Update Matrix Synapse version and add new requirements

Tommy 2024-01-18 10:25:18 +01:00
parent 7f6e6af336
commit a09ed65baa
No known key found for this signature in database
16 changed files with 205 additions and 683 deletions


@ -5,7 +5,7 @@ icon: https://matrix.org/images/matrix-logo.svg
appVersion: 1.99.0
type: application
version: 4.0.1
version: 4.0.4
maintainers:
- name: Tommy Skaug
email: tommy@skaug.me


@ -1,6 +1,11 @@
Matrix Synapse
==============
pip3 install pynacl
[Synapse](https://github.com/matrix-org/synapse) is the current reference implementation of the [Matrix protocol](https://matrix.org).
For questions/help on the chart, feel free to drop in at [#matrix-on-kubernetes:fiksel.info](https://matrix.to/#/#matrix-on-kubernetes:fiksel.info).


@ -0,0 +1,61 @@
#!/usr/bin/env python
#
# This file is licensed under the Affero General Public License (AGPL) version 3.
#
# Copyright (C) 2023 New Vector, Ltd
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# See the GNU Affero General Public License for more details:
# <https://www.gnu.org/licenses/agpl-3.0.html>.
#
# Originally licensed under the Apache License, Version 2.0:
# <http://www.apache.org/licenses/LICENSE-2.0>.
#
# [This file includes modifications made by New Vector Limited]
#
#
import argparse
import secrets
import string
import base64
import os
import sys
from signedjson.key import generate_signing_key, write_signing_keys
def random_string(length: int) -> str:
"""Generate a cryptographically secure string of random letters.
Drawn from the characters: `a-z` and `A-Z`
"""
return "".join(secrets.choice(string.ascii_letters) for _ in range(length))
def main() -> None:
parser = argparse.ArgumentParser()
parser.add_argument(
"-o",
"--output_file",
type=str,
default="-",
help="Where to write the output to",
)
args = parser.parse_args()
key_id = "a_" + random_string(4)
key = (generate_signing_key(key_id),)
if args.output_file == "-":
write_signing_keys(sys.stdout, key)
else:
with open(
args.output_file, "w", opener=lambda p, f: os.open(p, f, mode=0o640)
) as signing_key_file:
write_signing_keys(signing_key_file, key)
if __name__ == "__main__":
main()
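Review bot: The output path is opened with plain `"w"` (O_CREAT|O_TRUNC), so running the script with `-o` against a path that already holds a signing key silently overwrites it, and since the chart now appears to take the key from `signingkey.existingSecret` rather than generating it in-cluster, an accidental re-run would replace the key other homeservers use to verify this server's events. Passing `O_EXCL` through the opener makes the script refuse to clobber an existing file: `args.output_file, "w", opener=lambda p, f: os.open(p, f | os.O_EXCL, mode=0o640)`. Note that `0o640` leaves the private key group-readable; `0o600` is the usual choice unless group access is intended. The `base64` import is unused.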


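--- /dev/null
+++ b/requirements.txt
@@ -0,0 +1,2 @@
+signedjson
+python-secrets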
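Review bot: `python-secrets` is not needed by the new generate_signing_key.py — its `import secrets` resolves to the standard-library module on Python 3.6+ — so this line pulls an unrelated, unpinned package from PyPI into the step that produces the homeserver's signing key. Drop it, and pin the one real dependency (`signedjson`) to a specific version, ideally with `--hash` entries, so the key-generation tool is reproducible and not subject to whatever PyPI serves on the day.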


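--- a/scripts/signing-key.sh
+++ /dev/null
@@ -1,41 +0,0 @@
-#!/bin/sh
-set -eu
-check_key() {
-set +e
-echo "Checking for existing signing key..."
-key="$(kubectl get secret "$SECRET_NAME" -o jsonpath="{.data['signing\.key']}" 2> /dev/null)"
-[ $? -ne 0 ] && return 1
-[ -z "$key" ] && return 2
-return 0
-}
-create_key() {
-echo "Waiting for new signing key to be generated..."
-begin=$(date +%s)
-end=$((begin + 300)) # 5 minutes
-while true; do
-[ -f /synapse/keys/signing.key ] && return 0
-[ "$(date +%s)" -gt $end ] && return 1
-sleep 5
-done
-}
-store_key() {
-echo "Storing signing key in Kubernetes secret..."
-kubectl patch secret "$SECRET_NAME" -p "{\"data\":{\"signing.key\":\"$(base64 /synapse/keys/signing.key | tr -d '\n')\"}}"
-}
-if check_key; then
-echo "Key already in place, exiting."
-exit
-fi
-if ! create_key; then
-echo "Timed out waiting for a signing key to appear."
-exit 1
-fi
-store_key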


@ -1,29 +1,4 @@
** Note, this chart may take a while to finish setup, please be patient **
{{- if .Values.signingkey.job.enabled }}
** Also, remember to disable the signingkey job (signingkey.job.enabled=false) **
{{- end }}
{{- if not .Values.ingress.enabled }}
Synapse has been installed without an ingress, you will need to manage
accesses to the services yourself.
{{- else }}
Your Synapse install is now starting, you should soon be able to access it on
the following URL(s);
{{- range (concat .Values.ingress.csHosts (list (.Values.publicServerName | default .Values.serverName))) }}
{{- if $.Values.ingress.tls }}
https://{{ . }}
{{- else }}
http://{{ . }}
{{- end }}
{{- end }}
{{ if not .Values.wellknown.enabled }}
Note that for federation to work you will need to either add an SRV record or
set up a /.well-known/matrix/server response.
Refer to https://github.com/matrix-org/synapse/blob/master/docs/federate.md
for more information.
{{- end }}
{{- end }}
{{- if .Values.config.enableRegistration }}
You should be able to connect to your Synapse install with any compatible


@ -125,6 +125,7 @@ data:
## Registration ##
enable_registration: {{ .Values.config.enableRegistration | default false }}
registration_requires_token: {{ .Values.config.enableRegistration | default false }}
## Metrics ###
@ -136,6 +137,7 @@ data:
# The trusted servers to download signing keys from.
trusted_key_servers: {{- .Values.config.trustedKeyServers | toYaml | nindent 6 }}
suppress_key_server_warning: true
## Workers ##
{{- $default := .Values.workers.default }}
@ -144,7 +146,7 @@ data:
{{- if or (eq $worker "pusher") (eq ($config.app | default "") "pusher") }}
# For pusher worker
start_pushers: false
start_pushers: true
{{- else if or (eq $worker "appservice") (eq ($config.app | default "") "appservice") }}
# For appservice worker
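Review bot: The added `suppress_key_server_warning: true` silences the warning Synapse emits when `matrix.org` is listed in `trusted_key_servers` without `verify_keys`, and values.yaml in this same commit still ships the matrix.org entry with its `verify_keys` commented out, so the warning was pointing at a real gap: the key server's identity is then trusted on first use over TLS rather than pinned. Prefer dropping the line, or making it opt-in with `suppress_key_server_warning: {{ .Values.config.suppressKeyServerWarning | default false }}` and pinning `verify_keys` in values.yaml when an operator actually wants it quiet. Separately, if `start_pushers: true` is the new side of the pusher-worker branch rather than the old one, it looks inverted: this block appears to be emitted into the main homeserver config, where `false` is what hands pushing to the worker, so `true` would have both processes start pushers.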


@ -0,0 +1,20 @@
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "matrix-synapse.fullname" . }}-db-init
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": pre-install
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
template:
spec:
restartPolicy: Never
containers:
- name: general-db-init
image: "{{ .Values.initContainers.dbInit.image.repository }}:{{ .Values.initContainers.dbInit.image.tag }}"
envFrom:
- secretRef:
name: {{ .Values.externalPostgresql.existingSecret }}
backoffLimit: 3
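Review bot: The Job's pod spec has no `securityContext` at either pod or container level, yet the container is handed the database credentials from `externalPostgresql.existingSecret` via `envFrom` and runs an image referenced only by the mutable tag configured in values (`16` by default); a pre-install hook that runs before anything else in the release should at least drop privileges. Add a container securityContext (assuming the postgres-init image runs as a non-root user — confirm before enabling `runAsNonRoot`) and consider pinning the image by digest. Note also that values.yaml defines `initContainers.dbInit.envFrom` but this template never reads it, so operators editing that key get a silent no-op.
```yaml
      containers:
        - name: general-db-init
          image: "{{ .Values.initContainers.dbInit.image.repository }}:{{ .Values.initContainers.dbInit.image.tag }}"
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          # … unchanged: envFrom …
```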


@ -25,7 +25,6 @@ spec:
template:
metadata:
annotations:
checksum/config: {{ include (print $.Template.BasePath "/configuration.yaml") . | sha256sum }}
{{- with .Values.synapse.annotations }}
{{ . | toYaml | nindent 8 }}
{{- end }}
@ -158,12 +157,12 @@ spec:
name: {{ include "matrix-synapse.fullname" . }}
- name: secrets
secret:
secretName: {{ include "matrix-synapse.fullname" . }}
secretName: {{ $.Values.existingSecrets }}
- name: signingkey
secret:
secretName: {{ .Values.signingkey.existingSecret | default (include "matrix-synapse.workername" (dict "global" . "worker" "signingkey")) | quote }}
secretName: {{ $.Values.signingkey.existingSecret | quote }}
items:
- key: {{ .Values.signingkey.existingSecretKey | default "signing.key" | quote }}
- key: {{ $.Values.signingkey.existingSecretKey | default "signing.key" | quote }}
path: signing.key
- name: tmpconf
emptyDir: {}
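Review bot: Removing the `checksum/config` annotation (the only deletion in the first hunk) means a change to the rendered homeserver config — registration settings, trusted key servers — no longer rolls this Deployment, so pods keep running the old config until something else restarts them; the worker deployment in this same commit still carries its `checksum/config`, so the two now behave differently on a values change. Keep the annotation, or document in the chart that config changes require a manual rollout. In the volumes hunk, `secretName: {{ $.Values.signingkey.existingSecret | quote }}` and `secretName: {{ $.Values.existingSecrets }}` render as empty strings when the value is unset (the previous default naming is gone), which only fails at pod start; `{{ required "signingkey.existingSecret must be set" $.Values.signingkey.existingSecret | quote }}` fails the render instead, and the same applies to `existingSecrets`.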


@ -1,195 +0,0 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "matrix-synapse.fullname" . -}}
{{- $wkName := include "matrix-synapse.externalname" (dict "global" . "external" "wellknown-lighttpd") -}}
{{- $v1Ingress := .Capabilities.APIVersions.Has "networking.k8s.io/v1" -}}
{{- if $v1Ingress -}}
apiVersion: networking.k8s.io/v1
{{- else -}}
apiVersion: networking.k8s.io/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
{{- with .Values.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if .Values.ingress.className }}
ingressClassName: {{ .Values.ingress.className }}
{{- end }}
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
{{- if .secretName }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
{{- end }}
rules:
{{- $csHosts := .Values.ingress.csHosts }}
{{- if .Values.ingress.includeServerName }}
{{- $csHosts = concat (list (.Values.publicServerName | default .Values.serverName)) $csHosts }}
{{- end }}
{{- $s2sHosts := .Values.ingress.hosts }}
{{- if .Values.ingress.includeServerName }}
{{- $s2sHosts = concat (list .Values.serverName) $s2sHosts }}
{{- end }}
{{- $wkHosts := .Values.ingress.wkHosts }}
{{- if .Values.ingress.includeServerName }}
{{- $wkHosts = concat (list .Values.serverName) $wkHosts }}
{{- end }}
{{- $hosts := uniq (concat $s2sHosts $csHosts $wkHosts) }}
{{- range $hosts }}
{{- $host := . }}
- host: {{ . | quote }}
http:
paths:
{{- $default := $.Values.workers.default }}
{{- range $worker, $config := $.Values.workers }}
{{- $name := $worker | replace "_" "-" }}
{{- if and $config.enabled $config.listeners (or $config.paths $config.csPaths) }}
{{- $service := include "matrix-synapse.workername" (dict "global" $ "worker" $name) }}
{{- if has $host $csHosts }}
{{- range $config.csPaths }}
{{- if $.Values.ingress.traefikPaths }}
- path: {{ printf "/{path:%s}" (trimPrefix "/" .) | quote }}
backend:
{{- if $v1Ingress }}
service:
name: {{ $service }}
port:
number: 8083
pathType: ImplementationSpecific
{{- else }}
serviceName: {{ $service }}
servicePort: 8083
{{- end }}
{{- else }}
- path: {{ . | quote }}
backend:
{{- if $v1Ingress }}
service:
name: {{ $service }}
port:
number: 8083
pathType: ImplementationSpecific
{{- else }}
serviceName: {{ $service }}
servicePort: 8083
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- if has $host $s2sHosts }}
{{- range $config.paths }}
{{- if $.Values.ingress.traefikPaths }}
- path: {{ printf "/{path:%s}" (trimPrefix "/" .) | quote }}
backend:
{{- if $v1Ingress }}
service:
name: {{ $service }}
port:
number: 8083
pathType: ImplementationSpecific
{{- else }}
serviceName: {{ $service }}
servicePort: 8083
{{- end }}
{{- else }}
- path: {{ . | quote }}
backend:
{{- if $v1Ingress }}
service:
name: {{ $service }}
port:
number: 8083
pathType: ImplementationSpecific
{{- else }}
serviceName: {{ $service }}
servicePort: 8083
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- if has . $csHosts }}
{{- with $.Values.ingress.csPaths }}
{{ . | toYaml | nindent 10 }}
{{- end }}
{{- end }}
{{- if has . $s2sHosts }}
{{- with $.Values.ingress.paths }}
{{ . | toYaml | nindent 10 }}
{{- end }}
{{- end }}
{{- if or (has . $csHosts) (has . $s2sHosts) }}
- path: /_matrix
backend:
{{- if $v1Ingress }}
service:
name: {{ $fullName }}
port:
number: {{ $.Values.service.port }}
pathType: Prefix
{{- else }}
serviceName: {{ $fullName }}
servicePort: {{ $.Values.service.port }}
{{- end }}
{{- end }}
{{- if and (has . $csHosts) $.Values.ingress.includeUnderscoreSynapse }}
- path: /_synapse
backend:
{{- if $v1Ingress }}
service:
name: {{ $fullName }}
port:
number: {{ $.Values.service.port }}
pathType: Prefix
{{- else }}
serviceName: {{ $fullName }}
servicePort: {{ $.Values.service.port }}
{{- end }}
{{- end }}
{{- if has . $wkHosts }}
{{- if $.Values.wellknown.enabled }}
- path: /.well-known/matrix
backend:
{{- if $v1Ingress }}
service:
name: {{ $wkName }}
port:
number: {{ $.Values.wellknown.service.port | default 80 }}
pathType: Prefix
{{- else }}
serviceName: {{ $wkName }}
servicePort: {{ $.Values.wellknown.service.port | default 80 }}
{{- end }}
{{- else }}
- path: /.well-known/matrix
backend:
{{- if $v1Ingress }}
service:
name: {{ $fullName }}
port:
number: {{ $.Values.service.port }}
pathType: Prefix
{{- else }}
serviceName: {{ $fullName }}
servicePort: {{ $.Values.service.port }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}


@ -1,153 +0,0 @@
{{- if .Values.signingkey.job.enabled }}
{{- if .Values.signingkey.existingSecret }}
{{- fail "Can't specify both signingkey.job.enabled and signingkey.existingSecret" }}
{{- end }}
{{- $name := include "matrix-synapse.workername" (dict "global" . "worker" "signingkey-job") }}
{{- $secretName := include "matrix-synapse.workername" (dict "global" . "worker" "signingkey") }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ $name }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
app.kubernetes.io/component: signingkey-job
annotations:
helm.sh/hook: pre-install
helm.sh/hook-delete-policy: hook-succeeded
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ $name }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
app.kubernetes.io/component: signingkey-job
annotations:
helm.sh/hook: pre-install
helm.sh/hook-delete-policy: hook-succeeded
rules:
- apiGroups:
- ""
resources:
- secrets
resourceNames:
- {{ $secretName }}
verbs:
- get
- update
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ $name }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
app.kubernetes.io/component: signingkey-job
annotations:
helm.sh/hook: pre-install
helm.sh/hook-delete-policy: hook-succeeded
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ $name }}
subjects:
- kind: ServiceAccount
name: {{ $name }}
namespace: {{ .Release.Namespace }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ $name }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
app.kubernetes.io/component: signingkey-job
annotations:
helm.sh/hook: pre-install
helm.sh/hook-delete-policy: hook-succeeded
{{- with .Values.signingkey.job.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
ttlSecondsAfterFinished: 0
template:
metadata:
labels:
{{- include "matrix-synapse.labels" . | nindent 8 }}
app.kubernetes.io/component: signingkey-job
spec:
containers:
- command:
- sh
- -c
- |
echo "Generating signing key..."
if which generate_signing_key.py >/dev/null; then
generate_signing_key.py -o /synapse/keys/signing.key
else
generate_signing_key -o /synapse/keys/signing.key
fi
image: "{{ .Values.signingkey.job.generateImage.repository }}:{{ .Values.signingkey.job.generateImage.tag | default "latest" }}"
imagePullPolicy: {{ .Values.signingkey.job.generateImage.pullPolicy }}
name: signing-key-generate
resources:
{{- toYaml .Values.signingkey.resources | nindent 12 }}
volumeMounts:
- mountPath: /synapse/keys
name: matrix-synapse-keys
- command:
- sh
- -c
- |
printf "Checking rights to update secret... "
kubectl auth can-i update secret/${SECRET_NAME}
/scripts/signing-key.sh
env:
- name: SECRET_NAME
value: {{ $secretName }}
image: "{{ .Values.signingkey.job.publishImage.repository }}:{{ .Values.signingkey.job.publishImage.tag | default "latest" }}"
imagePullPolicy: {{ .Values.signingkey.job.publishImage.pullPolicy }}
name: signing-key-upload
resources:
{{- toYaml .Values.signingkey.resources | nindent 12 }}
volumeMounts:
- mountPath: /scripts
name: scripts
readOnly: true
- mountPath: /synapse/keys
name: matrix-synapse-keys
readOnly: true
restartPolicy: Never
serviceAccount: {{ $name }}
volumes:
- name: scripts
configMap:
name: {{ include "matrix-synapse.fullname" . }}-scripts
defaultMode: 0755
- name: matrix-synapse-keys
emptyDir: {}
parallelism: 1
completions: 1
backoffLimit: 1
---
apiVersion: v1
kind: Secret
metadata:
annotations:
helm.sh/hook: pre-install
helm.sh/hook-delete-policy: never
helm.sh/resource-policy: keep
argocd.argoproj.io/hook: Skip
argocd.argoproj.io/hook-delete-policy: Never
name: {{ $secretName }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
app.kubernetes.io/component: signingkey-job
{{ $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) -}}
{{ if $secret -}}
data:
signing.key: {{ (b64dec (index $secret.data "signing.key")) | b64enc }}
{{ end -}}
{{- end }}


@ -1,66 +0,0 @@
{{- if .Values.wellknown.enabled }}
{{- $wkName := include "matrix-synapse.externalname" (dict "global" . "external" "wellknown-lighttpd") -}}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ $wkName }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
component: well-known
data:
lighttpd.conf: |
server.port = 8080
{{ if .Values.wellknown.useIpv6}}
server.use-ipv6 = "enable"
{{ end }}
server.modules = (
"mod_rewrite",
"mod_status",
"mod_accesslog",
"mod_extforward",
"mod_setenv"
)
include "conf.d/00-mime-types.conf"
server.username = "lighttpd"
server.groupname = "lighttpd"
server.document-root = {{ .Values.wellknown.htdocsPath | quote }}
server.pid-file = "/run/lighttpd.pid"
url.rewrite-once = (
{{- $keys := concat (list "client" "server") (keys .Values.wellknown.extraData) }}
{{- range $key := initial $keys }}
"^/\.well-known/matrix/{{ $key }}" => "/{{ $key }}.json",
{{- end }}
"^/\.well-known/matrix/{{ last $keys }}" => "/{{ last $keys }}.json"
)
status.status-url = "/server-status"
extforward.forwarder = ( "all" => "trust")
setenv.add-response-header = (
"access-control-allow-headers" => "Origin, X-Requested-With, Content-Type, Accept, Authorization",
"access-control-allow-methods" => "GET, POST, PUT, DELETE, OPTIONS",
"access-control-allow-origin" => "*"
)
setenv.set-response-header = (
"content-type" => "application/json"
)
server.json: |-
{{- if .Values.wellknown.server }}
{{ toJson .Values.wellknown.server | nindent 4 }}
{{- else }}
{{ dict "m.server" (printf "%s:%d" (.Values.wellknown.host | default (.Values.publicServerName | default .Values.serverName)) (.Values.wellknown.port | default 443)) | toJson | indent 4 }}
{{- end }}
client.json: |-
{{- if .Values.wellknown.client }}
{{ toJson .Values.wellknown.client | nindent 4 }}
{{- else }}
{{ dict "m.homeserver" (dict "base_url" (printf "https://%s/" (.Values.publicServerName | default .Values.serverName))) | toJson | indent 4 }}
{{- end }}
{{- range $key, $value := .Values.wellknown.extraData }}
{{ $key }}.json: |-
{{- if $value | kindIs "string" -}}
{{ $value | nindent 4 }}
{{- else -}}
{{ $value | toJson | nindent 4 }}
{{- end -}}
{{- end -}}
{{- end -}}


@ -1,95 +0,0 @@
{{- if .Values.wellknown.enabled }}
{{- $wkName := include "matrix-synapse.externalname" (dict "global" . "external" "wellknown-lighttpd") -}}
---
apiVersion: v1
kind: Service
metadata:
name: {{ $wkName }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
app.kubernetes.io/component: well-known
spec:
type: {{ .Values.wellknown.service.type | default "ClusterIP" }}
ports:
- port: {{ .Values.wellknown.service.port | default 80 }}
targetPort: http
protocol: TCP
name: http
selector:
{{- include "matrix-synapse.selectorLabels" . | nindent 4 }}
app.kubernetes.io/component: well-known
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ $wkName }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
app.kubernetes.io/component: well-known
spec:
replicas: {{ .Values.wellknown.replicaCount | default 1 }}
selector:
matchLabels:
{{- include "matrix-synapse.selectorLabels" . | nindent 6 }}
app.kubernetes.io/component: well-known
template:
metadata:
annotations:
checksum/config: {{ include (print .Template.BasePath "/well-known-config.yaml") . | sha256sum }}
labels:
{{- include "matrix-synapse.selectorLabels" . | nindent 8 }}
app.kubernetes.io/component: well-known
spec:
{{- include "matrix-synapse.imagePullSecrets" . | nindent 6 }}
securityContext:
{{- toYaml .Values.wellknown.podSecurityContext | nindent 8 }}
containers:
- name: lighttpd
image: "{{ .Values.wellknown.image.repository }}:{{ .Values.wellknown.image.tag }}"
imagePullPolicy: {{ .Values.wellknown.image.pullPolicy }}
securityContext:
{{- toYaml .Values.wellknown.securityContext | nindent 12 }}
ports:
- containerPort: 8080
name: http
protocol: TCP
readinessProbe:
tcpSocket:
port: http
livenessProbe:
httpGet:
path: /server-status
port: http
volumeMounts:
- mountPath: /etc/lighttpd/lighttpd.conf
name: files
subPath: lighttpd.conf
{{- $keys := concat (list "client" "server") (keys .Values.wellknown.extraData) }}
{{- range $key := $keys }}
- mountPath: {{ $.Values.wellknown.htdocsPath }}/{{ $key }}.json
name: files
subPath: {{ $key }}.json
{{- end }}
- mountPath: /run
name: run
resources:
{{- toYaml .Values.wellknown.resources | nindent 12 }}
volumes:
- name: files
configMap:
name: {{ $wkName }}
- name: run
emptyDir: {}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}


@ -22,7 +22,7 @@ data:
{{- $app := $config.app | default $worker }}
{{ $name }}.worker: |
worker_app: "synapse.app.{{ (not (not $config.generic)) | ternary "generic_worker" $app }}"
worker_app: "synapse.app.generic_worker"
{{- if $config.name -}}
{{- if (gt ($config.replicaCount | int) 1) -}}
{{- fail "Replica count must be 1 if a worker has a unique name." -}}
@ -77,4 +77,4 @@ data:
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
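Review bot: If `worker_app: "synapse.app.generic_worker"` is the new line, the `$app` variable computed just above it (`{{- $app := $config.app | default $worker }}`) appears to have no remaining use in this hunk, while configuration.yaml in the same commit still branches on `$config.app` (`eq ($config.app | default "") "pusher"`), so the `app` key in values keeps steering the main config but no longer changes what the worker process runs as. Either remove `$app` together with the `app` values key, or add a template comment making the split explicit, e.g. `{{/* Every worker runs as generic_worker; $config.app only selects per-role settings in the main config */}}`. The enclosing `range` over workers starts before this hunk.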


@ -27,7 +27,6 @@ spec:
annotations:
checksum/config: {{ include (print $.Template.BasePath "/configuration.yaml") $ | sha256sum }}
checksum/worker-config: {{ include (print $.Template.BasePath "/worker-configuration.yaml") $ | sha256sum }}
checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") $ | sha256sum }}
{{- with ($config.annotations | default $default.annotations) }}
{{ . | toYaml | nindent 8 }}
{{- end }}
@ -160,6 +159,7 @@ spec:
mountPath: /synapse/secrets
- name: signingkey
mountPath: /synapse/keys
readOnly: false
{{- if eq $name "media-repository" }}
- name: media
mountPath: /synapse/data
@ -188,10 +188,10 @@ spec:
name: {{ include "matrix-synapse.workername" (dict "global" $ "worker" "workers") }}
- name: secrets
secret:
secretName: {{ include "matrix-synapse.fullname" $ }}
secretName: {{ $.Values.existingSecrets }}
- name: signingkey
secret:
secretName: {{ $.Values.signingkey.existingSecret | default (include "matrix-synapse.workername" (dict "global" $ "worker" "signingkey")) | quote }}
secretName: {{ $.Values.signingkey.existingSecret | quote }}
items:
- key: {{ $.Values.signingkey.existingSecretKey | default "signing.key" | quote }}
path: signing.key
@ -210,4 +210,4 @@ spec:
{{ . | toYaml | nindent 8 }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
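Review bot: The added `readOnly: false` on the `signingkey` mount (`mountPath: /synapse/keys`) declares that the worker may write to its signing-key volume, which nothing in a worker should need; current kubelets mount Secret volumes read-only regardless, so the flag is probably a no-op today, but it documents the wrong intent and will surprise whoever later changes the volume type. Use `readOnly: true`, matching the read-only treatment the deleted signing-key job gave the same path. As in the main deployment, `secretName: {{ $.Values.signingkey.existingSecret | quote }}` now renders empty when the value is unset; wrapping it in `required` fails the render instead of the pod.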


@ -1,4 +1,12 @@
---
initContainers:
dbInit:
image:
repository: ghcr.io/onedr0p/postgres-init
tag: "16"
envFrom:
- secretRef:
name: synapse-secret
## Docker image configuration, used for Synapse and workers.
##
image:
@ -124,7 +132,7 @@ config:
## signing key request.
##
trustedKeyServers:
- server_name: matrix.org
- server_name: matrix.org
# verify_keys:
# "ed25519:auto": "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"
@ -427,96 +435,96 @@ workers:
generic: true
listeners: [client, federation]
csPaths:
## Sync requests
# - "/_matrix/client/(r0|v3)/sync$"
- "/_matrix/client/(api/v1|r0|v3)/events$"
# - "/_matrix/client/(api/v1|r0|v3)/initialSync$"
# - "/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$"
## Sync requests
# - "/_matrix/client/(r0|v3)/sync$"
- "/_matrix/client/(api/v1|r0|v3)/events$"
# - "/_matrix/client/(api/v1|r0|v3)/initialSync$"
# - "/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$"
## Client API requests
- "/_matrix/client/(api/v1|r0|v3|unstable)/createRoom$"
- "/_matrix/client/(api/v1|r0|v3|unstable)/publicRooms$"
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/joined_members$"
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/context/"
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/members$"
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state$"
- "/_matrix/client/v1/rooms/.*/hierarchy$"
- "/_matrix/client/unstable/org.matrix.msc2716/rooms/.*/batch_send$"
- "/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$"
- "/_matrix/client/(r0|v3|unstable)/account/3pid$"
- "/_matrix/client/(r0|v3|unstable)/account/whoami$"
- "/_matrix/client/(r0|v3|unstable)/devices$"
- "/_matrix/client/versions$"
- "/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer$"
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/event/"
- "/_matrix/client/(api/v1|r0|v3|unstable)/joined_rooms$"
- "/_matrix/client/(api/v1|r0|v3|unstable)/search$"
## Client API requests
- "/_matrix/client/(api/v1|r0|v3|unstable)/createRoom$"
- "/_matrix/client/(api/v1|r0|v3|unstable)/publicRooms$"
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/joined_members$"
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/context/"
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/members$"
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state$"
- "/_matrix/client/v1/rooms/.*/hierarchy$"
- "/_matrix/client/unstable/org.matrix.msc2716/rooms/.*/batch_send$"
- "/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$"
- "/_matrix/client/(r0|v3|unstable)/account/3pid$"
- "/_matrix/client/(r0|v3|unstable)/account/whoami$"
- "/_matrix/client/(r0|v3|unstable)/devices$"
- "/_matrix/client/versions$"
- "/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer$"
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/event/"
- "/_matrix/client/(api/v1|r0|v3|unstable)/joined_rooms$"
- "/_matrix/client/(api/v1|r0|v3|unstable)/search$"
## Encryption requests
- "/_matrix/client/(r0|v3|unstable)/keys/query$"
- "/_matrix/client/(r0|v3|unstable)/keys/changes$"
- "/_matrix/client/(r0|v3|unstable)/keys/claim$"
- "/_matrix/client/(r0|v3|unstable)/room_keys/"
## Encryption requests
- "/_matrix/client/(r0|v3|unstable)/keys/query$"
- "/_matrix/client/(r0|v3|unstable)/keys/changes$"
- "/_matrix/client/(r0|v3|unstable)/keys/claim$"
- "/_matrix/client/(r0|v3|unstable)/room_keys/"
## Registration/login requests
- "/_matrix/client/(api/v1|r0|v3|unstable)/login$"
- "/_matrix/client/(r0|v3|unstable)/register$"
- "/_matrix/client/v1/register/m.login.registration_token/validity$"
## Registration/login requests
- "/_matrix/client/(api/v1|r0|v3|unstable)/login$"
- "/_matrix/client/(r0|v3|unstable)/register$"
- "/_matrix/client/v1/register/m.login.registration_token/validity$"
## Event sending requests
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/redact"
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/send"
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state/"
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$"
- "/_matrix/client/(api/v1|r0|v3|unstable)/join/"
- "/_matrix/client/(api/v1|r0|v3|unstable)/profile/"
## Event sending requests
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/redact"
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/send"
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state/"
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$"
- "/_matrix/client/(api/v1|r0|v3|unstable)/join/"
- "/_matrix/client/(api/v1|r0|v3|unstable)/profile/"
## User directory search requests
- "/_matrix/client/(r0|v3|unstable)/user_directory/search"
## User directory search requests
- "/_matrix/client/(r0|v3|unstable)/user_directory/search"
## Worker event streams
## See https://matrix-org.github.io/synapse/latest/workers.html#stream-writers
##
## Worker event streams
## See https://matrix-org.github.io/synapse/latest/workers.html#stream-writers
##
## The typing event stream
# - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/typing"
## The typing event stream
# - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/typing"
## The to_device event stream
# - "/_matrix/client/(r0|v3|unstable)/sendToDevice/"
## The to_device event stream
# - "/_matrix/client/(r0|v3|unstable)/sendToDevice/"
## The account_data event stream
# - "/_matrix/client/(r0|v3|unstable)/.*/tags"
# - "/_matrix/client/(r0|v3|unstable)/.*/account_data"
## The account_data event stream
# - "/_matrix/client/(r0|v3|unstable)/.*/tags"
# - "/_matrix/client/(r0|v3|unstable)/.*/account_data"
## The receipts event stream
# - "/_matrix/client/(r0|v3|unstable)/rooms/.*/receipt"
# - "/_matrix/client/(r0|v3|unstable)/rooms/.*/read_markers"
## The receipts event stream
# - "/_matrix/client/(r0|v3|unstable)/rooms/.*/receipt"
# - "/_matrix/client/(r0|v3|unstable)/rooms/.*/read_markers"
## The presence event stream
# - "/_matrix/client/(api/v1|r0|v3|unstable)/presence/"
## The presence event stream
# - "/_matrix/client/(api/v1|r0|v3|unstable)/presence/"
paths:
## Federation requests
- "/_matrix/federation/v1/event/"
- "/_matrix/federation/v1/state/"
- "/_matrix/federation/v1/state_ids/"
- "/_matrix/federation/v1/backfill/"
- "/_matrix/federation/v1/get_missing_events/"
- "/_matrix/federation/v1/publicRooms"
- "/_matrix/federation/v1/query/"
- "/_matrix/federation/v1/make_join/"
- "/_matrix/federation/v1/make_leave/"
- "/_matrix/federation/(v1|v2)/send_join/"
- "/_matrix/federation/(v1|v2)/send_leave/"
- "/_matrix/federation/(v1|v2)/invite/"
- "/_matrix/federation/v1/event_auth/"
- "/_matrix/federation/v1/exchange_third_party_invite/"
- "/_matrix/federation/v1/user/devices/"
- "/_matrix/key/v2/query"
- "/_matrix/federation/v1/hierarchy/"
## Federation requests
- "/_matrix/federation/v1/event/"
- "/_matrix/federation/v1/state/"
- "/_matrix/federation/v1/state_ids/"
- "/_matrix/federation/v1/backfill/"
- "/_matrix/federation/v1/get_missing_events/"
- "/_matrix/federation/v1/publicRooms"
- "/_matrix/federation/v1/query/"
- "/_matrix/federation/v1/make_join/"
- "/_matrix/federation/v1/make_leave/"
- "/_matrix/federation/(v1|v2)/send_join/"
- "/_matrix/federation/(v1|v2)/send_leave/"
- "/_matrix/federation/(v1|v2)/invite/"
- "/_matrix/federation/v1/event_auth/"
- "/_matrix/federation/v1/exchange_third_party_invite/"
- "/_matrix/federation/v1/user/devices/"
- "/_matrix/key/v2/query"
- "/_matrix/federation/v1/hierarchy/"
## Inbound federation transaction request
- "/_matrix/federation/v1/send/"
## Inbound federation transaction request
- "/_matrix/federation/v1/send/"
## To separate the generic worker into specific concerns - for example federation transaction receiving;
## NB; This worker should have incoming traffic routed based on source IP, which is
@ -580,15 +588,15 @@ workers:
enabled: false
listeners: [media]
csPaths:
- "/_matrix/media/.*"
- "/_synapse/admin/v1/purge_media_cache$"
- "/_synapse/admin/v1/room/.*/media"
- "/_synapse/admin/v1/user/.*/media"
- "/_synapse/admin/v1/media/"
- "/_synapse/admin/v1/quarantine_media/"
- "/_synapse/admin/v1/users/.*/media$"
- "/_matrix/media/.*"
- "/_synapse/admin/v1/purge_media_cache$"
- "/_synapse/admin/v1/room/.*/media"
- "/_synapse/admin/v1/user/.*/media"
- "/_synapse/admin/v1/media/"
- "/_synapse/admin/v1/quarantine_media/"
- "/_synapse/admin/v1/users/.*/media$"
paths:
- "/_matrix/media/.*"
- "/_matrix/media/.*"
## This worker deals with user directory searches.
##
@ -597,7 +605,7 @@ workers:
name: userdir
listeners: [client]
csPaths:
- "/_matrix/client/(api/v1|r0|v3|unstable)/user_directory/search$"
- "/_matrix/client/(api/v1|r0|v3|unstable)/user_directory/search$"
## This worker handles key uploads, and may also stub out presence if that is
## disabled. If you set extraConfig.use_presence=false then you may want to
@ -607,7 +615,7 @@ workers:
enabled: false
listeners: [client]
csPaths:
- "/_matrix/client/(api/v1|r0|v3|unstable)/keys/upload"
- "/_matrix/client/(api/v1|r0|v3|unstable)/keys/upload"
# - "/_matrix/client/(api/v1|r0|v3|unstable)/presence/[^/]+/status"
## This will set up a Lighttpd server to respond to any
@ -643,13 +651,13 @@ wellknown:
## Dictionaries will be JSON converted, plain strings will be served as they are
##
extraData: {}
## MSC1929 example;
# support:
# admins:
# - matrix_id: '@admin:example.com'
# email_address: 'admin@example.com'
# role: 'admin'
# support_page: 'https://example.com/support'
## MSC1929 example;
# support:
# admins:
# - matrix_id: '@admin:example.com'
# email_address: 'admin@example.com'
# role: 'admin'
# support_page: 'https://example.com/support'
## A custom htdocs path, useful when running another image.
##
@ -966,5 +974,5 @@ ingress:
serviceAccount:
create: false
annotations: {}
# eks.amazonaws.com/role-arn: arn:aws:iam::000000000000:role/matrix-synapse
# eks.amazonaws.com/role-arn: arn:aws:iam::000000000000:role/matrix-synapse
# name: non-default-service-name
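Review bot: The new `initContainers.dbInit.envFrom` block (`secretRef: name: synapse-secret`) has no consumer — the db-init Job template added in this commit reads `externalPostgresql.existingSecret` instead — so it is dead configuration that points operators at the wrong key for the database credentials. Either have the template consume it or remove it, and document the key that is actually read, e.g. `## Credentials for the db-init hook are taken from externalPostgresql.existingSecret, not from here.`. The image is also referenced by the floating tag `"16"`; a `digest:` value alongside `tag:` would stop a hook that receives database credentials from silently changing between installs.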