Replace Synapse with Conduit

This commit is contained in:
Tommy 2023-10-29 09:24:48 +01:00
parent d6737ceb93
commit dfa885646e
40 changed files with 398 additions and 3187 deletions


@ -26,13 +26,9 @@ jobs:
run: |
git config user.name "$GITHUB_ACTOR"
git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
env:
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
- name: Install Helm
uses: azure/setup-helm@v3
env:
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
- name: Run chart-releaser
uses: helm/chart-releaser-action@v1.5.0
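Review bot: Both actions in this hunk are referenced by mutable tags (`azure/setup-helm@v3`, `helm/chart-releaser-action@v1.5.0`) rather than a commit SHA, so a force-moved tag or a compromised upstream repository silently changes what runs in a job that holds the `GITHUB_TOKEN` chart-releaser pushes with; pin them, e.g. `uses: azure/setup-helm@<full-commit-sha> # v3`, and let Dependabot/Renovate keep the comment current. The `CR_TOKEN` env on the "Install Helm" step hands the token to a step that never uses it — the hunk does not show which of the two duplicated env blocks this change removes, but the one on the chart-releaser step is the only one needed. The job's `permissions:` block is outside this hunk.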


@ -0,0 +1,8 @@
apiVersion: v2
name: conduit
description: Conduit is a simple, fast and reliable chat server powered by Matrix.
type: application
version: 0.2.1
appVersion: "0.6.0"


@ -0,0 +1,22 @@
1. Get the application URL by running these commands:
{{- if .Values.ingress.enabled }}
{{- range $host := .Values.ingress.hosts }}
{{- range .paths }}
http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
{{- end }}
{{- end }}
{{- else if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "conduit.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "conduit.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "conduit.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
echo http://$SERVICE_IP:{{ .Values.service.port }}
{{- else if contains "ClusterIP" .Values.service.type }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "conduit.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
echo "Visit http://127.0.0.1:8080 to use your application"
kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
{{- end }}


@ -1,7 +1,7 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "sliding-sync-proxy.name" -}}
{{- define "conduit.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
@ -10,7 +10,7 @@ Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "sliding-sync-proxy.fullname" -}}
{{- define "conduit.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
@ -26,16 +26,16 @@ If release name contains chart name it will be used as a full name.
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "sliding-sync-proxy.chart" -}}
{{- define "conduit.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "sliding-sync-proxy.labels" -}}
helm.sh/chart: {{ include "sliding-sync-proxy.chart" . }}
{{ include "sliding-sync-proxy.selectorLabels" . }}
{{- define "conduit.labels" -}}
helm.sh/chart: {{ include "conduit.chart" . }}
{{ include "conduit.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
@ -45,11 +45,18 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
{{/*
Selector labels
*/}}
{{- define "sliding-sync-proxy.selectorLabels" -}}
app.kubernetes.io/name: {{ include "sliding-sync-proxy.name" . }}
{{- define "conduit.selectorLabels" -}}
app.kubernetes.io/name: {{ include "conduit.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{- define "sliding-sync-proxy.postgresql.fullname" -}}
{{- printf "%s-%s" .Release.Name "postgresql" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "conduit.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "conduit.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}


@ -0,0 +1,126 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "conduit.fullname" . }}
labels:
{{- include "conduit.labels" . | nindent 4 }}
spec:
{{- if not .Values.autoscaling.enabled }}
replicas: {{ .Values.replicaCount }}
{{- end }}
strategy:
type: Recreate
selector:
matchLabels:
{{- include "conduit.selectorLabels" . | nindent 6 }}
type: conduit
template:
metadata:
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "conduit.selectorLabels" . | nindent 8 }}
{{- with .Values.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
type: conduit
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "conduit.serviceAccountName" . }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
containers:
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default (printf "v%s" .Chart.AppVersion) }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
ports:
- name: http
containerPort: {{ .Values.service.port }}
protocol: TCP
livenessProbe:
httpGet:
path: /
port: http
readinessProbe:
httpGet:
path: /
port: http
resources:
{{- toYaml .Values.resources | nindent 12 }}
env:
- name: "CONDUIT_PORT"
value: {{ .Values.service.port | quote }}
- name: "CONDUIT_ADDRESS"
value: "0.0.0.0"
- name: "CONDUIT_SERVER_NAME"
value: {{ .Values.conduit.server_name | quote }}
- name: "CONDUIT_DATABASE_PATH"
value: "/var/lib/matrix-conduit"
- name: "CONDUIT_DATABASE_BACKEND"
value: "rocksdb"
- name: "CONDUIT_ALLOW_CHECK_FOR_UPDATE"
value: "false"
- name: "CONDUIT_ALLOW_REGISTRATION"
value: {{ .Values.conduit.allowRegistration | quote }}
- name: "CONDUIT_ALLOW_ENCRYPTION"
value: {{ .Values.conduit.allowEncryption | quote }}
- name: "CONDUIT_ALLOW_FEDERATION"
value: {{ .Values.conduit.allowFederation | quote }}
- name: "CONDUIT_ALLOW_ROOM_CREATION"
value: {{ .Values.conduit.allowRoomCreation | quote }}
- name: "CONDUIT_ALLOW_UNSTABLE_ROOM_VERSIONS"
value: {{ .Values.conduit.allowUnstableRoomVersions | quote }}
- name: "CONDUIT_TRUSTED_SERVERS"
value: {{ toJson .Values.conduit.trustedServers | quote }}
- name: "CONDUIT_MAX_REQUEST_SIZE"
value: {{ .Values.conduit.maxRequestSize | quote }}
{{- with .Values.conduit.maxConcurrentRequests }}
- name: "CONDUIT_MAX_CONCURRENT_REQUESTS"
value: {{ . | quote }}
{{- end }}
{{- with .Values.conduit.log }}
- name: "CONDUIT_LOG"
value: {{ . | quote }}
{{- end }}
{{- with .Values.conduit.registrationToken }}
- name: "CONDUIT_REGISTRATION_TOKEN"
value: {{ . | quote }}
{{- end }}
{{- with .Values.conduit.wellKnownClient }}
- name: "CONDUIT_WELL_KNOWN_CLIENT"
value: {{ . | quote }}
{{- end }}
volumeMounts:
- name: "data"
mountPath: "/var/lib/matrix-conduit"
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: "data"
{{- if .Values.persistence.hostPath }}
hostPath:
type: Directory
path: {{ .Values.persistence.hostPath | quote }}
{{- else if .Values.persistence.enabled }}
persistentVolumeClaim:
claimName: {{ if .Values.persistence.existingClaim }}{{ .Values.persistence.existingClaim }}{{- else }}{{ template "conduit.fullname" . }}{{- end }}
{{- else }}
emptyDir: {}
{{- end }}
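Review bot: `CONDUIT_REGISTRATION_TOKEN` (the `with .Values.conduit.registrationToken` block at the end of the env list) is rendered as a plain-text env `value`, so the token lands in the Deployment object, in the Helm release secret's stored manifest and in the output of anything allowed to `get deployments` — it is never held as a Kubernetes Secret. Source it from a Secret via `valueFrom.secretKeyRef` instead, backed by a small `secret.yaml` template that creates the Secret from `conduit.registrationToken`, plus an `existingRegistrationTokenSecret` value for users who provision it out-of-band. With that in place the token also stops appearing in `helm get manifest`. The values default of `allowRegistration: false` is the right one, since `CONDUIT_ALLOW_REGISTRATION` without a token would mean open registration.
```yaml
          # … unchanged: other CONDUIT_* env entries …
          {{- if or .Values.conduit.registrationToken .Values.conduit.existingRegistrationTokenSecret }}
            - name: "CONDUIT_REGISTRATION_TOKEN"
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.conduit.existingRegistrationTokenSecret | default (include "conduit.fullname" .) }}
                  key: registration-token
          {{- end }}
```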


@ -1,16 +1,15 @@
{{- if .Values.autoscaling.enabled }}
---
apiVersion: autoscaling/v2beta1
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "sliding-sync-proxy.fullname" . }}
name: {{ include "conduit.fullname" . }}
labels:
{{- include "sliding-sync-proxy.labels" . | nindent 4 }}
{{- include "conduit.labels" . | nindent 4 }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "sliding-sync-proxy.fullname" . }}
name: {{ include "conduit.fullname" . }}
minReplicas: {{ .Values.autoscaling.minReplicas }}
maxReplicas: {{ .Values.autoscaling.maxReplicas }}
metrics:
@ -18,12 +17,16 @@ spec:
- type: Resource
resource:
name: cpu
targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
target:
type: Utilization
averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
{{- end }}
{{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
- type: Resource
resource:
name: memory
targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
target:
type: Utilization
averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
{{- end }}
{{- end }}
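Review bot: This HPA can scale the Conduit Deployment past one replica, but the Deployment in this commit uses `strategy: Recreate`, a single `data` volume (an RWO PVC by default) and an embedded RocksDB under `/var/lib/matrix-conduit`; a second pod either never attaches the volume or, with a hostPath or RWX volume, contends for the same RocksDB directory. Rather than leaving a trap behind `autoscaling.enabled`, fail the render when it cannot work: `{{- if gt (int .Values.autoscaling.maxReplicas) 1 }}{{ fail "conduit cannot run more than one replica against a single RocksDB volume" }}{{- end }}` at the top of this template. The values default of `maxReplicas: 100` makes the mistake easy to make.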


@ -0,0 +1,25 @@
{{- if and .Values.persistence.enabled ( not .Values.persistence.existingClaim) -}}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: {{ template "conduit.fullname" . }}
labels:
{{- include "conduit.labels" . | nindent 4 }}
{{- with .Values.persistence.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
spec:
accessModes:
- {{ .Values.persistence.accessMode | quote }}
resources:
requests:
storage: {{ .Values.persistence.size | quote }}
{{- with .Values.persistence.storageClass }}
{{- if (eq "-" .) }}
storageClassName: ""
{{- else }}
storageClassName: {{ . | quote }}
{{- end }}
{{- end }}
{{- end -}}
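Review bot: The PVC carries only the user-supplied `persistence.annotations`, so `helm uninstall` deletes the claim and with it the entire homeserver database at `/var/lib/matrix-conduit` — room state, media, and (I believe, worth confirming against Conduit) the federation signing key, which cannot be regenerated without other servers distrusting this server name. For a stateful service that is a destructive default; add a `persistence.keepOnUninstall` value defaulting to `true` and render `helm.sh/resource-policy: keep` into the annotations when it is set, e.g. `{{- if .Values.persistence.keepOnUninstall }}helm.sh/resource-policy: keep{{- end }}` inside the `annotations:` block. Users who want the claim gone can then opt out explicitly.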


@ -1,10 +1,9 @@
---
apiVersion: v1
kind: Service
metadata:
name: {{ include "sliding-sync-proxy.fullname" . }}
name: {{ include "conduit.fullname" . }}
labels:
{{- include "sliding-sync-proxy.labels" . | nindent 4 }}
{{- include "conduit.labels" . | nindent 4 }}
spec:
type: {{ .Values.service.type }}
ports:
@ -13,4 +12,5 @@ spec:
protocol: TCP
name: http
selector:
{{- include "sliding-sync-proxy.selectorLabels" . | nindent 4 }}
{{- include "conduit.selectorLabels" . | nindent 4 }}
type: conduit


@ -0,0 +1,12 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "conduit.serviceAccountName" . }}
labels:
{{- include "conduit.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
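Review bot: The ServiceAccount is created by default (`serviceAccount.create: true` in values) without `automountServiceAccountToken: false`, and the Deployment's pod spec does not set it either, so every Conduit pod gets a projected API token mounted under `/var/run/secrets/kubernetes.io/serviceaccount` even though nothing in the chart talks to the Kubernetes API. A compromised homeserver process would then hold a valid, if unprivileged, cluster identity to start from. Add `automountServiceAccountToken: {{ .Values.serviceAccount.automount | default false }}` as a top-level field of the ServiceAccount (alongside `metadata`), with `serviceAccount.automount: false` documented in values.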


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: "{{ include "conduit.fullname" . }}-test-connection"
labels:
{{- include "conduit.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": test
spec:
containers:
- name: wget
image: busybox
command: ['wget']
args: ['{{ include "conduit.fullname" . }}:{{ .Values.service.port }}']
restartPolicy: Never
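Review bot: The test pod pulls `busybox` with no tag, i.e. `busybox:latest`, so `helm test` runs whatever the registry currently serves under that tag rather than a known image; pin it, `image: busybox:1.36` (or a digest), matching the rest of the chart which pins its image tags. Also, busybox `wget` without `--spider`/`-O` writes the response to a file in the container's working directory, which fails once a read-only root filesystem is applied to test pods; `args: ['--spider', '{{ include "conduit.fullname" . }}:{{ .Values.service.port }}']` checks reachability without writing anything. Whether Conduit answers `/` with a non-error status is not visible here and determines whether this test can pass at all.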

158
charts/conduit/values.yaml Normal file

@ -0,0 +1,158 @@
# Default values for conduit.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
replicaCount: 1
image:
repository: registry.gitlab.com/famedly/conduit/matrix-conduit
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
tag: ""
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
serviceAccount:
# Specifies whether a service account should be created
create: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
conduit:
server_name: "your.server.name"
allowRegistration: false
allowEncryption: true
allowFederation: true
allowRoomCreation: true
allowUnstableRoomVersions: true
trustedServers:
- "matrix.org"
maxRequestSize: "20000000" # in bytes, ~20 MB
# maxConcurrentRequests: 100
maxConcurrentRequests:
# log: "warn,rocket=off,_=off,sled=off"
log:
registrationToken:
wellKnownClient: "your.server.name"
wellknown:
enabled: true
image:
repository: nginx
pullPolicy: IfNotPresent
tag: "1.25"
replicaCount: 1
podLabels: {}
podAnnotations: []
podSecurityContext: {}
securityContext: {}
containerPort: 80
env: []
resources: {}
nodeSelector: {}
tolerations: []
affinity: {}
service:
type: ClusterIP
port: 8080
annotations: {}
# TO EDIT:
server:
"m.server": "your.server.name:443"
client:
"m.homeserver":
"base_url": "https://your.server.name/"
"org.matrix.msc3575.proxy":
"url": "https://your.server.name/"
podLabels: {}
podAnnotations: {}
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
service:
type: ClusterIP
port: 6167
ingress:
enabled: false
className: ""
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
hosts:
- host: chart-example.local
paths:
- path: /
pathType: ImplementationSpecific
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 100
targetCPUUtilizationPercentage: 80
# targetMemoryUtilizationPercentage: 80
nodeSelector: {}
tolerations: []
affinity: {}
## Enable persistence using Persistent Volume Claims
## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
##
persistence:
enabled: true
annotations: {}
## Persistent Volume Storage Class
## If defined, storageClassName: <storageClass>
## If set to "-", storageClassName: "", which disables dynamic provisioning
## If undefined (the default) or set to null, no storageClassName spec is
## set, choosing the default provisioner. (gp2 on AWS, standard on
## GKE, AWS & OpenStack)
##
# storageClass: "-"
## A manually managed Persistent Volume and Claim
## Requires persistence.enabled: true
## If defined, PVC must be created manually before volume will be bound
# existingClaim:
## Do not create an PVC, direct use hostPath in Pod
# hostPath:
accessMode: ReadWriteOnce
size: 1Gi
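Review bot: The top-level `podSecurityContext`/`securityContext` keys (after the `wellknown` block) default to `{}` with the hardening left as commented-out hints, so out of the box Conduit runs as whatever user the image picks, with a writable root filesystem, the default capability set and privilege escalation allowed — for an internet-facing federation endpoint that is the wrong default. The only path the server needs to write is the `data` mount, so the restrictive defaults below are cheap; `runAsNonRoot` rather than a hard-coded `runAsUser` because I cannot confirm the upstream image's uid from here, and `fsGroup` so the RocksDB directory on the PVC is writable (if the binary needs a scratch `/tmp`, add an emptyDir mount rather than relaxing `readOnlyRootFilesystem`). Separately, none of the templates in this commit read the `wellknown` block, and its `org.matrix.msc3575.proxy` entry looks inherited from the sliding-sync chart; if nothing outside the files shown here consumes it, drop it so the values do not advertise a well-known endpoint the chart does not serve.
```yaml
podSecurityContext:
  fsGroup: 1000
  seccompProfile:
    type: RuntimeDefault
securityContext:
  runAsNonRoot: true
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  capabilities:
    drop:
      - ALL
```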


@ -1,22 +0,0 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/


@ -1,12 +0,0 @@
---
apiVersion: v2
name: matrix-synapse
description: Matrix reference homeserver
icon: https://matrix.org/images/matrix-logo.svg
appVersion: 1.94.0
type: application
version: 3.7.8
maintainers:
- name: Tommy Skaug
email: tommy@skaug.me


@ -1,13 +0,0 @@
Copyright 2021 Alexander Olofsson
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.


@ -1,90 +0,0 @@
Matrix Synapse
==============
[Synapse](https://github.com/matrix-org/synapse) is the current reference implementation of the [Matrix protocol](https://matrix.org).
For questions/help on the chart, feel free to drop in at [#matrix-on-kubernetes:fiksel.info](https://matrix.to/#/#matrix-on-kubernetes:fiksel.info).
This chart is hosted [on GitLab](https://gitlab.com/ananace/charts).
__Attention:__ _The upgrade to 1.51.0 requires manual action, please read the upgrade instructions [below](#upgrading)._
## Prerequisites
- Kubernetes 1.20+
- Helm 3.0+
- Ingress installed in the cluster
**NB**; Matrix requires the use of valid SSL certificates for federation.
## Installing
To run a federating Matrix server, you need to have a publicly accessible subdomain that Kubernetes has an ingress on.
You will also require some federation guides, either in the form of a `.well-known/matrix/server` server or as an SRV record in DNS.
When using a well-known entry, you will need to have a valid cert for whatever subdomain you wish to serve Synapse on.
When using an SRV record, you will additionally need a valid cert for the main domain that you're using for your MXIDs.
## Installation Examples
Refer to [the main Synapse docs](https://github.com/matrix-org/synapse/blob/master/docs/federate.md) for more information.
### On main domain / with subdomain MXIDs
For the simplest possible Matrix install, you can run your Synapse install on the root of the domain you wish in your MXIDs.
If you - for instance - own the domain `chosenin.space` and want to run Matrix on it, you would simply install the chart as;
helm install matrix-synapse ananace-charts/matrix-synapse --set serverName=chosenin.space --set wellknown.enabled=true
This would set up Synapse with client-server and federation both exposed on `chosenin.space/_matrix`, as well as a tiny lighttpd server that responds to federation lookups on `chosenin.space/.well-known/matrix/server`.
You can also use this to run a Synapse on a subdomain, with said subdomain as part of your MXIDs; (`@user:matrix.chosenin.space` in this case)
helm install matrix-synapse ananace-charts/matrix-synapse --set serverName=matrix.chosenin.space --set wellknown.enabled=true
### On separate subdomain
If - on the other hand - you own the domain `example.com`, want your MXIDs in the form `@user:example.com`, but still want to run your Synapse on `matrix.example.com`. Then you have two options, using either DNS or well-known;
For DNS, you could install the chart as;
helm install matrix-synapse ananace-charts/matrix-synapse --set serverName=example.com --set publicServerName=matrix.example.com
This will add federation endpoints to `example.com`, along with client endpoints on `matrix.example.com`. For this to work, you will need to have valid certs for both `example.com` as well as `matrix.example.com` for your Synapse to use.
To get federation working with such a setup, you would also need to add an SRV record to your DNS - for example;
_matrix._tcp.example.com 10 1 443 matrix.example.com
If you want to use a well-known file for federation instead of an SRV record, then your install might look more like;
helm install matrix-synapse ananace-charts/matrix-synapse --set serverName=example.com --set publicServerName=matrix.example.com --set wellknown.enabled=true
With well-known federation, your client-to-server/public host is the one that needs to handle both client and federation traffic. On your main domain you'll instead only need something that can respond with a JSON file on the URL `example.com/.well-known/matrix/server` - which the included wellknown server will gladly do for you.
Additionally, when using well-known federation, your Synapse cert only needs to be valid for `matrix.example.com`.
&nbsp;
More advanced setups can be made using `ingress.hosts`, `ingress.csHosts`, and `ingress.wkHosts` for server-server, client-server, and well-known endpoints respectively.
Alternatively, you can use your own ingress setup, or switch the main service to `LoadBalancer` and add a TLS listener.
### Application services / extra config files
Synapse is configured to read all configuration files found under `/synapse/config/conf.d/` - which is mounted as an emptyDir to allow for read-only root.
You can mount your additional configuration values under here if you want to have configuration that doesn't map well to the `extraConfig`/`extraSecrets` values.
Note that due to how the mounts are set up, you will have to `subPath`-mount individual files into the folder in order for them to be loaded.
## Upgrading
### To v1.51.0
The redis subchart was upgraded in this release which changed immutable values of the StatefulSet. So, to perform this upgrade, perform the following steps. Make sure to adapt the names and arguments to your situation.
```
# Delete the old StatefulSet but leave the Pod alive
kubectl delete statefulset --cascade=orphan matrix-synapse-redis-master
# Upgrade the chart and create a new StatfulSet for redis
helm upgrade matrix-synapse matrix-synapse
# Delete the old Pod so the new StatefulSet can take over
kubectl delete pod matrix-synapse-redis-master-0
```


@ -1,41 +0,0 @@
#!/bin/sh
set -eu
check_key() {
set +e
echo "Checking for existing signing key..."
key="$(kubectl get secret "$SECRET_NAME" -o jsonpath="{.data['signing\.key']}" 2> /dev/null)"
[ $? -ne 0 ] && return 1
[ -z "$key" ] && return 2
return 0
}
create_key() {
echo "Waiting for new signing key to be generated..."
begin=$(date +%s)
end=$((begin + 300)) # 5 minutes
while true; do
[ -f /synapse/keys/signing.key ] && return 0
[ "$(date +%s)" -gt $end ] && return 1
sleep 5
done
}
store_key() {
echo "Storing signing key in Kubernetes secret..."
kubectl patch secret "$SECRET_NAME" -p "{\"data\":{\"signing.key\":\"$(base64 /synapse/keys/signing.key | tr -d '\n')\"}}"
}
if check_key; then
echo "Key already in place, exiting."
exit
fi
if ! create_key; then
echo "Timed out waiting for a signing key to appear."
exit 1
fi
store_key


@ -1,41 +0,0 @@
** Note, this chart may take a while to finish setup, please be patient **
{{- if .Values.signingkey.job.enabled }}
** Also, remember to disable the signingkey job (signingkey.job.enabled=false) **
{{- end }}
{{- if not .Values.ingress.enabled }}
Synapse has been installed without an ingress, you will need to manage
accesses to the services yourself.
{{- else }}
Your Synapse install is now starting, you should soon be able to access it on
the following URL(s);
{{- range (concat .Values.ingress.csHosts (list (.Values.publicServerName | default .Values.serverName))) }}
{{- if $.Values.ingress.tls }}
https://{{ . }}
{{- else }}
http://{{ . }}
{{- end }}
{{- end }}
{{ if not .Values.wellknown.enabled }}
Note that for federation to work you will need to either add an SRV record or
set up a /.well-known/matrix/server response.
Refer to https://github.com/matrix-org/synapse/blob/master/docs/federate.md
for more information.
{{- end }}
{{- end }}
{{- if .Values.config.enableRegistration }}
You should be able to connect to your Synapse install with any compatible
Matrix client - and register an account - as soon as final setup is done.
You can also create an admin user with the following command;
{{- else }}
You can create a user in your new Synapse install by running the following
command; (replacing USERNAME and PASSWORD)
{{- end }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=synapse" -o jsonpath="{.items[0].metadata.name}")
kubectl exec --namespace {{ .Release.Namespace }} $POD_NAME -- register_new_matrix_user -c /synapse/config/homeserver.yaml -c /synapse/config/conf.d/secrets.yaml -u USERNAME -p PASSWORD --admin http://localhost:8008
You can also specify --no-admin to create a non-admin user.


@ -1,277 +0,0 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "matrix-synapse.name" -}}
{{- .Values.nameOverride | default .Chart.Name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "matrix-synapse.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := .Values.nameOverride | default .Chart.Name -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create a default replication name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "matrix-synapse.replicationname" -}}
{{- printf "%s-%s" .Release.Name "replication" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default worker name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "matrix-synapse.workername" -}}
{{- printf "%s-%s" .global.Release.Name .worker | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default external component name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "matrix-synapse.externalname" -}}
{{- printf "%s-%s" .global.Release.Name .external | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "matrix-synapse.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Get the correct image tag name
*/}}
{{- define "matrix-synapse.imageTag" -}}
{{- .Values.image.tag | default (printf "v%s" .Chart.AppVersion) -}}
{{- end -}}
{{/*
Common labels
*/}}
{{- define "matrix-synapse.labels" -}}
helm.sh/chart: {{ include "matrix-synapse.chart" . }}
{{ include "matrix-synapse.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{/*
Selector labels
*/}}
{{- define "matrix-synapse.selectorLabels" -}}
app.kubernetes.io/name: {{ include "matrix-synapse.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}
{{/*
Pull secrets
*/}}
{{- define "matrix-synapse.imagePullSecrets" -}}
{{- if or .Values.image.pullSecrets .Values.wellknown.image.pullSecrets .Values.volumePermissions.pullSecrets }}
imagePullSecrets:
{{- with .Values.image.pullSecrets }}
{{- . | toYaml | nindent 2 }}
{{- end }}
{{- with .Values.wellknown.image.pullSecrets }}
{{- . | toYaml | nindent 2 }}
{{- end }}
{{- with .Values.volumePermissions.image.pullSecrets }}
{{- . | toYaml | nindent 2 }}
{{- end }}
{{- end -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "matrix-synapse.postgresql.fullname" -}}
{{- printf "%s-%s" .Release.Name "postgresql" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Set postgres host
*/}}
{{- define "matrix-synapse.postgresql.host" -}}
{{- if .Values.postgresql.enabled -}}
{{- template "matrix-synapse.postgresql.fullname" . -}}
{{- else -}}
{{ required "A valid externalPostgresql.host is required" .Values.externalPostgresql.host }}
{{- end -}}
{{- end -}}
{{/*
Set postgres secret
*/}}
{{- define "matrix-synapse.postgresql.secret" -}}
{{- if .Values.postgresql.enabled -}}
{{- template "matrix-synapse.postgresql.fullname" . -}}
{{- else -}}
{{- template "matrix-synapse.fullname" . -}}
{{- end -}}
{{- end -}}
{{/*
Set postgres port
*/}}
{{- define "matrix-synapse.postgresql.port" -}}
{{- if .Values.postgresql.enabled -}}
{{- if .Values.postgresql.service -}}
{{- .Values.postgresql.service.port | default 5432 }}
{{- else -}}
5432
{{- end -}}
{{- else -}}
{{- required "A valid externalPostgresql.port is required" .Values.externalPostgresql.port -}}
{{- end -}}
{{- end -}}
{{/*
Set postgresql username
*/}}
{{- define "matrix-synapse.postgresql.username" -}}
{{- if .Values.postgresql.enabled -}}
{{ required "A valid postgresql.auth.username is required" .Values.postgresql.auth.username }}
{{- else -}}
{{ required "A valid externalPostgresql.username is required" .Values.externalPostgresql.username }}
{{- end -}}
{{- end -}}
{{/*
Set postgresql password
*/}}
{{- define "matrix-synapse.postgresql.password" -}}
{{- if .Values.postgresql.enabled -}}
{{ required "A valid postgresql.auth.password is required" .Values.postgresql.auth.password }}
{{- else if not (and .Values.externalPostgresql.existingSecret .Values.externalPostgresql.existingSecretPasswordKey) -}}
{{ required "A valid externalPostgresql.password is required" .Values.externalPostgresql.password }}
{{- end -}}
{{- end -}}
{{/*
Set postgresql database
*/}}
{{- define "matrix-synapse.postgresql.database" -}}
{{- if .Values.postgresql.enabled -}}
{{- if .Values.postgresql.postgresqlDatabase -}}
{{- fail "You need to switch to the new postgresql.auth values." -}}
{{- end -}}
{{- .Values.postgresql.auth.database | default "synapse" }}
{{- else -}}
{{ required "A valid externalPostgresql.database is required" .Values.externalPostgresql.database }}
{{- end -}}
{{- end -}}
{{/*
Set postgresql sslmode
*/}}
{{- define "matrix-synapse.postgresql.sslmode" -}}
{{- if .Values.postgresql.enabled -}}
{{- .Values.postgresql.sslmode | default "prefer" }}
{{- else -}}
{{- .Values.externalPostgresql.sslmode | default "prefer" }}
{{- end -}}
{{- end -}}
{{/*
Set postgresql extra args
Refer to https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS
for a list of options that can be passed.
*/}}
{{- define "matrix-synapse.postgresql.extraArgs" -}}
{{- if .Values.postgresql.enabled -}}
{{- with .Values.postgresql.extraArgs }}
{{- . | toYaml }}
{{- end }}
{{- else -}}
{{- with .Values.externalPostgresql.extraArgs }}
{{- . | toYaml }}
{{- end }}
{{- end -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "matrix-synapse.redis.fullname" -}}
{{- printf "%s-%s" .Release.Name "redis" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Set redis host
*/}}
{{- define "matrix-synapse.redis.host" -}}
{{- if .Values.redis.enabled -}}
{{- printf "%s-%s" (include "matrix-synapse.redis.fullname" .) "master" | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{ required "A valid externalRedis.host is required" .Values.externalRedis.host }}
{{- end -}}
{{- end -}}
{{/*
Set redis secret
*/}}
{{- define "matrix-synapse.redis.secret" -}}
{{- if .Values.redis.enabled -}}
{{- template "matrix-synapse.redis.fullname" . -}}
{{- else -}}
{{- template "matrix-synapse.fullname" . -}}
{{- end -}}
{{- end -}}
{{/*
Set redis port
*/}}
{{- define "matrix-synapse.redis.port" -}}
{{- if .Values.redis.enabled -}}
{{- .Values.redis.master.service.port | default 6379 }}
{{- else -}}
{{ required "A valid externalRedis.port is required" .Values.externalRedis.port }}
{{- end -}}
{{- end -}}
{{/*
Set redis password
*/}}
{{- define "matrix-synapse.redis.password" -}}
{{- if (and .Values.redis.enabled .Values.redis.password) -}}
{{ .Values.redis.password }}
{{- else if (and .Values.redis.enabled .Values.redis.auth.password) -}}
{{ .Values.redis.auth.password }}
{{- else if .Values.externalRedis.password -}}
{{ .Values.externalRedis.password }}
{{- end -}}
{{- end -}}
{{/*
Set redis database id
*/}}
{{- define "matrix-synapse.redis.dbid" -}}
{{- if .Values.redis.dbid -}}
{{ .Values.redis.dbid }}
{{- else if .Values.externalRedis.dbid -}}
{{ .Values.externalRedis.dbid }}
{{- end -}}
{{- end -}}


@ -1,14 +0,0 @@
{{- if .Values.signingkey.job.enabled }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "matrix-synapse.fullname" . }}-scripts
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
annotations:
helm.sh/hook: pre-install
helm.sh/hook-delete-policy: hook-succeeded
data:
{{ (.Files.Glob "scripts/*.sh").AsConfig | indent 2 }}
{{- end }}


@ -1,171 +0,0 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "matrix-synapse.fullname" . }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
data:
log.yaml: |
version: 1
formatters:
{{- if .Values.config.useStructuredLogging }}
structured:
class: synapse.logging.TerseJsonFormatter
{{- else }}
precise:
format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s- %(message)s'
{{- end }}
filters:
context:
(): synapse.util.logcontext.LoggingContextFilter
request: ""
handlers:
console:
class: logging.StreamHandler
formatter: {{ if .Values.config.useStructuredLogging }}structured{{ else }}precise{{ end }}
filters: [context]
level: {{ .Values.config.logLevel | default "INFO" }}
loggers:
synapse:
level: {{ .Values.config.logLevel | default "INFO" }}
{{- with .Values.extraLoggers -}}
{{ . | toYaml | nindent 8 }}
{{- end }}
root:
level: {{ .Values.config.logLevel | default "INFO" }}
handlers: [console]
homeserver.yaml: |
# NOTE:
# Secrets are stored in separate configs to better fit K8s concepts
## Server ##
server_name: {{ required "You need to specify a serverName" .Values.serverName | quote }}
public_baseurl: {{ .Values.config.publicBaseurl | default (printf "https://%s" (.Values.publicServerName | default .Values.serverName)) | quote }}
pid_file: /homeserver.pid
web_client: False
soft_file_limit: 0
log_config: "/synapse/config/log.yaml"
report_stats: {{ required "You need to specify config.reportStats" .Values.config.reportStats }}
instance_map:
main:
host: {{ include "matrix-synapse.replicationname" . }}
port: 9093
{{- $default := .Values.workers.default }}
{{- range $worker, $config := .Values.workers }}
{{- if and $config.enabled $config.name $config.listeners (has "replication" $config.listeners) }}
{{- $name := $worker | replace "_" "-" }}
{{ $config.name | quote }}:
host: {{ include "matrix-synapse.workername" (dict "global" $ "worker" $name) | quote }}
port: 9093
{{- end }}
{{- end }}
## Ports ##
{{- $bindAddresses := .Values.config.bindAddresses | default (list "::") }}
listeners:
- port: 8008
tls: false
bind_addresses: {{ toJson $bindAddresses }}
type: http
x_forwarded: true
resources:
- names:
- client
- federation
{{- with .Values.config.extraMainListenerTypes -}}
{{ . | toYaml | nindent 14 }}
{{- end }}
compress: false
- port: 9090
tls: false
bind_addresses: {{ toJson $bindAddresses }}
type: http
resources:
- names: [metrics]
compress: false
- port: 9093
tls: false
bind_addresses: {{ toJson $bindAddresses }}
type: http
resources:
- names: [replication]
compress: false
{{- if .Values.config.extraListeners }}
{{ .Values.config.extraListeners | toYaml | nindent 6 }}
{{- end }}
## Files ##
media_store_path: "/synapse/data/media"
uploads_path: "/synapse/data/uploads"
{{- if .Values.config.recaptcha }}
## Captcha ##
recaptcha_public_key: {{ .Values.config.recaptcha.publicKey | quote }}
enable_registration_captcha: true
{{- end }}
{{- if .Values.config.turnUris }}
## Turn ##
turn_uris:
{{ toYaml .Values.config.turnUris | nindent 6 }}
{{- end }}
## Registration ##
enable_registration: {{ .Values.config.enableRegistration | default false }}
## Metrics ###
enable_metrics: true
## Signing Keys ##
signing_key_path: "/synapse/keys/signing.key"
# The trusted servers to download signing keys from.
trusted_key_servers: {{- .Values.config.trustedKeyServers | toYaml | nindent 6 }}
## Workers ##
{{- $default := .Values.workers.default }}
{{- range $worker, $config := .Values.workers }}
{{- if $config.enabled }}
{{- if or (eq $worker "pusher") (eq ($config.app | default "") "pusher") }}
# For pusher worker
start_pushers: false
{{- else if or (eq $worker "appservice") (eq ($config.app | default "") "appservice") }}
# For appservice worker
notify_appservices_from_worker: {{ $config.name | quote }}
{{- else if or (eq $worker "federation_sender") (eq ($config.app | default "") "federation_sender") }}
# For federation_sender worker
send_federation: false
{{- else if or (eq $worker "media_repository") (eq ($config.app | default "") "media_repository") }}
# For media_repository worker
enable_media_repo: false
{{- else if or (eq $worker "user_dir") (eq ($config.app | default "") "user_dir") }}
# For user_dir worker
update_user_directory_from_worker: {{ $config.name | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- with .Values.extraConfig }}
## Extra config ##
{{ . | toYaml | nindent 4 }}
{{- end }}


@ -1,199 +0,0 @@
{{- $needsVolumePermissions := and .Values.volumePermissions.enabled (or .Values.persistence.enabled .Values.persistence.existingClaim) }}
{{- if (and .Values.postgresql.enabled (and (not .Values.postgresql.auth.password) (not .Values.postgresql.existingSecret))) -}}
{{- fail "You must specify a static postgres password or existing secret if using the included postgres chart" -}}
{{- end -}}
{{- if (and .Values.redis.enabled (and .Values.redis.usePassword (and (not .Values.redis.auth.password) (not .Values.redis.auth.existingSecret)))) -}}
{{- fail "You must specify a static redis password or existing secret if using the included redis chart" -}}
{{- end -}}
---
# Server: {{ required "A valid serverName is required" .Values.serverName }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "matrix-synapse.fullname" . }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
app.kubernetes.io/component: synapse
spec:
replicas: 1
strategy:
{{- toYaml .Values.synapse.strategy | nindent 4 }}
selector:
matchLabels:
{{- include "matrix-synapse.selectorLabels" . | nindent 6 }}
app.kubernetes.io/component: synapse
template:
metadata:
annotations:
checksum/config: {{ include (print $.Template.BasePath "/configuration.yaml") . | sha256sum }}
checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
{{- with .Values.synapse.annotations }}
{{ . | toYaml | nindent 8 }}
{{- end }}
labels:
{{- include "matrix-synapse.selectorLabels" . | nindent 8 }}
app.kubernetes.io/component: synapse
{{- with .Values.synapse.labels }}
{{ . | toYaml | nindent 8 }}
{{- end }}
spec:
{{- include "matrix-synapse.imagePullSecrets" . | nindent 6 }}
securityContext:
{{- toYaml .Values.synapse.podSecurityContext | nindent 8 }}
{{- if $needsVolumePermissions }}
initContainers:
- name: volume-permissions
command:
- sh
- -c
- |
chown {{ .Values.volumePermissions.uid }}:{{ .Values.volumePermissions.gid }} -R /synapse/data
image: "{{ .Values.volumePermissions.image.repository }}:{{ .Values.volumePermissions.image.tag }}"
imagePullPolicy: {{ $.Values.volumePermissions.image.pullPolicy }}
resources:
{{- toYaml .Values.volumePermissions.resources | nindent 12 }}
securityContext:
runAsNonRoot: false
runAsUser: 0
volumeMounts:
- name: media
mountPath: /synapse/data
{{- end }}
containers:
- name: synapse
command:
- sh
- -c
- |
cat /synapse/secrets/*.yaml | \
sed -e "s/@@POSTGRES_PASSWORD@@/${POSTGRES_PASSWORD:-}/" \
-e "s/@@REDIS_PASSWORD@@/${REDIS_PASSWORD:-}/" \
> /synapse/config/conf.d/secrets.yaml
{{- if .Values.synapse.extraCommands }}
{{ range .Values.synapse.extraCommands }}
{{ . }}
{{- end }}
{{- end }}
exec python -B -m synapse.app.homeserver \
-c /synapse/config/homeserver.yaml \
-c /synapse/config/conf.d/
env:
{{- if or .Values.postgresql.enabled .Values.externalPostgresql.existingSecret }}
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
{{- if .Values.postgresql.enabled }}
name: {{ .Values.postgresql.existingSecret | default (include "matrix-synapse.postgresql.fullname" .) }}
key: password
{{- else }}
name: {{ .Values.externalPostgresql.existingSecret }}
key: {{ .Values.externalPostgresql.existingSecretPasswordKey }}
{{- end }}
{{- end }}
{{- if or (and .Values.redis.enabled (default .Values.redis.usePassword true)) .Values.externalRedis.existingSecret }}
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
{{- if .Values.redis.enabled }}
name: {{ .Values.redis.auth.existingSecret | default (include "matrix-synapse.redis.fullname" .) }}
key: redis-password
{{- else }}
name: {{ .Values.externalRedis.existingSecret }}
key: {{ .Values.externalRedis.existingSecretPasswordKey }}
{{- end -}}
{{- end }}
{{- with .Values.synapse.extraEnv }}
{{- . | toYaml | nindent 12 }}
{{- end }}
image: "{{ .Values.image.repository }}:{{ include "matrix-synapse.imageTag" . }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext:
{{- toYaml .Values.synapse.securityContext | nindent 12 }}
ports:
- name: http
containerPort: 8008
protocol: TCP
- name: replication
containerPort: 9093
protocol: TCP
- name: metrics
containerPort: 9090
protocol: TCP
{{- with .Values.synapse.livenessProbe }}
livenessProbe:
{{- . | toYaml | nindent 12 }}
{{- end }}
{{- with .Values.synapse.readinessProbe }}
readinessProbe:
{{- . | toYaml | nindent 12 }}
{{- end }}
{{- with .Values.synapse.startupProbe }}
startupProbe:
{{- . | toYaml | nindent 12 }}
{{- end }}
volumeMounts:
- name: config
mountPath: /synapse/config
- name: tmpconf
mountPath: /synapse/config/conf.d
- name: secrets
mountPath: /synapse/secrets
- name: signingkey
mountPath: /synapse/keys
- name: media
mountPath: /synapse/data
- name: tmpdir
mountPath: /tmp
{{- with .Values.synapse.extraVolumeMounts }}
{{- . | toYaml | nindent 12 }}
{{- end }}
resources:
{{- toYaml .Values.synapse.resources | nindent 12 }}
volumes:
- name: config
configMap:
name: {{ include "matrix-synapse.fullname" . }}
- name: secrets
secret:
secretName: {{ include "matrix-synapse.fullname" . }}
- name: signingkey
secret:
secretName: {{ .Values.signingkey.existingSecret | default (include "matrix-synapse.workername" (dict "global" . "worker" "signingkey")) | quote }}
items:
- key: {{ .Values.signingkey.existingSecretKey | default "signing.key" | quote }}
path: signing.key
- name: tmpconf
emptyDir: {}
- name: tmpdir
emptyDir: {}
- name: media
{{- $mediaworker := false }}
{{- range $worker, $config := .Values.workers }}
{{- if eq $worker "media_repository" }}
{{- $mediaworker = ($config.enabled | default false) }}
{{- end }}
{{- end }}
{{- if and .Values.persistence.enabled (not $mediaworker) }}
persistentVolumeClaim:
claimName: {{ .Values.persistence.existingClaim | default (include "matrix-synapse.fullname" .) }}
{{- else }}
emptyDir: {}
{{- end }}
{{- with .Values.synapse.extraVolumes }}
{{- . | toYaml | nindent 8 }}
{{- end }}
{{- with .Values.synapse.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.synapse.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.synapse.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}


@ -1,165 +0,0 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "matrix-synapse.fullname" . -}}
{{- $wkName := include "matrix-synapse.externalname" (dict "global" . "external" "wellknown-lighttpd") -}}
{{- $v1Ingress := .Capabilities.APIVersions.Has "networking.k8s.io/v1" -}}
{{- if $v1Ingress -}}
apiVersion: networking.k8s.io/v1
{{- else -}}
apiVersion: networking.k8s.io/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
{{- with .Values.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if .Values.ingress.className }}
ingressClassName: {{ .Values.ingress.className }}
{{- end }}
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
{{- if .secretName }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
{{- end }}
rules:
{{- $csHosts := .Values.ingress.csHosts }}
{{- if .Values.ingress.includeServerName }}
{{- $csHosts = concat (list (.Values.publicServerName | default .Values.serverName)) $csHosts }}
{{- end }}
{{- $s2sHosts := .Values.ingress.hosts }}
{{- if .Values.ingress.includeServerName }}
{{- $s2sHosts = concat (list .Values.serverName) $s2sHosts }}
{{- end }}
{{- $wkHosts := .Values.ingress.wkHosts }}
{{- if .Values.ingress.includeServerName }}
{{- $wkHosts = concat (list .Values.serverName) $wkHosts }}
{{- end }}
{{- $hosts := uniq (concat $s2sHosts $csHosts $wkHosts) }}
{{- range $hosts }}
{{- $host := . }}
- host: {{ . | quote }}
http:
paths:
{{- $default := $.Values.workers.default }}
{{- range $worker, $config := $.Values.workers }}
{{- $name := $worker | replace "_" "-" }}
{{- if and $config.enabled $config.listeners (or $config.paths $config.csPaths) }}
{{- $service := include "matrix-synapse.workername" (dict "global" $ "worker" $name) }}
{{- if has $host $csHosts }}
{{- range $config.csPaths }}
{{- if $.Values.ingress.traefikPaths }}
- path: {{ printf "/{path:%s}" (trimPrefix "/" .) | quote }}
backend:
{{- if $v1Ingress }}
service:
name: {{ $service }}
port:
number: 8083
pathType: ImplementationSpecific
{{- else }}
serviceName: {{ $service }}
servicePort: 8083
{{- end }}
{{- else }}
- path: {{ . | quote }}
backend:
{{- if $v1Ingress }}
service:
name: {{ $service }}
port:
number: 8083
pathType: ImplementationSpecific
{{- else }}
serviceName: {{ $service }}
servicePort: 8083
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- if has $host $s2sHosts }}
{{- range $config.paths }}
{{- if $.Values.ingress.traefikPaths }}
- path: {{ printf "/{path:%s}" (trimPrefix "/" .) | quote }}
backend:
{{- if $v1Ingress }}
service:
name: {{ $service }}
port:
number: 8083
pathType: ImplementationSpecific
{{- else }}
serviceName: {{ $service }}
servicePort: 8083
{{- end }}
{{- else }}
- path: {{ . | quote }}
backend:
{{- if $v1Ingress }}
service:
name: {{ $service }}
port:
number: 8083
pathType: ImplementationSpecific
{{- else }}
serviceName: {{ $service }}
servicePort: 8083
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- if has . $csHosts }}
{{- with $.Values.ingress.csPaths }}
{{ . | toYaml | nindent 10 }}
{{- end }}
{{- end }}
{{- if has . $s2sHosts }}
{{- with $.Values.ingress.paths }}
{{ . | toYaml | nindent 10 }}
{{- end }}
{{- end }}
{{- if or (has . $csHosts) (has . $s2sHosts) }}
- path: /_matrix
backend:
{{- if $v1Ingress }}
service:
name: {{ $fullName }}
port:
number: {{ $.Values.service.port }}
pathType: Prefix
{{- else }}
serviceName: {{ $fullName }}
servicePort: {{ $.Values.service.port }}
{{- end }}
{{- end }}
{{- if and (has . $csHosts) $.Values.ingress.includeUnderscoreSynapse }}
- path: /_synapse
backend:
{{- if $v1Ingress }}
service:
name: {{ $fullName }}
port:
number: {{ $.Values.service.port }}
pathType: Prefix
{{- else }}
serviceName: {{ $fullName }}
servicePort: {{ $.Values.service.port }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}


@ -1,22 +0,0 @@
{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: {{ template "matrix-synapse.fullname" . }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
spec:
accessModes:
- {{ .Values.persistence.accessMode | quote }}
resources:
requests:
storage: {{ .Values.persistence.size | quote }}
{{- if .Values.persistence.storageClass }}
{{- if (eq "-" .Values.persistence.storageClass) }}
storageClassName: ""
{{- else }}
storageClassName: "{{ .Values.persistence.storageClass }}"
{{- end }}
{{- end }}
{{- end -}}


@ -1,88 +0,0 @@
---
apiVersion: v1
kind: Secret
metadata:
name: {{ include "matrix-synapse.fullname" . }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
stringData:
config.yaml: |
{{- if .Values.config.recaptcha }}
## Captcha ##
recaptcha_private_key: {{ .Values.config.recaptcha.privateKey | quote }}
{{- end }}
{{- if .Values.config.turnSecret }}
## Turn ##
turn_shared_secret: {{ .Values.config.turnSecret | quote }}
{{- end }}
## Registration ##
registration_shared_secret: {{ .Values.config.registrationSharedSecret | default (randAlphaNum 24) | quote }}
## API Configuration ##
{{- if .Values.config.macaroonSecretKey }}
macaroon_secret_key: {{ .Values.config.macaroonSecretKey | quote }}
{{- end }}
{{- $postgresHost := include "matrix-synapse.postgresql.host" . }}
{{- $postgresDB := include "matrix-synapse.postgresql.database" . }}
{{- $postgresUser := include "matrix-synapse.postgresql.username" . }}
{{- $postgresPort := include "matrix-synapse.postgresql.port" . }}
{{- $postgresPass := include "matrix-synapse.postgresql.password" . }}
{{- $postgresSSLMode := include "matrix-synapse.postgresql.sslmode" . }}
{{- $postgresExtraArgs := include "matrix-synapse.postgresql.extraArgs" . }}
## Database configuration ##
database:
name: "psycopg2"
args:
user: {{ $postgresUser | quote }}
{{- if and $postgresPass (not .Values.postgresql.existingSecret) }}
password: {{ $postgresPass | quote }}
{{- else }}
password: "@@POSTGRES_PASSWORD@@"
{{- end }}
database: {{ $postgresDB | quote }}
host: {{ $postgresHost | quote }}
port: {{ $postgresPort }}
sslmode: {{ $postgresSSLMode | quote }}
cp_min: 5
cp_max: 10
{{- $postgresExtraArgs | nindent 8 }}
{{- $redisHost := include "matrix-synapse.redis.host" . }}
{{- $redisPort := include "matrix-synapse.redis.port" . }}
{{- $redisPass := include "matrix-synapse.redis.password" . }}
{{- $redisDbid := include "matrix-synapse.redis.dbid" . }}
## Redis configuration ##
redis:
enabled: true
host: {{ $redisHost | quote }}
{{- if $redisPort }}
port: {{ $redisPort }}
{{- end }}
{{- if or .Values.redis.auth.enabled .Values.redis.usePassword .Values.redis.password .Values.redis.auth.password .Values.externalRedis.password }}
{{- if and $redisPass (not .Values.redis.auth.existingSecret) }}
password: {{ $redisPass | quote }}
{{- else }}
password: "@@REDIS_PASSWORD@@"
{{- end }}
{{- end }}
{{- if $redisDbid }}
dbid: {{ $redisDbid }}
{{- end }}
{{- with .Values.extraSecrets }}
## Extra secrets ##
{{ . | toYaml | nindent 4 }}
{{- end }}


@ -1,64 +0,0 @@
---
apiVersion: v1
kind: Service
metadata:
name: {{ include "matrix-synapse.fullname" . }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
spec:
type: {{ .Values.service.type | default "ClusterIP" }}
ports:
- port: {{ .Values.service.port }}
targetPort: {{ .Values.service.targetPort | default "http" }}
protocol: TCP
name: http
selector:
app.kubernetes.io/component: synapse
{{- include "matrix-synapse.selectorLabels" . | nindent 4 }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ include "matrix-synapse.replicationname" . }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
spec:
type: ClusterIP
ports:
- port: 9093
targetPort: replication
protocol: TCP
name: replication
selector:
{{- include "matrix-synapse.selectorLabels" . | nindent 4 }}
app.kubernetes.io/component: synapse
{{- $default := .Values.workers.default }}
{{- range $worker, $config := .Values.workers }}
{{- if and $config.enabled $config.listeners }}
{{- $name := $worker | replace "_" "-" }}
{{- $release := $.Release.Name }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ include "matrix-synapse.workername" (dict "global" $ "worker" $name) }}
labels:
{{- include "matrix-synapse.labels" $ | nindent 4 }}
spec:
type: ClusterIP
ports:
- port: 8083
targetPort: listener
protocol: TCP
name: listener
{{- if has "replication" $config.listeners }}
- port: 9093
targetPort: replication
protocol: TCP
name: replication
{{- end }}
selector:
{{- include "matrix-synapse.selectorLabels" $ | nindent 4 }}
app.kubernetes.io/component: {{ $name }}
{{- end }}
{{- end }}


@ -1,153 +0,0 @@
{{- if .Values.signingkey.job.enabled }}
{{- if .Values.signingkey.existingSecret }}
{{- fail "Can't specify both signingkey.job.enabled and signingkey.existingSecret" }}
{{- end }}
{{- $name := include "matrix-synapse.workername" (dict "global" . "worker" "signingkey-job") }}
{{- $secretName := include "matrix-synapse.workername" (dict "global" . "worker" "signingkey") }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ $name }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
app.kubernetes.io/component: signingkey-job
annotations:
helm.sh/hook: pre-install
helm.sh/hook-delete-policy: hook-succeeded
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ $name }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
app.kubernetes.io/component: signingkey-job
annotations:
helm.sh/hook: pre-install
helm.sh/hook-delete-policy: hook-succeeded
rules:
- apiGroups:
- ""
resources:
- secrets
resourceNames:
- {{ $secretName }}
verbs:
- get
- update
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ $name }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
app.kubernetes.io/component: signingkey-job
annotations:
helm.sh/hook: pre-install
helm.sh/hook-delete-policy: hook-succeeded
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ $name }}
subjects:
- kind: ServiceAccount
name: {{ $name }}
namespace: {{ .Release.Namespace }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ $name }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
app.kubernetes.io/component: signingkey-job
annotations:
helm.sh/hook: pre-install
helm.sh/hook-delete-policy: hook-succeeded
{{- with .Values.signingkey.job.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
ttlSecondsAfterFinished: 0
template:
metadata:
labels:
{{- include "matrix-synapse.labels" . | nindent 8 }}
app.kubernetes.io/component: signingkey-job
spec:
containers:
- command:
- sh
- -c
- |
echo "Generating signing key..."
if which generate_signing_key.py >/dev/null; then
generate_signing_key.py -o /synapse/keys/signing.key
else
generate_signing_key -o /synapse/keys/signing.key
fi
image: "{{ .Values.signingkey.job.generateImage.repository }}:{{ .Values.signingkey.job.generateImage.tag | default "latest" }}"
imagePullPolicy: {{ .Values.signingkey.job.generateImage.pullPolicy }}
name: signing-key-generate
resources:
{{- toYaml .Values.signingkey.resources | nindent 12 }}
volumeMounts:
- mountPath: /synapse/keys
name: matrix-synapse-keys
- command:
- sh
- -c
- |
printf "Checking rights to update secret... "
kubectl auth can-i update secret/${SECRET_NAME}
/scripts/signing-key.sh
env:
- name: SECRET_NAME
value: {{ $secretName }}
image: "{{ .Values.signingkey.job.publishImage.repository }}:{{ .Values.signingkey.job.publishImage.tag | default "latest" }}"
imagePullPolicy: {{ .Values.signingkey.job.publishImage.pullPolicy }}
name: signing-key-upload
resources:
{{- toYaml .Values.signingkey.resources | nindent 12 }}
volumeMounts:
- mountPath: /scripts
name: scripts
readOnly: true
- mountPath: /synapse/keys
name: matrix-synapse-keys
readOnly: true
restartPolicy: Never
serviceAccount: {{ $name }}
volumes:
- name: scripts
configMap:
name: {{ include "matrix-synapse.fullname" . }}-scripts
defaultMode: 0755
- name: matrix-synapse-keys
emptyDir: {}
parallelism: 1
completions: 1
backoffLimit: 1
---
apiVersion: v1
kind: Secret
metadata:
annotations:
helm.sh/hook: pre-install
helm.sh/hook-delete-policy: never
helm.sh/resource-policy: keep
argocd.argoproj.io/hook: Skip
argocd.argoproj.io/hook-delete-policy: Never
name: {{ $secretName }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
app.kubernetes.io/component: signingkey-job
{{ $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) -}}
{{ if $secret -}}
data:
signing.key: {{ (b64dec (index $secret.data "signing.key")) | b64enc }}
{{ end -}}
{{- end }}


@ -1,16 +0,0 @@
---
apiVersion: v1
kind: Pod
metadata:
name: "{{ include "matrix-synapse.fullname" . }}-test-connection"
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": test-success
spec:
containers:
- name: wget
image: busybox
command: ['wget']
args: ['{{ include "matrix-synapse.fullname" . }}:{{ $.Values.service.port }}/_matrix/client/versions']
restartPolicy: Never


@ -1,66 +0,0 @@
{{- if .Values.wellknown.enabled }}
{{- $wkName := include "matrix-synapse.externalname" (dict "global" . "external" "wellknown-lighttpd") -}}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ $wkName }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
component: well-known
data:
lighttpd.conf: |
server.port = 8080
{{ if .Values.wellknown.useIpv6}}
server.use-ipv6 = "enable"
{{ end }}
server.modules = (
"mod_rewrite",
"mod_status",
"mod_accesslog",
"mod_extforward",
"mod_setenv"
)
include "conf.d/00-mime-types.conf"
server.username = "lighttpd"
server.groupname = "lighttpd"
server.document-root = {{ .Values.wellknown.htdocsPath | quote }}
server.pid-file = "/run/lighttpd.pid"
url.rewrite-once = (
{{- $keys := concat (list "client" "server") (keys .Values.wellknown.extraData) }}
{{- range $key := initial $keys }}
"^/\.well-known/matrix/{{ $key }}" => "/{{ $key }}.json",
{{- end }}
"^/\.well-known/matrix/{{ last $keys }}" => "/{{ last $keys }}.json"
)
status.status-url = "/server-status"
extforward.forwarder = ( "all" => "trust")
setenv.add-response-header = (
"access-control-allow-headers" => "Origin, X-Requested-With, Content-Type, Accept, Authorization",
"access-control-allow-methods" => "GET, POST, PUT, DELETE, OPTIONS",
"access-control-allow-origin" => "*"
)
setenv.set-response-header = (
"content-type" => "application/json"
)
server.json: |-
{{- if .Values.wellknown.server }}
{{ toJson .Values.wellknown.server | nindent 4 }}
{{- else }}
{{ dict "m.server" (printf "%s:%d" (.Values.wellknown.host | default (.Values.publicServerName | default .Values.serverName)) (.Values.wellknown.port | default 443)) | toJson | indent 4 }}
{{- end }}
client.json: |-
{{- if .Values.wellknown.client }}
{{ toJson .Values.wellknown.client | nindent 4 }}
{{- else }}
{{ dict "m.homeserver" (dict "base_url" (printf "https://%s/" (.Values.publicServerName | default .Values.serverName))) | toJson | indent 4 }}
{{- end }}
{{- range $key, $value := .Values.wellknown.extraData }}
{{ $key }}.json: |-
{{- if $value | kindIs "string" -}}
{{ $value | nindent 4 }}
{{- else -}}
{{ $value | toJson | nindent 4 }}
{{- end -}}
{{- end -}}
{{- end -}}


@ -1,95 +0,0 @@
{{- if .Values.wellknown.enabled }}
{{- $wkName := include "matrix-synapse.externalname" (dict "global" . "external" "wellknown-lighttpd") -}}
---
apiVersion: v1
kind: Service
metadata:
name: {{ $wkName }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
app.kubernetes.io/component: well-known
spec:
type: {{ .Values.wellknown.service.type | default "ClusterIP" }}
ports:
- port: {{ .Values.wellknown.service.port | default 80 }}
targetPort: http
protocol: TCP
name: http
selector:
{{- include "matrix-synapse.selectorLabels" . | nindent 4 }}
app.kubernetes.io/component: well-known
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ $wkName }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
app.kubernetes.io/component: well-known
spec:
replicas: {{ .Values.wellknown.replicaCount | default 1 }}
selector:
matchLabels:
{{- include "matrix-synapse.selectorLabels" . | nindent 6 }}
app.kubernetes.io/component: well-known
template:
metadata:
annotations:
checksum/config: {{ include (print .Template.BasePath "/well-known-config.yaml") . | sha256sum }}
labels:
{{- include "matrix-synapse.selectorLabels" . | nindent 8 }}
app.kubernetes.io/component: well-known
spec:
{{- include "matrix-synapse.imagePullSecrets" . | nindent 6 }}
securityContext:
{{- toYaml .Values.wellknown.podSecurityContext | nindent 8 }}
containers:
- name: lighttpd
image: "{{ .Values.wellknown.image.repository }}:{{ .Values.wellknown.image.tag }}"
imagePullPolicy: {{ .Values.wellknown.image.pullPolicy }}
securityContext:
{{- toYaml .Values.wellknown.securityContext | nindent 12 }}
ports:
- containerPort: 8080
name: http
protocol: TCP
readinessProbe:
tcpSocket:
port: http
livenessProbe:
httpGet:
path: /server-status
port: http
volumeMounts:
- mountPath: /etc/lighttpd/lighttpd.conf
name: files
subPath: lighttpd.conf
{{- $keys := concat (list "client" "server") (keys .Values.wellknown.extraData) }}
{{- range $key := $keys }}
- mountPath: {{ $.Values.wellknown.htdocsPath }}/{{ $key }}.json
name: files
subPath: {{ $key }}.json
{{- end }}
- mountPath: /run
name: run
resources:
{{- toYaml .Values.wellknown.resources | nindent 12 }}
volumes:
- name: files
configMap:
name: {{ $wkName }}
- name: run
emptyDir: {}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}


@ -1,80 +0,0 @@
{{- $any := false }}
{{- range $worker, $config := .Values.workers }}
{{- if $config.enabled }}
{{- $any = true }}
{{- end }}
{{- end }}
{{- if $any }}
{{- $wkName := include "matrix-synapse.workername" (dict "global" . "worker" "workers") -}}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ $wkName }}
labels:
{{- include "matrix-synapse.labels" . | nindent 4 }}
data:
{{- $default := .Values.workers.default -}}
{{- range $worker, $config := .Values.workers -}}
{{- if $config.enabled -}}
{{- $name := $worker | replace "_" "-" }}
{{- $app := $config.app | default $worker }}
{{ $name }}.worker: |
worker_app: "synapse.app.{{ (not (not $config.generic)) | ternary "generic_worker" $app }}"
{{- if $config.name -}}
{{- if (gt ($config.replicaCount | int) 1) -}}
{{- fail "Replica count must be 1 if a worker has a unique name." -}}
{{- end }}
worker_name: {{ $config.name }}
{{- end }}
{{- $bindAddresses := $config.bindAddresses | default $.Values.config.bindAddresses | default (list "::") }}
worker_listeners:
- port: 9090
tls: false
bind_addresses: {{ toJson $bindAddresses }}
type: http
resources:
- names: [metrics]
compress: false
{{- if $config.listeners }}
{{- if has "replication" $config.listeners }}
{{- if not $config.name }}
{{- fail "Workers with replication listeners must have unique names." }}
{{- end }}
- port: 9093
tls: false
bind_addresses: {{ toJson $bindAddresses }}
type: http
x_forwarded: true
resources:
- names: [replication]
compress: false
{{- end }}
- port: 8083
tls: false
bind_addresses: {{ toJson $bindAddresses }}
type: http
x_forwarded: true
resources:
- names:
{{- toYaml (without $config.listeners "replication") | nindent 14 }}
compress: false
{{- end }}
worker_log_config: /synapse/config/log.yaml
{{- if $config.extraConfig }}
# Extra config
{{ toYaml $config.extraConfig | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}


@ -1,212 +0,0 @@
{{- $needsVolumePermissions := and .Values.volumePermissions.enabled (or .Values.persistence.enabled .Values.persistence.existingClaim) }}
{{- $default := .Values.workers.default }}
{{- range $worker, $config := .Values.workers }}
{{- if $config.enabled }}
{{- $name := $worker | replace "_" "-" }}
{{- $app := $config.app | default $worker }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "matrix-synapse.workername" (dict "global" $ "worker" $name) }}
labels:
{{- include "matrix-synapse.labels" $ | nindent 4 }}
app.kubernetes.io/component: {{ $name }}
spec:
replicas: {{ $config.replicaCount | default $default.replicaCount }}
{{- with ($config.strategy | default $default.strategy) }}
strategy:
{{- toYaml . | nindent 4 }}
{{- end }}
selector:
matchLabels:
{{- include "matrix-synapse.selectorLabels" $ | nindent 6 }}
app.kubernetes.io/component: {{ $name }}
template:
metadata:
annotations:
checksum/config: {{ include (print $.Template.BasePath "/configuration.yaml") $ | sha256sum }}
checksum/worker-config: {{ include (print $.Template.BasePath "/worker-configuration.yaml") $ | sha256sum }}
checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") $ | sha256sum }}
{{- with ($config.annotations | default $default.annotations) }}
{{ . | toYaml | nindent 8 }}
{{- end }}
labels:
{{- include "matrix-synapse.selectorLabels" $ | nindent 8 }}
app.kubernetes.io/component: {{ $name }}
{{- with ($config.labels | default $default.labels) }}
{{ . | toYaml | nindent 8 }}
{{- end }}
spec:
{{- include "matrix-synapse.imagePullSecrets" $ | nindent 6 }}
securityContext:
{{- $config.podSecurityContext | default $default.podSecurityContext | toYaml | nindent 8 }}
{{- if and $needsVolumePermissions (eq $name "media-repository") }}
initContainers:
- name: volume-permissions
command:
- sh
- -c
- |
chown {{ $.Values.volumePermissions.uid }}:{{ $.Values.volumePermissions.gid }} -R /synapse/data
image: "{{ $.Values.volumePermissions.image.repository }}:{{ $.Values.volumePermissions.image.tag }}"
imagePullPolicy: {{ $.Values.volumePermissions.image.pullPolicy }}
securityContext:
runAsNonRoot: false
runAsUser: 0
resources: {{ $.Values.volumePermissions.resources | toYaml | nindent 12 }}
volumeMounts:
- name: media
mountPath: /synapse/data
{{- end }}
containers:
- name: {{ $name }}
command:
- sh
- -c
- |
cat /synapse/secrets/*.yaml | \
sed -e "s/@@POSTGRES_PASSWORD@@/${POSTGRES_PASSWORD:-}/" \
-e "s/@@REDIS_PASSWORD@@/${REDIS_PASSWORD:-}/" \
> /synapse/config/conf.d/secrets.yaml
{{- if (or $config.extraCommands $default.extraCommands) }}
{{- with $config.extraCommands | default $default.extraCommands }}
{{ range . }}
{{ . | nindent 14 }}
{{- end }}
{{- end }}
{{- end }}
exec python -B -m synapse.app.{{ (not (not $config.generic)) | ternary "generic_worker" $app }} \
-c /synapse/config/homeserver.yaml \
-c /synapse/config/conf.d/ \
-c /synapse/config/{{ $name }}.worker
env:
{{- if or $.Values.postgresql.enabled $.Values.externalPostgresql.existingSecret }}
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
{{- if $.Values.postgresql.enabled }}
name: {{ $.Values.postgresql.existingSecret | default (include "matrix-synapse.postgresql.fullname" $) }}
key: password
{{- else }}
name: {{ $.Values.externalPostgresql.existingSecret }}
key: {{ $.Values.externalPostgresql.existingSecretPasswordKey }}
{{- end }}
{{- end }}
{{- if or (and $.Values.redis.enabled (default $.Values.redis.usePassword true)) $.Values.externalRedis.existingSecret }}
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
{{- if $.Values.redis.enabled }}
name: {{ $.Values.redis.auth.existingSecret | default (include "matrix-synapse.redis.fullname" $) }}
key: redis-password
{{- else }}
name: {{ $.Values.externalRedis.existingSecret }}
key: {{ $.Values.externalRedis.existingSecretPasswordKey }}
{{- end -}}
{{- end }}
{{- with $config.extraEnv | default $default.extraEnv }}
{{- . | toYaml | nindent 12 }}
{{- end }}
securityContext:
{{- $config.securityContext | default $default.securityContext | toYaml | nindent 12 }}
image: "{{ $.Values.image.repository }}:{{ include "matrix-synapse.imageTag" $ }}"
imagePullPolicy: {{ $.Values.image.pullPolicy }}
ports:
- name: metrics
containerPort: 9090
protocol: TCP
{{- if $config.listeners }}
- name: listener
containerPort: 8083
protocol: TCP
{{- if has "replication" $config.listeners }}
- name: replication
containerPort: 9093
protocol: TCP
{{- end }}
{{- if (or $config.readinessProbe $default.readinessProbe) }}
readinessProbe:
{{- $config.readinessProbe | default $default.readinessProbe | toYaml | nindent 12 }}
{{- end }}
{{- end }}
{{- if (or $config.livenessProbe $default.livenessProbe) }}
livenessProbe:
{{- $config.livenessProbe | default $default.livenessProbe | toYaml | nindent 12 }}
{{- end }}
{{- if (or $config.startupProbe $default.startupProbe) }}
startupProbe:
{{- $config.startupProbe | default $default.startupProbe | toYaml | nindent 12 }}
{{- end }}
resources:
{{- $config.resources | default $default.resources | toYaml | nindent 12 }}
volumeMounts:
- name: config
mountPath: /synapse/config/homeserver.yaml
subPath: homeserver.yaml
- name: config
mountPath: /synapse/config/log.yaml
subPath: log.yaml
- name: worker-config
mountPath: /synapse/config/{{ $name }}.worker
subPath: {{ $name }}.worker
- name: tmpconf
mountPath: /synapse/config/conf.d
- name: secrets
mountPath: /synapse/secrets
- name: signingkey
mountPath: /synapse/keys
{{- if eq $name "media-repository" }}
- name: media
mountPath: /synapse/data
{{- end }}
{{- with $config.volumeMounts | default $default.volumeMounts }}
{{ . | toYaml | nindent 12 }}
{{- end }}
{{- with $config.nodeSelector | default $default.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $config.affinity | default $default.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $config.tolerations | default $default.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: config
configMap:
name: {{ include "matrix-synapse.fullname" $ }}
- name: worker-config
configMap:
name: {{ include "matrix-synapse.workername" (dict "global" $ "worker" "workers") }}
- name: secrets
secret:
secretName: {{ include "matrix-synapse.fullname" $ }}
- name: signingkey
secret:
secretName: {{ $.Values.signingkey.existingSecret | default (include "matrix-synapse.workername" (dict "global" $ "worker" "signingkey")) | quote }}
items:
- key: {{ $.Values.signingkey.existingSecretKey | default "signing.key" | quote }}
path: signing.key
- name: tmpconf
emptyDir: {}
{{- if eq $name "media-repository" }}
- name: media
{{- if $.Values.persistence.enabled }}
persistentVolumeClaim:
claimName: {{ $.Values.persistence.existingClaim | default (include "matrix-synapse.fullname" $) }}
{{- else }}
emptyDir: {}
{{- end }}
{{- end }}
{{- with $config.volumes | default $default.volumes }}
{{ . | toYaml | nindent 8 }}
{{- end }}
{{- end }}
{{- end }}


@ -1,962 +0,0 @@
---
## Docker image configuration, used for Synapse and workers.
##
image:
repository: matrixdotorg/synapse
## Tag to override with, will default to the application version.
##
# tag: ''
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
##
# pullSecrets:
# - myRegistryKeySecretName
## Override part of the installed name, will still keep release name.
##
# nameOverride: ""
## Override the full name of the installed chart.
##
# fullnameOverride: ""
## The Matrix domain name, this is what will be used for the domain part in
## your MXIDs.
##
# serverName: 'example.com'
## The public Matrix server name, this will be used for any public URLs
## in config as well as for client API links in the ingress.
# publicServerName: 'matrix.example.com'
## The source of the signing key used by Synapse in federation.
##
signingkey:
## Enable a Kubernetes job to generate and store a signing key if one does not
## exist.
## If you have already run a Matrix server at some point on your domain then
## you will want to keep the old signing key, either by using the `existingSecret`
## configuration, or by including the old key under `extraConfig.old_signing_keys`
##
## If you lose your signing key then any federation traffic from your instance
## might not be trusted any more by the wider network.
##
job:
enabled: true
## Annotations to apply to the signing-key-job.
##
annotations: { }
# argocd.argoproj.io/hook: PostSync
# argocd.argoproj.io/hook-delete-policy: HookSucceeded
generateImage:
repository: matrixdotorg/synapse
#tag: latest
pullPolicy: IfNotPresent
publishImage:
repository: bitnami/kubectl
# tag: latest
pullPolicy: IfNotPresent
## Specify an existing signing key secret, will need to be created in advance.
##
# existingSecret: secret-name
# existingSecretKey: signing.key
## Resources to apply to the signing key generation job
##
resources: {}
# limits:
# cpu: 100m
# memory: 250Mi
# requests:
# cpu: 100m
# memory: 250Mi
## Matrix configuration values that affect other parts of the chart, for any
## value not handled by this block, you will want to instead set it in
## extraConfig below.
## Ref: https://github.com/matrix-org/synapse/blob/develop/docs/sample_config.yaml
##
config:
## The publicly accessible URL for the Synapse instance, will default to
## https://<publicServerName>.
##
# publicBaseurl: 'https://matrix.example.com'
## The log level for Synapse and all modules.
##
# logLevel: INFO
## Should usage stats be reported
##
reportStats: false
## Protect registration with recaptcha. (optional)
##
# recaptcha:
# publicKey: ''
# privateKey: ''
## URIs and secret key for TURN servers to use to help establish 1:1 WebRTC
## calls.
##
# turnUris: []
# turnSecret: ''
## Registration configuration, note that registration with the
## container-internal register_new_matrix_user tool is always possible.
##
# enableRegistration: false
## NB; this value will default to a random string if not specified.
# registrationSharedSecret: ''
## NB; Strongly recommended to set this to a secure value.
# macaroonSecretKey: ''
## A set of trusted servers to contact if another server doesn't respond to a
## signing key request.
##
trustedKeyServers:
- server_name: matrix.org
# verify_keys:
# "ed25519:auto": "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"
## The bind addresses to use for the default listeners
##
# bindAddresses:
# - '::'
## Extra listeners to configure.
##
extraListeners: []
# - port: 9000
# bind_addresses: ['::']
# type: manhole
## Extra listener types to add onto the main listener.
##
extraMainListenerTypes: []
# - consent
## Logging
# use TerseJsonFormatter structured logging
# Ref: https://matrix-org.github.io/synapse/latest/structured_logging.html
useStructuredLogging: false
## Specify arbitrary Synapse configuration here;
## Ref: https://github.com/matrix-org/synapse/blob/develop/docs/sample_config.yaml
##
extraConfig: {}
# old_signing_keys:
# "ed25519:id": { key: "base64string", expired_ts: 123456789123 }
# use_presence: false
# enable_search: false
# federation_domain_whitelist:
# - lon.example.com
# - nyc.example.com
# - syd.example.com
# dynamic_thumbnails: true
## Specify additional loggers configutation here;
## Ref: https://matrix-org.github.io/synapse/latest/structured_logging.html
extraLoggers: {}
# synapse.storage.SQL:
# level: WARNING
## Specify arbitrary - secret - Synapse configuration here;
## These values will be stored in secrets instead of configmaps
## Ref: https://github.com/matrix-org/synapse/blob/develop/docs/sample_config.yaml
##
extraSecrets: {}
# password_config:
# pepper: ''
## Configuration to apply to the main Synapse pod.
##
synapse:
## Only really applicable when the deployment has an RWO PV attached (e.g. when media repository
## is enabled for the main Synapse pod)
## Since replicas = 1, an update can get "stuck", as the previous pod remains attached to the
## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will
## terminate the single previous pod, so that the new, incoming pod can attach to the PV
##
strategy:
type: RollingUpdate
## Annotations to apply to the main Synapse pod.
##
annotations: {}
# prometheus.io/scrape: "true"
# prometheus.io/path: /_synapse/metrics
# prometheus.io/port: 9090
## Labels to apply to the main Synapse pod.
##
labels: {}
## Additional environment variables to apply to the main Synapse pod
##
extraEnv: []
# - name: LD_PRELOAD
# value: /usr/lib/x86_64-linux-gnu/libjemalloc.so.2
# - name: SYNAPSE_CACHE_FACTOR
# value: "2"
## Additional volumes to mount into Synapse
##
extraVolumes: []
# - name: spamcheck
# flexVolume:
# driver: ananace/git-live
# options:
# repo: https://github.com/company/synapse-module
# interval: 1d
# readOnly: true
extraVolumeMounts: []
# - name: spamcheck
# mountPath: /usr/local/lib/python3.7/site-packages/company
## Extra commands to run when starting Synapse
##
extraCommands: []
# - 'apt-get update -yqq && apt-get install patch -yqq'
# - 'patch -d/usr/local/lib/python3.7/site-packages/synapse -p2 < /synapse/patches/something.patch'
## Configuration for the pod security policy, Synapse will by always run as
## its own user, even if not set.
## Note that changing this may also require you to use the volumePermission
## helper depending on your storage.
##
## NB; The synapse install is currently unable to run as anything but UID:GID
## 666:666.
##
podSecurityContext: {}
# fsGroup: 666
# runAsGroup: 666
# runAsUser: 666
## Configuration for the container security policy, refer to the above
## podSecurityContext for more relevant information.
##
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 666
## Resources to apply to the main Synapse pod.
##
resources: {}
# limits:
# cpu: 1000m
# memory: 2500Mi
# requests:
# cpu: 1000m
# memory: 2500Mi
## Liveness probe configuration to use
##
livenessProbe:
httpGet:
path: /health
port: http
## Readiness probe configuration to use
##
readinessProbe:
httpGet:
path: /health
port: http
## Startup probe configuration to use
##
startupProbe:
failureThreshold: 12
httpGet:
path: /health
port: http
## Node selectors to set for the main Synapse pod.
##
nodeSelector: {}
## Tolerations to set for the main Synapse pod.
##
tolerations: []
## Affinity to set for the main Synapse pod.
##
affinity: {}
## Configuration for handling Synapse workers, which are useful for handling
## high-load deployments.
##
## More information is available at;
## https://github.com/matrix-org/synapse/blob/master/docs/workers.md
##
workers:
## Default configuration, this is inherited into all workers, and can also be
## overriden on each worker type.
##
default:
## The number of worker replicas, note that some workers require special
## handling. Refer to the information URL above.
##
replicaCount: 1
## Update strategy - only really applicable for deployments with RWO PVs attached (e.g. media repository)
## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the
## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will
## terminate the single previous pod, so that the new, incoming pod can attach to the PV
##
strategy:
type: RollingUpdate
## A specific name for this worker, can't be set globally.
## Note that this can only be set when replicaCount is 1
#name:
## Additional configuration to set for the worker, can't be set globally.
#extraConfig: {}
## Annotations to apply to the worker.
##
annotations: {}
# prometheus.io/scrape: "true"
# prometheus.io/path: /_synapse/metrics
# prometheus.io/port: 9090
## Additional environment variables to add to the worker.
##
extraEnv: []
# - name: LD_PRELOAD
# value: /usr/lib/x86_64-linux-gnu/libjemalloc.so.2
# - name: SYNAPSE_CACHE_FACTOR
# value: "1.0"
## Additional volumes to add to the worker.
## Useful for the media repo, or for adding Python modules.
##
volumes: []
volumeMounts: []
## Extra commands to run when starting Synapse
##
extraCommands: []
# - 'apt-get update -yqq && apt-get install patch -yqq'
# - 'patch -d/usr/local/lib/python3.7/site-packages/synapse -p2 < /synapse/patches/something.patch'
## Security context information to set to the worker.
##
podSecurityContext: {}
# fsGroup: 666
# runAsGroup: 666
# runAsUser: 666
## Container security context information to set to the worker.
##
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 666
## Resources to apply to the worker.
##
resources: {}
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
## Liveness probe configuration to use
##
livenessProbe:
httpGet:
path: /health
port: metrics
## Readiness probe configuration to use
##
readinessProbe:
httpGet:
path: /health
port: metrics
## Readiness probe configuration to use
## Defaults to allowing workers 60 seconds to start up
##
startupProbe:
failureThreshold: 6
httpGet:
path: /health
port: metrics
## Node selector configuration to set on the worker.
##
nodeSelector: {}
## Toleration configuration to set on the worker.
##
tolerations: []
## Affinity configuration to set on the worker.
##
affinity: {}
## The generic worker can be used to handle most endpoints.
## Be careful when enabling the sync endpoints as they can eat large amounts of
## resources. Refer to the information URL above for more info.
## Proper load balancing with the K8s Ingress resource may not be possible.
##
generic_worker:
enabled: false
generic: true
listeners: [client, federation]
csPaths:
## Sync requests
# - "/_matrix/client/(r0|v3)/sync$"
- "/_matrix/client/(api/v1|r0|v3)/events$"
# - "/_matrix/client/(api/v1|r0|v3)/initialSync$"
# - "/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$"
## Client API requests
- "/_matrix/client/(api/v1|r0|v3|unstable)/createRoom$"
- "/_matrix/client/(api/v1|r0|v3|unstable)/publicRooms$"
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/joined_members$"
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/context/"
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/members$"
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state$"
- "/_matrix/client/v1/rooms/.*/hierarchy$"
- "/_matrix/client/unstable/org.matrix.msc2716/rooms/.*/batch_send$"
- "/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$"
- "/_matrix/client/(r0|v3|unstable)/account/3pid$"
- "/_matrix/client/(r0|v3|unstable)/account/whoami$"
- "/_matrix/client/(r0|v3|unstable)/devices$"
- "/_matrix/client/versions$"
- "/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer$"
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/event/"
- "/_matrix/client/(api/v1|r0|v3|unstable)/joined_rooms$"
- "/_matrix/client/(api/v1|r0|v3|unstable)/search$"
## Encryption requests
- "/_matrix/client/(r0|v3|unstable)/keys/query$"
- "/_matrix/client/(r0|v3|unstable)/keys/changes$"
- "/_matrix/client/(r0|v3|unstable)/keys/claim$"
- "/_matrix/client/(r0|v3|unstable)/room_keys/"
## Registration/login requests
- "/_matrix/client/(api/v1|r0|v3|unstable)/login$"
- "/_matrix/client/(r0|v3|unstable)/register$"
- "/_matrix/client/v1/register/m.login.registration_token/validity$"
## Event sending requests
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/redact"
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/send"
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state/"
- "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$"
- "/_matrix/client/(api/v1|r0|v3|unstable)/join/"
- "/_matrix/client/(api/v1|r0|v3|unstable)/profile/"
## User directory search requests
- "/_matrix/client/(r0|v3|unstable)/user_directory/search"
## Worker event streams
## See https://matrix-org.github.io/synapse/latest/workers.html#stream-writers
##
## The typing event stream
# - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/typing"
## The to_device event stream
# - "/_matrix/client/(r0|v3|unstable)/sendToDevice/"
## The account_data event stream
# - "/_matrix/client/(r0|v3|unstable)/.*/tags"
# - "/_matrix/client/(r0|v3|unstable)/.*/account_data"
## The receipts event stream
# - "/_matrix/client/(r0|v3|unstable)/rooms/.*/receipt"
# - "/_matrix/client/(r0|v3|unstable)/rooms/.*/read_markers"
## The presence event stream
# - "/_matrix/client/(api/v1|r0|v3|unstable)/presence/"
paths:
## Federation requests
- "/_matrix/federation/v1/event/"
- "/_matrix/federation/v1/state/"
- "/_matrix/federation/v1/state_ids/"
- "/_matrix/federation/v1/backfill/"
- "/_matrix/federation/v1/get_missing_events/"
- "/_matrix/federation/v1/publicRooms"
- "/_matrix/federation/v1/query/"
- "/_matrix/federation/v1/make_join/"
- "/_matrix/federation/v1/make_leave/"
- "/_matrix/federation/(v1|v2)/send_join/"
- "/_matrix/federation/(v1|v2)/send_leave/"
- "/_matrix/federation/(v1|v2)/invite/"
- "/_matrix/federation/v1/event_auth/"
- "/_matrix/federation/v1/exchange_third_party_invite/"
- "/_matrix/federation/v1/user/devices/"
- "/_matrix/key/v2/query"
- "/_matrix/federation/v1/hierarchy/"
## Inbound federation transaction request
- "/_matrix/federation/v1/send/"
## To separate the generic worker into specific concerns - for example federation transaction receiving;
## NB; This worker should have incoming traffic routed based on source IP, which is
## left as an exercise to the reader.
## https://github.com/matrix-org/synapse/blob/develop/docs/workers.md#load-balancing
#federation_reader:
# enabled: true
# generic: true
# listeners: [federation]
# paths:
# - "/_matrix/federation/v1/send/"
## Or /sync handling.
## NB; Care should be taken to route users to the same instance when scaling this worker,
## this is left as an exercise to the reader.
## https://github.com/matrix-org/synapse/blob/develop/docs/workers.md#load-balancing
#synchrotron:
# enabled: true
# generic: true
# listeners: [client]
# csPaths:
# - "/_matrix/client/(v2_alpha|r0|v3)/sync$"
# - "/_matrix/client/(api/v1|v2_alpha|r0|v3)/events$"
# - "/_matrix/client/(api/v1|r0|v3)/initialSync$"
# - "/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$"
## Specialized - non-generic workers below;
## This worker deals with pushing notifications.
## NB; Only one instance of this worker can be run at a time, refer to the
## information URL above.
##
pusher:
enabled: false
## This worker handles sending data to registered appservices.
## NB; Only one instance of this worker can be run at at time, refer to the
## information URL above.
##
appservice:
enabled: false
generic: true
name: appservices
## This worker handles sending federation traffic to other Synapse servers.
##
federation_sender:
enabled: false
## Specialized workers can also be run as multiple separate instances,
## make sure to read the relevant documentation.
##
# federation_sender_other:
# app: federation_sender
# enabled: false
## This worker deals with serving and storing media.
## NB; Running multiple instances will conflict with background jobs.
##
media_repository:
enabled: false
listeners: [media]
csPaths:
- "/_matrix/media/.*"
- "/_synapse/admin/v1/purge_media_cache$"
- "/_synapse/admin/v1/room/.*/media"
- "/_synapse/admin/v1/user/.*/media"
- "/_synapse/admin/v1/media/"
- "/_synapse/admin/v1/quarantine_media/"
- "/_synapse/admin/v1/users/.*/media$"
paths:
- "/_matrix/media/.*"
## This worker deals with user directory searches.
##
user_dir:
enabled: false
name: userdir
listeners: [client]
csPaths:
- "/_matrix/client/(api/v1|r0|v3|unstable)/user_directory/search$"
## This worker handles key uploads, and may also stub out presence if that is
## disabled. If you set extraConfig.use_presence=false then you may want to
## uncomment the second path.
##
frontend_proxy:
enabled: false
listeners: [client]
csPaths:
- "/_matrix/client/(api/v1|r0|v3|unstable)/keys/upload"
# - "/_matrix/client/(api/v1|r0|v3|unstable)/presence/[^/]+/status"
## This will set up a Lighttpd server to respond to any
## /.well-known/matrix/server requests, to make federation possible without
## adding SRV-records to DNS.
##
wellknown:
enabled: false
replicaCount: 1
# Lighttpd does not bind on IPv6 by default, although this is required in
# Ipv6-only clusters.
useIpv6: false
## The host and port combo to serve on .well-known/matrix/server.
##
server: {}
# m.server: matrix.example.com:443
## Data to serve on .well-known/matrix/client.
##
client: {}
# m.homeserver:
# base_url: https://matrix.example.com
## Configuration for the wellknown service.
##
service:
type: ClusterIP
port: 80
## Extra data objects to serve under .well-known/matrix/<data>
## Dictionaries will be JSON converted, plain strings will be served as they are
##
extraData: {}
## MSC1929 example;
# support:
# admins:
# - matrix_id: '@admin:example.com'
# email_address: 'admin@example.com'
# role: 'admin'
# support_page: 'https://example.com/support'
## A custom htdocs path, useful when running another image.
##
htdocsPath: /var/www/localhost/htdocs
## The lighttpd image to run.
##
image:
repository: ghcr.io/rtsp/docker-lighttpd
tag: latest
pullPolicy: Always
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
##
# pullSecrets:
# - myRegistryKeySecretName
## Configuration for the pod security policy.
##
podSecurityContext: {}
# fsGroup: 101
# runAsGroup: 101
# runAsUser: 100
## Configuration for the container security policy.
##
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 100
## Resource configuration to apply to the well-known server.
##
resources: {}
# limits:
# cpu: 5m
# memory: 15Mi
# requests:
# cpu: 5m
# memory: 15Mi
## Node selectors to set for the well-known server.
##
nodeSelector: {}
## Tolerations to set for the well-known server.
##
tolerations: []
## Affinity to set for the main well-known server.
##
affinity: {}
## This configuration is for setting up the internally provided Postgres server,
## if you instead want to use an existing server, then you may want to set
## enabled to false and configure the externalPostgresql block.
##
postgresql:
enabled: true
auth:
# XXX Change me!
password: synapse
## Or use existing secret with "password" key
## instead of static password
##
# existingSecret: postgresql-secret
username: synapse
database: synapse
primary:
initdb:
args: "--lc-collate=C --lc-ctype=C"
persistence:
# storageClass: "-"
size: 16Gi
## Extra arguments for the database connection
## ref: https://github.com/matrix-org/synapse/blob/develop/docs/postgres.md#synapse-config
##
extraArgs: {}
## An externally configured Postgres server to use for Synapse's database, note
## that the database needs to have both COLLATE and CTYPE set to "C".
##
externalPostgresql:
# host: postgres
port: 5432
username: synapse
# password: synapse
## The name of an existing secret with postgresql credentials
#existingSecret: postgres-secrets
## Password key to be retrieved from existing secret
#existingSecretPasswordKey: postgres-password
database: synapse
# sslmode: prefer
## Extra arguments for the database connection
## ref: https://github.com/matrix-org/synapse/blob/develop/docs/postgres.md#synapse-config
##
extraArgs: {}
## This configuration is for the internal Redis that's deployed for use with
## workers/sharding, for an external Redis server you want to set enabled to
## false and configure the externalRedis block.
##
redis:
enabled: true
## Database ID for non-default database
# dbid: 0
auth:
enabled: true
# XXX Change me!
password: synapse
## Or use existing secret with "redis-password" key
## instead of static password
##
# existingSecret: redis-secret
architecture: standalone
master:
kind: Deployment
persistence:
## Note that Synapse only uses redis as a synchronization utility, so no
## data will ever need to be persisted.
##
enabled: false
service:
port: 6379
## An externally configured Redis server to use for workers/sharding.
##
externalRedis:
# host: redis
port: 6379
# password: synapse
## Database ID for non-default database
# dbid: 0
## The name of an existing secret with redis credentials
#existingSecret: redis-secrets
## Password key to be retrieved from existing secret
#existingSecretPasswordKey: redis-password
## Persistence configuration for the media repository function.
## This PVC will be mounted in either Synapse or a media_repo worker.
##
## NB; If you want to be able to scale this, you will have to set the
## accessMode to RWX/ReadWriteMany.
##
persistence:
enabled: true
# existingClaim: synapse-data
# storageClass: "-"
accessMode: ReadWriteOnce
size: 10Gi
## Set up an init container to chown the mounted media if necessary.
##
volumePermissions:
enabled: false
uid: 666
gid: 666
image:
repository: alpine
tag: latest
pullPolicy: Always
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
##
# pullSecrets:
# - myRegistryKeySecretName
resources: {}
# resources:
# requests:
# memory: 128Mi
# cpu: 100m
## Configuration for the main Synapse service.
## To use TLS inside Synapse itself, add an TLS listener, and change the ports
## configured in here.
##
service:
type: ClusterIP
port: 8008
targetPort: http
## The K8s ingress configuration, this will be quite heavily used in order to
## set up all routing necessary for use with a sharded Synapse instance.
## If you're not using a Ingress compatible K8s ingress, you will need to set up
## your own routing instead.
##
ingress:
enabled: true
## Generate traefik-compatible regex paths instead of nginx-compatible ones.
##
traefikPaths: false
## Annotations to apply to the created ingress resource.
##
annotations: {}
# nginx.ingress.kubernetes.io/use-regex: "true"
# # Sync proxy-body-size with Synapse's max_upload_size which is 10M by default
# nginx.ingress.kubernetes.io/proxy-body-size: 10m
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
## Hosts to add to the ingress configuration for handling Client-to-Server
## API request paths.
##
## NB; config.serverName is included if includeServerName is set. (default)
##
csHosts: []
# - matrix.example.com
## Additional hosts to add to the ingress configuration for handling
## Server-to-Server API requests.
##
## NB; config.serverName is included if includeServerName is set. (default)
##
hosts: []
# - example.com
## Additional hosts to add to the ingress configuration for handling
## well-known requests.
##
## NB; config.serverName is included if includeServerName is set. (default)
##
wkHosts: []
# - example.com
## Additional paths to add to the Server-to-Server ingress blocks, will be
## inserted before the /_matrix catch-all path.
##
paths: []
# # K8s 1.19+
# - path: /_matrix/media
# pathType: Prefix
# backend:
# service:
# name: matrix-media-repo
# port: 8000
# # K8s <1.19
# - path: /_matrix/media
# backend:
# serviceName: matrix-media-repo
# servicePort: 8000
## Additional paths to add to the Client-to-Server ingress blocks, will be
## inserted before the /_matrix and /_synapse catch-all paths.
##
csPaths: []
# # K8s 1.19+
# - path: /_matrix/media
# pathType: Prefix
# backend:
# service:
# name: matrix-media-repo
# port:
# number: 8000
# # K8s <1.19
# - path: /_matrix/media
# backend:
# serviceName: matrix-media-repo
# servicePort: 8000
## Should the /_synapse path be included in the ingress, admin APIs are
## provided under this path.
##
includeUnderscoreSynapse: true
## Should config.serverName be included in the list of ingress paths, can be
## set to false if the main domain is managed in some external way.
##
includeServerName: true
## TLS configuration to include in the ingress configuration
##
tls: []
# - secretName: chart-example-tls
# hosts:
# - example.com
# - matrix.example.com
## Set the name of the IngressClass cluster resource (optional)
## https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressSpec
# className: can-be-anything


@ -1,11 +0,0 @@
---
apiVersion: v2
name: sliding-sync-proxy
description: An implementation of MSC3575
appVersion: "0.99.11"
type: application
version: 0.2.5
maintainers:
- name: Tommy Skaug
email: tommy@skaug.me


@ -1,13 +0,0 @@
Copyright 2021 Alexander Olofsson
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.


@ -1,81 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "sliding-sync-proxy.fullname" . }}
labels:
{{- include "sliding-sync-proxy.labels" . | nindent 4 }}
spec:
{{- if not .Values.autoscaling.enabled }}
replicas: {{ .Values.replicaCount }}
{{- end }}
selector:
matchLabels:
{{- include "sliding-sync-proxy.selectorLabels" . | nindent 6 }}
template:
metadata:
annotations:
checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
{{- with .Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "sliding-sync-proxy.selectorLabels" . | nindent 8 }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
{{- if .Values.initContainers }}
initContainers:
{{- $initContainers := list }}
{{- range $index, $key := (keys .Values.initContainers | uniq | sortAlpha) }}
{{- $container := get $.Values.initContainers $key }}
{{- if not $container.name -}}
{{- $_ := set $container "name" $key }}
{{- end }}
{{- if $container.env -}}
{{- $_ := set $ "ObjectValues" (dict "envVars" $container.env) -}}
{{- $newEnv := fromYaml (include "lib.container.envVars" $) -}}
{{- $_ := unset $.ObjectValues "envVars" -}}
{{- $_ := set $container "env" $newEnv.env }}
{{- end }}
{{- $initContainers = append $initContainers $container }}
{{- end }}
{{- tpl (toYaml $initContainers) $ | nindent 8 }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default (printf "v%s" .Chart.AppVersion) }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
envFrom:
- secretRef:
name: {{ include "sliding-sync-proxy.fullname" . }}
ports:
- name: http
containerPort: 8008
protocol: TCP
livenessProbe:
tcpSocket:
port: http
readinessProbe:
tcpSocket:
port: http
resources:
{{- toYaml .Values.resources | nindent 12 }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}


@ -1,64 +0,0 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "sliding-sync-proxy.fullname" . -}}
{{- $svcPort := .Values.service.port -}}
{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
{{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
{{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
{{- end }}
{{- end }}
---
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1
{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}
labels:
{{- include "sliding-sync-proxy.labels" . | nindent 4 }}
{{- with .Values.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
ingressClassName: {{ .Values.ingress.className }}
{{- end }}
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.hosts }}
- host: {{ . | quote }}
http:
paths:
{{- if $.Values.ingress.serveSimpleClient }}
- path: /
{{- else }}
- path: /_matrix
{{- end }}
{{- if semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion }}
pathType: Prefix
{{- end }}
backend:
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
service:
name: {{ $fullName }}
port:
number: {{ $svcPort }}
{{- else }}
serviceName: {{ $fullName }}
servicePort: {{ $svcPort }}
{{- end }}
{{- end }}
{{- end }}


@ -1,43 +0,0 @@
{{/*
Environment variables used by containers.
*/}}
{{- define "lib.container.envVars" -}}
{{- $values := .Values.env -}}
{{- if hasKey . "ObjectValues" -}}
{{- with .ObjectValues.envVars -}}
{{- $values = . -}}
{{- end -}}
{{- end -}}
{{- with $values -}}
{{- $result := list -}}
{{- range $k, $v := . -}}
{{- $name := $k -}}
{{- $value := $v -}}
{{- if kindIs "int" $name -}}
{{- $name = required "environment variables as a list of maps require a name field" $value.name -}}
{{- end -}}
{{- if kindIs "map" $value -}}
{{- if hasKey $value "value" -}}
{{- $envValue := $value.value | toString -}}
{{- $result = append $result (dict "name" $name "value" (tpl $envValue $)) -}}
{{- else if hasKey $value "valueFrom" -}}
{{- $result = append $result (dict "name" $name "valueFrom" $value.valueFrom) -}}
{{- else -}}
{{- $result = append $result (dict "name" $name "valueFrom" $value) -}}
{{- end -}}
{{- end -}}
{{- if not (kindIs "map" $value) -}}
{{- if kindIs "string" $value -}}
{{- $result = append $result (dict "name" $name "value" (tpl $value $)) -}}
{{- else if or (kindIs "float64" $value) (kindIs "bool" $value) -}}
{{- $result = append $result (dict "name" $name "value" ($value | toString)) -}}
{{- else -}}
{{- $result = append $result (dict "name" $name "value" $value) -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- toYaml (dict "env" $result) | nindent 0 -}}
{{- end -}}
{{- end -}}


@ -1,39 +0,0 @@
{{- $secret := (lookup "v1" "Secret" .Release.Namespace (include "sliding-sync-proxy.fullname" .)) -}}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ include "sliding-sync-proxy.fullname" . }}
labels:
{{- include "sliding-sync-proxy.labels" . | nindent 4 }}
data:
SYNCV3_BINDADDR: {{ ":8008" | b64enc }}
{{- if .Values.postgresql.enabled }}
SYNCV3_DB: {{ (printf "postgresql://%s:%s@%s:%d/%s?sslmode=%s"
.Values.postgresql.auth.username
.Values.postgresql.auth.password
(include "sliding-sync-proxy.postgresql.fullname" .)
5432
.Values.postgresql.auth.database
(.Values.postgresql.sslmode | default "prefer")
) | b64enc }}
{{- else }}
SYNCV3_DB: {{ (printf "postgresql://%s:%s@%s:%d/%s?sslmode=%s"
.Values.externalPostgresql.username
(.Values.externalPostgresql.password | required "You need to specify .externalPostgresql.password")
(.Values.externalPostgresql.host | required "You need to specify .externalPostgresql.host")
(.Values.externalPostgresql.port | default 5432)
.Values.externalPostgresql.database
(.Values.externalPostgresql.sslmode | default "require")
) | b64enc }}
{{- end }}
{{- if $secret }}
SYNCV3_SECRET: {{ (.Values.syncSecret | default (b64dec $secret.data.SYNCV3_SECRET)) | b64enc }}
{{- else }}
SYNCV3_SECRET: {{ (.Values.syncSecret | default (randAlphaNum 64)) | b64enc }}
{{- end }}
SYNCV3_SERVER: {{ .Values.matrixServer | b64enc }}
{{- range $key, $value := .Values.extraEnv }}
{{ $key }}: {{ $value | b64enc }}
{{- end }}


@ -1,107 +0,0 @@
---
image:
repository: ghcr.io/matrix-org/sliding-sync
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
tag: ""
replicaCount: 1
matrixServer: 'https://matrix.example.com'
## Will be generated if left empty
# syncSecret: <randomstring>
## Additional environment variables will be stored in the configuration secret
extraEnv: {}
# SYNCV3_JAEGER_URL: http://jaeger.example.com
# SYNCV3_DEBUG: "true"
imagePullSecrets: []
#initContainers:
# 01-init-db:
# image: ghcr.io/onedr0p/postgres-init:14.9
# imagePullPolicy: IfNotPresent
# envFrom: &envFrom
# - configMapRef:
# name: &configMap synapse-configmap
# - secretRef:
# name: &secret synapse-secret
nameOverride: ""
fullnameOverride: ""
podAnnotations: {}
podSecurityContext:
fsGroup: 2000
securityContext:
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
service:
type: ClusterIP
port: 80
ingress:
enabled: false
serveSimpleClient: false
className: ""
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
hosts:
- chart-example.local
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
resources: {}
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 100
targetCPUUtilizationPercentage: 80
# targetMemoryUtilizationPercentage: 80
nodeSelector: {}
tolerations: []
affinity: {}
postgresql:
enabled: true
# sslmode: prefer
auth:
## Change me
password: sliding_sync
username: sliding_sync
database: sliding_sync
primary:
persistence:
# storageClass: "-"
size: 16Gi
externalPostgresql:
host:
# port: 5432
# sslmode: require
database: sliding_sync
username: sliding_sync
# password: