diff --git a/charts-wip/matrix-synapse/Chart.yaml b/charts-wip/matrix-synapse/Chart.yaml index 701e163..00b4321 100644 --- a/charts-wip/matrix-synapse/Chart.yaml +++ b/charts-wip/matrix-synapse/Chart.yaml @@ -6,6 +6,9 @@ appVersion: 1.18.0 type: application version: 0.1.0 +maintainers: + - name: Alexander Olofsson + email: ace@haxalot.com dependencies: - name: postgresql diff --git a/charts-wip/matrix-synapse/README.md b/charts-wip/matrix-synapse/README.md new file mode 100644 index 0000000..6325d2c --- /dev/null +++ b/charts-wip/matrix-synapse/README.md @@ -0,0 +1,16 @@ +Matrix Synapse +============== + +[Synapse](https://github.com/matrix-org/synapse) is the current reference implementation of the [Matrix protocol](https://matrix.org). + +## Prerequisites + +- Kubernetes 1.15+ +- Helm 3.0+ +- Ingress installed in the cluster + +**NB**; Matrix requires the use of valid certificates. + +## Installing + + diff --git a/charts-wip/matrix-synapse/templates/NOTES.txt b/charts-wip/matrix-synapse/templates/NOTES.txt index 5204f88..013441a 100644 --- a/charts-wip/matrix-synapse/templates/NOTES.txt +++ b/charts-wip/matrix-synapse/templates/NOTES.txt @@ -1,9 +1,11 @@ +** Note, this chart may take a while to finish setup, please be patient ** + {{- if not .Values.ingress.enabled }} Synapse has been installed without an ingress, you will need to manage accesses to the services yourself. {{- else }} -Your Synapse install is now running, you should be able to access it on the -following URL(s); +Your Synapse install is now starting, you should soon be able to access it on +the following URL(s); {{- range (concat .Values.ingress.hosts (list .Values.config.serverName)) }} {{- if $.Values.ingress.tls }} https://{{ . }} 
@@ -11,4 +13,23 @@ https://{{ . }} http://{{ . }} {{- end }} {{- end }} +{{ if not .Values.wellknown.enabled }} +Note that for federation to work you will need to either add an SRV record or +set up a /.well-known/matrix/server response. +Refer to https://github.com/matrix-org/synapse/blob/master/docs/federate.md +for more information. {{- end }} + +{{- if .Values.config.enableRegistration }} +You should be able to connect to your Synapse install with any compatible +Matrix client - and register an account - as soon as final setup is done. + +You can also create an admin user with the following command; +{{- else }} +You can create a user in your new Synapse install by running the following +command; +{{- end }} + + kubectl exec --namespace {{ .Release.Namespace }} {{ template "matrix-synapse" . }} -- register_new_matrix_user -c /synapse/config/homeserver.yaml -c /synapse/config/conf.d/secrets.yaml -u USERNAME -p PASSWORD --admin http://localhost:8008 + +You can also specify --no-admin to create a non-admin user. diff --git a/charts-wip/matrix-synapse/templates/_helpers.tpl b/charts-wip/matrix-synapse/templates/_helpers.tpl index 5e0a3c1..98c8cfd 100644 --- a/charts-wip/matrix-synapse/templates/_helpers.tpl +++ b/charts-wip/matrix-synapse/templates/_helpers.tpl @@ -86,7 +86,7 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this {{- if contains $name .Release.Name -}} {{- .Release.Name | trunc 63 | trimSuffix "-" -}} {{- else -}} -{{- printf "%s-%s" .Release.Name "synapse-postgresql" | trunc 63 | trimSuffix "-" -}} +{{- printf "%s-%s" .Release.Name "postgresql" | trunc 63 | trimSuffix "-" -}} {{- end -}} {{- end -}} {{- end -}} 
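Review bot: The suggested `kubectl exec ... register_new_matrix_user ... -u USERNAME -p PASSWORD --admin http://localhost:8008` line puts the admin password on the command line, where it ends up in shell history and is visible to anyone who can list processes on the node. register_new_matrix_user prompts for the password when `-p` is omitted, so the NOTES could use `kubectl exec -it --namespace {{ .Release.Namespace }} {{ template "matrix-synapse" . }} -- register_new_matrix_user -c ... -u USERNAME --admin http://localhost:8008` and say that the password is requested at the prompt. The `{{ if not .Values.wellknown.enabled }}` line also uses `{{ if` where the rest of the file uses `{{- if`, which emits a stray blank line; `{{- if not .Values.wellknown.enabled }}` matches the surrounding style.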
@@ -99,7 +99,7 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this {{- if contains $name .Release.Name -}} {{- .Release.Name | trunc 63 | trimSuffix "-" -}} {{- else -}} -{{- printf "%s-%s" .Release.Name "synapse-redis" | trunc 63 | trimSuffix "-" -}} +{{- printf "%s-%s" .Release.Name "redis" | trunc 63 | trimSuffix "-" -}} {{- end -}} {{- end -}} {{- end -}} @@ -111,7 +111,7 @@ Set postgres host {{- if .Values.postgresql.enabled -}} {{- template "matrix-synapse.postgresql.fullname" . -}} {{- else -}} -{{ required "A valid .Values.externalPostgresql.host is required" .Values.externalPostgresql.host }} +{{ required "A valid externalPostgresql.host is required" .Values.externalPostgresql.host }} {{- end -}} {{- end -}} @@ -137,7 +137,7 @@ Set postgres port 5432 {{- end -}} {{- else -}} -{{- required "A valid .Values.externalPostgresql.port is required" .Values.externalPostgresql.port -}} +{{- required "A valid externalPostgresql.port is required" .Values.externalPostgresql.port -}} {{- end -}} {{- end -}} @@ -148,7 +148,7 @@ Set postgresql username {{- if .Values.postgresql.enabled -}} {{- default "postgres" .Values.postgresql.postgresqlUsername }} {{- else -}} -{{ required "A valid .Values.externalPostgresql.username is required" .Values.externalPostgresql.username }} +{{ required "A valid externalPostgresql.username is required" .Values.externalPostgresql.username }} {{- end -}} {{- end -}} @@ -159,7 +159,7 @@ Set postgresql password {{- if .Values.postgresql.enabled -}} {{- default "" .Values.postgresql.postgresqlPassword }} {{- else -}} -{{ required "A valid .Values.externalPostgresql.password is required" .Values.externalPostgresql.password }} +{{ required "A valid externalPostgresql.password is required" .Values.externalPostgresql.password }} {{- end -}} {{- end -}} 
@@ -170,7 +170,7 @@ Set postgresql database {{- if .Values.postgresql.enabled -}} {{- default "synapse" .Values.postgresql.postgresqlDatabase }} {{- else -}} -{{ required "A valid .Values.externalPostgresql.database is required" .Values.externalPostgresql.database }} +{{ required "A valid externalPostgresql.database is required" .Values.externalPostgresql.database }} {{- end -}} {{- end -}} @@ -181,7 +181,7 @@ Set redis host {{- if .Values.redis.enabled -}} {{- template "matrix-synapse.redis.fullname" . -}}-master {{- else -}} -{{ required "A valid .Values.externalRedis.host is required" .Values.externalRedis.host }} +{{ required "A valid externalRedis.host is required" .Values.externalRedis.host }} {{- end -}} {{- end -}} @@ -203,7 +203,7 @@ Set redis port {{- if .Values.redis.enabled -}} {{- default 6379 .Values.redis.redisPort }} {{- else -}} -{{ required "A valid .Values.externalRedis.port is required" .Values.externalRedis.port }} +{{ required "A valid externalRedis.port is required" .Values.externalRedis.port }} {{- end -}} {{- end -}} diff --git a/charts-wip/matrix-synapse/templates/configuration.yaml b/charts-wip/matrix-synapse/templates/configuration.yaml index 4806f33..9213a6a 100644 --- a/charts-wip/matrix-synapse/templates/configuration.yaml +++ b/charts-wip/matrix-synapse/templates/configuration.yaml @@ -33,14 +33,14 @@ data: ## Server ## - server_name: {{ .Values.config.serverName | quote }} + server_name: {{ required "You need to specify a server name" .Values.config.serverName | quote }} + public_baseurl: {{ .Values.config.publicBaseurl | default (printf "https://%s" .Values.config.serverName) | quote }} pid_file: /homeserver.pid web_client: False soft_file_limit: 0 log_config: "/synapse/config/log.yaml" - trusted_third_party_id_servers: -{{ .Values.config.thirdPartyIDServers | toYaml | indent 6 }} + trusted_third_party_id_servers: {{- .Values.config.thirdPartyIDServers | toYaml | nindent 6 }} ## Ports ## 
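Review bot: The new `public_baseurl` default is built from `config.serverName`, but the client API is served on the ingress `hosts`, and values.yaml in this commit allows `includeServerName: false`, in which case `https://<serverName>` is not where Synapse is actually reachable; Synapse uses this URL when generating user-facing links, so a wrong default is visible to users. Either document on `publicBaseurl` in values.yaml that it must be set whenever the server name is not an ingress host, or derive the default from the first ingress host when `includeServerName` is false. The `required "You need to specify a server name"` check also duplicates the `fail "A valid .Values.config.serverName is required"` guard at the top of deployment.yaml with a different message; keeping one wording (or one check) avoids two different errors for the same missing value.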
@@ -70,6 +70,9 @@ data: resources: - names: [replication] compress: false + {{- if .Values.config.extraListeners }} + {{ .Values.config.extraListeners | toYaml | nindent 6 }} + {{- end }} ## Performance ## 
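Review bot: `{{ .Values.config.extraListeners | toYaml | nindent 6 }}` is preceded by the template line's own indentation, so besides the newline that `nindent` adds the output gets a line containing only spaces; `{{- .Values.config.extraListeners | toYaml | nindent 6 }}` (the form this same commit already uses for `trusted_third_party_id_servers:` and `servers:`) is the consistent one. The same `{{ x | toYaml | nindent N }}` shape recurs in the new annotation and label blocks of deployment.yaml and in ingress.yaml. Since each entry in `extraListeners` becomes a full Synapse listener, a one-line comment on the values key saying that entries are appended after the chart's own listeners and are not validated would help readers.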
@@ -161,58 +164,46 @@ data: # The trusted servers to download signing keys from. perspectives: - servers: -{{ .Values.config.perspectiveServers | toYaml | indent 8 }} + servers: {{- .Values.config.perspectiveServers | toYaml | nindent 8 }} ## Workers ## -{{- $default := .Values.workers.default -}} -{{- range $worker, $config := .Values.workers -}} -{{- if $config.enabled -}} -{{- if eq $worker "pusher" }} + + {{- $default := .Values.workers.default }} + {{- range $worker, $config := .Values.workers }} + {{- if $config.enabled }} + {{- if eq $worker "pusher" }} start_pushers: false -{{- else if eq $worker "appservice" }} + {{- else if eq $worker "appservice" }} notify_appservices: false -{{- else if eq $worker "federation_sender" }} + {{- else if eq $worker "federation_sender" }} send_federation: false -{{- else if eq $worker "media_repository" }} + {{- else if eq $worker "media_repository" }} enable_media_repo: false -{{- else if eq $worker "user_dir" }} + {{- else if eq $worker "user_dir" }} update_user_directory: false -{{- end }} -{{- end }} -{{- end }} + {{- end }} + {{- end }} + {{- end }} {{- with .Values.extraConfig }} ## Extra config ## - {{ . | toYaml }} + {{ . | toYaml | nindent 4 }} {{- end }} {{- $default := .Values.workers.default -}} {{- range $worker, $config := .Values.workers -}} -{{- if $config.enabled -}} -{{- $name := $worker | replace "_" "-" }} + {{- if $config.enabled -}} + {{- $name := $worker | replace "_" "-" }} {{ $name }}.worker: | worker_app: "synapse.app.{{ $worker }}" - # The replication listener on the synapse to talk to. 
worker_main_http_uri: http://{{ include "matrix-synapse.fullname" $ }}:8008 worker_replication_host: {{ include "matrix-synapse.replicationname" $ | quote }} worker_replication_http_port: 9093 - {{- if or $config.listeners ($config.metrics | default $default.metrics) }} worker_listeners: - {{- if $config.listeners }} - - type: http - tls: false - port: 8083 - resources: - - names: - {{ toYaml $config.listeners | nindent 14 }} - compress: false - {{- end }} - {{- if $config.metrics | default $default.metrics }} - type: http bind_addresses: ['0.0.0.0'] tls: false @@ -220,9 +211,15 @@ data: resources: - names: [metrics] compress: false - {{- end }} + {{- if $config.listeners }} + - type: http + tls: false + port: 8083 + resources: + - names: {{- toYaml $config.listeners | nindent 14 }} + compress: false {{- end }} worker_log_config: /synapse/config/log.yaml -{{- end }} + {{- end }} {{- end }} diff --git a/charts-wip/matrix-synapse/templates/deployment.yaml b/charts-wip/matrix-synapse/templates/deployment.yaml index 72f7f7b..9c98f75 100644 --- a/charts-wip/matrix-synapse/templates/deployment.yaml +++ b/charts-wip/matrix-synapse/templates/deployment.yaml @@ -1,6 +1,7 @@ {{- if not .Values.config.serverName -}} {{- fail "A valid .Values.config.serverName is required" -}} {{- end -}} +{{- $needsVolumePermissions := and .Values.volumePermissions.enabled (or .Values.persistence.enabled .Values.persistence.existingClaim) }} --- apiVersion: apps/v1 kind: Deployment 
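Review bot: With the `{{- if or $config.listeners ($config.metrics | default $default.metrics) }}` guard removed, every worker now unconditionally opens the metrics listener on `bind_addresses: ['0.0.0.0']`, and the matching `metrics` toggle is dropped from `workers.default` in values.yaml, so there is no longer any way to keep an unauthenticated metrics endpoint off a worker; the deployment.yaml @@ -184 hunk makes the containerPort unconditional in the same way. Consider keeping the toggle (`metrics: true` as the new default) or noting in values.yaml that a NetworkPolicy is expected to fence port 9090. The `{{- if $config.listeners }}` block that now follows sets `port: 8083` without `bind_addresses`; if Synapse's default for an unset bind address is all interfaces (it appears to be), stating that explicitly with `bind_addresses: ['0.0.0.0']` next to `port: 8083` would make the exposure obvious to readers.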
@@ -8,21 +9,27 @@ metadata: name: {{ include "matrix-synapse.fullname" . }} labels: {{- include "matrix-synapse.labels" . | nindent 4 }} - component: synapse + app.kubernetes.io/component: synapse spec: replicas: {{ .Values.replicaCount }} selector: matchLabels: {{- include "matrix-synapse.selectorLabels" . | nindent 6 }} - component: synapse + app.kubernetes.io/component: synapse template: metadata: annotations: checksum/config: {{ include (print $.Template.BasePath "/configuration.yaml") . | sha256sum }} checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }} + {{- with .Values.annotations }} + {{ . | toYaml | nindent 8 }} + {{- end }} labels: {{- include "matrix-synapse.selectorLabels" . | nindent 8 }} - component: synapse + app.kubernetes.io/component: synapse + {{- with .Values.labels }} + {{ . | toYaml | nindent 8 }} + {{- end }} spec: {{- with .Values.imagePullSecrets }} imagePullSecrets: @@ -59,6 +66,9 @@ spec: name: {{ include "matrix-synapse.redis.fullname" . }} key: redis-password {{- end }} + {{- with .Values.extraEnv }} + {{ . | toYaml }} + {{- end }} securityContext: {{- toYaml .Values.securityContext | nindent 12 }} image: "{{ .Values.image.repository }}:{{ include "matrix-synapse.imageTag" . }}" 
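Review bot: Changing `spec.selector.matchLabels` from `component: synapse` to `app.kubernetes.io/component: synapse` will make `helm upgrade` of an existing release fail, because a Deployment's selector is immutable and the API server rejects the update; the worker Deployments in the @@ -147 hunk have the same problem. Chart.yaml still says `version: 0.1.0` as context in this diff, so the change should at least bump the chart version and README.md should say that existing Deployments must be deleted before upgrading, or the old `component` label could be kept alongside the new key for a transition release.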
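Review bot: `{{ . | toYaml }}` for `.Values.extraEnv` is rendered without `nindent`, so only the first emitted line inherits the template line's indentation and every following line (the `value:` of each entry, every further entry) starts at column 0, producing an invalid manifest as soon as more than one line is emitted; the worker env block in the @@ -184 hunk of deployment.yaml has the same construct. Use `{{- . | toYaml | nindent 12 }}`, matching the indent of the sibling `- name: POSTGRES_PASSWORD` entries (which I can't read exactly from the collapsed hunk). Note also that values.yaml defaults `extraEnv: {}` while the commented example is a list; `with` skips an empty map, but `extraEnv: []` would document the type the template actually splices into `env:`.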
@@ -147,24 +157,27 @@ metadata: name: {{ include "matrix-synapse.workername" (dict "global" $ "worker" $name) }} labels: {{- include "matrix-synapse.labels" $ | nindent 4 }} - component: worker - worker: {{ $name }} + app.kubernetes.io/component: {{ $name }} spec: replicas: {{ $config.replicaCount | default $default.replicaCount }} selector: matchLabels: {{- include "matrix-synapse.selectorLabels" $ | nindent 6 }} - component: worker - worker: {{ $name }} + app.kubernetes.io/component: {{ $name }} template: metadata: annotations: checksum/config: {{ include (print $.Template.BasePath "/configuration.yaml") $ | sha256sum }} checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") $ | sha256sum }} + {{- with ($config.annotations | default $default.annotations) }} + {{ . | toYaml | nindent 8 }} + {{- end }} labels: {{- include "matrix-synapse.selectorLabels" $ | nindent 8 }} - component: worker - worker: {{ $name }} + app.kubernetes.io/component: {{ $name }} + {{- with ($config.labels | default $default.labels) }} + {{ . | toYaml | nindent 8 }} + {{- end }} spec: {{- with $.Values.imagePullSecrets }} imagePullSecrets: @@ -172,6 +185,19 @@ spec: {{- end }} securityContext: {{- $config.podSecurityContext | default $default.podSecurityContext | toYaml | nindent 8 }} + {{- if and $needsVolumePermissions (eq $name "media-repository") }} + initContainers: + - name: volume-permissions + command: ["chown", "-R", "666:666", "/synapse/data"] + image: "{{ $.Values.volumePermissions.repository }}:{{ $.Values.volumePermissions.tag }}" + imagePullPolicy: {{ $.Values.volumePermissions.pullPolicy }} + securityContext: + runAsUser: 0 + resources: {{ $.Values.volumePermissions.resources | toYaml | nindent 10 }} + volumeMounts: + - name: media + mountPath: /synapse/data + {{- end }} containers: - name: {{ $name }} command: 
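Review bot: The init container reads `$.Values.volumePermissions.repository`, `.tag` and `.pullPolicy`, but values.yaml in this commit (@@ -269 hunk) defines them under `volumePermissions.image.repository`, `image.tag` and `image.pullPolicy`, so with the shipped defaults the rendered image is `":"` and the pod cannot start once `volumePermissions.enabled` is set. Change the references to `$.Values.volumePermissions.image.repository`, `$.Values.volumePermissions.image.tag` and `$.Values.volumePermissions.image.pullPolicy`, or move the keys in values.yaml. Since the container runs `chown -R` with `runAsUser: 0`, the default `alpine:latest` with `pullPolicy: Always` is worth pinning to a fixed tag (or digest) so a root-privileged step is not re-resolved from a mutable tag on every pod start. The `$needsVolumePermissions` condition also only covers the `media-repository` worker; if the main Synapse Deployment mounts the same PVC when that worker is disabled, it presumably needs the same init container, which this diff does not show.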
@@ -184,16 +210,32 @@ spec: > /synapse/config/conf.d/secrets.yaml /matrix-synapse synapse.app.{{ $worker }} -c /synapse/config/{{ $name }}.worker + env: + {{- if $.Values.postgresql.enabled }} + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "matrix-synapse.postgresql.fullname" $ }} + key: postgresql-password + {{- end }} + {{- if and $.Values.redis.enabled (default $.Values.redis.usePassword true) }} + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "matrix-synapse.redis.fullname" $ }} + key: redis-password + {{- end }} + {{- with default $config.extraEnv $default.extraEnv }} + {{ . | toYaml }} + {{- end }} securityContext: {{- $config.securityContext | default $default.securityContext | toYaml | nindent 12 }} image: "{{ $.Values.image.repository }}:{{ $.Chart.AppVersion }}" imagePullPolicy: {{ $.Values.image.pullPolicy }} ports: - {{- if $config.metrics | default $default.metrics }} - name: metrics containerPort: 9090 protocol: TCP - {{- end }} {{- if $config.listeners }} - name: listener containerPort: 8083 diff --git a/charts-wip/matrix-synapse/templates/ingress.yaml b/charts-wip/matrix-synapse/templates/ingress.yaml index 5d0f471..7a41823 100644 --- a/charts-wip/matrix-synapse/templates/ingress.yaml +++ b/charts-wip/matrix-synapse/templates/ingress.yaml @@ -56,11 +56,22 @@ spec: {{- end }} {{- end }} + {{- with $.Values.ingress.paths }} + {{ . | toYaml | nindent 10 }} + {{- end }} + - path: /_matrix backend: serviceName: {{ $fullName }} servicePort: 8008 + {{- if $.Values.ingress.includeUnderscoreSynapse }} + - path: /_synapse + backend: + serviceName: {{ $fullName }} + servicePort: 8008 + {{- end }} + - path: /.well-known/matrix/client backend: serviceName: {{ $fullName }} diff --git a/charts-wip/matrix-synapse/templates/secrets.yaml b/charts-wip/matrix-synapse/templates/secrets.yaml index 3574279..a325d7c 100644 --- a/charts-wip/matrix-synapse/templates/secrets.yaml 
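Review bot: `{{- with default $config.extraEnv $default.extraEnv }}` has the arguments reversed for Sprig's `default`, which returns its second argument whenever that is non-empty, so a worker-specific `extraEnv` is ignored as soon as `workers.default.extraEnv` is set; the rest of the file uses `$config.x | default $default.x`, so this should read `{{- with $config.extraEnv | default $default.extraEnv }}`. The same reversal makes `(default $.Values.redis.usePassword true)` always evaluate to `true`, so `REDIS_PASSWORD` is wired in even with `redis.usePassword: false`, and because `default` also treats `false` as empty the piped form cannot express an explicit `false` either; `(or (not (hasKey $.Values.redis "usePassword")) $.Values.redis.usePassword)` checks the key as intended. The `{{ . | toYaml }}` under `env:` also needs `nindent` so that lines after the first are not emitted at column 0. As context, the worker image is `{{ $.Values.image.repository }}:{{ $.Chart.AppVersion }}` while the main Deployment uses `include "matrix-synapse.imageTag"`, so an `image.tag` override presumably does not reach the workers.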
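Review bot: With `includeUnderscoreSynapse` defaulting to `true` in values.yaml (@@ -282 hunk), the new `/_synapse` path publishes the whole prefix on the public ingress, including `/_synapse/admin`, which Synapse's reverse-proxy guidance recommends keeping off the public internet; only `/_synapse/client` needs to be reachable by clients. Default `includeUnderscoreSynapse` to `false`, or narrow the added entry to `- path: /_synapse/client` and let operators opt into the admin prefix explicitly. The `{{ . | toYaml | nindent 10 }}` for `ingress.paths` is preceded by template whitespace like the other new `toYaml` spots; `{{- . | toYaml | nindent 10 }}` avoids a whitespace-only line.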
+++ b/charts-wip/matrix-synapse/templates/secrets.yaml @@ -21,7 +21,7 @@ stringData: ## Registration ## - registration_shared_secret: {{ .Values.config.registrationSharedSecret | quote }} + registration_shared_secret: {{ .Values.config.registrationSharedSecret | default (randAlphaNum 24) | quote }} ## API Configuration ## @@ -32,7 +32,6 @@ stringData: {{- $postgresUser := include "matrix-synapse.postgresql.username" . }} {{- $postgresPort := include "matrix-synapse.postgresql.port" . }} {{- $postgresPass := include "matrix-synapse.postgresql.password" . }} - database.yaml: | ## Database configuration ## database: @@ -53,31 +52,31 @@ stringData: {{- $redisHost := include "matrix-synapse.redis.host" . }} {{- $redisPort := include "matrix-synapse.redis.port" . }} {{- $redisPass := include "matrix-synapse.redis.password" . }} -{{- if $redisHost }} - redis.yaml: | ## Redis configuration ## redis: enabled: true host: {{ $redisHost | quote }} - {{- if or .Values.redis.password .Values.externalRedis.password }} - {{- if $redisPass }} +{{- if or .Values.redis.password .Values.externalRedis.password }} + {{- if $redisPass }} password: {{ $redisPass | quote }} - {{- else }} + {{- else }} password: "@@REDIS_PASSWORD@@" - {{- end }} - {{- end }} + {{- end }} {{- end }} -{{- if not .Values.signingkey.existingSecret }} -{{- $name := include "matrix-synapse.workername" (dict "global" . "worker" "signingkey") }} -{{- if not (lookup "v1" "Secret" .Release.Namespace $name) }} + +{{- if and .Values.signingkey.job.enabled (not .Values.signingkey.existingSecret) }} + {{- $name := include "matrix-synapse.workername" (dict "global" . "worker" "signingkey") }} + {{- if not (lookup "v1" "Secret" .Release.Namespace $name) }} --- apiVersion: v1 kind: Secret metadata: + annotations: + helm.sh/resource-policy: keep name: {{ $name }} labels: {{- include "matrix-synapse.labels" . | nindent 4 }} - job: {{ $name }} -{{- end }} + app.kubernetes.io/component: signingkey-job + {{- end }} {{- end }} 
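Review bot: `registrationSharedSecret | default (randAlphaNum 24)` generates a fresh value on every render, so each `helm upgrade` rotates the registration shared secret and, through the `checksum/secrets` annotation, restarts the Synapse pod and every worker, while anything holding the previous secret (an external registration tool, for example) silently stops working. Mirror what the signing-key Secret in the same file does: reuse the existing value via `lookup "v1" "Secret" .Release.Namespace <existing secret name>` when present and fall back to `randAlphaNum 24` only on first install, and if the rotate-on-upgrade behavior is kept say so in the `## Note; this value will default to a random string` comment in values.yaml. The `helm.sh/resource-policy: keep` annotation added to the signing-key Secret in the @@ -53 hunk is the right call for a key that must survive uninstall.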
diff --git a/charts-wip/matrix-synapse/templates/service.yaml b/charts-wip/matrix-synapse/templates/service.yaml index ba7595c..a042535 100644 --- a/charts-wip/matrix-synapse/templates/service.yaml +++ b/charts-wip/matrix-synapse/templates/service.yaml @@ -13,7 +13,7 @@ spec: protocol: TCP name: http selector: - component: synapse + app.kubernetes.io/component: synapse {{- include "matrix-synapse.selectorLabels" . | nindent 4 }} --- apiVersion: v1 @@ -31,7 +31,7 @@ spec: name: replication selector: {{- include "matrix-synapse.selectorLabels" . | nindent 4 }} - component: synapse + app.kubernetes.io/component: synapse {{- $default := .Values.workers.default }} {{- range $worker, $config := .Values.workers }} {{- if and $config.enabled $config.listeners }} @@ -53,7 +53,6 @@ spec: name: listener selector: {{- include "matrix-synapse.selectorLabels" $ | nindent 4 }} - component: worker - worker: {{ $name }} + app.kubernetes.io/component: {{ $name }} {{- end }} {{- end }} diff --git a/charts-wip/matrix-synapse/templates/signing-key-job.yaml b/charts-wip/matrix-synapse/templates/signing-key-job.yaml index 8ef02ec..0720795 100644 --- a/charts-wip/matrix-synapse/templates/signing-key-job.yaml +++ b/charts-wip/matrix-synapse/templates/signing-key-job.yaml @@ -3,6 +3,7 @@ {{- fail "Can't specify both signingkey.job.enabled and signingkey.existingSecret" }} {{- end }} {{- $name := include "matrix-synapse.workername" (dict "global" . "worker" "signingkey-job") }} +{{- $secretName := include "matrix-synapse.workername" (dict "global" . "worker" "signingkey") }} --- apiVersion: v1 kind: ServiceAccount @@ -10,6 +11,7 @@ metadata: name: {{ $name }} labels: {{- include "matrix-synapse.labels" . | nindent 4 }} + app.kubernetes.io/component: signingkey-job --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role 
@@ -17,11 +19,14 @@ metadata: name: {{ $name }} labels: {{- include "matrix-synapse.labels" . | nindent 4 }} + app.kubernetes.io/component: signingkey-job rules: - apiGroups: - "" resources: - secrets + resourceNames: + - {{ $secretName }} verbs: - get - update @@ -31,6 +36,9 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: {{ $name }} + labels: + {{- include "matrix-synapse.labels" . | nindent 4 }} + app.kubernetes.io/component: signingkey-job roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -46,16 +54,14 @@ metadata: name: {{ $name }} labels: {{- include "matrix-synapse.labels" . | nindent 4 }} - component: job - job: signing-key-generation + app.kubernetes.io/component: signingkey-job spec: ttlSecondsAfterFinished: 0 template: metadata: labels: {{- include "matrix-synapse.labels" . | nindent 8 }} - component: job - job: signing-key-generation + app.kubernetes.io/component: signingkey-job spec: containers: - command: @@ -85,22 +91,22 @@ spec: - sh - -c - | - printf "Checking rights to create secret... " - kubectl auth can-i create secret/${SECRET_NAME} + printf "Checking rights to update secret... " + kubectl auth can-i update secret/${SECRET_NAME} echo "Waiting for key upload script" while ! [ -f /scripts/key-upload ]; do sleep 1; done /scripts/key-upload env: - name: SECRET_NAME - value: {{ $name }} + value: {{ $secretName }} image: bitnami/kubectl name: signing-key-upload resources: requests: - memory: 50Mi + memory: 100Mi cpu: 100m limits: - memory: 50Mi + memory: 100Mi cpu: 100m volumeMounts: - mountPath: /scripts @@ -109,6 +115,7 @@ spec: - mountPath: /synapse/keys name: matrix-synapse-keys readOnly: true + restartPolicy: Never serviceAccount: {{ $name }} volumes: - name: scripts diff --git a/charts-wip/matrix-synapse/values.yaml b/charts-wip/matrix-synapse/values.yaml index 28baf05..fc790ad 100644 --- a/charts-wip/matrix-synapse/values.yaml +++ b/charts-wip/matrix-synapse/values.yaml 
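Review bot: The `sh -c` script prints the result of `kubectl auth can-i update secret/${SECRET_NAME}` but never acts on it (no `set -e`, no check of the exit status), so when the Role does not permit the update the container still waits for and runs `/scripts/key-upload`, which then fails later with a less obvious error; `set -e` as the first line, or `kubectl auth can-i update secret/${SECRET_NAME} || exit 1`, makes the precheck meaningful. Restricting the Role with `resourceNames: [{{ $secretName }}]` is a good least-privilege step; note that `resourceNames` does not constrain `create`, so `create` should not remain in the verb list (the list is cut at `update` in this hunk, so I can't see whether it does). `image: bitnami/kubectl` is pulled without a tag; pinning it to a version close to the cluster's minor version avoids both surprise breakage and running an unpinned image that holds secret-update rights.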
@@ -1,63 +1,116 @@ --- -# Docker image configuration, used for Synapse and workers +## Docker image configuration, used for Synapse and workers. +## image: repository: ananace/matrix-synapse + ## Tag to override with, will default to the application version. + ## # tag: '' pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName -imagePullSecrets: [] -nameOverride: "" -fullnameOverride: "" +## Override part of the installed name, will still keep release name. +## +# nameOverride: "" +## Override the full name of the installed chart. +## +# fullnameOverride: "" + +## The source of the signing key used by Synapse in federation. +## signingkey: + ## Enable a Kubernetes job to generate and store a signing key if one does not + ## exist. + ## job: enabled: true + ## Specify an existing signing key secret, will need to be created in advance. + ## # existingSecret: - # existingSecretKey: + # existingSecretKey: signing.key +## Common Matrix configuration values, for any value not handled by this block, +## you will want to instead set it in extraConfig. +## config: + ## The Matrix domain name, this is what will be used for the domain part in + ## your MXIDs. + ## # serverName: 'example.com' - eventCacheSize: 10K - maxUploadSize: 10M - logLevel: INFO + ## The publicly accessible URL for the Synapse instance, will default to + ## https://. + ## + # publicBaseurl: 'https://example.com' + ## The size of the event cache. + ## + # eventCacheSize: 10K + + ## The maximum allowed size of uploaded media. + ## + # maxUploadSize: 10M + + ## The log level for Synapse and all modules. + ## + # logLevel: INFO + + ## The recaptcha configuration for registering. 
(optional) + ## # recaptcha: # publicKey: # privateKey: + ## URIs and secret key for TURN servers to use to help establish 1:1 WebRTC + ## calls. + ## # turnUris: [] - turnSecret: '' + # turnSecret: '' - enableRegistration: false - registrationSharedSecret: '' - allowGuests: false + ## Registration configuration, note that registration with the + ## container-internal register_new_matrix_user tool is always possible. + ## + # enableRegistration: false + ## Note; this value will default to a random string if not specified. + # registrationSharedSecret: '' + # allowGuests: false - reportStats: false - - federationBlacklistIPs: - - '127.0.0.0/8' - - '10.0.0.0/8' - - '172.16.0.0/12' - - '192.168.0.0/16' - - '100.64.0.0/10' - - '169.254.0.0/16' - - '::1/128' - - 'fe80::/64' - - 'fc00::/7' + ## Should the Synapse instance report stats. + ## + # reportStats: false + ## Servers to contact when doing 3PID lookups - for example when searching for + ## Matrix users by email/phone number. + ## thirdPartyIDServers: - matrix.org - vector.im + ## A set of fallback servers - and their key fingerprint - to contact if a + ## server doesn't respond to a signing key request. + ## perspectiveServers: matrix.org: verify_keys: ed25519:auto: key: "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw" -# Specify arbitrary synapse configuration; + ## Extra listeners to configure. + ## + extraListeners: [] + # - port: 9000 + # bind_addresses: ['::'] + # type: manhole + +## Specify arbitrary synapse configuration here; +## extraConfig: {} # use_presence: false # enable_search: false 
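Review bot: The default `federationBlacklistIPs` list (loopback, RFC1918, link-local, CGNAT and the IPv6 equivalents) is removed without a replacement visible in this diff; unless configuration.yaml stopped rendering `federation_ip_range_blacklist` in the same commit, federation requests can now reach cluster-internal and cloud-metadata addresses, and Synapse 1.18 does not appear to ship a built-in default for that list. Keep the list as a documented default with a comment such as `## IP ranges that federation must never connect to.` rather than dropping it. The commented `image.pullSecrets` example replaces `imagePullSecrets: []`, but deployment.yaml still reads `.Values.imagePullSecrets` (visible as context in the @@ -8 and @@ -147 hunks), so the documented key does nothing; either move the templates to `image.pullSecrets` or document the key the templates actually use. The `extraListeners` example binds a `manhole` listener to `['::']`; the manhole is a shell into the running process with fixed, well-known credentials in this Synapse version, so the example should use `bind_addresses: ['127.0.0.1']` and say why.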
@@ -66,14 +119,39 @@ extraConfig: {} # - nyc.example.com # - syd.example.com +## Annotations to apply to the main Synapse pod. +## +annotations: {} +# prometheus.io/scrape: "true" +# prometheus.io/port: 9090 + +## Labels to apply to the main Synapse pod. +## +labels: {} + +## Additional environment variables to apply to the main Synapse pod +## +extraEnv: {} +# - name: USE_JEMALLOC +# value: "1" +# - name: SYNAPSE_CACHE_FACTOR +# value: "2" + +## This will set up a Lighttpd server to respond to any +## /.well-known/matrix/server requests, to make federation possible without any +## DNS changes. +## wellknown: enabled: false # host: matrix.example.com # port: 443 +## This configuration is for setting up the internally provided Postgres server, +## if you instead want to use an existing server, then you may want to set +## enabled to false and configure the externalPostgresql block. +## postgresql: enabled: true - nameOverride: synapse-postgresql postgresqlUsername: synapse postgresqlDatabase: synapse @@ -83,6 +161,9 @@ postgresql: persistence: size: 16G +## An externally configured Postgres server to use for Synapse's database, note +## that the database needs to have both COLLATE and CTYPE set to "C". +## externalPostgresql: # host: postgres port: 5432 @@ -91,9 +172,12 @@ externalPostgresql: database: synapse # sslMode: require +## This configuration is for the internal Redis that's deployed for use with +## workers/sharding, for an external Redis server you want to set enabled to +## false and configure the externalRedis block. +## redis: enabled: true - nameOverride: synapse-redis # usePassword: false # password: synapse 
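Review bot: The `annotations` example `prometheus.io/port: 9090` would be rejected by the API server if uncommented, because annotation values must be strings and YAML reads an unquoted `9090` as an integer; write `# prometheus.io/port: "9090"` here and in the identical `workers.default.annotations` example in the @@ -123 hunk. `extraEnv: {}` is typed as a map while the example below it (and the `env:` list the template splices it into) is a list; `extraEnv: []` documents the expected shape and still renders nothing by default, and the same applies to `workers.default.extraEnv`.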
@@ -101,20 +185,26 @@ redis: enabled: false master: persistence: + ## Note that Synapse only uses redis as a synchronization utility, so no + ## data will ever need to be persisted. + ## enabled: false statefulset: updateStrategy: RollingUpdate +## An externally configured Redis server to use for workers/sharding. +## externalRedis: # host: redis port: 6379 # password: synapse -# Persistence configuration for the media repository. -# This PVC will be mounted in either Synapse or a media_repo worker. -# -# NB; If you want to be able to scale this, you will have to set the -# accessMode to RWX/ReadWriteMany. +## Persistence configuration for the media repository function. +## This PVC will be mounted in either Synapse or a media_repo worker. +## +## NB; If you want to be able to scale this, you will have to set the +## accessMode to RWX/ReadWriteMany. +## persistence: enabled: true # existingClaim: synapse-data 
@@ -123,32 +213,55 @@ persistence: accessMode: ReadWriteOnce size: 10Gi -# Configuration for handling Synapse workers, which are useful for handling -# high-load deployments. -# More information is available at; -# https://github.com/matrix-org/synapse/blob/master/docs/workers.md +## Configuration for handling Synapse workers, which are useful for handling +## high-load deployments. +## +## More information is available at; +## https://github.com/matrix-org/synapse/blob/master/docs/workers.md +## workers: - # Default configuration, this is inherited into all workers + ## Default configuration, this is inherited into all workers, and can also be + ## overriden on each worker type. + ## default: - # The number of worker replicas, note that some workers require special - # handling. Refer to the information URL above. + ## The number of worker replicas, note that some workers require special + ## handling. Refer to the information URL above. + ## replicaCount: 1 - # Should workers provide Prometheus metrics. - metrics: false + ## Annotations to apply to the worker. + ## + annotations: {} + # prometheus.io/scrape: "true" + # prometheus.io/port: 9090 - # Additional volume mounts to add to the worker. - # Useful for the media repo. + ## Additional environment variables to add to the worker. + ## + extraEnv: {} + # - name: USE_JEMALLOC + # value: "1" + # - name: SYNAPSE_CACHE_FACTOR + # value: "2" + + ## Additional volume mounts to add to the worker. + ## Useful for the media repo. + ## volumeMounts: {} - # Additional volumes to add to the worker. - # Useful for the media repo. + ## Additional volumes to add to the worker. + ## Useful for the media repo. + ## volumes: {} + ## Security context information to set to the worker. + ## podSecurityContext: {} # fsGroup: 666 # runAsGroup: 666 # runAsUser: 666 + + ## Container security context information to set to the worker. + ## securityContext: {} # capabilities: # drop: 
@@ -156,6 +269,9 @@ workers: # readOnlyRootFilesystem: true # runAsNonRoot: true # runAsUser: 666 + + ## Resources to apply to the worker. + ## resources: {} # limits: # cpu: 100m @@ -163,14 +279,24 @@ workers: # requests: # cpu: 100m # memory: 128Mi + + ## Node selector configuration to set on the worker. + ## nodeSelector: {} + + ## Toleration configuration to set on the worker. + ## tolerations: [] + + ## Affinity configuration to set on the worker. + ## affinity: {} - # The generic worker can be used to handle most endpoints. - # Be careful when enabling the sync endpoints as they can eat large amounts of - # resources. Refer to the information URL above for more info. - # Proper load balancing with the K8s Ingress resource may not be possible. + ## The generic worker can be used to handle most endpoints. + ## Be careful when enabling the sync endpoints as they can eat large amounts of + ## resources. Refer to the information URL above for more info. + ## Proper load balancing with the K8s Ingress resource may not be possible. + ## generic_worker: enabled: false listeners: [client, federation] 
@@ -223,24 +349,28 @@ workers: - "/_matrix/client/(api/v1|r0|unstable)/join/" - "/_matrix/client/(api/v1|r0|unstable)/profile/" - # This worker deals with pushing notifications. - # NB; Only one instance of this worker can be run at a time, refer to the - # information URL above. + ## This worker deals with pushing notifications. + ## NB; Only one instance of this worker can be run at a time, refer to the + ## information URL above. + ## pusher: enabled: false - # This worker handles sending data to registered appservices. - # NB; Only one instance of this worker can be run at at time, refer to the - # information URL above. + ## This worker handles sending data to registered appservices. + ## NB; Only one instance of this worker can be run at at time, refer to the + ## information URL above. + ## appservice: enabled: false - # This worker handles sending federation traffic to other Synapse servers. + ## This worker handles sending federation traffic to other Synapse servers. + ## federation_sender: enabled: false - # This worker deals with serving and storing media. - # NB; Running multiple instances will conflict with background jobs. + ## This worker deals with serving and storing media. + ## NB; Running multiple instances will conflict with background jobs. + ## media_repository: enabled: false listeners: [media] 
@@ -252,16 +382,18 @@ workers: - "/_synapse/admin/v1/media/.*" - "/_synapse/admin/v1/quarantine_media/.*" - # This worker deals with user directory searches. + ## This worker deals with user directory searches. + ## user_dir: enabled: false listeners: [client] paths: - "/_matrix/client/(api/v1|r0|unstable)/user_directory/search" - # This worker handles key uploads, and may also stub out presence if that is - # disabled. If you set extraConfig.use_presence=false then you may want to - # uncomment the second path. + ## This worker handles key uploads, and may also stub out presence if that is + ## disabled. If you set extraConfig.use_presence=false then you may want to + ## uncomment the second path. + ## frontend_proxy: enabled: false listeners: [client] @@ -269,11 +401,38 @@ workers: - "/_matrix/client/(api/v1|r0|unstable)/keys/upload" # - "/_matrix/client/(api/v1|r0|unstable)/presence/[^/]+/status" +## Set up an init container to chown the mounted media if necessary. +## +volumePermissions: + enabled: false + + image: + repository: alpine + tag: latest + pullPolicy: Always + + resources: {} + # resources: + # requests: + # memory: 128Mi + # cpu: 100m + +## Configuration for the pod security policy, Synapse will by default run as its +## own user, even if not set. +## Note that changing this may also require you to use the volumePermission +## helper depending on your storage. +## +## NB; The synapse install is currently unable to run as anything but UID:GID +## 666:666. +## podSecurityContext: {} # fsGroup: 666 # runAsGroup: 666 # runAsUser: 666 +## Configuration for the container security policy, refer to the above +## podSecurityContext for more relevant information. +## securityContext: {} # capabilities: # drop: 
@@ -282,44 +441,76 @@ securityContext: {}
   # runAsNonRoot: true
   # runAsUser: 666
 
+## The K8s ingress configuration, this will be quite heavily used in order to set
+## up all routing necessary for use with a sharded Synapse instance.
+## If you're not using a Ingress compatible K8s ingress, you will need to set up
+## your own routing instead.
+##
 ingress:
   enabled: true
 
-  # Generate traefik-compatible regex paths instead of nginx-compatible ones
+  ## Generate traefik-compatible regex paths instead of nginx-compatible ones.
+  ##
   traefikPaths: false
 
-  # Annotations to apply to the created ingress resource
+  ## Annotations to apply to the created ingress resource.
+  ##
   annotations:
-    nginx.ingress.kubernetes.io/use-regex: "true"
+    # nginx.ingress.kubernetes.io/use-regex: "true"
     # kubernetes.io/ingress.class: nginx
     # kubernetes.io/tls-acme: "true"
 
-  # Additional hosts to add to the ingress configuration
-  # NB; config.serverName is included if includeServerName is set (default)
+  ## Additional hosts to add to the ingress configuration.
+  ## NB; config.serverName is included if includeServerName is set. (default)
+  ##
   hosts: []
     # - matrix.example.com
 
-  # Should config.serverName be included in the list of ingress paths, can be
-  # set to false if the main domain is managed in some external way.
+  ## Additional paths to add to the ingress blocks, will be inserted before the
+  ## /_matrix and /synapse catch-all paths.
+  ##
+  paths: [] # - path: /_matrix/media #   backend: #     serviceName: matrix-media-repo #     servicePort: 8000
+
+  ## Should the /_synapse path be included in the ingress, admin APIs are
+  ## provided under this path.
+  ##
+  includeUnderscoreSynapse: true
+
+  ## Should config.serverName be included in the list of ingress paths, can be
+  ## set to false if the main domain is managed in some external way.
+  ##
   # includeServerName: false
 
-  # TLS configuration to include in the ingress configuration
+  ## TLS configuration to include in the ingress configuration
+  ##
   tls: []
     # - secretName: chart-example-tls
     #   hosts:
     #     - example.com
     #     - matrix.example.com
 
+## Resources to apply to the main Synapse pod.
+##
 resources: {}
-  # limits:
-  #   cpu: 100m
-  #   memory: 128Mi
-  # requests:
-  #   cpu: 100m
-  #   memory: 128Mi
+# limits:
+#   cpu: 1000m
+#   memory: 2500Mi
+# requests:
+#   cpu: 1000m
+#   memory: 2500Mi
 
+## Node selectors to set for the main Synapse pod.
+##
 nodeSelector: {}
 
+## Tolerations to set for the main Synapse pod.
+##
 tolerations: []
 
+## Affinity to set for the main Synapse pod.
+##
 affinity: {}
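Review bot: The default `nginx.ingress.kubernetes.io/use-regex: "true"` annotation is now commented out, yet the worker paths in this file are regexes (for example `/_matrix/client/(api/v1|r0|unstable)/join/` in the earlier hunk) and the new header comment says the ingress carries all routing for a sharded install; on ingress-nginx without that annotation those paths are matched literally and worker routing silently stops, so the annotations comment should say that nginx users must re-enable it: `## NB; the worker paths are regexes, ingress-nginx users need use-regex: "true" here.` The new paths comment refers to the `/synapse` catch-all, but the key it sits next to is `includeUnderscoreSynapse` for `/_synapse`; it should read `## /_matrix and /_synapse catch-all paths.` Because `includeUnderscoreSynapse: true` publishes the admin API through the ingress by default, that comment would be more useful if it told operators to set it to false when admin access is only needed from inside the cluster. The commented `# limits:` example under `resources: {}` now sits at column 0 while every other example on this page is indented under its key, which reads as a stray top-level comment.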
