🐛 Matrix SMTP_PASS from TUI does not get set in matrix-smtp-credentials #226

Open
opened 2024-05-19 12:56:43 +00:00 by cloudymax · 2 comments
cloudymax commented 2024-05-19 12:56:43 +00:00 (Migrated from github.com)

Describe the Bug

The SMTP_PASS for Matrix entered via the TUI does end up in the matrix-smtp-credentials

Input:

Screenshot 2024-05-19 at 14 46 12

Resulting Secret:

> kgs matrix-smtp-credentials
host: toots.com
password:
username: dogoninternet

Steps to Reproduce Bug

  1. run smol-k8s-lab
  2. enable external-secret-operator (with bitwarden)
  3. enable matrix
  4. enter the smtp password in the tui

User info (please complete the following information):

  • OS release: debian12
  • Kubernetes distro: k3s
  • Version of smol-k8s-lab (You can get this with smol-k8s-lab --version): v5.0.4
  • Config file contents:
  matrix:
    description: |
      [link=https://matrix.org/]Matrix[/link] is an open protocol for decentralised, secure communications.
      This deploys a matrix synapse server, element (web frontend), and turn server (voice)

      smol-k8s-lab supports initialization by creating initial secrets for your:
        - matrix, element, and federation hostnames,
        - credentials for: postgresql, admin user, S3 storage, and SMTP

      smol-k8s-lab also sets up an OIDC application via Zitadel.

      To provide sensitive values via environment variables to smol-k8s-lab use:
        - MATRIX_SMTP_PASSWORD
        - MATRIX_BACKUP_S3_ACCESS_ID
        - MATRIX_BACKUP_S3_SECRET_KEY
        - MATRIX_RESTIC_REPO_PASSWORD
    enabled: true
    init:
      enabled: true
      restore:
        enabled: false
        cnpg_restore: true
        restic_snapshot_ids:
          seaweedfs_volume: latest
          seaweedfs_filer: latest
          seaweedfs_master: latest
          matrix_media: latest
          matrix_synapse_config: latest
          matrix_signing_key: latest
      values:
        smtp_user: dogoninternet
        smtp_host: toots.com
        smtp_password:
          value_from:
            env: MATRIX_SMTP_PASSWORD
    backups:
      # cronjob syntax schedule to run matrix pvc backups
      pvc_schedule: 0 0 * * *
      postgres_schedule: 0 45 23 * * *
      s3:
        # these are for pushing remote backups of your local s3 storage, for speed and cost optimization
        endpoint: s3.us-example-example.example.com
        bucket: example-matrix-backups
        region: us-west-004
        secret_access_key:
          value_from:
            env: MATRIX_S3_BACKUP_SECRET_KEY
        access_key_id:
          value_from:
            env: MATRIX_S3_BACKUP_ACCESS_ID
      restic_repo_password:
        value_from:
          env: MATRIX_RESTIC_REPO_PASSWORD
    argo:
      # secrets keys to make available to Argo CD ApplicationSets
      secret_keys:
        # hostname of the synapse matrix server
        hostname: matrix.example.online
        # the hostname of the element web interface
        element_hostname: element.example.online
        # hostname for federation, that others can see you on the fediverse
        federation_hostname: matrix-fed.example.online
        # email for of the admin user
        admin_email: example@example.net
        # enable signing key backups
        signing_key_pvc_enabled: 'true'
        # size of signing key pvc storage
        signing_key_storage: 1Mi
        signing_key_access_mode: ReadWriteOnce
        # enable persistent volume claim for matrix media storage
        media_pvc_enabled: 'true'
        # size of media pvc storage
        media_storage: 10Gi
        media_access_mode: ReadWriteOnce
        # enable persistent volume claim for matrix synapse config storage
        synapse_config_pvc_enabled: 'true'
        # size of synapse config pvc storage
        synapse_config_storage: 2Mi
        synapse_config_access_mode: ReadWriteOnce
        # choose S3 as the local primary object store from either: seaweedfs, or minio
        # SeaweedFS - deploy SeaweedFS filer/s3 gateway
        # MinIO     - deploy MinIO vanilla helm chart
        s3_provider: seaweedfs
        # local s3 provider bucket name
        s3_bucket: matrix
        # the endpoint you'd like to use for your minio or SeaweedFS instance
        s3_endpoint: matrix-s3.example.online
        # how large the backing pvc's capacity should be for minio or seaweedfs
        s3_pvc_capacity: 10Gi
        s3_region: eu-west-1
      # git repo to install the Argo CD app from
      repo: https://github.com/small-hack/argocd-apps
      # path in the argo repo to point to. Trailing slash very important!
      path: matrix/app_of_apps/
      # either the branch or tag to point at in the argo repo above
      revision: test-matrix-chart
      # kubernetes cluster to install the k8s app into, defaults to Argo CD default
      cluster: https://kubernetes.default.svc
      # namespace to install the k8s app in
      namespace: matrix
      # recurse directories in the git repo
      directory_recursion: false
      # source repos for Argo CD App Project (in addition to argo.repo)
      project:
        source_repos:
        - https://small-hack.github.io/cloudnative-pg-cluster-chart
        - https://small-hack.github.io/matrix-chart
        - https://github.com/small-hack/matrix-chart
        - https://operator.min.io/
        - https://seaweedfs.github.io/seaweedfs/helm
        destination:
          # automatically includes the app's namespace and argocd's namespace
          namespaces: []
        name: matrix

  # This app is installed with helm or manifests depending on what is recommended
  # for your k8s distro. Becomes managed by Argo CD if you enable it below

If it's related to the install of something on k8s:

  • output of helm list -a
  • any temp files related to your install under $HOME/.cache/smol-k8s-lab/ (If you're using XDG Base Directory Spec env variables, this could be under $XDG_CACHE_HOME/smol-k8s-lab/)

Additional context, if any

Add any other context about the problem here.

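As an added illustration (not smol-k8s-lab's own code), the following Python resolves a `value_from: env:` entry the way the `init.values` block above is written and refuses to build the `matrix-smtp-credentials` Secret when the password resolves empty, which is the state the report shows; `SAMPLE_VALUES`, `SENSITIVE_KEYS` and the function names are assumptions for this example.

```python
import base64
import os
from typing import Any

# Constructed sample: the `init.values` block from the bug report, with the
# password sourced from an env var instead of being typed into the TUI.
SAMPLE_VALUES: dict[str, Any] = {
    "smtp_user": "dogoninternet",
    "smtp_host": "toots.com",
    "smtp_password": {"value_from": {"env": "MATRIX_SMTP_PASSWORD"}},
}

# Keys that must never be written out empty (hypothetical list for this example).
SENSITIVE_KEYS = {"smtp_password"}


def b64(s: str) -> str:
    """Kubernetes Secret `data` fields are base64 encoded strings."""
    return base64.b64encode(s.encode()).decode()


def resolve_value(value: Any, env) -> str:
    """Literal values pass through; `value_from: env:` entries are looked up
    in `env`. An unset or empty variable resolves to "" (what the report shows)."""
    if isinstance(value, dict) and "value_from" in value:
        source = value["value_from"]
        if "env" in source:
            return env.get(source["env"], "")
        raise ValueError(f"unsupported value_from source: {source}")
    return "" if value is None else str(value)


def resolve_values(values: dict[str, Any], env) -> dict[str, str]:
    return {key: resolve_value(val, env) for key, val in values.items()}


def build_smtp_secret(values: dict[str, Any], env=None) -> dict[str, Any]:
    """Build a Secret manifest, refusing if a sensitive value resolved empty
    so an unusable credential never reaches the cluster."""
    resolved = resolve_values(values, os.environ if env is None else env)
    missing = sorted(k for k in SENSITIVE_KEYS if not resolved.get(k))
    if missing:
        raise ValueError(f"refusing to write matrix-smtp-credentials: empty {missing}")
    return {
        "apiVersion": "v1", "kind": "Secret",
        "metadata": {"name": "matrix-smtp-credentials"},
        "data": {"host": b64(resolved["smtp_host"]),
                 "username": b64(resolved["smtp_user"]),
                 "password": b64(resolved["smtp_password"])},
    }
```

Running `build_smtp_secret(SAMPLE_VALUES)` with `MATRIX_SMTP_PASSWORD` unset raises instead of producing the empty `password:` field seen in the `kgs` output above.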
jessebot commented 2024-05-22 14:09:46 +00:00 (Migrated from github.com)

this is indeed broken, but I'm unsure why. Will look at this weekend 💙

jessebot commented 2024-06-27 07:15:41 +00:00 (Migrated from github.com)

I've been thinking about this, and since we do an OIDC-only setup for matrix, perhaps we just remove the SMTP feature entirely here? The SMTP feature is generally for account management, and since we use ZITADEL for that, the only other thing it could be used for is email notifications, and I feel like no one actually uses email for that anymore. If I'm wrong, feel free to correct me, but I think for the smol-k8s-lab use case, unless others disagree, using SMTP is more of a hassle than it creates benefits 🤔

Open to other opinions, and the TUI not updating other sensitive values still needs to be fixed btw, just maybe not for matrix.

Reference
small-hack/smol-k8s-lab#226