app/matrix: initial oauth2/casproxy setup
diff --git a/app/matrix/prod.jsonnet b/app/matrix/prod.jsonnet
index baa48e4..a105d8f 100644
--- a/app/matrix/prod.jsonnet
+++ b/app/matrix/prod.jsonnet
@@ -1,6 +1,7 @@
# matrix.hackerspace.pl, a matrix/synapse instance
# This needs a secret provisioned, create with:
# kubectl -n matrix create secret generic synapse --from-literal=postgres_password=$(pwgen 24 1)
+# kubectl -n matrix create secret generic oauth2-cas-proxy --from-literal=oauth2_secret=...
# kubectl -n matrix create secret generic appservice-irc-freenode-registration --from-file=registration.yaml=<(kubectl logs -n matrix $(kubectl get pods -n matrix --selector=job-name=appservice-irc-freenode-bootstrap --output=jsonpath='{.items[*].metadata.name}') | tail -n +4)
local kube = import "../../kube/kube.libsonnet";
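Review bot: The new provisioning line at `oauth2-cas-proxy --from-literal=oauth2_secret=...` puts the OAuth2 client secret on the command line, where it lands in shell history and is visible to other users via the process list while kubectl runs. For a long-lived credential that is registered with the identity provider this is worth avoiding; the existing `postgres_password=$(pwgen 24 1)` line has the same exposure but at least generates the value locally. Suggest documenting the file-based form instead, e.g. `kubectl -n matrix create secret generic oauth2-cas-proxy --from-file=oauth2_secret=/dev/stdin` (paste the secret, then Ctrl-D), and noting that the value must match what the OAuth2 provider has on file for the `matrix` client, since nothing in this repo can validate that.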
@@ -17,6 +18,7 @@
synapseImage: "matrixdotorg/synapse:v0.99.4",
riotImage: "bubuntux/riot-web:v1.1.0",
+ casProxyImage: "registry.k0.hswaw.net/informatic/oauth2-cas-proxy:0.1.3"
},
metadata(component):: {
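Review bot: `casProxyImage` is pinned by mutable tag (`:0.1.3`) on a self-hosted registry, so the image that handles the login flow can silently change if the tag is re-pushed; this is the one container in the app that touches the OAuth2 client secret and user identities. The surrounding `synapseImage`/`riotImage` entries follow the same convention, so this is a consistency choice rather than a defect in the hunk, but for the auth proxy a digest pin is cheap insurance: `casProxyImage: "registry.k0.hswaw.net/informatic/oauth2-cas-proxy@sha256:<digest of 0.1.3>"`. If digest pinning is not wanted yet, a short comment on the line saying where the image is built from (the `informatic/oauth2-cas-proxy` source) would at least make the supply chain traceable.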
@@ -53,6 +55,42 @@
},
},
+ synapseConfig: kube.ConfigMap("synapse") {
+ metadata+: app.metadata("synapse"),
+ data: {
+ "homeserver.yaml": importstr "homeserver.yaml.j2",
+ },
+ },
+
+ casDeployment: kube.Deployment("oauth2-cas-proxy") {
+ metadata+: app.metadata("oauth2-cas-proxy"),
+ spec+: {
+ replicas: 1,
+ template+: {
+ spec+: {
+ containers_: {
+ proxy: kube.Container("oauth2-cas-proxy") {
+ image: cfg.casProxyImage,
+ ports_: {
+ http: { containerPort: 5000 },
+ },
+ env_: {
+ BASE_URL: "https://matrix.hackerspace.pl",
+ OAUTH2_CLIENT: "matrix",
+ OAUTH2_SECRET: { secretKeyRef: { name: "oauth2-cas-proxy", key: "oauth2_secret" } },
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+
+ casSvc: kube.Service("oauth2-cas-proxy") {
+ metadata+: app.metadata("oauth2-cas-proxy"),
+ target_pod:: app.casDeployment.spec.template,
+ },
+
synapseDeployment: kube.Deployment("synapse") {
metadata+: app.metadata("synapse"),
spec+: {
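Review bot: The `synapseConfig` ConfigMap stores `homeserver.yaml.j2` in plain text, and Synapse's homeserver config normally carries secret-like values (signing/macaroon keys, registration shared secret, the CAS/OAuth settings this change is introducing); if any of those are written literally into the template rather than substituted from the environment at start time, they become readable by anyone with ConfigMap read access in the `matrix` namespace — please confirm the template only references secrets indirectly, or move it to a Secret-backed volume. Separately, the new `oauth2-cas-proxy` container defines no `securityContext` and no resource limits, so the one component that holds `OAUTH2_SECRET` runs with whatever defaults the cluster applies; adding `securityContext: { runAsNonRoot: true, readOnlyRootFilesystem: true, allowPrivilegeEscalation: false }` and a `resources` block alongside `ports_` would bring it to a reasonable baseline, assuming the image tolerates a read-only root (verify). `BASE_URL` is also a hard-coded literal here while the public host is defined in the ingress elsewhere in this file; lifting it into `cfg` next to the image names keeps the two from drifting. The `env_`/`secretKeyRef` shorthand relies on `kube.libsonnet` translating object values into `valueFrom` — worth a comment, since a mistranslation would not fail loudly at render time.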
@@ -61,6 +99,7 @@
spec+: {
volumes_: {
data: kube.PersistentVolumeClaimVolume(app.dataVolume),
+ config: kube.ConfigMapVolume(app.synapseConfig),
} + {
[k]: { secret: { secretName: "appservice-%s-registration" % [k] } }
for k in std.objectFields(app.appservices)
@@ -85,6 +124,10 @@
},
volumeMounts_: {
data: { mountPath: "/data" },
+ config: {
+ mountPath: "/conf/homeserver.yaml",
+ subPath: "homeserver.yaml",
+ },
} + {
[k]: { mountPath: "/appservices/%s" % [k] }
for k in std.objectFields(app.appservices)
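Review bot: Mounting the ConfigMap with `subPath: "homeserver.yaml"` means kubelet will not propagate later ConfigMap updates into the running container (subPath mounts are copied once at pod start), so editing `homeserver.yaml.j2` and re-applying does nothing until the synapse pod is recreated; for auth-related settings that is easy to mistake for a change being live when it is not. If the only goal is to avoid shadowing the rest of `/conf`, a comment on the mount such as `// subPath mounts do not pick up ConfigMap changes; roll the deployment after editing homeserver.yaml.j2` is the minimum, and hashing the ConfigMap contents into a pod annotation would make the rollout automatic. The enclosing container definition starts outside this hunk.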
@@ -205,6 +248,7 @@
paths: [
{ path: "/", backend: app.riotSvc.name_port },
{ path: "/_matrix", backend: app.synapseSvc.name_port },
+ { path: "/_cas", backend: app.casSvc.name_port },
]
},
}