "/_matrix/client/(v2_alpha|r0)/sync"
+  #    - "/_matrix/client/(api/v1|v2_alpha|r0)/events"
+  #    - "/_matrix/client/(api/v1|r0)/initialSync"
+  #    - "/_matrix/client/(api/v1|r0)/rooms/[^/]+/initialSync"
 
   ## This worker deals with pushing notifications.
   ## NB; Only one instance of this worker can be run at a time, refer to the
@@ -494,7 +532,8 @@ postgresql:
   postgresqlInitdbArgs: "--lc-collate=C --lc-ctype=C"
 
   persistence:
-    size: 16G
+    # storageClass: "-"
+    size: 16Gi
 
 ## An externally configured Postgres server to use for Synapse's database, note
 ## that the database needs to have both COLLATE and CTYPE set to "C".