More synapse chart work

2020-08-09 00:15:10 +02:00 · 2020-08-09 00:15:10 +02:00 · 7739b52dea
commit 7739b52dea
parent 414338d47a
11 changed files with 444 additions and 158 deletions
--- a/charts-wip/matrix-synapse/Chart.yaml
+++ b/charts-wip/matrix-synapse/Chart.yaml
@ -6,6 +6,9 @@ appVersion: 1.18.0

 type: application
 version: 0.1.0
+maintainers:
+  - name: Alexander Olofsson
+    email: ace@haxalot.com

 dependencies:
  - name: postgresql
--- a/charts-wip/matrix-synapse/README.md
+++ b/charts-wip/matrix-synapse/README.md
@ -0,0 +1,16 @@
+Matrix Synapse
+==============
+
+[Synapse](https://github.com/matrix-org/synapse) is the current reference implementation of the [Matrix protocol](https://matrix.org).
+
+## Prerequisites
+
+- Kubernetes 1.15+
+- Helm 3.0+
+- Ingress installed in the cluster
+
+**NB**; Matrix requires the use of valid certificates.
+
+## Installing
+
+
--- a/charts-wip/matrix-synapse/templates/NOTES.txt
+++ b/charts-wip/matrix-synapse/templates/NOTES.txt
@ -1,9 +1,11 @@
+** Note, this chart may take a while to finish setup, please be patient **
+
 {{- if not .Values.ingress.enabled }}
 Synapse has been installed without an ingress, you will need to manage
 accesses to the services yourself.
 {{- else }}
-Your Synapse install is now running, you should be able to access it on the
-following URL(s);
+Your Synapse install is now starting, you should soon be able to access it on
+the following URL(s);
  {{- range (concat .Values.ingress.hosts (list .Values.config.serverName)) }}
    {{- if $.Values.ingress.tls }}
 https://{{ . }}
@ -11,4 +13,23 @@ https://{{ . }}
 http://{{ . }}
    {{- end }}
  {{- end }}
+{{ if not .Values.wellknown.enabled }}
+Note that for federation to work you will need to either add an SRV record or
+set up a /.well-known/matrix/server response.
+Refer to https://github.com/matrix-org/synapse/blob/master/docs/federate.md
+for more information.
 {{- end }}
+
+{{- if .Values.config.enableRegistration }}
+You should be able to connect to your Synapse install with any compatible
+Matrix client - and register an account - as soon as final setup is done.
+
+You can also create an admin user with the following command;
+{{- else }}
+You can create a user in your new Synapse install by running the following
+command;
+{{- end }}
+
+    kubectl exec --namespace {{ .Release.Namespace }} {{ template "matrix-synapse" . }} -- register_new_matrix_user -c /synapse/config/homeserver.yaml -c /synapse/config/conf.d/secrets.yaml -u USERNAME -p PASSWORD --admin http://localhost:8008
+
+You can also specify --no-admin to create a non-admin user.
--- a/charts-wip/matrix-synapse/templates/_helpers.tpl
+++ b/charts-wip/matrix-synapse/templates/_helpers.tpl
@ -86,7 +86,7 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- if contains $name .Release.Name -}}
 {{- .Release.Name | trunc 63 | trimSuffix "-" -}}
 {{- else -}}
-{{- printf "%s-%s" .Release.Name "synapse-postgresql" | trunc 63 | trimSuffix "-" -}}
+{{- printf "%s-%s" .Release.Name "postgresql" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 {{- end -}}
 {{- end -}}
@ -99,7 +99,7 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- if contains $name .Release.Name -}}
 {{- .Release.Name | trunc 63 | trimSuffix "-" -}}
 {{- else -}}
-{{- printf "%s-%s" .Release.Name "synapse-redis" | trunc 63 | trimSuffix "-" -}}
+{{- printf "%s-%s" .Release.Name "redis" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 {{- end -}}
 {{- end -}}
@ -111,7 +111,7 @@ Set postgres host
 {{- if .Values.postgresql.enabled -}}
 {{- template "matrix-synapse.postgresql.fullname" . -}}
 {{- else -}}
-{{ required "A valid .Values.externalPostgresql.host is required" .Values.externalPostgresql.host }}
+{{ required "A valid externalPostgresql.host is required" .Values.externalPostgresql.host }}
 {{- end -}}
 {{- end -}}

@ -137,7 +137,7 @@ Set postgres port
 5432
 {{- end -}}
 {{- else -}}
-{{- required "A valid .Values.externalPostgresql.port is required" .Values.externalPostgresql.port -}}
+{{- required "A valid externalPostgresql.port is required" .Values.externalPostgresql.port -}}
 {{- end -}}
 {{- end -}}

@ -148,7 +148,7 @@ Set postgresql username
 {{- if .Values.postgresql.enabled -}}
 {{- default "postgres" .Values.postgresql.postgresqlUsername }}
 {{- else -}}
-{{ required "A valid .Values.externalPostgresql.username is required" .Values.externalPostgresql.username }}
+{{ required "A valid externalPostgresql.username is required" .Values.externalPostgresql.username }}
 {{- end -}}
 {{- end -}}

@ -159,7 +159,7 @@ Set postgresql password
 {{- if .Values.postgresql.enabled -}}
 {{- default "" .Values.postgresql.postgresqlPassword }}
 {{- else -}}
-{{ required "A valid .Values.externalPostgresql.password is required" .Values.externalPostgresql.password }}
+{{ required "A valid externalPostgresql.password is required" .Values.externalPostgresql.password }}
 {{- end -}}
 {{- end -}}

@ -170,7 +170,7 @@ Set postgresql database
 {{- if .Values.postgresql.enabled -}}
 {{- default "synapse" .Values.postgresql.postgresqlDatabase }}
 {{- else -}}
-{{ required "A valid .Values.externalPostgresql.database is required" .Values.externalPostgresql.database }}
+{{ required "A valid externalPostgresql.database is required" .Values.externalPostgresql.database }}
 {{- end -}}
 {{- end -}}

@ -181,7 +181,7 @@ Set redis host
 {{- if .Values.redis.enabled -}}
 {{- template "matrix-synapse.redis.fullname" . -}}-master
 {{- else -}}
-{{ required "A valid .Values.externalRedis.host is required" .Values.externalRedis.host }}
+{{ required "A valid externalRedis.host is required" .Values.externalRedis.host }}
 {{- end -}}
 {{- end -}}

@ -203,7 +203,7 @@ Set redis port
 {{- if .Values.redis.enabled -}}
 {{- default 6379 .Values.redis.redisPort }}
 {{- else -}}
-{{ required "A valid .Values.externalRedis.port is required" .Values.externalRedis.port }}
+{{ required "A valid externalRedis.port is required" .Values.externalRedis.port }}
 {{- end -}}
 {{- end -}}

--- a/charts-wip/matrix-synapse/templates/configuration.yaml
+++ b/charts-wip/matrix-synapse/templates/configuration.yaml
@ -33,14 +33,14 @@ data:

    ## Server ##

-    server_name: {{ .Values.config.serverName | quote }}
+    server_name: {{ required "You need to specify a server name" .Values.config.serverName | quote }}
+    public_baseurl: {{ .Values.config.publicBaseurl | default (printf "https://%s" .Values.config.serverName) | quote }}
    pid_file: /homeserver.pid
    web_client: False
    soft_file_limit: 0
    log_config: "/synapse/config/log.yaml"

-    trusted_third_party_id_servers:
-{{ .Values.config.thirdPartyIDServers | toYaml | indent 6 }}
+    trusted_third_party_id_servers: {{- .Values.config.thirdPartyIDServers | toYaml | nindent 6 }}

    ## Ports ##

@ -70,6 +70,9 @@ data:
        resources:
          - names: [replication]
            compress: false
+    {{- if .Values.config.extraListeners }}
+      {{ .Values.config.extraListeners | toYaml | nindent 6 }}
+    {{- end }}

    ## Performance ##

@ -161,58 +164,46 @@ data:

    # The trusted servers to download signing keys from.
    perspectives:
-      servers:
-{{ .Values.config.perspectiveServers | toYaml | indent 8 }}
+      servers: {{- .Values.config.perspectiveServers | toYaml | nindent 8 }}

    ## Workers ##
-{{- $default := .Values.workers.default -}}
-{{- range $worker, $config := .Values.workers -}}
-{{- if $config.enabled -}}
-{{- if eq $worker "pusher" }}
+
+    {{- $default := .Values.workers.default }}
+    {{- range $worker, $config := .Values.workers }}
+      {{- if $config.enabled }}
+        {{- if eq $worker "pusher" }}
    start_pushers: false
-{{- else if eq $worker "appservice" }}
+        {{- else if eq $worker "appservice" }}
    notify_appservices: false
-{{- else if eq $worker "federation_sender" }}
+        {{- else if eq $worker "federation_sender" }}
    send_federation: false
-{{- else if eq $worker "media_repository" }}
+        {{- else if eq $worker "media_repository" }}
    enable_media_repo: false
-{{- else if eq $worker "user_dir" }}
+        {{- else if eq $worker "user_dir" }}
    update_user_directory: false
-{{- end }}
-{{- end }}
-{{- end }}
+        {{- end }}
+      {{- end }}
+    {{- end }}

    {{- with .Values.extraConfig }}
    ## Extra config ##

-    {{ . | toYaml }}
+    {{ . | toYaml | nindent 4 }}
    {{- end }}

 {{- $default := .Values.workers.default -}}
 {{- range $worker, $config := .Values.workers -}}
-{{- if $config.enabled -}}
-{{- $name := $worker | replace "_" "-" }}
+  {{- if $config.enabled -}}
+    {{- $name := $worker | replace "_" "-" }}

  {{ $name }}.worker: |
    worker_app: "synapse.app.{{ $worker }}"

-    # The replication listener on the synapse to talk to.
    worker_main_http_uri: http://{{ include "matrix-synapse.fullname" $ }}:8008
    worker_replication_host: {{ include "matrix-synapse.replicationname" $ | quote }}
    worker_replication_http_port: 9093

-    {{- if or $config.listeners ($config.metrics | default $default.metrics) }}
    worker_listeners:
-    {{- if $config.listeners }}
-      - type: http
-        tls: false
-        port: 8083
-        resources:
-          - names:
-              {{ toYaml $config.listeners | nindent 14 }}
-            compress: false
-    {{- end }}
-    {{- if $config.metrics | default $default.metrics }}
      - type: http
        bind_addresses: ['0.0.0.0']
        tls: false
@ -220,9 +211,15 @@ data:
        resources:
          - names: [metrics]
            compress: false
-    {{- end }}
+    {{- if $config.listeners }}
+      - type: http
+        tls: false
+        port: 8083
+        resources:
+          - names: {{- toYaml $config.listeners | nindent 14 }}
+            compress: false
    {{- end }}

    worker_log_config: /synapse/config/log.yaml
-{{- end }}
+  {{- end }}
 {{- end }}
--- a/charts-wip/matrix-synapse/templates/deployment.yaml
+++ b/charts-wip/matrix-synapse/templates/deployment.yaml
@ -1,6 +1,7 @@
 {{- if not .Values.config.serverName -}}
 {{- fail "A valid .Values.config.serverName is required" -}}
 {{- end -}}
+{{- $needsVolumePermissions := and .Values.volumePermissions.enabled (or .Values.persistence.enabled .Values.persistence.existingClaim) }}
 ---
 apiVersion: apps/v1
 kind: Deployment
@ -8,21 +9,27 @@ metadata:
  name: {{ include "matrix-synapse.fullname" . }}
  labels:
    {{- include "matrix-synapse.labels" . | nindent 4 }}
-    component: synapse
+    app.kubernetes.io/component: synapse
 spec:
  replicas: {{ .Values.replicaCount }}
  selector:
    matchLabels:
      {{- include "matrix-synapse.selectorLabels" . | nindent 6 }}
-      component: synapse
+      app.kubernetes.io/component: synapse
  template:
    metadata:
      annotations:
        checksum/config: {{ include (print $.Template.BasePath "/configuration.yaml") . | sha256sum }}
        checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
+        {{- with .Values.annotations }}
+        {{ . | toYaml | nindent 8 }}
+        {{- end }}
      labels:
        {{- include "matrix-synapse.selectorLabels" . | nindent 8 }}
-        component: synapse
+        app.kubernetes.io/component: synapse
+        {{- with .Values.labels }}
+        {{ . | toYaml | nindent 8 }}
+        {{- end }}
    spec:
    {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
@ -59,6 +66,9 @@ spec:
                  name: {{ include "matrix-synapse.redis.fullname" . }}
                  key: redis-password
          {{- end }}
+          {{- with .Values.extraEnv }}
+            {{ . | toYaml }}
+          {{- end }}
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
          image: "{{ .Values.image.repository }}:{{ include "matrix-synapse.imageTag" . }}"
@ -147,24 +157,27 @@ metadata:
  name: {{ include "matrix-synapse.workername" (dict "global" $ "worker" $name) }}
  labels:
    {{- include "matrix-synapse.labels" $ | nindent 4 }}
-    component: worker
-    worker: {{ $name }}
+    app.kubernetes.io/component: {{ $name }}
 spec:
  replicas: {{ $config.replicaCount | default $default.replicaCount }}
  selector:
    matchLabels:
      {{- include "matrix-synapse.selectorLabels" $ | nindent 6 }}
-      component: worker
-      worker: {{ $name }}
+      app.kubernetes.io/component: {{ $name }}
  template:
    metadata:
      annotations:
        checksum/config: {{ include (print $.Template.BasePath "/configuration.yaml") $ | sha256sum }}
        checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") $ | sha256sum }}
+      {{- with ($config.annotations | default $default.annotations) }}
+        {{ . | toYaml | nindent 8 }}
+      {{- end }}
      labels:
        {{- include "matrix-synapse.selectorLabels" $ | nindent 8 }}
-        component: worker
-        worker: {{ $name }}
+        app.kubernetes.io/component: {{ $name }}
+      {{- with ($config.labels | default $default.labels) }}
+        {{ . | toYaml | nindent 8 }}
+      {{- end }}
    spec:
    {{- with $.Values.imagePullSecrets }}
      imagePullSecrets:
@ -172,6 +185,19 @@ spec:
    {{- end }}
      securityContext:
        {{- $config.podSecurityContext | default $default.podSecurityContext | toYaml | nindent 8 }}
+    {{- if and $needsVolumePermissions (eq $name "media-repository") }}
+      initContainers:
+        - name: volume-permissions
+          command: ["chown", "-R", "666:666", "/synapse/data"]
+          image: "{{ $.Values.volumePermissions.repository }}:{{ $.Values.volumePermissions.tag }}"
+          imagePullPolicy: {{ $.Values.volumePermissions.pullPolicy }}
+          securityContext:
+            runAsUser: 0
+          resources: {{ $.Values.volumePermissions.resources | toYaml | nindent 10 }}
+          volumeMounts:
+            - name: media
+              mountPath: /synapse/data
+    {{- end }}
      containers:
        - name: {{ $name }}
          command:
@ -184,16 +210,32 @@ spec:
                       > /synapse/config/conf.d/secrets.yaml

              /matrix-synapse synapse.app.{{ $worker }} -c /synapse/config/{{ $name }}.worker
+          env:
+          {{- if $.Values.postgresql.enabled }}
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "matrix-synapse.postgresql.fullname" $ }}
+                  key: postgresql-password
+          {{- end }}
+          {{- if and $.Values.redis.enabled (default $.Values.redis.usePassword true) }}
+            - name: REDIS_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "matrix-synapse.redis.fullname" $ }}
+                  key: redis-password
+          {{- end }}
+          {{- with default $config.extraEnv $default.extraEnv }}
+            {{ . | toYaml }}
+          {{- end }}
          securityContext:
            {{- $config.securityContext | default $default.securityContext | toYaml | nindent 12 }}
          image: "{{ $.Values.image.repository }}:{{ $.Chart.AppVersion }}"
          imagePullPolicy: {{ $.Values.image.pullPolicy }}
          ports:
-          {{- if $config.metrics | default $default.metrics }}
            - name: metrics
              containerPort: 9090
              protocol: TCP
-          {{- end }}
          {{- if $config.listeners }}
            - name: listener
              containerPort: 8083
--- a/charts-wip/matrix-synapse/templates/ingress.yaml
+++ b/charts-wip/matrix-synapse/templates/ingress.yaml
@ -56,11 +56,22 @@ spec:
          {{- end }}
        {{- end }}

+        {{- with $.Values.ingress.paths }}
+          {{ . | toYaml | nindent 10 }}
+        {{- end }}
+
          - path: /_matrix
            backend:
              serviceName: {{ $fullName }}
              servicePort: 8008

+        {{- if $.Values.ingress.includeUnderscoreSynapse }}
+          - path: /_synapse
+            backend:
+              serviceName: {{ $fullName }}
+              servicePort: 8008
+        {{- end }}
+
          - path: /.well-known/matrix/client
            backend:
              serviceName: {{ $fullName }}
--- a/charts-wip/matrix-synapse/templates/secrets.yaml
+++ b/charts-wip/matrix-synapse/templates/secrets.yaml
@ -21,7 +21,7 @@ stringData:

    ## Registration ##

-    registration_shared_secret: {{ .Values.config.registrationSharedSecret | quote }}
+    registration_shared_secret: {{ .Values.config.registrationSharedSecret | default (randAlphaNum 24) | quote }}

    ## API Configuration ##

@ -32,7 +32,6 @@ stringData:
 {{- $postgresUser := include "matrix-synapse.postgresql.username" . }}
 {{- $postgresPort := include "matrix-synapse.postgresql.port" . }}
 {{- $postgresPass := include "matrix-synapse.postgresql.password" . }}
-  database.yaml: |
    ## Database configuration ##

    database:
@ -53,31 +52,31 @@ stringData:
 {{- $redisHost := include "matrix-synapse.redis.host" . }}
 {{- $redisPort := include "matrix-synapse.redis.port" . }}
 {{- $redisPass := include "matrix-synapse.redis.password" . }}
-{{- if $redisHost }}
-  redis.yaml: |
    ## Redis configuration ##

    redis:
      enabled: true
      host: {{ $redisHost | quote }}
-      {{- if or .Values.redis.password .Values.externalRedis.password }}
+{{- if or .Values.redis.password .Values.externalRedis.password }}
  {{- if $redisPass }}
      password: {{ $redisPass | quote }}
  {{- else }}
      password: "@@REDIS_PASSWORD@@"
  {{- end }}
-      {{- end }}
 {{- end }}
-{{- if not .Values.signingkey.existingSecret }}
-{{- $name := include "matrix-synapse.workername" (dict "global" . "worker" "signingkey") }}
-{{- if not (lookup "v1" "Secret" .Release.Namespace $name) }}
+
+{{- if and .Values.signingkey.job.enabled (not .Values.signingkey.existingSecret) }}
+  {{- $name := include "matrix-synapse.workername" (dict "global" . "worker" "signingkey") }}
+  {{- if not (lookup "v1" "Secret" .Release.Namespace $name) }}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
+  annotations:
+    helm.sh/resource-policy: keep
  name: {{ $name }}
  labels:
    {{- include "matrix-synapse.labels" . | nindent 4 }}
-    job: {{ $name }}
-{{- end }}
+    app.kubernetes.io/component: signingkey-job
+  {{- end }}
 {{- end }}
--- a/charts-wip/matrix-synapse/templates/service.yaml
+++ b/charts-wip/matrix-synapse/templates/service.yaml
@ -13,7 +13,7 @@ spec:
      protocol: TCP
      name: http
  selector:
-    component: synapse
+    app.kubernetes.io/component: synapse
    {{- include "matrix-synapse.selectorLabels" . | nindent 4 }}
 ---
 apiVersion: v1
@ -31,7 +31,7 @@ spec:
      name: replication
  selector:
    {{- include "matrix-synapse.selectorLabels" . | nindent 4 }}
-    component: synapse
+    app.kubernetes.io/component: synapse
 {{- $default := .Values.workers.default }}
 {{- range $worker, $config := .Values.workers }}
 {{- if and $config.enabled $config.listeners }}
@ -53,7 +53,6 @@ spec:
      name: listener
  selector:
    {{- include "matrix-synapse.selectorLabels" $ | nindent 4 }}
-    component: worker
-    worker: {{ $name }}
+    app.kubernetes.io/component: {{ $name }}
 {{- end }}
 {{- end }}
--- a/charts-wip/matrix-synapse/templates/signing-key-job.yaml
+++ b/charts-wip/matrix-synapse/templates/signing-key-job.yaml
@ -3,6 +3,7 @@
 {{- fail "Can't specify both signingkey.job.enabled and signingkey.existingSecret" }}
 {{- end }}
 {{- $name := include "matrix-synapse.workername" (dict "global" . "worker" "signingkey-job") }}
+{{- $secretName := include "matrix-synapse.workername" (dict "global" . "worker" "signingkey") }}
 ---
 apiVersion: v1
 kind: ServiceAccount
@ -10,6 +11,7 @@ metadata:
  name: {{ $name }}
  labels:
    {{- include "matrix-synapse.labels" . | nindent 4 }}
+    app.kubernetes.io/component: signingkey-job
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@ -17,11 +19,14 @@ metadata:
  name: {{ $name }}
  labels:
    {{- include "matrix-synapse.labels" . | nindent 4 }}
+    app.kubernetes.io/component: signingkey-job
 rules:
  - apiGroups:
      - ""
    resources:
      - secrets
+    resourceNames:
+     - {{ $secretName }}
    verbs:
      - get
      - update
@ -31,6 +36,9 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: {{ $name }}
+  labels:
+    {{- include "matrix-synapse.labels" . | nindent 4 }}
+    app.kubernetes.io/component: signingkey-job
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
@ -46,16 +54,14 @@ metadata:
  name: {{ $name }}
  labels:
    {{- include "matrix-synapse.labels" . | nindent 4 }}
-    component: job
-    job: signing-key-generation
+    app.kubernetes.io/component: signingkey-job
 spec:
  ttlSecondsAfterFinished: 0
  template:
    metadata:
      labels:
        {{- include "matrix-synapse.labels" . | nindent 8 }}
-        component: job
-        job: signing-key-generation
+        app.kubernetes.io/component: signingkey-job
    spec:
      containers:
        - command:
@ -85,22 +91,22 @@ spec:
            - sh
            - -c
            - |
-              printf "Checking rights to create secret... "
-              kubectl auth can-i create secret/${SECRET_NAME}
+              printf "Checking rights to update secret... "
+              kubectl auth can-i update secret/${SECRET_NAME}
              echo "Waiting for key upload script"
              while ! [ -f /scripts/key-upload ]; do sleep 1; done
              /scripts/key-upload
          env:
            - name: SECRET_NAME
-              value: {{ $name }}
+              value: {{ $secretName }}
          image: bitnami/kubectl
          name: signing-key-upload
          resources:
            requests:
-              memory: 50Mi
+              memory: 100Mi
              cpu: 100m
            limits:
-              memory: 50Mi
+              memory: 100Mi
              cpu: 100m
          volumeMounts:
            - mountPath: /scripts
@ -109,6 +115,7 @@ spec:
            - mountPath: /synapse/keys
              name: matrix-synapse-keys
              readOnly: true
+      restartPolicy: Never
      serviceAccount: {{ $name }}
      volumes:
        - name: scripts
--- a/charts-wip/matrix-synapse/values.yaml
+++ b/charts-wip/matrix-synapse/values.yaml
@ -1,63 +1,116 @@
 ---
-# Docker image configuration, used for Synapse and workers
+## Docker image configuration, used for Synapse and workers.
+##
 image:
  repository: ananace/matrix-synapse
+  ## Tag to override with, will default to the application version.
+  ##
  # tag: ''
  pullPolicy: IfNotPresent
+  ## Optionally specify an array of imagePullSecrets.
+  ## Secrets must be manually created in the namespace.
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+  ##
+  # pullSecrets:
+  #   - myRegistryKeySecretName

-imagePullSecrets: []
-nameOverride: ""
-fullnameOverride: ""
+## Override part of the installed name, will still keep release name.
+##
+# nameOverride: ""

+## Override the full name of the installed chart.
+##
+# fullnameOverride: ""
+
+## The source of the signing key used by Synapse in federation.
+##
 signingkey:
+  ## Enable a Kubernetes job to generate and store a signing key if one does not
+  ## exist.
+  ##
  job:
    enabled: true

+  ## Specify an existing signing key secret, will need to be created in advance.
+  ##
  # existingSecret:
-  # existingSecretKey:
+  # existingSecretKey: signing.key

+## Common Matrix configuration values, for any value not handled by this block,
+## you will want to instead set it in extraConfig.
+##
 config:
+  ## The Matrix domain name, this is what will be used for the domain part in
+  ## your MXIDs.
+  ##
  # serverName: 'example.com'
-  eventCacheSize: 10K
-  maxUploadSize: 10M

-  logLevel: INFO
+  ## The publicly accessible URL for the Synapse instance, will default to
+  ## https://<serverName>.
+  ##
+  # publicBaseurl: 'https://example.com'

+  ## The size of the event cache.
+  ##
+  # eventCacheSize: 10K
+
+  ## The maximum allowed size of uploaded media.
+  ##
+  # maxUploadSize: 10M
+
+  ## The log level for Synapse and all modules.
+  ##
+  # logLevel: INFO
+
+  ## The recaptcha configuration for registering. (optional)
+  ##
  # recaptcha:
  #   publicKey:
  #   privateKey:

+  ## URIs and secret key for TURN servers to use to help establish 1:1 WebRTC
+  ## calls.
+  ##
  # turnUris: []
-  turnSecret: ''
+  # turnSecret: ''

-  enableRegistration: false
-  registrationSharedSecret: ''
-  allowGuests: false
+  ## Registration configuration, note that registration with the
+  ## container-internal register_new_matrix_user tool is always possible.
+  ##
+  # enableRegistration: false
+  ## Note; this value will default to a random string if not specified.
+  # registrationSharedSecret: ''
+  # allowGuests: false

-  reportStats: false
-
-  federationBlacklistIPs:
-    - '127.0.0.0/8'
-    - '10.0.0.0/8'
-    - '172.16.0.0/12'
-    - '192.168.0.0/16'
-    - '100.64.0.0/10'
-    - '169.254.0.0/16'
-    - '::1/128'
-    - 'fe80::/64'
-    - 'fc00::/7'
+  ## Should the Synapse instance report stats.
+  ##
+  # reportStats: false

+  ## Servers to contact when doing 3PID lookups - for example when searching for
+  ## Matrix users by email/phone number.
+  ##
  thirdPartyIDServers:
    - matrix.org
    - vector.im

+  ## A set of fallback servers - and their key fingerprint - to contact if a
+  ## server doesn't respond to a signing key request.
+  ##
  perspectiveServers:
    matrix.org:
      verify_keys:
        ed25519:auto:
          key: "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"

-# Specify arbitrary synapse configuration;
+  ## Extra listeners to configure.
+  ##
+  extraListeners: []
+  #  - port: 9000
+  #    bind_addresses: ['::']
+  #    type: manhole
+
+## Specify arbitrary synapse configuration here;
+##
 extraConfig: {}
 #  use_presence: false
 #  enable_search: false
@ -66,14 +119,39 @@ extraConfig: {}
 #    - nyc.example.com
 #    - syd.example.com

+## Annotations to apply to the main Synapse pod.
+##
+annotations: {}
+#  prometheus.io/scrape: "true"
+#  prometheus.io/port: 9090
+
+## Labels to apply to the main Synapse pod.
+##
+labels: {}
+
+## Additional environment variables to apply to the main Synapse pod
+##
+extraEnv: {}
+#  - name: USE_JEMALLOC
+#    value: "1"
+#  - name: SYNAPSE_CACHE_FACTOR
+#    value: "2"
+
+## This will set up a Lighttpd server to respond to any
+## /.well-known/matrix/server requests, to make federation possible without any
+## DNS changes.
+##
 wellknown:
  enabled: false
  # host: matrix.example.com
  # port: 443

+## This configuration is for setting up the internally provided Postgres server,
+## if you instead want to use an existing server, then you may want to set
+## enabled to false and configure the externalPostgresql block.
+##
 postgresql:
  enabled: true
-  nameOverride: synapse-postgresql

  postgresqlUsername: synapse
  postgresqlDatabase: synapse
@ -83,6 +161,9 @@ postgresql:
  persistence:
    size: 16G

+## An externally configured Postgres server to use for Synapse's database, note
+## that the database needs to have both COLLATE and CTYPE set to "C".
+##
 externalPostgresql:
  # host: postgres
  port: 5432
@ -91,9 +172,12 @@ externalPostgresql:
  database: synapse
  # sslMode: require

+## This configuration is for the internal Redis that's deployed for use with
+## workers/sharding, for an external Redis server you want to set enabled to
+## false and configure the externalRedis block.
+##
 redis:
  enabled: true
-  nameOverride: synapse-redis

  # usePassword: false
  # password: synapse
@ -101,20 +185,26 @@ redis:
    enabled: false
  master:
    persistence:
+      ## Note that Synapse only uses redis as a synchronization utility, so no
+      ## data will ever need to be persisted.
+      ##
      enabled: false
    statefulset:
      updateStrategy: RollingUpdate

+## An externally configured Redis server to use for workers/sharding.
+##
 externalRedis:
  # host: redis
  port: 6379
  # password: synapse

-# Persistence configuration for the media repository.
-# This PVC will be mounted in either Synapse or a media_repo worker.
-#
-# NB; If you want to be able to scale this, you will have to set the
-# accessMode to RWX/ReadWriteMany.
+## Persistence configuration for the media repository function.
+## This PVC will be mounted in either Synapse or a media_repo worker.
+##
+## NB; If you want to be able to scale this, you will have to set the
+## accessMode to RWX/ReadWriteMany.
+##
 persistence:
  enabled: true
  # existingClaim: synapse-data
@ -123,32 +213,55 @@ persistence:
  accessMode: ReadWriteOnce
  size: 10Gi

-# Configuration for handling Synapse workers, which are useful for handling
-# high-load deployments.
-# More information is available at;
-# https://github.com/matrix-org/synapse/blob/master/docs/workers.md
+## Configuration for handling Synapse workers, which are useful for handling
+## high-load deployments.
+##
+## More information is available at;
+## https://github.com/matrix-org/synapse/blob/master/docs/workers.md
+##
 workers:
-  # Default configuration, this is inherited into all workers
+  ## Default configuration, this is inherited into all workers, and can also be
+  ## overriden on each worker type.
+  ##
  default:
-    # The number of worker replicas, note that some workers require special
-    # handling. Refer to the information URL above.
+    ## The number of worker replicas, note that some workers require special
+    ## handling. Refer to the information URL above.
+    ##
    replicaCount: 1

-    # Should workers provide Prometheus metrics.
-    metrics: false
+    ## Annotations to apply to the worker.
+    ##
+    annotations: {}
+    #  prometheus.io/scrape: "true"
+    #  prometheus.io/port: 9090

-    # Additional volume mounts to add to the worker.
-    # Useful for the media repo.
+    ## Additional environment variables to add to the worker.
+    ##
+    extraEnv: {}
+    #  - name: USE_JEMALLOC
+    #    value: "1"
+    #  - name: SYNAPSE_CACHE_FACTOR
+    #    value: "2"
+
+    ## Additional volume mounts to add to the worker.
+    ## Useful for the media repo.
+    ##
    volumeMounts: {}

-    # Additional volumes to add to the worker.
-    # Useful for the media repo.
+    ## Additional volumes to add to the worker.
+    ## Useful for the media repo.
+    ##
    volumes: {}

+    ## Security context information to set to the worker.
+    ##
    podSecurityContext: {}
    #   fsGroup: 666
    #   runAsGroup: 666
    #   runAsUser: 666
+
+    ## Container security context information to set to the worker.
+    ##
    securityContext: {}
    #   capabilities:
    #     drop:
@ -156,6 +269,9 @@ workers:
    #   readOnlyRootFilesystem: true
    #   runAsNonRoot: true
    #   runAsUser: 666
+
+    ## Resources to apply to the worker.
+    ##
    resources: {}
    #   limits:
    #     cpu: 100m
@ -163,14 +279,24 @@ workers:
    #   requests:
    #     cpu: 100m
    #     memory: 128Mi
+
+    ## Node selector configuration to set on the worker.
+    ##
    nodeSelector: {}
+
+    ## Toleration configuration to set on the worker.
+    ##
    tolerations: []
+
+    ## Affinity configuration to set on the worker.
+    ##
    affinity: {}

-  # The generic worker can be used to handle most endpoints.
-  # Be careful when enabling the sync endpoints as they can eat large amounts of
-  # resources. Refer to the information URL above for more info.
-  # Proper load balancing with the K8s Ingress resource may not be possible.
+  ## The generic worker can be used to handle most endpoints.
+  ## Be careful when enabling the sync endpoints as they can eat large amounts of
+  ## resources. Refer to the information URL above for more info.
+  ## Proper load balancing with the K8s Ingress resource may not be possible.
+  ##
  generic_worker:
    enabled: false
    listeners: [client, federation]
@ -223,24 +349,28 @@ workers:
      - "/_matrix/client/(api/v1|r0|unstable)/join/"
      - "/_matrix/client/(api/v1|r0|unstable)/profile/"

-  # This worker deals with pushing notifications.
-  # NB; Only one instance of this worker can be run at a time, refer to the
-  # information URL above.
+  ## This worker deals with pushing notifications.
+  ## NB; Only one instance of this worker can be run at a time, refer to the
+  ## information URL above.
+  ##
  pusher:
    enabled: false

-  # This worker handles sending data to registered appservices.
-  # NB; Only one instance of this worker can be run at at time, refer to the
-  # information URL above.
+  ## This worker handles sending data to registered appservices.
+  ## NB; Only one instance of this worker can be run at at time, refer to the
+  ## information URL above.
+  ##
  appservice:
    enabled: false

-  # This worker handles sending federation traffic to other Synapse servers.
+  ## This worker handles sending federation traffic to other Synapse servers.
+  ##
  federation_sender:
    enabled: false

-  # This worker deals with serving and storing media.
-  # NB; Running multiple instances will conflict with background jobs.
+  ## This worker deals with serving and storing media.
+  ## NB; Running multiple instances will conflict with background jobs.
+  ##
  media_repository:
    enabled: false
    listeners: [media]
@ -252,16 +382,18 @@ workers:
      - "/_synapse/admin/v1/media/.*"
      - "/_synapse/admin/v1/quarantine_media/.*"

-  # This worker deals with user directory searches.
+  ## This worker deals with user directory searches.
+  ##
  user_dir:
    enabled: false
    listeners: [client]
    paths:
      - "/_matrix/client/(api/v1|r0|unstable)/user_directory/search"

-  # This worker handles key uploads, and may also stub out presence if that is
-  # disabled. If you set extraConfig.use_presence=false then you may want to
-  # uncomment the second path.
+  ## This worker handles key uploads, and may also stub out presence if that is
+  ## disabled. If you set extraConfig.use_presence=false then you may want to
+  ## uncomment the second path.
+  ##
  frontend_proxy:
    enabled: false
    listeners: [client]
@ -269,11 +401,38 @@ workers:
      - "/_matrix/client/(api/v1|r0|unstable)/keys/upload"
    # - "/_matrix/client/(api/v1|r0|unstable)/presence/[^/]+/status"

+## Set up an init container to chown the mounted media if necessary.
+##
+volumePermissions:
+  enabled: false
+
+  image:
+    repository: alpine
+    tag: latest
+    pullPolicy: Always
+
+  resources: {}
+  # resources:
+  #   requests:
+  #     memory: 128Mi
+  #     cpu: 100m
+
+## Configuration for the pod security policy, Synapse will by default run as its
+## own user, even if not set.
+## Note that changing this may also require you to use the volumePermission
+## helper depending on your storage.
+##
+## NB; The synapse install is currently unable to run as anything but UID:GID
+## 666:666.
+##
 podSecurityContext: {}
 #  fsGroup: 666
 #  runAsGroup: 666
 #  runAsUser: 666

+## Configuration for the container security policy, refer to the above
+## podSecurityContext for more relevant information.
+##
 securityContext: {}
 #  capabilities:
 #    drop:
@ -282,44 +441,76 @@ securityContext: {}
 #  runAsNonRoot: true
 #  runAsUser: 666

+## The K8s ingress configuration, this will be quite heavily used in order to set
+## up all routing necessary for use with a sharded Synapse instance.
+## If you're not using a Ingress compatible K8s ingress, you will need to set up
+## your own routing instead.
+##
 ingress:
  enabled: true

-  # Generate traefik-compatible regex paths instead of nginx-compatible ones
+  ## Generate traefik-compatible regex paths instead of nginx-compatible ones.
+  ##
  traefikPaths: false

-  # Annotations to apply to the created ingress resource
+  ## Annotations to apply to the created ingress resource.
+  ##
  annotations:
-    nginx.ingress.kubernetes.io/use-regex: "true"
+  #  nginx.ingress.kubernetes.io/use-regex: "true"
  #  kubernetes.io/ingress.class: nginx
  #  kubernetes.io/tls-acme: "true"

-  # Additional hosts to add to the ingress configuration
-  # NB; config.serverName is included if includeServerName is set (default)
+  ## Additional hosts to add to the ingress configuration.
+  ## NB; config.serverName is included if includeServerName is set. (default)
+  ##
  hosts: []
  #  - matrix.example.com

-  # Should config.serverName be included in the list of ingress paths, can be
-  # set to false if the main domain is managed in some external way.
+  ## Additional paths to add to the ingress blocks, will be inserted before the
+  ## /_matrix and /synapse catch-all paths.
+  ##
+  paths: []
+  #  - path: /_matrix/media
+  #    backend:
+  #      serviceName: matrix-media-repo
+  #      servicePort: 8000
+
+  ## Should the /_synapse path be included in the ingress, admin APIs are
+  ## provided under this path.
+  ##
+  includeUnderscoreSynapse: true
+
+  ## Should config.serverName be included in the list of ingress paths, can be
+  ## set to false if the main domain is managed in some external way.
+  ##
  # includeServerName: false

-  # TLS configuration to include in the ingress configuration
+  ## TLS configuration to include in the ingress configuration
+  ##
  tls: []
  #  - secretName: chart-example-tls
  #    hosts:
  #      - example.com
  #      - matrix.example.com

+## Resources to apply to the main Synapse pod.
+##
 resources: {}
-  # limits:
-  #   cpu: 100m
-  #   memory: 128Mi
-  # requests:
-  #   cpu: 100m
-  #   memory: 128Mi
+#  limits:
+#    cpu: 1000m
+#    memory: 2500Mi
+#  requests:
+#    cpu: 1000m
+#    memory: 2500Mi

+## Node selectors to set for the main Synapse pod.
+##
 nodeSelector: {}

+## Tolerations to set for the main Synapse pod.
+##
 tolerations: []

+## Affinity to set for the main Synapse pod.
+##
 affinity: {}