feat(synapse) add a clone of the ananace chart for Matrix Synapse

Tommy 2024-01-17 07:43:04 +01:00
parent a5d716f970
commit cf759778e4
No known key found for this signature in database
20 changed files with 2764 additions and 0 deletions

@ -0,0 +1,22 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

@ -0,0 +1,11 @@
apiVersion: v2
name: matrix-synapse
description: Matrix homeserver
icon: https://matrix.org/images/matrix-logo.svg
appVersion: 1.99.0
type: application
version: 4.0.0
maintainers:
- name: Tommy Skaug
email: tommy@skaug.me
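Review bot: Chart.yaml records no `sources`/`home` entry although the commit message describes this as a clone of the ananace chart and the README still points at https://gitlab.com/ananace/charts; add a `sources:` list naming the upstream chart so the provenance of the vendored templates is visible from `helm show chart`. Note also that the `matrix-synapse.imageTag` helper derives the default image tag (`v1.99.0`) from `appVersion`, so bumping `appVersion` changes the deployed Synapse image without any other value being touched.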

@ -0,0 +1,90 @@
Matrix Synapse
==============
[Synapse](https://github.com/matrix-org/synapse) is the current reference implementation of the [Matrix protocol](https://matrix.org).
For questions/help on the chart, feel free to drop in at [#matrix-on-kubernetes:fiksel.info](https://matrix.to/#/#matrix-on-kubernetes:fiksel.info).
This chart is hosted [on GitLab](https://gitlab.com/ananace/charts).
__Attention:__ _The upgrade to 1.51.0 requires manual action, please read the upgrade instructions [below](#upgrading)._
## Prerequisites
- Kubernetes 1.20+
- Helm 3.0+
- Ingress installed in the cluster
**NB**; Matrix requires the use of valid SSL certificates for federation.
## Installing
To run a federating Matrix server, you need to have a publicly accessible subdomain that Kubernetes has an ingress on.
You will also require some federation guides, either in the form of a `.well-known/matrix/server` server or as an SRV record in DNS.
When using a well-known entry, you will need to have a valid cert for whatever subdomain you wish to serve Synapse on.
When using an SRV record, you will additionally need a valid cert for the main domain that you're using for your MXIDs.
## Installation Examples
Refer to [the main Synapse docs](https://github.com/matrix-org/synapse/blob/master/docs/federate.md) for more information.
### On main domain / with subdomain MXIDs
For the simplest possible Matrix install, you can run your Synapse install on the root of the domain you wish in your MXIDs.
If you - for instance - own the domain `chosenin.space` and want to run Matrix on it, you would simply install the chart as;
helm install matrix-synapse ananace-charts/matrix-synapse --set serverName=chosenin.space --set wellknown.enabled=true
This would set up Synapse with client-server and federation both exposed on `chosenin.space/_matrix`, as well as a tiny lighttpd server that responds to federation lookups on `chosenin.space/.well-known/matrix/server`.
You can also use this to run a Synapse on a subdomain, with said subdomain as part of your MXIDs; (`@user:matrix.chosenin.space` in this case)
helm install matrix-synapse ananace-charts/matrix-synapse --set serverName=matrix.chosenin.space --set wellknown.enabled=true
### On separate subdomain
If - on the other hand - you own the domain `example.com`, want your MXIDs in the form `@user:example.com`, but still want to run your Synapse on `matrix.example.com`. Then you have two options, using either DNS or well-known;
For DNS, you could install the chart as;
helm install matrix-synapse ananace-charts/matrix-synapse --set serverName=example.com --set publicServerName=matrix.example.com
This will add federation endpoints to `example.com`, along with client endpoints on `matrix.example.com`. For this to work, you will need to have valid certs for both `example.com` as well as `matrix.example.com` for your Synapse to use.
To get federation working with such a setup, you would also need to add an SRV record to your DNS - for example;
_matrix._tcp.example.com 10 1 443 matrix.example.com
If you want to use a well-known file for federation instead of an SRV record, then your install might look more like;
helm install matrix-synapse ananace-charts/matrix-synapse --set serverName=example.com --set publicServerName=matrix.example.com --set wellknown.enabled=true
With well-known federation, your client-to-server/public host is the one that needs to handle both client and federation traffic. On your main domain you'll instead only need something that can respond with a JSON file on the URL `example.com/.well-known/matrix/server` - which the included wellknown server will gladly do for you.
Additionally, when using well-known federation, your Synapse cert only needs to be valid for `matrix.example.com`.
 
More advanced setups can be made using `ingress.hosts`, `ingress.csHosts`, and `ingress.wkHosts` for server-server, client-server, and well-known endpoints respectively.
Alternatively, you can use your own ingress setup, or switch the main service to `LoadBalancer` and add a TLS listener.
### Application services / extra config files
Synapse is configured to read all configuration files found under `/synapse/config/conf.d/` - which is mounted as an emptyDir to allow for read-only root.
You can mount your additional configuration values under here if you want to have configuration that doesn't map well to the `extraConfig`/`extraSecrets` values.
Note that due to how the mounts are set up, you will have to `subPath`-mount individual files into the folder in order for them to be loaded.
## Upgrading
### To v1.51.0
The redis subchart was upgraded in this release which changed immutable values of the StatefulSet. So, to perform this upgrade, perform the following steps. Make sure to adapt the names and arguments to your situation.
```
# Delete the old StatefulSet but leave the Pod alive
kubectl delete statefulset --cascade=orphan matrix-synapse-redis-master
# Upgrade the chart and create a new StatfulSet for redis
helm upgrade matrix-synapse matrix-synapse
# Delete the old Pod so the new StatefulSet can take over
kubectl delete pod matrix-synapse-redis-master-0
```
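Review bot: the README still describes the upstream project rather than this vendored copy: "This chart is hosted on GitLab", the support room, and every `helm install` example using the `ananace-charts/` repo alias; either state that this is a clone and name the upstream, or rewrite those lines for this repository. Minor: the comment `# Upgrade the chart and create a new StatfulSet for redis` has a typo (StatefulSet), and the `--cascade=orphan` recipe under "To v1.51.0" only applies to installs that predate that release, which is worth saying since a fresh install from this repo starts at chart 4.0.0.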

@ -0,0 +1,41 @@
#!/bin/sh
set -eu
check_key() {
set +e
echo "Checking for existing signing key..."
key="$(kubectl get secret "$SECRET_NAME" -o jsonpath="{.data['signing\.key']}" 2> /dev/null)"
[ $? -ne 0 ] && return 1
[ -z "$key" ] && return 2
return 0
}
create_key() {
echo "Waiting for new signing key to be generated..."
begin=$(date +%s)
end=$((begin + 300)) # 5 minutes
while true; do
[ -f /synapse/keys/signing.key ] && return 0
[ "$(date +%s)" -gt $end ] && return 1
sleep 5
done
}
store_key() {
echo "Storing signing key in Kubernetes secret..."
kubectl patch secret "$SECRET_NAME" -p "{\"data\":{\"signing.key\":\"$(base64 /synapse/keys/signing.key | tr -d '\n')\"}}"
}
if check_key; then
echo "Key already in place, exiting."
exit
fi
if ! create_key; then
echo "Timed out waiting for a signing key to appear."
exit 1
fi
store_key
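Review bot: `set +e` inside `check_key` switches errexit off for the remainder of the script (shell options changed in a function are process-wide), so the `set -eu` on line one no longer protects `store_key`; re-enable with `set -e` before returning, or avoid the toggle entirely with `if key=$(kubectl get secret ... 2>/dev/null); then`. `check_key` also distinguishes a missing Secret (return 1) from a present but empty one (return 2), yet the caller treats both the same and `store_key` uses `kubectl patch`, which fails when the Secret does not exist; either create it on the return-1 path or document that the Secret is always pre-created by the chart. Since this runs with in-cluster credentials, the ServiceAccount it uses should be limited to `get` and `patch` on that one Secret (`resourceNames` in the Role) rather than `secrets` in the namespace.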

@ -0,0 +1,41 @@
** Note, this chart may take a while to finish setup, please be patient **
{{- if .Values.signingkey.job.enabled }}
** Also, remember to disable the signingkey job (signingkey.job.enabled=false) **
{{- end }}
{{- if not .Values.ingress.enabled }}
Synapse has been installed without an ingress, you will need to manage
accesses to the services yourself.
{{- else }}
Your Synapse install is now starting, you should soon be able to access it on
the following URL(s);
{{- range (concat .Values.ingress.csHosts (list (.Values.publicServerName | default .Values.serverName))) }}
{{- if $.Values.ingress.tls }}
https://{{ . }}
{{- else }}
http://{{ . }}
{{- end }}
{{- end }}
{{ if not .Values.wellknown.enabled }}
Note that for federation to work you will need to either add an SRV record or
set up a /.well-known/matrix/server response.
Refer to https://github.com/matrix-org/synapse/blob/master/docs/federate.md
for more information.
{{- end }}
{{- end }}
{{- if .Values.config.enableRegistration }}
You should be able to connect to your Synapse install with any compatible
Matrix client - and register an account - as soon as final setup is done.
You can also create an admin user with the following command;
{{- else }}
You can create a user in your new Synapse install by running the following
command; (replacing USERNAME and PASSWORD)
{{- end }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=synapse" -o jsonpath="{.items[0].metadata.name}")
kubectl exec --namespace {{ .Release.Namespace }} $POD_NAME -- register_new_matrix_user -c /synapse/config/homeserver.yaml -c /synapse/config/conf.d/secrets.yaml -u USERNAME -p PASSWORD --admin http://localhost:8008
You can also specify --no-admin to create a non-admin user.
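Review bot: the suggested `register_new_matrix_user ... -u USERNAME -p PASSWORD --admin` puts the admin password on the command line, where it ends up in the operator's shell history and is visible in the pod's process list while the command runs; `register_new_matrix_user` prompts for the password when `-p` is omitted, so recommend that form in NOTES.txt and keep `-p` only as an aside for scripted use.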

@ -0,0 +1,288 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "matrix-synapse.name" -}}
{{- .Values.nameOverride | default .Chart.Name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "matrix-synapse.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := .Values.nameOverride | default .Chart.Name -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create a default replication name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "matrix-synapse.replicationname" -}}
{{- printf "%s-%s" .Release.Name "replication" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default worker name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "matrix-synapse.workername" -}}
{{- printf "%s-%s" .global.Release.Name .worker | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default external component name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "matrix-synapse.externalname" -}}
{{- printf "%s-%s" .global.Release.Name .external | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "matrix-synapse.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Get the correct image tag name
*/}}
{{- define "matrix-synapse.imageTag" -}}
{{- .Values.image.tag | default (printf "v%s" .Chart.AppVersion) -}}
{{- end -}}
{{/*
Common labels
*/}}
{{- define "matrix-synapse.labels" -}}
helm.sh/chart: {{ include "matrix-synapse.chart" . }}
{{ include "matrix-synapse.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{/*
Selector labels
*/}}
{{- define "matrix-synapse.selectorLabels" -}}
app.kubernetes.io/name: {{ include "matrix-synapse.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}
{{/*
Pull secrets
*/}}
{{- define "matrix-synapse.imagePullSecrets" -}}
{{- if or .Values.image.pullSecrets .Values.wellknown.image.pullSecrets .Values.volumePermissions.pullSecrets }}
imagePullSecrets:
{{- with .Values.image.pullSecrets }}
{{- . | toYaml | nindent 2 }}
{{- end }}
{{- with .Values.wellknown.image.pullSecrets }}
{{- . | toYaml | nindent 2 }}
{{- end }}
{{- with .Values.volumePermissions.image.pullSecrets }}
{{- . | toYaml | nindent 2 }}
{{- end }}
{{- end -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "matrix-synapse.postgresql.fullname" -}}
{{- printf "%s-%s" .Release.Name "postgresql" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Set postgres host
*/}}
{{- define "matrix-synapse.postgresql.host" -}}
{{- if .Values.postgresql.enabled -}}
{{- template "matrix-synapse.postgresql.fullname" . -}}
{{- else -}}
{{ required "A valid externalPostgresql.host is required" .Values.externalPostgresql.host }}
{{- end -}}
{{- end -}}
{{/*
Set postgres secret
*/}}
{{- define "matrix-synapse.postgresql.secret" -}}
{{- if .Values.postgresql.enabled -}}
{{- template "matrix-synapse.postgresql.fullname" . -}}
{{- else -}}
{{- template "matrix-synapse.fullname" . -}}
{{- end -}}
{{- end -}}
{{/*
Set postgres port
*/}}
{{- define "matrix-synapse.postgresql.port" -}}
{{- if .Values.postgresql.enabled -}}
{{- if .Values.postgresql.service -}}
{{- .Values.postgresql.service.port | default 5432 }}
{{- else -}}
5432
{{- end -}}
{{- else -}}
{{- required "A valid externalPostgresql.port is required" .Values.externalPostgresql.port -}}
{{- end -}}
{{- end -}}
{{/*
Set postgresql username
*/}}
{{- define "matrix-synapse.postgresql.username" -}}
{{- if .Values.postgresql.enabled -}}
{{ required "A valid postgresql.auth.username is required" .Values.postgresql.auth.username }}
{{- else -}}
{{ required "A valid externalPostgresql.username is required" .Values.externalPostgresql.username }}
{{- end -}}
{{- end -}}
{{/*
Set postgresql password
*/}}
{{- define "matrix-synapse.postgresql.password" -}}
{{- if .Values.postgresql.enabled -}}
{{ required "A valid postgresql.auth.password is required" .Values.postgresql.auth.password }}
{{- else if not (and .Values.externalPostgresql.existingSecret .Values.externalPostgresql.existingSecretPasswordKey) -}}
{{ required "A valid externalPostgresql.password is required" .Values.externalPostgresql.password }}
{{- end -}}
{{- end -}}
{{/*
Set postgresql database
*/}}
{{- define "matrix-synapse.postgresql.database" -}}
{{- if .Values.postgresql.enabled -}}
{{- if .Values.postgresql.postgresqlDatabase -}}
{{- fail "You need to switch to the new postgresql.auth values." -}}
{{- end -}}
{{- .Values.postgresql.auth.database | default "synapse" }}
{{- else -}}
{{ required "A valid externalPostgresql.database is required" .Values.externalPostgresql.database }}
{{- end -}}
{{- end -}}
{{/*
Set postgresql sslmode
*/}}
{{- define "matrix-synapse.postgresql.sslmode" -}}
{{- if .Values.postgresql.enabled -}}
{{- .Values.postgresql.sslmode | default "prefer" }}
{{- else -}}
{{- .Values.externalPostgresql.sslmode | default "prefer" }}
{{- end -}}
{{- end -}}
{{/*
Set postgresql extra args
Refer to https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS
for a list of options that can be passed.
*/}}
{{- define "matrix-synapse.postgresql.extraArgs" -}}
{{- if .Values.postgresql.enabled -}}
{{- with .Values.postgresql.extraArgs }}
{{- . | toYaml }}
{{- end }}
{{- else -}}
{{- with .Values.externalPostgresql.extraArgs }}
{{- . | toYaml }}
{{- end }}
{{- end -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "matrix-synapse.redis.fullname" -}}
{{- printf "%s-%s" .Release.Name "redis" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Set redis host
*/}}
{{- define "matrix-synapse.redis.host" -}}
{{- if .Values.redis.enabled -}}
{{- printf "%s-%s" (include "matrix-synapse.redis.fullname" .) "master" | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{ required "A valid externalRedis.host is required" .Values.externalRedis.host }}
{{- end -}}
{{- end -}}
{{/*
Set redis secret
*/}}
{{- define "matrix-synapse.redis.secret" -}}
{{- if .Values.redis.enabled -}}
{{- template "matrix-synapse.redis.fullname" . -}}
{{- else -}}
{{- template "matrix-synapse.fullname" . -}}
{{- end -}}
{{- end -}}
{{/*
Set redis port
*/}}
{{- define "matrix-synapse.redis.port" -}}
{{- if .Values.redis.enabled -}}
{{- .Values.redis.master.service.port | default 6379 }}
{{- else -}}
{{ required "A valid externalRedis.port is required" .Values.externalRedis.port }}
{{- end -}}
{{- end -}}
{{/*
Set redis password
*/}}
{{- define "matrix-synapse.redis.password" -}}
{{- if (and .Values.redis.enabled .Values.redis.password) -}}
{{ .Values.redis.password }}
{{- else if (and .Values.redis.enabled .Values.redis.auth.password) -}}
{{ .Values.redis.auth.password }}
{{- else if .Values.externalRedis.password -}}
{{ .Values.externalRedis.password }}
{{- end -}}
{{- end -}}
{{/*
Set redis database id
*/}}
{{- define "matrix-synapse.redis.dbid" -}}
{{- if .Values.redis.dbid -}}
{{ .Values.redis.dbid }}
{{- else if .Values.externalRedis.dbid -}}
{{ .Values.externalRedis.dbid }}
{{- end -}}
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "matrix-synapse.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "matrix-synapse.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}
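Review bot: `matrix-synapse.imagePullSecrets` is inconsistent with itself: the `or` guard tests `.Values.volumePermissions.pullSecrets`, but the body reads `.Values.volumePermissions.image.pullSecrets`, so a pull secret configured only under `volumePermissions.image` never produces an `imagePullSecrets:` key, while setting `volumePermissions.pullSecrets` passes the guard and emits an empty list; use the same key in both places. Documentation nit: the comment "Create a default fully qualified app name." is copy-pasted above `matrix-synapse.postgresql.fullname` and `matrix-synapse.redis.fullname`, where it should describe the subchart name being derived.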

@ -0,0 +1,14 @@
{{- if .Values.signingkey.job.enabled }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "matrix-synapse.fullname" . }}-scripts
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
annotations:
helm.sh/hook: pre-install
helm.sh/hook-delete-policy: hook-succeeded
data:
{{ (.Files.Glob "scripts/*.sh").AsConfig | indent 2 }}
{{- end }}
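Review bot: this `pre-install` hook ConfigMap has no `helm.sh/hook-weight`, and the Job that mounts `scripts/*.sh` is not in this hunk; hooks with equal weight are ordered only by kind and name, so give the ConfigMap an explicit lower weight (for example `helm.sh/hook-weight: "-5"`) than the Job so the ordering does not depend on naming. With `hook-delete-policy: hook-succeeded` the ConfigMap is removed once the pre-install hooks finish, which is fine, but if the Job is ever re-run on upgrade (`pre-upgrade`) this resource needs the same hook event or the Job will fail to mount it.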

@ -0,0 +1,171 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "matrix-synapse.fullname" . }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
data:
log.yaml: |
version: 1
formatters:
{{- if .Values.config.useStructuredLogging }}
structured:
class: synapse.logging.TerseJsonFormatter
{{- else }}
precise:
format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s- %(message)s'
{{- end }}
filters:
context:
(): synapse.util.logcontext.LoggingContextFilter
request: ""
handlers:
console:
class: logging.StreamHandler
formatter: {{ if .Values.config.useStructuredLogging }}structured{{ else }}precise{{ end }}
filters: [context]
level: {{ .Values.config.logLevel | default "INFO" }}
loggers:
synapse:
level: {{ .Values.config.logLevel | default "INFO" }}
{{- with .Values.extraLoggers -}}
{{ . | toYaml | nindent 8 }}
{{- end }}
root:
level: {{ .Values.config.logLevel | default "INFO" }}
handlers: [console]
homeserver.yaml: |
# NOTE:
# Secrets are stored in separate configs to better fit K8s concepts
## Server ##
server_name: {{ required "You need to specify a serverName" .Values.serverName | quote }}
public_baseurl: {{ .Values.config.publicBaseurl | default (printf "https://%s" (.Values.publicServerName | default .Values.serverName)) | quote }}
pid_file: /homeserver.pid
web_client: False
soft_file_limit: 0
log_config: "/synapse/config/log.yaml"
report_stats: {{ required "You need to specify config.reportStats" .Values.config.reportStats }}
instance_map:
main:
host: {{ include "matrix-synapse.replicationname" . }}
port: 9093
{{- $default := .Values.workers.default }}
{{- range $worker, $config := .Values.workers }}
{{- if and $config.enabled $config.name $config.listeners (has "replication" $config.listeners) }}
{{- $name := $worker | replace "_" "-" }}
{{ $config.name | quote }}:
host: {{ include "matrix-synapse.workername" (dict "global" $ "worker" $name) | quote }}
port: 9093
{{- end }}
{{- end }}
## Ports ##
{{- $bindAddresses := .Values.config.bindAddresses | default (list "::") }}
listeners:
- port: 8008
tls: false
bind_addresses: {{ toJson $bindAddresses }}
type: http
x_forwarded: true
resources:
- names:
- client
- federation
{{- with .Values.config.extraMainListenerTypes -}}
{{ . | toYaml | nindent 14 }}
{{- end }}
compress: false
- port: 9090
tls: false
bind_addresses: {{ toJson $bindAddresses }}
type: http
resources:
- names: [metrics]
compress: false
- port: 9093
tls: false
bind_addresses: {{ toJson $bindAddresses }}
type: http
resources:
- names: [replication]
compress: false
{{- if .Values.config.extraListeners }}
{{ .Values.config.extraListeners | toYaml | nindent 6 }}
{{- end }}
## Files ##
media_store_path: "/synapse/data/media"
uploads_path: "/synapse/data/uploads"
{{- if .Values.config.recaptcha }}
## Captcha ##
recaptcha_public_key: {{ .Values.config.recaptcha.publicKey | quote }}
enable_registration_captcha: true
{{- end }}
{{- if .Values.config.turnUris }}
## Turn ##
turn_uris:
{{ toYaml .Values.config.turnUris | nindent 6 }}
{{- end }}
## Registration ##
enable_registration: {{ .Values.config.enableRegistration | default false }}
## Metrics ###
enable_metrics: true
## Signing Keys ##
signing_key_path: "/synapse/keys/signing.key"
# The trusted servers to download signing keys from.
trusted_key_servers: {{- .Values.config.trustedKeyServers | toYaml | nindent 6 }}
## Workers ##
{{- $default := .Values.workers.default }}
{{- range $worker, $config := .Values.workers }}
{{- if $config.enabled }}
{{- if or (eq $worker "pusher") (eq ($config.app | default "") "pusher") }}
# For pusher worker
start_pushers: false
{{- else if or (eq $worker "appservice") (eq ($config.app | default "") "appservice") }}
# For appservice worker
notify_appservices_from_worker: {{ $config.name | quote }}
{{- else if or (eq $worker "federation_sender") (eq ($config.app | default "") "federation_sender") }}
# For federation_sender worker
send_federation: false
{{- else if or (eq $worker "media_repository") (eq ($config.app | default "") "media_repository") }}
# For media_repository worker
enable_media_repo: false
{{- else if or (eq $worker "user_dir") (eq ($config.app | default "") "user_dir") }}
# For user_dir worker
update_user_directory_from_worker: {{ $config.name | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- with .Values.extraConfig }}
## Extra config ##
{{ . | toYaml | nindent 4 }}
{{- end }}
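Review bot: `$default := .Values.workers.default` is assigned before both `range` loops over `.Values.workers` and never read; drop it, or if it is meant to supply per-worker defaults, merge it into `$config` inside the loop. On the listeners: the `replication` (9093) and `metrics` (9090) listeners bind to `::`, and Synapse's replication API carries no authentication of its own, so any pod that can reach the Synapse pod can read and inject replication traffic; this commit ships no NetworkPolicy, so at minimum document that, or add a policy limiting 9093 to the worker pods and 9090 to the scraper. Minor: the `precise` format string `%(request)s- %(message)s` is missing a space before the dash.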

@ -0,0 +1,200 @@
{{- $needsVolumePermissions := and .Values.volumePermissions.enabled (or .Values.persistence.enabled .Values.persistence.existingClaim) }}
{{- if (and .Values.postgresql.enabled (and (not .Values.postgresql.auth.password) (not .Values.postgresql.existingSecret))) -}}
{{- fail "You must specify a static postgres password or existing secret if using the included postgres chart" -}}
{{- end -}}
{{- if (and .Values.redis.enabled (and .Values.redis.usePassword (and (not .Values.redis.auth.password) (not .Values.redis.auth.existingSecret)))) -}}
{{- fail "You must specify a static redis password or existing secret if using the included redis chart" -}}
{{- end -}}
---
# Server: {{ required "A valid serverName is required" .Values.serverName }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "matrix-synapse.fullname" . }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
app.kubernetes.io/component: synapse
spec:
replicas: 1
strategy:
{{- toYaml .Values.synapse.strategy | nindent 4 }}
selector:
matchLabels:
{{- include "matrix-synapse.selectorLabels" . | nindent 6 }}
app.kubernetes.io/component: synapse
template:
metadata:
annotations:
checksum/config: {{ include (print $.Template.BasePath "/configuration.yaml") . | sha256sum }}
checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
{{- with .Values.synapse.annotations }}
{{ . | toYaml | nindent 8 }}
{{- end }}
labels:
{{- include "matrix-synapse.selectorLabels" . | nindent 8 }}
app.kubernetes.io/component: synapse
{{- with .Values.synapse.labels }}
{{ . | toYaml | nindent 8 }}
{{- end }}
spec:
serviceAccountName: {{ include "matrix-synapse.serviceAccountName" . }}
{{- include "matrix-synapse.imagePullSecrets" . | nindent 6 }}
securityContext:
{{- toYaml .Values.synapse.podSecurityContext | nindent 8 }}
{{- if $needsVolumePermissions }}
initContainers:
- name: volume-permissions
command:
- sh
- -c
- |
chown {{ .Values.volumePermissions.uid }}:{{ .Values.volumePermissions.gid }} -R /synapse/data
image: "{{ .Values.volumePermissions.image.repository }}:{{ .Values.volumePermissions.image.tag }}"
imagePullPolicy: {{ $.Values.volumePermissions.image.pullPolicy }}
resources:
{{- toYaml .Values.volumePermissions.resources | nindent 12 }}
securityContext:
runAsNonRoot: false
runAsUser: 0
volumeMounts:
- name: media
mountPath: /synapse/data
{{- end }}
containers:
- name: synapse
command:
- sh
- -c
- |
cat /synapse/secrets/*.yaml | \
sed -e "s/@@POSTGRES_PASSWORD@@/${POSTGRES_PASSWORD:-}/" \
-e "s/@@REDIS_PASSWORD@@/${REDIS_PASSWORD:-}/" \
> /synapse/config/conf.d/secrets.yaml
{{- if .Values.synapse.extraCommands }}
{{ range .Values.synapse.extraCommands }}
{{ . }}
{{- end }}
{{- end }}
exec python -B -m synapse.app.homeserver \
-c /synapse/config/homeserver.yaml \
-c /synapse/config/conf.d/
env:
{{- if or .Values.postgresql.enabled .Values.externalPostgresql.existingSecret }}
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
{{- if .Values.postgresql.enabled }}
name: {{ .Values.postgresql.existingSecret | default (include "matrix-synapse.postgresql.fullname" .) }}
key: password
{{- else }}
name: {{ .Values.externalPostgresql.existingSecret }}
key: {{ .Values.externalPostgresql.existingSecretPasswordKey }}
{{- end }}
{{- end }}
{{- if or (and .Values.redis.enabled (default .Values.redis.usePassword true)) .Values.externalRedis.existingSecret }}
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
{{- if .Values.redis.enabled }}
name: {{ .Values.redis.auth.existingSecret | default (include "matrix-synapse.redis.fullname" .) }}
key: redis-password
{{- else }}
name: {{ .Values.externalRedis.existingSecret }}
key: {{ .Values.externalRedis.existingSecretPasswordKey }}
{{- end -}}
{{- end }}
{{- with .Values.synapse.extraEnv }}
{{- . | toYaml | nindent 12 }}
{{- end }}
image: "{{ .Values.image.repository }}:{{ include "matrix-synapse.imageTag" . }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext:
{{- toYaml .Values.synapse.securityContext | nindent 12 }}
ports:
- name: http
containerPort: 8008
protocol: TCP
- name: replication
containerPort: 9093
protocol: TCP
- name: metrics
containerPort: 9090
protocol: TCP
{{- with .Values.synapse.livenessProbe }}
livenessProbe:
{{- . | toYaml | nindent 12 }}
{{- end }}
{{- with .Values.synapse.readinessProbe }}
readinessProbe:
{{- . | toYaml | nindent 12 }}
{{- end }}
{{- with .Values.synapse.startupProbe }}
startupProbe:
{{- . | toYaml | nindent 12 }}
{{- end }}
volumeMounts:
- name: config
mountPath: /synapse/config
- name: tmpconf
mountPath: /synapse/config/conf.d
- name: secrets
mountPath: /synapse/secrets
- name: signingkey
mountPath: /synapse/keys
- name: media
mountPath: /synapse/data
- name: tmpdir
mountPath: /tmp
{{- with .Values.synapse.extraVolumeMounts }}
{{- . | toYaml | nindent 12 }}
{{- end }}
resources:
{{- toYaml .Values.synapse.resources | nindent 12 }}
volumes:
- name: config
configMap:
name: {{ include "matrix-synapse.fullname" . }}
- name: secrets
secret:
secretName: {{ include "matrix-synapse.fullname" . }}
- name: signingkey
secret:
secretName: {{ .Values.signingkey.existingSecret | default (include "matrix-synapse.workername" (dict "global" . "worker" "signingkey")) | quote }}
items:
- key: {{ .Values.signingkey.existingSecretKey | default "signing.key" | quote }}
path: signing.key
- name: tmpconf
emptyDir: {}
- name: tmpdir
emptyDir: {}
- name: media
{{- $mediaworker := false }}
{{- range $worker, $config := .Values.workers }}
{{- if eq $worker "media_repository" }}
{{- $mediaworker = ($config.enabled | default false) }}
{{- end }}
{{- end }}
{{- if and .Values.persistence.enabled (not $mediaworker) }}
persistentVolumeClaim:
claimName: {{ .Values.persistence.existingClaim | default (include "matrix-synapse.fullname" .) }}
{{- else }}
emptyDir: {}
{{- end }}
{{- with .Values.synapse.extraVolumes }}
{{- . | toYaml | nindent 8 }}
{{- end }}
{{- with .Values.synapse.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.synapse.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.synapse.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
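Review bot: the redis guard at the top tests `.Values.redis.usePassword` as-is (unset → false → no `fail`), while the env block later uses `(default .Values.redis.usePassword true)` (unset → true), so with redis enabled and `usePassword` unset the guard passes yet `REDIS_PASSWORD` is still wired to a `redis-password` key that may not exist and the pod fails to start; apply the same defaulting in both places. The startup shell substitutes credentials with `sed -e "s/@@POSTGRES_PASSWORD@@/${POSTGRES_PASSWORD:-}/"`: a password containing `/`, `&` or `\` breaks the expression or is rewritten (`&` expands to the matched text), and the expanded value is briefly visible in the `sed` process arguments; a small `python -c` or `awk` reading the variables from the environment avoids both. The `volume-permissions` init container runs as root (`runAsUser: 0`) to `chown -R`; `fsGroup` in `podSecurityContext` achieves the same for most storage classes without a privileged container, so consider making it the documented default.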

@ -0,0 +1,195 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "matrix-synapse.fullname" . -}}
{{- $wkName := include "matrix-synapse.externalname" (dict "global" . "external" "wellknown-lighttpd") -}}
{{- $v1Ingress := .Capabilities.APIVersions.Has "networking.k8s.io/v1" -}}
{{- if $v1Ingress -}}
apiVersion: networking.k8s.io/v1
{{- else -}}
apiVersion: networking.k8s.io/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
{{- with .Values.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if .Values.ingress.className }}
ingressClassName: {{ .Values.ingress.className }}
{{- end }}
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
{{- if .secretName }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
{{- end }}
rules:
{{- $csHosts := .Values.ingress.csHosts }}
{{- if .Values.ingress.includeServerName }}
{{- $csHosts = concat (list (.Values.publicServerName | default .Values.serverName)) $csHosts }}
{{- end }}
{{- $s2sHosts := .Values.ingress.hosts }}
{{- if .Values.ingress.includeServerName }}
{{- $s2sHosts = concat (list .Values.serverName) $s2sHosts }}
{{- end }}
{{- $wkHosts := .Values.ingress.wkHosts }}
{{- if .Values.ingress.includeServerName }}
{{- $wkHosts = concat (list .Values.serverName) $wkHosts }}
{{- end }}
{{- $hosts := uniq (concat $s2sHosts $csHosts $wkHosts) }}
{{- range $hosts }}
{{- $host := . }}
- host: {{ . | quote }}
http:
paths:
{{- $default := $.Values.workers.default }}
{{- range $worker, $config := $.Values.workers }}
{{- $name := $worker | replace "_" "-" }}
{{- if and $config.enabled $config.listeners (or $config.paths $config.csPaths) }}
{{- $service := include "matrix-synapse.workername" (dict "global" $ "worker" $name) }}
{{- if has $host $csHosts }}
{{- range $config.csPaths }}
{{- if $.Values.ingress.traefikPaths }}
- path: {{ printf "/{path:%s}" (trimPrefix "/" .) | quote }}
backend:
{{- if $v1Ingress }}
service:
name: {{ $service }}
port:
number: 8083
pathType: ImplementationSpecific
{{- else }}
serviceName: {{ $service }}
servicePort: 8083
{{- end }}
{{- else }}
- path: {{ . | quote }}
backend:
{{- if $v1Ingress }}
service:
name: {{ $service }}
port:
number: 8083
pathType: ImplementationSpecific
{{- else }}
serviceName: {{ $service }}
servicePort: 8083
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- if has $host $s2sHosts }}
{{- range $config.paths }}
{{- if $.Values.ingress.traefikPaths }}
- path: {{ printf "/{path:%s}" (trimPrefix "/" .) | quote }}
backend:
{{- if $v1Ingress }}
service:
name: {{ $service }}
port:
number: 8083
pathType: ImplementationSpecific
{{- else }}
serviceName: {{ $service }}
servicePort: 8083
{{- end }}
{{- else }}
- path: {{ . | quote }}
backend:
{{- if $v1Ingress }}
service:
name: {{ $service }}
port:
number: 8083
pathType: ImplementationSpecific
{{- else }}
serviceName: {{ $service }}
servicePort: 8083
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- if has . $csHosts }}
{{- with $.Values.ingress.csPaths }}
{{ . | toYaml | nindent 10 }}
{{- end }}
{{- end }}
{{- if has . $s2sHosts }}
{{- with $.Values.ingress.paths }}
{{ . | toYaml | nindent 10 }}
{{- end }}
{{- end }}
{{- if or (has . $csHosts) (has . $s2sHosts) }}
- path: /_matrix
backend:
{{- if $v1Ingress }}
service:
name: {{ $fullName }}
port:
number: {{ $.Values.service.port }}
pathType: Prefix
{{- else }}
serviceName: {{ $fullName }}
servicePort: {{ $.Values.service.port }}
{{- end }}
{{- end }}
{{- if and (has . $csHosts) $.Values.ingress.includeUnderscoreSynapse }}
- path: /_synapse
backend:
{{- if $v1Ingress }}
service:
name: {{ $fullName }}
port:
number: {{ $.Values.service.port }}
pathType: Prefix
{{- else }}
serviceName: {{ $fullName }}
servicePort: {{ $.Values.service.port }}
{{- end }}
{{- end }}
{{- if has . $wkHosts }}
{{- if $.Values.wellknown.enabled }}
- path: /.well-known/matrix
backend:
{{- if $v1Ingress }}
service:
name: {{ $wkName }}
port:
number: {{ $.Values.wellknown.service.port | default 80 }}
pathType: Prefix
{{- else }}
serviceName: {{ $wkName }}
servicePort: {{ $.Values.wellknown.service.port | default 80 }}
{{- end }}
{{- else }}
- path: /.well-known/matrix
backend:
{{- if $v1Ingress }}
service:
name: {{ $fullName }}
port:
number: {{ $.Values.service.port }}
pathType: Prefix
{{- else }}
serviceName: {{ $fullName }}
servicePort: {{ $.Values.service.port }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
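Review bot: the `- path: /_synapse` block (the `ingress.includeUnderscoreSynapse` branch) routes the whole `/_synapse/` prefix to the main Synapse service, which includes the Synapse admin API under `/_synapse/admin` as well as `/_synapse/client`; the values comment for `includeUnderscoreSynapse` should state that enabling it exposes the admin API through the public ingress so operators can decide whether to put ingress-level auth or an IP allow-list in front of it. Separately, the four worker-path blocks (csPaths and paths, traefik and plain) are identical apart from the range source and each repeat the hard-coded `number: 8083` / `servicePort: 8083`; a small named template taking `$service`, the path and `$v1Ingress` would remove the duplication and keep the port in one place, matching the `- port: 8083` declared in the worker Service.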

View file

@ -0,0 +1,22 @@
{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: {{ template "matrix-synapse.fullname" . }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
spec:
accessModes:
- {{ .Values.persistence.accessMode | quote }}
resources:
requests:
storage: {{ .Values.persistence.size | quote }}
{{- if .Values.persistence.storageClass }}
{{- if (eq "-" .Values.persistence.storageClass) }}
storageClassName: ""
{{- else }}
storageClassName: "{{ .Values.persistence.storageClass }}"
{{- end }}
{{- end }}
{{- end -}}
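Review bot: the PersistentVolumeClaim carries no `helm.sh/resource-policy: keep` annotation, unlike the signing-key Secret in this commit, so `helm uninstall` deletes the media store together with the release; either add the annotation or document in values.yaml that `persistence.existingClaim` is the way to keep media across reinstalls.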

View file

@ -0,0 +1,64 @@
---
apiVersion: v1
kind: Service
metadata:
name: {{ include "matrix-synapse.fullname" . }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
spec:
type: {{ .Values.service.type | default "ClusterIP" }}
ports:
- port: {{ .Values.service.port }}
targetPort: {{ .Values.service.targetPort | default "http" }}
protocol: TCP
name: http
selector:
app.kubernetes.io/component: synapse
{{- include "matrix-synapse.selectorLabels" . | nindent 4 }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ include "matrix-synapse.replicationname" . }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
spec:
type: ClusterIP
ports:
- port: 9093
targetPort: replication
protocol: TCP
name: replication
selector:
{{- include "matrix-synapse.selectorLabels" . | nindent 4 }}
app.kubernetes.io/component: synapse
{{- $default := .Values.workers.default }}
{{- range $worker, $config := .Values.workers }}
{{- if and $config.enabled $config.listeners }}
{{- $name := $worker | replace "_" "-" }}
{{- $release := $.Release.Name }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ include "matrix-synapse.workername" (dict "global" $ "worker" $name) }}
labels:
{{- include "matrix-synapse.labels" $ | nindent 4 }}
spec:
type: ClusterIP
ports:
- port: 8083
targetPort: listener
protocol: TCP
name: listener
{{- if has "replication" $config.listeners }}
- port: 9093
targetPort: replication
protocol: TCP
name: replication
{{- end }}
selector:
{{- include "matrix-synapse.selectorLabels" $ | nindent 4 }}
app.kubernetes.io/component: {{ $name }}
{{- end }}
{{- end }}
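Review bot: `{{- $default := .Values.workers.default }}` and `{{- $release := $.Release.Name }}` are assigned but never used in this template; drop them. Minor: the main Service lists `app.kubernetes.io/component: synapse` before the `selectorLabels` include while the replication Service lists it after; harmless, but pick one order so the two selectors read the same.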

View file

@ -0,0 +1,12 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.serviceAccount.name | default (include "matrix-synapse.fullname" .) }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
annotations:
{{- with .Values.serviceAccount.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
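Review bot: `annotations:` is emitted unconditionally, so with the default `serviceAccount.annotations: {}` the rendered manifest contains an empty `annotations:` key; move the key inside the block (`{{- with .Values.serviceAccount.annotations }}` / `annotations:` / `{{- toYaml . | nindent 4 }}`, then `{{- end }}`). Also consider `automountServiceAccountToken: false` on this account: the Synapse and worker pods that reference it via `matrix-synapse.serviceAccountName` never call the Kubernetes API (the signing-key job uses its own dedicated account), so the token mounted into every pod is a credential with no purpose.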

View file

@ -0,0 +1,153 @@
{{- if .Values.signingkey.job.enabled }}
{{- if .Values.signingkey.existingSecret }}
{{- fail "Can't specify both signingkey.job.enabled and signingkey.existingSecret" }}
{{- end }}
{{- $name := include "matrix-synapse.workername" (dict "global" . "worker" "signingkey-job") }}
{{- $secretName := include "matrix-synapse.workername" (dict "global" . "worker" "signingkey") }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ $name }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
app.kubernetes.io/component: signingkey-job
annotations:
helm.sh/hook: pre-install
helm.sh/hook-delete-policy: hook-succeeded
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ $name }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
app.kubernetes.io/component: signingkey-job
annotations:
helm.sh/hook: pre-install
helm.sh/hook-delete-policy: hook-succeeded
rules:
- apiGroups:
- ""
resources:
- secrets
resourceNames:
- {{ $secretName }}
verbs:
- get
- update
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ $name }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
app.kubernetes.io/component: signingkey-job
annotations:
helm.sh/hook: pre-install
helm.sh/hook-delete-policy: hook-succeeded
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ $name }}
subjects:
- kind: ServiceAccount
name: {{ $name }}
namespace: {{ .Release.Namespace }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ $name }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
app.kubernetes.io/component: signingkey-job
annotations:
helm.sh/hook: pre-install
helm.sh/hook-delete-policy: hook-succeeded
{{- with .Values.signingkey.job.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
ttlSecondsAfterFinished: 0
template:
metadata:
labels:
{{- include "matrix-synapse.labels" . | nindent 8 }}
app.kubernetes.io/component: signingkey-job
spec:
containers:
- command:
- sh
- -c
- |
echo "Generating signing key..."
if which generate_signing_key.py >/dev/null; then
generate_signing_key.py -o /synapse/keys/signing.key
else
generate_signing_key -o /synapse/keys/signing.key
fi
image: "{{ .Values.signingkey.job.generateImage.repository }}:{{ .Values.signingkey.job.generateImage.tag | default "latest" }}"
imagePullPolicy: {{ .Values.signingkey.job.generateImage.pullPolicy }}
name: signing-key-generate
resources:
{{- toYaml .Values.signingkey.resources | nindent 12 }}
volumeMounts:
- mountPath: /synapse/keys
name: matrix-synapse-keys
- command:
- sh
- -c
- |
printf "Checking rights to update secret... "
kubectl auth can-i update secret/${SECRET_NAME}
/scripts/signing-key.sh
env:
- name: SECRET_NAME
value: {{ $secretName }}
image: "{{ .Values.signingkey.job.publishImage.repository }}:{{ .Values.signingkey.job.publishImage.tag | default "latest" }}"
imagePullPolicy: {{ .Values.signingkey.job.publishImage.pullPolicy }}
name: signing-key-upload
resources:
{{- toYaml .Values.signingkey.resources | nindent 12 }}
volumeMounts:
- mountPath: /scripts
name: scripts
readOnly: true
- mountPath: /synapse/keys
name: matrix-synapse-keys
readOnly: true
restartPolicy: Never
serviceAccount: {{ $name }}
volumes:
- name: scripts
configMap:
name: {{ include "matrix-synapse.fullname" . }}-scripts
defaultMode: 0755
- name: matrix-synapse-keys
emptyDir: {}
parallelism: 1
completions: 1
backoffLimit: 1
---
apiVersion: v1
kind: Secret
metadata:
annotations:
helm.sh/hook: pre-install
helm.sh/hook-delete-policy: never
helm.sh/resource-policy: keep
argocd.argoproj.io/hook: Skip
argocd.argoproj.io/hook-delete-policy: Never
name: {{ $secretName }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
app.kubernetes.io/component: signingkey-job
{{ $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) -}}
{{ if $secret -}}
data:
signing.key: {{ (b64dec (index $secret.data "signing.key")) | b64enc }}
{{ end -}}
{{- end }}
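Review bot: the `kubectl auth can-i update secret/${SECRET_NAME}` call in the `signing-key-upload` container only prints its result; its exit status is not checked, so a missing RBAC binding surfaces as a less obvious failure inside `/scripts/signing-key.sh`. Chain it with `|| exit 1` (or start the script with `set -e`). Two smaller points: `serviceAccount: {{ $name }}` at the pod level is the deprecated alias, `serviceAccountName:` is the current field and is what the worker Deployment in this commit already uses; and in the Secret template `(b64dec (index $secret.data "signing.key")) | b64enc` round-trips a value that is already base64, so `{{ index $secret.data "signing.key" }}` is equivalent and clearer.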

View file

@ -0,0 +1,16 @@
---
apiVersion: v1
kind: Pod
metadata:
name: "{{ include "matrix-synapse.fullname" . }}-test-connection"
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": test-success
spec:
containers:
- name: wget
image: busybox
command: ['wget']
args: ['{{ include "matrix-synapse.fullname" . }}:{{ $.Values.service.port }}/_matrix/client/versions']
restartPolicy: Never
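Review bot: `image: busybox` carries no tag, so every `helm test` pulls `latest` and the test is not reproducible; pin a tag, ideally through a values entry with a default like the other images in this chart.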

View file

@ -0,0 +1,66 @@
{{- if .Values.wellknown.enabled }}
{{- $wkName := include "matrix-synapse.externalname" (dict "global" . "external" "wellknown-lighttpd") -}}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ $wkName }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
component: well-known
data:
lighttpd.conf: |
server.port = 8080
{{ if .Values.wellknown.useIpv6}}
server.use-ipv6 = "enable"
{{ end }}
server.modules = (
"mod_rewrite",
"mod_status",
"mod_accesslog",
"mod_extforward",
"mod_setenv"
)
include "conf.d/00-mime-types.conf"
server.username = "lighttpd"
server.groupname = "lighttpd"
server.document-root = {{ .Values.wellknown.htdocsPath | quote }}
server.pid-file = "/run/lighttpd.pid"
url.rewrite-once = (
{{- $keys := concat (list "client" "server") (keys .Values.wellknown.extraData) }}
{{- range $key := initial $keys }}
"^/\.well-known/matrix/{{ $key }}" => "/{{ $key }}.json",
{{- end }}
"^/\.well-known/matrix/{{ last $keys }}" => "/{{ last $keys }}.json"
)
status.status-url = "/server-status"
extforward.forwarder = ( "all" => "trust")
setenv.add-response-header = (
"access-control-allow-headers" => "Origin, X-Requested-With, Content-Type, Accept, Authorization",
"access-control-allow-methods" => "GET, POST, PUT, DELETE, OPTIONS",
"access-control-allow-origin" => "*"
)
setenv.set-response-header = (
"content-type" => "application/json"
)
server.json: |-
{{- if .Values.wellknown.server }}
{{ toJson .Values.wellknown.server | nindent 4 }}
{{- else }}
{{ dict "m.server" (printf "%s:%d" (.Values.wellknown.host | default (.Values.publicServerName | default .Values.serverName)) (.Values.wellknown.port | default 443)) | toJson | indent 4 }}
{{- end }}
client.json: |-
{{- if .Values.wellknown.client }}
{{ toJson .Values.wellknown.client | nindent 4 }}
{{- else }}
{{ dict "m.homeserver" (dict "base_url" (printf "https://%s/" (.Values.publicServerName | default .Values.serverName))) | toJson | indent 4 }}
{{- end }}
{{- range $key, $value := .Values.wellknown.extraData }}
{{ $key }}.json: |-
{{- if $value | kindIs "string" -}}
{{ $value | nindent 4 }}
{{- else -}}
{{ $value | toJson | nindent 4 }}
{{- end -}}
{{- end -}}
{{- end -}}
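Review bot: the `url.rewrite-once` patterns are anchored only at the start (`"^/\.well-known/matrix/client"`), so `/.well-known/matrix/clientXYZ` is also rewritten to `client.json`; append `$` to each, i.e. `"^/\.well-known/matrix/{{ $key }}$"`. Also `extforward.forwarder = ( "all" => "trust")` accepts `X-Forwarded-For` from any peer; because the pod is reachable only through its ClusterIP Service this mostly affects access-log accuracy, but listing the ingress controller's address range would be the tighter default. Finally, `setenv.set-response-header` applies `content-type: application/json` to every response including `/server-status`, which is HTML; scope it with a `$HTTP["url"] =~ "^/\.well-known/" { ... }` condition.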

View file

@ -0,0 +1,95 @@
{{- if .Values.wellknown.enabled }}
{{- $wkName := include "matrix-synapse.externalname" (dict "global" . "external" "wellknown-lighttpd") -}}
---
apiVersion: v1
kind: Service
metadata:
name: {{ $wkName }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
app.kubernetes.io/component: well-known
spec:
type: {{ .Values.wellknown.service.type | default "ClusterIP" }}
ports:
- port: {{ .Values.wellknown.service.port | default 80 }}
targetPort: http
protocol: TCP
name: http
selector:
{{- include "matrix-synapse.selectorLabels" . | nindent 4 }}
app.kubernetes.io/component: well-known
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ $wkName }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
app.kubernetes.io/component: well-known
spec:
replicas: {{ .Values.wellknown.replicaCount | default 1 }}
selector:
matchLabels:
{{- include "matrix-synapse.selectorLabels" . | nindent 6 }}
app.kubernetes.io/component: well-known
template:
metadata:
annotations:
checksum/config: {{ include (print .Template.BasePath "/well-known-config.yaml") . | sha256sum }}
labels:
{{- include "matrix-synapse.selectorLabels" . | nindent 8 }}
app.kubernetes.io/component: well-known
spec:
{{- include "matrix-synapse.imagePullSecrets" . | nindent 6 }}
securityContext:
{{- toYaml .Values.wellknown.podSecurityContext | nindent 8 }}
containers:
- name: lighttpd
image: "{{ .Values.wellknown.image.repository }}:{{ .Values.wellknown.image.tag }}"
imagePullPolicy: {{ .Values.wellknown.image.pullPolicy }}
securityContext:
{{- toYaml .Values.wellknown.securityContext | nindent 12 }}
ports:
- containerPort: 8080
name: http
protocol: TCP
readinessProbe:
tcpSocket:
port: http
livenessProbe:
httpGet:
path: /server-status
port: http
volumeMounts:
- mountPath: /etc/lighttpd/lighttpd.conf
name: files
subPath: lighttpd.conf
{{- $keys := concat (list "client" "server") (keys .Values.wellknown.extraData) }}
{{- range $key := $keys }}
- mountPath: {{ $.Values.wellknown.htdocsPath }}/{{ $key }}.json
name: files
subPath: {{ $key }}.json
{{- end }}
- mountPath: /run
name: run
resources:
{{- toYaml .Values.wellknown.resources | nindent 12 }}
volumes:
- name: files
configMap:
name: {{ $wkName }}
- name: run
emptyDir: {}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
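Review bot: `image: "{{ .Values.wellknown.image.repository }}:{{ .Values.wellknown.image.tag }}"` has no `| default`, unlike the `signingkey` images, so an unset `wellknown.image.tag` renders as `repository:` and the pod fails to pull; add a default here or a pinned tag in values.yaml. Also `nodeSelector`, `affinity` and `tolerations` read the top-level `.Values.nodeSelector`, `.Values.affinity` and `.Values.tolerations`, whereas every other knob in this Deployment (`podSecurityContext`, `securityContext`, `resources`, `replicaCount`) lives under `.Values.wellknown`; if the top-level keys are meant as a shared default, document that, otherwise move them under `wellknown`.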

View file

@ -0,0 +1,80 @@
{{- $any := false }}
{{- range $worker, $config := .Values.workers }}
{{- if $config.enabled }}
{{- $any = true }}
{{- end }}
{{- end }}
{{- if $any }}
{{- $wkName := include "matrix-synapse.workername" (dict "global" . "worker" "workers") -}}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ $wkName }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
data:
{{- $default := .Values.workers.default -}}
{{- range $worker, $config := .Values.workers -}}
{{- if $config.enabled -}}
{{- $name := $worker | replace "_" "-" }}
{{- $app := $config.app | default $worker }}
{{ $name }}.worker: |
worker_app: "synapse.app.{{ (not (not $config.generic)) | ternary "generic_worker" $app }}"
{{- if $config.name -}}
{{- if (gt ($config.replicaCount | int) 1) -}}
{{- fail "Replica count must be 1 if a worker has a unique name." -}}
{{- end }}
worker_name: {{ $config.name }}
{{- end }}
{{- $bindAddresses := $config.bindAddresses | default $.Values.config.bindAddresses | default (list "::") }}
worker_listeners:
- port: 9090
tls: false
bind_addresses: {{ toJson $bindAddresses }}
type: http
resources:
- names: [metrics]
compress: false
{{- if $config.listeners }}
{{- if has "replication" $config.listeners }}
{{- if not $config.name }}
{{- fail "Workers with replication listeners must have unique names." }}
{{- end }}
- port: 9093
tls: false
bind_addresses: {{ toJson $bindAddresses }}
type: http
x_forwarded: true
resources:
- names: [replication]
compress: false
{{- end }}
- port: 8083
tls: false
bind_addresses: {{ toJson $bindAddresses }}
type: http
x_forwarded: true
resources:
- names:
{{- toYaml (without $config.listeners "replication") | nindent 14 }}
compress: false
{{- end }}
worker_log_config: /synapse/config/log.yaml
{{- if $config.extraConfig }}
# Extra config
{{ toYaml $config.extraConfig | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
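Review bot: the `worker_app: "synapse.app.{{ (not (not $config.generic)) | ternary "generic_worker" $app }}"` expression is duplicated verbatim in the worker Deployment's `exec python -B -m synapse.app...` command; a named template (for example `matrix-synapse.workerApp`) would keep the two from drifting. `{{- $default := .Values.workers.default -}}` is assigned but unused here. One documentation point: `x_forwarded: true` on the port 8083 listener makes Synapse take the client IP from `X-Forwarded-For`, which is right behind the ingress but also means any pod that can reach a worker directly inside the cluster can set that header; the chart docs should recommend a NetworkPolicy limiting 8083 to the ingress controller, and the replication listener on 9093 does not need `x_forwarded` at all since only the main process talks to it.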

View file

@ -0,0 +1,213 @@
{{- $needsVolumePermissions := and .Values.volumePermissions.enabled (or .Values.persistence.enabled .Values.persistence.existingClaim) }}
{{- $default := .Values.workers.default }}
{{- range $worker, $config := .Values.workers }}
{{- if $config.enabled }}
{{- $name := $worker | replace "_" "-" }}
{{- $app := $config.app | default $worker }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "matrix-synapse.workername" (dict "global" $ "worker" $name) }}
labels:
{{- include "matrix-synapse.labels" $ | nindent 4 }}
app.kubernetes.io/component: {{ $name }}
spec:
replicas: {{ $config.replicaCount | default $default.replicaCount }}
{{- with ($config.strategy | default $default.strategy) }}
strategy:
{{- toYaml . | nindent 4 }}
{{- end }}
selector:
matchLabels:
{{- include "matrix-synapse.selectorLabels" $ | nindent 6 }}
app.kubernetes.io/component: {{ $name }}
template:
metadata:
annotations:
checksum/config: {{ include (print $.Template.BasePath "/configuration.yaml") $ | sha256sum }}
checksum/worker-config: {{ include (print $.Template.BasePath "/worker-configuration.yaml") $ | sha256sum }}
checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") $ | sha256sum }}
{{- with ($config.annotations | default $default.annotations) }}
{{ . | toYaml | nindent 8 }}
{{- end }}
labels:
{{- include "matrix-synapse.selectorLabels" $ | nindent 8 }}
app.kubernetes.io/component: {{ $name }}
{{- with ($config.labels | default $default.labels) }}
{{ . | toYaml | nindent 8 }}
{{- end }}
spec:
serviceAccountName: {{ include "matrix-synapse.serviceAccountName" $ }}
{{- include "matrix-synapse.imagePullSecrets" $ | nindent 6 }}
securityContext:
{{- $config.podSecurityContext | default $default.podSecurityContext | toYaml | nindent 8 }}
{{- if and $needsVolumePermissions (eq $name "media-repository") }}
initContainers:
- name: volume-permissions
command:
- sh
- -c
- |
chown {{ $.Values.volumePermissions.uid }}:{{ $.Values.volumePermissions.gid }} -R /synapse/data
image: "{{ $.Values.volumePermissions.image.repository }}:{{ $.Values.volumePermissions.image.tag }}"
imagePullPolicy: {{ $.Values.volumePermissions.image.pullPolicy }}
securityContext:
runAsNonRoot: false
runAsUser: 0
resources: {{ $.Values.volumePermissions.resources | toYaml | nindent 12 }}
volumeMounts:
- name: media
mountPath: /synapse/data
{{- end }}
containers:
- name: {{ $name }}
command:
- sh
- -c
- |
cat /synapse/secrets/*.yaml | \
sed -e "s/@@POSTGRES_PASSWORD@@/${POSTGRES_PASSWORD:-}/" \
-e "s/@@REDIS_PASSWORD@@/${REDIS_PASSWORD:-}/" \
> /synapse/config/conf.d/secrets.yaml
{{- if (or $config.extraCommands $default.extraCommands) }}
{{- with $config.extraCommands | default $default.extraCommands }}
{{ range . }}
{{ . | nindent 14 }}
{{- end }}
{{- end }}
{{- end }}
exec python -B -m synapse.app.{{ (not (not $config.generic)) | ternary "generic_worker" $app }} \
-c /synapse/config/homeserver.yaml \
-c /synapse/config/conf.d/ \
-c /synapse/config/{{ $name }}.worker
env:
{{- if or $.Values.postgresql.enabled $.Values.externalPostgresql.existingSecret }}
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
{{- if $.Values.postgresql.enabled }}
name: {{ $.Values.postgresql.existingSecret | default (include "matrix-synapse.postgresql.fullname" $) }}
key: password
{{- else }}
name: {{ $.Values.externalPostgresql.existingSecret }}
key: {{ $.Values.externalPostgresql.existingSecretPasswordKey }}
{{- end }}
{{- end }}
{{- if or (and $.Values.redis.enabled (default $.Values.redis.usePassword true)) $.Values.externalRedis.existingSecret }}
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
{{- if $.Values.redis.enabled }}
name: {{ $.Values.redis.auth.existingSecret | default (include "matrix-synapse.redis.fullname" $) }}
key: redis-password
{{- else }}
name: {{ $.Values.externalRedis.existingSecret }}
key: {{ $.Values.externalRedis.existingSecretPasswordKey }}
{{- end -}}
{{- end }}
{{- with $config.extraEnv | default $default.extraEnv }}
{{- . | toYaml | nindent 12 }}
{{- end }}
securityContext:
{{- $config.securityContext | default $default.securityContext | toYaml | nindent 12 }}
image: "{{ $.Values.image.repository }}:{{ include "matrix-synapse.imageTag" $ }}"
imagePullPolicy: {{ $.Values.image.pullPolicy }}
ports:
- name: metrics
containerPort: 9090
protocol: TCP
{{- if $config.listeners }}
- name: listener
containerPort: 8083
protocol: TCP
{{- if has "replication" $config.listeners }}
- name: replication
containerPort: 9093
protocol: TCP
{{- end }}
{{- if (or $config.readinessProbe $default.readinessProbe) }}
readinessProbe:
{{- $config.readinessProbe | default $default.readinessProbe | toYaml | nindent 12 }}
{{- end }}
{{- end }}
{{- if (or $config.livenessProbe $default.livenessProbe) }}
livenessProbe:
{{- $config.livenessProbe | default $default.livenessProbe | toYaml | nindent 12 }}
{{- end }}
{{- if (or $config.startupProbe $default.startupProbe) }}
startupProbe:
{{- $config.startupProbe | default $default.startupProbe | toYaml | nindent 12 }}
{{- end }}
resources:
{{- $config.resources | default $default.resources | toYaml | nindent 12 }}
volumeMounts:
- name: config
mountPath: /synapse/config/homeserver.yaml
subPath: homeserver.yaml
- name: config
mountPath: /synapse/config/log.yaml
subPath: log.yaml
- name: worker-config
mountPath: /synapse/config/{{ $name }}.worker
subPath: {{ $name }}.worker
- name: tmpconf
mountPath: /synapse/config/conf.d
- name: secrets
mountPath: /synapse/secrets
- name: signingkey
mountPath: /synapse/keys
{{- if eq $name "media-repository" }}
- name: media
mountPath: /synapse/data
{{- end }}
{{- with $config.volumeMounts | default $default.volumeMounts }}
{{ . | toYaml | nindent 12 }}
{{- end }}
{{- with $config.nodeSelector | default $default.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $config.affinity | default $default.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $config.tolerations | default $default.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: config
configMap:
name: {{ include "matrix-synapse.fullname" $ }}
- name: worker-config
configMap:
name: {{ include "matrix-synapse.workername" (dict "global" $ "worker" "workers") }}
- name: secrets
secret:
secretName: {{ include "matrix-synapse.fullname" $ }}
- name: signingkey
secret:
secretName: {{ $.Values.signingkey.existingSecret | default (include "matrix-synapse.workername" (dict "global" $ "worker" "signingkey")) | quote }}
items:
- key: {{ $.Values.signingkey.existingSecretKey | default "signing.key" | quote }}
path: signing.key
- name: tmpconf
emptyDir: {}
{{- if eq $name "media-repository" }}
- name: media
{{- if $.Values.persistence.enabled }}
persistentVolumeClaim:
claimName: {{ $.Values.persistence.existingClaim | default (include "matrix-synapse.fullname" $) }}
{{- else }}
emptyDir: {}
{{- end }}
{{- end }}
{{- with $config.volumes | default $default.volumes }}
{{ . | toYaml | nindent 8 }}
{{- end }}
{{- end }}
{{- end }}
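Review bot: the secret substitution `sed -e "s/@@POSTGRES_PASSWORD@@/${POSTGRES_PASSWORD:-}/"` interpolates the password into the sed expression unescaped, so a password containing `/`, `&` or `\` either breaks the command (the `cat ... | sed > conf.d/secrets.yaml` pipeline then leaves an empty or malformed file and Synapse fails to start) or is silently altered; the same applies to `REDIS_PASSWORD`. Escape those characters first (`printf '%s' "$POSTGRES_PASSWORD" | sed 's/[\/&\\]/\\&/g'`) or do the substitution with a short Python snippet, which the image already has. Smaller: for `media-repository` with `persistence.enabled: false` the media store falls back to `emptyDir: {}`, so uploaded media is lost on every pod restart; the `persistence` comment in values.yaml should say so.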

View file

@ -0,0 +1,970 @@
---
## Docker image configuration, used for Synapse and workers.
##
image:
repository: matrixdotorg/synapse
## Tag to override with, will default to the application version.
##
# tag: ''
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
##
# pullSecrets:
# - myRegistryKeySecretName
## Override part of the installed name, will still keep release name.
##
# nameOverride: ""
## Override the full name of the installed chart.
##
# fullnameOverride: ""
## The Matrix domain name, this is what will be used for the domain part in
## your MXIDs.
##
# serverName: 'example.com'
## The public Matrix server name, this will be used for any public URLs
## in config as well as for client API links in the ingress.
# publicServerName: 'matrix.example.com'
## The source of the signing key used by Synapse in federation.
##
signingkey:
## Enable a Kubernetes job to generate and store a signing key if one does not
## exist.
## If you have already run a Matrix server at some point on your domain then
## you will want to keep the old signing key, either by using the `existingSecret`
## configuration, or by including the old key under `extraConfig.old_signing_keys`
##
## If you lose your signing key then any federation traffic from your instance
## might not be trusted any more by the wider network.
##
job:
enabled: true
## Annotations to apply to the signing-key-job.
##
annotations: {}
# argocd.argoproj.io/hook: PostSync
# argocd.argoproj.io/hook-delete-policy: HookSucceeded
generateImage:
repository: matrixdotorg/synapse
# tag: latest
pullPolicy: IfNotPresent
publishImage:
repository: bitnami/kubectl
# tag: latest
pullPolicy: IfNotPresent
## Specify an existing signing key secret, will need to be created in advance.
##
# existingSecret: secret-name
# existingSecretKey: signing.key
## Resources to apply to the signing key generation job
##
resources: {}
# limits:
# cpu: 100m
# memory: 250Mi
# requests:
# cpu: 100m
# memory: 250Mi
## Matrix configuration values that affect other parts of the chart, for any
## value not handled by this block, you will want to instead set it in
## extraConfig below.
## Ref: https://github.com/matrix-org/synapse/blob/develop/docs/sample_config.yaml
##
config:
## The publicly accessible URL for the Synapse instance, will default to
## https://<publicServerName>.
##
# publicBaseurl: 'https://matrix.example.com'
## The log level for Synapse and all modules.
##
# logLevel: INFO
## Should usage stats be reported
##
reportStats: false
## Protect registration with recaptcha. (optional)
##
# recaptcha:
# publicKey: ''
# privateKey: ''
## URIs and secret key for TURN servers to use to help establish 1:1 WebRTC
## calls.
##
# turnUris: []
# turnSecret: ''
## Registration configuration, note that registration with the
## container-internal register_new_matrix_user tool is always possible.
##
# enableRegistration: false
## NB; this value will default to a random string if not specified.
# registrationSharedSecret: ''
## NB; Strongly recommended to set this to a secure value.
# macaroonSecretKey: ''
## A set of trusted servers to contact if another server doesn't respond to a
## signing key request.
##
trustedKeyServers:
- server_name: matrix.org
# verify_keys:
# "ed25519:auto": "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"
## The bind addresses to use for the default listeners
##
# bindAddresses:
# - '::'
## Extra listeners to configure.
##
extraListeners: []
# - port: 9000
# bind_addresses: ['::']
# type: manhole
## Extra listener types to add onto the main listener.
##
extraMainListenerTypes: []
# - consent
## Logging
# use TerseJsonFormatter structured logging
# Ref: https://matrix-org.github.io/synapse/latest/structured_logging.html
useStructuredLogging: false
## Specify arbitrary Synapse configuration here;
## Ref: https://github.com/matrix-org/synapse/blob/develop/docs/sample_config.yaml
##
extraConfig: {}
# old_signing_keys:
# "ed25519:id": { key: "base64string", expired_ts: 123456789123 }
# use_presence: false
# enable_search: false
# federation_domain_whitelist:
# - lon.example.com
# - nyc.example.com
# - syd.example.com
# dynamic_thumbnails: true
## Specify additional loggers configutation here;
## Ref: https://matrix-org.github.io/synapse/latest/structured_logging.html
extraLoggers: {}
# synapse.storage.SQL:
# level: WARNING
## Specify arbitrary - secret - Synapse configuration here;
## These values will be stored in secrets instead of configmaps
## Ref: https://github.com/matrix-org/synapse/blob/develop/docs/sample_config.yaml
##
extraSecrets: {}
# password_config:
# pepper: ''
## Configuration to apply to the main Synapse pod.
##
synapse:
## Only really applicable when the deployment has an RWO PV attached (e.g. when media repository
## is enabled for the main Synapse pod)
## Since replicas = 1, an update can get "stuck", as the previous pod remains attached to the
## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will
## terminate the single previous pod, so that the new, incoming pod can attach to the PV
##
strategy:
type: RollingUpdate
## Annotations to apply to the main Synapse pod.
##
annotations: {}
# prometheus.io/scrape: "true"
# prometheus.io/path: "/_synapse/metrics"
# prometheus.io/port: "9090"
## Labels to apply to the main Synapse pod.
##
labels: {}
## Additional environment variables to apply to the main Synapse pod
##
extraEnv: []
# - name: LD_PRELOAD
# value: /usr/lib/x86_64-linux-gnu/libjemalloc.so.2
# - name: SYNAPSE_CACHE_FACTOR
# value: "2"
## Additional volumes to mount into Synapse
##
extraVolumes: []
# - name: spamcheck
# flexVolume:
# driver: ananace/git-live
# options:
# repo: https://github.com/company/synapse-module
# interval: 1d
# readOnly: true
extraVolumeMounts: []
# - name: spamcheck
# mountPath: /usr/local/lib/python3.7/site-packages/company
## Extra commands to run when starting Synapse
##
extraCommands: []
# - 'apt-get update -yqq && apt-get install patch -yqq'
# - 'patch -d/usr/local/lib/python3.7/site-packages/synapse -p2 < /synapse/patches/something.patch'
## Configuration for the pod security policy, Synapse will by always run as
## its own user, even if not set.
## Note that changing this may also require you to use the volumePermission
## helper depending on your storage.
##
## NB; The synapse install is currently unable to run as anything but UID:GID
## 666:666.
##
podSecurityContext: {}
# fsGroup: 666
# runAsGroup: 666
# runAsUser: 666
## Configuration for the container security policy, refer to the above
## podSecurityContext for more relevant information.
##
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 666
## Resources to apply to the main Synapse pod.
##
resources: {}
# limits:
# cpu: 1000m
# memory: 2500Mi
# requests:
# cpu: 1000m
# memory: 2500Mi
## Liveness probe configuration to use
##
livenessProbe:
httpGet:
path: /health
port: http
## Readiness probe configuration to use
##
readinessProbe:
httpGet:
path: /health
port: http
## Startup probe configuration to use
##
startupProbe:
failureThreshold: 12
httpGet:
path: /health
port: http
## Node selectors to set for the main Synapse pod.
##
nodeSelector: {}
## Tolerations to set for the main Synapse pod.
##
tolerations: []
## Affinity to set for the main Synapse pod.
##
affinity: {}
## Configuration for handling Synapse workers, which are useful for handling
## high-load deployments.
##
## More information is available at;
## https://github.com/matrix-org/synapse/blob/master/docs/workers.md
##
workers:
## Default configuration, this is inherited into all workers, and can also be
## overriden on each worker type.
##
default:
## The number of worker replicas, note that some workers require special
## handling. Refer to the information URL above.
##
replicaCount: 1
## Update strategy - only really applicable for deployments with RWO PVs attached (e.g. media repository)
## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the
## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will
## terminate the single previous pod, so that the new, incoming pod can attach to the PV
##
strategy:
type: RollingUpdate
## A specific name for this worker, can't be set globally.
## Note that this can only be set when replicaCount is 1
# name:
## Additional configuration to set for the worker, can't be set globally.
# extraConfig: {}
## Annotations to apply to the worker.
##
annotations: {}
# prometheus.io/scrape: "true"
# prometheus.io/path: /_synapse/metrics
# prometheus.io/port: 9090
## Additional environment variables to add to the worker.
##
extraEnv: []
# - name: LD_PRELOAD
# value: /usr/lib/x86_64-linux-gnu/libjemalloc.so.2
# - name: SYNAPSE_CACHE_FACTOR
# value: "1.0"
## Additional volumes to add to the worker.
## Useful for the media repo, or for adding Python modules.
##
volumes: []
volumeMounts: []
## Extra commands to run when starting Synapse
##
extraCommands: []
# - 'apt-get update -yqq && apt-get install patch -yqq'
# - 'patch -d/usr/local/lib/python3.7/site-packages/synapse -p2 < /synapse/patches/something.patch'
## Security context information to set to the worker.
##
podSecurityContext: {}
# fsGroup: 666
# runAsGroup: 666
# runAsUser: 666
## Container security context information to set to the worker.
##
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 666
## Resources to apply to the worker.
##
resources: {}
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
## Liveness probe configuration to use
##
livenessProbe:
httpGet:
path: /health
port: metrics
## Readiness probe configuration to use
##
readinessProbe:
httpGet:
path: /health
port: metrics
## Readiness probe configuration to use
## Defaults to allowing workers 60 seconds to start up
##
startupProbe:
failureThreshold: 6
httpGet:
path: /health
port: metrics
## Node selector configuration to set on the worker.
##
nodeSelector: {}
## Toleration configuration to set on the worker.
##
tolerations: []
## Affinity configuration to set on the worker.
##
affinity: {}
## The generic worker can be used to handle most endpoints.
## Be careful when enabling the sync endpoints as they can eat large amounts of
## resources. Refer to the information URL above for more info.
## Proper load balancing with the K8s Ingress resource may not be possible.
##
generic_worker:
enabled: false
generic: true
listeners: [client, federation]
csPaths:
## Sync requests
# - "/_matrix/client/(r0|v3)/sync$"
- "/_matrix/client/(api/v1|r0|v3)/events$"
# - "/_matrix/client/(api/v1|r0|v3)/initialSync$"
# - "/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$"
## Client API requests
- "/_matrix/client/(api/v1|r0|v3|unstable)/createRoom$"
- "/_matrix/client/(api/v1|r0|v3|unstable)/publicRooms$"
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/joined_members$"
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/context/"
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/members$"
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state$"
- "/_matrix/client/v1/rooms/.*/hierarchy$"
- "/_matrix/client/unstable/org.matrix.msc2716/rooms/.*/batch_send$"
- "/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$"
- "/_matrix/client/(r0|v3|unstable)/account/3pid$"
- "/_matrix/client/(r0|v3|unstable)/account/whoami$"
- "/_matrix/client/(r0|v3|unstable)/devices$"
- "/_matrix/client/versions$"
- "/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer$"
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/event/"
- "/_matrix/client/(api/v1|r0|v3|unstable)/joined_rooms$"
- "/_matrix/client/(api/v1|r0|v3|unstable)/search$"
## Encryption requests
- "/_matrix/client/(r0|v3|unstable)/keys/query$"
- "/_matrix/client/(r0|v3|unstable)/keys/changes$"
- "/_matrix/client/(r0|v3|unstable)/keys/claim$"
- "/_matrix/client/(r0|v3|unstable)/room_keys/"
## Registration/login requests
- "/_matrix/client/(api/v1|r0|v3|unstable)/login$"
- "/_matrix/client/(r0|v3|unstable)/register$"
- "/_matrix/client/v1/register/m.login.registration_token/validity$"
## Event sending requests
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/redact"
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/send"
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state/"
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$"
- "/_matrix/client/(api/v1|r0|v3|unstable)/join/"
- "/_matrix/client/(api/v1|r0|v3|unstable)/profile/"
## User directory search requests
- "/_matrix/client/(r0|v3|unstable)/user_directory/search"
## Worker event streams
## See https://matrix-org.github.io/synapse/latest/workers.html#stream-writers
##
## The typing event stream
# - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/typing"
## The to_device event stream
# - "/_matrix/client/(r0|v3|unstable)/sendToDevice/"
## The account_data event stream
# - "/_matrix/client/(r0|v3|unstable)/.*/tags"
# - "/_matrix/client/(r0|v3|unstable)/.*/account_data"
## The receipts event stream
# - "/_matrix/client/(r0|v3|unstable)/rooms/.*/receipt"
# - "/_matrix/client/(r0|v3|unstable)/rooms/.*/read_markers"
## The presence event stream
# - "/_matrix/client/(api/v1|r0|v3|unstable)/presence/"
paths:
## Federation requests
- "/_matrix/federation/v1/event/"
- "/_matrix/federation/v1/state/"
- "/_matrix/federation/v1/state_ids/"
- "/_matrix/federation/v1/backfill/"
- "/_matrix/federation/v1/get_missing_events/"
- "/_matrix/federation/v1/publicRooms"
- "/_matrix/federation/v1/query/"
- "/_matrix/federation/v1/make_join/"
- "/_matrix/federation/v1/make_leave/"
- "/_matrix/federation/(v1|v2)/send_join/"
- "/_matrix/federation/(v1|v2)/send_leave/"
- "/_matrix/federation/(v1|v2)/invite/"
- "/_matrix/federation/v1/event_auth/"
- "/_matrix/federation/v1/exchange_third_party_invite/"
- "/_matrix/federation/v1/user/devices/"
- "/_matrix/key/v2/query"
- "/_matrix/federation/v1/hierarchy/"
## Inbound federation transaction request
- "/_matrix/federation/v1/send/"
## To separate the generic worker into specific concerns - for example federation transaction receiving;
## NB; This worker should have incoming traffic routed based on source IP, which is
## left as an exercise to the reader.
## https://github.com/matrix-org/synapse/blob/develop/docs/workers.md#load-balancing
# federation_reader:
# enabled: true
# generic: true
# listeners: [federation]
# paths:
# - "/_matrix/federation/v1/send/"
## Or /sync handling.
## NB; Care should be taken to route users to the same instance when scaling this worker,
## this is left as an exercise to the reader.
## https://github.com/matrix-org/synapse/blob/develop/docs/workers.md#load-balancing
# synchrotron:
# enabled: true
# generic: true
# listeners: [client]
# csPaths:
# - "/_matrix/client/(v2_alpha|r0|v3)/sync$"
# - "/_matrix/client/(api/v1|v2_alpha|r0|v3)/events$"
# - "/_matrix/client/(api/v1|r0|v3)/initialSync$"
# - "/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$"
## Specialized - non-generic workers below;
## This worker deals with pushing notifications.
## NB; Only one instance of this worker can be run at a time, refer to the
## information URL above.
##
pusher:
enabled: false
## This worker handles sending data to registered appservices.
## NB; Only one instance of this worker can be run at at time, refer to the
## information URL above.
##
appservice:
enabled: false
generic: true
name: appservices
## This worker handles sending federation traffic to other Synapse servers.
##
federation_sender:
enabled: false
## Specialized workers can also be run as multiple separate instances,
## make sure to read the relevant documentation.
##
# federation_sender_other:
# app: federation_sender
# enabled: false
## This worker deals with serving and storing media.
## NB; Running multiple instances will conflict with background jobs.
##
media_repository:
enabled: false
listeners: [media]
csPaths:
- "/_matrix/media/.*"
- "/_synapse/admin/v1/purge_media_cache$"
- "/_synapse/admin/v1/room/.*/media"
- "/_synapse/admin/v1/user/.*/media"
- "/_synapse/admin/v1/media/"
- "/_synapse/admin/v1/quarantine_media/"
- "/_synapse/admin/v1/users/.*/media$"
paths:
- "/_matrix/media/.*"
## This worker deals with user directory searches.
##
user_dir:
enabled: false
name: userdir
listeners: [client]
csPaths:
- "/_matrix/client/(api/v1|r0|v3|unstable)/user_directory/search$"
## This worker handles key uploads, and may also stub out presence if that is
## disabled. If you set extraConfig.use_presence=false then you may want to
## uncomment the second path.
##
frontend_proxy:
enabled: false
listeners: [client]
csPaths:
- "/_matrix/client/(api/v1|r0|v3|unstable)/keys/upload"
# - "/_matrix/client/(api/v1|r0|v3|unstable)/presence/[^/]+/status"
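Review bot: the `appservice` worker comment has a doubled word, "can be run at at time", which should read "at a time", matching the `pusher` comment just above it. On the `media_repository` definition, the `csPaths` list routes a set of `/_synapse/admin/v1/...` media administration endpoints to the media worker while the worker only declares `listeners: [media]`; if that is intentional per the worker documentation it deserves a one-line comment, since the other `/_synapse/admin` routes are otherwise controlled only by `ingress.includeUnderscoreSynapse`, and an operator reading this block would not expect admin API paths to reach a media-only worker.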
## This will set up a Lighttpd server to respond to any
## /.well-known/matrix/server requests, to make federation possible without
## adding SRV-records to DNS.
##
wellknown:
enabled: false
replicaCount: 1
# Lighttpd does not bind on IPv6 by default, although this is required in
# Ipv6-only clusters.
useIpv6: false
## The host and port combo to serve on .well-known/matrix/server.
##
server: {}
# m.server: matrix.example.com:443
## Data to serve on .well-known/matrix/client.
##
client: {}
# m.homeserver:
# base_url: https://matrix.example.com
## Configuration for the wellknown service.
##
service:
type: ClusterIP
port: 80
## Extra data objects to serve under .well-known/matrix/<data>
## Dictionaries will be JSON converted, plain strings will be served as they are
##
extraData: {}
## MSC1929 example;
# support:
# admins:
# - matrix_id: '@admin:example.com'
# email_address: 'admin@example.com'
# role: 'admin'
# support_page: 'https://example.com/support'
## A custom htdocs path, useful when running another image.
##
htdocsPath: /var/www/localhost/htdocs
## The lighttpd image to run.
##
image:
repository: ghcr.io/rtsp/docker-lighttpd
tag: latest
pullPolicy: Always
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
##
# pullSecrets:
# - myRegistryKeySecretName
## Configuration for the pod security policy.
##
podSecurityContext: {}
# fsGroup: 101
# runAsGroup: 101
# runAsUser: 100
## Configuration for the container security policy.
##
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 100
## Resource configuration to apply to the well-known server.
##
resources: {}
# limits:
# cpu: 5m
# memory: 15Mi
# requests:
# cpu: 5m
# memory: 15Mi
## Node selectors to set for the well-known server.
##
nodeSelector: {}
## Tolerations to set for the well-known server.
##
tolerations: []
## Affinity to set for the main well-known server.
##
affinity: {}
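Review bot: the well-known server pulls `ghcr.io/rtsp/docker-lighttpd` with `tag: latest` and `pullPolicy: Always`, so every pod restart may silently roll to whatever that tag currently points at, including on the path that serves `/.well-known/matrix/server` for federation; pin the tag (or a digest) and let users override it, and consider making the commented `securityContext` (`capabilities: drop: [ALL]`, `readOnlyRootFilesystem: true`, `runAsNonRoot: true`) the default here as well, since a static file server has no reason to run otherwise. Minor: the `useIpv6` comment writes "Ipv6-only"; "IPv6-only" is the usual spelling.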
## This configuration is for setting up the internally provided Postgres server,
## if you instead want to use an existing server, then you may want to set
## enabled to false and configure the externalPostgresql block.
##
postgresql:
enabled: true
auth:
# XXX Change me!
password: synapse
## Or use existing secret with "password" key
## instead of static password
##
# existingSecret: postgresql-secret
username: synapse
database: synapse
primary:
initdb:
args: "--lc-collate=C --lc-ctype=C"
persistence:
# storageClass: "-"
size: 16Gi
## Extra arguments for the database connection
## ref: https://github.com/matrix-org/synapse/blob/develop/docs/postgres.md#synapse-config
##
extraArgs: {}
## An externally configured Postgres server to use for Synapse's database, note
## that the database needs to have both COLLATE and CTYPE set to "C".
##
externalPostgresql:
# host: postgres
port: 5432
username: synapse
# password: synapse
## The name of an existing secret with postgresql credentials
# existingSecret: postgres-secrets
## Password key to be retrieved from existing secret
# existingSecretPasswordKey: postgres-password
database: synapse
# sslmode: prefer
## Extra arguments for the database connection
## ref: https://github.com/matrix-org/synapse/blob/develop/docs/postgres.md#synapse-config
##
extraArgs: {}
## This configuration is for the internal Redis that's deployed for use with
## workers/sharding, for an external Redis server you want to set enabled to
## false and configure the externalRedis block.
##
redis:
enabled: true
## Database ID for non-default database
# dbid: 0
auth:
enabled: true
# XXX Change me!
password: synapse
## Or use existing secret with "redis-password" key
## instead of static password
##
# existingSecret: redis-secret
architecture: standalone
master:
kind: Deployment
persistence:
## Note that Synapse only uses redis as a synchronization utility, so no
## data will ever need to be persisted.
##
enabled: false
service:
port: 6379
## An externally configured Redis server to use for workers/sharding.
##
externalRedis:
# host: redis
port: 6379
# password: synapse
## Database ID for non-default database
# dbid: 0
## The name of an existing secret with redis credentials
# existingSecret: redis-secrets
## Password key to be retrieved from existing secret
# existingSecretPasswordKey: redis-password
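Review bot: both bundled data stores default to a static credential, `password: synapse` under `postgresql.auth` and again under `redis.auth`, with only an `# XXX Change me!` comment guarding them; an install that forgets to override either value runs with a well-known password on the database and on the Redis replication bus, and the rendered Secret will carry it. Prefer no default at all (fail the template when neither `password` nor `existingSecret` is set) or at minimum generate a random value, and document `existingSecret` / `existingSecretPasswordKey` as the recommended path, as the `externalPostgresql` and `externalRedis` blocks already do.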
## Persistence configuration for the media repository function.
## This PVC will be mounted in either Synapse or a media_repo worker.
##
## NB; If you want to be able to scale this, you will have to set the
## accessMode to RWX/ReadWriteMany.
##
persistence:
enabled: true
# existingClaim: synapse-data
# storageClass: "-"
accessMode: ReadWriteOnce
size: 10Gi
## Set up an init container to chown the mounted media if necessary.
##
volumePermissions:
enabled: false
uid: 666
gid: 666
image:
repository: alpine
tag: latest
pullPolicy: Always
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
##
# pullSecrets:
# - myRegistryKeySecretName
resources: {}
# resources:
# requests:
# memory: 128Mi
# cpu: 100m
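Review bot: `volumePermissions.image` is `alpine:latest` with `pullPolicy: Always`, the same unpinned-image concern as the well-known server, and this one runs as an init container that chowns the media volume, which is a privileged-ish operation; pin the tag and note in the comment that the container needs to run as root for the chown to succeed, so operators applying a restrictive pod security standard know which exception to grant. The `uid: 666` / `gid: 666` values should also be cross-referenced with the worker `podSecurityContext` example that uses the same ids, so the two stay in sync if either is changed.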
## Configuration for the main Synapse service.
## To use TLS inside Synapse itself, add an TLS listener, and change the ports
## configured in here.
##
service:
type: ClusterIP
port: 8008
targetPort: http
## The K8s ingress configuration, this will be quite heavily used in order to
## set up all routing necessary for use with a sharded Synapse instance.
## If you're not using a Ingress compatible K8s ingress, you will need to set up
## your own routing instead.
##
ingress:
enabled: true
## Generate traefik-compatible regex paths instead of nginx-compatible ones.
##
traefikPaths: false
## Annotations to apply to the created ingress resource.
##
annotations: {}
# nginx.ingress.kubernetes.io/use-regex: "true"
# # Sync proxy-body-size with Synapse's max_upload_size which is 10M by default
# nginx.ingress.kubernetes.io/proxy-body-size: 10m
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
## Hosts to add to the ingress configuration for handling Client-to-Server
## API request paths.
##
## NB; config.serverName is included if includeServerName is set. (default)
##
csHosts: []
# - matrix.example.com
## Additional hosts to add to the ingress configuration for handling
## Server-to-Server API requests.
##
## NB; config.serverName is included if includeServerName is set. (default)
##
hosts: []
# - example.com
## Additional hosts to add to the ingress configuration for handling
## well-known requests.
##
## NB; config.serverName is included if includeServerName is set. (default)
##
wkHosts: []
# - example.com
## Additional paths to add to the Server-to-Server ingress blocks, will be
## inserted before the /_matrix catch-all path.
##
paths: []
# # K8s 1.19+
# - path: /_matrix/media
# pathType: Prefix
# backend:
# service:
# name: matrix-media-repo
# port: 8000
# # K8s <1.19
# - path: /_matrix/media
# backend:
# serviceName: matrix-media-repo
# servicePort: 8000
## Additional paths to add to the Client-to-Server ingress blocks, will be
## inserted before the /_matrix and /_synapse catch-all paths.
##
csPaths: []
# # K8s 1.19+
# - path: /_matrix/media
# pathType: Prefix
# backend:
# service:
# name: matrix-media-repo
# port:
# number: 8000
# # K8s <1.19
# - path: /_matrix/media
# backend:
# serviceName: matrix-media-repo
# servicePort: 8000
## Should the /_synapse path be included in the ingress, admin APIs are
## provided under this path.
##
includeUnderscoreSynapse: true
## Should config.serverName be included in the list of ingress paths, can be
## set to false if the main domain is managed in some external way.
##
includeServerName: true
## TLS configuration to include in the ingress configuration
##
tls: []
# - secretName: chart-example-tls
# hosts:
# - example.com
# - matrix.example.com
## Set the name of the IngressClass cluster resource (optional)
## https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressSpec
# className: can-be-anything
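Review bot: `ingress.enabled: true` with `tls: []` means the default render exposes the client, federation and well-known hosts over plain HTTP and the `kubernetes.io/tls-acme: "true"` hint is only in the commented annotations; since `csHosts`, `hosts` and `wkHosts` are all empty by default too, the chart relies entirely on `includeServerName` to produce a usable ingress, and that combination is worth a comment telling the user that a `tls` entry (or cert-manager annotation) is needed before federation will work. Two smaller points: the comment "add an TLS listener" should read "add a TLS listener", and the commented `kubernetes.io/ingress.class: nginx` annotation duplicates what the `className` field below already configures, so one of the two should be marked as the preferred option.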
## Specifies whether a service account should be created, and annotations to add.
##
serviceAccount:
create: false
annotations: {}
# eks.amazonaws.com/role-arn: arn:aws:iam::000000000000:role/matrix-synapse
# name: non-default-service-name