From 36e673cdb6ffc7556d9d389e775e902ba6def8e2 Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Sat, 19 Feb 2022 00:22:27 +0100
Subject: [PATCH] feat(matrix): Add matrix synapse installation to cluster
---
apps/base/matrix/database.yaml | 23 ++++
apps/base/matrix/kustomization.yaml | 14 +++
apps/base/matrix/namespace.yaml | 36 ++++++
apps/base/matrix/networkpolicy.yaml | 20 ++++
apps/base/matrix/release.yaml | 84 +++++++++++++
apps/base/matrix/repository.yaml | 8 ++
apps/k8s01/matrix/certificate.yaml | 64 ++++++++++
apps/k8s01/matrix/kustomization.yaml | 8 ++
apps/k8s01/matrix/matrix-synapse-values.yaml | 119 +++++++++++++++++++
apps/k8s01/matrix/signing-key.yaml | 60 ++++++++++
10 files changed, 436 insertions(+)
create mode 100644 apps/base/matrix/database.yaml
create mode 100644 apps/base/matrix/kustomization.yaml
create mode 100644 apps/base/matrix/namespace.yaml
create mode 100644 apps/base/matrix/networkpolicy.yaml
create mode 100644 apps/base/matrix/release.yaml
create mode 100644 apps/base/matrix/repository.yaml
create mode 100644 apps/k8s01/matrix/certificate.yaml
create mode 100644 apps/k8s01/matrix/kustomization.yaml
create mode 100644 apps/k8s01/matrix/matrix-synapse-values.yaml
create mode 100644 apps/k8s01/matrix/signing-key.yaml
diff --git a/apps/base/matrix/database.yaml b/apps/base/matrix/database.yaml
new file mode 100644
index 000000000..8d0614978
--- /dev/null
+++ b/apps/base/matrix/database.yaml
@@ -0,0 +1,23 @@
+apiVersion: "acid.zalan.do/v1"
+kind: postgresql
+metadata:
+ name: matrix-postgres
+ namespace: matrix
+spec:
+ teamId: "matrix"
+ volume:
+ size: 25Gi
+ numberOfInstances: 1
+ users:
+ synapse: # database owner
+ - superuser
+ - createdb
+ databases:
+ synapse: synapse # dbname: owner
+ postgresql:
+ version: "14"
+ patroni:
+ initdb:
+ encoding: "UTF8"
+ locale: "C"
+ data-checksums: "true"
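Review bot: The `synapse` role under `users:` is granted `superuser` and `createdb`, which is far more than an application account needs; if Synapse or its database credentials are compromised, the whole PostgreSQL instance is exposed rather than only the `synapse` database. `databases:` already makes `synapse` the owner of its database, so the flag list can be emptied, `synapse: []  # database owner, no extra role flags`, leaving an ordinary login role. If some migration step really needs elevated rights, state that in the comment instead of `# database owner`.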
diff --git a/apps/base/matrix/kustomization.yaml b/apps/base/matrix/kustomization.yaml
new file mode 100644
index 000000000..642587fc7
--- /dev/null
+++ b/apps/base/matrix/kustomization.yaml
@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: matrix
+resources:
+ - namespace.yaml
+ - repository.yaml
+ - release.yaml
+ - database.yaml
+ - ../../../shared/networkpolicies/allow-from-same-namespace.yaml
+ - ../../../shared/networkpolicies/allow-from-ingress.yaml
+ - ../../../shared/networkpolicies/allow-from-database.yaml
+ - ../../../shared/networkpolicies/allow-from-monitoring.yaml
+patchesStrategicMerge:
+ - networkpolicy.yaml
diff --git a/apps/base/matrix/namespace.yaml b/apps/base/matrix/namespace.yaml
new file mode 100644
index 000000000..c839643f5
--- /dev/null
+++ b/apps/base/matrix/namespace.yaml
@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: matrix
+ labels:
+ name: matrix
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: matrix-reconciler
+ namespace: matrix
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: matrix-reconciler
+ namespace: matrix
+rules:
+ - apiGroups: ["*"]
+ resources: ["*"]
+ verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: matrix-reconciler
+ namespace: matrix
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: matrix-reconciler
+subjects:
+ - kind: ServiceAccount
+ name: matrix-reconciler
+ namespace: matrix
diff --git a/apps/base/matrix/networkpolicy.yaml b/apps/base/matrix/networkpolicy.yaml
new file mode 100644
index 000000000..dcc481652
--- /dev/null
+++ b/apps/base/matrix/networkpolicy.yaml
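Review bot: The `matrix-reconciler` Role in namespace.yaml grants `*` verbs on `*` resources in every API group, so the service account named by `serviceAccountName` in release.yaml is effectively namespace admin. It can read every Secret in `matrix`, including the signing key and TLS secret this commit adds, and it can create further RoleBindings there. If that breadth is deliberate for Flux tenancy, record it above `rules:` with a comment such as `# namespace-admin on purpose: Helm must manage every kind the chart renders`. Otherwise narrow the rule to the API groups and kinds the chart actually creates.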
@@ -0,0 +1,20 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-from-ingress
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: matrix-synapse
+ app.kubernetes.io/component: synapse
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-from-monitoring
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: matrix-synapse
+ app.kubernetes.io/component: synapse
diff --git a/apps/base/matrix/release.yaml b/apps/base/matrix/release.yaml
new file mode 100644
index 000000000..11884638e
--- /dev/null
+++ b/apps/base/matrix/release.yaml
@@ -0,0 +1,84 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: matrix-synapse
+ namespace: matrix
+spec:
+ serviceAccountName: matrix-reconciler
+ timeout: 15m
+ releaseName: matrix-synapse
+ chart:
+ spec:
+ chart: matrix-synapse
+ sourceRef:
+ kind: HelmRepository
+ name: matrix-synapse
+ namespace: matrix
+ version: 2.1.27
+ interval: 5m
+ values:
+ # serverName: example.com
+ # publicServerName: matrix.example.com
+ signingkey:
+ resources:
+ limits:
+ cpu: 100m
+ memory: 250Mi
+ requests:
+ cpu: 100m
+ memory: 250Mi
+ synapse:
+ strategy:
+ type: Recreate
+ podSecurityContext:
+ fsGroup: 666
+ runAsGroup: 666
+ runAsUser: 666
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 666
+ resources:
+ limits:
+ cpu: 1500m
+ memory: 2000Mi
+ requests:
+ cpu: 500m
+ memory: 1000Mi
+ wellknown:
+ podSecurityContext:
+ fsGroup: 101
+ runAsGroup: 101
+ runAsUser: 100
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 100
+ resources:
+ limits:
+ cpu: 100m
+ memory: 15Mi
+ requests:
+ cpu: 5m
+ memory: 15Mi
+ # Using postgres operator instead
+ postgresql:
+ enabled: false
+ externalPostgresql:
+ existingSecretPasswordKey: password
+ sslmode: prefer
+ redis:
+ enabled: true
+ persistence:
+ enabled: true
+ storageClass: longhorn
+ accessMode: ReadWriteMany
+ size: 10Gi
+ ingress:
+ enabled: false
diff --git a/apps/base/matrix/repository.yaml b/apps/base/matrix/repository.yaml
new file mode 100644
index 000000000..f9249877b
--- /dev/null
+++ b/apps/base/matrix/repository.yaml
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+ name: matrix-synapse
+ namespace: matrix
+spec:
+ interval: 30m
+ url: https://ananace.gitlab.io/charts
diff --git a/apps/k8s01/matrix/certificate.yaml b/apps/k8s01/matrix/certificate.yaml
new file mode 100644
index 000000000..e578dd35e
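Review bot: `sslmode: prefer` under `externalPostgresql` in release.yaml lets the Synapse-to-PostgreSQL connection silently fall back to plaintext whenever TLS cannot be negotiated, so encryption of database traffic is not guaranteed. Set `sslmode: require` at minimum, or `verify-full` once the database CA is available to the pod. Separately, both `securityContext` blocks drop all capabilities and set `runAsNonRoot: true` but omit `allowPrivilegeEscalation: false`; adding it next to `readOnlyRootFilesystem: true` would complete the hardening.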
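Review bot: The `url:` in repository.yaml points at a third-party GitLab Pages Helm repository, and the only integrity control visible in this commit is the `version: 2.1.27` pin in release.yaml. A Helm index can republish the same version with different content, so the pin alone does not guarantee that every reconcile renders the templates that were reviewed. A comment above `url:` could record this, for example `# third-party chart: review rendered diff on every version bump`. Alternatively, mirror the chart into a repository under your own control.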
--- /dev/null
+++ b/apps/k8s01/matrix/certificate.yaml
@@ -0,0 +1,64 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: matrix-tls + namespace: matrix +spec: + dnsNames: + - ENC[AES256_GCM,data:qkOjxo70qwMU7blavLZwc9VRkkcCjQEfYbg=,iv:MST1bVyLe+/K246jUO0TYKk4uQXsoQ3b5LiqzuT7KOk=,tag:/jQSDQNYRwddyjQWLuEkmQ==,type:str] + issuerRef: + name: letsencrypt + kind: ClusterIssuer + secretName: ingress-matrix-tls +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2022-02-12T23:47:34Z" + mac: ENC[AES256_GCM,data:+pmUewT1vCUOsxPJoAqrysKU7vpE5MafEqJ6o2BOriL2WUluDSXfzkrC5OqAUiWOjJDnelMCsbL9+JU56Wm456ttEYYonEpj20cEM5kC56kmyyTVSgE+LMlz+hiXs7AP4AETIqNyHdvDmxnuKnwWUDhYofxClSfm6NoNHIiNaDk=,iv:kIDmg5cFTzYw9nGDeHCl25qGGAVAS9roM0+FTXej56A=,tag:VglKBYDWHGHC6TCxSTD6/w==,type:str] + pgp: + - created_at: "2022-01-21T18:13:48Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA7kpg2bgzVHcARAAHhDshl1OJqNRUolNvbIXzOuDzssJnvyi6cIZuMmVMsxf + a6wAWAtYOehvtn1ODL7/h4fIpBtfp7d8VuwfJSrh3ghUeiOl3zRzQbmaFA2L5/iG + Jd94tFAVwIl30qjcYqGVB2RF27VF1RElzgDLQh3hiXn1hDC+WmNSnBF5hwnwCFOL + wM4BHuE2AB4TX3PlYSo1n71VSzcCqRzbIxelZasYLnJQVL0VE6AjEd/fHS468R8N + aZ3mhmHW3sWzuLHNREMD2Q3ghkguLhau0VoETlYRI9103I4k7/khFrhAj5l2/PUr + 2SWgpXyRqXVaKPeTiQs3QR8B5jNq3BlZj6Celw5Ig/wx3LY0EhI9e9WFgtSlZxM+ + 2yk65HQGvTIgsbys/z/0skA9vqik9csFRsH9iK42E/+XLvoAT6yxyl0cv1kBEyAS + ggPmKOq8+CT+voHzuh8kZHq9Sa8kH5xL1DQLzX2yIruV3OhTPSK+VlDpjUbycmI2 + qR1oCo/snOJwwwvfl9vu0B8FCwhrz8554ZQBErFfJl6GFiUV8LElRlZh5S9Jiysr + nYJS5gxrcvjF/0Y6EHEfWDRDxvCHoWQpWhl2hRkh5UlQKH0ab+QWLYpISyNJxjfl + orQJdaVX3BQwhqMLwiMLGoaNGrSpmxXveLOZmsdK0obXC67lyE6ZM/Wy6gx2dFnS + 5gFdXCLzQmmjYK8gIlsejQdnxZI2qWavZIN9T70OZQGaDE/S+U1uxKjuGBM7HTcP + 7f1nUa6z96A9ydWs1xHjtm7k172V16PMSrvjQ8KLhFJd9eJDq3ksAA== + =XgF6 + -----END PGP MESSAGE----- + fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601 + - created_at: "2022-01-21T18:13:48Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA4oYbIHZIrAPAQ//S/9rOkbd3beNH20dxgZ7VuZxgnjiV3Hd3om717njcMm2 + 
kCfTJ3AmpLtQsT2s1W221tIyCwtHOobj82ANP9KzNi4e6v3LlNTIVHTQiHXk9KJP + AX6JoCOLu3bAI0xcdApNBU2wAlHBVC+T4BUfhPqD5AdHpW++e1qUIsM/6TViunHj + BWoIA0bpXqyOhTm1GbkJrHMgczJn2qgR5lBf8wgGmASd8jlNyfA7SxoKHj8sl/Ji + nucP/90dmyD2eBIJYdYS3anJYa2uP96oioG5xxIyfppnL5dwozDAit3Z5vvnBZNb + 1rrpUnN8H0cCcaj7tmDEmjGfjGwxLKegQRZX7Pg5hwaaOOPGheXf8Ip/DpDf6T0n + Sq24X6DC5gD1RBU+YY6ZayMt/OKpVVVwRlY4BTDIUe4M+ecK/fve5vpDW2M+KWMc + pOkO1B09/prsX0w5XjFh8hb/6HlDDhomiB+BszcRCUDzocRzSEIFwMf7/iTaExe8 + 2fKCCHB4kHo6GHpydlQOpnGMOvDmiNKopXxTkFQUFQjyRmHGXf/u79JNXBjHkniv + ZiokjTEarwMp68dyiaL4L/5Uk+4NG3MetobqSaeW2TbeBwif3G2eFleYscz7QPIR + 5ZBBhU/CoUEz2Xge6t8rlp8PNcQ1yq/R+tZjaeqIIT4++ZxCErhA0lsxyFrgLefU + aAEJAhD7hR3IMDGN2zOZSiw1IBz9P8Jss/oERQiuVpe/eTv5Vqj9vuL+koKftwnF + vSVkNo0fLwNLtnU659Mkoj9utoUL9tAhcCMpP3NehKkBG5RjF9crnIP6zT3lvVU0 + GYyW4Lsfrt/a + =FfV+ + -----END PGP MESSAGE----- + fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07 + encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|hosts?|tang|externalURL)$ + version: 3.7.1 diff --git a/apps/k8s01/matrix/kustomization.yaml b/apps/k8s01/matrix/kustomization.yaml new file mode 100644 index 000000000..5b0dd92b7 --- /dev/null +++ b/apps/k8s01/matrix/kustomization.yaml @@ -0,0 +1,8 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ../../base/matrix + - certificate.yaml + - signing-key.yaml +patchesStrategicMerge: + - matrix-synapse-values.yaml diff --git a/apps/k8s01/matrix/matrix-synapse-values.yaml b/apps/k8s01/matrix/matrix-synapse-values.yaml new file mode 100644 index 000000000..2e5cb6d95 --- /dev/null +++ b/apps/k8s01/matrix/matrix-synapse-values.yaml 
@@ -0,0 +1,119 @@ +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: matrix-synapse + namespace: matrix +spec: + values: + serverName: ENC[AES256_GCM,data:WnWLJiiLn5NhVv0OMM8kFJbq3g==,iv:d4VFcaEOxj4TWDDSLwvZXDhU1jFkifbPYcu6izrG+qI=,tag:EJVM9b/Uy148qMy+7yqJkg==,type:str] + publicServerName: ENC[AES256_GCM,data:GB5pmeng6i2AR7WT++rEEr2+PBgNaq5bbHE=,iv:gQ6cDYmYxxr8IEOlvOo4JMV6AXPkF5IRkxBCBdx28D4=,tag:W3qUlkhB/WVDrCuxm5i1Cg==,type:str] + externalPostgresql: + host: ENC[AES256_GCM,data:LCUhWX8Cc0H8cBUm0+Bw,iv:HBEt2koYUAeqszTPrbFVzQ3eLDRBWs3MA3bCJk4JaYo=,tag:Gi4QwEkK8Uf1TiNadXcEqg==,type:str] + existingSecret: ENC[AES256_GCM,data:08Mp9VcwUO0A+AcxSDOJ3wrYUvrjdfxfanllCsmXsp5FKQTcQO5KyBwM0hJ21myP2wqgNCLjli6I/69t,iv:VQwsaFjruzWlVuBB2TIjGXJ/zLNMx51PPI/YaeuN760=,tag:f4Px2YjUG91Mwv1BORIKoA==,type:str] + synapse: + enableRegistration: false + macaroonSecretKey: ENC[AES256_GCM,data:9Iq+YmMmiDm9WGRcnnbPbkguA9Z41vag8oixEeFVrNjUdhvjg1hnMuJTVzbsdOYyvM6WPAYPM50y/yaB+OwZN+gKbeM1VHrydlon4YTE21Rzi80ZI3kiwh2jCMeNJw0ARm6G1gYFkXDQ5QyvI2bnTRj6EWG0g9Fulp4aWQYZqwE=,iv:teBzeP5GvIaUW/mRaEvUWgOfyxVuZ8UN2P8YG0Kg4aM=,tag:1KE7QeogivD4K9H6eNIM2Q==,type:str] + extraSecrets: + password_config: + enabled: ENC[AES256_GCM,data:NlEQzw4=,iv:tt4KOqRlFTr+1CBetsNDPfGVkPViCGKJTDitWAXeRKI=,tag:gz9bv57MTaMDbpMZg9thGQ==,type:bool] + url_preview_enabled: ENC[AES256_GCM,data:sdL0XA==,iv:XzoVIXDAPRLh1DFlOmJRQDIvcwdGPHkArmqy9gQuviw=,tag:5F/dmqYWR1FaVqvEQAdMQw==,type:bool] + url_preview_ip_range_blacklist: + - ENC[AES256_GCM,data:lIQbrdx5Rdp8TlM=,iv:pq2YQ9wO4okCTDj+KJB35mtJb8qO1KXqcIJxbuupqMk=,tag:E6orpDjt4DZIt28nXfvyaA==,type:str] + - ENC[AES256_GCM,data:LVJI7NsfXkWAbg==,iv:qjdUq7jHkUT3wqoKtqFOhBi5lWD4wEQcnUEsZ8RjTUs=,tag:XfwfIFVqfUsOVCEY5MAyfg==,type:str] + - ENC[AES256_GCM,data:5QR/9tftTp6HyB7YmQ==,iv:CfCaP24pbaP7gG5pb7EM1qpcpryJz/CZTr9DODGYlyc=,tag:jEEAbvfbacMMgXZAQbnR+Q==,type:str] + - 
ENC[AES256_GCM,data:+XAmHsBanOXp1j06TCg=,iv:Hbv2xXGT3oER0aTjKjeViylh16keIPfyl4FeAfFA8mU=,tag:4flbm9I/jgPf6DJlgUBMig==,type:str] + - ENC[AES256_GCM,data:xjzlt2XGItigCDHi/A==,iv:BCDE1/hxDyNsABIVAM6XA0Rp+Mk8wjg7O/ONjDDgZ3Q=,tag:KNx7tKdX+tlla8yfdc1SsA==,type:str] + - ENC[AES256_GCM,data:89w8E2mQqScbXbjznqo=,iv:Mjuodvl9ZG5ODwqwnw72is20CFoDeiR1cWROUHy5xkI=,tag:AZQwua7a9TkFEAEnoAYQfw==,type:str] + - ENC[AES256_GCM,data:7ORoQrn3hw==,iv:w1fIu3LxACLWpD+bmsYfzyjgJC/u7Kw6z61N+byugJ0=,tag:DbyWpoukEIJ+aRcQNFcAvg==,type:str] + - ENC[AES256_GCM,data:5B8DNcAfQUpv,iv:hNbqk2ippZ3Fy4iE4g0kYKUHb+rqGanCvAtaqbh6zyM=,tag:VrwbuBgkwEIp+MMFOYfwhQ==,type:str] + - ENC[AES256_GCM,data:LlwQEL/9Wts=,iv:4CQQmTEdY9AytP6u0++cmKL71r5rMaIwS9OmODMJ7x0=,tag:5kPQmePpfhdll/xMtAfjgQ==,type:str] + max_spider_size: ENC[AES256_GCM,data:0v4J,iv:weHPmidhYW49t1DPgkBTl83CCLvS9Uzh0+YEHtPQrV8=,tag:5wCNhZZm5kGbbO+x2iWvog==,type:str] + oidc_providers: + - idp_id: ENC[AES256_GCM,data:2mY2/Djt8i4=,iv:1PWuCH7VZbT52YTPDEqC8+LRdzryeTDJZzaF+EgjSeA=,tag:Ma6JSKp1YABGUhMIqlKFoQ==,type:str] + idp_name: ENC[AES256_GCM,data:7SKNSEwxyw==,iv:NTD+EShtgR3UKdRLQjtqpfHWQw57tK0VDpitxOdcAnU=,tag:SClNTQwSDyxMxDF1uFRvcw==,type:str] + issuer: ENC[AES256_GCM,data:sAYWbGhlF+2ufpVjxQmX2bs1W7SSxhv49AoFT1hm4kKR+TU68ANvToFPzd/BdnwH1qt4MZYblExYFyb5,iv:zUbBUcLzwx7Z9iWZB+IwABK2tVpDn9pNxkmnFyhj7zw=,tag:OO0jwqIMoP8/8KQuWF/IvA==,type:str] + client_id: ENC[AES256_GCM,data:SxanJfftbKqBqPg=,iv:8Y1+QphtwlORSIW0Z3zYBShU4ZmApnPSkf/zQqyM6NY=,tag:zg+0cym8/sZAje3g04B2CA==,type:str] + client_secret: ENC[AES256_GCM,data:ZhimIMYC3lfxcJb7cOaVlAHjo0HjT6P6c330YCWvhdA=,iv:vIckyNyqmBe6x89JTBHj3/eHQFV1ds5ys/Dq4vF3Flw=,tag:1WtQYX2rrB95XRsYtQYm3w==,type:str] + scopes: + - ENC[AES256_GCM,data:awJ2pwGy,iv:nX4tb7bTfGVtxJYnetGBCJs90EZCxkXwffuNwRD+zb0=,tag:exbWHYCHpOSXuzmKRa9G5w==,type:str] + - ENC[AES256_GCM,data:hTH3/4HEdA==,iv:6nrfocMwwgtkT2h7J5m2WvNlQhtBIURzMO+R9ZhzopA=,tag:0rMqTHfDiDvVvVfn43Iy+g==,type:str] + allow_existing_users: 
ENC[AES256_GCM,data:81xNQg==,iv:60ZUOpeMmDuSS1On68JvHiXz8mltYhWMJbFReP/xHAI=,tag:uM2ws9KKUAcnonOc+YIRbQ==,type:bool] + user_mapping_provider: + config: + localpart_template: ENC[AES256_GCM,data:NDL9AmCiaWtnPkTfrKQwlJeEfHQABbqIHT/zdBE=,iv:Boc6K3cfqLbaCShkquX2fwodCaV5d9W6575xLAusTLU=,tag:3MXWxdhMoGFxUWH5tVL+LQ==,type:str] + display_name_template: ENC[AES256_GCM,data:ypDKFIznR2SGU320irQX,iv:qEmf94LPlhpa+QQMwYFCoq0X1eGjp3K3v4gGk2WGuKU=,tag:mXfBXWoQQzeSQ1FOwU23qA==,type:str] + attribute_requirements: + - attribute: ENC[AES256_GCM,data:xbDXdTE=,iv:WYfUub5uw2Vzk39ypEA2RLOJImDCZjmDuop6ADZfems=,tag:PTf9JWqdre+e57ERTdgjdg==,type:str] + value: ENC[AES256_GCM,data:XXFh9A==,iv:6I3AGGyB8871uuHCu2v/U0TOhFZebT2vN/UUyOScsTI=,tag:kT5xpsfgImCpnTObRSBezw==,type:str] + persistence: + size: 20Gi + signingkey: + job: + enabled: false + existingSecret: ENC[AES256_GCM,data:YKTvEspxL7nHYLDiPdHveNAJ,iv:234jr9ReQKDiXeBXaS1C18VcKvZnxXCbX0QmCVy2Zcw=,tag:EVLWDXFRFx9nVD96hIdzhg==,type:str] + existingSecretKey: ENC[AES256_GCM,data:FdoImqtEKxTaHwM=,iv:QEn7haBY/SSy1qPBsosBkqkedfLm5XRePDGCfcOsWwQ=,tag:RsUiTiiXA0F+xV/EgaadEw==,type:str] + redis: + auth: + password: ENC[AES256_GCM,data:tRxm78USp+qWMAzpnBx2kGqiutnL+ZGr31ngnrPoloCZqRWIuo/6zQ==,iv:+Lo4i3itTL8WK8rh48eRiEBkOPQ4VPLF4yKYRQ6If/0=,tag:W+YOtuyx50mS606FzvUfgg==,type:str] + ingress: + enabled: true + hosts: + - ENC[AES256_GCM,data:xBwjUfo+b3uBTCqPlx3XZ/IKkTxFXvbgy0w=,iv:ZN/5A/YHSPW7c3Fcx1Fi75uMYBijX0styxTuthv3p2E=,tag:sZ9tihrcgy4pHobebszDTg==,type:str] + includeServerName: ENC[AES256_GCM,data:U6KM0h8=,iv:+MkU2Bq56rlvL0NXVpJI3du8uA+pQ7/7opsQbNCoO5E=,tag:mJhCmEtymqAJtAfSBWdg5g==,type:bool] + includeUnderscoreSynapse: false + tls: + - secretName: ingress-matrix-tls + hosts: + - ENC[AES256_GCM,data:tH7alVVquuJFBwLTQgqZ74IQVH71EqSpP84=,iv:VIjY8P2vOxW1bM7oMBlptEWSIxsBN09dmLah4Yz2VFU=,tag:mD3tASJZ+21QWr4Ba+pqxg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2022-02-20T00:29:27Z" + mac: 
ENC[AES256_GCM,data:tU+6Y9qEumpb3vBo7ZgrY5FRHe0uEo/L53rh0SJoZ2J3SAUMjqh5MQTk2YwLGd6AN8TafiW99T3mqP8Na0h+UaYZfV6mSVoVAnMPMDE0dDegixYs89wAnfKY0H0D4DzdGRXhXlMtkLR2e93jYzLS6eFzZCR9hsu/nIsr8O+fWks=,iv:ajnOG4pCk9Ir1i0G9Vm5/xqh3Yd/5ajUiBy2y603pSc=,tag:vYOaqORpgvySzXl/USCtEw==,type:str] + pgp: + - created_at: "2022-02-18T22:15:21Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA7kpg2bgzVHcARAAWvgnCyXwnROc+uQcRaDXsntYQI1Z48xheaLtpBNSe/RM + a0WY5GnyFDHyrJalngkA+YEqJrVZ+kiMsDWte0awbY6P9fHOo5fEA7HHly2cFdyy + Y8ccoOQSeX9UxRJyivu6BlhVPbDXRztDT6w///NcxYsJrufk0Lg+WcuD1jafmTL1 + 6VCQsSpq/i0Kfr+90TwPMkeliogDqr3WZI61Nvcr2zjJMf2PCVcGZ9U0da55mXCO + s4JWV9CPfz/UCYrBc1DMzivDYYgBSK7XoPdTHiVry0cc9tPTbvzR1zo9C3ZqBHlZ + hRKixkEl2kp/jTztRaAA0/HTqTJal5Wiu83wRCxkzRYpgV0tYkyOr9cnCTJZMI81 + n/vU53c1jWiGenqCv0pek+rPuiRAIYvIMK2idL6hLmX9azRS2lTa7MRLOutZrPEN + O+2/AWSDn4P9TJrbbXmnyp0bWsiMZKMG3W3sFIygoc8jwb1ISkBNegiXqR4UqOhN + 9rJPKiqb4cOBklQ/pZprqm62N5I5cSizHIpez7fSrhJ6alnREONNhja79+biNB2g + EkRp676t9qckIomzevP0U+RBZe7ehn/SCb5dyTsEEheKxIDZ/sxHOlyqKhdZnPbU + BlyVLN+tq9JUDB515RUP3yE/BJnfkfqVF7GHBsIWGgyZBkITd9eNyPhsQIBu/RzS + 5gHdrGyrbkJWqAkZV7zLW/JAHnG7HexOVTEOnLBn4gC7C68wyqFDobIK+eWB9iSv + z6LJnS1Xftz9tPvNxxmdgbPk+sSZSodJNbHckYmj5ueByOL+KXpJAA== + =4ymq + -----END PGP MESSAGE----- + fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601 + - created_at: "2022-02-18T22:15:21Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA4oYbIHZIrAPAQ/+Mo7VTYxcER7fvtqqGjricQDAWQqyT4+ISFxuKQUPdx6j + y1F1J2/+rIQPkz2CaGBQvdNg0itU/9OerJq3ynwpz95EQN/u1a/nWFfP9KkNRNAR + A6fmp9FcH8AEyZ09kLsTmGhR+m8oJ4pXH7eyF3ilYcbiwCxFTKEttMg/zScaGlRk + fX1rjjgWaGYWoI/2fy3eN4Z8RXaBZE8bsETaosOq0oQbG2fMMU0BRlczwxEvyK3J + /nwOD477yywg/CwFBFVdnLEfAkunC8z7WIX4LEFHSyxvpWYYBPpGUGigU3r8Z6lz + j1hFE3AsaHdKU6yctdDHfMKGUK7buARtsSg+qtPEadqIdo7i4CAECo4utT2g4puY + DhaIwClpJUCPGmBBmy7sAn8fAltJH+0IyAk/XoDw5wpWL0OxFxoe65Ys5ByP5vwb + mCEt20BvTqyMm3i6YFv/srs7hQYy252+kgSUMHWfiQUqz3Vtt3pap7rgVemr35bR + d0iBL5QaDEpBJa1s08x28rPD0f/rkaJpQ9Lf9WmUsutvpHDcTucahLpxiCj3fwUS + 
RpDlzIZinacWWRZuhxPOmyalenDykayZb1cdEw1DonHqq/i5YLSsGsd/N1T3aj4L + I3MOh96Hk7zonJSa2rzz2fOPC5xFxnYp+jw+mIc8QbLxFu/svie9n25xLhxh2zLU + aAEJAhBqETRlgtFTg502p9XA9PJJCZdZjAlljj8MhnDw3guczfx/3wZEdcHcpiIB + p+2l3X7REMepU0gH9+voV0qb1MIdc+S13jYqJhk7pjoZykupyntIKcr9F36Ow0dS + fD6fcxuuhXNM + =UZPK + -----END PGP MESSAGE----- + fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07 + encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|hosts?|tang|externalURL|.*-secret|.*-url|.*Secrets?|.*-domain|password|subjects|node|apiURL|.*(S|s)erverNames?|.*SecretKey)$ + version: 3.7.1 diff --git a/apps/k8s01/matrix/signing-key.yaml b/apps/k8s01/matrix/signing-key.yaml new file mode 100644 index 000000000..98d56fbe9 --- /dev/null +++ b/apps/k8s01/matrix/signing-key.yaml 
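Review bot: In matrix-synapse-values.yaml, `macaroonSecretKey`, the redis `password` and the OIDC `client_secret` are supplied as inline HelmRelease `spec.values`. SOPS protects them in Git, but once the file is decrypted and applied (presumably by Flux's kustomize-controller) they are stored in cleartext in the HelmRelease object, readable by anyone allowed to get HelmReleases in `matrix`. Moving these keys into a SOPS-encrypted Secret and referencing it through `spec.valuesFrom` with `kind: Secret` would keep them behind Secret RBAC. The non-secret settings such as `enableRegistration: false` can stay inline.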
@@ -0,0 +1,60 @@ +apiVersion: v1 +kind: Secret +metadata: + name: matrix-signing-key + namespace: matrix +type: Opaque +data: + signing.key: ENC[AES256_GCM,data:RxGnc8Y9MY66W04GorfE0JDcVlUuBtNsGOm3rmzEe8x+tUIyX0ma64UNkomE2TG/i7ANqzYGAtbYzKpPCorNJuwuOh8cxvKAqm5BiniUqXc=,iv:hdwjV9LjKzEJaL0Uf0C+N/wLN0a4nPJ5FjBkcsKYzmE=,tag:c5jDcLbhI43q1RLb/Imi/Q==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2022-02-20T00:46:04Z" + mac: ENC[AES256_GCM,data:RlAPNDwdAVUjlji5e4CDjbihSu/0bJ6qwm5D/jDd6eaIrFQqsewZ1jDPfAayPmNuEn6tFJ5AViSLFCeMCwBE2Jk69qz20WPhckBy21bWM4bkCmCauL3M7ktJ6oA8aKxq56Nn2w0QzdKc96dy9pLJMqy4gtaxbS3BEIkqkgipMFc=,iv:zkIGCWaDX+DoW9eRITov8iJHfw20/0C/V+CUfBT1QN8=,tag:FlOErgPhq4TAEft79fzVng==,type:str] + pgp: + - created_at: "2022-02-20T00:12:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA7kpg2bgzVHcARAALcFi3bGOLE5rNCY/Q5Xt4g63R+kH+kE0ItWYNRAV/xJf + 3fnI5GZNGm0QOnTySTIzPfRTNnqcby3i8cbk2KppSUT3uNpAxNyd1+iPHqmRK9Ji + /BiXNS4s+VpwCCU+4C8baaLh+9J1vzXLcSDQjcag/CXz6Bwb8I507e7CkDmkYuwb + c0eZHB5jifDoZfVrFF4HC8k1ot+SfDmkQXwleFlllFlO+jnfj+4T3iGj4lkpImLq + IvqBDx3yjxujJQtzHW1XsRtXrhFCWdruU0ViyamJeuMBkleJjfhug+Taa+kKIe+1 + /O1TxR539oBblbnk2kInI5+qVVoVruxZhI0sbA/95Nqq/NLLOiH9XQfRNyXfWatv + rcvcBQ6xeUxmg7nlr66l0NpCBmS0fJITEtamYtN78PCxuKr/ulbYrt190esRPNl9 + zgfC6slwfYAJcRll2bTrbJfkrxH8qO/4xmluk8OxmEUlCaxMhhZh7uG/STWYV6n9 + wAd0QPRLlN5Sgemt5YNggE0jyH7nW49/IMgMcDB/XmHoqseEZ4Qa08bFIoLvxdFL + YEZhKAlh+4udQPB1IRpk70wsrhO8aF8iSLMseSOAsM/b3LISgdTF0JWaGQvGEOo3 + sI/wQ7eohIcxXpH3Y1ubwqEYwFwpqOcA0T/myxB/80lP0uMSi1JET3Eilm7qhzfS + 5gGjtUePVbUi7/93piIfx/WgprjgeEgVkPHOrbFQea8lhstcx+SFm9ImKroZhPOJ + tswbwtndUbjG8i/r3/BZ48/kw+v6dZG9I14yO91RPasMuuKnNwW8AA== + =8PzD + -----END PGP MESSAGE----- + fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601 + - created_at: "2022-02-20T00:12:22Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA4oYbIHZIrAPARAAnr/1S6eA956tAhY4EZQN46/JyTOh2OY2t78xuENYmjH9 + 
PyH5UPmYxpB/krG1UBmTmMcl6J/pmwXSDmmIOEA7+x6wEyBEiBey5YfytPBpfK7h + 07pfobNLyWv73Po/nABqZtTfgjMd6nz4d73h4rGNIicZKZMS76Su5NrlQNZaJtng + ED5EqncXZOUGp/25WZfAI5caJ/DHiSunfJXMu2Fw0zJxWJFoJvJJrR0CG6eHBspO + iHF1dM2pDIfywy6x1sWnPwCYzKULwbIOpD7G8ulg3unUASL3rQL6GpiGgDomLkW2 + iMO5Qh/d+hbSNs+zrATo50PB4AzMtfzGDRQzXJ6n5UC25Pja8M83akhmXyNHPV5j + HEj2oJrf7iK3wf2XU4CbHlfAfyQxq9PsJRYy3i6VX44Ou+BVpyT4wsjws8B0h4ws + 1gjB764Ii6/xR5ZtYYqH1dHmoGsinrYKAWCXnaBynUtEkGRUgt8kYrVln1KTtjAT + jbXlTcHGeyd29Y2FomsOyqWNnj6erWxjrSLYDCViARiYW+JGQLBJzsSIlDpnJsCg + hDmsrDULjpGahmEI+neHrGyYMYAbxkmRKPGc/KB743/8veS39cCgAk0us1NpQ6Z8 + zahJlhAW21o5vcrAvE0g2aCagBatF/nxZ1IZblbA0Z+ISyFrh8AE64jA4Y84yHzU + ZgEJAhAZ7x/tE+rRbAS6aVREyis6MA73yef64yBOoIveG0i2skxsFgWWom3LJft1 + waO9AP8amxTPsI2Y0dKKu1MvDmbi8NODUj8LQYviqqIfes21cMyK5bmxxNtSEDF6 + qvtHdAeqdg== + =ICMR + -----END PGP MESSAGE----- + fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07 + encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|hosts?|tang|externalURL|.*-secret|.*-url|.*Secrets?|.*-domain|password|subjects|node|apiURL|.*(S|s)erverNames?|.*SecretKey)$ + version: 3.7.1 -- GitLab