Update track 1 (#651)

canonical · Jan 14, 2025 · 2c93eea · 2c93eea
1 parent 55e836f
commit 2c93eea
Show file tree

Hide file tree

Showing 124 changed files with 5,768 additions and 4,383 deletions.
diff --git a/.github/workflows/comment_contributing.yaml b/.github/workflows/comment_contributing.yaml
@@ -0,0 +1,13 @@
+name: Comment on the pull request
+
+on:
+  pull_request:
+    types:
+      - opened
+    branches:
+      - 'track/**'
+
+jobs:
+  comment-on-pr:
+    uses: canonical/operator-workflows/.github/workflows/comment_contributing.yaml@main
+    secrets: inherit
diff --git a/.github/workflows/integration_test.yaml b/.github/workflows/integration_test.yaml
@@ -11,8 +11,6 @@ jobs:
       extra-arguments: -x --localstack-address 172.17.0.1
       pre-run-script: localstack-installation.sh
       trivy-image-config: "trivy.yaml"
-      juju-channel: 3.1/stable
+      juju-channel: 3.4/stable
       channel: 1.28-strict/stable
-      modules: '["test_charm", "test_nginx", "test_s3", "test_scaling"]'
-      self-hosted-runner: false
-      self-hosted-runner-label: "edge"
+      modules: '["test_charm", "test_nginx", "test_s3", "test_scaling", "test_matrix_auth"]'
diff --git a/.github/workflows/promote_charm.yaml b/.github/workflows/promote_charm.yaml
@@ -7,12 +7,12 @@ on:
         type: choice
         description: 'Origin Channel'
         options:
-        - latest/edge
+        - 1/edge
       destination-channel:
         type: choice
         description: 'Destination Channel'
         options:
-        - latest/stable
+        - 1/stable
     secrets:
       CHARMHUB_TOKEN:
         required: true

diff --git a/.github/workflows/publish_charm.yaml b/.github/workflows/publish_charm.yaml
@@ -3,10 +3,11 @@ name: Publish to edge
 on:
   push:
     branches:
-      - main
-      - track/*
+      - track/1
 
 jobs:
   publish-to-edge:
     uses: canonical/operator-workflows/.github/workflows/publish_charm.yaml@main
     secrets: inherit
+    with:
+      channel: 1/edge
diff --git a/.trivyignore b/.trivyignore
@@ -0,0 +1,62 @@
+# Vulnerabilites related to: Pebble, Node.JS and gosu
+CVE-2021-39293
+CVE-2021-41771
+CVE-2021-41772
+CVE-2021-44716
+CVE-2022-23772
+CVE-2022-23806
+CVE-2022-24675
+CVE-2022-24921
+CVE-2022-25883
+CVE-2022-27664
+CVE-2022-28131
+CVE-2022-28327
+CVE-2022-2879
+CVE-2022-2880
+CVE-2022-29804
+CVE-2022-30580
+CVE-2022-30630
+CVE-2022-30631
+CVE-2022-30632
+CVE-2022-30633
+CVE-2022-30634
+CVE-2022-30635
+CVE-2022-32189
+CVE-2022-41715
+CVE-2022-41716
+CVE-2022-41720
+CVE-2022-41722
+CVE-2022-41723
+CVE-2022-41724
+CVE-2022-41725
+CVE-2022-46175
+CVE-2023-24534
+CVE-2023-24536
+CVE-2023-24537
+CVE-2023-24538
+CVE-2023-24539
+CVE-2023-24540
+CVE-2023-29400
+CVE-2023-29403
+CVE-2023-39325
+CVE-2023-45283
+CVE-2023-45287
+CVE-2023-45288
+CVE-2024-24790
+CVE-2024-29415
+CVE-2024-34156
+CVE-2024-21538
+CVE-2024-24788
+# This should be removed once the following PR is merged.
+# https://github.com/element-hq/synapse/pull/17955
+CVE-2024-52804
+# Fix ongoing:
+# https://github.com/element-hq/synapse/pull/17985
+CVE-2024-53981
+# The 3 following CVEs will be fixed by Synapse 1.120.2
+CVE-2024-52805
+CVE-2024-52815
+CVE-2024-53863
+# This should be removed once pebble releases a new version.
+# https://github.com/canonical/pebble/commit/0c134f8e0d80f4bd8f42011279c8f0737b59a673
+CVE-2024-45338
diff --git a/LICENSE b/LICENSE
@@ -187,7 +187,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright 2024 Canonical Ltd.
+   Copyright 2025 Canonical Ltd.
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

diff --git a/README.md b/README.md
@@ -23,16 +23,49 @@ For DevOps or SRE teams this charm will make operating Synapse simple and
 straightforward through Juju's clean interface. It will allow easy deployment
 into multiple environments for testing of changes.
 
-## Project and community
+## Get started
+
+To begin, refer to the [Getting Started](https://charmhub.io/synapse/docs/tutorial-getting-started)
+tutorial for step-by-step instructions.
+
+### Basic operations
+
+#### Configure a server name
+
+The configuration `server_name` sets the public-facing domain of the server and
+refers to [`server_name`](https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#server_name) Synapse configuration.
+
+To change it to `tutorial-synapse.juju.local`, for example, run the following
+command:
+
+```
+juju config synapse server_name=tutorial-synapse.juju.local
+```
+
+#### Create a user
 
-The Synapse Operator is a member of the Ubuntu family. It's an open source
-project that warmly welcomes community projects, contributions, suggestions,
-fixes and constructive feedback.
-* [Code of conduct](https://ubuntu.com/community/code-of-conduct)
-* [Get support](https://discourse.charmhub.io/)
-* [Join our online chat](https://matrix.to/#/#charmhub-charmdev:ubuntu.com)
-* [Contribute](https://charmhub.io/synapse/docs/contributing)
-* [Getting Started](https://charmhub.io/synapse/docs/getting-started)
-Thinking about using the Synapse Operator for your next project? [Get in touch](https://matrix.to/#/#charmhub-charmdev:ubuntu.com)!
-
----
+The following command creates a local user named `alice`.
+
+```
+juju run synapse/0 register-user username=alice password=<secure-password> admin=no
+```
+
+#### Promote user to admin
+
+The following command can be used to promote an existing user to admin.
+
+```
+juju run synapse/0 promote-user-admin username=alice
+```
+
+## Learn more
+* [Read more](https://charmhub.io/synapse)
+* [Developer documentation](https://element-hq.github.io/synapse/latest/development/contributing_guide.html)
+* [Official webpage](https://github.com/element-hq/synapse)
+* [Troubleshooting](https://element-hq.github.io/synapse/latest/usage/administration/admin_faq.html)
+
+
+## Project and community
+* [Issues](https://github.com/canonical/synapse-operator/issues)
+* [Contributing](https://charmhub.io/synapse/docs/contributing)
+* [Matrix](https://matrix.to/#/#charmhub-charmdev:ubuntu.com)
diff --git a/actions.yaml b/actions.yaml
@@ -1,4 +1,4 @@
-# Copyright 2024 Canonical Ltd.
+# Copyright 2025 Canonical Ltd.
 # See LICENSE file for licensing details.
 
 anonymize-user:
@@ -11,11 +11,6 @@ anonymize-user:
       type: string
   required:
     - username
-reset-instance:
-  description: |
-    Set a new server_name before running this action.
-    Once a server_name is configured, you must start a new instance if you wish a different one.
-    This actions will erase all data and create a instance with the new server_name.
 register-user:
   description: |
     Registers a user for the Synapse server.

diff --git a/charmcraft.yaml b/charmcraft.yaml
@@ -1,4 +1,4 @@
-# Copyright 2024 Canonical Ltd.
+# Copyright 2025 Canonical Ltd.
 # See LICENSE file for licensing details.
 
 # This file configures Charmcraft.
@@ -12,10 +12,18 @@ bases:
     run-on:
     - name: ubuntu
       channel: "22.04"
+charm-libs:
+  - lib: traefik_k8s.ingress
+    version: "2"
 parts:
   charm:
     build-packages:
-    - cargo
-    - rustc
+      - libpq-dev
+    build-snaps:
+      - rustup
+    override-build: |
+      rustup default stable
+      craftctl default
     charm-binary-python-packages:
-    - psycopg2-binary==2.9.9
+    - psycopg2-binary
+    - cryptography
diff --git a/config.yaml b/config.yaml
@@ -1,4 +1,4 @@
-# Copyright 2024 Canonical Ltd.
+# Copyright 2025 Canonical Ltd.
 # See LICENSE file for licensing details.
 
 options:
@@ -11,6 +11,12 @@ options:
   backup_passphrase:
     type: string
     description: Passphrase used to encrypt a backup using gpg with symmetric key.
+  block_non_admin_invites:
+    type: boolean
+    default: false
+    description: |
+      When enabled, room invites to users on this server will be blocked
+      (except those sent by local server admins).
   enable_email_notifs:
     type: boolean
     default: false
@@ -22,19 +28,6 @@ options:
     description: |
       Configures whether to enable Mjolnir - moderation tool for Matrix.
       Reference: https://github.com/matrix-org/mjolnir
-  enable_irc_bridge:
-    type: boolean
-    default: false
-    description: |
-      Configures whether to enable IRC bridging for Matrix.
-      Reference: https://github.com/matrix-org/matrix-appservice-irc
-  enable_irc_ident:
-    type: boolean
-    default: false
-    description: |
-      Configures whether to enable IRC ident server.
-      Reference: |
-      https://github.com/matrix-org/matrix-appservice-irc/blob/develop/config.sample.yaml#L437
   enable_password_config:
     type: boolean
     default: true
@@ -57,11 +50,19 @@ options:
       Comma separated list of IP address CIDR ranges that should be allowed for
       federation, identity servers, push servers, and for checking key validity
       for third-party invite events.
-  irc_bridge_admins:
+  invite_checker_blocklist_allowlist_url:
+    type: string
+    description: URL to fetch the JSON file containing the allowlist and
+      blocklist.
+  invite_checker_policy_rooms:
     type: string
     description: |
-      Comma separated list of admins to be allowed to manage the bridge.
-      This takes the form of user1:domainX.com,user2:domainY.com...
+      Comma separated list of rooms to be used by the invite checker module.
+  limit_remote_rooms_complexity:
+    type: float
+    description: if set, the room "complexity" will be checked before a user
+      joins a new remote room. If the complexity is higher, the user will not be
+      able to join the room.
   notif_from:
     type: string
     description: defines the "From" address to use when sending emails.
@@ -72,6 +73,23 @@ options:
       The public-facing base URL that clients use to access this Homeserver.
       Defaults to https://<server_name>/. Only used if there is integration with
       SAML integrator charm.
+  experimental_alive_check:
+    type: string
+    description: Comma separated list of period,threshold and timeout for Synapse
+      pebble alive check. Refer to https://github.com/canonical/pebble/#layer-specification
+      to more details about allowed values.
+      This is an experimental feature and may be removed in future releases.
+    default: "2m,5,20s"
+  rc_joins_remote_burst_count:
+    type: int
+    description: Allows for ratelimiting number of remote rooms a user can join
+      before being throttled.
+    default: 10
+  rc_joins_remote_per_second:
+    type: float
+    description: Allows for ratelimiting number of remote rooms a user can join
+      per second.
+    default: 0.01
   report_stats:
     description: |
       Configures whether to report statistics.

diff --git a/docs/explanation/charm-architecture.md b/docs/explanation/charm-architecture.md
@@ -16,7 +16,7 @@ Pebble `services` are configured through [layers](https://github.com/canonical/p
 and the following containers represent each one a layer forming the effective
 Pebble configuration, or `plan`:
 
-1. An [NGINX](https://www.nginx.com/) container, which can be used to
+1. An [NGINX](https://www.nginx.com/) Pebble layer, which can be used to
 efficiently serve static resources, as well as be the incoming point for all web
 traffic to the pod.
 2. The [Synapse](https://github.com/matrix-org/synapse) container itself, which
@@ -40,31 +40,27 @@ processes startup as explained above.
 ## OCI images
 
 We use [Rockcraft](https://canonical-rockcraft.readthedocs-hosted.com/en/latest/)
-to build OCI Images for Synapse and NGINX.
-The images are defined in [NGINX rock](https://github.com/canonical/synapse-operator/tree/main/nginx_rock/)
-and [Synapse rock](https://github.com/canonical/synapse-operator/tree/main/synapse_rock).
-They are published to [Charmhub](https://charmhub.io/), the official repository
+to build OCI Image for Synapse.
+The image is defined in [Synapse rock](https://github.com/canonical/synapse-operator/tree/main/synapse_rock) and is published to [Charmhub](https://charmhub.io/), the official repository
 of charms.
 This is done by publishing a resource to Charmhub as described in the
 [Juju SDK How-to guides](https://juju.is/docs/sdk/publishing).
 
-## Containers
+## Container
 
-Configuration files for the containers can be found in the respective
-directories that define the rocks, see the section above.
+Configuration files for the container can be found in the respective
+directory that define the rock, see the section above.
 
 ### NGINX
 
-This container is the entry point for all web traffic to the pod (on port
-`8080`). Serves static files directly and forwards non-static requests to
-the Synapse container (on port `8008`).
+NGINX is configured as a Pebble Layer and is the entry point for all web traffic
+to the pod (on port `8080`). Serves static files directly and forwards
+non-static requests to the Synapse container (on port `8008`).
 
 NGINX provides static content cache, reverse proxy, and load balancer among 
 multiple application servers, as well as other features. It can be used in front of
 Synapse server to significantly reduce server and network load.
 
-The workload that this container is running is defined in the [NGINX rock](https://github.com/canonical/synapse-operator/tree/main/nginx_rock/).
-
 ### Synapse
 
 Synapse is a Python application run by the `start.py` script.