From 4e7bfde1fe29f546c7602cff1040cb5a5e297bc8 Mon Sep 17 00:00:00 2001 From: JuniorJPDJ Date: Sat, 13 Apr 2024 00:39:37 +0200 Subject: [PATCH 01/10] feat: initial version of ejabberd chart --- charts/ejabberd/.helmignore | 25 ++ charts/ejabberd/Chart.yaml | 31 ++ charts/ejabberd/templates/certificates.yaml | 17 ++ charts/ejabberd/templates/common.yaml | 13 + charts/ejabberd/values.yaml | 302 ++++++++++++++++++++ 5 files changed, 388 insertions(+) create mode 100644 charts/ejabberd/.helmignore create mode 100644 charts/ejabberd/Chart.yaml create mode 100644 charts/ejabberd/templates/certificates.yaml create mode 100644 charts/ejabberd/templates/common.yaml create mode 100644 charts/ejabberd/values.yaml diff --git a/charts/ejabberd/.helmignore b/charts/ejabberd/.helmignore new file mode 100644 index 0000000..f56cea6 --- /dev/null +++ b/charts/ejabberd/.helmignore @@ -0,0 +1,25 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ +# helm-docs templates +*.gotmpl diff --git a/charts/ejabberd/Chart.yaml b/charts/ejabberd/Chart.yaml new file mode 100644 index 0000000..31c3778 --- /dev/null +++ b/charts/ejabberd/Chart.yaml 
@@ -0,0 +1,31 @@ +apiVersion: v2 +name: ejabberd +description: Robust, Ubiquitous and Massively Scalable Messaging Platform (XMPP, MQTT, SIP Server) +type: application +version: 0.1.0 +# renovate: image=ghcr.io/juniorjpdj/containers/ejabberd-captcha +appVersion: 24.02-r1 +kubeVersion: ">=1.22.0-0" +keywords: + - ejabberd + - jabber + - xmpp + - communication + - IM + - instant-messenger +dependencies: + - name: common + repository: https://bjw-s.github.io/helm-charts + version: 3.0.4 +sources: + - https://github.com/processone/ejabberd + - https://github.com/JuniorJPDJ/containers + - https://github.com/JuniorJPDJ/charts/tree/master/charts/ejabberd +annotations: + artifacthub.io/links: |- + - name: App Source + url: https://github.com/processone/ejabberd + - name: Dockerfile Source + url: https://github.com/JuniorJPDJ/containers + - name: Chart Source + url: https://github.com/JuniorJPDJ/charts/tree/master/charts/ejabberd diff --git a/charts/ejabberd/templates/certificates.yaml b/charts/ejabberd/templates/certificates.yaml new file mode 100644 index 0000000..d7fb6d4 --- /dev/null +++ b/charts/ejabberd/templates/certificates.yaml @@ -0,0 +1,17 @@ +{{- include "bjw-s.common.loader.init" . }} +{{- range $name, $v := .Values.certificates }} +{{- if $v.enabled }} +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ include "bjw-s.common.lib.chart.names.fullname" . }}-{{ $name }} +spec: + dnsNames: + {{- toYaml $v.dnsNames | nindent 4 }} + issuerRef: + {{- toYaml $v.issuerRef | nindent 4 }} + secretName: {{ include "bjw-s.common.lib.chart.names.fullname" . }}-{{ $name }}-cert +--- + +{{- end }} +{{- end }} diff --git a/charts/ejabberd/templates/common.yaml b/charts/ejabberd/templates/common.yaml new file mode 100644 index 0000000..9b90c02 --- /dev/null +++ b/charts/ejabberd/templates/common.yaml 
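Review bot: `dnsNames` and `issuerRef` are handed straight to `toYaml`, so a certificate entry that omits either renders `dnsNames: null` and fails only at apply time inside cert-manager rather than at template time. Wrapping them as `{{- toYaml (required "certificates.<name>.dnsNames is required" $v.dnsNames) | nindent 4 }}` (and the same for `issuerRef`) turns the omission into a clear `helm` error. The `.` rebinding inside the `range` and the `$v.enabled` lookup are reworked by later patches in this series, so they are not raised here.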
@@ -0,0 +1,13 @@ +{{/* Preprocess values and prepare config file */}} +{{- define "ejabberd.preprocess" -}} +controllers: + main: + containers: + main: + image: + {{- toYaml .Values.image | nindent 10 }} +{{- end -}} +{{- $_ := merge .Values (include "ejabberd.preprocess" . | fromYaml) -}} + +{{/* Render the templates */}} +{{- include "bjw-s.common.loader.all" . }} diff --git a/charts/ejabberd/values.yaml b/charts/ejabberd/values.yaml new file mode 100644 index 0000000..516a048 --- /dev/null +++ b/charts/ejabberd/values.yaml 
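Review bot: `fromYaml` never fails on malformed template output — Helm returns a map with a single `Error` key instead — so a mis-indented line in `ejabberd.preprocess` would be merged into `.Values` as a harmless-looking `Error` entry and the intended image block silently dropped. Capture the result and check it before merging: `{{- $pre := include "ejabberd.preprocess" . | fromYaml }}` / `{{- if hasKey $pre "Error" }}{{ fail $pre.Error }}{{ end }}` / `{{- $_ := merge .Values $pre }}`. Sprig's `merge` also gives precedence to its first argument, so anything a user sets under `controllers.main.containers.main.image` silently wins over `.Values.image`; a one-line comment stating that precedence here would save the next reader a lookup. The same `fromYaml` point applies to the `mustMerge` line introduced by patch 10 of this series.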
@@ -0,0 +1,302 @@ +# +# IMPORTANT NOTE +# +# This chart inherits from our common library chart. You can check the default values/options here: +# https://github.com/bjw-s/helm-charts/blob/main/charts/library/common/values.yaml +# + +configMaps: + config: + data: + ejabberd.yml: + # This config uses envsubst internally to replace ${ENV_VAR_NAME} with environment variable values. + # The ${CAPTCHA_CMD} variable is always provided using entrypoint script and points to the captcha-ng.sh script/ + # You can put your sensitive variables into secret below and those will be provided as env vars to the container, + # then you can use those in your config. + # Example config from https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example + captcha_cmd: "${CAPTCHA_CMD}" + # hosts: + # - localhost + # loglevel: info + # ## If you already have certificates, list them here + # # certfiles: + # # - /etc/letsencrypt/live/domain.tld/fullchain.pem + # # - /etc/letsencrypt/live/domain.tld/privkey.pem + # captcha_url: auto + # listen: + # - port: 5222 + # ip: "::" + # module: ejabberd_c2s + # max_stanza_size: 262144 + # shaper: c2s_shaper + # access: c2s + # starttls_required: true + # - port: 5223 + # ip: "::" + # module: ejabberd_c2s + # max_stanza_size: 262144 + # shaper: c2s_shaper + # access: c2s + # tls: true + # - port: 5269 + # ip: "::" + # module: ejabberd_s2s_in + # max_stanza_size: 524288 + # shaper: s2s_shaper + # - port: 5443 + # ip: "::" + # module: ejabberd_http + # tls: true + # request_handlers: + # /admin: ejabberd_web_admin + # /api: mod_http_api + # /bosh: mod_bosh + # /captcha: ejabberd_captcha + # /upload: mod_http_upload + # /ws: ejabberd_http_ws + # - port: 1883 + # ip: "::" + # module: mod_mqtt + # backlog: 1000 + # s2s_use_starttls: optional + # acl: + # local: + # user_regexp: "" + # loopback: + # ip: + # - 127.0.0.0/8 + # - ::1/128 + # access_rules: + # local: + # allow: local + # c2s: + # deny: blocked + # allow: all + # announce: + # allow: 
admin + # configure: + # allow: admin + # muc_create: + # allow: local + # pubsub_createnode: + # allow: local + # trusted_network: + # allow: loopback + # api_permissions: + # "console commands": + # from: + # - ejabberd_ctl + # who: all + # what: "*" + # "admin access": + # who: + # access: + # allow: + # - acl: loopback + # - acl: admin + # oauth: + # scope: "ejabberd:admin" + # access: + # allow: + # - acl: loopback + # - acl: admin + # what: + # - "*" + # - "!stop" + # - "!start" + # "public commands": + # who: + # ip: 127.0.0.1/8 + # what: + # - status + # - connected_users_number + # shaper: + # normal: + # rate: 3000 + # burst_size: 20000 + # fast: 100000 + # shaper_rules: + # max_user_sessions: 10 + # max_user_offline_messages: + # 5000: admin + # 100: all + # c2s_shaper: + # none: admin + # normal: all + # s2s_shaper: fast + # modules: + # mod_adhoc: {} + # mod_admin_extra: {} + # mod_announce: + # access: announce + # mod_avatar: {} + # mod_blocking: {} + # mod_bosh: {} + # mod_caps: {} + # mod_carboncopy: {} + # mod_client_state: {} + # mod_configure: {} + # mod_disco: {} + # mod_fail2ban: {} + # mod_http_api: {} + # mod_http_upload: + # put_url: https://@HOST@:5443/upload + # custom_headers: + # "Access-Control-Allow-Origin": "https://@HOST@" + # "Access-Control-Allow-Methods": "GET,HEAD,PUT,OPTIONS" + # "Access-Control-Allow-Headers": "Content-Type" + # mod_last: {} + # mod_mam: + # ## Mnesia is limited to 2GB, better to use an SQL backend + # ## For small servers SQLite is a good fit and is very easy + # ## to configure. 
Uncomment this when you have SQL configured: + # ## db_type: sql + # assume_mam_usage: true + # default: always + # mod_mqtt: {} + # mod_muc: + # access: + # - allow + # access_admin: + # - allow: admin + # access_create: muc_create + # access_persistent: muc_create + # access_mam: + # - allow + # default_room_options: + # mam: true + # mod_muc_admin: {} + # mod_offline: + # access_max_user_messages: max_user_offline_messages + # mod_ping: {} + # mod_privacy: {} + # mod_private: {} + # mod_proxy65: + # access: local + # max_connections: 5 + # mod_pubsub: + # access_createnode: pubsub_createnode + # plugins: + # - flat + # - pep + # force_node_config: + # ## Avoid buggy clients to make their bookmarks public + # storage:bookmarks: + # access_model: whitelist + # mod_push: {} + # mod_push_keepalive: {} + # mod_register: + # ## Only accept registration requests from the "trusted" + # ## network (see access_rules section above). + # ## Think twice before enabling registration from any + # ## address. 
See the Jabber SPAM Manifesto for details: + # ## https://github.com/ge0rg/jabber-spam-fighting-manifesto + # ip_access: trusted_network + # mod_roster: + # versioning: true + # mod_s2s_dialback: {} + # mod_shared_roster: {} + # mod_stream_mgmt: + # resend_on_timeout: if_offline + # mod_stun_disco: {} + # mod_vcard: {} + # mod_vcard_xupdate: {} + # mod_version: + # show_os: false + +secrets: + envs: + stringData: + # POSTGRES_SERVER: + # POSTGRES_DB: + # POSTGRES_USER: + # POSTGRES_PASSWORD: + +certificates: + # requires working installation of cert-manager + xmpp-example-com: + enabled: false + dnsNames: ["xmpp.example.com"] + issuerRef: + group: cert-manager.io + kind: ClusterIssuer + name: letsencrypt + +image: + repository: ghcr.io/juniorjpdj/containers/ejabberd-captcha + pullPolicy: Always + tag: 24.02-r1 + +persistence: + upload: + type: persistentVolumeClaim + accessMode: ReadWriteOnce + retain: true + globalMounts: + - path: /home/ejabberd/upload + readOnly: false + size: 1Gi + database: + type: persistentVolumeClaim + accessMode: ReadWriteOnce + retain: true + globalMounts: + - path: /home/ejabberd/database + readOnly: false + size: 1Gi + logs: + type: emptyDir + retain: true + globalMounts: + - path: /home/ejabberd/logs + readOnly: false + config: + type: configMap + identifier: config + globalMounts: + - path: /home/ejabberd/conf + readOnly: true + +defaultPodOptions: + securityContext: + fsGroup: 9000 + fsGroupChangePolicy: Always + +controllers: + main: + type: statefulset + containers: + main: + # image: + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9000 + runAsGroup: 9000 + envFrom: + - secret: envs + +service: + main: + type: ClusterIP + controller: main + ports: + c2s: + port: 5222 + protocol: TCP + c2s-tls: + port: 5223 + protocol: TCP + s2s: + port: 5269 + protocol: TCP + https: + port: 5443 + protocol: HTTPS + primary: true + mqtt: + port: 1883 + protocol: TCP 
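Review bot: The `# image:` placeholder under `controllers.main.containers.main` gives no hint that the image is injected from `.Values.image` by `templates/common.yaml`, which is exactly where a reader overriding the image will look first; I would replace it with `# image: populated from .Values.image by templates/common.yaml — override that key, not this one`. The `secrets.envs.stringData` block invites `POSTGRES_PASSWORD` and friends to be typed into this file, which is normally committed; a line such as `# Supply credentials from a separate, untracked values file or --set; do not commit them here` next to the commented keys steers users right. Finally, `retain: true` on the `logs` emptyDir looks like a copy-paste from the PVC entries — if the library only honours it for `persistentVolumeClaim` it is dead config and worth dropping (inferred; verify against the common library).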
From 3f7dd81f5e7548d7ed07ad6bc377dddcb40eba66 Mon Sep 17 00:00:00 2001 From: JuniorJPDJ Date: Sat, 13 Apr 2024 02:37:13 +0200 Subject: [PATCH 02/10] fix configs --- charts/ejabberd/templates/common.yaml | 8 + charts/ejabberd/values.yaml | 394 +++++++++++++------------- 2 files changed, 204 insertions(+), 198 deletions(-) diff --git a/charts/ejabberd/templates/common.yaml b/charts/ejabberd/templates/common.yaml index 9b90c02..bb1e6cf 100644 --- a/charts/ejabberd/templates/common.yaml +++ b/charts/ejabberd/templates/common.yaml @@ -6,6 +6,14 @@ controllers: main: image: {{- toYaml .Values.image | nindent 10 }} + +configMaps: + config: + data: + {{- range $name, $cfg := .Values.configs }} + {{ quote $name }}: |- + {{- toYaml $cfg | nindent 8 }} + {{- end }} {{- end -}} {{- $_ := merge .Values (include "ejabberd.preprocess" . | fromYaml) -}} diff --git a/charts/ejabberd/values.yaml b/charts/ejabberd/values.yaml index 516a048..a7de394 100644 --- a/charts/ejabberd/values.yaml +++ b/charts/ejabberd/values.yaml 
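Review bot: `{{- toYaml $cfg | nindent 8 }}` assumes every entry under `.Values.configs` is a map; if a user supplies a scalar (a whole file as one string) it is re-serialised as a YAML scalar — a multi-line one becomes a nested `|-` block — instead of being written verbatim, which fails silently. Since patch 04 later adds raw files under `configMaps.config.data` directly, the intended split is: structured YAML goes in `configs`, verbatim files go in `configMaps.config.data`, and that deserves a comment above `configs:` in values.yaml. It is also worth stating there that `toYaml` drops comments and sorts keys, so the large commented example under `ejabberd.yml` never reaches the ConfigMap (desired, but a reader may expect the comments to survive).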
@@ -5,204 +5,202 @@ # https://github.com/bjw-s/helm-charts/blob/main/charts/library/common/values.yaml # -configMaps: - config: - data: - ejabberd.yml: - # This config uses envsubst internally to replace ${ENV_VAR_NAME} with environment variable values. - # The ${CAPTCHA_CMD} variable is always provided using entrypoint script and points to the captcha-ng.sh script/ - # You can put your sensitive variables into secret below and those will be provided as env vars to the container, - # then you can use those in your config. - # Example config from https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example - captcha_cmd: "${CAPTCHA_CMD}" - # hosts: - # - localhost - # loglevel: info - # ## If you already have certificates, list them here - # # certfiles: - # # - /etc/letsencrypt/live/domain.tld/fullchain.pem - # # - /etc/letsencrypt/live/domain.tld/privkey.pem - # captcha_url: auto - # listen: - # - port: 5222 - # ip: "::" - # module: ejabberd_c2s - # max_stanza_size: 262144 - # shaper: c2s_shaper - # access: c2s - # starttls_required: true - # - port: 5223 - # ip: "::" - # module: ejabberd_c2s - # max_stanza_size: 262144 - # shaper: c2s_shaper - # access: c2s - # tls: true - # - port: 5269 - # ip: "::" - # module: ejabberd_s2s_in - # max_stanza_size: 524288 - # shaper: s2s_shaper - # - port: 5443 - # ip: "::" - # module: ejabberd_http - # tls: true - # request_handlers: - # /admin: ejabberd_web_admin - # /api: mod_http_api - # /bosh: mod_bosh - # /captcha: ejabberd_captcha - # /upload: mod_http_upload - # /ws: ejabberd_http_ws - # - port: 1883 - # ip: "::" - # module: mod_mqtt - # backlog: 1000 - # s2s_use_starttls: optional - # acl: - # local: - # user_regexp: "" - # loopback: - # ip: - # - 127.0.0.0/8 - # - ::1/128 - # access_rules: - # local: - # allow: local - # c2s: - # deny: blocked - # allow: all - # announce: - # allow: admin - # configure: - # allow: admin - # muc_create: - # allow: local - # pubsub_createnode: - # allow: local - # 
trusted_network: - # allow: loopback - # api_permissions: - # "console commands": - # from: - # - ejabberd_ctl - # who: all - # what: "*" - # "admin access": - # who: - # access: - # allow: - # - acl: loopback - # - acl: admin - # oauth: - # scope: "ejabberd:admin" - # access: - # allow: - # - acl: loopback - # - acl: admin - # what: - # - "*" - # - "!stop" - # - "!start" - # "public commands": - # who: - # ip: 127.0.0.1/8 - # what: - # - status - # - connected_users_number - # shaper: - # normal: - # rate: 3000 - # burst_size: 20000 - # fast: 100000 - # shaper_rules: - # max_user_sessions: 10 - # max_user_offline_messages: - # 5000: admin - # 100: all - # c2s_shaper: - # none: admin - # normal: all - # s2s_shaper: fast - # modules: - # mod_adhoc: {} - # mod_admin_extra: {} - # mod_announce: - # access: announce - # mod_avatar: {} - # mod_blocking: {} - # mod_bosh: {} - # mod_caps: {} - # mod_carboncopy: {} - # mod_client_state: {} - # mod_configure: {} - # mod_disco: {} - # mod_fail2ban: {} - # mod_http_api: {} - # mod_http_upload: - # put_url: https://@HOST@:5443/upload - # custom_headers: - # "Access-Control-Allow-Origin": "https://@HOST@" - # "Access-Control-Allow-Methods": "GET,HEAD,PUT,OPTIONS" - # "Access-Control-Allow-Headers": "Content-Type" - # mod_last: {} - # mod_mam: - # ## Mnesia is limited to 2GB, better to use an SQL backend - # ## For small servers SQLite is a good fit and is very easy - # ## to configure. 
Uncomment this when you have SQL configured: - # ## db_type: sql - # assume_mam_usage: true - # default: always - # mod_mqtt: {} - # mod_muc: - # access: - # - allow - # access_admin: - # - allow: admin - # access_create: muc_create - # access_persistent: muc_create - # access_mam: - # - allow - # default_room_options: - # mam: true - # mod_muc_admin: {} - # mod_offline: - # access_max_user_messages: max_user_offline_messages - # mod_ping: {} - # mod_privacy: {} - # mod_private: {} - # mod_proxy65: - # access: local - # max_connections: 5 - # mod_pubsub: - # access_createnode: pubsub_createnode - # plugins: - # - flat - # - pep - # force_node_config: - # ## Avoid buggy clients to make their bookmarks public - # storage:bookmarks: - # access_model: whitelist - # mod_push: {} - # mod_push_keepalive: {} - # mod_register: - # ## Only accept registration requests from the "trusted" - # ## network (see access_rules section above). - # ## Think twice before enabling registration from any - # ## address. See the Jabber SPAM Manifesto for details: - # ## https://github.com/ge0rg/jabber-spam-fighting-manifesto - # ip_access: trusted_network - # mod_roster: - # versioning: true - # mod_s2s_dialback: {} - # mod_shared_roster: {} - # mod_stream_mgmt: - # resend_on_timeout: if_offline - # mod_stun_disco: {} - # mod_vcard: {} - # mod_vcard_xupdate: {} - # mod_version: - # show_os: false +configs: + ejabberd.yml: + # This config uses envsubst internally to replace ${ENV_VAR_NAME} with environment variable values. + # The ${CAPTCHA_CMD} variable is always provided using entrypoint script and points to the captcha-ng.sh script/ + # You can put your sensitive variables into secret below and those will be provided as env vars to the container, + # then you can use those in your config. 
+ # Example config from https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example + captcha_cmd: "${CAPTCHA_CMD}" + # hosts: + # - localhost + # loglevel: info + # ## If you already have certificates, list them here + # # certfiles: + # # - /etc/letsencrypt/live/domain.tld/fullchain.pem + # # - /etc/letsencrypt/live/domain.tld/privkey.pem + # captcha_url: auto + # listen: + # - port: 5222 + # ip: "::" + # module: ejabberd_c2s + # max_stanza_size: 262144 + # shaper: c2s_shaper + # access: c2s + # starttls_required: true + # - port: 5223 + # ip: "::" + # module: ejabberd_c2s + # max_stanza_size: 262144 + # shaper: c2s_shaper + # access: c2s + # tls: true + # - port: 5269 + # ip: "::" + # module: ejabberd_s2s_in + # max_stanza_size: 524288 + # shaper: s2s_shaper + # - port: 5443 + # ip: "::" + # module: ejabberd_http + # tls: true + # request_handlers: + # /admin: ejabberd_web_admin + # /api: mod_http_api + # /bosh: mod_bosh + # /captcha: ejabberd_captcha + # /upload: mod_http_upload + # /ws: ejabberd_http_ws + # - port: 1883 + # ip: "::" + # module: mod_mqtt + # backlog: 1000 + # s2s_use_starttls: optional + # acl: + # local: + # user_regexp: "" + # loopback: + # ip: + # - 127.0.0.0/8 + # - ::1/128 + # access_rules: + # local: + # allow: local + # c2s: + # deny: blocked + # allow: all + # announce: + # allow: admin + # configure: + # allow: admin + # muc_create: + # allow: local + # pubsub_createnode: + # allow: local + # trusted_network: + # allow: loopback + # api_permissions: + # "console commands": + # from: + # - ejabberd_ctl + # who: all + # what: "*" + # "admin access": + # who: + # access: + # allow: + # - acl: loopback + # - acl: admin + # oauth: + # scope: "ejabberd:admin" + # access: + # allow: + # - acl: loopback + # - acl: admin + # what: + # - "*" + # - "!stop" + # - "!start" + # "public commands": + # who: + # ip: 127.0.0.1/8 + # what: + # - status + # - connected_users_number + # shaper: + # normal: + # rate: 3000 + # burst_size: 20000 + 
# fast: 100000 + # shaper_rules: + # max_user_sessions: 10 + # max_user_offline_messages: + # 5000: admin + # 100: all + # c2s_shaper: + # none: admin + # normal: all + # s2s_shaper: fast + # modules: + # mod_adhoc: {} + # mod_admin_extra: {} + # mod_announce: + # access: announce + # mod_avatar: {} + # mod_blocking: {} + # mod_bosh: {} + # mod_caps: {} + # mod_carboncopy: {} + # mod_client_state: {} + # mod_configure: {} + # mod_disco: {} + # mod_fail2ban: {} + # mod_http_api: {} + # mod_http_upload: + # put_url: https://@HOST@:5443/upload + # custom_headers: + # "Access-Control-Allow-Origin": "https://@HOST@" + # "Access-Control-Allow-Methods": "GET,HEAD,PUT,OPTIONS" + # "Access-Control-Allow-Headers": "Content-Type" + # mod_last: {} + # mod_mam: + # ## Mnesia is limited to 2GB, better to use an SQL backend + # ## For small servers SQLite is a good fit and is very easy + # ## to configure. Uncomment this when you have SQL configured: + # ## db_type: sql + # assume_mam_usage: true + # default: always + # mod_mqtt: {} + # mod_muc: + # access: + # - allow + # access_admin: + # - allow: admin + # access_create: muc_create + # access_persistent: muc_create + # access_mam: + # - allow + # default_room_options: + # mam: true + # mod_muc_admin: {} + # mod_offline: + # access_max_user_messages: max_user_offline_messages + # mod_ping: {} + # mod_privacy: {} + # mod_private: {} + # mod_proxy65: + # access: local + # max_connections: 5 + # mod_pubsub: + # access_createnode: pubsub_createnode + # plugins: + # - flat + # - pep + # force_node_config: + # ## Avoid buggy clients to make their bookmarks public + # storage:bookmarks: + # access_model: whitelist + # mod_push: {} + # mod_push_keepalive: {} + # mod_register: + # ## Only accept registration requests from the "trusted" + # ## network (see access_rules section above). + # ## Think twice before enabling registration from any + # ## address. 
See the Jabber SPAM Manifesto for details: + # ## https://github.com/ge0rg/jabber-spam-fighting-manifesto + # ip_access: trusted_network + # mod_roster: + # versioning: true + # mod_s2s_dialback: {} + # mod_shared_roster: {} + # mod_stream_mgmt: + # resend_on_timeout: if_offline + # mod_stun_disco: {} + # mod_vcard: {} + # mod_vcard_xupdate: {} + # mod_version: + # show_os: false secrets: envs: From 3f2ab327663e989cf1ff8046412ea678cb528225 Mon Sep 17 00:00:00 2001 From: JuniorJPDJ Date: Sat, 13 Apr 2024 02:41:49 +0200 Subject: [PATCH 03/10] add /tmp mount --- charts/ejabberd/values.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/charts/ejabberd/values.yaml b/charts/ejabberd/values.yaml index a7de394..68084ed 100644 --- a/charts/ejabberd/values.yaml +++ b/charts/ejabberd/values.yaml @@ -254,6 +254,12 @@ persistence: globalMounts: - path: /home/ejabberd/conf readOnly: true + tmp: + type: emptyDir + globalMounts: + - path: /tmp + readOnly: false + sizeLimit: 100Mi defaultPodOptions: securityContext: From 5dcc4b88fd86731f21a1872e3c626b1b06ac82f3 Mon Sep 17 00:00:00 2001 From: JuniorJPDJ Date: Sat, 13 Apr 2024 02:47:09 +0200 Subject: [PATCH 04/10] add missing config files --- charts/ejabberd/values.yaml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/charts/ejabberd/values.yaml b/charts/ejabberd/values.yaml index 68084ed..4fb937e 100644 --- a/charts/ejabberd/values.yaml +++ b/charts/ejabberd/values.yaml @@ -210,6 +210,16 @@ secrets: # POSTGRES_USER: # POSTGRES_PASSWORD: +configMaps: + config: + data: + inetrc: | + {lookup,["file","native"]}. + {host,{127,0,0,1}, ["localhost","hostalias"]}. + {file, resolv, "/etc/resolv.conf"}. + ejabberdctl.cfg: | + NO_TIMEOUT="--no-timeout" + certificates: # requires working installation of cert-manager xmpp-example-com: From 5aad90da6a4cbfabeaf84b8d4208fbd0821d820d Mon Sep 17 00:00:00 2001 
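Review bot: `configMaps.config.data` is now defined in two places — statically here (`inetrc`, `ejabberdctl.cfg`) and generated from `configs` by `templates/common.yaml` — and the two are combined by the `merge` in that template, where the values-file side takes precedence. A user who sets `configMaps.config.data.ejabberd.yml` directly will therefore silently shadow whatever `configs.ejabberd.yml` produces, including the certfiles wiring added later in this series. A comment above `configMaps:` such as `# Raw files only; ejabberd.yml is generated from .Values.configs and must not be set here` makes the contract explicit.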
From: JuniorJPDJ Date: Sat, 13 Apr 2024 02:48:43 +0200 Subject: [PATCH 05/10] rw rootfs --- charts/ejabberd/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/ejabberd/values.yaml b/charts/ejabberd/values.yaml index 4fb937e..d68331a 100644 --- a/charts/ejabberd/values.yaml +++ b/charts/ejabberd/values.yaml @@ -286,7 +286,7 @@ controllers: capabilities: drop: - ALL - readOnlyRootFilesystem: true + readOnlyRootFilesystem: false runAsNonRoot: true runAsUser: 9000 runAsGroup: 9000 From 65ce086ce28908e75905dd3df360168d135dc558 Mon Sep 17 00:00:00 2001 From: JuniorJPDJ Date: Sat, 13 Apr 2024 03:23:31 +0200 Subject: [PATCH 06/10] fix cert enablement --- charts/ejabberd/templates/certificates.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/ejabberd/templates/certificates.yaml b/charts/ejabberd/templates/certificates.yaml index d7fb6d4..58b8e17 100644 --- a/charts/ejabberd/templates/certificates.yaml +++ b/charts/ejabberd/templates/certificates.yaml @@ -1,6 +1,6 @@ {{- include "bjw-s.common.loader.init" . }} {{- range $name, $v := .Values.certificates }} -{{- if $v.enabled }} +{{- if dig "enabled" true $v }} apiVersion: cert-manager.io/v1 kind: Certificate metadata: From 782929f883b00f68b12dd59dfa867954efca7532 Mon Sep 17 00:00:00 2001 From: JuniorJPDJ Date: Mon, 15 Apr 2024 22:08:26 +0200 Subject: [PATCH 07/10] bump common lib --- charts/ejabberd/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/ejabberd/Chart.yaml b/charts/ejabberd/Chart.yaml index 31c3778..162f6ed 100644 --- a/charts/ejabberd/Chart.yaml +++ b/charts/ejabberd/Chart.yaml @@ -16,7 +16,7 @@ keywords: dependencies: - name: common repository: https://bjw-s.github.io/helm-charts - version: 3.0.4 + version: 3.1.0 sources: - https://github.com/processone/ejabberd - https://github.com/JuniorJPDJ/containers From 0c500d1234dad22ba833127a179454d1bc58f22a Mon Sep 17 00:00:00 2001 
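Review bot: Flipping `readOnlyRootFilesystem` to `false` removes the one hardening control that stops a compromised ejabberd process from modifying its own binaries and libraries, and the commit does not say which path still needs to be writable now that `/tmp` has its own emptyDir from patch 03. The preferred fix is to identify that path (the entrypoint's permission error in the container log will name it) and give it a small emptyDir mount, restoring `readOnlyRootFilesystem: true`. If the writable root genuinely has to stay, the line should carry the reason, e.g. `readOnlyRootFilesystem: false  # TODO: <path> needs writes at startup; give it an emptyDir and re-enable`.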
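Review bot: `dig "enabled" true $v` requires `$v` to be a map, so a user who disables an inherited certificate the usual Helm way — `certificates.xmpp-example-com: null` in an override — now gets a template error from `dig` instead of the entry being skipped (inferred from Sprig's `dig` implementation; a quick `helm template` with such an override would confirm). Guarding with `{{- if and $v (dig "enabled" true $v) }}` keeps the new default-enabled behaviour and tolerates nulled entries. The same lookup is repeated in the persistence block of patch 09 and the `ejabberd.dynamic_certfiles` template of patch 10.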
From: JuniorJPDJ Date: Mon, 15 Apr 2024 22:13:26 +0200 Subject: [PATCH 08/10] fix certs --- charts/ejabberd/templates/certificates.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/charts/ejabberd/templates/certificates.yaml b/charts/ejabberd/templates/certificates.yaml index 58b8e17..72f7a52 100644 --- a/charts/ejabberd/templates/certificates.yaml +++ b/charts/ejabberd/templates/certificates.yaml @@ -1,16 +1,17 @@ {{- include "bjw-s.common.loader.init" . }} +{{- $dot := . }} {{- range $name, $v := .Values.certificates }} {{- if dig "enabled" true $v }} apiVersion: cert-manager.io/v1 kind: Certificate metadata: - name: {{ include "bjw-s.common.lib.chart.names.fullname" . }}-{{ $name }} + name: {{ include "bjw-s.common.lib.chart.names.fullname" $dot }}-{{ $name }} spec: dnsNames: {{- toYaml $v.dnsNames | nindent 4 }} issuerRef: {{- toYaml $v.issuerRef | nindent 4 }} - secretName: {{ include "bjw-s.common.lib.chart.names.fullname" . }}-{{ $name }}-cert + secretName: {{ include "bjw-s.common.lib.chart.names.fullname" $dot }}-{{ $name }}-cert --- {{- end }} From 75b6895965dd715f465cf44540168a0483eda557 Mon Sep 17 00:00:00 2001 From: JuniorJPDJ Date: Wed, 5 Jun 2024 22:54:04 +0200 Subject: [PATCH 09/10] mount certs --- .gitignore | 2 ++ charts/ejabberd/templates/common.yaml | 16 ++++++++++++++++ charts/ejabberd/values.yaml | 2 +- 3 files changed, 19 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index 6637f0a..1a359b5 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,3 @@ charts/*/charts/ +.idea/ +charts/*/output/ \ No newline at end of file diff --git a/charts/ejabberd/templates/common.yaml b/charts/ejabberd/templates/common.yaml index bb1e6cf..185911d 100644 --- a/charts/ejabberd/templates/common.yaml +++ b/charts/ejabberd/templates/common.yaml @@ -1,4 +1,5 @@ {{/* Preprocess values and prepare config file */}} +{{- include "bjw-s.common.loader.init" . }} {{- define "ejabberd.preprocess" -}} controllers: main: 
@@ -7,6 +8,19 @@ controllers: image: {{- toYaml .Values.image | nindent 10 }} +persistence: + {{- $dot := . }} + {{- range $name, $v := .Values.certificates }} + {{- if dig "enabled" true $v }} + {{- printf "%s-cert" $name | nindent 2 }}: + type: secret + name: {{ include "bjw-s.common.lib.chart.names.fullname" $dot }}-{{ $name }}-cert + globalMounts: + - path: /home/ejabberd/conf/certs/{{ $name }} + readOnly: true + {{- end }} + {{- end }} + configMaps: config: data: @@ -14,6 +28,8 @@ configMaps: {{ quote $name }}: |- {{- toYaml $cfg | nindent 8 }} {{- end }} + + {{- end -}} {{- $_ := merge .Values (include "ejabberd.preprocess" . | fromYaml) -}} diff --git a/charts/ejabberd/values.yaml b/charts/ejabberd/values.yaml index d68331a..892a645 100644 --- a/charts/ejabberd/values.yaml +++ b/charts/ejabberd/values.yaml @@ -8,7 +8,7 @@ configs: ejabberd.yml: # This config uses envsubst internally to replace ${ENV_VAR_NAME} with environment variable values. - # The ${CAPTCHA_CMD} variable is always provided using entrypoint script and points to the captcha-ng.sh script/ + # The ${CAPTCHA_CMD} variable is always provided using entrypoint script and points to the captcha-ng.sh script. # You can put your sensitive variables into secret below and those will be provided as env vars to the container, # then you can use those in your config. # Example config from https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example From ba6a00761e5c3713a9156a13a8cb3ca5b41a0ea9 Mon Sep 17 00:00:00 2001 From: JuniorJPDJ Date: Thu, 6 Jun 2024 00:03:03 +0200 Subject: [PATCH 10/10] generate certfiles in ejabberd.yml from .Values.certificatates and concat those with user-provided values --- charts/ejabberd/templates/common.yaml | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/charts/ejabberd/templates/common.yaml b/charts/ejabberd/templates/common.yaml index 185911d..69b8722 100644 --- a/charts/ejabberd/templates/common.yaml 
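Review bot: The certificate map key `$name` now lands in three namespaces at once — a Kubernetes Secret name (`<fullname>-<name>-cert`), a persistence key (`<name>-cert`) and a mount path under `/home/ejabberd/conf/certs/` — yet nothing in values.yaml says it must therefore be a valid DNS-1123 label (lower-case alphanumerics and `-`); an upper-case or underscored key fails only at apply time. A comment on the `certificates:` stanza in values.yaml, `# keys must be DNS-1123 labels: they become part of Secret names and mount paths`, closes that gap. Separately, this mounts the private key (`tls.key`) as a plain secret volume at the default mode 0644; inside a single-user, non-root container that is acceptable, but if the common library exposes a `defaultMode` for `type: secret` mounts it would be worth setting it to `0440` (not verified against the library).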
+++ b/charts/ejabberd/templates/common.yaml @@ -28,10 +28,26 @@ configMaps: {{ quote $name }}: |- {{- toYaml $cfg | nindent 8 }} {{- end }} +{{- end -}} - +{{/* Template for generating certfiles from certificates */}} +{{- define "ejabberd.dynamic_certfiles" -}} +{{- range $name, $v := .Values.certificates }} +{{- if dig "enabled" true $v }} + - /home/ejabberd/conf/certs/{{ $name }}/tls.crt + - /home/ejabberd/conf/certs/{{ $name }}/tls.key +{{- end }} +{{- end }} {{- end -}} -{{- $_ := merge .Values (include "ejabberd.preprocess" . | fromYaml) -}} + +{{/* Concatenate certfiles from certificates and provided by user */}} +{{- $ejabberdyml := get .Values.configs "ejabberd.yml" }} +{{- $certfiles := concat (dig "certfiles" (list) $ejabberdyml) (include "ejabberd.dynamic_certfiles" . | fromYamlArray) }} +{{- $_ := set $ejabberdyml "certfiles" (default (list) $certfiles) }} +{{- $_ = set .Values.configs "ejabberd.yml" $ejabberdyml }} + +{{/* Merge values provided by user with those generated by preprocessing */}} +{{- $_ = mustMerge .Values (include "ejabberd.preprocess" . | fromYaml) -}} {{/* Render the templates */}} {{- include "bjw-s.common.loader.all" . }}
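Review bot: `get .Values.configs "ejabberd.yml"` returns an empty string when that key (or `configs` itself) has been removed by an override, and the next line's `dig "certfiles" (list) $ejabberdyml` then fails with a type error instead of a message naming what is missing. `{{- $ejabberdyml := required "configs.ejabberd.yml must be a map" (get .Values.configs "ejabberd.yml") }}` gives a clear failure, or `default (dict)` if an absent config should simply receive `certfiles`. Two smaller points: `get` returns a reference to the same map, so the first `set` already mutates `.Values.configs` and the following `set .Values.configs "ejabberd.yml" $ejabberdyml` is a no-op; and the `tls.crt`/`tls.key` file names are a contract with cert-manager's Secret layout that the `ejabberd.dynamic_certfiles` comment should state, e.g. `{{/* cert-manager writes tls.crt and tls.key into the Certificate's secret; keep in sync with the certs mount in persistence */}}`.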