
Add macaroon_secret_key_path config option #17983

Merged (5 commits) Dec 17, 2024

Conversation

@V02460 (Contributor) commented Dec 2, 2024

Another config option on my quest toward a *_path variant for every secret. This time it’s macaroon_secret_key_path.

Slightly modified the tests to accommodate this option (see 9367d18, 087ec0f), hopefully self-explanatory.

Reading secrets from files has the security advantage of separating the secrets from the config. It also simplifies secrets management in Kubernetes. Also useful to NixOS users.

Pull Request Checklist

  • Pull request is based on the develop branch
  • Pull request includes a changelog file. The entry should:
    • Be a short description of your change which makes sense to users. "Fixed a bug that prevented receiving messages from other servers." instead of "Moved X method from EventStore to EventWorkerStore.".
    • Use markdown where necessary, mostly for code blocks.
    • End with either a period (.) or an exclamation mark (!).
    • Start with a capital letter.
    • Feel free to credit yourself, by adding a sentence "Contributed by @github_username." or "Contributed by [Your Name]." to the end of the entry.
  • Code style is correct (run the linters)
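As an added illustration of the pattern this PR introduces (this is example code, not Synapse's own implementation), the loader below resolves a secret from either the inline `macaroon_secret_key` or the file named by `macaroon_secret_key_path`, refuses the ambiguous case where both are set, and rejects a missing, empty or group/world-accessible secret file. The function names, the permission check and the `config_dir` resolution are this example's own assumptions.

```python
import os
import stat
from pathlib import Path
from typing import Optional


class ConfigError(Exception):
    """Inconsistent or unreadable secret configuration."""


def write_secret_file(path: str, value: str) -> None:
    """Create a secret file readable only by its owner (mode 0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(value + "\n")  # tools such as `openssl rand` add a newline too


def resolve_secret(config: dict, inline_key: str, path_key: str,
                   config_dir: str = ".") -> Optional[str]:
    """Return the secret from config[inline_key] or from the file named by
    config[path_key]. Illustrative re-implementation of the pattern the PR
    adds for macaroon_secret_key / macaroon_secret_key_path; not Synapse code."""
    inline, path = config.get(inline_key), config.get(path_key)
    if inline is not None and path is not None:
        # Two sources of truth would leave it unclear which key signs tokens.
        raise ConfigError(f"set either `{inline_key}` or `{path_key}`, not both")
    if inline is not None:
        return inline
    if path is None:
        return None  # caller decides whether an absent secret is fatal
    secret_file = Path(config_dir) / path  # an absolute `path` ignores config_dir
    try:
        mode = secret_file.stat().st_mode
    except FileNotFoundError:
        raise ConfigError(f"`{path_key}`: {secret_file} does not exist") from None
    # Assumed check for this example: a group/world-accessible secret file
    # undoes the benefit of moving the secret out of the config.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise ConfigError(f"`{path_key}`: {secret_file} must be mode 0600")
    secret = secret_file.read_text().strip()  # drop the trailing newline
    if not secret:
        raise ConfigError(f"`{path_key}`: {secret_file} is empty")
    return secret


def load_macaroon_secret_key(config: dict, config_dir: str = ".") -> Optional[str]:
    """Convenience wrapper for the two option names this PR is about."""
    return resolve_secret(config, "macaroon_secret_key",
                          "macaroon_secret_key_path", config_dir)
```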

@V02460 V02460 requested a review from a team as a code owner December 2, 2024 15:02
@github-actions github-actions bot deployed to PR Documentation Preview December 2, 2024 15:03 Active
@MadLittleMods MadLittleMods changed the title Add macaroon_secret_key_path config option Add macaroon_secret_key_path config option Dec 16, 2024
@github-actions github-actions bot deployed to PR Documentation Preview December 16, 2024 23:22 Active
@MadLittleMods MadLittleMods merged commit 57bf449 into element-hq:develop Dec 17, 2024
41 checks passed
@MadLittleMods (Contributor)

Thanks for continuing down the path @V02460 🐡

@remram44 (Contributor)

This is great, the only one left in my config is form_secret

@V02460 (Contributor, Author) commented Jan 15, 2025

Thanks @remram44, I didn’t catch that one yet! Out of curiosity: what is your use case? Why are you interested in this?

@remram44 (Contributor)

I maintain a helm chart for Kubernetes: https://github.com/remram44/matrix-helm

The secret values are generated automatically and stored separately (as Kubernetes Secrets) so they need to be injected into the config before Synapse starts.

I was able to remove some code from the injection script thanks to your efforts: remram44/matrix-helm@3569d57

yingziwu added a commit to yingziwu/synapse that referenced this pull request Jan 16, 2025
Please note that this version of Synapse drops support for PostgreSQL 11 and 12. The minimum version of PostgreSQL supported is now version 13.

No significant changes since 1.122.0rc1.

- Remove support for PostgreSQL 11 and 12. Contributed by @clokep. ([#18034](element-hq/synapse#18034))

- Added the `email.tlsname` config option. This allows specifying the domain name used to validate the SMTP server's TLS certificate separately from the `email.smtp_host` to connect to. ([#17849](element-hq/synapse#17849))
- Module developers will have access to the user ID of the requester when adding `check_username_for_spam` callbacks to `spam_checker_module_callbacks`. Contributed by Wilson@Pangea.chat. ([#17916](element-hq/synapse#17916))
- Add endpoints to the Admin API to fetch the number of invites the provided user has sent after a given timestamp, fetch the number of rooms the provided user has joined after a given timestamp, and get report IDs of event reports against a provided user (i.e. where the user was the sender of the reported event). ([#17948](element-hq/synapse#17948))
- Support stable account suspension from [MSC3823](matrix-org/matrix-spec-proposals#3823). ([#17964](element-hq/synapse#17964))
- Add `macaroon_secret_key_path` config option. ([#17983](element-hq/synapse#17983))

- Fix bug when rejecting a withdrawn invite with a `third_party_rules` module, where the invite would be stuck for the client. ([#17930](element-hq/synapse#17930))
- Properly purge state groups tables when purging a room with the Admin API. ([#18024](element-hq/synapse#18024))
- Fix a bug preventing the admin redaction endpoint from working on messages from remote users. ([#18029](element-hq/synapse#18029), [#18043](element-hq/synapse#18043))

- Update `synapse.app.generic_worker` documentation to only recommend `GET` requests for stream writer routes by default, unless the worker is also configured as a stream writer. Contributed by @evoL. ([#17954](element-hq/synapse#17954))
- Add documentation for the previously-undocumented `last_seen_ts` query parameter to the query user Admin API. ([#17976](element-hq/synapse#17976))
- Improve documentation for the `TaskScheduler` class. ([#17992](element-hq/synapse#17992))
- Fix example in reverse proxy docs to include server port. ([#17994](element-hq/synapse#17994))
- Update Alpine Linux Synapse Package Maintainer within the installation instructions. ([#17846](element-hq/synapse#17846))

- Add `RoomID` & `EventID` rust types. ([#17996](element-hq/synapse#17996))
- Fix various type errors across the codebase. ([#17998](element-hq/synapse#17998))
- Disable DB statement timeout when doing a room purge since it can be quite long. ([#18017](element-hq/synapse#18017))
- Remove some remaining uses of `twisted.internet.defer.returnValue`. Contributed by Colin Watson. ([#18020](element-hq/synapse#18020))
- Refactor `get_profile` to no longer include fields with a value of `None`. ([#18063](element-hq/synapse#18063))

- Bump anyhow from 1.0.93 to 1.0.95. ([#18012](element-hq/synapse#18012), [#18045](element-hq/synapse#18045))
- Bump authlib from 1.3.2 to 1.4.0. ([#18048](element-hq/synapse#18048))
- Bump dawidd6/action-download-artifact from 6 to 7. ([#17981](element-hq/synapse#17981))
- Bump http from 1.1.0 to 1.2.0. ([#18013](element-hq/synapse#18013))
- Bump mypy from 1.11.2 to 1.12.1. ([#17999](element-hq/synapse#17999))
- Bump mypy-zope from 1.0.8 to 1.0.9. ([#18047](element-hq/synapse#18047))
- Bump pillow from 10.4.0 to 11.0.0. ([#18015](element-hq/synapse#18015))
- Bump pydantic from 2.9.2 to 2.10.3. ([#18014](element-hq/synapse#18014))
- Bump pyicu from 2.13.1 to 2.14. ([#18060](element-hq/synapse#18060))
- Bump pyo3 from 0.23.2 to 0.23.3. ([#18001](element-hq/synapse#18001))
- Bump python-multipart from 0.0.16 to 0.0.18. ([#17985](element-hq/synapse#17985))
- Bump sentry-sdk from 2.17.0 to 2.19.2. ([#18061](element-hq/synapse#18061))
- Bump serde from 1.0.215 to 1.0.217. ([#18031](element-hq/synapse#18031), [#18059](element-hq/synapse#18059))
- Bump serde_json from 1.0.133 to 1.0.134. ([#18044](element-hq/synapse#18044))
- Bump twine from 5.1.1 to 6.0.1. ([#18049](element-hq/synapse#18049))

**Changelogs for older versions can be found [here](docs/changelogs/).**