Merge changes Ic148ff25,I131049da,Ib1054844,Id9c47f61

* changes: kube/redis: fix /data partition permissions app/matrix/matrix.hackerspace.pl: migrate to matrix-ng app/matrix: backport matrix.metadata(component) into matrix-ng app/matrix/matrix.hackerspace.pl: update appservice-irc-freenode node
2025-03-21 17:34:52 +00:00 · 2021-02-01 11:14:35 +00:00 · 2021-02-01 11:14:35 +00:00 · 65f97238e3
commit 65f97238e3
parent 68c4338004 2759eb7a54
3 changed files with 28 additions and 10 deletions
--- a/app/matrix/lib/matrix-ng.libsonnet
+++ b/app/matrix/lib/matrix-ng.libsonnet
@ -23,6 +23,11 @@
 #    .riotConfig → .riot.config
 #    .synapseConfig → .synapse.config
 #
+# When migrating from CAS to OpenID Connect authentication scheme following need
+# to be ensured:
+#  * https://{homeserver}/_synapse/oidc/callback is added to allowed callback URLs list
+#  * openid scope is enabled for configured client
+#
 # Sequencing appservices is fun. The appservice needs to run first (for
 # instance, via a bootstrap job), and on startup it will spit out a
 # registration file.  This registration file then needs to be fed to synapse -
@ -117,6 +122,17 @@ local synapse = import "./synapse.libsonnet";
        wellKnown: false,
    },

+    # DEPRECATED: this needs to be removed in favor of namespace.Contain() in
+    # modules that depend on this (appservices/instance defintions)
+    metadata(component):: {
+        namespace: cfg.namespace,
+        labels: {
+            "app.kubernetes.io/name": "matrix",
+            "app.kubernetes.io/managed-by": "kubecfg",
+            "app.kubernetes.io/component": component,
+        },
+    },
+
    namespace: kube.Namespace(cfg.namespace),

    postgres3: postgres {
--- a/app/matrix/matrix.hackerspace.pl.jsonnet
+++ b/app/matrix/matrix.hackerspace.pl.jsonnet
@ -1,4 +1,4 @@
-local matrix = import "lib/matrix.libsonnet";
+local matrix = import "lib/matrix-ng.libsonnet";
 local irc = import "lib/appservice-irc.libsonnet";
 local telegram = import "lib/appservice-telegram.libsonnet";

@ -9,15 +9,15 @@ matrix {
        namespace: "matrix",
        webDomain: "matrix.hackerspace.pl",
        serverName: "hackerspace.pl",
-        cas: {
+        oidc+: {
            enable: true,
-            oauth2: {
-                clientID: "matrix",
-                clientSecret: { secretKeyRef: { name: "oauth2-cas-proxy", key: "oauth2_secret" } },
-                scope: "profile:read",
-                authorizeURL: "https://sso.hackerspace.pl/oauth/authorize",
-                tokenURL: "https://sso.hackerspace.pl/oauth/token",
-                userinfoURL: "https://sso.hackerspace.pl/api/1/profile",
+            config+: {
+                allow_existing_users: true,
+                issuer: "https://sso.hackerspace.pl",
+                client_id: "matrix",
+                client_secret: { secretKeyRef: { name: "oauth2-cas-proxy", key: "oauth2_secret" } },
+                user_profile_method: "userinfo_endpoint",
+                client_auth_method: "client_secret_post",
            },
        },
    },
@ -30,7 +30,7 @@ matrix {
                metadata: app.metadata("appservice-irc-freenode"),
                // TODO(q3k): add labels to blessed nodes
                nodeSelector: {
-                    "kubernetes.io/hostname": "bc01n03.hswaw.net",
+                    "kubernetes.io/hostname": "bc01n02.hswaw.net",
                },
                config+: {
                    homeserver+: {
--- a/kube/redis.libsonnet
+++ b/kube/redis.libsonnet
@ -81,6 +81,8 @@ local kube = import "kube.libsonnet";
                    },
                    securityContext: {
                        runAsUser: 100,
+                        runAsGroup: 101,
+                        fsGroup: 101,
                    },
                },
            },