Clean up WIP synapse chart

Alexander Olofsson 2020-08-09 11:16:36 +02:00
parent a612b3b553
commit 18be04438f
No known key found for this signature in database
GPG key ID: D439C9470CB04C73
13 changed files with 653 additions and 409 deletions

View file

@ -13,4 +13,46 @@ Matrix Synapse
## Installing ## Installing
To run a federating Matrix server, you need to have a publicly accessible subdomain that Kubernetes has an ingress on.
You will also require some federation guides, either in the form of a `.well-known/matrix/server` server or as an SRV record in DNS.
When using a well-known entry, you will need to have a valid cert for whatever subdomain you wish to serve Synapse on.
When using an SRV record, you will additionally need a valid cert for the main domain that you're using for your MXIDs.
## Installation Examples
Refer to [the main Synapse docs](https://github.com/matrix-org/synapse/blob/master/docs/federate.md) for more information.
### On main domain / with subdomain MXIDs
For the simplest possible Matrix install, you can run your Synapse install on the root of the domain you wish in your MXIDs.
If you - for instance - own the domain `chosenin.space` and want to run Matrix on it, you would simply install the chart as;
helm install matrix-synapse --set config.serverName=chosenin.space --set wellknown.enabled=true
This would set up Synapse with client-server and federation both exposed on `chosenin.space/_matrix`, as well as a tiny lighttpd server that responds to federation lookups on `chosenin.space/.well-known/matrix/server`.
You can also use this to run a Synapse on a subdomain, with said subdomain as part of your MXIDs; (`@user:matrix.chosenin.space` in this case)
helm install matrix-synapse --set config.serverName=matrix.chosenin.space --set wellknown.enabled=true
### On separate subdomain
If - on the other hand - you own the domain `example.com`, want your MXIDs in the form `@user:example.com`, but still want to run your Synapse on `matrix.example.com`. Then you have two options, using either DNS or well-known;
For DNS, you could install the chart as;
helm install matrix-synapse --set config.serverName=example.com --set config.publicBaseUrl=https://matrix.example.com --set ingress.includeServerName=false --set ingress.hosts={example.com} --set ingress.csHosts={matrix.example.com}
This will add only federation endpoints to `example.com`, along with client endpoints on `matrix.example.com`. You will also need to have valid certs for both `example.com` as well as `matrix.example.com` for your Synapse to use.
To get federation working with such a setup, you would need to add an SRV record to your DNS - for example;
`_matrix._tcp.example.com 10 1 443 matrix.example.com`
If you want to use a well-known file for federation instead, then your install might look more like;
helm install matrix-synapse --set config.serverName=example.com --set config.publicBaseUrl=https://matrix.example.com --set wellknown.enabled=true --set wellknown.host=matrix.example.com --set ingress.includeServerName=false --set ingress.hosts={matrix.example.com} --set ingress.csHosts={matrix.example.com} --set ingress.wkHosts={example.com}
With well-known federation, your client-to-server/public host is the one that needs to handle both client and federation traffic. On your main domain you'll instead only need something that can respond with a JSON file on the URL `example.com/.well-known/matrix/server`, which the included wellknown server will do.
When using well-known federation, your Synapse cert would only need to be valid for `matrix.example.com`.
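Review bot: the `helm install matrix-synapse --set ...` examples in this hunk are ambiguous between Helm 2 (where `matrix-synapse` is read as the chart reference) and Helm 3 (where it is the release name and the chart argument is missing, so the command fails with "requires at least 2 arguments"); write them as `helm install matrix-synapse <chart-path-or-repo/name> --set ...`. The SRV example `_matrix._tcp.example.com 10 1 443 matrix.example.com` would be clearer with the record type shown (`_matrix._tcp.example.com. IN SRV 10 1 443 matrix.example.com.`). In "On separate subdomain" the opening sentence is a fragment ("If - on the other hand - you own the domain `example.com` ... Then you have two options"); join it into one sentence. The certificate guidance is the important operational point and reads correctly: with the SRV variant federation peers validate the certificate against `example.com`, so both hosts need valid certs, while the well-known variant only needs `matrix.example.com`.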

View file

@ -1,9 +1,10 @@
** Note, this chart may take a while to finish setup, please be patient ** ** Note, this chart may take a while to finish setup, please be patient **
{{- if not .Values.ingress.enabled }} {{- if not .Values.ingress.enabled }}
Synapse has been installed without an ingress, you will need to manage Synapse has been installed without an ingress, you will need to manage
accesses to the services yourself. accesses to the services yourself.
{{- else }} {{- else }}
Your Synapse install is now starting, you should soon be able to access it on Your Synapse install is now starting, you should soon be able to access it on
the following URL(s); the following URL(s);
{{- range (concat .Values.ingress.hosts (list .Values.config.serverName)) }} {{- range (concat .Values.ingress.hosts (list .Values.config.serverName)) }}
@ -19,6 +20,7 @@ set up a /.well-known/matrix/server response.
Refer to https://github.com/matrix-org/synapse/blob/master/docs/federate.md Refer to https://github.com/matrix-org/synapse/blob/master/docs/federate.md
for more information. for more information.
{{- end }} {{- end }}
{{- end }}
{{- if .Values.config.enableRegistration }} {{- if .Values.config.enableRegistration }}
You should be able to connect to your Synapse install with any compatible You should be able to connect to your Synapse install with any compatible
@ -30,6 +32,6 @@ You can create a user in your new Synapse install by running the following
command; command;
{{- end }} {{- end }}
kubectl exec --namespace {{ .Release.Namespace }} {{ template "matrix-synapse" . }} -- register_new_matrix_user -c /synapse/config/homeserver.yaml -c /synapse/config/conf.d/secrets.yaml -u USERNAME -p PASSWORD --admin http://localhost:8008 kubectl exec --namespace {{ .Release.Namespace }} {{ template "matrix-synapse.fullname" . }} -- register_new_matrix_user -c /synapse/config/homeserver.yaml -c /synapse/config/conf.d/secrets.yaml -u USERNAME -p PASSWORD --admin http://localhost:8008
You can also specify --no-admin to create a non-admin user. You can also specify --no-admin to create a non-admin user.
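Review bot: the `register_new_matrix_user` example passes `-p PASSWORD` on the `kubectl exec` command line, which puts the admin password into the operator's shell history and into any exec audit log; drop `-p` (and run `kubectl exec -it ...`) so the tool prompts for the password instead. The template-name fix from `matrix-synapse` to `matrix-synapse.fullname` and the added `{{- end }}` that closes the ingress branch in the earlier hunk both look right.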

View file

@ -25,21 +25,29 @@ If release name contains chart name it will be used as a full name.
{{- end -}} {{- end -}}
{{/* {{/*
Create a default fully qualified app name. Create a default replication name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}} */}}
{{- define "matrix-synapse.replicationname" -}} {{- define "matrix-synapse.replicationname" -}}
{{- printf "%s-%s-%s" .Release.Name .Chart.Name "matrix-synapse-replication" | trunc 63 | trimSuffix "-" -}} {{- printf "%s-%s-%s" .Release.Name .Chart.Name "replication" | trunc 63 | trimSuffix "-" -}}
{{- end -}} {{- end -}}
{{/* {{/*
Create a default fully qualified app name. Create a default worker name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}} */}}
{{- define "matrix-synapse.workername" -}} {{- define "matrix-synapse.workername" -}}
{{- printf "%s-%s-%s" .global.Release.Name .global.Chart.Name .worker | trunc 63 | trimSuffix "-" -}} {{- printf "%s-%s-%s" .global.Release.Name .global.Chart.Name .worker | trunc 63 | trimSuffix "-" -}}
{{- end -}} {{- end -}}
{{/*
Create a default external component name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "matrix-synapse.externalname" -}}
{{- printf "%s-%s" .global.Release.Name .external | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/* {{/*
Create chart name and version as used by the chart label. Create chart name and version as used by the chart label.
*/}} */}}
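Review bot: changing the `replicationname` output from `<release>-<chart>-matrix-synapse-replication` to `<release>-<chart>-replication` renames the replication Service, and every generated worker file points `worker_replication_host` at this helper, so an in-place `helm upgrade` of an existing release gets a new Service name; call that out in the upgrade notes. The corrected comments ("default replication name", "default worker name") are welcome. The new `externalname` helper builds `<release>-<name>` without the chart name, unlike `workername`; fine if intentional, but say so in its comment since the two now produce differently shaped names for similar components.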
@ -74,6 +82,24 @@ app.kubernetes.io/name: {{ include "matrix-synapse.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}} {{- end -}}
{{/*
Pull secrets
*/}}
{{- define "matrix-synapse.imagePullSecrets" -}}
{{- if or .Values.image.pullSecrets .Values.wellknown.image.pullSecrets .Values.volumePermissions.pullSecrets }}
imagePullSecrets:
{{- with .Values.image.pullSecrets }}
{{- . | toYaml | nindent 2 }}
{{- end }}
{{- with .Values.wellknown.image.pullSecrets }}
{{- . | toYaml | nindent 2 }}
{{- end }}
{{- with .Values.volumePermissions.image.pullSecrets }}
{{- . | toYaml | nindent 2 }}
{{- end }}
{{- end -}}
{{- end -}}
{{/* {{/*
Create a default fully qualified app name. Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
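Review bot: the guard and the body of the new `imagePullSecrets` helper disagree on the volume-permissions key: the `if or` tests `.Values.volumePermissions.pullSecrets`, while the `with` block reads `.Values.volumePermissions.image.pullSecrets`, so whichever key values.yaml defines, the other is always empty and the volume-permissions pull secrets are either never emitted or emit a bare `imagePullSecrets:` key. The worker deployment in this commit reads `.Values.volumePermissions.repository`/`.tag`/`.pullPolicy` without an `.image.` level, so `.Values.volumePermissions.pullSecrets` in both places looks like the intended key. Also note the helper merges all three lists into every pod that includes it, which is harmless but worth a comment.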

View file

@ -20,12 +20,12 @@ data:
class: logging.StreamHandler class: logging.StreamHandler
formatter: precise formatter: precise
filters: [context] filters: [context]
level: {{ .Values.config.logLevel }} level: {{ .Values.config.logLevel | default "INFO" }}
loggers: loggers:
synapse: synapse:
level: {{ .Values.config.logLevel }} level: {{ .Values.config.logLevel | default "INFO" }}
root: root:
level: {{ .Values.config.logLevel }} level: {{ .Values.config.logLevel | default "INFO" }}
handlers: [console] handlers: [console]
homeserver.yaml: | homeserver.yaml: |
# NOTE: # NOTE:
@ -116,22 +116,22 @@ data:
url_preview_enabled: false url_preview_enabled: false
max_spider_size: "10M" max_spider_size: "10M"
{{- if .Values.config.recaptcha }} {{- if .Values.config.recaptcha }}
## Captcha ## ## Captcha ##
recaptcha_public_key: {{ .Values.config.recaptcha.publicKey | quote }} recaptcha_public_key: {{ .Values.config.recaptcha.publicKey | quote }}
enable_registration_captcha: True enable_registration_captcha: true
recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify" recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify"
{{- end }} {{- end }}
{{- if .Values.config.turnUris }} {{- if .Values.config.turnUris }}
## Turn ## ## Turn ##
turn_uris: turn_uris:
{{ toYaml .Values.config.turnUris | nindent 6 }} {{ toYaml .Values.config.turnUris | nindent 6 }}
turn_user_lifetime: "1h" turn_user_lifetime: "1h"
turn_allow_guests: True turn_allow_guests: true
{{- end }} {{- end }}
## Registration ## ## Registration ##
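Review bot: `turn_allow_guests: true` stays hard-coded in this hunk (only its capitalisation changes), so every deployment that sets `config.turnUris` also hands TURN credentials to unauthenticated guest accounts, which lets a client that never passed registration or CAPTCHA relay traffic through the TURN server; expose it as a value (for example `config.turnAllowGuests`) instead of fixing it in the template. The `True` to `true` edits are correct YAML booleans and are the right change for `enable_registration_captcha` and `enable_metrics` as well.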
@ -143,7 +143,7 @@ data:
## Metrics ### ## Metrics ###
enable_metrics: True enable_metrics: true
report_stats: {{ .Values.config.reportStats | default false }} report_stats: {{ .Values.config.reportStats | default false }}
## API Configuration ## ## API Configuration ##
@ -167,7 +167,6 @@ data:
servers: {{- .Values.config.perspectiveServers | toYaml | nindent 8 }} servers: {{- .Values.config.perspectiveServers | toYaml | nindent 8 }}
## Workers ## ## Workers ##
{{- $default := .Values.workers.default }} {{- $default := .Values.workers.default }}
{{- range $worker, $config := .Values.workers }} {{- range $worker, $config := .Values.workers }}
{{- if $config.enabled }} {{- if $config.enabled }}
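Review bot: the `$default := .Values.workers.default` assignment is removed here but the `range` over `.Values.workers` below it is kept; the rest of that block lies outside the hunk, so please confirm nothing in it still references `$default` (the equivalent loop that moved to the new worker ConfigMap re-declares it).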
@ -184,42 +183,9 @@ data:
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- with .Values.extraConfig }} {{- with .Values.extraConfig }}
## Extra config ## ## Extra config ##
{{ . | toYaml | nindent 4 }} {{ . | toYaml | nindent 4 }}
{{- end }} {{- end }}
{{- $default := .Values.workers.default -}}
{{- range $worker, $config := .Values.workers -}}
{{- if $config.enabled -}}
{{- $name := $worker | replace "_" "-" }}
{{ $name }}.worker: |
worker_app: "synapse.app.{{ $worker }}"
worker_main_http_uri: http://{{ include "matrix-synapse.fullname" $ }}:8008
worker_replication_host: {{ include "matrix-synapse.replicationname" $ | quote }}
worker_replication_http_port: 9093
worker_listeners:
- type: http
bind_addresses: ['0.0.0.0']
tls: false
port: 9090
resources:
- names: [metrics]
compress: false
{{- if $config.listeners }}
- type: http
tls: false
port: 8083
resources:
- names: {{- toYaml $config.listeners | nindent 14 }}
compress: false
{{- end }}
worker_log_config: /synapse/config/log.yaml
{{- end }}
{{- end }}

View file

@ -11,7 +11,7 @@ metadata:
{{- include "matrix-synapse.labels" . | nindent 4 }} {{- include "matrix-synapse.labels" . | nindent 4 }}
app.kubernetes.io/component: synapse app.kubernetes.io/component: synapse
spec: spec:
replicas: {{ .Values.replicaCount }} replicas: 1
selector: selector:
matchLabels: matchLabels:
{{- include "matrix-synapse.selectorLabels" . | nindent 6 }} {{- include "matrix-synapse.selectorLabels" . | nindent 6 }}
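Review bot: pinning `replicas: 1` is right for the main Synapse process, which cannot run as several instances against one database, but with the Deployment's default `RollingUpdate` strategy a `helm upgrade` still runs the old and new main process side by side for a moment; add `strategy: {type: Recreate}` to the spec so the old pod stops before the new one starts. Dropping `.Values.replicaCount` also silently ignores the value for anyone who had set it, so it deserves a deprecation line in the chart notes.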
@ -21,24 +21,21 @@ spec:
annotations: annotations:
checksum/config: {{ include (print $.Template.BasePath "/configuration.yaml") . | sha256sum }} checksum/config: {{ include (print $.Template.BasePath "/configuration.yaml") . | sha256sum }}
checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }} checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
{{- with .Values.annotations }} {{- with .Values.synapse.annotations }}
{{ . | toYaml | nindent 8 }} {{ . | toYaml | nindent 8 }}
{{- end }} {{- end }}
labels: labels:
{{- include "matrix-synapse.selectorLabels" . | nindent 8 }} {{- include "matrix-synapse.selectorLabels" . | nindent 8 }}
app.kubernetes.io/component: synapse app.kubernetes.io/component: synapse
{{- with .Values.labels }} {{- with .Values.synapse.labels }}
{{ . | toYaml | nindent 8 }} {{ . | toYaml | nindent 8 }}
{{- end }} {{- end }}
spec: spec:
{{- with .Values.imagePullSecrets }} {{- include "matrix-synapse.imagePullSecrets" . | nindent 6 }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
securityContext: securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }} {{- toYaml .Values.synapse.podSecurityContext | nindent 8 }}
containers: containers:
- name: {{ .Chart.Name }} - name: synapse
command: command:
- sh - sh
- -c - -c
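Review bot: pod-level `annotations`, `labels` and `podSecurityContext` move under `.Values.synapse.*` in this hunk, while the `imagePullSecrets` helper it now includes reads top-level `.Values.image.pullSecrets` and the container `securityContext` in the next hunk still reads top-level `.Values.securityContext`; settle on one namespace per component so values.yaml stays predictable. Renaming the container from `{{ .Chart.Name }}` to the fixed `synapse` is sensible, but anything that selects the container by name (`kubectl exec -c`, `kubectl logs -c`, log-shipper configs) needs the new value.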
@ -69,10 +66,10 @@ spec:
{{- with .Values.extraEnv }} {{- with .Values.extraEnv }}
{{ . | toYaml }} {{ . | toYaml }}
{{- end }} {{- end }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ include "matrix-synapse.imageTag" . }}" image: "{{ .Values.image.repository }}:{{ include "matrix-synapse.imageTag" . }}"
imagePullPolicy: {{ .Values.image.pullPolicy }} imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
ports: ports:
- name: http - name: http
containerPort: 8008 containerPort: 8008
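Review bot: the container `securityContext` is only moved below `imagePullPolicy` here, and it still reads `.Values.securityContext` although the pod-level context in the previous hunk was changed to `.Values.synapse.podSecurityContext`; change it to `.Values.synapse.securityContext` to match, the same way the well-known deployment in this commit uses `.Values.wellknown.securityContext`.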
@ -113,9 +110,9 @@ spec:
secretName: {{ include "matrix-synapse.fullname" . }} secretName: {{ include "matrix-synapse.fullname" . }}
- name: signingkey - name: signingkey
secret: secret:
secretName: {{ default .Values.signingkey.existingSecret (include "matrix-synapse.workername" (dict "global" . "worker" "signingkey")) | quote }} secretName: {{ .Values.signingkey.existingSecret | default (include "matrix-synapse.workername" (dict "global" . "worker" "signingkey")) | quote }}
items: items:
- key: {{ default .Values.signingkey.existingSecretKey "signing.key" | quote }} - key: {{ .Values.signingkey.existingSecretKey | default "signing.key" | quote }}
path: signing.key path: signing.key
- name: tmpconf - name: tmpconf
emptyDir: {} emptyDir: {}
@ -129,7 +126,7 @@ spec:
{{- end }} {{- end }}
{{- if and .Values.persistence.enabled (not $mediaworker) }} {{- if and .Values.persistence.enabled (not $mediaworker) }}
persistentVolumeClaim: persistentVolumeClaim:
claimName: {{ default .Values.persistence.existingClaim (include "matrix-synapse.fullname" .) }} claimName: {{ .Values.persistence.existingClaim | default (include "matrix-synapse.fullname" .) }}
{{- else }} {{- else }}
emptyDir: {} emptyDir: {}
{{- end }} {{- end }}
@ -145,164 +142,3 @@ spec:
tolerations: tolerations:
{{- toYaml . | nindent 8 }} {{- toYaml . | nindent 8 }}
{{- end }} {{- end }}
{{- $default := .Values.workers.default }}
{{- range $worker, $config := .Values.workers }}
{{- if $config.enabled }}
{{- $name := $worker | replace "_" "-" }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "matrix-synapse.workername" (dict "global" $ "worker" $name) }}
labels:
{{- include "matrix-synapse.labels" $ | nindent 4 }}
app.kubernetes.io/component: {{ $name }}
spec:
replicas: {{ $config.replicaCount | default $default.replicaCount }}
selector:
matchLabels:
{{- include "matrix-synapse.selectorLabels" $ | nindent 6 }}
app.kubernetes.io/component: {{ $name }}
template:
metadata:
annotations:
checksum/config: {{ include (print $.Template.BasePath "/configuration.yaml") $ | sha256sum }}
checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") $ | sha256sum }}
{{- with ($config.annotations | default $default.annotations) }}
{{ . | toYaml | nindent 8 }}
{{- end }}
labels:
{{- include "matrix-synapse.selectorLabels" $ | nindent 8 }}
app.kubernetes.io/component: {{ $name }}
{{- with ($config.labels | default $default.labels) }}
{{ . | toYaml | nindent 8 }}
{{- end }}
spec:
{{- with $.Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
securityContext:
{{- $config.podSecurityContext | default $default.podSecurityContext | toYaml | nindent 8 }}
{{- if and $needsVolumePermissions (eq $name "media-repository") }}
initContainers:
- name: volume-permissions
command: ["chown", "-R", "666:666", "/synapse/data"]
image: "{{ $.Values.volumePermissions.repository }}:{{ $.Values.volumePermissions.tag }}"
imagePullPolicy: {{ $.Values.volumePermissions.pullPolicy }}
securityContext:
runAsUser: 0
resources: {{ $.Values.volumePermissions.resources | toYaml | nindent 10 }}
volumeMounts:
- name: media
mountPath: /synapse/data
{{- end }}
containers:
- name: {{ $name }}
command:
- sh
- -c
- |
cat /synapse/secrets/*.yaml | \
sed -e "s/@@POSTGRES_PASSWORD@@/${POSTGRES_PASSWORD:-}/" \
-e "s/@@REDIS_PASSWORD@@/${REDIS_PASSWORD:-}/" \
> /synapse/config/conf.d/secrets.yaml
/matrix-synapse synapse.app.{{ $worker }} -c /synapse/config/{{ $name }}.worker
env:
{{- if $.Values.postgresql.enabled }}
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "matrix-synapse.postgresql.fullname" $ }}
key: postgresql-password
{{- end }}
{{- if and $.Values.redis.enabled (default $.Values.redis.usePassword true) }}
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "matrix-synapse.redis.fullname" $ }}
key: redis-password
{{- end }}
{{- with default $config.extraEnv $default.extraEnv }}
{{ . | toYaml }}
{{- end }}
securityContext:
{{- $config.securityContext | default $default.securityContext | toYaml | nindent 12 }}
image: "{{ $.Values.image.repository }}:{{ $.Chart.AppVersion }}"
imagePullPolicy: {{ $.Values.image.pullPolicy }}
ports:
- name: metrics
containerPort: 9090
protocol: TCP
{{- if $config.listeners }}
- name: listener
containerPort: 8083
protocol: TCP
livenessProbe:
tcpSocket:
port: listener
readinessProbe:
tcpSocket:
port: listener
{{- end }}
resources:
{{- $config.resources | default $default.resources | toYaml | nindent 12 }}
volumeMounts:
- name: config
mountPath: /synapse/config
- name: tmpconf
mountPath: /synapse/config/conf.d
- name: secrets
mountPath: /synapse/secrets
- name: signingkey
mountPath: /synapse/keys
{{- if eq $name "media-repository" }}
- name: media
mountPath: /synapse/data
{{- end }}
{{- with $config.volumeMounts | default $default.volumeMounts }}
{{ . | toYaml | nindent 12 }}
{{- end }}
{{- with $config.nodeSelector | default $default.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $config.affinity | default $default.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $config.tolerations | default $default.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: config
configMap:
name: {{ include "matrix-synapse.fullname" $ }}
- name: secrets
secret:
secretName: {{ include "matrix-synapse.fullname" $ }}
- name: signingkey
secret:
secretName: {{ default $.Values.signingkey.existingSecret (include "matrix-synapse.workername" (dict "global" $ "worker" "signingkey")) | quote }}
items:
- key: {{ default $.Values.signingkey.existingSecretKey "signing.key" | quote }}
path: signing.key
- name: tmpconf
emptyDir: {}
{{- if eq $name "media-repository" }}
- name: media
{{- if $.Values.persistence.enabled }}
persistentVolumeClaim:
claimName: {{ default $.Values.persistence.existingClaim (include "matrix-synapse.fullname" $) }}
{{- else }}
emptyDir: {}
{{- end }}
{{- end }}
{{- with $config.volumes }}
{{ . | toYaml | nindent 8 }}
{{- end }}
{{- end }}
{{- end }}

View file

@ -1,6 +1,6 @@
{{- if .Values.ingress.enabled -}} {{- if .Values.ingress.enabled -}}
{{- $fullName := include "matrix-synapse.fullname" . -}} {{- $fullName := include "matrix-synapse.fullname" . -}}
{{- $wkName := include "matrix-synapse.workername" (dict "global" . "worker" "wellknown-lighttpd") -}} {{- $wkName := include "matrix-synapse.externalname" (dict "global" . "external" "wellknown-lighttpd") -}}
{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} {{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1beta1 apiVersion: networking.k8s.io/v1beta1
{{- else -}} {{- else -}}
@ -27,51 +27,88 @@ spec:
{{- end }} {{- end }}
{{- end }} {{- end }}
rules: rules:
{{- $hosts := .Values.ingress.hosts }} {{- $csHosts := .Values.ingress.csHosts }}
{{- if default .Values.ingress.includeServerName true }} {{- if .Values.ingress.includeServerName }}
{{- $hosts = concat (list .Values.config.serverName) $hosts }} {{- $csHosts = concat (list .Values.config.serverName) $csHosts }}
{{- end }} {{- end }}
{{- $s2sHosts := .Values.ingress.hosts }}
{{- if .Values.ingress.includeServerName }}
{{- $s2sHosts = concat (list .Values.config.serverName) $s2sHosts }}
{{- end }}
{{- $wkHosts := .Values.ingress.wkHosts }}
{{- if .Values.ingress.includeServerName }}
{{- $wkHosts = concat (list .Values.config.serverName) $wkHosts }}
{{- end }}
{{- $hosts := uniq (concat $s2sHosts $csHosts $wkHosts) }}
{{- range $hosts }} {{- range $hosts }}
{{- $host := . }}
- host: {{ . | quote }} - host: {{ . | quote }}
http: http:
paths: paths:
{{- $default := $.Values.workers.default }} {{- $default := $.Values.workers.default }}
{{- range $worker, $config := $.Values.workers }} {{- range $worker, $config := $.Values.workers }}
{{- $name := $worker | replace "_" "-" }} {{- $name := $worker | replace "_" "-" }}
{{- if and $config.enabled $config.listeners $config.paths }} {{- if and $config.enabled $config.listeners (or $config.paths $config.csPaths) }}
{{- $service := include "matrix-synapse.workername" (dict "global" $ "worker" $name) }} {{- $service := include "matrix-synapse.workername" (dict "global" $ "worker" $name) }}
{{- range $config.paths }} {{- if has $host $csHosts }}
{{- if $.Values.ingress.traefikPaths }} {{- range $config.csPaths }}
{{- if $.Values.ingress.traefikPaths }}
- path: {{ printf "/{path:%s}" (trimPrefix "/" .) | quote }} - path: {{ printf "/{path:%s}" (trimPrefix "/" .) | quote }}
backend: backend:
serviceName: {{ $service }} serviceName: {{ $service }}
servicePort: 8083 servicePort: 8083
{{- else }} {{- else }}
- path: {{ . | quote }} - path: {{ . | quote }}
backend: backend:
serviceName: {{ $service }} serviceName: {{ $service }}
servicePort: 8083 servicePort: 8083
{{- end }}
{{- end }}
{{- end }}
{{- if has $host $s2sHosts }}
{{- range $config.paths }}
{{- if $.Values.ingress.traefikPaths }}
- path: {{ printf "/{path:%s}" (trimPrefix "/" .) | quote }}
backend:
serviceName: {{ $service }}
servicePort: 8083
{{- else }}
- path: {{ . | quote }}
backend:
serviceName: {{ $service }}
servicePort: 8083
{{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- if has . $csHosts }}
{{- with $.Values.ingress.csPaths }}
{{ . | toYaml | nindent 10 }}
{{- end }}
{{- end }}
{{- if has . $s2sHosts }}
{{- with $.Values.ingress.paths }} {{- with $.Values.ingress.paths }}
{{ . | toYaml | nindent 10 }} {{ . | toYaml | nindent 10 }}
{{- end }} {{- end }}
{{- end }}
{{- if or (has . $csHosts) (has . $s2sHosts) }}
- path: /_matrix - path: /_matrix
backend: backend:
serviceName: {{ $fullName }} serviceName: {{ $fullName }}
servicePort: 8008 servicePort: 8008
{{- end }}
{{- if $.Values.ingress.includeUnderscoreSynapse }} {{- if and (has . $csHosts) $.Values.ingress.includeUnderscoreSynapse }}
- path: /_synapse - path: /_synapse
backend: backend:
serviceName: {{ $fullName }} serviceName: {{ $fullName }}
servicePort: 8008 servicePort: 8008
{{- end }} {{- end }}
{{- if has . $wkHosts }}
- path: /.well-known/matrix/client - path: /.well-known/matrix/client
backend: backend:
serviceName: {{ $fullName }} serviceName: {{ $fullName }}
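Review bot: the default for `ingress.includeServerName` flips in this hunk: the old `{{- if default .Values.ingress.includeServerName true }}` treated an unset value as true, while the new `{{- if .Values.ingress.includeServerName }}` treats it as false, so an existing release that never set the key stops getting `serverName` added to its host lists after upgrade unless values.yaml now defaults it to true (values.yaml is not part of this diff, so please check). The two worker `range` blocks for `csPaths` and `paths` are identical apart from the list they iterate and both target servicePort 8083; a small named template would remove the duplication. Gating `/_synapse` on `has . $csHosts` so the admin API is never exposed on pure federation or well-known hosts is a good least-exposure choice and should be kept.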
@ -83,5 +120,6 @@ spec:
serviceName: {{ $wkName }} serviceName: {{ $wkName }}
servicePort: 80 servicePort: 80
{{- end }} {{- end }}
{{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}

View file

@ -12,26 +12,30 @@ stringData:
recaptcha_private_key: {{ .Values.config.recaptcha.privateKey | quote }} recaptcha_private_key: {{ .Values.config.recaptcha.privateKey | quote }}
{{- end }} {{- end }}
{{- if .Values.config.turnSecret }} {{- if .Values.config.turnSecret }}
## Turn ## ## Turn ##
turn_shared_secret: {{ .Values.config.turnSecret | quote }} turn_shared_secret: {{ .Values.config.turnSecret | quote }}
{{- end }}
{{- end }}
## Registration ## ## Registration ##
registration_shared_secret: {{ .Values.config.registrationSharedSecret | default (randAlphaNum 24) | quote }} registration_shared_secret: {{ .Values.config.registrationSharedSecret | default (randAlphaNum 24) | quote }}
## API Configuration ## ## API Configuration ##
macaroon_secret_key: {{ required "You must specify a macaroon as config.macaroonSecretKey" .Values.config.macaroonSecretKey | quote }} {{- if .Values.config.macaroonSecretKey }}
macaroon_secret_key: {{ .Values.config.macaroonSecretKey | quote }}
{{- end }}
{{- $postgresHost := include "matrix-synapse.postgresql.host" . }} {{- $postgresHost := include "matrix-synapse.postgresql.host" . }}
{{- $postgresDB := include "matrix-synapse.postgresql.database" . }} {{- $postgresDB := include "matrix-synapse.postgresql.database" . }}
{{- $postgresUser := include "matrix-synapse.postgresql.username" . }} {{- $postgresUser := include "matrix-synapse.postgresql.username" . }}
{{- $postgresPort := include "matrix-synapse.postgresql.port" . }} {{- $postgresPort := include "matrix-synapse.postgresql.port" . }}
{{- $postgresPass := include "matrix-synapse.postgresql.password" . }} {{- $postgresPass := include "matrix-synapse.postgresql.password" . }}
## Database configuration ## ## Database configuration ##
database: database:
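Review bot: `macaroon_secret_key` goes from `required` to optional here. When it is absent, Synapse (in the versions current at this commit) falls back to `registration_shared_secret`, and the adjacent `registration_shared_secret: ... | default (randAlphaNum 24)` is re-rolled on every template render, so an install that sets neither ends up with a macaroon key that changes on every `helm upgrade` and invalidates all access tokens. Suggest keeping `required` on `macaroon_secret_key`, or generating both secrets once and reading them back with `lookup` instead of re-rendering them, and documenting that both must be pinned for stable sessions.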
@ -52,6 +56,7 @@ stringData:
{{- $redisHost := include "matrix-synapse.redis.host" . }} {{- $redisHost := include "matrix-synapse.redis.host" . }}
{{- $redisPort := include "matrix-synapse.redis.port" . }} {{- $redisPort := include "matrix-synapse.redis.port" . }}
{{- $redisPass := include "matrix-synapse.redis.password" . }} {{- $redisPass := include "matrix-synapse.redis.password" . }}
## Redis configuration ## ## Redis configuration ##
redis: redis:

View file

@ -26,7 +26,7 @@ rules:
resources: resources:
- secrets - secrets
resourceNames: resourceNames:
- {{ $secretName }} - {{ $secretName }}
verbs: verbs:
- get - get
- update - update

View file

@ -4,7 +4,7 @@ kind: Pod
metadata: metadata:
name: "{{ include "matrix-synapse.fullname" . }}-test-connection" name: "{{ include "matrix-synapse.fullname" . }}-test-connection"
labels: labels:
{{ include "matrix-synapse.labels" . | nindent 4 }} {{- include "matrix-synapse.labels" . | nindent 4 }}
annotations: annotations:
"helm.sh/hook": test-success "helm.sh/hook": test-success
spec: spec:

View file

@ -1,5 +1,5 @@
{{- if .Values.wellknown.enabled }} {{- if .Values.wellknown.enabled }}
{{- $wkName := include "matrix-synapse.workername" (dict "global" . "worker" "wellknown-lighttpd") -}} {{- $wkName := include "matrix-synapse.externalname" (dict "global" . "external" "wellknown-lighttpd") -}}
--- ---
apiVersion: v1 apiVersion: v1
kind: ConfigMap kind: ConfigMap
@ -10,9 +10,6 @@ metadata:
component: well-known component: well-known
data: data:
lighttpd.conf: | lighttpd.conf: |
var.basedir = "/var/www/localhost"
var.logdir = "/var/log/lighttpd"
var.statedir = "/var/lib/lighttpd"
server.modules = ( server.modules = (
"mod_rewrite", "mod_rewrite",
"mod_status", "mod_status",
@ -21,13 +18,13 @@ data:
include "mime-types.conf" include "mime-types.conf"
server.username = "lighttpd" server.username = "lighttpd"
server.groupname = "lighttpd" server.groupname = "lighttpd"
server.document-root = var.basedir + "/htdocs" server.document-root = {{ .Values.wellknown.htdocsPath | quote }}
server.pid-file = "/run/lighttpd.pid" server.pid-file = "/run/lighttpd.pid"
server.errorlog = "/dev/stderr" server.errorlog = "/dev/stderr"
status.status-url = "/server-status"
url.rewrite-once = ( url.rewrite-once = (
"^/\.well-known/matrix/server" => "/server.json" "^/\.well-known/matrix/server" => "/server.json"
) )
status.status-url = "/server-status"
accesslog.filename = "/dev/stderr" accesslog.filename = "/dev/stderr"
server.json: |- server.json: |-
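Review bot: `mod_status` is still loaded and `status.status-url = "/server-status"` is only moved, not removed, so the well-known container keeps serving lighttpd's status page; the Ingress in this commit routes only `/.well-known/matrix/server` to `$wkName`, so it is not reachable from outside, but it is exposed on the Service inside the cluster. Drop `mod_status` and the status URL unless something actually scrapes it. Taking `server.document-root` from `wellknown.htdocsPath` is fine and matches the `server.json` mount path change later in the file.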
@ -59,7 +56,7 @@ metadata:
{{- include "matrix-synapse.labels" . | nindent 4 }} {{- include "matrix-synapse.labels" . | nindent 4 }}
component: well-known component: well-known
spec: spec:
replicas: {{ default .Values.wellknown.replicaCount 1 }} replicas: {{ .Values.wellknown.replicaCount | default 1 }}
selector: selector:
matchLabels: matchLabels:
{{- include "matrix-synapse.selectorLabels" . | nindent 6 }} {{- include "matrix-synapse.selectorLabels" . | nindent 6 }}
@ -72,10 +69,15 @@ spec:
{{- include "matrix-synapse.selectorLabels" . | nindent 8 }} {{- include "matrix-synapse.selectorLabels" . | nindent 8 }}
component: well-known component: well-known
spec: spec:
{{- include "matrix-synapse.imagePullSecrets" . | nindent 6 }}
securityContext:
{{- toYaml .Values.wellknown.podSecurityContext | nindent 8 }}
containers: containers:
- name: lighttpd - name: lighttpd
image: m4rcu5/lighttpd image: "{{ .Values.wellknown.image.repository }}:{{ .Values.wellknown.image.tag }}"
imagePullPolicy: Always imagePullPolicy: {{ .Values.wellknown.image.pullPolicy }}
securityContext:
{{- toYaml .Values.wellknown.securityContext | nindent 12 }}
ports: ports:
- containerPort: 80 - containerPort: 80
name: http name: http
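Review bot: the new `podSecurityContext`/`securityContext` for the well-known pod need checking against the lighttpd config in the same file: it sets `server.username = "lighttpd"` (a root-to-unprivileged drop at startup) and the container listens on port 80, so if values.yaml sets `runAsNonRoot` or a non-zero `runAsUser`, lighttpd can neither bind 80 nor switch user and the pod crash-loops. Either move it to an unprivileged port (for example 8080, with the Service mapping 80 to 8080) and drop the `server.username`/`server.groupname` lines, or keep the context permissive and say why. Replacing the hard-coded `m4rcu5/lighttpd` with `Always` pull by `wellknown.image.*` is a good change; pin the default tag to a version or digest rather than a floating tag.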
@ -91,11 +93,25 @@ spec:
- mountPath: /etc/lighttpd/lighttpd.conf - mountPath: /etc/lighttpd/lighttpd.conf
name: files name: files
subPath: lighttpd.conf subPath: lighttpd.conf
- mountPath: /var/www/localhost/htdocs/server.json - mountPath: {{ .Values.wellknown.htdocsPath }}/server.json
name: files name: files
subPath: server.json subPath: server.json
resources:
{{- toYaml .Values.wellknown.resources | nindent 12 }}
volumes: volumes:
- name: files - name: files
configMap: configMap:
name: {{ $wkName }} name: {{ $wkName }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }} {{- end }}
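Review bot: the new `nodeSelector`/`affinity`/`tolerations` blocks read top-level `.Values.nodeSelector` and friends, while everything else for this pod now lives under `.Values.wellknown.*` (image, securityContext, resources, replicaCount) and the main deployment moved its pod settings under `.Values.synapse.*`; use `.Values.wellknown.nodeSelector` etc. so the well-known pod can be scheduled independently of Synapse. Adding `resources` from `wellknown.resources` is good; give it a default in values.yaml so the well-known pod does not run without limits by accident.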

View file

@ -0,0 +1,41 @@
{{- $wkName := include "matrix-synapse.workername" (dict "global" . "worker" "workers") -}}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ $wkName }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
data:
{{- $default := .Values.workers.default -}}
{{- range $worker, $config := .Values.workers -}}
{{- if $config.enabled -}}
{{- $name := $worker | replace "_" "-" }}
{{ $name }}.worker: |
worker_app: "synapse.app.{{ $worker }}"
worker_main_http_uri: http://{{ include "matrix-synapse.fullname" $ }}:8008
worker_replication_host: {{ include "matrix-synapse.replicationname" $ | quote }}
worker_replication_http_port: 9093
worker_listeners:
- type: http
bind_addresses: ['0.0.0.0']
tls: false
port: 9090
resources:
- names: [metrics]
compress: false
{{- if $config.listeners }}
- type: http
tls: false
port: 8083
resources:
- names: {{- toYaml $config.listeners | nindent 14 }}
compress: false
{{- end }}
worker_log_config: /synapse/config/log.yaml
{{- end }}
{{- end }}
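Review bot: the two worker listeners bind inconsistently: the metrics listener pins `bind_addresses: ['0.0.0.0']` (IPv4 only) while the `port: 8083` listener sets no `bind_addresses` and falls back to Synapse's default of all interfaces, so on an IPv6-only pod network the metrics port is unreachable while the API port still works. Use one explicit list for both, and `['::']` (as the commented main-config example uses) if dual-stack is wanted. Minor: `$default := .Values.workers.default` is assigned but never used in this template, and the `range` also visits the `default` key itself, which only works because it carries no `enabled` field; skipping it explicitly would be more robust.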

View file

@ -0,0 +1,171 @@
{{- $needsVolumePermissions := and .Values.volumePermissions.enabled (or .Values.persistence.enabled .Values.persistence.existingClaim) }}
{{- $default := .Values.workers.default }}
{{- range $worker, $config := .Values.workers }}
{{- if $config.enabled }}
{{- $name := $worker | replace "_" "-" }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "matrix-synapse.workername" (dict "global" $ "worker" $name) }}
labels:
{{- include "matrix-synapse.labels" $ | nindent 4 }}
app.kubernetes.io/component: {{ $name }}
spec:
replicas: {{ $config.replicaCount | default $default.replicaCount }}
selector:
matchLabels:
{{- include "matrix-synapse.selectorLabels" $ | nindent 6 }}
app.kubernetes.io/component: {{ $name }}
template:
metadata:
annotations:
checksum/config: {{ include (print $.Template.BasePath "/configuration.yaml") $ | sha256sum }}
checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") $ | sha256sum }}
{{- with ($config.annotations | default $default.annotations) }}
{{ . | toYaml | nindent 8 }}
{{- end }}
labels:
{{- include "matrix-synapse.selectorLabels" $ | nindent 8 }}
app.kubernetes.io/component: {{ $name }}
{{- with ($config.labels | default $default.labels) }}
{{ . | toYaml | nindent 8 }}
{{- end }}
spec:
{{- with $.Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
securityContext:
{{- $config.podSecurityContext | default $default.podSecurityContext | toYaml | nindent 8 }}
{{- if and $needsVolumePermissions (eq $name "media-repository") }}
initContainers:
- name: volume-permissions
command: ["chown", "-R", "666:666", "/synapse/data"]
image: "{{ $.Values.volumePermissions.repository }}:{{ $.Values.volumePermissions.tag }}"
imagePullPolicy: {{ $.Values.volumePermissions.pullPolicy }}
securityContext:
runAsUser: 0
resources: {{ $.Values.volumePermissions.resources | toYaml | nindent 10 }}
volumeMounts:
- name: media
mountPath: /synapse/data
{{- end }}
containers:
- name: {{ $name }}
command:
- sh
- -c
- |
cat /synapse/secrets/*.yaml | \
sed -e "s/@@POSTGRES_PASSWORD@@/${POSTGRES_PASSWORD:-}/" \
-e "s/@@REDIS_PASSWORD@@/${REDIS_PASSWORD:-}/" \
> /synapse/config/conf.d/secrets.yaml
/matrix-synapse synapse.app.{{ $worker }} -c /synapse/config/{{ $name }}.worker
env:
{{- if $.Values.postgresql.enabled }}
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "matrix-synapse.postgresql.fullname" $ }}
key: postgresql-password
{{- end }}
{{- if and $.Values.redis.enabled (default $.Values.redis.usePassword true) }}
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "matrix-synapse.redis.fullname" $ }}
key: redis-password
{{- end }}
{{- with $config.extraEnv | default $default.extraEnv }}
{{ . | toYaml }}
{{- end }}
securityContext:
{{- $config.securityContext | default $default.securityContext | toYaml | nindent 12 }}
image: "{{ $.Values.image.repository }}:{{ $.Chart.AppVersion }}"
imagePullPolicy: {{ $.Values.image.pullPolicy }}
ports:
- name: metrics
containerPort: 9090
protocol: TCP
{{- if $config.listeners }}
- name: listener
containerPort: 8083
protocol: TCP
livenessProbe:
tcpSocket:
port: listener
readinessProbe:
tcpSocket:
port: listener
{{- end }}
resources:
{{- $config.resources | default $default.resources | toYaml | nindent 12 }}
volumeMounts:
- name: config
mountPath: /synapse/config/homeserver.yaml
subPath: homeserver.yaml
- name: config
mountPath: /synapse/config/log.yaml
subPath: log.yaml
- name: worker-config
mountPath: /synapse/config/{{ $name }}.worker
subPath: {{ $name }}.worker
- name: tmpconf
mountPath: /synapse/config/conf.d
- name: secrets
mountPath: /synapse/secrets
- name: signingkey
mountPath: /synapse/keys
{{- if eq $name "media-repository" }}
- name: media
mountPath: /synapse/data
{{- end }}
{{- with $config.volumeMounts | default $default.volumeMounts }}
{{ . | toYaml | nindent 12 }}
{{- end }}
{{- with $config.nodeSelector | default $default.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $config.affinity | default $default.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $config.tolerations | default $default.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: config
configMap:
name: {{ include "matrix-synapse.fullname" $ }}
- name: worker-config
configMap:
name: {{ include "matrix-synapse.workername" (dict "global" $ "worker" "workers") }}
- name: secrets
secret:
secretName: {{ include "matrix-synapse.fullname" $ }}
- name: signingkey
secret:
secretName: {{ $.Values.signingkey.existingSecret | default (include "matrix-synapse.workername" (dict "global" $ "worker" "signingkey")) | quote }}
items:
- key: {{ $.Values.signingkey.existingSecretKey | default "signing.key" | quote }}
path: signing.key
- name: tmpconf
emptyDir: {}
{{- if eq $name "media-repository" }}
- name: media
{{- if $.Values.persistence.enabled }}
persistentVolumeClaim:
claimName: {{ $.Values.persistence.existingClaim | (include "matrix-synapse.fullname" $) }}
{{- else }}
emptyDir: {}
{{- end }}
{{- end }}
{{- with $config.volumes }}
{{ . | toYaml | nindent 8 }}
{{- end }}
{{- end }}
{{- end }}
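Review bot: `claimName: {{ $.Values.persistence.existingClaim | (include "matrix-synapse.fullname" $) }}` pipes the value into a string rather than through `default`, which fails at render time ("can't give argument to non-function") as soon as `media-repository` is enabled with persistence on; it should read `{{ $.Values.persistence.existingClaim | default (include "matrix-synapse.fullname" $) }}`. Three more in this hunk: the `extraEnv` block renders `{{ . | toYaml }}` without the `nindent 12` that the sibling `volumeMounts` block uses, so any extra env entries land at column 0 and break the pod spec (and the values default `extraEnv: {}` is a map where `env` needs a list); `(default $.Values.redis.usePassword true)` has sprig's argument order reversed, the fallback comes first, so the expression is always `true` and `REDIS_PASSWORD` is injected even when `redis.usePassword: false`, pointing at a `redis-password` key that may not exist; and the `sed -e "s/@@POSTGRES_PASSWORD@@/${POSTGRES_PASSWORD:-}/"` substitution uses `/` as delimiter with an unescaped value, so a generated password containing `/`, `&` or `\` corrupts or aborts the write of `secrets.yaml`; escape the value or pick a delimiter the password cannot contain.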

View file

@ -109,7 +109,7 @@ config:
# bind_addresses: ['::'] # bind_addresses: ['::']
# type: manhole # type: manhole
## Specify arbitrary synapse configuration here; ## Specify arbitrary Synapse configuration here;
## ##
extraConfig: {} extraConfig: {}
# use_presence: false # use_presence: false
@ -119,99 +119,72 @@ extraConfig: {}
# - nyc.example.com # - nyc.example.com
# - syd.example.com # - syd.example.com
## Annotations to apply to the main Synapse pod. ## Configuration to apply to the main Synapse pod.
## ##
annotations: {} synapse:
# prometheus.io/scrape: "true" ## Annotations to apply to the main Synapse pod.
# prometheus.io/port: 9090 ##
annotations: {}
# prometheus.io/scrape: "true"
# prometheus.io/port: 9090
## Labels to apply to the main Synapse pod. ## Labels to apply to the main Synapse pod.
## ##
labels: {} labels: {}
## Additional environment variables to apply to the main Synapse pod ## Additional environment variables to apply to the main Synapse pod
## ##
extraEnv: {} extraEnv: {}
# - name: USE_JEMALLOC # - name: USE_JEMALLOC
# value: "1" # value: "1"
# - name: SYNAPSE_CACHE_FACTOR # - name: SYNAPSE_CACHE_FACTOR
# value: "2" # value: "2"
## This will set up a Lighttpd server to respond to any ## Configuration for the pod security policy, Synapse will by default run as its
## /.well-known/matrix/server requests, to make federation possible without any ## own user, even if not set.
## DNS changes. ## Note that changing this may also require you to use the volumePermission
## ## helper depending on your storage.
wellknown: ##
enabled: false ## NB; The synapse install is currently unable to run as anything but UID:GID
# host: matrix.example.com ## 666:666.
# port: 443 ##
podSecurityContext: {}
# fsGroup: 666
# runAsGroup: 666
# runAsUser: 666
## This configuration is for setting up the internally provided Postgres server, ## Configuration for the container security policy, refer to the above
## if you instead want to use an existing server, then you may want to set ## podSecurityContext for more relevant information.
## enabled to false and configure the externalPostgresql block. ##
## securityContext: {}
postgresql: # capabilities:
enabled: true # drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 666
postgresqlUsername: synapse ## Resources to apply to the main Synapse pod.
postgresqlDatabase: synapse ##
resources: {}
# limits:
# cpu: 1000m
# memory: 2500Mi
# requests:
# cpu: 1000m
# memory: 2500Mi
postgresqlInitdbArgs: "--lc-collate=C --lc-ctype=C" ## Node selectors to set for the main Synapse pod.
##
nodeSelector: {}
persistence: ## Tolerations to set for the main Synapse pod.
size: 16G ##
tolerations: []
## An externally configured Postgres server to use for Synapse's database, note ## Affinity to set for the main Synapse pod.
## that the database needs to have both COLLATE and CTYPE set to "C". ##
## affinity: {}
externalPostgresql:
# host: postgres
port: 5432
username: synapse
# password: synapse
database: synapse
# sslMode: require
## This configuration is for the internal Redis that's deployed for use with
## workers/sharding, for an external Redis server you want to set enabled to
## false and configure the externalRedis block.
##
redis:
enabled: true
# usePassword: false
# password: synapse
cluster:
enabled: false
master:
persistence:
## Note that Synapse only uses redis as a synchronization utility, so no
## data will ever need to be persisted.
##
enabled: false
statefulset:
updateStrategy: RollingUpdate
## An externally configured Redis server to use for workers/sharding.
##
externalRedis:
# host: redis
port: 6379
# password: synapse
## Persistence configuration for the media repository function.
## This PVC will be mounted in either Synapse or a media_repo worker.
##
## NB; If you want to be able to scale this, you will have to set the
## accessMode to RWX/ReadWriteMany.
##
persistence:
enabled: true
# existingClaim: synapse-data
# storageClass: "-"
accessMode: ReadWriteOnce
size: 10Gi
## Configuration for handling Synapse workers, which are useful for handling ## Configuration for handling Synapse workers, which are useful for handling
## high-load deployments. ## high-load deployments.
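Review bot: the new `synapse.podSecurityContext: {}` and `synapse.securityContext: {}` defaults leave `runAsNonRoot`, the capability drop and the 666 UID/GID as commented suggestions only, while the comment directly above states that the install can only run as UID:GID 666:666; making `runAsUser: 666`, `runAsGroup: 666`, `fsGroup: 666` and `runAsNonRoot: true` the actual defaults (together with `capabilities.drop: [ALL]`) would enforce what the comment already promises and make an image that unexpectedly starts as root fail admission instead of running. The `## NB;` note about the volumePermission helper should then also say that `fsGroup` is what makes the media PVC writable without the chown init container.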
@ -300,11 +273,33 @@ workers:
generic_worker: generic_worker:
enabled: false enabled: false
listeners: [client, federation] listeners: [client, federation]
paths: csPaths:
# - "/_matrix/client/(v2_alpha|r0)/sync" # - "/_matrix/client/(v2_alpha|r0)/sync"
- "/_matrix/client/(api/v1|v2_alpha|r0)/events" - "/_matrix/client/(api/v1|v2_alpha|r0)/events"
# - "/_matrix/client/(api/v1|r0)/initialSync" # - "/_matrix/client/(api/v1|r0)/initialSync"
# - "/_matrix/client/(api/v1|r0)/rooms/[^/]+/initialSync" # - "/_matrix/client/(api/v1|r0)/rooms/[^/]+/initialSync"
- "/_matrix/client/(api/v1|r0|unstable)/publicRooms"
- "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/joined_members"
- "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/context/.*"
- "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/members"
- "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/state"
- "/_matrix/client/(api/v1|r0|unstable)/account/3pid"
- "/_matrix/client/(api/v1|r0|unstable)/keys/query"
- "/_matrix/client/(api/v1|r0|unstable)/keys/changes"
- "/_matrix/client/versions"
- "/_matrix/client/(api/v1|r0|unstable)/voip/turnServer"
- "/_matrix/client/(api/v1|r0|unstable)/joined_groups"
- "/_matrix/client/(api/v1|r0|unstable)/publicised_groups"
- "/_matrix/client/(api/v1|r0|unstable)/publicised_groups/"
- "/_matrix/client/(api/v1|r0|unstable)/login"
- "/_matrix/client/(r0|unstable)/register"
- "/_matrix/client/(r0|unstable)/auth/.*/fallback/web"
- "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/send"
- "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/state/"
- "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)"
- "/_matrix/client/(api/v1|r0|unstable)/join/"
- "/_matrix/client/(api/v1|r0|unstable)/profile/"
paths:
- "/_matrix/federation/v1/event/" - "/_matrix/federation/v1/event/"
- "/_matrix/federation/v1/state/" - "/_matrix/federation/v1/state/"
- "/_matrix/federation/v1/state_ids/" - "/_matrix/federation/v1/state_ids/"
@ -327,27 +322,6 @@ workers:
- "/_matrix/federation/v1/get_groups_publicised" - "/_matrix/federation/v1/get_groups_publicised"
- "/_matrix/key/v2/query" - "/_matrix/key/v2/query"
- "/_matrix/federation/v1/send/" - "/_matrix/federation/v1/send/"
- "/_matrix/client/(api/v1|r0|unstable)/publicRooms"
- "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/joined_members"
- "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/context/.*"
- "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/members"
- "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/state"
- "/_matrix/client/(api/v1|r0|unstable)/account/3pid"
- "/_matrix/client/(api/v1|r0|unstable)/keys/query"
- "/_matrix/client/(api/v1|r0|unstable)/keys/changes"
- "/_matrix/client/versions"
- "/_matrix/client/(api/v1|r0|unstable)/voip/turnServer"
- "/_matrix/client/(api/v1|r0|unstable)/joined_groups"
- "/_matrix/client/(api/v1|r0|unstable)/publicised_groups"
- "/_matrix/client/(api/v1|r0|unstable)/publicised_groups/"
- "/_matrix/client/(api/v1|r0|unstable)/login"
- "/_matrix/client/(r0|unstable)/register"
- "/_matrix/client/(r0|unstable)/auth/.*/fallback/web"
- "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/send"
- "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/state/"
- "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)"
- "/_matrix/client/(api/v1|r0|unstable)/join/"
- "/_matrix/client/(api/v1|r0|unstable)/profile/"
## This worker deals with pushing notifications. ## This worker deals with pushing notifications.
## NB; Only one instance of this worker can be run at a time, refer to the ## NB; Only one instance of this worker can be run at a time, refer to the
@ -374,20 +348,22 @@ workers:
media_repository: media_repository:
enabled: false enabled: false
listeners: [media] listeners: [media]
paths: csPaths:
- "/_matrix/media/" - "/_matrix/media/"
- "/_synapse/admin/v1/purge_media_cache" - "/_synapse/admin/v1/purge_media_cache"
- "/_synapse/admin/v1/room/.*/media.*" - "/_synapse/admin/v1/room/.*/media.*"
- "/_synapse/admin/v1/user/.*/media.*" - "/_synapse/admin/v1/user/.*/media.*"
- "/_synapse/admin/v1/media/.*" - "/_synapse/admin/v1/media/.*"
- "/_synapse/admin/v1/quarantine_media/.*" - "/_synapse/admin/v1/quarantine_media/.*"
paths:
- "/_matrix/media/"
## This worker deals with user directory searches. ## This worker deals with user directory searches.
## ##
user_dir: user_dir:
enabled: false enabled: false
listeners: [client] listeners: [client]
paths: csPaths:
- "/_matrix/client/(api/v1|r0|unstable)/user_directory/search" - "/_matrix/client/(api/v1|r0|unstable)/user_directory/search"
## This worker handles key uploads, and may also stub out presence if that is ## This worker handles key uploads, and may also stub out presence if that is
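Review bot: the `/_synapse/admin/v1/purge_media_cache`, `/_synapse/admin/v1/quarantine_media/.*` and related admin routes are placed in `media_repository.csPaths`, so they are added to the client-facing ingress next to `/_matrix/media/` regardless of the separate toggle documented as "Should the /_synapse path be included in the ingress"; either have the ingress template gate `/_synapse/` entries from worker `csPaths` on that same toggle, or keep the admin routes out of `csPaths` so that purge and quarantine endpoints stay reachable only from inside the cluster unless explicitly exposed.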
@ -397,10 +373,147 @@ workers:
frontend_proxy: frontend_proxy:
enabled: false enabled: false
listeners: [client] listeners: [client]
paths: csPaths:
- "/_matrix/client/(api/v1|r0|unstable)/keys/upload" - "/_matrix/client/(api/v1|r0|unstable)/keys/upload"
# - "/_matrix/client/(api/v1|r0|unstable)/presence/[^/]+/status" # - "/_matrix/client/(api/v1|r0|unstable)/presence/[^/]+/status"
## This will set up a Lighttpd server to respond to any
## /.well-known/matrix/server requests, to make federation possible without
## adding SRV-records to DNS.
##
wellknown:
enabled: false
replicaCount: 1
## The host and port combo to serve on .well-known/matrix/server.
##
# host: matrix.example.com
# port: 443
## A custom htdocs path, useful when running another image.
##
htdocsPath: /var/www/localhost/htdocs
## The lighttpd image to run.
##
image:
repository: m4rcu5/lighttpd
tag: latest
pullPolicy: Always
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
##
# pullSecrets:
# - myRegistryKeySecretName
## Configuration for the pod security policy.
##
podSecurityContext: {}
# fsGroup: 101
# runAsGroup: 101
# runAsUser: 100
## Configuration for the container security policy.
##
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 100
## Resource configuration to apply to the well-known server.
##
resources: {}
# limits:
# cpu: 5m
# memory: 15Mi
# requests:
# cpu: 5m
# memory: 15Mi
## Node selectors to set for the well-known server.
##
nodeSelector: {}
## Tolerations to set for the well-known server.
##
tolerations: []
## Affinity to set for the main well-known server.
##
affinity: {}
## This configuration is for setting up the internally provided Postgres server,
## if you instead want to use an existing server, then you may want to set
## enabled to false and configure the externalPostgresql block.
##
postgresql:
enabled: true
postgresqlUsername: synapse
postgresqlDatabase: synapse
postgresqlInitdbArgs: "--lc-collate=C --lc-ctype=C"
persistence:
size: 16G
## An externally configured Postgres server to use for Synapse's database, note
## that the database needs to have both COLLATE and CTYPE set to "C".
##
externalPostgresql:
# host: postgres
port: 5432
username: synapse
# password: synapse
database: synapse
# sslMode: require
## This configuration is for the internal Redis that's deployed for use with
## workers/sharding, for an external Redis server you want to set enabled to
## false and configure the externalRedis block.
##
redis:
enabled: true
# usePassword: false
# password: synapse
cluster:
enabled: false
master:
persistence:
## Note that Synapse only uses redis as a synchronization utility, so no
## data will ever need to be persisted.
##
enabled: false
statefulset:
updateStrategy: RollingUpdate
## An externally configured Redis server to use for workers/sharding.
##
externalRedis:
# host: redis
port: 6379
# password: synapse
## Persistence configuration for the media repository function.
## This PVC will be mounted in either Synapse or a media_repo worker.
##
## NB; If you want to be able to scale this, you will have to set the
## accessMode to RWX/ReadWriteMany.
##
persistence:
enabled: true
# existingClaim: synapse-data
# storageClass: "-"
accessMode: ReadWriteOnce
size: 10Gi
## Set up an init container to chown the mounted media if necessary. ## Set up an init container to chown the mounted media if necessary.
## ##
volumePermissions: volumePermissions:
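Review bot: `wellknown.image` defaults to `m4rcu5/lighttpd` at `tag: latest` with `pullPolicy: Always` and `securityContext: {}`; because this pod's `/.well-known/matrix/server` answer decides where every remote homeserver sends federation traffic, pin a specific tag or digest so a restart cannot silently pull different code, and default `securityContext` to `runAsNonRoot: true` (the commented `runAsUser: 100` indicates the image already supports it). The comment "Affinity to set for the main well-known server" should drop "main", there is only one well-known deployment.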
@ -411,36 +524,19 @@ volumePermissions:
tag: latest tag: latest
pullPolicy: Always pullPolicy: Always
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
##
# pullSecrets:
# - myRegistryKeySecretName
resources: {} resources: {}
# resources: # resources:
# requests: # requests:
# memory: 128Mi # memory: 128Mi
# cpu: 100m # cpu: 100m
## Configuration for the pod security policy, Synapse will by default run as its
## own user, even if not set.
## Note that changing this may also require you to use the volumePermission
## helper depending on your storage.
##
## NB; The synapse install is currently unable to run as anything but UID:GID
## 666:666.
##
podSecurityContext: {}
# fsGroup: 666
# runAsGroup: 666
# runAsUser: 666
## Configuration for the container security policy, refer to the above
## podSecurityContext for more relevant information.
##
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 666
## The K8s ingress configuration, this will be quite heavily used in order to set ## The K8s ingress configuration, this will be quite heavily used in order to set
## up all routing necessary for use with a sharded Synapse instance. ## up all routing necessary for use with a sharded Synapse instance.
## If you're not using a Ingress compatible K8s ingress, you will need to set up ## If you're not using a Ingress compatible K8s ingress, you will need to set up
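Review bot: `volumePermissions` keeps `tag: latest` with `pullPolicy: Always` for an init container that the worker deployment runs with `runAsUser: 0` and `chown -R 666:666 /synapse/data`; an unpinned image running as root over the media volume is where a bad pull does the most damage, so pin the tag or digest here even if nowhere else. The context line "If you're not using a Ingress compatible K8s ingress" should read "an Ingress-compatible".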
@ -455,19 +551,37 @@ ingress:
## Annotations to apply to the created ingress resource. ## Annotations to apply to the created ingress resource.
## ##
annotations: annotations: {}
# nginx.ingress.kubernetes.io/use-regex: "true" # nginx.ingress.kubernetes.io/use-regex: "true"
# kubernetes.io/ingress.class: nginx # kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true" # kubernetes.io/tls-acme: "true"
## Additional hosts to add to the ingress configuration. ## Hosts to add to the ingress configuration for handling Client-to-Server
## API request paths.
##
## NB; config.serverName is included if includeServerName is set. (default)
##
csHosts: []
# - matrix.example.com
## Additional hosts to add to the ingress configuration for handling
## Server-to-Server API requests.
##
## NB; config.serverName is included if includeServerName is set. (default) ## NB; config.serverName is included if includeServerName is set. (default)
## ##
hosts: [] hosts: []
# - matrix.example.com # - example.com
## Additional paths to add to the ingress blocks, will be inserted before the ## Additional hosts to add to the ingress configuration for handling
## /_matrix and /synapse catch-all paths. ## well-known requests.
##
## NB; config.serverName is included if includeServerName is set. (default)
##
wkHosts: []
# - example.com
## Additional paths to add to the Server-to-Server ingress blocks, will be
## inserted before the /_matrix catch-all path.
## ##
paths: [] paths: []
# - path: /_matrix/media # - path: /_matrix/media
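Review bot: `annotations:` now defaults to `{}` with `nginx.ingress.kubernetes.io/use-regex: "true"` only as a commented example, yet the worker `csPaths`/`paths` lists added in this commit are regular expressions (`/_matrix/client/(api/v1|r0|unstable)/rooms/.*/send` and the like); on ingress-nginx those paths are matched as literal prefixes unless `use-regex` is set, so worker routing silently falls through to the main Synapse service and the workers sit idle. Either keep the annotation set by default or state in the comment above `workers` that enabling any worker requires it.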
@ -475,6 +589,15 @@ ingress:
# serviceName: matrix-media-repo # serviceName: matrix-media-repo
# servicePort: 8000 # servicePort: 8000
## Additional paths to add to the Client-to-Server ingress blocks, will be
## inserted before the /_matrix and /_synapse catch-all paths.
##
csPaths: []
# - path: /_matrix/media
# backend:
# serviceName: matrix-media-repo
# servicePort: 8000
## Should the /_synapse path be included in the ingress, admin APIs are ## Should the /_synapse path be included in the ingress, admin APIs are
## provided under this path. ## provided under this path.
## ##
@ -483,7 +606,7 @@ ingress:
## Should config.serverName be included in the list of ingress paths, can be ## Should config.serverName be included in the list of ingress paths, can be
## set to false if the main domain is managed in some external way. ## set to false if the main domain is managed in some external way.
## ##
# includeServerName: false includeServerName: true
## TLS configuration to include in the ingress configuration ## TLS configuration to include in the ingress configuration
## ##
@ -492,25 +615,3 @@ ingress:
# hosts: # hosts:
# - example.com # - example.com
# - matrix.example.com # - matrix.example.com
## Resources to apply to the main Synapse pod.
##
resources: {}
# limits:
# cpu: 1000m
# memory: 2500Mi
# requests:
# cpu: 1000m
# memory: 2500Mi
## Node selectors to set for the main Synapse pod.
##
nodeSelector: {}
## Tolerations to set for the main Synapse pod.
##
tolerations: []
## Affinity to set for the main Synapse pod.
##
affinity: {}