Add IRC bridging + other production stuff

[encadyma]

This is so that the Matrix server can bridge properly. The bridge itself has not been placed inside the Kubernetes deployment yet, though the configuration files are there. Fixes #4 and #2 + more.

Also incorporates secret templating, Postgres integration, etc.

[encadyma]

So I've made some changes for the sake of testing it on app-matrix, which included changing the original Docker image versions to personal builds. There's a lot of cleanup to be done on this branch before I'm happy with getting it merged, which I'm outlining here:

• [x] Replace image versions (though how could this be done with appservice-irc?)
• [x] Separate Synapse and bridge into two *deployments? (the current setup was just convenient)
• [x] What to do about building appservice-irc? It's currently in a subdirectory, but can Jenkins/other build tool be configured to build image in subdirectories too?
• [x] Remove secrets, inject passkey.pem somehow

[bjb568]

Yeet.

[cg505]

• [ ] Replace image versions (though how could this be done with appservice-irc?)
• [ ] Separate Synapse and bridge into two pods? (the current setup was just convenient)
• [ ] What to do about building appservice-irc? It's currently in a subdirectory, but can Jenkins/other build tool be configured to build image in subdirectories too?

Take a look at how ocfweb does this stuff. For instance, it just builds all the images with the same tag: https://github.com/ocf/ocfweb/blob/d7d22d7ee88ce0599f69ea3d93f7de7749fd814f/Makefile#L36-L38 (DOCKER_REVISION is set by Jenkins) Obviously we don't have a shared "base" here, but we can just run docker build twice in the same Makefile.

• [ ] Remove secrets, inject passkey.pem somehow

See inline comments.

[encadyma]

All secrets have been templated out. For documentation purposes:

• General secrets (values such as the macaroon secret, used by the bridge + Synapse) can be found in privshare/kubernetes/secrets/matrix.yaml.
• Two secret resources were created, one for bridge and one for synapse. Configuration files that required secrets were moved here. Their templated files can be found in the form of kubernetes/secrets/<secret name>/*.erb. These are then mounted onto /etc/matrix-<resource>, described in the Kubernetes configuration.
• Secret files (including the matrix.ocf.berkeley.edu.signing.key and passkey.pem) are in privshare/docker/matrix and mounted onto the container at /etc/matrix-shared.

It's now ready to be reviewed!

[encadyma]

if our entire dockerfile is literally just FROM ..., we shouldn't build a docker image at all. we can just use the upstream docker image directly in the kubernetes yaml.

I think it makes it more consistent that they are built here, and since Matrix as a whole is an evolving standard, we might need to do some patching to the images in case of breaking changes, etc. It's also nice to be able to see and update image versions from one file Makefile.

[cg505]

if our entire dockerfile is literally just FROM ..., we shouldn't build a docker image at all. we can just use the upstream docker image directly in the kubernetes yaml.

I think it makes it more consistent that they are built here, and since Matrix as a whole is an evolving standard, we might need to do some patching to the images in case of breaking changes, etc. It's also nice to be able to see and update image versions from one file Makefile.

it feels weird, but I guess that makes sense

[encadyma]

if our entire dockerfile is literally just FROM ..., we shouldn't build a docker image at all. we can just use the upstream docker image directly in the kubernetes yaml.

I think it makes it more consistent that they are built here, and since Matrix as a whole is an evolving standard, we might need to do some patching to the images in case of breaking changes, etc. It's also nice to be able to see and update image versions from one file Makefile.

it feels weird, but I guess that makes sense

Latest commit patches both Dockerfiles, ~20 minutes after the latest comment