fix(element): Add the Matrix User Verification Service deployment

2025-12-08 16:28:36 +01:00 · 2023-10-12 15:23:42 +02:00
parent 785989e91d
commit 30405d182d
10 changed files with 117 additions and 0 deletions
--- a/helmfile/apps/element/helmfile.yaml
+++ b/helmfile/apps/element/helmfile.yaml
@@ -59,6 +59,22 @@ releases:
      - "values-synapse.gotmpl"
    condition: "element.enabled"

+  - name: "opendesk-matrix-user-verification-service-bootstrap"
+    chart: "opendesk-element-repo/opendesk-synapse-create-account"
+    version: "2.3.0"
+    values:
+      - "values-matrix-user-verification-service-bootstrap.yaml"
+      - "values-matrix-user-verification-service-bootstrap.gotmpl"
+    condition: "element.enabled"
+
+  - name: "opendesk-matrix-user-verification-service"
+    chart: "opendesk-element-repo/opendesk-matrix-user-verification-service"
+    version: "2.3.0"
+    values:
+      - "values-matrix-user-verification-service.yaml"
+      - "values-matrix-user-verification-service.gotmpl"
+    condition: "element.enabled"
+
  - name: "matrix-neoboard-widget"
    chart: "opendesk-matrix-widgets-repo/matrix-neoboard-widget"
    version: "3.0.0"
--- a/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.gotmpl
+++ b/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.gotmpl
@@ -0,0 +1,23 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  imageRegistry: "{{ .Values.global.imageRegistry }}"
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+cleanup:
+  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
+
+configuration:
+  password: {{ .Values.secrets.matrixUserVerificationService.password }}
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  url: "{{ .Values.images.openxchangeBootstrap.repository }}"
+  tag: "{{ .Values.images.openxchangeBootstrap.tag }}"
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+...
--- a/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml
+++ b/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml
@@ -0,0 +1,8 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+configuration:
+  username: "uvs"
+  pod: "opendesk-synapse-0"
+  secretName: "opendesk-matrix-user-verification-service-account"
+...
--- a/helmfile/apps/element/values-matrix-user-verification-service.gotmpl
+++ b/helmfile/apps/element/values-matrix-user-verification-service.gotmpl
@@ -0,0 +1,23 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: "{{ .Values.global.domain }}"
+  imageRegistry: "{{ .Values.global.imageRegistry }}"
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  repository: "{{ .Values.images.matrixUserVerificationService.repository }}"
+  tag: "{{ .Values.images.matrixUserVerificationService.tag }}"
+
+replicaCount: {{ .Values.replicas.matrixUserVerificationService }}
+
+resources:
+  {{ .Values.resources.matrixUserVerificationService | toYaml | nindent 2 }}
+...
--- a/helmfile/apps/element/values-matrix-user-verification-service.yaml
+++ b/helmfile/apps/element/values-matrix-user-verification-service.yaml
@@ -0,0 +1,29 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  # TODO: the service can't run with read only filesystem or as non-root
+  #readOnlyRootFilesystem: true
+  #runAsGroup: 101
+  #runAsNonRoot: true
+  #runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
+extraEnvVars:
+  - name: "UVS_ACCESS_TOKEN"
+    valueFrom:
+      secretKeyRef:
+        name: "opendesk-matrix-user-verification-service-account"
+        key: "access_token"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+...
--- a/helmfile/apps/jitsi/values-jitsi.gotmpl
+++ b/helmfile/apps/jitsi/values-jitsi.gotmpl
@@ -63,6 +63,10 @@ jitsi:
        value: "myappid"
      - name: "JWT_APP_SECRET"
        value: "{{ .Values.secrets.jitsi.jwtAppSecret }}"
+      - name: "MATRIX_UVS_SYNC_POWER_LEVELS"
+        value: "true"
+      - name: "MATRIX_UVS_URL"
+        value: "http://opendesk-matrix-user-verification-service.{{ .Release.Namespace }}.svc.cluster.local"
      - name: TURNS_HOST
        value: "{{ .Values.turn.tls.host }}"
      - name: TURNS_PORT
--- a/helmfile/environments/default/images.yaml
+++ b/helmfile/environments/default/images.yaml
@@ -91,6 +91,10 @@ images:
    repository: "nordeck/matrix-meetings-widget"
    tag: "1.5.0@sha256:ba547735f635c5359293d6e497297876397bf630fed0e1d35800a0b9ba2f4a96"
    # @supplier: "Nordeck"
+  matrixUserVerificationService:
+    repository: "matrixdotorg/matrix-user-verification-service"
+    tag: "v3.0.0@sha256:25e685d595785e2a72e75a525dac78cf8c782445454f8ac090d3702431c38008"
+    # @supplier: "Element"
  memcached:
    repository: "bitnami/memcached"
    tag: "1.6.21-debian-11-r107@sha256:247ec29efd6030960047a623aef025021154662edf6b6d6e88c97936f164d99d"
--- a/helmfile/environments/default/replicas.yaml
+++ b/helmfile/environments/default/replicas.yaml
@@ -23,6 +23,7 @@ replicas:
  matrixNeoChoiceWidget: 1
  matrixNeoDateFixBot: 1
  matrixNeoDateFixWidget: 1
+  matrixUserVerificationService: 1
  # clamav-distributed
  milter: 1
  nextcloud: 1
--- a/helmfile/environments/default/resources.yaml
+++ b/helmfile/environments/default/resources.yaml
@@ -142,6 +142,13 @@ resources:
    requests:
      cpu: 0.1
      memory: "50Mi"
+  matrixUserVerificationService:
+    limits:
+      cpu: 1
+      memory: "250Mi"
+    requests:
+      cpu: 0.1
+      memory: "50Mi"
  memcached:
    limits:
      cpu: 1
--- a/helmfile/environments/default/secrets.gotmpl
+++ b/helmfile/environments/default/secrets.gotmpl
@@ -83,4 +83,6 @@ secrets:
    secret: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "intercom" "secret" | sha1sum) }}
  matrixNeoDateFixBot:
    password: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "matrix-neodatefix-bot" "password" | sha1sum) }}
+  matrixUserVerificationService:
+    password: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "matrix-user-verification-service" "password" | sha1sum) }}
 ...