diff --git a/.gitignore b/.gitignore
index 6637f0a..1a359b5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,3 @@
 charts/*/charts/
+.idea/
+charts/*/output/
\ No newline at end of file
diff --git a/charts/ejabberd/.helmignore b/charts/ejabberd/.helmignore
new file mode 100644
index 0000000..f56cea6
--- /dev/null
+++ b/charts/ejabberd/.helmignore
@@ -0,0 +1,25 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+# helm-docs templates
+*.gotmpl
diff --git a/charts/ejabberd/Chart.yaml b/charts/ejabberd/Chart.yaml
new file mode 100644
index 0000000..162f6ed
--- /dev/null
+++ b/charts/ejabberd/Chart.yaml
@@ -0,0 +1,31 @@
+apiVersion: v2
+name: ejabberd
+description: Robust, Ubiquitous and Massively Scalable Messaging Platform (XMPP, MQTT, SIP Server)
+type: application
+version: 0.1.0
+# renovate: image=ghcr.io/juniorjpdj/containers/ejabberd-captcha
+appVersion: 24.02-r1
+kubeVersion: ">=1.22.0-0"
+keywords:
+ - ejabberd
+ - jabber
+ - xmpp
+ - communication
+ - IM
+ - instant-messenger
+dependencies:
+ - name: common
+ repository: https://bjw-s.github.io/helm-charts
+ version: 3.1.0
+sources:
+ - https://github.com/processone/ejabberd
+ - https://github.com/JuniorJPDJ/containers
+ - https://github.com/JuniorJPDJ/charts/tree/master/charts/ejabberd
+annotations:
+ artifacthub.io/links: |-
+ - name: App Source
+ url: https://github.com/processone/ejabberd
+ - name: Dockerfile Source
+ url: https://github.com/JuniorJPDJ/containers
+ - name: Chart Source
+ url: https://github.com/JuniorJPDJ/charts/tree/master/charts/ejabberd
diff --git a/charts/ejabberd/templates/certificates.yaml b/charts/ejabberd/templates/certificates.yaml
new file mode 100644
index 0000000..72f7a52
--- /dev/null
+++ b/charts/ejabberd/templates/certificates.yaml
@@ -0,0 +1,18 @@
+{{- include "bjw-s.common.loader.init" . }}
+{{- $dot := . }}
+{{- range $name, $v := .Values.certificates }}
+{{- if dig "enabled" true $v }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ include "bjw-s.common.lib.chart.names.fullname" $dot }}-{{ $name }}
+spec:
+ dnsNames:
+ {{- toYaml $v.dnsNames | nindent 4 }}
+ issuerRef:
+ {{- toYaml $v.issuerRef | nindent 4 }}
+ secretName: {{ include "bjw-s.common.lib.chart.names.fullname" $dot }}-{{ $name }}-cert
+---
+
+{{- end }}
+{{- end }}
diff --git a/charts/ejabberd/templates/common.yaml b/charts/ejabberd/templates/common.yaml
new file mode 100644
index 0000000..69b8722
--- /dev/null
+++ b/charts/ejabberd/templates/common.yaml
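Review bot: `toYaml $v.dnsNames` and `toYaml $v.issuerRef` in the spec block have no presence check, so a certificates entry that omits either key renders `dnsNames: null` / `issuerRef: null` and the mistake only surfaces when the API server rejects the Certificate, not at `helm template` time. Wrapping each value in `required`, e.g. `{{- toYaml (required (printf "certificates.%s.dnsNames is required" $name) $v.dnsNames) | nindent 4 }}` and the same for `issuerRef`, fails the render with a message that names the offending value. The generated Certificate also carries no labels, unlike the objects the common library renders, which matters for anyone selecting or cleaning up resources by label; if the library exposes a labels helper, emitting it under `metadata` would keep the chart's objects consistent.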
@@ -0,0 +1,53 @@
+{{/* Preprocess values and prepare config file */}}
+{{- include "bjw-s.common.loader.init" . }}
+{{- define "ejabberd.preprocess" -}}
+controllers:
+ main:
+ containers:
+ main:
+ image:
+ {{- toYaml .Values.image | nindent 10 }}
+
+persistence:
+ {{- $dot := . }}
+ {{- range $name, $v := .Values.certificates }}
+ {{- if dig "enabled" true $v }}
+ {{- printf "%s-cert" $name | nindent 2 }}:
+ type: secret
+ name: {{ include "bjw-s.common.lib.chart.names.fullname" $dot }}-{{ $name }}-cert
+ globalMounts:
+ - path: /home/ejabberd/conf/certs/{{ $name }}
+ readOnly: true
+ {{- end }}
+ {{- end }}
+
+configMaps:
+ config:
+ data:
+ {{- range $name, $cfg := .Values.configs }}
+ {{ quote $name }}: |-
+ {{- toYaml $cfg | nindent 8 }}
+ {{- end }}
+{{- end -}}
+
+{{/* Template for generating certfiles from certificates */}}
+{{- define "ejabberd.dynamic_certfiles" -}}
+{{- range $name, $v := .Values.certificates }}
+{{- if dig "enabled" true $v }}
+ - /home/ejabberd/conf/certs/{{ $name }}/tls.crt
+ - /home/ejabberd/conf/certs/{{ $name }}/tls.key
+{{- end }}
+{{- end }}
+{{- end -}}
+
+{{/* Concatenate certfiles from certificates and provided by user */}}
+{{- $ejabberdyml := get .Values.configs "ejabberd.yml" }}
+{{- $certfiles := concat (dig "certfiles" (list) $ejabberdyml) (include "ejabberd.dynamic_certfiles" . | fromYamlArray) }}
+{{- $_ := set $ejabberdyml "certfiles" (default (list) $certfiles) }}
+{{- $_ = set .Values.configs "ejabberd.yml" $ejabberdyml }}
+
+{{/* Merge values provided by user with those generated by preprocessing */}}
+{{- $_ = mustMerge .Values (include "ejabberd.preprocess" . | fromYaml) -}}
+
+{{/* Render the templates */}}
+{{- include "bjw-s.common.loader.all" . }}
diff --git a/charts/ejabberd/values.yaml b/charts/ejabberd/values.yaml
new file mode 100644
index 0000000..892a645
--- /dev/null
+++ b/charts/ejabberd/values.yaml
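Review bot: `get .Values.configs "ejabberd.yml"` near the end of the file yields an empty string when a user's values drop or rename that key, and the next line hands that string to `dig`, which as far as I can tell fails with an interface-conversion error rather than a message naming the missing config. Defaulting to a map keeps the certfiles injection working on its own, `{{- $ejabberdyml := get .Values.configs "ejabberd.yml" | default (dict) }}`; if an absent config should instead skip the injection entirely, wrap the four lines in `{{- if hasKey .Values.configs "ejabberd.yml" }}` … `{{- end }}`. The header comment would also benefit from stating that `mustMerge` gives precedence to the user-supplied `.Values` (if I read sprig's merge precedence right), so a user who sets `controllers.main.containers.main.image` directly bypasses `.Values.image` without any warning.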
@@ -0,0 +1,316 @@
+#
+# IMPORTANT NOTE
+#
+# This chart inherits from our common library chart. You can check the default values/options here:
+# https://github.com/bjw-s/helm-charts/blob/main/charts/library/common/values.yaml
+#
+
+configs:
+ ejabberd.yml:
+ # This config uses envsubst internally to replace ${ENV_VAR_NAME} with environment variable values.
+ # The ${CAPTCHA_CMD} variable is always provided using entrypoint script and points to the captcha-ng.sh script.
+ # You can put your sensitive variables into secret below and those will be provided as env vars to the container,
+ # then you can use those in your config.
+ # Example config from https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example
+ captcha_cmd: "${CAPTCHA_CMD}"
+ # hosts:
+ # - localhost
+ # loglevel: info
+ # ## If you already have certificates, list them here
+ # # certfiles:
+ # # - /etc/letsencrypt/live/domain.tld/fullchain.pem
+ # # - /etc/letsencrypt/live/domain.tld/privkey.pem
+ # captcha_url: auto
+ # listen:
+ # - port: 5222
+ # ip: "::"
+ # module: ejabberd_c2s
+ # max_stanza_size: 262144
+ # shaper: c2s_shaper
+ # access: c2s
+ # starttls_required: true
+ # - port: 5223
+ # ip: "::"
+ # module: ejabberd_c2s
+ # max_stanza_size: 262144
+ # shaper: c2s_shaper
+ # access: c2s
+ # tls: true
+ # - port: 5269
+ # ip: "::"
+ # module: ejabberd_s2s_in
+ # max_stanza_size: 524288
+ # shaper: s2s_shaper
+ # - port: 5443
+ # ip: "::"
+ # module: ejabberd_http
+ # tls: true
+ # request_handlers:
+ # /admin: ejabberd_web_admin
+ # /api: mod_http_api
+ # /bosh: mod_bosh
+ # /captcha: ejabberd_captcha
+ # /upload: mod_http_upload
+ # /ws: ejabberd_http_ws
+ # - port: 1883
+ # ip: "::"
+ # module: mod_mqtt
+ # backlog: 1000
+ # s2s_use_starttls: optional
+ # acl:
+ # local:
+ # user_regexp: ""
+ # loopback:
+ # ip:
+ # - 127.0.0.0/8
+ # - ::1/128
+ # access_rules:
+ # local:
+ # allow: local
+ # c2s:
+ # deny: blocked
+ # allow: all
+ # announce:
+ # allow: admin
+ # configure:
+ 
# allow: admin
+ # muc_create:
+ # allow: local
+ # pubsub_createnode:
+ # allow: local
+ # trusted_network:
+ # allow: loopback
+ # api_permissions:
+ # "console commands":
+ # from:
+ # - ejabberd_ctl
+ # who: all
+ # what: "*"
+ # "admin access":
+ # who:
+ # access:
+ # allow:
+ # - acl: loopback
+ # - acl: admin
+ # oauth:
+ # scope: "ejabberd:admin"
+ # access:
+ # allow:
+ # - acl: loopback
+ # - acl: admin
+ # what:
+ # - "*"
+ # - "!stop"
+ # - "!start"
+ # "public commands":
+ # who:
+ # ip: 127.0.0.1/8
+ # what:
+ # - status
+ # - connected_users_number
+ # shaper:
+ # normal:
+ # rate: 3000
+ # burst_size: 20000
+ # fast: 100000
+ # shaper_rules:
+ # max_user_sessions: 10
+ # max_user_offline_messages:
+ # 5000: admin
+ # 100: all
+ # c2s_shaper:
+ # none: admin
+ # normal: all
+ # s2s_shaper: fast
+ # modules:
+ # mod_adhoc: {}
+ # mod_admin_extra: {}
+ # mod_announce:
+ # access: announce
+ # mod_avatar: {}
+ # mod_blocking: {}
+ # mod_bosh: {}
+ # mod_caps: {}
+ # mod_carboncopy: {}
+ # mod_client_state: {}
+ # mod_configure: {}
+ # mod_disco: {}
+ # mod_fail2ban: {}
+ # mod_http_api: {}
+ # mod_http_upload:
+ # put_url: https://@HOST@:5443/upload
+ # custom_headers:
+ # "Access-Control-Allow-Origin": "https://@HOST@"
+ # "Access-Control-Allow-Methods": "GET,HEAD,PUT,OPTIONS"
+ # "Access-Control-Allow-Headers": "Content-Type"
+ # mod_last: {}
+ # mod_mam:
+ # ## Mnesia is limited to 2GB, better to use an SQL backend
+ # ## For small servers SQLite is a good fit and is very easy
+ # ## to configure. 
Uncomment this when you have SQL configured:
+ # ## db_type: sql
+ # assume_mam_usage: true
+ # default: always
+ # mod_mqtt: {}
+ # mod_muc:
+ # access:
+ # - allow
+ # access_admin:
+ # - allow: admin
+ # access_create: muc_create
+ # access_persistent: muc_create
+ # access_mam:
+ # - allow
+ # default_room_options:
+ # mam: true
+ # mod_muc_admin: {}
+ # mod_offline:
+ # access_max_user_messages: max_user_offline_messages
+ # mod_ping: {}
+ # mod_privacy: {}
+ # mod_private: {}
+ # mod_proxy65:
+ # access: local
+ # max_connections: 5
+ # mod_pubsub:
+ # access_createnode: pubsub_createnode
+ # plugins:
+ # - flat
+ # - pep
+ # force_node_config:
+ # ## Avoid buggy clients to make their bookmarks public
+ # storage:bookmarks:
+ # access_model: whitelist
+ # mod_push: {}
+ # mod_push_keepalive: {}
+ # mod_register:
+ # ## Only accept registration requests from the "trusted"
+ # ## network (see access_rules section above).
+ # ## Think twice before enabling registration from any
+ # ## address. See the Jabber SPAM Manifesto for details:
+ # ## https://github.com/ge0rg/jabber-spam-fighting-manifesto
+ # ip_access: trusted_network
+ # mod_roster:
+ # versioning: true
+ # mod_s2s_dialback: {}
+ # mod_shared_roster: {}
+ # mod_stream_mgmt:
+ # resend_on_timeout: if_offline
+ # mod_stun_disco: {}
+ # mod_vcard: {}
+ # mod_vcard_xupdate: {}
+ # mod_version:
+ # show_os: false
+
+secrets:
+ envs:
+ stringData:
+ # POSTGRES_SERVER:
+ # POSTGRES_DB:
+ # POSTGRES_USER:
+ # POSTGRES_PASSWORD:
+
+configMaps:
+ config:
+ data:
+ inetrc: |
+ {lookup,["file","native"]}.
+ {host,{127,0,0,1}, ["localhost","hostalias"]}.
+ {file, resolv, "/etc/resolv.conf"}.
+ ejabberdctl.cfg: |
+ NO_TIMEOUT="--no-timeout"
+
+certificates:
+ # requires working installation of cert-manager
+ xmpp-example-com:
+ enabled: false
+ dnsNames: ["xmpp.example.com"]
+ issuerRef:
+ group: cert-manager.io
+ kind: ClusterIssuer
+ name: letsencrypt
+
+image:
+ repository: ghcr.io/juniorjpdj/containers/ejabberd-captcha
+ pullPolicy: Always
+ tag: 24.02-r1
+
+persistence:
+ upload:
+ type: persistentVolumeClaim
+ accessMode: ReadWriteOnce
+ retain: true
+ globalMounts:
+ - path: /home/ejabberd/upload
+ readOnly: false
+ size: 1Gi
+ database:
+ type: persistentVolumeClaim
+ accessMode: ReadWriteOnce
+ retain: true
+ globalMounts:
+ - path: /home/ejabberd/database
+ readOnly: false
+ size: 1Gi
+ logs:
+ type: emptyDir
+ retain: true
+ globalMounts:
+ - path: /home/ejabberd/logs
+ readOnly: false
+ config:
+ type: configMap
+ identifier: config
+ globalMounts:
+ - path: /home/ejabberd/conf
+ readOnly: true
+ tmp:
+ type: emptyDir
+ globalMounts:
+ - path: /tmp
+ readOnly: false
+ sizeLimit: 100Mi
+
+defaultPodOptions:
+ securityContext:
+ fsGroup: 9000
+ fsGroupChangePolicy: Always
+
+controllers:
+ main:
+ type: statefulset
+ containers:
+ main:
+ # image:
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: false
+ runAsNonRoot: true
+ runAsUser: 9000
+ runAsGroup: 9000
+ envFrom:
+ - secret: envs
+
+service:
+ main:
+ type: ClusterIP
+ controller: main
+ ports:
+ c2s:
+ port: 5222
+ protocol: TCP
+ c2s-tls:
+ port: 5223
+ protocol: TCP
+ s2s:
+ port: 5269
+ protocol: TCP
+ https:
+ port: 5443
+ protocol: HTTPS
+ primary: true
+ mqtt:
+ port: 1883
+ protocol: TCP
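Review bot: The container `securityContext` at the end of the hunk drops all capabilities and runs as UID/GID 9000 but leaves `allowPrivilegeEscalation` and `seccompProfile` unset, so unless the common library fills them in (not visible here) the pod does not meet the `restricted` Pod Security Standard and would be rejected in a namespace that enforces it. Adding `allowPrivilegeEscalation: false` and `seccompProfile:` / `type: RuntimeDefault` next to `readOnlyRootFilesystem: false` closes that gap. `readOnlyRootFilesystem: false` itself deserves a one-line comment naming the path the process needs to write, so a later hardening pass does not flip it without knowing what breaks. The header comment on `configs.ejabberd.yml` could also state outright that the whole config is rendered into a ConfigMap, so any value typed there directly rather than via `${VAR}` is stored in plain text, which is the reason credentials belong in `secrets.envs`.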