element-hq · gaelgatelement · Feb 5, 2025 · Jan 30, 2025 · Jan 30, 2025 · Jan 30, 2025
@@ -23,7 +23,7 @@ permissions:
 
 jobs:
   tests:
-    runs-on: cpu-s
+    runs-on: memory-m
     container:
       image: ghcr.io/${{ github.repository }}/ci-runner
       credentials:
@@ -38,7 +38,9 @@ jobs:
       run: echo "/usr/local/go/bin" >> "${GITHUB_PATH}"
 
     - name: Lint with golangci-lint
-      run: ls -l /usr/local && echo $PATH && cd matrix-tools && golangci-lint run ./...
+      run: |
+        cd matrix-tools
+        golangci-lint run ./... -v --show-stats --no-config --modules-download-mode readonly --timeout 5m
 
     - name: Run tests
       run: cd matrix-tools && go test -v ./...

@@ -4,6 +4,9 @@
 
 serverName: ess.localhost
 
+initSecrets:
+  enabled: false
+
 elementWeb:
   additional: {
     "default_server_config": {

@@ -2,6 +2,9 @@
 #
 # SPDX-License-Identifier: AGPL-3.0-only OR LicenseRef-Element-Commercial
 
+initSecrets:
+  enabled: false
+
 elementWeb:
   ingress:
     host: element.ess.localhost

@@ -0,0 +1,20 @@
+# Copyright 2024 New Vector Ltd
+#
+# SPDX-License-Identifier: AGPL-3.0-only OR LicenseRef-Element-Commercial
+
+initSecrets:
+  enabled: true
+  annotations:
+    checkov.io/skip1: CKV_K8S_11=We deliberately don't set CPU limits. Pod is BestEffort not Guaranteed
+    checkov.io/skip2: CKV_K8S_43=No digests
+    checkov.io/skip3: CKV2_K8S_6=No network policy yet
+    checkov.io/skip4: CKV_K8S_38=The job needs a service account
+
+elementWeb:
+  enabled: false
+
+synapse:
+  enabled: false
+
+wellKnownDelegation:
+  enabled: false
@@ -0,0 +1,15 @@
+# Copyright 2024 New Vector Ltd
+#
+# SPDX-License-Identifier: AGPL-3.0-only OR LicenseRef-Element-Commercial
+
+initSecrets:
+  enabled: true
+
+elementWeb:
+  enabled: false
+
+synapse:
+  enabled: false
+
+wellKnownDelegation:
+  enabled: false
@@ -2,6 +2,9 @@
 #
 # SPDX-License-Identifier: AGPL-3.0-only OR LicenseRef-Element-Commercial
 
+initSecrets:
+  enabled: false
+
 elementWeb:
   enabled: false
 

@@ -4,6 +4,11 @@
 
 serverName: ess.localhost
 
+matrixTools:
+  image:
+    pullPolicy: Never
+    digest: ""
+
 elementWeb:
   ingress:
     host: element.{{ $.Values.serverName }}

@@ -17,9 +17,6 @@ synapse:
   registrationSharedSecret:
     secret: "{{ $.Release.Name }}-synapse-secrets"
     secretKey: registrationSharedSecret
-  macaroon:
-    secret: "{{ $.Release.Name }}-synapse-secrets"
-    secretKey: macaroon
   signingKey:
     secret: "{{ $.Release.Name }}-synapse-secrets"
     secretKey: signingKey

@@ -4,6 +4,9 @@
 
 serverName: ess.localhost
 
+initSecrets:
+  enabled: false
+
 elementWeb:
   enabled: false
 

@@ -4,6 +4,9 @@
 
 serverName: ess.localhost
 
+initSecrets:
+  enabled: false
+
 elementWeb:
   enabled: false
 

@@ -4,6 +4,9 @@
 
 serverName: ess.localhost
 
+initSecrets:
+  enabled: false
+
 elementWeb:
   enabled: false
 

@@ -4,6 +4,9 @@
 
 serverName: ess.localhost
 
+initSecrets:
+  enabled: false
+
 elementWeb:
   enabled: false
 

@@ -4,6 +4,9 @@
 
 serverName: ess.localhost
 
+initSecrets:
+  enabled: false
+
 elementWeb:
   enabled: false
 

@@ -4,6 +4,9 @@
 
 serverName: ess.localhost
 
+initSecrets:
+  enabled: false
+
 elementWeb:
   enabled: false
 

@@ -4,6 +4,9 @@
 
 serverName: ess.localhost
 
+initSecrets:
+  enabled: false
+
 elementWeb:
   enabled: false
 

@@ -13,7 +13,7 @@ SPDX-License-Identifier: AGPL-3.0-only OR LicenseRef-Element-Commercial
 
 ## The matrix-tools iamge, used in multiple components
 matrixTools:
-{{ image(registry="ghcr.io", repository="element-hq/ess-helm/matrix-tools", tag="0.1.1") | indent(2) }}
+{{ image(registry="ghcr.io", repository="element-hq/ess-helm/matrix-tools", tag="0.2.0") | indent(2) }}
 
 ## The server name of the Matrix Stack. This gets embedded in user IDs & room IDs
 ## It can not change after the initial deployment.

@@ -0,0 +1,42 @@
+{
+  "$id": "file://init-secrets",
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "type": "object",
+  "properties": {
+    "enabled": {
+      "type": "boolean"
+    },
+    "rbac": {
+      "type": "object",
+      "properties": {
+        "create": {
+          "type": "boolean"
+        }
+      }
+    },
+    "labels": {
+      "$ref": "file://common/labels.json"
+    },
+    "annotations": {
+      "$ref": "file://common/workloadAnnotations.json"
+    },
+    "containersSecurityContext": {
+      "$ref": "file://common/containersSecurityContext.json"
+    },
+    "nodeSelector": {
+      "$ref": "file://common/nodeSelector.json"
+    },
+    "podSecurityContext": {
+      "$ref": "file://common/podSecurityContext.json"
+    },
+    "resources": {
+      "$ref": "file://common/resources.json"
+    },
+    "serviceAccount": {
+      "$ref": "file://common/serviceAccount.json"
+    },
+    "tolerations": {
+      "$ref": "file://common/tolerations.json"
+    }
+  }
+}
@@ -0,0 +1,20 @@
+{#
+Copyright 2024 New Vector Ltd
+
+SPDX-License-Identifier: AGPL-3.0-only OR LicenseRef-Element-Commercial
+#}
+
+{% import 'sub_schema_values.yaml.j2' as sub_schema_values -%}
+enabled: true
+
+rbac:
+  create: true
+
+{{- sub_schema_values.labels() -}}
+{{- sub_schema_values.workloadAnnotations() -}}
+{{- sub_schema_values.containersSecurityContext() -}}
+{{- sub_schema_values.nodeSelector() -}}
+{{- sub_schema_values.podSecurityContext(user_id='10010', group_id='10010') -}}
+{{- sub_schema_values.resources(requests_memory='50Mi', requests_cpu='50m', limits_memory='200Mi') -}}
+{{- sub_schema_values.serviceAccount() -}}
+{{- sub_schema_values.tolerations() -}}
@@ -40,6 +40,9 @@
     "topologySpreadConstraints": {
       "$ref": "file://common/topologySpreadConstraints.json"
     },
+    "initSecrets": {
+      "$ref": "file://init-secrets.json"
+    },
     "elementWeb": {
       "$ref": "file://element-web.json"
     },

@@ -9,6 +9,9 @@ SPDX-License-Identifier: AGPL-3.0-only OR LicenseRef-Element-Commercial
 {{ sub_schema_values.ess() }}
 
 ## Components
+initSecrets:
+  {% macro initSecrestValues() %}{% include 'init-secrets.yaml.j2'%}{% endmacro %}
+  {{- initSecrestValues() | trim | indent(2) }}
 
 elementWeb:
   {% macro elementWebValues() %}{% include 'element-web.yaml.j2'%}{% endmacro %}

@@ -9,18 +9,53 @@ SPDX-License-Identifier: AGPL-3.0-only OR LicenseRef-Element-Commercial
 {{- with required "element-io.ess-library.check-credential missing context" .context -}}
 {{- $secretPath := .secretPath -}}
 {{- $secretProperty := .secretProperty -}}
-{{- if and .secretProperty.value (or .secretProperty.secret .secretProperty.secretKey) -}}
-{{- fail (printf "The secret %s must either have a value, or both secret & secretKey properties" $secretPath) -}}
-{{- else if and .secretProperty.secret (not .secretProperty.secretKey) -}}
-{{- fail (printf "The secret %s has a secret but no secretKey property" $secretPath) -}}
-{{- else if and .secretProperty.secretKey (not .secretProperty.secret) -}}
-{{- fail (printf "The secret %s has a secretKey but no secret property" $secretPath) -}}
-{{- else if and .secretProperty.secret .secretProperty.secretKey -}}
-{{- /* OK secret has a secret and a secretKey, do nothing */ -}}
-{{- else if .secretProperty.value -}}
-{{- /* OK secret has a value, do nothing */ -}}
-{{- else -}}
-{{- fail (printf "The secret %s is missing its secret/secretKey properties" $secretPath) -}}
+{{- $initIfAbsent := .initIfAbsent | default false -}}
+{{- if not $initIfAbsent -}}
+  {{- if and .secretProperty.value (or .secretProperty.secret .secretProperty.secretKey) -}}
+  {{- fail (printf "The secret %s must either have a value, or both secret & secretKey properties" $secretPath) -}}
+  {{- else if and .secretProperty.secret (not .secretProperty.secretKey) -}}
+  {{- fail (printf "The secret %s has a secret but no secretKey property" $secretPath) -}}
+  {{- else if and .secretProperty.secretKey (not .secretProperty.secret) -}}
+  {{- fail (printf "The secret %s has a secretKey but no secret property" $secretPath) -}}
+  {{- else if and .secretProperty.secret .secretProperty.secretKey -}}
+  {{- /* OK secret has a secret and a secretKey, do nothing */ -}}
+  {{- else if .secretProperty.value -}}
+  {{- /* OK secret has a value, do nothing */ -}}
+  {{- else -}}
+  {{- fail (printf "The secret %s is missing its secret/secretKey properties" $secretPath) -}}
+  {{- end -}}
 {{- end -}}
 {{- end -}}
 {{- end }}
+
+{{- define "element-io.ess-library.init-secret-path" -}}
+{{- $root := .root -}}
+{{- with required "element-io.ess-library.init-secret-path" .context -}}
+{{- $secretProperty := required "element-io.ess-library.init-secret-path context missing secretProperty" .secretProperty -}}
+{{- $initSecretKey := required "element-io.ess-library.init-secret-path context missing initSecretKey" .initSecretKey -}}
+{{- $defaultSecretName := required "element-io.ess-library.init-secret-path context missing defaultSecretName" .defaultSecretName -}}
+{{- $defaultSecretKey := required "element-io.ess-library.init-secret-path context missing defaultSecretKey" .defaultSecretKey -}}
+{{- if not $secretProperty -}}
+  {{- if $root.Values.initSecrets.enabled -}}
+  {{- printf "%s/%s" (printf "%s-generated" $root.Release.Name) $initSecretKey -}}
+  {{- end -}}
+{{- else -}}
+  {{- include "element-io.ess-library.provided-secret-path" (dict "root" $root "context" (dict "secretProperty" $secretProperty "defaultSecretName" $defaultSecretName "defaultSecretKey" $defaultSecretKey)) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+
+{{- define "element-io.ess-library.provided-secret-path" -}}
+{{- $root := .root -}}
+{{- with required "element-io.ess-library.provided-secret-path missing context" .context -}}
+{{- $secretProperty := required "element-io.ess-library.provided-secret-path context missing secretProperty" .secretProperty -}}
+{{- $defaultSecretName := required "element-io.ess-library.provided-secret-path context missing defaultSecretName" .defaultSecretName -}}
+{{- $defaultSecretKey := required "element-io.ess-library.provided-secret-path context missing defaultSecretKey" .defaultSecretKey -}}
+{{- if $secretProperty.value -}}
+{{- printf "%s/%s" $defaultSecretName $defaultSecretKey -}}
+{{- else -}}
+{{- printf "%s/%s" (tpl $secretProperty.secret $root) (tpl $secretProperty.secretKey $root) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
@@ -0,0 +1,28 @@
+{{- /*
+Copyright 2024 New Vector Ltd
+
+SPDX-License-Identifier: AGPL-3.0-only OR LicenseRef-Element-Commercial
+*/ -}}
+
+{{- define "element-io.init-secrets.labels" -}}
+{{- $root := .root -}}
+{{- with required "element-io.init-secrets.labels missing context" .context -}}
+{{ include "element-io.ess-library.labels.common" (dict "root" $root "context" .labels) }}
+app.kubernetes.io/component: matrix-tools
+app.kubernetes.io/name: init-secrets
+app.kubernetes.io/instance: {{ $root.Release.Name }}-init-secrets
+app.kubernetes.io/version: {{ $root.Values.matrixTools.image.tag }}
+{{- end }}
+{{- end }}
+
+{{- define "element-io.init-secrets.generated-secrets" -}}
+{{- $root := .root -}}
+{{- with $root.Values.synapse }}
+{{- if .enabled -}}
+{{- if not .macaroon }}
+- {{ (printf "%s-generated" $root.Release.Name) }}:SYNAPSE_MACAROON:rand32
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+