fix postgres labels

Author: gaelgatelement

charts/matrix-stack/source/matrixAuthenticationService.json

@@ -54,6 +54,33 @@
         "dryRun": {
           "type": "boolean",
           "description": "Run the migration job in dry-run mode. Do not actually migrate the data."
+        },
+        "labels": {
+          "$ref": "file://common/labels.json"
+        },
+        "annotations": {
+          "$ref": "file://common/workloadAnnotations.json"
+        },
+        "extraEnv": {
+          "$ref": "file://common/extraEnv.json"
+        },
+        "containersSecurityContext": {
+          "$ref": "file://common/containersSecurityContext.json"
+        },
+        "nodeSelector": {
+          "$ref": "file://common/nodeSelector.json"
+        },
+        "podSecurityContext": {
+          "$ref": "file://common/podSecurityContext.json"
+        },
+        "resources": {
+          "$ref": "file://common/resources.json"
+        },
+        "serviceAccount": {
+          "$ref": "file://common/serviceAccount.json"
+        },
+        "tolerations": {
+          "$ref": "file://common/tolerations.json"
         }
       }
     },

charts/matrix-stack/source/matrixAuthenticationService.yaml.j2

@@ -30,6 +30,7 @@ privateKeys:
 {{ sub_schema_values.serviceAccount() }}
 {{ sub_schema_values.nodeSelector() }}
 {{ sub_schema_values.tolerations() }}
+{{ sub_schema_values.hostAliases() }}
 {{ sub_schema_values.topologySpreadConstraints() }}
 {{ sub_schema_values.podSecurityContext(user_id=10005, group_id=10005) }}
 {{ sub_schema_values.containersSecurityContext() }}
@@ -50,6 +51,14 @@ syn2mas:
 
   # Syn2Mas relies on the debug image to copy mas-cli to the matrix-tools container
   {{- sub_schema_values.image(registry='ghcr.io', repository='element-hq/matrix-authentication-service', tag='0.16.0-debug') | indent(2) }}
+  {{- sub_schema_values.labels() | indent(2) -}}
+  {{- sub_schema_values.workloadAnnotations() | indent(2) -}}
+  {{- sub_schema_values.containersSecurityContext() | indent(2) -}}
+  {{- sub_schema_values.nodeSelector() | indent(2) -}}
+  {{- sub_schema_values.podSecurityContext(user_id='10005', group_id='10005') | indent(2) -}}
+  {{- sub_schema_values.resources(requests_memory='50Mi', requests_cpu='50m', limits_memory='350Mi') | indent(2) -}}
+  {{- sub_schema_values.serviceAccount() | indent(2) -}}
+  {{- sub_schema_values.tolerations() | indent(2) }}
 
   ## Runs the syn2mas process in dryRun mode.
   ## Force the authentication to happen with legacy authentication.

charts/matrix-stack/templates/ess-library/_labels.tpl

@@ -39,7 +39,7 @@ app.kubernetes.io/part-of: matrix-stack
 {{- with required "element-io.ess-library.postgres-label requires context" .context -}}
 {{- $essPassword := required "element-io.ess-library.postgres-label context missing essPassword" .essPassword -}}
 {{- $postgresProperty := required "elment-io.ess-library.postgres-label context missing postgresProperty" .postgresProperty -}}
-k8s.element.io/postgres-password-hash: {{ if $postgresProperty -}}
+k8s.element.io/postgres-password-{{ $essPassword | lower }}-hash: {{ if $postgresProperty -}}
     {{- if $postgresProperty.password.value -}}
     {{- $postgresProperty.password.value | sha1sum -}}
     {{- else -}}

charts/matrix-stack/templates/matrix-authentication-service/syn2mas_job.yaml

@@ -10,7 +10,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 {{- $isHook := (not .syn2mas.dryRun) -}}
 {{- $synapseContext := (mustMergeOverwrite ($.Values.synapse | deepCopy) (dict "processType" "main" "isHook" $isHook)) -}}
 {{- $masContext := (mustMergeOverwrite ($.Values.matrixAuthenticationService | deepCopy) (dict "isHook" $isHook)) -}}
-{{- with $masContext -}}
+{{- with (mustMergeOverwrite ($.Values.matrixAuthenticationService.syn2mas | deepCopy) (dict "isHook" $isHook)) -}}
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -20,17 +20,22 @@ metadata:
 {{- end }}
   labels:
     {{- include "element-io.matrix-authentication-service-syn2mas.labels" (dict "root" $ "context" .) | nindent 4 }}
-    k8s.element.io/matrix-authentication-service-config-hash: {{ include "element-io.matrix-authentication-service.configmap-data" (dict "root" $ "context" .) | sha1sum }}
-    k8s.element.io/matrix-authentication-service-secret-hash: {{ include "element-io.matrix-authentication-service.secret-data" (dict "root" $ "context" .) | sha1sum }}
+    k8s.element.io/matrix-authentication-service-config-hash: {{ include "element-io.matrix-authentication-service.configmap-data" (dict "root" $ "context" $masContext) | sha1sum }}
+    k8s.element.io/matrix-authentication-service-secret-hash: {{ include "element-io.matrix-authentication-service.secret-data" (dict "root" $ "context" $masContext) | sha1sum }}
     k8s.element.io/synapse-config-hash: {{ include "element-io.synapse.configmap-data"  (dict "root" $ "context" $synapseContext) | sha1sum }}
     k8s.element.io/synapse-secret-hash: {{ include "element-io.synapse.secret-data"  (dict "root" $ "context" $synapseContext) | sha1sum }}
     {{ include "element-io.ess-library.postgres-label" (dict "root" $ "context" (dict
                                                             "essPassword" "matrixAuthenticationService"
-                                                            "postgresProperty" .postgres
+                                                            "postgresProperty" $masContext.postgres
+                                                            )
+                                        ) }}
+    {{ include "element-io.ess-library.postgres-label" (dict "root" $ "context" (dict
+                                                            "essPassword" "synapse"
+                                                            "postgresProperty" $synapseContext.postgres
                                                             )
                                         ) }}
   annotations:
-{{- if .syn2mas.dryRun }}
+{{- if .dryRun }}
     "helm.sh/hook": post-install,post-upgrade
 {{- else }}
     "helm.sh/hook": pre-install,pre-upgrade
@@ -64,7 +69,7 @@ spec:
 {{- include "element-io.ess-library.pods.commonSpec" (dict "root" $ "context" (dict "componentValues" . "instanceSuffix" "matrix-authentication-service-syn2mas" "deployment" false "usesMatrixTools" true "mountServiceAccountToken" true)) | nindent 6 }}
       initContainers:
       - name: copy-mas-cli
-{{- with .syn2mas.image -}}
+{{- with .image -}}
 {{- if .digest }}
         image: "{{ .registry }}/{{ .repository }}@{{ .digest }}"
         imagePullPolicy: {{ .pullPolicy | default "IfNotPresent" }}
@@ -240,7 +245,7 @@ spec:
 {{- end }}
       containers:
       - name: syn2mas-migrate
-{{- if .syn2mas.dryRun }}
+{{- if .dryRun }}
         args: ["syn2mas", "migrate", "--config", "/conf/config.yaml", "--synapse-config", "/conf/homeserver.yaml", "--dry-run"]
     {{- with .image -}}
     {{- if .digest }}

charts/matrix-stack/templates/matrix-authentication-service/syn2mas_role.yaml

@@ -5,6 +5,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 */ -}}
 {{- with .Values.matrixAuthenticationService -}}
 {{- if and .enabled .syn2mas.enabled -}}
+{{- with .syn2mas -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -40,3 +41,4 @@ rules:
   verbs: ["get", "update"]
 {{- end -}}
 {{- end -}}
+{{- end -}}

charts/matrix-stack/templates/matrix-authentication-service/syn2mas_rolebinding.yaml

@@ -6,6 +6,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 
 {{- with .Values.matrixAuthenticationService -}}
 {{- if and .enabled .syn2mas.enabled -}}
+{{- with .syn2mas -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@@ -32,3 +33,4 @@ subjects:
   namespace: {{ $.Release.Namespace }}
 {{- end -}}
 {{- end -}}
+{{- end -}}

charts/matrix-stack/templates/matrix-authentication-service/syn2mas_serviceaccount.yaml

@@ -5,6 +5,8 @@ SPDX-License-Identifier: AGPL-3.0-only
 */ -}}
 {{- with .Values.matrixAuthenticationService -}}
 {{- if and .enabled .syn2mas.enabled $.Values.synapse.enabled -}}
+{{- with .syn2mas -}}
 {{- include "element-io.ess-library.serviceAccount" (dict "root" $ "context" (dict "componentValues" . "nameSuffix" "matrix-authentication-service-syn2mas" "extraAnnotations" (dict "helm.sh/hook" "pre-install,pre-upgrade" "helm.sh/hook-weight" "0"))) }}
 {{- end }}
 {{- end }}
+{{- end }}

charts/matrix-stack/values.schema.json

@@ -3060,6 +3060,240 @@
             "dryRun": {
               "type": "boolean",
               "description": "Run the migration job in dry-run mode. Do not actually migrate the data."
+            },
+            "labels": {
+              "type": "object",
+              "additionalProperties": {
+                "type": [
+                  "string",
+                  "null"
+                ]
+              }
+            },
+            "annotations": {
+              "type": "object",
+              "additionalProperties": {
+                "type": "string"
+              }
+            },
+            "extraEnv": {
+              "type": "array",
+              "items": {
+                "type": "object",
+                "required": [
+                  "name",
+                  "value"
+                ],
+                "properties": {
+                  "name": {
+                    "type": "string"
+                  },
+                  "value": {
+                    "type": "string"
+                  }
+                },
+                "additionalProperties": false
+              }
+            },
+            "containersSecurityContext": {
+              "properties": {
+                "allowPrivilegeEscalation": {
+                  "type": "boolean"
+                },
+                "capabilities": {
+                  "properties": {
+                    "add": {
+                      "items": {
+                        "type": "string"
+                      },
+                      "type": "array"
+                    },
+                    "drop": {
+                      "items": {
+                        "type": "string"
+                      },
+                      "type": "array"
+                    }
+                  },
+                  "type": "object",
+                  "additionalProperties": false
+                },
+                "readOnlyRootFilesystem": {
+                  "type": "boolean"
+                },
+                "seccompProfile": {
+                  "properties": {
+                    "localhostProfile": {
+                      "type": "string"
+                    },
+                    "type": {
+                      "enum": [
+                        "RuntimeDefault",
+                        "Unconfined",
+                        "Localhost"
+                      ],
+                      "type": "string"
+                    }
+                  },
+                  "type": "object",
+                  "additionalProperties": false
+                }
+              },
+              "type": "object",
+              "additionalProperties": false
+            },
+            "nodeSelector": {
+              "type": "object",
+              "additionalProperties": {
+                "type": "string"
+              }
+            },
+            "podSecurityContext": {
+              "properties": {
+                "fsGroup": {
+                  "format": "int64",
+                  "type": "integer"
+                },
+                "fsGroupChangePolicy": {
+                  "type": "string"
+                },
+                "runAsGroup": {
+                  "format": "int64",
+                  "type": "integer"
+                },
+                "runAsNonRoot": {
+                  "type": "boolean"
+                },
+                "runAsUser": {
+                  "format": "int64",
+                  "type": "integer"
+                },
+                "seLinuxOptions": {
+                  "properties": {
+                    "level": {
+                      "type": "string"
+                    },
+                    "role": {
+                      "type": "string"
+                    },
+                    "type": {
+                      "type": "string"
+                    },
+                    "user": {
+                      "type": "string"
+                    }
+                  },
+                  "type": "object",
+                  "additionalProperties": false
+                },
+                "seccompProfile": {
+                  "properties": {
+                    "localhostProfile": {
+                      "type": "string"
+                    },
+                    "type": {
+                      "enum": [
+                        "RuntimeDefault",
+                        "Unconfined",
+                        "Localhost"
+                      ],
+                      "type": "string"
+                    }
+                  },
+                  "type": "object",
+                  "additionalProperties": false
+                },
+                "supplementalGroups": {
+                  "items": {
+                    "format": "int64",
+                    "type": "integer"
+                  },
+                  "type": "array"
+                }
+              },
+              "type": "object",
+              "additionalProperties": false
+            },
+            "resources": {
+              "properties": {
+                "limits": {
+                  "additionalProperties": {
+                    "anyOf": [
+                      {
+                        "type": "integer"
+                      },
+                      {
+                        "type": "string"
+                      }
+                    ],
+                    "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$"
+                  },
+                  "type": "object"
+                },
+                "requests": {
+                  "additionalProperties": {
+                    "anyOf": [
+                      {
+                        "type": "integer"
+                      },
+                      {
+                        "type": "string"
+                      }
+                    ],
+                    "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$"
+                  },
+                  "type": "object"
+                }
+              },
+              "type": "object",
+              "additionalProperties": false
+            },
+            "serviceAccount": {
+              "type": "object",
+              "properties": {
+                "create": {
+                  "type": "boolean"
+                },
+                "name": {
+                  "type": "string"
+                },
+                "annotations": {
+                  "type": "object",
+                  "additionalProperties": {
+                    "type": "string"
+                  }
+                }
+              },
+              "additionalProperties": false
+            },
+            "tolerations": {
+              "type": "array",
+              "items": {
+                "properties": {
+                  "effect": {
+                    "type": "string",
+                    "enum": [
+                      "NoSchedule",
+                      "PreferNoSchedule",
+                      "NoExecute"
+                    ]
+                  },
+                  "key": {
+                    "type": "string"
+                  },
+                  "operator": {
+                    "type": "string"
+                  },
+                  "tolerationSeconds": {
+                    "type": "number"
+                  },
+                  "value": {
+                    "type": "string"
+                  }
+                },
+                "type": "object",
+                "additionalProperties": false
+              }
             }
           },
           "additionalProperties": false