Update chart, return better error message when private_key can't be read

2026-01-16 18:43:10 -06:00 · 2023-01-06 14:36:00 +01:00 · 2023-01-06 14:36:00 +01:00 · 914e8eaff8
parent f00c3e26a8
commit 914e8eaff8
7 changed files with 76 additions and 81 deletions
--- a/helm/dendrite/README.md
+++ b/helm/dendrite/README.md
@ -53,18 +53,24 @@ Create a folder `appservices` and place your configurations in there.  The confi
 | persistence.media.capacity | string | `"1Gi"` | PVC Storage Request for the media volume |
 | persistence.search.existingClaim | string | `""` | Use an existing volume claim for the fulltext search index |
 | persistence.search.capacity | string | `"1Gi"` | PVC Storage Request for the search volume |
+| dendrite_config.version | int | `2` |  |
 | dendrite_config.global.server_name | string | `""` | **REQUIRED** Servername for this Dendrite deployment. |
+| dendrite_config.global.private_key | string | `"/etc/dendrite/secrets/signing.key"` | The private key to use. (**NOTE**: This is overriden in Helm) |
 | dendrite_config.global.well_known_server_name | string | `""` | The server name to delegate server-server communications to, with optional port e.g. localhost:443 |
 | dendrite_config.global.well_known_client_name | string | `""` | The server name to delegate client-server communications to, with optional port e.g. localhost:443 |
 | dendrite_config.global.trusted_third_party_id_servers | list | `["matrix.org","vector.im"]` | Lists of domains that the server will trust as identity servers to verify third party identifiers such as phone numbers and email addresses. |
+| dendrite_config.global.old_private_keys | string | `nil` | The paths and expiry timestamps (as a UNIX timestamp in millisecond precision) to old signing keys that were formerly in use on this domain name. These keys will not be used for federation request or event signing, but will be provided to any other homeserver that asks when trying to verify old events. |
 | dendrite_config.global.disable_federation | bool | `false` | Disable federation. Dendrite will not be able to make any outbound HTTP requests to other servers and the federation API will not be exposed. |
 | dendrite_config.global.key_validity_period | string | `"168h0m0s"` |  |
-| dendrite_config.global.database.host | string | `""` | Default database host. (**REQUIRED** if not using the postgres dependency) |
-| dendrite_config.global.database.user | string | `""` | Default database user. (**REQUIRED** if not using the postgres dependency) |
-| dendrite_config.global.database.password | string | `""` | Default database password. (**REQUIRED** if not using the postgres dependency) |
+| dendrite_config.global.database.connection_string | string | `""` | The connection string for connections to Postgres. This will be set automatically if using the Postgres dependency |
 | dendrite_config.global.database.max_open_conns | int | `90` | Default database maximum open connections |
 | dendrite_config.global.database.max_idle_conns | int | `5` | Default database maximum idle connections |
 | dendrite_config.global.database.conn_max_lifetime | int | `-1` | Default database maximum lifetime |
+| dendrite_config.global.jetstream.storage_path | string | `"/data/jetstream"` | Persistent directory to store JetStream streams in. |
+| dendrite_config.global.jetstream.addresses | list | `[]` | NATS JetStream server addresses if not using internal NATS. |
+| dendrite_config.global.jetstream.topic_prefix | string | `"Dendrite"` | The prefix for JetStream streams |
+| dendrite_config.global.jetstream.in_memory | bool | `false` | Keep all data in memory. (**NOTE**: This is overriden in Helm to `false`) |
+| dendrite_config.global.jetstream.disable_tls_validation | bool | `true` | Disables TLS validation. This should **NOT** be used in production. |
 | dendrite_config.global.cache.max_size_estimated | string | `"1gb"` | The estimated maximum size for the global cache in bytes, or in terabytes, gigabytes, megabytes or kilobytes when the appropriate 'tb', 'gb', 'mb' or 'kb' suffix is specified. Note that this is not a hard limit, nor is it a memory limit for the entire process. A cache that is too small may ultimately provide little or no benefit. |
 | dendrite_config.global.cache.max_age | string | `"1h"` | The maximum amount of time that a cache entry can live for in memory before it will be evicted and/or refreshed from the database. Lower values result in easier admission of new cache entries but may also increase database load in comparison to higher values, so adjust conservatively. Higher values may make it harder for new items to make it into the cache, e.g. if new rooms suddenly become popular. |
 | dendrite_config.global.report_stats.enabled | bool | `false` | Configures phone-home statistics reporting. These statistics contain the server name, number of active users and some information on your deployment config. We use this information to understand how Dendrite is being used in the wild. |
@ -86,6 +92,7 @@ Create a folder `appservices` and place your configurations in there.  The confi
 | dendrite_config.global.profiling.port | int | `65432` | pprof port, if enabled |
 | dendrite_config.mscs | object | `{"mscs":["msc2946"]}` | Configuration for experimental MSC's. (Valid values are: msc2836 and msc2946) |
 | dendrite_config.app_service_api.disable_tls_validation | bool | `false` | Disable the validation of TLS certificates of appservices. This is not recommended in production since it may allow appservice traffic to be sent to an insecure endpoint. |
+| dendrite_config.app_service_api.config_files | list | `[]` | Appservice config files to load on startup. (**NOTE**: This is overriden by Helm, if a folder `./appservices/` exists) |
 | dendrite_config.clientapi.registration_disabled | bool | `true` | Prevents new users from being able to register on this homeserver, except when using the registration shared secret below. |
 | dendrite_config.clientapi.guests_disabled | bool | `true` |  |
 | dendrite_config.clientapi.registration_shared_secret | string | `""` | If set, allows registration by anyone who knows the shared secret, regardless of whether registration is otherwise disabled. |
@ -108,10 +115,11 @@ Create a folder `appservices` and place your configurations in there.  The confi
 | dendrite_config.federation_api.prefer_direct_fetch | bool | `false` |  |
 | dendrite_config.federation_api.disable_http_keepalives | bool | `false` | Prevents Dendrite from keeping HTTP connections open for reuse for future requests. Connections will be closed quicker but we may spend more time on TLS handshakes instead. |
 | dendrite_config.federation_api.key_perspectives | list | See value.yaml | Perspective keyservers, to use as a backup when direct key fetch requests don't succeed. |
-| dendrite_config.mediaapi.max_file_size_bytes | string | `"10485760"` | The max file size for uploaded media files |
-| dendrite_config.mediaapi.dynamic_thumbnails | bool | `false` |  |
-| dendrite_config.mediaapi.max_thumbnail_generators | int | `10` | The maximum number of simultaneous thumbnail generators to run. |
-| dendrite_config.mediaapi.thumbnail_sizes | list | See value.yaml | A list of thumbnail sizes to be generated for media content. |
+| dendrite_config.media_api.base_path | string | `"/data/media_store"` | The path to store media files (e.g. avatars) in |
+| dendrite_config.media_api.max_file_size_bytes | int | `10485760` | The max file size for uploaded media files |
+| dendrite_config.media_api.dynamic_thumbnails | bool | `false` |  |
+| dendrite_config.media_api.max_thumbnail_generators | int | `10` | The maximum number of simultaneous thumbnail generators to run. |
+| dendrite_config.media_api.thumbnail_sizes | list | See value.yaml | A list of thumbnail sizes to be generated for media content. |
 | dendrite_config.sync_api.real_ip_header | string | `"X-Real-IP"` | This option controls which HTTP header to inspect to find the real remote IP address of the client. This is likely required if Dendrite is running behind a reverse proxy server. |
 | dendrite_config.sync_api.search | object | `{"enabled":true,"index_path":"/data/search","language":"en"}` | Configuration for the full-text search engine. |
 | dendrite_config.sync_api.search.enabled | bool | `true` | Whether or not search is enabled. |
--- a/helm/dendrite/templates/_overrides.yaml
+++ b/helm/dendrite/templates/_overrides.yaml
@ -0,0 +1,16 @@
+{{- define "override.config" }}
+{{- if .Values.postgresql.enabled }}
+{{- $_ := set .Values.dendrite_config.global.database "connection_string" (print "postgresql://" .Values.postgresql.auth.username ":" .Values.postgresql.auth.password "@" .Release.Name "-postgresql/dendrite?sslmode=disable") -}}
+{{ end }}
+global:
+  private_key: /etc/dendrite/secrets/signing.key
+  jetstream:
+    in_memory: false
+{{ if (gt (len (.Files.Glob "appservices/*")) 0) }}
+app_service_api:
+  config_files:
+    {{- range $x, $y := .Files.Glob "appservices/*" }}
+    - /etc/dendrite/appservices/{{ base $x }}
+    {{ end }}
+{{ end }}
+{{ end }}
--- a/helm/dendrite/templates/deployment.yaml
+++ b/helm/dendrite/templates/deployment.yaml
@ -71,9 +71,9 @@ spec:
          name: {{ include "dendrite.fullname" . }}-appservices
          readOnly: true
        {{ end }}
-        - mountPath: /data/media_store
+        - mountPath: {{ .Values.dendrite_config.media_api.base_path }}
          name: {{ include "dendrite.fullname" . }}-media
-        - mountPath: /data/jetstream
+        - mountPath: {{ .Values.dendrite_config.global.jetstream.storage_path }}
          name: {{ include "dendrite.fullname" . }}-jetstream
        - mountPath: {{ .Values.dendrite_config.sync_api.search.index_path }}
          name: {{ include "dendrite.fullname" . }}-search
--- a/helm/dendrite/templates/jobs.yaml
+++ b/helm/dendrite/templates/jobs.yaml
@ -73,7 +73,7 @@ spec:
          done
          # update secret
          kubectl patch secret {{ $secretName }} -p "{\"data\":{\"signing.key\":\"$(base64 /etc/dendrite/signing-key.pem | tr -d '\n')\"}}"
-          [ $? -ne 0 ] && echo "Failed to update secret."
+          [ $? -ne 0 ] && echo "Failed to update secret." && exit 1
          echo "Signing key successfully created."
        volumeMounts:
        - mountPath: /etc/dendrite/
--- a/helm/dendrite/templates/secrets.yaml
+++ b/helm/dendrite/templates/secrets.yaml
@ -21,10 +21,6 @@ metadata:
 type: Opaque
 {{ end }}

-{{- $connectionString := print "postgresql://" .Values.dendrite_config.global.database.user ":" .Values.dendrite_config.global.database.password "@" .Values.dendrite_config.global.database.host }}
-{{- if .Values.postgresql.enabled }}
-{{- $connectionString = print "postgresql://" .Values.postgresql.auth.username ":" .Values.postgresql.auth.password "@" .Release.Name "-postgresql/dendrite" -}}
-{{ end }}
 ---
 apiVersion: v1
 kind: Secret
@ -34,59 +30,4 @@ metadata:
  namespace: {{ .Release.Namespace }}
 stringData:
  dendrite.yaml: |
-    version: 2
-    global:
-      server_name: {{ .Values.dendrite_config.global.server_name }}
-      private_key: /etc/dendrite/secrets/signing.key
-      key_id: ed25519:auto
-      key_validity_period: {{ .Values.dendrite_config.global.key_validity_period | quote }}
-      database:
-        connection_string: {{ $connectionString }}?sslmode=disable
-        max_open_conns: {{ .Values.dendrite_config.global.database.max_open_conns }}
-        max_idle_conns: {{ .Values.dendrite_config.global.database.max_idle_conns }}
-        conn_max_lifetime: {{ .Values.dendrite_config.global.database.conn_max_lifetime }}
-      cache:
-        max_size_estimated: {{ .Values.dendrite_config.global.cache.max_size_estimated | quote }}
-        max_age: {{ .Values.dendrite_config.global.cache.max_age }}
-      well_known_server_name: {{ .Values.dendrite_config.global.well_known_server_name | quote }}
-      well_known_client_name: {{ .Values.dendrite_config.global.well_known_client_name | quote }}
-      trusted_third_party_id_servers:
-      {{- toYaml .Values.dendrite_config.global.trusted_third_party_id_servers | nindent 8 }}
-      disable_federation: {{ .Values.dendrite_config.global.disable_federation }}
-      report_stats:
-        {{- toYaml .Values.dendrite_config.global.report_stats | nindent 8 }}
-      presence:
-        {{- toYaml .Values.dendrite_config.global.presence | nindent 8 }}
-      server_notices:
-        {{- toYaml .Values.dendrite_config.global.server_notices | nindent 8 }}
-      jetstream:
-        in_memory: false
-        storage_path: /data/jetstream
-      metrics:
-        {{- toYaml .Values.dendrite_config.global.metrics | nindent 8 }}
-      dns_cache:
-        {{- toYaml .Values.dendrite_config.global.dns_cache | nindent 8 }}
-    mscs:
-      mscs:
-        {{- toYaml .Values.dendrite_config.mscs.mscs | nindent 8 }}
-    app_service_api:
-      disable_tls_validation: {{ .Values.dendrite_config.app_service_api.disable_tls_validation }} 
-      config_files:
-        {{- range $x, $y := .Files.Glob "appservices/*" }}
-          - /etc/dendrite/appservices/{{ base $x }}
-        {{ end }}
-    client_api:
-      {{- toYaml .Values.dendrite_config.clientapi | nindent 6 }}
-    federation_api:
-      {{- toYaml .Values.dendrite_config.federation_api | nindent 6 }}
-    media_api:
-      base_path: /data/media_store
-      max_file_size_bytes: {{ int .Values.dendrite_config.mediaapi.max_file_size_bytes }}
-      dynamic_thumbnails: {{ .Values.dendrite_config.mediaapi.dynamic_thumbnails }}
-      max_thumbnail_generators: {{ .Values.dendrite_config.mediaapi.max_thumbnail_generators }}
-      thumbnail_sizes:
-        {{- toYaml .Values.dendrite_config.mediaapi.thumbnail_sizes | nindent 8 }}
-    sync_api:
-      {{- toYaml .Values.dendrite_config.sync_api | nindent 6 }}
-    logging:
-      {{- toYaml .Values.dendrite_config.logging | nindent 6 }}
+    {{ toYaml ( mustMergeOverwrite .Values.dendrite_config  ( fromYaml (include "override.config" .) ) .Values.dendrite_config ) | nindent 4 }}
--- a/helm/dendrite/values.yaml
+++ b/helm/dendrite/values.yaml
@ -42,10 +42,14 @@ persistence:
    capacity: "1Gi"

 dendrite_config:
+  version: 2
  global:
    # -- **REQUIRED** Servername for this Dendrite deployment.
    server_name: ""

+    # -- The private key to use. (**NOTE**: This is overriden in Helm)
+    private_key: /etc/dendrite/secrets/signing.key
+
    # -- The server name to delegate server-server communications to, with optional port
    # e.g. localhost:443
    well_known_server_name: ""
@ -60,6 +64,19 @@ dendrite_config:
      - matrix.org
      - vector.im

+    # -- The paths and expiry timestamps (as a UNIX timestamp in millisecond precision)
+    # to old signing keys that were formerly in use on this domain name. These
+    # keys will not be used for federation request or event signing, but will be
+    # provided to any other homeserver that asks when trying to verify old events.
+    old_private_keys:
+    #  If the old private key file is available:
+    #  - private_key: old_matrix_key.pem
+    #    expired_at: 1601024554498
+    #  If only the public key (in base64 format) and key ID are known:
+    #  - public_key: mn59Kxfdq9VziYHSBzI7+EDPDcBS2Xl7jeUdiiQcOnM=
+    #    key_id: ed25519:mykeyid
+    #    expired_at: 1601024554498
+
    # -- Disable federation. Dendrite will not be able to make any outbound HTTP requests
    # to other servers and the federation API will not be exposed.
    disable_federation: false
@ -67,12 +84,9 @@ dendrite_config:
    key_validity_period: 168h0m0s

    database:
-      # -- Default database host. (**REQUIRED** if not using the postgres dependency)
-      host: ""
-      # -- Default database user. (**REQUIRED** if not using the postgres dependency)
-      user: ""
-      # -- Default database password. (**REQUIRED** if not using the postgres dependency)
-      password: ""
+      # -- The connection string for connections to Postgres.
+      # This will be set automatically if using the Postgres dependency
+      connection_string: ""

      # -- Default database maximum open connections
      max_open_conns: 90
@ -81,6 +95,18 @@ dendrite_config:
      # -- Default database maximum lifetime
      conn_max_lifetime: -1

+    jetstream:
+      # -- Persistent directory to store JetStream streams in.
+      storage_path: "/data/jetstream"
+      # -- NATS JetStream server addresses if not using internal NATS.
+      addresses: []
+      # -- The prefix for JetStream streams
+      topic_prefix: "Dendrite"
+      # -- Keep all data in memory. (**NOTE**: This is overriden in Helm to `false`)
+      in_memory: false
+      # -- Disables TLS validation. This should **NOT** be used in production.
+      disable_tls_validation: true
+
    cache:
      # -- The estimated maximum size for the global cache in bytes, or in terabytes,
      # gigabytes, megabytes or kilobytes when the appropriate 'tb', 'gb', 'mb' or
@ -166,6 +192,8 @@ dendrite_config:
    # not recommended in production since it may allow appservice traffic
    # to be sent to an insecure endpoint.
    disable_tls_validation: false
+    # -- Appservice config files to load on startup. (**NOTE**: This is overriden by Helm, if a folder `./appservices/` exists)
+    config_files: []


  clientapi:
@ -236,9 +264,11 @@ dendrite_config:
          - key_id: ed25519:a_RXGa
            public_key: l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ

-  mediaapi:
+  media_api:
+    # -- The path to store media files (e.g. avatars) in
+    base_path: "/data/media_store"
    # -- The max file size for uploaded media files
-    max_file_size_bytes: "10485760"
+    max_file_size_bytes: 10485760
    # Whether to dynamically generate thumbnails if needed.
    dynamic_thumbnails: false
    # -- The maximum number of simultaneous thumbnail generators to run.
@ -266,7 +296,7 @@ dendrite_config:
      # -- Whether or not search is enabled.
      enabled: true
      # -- The path to store the search index in.
-      index_path: /data/search
+      index_path: "/data/search"
      # -- The language most likely to be used on the server - used when indexing, to
      # ensure the returned results match expectations. A full list of possible languages
      # can be found [here](https://github.com/matrix-org/dendrite/blob/76db8e90defdfb9e61f6caea8a312c5d60bcc005/internal/fulltext/bleve.go#L25-L46)
--- a/setup/config/config.go
+++ b/setup/config/config.go
@ -228,7 +228,7 @@ func loadConfig(

 	privateKeyPath := absPath(basePath, c.Global.PrivateKeyPath)
 	if c.Global.KeyID, c.Global.PrivateKey, err = LoadMatrixKey(privateKeyPath, readFile); err != nil {
-		return nil, err
+		return nil, fmt.Errorf("failed to load private_key: %w", err)
 	}

 	for _, v := range c.Global.VirtualHosts {
@ -242,7 +242,7 @@ func loadConfig(
 		}
 		privateKeyPath := absPath(basePath, v.PrivateKeyPath)
 		if v.KeyID, v.PrivateKey, err = LoadMatrixKey(privateKeyPath, readFile); err != nil {
-			return nil, err
+			return nil, fmt.Errorf("failed to load private_key for virtualhost %s: %w", v.ServerName, err)
 		}
 	}