Merge pull request #15 from jessebot/add-postgres-init-and-bump-coturn

fix ci/cd file naming; bump coturn chart version; add postgres init container to check for database being up; disable coturn by default

Author: cloudymax

.github/workflows/ci-helm-release.yml .github/workflows/cd-helm-release.yml.github/workflows/ci-helm-release.yml renamed to .github/workflows/cd-helm-release.yml

@@ -11,6 +11,7 @@ on:
 
 jobs:
   release:
+    environment: helm-release
     permissions:
       contents: write
     runs-on: ubuntu-latest

.github/workflows/ci-helm-workflow.yml .github/workflows/ci-helm-lint-test.yml.github/workflows/ci-helm-workflow.yml renamed to .github/workflows/ci-helm-lint-test.yml

@@ -23,12 +23,12 @@ helm install my-release-name matrix --values values.yaml
 
 - Latest version of [Element](https://element.io/)
 - [Bitnami PostgreSQL subchart](https://github.com/bitnami/charts/tree/main/bitnami/postgresql) to deploy a cluster - needs some work to standardize though, so we also support external postgresql servers
+- [Coturn TURN server subchart](https://github.com/jessebot/coturn-chart) for VoIP calls
 
 #### ⚠️ Optional Features (Untested Since Fork)
 
 These features still need to be tested, but are technically baked into the chart:
 - Choice of lightweight Exim relay or external mail server for email notifications
-- [Coturn TURN server subchart](https://github.com/jessebot/coturn-chart) for VoIP calls
 - [Half-Shot/matrix-appservice-discord](https://github.com/Half-Shot/matrix-appservice-discord) Discord bridge
 - [matrix-org/matrix-appservice-irc](https://github.com/matrix-org/matrix-appservice-irc) IRC bridge
 - [tulir/mautrix-whatsapp](https://github.com/tulir/mautrix-whatsapp) WhatsApp bridge

README.md

@@ -1,9 +1,9 @@
 dependencies:
 - name: postgresql
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 12.6.9
+  version: 12.7.1
 - name: coturn
   repository: https://jessebot.github.io/coturn-chart
-  version: 3.0.5
-digest: sha256:0ff1f8804d56ef0b117b2852b35f40d6feed0651e31cf625f570448836292d50
-generated: "2023-07-26T00:33:15.59096+02:00"
+  version: 4.1.2
+digest: sha256:6315beeffb70ac329400ee6fe69f54e9d06a4c7b1b208c9c929227786d27d167
+generated: "2023-07-29T19:18:47.412173+02:00"

charts/matrix/Chart.lock

@@ -8,7 +8,7 @@ sources:
 
 type: application
 
-version: 4.0.5
+version: 4.1.0
 appVersion: v1.88.0
 
 maintainers:
@@ -21,10 +21,10 @@ maintainers:
 
 dependencies:
   - name: postgresql
-    version: 12.6.9
+    version: 12.7.1
     repository: oci://registry-1.docker.io/bitnamicharts
     condition: postgresql.enabled
   - name: coturn
-    version: 3.0.5
+    version: 4.1.2
     repository: https://jessebot.github.io/coturn-chart
     condition: coturn.enabled

charts/matrix/Chart.yaml

@@ -1,6 +1,6 @@
 # matrix
 
-![Version: 4.0.5](https://img.shields.io/badge/Version-4.0.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.88.0](https://img.shields.io/badge/AppVersion-v1.88.0-informational?style=flat-square)
+![Version: 4.1.0](https://img.shields.io/badge/Version-4.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.88.0](https://img.shields.io/badge/AppVersion-v1.88.0-informational?style=flat-square)
 
 A Helm chart to deploy a Matrix homeserver stack into Kubernetes
 
@@ -21,8 +21,8 @@ A Helm chart to deploy a Matrix homeserver stack into Kubernetes
 
 | Repository | Name | Version |
 |------------|------|---------|
-| https://jessebot.github.io/coturn-chart | coturn | 3.0.5 |
-| oci://registry-1.docker.io/bitnamicharts | postgresql | 12.6.9 |
+| https://jessebot.github.io/coturn-chart | coturn | 4.1.2 |
+| oci://registry-1.docker.io/bitnamicharts | postgresql | 12.7.1 |
 
 ## Values
 
@@ -99,10 +99,63 @@ A Helm chart to deploy a Matrix homeserver stack into Kubernetes
 | coturn.certificate.enabled | bool | `false` | set to true to generate a TLS certificate for encrypted comms |
 | coturn.certificate.host | string | `"turn.example.com"` | hostname for TLS cert |
 | coturn.certificate.issuerName | string | `"letsencrypt-staging"` | cert-manager cert Issuer or ClusterIssuer to use |
-| coturn.enabled | bool | `true` | Set to false to disable the included deployment of Coturn |
+| coturn.coturn.auth.existingSecret | string | `""` | existing secret with keys username/password for coturn |
+| coturn.coturn.auth.password | string | `""` | password for the main user of the turn server |
+| coturn.coturn.auth.secretKeys.password | string | `"password"` | key in existing secret for turn server user's password |
+| coturn.coturn.auth.secretKeys.username | string | `"username"` | key in existing secret for turn server user |
+| coturn.coturn.auth.username | string | `"coturn"` | username for the main user of the turn server |
+| coturn.coturn.extraTurnserverConfiguration | string | `"verbose\n"` | extra configuration for turnserver.conf |
+| coturn.coturn.listeningIP | string | `"0.0.0.0"` | coturn's listening IP address |
+| coturn.coturn.logFile | string | `"stdout"` | set the logfile. Defaults to stdout for use with kubectl logs |
+| coturn.coturn.ports.listening | int | `3478` | insecure listening port |
+| coturn.coturn.ports.max | int | `65535` | maximum ephemeral port for coturn |
+| coturn.coturn.ports.min | int | `49152` | minimum ephemeral port for coturn |
+| coturn.coturn.ports.tlsListening | int | `5349` | secure listening port |
+| coturn.coturn.realm | string | `"turn.example.com"` | hostname for the coturn server realm |
+| coturn.enabled | bool | `false` | Set to false to disable the included deployment of Coturn |
 | coturn.existingSecret | string | `""` | Optional: name of an existingSecret with key for sharedSecret |
+| coturn.externalDatabase.database | string | `""` | database to create, ignored if existingSecret is passed in |
+| coturn.externalDatabase.enabled | bool | `false` | enables the use of postgresql instead of the default sqlite for coturn to use the bundled subchart, enable this, and postgresql.enable |
+| coturn.externalDatabase.existingSecret | string | `""` | name of existing Secret to use for postgresql credentials |
+| coturn.externalDatabase.hostname | string | `""` | required if externalDatabase.enabled: true and postgresql.enabled:false |
+| coturn.externalDatabase.password | string | `""` | password for database, ignored if existingSecret is passed in |
+| coturn.externalDatabase.secretKeys.database | string | `""` | key in existing Secret to use for the database name |
+| coturn.externalDatabase.secretKeys.hostname | string | `""` | key in existing Secret to use for the db's hostname |
+| coturn.externalDatabase.secretKeys.password | string | `""` | key in existing Secret to use for db user's password |
+| coturn.externalDatabase.secretKeys.username | string | `""` | key in existing Secret to use for the db user |
+| coturn.externalDatabase.type | string | `"postgresql"` | Currently only postgresql is supported. mysql coming soon |
+| coturn.externalDatabase.username | string | `""` | username for database, ignored if existingSecret is passed in |
+| coturn.image.pullPolicy | string | `"IfNotPresent"` | image pull policy, set to Always if using image.tag: latest |
+| coturn.image.repository | string | `"coturn/coturn"` | container registry and repo for coturn docker image |
+| coturn.image.tag | string | `""` | docker tag for coturn server |
+| coturn.labels | object | `{"component":"coturn"}` | Coturn specific labels |
+| coturn.persistence.accessMode | string | `"ReadWriteOnce"` | access mode for the PVC, ignored if persistence.existingClaim passed in |
+| coturn.persistence.annotations | object | `{}` | annotations for the PVC, ignored if persistence.existingClaim passed in |
+| coturn.persistence.existingClaim | string | `""` | existing PVC to use instead of creating one on the fly |
+| coturn.persistence.size | string | `"1Mi"` | size of the PVC, ignored if persistence.existingClaim passed in |
+| coturn.persistence.storageClass | string | `""` | storageClass for the PVC, ignored if persistence.existingClaim passed in |
 | coturn.ports | object | `{"from":3478,"to":3478}` | UDP port range for TURN connections |
+| coturn.postgresql.enabled | bool | `false` | enables bitnami postgresql subchart, you can disable to use external db |
+| coturn.postgresql.global.postgresql.auth | object | `{"database":"coturn","existingSecret":"","password":"","secretKeys":{"adminPasswordKey":"postgresPassword","database":"database","hostname":"hostname","userPasswordKey":"password","username":"username"},"username":"coturn"}` | global.postgresql.auth overrides postgresql.auth |
+| coturn.postgresql.global.postgresql.auth.database | string | `"coturn"` | database to create, ignored if existingSecret is passed in |
+| coturn.postgresql.global.postgresql.auth.existingSecret | string | `""` | name of existing Secret to use for postgresql credentials |
+| coturn.postgresql.global.postgresql.auth.password | string | `""` | password for db, autogenerated if empty & existingSecret empty |
+| coturn.postgresql.global.postgresql.auth.secretKeys.adminPasswordKey | string | `"postgresPassword"` | key in existing Secret to use for postgres admin user's password |
+| coturn.postgresql.global.postgresql.auth.secretKeys.database | string | `"database"` | key in existingSecret for database to create |
+| coturn.postgresql.global.postgresql.auth.secretKeys.hostname | string | `"hostname"` | key in existingSecret for database to create |
+| coturn.postgresql.global.postgresql.auth.secretKeys.userPasswordKey | string | `"password"` | key in existing Secret to use for coturn user's password |
+| coturn.postgresql.global.postgresql.auth.secretKeys.username | string | `"username"` | key in exsiting Secret to use for the coturn user |
+| coturn.postgresql.global.postgresql.auth.username | string | `"coturn"` | username for database, ignored if existingSecret is passed in |
+| coturn.resources | object | `{}` | ref: kubernetes.io/docs/concepts/configuration/manage-resources-containers |
 | coturn.secretKey | string | `"coturnSharedSecret"` | key in existing secret with sharedSecret value. Required if coturn.enabled=true and existingSecret not "" |
+| coturn.securityContext.allowPrivilegeEscalation | bool | `true` | allow priviledged access |
+| coturn.securityContext.capabilities.add | list | `["NET_BIND_SERVICE"]` | linux cabilities to allow for the coturn k8s pod |
+| coturn.securityContext.capabilities.drop | list | `["ALL"]` | linux cabilities to disallow for the coturn k8s pod |
+| coturn.securityContext.fsGroup | int | `1000` | all processes of the container are also part of the supplementary groupID |
+| coturn.securityContext.readOnlyRootFilesystem | bool | `false` | allow modificatin to root filesystem |
+| coturn.securityContext.runAsGroup | int | `1000` | for all Containers in the Pod, all processes run w/ this GroupID |
+| coturn.securityContext.runAsUser | int | `1000` | for all Containers in the Pod, all processes run w/ this userID |
+| coturn.service.externalTrafficPolicy | string | `"Local"` | I don't actually know what this is 🤔 open a PR if you know |
 | coturn.service.type | string | `"ClusterIP"` |  |
 | coturn.sharedSecret | string | `""` | shared secert for comms b/w Synapse/Coturn. autogenerated if not provided |
 | coturn.uris | list | `[]` | URIs of the Coturn servers. If deploying Coturn with this chart, include the public IPs of each node in your cluster (or a DNS round-robin hostname) You can also include an external Coturn instance if you'd prefer |