Add Gateway/HTTPRoute alternative ingress #1050
JoshuaHassler wants to merge 3 commits into element-hq:main from
Conversation
Add support for Kubernetes Gateway/HTTPRoute resources as an alternative ingress.
- Add conditional logic for HTTPRoute/Ingress generation
- Add HTTPRoute configuration to values files
- Refactor ingress values to separate common keys
- Add option to disable ingress altogether
- Add optional Gateway resource
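When a chart can expose a component through either an Ingress or an HTTPRoute, and can also disable ingress entirely, the rendered output needs a check that catches the two failure modes that matter operationally: a component silently dropping out of the render (no exposure at all), and a component being exposed twice through routes that may carry different TLS or policy settings. The script below is an added example, not code from this PR or from the ess-helm chart; `check_exposure`, the sample manifests and the `release-name-*` service names are constructed for illustration, and it reads manifests as JSON-decoded dicts (convert `helm template` output to JSON with yq or kubectl before feeding it in).

```python
"""Invariant check over rendered Kubernetes manifests.

For a chart that can expose a component through either an Ingress or a
Gateway API HTTPRoute, two things must stay true after rendering:
  1. every component expected to be reachable is exposed by exactly one of
     the two (none means it silently dropped out of the render, both means
     two routes with possibly different TLS/policy settings), and
  2. every HTTPRoute parentRef points at a Gateway that is either rendered
     alongside it or explicitly declared as managed outside the chart.
"""
from collections import defaultdict


def index_by_kind(manifests):
    """Group manifest dicts (JSON-decoded Kubernetes objects) by kind."""
    by_kind = defaultdict(list)
    for m in manifests:
        by_kind[m["kind"]].append(m)
    return by_kind


def ingress_backends(ingress):
    """Service names an Ingress routes to (spec.rules[].http.paths[].backend.service.name)."""
    names = set()
    for rule in ingress.get("spec", {}).get("rules", []):
        for path in rule.get("http", {}).get("paths", []):
            svc = path.get("backend", {}).get("service", {})
            if "name" in svc:
                names.add(svc["name"])
    return names


def httproute_backends(route):
    """Service names an HTTPRoute routes to; backendRefs default to kind Service."""
    names = set()
    for rule in route.get("spec", {}).get("rules", []):
        for ref in rule.get("backendRefs", []):
            if ref.get("kind", "Service") == "Service" and "name" in ref:
                names.add(ref["name"])
    return names


def check_exposure(manifests, expected_services, external_gateways=()):
    """Return a list of problem strings; an empty list means the invariants hold."""
    by_kind = index_by_kind(manifests)
    problems = []
    rendered_services = {s["metadata"]["name"] for s in by_kind["Service"]}

    exposed_by = defaultdict(set)  # service name -> {"Ingress", "HTTPRoute"}
    for ing in by_kind["Ingress"]:
        for svc in ingress_backends(ing):
            exposed_by[svc].add("Ingress")
    for route in by_kind["HTTPRoute"]:
        for svc in httproute_backends(route):
            exposed_by[svc].add("HTTPRoute")

    for svc in expected_services:
        if svc not in rendered_services:
            # The component's Service is absent: it dropped out of the render entirely.
            problems.append(f"{svc}: Service missing from rendered output")
            continue
        kinds = exposed_by.get(svc, set())
        if not kinds:
            problems.append(f"{svc}: not exposed by any Ingress or HTTPRoute")
        elif len(kinds) > 1:
            problems.append(f"{svc}: exposed by both {sorted(kinds)}")

    # Every HTTPRoute must attach to a Gateway we rendered or one declared external.
    gateways = {(g["metadata"].get("namespace"), g["metadata"]["name"])
                for g in by_kind["Gateway"]}
    allowed = gateways | set(external_gateways)
    for route in by_kind["HTTPRoute"]:
        ns = route["metadata"].get("namespace")
        for ref in route.get("spec", {}).get("parentRefs", []):
            target = (ref.get("namespace", ns), ref.get("name"))
            if target not in allowed:
                problems.append(
                    f"HTTPRoute/{route['metadata']['name']}: parentRef {target[1]} "
                    f"in {target[0]} is not rendered and not declared external")
    return problems


# Constructed sample render (not the chart's real output): element-web behind an
# Ingress, element-admin behind an HTTPRoute attached to a rendered Gateway, and
# no synapse Service at all, mimicking a component that dropped out of the render.
SAMPLE_MANIFESTS = [
    {"kind": "Service", "metadata": {"name": "release-name-element-web", "namespace": "ess-ci"}},
    {"kind": "Service", "metadata": {"name": "release-name-element-admin", "namespace": "ess-ci"}},
    {"kind": "Ingress", "metadata": {"name": "release-name-element-web", "namespace": "ess-ci"},
     "spec": {"rules": [{"host": "element.ess.localhost", "http": {"paths": [
         {"path": "/", "pathType": "Prefix",
          "backend": {"service": {"name": "release-name-element-web", "port": {"name": "web"}}}}]}}]}},
    {"kind": "Gateway", "metadata": {"name": "ess-gateway", "namespace": "ess-ci"}},
    {"kind": "HTTPRoute", "metadata": {"name": "release-name-element-admin", "namespace": "ess-ci"},
     "spec": {"parentRefs": [{"name": "ess-gateway"}],
              "hostnames": ["admin.ess.localhost"],
              "rules": [{"backendRefs": [{"name": "release-name-element-admin", "port": 8080}]}]}},
]
EXPECTED_SERVICES = ["release-name-element-web", "release-name-element-admin",
                     "release-name-synapse"]

if __name__ == "__main__":
    for problem in check_exposure(SAMPLE_MANIFESTS, EXPECTED_SERVICES):
        print("FAIL:", problem)
```

Run against a render of a values file for each exposure mode (Ingress, HTTPRoute with the optional Gateway, HTTPRoute with an external Gateway passed via `external_gateways`, and ingress disabled with an empty expected list) so a values refactor that renames an enabling key fails CI instead of quietly removing a component.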
It seems the CLAassistant has answered one of my questions 😄. I'll update the files.
👋 thanks for raising this PR. Sorry, I meant to reply to this yesterday but it got put to one side and I forgot to pick it back up. Supporting the Gateway API is definitely something we would accept and would like in ESS Community. We would want to get the design & structure of the values correct given how fundamental this would be to the whole stack. I haven't looked at this PR in huge detail yet, but wanted to raise some initial queries. I don't necessarily know the correct answer yet to all of these, but they're just things that came to mind on a first pass.
Other observations
I'll try to look at this in more detail next week, especially as we discuss the questions I've asked above. Once again, thanks for raising this.
dyff of changes in rendered templates of CI manifests

Full contents of manifests and dyffs are available in https://github.com/element-hq/ess-helm/actions/runs/22161565420/artifacts/5592879875

all-enabled-values.yaml
@@ Deployment/ess-ci/release-name-haproxy - spec.template.spec @@
- restartPolicy: Always
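Review bot: dropping `restartPolicy: Always` from the haproxy Deployment pod spec (and, in the hunks that follow, from matrix-authentication-service, the two matrix-rtc workloads, hookshot, postgres and synapse-main) is outside the PR's stated scope. `Always` is the default for Deployment and StatefulSet pods, so the rendered behaviour is unchanged, but if this comes from the branch being behind main, please rebase so the dyff only shows the Gateway/HTTPRoute changes; otherwise say why it is here.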
@@ Deployment/ess-ci/release-name-matrix-authentication-service - spec.template.spec @@
- restartPolicy: Always
@@ Deployment/ess-ci/release-name-matrix-rtc-authorisation-service - spec.template.spec @@
- restartPolicy: Always
@@ Deployment/ess-ci/release-name-matrix-rtc-sfu - spec.template.spec @@
- restartPolicy: Always
@@ Ingress/ess-ci/release-name-synapse - metadata @@
+ test: true
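Review bot: `test: true` under `metadata` of the synapse Ingress looks like a leftover from local debugging and is unrelated to the Gateway/HTTPRoute work; `metadata` has no such field, so the manifest is rejected under strict server-side field validation and the key is silently pruned otherwise. Drop it from the synapse ingress template.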
@@ Job/ess-ci/release-name-deployment-markers-post - spec.template.spec.restartPolicy @@
- Never
+ OnFailure
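Review bot: changing the deployment-markers-post Job's `restartPolicy` from `Never` to `OnFailure` (and the same in the deployment-markers-pre and init-secrets Job hunks) is a behaviour change unrelated to the ingress work: with `OnFailure` the kubelet restarts the container inside the same pod, so a failed init-secrets run no longer leaves a failed pod behind and its earlier logs are only reachable with `--previous`, whereas with `Never` each retry is a fresh pod up to `backoffLimit`. If it is intentional it belongs in its own PR; if it is base-branch drift, rebase.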
@@ Job/ess-ci/release-name-deployment-markers-pre - spec.template.spec.restartPolicy @@
- Never
+ OnFailure
@@ Job/ess-ci/release-name-init-secrets - spec.template.spec.restartPolicy @@
- Never
+ OnFailure
@@ StatefulSet/ess-ci/release-name-hookshot - spec.template.spec @@
- restartPolicy: Always
@@ StatefulSet/ess-ci/release-name-postgres - spec.template.spec @@
- restartPolicy: Always
@@ StatefulSet/ess-ci/release-name-synapse-main - spec.template.spec @@
- restartPolicy: Always
element-admin-checkov-values.yaml
@@ ConfigMap/ess-ci/release-name-element-admin @@
- ---
- # Source: matrix-stack/templates/element-admin/configmap.yaml
- apiVersion: v1
- kind: ConfigMap
- metadata:
- labels:
- helm.sh/chart: "matrix-stack-26.2.3-dev"
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: matrix-stack
- app.kubernetes.io/component: matrix-admin-client
- app.kubernetes.io/name: element-admin
- app.kubernetes.io/instance: release-name-element-admin
- app.kubernetes.io/version: "0.1.10"
- name: release-name-element-admin
- namespace: ess-ci
- data:
- default.conf: |
- # Built from https://github.com/element-hq/element-admin/blob/main/docker/nginx.conf
- # * /health added for k8s
- # * setting a charset
- # * setting error_page
- # * listening on IPv6
- # * setting server_name
- # * adding 'Cache-Control: no-cache' to root
- # * ensuring security headers are applied even where there's location blocks
- server {
- listen 8080;
- listen [::]:8080 ipv6only=on;
- server_name localhost;
-
- root /dist; # noqa
- index index.html;
- charset utf-8;
-
- # Enable gzip compression
- gzip on;
- gzip_static on;
-
- # Cache static assets
- location /assets {
- expires 1y;
- add_header Cache-Control "public, max-age=31536000, immutable";
- include /etc/nginx/security_headers.conf;
- }
-
- include /etc/nginx/security_headers.conf;
-
- # Set no-cache for the index.html
- # so that browsers always check for a new copy of Element Admin.
- # NB http://your-domain/ and http://your-domain/? are also covered by this
- location / {
- add_header Cache-Control "no-cache";
- index /index.runtime.html /index.html;
- try_files $uri $uri/ /;
- include /etc/nginx/security_headers.conf;
- }
-
- location = /health {
- allow all;
- default_type 'application/json';
- return 200 '{"status": "ok"}';
- }
- # redirect server error pages to the static page /50x.html
- #
- error_page 500 502 503 504 /50x.html;
- }
- # Customisations that we do at the http rather than the server level
- http_customisations.conf: |
- server_tokens off;
- set_real_ip_from 0.0.0.0/0;
- set_real_ip_from ::/0;
- real_ip_header X-Forwarded-For;
- # For repeated inclusion in default.conf because the add_header directives need to be repeated as per
- # https://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header as they are only inherited from
- # the server block iff there's no add_header directives in the location block
- security_headers.conf: |
- # Copyright 2025 New Vector Ltd
- # Copyright 2025 Element Creations Ltd
- # SPDX-License-Identifier: AGPL-3.0-only
-
- add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' blob: data:; font-src 'self'; connect-src *; object-src 'none'; media-src 'self'; child-src 'none'; worker-src 'self'; manifest-src 'self';" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header X-Frame-Options "DENY" always;
- add_header X-Robots-Tag "noindex, nofollow, noarchive, noimageindex" always;
- add_header X-XSS-Protection "1; mode=block" always;
- add_header Referrer-Policy "strict-origin-when-cross-origin" always;
- add_header Permissions-Policy "geolocation=(), camera=(), microphone=(), payment=(), usb=(), magnetometer=(), accelerometer=(), gyroscope=()" always;
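Review bot: the whole element-admin ConfigMap disappears from the render for this values file, and the Deployment, Ingress, Service and ServiceAccount hunks that follow show the same, so the component no longer renders at all rather than merely changing how it is exposed. Given that the PR refactors the ingress values into common keys and adds an option to disable ingress, the likely cause is that the component's enable condition (or this CI values file) now keys off a renamed value. Check the CI values against the new key names and add a template test that fails when a component rendered on main is absent on the branch.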
@@ Deployment/ess-ci/release-name-element-admin @@
- ---
- # Source: matrix-stack/templates/element-admin/deployment.yaml
- apiVersion: apps/v1
- kind: Deployment
- metadata:
- annotations:
- checkov.io/skip1: CKV_K8S_11=We deliberately don't set CPU limits. Pod is BestEffort not Guaranteed
- checkov.io/skip2: CKV_K8S_43=No digests
- checkov.io/skip3: CKV2_K8S_6=No network policy yet
- labels:
- helm.sh/chart: "matrix-stack-26.2.3-dev"
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: matrix-stack
- app.kubernetes.io/component: matrix-admin-client
- app.kubernetes.io/name: element-admin
- app.kubernetes.io/instance: release-name-element-admin
- app.kubernetes.io/version: "0.1.10"
- k8s.element.io/element-admin-config-hash: "6b669cd646bf3a19cda81458eb79e5295db17683"
- name: release-name-element-admin
- namespace: ess-ci
- spec:
- replicas: 1
- selector:
- matchLabels:
- app.kubernetes.io/instance: release-name-element-admin
- strategy:
- type: RollingUpdate
- rollingUpdate:
- maxSurge: 2
- maxUnavailable: 0
- template:
- metadata:
- labels:
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: matrix-stack
- app.kubernetes.io/component: matrix-admin-client
- app.kubernetes.io/name: element-admin
- app.kubernetes.io/instance: release-name-element-admin
- app.kubernetes.io/version: "0.1.10"
- k8s.element.io/element-admin-config-hash: "6b669cd646bf3a19cda81458eb79e5295db17683"
- annotations:
- checkov.io/skip1: CKV_K8S_11=We deliberately don't set CPU limits. Pod is BestEffort not Guaranteed
- checkov.io/skip2: CKV_K8S_43=No digests
- checkov.io/skip3: CKV2_K8S_6=No network policy yet
- spec:
- automountServiceAccountToken: false
- serviceAccountName: release-name-element-admin
- securityContext:
- fsGroup: 10104
- runAsGroup: 10104
- runAsNonRoot: true
- runAsUser: 10104
- seccompProfile:
- type: RuntimeDefault
- supplementalGroups: []
- restartPolicy: Always
- topologySpreadConstraints:
- - labelSelector:
- matchLabels:
- app.kubernetes.io/instance: release-name-element-admin
- matchLabelKeys:
- - pod-template-hash
- maxSkew: 1
- topologyKey: kubernetes.io/hostname
- whenUnsatisfiable: ScheduleAnyway
- containers:
- - name: element-admin
- image: "oci.element.io/element-admin:0.1.10"
- imagePullPolicy: Always
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- ports:
- - containerPort: 8080
- name: http
- protocol: TCP
- livenessProbe:
- failureThreshold: 3
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 1
- httpGet:
- path: /health
- port: http
- scheme: HTTP
- readinessProbe:
- failureThreshold: 3
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 1
- httpGet:
- path: /health
- port: http
- scheme: HTTP
- startupProbe:
- failureThreshold: 3
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 1
- httpGet:
- path: /health
- port: http
- scheme: HTTP
- resources:
- limits:
- memory: 200Mi
- requests:
- cpu: 50m
- memory: 50Mi
- volumeMounts:
- - mountPath: /tmp
- name: nginx-tmp
- volumes:
- - emptyDir:
- medium: Memory
- name: nginx-tmp
@@ Ingress/ess-ci/release-name-element-admin @@
- ---
- # Source: matrix-stack/templates/element-admin/ingress.yaml
- apiVersion: networking.k8s.io/v1
- kind: Ingress
- metadata:
- labels:
- helm.sh/chart: "matrix-stack-26.2.3-dev"
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: matrix-stack
- app.kubernetes.io/component: matrix-admin-client
- app.kubernetes.io/name: element-admin
- app.kubernetes.io/instance: release-name-element-admin
- app.kubernetes.io/version: "0.1.10"
- name: release-name-element-admin
- namespace: ess-ci
- spec:
- tls:
- - hosts:
- - "admin.ess.localhost"
- rules:
- - host: "admin.ess.localhost"
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: release-name-element-admin
- port:
- name: http
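Review bot: the element-admin Ingress is removed here but nothing in this values file's dyff adds an HTTPRoute in its place, so for element-admin-checkov-values.yaml the new path is never exercised and the component ends up with no exposure at all. Add CI values that set the HTTPRoute option (one with the optional Gateway rendered, one relying on an external Gateway) so the HTTPRoute and its parentRef show up in the dyff and get checked.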
@@ Service/ess-ci/release-name-element-admin @@
- ---
- # Source: matrix-stack/templates/element-admin/service.yaml
- apiVersion: v1
- kind: Service
- metadata:
- labels:
- helm.sh/chart: "matrix-stack-26.2.3-dev"
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: matrix-stack
- app.kubernetes.io/component: matrix-admin-client
- app.kubernetes.io/name: element-admin
- app.kubernetes.io/instance: release-name-element-admin
- app.kubernetes.io/version: "0.1.10"
- name: release-name-element-admin
- namespace: ess-ci
- spec:
- type: ClusterIP
- internalTrafficPolicy: Cluster
- ipFamilyPolicy: PreferDualStack
- ports:
- - port: 8080
- targetPort: http
- name: http
- selector:
- app.kubernetes.io/instance: release-name-element-admin
@@ ServiceAccount/ess-ci/release-name-element-admin @@
- ---
- # Source: matrix-stack/templates/element-admin/serviceaccount.yaml
- apiVersion: v1
- kind: ServiceAccount
- metadata:
- labels:
- helm.sh/chart: "matrix-stack-26.2.3-dev"
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: matrix-stack
- app.kubernetes.io/component: matrix-admin-client
- app.kubernetes.io/name: element-admin
- app.kubernetes.io/instance: release-name-element-admin
- app.kubernetes.io/version: "0.1.10"
- name: release-name-element-admin
- namespace: ess-ci
- automountServiceAccountToken: false
element-admin-minimal-values.yaml
@@ ConfigMap/ess-ci/release-name-element-admin @@
- ---
- # Source: matrix-stack/templates/element-admin/configmap.yaml
- apiVersion: v1
- kind: ConfigMap
- metadata:
- labels:
- helm.sh/chart: "matrix-stack-26.2.3-dev"
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: matrix-stack
- app.kubernetes.io/component: matrix-admin-client
- app.kubernetes.io/name: element-admin
- app.kubernetes.io/instance: release-name-element-admin
- app.kubernetes.io/version: "0.1.10"
- name: release-name-element-admin
- namespace: ess-ci
- data:
- default.conf: |
- # Built from https://github.com/element-hq/element-admin/blob/main/docker/nginx.conf
- # * /health added for k8s
- # * setting a charset
- # * setting error_page
- # * listening on IPv6
- # * setting server_name
- # * adding 'Cache-Control: no-cache' to root
- # * ensuring security headers are applied even where there's location blocks
- server {
- listen 8080;
- listen [::]:8080 ipv6only=on;
- server_name localhost;
-
- root /dist; # noqa
- index index.html;
- charset utf-8;
-
- # Enable gzip compression
- gzip on;
- gzip_static on;
-
- # Cache static assets
- location /assets {
- expires 1y;
- add_header Cache-Control "public, max-age=31536000, immutable";
- include /etc/nginx/security_headers.conf;
- }
-
- include /etc/nginx/security_headers.conf;
-
- # Set no-cache for the index.html
- # so that browsers always check for a new copy of Element Admin.
- # NB http://your-domain/ and http://your-domain/? are also covered by this
- location / {
- add_header Cache-Control "no-cache";
- index /index.runtime.html /index.html;
- try_files $uri $uri/ /;
- include /etc/nginx/security_headers.conf;
- }
-
- location = /health {
- allow all;
- default_type 'application/json';
- return 200 '{"status": "ok"}';
- }
- # redirect server error pages to the static page /50x.html
- #
- error_page 500 502 503 504 /50x.html;
- }
- # Customisations that we do at the http rather than the server level
- http_customisations.conf: |
- server_tokens off;
- set_real_ip_from 0.0.0.0/0;
- set_real_ip_from ::/0;
- real_ip_header X-Forwarded-For;
- # For repeated inclusion in default.conf because the add_header directives need to be repeated as per
- # https://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header as they are only inherited from
- # the server block iff there's no add_header directives in the location block
- security_headers.conf: |
- # Copyright 2025 New Vector Ltd
- # Copyright 2025 Element Creations Ltd
- # SPDX-License-Identifier: AGPL-3.0-only
-
- add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' blob: data:; font-src 'self'; connect-src *; object-src 'none'; media-src 'self'; child-src 'none'; worker-src 'self'; manifest-src 'self';" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header X-Frame-Options "DENY" always;
- add_header X-Robots-Tag "noindex, nofollow, noarchive, noimageindex" always;
- add_header X-XSS-Protection "1; mode=block" always;
- add_header Referrer-Policy "strict-origin-when-cross-origin" always;
- add_header Permissions-Policy "geolocation=(), camera=(), microphone=(), payment=(), usb=(), magnetometer=(), accelerometer=(), gyroscope=()" always;
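Review bot: the same disappearance with element-admin-minimal-values.yaml matters more than the checkov case: minimal values exercise the chart's defaults, so it is the default branch of the refactored Ingress/HTTPRoute conditional that drops the component, not a CI-specific override. Check the default of the new disable-ingress option and what the conditional renders when neither Ingress nor HTTPRoute is explicitly set; a user upgrading with unchanged values would lose element-admin.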
@@ Deployment/ess-ci/release-name-element-admin @@
- ---
- # Source: matrix-stack/templates/element-admin/deployment.yaml
- apiVersion: apps/v1
- kind: Deployment
- metadata:
- labels:
- helm.sh/chart: "matrix-stack-26.2.3-dev"
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: matrix-stack
- app.kubernetes.io/component: matrix-admin-client
- app.kubernetes.io/name: element-admin
- app.kubernetes.io/instance: release-name-element-admin
- app.kubernetes.io/version: "0.1.10"
- k8s.element.io/element-admin-config-hash: "6b669cd646bf3a19cda81458eb79e5295db17683"
- name: release-name-element-admin
- namespace: ess-ci
- spec:
- replicas: 1
- selector:
- matchLabels:
- app.kubernetes.io/instance: release-name-element-admin
- strategy:
- type: RollingUpdate
- rollingUpdate:
- maxSurge: 2
- maxUnavailable: 0
- template:
- metadata:
- labels:
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: matrix-stack
- app.kubernetes.io/component: matrix-admin-client
- app.kubernetes.io/name: element-admin
- app.kubernetes.io/instance: release-name-element-admin
- app.kubernetes.io/version: "0.1.10"
- k8s.element.io/element-admin-config-hash: "6b669cd646bf3a19cda81458eb79e5295db17683"
- spec:
- automountServiceAccountToken: false
- serviceAccountName: release-name-element-admin
- securityContext:
- fsGroup: 10104
- runAsGroup: 10104
- runAsNonRoot: true
- runAsUser: 10104
- seccompProfile:
- type: RuntimeDefault
- supplementalGroups: []
- restartPolicy: Always
- topologySpreadConstraints:
- - labelSelector:
- matchLabels:
- app.kubernetes.io/instance: release-name-element-admin
- matchLabelKeys:
- - pod-template-hash
- maxSkew: 1
- topologyKey: kubernetes.io/hostname
- whenUnsatisfiable: ScheduleAnyway
- containers:
- - name: element-admin
- image: "oci.element.io/element-admin:0.1.10"
- imagePullPolicy: Always
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- ports:
- - containerPort: 8080
- name: http
- protocol: TCP
- livenessProbe:
- failureThreshold: 3
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 1
- httpGet:
- path: /health
- port: http
- scheme: HTTP
- readinessProbe:
- failureThreshold: 3
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 1
- httpGet:
- path: /health
- port: http
- scheme: HTTP
- startupProbe:
- failureThreshold: 3
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 1
- httpGet:
- path: /health
- port: http
- scheme: HTTP
- resources:
- limits:
- memory: 200Mi
- requests:
- cpu: 50m
- memory: 50Mi
- volumeMounts:
- - mountPath: /tmp
- name: nginx-tmp
- volumes:
- - emptyDir:
- medium: Memory
- name: nginx-tmp
@@ Ingress/ess-ci/release-name-element-admin @@
- ---
- # Source: matrix-stack/templates/element-admin/ingress.yaml
- apiVersion: networking.k8s.io/v1
- kind: Ingress
- metadata:
- labels:
- helm.sh/chart: "matrix-stack-26.2.3-dev"
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: matrix-stack
- app.kubernetes.io/component: matrix-admin-client
- app.kubernetes.io/name: element-admin
- app.kubernetes.io/instance: release-name-element-admin
- app.kubernetes.io/version: "0.1.10"
- name: release-name-element-admin
- namespace: ess-ci
- spec:
- tls:
- - hosts:
- - "admin.ess.localhost"
- rules:
- - host: "admin.ess.localhost"
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: release-name-element-admin
- port:
- name: http
@@ Service/ess-ci/release-name-element-admin @@
- ---
- # Source: matrix-stack/templates/element-admin/service.yaml
- apiVersion: v1
- kind: Service
- metadata:
- labels:
- helm.sh/chart: "matrix-stack-26.2.3-dev"
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: matrix-stack
- app.kubernetes.io/component: matrix-admin-client
- app.kubernetes.io/name: element-admin
- app.kubernetes.io/instance: release-name-element-admin
- app.kubernetes.io/version: "0.1.10"
- name: release-name-element-admin
- namespace: ess-ci
- spec:
- type: ClusterIP
- internalTrafficPolicy: Cluster
- ipFamilyPolicy: PreferDualStack
- ports:
- - port: 8080
- targetPort: http
- name: http
- selector:
- app.kubernetes.io/instance: release-name-element-admin
@@ ServiceAccount/ess-ci/release-name-element-admin @@
- ---
- # Source: matrix-stack/templates/element-admin/serviceaccount.yaml
- apiVersion: v1
- kind: ServiceAccount
- metadata:
- labels:
- helm.sh/chart: "matrix-stack-26.2.3-dev"
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: matrix-stack
- app.kubernetes.io/component: matrix-admin-client
- app.kubernetes.io/name: element-admin
- app.kubernetes.io/instance: release-name-element-admin
- app.kubernetes.io/version: "0.1.10"
- name: release-name-element-admin
- namespace: ess-ci
- automountServiceAccountToken: false
element-web-checkov-values.yaml
@@ ConfigMap/ess-ci/release-name-element-web-nginx @@
- ---
- # Source: matrix-stack/templates/element-web/nginx_configmap.yaml
- apiVersion: v1
- kind: ConfigMap
- metadata:
- labels:
- helm.sh/chart: "matrix-stack-26.2.3-dev"
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: matrix-stack
- app.kubernetes.io/component: matrix-client
- app.kubernetes.io/name: element-web
- app.kubernetes.io/instance: release-name-element-web
- app.kubernetes.io/version: "v1.12.10"
- name: release-name-element-web-nginx
- namespace: ess-ci
- data:
- default.conf: |
- # Copy of https://github.com/element-hq/element-web/blob/v1.11.97/docker/nginx-templates/default.conf.template but
- # * not as a template, using a hard-coded port
- # * the recommendations from https://github.com/element-hq/element-web/tree/v1.11.97?tab=readme-ov-file#configuration-best-practices added
- # * /health added for k8s
- # * setting a charset
- # * ensuring our security headers include are applied, whether or not paths are in location blocks or not
- server {
- listen 8080;
- listen [::]:8080 ipv6only=on;
- server_name localhost;
-
- root /usr/share/nginx/html; # noqa
- index index.html;
- charset utf-8;
-
- include /etc/nginx/security_headers.conf;
-
- # Set no-cache for the version, config and index.html
- # so that browsers always check for a new copy of Element Web.
- # NB http://your-domain/ and http://your-domain/? are also covered by this
-
- location = /index.html {
- add_header Cache-Control "no-cache";
- include /etc/nginx/security_headers.conf;
- }
- location = /version {
- add_header Cache-Control "no-cache";
- include /etc/nginx/security_headers.conf;
- }
- # covers config.json and config.hostname.json requests as it is prefix.
- location /config {
- # Serving /app/config.json as per https://github.com/element-hq/element-web/blob/v1.11.97/docker/docker-entrypoint.d/18-load-element-modules.sh#L15
- root /tmp/element-web-config;
- add_header Cache-Control "no-cache";
- include /etc/nginx/security_headers.conf;
- }
- location /modules {
- alias /modules;
- }
- location = /health {
- allow all;
- default_type 'application/json';
- return 200 '{"status": "ok"}';
- }
- # redirect server error pages to the static page /50x.html
- #
- error_page 500 502 503 504 /50x.html;
- }
- # Customisations that we do at the http rather than the server level
- http_customisations.conf: |
- server_tokens off;
- set_real_ip_from 0.0.0.0/0;
- set_real_ip_from ::/0;
- real_ip_header X-Forwarded-For;
- # For repeated inclusion in default.conf because the add_header directives need to be repeated as per
- # https://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header as they are only inherited from
- # the server block iff there's no add_header directives in the location block
- security_headers.conf: |
- # Copyright 2025 New Vector Ltd
- # Copyright 2025 Element Creations Ltd
- # SPDX-License-Identifier: AGPL-3.0-only
-
- add_header Content-Security-Policy "frame-ancestors 'self'";
- add_header X-Content-Type-Options nosniff;
- add_header X-Frame-Options SAMEORIGIN;
- add_header X-Robots-Tag "noindex, nofollow, noarchive, noimageindex";
- add_header X-XSS-Protection "1; mode=block";
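Review bot: element-web vanishes from the render exactly as element-admin does, which points at the shared ingress values refactor rather than a per-component template. Note that this ConfigMap is what carries the security headers include and the `set_real_ip_from`/`real_ip_header` configuration, so the regression removes the hardening along with the routing; a render-diff guard that fails on any resource present on main but absent on the branch would have caught both component losses.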
@@ ConfigMap/ess-ci/release-name-element-web @@
- ---
- # Source: matrix-stack/templates/element-web/configmap.yaml
- apiVersion: v1
- kind: ConfigMap
- metadata:
- labels:
- helm.sh/chart: "matrix-stack-26.2.3-dev"
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: matrix-stack
- app.kubernetes.io/component: matrix-client
- app.kubernetes.io/name: element-web
- app.kubernetes.io/instance: release-name-element-web
- app.kubernetes.io/version: "v1.12.10"
- name: release-name-element-web
- namespace: ess-ci
- data:
- config.json: |
- {
- "bug_report_endpoint_url": "https://rageshakes.element.io/api/submit",
- "default_server_config": {
- "m.homeserver": {}
- },
- "map_style_url": "https://api.maptiler.com/maps/streets/style.json?key=fU3vlMsMn4Jb6dnEIFsx",
- "mobile_guide_app_variant": "element",
- "setting_defaults": {}
- }
@@ Deployment/ess-ci/release-name-element-web @@
- ---
- # Source: matrix-stack/templates/element-web/deployment.yaml
- apiVersion: apps/v1
- kind: Deployment
- metadata:
- annotations:
- checkov.io/skip1: CKV_K8S_11=We deliberately don't set CPU limits. Pod is BestEffort not Guaranteed
- checkov.io/skip2: CKV_K8S_43=No digests
- checkov.io/skip3: CKV2_K8S_6=No network policy yet
- labels:
- helm.sh/chart: "matrix-stack-26.2.3-dev"
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: matrix-stack
- app.kubernetes.io/component: matrix-client
- app.kubernetes.io/name: element-web
- app.kubernetes.io/instance: release-name-element-web
- app.kubernetes.io/version: "v1.12.10"
- k8s.element.io/element-web-config-hash: "994c7bbea2846e7cd12de639bba56e30f0974be0"
- k8s.element.io/nginx-config-hash: "ebf74e60cb1f5e455ca5140db2681c39df455fd6"
- name: release-name-element-web
- namespace: ess-ci
- spec:
- replicas: 1
- selector:
- matchLabels:
- app.kubernetes.io/instance: release-name-element-web
- strategy:
- type: RollingUpdate
- rollingUpdate:
- maxSurge: 2
- maxUnavailable: 0
- template:
- metadata:
- labels:
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: matrix-stack
- app.kubernetes.io/component: matrix-client
- app.kubernetes.io/name: element-web
- app.kubernetes.io/instance: release-name-element-web
- app.kubernetes.io/version: "v1.12.10"
- k8s.element.io/element-web-config-hash: "994c7bbea2846e7cd12de639bba56e30f0974be0"
- k8s.element.io/nginx-config-hash: "ebf74e60cb1f5e455ca5140db2681c39df455fd6"
- annotations:
- checkov.io/skip1: CKV_K8S_11=We deliberately don't set CPU limits. Pod is BestEffort not Guaranteed
- checkov.io/skip2: CKV_K8S_43=No digests
- checkov.io/skip3: CKV2_K8S_6=No network policy yet
- spec:
- automountServiceAccountToken: false
- serviceAccountName: release-name-element-web
- securityContext:
- fsGroup: 10004
- runAsGroup: 10004
- runAsNonRoot: true
- runAsUser: 10004
- seccompProfile:
- type: RuntimeDefault
- supplementalGroups: []
- restartPolicy: Always
- topologySpreadConstraints:
- - labelSelector:
- matchLabels:
- app.kubernetes.io/instance: release-name-element-web
- matchLabelKeys:
- - pod-template-hash
- maxSkew: 1
- topologyKey: kubernetes.io/hostname
- whenUnsatisfiable: ScheduleAnyway
- containers:
- - name: element-web
- image: "oci.element.io/element-web:v1.12.10"
- imagePullPolicy: Always
- env:
- - name: NGINX_ENVSUBST_TEMPLATE_DIR
- value: /non-existant-so-that-this-works-with-read-only-root-filesystem
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- ports:
- - containerPort: 8080
- name: element
- protocol: TCP
- livenessProbe:
- failureThreshold: 3
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 1
- httpGet:
- path: /health
- port: element
- scheme: HTTP
- readinessProbe:
- failureThreshold: 3
- periodSeconds: 3
- successThreshold: 1
- timeoutSeconds: 1
- httpGet:
- path: /health
- port: element
- scheme: HTTP
- startupProbe:
- failureThreshold: 4
- periodSeconds: 3
- successThreshold: 1
- timeoutSeconds: 1
- httpGet:
- path: /health
- port: element
- scheme: HTTP
- resources:
- limits:
- memory: 200Mi
- requests:
- cpu: 50m
- memory: 50Mi
- volumeMounts:
- - mountPath: /app/config.json
- name: config
- readOnly: true
- subPath: config.json
- - mountPath: /etc/nginx/conf.d/default.conf
- name: nginx-config
- readOnly: true
- subPath: default.conf
- - mountPath: /etc/nginx/conf.d/http_customisations.conf
- name: nginx-config
- readOnly: true
- subPath: http_customisations.conf
- - mountPath: /etc/nginx/security_headers.conf
- name: nginx-config
- readOnly: true
- subPath: security_headers.conf
- - mountPath: /tmp
- name: nginx-tmp
- volumes:
- - configMap:
- defaultMode: 420
- name: release-name-element-web
- name: config
- - configMap:
- defaultMode: 420
- name: release-name-element-web-nginx
- name: nginx-config
- - emptyDir:
- medium: Memory
- name: nginx-tmp
@@ Ingress/ess-ci/release-name-element-web @@
- ---
- # Source: matrix-stack/templates/element-web/ingress.yaml
- apiVersion: networking.k8s.io/v1
- kind: Ingress
- metadata:
- labels:
- helm.sh/chart: "matrix-stack-26.2.3-dev"
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: matrix-stack
- app.kubernetes.io/component: matrix-client
- app.kubernetes.io/name: element-web
- app.kubernetes.io/instance: release-name-element-web
- app.kubernetes.io/version: "v1.12.10"
- name: release-name-element-web
- namespace: ess-ci
- spec:
- tls:
- - hosts:
- - "element.ess.localhost"
- rules:
- - host: "element.ess.localhost"
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: release-name-element-web
- port:
- name: web
@@ Service/ess-ci/release-name-element-web @@
- ---
- # Source: matrix-stack/templates/element-web/service.yaml
- apiVersion: v1
- kind: Service
- metadata:
- labels:
- helm.sh/chart: "matrix-stack-26.2.3-dev"
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: matrix-stack
- app.kubernetes.io/component: matrix-client
- app.kubernetes.io/name: element-web
- app.kubernetes.io/instance: release-name-element-web
- app.kubernetes.io/version: "v1.12.10"
- name: release-name-element-web
- namespace: ess-ci
- spec:
- type: ClusterIP
- internalTrafficPolicy: Cluster
- ipFamilyPolicy: PreferDualStack
- ports:
- - port: 80
- targetPort: element
- name: web
- selector:
- app.kubernetes.io/instance: release-name-element-web
@@ ServiceAccount/ess-ci/release-name-element-web @@
- ---
- # Source: matrix-stack/templates/element-web/serviceaccount.yaml
- apiVersion: v1
- kind: ServiceAccount
- metadata:
- labels:
- helm.sh/chart: "matrix-stack-26.2.3-dev"
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: matrix-stack
- app.kubernetes.io/component: matrix-client
- app.kubernetes.io/name: element-web
- app.kubernetes.io/instance: release-name-element-web
- app.kubernetes.io/version: "v1.12.10"
- name: release-name-element-web
- namespace: ess-ci
- automountServiceAccountToken: false
element-web-minimal-values.yaml
@@ ConfigMap/ess-ci/release-name-element-web-nginx @@
- ---
- # Source: matrix-stack/templates/element-web/nginx_configmap.yaml
- apiVersion: v1
- kind: ConfigMap
- metadata:
- labels:
- helm.sh/chart: "matrix-stack-26.2.3-dev"
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: matrix-stack
- app.kubernetes.io/component: matrix-client
- app.kubernetes.io/name: element-web
- app.kubernetes.io/instance: release-name-element-web
- app.kubernetes.io/version: "v1.12.10"
- name: release-name-element-web-nginx
- namespace: ess-ci
- data:
- default.conf: |
- # Copy of https://github.com/element-hq/element-web/blob/v1.11.97/docker/nginx-templates/default.conf.template but
- # * not as a template, using a hard-coded port
- # * the recommendations from https://github.com/element-hq/element-web/tree/v1.11.97?tab=readme-ov-file#configuration-best-practices added
- # * /health added for k8s
- # * setting a charset
- # * ensuring our security headers include are applied, whether or not paths are in location blocks or not
- server {
- listen 8080;
- listen [::]:8080 ipv6only=on;
- server_name localhost;
-
- root /usr/share/nginx/html; # noqa
- index index.html;
- charset utf-8;
-
- include /etc/nginx/security_headers.conf;
-
- # Set no-cache for the version, config and index.html
- # so that browsers always check for a new copy of Element Web.
- # NB http://your-domain/ and http://your-domain/? are also covered by this
-
- location = /index.html {
- add_header Cache-Control "no-cache";
- include /etc/nginx/security_headers.conf;
- }
- location = /version {
- add_header Cache-Control "no-cache";
- include /etc/nginx/security_headers.conf;
- }
- # covers config.json and config.hostname.json requests as it is prefix.
- location /config {
- # Serving /app/config.json as per https://github.com/element-hq/element-web/blob/v1.11.97/docker/docker-entrypoint.d/18-load-element-modules.sh#L15
- root /tmp/element-web-config;
- add_header Cache-Control "no-cache";
- include /etc/nginx/security_headers.conf;
- }
- location /modules {
- alias /modules;
- }
- location = /health {
- allow all;
- default_type 'application/json';
- return 200 '{"status": "ok"}';
- }
- # redirect server error pages to the static page /50x.html
- #
- error_page 500 502 503 504 /50x.html;
- }
- # Customisations that we do at the http rather than the server level
- http_customisations.conf: |
- server_tokens off;
- set_real_ip_from 0.0.0.0/0;
- set_real_ip_from ::/0;
- real_ip_header X-Forwarded-For;
- # For repeated inclusion in default.conf because the add_header directives need to be repeated as per
- # https://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header as they are only inherited from
- # the server block iff there's no add_header directives in the location block
- security_headers.conf: |
- # Copyright 2025 New Vector Ltd
- # Copyright 2025 Element Creations Ltd
- # SPDX-License-Identifier: AGPL-3.0-only
-
- add_header Content-Security-Policy "frame-ancestors 'self'";
- add_header X-Content-Type-Options nosniff;
- add_header X-Frame-Options SAMEORIGIN;
- add_header X-Robots-Tag "noindex, nofollow, noarchive, noimageindex";
- add_header X-XSS-Protection "1; mode=block";
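Review bot: the whole element-web nginx ConfigMap disappears from the all-enabled-values render in this hunk, security_headers.conf included (the `frame-ancestors 'self'` CSP, `X-Content-Type-Options nosniff`, `X-Frame-Options SAMEORIGIN`), and the hunks that follow remove the element-web ConfigMap, Deployment, Ingress, Service and ServiceAccount as well. A change that only affects how a component is exposed should not stop the component rendering; the likely cause is the values refactor (common ingress keys moved out, new option to disable ingress) no longer matching what the CI values file sets, or a template condition keying off a key that moved. Please run `helm template` with the all-enabled CI values on the branch and confirm element-web still renders before the dyff is compared again.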
@@ ConfigMap/ess-ci/release-name-element-web @@
- ---
- # Source: matrix-stack/templates/element-web/configmap.yaml
- apiVersion: v1
- kind: ConfigMap
- metadata:
- labels:
- helm.sh/chart: "matrix-stack-26.2.3-dev"
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: matrix-stack
- app.kubernetes.io/component: matrix-client
- app.kubernetes.io/name: element-web
- app.kubernetes.io/instance: release-name-element-web
- app.kubernetes.io/version: "v1.12.10"
- name: release-name-element-web
- namespace: ess-ci
- data:
- config.json: |
- {
- "bug_report_endpoint_url": "https://rageshakes.element.io/api/submit",
- "default_server_config": {
- "m.homeserver": {}
- },
- "map_style_url": "https://api.maptiler.com/maps/streets/style.json?key=fU3vlMsMn4Jb6dnEIFsx",
- "mobile_guide_app_variant": "element",
- "setting_defaults": {}
- }
@@ Deployment/ess-ci/release-name-element-web @@
- ---
- # Source: matrix-stack/templates/element-web/deployment.yaml
- apiVersion: apps/v1
- kind: Deployment
- metadata:
- labels:
- helm.sh/chart: "matrix-stack-26.2.3-dev"
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: matrix-stack
- app.kubernetes.io/component: matrix-client
- app.kubernetes.io/name: element-web
- app.kubernetes.io/instance: release-name-element-web
- app.kubernetes.io/version: "v1.12.10"
- k8s.element.io/element-web-config-hash: "994c7bbea2846e7cd12de639bba56e30f0974be0"
- k8s.element.io/nginx-config-hash: "ebf74e60cb1f5e455ca5140db2681c39df455fd6"
- name: release-name-element-web
- namespace: ess-ci
- spec:
- replicas: 1
- selector:
- matchLabels:
- app.kubernetes.io/instance: release-name-element-web
- strategy:
- type: RollingUpdate
- rollingUpdate:
- maxSurge: 2
- maxUnavailable: 0
- template:
- metadata:
- labels:
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: matrix-stack
- app.kubernetes.io/component: matrix-client
- app.kubernetes.io/name: element-web
- app.kubernetes.io/instance: release-name-element-web
- app.kubernetes.io/version: "v1.12.10"
- k8s.element.io/element-web-config-hash: "994c7bbea2846e7cd12de639bba56e30f0974be0"
- k8s.element.io/nginx-config-hash: "ebf74e60cb1f5e455ca5140db2681c39df455fd6"
- spec:
- automountServiceAccountToken: false
- serviceAccountName: release-name-element-web
- securityContext:
- fsGroup: 10004
- runAsGroup: 10004
- runAsNonRoot: true
- runAsUser: 10004
- seccompProfile:
- type: RuntimeDefault
- supplementalGroups: []
- restartPolicy: Always
- topologySpreadConstraints:
- - labelSelector:
- matchLabels:
- app.kubernetes.io/instance: release-name-element-web
- matchLabelKeys:
- - pod-template-hash
- maxSkew: 1
- topologyKey: kubernetes.io/hostname
- whenUnsatisfiable: ScheduleAnyway
- containers:
- - name: element-web
- image: "oci.element.io/element-web:v1.12.10"
- imagePullPolicy: Always
- env:
- - name: NGINX_ENVSUBST_TEMPLATE_DIR
- value: /non-existant-so-that-this-works-with-read-only-root-filesystem
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- ports:
- - containerPort: 8080
- name: element
- protocol: TCP
- livenessProbe:
- failureThreshold: 3
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 1
- httpGet:
- path: /health
- port: element
- scheme: HTTP
- readinessProbe:
- failureThreshold: 3
- periodSeconds: 3
- successThreshold: 1
- timeoutSeconds: 1
- httpGet:
- path: /health
- port: element
- scheme: HTTP
- startupProbe:
- failureThreshold: 4
- periodSeconds: 3
- successThreshold: 1
- timeoutSeconds: 1
- httpGet:
- path: /health
- port: element
- scheme: HTTP
- resources:
- limits:
- memory: 200Mi
- requests:
- cpu: 50m
- memory: 50Mi
- volumeMounts:
- - mountPath: /app/config.json
- name: config
- readOnly: true
- subPath: config.json
- - mountPath: /etc/nginx/conf.d/default.conf
- name: nginx-config
- readOnly: true
- subPath: default.conf
- - mountPath: /etc/nginx/conf.d/http_customisations.conf
- name: nginx-config
- readOnly: true
- subPath: http_customisations.conf
- - mountPath: /etc/nginx/security_headers.conf
- name: nginx-config
- readOnly: true
- subPath: security_headers.conf
- - mountPath: /tmp
- name: nginx-tmp
- volumes:
- - configMap:
- defaultMode: 420
- name: release-name-element-web
- name: config
- - configMap:
- defaultMode: 420
- name: release-name-element-web-nginx
- name: nginx-config
- - emptyDir:
- medium: Memory
- name: nginx-tmp
@@ Ingress/ess-ci/release-name-element-web @@
- ---
- # Source: matrix-stack/templates/element-web/ingress.yaml
- apiVersion: networking.k8s.io/v1
- kind: Ingress
- metadata:
- labels:
- helm.sh/chart: "matrix-stack-26.2.3-dev"
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: matrix-stack
- app.kubernetes.io/component: matrix-client
- app.kubernetes.io/name: element-web
- app.kubernetes.io/instance: release-name-element-web
- app.kubernetes.io/version: "v1.12.10"
- name: release-name-element-web
- namespace: ess-ci
- spec:
- tls:
- - hosts:
- - "element.ess.localhost"
- rules:
- - host: "element.ess.localhost"
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: release-name-element-web
- port:
- name: web
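Review bot: the Ingress for `element.ess.localhost` (with its `tls.hosts` entry) is removed here, but nothing in the visible dyff adds an HTTPRoute or Gateway in its place, so for this values file the component loses its external entry point rather than switching to the Gateway API. If Ingress stays the default, the rendered output for existing values files should be unchanged; if this CI file was meant to exercise HTTPRoute, the corresponding `+` HTTPRoute should appear alongside this removal.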
@@ Service/ess-ci/release-name-element-web @@
- ---
- # Source: matrix-stack/templates/element-web/service.yaml
- apiVersion: v1
- kind: Service
- metadata:
- labels:
- helm.sh/chart: "matrix-stack-26.2.3-dev"
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: matrix-stack
- app.kubernetes.io/component: matrix-client
- app.kubernetes.io/name: element-web
- app.kubernetes.io/instance: release-name-element-web
- app.kubernetes.io/version: "v1.12.10"
- name: release-name-element-web
- namespace: ess-ci
- spec:
- type: ClusterIP
- internalTrafficPolicy: Cluster
- ipFamilyPolicy: PreferDualStack
- ports:
- - port: 80
- targetPort: element
- name: web
- selector:
- app.kubernetes.io/instance: release-name-element-web
@@ ServiceAccount/ess-ci/release-name-element-web @@
- ---
- # Source: matrix-stack/templates/element-web/serviceaccount.yaml
- apiVersion: v1
- kind: ServiceAccount
- metadata:
- labels:
- helm.sh/chart: "matrix-stack-26.2.3-dev"
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: matrix-stack
- app.kubernetes.io/component: matrix-client
- app.kubernetes.io/name: element-web
- app.kubernetes.io/instance: release-name-element-web
- app.kubernetes.io/version: "v1.12.10"
- name: release-name-element-web
- namespace: ess-ci
- automountServiceAccountToken: false
example-default-enabled-components-checkov-values.yaml@@ Deployment/ess-ci/release-name-haproxy - spec.template.spec @@
- restartPolicy: Always
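Review bot: this `restartPolicy: Always` removal, the matching ones in the Deployment/StatefulSet hunks below, and the Jobs flipping from `Never` to `OnFailure` are unrelated to Gateway/HTTPRoute support. They most likely mean the branch is behind main; rebasing would keep the dyff limited to the ingress changes and make the element-web and hookshot removals easier to see.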
@@ Deployment/ess-ci/release-name-matrix-authentication-service - spec.template.spec @@
- restartPolicy: Always
@@ Deployment/ess-ci/release-name-matrix-rtc-authorisation-service - spec.template.spec @@
- restartPolicy: Always
@@ Deployment/ess-ci/release-name-matrix-rtc-sfu - spec.template.spec @@
- restartPolicy: Always
@@ Ingress/ess-ci/release-name-synapse - metadata @@
+ test: true
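Review bot: `test: true` is being added directly under `metadata` of the Synapse Ingress in this hunk (and again in the other values files). `test` is not an ObjectMeta field, so it would fail strict field validation on apply, and it reads like a leftover from local debugging of the ingress templates; remove it, or if it was intended as a label or annotation, move it under `labels`/`annotations` with a documented key.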
@@ Job/ess-ci/release-name-deployment-markers-post - spec.template.spec.restartPolicy @@
- Never
+ OnFailure
@@ Job/ess-ci/release-name-deployment-markers-pre - spec.template.spec.restartPolicy @@
- Never
+ OnFailure
@@ Job/ess-ci/release-name-init-secrets - spec.template.spec.restartPolicy @@
- Never
+ OnFailure
@@ StatefulSet/ess-ci/release-name-postgres - spec.template.spec @@
- restartPolicy: Always
@@ StatefulSet/ess-ci/release-name-synapse-main - spec.template.spec @@
- restartPolicy: Always
example-default-enabled-components-values.yaml@@ Deployment/ess-ci/release-name-haproxy - spec.template.spec @@
- restartPolicy: Always
@@ Deployment/ess-ci/release-name-matrix-authentication-service - spec.template.spec @@
- restartPolicy: Always
@@ Deployment/ess-ci/release-name-matrix-rtc-authorisation-service - spec.template.spec @@
- restartPolicy: Always
@@ Deployment/ess-ci/release-name-matrix-rtc-sfu - spec.template.spec @@
- restartPolicy: Always
@@ Ingress/ess-ci/release-name-synapse - metadata @@
+ test: true
@@ Job/ess-ci/release-name-deployment-markers-post - spec.template.spec.restartPolicy @@
- Never
+ OnFailure
@@ Job/ess-ci/release-name-deployment-markers-pre - spec.template.spec.restartPolicy @@
- Never
+ OnFailure
@@ Job/ess-ci/release-name-init-secrets - spec.template.spec.restartPolicy @@
- Never
+ OnFailure
@@ StatefulSet/ess-ci/release-name-postgres - spec.template.spec @@
- restartPolicy: Always
@@ StatefulSet/ess-ci/release-name-synapse-main - spec.template.spec @@
- restartPolicy: Always
hookshot-checkov-values.yaml@@ ConfigMap/ess-ci/release-name-hookshot @@
- ---
- # Source: matrix-stack/templates/hookshot/hookshot_configmap.yaml
- apiVersion: v1
- kind: ConfigMap
- metadata:
- name: release-name-hookshot
- namespace: ess-ci
- labels:
- helm.sh/chart: "matrix-stack-26.2.3-dev"
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: matrix-stack
- app.kubernetes.io/component: matrix-integrations
- app.kubernetes.io/name: hookshot
- app.kubernetes.io/instance: release-name-hookshot
- app.kubernetes.io/version: "7.3.2"
- data:
- config-underride.yaml: |
- widgets:
- roomSetupWidget:
- addOnInvite: true
-
- permissions:
- # Allow all users to send commands to existing services
- - actor: "ess.localhost"
- services:
- - service: "*"
- level: manageConnections
- config-override.yaml: |
- bridge:
- domain: "ess.localhost"
- port: 9993
- bindAddress: 0.0.0.0
-
- passFile: /secrets/release-name-generated/HOOKSHOT_RSA_PASSKEY
-
- cache:
- redisUri: "redis://release-name-redis.ess-ci.svc.cluster.local.:6379"
-
- logging:
- level: info
-
- metrics:
- enabled: true
-
- listeners:
- - port: 7775
- bindAddress: 0.0.0.0
- resources:
- - webhooks
- - port: 7777
- bindAddress: 0.0.0.0
- resources:
- - metrics
- - port: 7778
- bindAddress: 0.0.0.0
- resources:
- - widgets
-
- generic:
-
- urlPrefix: https://hookshot.ess.localhost/webhook
-
-
- widgets:
- publicUrl: https://hookshot.ess.localhost/widgetapi/v1/static
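Review bot: for hookshot-checkov-values.yaml the entire hookshot ConfigMap is removed, and the hunks that follow remove redis, the init-secrets ConfigMap/Job/Role/RoleBinding, and the hookshot Secret, Service and Ingress too. None of that is ingress-specific, so hookshot is no longer rendering at all for that values file, the same symptom as the element-web removals in all-enabled-values.yaml. Worth tracing both to one cause (most likely the `ingress` values restructure or the new disable-ingress option changing what the values file enables) rather than fixing the CI files individually.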
@@ ConfigMap/ess-ci/release-name-init-secrets @@
- ---
- # Source: matrix-stack/templates/init-secrets/configmap.yaml
- apiVersion: v1
- kind: ConfigMap
- metadata:
- name: release-name-init-secrets
- namespace: ess-ci
- annotations:
- "helm.sh/hook": pre-install,pre-upgrade
- "helm.sh/hook-weight": "-11"
- labels:
- helm.sh/chart: "matrix-stack-26.2.3-dev"
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: matrix-stack
- app.kubernetes.io/component: matrix-tools
- app.kubernetes.io/name: init-secrets
- app.kubernetes.io/instance: release-name-init-secrets
- app.kubernetes.io/version: "0.7.3"
- data:
- hookshot-registration.yaml: |
- rate_limited: false
- namespaces: {}
- id: hookshot
- as_token: "${AS_TOKEN}"
- hs_token: "${HS_TOKEN}"
- url: "http://release-name-hookshot.ess-ci.svc.cluster.local.:9993"
- sender_localpart: hookshot
-
- org.matrix.msc3202: true
@@ ConfigMap/ess-ci/release-name-redis @@
- ---
- # Source: matrix-stack/templates/redis/redis_configmap.yaml
- apiVersion: v1
- kind: ConfigMap
- metadata:
- labels:
- helm.sh/chart: "matrix-stack-26.2.3-dev"
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: matrix-stack
- app.kubernetes.io/component: matrix-pubsub-small-cache
- app.kubernetes.io/name: redis
- app.kubernetes.io/instance: release-name-redis
- app.kubernetes.io/version: "7.4-alpine"
- name: release-name-redis
- namespace: ess-ci
- data:
- redis.conf: |
- # Do not require a password
- protected-mode no
- port 6379
-
- tcp-backlog 511
- tcp-keepalive 300
-
- # Never close the connection
- timeout 0
-
- # We run the redis in a container so disable both of these
- daemonize no
- supervised no
-
- loglevel notice
- logfile ''
-
- databases 16
- always-show-logo no
- stop-writes-on-bgsave-error yes
-
- # We never save to the disk
- save ''
-
- replica-serve-stale-data yes
- replica-read-only yes
- repl-diskless-sync no
- repl-diskless-sync-delay 5
- repl-diskless-load disabled
- repl-disable-tcp-nodelay no
- replica-priority 100
- acllog-max-len 128
-
- lazyfree-lazy-eviction no
- lazyfree-lazy-expire no
- lazyfree-lazy-server-del no
- replica-lazy-flush no
-
- lazyfree-lazy-user-del no
-
- lazyfree-lazy-user-flush no
- oom-score-adj no
- oom-score-adj-values 0 200 800
-
- disable-thp yes
-
- appendonly no
- appendfilename 'appendonly.aof'
- appendfsync everysec
-
- no-appendfsync-on-rewrite no
-
- auto-aof-rewrite-percentage 100
- auto-aof-rewrite-min-size 64mb
- aof-load-truncated yes
- aof-use-rdb-preamble yes
- lua-time-limit 5000
- slowlog-log-slower-than 10000
- slowlog-max-len 128
- latency-monitor-threshold 0
- notify-keyspace-events ""
- hash-max-ziplist-entries 512
- hash-max-ziplist-value 64
- list-max-ziplist-size -2
- list-compress-depth 0
- set-max-intset-entries 512
- zset-max-ziplist-entries 128
- zset-max-ziplist-value 64
- hll-sparse-max-bytes 3000
- stream-node-max-bytes 4096
- stream-node-max-entries 100
- activerehashing yes
- client-output-buffer-limit normal 0 0 0
- client-output-buffer-limit replica 256mb 64mb 60
- client-output-buffer-limit pubsub 32mb 8mb 60
-
- # Hz is the freuqency at which background tasks are performed, we keep this low to save CPU
- hz 1
-
- # The hz value is increased to scale with the number of clients connected.
- dynamic-hz yes
-
- aof-rewrite-incremental-fsync yes
- rdb-save-incremental-fsync yes
- jemalloc-bg-thread yes
-
- maxmemory 40mb
- maxmemory-policy allkeys-lru
@@ Deployment/ess-ci/release-name-redis @@
- ---
- # Source: matrix-stack/templates/redis/redis_deployment.yaml
- apiVersion: apps/v1
- kind: Deployment
- metadata:
- annotations:
- checkov.io/skip1: CKV_K8S_11=We deliberately don't set CPU limits. Pod is BestEffort not Guaranteed
- checkov.io/skip2: CKV_K8S_43=No digests
- checkov.io/skip3: CKV2_K8S_6=No network policy yet
- labels:
- helm.sh/chart: "matrix-stack-26.2.3-dev"
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: matrix-stack
- app.kubernetes.io/component: matrix-pubsub-small-cache
- app.kubernetes.io/name: redis
- app.kubernetes.io/instance: release-name-redis
- app.kubernetes.io/version: "7.4-alpine"
- k8s.element.io/redis-config-hash: "3034b3cfe78419348e36bb348fad98b46a736334"
- name: release-name-redis
- namespace: ess-ci
- spec:
- replicas: 1
- selector:
- matchLabels:
- app.kubernetes.io/instance: release-name-redis
- strategy:
- type: RollingUpdate
- rollingUpdate:
- maxSurge: 2
- maxUnavailable: 0
- template:
- metadata:
- labels:
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: matrix-stack
- app.kubernetes.io/component: matrix-pubsub-small-cache
- app.kubernetes.io/name: redis
- app.kubernetes.io/instance: release-name-redis
- app.kubernetes.io/version: "7.4-alpine"
- k8s.element.io/redis-config-hash: "3034b3cfe78419348e36bb348fad98b46a736334"
- annotations:
- checkov.io/skip1: CKV_K8S_11=We deliberately don't set CPU limits. Pod is BestEffort not Guaranteed
- checkov.io/skip2: CKV_K8S_43=No digests
- checkov.io/skip3: CKV2_K8S_6=No network policy yet
- spec:
- automountServiceAccountToken: false
- serviceAccountName: release-name-redis
- securityContext:
- fsGroup: 10002
- runAsGroup: 10002
- runAsNonRoot: true
- runAsUser: 10002
- seccompProfile:
- type: RuntimeDefault
- supplementalGroups: []
- restartPolicy: Always
- topologySpreadConstraints:
- - labelSelector:
- matchLabels:
- app.kubernetes.io/instance: release-name-redis
- matchLabelKeys:
- - pod-template-hash
- maxSkew: 1
- topologyKey: kubernetes.io/hostname
- whenUnsatisfiable: ScheduleAnyway
- containers:
- - name: redis
- args:
- - "/config/redis.conf"
- image: "docker.io/library/redis:7.4-alpine"
- imagePullPolicy: Always
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- ports:
- - containerPort: 6379
- name: redis
- protocol: TCP
- startupProbe:
- failureThreshold: 5
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 1
- tcpSocket:
- port: redis
- livenessProbe:
- failureThreshold: 3
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 1
- tcpSocket:
- port: redis
- readinessProbe:
- failureThreshold: 3
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 1
- exec:
- command:
- - redis-cli
- - ping
- resources:
- limits:
- memory: 50Mi
- requests:
- cpu: 50m
- memory: 50Mi
- volumeMounts:
- - mountPath: /config/redis.conf
- name: config
- readOnly: true
- subPath: redis.conf
- volumes:
- - configMap:
- name: "release-name-redis"
- defaultMode: 420
- name: config
@@ Ingress/ess-ci/release-name-hookshot @@
- ---
- # Source: matrix-stack/templates/hookshot/hookshot_ingress.yaml
- apiVersion: networking.k8s.io/v1
- kind: Ingress
- metadata:
- labels:
- helm.sh/chart: "matrix-stack-26.2.3-dev"
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: matrix-stack
- app.kubernetes.io/component: matrix-integrations
- app.kubernetes.io/name: hookshot
- app.kubernetes.io/instance: release-name-hookshot
- app.kubernetes.io/version: "3.2-alpine"
- name: release-name-hookshot
- namespace: ess-ci
- spec:
- tls:
- - hosts:
- - "hookshot.ess.localhost"
- rules:
- - host: "hookshot.ess.localhost"
- http:
- paths:
- - path: /widgetapi/v1
- pathType: Prefix
- backend:
- service:
- name: "release-name-hookshot"
- port:
- name: widgets
- - path: /
- pathType: Prefix
- backend:
- service:
- name: "release-name-hookshot"
- port:
- name: webhooks
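Review bot: this Ingress depends on two paths, `/widgetapi/v1` to the `widgets` port and `/` to the `webhooks` port. If the HTTPRoute form of this collapses to a single `/` rule, widget API traffic would reach the webhook listener instead. Gateway API picks the longest matching PathPrefix rather than honouring rule order, so two rules with PathPrefix matches keep the split; please add a test fragment asserting the rendered HTTPRoute has both backends with the right ports.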
@@ Job/ess-ci/release-name-init-secrets @@
- ---
- # Source: matrix-stack/templates/init-secrets/job.yaml
- apiVersion: batch/v1
- kind: Job
- metadata:
- name: release-name-init-secrets
- namespace: ess-ci
- annotations:
- "helm.sh/hook": pre-install,pre-upgrade
- "helm.sh/hook-weight": "-10"
- checkov.io/skip1: CKV_K8S_11=We deliberately don't set CPU limits. Pod is BestEffort not Guaranteed
- checkov.io/skip2: CKV_K8S_43=No digests
- checkov.io/skip3: CKV2_K8S_6=No network policy yet
- checkov.io/skip4: CKV_K8S_38=The job needs a service account
- labels:
- helm.sh/chart: "matrix-stack-26.2.3-dev"
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: matrix-stack
- app.kubernetes.io/component: matrix-tools
- app.kubernetes.io/name: init-secrets
- app.kubernetes.io/instance: release-name-init-secrets
- app.kubernetes.io/version: "0.7.3"
- spec:
- backoffLimit: 6
- completionMode: NonIndexed
- completions: 1
- manualSelector: false
- parallelism: 1
- podReplacementPolicy: TerminatingOrFailed
- template:
- metadata:
- annotations:
- checkov.io/skip1: CKV_K8S_11=We deliberately don't set CPU limits. Pod is BestEffort not Guaranteed
- checkov.io/skip2: CKV_K8S_43=No digests
- checkov.io/skip3: CKV2_K8S_6=No network policy yet
- checkov.io/skip4: CKV_K8S_38=The job needs a service account
- labels:
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: matrix-stack
- app.kubernetes.io/component: matrix-tools
- app.kubernetes.io/name: init-secrets
- app.kubernetes.io/instance: release-name-init-secrets
- app.kubernetes.io/version: "0.7.3"
- spec:
- automountServiceAccountToken: true
- serviceAccountName: release-name-init-secrets
- securityContext:
- fsGroup: 10010
- runAsGroup: 10010
- runAsNonRoot: true
- runAsUser: 10010
- seccompProfile:
- type: RuntimeDefault
- supplementalGroups: []
- restartPolicy: Never
- topologySpreadConstraints:
- - labelSelector:
- matchLabels:
- app.kubernetes.io/instance: release-name-init-secrets
- matchLabelKeys: []
- maxSkew: 1
- topologyKey: kubernetes.io/hostname
- whenUnsatisfiable: ScheduleAnyway
- containers:
- - name: init-secrets
- image: "ghcr.io/element-hq/ess-helm/matrix-tools:0.7.3"
- imagePullPolicy: Always
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- resources:
- limits:
- memory: 200Mi
- requests:
- cpu: 50m
- memory: 50Mi
- env:
- - name: NAMESPACE
- value: ess-ci
- args:
- - "generate-secrets"
- - "-secrets"
- - "release-name-generated:HOOKSHOT_REGISTRATION:registration:/registration-templates/hookshot-registration.yaml,release-name-generated:HOOKSHOT_RSA_PASSKEY:rsa:4096:pem"
- - "-labels"
- - "app.kubernetes.io/managed-by=Helm,app.kubernetes.io/part-of=matrix-stack,app.kubernetes.io/component=matrix-tools,app.kubernetes.io/name=init-secrets,app.kubernetes.io/instance=release-name-init-secrets,app.kubernetes.io/version=0.7.3"
- volumeMounts:
- - mountPath: "/registration-templates"
- name: registration-templates
- readOnly: true
- volumes:
- - configMap:
- defaultMode: 420
- name: release-name-init-secrets
- name: registration-templates
@@ Role/ess-ci/release-name-init-secrets @@
- ---
- # Source: matrix-stack/templates/init-secrets/role.yaml
- apiVersion: rbac.authorization.k8s.io/v1
- kind: Role
- metadata:
- name: release-name-init-secrets
- namespace: ess-ci
- labels:
- helm.sh/chart: "matrix-stack-26.2.3-dev"
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: matrix-stack
- app.kubernetes.io/component: matrix-tools
- app.kubernetes.io/name: init-secrets
- app.kubernetes.io/instance: release-name-init-secrets
- app.kubernetes.io/version: "0.7.3"
- annotations:
- "helm.sh/hook": pre-install,pre-upgrade
- "helm.sh/hook-weight": "-11"
- rules:
- - apiGroups: [""]
- resources: ["secrets"]
- verbs: ["create"]
- - apiGroups: [""]
- resources: ["secrets"]
- resourceNames: ["release-name-generated"]
- verbs: ["get", "update"]
@@ RoleBinding/ess-ci/release-name-init-secrets @@
- ---
- # Source: matrix-stack/templates/init-secrets/rolebinding.yaml
- apiVersion: rbac.authorization.k8s.io/v1
- kind: RoleBinding
- metadata:
- name: release-name-init-secrets
- namespace: ess-ci
- labels:
- helm.sh/chart: "matrix-stack-26.2.3-dev"
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: matrix-stack
- app.kubernetes.io/component: matrix-tools
- app.kubernetes.io/name: init-secrets
- app.kubernetes.io/instance: release-name-init-secrets
- app.kubernetes.io/version: "0.7.3"
- annotations:
- "helm.sh/hook": pre-install,pre-upgrade
- "helm.sh/hook-weight": "-11"
- roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: release-name-init-secrets
- subjects:
- - kind: ServiceAccount
- name: release-name-init-secrets
- namespace: ess-ci
@@ Secret/ess-ci/release-name-hookshot @@
- ---
- # Source: matrix-stack/templates/hookshot/hookshot_secret.yaml
- apiVersion: v1
- kind: Secret
- metadata:
- name: release-name-hookshot
- namespace: ess-ci
- labels:
- helm.sh/chart: "matrix-stack-26.2.3-dev"
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: matrix-stack
- app.kubernetes.io/component: matrix-integrations
- app.kubernetes.io/name: hookshot
- app.kubernetes.io/instance: release-name-hookshot
- app.kubernetes.io/version: "7.3.2"
- type: Opaque
- data:
@@ Service/ess-ci/release-name-hookshot @@
- ---
- # Source: matrix-stack/templates/hookshot/hookshot_service.yaml
- apiVersion: v1
- kind: Service
- metadata:
- name: release-name-hookshot
- namespace: ess-ci
- labels:
- helm.sh/chart: "matrix-stack-26.2.3-dev"
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: matrix-stack
- app.kubernetes.io/component: matrix-integrations
- app.kub...*[Comment body truncated]* |
|
Hey @benbz, no problem, you guys seem quite busy. I don't use GitHub for work, so I didn't know whether it would auto-add a reviewer. To shed some initial light on your questions:
For the actual Gateway config, I think that it should be promoted from In terms of overall structure, I am not 100% sure what the best approach is, but this was my thought process.
I don't know how much of this code base you share with Pro, but IMO the main benefit of the last approach is that it tends to require less refactoring when you add a new ingress type. For instance, if you have a customer request for Istio
It should be. I currently use a wildcard certificate issued by Let's Encrypt. You just specify the secret name as the If you are using cert-manager, the built-in gateway config will cause it to issue a cert with each hostname specified. This was so it could be used without setting up a DNS-01 solver. I don't have strong opinions on this. The gateway setup is a bit more complicated than it needs to be to make it work with a standard HTTP solver. It can be simplified once cert-manager supports specifying the certificate on the HTTPRoute resource (current WIP it looks like).
Managing Kubernetes deployments is part of my day job, so I have seen far too many charts lol. From my perspective, there is no industry consensus on how to expose this config. For me, the easier-to-work-with charts tend to handle it similarly to this structure. For example, Harbor and the Gerrit Operator. For the functionality, basically all charts I work with that provide a gateway/HTTPRoute-based ingress provide the following features that I am specifically looking to add:
As a last thought, I have structured it to be an exclusive "ingress or httproute" for each component. This is not actually a requirement, and I can change it so that both are possible. I just think having it exclusive makes a user less likely to shoot themselves in the foot by accident. I'll look into getting the tests updated and passing this weekend. Thanks again! |
This adds support for the Kubernetes v1 Gateway spec as an alternative to the traditional Ingress resources. This logic supports using Ingresses as they are now, using HTTPRoutes only, or a mix. HTTPRoutes can be connected to an existing gateway, or a new gateway can be generated for the user. I tried to unify the template logic and reuse existing code wherever possible. Currently using this in production on my home server, and I have run what tests I could figure out how to run locally 🙂
A few key notes:
As an outside contributor, how should I handle the copyright notices? I don't see a CLA, but all the files are currently copyrighted by Element.
I am not sure what test fragments you may want me to add, since I intentionally tried to make it pass without changing the minimum config.
Thanks for all the work making ess-community possible, and I look forward to your review!
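The checks a chart maintainer would want over a render that uses the Gateway API, covering the points in the reply above (HTTPRoutes attaching to an existing or generated Gateway, cert-manager only issuing certificates for hostnames a listener covers, and the ingress-or-HTTPRoute exclusivity per component) and the description's "existing gateway or generated gateway" option. This is an added example in Python, not code from ess-helm or this PR; the Gateway/HTTPRoute documents are constructed sample input that borrows names from the CI render, and `external_gateways` is an assumed convention for Gateways managed outside the chart.

```python
"""Checks over a rendered chart that exposes components via the Gateway API.
Added example, not ess-helm code: the documents stand in for what `helm template`
would produce, so the checks run offline on plain dicts."""

NAME_LABEL = "app.kubernetes.io/name"


def hostname_matches(listener_host, route_host):
    """Gateway API hostname semantics: no listener hostname accepts any host;
    '*.example.com' matches one or more leading labels (a.example.com,
    a.b.example.com) but not the apex 'example.com'; otherwise exact match."""
    if listener_host is None:
        return True
    if listener_host.startswith("*."):
        suffix = listener_host[1:]  # ".example.com"
        return route_host.endswith(suffix) and len(route_host) > len(suffix)
    return listener_host == route_host


def check_render(docs, external_gateways=frozenset()):
    """Return a list of findings; an empty list means the render passed.
    external_gateways is a set of (namespace, name) for Gateways managed outside
    the chart (assumed convention for 'attach to an existing gateway'); parentRefs
    to those are accepted without inspection."""
    findings = []
    gateways = {(d["metadata"].get("namespace"), d["metadata"]["name"]): d
                for d in docs if d["kind"] == "Gateway"}
    exposure = {}  # component (app.kubernetes.io/name) -> kinds that expose it

    for doc in docs:
        kind, meta = doc["kind"], doc["metadata"]
        if kind in ("Ingress", "HTTPRoute"):
            component = meta.get("labels", {}).get(NAME_LABEL, meta["name"])
            exposure.setdefault(component, set()).add(kind)
        if kind != "HTTPRoute":
            continue
        for ref in doc["spec"].get("parentRefs", []):
            key = (ref.get("namespace", meta.get("namespace")), ref["name"])
            if key in external_gateways:
                continue
            gateway = gateways.get(key)
            if gateway is None:
                findings.append(f"{meta['name']}: parentRef {key} matches no Gateway")
                continue
            # Only HTTPS listeners count: cert-manager's gateway-shim issues
            # certificates for the hostnames on those, nothing else gets TLS.
            https = [ls for ls in gateway["spec"]["listeners"] if ls.get("protocol") == "HTTPS"]
            for host in doc["spec"].get("hostnames", []):
                if not any(hostname_matches(ls.get("hostname"), host) for ls in https):
                    findings.append(f"{meta['name']}: no HTTPS listener on {key[1]} covers {host}")
    for component, kinds in sorted(exposure.items()):
        if len(kinds) > 1:  # the PR keeps Ingress and HTTPRoute mutually exclusive
            findings.append(f"{component}: exposed via both Ingress and HTTPRoute")
    return findings


# Constructed sample render: names follow the CI output on this page, the
# Gateway/HTTPRoute specs themselves are invented for illustration.
SAMPLE_RENDER = [
    {"kind": "Gateway", "metadata": {"name": "release-name-gateway", "namespace": "ess-ci"},
     "spec": {"gatewayClassName": "example", "listeners": [
         {"name": "https", "protocol": "HTTPS", "port": 443, "hostname": "*.ess.localhost",
          "tls": {"mode": "Terminate", "certificateRefs": [{"name": "wildcard-tls"}]}}]}},
    {"kind": "HTTPRoute", "metadata": {"name": "release-name-element-web", "namespace": "ess-ci",
                                       "labels": {NAME_LABEL: "element-web"}},
     "spec": {"parentRefs": [{"name": "release-name-gateway"}], "hostnames": ["element.ess.localhost"],
              "rules": [{"backendRefs": [{"name": "release-name-element-web", "port": 80}]}]}},
    # Apex host: not covered by the wildcard listener, so it would get no certificate.
    {"kind": "HTTPRoute", "metadata": {"name": "release-name-synapse", "namespace": "ess-ci",
                                       "labels": {NAME_LABEL: "synapse"}},
     "spec": {"parentRefs": [{"name": "release-name-gateway"}], "hostnames": ["ess.localhost"],
              "rules": []}},
    # The same component also gets an Ingress: violates the one-or-the-other rule.
    {"kind": "Ingress", "metadata": {"name": "release-name-synapse", "namespace": "ess-ci",
                                     "labels": {NAME_LABEL: "synapse"}},
     "spec": {"rules": [{"host": "ess.localhost"}]}},
]

if __name__ == "__main__":
    for finding in check_render(SAMPLE_RENDER):
        print(finding)
```

Feeding the real `helm template` output through a YAML loader into `check_render` turns these into a CI assertion, which is the kind of test fragment the PR description asks about.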