From c073b971107cb75e6248a42392038c0c9167b720 Mon Sep 17 00:00:00 2001 From: jessebot Date: Fri, 5 Jul 2024 08:29:45 +0200 Subject: [PATCH] Adding existingSecret.registation and existingSecret.passkey; Always store registration and passkey data in a Kubernetes secret; use projected volume to ensure all data in one directory Signed-off-by: jessebot --- helm/hookshot/README.md | 15 ++++++++----- helm/hookshot/templates/_helpers.tpl | 22 +++++++++++++++++++ helm/hookshot/templates/_pod.tpl | 14 +++++++----- helm/hookshot/templates/configmap.yaml | 10 +++------ helm/hookshot/templates/passkey-secret.yaml | 17 ++++++++++++++ .../templates/registration-secret.yaml | 17 ++++++++++++++ helm/hookshot/values.yaml | 17 +++++++++++--- 7 files changed, 91 insertions(+), 21 deletions(-) create mode 100644 helm/hookshot/templates/passkey-secret.yaml create mode 100644 helm/hookshot/templates/registration-secret.yaml diff --git a/helm/hookshot/README.md b/helm/hookshot/README.md index 53445c0d3..a9ea474e6 100644 --- a/helm/hookshot/README.md +++ b/helm/hookshot/README.md @@ -1,6 +1,6 @@ # hookshot -![Version: 0.1.13](https://img.shields.io/badge/Version-0.1.13-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 3.2.0](https://img.shields.io/badge/AppVersion-3.2.0-informational?style=flat-square) +![Version: 0.1.15](https://img.shields.io/badge/Version-0.1.15-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.0-replaced-by-ci](https://img.shields.io/badge/AppVersion-0.0.0--replaced--by--ci-informational?style=flat-square) Deploy a Matrix Hookshot instance to Kubernetes Status: Beta 
@@ -39,7 +39,7 @@ To configure Hookshot-specific parameters, the value `.Values.hookshot.config` a ## Existing configuration -If you have an existing configuration file for Hookshot, you can create a configmap like so: +If you have an existing configuration file for hookshot, you can create a configmap like so: ``` bash kubectl create --namespace "your hookshot namespace" configmap hookshot-custom-config --from-file=config.yml --from-file=registration.yml --from-file=passkey.pem 
@@ -74,9 +74,12 @@ You'll need to configure your Ingress connectivity according to your environment | affinity | object | `{}` | Affinity settings for deployment | | autoscaling.enabled | bool | `false` | | | fullnameOverride | string | `""` | Full name override for helm chart | -| hookshot.config | object | `{"bridge":{"bindAddress":"0.0.0.0","domain":"example.com","port":9002,"url":"https://example.com"},"generic":{"allowJsTransformationFunctions":true,"enableHttpGet":false,"enabled":true,"urlPrefix":"https://example.com/","userIdPrefix":"_webhooks_","waitForComplete":false},"listeners":[{"bindAddress":"0.0.0.0","port":9000,"resources":["webhooks","widgets"]},{"bindAddress":"0.0.0.0","port":9001,"resources":["metrics"]}],"logging":{"colorize":false,"json":false,"level":"info","timestampFormat":"HH:mm:ss:SSS"},"metrics":{"enabled":true},"passFile":"/data/passkey.pem","widgets":{"addToAdminRooms":false,"branding":{"widgetTitle":"Hookshot Configuration"},"publicUrl":"https://webhook-hookshot.example.com/widgetapi/v1/static","roomSetupWidget":{"addOnInvite":false},"setRoomName":false}}` | Raw Hookshot configuration. Gets templated into a YAML file and then loaded unless an existingConfigMap is specified. | -| hookshot.existingConfigMap | string | `nil` | Name of existing ConfigMap with valid Hookshot configuration | -| hookshot.passkey | string | `""` | | +| hookshot.config | object | `{"bridge":{"bindAddress":"127.0.0.1","domain":"example.com","mediaUrl":"https://example.com","port":9993,"url":"http://localhost:8008"},"listeners":[{"bindAddress":"0.0.0.0","port":9000,"resources":["webhooks"]},{"bindAddress":"127.0.0.1","port":9001,"resources":["metrics","provisioning"]},{"bindAddress":"0.0.0.0","port":9002,"resources":["widgets"]}],"logging":{"colorize":true,"json":false,"level":"info","timestampFormat":"HH:mm:ss:SSS"},"passFile":"/data/passkey.pem"}` | Raw Hookshot configuration. 
Gets templated into a YAML file and then loaded unless an existingConfigMap is specified. | +| hookshot.config.passFile | string | `"/data/passkey.pem"` | A passkey used to encrypt tokens stored inside the bridge. Run openssl genpkey -out passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096 to generate | +| hookshot.existingConfigMap | string | `""` | Name of existing ConfigMap with valid Hookshot configuration | +| hookshot.existingSecret.passkey | string | `""` | Name of existing Secret with valid Hookshot passkey.pem If set, ignores hookshot.passkey | +| hookshot.existingSecret.registration | string | `""` | Name of existing Secret with valid Hookshot registration.yaml. If set, ignores hookshot.registration | +| hookshot.passkey | string | `""` | A passkey used to encrypt tokens stored inside the bridge. Run openssl genpkey -out passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096 to generate | | hookshot.registration.as_token | string | `""` | | | hookshot.registration.hs_token | string | `""` | | | hookshot.registration.id | string | `"matrix-hookshot"` | | @@ -119,4 +122,4 @@ You'll need to configure your Ingress connectivity according to your environment | tolerations | list | `[]` | Tolerations for deployment | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) \ No newline at end of file +Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1) \ No newline at end of file diff --git a/helm/hookshot/templates/_helpers.tpl b/helm/hookshot/templates/_helpers.tpl index 6c5b3bbb9..2af20fcb8 100644 --- a/helm/hookshot/templates/_helpers.tpl +++ b/helm/hookshot/templates/_helpers.tpl 
@@ -35,6 +35,28 @@ Helper for configmap name {{- end }} {{- end }} +{{/* +Helper for secret name for registration +*/}} +{{- define "hookshot.registrationSecretName" -}} +{{- if .Values.hookshot.existingSecret.registration }} +{{- printf "%s" .Values.hookshot.existingSecret.registration -}} +{{- else }} +{{- printf "%s-registration-secret" (include "hookshot.fullname" .) | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} + +{{/* +Helper for secret name for passkey.pem +*/}} +{{- define "hookshot.passkeySecretName" -}} +{{- if .Values.hookshot.existingSecret.passkey }} +{{- printf "%s" .Values.hookshot.existingSecret.passkey -}} +{{- else }} +{{- printf "%s-passkey-secret" (include "hookshot.fullname" .) | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} + {{/* Create chart name and version as used by the chart label. */}} diff --git a/helm/hookshot/templates/_pod.tpl b/helm/hookshot/templates/_pod.tpl index 09879a1c1..1804fb9c9 100644 --- a/helm/hookshot/templates/_pod.tpl +++ b/helm/hookshot/templates/_pod.tpl @@ -43,10 +43,8 @@ containers: {{- toYaml .Values.containerSecurityContext | nindent 6 }} {{- end }} volumeMounts: -{{- if or (and (not .Values.hookshot.existingConfigMap) (.Values.hookshot.config)) (.Values.hookshot.existingConfigMap) }} - name: config mountPath: "/data" -{{- end }} ports: - name: webhook containerPort: 9000 @@ -58,7 +56,7 @@ containers: containerPort: 9002 protocol: TCP env: - + envFrom: {{- if .Values.envFromSecret }} - secretRef: @@ -109,8 +107,14 @@ tolerations: {{- end }} volumes: - name: config - configMap: - name: {{ template "hookshot.configMapName" . }} + projected: + sources: + configMap: + name: {{ template "hookshot.configMapName" . }} + secret: + secretName: {{ template "hookshot.registrationSecretName" . }} + secret: + secretName: {{ template "hookshot.passkeySecretName" . }} {{- $root := . }} {{- range .Values.extraConfigmapMounts }} - name: {{ tpl .name $root }} 
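Review bot: `projected.sources` in the volumes hunk of `_pod.tpl` is written as a mapping with the keys `configMap`, `secret`, `secret`, but the Kubernetes API expects a list of sources, and a YAML parser keeps only the last of the two duplicate `secret` keys, so even if the shape were accepted the registration secret would silently vanish. The secret sources also use `secretName`, which is the field of a plain `secret` volume; a projected secret source is addressed with `name`. Because the volumeMount guard on `existingConfigMap` was dropped in the first hunk, this volume is now always projected, so a malformed spec breaks every install. Since `passkey.pem` is a private key, I would also set a restrictive `defaultMode` on the projected volume (projected files default to 0644), pairing it with the pod's `securityContext.fsGroup` so a non-root container can still read it.
```yaml
volumes:
  - name: config
    projected:
      defaultMode: 0440  # passkey.pem is a private key; keep it non-world-readable
      sources:
        - configMap:
            name: {{ template "hookshot.configMapName" . }}
        - secret:
            name: {{ template "hookshot.registrationSecretName" . }}
        - secret:
            name: {{ template "hookshot.passkeySecretName" . }}
# … unchanged: extraConfigmapMounts range …
```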
diff --git a/helm/hookshot/templates/configmap.yaml b/helm/hookshot/templates/configmap.yaml index 139ce1558..d28209d82 100644 --- a/helm/hookshot/templates/configmap.yaml +++ b/helm/hookshot/templates/configmap.yaml @@ -1,5 +1,5 @@ ---- {{- if not .Values.hookshot.existingConfigMap }} +--- apiVersion: v1 kind: ConfigMap metadata: @@ -12,10 +12,6 @@ metadata: {{ toYaml . | indent 4 }} {{- end }} data: - config.yml: | -{{ toYaml .Values.hookshot.config | indent 4 }} - registration.yml: | -{{ toYaml .Values.hookshot.registration | indent 4 }} - passkey.pem: | -{{ .Values.hookshot.passkey | indent 4 }} + config.yml: |- + {{- toYaml .Values.hookshot.config | nindent 4 }} {{- end }} diff --git a/helm/hookshot/templates/passkey-secret.yaml b/helm/hookshot/templates/passkey-secret.yaml new file mode 100644 index 000000000..bd3d8c030 --- /dev/null +++ b/helm/hookshot/templates/passkey-secret.yaml @@ -0,0 +1,17 @@ +{{- if not .Values.hookshot.existingSecret.passkey }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "hookshot.passkeySecretName" . }} + namespace: {{ template "hookshot.namespace" . }} + labels: + {{- include "hookshot.labels" . | nindent 4 }} +{{- with .Values.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +data: + passkey.pem: |- + {{ toYaml .Values.hookshot.passkey | nindent 4 }} +{{- end }} diff --git a/helm/hookshot/templates/registration-secret.yaml b/helm/hookshot/templates/registration-secret.yaml new file mode 100644 index 000000000..bf67e3bcc --- /dev/null +++ b/helm/hookshot/templates/registration-secret.yaml 
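Review bot: `data:` in a Kubernetes Secret must hold base64-encoded values, but `passkey.pem` in `passkey-secret.yaml` is rendered as a plain block scalar, so the API server rejects the object on install; `registration-secret.yaml` in the next hunk has the same defect. For a multi-line PEM string, `toYaml` additionally emits its own `|-` indicator and indentation, which would end up inside the file content, and the `{{ toYaml` without the `-` trim leaves a blank first line in the scalar. The simplest fix is `passkey.pem: {{ .Values.hookshot.passkey | b64enc | quote }}` here and `registration.yaml: {{ toYaml .Values.hookshot.registration | b64enc | quote }}` there; alternatively switch the key to `stringData:` and drop `toYaml` for the passkey. I would also fail the render when neither a value nor an existing Secret is given, e.g. `{{- required "hookshot.passkey must be set when hookshot.existingSecret.passkey is empty" .Values.hookshot.passkey | b64enc | quote }}`, rather than mounting an empty passkey.pem.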
@@ -0,0 +1,17 @@ +{{- if not .Values.hookshot.existingSecret.registration }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "hookshot.registrationSecretName" . }} + namespace: {{ template "hookshot.namespace" . }} + labels: + {{- include "hookshot.labels" . | nindent 4 }} +{{- with .Values.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +data: + registration.yaml: |- + {{- toYaml .Values.hookshot.registration | nindent 4 }} +{{- end }} diff --git a/helm/hookshot/values.yaml b/helm/hookshot/values.yaml index 6a8e0c21b..cb8972ff5 100644 --- a/helm/hookshot/values.yaml +++ b/helm/hookshot/values.yaml @@ -101,8 +101,17 @@ tolerations: [] # -- Affinity settings for deployment affinity: {} hookshot: + existingSecret: + # -- Name of existing Secret with valid Hookshot registration.yaml. + # If set, ignores hookshot.registration + registration: "" + # -- Name of existing Secret with valid Hookshot passkey.pem + # If set, ignores hookshot.passkey + passkey: "" + # -- Name of existing ConfigMap with valid Hookshot configuration - existingConfigMap: + existingConfigMap: "" + # -- Raw Hookshot configuration. Gets templated into a YAML file and then loaded unless an existingConfigMap is specified. config: # This is an example configuration file @@ -113,9 +122,9 @@ hookshot: mediaUrl: https://example.com port: 9993 bindAddress: 127.0.0.1 - passFile: passkey.pem - # A passkey used to encrypt tokens stored inside the bridge. + # -- A passkey used to encrypt tokens stored inside the bridge. # Run openssl genpkey -out passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096 to generate + passFile: /data/passkey.pem logging: # Logging settings. You can have a severity debug,info,warn,error level: info 
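Review bot: The Secret key in `registration-secret.yaml` is `registration.yaml`, while the ConfigMap entry this commit removes and the README's `kubectl create configmap` example both use `registration.yml`; if the container command or anything relying on `existingConfigMap` still references `/data/registration.yml` (not visible in this patch), the file projected into `/data` will not be found. Either keep the previous `registration.yml` name or update every reference, and state the chosen key name in the `existingSecret.registration` comment in values.yaml so users supplying their own Secret use it. Note as well that with the defaults `as_token: ""` and `hs_token: ""` this template renders a Secret with empty tokens; a `required` check on `hookshot.registration.as_token` and `hs_token` when `existingSecret.registration` is unset would surface that at template time instead of at bridge startup.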
@@ -298,4 +307,6 @@ hookshot: sender_localpart: hookshot url: "http://example.com" rate_limited: false + # -- A passkey used to encrypt tokens stored inside the bridge. + # Run openssl genpkey -out passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096 to generate passkey: ""
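Review bot: The new `passkey` comment in values.yaml says what the key is for and how to generate it, but not what value the chart expects: `passkey-secret.yaml` copies `.Values.hookshot.passkey` verbatim into the `passkey.pem` entry of the Secret projected into `/data`, so the value must be the full contents of the generated PEM file as a multi-line block scalar (`passkey: |`), not a file path. Suggest adding `# Set to the full contents of the generated passkey.pem (multi-line string); it is mounted at /data/passkey.pem, which must match hookshot.config.passFile.` Since this is an RSA private key, the comment should also point users to `existingSecret.passkey` as the preferred way to supply it, so the key is not kept in a committed values file.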