This removes our dependency on a userspace EoIP implementation that is
mildly broken, and that doesn't build correctly on new gcc versions.
Change-Id: I404c79585336ebaf3bc1761b54ee2433f0841324
Newer versions of alpine edge repos have a `yq` that behaves oddly:
$ kubectl -n matrix-0x3c logs -f appservice-telegram-prod-85d66696c6-9drnl -c generate-config
+ apk add --no-cache yq
fetch https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz
(1/1) Installing yq (4.4.1-r0)
Executing busybox-1.31.1-r21.trigger
ERROR: busybox-1.31.1-r21.trigger: script exited with error 127
OK: 11 MiB in 15 packages
+ cp /config/config.yaml /data/config.yaml
+ yq r /registration/registration.yaml as_token
Error: unknown command "r" for "yq"
Run 'yq --help' for usage.
+ yq w -i /data/config.yaml appservice.as_token
Error: unknown command "w" for "yq"
Run 'yq --help' for usage.
This downgrades back to a working yq.
Change-Id: Ifc77bcc88156b02f3ec17e6f84c5615149108777
This will permit any binding to system:admin-namespaces (eg. personal-*
namespaces, per-namespace extra admin access like matrix-0x3c) the
ability to create and updates ingresses.
Change-Id: I522896ebe290fe982d6fe46b7b1d604d22b4f72c
This hairy little ball of recursive object manifestation allows emitting
prototext directly from jsonnet.
Change-Id: I8237c629862cfcdf32ca250fba9eda9926c4f9b4
This has been encountered when introducing redis in our production
matrix deployment. /data partition is owned by root:root by default
otherwise.
Change-Id: Ic148ff25837c6e8da394a5124556481343ea2873
This is used by some external modules (appservices/instance
definitions). In order to reduce scope of (untested) changes in this
rollout, let's temporarily backport that function into matrix-ng.
Change-Id: Ib1054844391497ef1455b25c7f939c68c628ff09
matrix-ng split into multiple submodules causes some changes in keys
that might've been used for homeserver/riot configuration customization.
Migration to kube.Namespace.Contain has also caused change in Deployment
selectors (immutable fields), thus needing manual removal of these
first.
This is, as always, documented in lib/matrix-ng.libsonnet header.
Change-Id: I39a745ee27e3c55ec748818b9cf9b4e8ba1d2df5
This turns admitomatic into a self-standing service that can be used as
an admission controller.
I've tested this E2E on a local k3s server, and have some early test
code for that - but that'll land up in a follow up CR, as it first needs
to be cleaned up.
Change-Id: I46da0fc49f9d1a3a1a96700a36deb82e5057249b
This gives us nearly everything required to run the admission
controller. In addition to checking for allowed domains, we also do some
nginx-inress-controller security checks.
Change-Id: Ib187de6d2c06c58bd8c320503d4f850df2ec8abd
This is a major revamp of our matrix/synapse deployment as a separate
.libsonnet module.
* synapse version bump to 1.25.0
* riot-web version bump to 1.7.18
* Replaced synapse migration hack we used to template configuration with
environment variable replacement done by Kubernetes itself
* Implemented support for OpenID Connect, migration from CAS has been
verified to be working with some additional configuration options
* Moved homeserver signing key into k8s secret, thus making it possible
to run synapse processes without a single data volume
* Split synapse into main process, generic worker and media repository
worker. (latter is the only container using data volume) Both generic
worker and media repository worker is running on a single replica, until
we get proper HTTP routing/loadbalancing
* Riot nginx.conf has been extracted into an external file loaded using
importstr.
Change-Id: I6c4d34bf41e148a302d1cbe725608a5aeb7b87ba
This is the beginning of a validating admission controller which we will
use to permit end-users access to manage Ingresses.
This first pass implements an ingressFilter, which is the main structure
through which allowed namespace/dns combinations will be allowed. The
interface is currently via a test, but in the future this will likely be
configured via a command line, or via a serialized protobuf config.
Change-Id: I22dbed633ea8d8e1fa02c2a1598f37f02ea1b309
This option allows easy customization of certain initial database
properties, like encoding or collation. See:
https://www.postgresql.org/docs/9.5/app-initdb.html
Adding this option in already existing deployments will only cause
postgres pod restart, but no data loss or schema changes!
Intended to be used in further matrix deployment cleanups.
Change-Id: I49a017c21a228f983bea6bafa7dac962a75d05c9
q3k
Norbert Szulc
informatic