feat(mycloud-matrix): add matrix-authentication-service support

2024-03-11 08:33:28 +01:00 · 2024-03-11 08:33:28 +01:00 · 6539a4b62b
commit 6539a4b62b
parent bb2ac61ed1
10 changed files with 274 additions and 39 deletions
--- a/base-values/mycloud-matrix-sliding-sync.yaml
+++ b/base-values/mycloud-matrix-sliding-sync.yaml
@ -9,6 +9,8 @@ components:
      databases:
        matrix-sliding-sync:
          type: postgresql
+        matrix-authentication-service:
+          type: postgresql

  mycloud-matrix:
    # patch mycloud-core to get another database
@ -16,3 +18,5 @@ components:
      server:
        slidingSync:
          enabled: true
+        authenticationService:
+          enabled: true
--- a/mycloud-matrix/templates/_hosts.tpl
+++ b/mycloud-matrix/templates/_hosts.tpl
@ -0,0 +1,19 @@
+{{- define "mycloud-matrix.domain" -}}
+{{ .Values.server.host | default .Values.commons.ingress.domain }}
+{{- end }}
+
+{{- define "mycloud-matrix.domain.auth" -}}
+{{ .Values.commons.auth.host | default (printf "auth.%s" .Values.commons.ingress.domain) }}
+{{- end }}
+
+{{- define "mycloud-matrix.host.server" -}}
+{{ .Values.ingress.server.host | default (printf "matrix.%s" .Values.commons.ingress.domain) }}
+{{- end }}
+
+{{- define "mycloud-matrix.host.slidingSync" -}}
+{{ .Values.ingress.slidingSync.host | default (printf "sliding.matrix.%s" .Values.commons.ingress.domain) }}
+{{- end }}
+
+{{- define "mycloud-matrix.host.authenticationService" -}}
+{{ .Values.ingress.authenticationService.host | default (printf "auth.matrix.%s" .Values.commons.ingress.domain) }}
+{{- end }}
--- a/mycloud-matrix/templates/authentik-application.yaml
+++ b/mycloud-matrix/templates/authentik-application.yaml
@ -22,17 +22,20 @@ spec:
    {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
  interval: 10m
  values:
-    {{- $serverHost := .Values.ingress.server.host | default (printf "matrix.%s" .Values.commons.ingress.domain) }}
    {{- $clientHost := .Values.server.auth.webClient | default (printf "element.%s" .Values.commons.ingress.domain) }}
    blueprint:
      authentik:
-        domain: "https://{{ .Values.commons.auth.host | default (printf "auth.%s" .Values.commons.ingress.domain) }}"
+        domain: "https://{{ include "mycloud-matrix.domain.auth" . }}"
      provider:
        type: "oidc"
        name: "Matrix"
        oidc:
          clientType: "confidential"
-          redirectURL: "https://{{ $serverHost }}/_synapse/client/oidc/callback"
+          {{- if .Values.server.authenticationService.enabled }}
+          redirectURL: "https://{{ include "mycloud-matrix.host.authenticationService" . }}/upstream/callback/0000000000000000000MYC10VD"
+          {{- else }}
+          redirectURL: "https://{{ include "mycloud-matrix.host.server" . }}/_synapse/client/oidc/callback"
+          {{- end }}
          clientID: {{ .Values.server.auth.clientID | default (derivePassword 1 "long" .Values.commons.masterPassword "matrix" "auth.clientID") | sha256sum }}
          clientSecret: {{ .Values.server.auth.clientSecret | default (derivePassword 1 "long" .Values.commons.masterPassword "matrix" "auth.clientSecret") | sha256sum }}
          signingKey: "authentik Self-signed Certificate"
--- a/mycloud-matrix/templates/clients/element.yaml
+++ b/mycloud-matrix/templates/clients/element.yaml
@ -29,14 +29,12 @@ spec:
    {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
  interval: 10m
  values:
-    {{- $serverDomain := .Values.server.host | default .Values.commons.ingress.domain }}
-    {{- $serverHost := .Values.ingress.server.host | default (printf "matrix.%s" .Values.commons.ingress.domain) }}
    {{- $host := .Values.ingress.element.host | default (printf "element.%s" .Values.commons.ingress.domain) }}
    image:
      repository: docker.io/vectorim/element-web
    defaultServer:
-      url: https://{{ $serverHost }}
-      name: {{ $serverDomain }}
+      url: https://{{ include "mycloud-matrix.host.server" . }}
+      name: {{ include "mycloud-matrix.domain" . | quote }}
    config:
      sso_redirect_options:
        on_welcome_page: true
@ -46,7 +44,7 @@ spec:
        {{- with .Values.commons.ingress.annotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
-        {{- with .Values.ingress.annotations }}
+        {{- with .Values.ingress.element.annotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      hosts:
--- a/mycloud-matrix/templates/clients/hydrogen.yaml
+++ b/mycloud-matrix/templates/clients/hydrogen.yaml
@ -23,17 +23,16 @@ spec:
    {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
  interval: 10m
  values:
-    {{- $serverHost := .Values.ingress.server.host | default (printf "matrix.%s" .Values.commons.ingress.domain) }}
    {{- $host := .Values.ingress.hydrogen.host | default (printf "hydrogen.%s" .Values.commons.ingress.domain) }}
    hydrogen:
-      defaultHomeServer: {{ $serverHost }}
+      defaultHomeServer: {{ include "mycloud-matrix.host.server" . | quote }}
    ingress:
      enabled: true
      annotations:
        {{- with .Values.commons.ingress.annotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
-        {{- with .Values.ingress.annotations }}
+        {{- with .Values.ingress.hydrogen.annotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      hosts:
--- a/mycloud-matrix/templates/server/authentication-service.yaml
+++ b/mycloud-matrix/templates/server/authentication-service.yaml
@ -0,0 +1,173 @@
+{{- if .Values.server.authenticationService.enabled }}
+{{ $secretName := printf "%s-authentication-service-secrets" .Release.Name }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+data:
+  admin_token: {{ derivePassword 1 "long" $.Values.commons.masterPassword "matrix-auth" "admin_token" | sha256sum | b64enc }}
+  {{- $clientSecret := derivePassword 1 "long" $.Values.commons.masterPassword "matrix-auth" "client_secret" | sha256sum }}
+  client_secret: {{ $clientSecret | b64enc }}
+  clients.yaml: {{ toYaml (dict
+    "config" (dict
+      "clients" (list
+        (dict
+          "client_id" "0000000000000000000SYNAPSE"
+          "client_auth_method" "client_secret_basic"
+          "client_secret" $clientSecret
+        )
+      )
+    )
+  ) | b64enc }}
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: "{{ .Release.Name }}-authentication-service"
+spec:
+  chart:
+    spec:
+      sourceRef:
+        kind: GitRepository
+        name: "wrenix-helm-charts"
+        namespace: "flux-system"
+      chart: "./matrix-authentication-service"
+      reconcileStrategy: "Revision"
+  install:
+    {{- toYaml .Values.commons.helm.release.install | nindent 4 }}
+  test:
+    {{- toYaml .Values.commons.helm.release.test | nindent 4 }}
+  upgrade:
+    {{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
+  driftDetection:
+    {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
+  interval: 10m
+  valuesFrom:
+    - kind: Secret
+      name: {{ $secretName }} 
+      valuesKey: admin_token
+      targetPath: "config.matrix.secret"
+    - kind: Secret
+      name: {{ $secretName }}
+      valuesKey: clients.yaml
+  values:
+    config:
+      http:
+        public_base: "https://{{ include "mycloud-matrix.host.authenticationService" . }}/"
+        issuer: "https://{{ include "mycloud-matrix.host.authenticationService" . }}/"
+      matrix:
+        homeserver: {{ include "mycloud-matrix.domain" . }}
+        endpoint: "http://{{ .Release.Name }}-synapse:8008"
+      {{- with .Values.databases.authenticationService }}
+      database:
+        host: {{ .host | quote }}
+        username: {{ .username | quote }}
+        password: {{ .password | default (derivePassword 1 "long" $.Values.commons.masterPassword "matrix-authentication-service" "database_password" | b64enc) | quote }}
+        database: {{ .name | quote }}
+      {{- end }}
+      email:
+        from: {{ .Values.server.mail.from | default (printf "\"[%s] %s\" <%s>" .Values.commons.theme.title "matrix" .Values.commons.mail.from) | quote }}
+        reply_to: {{ .Values.server.mail.from | default (printf "\"[%s] %s\" <%s>" .Values.commons.theme.title "matrix" .Values.commons.mail.from) | quote }}
+        # from: {{ .Values.commons.mail.from | quote }}
+        # reply_to: {{ .Values.commons.mail.from | quote }}
+        {{ $mailHostname :=  .Values.server.mail.host | default .Values.commons.mail.host }}
+        {{- if $mailHostname }}
+        transport: smtp
+        {{- if .Values.commons.mail.use_tls }}
+        mode: starttls
+        {{- end }}
+        hostname: {{ $mailHostname }}
+        port: 587
+        username: {{ .Values.commons.mail.username | quote }}
+        password: {{ .Values.commons.mail.password | quote }}
+        {{- else }}
+        transport: "blackhole"
+        {{- end }}{{/* end-if $mailHostname */}}
+      passwords:
+        enabled: false
+      upstream_oauth2:
+        providers:
+          - id: 0000000000000000000MYC10VD
+            human_name: {{ .Values.commons.theme.title | quote }}
+            issuer: "https://{{ include "mycloud-matrix.domain.auth" . }}/application/o/mycloud-matrix/"
+            client_id: {{ .Values.server.auth.clientID | default (derivePassword 1 "long" .Values.commons.masterPassword "matrix" "auth.clientID") | sha256sum }}
+            client_secret: {{ .Values.server.auth.clientSecret | default (derivePassword 1 "long" .Values.commons.masterPassword "matrix" "auth.clientSecret") | sha256sum }}
+            token_endpoint_auth_method: client_secret_post
+            scope: "openid email profile"
+            discovery_mode: oidc
+            claims_imports:
+              {{`
+              subject:
+                action: force
+                template: "{{ user.sub }}"
+              localpart:
+                action: force
+                template: "{{ user.preferred_username }}"
+              displayname:
+                action: suggest
+                template: "{{ user.name }}"
+              email:
+                action: force
+                template: "{{ user.email }}"
+                set_email_verification: import
+              `}}
+
+    ingress:
+      enabled: true
+      annotations:
+        {{- with .Values.commons.ingress.annotations }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+        {{- with .Values.ingress.authenticationService.annotations }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+      hosts:
+        - host: "{{ include "mycloud-matrix.host.authenticationService" . }}"
+          paths:
+            - path: /
+              pathType: Prefix
+        - host: "{{ include "mycloud-matrix.host.server" . }}"
+          paths:
+            # v1
+            - path: "/_matrix/client/v1/login"
+              pathType: Prefix
+            - path: "/_matrix/client/v1/logout"
+              pathType: Prefix
+            - path: "/_matrix/client/v1/refresh"
+              pathType: Prefix
+            # v2
+            - path: "/_matrix/client/v2/login"
+              pathType: Prefix
+            - path: "/_matrix/client/v2/logout"
+              pathType: Prefix
+            - path: "/_matrix/client/v2/refresh"
+              pathType: Prefix
+            # v3
+            - path: "/_matrix/client/v3/login"
+              pathType: Prefix
+            - path: "/_matrix/client/v3/logout"
+              pathType: Prefix
+            - path: "/_matrix/client/v3/refresh"
+              pathType: Prefix
+      {{- if .Values.commons.ingress.tls.enabled }}
+      tls:
+        {{- with .Values.commons.ingress.tls.override }}
+        {{- toYaml . | nindent 8 }}
+        {{- else }}
+        - secretName: "mycloud-matrix-server-auth-cert"
+          hosts:
+            - {{ include "mycloud-matrix.host.authenticationService" . | quote }}
+        - secretName: "mycloud-matrix-server-cert"
+          hosts:
+            - {{ include "mycloud-matrix.host.server" . | quote }}
+        {{- end }}
+      {{- end }}
+
+
+    prometheus:
+      servicemonitor:
+        enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
+        labels:
+          {{- toYaml .Values.commons.prometheus.monitor.labels | nindent 10 }}
+{{- end }}{{/* end-if .server.authenticationService.enabled */}}
--- a/mycloud-matrix/templates/server/doublepuppet.yaml
+++ b/mycloud-matrix/templates/server/doublepuppet.yaml
@ -36,7 +36,7 @@ data:
   "namespaces" (dict
     "users" (list
       (dict
-         "regex" (printf "@.*:%s" (.Values.server.host | default .Values.commons.ingress.domain | replace "." "\\." ))
+         "regex" (printf "@.*:%s" (include "mycloud-matrix.domain" . | replace "." "\\." ))
         "exclusive" false
       )
     )
--- a/mycloud-matrix/templates/server/sliding-sync.yaml
+++ b/mycloud-matrix/templates/server/sliding-sync.yaml
@ -23,15 +23,15 @@ spec:
    {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
  interval: 10m
  values:
-    {{- $host := .Values.ingress.slidingSync.host | default (printf "sliding.matrix.%s" .Values.commons.ingress.domain) }}
    config:
      homeserver: http://{{ .Release.Name }}-synapse:8008
-      logLevel: INFO
      postgresql:
-        host: {{ .Values.databases.slidingSync.host | quote }}
-        username: {{ .Values.databases.slidingSync.username | quote }}
-        password: {{ .Values.databases.slidingSync.password | default (derivePassword 1 "long" .Values.commons.masterPassword "matrix-sliding-sync" "database_password" | b64enc) | quote }}
-        database: {{ .Values.databases.slidingSync.name | quote }}
+        {{- with .Values.databases.slidingSync }}
+        host: {{ .host | quote }}
+        username: {{ .username | quote }}
+        password: {{ .password | default (derivePassword 1 "long" $.Values.commons.masterPassword "matrix-sliding-sync" "database_password" | b64enc) | quote }}
+        database: {{ .name | quote }}
+        {{- end }}

    ingress:
      enabled: true
@ -39,12 +39,11 @@ spec:
        {{- with .Values.commons.ingress.annotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
-        {{- with .Values.ingress.annotations }}
+        {{- with .Values.ingress.slidingSync.annotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
-      includeServerName: false
      hosts:
-        - host: "{{ $host }}"
+        - host: {{ include "mycloud-matrix.host.slidingSync" . | quote }}
          paths:
            - path: "/"
              pathType: Prefix
@ -55,7 +54,7 @@ spec:
        {{- else }}
        - secretName: "mycloud-matrix-sliding-sync-cert"
          hosts:
-            - "{{ $host }}"
+            - {{ include "mycloud-matrix.host.slidingSync" . | quote }}
        {{- end }}
      {{- end }}

--- a/mycloud-matrix/templates/server/synapse.yaml
+++ b/mycloud-matrix/templates/server/synapse.yaml
@ -22,11 +22,21 @@ spec:
  driftDetection:
    {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
  interval: 10m
+  {{- if .Values.server.authenticationService.enabled }}
+  valuesFrom:
+    {{ $secretName := printf "%s-authentication-service-secrets" .Release.Name }}
+    - kind: Secret
+      name: {{ $secretName }}
+      valuesKey: client_secret
+      targetPath: "extraSecrets.experimental_features.msc3861.client_secret"
+    - kind: Secret
+      name: {{ $secretName }}
+      valuesKey: admin_token
+      targetPath: "extraSecrets.experimental_features.msc3861.admin_token"
+  {{- end }}
  values:
-    {{- $domain := .Values.server.host | default .Values.commons.ingress.domain }}
-    {{- $host := .Values.ingress.server.host | default (printf "matrix.%s" .Values.commons.ingress.domain) }}
-    serverName: {{ $domain }}
-    publicServerName: {{ $host }}
+    serverName: {{ include "mycloud-matrix.domain" . | quote }}
+    publicServerName: {{ include "mycloud-matrix.host.server" . | quote }}
    config:
      enableRegistration: false
      useStructuredLogging: true
@ -57,11 +67,20 @@ spec:
        # TODO
        # notif_from: {{ .Values.server.mail.from | default (printf "[%s] %s <%s>" .Values.commons.theme.title "matrix" .Values.commons.mail.from) | quote }}
        notif_from: {{ .Values.server.mail.from | default .Values.commons.mail.from | quote }}
+      {{- if .Values.server.authenticationService.enabled }}
+      experimental_features:
+        msc3861:
+          enabled: true
+          issuer: "https://{{ include "mycloud-matrix.host.authenticationService" . }}/"
+          client_id: 0000000000000000000SYNAPSE
+          client_auth_method: client_secret_basic
+          account_management_url: "https://{{ include "mycloud-matrix.host.authenticationService" . }}/account/"
+      {{- else }}
      oidc_providers:
        - idp_id: mycloud
          idp_name: {{ .Values.commons.theme.title | quote }}
          discover: true
-          issuer: "https://{{ .Values.commons.auth.host | default (printf "auth.%s" .Values.commons.ingress.domain) }}/application/o/mycloud-matrix/"
+          issuer: "https://{{ include "mycloud-matrix.domain.auth" . }}/application/o/mycloud-matrix/"
          client_id: {{ .Values.server.auth.clientID | default (derivePassword 1 "long" .Values.commons.masterPassword "matrix" "auth.clientID") | sha256sum }}
          client_secret: {{ .Values.server.auth.clientSecret | default (derivePassword 1 "long" .Values.commons.masterPassword "matrix" "auth.clientSecret") | sha256sum }}
          scopes:
@ -74,6 +93,7 @@ spec:
              localpart_template: "{{ user.preferred_username }}"
              display_name_template: "{{ user.name|capitalize }}"
              `}}
+      {{- end }}
    extraLoggers:
      synapse.storage.SQL:
        level: WARNING
@ -156,10 +176,15 @@ spec:
      enabled: true
      client:
        "m.homeserver":
-          base_url: "https://{{ $host }}/"
+          base_url: "https://{{ include "mycloud-matrix.host.server" . }}/"
        {{- if .Values.server.slidingSync.enabled }}
        "org.matrix.msc3575.proxy":
-          url: "https://{{ .Values.ingress.slidingSync.host | default (printf "sliding.matrix.%s" .Values.commons.ingress.domain) }}/"
+          url: "https://{{ include "mycloud-matrix.host.slidingSync" . }}"
+        {{- end }}
+        {{- if .Values.server.authenticationService.enabled }}
+        "org.matrix.msc2965.authentication":
+          issuer: "https://{{ include "mycloud-matrix.host.authenticationService" . }}/"
+          account: "https://{{ include "mycloud-matrix.host.authenticationService" . }}/account/"
        {{- end }}
      resources:
        requests:
@ -183,16 +208,16 @@ spec:
        {{- with .Values.commons.ingress.annotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
-        {{- with .Values.ingress.annotations }}
+        {{- with .Values.ingress.server.annotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      includeServerName: false
      hosts:
-        - "{{ $host }}"
+        - {{ include "mycloud-matrix.host.server" . | quote }}
      csHosts:
-        - "{{ $host }}"
+        - {{ include "mycloud-matrix.host.server" . | quote }}
      wkHosts:
-        - "{{ .Values.commons.ingress.domain }}"
+        - {{ include "mycloud-matrix.domain" . | quote }}
      {{- if .Values.commons.ingress.tls.enabled }}
      tls:
        {{- with .Values.commons.ingress.tls.override }}
@ -200,8 +225,8 @@ spec:
        {{- else }}
        - secretName: "mycloud-matrix-server-cert"
          hosts:
-            - "{{ .Values.commons.ingress.domain }}"
-            - "{{ $host }}"
+            - {{ include "mycloud-matrix.domain" . | quote }}
+            - {{ include "mycloud-matrix.host.server" . | quote }}
        {{- end }}
      {{- end }}

@ -218,10 +243,12 @@ spec:
    postgresql:
      enabled: false
    externalPostgresql:
-      host: {{ .Values.databases.server.host | quote }}
-      username: {{ .Values.databases.server.username | quote }}
-      password: {{ .Values.databases.server.password | default (derivePassword 1 "long" .Values.commons.masterPassword "matrix-synapse" "database_password" | b64enc) | quote }}
-      database: {{ .Values.databases.server.name | quote }}
+      {{- with .Values.databases.server }}
+      host: {{ .host | quote }}
+      username: {{ .username | quote }}
+      password: {{ .password | default (derivePassword 1 "long" $.Values.commons.masterPassword "matrix-synapse" "database_password" | b64enc) | quote }}
+      database: {{ .name | quote }}
+      {{- end }}

    prometheus:
      podmonitor:
--- a/mycloud-matrix/values.yaml
+++ b/mycloud-matrix/values.yaml
@ -64,6 +64,8 @@ server:
  scaling: false
  slidingSync:
    enabled: false
+  authenticationService:
+    enabled: false

  auth:
    # -- generated by .commons.masterPassword
@ -93,6 +95,10 @@ ingress:
    # -- default: sliding.matrix.(.commons.ingress.domain)
    host:
    annotations:
+  authenticationService:
+    # -- default: auth.matrix.(.commons.ingress.domain)
+    host:
+    annotations:
  element:
    enabled: true
    # -- default: element.(.commons.ingress.domain)
@ -119,6 +125,13 @@ databases:
    username: matrix-sliding-sync
    # -- generated by .commons.masterPassword (equal to mycloud-services)
    password:
+  authenticationService:
+    # -- default is from mycloud-services
+    host: mycloud-services-postgresql
+    name: matrix-authentication-service
+    username: matrix-authentication-service
+    # -- generated by .commons.masterPassword (equal to mycloud-services)
+    password:
  bridge:
    signal:
      # -- default is from mycloud-services