diff --git a/charts-wip/matrix-synapse/README.md b/charts-wip/matrix-synapse/README.md index 6325d2c..6bdc748 100644 --- a/charts-wip/matrix-synapse/README.md +++ b/charts-wip/matrix-synapse/README.md 
@@ -13,4 +13,46 @@ Matrix Synapse ## Installing +To run a federating Matrix server, you need to have a publicly accessible subdomain that Kubernetes has an ingress on. +You will also require some federation guides, either in the form of a `.well-known/matrix/server` server or as an SRV record in DNS. + +When using a well-known entry, you will need to have a valid cert for whatever subdomain you wish to serve Synapse on. +When using an SRV record, you will additionally need a valid cert for the main domain that you're using for your MXIDs. + +## Installation Examples + +Refer to [the main Synapse docs](https://github.com/matrix-org/synapse/blob/master/docs/federate.md) for more information. + +### On main domain / with subdomain MXIDs + +For the simplest possible Matrix install, you can run your Synapse install on the root of the domain you wish in your MXIDs. +If you - for instance - own the domain `chosenin.space` and want to run Matrix on it, you would simply install the chart as; + + helm install matrix-synapse --set config.serverName=chosenin.space --set wellknown.enabled=true + +This would set up Synapse with client-server and federation both exposed on `chosenin.space/_matrix`, as well as a tiny lighttpd server that responds to federation lookups on `chosenin.space/.well-known/matrix/server`. + +You can also use this to run a Synapse on a subdomain, with said subdomain as part of your MXIDs; (`@user:matrix.chosenin.space` in this case) + + helm install matrix-synapse --set config.serverName=matrix.chosenin.space --set wellknown.enabled=true + +### On separate subdomain + +If - on the other hand - you own the domain `example.com`, want your MXIDs in the form `@user:example.com`, but still want to run your Synapse on `matrix.example.com`. 
Then you have two options, using either DNS or well-known; + +For DNS, you could install the chart as; + + helm install matrix-synapse --set config.serverName=example.com --set config.publicBaseUrl=https://matrix.example.com --set ingress.includeServerName=false --set ingress.hosts={example.com} --set ingress.csHosts={matrix.example.com} + +This will add only federation endpoints to `example.com`, along with client endpoints on `matrix.example.com`. You will also need to have valid certs for both `example.com` as well as `matrix.example.com` for your Synapse to use. +To get federation working with such a setup, you would need to add an SRV record to your DNS - for example; +`_matrix._tcp.example.com 10 1 443 matrix.example.com` + +If you want to use a well-known file for federation instead, then your install might look more like; + + helm install matrix-synapse --set config.serverName=example.com --set config.publicBaseUrl=https://matrix.example.com --set wellknown.enabled=true --set wellknown.host=matrix.example.com --set ingress.includeServerName=false --set ingress.hosts={matrix.example.com} --set ingress.csHosts={matrix.example.com} --set ingress.wkHosts={example.com} + +With well-known federation, your client-to-server/public host is the one that needs to handle both client and federation traffic. On your main domain you'll instead only need something that can respond with a JSON file on the URL `example.com/.well-known/matrix/server`, which the included wellknown server will do. +When using well-known federation, your Synapse cert would only need to be valid for `matrix.example.com`. + diff --git a/charts-wip/matrix-synapse/templates/NOTES.txt b/charts-wip/matrix-synapse/templates/NOTES.txt index 013441a..d9b0443 100644 --- a/charts-wip/matrix-synapse/templates/NOTES.txt +++ b/charts-wip/matrix-synapse/templates/NOTES.txt 
@@ -1,9 +1,10 @@ ** Note, this chart may take a while to finish setup, please be patient ** - {{- if not .Values.ingress.enabled }} + Synapse has been installed without an ingress, you will need to manage accesses to the services yourself. {{- else }} + Your Synapse install is now starting, you should soon be able to access it on the following URL(s); {{- range (concat .Values.ingress.hosts (list .Values.config.serverName)) }} @@ -19,6 +20,7 @@ set up a /.well-known/matrix/server response. Refer to https://github.com/matrix-org/synapse/blob/master/docs/federate.md for more information. {{- end }} +{{- end }} {{- if .Values.config.enableRegistration }} You should be able to connect to your Synapse install with any compatible @@ -30,6 +32,6 @@ You can create a user in your new Synapse install by running the following command; {{- end }} - kubectl exec --namespace {{ .Release.Namespace }} {{ template "matrix-synapse" . }} -- register_new_matrix_user -c /synapse/config/homeserver.yaml -c /synapse/config/conf.d/secrets.yaml -u USERNAME -p PASSWORD --admin http://localhost:8008 + kubectl exec --namespace {{ .Release.Namespace }} {{ template "matrix-synapse.fullname" . }} -- register_new_matrix_user -c /synapse/config/homeserver.yaml -c /synapse/config/conf.d/secrets.yaml -u USERNAME -p PASSWORD --admin http://localhost:8008 You can also specify --no-admin to create a non-admin user. diff --git a/charts-wip/matrix-synapse/templates/_helpers.tpl b/charts-wip/matrix-synapse/templates/_helpers.tpl index 98c8cfd..6080eb7 100644 --- a/charts-wip/matrix-synapse/templates/_helpers.tpl +++ b/charts-wip/matrix-synapse/templates/_helpers.tpl 
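Review bot: The corrected `kubectl exec` line still passes the Deployment name, but `kubectl exec` expects a pod name or a `TYPE/NAME` reference, so `{{ template "matrix-synapse.fullname" . }}` matches no pod; use `kubectl exec --namespace {{ .Release.Namespace }} deploy/{{ template "matrix-synapse.fullname" . }} -- register_new_matrix_user ...`. Consider also dropping `-p PASSWORD` from the example, since register_new_matrix_user prompts for the password when it is omitted, which keeps the admin password out of shell history and process listings. The NOTES template continues outside this hunk.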
@@ -25,21 +25,29 @@ If release name contains chart name it will be used as a full name. {{- end -}} {{/* -Create a default fully qualified app name. +Create a default replication name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). */}} {{- define "matrix-synapse.replicationname" -}} -{{- printf "%s-%s-%s" .Release.Name .Chart.Name "matrix-synapse-replication" | trunc 63 | trimSuffix "-" -}} +{{- printf "%s-%s-%s" .Release.Name .Chart.Name "replication" | trunc 63 | trimSuffix "-" -}} {{- end -}} {{/* -Create a default fully qualified app name. +Create a default worker name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). */}} {{- define "matrix-synapse.workername" -}} {{- printf "%s-%s-%s" .global.Release.Name .global.Chart.Name .worker | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{/* +Create a default external component name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "matrix-synapse.externalname" -}} +{{- printf "%s-%s" .global.Release.Name .external | trunc 63 | trimSuffix "-" -}} +{{- end -}} + {{/* Create chart name and version as used by the chart label. */}} 
@@ -74,6 +82,24 @@ app.kubernetes.io/name: {{ include "matrix-synapse.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} {{- end -}} +{{/* +Pull secrets +*/}} +{{- define "matrix-synapse.imagePullSecrets" -}} +{{- if or .Values.image.pullSecrets .Values.wellknown.image.pullSecrets .Values.volumePermissions.pullSecrets }} +imagePullSecrets: +{{- with .Values.image.pullSecrets }} + {{- . | toYaml | nindent 2 }} +{{- end }} +{{- with .Values.wellknown.image.pullSecrets }} + {{- . | toYaml | nindent 2 }} +{{- end }} +{{- with .Values.volumePermissions.image.pullSecrets }} + {{- . | toYaml | nindent 2 }} +{{- end }} +{{- end -}} +{{- end -}} + {{/* Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). diff --git a/charts-wip/matrix-synapse/templates/configuration.yaml b/charts-wip/matrix-synapse/templates/configuration.yaml index 9213a6a..70f9799 100644 --- a/charts-wip/matrix-synapse/templates/configuration.yaml +++ b/charts-wip/matrix-synapse/templates/configuration.yaml @@ -20,12 +20,12 @@ data: class: logging.StreamHandler formatter: precise filters: [context] - level: {{ .Values.config.logLevel }} + level: {{ .Values.config.logLevel | default "INFO" }} loggers: synapse: - level: {{ .Values.config.logLevel }} + level: {{ .Values.config.logLevel | default "INFO" }} root: - level: {{ .Values.config.logLevel }} + level: {{ .Values.config.logLevel | default "INFO" }} handlers: [console] homeserver.yaml: | # NOTE: 
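Review bot: The guard of the new `matrix-synapse.imagePullSecrets` template tests `.Values.volumePermissions.pullSecrets`, but the body reads `.Values.volumePermissions.image.pullSecrets`, so a secret set only under the `image` sub-key is never emitted, and one set under `volumePermissions.pullSecrets` opens `imagePullSecrets:` with nothing beneath it. The other templates in this commit reference `volumePermissions.repository` and `volumePermissions.tag` without an `image` sub-key, so the body path looks like the wrong one; whichever layout values.yaml defines, the `if` and the `with` should use the same path. A short comment above the define, such as `{{/* Emits imagePullSecrets for the synapse, wellknown and volumePermissions images; callers pipe through nindent */}}`, would also help, since the current "Pull secrets" header says nothing about the merge.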
@@ -116,22 +116,22 @@ data: url_preview_enabled: false max_spider_size: "10M" - {{- if .Values.config.recaptcha }} + ## Captcha ## recaptcha_public_key: {{ .Values.config.recaptcha.publicKey | quote }} - enable_registration_captcha: True + enable_registration_captcha: true recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify" {{- end }} - {{- if .Values.config.turnUris }} + ## Turn ## turn_uris: {{ toYaml .Values.config.turnUris | nindent 6 }} turn_user_lifetime: "1h" - turn_allow_guests: True + turn_allow_guests: true {{- end }} ## Registration ## @@ -143,7 +143,7 @@ data: ## Metrics ### - enable_metrics: True + enable_metrics: true report_stats: {{ .Values.config.reportStats | default false }} ## API Configuration ## @@ -167,7 +167,6 @@ data: servers: {{- .Values.config.perspectiveServers | toYaml | nindent 8 }} ## Workers ## - {{- $default := .Values.workers.default }} {{- range $worker, $config := .Values.workers }} {{- if $config.enabled }} @@ -184,42 +183,9 @@ data: {{- end }} {{- end }} {{- end }} - {{- with .Values.extraConfig }} + ## Extra config ## {{ . | toYaml | nindent 4 }} {{- end }} - -{{- $default := .Values.workers.default -}} -{{- range $worker, $config := .Values.workers -}} - {{- if $config.enabled -}} - {{- $name := $worker | replace "_" "-" }} - - {{ $name }}.worker: | - worker_app: "synapse.app.{{ $worker }}" - - worker_main_http_uri: http://{{ include "matrix-synapse.fullname" $ }}:8008 - worker_replication_host: {{ include "matrix-synapse.replicationname" $ | quote }} - worker_replication_http_port: 9093 - - worker_listeners: - - type: http - bind_addresses: ['0.0.0.0'] - tls: false - port: 9090 - resources: - - names: [metrics] - compress: false - {{- if $config.listeners }} - - type: http - tls: false - port: 8083 - resources: - - names: {{- toYaml $config.listeners | nindent 14 }} - compress: false - {{- end }} - - worker_log_config: /synapse/config/log.yaml - {{- end }} -{{- end }} 
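Review bot: As this hunk renders, `{{- if .Values.config.recaptcha }}`, `{{- if .Values.config.turnUris }}` and `{{- with .Values.extraConfig }}` are removed while their matching `{{- end }}` lines stay, which would leave unbalanced actions and, for the Captcha block, dereference `.Values.config.recaptcha.publicKey` on a nil map; if the collapsed diff merely hides a re-indented guard this does not apply, but please confirm with `helm template` against a values file that omits those keys. The `{{ . | toYaml | nindent 4 }}` under `## Extra config ##` deserves the closest look, because without the `with` it would dump the entire template context into homeserver.yaml. The lowercase `true` changes are correct YAML and consistent with the rest of the file.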
diff --git a/charts-wip/matrix-synapse/templates/deployment.yaml b/charts-wip/matrix-synapse/templates/deployment.yaml index 9c98f75..ba58803 100644 --- a/charts-wip/matrix-synapse/templates/deployment.yaml +++ b/charts-wip/matrix-synapse/templates/deployment.yaml @@ -11,7 +11,7 @@ metadata: {{- include "matrix-synapse.labels" . | nindent 4 }} app.kubernetes.io/component: synapse spec: - replicas: {{ .Values.replicaCount }} + replicas: 1 selector: matchLabels: {{- include "matrix-synapse.selectorLabels" . | nindent 6 }} @@ -21,24 +21,21 @@ spec: annotations: checksum/config: {{ include (print $.Template.BasePath "/configuration.yaml") . | sha256sum }} checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }} - {{- with .Values.annotations }} + {{- with .Values.synapse.annotations }} {{ . | toYaml | nindent 8 }} {{- end }} labels: {{- include "matrix-synapse.selectorLabels" . | nindent 8 }} app.kubernetes.io/component: synapse - {{- with .Values.labels }} + {{- with .Values.synapse.labels }} {{ . | toYaml | nindent 8 }} {{- end }} spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} + {{- include "matrix-synapse.imagePullSecrets" . | nindent 6 }} securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- toYaml .Values.synapse.podSecurityContext | nindent 8 }} containers: - - name: {{ .Chart.Name }} + - name: synapse command: - sh - -c @@ -69,10 +66,10 @@ spec: {{- with .Values.extraEnv }} {{ . | toYaml }} {{- end }} - securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} image: "{{ .Values.image.repository }}:{{ include "matrix-synapse.imageTag" . }}" imagePullPolicy: {{ .Values.image.pullPolicy }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} ports: - name: http containerPort: 8008 
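Review bot: The container-level `securityContext:` moved in the last hunk still reads `.Values.securityContext`, while the pod-level block was switched to `.Values.synapse.podSecurityContext` and values.yaml in this commit introduces `synapse.securityContext`; unless a top-level `securityContext` is kept in values.yaml, this renders `securityContext: null` and silently drops the `runAsNonRoot` / `readOnlyRootFilesystem` settings a user places under `synapse:`. The line should read `{{- toYaml .Values.synapse.securityContext | nindent 12 }}`. The same applies to the unchanged `{{- with .Values.extraEnv }}` context line just above it, since `extraEnv` also moved under `synapse:`. The Deployment template continues outside the hunk.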
@@ -113,9 +110,9 @@ spec: secretName: {{ include "matrix-synapse.fullname" . }} - name: signingkey secret: - secretName: {{ default .Values.signingkey.existingSecret (include "matrix-synapse.workername" (dict "global" . "worker" "signingkey")) | quote }} + secretName: {{ .Values.signingkey.existingSecret | default (include "matrix-synapse.workername" (dict "global" . "worker" "signingkey")) | quote }} items: - - key: {{ default .Values.signingkey.existingSecretKey "signing.key" | quote }} + - key: {{ .Values.signingkey.existingSecretKey | default "signing.key" | quote }} path: signing.key - name: tmpconf emptyDir: {} @@ -129,7 +126,7 @@ spec: {{- end }} {{- if and .Values.persistence.enabled (not $mediaworker) }} persistentVolumeClaim: - claimName: {{ default .Values.persistence.existingClaim (include "matrix-synapse.fullname" .) }} + claimName: {{ .Values.persistence.existingClaim | default (include "matrix-synapse.fullname" .) }} {{- else }} emptyDir: {} {{- end }} 
@@ -145,164 +142,3 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} - -{{- $default := .Values.workers.default }} -{{- range $worker, $config := .Values.workers }} -{{- if $config.enabled }} -{{- $name := $worker | replace "_" "-" }} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "matrix-synapse.workername" (dict "global" $ "worker" $name) }} - labels: - {{- include "matrix-synapse.labels" $ | nindent 4 }} - app.kubernetes.io/component: {{ $name }} -spec: - replicas: {{ $config.replicaCount | default $default.replicaCount }} - selector: - matchLabels: - {{- include "matrix-synapse.selectorLabels" $ | nindent 6 }} - app.kubernetes.io/component: {{ $name }} - template: - metadata: - annotations: - checksum/config: {{ include (print $.Template.BasePath "/configuration.yaml") $ | sha256sum }} - checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") $ | sha256sum }} - {{- with ($config.annotations | default $default.annotations) }} - {{ . | toYaml | nindent 8 }} - {{- end }} - labels: - {{- include "matrix-synapse.selectorLabels" $ | nindent 8 }} - app.kubernetes.io/component: {{ $name }} - {{- with ($config.labels | default $default.labels) }} - {{ . | toYaml | nindent 8 }} - {{- end }} - spec: - {{- with $.Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . 
| nindent 8 }} - {{- end }} - securityContext: - {{- $config.podSecurityContext | default $default.podSecurityContext | toYaml | nindent 8 }} - {{- if and $needsVolumePermissions (eq $name "media-repository") }} - initContainers: - - name: volume-permissions - command: ["chown", "-R", "666:666", "/synapse/data"] - image: "{{ $.Values.volumePermissions.repository }}:{{ $.Values.volumePermissions.tag }}" - imagePullPolicy: {{ $.Values.volumePermissions.pullPolicy }} - securityContext: - runAsUser: 0 - resources: {{ $.Values.volumePermissions.resources | toYaml | nindent 10 }} - volumeMounts: - - name: media - mountPath: /synapse/data - {{- end }} - containers: - - name: {{ $name }} - command: - - sh - - -c - - | - cat /synapse/secrets/*.yaml | \ - sed -e "s/@@POSTGRES_PASSWORD@@/${POSTGRES_PASSWORD:-}/" \ - -e "s/@@REDIS_PASSWORD@@/${REDIS_PASSWORD:-}/" \ - > /synapse/config/conf.d/secrets.yaml - - /matrix-synapse synapse.app.{{ $worker }} -c /synapse/config/{{ $name }}.worker - env: - {{- if $.Values.postgresql.enabled }} - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "matrix-synapse.postgresql.fullname" $ }} - key: postgresql-password - {{- end }} - {{- if and $.Values.redis.enabled (default $.Values.redis.usePassword true) }} - - name: REDIS_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "matrix-synapse.redis.fullname" $ }} - key: redis-password - {{- end }} - {{- with default $config.extraEnv $default.extraEnv }} - {{ . 
| toYaml }} - {{- end }} - securityContext: - {{- $config.securityContext | default $default.securityContext | toYaml | nindent 12 }} - image: "{{ $.Values.image.repository }}:{{ $.Chart.AppVersion }}" - imagePullPolicy: {{ $.Values.image.pullPolicy }} - ports: - - name: metrics - containerPort: 9090 - protocol: TCP - {{- if $config.listeners }} - - name: listener - containerPort: 8083 - protocol: TCP - livenessProbe: - tcpSocket: - port: listener - readinessProbe: - tcpSocket: - port: listener - {{- end }} - resources: - {{- $config.resources | default $default.resources | toYaml | nindent 12 }} - volumeMounts: - - name: config - mountPath: /synapse/config - - name: tmpconf - mountPath: /synapse/config/conf.d - - name: secrets - mountPath: /synapse/secrets - - name: signingkey - mountPath: /synapse/keys - {{- if eq $name "media-repository" }} - - name: media - mountPath: /synapse/data - {{- end }} - {{- with $config.volumeMounts | default $default.volumeMounts }} - {{ . | toYaml | nindent 12 }} - {{- end }} - {{- with $config.nodeSelector | default $default.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with $config.affinity | default $default.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with $config.tolerations | default $default.tolerations }} - tolerations: - {{- toYaml . 
| nindent 8 }} - {{- end }} - volumes: - - name: config - configMap: - name: {{ include "matrix-synapse.fullname" $ }} - - name: secrets - secret: - secretName: {{ include "matrix-synapse.fullname" $ }} - - name: signingkey - secret: - secretName: {{ default $.Values.signingkey.existingSecret (include "matrix-synapse.workername" (dict "global" $ "worker" "signingkey")) | quote }} - items: - - key: {{ default $.Values.signingkey.existingSecretKey "signing.key" | quote }} - path: signing.key - - name: tmpconf - emptyDir: {} - {{- if eq $name "media-repository" }} - - name: media - {{- if $.Values.persistence.enabled }} - persistentVolumeClaim: - claimName: {{ default $.Values.persistence.existingClaim (include "matrix-synapse.fullname" $) }} - {{- else }} - emptyDir: {} - {{- end }} - {{- end }} - {{- with $config.volumes }} - {{ . | toYaml | nindent 8 }} - {{- end }} -{{- end }} -{{- end }} diff --git a/charts-wip/matrix-synapse/templates/ingress.yaml b/charts-wip/matrix-synapse/templates/ingress.yaml index 7a41823..1772e82 100644 --- a/charts-wip/matrix-synapse/templates/ingress.yaml +++ b/charts-wip/matrix-synapse/templates/ingress.yaml @@ -1,6 +1,6 @@ {{- if .Values.ingress.enabled -}} {{- $fullName := include "matrix-synapse.fullname" . -}} -{{- $wkName := include "matrix-synapse.workername" (dict "global" . "worker" "wellknown-lighttpd") -}} +{{- $wkName := include "matrix-synapse.externalname" (dict "global" . "external" "wellknown-lighttpd") -}} {{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} apiVersion: networking.k8s.io/v1beta1 {{- else -}} 
@@ -27,51 +27,88 @@ spec: {{- end }} {{- end }} rules: - {{- $hosts := .Values.ingress.hosts }} - {{- if default .Values.ingress.includeServerName true }} - {{- $hosts = concat (list .Values.config.serverName) $hosts }} + {{- $csHosts := .Values.ingress.csHosts }} + {{- if .Values.ingress.includeServerName }} + {{- $csHosts = concat (list .Values.config.serverName) $csHosts }} {{- end }} + {{- $s2sHosts := .Values.ingress.hosts }} + {{- if .Values.ingress.includeServerName }} + {{- $s2sHosts = concat (list .Values.config.serverName) $s2sHosts }} + {{- end }} + {{- $wkHosts := .Values.ingress.wkHosts }} + {{- if .Values.ingress.includeServerName }} + {{- $wkHosts = concat (list .Values.config.serverName) $wkHosts }} + {{- end }} + {{- $hosts := uniq (concat $s2sHosts $csHosts $wkHosts) }} {{- range $hosts }} + {{- $host := . }} - host: {{ . | quote }} http: paths: {{- $default := $.Values.workers.default }} {{- range $worker, $config := $.Values.workers }} {{- $name := $worker | replace "_" "-" }} - {{- if and $config.enabled $config.listeners $config.paths }} + {{- if and $config.enabled $config.listeners (or $config.paths $config.csPaths) }} {{- $service := include "matrix-synapse.workername" (dict "global" $ "worker" $name) }} - {{- range $config.paths }} - {{- if $.Values.ingress.traefikPaths }} + {{- if has $host $csHosts }} + {{- range $config.csPaths }} + {{- if $.Values.ingress.traefikPaths }} - path: {{ printf "/{path:%s}" (trimPrefix "/" .) | quote }} backend: serviceName: {{ $service }} servicePort: 8083 - {{- else }} + {{- else }} - path: {{ . | quote }} backend: serviceName: {{ $service }} servicePort: 8083 + {{- end }} + {{- end }} + {{- end }} + {{- if has $host $s2sHosts }} + {{- range $config.paths }} + {{- if $.Values.ingress.traefikPaths }} + - path: {{ printf "/{path:%s}" (trimPrefix "/" .) | quote }} + backend: + serviceName: {{ $service }} + servicePort: 8083 + {{- else }} + - path: {{ . 
| quote }} + backend: + serviceName: {{ $service }} + servicePort: 8083 + {{- end }} {{- end }} {{- end }} {{- end }} {{- end }} + {{- if has . $csHosts }} + {{- with $.Values.ingress.csPaths }} + {{ . | toYaml | nindent 10 }} + {{- end }} + {{- end }} + {{- if has . $s2sHosts }} {{- with $.Values.ingress.paths }} {{ . | toYaml | nindent 10 }} {{- end }} + {{- end }} + {{- if or (has . $csHosts) (has . $s2sHosts) }} - path: /_matrix backend: serviceName: {{ $fullName }} servicePort: 8008 + {{- end }} - {{- if $.Values.ingress.includeUnderscoreSynapse }} + {{- if and (has . $csHosts) $.Values.ingress.includeUnderscoreSynapse }} - path: /_synapse backend: serviceName: {{ $fullName }} servicePort: 8008 {{- end }} + {{- if has . $wkHosts }} - path: /.well-known/matrix/client backend: serviceName: {{ $fullName }} @@ -83,5 +120,6 @@ spec: serviceName: {{ $wkName }} servicePort: 80 {{- end }} + {{- end }} {{- end }} {{- end }} diff --git a/charts-wip/matrix-synapse/templates/secrets.yaml b/charts-wip/matrix-synapse/templates/secrets.yaml index a325d7c..4a758fe 100644 --- a/charts-wip/matrix-synapse/templates/secrets.yaml +++ b/charts-wip/matrix-synapse/templates/secrets.yaml 
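Review bot: `uniq (concat $s2sHosts $csHosts $wkHosts)` will fail to render when `ingress.csHosts` or `ingress.wkHosts` is absent from the values, because in my reading of Sprig `concat` panics on a nil argument instead of treating it as an empty list; either define both as `[]` in values.yaml or write `{{- $csHosts := .Values.ingress.csHosts | default list }}` (and likewise for `wkHosts`). The change from `default .Values.ingress.includeServerName true` to a bare `if .Values.ingress.includeServerName` also flips the behaviour for an unset key from true to false, which the README in this commit does not mention — confirm values.yaml sets `includeServerName: true` explicitly. Routing `/_synapse` only on client hosts and only with `includeUnderscoreSynapse` is a sensible narrowing, since that prefix carries the admin API.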
@@ -12,26 +12,30 @@ stringData: recaptcha_private_key: {{ .Values.config.recaptcha.privateKey | quote }} {{- end }} - {{- if .Values.config.turnSecret }} + ## Turn ## turn_shared_secret: {{ .Values.config.turnSecret | quote }} - {{- end }} + {{- end }} ## Registration ## registration_shared_secret: {{ .Values.config.registrationSharedSecret | default (randAlphaNum 24) | quote }} ## API Configuration ## - macaroon_secret_key: {{ required "You must specify a macaroon as config.macaroonSecretKey" .Values.config.macaroonSecretKey | quote }} + {{- if .Values.config.macaroonSecretKey }} + + macaroon_secret_key: {{ .Values.config.macaroonSecretKey | quote }} + {{- end }} {{- $postgresHost := include "matrix-synapse.postgresql.host" . }} {{- $postgresDB := include "matrix-synapse.postgresql.database" . }} {{- $postgresUser := include "matrix-synapse.postgresql.username" . }} {{- $postgresPort := include "matrix-synapse.postgresql.port" . }} {{- $postgresPass := include "matrix-synapse.postgresql.password" . }} + ## Database configuration ## database: @@ -52,6 +56,7 @@ stringData: {{- $redisHost := include "matrix-synapse.redis.host" . }} {{- $redisPort := include "matrix-synapse.redis.port" . }} {{- $redisPass := include "matrix-synapse.redis.password" . }} + ## Redis configuration ## redis: diff --git a/charts-wip/matrix-synapse/templates/signing-key-job.yaml b/charts-wip/matrix-synapse/templates/signing-key-job.yaml index 0720795..941ea46 100644 --- a/charts-wip/matrix-synapse/templates/signing-key-job.yaml +++ b/charts-wip/matrix-synapse/templates/signing-key-job.yaml @@ -26,7 +26,7 @@ rules: resources: - secrets resourceNames: - - {{ $secretName }} + - {{ $secretName }} verbs: - get - update diff --git a/charts-wip/matrix-synapse/templates/tests/test-connection.yaml b/charts-wip/matrix-synapse/templates/tests/test-connection.yaml index 59b4a7a..b53f310 100644 --- a/charts-wip/matrix-synapse/templates/tests/test-connection.yaml 
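Review bot: Dropping `required` on `macaroon_secret_key` means an install without `config.macaroonSecretKey` renders no key at all, and Synapse then falls back to a derived value — in the versions I know, `registration_shared_secret` when present — which here defaults to `randAlphaNum 24` and is re-evaluated on every `helm upgrade`, so the effective macaroon key would change on each upgrade and invalidate every access token; keep the `required`, or document in values.yaml that `config.macaroonSecretKey` must be set for a stable installation. The same re-evaluation concern applies to the `registration_shared_secret` context line, though it predates this commit. The `{{- if .Values.config.turnSecret }}` guard appears removed in this hunk while its `{{- end }}` is kept; confirm this is only an artefact of the collapsed diff. The stray blank line added between `{{- if .Values.config.macaroonSecretKey }}` and `macaroon_secret_key:` is harmless but should go.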
+++ b/charts-wip/matrix-synapse/templates/tests/test-connection.yaml @@ -4,7 +4,7 @@ kind: Pod metadata: name: "{{ include "matrix-synapse.fullname" . }}-test-connection" labels: -{{ include "matrix-synapse.labels" . | nindent 4 }} + {{- include "matrix-synapse.labels" . | nindent 4 }} annotations: "helm.sh/hook": test-success spec: diff --git a/charts-wip/matrix-synapse/templates/well-known.yaml b/charts-wip/matrix-synapse/templates/well-known.yaml index 8fe8ff3..ee662c7 100644 --- a/charts-wip/matrix-synapse/templates/well-known.yaml +++ b/charts-wip/matrix-synapse/templates/well-known.yaml @@ -1,5 +1,5 @@ {{- if .Values.wellknown.enabled }} -{{- $wkName := include "matrix-synapse.workername" (dict "global" . "worker" "wellknown-lighttpd") -}} +{{- $wkName := include "matrix-synapse.externalname" (dict "global" . "external" "wellknown-lighttpd") -}} --- apiVersion: v1 kind: ConfigMap @@ -10,9 +10,6 @@ metadata: component: well-known data: lighttpd.conf: | - var.basedir = "/var/www/localhost" - var.logdir = "/var/log/lighttpd" - var.statedir = "/var/lib/lighttpd" server.modules = ( "mod_rewrite", "mod_status", @@ -21,13 +18,13 @@ data: include "mime-types.conf" server.username = "lighttpd" server.groupname = "lighttpd" - server.document-root = var.basedir + "/htdocs" + server.document-root = {{ .Values.wellknown.htdocsPath | quote }} server.pid-file = "/run/lighttpd.pid" server.errorlog = "/dev/stderr" - status.status-url = "/server-status" url.rewrite-once = ( "^/\.well-known/matrix/server" => "/server.json" ) + status.status-url = "/server-status" accesslog.filename = "/dev/stderr" server.json: |- @@ -59,7 +56,7 @@ metadata: {{- include "matrix-synapse.labels" . | nindent 4 }} component: well-known spec: - replicas: {{ default .Values.wellknown.replicaCount 1 }} + replicas: {{ .Values.wellknown.replicaCount | default 1 }} selector: matchLabels: {{- include "matrix-synapse.selectorLabels" . | nindent 6 }} 
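Review bot: `status.status-url = "/server-status"` is re-added unconditionally, so the lighttpd pod serves an unauthenticated mod_status page on its in-cluster Service even though the ingress only routes `/.well-known/matrix/*` to it; if it is not needed for a probe, drop the line and `"mod_status"` from `server.modules`, or add a comment saying why it is kept. `server.document-root = {{ .Values.wellknown.htdocsPath | quote }}` is fine, but an empty `htdocsPath` still yields a syntactically valid config pointing at `""`; `{{ required "wellknown.htdocsPath must be set" .Values.wellknown.htdocsPath | quote }}` would fail at render time instead. The `replicas` change corrects the argument order of `default`, which previously always yielded 1.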
@@ -72,10 +69,15 @@ spec: {{- include "matrix-synapse.selectorLabels" . | nindent 8 }} component: well-known spec: + {{- include "matrix-synapse.imagePullSecrets" . | nindent 6 }} + securityContext: + {{- toYaml .Values.wellknown.podSecurityContext | nindent 8 }} containers: - name: lighttpd - image: m4rcu5/lighttpd - imagePullPolicy: Always + image: "{{ .Values.wellknown.image.repository }}:{{ .Values.wellknown.image.tag }}" + imagePullPolicy: {{ .Values.wellknown.image.pullPolicy }} + securityContext: + {{- toYaml .Values.wellknown.securityContext | nindent 12 }} ports: - containerPort: 80 name: http @@ -91,11 +93,25 @@ spec: - mountPath: /etc/lighttpd/lighttpd.conf name: files subPath: lighttpd.conf - - mountPath: /var/www/localhost/htdocs/server.json + - mountPath: {{ .Values.wellknown.htdocsPath }}/server.json name: files subPath: server.json + resources: + {{- toYaml .Values.wellknown.resources | nindent 12 }} volumes: - name: files configMap: name: {{ $wkName }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} {{- end }} diff --git a/charts-wip/matrix-synapse/templates/worker-configuration.yaml b/charts-wip/matrix-synapse/templates/worker-configuration.yaml new file mode 100644 index 0000000..60cd51f --- /dev/null +++ b/charts-wip/matrix-synapse/templates/worker-configuration.yaml 
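Review bot: The new `nodeSelector` / `affinity` / `tolerations` blocks on the lighttpd Deployment read the top-level `.Values.nodeSelector`, `.Values.affinity` and `.Values.tolerations`, while the values.yaml hunk in this commit moves the Synapse pod's equivalents under `synapse:`; if no top-level keys remain these never render, and if they are meant to be per-component they should be `.Values.wellknown.nodeSelector` and so on — either way the intended scope should be stated in values.yaml. `image: "{{ .Values.wellknown.image.repository }}:{{ .Values.wellknown.image.tag }}"` renders an invalid `repo:` reference when `tag` is unset; pin a tag in values.yaml or wrap it in `required`. Adding pod and container securityContext plus resources to this pod is a good hardening step.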
@@ -0,0 +1,41 @@ +{{- $wkName := include "matrix-synapse.workername" (dict "global" . "worker" "workers") -}} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ $wkName }} + labels: + {{- include "matrix-synapse.labels" . | nindent 4 }} +data: +{{- $default := .Values.workers.default -}} +{{- range $worker, $config := .Values.workers -}} + {{- if $config.enabled -}} + {{- $name := $worker | replace "_" "-" }} + + {{ $name }}.worker: | + worker_app: "synapse.app.{{ $worker }}" + + worker_main_http_uri: http://{{ include "matrix-synapse.fullname" $ }}:8008 + worker_replication_host: {{ include "matrix-synapse.replicationname" $ | quote }} + worker_replication_http_port: 9093 + + worker_listeners: + - type: http + bind_addresses: ['0.0.0.0'] + tls: false + port: 9090 + resources: + - names: [metrics] + compress: false + {{- if $config.listeners }} + - type: http + tls: false + port: 8083 + resources: + - names: {{- toYaml $config.listeners | nindent 14 }} + compress: false + {{- end }} + + worker_log_config: /synapse/config/log.yaml + {{- end }} +{{- end }} diff --git a/charts-wip/matrix-synapse/templates/worker-deployment.yaml b/charts-wip/matrix-synapse/templates/worker-deployment.yaml new file mode 100644 index 0000000..a4f1c42 --- /dev/null +++ b/charts-wip/matrix-synapse/templates/worker-deployment.yaml 
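Review bot: `$default` is assigned right after `data:` but never used in this file, so the line and its `-}}` chomping should go. The `range` over `.Values.workers` also visits the `default` entry, so `workers.default.enabled: true` would render a `default.worker` for the nonexistent app `synapse.app.default`; `{{- if and $config.enabled (ne $worker "default") }}` guards that. The metrics listener binds `0.0.0.0` without TLS, which is fine for in-cluster scraping but worth a comment such as `# metrics listener; reachable cluster-wide, restrict with a NetworkPolicy if needed`.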
@@ -0,0 +1,171 @@ +{{- $needsVolumePermissions := and .Values.volumePermissions.enabled (or .Values.persistence.enabled .Values.persistence.existingClaim) }} +{{- $default := .Values.workers.default }} +{{- range $worker, $config := .Values.workers }} +{{- if $config.enabled }} +{{- $name := $worker | replace "_" "-" }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "matrix-synapse.workername" (dict "global" $ "worker" $name) }} + labels: + {{- include "matrix-synapse.labels" $ | nindent 4 }} + app.kubernetes.io/component: {{ $name }} +spec: + replicas: {{ $config.replicaCount | default $default.replicaCount }} + selector: + matchLabels: + {{- include "matrix-synapse.selectorLabels" $ | nindent 6 }} + app.kubernetes.io/component: {{ $name }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configuration.yaml") $ | sha256sum }} + checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") $ | sha256sum }} + {{- with ($config.annotations | default $default.annotations) }} + {{ . | toYaml | nindent 8 }} + {{- end }} + labels: + {{- include "matrix-synapse.selectorLabels" $ | nindent 8 }} + app.kubernetes.io/component: {{ $name }} + {{- with ($config.labels | default $default.labels) }} + {{ . | toYaml | nindent 8 }} + {{- end }} + spec: + {{- with $.Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . 
| nindent 8 }} + {{- end }} + securityContext: + {{- $config.podSecurityContext | default $default.podSecurityContext | toYaml | nindent 8 }} + {{- if and $needsVolumePermissions (eq $name "media-repository") }} + initContainers: + - name: volume-permissions + command: ["chown", "-R", "666:666", "/synapse/data"] + image: "{{ $.Values.volumePermissions.repository }}:{{ $.Values.volumePermissions.tag }}" + imagePullPolicy: {{ $.Values.volumePermissions.pullPolicy }} + securityContext: + runAsUser: 0 + resources: {{ $.Values.volumePermissions.resources | toYaml | nindent 10 }} + volumeMounts: + - name: media + mountPath: /synapse/data + {{- end }} + containers: + - name: {{ $name }} + command: + - sh + - -c + - | + cat /synapse/secrets/*.yaml | \ + sed -e "s/@@POSTGRES_PASSWORD@@/${POSTGRES_PASSWORD:-}/" \ + -e "s/@@REDIS_PASSWORD@@/${REDIS_PASSWORD:-}/" \ + > /synapse/config/conf.d/secrets.yaml + + /matrix-synapse synapse.app.{{ $worker }} -c /synapse/config/{{ $name }}.worker + env: + {{- if $.Values.postgresql.enabled }} + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "matrix-synapse.postgresql.fullname" $ }} + key: postgresql-password + {{- end }} + {{- if and $.Values.redis.enabled (default $.Values.redis.usePassword true) }} + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "matrix-synapse.redis.fullname" $ }} + key: redis-password + {{- end }} + {{- with $config.extraEnv | default $default.extraEnv }} + {{ . 
| toYaml }} + {{- end }} + securityContext: + {{- $config.securityContext | default $default.securityContext | toYaml | nindent 12 }} + image: "{{ $.Values.image.repository }}:{{ $.Chart.AppVersion }}" + imagePullPolicy: {{ $.Values.image.pullPolicy }} + ports: + - name: metrics + containerPort: 9090 + protocol: TCP + {{- if $config.listeners }} + - name: listener + containerPort: 8083 + protocol: TCP + livenessProbe: + tcpSocket: + port: listener + readinessProbe: + tcpSocket: + port: listener + {{- end }} + resources: + {{- $config.resources | default $default.resources | toYaml | nindent 12 }} + volumeMounts: + - name: config + mountPath: /synapse/config/homeserver.yaml + subPath: homeserver.yaml + - name: config + mountPath: /synapse/config/log.yaml + subPath: log.yaml + - name: worker-config + mountPath: /synapse/config/{{ $name }}.worker + subPath: {{ $name }}.worker + - name: tmpconf + mountPath: /synapse/config/conf.d + - name: secrets + mountPath: /synapse/secrets + - name: signingkey + mountPath: /synapse/keys + {{- if eq $name "media-repository" }} + - name: media + mountPath: /synapse/data + {{- end }} + {{- with $config.volumeMounts | default $default.volumeMounts }} + {{ . | toYaml | nindent 12 }} + {{- end }} + {{- with $config.nodeSelector | default $default.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with $config.affinity | default $default.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with $config.tolerations | default $default.tolerations }} + tolerations: + {{- toYaml . 
| nindent 8 }} + {{- end }} + volumes: + - name: config + configMap: + name: {{ include "matrix-synapse.fullname" $ }} + - name: worker-config + configMap: + name: {{ include "matrix-synapse.workername" (dict "global" $ "worker" "workers") }} + - name: secrets + secret: + secretName: {{ include "matrix-synapse.fullname" $ }} + - name: signingkey + secret: + secretName: {{ $.Values.signingkey.existingSecret | default (include "matrix-synapse.workername" (dict "global" $ "worker" "signingkey")) | quote }} + items: + - key: {{ $.Values.signingkey.existingSecretKey | default "signing.key" | quote }} + path: signing.key + - name: tmpconf + emptyDir: {} + {{- if eq $name "media-repository" }} + - name: media + {{- if $.Values.persistence.enabled }} + persistentVolumeClaim: + claimName: {{ $.Values.persistence.existingClaim | (include "matrix-synapse.fullname" $) }} + {{- else }} + emptyDir: {} + {{- end }} + {{- end }} + {{- with $config.volumes }} + {{ . | toYaml | nindent 8 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts-wip/matrix-synapse/values.yaml b/charts-wip/matrix-synapse/values.yaml index fc790ad..b6ae0c3 100644 --- a/charts-wip/matrix-synapse/values.yaml +++ b/charts-wip/matrix-synapse/values.yaml @@ -109,7 +109,7 @@ config: # bind_addresses: ['::'] # type: manhole -## Specify arbitrary synapse configuration here; +## Specify arbitrary Synapse configuration here; ## extraConfig: {} # use_presence: false 
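Review bot: `claimName: {{ $.Values.persistence.existingClaim | (include "matrix-synapse.fullname" $) }}` is missing `default`, so piping a value into a parenthesised string is a template error whenever a media-repository worker is enabled with persistence; it should match deployment.yaml in this commit: `claimName: {{ $.Values.persistence.existingClaim | default (include "matrix-synapse.fullname" $) }}`. The worker pods also still use `{{- with $.Values.imagePullSecrets }}` rather than the new `matrix-synapse.imagePullSecrets` helper the main Deployment switched to, and pin `{{ $.Chart.AppVersion }}` instead of `include "matrix-synapse.imageTag"`, so an `image.tag` override gives a main process and workers running different Synapse versions against one database. The `volume-permissions` init container reads `volumePermissions.repository` / `.tag`, which disagrees with the `volumePermissions.image.pullSecrets` path the new helper uses; one layout should be chosen.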
@@ -119,99 +119,72 @@ extraConfig: {} # - nyc.example.com # - syd.example.com -## Annotations to apply to the main Synapse pod. +## Configuration to apply to the main Synapse pod. ## -annotations: {} -# prometheus.io/scrape: "true" -# prometheus.io/port: 9090 +synapse: + ## Annotations to apply to the main Synapse pod. + ## + annotations: {} + # prometheus.io/scrape: "true" + # prometheus.io/port: 9090 -## Labels to apply to the main Synapse pod. -## -labels: {} + ## Labels to apply to the main Synapse pod. + ## + labels: {} -## Additional environment variables to apply to the main Synapse pod -## -extraEnv: {} -# - name: USE_JEMALLOC -# value: "1" -# - name: SYNAPSE_CACHE_FACTOR -# value: "2" + ## Additional environment variables to apply to the main Synapse pod + ## + extraEnv: {} + # - name: USE_JEMALLOC + # value: "1" + # - name: SYNAPSE_CACHE_FACTOR + # value: "2" -## This will set up a Lighttpd server to respond to any -## /.well-known/matrix/server requests, to make federation possible without any -## DNS changes. -## -wellknown: - enabled: false - # host: matrix.example.com - # port: 443 + ## Configuration for the pod security policy, Synapse will by default run as its + ## own user, even if not set. + ## Note that changing this may also require you to use the volumePermission + ## helper depending on your storage. + ## + ## NB; The synapse install is currently unable to run as anything but UID:GID + ## 666:666. + ## + podSecurityContext: {} + # fsGroup: 666 + # runAsGroup: 666 + # runAsUser: 666 -## This configuration is for setting up the internally provided Postgres server, -## if you instead want to use an existing server, then you may want to set -## enabled to false and configure the externalPostgresql block. -## -postgresql: - enabled: true + ## Configuration for the container security policy, refer to the above + ## podSecurityContext for more relevant information. 
+ ## + securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 666 - postgresqlUsername: synapse - postgresqlDatabase: synapse + ## Resources to apply to the main Synapse pod. + ## + resources: {} + # limits: + # cpu: 1000m + # memory: 2500Mi + # requests: + # cpu: 1000m + # memory: 2500Mi - postgresqlInitdbArgs: "--lc-collate=C --lc-ctype=C" + ## Node selectors to set for the main Synapse pod. + ## + nodeSelector: {} - persistence: - size: 16G + ## Tolerations to set for the main Synapse pod. + ## + tolerations: [] -## An externally configured Postgres server to use for Synapse's database, note -## that the database needs to have both COLLATE and CTYPE set to "C". -## -externalPostgresql: - # host: postgres - port: 5432 - username: synapse - # password: synapse - database: synapse - # sslMode: require - -## This configuration is for the internal Redis that's deployed for use with -## workers/sharding, for an external Redis server you want to set enabled to -## false and configure the externalRedis block. -## -redis: - enabled: true - - # usePassword: false - # password: synapse - cluster: - enabled: false - master: - persistence: - ## Note that Synapse only uses redis as a synchronization utility, so no - ## data will ever need to be persisted. - ## - enabled: false - statefulset: - updateStrategy: RollingUpdate - -## An externally configured Redis server to use for workers/sharding. -## -externalRedis: - # host: redis - port: 6379 - # password: synapse - -## Persistence configuration for the media repository function. -## This PVC will be mounted in either Synapse or a media_repo worker. -## -## NB; If you want to be able to scale this, you will have to set the -## accessMode to RWX/ReadWriteMany. -## -persistence: - enabled: true - # existingClaim: synapse-data - - # storageClass: "-" - accessMode: ReadWriteOnce - size: 10Gi + ## Affinity to set for the main Synapse pod. 
+ ## + affinity: {} ## Configuration for handling Synapse workers, which are useful for handling ## high-load deployments. @@ -300,11 +273,33 @@ workers: generic_worker: enabled: false listeners: [client, federation] - paths: + csPaths: # - "/_matrix/client/(v2_alpha|r0)/sync" - "/_matrix/client/(api/v1|v2_alpha|r0)/events" # - "/_matrix/client/(api/v1|r0)/initialSync" # - "/_matrix/client/(api/v1|r0)/rooms/[^/]+/initialSync" + - "/_matrix/client/(api/v1|r0|unstable)/publicRooms" + - "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/joined_members" + - "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/context/.*" + - "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/members" + - "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/state" + - "/_matrix/client/(api/v1|r0|unstable)/account/3pid" + - "/_matrix/client/(api/v1|r0|unstable)/keys/query" + - "/_matrix/client/(api/v1|r0|unstable)/keys/changes" + - "/_matrix/client/versions" + - "/_matrix/client/(api/v1|r0|unstable)/voip/turnServer" + - "/_matrix/client/(api/v1|r0|unstable)/joined_groups" + - "/_matrix/client/(api/v1|r0|unstable)/publicised_groups" + - "/_matrix/client/(api/v1|r0|unstable)/publicised_groups/" + - "/_matrix/client/(api/v1|r0|unstable)/login" + - "/_matrix/client/(r0|unstable)/register" + - "/_matrix/client/(r0|unstable)/auth/.*/fallback/web" + - "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/send" + - "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/state/" + - "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)" + - "/_matrix/client/(api/v1|r0|unstable)/join/" + - "/_matrix/client/(api/v1|r0|unstable)/profile/" + paths: - "/_matrix/federation/v1/event/" - "/_matrix/federation/v1/state/" - "/_matrix/federation/v1/state_ids/" 
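Review bot: Moving `annotations`, `labels`, `extraEnv`, `podSecurityContext`, `securityContext`, `resources`, `nodeSelector`, `tolerations` and `affinity` under the new `synapse:` key silently orphans the same keys in any existing values file, because Helm ignores unknown top-level keys rather than rejecting them; a user who had hardened `securityContext` with the commented `drop: - ALL` / `readOnlyRootFilesystem: true` / `runAsNonRoot: true` examples would quietly fall back to `{}` on upgrade. Nothing in the hunk documents the move. Suggest a comment directly under `synapse:` such as `## NB; These settings used to live at the top level of values.yaml; top-level copies are now ignored.`, and, if the chart gains a values schema, `additionalProperties: false` at the root so stale keys fail at install time instead of being dropped.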
@@ -327,27 +322,6 @@ workers: - "/_matrix/federation/v1/get_groups_publicised" - "/_matrix/key/v2/query" - "/_matrix/federation/v1/send/" - - "/_matrix/client/(api/v1|r0|unstable)/publicRooms" - - "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/joined_members" - - "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/context/.*" - - "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/members" - - "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/state" - - "/_matrix/client/(api/v1|r0|unstable)/account/3pid" - - "/_matrix/client/(api/v1|r0|unstable)/keys/query" - - "/_matrix/client/(api/v1|r0|unstable)/keys/changes" - - "/_matrix/client/versions" - - "/_matrix/client/(api/v1|r0|unstable)/voip/turnServer" - - "/_matrix/client/(api/v1|r0|unstable)/joined_groups" - - "/_matrix/client/(api/v1|r0|unstable)/publicised_groups" - - "/_matrix/client/(api/v1|r0|unstable)/publicised_groups/" - - "/_matrix/client/(api/v1|r0|unstable)/login" - - "/_matrix/client/(r0|unstable)/register" - - "/_matrix/client/(r0|unstable)/auth/.*/fallback/web" - - "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/send" - - "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/state/" - - "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)" - - "/_matrix/client/(api/v1|r0|unstable)/join/" - - "/_matrix/client/(api/v1|r0|unstable)/profile/" ## This worker deals with pushing notifications. ## NB; Only one instance of this worker can be run at a time, refer to the 
@@ -374,20 +348,22 @@ workers: media_repository: enabled: false listeners: [media] - paths: + csPaths: - "/_matrix/media/" - "/_synapse/admin/v1/purge_media_cache" - "/_synapse/admin/v1/room/.*/media.*" - "/_synapse/admin/v1/user/.*/media.*" - "/_synapse/admin/v1/media/.*" - "/_synapse/admin/v1/quarantine_media/.*" + paths: + - "/_matrix/media/" ## This worker deals with user directory searches. ## user_dir: enabled: false listeners: [client] - paths: + csPaths: - "/_matrix/client/(api/v1|r0|unstable)/user_directory/search" ## This worker handles key uploads, and may also stub out presence if that is 
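Review bot: The media_repository `csPaths` list keeps the six `/_synapse/admin/v1/...` regexes (purge, quarantine, per-room and per-user media) on the Client-to-Server side while the new federation `paths` list carries only `/_matrix/media/`, which is the right split, but the hunk does not say whether these admin regexes honour the ingress option that controls whether `/_synapse` is exposed at all. If the ingress template adds worker `csPaths` unconditionally (not visible here), the media admin endpoints would be routed on the client hosts even when that option is off. Worth confirming against the template and then documenting above the admin entries, e.g. `# NB; Admin endpoints - routed on the client hosts whenever this worker is enabled.` or the opposite once verified.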
@@ -397,10 +373,147 @@ workers: frontend_proxy: enabled: false listeners: [client] - paths: + csPaths: - "/_matrix/client/(api/v1|r0|unstable)/keys/upload" # - "/_matrix/client/(api/v1|r0|unstable)/presence/[^/]+/status" +## This will set up a Lighttpd server to respond to any +## /.well-known/matrix/server requests, to make federation possible without +## adding SRV-records to DNS. +## +wellknown: + enabled: false + replicaCount: 1 + + ## The host and port combo to serve on .well-known/matrix/server. + ## + # host: matrix.example.com + # port: 443 + + ## A custom htdocs path, useful when running another image. + ## + htdocsPath: /var/www/localhost/htdocs + + ## The lighttpd image to run. + ## + image: + repository: m4rcu5/lighttpd + tag: latest + pullPolicy: Always + + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + + ## Configuration for the pod security policy. + ## + podSecurityContext: {} + # fsGroup: 101 + # runAsGroup: 101 + # runAsUser: 100 + + ## Configuration for the container security policy. + ## + securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 100 + + ## Resource configuration to apply to the well-known server. + ## + resources: {} + # limits: + # cpu: 5m + # memory: 15Mi + # requests: + # cpu: 5m + # memory: 15Mi + + ## Node selectors to set for the well-known server. + ## + nodeSelector: {} + + ## Tolerations to set for the well-known server. + ## + tolerations: [] + + ## Affinity to set for the main well-known server. + ## + affinity: {} + +## This configuration is for setting up the internally provided Postgres server, +## if you instead want to use an existing server, then you may want to set +## enabled to false and configure the externalPostgresql block. 
+## +postgresql: + enabled: true + + postgresqlUsername: synapse + postgresqlDatabase: synapse + + postgresqlInitdbArgs: "--lc-collate=C --lc-ctype=C" + + persistence: + size: 16G + +## An externally configured Postgres server to use for Synapse's database, note +## that the database needs to have both COLLATE and CTYPE set to "C". +## +externalPostgresql: + # host: postgres + port: 5432 + username: synapse + # password: synapse + database: synapse + # sslMode: require + +## This configuration is for the internal Redis that's deployed for use with +## workers/sharding, for an external Redis server you want to set enabled to +## false and configure the externalRedis block. +## +redis: + enabled: true + + # usePassword: false + # password: synapse + cluster: + enabled: false + master: + persistence: + ## Note that Synapse only uses redis as a synchronization utility, so no + ## data will ever need to be persisted. + ## + enabled: false + statefulset: + updateStrategy: RollingUpdate + +## An externally configured Redis server to use for workers/sharding. +## +externalRedis: + # host: redis + port: 6379 + # password: synapse + +## Persistence configuration for the media repository function. +## This PVC will be mounted in either Synapse or a media_repo worker. +## +## NB; If you want to be able to scale this, you will have to set the +## accessMode to RWX/ReadWriteMany. +## +persistence: + enabled: true + # existingClaim: synapse-data + + # storageClass: "-" + accessMode: ReadWriteOnce + size: 10Gi + ## Set up an init container to chown the mounted media if necessary. ## volumePermissions: 
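Review bot: The new `wellknown.image` block pins `m4rcu5/lighttpd` to `tag: latest` with `pullPolicy: Always`, so every pod restart may pull a different, unverified image from a personal Docker Hub namespace. This container answers `/.well-known/matrix/server`, i.e. it tells every remote homeserver where federation traffic for this server name should go, so a changed or tampered image silently redirects federation. Prefer a versioned tag and ideally a digest, e.g. `tag: "<PINNED_VERSION>"` with `## Pin to a specific version/digest; latest is not reproducible.` above it, and consider promoting the commented `securityContext` examples (`drop: - ALL`, `runAsNonRoot: true`) to defaults for this static file server, checking `readOnlyRootFilesystem` against the image's lighttpd runtime paths first.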
@@ -411,36 +524,19 @@ volumePermissions: tag: latest pullPolicy: Always + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + resources: {} # resources: # requests: # memory: 128Mi # cpu: 100m -## Configuration for the pod security policy, Synapse will by default run as its -## own user, even if not set. -## Note that changing this may also require you to use the volumePermission -## helper depending on your storage. -## -## NB; The synapse install is currently unable to run as anything but UID:GID -## 666:666. -## -podSecurityContext: {} -# fsGroup: 666 -# runAsGroup: 666 -# runAsUser: 666 - -## Configuration for the container security policy, refer to the above -## podSecurityContext for more relevant information. -## -securityContext: {} -# capabilities: -# drop: -# - ALL -# readOnlyRootFilesystem: true -# runAsNonRoot: true -# runAsUser: 666 - ## The K8s ingress configuration, this will be quite heavily used in order to set ## up all routing necessary for use with a sharded Synapse instance. ## If you're not using a Ingress compatible K8s ingress, you will need to set up 
@@ -455,19 +551,37 @@ ingress: ## Annotations to apply to the created ingress resource. ## - annotations: + annotations: {} # nginx.ingress.kubernetes.io/use-regex: "true" # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" - ## Additional hosts to add to the ingress configuration. + ## Hosts to add to the ingress configuration for handling Client-to-Server + ## API request paths. + ## + ## NB; config.serverName is included if includeServerName is set. (default) + ## + csHosts: [] + # - matrix.example.com + + ## Additional hosts to add to the ingress configuration for handling + ## Server-to-Server API requests. + ## ## NB; config.serverName is included if includeServerName is set. (default) ## hosts: [] - # - matrix.example.com + # - example.com - ## Additional paths to add to the ingress blocks, will be inserted before the - ## /_matrix and /synapse catch-all paths. + ## Additional hosts to add to the ingress configuration for handling + ## well-known requests. + ## + ## NB; config.serverName is included if includeServerName is set. (default) + ## + wkHosts: [] + # - example.com + + ## Additional paths to add to the Server-to-Server ingress blocks, will be + ## inserted before the /_matrix catch-all path. ## paths: [] # - path: /_matrix/media @@ -475,6 +589,15 @@ ingress: # serviceName: matrix-media-repo # servicePort: 8000 + ## Additional paths to add to the Client-to-Server ingress blocks, will be + ## inserted before the /_matrix and /_synapse catch-all paths. + ## + csPaths: [] + # - path: /_matrix/media + # backend: + # serviceName: matrix-media-repo + # servicePort: 8000 + ## Should the /_synapse path be included in the ingress, admin APIs are ## provided under this path. ## 
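Review bot: The three host-list comments in the ingress block are inconsistent: `csHosts` is described as "Hosts to add" while `hosts` and `wkHosts` are "Additional hosts to add", and all three repeat the same `includeServerName` note. Since `includeServerName` is set to true in this file, `config.serverName` lands in the client, federation and well-known host lists simultaneously unless the user opts out, which is worth stating once rather than three times. Suggest `## Additional hosts for Client-to-Server API request paths.` on `csHosts` and a single note above the three lists: `## NB; With includeServerName (default true), config.serverName is added to each host list below.`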
@@ -483,7 +606,7 @@ ingress: ## Should config.serverName be included in the list of ingress paths, can be ## set to false if the main domain is managed in some external way. ## - # includeServerName: false + includeServerName: true ## TLS configuration to include in the ingress configuration ## @@ -492,25 +615,3 @@ ingress: # hosts: # - example.com # - matrix.example.com - -## Resources to apply to the main Synapse pod. -## -resources: {} -# limits: -# cpu: 1000m -# memory: 2500Mi -# requests: -# cpu: 1000m -# memory: 2500Mi - -## Node selectors to set for the main Synapse pod. -## -nodeSelector: {} - -## Tolerations to set for the main Synapse pod. -## -tolerations: [] - -## Affinity to set for the main Synapse pod. -## -affinity: {}