first commit

2024-05-01 11:29:32 +02:00 · 2024-05-01 11:29:32 +02:00 · 54c90b1caf
commit 54c90b1caf
15 changed files with 348 additions and 0 deletions
--- a/manifests/bin/deploy.sh
+++ b/manifests/bin/deploy.sh
@ -0,0 +1,56 @@
+#!/bin/bash -e
+set -o pipefail
+
+function kapply() {
+    for f in "$@"; do
+        kubectl apply -f \
+            <(envsubst "$(env | xargs printf '$%s ')" < "manifests/$f")
+    done
+}
+
+function kcreatesec() {
+    kubectl create secret generic --save-config --dry-run=client -oyaml "$@" | kubectl apply -f-
+}
+
+function kcreatecm() {
+    kubectl create configmap --dry-run=client -oyaml "$@" | kubectl apply -f-
+}
+
+function kgseckey() {
+    local sec="$1"; shift
+    local key="$1"; shift
+
+    kubectl get secret "$sec" -o jsonpath="{.data.$key}" | base64 -d
+}
+
+function kgcmkey() {
+    local cm="$1"; shift
+    local key="$1"; shift
+
+    kubectl get configmap "$cm" -o jsonpath="{.data.$key}"
+}
+
+function get_synapse_key() {
+    kgcmkey synapse-config 'homeserver\.yaml' | awk -F\" "/^\s*$1/{print \$2}" || openssl rand -hex 32
+}
+
+
+kapply common/db.yaml
+
+export POSTGRES_HOST;     POSTGRES_HOST="$(kgseckey postgres-app host)"
+export POSTGRES_PORT;     POSTGRES_PORT="$(kgseckey postgres-app port)"
+export POSTGRES_DB;       POSTGRES_DB="$(kgseckey postgres-app dbname)"
+export POSTGRES_USER;     POSTGRES_USER="$(kgseckey postgres-app user)"
+export POSTGRES_PASSWORD; POSTGRES_PASSWORD="$(kgseckey postgres-app password)"
+
+export API_SECRET;                   API_SECRET="$(get_synapse_key macaroon_secret_key)"
+export TURN_SHARED_SECRET;   TURN_SHARED_SECRET="$(get_synapse_key turn_shared_secret)"
+export REGISTRATION_SECRET; REGISTRATION_SECRET="$(get_synapse_key registration_shared_secret)"
+
+kcreatecm synapse-config \
+    --from-file=homeserver.yaml=<(envsubst "$(env | xargs printf '$%s ')" < homeserver.yaml) \
+    --from-file=log.config=<(envsubst "$(env | xargs printf '$%s ')" < log.config)
+
+kapply common/keys.yaml common/app.yaml
+
+kubectl rollout restart statefulset app
--- a/manifests/bin/devel.sh
+++ b/manifests/bin/devel.sh
@ -0,0 +1,5 @@
+#!/bin/bash -e
+
+export NB_REPLICAS=1
+
+. ./manifests/bin/deploy.sh
--- a/manifests/bin/prod.sh
+++ b/manifests/bin/prod.sh
@ -0,0 +1,5 @@
+#!/bin/bash -e
+
+export NB_REPLICAS=3
+
+. ./manifests/bin/deploy.sh
--- a/manifests/common/app.yaml
+++ b/manifests/common/app.yaml
@ -0,0 +1,95 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: app
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+spec:
+  ingressClassName: nginx
+  tls:
+    - secretName: tls-app
+      hosts:
+        - "$BASE_URL"
+  rules:
+    - host: "$BASE_URL"
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: app
+                port:
+                  name: http
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: app
+  labels:
+    app: app
+spec:
+  selector:
+    app: app
+  ports:
+    - name: http
+      port: 80
+      targetPort: http
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: app
+  labels:
+    app: app
+spec:
+  replicas: $NB_REPLICAS
+  selector:
+    matchLabels:
+      app: app
+  template:
+    metadata:
+      labels:
+        app: app
+    spec:
+      imagePullSecrets:
+        - name: regcred
+      containers:
+        - name: app
+          image: "$IMAGEAPP"
+          ports:
+            - name: http
+              containerPort: 8008
+          env:
+            - name: SYNAPSE_CONFIG_PATH
+              value: /config/homeserver.yaml
+            - name: SYNAPSE_CONFIG_DIR
+              value: /keys/
+          volumeMounts:
+            - name: config
+              mountPath: /config/
+              readOnly: true
+            - name: data
+              mountPath: /data/
+            - name: keys
+              mountPath: /keys/
+      securityContext:
+        fsGroup: 991
+      volumes:
+        - name: config
+          configMap:
+            name: synapse-config
+        - name: keys
+          persistentVolumeClaim:
+            claimName: keys
+  volumeClaimTemplates:
+    - metadata:
+        name: data
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        storageClassName: nfs-csi
+        resources:
+          requests:
+            storage: 10Gi
--- a/manifests/common/db.yaml
+++ b/manifests/common/db.yaml
@ -0,0 +1,9 @@
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: postgres
+spec:
+  instances: $NB_REPLICAS
+  storage:
+    size: 10Gi
--- a/manifests/common/keys.yaml
+++ b/manifests/common/keys.yaml
@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: keys
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: nfs-csi
+  resources:
+    requests:
+      storage: 10Mi
--- a/manifests/devel/.gitkeep
+++ b/manifests/devel/.gitkeep
--- a/manifests/prod/.gitkeep
+++ b/manifests/prod/.gitkeep