diff --git a/charts/matrix-synapse/Chart.yaml b/charts/matrix-synapse/Chart.yaml index 2760af8..b40d6d8 100644 --- a/charts/matrix-synapse/Chart.yaml +++ b/charts/matrix-synapse/Chart.yaml @@ -5,7 +5,7 @@ icon: https://matrix.org/images/matrix-logo.svg appVersion: 1.99.0 type: application -version: 4.0.1 +version: 4.0.4 maintainers: - name: Tommy Skaug email: tommy@skaug.me diff --git a/charts/matrix-synapse/README.md b/charts/matrix-synapse/README.md index 5528a1a..4737e06 100644 --- a/charts/matrix-synapse/README.md +++ b/charts/matrix-synapse/README.md @@ -1,6 +1,11 @@ Matrix Synapse ============== +pip3 install pynacl + + + + [Synapse](https://github.com/matrix-org/synapse) is the current reference implementation of the [Matrix protocol](https://matrix.org). For questions/help on the chart, feel free to drop in at [#matrix-on-kubernetes:fiksel.info](https://matrix.to/#/#matrix-on-kubernetes:fiksel.info). diff --git a/charts/matrix-synapse/scripts/generate-signingkey.py b/charts/matrix-synapse/scripts/generate-signingkey.py new file mode 100644 index 0000000..68146c8 --- /dev/null +++ b/charts/matrix-synapse/scripts/generate-signingkey.py 
@@ -0,0 +1,61 @@
+#!/usr/bin/env python
+#
+# This file is licensed under the Affero General Public License (AGPL) version 3.
+#
+# Copyright (C) 2023 New Vector, Ltd
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# See the GNU Affero General Public License for more details:
+# .
+#
+# Originally licensed under the Apache License, Version 2.0:
+# .
+#
+# [This file includes modifications made by New Vector Limited]
+#
+#
+import argparse
+import secrets
+import string
+import base64
+import os
+import sys
+
+from signedjson.key import generate_signing_key, write_signing_keys
+
+def random_string(length: int) -> str:
+    """Generate a cryptographically secure string of random letters.
+
+    Drawn from the characters: `a-z` and `A-Z`
+    """
+    return "".join(secrets.choice(string.ascii_letters) for _ in range(length))
+
+def main() -> None:
+    parser = argparse.ArgumentParser()
+
+    parser.add_argument(
+        "-o",
+        "--output_file",
+        type=str,
+        default="-",
+        help="Where to write the output to",
+    )
+    args = parser.parse_args()
+
+    key_id = "a_" + random_string(4)
+    key = (generate_signing_key(key_id),)
+    if args.output_file == "-":
+        write_signing_keys(sys.stdout, key)
+    else:
+        with open(
+            args.output_file, "w", opener=lambda p, f: os.open(p, f, mode=0o640)
+        ) as signing_key_file:
+            write_signing_keys(signing_key_file, key)
+
+
+if __name__ == "__main__":
+    main()
\ No newline at end of file
diff --git a/charts/matrix-synapse/scripts/requirements.txt b/charts/matrix-synapse/scripts/requirements.txt
new file mode 100644
index 0000000..6627beb
--- /dev/null
+++ b/charts/matrix-synapse/scripts/requirements.txt
@@ -0,0 +1,2 @@
+signedjson
+python-secrets
\ No newline at end of file
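Review bot: The `opener` on the `with open(...)` call at the end of `main` only applies mode 0o640 when the file is created: if `args.output_file` already exists, `"w"` truncates and overwrites the existing signing key while keeping whatever permissions the old file had, and the mode is further narrowed by the umask. Since this is the homeserver's private signing key, refusing to overwrite an existing key and keeping it owner-only is the safer default, e.g. `opener=lambda p, f: os.open(p, f | os.O_EXCL, mode=0o600)`, which raises `FileExistsError` instead of silently rotating the key. `base64` is imported but never used in this file and can be dropped. The two `# .` lines in the license header appear to have lost their URLs; confirm against the script this header was copied from.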
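Review bot: `python-secrets` on the second line of requirements.txt is not the module the script imports — `secrets` has been in the standard library since Python 3.6 — so this entry installs an unrelated third-party package for nothing and should be removed. Neither entry is pinned; since `signedjson` is what generates the homeserver's signing key, pin it to an exact version (`signedjson==<version>`) so the install is reproducible.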
diff --git a/charts/matrix-synapse/scripts/signing-key.sh b/charts/matrix-synapse/scripts/signing-key.sh deleted file mode 100644 index 5d1b941..0000000 --- a/charts/matrix-synapse/scripts/signing-key.sh +++ /dev/null @@ -1,41 +0,0 @@ -#!/bin/sh - -set -eu - -check_key() { - set +e - - echo "Checking for existing signing key..." - key="$(kubectl get secret "$SECRET_NAME" -o jsonpath="{.data['signing\.key']}" 2> /dev/null)" - [ $? -ne 0 ] && return 1 - [ -z "$key" ] && return 2 - return 0 -} - -create_key() { - echo "Waiting for new signing key to be generated..." - begin=$(date +%s) - end=$((begin + 300)) # 5 minutes - while true; do - [ -f /synapse/keys/signing.key ] && return 0 - [ "$(date +%s)" -gt $end ] && return 1 - sleep 5 - done -} - -store_key() { - echo "Storing signing key in Kubernetes secret..." - kubectl patch secret "$SECRET_NAME" -p "{\"data\":{\"signing.key\":\"$(base64 /synapse/keys/signing.key | tr -d '\n')\"}}" -} - -if check_key; then - echo "Key already in place, exiting." - exit -fi - -if ! create_key; then - echo "Timed out waiting for a signing key to appear." - exit 1 -fi - -store_key diff --git a/charts/matrix-synapse/templates/NOTES.txt b/charts/matrix-synapse/templates/NOTES.txt index 5d8ce00..6c67dfc 100644 --- a/charts/matrix-synapse/templates/NOTES.txt +++ b/charts/matrix-synapse/templates/NOTES.txt 
@@ -1,29 +1,4 @@ ** Note, this chart may take a while to finish setup, please be patient ** -{{- if .Values.signingkey.job.enabled }} -** Also, remember to disable the signingkey job (signingkey.job.enabled=false) ** -{{- end }} -{{- if not .Values.ingress.enabled }} - -Synapse has been installed without an ingress, you will need to manage -accesses to the services yourself. -{{- else }} - -Your Synapse install is now starting, you should soon be able to access it on -the following URL(s); - {{- range (concat .Values.ingress.csHosts (list (.Values.publicServerName | default .Values.serverName))) }} - {{- if $.Values.ingress.tls }} -https://{{ . }} - {{- else }} -http://{{ . }} - {{- end }} - {{- end }} -{{ if not .Values.wellknown.enabled }} -Note that for federation to work you will need to either add an SRV record or -set up a /.well-known/matrix/server response. -Refer to https://github.com/matrix-org/synapse/blob/master/docs/federate.md -for more information. -{{- end }} -{{- end }} {{- if .Values.config.enableRegistration }} You should be able to connect to your Synapse install with any compatible diff --git a/charts/matrix-synapse/templates/configuration.yaml b/charts/matrix-synapse/templates/configuration.yaml index 4216141..ef69997 100644 --- a/charts/matrix-synapse/templates/configuration.yaml +++ b/charts/matrix-synapse/templates/configuration.yaml @@ -125,6 +125,7 @@ data: ## Registration ## enable_registration: {{ .Values.config.enableRegistration | default false }} + registration_requires_token: {{ .Values.config.enableRegistration | default false }} ## Metrics ### @@ -136,6 +137,7 @@ data: # The trusted servers to download signing keys from. trusted_key_servers: {{- .Values.config.trustedKeyServers | toYaml | nindent 6 }} + suppress_key_server_warning: true ## Workers ## {{- $default := .Values.workers.default }} 
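Review bot: `registration_requires_token` in the first configuration.yaml hunk is rendered from the same `.Values.config.enableRegistration` value as `enable_registration`, so a deployment cannot enable registration without also requiring a token, and no values key is added to express that choice. If requiring a token is meant to be the enforced default, a comment above the line saying so would help; otherwise give it its own value, e.g. `registration_requires_token: {{ .Values.config.registrationRequiresToken | default true }}` (a new values key, named here only as an example).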
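Review bot: `suppress_key_server_warning: true` in the second configuration.yaml hunk is emitted unconditionally, so the chart silences Synapse's warning about relying on matrix.org as a trusted key server for every deployment, including ones where the operator has set their own `trustedKeyServers`. Silencing that warning is a trust decision that belongs to the operator; gate it on a value, e.g. `suppress_key_server_warning: {{ .Values.config.suppressKeyServerWarning | default false }}` (example key name), and document in values.yaml why an operator might enable it.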
@@ -144,7 +146,7 @@ data: {{- if or (eq $worker "pusher") (eq ($config.app | default "") "pusher") }} # For pusher worker - start_pushers: false + start_pushers: true {{- else if or (eq $worker "appservice") (eq ($config.app | default "") "appservice") }} # For appservice worker diff --git a/charts/matrix-synapse/templates/db-init.yaml b/charts/matrix-synapse/templates/db-init.yaml new file mode 100644 index 0000000..9b4b03c --- /dev/null +++ b/charts/matrix-synapse/templates/db-init.yaml @@ -0,0 +1,20 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "matrix-synapse.fullname" . }}-db-init + labels: + {{- include "matrix-synapse.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +spec: + template: + spec: + restartPolicy: Never + containers: + - name: general-db-init + image: "{{ .Values.initContainers.dbInit.image.repository }}:{{ .Values.initContainers.dbInit.image.tag }}" + envFrom: + - secretRef: + name: {{ .Values.externalPostgresql.existingSecret }} + backoffLimit: 3 \ No newline at end of file diff --git a/charts/matrix-synapse/templates/deployment.yaml b/charts/matrix-synapse/templates/deployment.yaml index f35c074..91a9981 100644 --- a/charts/matrix-synapse/templates/deployment.yaml +++ b/charts/matrix-synapse/templates/deployment.yaml @@ -25,7 +25,6 @@ spec: template: metadata: annotations: - checksum/config: {{ include (print $.Template.BasePath "/configuration.yaml") . | sha256sum }} {{- with .Values.synapse.annotations }} {{ . | toYaml | nindent 8 }} {{- end }} 
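Review bot: `start_pushers: true` in the configuration.yaml hunk reverses the value under the `# For pusher worker` comment, so the comment no longer explains the setting: when a dedicated pusher worker is enabled the main process is normally told not to start pushers so that only one process sends them. If the intent is that the main process keeps sending pushes, update the comment to say so and how duplicate pushes are avoided; otherwise the original `false` looks correct. The enclosing `range` over workers starts outside the hunk.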
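Review bot: The Job in db-init.yaml injects the database credentials from `externalPostgresql.existingSecret` into a third-party image referenced only by a mutable tag, and sets no pod or container `securityContext`, no `resources`, and leaves the service-account token mounted. A pre-install hook that holds database credentials should run as non-root with a read-only root filesystem, no service-account token, and ideally a digest-pinned image. The Job is also not guarded by any `{{- if }}`, so a release without `externalPostgresql.existingSecret` set renders a `secretRef` with an empty name.
```yaml
  template:
    spec:
      restartPolicy: Never
      automountServiceAccountToken: false
      containers:
        - name: general-db-init
          image: "{{ .Values.initContainers.dbInit.image.repository }}:{{ .Values.initContainers.dbInit.image.tag }}"
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          # … unchanged: envFrom secretRef …
```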
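Review bot: Dropping `checksum/config` from the main Deployment's pod template annotations means a change to configuration.yaml no longer rolls the Synapse pods, while worker-deployment.yaml in this same change keeps `checksum/config` on the worker pods, so after a config change the workers restart with the new config and the main process keeps running the old one. If the removal is intentional, say so in a comment; otherwise keep `checksum/config: {{ include (print $.Template.BasePath "/configuration.yaml") . | sha256sum }}`.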
@@ -158,12 +157,12 @@ spec: name: {{ include "matrix-synapse.fullname" . }} - name: secrets secret: - secretName: {{ include "matrix-synapse.fullname" . }} + secretName: {{ $.Values.existingSecrets }} - name: signingkey secret: - secretName: {{ .Values.signingkey.existingSecret | default (include "matrix-synapse.workername" (dict "global" . "worker" "signingkey")) | quote }} + secretName: {{ $.Values.signingkey.existingSecret | quote }} items: - - key: {{ .Values.signingkey.existingSecretKey | default "signing.key" | quote }} + - key: {{ $.Values.signingkey.existingSecretKey | default "signing.key" | quote }} path: signing.key - name: tmpconf emptyDir: {} diff --git a/charts/matrix-synapse/templates/ingress.yaml b/charts/matrix-synapse/templates/ingress.yaml deleted file mode 100644 index c76fc93..0000000 --- a/charts/matrix-synapse/templates/ingress.yaml +++ /dev/null 
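Review bot: `secretName: {{ $.Values.existingSecrets }}` in the deployment.yaml hunk is rendered unquoted and with no default, and `signingkey.existingSecret` has lost its fallback to the chart-generated secret, so if either value is unset the volume gets an empty `secretName` and the pod cannot start; the values.yaml hunks in this diff do not add `existingSecrets`, so confirm it is defined somewhere. Since the chart no longer generates these secrets itself, fail early at render time instead: `secretName: {{ required "existingSecrets must name the Secret holding Synapse's secrets" $.Values.existingSecrets | quote }}` and likewise `required` on `signingkey.existingSecret`. The same pattern appears in the worker-deployment.yaml volumes hunk further down.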
@@ -1,195 +0,0 @@ -{{- if .Values.ingress.enabled -}} -{{- $fullName := include "matrix-synapse.fullname" . -}} -{{- $wkName := include "matrix-synapse.externalname" (dict "global" . "external" "wellknown-lighttpd") -}} -{{- $v1Ingress := .Capabilities.APIVersions.Has "networking.k8s.io/v1" -}} -{{- if $v1Ingress -}} -apiVersion: networking.k8s.io/v1 -{{- else -}} -apiVersion: networking.k8s.io/v1beta1 -{{- end }} -kind: Ingress -metadata: - name: {{ $fullName }} - labels: - {{- include "matrix-synapse.labels" . | nindent 4 }} - {{- with .Values.ingress.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: -{{- if .Values.ingress.className }} - ingressClassName: {{ .Values.ingress.className }} -{{- end }} -{{- if .Values.ingress.tls }} - tls: - {{- range .Values.ingress.tls }} - - hosts: - {{- range .hosts }} - - {{ . | quote }} - {{- end }} - {{- if .secretName }} - secretName: {{ .secretName }} - {{- end }} - {{- end }} -{{- end }} - rules: - {{- $csHosts := .Values.ingress.csHosts }} - {{- if .Values.ingress.includeServerName }} - {{- $csHosts = concat (list (.Values.publicServerName | default .Values.serverName)) $csHosts }} - {{- end }} - {{- $s2sHosts := .Values.ingress.hosts }} - {{- if .Values.ingress.includeServerName }} - {{- $s2sHosts = concat (list .Values.serverName) $s2sHosts }} - {{- end }} - {{- $wkHosts := .Values.ingress.wkHosts }} - {{- if .Values.ingress.includeServerName }} - {{- $wkHosts = concat (list .Values.serverName) $wkHosts }} - {{- end }} - {{- $hosts := uniq (concat $s2sHosts $csHosts $wkHosts) }} - {{- range $hosts }} - {{- $host := . }} - - host: {{ . 
| quote }} - http: - paths: - {{- $default := $.Values.workers.default }} - {{- range $worker, $config := $.Values.workers }} - {{- $name := $worker | replace "_" "-" }} - {{- if and $config.enabled $config.listeners (or $config.paths $config.csPaths) }} - {{- $service := include "matrix-synapse.workername" (dict "global" $ "worker" $name) }} - {{- if has $host $csHosts }} - {{- range $config.csPaths }} - {{- if $.Values.ingress.traefikPaths }} - - path: {{ printf "/{path:%s}" (trimPrefix "/" .) | quote }} - backend: - {{- if $v1Ingress }} - service: - name: {{ $service }} - port: - number: 8083 - pathType: ImplementationSpecific - {{- else }} - serviceName: {{ $service }} - servicePort: 8083 - {{- end }} - {{- else }} - - path: {{ . | quote }} - backend: - {{- if $v1Ingress }} - service: - name: {{ $service }} - port: - number: 8083 - pathType: ImplementationSpecific - {{- else }} - serviceName: {{ $service }} - servicePort: 8083 - {{- end }} - {{- end }} - {{- end }} - {{- end }} - {{- if has $host $s2sHosts }} - {{- range $config.paths }} - {{- if $.Values.ingress.traefikPaths }} - - path: {{ printf "/{path:%s}" (trimPrefix "/" .) | quote }} - backend: - {{- if $v1Ingress }} - service: - name: {{ $service }} - port: - number: 8083 - pathType: ImplementationSpecific - {{- else }} - serviceName: {{ $service }} - servicePort: 8083 - {{- end }} - {{- else }} - - path: {{ . | quote }} - backend: - {{- if $v1Ingress }} - service: - name: {{ $service }} - port: - number: 8083 - pathType: ImplementationSpecific - {{- else }} - serviceName: {{ $service }} - servicePort: 8083 - {{- end }} - {{- end }} - {{- end }} - {{- end }} - {{- end }} - {{- end }} - - {{- if has . $csHosts }} - {{- with $.Values.ingress.csPaths }} - {{ . | toYaml | nindent 10 }} - {{- end }} - {{- end }} - {{- if has . $s2sHosts }} - {{- with $.Values.ingress.paths }} - {{ . | toYaml | nindent 10 }} - {{- end }} - {{- end }} - - {{- if or (has . $csHosts) (has . 
$s2sHosts) }} - - path: /_matrix - backend: - {{- if $v1Ingress }} - service: - name: {{ $fullName }} - port: - number: {{ $.Values.service.port }} - pathType: Prefix - {{- else }} - serviceName: {{ $fullName }} - servicePort: {{ $.Values.service.port }} - {{- end }} - {{- end }} - - {{- if and (has . $csHosts) $.Values.ingress.includeUnderscoreSynapse }} - - path: /_synapse - backend: - {{- if $v1Ingress }} - service: - name: {{ $fullName }} - port: - number: {{ $.Values.service.port }} - pathType: Prefix - {{- else }} - serviceName: {{ $fullName }} - servicePort: {{ $.Values.service.port }} - {{- end }} - {{- end }} - - {{- if has . $wkHosts }} - {{- if $.Values.wellknown.enabled }} - - path: /.well-known/matrix - backend: - {{- if $v1Ingress }} - service: - name: {{ $wkName }} - port: - number: {{ $.Values.wellknown.service.port | default 80 }} - pathType: Prefix - {{- else }} - serviceName: {{ $wkName }} - servicePort: {{ $.Values.wellknown.service.port | default 80 }} - {{- end }} - {{- else }} - - path: /.well-known/matrix - backend: - {{- if $v1Ingress }} - service: - name: {{ $fullName }} - port: - number: {{ $.Values.service.port }} - pathType: Prefix - {{- else }} - serviceName: {{ $fullName }} - servicePort: {{ $.Values.service.port }} - {{- end }} - {{- end }} - {{- end }} - {{- end }} -{{- end }} diff --git a/charts/matrix-synapse/templates/signing-key-job.yaml b/charts/matrix-synapse/templates/signing-key-job.yaml deleted file mode 100644 index c1cdd3a..0000000 --- a/charts/matrix-synapse/templates/signing-key-job.yaml +++ /dev/null 
@@ -1,153 +0,0 @@ -{{- if .Values.signingkey.job.enabled }} -{{- if .Values.signingkey.existingSecret }} -{{- fail "Can't specify both signingkey.job.enabled and signingkey.existingSecret" }} -{{- end }} -{{- $name := include "matrix-synapse.workername" (dict "global" . "worker" "signingkey-job") }} -{{- $secretName := include "matrix-synapse.workername" (dict "global" . "worker" "signingkey") }} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ $name }} - labels: - {{- include "matrix-synapse.labels" . | nindent 4 }} - app.kubernetes.io/component: signingkey-job - annotations: - helm.sh/hook: pre-install - helm.sh/hook-delete-policy: hook-succeeded ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ $name }} - labels: - {{- include "matrix-synapse.labels" . | nindent 4 }} - app.kubernetes.io/component: signingkey-job - annotations: - helm.sh/hook: pre-install - helm.sh/hook-delete-policy: hook-succeeded -rules: - - apiGroups: - - "" - resources: - - secrets - resourceNames: - - {{ $secretName }} - verbs: - - get - - update - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ $name }} - labels: - {{- include "matrix-synapse.labels" . | nindent 4 }} - app.kubernetes.io/component: signingkey-job - annotations: - helm.sh/hook: pre-install - helm.sh/hook-delete-policy: hook-succeeded -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ $name }} -subjects: - - kind: ServiceAccount - name: {{ $name }} - namespace: {{ .Release.Namespace }} ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ $name }} - labels: - {{- include "matrix-synapse.labels" . | nindent 4 }} - app.kubernetes.io/component: signingkey-job - annotations: - helm.sh/hook: pre-install - helm.sh/hook-delete-policy: hook-succeeded - {{- with .Values.signingkey.job.annotations }} - {{- toYaml . 
| nindent 4 }} - {{- end }} -spec: - ttlSecondsAfterFinished: 0 - template: - metadata: - labels: - {{- include "matrix-synapse.labels" . | nindent 8 }} - app.kubernetes.io/component: signingkey-job - spec: - containers: - - command: - - sh - - -c - - | - echo "Generating signing key..." - if which generate_signing_key.py >/dev/null; then - generate_signing_key.py -o /synapse/keys/signing.key - else - generate_signing_key -o /synapse/keys/signing.key - fi - image: "{{ .Values.signingkey.job.generateImage.repository }}:{{ .Values.signingkey.job.generateImage.tag | default "latest" }}" - imagePullPolicy: {{ .Values.signingkey.job.generateImage.pullPolicy }} - name: signing-key-generate - resources: - {{- toYaml .Values.signingkey.resources | nindent 12 }} - volumeMounts: - - mountPath: /synapse/keys - name: matrix-synapse-keys - - command: - - sh - - -c - - | - printf "Checking rights to update secret... " - kubectl auth can-i update secret/${SECRET_NAME} - /scripts/signing-key.sh - env: - - name: SECRET_NAME - value: {{ $secretName }} - image: "{{ .Values.signingkey.job.publishImage.repository }}:{{ .Values.signingkey.job.publishImage.tag | default "latest" }}" - imagePullPolicy: {{ .Values.signingkey.job.publishImage.pullPolicy }} - name: signing-key-upload - resources: - {{- toYaml .Values.signingkey.resources | nindent 12 }} - volumeMounts: - - mountPath: /scripts - name: scripts - readOnly: true - - mountPath: /synapse/keys - name: matrix-synapse-keys - readOnly: true - restartPolicy: Never - serviceAccount: {{ $name }} - volumes: - - name: scripts - configMap: - name: {{ include "matrix-synapse.fullname" . 
}}-scripts - defaultMode: 0755 - - name: matrix-synapse-keys - emptyDir: {} - parallelism: 1 - completions: 1 - backoffLimit: 1 ---- -apiVersion: v1 -kind: Secret -metadata: - annotations: - helm.sh/hook: pre-install - helm.sh/hook-delete-policy: never - helm.sh/resource-policy: keep - argocd.argoproj.io/hook: Skip - argocd.argoproj.io/hook-delete-policy: Never - name: {{ $secretName }} - labels: - {{- include "matrix-synapse.labels" . | nindent 4 }} - app.kubernetes.io/component: signingkey-job -{{ $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) -}} -{{ if $secret -}} -data: - signing.key: {{ (b64dec (index $secret.data "signing.key")) | b64enc }} -{{ end -}} -{{- end }} diff --git a/charts/matrix-synapse/templates/well-known-config.yaml b/charts/matrix-synapse/templates/well-known-config.yaml deleted file mode 100644 index ea58c07..0000000 --- a/charts/matrix-synapse/templates/well-known-config.yaml +++ /dev/null 
@@ -1,66 +0,0 @@ -{{- if .Values.wellknown.enabled }} -{{- $wkName := include "matrix-synapse.externalname" (dict "global" . "external" "wellknown-lighttpd") -}} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ $wkName }} - labels: - {{- include "matrix-synapse.labels" . | nindent 4 }} - component: well-known -data: - lighttpd.conf: | - server.port = 8080 - {{ if .Values.wellknown.useIpv6}} - server.use-ipv6 = "enable" - {{ end }} - server.modules = ( - "mod_rewrite", - "mod_status", - "mod_accesslog", - "mod_extforward", - "mod_setenv" - ) - include "conf.d/00-mime-types.conf" - server.username = "lighttpd" - server.groupname = "lighttpd" - server.document-root = {{ .Values.wellknown.htdocsPath | quote }} - server.pid-file = "/run/lighttpd.pid" - url.rewrite-once = ( -{{- $keys := concat (list "client" "server") (keys .Values.wellknown.extraData) }} -{{- range $key := initial $keys }} - "^/\.well-known/matrix/{{ $key }}" => "/{{ $key }}.json", -{{- end }} - "^/\.well-known/matrix/{{ last $keys }}" => "/{{ last $keys }}.json" - ) - status.status-url = "/server-status" - extforward.forwarder = ( "all" => "trust") - setenv.add-response-header = ( - "access-control-allow-headers" => "Origin, X-Requested-With, Content-Type, Accept, Authorization", - "access-control-allow-methods" => "GET, POST, PUT, DELETE, OPTIONS", - "access-control-allow-origin" => "*" - ) - setenv.set-response-header = ( - "content-type" => "application/json" - ) - server.json: |- -{{- if .Values.wellknown.server }} -{{ toJson .Values.wellknown.server | nindent 4 }} -{{- else }} -{{ dict "m.server" (printf "%s:%d" (.Values.wellknown.host | default (.Values.publicServerName | default .Values.serverName)) (.Values.wellknown.port | default 443)) | toJson | indent 4 }} -{{- end }} - client.json: |- -{{- if .Values.wellknown.client }} -{{ toJson .Values.wellknown.client | nindent 4 }} -{{- else }} -{{ dict "m.homeserver" (dict "base_url" (printf "https://%s/" (.Values.publicServerName | 
default .Values.serverName))) | toJson | indent 4 }} -{{- end }} -{{- range $key, $value := .Values.wellknown.extraData }} - {{ $key }}.json: |- -{{- if $value | kindIs "string" -}} - {{ $value | nindent 4 }} -{{- else -}} - {{ $value | toJson | nindent 4 }} -{{- end -}} -{{- end -}} -{{- end -}} diff --git a/charts/matrix-synapse/templates/well-known.yaml b/charts/matrix-synapse/templates/well-known.yaml deleted file mode 100644 index d0e7f07..0000000 --- a/charts/matrix-synapse/templates/well-known.yaml +++ /dev/null 
@@ -1,95 +0,0 @@ -{{- if .Values.wellknown.enabled }} -{{- $wkName := include "matrix-synapse.externalname" (dict "global" . "external" "wellknown-lighttpd") -}} ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ $wkName }} - labels: - {{- include "matrix-synapse.labels" . | nindent 4 }} - app.kubernetes.io/component: well-known -spec: - type: {{ .Values.wellknown.service.type | default "ClusterIP" }} - ports: - - port: {{ .Values.wellknown.service.port | default 80 }} - targetPort: http - protocol: TCP - name: http - selector: - {{- include "matrix-synapse.selectorLabels" . | nindent 4 }} - app.kubernetes.io/component: well-known ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ $wkName }} - labels: - {{- include "matrix-synapse.labels" . | nindent 4 }} - app.kubernetes.io/component: well-known -spec: - replicas: {{ .Values.wellknown.replicaCount | default 1 }} - selector: - matchLabels: - {{- include "matrix-synapse.selectorLabels" . | nindent 6 }} - app.kubernetes.io/component: well-known - template: - metadata: - annotations: - checksum/config: {{ include (print .Template.BasePath "/well-known-config.yaml") . | sha256sum }} - labels: - {{- include "matrix-synapse.selectorLabels" . | nindent 8 }} - app.kubernetes.io/component: well-known - spec: - {{- include "matrix-synapse.imagePullSecrets" . 
| nindent 6 }} - securityContext: - {{- toYaml .Values.wellknown.podSecurityContext | nindent 8 }} - containers: - - name: lighttpd - image: "{{ .Values.wellknown.image.repository }}:{{ .Values.wellknown.image.tag }}" - imagePullPolicy: {{ .Values.wellknown.image.pullPolicy }} - securityContext: - {{- toYaml .Values.wellknown.securityContext | nindent 12 }} - ports: - - containerPort: 8080 - name: http - protocol: TCP - readinessProbe: - tcpSocket: - port: http - livenessProbe: - httpGet: - path: /server-status - port: http - volumeMounts: - - mountPath: /etc/lighttpd/lighttpd.conf - name: files - subPath: lighttpd.conf -{{- $keys := concat (list "client" "server") (keys .Values.wellknown.extraData) }} -{{- range $key := $keys }} - - mountPath: {{ $.Values.wellknown.htdocsPath }}/{{ $key }}.json - name: files - subPath: {{ $key }}.json -{{- end }} - - mountPath: /run - name: run - resources: - {{- toYaml .Values.wellknown.resources | nindent 12 }} - volumes: - - name: files - configMap: - name: {{ $wkName }} - - name: run - emptyDir: {} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} -{{- end }} diff --git a/charts/matrix-synapse/templates/worker-configuration.yaml b/charts/matrix-synapse/templates/worker-configuration.yaml index 40399b0..5590dc9 100644 --- a/charts/matrix-synapse/templates/worker-configuration.yaml +++ b/charts/matrix-synapse/templates/worker-configuration.yaml @@ -22,7 +22,7 @@ data: {{- $app := $config.app | default $worker }} {{ $name }}.worker: | - worker_app: "synapse.app.{{ (not (not $config.generic)) | ternary "generic_worker" $app }}" + worker_app: "synapse.app.generic_worker" {{- if $config.name -}} {{- if (gt ($config.replicaCount | int) 1) -}} {{- fail "Replica count must be 1 if a worker has a unique name." -}} 
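Review bot: `worker_app: "synapse.app.generic_worker"` in the worker-configuration.yaml hunk is now hard-coded, so the `$app` variable computed on the context line above (`$config.app | default $worker`) is no longer used and every worker, whatever its `app` or `generic` setting in values.yaml, is started as a generic worker. If that is the intent, remove the dead `$app` assignment and add a comment such as `# All workers run as generic_worker; the app/generic values are ignored` so operators are not misled; otherwise the removed ternary looks like it should stay. The enclosing `range` over workers starts outside the hunk.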
@@ -77,4 +77,4 @@ data: {{- end }} {{- end }} {{- end }} -{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/matrix-synapse/templates/worker-deployment.yaml b/charts/matrix-synapse/templates/worker-deployment.yaml index bf5763a..9cd22ad 100644 --- a/charts/matrix-synapse/templates/worker-deployment.yaml +++ b/charts/matrix-synapse/templates/worker-deployment.yaml @@ -27,7 +27,6 @@ spec: annotations: checksum/config: {{ include (print $.Template.BasePath "/configuration.yaml") $ | sha256sum }} checksum/worker-config: {{ include (print $.Template.BasePath "/worker-configuration.yaml") $ | sha256sum }} - checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") $ | sha256sum }} {{- with ($config.annotations | default $default.annotations) }} {{ . | toYaml | nindent 8 }} {{- end }} @@ -160,6 +159,7 @@ spec: mountPath: /synapse/secrets - name: signingkey mountPath: /synapse/keys + readOnly: false {{- if eq $name "media-repository" }} - name: media mountPath: /synapse/data @@ -188,10 +188,10 @@ spec: name: {{ include "matrix-synapse.workername" (dict "global" $ "worker" "workers") }} - name: secrets secret: - secretName: {{ include "matrix-synapse.fullname" $ }} + secretName: {{ $.Values.existingSecrets }} - name: signingkey secret: - secretName: {{ $.Values.signingkey.existingSecret | default (include "matrix-synapse.workername" (dict "global" $ "worker" "signingkey")) | quote }} + secretName: {{ $.Values.signingkey.existingSecret | quote }} items: - key: {{ $.Values.signingkey.existingSecretKey | default "signing.key" | quote }} path: signing.key @@ -210,4 +210,4 @@ spec: {{ . | toYaml | nindent 8 }} {{- end }} {{- end }} -{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/matrix-synapse/values.yaml b/charts/matrix-synapse/values.yaml index 942f356..874372f 100644 --- a/charts/matrix-synapse/values.yaml +++ b/charts/matrix-synapse/values.yaml 
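Review bot: `readOnly: false` on the `signingkey` volumeMount in worker-deployment.yaml has no effect — the volume is backed by a Secret, which Kubernetes mounts read-only regardless — and it reads as if the workers are expected to write the signing key. Make the intent explicit in the other direction, `readOnly: true`, so the private key stays unwritable from the worker even if the volume type changes later.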
@@ -1,4 +1,12 @@ ---- +initContainers: + dbInit: + image: + repository: ghcr.io/onedr0p/postgres-init + tag: "16" + envFrom: + - secretRef: + name: synapse-secret + ## Docker image configuration, used for Synapse and workers. ## image: @@ -124,7 +132,7 @@ config: ## signing key request. ## trustedKeyServers: - - server_name: matrix.org + - server_name: matrix.org # verify_keys: # "ed25519:auto": "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw" 
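Review bot: `initContainers.dbInit.envFrom` in the first values.yaml hunk is never read — the new db-init.yaml template takes its `secretRef` from `externalPostgresql.existingSecret` instead — so the `synapse-secret` default here is dead configuration that will mislead operators into setting the wrong key. Either drop the `envFrom` block from values.yaml or make the template consume it with `{{- toYaml .Values.initContainers.dbInit.envFrom | nindent 10 }}`. The image is also pinned only by the mutable tag `"16"`; a digest is preferable for a hook that receives the database credentials.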
@@ -427,96 +435,96 @@ workers: generic: true listeners: [client, federation] csPaths: - ## Sync requests - # - "/_matrix/client/(r0|v3)/sync$" - - "/_matrix/client/(api/v1|r0|v3)/events$" - # - "/_matrix/client/(api/v1|r0|v3)/initialSync$" - # - "/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$" + ## Sync requests + # - "/_matrix/client/(r0|v3)/sync$" + - "/_matrix/client/(api/v1|r0|v3)/events$" + # - "/_matrix/client/(api/v1|r0|v3)/initialSync$" + # - "/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$" - ## Client API requests - - "/_matrix/client/(api/v1|r0|v3|unstable)/createRoom$" - - "/_matrix/client/(api/v1|r0|v3|unstable)/publicRooms$" - - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/joined_members$" - - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/context/" - - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/members$" - - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state$" - - "/_matrix/client/v1/rooms/.*/hierarchy$" - - "/_matrix/client/unstable/org.matrix.msc2716/rooms/.*/batch_send$" - - "/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$" - - "/_matrix/client/(r0|v3|unstable)/account/3pid$" - - "/_matrix/client/(r0|v3|unstable)/account/whoami$" - - "/_matrix/client/(r0|v3|unstable)/devices$" - - "/_matrix/client/versions$" - - "/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer$" - - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/event/" - - "/_matrix/client/(api/v1|r0|v3|unstable)/joined_rooms$" - - "/_matrix/client/(api/v1|r0|v3|unstable)/search$" + ## Client API requests + - "/_matrix/client/(api/v1|r0|v3|unstable)/createRoom$" + - "/_matrix/client/(api/v1|r0|v3|unstable)/publicRooms$" + - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/joined_members$" + - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/context/" + - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/members$" + - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state$" + - "/_matrix/client/v1/rooms/.*/hierarchy$" + - 
"/_matrix/client/unstable/org.matrix.msc2716/rooms/.*/batch_send$" + - "/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$" + - "/_matrix/client/(r0|v3|unstable)/account/3pid$" + - "/_matrix/client/(r0|v3|unstable)/account/whoami$" + - "/_matrix/client/(r0|v3|unstable)/devices$" + - "/_matrix/client/versions$" + - "/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer$" + - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/event/" + - "/_matrix/client/(api/v1|r0|v3|unstable)/joined_rooms$" + - "/_matrix/client/(api/v1|r0|v3|unstable)/search$" - ## Encryption requests - - "/_matrix/client/(r0|v3|unstable)/keys/query$" - - "/_matrix/client/(r0|v3|unstable)/keys/changes$" - - "/_matrix/client/(r0|v3|unstable)/keys/claim$" - - "/_matrix/client/(r0|v3|unstable)/room_keys/" + ## Encryption requests + - "/_matrix/client/(r0|v3|unstable)/keys/query$" + - "/_matrix/client/(r0|v3|unstable)/keys/changes$" + - "/_matrix/client/(r0|v3|unstable)/keys/claim$" + - "/_matrix/client/(r0|v3|unstable)/room_keys/" - ## Registration/login requests - - "/_matrix/client/(api/v1|r0|v3|unstable)/login$" - - "/_matrix/client/(r0|v3|unstable)/register$" - - "/_matrix/client/v1/register/m.login.registration_token/validity$" + ## Registration/login requests + - "/_matrix/client/(api/v1|r0|v3|unstable)/login$" + - "/_matrix/client/(r0|v3|unstable)/register$" + - "/_matrix/client/v1/register/m.login.registration_token/validity$" - ## Event sending requests - - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/redact" - - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/send" - - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state/" - - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$" - - "/_matrix/client/(api/v1|r0|v3|unstable)/join/" - - "/_matrix/client/(api/v1|r0|v3|unstable)/profile/" + ## Event sending requests + - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/redact" + - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/send" + - 
"/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state/" + - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$" + - "/_matrix/client/(api/v1|r0|v3|unstable)/join/" + - "/_matrix/client/(api/v1|r0|v3|unstable)/profile/" - ## User directory search requests - - "/_matrix/client/(r0|v3|unstable)/user_directory/search" + ## User directory search requests + - "/_matrix/client/(r0|v3|unstable)/user_directory/search" - ## Worker event streams - ## See https://matrix-org.github.io/synapse/latest/workers.html#stream-writers - ## + ## Worker event streams + ## See https://matrix-org.github.io/synapse/latest/workers.html#stream-writers + ## - ## The typing event stream - # - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/typing" + ## The typing event stream + # - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/typing" - ## The to_device event stream - # - "/_matrix/client/(r0|v3|unstable)/sendToDevice/" + ## The to_device event stream + # - "/_matrix/client/(r0|v3|unstable)/sendToDevice/" - ## The account_data event stream - # - "/_matrix/client/(r0|v3|unstable)/.*/tags" - # - "/_matrix/client/(r0|v3|unstable)/.*/account_data" + ## The account_data event stream + # - "/_matrix/client/(r0|v3|unstable)/.*/tags" + # - "/_matrix/client/(r0|v3|unstable)/.*/account_data" - ## The receipts event stream - # - "/_matrix/client/(r0|v3|unstable)/rooms/.*/receipt" - # - "/_matrix/client/(r0|v3|unstable)/rooms/.*/read_markers" + ## The receipts event stream + # - "/_matrix/client/(r0|v3|unstable)/rooms/.*/receipt" + # - "/_matrix/client/(r0|v3|unstable)/rooms/.*/read_markers" - ## The presence event stream - # - "/_matrix/client/(api/v1|r0|v3|unstable)/presence/" + ## The presence event stream + # - "/_matrix/client/(api/v1|r0|v3|unstable)/presence/" paths: - ## Federation requests - - "/_matrix/federation/v1/event/" - - "/_matrix/federation/v1/state/" - - "/_matrix/federation/v1/state_ids/" - - "/_matrix/federation/v1/backfill/" - - 
"/_matrix/federation/v1/get_missing_events/" - - "/_matrix/federation/v1/publicRooms" - - "/_matrix/federation/v1/query/" - - "/_matrix/federation/v1/make_join/" - - "/_matrix/federation/v1/make_leave/" - - "/_matrix/federation/(v1|v2)/send_join/" - - "/_matrix/federation/(v1|v2)/send_leave/" - - "/_matrix/federation/(v1|v2)/invite/" - - "/_matrix/federation/v1/event_auth/" - - "/_matrix/federation/v1/exchange_third_party_invite/" - - "/_matrix/federation/v1/user/devices/" - - "/_matrix/key/v2/query" - - "/_matrix/federation/v1/hierarchy/" + ## Federation requests + - "/_matrix/federation/v1/event/" + - "/_matrix/federation/v1/state/" + - "/_matrix/federation/v1/state_ids/" + - "/_matrix/federation/v1/backfill/" + - "/_matrix/federation/v1/get_missing_events/" + - "/_matrix/federation/v1/publicRooms" + - "/_matrix/federation/v1/query/" + - "/_matrix/federation/v1/make_join/" + - "/_matrix/federation/v1/make_leave/" + - "/_matrix/federation/(v1|v2)/send_join/" + - "/_matrix/federation/(v1|v2)/send_leave/" + - "/_matrix/federation/(v1|v2)/invite/" + - "/_matrix/federation/v1/event_auth/" + - "/_matrix/federation/v1/exchange_third_party_invite/" + - "/_matrix/federation/v1/user/devices/" + - "/_matrix/key/v2/query" + - "/_matrix/federation/v1/hierarchy/" - ## Inbound federation transaction request - - "/_matrix/federation/v1/send/" + ## Inbound federation transaction request + - "/_matrix/federation/v1/send/" ## To separate the generic worker into specific concerns - for example federation transaction receiving; ## NB; This worker should have incoming traffic routed based on source IP, which is 
@@ -580,15 +588,15 @@ workers:
 enabled: false
 listeners: [media]
 csPaths:
- - "/_matrix/media/.*"
- - "/_synapse/admin/v1/purge_media_cache$"
- - "/_synapse/admin/v1/room/.*/media"
- - "/_synapse/admin/v1/user/.*/media"
- - "/_synapse/admin/v1/media/"
- - "/_synapse/admin/v1/quarantine_media/"
- - "/_synapse/admin/v1/users/.*/media$"
+ - "/_matrix/media/.*"
+ - "/_synapse/admin/v1/purge_media_cache$"
+ - "/_synapse/admin/v1/room/.*/media"
+ - "/_synapse/admin/v1/user/.*/media"
+ - "/_synapse/admin/v1/media/"
+ - "/_synapse/admin/v1/quarantine_media/"
+ - "/_synapse/admin/v1/users/.*/media$"
 paths:
- - "/_matrix/media/.*"
+ - "/_matrix/media/.*"
 ## This worker deals with user directory searches.
 ##
@@ -597,7 +605,7 @@ workers:
 name: userdir
 listeners: [client]
 csPaths:
- - "/_matrix/client/(api/v1|r0|v3|unstable)/user_directory/search$"
+ - "/_matrix/client/(api/v1|r0|v3|unstable)/user_directory/search$"
 ## This worker handles key uploads, and may also stub out presence if that is
 ## disabled. If you set extraConfig.use_presence=false then you may want to
@@ -607,7 +615,7 @@ workers:
 enabled: false
 listeners: [client]
 csPaths:
- - "/_matrix/client/(api/v1|r0|v3|unstable)/keys/upload"
+ - "/_matrix/client/(api/v1|r0|v3|unstable)/keys/upload"
 # - "/_matrix/client/(api/v1|r0|v3|unstable)/presence/[^/]+/status"
 ## This will set up a Lighttpd server to respond to any
@@ -643,13 +651,13 @@ wellknown:
 ## Dictionaries will be JSON converted, plain strings will be served as they are
 ##
 extraData: {}
- ## MSC1929 example;
- # support:
- # admins:
- # - matrix_id: '@admin:example.com'
- # email_address: 'admin@example.com'
- # role: 'admin'
- # support_page: 'https://example.com/support'
+ ## MSC1929 example;
+ # support:
+ # admins:
+ # - matrix_id: '@admin:example.com'
+ # email_address: 'admin@example.com'
+ # role: 'admin'
+ # support_page: 'https://example.com/support'
 ## A custom htdocs path, useful when running another image.
 ##
@@ -966,5 +974,5 @@ ingress:
 serviceAccount:
 create: false
 annotations: {}
- # eks.amazonaws.com/role-arn: arn:aws:iam::000000000000:role/matrix-synapse
+ # eks.amazonaws.com/role-arn: arn:aws:iam::000000000000:role/matrix-synapse
 # name: non-default-service-name
