add missing matrix secrets to cluster resources
This commit is contained in:
parent
bdae272d82
commit
f341e6bfb2
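--- a/matrix/config.yaml
+++ b/matrix/config.yaml
@@ -0,0 +1,88 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: "synapse-werts-config"
+  namespace: synapse
+spec:
+  refreshInterval: "5s"
+  secretStoreRef:
+    name: k8s-store
+    kind: SecretStore
+  data:
+    - {"secretKey": "registration_shared_secret", "remoteRef": {"key": "synapse-werts-secrets", "property": "registration_shared_secret"}}
+    - {"secretKey": "pepper", "remoteRef": {"key": "synapse-werts-secrets", "property": "password_config__pepper"}}
+    - {"secretKey": "macaroon_secret_key", "remoteRef": {"key": "synapse-werts-secrets", "property": "macaroon_secret_key"}}
+    - {"secretKey": "form_secret", "remoteRef": {"key": "synapse-werts-secrets", "property": "form_secret"}}
+
+    - {"secretKey": "oidc_client_id", "remoteRef": {"key": "synapse-werts-secrets-oidc", "property": "client_id"}}
+    - {"secretKey": "oidc_client_secret", "remoteRef": {"key": "synapse-werts-secrets-oidc", "property": "client_secret"}}
+
+    - {"secretKey": "db_user", "remoteRef": {"key": "synapse-werts-db-pguser-synapse-werts-db", "property": "user"}}
+    - {"secretKey": "db_password", "remoteRef": {"key": "synapse-werts-db-pguser-synapse-werts-db", "property": "password"}}
+    - {"secretKey": "db_dbname", "remoteRef": {"key": "synapse-werts-db-pguser-synapse-werts-db", "property": "dbname"}}
+    - {"secretKey": "db_host", "remoteRef": {"key": "synapse-werts-db-pguser-synapse-werts-db", "property": "host"}}
+  target:
+    name: synapse-werts-config
+    template:
+      type: Opaque
+      data:
+        "homeserver.yaml": |
+          macaroon_secret_key: "{{.macaroon_secret_key}}"
+          form_secret: "{{.form_secret}}"
+          registration_shared_secret: "{{.registration_shared_secret}}"
+          password_config:
+            enabled: true
+            pepper: "{{ .pepper }}"
+
+          server_name: werts.us
+          public_baseurl: https://chat.werts.us/
+          pid_file: /data/homeserver.pid
+
+          media_store_path: "/data/media_store"
+          report_stats: false
+          trusted_key_servers:
+            - server_name: "matrix.org"
+          signing_key_path: "/data/my.matrix.host.signing.key"
+          limit_remote_rooms:
+            enabled: true
+            complexity: 0.0
+            complexity_error: "only admins are allowed to join federated rooms"
+            admins_can_join: true
+          allow_public_rooms_without_auth: false
+          allow_public_rooms_over_federation: false
+
+
+          listeners:
+            - port: 8008
+              tls: false
+              type: http
+              x_forwarded: true
+
+              resources:
+                - names: [client, federation]
+                  compress: false
+          database:
+            name: psycopg2
+            args:
+              user: "{{ .db_user }}"
+              password: "{{ .db_password }}"
+              database: "{{ .db_dbname }}"
+              host: "{{ .db_host }}"
+              cp_min: 5
+              cp_max: 10
+          oidc_providers:
+            - idp_id: my_idp
+              idp_name: "werts.us"
+              discover: true
+              issuer: "https://auth.werts.us/realms/werts"
+              scopes: ["openid", "profile"]
+              skip_verification: true
+              user_mapping_provider:
+                config:
+                  subject_claim: "preferred_username"
+                  localpart_template: "{{"{{"}} user.preferred_username {{"}}"}}"
+                  display_name_template: "{{"{{"}} user.name {{"}}"}}"
+                  email_template: "{{"{{"}} user.email {{"}}"}}"
+              client_id: "{{ .oidc_client_id }}"
+              client_secret: "{{ .oidc_client_secret }}"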
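Review bot: `skip_verification: true` in the oidc_providers entry of the rendered homeserver.yaml turns off Synapse's verification of the provider metadata fetched via `discover: true`; the Synapse config reference describes this option as a workaround for providers that are not OIDC-compliant and advises against it in production. The issuer URL looks like a Keycloak realm, which should pass verification, so the line should be dropped (the default is `false`) or, if it is genuinely needed, kept with a comment recording which metadata check fails. Separately, `refreshInterval: "5s"` re-reads three Secrets from the API server every five seconds for values that change rarely; something like `refreshInterval: "1h"` is the usual order of magnitude and avoids the constant polling.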
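--- a/matrix/secrets-oidc-sealed.yaml
+++ b/matrix/secrets-oidc-sealed.yaml
@@ -0,0 +1,17 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: synapse-werts-secrets-oidc
+  namespace: synapse
+spec:
+  encryptedData:
+    client_id: AgB0ydrAv3Gcz2mMtgfODxKWztp4IkAP9bPJ680xjKKjK9XnxPBsX9N3YOknMI33W5IQbO6kGaXQv0XCOVxsFyLh5U0DUOp3QIhzR7izLNhGPUqgveXm53A6ALgCB/EK1IXfNMAJZdkXpUDWIQv+zRtbLgpQ+3/p39ORbHdqyOxpHxsnCA5EJtVe2qIj68RVrkTXa7l2DWpD2S3ISCuIzobyN8Tlv9NW9LsRyq7aFaAI5ngYyGOcOAw4CSQ/H0mhv3ICoBBFtmMkv4SvsLvfHHxobibr+iDJ3+X3sExgQ4OkTpDfVhi2EcOgtcm/Vvp+1S5DZPfP9Cs5qfA0USdNNAl8Yt4OMAXtfyN9gkb5aKvNyk/VJA4Zmqre8fs1qmgAFwHfshzF2/Ag4CqjHdNNqrcTbSUxhL0W30MkAPUAvduVdePM9wCm8FZ3D4oar9D7kK3SlgpYHVKthTml06ppWdFrGSGa+9R0EKYT+SNpqErhYcisf3R6rLdk3n5DAUP4Srf7ET7xDiH7ntnqLI/PNn9163K6MVf7qlN9VgJdc5DpV2J3+yW8J3fdieVBqcvUwhAlkFLxlx9pY6bhIcwi0ZTNSkj8gOhmQDmOpa1hqo+Eyrc+P5zPDBa4+Nl2jWeQ7xAgmxpvJwWlj2vi6VB7XdSAc3uv0IFh0b3E5JE3x/yLYbX/DQODYZDM3vTXHjpMqENM00Tuzfg=
+    client_secret: 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
+  template:
+    metadata:
+      creationTimestamp: null
+      name: synapse-werts-secrets-oidc
+      namespace: synapse
+    type: Opaque
+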
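--- a/matrix/secrets-sealed.yaml
+++ b/matrix/secrets-sealed.yaml
@@ -0,0 +1,19 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: synapse-werts-secrets
+  namespace: synapse
+spec:
+  encryptedData:
+    form_secret: AgBhY/ppJWTsYA0ItjZI4XPPmFKAf4yH6dDV+cK37W7KKXRtLuUISpvE7VfVkOKsdoDNfirwQDyTKdfL/TU2glt3Xi50xrtaqG3VkkzXp+vd2wIdFHFUqHBhU3WkyVxd42+hszLz9lBHokHkO/ZO4UTBv3nlSTk46abhXiKCcou0z8sPhO9Ed90Xft1MwxydazcG8aJp/BwcpHD+wGattI29cSUvLNYhW6ViUdxul4J3+dOoBDXnrkf4+3PSwYb7OCSWHRupg1KMXpUVcu0/2n3TdPLr3O/leaJDfhGIpO5ZSLHHmouZMuN8RHBQZVg11e9/cfmVqN/qKzuFAeuCfQ13khqvroXlne/OTdPNdvmnSd98TkvCpbDs/SBb5h/AtlSYJM2KbLLTwT85VwoZWYn9iVP4j5bok9EFY97WIrYluONepp8bhOLcnZiei3Pn4qn0UYEo2eXzA00pkyEedZzn2Mte6QhvgoKfZ7pMkYnpmI/8R7QpQOyW+Kf8vIzQIAe16blsQhpqd4R1/ddnwvE0+fHwrZ889jy2S5v4in13NMAfpABBRg0O8ntinhZsx3Cf0nNe/3t6lJAQXWeyhnJtU41WzBntOME7axwDKnzaGPuLQn+BArL616S7S9RPZEH7llr12ABdO3mKuncUGXc4sCTER5tjESBlnFiQIcp8GAwjofJmYYYjpBJNUZIxTZxAZdlRwecZ61CBDIWo7bYXL6WT8cQfPv+7CkxbJ/nt/yEDmeY1/xW6c5n6UisFOYefNQ==
+    macaroon_secret_key: AgCeK1HntBncfkXJmZrejkcLH53s0fN1yr1jENKPon2CPTXpQ/vA58xXHEbxAUJMDsw9PUzCbYLyEk8oPL6i7TZW9D8f/fvsnlZhOIjHObV6s/7XPLe5z+KWUDXMDOGmjMS32Z1w5wLih0/iAch5txOZVX9bk1fAXLf9Lre+0/4qL8p9ieBdcnieM0a7swZdfINckGFNgEjpTU4fdcAMDWAKcgL0v5b5w5etMZ48KIRjmZIiJvXPIxT1teCYxCTFrQD/N4USN9rQ+HXLIyGj8UdEv3HA0T0k/xSOfwlC2Qy9SvjdX+UIDTVxdvXDdBNulorowYlbzmuFaqscnDI50dtrw73s6VjreW91iUJ0kDRAiOgUrTWnaXXOGKU/2hQOorTVfRcUAW5kpkLM355rZGwdzeEP/7qxxBnHwAGGV5vfaGhsP8UNZwRDd+L2R5bYx05IXP73wxXE+NihCHgvDS3wmCSCoPnlGyzrG3oed0Nbi3+mbKqfQCB8IBfzkXX5WoeI6GQF+HwHBY+/msR/hsda+YbqTp+gm13COXFGsijsKUAv7FC3HJ6tM/XXKEDM+DeN2samhLp8NLRwLkxJRzBcVFWifAjBj5ONjdryoN0oZKmbm5D+BpWPBjKDjLG7kjoux/SD7bz/1u0Kbd2TyVMxEl7SP5yAkRruUybQQVWvmz7jKAZnUwPIeu5cxuD8yefXpdfZkJuToPJcblVsmBq7Hq9o5rCaArjJC3qa4BVd+ybauBgXNRMOBamHEeGkv0aO5Q==
+    password_config__pepper: AgCXcCt67yMenHJe/om73r0aR0re98D29GOwwAgYmpaOYCrqWzfjPsbNsHTJhBihcTm4asMrqD3Q1w4IRmCynvB1umretCDhMw1BFoeeePDvIq8F+HN/uEByaHBkcBWGwYZcrgH22qieX1oKr5fcpFqXchdGnZfQUnWC4hqaiuCJtH74P7M/skzuJXqrsR//0AbL83siqogIykqCrYdeHvYAuwwFlT4x/obsVkOF2CXEgxt4tTRUtUQ4IZk9gAzOm+UG5E5R4da9zaBA1wzqmKX9tHFli6vgDJIVkOf/pcazX2fk38f/PyKqyvnmp0TOV6xPdulwajE4NsE5sCSGoHsRYlI7Hkv1BtVvY7ZmzX2P8CpAYchLUb0swKlwP8oehtTx2Wz0CksxPTZB4rYS13aw1446A3CxiS+KDZgDpFm8eMdqw8creUv0gM0xHIlCBf06om3xGr0/ecOeBftvZT9nbWRalOneYctEdv53sj8gx5X2M4amTfejPR62viL9vAAYLTSLylH4k/kJMKA+lgOaHrL5qXlhqUGIn9HE+tI0B6sMZCWWpt7mANGkmSaSnqINd8KUExy8KjkFmsKnyxG166OJHEwF+L3Atb2n+RvAQbAe1wck0LpV6nqZ3AvmSD6Wef4QpFhgvbm5uGNPCt43GtaNzEFAThGrIotdlVUjpn+4cyuPmmxKdA17OlkwrPkd8zqaxQpKIYoWjU7YZwX9OprhNBqvORpc79335JI9XQ==
+    registration_shared_secret: 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
+  template:
+    metadata:
+      creationTimestamp: null
+      name: synapse-werts-secrets
+      namespace: synapse
+    type: Opaque
+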
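--- a/matrix/ss.yaml
+++ b/matrix/ss.yaml
@@ -0,0 +1,69 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: eso-store-sa
+  namespace: synapse
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  namespace: synapse
+  name: eso-store-role
+rules:
+  - apiGroups: [""]
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - authorization.k8s.io
+    resources:
+      - selfsubjectrulesreviews
+    verbs:
+      - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  creationTimestamp: null
+  name: eso-store-rolebinding
+  namespace: synapse
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: eso-store-role
+subjects:
+  - kind: ServiceAccount
+    name: eso-store-sa
+    namespace: synapse
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: secret-store-token
+  namespace: synapse
+  annotations:
+    kubernetes.io/service-account.name: eso-store-sa
+type: kubernetes.io/service-account-token
+---
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+  name: k8s-store
+  namespace: synapse
+spec:
+  provider:
+    kubernetes:
+      auth:
+        token:
+          bearerToken:
+            name: secret-store-token
+            key: token
+      remoteNamespace: synapse
+      server:
+        caProvider:
+          type: Secret
+          name: secret-store-token
+          key: ca.crt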
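Review bot: The `secret-store-token` Secret of type `kubernetes.io/service-account-token` mints a long-lived, non-expiring credential for `eso-store-sa` and stores it in the same namespace as the Secrets it is allowed to read, so a leak of that one object is a permanent read capability until it is rotated by hand. The External Secrets Kubernetes provider can instead authenticate with a short-lived token requested for the service account, `auth: { serviceAccount: { name: eso-store-sa } }` in place of the `token.bearerToken` stanza, which would let the Secret object be removed; the `server.caProvider` would then need another source for the cluster CA (the `kube-root-ca.crt` ConfigMap with `caProvider.type: ConfigMap` is the usual choice — confirm against the ESO version in use). The Role also grants `get`/`list`/`watch` on every Secret in `synapse`, while the ExternalSecret in this commit only references three named Secrets; `get` can be narrowed with a `resourceNames` list on the `secrets` rule, and whether `list`/`watch` are needed at all for `data` (as opposed to `dataFrom.find`) lookups is worth checking before keeping them. `creationTimestamp: null` on the RoleBinding is kubectl output and can be dropped.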