add helm chart for MAS deployments #2653
Conversation
There was a problem hiding this comment.
Thanks for this! I've really quickly skimmed through, this isn't a full review.
I'm not yet sure whether this should live in this repository or somewhere else, as I'm not sure I have enough time to maintain this and make sure it doesn't break. Maybe we could do something like synapse does and have it in a contrib/ directory, to make it explicit as it being an external contribution, but not necessarily well tested?
helm/Chart.yaml
Outdated
| description: A Helm chart for matrix-authentication-service | ||
| type: application | ||
| version: 0.1.0 | ||
| appVersion: "1.16.0" |
There was a problem hiding this comment.
That doesn't feel right, latest version is 0.9.0
There was a problem hiding this comment.
yes, thats a remain from helm create
| resources: {{- range .Values.config.listeners.resources }} | ||
| - name: {{ .name }} | ||
| {{- if .path }} | ||
| path: {{ .path -}} | ||
| {{- end }} | ||
| {{- if .playground }} | ||
| playground: {{ .playground }} | ||
| {{- end }} | ||
| {{- end }} |
There was a problem hiding this comment.
If anyway the chart exposes everything on a single port (which is fine!), I wouldn't expose the various resources in the values, but rather flags like graphqlPlayground, metrics, etc. and change that section accordingly
There was a problem hiding this comment.
which listener make sense to expose by default and which should always be optional besides graphqlPlayground and metrics ?
helm/configs/config.yaml
Outdated
| {{- if .Values.config.listeners.binds.type.address.enabled }} | ||
| # First option: listen to the given address | ||
| - address: {{ .Values.config.listeners.binds.address | quote }} | ||
| {{- end }} | ||
| {{- if .Values.config.listeners.binds.type.hp.enabled }} | ||
| # Second option: listen on the given host and port combination | ||
| - host: {{ .Values.config.listeners.binds.host.name }} | ||
| port: {{ .Values.config.listeners.binds.host.port }} | ||
| {{- end }} | ||
| {{- if .Values.config.listeners.binds.type.socket.enabled }} | ||
| # Third option: listen on the given UNIX socket | ||
| - socket: {{ .Values.config.listeners.binds.socket }} | ||
| {{- end }} |
There was a problem hiding this comment.
Is it useful to bind on other host/ports? Why would you want to use unix sockets here?
There was a problem hiding this comment.
Is it useful to bind on other host/ports?
almost never, no. There are obscure one node use cases, however you're right, this should be something that covers a regular use case instead
helm/configs/config.yaml
Outdated
| {{- if .Values.telemetry.useJaeger.enabled }} | ||
| protocol: {{ .Values.telemetry.useJaeger.protocol }} | ||
| endpoint: {{ .Values.telemetry.useJaeger.endpoint }} | ||
| username: {{ .Values.telemetry.useJaeger.username }} | ||
| password: {{ .Values.telemetry.useJaeger.password }} | ||
| agent_host: {{ .Values.telemetry.useJaeger.agent_host }} | ||
| agent_port: {{ .Values.telemetry.useJaeger.agent_port }} | ||
| {{- end }} | ||
| {{- if .Values.telemetry.useZipkin.enabled }} | ||
| collector_endpoint: {{ .Values.telemetry.useZipkin.collector_endpoint }} | ||
| {{- end }} |
There was a problem hiding this comment.
The jaeger and zipkin exporters were removed in 0.9.0
helm/configs/config.yaml
Outdated
| # Settings related to upstream OAuth 2.0/OIDC providers. This section must be synced to the database using the config sync command. | ||
| # https://matrix-org.github.io/matrix-authentication-service/usage/cli/config.html#config-sync---prune---dry-run |
There was a problem hiding this comment.
This is not the case anymore, as they get synced automatically on startup now
helm/values.yaml
Outdated
| wellKnown: | ||
| issuer: https://auth.example.com/ | ||
| authEnd: https://auth.example.com/authorize | ||
| tokenEnd: https://auth.example.com/oauth2/token | ||
| jwks: https://auth.example.com/oauth2/keys.json | ||
| registerEnd: https://auth.example.com/oauth2/registration | ||
| introEnd: https://auth.example.com/oauth2/introspect | ||
| revokeEnd: https://auth.example.com/oauth2/revoke |
There was a problem hiding this comment.
Why would an end user need to configure this?
helm/values.yaml
Outdated
| type: | ||
| address: | ||
| enabled: false | ||
| hp: | ||
| enabled: true | ||
| socket: | ||
| enabled: false |
There was a problem hiding this comment.
why would you need to change this? also hp feels unnecessarily obscure
helm/values.yaml
Outdated
| secrets: | ||
| # Encryption secret (used for encrypting cookies and database fields) | ||
| # This must be a 32-byte long hex-encoded key | ||
| encrypt: |
There was a problem hiding this comment.
Can't we have helm automatically generate something here and put that in a secret?
helm/values.yaml
Outdated
| keys: | ||
| - kid: keyid#1 | ||
| key: |- | ||
|
|
||
| - kid: keyid#2 | ||
| key: |- | ||
|
|
||
| - kid: keyid#3 | ||
| key: | | ||
|
|
||
| - kid: keyid#4 | ||
| key: | |
There was a problem hiding this comment.
Same here: you could generate a RSA key and a ECDSA P-256 key with Helm and that would be enough
There was a problem hiding this comment.
this is now done as well as for secrets.encryption
There was a problem hiding this comment.
The configuration keys feel quite inconsistent. Sometimes you use camelCase, sometimes snake_case ; sometimes it's a 1-1 mapping of what is in the MAS config, sometimes it's another term used…
There was a problem hiding this comment.
I did try to use the original MAS config, as I am a fan of referring to the regular documentation rather than just doing something entirely else. Sometimes however my mind gets off track. the hp for host+port was indeed quite odd
- remove deprecated monitoring options - remove separate deployment of well-known endpoints - adjust values key pairs to be more in line with the regular configuration keys - use built in /health endpoint - use remove options that dont make sense in kubernetes context
I'd be for a |
|
Thanks for this! This would be awesome to move forward, because then I can archive a chart I recently stood up for the same thing here: Please feel free to take anything from my chart above to help your cause too :) |
| {{- end }} | ||
| - name: health | ||
| path: /health | ||
| {{- if .Values.telemetry.metrics.enabled }} |
There was a problem hiding this comment.
what is the idea behind putting some config values below .Values.config and others like this not?
| # Confidential client | ||
| - client_id: {{ .Values.clients.client_id }} | ||
| client_auth_method: {{ .Values.clients.client_auth_method }} | ||
| client_secret: {{ .Values.clients.client_secret }} |
There was a problem hiding this comment.
i understand that secrets handling mostly depends on custom integrations, but having secrets in a configmap is not so typical. anance's synapse chart for instance puts them into separate config files from secrets. it has pros and cons.
| After initialising the pod you need to sync MAS with it's config | ||
|
|
||
| ```bash | ||
| kubectl exec -it -n mas deployments/mas -- mas-cli config sync |
There was a problem hiding this comment.
the sync could be run from an init container. since the migrations and basic sync are now performed automatically on start up we added:
- name: mas-sync-clients
image: ghcr.io/matrix-org/matrix-authentication-service:0.9.0
command: ["/usr/local/bin/mas-cli", "config", "sync", "--config=/config/config.yaml", "--prune"]
volumeMounts:
- mountPath: /config
name: config
| repository: ghcr.io/matrix-org/matrix-authentication-service | ||
| pullPolicy: IfNotPresent | ||
| # Overrides the image tag whose default is the chart appVersion. | ||
| tag: "0.9.0" |
There was a problem hiding this comment.
why not use appVersion from the chart as default (ref)?
This PR intends to add a helm chart.
Although this does not automate the setup and configuration of the authentication service it may be something people might want to have as basis