Merge changes Ic148ff25,I131049da,Ib1054844,Id9c47f61
* changes:
kube/redis: fix /data partition permissions
app/matrix/matrix.hackerspace.pl: migrate to matrix-ng
app/matrix: backport matrix.metadata(component) into matrix-ng
app/matrix/matrix.hackerspace.pl: update appservice-irc-freenode node
diff --git a/app/matrix/lib/matrix-ng.libsonnet b/app/matrix/lib/matrix-ng.libsonnet
index 976b8b5..5c0ef2a 100644
--- a/app/matrix/lib/matrix-ng.libsonnet
+++ b/app/matrix/lib/matrix-ng.libsonnet
@@ -23,6 +23,11 @@
# .riotConfig → .riot.config
# .synapseConfig → .synapse.config
#
+# When migrating from CAS to OpenID Connect authentication scheme following need
+# to be ensured:
+# * https://{homeserver}/_synapse/oidc/callback is added to allowed callback URLs list
+# * openid scope is enabled for configured client
+#
# Sequencing appservices is fun. The appservice needs to run first (for
# instance, via a bootstrap job), and on startup it will spit out a
# registration file. This registration file then needs to be fed to synapse -
@@ -117,6 +122,17 @@
wellKnown: false,
},
+ # DEPRECATED: this needs to be removed in favor of namespace.Contain() in
+ # modules that depend on this (appservices/instance defintions)
+ metadata(component):: {
+ namespace: cfg.namespace,
+ labels: {
+ "app.kubernetes.io/name": "matrix",
+ "app.kubernetes.io/managed-by": "kubecfg",
+ "app.kubernetes.io/component": component,
+ },
+ },
+
namespace: kube.Namespace(cfg.namespace),
postgres3: postgres {
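Review bot: The deprecation comment added above `metadata(component)::` has a typo, `defintions` → `definitions`, and would read better as `# DEPRECATED: remove in favor of namespace.Contain() in modules that depend on this (appservices/instance definitions).` Since the helper is introduced already deprecated, it is also worth stating in that comment which callers still rely on it (the hunk itself shows none), so the follow-up removal has a checklist. The enclosing object continues outside the hunk.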
diff --git a/app/matrix/matrix.hackerspace.pl.jsonnet b/app/matrix/matrix.hackerspace.pl.jsonnet
index 6488fbb..7e6deea 100644
--- a/app/matrix/matrix.hackerspace.pl.jsonnet
+++ b/app/matrix/matrix.hackerspace.pl.jsonnet
@@ -1,4 +1,4 @@
-local matrix = import "lib/matrix.libsonnet";
+local matrix = import "lib/matrix-ng.libsonnet";
local irc = import "lib/appservice-irc.libsonnet";
local telegram = import "lib/appservice-telegram.libsonnet";
@@ -9,15 +9,15 @@
namespace: "matrix",
webDomain: "matrix.hackerspace.pl",
serverName: "hackerspace.pl",
- cas: {
+ oidc+: {
enable: true,
- oauth2: {
- clientID: "matrix",
- clientSecret: { secretKeyRef: { name: "oauth2-cas-proxy", key: "oauth2_secret" } },
- scope: "profile:read",
- authorizeURL: "https://sso.hackerspace.pl/oauth/authorize",
- tokenURL: "https://sso.hackerspace.pl/oauth/token",
- userinfoURL: "https://sso.hackerspace.pl/api/1/profile",
+ config+: {
+ allow_existing_users: true,
+ issuer: "https://sso.hackerspace.pl",
+ client_id: "matrix",
+ client_secret: { secretKeyRef: { name: "oauth2-cas-proxy", key: "oauth2_secret" } },
+ user_profile_method: "userinfo_endpoint",
+ client_auth_method: "client_secret_post",
},
},
},
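Review bot: `allow_existing_users: true` lets an OIDC login be attached to a pre-existing Synapse account whose localpart matches the mapped identity, so account ownership now rests entirely on the issuer at `https://sso.hackerspace.pl` never returning a claim that maps to somebody else's localpart; that assumption should be written down next to the flag, e.g. `// allow_existing_users: SSO is the single identity source; localparts are bound to it.` No `user_mapping_provider` or `localpart_template` appears in the hunk, so the mapping presumably falls back to Synapse's default provider — worth confirming against the matrix-ng lib that the resulting localpart is the same one the CAS flow produced, otherwise existing users get fresh accounts. The `client_secret` still points at the `oauth2-cas-proxy` secret; if that is the same credential the CAS proxy used, consider whether it should be rotated as part of the migration. The enclosing config object continues outside the hunk.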
@@ -30,7 +30,7 @@
metadata: app.metadata("appservice-irc-freenode"),
// TODO(q3k): add labels to blessed nodes
nodeSelector: {
- "kubernetes.io/hostname": "bc01n03.hswaw.net",
+ "kubernetes.io/hostname": "bc01n02.hswaw.net",
},
config+: {
homeserver+: {
diff --git a/kube/redis.libsonnet b/kube/redis.libsonnet
index e596ac2..6c69d2b 100644
--- a/kube/redis.libsonnet
+++ b/kube/redis.libsonnet
@@ -81,6 +81,8 @@
},
securityContext: {
runAsUser: 100,
+ runAsGroup: 101,
+ fsGroup: 101,
},
},
},
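Review bot: `fsGroup` is only a PodSecurityContext field — it is not accepted on a container-level `securityContext` — so this only fixes the `/data` ownership if the `securityContext` at the top of the hunk is the pod-level one under `spec`; the nesting is not visible here and should be confirmed. While touching this block, `runAsNonRoot: true,` alongside `runAsUser: 100` makes the non-root intent explicit and enforced at admission rather than implied by the uid. A short comment such as `# uid/gid 100/101 match the redis image user; fsGroup gives the data volume that gid` would explain where the numbers come from.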