From 6539a4b62bdd97f0517c89616a84935e6d5d911f Mon Sep 17 00:00:00 2001 From: WrenIX Date: Mon, 11 Mar 2024 08:33:28 +0100 Subject: [PATCH] feat(mycloud-matrix): add matrix-authentication-service support --- ...ing-sync.yaml => mycloud-matrix-beta.yaml} | 4 + mycloud-matrix/templates/_hosts.tpl | 19 ++ .../templates/authentik-application.yaml | 9 +- mycloud-matrix/templates/clients/element.yaml | 8 +- .../templates/clients/hydrogen.yaml | 5 +- .../server/authentication-service.yaml | 173 ++++++++++++++++++ .../templates/server/doublepuppet.yaml | 2 +- .../templates/server/sliding-sync.yaml | 19 +- mycloud-matrix/templates/server/synapse.yaml | 61 ++++-- mycloud-matrix/values.yaml | 13 ++ 10 files changed, 274 insertions(+), 39 deletions(-) rename base-values/{mycloud-matrix-sliding-sync.yaml => mycloud-matrix-beta.yaml} (73%) create mode 100644 mycloud-matrix/templates/_hosts.tpl create mode 100644 mycloud-matrix/templates/server/authentication-service.yaml diff --git a/base-values/mycloud-matrix-sliding-sync.yaml b/base-values/mycloud-matrix-beta.yaml similarity index 73% rename from base-values/mycloud-matrix-sliding-sync.yaml rename to base-values/mycloud-matrix-beta.yaml index af56424..fb25929 100644 --- a/base-values/mycloud-matrix-sliding-sync.yaml +++ b/base-values/mycloud-matrix-beta.yaml @@ -9,6 +9,8 @@ components: databases: matrix-sliding-sync: type: postgresql + matrix-authentication-service: + type: postgresql mycloud-matrix: # patch mycloud-core to get another database @@ -16,3 +18,5 @@ components: server: slidingSync: enabled: true + authenticationService: + enabled: true diff --git a/mycloud-matrix/templates/_hosts.tpl b/mycloud-matrix/templates/_hosts.tpl new file mode 100644 index 0000000..fe64459 --- /dev/null +++ b/mycloud-matrix/templates/_hosts.tpl 
@@ -0,0 +1,19 @@
+{{- define "mycloud-matrix.domain" -}}
+{{ .Values.server.host | default .Values.commons.ingress.domain }}
+{{- end }}
+
+{{- define "mycloud-matrix.domain.auth" -}}
+{{ .Values.commons.auth.host | default (printf "auth.%s" .Values.commons.ingress.domain) }}
+{{- end }}
+
+{{- define "mycloud-matrix.host.server" -}}
+{{ .Values.ingress.server.host | default (printf "matrix.%s" .Values.commons.ingress.domain) }}
+{{- end }}
+
+{{- define "mycloud-matrix.host.slidingSync" -}}
+{{ .Values.ingress.slidingSync.host | default (printf "sliding.matrix.%s" .Values.commons.ingress.domain) }}
+{{- end }}
+
+{{- define "mycloud-matrix.host.authenticationService" -}}
+{{ .Values.ingress.authenticationService.host | default (printf "auth.matrix.%s" .Values.commons.ingress.domain) }}
+{{- end }}
diff --git a/mycloud-matrix/templates/authentik-application.yaml b/mycloud-matrix/templates/authentik-application.yaml
index 41d409e..19f567a 100644
--- a/mycloud-matrix/templates/authentik-application.yaml
+++ b/mycloud-matrix/templates/authentik-application.yaml
@@ -22,17 +22,20 @@ spec: {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }} interval: 10m values: - {{- $serverHost := .Values.ingress.server.host | default (printf "matrix.%s" .Values.commons.ingress.domain) }} {{- $clientHost := .Values.server.auth.webClient | default (printf "element.%s" .Values.commons.ingress.domain) }} blueprint: authentik: - domain: "https://{{ .Values.commons.auth.host | default (printf "auth.%s" .Values.commons.ingress.domain) }}" + domain: "https://{{ include "mycloud-matrix.domain.auth" . }}" provider: type: "oidc" name: "Matrix" oidc: clientType: "confidential" - redirectURL: "https://{{ $serverHost }}/_synapse/client/oidc/callback" + {{- if .Values.server.authenticationService.enabled }} + redirectURL: "https://{{ include "mycloud-matrix.host.authenticationService" . }}/upstream/callback/0000000000000000000MYC10VD" + {{- else }} + redirectURL: "https://{{ include "mycloud-matrix.host.server" . }}/_synapse/client/oidc/callback" + {{- end }} clientID: {{ .Values.server.auth.clientID | default (derivePassword 1 "long" .Values.commons.masterPassword "matrix" "auth.clientID") | sha256sum }} clientSecret: {{ .Values.server.auth.clientSecret | default (derivePassword 1 "long" .Values.commons.masterPassword "matrix" "auth.clientSecret") | sha256sum }} signingKey: "authentik Self-signed Certificate" diff --git a/mycloud-matrix/templates/clients/element.yaml b/mycloud-matrix/templates/clients/element.yaml index e2407c1..5747244 100644 --- a/mycloud-matrix/templates/clients/element.yaml +++ b/mycloud-matrix/templates/clients/element.yaml 
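Review bot: The upstream provider id `0000000000000000000MYC10VD` in the new redirectURL is a bare literal that has to match the provider `id` in authentication-service.yaml byte for byte; if either copy drifts, authentik rejects the callback as a redirect_uri mismatch and SSO login breaks with no template error to point at it. Define it once, e.g. in _hosts.tpl as `{{- define "mycloud-matrix.authenticationService.providerID" -}}0000000000000000000MYC10VD{{- end }}`, and `include` it both here and in the MAS `upstream_oauth2.providers[].id`. A short comment on that helper noting that, as far as I recall, MAS expects the id to be a ULID would also stop the next editor from replacing it with an arbitrary string.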
@@ -29,14 +29,12 @@ spec: {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }} interval: 10m values: - {{- $serverDomain := .Values.server.host | default .Values.commons.ingress.domain }} - {{- $serverHost := .Values.ingress.server.host | default (printf "matrix.%s" .Values.commons.ingress.domain) }} {{- $host := .Values.ingress.element.host | default (printf "element.%s" .Values.commons.ingress.domain) }} image: repository: docker.io/vectorim/element-web defaultServer: - url: https://{{ $serverHost }} - name: {{ $serverDomain }} + url: https://{{ include "mycloud-matrix.host.server" . }} + name: {{ include "mycloud-matrix.domain" . | quote }} config: sso_redirect_options: on_welcome_page: true @@ -46,7 +44,7 @@ spec: {{- with .Values.commons.ingress.annotations }} {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.ingress.annotations }} + {{- with .Values.ingress.element.annotations }} {{- toYaml . | nindent 8 }} {{- end }} hosts: diff --git a/mycloud-matrix/templates/clients/hydrogen.yaml b/mycloud-matrix/templates/clients/hydrogen.yaml index 1bbafaf..7cfa75b 100644 --- a/mycloud-matrix/templates/clients/hydrogen.yaml +++ b/mycloud-matrix/templates/clients/hydrogen.yaml @@ -23,17 +23,16 @@ spec: {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }} interval: 10m values: - {{- $serverHost := .Values.ingress.server.host | default (printf "matrix.%s" .Values.commons.ingress.domain) }} {{- $host := .Values.ingress.hydrogen.host | default (printf "hydrogen.%s" .Values.commons.ingress.domain) }} hydrogen: - defaultHomeServer: {{ $serverHost }} + defaultHomeServer: {{ include "mycloud-matrix.host.server" . | quote }} ingress: enabled: true annotations: {{- with .Values.commons.ingress.annotations }} {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.ingress.annotations }} + {{- with .Values.ingress.hydrogen.annotations }} {{- toYaml . | nindent 8 }} {{- end }} hosts: 
diff --git a/mycloud-matrix/templates/server/authentication-service.yaml b/mycloud-matrix/templates/server/authentication-service.yaml
new file mode 100644
index 0000000..7598cb1
--- /dev/null
+++ b/mycloud-matrix/templates/server/authentication-service.yaml
@@ -0,0 +1,173 @@ +{{- if .Values.server.authenticationService.enabled }} +{{ $secretName := printf "%s-authentication-service-secrets" .Release.Name }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} +data: + admin_token: {{ derivePassword 1 "long" $.Values.commons.masterPassword "matrix-auth" "admin_token" | sha256sum | b64enc }} + {{- $clientSecret := derivePassword 1 "long" $.Values.commons.masterPassword "matrix-auth" "client_secret" | sha256sum }} + client_secret: {{ $clientSecret | b64enc }} + clients.yaml: {{ toYaml (dict + "config" (dict + "clients" (list + (dict + "client_id" "0000000000000000000SYNAPSE" + "client_auth_method" "client_secret_basic" + "client_secret" $clientSecret + ) + ) + ) + ) | b64enc }} +--- +apiVersion: helm.toolkit.fluxcd.io/v2beta2 +kind: HelmRelease +metadata: + name: "{{ .Release.Name }}-authentication-service" +spec: + chart: + spec: + sourceRef: + kind: GitRepository + name: "wrenix-helm-charts" + namespace: "flux-system" + chart: "./matrix-authentication-service" + reconcileStrategy: "Revision" + install: + {{- toYaml .Values.commons.helm.release.install | nindent 4 }} + test: + {{- toYaml .Values.commons.helm.release.test | nindent 4 }} + upgrade: + {{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }} + driftDetection: + {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }} + interval: 10m + valuesFrom: + - kind: Secret + name: {{ $secretName }} + valuesKey: admin_token + targetPath: "config.matrix.secret" + - kind: Secret + name: {{ $secretName }} + valuesKey: clients.yaml + values: + config: + http: + public_base: "https://{{ include "mycloud-matrix.host.authenticationService" . }}/" + issuer: "https://{{ include "mycloud-matrix.host.authenticationService" . }}/" + matrix: + homeserver: {{ include "mycloud-matrix.domain" . 
}} + endpoint: "http://{{ .Release.Name }}-synapse:8008" + {{- with .Values.databases.authenticationService }} + database: + host: {{ .host | quote }} + username: {{ .username | quote }} + password: {{ .password | default (derivePassword 1 "long" $.Values.commons.masterPassword "matrix-authentication-service" "database_password" | b64enc) | quote }} + database: {{ .name | quote }} + {{- end }} + email: + from: {{ .Values.server.mail.from | default (printf "\"[%s] %s\" <%s>" .Values.commons.theme.title "matrix" .Values.commons.mail.from) | quote }} + reply_to: {{ .Values.server.mail.from | default (printf "\"[%s] %s\" <%s>" .Values.commons.theme.title "matrix" .Values.commons.mail.from) | quote }} + # from: {{ .Values.commons.mail.from | quote }} + # reply_to: {{ .Values.commons.mail.from | quote }} + {{ $mailHostname := .Values.server.mail.host | default .Values.commons.mail.host }} + {{- if $mailHostname }} + transport: smtp + {{- if .Values.commons.mail.use_tls }} + mode: starttls + {{- end }} + hostname: {{ $mailHostname }} + port: 587 + username: {{ .Values.commons.mail.username | quote }} + password: {{ .Values.commons.mail.password | quote }} + {{- else }} + transport: "blackhole" + {{- end }}{{/* end-if $mailHostname */}} + passwords: + enabled: false + upstream_oauth2: + providers: + - id: 0000000000000000000MYC10VD + human_name: {{ .Values.commons.theme.title | quote }} + issuer: "https://{{ include "mycloud-matrix.domain.auth" . 
}}/application/o/mycloud-matrix/" + client_id: {{ .Values.server.auth.clientID | default (derivePassword 1 "long" .Values.commons.masterPassword "matrix" "auth.clientID") | sha256sum }} + client_secret: {{ .Values.server.auth.clientSecret | default (derivePassword 1 "long" .Values.commons.masterPassword "matrix" "auth.clientSecret") | sha256sum }} + token_endpoint_auth_method: client_secret_post + scope: "openid email profile" + discovery_mode: oidc + claims_imports: + {{` + subject: + action: force + template: "{{ user.sub }}" + localpart: + action: force + template: "{{ user.preferred_username }}" + displayname: + action: suggest + template: "{{ user.name }}" + email: + action: force + template: "{{ user.email }}" + set_email_verification: import + `}} + + ingress: + enabled: true + annotations: + {{- with .Values.commons.ingress.annotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.ingress.authenticationService.annotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + hosts: + - host: "{{ include "mycloud-matrix.host.authenticationService" . }}" + paths: + - path: / + pathType: Prefix + - host: "{{ include "mycloud-matrix.host.server" . }}" + paths: + # v1 + - path: "/_matrix/client/v1/login" + pathType: Prefix + - path: "/_matrix/client/v1/logout" + pathType: Prefix + - path: "/_matrix/client/v1/refresh" + pathType: Prefix + # v2 + - path: "/_matrix/client/v2/login" + pathType: Prefix + - path: "/_matrix/client/v2/logout" + pathType: Prefix + - path: "/_matrix/client/v2/refresh" + pathType: Prefix + # v3 + - path: "/_matrix/client/v3/login" + pathType: Prefix + - path: "/_matrix/client/v3/logout" + pathType: Prefix + - path: "/_matrix/client/v3/refresh" + pathType: Prefix + {{- if .Values.commons.ingress.tls.enabled }} + tls: + {{- with .Values.commons.ingress.tls.override }} + {{- toYaml . | nindent 8 }} + {{- else }} + - secretName: "mycloud-matrix-server-auth-cert" + hosts: + - {{ include "mycloud-matrix.host.authenticationService" . 
| quote }} + - secretName: "mycloud-matrix-server-cert" + hosts: + - {{ include "mycloud-matrix.host.server" . | quote }} + {{- end }} + {{- end }} + + + prometheus: + servicemonitor: + enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }} + labels: + {{- toYaml .Values.commons.prometheus.monitor.labels | nindent 10 }} +{{- end }}{{/* end-if .server.authenticationService.enabled */}} diff --git a/mycloud-matrix/templates/server/doublepuppet.yaml b/mycloud-matrix/templates/server/doublepuppet.yaml index c468d74..82a8dac 100644 --- a/mycloud-matrix/templates/server/doublepuppet.yaml +++ b/mycloud-matrix/templates/server/doublepuppet.yaml @@ -36,7 +36,7 @@ data: "namespaces" (dict "users" (list (dict - "regex" (printf "@.*:%s" (.Values.server.host | default .Values.commons.ingress.domain | replace "." "\\." )) + "regex" (printf "@.*:%s" (include "mycloud-matrix.domain" . | replace "." "\\." )) "exclusive" false ) ) diff --git a/mycloud-matrix/templates/server/sliding-sync.yaml b/mycloud-matrix/templates/server/sliding-sync.yaml index fab8ce9..1f0173e 100644 --- a/mycloud-matrix/templates/server/sliding-sync.yaml +++ b/mycloud-matrix/templates/server/sliding-sync.yaml 
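Review bot: The upstream OIDC `client_secret` (and the database and SMTP passwords) are rendered as plain text into the HelmRelease `.spec.values`, while `admin_token` and the Synapse client secret are routed through `{{ $secretName }}` via `valuesFrom`; anyone with read access to HelmRelease objects can read the authentik client secret, and the file already has the Secret mechanism that avoids this. Add the upstream secret as another key of the Secret and inject it with `targetPath` (Flux accepts `--set`-style paths, so a list index should work, but I have not verified that against the Flux version in use), then drop the plain `client_secret:` line from the provider entry. Separately, the TLS block reuses `mycloud-matrix-server-cert` for the server host, a secretName that synapse.yaml also declares with a different hosts list; if cert-manager ingress-shim issues these, two Ingresses claiming one secretName with different dnsNames tend to fight over the Certificate, so a distinct secretName here is safer.
```yaml
  # Secret data — alongside admin_token / client_secret:
  upstream_client_secret: {{ .Values.server.auth.clientSecret | default (derivePassword 1 "long" .Values.commons.masterPassword "matrix" "auth.clientSecret") | sha256sum | b64enc }}
  # … unchanged: clients.yaml, HelmRelease chart/install/upgrade spec …
  valuesFrom:
    # … unchanged: admin_token and clients.yaml entries …
    - kind: Secret
      name: {{ $secretName }}
      valuesKey: upstream_client_secret
      targetPath: "config.upstream_oauth2.providers[0].client_secret"
```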
@@ -23,15 +23,15 @@ spec: {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }} interval: 10m values: - {{- $host := .Values.ingress.slidingSync.host | default (printf "sliding.matrix.%s" .Values.commons.ingress.domain) }} config: homeserver: http://{{ .Release.Name }}-synapse:8008 - logLevel: INFO postgresql: - host: {{ .Values.databases.slidingSync.host | quote }} - username: {{ .Values.databases.slidingSync.username | quote }} - password: {{ .Values.databases.slidingSync.password | default (derivePassword 1 "long" .Values.commons.masterPassword "matrix-sliding-sync" "database_password" | b64enc) | quote }} - database: {{ .Values.databases.slidingSync.name | quote }} + {{- with .Values.databases.slidingSync }} + host: {{ .host | quote }} + username: {{ .username | quote }} + password: {{ .password | default (derivePassword 1 "long" $.Values.commons.masterPassword "matrix-sliding-sync" "database_password" | b64enc) | quote }} + database: {{ .name | quote }} + {{- end }} ingress: enabled: true @@ -39,12 +39,11 @@ spec: {{- with .Values.commons.ingress.annotations }} {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.ingress.annotations }} + {{- with .Values.ingress.slidingSync.annotations }} {{- toYaml . | nindent 8 }} {{- end }} - includeServerName: false hosts: - - host: "{{ $host }}" + - host: {{ include "mycloud-matrix.host.slidingSync" . | quote }} paths: - path: "/" pathType: Prefix @@ -55,7 +54,7 @@ spec: {{- else }} - secretName: "mycloud-matrix-sliding-sync-cert" hosts: - - "{{ $host }}" + - {{ include "mycloud-matrix.host.slidingSync" . | quote }} {{- end }} {{- end }} diff --git a/mycloud-matrix/templates/server/synapse.yaml b/mycloud-matrix/templates/server/synapse.yaml index 9853f61..685ba35 100644 --- a/mycloud-matrix/templates/server/synapse.yaml +++ b/mycloud-matrix/templates/server/synapse.yaml 
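Review bot: Two removals here, `logLevel: INFO` and `includeServerName: false`, are unrelated to the host-helper refactor and are not mentioned in the commit subject; please confirm they are intentional, since the first changes the proxy's log verbosity to whatever the sliding-sync chart defaults to and the second changes what that chart's ingress template emits. If they are intentional, a one-line comment above `config:` such as `# logLevel/includeServerName deliberately left at chart defaults` would spare the next reader the same question.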
@@ -22,11 +22,21 @@ spec: driftDetection: {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }} interval: 10m + {{- if .Values.server.authenticationService.enabled }} + valuesFrom: + {{ $secretName := printf "%s-authentication-service-secrets" .Release.Name }} + - kind: Secret + name: {{ $secretName }} + valuesKey: client_secret + targetPath: "extraSecrets.experimental_features.msc3861.client_secret" + - kind: Secret + name: {{ $secretName }} + valuesKey: admin_token + targetPath: "extraSecrets.experimental_features.msc3861.admin_token" + {{- end }} values: - {{- $domain := .Values.server.host | default .Values.commons.ingress.domain }} - {{- $host := .Values.ingress.server.host | default (printf "matrix.%s" .Values.commons.ingress.domain) }} - serverName: {{ $domain }} - publicServerName: {{ $host }} + serverName: {{ include "mycloud-matrix.domain" . | quote }} + publicServerName: {{ include "mycloud-matrix.host.server" . | quote }} config: enableRegistration: false useStructuredLogging: true 
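Review bot: The Secret name is rebuilt here as `printf "%s-authentication-service-secrets" .Release.Name`, duplicating the literal from authentication-service.yaml, so renaming it in one template silently breaks `valuesFrom` in the other (Flux then fails the reconcile on a missing Secret rather than at template time). Derive it from one named template, e.g. `{{- define "mycloud-matrix.authenticationService.secretName" -}}{{ .Release.Name }}-authentication-service-secrets{{- end }}`, and `include` it in both files. Also, the assignment `{{ $secretName := ... }}` sits inside the `valuesFrom` list without a `{{-` trim, so it emits a stray whitespace line into the rendered manifest; write it as `{{- $secretName := printf "%s-authentication-service-secrets" .Release.Name }}`.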
@@ -57,11 +67,20 @@ spec: # TODO # notif_from: {{ .Values.server.mail.from | default (printf "[%s] %s <%s>" .Values.commons.theme.title "matrix" .Values.commons.mail.from) | quote }} notif_from: {{ .Values.server.mail.from | default .Values.commons.mail.from | quote }} + {{- if .Values.server.authenticationService.enabled }} + experimental_features: + msc3861: + enabled: true + issuer: "https://{{ include "mycloud-matrix.host.authenticationService" . }}/" + client_id: 0000000000000000000SYNAPSE + client_auth_method: client_secret_basic + account_management_url: "https://{{ include "mycloud-matrix.host.authenticationService" . }}/account/" + {{- else }} oidc_providers: - idp_id: mycloud idp_name: {{ .Values.commons.theme.title | quote }} discover: true - issuer: "https://{{ .Values.commons.auth.host | default (printf "auth.%s" .Values.commons.ingress.domain) }}/application/o/mycloud-matrix/" + issuer: "https://{{ include "mycloud-matrix.domain.auth" . }}/application/o/mycloud-matrix/" client_id: {{ .Values.server.auth.clientID | default (derivePassword 1 "long" .Values.commons.masterPassword "matrix" "auth.clientID") | sha256sum }} client_secret: {{ .Values.server.auth.clientSecret | default (derivePassword 1 "long" .Values.commons.masterPassword "matrix" "auth.clientSecret") | sha256sum }} scopes: @@ -74,6 +93,7 @@ spec: localpart_template: "{{ user.preferred_username }}" display_name_template: "{{ user.name|capitalize }}" `}} + {{- end }} extraLoggers: synapse.storage.SQL: level: WARNING 
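Review bot: Enabling MSC3861 delegation here does not disable Synapse's local password authentication; Synapse refuses to start under MSC3861 while `password_config.enabled` resolves to true (its default), and this branch only drops `oidc_providers`. Unless the synapse chart already forces it, add `password_config: {enabled: false}` next to `experimental_features` in the `authenticationService.enabled` branch (`enableRegistration: false` is already set in the earlier hunk). The hunk also does not show whether `experimental_features` lands at the top level of the config or under the section that `notif_from` belongs to; it must be top level, so this is worth confirming in the rendered output.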
@@ -156,10 +176,15 @@ spec: enabled: true client: "m.homeserver": - base_url: "https://{{ $host }}/" + base_url: "https://{{ include "mycloud-matrix.host.server" . }}/" {{- if .Values.server.slidingSync.enabled }} "org.matrix.msc3575.proxy": - url: "https://{{ .Values.ingress.slidingSync.host | default (printf "sliding.matrix.%s" .Values.commons.ingress.domain) }}/" + url: "https://{{ include "mycloud-matrix.host.slidingSync" . }}" + {{- end }} + {{- if .Values.server.authenticationService.enabled }} + "org.matrix.msc2965.authentication": + issuer: "https://{{ include "mycloud-matrix.host.authenticationService" . }}/" + account: "https://{{ include "mycloud-matrix.host.authenticationService" . }}/account/" {{- end }} resources: requests: @@ -183,16 +208,16 @@ spec: {{- with .Values.commons.ingress.annotations }} {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.ingress.annotations }} + {{- with .Values.ingress.server.annotations }} {{- toYaml . | nindent 8 }} {{- end }} includeServerName: false hosts: - - "{{ $host }}" + - {{ include "mycloud-matrix.host.server" . | quote }} csHosts: - - "{{ $host }}" + - {{ include "mycloud-matrix.host.server" . | quote }} wkHosts: - - "{{ .Values.commons.ingress.domain }}" + - {{ include "mycloud-matrix.domain" . | quote }} {{- if .Values.commons.ingress.tls.enabled }} tls: {{- with .Values.commons.ingress.tls.override }} @@ -200,8 +225,8 @@ spec: {{- else }} - secretName: "mycloud-matrix-server-cert" hosts: - - "{{ .Values.commons.ingress.domain }}" - - "{{ $host }}" + - {{ include "mycloud-matrix.domain" . | quote }} + - {{ include "mycloud-matrix.host.server" . | quote }} {{- end }} {{- end }} 
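Review bot: The sliding-sync proxy URL in the well-known document loses its trailing slash (`url: "https://…"` where the old line had `"https://…/"`), which is unrelated to this commit's purpose and changes the document served to existing clients; either restore the `/` or leave a comment stating why it was dropped. The new `org.matrix.msc2965.authentication.issuer` does end with `/` and therefore matches the MAS `issuer` declared in authentication-service.yaml, which matters because, as I understand MSC2965, clients compare that value exactly against the issuer MAS advertises.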
@@ -218,10 +243,12 @@ spec: postgresql: enabled: false externalPostgresql: - host: {{ .Values.databases.server.host | quote }} - username: {{ .Values.databases.server.username | quote }} - password: {{ .Values.databases.server.password | default (derivePassword 1 "long" .Values.commons.masterPassword "matrix-synapse" "database_password" | b64enc) | quote }} - database: {{ .Values.databases.server.name | quote }} + {{- with .Values.databases.server }} + host: {{ .host | quote }} + username: {{ .username | quote }} + password: {{ .password | default (derivePassword 1 "long" $.Values.commons.masterPassword "matrix-synapse" "database_password" | b64enc) | quote }} + database: {{ .name | quote }} + {{- end }} prometheus: podmonitor: diff --git a/mycloud-matrix/values.yaml b/mycloud-matrix/values.yaml index 8c8f19d..c11b368 100644 --- a/mycloud-matrix/values.yaml +++ b/mycloud-matrix/values.yaml @@ -64,6 +64,8 @@ server: scaling: false slidingSync: enabled: false + authenticationService: + enabled: false auth: # -- generated by .commons.masterPassword @@ -93,6 +95,10 @@ ingress: # -- default: sliding.matrix.(.commons.ingress.domain) host: annotations: + authenticationService: + # -- default: auth.matrix.(.commons.ingress.domain) + host: + annotations: element: enabled: true # -- default: element.(.commons.ingress.domain) @@ -119,6 +125,13 @@ databases: username: matrix-sliding-sync # -- generated by .commons.masterPassword (equal to mycloud-services) password: + authenticationService: + # -- default is from mycloud-services + host: mycloud-services-postgresql + name: matrix-authentication-service + username: matrix-authentication-service + # -- generated by .commons.masterPassword (equal to mycloud-services) + password: bridge: signal: # -- default is from mycloud-services