Add alertmanager bridge for prometheus alerts; replace Discord bridge with mautrix/discord (#588)

* add hookshot bridge

Signed-off-by: jessebot <jessebot@linux.com>

* remove hookshot bridge pvc until we have a need for it

Signed-off-by: jessebot <jessebot@linux.com>

* make sure we evaluate if hookshot is enabled everywhere

Signed-off-by: jessebot <jessebot@linux.com>

* tidy up existingSecret and existingConfigmap logic to use named templates

Signed-off-by: jessebot <jessebot@linux.com>

* fix volumes to use projected.sources for single directory with multiple secrets and configmaps

Signed-off-by: jessebot <jessebot@linux.com>

* fix incorrect secret values and missing n in nindent for security context

Signed-off-by: jessebot <jessebot@linux.com>

* helm-docs: automated action

Signed-off-by: jessebot <jessebot@linux.com>

* clean up pem generation docs

Signed-off-by: jessebot <jessebot@linux.com>

* helm-docs: automated action

Signed-off-by: jessebot <jessebot@linux.com>

* add all three ports for the services as listed in the hookshot helm chart

Signed-off-by: jessebot <jessebot@linux.com>

* helm-docs: automated action

Signed-off-by: jessebot <jessebot@linux.com>

* fix missing port parameter for bridge-hookshot deployment ports

Signed-off-by: jessebot <jessebot@linux.com>

* fix generic webhook docs

Signed-off-by: jessebot <jessebot@linux.com>

* helm-docs: automated action

Signed-off-by: jessebot <jessebot@linux.com>

* add more doc links for permissions and metrics

Signed-off-by: jessebot <jessebot@linux.com>

* helm-docs: automated action

Signed-off-by: jessebot <jessebot@linux.com>

* fix conditional for creating name of configmap

Signed-off-by: jessebot <jessebot@linux.com>

* fix base64 encoding of secrets

Signed-off-by: jessebot <jessebot@linux.com>

* fix projected volumes

Signed-off-by: jessebot <jessebot@linux.com>

* change yml to yaml for registration hookshot secret

Signed-off-by: jessebot <jessebot@linux.com>

* change config.yaml to config.yml for hookshot

Signed-off-by: jessebot <jessebot@linux.com>

* fix: listeners for hookshot bridge config was duplicated due to wrong placement of range function

Signed-off-by: jessebot <jessebot@linux.com>

* remove ingress and include as optional path

Signed-off-by: jessebot <jessebot@linux.com>

* add as_token for hookshot registration secret

Signed-off-by: jessebot <jessebot@linux.com>

* try to fix appservice port for registration.yaml

Signed-off-by: jessebot <jessebot@linux.com>

* fix appservice port, take 2

Signed-off-by: jessebot <jessebot@linux.com>

* change back to yml versus yaml for registration file

Signed-off-by: jessebot <jessebot@linux.com>

* fix listeners.resources range for configmap

Signed-off-by: jessebot <jessebot@linux.com>

* generate passkey.pem if there isn't one given or an existing secret for it

Signed-off-by: jessebot <jessebot@linux.com>

* add better docs on how passkey works for hookshot bridge

Signed-off-by: jessebot <jessebot@linux.com>

* fix helm-docs

Signed-off-by: jessebot <jessebot@linux.com>

* helm-docs: automated action

Signed-off-by: jessebot <jessebot@linux.com>

* update genPrivateKey function

Signed-off-by: jessebot <jessebot@linux.com>

* explain bridges a bit more in values.yaml

Signed-off-by: jessebot <jessebot@linux.com>

* fix secret templating for passkey.pem for hookshot bridge

Signed-off-by: jessebot <jessebot@linux.com>

* change nindent to indent for passkey.pem for hookshot

Signed-off-by: jessebot <jessebot@linux.com>

* fix ending whitespace for passkey.pem for hookshot bridge

Signed-off-by: jessebot <jessebot@linux.com>

* remove RSA from PRIVATE KEY for passkey.pem for hookshot bridge

Signed-off-by: jessebot <jessebot@linux.com>

* remove replace for RSA for hookshot bridge passkey.pem

Signed-off-by: jessebot <jessebot@linux.com>

* trim plain text passkey and also automatically template our registration for webhook and github

Signed-off-by: jessebot <jessebot@linux.com>

* recommend the /webhook endpoint instead of _hookshot_webhook

Signed-off-by: jessebot <jessebot@linux.com>

* adding encryption and removing spacing

Signed-off-by: jessebot <jessebot@linux.com>

* helm-docs: automated action

Signed-off-by: jessebot <jessebot@linux.com>

* remove more whitespace from registration

Signed-off-by: jessebot <jessebot@linux.com>

* remove extra bridge port from hookshot deployment as I don't _think_ we need it

* re-roll synapse and hookshot bridge deployments if underlying configs/secrets change

* add bridge port to match upstream example

* make registration templatable kinda

* helm-docs: automated action

* fix url on wrong line for hookshot bridge registration

* add back http:// for bridge svc

* add new mautrix discord bridge

* helm-docs: automated action

* first crack at adding mautrix discord bridge

* fix secret for mautrix bridge to template properly

* helm-docs: automated action

* allow for extra volumes to be passed to the mautrix deployment

* always recreate the mautrix/discord deployment and only allow 1 replica as per their docs

* fix default permissions

* fix templating of permissions for mautrix

* fix default permissions to be empty array for mautrix

* helm-docs: automated action

* fix registration for mautrix

* make sure that discord_mautrix is considered for mounting bridges pvc

* helm-docs: automated action

* change mautrix port for service

* fix registration.yaml for mautrix

* quote all templates

* use a volume for the data dir for mautrix/discord, allow existing claims for that and bridges for hookshot as well, update helpers for more useful named templates

* helm-docs: automated action

* fix missing end for mautrix discord helpers

* fix missing not for pvc existingClaim evaluation on mautrix/discord bridge

* turn off readonly root file system for bridge-mautrix-discord/deployment.yaml

* update mautrix securityContext and podSecurityContext

* helm-docs: automated action

* mautrix/discord disable security contexts by default

* helm-docs: automated action

* mautrix/discord: make as_token and hs_token match

* mautrix/discord: fix config-secret.yaml -> secret-config.yaml

* mautrix/discord bridge: make permissions a map {} instead of an array []

* helm-docs: automated action

* attempt to set default permissions for mautrix/discord

* use hostname instead of baseurl for permissions for mautrix/discord

* allow an admin user to be set for permissions for mautrix/discord

* helm-docs: automated action

* fix admin user templating for mautrix/discord

* try to fix registration regex

* mautrix/discord: add existingSecret for registration file or just hs_token/as_token

* helm-docs: automated action

* mautrix/discord: deployment: image.args: remove - from |-

* matrix/discord: remove args entirely from deployment initContainer, and just use command

* fix templating issues due to indentation in templates/bridge-mautrix-discord/deployment.yaml

* mautrix-bridge: update as_token/hs_token for config.yaml

* add debug lines in initcontainer

* mautrix/discord: set command for docker image, so we don't update the registration token by default

* mautrix/discord: specify config file for bridge

* change templating arg order

* mautrix/discord - update correct config.yaml tokens

* getting rid of synapse.ingress.host and adding bridges.discord_mautrix.admin_users

also adding more docs on removals

* bump chart to 13.0.0 as we have breaking changes

* helm-docs: automated action

* remove ingress.host from synapse ingress templating

* change replicasets to use .spec.revisionHistoryLimit to allow us to set less replicaSets being retained when argocd updates a deployment

* helm-docs: automated action

* add note that setting revisionHistoryLimit to 0 means you can't rollback a deployment

* helm-docs: automated action

* add a bunch more docs

* don't require encryption for appservice in mautrix/discord notes

* add hookshot user to registration for matrix

* clean up hookshot registration to match discord a bit more for appservice reg with synapse

* update default appservice service for hookshot

* helm-docs: automated action

* remove bridge port for hookshot deployment

* don't define default avatar urls for bots

* helm-docs: automated action

* clean up service and deployment for hookshot to only create ports if matrix or generic are enabled and set load config container to be alpine for loading speed

* try adding a random alertmanager service

* helm-docs: automated action

* fix values for alertmanager bridge

* helm-docs: automated action

* clean up default values for alertmanager

* helm-docs: automated action

* clean up more alert manager defaults

* quote alertmanager port in env var

* allow existing secret for registration for alertmanager and make sure synapse actually registers the service

* helm-docs: automated action

* add dash to if in deployment for alertmanager

* add http to service for alertmanager

* fix default docker image to be our own for the matrix alertmanager

* helm-docs: automated action

* update alertmanager to 0.9.0

* helm-docs: automated action

* try using 0.10.0-dev of our new image

* helm-docs: automated action

* try using jessebot/matrix-alertmanager-bot:0.10.1-dev

* helm-docs: automated action

* upgrade jessebot/matrix-alertmanager-bot to 0.10.0

* helm-docs: automated action

* finish filling out possible hookshot values

* helm-docs: automated action

* add listeners example comment for hookshot's widgets feature

* helm-docs: automated action

* move alertmanager bridge bot related values under bridges.alertmanager.config.bot and add bot.display_name and bot.avatar

* helm-docs: automated action

* update issues with alertmanager deployment templating and alertmanager.config.matrix_homeserver_url to alertmanager.config.homeserver_url

* helm-docs: automated action

* fix remaining templating issues with the bridge-alertmanager/deployment.yaml and always use with instead of if when possible

* bridge-alertmanager: fix avatar URL env var

* helm-docs: automated action

* update docs on registration and rooms values for alertmanager

* helm-docs: automated action

* allow existing secret for github hookshot hook

* helm-docs: automated action

* add hookshot /data emptyDir

* hookshot: registration: fix github typo

* fix env from secret for bridge hookshot

* fix github private key pem in hookshot

* helm-docs: automated action

* use empty dir for discord volume

* helm-docs: automated action

* remove pvc for mautrix discord

* fix checking discord config for tokens

* fix yq of github data for hookshot bridge

* fix bridge hookshot registration.yml

* add scratch space for hookshot

* fix scratch typo

* fix where github pem is located

* helm-docs: automated action

* clean up templating names for config files

* fix hookshot securityContexts

* helm-docs: automated action

* don't set securityContexts by default

* helm-docs: automated action

* clean up docs on using new bridges

* helm-docs: automated action

---------

Signed-off-by: jessebot <jessebot@linux.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
jessebot and github-actions[bot] authored Jul 15, 2024
1 parent f1009f4 commit 7d6197e
Showing 30 changed files with 2,942 additions and 65 deletions.
213 changes: 211 additions & 2 deletions README.md
Expand Up @@ -16,10 +16,18 @@ helm repo add matrix https://small-hack.github.io/matrix-chart
# downloads the values.yaml locally
helm show values matrix/matrix > values.yaml

# You should then edit the values.yaml to your liking.

## NOTE: The most important helm parameter is matrix.hostname
## without it, this chart may not work!

# install the chart
helm install my-release-name matrix/matrix --values values.yaml
```

**NOTE: The most important helm parameter is `matrix.hostname`. Without it, this chart may not work!**


## Current Features ✨

- Latest version of [Synapse](https://github.com/element-hq/synapse) (the official matrix homeserver)
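Review bot: the hostname warning now appears twice in this hunk, once as the two `## NOTE` comment lines inside the bash block and again as the bold `**NOTE: The most important helm parameter is ...**` paragraph after it; keep the bold paragraph (it is readable without opening the code block) and drop the comment lines, and collapse the double blank line before `## Current Features` to one.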
Expand All @@ -35,24 +43,28 @@ helm install my-release-name matrix/matrix --values values.yaml
- Use s3 to store media using [element-hq/synapse-s3-storage-provider](https://github.com/matrix-org/synapse-s3-storage-provider/tree/main)
- Use [matrix-sliding-sync-chart](https://github.com/small-hack/matrix-sliding-sync-chart) as a sub chart for using [element-x] which requires [matrix-org/sliding-sync](https://github.com/matrix-org/sliding-sync)
- Use existing Kubernetes secrets and existing Persistent Volume Claims
- [mautrix/discord](https://github.com/mautrix/discord) - Discord bridge for syncing between matrix and Discord
- [small-hack/matrix-alertmanager](https://github.com/small-hack/matrix-alertmanager) - Prometheus Alertmanager bridge for syncing between matrix and Alertmanager

### ⚠️ Optional Features (Untested Since Fork)
#### ⚠️ Untested Features

These features still need to be tested, but are technically baked into the chart from the fork:

- Use of lightweight Exim relay
- [Half-Shot/matrix-appservice-discord](https://github.com/Half-Shot/matrix-appservice-discord) Discord bridge
- [matrix-org/matrix-appservice-irc](https://github.com/matrix-org/matrix-appservice-irc) IRC bridge
- [tulir/mautrix-whatsapp](https://github.com/tulir/mautrix-whatsapp) WhatsApp bridge

# Notes

* [Databases](#databases)
* [Ingress](#ingress)
* [Federation](#federation)
* [Federation not Working](#federation-not-working)
* [Addiing Trusted Key Servers from an existing Secret](#addiing-trusted-key-servers-from-an-existing-secret)
* [Notes on using Matrix Sliding Sync](#notes-on-using-matrix-sliding-sync)
* [Notes on using MAS (Matrix Authentication Service)](#notes-on-using-mas-matrix-authentication-service)
* [Bridges](#bridges)
* [Discord](#discord)
* [About and Status](#about-and-status)

## Databases
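Review bot: the `[Half-Shot/matrix-appservice-discord]` entry under untested features is now stale, because this commit replaces that bridge with mautrix/discord and the Bridges section further down says its image has not been updated in three years; drop it or mark it deprecated so readers are not pointed at an unmaintained image. Also, `### ⚠️ Optional Features (Untested Since Fork)` is immediately followed by `#### ⚠️ Untested Features`, which says the same thing at a lower level, so one of the two headings should go; and the new TOC entry `[Addiing Trusted Key Servers ...]` carries a typo whose anchor must be changed together with the heading it links to if either is corrected.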
Expand All @@ -66,6 +78,51 @@ You must select one of the following options:
>
> You cannot enable both `externalDatabase` and `postgresql`. You must select _one_.
## Ingress

A previous version of this chart supported using the `synapse.ingress.host` parameter. This option has been removed. You must now set a `synapse.ingress.hosts`. Because of this, you must now also set `matrix.hostname` or certain functionality will not work. Example of how to setup ingress and hostname:

```yaml
matrix:
# used for setting up config files that require your homeserver hostname
# such as bridging between your matrix homeserver (synapse) and other services
# such as discord or WhatsApp
hostname: my-synapse-hostname.com

synapse:
ingress:
className: "nginx"
annotations:
# required for TLS certs issued by cert-manager
cert-manager.io/cluster-issuer: letsencrypt-staging

# -- This annotation is required for the Nginx ingress provider. You can
# remove it if you use a different ingress provider
nginx.ingress.kubernetes.io/configuration-snippet: |
proxy_intercept_errors off;
hosts:
- host: "my-synapse-hostname.com"
paths:
- path: /
pathType: ImplementationSpecific
# if mas.enabled is set to true, you want pathType for / to be Prefix
# pathType: Prefix

# if mas.enabled is set to true, you want to uncomment the following:
# - path: "/_matrix/client/(r0|v3)/(refresh|login|logout).*"
# pathType: ImplementationSpecific
# backend:
# service:
# value: release-name-mas
# port:
# name: http
# -- enable tls for synapse ingress
tls:
- secretName: "matrix-tls"
hosts:
- my-synapse-hostname
```
## Federation
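Review bot: in the ingress example the TLS block lists `- my-synapse-hostname` while the rule host is `"my-synapse-hostname.com"`, so cert-manager would request a certificate for a name that does not match the served host and TLS for the real hostname would fail; use the same FQDN in both places. In the commented-out MAS path, `backend.service.value: release-name-mas` is not a valid Ingress field and should be `backend.service.name`. The `nginx.ingress.kubernetes.io/configuration-snippet` annotation also only takes effect when the controller allows snippet annotations, which recent ingress-nginx releases disable by default, so the comment calling it "required" should say it depends on that controller setting. Minor: "setup ingress" should read "set up ingress" in the intro sentence.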
Expand All @@ -77,6 +134,7 @@ I managed to finally get past that by adding the following to my values.yaml:
```yaml
matrix:
hostname: my-synapse-hostname.com
federation:
enabled: true

Expand All @@ -98,6 +156,7 @@ Later on, I realized I could also use [`serve_server_wellknown`](https://element

```yaml
matrix:
hostname: my-synapse-hostname.com
federation:
enabled: true
serve_server_wellknown: true
Expand All @@ -109,6 +168,7 @@ If you'd like to get your [`trusted_key_servers`](https://element-hq.github.io/s

```yaml
matrix:
hostname: my-synapse-hostname.com
federation:
enabled: true
security:
Expand Down Expand Up @@ -140,6 +200,7 @@ To use [sliding sync](https://github.com/matrix-org/sliding-sync), which is requ

```yaml
matrix:
hostname: my-synapse-hostname.com
extra_well_known_client_content:
"org.matrix.msc3575.proxy":
"url": "https://your-sliding-sync-hostname.com"
Expand Down Expand Up @@ -183,6 +244,7 @@ MAS is currently the only way to use OIDC with [element-x]. If you're using MAS

```yaml
matrix:
hostname: my-synapse-hostname.com
experimental_features:
msc3861:
# Likely needed if using OIDC on synapse and you want to allow usage of Element-X (the beta of element)
Expand Down Expand Up @@ -338,6 +400,153 @@ mas:
set_email_verification: always
```
## Bridges
We've only recently started adding/testing [bridges](https://matrix.org/ecosystem/bridges/) to this stack, so there may be some bugs, but so far, we've got the discord bridge upgraded. The rest of the bridges are in a beta/alpha state and although we want to support them, we haven't had the time to test them out since the major fork. If you find something wrong with them, please feel free to submit an Issue or Pull Request.
So far we've tested and gotten working two bots/bridges: Alertmanager and Discord. We wanted to get hookshot working, but try as we might, we could never get the bot to respond to queries in a matrix chat.
### Alertmanager
Check out the [upstream repo](https://github.com/small-hack/matrix-alertmanager) for more info (especially [`.env.default`](https://github.com/small-hack/matrix-alertmanager/blob/main/.env.default)), but here's the gist for configuring it via this chart.

```yaml
bridges:
alertmanager:
enabled: false
existingSecret:
# -- optional secret to replace the entire registration.yaml
registration: ""
# this section is for registering the application service with matrix
# read more about application services here:
# https://spec.matrix.org/v1.11/application-service-api/
registration:
# -- url of the alertmanager service. if not provided, we will template it
# for you like http://matrix-alertmanager-service:3000
url: ""
# A secret token that the application service will use to authenticate
# requests to the homeserver.
as_token: ""
# -- Use an existing Kubernetes Secret to store your own generated appservice
# and homeserver tokens. If this is not set, we'll generate them for you.
# Setting this won't override the ENTIRE registration.yaml we generate for
# the synapse pod to authenticate mautrix/discord. It will only replaces the tokens.
# To replaces the ENTIRE registration.yaml, use
# bridges.alertmanager.existingSecret.registration
existingSecret: ""
existingSecretKeys:
# -- key in existingSecret for as_token (application service token). If
# provided and existingSecret is set, ignores bridges.alertmanager.registration.as_token
as_token: "as_token"
# -- key in existingSecret for hs_token (home server token)
hs_token: "hs_token"
encryption: false
config:
# -- secret key for the alertmanager webhook config URL
app_alertmanager_secret: ""
# -- your homeserver url, e.g. https://homeserver.tld
homeserver_url: ""
bot:
# -- optional: display name to set for the bot user
display_name: ""
# -- optional: mxc:// avatar to set for the bot user
avatar_url: ""
# -- rooms to send alerts to, separated by a |
# Each entry contains the receiver name (from alertmanager) and the
# internal id (not the public alias) of the Matrix channel to forward to.
# example: reciever1/!789fhdsauoh48:mymatrix.hostname.com
rooms: ""
# -- Set this to true to make firing alerts do a `@room` mention.
# NOTE! Bot should also have enough power in the room for this to be useful.
mention_room: false

# -- set to enable Grafana links, e.g. https://grafana.example.com
grafana_url: ""
# -- grafana data source, e.g. default
grafana_datasource: ""
# -- set to enable silence link, e.g. https://alertmanager.example.com
alertmanager_url: ""
```
### Discord
We previously had the halfshot/discord bridge as a part of this stack, but as of July 2024 the image was no longer being updated and hadn't been updated in 3 years, see: [#589](https://github.com/small-hack/matrix-chart/issues/589) for more info. Instead we now offer the [mautrix/discord](https://github.com/mautrix/discord) bridge. You can read their docs [here](https://docs.mau.fi/bridges/go/discord/index.html).
Here's how we got it mostly working on our end via the values.yaml:
```yaml
matrix:
hostname: my-synapse-hostname.com

bridges:
discord_mautrix:
enabled: true
# this just keeps the replicasets from getting
# out of control, feel free to set to 10 to
# keep more history for rollbacks
revisionHistoryLimit: 1

# -- extra volumes for the mautrix/discord deployment
# we created this separately from the chart
extraVolumes:
- name: sqllite
persistentVolumeClaim:
claimName: mautrix-discord-bridge-sqlite

extraVolumeMounts:
- name: sqllite
mountPath: /sql

admin_users:
- friend
- admin

config:
# Homeserver details
homeserver:
address: "https://my-synapse-hostname.com"
domain: "my-synapse-hostname.com"

appservice:
# Database config - we used sqllite because it's easy
database:
type: sqlite3-fk-wal
uri: file:/sql/mautrixdiscord.db?_txlock=immediate

bridge:
encryption:
# -- Allow encryption, work in group chat rooms with e2ee enabled
allow: true
# -- Default to encryption, force-enable encryption in all portals the bridge creates
# This will cause the bridge bot to be in private chats for the encryption to work properly.
default: true
```
Example PVC for the sqllite file to persist:
```yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: mautrix-discord-bridge-sqlite
namespace: matrix
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2Gi
storageClassName: local-path
```
After you set this up, you'll still need to authenticate the matrix bot (mautrix/discord) with your Discord bot. For that, you'll need to follow the instructions in the [mautrix discord docs](https://docs.mau.fi/bridges/go/discord/authentication.html).
## About and Status
This is a fork of [Arkaniad/matrix-chart](https://github.com/Arkaniad/matrix-chart), which is a fork of [typokign/matrix-chart](https://github.com/typokign/matrix-chart). We recently transferred this chart from [@jessebot](https://github.com/jessebot) to the small-hack org to help with maintanence longterm :) Working on full stability, but always happy to receive GitHub Issues or PRs! Please star the repo if you like our work 💙
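Review bot: the comment above `existingSecret` in the alertmanager `registration` block says the generated registration.yaml is used "to authenticate mautrix/discord", which was copied from the Discord section and should say alertmanager; the same comment also has "It will only replaces" and "To replaces". `config.app_alertmanager_secret` defaults to `""` with no guidance even though the comment describes it as the secret key in the alertmanager webhook URL, so the comment should state that it has to be set to a long random value and consider letting it come from an existing Secret the way `as_token`/`hs_token` can, rather than living in plain text in values.yaml. Two wording points in the intro: it first says "so far, we've got the discord bridge upgraded" and then "two bots/bridges: Alertmanager and Discord", and the hookshot templates this commit adds are not mentioned in the README at all although the text says the bot could not be made to respond, so a one-line "hookshot is present but untested" entry would match the untested-features list above. Typos: `reciever1` in the rooms example, `sqllite` in the volume name and comment, `maintanence` in the About section; `### Alertmanager`, `### Discord` and `## About and Status` also need a blank line before them for portable markdown rendering.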
2 changes: 1 addition & 1 deletion charts/matrix/Chart.yaml
Expand Up @@ -8,7 +8,7 @@ sources:

type: application

version: 12.0.0
version: 13.0.0

# renovate: image=matrixdotorg/synapse
appVersion: v1.109.0
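Review bot: the bump to 13.0.0 is the right call given the removal of `synapse.ingress.host` noted in the commit message and README, but helm itself gives upgraders no warning about a removed value, so the removed key and the now-required `matrix.hostname` should also be listed in the release notes or an `artifacthub.io/changes` annotation so people see it before the ingress template stops rendering their host.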
