Skip to content

Fix MAS/Synapse when using something else than init secrets #336

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 6 commits into from
Apr 1, 2025
+292 −24
Merged

Fix MAS/Synapse when using something else than init secrets #336

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
680d353
tests: Verify that things that looks like mount paths are mounted
gaelgatelement Apr 1, 2025
f437fae
Synapse / MAS : Fix OIDC shared secret when using in helm values
gaelgatelement Apr 1, 2025
a81511b
make the tests aware of pvcs
gaelgatelement Apr 1, 2025
c65826c
comment the regex for path matching
gaelgatelement Apr 1, 2025
d5c5605
tests: parse content as raw string, add more noqa
gaelgatelement Apr 1, 2025
c9a8bf3
Enhance regex to exclude things that looks like paths
gaelgatelement Apr 1, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
67 changes: 67 additions & 0 deletions charts/matrix-stack/ci/matrix-authentication-service-synapse-secrets-externally-values.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,67 @@
# Copyright 2024-2025 New Vector Ltd
#
# SPDX-License-Identifier: AGPL-3.0-only
#
# source_fragments: matrix-authentication-service-minimal.yaml matrix-authentication-service-test-postgres.yaml matrix-authentication-service-test-postgres-secrets-externally.yaml matrix-authentication-service-secrets-externally.yaml synapse-minimal.yaml synapse-test-postgres.yaml synapse-test-postgres-secrets-externally.yaml synapse-secrets-externally.yaml
# DO NOT EDIT DIRECTLY. Edit the fragment files to add / modify / remove values

# initSecrets, postgres don't have any required properties to be set and defaults to enabled
elementWeb:
enabled: false
matrixAuthenticationService:
encryptionSecret:
secret: '{{ $.Release.Name }}-mas-external'
secretKey: encryption
ingress:
host: mas.ess.localhost
postgres:
database: mas
host: postgres
password:
secret: '{{ $.Release.Name }}-mas-external'
secretKey: postgresPassword
user: mas
privateKeys:
ecdsaPrime256v1:
secret: '{{ $.Release.Name }}-mas-external'
secretKey: keysEcdsaPrime256v1
ecdsaSecp256k1:
secret: '{{ $.Release.Name }}-mas-external'
secretKey: keysEcdsaSecp256k1
ecdsaSecp384r1:
secret: '{{ $.Release.Name }}-mas-external'
secretKey: keysEcdsaSecp384r1
rsa:
secret: '{{ $.Release.Name }}-mas-external'
secretKey: keysRSA
synapseOIDCClientSecret:
secret: '{{ $.Release.Name }}-mas-external'
secretKey: synapseOIDC
synapseSharedSecret:
secret: '{{ $.Release.Name }}-mas-external'
secretKey: synapseShared
serverName: ess.localhost
synapse:
appservices:
- secret: '{{ $.Release.Name }}-synapse-external'
secretKey: bridge_registration.yaml
ingress:
host: synapse.ess.localhost
macaroon:
secret: '{{ $.Release.Name }}-synapse-external'
secretKey: macaroon
postgres:
database: synapse
host: ess-postgres
password:
secret: '{{ $.Release.Name }}-synapse-external'
secretKey: postgresPassword
user: synapse_user
registrationSharedSecret:
secret: '{{ $.Release.Name }}-synapse-external'
secretKey: registrationSharedSecret
signingKey:
secret: '{{ $.Release.Name }}-synapse-external'
secretKey: signingKey
wellKnownDelegation:
enabled: false
66 changes: 66 additions & 0 deletions charts/matrix-stack/ci/matrix-authentication-service-synapse-secrets-in-helm-values.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,66 @@
# Copyright 2024-2025 New Vector Ltd
#
# SPDX-License-Identifier: AGPL-3.0-only
#
# source_fragments: matrix-authentication-service-minimal.yaml matrix-authentication-service-test-postgres.yaml matrix-authentication-service-test-postgres-secrets-in-helm.yaml matrix-authentication-service-secrets-in-helm.yaml synapse-minimal.yaml synapse-test-postgres.yaml synapse-test-postgres-secrets-in-helm.yaml synapse-secrets-in-helm.yaml
# DO NOT EDIT DIRECTLY. Edit the fragment files to add / modify / remove values

# initSecrets, postgres don't have any required properties to be set and defaults to enabled
elementWeb:
enabled: false
matrixAuthenticationService:
encryptionSecret:
value: CHANGEME-ahohhohgiavee5Koh8ahwo
ingress:
host: mas.ess.localhost
postgres:
database: mas
host: postgres
password:
value: CHANGEME-ooWo6jeidahhei3Hae0eer9U
user: mas
privateKeys:
ecdsaPrime256v1:
value: |
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIYjZ789034nLz+oXJyVWqgUdDmRlKxvTfHsBhFtGpOaAoGCCqGSM49
AwEHoUQDQgAE6521bYjZ789034nLz+oXJyVWqgUdDmRlKxvTfHsBhFtGpOaAoGCCqGSM49
AwEAAKBcZW5jb2duZXQwgggYMIINL6Ado018734nLz+oXJyVWqgUdDmRlKxvTfHsBhFtGpOaAoGCCqGSM49AwEH
------END EC PRIVATE KEY-----
ecdsaSecp256k1:
value: |
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEZFQZ789034nLz+oXJyVWqgUdDmRlKxvTfHsBhFtGpOaAoGCCqGSM49AwEHoUQDQgAE6521bYjZ789034nLz+oXJyVWqgUdDmRlKxvTfHsBhFtGpOaAoGCCqGSM49
------END EC PRIVATE KEY-----
ecdsaSecp384r1:
value: |
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEZFQZ789034nLz+oXJyVWqgUdDmRlKxvTfHsBhFtGpOaAoGCCqGSM49AwEHoUQDQgAE6521bYjZ789034nLz+oXJyVWqgUdDmRlKxvTfHsBhFtGpOaAoGCCqGSM49
------END EC PRIVATE KEY-----
rsa:
value: |
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA6521bYjZ789034nLz+oXJyVWqgUdDmRlKxvTfHsBhFtGpOaAoGCCqGSM49AwEHoUQDQgAE6521bYjZ789034nLz+oXJyVWqgUdDmRlKxvTfHsBhFtGpOaAoGCCqGSM49
------END RSA PRIVATE KEY-----
synapseOIDCClientSecret:
value: CHANGEME-eiv6wae8shooPhie4ief8ru2egahbah0
synapseSharedSecret:
value: CHANGEME-iaw8eeSef4zeefie8ii3akien9tiaYah
serverName: ess.localhost
synapse:
ingress:
host: synapse.ess.localhost
macaroon:
value: CHANGEME-eek3Eigoh8ux8laeTingeej1
postgres:
database: synapse
host: ess-postgres
password:
value: CHANGEME-ooWo6jeidahhei3Hae0eer9U
user: synapse_user
registrationSharedSecret:
value: CHANGEME-ooWo6jeidahhei3Hae0eer9U
signingKey:
value: ed25519 0 bNQOzBUDszff7Ax81z6w0uZ1IPWoxYaazT7emaZEfpw
wellKnownDelegation:
enabled: false
30 changes: 30 additions & 0 deletions charts/matrix-stack/templates/matrix-authentication-service/_helpers.tpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -159,3 +159,33 @@ app.kubernetes.io/version: {{ .image.tag }}
{{- end }}
{{- end }}
{{- end }}


{{- define "element-io.matrix-authentication-service.secret-name" }}
{{- $root := .root }}
{{- with required "element-io.matrix-authentication-service.secret-name requires context" .context }}
{{- $isHook := required "element-io.matrix-authentication-service.secret-name requires context.isHook" .isHook }}
{{- if $isHook }}
{{- $root.Release.Name }}-matrix-authentication-service-hook
{{- else }}
{{- $root.Release.Name }}-matrix-authentication-service
{{- end }}
{{- end }}
{{- end }}


{{- define "element-io.matrix-authentication-service.synapse-secret-data" -}}
{{- $root := .root -}}
{{- with required "element-io.matrix-authentication-service.synapse-secret-data" .context -}}
{{- if $root.Values.synapse.enabled }}
{{- include "element-io.ess-library.check-credential" (dict "root" $root "context" (dict "secretPath" "matrixAuthenticationService.synapseSharedSecret" "initIfAbsent" true)) }}
{{- with .synapseSharedSecret.value }}
SYNAPSE_SHARED_SECRET: {{ . | b64enc }}
{{- end }}
{{- include "element-io.ess-library.check-credential" (dict "root" $root "context" (dict "secretPath" "matrixAuthenticationService.synapseOIDCClientSecret" "initIfAbsent" true)) }}
{{- with .synapseOIDCClientSecret.value }}
SYNAPSE_OIDC_CLIENT_SECRET: {{ . | b64enc }}
{{- end }}
{{- end -}}
{{- end -}}
{{- end -}}
19 changes: 4 additions & 15 deletions charts/matrix-stack/templates/matrix-authentication-service/secret.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,12 +9,15 @@ SPDX-License-Identifier: AGPL-3.0-only
apiVersion: v1
kind: Secret
metadata:
name: {{ $.Release.Name }}-matrix-authentication-service
name: {{ include "element-io.matrix-authentication-service.secret-name" (dict "root" $ "context" (dict "isHook" false)) }}
namespace: {{ $.Release.Namespace }}
labels:
{{- include "element-io.matrix-authentication-service.labels" (dict "root" $ "context" .) | nindent 4 }}
type: Opaque
data:
{{- with (include "element-io.matrix-authentication-service.synapse-secret-data" (dict "root" $ "context" .)) }}
{{- . | nindent 2 }}
{{- end }}
{{- with .additional }}
{{- range $key := (. | keys | uniq | sortAlpha) }}
{{- $prop := index $.Values.matrixAuthenticationService.additional $key }}
Expand All @@ -29,20 +32,6 @@ data:
POSTGRES_PASSWORD: {{ . | b64enc }}
{{- end }}
{{- end }}
{{- if $.Values.synapse.enabled }}
{{- include "element-io.ess-library.check-credential" (dict "root" $ "context" (dict "secretPath" "matrixAuthenticationService.synapseSharedSecret" "initIfAbsent" true)) }}
{{- with .synapseSharedSecret }}
{{- with .value }}
SYNAPSE_SHARED_SECRET: {{ . | b64enc }}
{{- end }}
{{- end }}
{{- include "element-io.ess-library.check-credential" (dict "root" $ "context" (dict "secretPath" "matrixAuthenticationService.synapseOIDCClientSecret" "initIfAbsent" true)) }}
{{- with .synapseOIDCClientSecret }}
{{- with .value }}
SYNAPSE_OIDC_CLIENT_SECRET: {{ . | b64enc }}
{{- end }}
{{- end }}
{{- end }}
{{- include "element-io.ess-library.check-credential" (dict "root" $ "context" (dict "secretPath" "matrixAuthenticationService.encryptionSecret" "initIfAbsent" true)) }}
{{- with .encryptionSecret }}
{{- with .value }}
Expand Down
27 changes: 27 additions & 0 deletions charts/matrix-stack/templates/matrix-authentication-service/secret_hook.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
{{- /*
Copyright 2025 New Vector Ltd

SPDX-License-Identifier: AGPL-3.0-only
*/ -}}

{{- with .Values.matrixAuthenticationService -}}
{{- if .enabled -}}
{{- if and $.Values.synapse.enabled $.Values.synapse.checkConfigHook.enabled -}}
{{- if include "element-io.matrix-authentication-service.synapse-secret-data" (dict "root" $ "context" .) -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "element-io.matrix-authentication-service.secret-name" (dict "root" $ "context" (dict "isHook" true)) }}
namespace: {{ $.Release.Namespace }}
labels:
{{- include "element-io.matrix-authentication-service.labels" (dict "root" $ "context" .) | nindent 4 }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "-5"
type: Opaque
data:
{{- include "element-io.matrix-authentication-service.synapse-secret-data" (dict "root" $ "context" .) | nindent 2 }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
4 changes: 2 additions & 2 deletions charts/matrix-stack/templates/synapse/_synapse_config.tpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -112,7 +112,7 @@ experimental_features:
dict "root" $root "context" (dict
"secretPath" "matrixAuthenticationService.synapseOIDCClientSecret"
"initSecretKey" "MAS_SYNAPSE_OIDC_CLIENT_SECRET"
"defaultSecretName" (printf "%s-matrix-authentication-service" $root.Release.Name)
"defaultSecretName" (include "element-io.matrix-authentication-service.secret-name" (dict "root" $root "context" (dict "isHook" $isHook)))
"defaultSecretKey" "SYNAPSE_OIDC_CLIENT_SECRET"
)
) }}
Expand All @@ -122,7 +122,7 @@ experimental_features:
dict "root" $root "context" (dict
"secretPath" "matrixAuthenticationService.synapseSharedSecret"
"initSecretKey" "MAS_SYNAPSE_SHARED_SECRET"
"defaultSecretName" (printf "%s-matrix-authentication-service" $root.Release.Name)
"defaultSecretName" (include "element-io.matrix-authentication-service.secret-name" (dict "root" $root "context" (dict "isHook" $isHook)))
"defaultSecretKey" "SYNAPSE_SHARED_SECRET"
)
) }}
Expand Down
20 changes: 20 additions & 0 deletions charts/matrix-stack/templates/synapse/_synapse_details.tpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -161,6 +161,26 @@ responsibleForMedia
)
)
) -}}
{{- if $root.Values.matrixAuthenticationService.enabled -}}
{{- with $root.Values.matrixAuthenticationService -}}
{{- with .synapseSharedSecret -}}
{{- with .value -}}
{{- $configSecrets = append $configSecrets (include "element-io.matrix-authentication-service.secret-name" (dict "root" $root "context" (dict "isHook" $isHook))) -}}
{{- end -}}
{{- with .secret -}}
{{ $configSecrets = append $configSecrets (tpl . $root) }}
{{- end -}}
{{- end -}}
{{- with .synapseOIDCClientSecret -}}
{{- with .value -}}
{{- $configSecrets = append $configSecrets (include "element-io.matrix-authentication-service.secret-name" (dict "root" $root "context" (dict "isHook" $isHook))) -}}
{{- end -}}
{{- with .secret -}}
{{ $configSecrets = append $configSecrets (tpl . $root) }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- with .macaroon.secret -}}
{{ $configSecrets = append $configSecrets (tpl . $root) }}
{{- end -}}
Expand Down
1 change: 1 addition & 0 deletions newsfragments/336.fixed.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Synapse/Matrix Authentication Service: Fix shared OIDC secret when init secret is disabled.
34 changes: 27 additions & 7 deletions tests/manifests/__init__.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,7 @@ class DeployableDetails(abc.ABC):
has_service_monitor: bool = field(default=True, hash=False)

paths_consistency_noqa: tuple[str] = field(default=(), hash=False)
skip_path_consistency_for_files: tuple[str] = field(default=(), hash=False)

def __post_init__(self):
if self.helm_key is None:
Expand Down Expand Up @@ -159,7 +160,12 @@ def should_visit_with_values(
has_service_monitor=False,
is_shared_component=True,
),
ComponentDetails(name="haproxy", has_ingress=False, is_shared_component=True),
ComponentDetails(
name="haproxy",
has_ingress=False,
is_shared_component=True,
skip_path_consistency_for_files=["haproxy.cfg", "429.http", "path_map_file", "path_map_file_get"],
),
ComponentDetails(
name="postgres",
has_ingress=False,
Expand All @@ -170,23 +176,29 @@ def should_visit_with_values(
name="element-web",
helm_key="elementWeb",
has_service_monitor=False,
paths_consistency_noqa=("/etc/nginx/nginx.conf", "/etc/nginx/mime.types"),
paths_consistency_noqa=(
"/etc/nginx/nginx.conf",
"/etc/nginx/mime.types",
"/var/log/nginx/access.log",
"/usr/share/nginx/html",
"/json",
"/health",
"/non-existant-so-that-this-works-with-read-only-root-filesystem",
),
),
ComponentDetails(
name="matrix-authentication-service",
helm_key="matrixAuthenticationService",
has_db=True,
shared_component_names=(
"init-secrets",
"postgres",
),
shared_component_names=("init-secrets", "postgres"),
),
ComponentDetails(
name="synapse",
has_db=True,
additional_values_files=[
"synapse-worker-example-values.yaml",
],
skip_path_consistency_for_files=["path_map_file", "path_map_file_get"],
sub_components=[
SubComponentDetails(
name="synapse-redis",
Expand Down Expand Up @@ -240,6 +252,11 @@ def _get_deployables_details_from_base_components_names(base_components_names: l
"synapse",
"well-known",
],
"matrix-authentication-service-synapse-secrets-externally-values.yaml": [
"matrix-authentication-service",
"synapse",
],
"matrix-authentication-service-synapse-secrets-in-helm-values.yaml": ["matrix-authentication-service", "synapse"],
}


Expand All @@ -250,7 +267,10 @@ def _get_deployables_details_from_base_components_names(base_components_names: l
).items()
}

_extra_secret_values_files_to_test = []
_extra_secret_values_files_to_test = [
"matrix-authentication-service-synapse-secrets-in-helm-values.yaml",
"matrix-authentication-service-synapse-secrets-externally-values.yaml",
]
secret_values_files_to_test = [
values_file for details in all_components_details for values_file in details.secret_values_files
] + _extra_secret_values_files_to_test
Expand Down
Loading
Loading