nodejs/hookshot
nodejs/hookshot
1
0
Fork 0
mirror of https://github.com/matrix-org/matrix-hookshot.git synced 2025-03-10 13:17:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add basic Helm chart for Hookshot (#719)

Browse Source 
* Import basic chart

Signed-off-by: Rhea Danzey <rdanzey@element.io>

* Test chart-releaser workflow

Signed-off-by: Rhea Danzey <rdanzey@element.io>

* Use latest version of chart-releaser action

Signed-off-by: Rhea Danzey <rdanzey@element.io>

* Test chart version bump

Signed-off-by: Rhea Danzey <rdanzey@element.io>

* Remove pages index

Signed-off-by: Rhea Danzey <rdanzey@element.io>

* Test bump Chart.yaml

* Add preliminary docs

Signed-off-by: Rhea Danzey <rdanzey@element.io>

* Docs tidying

Signed-off-by: Rhea Danzey <rdanzey@element.io>

* Add changelog for helm chart

Signed-off-by: Rhea Danzey <rdanzey@element.io>

* Update helm/hookshot/README.md

Co-authored-by: Will Hunt <will@half-shot.uk>

* Update values.yaml with most recent default config (incl. comments)

Signed-off-by: Rhea Danzey <rdanzey@element.io>

* Add pre-build stage for helm chart to template appVersion and config into values

Signed-off-by: Rhea Danzey <rdanzey@element.io>

* Add lint / validate to helm chart

Signed-off-by: Rhea Danzey <rdanzey@element.io>

* Fix helm validate workflow & Rename

Signed-off-by: Rhea Danzey <rdanzey@element.io>

* Update .github/workflows/helm.yml

Co-authored-by: Will Hunt <will@half-shot.uk>

---------

Signed-off-by: Rhea Danzey <rdanzey@element.io>
Co-authored-by: Will Hunt <will@half-shot.uk>
This commit is contained in:
Rhea Danzey 2023-06-08 12:17:54 -05:00 committed by GitHub
parent 93400c72db
commit b102798a23
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
24 changed files with 1188 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
.github/workflows/helm-lint.yml vendored Normal file
View File

@ -0,0 +1,27 @@
name: Helm Chart - Validate
on:
push:
branches: [ main ]
paths-ignore:
- changelog.d/**'
pull_request:
branches: [ main ]
paths-ignore:
- changelog.d/**'
workflow_dispatch:
jobs:
lint-helm:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Lint Helm
uses: WyriHaximus/github-action-helm3@v3
with:
exec: helm lint ./helm/hookshot/
- name: Validate
uses: nlamirault/helm-kubeconform-action@v0.1.0
with:
charts: ./helm/

50
.github/workflows/helm.yml vendored Normal file
View File

@ -0,0 +1,50 @@
name: Helm Chart - Release
on:
push:
branches:
- main
paths:
- 'helm/**' # only execute if we have helm chart changes
workflow_dispatch:
jobs:
release:
# depending on default permission settings for your org (contents being read-only or read-write for workloads), you will have to add permissions
# see: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token
permissions:
contents: write
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Configure Git
run: |
git config user.name "$GITHUB_ACTOR"
git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
- name: Install Helm
uses: azure/setup-helm@v3
with:
version: v3.10.0
- name: Pre-build chart
uses: mikefarah/yq@v4.34.1
with:
cmd: |
HOOKSHOT_VERSION="$(cat package.json | yq .version)"
yq ".appVersion=\"$HOOKSHOT_VERSION\"" helm/hookshot/Chart.yaml
yq -i eval-all 'select(fileIndex==0).hookshot.config = select(fileIndex==1) | select(fileIndex==0)' \
helm/hookshot/values.yaml \
config.sample.yml
- name: Run chart-releaser
uses: helm/chart-releaser-action@v1.5.0
env:
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
with:
config: helm/cr.yaml
charts_dir: helm/

1
changelog.d/719.feature Normal file
View File

@ -0,0 +1 @@
Added basic helm chart to repository with GitHub Actions / chart-releaser builds

14
docs/setup.md
View File

@ -11,7 +11,6 @@ Hookshot memory requirements may increase depending on the traffic and the numbe
You **must** have administrative access to an existing homeserver in order to set up Hookshot, as
Hookshot requires the homeserver to be configured with its appservice registration.
## Local installation
This bridge requires at least Node 16 and Rust installed.
@ -47,6 +46,11 @@ docker run \
Where `/etc/matrix-hookshot` would contain the configuration files `config.yml` and `registration.yml`. The `passKey` file should also be stored alongside these files. In your config, you should use the path `/data/passkey.pem`.
## Installation via Helm
There's now a basic chart defined in [helm/hookshot](/helm/hookshot/) that can be used to deploy the Hookshot Docker container in a Kubernetes-native way.
More information on this method is available [here](https://github.com/matrix-org/matrix-hookshot/helm/hookshot/README.md)
## Configuration
@ -59,10 +63,12 @@ You may validate your config without starting the service by running `yarn valid
For Docker you can run `docker run --rm -v /absolute-path-to/config.yml:/config.yml halfshot/matrix-hookshot node Config/Config.js /config.yml`
Copy `registration.sample.yml` into `registration.yml` and fill in:
- At a minimum, you will need to replace the `as_token` and `hs_token` and change the domain part of the namespaces. The sample config can be also found at our [github repo](https://raw.githubusercontent.com/matrix-org/matrix-hookshot/main/registration.sample.yml) for your convienence.
You will need to link the registration file to the homeserver. Consult your homeserver documentation
on how to add appservices. [Synapse documents the process here](https://matrix-org.github.io/synapse/latest/application_services.html).
### Homeserver Configuration
In addition to providing the registration file above, you also need to tell Hookshot how to reach the homeserver which is hosting it. For clarity, hookshot expects to be able to connect to an existing homeserver which has the Hookshot registration file configured.
@ -79,7 +85,6 @@ bridge:
The `port` and `bindAddress` must not conflict with the other listeners in the bridge config. This listeners should **not** be reachable
over the internet to users, as it's intended to be used by the homeserver exclusively. This service listens on `/_matrix/app/`.
### Permissions
The bridge supports fine grained permission control over what services a user can access.
@ -94,6 +99,7 @@ permissions:
```
You must configure a set of "actors" with access to services. An `actor` can be:
- A MxID (also known as a User ID) e.g. `"@Half-Shot:half-shot.uk"`
- A homeserver domain e.g. `matrix.org`
- A roomId. This will allow any member of this room to complete actions. e.g. `"!TlZdPIYrhwNvXlBiEk:half-shot.uk"`
@ -102,6 +108,7 @@ You must configure a set of "actors" with access to services. An `actor` can be:
MxIDs. room IDs and `*` **must** be wrapped in quotes.
Each permission set can have a services. The `service` field can be:
- `github`
- `gitlab`
- `jira`
@ -111,6 +118,7 @@ Each permission set can have a services. The `service` field can be:
- `*`, for any service.
The `level` can be:
- `commands` Can run commands within connected rooms, but NOT log in to the bridge.
- `login` All the above, and can also log in to the bridge.
- `notifications` All the above, and can also bridge their notifications.
@ -202,7 +210,6 @@ Please note that the appservice HTTP listener is configured <strong>separately</
in the upstream library. See <a href="https://github.com/turt2live/matrix-bot-sdk/issues/191">this issue</a> for details.
</section>
### Services configuration
You will need to configure some services. Each service has its own documentation file inside the setup subdirectory.
@ -230,7 +237,6 @@ logging:
timestampFormat: HH:mm:ss:SSS
```
#### JSON Logging
Enabling the `json` option will configure hookshot to output structured JSON logs. The schema looks like:

2
helm/cr.yaml Normal file
View File

@ -0,0 +1,2 @@
release-name-template: "helm-{{ .Name }}-{{ .Version }}"

6
helm/ct.yaml Normal file
View File

@ -0,0 +1,6 @@
remote: origin
target-branch: main
chart-repos: []
chart-dirs:
- helm
validate-maintainers: false

1
helm/hookshot/.gitignore vendored Normal file
View File

@ -0,0 +1 @@
*.tgz

24
helm/hookshot/.helmignore Normal file
View File

@ -0,0 +1,24 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
*.tgz

7
helm/hookshot/.yamllint Normal file
View File

@ -0,0 +1,7 @@
---
extends: default
rules:
line-length:
level: warning
max: 120
braces: disable

22
helm/hookshot/Chart.yaml Normal file
View File

@ -0,0 +1,22 @@
---
apiVersion: v2
name: hookshot
description: Deploy a Matrix Hookshot instance to Kubernetes
# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.13
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "0.0.0-replaced-by-ci"

122
helm/hookshot/README.md Normal file
View File

@ -0,0 +1,122 @@
# hookshot
![Version: 0.1.13](https://img.shields.io/badge/Version-0.1.13-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 3.2.0](https://img.shields.io/badge/AppVersion-3.2.0-informational?style=flat-square)
Deploy a Matrix Hookshot instance to Kubernetes
Status: Beta
## About
This chart creates a basic Hookshot deployment inside Kubernetes.
# Installation
You'll need to have the Helm repository added to your local environment:
``` bash
helm repo add hookshot https://matrix-org.github.io/matrix-hookshot
helm repo update
```
Which should allow you to see the Hookshot chart in the repo:
``` bash
helm search repo hookshot
NAME CHART VERSION APP VERSION DESCRIPTION
matrix-org/hookshot 0.1.13 1.16.0 A Helm chart for Kubernetes
```
Before you can install, however, you'll need to make sure to configure Hookshot properly.
# Configuration
You'll need to create a `values.yaml` for your deployment of this chart. You can use the [included defaults](./values.yaml) as a starting point.
## Helm Values
To configure Hookshot-specific parameters, the value `.Values.hookshot.config` accepts an arbitrary YAML map as configuration. This gets templated into the container by [templates/configmap.yaml](./templates/configmap.yaml) - thus anything you can set in the [Example Configuration](https://matrix-org.github.io/matrix-hookshot/latest/setup/sample-configuration.html) can be set here.
## Existing configuration
If you have an existing configuration file for Hookshot, you can create a configmap like so:
``` bash
kubectl create --namespace "your hookshot namespace" configmap hookshot-custom-config --from-file=config.yml --from-file=registration.yml --from-file=passkey.pem
```
Note that the filenames must remain as listed based on the templating done in [templates/configmap.yaml](./templates/configmap.yaml)
Once created, you can set `.Values.hookshot.existingConfigMap` to `custom-hookshot-config` (or whichever name you chose for your secret) and set `.Values.hookshot.config` to `{}` or null to prevent confusion with the default parameters.
# Installation
Once you have your `values.yaml` file ready you can install the chart like this:
``` bash
helm install hookshot --create-namespace --namespace hookshot matrix-org/hookshot -f values.yaml
```
And upgrades can be done via:
``` bash
helm upgrade hookshot --namespace hookshot matrix-org/hookshot -f values.yaml
```
# External access
You'll need to configure your Ingress connectivity according to your environment. This chart should be compatible with most Ingress controllers and has been tested successfully with [ingress-nginx](https://github.com/kubernetes/ingress-nginx) and EKS ALB. You should also ensure that you have a way to provision certificates i.e. [cert-manager](https://cert-manager.io/) as HTTPS is required for appservice traffic.
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| affinity | object | `{}` | Affinity settings for deployment |
| autoscaling.enabled | bool | `false` | |
| fullnameOverride | string | `""` | Full name override for helm chart |
| hookshot.config | object | `{"bridge":{"bindAddress":"0.0.0.0","domain":"example.com","port":9002,"url":"https://example.com"},"generic":{"allowJsTransformationFunctions":true,"enableHttpGet":false,"enabled":true,"urlPrefix":"https://example.com/","userIdPrefix":"_webhooks_","waitForComplete":false},"listeners":[{"bindAddress":"0.0.0.0","port":9000,"resources":["webhooks","widgets"]},{"bindAddress":"0.0.0.0","port":9001,"resources":["metrics"]}],"logging":{"colorize":false,"json":false,"level":"info","timestampFormat":"HH:mm:ss:SSS"},"metrics":{"enabled":true},"passFile":"/data/passkey.pem","widgets":{"addToAdminRooms":false,"branding":{"widgetTitle":"Hookshot Configuration"},"publicUrl":"https://webhook-hookshot.example.com/widgetapi/v1/static","roomSetupWidget":{"addOnInvite":false},"setRoomName":false}}` | Raw Hookshot configuration. Gets templated into a YAML file and then loaded unless an existingConfigMap is specified. |
| hookshot.existingConfigMap | string | `nil` | Name of existing ConfigMap with valid Hookshot configuration |
| hookshot.passkey | string | `""` | |
| hookshot.registration.as_token | string | `""` | |
| hookshot.registration.hs_token | string | `""` | |
| hookshot.registration.id | string | `"matrix-hookshot"` | |
| hookshot.registration.namespaces.rooms | list | `[]` | |
| hookshot.registration.namespaces.users | list | `[]` | |
| hookshot.registration.rate_limited | bool | `false` | |
| hookshot.registration.sender_localpart | string | `"hookshot"` | |
| hookshot.registration.url | string | `"http://example.com"` | |
| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for Hookshot image |
| image.repository | string | `"halfshot/matrix-hookshot"` | Repository to pull hookshot image from |
| image.tag | string | `nil` | Image tag to pull. Defaults to chart's appVersion value as set in Chart.yaml |
| imagePullSecrets | list | `[]` | List of names of k8s secrets to be used as ImagePullSecrets for the pod |
| ingress.appservice.annotations | object | `{}` | Annotations for appservice ingress |
| ingress.appservice.className | string | `""` | Ingress class name for appservice ingress |
| ingress.appservice.enabled | bool | `false` | Enable ingress for appservice |
| ingress.appservice.hosts | list | `[]` | Host configuration for appservice ingress |
| ingress.appservice.tls | list | `[]` | TLS configuration for appservice ingress |
| ingress.webhook.annotations | object | `{}` | Annotations for webhook ingress |
| ingress.webhook.className | string | `""` | Ingress class name for webhook ingress |
| ingress.webhook.enabled | bool | `false` | Enable ingress for webhook |
| ingress.webhook.hosts | list | `[]` | Host configuration for webhook ingress |
| ingress.webhook.tls | list | `[]` | TLS configuration for webhook ingress |
| nameOverride | string | `""` | Name override for helm chart |
| nodeSelector | object | `{}` | Node selector parameters |
| podAnnotations | object | `{}` | Extra annotations for Hookshot pod |
| podSecurityContext | object | `{}` | Pod security context settings |
| replicaCount | int | `1` | Number of replicas to deploy. Consequences of using multiple Hookshot replicas currently unknown. |
| resources | object | `{}` | Pod resource requests / limits |
| securityContext | object | `{}` | Security context settings |
| service.annotations | object | `{}` | Extra annotations for service |
| service.appservice.port | int | `9002` | Appservice port as configured in container |
| service.labels | object | `{}` | Extra labels for service |
| service.metrics.port | int | `9001` | Metrics port as configured in container |
| service.port | int | `80` | Port for Hookshot service |
| service.type | string | `"ClusterIP"` | Service type for Hookshot service |
| service.webhook.port | int | `9000` | Webhook port as configured in container |
| serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
| serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
| tolerations | list | `[]` | Tolerations for deployment |
----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)

74
helm/hookshot/README.md.gotmpl Normal file
View File

@ -0,0 +1,74 @@
{{ template "chart.header" . }}
{{ template "chart.deprecationWarning" . }}
{{ template "chart.badgesSection" . }}
{{ template "chart.description" . }}
Status: Beta
## About
This chart creates a basic Hookshot deployment inside Kubernetes.
# Installation
You'll need to have the Helm repository added to your local environment:
``` bash
helm repo add hookshot https://matrix-org.github.io/matrix-hookshot
helm repo update
```
Which should allow you to see the Hookshot chart in the repo:
``` bash
helm search repo hookshot
NAME CHART VERSION APP VERSION DESCRIPTION
matrix-org/hookshot 0.1.13 1.16.0 A Helm chart for Kubernetes
```
Before you can install, however, you'll need to make sure to configure Hookshot properly.
# Configuration
You'll need to create a `values.yaml` for your deployment of this chart. You can use the [included defaults](./values.yaml) as a starting point.
## Helm Values
To configure Hookshot-specific parameters, the value `.Values.hookshot.config` accepts an arbitrary YAML map as configuration. This gets templated into the container by [templates/configmap.yaml](./templates/configmap.yaml) - thus anything you can set in the [Example Configuration](https://matrix-org.github.io/matrix-hookshot/latest/setup/sample-configuration.html) can be set here.
## Existing configuration
If you have an existing configuration file for hookshot, you can create a configmap like so:
``` bash
kubectl create --namespace "your hookshot namespace" configmap hookshot-custom-config --from-file=config.yml --from-file=registration.yml --from-file=passkey.pem
```
Note that the filenames must remain as listed based on the templating done in [templates/configmap.yaml](./templates/configmap.yaml)
Once created, you can set `.Values.hookshot.existingConfigMap` to `custom-hookshot-config` (or whichever name you chose for your secret) and set `.Values.hookshot.config` to `{}` or null to prevent confusion with the default parameters.
# Installation
Once you have your `values.yaml` file ready you can install the chart like this:
``` bash
helm install hookshot --create-namespace --namespace hookshot matrix-org/hookshot -f values.yaml
```
And upgrades can be done via:
``` bash
helm upgrade hookshot --namespace hookshot matrix-org/hookshot -f values.yaml
```
# External access
You'll need to configure your Ingress connectivity according to your environment. This chart should be compatible with most Ingress controllers and has been tested successfully with [ingress-nginx](https://github.com/kubernetes/ingress-nginx) and EKS ALB. You should also ensure that you have a way to provision certificates i.e. [cert-manager](https://cert-manager.io/) as HTTPS is required for appservice traffic.
{{ template "chart.maintainersSection" . }}
{{ template "chart.sourcesSection" . }}
{{ template "chart.requirementsSection" . }}
{{ template "chart.valuesSection" . }}
{{ template "helm-docs.versionFooter" . }}

22
helm/hookshot/templates/NOTES.txt Normal file
View File

@ -0,0 +1,22 @@
1. Get the application URL by running these commands:
{{- if .Values.ingress.enabled }}
{{- range $host := .Values.ingress.hosts }}
{{- range .paths }}
http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
{{- end }}
{{- end }}
{{- else if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "hookshot.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "hookshot.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "hookshot.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
echo http://$SERVICE_IP:{{ .Values.service.port }}
{{- else if contains "ClusterIP" .Values.service.type }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "hookshot.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
echo "Visit http://127.0.0.1:8080 to use your application"
kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
{{- end }}

85
helm/hookshot/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,85 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "hookshot.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "hookshot.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Helper for configmap name
*/}}
{{- define "hookshot.configMapName" -}}
{{- if .Values.hookshot.existingConfigMap }}
{{- printf "%s" .Values.hookshot.existingConfigMap -}}
{{- else }}
{{- printf "%s-config" (include "hookshot.fullname" .) | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "hookshot.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "hookshot.labels" -}}
helm.sh/chart: {{ include "hookshot.chart" . }}
{{ include "hookshot.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "hookshot.selectorLabels" -}}
app.kubernetes.io/name: {{ include "hookshot.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "hookshot.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "hookshot.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Allow the release namespace to be overridden for multi-namespace deployments in combined charts
*/}}
{{- define "hookshot.namespace" -}}
{{- if .Values.namespaceOverride -}}
{{- .Values.namespaceOverride -}}
{{- else -}}
{{- .Release.Namespace -}}
{{- end -}}
{{- end -}}

160
helm/hookshot/templates/_pod.tpl Normal file
View File

@ -0,0 +1,160 @@
{{- define "hookshot.pod" -}}
{{- if .Values.schedulerName }}
schedulerName: "{{ .Values.schedulerName }}"
{{- end }}
serviceAccountName: {{ template "hookshot.serviceAccountName" . }}
automountServiceAccountToken: {{ .Values.serviceAccount.autoMount }}
{{- if .Values.securityContext }}
securityContext:
{{ toYaml .Values.securityContext | indent 2 }}
{{- end }}
{{- if .Values.hostAliases }}
hostAliases:
{{ toYaml .Values.hostAliases | indent 2 }}
{{- end }}
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName }}
{{- end }}
initContainers:
{{- if .Values.image.pullSecrets }}
imagePullSecrets:
{{- $root := . }}
{{- range .Values.image.pullSecrets }}
- name: {{ tpl . $root }}
{{- end}}
{{- end }}
containers:
- name: {{ .Chart.Name }}
{{- if .Values.image.sha }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}@sha256:{{ .Values.image.sha }}"
{{- else }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
{{- end }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.command }}
command:
{{- range .Values.command }}
- {{ . }}
{{- end }}
{{- end}}
{{- if .Values.containerSecurityContext }}
securityContext:
{{- toYaml .Values.containerSecurityContext | nindent 6 }}
{{- end }}
volumeMounts:
{{- if or (and (not .Values.hookshot.existingConfigMap) (.Values.hookshot.config)) (.Values.hookshot.existingConfigMap) }}
- name: config
mountPath: "/data"
{{- end }}
ports:
- name: webhook
containerPort: 9000
protocol: TCP
- name: metrics
containerPort: 9001
protocol: TCP
- name: appservice
containerPort: 9002
protocol: TCP
env:
envFrom:
{{- if .Values.envFromSecret }}
- secretRef:
name: {{ tpl .Values.envFromSecret . }}
{{- end }}
{{- if .Values.envRenderSecret }}
- secretRef:
name: {{ template "hookshot.fullname" . }}-env
{{- end }}
{{- range .Values.envFromSecrets }}
- secretRef:
name: {{ tpl .name $ }}
optional: {{ .optional | default false }}
{{- end }}
{{- range .Values.envFromConfigMaps }}
- configMapRef:
name: {{ tpl .name $ }}
optional: {{ .optional | default false }}
{{- end }}
livenessProbe:
{{ toYaml .Values.livenessProbe | indent 6 }}
readinessProbe:
{{ toYaml .Values.readinessProbe | indent 6 }}
{{- if .Values.lifecycleHooks }}
lifecycle: {{ tpl (.Values.lifecycleHooks | toYaml) . | nindent 6 }}
{{- end }}
resources:
{{ toYaml .Values.resources | indent 6 }}
{{- with .Values.extraContainers }}
{{ tpl . $ | indent 2 }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 2 }}
{{- end }}
{{- $root := . }}
{{- with .Values.affinity }}
affinity:
{{ tpl (toYaml .) $root | indent 2 }}
{{- end }}
{{- with .Values.topologySpreadConstraints }}
topologySpreadConstraints:
{{ toYaml . | indent 2 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{ toYaml . | indent 2 }}
{{- end }}
volumes:
- name: config
configMap:
name: {{ template "hookshot.configMapName" . }}
{{- $root := . }}
{{- range .Values.extraConfigmapMounts }}
- name: {{ tpl .name $root }}
configMap:
name: {{ tpl .configMap $root }}
{{- if .items }}
items: {{ toYaml .items | nindent 6 }}
{{- end }}
{{- end }}
{{- range .Values.extraSecretMounts }}
{{- if .secretName }}
- name: {{ .name }}
secret:
secretName: {{ .secretName }}
defaultMode: {{ .defaultMode }}
{{- if .items }}
items: {{ toYaml .items | nindent 6 }}
{{- end }}
{{- else if .projected }}
- name: {{ .name }}
projected: {{- toYaml .projected | nindent 6 }}
{{- else if .csi }}
- name: {{ .name }}
csi: {{- toYaml .csi | nindent 6 }}
{{- end }}
{{- end }}
{{- range .Values.extraVolumeMounts }}
- name: {{ .name }}
{{- if .existingClaim }}
persistentVolumeClaim:
claimName: {{ .existingClaim }}
{{- else if .hostPath }}
hostPath:
path: {{ .hostPath }}
{{- else }}
emptyDir: {}
{{- end }}
{{- end }}
{{- range .Values.extraEmptyDirMounts }}
- name: {{ .name }}
emptyDir: {}
{{- end -}}
{{- if .Values.extraContainerVolumes }}
{{ tpl (toYaml .Values.extraContainerVolumes) . | indent 2 }}
{{- end }}
{{- end }}

21
helm/hookshot/templates/configmap.yaml Normal file
View File

@ -0,0 +1,21 @@
---
{{- if not .Values.hookshot.existingConfigMap }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "hookshot.configMapName" . }}
namespace: {{ template "hookshot.namespace" . }}
labels:
{{- include "hookshot.labels" . | nindent 4 }}
{{- with .Values.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
data:
config.yml: |
{{ toYaml .Values.hookshot.config | indent 4 }}
registration.yml: |
{{ toYaml .Values.hookshot.registration | indent 4 }}
passkey.pem: |
{{ .Values.hookshot.passkey | indent 4 }}
{{- end }}

24
helm/hookshot/templates/deployment.yaml Normal file
View File

@ -0,0 +1,24 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "hookshot.fullname" . }}
labels:
{{- include "hookshot.labels" . | nindent 4 }}
spec:
{{- if not .Values.autoscaling.enabled }}
replicas: {{ .Values.replicaCount }}
{{- end }}
selector:
matchLabels:
{{- include "hookshot.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "hookshot.selectorLabels" . | nindent 8 }}
spec:
{{- include "hookshot.pod" . | nindent 6 }}

29
helm/hookshot/templates/hpa.yaml Normal file
View File

@ -0,0 +1,29 @@
---
{{- if .Values.autoscaling.enabled }}
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "hookshot.fullname" . }}
labels:
{{- include "hookshot.labels" . | nindent 4 }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "hookshot.fullname" . }}
minReplicas: {{ .Values.autoscaling.minReplicas }}
maxReplicas: {{ .Values.autoscaling.maxReplicas }}
metrics:
{{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
- type: Resource
resource:
name: cpu
targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
{{- end }}
{{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
- type: Resource
resource:
name: memory
targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
{{- end }}
{{- end }}

62
helm/hookshot/templates/ingress-appservice.yaml Normal file
View File

@ -0,0 +1,62 @@
---
{{- if .Values.ingress.appservice.enabled -}}
{{- $fullName := include "hookshot.fullname" . -}}
{{- $svcPort := .Values.service.port -}}
{{- if and .Values.ingress.appservice.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
{{- if not (hasKey .Values.ingress.appservice.annotations "kubernetes.io/ingress.class") }}
{{- $_ := set .Values.ingress.appservice.annotations "kubernetes.io/ingress.class" .Values.ingress.appservice.className}}
{{- end }}
{{- end }}
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1
{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}-appservice
labels:
{{- include "hookshot.labels" . | nindent 4 }}
{{- with .Values.ingress.appservice.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if and .Values.ingress.appservice.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
ingressClassName: {{ .Values.ingress.appservice.className }}
{{- end }}
{{- if .Values.ingress.appservice.tls }}
tls:
{{- range .Values.ingress.appservice.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.appservice.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ .path }}
{{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
pathType: {{ .pathType }}
{{- end }}
backend:
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
service:
name: {{ $fullName }}
port:
number: {{ .port }}
{{- else }}
serviceName: {{ $fullName }}
servicePort: {{ .port }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

62
helm/hookshot/templates/ingress.yaml Normal file
View File

@ -0,0 +1,62 @@
---
{{- if .Values.ingress.webhook.enabled -}}
{{- $fullName := include "hookshot.fullname" . -}}
{{- $svcPort := .Values.service.port -}}
{{- if and .Values.ingress.webhook.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
{{- if not (hasKey .Values.ingress.webhook.annotations "kubernetes.io/ingress.class") }}
{{- $_ := set .Values.ingress.webhook.annotations "kubernetes.io/ingress.class" .Values.ingress.webhook.className}}
{{- end }}
{{- end }}
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1
{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}
labels:
{{- include "hookshot.labels" . | nindent 4 }}
{{- with .Values.ingress.webhook.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if and .Values.ingress.webhook.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
ingressClassName: {{ .Values.ingress.webhook.className }}
{{- end }}
{{- if .Values.ingress.webhook.tls }}
tls:
{{- range .Values.ingress.webhook.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.webhook.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ .path }}
{{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
pathType: {{ .pathType }}
{{- end }}
backend:
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
service:
name: {{ $fullName }}
port:
number: {{ .port }}
{{- else }}
serviceName: {{ $fullName }}
servicePort: {{ .port }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

31
helm/hookshot/templates/service.yaml Normal file
View File

@ -0,0 +1,31 @@
---
apiVersion: v1
kind: Service
metadata:
name: {{ include "hookshot.fullname" . }}
{{- with .Values.service.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
labels:
{{- include "hookshot.labels" . | nindent 4 }}
{{- with .Values.service.labels }}
{{ toYaml . | indent 4 }}
{{- end }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.webhook.port }}
targetPort: webhook
protocol: TCP
name: webhook
- port: {{ .Values.service.metrics.port }}
targetPort: metrics
protocol: TCP
name: metrics
- port: {{ .Values.service.appservice.port }}
targetPort: appservice
protocol: TCP
name: appservice
selector:
{{- include "hookshot.selectorLabels" . | nindent 4 }}

12
helm/hookshot/templates/serviceaccount.yaml Normal file
View File

@ -0,0 +1,12 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "hookshot.serviceAccountName" . }}
labels:
{{- include "hookshot.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

16
helm/hookshot/templates/tests/test-connection.yaml Normal file
View File

@ -0,0 +1,16 @@
---
apiVersion: v1
kind: Pod
metadata:
name: "{{ include "hookshot.fullname" . }}-test-connection"
labels:
{{- include "hookshot.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": test
spec:
containers:
- name: wget
image: busybox
command: ['wget']
args: ['{{ include "hookshot.fullname" . }}:{{ .Values.service.webhook.port }}']
restartPolicy: Never

312
helm/hookshot/values.yaml Normal file
View File

@ -0,0 +1,312 @@
---
# -- Number of replicas to deploy. Consequences of using multiple Hookshot replicas currently unknown.
replicaCount: 1
image:
# -- Repository to pull hookshot image from
repository: halfshot/matrix-hookshot
# -- Pull policy for Hookshot image
pullPolicy: IfNotPresent
# -- Image tag to pull. Defaults to chart's appVersion value as set in Chart.yaml
tag:
# -- List of names of k8s secrets to be used as ImagePullSecrets for the pod
imagePullSecrets: []
# -- Name override for helm chart
nameOverride: ""
# -- Full name override for helm chart
fullnameOverride: ""
serviceAccount:
# -- Specifies whether a service account should be created
create: true
# -- Annotations to add to the service account
annotations: {}
# -- The name of the service account to use. If not set and create is true, a name is generated using the fullname template
name: ""
# -- Extra annotations for Hookshot pod
podAnnotations: {}
# -- Pod security context settings
podSecurityContext: {}
# fsGroup: 2000
# -- Security context settings
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
service:
# -- Service type for Hookshot service
type: ClusterIP
# -- Port for Hookshot service
port: 80
# -- Extra annotations for service
annotations: {}
# -- Extra labels for service
labels: {}
webhook:
# -- Webhook port as configured in container
port: 9000
metrics:
# -- Metrics port as configured in container
port: 9001
appservice:
# -- Appservice port as configured in container
port: 9002
ingress:
webhook:
# -- Enable ingress for webhook
enabled: false
# -- Ingress class name for webhook ingress
className: ""
# -- Annotations for webhook ingress
annotations: {}
# -- Host configuration for webhook ingress
hosts: []
# -- TLS configuration for webhook ingress
tls: []
appservice:
# -- Enable ingress for appservice
enabled: false
# -- Ingress class name for appservice ingress
className: ""
# -- Annotations for appservice ingress
annotations: {}
# -- Host configuration for appservice ingress
hosts: []
# -- TLS configuration for appservice ingress
tls: []
# -- Pod resource requests / limits
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
autoscaling:
enabled: false
# -- Node selector parameters
nodeSelector: {}
# -- Tolerations for deployment
tolerations: []
# -- Affinity settings for deployment
affinity: {}
hookshot:
# -- Name of existing ConfigMap with valid Hookshot configuration
existingConfigMap:
# -- Raw Hookshot configuration. Gets templated into a YAML file and then loaded unless an existingConfigMap is specified.
config:
bridge:
# Basic homeserver configuration
#
domain: example.com
url: http://localhost:8008
mediaUrl: https://example.com
port: 9993
bindAddress: 127.0.0.1
github:
# (Optional) Configure this to enable GitHub support
#
auth:
# Authentication for the GitHub App.
#
id: 123
privateKeyFile: github-key.pem
webhook:
# Webhook settings for the GitHub app.
#
secret: secrettoken
oauth:
# (Optional) Settings for allowing users to sign in via OAuth.
#
client_id: foo
client_secret: bar
redirect_uri: https://example.com/bridge_oauth/
defaultOptions:
# (Optional) Default options for GitHub connections.
#
showIssueRoomLink: false
hotlinkIssues:
prefix: "#"
userIdPrefix: _github_
# (Optional) Prefix used when creating ghost users for GitHub accounts.
#
gitlab:
# (Optional) Configure this to enable GitLab support
#
instances:
gitlab.com:
url: https://gitlab.com
webhook:
secret: secrettoken
publicUrl: https://example.com/hookshot/
userIdPrefix: _gitlab_
# (Optional) Prefix used when creating ghost users for GitLab accounts.
#
figma:
# (Optional) Configure this to enable Figma support
#
publicUrl: https://example.com/hookshot/
instances:
your-instance:
teamId: your-team-id
accessToken: your-personal-access-token
passcode: your-webhook-passcode
jira:
# (Optional) Configure this to enable Jira support. Only specify `url` if you are using a On Premise install (i.e. not atlassian.com)
#
webhook:
# Webhook settings for JIRA
#
secret: secrettoken
oauth:
# (Optional) OAuth settings for connecting users to JIRA. See documentation for more information
#
client_id: foo
client_secret: bar
redirect_uri: https://example.com/bridge_oauth/
generic:
# (Optional) Support for generic webhook events.
#'allowJsTransformationFunctions' will allow users to write short transformation snippets in code, and thus is unsafe in untrusted environments
#
#
enabled: false
enableHttpGet: false
urlPrefix: https://example.com/webhook/
userIdPrefix: _webhooks_
allowJsTransformationFunctions: false
waitForComplete: false
feeds:
# (Optional) Configure this to enable RSS/Atom feed support
#
enabled: false
pollIntervalSeconds: 600
pollTimeoutSeconds: 30
provisioning:
# (Optional) Provisioning API for integration managers
#
secret: "!secretToken"
passFile: passkey.pem
# A passkey used to encrypt tokens stored inside the bridge.
# Run openssl genpkey -out passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096 to generate
#
bot:
# (Optional) Define profile information for the bot user
#
displayname: Hookshot Bot
avatar: mxc://half-shot.uk/2876e89ccade4cb615e210c458e2a7a6883fe17d
serviceBots:
# (Optional) Define additional bot users for specific services
#
- localpart: feeds
displayname: Feeds
avatar: mxc://half-shot.uk/2876e89ccade4cb615e210c458e2a7a6883fe17d
prefix: "!feeds"
service: feeds
metrics:
# (Optional) Prometheus metrics support
#
enabled: true
queue:
# (Optional) Message queue / cache configuration options for large scale deployments.
# For encryption to work, must be set to monolithic mode and have a host & port specified.
#
monolithic: true
port: 6379
host: localhost
logging:
# (Optional) Logging settings. You can have a severity debug,info,warn,error
#
level: info
colorize: true
json: false
timestampFormat: HH:mm:ss:SSS
widgets:
# (Optional) EXPERIMENTAL support for complimentary widgets
#
addToAdminRooms: false
disallowedIpRanges:
- 127.0.0.0/8
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 100.64.0.0/10
- 192.0.0.0/24
- 169.254.0.0/16
- 192.88.99.0/24
- 198.18.0.0/15
- 192.0.2.0/24
- 198.51.100.0/24
- 203.0.113.0/24
- 224.0.0.0/4
- ::1/128
- fe80::/10
- fc00::/7
- 2001:db8::/32
- ff00::/8
- fec0::/10
roomSetupWidget:
addOnInvite: false
publicUrl: https://example.com/widgetapi/v1/static/
branding:
widgetTitle: Hookshot Configuration
permissions:
# (Optional) Permissions for using the bridge. See docs/setup.md#permissions for help
#
- actor: example.com
services:
- service: "*"
level: admin
listeners:
# (Optional) HTTP Listener configuration.
# Bind resource endpoints to ports and addresses.
# 'port' must be specified. Each listener must listen on a unique port.
# 'bindAddress' will default to '127.0.0.1' if not specified, which may not be suited to Docker environments.
# 'resources' may be any of webhooks, widgets, metrics, provisioning
#
- port: 9000
bindAddress: 0.0.0.0
resources:
- webhooks
- port: 9001
bindAddress: 127.0.0.1
resources:
- metrics
- provisioning
- port: 9002
bindAddress: 0.0.0.0
resources:
- widgets
registration:
id: matrix-hookshot
as_token: ""
hs_token: ""
namespaces:
rooms: []
users: []
sender_localpart: hookshot
url: "http://example.com"
rate_limited: false
passkey: ""