Adding existingSecret.registration and existingSecret.passkey; Always store registration and passkey data in a Kubernetes secret; use projected volume to ensure all data in one directory

Signed-off-by: jessebot <[email protected]>
jessebot committed Jul 5, 2024
1 parent 2763801 commit c073b97
Showing 7 changed files with 91 additions and 21 deletions.
15 changes: 9 additions & 6 deletions helm/hookshot/README.md
@@ -1,6 +1,6 @@
# hookshot

![Version: 0.1.13](https://img.shields.io/badge/Version-0.1.13-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 3.2.0](https://img.shields.io/badge/AppVersion-3.2.0-informational?style=flat-square)
![Version: 0.1.15](https://img.shields.io/badge/Version-0.1.15-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.0-replaced-by-ci](https://img.shields.io/badge/AppVersion-0.0.0--replaced--by--ci-informational?style=flat-square)
Deploy a Matrix Hookshot instance to Kubernetes

Status: Beta
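Review bot: the AppVersion badge on the new second line reads `0.0.0-replaced-by-ci`, so the committed README advertises a placeholder instead of the Hookshot version the chart deploys. If CI substitutes the real appVersion into Chart.yaml at release time, run helm-docs in that same step so the published README carries the real value, or remove the AppVersion badge from the helm-docs template.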
@@ -39,7 +39,7 @@ To configure Hookshot-specific parameters, the value `.Values.hookshot.config` a

## Existing configuration

If you have an existing configuration file for Hookshot, you can create a configmap like so:
If you have an existing configuration file for hookshot, you can create a configmap like so:

``` bash
kubectl create --namespace "your hookshot namespace" configmap hookshot-custom-config --from-file=config.yml --from-file=registration.yml --from-file=passkey.pem
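Review bot: the `kubectl create ... configmap hookshot-custom-config --from-file=config.yml --from-file=registration.yml --from-file=passkey.pem` example still places the appservice tokens and the RSA passkey in a ConfigMap, while this commit moves both into Secrets and adds `hookshot.existingSecret.registration` / `hookshot.existingSecret.passkey` to reference them. Update the section to create the ConfigMap from `config.yml` only, create the two Secrets with `kubectl create secret generic` (using the key names the new templates expect: `registration.yaml`, not `registration.yml`, and `passkey.pem`), and show the values that reference them. Otherwise users following the README keep a private key in a ConfigMap, which is typically readable by broader RBAC roles than Secrets and is not covered by encryption-at-rest configured for secrets only; projecting the same file name from both the ConfigMap and a Secret into `/data` should also be avoided.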
@@ -74,9 +74,12 @@ You'll need to configure your Ingress connectivity according to your environment
| affinity | object | `{}` | Affinity settings for deployment |
| autoscaling.enabled | bool | `false` | |
| fullnameOverride | string | `""` | Full name override for helm chart |
| hookshot.config | object | `{"bridge":{"bindAddress":"0.0.0.0","domain":"example.com","port":9002,"url":"https://example.com"},"generic":{"allowJsTransformationFunctions":true,"enableHttpGet":false,"enabled":true,"urlPrefix":"https://example.com/","userIdPrefix":"_webhooks_","waitForComplete":false},"listeners":[{"bindAddress":"0.0.0.0","port":9000,"resources":["webhooks","widgets"]},{"bindAddress":"0.0.0.0","port":9001,"resources":["metrics"]}],"logging":{"colorize":false,"json":false,"level":"info","timestampFormat":"HH:mm:ss:SSS"},"metrics":{"enabled":true},"passFile":"/data/passkey.pem","widgets":{"addToAdminRooms":false,"branding":{"widgetTitle":"Hookshot Configuration"},"publicUrl":"https://webhook-hookshot.example.com/widgetapi/v1/static","roomSetupWidget":{"addOnInvite":false},"setRoomName":false}}` | Raw Hookshot configuration. Gets templated into a YAML file and then loaded unless an existingConfigMap is specified. |
| hookshot.existingConfigMap | string | `nil` | Name of existing ConfigMap with valid Hookshot configuration |
| hookshot.passkey | string | `""` | |
| hookshot.config | object | `{"bridge":{"bindAddress":"127.0.0.1","domain":"example.com","mediaUrl":"https://example.com","port":9993,"url":"http://localhost:8008"},"listeners":[{"bindAddress":"0.0.0.0","port":9000,"resources":["webhooks"]},{"bindAddress":"127.0.0.1","port":9001,"resources":["metrics","provisioning"]},{"bindAddress":"0.0.0.0","port":9002,"resources":["widgets"]}],"logging":{"colorize":true,"json":false,"level":"info","timestampFormat":"HH:mm:ss:SSS"},"passFile":"/data/passkey.pem"}` | Raw Hookshot configuration. Gets templated into a YAML file and then loaded unless an existingConfigMap is specified. |
| hookshot.config.passFile | string | `"/data/passkey.pem"` | A passkey used to encrypt tokens stored inside the bridge. Run openssl genpkey -out passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096 to generate |
| hookshot.existingConfigMap | string | `""` | Name of existing ConfigMap with valid Hookshot configuration |
| hookshot.existingSecret.passkey | string | `""` | Name of existing Secret with valid Hookshot passkey.pem If set, ignores hookshot.passkey |
| hookshot.existingSecret.registration | string | `""` | Name of existing Secret with valid Hookshot registration.yaml. If set, ignores hookshot.registration |
| hookshot.passkey | string | `""` | A passkey used to encrypt tokens stored inside the bridge. Run openssl genpkey -out passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096 to generate |
| hookshot.registration.as_token | string | `""` | |
| hookshot.registration.hs_token | string | `""` | |
| hookshot.registration.id | string | `"matrix-hookshot"` | |
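Review bot: the regenerated `hookshot.config` default now binds the bridge listener to loopback (`"bridge":{"bindAddress":"127.0.0.1", ... "port":9993}`); inside a pod that address is reachable only from containers in the same pod, so a homeserver running elsewhere in the cluster cannot deliver appservice transactions, and `_pod.tpl` declares no `containerPort` for 9993. Either default the bridge to `0.0.0.0` and expose the port (the endpoint is protected by `hs_token`, which the homeserver presents on every call), or document in the README that users must change both. Minor: the `hookshot.existingSecret.passkey` description is missing a period before "If set".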
@@ -119,4 +122,4 @@ You'll need to configure your Ingress connectivity according to your environment
| tolerations | list | `[]` | Tolerations for deployment |

----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)
Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1)
22 changes: 22 additions & 0 deletions helm/hookshot/templates/_helpers.tpl
@@ -35,6 +35,28 @@ Helper for configmap name
{{- end }}
{{- end }}

{{/*
Helper for secret name for registration
*/}}
{{- define "hookshot.registrationSecretName" -}}
{{- if .Values.hookshot.existingSecret.registration }}
{{- printf "%s" .Values.hookshot.existingSecret.registration -}}
{{- else }}
{{- printf "%s-registration-secret" (include "hookshot.fullname" .) | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}

{{/*
Helper for secret name for passkey.pem
*/}}
{{- define "hookshot.passkeySecretName" -}}
{{- if .Values.hookshot.existingSecret.passkey }}
{{- printf "%s" .Values.hookshot.existingSecret.passkey -}}
{{- else }}
{{- printf "%s-passkey-secret" (include "hookshot.fullname" .) | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}

{{/*
Create chart name and version as used by the chart label.
*/}}
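Review bot: `printf "%s-registration-secret" (include "hookshot.fullname" .) | trunc 63 | trimSuffix "-"` truncates from the end, so for a release whose fullname is already close to 63 characters the `-registration-secret` and `-passkey-secret` suffixes are cut off and both helpers return the same (or a clashing) name, and the two Secret templates then overwrite each other. Truncate the fullname before appending the suffix instead, e.g. `printf "%s-registration-secret" (include "hookshot.fullname" . | trunc 43 | trimSuffix "-")`, and the same for the passkey helper with its shorter suffix. The user-supplied branch passing `existingSecret.*` through verbatim is fine.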
14 changes: 9 additions & 5 deletions helm/hookshot/templates/_pod.tpl
@@ -43,10 +43,8 @@ containers:
{{- toYaml .Values.containerSecurityContext | nindent 6 }}
{{- end }}
volumeMounts:
{{- if or (and (not .Values.hookshot.existingConfigMap) (.Values.hookshot.config)) (.Values.hookshot.existingConfigMap) }}
- name: config
mountPath: "/data"
{{- end }}
ports:
- name: webhook
containerPort: 9000
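Review bot: removing the `if or ...` guard makes the `/data` mount unconditional, which matches the volume now being defined unconditionally below, but the dropped condition also covered the case where neither `hookshot.config` nor `existingConfigMap` is set; that case now renders a ConfigMap whose `config.yml` is just `null` and the bridge fails only at start-up. A `required "hookshot.config or hookshot.existingConfigMap must be set"` in configmap.yaml would fail at `helm install` instead. Adding `readOnly: true` to the mount is worth doing for intent as well, even though the kubelet already mounts projected volumes read-only, since the directory now holds the RSA passkey and both appservice tokens.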
@@ -58,7 +56,7 @@ containers:
containerPort: 9002
protocol: TCP
env:

envFrom:
{{- if .Values.envFromSecret }}
- secretRef:
@@ -109,8 +107,14 @@ tolerations:
{{- end }}
volumes:
- name: config
configMap:
name: {{ template "hookshot.configMapName" . }}
projected:
sources:
configMap:
name: {{ template "hookshot.configMapName" . }}
secret:
secretName: {{ template "hookshot.registrationSecretName" . }}
secret:
secretName: {{ template "hookshot.passkeySecretName" . }}
{{- $root := . }}
{{- range .Values.extraConfigmapMounts }}
- name: {{ tpl .name $root }}
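Review bot: `projected.sources` must be a list, but as shown the three entries `configMap:`, `secret:`, `secret:` are sibling keys under `sources:` with no `- ` markers; the duplicated `secret` key means at most one Secret survives YAML parsing, and the API server rejects a `sources` value that is not an array. Render them as `- configMap:` / `- secret:` / `- secret:` with the `name:` and `secretName:` lines indented beneath each item. While here, set `defaultMode: 0400` on the projected volume (or an `items:` entry with `mode: 0400` for `passkey.pem`) together with a matching `runAsUser` or `fsGroup` in the pod security context, so the RSA private key is not world-readable inside the container.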
10 changes: 3 additions & 7 deletions helm/hookshot/templates/configmap.yaml
@@ -1,5 +1,5 @@
---
{{- if not .Values.hookshot.existingConfigMap }}
---
apiVersion: v1
kind: ConfigMap
metadata:
@@ -12,10 +12,6 @@ metadata:
{{ toYaml . | indent 4 }}
{{- end }}
data:
config.yml: |
{{ toYaml .Values.hookshot.config | indent 4 }}
registration.yml: |
{{ toYaml .Values.hookshot.registration | indent 4 }}
passkey.pem: |
{{ .Values.hookshot.passkey | indent 4 }}
config.yml: |-
{{- toYaml .Values.hookshot.config | nindent 4 }}
{{- end }}
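Review bot: with `registration.yml` and `passkey.pem` removed from this ConfigMap, the registration file now arrives under the Secret key `registration.yaml` (a different name) while `config.yml` keeps `passFile: /data/passkey.pem`; check that the container command or args, which are not in this diff, point at `/data/registration.yaml` rather than the `registration.yml` name the ConfigMap used to provide, or keep the old file name in registration-secret.yaml. The `config.yml: |-` plus `{{- toYaml ... | nindent 4 }}` form is correct for a map value.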
17 changes: 17 additions & 0 deletions helm/hookshot/templates/passkey-secret.yaml
@@ -0,0 +1,17 @@
{{- if not .Values.hookshot.existingSecret.passkey }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ template "hookshot.passkeySecretName" . }}
namespace: {{ template "hookshot.namespace" . }}
labels:
{{- include "hookshot.labels" . | nindent 4 }}
{{- with .Values.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
data:
passkey.pem: |-
{{ toYaml .Values.hookshot.passkey | nindent 4 }}
{{- end }}
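Review bot: values under `data:` must be base64-encoded, but `passkey.pem: |-` followed by `{{ toYaml .Values.hookshot.passkey | nindent 4 }}` writes the raw PEM, so the API server rejects the Secret with an illegal base64 error. Either switch the key to `stringData:` and emit the value directly (`passkey.pem: |-` / `{{- .Values.hookshot.passkey | nindent 4 }}`), or keep `data:` and write `passkey.pem: {{ .Values.hookshot.passkey | b64enc | quote }}`. Drop `toYaml` on a string in any case: for a multi-line value it prepends its own block indicator (`|` or `|-`), so the mounted file would start with that line and not parse as a key. Finally, the Secret is rendered even when `hookshot.passkey` is empty, giving an empty file at `passFile`; guard with `{{ required "set hookshot.passkey or hookshot.existingSecret.passkey" .Values.hookshot.passkey }}` so `helm install` fails instead of the bridge.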
17 changes: 17 additions & 0 deletions helm/hookshot/templates/registration-secret.yaml
@@ -0,0 +1,17 @@
{{- if not .Values.hookshot.existingSecret.registration }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ template "hookshot.registrationSecretName" . }}
namespace: {{ template "hookshot.namespace" . }}
labels:
{{- include "hookshot.labels" . | nindent 4 }}
{{- with .Values.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
data:
registration.yaml: |-
{{- toYaml .Values.hookshot.registration | nindent 4 }}
{{- end }}
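Review bot: same base64 problem as in passkey-secret.yaml: `data:` must hold base64, but `{{- toYaml .Values.hookshot.registration | nindent 4 }}` emits plain YAML, so the API server rejects the Secret. Switching to `stringData:` is enough here, since `toYaml` of the registration map is exactly the file content wanted. Also `registration.as_token` and `registration.hs_token` default to `""`, so a release installed without them silently produces a registration with empty tokens that the homeserver will accept from anyone who can reach the bridge; a `required` on both, applied only when `existingSecret.registration` is unset, would catch that at install time.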
17 changes: 14 additions & 3 deletions helm/hookshot/values.yaml
@@ -101,8 +101,17 @@ tolerations: []
# -- Affinity settings for deployment
affinity: {}
hookshot:
existingSecret:
# -- Name of existing Secret with valid Hookshot registration.yaml.
# If set, ignores hookshot.registration
registration: ""
# -- Name of existing Secret with valid Hookshot passkey.pem
# If set, ignores hookshot.passkey
passkey: ""

# -- Name of existing ConfigMap with valid Hookshot configuration
existingConfigMap:
existingConfigMap: ""

# -- Raw Hookshot configuration. Gets templated into a YAML file and then loaded unless an existingConfigMap is specified.
config:
# This is an example configuration file
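Review bot: the `existingSecret.registration` / `existingSecret.passkey` comments should name the keys the Secret must carry (`registration.yaml` and `passkey.pem`) and say the Secret has to be in the release namespace, because `_pod.tpl` projects the whole Secret into `/data` without an `items:` mapping and the file names come from its keys; a Secret built with `--from-file=registration.yml` would be mounted under that name and never read. Changing `existingConfigMap` from unset to `""` is compatible with the `if not` checks in the templates.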
@@ -113,9 +122,9 @@ hookshot:
mediaUrl: https://example.com
port: 9993
bindAddress: 127.0.0.1
passFile: passkey.pem
# A passkey used to encrypt tokens stored inside the bridge.
# -- A passkey used to encrypt tokens stored inside the bridge.
# Run openssl genpkey -out passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096 to generate
passFile: /data/passkey.pem
logging:
# Logging settings. You can have a severity debug,info,warn,error
level: info
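Review bot: the comment now attached to `passFile` (`# -- A passkey used to encrypt tokens stored inside the bridge.` plus the openssl line) describes the key, not the path, and because of the `# --` marker helm-docs lifts it into the README as the description of `hookshot.config.passFile`. Reword it to describe the mount path (`/data/passkey.pem`, which must match the `passkey.pem` key projected from the passkey Secret) and leave the openssl instructions on `hookshot.passkey` only. Moving from the relative `passkey.pem` to the absolute `/data/passkey.pem` is the right change, since it no longer depends on the container's working directory.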
@@ -298,4 +307,6 @@ hookshot:
sender_localpart: hookshot
url: "http://example.com"
rate_limited: false
# -- A passkey used to encrypt tokens stored inside the bridge.
# Run openssl genpkey -out passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096 to generate
passkey: ""
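Review bot: `hookshot.passkey` takes the PEM-encoded RSA private key as a plain chart value; anything set here lives in every values file that carries it and in the Helm release record (Helm 3 stores release values in a Secret named `sh.helm.release.v1.<release>.v<revision>` in the release namespace), so the key ends up in at least two Secrets plus the repo. The comment should steer users to `existingSecret.passkey`, and for the inline path recommend `--set-file hookshot.passkey=passkey.pem` rather than pasting the key into values.yaml, since `--set` cannot carry a multi-line value.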
