feat(mycloud-matrix): add matrix-authentication-service support

base-values/mycloud-matrix-beta.yaml

@@ -9,6 +9,8 @@ components:
       databases:
         matrix-sliding-sync:
           type: postgresql
+        matrix-authentication-service:
+          type: postgresql
 
   mycloud-matrix:
     # patch mycloud-core to get another database
@@ -16,3 +18,5 @@ components:
       server:
         slidingSync:
           enabled: true
+        authenticationService:
+          enabled: true

mycloud-matrix/templates/_hosts.tpl

@@ -0,0 +1,19 @@
+{{- define "mycloud-matrix.domain" -}}
+{{ .Values.server.host | default .Values.commons.ingress.domain }}
+{{- end }}
+
+{{- define "mycloud-matrix.domain.auth" -}}
+{{ .Values.commons.auth.host | default (printf "auth.%s" .Values.commons.ingress.domain) }}
+{{- end }}
+
+{{- define "mycloud-matrix.host.server" -}}
+{{ .Values.ingress.server.host | default (printf "matrix.%s" .Values.commons.ingress.domain) }}
+{{- end }}
+
+{{- define "mycloud-matrix.host.slidingSync" -}}
+{{ .Values.ingress.slidingSync.host | default (printf "sliding.matrix.%s" .Values.commons.ingress.domain) }}
+{{- end }}
+
+{{- define "mycloud-matrix.host.authenticationService" -}}
+{{ .Values.ingress.authenticationService.host | default (printf "auth.matrix.%s" .Values.commons.ingress.domain) }}
+{{- end }}

mycloud-matrix/templates/authentik-application.yaml

@@ -22,17 +22,20 @@ spec:
     {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
   interval: 10m
   values:
-    {{- $serverHost := .Values.ingress.server.host | default (printf "matrix.%s" .Values.commons.ingress.domain) }}
     {{- $clientHost := .Values.server.auth.webClient | default (printf "element.%s" .Values.commons.ingress.domain) }}
     blueprint:
       authentik:
-        domain: "https://{{ .Values.commons.auth.host | default (printf "auth.%s" .Values.commons.ingress.domain) }}"
+        domain: "https://{{ include "mycloud-matrix.domain.auth" . }}"
       provider:
         type: "oidc"
         name: "Matrix"
         oidc:
           clientType: "confidential"
-          redirectURL: "https://{{ $serverHost }}/_synapse/client/oidc/callback"
+          {{- if .Values.server.authenticationService.enabled }}
+          redirectURL: "https://{{ include "mycloud-matrix.host.authenticationService" . }}/upstream/callback/0000000000000000000MYC10VD"
+          {{- else }}
+          redirectURL: "https://{{ include "mycloud-matrix.host.server" . }}/_synapse/client/oidc/callback"
+          {{- end }}
           clientID: {{ .Values.server.auth.clientID | default (derivePassword 1 "long" .Values.commons.masterPassword "matrix" "auth.clientID") | sha256sum }}
           clientSecret: {{ .Values.server.auth.clientSecret | default (derivePassword 1 "long" .Values.commons.masterPassword "matrix" "auth.clientSecret") | sha256sum }}
           signingKey: "authentik Self-signed Certificate"

mycloud-matrix/templates/clients/element.yaml

@@ -29,14 +29,12 @@ spec:
     {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
   interval: 10m
   values:
-    {{- $serverDomain := .Values.server.host | default .Values.commons.ingress.domain }}
-    {{- $serverHost := .Values.ingress.server.host | default (printf "matrix.%s" .Values.commons.ingress.domain) }}
     {{- $host := .Values.ingress.element.host | default (printf "element.%s" .Values.commons.ingress.domain) }}
     image:
       repository: docker.io/vectorim/element-web
     defaultServer:
-      url: https://{{ $serverHost }}
+      url: https://{{ include "mycloud-matrix.host.server" . }}
-      name: {{ $serverDomain }}
+      name: {{ include "mycloud-matrix.domain" . | quote }}
     config:
       sso_redirect_options:
         on_welcome_page: true
@@ -46,7 +44,7 @@ spec:
         {{- with .Values.commons.ingress.annotations }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
-        {{- with .Values.ingress.annotations }}
+        {{- with .Values.ingress.element.annotations }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
       hosts:

mycloud-matrix/templates/clients/hydrogen.yaml

@@ -23,17 +23,16 @@ spec:
     {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
   interval: 10m
   values:
-    {{- $serverHost := .Values.ingress.server.host | default (printf "matrix.%s" .Values.commons.ingress.domain) }}
     {{- $host := .Values.ingress.hydrogen.host | default (printf "hydrogen.%s" .Values.commons.ingress.domain) }}
     hydrogen:
-      defaultHomeServer: {{ $serverHost }}
+      defaultHomeServer: {{ include "mycloud-matrix.host.server" . | quote }}
     ingress:
       enabled: true
       annotations:
         {{- with .Values.commons.ingress.annotations }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
-        {{- with .Values.ingress.annotations }}
+        {{- with .Values.ingress.hydrogen.annotations }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
       hosts:

mycloud-matrix/templates/server/authentication-service.yaml

@@ -0,0 +1,173 @@
+{{- if .Values.server.authenticationService.enabled }}
+{{ $secretName := printf "%s-authentication-service-secrets" .Release.Name }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+data:
+  admin_token: {{ derivePassword 1 "long" $.Values.commons.masterPassword "matrix-auth" "admin_token" | sha256sum | b64enc }}
+  {{- $clientSecret := derivePassword 1 "long" $.Values.commons.masterPassword "matrix-auth" "client_secret" | sha256sum }}
+  client_secret: {{ $clientSecret | b64enc }}
+  clients.yaml: {{ toYaml (dict
+    "config" (dict
+      "clients" (list
+        (dict
+          "client_id" "0000000000000000000SYNAPSE"
+          "client_auth_method" "client_secret_basic"
+          "client_secret" $clientSecret
+        )
+      )
+    )
+  ) | b64enc }}
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: "{{ .Release.Name }}-authentication-service"
+spec:
+  chart:
+    spec:
+      sourceRef:
+        kind: GitRepository
+        name: "wrenix-helm-charts"
+        namespace: "flux-system"
+      chart: "./matrix-authentication-service"
+      reconcileStrategy: "Revision"
+  install:
+    {{- toYaml .Values.commons.helm.release.install | nindent 4 }}
+  test:
+    {{- toYaml .Values.commons.helm.release.test | nindent 4 }}
+  upgrade:
+    {{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
+  driftDetection:
+    {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
+  interval: 10m
+  valuesFrom:
+    - kind: Secret
+      name: {{ $secretName }} 
+      valuesKey: admin_token
+      targetPath: "config.matrix.secret"
+    - kind: Secret
+      name: {{ $secretName }}
+      valuesKey: clients.yaml
+  values:
+    config:
+      http:
+        public_base: "https://{{ include "mycloud-matrix.host.authenticationService" . }}/"
+        issuer: "https://{{ include "mycloud-matrix.host.authenticationService" . }}/"
+      matrix:
+        homeserver: {{ include "mycloud-matrix.domain" . }}
+        endpoint: "http://{{ .Release.Name }}-synapse:8008"
+      {{- with .Values.databases.authenticationService }}
+      database:
+        host: {{ .host | quote }}
+        username: {{ .username | quote }}
+        password: {{ .password | default (derivePassword 1 "long" $.Values.commons.masterPassword "matrix-authentication-service" "database_password" | b64enc) | quote }}
+        database: {{ .name | quote }}
+      {{- end }}
+      email:
+        from: {{ .Values.server.mail.from | default (printf "\"[%s] %s\" <%s>" .Values.commons.theme.title "matrix" .Values.commons.mail.from) | quote }}
+        reply_to: {{ .Values.server.mail.from | default (printf "\"[%s] %s\" <%s>" .Values.commons.theme.title "matrix" .Values.commons.mail.from) | quote }}
+        # from: {{ .Values.commons.mail.from | quote }}
+        # reply_to: {{ .Values.commons.mail.from | quote }}
+        {{ $mailHostname :=  .Values.server.mail.host | default .Values.commons.mail.host }}
+        {{- if $mailHostname }}
+        transport: smtp
+        {{- if .Values.commons.mail.use_tls }}
+        mode: starttls
+        {{- end }}
+        hostname: {{ $mailHostname }}
+        port: 587
+        username: {{ .Values.commons.mail.username | quote }}
+        password: {{ .Values.commons.mail.password | quote }}
+        {{- else }}
+        transport: "blackhole"
+        {{- end }}{{/* end-if $mailHostname */}}
+      passwords:
+        enabled: false
+      upstream_oauth2:
+        providers:
+          - id: 0000000000000000000MYC10VD
+            human_name: {{ .Values.commons.theme.title | quote }}
+            issuer: "https://{{ include "mycloud-matrix.domain.auth" . }}/application/o/mycloud-matrix/"
+            client_id: {{ .Values.server.auth.clientID | default (derivePassword 1 "long" .Values.commons.masterPassword "matrix" "auth.clientID") | sha256sum }}
+            client_secret: {{ .Values.server.auth.clientSecret | default (derivePassword 1 "long" .Values.commons.masterPassword "matrix" "auth.clientSecret") | sha256sum }}
+            token_endpoint_auth_method: client_secret_post
+            scope: "openid email profile"
+            discovery_mode: oidc
+            claims_imports:
+              {{`
+              subject:
+                action: force
+                template: "{{ user.sub }}"
+              localpart:
+                action: force
+                template: "{{ user.preferred_username }}"
+              displayname:
+                action: suggest
+                template: "{{ user.name }}"
+              email:
+                action: force
+                template: "{{ user.email }}"
+                set_email_verification: import
+              `}}
+
+    ingress:
+      enabled: true
+      annotations:
+        {{- with .Values.commons.ingress.annotations }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+        {{- with .Values.ingress.authenticationService.annotations }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+      hosts:
+        - host: "{{ include "mycloud-matrix.host.authenticationService" . }}"
+          paths:
+            - path: /
+              pathType: Prefix
+        - host: "{{ include "mycloud-matrix.host.server" . }}"
+          paths:
+            # v1
+            - path: "/_matrix/client/v1/login"
+              pathType: Prefix
+            - path: "/_matrix/client/v1/logout"
+              pathType: Prefix
+            - path: "/_matrix/client/v1/refresh"
+              pathType: Prefix
+            # v2
+            - path: "/_matrix/client/v2/login"
+              pathType: Prefix
+            - path: "/_matrix/client/v2/logout"
+              pathType: Prefix
+            - path: "/_matrix/client/v2/refresh"
+              pathType: Prefix
+            # v3
+            - path: "/_matrix/client/v3/login"
+              pathType: Prefix
+            - path: "/_matrix/client/v3/logout"
+              pathType: Prefix
+            - path: "/_matrix/client/v3/refresh"
+              pathType: Prefix
+      {{- if .Values.commons.ingress.tls.enabled }}
+      tls:
+        {{- with .Values.commons.ingress.tls.override }}
+        {{- toYaml . | nindent 8 }}
+        {{- else }}
+        - secretName: "mycloud-matrix-server-auth-cert"
+          hosts:
+            - {{ include "mycloud-matrix.host.authenticationService" . | quote }}
+        - secretName: "mycloud-matrix-server-cert"
+          hosts:
+            - {{ include "mycloud-matrix.host.server" . | quote }}
+        {{- end }}
+      {{- end }}
+
+
+    prometheus:
+      servicemonitor:
+        enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
+        labels:
+          {{- toYaml .Values.commons.prometheus.monitor.labels | nindent 10 }}
+{{- end }}{{/* end-if .server.authenticationService.enabled */}}

mycloud-matrix/templates/server/doublepuppet.yaml

@@ -36,7 +36,7 @@ data:
    "namespaces" (dict
      "users" (list
        (dict
-         "regex" (printf "@.*:%s" (.Values.server.host | default .Values.commons.ingress.domain | replace "." "\\." ))
+         "regex" (printf "@.*:%s" (include "mycloud-matrix.domain" . | replace "." "\\." ))
          "exclusive" false
        )
      )

mycloud-matrix/templates/server/sliding-sync.yaml

@@ -23,15 +23,15 @@ spec:
     {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
   interval: 10m
   values:
-    {{- $host := .Values.ingress.slidingSync.host | default (printf "sliding.matrix.%s" .Values.commons.ingress.domain) }}
     config:
       homeserver: http://{{ .Release.Name }}-synapse:8008
-      logLevel: INFO
       postgresql:
-        host: {{ .Values.databases.slidingSync.host | quote }}
+        {{- with .Values.databases.slidingSync }}
-        username: {{ .Values.databases.slidingSync.username | quote }}
+        host: {{ .host | quote }}
-        password: {{ .Values.databases.slidingSync.password | default (derivePassword 1 "long" .Values.commons.masterPassword "matrix-sliding-sync" "database_password" | b64enc) | quote }}
+        username: {{ .username | quote }}
-        database: {{ .Values.databases.slidingSync.name | quote }}
+        password: {{ .password | default (derivePassword 1 "long" $.Values.commons.masterPassword "matrix-sliding-sync" "database_password" | b64enc) | quote }}
+        database: {{ .name | quote }}
+        {{- end }}
 
     ingress:
       enabled: true
@@ -39,12 +39,11 @@ spec:
         {{- with .Values.commons.ingress.annotations }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
-        {{- with .Values.ingress.annotations }}
+        {{- with .Values.ingress.slidingSync.annotations }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
-      includeServerName: false
       hosts:
-        - host: "{{ $host }}"
+        - host: {{ include "mycloud-matrix.host.slidingSync" . | quote }}
           paths:
             - path: "/"
               pathType: Prefix
@@ -55,7 +54,7 @@ spec:
         {{- else }}
         - secretName: "mycloud-matrix-sliding-sync-cert"
           hosts:
-            - "{{ $host }}"
+            - {{ include "mycloud-matrix.host.slidingSync" . | quote }}
         {{- end }}
       {{- end }}
 

mycloud-matrix/templates/server/synapse.yaml

@@ -22,11 +22,21 @@ spec:
   driftDetection:
     {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
   interval: 10m
+  {{- if .Values.server.authenticationService.enabled }}
+  valuesFrom:
+    {{ $secretName := printf "%s-authentication-service-secrets" .Release.Name }}
+    - kind: Secret
+      name: {{ $secretName }}
+      valuesKey: client_secret
+      targetPath: "extraSecrets.experimental_features.msc3861.client_secret"
+    - kind: Secret
+      name: {{ $secretName }}
+      valuesKey: admin_token
+      targetPath: "extraSecrets.experimental_features.msc3861.admin_token"
+  {{- end }}
   values:
-    {{- $domain := .Values.server.host | default .Values.commons.ingress.domain }}
+    serverName: {{ include "mycloud-matrix.domain" . | quote }}
-    {{- $host := .Values.ingress.server.host | default (printf "matrix.%s" .Values.commons.ingress.domain) }}
+    publicServerName: {{ include "mycloud-matrix.host.server" . | quote }}
-    serverName: {{ $domain }}
-    publicServerName: {{ $host }}
     config:
       enableRegistration: false
       useStructuredLogging: true
@@ -57,11 +67,20 @@ spec:
         # TODO
         # notif_from: {{ .Values.server.mail.from | default (printf "[%s] %s <%s>" .Values.commons.theme.title "matrix" .Values.commons.mail.from) | quote }}
         notif_from: {{ .Values.server.mail.from | default .Values.commons.mail.from | quote }}
+      {{- if .Values.server.authenticationService.enabled }}
+      experimental_features:
+        msc3861:
+          enabled: true
+          issuer: "https://{{ include "mycloud-matrix.host.authenticationService" . }}/"
+          client_id: 0000000000000000000SYNAPSE
+          client_auth_method: client_secret_basic
+          account_management_url: "https://{{ include "mycloud-matrix.host.authenticationService" . }}/account/"
+      {{- else }}
       oidc_providers:
         - idp_id: mycloud
           idp_name: {{ .Values.commons.theme.title | quote }}
           discover: true
-          issuer: "https://{{ .Values.commons.auth.host | default (printf "auth.%s" .Values.commons.ingress.domain) }}/application/o/mycloud-matrix/"
+          issuer: "https://{{ include "mycloud-matrix.domain.auth" . }}/application/o/mycloud-matrix/"
           client_id: {{ .Values.server.auth.clientID | default (derivePassword 1 "long" .Values.commons.masterPassword "matrix" "auth.clientID") | sha256sum }}
           client_secret: {{ .Values.server.auth.clientSecret | default (derivePassword 1 "long" .Values.commons.masterPassword "matrix" "auth.clientSecret") | sha256sum }}
           scopes:
@@ -74,6 +93,7 @@ spec:
               localpart_template: "{{ user.preferred_username }}"
               display_name_template: "{{ user.name|capitalize }}"
               `}}
+      {{- end }}
     extraLoggers:
       synapse.storage.SQL:
         level: WARNING
@@ -156,10 +176,15 @@ spec:
       enabled: true
       client:
         "m.homeserver":
-          base_url: "https://{{ $host }}/"
+          base_url: "https://{{ include "mycloud-matrix.host.server" . }}/"
         {{- if .Values.server.slidingSync.enabled }}
         "org.matrix.msc3575.proxy":
-          url: "https://{{ .Values.ingress.slidingSync.host | default (printf "sliding.matrix.%s" .Values.commons.ingress.domain) }}/"
+          url: "https://{{ include "mycloud-matrix.host.slidingSync" . }}"
+        {{- end }}
+        {{- if .Values.server.authenticationService.enabled }}
+        "org.matrix.msc2965.authentication":
+          issuer: "https://{{ include "mycloud-matrix.host.authenticationService" . }}/"
+          account: "https://{{ include "mycloud-matrix.host.authenticationService" . }}/account/"
         {{- end }}
       resources:
         requests:
@@ -183,16 +208,16 @@ spec:
         {{- with .Values.commons.ingress.annotations }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
-        {{- with .Values.ingress.annotations }}
+        {{- with .Values.ingress.server.annotations }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
       includeServerName: false
       hosts:
-        - "{{ $host }}"
+        - {{ include "mycloud-matrix.host.server" . | quote }}
       csHosts:
-        - "{{ $host }}"
+        - {{ include "mycloud-matrix.host.server" . | quote }}
       wkHosts:
-        - "{{ .Values.commons.ingress.domain }}"
+        - {{ include "mycloud-matrix.domain" . | quote }}
       {{- if .Values.commons.ingress.tls.enabled }}
       tls:
         {{- with .Values.commons.ingress.tls.override }}
@@ -200,8 +225,8 @@ spec:
         {{- else }}
         - secretName: "mycloud-matrix-server-cert"
           hosts:
-            - "{{ .Values.commons.ingress.domain }}"
+            - {{ include "mycloud-matrix.domain" . | quote }}
-            - "{{ $host }}"
+            - {{ include "mycloud-matrix.host.server" . | quote }}
         {{- end }}
       {{- end }}
 
@@ -218,10 +243,12 @@ spec:
     postgresql:
       enabled: false
     externalPostgresql:
-      host: {{ .Values.databases.server.host | quote }}
+      {{- with .Values.databases.server }}
-      username: {{ .Values.databases.server.username | quote }}
+      host: {{ .host | quote }}
-      password: {{ .Values.databases.server.password | default (derivePassword 1 "long" .Values.commons.masterPassword "matrix-synapse" "database_password" | b64enc) | quote }}
+      username: {{ .username | quote }}
-      database: {{ .Values.databases.server.name | quote }}
+      password: {{ .password | default (derivePassword 1 "long" $.Values.commons.masterPassword "matrix-synapse" "database_password" | b64enc) | quote }}
+      database: {{ .name | quote }}
+      {{- end }}
 
     prometheus:
       podmonitor:

mycloud-matrix/values.yaml

@@ -64,6 +64,8 @@ server:
   scaling: false
   slidingSync:
     enabled: false
+  authenticationService:
+    enabled: false
 
   auth:
     # -- generated by .commons.masterPassword
@@ -93,6 +95,10 @@ ingress:
     # -- default: sliding.matrix.(.commons.ingress.domain)
     host:
     annotations:
+  authenticationService:
+    # -- default: auth.matrix.(.commons.ingress.domain)
+    host:
+    annotations:
   element:
     enabled: true
     # -- default: element.(.commons.ingress.domain)
@@ -119,6 +125,13 @@ databases:
     username: matrix-sliding-sync
     # -- generated by .commons.masterPassword (equal to mycloud-services)
     password:
+  authenticationService:
+    # -- default is from mycloud-services
+    host: mycloud-services-postgresql
+    name: matrix-authentication-service
+    username: matrix-authentication-service
+    # -- generated by .commons.masterPassword (equal to mycloud-services)
+    password:
   bridge:
     signal:
       # -- default is from mycloud-services