From b102798a23c057f0f9218434aea2f3c88ca3d62e Mon Sep 17 00:00:00 2001 From: Rhea Danzey Date: Thu, 8 Jun 2023 12:17:54 -0500 Subject: [PATCH] Add basic Helm chart for Hookshot (#719) * Import basic chart Signed-off-by: Rhea Danzey * Test chart-releaser workflow Signed-off-by: Rhea Danzey * Use latest version of chart-releaser action Signed-off-by: Rhea Danzey * Test chart version bump Signed-off-by: Rhea Danzey * Remove pages index Signed-off-by: Rhea Danzey * Test bump Chart.yaml * Add preliminary docs Signed-off-by: Rhea Danzey * Docs tidying Signed-off-by: Rhea Danzey * Add changelog for helm chart Signed-off-by: Rhea Danzey * Update helm/hookshot/README.md Co-authored-by: Will Hunt * Update values.yaml with most recent default config (incl. comments) Signed-off-by: Rhea Danzey * Add pre-build stage for helm chart to template appVersion and config into values Signed-off-by: Rhea Danzey * Add lint / validate to helm chart Signed-off-by: Rhea Danzey * Fix helm validate workflow & Rename Signed-off-by: Rhea Danzey * Update .github/workflows/helm.yml Co-authored-by: Will Hunt --------- 
Signed-off-by: Rhea Danzey Co-authored-by: Will Hunt --- .github/workflows/helm-lint.yml | 27 ++ .github/workflows/helm.yml | 50 +++ changelog.d/719.feature | 1 + docs/setup.md | 26 +- helm/cr.yaml | 2 + helm/ct.yaml | 6 + helm/hookshot/.gitignore | 1 + helm/hookshot/.helmignore | 24 ++ helm/hookshot/.yamllint | 7 + helm/hookshot/Chart.yaml | 22 ++ helm/hookshot/README.md | 122 +++++++ helm/hookshot/README.md.gotmpl | 74 +++++ helm/hookshot/templates/NOTES.txt | 22 ++ helm/hookshot/templates/_helpers.tpl | 85 +++++ helm/hookshot/templates/_pod.tpl | 160 +++++++++ helm/hookshot/templates/configmap.yaml | 21 ++ helm/hookshot/templates/deployment.yaml | 24 ++ helm/hookshot/templates/hpa.yaml | 29 ++ .../templates/ingress-appservice.yaml | 62 ++++ helm/hookshot/templates/ingress.yaml | 62 ++++ helm/hookshot/templates/service.yaml | 31 ++ helm/hookshot/templates/serviceaccount.yaml | 12 + .../templates/tests/test-connection.yaml | 16 + helm/hookshot/values.yaml | 312 ++++++++++++++++++ 24 files changed, 1188 insertions(+), 10 deletions(-) create mode 100644 .github/workflows/helm-lint.yml create mode 100644 .github/workflows/helm.yml create mode 100644 changelog.d/719.feature create mode 100644 helm/cr.yaml create mode 100644 helm/ct.yaml create mode 100644 helm/hookshot/.gitignore create mode 100644 helm/hookshot/.helmignore create mode 100644 helm/hookshot/.yamllint create mode 100644 helm/hookshot/Chart.yaml create mode 100644 helm/hookshot/README.md create mode 100644 helm/hookshot/README.md.gotmpl create mode 100644 helm/hookshot/templates/NOTES.txt create mode 100644 helm/hookshot/templates/_helpers.tpl create mode 100644 helm/hookshot/templates/_pod.tpl create mode 100644 helm/hookshot/templates/configmap.yaml create mode 100644 helm/hookshot/templates/deployment.yaml create mode 100644 helm/hookshot/templates/hpa.yaml create mode 100644 helm/hookshot/templates/ingress-appservice.yaml create mode 100644 helm/hookshot/templates/ingress.yaml create mode 100644 
helm/hookshot/templates/service.yaml create mode 100644 helm/hookshot/templates/serviceaccount.yaml create mode 100644 helm/hookshot/templates/tests/test-connection.yaml create mode 100644 helm/hookshot/values.yaml
diff --git a/.github/workflows/helm-lint.yml b/.github/workflows/helm-lint.yml
new file mode 100644
index 00000000..600e5be5
--- /dev/null
+++ b/.github/workflows/helm-lint.yml
@@ -0,0 +1,27 @@
+name: Helm Chart - Validate
+on:
+ push:
+ branches: [ main ]
+ paths-ignore:
+ - changelog.d/**'
+ pull_request:
+ branches: [ main ]
+ paths-ignore:
+ - changelog.d/**'
+
+ workflow_dispatch:
+jobs:
+ lint-helm:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Lint Helm
+ uses: WyriHaximus/github-action-helm3@v3
+ with:
+ exec: helm lint ./helm/hookshot/
+
+ - name: Validate
+ uses: nlamirault/helm-kubeconform-action@v0.1.0
+ with:
+ charts: ./helm/
\ No newline at end of file
diff --git a/.github/workflows/helm.yml b/.github/workflows/helm.yml
new file mode 100644
index 00000000..72e1d8d0
--- /dev/null
+++ b/.github/workflows/helm.yml
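Review bot: The third-party actions in `.github/workflows/helm-lint.yml` (`WyriHaximus/github-action-helm3@v3`, `nlamirault/helm-kubeconform-action@v0.1.0`) are referenced by tag, which the action's owner can move; the same holds in `.github/workflows/helm.yml` for `azure/setup-helm@v3`, `mikefarah/yq@v4.34.1` and `helm/chart-releaser-action@v1.5.0`, where the job holds `contents: write`. Pin each to a full commit SHA with the tag kept as a comment, e.g. `uses: helm/chart-releaser-action@FULL_COMMIT_SHA_PLACEHOLDER  # v1.5.0`. This lint workflow also has no `permissions:` block, so a top-level `permissions:` with `contents: read` would keep its token read-only whatever the repository default is. Separately, both `paths-ignore` entries read `changelog.d/**'` with a stray trailing quote, so the pattern probably never matches; `- 'changelog.d/**'` looks like what was meant.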
@@ -0,0 +1,50 @@
+name: Helm Chart - Release
+
+on:
+ push:
+ branches:
+ - main
+ paths:
+ - 'helm/**' # only execute if we have helm chart changes
+ workflow_dispatch:
+
+jobs:
+ release:
+ # depending on default permission settings for your org (contents being read-only or read-write for workloads), you will have to add permissions
+ # see: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token
+ permissions:
+ contents: write
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+
+ - name: Configure Git
+ run: |
+ git config user.name "$GITHUB_ACTOR"
+ git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+ - name: Install Helm
+ uses: azure/setup-helm@v3
+ with:
+ version: v3.10.0
+
+ - name: Pre-build chart
+ uses: mikefarah/yq@v4.34.1
+ with:
+ cmd: |
+ HOOKSHOT_VERSION="$(cat package.json | yq .version)"
+ yq ".appVersion=\"$HOOKSHOT_VERSION\"" helm/hookshot/Chart.yaml
+
+ yq -i eval-all 'select(fileIndex==0).hookshot.config = select(fileIndex==1) | select(fileIndex==0)' \
+ helm/hookshot/values.yaml \
+ config.sample.yml
+
+ - name: Run chart-releaser
+ uses: helm/chart-releaser-action@v1.5.0
+ env:
+ CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+ with:
+ config: helm/cr.yaml
+ charts_dir: helm/
\ No newline at end of file
diff --git a/changelog.d/719.feature b/changelog.d/719.feature
new file mode 100644
index 00000000..4eed3f52
--- /dev/null
+++ b/changelog.d/719.feature
@@ -0,0 +1 @@
+Added basic helm chart to repository with GitHub Actions / chart-releaser builds
\ No newline at end of file
diff --git a/docs/setup.md b/docs/setup.md
index 240ed739..f6106bbb 100644
--- a/docs/setup.md
+++ b/docs/setup.md
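Review bot: In the `Pre-build chart` step of `.github/workflows/helm.yml`, the first `yq` call has no `-i`, so the computed `appVersion` is only printed and `helm/hookshot/Chart.yaml` keeps `0.0.0-replaced-by-ci` when chart-releaser packages it. Because `_pod.tpl` in this patch defaults the image tag to `.Chart.AppVersion`, a released chart would presumably point at an image tag that does not exist unless users set `image.tag` themselves. Write the file in place, `yq -i ".appVersion=\"$HOOKSHOT_VERSION\"" helm/hookshot/Chart.yaml`, as the following `yq -i eval-all` call already does. The workflow also triggers only on `helm/**`, so a version bump in `package.json` alone would not publish a chart carrying the new `appVersion`; confirm that is intended.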
@@ -11,7 +11,6 @@ Hookshot memory requirements may increase depending on the traffic and the numbe You **must** have administrative access to an existing homeserver in order to set up Hookshot, as Hookshot requires the homeserver to be configured with its appservice registration. - ## Local installation This bridge requires at least Node 16 and Rust installed. @@ -47,6 +46,11 @@ docker run \ Where `/etc/matrix-hookshot` would contain the configuration files `config.yml` and `registration.yml`. The `passKey` file should also be stored alongside these files. In your config, you should use the path `/data/passkey.pem`. +## Installation via Helm + +There's now a basic chart defined in [helm/hookshot](/helm/hookshot/) that can be used to deploy the Hookshot Docker container in a Kubernetes-native way. + +More information on this method is available [here](https://github.com/matrix-org/matrix-hookshot/helm/hookshot/README.md) ## Configuration 
@@ -59,10 +63,12 @@ You may validate your config without starting the service by running `yarn valid For Docker you can run `docker run --rm -v /absolute-path-to/config.yml:/config.yml halfshot/matrix-hookshot node Config/Config.js /config.yml` Copy `registration.sample.yml` into `registration.yml` and fill in: + - At a minimum, you will need to replace the `as_token` and `hs_token` and change the domain part of the namespaces. The sample config can be also found at our [github repo](https://raw.githubusercontent.com/matrix-org/matrix-hookshot/main/registration.sample.yml) for your convienence. You will need to link the registration file to the homeserver. Consult your homeserver documentation on how to add appservices. [Synapse documents the process here](https://matrix-org.github.io/synapse/latest/application_services.html). + ### Homeserver Configuration In addition to providing the registration file above, you also need to tell Hookshot how to reach the homeserver which is hosting it. For clarity, hookshot expects to be able to connect to an existing homeserver which has the Hookshot registration file configured. @@ -79,7 +85,6 @@ bridge: The `port` and `bindAddress` must not conflict with the other listeners in the bridge config. This listeners should **not** be reachable over the internet to users, as it's intended to be used by the homeserver exclusively. This service listens on `/_matrix/app/`. - ### Permissions The bridge supports fine grained permission control over what services a user can access. @@ -94,6 +99,7 @@ permissions: ``` You must configure a set of "actors" with access to services. An `actor` can be: + - A MxID (also known as a User ID) e.g. `"@Half-Shot:half-shot.uk"` - A homeserver domain e.g. `matrix.org` - A roomId. This will allow any member of this room to complete actions. e.g. `"!TlZdPIYrhwNvXlBiEk:half-shot.uk"` 
@@ -102,6 +108,7 @@ You must configure a set of "actors" with access to services. An `actor` can be: MxIDs. room IDs and `*` **must** be wrapped in quotes. Each permission set can have a services. The `service` field can be: + - `github` - `gitlab` - `jira` @@ -111,11 +118,12 @@ Each permission set can have a services. The `service` field can be: - `*`, for any service. The `level` can be: - - `commands` Can run commands within connected rooms, but NOT log in to the bridge. - - `login` All the above, and can also log in to the bridge. - - `notifications` All the above, and can also bridge their notifications. - - `manageConnections` All the above, and can create and delete connections (either via the provisioner, setup commands, or state events). - - `admin` All permissions. This allows you to perform administrative tasks like deleting connections from all rooms. + +- `commands` Can run commands within connected rooms, but NOT log in to the bridge. +- `login` All the above, and can also log in to the bridge. +- `notifications` All the above, and can also bridge their notifications. +- `manageConnections` All the above, and can create and delete connections (either via the provisioner, setup commands, or state events). +- `admin` All permissions. This allows you to perform administrative tasks like deleting connections from all rooms. When permissions are checked, if a user matches any of the permission set and one of those grants the right level for a service, they are allowed access. If none of the @@ -202,7 +210,6 @@ Please note that the appservice HTTP listener is configured separatelythis issue for details. - ### Services configuration You will need to configure some services. Each service has its own documentation file inside the setup subdirectory. @@ -230,7 +237,6 @@ logging: timestampFormat: HH:mm:ss:SSS ``` - #### JSON Logging Enabling the `json` option will configure hookshot to output structured JSON logs. The schema looks like: 
@@ -259,4 +265,4 @@ Enabling the `json` option will configure hookshot to output structured JSON log "retrying in 5s" ] } -``` \ No newline at end of file +``` diff --git a/helm/cr.yaml b/helm/cr.yaml new file mode 100644 index 00000000..b60187ea --- /dev/null +++ b/helm/cr.yaml @@ -0,0 +1,2 @@ + +release-name-template: "helm-{{ .Name }}-{{ .Version }}" \ No newline at end of file diff --git a/helm/ct.yaml b/helm/ct.yaml new file mode 100644 index 00000000..ed933e1b --- /dev/null +++ b/helm/ct.yaml @@ -0,0 +1,6 @@ +remote: origin +target-branch: main +chart-repos: [] +chart-dirs: + - helm +validate-maintainers: false \ No newline at end of file diff --git a/helm/hookshot/.gitignore b/helm/hookshot/.gitignore new file mode 100644 index 00000000..aa1ec1ea --- /dev/null +++ b/helm/hookshot/.gitignore @@ -0,0 +1 @@ +*.tgz diff --git a/helm/hookshot/.helmignore b/helm/hookshot/.helmignore new file mode 100644 index 00000000..0cfe4aef --- /dev/null +++ b/helm/hookshot/.helmignore @@ -0,0 +1,24 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ +*.tgz diff --git a/helm/hookshot/.yamllint b/helm/hookshot/.yamllint new file mode 100644 index 00000000..90355356 --- /dev/null +++ b/helm/hookshot/.yamllint @@ -0,0 +1,7 @@ +--- +extends: default +rules: + line-length: + level: warning + max: 120 + braces: disable diff --git a/helm/hookshot/Chart.yaml b/helm/hookshot/Chart.yaml new file mode 100644 index 00000000..3128e5b2 --- /dev/null +++ b/helm/hookshot/Chart.yaml 
@@ -0,0 +1,22 @@
+---
+apiVersion: v2
+name: hookshot
+description: Deploy a Matrix Hookshot instance to Kubernetes
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.13
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.0.0-replaced-by-ci"
diff --git a/helm/hookshot/README.md b/helm/hookshot/README.md
new file mode 100644
index 00000000..53445c0d
--- /dev/null
+++ b/helm/hookshot/README.md
@@ -0,0 +1,122 @@ +# hookshot + +![Version: 0.1.13](https://img.shields.io/badge/Version-0.1.13-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 3.2.0](https://img.shields.io/badge/AppVersion-3.2.0-informational?style=flat-square) +Deploy a Matrix Hookshot instance to Kubernetes + +Status: Beta + +## About + +This chart creates a basic Hookshot deployment inside Kubernetes. + +# Installation + +You'll need to have the Helm repository added to your local environment: + +``` bash +helm repo add hookshot https://matrix-org.github.io/matrix-hookshot +helm repo update +``` + +Which should allow you to see the Hookshot chart in the repo: + +``` bash +helm search repo hookshot + +NAME CHART VERSION APP VERSION DESCRIPTION +matrix-org/hookshot 0.1.13 1.16.0 A Helm chart for Kubernetes +``` + +Before you can install, however, you'll need to make sure to configure Hookshot properly. + +# Configuration + +You'll need to create a `values.yaml` for your deployment of this chart. You can use the [included defaults](./values.yaml) as a starting point. + +## Helm Values + +To configure Hookshot-specific parameters, the value `.Values.hookshot.config` accepts an arbitrary YAML map as configuration. This gets templated into the container by [templates/configmap.yaml](./templates/configmap.yaml) - thus anything you can set in the [Example Configuration](https://matrix-org.github.io/matrix-hookshot/latest/setup/sample-configuration.html) can be set here. 
+ +## Existing configuration + +If you have an existing configuration file for Hookshot, you can create a configmap like so: + +``` bash +kubectl create --namespace "your hookshot namespace" configmap hookshot-custom-config --from-file=config.yml --from-file=registration.yml --from-file=passkey.pem +``` + +Note that the filenames must remain as listed based on the templating done in [templates/configmap.yaml](./templates/configmap.yaml) + +Once created, you can set `.Values.hookshot.existingConfigMap` to `custom-hookshot-config` (or whichever name you chose for your secret) and set `.Values.hookshot.config` to `{}` or null to prevent confusion with the default parameters. + +# Installation + +Once you have your `values.yaml` file ready you can install the chart like this: + +``` bash +helm install hookshot --create-namespace --namespace hookshot matrix-org/hookshot -f values.yaml +``` + +And upgrades can be done via: + +``` bash +helm upgrade hookshot --namespace hookshot matrix-org/hookshot -f values.yaml +``` + +# External access + +You'll need to configure your Ingress connectivity according to your environment. This chart should be compatible with most Ingress controllers and has been tested successfully with [ingress-nginx](https://github.com/kubernetes/ingress-nginx) and EKS ALB. You should also ensure that you have a way to provision certificates i.e. [cert-manager](https://cert-manager.io/) as HTTPS is required for appservice traffic. 
+ +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | Affinity settings for deployment | +| autoscaling.enabled | bool | `false` | | +| fullnameOverride | string | `""` | Full name override for helm chart | +| hookshot.config | object | `{"bridge":{"bindAddress":"0.0.0.0","domain":"example.com","port":9002,"url":"https://example.com"},"generic":{"allowJsTransformationFunctions":true,"enableHttpGet":false,"enabled":true,"urlPrefix":"https://example.com/","userIdPrefix":"_webhooks_","waitForComplete":false},"listeners":[{"bindAddress":"0.0.0.0","port":9000,"resources":["webhooks","widgets"]},{"bindAddress":"0.0.0.0","port":9001,"resources":["metrics"]}],"logging":{"colorize":false,"json":false,"level":"info","timestampFormat":"HH:mm:ss:SSS"},"metrics":{"enabled":true},"passFile":"/data/passkey.pem","widgets":{"addToAdminRooms":false,"branding":{"widgetTitle":"Hookshot Configuration"},"publicUrl":"https://webhook-hookshot.example.com/widgetapi/v1/static","roomSetupWidget":{"addOnInvite":false},"setRoomName":false}}` | Raw Hookshot configuration. Gets templated into a YAML file and then loaded unless an existingConfigMap is specified. 
| +| hookshot.existingConfigMap | string | `nil` | Name of existing ConfigMap with valid Hookshot configuration | +| hookshot.passkey | string | `""` | | +| hookshot.registration.as_token | string | `""` | | +| hookshot.registration.hs_token | string | `""` | | +| hookshot.registration.id | string | `"matrix-hookshot"` | | +| hookshot.registration.namespaces.rooms | list | `[]` | | +| hookshot.registration.namespaces.users | list | `[]` | | +| hookshot.registration.rate_limited | bool | `false` | | +| hookshot.registration.sender_localpart | string | `"hookshot"` | | +| hookshot.registration.url | string | `"http://example.com"` | | +| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for Hookshot image | +| image.repository | string | `"halfshot/matrix-hookshot"` | Repository to pull hookshot image from | +| image.tag | string | `nil` | Image tag to pull. Defaults to chart's appVersion value as set in Chart.yaml | +| imagePullSecrets | list | `[]` | List of names of k8s secrets to be used as ImagePullSecrets for the pod | +| ingress.appservice.annotations | object | `{}` | Annotations for appservice ingress | +| ingress.appservice.className | string | `""` | Ingress class name for appservice ingress | +| ingress.appservice.enabled | bool | `false` | Enable ingress for appservice | +| ingress.appservice.hosts | list | `[]` | Host configuration for appservice ingress | +| ingress.appservice.tls | list | `[]` | TLS configuration for appservice ingress | +| ingress.webhook.annotations | object | `{}` | Annotations for webhook ingress | +| ingress.webhook.className | string | `""` | Ingress class name for webhook ingress | +| ingress.webhook.enabled | bool | `false` | Enable ingress for webhook | +| ingress.webhook.hosts | list | `[]` | Host configuration for webhook ingress | +| ingress.webhook.tls | list | `[]` | TLS configuration for webhook ingress | +| nameOverride | string | `""` | Name override for helm chart | +| nodeSelector | object | `{}` | Node 
selector parameters | +| podAnnotations | object | `{}` | Extra annotations for Hookshot pod | +| podSecurityContext | object | `{}` | Pod security context settings | +| replicaCount | int | `1` | Number of replicas to deploy. Consequences of using multiple Hookshot replicas currently unknown. | +| resources | object | `{}` | Pod resource requests / limits | +| securityContext | object | `{}` | Security context settings | +| service.annotations | object | `{}` | Extra annotations for service | +| service.appservice.port | int | `9002` | Appservice port as configured in container | +| service.labels | object | `{}` | Extra labels for service | +| service.metrics.port | int | `9001` | Metrics port as configured in container | +| service.port | int | `80` | Port for Hookshot service | +| service.type | string | `"ClusterIP"` | Service type for Hookshot service | +| service.webhook.port | int | `9000` | Webhook port as configured in container | +| serviceAccount.annotations | object | `{}` | Annotations to add to the service account | +| serviceAccount.create | bool | `true` | Specifies whether a service account should be created | +| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | +| tolerations | list | `[]` | Tolerations for deployment | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) \ No newline at end of file diff --git a/helm/hookshot/README.md.gotmpl b/helm/hookshot/README.md.gotmpl new file mode 100644 index 00000000..5640e577 --- /dev/null +++ b/helm/hookshot/README.md.gotmpl 
@@ -0,0 +1,74 @@ +{{ template "chart.header" . }} +{{ template "chart.deprecationWarning" . }} +{{ template "chart.badgesSection" . }} +{{ template "chart.description" . }} + +Status: Beta + +## About + +This chart creates a basic Hookshot deployment inside Kubernetes. + +# Installation + +You'll need to have the Helm repository added to your local environment: + +``` bash +helm repo add hookshot https://matrix-org.github.io/matrix-hookshot +helm repo update +``` + +Which should allow you to see the Hookshot chart in the repo: + +``` bash +helm search repo hookshot + +NAME CHART VERSION APP VERSION DESCRIPTION +matrix-org/hookshot 0.1.13 1.16.0 A Helm chart for Kubernetes +``` + +Before you can install, however, you'll need to make sure to configure Hookshot properly. + +# Configuration + +You'll need to create a `values.yaml` for your deployment of this chart. You can use the [included defaults](./values.yaml) as a starting point. + +## Helm Values + +To configure Hookshot-specific parameters, the value `.Values.hookshot.config` accepts an arbitrary YAML map as configuration. This gets templated into the container by [templates/configmap.yaml](./templates/configmap.yaml) - thus anything you can set in the [Example Configuration](https://matrix-org.github.io/matrix-hookshot/latest/setup/sample-configuration.html) can be set here. 
+ +## Existing configuration + +If you have an existing configuration file for hookshot, you can create a configmap like so: + +``` bash +kubectl create --namespace "your hookshot namespace" configmap hookshot-custom-config --from-file=config.yml --from-file=registration.yml --from-file=passkey.pem +``` + +Note that the filenames must remain as listed based on the templating done in [templates/configmap.yaml](./templates/configmap.yaml) + +Once created, you can set `.Values.hookshot.existingConfigMap` to `custom-hookshot-config` (or whichever name you chose for your secret) and set `.Values.hookshot.config` to `{}` or null to prevent confusion with the default parameters. + +# Installation + +Once you have your `values.yaml` file ready you can install the chart like this: + +``` bash +helm install hookshot --create-namespace --namespace hookshot matrix-org/hookshot -f values.yaml +``` + +And upgrades can be done via: + +``` bash +helm upgrade hookshot --namespace hookshot matrix-org/hookshot -f values.yaml +``` + +# External access + +You'll need to configure your Ingress connectivity according to your environment. This chart should be compatible with most Ingress controllers and has been tested successfully with [ingress-nginx](https://github.com/kubernetes/ingress-nginx) and EKS ALB. You should also ensure that you have a way to provision certificates i.e. [cert-manager](https://cert-manager.io/) as HTTPS is required for appservice traffic. + +{{ template "chart.maintainersSection" . }} +{{ template "chart.sourcesSection" . }} +{{ template "chart.requirementsSection" . }} +{{ template "chart.valuesSection" . }} +{{ template "helm-docs.versionFooter" . }} \ No newline at end of file diff --git a/helm/hookshot/templates/NOTES.txt b/helm/hookshot/templates/NOTES.txt new file mode 100644 index 00000000..438e4d02 --- /dev/null +++ b/helm/hookshot/templates/NOTES.txt 
@@ -0,0 +1,22 @@
+1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+{{- range $host := .Values.ingress.hosts }}
+ {{- range .paths }}
+ http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+ {{- end }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+ export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "hookshot.fullname" . }})
+ export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+ echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+ NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+ You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "hookshot.fullname" . }}'
+ export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "hookshot.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+ echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+ export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "hookshot.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+ export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+ echo "Visit http://127.0.0.1:8080 to use your application"
+ kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+{{- end }}
diff --git a/helm/hookshot/templates/_helpers.tpl b/helm/hookshot/templates/_helpers.tpl
new file mode 100644
index 00000000..6c5b3bbb
--- /dev/null
+++ b/helm/hookshot/templates/_helpers.tpl
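Review bot: The first branch of `helm/hookshot/templates/NOTES.txt` tests `.Values.ingress.enabled` and ranges over `.Values.ingress.hosts`, but the values table in this patch's README only defines `ingress.webhook.*` and `ingress.appservice.*`, so that branch is never taken. With the default `service.type` of `ClusterIP`, users who enabled an Ingress are therefore shown the port-forward instructions instead of their URL. Key the block on the webhook ingress: `{{- if .Values.ingress.webhook.enabled }}`, `{{- range $host := .Values.ingress.webhook.hosts }}` and `{{ if $.Values.ingress.webhook.tls }}s{{ end }}`. The ClusterIP fallback forwards `ports[0]` of the first container, which per `_pod.tpl` is the webhook listener on 9000; naming that in the echoed message would avoid it being mistaken for the appservice or metrics port.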
@@ -0,0 +1,85 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "hookshot.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "hookshot.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Helper for configmap name +*/}} +{{- define "hookshot.configMapName" -}} +{{- if .Values.hookshot.existingConfigMap }} +{{- printf "%s" .Values.hookshot.existingConfigMap -}} +{{- else }} +{{- printf "%s-config" (include "hookshot.fullname" .) | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "hookshot.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "hookshot.labels" -}} +helm.sh/chart: {{ include "hookshot.chart" . }} +{{ include "hookshot.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "hookshot.selectorLabels" -}} +app.kubernetes.io/name: {{ include "hookshot.name" . 
}} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "hookshot.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "hookshot.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts +*/}} +{{- define "hookshot.namespace" -}} + {{- if .Values.namespaceOverride -}} + {{- .Values.namespaceOverride -}} + {{- else -}} + {{- .Release.Namespace -}} + {{- end -}} +{{- end -}} diff --git a/helm/hookshot/templates/_pod.tpl b/helm/hookshot/templates/_pod.tpl new file mode 100644 index 00000000..09879a1c --- /dev/null +++ b/helm/hookshot/templates/_pod.tpl 
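Review bot: `hookshot.namespace` at the end of `helm/hookshot/templates/_helpers.tpl` reads `.Values.namespaceOverride`, but that key is not in the values table of the README added by this patch, and `templates/NOTES.txt` builds its kubectl commands from `.Release.Namespace` directly. If templates outside this view use the helper, setting the override would place resources in one namespace while the printed commands point at another. Either document the key in `values.yaml` (`namespaceOverride: ""` under a `# -- Override the namespace the chart's resources are created in` comment) and use `{{ include "hookshot.namespace" . }}` in NOTES.txt, or drop the helper until something needs it.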
@@ -0,0 +1,160 @@
+{{- define "hookshot.pod" -}}
+{{- if .Values.schedulerName }}
+schedulerName: "{{ .Values.schedulerName }}"
+{{- end }}
+serviceAccountName: {{ template "hookshot.serviceAccountName" . }}
+automountServiceAccountToken: {{ .Values.serviceAccount.autoMount }}
+{{- if .Values.securityContext }}
+securityContext:
+{{ toYaml .Values.securityContext | indent 2 }}
+{{- end }}
+{{- if .Values.hostAliases }}
+hostAliases:
+{{ toYaml .Values.hostAliases | indent 2 }}
+{{- end }}
+{{- if .Values.priorityClassName }}
+priorityClassName: {{ .Values.priorityClassName }}
+{{- end }}
+initContainers:
+
+{{- if .Values.image.pullSecrets }}
+imagePullSecrets:
+{{- $root := . }}
+{{- range .Values.image.pullSecrets }}
+ - name: {{ tpl . $root }}
+{{- end}}
+{{- end }}
+containers:
+ - name: {{ .Chart.Name }}
+ {{- if .Values.image.sha }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}@sha256:{{ .Values.image.sha }}"
+ {{- else }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ {{- end }}
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ {{- if .Values.command }}
+ command:
+ {{- range .Values.command }}
+ - {{ . }}
+ {{- end }}
+ {{- end}}
+{{- if .Values.containerSecurityContext }}
+ securityContext:
+{{- toYaml .Values.containerSecurityContext | nindent 6 }}
+{{- end }}
+ volumeMounts:
+{{- if or (and (not .Values.hookshot.existingConfigMap) (.Values.hookshot.config)) (.Values.hookshot.existingConfigMap) }}
+ - name: config
+ mountPath: "/data"
+{{- end }}
+ ports:
+ - name: webhook
+ containerPort: 9000
+ protocol: TCP
+ - name: metrics
+ containerPort: 9001
+ protocol: TCP
+ - name: appservice
+ containerPort: 9002
+ protocol: TCP
+ env:
+
+ envFrom:
+ {{- if .Values.envFromSecret }}
+ - secretRef:
+ name: {{ tpl .Values.envFromSecret . }}
+ {{- end }}
+ {{- if .Values.envRenderSecret }}
+ - secretRef:
+ name: {{ template "hookshot.fullname" .
}}-env
+ {{- end }}
+ {{- range .Values.envFromSecrets }}
+ - secretRef:
+ name: {{ tpl .name $ }}
+ optional: {{ .optional | default false }}
+ {{- end }}
+ {{- range .Values.envFromConfigMaps }}
+ - configMapRef:
+ name: {{ tpl .name $ }}
+ optional: {{ .optional | default false }}
+ {{- end }}
+ livenessProbe:
+{{ toYaml .Values.livenessProbe | indent 6 }}
+ readinessProbe:
+{{ toYaml .Values.readinessProbe | indent 6 }}
+{{- if .Values.lifecycleHooks }}
+ lifecycle: {{ tpl (.Values.lifecycleHooks | toYaml) . | nindent 6 }}
+{{- end }}
+ resources:
+{{ toYaml .Values.resources | indent 6 }}
+{{- with .Values.extraContainers }}
+{{ tpl . $ | indent 2 }}
+{{- end }}
+{{- with .Values.nodeSelector }}
+nodeSelector:
+{{ toYaml . | indent 2 }}
+{{- end }}
+{{- $root := . }}
+{{- with .Values.affinity }}
+affinity:
+{{ tpl (toYaml .) $root | indent 2 }}
+{{- end }}
+{{- with .Values.topologySpreadConstraints }}
+topologySpreadConstraints:
+{{ toYaml . | indent 2 }}
+{{- end }}
+{{- with .Values.tolerations }}
+tolerations:
+{{ toYaml . | indent 2 }}
+{{- end }}
+volumes:
+ - name: config
+ configMap:
+ name: {{ template "hookshot.configMapName" . }}
+{{- $root := .
}}
+{{- range .Values.extraConfigmapMounts }}
+ - name: {{ tpl .name $root }}
+ configMap:
+ name: {{ tpl .configMap $root }}
+ {{- if .items }}
+ items: {{ toYaml .items | nindent 6 }}
+ {{- end }}
+{{- end }}
+
+{{- range .Values.extraSecretMounts }}
+{{- if .secretName }}
+ - name: {{ .name }}
+ secret:
+ secretName: {{ .secretName }}
+ defaultMode: {{ .defaultMode }}
+ {{- if .items }}
+ items: {{ toYaml .items | nindent 6 }}
+ {{- end }}
+{{- else if .projected }}
+ - name: {{ .name }}
+ projected: {{- toYaml .projected | nindent 6 }}
+{{- else if .csi }}
+ - name: {{ .name }}
+ csi: {{- toYaml .csi | nindent 6 }}
+{{- end }}
+{{- end }}
+{{- range .Values.extraVolumeMounts }}
+ - name: {{ .name }}
+ {{- if .existingClaim }}
+ persistentVolumeClaim:
+ claimName: {{ .existingClaim }}
+ {{- else if .hostPath }}
+ hostPath:
+ path: {{ .hostPath }}
+ {{- else }}
+ emptyDir: {}
+ {{- end }}
+{{- end }}
+{{- range .Values.extraEmptyDirMounts }}
+ - name: {{ .name }}
+ emptyDir: {}
+{{- end -}}
+{{- if .Values.extraContainerVolumes }}
+{{ tpl (toYaml .Values.extraContainerVolumes) . | indent 2 }}
+{{- end }}
+{{- end }}
diff --git a/helm/hookshot/templates/configmap.yaml b/helm/hookshot/templates/configmap.yaml
new file mode 100644
index 00000000..139ce155
--- /dev/null
+++ b/helm/hookshot/templates/configmap.yaml
@@ -0,0 +1,21 @@
+---
+{{- if not .Values.hookshot.existingConfigMap }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ template "hookshot.configMapName" . }}
+ namespace: {{ template "hookshot.namespace" . }}
+ labels:
+ {{- include "hookshot.labels" . | nindent 4 }}
+{{- with .Values.annotations }}
+ annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+data:
+ config.yml: |
+{{ toYaml .Values.hookshot.config | indent 4 }}
+ registration.yml: |
+{{ toYaml .Values.hookshot.registration | indent 4 }}
+ passkey.pem: |
+{{ .Values.hookshot.passkey | indent 4 }}
+{{- end }}
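Review bot: The hardening keys this template reads do not match the keys values.yaml ships, so they silently do nothing. The pod-level block renders `.Values.securityContext` and the container-level block reads `.Values.containerSecurityContext`, while values.yaml defines `podSecurityContext` and documents container fields (`capabilities`, `readOnlyRootFilesystem`) under `securityContext`; a user who uncomments that example gets container-only fields in the pod spec's `securityContext` and no container context at all. I would render `.Values.podSecurityContext` at pod level and `.Values.securityContext` under the container. `automountServiceAccountToken: {{ .Values.serviceAccount.autoMount }}` has the same problem: `autoMount` is not defined in values.yaml, so the line renders empty and the API token is mounted by default, whereas `{{ .Values.serviceAccount.autoMount | default false }}` keeps it off unless asked for.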
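Review bot: `passkey.pem`, `registration.yml` (`as_token`/`hs_token`) and `config.yml` (webhook secrets, OAuth `client_secret`, `provisioning.secret`) are all written into a ConfigMap, so they are readable by anything with ConfigMap `get`/`list` in the namespace and fall outside Secret-scoped RBAC and Secret encryption at rest. I would emit this object as `kind: Secret` with `stringData:` in place of `data:`, and switch the `config` volume in `_pod.tpl` from `configMap:` to `secret:` with `secretName:`. `existingConfigMap` would then need a Secret counterpart so operators can supply the key material out of band rather than through Helm values.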
diff --git a/helm/hookshot/templates/deployment.yaml b/helm/hookshot/templates/deployment.yaml
new file mode 100644
index 00000000..02d5b49a
--- /dev/null
+++ b/helm/hookshot/templates/deployment.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "hookshot.fullname" . }}
+ labels:
+ {{- include "hookshot.labels" . | nindent 4 }}
+spec:
+ {{- if not .Values.autoscaling.enabled }}
+ replicas: {{ .Values.replicaCount }}
+ {{- end }}
+ selector:
+ matchLabels:
+ {{- include "hookshot.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "hookshot.selectorLabels" . | nindent 8 }}
+ spec:
+ {{- include "hookshot.pod" . | nindent 6 }}
\ No newline at end of file
diff --git a/helm/hookshot/templates/hpa.yaml b/helm/hookshot/templates/hpa.yaml
new file mode 100644
index 00000000..d3a61dd5
--- /dev/null
+++ b/helm/hookshot/templates/hpa.yaml
@@ -0,0 +1,29 @@
+---
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "hookshot.fullname" . }}
+ labels:
+ {{- include "hookshot.labels" . | nindent 4 }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ include "hookshot.fullname" . }}
+ minReplicas: {{ .Values.autoscaling.minReplicas }}
+ maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+ metrics:
+ {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: cpu
+ targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+ {{- end }}
+ {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: memory
+ targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ {{- end }}
+{{- end }}
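Review bot: The Deployment's `metadata` has no `namespace`, while configmap.yaml sets `namespace: {{ template "hookshot.namespace" . }}`. With `namespaceOverride` set, the ConfigMap is created in the override namespace and the Deployment in the release namespace, so the `config` volume cannot be resolved and the pod stays in ContainerCreating. Add `namespace: {{ template "hookshot.namespace" . }}` under `metadata:` here; service.yaml, serviceaccount.yaml, hpa.yaml and both ingress templates have the same omission.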
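Review bot: `apiVersion: autoscaling/v2beta1` was removed in Kubernetes 1.25, so turning on `autoscaling.enabled` fails on current clusters; unlike the ingress templates, hpa.yaml has no capability gate. Moving to `autoscaling/v2` also changes the metric shape from `targetAverageUtilization` to a `target:` block, sketched below. values.yaml only defines `autoscaling.enabled`, so `minReplicas`, `maxReplicas` and the utilization targets need defaults there as well, otherwise they render empty.

```yaml
apiVersion: autoscaling/v2
# … unchanged: kind, metadata, scaleTargetRef, minReplicas, maxReplicas …
  metrics:
    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
    {{- end }}
    # … memory metric: same `target:` rewrite …
```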
diff --git a/helm/hookshot/templates/ingress-appservice.yaml b/helm/hookshot/templates/ingress-appservice.yaml
new file mode 100644
index 00000000..3a537d56
--- /dev/null
+++ b/helm/hookshot/templates/ingress-appservice.yaml
@@ -0,0 +1,62 @@
+---
+{{- if .Values.ingress.appservice.enabled -}}
+{{- $fullName := include "hookshot.fullname" . -}}
+{{- $svcPort := .Values.service.port -}}
+{{- if and .Values.ingress.appservice.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
+ {{- if not (hasKey .Values.ingress.appservice.annotations "kubernetes.io/ingress.class") }}
+ {{- $_ := set .Values.ingress.appservice.annotations "kubernetes.io/ingress.class" .Values.ingress.appservice.className}}
+ {{- end }}
+{{- end }}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+ name: {{ $fullName }}-appservice
+ labels:
+ {{- include "hookshot.labels" . | nindent 4 }}
+ {{- with .Values.ingress.appservice.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if and .Values.ingress.appservice.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+ ingressClassName: {{ .Values.ingress.appservice.className }}
+ {{- end }}
+ {{- if .Values.ingress.appservice.tls }}
+ tls:
+ {{- range .Values.ingress.appservice.tls }}
+ - hosts:
+ {{- range .hosts }}
+ - {{ .
| quote }}
+ {{- end }}
+ secretName: {{ .secretName }}
+ {{- end }}
+ {{- end }}
+ rules:
+ {{- range .Values.ingress.appservice.hosts }}
+ - host: {{ .host | quote }}
+ http:
+ paths:
+ {{- range .paths }}
+ - path: {{ .path }}
+ {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
+ pathType: {{ .pathType }}
+ {{- end }}
+ backend:
+ {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+ service:
+ name: {{ $fullName }}
+ port:
+ number: {{ .port }}
+ {{- else }}
+ serviceName: {{ $fullName }}
+ servicePort: {{ .port }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/helm/hookshot/templates/ingress.yaml b/helm/hookshot/templates/ingress.yaml
new file mode 100644
index 00000000..129d19a3
--- /dev/null
+++ b/helm/hookshot/templates/ingress.yaml
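Review bot: The backend port comes from each path entry (`number: {{ .port }}` / `servicePort: {{ .port }}`), and `$svcPort` is assigned from `.Values.service.port` but never used. values.yaml ships `hosts: []` with no example of the expected `paths[].port` shape, so a path written without `port` renders an empty backend port and the Ingress will most likely fail API validation. Defaulting it, `number: {{ .port | default $.Values.service.appservice.port }}`, and dropping `$svcPort` would tie the Ingress to a port the Service actually exposes. ingress.yaml has the same pattern and would default to `$.Values.service.webhook.port`. `path: {{ .path }}` and `secretName: {{ .secretName }}` are also emitted unquoted, unlike `host`.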
@@ -0,0 +1,62 @@
+---
+{{- if .Values.ingress.webhook.enabled -}}
+{{- $fullName := include "hookshot.fullname" . -}}
+{{- $svcPort := .Values.service.port -}}
+{{- if and .Values.ingress.webhook.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
+ {{- if not (hasKey .Values.ingress.webhook.annotations "kubernetes.io/ingress.class") }}
+ {{- $_ := set .Values.ingress.webhook.annotations "kubernetes.io/ingress.class" .Values.ingress.webhook.className}}
+ {{- end }}
+{{- end }}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+ name: {{ $fullName }}
+ labels:
+ {{- include "hookshot.labels" . | nindent 4 }}
+ {{- with .Values.ingress.webhook.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if and .Values.ingress.webhook.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+ ingressClassName: {{ .Values.ingress.webhook.className }}
+ {{- end }}
+ {{- if .Values.ingress.webhook.tls }}
+ tls:
+ {{- range .Values.ingress.webhook.tls }}
+ - hosts:
+ {{- range .hosts }}
+ - {{ . | quote }}
+ {{- end }}
+ secretName: {{ .secretName }}
+ {{- end }}
+ {{- end }}
+ rules:
+ {{- range .Values.ingress.webhook.hosts }}
+ - host: {{ .host | quote }}
+ http:
+ paths:
+ {{- range .paths }}
+ - path: {{ .path }}
+ {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
+ pathType: {{ .pathType }}
+ {{- end }}
+ backend:
+ {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+ service:
+ name: {{ $fullName }}
+ port:
+ number: {{ .port }}
+ {{- else }}
+ serviceName: {{ $fullName }}
+ servicePort: {{ .port }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/helm/hookshot/templates/service.yaml b/helm/hookshot/templates/service.yaml
new file mode 100644
index 00000000..a55cfbc6
--- /dev/null
+++ b/helm/hookshot/templates/service.yaml
@@ -0,0 +1,31 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "hookshot.fullname" . }}
+{{- with .Values.service.annotations }}
+ annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+ labels:
+ {{- include "hookshot.labels" . | nindent 4 }}
+{{- with .Values.service.labels }}
+{{ toYaml . | indent 4 }}
+{{- end }}
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - port: {{ .Values.service.webhook.port }}
+ targetPort: webhook
+ protocol: TCP
+ name: webhook
+ - port: {{ .Values.service.metrics.port }}
+ targetPort: metrics
+ protocol: TCP
+ name: metrics
+ - port: {{ .Values.service.appservice.port }}
+ targetPort: appservice
+ protocol: TCP
+ name: appservice
+ selector:
+ {{- include "hookshot.selectorLabels" . | nindent 4 }}
diff --git a/helm/hookshot/templates/serviceaccount.yaml b/helm/hookshot/templates/serviceaccount.yaml
new file mode 100644
index 00000000..f4950c3c
--- /dev/null
+++ b/helm/hookshot/templates/serviceaccount.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "hookshot.serviceAccountName" . }}
+ labels:
+ {{- include "hookshot.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/helm/hookshot/templates/tests/test-connection.yaml b/helm/hookshot/templates/tests/test-connection.yaml
new file mode 100644
index 00000000..7e4d49f3
--- /dev/null
+++ b/helm/hookshot/templates/tests/test-connection.yaml
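Review bot: The Service in service.yaml publishes a `metrics` port (9001), but the default `listeners` entry for 9001 in values.yaml binds `127.0.0.1` and serves both `metrics` and `provisioning`, so nothing answers on the pod IP as shipped. The obvious fix of rebinding that listener to `0.0.0.0` would also put the provisioning API behind this Service port, guarded only by `provisioning.secret`. I would give `metrics` its own listener in the default config and keep `provisioning` on loopback or on a separate port that the Service does not expose. The `appservice` port has a related mismatch: 9002 is the `widgets` listener, while `bridge.port` is 9993 on `127.0.0.1`.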
@@ -0,0 +1,16 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "{{ include "hookshot.fullname" . }}-test-connection"
+ labels:
+ {{- include "hookshot.labels" . | nindent 4 }}
+ annotations:
+ "helm.sh/hook": test
+spec:
+ containers:
+ - name: wget
+ image: busybox
+ command: ['wget']
+ args: ['{{ include "hookshot.fullname" . }}:{{ .Values.service.webhook.port }}']
+ restartPolicy: Never
diff --git a/helm/hookshot/values.yaml b/helm/hookshot/values.yaml
new file mode 100644
index 00000000..01cb0eff
--- /dev/null
+++ b/helm/hookshot/values.yaml
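Review bot: `image: busybox` in the test pod has no tag or digest, so `helm test` runs whatever `latest` resolves to at that moment, inside the release namespace. Pin it, for example `image: busybox:<pinned-tag>` or an `@sha256:<digest>` reference (placeholders, pick the values you have vetted), and consider exposing it as a values key so private registries can override it. The pod also sets no `securityContext`, so it will be rejected in namespaces that enforce a restricted pod security level.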
@@ -0,0 +1,312 @@
+---
+# -- Number of replicas to deploy. Consequences of using multiple Hookshot replicas currently unknown.
+replicaCount: 1
+
+image:
+ # -- Repository to pull hookshot image from
+ repository: halfshot/matrix-hookshot
+ # -- Pull policy for Hookshot image
+ pullPolicy: IfNotPresent
+ # -- Image tag to pull. Defaults to chart's appVersion value as set in Chart.yaml
+ tag:
+
+# -- List of names of k8s secrets to be used as ImagePullSecrets for the pod
+imagePullSecrets: []
+
+# -- Name override for helm chart
+nameOverride: ""
+
+# -- Full name override for helm chart
+fullnameOverride: ""
+
+serviceAccount:
+ # -- Specifies whether a service account should be created
+ create: true
+ # -- Annotations to add to the service account
+ annotations: {}
+ # -- The name of the service account to use. If not set and create is true, a name is generated using the fullname template
+ name: ""
+
+# -- Extra annotations for Hookshot pod
+podAnnotations: {}
+
+# -- Pod security context settings
+podSecurityContext: {}
+# fsGroup: 2000
+
+# -- Security context settings
+securityContext: {}
+# capabilities:
+# drop:
+# - ALL
+# readOnlyRootFilesystem: true
+# runAsNonRoot: true
+# runAsUser: 1000
+
+service:
+ # -- Service type for Hookshot service
+ type: ClusterIP
+ # -- Port for Hookshot service
+ port: 80
+ # -- Extra annotations for service
+ annotations: {}
+ # -- Extra labels for service
+ labels: {}
+
+ webhook:
+ # -- Webhook port as configured in container
+ port: 9000
+ metrics:
+ # -- Metrics port as configured in container
+ port: 9001
+ appservice:
+ # -- Appservice port as configured in container
+ port: 9002
+
+ingress:
+ webhook:
+ # -- Enable ingress for webhook
+ enabled: false
+ # -- Ingress class name for webhook ingress
+ className: ""
+ # -- Annotations for webhook ingress
+ annotations: {}
+ # -- Host configuration for webhook ingress
+ hosts: []
+ # -- TLS configuration for webhook ingress
+ tls: []
+
+ appservice:
+ # -- Enable ingress
for appservice
+ enabled: false
+ # -- Ingress class name for appservice ingress
+ className: ""
+ # -- Annotations for appservice ingress
+ annotations: {}
+ # -- Host configuration for appservice ingress
+ hosts: []
+ # -- TLS configuration for appservice ingress
+ tls: []
+
+# -- Pod resource requests / limits
+resources: {}
+# We usually recommend not to specify default resources and to leave this as a conscious
+# choice for the user. This also increases chances charts run on environments with little
+# resources, such as Minikube. If you do want to specify resources, uncomment the following
+# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+# limits:
+# cpu: 100m
+# memory: 128Mi
+# requests:
+# cpu: 100m
+# memory: 128Mi
+
+autoscaling:
+ enabled: false
+
+# -- Node selector parameters
+nodeSelector: {}
+# -- Tolerations for deployment
+tolerations: []
+
+# -- Affinity settings for deployment
+affinity: {}
+
+hookshot:
+ # -- Name of existing ConfigMap with valid Hookshot configuration
+ existingConfigMap:
+
+ # -- Raw Hookshot configuration. Gets templated into a YAML file and then loaded unless an existingConfigMap is specified.
+ config:
+ bridge:
+ # Basic homeserver configuration
+ #
+ domain: example.com
+ url: http://localhost:8008
+ mediaUrl: https://example.com
+ port: 9993
+ bindAddress: 127.0.0.1
+ github:
+ # (Optional) Configure this to enable GitHub support
+ #
+ auth:
+ # Authentication for the GitHub App.
+ #
+ id: 123
+ privateKeyFile: github-key.pem
+ webhook:
+ # Webhook settings for the GitHub app.
+ #
+ secret: secrettoken
+ oauth:
+ # (Optional) Settings for allowing users to sign in via OAuth.
+ #
+ client_id: foo
+ client_secret: bar
+ redirect_uri: https://example.com/bridge_oauth/
+ defaultOptions:
+ # (Optional) Default options for GitHub connections.
+ #
+ showIssueRoomLink: false
+ hotlinkIssues:
+ prefix: "#"
+ userIdPrefix: _github_
+ # (Optional) Prefix used when creating ghost users for GitHub accounts.
+ #
+ gitlab:
+ # (Optional) Configure this to enable GitLab support
+ #
+ instances:
+ gitlab.com:
+ url: https://gitlab.com
+ webhook:
+ secret: secrettoken
+ publicUrl: https://example.com/hookshot/
+ userIdPrefix: _gitlab_
+ # (Optional) Prefix used when creating ghost users for GitLab accounts.
+ #
+ figma:
+ # (Optional) Configure this to enable Figma support
+ #
+ publicUrl: https://example.com/hookshot/
+ instances:
+ your-instance:
+ teamId: your-team-id
+ accessToken: your-personal-access-token
+ passcode: your-webhook-passcode
+ jira:
+ # (Optional) Configure this to enable Jira support. Only specify `url` if you are using a On Premise install (i.e. not atlassian.com)
+ #
+ webhook:
+ # Webhook settings for JIRA
+ #
+ secret: secrettoken
+ oauth:
+ # (Optional) OAuth settings for connecting users to JIRA. See documentation for more information
+ #
+ client_id: foo
+ client_secret: bar
+ redirect_uri: https://example.com/bridge_oauth/
+ generic:
+ # (Optional) Support for generic webhook events.
+ #'allowJsTransformationFunctions' will allow users to write short transformation snippets in code, and thus is unsafe in untrusted environments
+ #
+ #
+ enabled: false
+ enableHttpGet: false
+ urlPrefix: https://example.com/webhook/
+ userIdPrefix: _webhooks_
+ allowJsTransformationFunctions: false
+ waitForComplete: false
+ feeds:
+ # (Optional) Configure this to enable RSS/Atom feed support
+ #
+ enabled: false
+ pollIntervalSeconds: 600
+ pollTimeoutSeconds: 30
+ provisioning:
+ # (Optional) Provisioning API for integration managers
+ #
+ secret: "!secretToken"
+ passFile: passkey.pem
+ # A passkey used to encrypt tokens stored inside the bridge.
+ # Run openssl genpkey -out passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096 to generate
+ #
+ bot:
+ # (Optional) Define profile information for the bot user
+ #
+ displayname: Hookshot Bot
+ avatar: mxc://half-shot.uk/2876e89ccade4cb615e210c458e2a7a6883fe17d
+ serviceBots:
+ # (Optional) Define additional bot users for specific services
+ #
+ - localpart: feeds
+ displayname: Feeds
+ avatar: mxc://half-shot.uk/2876e89ccade4cb615e210c458e2a7a6883fe17d
+ prefix: "!feeds"
+ service: feeds
+ metrics:
+ # (Optional) Prometheus metrics support
+ #
+ enabled: true
+ queue:
+ # (Optional) Message queue / cache configuration options for large scale deployments.
+ # For encryption to work, must be set to monolithic mode and have a host & port specified.
+ #
+ monolithic: true
+ port: 6379
+ host: localhost
+ logging:
+ # (Optional) Logging settings. You can have a severity debug,info,warn,error
+ #
+ level: info
+ colorize: true
+ json: false
+ timestampFormat: HH:mm:ss:SSS
+ widgets:
+ # (Optional) EXPERIMENTAL support for complimentary widgets
+ #
+ addToAdminRooms: false
+ disallowedIpRanges:
+ - 127.0.0.0/8
+ - 10.0.0.0/8
+ - 172.16.0.0/12
+ - 192.168.0.0/16
+ - 100.64.0.0/10
+ - 192.0.0.0/24
+ - 169.254.0.0/16
+ - 192.88.99.0/24
+ - 198.18.0.0/15
+ - 192.0.2.0/24
+ - 198.51.100.0/24
+ - 203.0.113.0/24
+ - 224.0.0.0/4
+ - ::1/128
+ - fe80::/10
+ - fc00::/7
+ - 2001:db8::/32
+ - ff00::/8
+ - fec0::/10
+ roomSetupWidget:
+ addOnInvite: false
+ publicUrl: https://example.com/widgetapi/v1/static/
+ branding:
+ widgetTitle: Hookshot Configuration
+ permissions:
+ # (Optional) Permissions for using the bridge. See docs/setup.md#permissions for help
+ #
+ - actor: example.com
+ services:
+ - service: "*"
+ level: admin
+ listeners:
+ # (Optional) HTTP Listener configuration.
+ # Bind resource endpoints to ports and addresses.
+ # 'port' must be specified. Each listener must listen on a unique port.
+ # 'bindAddress' will default to '127.0.0.1' if not specified, which may not be suited to Docker environments.
+ # 'resources' may be any of webhooks, widgets, metrics, provisioning
+ #
+ - port: 9000
+ bindAddress: 0.0.0.0
+ resources:
+ - webhooks
+ - port: 9001
+ bindAddress: 127.0.0.1
+ resources:
+ - metrics
+ - provisioning
+ - port: 9002
+ bindAddress: 0.0.0.0
+ resources:
+ - widgets
+ registration:
+ id: matrix-hookshot
+ as_token: ""
+ hs_token: ""
+ namespaces:
+ rooms: []
+ users: []
+ sender_localpart: hookshot
+ url: "http://example.com"
+ rate_limited: false
+ passkey: ""
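Review bot: The default `hookshot.config` ships the `github`, `gitlab`, `jira`, `figma` and `provisioning` sections populated with publicly known placeholder credentials (`secret: secrettoken`, `client_secret: bar`, `secret: "!secretToken"`), and the `webhooks` listener binds `0.0.0.0:9000`. An install that overrides only the homeserver settings would, as far as this hunk shows, come up with those integrations configured and the placeholder secrets in force. Since the commit message says this block is templated from the default config, I would have the pre-build step drop or comment out the optional integration sections and leave secrets empty, and have the templates fail rendering with `required` when a configured integration has no secret. `permissions` also grants `level: admin` on `service: "*"` to `example.com`, which deserves a comment telling operators to replace it before deploying.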