Clean up WIP synapse chart

This commit is contained in:
Alexander Olofsson 2020-08-09 11:16:36 +02:00
parent a612b3b553
commit 18be04438f
No known key found for this signature in database
GPG key ID: D439C9470CB04C73
13 changed files with 653 additions and 409 deletions

View file

@ -13,4 +13,46 @@ Matrix Synapse
## Installing
To run a federating Matrix server, you need to have a publicly accessible subdomain that Kubernetes has an ingress on.
You will also require some federation guides, either in the form of a `.well-known/matrix/server` server or as an SRV record in DNS.
When using a well-known entry, you will need to have a valid cert for whatever subdomain you wish to serve Synapse on.
When using an SRV record, you will additionally need a valid cert for the main domain that you're using for your MXIDs.
## Installation Examples
Refer to [the main Synapse docs](https://github.com/matrix-org/synapse/blob/master/docs/federate.md) for more information.
### On main domain / with subdomain MXIDs
For the simplest possible Matrix install, you can run your Synapse install on the root of the domain you wish in your MXIDs.
If you - for instance - own the domain `chosenin.space` and want to run Matrix on it, you would simply install the chart as;
helm install matrix-synapse --set config.serverName=chosenin.space --set wellknown.enabled=true
This would set up Synapse with client-server and federation both exposed on `chosenin.space/_matrix`, as well as a tiny lighttpd server that responds to federation lookups on `chosenin.space/.well-known/matrix/server`.
You can also use this to run a Synapse on a subdomain, with said subdomain as part of your MXIDs; (`@user:matrix.chosenin.space` in this case)
helm install matrix-synapse --set config.serverName=matrix.chosenin.space --set wellknown.enabled=true
### On separate subdomain
If - on the other hand - you own the domain `example.com`, want your MXIDs in the form `@user:example.com`, but still want to run your Synapse on `matrix.example.com`. Then you have two options, using either DNS or well-known;
For DNS, you could install the chart as;
helm install matrix-synapse --set config.serverName=example.com --set config.publicBaseUrl=https://matrix.example.com --set ingress.includeServerName=false --set ingress.hosts={example.com} --set ingress.csHosts={matrix.example.com}
This will add only federation endpoints to `example.com`, along with client endpoints on `matrix.example.com`. You will also need to have valid certs for both `example.com` as well as `matrix.example.com` for your Synapse to use.
To get federation working with such a setup, you would need to add an SRV record to your DNS - for example;
`_matrix._tcp.example.com 10 1 443 matrix.example.com`
If you want to use a well-known file for federation instead, then your install might look more like;
helm install matrix-synapse --set config.serverName=example.com --set config.publicBaseUrl=https://matrix.example.com --set wellknown.enabled=true --set wellknown.host=matrix.example.com --set ingress.includeServerName=false --set ingress.hosts={matrix.example.com} --set ingress.csHosts={matrix.example.com} --set ingress.wkHosts={example.com}
With well-known federation, your client-to-server/public host is the one that needs to handle both client and federation traffic. On your main domain you'll instead only need something that can respond with a JSON file on the URL `example.com/.well-known/matrix/server`, which the included wellknown server will do.
When using well-known federation, your Synapse cert would only need to be valid for `matrix.example.com`.

View file

@ -1,9 +1,10 @@
** Note, this chart may take a while to finish setup, please be patient **
{{- if not .Values.ingress.enabled }}
Synapse has been installed without an ingress, you will need to manage
accesses to the services yourself.
{{- else }}
Your Synapse install is now starting, you should soon be able to access it on
the following URL(s);
{{- range (concat .Values.ingress.hosts (list .Values.config.serverName)) }}
@ -19,6 +20,7 @@ set up a /.well-known/matrix/server response.
Refer to https://github.com/matrix-org/synapse/blob/master/docs/federate.md
for more information.
{{- end }}
{{- end }}
{{- if .Values.config.enableRegistration }}
You should be able to connect to your Synapse install with any compatible
@ -30,6 +32,6 @@ You can create a user in your new Synapse install by running the following
command;
{{- end }}
kubectl exec --namespace {{ .Release.Namespace }} {{ template "matrix-synapse" . }} -- register_new_matrix_user -c /synapse/config/homeserver.yaml -c /synapse/config/conf.d/secrets.yaml -u USERNAME -p PASSWORD --admin http://localhost:8008
kubectl exec --namespace {{ .Release.Namespace }} {{ template "matrix-synapse.fullname" . }} -- register_new_matrix_user -c /synapse/config/homeserver.yaml -c /synapse/config/conf.d/secrets.yaml -u USERNAME -p PASSWORD --admin http://localhost:8008
You can also specify --no-admin to create a non-admin user.

View file

@ -25,21 +25,29 @@ If release name contains chart name it will be used as a full name.
{{- end -}}
{{/*
Create a default fully qualified app name.
Create a default replication name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "matrix-synapse.replicationname" -}}
{{- printf "%s-%s-%s" .Release.Name .Chart.Name "matrix-synapse-replication" | trunc 63 | trimSuffix "-" -}}
{{- printf "%s-%s-%s" .Release.Name .Chart.Name "replication" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
Create a default worker name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "matrix-synapse.workername" -}}
{{- printf "%s-%s-%s" .global.Release.Name .global.Chart.Name .worker | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default external component name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "matrix-synapse.externalname" -}}
{{- printf "%s-%s" .global.Release.Name .external | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
@ -74,6 +82,24 @@ app.kubernetes.io/name: {{ include "matrix-synapse.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}
{{/*
Pull secrets
*/}}
{{- define "matrix-synapse.imagePullSecrets" -}}
{{- if or .Values.image.pullSecrets .Values.wellknown.image.pullSecrets .Values.volumePermissions.pullSecrets }}
imagePullSecrets:
{{- with .Values.image.pullSecrets }}
{{- . | toYaml | nindent 2 }}
{{- end }}
{{- with .Values.wellknown.image.pullSecrets }}
{{- . | toYaml | nindent 2 }}
{{- end }}
{{- with .Values.volumePermissions.image.pullSecrets }}
{{- . | toYaml | nindent 2 }}
{{- end }}
{{- end -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).

View file

@ -20,12 +20,12 @@ data:
class: logging.StreamHandler
formatter: precise
filters: [context]
level: {{ .Values.config.logLevel }}
level: {{ .Values.config.logLevel | default "INFO" }}
loggers:
synapse:
level: {{ .Values.config.logLevel }}
level: {{ .Values.config.logLevel | default "INFO" }}
root:
level: {{ .Values.config.logLevel }}
level: {{ .Values.config.logLevel | default "INFO" }}
handlers: [console]
homeserver.yaml: |
# NOTE:
@ -116,22 +116,22 @@ data:
url_preview_enabled: false
max_spider_size: "10M"
{{- if .Values.config.recaptcha }}
## Captcha ##
recaptcha_public_key: {{ .Values.config.recaptcha.publicKey | quote }}
enable_registration_captcha: True
enable_registration_captcha: true
recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify"
{{- end }}
{{- if .Values.config.turnUris }}
## Turn ##
turn_uris:
{{ toYaml .Values.config.turnUris | nindent 6 }}
turn_user_lifetime: "1h"
turn_allow_guests: True
turn_allow_guests: true
{{- end }}
## Registration ##
@ -143,7 +143,7 @@ data:
## Metrics ###
enable_metrics: True
enable_metrics: true
report_stats: {{ .Values.config.reportStats | default false }}
## API Configuration ##
@ -167,7 +167,6 @@ data:
servers: {{- .Values.config.perspectiveServers | toYaml | nindent 8 }}
## Workers ##
{{- $default := .Values.workers.default }}
{{- range $worker, $config := .Values.workers }}
{{- if $config.enabled }}
@ -184,42 +183,9 @@ data:
{{- end }}
{{- end }}
{{- end }}
{{- with .Values.extraConfig }}
## Extra config ##
{{ . | toYaml | nindent 4 }}
{{- end }}
{{- $default := .Values.workers.default -}}
{{- range $worker, $config := .Values.workers -}}
{{- if $config.enabled -}}
{{- $name := $worker | replace "_" "-" }}
{{ $name }}.worker: |
worker_app: "synapse.app.{{ $worker }}"
worker_main_http_uri: http://{{ include "matrix-synapse.fullname" $ }}:8008
worker_replication_host: {{ include "matrix-synapse.replicationname" $ | quote }}
worker_replication_http_port: 9093
worker_listeners:
- type: http
bind_addresses: ['0.0.0.0']
tls: false
port: 9090
resources:
- names: [metrics]
compress: false
{{- if $config.listeners }}
- type: http
tls: false
port: 8083
resources:
- names: {{- toYaml $config.listeners | nindent 14 }}
compress: false
{{- end }}
worker_log_config: /synapse/config/log.yaml
{{- end }}
{{- end }}

View file

@ -11,7 +11,7 @@ metadata:
{{- include "matrix-synapse.labels" . | nindent 4 }}
app.kubernetes.io/component: synapse
spec:
replicas: {{ .Values.replicaCount }}
replicas: 1
selector:
matchLabels:
{{- include "matrix-synapse.selectorLabels" . | nindent 6 }}
@ -21,24 +21,21 @@ spec:
annotations:
checksum/config: {{ include (print $.Template.BasePath "/configuration.yaml") . | sha256sum }}
checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
{{- with .Values.annotations }}
{{- with .Values.synapse.annotations }}
{{ . | toYaml | nindent 8 }}
{{- end }}
labels:
{{- include "matrix-synapse.selectorLabels" . | nindent 8 }}
app.kubernetes.io/component: synapse
{{- with .Values.labels }}
{{- with .Values.synapse.labels }}
{{ . | toYaml | nindent 8 }}
{{- end }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- include "matrix-synapse.imagePullSecrets" . | nindent 6 }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
{{- toYaml .Values.synapse.podSecurityContext | nindent 8 }}
containers:
- name: {{ .Chart.Name }}
- name: synapse
command:
- sh
- -c
@ -69,10 +66,10 @@ spec:
{{- with .Values.extraEnv }}
{{ . | toYaml }}
{{- end }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ include "matrix-synapse.imageTag" . }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
ports:
- name: http
containerPort: 8008
@ -113,9 +110,9 @@ spec:
secretName: {{ include "matrix-synapse.fullname" . }}
- name: signingkey
secret:
secretName: {{ default .Values.signingkey.existingSecret (include "matrix-synapse.workername" (dict "global" . "worker" "signingkey")) | quote }}
secretName: {{ .Values.signingkey.existingSecret | default (include "matrix-synapse.workername" (dict "global" . "worker" "signingkey")) | quote }}
items:
- key: {{ default .Values.signingkey.existingSecretKey "signing.key" | quote }}
- key: {{ .Values.signingkey.existingSecretKey | default "signing.key" | quote }}
path: signing.key
- name: tmpconf
emptyDir: {}
@ -129,7 +126,7 @@ spec:
{{- end }}
{{- if and .Values.persistence.enabled (not $mediaworker) }}
persistentVolumeClaim:
claimName: {{ default .Values.persistence.existingClaim (include "matrix-synapse.fullname" .) }}
claimName: {{ .Values.persistence.existingClaim | default (include "matrix-synapse.fullname" .) }}
{{- else }}
emptyDir: {}
{{- end }}
@ -145,164 +142,3 @@ spec:
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- $default := .Values.workers.default }}
{{- range $worker, $config := .Values.workers }}
{{- if $config.enabled }}
{{- $name := $worker | replace "_" "-" }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "matrix-synapse.workername" (dict "global" $ "worker" $name) }}
labels:
{{- include "matrix-synapse.labels" $ | nindent 4 }}
app.kubernetes.io/component: {{ $name }}
spec:
replicas: {{ $config.replicaCount | default $default.replicaCount }}
selector:
matchLabels:
{{- include "matrix-synapse.selectorLabels" $ | nindent 6 }}
app.kubernetes.io/component: {{ $name }}
template:
metadata:
annotations:
checksum/config: {{ include (print $.Template.BasePath "/configuration.yaml") $ | sha256sum }}
checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") $ | sha256sum }}
{{- with ($config.annotations | default $default.annotations) }}
{{ . | toYaml | nindent 8 }}
{{- end }}
labels:
{{- include "matrix-synapse.selectorLabels" $ | nindent 8 }}
app.kubernetes.io/component: {{ $name }}
{{- with ($config.labels | default $default.labels) }}
{{ . | toYaml | nindent 8 }}
{{- end }}
spec:
{{- with $.Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
securityContext:
{{- $config.podSecurityContext | default $default.podSecurityContext | toYaml | nindent 8 }}
{{- if and $needsVolumePermissions (eq $name "media-repository") }}
initContainers:
- name: volume-permissions
command: ["chown", "-R", "666:666", "/synapse/data"]
image: "{{ $.Values.volumePermissions.repository }}:{{ $.Values.volumePermissions.tag }}"
imagePullPolicy: {{ $.Values.volumePermissions.pullPolicy }}
securityContext:
runAsUser: 0
resources: {{ $.Values.volumePermissions.resources | toYaml | nindent 10 }}
volumeMounts:
- name: media
mountPath: /synapse/data
{{- end }}
containers:
- name: {{ $name }}
command:
- sh
- -c
- |
cat /synapse/secrets/*.yaml | \
sed -e "s/@@POSTGRES_PASSWORD@@/${POSTGRES_PASSWORD:-}/" \
-e "s/@@REDIS_PASSWORD@@/${REDIS_PASSWORD:-}/" \
> /synapse/config/conf.d/secrets.yaml
/matrix-synapse synapse.app.{{ $worker }} -c /synapse/config/{{ $name }}.worker
env:
{{- if $.Values.postgresql.enabled }}
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "matrix-synapse.postgresql.fullname" $ }}
key: postgresql-password
{{- end }}
{{- if and $.Values.redis.enabled (default $.Values.redis.usePassword true) }}
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "matrix-synapse.redis.fullname" $ }}
key: redis-password
{{- end }}
{{- with default $config.extraEnv $default.extraEnv }}
{{ . | toYaml }}
{{- end }}
securityContext:
{{- $config.securityContext | default $default.securityContext | toYaml | nindent 12 }}
image: "{{ $.Values.image.repository }}:{{ $.Chart.AppVersion }}"
imagePullPolicy: {{ $.Values.image.pullPolicy }}
ports:
- name: metrics
containerPort: 9090
protocol: TCP
{{- if $config.listeners }}
- name: listener
containerPort: 8083
protocol: TCP
livenessProbe:
tcpSocket:
port: listener
readinessProbe:
tcpSocket:
port: listener
{{- end }}
resources:
{{- $config.resources | default $default.resources | toYaml | nindent 12 }}
volumeMounts:
- name: config
mountPath: /synapse/config
- name: tmpconf
mountPath: /synapse/config/conf.d
- name: secrets
mountPath: /synapse/secrets
- name: signingkey
mountPath: /synapse/keys
{{- if eq $name "media-repository" }}
- name: media
mountPath: /synapse/data
{{- end }}
{{- with $config.volumeMounts | default $default.volumeMounts }}
{{ . | toYaml | nindent 12 }}
{{- end }}
{{- with $config.nodeSelector | default $default.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $config.affinity | default $default.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $config.tolerations | default $default.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: config
configMap:
name: {{ include "matrix-synapse.fullname" $ }}
- name: secrets
secret:
secretName: {{ include "matrix-synapse.fullname" $ }}
- name: signingkey
secret:
secretName: {{ default $.Values.signingkey.existingSecret (include "matrix-synapse.workername" (dict "global" $ "worker" "signingkey")) | quote }}
items:
- key: {{ default $.Values.signingkey.existingSecretKey "signing.key" | quote }}
path: signing.key
- name: tmpconf
emptyDir: {}
{{- if eq $name "media-repository" }}
- name: media
{{- if $.Values.persistence.enabled }}
persistentVolumeClaim:
claimName: {{ default $.Values.persistence.existingClaim (include "matrix-synapse.fullname" $) }}
{{- else }}
emptyDir: {}
{{- end }}
{{- end }}
{{- with $config.volumes }}
{{ . | toYaml | nindent 8 }}
{{- end }}
{{- end }}
{{- end }}

View file

@ -1,6 +1,6 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "matrix-synapse.fullname" . -}}
{{- $wkName := include "matrix-synapse.workername" (dict "global" . "worker" "wellknown-lighttpd") -}}
{{- $wkName := include "matrix-synapse.externalname" (dict "global" . "external" "wellknown-lighttpd") -}}
{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
@ -27,51 +27,88 @@ spec:
{{- end }}
{{- end }}
rules:
{{- $hosts := .Values.ingress.hosts }}
{{- if default .Values.ingress.includeServerName true }}
{{- $hosts = concat (list .Values.config.serverName) $hosts }}
{{- $csHosts := .Values.ingress.csHosts }}
{{- if .Values.ingress.includeServerName }}
{{- $csHosts = concat (list .Values.config.serverName) $csHosts }}
{{- end }}
{{- $s2sHosts := .Values.ingress.hosts }}
{{- if .Values.ingress.includeServerName }}
{{- $s2sHosts = concat (list .Values.config.serverName) $s2sHosts }}
{{- end }}
{{- $wkHosts := .Values.ingress.wkHosts }}
{{- if .Values.ingress.includeServerName }}
{{- $wkHosts = concat (list .Values.config.serverName) $wkHosts }}
{{- end }}
{{- $hosts := uniq (concat $s2sHosts $csHosts $wkHosts) }}
{{- range $hosts }}
{{- $host := . }}
- host: {{ . | quote }}
http:
paths:
{{- $default := $.Values.workers.default }}
{{- range $worker, $config := $.Values.workers }}
{{- $name := $worker | replace "_" "-" }}
{{- if and $config.enabled $config.listeners $config.paths }}
{{- if and $config.enabled $config.listeners (or $config.paths $config.csPaths) }}
{{- $service := include "matrix-synapse.workername" (dict "global" $ "worker" $name) }}
{{- range $config.paths }}
{{- if $.Values.ingress.traefikPaths }}
{{- if has $host $csHosts }}
{{- range $config.csPaths }}
{{- if $.Values.ingress.traefikPaths }}
- path: {{ printf "/{path:%s}" (trimPrefix "/" .) | quote }}
backend:
serviceName: {{ $service }}
servicePort: 8083
{{- else }}
{{- else }}
- path: {{ . | quote }}
backend:
serviceName: {{ $service }}
servicePort: 8083
{{- end }}
{{- end }}
{{- end }}
{{- if has $host $s2sHosts }}
{{- range $config.paths }}
{{- if $.Values.ingress.traefikPaths }}
- path: {{ printf "/{path:%s}" (trimPrefix "/" .) | quote }}
backend:
serviceName: {{ $service }}
servicePort: 8083
{{- else }}
- path: {{ . | quote }}
backend:
serviceName: {{ $service }}
servicePort: 8083
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- if has . $csHosts }}
{{- with $.Values.ingress.csPaths }}
{{ . | toYaml | nindent 10 }}
{{- end }}
{{- end }}
{{- if has . $s2sHosts }}
{{- with $.Values.ingress.paths }}
{{ . | toYaml | nindent 10 }}
{{- end }}
{{- end }}
{{- if or (has . $csHosts) (has . $s2sHosts) }}
- path: /_matrix
backend:
serviceName: {{ $fullName }}
servicePort: 8008
{{- end }}
{{- if $.Values.ingress.includeUnderscoreSynapse }}
{{- if and (has . $csHosts) $.Values.ingress.includeUnderscoreSynapse }}
- path: /_synapse
backend:
serviceName: {{ $fullName }}
servicePort: 8008
{{- end }}
{{- if has . $wkHosts }}
- path: /.well-known/matrix/client
backend:
serviceName: {{ $fullName }}
@ -83,5 +120,6 @@ spec:
serviceName: {{ $wkName }}
servicePort: 80
{{- end }}
{{- end }}
{{- end }}
{{- end }}

View file

@ -12,26 +12,30 @@ stringData:
recaptcha_private_key: {{ .Values.config.recaptcha.privateKey | quote }}
{{- end }}
{{- if .Values.config.turnSecret }}
## Turn ##
turn_shared_secret: {{ .Values.config.turnSecret | quote }}
{{- end }}
{{- end }}
## Registration ##
registration_shared_secret: {{ .Values.config.registrationSharedSecret | default (randAlphaNum 24) | quote }}
## API Configuration ##
macaroon_secret_key: {{ required "You must specify a macaroon as config.macaroonSecretKey" .Values.config.macaroonSecretKey | quote }}
{{- if .Values.config.macaroonSecretKey }}
macaroon_secret_key: {{ .Values.config.macaroonSecretKey | quote }}
{{- end }}
{{- $postgresHost := include "matrix-synapse.postgresql.host" . }}
{{- $postgresDB := include "matrix-synapse.postgresql.database" . }}
{{- $postgresUser := include "matrix-synapse.postgresql.username" . }}
{{- $postgresPort := include "matrix-synapse.postgresql.port" . }}
{{- $postgresPass := include "matrix-synapse.postgresql.password" . }}
## Database configuration ##
database:
@ -52,6 +56,7 @@ stringData:
{{- $redisHost := include "matrix-synapse.redis.host" . }}
{{- $redisPort := include "matrix-synapse.redis.port" . }}
{{- $redisPass := include "matrix-synapse.redis.password" . }}
## Redis configuration ##
redis:

View file

@ -26,7 +26,7 @@ rules:
resources:
- secrets
resourceNames:
- {{ $secretName }}
- {{ $secretName }}
verbs:
- get
- update

View file

@ -4,7 +4,7 @@ kind: Pod
metadata:
name: "{{ include "matrix-synapse.fullname" . }}-test-connection"
labels:
{{ include "matrix-synapse.labels" . | nindent 4 }}
{{- include "matrix-synapse.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": test-success
spec:

View file

@ -1,5 +1,5 @@
{{- if .Values.wellknown.enabled }}
{{- $wkName := include "matrix-synapse.workername" (dict "global" . "worker" "wellknown-lighttpd") -}}
{{- $wkName := include "matrix-synapse.externalname" (dict "global" . "external" "wellknown-lighttpd") -}}
---
apiVersion: v1
kind: ConfigMap
@ -10,9 +10,6 @@ metadata:
component: well-known
data:
lighttpd.conf: |
var.basedir = "/var/www/localhost"
var.logdir = "/var/log/lighttpd"
var.statedir = "/var/lib/lighttpd"
server.modules = (
"mod_rewrite",
"mod_status",
@ -21,13 +18,13 @@ data:
include "mime-types.conf"
server.username = "lighttpd"
server.groupname = "lighttpd"
server.document-root = var.basedir + "/htdocs"
server.document-root = {{ .Values.wellknown.htdocsPath | quote }}
server.pid-file = "/run/lighttpd.pid"
server.errorlog = "/dev/stderr"
status.status-url = "/server-status"
url.rewrite-once = (
"^/\.well-known/matrix/server" => "/server.json"
)
status.status-url = "/server-status"
accesslog.filename = "/dev/stderr"
server.json: |-
@ -59,7 +56,7 @@ metadata:
{{- include "matrix-synapse.labels" . | nindent 4 }}
component: well-known
spec:
replicas: {{ default .Values.wellknown.replicaCount 1 }}
replicas: {{ .Values.wellknown.replicaCount | default 1 }}
selector:
matchLabels:
{{- include "matrix-synapse.selectorLabels" . | nindent 6 }}
@ -72,10 +69,15 @@ spec:
{{- include "matrix-synapse.selectorLabels" . | nindent 8 }}
component: well-known
spec:
{{- include "matrix-synapse.imagePullSecrets" . | nindent 6 }}
securityContext:
{{- toYaml .Values.wellknown.podSecurityContext | nindent 8 }}
containers:
- name: lighttpd
image: m4rcu5/lighttpd
imagePullPolicy: Always
image: "{{ .Values.wellknown.image.repository }}:{{ .Values.wellknown.image.tag }}"
imagePullPolicy: {{ .Values.wellknown.image.pullPolicy }}
securityContext:
{{- toYaml .Values.wellknown.securityContext | nindent 12 }}
ports:
- containerPort: 80
name: http
@ -91,11 +93,25 @@ spec:
- mountPath: /etc/lighttpd/lighttpd.conf
name: files
subPath: lighttpd.conf
- mountPath: /var/www/localhost/htdocs/server.json
- mountPath: {{ .Values.wellknown.htdocsPath }}/server.json
name: files
subPath: server.json
resources:
{{- toYaml .Values.wellknown.resources | nindent 12 }}
volumes:
- name: files
configMap:
name: {{ $wkName }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}

View file

@ -0,0 +1,41 @@
{{- $wkName := include "matrix-synapse.workername" (dict "global" . "worker" "workers") -}}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ $wkName }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
data:
{{- $default := .Values.workers.default -}}
{{- range $worker, $config := .Values.workers -}}
{{- if $config.enabled -}}
{{- $name := $worker | replace "_" "-" }}
{{ $name }}.worker: |
worker_app: "synapse.app.{{ $worker }}"
worker_main_http_uri: http://{{ include "matrix-synapse.fullname" $ }}:8008
worker_replication_host: {{ include "matrix-synapse.replicationname" $ | quote }}
worker_replication_http_port: 9093
worker_listeners:
- type: http
bind_addresses: ['0.0.0.0']
tls: false
port: 9090
resources:
- names: [metrics]
compress: false
{{- if $config.listeners }}
- type: http
tls: false
port: 8083
resources:
- names: {{- toYaml $config.listeners | nindent 14 }}
compress: false
{{- end }}
worker_log_config: /synapse/config/log.yaml
{{- end }}
{{- end }}

View file

@ -0,0 +1,171 @@
{{- $needsVolumePermissions := and .Values.volumePermissions.enabled (or .Values.persistence.enabled .Values.persistence.existingClaim) }}
{{- $default := .Values.workers.default }}
{{- range $worker, $config := .Values.workers }}
{{- if $config.enabled }}
{{- $name := $worker | replace "_" "-" }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "matrix-synapse.workername" (dict "global" $ "worker" $name) }}
labels:
{{- include "matrix-synapse.labels" $ | nindent 4 }}
app.kubernetes.io/component: {{ $name }}
spec:
replicas: {{ $config.replicaCount | default $default.replicaCount }}
selector:
matchLabels:
{{- include "matrix-synapse.selectorLabels" $ | nindent 6 }}
app.kubernetes.io/component: {{ $name }}
template:
metadata:
annotations:
checksum/config: {{ include (print $.Template.BasePath "/configuration.yaml") $ | sha256sum }}
checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") $ | sha256sum }}
{{- with ($config.annotations | default $default.annotations) }}
{{ . | toYaml | nindent 8 }}
{{- end }}
labels:
{{- include "matrix-synapse.selectorLabels" $ | nindent 8 }}
app.kubernetes.io/component: {{ $name }}
{{- with ($config.labels | default $default.labels) }}
{{ . | toYaml | nindent 8 }}
{{- end }}
spec:
{{- with $.Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
securityContext:
{{- $config.podSecurityContext | default $default.podSecurityContext | toYaml | nindent 8 }}
{{- if and $needsVolumePermissions (eq $name "media-repository") }}
initContainers:
- name: volume-permissions
command: ["chown", "-R", "666:666", "/synapse/data"]
image: "{{ $.Values.volumePermissions.repository }}:{{ $.Values.volumePermissions.tag }}"
imagePullPolicy: {{ $.Values.volumePermissions.pullPolicy }}
securityContext:
runAsUser: 0
resources: {{ $.Values.volumePermissions.resources | toYaml | nindent 10 }}
volumeMounts:
- name: media
mountPath: /synapse/data
{{- end }}
containers:
- name: {{ $name }}
command:
- sh
- -c
- |
cat /synapse/secrets/*.yaml | \
sed -e "s/@@POSTGRES_PASSWORD@@/${POSTGRES_PASSWORD:-}/" \
-e "s/@@REDIS_PASSWORD@@/${REDIS_PASSWORD:-}/" \
> /synapse/config/conf.d/secrets.yaml
/matrix-synapse synapse.app.{{ $worker }} -c /synapse/config/{{ $name }}.worker
env:
{{- if $.Values.postgresql.enabled }}
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "matrix-synapse.postgresql.fullname" $ }}
key: postgresql-password
{{- end }}
{{- if and $.Values.redis.enabled (default $.Values.redis.usePassword true) }}
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "matrix-synapse.redis.fullname" $ }}
key: redis-password
{{- end }}
{{- with $config.extraEnv | default $default.extraEnv }}
{{ . | toYaml }}
{{- end }}
securityContext:
{{- $config.securityContext | default $default.securityContext | toYaml | nindent 12 }}
image: "{{ $.Values.image.repository }}:{{ $.Chart.AppVersion }}"
imagePullPolicy: {{ $.Values.image.pullPolicy }}
ports:
- name: metrics
containerPort: 9090
protocol: TCP
{{- if $config.listeners }}
- name: listener
containerPort: 8083
protocol: TCP
livenessProbe:
tcpSocket:
port: listener
readinessProbe:
tcpSocket:
port: listener
{{- end }}
resources:
{{- $config.resources | default $default.resources | toYaml | nindent 12 }}
volumeMounts:
- name: config
mountPath: /synapse/config/homeserver.yaml
subPath: homeserver.yaml
- name: config
mountPath: /synapse/config/log.yaml
subPath: log.yaml
- name: worker-config
mountPath: /synapse/config/{{ $name }}.worker
subPath: {{ $name }}.worker
- name: tmpconf
mountPath: /synapse/config/conf.d
- name: secrets
mountPath: /synapse/secrets
- name: signingkey
mountPath: /synapse/keys
{{- if eq $name "media-repository" }}
- name: media
mountPath: /synapse/data
{{- end }}
{{- with $config.volumeMounts | default $default.volumeMounts }}
{{ . | toYaml | nindent 12 }}
{{- end }}
{{- with $config.nodeSelector | default $default.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $config.affinity | default $default.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $config.tolerations | default $default.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: config
configMap:
name: {{ include "matrix-synapse.fullname" $ }}
- name: worker-config
configMap:
name: {{ include "matrix-synapse.workername" (dict "global" $ "worker" "workers") }}
- name: secrets
secret:
secretName: {{ include "matrix-synapse.fullname" $ }}
- name: signingkey
secret:
secretName: {{ $.Values.signingkey.existingSecret | default (include "matrix-synapse.workername" (dict "global" $ "worker" "signingkey")) | quote }}
items:
- key: {{ $.Values.signingkey.existingSecretKey | default "signing.key" | quote }}
path: signing.key
- name: tmpconf
emptyDir: {}
{{- if eq $name "media-repository" }}
- name: media
{{- if $.Values.persistence.enabled }}
persistentVolumeClaim:
claimName: {{ $.Values.persistence.existingClaim | (include "matrix-synapse.fullname" $) }}
{{- else }}
emptyDir: {}
{{- end }}
{{- end }}
{{- with $config.volumes }}
{{ . | toYaml | nindent 8 }}
{{- end }}
{{- end }}
{{- end }}

View file

@ -109,7 +109,7 @@ config:
# bind_addresses: ['::']
# type: manhole
## Specify arbitrary synapse configuration here;
## Specify arbitrary Synapse configuration here;
##
extraConfig: {}
# use_presence: false
@ -119,99 +119,72 @@ extraConfig: {}
# - nyc.example.com
# - syd.example.com
## Annotations to apply to the main Synapse pod.
## Configuration to apply to the main Synapse pod.
##
annotations: {}
# prometheus.io/scrape: "true"
# prometheus.io/port: 9090
synapse:
## Annotations to apply to the main Synapse pod.
##
annotations: {}
# prometheus.io/scrape: "true"
# prometheus.io/port: 9090
## Labels to apply to the main Synapse pod.
##
labels: {}
## Labels to apply to the main Synapse pod.
##
labels: {}
## Additional environment variables to apply to the main Synapse pod
##
extraEnv: {}
# - name: USE_JEMALLOC
# value: "1"
# - name: SYNAPSE_CACHE_FACTOR
# value: "2"
## Additional environment variables to apply to the main Synapse pod
##
extraEnv: {}
# - name: USE_JEMALLOC
# value: "1"
# - name: SYNAPSE_CACHE_FACTOR
# value: "2"
## This will set up a Lighttpd server to respond to any
## /.well-known/matrix/server requests, to make federation possible without any
## DNS changes.
##
wellknown:
enabled: false
# host: matrix.example.com
# port: 443
## Configuration for the pod security policy, Synapse will by default run as its
## own user, even if not set.
## Note that changing this may also require you to use the volumePermission
## helper depending on your storage.
##
## NB; The synapse install is currently unable to run as anything but UID:GID
## 666:666.
##
podSecurityContext: {}
# fsGroup: 666
# runAsGroup: 666
# runAsUser: 666
## This configuration is for setting up the internally provided Postgres server,
## if you instead want to use an existing server, then you may want to set
## enabled to false and configure the externalPostgresql block.
##
postgresql:
enabled: true
## Configuration for the container security policy, refer to the above
## podSecurityContext for more relevant information.
##
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 666
postgresqlUsername: synapse
postgresqlDatabase: synapse
## Resources to apply to the main Synapse pod.
##
resources: {}
# limits:
# cpu: 1000m
# memory: 2500Mi
# requests:
# cpu: 1000m
# memory: 2500Mi
postgresqlInitdbArgs: "--lc-collate=C --lc-ctype=C"
## Node selectors to set for the main Synapse pod.
##
nodeSelector: {}
persistence:
size: 16G
## Tolerations to set for the main Synapse pod.
##
tolerations: []
## An externally configured Postgres server to use for Synapse's database, note
## that the database needs to have both COLLATE and CTYPE set to "C".
##
externalPostgresql:
# host: postgres
port: 5432
username: synapse
# password: synapse
database: synapse
# sslMode: require
## This configuration is for the internal Redis that's deployed for use with
## workers/sharding, for an external Redis server you want to set enabled to
## false and configure the externalRedis block.
##
redis:
enabled: true
# usePassword: false
# password: synapse
cluster:
enabled: false
master:
persistence:
## Note that Synapse only uses redis as a synchronization utility, so no
## data will ever need to be persisted.
##
enabled: false
statefulset:
updateStrategy: RollingUpdate
## An externally configured Redis server to use for workers/sharding.
##
externalRedis:
# host: redis
port: 6379
# password: synapse
## Persistence configuration for the media repository function.
## This PVC will be mounted in either Synapse or a media_repo worker.
##
## NB; If you want to be able to scale this, you will have to set the
## accessMode to RWX/ReadWriteMany.
##
persistence:
enabled: true
# existingClaim: synapse-data
# storageClass: "-"
accessMode: ReadWriteOnce
size: 10Gi
## Affinity to set for the main Synapse pod.
##
affinity: {}
## Configuration for handling Synapse workers, which are useful for handling
## high-load deployments.
@ -300,11 +273,33 @@ workers:
generic_worker:
enabled: false
listeners: [client, federation]
paths:
csPaths:
# - "/_matrix/client/(v2_alpha|r0)/sync"
- "/_matrix/client/(api/v1|v2_alpha|r0)/events"
# - "/_matrix/client/(api/v1|r0)/initialSync"
# - "/_matrix/client/(api/v1|r0)/rooms/[^/]+/initialSync"
- "/_matrix/client/(api/v1|r0|unstable)/publicRooms"
- "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/joined_members"
- "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/context/.*"
- "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/members"
- "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/state"
- "/_matrix/client/(api/v1|r0|unstable)/account/3pid"
- "/_matrix/client/(api/v1|r0|unstable)/keys/query"
- "/_matrix/client/(api/v1|r0|unstable)/keys/changes"
- "/_matrix/client/versions"
- "/_matrix/client/(api/v1|r0|unstable)/voip/turnServer"
- "/_matrix/client/(api/v1|r0|unstable)/joined_groups"
- "/_matrix/client/(api/v1|r0|unstable)/publicised_groups"
- "/_matrix/client/(api/v1|r0|unstable)/publicised_groups/"
- "/_matrix/client/(api/v1|r0|unstable)/login"
- "/_matrix/client/(r0|unstable)/register"
- "/_matrix/client/(r0|unstable)/auth/.*/fallback/web"
- "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/send"
- "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/state/"
- "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)"
- "/_matrix/client/(api/v1|r0|unstable)/join/"
- "/_matrix/client/(api/v1|r0|unstable)/profile/"
paths:
- "/_matrix/federation/v1/event/"
- "/_matrix/federation/v1/state/"
- "/_matrix/federation/v1/state_ids/"
@ -327,27 +322,6 @@ workers:
- "/_matrix/federation/v1/get_groups_publicised"
- "/_matrix/key/v2/query"
- "/_matrix/federation/v1/send/"
- "/_matrix/client/(api/v1|r0|unstable)/publicRooms"
- "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/joined_members"
- "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/context/.*"
- "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/members"
- "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/state"
- "/_matrix/client/(api/v1|r0|unstable)/account/3pid"
- "/_matrix/client/(api/v1|r0|unstable)/keys/query"
- "/_matrix/client/(api/v1|r0|unstable)/keys/changes"
- "/_matrix/client/versions"
- "/_matrix/client/(api/v1|r0|unstable)/voip/turnServer"
- "/_matrix/client/(api/v1|r0|unstable)/joined_groups"
- "/_matrix/client/(api/v1|r0|unstable)/publicised_groups"
- "/_matrix/client/(api/v1|r0|unstable)/publicised_groups/"
- "/_matrix/client/(api/v1|r0|unstable)/login"
- "/_matrix/client/(r0|unstable)/register"
- "/_matrix/client/(r0|unstable)/auth/.*/fallback/web"
- "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/send"
- "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/state/"
- "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)"
- "/_matrix/client/(api/v1|r0|unstable)/join/"
- "/_matrix/client/(api/v1|r0|unstable)/profile/"
## This worker deals with pushing notifications.
## NB; Only one instance of this worker can be run at a time, refer to the
@ -374,20 +348,22 @@ workers:
media_repository:
enabled: false
listeners: [media]
paths:
csPaths:
- "/_matrix/media/"
- "/_synapse/admin/v1/purge_media_cache"
- "/_synapse/admin/v1/room/.*/media.*"
- "/_synapse/admin/v1/user/.*/media.*"
- "/_synapse/admin/v1/media/.*"
- "/_synapse/admin/v1/quarantine_media/.*"
paths:
- "/_matrix/media/"
## This worker deals with user directory searches.
##
user_dir:
enabled: false
listeners: [client]
paths:
csPaths:
- "/_matrix/client/(api/v1|r0|unstable)/user_directory/search"
## This worker handles key uploads, and may also stub out presence if that is
@ -397,10 +373,147 @@ workers:
frontend_proxy:
enabled: false
listeners: [client]
paths:
csPaths:
- "/_matrix/client/(api/v1|r0|unstable)/keys/upload"
# - "/_matrix/client/(api/v1|r0|unstable)/presence/[^/]+/status"
## This will set up a Lighttpd server to respond to any
## /.well-known/matrix/server requests, to make federation possible without
## adding SRV-records to DNS.
##
wellknown:
enabled: false
replicaCount: 1
## The host and port combo to serve on .well-known/matrix/server.
##
# host: matrix.example.com
# port: 443
## A custom htdocs path, useful when running another image.
##
htdocsPath: /var/www/localhost/htdocs
## The lighttpd image to run.
##
image:
repository: m4rcu5/lighttpd
tag: latest
pullPolicy: Always
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
##
# pullSecrets:
# - myRegistryKeySecretName
## Configuration for the pod security policy.
##
podSecurityContext: {}
# fsGroup: 101
# runAsGroup: 101
# runAsUser: 100
## Configuration for the container security policy.
##
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 100
## Resource configuration to apply to the well-known server.
##
resources: {}
# limits:
# cpu: 5m
# memory: 15Mi
# requests:
# cpu: 5m
# memory: 15Mi
## Node selectors to set for the well-known server.
##
nodeSelector: {}
## Tolerations to set for the well-known server.
##
tolerations: []
## Affinity to set for the main well-known server.
##
affinity: {}
## This configuration is for setting up the internally provided Postgres server,
## if you instead want to use an existing server, then you may want to set
## enabled to false and configure the externalPostgresql block.
##
postgresql:
enabled: true
postgresqlUsername: synapse
postgresqlDatabase: synapse
postgresqlInitdbArgs: "--lc-collate=C --lc-ctype=C"
persistence:
size: 16G
## An externally configured Postgres server to use for Synapse's database, note
## that the database needs to have both COLLATE and CTYPE set to "C".
##
externalPostgresql:
# host: postgres
port: 5432
username: synapse
# password: synapse
database: synapse
# sslMode: require
## This configuration is for the internal Redis that's deployed for use with
## workers/sharding, for an external Redis server you want to set enabled to
## false and configure the externalRedis block.
##
redis:
enabled: true
# usePassword: false
# password: synapse
cluster:
enabled: false
master:
persistence:
## Note that Synapse only uses redis as a synchronization utility, so no
## data will ever need to be persisted.
##
enabled: false
statefulset:
updateStrategy: RollingUpdate
## An externally configured Redis server to use for workers/sharding.
##
externalRedis:
# host: redis
port: 6379
# password: synapse
## Persistence configuration for the media repository function.
## This PVC will be mounted in either Synapse or a media_repo worker.
##
## NB; If you want to be able to scale this, you will have to set the
## accessMode to RWX/ReadWriteMany.
##
persistence:
enabled: true
# existingClaim: synapse-data
# storageClass: "-"
accessMode: ReadWriteOnce
size: 10Gi
## Set up an init container to chown the mounted media if necessary.
##
volumePermissions:
@ -411,36 +524,19 @@ volumePermissions:
tag: latest
pullPolicy: Always
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
##
# pullSecrets:
# - myRegistryKeySecretName
resources: {}
# resources:
# requests:
# memory: 128Mi
# cpu: 100m
## Configuration for the pod security policy, Synapse will by default run as its
## own user, even if not set.
## Note that changing this may also require you to use the volumePermission
## helper depending on your storage.
##
## NB; The synapse install is currently unable to run as anything but UID:GID
## 666:666.
##
podSecurityContext: {}
# fsGroup: 666
# runAsGroup: 666
# runAsUser: 666
## Configuration for the container security policy, refer to the above
## podSecurityContext for more relevant information.
##
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 666
## The K8s ingress configuration, this will be quite heavily used in order to set
## up all routing necessary for use with a sharded Synapse instance.
## If you're not using a Ingress compatible K8s ingress, you will need to set up
@ -455,19 +551,37 @@ ingress:
## Annotations to apply to the created ingress resource.
##
annotations:
annotations: {}
# nginx.ingress.kubernetes.io/use-regex: "true"
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
## Additional hosts to add to the ingress configuration.
## Hosts to add to the ingress configuration for handling Client-to-Server
## API request paths.
##
## NB; config.serverName is included if includeServerName is set. (default)
##
csHosts: []
# - matrix.example.com
## Additional hosts to add to the ingress configuration for handling
## Server-to-Server API requests.
##
## NB; config.serverName is included if includeServerName is set. (default)
##
hosts: []
# - matrix.example.com
# - example.com
## Additional paths to add to the ingress blocks, will be inserted before the
## /_matrix and /synapse catch-all paths.
## Additional hosts to add to the ingress configuration for handling
## well-known requests.
##
## NB; config.serverName is included if includeServerName is set. (default)
##
wkHosts: []
# - example.com
## Additional paths to add to the Server-to-Server ingress blocks, will be
## inserted before the /_matrix catch-all path.
##
paths: []
# - path: /_matrix/media
@ -475,6 +589,15 @@ ingress:
# serviceName: matrix-media-repo
# servicePort: 8000
## Additional paths to add to the Client-to-Server ingress blocks, will be
## inserted before the /_matrix and /_synapse catch-all paths.
##
csPaths: []
# - path: /_matrix/media
# backend:
# serviceName: matrix-media-repo
# servicePort: 8000
## Should the /_synapse path be included in the ingress, admin APIs are
## provided under this path.
##
@ -483,7 +606,7 @@ ingress:
## Should config.serverName be included in the list of ingress paths, can be
## set to false if the main domain is managed in some external way.
##
# includeServerName: false
includeServerName: true
## TLS configuration to include in the ingress configuration
##
@ -492,25 +615,3 @@ ingress:
# hosts:
# - example.com
# - matrix.example.com
## Resources to apply to the main Synapse pod.
##
resources: {}
# limits:
# cpu: 1000m
# memory: 2500Mi
# requests:
# cpu: 1000m
# memory: 2500Mi
## Node selectors to set for the main Synapse pod.
##
nodeSelector: {}
## Tolerations to set for the main Synapse pod.
##
tolerations: []
## Affinity to set for the main Synapse pod.
##
affinity: {}