feat: add helm chart and harden PDU size patch

.github/workflows/build-and-publish.yml

@@ -0,0 +1,287 @@
+name: Build and Publish Docker Image
+
+on:
+  push:
+    branches: [master, development]
+    tags: ["v*"]
+  pull_request:
+    branches: [master]
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+  TEST_TAG: beacon-node:test
+
+jobs:
+  lint:
+    name: Lint Dockerfile
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Run Hadolint
+        uses: hadolint/hadolint-action@v3.3.0
+        with:
+          dockerfile: docker/Dockerfile
+          failure-threshold: error
+
+  test:
+    name: Build & Validate Image
+    runs-on: ubuntu-latest
+    needs: lint
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build image for testing
+        uses: docker/build-push-action@v6
+        with:
+          context: ./docker/
+          load: true
+          tags: ${{ env.TEST_TAG }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Verify custom modules are installed
+        run: |
+          echo "--- Checking crypto_auth_provider.py ---"
+          docker run --rm --entrypoint="" ${{ env.TEST_TAG }} \
+            python -c "import crypto_auth_provider; print('crypto_auth_provider OK')"
+
+          echo "--- Checking beacon_info_module.py ---"
+          docker run --rm --entrypoint="" ${{ env.TEST_TAG }} \
+            python -c "import beacon_info_module; print('beacon_info_module OK')"
+
+      - name: Verify constants.py patch (max size 1048576)
+        run: |
+          docker run --rm --entrypoint="" ${{ env.TEST_TAG }} \
+            python -c "from synapse.api.constants import EventContentFields; print('synapse.api.constants imported OK')"
+          docker run --rm --entrypoint="" ${{ env.TEST_TAG }} \
+            grep -q '1048576' /usr/local/lib/python3.13/site-packages/synapse/api/constants.py \
+            && echo "constants.py patch OK" \
+            || (echo "FAIL: constants.py patch not applied" && exit 1)
+
+      - name: Verify entrypoint script exists and is executable
+        run: |
+          docker run --rm --entrypoint="" ${{ env.TEST_TAG }} \
+            test -x /usr/local/bin/synctl_entrypoint.sh \
+            && echo "entrypoint OK"
+
+      - name: Verify worker configs are present
+        run: |
+          for w in main_process worker1 worker2 worker3 worker4; do
+            docker run --rm --entrypoint="" ${{ env.TEST_TAG }} \
+              test -f /config/workers/${w}.yaml \
+              && echo "${w}.yaml OK" \
+              || (echo "FAIL: ${w}.yaml missing" && exit 1)
+          done
+
+      - name: Verify pip dependencies
+        run: |
+          docker run --rm --entrypoint="" ${{ env.TEST_TAG }} \
+            python -c "import psycopg2; print('psycopg2 OK')"
+          docker run --rm --entrypoint="" ${{ env.TEST_TAG }} \
+            python -c "import pysodium; print('pysodium OK')"
+
+      - name: Verify config files are present
+        run: |
+          for f in homeserver.yaml synapse.log.config shared_config.yaml; do
+            docker run --rm --entrypoint="" ${{ env.TEST_TAG }} \
+              test -f /config/${f} \
+              && echo "/config/${f} OK" \
+              || (echo "FAIL: /config/${f} missing" && exit 1)
+          done
+
+      - name: Verify systemd units are present
+        run: |
+          for f in synapse_master.service synapse_worker@.service matrix_synapse.target; do
+            docker run --rm --entrypoint="" ${{ env.TEST_TAG }} \
+              test -f /etc/systemd/system/${f} \
+              && echo "${f} OK" \
+              || (echo "FAIL: ${f} missing" && exit 1)
+          done
+
+      - name: Verify wait-for.sh is executable
+        run: |
+          docker run --rm --entrypoint="" ${{ env.TEST_TAG }} \
+            test -x /usr/local/bin/wait-for.sh \
+            && echo "wait-for.sh OK"
+
+      - name: Verify /keys directory exists
+        run: |
+          docker run --rm --entrypoint="" ${{ env.TEST_TAG }} \
+            test -d /keys \
+            && echo "/keys OK"
+
+  smoke-test:
+    name: KIND Smoke Test
+    runs-on: ubuntu-latest
+    needs: test
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build image
+        uses: docker/build-push-action@v6
+        with:
+          context: ./docker/
+          load: true
+          tags: ${{ env.TEST_TAG }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+
+      - name: Create KIND cluster
+        uses: helm/kind-action@v1
+
+      - name: Load image into KIND
+        run: kind load docker-image ${{ env.TEST_TAG }} --name chart-testing
+
+      - name: Add subchart repos & build deps
+        run: |
+          helm repo add kubelauncher https://kubelauncher.github.io/charts
+          helm dependency build charts/
+
+      - name: Lint chart
+        run: helm lint charts/
+
+      - name: Generate signing key
+        run: |
+          SIGNING_KEY="ed25519 a_test $(openssl rand -base64 32)"
+          echo "SIGNING_KEY=${SIGNING_KEY}" >> "$GITHUB_ENV"
+
+      - name: Install chart
+        run: |
+          helm install beacon-node charts/ \
+            --set image.repository=beacon-node \
+            --set image.tag=test \
+            --set image.digest="" \
+            --set image.pullPolicy=Never \
+            --set serverName=beacon-node-test.local \
+            --set "signingKey=${SIGNING_KEY}" \
+            --set postgresql.enabled=true \
+            --set postgresql.auth.password=testpass \
+            --set postgresql.auth.postgresPassword=testpass \
+            --set redis.enabled=true \
+            --set ingress.enabled=false \
+            --set workers.enabled=true \
+            --wait \
+            --timeout 300s
+
+      - name: Verify pods are running
+        run: |
+          kubectl get pods -o wide
+          kubectl wait --for=condition=ready pod -l app.kubernetes.io/name=beacon-node --timeout=120s
+
+      - name: Check beacon-node logs for errors
+        run: |
+          POD=$(kubectl get pod -l app.kubernetes.io/name=beacon-node -o jsonpath='{.items[0].metadata.name}')
+          kubectl logs "$POD" --tail=50
+          if kubectl logs "$POD" | grep -i "FATAL" | grep -v "reserved for"; then
+            echo "FATAL errors found in logs"
+            exit 1
+          fi
+          echo "No FATAL errors in logs"
+
+      - name: Smoke test Synapse endpoints
+        run: |
+          POD=$(kubectl get pod -l app.kubernetes.io/name=beacon-node -o jsonpath='{.items[0].metadata.name}')
+
+          echo "--- /.well-known/matrix/server ---"
+          RESPONSE=$(kubectl exec "$POD" -- curl -sf http://localhost:8008/.well-known/matrix/server)
+          echo "$RESPONSE"
+          echo "$RESPONSE" | grep -q "m.server" || (echo "FAIL: missing m.server" && exit 1)
+
+          echo "--- /.well-known/matrix/client ---"
+          RESPONSE=$(kubectl exec "$POD" -- curl -sf http://localhost:8008/.well-known/matrix/client)
+          echo "$RESPONSE"
+          echo "$RESPONSE" | grep -q "m.homeserver" || (echo "FAIL: missing m.homeserver" && exit 1)
+
+          echo "--- /_matrix/client/versions ---"
+          RESPONSE=$(kubectl exec "$POD" -- curl -sf http://localhost:8008/_matrix/client/versions)
+          echo "$RESPONSE"
+          echo "$RESPONSE" | grep -q "versions" || (echo "FAIL: missing versions" && exit 1)
+
+          echo "--- /_matrix/federation/v1/version ---"
+          RESPONSE=$(kubectl exec "$POD" -- curl -sf http://localhost:8008/_matrix/federation/v1/version)
+          echo "$RESPONSE"
+          echo "$RESPONSE" | grep -q "Synapse" || (echo "FAIL: unexpected version response" && exit 1)
+
+          echo "--- /_matrix/client/v3/login ---"
+          RESPONSE=$(kubectl exec "$POD" -- curl -sf http://localhost:8008/_matrix/client/v3/login)
+          echo "$RESPONSE"
+          echo "$RESPONSE" | grep -q "m.login.password" || (echo "FAIL: login flow missing" && exit 1)
+
+          echo "All smoke tests passed"
+
+      - name: Debug on failure
+        if: failure()
+        run: |
+          echo "=== Pod status ==="
+          kubectl get pods -o wide
+          echo "=== Events ==="
+          kubectl get events --sort-by='.lastTimestamp'
+          echo "=== Beacon node logs ==="
+          POD=$(kubectl get pod -l app.kubernetes.io/name=beacon-node -o jsonpath='{.items[0].metadata.name}' 2>/dev/null)
+          [ -n "$POD" ] && kubectl logs "$POD" --tail=100
+          echo "=== PostgreSQL logs ==="
+          PG_POD=$(kubectl get pod -l app.kubernetes.io/name=postgresql -o jsonpath='{.items[0].metadata.name}' 2>/dev/null)
+          [ -n "$PG_POD" ] && kubectl logs "$PG_POD" --tail=50
+
+  publish:
+    name: Publish to GHCR
+    runs-on: ubuntu-latest
+    needs: [test, smoke-test]
+    if: github.event_name != 'pull_request'
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=sha
+            type=ref,event=branch
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=raw,value=latest,enable={{is_default_branch}}
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: ./docker/
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

.github/workflows/security-scan.yml

@@ -0,0 +1,61 @@
+name: Security Scan
+
+on:
+  push:
+    branches: [master]
+    paths:
+      - "docker/**"
+      - ".github/workflows/security-scan.yml"
+  pull_request:
+    branches: [master]
+    paths:
+      - "docker/**"
+      - ".github/workflows/security-scan.yml"
+  schedule:
+    - cron: "0 6 * * 1" # Weekly Monday 06:00 UTC
+
+env:
+  TEST_TAG: beacon-node:scan
+
+jobs:
+  trivy:
+    name: Trivy Image Scan
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build image
+        uses: docker/build-push-action@v6
+        with:
+          context: ./docker/
+          load: true
+          tags: ${{ env.TEST_TAG }}
+          cache-from: type=gha
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.34.1
+        with:
+          image-ref: ${{ env.TEST_TAG }}
+          format: "sarif"
+          output: "trivy-results.sarif"
+          severity: "CRITICAL,HIGH"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v4
+        if: always()
+        with:
+          sarif_file: "trivy-results.sarif"
+
+      - name: Trivy summary (table)
+        uses: aquasecurity/trivy-action@0.34.1
+        if: always()
+        with:
+          image-ref: ${{ env.TEST_TAG }}
+          format: "table"
+          severity: "CRITICAL,HIGH"

.gitignore

@@ -1,2 +1,4 @@
 data
 .vscode
+charts/charts/
+charts/Chart.lock