More synapse chart work

This commit is contained in:
Alexander Olofsson 2020-08-09 00:15:10 +02:00
parent 414338d47a
commit 7739b52dea
No known key found for this signature in database
GPG key ID: D439C9470CB04C73
11 changed files with 444 additions and 158 deletions

View file

@ -6,6 +6,9 @@ appVersion: 1.18.0
type: application type: application
version: 0.1.0 version: 0.1.0
maintainers:
- name: Alexander Olofsson
email: ace@haxalot.com
dependencies: dependencies:
- name: postgresql - name: postgresql
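Review bot: `version: 0.1.0` is left unchanged in this hunk even though the commit renames the Deployment selector labels, restructures the secrets file layout and changes helper output; bump the chart version so an installed 0.1.0 release is not silently replaced by an incompatible template set carrying the same version string.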

View file

@ -0,0 +1,16 @@
Matrix Synapse
==============
[Synapse](https://github.com/matrix-org/synapse) is the current reference implementation of the [Matrix protocol](https://matrix.org).
## Prerequisites
- Kubernetes 1.15+
- Helm 3.0+
- Ingress installed in the cluster
**NB**; Matrix requires the use of valid certificates.
## Installing
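Review bot: the prerequisites list "Ingress installed in the cluster" as a hard requirement, but NOTES.txt explicitly handles `ingress.enabled: false`, so this should read as optional. The "valid certificates" NB should say why: federating peers verify the TLS certificate of the server_name host (or its delegated host), so there is no self-signed option. The Installing section should also state that `config.serverName` is mandatory, since deployment.yaml fails the render without it, e.g. `helm install ... --set config.serverName=example.com`.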

View file

@ -1,9 +1,11 @@
** Note, this chart may take a while to finish setup, please be patient **
{{- if not .Values.ingress.enabled }} {{- if not .Values.ingress.enabled }}
Synapse has been installed without an ingress, you will need to manage Synapse has been installed without an ingress, you will need to manage
accesses to the services yourself. accesses to the services yourself.
{{- else }} {{- else }}
Your Synapse install is now running, you should be able to access it on the Your Synapse install is now starting, you should soon be able to access it on
following URL(s); the following URL(s);
{{- range (concat .Values.ingress.hosts (list .Values.config.serverName)) }} {{- range (concat .Values.ingress.hosts (list .Values.config.serverName)) }}
{{- if $.Values.ingress.tls }} {{- if $.Values.ingress.tls }}
https://{{ . }} https://{{ . }}
@ -11,4 +13,23 @@ https://{{ . }}
http://{{ . }} http://{{ . }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{ if not .Values.wellknown.enabled }}
Note that for federation to work you will need to either add an SRV record or
set up a /.well-known/matrix/server response.
Refer to https://github.com/matrix-org/synapse/blob/master/docs/federate.md
for more information.
{{- end }} {{- end }}
{{- if .Values.config.enableRegistration }}
You should be able to connect to your Synapse install with any compatible
Matrix client - and register an account - as soon as final setup is done.
You can also create an admin user with the following command;
{{- else }}
You can create a user in your new Synapse install by running the following
command;
{{- end }}
kubectl exec --namespace {{ .Release.Namespace }} {{ template "matrix-synapse" . }} -- register_new_matrix_user -c /synapse/config/homeserver.yaml -c /synapse/config/conf.d/secrets.yaml -u USERNAME -p PASSWORD --admin http://localhost:8008
You can also specify --no-admin to create a non-admin user.
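Review bot: the `kubectl exec` one-liner puts the admin password on the command line (`-p PASSWORD`), where it ends up in shell history and in `ps` output on the node; drop `-p` and let register_new_matrix_user prompt for it. Two smaller points on the same line: the target is rendered with `{{ template "matrix-synapse" . }}` while every other template in this chart uses `include "matrix-synapse.fullname"`, so check that a template by that bare name actually exists; and `kubectl exec` treats a bare name as a pod name, so the rendered Deployment name needs a `deploy/` prefix to resolve.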

View file

@ -86,7 +86,7 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
{{- if contains $name .Release.Name -}} {{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}} {{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}} {{- else -}}
{{- printf "%s-%s" .Release.Name "synapse-postgresql" | trunc 63 | trimSuffix "-" -}} {{- printf "%s-%s" .Release.Name "postgresql" | trunc 63 | trimSuffix "-" -}}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
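Review bot: dropping the `synapse-` prefix here only resolves to the real subchart Service if the matching `nameOverride: synapse-postgresql` under `postgresql:` in values.yaml (and `synapse-redis` under `redis:`) goes away in the same commit; otherwise the rendered database host points at a Service that does not exist and the pods fail at startup. The same applies to the redis helper in the next hunk. A one-line comment that this suffix must equal the subchart's nameOverride, or its chart name when unset, would prevent the two from drifting apart again.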
@ -99,7 +99,7 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
{{- if contains $name .Release.Name -}} {{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}} {{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}} {{- else -}}
{{- printf "%s-%s" .Release.Name "synapse-redis" | trunc 63 | trimSuffix "-" -}} {{- printf "%s-%s" .Release.Name "redis" | trunc 63 | trimSuffix "-" -}}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
@ -111,7 +111,7 @@ Set postgres host
{{- if .Values.postgresql.enabled -}} {{- if .Values.postgresql.enabled -}}
{{- template "matrix-synapse.postgresql.fullname" . -}} {{- template "matrix-synapse.postgresql.fullname" . -}}
{{- else -}} {{- else -}}
{{ required "A valid .Values.externalPostgresql.host is required" .Values.externalPostgresql.host }} {{ required "A valid externalPostgresql.host is required" .Values.externalPostgresql.host }}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
@ -137,7 +137,7 @@ Set postgres port
5432 5432
{{- end -}} {{- end -}}
{{- else -}} {{- else -}}
{{- required "A valid .Values.externalPostgresql.port is required" .Values.externalPostgresql.port -}} {{- required "A valid externalPostgresql.port is required" .Values.externalPostgresql.port -}}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
@ -148,7 +148,7 @@ Set postgresql username
{{- if .Values.postgresql.enabled -}} {{- if .Values.postgresql.enabled -}}
{{- default "postgres" .Values.postgresql.postgresqlUsername }} {{- default "postgres" .Values.postgresql.postgresqlUsername }}
{{- else -}} {{- else -}}
{{ required "A valid .Values.externalPostgresql.username is required" .Values.externalPostgresql.username }} {{ required "A valid externalPostgresql.username is required" .Values.externalPostgresql.username }}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
@ -159,7 +159,7 @@ Set postgresql password
{{- if .Values.postgresql.enabled -}} {{- if .Values.postgresql.enabled -}}
{{- default "" .Values.postgresql.postgresqlPassword }} {{- default "" .Values.postgresql.postgresqlPassword }}
{{- else -}} {{- else -}}
{{ required "A valid .Values.externalPostgresql.password is required" .Values.externalPostgresql.password }} {{ required "A valid externalPostgresql.password is required" .Values.externalPostgresql.password }}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
@ -170,7 +170,7 @@ Set postgresql database
{{- if .Values.postgresql.enabled -}} {{- if .Values.postgresql.enabled -}}
{{- default "synapse" .Values.postgresql.postgresqlDatabase }} {{- default "synapse" .Values.postgresql.postgresqlDatabase }}
{{- else -}} {{- else -}}
{{ required "A valid .Values.externalPostgresql.database is required" .Values.externalPostgresql.database }} {{ required "A valid externalPostgresql.database is required" .Values.externalPostgresql.database }}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
@ -181,7 +181,7 @@ Set redis host
{{- if .Values.redis.enabled -}} {{- if .Values.redis.enabled -}}
{{- template "matrix-synapse.redis.fullname" . -}}-master {{- template "matrix-synapse.redis.fullname" . -}}-master
{{- else -}} {{- else -}}
{{ required "A valid .Values.externalRedis.host is required" .Values.externalRedis.host }} {{ required "A valid externalRedis.host is required" .Values.externalRedis.host }}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
@ -203,7 +203,7 @@ Set redis port
{{- if .Values.redis.enabled -}} {{- if .Values.redis.enabled -}}
{{- default 6379 .Values.redis.redisPort }} {{- default 6379 .Values.redis.redisPort }}
{{- else -}} {{- else -}}
{{ required "A valid .Values.externalRedis.port is required" .Values.externalRedis.port }} {{ required "A valid externalRedis.port is required" .Values.externalRedis.port }}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}

View file

@ -33,14 +33,14 @@ data:
## Server ## ## Server ##
server_name: {{ .Values.config.serverName | quote }} server_name: {{ required "You need to specify a server name" .Values.config.serverName | quote }}
public_baseurl: {{ .Values.config.publicBaseurl | default (printf "https://%s" .Values.config.serverName) | quote }}
pid_file: /homeserver.pid pid_file: /homeserver.pid
web_client: False web_client: False
soft_file_limit: 0 soft_file_limit: 0
log_config: "/synapse/config/log.yaml" log_config: "/synapse/config/log.yaml"
trusted_third_party_id_servers: trusted_third_party_id_servers: {{- .Values.config.thirdPartyIDServers | toYaml | nindent 6 }}
{{ .Values.config.thirdPartyIDServers | toYaml | indent 6 }}
## Ports ## ## Ports ##
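Review bot: defaulting `public_baseurl` to `https://<serverName>` is wrong for the split setup the chart itself documents (serverName `example.com`, wellknown.host `matrix.example.com`): clients get sent to the bare domain for password-reset and SSO links. Prefer the first `ingress.hosts` entry, or `wellknown.host` when set, before falling back to serverName, and keep the scheme consistent with `ingress.tls` (NOTES.txt prints http:// URLs when TLS is off). The `required` on server_name also duplicates the `fail` at the top of deployment.yaml; one of the two checks is enough.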
@ -70,6 +70,9 @@ data:
resources: resources:
- names: [replication] - names: [replication]
compress: false compress: false
{{- if .Values.config.extraListeners }}
{{ .Values.config.extraListeners | toYaml | nindent 6 }}
{{- end }}
## Performance ## ## Performance ##
@ -161,13 +164,13 @@ data:
# The trusted servers to download signing keys from. # The trusted servers to download signing keys from.
perspectives: perspectives:
servers: servers: {{- .Values.config.perspectiveServers | toYaml | nindent 8 }}
{{ .Values.config.perspectiveServers | toYaml | indent 8 }}
## Workers ## ## Workers ##
{{- $default := .Values.workers.default -}}
{{- range $worker, $config := .Values.workers -}} {{- $default := .Values.workers.default }}
{{- if $config.enabled -}} {{- range $worker, $config := .Values.workers }}
{{- if $config.enabled }}
{{- if eq $worker "pusher" }} {{- if eq $worker "pusher" }}
start_pushers: false start_pushers: false
{{- else if eq $worker "appservice" }} {{- else if eq $worker "appservice" }}
@ -185,7 +188,7 @@ data:
{{- with .Values.extraConfig }} {{- with .Values.extraConfig }}
## Extra config ## ## Extra config ##
{{ . | toYaml }} {{ . | toYaml | nindent 4 }}
{{- end }} {{- end }}
{{- $default := .Values.workers.default -}} {{- $default := .Values.workers.default -}}
@ -196,23 +199,11 @@ data:
{{ $name }}.worker: | {{ $name }}.worker: |
worker_app: "synapse.app.{{ $worker }}" worker_app: "synapse.app.{{ $worker }}"
# The replication listener on the synapse to talk to.
worker_main_http_uri: http://{{ include "matrix-synapse.fullname" $ }}:8008 worker_main_http_uri: http://{{ include "matrix-synapse.fullname" $ }}:8008
worker_replication_host: {{ include "matrix-synapse.replicationname" $ | quote }} worker_replication_host: {{ include "matrix-synapse.replicationname" $ | quote }}
worker_replication_http_port: 9093 worker_replication_http_port: 9093
{{- if or $config.listeners ($config.metrics | default $default.metrics) }}
worker_listeners: worker_listeners:
{{- if $config.listeners }}
- type: http
tls: false
port: 8083
resources:
- names:
{{ toYaml $config.listeners | nindent 14 }}
compress: false
{{- end }}
{{- if $config.metrics | default $default.metrics }}
- type: http - type: http
bind_addresses: ['0.0.0.0'] bind_addresses: ['0.0.0.0']
tls: false tls: false
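Review bot: if the `$config.metrics | default $default.metrics` guard is being removed here (it is likewise gone from the worker container ports, and `metrics: false` no longer appears under `workers.default` in values.yaml), every worker now unconditionally opens a metrics listener on 0.0.0.0:9090 serving unauthenticated `/_synapse/metrics` to the whole pod network. That is a defensible default inside a cluster, but it should be stated in the values comments, and the chart should either keep an opt-out or point at a NetworkPolicy limiting 9090 to the scraper.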
@ -220,7 +211,13 @@ data:
resources: resources:
- names: [metrics] - names: [metrics]
compress: false compress: false
{{- end }} {{- if $config.listeners }}
- type: http
tls: false
port: 8083
resources:
- names: {{- toYaml $config.listeners | nindent 14 }}
compress: false
{{- end }} {{- end }}
worker_log_config: /synapse/config/log.yaml worker_log_config: /synapse/config/log.yaml
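Review bot: the 8083 listener has no `bind_addresses`, while the metrics listener just above it pins `['0.0.0.0']`; set it explicitly (the same value as metrics, or `['::', '0.0.0.0']`) so the bind behaviour does not depend on Synapse's fallback for an absent key and IPv4-only versus dual-stack is a deliberate choice. With `tls: false` the main-process-to-worker hop is plaintext HTTP inside the cluster, which is acceptable only as long as the worker listener Service is not reachable from outside the namespace.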

View file

@ -1,6 +1,7 @@
{{- if not .Values.config.serverName -}} {{- if not .Values.config.serverName -}}
{{- fail "A valid .Values.config.serverName is required" -}} {{- fail "A valid .Values.config.serverName is required" -}}
{{- end -}} {{- end -}}
{{- $needsVolumePermissions := and .Values.volumePermissions.enabled (or .Values.persistence.enabled .Values.persistence.existingClaim) }}
--- ---
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
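Review bot: `$needsVolumePermissions` is defined here but only consumed by the media-repository worker further down; values.yaml says the media PVC "will be mounted in either Synapse or a media_repo worker", so when no media-repository worker is enabled the main Synapse Deployment mounts the same claim and needs the same init container, otherwise the chown never runs in that configuration.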
@ -8,21 +9,27 @@ metadata:
name: {{ include "matrix-synapse.fullname" . }} name: {{ include "matrix-synapse.fullname" . }}
labels: labels:
{{- include "matrix-synapse.labels" . | nindent 4 }} {{- include "matrix-synapse.labels" . | nindent 4 }}
component: synapse app.kubernetes.io/component: synapse
spec: spec:
replicas: {{ .Values.replicaCount }} replicas: {{ .Values.replicaCount }}
selector: selector:
matchLabels: matchLabels:
{{- include "matrix-synapse.selectorLabels" . | nindent 6 }} {{- include "matrix-synapse.selectorLabels" . | nindent 6 }}
component: synapse app.kubernetes.io/component: synapse
template: template:
metadata: metadata:
annotations: annotations:
checksum/config: {{ include (print $.Template.BasePath "/configuration.yaml") . | sha256sum }} checksum/config: {{ include (print $.Template.BasePath "/configuration.yaml") . | sha256sum }}
checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }} checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
{{- with .Values.annotations }}
{{ . | toYaml | nindent 8 }}
{{- end }}
labels: labels:
{{- include "matrix-synapse.selectorLabels" . | nindent 8 }} {{- include "matrix-synapse.selectorLabels" . | nindent 8 }}
component: synapse app.kubernetes.io/component: synapse
{{- with .Values.labels }}
{{ . | toYaml | nindent 8 }}
{{- end }}
spec: spec:
{{- with .Values.imagePullSecrets }} {{- with .Values.imagePullSecrets }}
imagePullSecrets: imagePullSecrets:
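Review bot: changing `spec.selector.matchLabels` from `component: synapse` to `app.kubernetes.io/component: synapse` breaks upgrades: Deployment selectors are immutable in apps/v1, so `helm upgrade` over a release installed before this commit fails with "field is immutable" and the Deployment has to be deleted and recreated by hand. The worker Deployments below have the same problem. Either keep the old `component` label in the selector alongside the new one, or document the manual migration in the README.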
@ -59,6 +66,9 @@ spec:
name: {{ include "matrix-synapse.redis.fullname" . }} name: {{ include "matrix-synapse.redis.fullname" . }}
key: redis-password key: redis-password
{{- end }} {{- end }}
{{- with .Values.extraEnv }}
{{ . | toYaml }}
{{- end }}
securityContext: securityContext:
{{- toYaml .Values.securityContext | nindent 12 }} {{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ include "matrix-synapse.imageTag" . }}" image: "{{ .Values.image.repository }}:{{ include "matrix-synapse.imageTag" . }}"
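Review bot: `{{ . | toYaml }}` for `.Values.extraEnv` is emitted at column 0 under `env:`, while the secretKeyRef entries above it are indented list items; it needs `| nindent` at the same depth as the sibling `- name:` lines, or the rendered Deployment is invalid YAML as soon as someone sets extraEnv. Note also that values.yaml defaults extraEnv to `{}` while the commented examples are a list; a map rendered here would produce `key: value` lines under `env:`, so the default should be `[]`.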
@ -147,24 +157,27 @@ metadata:
name: {{ include "matrix-synapse.workername" (dict "global" $ "worker" $name) }} name: {{ include "matrix-synapse.workername" (dict "global" $ "worker" $name) }}
labels: labels:
{{- include "matrix-synapse.labels" $ | nindent 4 }} {{- include "matrix-synapse.labels" $ | nindent 4 }}
component: worker app.kubernetes.io/component: {{ $name }}
worker: {{ $name }}
spec: spec:
replicas: {{ $config.replicaCount | default $default.replicaCount }} replicas: {{ $config.replicaCount | default $default.replicaCount }}
selector: selector:
matchLabels: matchLabels:
{{- include "matrix-synapse.selectorLabels" $ | nindent 6 }} {{- include "matrix-synapse.selectorLabels" $ | nindent 6 }}
component: worker app.kubernetes.io/component: {{ $name }}
worker: {{ $name }}
template: template:
metadata: metadata:
annotations: annotations:
checksum/config: {{ include (print $.Template.BasePath "/configuration.yaml") $ | sha256sum }} checksum/config: {{ include (print $.Template.BasePath "/configuration.yaml") $ | sha256sum }}
checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") $ | sha256sum }} checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") $ | sha256sum }}
{{- with ($config.annotations | default $default.annotations) }}
{{ . | toYaml | nindent 8 }}
{{- end }}
labels: labels:
{{- include "matrix-synapse.selectorLabels" $ | nindent 8 }} {{- include "matrix-synapse.selectorLabels" $ | nindent 8 }}
component: worker app.kubernetes.io/component: {{ $name }}
worker: {{ $name }} {{- with ($config.labels | default $default.labels) }}
{{ . | toYaml | nindent 8 }}
{{- end }}
spec: spec:
{{- with $.Values.imagePullSecrets }} {{- with $.Values.imagePullSecrets }}
imagePullSecrets: imagePullSecrets:
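Review bot: the `worker: {{ $name }}` label is removed from worker pods and folded into `app.kubernetes.io/component`; anything outside the chart that selected on `component: worker` and `worker: <name>` (NetworkPolicies, PodMonitors, PodDisruptionBudgets) silently stops matching, and as with the main Deployment the selector change itself is rejected on an in-place upgrade because Deployment selectors are immutable. Call this out in the README as a breaking change.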
@ -172,6 +185,19 @@ spec:
{{- end }} {{- end }}
securityContext: securityContext:
{{- $config.podSecurityContext | default $default.podSecurityContext | toYaml | nindent 8 }} {{- $config.podSecurityContext | default $default.podSecurityContext | toYaml | nindent 8 }}
{{- if and $needsVolumePermissions (eq $name "media-repository") }}
initContainers:
- name: volume-permissions
command: ["chown", "-R", "666:666", "/synapse/data"]
image: "{{ $.Values.volumePermissions.repository }}:{{ $.Values.volumePermissions.tag }}"
imagePullPolicy: {{ $.Values.volumePermissions.pullPolicy }}
securityContext:
runAsUser: 0
resources: {{ $.Values.volumePermissions.resources | toYaml | nindent 10 }}
volumeMounts:
- name: media
mountPath: /synapse/data
{{- end }}
containers: containers:
- name: {{ $name }} - name: {{ $name }}
command: command:
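Review bot: the volume-permissions init container runs as root and chowns the media PVC to a hardcoded `666:666`, but the worker's `podSecurityContext` and `securityContext` default to `{}` in values.yaml and are user-overridable; if someone sets `runAsUser` to anything else the chown target is wrong and the worker cannot write. Derive the owner from the effective podSecurityContext (runAsUser/fsGroup) instead of a literal, and note that `runAsUser: 0` must be permitted by whatever pod admission policy the cluster enforces. A recursive chown over a large media store on every pod start is also slow, so keep `volumePermissions.enabled` default-off.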
@ -184,16 +210,32 @@ spec:
> /synapse/config/conf.d/secrets.yaml > /synapse/config/conf.d/secrets.yaml
/matrix-synapse synapse.app.{{ $worker }} -c /synapse/config/{{ $name }}.worker /matrix-synapse synapse.app.{{ $worker }} -c /synapse/config/{{ $name }}.worker
env:
{{- if $.Values.postgresql.enabled }}
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "matrix-synapse.postgresql.fullname" $ }}
key: postgresql-password
{{- end }}
{{- if and $.Values.redis.enabled (default $.Values.redis.usePassword true) }}
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "matrix-synapse.redis.fullname" $ }}
key: redis-password
{{- end }}
{{- with default $config.extraEnv $default.extraEnv }}
{{ . | toYaml }}
{{- end }}
securityContext: securityContext:
{{- $config.securityContext | default $default.securityContext | toYaml | nindent 12 }} {{- $config.securityContext | default $default.securityContext | toYaml | nindent 12 }}
image: "{{ $.Values.image.repository }}:{{ $.Chart.AppVersion }}" image: "{{ $.Values.image.repository }}:{{ $.Chart.AppVersion }}"
imagePullPolicy: {{ $.Values.image.pullPolicy }} imagePullPolicy: {{ $.Values.image.pullPolicy }}
ports: ports:
{{- if $config.metrics | default $default.metrics }}
- name: metrics - name: metrics
containerPort: 9090 containerPort: 9090
protocol: TCP protocol: TCP
{{- end }}
{{- if $config.listeners }} {{- if $config.listeners }}
- name: listener - name: listener
containerPort: 8083 containerPort: 8083
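Review bot: `{{- with default $config.extraEnv $default.extraEnv }}` has the arguments the wrong way round for sprig's `default DEFAULT VALUE`: as written the per-worker value is the fallback and `$default.extraEnv` is the value being tested, so a worker-specific extraEnv only takes effect when the global default is empty, the opposite of the `$config.x | default $default.x` pattern used for annotations, labels and securityContext in this same file. Write it as `$config.extraEnv | default $default.extraEnv`, and add `| nindent` to the `toYaml` on the next line so the entries line up with the secretKeyRef items above. Separately, `(default $.Values.redis.usePassword true)` always evaluates to true, because the second argument `true` is the value being defaulted and is never empty; `redis.usePassword: false` therefore still renders a `REDIS_PASSWORD` secretKeyRef and the pod fails to start when the redis subchart has created no password secret. Compare the value explicitly instead.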

View file

@ -56,11 +56,22 @@ spec:
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- with $.Values.ingress.paths }}
{{ . | toYaml | nindent 10 }}
{{- end }}
- path: /_matrix - path: /_matrix
backend: backend:
serviceName: {{ $fullName }} serviceName: {{ $fullName }}
servicePort: 8008 servicePort: 8008
{{- if $.Values.ingress.includeUnderscoreSynapse }}
- path: /_synapse
backend:
serviceName: {{ $fullName }}
servicePort: 8008
{{- end }}
- path: /.well-known/matrix/client - path: /.well-known/matrix/client
backend: backend:
serviceName: {{ $fullName }} serviceName: {{ $fullName }}
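Review bot: `/_synapse` is the prefix of the admin API (`/_synapse/admin`), so `ingress.includeUnderscoreSynapse` should default to false and its values.yaml entry should say that turning it on publishes the admin endpoints on the public hostname; those calls are token-gated, but there is no reason to let the internet probe them. If the toggle exists for specific client-facing routes under `/_synapse`, expose only those narrower sub-paths.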

View file

@ -21,7 +21,7 @@ stringData:
## Registration ## ## Registration ##
registration_shared_secret: {{ .Values.config.registrationSharedSecret | quote }} registration_shared_secret: {{ .Values.config.registrationSharedSecret | default (randAlphaNum 24) | quote }}
## API Configuration ## ## API Configuration ##
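Review bot: `default (randAlphaNum 24)` is re-evaluated on every render, so each `helm upgrade` that does not set `config.registrationSharedSecret` writes a fresh `registration_shared_secret`; that changes the `checksum/secrets` annotation and rolls every Synapse and worker pod on every upgrade, and invalidates the secret any external registration tooling has stored. Either make the value `required`, or reuse the existing Secret's value via `lookup`, the way the signing key block in this same file already does.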
@ -32,7 +32,6 @@ stringData:
{{- $postgresUser := include "matrix-synapse.postgresql.username" . }} {{- $postgresUser := include "matrix-synapse.postgresql.username" . }}
{{- $postgresPort := include "matrix-synapse.postgresql.port" . }} {{- $postgresPort := include "matrix-synapse.postgresql.port" . }}
{{- $postgresPass := include "matrix-synapse.postgresql.password" . }} {{- $postgresPass := include "matrix-synapse.postgresql.password" . }}
database.yaml: |
## Database configuration ## ## Database configuration ##
database: database:
@ -53,8 +52,6 @@ stringData:
{{- $redisHost := include "matrix-synapse.redis.host" . }} {{- $redisHost := include "matrix-synapse.redis.host" . }}
{{- $redisPort := include "matrix-synapse.redis.port" . }} {{- $redisPort := include "matrix-synapse.redis.port" . }}
{{- $redisPass := include "matrix-synapse.redis.password" . }} {{- $redisPass := include "matrix-synapse.redis.password" . }}
{{- if $redisHost }}
redis.yaml: |
## Redis configuration ## ## Redis configuration ##
redis: redis:
@ -67,17 +64,19 @@ stringData:
password: "@@REDIS_PASSWORD@@" password: "@@REDIS_PASSWORD@@"
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }}
{{- if not .Values.signingkey.existingSecret }} {{- if and .Values.signingkey.job.enabled (not .Values.signingkey.existingSecret) }}
{{- $name := include "matrix-synapse.workername" (dict "global" . "worker" "signingkey") }} {{- $name := include "matrix-synapse.workername" (dict "global" . "worker" "signingkey") }}
{{- if not (lookup "v1" "Secret" .Release.Namespace $name) }} {{- if not (lookup "v1" "Secret" .Release.Namespace $name) }}
--- ---
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
annotations:
helm.sh/resource-policy: keep
name: {{ $name }} name: {{ $name }}
labels: labels:
{{- include "matrix-synapse.labels" . | nindent 4 }} {{- include "matrix-synapse.labels" . | nindent 4 }}
job: {{ $name }} app.kubernetes.io/component: signingkey-job
{{- end }} {{- end }}
{{- end }} {{- end }}
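Review bot: `helm.sh/resource-policy: keep` on the signing key Secret is the right call, since a lost signing key is unrecoverable for federation (peers cache the old key and reject events signed with a new one). Two things worth a comment next to it: `lookup` returns nothing under `helm template` and `--dry-run`, so the Secret is always rendered in those modes, which is harmless but surprising; and because RBAC `resourceNames` cannot restrict `create`, this pre-created empty Secret is what allows the job's Role to be scoped to `get`/`update` only, so the Secret must exist before the job runs.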

View file

@ -13,7 +13,7 @@ spec:
protocol: TCP protocol: TCP
name: http name: http
selector: selector:
component: synapse app.kubernetes.io/component: synapse
{{- include "matrix-synapse.selectorLabels" . | nindent 4 }} {{- include "matrix-synapse.selectorLabels" . | nindent 4 }}
--- ---
apiVersion: v1 apiVersion: v1
@ -31,7 +31,7 @@ spec:
name: replication name: replication
selector: selector:
{{- include "matrix-synapse.selectorLabels" . | nindent 4 }} {{- include "matrix-synapse.selectorLabels" . | nindent 4 }}
component: synapse app.kubernetes.io/component: synapse
{{- $default := .Values.workers.default }} {{- $default := .Values.workers.default }}
{{- range $worker, $config := .Values.workers }} {{- range $worker, $config := .Values.workers }}
{{- if and $config.enabled $config.listeners }} {{- if and $config.enabled $config.listeners }}
@ -53,7 +53,6 @@ spec:
name: listener name: listener
selector: selector:
{{- include "matrix-synapse.selectorLabels" $ | nindent 4 }} {{- include "matrix-synapse.selectorLabels" $ | nindent 4 }}
component: worker app.kubernetes.io/component: {{ $name }}
worker: {{ $name }}
{{- end }} {{- end }}
{{- end }} {{- end }}

View file

@ -3,6 +3,7 @@
{{- fail "Can't specify both signingkey.job.enabled and signingkey.existingSecret" }} {{- fail "Can't specify both signingkey.job.enabled and signingkey.existingSecret" }}
{{- end }} {{- end }}
{{- $name := include "matrix-synapse.workername" (dict "global" . "worker" "signingkey-job") }} {{- $name := include "matrix-synapse.workername" (dict "global" . "worker" "signingkey-job") }}
{{- $secretName := include "matrix-synapse.workername" (dict "global" . "worker" "signingkey") }}
--- ---
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
@ -10,6 +11,7 @@ metadata:
name: {{ $name }} name: {{ $name }}
labels: labels:
{{- include "matrix-synapse.labels" . | nindent 4 }} {{- include "matrix-synapse.labels" . | nindent 4 }}
app.kubernetes.io/component: signingkey-job
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
@ -17,11 +19,14 @@ metadata:
name: {{ $name }} name: {{ $name }}
labels: labels:
{{- include "matrix-synapse.labels" . | nindent 4 }} {{- include "matrix-synapse.labels" . | nindent 4 }}
app.kubernetes.io/component: signingkey-job
rules: rules:
- apiGroups: - apiGroups:
- "" - ""
resources: resources:
- secrets - secrets
resourceNames:
- {{ $secretName }}
verbs: verbs:
- get - get
- update - update
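Review bot: scoping the Role with `resourceNames` to the single signing-key Secret is the correct least-privilege change (before this, the job could read and rewrite any Secret in the namespace). Keep in mind that `resourceNames` does not constrain `create` in Kubernetes RBAC because the object name is unknown at authorization time, so this only stays tight as long as the verbs remain `get` and `update` and the Secret is pre-created by secrets.yaml; a short comment above `rules:` would stop someone re-adding `create` later and silently widening the grant.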
@ -31,6 +36,9 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
metadata: metadata:
name: {{ $name }} name: {{ $name }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
app.kubernetes.io/component: signingkey-job
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: Role kind: Role
@ -46,16 +54,14 @@ metadata:
name: {{ $name }} name: {{ $name }}
labels: labels:
{{- include "matrix-synapse.labels" . | nindent 4 }} {{- include "matrix-synapse.labels" . | nindent 4 }}
component: job app.kubernetes.io/component: signingkey-job
job: signing-key-generation
spec: spec:
ttlSecondsAfterFinished: 0 ttlSecondsAfterFinished: 0
template: template:
metadata: metadata:
labels: labels:
{{- include "matrix-synapse.labels" . | nindent 8 }} {{- include "matrix-synapse.labels" . | nindent 8 }}
component: job app.kubernetes.io/component: signingkey-job
job: signing-key-generation
spec: spec:
containers: containers:
- command: - command:
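Review bot: `ttlSecondsAfterFinished: 0` removes the Job, and with it the pod logs, the moment it finishes, including when it fails; combined with the `restartPolicy: Never` added below, a failed key upload leaves nothing to inspect. Use a non-zero TTL of a few minutes so an operator can read the logs before cleanup.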
@ -85,22 +91,22 @@ spec:
- sh - sh
- -c - -c
- | - |
printf "Checking rights to create secret... " printf "Checking rights to update secret... "
kubectl auth can-i create secret/${SECRET_NAME} kubectl auth can-i update secret/${SECRET_NAME}
echo "Waiting for key upload script" echo "Waiting for key upload script"
while ! [ -f /scripts/key-upload ]; do sleep 1; done while ! [ -f /scripts/key-upload ]; do sleep 1; done
/scripts/key-upload /scripts/key-upload
env: env:
- name: SECRET_NAME - name: SECRET_NAME
value: {{ $name }} value: {{ $secretName }}
image: bitnami/kubectl image: bitnami/kubectl
name: signing-key-upload name: signing-key-upload
resources: resources:
requests: requests:
memory: 50Mi memory: 100Mi
cpu: 100m cpu: 100m
limits: limits:
memory: 50Mi memory: 100Mi
cpu: 100m cpu: 100m
volumeMounts: volumeMounts:
- mountPath: /scripts - mountPath: /scripts
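Review bot: the result of `kubectl auth can-i update secret/${SECRET_NAME}` is only printed, never acted on, and the following `while ! [ -f /scripts/key-upload ]` loop has no timeout, so if RBAC is wrong or the key-generation container never writes the script the Job hangs indefinitely (no `activeDeadlineSeconds` is set either). Make it `kubectl auth can-i ... || exit 1` and bound the wait. Also `image: bitnami/kubectl` carries no tag, so the job pulls whatever `latest` is at run time; pin a version, or better a digest, for a container that holds write access to a Secret.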
@ -109,6 +115,7 @@ spec:
- mountPath: /synapse/keys - mountPath: /synapse/keys
name: matrix-synapse-keys name: matrix-synapse-keys
readOnly: true readOnly: true
restartPolicy: Never
serviceAccount: {{ $name }} serviceAccount: {{ $name }}
volumes: volumes:
- name: scripts - name: scripts

View file

@ -1,63 +1,116 @@
--- ---
# Docker image configuration, used for Synapse and workers ## Docker image configuration, used for Synapse and workers.
##
image: image:
repository: ananace/matrix-synapse repository: ananace/matrix-synapse
## Tag to override with, will default to the application version.
##
# tag: '' # tag: ''
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
##
# pullSecrets:
# - myRegistryKeySecretName
imagePullSecrets: [] ## Override part of the installed name, will still keep release name.
nameOverride: "" ##
fullnameOverride: "" # nameOverride: ""
## Override the full name of the installed chart.
##
# fullnameOverride: ""
## The source of the signing key used by Synapse in federation.
##
signingkey: signingkey:
## Enable a Kubernetes job to generate and store a signing key if one does not
## exist.
##
job: job:
enabled: true enabled: true
## Specify an existing signing key secret, will need to be created in advance.
##
# existingSecret: # existingSecret:
# existingSecretKey: # existingSecretKey: signing.key
## Common Matrix configuration values, for any value not handled by this block,
## you will want to instead set it in extraConfig.
##
config: config:
## The Matrix domain name, this is what will be used for the domain part in
## your MXIDs.
##
# serverName: 'example.com' # serverName: 'example.com'
eventCacheSize: 10K
maxUploadSize: 10M
logLevel: INFO ## The publicly accessible URL for the Synapse instance, will default to
## https://<serverName>.
##
# publicBaseurl: 'https://example.com'
## The size of the event cache.
##
# eventCacheSize: 10K
## The maximum allowed size of uploaded media.
##
# maxUploadSize: 10M
## The log level for Synapse and all modules.
##
# logLevel: INFO
## The recaptcha configuration for registering. (optional)
##
# recaptcha: # recaptcha:
# publicKey: # publicKey:
# privateKey: # privateKey:
## URIs and secret key for TURN servers to use to help establish 1:1 WebRTC
## calls.
##
# turnUris: [] # turnUris: []
turnSecret: '' # turnSecret: ''
enableRegistration: false ## Registration configuration, note that registration with the
registrationSharedSecret: '' ## container-internal register_new_matrix_user tool is always possible.
allowGuests: false ##
# enableRegistration: false
## Note; this value will default to a random string if not specified.
# registrationSharedSecret: ''
# allowGuests: false
reportStats: false ## Should the Synapse instance report stats.
##
federationBlacklistIPs: # reportStats: false
- '127.0.0.0/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '100.64.0.0/10'
- '169.254.0.0/16'
- '::1/128'
- 'fe80::/64'
- 'fc00::/7'
## Servers to contact when doing 3PID lookups - for example when searching for
## Matrix users by email/phone number.
##
thirdPartyIDServers: thirdPartyIDServers:
- matrix.org - matrix.org
- vector.im - vector.im
## A set of fallback servers - and their key fingerprint - to contact if a
## server doesn't respond to a signing key request.
##
perspectiveServers: perspectiveServers:
matrix.org: matrix.org:
verify_keys: verify_keys:
ed25519:auto: ed25519:auto:
key: "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw" key: "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"
# Specify arbitrary synapse configuration; ## Extra listeners to configure.
##
extraListeners: []
# - port: 9000
# bind_addresses: ['::']
# type: manhole
## Specify arbitrary synapse configuration here;
##
extraConfig: {} extraConfig: {}
# use_presence: false # use_presence: false
# enable_search: false # enable_search: false
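Review bot: the `extraListeners` example binds a `manhole` listener to `['::']`, i.e. every interface of the pod. The manhole is a debugging shell with full access to the running process behind a fixed default login, so the example should bind it to `['127.0.0.1', '::1']` and be reached via `kubectl port-forward`, or be dropped from the example entirely. Also, if `federationBlacklistIPs` is leaving values.yaml here, confirm that configuration.yaml still emits `federation_ip_range_blacklist` with the private, loopback and link-local ranges; an empty blacklist lets a federation peer or a URL preview steer Synapse at cluster-internal addresses.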
@ -66,14 +119,39 @@ extraConfig: {}
# - nyc.example.com # - nyc.example.com
# - syd.example.com # - syd.example.com
## Annotations to apply to the main Synapse pod.
##
annotations: {}
# prometheus.io/scrape: "true"
# prometheus.io/port: 9090
## Labels to apply to the main Synapse pod.
##
labels: {}
## Additional environment variables to apply to the main Synapse pod
##
extraEnv: {}
# - name: USE_JEMALLOC
# value: "1"
# - name: SYNAPSE_CACHE_FACTOR
# value: "2"
## This will set up a Lighttpd server to respond to any
## /.well-known/matrix/server requests, to make federation possible without any
## DNS changes.
##
wellknown: wellknown:
enabled: false enabled: false
# host: matrix.example.com # host: matrix.example.com
# port: 443 # port: 443
## This configuration is for setting up the internally provided Postgres server,
## if you instead want to use an existing server, then you may want to set
## enabled to false and configure the externalPostgresql block.
##
postgresql: postgresql:
enabled: true enabled: true
nameOverride: synapse-postgresql
postgresqlUsername: synapse postgresqlUsername: synapse
postgresqlDatabase: synapse postgresqlDatabase: synapse
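Review bot: `extraEnv: {}` is declared as a map while the examples beneath it are list items (`- name: USE_JEMALLOC`), and the deployment template renders it with a plain `toYaml` under `env:`; default it to `[]` so copy-pasting the example yields the type the template expects. The `wellknown` comment's "without any DNS changes" also holds only when `config.serverName` already resolves to this ingress, since federating servers fetch the response from `https://<server_name>/.well-known/matrix/server`; one sentence saying so would save people a confusing federation failure.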
@ -83,6 +161,9 @@ postgresql:
persistence: persistence:
size: 16G size: 16G
## An externally configured Postgres server to use for Synapse's database, note
## that the database needs to have both COLLATE and CTYPE set to "C".
##
externalPostgresql: externalPostgresql:
# host: postgres # host: postgres
port: 5432 port: 5432
@ -91,9 +172,12 @@ externalPostgresql:
database: synapse database: synapse
# sslMode: require # sslMode: require
## This configuration is for the internal Redis that's deployed for use with
## workers/sharding, for an external Redis server you want to set enabled to
## false and configure the externalRedis block.
##
redis: redis:
enabled: true enabled: true
nameOverride: synapse-redis
# usePassword: false # usePassword: false
# password: synapse # password: synapse
@ -101,20 +185,26 @@ redis:
enabled: false enabled: false
master: master:
persistence: persistence:
## Note that Synapse only uses redis as a synchronization utility, so no
## data will ever need to be persisted.
##
enabled: false enabled: false
statefulset: statefulset:
updateStrategy: RollingUpdate updateStrategy: RollingUpdate
## An externally configured Redis server to use for workers/sharding.
##
externalRedis: externalRedis:
# host: redis # host: redis
port: 6379 port: 6379
# password: synapse # password: synapse
# Persistence configuration for the media repository. ## Persistence configuration for the media repository function.
# This PVC will be mounted in either Synapse or a media_repo worker. ## This PVC will be mounted in either Synapse or a media_repo worker.
# ##
# NB; If you want to be able to scale this, you will have to set the ## NB; If you want to be able to scale this, you will have to set the
# accessMode to RWX/ReadWriteMany. ## accessMode to RWX/ReadWriteMany.
##
persistence: persistence:
enabled: true enabled: true
# existingClaim: synapse-data # existingClaim: synapse-data
@ -123,32 +213,55 @@ persistence:
accessMode: ReadWriteOnce accessMode: ReadWriteOnce
size: 10Gi size: 10Gi
# Configuration for handling Synapse workers, which are useful for handling ## Configuration for handling Synapse workers, which are useful for handling
# high-load deployments. ## high-load deployments.
# More information is available at; ##
# https://github.com/matrix-org/synapse/blob/master/docs/workers.md ## More information is available at;
## https://github.com/matrix-org/synapse/blob/master/docs/workers.md
##
workers: workers:
# Default configuration, this is inherited into all workers ## Default configuration, this is inherited into all workers, and can also be
## overriden on each worker type.
##
default: default:
# The number of worker replicas, note that some workers require special ## The number of worker replicas, note that some workers require special
# handling. Refer to the information URL above. ## handling. Refer to the information URL above.
##
replicaCount: 1 replicaCount: 1
# Should workers provide Prometheus metrics. ## Annotations to apply to the worker.
metrics: false ##
annotations: {}
# prometheus.io/scrape: "true"
# prometheus.io/port: 9090
# Additional volume mounts to add to the worker. ## Additional environment variables to add to the worker.
# Useful for the media repo. ##
extraEnv: {}
# - name: USE_JEMALLOC
# value: "1"
# - name: SYNAPSE_CACHE_FACTOR
# value: "2"
## Additional volume mounts to add to the worker.
## Useful for the media repo.
##
volumeMounts: {} volumeMounts: {}
# Additional volumes to add to the worker. ## Additional volumes to add to the worker.
# Useful for the media repo. ## Useful for the media repo.
##
volumes: {} volumes: {}
## Security context information to set to the worker.
##
podSecurityContext: {} podSecurityContext: {}
# fsGroup: 666 # fsGroup: 666
# runAsGroup: 666 # runAsGroup: 666
# runAsUser: 666 # runAsUser: 666
## Container security context information to set to the worker.
##
securityContext: {} securityContext: {}
# capabilities: # capabilities:
# drop: # drop:
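Review bot: `extraEnv: {}` is declared as a map, but the commented example directly under it (`# - name: USE_JEMALLOC` / `# value: "1"`) is a list, and the same map-default-with-list-semantics pattern applies to `volumeMounts: {}` and `volumes: {}`, which Kubernetes renders as lists. Default these to `[]` so a user copying the example does not hit a type mismatch at render time. Two smaller points in the same hunk: the `metrics: false` key is dropped in favour of `annotations` without a note for existing values files, and "overriden" in the `default:` comment should read "overridden".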
@ -156,6 +269,9 @@ workers:
# readOnlyRootFilesystem: true # readOnlyRootFilesystem: true
# runAsNonRoot: true # runAsNonRoot: true
# runAsUser: 666 # runAsUser: 666
## Resources to apply to the worker.
##
resources: {} resources: {}
# limits: # limits:
# cpu: 100m # cpu: 100m
@ -163,14 +279,24 @@ workers:
# requests: # requests:
# cpu: 100m # cpu: 100m
# memory: 128Mi # memory: 128Mi
## Node selector configuration to set on the worker.
##
nodeSelector: {} nodeSelector: {}
## Toleration configuration to set on the worker.
##
tolerations: [] tolerations: []
## Affinity configuration to set on the worker.
##
affinity: {} affinity: {}
# The generic worker can be used to handle most endpoints. ## The generic worker can be used to handle most endpoints.
# Be careful when enabling the sync endpoints as they can eat large amounts of ## Be careful when enabling the sync endpoints as they can eat large amounts of
# resources. Refer to the information URL above for more info. ## resources. Refer to the information URL above for more info.
# Proper load balancing with the K8s Ingress resource may not be possible. ## Proper load balancing with the K8s Ingress resource may not be possible.
##
generic_worker: generic_worker:
enabled: false enabled: false
listeners: [client, federation] listeners: [client, federation]
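Review bot: "Proper load balancing with the K8s Ingress resource may not be possible" gives the reader nothing to act on. Since `generic_worker` inherits `replicaCount` from `workers.default`, the comment should say which of its listeners or paths need requests for the same user routed to one instance and refer to that section of the workers document, so that raising `replicaCount` above 1 is a deliberate choice rather than a surprise.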
@ -223,24 +349,28 @@ workers:
- "/_matrix/client/(api/v1|r0|unstable)/join/" - "/_matrix/client/(api/v1|r0|unstable)/join/"
- "/_matrix/client/(api/v1|r0|unstable)/profile/" - "/_matrix/client/(api/v1|r0|unstable)/profile/"
# This worker deals with pushing notifications. ## This worker deals with pushing notifications.
# NB; Only one instance of this worker can be run at a time, refer to the ## NB; Only one instance of this worker can be run at a time, refer to the
# information URL above. ## information URL above.
##
pusher: pusher:
enabled: false enabled: false
# This worker handles sending data to registered appservices. ## This worker handles sending data to registered appservices.
# NB; Only one instance of this worker can be run at at time, refer to the ## NB; Only one instance of this worker can be run at at time, refer to the
# information URL above. ## information URL above.
##
appservice: appservice:
enabled: false enabled: false
# This worker handles sending federation traffic to other Synapse servers. ## This worker handles sending federation traffic to other Synapse servers.
##
federation_sender: federation_sender:
enabled: false enabled: false
# This worker deals with serving and storing media. ## This worker deals with serving and storing media.
# NB; Running multiple instances will conflict with background jobs. ## NB; Running multiple instances will conflict with background jobs.
##
media_repository: media_repository:
enabled: false enabled: false
listeners: [media] listeners: [media]
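Review bot: `pusher`, `appservice` and `media_repository` all carry a comment that only one instance may run, yet each inherits `replicaCount` from `workers.default`, so setting `workers.default.replicaCount: 2` silently scales them too. Pin `replicaCount: 1` on these three entries (or have the template refuse a higher value for them) rather than relying on the comment; duplicate pushers or appservice senders produce duplicated notifications and transactions. Also "at at time" in the `appservice:` comment should read "at a time".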
@ -252,16 +382,18 @@ workers:
- "/_synapse/admin/v1/media/.*" - "/_synapse/admin/v1/media/.*"
- "/_synapse/admin/v1/quarantine_media/.*" - "/_synapse/admin/v1/quarantine_media/.*"
# This worker deals with user directory searches. ## This worker deals with user directory searches.
##
user_dir: user_dir:
enabled: false enabled: false
listeners: [client] listeners: [client]
paths: paths:
- "/_matrix/client/(api/v1|r0|unstable)/user_directory/search" - "/_matrix/client/(api/v1|r0|unstable)/user_directory/search"
# This worker handles key uploads, and may also stub out presence if that is ## This worker handles key uploads, and may also stub out presence if that is
# disabled. If you set extraConfig.use_presence=false then you may want to ## disabled. If you set extraConfig.use_presence=false then you may want to
# uncomment the second path. ## uncomment the second path.
##
frontend_proxy: frontend_proxy:
enabled: false enabled: false
listeners: [client] listeners: [client]
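Review bot: the `media_repository` path list in this area includes `/_synapse/admin/v1/media/.*` and `/_synapse/admin/v1/quarantine_media/.*`, while the ingress block later introduces `includeUnderscoreSynapse` to control whether `/_synapse` is exposed at all. Confirm that the ingress template drops these worker-level `/_synapse/admin` paths when `includeUnderscoreSynapse` is false; otherwise the flag only removes the catch-all and the admin endpoints stay reachable through the worker routes.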
@ -269,11 +401,38 @@ workers:
- "/_matrix/client/(api/v1|r0|unstable)/keys/upload" - "/_matrix/client/(api/v1|r0|unstable)/keys/upload"
# - "/_matrix/client/(api/v1|r0|unstable)/presence/[^/]+/status" # - "/_matrix/client/(api/v1|r0|unstable)/presence/[^/]+/status"
## Set up an init container to chown the mounted media if necessary.
##
volumePermissions:
enabled: false
image:
repository: alpine
tag: latest
pullPolicy: Always
resources: {}
# resources:
# requests:
# memory: 128Mi
# cpu: 100m
## Configuration for the pod security policy, Synapse will by default run as its
## own user, even if not set.
## Note that changing this may also require you to use the volumePermission
## helper depending on your storage.
##
## NB; The synapse install is currently unable to run as anything but UID:GID
## 666:666.
##
podSecurityContext: {} podSecurityContext: {}
# fsGroup: 666 # fsGroup: 666
# runAsGroup: 666 # runAsGroup: 666
# runAsUser: 666 # runAsUser: 666
## Configuration for the container security policy, refer to the above
## podSecurityContext for more relevant information.
##
securityContext: {} securityContext: {}
# capabilities: # capabilities:
# drop: # drop:
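Review bot: the `volumePermissions` init container defaults to `repository: alpine`, `tag: latest`, `pullPolicy: Always`, so every pod start pulls an unpinned image that runs a chown over the media volume. Pin a specific tag (ideally a digest) and default `pullPolicy` to `IfNotPresent` so the privileged step is reproducible and does not depend on whatever `latest` resolves to. In the same hunk, the comment refers to the "volumePermission helper" while the key is `volumePermissions`, and given the `NB` that Synapse can only run as 666:666, consider making `runAsUser: 666` / `runAsNonRoot: true` real defaults instead of commented examples.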
@ -282,44 +441,76 @@ securityContext: {}
# runAsNonRoot: true # runAsNonRoot: true
# runAsUser: 666 # runAsUser: 666
## The K8s ingress configuration, this will be quite heavily used in order to set
## up all routing necessary for use with a sharded Synapse instance.
## If you're not using a Ingress compatible K8s ingress, you will need to set up
## your own routing instead.
##
ingress: ingress:
enabled: true enabled: true
# Generate traefik-compatible regex paths instead of nginx-compatible ones ## Generate traefik-compatible regex paths instead of nginx-compatible ones.
##
traefikPaths: false traefikPaths: false
# Annotations to apply to the created ingress resource ## Annotations to apply to the created ingress resource.
##
annotations: annotations:
nginx.ingress.kubernetes.io/use-regex: "true" # nginx.ingress.kubernetes.io/use-regex: "true"
# kubernetes.io/ingress.class: nginx # kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true" # kubernetes.io/tls-acme: "true"
# Additional hosts to add to the ingress configuration ## Additional hosts to add to the ingress configuration.
# NB; config.serverName is included if includeServerName is set (default) ## NB; config.serverName is included if includeServerName is set. (default)
##
hosts: [] hosts: []
# - matrix.example.com # - matrix.example.com
# Should config.serverName be included in the list of ingress paths, can be ## Additional paths to add to the ingress blocks, will be inserted before the
# set to false if the main domain is managed in some external way. ## /_matrix and /synapse catch-all paths.
##
paths: []
# - path: /_matrix/media
# backend:
# serviceName: matrix-media-repo
# servicePort: 8000
## Should the /_synapse path be included in the ingress, admin APIs are
## provided under this path.
##
includeUnderscoreSynapse: true
## Should config.serverName be included in the list of ingress paths, can be
## set to false if the main domain is managed in some external way.
##
# includeServerName: false # includeServerName: false
# TLS configuration to include in the ingress configuration ## TLS configuration to include in the ingress configuration
##
tls: [] tls: []
# - secretName: chart-example-tls # - secretName: chart-example-tls
# hosts: # hosts:
# - example.com # - example.com
# - matrix.example.com # - matrix.example.com
## Resources to apply to the main Synapse pod.
##
resources: {} resources: {}
# limits: # limits:
# cpu: 100m # cpu: 1000m
# memory: 128Mi # memory: 2500Mi
# requests: # requests:
# cpu: 100m # cpu: 1000m
# memory: 128Mi # memory: 2500Mi
## Node selectors to set for the main Synapse pod.
##
nodeSelector: {} nodeSelector: {}
## Tolerations to set for the main Synapse pod.
##
tolerations: [] tolerations: []
## Affinity to set for the main Synapse pod.
##
affinity: {} affinity: {}
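Review bot: commenting out `nginx.ingress.kubernetes.io/use-regex: "true"` by default breaks the worker routing on ingress-nginx, because `traefikPaths: false` still generates regex paths (the `(api/v1|r0|unstable)` patterns seen above) and ingress-nginx only treats paths as regular expressions when that annotation is present. Without it the worker paths never match and traffic falls through to the catch-all, which defeats the sharding this hunk is meant to support; either keep the annotation enabled by default or guard it on a values flag and document it. Two further points: `includeUnderscoreSynapse: true` publishes the admin API on the public ingress by default, so the comment should advise restricting it (or default it to false), and "a Ingress" in the block header should read "an Ingress".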