mirror of
https://github.com/truecharts/charts.git
synced 2026-07-14 21:41:23 -03:00
feat(synapse): add synapse (#1768)
This commit is contained in:
committed by
GitHub
parent
4e89e852c4
commit
6e5e9da04c
24
charts/incubator/synapse/.helmignore
Normal file
24
charts/incubator/synapse/.helmignore
Normal file
@@ -0,0 +1,24 @@
|
||||
# Patterns to ignore when building packages.
|
||||
# This supports shell glob matching, relative path matching, and
|
||||
# negation (prefixed with !). Only one pattern per line.
|
||||
.DS_Store
|
||||
# Common VCS dirs
|
||||
.git/
|
||||
.gitignore
|
||||
.bzr/
|
||||
.bzrignore
|
||||
.hg/
|
||||
.hgignore
|
||||
.svn/
|
||||
# Common backup files
|
||||
*.swp
|
||||
*.bak
|
||||
*.tmp
|
||||
*~
|
||||
# Various IDEs
|
||||
.project
|
||||
.idea/
|
||||
*.tmproj
|
||||
.vscode/
|
||||
# OWNERS file for Kubernetes
|
||||
OWNERS
|
||||
32
charts/incubator/synapse/Chart.yaml
Normal file
32
charts/incubator/synapse/Chart.yaml
Normal file
@@ -0,0 +1,32 @@
|
||||
apiVersion: v2
|
||||
appVersion: "23.0.0"
|
||||
dependencies:
|
||||
- name: common
|
||||
repository: https://truecharts.org
|
||||
version: 8.14.1
|
||||
- condition: postgresql.enabled
|
||||
name: postgresql
|
||||
repository: https://truecharts.org/
|
||||
version: 6.0.56
|
||||
deprecated: false
|
||||
description: A Helm chart to deploy a Matrix homeserver stack into Kubernetes
|
||||
home: https://github.com/truecharts/apps/charts/stable/synapse
|
||||
icon: https://truecharts.org/_static/img/appicons/synapse-icon.png
|
||||
keywords:
|
||||
- chat
|
||||
- matrix
|
||||
- synapse
|
||||
kubeVersion: '>=1.16.0-0'
|
||||
maintainers:
|
||||
- email: info@truecharts.org
|
||||
name: TrueCharts
|
||||
url: https://truecharts.org
|
||||
name: synapse
|
||||
sources: []
|
||||
type: application
|
||||
version: 0.0.1
|
||||
annotations:
|
||||
truecharts.org/catagories: |
|
||||
- cloud
|
||||
truecharts.org/SCALE-support: "true"
|
||||
truecharts.org/grade: U
|
||||
5
charts/incubator/synapse/ci/base-values.yaml
Normal file
5
charts/incubator/synapse/ci/base-values.yaml
Normal file
@@ -0,0 +1,5 @@
|
||||
matrix:
|
||||
# Hostname where Synapse can be reached.
|
||||
# This is *optional* if an Ingress is configured below. If hostname is unspecified, the Synapse hostname of the
|
||||
# Ingress will be used
|
||||
hostname: "matrix.example.com"
|
||||
5
charts/incubator/synapse/ci/basic-values.yaml
Normal file
5
charts/incubator/synapse/ci/basic-values.yaml
Normal file
@@ -0,0 +1,5 @@
|
||||
matrix:
|
||||
# Hostname where Synapse can be reached.
|
||||
# This is *optional* if an Ingress is configured below. If hostname is unspecified, the Synapse hostname of the
|
||||
# Ingress will be used
|
||||
hostname: "matrix.example.com"
|
||||
349
charts/incubator/synapse/questions.yaml
Normal file
349
charts/incubator/synapse/questions.yaml
Normal file
@@ -0,0 +1,349 @@
|
||||
# Include{groups}
|
||||
portals:
|
||||
web_portal:
|
||||
protocols:
|
||||
- "$kubernetes-resource_configmap_portal_protocol"
|
||||
host:
|
||||
- "$kubernetes-resource_configmap_portal_host"
|
||||
ports:
|
||||
- "$kubernetes-resource_configmap_portal_port"
|
||||
questions:
|
||||
- variable: portal
|
||||
group: "Container Image"
|
||||
label: "Configure Portal Button"
|
||||
schema:
|
||||
type: dict
|
||||
hidden: true
|
||||
attrs:
|
||||
- variable: enabled
|
||||
label: "Enable"
|
||||
description: "enable the portal button"
|
||||
schema:
|
||||
hidden: true
|
||||
editable: false
|
||||
type: boolean
|
||||
default: true
|
||||
# Include{global}
|
||||
- variable: controller
|
||||
group: "Controller"
|
||||
label: ""
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: advanced
|
||||
label: "Show Advanced Controller Settings"
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
show_subquestions_if: true
|
||||
subquestions:
|
||||
- variable: type
|
||||
description: "Please specify type of workload to deploy"
|
||||
label: "(Advanced) Controller Type"
|
||||
schema:
|
||||
type: string
|
||||
default: "deployment"
|
||||
required: true
|
||||
enum:
|
||||
- value: "deployment"
|
||||
description: "Deployment"
|
||||
- value: "statefulset"
|
||||
description: "Statefulset"
|
||||
- value: "daemonset"
|
||||
description: "Daemonset"
|
||||
- variable: replicas
|
||||
description: "Number of desired pod replicas"
|
||||
label: "Desired Replicas"
|
||||
schema:
|
||||
type: int
|
||||
default: 1
|
||||
required: true
|
||||
- variable: strategy
|
||||
description: "Please specify type of workload to deploy"
|
||||
label: "(Advanced) Update Strategy"
|
||||
schema:
|
||||
type: string
|
||||
default: "Recreate"
|
||||
required: true
|
||||
enum:
|
||||
- value: "Recreate"
|
||||
description: "Recreate: Kill existing pods before creating new ones"
|
||||
- value: "RollingUpdate"
|
||||
description: "RollingUpdate: Create new pods and then kill old ones"
|
||||
- value: "OnDelete"
|
||||
description: "(Legacy) OnDelete: ignore .spec.template changes"
|
||||
# Include{controllerExpert}
|
||||
- variable: secret
|
||||
group: "Container Configuration"
|
||||
label: "Image Secrets"
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: NEXTCLOUD_ADMIN_USER
|
||||
label: "NEXTCLOUD_ADMIN_USER (First Install Only)"
|
||||
description: "Sets the initial nextcloud's admin username, changing this variable after first launch will NOT change admin's username"
|
||||
schema:
|
||||
type: string
|
||||
required: true
|
||||
default: "REPLACETHIS"
|
||||
- variable: NEXTCLOUD_ADMIN_PASSWORD
|
||||
label: "NEXTCLOUD_ADMIN_PASSWORD (First Install Only)"
|
||||
description: "Sets the initial nextcloud's admin password, changing this variable after first launch will NOT change admin's password"
|
||||
schema:
|
||||
type: string
|
||||
private: true
|
||||
required: true
|
||||
default: "REPLACETHIS"
|
||||
- variable: env
|
||||
group: "Container Configuration"
|
||||
label: "Image Environment"
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
# Include{fixedEnv}
|
||||
- variable: TRUSTED_PROXIES
|
||||
label: "Trusted Proxies (Advanced)"
|
||||
description: "Sets nextcloud Trusted Proxies"
|
||||
schema:
|
||||
type: string
|
||||
default: "172.16.0.0/16"
|
||||
- variable: NODE_IP
|
||||
label: "NODE_IP"
|
||||
description: "Sets nextcloud nodeip for nodeport connections (Ensure this is correct at first install!)"
|
||||
schema:
|
||||
type: string
|
||||
$ref:
|
||||
- "definitions/nodeIP"
|
||||
|
||||
# Include{containerConfig}
|
||||
|
||||
- variable: service
|
||||
group: "Networking and Services"
|
||||
label: "Configure Service(s)"
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: main
|
||||
label: "Main Service"
|
||||
description: "The Primary service on which the healthcheck runs, often the webUI"
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
# Include{serviceSelector}
|
||||
- variable: main
|
||||
label: "Main Service Port Configuration"
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: port
|
||||
label: "Port"
|
||||
description: "This port exposes the container port on the service"
|
||||
schema:
|
||||
type: int
|
||||
default: 10020
|
||||
required: true
|
||||
- variable: advanced
|
||||
label: "Show Advanced settings"
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
show_subquestions_if: true
|
||||
subquestions:
|
||||
- variable: protocol
|
||||
label: "Port Type"
|
||||
schema:
|
||||
type: string
|
||||
default: "HTTP"
|
||||
enum:
|
||||
- value: HTTP
|
||||
description: "HTTP"
|
||||
- value: "HTTPS"
|
||||
description: "HTTPS"
|
||||
- value: TCP
|
||||
description: "TCP"
|
||||
- value: "UDP"
|
||||
description: "UDP"
|
||||
- variable: nodePort
|
||||
label: "Node Port (Optional)"
|
||||
description: "This port gets exposed to the node. Only considered when service type is NodePort, Simple or LoadBalancer"
|
||||
schema:
|
||||
type: int
|
||||
min: 9000
|
||||
max: 65535
|
||||
- variable: targetPort
|
||||
label: "Target Port"
|
||||
description: "The internal(!) port on the container the Application runs on"
|
||||
schema:
|
||||
type: int
|
||||
default: 80
|
||||
|
||||
- variable: serviceexpert
|
||||
group: "Networking and Services"
|
||||
label: "Show Expert Config"
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
show_subquestions_if: true
|
||||
subquestions:
|
||||
- variable: hostNetwork
|
||||
group: "Networking and Services"
|
||||
label: "Host-Networking (Complicated)"
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
|
||||
# Include{serviceExpert}
|
||||
|
||||
# Include{serviceList}
|
||||
|
||||
- variable: persistence
|
||||
label: "Integrated Persistent Storage"
|
||||
description: "Integrated Persistent Storage"
|
||||
group: "Storage and Persistence"
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: data
|
||||
label: "App Data Storage"
|
||||
description: "Stores the Application Data."
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: type
|
||||
label: "Type of Storage"
|
||||
description: "Sets the persistence type, Anything other than PVC could break rollback!"
|
||||
schema:
|
||||
type: string
|
||||
default: "simplePVC"
|
||||
enum:
|
||||
- value: "simplePVC"
|
||||
description: "PVC (simple)"
|
||||
- value: "simpleHP"
|
||||
description: "HostPath (simple)"
|
||||
- value: "emptyDir"
|
||||
description: "emptyDir"
|
||||
- value: "pvc"
|
||||
description: "pvc"
|
||||
- value: "hostPath"
|
||||
description: "hostPath"
|
||||
# Include{persistenceBasic}
|
||||
- variable: hostPath
|
||||
label: "hostPath"
|
||||
description: "Path inside the container the storage is mounted"
|
||||
schema:
|
||||
show_if: [["type", "=", "hostPath"]]
|
||||
type: hostpath
|
||||
- variable: medium
|
||||
label: "EmptyDir Medium"
|
||||
schema:
|
||||
show_if: [["type", "=", "emptyDir"]]
|
||||
type: string
|
||||
default: ""
|
||||
enum:
|
||||
- value: ""
|
||||
description: "Default"
|
||||
- value: "Memory"
|
||||
description: "Memory"
|
||||
# Include{persistenceAdvanced}
|
||||
|
||||
# Include{persistenceList}
|
||||
|
||||
- variable: ingress
|
||||
label: ""
|
||||
group: "Ingress"
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: main
|
||||
label: "Main Ingress"
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
# Include{ingressDefault}
|
||||
|
||||
# Include{ingressTLS}
|
||||
|
||||
# Include{ingressTraefik}
|
||||
|
||||
# Include{ingressExpert}
|
||||
|
||||
# Include{ingressList}
|
||||
|
||||
- variable: advancedSecurity
|
||||
label: "Show Advanced Security Settings"
|
||||
group: "Security and Permissions"
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
show_subquestions_if: true
|
||||
subquestions:
|
||||
- variable: securityContext
|
||||
label: "Security Context"
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: privileged
|
||||
label: "Privileged mode"
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
- variable: readOnlyRootFilesystem
|
||||
label: "ReadOnly Root Filesystem"
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
- variable: allowPrivilegeEscalation
|
||||
label: "Allow Privilege Escalation"
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
- variable: runAsNonRoot
|
||||
label: "runAsNonRoot"
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
# Include{securityContextAdvanced}
|
||||
|
||||
- variable: podSecurityContext
|
||||
group: "Security and Permissions"
|
||||
label: "Pod Security Context"
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: runAsUser
|
||||
label: "runAsUser"
|
||||
description: "The UserID of the user running the application"
|
||||
schema:
|
||||
type: int
|
||||
default: 0
|
||||
- variable: runAsGroup
|
||||
label: "runAsGroup"
|
||||
description: The groupID this App of the user running the application"
|
||||
schema:
|
||||
type: int
|
||||
default: 0
|
||||
- variable: fsGroup
|
||||
label: "fsGroup"
|
||||
description: "The group that should own ALL storage."
|
||||
schema:
|
||||
type: int
|
||||
default: 33
|
||||
# Include{podSecurityContextAdvanced}
|
||||
|
||||
# Include{resources}
|
||||
|
||||
# Include{advanced}
|
||||
|
||||
# Include{addons}
|
||||
153
charts/incubator/synapse/templates/_configmap.tpl
Normal file
153
charts/incubator/synapse/templates/_configmap.tpl
Normal file
@@ -0,0 +1,153 @@
|
||||
{{/* Define the configs */}}
|
||||
{{- define "synapse.config" -}}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: synapse-config
|
||||
labels:
|
||||
{{ include "common.labels" . | nindent 4 }}
|
||||
annotations:
|
||||
rollme: {{ randAlphaNum 5 | quote }}
|
||||
data:
|
||||
homeserver.yaml: |
|
||||
server_name: {{ .Values.matrix.serverName }}
|
||||
pid_file: /data/homeserver.pid
|
||||
public_baseurl: {{ include "matrix.baseUrl" . | quote }}
|
||||
use_presence: {{ .Values.matrix.presence }}
|
||||
|
||||
allow_public_rooms_over_federation: {{ and .Values.matrix.federation.enabled .Values.matrix.federation.allowPublicRooms }}
|
||||
|
||||
block_non_admin_invites: {{ .Values.matrix.blockNonAdminInvites }}
|
||||
|
||||
enable_search: {{ .Values.matrix.search }}
|
||||
|
||||
{{- if .Values.matrix.federation.whitelist }}
|
||||
federation_domain_whitelist:
|
||||
{{- range .Values.matrix.federation.whitelist }}
|
||||
- {{ . }}
|
||||
{{- end }}
|
||||
{{- end}}
|
||||
|
||||
federation_ip_range_blacklist:
|
||||
{{- range .Values.matrix.federation.blacklist }}
|
||||
- {{ . }}
|
||||
{{- end }}
|
||||
|
||||
listeners:
|
||||
- port: 8008
|
||||
tls: false
|
||||
type: http
|
||||
x_forwarded: true
|
||||
bind_addresses: ['0.0.0.0']
|
||||
resources:
|
||||
- names: [client, federation]
|
||||
compress: false
|
||||
|
||||
{{- if .Values.synapse.metrics.enabled }}
|
||||
- type: metrics
|
||||
port: {{ .Values.synapse.metrics.port }}
|
||||
bind_addresses: ['0.0.0.0']
|
||||
resources:
|
||||
- names: [metrics]
|
||||
{{- end }}
|
||||
|
||||
admin_contact: 'mailto:{{ .Values.matrix.adminEmail }}'
|
||||
hs_disabled: {{ .Values.matrix.disabled }}
|
||||
hs_disabled_message: {{ .Values.matrix.disabledMessage }}
|
||||
redaction_retention_period: {{ .Values.matrix.retentionPeriod }}
|
||||
|
||||
log_config: "/data/{{ .Values.matrix.serverName }}.log.config"
|
||||
media_store_path: "/data/media_store"
|
||||
uploads_path: "/data/uploads"
|
||||
max_upload_size: {{ .Values.matrix.uploads.maxSize }}
|
||||
max_image_pixels: {{ .Values.matrix.uploads.maxPixels }}
|
||||
url_preview_enabled: {{ .Values.matrix.urlPreviews.enabled }}
|
||||
|
||||
{{- if .Values.coturn.enabled -}}
|
||||
{{- if not (empty .Values.coturn.uris) }}
|
||||
turn_uris:
|
||||
{{- range .Values.coturn.uris }}
|
||||
- {{ . }}
|
||||
{{- end }}
|
||||
{{- else }}
|
||||
turn_uris:
|
||||
- "turn:{{ include "matrix.hostname" . }}?transport=udp"
|
||||
{{- end }}
|
||||
turn_user_lifetime: 1h
|
||||
turn_allow_guests: {{ .Values.coturn.allowGuests }}
|
||||
{{- end }}
|
||||
|
||||
enable_registration: {{ .Values.matrix.registration.enabled }}
|
||||
|
||||
allow_guest_access: {{ .Values.matrix.registration.allowGuests }}
|
||||
|
||||
{{- if .Values.synapse.metrics.enabled }}
|
||||
enable_metrics: true
|
||||
{{- end }}
|
||||
|
||||
report_stats: false
|
||||
|
||||
{{- if .Values.synapse.appConfig }}
|
||||
app_service_config_files:
|
||||
{{- range .Values.synapse.appConfig }}
|
||||
- {{ . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
signing_key_path: "/data/keys/{{ .Values.matrix.serverName }}.signing.key"
|
||||
|
||||
{{- if .Values.matrix.security.trustedKeyServers }}
|
||||
trusted_key_servers:
|
||||
{{- range .Values.matrix.security.trustedKeyServers }}
|
||||
- server_name: {{ .serverName }}
|
||||
{{- if .verifyKeys }}
|
||||
verify_keys:
|
||||
{{- range .verifyKeys }}
|
||||
{{ .id | quote }}: {{ .key | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .acceptKeysInsecurely }}
|
||||
accept_keys_insecurely: {{ .acceptKeysInsecurely }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
suppress_key_server_warning: {{ .Values.matrix.security.supressKeyServerWarning }}
|
||||
{{- if not .Values.loadCustomConfig }}
|
||||
custom.yaml: |
|
||||
# PLACEHOLDER
|
||||
{{- end }}
|
||||
|
||||
{{ .Values.matrix.serverName }}.log.config: |
|
||||
version: 1
|
||||
|
||||
formatters:
|
||||
precise:
|
||||
format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
|
||||
|
||||
filters:
|
||||
context:
|
||||
(): synapse.util.logcontext.LoggingContextFilter
|
||||
request: ""
|
||||
|
||||
handlers:
|
||||
console:
|
||||
class: logging.StreamHandler
|
||||
formatter: precise
|
||||
filters: [context]
|
||||
|
||||
loggers:
|
||||
synapse:
|
||||
level: {{ .Values.matrix.logging.synapseLogLevel }}
|
||||
|
||||
synapse.storage.SQL:
|
||||
# beware: increasing this to DEBUG will make synapse log sensitive
|
||||
# information such as access tokens.
|
||||
level: {{ .Values.matrix.logging.sqlLogLevel }}
|
||||
|
||||
|
||||
root:
|
||||
level: {{ .Values.matrix.logging.rootLogLevel }}
|
||||
handlers: [console]
|
||||
{{- end }}
|
||||
20
charts/incubator/synapse/templates/_helpers.tpl
Normal file
20
charts/incubator/synapse/templates/_helpers.tpl
Normal file
@@ -0,0 +1,20 @@
|
||||
Synapse hostname, derived from either the Values.matrix.hostname override or the Ingress definition
|
||||
*/}}
|
||||
{{- define "matrix.hostname" -}}
|
||||
{{- if .Values.matrix.hostname }}
|
||||
{{- .Values.matrix.hostname -}}
|
||||
{{- else }}
|
||||
{{- .Values.ingress.hosts.synapse -}}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Synapse hostname prepended with https:// to form a complete URL
|
||||
*/}}
|
||||
{{- define "matrix.baseUrl" -}}
|
||||
{{- if .Values.matrix.hostname }}
|
||||
{{- printf "https://%s" .Values.matrix.hostname -}}
|
||||
{{- else }}
|
||||
{{- printf "https://%s" .Values.ingress.hosts.synapse -}}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
55
charts/incubator/synapse/templates/_secret.tpl
Normal file
55
charts/incubator/synapse/templates/_secret.tpl
Normal file
@@ -0,0 +1,55 @@
|
||||
{{/* Define the configs */}}
|
||||
{{- define "synapse.secret" -}}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: synapse-secret
|
||||
labels:
|
||||
{{ include "common.labels" . | nindent 4 }}
|
||||
annotations:
|
||||
rollme: {{ randAlphaNum 5 | quote }}
|
||||
stringData:
|
||||
{{- $previous := lookup "v1" "Secret" .Release.Namespace "synapse-secret" }}
|
||||
{{- $msk := "" }}
|
||||
secret.yaml: |
|
||||
{{- if .Values.mail.enabled }}
|
||||
email:
|
||||
enable_notifs: {{ .Values.mail.enabled }}
|
||||
notif_from: {{ .Values.mail.from }}
|
||||
smtp_host: {{ .Values.mail.external.host }}
|
||||
smtp_port: {{ .Values.mail.external.port }}
|
||||
smtp_user: {{ .Values.mail.external.username }}
|
||||
smtp_pass: {{ .Values.mail.external.password }}
|
||||
require_transport_security: {{ .Values.mail.external.requireTransportSecurity }}
|
||||
{{- end }}
|
||||
|
||||
database:
|
||||
name: "psycopg2"
|
||||
args:
|
||||
user: "{{ .Values.postgresql.postgresqlUsername }}"
|
||||
password: {{ .Values.postgresql.postgresqlPassword }}
|
||||
database: "{{ .Values.postgresql.postgresqlDatabase }}"
|
||||
host: "{{ printf "%v-%v" .Release.Name "postgresql" }}"
|
||||
port: "5432"
|
||||
cp_min: 5
|
||||
cp_max: 10
|
||||
sslmode: "disable"
|
||||
|
||||
{{- if .Values.matrix.registration.sharedSecret }}
|
||||
registration_shared_secret: {{ .Values.matrix.registration.sharedSecret }}
|
||||
{{- end }}
|
||||
|
||||
{{- if $previous }}
|
||||
{{- $msk = ( index $previous.data "macaroon_secret_key" ) | b64dec }}
|
||||
macaroon_secret_key: {{ ( index $previous.data "macaroon_secret_key" ) }}
|
||||
{{- else }}
|
||||
{{- $msk = randAlphaNum 50 }}
|
||||
macaroon_secret_key: {{ $msk | b64enc | quote }}
|
||||
{{- end }}
|
||||
|
||||
{{- if .Values.coturn.enabled -}}
|
||||
turn_shared_secret: {{ include "matrix.coturn.sharedSecret" . }}
|
||||
{{- end }}
|
||||
|
||||
{{- end }}
|
||||
11
charts/incubator/synapse/templates/common.yaml
Normal file
11
charts/incubator/synapse/templates/common.yaml
Normal file
@@ -0,0 +1,11 @@
|
||||
{{/* Make sure all variables are set properly */}}
|
||||
{{- include "common.setup" . }}
|
||||
|
||||
{{/* Render configmap for synapse */}}
|
||||
{{- include "synapse.config" . }}
|
||||
|
||||
{{/* Render secret for synapse */}}
|
||||
{{- include "synapse.secret" . }}
|
||||
|
||||
{{/* Render the templates */}}
|
||||
{{ include "common.postSetup" . }}
|
||||
313
charts/incubator/synapse/values.yaml
Normal file
313
charts/incubator/synapse/values.yaml
Normal file
@@ -0,0 +1,313 @@
|
||||
image:
|
||||
repository: matrixdotorg/synapse
|
||||
pullPolicy: IfNotPresent
|
||||
tag: v1.50.1
|
||||
|
||||
command:
|
||||
- sh
|
||||
- -c
|
||||
- |
|
||||
exec python -B -m synapse.app.homeserver \
|
||||
-c /data/homeserver.yaml \
|
||||
-c /data/secret/secret.yaml \
|
||||
-c /data/custom.yaml
|
||||
|
||||
service:
|
||||
main:
|
||||
ports:
|
||||
main:
|
||||
port: 8008
|
||||
targetPort: 8008
|
||||
replication:
|
||||
enabled: true
|
||||
ports:
|
||||
replication:
|
||||
enabled: true
|
||||
port: 9092
|
||||
targetPort: 9092
|
||||
metrics:
|
||||
enabled: true
|
||||
ports:
|
||||
metrics:
|
||||
enabled: true
|
||||
port: 9090
|
||||
targetPort: 9090
|
||||
|
||||
securityContext:
|
||||
readOnlyRootFilesystem: true
|
||||
allowPrivilegeEscalation: true
|
||||
runAsNonRoot: true
|
||||
|
||||
secret: {}
|
||||
|
||||
installContainers:
|
||||
generate-signing-key:
|
||||
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
|
||||
env:
|
||||
- name: SYNAPSE_SERVER_NAME
|
||||
value: "{{ .Values.matrix.serverName }}"
|
||||
- name: SYNAPSE_REPORT_STATS
|
||||
value: "no"
|
||||
command: ["python"]
|
||||
args:
|
||||
- "-m"
|
||||
- "synapse.app.homeserver"
|
||||
- "--config-path"
|
||||
- "/data/homeserver.yaml"
|
||||
- "--keys-directory"
|
||||
- "/data/keys"
|
||||
- "--generate-keys"
|
||||
volumeMounts:
|
||||
- name: config
|
||||
mountPath: /data
|
||||
- name: secret
|
||||
mountPath: /data/secret
|
||||
- name: key
|
||||
mountPath: /data/keys
|
||||
|
||||
env: {}
|
||||
|
||||
persistence:
|
||||
config:
|
||||
enabled: true
|
||||
type: configMap
|
||||
objectName: synapse-config
|
||||
mountPath: /data
|
||||
readOnly: false
|
||||
secret:
|
||||
enabled: true
|
||||
type: secret
|
||||
objectName: synapse-secret
|
||||
mountPath: /data/secret
|
||||
readOnly: false
|
||||
key:
|
||||
enabled: true
|
||||
mountPath: "/data/keys"
|
||||
media:
|
||||
enabled: true
|
||||
mountPath: "/data/media_store"
|
||||
uploads:
|
||||
enabled: true
|
||||
mountPath: "/uploads"
|
||||
|
||||
probes:
|
||||
liveness:
|
||||
path: /health
|
||||
|
||||
readiness:
|
||||
path: /health
|
||||
|
||||
startup:
|
||||
path: /health
|
||||
|
||||
# Synapse Kubernetes resource settings
|
||||
synapse:
|
||||
loadCustomConfig: false
|
||||
# -- List of application config .yaml files to be loaded from /appConfig
|
||||
appConfig: []
|
||||
# Prometheus metrics for Synapse
|
||||
# https://github.com/matrix-org/synapse/blob/master/docs/metrics-howto.md
|
||||
metrics:
|
||||
# Whether Synapse should capture metrics on an additional endpoint
|
||||
enabled: true
|
||||
# Port to listen on for metrics scraping
|
||||
port: 9092
|
||||
annotations: true
|
||||
|
||||
# Runtime configuration for Synapse and settings related to the Matrix protocol
|
||||
matrix:
|
||||
# Manual overrides for homeserver.yaml, the main configuration file for Synapse
|
||||
# If homeserverOverride is set, the entirety of homeserver.yaml will be replaced with the contents.
|
||||
# If homeserverExtra is set, the contents will be appended to the end of the default configuration.
|
||||
# It is highly recommended that you take a look at the defaults in templates/synapse/_homeserver.yaml, to get a sense
|
||||
# of the requirements and default configuration options to use other services in this chart.
|
||||
# homeserverOverride: {}
|
||||
# homeserverExtra: {}
|
||||
|
||||
# Domain name of the server
|
||||
# This is not necessarily the host name where the service is reachable. In fact, you may want to omit any subdomains
|
||||
# from this value as the server name set here will be the name of your homeserver in the fediverse, and will be the
|
||||
# domain name at the end of every user's username
|
||||
serverName: "example.com"
|
||||
|
||||
urlPreviews:
|
||||
enabled: false
|
||||
|
||||
# Hostname where Synapse can be reached.
|
||||
# This is *optional* if an Ingress is configured below. If hostname is unspecified, the Synapse hostname of the
|
||||
# Ingress will be used
|
||||
# hostname: "matrix.example.com"
|
||||
|
||||
# Set to false to disable presence (online/offline indicators)
|
||||
presence: true
|
||||
|
||||
# Set to true to block non-admins from inviting users to any rooms
|
||||
blockNonAdminInvites: false
|
||||
|
||||
# Set to false to disable message searching
|
||||
search: true
|
||||
|
||||
# Which types of rooms to enable end-to-end encryption on by default
|
||||
# off: none
|
||||
# invite: private messages, or rooms created with the private_chat or trusted_private_chat room preset
|
||||
# all: all rooms
|
||||
encryptByDefault: invite
|
||||
|
||||
# Email address of the administrator
|
||||
adminEmail: "admin@example.com"
|
||||
|
||||
# Settings related to image and multimedia uploads
|
||||
uploads:
|
||||
# Max upload size in bytes
|
||||
maxSize: 10M
|
||||
|
||||
# Max image size in pixels
|
||||
maxPixels: 32M
|
||||
|
||||
# Settings related to federation
|
||||
federation:
|
||||
# Set to false to disable federation and run an isolated homeserver
|
||||
enabled: true
|
||||
|
||||
# Set to false to disallow members of other homeservers from fetching *public* rooms
|
||||
allowPublicRooms: true
|
||||
|
||||
# Whitelist of domains to federate with (comment for all domains except blacklisted)
|
||||
# whitelist: []
|
||||
|
||||
# IP addresses to blacklist federation requests to
|
||||
blacklist:
|
||||
- '127.0.0.0/8'
|
||||
- '10.0.0.0/8'
|
||||
- '172.16.0.0/12'
|
||||
- '192.168.0.0/16'
|
||||
- '100.64.0.0/10'
|
||||
- '169.254.0.0/16'
|
||||
- '::1/128'
|
||||
- 'fe80::/64'
|
||||
- 'fc00::/7'
|
||||
|
||||
# User registration settings
|
||||
registration:
|
||||
# Allow new users to register an account
|
||||
enabled: false
|
||||
|
||||
# If set, allows registration of standard or admin accounts by anyone who
|
||||
# has the shared secret, even if registration is otherwise disabled.
|
||||
#
|
||||
# sharedSecret: <PRIVATE STRING>
|
||||
|
||||
# Allow users to join rooms as a guest
|
||||
allowGuests: false
|
||||
|
||||
# Required "3PIDs" - third-party identifiers such as email or msisdn (SMS)
|
||||
# required3Pids:
|
||||
# - email
|
||||
# - msisdn
|
||||
|
||||
# Rooms to automatically join all new users to
|
||||
autoJoinRooms: []
|
||||
# - "#welcome:example.com"
|
||||
|
||||
# How long to keep redacted events in unredacted form in the database
|
||||
retentionPeriod: 7d
|
||||
|
||||
security:
|
||||
# a secret which is used to sign access tokens. If none is specified,
|
||||
# the registration_shared_secret is used, if one is given; otherwise,
|
||||
# a secret key is derived from the signing key.
|
||||
#
|
||||
# macaroonSecretKey: <PRIVATE STRING>
|
||||
|
||||
# This disables the warning that is emitted when the
|
||||
# trustedKeyServers include 'matrix.org'. See below.
|
||||
# Set to false to re-enable the warning.
|
||||
#
|
||||
surpressKeyServerWarning: true
|
||||
|
||||
# The trusted servers to download signing keys from.
|
||||
#
|
||||
# When we need to fetch a signing key, each server is tried in parallel.
|
||||
#
|
||||
# Normally, the connection to the key server is validated via TLS certificates.
|
||||
# Additional security can be provided by configuring a `verify key`, which
|
||||
# will make synapse check that the response is signed by that key.
|
||||
#
|
||||
# This setting supercedes an older setting named `perspectives`. The old format
|
||||
# is still supported for backwards-compatibility, but it is deprecated.
|
||||
#
|
||||
# 'trustedKeyServers' defaults to matrix.org, but using it will generate a
|
||||
# warning on start-up. To suppress this warning, set
|
||||
# 'surpressKeyServerWarning' to true.
|
||||
#
|
||||
# Options for each entry in the list include:
|
||||
#
|
||||
# serverName: the name of the server. required.
|
||||
#
|
||||
# verifyKeys: an optional map from key id to base64-encoded public key.
|
||||
# If specified, we will check that the response is signed by at least
|
||||
# one of the given keys.
|
||||
#
|
||||
# acceptKeysInsecurely: a boolean. Normally, if `verify_keys` is unset,
|
||||
# and federation_verify_certificates is not `true`, synapse will refuse
|
||||
# to start, because this would allow anyone who can spoof DNS responses
|
||||
# to masquerade as the trusted key server. If you know what you are doing
|
||||
# and are sure that your network environment provides a secure connection
|
||||
# to the key server, you can set this to `true` to override this
|
||||
# behaviour.
|
||||
#
|
||||
# An example configuration might look like:
|
||||
#
|
||||
# trustedKeyServers:
|
||||
# - serverName: my_trusted_server.example.com
|
||||
# verifyKeys:
|
||||
# - id: "ed25519:auto"
|
||||
# key: "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr"
|
||||
# acceptKeysInsecurely: false
|
||||
# - serverName: my_other_trusted_server.example.com
|
||||
|
||||
# Set to true to globally block access to the homeserver
|
||||
disabled: false
|
||||
# Human readable reason for why the homeserver is blocked
|
||||
disabledMessage: ""
|
||||
|
||||
logging:
|
||||
# Root log level is the default log level for log outputs that do not have more
|
||||
# specific settings.
|
||||
rootLogLevel: WARNING
|
||||
# beware: increasing this to DEBUG will make synapse log sensitive
|
||||
# information such as access tokens.
|
||||
sqlLogLevel: WARNING
|
||||
# The log level for the synapse server
|
||||
synapseLogLevel: WARNING
|
||||
|
||||
|
||||
# Settings for email notifications
|
||||
mail:
|
||||
# Set to false to disable all email notifications
|
||||
# NOTE: If enabled, either enable the Exim relay or configure an external mail server below
|
||||
enabled: false
|
||||
# Name and email address for outgoing mail
|
||||
from: "Matrix <matrix@example.com>"
|
||||
# Optional: Element instance URL.
|
||||
# If the ingress is enabled, this is unnecessary.
|
||||
# If the ingress is disabled and this is left unspecified, emails will contain a link to https://app.element.io
|
||||
riotUrl: ""
|
||||
|
||||
host: ""
|
||||
port: 25 # SSL: 465, STARTTLS: 587
|
||||
username: ""
|
||||
password: ""
|
||||
requireTransportSecurity: true
|
||||
|
||||
coturn:
|
||||
enabled: false
|
||||
|
||||
# Enabled postgres
|
||||
postgresql:
|
||||
env:
|
||||
POSTGRES_INITDB_ARGS: "--encoding=UTF8 --locale=C"
|
||||
enabled: true
|
||||
existingSecret: "dbcreds"
|
||||
postgresqlUsername: synapse
|
||||
postgresqlDatabase: synapse
|
||||
Reference in New Issue
Block a user