wrenix/helm-charts
1
0
Fork 0
Code Issues 8 Pull requests 8 Projects Packages Activity

feat(matrix-synapse): init

Browse source
This commit is contained in:
WrenIX 2024-02-11 23:14:38 +01:00
parent b41a2a9f45
commit 465d04e3a8
Signed by: wrenix
GPG key ID: 7AFDB012974B1BB5
26 changed files with 3698 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
docs/modules/charts/nav.adoc
View file

@ -10,6 +10,7 @@
** xref:headscale-ui.adoc[headscale-ui]
** xref:hydrogen-web.adoc[hydrogen-web]
** xref:jellyfin.adoc[jellyfin]
** xref:matrix-synapse.adoc[matrix-synapse]
** xref:miniserve.adoc[miniserve]
** xref:monitoring.adoc[monitoring]
** xref:ntfy.adoc[ntfy]

1
docs/modules/charts/pages/matrix-synapse.adoc Symbolic link
View file

@ -0,0 +1 @@
../../../../matrix-synapse/README.adoc

2
matrix-synapse/.gitignore vendored Normal file
View file

@ -0,0 +1,2 @@
charts/*.tgz
values_test.yaml

22
matrix-synapse/.helmignore Normal file
View file

@ -0,0 +1,22 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

9
matrix-synapse/Chart.lock Normal file
View file

@ -0,0 +1,9 @@
dependencies:
- name: postgresql
repository: https://charts.bitnami.com/bitnami
version: 12.12.10
- name: redis
repository: https://charts.bitnami.com/bitnami
version: 17.17.1
digest: sha256:dcac7ce7b24d359b39fbfe093b8be525d995d3799fbb0a9752858980a51f8600
generated: "2024-02-11T23:16:42.94262676+01:00"

22
matrix-synapse/Chart.yaml Normal file
View file

@ -0,0 +1,22 @@
---
apiVersion: v2
name: matrix-synapse
description: Matrix reference homeserver
icon: https://matrix.org/images/matrix-logo.svg
type: application
version: 0.0.1
# renovate: image=ghcr.io/element-hq/synapse
appVersion: 1.100.0
maintainers:
- name: WrenIX
url: https://wrenix.eu
dependencies:
- name: postgresql
version: ^12.1.4
repository: https://charts.bitnami.com/bitnami
condition: postgresql.enabled
- name: redis
version: ^17.3.17
repository: https://charts.bitnami.com/bitnami
condition: redis.enabled

1106
matrix-synapse/README.adoc Normal file
View file

File diff suppressed because it is too large Load diff

0
matrix-synapse/_docs.gotmpl Normal file
View file

1
matrix-synapse/ci/ct-values.yaml Normal file
View file

@ -0,0 +1 @@
serverName: "example.org"

41
matrix-synapse/templates/NOTES.txt Normal file
View file

@ -0,0 +1,41 @@
** Note, this chart may take a while to finish setup, please be patient **
{{- if .Values.signingkey.job.enabled }}
** Also, remember to disable the signingkey job (signingkey.job.enabled=false) **
{{- end }}
{{- if not .Values.ingress.enabled }}
Synapse has been installed without an ingress, you will need to manage
accesses to the services yourself.
{{- else }}
Your Synapse install is now starting, you should soon be able to access it on
the following URL(s);
{{- range (concat .Values.ingress.csHosts (list (.Values.publicServerName | default .Values.serverName))) }}
{{- if $.Values.ingress.tls }}
https://{{ . }}
{{- else }}
http://{{ . }}
{{- end }}
{{- end }}
{{ if not .Values.wellknown.enabled }}
Note that for federation to work you will need to either add an SRV record or
set up a /.well-known/matrix/server response.
Refer to https://github.com/matrix-org/synapse/blob/master/docs/federate.md
for more information.
{{- end }}
{{- end }}
{{- if .Values.config.enableRegistration }}
You should be able to connect to your Synapse install with any compatible
Matrix client - and register an account - as soon as final setup is done.
You can also create an admin user with the following command;
{{- else }}
You can create a user in your new Synapse install by running the following
command; (replacing USERNAME and PASSWORD)
{{- end }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=synapse" -o jsonpath="{.items[0].metadata.name}")
kubectl exec --namespace {{ .Release.Namespace }} $POD_NAME -- register_new_matrix_user -c /synapse/config/homeserver.yaml -c /synapse/config/conf.d/secrets.yaml -u USERNAME -p PASSWORD --admin http://localhost:8008
You can also specify --no-admin to create a non-admin user.

258
matrix-synapse/templates/_helpers.tpl Normal file
View file

@ -0,0 +1,258 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "matrix-synapse.name" -}}
{{- .Values.nameOverride | default .Chart.Name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "matrix-synapse.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := .Values.nameOverride | default .Chart.Name -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create a default replication name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "matrix-synapse.replicationname" -}}
{{- printf "%s-%s" .Release.Name "replication" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default worker name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "matrix-synapse.workername" -}}
{{- with get . "root" }}
{{- $ = . }}
{{- end }}
{{- printf "%s-%s" $.Release.Name .worker | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default external component name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "matrix-synapse.externalname" -}}
{{- with get . "root" }}
{{- $ = . }}
{{- end }}
{{- printf "%s-%s" $.Release.Name .external | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "matrix-synapse.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Common labels
*/}}
{{- define "matrix-synapse.labels" -}}
helm.sh/chart: {{ include "matrix-synapse.chart" . }}
{{ include "matrix-synapse.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{/*
Selector labels
*/}}
{{- define "matrix-synapse.selectorLabels" -}}
app.kubernetes.io/name: {{ include "matrix-synapse.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}
{{/*
Pull secrets
*/}}
{{- define "matrix-synapse.imagePullSecrets" -}}
{{- if or .Values.image.pullSecrets .Values.wellknown.image.pullSecrets .Values.volumePermissions.pullSecrets }}
imagePullSecrets:
{{- with .Values.image.pullSecrets }}
{{- . | toYaml | nindent 2 }}
{{- end }}
{{- with .Values.wellknown.image.pullSecrets }}
{{- . | toYaml | nindent 2 }}
{{- end }}
{{- with .Values.volumePermissions.image.pullSecrets }}
{{- . | toYaml | nindent 2 }}
{{- end }}
{{- end -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "matrix-synapse.postgresql.fullname" -}}
{{- printf "%s-%s" .Release.Name "postgresql" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Set postgres host
*/}}
{{- define "matrix-synapse.postgresql.host" -}}
{{- if .Values.postgresql.enabled -}}
{{- template "matrix-synapse.postgresql.fullname" . -}}
{{- else -}}
{{ required "A valid externalPostgresql.host is required" .Values.externalPostgresql.host }}
{{- end -}}
{{- end -}}
{{/*
Set postgres secret
*/}}
{{- define "matrix-synapse.postgresql.secret" -}}
{{- if .Values.postgresql.enabled -}}
{{- template "matrix-synapse.postgresql.fullname" . -}}
{{- else -}}
{{- template "matrix-synapse.fullname" . -}}
{{- end -}}
{{- end -}}
{{/*
Set postgres port
*/}}
{{- define "matrix-synapse.postgresql.port" -}}
{{- if .Values.postgresql.enabled -}}
{{- if .Values.postgresql.service -}}
{{- .Values.postgresql.service.port | default 5432 }}
{{- else -}}
5432
{{- end -}}
{{- else -}}
{{- required "A valid externalPostgresql.port is required" .Values.externalPostgresql.port -}}
{{- end -}}
{{- end -}}
{{/*
Set postgresql username
*/}}
{{- define "matrix-synapse.postgresql.username" -}}
{{- if .Values.postgresql.enabled -}}
{{ required "A valid postgresql.auth.username is required" .Values.postgresql.auth.username }}
{{- else -}}
{{ required "A valid externalPostgresql.username is required" .Values.externalPostgresql.username }}
{{- end -}}
{{- end -}}
{{/*
Set postgresql password
*/}}
{{- define "matrix-synapse.postgresql.password" -}}
{{- if .Values.postgresql.enabled -}}
{{ required "A valid postgresql.auth.password is required" .Values.postgresql.auth.password }}
{{- else if not (and .Values.externalPostgresql.existingSecret .Values.externalPostgresql.existingSecretPasswordKey) -}}
{{ required "A valid externalPostgresql.password is required" .Values.externalPostgresql.password }}
{{- end -}}
{{- end -}}
{{/*
Set postgresql database
*/}}
{{- define "matrix-synapse.postgresql.database" -}}
{{- if .Values.postgresql.enabled -}}
{{- if .Values.postgresql.postgresqlDatabase -}}
{{- fail "You need to switch to the new postgresql.auth values." -}}
{{- end -}}
{{- .Values.postgresql.auth.database | default "synapse" }}
{{- else -}}
{{ required "A valid externalPostgresql.database is required" .Values.externalPostgresql.database }}
{{- end -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "matrix-synapse.redis.fullname" -}}
{{- printf "%s-%s" .Release.Name "redis" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Set redis host
*/}}
{{- define "matrix-synapse.redis.host" -}}
{{- if .Values.redis.enabled -}}
{{- printf "%s-%s" (include "matrix-synapse.redis.fullname" .) "master" | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{ required "A valid externalRedis.host is required" .Values.externalRedis.host }}
{{- end -}}
{{- end -}}
{{/*
Set redis secret
*/}}
{{- define "matrix-synapse.redis.secret" -}}
{{- if .Values.redis.enabled -}}
{{- template "matrix-synapse.redis.fullname" . -}}
{{- else -}}
{{- template "matrix-synapse.fullname" . -}}
{{- end -}}
{{- end -}}
{{/*
Set redis port
*/}}
{{- define "matrix-synapse.redis.port" -}}
{{- if .Values.redis.enabled -}}
{{- .Values.redis.master.service.port | default 6379 }}
{{- else -}}
{{ required "A valid externalRedis.port is required" .Values.externalRedis.port }}
{{- end -}}
{{- end -}}
{{/*
Set redis password
*/}}
{{- define "matrix-synapse.redis.password" -}}
{{- if (and .Values.redis.enabled .Values.redis.password) -}}
{{ .Values.redis.password }}
{{- else if (and .Values.redis.enabled .Values.redis.auth.password) -}}
{{ .Values.redis.auth.password }}
{{- else if .Values.externalRedis.password -}}
{{ .Values.externalRedis.password }}
{{- end -}}
{{- end -}}
{{/*
Set redis database id
*/}}
{{- define "matrix-synapse.redis.dbid" -}}
{{- if .Values.redis.dbid -}}
{{ .Values.redis.dbid }}
{{- else if .Values.externalRedis.dbid -}}
{{ .Values.externalRedis.dbid }}
{{- end -}}
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "matrix-synapse.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "matrix-synapse.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}

169
matrix-synapse/templates/configmap.yaml Normal file
View file

@ -0,0 +1,169 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "matrix-synapse.fullname" . }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
data:
log.yaml: |
version: 1
formatters:
{{- if .Values.config.useStructuredLogging }}
structured:
class: synapse.logging.TerseJsonFormatter
{{- else }}
precise:
format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s- %(message)s'
{{- end }}
filters:
context:
(): synapse.util.logcontext.LoggingContextFilter
request: ""
handlers:
console:
class: logging.StreamHandler
formatter: {{ if .Values.config.useStructuredLogging }}structured{{ else }}precise{{ end }}
filters: [context]
level: {{ .Values.config.logLevel | default "INFO" }}
loggers:
synapse:
level: {{ .Values.config.logLevel | default "INFO" }}
{{- with .Values.extraLoggers -}}
{{ . | toYaml | nindent 8 }}
{{- end }}
root:
level: {{ .Values.config.logLevel | default "INFO" }}
handlers: [console]
homeserver.yaml: |
# NOTE:
# Secrets are stored in separate configs to better fit K8s concepts
## Server ##
server_name: {{ required "You need to specify a serverName" .Values.serverName | quote }}
public_baseurl: {{ .Values.config.publicBaseurl | default (printf "https://%s" (.Values.publicServerName | default .Values.serverName)) | quote }}
pid_file: /homeserver.pid
web_client: False
soft_file_limit: 0
log_config: "/synapse/config/log.yaml"
report_stats: {{ required "You need to specify config.reportStats" .Values.config.reportStats }}
instance_map:
main:
host: {{ include "matrix-synapse.replicationname" . }}
port: 9093
{{- range $worker, $config := .Values.workers }}
{{- if and $config.enabled $config.name $config.listeners (has "replication" $config.listeners) }}
{{- $name := $worker | replace "_" "-" }}
{{ $config.name | quote }}:
host: {{ include "matrix-synapse.workername" (dict "root" $ "worker" $name) | quote }}
port: 9093
{{- end }}{{/* end-if .enabled ... */}}
{{- end }}{{/* end-range .workers */}}
## Ports ##
{{- $bindAddresses := .Values.config.bindAddresses }}
listeners:
- port: 8008
tls: false
bind_addresses: {{ toJson $bindAddresses }}
type: http
x_forwarded: true
resources:
- names:
- client
- federation
{{- with .Values.config.extraMainListenerTypes }}
{{- . | toYaml | nindent 14 }}
{{- end }}
compress: false
- port: 9090
tls: false
bind_addresses: {{ toJson $bindAddresses }}
type: http
resources:
- names: [metrics]
compress: false
- port: 9093
tls: false
bind_addresses: {{ toJson $bindAddresses }}
type: http
resources:
- names: [replication]
compress: false
{{- if .Values.config.extraListeners }}
{{ .Values.config.extraListeners | toYaml | nindent 6 }}
{{- end }}
## Files ##
media_store_path: "/synapse/data/media"
uploads_path: "/synapse/data/uploads"
{{- if .Values.config.recaptcha }}
## Captcha ##
recaptcha_public_key: {{ .Values.config.recaptcha.publicKey | quote }}
enable_registration_captcha: true
{{- end }}
{{- if .Values.config.turnUris }}
## Turn ##
turn_uris:
{{ toYaml .Values.config.turnUris | nindent 6 }}
{{- end }}
## Registration ##
enable_registration: {{ .Values.config.enableRegistration | default false }}
## Metrics ###
enable_metrics: true
## Signing Keys ##
signing_key_path: "/synapse/keys/signing.key"
# The trusted servers to download signing keys from.
trusted_key_servers: {{- .Values.config.trustedKeyServers | toYaml | nindent 6 }}
## Workers ##
{{- range $worker, $config := .Values.workers }}
{{- if $config.enabled }}
{{- if or (eq $worker "pusher") (eq ($config.app | default "") "pusher") }}
# For pusher worker
start_pushers: false
{{- else if or (eq $worker "appservice") (eq ($config.app | default "") "appservice") }}
# For appservice worker
notify_appservices_from_worker: {{ $config.name | quote }}
{{- else if or (eq $worker "federation_sender") (eq ($config.app | default "") "federation_sender") }}
# For federation_sender worker
send_federation: false
{{- else if or (eq $worker "media_repository") (eq ($config.app | default "") "media_repository") }}
# For media_repository worker
enable_media_repo: false
{{- else if or (eq $worker "user_dir") (eq ($config.app | default "") "user_dir") }}
# For user_dir worker
update_user_directory_from_worker: {{ $config.name | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- with .Values.extraConfig }}
## Extra config ##
{{ . | toYaml | nindent 4 }}
{{- end }}

204
matrix-synapse/templates/deployment.yaml Normal file
View file

@ -0,0 +1,204 @@
{{- $needsVolumePermissions := and .Values.volumePermissions.enabled (or .Values.persistence.enabled .Values.persistence.existingClaim) }}
{{- if (and .Values.postgresql.enabled (and (not .Values.postgresql.auth.password) (not .Values.postgresql.existingSecret))) -}}
{{- fail "You must specify a static postgres password or existing secret if using the included postgres chart" -}}
{{- end -}}
{{- if (and .Values.redis.enabled (and .Values.redis.usePassword (and (not .Values.redis.auth.password) (not .Values.redis.auth.existingSecret)))) -}}
{{- fail "You must specify a static redis password or existing secret if using the included redis chart" -}}
{{- end -}}
---
# Server: {{ required "A valid serverName is required" .Values.serverName }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "matrix-synapse.fullname" . }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
app.kubernetes.io/component: synapse
spec:
replicas: 1
strategy:
{{- toYaml .Values.synapse.strategy | nindent 4 }}
selector:
matchLabels:
{{- include "matrix-synapse.selectorLabels" . | nindent 6 }}
app.kubernetes.io/component: synapse
template:
metadata:
annotations:
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
{{- with .Values.synapse.annotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "matrix-synapse.selectorLabels" . | nindent 8 }}
app.kubernetes.io/component: synapse
{{- with .Values.synapse.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
serviceAccountName: {{ include "matrix-synapse.serviceAccountName" . }}
{{- include "matrix-synapse.imagePullSecrets" . | nindent 6 }}
securityContext:
{{- toYaml .Values.synapse.podSecurityContext | nindent 8 }}
{{- if $needsVolumePermissions }}
initContainers:
- name: volume-permissions
command:
- sh
- -c
- |
chown {{ .Values.volumePermissions.uid }}:{{ .Values.volumePermissions.gid }} -R /synapse/data
{{- with .Values.volumePermissions.image }}
image: "{{ coalesce $.Values.global.image.registry .registry }}/{{ .repository }}:{{ .tag }}"
imagePullPolicy: {{ coalesce $.Values.global.image.pullPolicy .pullPolicy }}
{{- end }}
resources:
{{- toYaml .Values.volumePermissions.resources | nindent 12 }}
securityContext:
runAsNonRoot: false
runAsUser: 0
volumeMounts:
- name: media
mountPath: /synapse/data
{{- end }}
containers:
- name: synapse
{{- with .Values.image }}
image: "{{ coalesce $.Values.global.image.registry .registry }}/{{ .repository }}:{{ .tag | default (printf "v%s" $.Chart.AppVersion) }}"
imagePullPolicy: {{ coalesce $.Values.global.image.pullPolicy .pullPolicy }}
{{- end }}
env:
{{- if or .Values.postgresql.enabled .Values.externalPostgresql.existingSecret }}
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
{{- if .Values.postgresql.enabled }}
name: {{ .Values.postgresql.existingSecret | default (include "matrix-synapse.postgresql.fullname" .) }}
key: password
{{- else }}
name: {{ .Values.externalPostgresql.existingSecret }}
key: {{ .Values.externalPostgresql.existingSecretPasswordKey }}
{{- end }}
{{- end }}
{{- if or (and .Values.redis.enabled (default .Values.redis.usePassword true)) .Values.externalRedis.existingSecret }}
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
{{- if .Values.redis.enabled }}
name: {{ .Values.redis.auth.existingSecret | default (include "matrix-synapse.redis.fullname" .) }}
key: redis-password
{{- else }}
name: {{ .Values.externalRedis.existingSecret }}
key: {{ .Values.externalRedis.existingSecretPasswordKey }}
{{- end -}}
{{- end }}
{{- with .Values.synapse.extraEnv }}
{{- . | toYaml | nindent 12 }}
{{- end }}
command:
- sh
- -c
- |
cat /synapse/secrets/*.yaml | \
sed -e "s/@@POSTGRES_PASSWORD@@/${POSTGRES_PASSWORD:-}/" \
-e "s/@@REDIS_PASSWORD@@/${REDIS_PASSWORD:-}/" \
> /synapse/config/conf.d/secrets.yaml
{{- if .Values.synapse.extraCommands }}
{{ range .Values.synapse.extraCommands }}
{{ . }}
{{- end }}
{{- end }}
exec python -B -m synapse.app.homeserver \
-c /synapse/config/homeserver.yaml \
-c /synapse/config/conf.d/
securityContext:
{{- toYaml .Values.synapse.securityContext | nindent 12 }}
ports:
- name: http
containerPort: 8008
protocol: TCP
- name: replication
containerPort: 9093
protocol: TCP
- name: metrics
containerPort: 9090
protocol: TCP
{{- with .Values.synapse.livenessProbe }}
livenessProbe:
{{- . | toYaml | nindent 12 }}
{{- end }}
{{- with .Values.synapse.readinessProbe }}
readinessProbe:
{{- . | toYaml | nindent 12 }}
{{- end }}
{{- with .Values.synapse.startupProbe }}
startupProbe:
{{- . | toYaml | nindent 12 }}
{{- end }}
volumeMounts:
- name: config
mountPath: /synapse/config
- name: tmpconf
mountPath: /synapse/config/conf.d
- name: secrets
mountPath: /synapse/secrets
- name: signingkey
mountPath: /synapse/keys
- name: media
mountPath: /synapse/data
- name: tmpdir
mountPath: /tmp
{{- with .Values.synapse.extraVolumeMounts }}
{{- . | toYaml | nindent 12 }}
{{- end }}
resources:
{{- toYaml .Values.synapse.resources | nindent 12 }}
volumes:
- name: config
configMap:
name: {{ include "matrix-synapse.fullname" . }}
- name: secrets
secret:
secretName: {{ include "matrix-synapse.fullname" . }}
- name: signingkey
secret:
secretName: {{ .Values.signingkey.existingSecret | default (include "matrix-synapse.workername" (dict "root" . "worker" "signingkey")) | quote }}
items:
- key: {{ .Values.signingkey.existingSecretKey | default "signing.key" | quote }}
path: signing.key
- name: tmpconf
emptyDir: {}
- name: tmpdir
emptyDir: {}
- name: media
{{- $mediaworker := false }}
{{- range $worker, $config := .Values.workers }}
{{- if eq $worker "media_repository" }}
{{- $mediaworker = ($config.enabled | default false) }}
{{- end }}
{{- end }}
{{- if and .Values.persistence.enabled (not $mediaworker) }}
persistentVolumeClaim:
claimName: {{ .Values.persistence.existingClaim | default (include "matrix-synapse.fullname" .) }}
{{- else }}
emptyDir: {}
{{- end }}
{{- with .Values.synapse.extraVolumes }}
{{- . | toYaml | nindent 8 }}
{{- end }}
{{- with .Values.synapse.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.synapse.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.synapse.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}

195
matrix-synapse/templates/ingress.yaml Normal file
View file

@ -0,0 +1,195 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "matrix-synapse.fullname" . -}}
{{- $wkName := include "matrix-synapse.externalname" (dict "root" . "external" "wellknown") -}}
{{- $v1Ingress := .Capabilities.APIVersions.Has "networking.k8s.io/v1" -}}
{{- if $v1Ingress -}}
apiVersion: networking.k8s.io/v1
{{- else -}}
apiVersion: networking.k8s.io/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
{{- with .Values.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if .Values.ingress.className }}
ingressClassName: {{ .Values.ingress.className }}
{{- end }}
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
{{- if .secretName }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
{{- end }}
rules:
{{- $csHosts := .Values.ingress.csHosts }}
{{- if .Values.ingress.includeServerName }}
{{- $csHosts = concat (list (.Values.publicServerName | default .Values.serverName)) $csHosts }}
{{- end }}
{{- $s2sHosts := .Values.ingress.hosts }}
{{- if .Values.ingress.includeServerName }}
{{- $s2sHosts = concat (list .Values.serverName) $s2sHosts }}
{{- end }}
{{- $wkHosts := .Values.ingress.wkHosts }}
{{- if .Values.ingress.includeServerName }}
{{- $wkHosts = concat (list .Values.serverName) $wkHosts }}
{{- end }}
{{- $hosts := uniq (concat $s2sHosts $csHosts $wkHosts) }}
{{- range $hosts }}
{{- $host := . }}
- host: {{ . | quote }}
http:
paths:
{{- $default := $.Values.workers.default }}
{{- range $worker, $config := $.Values.workers }}
{{- $name := $worker | replace "_" "-" }}
{{- if and $config.enabled $config.listeners (or $config.paths $config.csPaths) }}
{{- $service := include "matrix-synapse.workername" (dict "root" $ "worker" $name) }}
{{- if has $host $csHosts }}
{{- range $config.csPaths }}
{{- if $.Values.ingress.traefikPaths }}
- path: {{ printf "/{path:%s}" (trimPrefix "/" .) | quote }}
backend:
{{- if $v1Ingress }}
service:
name: {{ $service }}
port:
number: 8083
pathType: ImplementationSpecific
{{- else }}
serviceName: {{ $service }}
servicePort: 8083
{{- end }}
{{- else }}
- path: {{ . | quote }}
backend:
{{- if $v1Ingress }}
service:
name: {{ $service }}
port:
number: 8083
pathType: ImplementationSpecific
{{- else }}
serviceName: {{ $service }}
servicePort: 8083
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- if has $host $s2sHosts }}
{{- range $config.paths }}
{{- if $.Values.ingress.traefikPaths }}
- path: {{ printf "/{path:%s}" (trimPrefix "/" .) | quote }}
backend:
{{- if $v1Ingress }}
service:
name: {{ $service }}
port:
number: 8083
pathType: ImplementationSpecific
{{- else }}
serviceName: {{ $service }}
servicePort: 8083
{{- end }}
{{- else }}
- path: {{ . | quote }}
backend:
{{- if $v1Ingress }}
service:
name: {{ $service }}
port:
number: 8083
pathType: ImplementationSpecific
{{- else }}
serviceName: {{ $service }}
servicePort: 8083
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- if has . $csHosts }}
{{- with $.Values.ingress.csPaths }}
{{ . | toYaml | nindent 10 }}
{{- end }}
{{- end }}
{{- if has . $s2sHosts }}
{{- with $.Values.ingress.paths }}
{{ . | toYaml | nindent 10 }}
{{- end }}
{{- end }}
{{- if or (has . $csHosts) (has . $s2sHosts) }}
- path: /_matrix
backend:
{{- if $v1Ingress }}
service:
name: {{ $fullName }}
port:
number: {{ $.Values.service.port }}
pathType: Prefix
{{- else }}
serviceName: {{ $fullName }}
servicePort: {{ $.Values.service.port }}
{{- end }}
{{- end }}
{{- if and (has . $csHosts) $.Values.ingress.includeUnderscoreSynapse }}
- path: /_synapse
backend:
{{- if $v1Ingress }}
service:
name: {{ $fullName }}
port:
number: {{ $.Values.service.port }}
pathType: Prefix
{{- else }}
serviceName: {{ $fullName }}
servicePort: {{ $.Values.service.port }}
{{- end }}
{{- end }}
{{- if has . $wkHosts }}
{{- if $.Values.wellknown.enabled }}
- path: /.well-known/matrix
backend:
{{- if $v1Ingress }}
service:
name: {{ $wkName }}
port:
number: {{ $.Values.wellknown.service.port | default 80 }}
pathType: Prefix
{{- else }}
serviceName: {{ $wkName }}
servicePort: {{ $.Values.wellknown.service.port | default 80 }}
{{- end }}
{{- else }}
- path: /.well-known/matrix
backend:
{{- if $v1Ingress }}
service:
name: {{ $fullName }}
port:
number: {{ $.Values.service.port }}
pathType: Prefix
{{- else }}
serviceName: {{ $fullName }}
servicePort: {{ $.Values.service.port }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

22
matrix-synapse/templates/pvc.yaml Normal file
View file

@ -0,0 +1,22 @@
{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: {{ template "matrix-synapse.fullname" . }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
spec:
accessModes:
- {{ .Values.persistence.accessMode | quote }}
resources:
requests:
storage: {{ .Values.persistence.size | quote }}
{{- if .Values.persistence.storageClass }}
{{- if (eq "-" .Values.persistence.storageClass) }}
storageClassName: ""
{{- else }}
storageClassName: "{{ .Values.persistence.storageClass }}"
{{- end }}
{{- end }}
{{- end -}}

86
matrix-synapse/templates/secrets.yaml Normal file
View file

@ -0,0 +1,86 @@
---
apiVersion: v1
kind: Secret
metadata:
name: {{ include "matrix-synapse.fullname" . }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
stringData:
config.yaml: |
{{- if .Values.config.recaptcha }}
## Captcha ##
recaptcha_private_key: {{ .Values.config.recaptcha.privateKey | quote }}
{{- end }}
{{- if .Values.config.turnSecret }}
## Turn ##
turn_shared_secret: {{ .Values.config.turnSecret | quote }}
{{- end }}
## Registration ##
registration_shared_secret: {{ .Values.config.registrationSharedSecret | default (randAlphaNum 24) | quote }}
## API Configuration ##
{{- if .Values.config.macaroonSecretKey }}
macaroon_secret_key: {{ .Values.config.macaroonSecretKey | quote }}
{{- end }}
## Database configuration ##
database:
name: "psycopg2"
{{- $postgresConfig := .Values.externalPostgresql }}
{{- if .Values.postgresql.enabled }}
{{- $postgresConfig = .Values.postgresql }}
{{- end }}
{{- with $postgresConfig.options }}
{{- toYaml . | nindent 6 }}
{{- end }}
args:
host: {{ include "matrix-synapse.postgresql.host" . | quote }}
port: {{ include "matrix-synapse.postgresql.port" . }}
sslmode: {{ $postgresConfig.sslmode | default "prefer" | quote }}
user: {{ include "matrix-synapse.postgresql.username" . | quote }}
{{- $postgresPass := include "matrix-synapse.postgresql.password" . }}
{{- if and $postgresPass (not .Values.postgresql.existingSecret) }}
password: {{ $postgresPass | quote }}
{{- else }}
password: "@@POSTGRES_PASSWORD@@"
{{- end }}
database: {{ include "matrix-synapse.postgresql.database" . | quote }}
cp_min: 5
cp_max: 10
{{- with $postgresConfig.extraArgs }}
{{- toYaml . | nindent 8 }}
{{- end }}
## Redis configuration ##
redis:
enabled: true
host: {{ include "matrix-synapse.redis.host" . | quote }}
{{- with (include "matrix-synapse.redis.port" .) }}
port: {{ . }}
{{- end }}
{{- $redisPass := include "matrix-synapse.redis.password" . }}
{{- if or .Values.redis.auth.enabled .Values.redis.usePassword .Values.redis.password .Values.redis.auth.password .Values.externalRedis.password }}
{{- if and $redisPass (not .Values.redis.auth.existingSecret) }}
password: {{ $redisPass | quote }}
{{- else }}
password: "@@REDIS_PASSWORD@@"
{{- end }}
{{- end }}
{{- with (include "matrix-synapse.redis.dbid" .) }}
dbid: {{ . }}
{{- end }}
{{- with .Values.extraSecrets }}
## Extra secrets ##
{{ . | toYaml | nindent 4 }}
{{- end }}

64
matrix-synapse/templates/service.yaml Normal file
View file

@ -0,0 +1,64 @@
---
apiVersion: v1
kind: Service
metadata:
name: {{ include "matrix-synapse.fullname" . }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
spec:
type: {{ .Values.service.type | default "ClusterIP" }}
ports:
- port: {{ .Values.service.port }}
targetPort: {{ .Values.service.targetPort | default "http" }}
protocol: TCP
name: http
selector:
app.kubernetes.io/component: synapse
{{- include "matrix-synapse.selectorLabels" . | nindent 4 }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ include "matrix-synapse.replicationname" . }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
spec:
type: ClusterIP
ports:
- port: 9093
targetPort: replication
protocol: TCP
name: replication
selector:
{{- include "matrix-synapse.selectorLabels" . | nindent 4 }}
app.kubernetes.io/component: synapse
{{- $default := .Values.workers.default }}
{{- range $worker, $config := .Values.workers }}
{{- if and $config.enabled $config.listeners }}
{{- $name := $worker | replace "_" "-" }}
{{- $release := $.Release.Name }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ include "matrix-synapse.workername" (dict "root" $ "worker" $name) }}
labels:
{{- include "matrix-synapse.labels" $ | nindent 4 }}
spec:
type: ClusterIP
ports:
- port: 8083
targetPort: listener
protocol: TCP
name: listener
{{- if has "replication" $config.listeners }}
- port: 9093
targetPort: replication
protocol: TCP
name: replication
{{- end }}
selector:
{{- include "matrix-synapse.selectorLabels" $ | nindent 4 }}
app.kubernetes.io/component: {{ $name }}
{{- end }}
{{- end }}

12
matrix-synapse/templates/serviceaccount.yaml Normal file
View file

@ -0,0 +1,12 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.serviceAccount.name | default (include "matrix-synapse.fullname" .) }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
annotations:
{{- with .Values.serviceAccount.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

139
matrix-synapse/templates/signing-key/job.yaml Normal file
View file

@ -0,0 +1,139 @@
{{- $secretName := include "matrix-synapse.workername" (dict "root" . "worker" "signingkey") }}
{{- if .Values.signingkey.job.enabled }}
{{- if .Values.signingkey.existingSecret }}
{{- fail "Can't specify both signingkey.job.enabled and signingkey.existingSecret" }}
{{- end }}
{{- $name := include "matrix-synapse.workername" (dict "root" . "worker" "signingkey-job") }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ $secretName }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
app.kubernetes.io/component: signingkey-job
annotations:
helm.sh/resource-policy: keep
type: Opaque
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ $name }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
app.kubernetes.io/component: signingkey-job
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ $name }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
app.kubernetes.io/component: signingkey-job
rules:
- apiGroups:
- ""
resources:
- secrets
resourceNames:
- {{ $secretName }}
verbs:
- get
- update
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ $name }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
app.kubernetes.io/component: signingkey-job
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ $name }}
subjects:
- kind: ServiceAccount
name: {{ $name }}
namespace: {{ .Release.Namespace }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ $name }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
app.kubernetes.io/component: signingkey-job
annotations:
{{- with .Values.signingkey.job.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
ttlSecondsAfterFinished: 0
template:
metadata:
labels:
{{- include "matrix-synapse.labels" . | nindent 8 }}
app.kubernetes.io/component: signingkey-job
spec:
containers:
- name: signing-key-generate
{{- with .Values.image }}
image: "{{ coalesce $.Values.global.image.registry .registry }}/{{ .repository }}:{{ .tag | default (printf "v%s" $.Chart.AppVersion) }}"
imagePullPolicy: {{ coalesce $.Values.global.image.pullPolicy .pullPolicy }}
{{- end }}
command:
- sh
- -c
- |
echo "Generating signing key..."
if which generate_signing_key.py >/dev/null; then
generate_signing_key.py -o /synapse/keys/signing.key
else
generate_signing_key -o /synapse/keys/signing.key
fi
resources:
{{- toYaml .Values.signingkey.resources | nindent 12 }}
volumeMounts:
- mountPath: /synapse/keys
name: matrix-synapse-keys
- name: signing-key-upload
{{- with .Values.signingkey.job.publishImage }}
image: "{{ coalesce $.Values.global.image.registry .registry }}/{{ .repository }}:{{ .tag }}"
imagePullPolicy: {{ coalesce $.Values.global.image.pullPolicy .pullPolicy }}
{{- end }}
command:
- sh
- -c
- |
# check if key already exists
key=$(kubectl get secret {{ $secretName }} -o jsonpath="{.data['signing.key']}" 2> /dev/null)
[ $? -ne 0 ] && echo "Failed to get existing secret" && exit 1
[ -n "$key" ] && echo "Key already created, exiting." && exit 0
# wait for config
while [ ! -f /synapse/keys/signing.key ]; do
echo "Waiting for key.."
sleep 5;
done
# update secret
kubectl patch secret {{ $secretName }} -p "{\"data\":{\"signing.key\":\"$(base64 /synapse/keys/signing.key | tr -d '\n')\"}}"
[ $? -ne 0 ] && echo "Failed to update secret." && exit 1
echo "Key successfully created."
resources:
{{- toYaml .Values.signingkey.resources | nindent 12 }}
volumeMounts:
- mountPath: /synapse/keys
name: matrix-synapse-keys
readOnly: true
restartPolicy: Never
serviceAccount: {{ $name }}
volumes:
- name: matrix-synapse-keys
emptyDir: {}
parallelism: 1
completions: 1
backoffLimit: 1
{{- end }}

16
matrix-synapse/templates/tests/test-connection.yaml Normal file
View file

@ -0,0 +1,16 @@
---
apiVersion: v1
kind: Pod
metadata:
name: "{{ include "matrix-synapse.fullname" . }}-test-connection"
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": test-success
spec:
containers:
- name: wget
image: busybox
command: ['wget']
args: ['{{ include "matrix-synapse.fullname" . }}:{{ $.Values.service.port }}/_matrix/client/versions']
restartPolicy: Never

23
matrix-synapse/templates/wellknown/configmap.yaml Normal file
View file

@ -0,0 +1,23 @@
{{- if .Values.wellknown.enabled }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "matrix-synapse.externalname" (dict "root" . "external" "wellknown") }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
app.kubernetes.io/component: wellknown
data:
server: |-
{{- with .Values.wellknown.server }}
{{- toJson . | nindent 4 }}
{{- else }}
{{- dict "m.server" (printf "%s:%d" (.Values.publicServerName | default .Values.serverName) 443) | toJson | nindent 4 }}
{{- end }}
client: |-
{{- with .Values.wellknown.client }}
{{- toJson . | nindent 4 }}
{{- else }}
{{- dict "m.homeserver" (dict "base_url" (printf "https://%s/" (.Values.publicServerName | default .Values.serverName))) | toJson | nindent 4 }}
{{- end }}
{{- end -}}{{/* end-if .wellknown.enabled */}}

75
matrix-synapse/templates/wellknown/deployment.yaml Normal file
View file

@ -0,0 +1,75 @@
{{- if .Values.wellknown.enabled }}
{{- $wkName := include "matrix-synapse.externalname" (dict "root" . "external" "wellknown") -}}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ $wkName }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
app.kubernetes.io/component: wellknown
spec:
replicas: {{ .Values.wellknown.replicaCount }}
selector:
matchLabels:
{{- include "matrix-synapse.selectorLabels" . | nindent 6 }}
app.kubernetes.io/component: wellknown
template:
metadata:
annotations:
checksum/config: {{ include (print .Template.BasePath "/wellknown/configmap.yaml") . | sha256sum }}
{{- with .Values.wellknown.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "matrix-synapse.selectorLabels" . | nindent 8 }}
{{- with .Values.wellknown.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
app.kubernetes.io/component: wellknown
spec:
{{- include "matrix-synapse.imagePullSecrets" . | nindent 6 }}
securityContext:
{{- toYaml .Values.wellknown.podSecurityContext | nindent 8 }}
containers:
- name: wellknown
securityContext:
{{- toYaml .Values.wellknown.securityContext | nindent 12 }}
{{- with .Values.wellknown.image }}
image: "{{ coalesce $.Values.global.image.registry .registry }}/{{ .repository }}:{{ .tag }}"
imagePullPolicy: {{ coalesce $.Values.global.image.pullPolicy .pullPolicy }}
{{- end }}
ports:
- containerPort: {{ .Values.wellknown.containerPort }}
name: http
protocol: TCP
livenessProbe:
httpGet:
path: /
port: http
readinessProbe:
httpGet:
path: /
port: http
resources:
{{- toYaml .Values.wellknown.resources | nindent 12 }}
volumeMounts:
- name: "data"
mountPath: "/usr/share/nginx/html/.well-known/matrix/"
{{- with .Values.wellknown.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.wellknown.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.wellknown.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: "data"
configMap:
name: {{ $wkName }}
{{- end }}

20
matrix-synapse/templates/wellknown/service.yaml Normal file
View file

@ -0,0 +1,20 @@
{{- if .Values.wellknown.enabled }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ include "matrix-synapse.externalname" (dict "root" . "external" "wellknown") }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
app.kubernetes.io/component: wellknown
spec:
type: {{ .Values.wellknown.service.type | default "ClusterIP" }}
ports:
- port: {{ .Values.wellknown.service.port | default 80 }}
targetPort: http
protocol: TCP
name: http
selector:
{{- include "matrix-synapse.selectorLabels" . | nindent 4 }}
app.kubernetes.io/component: wellknown
{{- end }}

80
matrix-synapse/templates/worker/configmap.yaml Normal file
View file

@ -0,0 +1,80 @@
{{- $any := false }}
{{- range $worker, $config := .Values.workers }}
{{- if $config.enabled }}
{{- $any = true }}
{{- end }}
{{- end }}
{{- if $any }}
{{- $wkName := include "matrix-synapse.workername" (dict "root" . "worker" "workers") -}}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ $wkName }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
data:
{{- $default := .Values.workers.default -}}
{{- range $worker, $config := .Values.workers -}}
{{- if $config.enabled -}}
{{- $name := $worker | replace "_" "-" }}
{{- $app := $config.app | default $worker }}
{{ $name }}.worker: |
worker_app: "synapse.app.{{ (not (not $config.generic)) | ternary "generic_worker" $app }}"
{{- if $config.name -}}
{{- if (gt ($config.replicaCount | int) 1) -}}
{{- fail "Replica count must be 1 if a worker has a unique name." -}}
{{- end }}
worker_name: {{ $config.name }}
{{- end }}
{{- $bindAddresses := $config.bindAddresses | default $.Values.config.bindAddresses | default (list "::") }}
worker_listeners:
- port: 9090
tls: false
bind_addresses: {{ toJson $bindAddresses }}
type: http
resources:
- names: [metrics]
compress: false
{{- if $config.listeners }}
{{- if has "replication" $config.listeners }}
{{- if not $config.name }}
{{- fail "Workers with replication listeners must have unique names." }}
{{- end }}
- port: 9093
tls: false
bind_addresses: {{ toJson $bindAddresses }}
type: http
x_forwarded: true
resources:
- names: [replication]
compress: false
{{- end }}
- port: 8083
tls: false
bind_addresses: {{ toJson $bindAddresses }}
type: http
x_forwarded: true
resources:
- names:
{{- toYaml (without $config.listeners "replication") | nindent 14 }}
compress: false
{{- end }}
worker_log_config: /synapse/config/log.yaml
{{- if $config.extraConfig }}
# Extra config
{{ toYaml $config.extraConfig | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

217
matrix-synapse/templates/worker/deployment.yaml Normal file
View file

@ -0,0 +1,217 @@
{{- $needsVolumePermissions := and .Values.volumePermissions.enabled (or .Values.persistence.enabled .Values.persistence.existingClaim) }}
{{- $default := .Values.workers.default }}
{{- range $worker, $config := .Values.workers }}
{{- if $config.enabled }}
{{- $name := $worker | replace "_" "-" }}
{{- $app := $config.app | default $worker }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "matrix-synapse.workername" (dict "root" $ "worker" $name) }}
labels:
{{- include "matrix-synapse.labels" $ | nindent 4 }}
app.kubernetes.io/component: {{ $name }}
spec:
replicas: {{ $config.replicaCount | default $default.replicaCount }}
{{- with ($config.strategy | default $default.strategy) }}
strategy:
{{- toYaml . | nindent 4 }}
{{- end }}
selector:
matchLabels:
{{- include "matrix-synapse.selectorLabels" $ | nindent 6 }}
app.kubernetes.io/component: {{ $name }}
template:
metadata:
annotations:
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") $ | sha256sum }}
checksum/worker-config: {{ include (print $.Template.BasePath "/worker/configmap.yaml") $ | sha256sum }}
checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") $ | sha256sum }}
{{- with ($config.annotations | default $default.annotations) }}
{{ . | toYaml | nindent 8 }}
{{- end }}
labels:
{{- include "matrix-synapse.selectorLabels" $ | nindent 8 }}
app.kubernetes.io/component: {{ $name }}
{{- with ($config.labels | default $default.labels) }}
{{ . | toYaml | nindent 8 }}
{{- end }}
spec:
serviceAccountName: {{ include "matrix-synapse.serviceAccountName" $ }}
{{- include "matrix-synapse.imagePullSecrets" $ | nindent 6 }}
securityContext:
{{- $config.podSecurityContext | default $default.podSecurityContext | toYaml | nindent 8 }}
{{- if and $needsVolumePermissions (eq $name "media-repository") }}
initContainers:
- name: volume-permissions
{{- with $.Values.volumePermissions.image }}
image: "{{ coalesce $.Values.global.image.registry .registry }}/{{ .repository }}:{{ .tag }}"
imagePullPolicy: {{ coalesce $.Values.global.image.pullPolicy .pullPolicy }}
{{- end }}
command:
- sh
- -c
- |
chown {{ $.Values.volumePermissions.uid }}:{{ $.Values.volumePermissions.gid }} -R /synapse/data
securityContext:
runAsNonRoot: false
runAsUser: 0
resources: {{ $.Values.volumePermissions.resources | toYaml | nindent 12 }}
volumeMounts:
- name: media
mountPath: /synapse/data
{{- end }}
containers:
- name: {{ $name }}
command:
- sh
- -c
- |
cat /synapse/secrets/*.yaml | \
sed -e "s/@@POSTGRES_PASSWORD@@/${POSTGRES_PASSWORD:-}/" \
-e "s/@@REDIS_PASSWORD@@/${REDIS_PASSWORD:-}/" \
> /synapse/config/conf.d/secrets.yaml
{{- if (or $config.extraCommands $default.extraCommands) }}
{{- with $config.extraCommands | default $default.extraCommands }}
{{ range . }}
{{ . | nindent 14 }}
{{- end }}
{{- end }}
{{- end }}
exec python -B -m synapse.app.{{ (not (not $config.generic)) | ternary "generic_worker" $app }} \
-c /synapse/config/homeserver.yaml \
-c /synapse/config/conf.d/ \
-c /synapse/config/{{ $name }}.worker
env:
{{- if or $.Values.postgresql.enabled $.Values.externalPostgresql.existingSecret }}
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
{{- if $.Values.postgresql.enabled }}
name: {{ $.Values.postgresql.existingSecret | default (include "matrix-synapse.postgresql.fullname" $) }}
key: password
{{- else }}
name: {{ $.Values.externalPostgresql.existingSecret }}
key: {{ $.Values.externalPostgresql.existingSecretPasswordKey }}
{{- end }}
{{- end }}
{{- if or (and $.Values.redis.enabled (default $.Values.redis.usePassword true)) $.Values.externalRedis.existingSecret }}
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
{{- if $.Values.redis.enabled }}
name: {{ $.Values.redis.auth.existingSecret | default (include "matrix-synapse.redis.fullname" $) }}
key: redis-password
{{- else }}
name: {{ $.Values.externalRedis.existingSecret }}
key: {{ $.Values.externalRedis.existingSecretPasswordKey }}
{{- end -}}
{{- end }}
{{- with $config.extraEnv | default $default.extraEnv }}
{{- . | toYaml | nindent 12 }}
{{- end }}
securityContext:
{{- $config.securityContext | default $default.securityContext | toYaml | nindent 12 }}
{{- with $.Values.image }}
image: "{{ coalesce $.Values.global.image.registry .registry }}/{{ .repository }}:{{ .tag | default (printf "v%s" $.Chart.AppVersion) }}"
imagePullPolicy: {{ coalesce $.Values.global.image.pullPolicy .pullPolicy }}
{{- end }}
ports:
- name: metrics
containerPort: 9090
protocol: TCP
{{- if $config.listeners }}
- name: listener
containerPort: 8083
protocol: TCP
{{- if has "replication" $config.listeners }}
- name: replication
containerPort: 9093
protocol: TCP
{{- end }}
{{- if (or $config.readinessProbe $default.readinessProbe) }}
readinessProbe:
{{- $config.readinessProbe | default $default.readinessProbe | toYaml | nindent 12 }}
{{- end }}
{{- end }}
{{- if (or $config.livenessProbe $default.livenessProbe) }}
livenessProbe:
{{- $config.livenessProbe | default $default.livenessProbe | toYaml | nindent 12 }}
{{- end }}
{{- if (or $config.startupProbe $default.startupProbe) }}
startupProbe:
{{- $config.startupProbe | default $default.startupProbe | toYaml | nindent 12 }}
{{- end }}
resources:
{{- $config.resources | default $default.resources | toYaml | nindent 12 }}
volumeMounts:
- name: config
mountPath: /synapse/config/homeserver.yaml
subPath: homeserver.yaml
- name: config
mountPath: /synapse/config/log.yaml
subPath: log.yaml
- name: worker-config
mountPath: /synapse/config/{{ $name }}.worker
subPath: {{ $name }}.worker
- name: tmpconf
mountPath: /synapse/config/conf.d
- name: secrets
mountPath: /synapse/secrets
- name: signingkey
mountPath: /synapse/keys
{{- if eq $name "media-repository" }}
- name: media
mountPath: /synapse/data
{{- end }}
{{- with $config.volumeMounts | default $default.volumeMounts }}
{{ . | toYaml | nindent 12 }}
{{- end }}
{{- with $config.nodeSelector | default $default.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $config.affinity | default $default.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $config.tolerations | default $default.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: config
configMap:
name: {{ include "matrix-synapse.fullname" $ }}
- name: worker-config
configMap:
name: {{ include "matrix-synapse.workername" (dict "root" $ "worker" "workers") }}
- name: secrets
secret:
secretName: {{ include "matrix-synapse.fullname" $ }}
- name: signingkey
secret:
secretName: {{ $.Values.signingkey.existingSecret | default (include "matrix-synapse.workername" (dict "root" $ "worker" "signingkey")) | quote }}
items:
- key: {{ $.Values.signingkey.existingSecretKey | default "signing.key" | quote }}
path: signing.key
- name: tmpconf
emptyDir: {}
{{- if eq $name "media-repository" }}
- name: media
{{- if $.Values.persistence.enabled }}
persistentVolumeClaim:
claimName: {{ $.Values.persistence.existingClaim | default (include "matrix-synapse.fullname" $) }}
{{- else }}
emptyDir: {}
{{- end }}
{{- end }}
{{- with $config.volumes | default $default.volumes }}
{{ . | toYaml | nindent 8 }}
{{- end }}
{{- end }}
{{- end }}

913
matrix-synapse/values.yaml Normal file
View file

@ -0,0 +1,913 @@
---
global:
image:
# -- if set it will overwrite all registry entries
registry:
# -- if set it will overwrite all pullPolicy
pullPolicy:
image:
registry: ghcr.io
repository: element-hq/synapse
# -- Overrides the image tag whose default is the chart appVersion.
tag:
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
##
# pullSecrets:
# - myRegistryKeySecretName
# -- Override part of the installed name, will still keep release name.
nameOverride:
# -- Override the full name of the installed chart.
fullnameOverride:
# -- The Matrix domain name, this is what will be used for the domain part in your MXIDs.
serverName:
# -- The public Matrix server name, this will be used for any public URLs in config as well as for client API links in the ingress.
publicServerName:
## The source of the signing key used by Synapse in federation.
##
signingkey:
## Enable a Kubernetes job to generate and store a signing key if one does not
## exist.
## If you have already run a Matrix server at some point on your domain then
## you will want to keep the old signing key, either by using the `existingSecret`
## configuration, or by including the old key under `extraConfig.old_signing_keys`
##
## If you lose your signing key then any federation traffic from your instance
## might not be trusted any more by the wider network.
##
## After the initial install, the job should be disabled to speed up subsequent upgrades.
##
job:
enabled: true
## Annotations to apply to the signing-key-job.
##
annotations: {}
publishImage:
registry: docker.io
repository: bitnami/kubectl
tag: latest
pullPolicy: IfNotPresent
## Specify an existing signing key secret, will need to be created in advance.
##
# existingSecret: secret-name
# existingSecretKey: signing.key
## Resources to apply to the signing key generation job
##
resources: {}
# limits:
# cpu: 100m
# memory: 250Mi
# requests:
# cpu: 100m
# memory: 250Mi
## Matrix configuration values that affect other parts of the chart, for any
## value not handled by this block, you will want to instead set it in
## extraConfig below.
## Ref: https://github.com/matrix-org/synapse/blob/develop/docs/sample_config.yaml
##
config:
## The publicly accessible URL for the Synapse instance, will default to
## https://<publicServerName>.
##
# publicBaseurl: 'https://matrix.example.com'
## The log level for Synapse and all modules.
##
# logLevel: INFO
## Should usage stats be reported
##
reportStats: false
## Protect registration with recaptcha. (optional)
##
# recaptcha:
# publicKey: ''
# privateKey: ''
## URIs and secret key for TURN servers to use to help establish 1:1 WebRTC
## calls.
##
# turnUris: []
# turnSecret: ''
## Registration configuration, note that registration with the
## container-internal register_new_matrix_user tool is always possible.
##
# enableRegistration: false
## NB; this value will default to a random string if not specified.
# registrationSharedSecret: ''
## NB; Strongly recommended to set this to a secure value.
# macaroonSecretKey: ''
# -- A set of trusted servers to contact if another server doesn't respond to a signing key request.
trustedKeyServers:
- server_name: matrix.org
# verify_keys:
# "ed25519:auto": "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"
# -- The bind addresses to use for the default listeners
bindAddresses:
- '::'
## Extra listeners to configure.
##
extraListeners: []
# - port: 9000
# bind_addresses: ['::']
# type: manhole
## Extra listener types to add onto the main listener.
##
extraMainListenerTypes: []
# - consent
## Logging
# use TerseJsonFormatter structured logging
# Ref: https://matrix-org.github.io/synapse/latest/structured_logging.html
useStructuredLogging: false
## Specify arbitrary Synapse configuration here;
## Ref: https://github.com/matrix-org/synapse/blob/develop/docs/sample_config.yaml
##
extraConfig: {}
# old_signing_keys:
# "ed25519:id": { key: "base64string", expired_ts: 123456789123 }
# use_presence: false
# enable_search: false
# federation_domain_whitelist:
# - lon.example.com
# - nyc.example.com
# - syd.example.com
# dynamic_thumbnails: true
## Specify additional loggers configutation here;
## Ref: https://matrix-org.github.io/synapse/latest/structured_logging.html
extraLoggers: {}
# synapse.storage.SQL:
# level: WARNING
## Specify arbitrary - secret - Synapse configuration here;
## These values will be stored in secrets instead of configmaps
## Ref: https://github.com/matrix-org/synapse/blob/develop/docs/sample_config.yaml
##
extraSecrets: {}
# password_config:
# pepper: ''
## Configuration to apply to the main Synapse pod.
##
synapse:
## Only really applicable when the deployment has an RWO PV attached (e.g. when media repository
## is enabled for the main Synapse pod)
## Since replicas = 1, an update can get "stuck", as the previous pod remains attached to the
## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will
## terminate the single previous pod, so that the new, incoming pod can attach to the PV
##
strategy:
type: RollingUpdate
## Annotations to apply to the main Synapse pod.
##
annotations: {}
# prometheus.io/scrape: "true"
# prometheus.io/path: "/_synapse/metrics"
# prometheus.io/port: "9090"
## Labels to apply to the main Synapse pod.
##
labels: {}
## Additional environment variables to apply to the main Synapse pod
##
extraEnv: []
# - name: LD_PRELOAD
# value: /usr/lib/x86_64-linux-gnu/libjemalloc.so.2
# - name: SYNAPSE_CACHE_FACTOR
# value: "2"
## Additional volumes to mount into Synapse
##
extraVolumes: []
# - name: spamcheck
# flexVolume:
# driver: ananace/git-live
# options:
# repo: https://github.com/company/synapse-module
# interval: 1d
# readOnly: true
extraVolumeMounts: []
# - name: spamcheck
# mountPath: /usr/local/lib/python3.7/site-packages/company
## Extra commands to run when starting Synapse
##
extraCommands: []
# - 'apt-get update -yqq && apt-get install patch -yqq'
# - 'patch -d/usr/local/lib/python3.7/site-packages/synapse -p2 < /synapse/patches/something.patch'
## Configuration for the pod security policy, Synapse will by always run as
## its own user, even if not set.
## Note that changing this may also require you to use the volumePermission
## helper depending on your storage.
##
## NB; The synapse install is currently unable to run as anything but UID:GID
## 666:666.
##
podSecurityContext: {}
# fsGroup: 666
# runAsGroup: 666
# runAsUser: 666
## Configuration for the container security policy, refer to the above
## podSecurityContext for more relevant information.
##
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 666
## Resources to apply to the main Synapse pod.
##
resources: {}
# limits:
# cpu: 1000m
# memory: 2500Mi
# requests:
# cpu: 1000m
# memory: 2500Mi
## Liveness probe configuration to use
##
livenessProbe:
httpGet:
path: /health
port: http
## Readiness probe configuration to use
##
readinessProbe:
httpGet:
path: /health
port: http
## Startup probe configuration to use
##
startupProbe:
failureThreshold: 12
httpGet:
path: /health
port: http
## Node selectors to set for the main Synapse pod.
##
nodeSelector: {}
## Tolerations to set for the main Synapse pod.
##
tolerations: []
## Affinity to set for the main Synapse pod.
##
affinity: {}
## Configuration for handling Synapse workers, which are useful for handling
## high-load deployments.
##
## More information is available at;
## https://github.com/matrix-org/synapse/blob/master/docs/workers.md
##
workers:
## Default configuration, this is inherited into all workers, and can also be
## overriden on each worker type.
##
default:
## The number of worker replicas, note that some workers require special
## handling. Refer to the information URL above.
##
replicaCount: 1
## Update strategy - only really applicable for deployments with RWO PVs attached (e.g. media repository)
## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the
## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will
## terminate the single previous pod, so that the new, incoming pod can attach to the PV
##
strategy:
type: RollingUpdate
## A specific name for this worker, can't be set globally.
## Note that this can only be set when replicaCount is 1
# name:
## Additional configuration to set for the worker, can't be set globally.
# extraConfig: {}
## Annotations to apply to the worker.
##
annotations: {}
# prometheus.io/scrape: "true"
# prometheus.io/path: /_synapse/metrics
# prometheus.io/port: 9090
## Additional environment variables to add to the worker.
##
extraEnv: []
# - name: LD_PRELOAD
# value: /usr/lib/x86_64-linux-gnu/libjemalloc.so.2
# - name: SYNAPSE_CACHE_FACTOR
# value: "1.0"
## Additional volumes to add to the worker.
## Useful for the media repo, or for adding Python modules.
##
volumes: []
volumeMounts: []
## Extra commands to run when starting Synapse
##
extraCommands: []
# - 'apt-get update -yqq && apt-get install patch -yqq'
# - 'patch -d/usr/local/lib/python3.7/site-packages/synapse -p2 < /synapse/patches/something.patch'
## Security context information to set to the worker.
##
podSecurityContext: {}
# fsGroup: 666
# runAsGroup: 666
# runAsUser: 666
## Container security context information to set to the worker.
##
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 666
## Resources to apply to the worker.
##
resources: {}
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
## Liveness probe configuration to use
##
livenessProbe:
httpGet:
path: /health
port: metrics
## Readiness probe configuration to use
##
readinessProbe:
httpGet:
path: /health
port: metrics
## Readiness probe configuration to use
## Defaults to allowing workers 60 seconds to start up
##
startupProbe:
failureThreshold: 6
httpGet:
path: /health
port: metrics
## Node selector configuration to set on the worker.
##
nodeSelector: {}
## Toleration configuration to set on the worker.
##
tolerations: []
## Affinity configuration to set on the worker.
##
affinity: {}
## The generic worker can be used to handle most endpoints.
## Be careful when enabling the sync endpoints as they can eat large amounts of
## resources. Refer to the information URL above for more info.
## Proper load balancing with the K8s Ingress resource may not be possible.
##
generic_worker:
enabled: false
generic: true
listeners: [client, federation]
csPaths:
## Sync requests
# - "/_matrix/client/(r0|v3)/sync$"
- "/_matrix/client/(api/v1|r0|v3)/events$"
# - "/_matrix/client/(api/v1|r0|v3)/initialSync$"
# - "/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$"
## Client API requests
- "/_matrix/client/(api/v1|r0|v3|unstable)/createRoom$"
- "/_matrix/client/(api/v1|r0|v3|unstable)/publicRooms$"
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/joined_members$"
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/context/"
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/members$"
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state$"
- "/_matrix/client/v1/rooms/.*/hierarchy$"
- "/_matrix/client/unstable/org.matrix.msc2716/rooms/.*/batch_send$"
- "/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$"
- "/_matrix/client/(r0|v3|unstable)/account/3pid$"
- "/_matrix/client/(r0|v3|unstable)/account/whoami$"
- "/_matrix/client/(r0|v3|unstable)/devices$"
- "/_matrix/client/versions$"
- "/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer$"
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/event/"
- "/_matrix/client/(api/v1|r0|v3|unstable)/joined_rooms$"
- "/_matrix/client/(api/v1|r0|v3|unstable)/search$"
## Encryption requests
- "/_matrix/client/(r0|v3|unstable)/keys/query$"
- "/_matrix/client/(r0|v3|unstable)/keys/changes$"
- "/_matrix/client/(r0|v3|unstable)/keys/claim$"
- "/_matrix/client/(r0|v3|unstable)/room_keys/"
## Registration/login requests
- "/_matrix/client/(api/v1|r0|v3|unstable)/login$"
- "/_matrix/client/(r0|v3|unstable)/register$"
- "/_matrix/client/v1/register/m.login.registration_token/validity$"
## Event sending requests
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/redact"
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/send"
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state/"
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$"
- "/_matrix/client/(api/v1|r0|v3|unstable)/join/"
- "/_matrix/client/(api/v1|r0|v3|unstable)/profile/"
## User directory search requests
- "/_matrix/client/(r0|v3|unstable)/user_directory/search"
## Worker event streams
## See https://matrix-org.github.io/synapse/latest/workers.html#stream-writers
##
## The typing event stream
# - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/typing"
## The to_device event stream
# - "/_matrix/client/(r0|v3|unstable)/sendToDevice/"
## The account_data event stream
# - "/_matrix/client/(r0|v3|unstable)/.*/tags"
# - "/_matrix/client/(r0|v3|unstable)/.*/account_data"
## The receipts event stream
# - "/_matrix/client/(r0|v3|unstable)/rooms/.*/receipt"
# - "/_matrix/client/(r0|v3|unstable)/rooms/.*/read_markers"
## The presence event stream
# - "/_matrix/client/(api/v1|r0|v3|unstable)/presence/"
paths:
## Federation requests
- "/_matrix/federation/v1/event/"
- "/_matrix/federation/v1/state/"
- "/_matrix/federation/v1/state_ids/"
- "/_matrix/federation/v1/backfill/"
- "/_matrix/federation/v1/get_missing_events/"
- "/_matrix/federation/v1/publicRooms"
- "/_matrix/federation/v1/query/"
- "/_matrix/federation/v1/make_join/"
- "/_matrix/federation/v1/make_leave/"
- "/_matrix/federation/(v1|v2)/send_join/"
- "/_matrix/federation/(v1|v2)/send_leave/"
- "/_matrix/federation/(v1|v2)/invite/"
- "/_matrix/federation/v1/event_auth/"
- "/_matrix/federation/v1/exchange_third_party_invite/"
- "/_matrix/federation/v1/user/devices/"
- "/_matrix/key/v2/query"
- "/_matrix/federation/v1/hierarchy/"
## Inbound federation transaction request
- "/_matrix/federation/v1/send/"
## To separate the generic worker into specific concerns - for example federation transaction receiving;
## NB; This worker should have incoming traffic routed based on source IP, which is
## left as an exercise to the reader.
## https://github.com/matrix-org/synapse/blob/develop/docs/workers.md#load-balancing
# federation_reader:
# enabled: true
# generic: true
# listeners: [federation]
# paths:
# - "/_matrix/federation/v1/send/"
## Or /sync handling.
## NB; Care should be taken to route users to the same instance when scaling this worker,
## this is left as an exercise to the reader.
## https://github.com/matrix-org/synapse/blob/develop/docs/workers.md#load-balancing
# synchrotron:
# enabled: true
# generic: true
# listeners: [client]
# csPaths:
# - "/_matrix/client/(v2_alpha|r0|v3)/sync$"
# - "/_matrix/client/(api/v1|v2_alpha|r0|v3)/events$"
# - "/_matrix/client/(api/v1|r0|v3)/initialSync$"
# - "/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$"
## Specialized - non-generic workers below;
## This worker deals with pushing notifications.
## NB; Only one instance of this worker can be run at a time, refer to the
## information URL above.
##
pusher:
enabled: false
## This worker handles sending data to registered appservices.
## NB; Only one instance of this worker can be run at at time, refer to the
## information URL above.
##
appservice:
enabled: false
generic: true
name: appservices
## This worker handles sending federation traffic to other Synapse servers.
##
federation_sender:
enabled: false
## Specialized workers can also be run as multiple separate instances,
## make sure to read the relevant documentation.
##
# federation_sender_other:
# app: federation_sender
# enabled: false
## This worker deals with serving and storing media.
## NB; Running multiple instances will conflict with background jobs.
##
media_repository:
enabled: false
listeners: [media]
csPaths:
- "/_matrix/media/.*"
- "/_synapse/admin/v1/purge_media_cache$"
- "/_synapse/admin/v1/room/.*/media"
- "/_synapse/admin/v1/user/.*/media"
- "/_synapse/admin/v1/media/"
- "/_synapse/admin/v1/quarantine_media/"
- "/_synapse/admin/v1/users/.*/media$"
paths:
- "/_matrix/media/.*"
## This worker deals with user directory searches.
##
user_dir:
enabled: false
name: userdir
listeners: [client]
csPaths:
- "/_matrix/client/(api/v1|r0|v3|unstable)/user_directory/search$"
## This worker handles key uploads, and may also stub out presence if that is
## disabled. If you set extraConfig.use_presence=false then you may want to
## uncomment the second path.
##
frontend_proxy:
enabled: false
listeners: [client]
csPaths:
- "/_matrix/client/(api/v1|r0|v3|unstable)/keys/upload"
# - "/_matrix/client/(api/v1|r0|v3|unstable)/presence/[^/]+/status"
## This will set up a Lighttpd server to respond to any
## /.well-known/matrix/server requests, to make federation possible without
## adding SRV-records to DNS.
##
wellknown:
enabled: false
image:
registry: docker.io
repository: library/nginx
tag: 1.25.3
pullPolicy: IfNotPresent
replicaCount: 1
podLabels: {}
podAnnotations: []
podSecurityContext: {}
securityContext: {}
containerPort: 80
env: []
resources: {}
nodeSelector: {}
tolerations: []
affinity: {}
service:
type: ClusterIP
port: 8080
annotations: {}
# -- The host and port combo to serve on .well-known/matrix/server.
# m.server: matrix.example.com:443
server: {}
# -- Data to serve on .well-known/matrix/client.
# m.homeserver:
# base_url: https://matrix.example.com
client: {}
## This configuration is for setting up the internally provided Postgres server,
## if you instead want to use an existing server, then you may want to set
## enabled to false and configure the externalPostgresql block.
##
postgresql:
enabled: true
auth:
# XXX Change me!
password: synapse
## Or use existing secret with "password" key
## instead of static password
##
# existingSecret: postgresql-secret
username: synapse
database: synapse
primary:
initdb:
args: "--lc-collate=C --lc-ctype=C"
persistence:
# storageClass: "-"
size: 16Gi
# -- set extra configuration
# ref: https://github.com/matrix-org/synapse/blob/develop/docs/postgres.md#synapse-config
# e.g. txn_limit, allow_unsafe_locale
options: {}
# -- Extra arguments for the database connection
# ref: https://github.com/matrix-org/synapse/blob/develop/docs/postgres.md#synapse-config
extraArgs: {}
## An externally configured Postgres server to use for Synapse's database, note
## that the database needs to have both COLLATE and CTYPE set to "C".
##
externalPostgresql:
# host: postgres
port: 5432
username: synapse
# password: synapse
## The name of an existing secret with postgresql credentials
# existingSecret: postgres-secrets
## Password key to be retrieved from existing secret
# existingSecretPasswordKey: postgres-password
database: synapse
# sslmode: prefer
# -- set extra configuration
# ref: https://github.com/matrix-org/synapse/blob/develop/docs/postgres.md#synapse-config
# e.g. txn_limit, allow_unsafe_locale
options: {}
# -- Extra arguments for the database connection
# ref: https://github.com/matrix-org/synapse/blob/develop/docs/postgres.md#synapse-config
extraArgs: {}
## This configuration is for the internal Redis that's deployed for use with
## workers/sharding, for an external Redis server you want to set enabled to
## false and configure the externalRedis block.
##
redis:
enabled: true
## Database ID for non-default database
# dbid: 0
auth:
enabled: true
# XXX Change me!
password: synapse
## Or use existing secret with "redis-password" key
## instead of static password
##
# existingSecret: redis-secret
architecture: standalone
master:
kind: Deployment
persistence:
## Note that Synapse only uses redis as a synchronization utility, so no
## data will ever need to be persisted.
##
enabled: false
service:
port: 6379
## An externally configured Redis server to use for workers/sharding.
##
externalRedis:
# host: redis
port: 6379
# password: synapse
## Database ID for non-default database
# dbid: 0
## The name of an existing secret with redis credentials
# existingSecret: redis-secrets
## Password key to be retrieved from existing secret
# existingSecretPasswordKey: redis-password
## Persistence configuration for the media repository function.
## This PVC will be mounted in either Synapse or a media_repo worker.
##
## NB; If you want to be able to scale this, you will have to set the
## accessMode to RWX/ReadWriteMany.
##
persistence:
enabled: true
# existingClaim: synapse-data
# storageClass: "-"
accessMode: ReadWriteOnce
size: 10Gi
## Set up an init container to chown the mounted media if necessary.
##
volumePermissions:
enabled: false
uid: 666
gid: 666
image:
registry: docker.io
repository: library/alpine
tag: 3.19.1
pullPolicy: Always
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
##
# pullSecrets:
# - myRegistryKeySecretName
resources: {}
# resources:
# requests:
# memory: 128Mi
# cpu: 100m
## Configuration for the main Synapse service.
## To use TLS inside Synapse itself, add an TLS listener, and change the ports
## configured in here.
##
service:
type: ClusterIP
port: 8008
targetPort: http
## The K8s ingress configuration, this will be quite heavily used in order to
## set up all routing necessary for use with a sharded Synapse instance.
## If you're not using a Ingress compatible K8s ingress, you will need to set up
## your own routing instead.
##
ingress:
enabled: true
## Generate traefik-compatible regex paths instead of nginx-compatible ones.
##
traefikPaths: false
## Annotations to apply to the created ingress resource.
##
annotations: {}
# nginx.ingress.kubernetes.io/use-regex: "true"
# # Sync proxy-body-size with Synapse's max_upload_size which is 10M by default
# nginx.ingress.kubernetes.io/proxy-body-size: 10m
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
## Hosts to add to the ingress configuration for handling Client-to-Server
## API request paths.
##
## NB; config.serverName is included if includeServerName is set. (default)
##
csHosts: []
# - matrix.example.com
## Additional hosts to add to the ingress configuration for handling
## Server-to-Server API requests.
##
## NB; config.serverName is included if includeServerName is set. (default)
##
hosts: []
# - example.com
## Additional hosts to add to the ingress configuration for handling
## well-known requests.
##
## NB; config.serverName is included if includeServerName is set. (default)
##
wkHosts: []
# - example.com
## Additional paths to add to the Server-to-Server ingress blocks, will be
## inserted before the /_matrix catch-all path.
##
paths: []
# # K8s 1.19+
# - path: /_matrix/media
# pathType: Prefix
# backend:
# service:
# name: matrix-media-repo
# port: 8000
# # K8s <1.19
# - path: /_matrix/media
# backend:
# serviceName: matrix-media-repo
# servicePort: 8000
## Additional paths to add to the Client-to-Server ingress blocks, will be
## inserted before the /_matrix and /_synapse catch-all paths.
##
csPaths: []
# # K8s 1.19+
# - path: /_matrix/media
# pathType: Prefix
# backend:
# service:
# name: matrix-media-repo
# port:
# number: 8000
# # K8s <1.19
# - path: /_matrix/media
# backend:
# serviceName: matrix-media-repo
# servicePort: 8000
## Should the /_synapse path be included in the ingress, admin APIs are
## provided under this path.
##
includeUnderscoreSynapse: true
## Should config.serverName be included in the list of ingress paths, can be
## set to false if the main domain is managed in some external way.
##
includeServerName: true
## TLS configuration to include in the ingress configuration
##
tls: []
# - secretName: chart-example-tls
# hosts:
# - example.com
# - matrix.example.com
## Set the name of the IngressClass cluster resource (optional)
## https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressSpec
# className: can-be-anything
## Specifies whether a service account should be created, and annotations to add.
##
serviceAccount:
create: false
annotations: {}
# eks.amazonaws.com/role-arn: arn:aws:iam::000000000000:role/matrix-synapse
# name: non-default-service-name