Merge pull request #10 from small-hack/add-better-connection-url

change sliding sync database connection string templating
small-hack · May 25, 2024 · eb68f9c · eb68f9c
2 parents 0c17033 + b15d394
commit eb68f9c
Show file tree

Hide file tree

Showing 7 changed files with 80 additions and 95 deletions.
diff --git a/charts/matrix-sliding-sync/Chart.yaml b/charts/matrix-sliding-sync/Chart.yaml
@@ -15,15 +15,15 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.0
+version: 0.4.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
 #
 # renovate: image=ghcr.io/matrix-org/sliding-sync
-appVersion: "v0.99.17"
+appVersion: "v0.99.18"
 
 dependencies:
   - name: postgresql

diff --git a/charts/matrix-sliding-sync/README.md b/charts/matrix-sliding-sync/README.md
@@ -1,6 +1,6 @@
 # matrix-sliding-sync
 
-![Version: 0.3.0](https://img.shields.io/badge/Version-0.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.99.17](https://img.shields.io/badge/AppVersion-v0.99.17-informational?style=flat-square)
+![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.99.18](https://img.shields.io/badge/AppVersion-v0.99.18-informational?style=flat-square)
 
 A Helm chart for deploying matrix sliding sync on Kubernetes
 
@@ -25,17 +25,12 @@ A Helm chart for deploying matrix sliding sync on Kubernetes
 | autoscaling.maxReplicas | int | `100` |  |
 | autoscaling.minReplicas | int | `1` |  |
 | autoscaling.targetCPUUtilizationPercentage | int | `80` |  |
+| existingEnvSecret | string | `""` | existing kubernetes secret for ALL syncv3 env vars listed below. if set, ignores all values under syncv3 including syncv3.db and syncvc.otlp. |
 | externalDatabase.database | string | `"syncv3"` | name of the database to try and connect to |
 | externalDatabase.enabled | bool | `false` | enable using an external database *instead of* the Bitnami PostgreSQL sub-chart if externalDatabase.enabled is set to true, postgresql.enabled must be set to false |
-| externalDatabase.existingSecret | string | `""` | Name of existing secret to use for PostgreSQL credentials |
 | externalDatabase.hostname | string | `""` | hostname of db server. Can be left blank if using postgres subchart |
 | externalDatabase.password | string | `"changeme"` | password of matrix-sliding-sync postgres user - ignored using exsitingSecret |
 | externalDatabase.port | int | `5432` | which port to use to connect to your database server |
-| externalDatabase.secretKeys.adminPasswordKey | string | `"postgresPassword"` | key in existingSecret with the admin postgresql password |
-| externalDatabase.secretKeys.database | string | `"database"` | key in existingSecret with name of the database |
-| externalDatabase.secretKeys.databaseHostname | string | `"hostname"` | key in existingSecret with hostname of the database |
-| externalDatabase.secretKeys.databaseUsername | string | `"username"` | key in existingSecret with username for matrix to connect to db |
-| externalDatabase.secretKeys.userPasswordKey | string | `"password"` | key in existingSecret with password for matrix to connect to db |
 | externalDatabase.sslcert | string | `""` | optional: tls/ssl cert for postgresql connections |
 | externalDatabase.sslkey | string | `""` | optional: tls/ssl key for postgresql connections |
 | externalDatabase.sslmode | string | `""` | sslmode to use, example: verify-full |
@@ -101,7 +96,10 @@ A Helm chart for deploying matrix sliding sync on Kubernetes
 | serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
 | serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
 | syncv3.bindaddr | string | `"0.0.0.0:8008"` | SYNCV3_BINDADDR - The interface and port to listen on. (Supports unix socket: /path/to/socket) |
-| syncv3.existingSecret | string | `""` | existing kubernetes secret for ALL syncv3 env vars listed below. if set, ignores all values below, everything under syncv3 including syncv3.db and syncvc.otlp. |
+| syncv3.db | string | `""` | SYNCV3_DB - db connection string: https://www.postgresql.org/docs/current/libpq-connect.html if db is empty, you must either provide postgresql or externalDatabase parameters, OR set syncv3.existingDbSecret and syncv3.dbSecretKey |
+| syncv3.dbSecretKey | string | `"SYNCV3_DB"` | db key in existing Db Secret for |
+| syncv3.existingDbSecret | string | `""` | use an existing kubernetes secret for the db connection connection string. if set, ignores syncv3.db |
+| syncv3.existingSyncv3Secret | string | `""` | if set, we'll grab your SYNCV3_SECRET from an existing kubernetes secret and ignore syncv3.secret |
 | syncv3.logLevel | string | `"info"` | SYNCV3_LOG_LEVEL - The level of verbosity for messages logged. Available values are trace, debug, info, warn, error and fatal |
 | syncv3.maxDbConn | string | `""` | SYNCV3_MAX_DB_CONN - Default: unset. Max database connections to use when communicating with postgres. Unset or 0 means no limit. |
 | syncv3.otlp.existingSecret | string | `nil` |  |
@@ -113,6 +111,7 @@ A Helm chart for deploying matrix sliding sync on Kubernetes
 | syncv3.secret | string | `""` | SYNCV3_SECRET - Required. A secret to use to encrypt access tokens. Must remain the same for the lifetime of the database. If both syncv3.secret and syncv3.existingSecret are not set, we will autogenerate this value |
 | syncv3.sentryDsn | string | `""` | SYNCV3_SENTRY_DSN - Default: unset. The Sentry DSN to report events to e.g https://sliding-sync@sentry.example.com/123 - if unset does not send sentry events. |
 | syncv3.server | string | `""` | SYNCV3_SERVER - Required. The destination homeserver to talk to (CS API HTTPS URL) e.g 'https://matrix-client.matrix.org' (Supports unix socket: /path/to/socket) |
+| syncv3.syncv3SecretKey | string | `"SYNCV3_SECRET"` | secret key to get synvcv3 secret from in existing kubernetes secret. |
 | syncv3.tlsCert | string | `""` | SYNCV3_TLS_CERT - Default: unset. Path to a certificate file to serve to HTTPS clients. Specifying this enables TLS on the bound address. |
 | syncv3.tlsKey | string | `""` | SYNCV3_TLS_KEY - Default: unset. Path to a key file for the certificate. Must be provided along with the certificate file. |
 | tolerations | list | `[]` |  |

diff --git a/charts/matrix-sliding-sync/templates/_helpers.tpl b/charts/matrix-sliding-sync/templates/_helpers.tpl
@@ -166,11 +166,15 @@ Helper function to get postgres ssl mode
 templates out SYNCV3_DB which is a postgres connection string: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
 */}}
 {{- define "matrix-sliding-sync.dbConnString" -}}
-{{- if not .Values.syncv3.existingSecret }}
-{{- if or .Values.postgresql.enabled }}
-{{- printf "user=%s dbname=%s sslmode=disable host=%s password=%s" .Values.postgresql.global.postgresql.auth.username .Values.postgresql.global.postgresql.auth.database (include "matrix-sliding-sync.postgresql.hostname" .) .Values.postgresql.global.postgresql.auth.password }}
-{{- else -}}
-{{- printf "user=%s dbname=%s sslmode=%s sslmode=%s host=%s" .Values.externalDatabase.username .Values.externalDatabase.database .Values.externalDatabase.sslmode .Values.externalDatabase.hostname .Values.externalDatabase.password }}
-{{- end }}
-{{- end }}
-{{- end }}
+{{- if and (not .Values.existingEnvSecret) (not .Values.syncv3.existingDbSecret) }}
+{{- if .Values.postgresql.enabled }}
+{{- printf "user=%s dbname=%s host=%s sslmode=disable password=%s" .Values.postgresql.global.postgresql.auth.username .Values.postgresql.global.postgresql.auth.database (include "matrix-sliding-sync.postgresql.hostname" .) .Values.postgresql.global.postgresql.auth.password }}
+{{- else if and .Values.externalDatabase.enabled .Values.externalDatabase.sslmode }}
+{{- printf "user=%s dbname=%s host=%s sslmode=%s sslkey=%s sslcert=%s sslrootcert=%s" .Values.externalDatabase.username .Values.externalDatabase.database .Values.externalDatabase.hostname .Values.externalDatabase.sslmode .Values.externalDatabase.sslkey .Values.externalDatabase.sslcert .Values.externalDatabase.sslrootcert }}
+{{- else if and .Values.externalDatabase.enabled .Values.externalDatabase.password }}
+{{- printf "user=%s dbname=%s sslmode=disable host=%s password=%s" .Values.externalDatabase.username .Values.externalDatabase.database .Values.externalDatabase.hostname .Values.externalDatabase.password }}
+{{- else if .Values.syncv3.db }}
+{{- .Values.syncv3.db }}
+{{- end }}
+{{- end }}{{/* end if existing db secrets and not syncv3.db */}}
+{{- end }}{{/* end define matrix-sliding-sync.dbConnString */}}
diff --git a/charts/matrix-sliding-sync/templates/database-secret.yaml b/charts/matrix-sliding-sync/templates/database-secret.yaml
@@ -2,7 +2,7 @@
 if postgresql.global.postgresql.auth.existingSecret is not passed in, then we create a
 secret to store the credentials without it being in a configmap in plaintext.
 */}}
-{{- if and (not .Values.postgresql.global.postgresql.auth.existingSecret) (not .Values.externalDatabase.existingSecret )}}
+{{- if and .Values.postgresql.enabled (not .Values.postgresql.global.postgresql.auth.existingSecret)}}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -15,13 +15,7 @@ metadata:
 type: Opaque
 data:
   hostname: {{ include "matrix-sliding-sync.postgresql.hostname" . | b64enc | quote }}
-  {{- if and .Values.postgresql.enabled (not .Values.postgresql.global.postgresql.auth.existingSecret) }}
   database: {{ .Values.postgresql.global.postgresql.auth.database | b64enc | quote }}
   username: {{ .Values.postgresql.global.postgresql.auth.username | b64enc | quote }}
   password: {{ .Values.postgresql.global.postgresql.auth.password | b64enc | quote }}
-  {{- else if and .Values.externalDatabase.enabled (not .Values.externalDatabase.existingSecret) }}
-  database: {{ .Values.externalDatabase.database | b64enc | quote }}
-  username: {{ .Values.externalDatabase.username | b64enc | quote }}
-  password: {{ .Values.externalDatabase.password | b64enc | quote }}
-  {{- end }}
 {{- end }}
diff --git a/charts/matrix-sliding-sync/templates/deployment.yaml b/charts/matrix-sliding-sync/templates/deployment.yaml
@@ -40,11 +40,13 @@ spec:
                 secretKeyRef:
                   name: {{ include "matrix-sliding-sync.postgresql.secretName" . }}
                   key: {{ include "matrix-sliding-sync.postgresql.secretKeys.hostname" . }}
+
             - name: PGUSER
               valueFrom:
                 secretKeyRef:
                   name: {{ include "matrix-sliding-sync.postgresql.secretName" . }}
                   key: {{ include "matrix-sliding-sync.postgresql.secretKeys.user" . }}
+
             - name: PGPASSWORD
               valueFrom:
                 secretKeyRef:
@@ -60,8 +62,10 @@ spec:
         {{- end }}
       containers:
         - name: {{ .Chart.Name }}
+          {{- with .Values.securityContext }}
           securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           ports:
@@ -72,51 +76,36 @@ spec:
           livenessProbe:
             {{- toYaml .Values.livenessProbe | nindent 12 }}
           {{- end }}
-          {{- with .Values.readinessProbe.enabled }}
+          {{- if .Values.readinessProbe.enabled }}
           readinessProbe:
             {{- toYaml .Values.readinessProbe | nindent 12 }}
           {{- end }}
+          {{- with .Values.resources }}
           resources:
-            {{- toYaml .Values.resources | nindent 12 }}
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           {{- with .Values.volumeMounts }}
           volumeMounts:
             {{- toYaml . | nindent 12 }}
           {{- end }}
           env:
-            - name: PGHOST
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "matrix-sliding-sync.postgresql.secretName" . }}
-                  key: {{ include "matrix-sliding-sync.postgresql.secretKeys.hostname" . }}
-            - name: PGDATABASE
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "matrix-sliding-sync.postgresql.secretName" . }}
-                  key: {{ include "matrix-sliding-sync.postgresql.secretKeys.database" . }}
-            - name: PGUSER
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "matrix-sliding-sync.postgresql.secretName" . }}
-                  key: {{ include "matrix-sliding-sync.postgresql.secretKeys.user" . }}
-            - name: PGPASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "matrix-sliding-sync.postgresql.secretName" . }}
-                  key: {{ include "matrix-sliding-sync.postgresql.secretKeys.password" . }}
-            {{- if or .Values.postgresql.sslmode .Values.externalDatabase.sslmode }}
-            {{- include "matrix-sliding-sync.postgresql.sslEnvVars" . | nindent 12 }}
-            {{- end }}
-            {{- if not .Values.syncv3.existingSecret }}
+            {{- if and (not .Values.existingEnvSecret) (not .Values.syncv3.existingDbSecret) }}
             - name: SYNCV3_DB
               value: {{ include "matrix-sliding-sync.dbConnString" . }}
+            {{- else if .Values.syncv3.existingDbSecret }}
+            - name: SYNCV3_DB
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.syncv3.existingDbSecret }}
+                  key: {{ .Values.syncv3.dbSecretKey }}
             {{- end }}
           envFrom:
             - secretRef:
-          {{- if .Values.syncv3.existingSecret }}
+              {{- if .Values.syncv3.existingSecret }}
                 name: {{ .Values.syncv3.existingSecret }}
-          {{- else }}
+              {{- else }}
                 name: {{ include "matrix-sliding-sync.fullname" . }}-env
-          {{- end }}
+              {{- end }}
 
       {{- with .Values.volumes }}
       volumes:

diff --git a/charts/matrix-sliding-sync/templates/syncv3-env.yaml b/charts/matrix-sliding-sync/templates/syncv3-env.yaml
@@ -1,46 +1,45 @@
-{{- if not .Values.syncv3.existingSecret }}
+{{- if not .Values.existingEnvSecret }}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
   name: {{ include "matrix-sliding-sync.fullname" . }}-env
-{{/* SYNCV3_DB: {{ include "matrix-sliding-sync.dbConnString" . | b64enc | quote }} */}}
 data:
-  {{- if .Values.syncv3.secret }}
+  {{- if and (not .Values.syncv3.existingSyncv3Secret) .Values.syncv3.secret }}
   SYNCV3_SECRET: {{ .Values.syncv3.secret | b64enc | quote }}
-  {{- else }}
+  {{- else if and (not .Values.syncv3.existingSyncv3Secret) (not .Values.syncv3.secret) }}
   SYNCV3_SECRET: {{ randAlphaNum 32 | b64enc | quote }}
   {{- end }}
   SYNCV3_SERVER: {{ .Values.syncv3.server | b64enc | quote }}
   SYNCV3_BINDADDR: {{ .Values.syncv3.bindaddr | b64enc | quote }}
-  {{ if .Values.syncv3.tlsCert }}
-  SYNCV3_TLS_CERT: {{ .Values.syncv3.tlsCert | b64enc | quote }}
+  {{ with .Values.syncv3.tlsCert }}
+  SYNCV3_TLS_CERT: {{ . | b64enc | quote }}
   {{- end }}
-  {{ if .Values.syncv3.tlsKey }}
-  SYNCV3_TLS_KEY: {{ .Values.syncv3.tlsKey | b64enc | quote }}
+  {{ with .Values.syncv3.tlsKey }}
+  SYNCV3_TLS_KEY: {{ . | b64enc | quote }}
   {{- end }}
-  {{ if not .Values.syncv3.pprof }}
-  SYNCV3_PPROF: {{ .Values.syncv3.pprof | b64enc | quote }}
+  {{ with .Values.syncv3.pprof }}
+  SYNCV3_PPROF: {{ . | b64enc | quote }}
   {{- end }}
-  {{ if not .Values.syncv3.prom }}
-  SYNCV3_PROM: {{ .Values.syncv3.prom | b64enc | quote }}
+  {{ with .Values.syncv3.prom }}
+  SYNCV3_PROM: {{ . | b64enc | quote }}
   {{- end }}
   {{ if not .Values.syncv3.otlp.existingSecret }}
-  {{ if .Values.syncv3.otlp.url }}
-  SYNCV3_OTLP_URL: {{ .Values.syncv3.otlp.url | b64enc | quote }}
+  {{ with .Values.syncv3.otlp.url }}
+  SYNCV3_OTLP_URL: {{ . | b64enc | quote }}
   {{- end }}
-  {{ if .Values.syncv3.otlp.username }}
-  SYNCV3_OTLP_USERNAME: {{ .Values.syncv3.otlp.username | b64enc | quote }}
+  {{ with .Values.syncv3.otlp.username }}
+  SYNCV3_OTLP_USERNAME: {{ . | b64enc | quote }}
   {{- end }}
-  {{ if .Values.syncv3.otlp.password }}
-  SYNCV3_OTLP_PASSWORD: {{ .Values.syncv3.otlp.password | b64enc | quote }}
+  {{ with .Values.syncv3.otlp.password }}
+  SYNCV3_OTLP_PASSWORD: {{ . | b64enc | quote }}
   {{- end }}
   {{- end }}
-  {{ if .Values.syncv3.sentryDsn }}
-  SYNCV3_SENTRY_DSN: {{ .Values.syncv3.sentryDsn | b64enc | quote }}
+  {{ with .Values.syncv3.sentryDsn }}
+  SYNCV3_SENTRY_DSN: {{ . | b64enc | quote }}
   {{- end }}
   SYNCV3_LOG_LEVEL: {{ .Values.syncv3.logLevel | b64enc | quote }}
-  {{ if .Values.syncv3.maxDbConn }}
-  SYNCV3_MAX_DB_CONN: {{ .Values.syncv3.maxDbConn | b64enc | quote }}
+  {{ with .Values.syncv3.maxDbConn }}
+  SYNCV3_MAX_DB_CONN: {{ . | b64enc | quote }}
   {{- end }}
 {{- end }}
diff --git a/charts/matrix-sliding-sync/values.yaml b/charts/matrix-sliding-sync/values.yaml
@@ -219,30 +219,30 @@ externalDatabase:
   hostname: ""
   # -- name of the database to try and connect to
   database: "syncv3"
-  # -- Name of existing secret to use for PostgreSQL credentials
-  existingSecret: ""
-  # if externalDatabase.existingSecret is provided, the following are ignored
-  # password, username, hostname, database
-  # secretKeys to grab from existingSecret
-  secretKeys:
-    # -- key in existingSecret with hostname of the database
-    databaseHostname: hostname
-    # -- key in existingSecret with name of the database
-    database: database
-    # -- key in existingSecret with username for matrix to connect to db
-    databaseUsername: username
-    # -- key in existingSecret with password for matrix to connect to db
-    userPasswordKey: password
-    # -- key in existingSecret with the admin postgresql password
-    adminPasswordKey: postgresPassword
+
+# -- existing kubernetes secret for ALL syncv3 env vars listed below. if set,
+# ignores all values under syncv3 including syncv3.db and syncvc.otlp.
+existingEnvSecret: ""
 
 syncv3:
-  # -- existing kubernetes secret for ALL syncv3 env vars listed below. if set, ignores all values below, everything under syncv3 including syncv3.db and syncvc.otlp.
-  existingSecret: ""
+  # -- SYNCV3_DB - db connection string:
+  # https://www.postgresql.org/docs/current/libpq-connect.html
+  # if db is empty, you must either provide postgresql or externalDatabase
+  # parameters, OR set syncv3.existingDbSecret and syncv3.dbSecretKey
+  db: ""
+  # -- use an existing kubernetes secret for the db connection connection string.
+  # if set, ignores syncv3.db
+  existingDbSecret: ""
+  # -- db key in existing Db Secret for
+  dbSecretKey: "SYNCV3_DB"
   # -- SYNCV3_SERVER - Required. The destination homeserver to talk to (CS API HTTPS URL) e.g 'https://matrix-client.matrix.org' (Supports unix socket: /path/to/socket)
   server: ""
   # -- SYNCV3_SECRET - Required. A secret to use to encrypt access tokens. Must remain the same for the lifetime of the database. If both syncv3.secret and syncv3.existingSecret are not set, we will autogenerate this value
   secret: ""
+  # -- if set, we'll grab your SYNCV3_SECRET from an existing kubernetes secret and ignore syncv3.secret
+  existingSyncv3Secret: ""
+  # -- secret key to get synvcv3 secret from in existing kubernetes secret.
+  syncv3SecretKey: "SYNCV3_SECRET"
   # -- SYNCV3_BINDADDR - The interface and port to listen on. (Supports unix socket: /path/to/socket)
   bindaddr: "0.0.0.0:8008"
   # -- SYNCV3_TLS_CERT - Default: unset. Path to a certificate file to serve to HTTPS clients. Specifying this enables TLS on the bound address.