senset/helm
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

matrix

Browse Source
This commit is contained in:
Sense T
2025-01-13 20:43:26 +08:00
parent 5536b90ffa
commit e00474109d
87 changed files with 9755 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

68
matrix/dendrite/templates/_helpers.tpl Normal file
View File

@@ -0,0 +1,68 @@
{{- define "validate.config" }}
{{- if and (not .Values.signing_key.create) (eq .Values.signing_key.existingSecret "") -}}
{{- fail "You must create a signing key for configuration.signing_key OR specify an existing secret name in .Values.signing_key.existingSecret to mount it. (see https://github.com/matrix-org/dendrite/blob/master/docs/INSTALL.md#server-key-generation)" -}}
{{- end -}}
{{- if and (not .Values.postgresql.enabled) (eq .Values.dendrite_config.global.database.connection_string "") -}}
{{- fail "Database connection string must be set." -}}
{{- end -}}
{{- end -}}
{{- define "image.name" -}}
{{- with .Values.image -}}
image: {{ .repository }}:{{ .tag | default (printf "v%s" $.Chart.AppVersion) }}
imagePullPolicy: {{ .pullPolicy }}
{{- end -}}
{{- end -}}
{{/*
Expand the name of the chart.
*/}}
{{- define "dendrite.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "dendrite.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "dendrite.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "dendrite.labels" -}}
helm.sh/chart: {{ include "dendrite.chart" . }}
{{ include "dendrite.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "dendrite.selectorLabels" -}}
app.kubernetes.io/name: {{ include "dendrite.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}

16
matrix/dendrite/templates/_overrides.yaml Normal file
View File

@@ -0,0 +1,16 @@
{{- define "override.config" }}
{{- if .Values.postgresql.enabled }}
{{- $_ := set .Values.dendrite_config.global.database "connection_string" (print "postgresql://" .Values.postgresql.auth.username ":" .Values.postgresql.auth.password "@" .Release.Name "-postgresql/dendrite?sslmode=disable") -}}
{{ end }}
global:
private_key: /etc/dendrite/secrets/signing.key
jetstream:
in_memory: false
{{ if (gt (len (.Files.Glob "appservices/*")) 0) }}
app_service_api:
config_files:
{{- range $x, $y := .Files.Glob "appservices/*" }}
- /etc/dendrite/appservices/{{ base $x }}
{{ end }}
{{ end }}
{{ end }}

16
matrix/dendrite/templates/configmap_grafana_dashboards.yaml Normal file
View File

@@ -0,0 +1,16 @@
{{- if .Values.grafana.dashboards.enabled }}
{{- range $path, $bytes := .Files.Glob "grafana_dashboards/*.json" }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "dendrite.fullname" $ }}-grafana-dashboards-{{ base $path }}
labels:
{{- include "dendrite.labels" $ | nindent 4 }}
{{- toYaml $.Values.grafana.dashboards.labels | nindent 4 }}
annotations:
{{- toYaml $.Values.grafana.dashboards.annotations | nindent 4 }}
data:
{{- ($.Files.Glob $path ).AsConfig | nindent 2 }}
{{- end }}
{{- end }}

115
matrix/dendrite/templates/deployment.yaml Normal file
View File

@@ -0,0 +1,115 @@
{{ template "validate.config" . }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
namespace: {{ $.Release.Namespace }}
name: {{ include "dendrite.fullname" . }}
labels:
{{- include "dendrite.labels" . | nindent 4 }}
spec:
selector:
matchLabels:
{{- include "dendrite.selectorLabels" . | nindent 6 }}
replicas: 1
strategy:
type: {{ $.Values.strategy.type }}
{{- if eq $.Values.strategy.type "RollingUpdate" }}
rollingUpdate:
maxSurge: {{ $.Values.strategy.rollingUpdate.maxSurge }}
maxUnavailable: {{ $.Values.strategy.rollingUpdate.maxUnavailable }}
{{- end }}
template:
metadata:
labels:
{{- include "dendrite.selectorLabels" . | nindent 8 }}
annotations:
confighash: secret-{{ .Values.dendrite_config | toYaml | sha256sum | trunc 32 }}
spec:
volumes:
- name: {{ include "dendrite.fullname" . }}-conf-vol
secret:
secretName: {{ include "dendrite.fullname" . }}-conf
- name: {{ include "dendrite.fullname" . }}-signing-key
secret:
secretName: {{ default (print ( include "dendrite.fullname" . ) "-signing-key") $.Values.signing_key.existingSecret | quote }}
{{- if (gt (len ($.Files.Glob "appservices/*")) 0) }}
- name: {{ include "dendrite.fullname" . }}-appservices
secret:
secretName: {{ include "dendrite.fullname" . }}-appservices-conf
{{- end }}
- name: {{ include "dendrite.fullname" . }}-jetstream
persistentVolumeClaim:
claimName: {{ default (print ( include "dendrite.fullname" . ) "-jetstream-pvc") $.Values.persistence.jetstream.existingClaim | quote }}
- name: {{ include "dendrite.fullname" . }}-media
persistentVolumeClaim:
claimName: {{ default (print ( include "dendrite.fullname" . ) "-media-pvc") $.Values.persistence.media.existingClaim | quote }}
- name: {{ include "dendrite.fullname" . }}-search
persistentVolumeClaim:
claimName: {{ default (print ( include "dendrite.fullname" . ) "-search-pvc") $.Values.persistence.search.existingClaim | quote }}
{{- with .Values.extraVolumes }}
{{ . | toYaml | nindent 6 }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
{{- include "image.name" . | nindent 8 }}
args:
- '--config'
- '/etc/dendrite/dendrite.yaml'
ports:
- name: http
containerPort: 8008
protocol: TCP
{{- if $.Values.dendrite_config.global.profiling.enabled }}
env:
- name: PPROFLISTEN
value: "localhost:{{- $.Values.dendrite_config.global.profiling.port -}}"
{{- end }}
env:
- name: HTTPS_PROXY
value: "socks5://proxy:1080"
resources:
{{- toYaml $.Values.resources | nindent 10 }}
volumeMounts:
- mountPath: /etc/dendrite/
name: {{ include "dendrite.fullname" . }}-conf-vol
- mountPath: /etc/dendrite/secrets/
name: {{ include "dendrite.fullname" . }}-signing-key
{{- if (gt (len ($.Files.Glob "appservices/*")) 0) }}
- mountPath: /etc/dendrite/appservices
name: {{ include "dendrite.fullname" . }}-appservices
readOnly: true
{{ end }}
- mountPath: {{ .Values.dendrite_config.media_api.base_path }}
name: {{ include "dendrite.fullname" . }}-media
- mountPath: {{ .Values.dendrite_config.global.jetstream.storage_path }}
name: {{ include "dendrite.fullname" . }}-jetstream
- mountPath: {{ .Values.dendrite_config.sync_api.search.index_path }}
name: {{ include "dendrite.fullname" . }}-search
{{- with .Values.extraVolumeMounts }}
{{ . | toYaml | nindent 8 }}
{{- end }}
livenessProbe:
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 10
httpGet:
path: /_dendrite/monitor/health
port: http
readinessProbe:
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 10
httpGet:
path: /_dendrite/monitor/health
port: http
startupProbe:
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 10
httpGet:
path: /_dendrite/monitor/up
port: http

116
matrix/dendrite/templates/ingress.yaml Normal file
View File

@@ -0,0 +1,116 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "dendrite.fullname" . -}}
{{- $serverNameHost := .Values.dendrite_config.global.server_name -}}
{{- $wellKnownServerHost := default $serverNameHost (regexFind "^(\\[.+\\])?[^:]*" .Values.dendrite_config.global.well_known_server_name) -}}
{{- $wellKnownClientHost := default $serverNameHost (regexFind "//(\\[.+\\])?[^:/]*" .Values.dendrite_config.global.well_known_client_name | trimAll "/") -}}
{{- $allHosts := list $serverNameHost $wellKnownServerHost $wellKnownClientHost | uniq -}}
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1
{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}
labels:
{{- include "dendrite.labels" . | nindent 4 }}
annotations:
{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
kubernetes.io/ingress.class: {{ .Values.ingress.className }}
{{- end }}
{{- with .Values.ingress.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
ingressClassName: {{ .Values.ingress.className }}
{{- end }}
{{- if kindIs "slice" .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- else if .Values.ingress.tls.generate }}
tls:
- hosts:
{{- range $allHosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ $fullName }}-ingress-tls
{{- end }}
rules:
{{- if .Values.ingress.hostName }}
- host: {{ .Values.ingress.hostName | quote }}
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
service:
name: {{ $fullName }}
port:
number: {{ $.Values.service.port }}
{{- else }}
serviceName: {{ $fullName }}
servicePort: http
{{- end }}
{{- else }}
- host: {{ $serverNameHost | quote }}
http:
paths:
- path: /.well-known/matrix
pathType: Prefix
backend:
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
service:
name: {{ $fullName }}
port:
number: {{ $.Values.service.port }}
{{- else }}
serviceName: {{ $fullName }}
servicePort: http
{{- end }}
- host: {{ $wellKnownServerHost | quote }}
http:
paths:
{{- range list "/_matrix/key" "/_matrix/federation" }}
- path: {{ . | quote }}
pathType: Prefix
backend:
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
service:
name: {{ $fullName }}
port:
number: {{ $.Values.service.port }}
{{- else }}
serviceName: {{ $fullName }}
servicePort: http
{{- end }}
{{- end }}
- host: {{ $wellKnownClientHost | quote }}
http:
paths:
{{- range list "/_matrix/client" "/_matrix/media" }}
- path: {{ . | quote }}
pathType: Prefix
backend:
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
service:
name: {{ $fullName }}
port:
number: {{ $.Values.service.port }}
{{- else }}
serviceName: {{ $fullName }}
servicePort: http
{{- end }}
{{- end }}
{{- end }}
{{- end }}

100
matrix/dendrite/templates/jobs.yaml Normal file
View File

@@ -0,0 +1,100 @@
{{ if and .Values.signing_key.create (not .Values.signing_key.existingSecret ) }}
{{ $name := (print ( include "dendrite.fullname" . ) "-signing-key") }}
{{ $secretName := (print ( include "dendrite.fullname" . ) "-signing-key") }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ $name }}
labels:
app.kubernetes.io/component: signingkey-job
{{- include "dendrite.labels" . | nindent 4 }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ $name }}
labels:
app.kubernetes.io/component: signingkey-job
{{- include "dendrite.labels" . | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- secrets
resourceNames:
- {{ $secretName }}
verbs:
- get
- update
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ $name }}
labels:
app.kubernetes.io/component: signingkey-job
{{- include "dendrite.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ $name }}
subjects:
- kind: ServiceAccount
name: {{ $name }}
namespace: {{ .Release.Namespace }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: generate-signing-key
labels:
{{- include "dendrite.labels" . | nindent 4 }}
spec:
template:
spec:
restartPolicy: "Never"
serviceAccount: {{ $name }}
containers:
- name: upload-key
image: {{ $.Values.image.kubectl }}
command:
- sh
- -c
- |
# check if key already exists
key=$(kubectl get secret {{ $secretName }} -o jsonpath="{.data['signing\.key']}" 2> /dev/null)
[ $? -ne 0 ] && echo "Failed to get existing secret" && exit 1
[ -n "$key" ] && echo "Key already created, exiting." && exit 0
# wait for signing key
while [ ! -f /etc/dendrite/signing-key.pem ]; do
echo "Waiting for signing key.."
sleep 5;
done
# update secret
kubectl patch secret {{ $secretName }} -p "{\"data\":{\"signing.key\":\"$(base64 /etc/dendrite/signing-key.pem | tr -d '\n')\"}}"
[ $? -ne 0 ] && echo "Failed to update secret." && exit 1
echo "Signing key successfully created."
volumeMounts:
- mountPath: /etc/dendrite/
name: signing-key
readOnly: true
- name: generate-key
{{- include "image.name" . | nindent 8 }}
command:
- sh
- -c
- |
/usr/bin/generate-keys -private-key /etc/dendrite/signing-key.pem
chown 1001:1001 /etc/dendrite/signing-key.pem
volumeMounts:
- mountPath: /etc/dendrite/
name: signing-key
volumes:
- name: signing-key
emptyDir: {}
parallelism: 1
completions: 1
backoffLimit: 1
{{ end }}

18
matrix/dendrite/templates/prometheus-rules.yaml Normal file
View File

@@ -0,0 +1,18 @@
{{- if and ( .Values.prometheus.rules.enabled ) ( .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" ) }}
---
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: {{ include "dendrite.fullname" . }}
labels:
{{- include "dendrite.labels" . | nindent 4 }}
{{- with .Values.prometheus.rules.labels }}
{{- . | toYaml | nindent 4 }}
{{- end }}
spec:
groups:
{{- if .Values.prometheus.rules.additionalRules }}
- name: {{ template "dendrite.name" . }}-Additional
rules: {{- toYaml .Values.prometheus.rules.additionalRules | nindent 4 }}
{{- end }}
{{- end }}

69
matrix/dendrite/templates/pvc.yaml Normal file
View File

@@ -0,0 +1,69 @@
{{ if not .Values.persistence.media.existingClaim }}
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
annotations:
helm.sh/resource-policy: keep
name: {{ include "dendrite.fullname" . }}-media-pvc
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: {{ .Values.persistence.media.capacity }}
{{ $storageClass := .Values.persistence.media.storageClass | default .Values.persistence.storageClass }}
{{- if $storageClass }}
{{- if (eq "-" $storageClass) }}
storageClassName: ""
{{- else }}
storageClassName: "{{ $storageClass }}"
{{- end }}
{{- end }}
{{ end }}
{{ if not .Values.persistence.jetstream.existingClaim }}
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
annotations:
helm.sh/resource-policy: keep
name: {{ include "dendrite.fullname" . }}-jetstream-pvc
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: {{ .Values.persistence.jetstream.capacity }}
{{ $storageClass := .Values.persistence.jetstream.storageClass | default .Values.persistence.storageClass }}
{{- if $storageClass }}
{{- if (eq "-" $storageClass) }}
storageClassName: ""
{{- else }}
storageClassName: "{{ $storageClass }}"
{{- end }}
{{- end }}
{{ end }}
{{ if not .Values.persistence.search.existingClaim }}
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
annotations:
helm.sh/resource-policy: keep
name: {{ include "dendrite.fullname" . }}-search-pvc
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: {{ .Values.persistence.search.capacity }}
{{ $storageClass := .Values.persistence.search.storageClass | default .Values.persistence.storageClass }}
{{- if $storageClass }}
{{- if (eq "-" $storageClass) }}
storageClassName: ""
{{- else }}
storageClassName: "{{ $storageClass }}"
{{- end }}
{{- end }}
{{ end }}

45
matrix/dendrite/templates/secrets.yaml Normal file
View File

@@ -0,0 +1,45 @@
{{- if (gt (len (.Files.Glob "appservices/*")) 0) }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ include "dendrite.fullname" . }}-appservices-conf
type: Opaque
data:
{{ (.Files.Glob "appservices/*").AsSecrets | indent 2 }}
{{- end }}
{{- if and .Values.signing_key.create (not .Values.signing_key.existingSecret) }}
---
apiVersion: v1
kind: Secret
metadata:
annotations:
helm.sh/resource-policy: keep
name: {{ include "dendrite.fullname" . }}-signing-key
type: Opaque
{{- end }}
{{- with .Values.dendrite_config.global.metrics }}
{{- if .enabled }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ include "dendrite.fullname" $ }}-metrics-basic-auth
type: Opaque
stringData:
user: {{ .basic_auth.user | quote }}
password: {{ .basic_auth.password | quote }}
{{- end }}
{{- end }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ include "dendrite.fullname" . }}-conf
type: Opaque
stringData:
dendrite.yaml: |
{{ toYaml ( mustMergeOverwrite .Values.dendrite_config ( fromYaml (include "override.config" .) ) .Values.dendrite_config ) | nindent 4 }}

17
matrix/dendrite/templates/service.yaml Normal file
View File

@@ -0,0 +1,17 @@
{{ template "validate.config" . }}
---
apiVersion: v1
kind: Service
metadata:
namespace: {{ $.Release.Namespace }}
name: {{ include "dendrite.fullname" . }}
labels:
{{- include "dendrite.labels" . | nindent 4 }}
spec:
selector:
{{- include "dendrite.selectorLabels" . | nindent 4 }}
ports:
- name: http
protocol: TCP
port: {{ .Values.service.port }}
targetPort: http

28
matrix/dendrite/templates/servicemonitor.yaml Normal file
View File

@@ -0,0 +1,28 @@
{{- if and
(and .Values.prometheus.servicemonitor.enabled .Values.dendrite_config.global.metrics.enabled )
( .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" )
}}
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ include "dendrite.fullname" . }}
labels:
{{- include "dendrite.labels" . | nindent 4 }}
{{- with .Values.prometheus.servicemonitor.labels }}
{{- . | toYaml | nindent 4 }}
{{- end }}
spec:
endpoints:
- port: http
basicAuth:
username:
name: {{ include "dendrite.fullname" . }}-metrics-basic-auth
key: "user"
password:
name: {{ include "dendrite.fullname" . }}-metrics-basic-auth
key: "password"
selector:
matchLabels:
{{- include "dendrite.selectorLabels" . | nindent 6 }}
{{- end }}

17
matrix/dendrite/templates/tests/test-version.yaml Normal file
View File

@@ -0,0 +1,17 @@
---
apiVersion: v1
kind: Pod
metadata:
name: "{{ include "dendrite.fullname" . }}-test-version"
labels:
{{- include "dendrite.selectorLabels" . | nindent 4 }}
annotations:
"helm.sh/hook": test
spec:
containers:
- name: curl
image: curlimages/curl
imagePullPolicy: IfNotPresent
args:
- 'http://{{- include "dendrite.fullname" . -}}:8008/_matrix/client/versions'
restartPolicy: Never