Clean up WIP synapse chart
parent a612b3b553
commit 18be04438f
13 changed files with 653 additions and 409 deletions
|
@ -13,4 +13,46 @@ Matrix Synapse
|
||||||
|
|
||||||
## Installing
|
## Installing
|
||||||
|
|
||||||
|
To run a federating Matrix server, you need to have a publicly accessible subdomain that Kubernetes has an ingress on.
|
||||||
|
You will also require some federation guides, either in the form of a `.well-known/matrix/server` server or as an SRV record in DNS.
|
||||||
|
|
||||||
|
When using a well-known entry, you will need to have a valid cert for whatever subdomain you wish to serve Synapse on.
|
||||||
|
When using an SRV record, you will additionally need a valid cert for the main domain that you're using for your MXIDs.
|
||||||
|
|
||||||
|
## Installation Examples
|
||||||
|
|
||||||
|
Refer to [the main Synapse docs](https://github.com/matrix-org/synapse/blob/master/docs/federate.md) for more information.
|
||||||
|
|
||||||
|
### On main domain / with subdomain MXIDs
|
||||||
|
|
||||||
|
For the simplest possible Matrix install, you can run your Synapse install on the root of the domain you wish in your MXIDs.
|
||||||
|
If you - for instance - own the domain `chosenin.space` and want to run Matrix on it, you would simply install the chart as;
|
||||||
|
|
||||||
|
helm install matrix-synapse --set config.serverName=chosenin.space --set wellknown.enabled=true
|
||||||
|
|
||||||
|
This would set up Synapse with client-server and federation both exposed on `chosenin.space/_matrix`, as well as a tiny lighttpd server that responds to federation lookups on `chosenin.space/.well-known/matrix/server`.
|
||||||
|
|
||||||
|
You can also use this to run a Synapse on a subdomain, with said subdomain as part of your MXIDs; (`@user:matrix.chosenin.space` in this case)
|
||||||
|
|
||||||
|
helm install matrix-synapse --set config.serverName=matrix.chosenin.space --set wellknown.enabled=true
|
||||||
|
|
||||||
|
### On separate subdomain
|
||||||
|
|
||||||
|
If - on the other hand - you own the domain `example.com`, want your MXIDs in the form `@user:example.com`, but still want to run your Synapse on `matrix.example.com`. Then you have two options, using either DNS or well-known;
|
||||||
|
|
||||||
|
For DNS, you could install the chart as;
|
||||||
|
|
||||||
|
helm install matrix-synapse --set config.serverName=example.com --set config.publicBaseUrl=https://matrix.example.com --set ingress.includeServerName=false --set ingress.hosts={example.com} --set ingress.csHosts={matrix.example.com}
|
||||||
|
|
||||||
|
This will add only federation endpoints to `example.com`, along with client endpoints on `matrix.example.com`. You will also need to have valid certs for both `example.com` as well as `matrix.example.com` for your Synapse to use.
|
||||||
|
To get federation working with such a setup, you would need to add an SRV record to your DNS - for example;
|
||||||
|
`_matrix._tcp.example.com 10 1 443 matrix.example.com`
|
||||||
|
|
||||||
|
If you want to use a well-known file for federation instead, then your install might look more like;
|
||||||
|
|
||||||
|
helm install matrix-synapse --set config.serverName=example.com --set config.publicBaseUrl=https://matrix.example.com --set wellknown.enabled=true --set wellknown.host=matrix.example.com --set ingress.includeServerName=false --set ingress.hosts={matrix.example.com} --set ingress.csHosts={matrix.example.com} --set ingress.wkHosts={example.com}
|
||||||
|
|
||||||
|
With well-known federation, your client-to-server/public host is the one that needs to handle both client and federation traffic. On your main domain you'll instead only need something that can respond with a JSON file on the URL `example.com/.well-known/matrix/server`, which the included wellknown server will do.
|
||||||
|
When using well-known federation, your Synapse cert would only need to be valid for `matrix.example.com`.
|
||||||
|
|
||||||
|
|
||||||
|
|
|
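Review bot: The `helm install matrix-synapse --set ...` examples in this README hunk pass a single positional argument, so a reader cannot tell whether `matrix-synapse` is the release name or the chart reference; spell out both in every example. The list values such as `--set ingress.hosts={example.com}` are unquoted, and a reader who extends one to two hosts in bash will have the shell brace-expand it into separate words, so quote the `--set` arguments and put the commands in code blocks. The SRV example would also be clearer as a full zone line that names the record type.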
@ -1,9 +1,10 @@
|
||||||
** Note, this chart may take a while to finish setup, please be patient **
|
** Note, this chart may take a while to finish setup, please be patient **
|
||||||
|
|
||||||
{{- if not .Values.ingress.enabled }}
|
{{- if not .Values.ingress.enabled }}
|
||||||
|
|
||||||
Synapse has been installed without an ingress, you will need to manage
|
Synapse has been installed without an ingress, you will need to manage
|
||||||
accesses to the services yourself.
|
accesses to the services yourself.
|
||||||
{{- else }}
|
{{- else }}
|
||||||
|
|
||||||
Your Synapse install is now starting, you should soon be able to access it on
|
Your Synapse install is now starting, you should soon be able to access it on
|
||||||
the following URL(s);
|
the following URL(s);
|
||||||
{{- range (concat .Values.ingress.hosts (list .Values.config.serverName)) }}
|
{{- range (concat .Values.ingress.hosts (list .Values.config.serverName)) }}
|
||||||
|
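Review bot: The URL list in this notes template still ranges over `concat .Values.ingress.hosts (list .Values.config.serverName)`, while the ingress template in this commit only adds `config.serverName` when `ingress.includeServerName` is set and splits hosts into `csHosts`, `hosts` and `wkHosts`. For the README's `ingress.includeServerName=false` installs the notes will print the server name regardless and leave out a client host that is listed only in `ingress.csHosts`; build the list here the same way the ingress does.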
@ -19,6 +20,7 @@ set up a /.well-known/matrix/server response.
|
||||||
Refer to https://github.com/matrix-org/synapse/blob/master/docs/federate.md
|
Refer to https://github.com/matrix-org/synapse/blob/master/docs/federate.md
|
||||||
for more information.
|
for more information.
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
{{- if .Values.config.enableRegistration }}
|
{{- if .Values.config.enableRegistration }}
|
||||||
You should be able to connect to your Synapse install with any compatible
|
You should be able to connect to your Synapse install with any compatible
|
||||||
|
@ -30,6 +32,6 @@ You can create a user in your new Synapse install by running the following
|
||||||
command;
|
command;
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
||||||
kubectl exec --namespace {{ .Release.Namespace }} {{ template "matrix-synapse" . }} -- register_new_matrix_user -c /synapse/config/homeserver.yaml -c /synapse/config/conf.d/secrets.yaml -u USERNAME -p PASSWORD --admin http://localhost:8008
|
kubectl exec --namespace {{ .Release.Namespace }} {{ template "matrix-synapse.fullname" . }} -- register_new_matrix_user -c /synapse/config/homeserver.yaml -c /synapse/config/conf.d/secrets.yaml -u USERNAME -p PASSWORD --admin http://localhost:8008
|
||||||
|
|
||||||
You can also specify --no-admin to create a non-admin user.
|
You can also specify --no-admin to create a non-admin user.
|
||||||
|
|
|
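Review bot: The printed `kubectl exec` line passes `-p PASSWORD` on the command line, which leaves the password of the new account (an admin account, given `--admin`) in shell history and in the process list inside the pod; drop `-p` from the suggested command so `register_new_matrix_user` prompts for it, and add `-it` to the `kubectl exec` so the prompt works. Separately, `matrix-synapse.fullname` is the name the ingress template uses as `serviceName`, and `kubectl exec` expects a pod name, so the target probably needs a `deploy/` prefix or a label-selected pod.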
@ -25,21 +25,29 @@ If release name contains chart name it will be used as a full name.
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
{{/*
|
{{/*
|
||||||
Create a default fully qualified app name.
|
Create a default replication name.
|
||||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||||
*/}}
|
*/}}
|
||||||
{{- define "matrix-synapse.replicationname" -}}
|
{{- define "matrix-synapse.replicationname" -}}
|
||||||
{{- printf "%s-%s-%s" .Release.Name .Chart.Name "matrix-synapse-replication" | trunc 63 | trimSuffix "-" -}}
|
{{- printf "%s-%s-%s" .Release.Name .Chart.Name "replication" | trunc 63 | trimSuffix "-" -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
{{/*
|
{{/*
|
||||||
Create a default fully qualified app name.
|
Create a default worker name.
|
||||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||||
*/}}
|
*/}}
|
||||||
{{- define "matrix-synapse.workername" -}}
|
{{- define "matrix-synapse.workername" -}}
|
||||||
{{- printf "%s-%s-%s" .global.Release.Name .global.Chart.Name .worker | trunc 63 | trimSuffix "-" -}}
|
{{- printf "%s-%s-%s" .global.Release.Name .global.Chart.Name .worker | trunc 63 | trimSuffix "-" -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Create a default external component name.
|
||||||
|
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||||
|
*/}}
|
||||||
|
{{- define "matrix-synapse.externalname" -}}
|
||||||
|
{{- printf "%s-%s" .global.Release.Name .external | trunc 63 | trimSuffix "-" -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
{{/*
|
{{/*
|
||||||
Create chart name and version as used by the chart label.
|
Create chart name and version as used by the chart label.
|
||||||
*/}}
|
*/}}
|
||||||
|
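Review bot: In `matrix-synapse.replicationname`, `matrix-synapse.workername` and the new `matrix-synapse.externalname`, `trunc 63` runs after the suffix is appended, so a long release name cuts off the distinguishing part (`replication`, `.worker`, `.external`) and two components can render the same resource name. Truncate the release and chart prefix to leave room for the suffix, then append it. `externalname` also drops `.Chart.Name` where the other two keep it; if that is intentional, say so in the template comment.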
@ -74,6 +82,24 @@ app.kubernetes.io/name: {{ include "matrix-synapse.name" . }}
|
||||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Pull secrets
|
||||||
|
*/}}
|
||||||
|
{{- define "matrix-synapse.imagePullSecrets" -}}
|
||||||
|
{{- if or .Values.image.pullSecrets .Values.wellknown.image.pullSecrets .Values.volumePermissions.pullSecrets }}
|
||||||
|
imagePullSecrets:
|
||||||
|
{{- with .Values.image.pullSecrets }}
|
||||||
|
{{- . | toYaml | nindent 2 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.wellknown.image.pullSecrets }}
|
||||||
|
{{- . | toYaml | nindent 2 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.volumePermissions.image.pullSecrets }}
|
||||||
|
{{- . | toYaml | nindent 2 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
{{/*
|
{{/*
|
||||||
Create a default fully qualified app name.
|
Create a default fully qualified app name.
|
||||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||||
|
|
|
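Review bot: The guard in `matrix-synapse.imagePullSecrets` tests `.Values.volumePermissions.pullSecrets`, but the body reads `.Values.volumePermissions.image.pullSecrets`, so a values file that sets only the latter renders no `imagePullSecrets:` block at all. Use the same path in both places. The three lists are also emitted one after another as-is, so a secret named in more than one of them appears twice; collecting them into one list and piping it through `uniq` avoids that.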
@ -20,12 +20,12 @@ data:
|
||||||
class: logging.StreamHandler
|
class: logging.StreamHandler
|
||||||
formatter: precise
|
formatter: precise
|
||||||
filters: [context]
|
filters: [context]
|
||||||
level: {{ .Values.config.logLevel }}
|
level: {{ .Values.config.logLevel | default "INFO" }}
|
||||||
loggers:
|
loggers:
|
||||||
synapse:
|
synapse:
|
||||||
level: {{ .Values.config.logLevel }}
|
level: {{ .Values.config.logLevel | default "INFO" }}
|
||||||
root:
|
root:
|
||||||
level: {{ .Values.config.logLevel }}
|
level: {{ .Values.config.logLevel | default "INFO" }}
|
||||||
handlers: [console]
|
handlers: [console]
|
||||||
homeserver.yaml: |
|
homeserver.yaml: |
|
||||||
# NOTE:
|
# NOTE:
|
||||||
|
@ -116,22 +116,22 @@ data:
|
||||||
|
|
||||||
url_preview_enabled: false
|
url_preview_enabled: false
|
||||||
max_spider_size: "10M"
|
max_spider_size: "10M"
|
||||||
|
|
||||||
{{- if .Values.config.recaptcha }}
|
{{- if .Values.config.recaptcha }}
|
||||||
|
|
||||||
## Captcha ##
|
## Captcha ##
|
||||||
|
|
||||||
recaptcha_public_key: {{ .Values.config.recaptcha.publicKey | quote }}
|
recaptcha_public_key: {{ .Values.config.recaptcha.publicKey | quote }}
|
||||||
enable_registration_captcha: True
|
enable_registration_captcha: true
|
||||||
recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify"
|
recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify"
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
||||||
{{- if .Values.config.turnUris }}
|
{{- if .Values.config.turnUris }}
|
||||||
|
|
||||||
## Turn ##
|
## Turn ##
|
||||||
|
|
||||||
turn_uris:
|
turn_uris:
|
||||||
{{ toYaml .Values.config.turnUris | nindent 6 }}
|
{{ toYaml .Values.config.turnUris | nindent 6 }}
|
||||||
turn_user_lifetime: "1h"
|
turn_user_lifetime: "1h"
|
||||||
turn_allow_guests: True
|
turn_allow_guests: true
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
||||||
## Registration ##
|
## Registration ##
|
||||||
|
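Review bot: `turn_allow_guests: true` is only re-cased in this hunk, but it stays hard-coded, so any install that sets `config.turnUris` allows guest accounts to use the TURN server with no way to turn that off from values. Read it from a value (for example a `config.turnAllowGuests` key, name hypothetical) with a conservative default.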
@ -143,7 +143,7 @@ data:
|
||||||
|
|
||||||
## Metrics ###
|
## Metrics ###
|
||||||
|
|
||||||
enable_metrics: True
|
enable_metrics: true
|
||||||
report_stats: {{ .Values.config.reportStats | default false }}
|
report_stats: {{ .Values.config.reportStats | default false }}
|
||||||
|
|
||||||
## API Configuration ##
|
## API Configuration ##
|
||||||
|
@ -167,7 +167,6 @@ data:
|
||||||
servers: {{- .Values.config.perspectiveServers | toYaml | nindent 8 }}
|
servers: {{- .Values.config.perspectiveServers | toYaml | nindent 8 }}
|
||||||
|
|
||||||
## Workers ##
|
## Workers ##
|
||||||
|
|
||||||
{{- $default := .Values.workers.default }}
|
{{- $default := .Values.workers.default }}
|
||||||
{{- range $worker, $config := .Values.workers }}
|
{{- range $worker, $config := .Values.workers }}
|
||||||
{{- if $config.enabled }}
|
{{- if $config.enabled }}
|
||||||
|
@ -184,42 +183,9 @@ data:
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
||||||
{{- with .Values.extraConfig }}
|
{{- with .Values.extraConfig }}
|
||||||
|
|
||||||
## Extra config ##
|
## Extra config ##
|
||||||
|
|
||||||
{{ . | toYaml | nindent 4 }}
|
{{ . | toYaml | nindent 4 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
||||||
{{- $default := .Values.workers.default -}}
|
|
||||||
{{- range $worker, $config := .Values.workers -}}
|
|
||||||
{{- if $config.enabled -}}
|
|
||||||
{{- $name := $worker | replace "_" "-" }}
|
|
||||||
|
|
||||||
{{ $name }}.worker: |
|
|
||||||
worker_app: "synapse.app.{{ $worker }}"
|
|
||||||
|
|
||||||
worker_main_http_uri: http://{{ include "matrix-synapse.fullname" $ }}:8008
|
|
||||||
worker_replication_host: {{ include "matrix-synapse.replicationname" $ | quote }}
|
|
||||||
worker_replication_http_port: 9093
|
|
||||||
|
|
||||||
worker_listeners:
|
|
||||||
- type: http
|
|
||||||
bind_addresses: ['0.0.0.0']
|
|
||||||
tls: false
|
|
||||||
port: 9090
|
|
||||||
resources:
|
|
||||||
- names: [metrics]
|
|
||||||
compress: false
|
|
||||||
{{- if $config.listeners }}
|
|
||||||
- type: http
|
|
||||||
tls: false
|
|
||||||
port: 8083
|
|
||||||
resources:
|
|
||||||
- names: {{- toYaml $config.listeners | nindent 14 }}
|
|
||||||
compress: false
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
worker_log_config: /synapse/config/log.yaml
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
|
@ -11,7 +11,7 @@ metadata:
|
||||||
{{- include "matrix-synapse.labels" . | nindent 4 }}
|
{{- include "matrix-synapse.labels" . | nindent 4 }}
|
||||||
app.kubernetes.io/component: synapse
|
app.kubernetes.io/component: synapse
|
||||||
spec:
|
spec:
|
||||||
replicas: {{ .Values.replicaCount }}
|
replicas: 1
|
||||||
selector:
|
selector:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
{{- include "matrix-synapse.selectorLabels" . | nindent 6 }}
|
{{- include "matrix-synapse.selectorLabels" . | nindent 6 }}
|
||||||
|
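Review bot: `replicas: 1` replaces `{{ .Values.replicaCount }}`, so a `replicaCount` left in an existing values file is now silently ignored. Remove the key from the chart's values in the same commit if it is still there, or add a comment here saying why the main process is pinned to one replica.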
@ -21,24 +21,21 @@ spec:
|
||||||
annotations:
|
annotations:
|
||||||
checksum/config: {{ include (print $.Template.BasePath "/configuration.yaml") . | sha256sum }}
|
checksum/config: {{ include (print $.Template.BasePath "/configuration.yaml") . | sha256sum }}
|
||||||
checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
|
checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
|
||||||
{{- with .Values.annotations }}
|
{{- with .Values.synapse.annotations }}
|
||||||
{{ . | toYaml | nindent 8 }}
|
{{ . | toYaml | nindent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
labels:
|
labels:
|
||||||
{{- include "matrix-synapse.selectorLabels" . | nindent 8 }}
|
{{- include "matrix-synapse.selectorLabels" . | nindent 8 }}
|
||||||
app.kubernetes.io/component: synapse
|
app.kubernetes.io/component: synapse
|
||||||
{{- with .Values.labels }}
|
{{- with .Values.synapse.labels }}
|
||||||
{{ . | toYaml | nindent 8 }}
|
{{ . | toYaml | nindent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
spec:
|
spec:
|
||||||
{{- with .Values.imagePullSecrets }}
|
{{- include "matrix-synapse.imagePullSecrets" . | nindent 6 }}
|
||||||
imagePullSecrets:
|
|
||||||
{{- toYaml . | nindent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
securityContext:
|
securityContext:
|
||||||
{{- toYaml .Values.podSecurityContext | nindent 8 }}
|
{{- toYaml .Values.synapse.podSecurityContext | nindent 8 }}
|
||||||
containers:
|
containers:
|
||||||
- name: {{ .Chart.Name }}
|
- name: synapse
|
||||||
command:
|
command:
|
||||||
- sh
|
- sh
|
||||||
- -c
|
- -c
|
||||||
|
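Review bot: `annotations`, `labels` and `podSecurityContext` now come from `.Values.synapse.*`, and `imagePullSecrets` from the new helper, with no fallback to the old top-level keys. An existing install that sets `podSecurityContext` at the top level will upgrade without error and run the pod without it. That should fail loudly: either fall back to the old key or call `fail` when it is set, and call out the rename in the upgrade notes.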
@ -69,10 +66,10 @@ spec:
|
||||||
{{- with .Values.extraEnv }}
|
{{- with .Values.extraEnv }}
|
||||||
{{ . | toYaml }}
|
{{ . | toYaml }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
securityContext:
|
|
||||||
{{- toYaml .Values.securityContext | nindent 12 }}
|
|
||||||
image: "{{ .Values.image.repository }}:{{ include "matrix-synapse.imageTag" . }}"
|
image: "{{ .Values.image.repository }}:{{ include "matrix-synapse.imageTag" . }}"
|
||||||
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
||||||
|
securityContext:
|
||||||
|
{{- toYaml .Values.securityContext | nindent 12 }}
|
||||||
ports:
|
ports:
|
||||||
- name: http
|
- name: http
|
||||||
containerPort: 8008
|
containerPort: 8008
|
||||||
|
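Review bot: The container `securityContext` is moved below `imagePullPolicy` but still reads `.Values.securityContext`, while the pod-level context in the previous hunk now reads `.Values.synapse.podSecurityContext`. Someone who moves both settings under `synapse:` gets the pod context applied and the container context dropped without an error; read `.Values.synapse.securityContext` here, or document that the two settings live at different levels.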
@ -113,9 +110,9 @@ spec:
|
||||||
secretName: {{ include "matrix-synapse.fullname" . }}
|
secretName: {{ include "matrix-synapse.fullname" . }}
|
||||||
- name: signingkey
|
- name: signingkey
|
||||||
secret:
|
secret:
|
||||||
secretName: {{ default .Values.signingkey.existingSecret (include "matrix-synapse.workername" (dict "global" . "worker" "signingkey")) | quote }}
|
secretName: {{ .Values.signingkey.existingSecret | default (include "matrix-synapse.workername" (dict "global" . "worker" "signingkey")) | quote }}
|
||||||
items:
|
items:
|
||||||
- key: {{ default .Values.signingkey.existingSecretKey "signing.key" | quote }}
|
- key: {{ .Values.signingkey.existingSecretKey | default "signing.key" | quote }}
|
||||||
path: signing.key
|
path: signing.key
|
||||||
- name: tmpconf
|
- name: tmpconf
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
|
@ -129,7 +126,7 @@ spec:
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- if and .Values.persistence.enabled (not $mediaworker) }}
|
{{- if and .Values.persistence.enabled (not $mediaworker) }}
|
||||||
persistentVolumeClaim:
|
persistentVolumeClaim:
|
||||||
claimName: {{ default .Values.persistence.existingClaim (include "matrix-synapse.fullname" .) }}
|
claimName: {{ .Values.persistence.existingClaim | default (include "matrix-synapse.fullname" .) }}
|
||||||
{{- else }}
|
{{- else }}
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -145,164 +142,3 @@ spec:
|
||||||
tolerations:
|
tolerations:
|
||||||
{{- toYaml . | nindent 8 }}
|
{{- toYaml . | nindent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
||||||
{{- $default := .Values.workers.default }}
|
|
||||||
{{- range $worker, $config := .Values.workers }}
|
|
||||||
{{- if $config.enabled }}
|
|
||||||
{{- $name := $worker | replace "_" "-" }}
|
|
||||||
---
|
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
name: {{ include "matrix-synapse.workername" (dict "global" $ "worker" $name) }}
|
|
||||||
labels:
|
|
||||||
{{- include "matrix-synapse.labels" $ | nindent 4 }}
|
|
||||||
app.kubernetes.io/component: {{ $name }}
|
|
||||||
spec:
|
|
||||||
replicas: {{ $config.replicaCount | default $default.replicaCount }}
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
{{- include "matrix-synapse.selectorLabels" $ | nindent 6 }}
|
|
||||||
app.kubernetes.io/component: {{ $name }}
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
annotations:
|
|
||||||
checksum/config: {{ include (print $.Template.BasePath "/configuration.yaml") $ | sha256sum }}
|
|
||||||
checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") $ | sha256sum }}
|
|
||||||
{{- with ($config.annotations | default $default.annotations) }}
|
|
||||||
{{ . | toYaml | nindent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
labels:
|
|
||||||
{{- include "matrix-synapse.selectorLabels" $ | nindent 8 }}
|
|
||||||
app.kubernetes.io/component: {{ $name }}
|
|
||||||
{{- with ($config.labels | default $default.labels) }}
|
|
||||||
{{ . | toYaml | nindent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
spec:
|
|
||||||
{{- with $.Values.imagePullSecrets }}
|
|
||||||
imagePullSecrets:
|
|
||||||
{{- toYaml . | nindent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
securityContext:
|
|
||||||
{{- $config.podSecurityContext | default $default.podSecurityContext | toYaml | nindent 8 }}
|
|
||||||
{{- if and $needsVolumePermissions (eq $name "media-repository") }}
|
|
||||||
initContainers:
|
|
||||||
- name: volume-permissions
|
|
||||||
command: ["chown", "-R", "666:666", "/synapse/data"]
|
|
||||||
image: "{{ $.Values.volumePermissions.repository }}:{{ $.Values.volumePermissions.tag }}"
|
|
||||||
imagePullPolicy: {{ $.Values.volumePermissions.pullPolicy }}
|
|
||||||
securityContext:
|
|
||||||
runAsUser: 0
|
|
||||||
resources: {{ $.Values.volumePermissions.resources | toYaml | nindent 10 }}
|
|
||||||
volumeMounts:
|
|
||||||
- name: media
|
|
||||||
mountPath: /synapse/data
|
|
||||||
{{- end }}
|
|
||||||
containers:
|
|
||||||
- name: {{ $name }}
|
|
||||||
command:
|
|
||||||
- sh
|
|
||||||
- -c
|
|
||||||
- |
|
|
||||||
cat /synapse/secrets/*.yaml | \
|
|
||||||
sed -e "s/@@POSTGRES_PASSWORD@@/${POSTGRES_PASSWORD:-}/" \
|
|
||||||
-e "s/@@REDIS_PASSWORD@@/${REDIS_PASSWORD:-}/" \
|
|
||||||
> /synapse/config/conf.d/secrets.yaml
|
|
||||||
|
|
||||||
/matrix-synapse synapse.app.{{ $worker }} -c /synapse/config/{{ $name }}.worker
|
|
||||||
env:
|
|
||||||
{{- if $.Values.postgresql.enabled }}
|
|
||||||
- name: POSTGRES_PASSWORD
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: {{ include "matrix-synapse.postgresql.fullname" $ }}
|
|
||||||
key: postgresql-password
|
|
||||||
{{- end }}
|
|
||||||
{{- if and $.Values.redis.enabled (default $.Values.redis.usePassword true) }}
|
|
||||||
- name: REDIS_PASSWORD
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: {{ include "matrix-synapse.redis.fullname" $ }}
|
|
||||||
key: redis-password
|
|
||||||
{{- end }}
|
|
||||||
{{- with default $config.extraEnv $default.extraEnv }}
|
|
||||||
{{ . | toYaml }}
|
|
||||||
{{- end }}
|
|
||||||
securityContext:
|
|
||||||
{{- $config.securityContext | default $default.securityContext | toYaml | nindent 12 }}
|
|
||||||
image: "{{ $.Values.image.repository }}:{{ $.Chart.AppVersion }}"
|
|
||||||
imagePullPolicy: {{ $.Values.image.pullPolicy }}
|
|
||||||
ports:
|
|
||||||
- name: metrics
|
|
||||||
containerPort: 9090
|
|
||||||
protocol: TCP
|
|
||||||
{{- if $config.listeners }}
|
|
||||||
- name: listener
|
|
||||||
containerPort: 8083
|
|
||||||
protocol: TCP
|
|
||||||
livenessProbe:
|
|
||||||
tcpSocket:
|
|
||||||
port: listener
|
|
||||||
readinessProbe:
|
|
||||||
tcpSocket:
|
|
||||||
port: listener
|
|
||||||
{{- end }}
|
|
||||||
resources:
|
|
||||||
{{- $config.resources | default $default.resources | toYaml | nindent 12 }}
|
|
||||||
volumeMounts:
|
|
||||||
- name: config
|
|
||||||
mountPath: /synapse/config
|
|
||||||
- name: tmpconf
|
|
||||||
mountPath: /synapse/config/conf.d
|
|
||||||
- name: secrets
|
|
||||||
mountPath: /synapse/secrets
|
|
||||||
- name: signingkey
|
|
||||||
mountPath: /synapse/keys
|
|
||||||
{{- if eq $name "media-repository" }}
|
|
||||||
- name: media
|
|
||||||
mountPath: /synapse/data
|
|
||||||
{{- end }}
|
|
||||||
{{- with $config.volumeMounts | default $default.volumeMounts }}
|
|
||||||
{{ . | toYaml | nindent 12 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with $config.nodeSelector | default $default.nodeSelector }}
|
|
||||||
nodeSelector:
|
|
||||||
{{- toYaml . | nindent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with $config.affinity | default $default.affinity }}
|
|
||||||
affinity:
|
|
||||||
{{- toYaml . | nindent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with $config.tolerations | default $default.tolerations }}
|
|
||||||
tolerations:
|
|
||||||
{{- toYaml . | nindent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
volumes:
|
|
||||||
- name: config
|
|
||||||
configMap:
|
|
||||||
name: {{ include "matrix-synapse.fullname" $ }}
|
|
||||||
- name: secrets
|
|
||||||
secret:
|
|
||||||
secretName: {{ include "matrix-synapse.fullname" $ }}
|
|
||||||
- name: signingkey
|
|
||||||
secret:
|
|
||||||
secretName: {{ default $.Values.signingkey.existingSecret (include "matrix-synapse.workername" (dict "global" $ "worker" "signingkey")) | quote }}
|
|
||||||
items:
|
|
||||||
- key: {{ default $.Values.signingkey.existingSecretKey "signing.key" | quote }}
|
|
||||||
path: signing.key
|
|
||||||
- name: tmpconf
|
|
||||||
emptyDir: {}
|
|
||||||
{{- if eq $name "media-repository" }}
|
|
||||||
- name: media
|
|
||||||
{{- if $.Values.persistence.enabled }}
|
|
||||||
persistentVolumeClaim:
|
|
||||||
claimName: {{ default $.Values.persistence.existingClaim (include "matrix-synapse.fullname" $) }}
|
|
||||||
{{- else }}
|
|
||||||
emptyDir: {}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with $config.volumes }}
|
|
||||||
{{ . | toYaml | nindent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
{{- if .Values.ingress.enabled -}}
|
{{- if .Values.ingress.enabled -}}
|
||||||
{{- $fullName := include "matrix-synapse.fullname" . -}}
|
{{- $fullName := include "matrix-synapse.fullname" . -}}
|
||||||
{{- $wkName := include "matrix-synapse.workername" (dict "global" . "worker" "wellknown-lighttpd") -}}
|
{{- $wkName := include "matrix-synapse.externalname" (dict "global" . "external" "wellknown-lighttpd") -}}
|
||||||
{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
|
{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
|
||||||
apiVersion: networking.k8s.io/v1beta1
|
apiVersion: networking.k8s.io/v1beta1
|
||||||
{{- else -}}
|
{{- else -}}
|
||||||
|
@ -27,19 +27,45 @@ spec:
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
rules:
|
rules:
|
||||||
{{- $hosts := .Values.ingress.hosts }}
|
{{- $csHosts := .Values.ingress.csHosts }}
|
||||||
{{- if default .Values.ingress.includeServerName true }}
|
{{- if .Values.ingress.includeServerName }}
|
||||||
{{- $hosts = concat (list .Values.config.serverName) $hosts }}
|
{{- $csHosts = concat (list .Values.config.serverName) $csHosts }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
{{- $s2sHosts := .Values.ingress.hosts }}
|
||||||
|
{{- if .Values.ingress.includeServerName }}
|
||||||
|
{{- $s2sHosts = concat (list .Values.config.serverName) $s2sHosts }}
|
||||||
|
{{- end }}
|
||||||
|
{{- $wkHosts := .Values.ingress.wkHosts }}
|
||||||
|
{{- if .Values.ingress.includeServerName }}
|
||||||
|
{{- $wkHosts = concat (list .Values.config.serverName) $wkHosts }}
|
||||||
|
{{- end }}
|
||||||
|
{{- $hosts := uniq (concat $s2sHosts $csHosts $wkHosts) }}
|
||||||
{{- range $hosts }}
|
{{- range $hosts }}
|
||||||
|
{{- $host := . }}
|
||||||
- host: {{ . | quote }}
|
- host: {{ . | quote }}
|
||||||
http:
|
http:
|
||||||
paths:
|
paths:
|
||||||
{{- $default := $.Values.workers.default }}
|
{{- $default := $.Values.workers.default }}
|
||||||
{{- range $worker, $config := $.Values.workers }}
|
{{- range $worker, $config := $.Values.workers }}
|
||||||
{{- $name := $worker | replace "_" "-" }}
|
{{- $name := $worker | replace "_" "-" }}
|
||||||
{{- if and $config.enabled $config.listeners $config.paths }}
|
{{- if and $config.enabled $config.listeners (or $config.paths $config.csPaths) }}
|
||||||
{{- $service := include "matrix-synapse.workername" (dict "global" $ "worker" $name) }}
|
{{- $service := include "matrix-synapse.workername" (dict "global" $ "worker" $name) }}
|
||||||
|
{{- if has $host $csHosts }}
|
||||||
|
{{- range $config.csPaths }}
|
||||||
|
{{- if $.Values.ingress.traefikPaths }}
|
||||||
|
- path: {{ printf "/{path:%s}" (trimPrefix "/" .) | quote }}
|
||||||
|
backend:
|
||||||
|
serviceName: {{ $service }}
|
||||||
|
servicePort: 8083
|
||||||
|
{{- else }}
|
||||||
|
- path: {{ . | quote }}
|
||||||
|
backend:
|
||||||
|
serviceName: {{ $service }}
|
||||||
|
servicePort: 8083
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if has $host $s2sHosts }}
|
||||||
{{- range $config.paths }}
|
{{- range $config.paths }}
|
||||||
{{- if $.Values.ingress.traefikPaths }}
|
{{- if $.Values.ingress.traefikPaths }}
|
||||||
- path: {{ printf "/{path:%s}" (trimPrefix "/" .) | quote }}
|
- path: {{ printf "/{path:%s}" (trimPrefix "/" .) | quote }}
|
||||||
|
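Review bot: `{{- if .Values.ingress.includeServerName }}` treats an unset value as false, where the old `default .Values.ingress.includeServerName true` always added the server name, so the README's simplest install (`--set config.serverName=chosenin.space --set wellknown.enabled=true`) only gets an ingress host if the chart's values ship `includeServerName: true`. Confirm that default is part of this commit. The same three-line `if`/`concat` block is repeated for `$csHosts`, `$s2sHosts` and `$wkHosts`; computing the optional server-name list once would make it harder for the three to drift apart.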
@ -55,23 +81,34 @@ spec:
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- if has . $csHosts }}
|
||||||
|
{{- with $.Values.ingress.csPaths }}
|
||||||
|
{{ . | toYaml | nindent 10 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if has . $s2sHosts }}
|
||||||
{{- with $.Values.ingress.paths }}
|
{{- with $.Values.ingress.paths }}
|
||||||
{{ . | toYaml | nindent 10 }}
|
{{ . | toYaml | nindent 10 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- if or (has . $csHosts) (has . $s2sHosts) }}
|
||||||
- path: /_matrix
|
- path: /_matrix
|
||||||
backend:
|
backend:
|
||||||
serviceName: {{ $fullName }}
|
serviceName: {{ $fullName }}
|
||||||
servicePort: 8008
|
servicePort: 8008
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
{{- if $.Values.ingress.includeUnderscoreSynapse }}
|
{{- if and (has . $csHosts) $.Values.ingress.includeUnderscoreSynapse }}
|
||||||
- path: /_synapse
|
- path: /_synapse
|
||||||
backend:
|
backend:
|
||||||
serviceName: {{ $fullName }}
|
serviceName: {{ $fullName }}
|
||||||
servicePort: 8008
|
servicePort: 8008
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
||||||
|
{{- if has . $wkHosts }}
|
||||||
- path: /.well-known/matrix/client
|
- path: /.well-known/matrix/client
|
||||||
backend:
|
backend:
|
||||||
serviceName: {{ $fullName }}
|
serviceName: {{ $fullName }}
|
||||||
|
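Review bot: `/_synapse` is still routed as a whole prefix when `includeUnderscoreSynapse` is set, which publishes the admin API under `/_synapse/admin` on every client host; the new `has . $csHosts` guard narrows where the path appears but not what it exposes. Consider routing only `/_synapse/client` by default and putting the admin path behind a separate value that is off by default. This hunk also tests `has . $csHosts` while the worker block in the previous hunk uses `has $host $csHosts`; using `$host` throughout avoids depending on what `.` is bound to at each nesting level.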
@ -84,4 +121,5 @@ spec:
|
||||||
servicePort: 80
|
servicePort: 80
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
|
@ -12,26 +12,30 @@ stringData:
|
||||||
|
|
||||||
recaptcha_private_key: {{ .Values.config.recaptcha.privateKey | quote }}
|
recaptcha_private_key: {{ .Values.config.recaptcha.privateKey | quote }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
||||||
{{- if .Values.config.turnSecret }}
|
{{- if .Values.config.turnSecret }}
|
||||||
|
|
||||||
## Turn ##
|
## Turn ##
|
||||||
|
|
||||||
turn_shared_secret: {{ .Values.config.turnSecret | quote }}
|
turn_shared_secret: {{ .Values.config.turnSecret | quote }}
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
|
{{- end }}
|
||||||
## Registration ##
|
## Registration ##
|
||||||
|
|
||||||
registration_shared_secret: {{ .Values.config.registrationSharedSecret | default (randAlphaNum 24) | quote }}
|
registration_shared_secret: {{ .Values.config.registrationSharedSecret | default (randAlphaNum 24) | quote }}
|
||||||
|
|
||||||
## API Configuration ##
|
## API Configuration ##
|
||||||
|
|
||||||
macaroon_secret_key: {{ required "You must specify a macaroon as config.macaroonSecretKey" .Values.config.macaroonSecretKey | quote }}
|
{{- if .Values.config.macaroonSecretKey }}
|
||||||
|
|
||||||
|
macaroon_secret_key: {{ .Values.config.macaroonSecretKey | quote }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
{{- $postgresHost := include "matrix-synapse.postgresql.host" . }}
|
{{- $postgresHost := include "matrix-synapse.postgresql.host" . }}
|
||||||
{{- $postgresDB := include "matrix-synapse.postgresql.database" . }}
|
{{- $postgresDB := include "matrix-synapse.postgresql.database" . }}
|
||||||
{{- $postgresUser := include "matrix-synapse.postgresql.username" . }}
|
{{- $postgresUser := include "matrix-synapse.postgresql.username" . }}
|
||||||
{{- $postgresPort := include "matrix-synapse.postgresql.port" . }}
|
{{- $postgresPort := include "matrix-synapse.postgresql.port" . }}
|
||||||
{{- $postgresPass := include "matrix-synapse.postgresql.password" . }}
|
{{- $postgresPass := include "matrix-synapse.postgresql.password" . }}
|
||||||
|
|
||||||
## Database configuration ##
|
## Database configuration ##
|
||||||
|
|
||||||
database:
|
database:
|
||||||
|
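Review bot: Dropping `required` from `macaroon_secret_key` means an unset `config.macaroonSecretKey` now renders no key at all and nothing tells the operator, so Synapse is left to pick its own fallback for signing access tokens. Note also that `registration_shared_secret` just above defaults to `randAlphaNum 24`, which is re-evaluated on every render, so that secret changes on each `helm upgrade` unless the value is set. Either keep the `required` guard, or generate the value once and reuse it (for example by reading the existing Secret with `lookup`), and document the behaviour next to `macaroonSecretKey` in values.yaml.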
@ -52,6 +56,7 @@ stringData:
|
||||||
{{- $redisHost := include "matrix-synapse.redis.host" . }}
|
{{- $redisHost := include "matrix-synapse.redis.host" . }}
|
||||||
{{- $redisPort := include "matrix-synapse.redis.port" . }}
|
{{- $redisPort := include "matrix-synapse.redis.port" . }}
|
||||||
{{- $redisPass := include "matrix-synapse.redis.password" . }}
|
{{- $redisPass := include "matrix-synapse.redis.password" . }}
|
||||||
|
|
||||||
## Redis configuration ##
|
## Redis configuration ##
|
||||||
|
|
||||||
redis:
|
redis:
|
||||||
|
|
|
@ -4,7 +4,7 @@ kind: Pod
|
||||||
metadata:
|
metadata:
|
||||||
name: "{{ include "matrix-synapse.fullname" . }}-test-connection"
|
name: "{{ include "matrix-synapse.fullname" . }}-test-connection"
|
||||||
labels:
|
labels:
|
||||||
{{ include "matrix-synapse.labels" . | nindent 4 }}
|
{{- include "matrix-synapse.labels" . | nindent 4 }}
|
||||||
annotations:
|
annotations:
|
||||||
"helm.sh/hook": test-success
|
"helm.sh/hook": test-success
|
||||||
spec:
|
spec:
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
{{- if .Values.wellknown.enabled }}
|
{{- if .Values.wellknown.enabled }}
|
||||||
{{- $wkName := include "matrix-synapse.workername" (dict "global" . "worker" "wellknown-lighttpd") -}}
|
{{- $wkName := include "matrix-synapse.externalname" (dict "global" . "external" "wellknown-lighttpd") -}}
|
||||||
---
|
---
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: ConfigMap
|
kind: ConfigMap
|
||||||
|
@ -10,9 +10,6 @@ metadata:
|
||||||
component: well-known
|
component: well-known
|
||||||
data:
|
data:
|
||||||
lighttpd.conf: |
|
lighttpd.conf: |
|
||||||
var.basedir = "/var/www/localhost"
|
|
||||||
var.logdir = "/var/log/lighttpd"
|
|
||||||
var.statedir = "/var/lib/lighttpd"
|
|
||||||
server.modules = (
|
server.modules = (
|
||||||
"mod_rewrite",
|
"mod_rewrite",
|
||||||
"mod_status",
|
"mod_status",
|
||||||
|
@ -21,13 +18,13 @@ data:
|
||||||
include "mime-types.conf"
|
include "mime-types.conf"
|
||||||
server.username = "lighttpd"
|
server.username = "lighttpd"
|
||||||
server.groupname = "lighttpd"
|
server.groupname = "lighttpd"
|
||||||
server.document-root = var.basedir + "/htdocs"
|
server.document-root = {{ .Values.wellknown.htdocsPath | quote }}
|
||||||
server.pid-file = "/run/lighttpd.pid"
|
server.pid-file = "/run/lighttpd.pid"
|
||||||
server.errorlog = "/dev/stderr"
|
server.errorlog = "/dev/stderr"
|
||||||
status.status-url = "/server-status"
|
|
||||||
url.rewrite-once = (
|
url.rewrite-once = (
|
||||||
"^/\.well-known/matrix/server" => "/server.json"
|
"^/\.well-known/matrix/server" => "/server.json"
|
||||||
)
|
)
|
||||||
|
status.status-url = "/server-status"
|
||||||
accesslog.filename = "/dev/stderr"
|
accesslog.filename = "/dev/stderr"
|
||||||
|
|
||||||
server.json: |-
|
server.json: |-
|
||||||
|
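Review bot: `status.status-url = "/server-status"` is only moved below the rewrite block, and `mod_status` stays in `server.modules`, so the well-known server still serves its status page to anyone who can reach the pod. This container exists only to answer `/.well-known/matrix/server`; unless the ingress is guaranteed to route nothing else here, drop `mod_status` and the `status.status-url` line. While touching the rewrite, `"^/\.well-known/matrix/server"` has no `$` anchor, so any path with that prefix is rewritten to `/server.json`.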
@ -59,7 +56,7 @@ metadata:
|
||||||
{{- include "matrix-synapse.labels" . | nindent 4 }}
|
{{- include "matrix-synapse.labels" . | nindent 4 }}
|
||||||
component: well-known
|
component: well-known
|
||||||
spec:
|
spec:
|
||||||
replicas: {{ default .Values.wellknown.replicaCount 1 }}
|
replicas: {{ .Values.wellknown.replicaCount | default 1 }}
|
||||||
selector:
|
selector:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
{{- include "matrix-synapse.selectorLabels" . | nindent 6 }}
|
{{- include "matrix-synapse.selectorLabels" . | nindent 6 }}
|
||||||
|
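Review bot: The argument order is fixed here, but `.Values.wellknown.replicaCount | default 1` still treats `0` as empty, so `replicaCount: 0` renders `replicas: 1` and the well-known deployment cannot be scaled to zero from values. If that should be supported, test for the key explicitly (`hasKey .Values.wellknown "replicaCount"`) instead of using `default`.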
@ -72,10 +69,15 @@ spec:
|
||||||
{{- include "matrix-synapse.selectorLabels" . | nindent 8 }}
|
{{- include "matrix-synapse.selectorLabels" . | nindent 8 }}
|
||||||
component: well-known
|
component: well-known
|
||||||
spec:
|
spec:
|
||||||
|
{{- include "matrix-synapse.imagePullSecrets" . | nindent 6 }}
|
||||||
|
securityContext:
|
||||||
|
{{- toYaml .Values.wellknown.podSecurityContext | nindent 8 }}
|
||||||
containers:
|
containers:
|
||||||
- name: lighttpd
|
- name: lighttpd
|
||||||
image: m4rcu5/lighttpd
|
image: "{{ .Values.wellknown.image.repository }}:{{ .Values.wellknown.image.tag }}"
|
||||||
imagePullPolicy: Always
|
imagePullPolicy: {{ .Values.wellknown.image.pullPolicy }}
|
||||||
|
securityContext:
|
||||||
|
{{- toYaml .Values.wellknown.securityContext | nindent 12 }}
|
||||||
ports:
|
ports:
|
||||||
- containerPort: 80
|
- containerPort: 80
|
||||||
name: http
|
name: http
|
||||||
|
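Review bot: `containerPort: 80` stays hard-coded while the new `wellknown.securityContext` example in values.yaml suggests `runAsNonRoot: true`, `runAsUser: 100` and dropping `ALL` capabilities; a non-root lighttpd without `NET_BIND_SERVICE` normally cannot bind port 80, and `readOnlyRootFilesystem: true` conflicts with `server.pid-file = "/run/lighttpd.pid"` in the ConfigMap. Make the listen port configurable (for example 8080, with the Service mapping 80 to it) so the hardened settings actually start, and note the required values beside the example. Also confirm that the `matrix-synapse.imagePullSecrets` helper, which is called with the global context, picks up the `pullSecrets` key documented under `wellknown` in values.yaml.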
@ -91,11 +93,25 @@ spec:
|
||||||
- mountPath: /etc/lighttpd/lighttpd.conf
|
- mountPath: /etc/lighttpd/lighttpd.conf
|
||||||
name: files
|
name: files
|
||||||
subPath: lighttpd.conf
|
subPath: lighttpd.conf
|
||||||
- mountPath: /var/www/localhost/htdocs/server.json
|
- mountPath: {{ .Values.wellknown.htdocsPath }}/server.json
|
||||||
name: files
|
name: files
|
||||||
subPath: server.json
|
subPath: server.json
|
||||||
|
resources:
|
||||||
|
{{- toYaml .Values.wellknown.resources | nindent 12 }}
|
||||||
volumes:
|
volumes:
|
||||||
- name: files
|
- name: files
|
||||||
configMap:
|
configMap:
|
||||||
name: {{ $wkName }}
|
name: {{ $wkName }}
|
||||||
|
{{- with .Values.nodeSelector }}
|
||||||
|
nodeSelector:
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.affinity }}
|
||||||
|
affinity:
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.tolerations }}
|
||||||
|
tolerations:
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
|
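Review bot: The new scheduling blocks read `.Values.nodeSelector`, `.Values.affinity` and `.Values.tolerations`, but this commit adds those keys under `wellknown:` in values.yaml (and under `synapse:` for the main pod), so the well-known pod ignores its own settings and follows top-level values, if any remain. Use `.Values.wellknown.nodeSelector`, `.Values.wellknown.affinity` and `.Values.wellknown.tolerations`. Separately, `mountPath: {{ .Values.wellknown.htdocsPath }}/server.json` is unquoted while the same value is piped through `quote` in lighttpd.conf; quote the whole path so an unusual `htdocsPath` cannot break the YAML.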
@ -0,0 +1,41 @@
|
||||||
|
{{- $wkName := include "matrix-synapse.workername" (dict "global" . "worker" "workers") -}}
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: {{ $wkName }}
|
||||||
|
labels:
|
||||||
|
{{- include "matrix-synapse.labels" . | nindent 4 }}
|
||||||
|
data:
|
||||||
|
{{- $default := .Values.workers.default -}}
|
||||||
|
{{- range $worker, $config := .Values.workers -}}
|
||||||
|
{{- if $config.enabled -}}
|
||||||
|
{{- $name := $worker | replace "_" "-" }}
|
||||||
|
|
||||||
|
{{ $name }}.worker: |
|
||||||
|
worker_app: "synapse.app.{{ $worker }}"
|
||||||
|
|
||||||
|
worker_main_http_uri: http://{{ include "matrix-synapse.fullname" $ }}:8008
|
||||||
|
worker_replication_host: {{ include "matrix-synapse.replicationname" $ | quote }}
|
||||||
|
worker_replication_http_port: 9093
|
||||||
|
|
||||||
|
worker_listeners:
|
||||||
|
- type: http
|
||||||
|
bind_addresses: ['0.0.0.0']
|
||||||
|
tls: false
|
||||||
|
port: 9090
|
||||||
|
resources:
|
||||||
|
- names: [metrics]
|
||||||
|
compress: false
|
||||||
|
{{- if $config.listeners }}
|
||||||
|
- type: http
|
||||||
|
tls: false
|
||||||
|
port: 8083
|
||||||
|
resources:
|
||||||
|
- names: {{- toYaml $config.listeners | nindent 14 }}
|
||||||
|
compress: false
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
worker_log_config: /synapse/config/log.yaml
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
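Review bot: `range $worker, $config := .Values.workers` also visits the `default` entry that is read one line earlier as `$default`, and it is skipped only as long as it carries no truthy `enabled` key. Add an explicit `ne $worker "default"` to the `if` so a stray `enabled: true` under `workers.default` cannot emit a `default.worker` file with `worker_app: "synapse.app.default"`. The second listener (port 8083) also omits `bind_addresses` while the metrics listener sets `['0.0.0.0']`; set it explicitly so both listeners are bound the same way on purpose.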
171
charts-wip/matrix-synapse/templates/worker-deployment.yaml
Normal file
|
@ -0,0 +1,171 @@
|
||||||
|
{{- $needsVolumePermissions := and .Values.volumePermissions.enabled (or .Values.persistence.enabled .Values.persistence.existingClaim) }}
|
||||||
|
{{- $default := .Values.workers.default }}
|
||||||
|
{{- range $worker, $config := .Values.workers }}
|
||||||
|
{{- if $config.enabled }}
|
||||||
|
{{- $name := $worker | replace "_" "-" }}
|
||||||
|
---
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: {{ include "matrix-synapse.workername" (dict "global" $ "worker" $name) }}
|
||||||
|
labels:
|
||||||
|
{{- include "matrix-synapse.labels" $ | nindent 4 }}
|
||||||
|
app.kubernetes.io/component: {{ $name }}
|
||||||
|
spec:
|
||||||
|
replicas: {{ $config.replicaCount | default $default.replicaCount }}
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
{{- include "matrix-synapse.selectorLabels" $ | nindent 6 }}
|
||||||
|
app.kubernetes.io/component: {{ $name }}
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
annotations:
|
||||||
|
checksum/config: {{ include (print $.Template.BasePath "/configuration.yaml") $ | sha256sum }}
|
||||||
|
checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") $ | sha256sum }}
|
||||||
|
{{- with ($config.annotations | default $default.annotations) }}
|
||||||
|
{{ . | toYaml | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
labels:
|
||||||
|
{{- include "matrix-synapse.selectorLabels" $ | nindent 8 }}
|
||||||
|
app.kubernetes.io/component: {{ $name }}
|
||||||
|
{{- with ($config.labels | default $default.labels) }}
|
||||||
|
{{ . | toYaml | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
{{- with $.Values.imagePullSecrets }}
|
||||||
|
imagePullSecrets:
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
securityContext:
|
||||||
|
{{- $config.podSecurityContext | default $default.podSecurityContext | toYaml | nindent 8 }}
|
||||||
|
{{- if and $needsVolumePermissions (eq $name "media-repository") }}
|
||||||
|
initContainers:
|
||||||
|
- name: volume-permissions
|
||||||
|
command: ["chown", "-R", "666:666", "/synapse/data"]
|
||||||
|
image: "{{ $.Values.volumePermissions.repository }}:{{ $.Values.volumePermissions.tag }}"
|
||||||
|
imagePullPolicy: {{ $.Values.volumePermissions.pullPolicy }}
|
||||||
|
securityContext:
|
||||||
|
runAsUser: 0
|
||||||
|
resources: {{ $.Values.volumePermissions.resources | toYaml | nindent 10 }}
|
||||||
|
volumeMounts:
|
||||||
|
- name: media
|
||||||
|
mountPath: /synapse/data
|
||||||
|
{{- end }}
|
||||||
|
containers:
|
||||||
|
- name: {{ $name }}
|
||||||
|
command:
|
||||||
|
- sh
|
||||||
|
- -c
|
||||||
|
- |
|
||||||
|
cat /synapse/secrets/*.yaml | \
|
||||||
|
sed -e "s/@@POSTGRES_PASSWORD@@/${POSTGRES_PASSWORD:-}/" \
|
||||||
|
-e "s/@@REDIS_PASSWORD@@/${REDIS_PASSWORD:-}/" \
|
||||||
|
> /synapse/config/conf.d/secrets.yaml
|
||||||
|
|
||||||
|
/matrix-synapse synapse.app.{{ $worker }} -c /synapse/config/{{ $name }}.worker
|
||||||
|
env:
|
||||||
|
{{- if $.Values.postgresql.enabled }}
|
||||||
|
- name: POSTGRES_PASSWORD
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: {{ include "matrix-synapse.postgresql.fullname" $ }}
|
||||||
|
key: postgresql-password
|
||||||
|
{{- end }}
|
||||||
|
{{- if and $.Values.redis.enabled (default $.Values.redis.usePassword true) }}
|
||||||
|
- name: REDIS_PASSWORD
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: {{ include "matrix-synapse.redis.fullname" $ }}
|
||||||
|
key: redis-password
|
||||||
|
{{- end }}
|
||||||
|
{{- with $config.extraEnv | default $default.extraEnv }}
|
||||||
|
{{ . | toYaml }}
|
||||||
|
{{- end }}
|
||||||
|
securityContext:
|
||||||
|
{{- $config.securityContext | default $default.securityContext | toYaml | nindent 12 }}
|
||||||
|
image: "{{ $.Values.image.repository }}:{{ $.Chart.AppVersion }}"
|
||||||
|
imagePullPolicy: {{ $.Values.image.pullPolicy }}
|
||||||
|
ports:
|
||||||
|
- name: metrics
|
||||||
|
containerPort: 9090
|
||||||
|
protocol: TCP
|
||||||
|
{{- if $config.listeners }}
|
||||||
|
- name: listener
|
||||||
|
containerPort: 8083
|
||||||
|
protocol: TCP
|
||||||
|
livenessProbe:
|
||||||
|
tcpSocket:
|
||||||
|
port: listener
|
||||||
|
readinessProbe:
|
||||||
|
tcpSocket:
|
||||||
|
port: listener
|
||||||
|
{{- end }}
|
||||||
|
resources:
|
||||||
|
{{- $config.resources | default $default.resources | toYaml | nindent 12 }}
|
||||||
|
volumeMounts:
|
||||||
|
- name: config
|
||||||
|
mountPath: /synapse/config/homeserver.yaml
|
||||||
|
subPath: homeserver.yaml
|
||||||
|
- name: config
|
||||||
|
mountPath: /synapse/config/log.yaml
|
||||||
|
subPath: log.yaml
|
||||||
|
- name: worker-config
|
||||||
|
mountPath: /synapse/config/{{ $name }}.worker
|
||||||
|
subPath: {{ $name }}.worker
|
||||||
|
- name: tmpconf
|
||||||
|
mountPath: /synapse/config/conf.d
|
||||||
|
- name: secrets
|
||||||
|
mountPath: /synapse/secrets
|
||||||
|
- name: signingkey
|
||||||
|
mountPath: /synapse/keys
|
||||||
|
{{- if eq $name "media-repository" }}
|
||||||
|
- name: media
|
||||||
|
mountPath: /synapse/data
|
||||||
|
{{- end }}
|
||||||
|
{{- with $config.volumeMounts | default $default.volumeMounts }}
|
||||||
|
{{ . | toYaml | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with $config.nodeSelector | default $default.nodeSelector }}
|
||||||
|
nodeSelector:
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with $config.affinity | default $default.affinity }}
|
||||||
|
affinity:
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with $config.tolerations | default $default.tolerations }}
|
||||||
|
tolerations:
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
volumes:
|
||||||
|
- name: config
|
||||||
|
configMap:
|
||||||
|
name: {{ include "matrix-synapse.fullname" $ }}
|
||||||
|
- name: worker-config
|
||||||
|
configMap:
|
||||||
|
name: {{ include "matrix-synapse.workername" (dict "global" $ "worker" "workers") }}
|
||||||
|
- name: secrets
|
||||||
|
secret:
|
||||||
|
secretName: {{ include "matrix-synapse.fullname" $ }}
|
||||||
|
- name: signingkey
|
||||||
|
secret:
|
||||||
|
secretName: {{ $.Values.signingkey.existingSecret | default (include "matrix-synapse.workername" (dict "global" $ "worker" "signingkey")) | quote }}
|
||||||
|
items:
|
||||||
|
- key: {{ $.Values.signingkey.existingSecretKey | default "signing.key" | quote }}
|
||||||
|
path: signing.key
|
||||||
|
- name: tmpconf
|
||||||
|
emptyDir: {}
|
||||||
|
{{- if eq $name "media-repository" }}
|
||||||
|
- name: media
|
||||||
|
{{- if $.Values.persistence.enabled }}
|
||||||
|
persistentVolumeClaim:
|
||||||
|
claimName: {{ $.Values.persistence.existingClaim | (include "matrix-synapse.fullname" $) }}
|
||||||
|
{{- else }}
|
||||||
|
emptyDir: {}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with $config.volumes }}
|
||||||
|
{{ . | toYaml | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
|
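Review bot: `claimName: {{ $.Values.persistence.existingClaim | (include "matrix-synapse.fullname" $) }}` pipes into a parenthesised value instead of a function, which the template engine rejects; it should read `| default (include "matrix-synapse.fullname" $)`. In the `REDIS_PASSWORD` guard, `default $.Values.redis.usePassword true` has the arguments swapped (the same mistake this commit fixes for `replicaCount`), so it always evaluates to true and `usePassword: false` is ignored. The `sed -e "s/@@POSTGRES_PASSWORD@@/${POSTGRES_PASSWORD:-}/"` substitution breaks or corrupts the rendered secrets file when a password contains `/`, `&` or `\`; escape the value first or write the file with a tool that does not interpret it.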
@ -109,7 +109,7 @@ config:
|
||||||
# bind_addresses: ['::']
|
# bind_addresses: ['::']
|
||||||
# type: manhole
|
# type: manhole
|
||||||
|
|
||||||
## Specify arbitrary synapse configuration here;
|
## Specify arbitrary Synapse configuration here;
|
||||||
##
|
##
|
||||||
extraConfig: {}
|
extraConfig: {}
|
||||||
# use_presence: false
|
# use_presence: false
|
||||||
|
@ -119,99 +119,72 @@ extraConfig: {}
|
||||||
# - nyc.example.com
|
# - nyc.example.com
|
||||||
# - syd.example.com
|
# - syd.example.com
|
||||||
|
|
||||||
## Annotations to apply to the main Synapse pod.
|
## Configuration to apply to the main Synapse pod.
|
||||||
##
|
##
|
||||||
annotations: {}
|
synapse:
|
||||||
# prometheus.io/scrape: "true"
|
## Annotations to apply to the main Synapse pod.
|
||||||
# prometheus.io/port: 9090
|
|
||||||
|
|
||||||
## Labels to apply to the main Synapse pod.
|
|
||||||
##
|
|
||||||
labels: {}
|
|
||||||
|
|
||||||
## Additional environment variables to apply to the main Synapse pod
|
|
||||||
##
|
|
||||||
extraEnv: {}
|
|
||||||
# - name: USE_JEMALLOC
|
|
||||||
# value: "1"
|
|
||||||
# - name: SYNAPSE_CACHE_FACTOR
|
|
||||||
# value: "2"
|
|
||||||
|
|
||||||
## This will set up a Lighttpd server to respond to any
|
|
||||||
## /.well-known/matrix/server requests, to make federation possible without any
|
|
||||||
## DNS changes.
|
|
||||||
##
|
|
||||||
wellknown:
|
|
||||||
enabled: false
|
|
||||||
# host: matrix.example.com
|
|
||||||
# port: 443
|
|
||||||
|
|
||||||
## This configuration is for setting up the internally provided Postgres server,
|
|
||||||
## if you instead want to use an existing server, then you may want to set
|
|
||||||
## enabled to false and configure the externalPostgresql block.
|
|
||||||
##
|
|
||||||
postgresql:
|
|
||||||
enabled: true
|
|
||||||
|
|
||||||
postgresqlUsername: synapse
|
|
||||||
postgresqlDatabase: synapse
|
|
||||||
|
|
||||||
postgresqlInitdbArgs: "--lc-collate=C --lc-ctype=C"
|
|
||||||
|
|
||||||
persistence:
|
|
||||||
size: 16G
|
|
||||||
|
|
||||||
## An externally configured Postgres server to use for Synapse's database, note
|
|
||||||
## that the database needs to have both COLLATE and CTYPE set to "C".
|
|
||||||
##
|
|
||||||
externalPostgresql:
|
|
||||||
# host: postgres
|
|
||||||
port: 5432
|
|
||||||
username: synapse
|
|
||||||
# password: synapse
|
|
||||||
database: synapse
|
|
||||||
# sslMode: require
|
|
||||||
|
|
||||||
## This configuration is for the internal Redis that's deployed for use with
|
|
||||||
## workers/sharding, for an external Redis server you want to set enabled to
|
|
||||||
## false and configure the externalRedis block.
|
|
||||||
##
|
|
||||||
redis:
|
|
||||||
enabled: true
|
|
||||||
|
|
||||||
# usePassword: false
|
|
||||||
# password: synapse
|
|
||||||
cluster:
|
|
||||||
enabled: false
|
|
||||||
master:
|
|
||||||
persistence:
|
|
||||||
## Note that Synapse only uses redis as a synchronization utility, so no
|
|
||||||
## data will ever need to be persisted.
|
|
||||||
##
|
##
|
||||||
enabled: false
|
annotations: {}
|
||||||
statefulset:
|
# prometheus.io/scrape: "true"
|
||||||
updateStrategy: RollingUpdate
|
# prometheus.io/port: 9090
|
||||||
|
|
||||||
## An externally configured Redis server to use for workers/sharding.
|
## Labels to apply to the main Synapse pod.
|
||||||
##
|
##
|
||||||
externalRedis:
|
labels: {}
|
||||||
# host: redis
|
|
||||||
port: 6379
|
|
||||||
# password: synapse
|
|
||||||
|
|
||||||
## Persistence configuration for the media repository function.
|
## Additional environment variables to apply to the main Synapse pod
|
||||||
## This PVC will be mounted in either Synapse or a media_repo worker.
|
##
|
||||||
##
|
extraEnv: {}
|
||||||
## NB; If you want to be able to scale this, you will have to set the
|
# - name: USE_JEMALLOC
|
||||||
## accessMode to RWX/ReadWriteMany.
|
# value: "1"
|
||||||
##
|
# - name: SYNAPSE_CACHE_FACTOR
|
||||||
persistence:
|
# value: "2"
|
||||||
enabled: true
|
|
||||||
# existingClaim: synapse-data
|
|
||||||
|
|
||||||
# storageClass: "-"
|
## Configuration for the pod security policy, Synapse will by default run as its
|
||||||
accessMode: ReadWriteOnce
|
## own user, even if not set.
|
||||||
size: 10Gi
|
## Note that changing this may also require you to use the volumePermission
|
||||||
|
## helper depending on your storage.
|
||||||
|
##
|
||||||
|
## NB; The synapse install is currently unable to run as anything but UID:GID
|
||||||
|
## 666:666.
|
||||||
|
##
|
||||||
|
podSecurityContext: {}
|
||||||
|
# fsGroup: 666
|
||||||
|
# runAsGroup: 666
|
||||||
|
# runAsUser: 666
|
||||||
|
|
||||||
|
## Configuration for the container security policy, refer to the above
|
||||||
|
## podSecurityContext for more relevant information.
|
||||||
|
##
|
||||||
|
securityContext: {}
|
||||||
|
# capabilities:
|
||||||
|
# drop:
|
||||||
|
# - ALL
|
||||||
|
# readOnlyRootFilesystem: true
|
||||||
|
# runAsNonRoot: true
|
||||||
|
# runAsUser: 666
|
||||||
|
|
||||||
|
## Resources to apply to the main Synapse pod.
|
||||||
|
##
|
||||||
|
resources: {}
|
||||||
|
# limits:
|
||||||
|
# cpu: 1000m
|
||||||
|
# memory: 2500Mi
|
||||||
|
# requests:
|
||||||
|
# cpu: 1000m
|
||||||
|
# memory: 2500Mi
|
||||||
|
|
||||||
|
## Node selectors to set for the main Synapse pod.
|
||||||
|
##
|
||||||
|
nodeSelector: {}
|
||||||
|
|
||||||
|
## Tolerations to set for the main Synapse pod.
|
||||||
|
##
|
||||||
|
tolerations: []
|
||||||
|
|
||||||
|
## Affinity to set for the main Synapse pod.
|
||||||
|
##
|
||||||
|
affinity: {}
|
||||||
|
|
||||||
## Configuration for handling Synapse workers, which are useful for handling
|
## Configuration for handling Synapse workers, which are useful for handling
|
||||||
## high-load deployments.
|
## high-load deployments.
|
||||||
|
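Review bot: The relocated `podSecurityContext: {}` and `securityContext: {}` under `synapse:` still default to empty, although the comment beside them says the install can only run as UID:GID 666:666. Since no other identity works, ship `runAsUser: 666`, `runAsGroup: 666`, `fsGroup: 666` and `runAsNonRoot: true` as the defaults instead of commented examples, so the pod is explicitly non-root without the operator opting in. Moving `annotations`, `labels` and `extraEnv` under `synapse:` also changes the values layout for existing installs, which deserves a line in the README; and `extraEnv: {}` defaults to a map while its commented example is a list.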
@ -300,11 +273,33 @@ workers:
|
||||||
generic_worker:
|
generic_worker:
|
||||||
enabled: false
|
enabled: false
|
||||||
listeners: [client, federation]
|
listeners: [client, federation]
|
||||||
paths:
|
csPaths:
|
||||||
# - "/_matrix/client/(v2_alpha|r0)/sync"
|
# - "/_matrix/client/(v2_alpha|r0)/sync"
|
||||||
- "/_matrix/client/(api/v1|v2_alpha|r0)/events"
|
- "/_matrix/client/(api/v1|v2_alpha|r0)/events"
|
||||||
# - "/_matrix/client/(api/v1|r0)/initialSync"
|
# - "/_matrix/client/(api/v1|r0)/initialSync"
|
||||||
# - "/_matrix/client/(api/v1|r0)/rooms/[^/]+/initialSync"
|
# - "/_matrix/client/(api/v1|r0)/rooms/[^/]+/initialSync"
|
||||||
|
- "/_matrix/client/(api/v1|r0|unstable)/publicRooms"
|
||||||
|
- "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/joined_members"
|
||||||
|
- "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/context/.*"
|
||||||
|
- "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/members"
|
||||||
|
- "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/state"
|
||||||
|
- "/_matrix/client/(api/v1|r0|unstable)/account/3pid"
|
||||||
|
- "/_matrix/client/(api/v1|r0|unstable)/keys/query"
|
||||||
|
- "/_matrix/client/(api/v1|r0|unstable)/keys/changes"
|
||||||
|
- "/_matrix/client/versions"
|
||||||
|
- "/_matrix/client/(api/v1|r0|unstable)/voip/turnServer"
|
||||||
|
- "/_matrix/client/(api/v1|r0|unstable)/joined_groups"
|
||||||
|
- "/_matrix/client/(api/v1|r0|unstable)/publicised_groups"
|
||||||
|
- "/_matrix/client/(api/v1|r0|unstable)/publicised_groups/"
|
||||||
|
- "/_matrix/client/(api/v1|r0|unstable)/login"
|
||||||
|
- "/_matrix/client/(r0|unstable)/register"
|
||||||
|
- "/_matrix/client/(r0|unstable)/auth/.*/fallback/web"
|
||||||
|
- "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/send"
|
||||||
|
- "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/state/"
|
||||||
|
- "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)"
|
||||||
|
- "/_matrix/client/(api/v1|r0|unstable)/join/"
|
||||||
|
- "/_matrix/client/(api/v1|r0|unstable)/profile/"
|
||||||
|
paths:
|
||||||
- "/_matrix/federation/v1/event/"
|
- "/_matrix/federation/v1/event/"
|
||||||
- "/_matrix/federation/v1/state/"
|
- "/_matrix/federation/v1/state/"
|
||||||
- "/_matrix/federation/v1/state_ids/"
|
- "/_matrix/federation/v1/state_ids/"
|
||||||
|
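Review bot: `csPaths` is introduced next to `paths` with no comment saying what either list means, so a reader has to infer that `csPaths` holds client-server routes and `paths` the federation ones. Add a `##` comment above the first use describing which ingress hosts each list is attached to. The client list also contains both `.../publicised_groups` and `.../publicised_groups/`, which is redundant if these are matched as prefixes, and it routes `login` and `register` to the generic worker, which is worth calling out in that comment.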
@ -327,27 +322,6 @@ workers:
|
||||||
- "/_matrix/federation/v1/get_groups_publicised"
|
- "/_matrix/federation/v1/get_groups_publicised"
|
||||||
- "/_matrix/key/v2/query"
|
- "/_matrix/key/v2/query"
|
||||||
- "/_matrix/federation/v1/send/"
|
- "/_matrix/federation/v1/send/"
|
||||||
- "/_matrix/client/(api/v1|r0|unstable)/publicRooms"
|
|
||||||
- "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/joined_members"
|
|
||||||
- "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/context/.*"
|
|
||||||
- "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/members"
|
|
||||||
- "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/state"
|
|
||||||
- "/_matrix/client/(api/v1|r0|unstable)/account/3pid"
|
|
||||||
- "/_matrix/client/(api/v1|r0|unstable)/keys/query"
|
|
||||||
- "/_matrix/client/(api/v1|r0|unstable)/keys/changes"
|
|
||||||
- "/_matrix/client/versions"
|
|
||||||
- "/_matrix/client/(api/v1|r0|unstable)/voip/turnServer"
|
|
||||||
- "/_matrix/client/(api/v1|r0|unstable)/joined_groups"
|
|
||||||
- "/_matrix/client/(api/v1|r0|unstable)/publicised_groups"
|
|
||||||
- "/_matrix/client/(api/v1|r0|unstable)/publicised_groups/"
|
|
||||||
- "/_matrix/client/(api/v1|r0|unstable)/login"
|
|
||||||
- "/_matrix/client/(r0|unstable)/register"
|
|
||||||
- "/_matrix/client/(r0|unstable)/auth/.*/fallback/web"
|
|
||||||
- "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/send"
|
|
||||||
- "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/state/"
|
|
||||||
- "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)"
|
|
||||||
- "/_matrix/client/(api/v1|r0|unstable)/join/"
|
|
||||||
- "/_matrix/client/(api/v1|r0|unstable)/profile/"
|
|
||||||
|
|
||||||
## This worker deals with pushing notifications.
|
## This worker deals with pushing notifications.
|
||||||
## NB; Only one instance of this worker can be run at a time, refer to the
|
## NB; Only one instance of this worker can be run at a time, refer to the
|
||||||
|
@ -374,20 +348,22 @@ workers:
|
||||||
media_repository:
|
media_repository:
|
||||||
enabled: false
|
enabled: false
|
||||||
listeners: [media]
|
listeners: [media]
|
||||||
paths:
|
csPaths:
|
||||||
- "/_matrix/media/"
|
- "/_matrix/media/"
|
||||||
- "/_synapse/admin/v1/purge_media_cache"
|
- "/_synapse/admin/v1/purge_media_cache"
|
||||||
- "/_synapse/admin/v1/room/.*/media.*"
|
- "/_synapse/admin/v1/room/.*/media.*"
|
||||||
- "/_synapse/admin/v1/user/.*/media.*"
|
- "/_synapse/admin/v1/user/.*/media.*"
|
||||||
- "/_synapse/admin/v1/media/.*"
|
- "/_synapse/admin/v1/media/.*"
|
||||||
- "/_synapse/admin/v1/quarantine_media/.*"
|
- "/_synapse/admin/v1/quarantine_media/.*"
|
||||||
|
paths:
|
||||||
|
- "/_matrix/media/"
|
||||||
|
|
||||||
## This worker deals with user directory searches.
|
## This worker deals with user directory searches.
|
||||||
##
|
##
|
||||||
user_dir:
|
user_dir:
|
||||||
enabled: false
|
enabled: false
|
||||||
listeners: [client]
|
listeners: [client]
|
||||||
paths:
|
csPaths:
|
||||||
- "/_matrix/client/(api/v1|r0|unstable)/user_directory/search"
|
- "/_matrix/client/(api/v1|r0|unstable)/user_directory/search"
|
||||||
|
|
||||||
## This worker handles key uploads, and may also stub out presence if that is
|
## This worker handles key uploads, and may also stub out presence if that is
|
||||||
|
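Review bot: The `/_synapse/admin/v1/...` patterns are placed in `csPaths` for `media_repository`, which puts admin API routes on the same ingress hosts as ordinary client traffic whenever this worker is enabled. Keep them in a separate, opt-in list (or document how to leave them off the public ingress) so enabling the media worker does not publish admin routes by default. `/_matrix/media/` now appears in both `csPaths` and `paths`; a short comment saying that is intentional would help.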
@ -397,10 +373,147 @@ workers:
|
||||||
frontend_proxy:
|
frontend_proxy:
|
||||||
enabled: false
|
enabled: false
|
||||||
listeners: [client]
|
listeners: [client]
|
||||||
paths:
|
csPaths:
|
||||||
- "/_matrix/client/(api/v1|r0|unstable)/keys/upload"
|
- "/_matrix/client/(api/v1|r0|unstable)/keys/upload"
|
||||||
# - "/_matrix/client/(api/v1|r0|unstable)/presence/[^/]+/status"
|
# - "/_matrix/client/(api/v1|r0|unstable)/presence/[^/]+/status"
|
||||||
|
|
||||||
|
## This will set up a Lighttpd server to respond to any
|
||||||
|
## /.well-known/matrix/server requests, to make federation possible without
|
||||||
|
## adding SRV-records to DNS.
|
||||||
|
##
|
||||||
|
wellknown:
|
||||||
|
enabled: false
|
||||||
|
replicaCount: 1
|
||||||
|
|
||||||
|
## The host and port combo to serve on .well-known/matrix/server.
|
||||||
|
##
|
||||||
|
# host: matrix.example.com
|
||||||
|
# port: 443
|
||||||
|
|
||||||
|
## A custom htdocs path, useful when running another image.
|
||||||
|
##
|
||||||
|
htdocsPath: /var/www/localhost/htdocs
|
||||||
|
|
||||||
|
## The lighttpd image to run.
|
||||||
|
##
|
||||||
|
image:
|
||||||
|
repository: m4rcu5/lighttpd
|
||||||
|
tag: latest
|
||||||
|
pullPolicy: Always
|
||||||
|
|
||||||
|
## Optionally specify an array of imagePullSecrets.
|
||||||
|
## Secrets must be manually created in the namespace.
|
||||||
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
|
||||||
|
##
|
||||||
|
# pullSecrets:
|
||||||
|
# - myRegistryKeySecretName
|
||||||
|
|
||||||
|
## Configuration for the pod security policy.
|
||||||
|
##
|
||||||
|
podSecurityContext: {}
|
||||||
|
# fsGroup: 101
|
||||||
|
# runAsGroup: 101
|
||||||
|
# runAsUser: 100
|
||||||
|
|
||||||
|
## Configuration for the container security policy.
|
||||||
|
##
|
||||||
|
securityContext: {}
|
||||||
|
# capabilities:
|
||||||
|
# drop:
|
||||||
|
# - ALL
|
||||||
|
# readOnlyRootFilesystem: true
|
||||||
|
# runAsNonRoot: true
|
||||||
|
# runAsUser: 100
|
||||||
|
|
||||||
|
## Resource configuration to apply to the well-known server.
|
||||||
|
##
|
||||||
|
resources: {}
|
||||||
|
# limits:
|
||||||
|
# cpu: 5m
|
||||||
|
# memory: 15Mi
|
||||||
|
# requests:
|
||||||
|
# cpu: 5m
|
||||||
|
# memory: 15Mi
|
||||||
|
|
||||||
|
## Node selectors to set for the well-known server.
|
||||||
|
##
|
||||||
|
nodeSelector: {}
|
||||||
|
|
||||||
|
## Tolerations to set for the well-known server.
|
||||||
|
##
|
||||||
|
tolerations: []
|
||||||
|
|
||||||
|
## Affinity to set for the main well-known server.
|
||||||
|
##
|
||||||
|
affinity: {}
|
||||||
|
|
||||||
|
## This configuration is for setting up the internally provided Postgres server,
|
||||||
|
## if you instead want to use an existing server, then you may want to set
|
||||||
|
## enabled to false and configure the externalPostgresql block.
|
||||||
|
##
|
||||||
|
postgresql:
|
||||||
|
enabled: true
|
||||||
|
|
||||||
|
postgresqlUsername: synapse
|
||||||
|
postgresqlDatabase: synapse
|
||||||
|
|
||||||
|
postgresqlInitdbArgs: "--lc-collate=C --lc-ctype=C"
|
||||||
|
|
||||||
|
persistence:
|
||||||
|
size: 16G
|
||||||
|
|
||||||
|
## An externally configured Postgres server to use for Synapse's database, note
|
||||||
|
## that the database needs to have both COLLATE and CTYPE set to "C".
|
||||||
|
##
|
||||||
|
externalPostgresql:
|
||||||
|
# host: postgres
|
||||||
|
port: 5432
|
||||||
|
username: synapse
|
||||||
|
# password: synapse
|
||||||
|
database: synapse
|
||||||
|
# sslMode: require
|
||||||
|
|
||||||
|
## This configuration is for the internal Redis that's deployed for use with
|
||||||
|
## workers/sharding, for an external Redis server you want to set enabled to
|
||||||
|
## false and configure the externalRedis block.
|
||||||
|
##
|
||||||
|
redis:
|
||||||
|
enabled: true
|
||||||
|
|
||||||
|
# usePassword: false
|
||||||
|
# password: synapse
|
||||||
|
cluster:
|
||||||
|
enabled: false
|
||||||
|
master:
|
||||||
|
persistence:
|
||||||
|
## Note that Synapse only uses redis as a synchronization utility, so no
|
||||||
|
## data will ever need to be persisted.
|
||||||
|
##
|
||||||
|
enabled: false
|
||||||
|
statefulset:
|
||||||
|
updateStrategy: RollingUpdate
|
||||||
|
|
||||||
|
## An externally configured Redis server to use for workers/sharding.
|
||||||
|
##
|
||||||
|
externalRedis:
|
||||||
|
# host: redis
|
||||||
|
port: 6379
|
||||||
|
# password: synapse
|
||||||
|
|
||||||
|
## Persistence configuration for the media repository function.
|
||||||
|
## This PVC will be mounted in either Synapse or a media_repo worker.
|
||||||
|
##
|
||||||
|
## NB; If you want to be able to scale this, you will have to set the
|
||||||
|
## accessMode to RWX/ReadWriteMany.
|
||||||
|
##
|
||||||
|
persistence:
|
||||||
|
enabled: true
|
||||||
|
# existingClaim: synapse-data
|
||||||
|
|
||||||
|
# storageClass: "-"
|
||||||
|
accessMode: ReadWriteOnce
|
||||||
|
size: 10Gi
|
||||||
|
|
||||||
## Set up an init container to chown the mounted media if necessary.
|
## Set up an init container to chown the mounted media if necessary.
|
||||||
##
|
##
|
||||||
volumePermissions:
|
volumePermissions:
|
||||||
|
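Review bot: The new `wellknown.image` block defaults to `repository: m4rcu5/lighttpd` with `tag: latest` and `pullPolicy: Always`, so every pod restart can pull different, unreviewed content for a server that is exposed for federation lookups. Pin a specific tag (ideally a digest) and use `IfNotPresent`. The commented security-context examples use `runAsUser: 100` with `runAsGroup: 101` and `fsGroup: 101`; say in the comment which image these IDs belong to, since `htdocsPath` is documented as a hook for running another image.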
@ -411,36 +524,19 @@ volumePermissions:
|
||||||
tag: latest
|
tag: latest
|
||||||
pullPolicy: Always
|
pullPolicy: Always
|
||||||
|
|
||||||
|
## Optionally specify an array of imagePullSecrets.
|
||||||
|
## Secrets must be manually created in the namespace.
|
||||||
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
|
||||||
|
##
|
||||||
|
# pullSecrets:
|
||||||
|
# - myRegistryKeySecretName
|
||||||
|
|
||||||
resources: {}
|
resources: {}
|
||||||
# resources:
|
# resources:
|
||||||
# requests:
|
# requests:
|
||||||
# memory: 128Mi
|
# memory: 128Mi
|
||||||
# cpu: 100m
|
# cpu: 100m
|
||||||
|
|
||||||
## Configuration for the pod security policy, Synapse will by default run as its
|
|
||||||
## own user, even if not set.
|
|
||||||
## Note that changing this may also require you to use the volumePermission
|
|
||||||
## helper depending on your storage.
|
|
||||||
##
|
|
||||||
## NB; The synapse install is currently unable to run as anything but UID:GID
|
|
||||||
## 666:666.
|
|
||||||
##
|
|
||||||
podSecurityContext: {}
|
|
||||||
# fsGroup: 666
|
|
||||||
# runAsGroup: 666
|
|
||||||
# runAsUser: 666
|
|
||||||
|
|
||||||
## Configuration for the container security policy, refer to the above
|
|
||||||
## podSecurityContext for more relevant information.
|
|
||||||
##
|
|
||||||
securityContext: {}
|
|
||||||
# capabilities:
|
|
||||||
# drop:
|
|
||||||
# - ALL
|
|
||||||
# readOnlyRootFilesystem: true
|
|
||||||
# runAsNonRoot: true
|
|
||||||
# runAsUser: 666
|
|
||||||
|
|
||||||
## The K8s ingress configuration, this will be quite heavily used in order to set
|
## The K8s ingress configuration, this will be quite heavily used in order to set
|
||||||
## up all routing necessary for use with a sharded Synapse instance.
|
## up all routing necessary for use with a sharded Synapse instance.
|
||||||
## If you're not using a Ingress compatible K8s ingress, you will need to set up
|
## If you're not using a Ingress compatible K8s ingress, you will need to set up
|
||||||
|
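Review bot: The context at the top of this hunk leaves the `volumePermissions` image at `tag: latest` with `pullPolicy: Always`, and this is the init container that chowns the media volume, so whenever the helper is used a pod start runs whatever that tag currently points to. Since the block is being touched anyway to add `pullSecrets`, pin the default to a specific version or digest. The hunk also drops `podSecurityContext` and `securityContext` from this position, including the NB that Synapse can only run as UID:GID 666:666; their new location is not visible here, so check that the NB and the commented hardening example (`drop: ALL`, `readOnlyRootFilesystem: true`, `runAsNonRoot: true`) moved with them.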
@ -455,19 +551,37 @@ ingress:
|
||||||
|
|
||||||
## Annotations to apply to the created ingress resource.
|
## Annotations to apply to the created ingress resource.
|
||||||
##
|
##
|
||||||
annotations:
|
annotations: {}
|
||||||
# nginx.ingress.kubernetes.io/use-regex: "true"
|
# nginx.ingress.kubernetes.io/use-regex: "true"
|
||||||
# kubernetes.io/ingress.class: nginx
|
# kubernetes.io/ingress.class: nginx
|
||||||
# kubernetes.io/tls-acme: "true"
|
# kubernetes.io/tls-acme: "true"
|
||||||
|
|
||||||
## Additional hosts to add to the ingress configuration.
|
## Hosts to add to the ingress configuration for handling Client-to-Server
|
||||||
|
## API request paths.
|
||||||
|
##
|
||||||
|
## NB; config.serverName is included if includeServerName is set. (default)
|
||||||
|
##
|
||||||
|
csHosts: []
|
||||||
|
# - matrix.example.com
|
||||||
|
|
||||||
|
## Additional hosts to add to the ingress configuration for handling
|
||||||
|
## Server-to-Server API requests.
|
||||||
|
##
|
||||||
## NB; config.serverName is included if includeServerName is set. (default)
|
## NB; config.serverName is included if includeServerName is set. (default)
|
||||||
##
|
##
|
||||||
hosts: []
|
hosts: []
|
||||||
# - matrix.example.com
|
# - example.com
|
||||||
|
|
||||||
## Additional paths to add to the ingress blocks, will be inserted before the
|
## Additional hosts to add to the ingress configuration for handling
|
||||||
## /_matrix and /synapse catch-all paths.
|
## well-known requests.
|
||||||
|
##
|
||||||
|
## NB; config.serverName is included if includeServerName is set. (default)
|
||||||
|
##
|
||||||
|
wkHosts: []
|
||||||
|
# - example.com
|
||||||
|
|
||||||
|
## Additional paths to add to the Server-to-Server ingress blocks, will be
|
||||||
|
## inserted before the /_matrix catch-all path.
|
||||||
##
|
##
|
||||||
paths: []
|
paths: []
|
||||||
# - path: /_matrix/media
|
# - path: /_matrix/media
|
||||||
|
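Review bot: `hosts` keeps its name but its comment narrows it from "Additional hosts to add to the ingress configuration" to Server-to-Server requests only, with client traffic moving to the new `csHosts`. Going by the new comments, an existing values file that lists its client-facing host under `hosts` would still render without error but no longer get client routes for it, so either rename the key so old values fail visibly or call the change out in upgrade notes. Minor: the `csHosts` comment says "Hosts to add" while `hosts` and `wkHosts` say "Additional hosts"; use the same wording for all three.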
@ -475,6 +589,15 @@ ingress:
|
||||||
# serviceName: matrix-media-repo
|
# serviceName: matrix-media-repo
|
||||||
# servicePort: 8000
|
# servicePort: 8000
|
||||||
|
|
||||||
|
## Additional paths to add to the Client-to-Server ingress blocks, will be
|
||||||
|
## inserted before the /_matrix and /_synapse catch-all paths.
|
||||||
|
##
|
||||||
|
csPaths: []
|
||||||
|
# - path: /_matrix/media
|
||||||
|
# backend:
|
||||||
|
# serviceName: matrix-media-repo
|
||||||
|
# servicePort: 8000
|
||||||
|
|
||||||
## Should the /_synapse path be included in the ingress, admin APIs are
|
## Should the /_synapse path be included in the ingress, admin APIs are
|
||||||
## provided under this path.
|
## provided under this path.
|
||||||
##
|
##
|
||||||
|
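Review bot: The `csPaths` example is identical to the one under `paths` (`/_matrix/media` to `matrix-media-repo` on port 8000), and neither comment says whether an override like this has to be listed in both. State that in the `csPaths` comment, since a route set on only one of the two ingress blocks would leave the other falling through to its `/_matrix` catch-all.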
@ -483,7 +606,7 @@ ingress:
|
||||||
## Should config.serverName be included in the list of ingress paths, can be
|
## Should config.serverName be included in the list of ingress paths, can be
|
||||||
## set to false if the main domain is managed in some external way.
|
## set to false if the main domain is managed in some external way.
|
||||||
##
|
##
|
||||||
# includeServerName: false
|
includeServerName: true
|
||||||
|
|
||||||
## TLS configuration to include in the ingress configuration
|
## TLS configuration to include in the ingress configuration
|
||||||
##
|
##
|
||||||
|
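Review bot: The comment above `includeServerName: true` still says the server name is added to "the list of ingress paths", but the key controls hosts, as the NB lines on `csHosts`, `hosts` and `wkHosts` put it. Change it to "ingress hosts", and since the flag now applies to three host lists, name them here.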
@ -492,25 +615,3 @@ ingress:
|
||||||
# hosts:
|
# hosts:
|
||||||
# - example.com
|
# - example.com
|
||||||
# - matrix.example.com
|
# - matrix.example.com
|
||||||
|
|
||||||
## Resources to apply to the main Synapse pod.
|
|
||||||
##
|
|
||||||
resources: {}
|
|
||||||
# limits:
|
|
||||||
# cpu: 1000m
|
|
||||||
# memory: 2500Mi
|
|
||||||
# requests:
|
|
||||||
# cpu: 1000m
|
|
||||||
# memory: 2500Mi
|
|
||||||
|
|
||||||
## Node selectors to set for the main Synapse pod.
|
|
||||||
##
|
|
||||||
nodeSelector: {}
|
|
||||||
|
|
||||||
## Tolerations to set for the main Synapse pod.
|
|
||||||
##
|
|
||||||
tolerations: []
|
|
||||||
|
|
||||||
## Affinity to set for the main Synapse pod.
|
|
||||||
##
|
|
||||||
affinity: {}
|
|
||||||
|
|
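Review bot: `resources`, `nodeSelector`, `tolerations` and `affinity` for the main Synapse pod are deleted from the end of the file, and where they now live is not visible in this hunk. Unless the chart validates its values, a values file that still sets them at the old position would be accepted and ignored, which for `resources` means the pod silently loses its requests and limits; mention the new key path in the README or upgrade notes.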