wrenix/flux-charts
1
0
Fork 0
Code Issues 14 Pull requests 1 Projects Releases Packages Wiki Activity Actions
flux-charts/mycloud-matrix/templates/server/authentication-service.yaml

196 lines
7.2 KiB
YAML
Raw Blame History

{{- if .Values.server.authenticationService.enabled }}
{{ $secretName := printf "%s-authentication-service-secrets" .Release.Name }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ $secretName }}
data:
admin_token: {{ derivePassword 1 "long" $.Values.commons.masterPassword "matrix-auth" "admin_token" | sha256sum | b64enc }}
{{- $clientSecret := derivePassword 1 "long" $.Values.commons.masterPassword "matrix-auth" "client_secret" | sha256sum }}
client_secret: {{ $clientSecret | b64enc }}
clients.yaml: {{ toYaml (dict
"config" (dict
"clients" (list
(dict
"client_id" "0000000000000000000SYNAPSE"
"client_auth_method" "client_secret_basic"
"client_secret" $clientSecret
)
)
)
) | b64enc }}
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
name: "{{ .Release.Name }}-authentication-service"
spec:
url: oci://codeberg.org/wrenix/helm-charts/matrix-authentication-service
interval: 10m
ref:
semver: "^0.15"
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: "{{ .Release.Name }}-authentication-service"
spec:
chartRef:
kind: OCIRepository
name: "{{ .Release.Name }}-authentication-service"
install:
{{- toYaml .Values.commons.helm.release.install | nindent 4 }}
test:
{{- toYaml .Values.commons.helm.release.test | nindent 4 }}
upgrade:
{{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
driftDetection:
{{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
interval: 10m
valuesFrom:
- kind: Secret
name: {{ $secretName }}
valuesKey: admin_token
targetPath: "config.matrix.secret"
- kind: Secret
name: {{ $secretName }}
valuesKey: clients.yaml
values:
config:
http:
public_base: "https://{{ include "mycloud-matrix.host.authenticationService" . }}/"
issuer: "https://{{ include "mycloud-matrix.host.authenticationService" . }}/"
matrix:
homeserver: {{ include "mycloud-matrix.domain" . }}
# endpoint: "http://{{ .Release.Name }}-synapse:8008"
endpoint: "https://{{ include "mycloud-matrix.host.server" . }}"
{{- with .Values.databases.authenticationService }}
database:
host: {{ .host | quote }}
username: {{ .username | quote }}
password: {{ .password | default (derivePassword 1 "long" $.Values.commons.masterPassword "matrix-authentication-service" "database_password" | b64enc) | quote }}
database: {{ .name | quote }}
{{- end }}
email:
from: {{ .Values.server.mail.from | default (printf "\"[%s] %s\" <%s>" .Values.commons.theme.title "matrix" .Values.commons.mail.from) | quote }}
reply_to: {{ .Values.server.mail.from | default (printf "\"[%s] %s\" <%s>" .Values.commons.theme.title "matrix" .Values.commons.mail.from) | quote }}
# from: {{ .Values.commons.mail.from | quote }}
# reply_to: {{ .Values.commons.mail.from | quote }}
{{ $mailHostname := .Values.server.mail.host | default .Values.commons.mail.host }}
{{- if $mailHostname }}
transport: smtp
{{- if .Values.commons.mail.use_tls }}
mode: starttls
{{- end }}
hostname: {{ $mailHostname }}
port: 587
username: {{ .Values.commons.mail.username | quote }}
password: {{ .Values.commons.mail.password | quote }}
{{- else }}
transport: "blackhole"
{{- end }}{{/* end-if $mailHostname */}}
{{- with .Values.commons.tracing }}
{{- if .enabled }}
telemetry:
tracing:
exporter: otlp
endpoint: {{ .http.endpoint }}
propagators:
- tracecontext
- baggage
- jaeger
{{- end }}
{{- end }}
policy:
data:
admin_users:
{{- toYaml .Values.server.authenticationService.admins | nindent 12 }}
passwords:
enabled: false
upstream_oauth2:
providers:
- id: 0000000000000000000MYC10VD
human_name: {{ .Values.commons.theme.title | quote }}
issuer: "https://{{ include "mycloud-matrix.domain.auth" . }}/application/o/mycloud-matrix/"
client_id: {{ .Values.server.auth.clientID | default (derivePassword 1 "long" .Values.commons.masterPassword "matrix" "auth.clientID") | sha256sum }}
client_secret: {{ .Values.server.auth.clientSecret | default (derivePassword 1 "long" .Values.commons.masterPassword "matrix" "auth.clientSecret") | sha256sum }}
token_endpoint_auth_method: client_secret_post
scope: "openid email profile"
discovery_mode: oidc
claims_imports:
{{`
subject:
action: force
template: "{{ user.sub }}"
localpart:
action: force
template: "{{ user.preferred_username }}"
displayname:
action: suggest
template: "{{ user.name }}"
email:
action: force
template: "{{ user.email }}"
set_email_verification: import
`}}
ingress:
enabled: true
annotations:
{{- with .Values.commons.ingress.annotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.ingress.authenticationService.annotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
hosts:
- host: "{{ include "mycloud-matrix.host.authenticationService" . }}"
paths:
- path: /
pathType: Prefix
- host: "{{ include "mycloud-matrix.host.server" . }}"
paths:
# v1
- path: "/_matrix/client/v1/login"
pathType: Prefix
- path: "/_matrix/client/v1/logout"
pathType: Prefix
- path: "/_matrix/client/v1/refresh"
pathType: Prefix
# v2
- path: "/_matrix/client/v2/login"
pathType: Prefix
- path: "/_matrix/client/v2/logout"
pathType: Prefix
- path: "/_matrix/client/v2/refresh"
pathType: Prefix
# v3
- path: "/_matrix/client/v3/login"
pathType: Prefix
- path: "/_matrix/client/v3/logout"
pathType: Prefix
- path: "/_matrix/client/v3/refresh"
pathType: Prefix
{{- if .Values.commons.ingress.tls.enabled }}
tls:
{{- with .Values.commons.ingress.tls.override }}
{{- toYaml . | nindent 8 }}
{{- else }}
- secretName: "mycloud-matrix-server-auth-cert"
hosts:
- {{ include "mycloud-matrix.host.authenticationService" . | quote }}
- secretName: "mycloud-matrix-server-cert"
hosts:
- {{ include "mycloud-matrix.host.server" . | quote }}
{{- end }}
{{- end }}
prometheus:
servicemonitor:
enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
labels:
{{- toYaml .Values.commons.prometheus.monitor.labels | nindent 10 }}
{{- end }}{{/* end-if .server.authenticationService.enabled */}}
Reference in a new issue View git blame Copy permalink