diff --git a/docs/modules/charts/nav.adoc b/docs/modules/charts/nav.adoc
index 4a3096f..b8955e4 100644
--- a/docs/modules/charts/nav.adoc
+++ b/docs/modules/charts/nav.adoc
@@ -10,6 +10,7 @@
 ** xref:headscale-ui.adoc[headscale-ui]
 ** xref:hydrogen-web.adoc[hydrogen-web]
 ** xref:jellyfin.adoc[jellyfin]
+** xref:matrix-synapse.adoc[matrix-synapse]
 ** xref:miniserve.adoc[miniserve]
 ** xref:monitoring.adoc[monitoring]
 ** xref:ntfy.adoc[ntfy]
diff --git a/docs/modules/charts/pages/matrix-synapse.adoc b/docs/modules/charts/pages/matrix-synapse.adoc
new file mode 120000
index 0000000..88889a5
--- /dev/null
+++ b/docs/modules/charts/pages/matrix-synapse.adoc
@@ -0,0 +1 @@
+../../../../matrix-synapse/README.adoc
\ No newline at end of file
diff --git a/matrix-synapse/.gitignore b/matrix-synapse/.gitignore
new file mode 100644
index 0000000..31014c3
--- /dev/null
+++ b/matrix-synapse/.gitignore
@@ -0,0 +1,2 @@
+charts/*.tgz
+values_test.yaml
diff --git a/matrix-synapse/.helmignore b/matrix-synapse/.helmignore
new file mode 100644
index 0000000..50af031
--- /dev/null
+++ b/matrix-synapse/.helmignore
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/matrix-synapse/Chart.lock b/matrix-synapse/Chart.lock
new file mode 100644
index 0000000..6e763f7
--- /dev/null
+++ b/matrix-synapse/Chart.lock
@@ -0,0 +1,9 @@
+dependencies:
+- name: postgresql
+  repository: https://charts.bitnami.com/bitnami
+  version: 12.12.10
+- name: redis
+  repository: https://charts.bitnami.com/bitnami
+  version: 17.17.1
+digest: sha256:dcac7ce7b24d359b39fbfe093b8be525d995d3799fbb0a9752858980a51f8600
+generated: "2024-02-11T23:16:42.94262676+01:00"
diff --git a/matrix-synapse/Chart.yaml b/matrix-synapse/Chart.yaml
new file mode 100644
index 0000000..bffea16
--- /dev/null
+++ b/matrix-synapse/Chart.yaml
@@ -0,0 +1,22 @@
+---
+apiVersion: v2
+name: matrix-synapse
+description: Matrix reference homeserver
+icon: https://matrix.org/images/matrix-logo.svg
+type: application
+version: 0.0.1
+# renovate: image=ghcr.io/element-hq/synapse
+appVersion: 1.100.0
+maintainers:
+  - name: WrenIX
+    url: https://wrenix.eu
+
+dependencies:
+  - name: postgresql
+    version: ^12.1.4
+    repository: https://charts.bitnami.com/bitnami
+    condition: postgresql.enabled
+  - name: redis
+    version: ^17.3.17
+    repository: https://charts.bitnami.com/bitnami
+    condition: redis.enabled
diff --git a/matrix-synapse/README.adoc b/matrix-synapse/README.adoc
new file mode 100644
index 0000000..80da021
--- /dev/null
+++ b/matrix-synapse/README.adoc
@@ -0,0 +1,1106 @@ + + += matrix-synapse + +image::https://img.shields.io/badge/Version-0.0.1-informational?style=flat-square[Version: 0.0.1] +image::https://img.shields.io/badge/Version-application-informational?style=flat-square[Type: application] +image::https://img.shields.io/badge/AppVersion-1.100.0-informational?style=flat-square[AppVersion: 1.100.0] +== Maintainers + +.Maintainers +|=== +| Name | Email | Url + +| WrenIX +| +| +|=== + +== Usage + +Helm must be installed and setup to your kubernetes cluster to use the charts. +Refer to Helm's https://helm.sh/docs[documentation] to get started. +Once Helm has been set up correctly, fetch the charts as follows: + +[source,bash] +---- +helm pull oci://codeberg.org/wrenix/helm-charts/matrix-synapse +---- + +You can install a chart release using the following command: + +[source,bash] +---- +helm install matrix-synapse-release oci://codeberg.org/wrenix/helm-charts/matrix-synapse --values values.yaml +---- + +To uninstall a chart release use `helm`'s delete command: + +[source,bash] +---- +helm uninstall matrix-synapse-release +---- + +== Values + +.Values +|=== +| Key | Type | Default | Description + +| config.bindAddresses +| list +| `["::"]` +| The bind addresses to use for the default listeners + +| config.extraListeners +| list +| `[]` +| + +| config.extraMainListenerTypes +| list +| `[]` +| + +| config.reportStats +| bool +| `false` +| + +| config.trustedKeyServers +| list +| `[{"server_name":"matrix.org"}]` +| A set of trusted servers to contact if another server doesn't respond to a signing key request. 
+ +| config.useStructuredLogging +| bool +| `false` +| + +| externalPostgresql.database +| string +| `"synapse"` +| + +| externalPostgresql.extraArgs +| object +| `{}` +| Extra arguments for the database connection ref: https://github.com/matrix-org/synapse/blob/develop/docs/postgres.md#synapse-config + +| externalPostgresql.options +| object +| `{}` +| set extra configuration ref: https://github.com/matrix-org/synapse/blob/develop/docs/postgres.md#synapse-config e.g. txn_limit, allow_unsafe_locale + +| externalPostgresql.port +| int +| `5432` +| + +| externalPostgresql.username +| string +| `"synapse"` +| + +| externalRedis.port +| int +| `6379` +| + +| extraConfig +| object +| `{}` +| + +| extraLoggers +| object +| `{}` +| + +| extraSecrets +| object +| `{}` +| + +| fullnameOverride +| string +| `nil` +| Override the full name of the installed chart. + +| global.image.pullPolicy +| string +| `nil` +| if set it will overwrite all pullPolicy + +| global.image.registry +| string +| `nil` +| if set it will overwrite all registry entries + +| image.pullPolicy +| string +| `"IfNotPresent"` +| + +| image.registry +| string +| `"ghcr.io"` +| + +| image.repository +| string +| `"element-hq/synapse"` +| + +| image.tag +| string +| `nil` +| Overrides the image tag whose default is the chart appVersion. + +| ingress.annotations +| object +| `{}` +| + +| ingress.csHosts +| list +| `[]` +| + +| ingress.csPaths +| list +| `[]` +| + +| ingress.enabled +| bool +| `true` +| + +| ingress.hosts +| list +| `[]` +| + +| ingress.includeServerName +| bool +| `true` +| + +| ingress.includeUnderscoreSynapse +| bool +| `true` +| + +| ingress.paths +| list +| `[]` +| + +| ingress.tls +| list +| `[]` +| + +| ingress.traefikPaths +| bool +| `false` +| + +| ingress.wkHosts +| list +| `[]` +| + +| nameOverride +| string +| `nil` +| Override part of the installed name, will still keep release name. 
+ +| persistence.accessMode +| string +| `"ReadWriteOnce"` +| + +| persistence.enabled +| bool +| `true` +| + +| persistence.size +| string +| `"10Gi"` +| + +| postgresql.auth.database +| string +| `"synapse"` +| + +| postgresql.auth.password +| string +| `"synapse"` +| + +| postgresql.auth.username +| string +| `"synapse"` +| + +| postgresql.enabled +| bool +| `true` +| + +| postgresql.extraArgs +| object +| `{}` +| Extra arguments for the database connection ref: https://github.com/matrix-org/synapse/blob/develop/docs/postgres.md#synapse-config + +| postgresql.options +| object +| `{}` +| set extra configuration ref: https://github.com/matrix-org/synapse/blob/develop/docs/postgres.md#synapse-config e.g. txn_limit, allow_unsafe_locale + +| postgresql.primary.initdb.args +| string +| `"--lc-collate=C --lc-ctype=C"` +| + +| postgresql.primary.persistence.size +| string +| `"16Gi"` +| + +| publicServerName +| string +| `nil` +| The public Matrix server name, this will be used for any public URLs in config as well as for client API links in the ingress. + +| redis.architecture +| string +| `"standalone"` +| + +| redis.auth.enabled +| bool +| `true` +| + +| redis.auth.password +| string +| `"synapse"` +| + +| redis.enabled +| bool +| `true` +| + +| redis.master.kind +| string +| `"Deployment"` +| + +| redis.master.persistence.enabled +| bool +| `false` +| + +| redis.master.service.port +| int +| `6379` +| + +| serverName +| string +| `nil` +| The Matrix domain name, this is what will be used for the domain part in your MXIDs. 
+ +| service.port +| int +| `8008` +| + +| service.targetPort +| string +| `"http"` +| + +| service.type +| string +| `"ClusterIP"` +| + +| serviceAccount.annotations +| object +| `{}` +| + +| serviceAccount.create +| bool +| `false` +| + +| signingkey.job.annotations +| object +| `{}` +| + +| signingkey.job.enabled +| bool +| `true` +| + +| signingkey.job.publishImage.pullPolicy +| string +| `"IfNotPresent"` +| + +| signingkey.job.publishImage.registry +| string +| `"docker.io"` +| + +| signingkey.job.publishImage.repository +| string +| `"bitnami/kubectl"` +| + +| signingkey.job.publishImage.tag +| string +| `"latest"` +| + +| signingkey.resources +| object +| `{}` +| + +| synapse.affinity +| object +| `{}` +| + +| synapse.annotations +| object +| `{}` +| + +| synapse.extraCommands +| list +| `[]` +| + +| synapse.extraEnv +| list +| `[]` +| + +| synapse.extraVolumeMounts +| list +| `[]` +| + +| synapse.extraVolumes +| list +| `[]` +| + +| synapse.labels +| object +| `{}` +| + +| synapse.livenessProbe.httpGet.path +| string +| `"/health"` +| + +| synapse.livenessProbe.httpGet.port +| string +| `"http"` +| + +| synapse.nodeSelector +| object +| `{}` +| + +| synapse.podSecurityContext +| object +| `{}` +| + +| synapse.readinessProbe.httpGet.path +| string +| `"/health"` +| + +| synapse.readinessProbe.httpGet.port +| string +| `"http"` +| + +| synapse.resources +| object +| `{}` +| + +| synapse.securityContext +| object +| `{}` +| + +| synapse.startupProbe.failureThreshold +| int +| `12` +| + +| synapse.startupProbe.httpGet.path +| string +| `"/health"` +| + +| synapse.startupProbe.httpGet.port +| string +| `"http"` +| + +| synapse.strategy.type +| string +| `"RollingUpdate"` +| + +| synapse.tolerations +| list +| `[]` +| + +| volumePermissions.enabled +| bool +| `false` +| + +| volumePermissions.gid +| int +| `666` +| + +| volumePermissions.image.pullPolicy +| string +| `"Always"` +| + +| volumePermissions.image.registry +| string +| `"docker.io"` +| + +| 
volumePermissions.image.repository +| string +| `"library/alpine"` +| + +| volumePermissions.image.tag +| string +| `"3.19.1"` +| + +| volumePermissions.resources +| object +| `{}` +| + +| volumePermissions.uid +| int +| `666` +| + +| wellknown.affinity +| object +| `{}` +| + +| wellknown.client +| object +| `{}` +| Data to serve on .well-known/matrix/client. m.homeserver: base_url: https://matrix.example.com + +| wellknown.containerPort +| int +| `80` +| + +| wellknown.enabled +| bool +| `false` +| + +| wellknown.env +| list +| `[]` +| + +| wellknown.image.pullPolicy +| string +| `"IfNotPresent"` +| + +| wellknown.image.registry +| string +| `"docker.io"` +| + +| wellknown.image.repository +| string +| `"library/nginx"` +| + +| wellknown.image.tag +| string +| `"1.25.3"` +| + +| wellknown.nodeSelector +| object +| `{}` +| + +| wellknown.podAnnotations +| list +| `[]` +| + +| wellknown.podLabels +| object +| `{}` +| + +| wellknown.podSecurityContext +| object +| `{}` +| + +| wellknown.replicaCount +| int +| `1` +| + +| wellknown.resources +| object +| `{}` +| + +| wellknown.securityContext +| object +| `{}` +| + +| wellknown.server +| object +| `{}` +| The host and port combo to serve on .well-known/matrix/server. 
m.server: matrix.example.com:443 + +| wellknown.service.annotations +| object +| `{}` +| + +| wellknown.service.port +| int +| `8080` +| + +| wellknown.service.type +| string +| `"ClusterIP"` +| + +| wellknown.tolerations +| list +| `[]` +| + +| workers.appservice.enabled +| bool +| `false` +| + +| workers.appservice.generic +| bool +| `true` +| + +| workers.appservice.name +| string +| `"appservices"` +| + +| workers.default.affinity +| object +| `{}` +| + +| workers.default.annotations +| object +| `{}` +| + +| workers.default.extraCommands +| list +| `[]` +| + +| workers.default.extraEnv +| list +| `[]` +| + +| workers.default.livenessProbe.httpGet.path +| string +| `"/health"` +| + +| workers.default.livenessProbe.httpGet.port +| string +| `"metrics"` +| + +| workers.default.nodeSelector +| object +| `{}` +| + +| workers.default.podSecurityContext +| object +| `{}` +| + +| workers.default.readinessProbe.httpGet.path +| string +| `"/health"` +| + +| workers.default.readinessProbe.httpGet.port +| string +| `"metrics"` +| + +| workers.default.replicaCount +| int +| `1` +| + +| workers.default.resources +| object +| `{}` +| + +| workers.default.securityContext +| object +| `{}` +| + +| workers.default.startupProbe.failureThreshold +| int +| `6` +| + +| workers.default.startupProbe.httpGet.path +| string +| `"/health"` +| + +| workers.default.startupProbe.httpGet.port +| string +| `"metrics"` +| + +| workers.default.strategy.type +| string +| `"RollingUpdate"` +| + +| workers.default.tolerations +| list +| `[]` +| + +| workers.default.volumeMounts +| list +| `[]` +| + +| workers.default.volumes +| list +| `[]` +| + +| workers.federation_sender.enabled +| bool +| `false` +| + +| workers.frontend_proxy.csPaths[0] +| string +| `"/_matrix/client/(api/v1|r0|v3|unstable)/keys/upload"` +| + +| workers.frontend_proxy.enabled +| bool +| `false` +| + +| workers.frontend_proxy.listeners[0] +| string +| `"client"` +| + +| workers.generic_worker.csPaths[0] +| string +| 
`"/_matrix/client/(api/v1|r0|v3)/events$"` +| + +| workers.generic_worker.csPaths[10] +| string +| `"/_matrix/client/(r0|v3|unstable)/account/3pid$"` +| + +| workers.generic_worker.csPaths[11] +| string +| `"/_matrix/client/(r0|v3|unstable)/account/whoami$"` +| + +| workers.generic_worker.csPaths[12] +| string +| `"/_matrix/client/(r0|v3|unstable)/devices$"` +| + +| workers.generic_worker.csPaths[13] +| string +| `"/_matrix/client/versions$"` +| + +| workers.generic_worker.csPaths[14] +| string +| `"/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer$"` +| + +| workers.generic_worker.csPaths[15] +| string +| `"/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/event/"` +| + +| workers.generic_worker.csPaths[16] +| string +| `"/_matrix/client/(api/v1|r0|v3|unstable)/joined_rooms$"` +| + +| workers.generic_worker.csPaths[17] +| string +| `"/_matrix/client/(api/v1|r0|v3|unstable)/search$"` +| + +| workers.generic_worker.csPaths[18] +| string +| `"/_matrix/client/(r0|v3|unstable)/keys/query$"` +| + +| workers.generic_worker.csPaths[19] +| string +| `"/_matrix/client/(r0|v3|unstable)/keys/changes$"` +| + +| workers.generic_worker.csPaths[1] +| string +| `"/_matrix/client/(api/v1|r0|v3|unstable)/createRoom$"` +| + +| workers.generic_worker.csPaths[20] +| string +| `"/_matrix/client/(r0|v3|unstable)/keys/claim$"` +| + +| workers.generic_worker.csPaths[21] +| string +| `"/_matrix/client/(r0|v3|unstable)/room_keys/"` +| + +| workers.generic_worker.csPaths[22] +| string +| `"/_matrix/client/(api/v1|r0|v3|unstable)/login$"` +| + +| workers.generic_worker.csPaths[23] +| string +| `"/_matrix/client/(r0|v3|unstable)/register$"` +| + +| workers.generic_worker.csPaths[24] +| string +| `"/_matrix/client/v1/register/m.login.registration_token/validity$"` +| + +| workers.generic_worker.csPaths[25] +| string +| `"/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/redact"` +| + +| workers.generic_worker.csPaths[26] +| string +| `"/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/send"` 
+| + +| workers.generic_worker.csPaths[27] +| string +| `"/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state/"` +| + +| workers.generic_worker.csPaths[28] +| string +| `"/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$"` +| + +| workers.generic_worker.csPaths[29] +| string +| `"/_matrix/client/(api/v1|r0|v3|unstable)/join/"` +| + +| workers.generic_worker.csPaths[2] +| string +| `"/_matrix/client/(api/v1|r0|v3|unstable)/publicRooms$"` +| + +| workers.generic_worker.csPaths[30] +| string +| `"/_matrix/client/(api/v1|r0|v3|unstable)/profile/"` +| + +| workers.generic_worker.csPaths[31] +| string +| `"/_matrix/client/(r0|v3|unstable)/user_directory/search"` +| + +| workers.generic_worker.csPaths[3] +| string +| `"/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/joined_members$"` +| + +| workers.generic_worker.csPaths[4] +| string +| `"/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/context/"` +| + +| workers.generic_worker.csPaths[5] +| string +| `"/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/members$"` +| + +| workers.generic_worker.csPaths[6] +| string +| `"/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state$"` +| + +| workers.generic_worker.csPaths[7] +| string +| `"/_matrix/client/v1/rooms/.*/hierarchy$"` +| + +| workers.generic_worker.csPaths[8] +| string +| `"/_matrix/client/unstable/org.matrix.msc2716/rooms/.*/batch_send$"` +| + +| workers.generic_worker.csPaths[9] +| string +| `"/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$"` +| + +| workers.generic_worker.enabled +| bool +| `false` +| + +| workers.generic_worker.generic +| bool +| `true` +| + +| workers.generic_worker.listeners[0] +| string +| `"client"` +| + +| workers.generic_worker.listeners[1] +| string +| `"federation"` +| + +| workers.generic_worker.paths[0] +| string +| `"/_matrix/federation/v1/event/"` +| + +| workers.generic_worker.paths[10] +| string +| `"/_matrix/federation/(v1|v2)/send_leave/"` +| + +| workers.generic_worker.paths[11] 
+| string +| `"/_matrix/federation/(v1|v2)/invite/"` +| + +| workers.generic_worker.paths[12] +| string +| `"/_matrix/federation/v1/event_auth/"` +| + +| workers.generic_worker.paths[13] +| string +| `"/_matrix/federation/v1/exchange_third_party_invite/"` +| + +| workers.generic_worker.paths[14] +| string +| `"/_matrix/federation/v1/user/devices/"` +| + +| workers.generic_worker.paths[15] +| string +| `"/_matrix/key/v2/query"` +| + +| workers.generic_worker.paths[16] +| string +| `"/_matrix/federation/v1/hierarchy/"` +| + +| workers.generic_worker.paths[17] +| string +| `"/_matrix/federation/v1/send/"` +| + +| workers.generic_worker.paths[1] +| string +| `"/_matrix/federation/v1/state/"` +| + +| workers.generic_worker.paths[2] +| string +| `"/_matrix/federation/v1/state_ids/"` +| + +| workers.generic_worker.paths[3] +| string +| `"/_matrix/federation/v1/backfill/"` +| + +| workers.generic_worker.paths[4] +| string +| `"/_matrix/federation/v1/get_missing_events/"` +| + +| workers.generic_worker.paths[5] +| string +| `"/_matrix/federation/v1/publicRooms"` +| + +| workers.generic_worker.paths[6] +| string +| `"/_matrix/federation/v1/query/"` +| + +| workers.generic_worker.paths[7] +| string +| `"/_matrix/federation/v1/make_join/"` +| + +| workers.generic_worker.paths[8] +| string +| `"/_matrix/federation/v1/make_leave/"` +| + +| workers.generic_worker.paths[9] +| string +| `"/_matrix/federation/(v1|v2)/send_join/"` +| + +| workers.media_repository.csPaths[0] +| string +| `"/_matrix/media/.*"` +| + +| workers.media_repository.csPaths[1] +| string +| `"/_synapse/admin/v1/purge_media_cache$"` +| + +| workers.media_repository.csPaths[2] +| string +| `"/_synapse/admin/v1/room/.*/media"` +| + +| workers.media_repository.csPaths[3] +| string +| `"/_synapse/admin/v1/user/.*/media"` +| + +| workers.media_repository.csPaths[4] +| string +| `"/_synapse/admin/v1/media/"` +| + +| workers.media_repository.csPaths[5] +| string +| `"/_synapse/admin/v1/quarantine_media/"` +| + +| 
workers.media_repository.csPaths[6] +| string +| `"/_synapse/admin/v1/users/.*/media$"` +| + +| workers.media_repository.enabled +| bool +| `false` +| + +| workers.media_repository.listeners[0] +| string +| `"media"` +| + +| workers.media_repository.paths[0] +| string +| `"/_matrix/media/.*"` +| + +| workers.pusher.enabled +| bool +| `false` +| + +| workers.user_dir.csPaths[0] +| string +| `"/_matrix/client/(api/v1|r0|v3|unstable)/user_directory/search$"` +| + +| workers.user_dir.enabled +| bool +| `false` +| + +| workers.user_dir.listeners[0] +| string +| `"client"` +| + +| workers.user_dir.name +| string +| `"userdir"` +| +|=== + +Autogenerated from chart metadata using https://github.com/norwoodj/helm-docs[helm-docs] diff --git a/matrix-synapse/_docs.gotmpl b/matrix-synapse/_docs.gotmpl new file mode 100644 index 0000000..e69de29 diff --git a/matrix-synapse/ci/ct-values.yaml b/matrix-synapse/ci/ct-values.yaml new file mode 100644 index 0000000..d2e8bc2 --- /dev/null +++ b/matrix-synapse/ci/ct-values.yaml @@ -0,0 +1 @@ +serverName: "example.org" diff --git a/matrix-synapse/templates/NOTES.txt b/matrix-synapse/templates/NOTES.txt new file mode 100644 index 0000000..5d8ce00 --- /dev/null +++ b/matrix-synapse/templates/NOTES.txt 
@@ -0,0 +1,41 @@
+** Note, this chart may take a while to finish setup, please be patient **
+{{- if .Values.signingkey.job.enabled }}
+** Also, remember to disable the signingkey job (signingkey.job.enabled=false) **
+{{- end }}
+{{- if not .Values.ingress.enabled }}
+
+Synapse has been installed without an ingress, you will need to manage
+accesses to the services yourself.
+{{- else }}
+
+Your Synapse install is now starting, you should soon be able to access it on
+the following URL(s);
+  {{- range (concat .Values.ingress.csHosts (list (.Values.publicServerName | default .Values.serverName))) }}
+  {{- if $.Values.ingress.tls }}
+https://{{ . }}
+  {{- else }}
+http://{{ . }}
+  {{- end }}
+  {{- end }}
+{{ if not .Values.wellknown.enabled }}
+Note that for federation to work you will need to either add an SRV record or
+set up a /.well-known/matrix/server response.
+Refer to https://github.com/matrix-org/synapse/blob/master/docs/federate.md
+for more information.
+{{- end }}
+{{- end }}
+
+{{- if .Values.config.enableRegistration }}
+You should be able to connect to your Synapse install with any compatible
+Matrix client - and register an account - as soon as final setup is done.
+
+You can also create an admin user with the following command;
+{{- else }}
+You can create a user in your new Synapse install by running the following
+command; (replacing USERNAME and PASSWORD)
+{{- end }}
+
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=synapse" -o jsonpath="{.items[0].metadata.name}")
+  kubectl exec --namespace {{ .Release.Namespace }} $POD_NAME -- register_new_matrix_user -c /synapse/config/homeserver.yaml -c /synapse/config/conf.d/secrets.yaml -u USERNAME -p PASSWORD --admin http://localhost:8008
+
+You can also specify --no-admin to create a non-admin user.
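Review bot: The user-creation command at the end of the hunk passes the password as `-p PASSWORD` on the command line, which leaves it in the operator's shell history and in the process list for the duration of the exec; `register_new_matrix_user` prompts for the password when `-p` is omitted, so the suggested command can drop that flag: `kubectl exec --namespace {{ .Release.Namespace }} $POD_NAME -- register_new_matrix_user -c /synapse/config/homeserver.yaml -c /synapse/config/conf.d/secrets.yaml -u USERNAME --admin http://localhost:8008`, with the sentence above it changed to "(replacing USERNAME; you will be prompted for the password)". Separately, the `app.kubernetes.io/name=` selector in the `POD_NAME` line re-implements the chart's name helper inline (`default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-"`); using `{{ include "matrix-synapse.name" . }}` keeps it from drifting from the label the templates actually set.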
diff --git a/matrix-synapse/templates/_helpers.tpl b/matrix-synapse/templates/_helpers.tpl
new file mode 100644
index 0000000..0899f14
--- /dev/null
+++ b/matrix-synapse/templates/_helpers.tpl
@@ -0,0 +1,258 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "matrix-synapse.name" -}}
+{{- .Values.nameOverride | default .Chart.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "matrix-synapse.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := .Values.nameOverride | default .Chart.Name -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create a default replication name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "matrix-synapse.replicationname" -}}
+{{- printf "%s-%s" .Release.Name "replication" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default worker name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "matrix-synapse.workername" -}}
+{{- with get . "root" }}
+{{- $ = . }}
+{{- end }}
+{{- printf "%s-%s" $.Release.Name .worker | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default external component name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "matrix-synapse.externalname" -}}
+{{- with get . "root" }}
+{{- $ = . }}
+{{- end }}
+{{- printf "%s-%s" $.Release.Name .external | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "matrix-synapse.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "matrix-synapse.labels" -}}
+helm.sh/chart: {{ include "matrix-synapse.chart" . }}
+{{ include "matrix-synapse.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Selector labels
+*/}}
+{{- define "matrix-synapse.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "matrix-synapse.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{/*
+Pull secrets
+*/}}
+{{- define "matrix-synapse.imagePullSecrets" -}}
+{{- if or .Values.image.pullSecrets .Values.wellknown.image.pullSecrets .Values.volumePermissions.pullSecrets }}
+imagePullSecrets:
+  {{- with .Values.image.pullSecrets }}
+  {{- . | toYaml | nindent 2 }}
+  {{- end }}
+  {{- with .Values.wellknown.image.pullSecrets }}
+  {{- . | toYaml | nindent 2 }}
+  {{- end }}
+  {{- with .Values.volumePermissions.image.pullSecrets }}
+  {{- . | toYaml | nindent 2 }}
+  {{- end }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "matrix-synapse.postgresql.fullname" -}}
+{{- printf "%s-%s" .Release.Name "postgresql" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Set postgres host
+*/}}
+{{- define "matrix-synapse.postgresql.host" -}}
+{{- if .Values.postgresql.enabled -}}
+{{- template "matrix-synapse.postgresql.fullname" . -}}
+{{- else -}}
+{{ required "A valid externalPostgresql.host is required" .Values.externalPostgresql.host }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Set postgres secret
+*/}}
+{{- define "matrix-synapse.postgresql.secret" -}}
+{{- if .Values.postgresql.enabled -}}
+{{- template "matrix-synapse.postgresql.fullname" . -}}
+{{- else -}}
+{{- template "matrix-synapse.fullname" . -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Set postgres port
+*/}}
+{{- define "matrix-synapse.postgresql.port" -}}
+{{- if .Values.postgresql.enabled -}}
+{{- if .Values.postgresql.service -}}
+{{- .Values.postgresql.service.port | default 5432 }}
+{{- else -}}
+5432
+{{- end -}}
+{{- else -}}
+{{- required "A valid externalPostgresql.port is required" .Values.externalPostgresql.port -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Set postgresql username
+*/}}
+{{- define "matrix-synapse.postgresql.username" -}}
+{{- if .Values.postgresql.enabled -}}
+{{ required "A valid postgresql.auth.username is required" .Values.postgresql.auth.username }}
+{{- else -}}
+{{ required "A valid externalPostgresql.username is required" .Values.externalPostgresql.username }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Set postgresql password
+*/}}
+{{- define "matrix-synapse.postgresql.password" -}}
+{{- if .Values.postgresql.enabled -}}
+{{ required "A valid postgresql.auth.password is required" .Values.postgresql.auth.password }}
+{{- else if not (and .Values.externalPostgresql.existingSecret .Values.externalPostgresql.existingSecretPasswordKey) -}}
+{{ required "A valid externalPostgresql.password is required" .Values.externalPostgresql.password }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Set postgresql database
+*/}}
+{{- define "matrix-synapse.postgresql.database" -}}
+{{- if .Values.postgresql.enabled -}}
+{{- if .Values.postgresql.postgresqlDatabase -}}
+{{- fail "You need to switch to the new postgresql.auth values." -}}
+{{- end -}}
+{{- .Values.postgresql.auth.database | default "synapse" }}
+{{- else -}}
+{{ required "A valid externalPostgresql.database is required" .Values.externalPostgresql.database }}
+{{- end -}}
+{{- end -}}
+
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "matrix-synapse.redis.fullname" -}}
+{{- printf "%s-%s" .Release.Name "redis" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Set redis host
+*/}}
+{{- define "matrix-synapse.redis.host" -}}
+{{- if .Values.redis.enabled -}}
+{{- printf "%s-%s" (include "matrix-synapse.redis.fullname" .) "master" | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{ required "A valid externalRedis.host is required" .Values.externalRedis.host }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Set redis secret
+*/}}
+{{- define "matrix-synapse.redis.secret" -}}
+{{- if .Values.redis.enabled -}}
+{{- template "matrix-synapse.redis.fullname" . -}}
+{{- else -}}
+{{- template "matrix-synapse.fullname" . -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Set redis port
+*/}}
+{{- define "matrix-synapse.redis.port" -}}
+{{- if .Values.redis.enabled -}}
+{{- .Values.redis.master.service.port | default 6379 }}
+{{- else -}}
+{{ required "A valid externalRedis.port is required" .Values.externalRedis.port }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Set redis password
+*/}}
+{{- define "matrix-synapse.redis.password" -}}
+{{- if (and .Values.redis.enabled .Values.redis.password) -}}
+{{ .Values.redis.password }}
+{{- else if (and .Values.redis.enabled .Values.redis.auth.password) -}}
+{{ .Values.redis.auth.password }}
+{{- else if .Values.externalRedis.password -}}
+{{ .Values.externalRedis.password }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Set redis database id
+*/}}
+{{- define "matrix-synapse.redis.dbid" -}}
+{{- if .Values.redis.dbid -}}
+{{ .Values.redis.dbid }}
+{{- else if .Values.externalRedis.dbid -}}
+{{ .Values.externalRedis.dbid }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "matrix-synapse.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+  {{ default (include "matrix-synapse.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+  {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
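Review bot: In `matrix-synapse.imagePullSecrets` the `if or …` guard tests `.Values.volumePermissions.pullSecrets`, but the `with` block it guards renders `.Values.volumePermissions.image.pullSecrets`; a user who sets only `volumePermissions.image.pullSecrets` gets no `imagePullSecrets:` emitted at all, so a volume-permissions image in a private registry silently fails to pull. The condition should name the key that is actually rendered: `{{- if or .Values.image.pullSecrets .Values.wellknown.image.pullSecrets .Values.volumePermissions.image.pullSecrets }}`. Less important, `matrix-synapse.redis.password` consults `.Values.redis.password` ahead of `.Values.redis.auth.password`, a key the README values table in this commit does not list; a one-line comment in the helper saying whether that is a legacy alias, or dropping the branch, would spare the next maintainer a search.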
@@ -0,0 +1,169 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "matrix-synapse.fullname" . }} + labels: + {{- include "matrix-synapse.labels" . | nindent 4 }} +data: + log.yaml: | + version: 1 + formatters: + {{- if .Values.config.useStructuredLogging }} + structured: + class: synapse.logging.TerseJsonFormatter + {{- else }} + precise: + format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s- %(message)s' + {{- end }} + filters: + context: + (): synapse.util.logcontext.LoggingContextFilter + request: "" + handlers: + console: + class: logging.StreamHandler + formatter: {{ if .Values.config.useStructuredLogging }}structured{{ else }}precise{{ end }} + filters: [context] + level: {{ .Values.config.logLevel | default "INFO" }} + loggers: + synapse: + level: {{ .Values.config.logLevel | default "INFO" }} + {{- with .Values.extraLoggers -}} + {{ . | toYaml | nindent 8 }} + {{- end }} + root: + level: {{ .Values.config.logLevel | default "INFO" }} + handlers: [console] + homeserver.yaml: | + # NOTE: + # Secrets are stored in separate configs to better fit K8s concepts + + ## Server ## + + server_name: {{ required "You need to specify a serverName" .Values.serverName | quote }} + public_baseurl: {{ .Values.config.publicBaseurl | default (printf "https://%s" (.Values.publicServerName | default .Values.serverName)) | quote }} + pid_file: /homeserver.pid + web_client: False + soft_file_limit: 0 + log_config: "/synapse/config/log.yaml" + report_stats: {{ required "You need to specify config.reportStats" .Values.config.reportStats }} + + instance_map: + main: + host: {{ include "matrix-synapse.replicationname" . 
}} + port: 9093 + {{- range $worker, $config := .Values.workers }} + {{- if and $config.enabled $config.name $config.listeners (has "replication" $config.listeners) }} + {{- $name := $worker | replace "_" "-" }} + {{ $config.name | quote }}: + host: {{ include "matrix-synapse.workername" (dict "root" $ "worker" $name) | quote }} + port: 9093 + {{- end }}{{/* end-if .enabled ... */}} + {{- end }}{{/* end-range .workers */}} + + ## Ports ## + {{- $bindAddresses := .Values.config.bindAddresses }} + + listeners: + - port: 8008 + tls: false + bind_addresses: {{ toJson $bindAddresses }} + type: http + x_forwarded: true + + resources: + - names: + - client + - federation + {{- with .Values.config.extraMainListenerTypes }} + {{- . | toYaml | nindent 14 }} + {{- end }} + compress: false + + - port: 9090 + tls: false + bind_addresses: {{ toJson $bindAddresses }} + type: http + + resources: + - names: [metrics] + compress: false + + - port: 9093 + tls: false + bind_addresses: {{ toJson $bindAddresses }} + type: http + + resources: + - names: [replication] + compress: false + {{- if .Values.config.extraListeners }} + {{ .Values.config.extraListeners | toYaml | nindent 6 }} + {{- end }} + + ## Files ## + + media_store_path: "/synapse/data/media" + uploads_path: "/synapse/data/uploads" + {{- if .Values.config.recaptcha }} + + ## Captcha ## + + recaptcha_public_key: {{ .Values.config.recaptcha.publicKey | quote }} + enable_registration_captcha: true + {{- end }} + {{- if .Values.config.turnUris }} + + ## Turn ## + + turn_uris: + {{ toYaml .Values.config.turnUris | nindent 6 }} + {{- end }} + + ## Registration ## + + enable_registration: {{ .Values.config.enableRegistration | default false }} + + ## Metrics ### + + enable_metrics: true + + ## Signing Keys ## + + signing_key_path: "/synapse/keys/signing.key" + + # The trusted servers to download signing keys from. 
+ trusted_key_servers: {{- .Values.config.trustedKeyServers | toYaml | nindent 6 }} + + ## Workers ## + {{- range $worker, $config := .Values.workers }} + {{- if $config.enabled }} + {{- if or (eq $worker "pusher") (eq ($config.app | default "") "pusher") }} + + # For pusher worker + start_pushers: false + {{- else if or (eq $worker "appservice") (eq ($config.app | default "") "appservice") }} + + # For appservice worker + notify_appservices_from_worker: {{ $config.name | quote }} + {{- else if or (eq $worker "federation_sender") (eq ($config.app | default "") "federation_sender") }} + + # For federation_sender worker + send_federation: false + {{- else if or (eq $worker "media_repository") (eq ($config.app | default "") "media_repository") }} + + # For media_repository worker + enable_media_repo: false + {{- else if or (eq $worker "user_dir") (eq ($config.app | default "") "user_dir") }} + + # For user_dir worker + update_user_directory_from_worker: {{ $config.name | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- with .Values.extraConfig }} + + ## Extra config ## + {{ . | toYaml | nindent 4 }} + {{- end }} diff --git a/matrix-synapse/templates/deployment.yaml b/matrix-synapse/templates/deployment.yaml new file mode 100644 index 0000000..f7ab9e1 --- /dev/null +++ b/matrix-synapse/templates/deployment.yaml 
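Review bot: The `listeners` block renders the replication (9093) and metrics (9090) listeners with `tls: false`, no authentication, and `bind_addresses` taken straight from `config.bindAddresses`, while nothing else in this chart (no NetworkPolicy template) restricts who may reach them, so any pod that can route to the synapse pod can issue replication requests or scrape metrics. The client listener on 8008 additionally sets `x_forwarded: true`, so a caller that reaches the pod or its ClusterIP directly instead of through the ingress can spoof `X-Forwarded-For`, which Synapse, as far as I recall, uses for per-IP rate limiting and login records. I would either ship a NetworkPolicy alongside the worker services or at least add a note above `## Ports ##` such as `# NOTE: 9090/9093 carry no auth or TLS and 8008 trusts X-Forwarded-For; restrict all three with a NetworkPolicy to the ingress, workers and the metrics scraper`, and mention the same in the README.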
@@ -0,0 +1,204 @@ +{{- $needsVolumePermissions := and .Values.volumePermissions.enabled (or .Values.persistence.enabled .Values.persistence.existingClaim) }} +{{- if (and .Values.postgresql.enabled (and (not .Values.postgresql.auth.password) (not .Values.postgresql.existingSecret))) -}} +{{- fail "You must specify a static postgres password or existing secret if using the included postgres chart" -}} +{{- end -}} +{{- if (and .Values.redis.enabled (and .Values.redis.usePassword (and (not .Values.redis.auth.password) (not .Values.redis.auth.existingSecret)))) -}} +{{- fail "You must specify a static redis password or existing secret if using the included redis chart" -}} +{{- end -}} +--- +# Server: {{ required "A valid serverName is required" .Values.serverName }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "matrix-synapse.fullname" . }} + labels: + {{- include "matrix-synapse.labels" . | nindent 4 }} + app.kubernetes.io/component: synapse +spec: + replicas: 1 + strategy: + {{- toYaml .Values.synapse.strategy | nindent 4 }} + selector: + matchLabels: + {{- include "matrix-synapse.selectorLabels" . | nindent 6 }} + app.kubernetes.io/component: synapse + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }} + {{- with .Values.synapse.annotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "matrix-synapse.selectorLabels" . | nindent 8 }} + app.kubernetes.io/component: synapse + {{- with .Values.synapse.labels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ include "matrix-synapse.serviceAccountName" . }} + {{- include "matrix-synapse.imagePullSecrets" . 
| nindent 6 }} + securityContext: + {{- toYaml .Values.synapse.podSecurityContext | nindent 8 }} + {{- if $needsVolumePermissions }} + initContainers: + - name: volume-permissions + command: + - sh + - -c + - | + chown {{ .Values.volumePermissions.uid }}:{{ .Values.volumePermissions.gid }} -R /synapse/data + {{- with .Values.volumePermissions.image }} + image: "{{ coalesce $.Values.global.image.registry .registry }}/{{ .repository }}:{{ .tag }}" + imagePullPolicy: {{ coalesce $.Values.global.image.pullPolicy .pullPolicy }} + {{- end }} + resources: + {{- toYaml .Values.volumePermissions.resources | nindent 12 }} + securityContext: + runAsNonRoot: false + runAsUser: 0 + volumeMounts: + - name: media + mountPath: /synapse/data + {{- end }} + containers: + - name: synapse + {{- with .Values.image }} + image: "{{ coalesce $.Values.global.image.registry .registry }}/{{ .repository }}:{{ .tag | default (printf "v%s" $.Chart.AppVersion) }}" + imagePullPolicy: {{ coalesce $.Values.global.image.pullPolicy .pullPolicy }} + {{- end }} + env: + {{- if or .Values.postgresql.enabled .Values.externalPostgresql.existingSecret }} + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.postgresql.enabled }} + name: {{ .Values.postgresql.existingSecret | default (include "matrix-synapse.postgresql.fullname" .) }} + key: password + {{- else }} + name: {{ .Values.externalPostgresql.existingSecret }} + key: {{ .Values.externalPostgresql.existingSecretPasswordKey }} + {{- end }} + {{- end }} + {{- if or (and .Values.redis.enabled (default .Values.redis.usePassword true)) .Values.externalRedis.existingSecret }} + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.redis.enabled }} + name: {{ .Values.redis.auth.existingSecret | default (include "matrix-synapse.redis.fullname" .) 
}} + key: redis-password + {{- else }} + name: {{ .Values.externalRedis.existingSecret }} + key: {{ .Values.externalRedis.existingSecretPasswordKey }} + {{- end -}} + {{- end }} + {{- with .Values.synapse.extraEnv }} + {{- . | toYaml | nindent 12 }} + {{- end }} + command: + - sh + - -c + - | + cat /synapse/secrets/*.yaml | \ + sed -e "s/@@POSTGRES_PASSWORD@@/${POSTGRES_PASSWORD:-}/" \ + -e "s/@@REDIS_PASSWORD@@/${REDIS_PASSWORD:-}/" \ + > /synapse/config/conf.d/secrets.yaml + + {{- if .Values.synapse.extraCommands }} + + {{ range .Values.synapse.extraCommands }} + {{ . }} + {{- end }} + {{- end }} + + exec python -B -m synapse.app.homeserver \ + -c /synapse/config/homeserver.yaml \ + -c /synapse/config/conf.d/ + securityContext: + {{- toYaml .Values.synapse.securityContext | nindent 12 }} + ports: + - name: http + containerPort: 8008 + protocol: TCP + - name: replication + containerPort: 9093 + protocol: TCP + - name: metrics + containerPort: 9090 + protocol: TCP + {{- with .Values.synapse.livenessProbe }} + livenessProbe: + {{- . | toYaml | nindent 12 }} + {{- end }} + {{- with .Values.synapse.readinessProbe }} + readinessProbe: + {{- . | toYaml | nindent 12 }} + {{- end }} + {{- with .Values.synapse.startupProbe }} + startupProbe: + {{- . | toYaml | nindent 12 }} + {{- end }} + volumeMounts: + - name: config + mountPath: /synapse/config + - name: tmpconf + mountPath: /synapse/config/conf.d + - name: secrets + mountPath: /synapse/secrets + - name: signingkey + mountPath: /synapse/keys + - name: media + mountPath: /synapse/data + - name: tmpdir + mountPath: /tmp + {{- with .Values.synapse.extraVolumeMounts }} + {{- . | toYaml | nindent 12 }} + {{- end }} + resources: + {{- toYaml .Values.synapse.resources | nindent 12 }} + volumes: + - name: config + configMap: + name: {{ include "matrix-synapse.fullname" . }} + - name: secrets + secret: + secretName: {{ include "matrix-synapse.fullname" . 
}} + - name: signingkey + secret: + secretName: {{ .Values.signingkey.existingSecret | default (include "matrix-synapse.workername" (dict "root" . "worker" "signingkey")) | quote }} + items: + - key: {{ .Values.signingkey.existingSecretKey | default "signing.key" | quote }} + path: signing.key + - name: tmpconf + emptyDir: {} + - name: tmpdir + emptyDir: {} + - name: media + {{- $mediaworker := false }} + {{- range $worker, $config := .Values.workers }} + {{- if eq $worker "media_repository" }} + {{- $mediaworker = ($config.enabled | default false) }} + {{- end }} + {{- end }} + {{- if and .Values.persistence.enabled (not $mediaworker) }} + persistentVolumeClaim: + claimName: {{ .Values.persistence.existingClaim | default (include "matrix-synapse.fullname" .) }} + {{- else }} + emptyDir: {} + {{- end }} + {{- with .Values.synapse.extraVolumes }} + {{- . | toYaml | nindent 8 }} + {{- end }} + {{- with .Values.synapse.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.synapse.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.synapse.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/matrix-synapse/templates/ingress.yaml b/matrix-synapse/templates/ingress.yaml new file mode 100644 index 0000000..8ec00ea --- /dev/null +++ b/matrix-synapse/templates/ingress.yaml 
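Review bot: The startup `sed` in the synapse container splices `${POSTGRES_PASSWORD:-}` and `${REDIS_PASSWORD:-}` unescaped into the sed expression, so a password containing `/`, `&` or `\` either aborts sed (the pod crash-loops) or is silently rewritten (`&` expands to the matched placeholder), and a value containing `/` can even terminate the substitution and inject further sed commands. Escaping the two values before substitution keeps the approach intact and makes arbitrary secret values safe (a newline inside a password is the one case sed cannot carry and is worth a comment). Separately, `(default .Values.redis.usePassword true)` in the REDIS_PASSWORD guard always evaluates to `true`, because Sprig's `default` returns its last argument whenever that is non-empty, so the env var is injected whenever the bundled redis is enabled even with auth disabled, and the pod then fails on the missing `redis-password` key; `(.Values.redis.usePassword | default true)` is probably what was meant. Lastly the rendered `secrets.yaml` sits in the `tmpconf` emptyDir in plaintext, which is fine given the value is already in the pod's env, but `emptyDir: {medium: Memory}` would keep it off node disk.
```yaml
          - |
            # escape sed metacharacters so arbitrary secret values survive substitution
            esc() { printf '%s' "$1" | sed -e 's/[\/&\\]/\\&/g'; }
            pg_pw=$(esc "${POSTGRES_PASSWORD:-}")
            redis_pw=$(esc "${REDIS_PASSWORD:-}")
            cat /synapse/secrets/*.yaml | \
              sed -e "s/@@POSTGRES_PASSWORD@@/${pg_pw}/" \
                  -e "s/@@REDIS_PASSWORD@@/${redis_pw}/" \
              > /synapse/config/conf.d/secrets.yaml
            # … unchanged: extraCommands and exec python -B -m synapse.app.homeserver …
```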
@@ -0,0 +1,195 @@ +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "matrix-synapse.fullname" . -}} +{{- $wkName := include "matrix-synapse.externalname" (dict "root" . "external" "wellknown") -}} +{{- $v1Ingress := .Capabilities.APIVersions.Has "networking.k8s.io/v1" -}} +{{- if $v1Ingress -}} +apiVersion: networking.k8s.io/v1 +{{- else -}} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + {{- include "matrix-synapse.labels" . | nindent 4 }} + {{- with .Values.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: +{{- if .Values.ingress.className }} + ingressClassName: {{ .Values.ingress.className }} +{{- end }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + {{- if .secretName }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} +{{- end }} + rules: + {{- $csHosts := .Values.ingress.csHosts }} + {{- if .Values.ingress.includeServerName }} + {{- $csHosts = concat (list (.Values.publicServerName | default .Values.serverName)) $csHosts }} + {{- end }} + {{- $s2sHosts := .Values.ingress.hosts }} + {{- if .Values.ingress.includeServerName }} + {{- $s2sHosts = concat (list .Values.serverName) $s2sHosts }} + {{- end }} + {{- $wkHosts := .Values.ingress.wkHosts }} + {{- if .Values.ingress.includeServerName }} + {{- $wkHosts = concat (list .Values.serverName) $wkHosts }} + {{- end }} + {{- $hosts := uniq (concat $s2sHosts $csHosts $wkHosts) }} + {{- range $hosts }} + {{- $host := . }} + - host: {{ . 
| quote }} + http: + paths: + {{- $default := $.Values.workers.default }} + {{- range $worker, $config := $.Values.workers }} + {{- $name := $worker | replace "_" "-" }} + {{- if and $config.enabled $config.listeners (or $config.paths $config.csPaths) }} + {{- $service := include "matrix-synapse.workername" (dict "root" $ "worker" $name) }} + {{- if has $host $csHosts }} + {{- range $config.csPaths }} + {{- if $.Values.ingress.traefikPaths }} + - path: {{ printf "/{path:%s}" (trimPrefix "/" .) | quote }} + backend: + {{- if $v1Ingress }} + service: + name: {{ $service }} + port: + number: 8083 + pathType: ImplementationSpecific + {{- else }} + serviceName: {{ $service }} + servicePort: 8083 + {{- end }} + {{- else }} + - path: {{ . | quote }} + backend: + {{- if $v1Ingress }} + service: + name: {{ $service }} + port: + number: 8083 + pathType: ImplementationSpecific + {{- else }} + serviceName: {{ $service }} + servicePort: 8083 + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if has $host $s2sHosts }} + {{- range $config.paths }} + {{- if $.Values.ingress.traefikPaths }} + - path: {{ printf "/{path:%s}" (trimPrefix "/" .) | quote }} + backend: + {{- if $v1Ingress }} + service: + name: {{ $service }} + port: + number: 8083 + pathType: ImplementationSpecific + {{- else }} + serviceName: {{ $service }} + servicePort: 8083 + {{- end }} + {{- else }} + - path: {{ . | quote }} + backend: + {{- if $v1Ingress }} + service: + name: {{ $service }} + port: + number: 8083 + pathType: ImplementationSpecific + {{- else }} + serviceName: {{ $service }} + servicePort: 8083 + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + + {{- if has . $csHosts }} + {{- with $.Values.ingress.csPaths }} + {{ . | toYaml | nindent 10 }} + {{- end }} + {{- end }} + {{- if has . $s2sHosts }} + {{- with $.Values.ingress.paths }} + {{ . | toYaml | nindent 10 }} + {{- end }} + {{- end }} + + {{- if or (has . $csHosts) (has . 
$s2sHosts) }} + - path: /_matrix + backend: + {{- if $v1Ingress }} + service: + name: {{ $fullName }} + port: + number: {{ $.Values.service.port }} + pathType: Prefix + {{- else }} + serviceName: {{ $fullName }} + servicePort: {{ $.Values.service.port }} + {{- end }} + {{- end }} + + {{- if and (has . $csHosts) $.Values.ingress.includeUnderscoreSynapse }} + - path: /_synapse + backend: + {{- if $v1Ingress }} + service: + name: {{ $fullName }} + port: + number: {{ $.Values.service.port }} + pathType: Prefix + {{- else }} + serviceName: {{ $fullName }} + servicePort: {{ $.Values.service.port }} + {{- end }} + {{- end }} + + {{- if has . $wkHosts }} + {{- if $.Values.wellknown.enabled }} + - path: /.well-known/matrix + backend: + {{- if $v1Ingress }} + service: + name: {{ $wkName }} + port: + number: {{ $.Values.wellknown.service.port | default 80 }} + pathType: Prefix + {{- else }} + serviceName: {{ $wkName }} + servicePort: {{ $.Values.wellknown.service.port | default 80 }} + {{- end }} + {{- else }} + - path: /.well-known/matrix + backend: + {{- if $v1Ingress }} + service: + name: {{ $fullName }} + port: + number: {{ $.Values.service.port }} + pathType: Prefix + {{- else }} + serviceName: {{ $fullName }} + servicePort: {{ $.Values.service.port }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} diff --git a/matrix-synapse/templates/pvc.yaml b/matrix-synapse/templates/pvc.yaml new file mode 100644 index 0000000..f038c43 --- /dev/null +++ b/matrix-synapse/templates/pvc.yaml 
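Review bot: The `includeUnderscoreSynapse` rule routes the entire `/_synapse` prefix on the client hosts to the main Service, and as far as Synapse's URL layout goes that prefix also contains the `/_synapse/admin` API, so enabling this value publishes the admin endpoints on the public client hostname. If the intent is only the client-facing endpoints (password reset, SSO callbacks), narrow it to `- path: /_synapse/client` and keep `/_synapse/admin` reachable only inside the cluster; if admin exposure is deliberate, say so in the values comment for `includeUnderscoreSynapse`. The `tls:` block is also emitted only when `ingress.tls` is set, so a deployment that omits it serves federation and client traffic in plaintext at the edge; a `# NOTE: federation requires valid TLS on serverName and publicServerName` next to that block would save someone a debugging session.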
@@ -0,0 +1,22 @@ +{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ template "matrix-synapse.fullname" . }} + labels: + {{- include "matrix-synapse.labels" . | nindent 4 }} +spec: + accessModes: + - {{ .Values.persistence.accessMode | quote }} + resources: + requests: + storage: {{ .Values.persistence.size | quote }} +{{- if .Values.persistence.storageClass }} +{{- if (eq "-" .Values.persistence.storageClass) }} + storageClassName: "" +{{- else }} + storageClassName: "{{ .Values.persistence.storageClass }}" +{{- end }} +{{- end }} +{{- end -}} + diff --git a/matrix-synapse/templates/secrets.yaml b/matrix-synapse/templates/secrets.yaml new file mode 100644 index 0000000..0871249 --- /dev/null +++ b/matrix-synapse/templates/secrets.yaml 
@@ -0,0 +1,86 @@ +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "matrix-synapse.fullname" . }} + labels: + {{- include "matrix-synapse.labels" . | nindent 4 }} +stringData: + config.yaml: | + {{- if .Values.config.recaptcha }} + ## Captcha ## + + recaptcha_private_key: {{ .Values.config.recaptcha.privateKey | quote }} + {{- end }} + {{- if .Values.config.turnSecret }} + + ## Turn ## + + turn_shared_secret: {{ .Values.config.turnSecret | quote }} + + {{- end }} + ## Registration ## + + registration_shared_secret: {{ .Values.config.registrationSharedSecret | default (randAlphaNum 24) | quote }} + + ## API Configuration ## + + {{- if .Values.config.macaroonSecretKey }} + + macaroon_secret_key: {{ .Values.config.macaroonSecretKey | quote }} + {{- end }} + + ## Database configuration ## + + database: + name: "psycopg2" + {{- $postgresConfig := .Values.externalPostgresql }} + {{- if .Values.postgresql.enabled }} + {{- $postgresConfig = .Values.postgresql }} + {{- end }} + {{- with $postgresConfig.options }} + {{- toYaml . | nindent 6 }} + {{- end }} + args: + host: {{ include "matrix-synapse.postgresql.host" . | quote }} + port: {{ include "matrix-synapse.postgresql.port" . }} + sslmode: {{ $postgresConfig.sslmode | default "prefer" | quote }} + user: {{ include "matrix-synapse.postgresql.username" . | quote }} + {{- $postgresPass := include "matrix-synapse.postgresql.password" . }} + {{- if and $postgresPass (not .Values.postgresql.existingSecret) }} + password: {{ $postgresPass | quote }} + {{- else }} + password: "@@POSTGRES_PASSWORD@@" + {{- end }} + database: {{ include "matrix-synapse.postgresql.database" . | quote }} + cp_min: 5 + cp_max: 10 + {{- with $postgresConfig.extraArgs }} + {{- toYaml . | nindent 8 }} + {{- end }} + + ## Redis configuration ## + + redis: + enabled: true + host: {{ include "matrix-synapse.redis.host" . | quote }} + {{- with (include "matrix-synapse.redis.port" .) }} + port: {{ . 
}} + {{- end }} + {{- $redisPass := include "matrix-synapse.redis.password" . }} + {{- if or .Values.redis.auth.enabled .Values.redis.usePassword .Values.redis.password .Values.redis.auth.password .Values.externalRedis.password }} + {{- if and $redisPass (not .Values.redis.auth.existingSecret) }} + password: {{ $redisPass | quote }} + {{- else }} + password: "@@REDIS_PASSWORD@@" + {{- end }} + {{- end }} + {{- with (include "matrix-synapse.redis.dbid" .) }} + dbid: {{ . }} + {{- end }} + + {{- with .Values.extraSecrets }} + + ## Extra secrets ## + {{ . | toYaml | nindent 4 }} + {{- end }} diff --git a/matrix-synapse/templates/service.yaml b/matrix-synapse/templates/service.yaml new file mode 100644 index 0000000..10a0254 --- /dev/null +++ b/matrix-synapse/templates/service.yaml 
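Review bot: `registration_shared_secret` falls back to `randAlphaNum 24`, which is re-evaluated on every `helm upgrade` or `helm template` render, so the value silently changes each release and, because the Deployment hashes this template into `checksum/secrets`, every upgrade also forces a pod rollout; if Synapse derives `macaroon_secret_key` from this value when `config.macaroonSecretKey` is unset (I believe it does), existing access tokens would be invalidated as well. Emit the key only when it is configured — `{{- with .Values.config.registrationSharedSecret }}` / `registration_shared_secret: {{ . | quote }}` / `{{- end }}` — or read the previous release's value back with `lookup` before generating one. Also `sslmode` defaults to `"prefer"`, which silently downgrades to plaintext when the Postgres server does not offer TLS; for `externalPostgresql` a default of `"require"` (or `"verify-full"` with a CA) is the safer choice.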
@@ -0,0 +1,64 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "matrix-synapse.fullname" . }} + labels: + {{- include "matrix-synapse.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type | default "ClusterIP" }} + ports: + - port: {{ .Values.service.port }} + targetPort: {{ .Values.service.targetPort | default "http" }} + protocol: TCP + name: http + selector: + app.kubernetes.io/component: synapse + {{- include "matrix-synapse.selectorLabels" . | nindent 4 }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "matrix-synapse.replicationname" . }} + labels: + {{- include "matrix-synapse.labels" . | nindent 4 }} +spec: + type: ClusterIP + ports: + - port: 9093 + targetPort: replication + protocol: TCP + name: replication + selector: + {{- include "matrix-synapse.selectorLabels" . | nindent 4 }} + app.kubernetes.io/component: synapse +{{- $default := .Values.workers.default }} +{{- range $worker, $config := .Values.workers }} +{{- if and $config.enabled $config.listeners }} +{{- $name := $worker | replace "_" "-" }} +{{- $release := $.Release.Name }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "matrix-synapse.workername" (dict "root" $ "worker" $name) }} + labels: + {{- include "matrix-synapse.labels" $ | nindent 4 }} +spec: + type: ClusterIP + ports: + - port: 8083 + targetPort: listener + protocol: TCP + name: listener + {{- if has "replication" $config.listeners }} + - port: 9093 + targetPort: replication + protocol: TCP + name: replication + {{- end }} + selector: + {{- include "matrix-synapse.selectorLabels" $ | nindent 4 }} + app.kubernetes.io/component: {{ $name }} +{{- end }} +{{- end }} diff --git a/matrix-synapse/templates/serviceaccount.yaml b/matrix-synapse/templates/serviceaccount.yaml new file mode 100644 index 0000000..81ca2b8 --- /dev/null +++ b/matrix-synapse/templates/serviceaccount.yaml 
@@ -0,0 +1,12 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccount.name | default (include "matrix-synapse.fullname" .) }} + labels: + {{- include "matrix-synapse.labels" . | nindent 4 }} + annotations: + {{- with .Values.serviceAccount.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/matrix-synapse/templates/signing-key/job.yaml b/matrix-synapse/templates/signing-key/job.yaml new file mode 100644 index 0000000..6b8e7b6 --- /dev/null +++ b/matrix-synapse/templates/signing-key/job.yaml 
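Review bot: The ServiceAccount rendered here is the one the synapse Deployment runs under, yet none of the visible synapse containers talks to the Kubernetes API (the startup command is just `sed` plus `python -m synapse.app.homeserver`), so the auto-mounted token is unused attack surface for anyone who gets code execution in the homeserver. I would add `automountServiceAccountToken: false` at the same level as `metadata:`, leaving the signing-key job's own ServiceAccount untouched since that one does need `kubectl`. If an `extraCommands` use case ever needs the token, expose it as a value such as `serviceAccount.automountToken` rather than defaulting to on.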
@@ -0,0 +1,139 @@ +{{- $secretName := include "matrix-synapse.workername" (dict "root" . "worker" "signingkey") }} + +{{- if .Values.signingkey.job.enabled }} +{{- if .Values.signingkey.existingSecret }} +{{- fail "Can't specify both signingkey.job.enabled and signingkey.existingSecret" }} +{{- end }} +{{- $name := include "matrix-synapse.workername" (dict "root" . "worker" "signingkey-job") }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} + labels: + {{- include "matrix-synapse.labels" . | nindent 4 }} + app.kubernetes.io/component: signingkey-job + annotations: + helm.sh/resource-policy: keep +type: Opaque +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ $name }} + labels: + {{- include "matrix-synapse.labels" . | nindent 4 }} + app.kubernetes.io/component: signingkey-job +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ $name }} + labels: + {{- include "matrix-synapse.labels" . | nindent 4 }} + app.kubernetes.io/component: signingkey-job +rules: + - apiGroups: + - "" + resources: + - secrets + resourceNames: + - {{ $secretName }} + verbs: + - get + - update + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ $name }} + labels: + {{- include "matrix-synapse.labels" . | nindent 4 }} + app.kubernetes.io/component: signingkey-job +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ $name }} +subjects: + - kind: ServiceAccount + name: {{ $name }} + namespace: {{ .Release.Namespace }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ $name }} + labels: + {{- include "matrix-synapse.labels" . | nindent 4 }} + app.kubernetes.io/component: signingkey-job + annotations: + {{- with .Values.signingkey.job.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + ttlSecondsAfterFinished: 0 + template: + metadata: + labels: + {{- include "matrix-synapse.labels" . 
| nindent 8 }} + app.kubernetes.io/component: signingkey-job + spec: + containers: + - name: signing-key-generate + {{- with .Values.image }} + image: "{{ coalesce $.Values.global.image.registry .registry }}/{{ .repository }}:{{ .tag | default (printf "v%s" $.Chart.AppVersion) }}" + imagePullPolicy: {{ coalesce $.Values.global.image.pullPolicy .pullPolicy }} + {{- end }} + command: + - sh + - -c + - | + echo "Generating signing key..." + if which generate_signing_key.py >/dev/null; then + generate_signing_key.py -o /synapse/keys/signing.key + else + generate_signing_key -o /synapse/keys/signing.key + fi + resources: + {{- toYaml .Values.signingkey.resources | nindent 12 }} + volumeMounts: + - mountPath: /synapse/keys + name: matrix-synapse-keys + - name: signing-key-upload + {{- with .Values.signingkey.job.publishImage }} + image: "{{ coalesce $.Values.global.image.registry .registry }}/{{ .repository }}:{{ .tag }}" + imagePullPolicy: {{ coalesce $.Values.global.image.pullPolicy .pullPolicy }} + {{- end }} + command: + - sh + - -c + - | + # check if key already exists + key=$(kubectl get secret {{ $secretName }} -o jsonpath="{.data['signing.key']}" 2> /dev/null) + [ $? -ne 0 ] && echo "Failed to get existing secret" && exit 1 + [ -n "$key" ] && echo "Key already created, exiting." && exit 0 + # wait for config + while [ ! -f /synapse/keys/signing.key ]; do + echo "Waiting for key.." + sleep 5; + done + # update secret + kubectl patch secret {{ $secretName }} -p "{\"data\":{\"signing.key\":\"$(base64 /synapse/keys/signing.key | tr -d '\n')\"}}" + [ $? -ne 0 ] && echo "Failed to update secret." && exit 1 + echo "Key successfully created." + resources: + {{- toYaml .Values.signingkey.resources | nindent 12 }} + volumeMounts: + - mountPath: /synapse/keys + name: matrix-synapse-keys + readOnly: true + restartPolicy: Never + serviceAccount: {{ $name }} + volumes: + - name: matrix-synapse-keys + emptyDir: {} + parallelism: 1 + completions: 1 + backoffLimit: 1 +{{- end }} 
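Review bot: The freshly generated signing key is handed between the two containers through `emptyDir: {}`, which by default is backed by the node's disk, so the homeserver's long-lived private key transiently touches node storage before being uploaded; `emptyDir: {medium: Memory}` keeps it in tmpfs at no cost. The job pod also carries no `securityContext` at pod or container level, unlike the synapse Deployment, so both containers run with whatever their images default to — reusing `.Values.synapse.podSecurityContext` and `.Values.synapse.securityContext` here would be consistent. Finally `serviceAccount:` is the deprecated pod-spec field; `serviceAccountName: {{ $name }}` is the current one.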
diff --git a/matrix-synapse/templates/tests/test-connection.yaml b/matrix-synapse/templates/tests/test-connection.yaml new file mode 100644 index 0000000..466e954 --- /dev/null +++ b/matrix-synapse/templates/tests/test-connection.yaml @@ -0,0 +1,16 @@ +--- +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "matrix-synapse.fullname" . }}-test-connection" + labels: + {{- include "matrix-synapse.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": test-success +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['{{ include "matrix-synapse.fullname" . }}:{{ $.Values.service.port }}/_matrix/client/versions'] + restartPolicy: Never diff --git a/matrix-synapse/templates/wellknown/configmap.yaml b/matrix-synapse/templates/wellknown/configmap.yaml new file mode 100644 index 0000000..b977b5a --- /dev/null +++ b/matrix-synapse/templates/wellknown/configmap.yaml @@ -0,0 +1,23 @@ +{{- if .Values.wellknown.enabled }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "matrix-synapse.externalname" (dict "root" . "external" "wellknown") }} + labels: + {{- include "matrix-synapse.labels" . | nindent 4 }} + app.kubernetes.io/component: wellknown +data: + server: |- + {{- with .Values.wellknown.server }} + {{- toJson . | nindent 4 }} + {{- else }} + {{- dict "m.server" (printf "%s:%d" (.Values.publicServerName | default .Values.serverName) 443) | toJson | nindent 4 }} + {{- end }} + client: |- + {{- with .Values.wellknown.client }} + {{- toJson . | nindent 4 }} + {{- else }} + {{- dict "m.homeserver" (dict "base_url" (printf "https://%s/" (.Values.publicServerName | default .Values.serverName))) | toJson | nindent 4 }} + {{- end }} +{{- end -}}{{/* end-if .wellknown.enabled */}} diff --git a/matrix-synapse/templates/wellknown/deployment.yaml b/matrix-synapse/templates/wellknown/deployment.yaml new file mode 100644 index 0000000..e4f62d2 --- /dev/null +++ b/matrix-synapse/templates/wellknown/deployment.yaml 
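Review bot: The test pod uses `image: busybox` with no tag or digest, so every `helm test` run pulls whatever `latest` currently is from Docker Hub, a mutable and unverifiable dependency, and it also bypasses `global.image.registry` and the chart's `imagePullSecrets`, so the test fails on clusters that mirror images or block Docker Hub. Pin it (`image: busybox:1.36`, or better an `@sha256:` digest) and route it through the same `coalesce $.Values.global.image.registry` pattern the other templates use. The probe URL itself is fine since `/_matrix/client/versions` is, as far as I recall, served unauthenticated.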
@@ -0,0 +1,75 @@ +{{- if .Values.wellknown.enabled }} +{{- $wkName := include "matrix-synapse.externalname" (dict "root" . "external" "wellknown") -}} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ $wkName }} + labels: + {{- include "matrix-synapse.labels" . | nindent 4 }} + app.kubernetes.io/component: wellknown +spec: + replicas: {{ .Values.wellknown.replicaCount }} + selector: + matchLabels: + {{- include "matrix-synapse.selectorLabels" . | nindent 6 }} + app.kubernetes.io/component: wellknown + template: + metadata: + annotations: + checksum/config: {{ include (print .Template.BasePath "/wellknown/configmap.yaml") . | sha256sum }} + {{- with .Values.wellknown.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "matrix-synapse.selectorLabels" . | nindent 8 }} + {{- with .Values.wellknown.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + app.kubernetes.io/component: wellknown + spec: + {{- include "matrix-synapse.imagePullSecrets" . | nindent 6 }} + securityContext: + {{- toYaml .Values.wellknown.podSecurityContext | nindent 8 }} + containers: + - name: wellknown + securityContext: + {{- toYaml .Values.wellknown.securityContext | nindent 12 }} + {{- with .Values.wellknown.image }} + image: "{{ coalesce $.Values.global.image.registry .registry }}/{{ .repository }}:{{ .tag }}" + imagePullPolicy: {{ coalesce $.Values.global.image.pullPolicy .pullPolicy }} + {{- end }} + ports: + - containerPort: {{ .Values.wellknown.containerPort }} + name: http + protocol: TCP + livenessProbe: + httpGet: + path: / + port: http + readinessProbe: + httpGet: + path: / + port: http + resources: + {{- toYaml .Values.wellknown.resources | nindent 12 }} + volumeMounts: + - name: "data" + mountPath: "/usr/share/nginx/html/.well-known/matrix/" + {{- with .Values.wellknown.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.wellknown.affinity }} + affinity: + {{- toYaml . 
| nindent 8 }} + {{- end }} + {{- with .Values.wellknown.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + volumes: + - name: "data" + configMap: + name: {{ $wkName }} +{{- end }} diff --git a/matrix-synapse/templates/wellknown/service.yaml b/matrix-synapse/templates/wellknown/service.yaml new file mode 100644 index 0000000..5a4ab4d --- /dev/null +++ b/matrix-synapse/templates/wellknown/service.yaml @@ -0,0 +1,20 @@ +{{- if .Values.wellknown.enabled }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "matrix-synapse.externalname" (dict "root" . "external" "wellknown") }} + labels: + {{- include "matrix-synapse.labels" . | nindent 4 }} + app.kubernetes.io/component: wellknown +spec: + type: {{ .Values.wellknown.service.type | default "ClusterIP" }} + ports: + - port: {{ .Values.wellknown.service.port | default 80 }} + targetPort: http + protocol: TCP + name: http + selector: + {{- include "matrix-synapse.selectorLabels" . | nindent 4 }} + app.kubernetes.io/component: wellknown +{{- end }} diff --git a/matrix-synapse/templates/worker/configmap.yaml b/matrix-synapse/templates/worker/configmap.yaml new file mode 100644 index 0000000..9078b28 --- /dev/null +++ b/matrix-synapse/templates/worker/configmap.yaml 
@@ -0,0 +1,80 @@ +{{- $any := false }} +{{- range $worker, $config := .Values.workers }} + {{- if $config.enabled }} + {{- $any = true }} + {{- end }} +{{- end }} + +{{- if $any }} +{{- $wkName := include "matrix-synapse.workername" (dict "root" . "worker" "workers") -}} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ $wkName }} + labels: + {{- include "matrix-synapse.labels" . | nindent 4 }} +data: +{{- $default := .Values.workers.default -}} +{{- range $worker, $config := .Values.workers -}} + {{- if $config.enabled -}} + {{- $name := $worker | replace "_" "-" }} + {{- $app := $config.app | default $worker }} + + {{ $name }}.worker: | + worker_app: "synapse.app.{{ (not (not $config.generic)) | ternary "generic_worker" $app }}" +{{- if $config.name -}} +{{- if (gt ($config.replicaCount | int) 1) -}} +{{- fail "Replica count must be 1 if a worker has a unique name." -}} +{{- end }} + worker_name: {{ $config.name }} +{{- end }} +{{- $bindAddresses := $config.bindAddresses | default $.Values.config.bindAddresses | default (list "::") }} + + worker_listeners: + - port: 9090 + tls: false + bind_addresses: {{ toJson $bindAddresses }} + type: http + + resources: + - names: [metrics] + compress: false + {{- if $config.listeners }} + {{- if has "replication" $config.listeners }} + {{- if not $config.name }} + {{- fail "Workers with replication listeners must have unique names." 
}} + {{- end }} + + - port: 9093 + tls: false + bind_addresses: {{ toJson $bindAddresses }} + type: http + x_forwarded: true + + resources: + - names: [replication] + compress: false + {{- end }} + + - port: 8083 + tls: false + bind_addresses: {{ toJson $bindAddresses }} + type: http + x_forwarded: true + + resources: + - names: + {{- toYaml (without $config.listeners "replication") | nindent 14 }} + compress: false + {{- end }} + + worker_log_config: /synapse/config/log.yaml + {{- if $config.extraConfig }} + + # Extra config + {{ toYaml $config.extraConfig | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} +{{- end }} diff --git a/matrix-synapse/templates/worker/deployment.yaml b/matrix-synapse/templates/worker/deployment.yaml new file mode 100644 index 0000000..38a19e4 --- /dev/null +++ b/matrix-synapse/templates/worker/deployment.yaml 
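Review bot: Every worker gets a plaintext metrics listener on 9090 and, for workers whose `listeners` include `replication`, a replication listener on 9093, both bound to `bind_addresses` defaulting to `::`; the replication resource carries no authentication of its own in Synapse, so any pod that can reach the worker on 9093 can presumably talk to it, and `x_forwarded: true` on that listener means the caller's own `X-Forwarded-For` header is trusted as the client address. Unless a NetworkPolicy elsewhere in the chart restricts 9093 and 9090 to the synapse pods (none is visible in this diff), I would add a comment above the `worker_listeners:` block — `# replication (9093) and metrics (9090) are unauthenticated: restrict them to synapse pods with a NetworkPolicy` — and drop `x_forwarded: true` from the replication listener, which never sits behind the ingress. The same caveat should be stated next to `config.bindAddresses` in values.yaml, since that value widens every listener at once.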
@@ -0,0 +1,217 @@ +{{- $needsVolumePermissions := and .Values.volumePermissions.enabled (or .Values.persistence.enabled .Values.persistence.existingClaim) }} +{{- $default := .Values.workers.default }} +{{- range $worker, $config := .Values.workers }} +{{- if $config.enabled }} +{{- $name := $worker | replace "_" "-" }} +{{- $app := $config.app | default $worker }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "matrix-synapse.workername" (dict "root" $ "worker" $name) }} + labels: + {{- include "matrix-synapse.labels" $ | nindent 4 }} + app.kubernetes.io/component: {{ $name }} +spec: + replicas: {{ $config.replicaCount | default $default.replicaCount }} + {{- with ($config.strategy | default $default.strategy) }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + {{- include "matrix-synapse.selectorLabels" $ | nindent 6 }} + app.kubernetes.io/component: {{ $name }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") $ | sha256sum }} + checksum/worker-config: {{ include (print $.Template.BasePath "/worker/configmap.yaml") $ | sha256sum }} + checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") $ | sha256sum }} + {{- with ($config.annotations | default $default.annotations) }} + {{ . | toYaml | nindent 8 }} + {{- end }} + labels: + {{- include "matrix-synapse.selectorLabels" $ | nindent 8 }} + app.kubernetes.io/component: {{ $name }} + {{- with ($config.labels | default $default.labels) }} + {{ . 
| toYaml | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ include "matrix-synapse.serviceAccountName" $ }} + {{- include "matrix-synapse.imagePullSecrets" $ | nindent 6 }} + securityContext: + {{- $config.podSecurityContext | default $default.podSecurityContext | toYaml | nindent 8 }} + {{- if and $needsVolumePermissions (eq $name "media-repository") }} + initContainers: + - name: volume-permissions + {{- with $.Values.volumePermissions.image }} + image: "{{ coalesce $.Values.global.image.registry .registry }}/{{ .repository }}:{{ .tag }}" + imagePullPolicy: {{ coalesce $.Values.global.image.pullPolicy .pullPolicy }} + {{- end }} + command: + - sh + - -c + - | + chown {{ $.Values.volumePermissions.uid }}:{{ $.Values.volumePermissions.gid }} -R /synapse/data + securityContext: + runAsNonRoot: false + runAsUser: 0 + resources: {{ $.Values.volumePermissions.resources | toYaml | nindent 12 }} + volumeMounts: + - name: media + mountPath: /synapse/data + {{- end }} + containers: + - name: {{ $name }} + command: + - sh + - -c + - | + cat /synapse/secrets/*.yaml | \ + sed -e "s/@@POSTGRES_PASSWORD@@/${POSTGRES_PASSWORD:-}/" \ + -e "s/@@REDIS_PASSWORD@@/${REDIS_PASSWORD:-}/" \ + > /synapse/config/conf.d/secrets.yaml + + {{- if (or $config.extraCommands $default.extraCommands) }} + + {{- with $config.extraCommands | default $default.extraCommands }} + {{ range . }} + {{ . 
| nindent 14 }} + {{- end }} + {{- end }} + {{- end }} + + exec python -B -m synapse.app.{{ (not (not $config.generic)) | ternary "generic_worker" $app }} \ + -c /synapse/config/homeserver.yaml \ + -c /synapse/config/conf.d/ \ + -c /synapse/config/{{ $name }}.worker + env: + {{- if or $.Values.postgresql.enabled $.Values.externalPostgresql.existingSecret }} + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + {{- if $.Values.postgresql.enabled }} + name: {{ $.Values.postgresql.existingSecret | default (include "matrix-synapse.postgresql.fullname" $) }} + key: password + {{- else }} + name: {{ $.Values.externalPostgresql.existingSecret }} + key: {{ $.Values.externalPostgresql.existingSecretPasswordKey }} + {{- end }} + {{- end }} + {{- if or (and $.Values.redis.enabled (default $.Values.redis.usePassword true)) $.Values.externalRedis.existingSecret }} + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + {{- if $.Values.redis.enabled }} + name: {{ $.Values.redis.auth.existingSecret | default (include "matrix-synapse.redis.fullname" $) }} + key: redis-password + {{- else }} + name: {{ $.Values.externalRedis.existingSecret }} + key: {{ $.Values.externalRedis.existingSecretPasswordKey }} + {{- end -}} + {{- end }} + {{- with $config.extraEnv | default $default.extraEnv }} + {{- . 
| toYaml | nindent 12 }} + {{- end }} + securityContext: + {{- $config.securityContext | default $default.securityContext | toYaml | nindent 12 }} + {{- with $.Values.image }} + image: "{{ coalesce $.Values.global.image.registry .registry }}/{{ .repository }}:{{ .tag | default (printf "v%s" $.Chart.AppVersion) }}" + imagePullPolicy: {{ coalesce $.Values.global.image.pullPolicy .pullPolicy }} + {{- end }} + ports: + - name: metrics + containerPort: 9090 + protocol: TCP + {{- if $config.listeners }} + - name: listener + containerPort: 8083 + protocol: TCP + {{- if has "replication" $config.listeners }} + - name: replication + containerPort: 9093 + protocol: TCP + {{- end }} + {{- if (or $config.readinessProbe $default.readinessProbe) }} + readinessProbe: + {{- $config.readinessProbe | default $default.readinessProbe | toYaml | nindent 12 }} + {{- end }} + {{- end }} + {{- if (or $config.livenessProbe $default.livenessProbe) }} + livenessProbe: + {{- $config.livenessProbe | default $default.livenessProbe | toYaml | nindent 12 }} + {{- end }} + {{- if (or $config.startupProbe $default.startupProbe) }} + startupProbe: + {{- $config.startupProbe | default $default.startupProbe | toYaml | nindent 12 }} + {{- end }} + resources: + {{- $config.resources | default $default.resources | toYaml | nindent 12 }} + volumeMounts: + - name: config + mountPath: /synapse/config/homeserver.yaml + subPath: homeserver.yaml + - name: config + mountPath: /synapse/config/log.yaml + subPath: log.yaml + - name: worker-config + mountPath: /synapse/config/{{ $name }}.worker + subPath: {{ $name }}.worker + - name: tmpconf + mountPath: /synapse/config/conf.d + - name: secrets + mountPath: /synapse/secrets + - name: signingkey + mountPath: /synapse/keys + {{- if eq $name "media-repository" }} + - name: media + mountPath: /synapse/data + {{- end }} + {{- with $config.volumeMounts | default $default.volumeMounts }} + {{ . 
| toYaml | nindent 12 }} + {{- end }} + {{- with $config.nodeSelector | default $default.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with $config.affinity | default $default.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with $config.tolerations | default $default.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + volumes: + - name: config + configMap: + name: {{ include "matrix-synapse.fullname" $ }} + - name: worker-config + configMap: + name: {{ include "matrix-synapse.workername" (dict "root" $ "worker" "workers") }} + - name: secrets + secret: + secretName: {{ include "matrix-synapse.fullname" $ }} + - name: signingkey + secret: + secretName: {{ $.Values.signingkey.existingSecret | default (include "matrix-synapse.workername" (dict "root" $ "worker" "signingkey")) | quote }} + items: + - key: {{ $.Values.signingkey.existingSecretKey | default "signing.key" | quote }} + path: signing.key + - name: tmpconf + emptyDir: {} + {{- if eq $name "media-repository" }} + - name: media + {{- if $.Values.persistence.enabled }} + persistentVolumeClaim: + claimName: {{ $.Values.persistence.existingClaim | default (include "matrix-synapse.fullname" $) }} + {{- else }} + emptyDir: {} + {{- end }} + {{- end }} + {{- with $config.volumes | default $default.volumes }} + {{ . | toYaml | nindent 8 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/matrix-synapse/values.yaml b/matrix-synapse/values.yaml new file mode 100644 index 0000000..182ffab --- /dev/null +++ b/matrix-synapse/values.yaml 
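Review bot: The start script at `sed -e "s/@@POSTGRES_PASSWORD@@/${POSTGRES_PASSWORD:-}/"` splices the secret into a sed expression unescaped, so a database or Redis password containing `/` makes sed fail with an unterminated `s` command and the worker crash-loops, while `&` or `\` are interpreted as replacement syntax and silently corrupt the rendered password; with `existingSecret` the chart has no control over which characters appear. The rendered file is then written into the `tmpconf` emptyDir, which lands on node disk unless it is declared `emptyDir: {medium: Memory}`, so the credentials leave the tmpfs the Secret mount gave them. Do the substitution with a literal string replace (the image already has python, as the `exec python` line shows) and make the emptyDir memory-backed; whether the placeholder in secrets.yaml is quoted so that a password with YAML-significant characters survives depends on `templates/secrets.yaml`, which is not in this diff. The same `sed` block is presumably repeated for the main Synapse deployment outside this hunk and should get the same treatment.
```yaml
          command:
            - sh
            - -c
            - |
              python -B - <<'EOF' > /synapse/config/conf.d/secrets.yaml
              import glob, os, sys
              text = "".join(open(p).read() for p in sorted(glob.glob("/synapse/secrets/*.yaml")))
              for var in ("POSTGRES_PASSWORD", "REDIS_PASSWORD"):
                  text = text.replace("@@%s@@" % var, os.environ.get(var, ""))
              sys.stdout.write(text)
              EOF
              # … unchanged: extraCommands and the exec python line …
# … unchanged: env, securityContext, image, ports, probes, volumeMounts …
      volumes:
        # … unchanged: config, worker-config, secrets, signingkey …
        - name: tmpconf
          emptyDir:
            medium: Memory
```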
@@ -0,0 +1,913 @@ +--- + +global: + image: + # -- if set it will overwrite all registry entries + registry: + # -- if set it will overwrite all pullPolicy + pullPolicy: + +image: + registry: ghcr.io + repository: element-hq/synapse + # -- Overrides the image tag whose default is the chart appVersion. + tag: + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + +# -- Override part of the installed name, will still keep release name. +nameOverride: + +# -- Override the full name of the installed chart. +fullnameOverride: + + +# -- The Matrix domain name, this is what will be used for the domain part in your MXIDs. +serverName: + +# -- The public Matrix server name, this will be used for any public URLs in config as well as for client API links in the ingress. +publicServerName: + +## The source of the signing key used by Synapse in federation. +## +signingkey: + ## Enable a Kubernetes job to generate and store a signing key if one does not + ## exist. + ## If you have already run a Matrix server at some point on your domain then + ## you will want to keep the old signing key, either by using the `existingSecret` + ## configuration, or by including the old key under `extraConfig.old_signing_keys` + ## + ## If you lose your signing key then any federation traffic from your instance + ## might not be trusted any more by the wider network. + ## + ## After the initial install, the job should be disabled to speed up subsequent upgrades. + ## + job: + enabled: true + + ## Annotations to apply to the signing-key-job. + ## + annotations: {} + + publishImage: + registry: docker.io + repository: bitnami/kubectl + tag: latest + pullPolicy: IfNotPresent + + ## Specify an existing signing key secret, will need to be created in advance. 
+ ## + # existingSecret: secret-name + # existingSecretKey: signing.key + + ## Resources to apply to the signing key generation job + ## + resources: {} + # limits: + # cpu: 100m + # memory: 250Mi + # requests: + # cpu: 100m + # memory: 250Mi + +## Matrix configuration values that affect other parts of the chart, for any +## value not handled by this block, you will want to instead set it in +## extraConfig below. +## Ref: https://github.com/matrix-org/synapse/blob/develop/docs/sample_config.yaml +## +config: + ## The publicly accessible URL for the Synapse instance, will default to + ## https://. + ## + # publicBaseurl: 'https://matrix.example.com' + + ## The log level for Synapse and all modules. + ## + # logLevel: INFO + + ## Should usage stats be reported + ## + reportStats: false + + ## Protect registration with recaptcha. (optional) + ## + # recaptcha: + # publicKey: '' + # privateKey: '' + + ## URIs and secret key for TURN servers to use to help establish 1:1 WebRTC + ## calls. + ## + # turnUris: [] + # turnSecret: '' + + ## Registration configuration, note that registration with the + ## container-internal register_new_matrix_user tool is always possible. + ## + # enableRegistration: false + + ## NB; this value will default to a random string if not specified. + # registrationSharedSecret: '' + + ## NB; Strongly recommended to set this to a secure value. + # macaroonSecretKey: '' + + # -- A set of trusted servers to contact if another server doesn't respond to a signing key request. + trustedKeyServers: + - server_name: matrix.org + # verify_keys: + # "ed25519:auto": "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw" + + # -- The bind addresses to use for the default listeners + bindAddresses: + - '::' + + ## Extra listeners to configure. + ## + extraListeners: [] + # - port: 9000 + # bind_addresses: ['::'] + # type: manhole + + ## Extra listener types to add onto the main listener. 
+ ## + extraMainListenerTypes: [] + # - consent + + ## Logging + # use TerseJsonFormatter structured logging + # Ref: https://matrix-org.github.io/synapse/latest/structured_logging.html + useStructuredLogging: false + +## Specify arbitrary Synapse configuration here; +## Ref: https://github.com/matrix-org/synapse/blob/develop/docs/sample_config.yaml +## +extraConfig: {} +# old_signing_keys: +# "ed25519:id": { key: "base64string", expired_ts: 123456789123 } +# use_presence: false +# enable_search: false +# federation_domain_whitelist: +# - lon.example.com +# - nyc.example.com +# - syd.example.com +# dynamic_thumbnails: true + +## Specify additional loggers configutation here; +## Ref: https://matrix-org.github.io/synapse/latest/structured_logging.html +extraLoggers: {} +# synapse.storage.SQL: +# level: WARNING + +## Specify arbitrary - secret - Synapse configuration here; +## These values will be stored in secrets instead of configmaps +## Ref: https://github.com/matrix-org/synapse/blob/develop/docs/sample_config.yaml +## +extraSecrets: {} +# password_config: +# pepper: '' + +## Configuration to apply to the main Synapse pod. +## +synapse: + ## Only really applicable when the deployment has an RWO PV attached (e.g. when media repository + ## is enabled for the main Synapse pod) + ## Since replicas = 1, an update can get "stuck", as the previous pod remains attached to the + ## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will + ## terminate the single previous pod, so that the new, incoming pod can attach to the PV + ## + strategy: + type: RollingUpdate + + ## Annotations to apply to the main Synapse pod. + ## + annotations: {} + # prometheus.io/scrape: "true" + # prometheus.io/path: "/_synapse/metrics" + # prometheus.io/port: "9090" + + ## Labels to apply to the main Synapse pod. 
+ ## + labels: {} + + ## Additional environment variables to apply to the main Synapse pod + ## + extraEnv: [] + # - name: LD_PRELOAD + # value: /usr/lib/x86_64-linux-gnu/libjemalloc.so.2 + # - name: SYNAPSE_CACHE_FACTOR + # value: "2" + + ## Additional volumes to mount into Synapse + ## + extraVolumes: [] + # - name: spamcheck + # flexVolume: + # driver: ananace/git-live + # options: + # repo: https://github.com/company/synapse-module + # interval: 1d + # readOnly: true + extraVolumeMounts: [] + # - name: spamcheck + # mountPath: /usr/local/lib/python3.7/site-packages/company + + ## Extra commands to run when starting Synapse + ## + extraCommands: [] + # - 'apt-get update -yqq && apt-get install patch -yqq' + # - 'patch -d/usr/local/lib/python3.7/site-packages/synapse -p2 < /synapse/patches/something.patch' + + ## Configuration for the pod security policy, Synapse will by always run as + ## its own user, even if not set. + ## Note that changing this may also require you to use the volumePermission + ## helper depending on your storage. + ## + ## NB; The synapse install is currently unable to run as anything but UID:GID + ## 666:666. + ## + podSecurityContext: {} + # fsGroup: 666 + # runAsGroup: 666 + # runAsUser: 666 + + ## Configuration for the container security policy, refer to the above + ## podSecurityContext for more relevant information. + ## + securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 666 + + ## Resources to apply to the main Synapse pod. 
+ ## + resources: {} + # limits: + # cpu: 1000m + # memory: 2500Mi + # requests: + # cpu: 1000m + # memory: 2500Mi + + ## Liveness probe configuration to use + ## + livenessProbe: + httpGet: + path: /health + port: http + + ## Readiness probe configuration to use + ## + readinessProbe: + httpGet: + path: /health + port: http + + ## Startup probe configuration to use + ## + startupProbe: + failureThreshold: 12 + httpGet: + path: /health + port: http + + ## Node selectors to set for the main Synapse pod. + ## + nodeSelector: {} + + ## Tolerations to set for the main Synapse pod. + ## + tolerations: [] + + ## Affinity to set for the main Synapse pod. + ## + affinity: {} + +## Configuration for handling Synapse workers, which are useful for handling +## high-load deployments. +## +## More information is available at; +## https://github.com/matrix-org/synapse/blob/master/docs/workers.md +## +workers: + ## Default configuration, this is inherited into all workers, and can also be + ## overriden on each worker type. + ## + default: + ## The number of worker replicas, note that some workers require special + ## handling. Refer to the information URL above. + ## + replicaCount: 1 + + ## Update strategy - only really applicable for deployments with RWO PVs attached (e.g. media repository) + ## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the + ## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will + ## terminate the single previous pod, so that the new, incoming pod can attach to the PV + ## + strategy: + type: RollingUpdate + + ## A specific name for this worker, can't be set globally. + ## Note that this can only be set when replicaCount is 1 + # name: + + ## Additional configuration to set for the worker, can't be set globally. + # extraConfig: {} + + ## Annotations to apply to the worker. 
+ ## + annotations: {} + # prometheus.io/scrape: "true" + # prometheus.io/path: /_synapse/metrics + # prometheus.io/port: 9090 + + ## Additional environment variables to add to the worker. + ## + extraEnv: [] + # - name: LD_PRELOAD + # value: /usr/lib/x86_64-linux-gnu/libjemalloc.so.2 + # - name: SYNAPSE_CACHE_FACTOR + # value: "1.0" + + ## Additional volumes to add to the worker. + ## Useful for the media repo, or for adding Python modules. + ## + volumes: [] + volumeMounts: [] + + ## Extra commands to run when starting Synapse + ## + extraCommands: [] + # - 'apt-get update -yqq && apt-get install patch -yqq' + # - 'patch -d/usr/local/lib/python3.7/site-packages/synapse -p2 < /synapse/patches/something.patch' + + ## Security context information to set to the worker. + ## + podSecurityContext: {} + # fsGroup: 666 + # runAsGroup: 666 + # runAsUser: 666 + + ## Container security context information to set to the worker. + ## + securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 666 + + ## Resources to apply to the worker. + ## + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + ## Liveness probe configuration to use + ## + livenessProbe: + httpGet: + path: /health + port: metrics + + ## Readiness probe configuration to use + ## + readinessProbe: + httpGet: + path: /health + port: metrics + + ## Readiness probe configuration to use + ## Defaults to allowing workers 60 seconds to start up + ## + startupProbe: + failureThreshold: 6 + httpGet: + path: /health + port: metrics + + ## Node selector configuration to set on the worker. + ## + nodeSelector: {} + + ## Toleration configuration to set on the worker. + ## + tolerations: [] + + ## Affinity configuration to set on the worker. + ## + affinity: {} + + ## The generic worker can be used to handle most endpoints. 
+ ## Be careful when enabling the sync endpoints as they can eat large amounts of + ## resources. Refer to the information URL above for more info. + ## Proper load balancing with the K8s Ingress resource may not be possible. + ## + generic_worker: + enabled: false + generic: true + listeners: [client, federation] + csPaths: + ## Sync requests + # - "/_matrix/client/(r0|v3)/sync$" + - "/_matrix/client/(api/v1|r0|v3)/events$" + # - "/_matrix/client/(api/v1|r0|v3)/initialSync$" + # - "/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$" + + ## Client API requests + - "/_matrix/client/(api/v1|r0|v3|unstable)/createRoom$" + - "/_matrix/client/(api/v1|r0|v3|unstable)/publicRooms$" + - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/joined_members$" + - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/context/" + - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/members$" + - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state$" + - "/_matrix/client/v1/rooms/.*/hierarchy$" + - "/_matrix/client/unstable/org.matrix.msc2716/rooms/.*/batch_send$" + - "/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$" + - "/_matrix/client/(r0|v3|unstable)/account/3pid$" + - "/_matrix/client/(r0|v3|unstable)/account/whoami$" + - "/_matrix/client/(r0|v3|unstable)/devices$" + - "/_matrix/client/versions$" + - "/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer$" + - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/event/" + - "/_matrix/client/(api/v1|r0|v3|unstable)/joined_rooms$" + - "/_matrix/client/(api/v1|r0|v3|unstable)/search$" + + ## Encryption requests + - "/_matrix/client/(r0|v3|unstable)/keys/query$" + - "/_matrix/client/(r0|v3|unstable)/keys/changes$" + - "/_matrix/client/(r0|v3|unstable)/keys/claim$" + - "/_matrix/client/(r0|v3|unstable)/room_keys/" + + ## Registration/login requests + - "/_matrix/client/(api/v1|r0|v3|unstable)/login$" + - "/_matrix/client/(r0|v3|unstable)/register$" + - "/_matrix/client/v1/register/m.login.registration_token/validity$" 
+ + ## Event sending requests + - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/redact" + - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/send" + - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state/" + - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$" + - "/_matrix/client/(api/v1|r0|v3|unstable)/join/" + - "/_matrix/client/(api/v1|r0|v3|unstable)/profile/" + + ## User directory search requests + - "/_matrix/client/(r0|v3|unstable)/user_directory/search" + + ## Worker event streams + ## See https://matrix-org.github.io/synapse/latest/workers.html#stream-writers + ## + + ## The typing event stream + # - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/typing" + + ## The to_device event stream + # - "/_matrix/client/(r0|v3|unstable)/sendToDevice/" + + ## The account_data event stream + # - "/_matrix/client/(r0|v3|unstable)/.*/tags" + # - "/_matrix/client/(r0|v3|unstable)/.*/account_data" + + ## The receipts event stream + # - "/_matrix/client/(r0|v3|unstable)/rooms/.*/receipt" + # - "/_matrix/client/(r0|v3|unstable)/rooms/.*/read_markers" + + ## The presence event stream + # - "/_matrix/client/(api/v1|r0|v3|unstable)/presence/" + + paths: + ## Federation requests + - "/_matrix/federation/v1/event/" + - "/_matrix/federation/v1/state/" + - "/_matrix/federation/v1/state_ids/" + - "/_matrix/federation/v1/backfill/" + - "/_matrix/federation/v1/get_missing_events/" + - "/_matrix/federation/v1/publicRooms" + - "/_matrix/federation/v1/query/" + - "/_matrix/federation/v1/make_join/" + - "/_matrix/federation/v1/make_leave/" + - "/_matrix/federation/(v1|v2)/send_join/" + - "/_matrix/federation/(v1|v2)/send_leave/" + - "/_matrix/federation/(v1|v2)/invite/" + - "/_matrix/federation/v1/event_auth/" + - "/_matrix/federation/v1/exchange_third_party_invite/" + - "/_matrix/federation/v1/user/devices/" + - "/_matrix/key/v2/query" + - "/_matrix/federation/v1/hierarchy/" + + ## Inbound federation transaction request + - 
"/_matrix/federation/v1/send/" + + ## To separate the generic worker into specific concerns - for example federation transaction receiving; + ## NB; This worker should have incoming traffic routed based on source IP, which is + ## left as an exercise to the reader. + ## https://github.com/matrix-org/synapse/blob/develop/docs/workers.md#load-balancing + # federation_reader: + # enabled: true + # generic: true + # listeners: [federation] + # paths: + # - "/_matrix/federation/v1/send/" + + ## Or /sync handling. + ## NB; Care should be taken to route users to the same instance when scaling this worker, + ## this is left as an exercise to the reader. + ## https://github.com/matrix-org/synapse/blob/develop/docs/workers.md#load-balancing + # synchrotron: + # enabled: true + # generic: true + # listeners: [client] + # csPaths: + # - "/_matrix/client/(v2_alpha|r0|v3)/sync$" + # - "/_matrix/client/(api/v1|v2_alpha|r0|v3)/events$" + # - "/_matrix/client/(api/v1|r0|v3)/initialSync$" + # - "/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$" + + ## Specialized - non-generic workers below; + + ## This worker deals with pushing notifications. + ## NB; Only one instance of this worker can be run at a time, refer to the + ## information URL above. + ## + pusher: + enabled: false + + ## This worker handles sending data to registered appservices. + ## NB; Only one instance of this worker can be run at at time, refer to the + ## information URL above. + ## + appservice: + enabled: false + generic: true + name: appservices + + ## This worker handles sending federation traffic to other Synapse servers. + ## + federation_sender: + enabled: false + + ## Specialized workers can also be run as multiple separate instances, + ## make sure to read the relevant documentation. + ## + # federation_sender_other: + # app: federation_sender + # enabled: false + + ## This worker deals with serving and storing media. + ## NB; Running multiple instances will conflict with background jobs. 
+ ## + media_repository: + enabled: false + listeners: [media] + csPaths: + - "/_matrix/media/.*" + - "/_synapse/admin/v1/purge_media_cache$" + - "/_synapse/admin/v1/room/.*/media" + - "/_synapse/admin/v1/user/.*/media" + - "/_synapse/admin/v1/media/" + - "/_synapse/admin/v1/quarantine_media/" + - "/_synapse/admin/v1/users/.*/media$" + paths: + - "/_matrix/media/.*" + + ## This worker deals with user directory searches. + ## + user_dir: + enabled: false + name: userdir + listeners: [client] + csPaths: + - "/_matrix/client/(api/v1|r0|v3|unstable)/user_directory/search$" + + ## This worker handles key uploads, and may also stub out presence if that is + ## disabled. If you set extraConfig.use_presence=false then you may want to + ## uncomment the second path. + ## + frontend_proxy: + enabled: false + listeners: [client] + csPaths: + - "/_matrix/client/(api/v1|r0|v3|unstable)/keys/upload" + # - "/_matrix/client/(api/v1|r0|v3|unstable)/presence/[^/]+/status" + +## This will set up a Lighttpd server to respond to any +## /.well-known/matrix/server requests, to make federation possible without +## adding SRV-records to DNS. +## +wellknown: + enabled: false + image: + registry: docker.io + repository: library/nginx + tag: 1.25.3 + pullPolicy: IfNotPresent + + replicaCount: 1 + podLabels: {} + podAnnotations: [] + podSecurityContext: {} + securityContext: {} + containerPort: 80 + env: [] + resources: {} + nodeSelector: {} + tolerations: [] + affinity: {} + + service: + type: ClusterIP + port: 8080 + annotations: {} + + # -- The host and port combo to serve on .well-known/matrix/server. + # m.server: matrix.example.com:443 + server: {} + + # -- Data to serve on .well-known/matrix/client. 
+ # m.homeserver:
+ # base_url: https://matrix.example.com
+ client: {}
+
+## This configuration is for setting up the internally provided Postgres server,
+## if you instead want to use an existing server, then you may want to set
+## enabled to false and configure the externalPostgresql block.
+##
+postgresql:
+ enabled: true
+
+ auth:
+ # XXX Change me!
+ password: synapse
+
+ ## Or use existing secret with "password" key
+ ## instead of static password
+ ##
+ # existingSecret: postgresql-secret
+
+ username: synapse
+ database: synapse
+
+ primary:
+ initdb:
+ args: "--lc-collate=C --lc-ctype=C"
+
+ persistence:
+ # storageClass: "-"
+ size: 16Gi
+
+ # -- set extra configuration
+ # ref: https://github.com/matrix-org/synapse/blob/develop/docs/postgres.md#synapse-config
+ # e.g. txn_limit, allow_unsafe_locale
+ options: {}
+
+ # -- Extra arguments for the database connection
+ # ref: https://github.com/matrix-org/synapse/blob/develop/docs/postgres.md#synapse-config
+ extraArgs: {}
+
+## An externally configured Postgres server to use for Synapse's database, note
+## that the database needs to have both COLLATE and CTYPE set to "C".
+##
+externalPostgresql:
+ # host: postgres
+ port: 5432
+ username: synapse
+ # password: synapse
+
+ ## The name of an existing secret with postgresql credentials
+ # existingSecret: postgres-secrets
+
+ ## Password key to be retrieved from existing secret
+ # existingSecretPasswordKey: postgres-password
+
+ database: synapse
+ # sslmode: prefer
+
+ # -- set extra configuration
+ # ref: https://github.com/matrix-org/synapse/blob/develop/docs/postgres.md#synapse-config
+ # e.g. txn_limit, allow_unsafe_locale
+ options: {}
+
+ # -- Extra arguments for the database connection
+ # ref: https://github.com/matrix-org/synapse/blob/develop/docs/postgres.md#synapse-config
+ extraArgs: {}
+
+## This configuration is for the internal Redis that's deployed for use with
+## workers/sharding, for an external Redis server you want to set enabled to
+## false and configure the externalRedis block.
+##
+redis:
+ enabled: true
+
+ ## Database ID for non-default database
+ # dbid: 0
+
+ auth:
+ enabled: true
+ # XXX Change me!
+ password: synapse
+
+ ## Or use existing secret with "redis-password" key
+ ## instead of static password
+ ##
+ # existingSecret: redis-secret
+
+ architecture: standalone
+ master:
+ kind: Deployment
+ persistence:
+ ## Note that Synapse only uses redis as a synchronization utility, so no
+ ## data will ever need to be persisted.
+ ##
+ enabled: false
+ service:
+ port: 6379
+
+## An externally configured Redis server to use for workers/sharding.
+##
+externalRedis:
+ # host: redis
+ port: 6379
+ # password: synapse
+
+ ## Database ID for non-default database
+ # dbid: 0
+
+ ## The name of an existing secret with redis credentials
+ # existingSecret: redis-secrets
+
+ ## Password key to be retrieved from existing secret
+ # existingSecretPasswordKey: redis-password
+
+## Persistence configuration for the media repository function.
+## This PVC will be mounted in either Synapse or a media_repo worker.
+##
+## NB; If you want to be able to scale this, you will have to set the
+## accessMode to RWX/ReadWriteMany.
+##
+persistence:
+ enabled: true
+ # existingClaim: synapse-data
+
+ # storageClass: "-"
+ accessMode: ReadWriteOnce
+ size: 10Gi
+
+## Set up an init container to chown the mounted media if necessary.
+##
+volumePermissions:
+ enabled: false
+
+ uid: 666
+ gid: 666
+
+ image:
+ registry: docker.io
+ repository: library/alpine
+ tag: 3.19.1
+ pullPolicy: Always
+
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ##
+ # pullSecrets:
+ # - myRegistryKeySecretName
+
+ resources: {}
+ # resources:
+ # requests:
+ # memory: 128Mi
+ # cpu: 100m
+
+## Configuration for the main Synapse service.
+## To use TLS inside Synapse itself, add an TLS listener, and change the ports
+## configured in here.
+##
+service:
+ type: ClusterIP
+ port: 8008
+ targetPort: http
+
+## The K8s ingress configuration, this will be quite heavily used in order to
+## set up all routing necessary for use with a sharded Synapse instance.
+## If you're not using a Ingress compatible K8s ingress, you will need to set up
+## your own routing instead.
+##
+ingress:
+ enabled: true
+
+ ## Generate traefik-compatible regex paths instead of nginx-compatible ones.
+ ##
+ traefikPaths: false
+
+ ## Annotations to apply to the created ingress resource.
+ ##
+ annotations: {}
+ # nginx.ingress.kubernetes.io/use-regex: "true"
+ # # Sync proxy-body-size with Synapse's max_upload_size which is 10M by default
+ # nginx.ingress.kubernetes.io/proxy-body-size: 10m
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+
+ ## Hosts to add to the ingress configuration for handling Client-to-Server
+ ## API request paths.
+ ##
+ ## NB; config.serverName is included if includeServerName is set. (default)
+ ##
+ csHosts: []
+ # - matrix.example.com
+
+ ## Additional hosts to add to the ingress configuration for handling
+ ## Server-to-Server API requests.
+ ##
+ ## NB; config.serverName is included if includeServerName is set. (default)
+ ##
+ hosts: []
+ # - example.com
+
+ ## Additional hosts to add to the ingress configuration for handling
+ ## well-known requests.
+ ##
+ ## NB; config.serverName is included if includeServerName is set. (default)
+ ##
+ wkHosts: []
+ # - example.com
+
+ ## Additional paths to add to the Server-to-Server ingress blocks, will be
+ ## inserted before the /_matrix catch-all path.
+ ##
+ paths: []
+ # # K8s 1.19+
+ # - path: /_matrix/media
+ # pathType: Prefix
+ # backend:
+ # service:
+ # name: matrix-media-repo
+ # port: 8000
+ # # K8s <1.19
+ # - path: /_matrix/media
+ # backend:
+ # serviceName: matrix-media-repo
+ # servicePort: 8000
+
+ ## Additional paths to add to the Client-to-Server ingress blocks, will be
+ ## inserted before the /_matrix and /_synapse catch-all paths.
+ ##
+ csPaths: []
+ # # K8s 1.19+
+ # - path: /_matrix/media
+ # pathType: Prefix
+ # backend:
+ # service:
+ # name: matrix-media-repo
+ # port:
+ # number: 8000
+ # # K8s <1.19
+ # - path: /_matrix/media
+ # backend:
+ # serviceName: matrix-media-repo
+ # servicePort: 8000
+
+ ## Should the /_synapse path be included in the ingress, admin APIs are
+ ## provided under this path.
+ ##
+ includeUnderscoreSynapse: true
+
+ ## Should config.serverName be included in the list of ingress paths, can be
+ ## set to false if the main domain is managed in some external way.
+ ##
+ includeServerName: true
+
+ ## TLS configuration to include in the ingress configuration
+ ##
+ tls: []
+ # - secretName: chart-example-tls
+ # hosts:
+ # - example.com
+ # - matrix.example.com
+
+ ## Set the name of the IngressClass cluster resource (optional)
+ ## https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressSpec
+ # className: can-be-anything
+
+## Specifies whether a service account should be created, and annotations to add.
+##
+serviceAccount:
+ create: false
+ annotations: {}
+ # eks.amazonaws.com/role-arn: arn:aws:iam::000000000000:role/matrix-synapse
+ # name: non-default-service-name
