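{{- /*
Renders the Matrix Authentication Service (MAS) stack for this release when
.Values.server.authenticationService.enabled is set:

  1. a Secret holding the MAS<->homeserver shared secret (admin_token), the
     Synapse OAuth client secret and a ready-to-merge clients.yaml snippet;
  2. a Flux OCIRepository pointing at the upstream MAS chart;
  3. a Flux HelmRelease that installs that chart, pulling admin_token and
     clients.yaml from the Secret via valuesFrom and rendering the rest of
     the MAS configuration inline under spec.values.

Every secret that is not given explicitly in values is derived with
derivePassword from .Values.commons.masterPassword, so re-rendering with the
same master password reproduces the same credentials.
*/}}
{{- if .Values.server.authenticationService.enabled }}
{{- $secretName := printf "%s-authentication-service-secrets" .Release.Name }}
---
apiVersion: v1
kind: Secret
metadata:
  name: {{ $secretName | quote }}
data:
  # Shared secret between MAS and the homeserver; injected below through
  # valuesFrom with targetPath config.matrix.secret.
  admin_token: {{ derivePassword 1 "long" $.Values.commons.masterPassword "matrix-auth" "admin_token" | sha256sum | b64enc }}
  {{- $clientSecret := derivePassword 1 "long" $.Values.commons.masterPassword "matrix-auth" "client_secret" | sha256sum }}
  client_secret: {{ $clientSecret | b64enc }}
  # The same client secret again, pre-shaped as MAS config.clients[] so Flux
  # can merge it into the HelmRelease values (valuesFrom without targetPath).
  clients.yaml: {{ toYaml (dict "config" (dict "clients" (list (dict "client_id" "0000000000000000000SYNAPSE" "client_auth_method" "client_secret_basic" "client_secret" $clientSecret)))) | b64enc }}
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
  name: "{{ .Release.Name }}-authentication-service"
spec:
  url: oci://codeberg.org/wrenix/helm-charts/matrix-authentication-service
  interval: 10m
  ref:
    semver: "^0.0.7"
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: "{{ .Release.Name }}-authentication-service"
spec:
  chartRef:
    kind: OCIRepository
    name: "{{ .Release.Name }}-authentication-service"
  # Lifecycle settings are shared across all HelmReleases of this chart.
  install:
    {{- toYaml .Values.commons.helm.release.install | nindent 4 }}
  test:
    {{- toYaml .Values.commons.helm.release.test | nindent 4 }}
  upgrade:
    {{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
  driftDetection:
    {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
  interval: 10m
  valuesFrom:
    - kind: Secret
      name: {{ $secretName | quote }}
      valuesKey: admin_token
      targetPath: "config.matrix.secret"
    # No targetPath: the decoded clients.yaml is parsed and merged into values.
    - kind: Secret
      name: {{ $secretName | quote }}
      valuesKey: clients.yaml
  # NOTE(review): admin_token and the Synapse client secret go through the
  # Secret above, but config.database.password, config.email.password and the
  # upstream_oauth2 client_secret below are rendered inline into spec.values,
  # i.e. in plaintext on the HelmRelease object itself. Routing them through
  # the Secret with a targetPath each would keep all credentials under Secret
  # RBAC.
  values:
    config:
      http:
        public_base: "https://{{ include "mycloud-matrix.host.authenticationService" . }}/"
        issuer: "https://{{ include "mycloud-matrix.host.authenticationService" . }}/"
      matrix:
        homeserver: {{ include "mycloud-matrix.domain" . | quote }}
        # NOTE(review): MAS reaches the homeserver through its public host;
        # the in-cluster endpoint is kept here commented out — confirm this
        # is intended rather than a leftover.
        # endpoint: "http://{{ .Release.Name }}-synapse:8008"
        endpoint: "https://{{ include "mycloud-matrix.host.server" . }}"
      {{- with .Values.databases.authenticationService }}
      database:
        host: {{ .host | quote }}
        username: {{ .username | quote }}
        # Inside `with`, `.` is the database map, hence $.Values for the master password.
        password: {{ .password | default (derivePassword 1 "long" $.Values.commons.masterPassword "matrix-authentication-service" "database_password" | b64enc) | quote }}
        database: {{ .name | quote }}
      {{- end }}
      {{- /* Per-service mail settings win; otherwise fall back to the commons defaults. */}}
      {{- $mailFrom := .Values.server.mail.from | default (printf "\"[%s] %s\" <%s>" .Values.commons.theme.title "matrix" .Values.commons.mail.from) }}
      {{- $mailHostname := .Values.server.mail.host | default .Values.commons.mail.host }}
      email:
        from: {{ $mailFrom | quote }}
        reply_to: {{ $mailFrom | quote }}
        {{- if $mailHostname }}
        transport: smtp
        {{- if .Values.commons.mail.use_tls }}
        mode: starttls
        {{- end }}
        hostname: {{ $mailHostname | quote }}
        # Submission port is fixed here; the relay host is the only configurable part.
        port: 587
        username: {{ .Values.commons.mail.username | quote }}
        password: {{ .Values.commons.mail.password | quote }}
        {{- else }}
        # No mail host configured anywhere: outgoing mail is dropped.
        transport: "blackhole"
        {{- end }}{{/* end-if $mailHostname */}}
      {{- with .Values.commons.tracing }}
      {{- if .enabled }}
      telemetry:
        tracing:
          exporter: otlp
          endpoint: {{ .http.endpoint | quote }}
          propagators:
            - tracecontext
            - baggage
            - jaeger
      {{- end }}
      {{- end }}
      policy:
        data:
          admin_users:
            {{- toYaml .Values.server.authenticationService.admins | nindent 12 }}
      # Local password authentication is disabled; accounts come from the
      # upstream OIDC provider configured below.
      passwords:
        enabled: false
      upstream_oauth2:
        providers:
          - id: "0000000000000000000MYC10VD"
            human_name: {{ .Values.commons.theme.title | quote }}
            issuer: "https://{{ include "mycloud-matrix.domain.auth" . }}/application/o/mycloud-matrix/"
            # NOTE(review): sha256sum is applied after `default`, so an
            # explicitly configured clientID/clientSecret is hashed as well —
            # the IdP side has to register the hashed values; confirm.
            client_id: {{ .Values.server.auth.clientID | default (derivePassword 1 "long" .Values.commons.masterPassword "matrix" "auth.clientID") | sha256sum | quote }}
            client_secret: {{ .Values.server.auth.clientSecret | default (derivePassword 1 "long" .Values.commons.masterPassword "matrix" "auth.clientSecret") | sha256sum | quote }}
            token_endpoint_auth_method: client_secret_post
            scope: "openid email profile"
            discovery_mode: oidc
            # Raw (backtick) string so the MAS-side `user.*` template
            # expressions reach the chart untouched by Helm's renderer.
            claims_imports:
              {{- `
              subject:
                action: force
                template: "{{ user.sub }}"
              localpart:
                action: force
                template: "{{ user.preferred_username }}"
              displayname:
                action: suggest
                template: "{{ user.name }}"
              email:
                action: force
                template: "{{ user.email }}"
                set_email_verification: import
              `}}
    ingress:
      enabled: true
      annotations:
        {{- with .Values.commons.ingress.annotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
        {{- with .Values.ingress.authenticationService.annotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      hosts:
        - host: "{{ include "mycloud-matrix.host.authenticationService" . }}"
          paths:
            - path: /
              pathType: Prefix
        # On the homeserver host only the login/logout/refresh client endpoints
        # are routed to MAS; everything else under /_matrix stays with Synapse.
        - host: "{{ include "mycloud-matrix.host.server" . }}"
          paths:
            # v1
            - path: "/_matrix/client/v1/login"
              pathType: Prefix
            - path: "/_matrix/client/v1/logout"
              pathType: Prefix
            - path: "/_matrix/client/v1/refresh"
              pathType: Prefix
            # v2
            - path: "/_matrix/client/v2/login"
              pathType: Prefix
            - path: "/_matrix/client/v2/logout"
              pathType: Prefix
            - path: "/_matrix/client/v2/refresh"
              pathType: Prefix
            # v3
            - path: "/_matrix/client/v3/login"
              pathType: Prefix
            - path: "/_matrix/client/v3/logout"
              pathType: Prefix
            - path: "/_matrix/client/v3/refresh"
              pathType: Prefix
      {{- if .Values.commons.ingress.tls.enabled }}
      tls:
        {{- with .Values.commons.ingress.tls.override }}
        {{- toYaml . | nindent 8 }}
        {{- else }}
        - secretName: "mycloud-matrix-server-auth-cert"
          hosts:
            - {{ include "mycloud-matrix.host.authenticationService" . | quote }}
        - secretName: "mycloud-matrix-server-cert"
          hosts:
            - {{ include "mycloud-matrix.host.server" . | quote }}
        {{- end }}
      {{- end }}
    prometheus:
      servicemonitor:
        # True only when the ServiceMonitor CRD is known to the rendering
        # cluster (a client-side `helm template` reports false).
        enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
        labels:
          {{- toYaml .Values.commons.prometheus.monitor.labels | nindent 10 }}
{{- end }}{{/* end-if .server.authenticationService.enabled */}}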