feat: add helm chart and harden PDU size patch #9
Open
apham0001 wants to merge 59 commits into airgap-it:master from
Conversation
…ctions
- Upgrade Synapse base image from v1.98.0 to v1.148.0 (resolves 5 CVEs)
- Update Python paths from 3.11 to 3.13 to match upstream image
- Harden Dockerfile (--no-install-recommends, cleanup apt lists, pip --no-cache-dir)
- Replace GitLab CI with GitHub Actions: lint, test, publish to GHCR
- Remove old .gitlab-ci.yml
fix(security): upgrade Synapse from v1.98.0 to v1.148.0
- Add QEMU + multi-platform build (linux/amd64, linux/arm64)
- Add Renovate config to auto-update:
  - Synapse base image (auto-merge patches)
  - GitHub Actions (auto-merge minor/patch)
feat: add multi-arch build and Renovate auto-updates
Beacon-node is a derivative work of Synapse (element-hq/synapse) which is licensed under AGPL-3.0.
chore: add AGPL-3.0 license
Enable forkProcessing so Renovate scans this forked repo. Remove legacy k8s/ directory (now managed via Helm chart in iac repo).
chore: enable renovate on fork + remove unused k8s manifests
Scans Docker image for CRITICAL and HIGH CVEs. Runs on docker/ changes, PRs to master, and weekly schedule. Results uploaded to GitHub Security tab (SARIF).
chore(deps): update postgres docker tag to v18
chore(deps): update actions/checkout action to v6
…n-3.x
chore(deps): update hadolint/hadolint-action action to v3.3.0
chore(deps): update redis docker tag to v6.2.6
feat: add Trivy security scan for Docker image
Use multi-stage build to compile psycopg2/pysodium in builder stage. Final image only has runtime libs (libsodium23, libpq5) without gcc, *-dev packages, and build toolchain that carry most CVEs.
fix: multi-stage build to reduce CVE surface
chore: switch license from AGPL-3.0 to MIT
chore(deps): update github/codeql-action action to v4
chore(deps): update actions/checkout action to v6
…ion-0.x
chore(deps): update aquasecurity/trivy-action action to v0.34.1
chore: remove .gitlab issue templates
feat: enable automerge for all Renovate updates
- postgres:18.2 (doesn't exist) -> postgres:17
- redis:6.2.6-buster (EOL) -> redis:7-alpine
- Remove deprecated 'version' key
- Add missing redis dependency in basic compose
- Update beacon-node image to ghcr.io/apham0001/beacon-node:latest

- postgres:18.2 (doesn't exist) -> postgres:16-bookworm
- redis:6.2.6-buster (EOL) -> redis:8-bookworm
- Remove deprecated 'version' key
- Add missing redis dependency
- Update beacon-node image to ghcr.io
- Remove docker-compose-optimized.yml
fix: update docker-compose images
chore(deps): update postgres docker tag to v18
chore: rename samples/ to deploy/
chore: update README
chore: switch base image to ghcr.io/element-hq/synapse
fix: update known_servers to octez.io domains
Add /.well-known/matrix/server and /.well-known/matrix/client endpoints directly in beacon_info_module.py instead of relying on nginx ingress server-snippet annotations (deprecated since ingress-nginx 1.9).
feat: serve well-known Matrix endpoints from Synapse module
The previous approach registered two separate resources at /.well-known/matrix/server and /.well-known/matrix/client, which caused a KeyError in Twisted's resource tree when both paths share the /.well-known/matrix prefix. Fix: use a single WellKnownMatrixResource parent with putChild for server and client sub-resources. Also fix docker-compose PG 18 mount point (/var/lib/postgresql instead of /var/lib/postgresql/data) and update readme.
Add {{REDIS_HOST}} placeholder in shared_config.yaml and sed in
entrypoint. Defaults to 'redis' if not set (backwards compatible).
This removes the need for the ExternalName service hack in k8s.
fix: well-known resource tree conflict + docker-compose PG 18 mount
The homeserver.yaml had redis host hardcoded to 'redis' while
shared_config.yaml used the REDIS_HOST placeholder. Both files
now use {{REDIS_HOST}} with fallback to 'redis' if not set.
fix: use REDIS_HOST env var in homeserver.yaml
- Add beacon-node Helm chart (v0.4.1) with kubelauncher subcharts
- Harden MAX_PDU_SIZE sed patch with strict regex and build-time verification to fail fast if upstream changes the constant
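The strict-regex, fail-fast patch described in the commit above, as an added example that is not the PR's own Dockerfile or entrypoint code: an unanchored `sed` substitution silently does nothing when upstream renames or reshapes the constant, so the image ships with the stock limit, whereas this version refuses to build unless the line matches exactly once before and after the edit. It assumes the upstream constant is written as a single `MAX_PDU_SIZE = 65536` line in a Python constants file; the sample file contents, the new limit of 131072 and the function names are constructed here.

```shell
#!/bin/sh
# Added example, not the PR's own build script. Assumes the constant appears
# as one line of the form "MAX_PDU_SIZE = <digits>" in the target file.
set -eu

# Anchored pattern: start of line, exact name, single spaces, digits only,
# end of line. Anything else (rename, comment, tuple) is a mismatch.
PDU_PATTERN='^MAX_PDU_SIZE = [0-9]+$'

# Patch MAX_PDU_SIZE in $1 to the value $2. Returns 1 (failing the build
# under set -e) if the constant is not found exactly once before the edit
# or the new value is not present exactly once after it.
patch_max_pdu_size() {
    file="$1"
    new_value="$2"

    before=$(grep -c -E "$PDU_PATTERN" "$file" || true)
    if [ "$before" -ne 1 ]; then
        echo "ERROR: expected exactly one MAX_PDU_SIZE line in $file, found $before" >&2
        return 1
    fi

    # -i.bak works on both GNU and BSD sed; the backup is discarded.
    sed -E -i.bak "s/$PDU_PATTERN/MAX_PDU_SIZE = $new_value/" "$file"
    rm -f "$file.bak"

    after=$(grep -c -E "^MAX_PDU_SIZE = $new_value\$" "$file" || true)
    if [ "$after" -ne 1 ]; then
        echo "ERROR: MAX_PDU_SIZE patch did not apply in $file" >&2
        return 1
    fi
}

# Constructed stand-in for the upstream constants file (sample data).
make_sample_constants() {
    printf 'MAX_PDU_SIZE = 65536\nMAX_ALIAS_LENGTH = 255\n' > "$1"
}

# Constructed stand-in for an upstream release that renamed the constant,
# which must make the patch step fail rather than pass silently.
make_renamed_constants() {
    printf 'MAX_EVENT_SIZE = 65536\nMAX_ALIAS_LENGTH = 255\n' > "$1"
}

# Demo run against the constructed sample file.
demo_file=$(mktemp)
make_sample_constants "$demo_file"
patch_max_pdu_size "$demo_file" 131072 && grep '^MAX_PDU_SIZE' "$demo_file"
rm -f "$demo_file"
```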
Runs on chart or docker changes:
- Helm dependency build + lint
- KIND cluster deploy with smoke tests
- Verifies pods healthy, no FATAL errors, well-known endpoints

- Fix kind load cluster name (chart-testing)
- Add Synapse API endpoint tests (versions, federation, login)
- Increase helm install timeout to 300s
- Generate signing key properly

- Add KIND smoke test job to build-and-publish.yml
- Runs on every PR (including Renovate Dockerfile bumps)
- Publish now requires both test + smoke-test to pass
- Remove separate helm-smoke-test.yml to avoid duplication
Summary
Test plan
helm lint charts/