From f3860574163146c25ecb70144feb05aa8f89f413 Mon Sep 17 00:00:00 2001 From: David Cruz Date: Wed, 4 Dec 2019 16:19:41 -0800 Subject: [PATCH 001/105] Initial empty chart --- charts/matrix/.gitignore | 1 + charts/matrix/Chart.yaml | 21 ++++++ charts/matrix/templates/NOTES.txt | 21 ++++++ charts/matrix/templates/_helpers.tpl | 63 ++++++++++++++++++ charts/matrix/templates/deployment.yaml | 55 ++++++++++++++++ charts/matrix/templates/ingress.yaml | 41 ++++++++++++ charts/matrix/templates/service.yaml | 15 +++++ charts/matrix/templates/serviceaccount.yaml | 8 +++ .../templates/tests/test-connection.yaml | 15 +++++ charts/matrix/values.yaml | 66 +++++++++++++++++++ 10 files changed, 306 insertions(+) create mode 100644 charts/matrix/.gitignore create mode 100644 charts/matrix/Chart.yaml create mode 100644 charts/matrix/templates/NOTES.txt create mode 100644 charts/matrix/templates/_helpers.tpl create mode 100644 charts/matrix/templates/deployment.yaml create mode 100644 charts/matrix/templates/ingress.yaml create mode 100644 charts/matrix/templates/service.yaml create mode 100644 charts/matrix/templates/serviceaccount.yaml create mode 100644 charts/matrix/templates/tests/test-connection.yaml create mode 100644 charts/matrix/values.yaml diff --git a/charts/matrix/.gitignore b/charts/matrix/.gitignore new file mode 100644 index 0000000..9f11b75 --- /dev/null +++ b/charts/matrix/.gitignore @@ -0,0 +1 @@ +.idea/ diff --git a/charts/matrix/Chart.yaml b/charts/matrix/Chart.yaml new file mode 100644 index 0000000..7ae2b29 --- /dev/null +++ b/charts/matrix/Chart.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v2 +name: matrix +description: A Helm chart for Kubernetes + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +version: 0.1.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. +appVersion: 1.16.0 diff --git a/charts/matrix/templates/NOTES.txt b/charts/matrix/templates/NOTES.txt new file mode 100644 index 0000000..0329b0d --- /dev/null +++ b/charts/matrix/templates/NOTES.txt 
@@ -0,0 +1,21 @@ +1. Get the application URL by running these commands: +{{- if .Values.ingress.enabled }} +{{- range $host := .Values.ingress.hosts }} + {{- range .paths }} + http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ . }} + {{- end }} +{{- end }} +{{- else if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "matrix.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "matrix.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "matrix.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + echo http://$SERVICE_IP:{{ .Values.service.port }} +{{- else if contains "ClusterIP" .Values.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "matrix.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + echo "Visit http://127.0.0.1:8080 to use your application" + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:80 +{{- end }} diff --git a/charts/matrix/templates/_helpers.tpl b/charts/matrix/templates/_helpers.tpl new file mode 100644 index 0000000..8c0f92c --- /dev/null +++ b/charts/matrix/templates/_helpers.tpl 
@@ -0,0 +1,63 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "matrix.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "matrix.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "matrix.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "matrix.labels" -}} +helm.sh/chart: {{ include "matrix.chart" . }} +{{ include "matrix.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Selector labels +*/}} +{{- define "matrix.selectorLabels" -}} +app.kubernetes.io/name: {{ include "matrix.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "matrix.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "matrix.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} 
diff --git a/charts/matrix/templates/deployment.yaml b/charts/matrix/templates/deployment.yaml new file mode 100644 index 0000000..6d126e0 --- /dev/null +++ b/charts/matrix/templates/deployment.yaml @@ -0,0 +1,55 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "matrix.fullname" . }} + labels: + {{- include "matrix.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + {{- include "matrix.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "matrix.selectorLabels" . | nindent 8 }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "matrix.serviceAccountName" . }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + containers: + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: http + containerPort: 80 + protocol: TCP + livenessProbe: + httpGet: + path: / + port: http + readinessProbe: + httpGet: + path: / + port: http + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/matrix/templates/ingress.yaml b/charts/matrix/templates/ingress.yaml new file mode 100644 index 0000000..d13cfa5 --- /dev/null +++ b/charts/matrix/templates/ingress.yaml 
@@ -0,0 +1,41 @@ +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "matrix.fullname" . -}} +{{- $svcPort := .Values.service.port -}} +{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1beta1 +{{- else -}} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + {{- include "matrix.labels" . | nindent 4 }} + {{- with .Values.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ . }} + backend: + serviceName: {{ $fullName }} + servicePort: {{ $svcPort }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/matrix/templates/service.yaml b/charts/matrix/templates/service.yaml new file mode 100644 index 0000000..1fff2f1 --- /dev/null +++ b/charts/matrix/templates/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "matrix.fullname" . }} + labels: + {{- include "matrix.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.port }} + targetPort: http + protocol: TCP + name: http + selector: + {{- include "matrix.selectorLabels" . | nindent 4 }} diff --git a/charts/matrix/templates/serviceaccount.yaml b/charts/matrix/templates/serviceaccount.yaml new file mode 100644 index 0000000..bce7a8b --- /dev/null +++ b/charts/matrix/templates/serviceaccount.yaml @@ -0,0 +1,8 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "matrix.serviceAccountName" . }} + labels: +{{ include "matrix.labels" . | nindent 4 }} +{{- end -}} 
diff --git a/charts/matrix/templates/tests/test-connection.yaml b/charts/matrix/templates/tests/test-connection.yaml new file mode 100644 index 0000000..e2e4382 --- /dev/null +++ b/charts/matrix/templates/tests/test-connection.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "matrix.fullname" . }}-test-connection" + labels: +{{ include "matrix.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": test-success +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['{{ include "matrix.fullname" . }}:{{ .Values.service.port }}'] + restartPolicy: Never diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml new file mode 100644 index 0000000..e098920 --- /dev/null +++ b/charts/matrix/values.yaml 
@@ -0,0 +1,66 @@ +# Default values for matrix. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +replicaCount: 1 + +image: + repository: nginx + pullPolicy: IfNotPresent + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: + +podSecurityContext: {} + # fsGroup: 2000 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +service: + type: ClusterIP + port: 80 + +ingress: + enabled: false + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: chart-example.local + paths: [] + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +nodeSelector: {} + +tolerations: [] + +affinity: {} From 1838c20cdd34b114c9feb6ae640065520e3fb976 Mon Sep 17 00:00:00 2001 
From: David Cruz Date: Wed, 4 Dec 2019 16:27:01 -0800 Subject: [PATCH 002/105] Barebones Synapse deployment and service --- charts/matrix/templates/NOTES.txt | 22 +------ charts/matrix/templates/deployment.yaml | 55 ---------------- charts/matrix/templates/service.yaml | 15 ----- charts/matrix/templates/serviceaccount.yaml | 8 --- .../matrix/templates/synapse/deployment.yaml | 44 +++++++++++++ charts/matrix/templates/synapse/service.yaml | 16 +++++ .../templates/tests/test-connection.yaml | 15 ----- charts/matrix/values.yaml | 65 ++++++------------- 8 files changed, 82 insertions(+), 158 deletions(-) delete mode 100644 charts/matrix/templates/deployment.yaml delete mode 100644 charts/matrix/templates/service.yaml delete mode 100644 charts/matrix/templates/serviceaccount.yaml create mode 100644 charts/matrix/templates/synapse/deployment.yaml create mode 100644 charts/matrix/templates/synapse/service.yaml delete mode 100644 charts/matrix/templates/tests/test-connection.yaml diff --git a/charts/matrix/templates/NOTES.txt b/charts/matrix/templates/NOTES.txt index 0329b0d..30404ce 100644 --- a/charts/matrix/templates/NOTES.txt +++ b/charts/matrix/templates/NOTES.txt 
@@ -1,21 +1 @@ -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range $host := .Values.ingress.hosts }} - {{- range .paths }} - http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ . }} - {{- end }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "matrix.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "matrix.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "matrix.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") - echo http://$SERVICE_IP:{{ .Values.service.port }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "matrix.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:80 -{{- end }} +TODO \ No newline at end of file diff --git a/charts/matrix/templates/deployment.yaml b/charts/matrix/templates/deployment.yaml deleted file mode 100644 index 6d126e0..0000000 --- a/charts/matrix/templates/deployment.yaml +++ /dev/null 
@@ -1,55 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "matrix.fullname" . }} - labels: - {{- include "matrix.labels" . | nindent 4 }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - {{- include "matrix.selectorLabels" . | nindent 6 }} - template: - metadata: - labels: - {{- include "matrix.selectorLabels" . | nindent 8 }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ include "matrix.serviceAccountName" . }} - securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} - containers: - - name: {{ .Chart.Name }} - securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} - image: "{{ .Values.image.repository }}:{{ .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - ports: - - name: http - containerPort: 80 - protocol: TCP - livenessProbe: - httpGet: - path: / - port: http - readinessProbe: - httpGet: - path: / - port: http - resources: - {{- toYaml .Values.resources | nindent 12 }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} diff --git a/charts/matrix/templates/service.yaml b/charts/matrix/templates/service.yaml deleted file mode 100644 index 1fff2f1..0000000 --- a/charts/matrix/templates/service.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ include "matrix.fullname" . }} - labels: - {{- include "matrix.labels" . | nindent 4 }} -spec: - type: {{ .Values.service.type }} - ports: - - port: {{ .Values.service.port }} - targetPort: http - protocol: TCP - name: http - selector: - {{- include "matrix.selectorLabels" . | nindent 4 }} 
diff --git a/charts/matrix/templates/serviceaccount.yaml b/charts/matrix/templates/serviceaccount.yaml
deleted file mode 100644
index bce7a8b..0000000
--- a/charts/matrix/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-{{- if .Values.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ include "matrix.serviceAccountName" . }}
- labels:
-{{ include "matrix.labels" . | nindent 4 }}
-{{- end -}}
diff --git a/charts/matrix/templates/synapse/deployment.yaml b/charts/matrix/templates/synapse/deployment.yaml
new file mode 100644
index 0000000..476653c
--- /dev/null
+++ b/charts/matrix/templates/synapse/deployment.yaml
@@ -0,0 +1,44 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "matrix.fullname" . }}-synapse
+ labels:
+{{ include "matrix.labels" . | indent 4 }}
+spec:
+ replicas: {{ .Values.synapse.replicaCount }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "matrix.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: {{ include "matrix.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ securityContext:
+ {{- toYaml .Values.synapse.podSecurityContext | nindent 8 }}
+ containers:
+ - name: "synapse"
+ image: "{{ .Values.synapse.image.repository }}:{{ .Values.synapse.image.tag }}"
+ imagePullPolicy: {{ .Values.synapse.image.pullPolicy }}
+ ports:
+ - name: http
+ containerPort: 80
+ protocol: TCP
+ livenessProbe:
+ httpGet:
+ path: /
+ port: http
+ readinessProbe:
+ httpGet:
+ path: /
+ port: http
+ {{- with .Values.synapse.resources }}
+ resources:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
diff --git a/charts/matrix/templates/synapse/service.yaml b/charts/matrix/templates/synapse/service.yaml
new file mode 100644
index 0000000..b0b6cdd
--- /dev/null
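Review bot: The `synapse` container in the new Deployment never renders a container-level `securityContext`, so the hardening this same commit adds to values.yaml under `synapse.securityContext` (drop ALL capabilities, `readOnlyRootFilesystem`, `runAsNonRoot`) is dead configuration; only `podSecurityContext` is applied at the pod level. Add under the container, after `imagePullPolicy`: `securityContext:` / `{{- toYaml .Values.synapse.securityContext | nindent 12 }}`. Separately, `containerPort: 80` and the `/` probes were carried over from the nginx scaffold; the matrixdotorg/synapse image listens on 8008 by default, so with this port the readiness and liveness probes would presumably never succeed — confirm against the image and consider probing Synapse's `/health` endpoint on the real listener port.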
+++ b/charts/matrix/templates/synapse/service.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "matrix.fullname" . }}-synapse
+ labels:
+{{ include "matrix.labels" . | indent 4 }}
+spec:
+ type: {{ .Values.synapse.service.type }}
+ ports:
+ - port: {{ .Values.synapse.service.port }}
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ app.kubernetes.io/name: {{ include "matrix.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
diff --git a/charts/matrix/templates/tests/test-connection.yaml b/charts/matrix/templates/tests/test-connection.yaml
deleted file mode 100644
index e2e4382..0000000
--- a/charts/matrix/templates/tests/test-connection.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: "{{ include "matrix.fullname" . }}-test-connection"
- labels:
-{{ include "matrix.labels" . | nindent 4 }}
- annotations:
- "helm.sh/hook": test-success
-spec:
- containers:
- - name: wget
- image: busybox
- command: ['wget']
- args: ['{{ include "matrix.fullname" . }}:{{ .Values.service.port }}']
- restartPolicy: Never
diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml
index e098920..15b0eb8 100644
--- a/charts/matrix/values.yaml
+++ b/charts/matrix/values.yaml
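Review bot: The Service is now named `{{ include "matrix.fullname" . }}-synapse`, but ingress.yaml is not touched by this commit (it is absent from the diffstat) and still points its backend at `serviceName: {{ $fullName }}`, so enabling `ingress.enabled` would route to a Service that no longer exists; the ingress backend should be updated to the `-synapse` name in the same change. The selector also only matches `app.kubernetes.io/name` and `app.kubernetes.io/instance`, which every workload in this chart will share, so any later component (a database, a web client) would be selected as a Synapse backend; adding `app.kubernetes.io/component: synapse` to both the Deployment's pod labels and this selector keeps the routing scoped.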
@@ -2,38 +2,33 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. -replicaCount: 1 +# Synapse deployment configuration +synapse: + image: + repository: "matrixdotorg/synapse" + tag: latest + pullPolicy: IfNotPresent + service: + type: ClusterIP + port: 80 + replicaCount: 1 + podSecurityContext: {} + # fsGroup: 2000 + + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 -image: - repository: nginx - pullPolicy: IfNotPresent + resources: {} imagePullSecrets: [] nameOverride: "" fullnameOverride: "" -serviceAccount: - # Specifies whether a service account should be created - create: true - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: - -podSecurityContext: {} - # fsGroup: 2000 - -securityContext: {} - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true - # runAsUser: 1000 - -service: - type: ClusterIP - port: 80 - ingress: enabled: false annotations: {} @@ -46,21 +41,3 @@ ingress: # - secretName: chart-example-tls # hosts: # - chart-example.local - -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - -nodeSelector: {} - -tolerations: [] - -affinity: {} From 93054a850427f3790b56759c56a2d1a1849251c8 Mon Sep 17 00:00:00 2001 
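Review bot: `synapse.image.tag: latest` means every pod start pulls whatever matrixdotorg/synapse currently publishes, so releases are not reproducible, an upstream breaking change or registry compromise rolls out silently, and `pullPolicy: IfNotPresent` makes different nodes run different versions; pin a specific Synapse release tag, quoted so a tag like `1.7` is not parsed as a float, and bump it deliberately, e.g. `tag: "<pinned synapse release>"`. The `securityContext` block added here is a good default set, but note it is only useful once the Deployment template renders it for the container, which the template in this commit does not yet do.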
From: David Cruz Date: Wed, 4 Dec 2019 18:06:43 -0800 Subject: [PATCH 003/105] Add templating for most useful parts of homeserver.yaml --- .../matrix/templates/synapse/_homeserver.yaml | 1596 +++++++++++++++++ .../matrix/templates/synapse/configmap.yaml | 9 + .../matrix/templates/synapse/deployment.yaml | 11 + charts/matrix/values.yaml | 128 +- 4 files changed, 1739 insertions(+), 5 deletions(-) create mode 100644 charts/matrix/templates/synapse/_homeserver.yaml create mode 100644 charts/matrix/templates/synapse/configmap.yaml diff --git a/charts/matrix/templates/synapse/_homeserver.yaml b/charts/matrix/templates/synapse/_homeserver.yaml new file mode 100644 index 0000000..22b1fca --- /dev/null +++ b/charts/matrix/templates/synapse/_homeserver.yaml 
@@ -0,0 +1,1596 @@ +{{- define "homeserver.yaml" }} +## Server ## + +# The domain name of the server, with optional explicit port. +# This is used by remote servers to connect to this server, +# e.g. matrix.org, localhost:8080, etc. +# This is also the last part of your UserID. +# +server_name: {{ .Values.matrix.serverName }} + +# When running as a daemon, the file to store the pid in +# +pid_file: /data/homeserver.pid + +# The path to the web client which will be served at /_matrix/client/ +# if 'webclient' is configured under the 'listeners' configuration. +# +#web_client_location: "/path/to/web/root" + +# The public-facing base URL that clients use to access this HS +# (not including _matrix/...). This is the same URL a user would +# enter into the 'custom HS URL' field on their client. If you +# use synapse with a reverse proxy, this should be the URL to reach +# synapse via the proxy. +# +{{- if .Values.matrix.baseUrl }} +public_baseurl: {{ .Values.matrix.baseUrl }} +{{- else }} +public_baseurl: {{ (index .Values.ingress.hosts 0).host }} +{{- end }} +# Set the soft limit on the number of file descriptors synapse can use +# Zero is used to indicate synapse should set the soft limit to the +# hard limit. +# +#soft_file_limit: 0 + +# Set to false to disable presence tracking on this homeserver. +# +use_presence: {{ .Values.matrix.enablePresence }} + +# Whether to require authentication to retrieve profile data (avatars, +# display names) of other users through the client API. Defaults to +# 'false'. Note that profile data is also available via the federation +# API, so this setting is of limited value if federation is enabled on +# the server. +# +#require_auth_for_profile_requests: true + +# If set to 'false', requires authentication to access the server's public rooms +# directory through the client API. Defaults to 'true'. 
+# +#allow_public_rooms_without_auth: false + +# If set to 'false', forbids any other homeserver to fetch the server's public +# rooms directory via federation. Defaults to 'true'. +# +allow_public_rooms_over_federation: {{ and .Values.matrix.federation.enabled .Values.matrix.federation.allowPublicRooms }} + +# The default room version for newly created rooms. +# +# Known room versions are listed here: +# https://matrix.org/docs/spec/#complete-list-of-room-versions +# +# For example, for room version 1, default_room_version should be set +# to "1". +# +#default_room_version: "5" + +# The GC threshold parameters to pass to `gc.set_threshold`, if defined +# +#gc_thresholds: [700, 10, 10] + +# Set the limit on the returned events in the timeline in the get +# and sync operations. The default value is -1, means no upper limit. +# +#filter_timeline_limit: 5000 + +# Whether room invites to users on this server should be blocked +# (except those sent by local server admins). The default is False. +# +block_non_admin_invites: {{ .Values.matrix.blockNonAdminInvites }} + +# Room searching +# +# If disabled, new messages will not be indexed for searching and users +# will receive errors when searching for messages. Defaults to enabled. +# +enable_search: {{ .Values.matrix.enableSearch }} + +# Restrict federation to the following whitelist of domains. +# N.B. we recommend also firewalling your federation listener to limit +# inbound federation traffic as early as possible, rather than relying +# purely on this application-layer restriction. If not specified, the +# default is to whitelist everything. + +{{- if .Values.matrix.federation.whitelist }} +federation_domain_whitelist: + {{- range .Values.matrix.federation.whitelist }} + - {{ . }} + {{- end }} +{{- end}} + +# Prevent federation requests from being sent to the following +# blacklist IP address CIDR ranges. If this option is not specified, or +# specified with an empty list, no ip range blacklist will be enforced. 
+# +# As of Synapse v1.4.0 this option also affects any outbound requests to identity +# servers provided by user input. +# +# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly +# listed here, since they correspond to unroutable addresses.) + +federation_ip_range_blacklist: +{{- range .Values.matrix.federation.blacklist }} + - {{ . }} +{{- end }} + +# List of ports that Synapse should listen on, their purpose and their +# configuration. +# +# Options for each listener include: +# +# port: the TCP port to bind to +# +# bind_addresses: a list of local addresses to listen on. The default is +# 'all local interfaces'. +# +# type: the type of listener. Normally 'http', but other valid options are: +# 'manhole' (see docs/manhole.md), +# 'metrics' (see docs/metrics-howto.md), +# 'replication' (see docs/workers.md). +# +# tls: set to true to enable TLS for this listener. Will use the TLS +# key/cert specified in tls_private_key_path / tls_certificate_path. +# +# x_forwarded: Only valid for an 'http' listener. Set to true to use the +# X-Forwarded-For header as the client IP. Useful when Synapse is +# behind a reverse-proxy. +# +# resources: Only valid for an 'http' listener. A list of resources to host +# on this port. Options for each resource are: +# +# names: a list of names of HTTP resources. See below for a list of +# valid resource names. +# +# compress: set to true to enable HTTP comression for this resource. +# +# additional_resources: Only valid for an 'http' listener. A map of +# additional endpoints which should be loaded via dynamic modules. +# +# Valid resource names are: +# +# client: the client-server API (/_matrix/client), and the synapse admin +# API (/_synapse/admin). Also implies 'media' and 'static'. +# +# consent: user consent forms (/_matrix/consent). See +# docs/consent_tracking.md. +# +# federation: the server-server API (/_matrix/federation). 
Also implies +# 'media', 'keys', 'openid' +# +# keys: the key discovery API (/_matrix/keys). +# +# media: the media API (/_matrix/media). +# +# metrics: the metrics interface. See docs/metrics-howto.md. +# +# openid: OpenID authentication. +# +# replication: the HTTP replication API (/_synapse/replication). See +# docs/workers.md. +# +# static: static resources under synapse/static (/_matrix/static). (Mostly +# useful for 'fallback authentication'.) +# +# webclient: A web client. Requires web_client_location to be set. +# +listeners: + # TLS-enabled listener: for when matrix traffic is sent directly to synapse. + # + # Disabled by default. To enable it, uncomment the following. (Note that you + # will also need to give Synapse a TLS key and certificate: see the TLS section + # below.) + # + #- port: 8448 + # type: http + # tls: true + # resources: + # - names: [client, federation] + + # Unsecure HTTP listener: for when matrix traffic passes through a reverse proxy + # that unwraps TLS. + # + # If you plan to use a reverse proxy, please see + # https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md. + # + - port: 8008 + tls: false + type: http + x_forwarded: true + bind_addresses: ['::1', '127.0.0.1'] + + resources: + - names: [client, federation] + compress: false + + # example additional_resources: + # + #additional_resources: + # "/_matrix/my/custom/endpoint": + # module: my_module.CustomRequestHandler + # config: {} + + # Turn on the twisted ssh manhole service on localhost on the given + # port. 
+ # + #- port: 9000 + # bind_addresses: ['::1', '127.0.0.1'] + # type: manhole + + +## Homeserver blocking ## + +# How to reach the server admin, used in ResourceLimitError + +admin_contact: 'mailto:{{ .Values.matrix.adminEmail }}' + +# Global blocking +# +hs_disabled: {{ .Values.matrix.disabled }} +hs_disabled_message: {{ .Values.matrix.disabledMessage }} + +# Monthly Active User Blocking +# +# Used in cases where the admin or server owner wants to limit to the +# number of monthly active users. +# +# 'limit_usage_by_mau' disables/enables monthly active user blocking. When +# anabled and a limit is reached the server returns a 'ResourceLimitError' +# with error type Codes.RESOURCE_LIMIT_EXCEEDED +# +# 'max_mau_value' is the hard limit of monthly active users above which +# the server will start blocking user actions. +# +# 'mau_trial_days' is a means to add a grace period for active users. It +# means that users must be active for this number of days before they +# can be considered active and guards against the case where lots of users +# sign up in a short space of time never to return after their initial +# session. +# +# 'mau_limit_alerting' is a means of limiting client side alerting +# should the mau limit be reached. This is useful for small instances +# where the admin has 5 mau seats (say) for 5 specific people and no +# interest increasing the mau limit further. Defaults to True, which +# means that alerting is enabled +# +#limit_usage_by_mau: false +#max_mau_value: 50 +#mau_trial_days: 2 +#mau_limit_alerting: false + +# If enabled, the metrics for the number of monthly active users will +# be populated, however no one will be limited. If limit_usage_by_mau +# is true, this is implied to be true. +# +#mau_stats_only: false + +# Sometimes the server admin will want to ensure certain accounts are +# never blocked by mau checking. These accounts are specified here. 
+#
+#mau_limit_reserved_threepids:
+# - medium: 'email'
+# address: 'reserved_user@example.com'
+
+# Used by phonehome stats to group together related servers.
+#server_context: context
+
+# Resource-constrained homeserver Settings
+#
+# If limit_remote_rooms.enabled is True, the room complexity will be
+# checked before a user joins a new remote room. If it is above
+# limit_remote_rooms.complexity, it will disallow joining or
+# instantly leave.
+#
+# limit_remote_rooms.complexity_error can be set to customise the text
+# displayed to the user when a room above the complexity threshold has
+# its join cancelled.
+#
+# Uncomment the below lines to enable:
+#limit_remote_rooms:
+# enabled: true
+# complexity: 1.0
+# complexity_error: "This room is too complex."
+
+# Whether to require a user to be in the room to add an alias to it.
+# Defaults to 'true'.
+#
+#require_membership_for_aliases: false
+
+# Whether to allow per-room membership profiles through the send of membership
+# events with profile information that differ from the target's global profile.
+# Defaults to 'true'.
+#
+#allow_per_room_profiles: false
+
+# How long to keep redacted events in unredacted form in the database. After
+# this period redacted events get replaced with their redacted form in the DB.
+#
+# Defaults to `7d`. Set to `null` to disable.
+
+redaction_retention_period: {{ .Values.matrix.retentionPeriod | default "null" }}
+
+# How long to track users' last seen time and IPs in the database.
+#
+# Defaults to `28d`. Set to `null` to disable clearing out of old rows.
+#
+#user_ips_max_age: 14d
+
+
+## TLS ##
+
+# PEM-encoded X509 certificate for TLS.
+# This certificate, as of Synapse 1.0, will need to be a valid and verifiable
+# certificate, signed by a recognised Certificate Authority.
+#
+# See 'ACME support' below to enable auto-provisioning this certificate via
+# Let's Encrypt.
+#
+# If supplying your own, be sure to use a `.pem` file that includes the
+# full certificate chain including any intermediate certificates (for
+# instance, if using certbot, use `fullchain.pem` as your certificate,
+# not `cert.pem`).
+#
+#tls_certificate_path: "/synapse/conf/example.com.tls.crt"
+
+# PEM-encoded private key for TLS
+#
+#tls_private_key_path: "/synapse/conf/example.com.tls.key"
+
+# Whether to verify TLS server certificates for outbound federation requests.
+#
+# Defaults to `true`. To disable certificate verification, uncomment the
+# following line.
+#
+#federation_verify_certificates: false
+
+# The minimum TLS version that will be used for outbound federation requests.
+#
+# Defaults to `1`. Configurable to `1`, `1.1`, `1.2`, or `1.3`. Note
+# that setting this value higher than `1.2` will prevent federation to most
+# of the public Matrix network: only configure it to `1.3` if you have an
+# entirely private federation setup and you can ensure TLS 1.3 support.
+#
+#federation_client_minimum_tls_version: 1.2
+
+# Skip federation certificate verification on the following whitelist
+# of domains.
+#
+# This setting should only be used in very specific cases, such as
+# federation over Tor hidden services and similar. For private networks
+# of homeservers, you likely want to use a private CA instead.
+#
+# Only effective if federation_verify_certicates is `true`.
+#
+#federation_certificate_verification_whitelist:
+# - lon.example.com
+# - *.domain.com
+# - *.onion
+
+# List of custom certificate authorities for federation traffic.
+#
+# This setting should only normally be used within a private network of
+# homeservers.
+#
+# Note that this list will replace those that are provided by your
+# operating environment. Certificates must be in PEM format.
+#
+#federation_custom_ca_list:
+# - myCA1.pem
+# - myCA2.pem
+# - myCA3.pem
+
+# ACME support: This will configure Synapse to request a valid TLS certificate
+# for your configured `server_name` via Let's Encrypt.
+#
+# Note that provisioning a certificate in this way requires port 80 to be
+# routed to Synapse so that it can complete the http-01 ACME challenge.
+# By default, if you enable ACME support, Synapse will attempt to listen on
+# port 80 for incoming http-01 challenges - however, this will likely fail
+# with 'Permission denied' or a similar error.
+#
+# There are a couple of potential solutions to this:
+#
+# * If you already have an Apache, Nginx, or similar listening on port 80,
+# you can configure Synapse to use an alternate port, and have your web
+# server forward the requests. For example, assuming you set 'port: 8009'
+# below, on Apache, you would write:
+#
+# ProxyPass /.well-known/acme-challenge http://localhost:8009/.well-known/acme-challenge
+#
+# * Alternatively, you can use something like `authbind` to give Synapse
+# permission to listen on port 80.
+#
+acme:
+ # ACME support is disabled by default. Set this to `true` and uncomment
+ # tls_certificate_path and tls_private_key_path above to enable it.
+ #
+ enabled: false
+
+ # Endpoint to use to request certificates. If you only want to test,
+ # use Let's Encrypt's staging url:
+ # https://acme-staging.api.letsencrypt.org/directory
+ #
+ #url: https://acme-v01.api.letsencrypt.org/directory
+
+ # Port number to listen on for the HTTP-01 challenge. Change this if
+ # you are forwarding connections through Apache/Nginx/etc.
+ #
+ port: 80
+
+ # Local addresses to listen on for incoming connections.
+ # Again, you may want to change this if you are forwarding connections
+ # through Apache/Nginx/etc.
+ #
+ bind_addresses: ['::', '0.0.0.0']
+
+ # How many days remaining on a certificate before it is renewed.
+ #
+ reprovision_threshold: 30
+
+ # The domain that the certificate should be for. Normally this
+ # should be the same as your Matrix domain (i.e., 'server_name'), but,
+ # by putting a file at 'https:///.well-known/matrix/server',
+ # you can delegate incoming traffic to another server. If you do that,
+ # you should give the target of the delegation here.
+ #
+ # For example: if your 'server_name' is 'example.com', but
+ # 'https://example.com/.well-known/matrix/server' delegates to
+ # 'matrix.example.com', you should put 'matrix.example.com' here.
+ #
+ # If not set, defaults to your 'server_name'.
+ #
+ domain: matrix.example.com
+
+ # file to use for the account key. This will be generated if it doesn't
+ # exist.
+ #
+ # If unspecified, we will use /synapse/conf/client.key.
+ #
+ account_key_file: /data/acme_account.key
+
+# List of allowed TLS fingerprints for this server to publish along
+# with the signing keys for this server. Other matrix servers that
+# make HTTPS requests to this server will check that the TLS
+# certificates returned by this server match one of the fingerprints.
+#
+# Synapse automatically adds the fingerprint of its own certificate
+# to the list. So if federation traffic is handled directly by synapse
+# then no modification to the list is required.
+#
+# If synapse is run behind a load balancer that handles the TLS then it
+# will be necessary to add the fingerprints of the certificates used by
+# the loadbalancers to this list if they are different to the one
+# synapse is using.
+#
+# Homeservers are permitted to cache the list of TLS fingerprints
+# returned in the key responses up to the "valid_until_ts" returned in
+# key. It may be necessary to publish the fingerprints of a new
+# certificate and wait until the "valid_until_ts" of the previous key
+# responses have passed before deploying it.
+#
+# You can calculate a fingerprint from a given TLS listener via:
+# openssl s_client -connect $host:$port < /dev/null 2> /dev/null |
+# openssl x509 -outform DER | openssl sha256 -binary | base64 | tr -d '='
+# or by checking matrix.org/federationtester/api/report?server_name=$host
+#
+#tls_fingerprints: [{"sha256": ""}]
+
+
+
+## Database ##
+
+database:
+ # The database engine name
+ name: "sqlite3"
+ # Arguments to pass to the engine
+ args:
+ # Path to the database
+ database: "/data/homeserver.db"
+
+# Number of events to cache in memory.
+#
+#event_cache_size: 10K
+
+
+## Logging ##
+
+# A yaml python logging config file as described by
+# https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema
+#
+log_config: "/data/{{ .Values.matrix.serverName }}.log.config"
+
+
+## Ratelimiting ##
+
+# Ratelimiting settings for client actions (registration, login, messaging).
+#
+# Each ratelimiting configuration is made of two parameters:
+# - per_second: number of requests a client can send per second.
+# - burst_count: number of requests a client can send before being throttled.
+#
+# Synapse currently uses the following configurations:
+# - one for messages that ratelimits sending based on the account the client
+# is using
+# - one for registration that ratelimits registration requests based on the
+# client's IP address.
+# - one for login that ratelimits login requests based on the client's IP
+# address.
+# - one for login that ratelimits login requests based on the account the
+# client is attempting to log into.
+# - one for login that ratelimits login requests based on the account the
+# client is attempting to log into, based on the amount of failed login
+# attempts for this account.
+# - one for ratelimiting redactions by room admins. If this is not explicitly
+# set then it uses the same ratelimiting as per rc_message. This is useful
+# to allow room admins to deal with abuse quickly.
+#
+# The defaults are as shown below.
+#
+#rc_message:
+# per_second: 0.2
+# burst_count: 10
+#
+#rc_registration:
+# per_second: 0.17
+# burst_count: 3
+#
+#rc_login:
+# address:
+# per_second: 0.17
+# burst_count: 3
+# account:
+# per_second: 0.17
+# burst_count: 3
+# failed_attempts:
+# per_second: 0.17
+# burst_count: 3
+#
+#rc_admin_redaction:
+# per_second: 1
+# burst_count: 50
+
+
+# Ratelimiting settings for incoming federation
+#
+# The rc_federation configuration is made up of the following settings:
+# - window_size: window size in milliseconds
+# - sleep_limit: number of federation requests from a single server in
+# a window before the server will delay processing the request.
+# - sleep_delay: duration in milliseconds to delay processing events
+# from remote servers by if they go over the sleep limit.
+# - reject_limit: maximum number of concurrent federation requests
+# allowed from a single server
+# - concurrent: number of federation requests to concurrently process
+# from a single server
+#
+# The defaults are as shown below.
+#
+#rc_federation:
+# window_size: 1000
+# sleep_limit: 10
+# sleep_delay: 500
+# reject_limit: 50
+# concurrent: 3
+
+# Target outgoing federation transaction frequency for sending read-receipts,
+# per-room.
+#
+# If we end up trying to send out more read-receipts, they will get buffered up
+# into fewer transactions.
+#
+#federation_rr_transactions_per_room_per_second: 50
+
+
+
+## Media Store ##
+
+# Enable the media store service in the Synapse master. Uncomment the
+# following if you are using a separate media store worker.
+#
+#enable_media_repo: false
+
+# Directory where uploaded images and attachments are stored.
+#
+media_store_path: "/data/media_store"
+
+# Media storage providers allow media to be stored in different
+# locations.
+#
+#media_storage_providers:
+# - module: file_system
+# # Whether to write new local files.
+# store_local: false
+# # Whether to write new remote media
+# store_remote: false
+# # Whether to block upload requests waiting for write to this
+# # provider to complete
+# store_synchronous: false
+# config:
+# directory: /mnt/some/other/directory
+
+# Directory where in-progress uploads are stored.
+#
+uploads_path: "/data/uploads"
+
+# The largest allowed upload size in bytes
+
+max_upload_size: {{ .Values.matrix.uploads.maxSize }}
+
+# Maximum number of pixels that will be thumbnailed
+
+max_image_pixels: {{ .Values.matrix.uploads.maxPixels }}
+
+# Whether to generate new thumbnails on the fly to precisely match
+# the resolution requested by the client. If true then whenever
+# a new resolution is requested by the client the server will
+# generate a new thumbnail. If false the server will pick a thumbnail
+# from a precalculated list.
+#
+#dynamic_thumbnails: false
+
+# List of thumbnails to precalculate when an image is uploaded.
+#
+#thumbnail_sizes:
+# - width: 32
+# height: 32
+# method: crop
+# - width: 96
+# height: 96
+# method: crop
+# - width: 320
+# height: 240
+# method: scale
+# - width: 640
+# height: 480
+# method: scale
+# - width: 800
+# height: 600
+# method: scale
+
+# Is the preview URL API enabled?
+#
+# 'false' by default: uncomment the following to enable it (and specify a
+# url_preview_ip_range_blacklist blacklist).
+#
+url_preview_enabled: {{ .Values.matrix.urlPreviews.enabled }}
+
+# List of IP address CIDR ranges that the URL preview spider is denied
+# from accessing. There are no defaults: you must explicitly
+# specify a list for URL previewing to work. You should specify any
+# internal services in your network that you do not want synapse to try
+# to connect to, otherwise anyone in any Matrix room could cause your
+# synapse to issue arbitrary GET requests to your internal services,
+# causing serious security issues.
+#
+# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly
+# listed here, since they correspond to unroutable addresses.)
+#
+# This must be specified if url_preview_enabled is set. It is recommended that
+# you uncomment the following list as a starting point.
+
+{{- if .Values.matrix.urlPreviews.rules.ip.blacklist }}
+url_preview_ip_range_blacklist:
+ {{- range .Values.matrix.urlPreviews.rules.ip.blacklist }}
+ - {{ . }}
+ {{- end }}
+{{- end }}
+
+# List of IP address CIDR ranges that the URL preview spider is allowed
+# to access even if they are specified in url_preview_ip_range_blacklist.
+# This is useful for specifying exceptions to wide-ranging blacklisted
+# target IP ranges - e.g. for enabling URL previews for a specific private
+# website only visible in your network.
+
+{{- if .Values.matrix.urlPreviews.rules.ip.whitelist }}
+url_preview_ip_range_whitelist:
+ {{- range .Values.matrix.urlPreviews.rules.ip.whitelist}}
+ - {{ . }}
+ {{- end }}
+{{- end }}
+
+# Optional list of URL matches that the URL preview spider is
+# denied from accessing. You should use url_preview_ip_range_blacklist
+# in preference to this, otherwise someone could define a public DNS
+# entry that points to a private IP address and circumvent the blacklist.
+# This is more useful if you know there is an entire shape of URL that
+# you know that will never want synapse to try to spider.
+#
+# Each list entry is a dictionary of url component attributes as returned
+# by urlparse.urlsplit as applied to the absolute form of the URL. See
+# https://docs.python.org/2/library/urlparse.html#urlparse.urlsplit
+# The values of the dictionary are treated as an filename match pattern
+# applied to that component of URLs, unless they start with a ^ in which
+# case they are treated as a regular expression match. If all the
+# specified component matches for a given list item succeed, the URL is
+# blacklisted.
+
+{{- if .Values.matrix.urlPreviews.rules.url.blacklist }}
+url_preview_url_blacklist:
+{{ include .Values.matrix.urlPreviews.rules.url.blacklist . | nindent 2 }}
+{{- end }}
+
+# The largest allowed URL preview spidering size in bytes
+
+max_spider_size: {{ .Values.matrix.urlPreviews.rules.maxSize }}
+
+## Captcha ##
+# See docs/CAPTCHA_SETUP for full details of configuring this.
+
+# This homeserver's ReCAPTCHA public key.
+#
+#recaptcha_public_key: "YOUR_PUBLIC_KEY"
+
+# This homeserver's ReCAPTCHA private key.
+#
+#recaptcha_private_key: "YOUR_PRIVATE_KEY"
+
+# Enables ReCaptcha checks when registering, preventing signup
+# unless a captcha is answered. Requires a valid ReCaptcha
+# public/private key.
+#
+#enable_registration_captcha: false
+
+# A secret key used to bypass the captcha test entirely.
+#
+#captcha_bypass_secret: "YOUR_SECRET_HERE"
+
+# The API endpoint to use for verifying m.login.recaptcha responses.
+#
+#recaptcha_siteverify_api: "https://www.recaptcha.net/recaptcha/api/siteverify"
+
+
+## TURN ##
+
+# The public URIs of the TURN server to give to clients
+#
+#turn_uris: []
+
+# The shared secret used to compute passwords for the TURN server
+#
+#turn_shared_secret: "YOUR_SHARED_SECRET"
+
+# The Username and password if the TURN server needs them and
+# does not use a token
+#
+#turn_username: "TURNSERVER_USERNAME"
+#turn_password: "TURNSERVER_PASSWORD"
+
+# How long generated TURN credentials last
+#
+#turn_user_lifetime: 1h
+
+# Whether guests should be allowed to use the TURN server.
+# This defaults to True, otherwise VoIP will be unreliable for guests.
+# However, it does introduce a slight security risk as it allows users to
+# connect to arbitrary endpoints without having first signed up for a
+# valid account (e.g. by passing a CAPTCHA).
+#
+#turn_allow_guests: true
+
+
+## Registration ##
+#
+# Registration can be rate-limited using the parameters in the "Ratelimiting"
+# section of this file.
+
+# Enable registration for new users.
+#
+enable_registration: {{ .Values.matrix.registration.enabled }}
+
+# Optional account validity configuration. This allows for accounts to be denied
+# any request after a given period.
+#
+# ``enabled`` defines whether the account validity feature is enabled. Defaults
+# to False.
+#
+# ``period`` allows setting the period after which an account is valid
+# after its registration. When renewing the account, its validity period
+# will be extended by this amount of time. This parameter is required when using
+# the account validity feature.
+#
+# ``renew_at`` is the amount of time before an account's expiry date at which
+# Synapse will send an email to the account's email address with a renewal link.
+# This needs the ``email`` and ``public_baseurl`` configuration sections to be
+# filled.
+#
+# ``renew_email_subject`` is the subject of the email sent out with the renewal
+# link. ``%(app)s`` can be used as a placeholder for the ``app_name`` parameter
+# from the ``email`` section.
+#
+# Once this feature is enabled, Synapse will look for registered users without an
+# expiration date at startup and will add one to every account it found using the
+# current settings at that time.
+# This means that, if a validity period is set, and Synapse is restarted (it will
+# then derive an expiration date from the current validity period), and some time
+# after that the validity period changes and Synapse is restarted, the users'
+# expiration dates won't be updated unless their account is manually renewed. This
+# date will be randomly selected within a range [now + period - d ; now + period],
+# where d is equal to 10% of the validity period.
+#
+#account_validity:
+# enabled: true
+# period: 6w
+# renew_at: 1w
+# renew_email_subject: "Renew your %(app)s account"
+# # Directory in which Synapse will try to find the HTML files to serve to the
+# # user when trying to renew an account. Optional, defaults to
+# # synapse/res/templates.
+# template_dir: "res/templates"
+# # HTML to be displayed to the user after they successfully renewed their
+# # account. Optional.
+# account_renewed_html_path: "account_renewed.html"
+# # HTML to be displayed when the user tries to renew an account with an invalid
+# # renewal token. Optional.
+# invalid_token_html_path: "invalid_token.html"
+
+# Time that a user's session remains valid for, after they log in.
+#
+# Note that this is not currently compatible with guest logins.
+#
+# Note also that this is calculated at login time: changes are not applied
+# retrospectively to users who have already logged in.
+#
+# By default, this is infinite.
+#
+#session_lifetime: 24h
+
+# The user must provide all of the below types of 3PID when registering.
+
+{{- if .Values.matrix.registration.required3Pids }}
+registrations_require_3pid:
+ {{- range .Values.matrix.registration.required3Pids }}
+ - {{ . }}
+ {{- end }}
+{{- end }}
+
+# Explicitly disable asking for MSISDNs from the registration
+# flow (overrides registrations_require_3pid if MSISDNs are set as required)
+#
+#disable_msisdn_registration: true
+
+# Mandate that users are only allowed to associate certain formats of
+# 3PIDs with accounts on this server.
+#
+#allowed_local_3pids:
+# - medium: email
+# pattern: '.*@matrix\.org'
+# - medium: email
+# pattern: '.*@vector\.im'
+# - medium: msisdn
+# pattern: '\+44'
+
+# Enable 3PIDs lookup requests to identity servers from this server.
+#
+#enable_3pid_lookup: true
+
+# If set, allows registration of standard or admin accounts by anyone who
+# has the shared secret, even if registration is otherwise disabled.
+#
+# registration_shared_secret:
+
+# Set the number of bcrypt rounds used to generate password hash.
+# Larger numbers increase the work factor needed to generate the hash.
+# The default number is 12 (which equates to 2^12 rounds).
+# N.B. that increasing this will exponentially increase the time required
+# to register or login - e.g.
24 => 2^24 rounds which will take >20 mins.
+#
+#bcrypt_rounds: 12
+
+# Allows users to register as guests without a password/email/etc, and
+# participate in rooms hosted on this server which have been made
+# accessible to anonymous users.
+
+allow_guest_access: {{ .Values.matrix.registration.allowGuests }}
+
+# The identity server which we suggest that clients should use when users log
+# in on this server.
+#
+# (By default, no suggestion is made, so it is left up to the client.
+# This setting is ignored unless public_baseurl is also set.)
+#
+#default_identity_server: https://matrix.org
+
+# The list of identity servers trusted to verify third party
+# identifiers by this server.
+#
+# Also defines the ID server which will be called when an account is
+# deactivated (one will be picked arbitrarily).
+#
+# Note: This option is deprecated. Since v0.99.4, Synapse has tracked which identity
+# server a 3PID has been bound to. For 3PIDs bound before then, Synapse runs a
+# background migration script, informing itself that the identity server all of its
+# 3PIDs have been bound to is likely one of the below.
+#
+# As of Synapse v1.4.0, all other functionality of this option has been deprecated, and
+# it is now solely used for the purposes of the background migration script, and can be
+# removed once it has run.
+#trusted_third_party_id_servers:
+# - matrix.org
+# - vector.im
+
+# Handle threepid (email/phone etc) registration and password resets through a set of
+# *trusted* identity servers. Note that this allows the configured identity server to
+# reset passwords for accounts!
+#
+# Be aware that if `email` is not set, and SMTP options have not been
+# configured in the email config block, registration and user password resets via
+# email will be globally disabled.
+#
+# Additionally, if `msisdn` is not set, registration and password resets via msisdn
+# will be disabled regardless.
This is due to Synapse currently not supporting any
+# method of sending SMS messages on its own.
+#
+# To enable using an identity server for operations regarding a particular third-party
+# identifier type, set the value to the URL of that identity server as shown in the
+# examples below.
+#
+# Servers handling the these requests must answer the `/requestToken` endpoints defined
+# by the Matrix Identity Service API specification:
+# https://matrix.org/docs/spec/identity_service/latest
+#
+# If a delegate is specified, the config option public_baseurl must also be filled out.
+#
+account_threepid_delegates:
+#email: https://example.com # Delegate email sending to example.com
+#msisdn: http://localhost:8090 # Delegate SMS sending to this local process
+
+# Users who register on this homeserver will automatically be joined
+# to these rooms
+
+{{- if not (empty .Values.matrix.autoJoinRooms) }}
+auto_join_rooms:
+ {{- range .Values.matrix.autoJoinRooms }}
+ - {{ . }}
+ {{- end }}
+{{- end }}
+
+# Where auto_join_rooms are specified, setting this flag ensures that the
+# the rooms exist by creating them when the first user on the
+# homeserver registers.
+# Setting to false means that if the rooms are not manually created,
+# users cannot be auto-joined since they do not exist.
+#
+#autocreate_auto_join_rooms: true
+
+
+## Metrics ###
+
+# Enable collection and rendering of performance metrics
+#
+#enable_metrics: false
+
+# Enable sentry integration
+# NOTE: While attempts are made to ensure that the logs don't contain
+# any sensitive information, this cannot be guaranteed. By enabling
+# this option the sentry server may therefore receive sensitive
+# information, and it in turn may then diseminate sensitive information
+# through insecure notification channels if so configured.
+#
+#sentry:
+# dsn: "..."
+
+# Flags to enable Prometheus metrics which are not suitable to be
+# enabled by default, either for performance reasons or limited use.
+#
+metrics_flags:
+# Publish synapse_federation_known_servers, a g auge of the number of
+# servers this homeserver knows about, including itself. May cause
+# performance problems on large homeservers.
+#
+#known_servers: true
+
+# Whether or not to report anonymized homeserver usage statistics.
+report_stats: {{ .Values.matrix.telemetry }}
+
+# The endpoint to report the anonymized homeserver usage statistics to.
+# Defaults to https://matrix.org/report-usage-stats/push
+#
+#report_stats_endpoint: https://example.com/report-usage-stats/push
+
+
+## API Configuration ##
+
+# A list of event types that will be included in the room_invite_state
+#
+#room_invite_state_types:
+# - "m.room.join_rules"
+# - "m.room.canonical_alias"
+# - "m.room.avatar"
+# - "m.room.encryption"
+# - "m.room.name"
+
+
+# A list of application service config files to use
+#
+#app_service_config_files:
+# - app_service_1.yaml
+# - app_service_2.yaml
+
+# Uncomment to enable tracking of application service IP addresses. Implicitly
+# enables MAU tracking for application service users.
+#
+#track_appservice_user_ips: true
+
+
+# a secret which is used to sign access tokens. If none is specified,
+# the registration_shared_secret is used, if one is given; otherwise,
+# a secret key is derived from the signing key.
+#
+# macaroon_secret_key:
+
+# a secret which is used to calculate HMACs for form values, to stop
+# falsification of values. Must be specified for the User Consent
+# forms to work.
+#
+# form_secret:
+
+## Signing Keys ##
+
+# Path to the signing key to sign messages with
+#
+signing_key_path: "/data/{{ .Values.matrix.serverName }}.signing.key"
+
+# The keys that the server used to sign messages with but won't use
+# to sign new messages. E.g. it has lost its private key
+#
+#old_signing_keys:
+# "ed25519:auto":
+# # Base64 encoded public key
+# key: "The public part of your old signing key."
+# # Millisecond POSIX timestamp when the key expired.
+# expired_ts: 123456789123
+
+# How long key response published by this server is valid for.
+# Used to set the valid_until_ts in /key/v2 APIs.
+# Determines how quickly servers will query to check which keys
+# are still valid.
+#
+#key_refresh_interval: 1d
+
+# The trusted servers to download signing keys from.
+#
+# When we need to fetch a signing key, each server is tried in parallel.
+#
+# Normally, the connection to the key server is validated via TLS certificates.
+# Additional security can be provided by configuring a `verify key`, which
+# will make synapse check that the response is signed by that key.
+#
+# This setting supercedes an older setting named `perspectives`. The old format
+# is still supported for backwards-compatibility, but it is deprecated.
+#
+# 'trusted_key_servers' defaults to matrix.org, but using it will generate a
+# warning on start-up. To suppress this warning, set
+# 'suppress_key_server_warning' to true.
+#
+# Options for each entry in the list include:
+#
+# server_name: the name of the server. required.
+#
+# verify_keys: an optional map from key id to base64-encoded public key.
+# If specified, we will check that the response is signed by at least
+# one of the given keys.
+#
+# accept_keys_insecurely: a boolean. Normally, if `verify_keys` is unset,
+# and federation_verify_certificates is not `true`, synapse will refuse
+# to start, because this would allow anyone who can spoof DNS responses
+# to masquerade as the trusted key server. If you know what you are doing
+# and are sure that your network environment provides a secure connection
+# to the key server, you can set this to `true` to override this
+# behaviour.
+#
+# An example configuration might look like:
+#
+#trusted_key_servers:
+# - server_name: "my_trusted_server.example.com"
+# verify_keys:
+# "ed25519:auto": "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr"
+# - server_name: "my_other_trusted_server.example.com"
+#
+
+# Uncomment the following to disable the warning that is emitted when the
+# trusted_key_servers include 'matrix.org'. See above.
+#
+#suppress_key_server_warning: true
+
+# The signing keys to use when acting as a trusted key server. If not specified
+# defaults to the server signing key.
+#
+# Can contain multiple keys, one per line.
+#
+#key_server_signing_keys_path: "key_server_signing_keys.key"
+
+
+# Enable SAML2 for registration and login. Uses pysaml2.
+#
+# At least one of `sp_config` or `config_path` must be set in this section to
+# enable SAML login.
+#
+# (You will probably also want to set the following options to `false` to
+# disable the regular login/registration flows:
+# * enable_registration
+# * password_config.enabled
+#
+# Once SAML support is enabled, a metadata file will be exposed at
+# https://:/_matrix/saml2/metadata.xml, which you may be able to
+# use to configure your SAML IdP with. Alternatively, you can manually configure
+# the IdP to use an ACS location of
+# https://:/_matrix/saml2/authn_response.
+#
+saml2_config:
+# `sp_config` is the configuration for the pysaml2 Service Provider.
+# See pysaml2 docs for format of config.
+#
+# Default values will be used for the 'entityid' and 'service' settings,
+# so it is not normally necessary to specify them unless you need to
+# override them.
+#
+#sp_config:
+# # point this to the IdP's metadata. You can use either a local file or
+# # (preferably) a URL.
+# metadata:
+# #local: ["saml2/idp.xml"]
+# remote:
+# - url: https://our_idp/metadata.xml
+#
+# # By default, the user has to go to our login page first.
If you'd like
+# # to allow IdP-initiated login, set 'allow_unsolicited: true' in a
+# # 'service.sp' section:
+# #
+# #service:
+# # sp:
+# # allow_unsolicited: true
+#
+# # The examples below are just used to generate our metadata xml, and you
+# # may well not need them, depending on your setup. Alternatively you
+# # may need a whole lot more detail - see the pysaml2 docs!
+#
+# description: ["My awesome SP", "en"]
+# name: ["Test SP", "en"]
+#
+# organization:
+# name: Example com
+# display_name:
+# - ["Example co", "en"]
+# url: "http://example.com"
+#
+# contact_person:
+# - given_name: Bob
+# sur_name: "the Sysadmin"
+# email_address": ["admin@example.com"]
+# contact_type": technical
+
+# Instead of putting the config inline as above, you can specify a
+# separate pysaml2 configuration file:
+#
+#config_path: "/synapse/conf/sp_conf.py"
+
+# the lifetime of a SAML session. This defines how long a user has to
+# complete the authentication process, if allow_unsolicited is unset.
+# The default is 5 minutes.
+#
+#saml_session_lifetime: 5m
+
+# The SAML attribute (after mapping via the attribute maps) to use to derive
+# the Matrix ID from. 'uid' by default.
+#
+#mxid_source_attribute: displayName
+
+# The mapping system to use for mapping the saml attribute onto a matrix ID.
+# Options include:
+# * 'hexencode' (which maps unpermitted characters to '=xx')
+# * 'dotreplace' (which replaces unpermitted characters with '.').
+# The default is 'hexencode'.
+#
+#mxid_mapping: dotreplace
+
+# In previous versions of synapse, the mapping from SAML attribute to MXID was
+# always calculated dynamically rather than stored in a table. For backwards-
+# compatibility, we will look for user_ids matching such a pattern before
+# creating a new account.
+#
+# This setting controls the SAML attribute which will be used for this
+# backwards-compatibility lookup. Typically it should be 'uid', but if the
+# attribute maps are changed, it may be necessary to change it.
+# +# The default is 'uid'. +# +#grandfathered_mxid_source_attribute: upn + + + +# Enable CAS for registration and login. +# +#cas_config: +# enabled: true +# server_url: "https://cas-server.com" +# service_url: "https://homeserver.domain.com:8448" +# #displayname_attribute: name +# #required_attributes: +# # name: value + + +# The JWT needs to contain a globally unique "sub" (subject) claim. +# +#jwt_config: +# enabled: true +# secret: "a secret" +# algorithm: "HS256" + + +password_config: +# Uncomment to disable password login +# +#enabled: false + +# Uncomment to disable authentication against the local password +# database. This is ignored if `enabled` is false, and is only useful +# if you have other password_providers. +# +#localdb_enabled: false + +# Uncomment and change to a secret random string for extra security. +# DO NOT CHANGE THIS AFTER INITIAL SETUP! +# +#pepper: "EVEN_MORE_SECRET" + + + +# Enable sending emails for password resets, notification events or +# account expiry notices +# +# If your SMTP server requires authentication, the optional smtp_user & +# smtp_pass variables should be used +# +#email: +# enable_notifs: false +# smtp_host: "localhost" +# smtp_port: 25 # SSL: 465, STARTTLS: 587 +# smtp_user: "exampleusername" +# smtp_pass: "examplepassword" +# require_transport_security: false +# notif_from: "Your Friendly %(app)s homeserver " +# app_name: Matrix +# +# # Enable email notifications by default +# # +# notif_for_new_users: true +# +# # Defining a custom URL for Riot is only needed if email notifications +# # should contain links to a self-hosted installation of Riot; when set +# # the "app_name" setting is ignored +# # +# riot_base_url: "http://localhost/riot" +# +# # Configure the time that a validation email or text message code +# # will expire after sending +# # +# # This is currently used for password resets +# # +# #validation_token_lifetime: 1h +# +# # Template directory. 
All template files should be stored within this +# # directory. If not set, default templates from within the Synapse +# # package will be used +# # +# # For the list of default templates, please see +# # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates +# # +# #template_dir: res/templates +# +# # Templates for email notifications +# # +# notif_template_html: notif_mail.html +# notif_template_text: notif_mail.txt +# +# # Templates for account expiry notices +# # +# expiry_template_html: notice_expiry.html +# expiry_template_text: notice_expiry.txt +# +# # Templates for password reset emails sent by the homeserver +# # +# #password_reset_template_html: password_reset.html +# #password_reset_template_text: password_reset.txt +# +# # Templates for registration emails sent by the homeserver +# # +# #registration_template_html: registration.html +# #registration_template_text: registration.txt +# +# # Templates for validation emails sent by the homeserver when adding an email to +# # your user account +# # +# #add_threepid_template_html: add_threepid.html +# #add_threepid_template_text: add_threepid.txt +# +# # Templates for password reset success and failure pages that a user +# # will see after attempting to reset their password +# # +# #password_reset_template_success_html: password_reset_success.html +# #password_reset_template_failure_html: password_reset_failure.html +# +# # Templates for registration success and failure pages that a user +# # will see after attempting to register using an email or phone +# # +# #registration_template_success_html: registration_success.html +# #registration_template_failure_html: registration_failure.html +# +# # Templates for success and failure pages that a user will see after attempting +# # to add an email or phone to their account +# # +# #add_threepid_success_html: add_threepid_success.html +# #add_threepid_failure_html: add_threepid_failure.html + + +#password_providers: +# - module: 
"ldap_auth_provider.LdapAuthProvider" +# config: +# enabled: true +# uri: "ldap://ldap.example.com:389" +# start_tls: true +# base: "ou=users,dc=example,dc=com" +# attributes: +# uid: "cn" +# mail: "email" +# name: "givenName" +# #bind_dn: +# #bind_password: +# #filter: "(objectClass=posixAccount)" + + + +# Clients requesting push notifications can either have the body of +# the message sent in the notification poke along with other details +# like the sender, or just the event ID and room ID (`event_id_only`). +# If clients choose the former, this option controls whether the +# notification request includes the content of the event (other details +# like the sender are still included). For `event_id_only` push, it +# has no effect. +# +# For modern android devices the notification content will still appear +# because it is loaded by the app. iPhone, however will send a +# notification saying only that a message arrived and who it came from. +# +#push: +# include_content: true + + +#spam_checker: +# module: "my_custom_project.SuperSpamChecker" +# config: +# example_option: 'things' + + +# Uncomment to allow non-server-admin users to create groups on this server +# +#enable_group_creation: true + +# If enabled, non server admins can only create groups with local parts +# starting with this prefix +# +#group_creation_prefix: "unofficial/" + + + +# User Directory configuration +# +# 'enabled' defines whether users can search the user directory. If +# false then empty responses are returned to all queries. Defaults to +# true. +# +# 'search_all_users' defines whether to search all users visible to your HS +# when searching the user directory, rather than limiting to users visible +# in public rooms. Defaults to false. 
If you set it True, you'll have to +# rebuild the user_directory search indexes, see +# https://github.com/matrix-org/synapse/blob/master/docs/user_directory.md +# +#user_directory: +# enabled: true +# search_all_users: false + + +# User Consent configuration +# +# for detailed instructions, see +# https://github.com/matrix-org/synapse/blob/master/docs/consent_tracking.md +# +# Parts of this section are required if enabling the 'consent' resource under +# 'listeners', in particular 'template_dir' and 'version'. +# +# 'template_dir' gives the location of the templates for the HTML forms. +# This directory should contain one subdirectory per language (eg, 'en', 'fr'), +# and each language directory should contain the policy document (named as +# '.html') and a success page (success.html). +# +# 'version' specifies the 'current' version of the policy document. It defines +# the version to be served by the consent resource if there is no 'v' +# parameter. +# +# 'server_notice_content', if enabled, will send a user a "Server Notice" +# asking them to consent to the privacy policy. The 'server_notices' section +# must also be configured for this to work. Notices will *not* be sent to +# guest users unless 'send_server_notice_to_guests' is set to true. +# +# 'block_events_error', if set, will block any attempts to send events +# until the user consents to the privacy policy. The value of the setting is +# used as the text of the error. +# +# 'require_at_registration', if enabled, will add a step to the registration +# process, similar to how captcha works. Users will be required to accept the +# policy before their account is created. +# +# 'policy_name' is the display name of the policy users will see when registering +# for an account. Has no effect unless `require_at_registration` is enabled. +# Defaults to "Privacy Policy". 
+# +#user_consent: +# template_dir: res/templates/privacy +# version: 1.0 +# server_notice_content: +# msgtype: m.text +# body: >- +# To continue using this homeserver you must review and agree to the +# terms and conditions at %(consent_uri)s +# send_server_notice_to_guests: true +# block_events_error: >- +# To continue using this homeserver you must review and agree to the +# terms and conditions at %(consent_uri)s +# require_at_registration: false +# policy_name: Privacy Policy +# + + + +# Local statistics collection. Used in populating the room directory. +# +# 'bucket_size' controls how large each statistics timeslice is. It can +# be defined in a human readable short form -- e.g. "1d", "1y". +# +# 'retention' controls how long historical statistics will be kept for. +# It can be defined in a human readable short form -- e.g. "1d", "1y". +# +# +#stats: +# enabled: true +# bucket_size: 1d +# retention: 1y + + +# Server Notices room configuration +# +# Uncomment this section to enable a room which can be used to send notices +# from the server to users. It is a special room which cannot be left; notices +# come from a special "notices" user id. +# +# If you uncomment this section, you *must* define the system_mxid_localpart +# setting, which defines the id of the user which will be used to send the +# notices. +# +# It's also possible to override the room name, the display name of the +# "notices" user, and the avatar for the user. +# +#server_notices: +# system_mxid_localpart: notices +# system_mxid_display_name: "Server Notices" +# system_mxid_avatar_url: "mxc://server.com/oumMVlgDnLYFaPVkExemNVVZ" +# room_name: "Server Notices" + + + +# Uncomment to disable searching the public room list. When disabled +# blocks searching local and remote room lists for local and remote +# users by always returning an empty list for all queries. +# +#enable_room_list_search: false + +# The `alias_creation` option controls who's allowed to create aliases +# on this server. 
+# +# The format of this option is a list of rules that contain globs that +# match against user_id, room_id and the new alias (fully qualified with +# server name). The action in the first rule that matches is taken, +# which can currently either be "allow" or "deny". +# +# Missing user_id/room_id/alias fields default to "*". +# +# If no rules match the request is denied. An empty list means no one +# can create aliases. +# +# Options for the rules include: +# +# user_id: Matches against the creator of the alias +# alias: Matches against the alias being created +# room_id: Matches against the room ID the alias is being pointed at +# action: Whether to "allow" or "deny" the request if the rule matches +# +# The default is: +# +#alias_creation_rules: +# - user_id: "*" +# alias: "*" +# room_id: "*" +# action: allow + +# The `room_list_publication_rules` option controls who can publish and +# which rooms can be published in the public room list. +# +# The format of this option is the same as that for +# `alias_creation_rules`. +# +# If the room has one or more aliases associated with it, only one of +# the aliases needs to match the alias rule. If there are no aliases +# then only rules with `alias: *` match. +# +# If no rules match the request is denied. An empty list means no one +# can publish rooms. +# +# Options for the rules include: +# +# user_id: Matches agaisnt the creator of the alias +# room_id: Matches against the room ID being published +# alias: Matches against any current local or canonical aliases +# associated with the room +# action: Whether to "allow" or "deny" the request if the rule matches +# +# The default is: +# +#room_list_publication_rules: +# - user_id: "*" +# alias: "*" +# room_id: "*" +# action: allow + + +# Server admins can define a Python module that implements extra rules for +# allowing or denying incoming events. In order to work, this module needs to +# override the methods defined in synapse/events/third_party_rules.py. 
+# +# This feature is designed to be used in closed federations only, where each +# participating server enforces the same rules. +# +#third_party_event_rules: +# module: "my_custom_project.SuperRulesSet" +# config: +# example_option: 'things' + + +## Opentracing ## + +# These settings enable opentracing, which implements distributed tracing. +# This allows you to observe the causal chains of events across servers +# including requests, key lookups etc., across any server running +# synapse or any other other services which supports opentracing +# (specifically those implemented with Jaeger). +# +opentracing: +# tracing is disabled by default. Uncomment the following line to enable it. +# +#enabled: true + +# The list of homeservers we wish to send and receive span contexts and span baggage. +# See docs/opentracing.rst +# This is a list of regexes which are matched against the server_name of the +# homeserver. +# +# By defult, it is empty, so no servers are matched. +# +#homeserver_whitelist: +# - ".*" + +# Jaeger can be configured to sample traces at different rates. +# All configuration options provided by Jaeger can be set here. +# Jaeger's configuration mostly related to trace sampling which +# is documented here: +# https://www.jaegertracing.io/docs/1.13/sampling/. +# +#jaeger_config: +# sampler: +# type: const +# param: 1 + +# Logging whether spans were started and reported +# +# logging: +# false +{{- end}} \ No newline at end of file diff --git a/charts/matrix/templates/synapse/configmap.yaml b/charts/matrix/templates/synapse/configmap.yaml new file mode 100644 index 0000000..1726b6e --- /dev/null +++ b/charts/matrix/templates/synapse/configmap.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "matrix.fullname" . }}-homeserver-yaml + labels: +{{ include "matrix.labels" . | nindent 4}} +data: + homeserver.yaml: | + {{ include "homeserver.yaml" . | nindent 4 }} 
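Review bot: The rendered `homeserver.yaml` is stored in a ConfigMap by this hunk, but the template it renders carries secret-valued settings (`password_config.pepper`, `email.smtp_pass`, `jwt_config.secret`, the LDAP `bind_password`), so as soon as any of those is populated the file is readable by anyone with `get configmaps` in the namespace, a weaker boundary than a Secret. Rendering it as `kind: Secret` with `stringData:` / `homeserver.yaml: |` keeps the same volume semantics and costs nothing now, while moving it later means changing every mount that references the ConfigMap name. A comment above `data:` stating that the config must never contain credentials would at least record the constraint if the ConfigMap is kept.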
diff --git a/charts/matrix/templates/synapse/deployment.yaml b/charts/matrix/templates/synapse/deployment.yaml index 476653c..b68bd31 100644 --- a/charts/matrix/templates/synapse/deployment.yaml +++ b/charts/matrix/templates/synapse/deployment.yaml @@ -12,6 +12,9 @@ spec: app.kubernetes.io/instance: {{ .Release.Name }} template: metadata: + annotations: + # re-roll deployment on homeserver.yaml change + checksum/homeserver-yaml: {{ include (print $.Template.BasePath "/synapse/configmap.yaml") . | sha256sum }} labels: app.kubernetes.io/name: {{ include "matrix.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} @@ -30,6 +33,10 @@ spec: - name: http containerPort: 80 protocol: TCP + volumeMounts: + - name: homeserver-yaml + mountPath: /data/homeserver.yaml + subPath: homeserver.yaml livenessProbe: httpGet: path: / @@ -42,3 +49,7 @@ spec: resources: {{- toYaml . | nindent 12 }} {{- end }} + volumes: + - name: homeserver-yaml + configMap: + name: {{ include "matrix.fullname" . }}-homeserver-yaml diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index 15b0eb8..0941041 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml 
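Review bot: The `homeserver-yaml` volumeMount added in the `@@ -30,6 +33,10 @@` hunk is writable from the container; a config file that is only read should carry `readOnly: true` so a compromised Synapse process cannot rewrite its own configuration in place. Kubernetes also does not refresh `subPath` projections when the ConfigMap changes, so the `checksum/homeserver-yaml` annotation in the first hunk is the only path by which new config reaches running pods; the comment there should say so, e.g. `# subPath mounts are never hot-reloaded; the checksum forces a rollout on change`. The Deployment's pod spec continues outside these hunks.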
@@ -2,6 +2,129 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. +# Runtime configuration for Synapse and settings related to the Matrix protocol +matrix: + # Domain name of the server + # This is not necessarily the host name where the service is reachable. In fact, you may want to omit any subdomains + # from this value as the server name set here will be the name of your homeserver in the fediverse, and will be the + # domain name at the end of every user's username + serverName: "example.com" + + # Enable anonymous telemetry to matrix.org + telemetry: false + + # URL where Synapse can be reached. + # This is *optional* if an Ingress is configured below. If baseUrl is unspecified, the first host of the + # Ingress will be used + # baseUrl: "matrix.example.com" + + # Set to false to disable presence (online/offline indicators) + presence: true + + # Set to true to block non-admins from inviting users to any rooms + blockNonAdminInvites: false + + # Set to false to disable message searching + search: true + + # Email address of the administrator + adminEmail: "admin@example.com" + + # Settings related to image and multimedia uploads + uploads: + # Max upload size in bytes + maxSize: 10M + + # Max image size in pixels + maxPixels: 32M + + # Settings related to federation + federation: + # Set to false to disable federation and run an isolated homeserver + enabled: true + + # Set to false to disallow members of other homeservers from fetching *public* rooms + allowPublicRooms: true + + # Whitelist of domains to federate with (comment for all domains except blacklisted) + # whitelist: [] + + # IP addresses to blacklist federation requests to + blacklist: + - '127.0.0.0/8' + - '10.0.0.0/8' + - '172.16.0.0/12' + - '192.168.0.0/16' + - '100.64.0.0/10' + - '169.254.0.0/16' + - '::1/128' + - 'fe80::/64' + - 'fc00::/7' + + # User registration settings + registration: + # Allow new users to register an account + enabled: false + + # 
Allow users to join rooms as a guest + allowGuests: false + + # Required "3PIDs" - third-party identifiers such as email or msisdn (SMS) + # required3Pids: + # - email + # - msisdn + + # Rooms to automatically join all new users to + autoJoinRooms: [] + # - "#welcome:example.com" + + # Settings for the URL preview crawler + urlPreviews: + # Enable URL previews. + # WARNING: Make sure to review the default rules below to ensure that users cannot crawl + # sensitive internal endpoints in your cluster. + enabled: false + + # Blacklists and whitelists for the URL preview crawler + rules: + # Maximum size of a crawlable page. Keep this low to prevent a DOS vector + maxSize: 10M + + # Whitelist and blacklist for crawlable IP addresses + ip: + # whitelist: + blacklist: + - '127.0.0.0/8' + - '10.0.0.0/8' + - '172.16.0.0/12' + - '192.168.0.0/16' + - '100.64.0.0/10' + - '169.254.0.0/16' + - '::1/128' + - 'fe80::/64' + - 'fc00::/7' + + # Whitelist and blacklist based on URL pattern matching + url: {} + # whitelist: + # blacklist: + # # blacklist any URL with a username in its URI + # - username: '*' + # + # # blacklist all *.google.com URLs + # - netloc: 'google.com' + # - netloc: '*.google.com' + # + # # blacklist all plain HTTP URLs + # - scheme: 'http' + # + # # blacklist http(s)://www.acme.com/foo + # - netloc: 'www.acme.com' + # path: '/foo' + # + # # blacklist any URL with a literal IPv4 address + # - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' + # Synapse deployment configuration synapse: image: @@ -32,12 +155,7 @@ fullnameOverride: "" ingress: enabled: false annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" hosts: - host: chart-example.local paths: [] tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local From d054c440277f6109e6882c621c644e63191fd327 Mon Sep 17 00:00:00 2001 
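Review bot: Both IP blacklists in this hunk (`federation.blacklist` and `urlPreviews.rules.ip.blacklist`) list `fe80::/64`, but the IPv6 link-local range is `fe80::/10` (RFC 4291), so most link-local addresses stay reachable from the URL-preview fetcher and the federation client; `- 'fe80::/10'` is the line to change in both places. Neither list covers `0.0.0.0/8`, multicast `224.0.0.0/4`, or IPv4-mapped IPv6 (`::ffff:0:0/96`), which is how a literal `::ffff:10.0.0.1` can bypass an IPv4-only rule — worth adding unless the Synapse version in use already normalises mapped addresses, which I cannot confirm from here. Since the two lists are identical, sourcing both template sites from one value (e.g. `matrix.privateRanges`) would keep them from drifting apart. The `@@ -32,12 +155,7 @@` ingress hunk only drops example comments.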
From: David Cruz Date: Wed, 4 Dec 2019 18:18:46 -0800 Subject: [PATCH 004/105] Configure attachments/media volumes --- charts/matrix/templates/synapse/deployment.yaml | 10 ++++++++++ charts/matrix/templates/synapse/media-pvc.yaml | 12 ++++++++++++ charts/matrix/values.yaml | 7 +++++++ 3 files changed, 29 insertions(+) create mode 100644 charts/matrix/templates/synapse/media-pvc.yaml diff --git a/charts/matrix/templates/synapse/deployment.yaml b/charts/matrix/templates/synapse/deployment.yaml index b68bd31..00e3ece 100644 --- a/charts/matrix/templates/synapse/deployment.yaml +++ b/charts/matrix/templates/synapse/deployment.yaml @@ -37,6 +37,10 @@ spec: - name: homeserver-yaml mountPath: /data/homeserver.yaml subPath: homeserver.yaml + - name: media-store + mountPath: /data/media_store + - name: uploads + mountPath: /data/uploads livenessProbe: httpGet: path: / @@ -53,3 +57,9 @@ spec: - name: homeserver-yaml configMap: name: {{ include "matrix.fullname" . }}-homeserver-yaml + - name: media-store + persistentVolumeClaim: + claimName: {{ include "matrix.fullname" . }}-media-store + # Ephemeral in-progress uploads + - name: uploads + emptyDir: {} diff --git a/charts/matrix/templates/synapse/media-pvc.yaml b/charts/matrix/templates/synapse/media-pvc.yaml new file mode 100644 index 0000000..a89982d --- /dev/null +++ b/charts/matrix/templates/synapse/media-pvc.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ include "matrix.fullname" . }}-media-store + labels: +{{ include "matrix.labels" . | indent 4}} +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .Values.volumes.media.capacity }} diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index 0941041..12247f0 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml 
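Review bot: The `uploads` volume in the `@@ -53,3 +57,9 @@` hunk is `emptyDir: {}` with no `sizeLimit`, so in-progress uploads draw on the node's ephemeral storage; `uploads.maxSize` bounds one upload but not many concurrent ones, which makes this a cheap disk-exhaustion vector against the node for any account that can upload. Set `emptyDir:` / `  sizeLimit: 1Gi` (sized to the expected concurrency) so the kubelet evicts the pod instead of starving the node. The pod spec this hunk edits starts outside the view.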
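Review bot: `media-pvc.yaml` requests `ReadWriteOnce` but is consumed by a Deployment, whose default `RollingUpdate` strategy starts the replacement pod before the old one exits; if the scheduler places it on another node the new pod blocks on volume attach and the rollout hangs. Unless the Deployment sets `strategy: {type: Recreate}` (not visible in this patch), that setting belongs alongside this claim, and `annotations:` / `  helm.sh/resource-policy: keep` on the PVC prevents `helm uninstall` from deleting every uploaded attachment with the release.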
@@ -125,6 +125,13 @@ matrix: # # blacklist any URL with a literal IPv4 address # - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' +# Persistent volumes configuration +volumes: + # Uploaded attachments/multimedia + media: + # Capacity of the media persistent volume claim + capacity: 10Gi + # Synapse deployment configuration synapse: image: From 9197801a90744f1c4cbb5eb66364597eaee55a0e Mon Sep 17 00:00:00 2001 From: David Cruz Date: Sun, 15 Dec 2019 12:46:38 -0800 Subject: [PATCH 005/105] Generate and mount signing key --- .../matrix/templates/synapse/_homeserver.yaml | 2 +- .../matrix/templates/synapse/deployment.yaml | 32 +++++++++++++++++++ .../matrix/templates/synapse/keys-secret.yaml | 8 +++++ charts/matrix/values.yaml | 2 +- 4 files changed, 42 insertions(+), 2 deletions(-) create mode 100644 charts/matrix/templates/synapse/keys-secret.yaml diff --git a/charts/matrix/templates/synapse/_homeserver.yaml b/charts/matrix/templates/synapse/_homeserver.yaml index 22b1fca..dff9f3e 100644 --- a/charts/matrix/templates/synapse/_homeserver.yaml +++ b/charts/matrix/templates/synapse/_homeserver.yaml @@ -1029,7 +1029,7 @@ report_stats: {{ .Values.matrix.telemetry }} # Path to the signing key to sign messages with # -signing_key_path: "/data/{{ .Values.matrix.serverName }}.signing.key" +signing_key_path: "/data/keys/{{ .Values.matrix.serverName }}.signing.key" # The keys that the server used to sign messages with but won't use # to sign new messages. E.g. it has lost its private key diff --git a/charts/matrix/templates/synapse/deployment.yaml b/charts/matrix/templates/synapse/deployment.yaml index 00e3ece..6d66568 100644 --- a/charts/matrix/templates/synapse/deployment.yaml +++ b/charts/matrix/templates/synapse/deployment.yaml 
@@ -25,6 +25,33 @@ spec: {{- end }} securityContext: {{- toYaml .Values.synapse.podSecurityContext | nindent 8 }} + # generate signing key only on fresh install + {{- if .Release.IsInstall }} + initContainers: + - name: generate-signing-key + image: "{{ .Values.synapse.image.repository }}:{{ .Values.synapse.image.tag }}" + imagePullPolicy: {{ .Values.synapse.image.pullPolicy }} + env: + - name: SYNAPSE_SERVER_NAME + value: {{ .Values.matrix.serverName }} + - name: SYNAPSE_REPORT_STATS + value: {{ .Values.matrix.telemetry | ternary "yes" "no" | quote }} + command: ["python"] + args: + - "-m" + - "synapse.app.homeserver" + - "--config-path" + - "/data/homeserver.yaml" + - "--keys-directory" + - "/data/keys" + - "--generate-keys" + volumeMounts: + - name: homeserver-yaml + mountPath: /data/homeserver.yaml + subPath: homeserver.yaml + - name: signing-key + mountPath: /data/keys + {{- end }} # end if .Release.IsInstall containers: - name: "synapse" image: "{{ .Values.synapse.image.repository }}:{{ .Values.synapse.image.tag }}" @@ -37,6 +64,8 @@ spec: - name: homeserver-yaml mountPath: /data/homeserver.yaml subPath: homeserver.yaml + - name: signing-key + mountPath: /data/keys - name: media-store mountPath: /data/media_store - name: uploads @@ -57,6 +86,9 @@ spec: - name: homeserver-yaml configMap: name: {{ include "matrix.fullname" . }}-homeserver-yaml + - name: signing-key + secret: + secretName: {{ include "matrix.fullname" . }}-signing-keys - name: media-store persistentVolumeClaim: claimName: {{ include "matrix.fullname" . }}-media-store diff --git a/charts/matrix/templates/synapse/keys-secret.yaml b/charts/matrix/templates/synapse/keys-secret.yaml new file mode 100644 index 0000000..a4c67e7 --- /dev/null +++ b/charts/matrix/templates/synapse/keys-secret.yaml 
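Review bot: The `generate-signing-key` init container is gated on `.Release.IsInstall`, which only decides whether it appears in the manifest rendered at install time; that rendered Deployment keeps running the generator on every pod restart until the next `helm upgrade` re-renders without it. That is safe only if `--generate-keys` leaves an existing key file untouched — I believe Synapse only writes missing files, but it should be confirmed against the pinned image, and a comment stating that assumption belongs above `{{- if .Release.IsInstall }}`. The env entry `value: {{ .Values.matrix.serverName }}` should be `value: {{ .Values.matrix.serverName | quote }}`, since `env` values must be strings and an unquoted templated scalar can be retyped by the YAML parser. The container list this hunk opens continues outside the view.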
@@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "matrix.fullname" . }}-signing-keys + labels: +{{ include "matrix.labels" . | indent 4 }} +data: + {{ .Values.matrix.serverName }}.signing.key: "" diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index 12247f0..cd9bd49 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml @@ -136,7 +136,7 @@ volumes: synapse: image: repository: "matrixdotorg/synapse" - tag: latest + tag: v1.7.0 pullPolicy: IfNotPresent service: type: ClusterIP From 77e49a83680a04cdeaa33798c2e47276eeff23e3 Mon Sep 17 00:00:00 2001 From: David Cruz Date: Mon, 16 Dec 2019 19:19:26 -0800 Subject: [PATCH 006/105] Switch signing key storage from Secret to PVC --- charts/matrix/templates/synapse/deployment.yaml | 4 ++-- charts/matrix/templates/synapse/keys-secret.yaml | 8 -------- charts/matrix/templates/synapse/signing-key-pvc.yaml | 12 ++++++++++++ 3 files changed, 14 insertions(+), 10 deletions(-) delete mode 100644 charts/matrix/templates/synapse/keys-secret.yaml create mode 100644 charts/matrix/templates/synapse/signing-key-pvc.yaml diff --git a/charts/matrix/templates/synapse/deployment.yaml b/charts/matrix/templates/synapse/deployment.yaml index 6d66568..8ad6490 100644 --- a/charts/matrix/templates/synapse/deployment.yaml +++ b/charts/matrix/templates/synapse/deployment.yaml @@ -87,8 +87,8 @@ spec: configMap: name: {{ include "matrix.fullname" . }}-homeserver-yaml - name: signing-key - secret: - secretName: {{ include "matrix.fullname" . }}-signing-keys + persistentVolumeClaim: + claimName: {{ include "matrix.fullname" . }}-signing-key - name: media-store persistentVolumeClaim: claimName: {{ include "matrix.fullname" . }}-media-store diff --git a/charts/matrix/templates/synapse/keys-secret.yaml b/charts/matrix/templates/synapse/keys-secret.yaml deleted file mode 100644 index a4c67e7..0000000 --- a/charts/matrix/templates/synapse/keys-secret.yaml +++ /dev/null 
@@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "matrix.fullname" . }}-signing-keys - labels: -{{ include "matrix.labels" . | indent 4 }} -data: - {{ .Values.matrix.serverName }}.signing.key: "" diff --git a/charts/matrix/templates/synapse/signing-key-pvc.yaml b/charts/matrix/templates/synapse/signing-key-pvc.yaml new file mode 100644 index 0000000..fe80acb --- /dev/null +++ b/charts/matrix/templates/synapse/signing-key-pvc.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ include "matrix.fullname" . }}-signing-key + labels: +{{ include "matrix.labels" . | indent 4}} +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Mi From e1b9691219539b9a42b00e05dd7e7d68139789c9 Mon Sep 17 00:00:00 2001 From: David Cruz Date: Mon, 16 Dec 2019 19:25:04 -0800 Subject: [PATCH 007/105] Add .log.config file --- .../matrix/templates/synapse/configmap.yaml | 33 ++++++++++++++++++- .../matrix/templates/synapse/deployment.yaml | 16 ++++----- 2 files changed, 39 insertions(+), 10 deletions(-) diff --git a/charts/matrix/templates/synapse/configmap.yaml b/charts/matrix/templates/synapse/configmap.yaml index 1726b6e..1b441ae 100644 --- a/charts/matrix/templates/synapse/configmap.yaml +++ b/charts/matrix/templates/synapse/configmap.yaml 
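Review bot: `signing-key-pvc.yaml` now holds the homeserver's only copy of the Ed25519 key other servers use to verify its federation traffic, yet nothing marks the claim as retained, so `helm uninstall` (or a later rename of the PVC) deletes the key along with the identity bound to `matrix.serverName`. Add `annotations:` / `  helm.sh/resource-policy: keep` under `metadata`, and note in a comment that the key's confidentiality now rests on the storage class (encryption at rest, who can snapshot the volume) rather than on RBAC for Secrets. A `1Mi` request is fine, but some storage classes round it up to their minimum, which is worth a comment so the size is not later "fixed".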
@@ -1,9 +1,40 @@ apiVersion: v1 kind: ConfigMap metadata: - name: {{ include "matrix.fullname" . }}-homeserver-yaml + name: {{ include "matrix.fullname" . }}-synapse-config labels: {{ include "matrix.labels" . | nindent 4}} data: homeserver.yaml: | {{ include "homeserver.yaml" . | nindent 4 }} + {{ .Values.matrix.serverName }}.log.config: | + version: 1 + + formatters: + precise: + format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s' + + filters: + context: + (): synapse.util.logcontext.LoggingContextFilter + request: "" + + handlers: + console: + class: logging.StreamHandler + formatter: precise + filters: [context] + + loggers: + synapse: + level: WARNING + + synapse.storage.SQL: + # beware: increasing this to DEBUG will make synapse log sensitive + # information such as access tokens. + level: WARNING + + + root: + level: WARNING + handlers: [console] diff --git a/charts/matrix/templates/synapse/deployment.yaml b/charts/matrix/templates/synapse/deployment.yaml index 8ad6490..8a9256d 100644 --- a/charts/matrix/templates/synapse/deployment.yaml +++ b/charts/matrix/templates/synapse/deployment.yaml @@ -14,7 +14,7 @@ spec: metadata: annotations: # re-roll deployment on homeserver.yaml change - checksum/homeserver-yaml: {{ include (print $.Template.BasePath "/synapse/configmap.yaml") . | sha256sum }} + checksum/synapse-config: {{ include (print $.Template.BasePath "/synapse/configmap.yaml") . | sha256sum }} labels: app.kubernetes.io/name: {{ include "matrix.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} @@ -46,9 +46,8 @@ spec: - "/data/keys" - "--generate-keys" volumeMounts: - - name: homeserver-yaml - mountPath: /data/homeserver.yaml - subPath: homeserver.yaml + - name: synapse-config + mountPath: /data - name: signing-key mountPath: /data/keys {{- end }} # end if .Release.IsInstall 
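Review bot: The log config's filter is `(): synapse.util.logcontext.LoggingContextFilter`, but Synapse moved that class to `synapse.logging.context` during the 1.x series; on the image pinned at `v1.7.0` the old path may still resolve through a compatibility shim, which should be checked against the log config that version generates, and `synapse.logging.context.LoggingContextFilter` is the forward-compatible spelling if it does. Keeping the inherited warning that `synapse.storage.SQL` at DEBUG logs access tokens is good. A root level of `WARNING` also means authentication failures and rate-limit hits (INFO-level in Synapse, as far as I recall) never reach the container log, so a comment such as `# WARNING hides INFO-level auth/ratelimit events; raise to INFO when investigating abuse` would help operators.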
@@ -61,9 +60,8 @@ spec: containerPort: 80 protocol: TCP volumeMounts: - - name: homeserver-yaml - mountPath: /data/homeserver.yaml - subPath: homeserver.yaml + - name: synapse-config + mountPath: /data - name: signing-key mountPath: /data/keys - name: media-store @@ -83,9 +81,9 @@ spec: {{- toYaml . | nindent 12 }} {{- end }} volumes: - - name: homeserver-yaml + - name: synapse-config configMap: - name: {{ include "matrix.fullname" . }}-homeserver-yaml + name: {{ include "matrix.fullname" . }}-synapse-config - name: signing-key persistentVolumeClaim: claimName: {{ include "matrix.fullname" . }}-signing-key From 067dbe0ef4ba7943f1e4e68997683639c999370a Mon Sep 17 00:00:00 2001 From: David Cruz Date: Mon, 16 Dec 2019 20:11:46 -0800 Subject: [PATCH 008/105] Add PostgreSQL chart and configure database --- charts/matrix/.gitignore | 1 + charts/matrix/Chart.lock | 6 ++++++ charts/matrix/Chart.yaml | 6 ++++++ charts/matrix/templates/synapse/_homeserver.yaml | 16 +++++++++++----- charts/matrix/values.yaml | 15 +++++++++++++++ 5 files changed, 39 insertions(+), 5 deletions(-) create mode 100644 charts/matrix/Chart.lock diff --git a/charts/matrix/.gitignore b/charts/matrix/.gitignore index 9f11b75..a8d4be7 100644 --- a/charts/matrix/.gitignore +++ b/charts/matrix/.gitignore @@ -1 +1,2 @@ .idea/ +charts/ diff --git a/charts/matrix/Chart.lock b/charts/matrix/Chart.lock new file mode 100644 index 0000000..aa60715 --- /dev/null +++ b/charts/matrix/Chart.lock @@ -0,0 +1,6 @@ +dependencies: +- name: postgresql + repository: https://kubernetes-charts.storage.googleapis.com + version: 8.0.0 +digest: sha256:9f2052244167d312b126a3e74777dc547b8aaa4e76bbf23900a6880c6399d23d +generated: "2019-12-16T19:54:24.921858546-08:00" diff --git a/charts/matrix/Chart.yaml b/charts/matrix/Chart.yaml index 7ae2b29..722e724 100644 --- a/charts/matrix/Chart.yaml +++ b/charts/matrix/Chart.yaml 
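Review bot: Mounting the ConfigMap at `mountPath: /data` (this `@@ -61,9 +60,8 @@` hunk and the init-container hunk before it) replaces the whole directory with a read-only projection, so any write under `/data` other than the nested `keys`, `media_store` and `uploads` mounts fails with EROFS; that works today only because logging goes to the console and keys use `--keys-directory /data/keys`. A comment on the mount, e.g. `# /data is a read-only ConfigMap; every writable path must be its own volume below`, records the constraint, or mount the config at `/data/config` and point `--config-path` there so the data directory stays writable. The Deployment spec continues outside these hunks.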
@@ -19,3 +19,9 @@ version: 0.1.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. appVersion: 1.16.0 + +dependencies: + - name: postgresql + version: 8.0.0 + repository: https://kubernetes-charts.storage.googleapis.com + condition: postgresql.enabled diff --git a/charts/matrix/templates/synapse/_homeserver.yaml b/charts/matrix/templates/synapse/_homeserver.yaml index dff9f3e..808b3a5 100644 --- a/charts/matrix/templates/synapse/_homeserver.yaml +++ b/charts/matrix/templates/synapse/_homeserver.yaml @@ -476,17 +476,23 @@ acme: # #tls_fingerprints: [{"sha256": ""}] - - ## Database ## database: # The database engine name - name: "sqlite3" + name: "psycopg2" # Arguments to pass to the engine args: - # Path to the database - database: "/data/homeserver.db" + user: "{{ .Values.postgresql.postgresqlUsername }}" + password: "{{ .Values.postgresql.postgresqlPassword }}" + database: "{{ .Values.postgresql.postgresqlDatabase }}" + {{- if .Values.postgresql.enabled }} + host: "{{ include "matrix.fullname" . }}-postgresql" + {{- else }} + host: "{{ .Values.postgresql.hostname }}" + {{- end}} + cp_min: 5 + cp_max: 10 # Number of events to cache in memory. # diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index cd9bd49..c6b1106 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml @@ -132,6 +132,21 @@ volumes: # Capacity of the media persistent volume claim capacity: 10Gi +# PostgreSQL Database Configuration +postgresql: + # Whether to deploy the stable/postgresql chart with this chart. If disabled, make sure PostgreSQL is available at the hostname below and credentials are configured below + enabled: true + + postgresqlUsername: matrix + postgresqlPassword: matrix + postgresqlDatabase: matrix + + # Set this if postgresql.enabled = false + hostname: "" + + persistence: + size: 8Gi + # Synapse deployment configuration synapse: image: 
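Review bot: The database password is rendered from `.Values.postgresql.postgresqlPassword` directly into `homeserver.yaml`, which the synapse ConfigMap template publishes as a ConfigMap rather than a Secret, and the `values.yaml` hunk in this commit ships the default `postgresqlPassword: matrix`. Anyone with read access to ConfigMaps in the namespace — usually a wider audience than Secret readers under typical RBAC — obtains working database credentials, and a release installed with defaults has a guessable password. At minimum the default should be empty and the render should refuse to proceed without it, e.g. `password: {{ required "postgresql.postgresqlPassword must be set" .Values.postgresql.postgresqlPassword | quote }}`; longer term the rendered homeserver.yaml belongs in a Secret. The same `required` treatment fits `postgresql.hostname`, which otherwise renders `host: ""` silently when the bundled chart is disabled.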
From d7652b9746f5b06e4e1336a287b1da023dac5aaf Mon Sep 17 00:00:00 2001 From: David Cruz Date: Mon, 16 Dec 2019 20:56:40 -0800 Subject: [PATCH 009/105] Open port 8008 and configure liveness/readiness probes --- charts/matrix/templates/synapse/_homeserver.yaml | 4 ++-- charts/matrix/templates/synapse/deployment.yaml | 6 +++--- charts/matrix/values.yaml | 3 +-- 3 files changed, 6 insertions(+), 7 deletions(-) diff --git a/charts/matrix/templates/synapse/_homeserver.yaml b/charts/matrix/templates/synapse/_homeserver.yaml index 808b3a5..bc2ed98 100644 --- a/charts/matrix/templates/synapse/_homeserver.yaml +++ b/charts/matrix/templates/synapse/_homeserver.yaml @@ -194,11 +194,11 @@ listeners: # If you plan to use a reverse proxy, please see # https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md. # - - port: 8008 + - port: {{ .Values.synapse.service.port }} tls: false type: http x_forwarded: true - bind_addresses: ['::1', '127.0.0.1'] + bind_addresses: ['0.0.0.0'] resources: - names: [client, federation] diff --git a/charts/matrix/templates/synapse/deployment.yaml b/charts/matrix/templates/synapse/deployment.yaml index 8a9256d..ffaa2d2 100644 --- a/charts/matrix/templates/synapse/deployment.yaml +++ b/charts/matrix/templates/synapse/deployment.yaml @@ -57,7 +57,7 @@ spec: imagePullPolicy: {{ .Values.synapse.image.pullPolicy }} ports: - name: http - containerPort: 80 + containerPort: 8008 protocol: TCP volumeMounts: - name: synapse-config @@ -70,11 +70,11 @@ spec: mountPath: /data/uploads livenessProbe: httpGet: - path: / + path: /_matrix/static/ port: http readinessProbe: httpGet: - path: / + path: /_matrix/static/ port: http {{- with .Values.synapse.resources }} resources: diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index c6b1106..d550a36 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml 
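Review bot: The listener now binds `0.0.0.0` while keeping `x_forwarded: true`, so Synapse trusts the `X-Forwarded-For` header from any client that can reach port 8008 directly, not only from the Ingress controller. Inside the cluster that means any pod — and any external client, should this port later be published by another Service — can present an arbitrary source address to Synapse's rate limiting and logging. This is acceptable only while the Ingress is the sole path to the pod; a comment next to `x_forwarded: true` stating that assumption, plus a NetworkPolicy limiting ingress on this port to the controller, would make it hold. If the cluster ever runs dual-stack, binding `'::'` alongside `'0.0.0.0'` keeps the pod reachable over IPv6 as well.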
@@ -155,10 +155,9 @@ synapse: pullPolicy: IfNotPresent service: type: ClusterIP - port: 80 + port: 8008 replicaCount: 1 podSecurityContext: {} - # fsGroup: 2000 securityContext: capabilities: From 744f694bcf283756c72635c3cba2f2b20b077292 Mon Sep 17 00:00:00 2001 From: David Cruz Date: Mon, 16 Dec 2019 21:55:45 -0800 Subject: [PATCH 010/105] Configure Synapse Ingress --- charts/matrix/templates/ingress.yaml | 41 ------------------- .../matrix/templates/synapse/_homeserver.yaml | 2 +- charts/matrix/templates/synapse/ingress.yaml | 30 ++++++++++++++ charts/matrix/values.yaml | 16 ++++---- 4 files changed, 39 insertions(+), 50 deletions(-) delete mode 100644 charts/matrix/templates/ingress.yaml create mode 100644 charts/matrix/templates/synapse/ingress.yaml diff --git a/charts/matrix/templates/ingress.yaml b/charts/matrix/templates/ingress.yaml deleted file mode 100644 index d13cfa5..0000000 --- a/charts/matrix/templates/ingress.yaml +++ /dev/null @@ -1,41 +0,0 @@ -{{- if .Values.ingress.enabled -}} -{{- $fullName := include "matrix.fullname" . -}} -{{- $svcPort := .Values.service.port -}} -{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} -apiVersion: networking.k8s.io/v1beta1 -{{- else -}} -apiVersion: extensions/v1beta1 -{{- end }} -kind: Ingress -metadata: - name: {{ $fullName }} - labels: - {{- include "matrix.labels" . | nindent 4 }} - {{- with .Values.ingress.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: -{{- if .Values.ingress.tls }} - tls: - {{- range .Values.ingress.tls }} - - hosts: - {{- range .hosts }} - - {{ . | quote }} - {{- end }} - secretName: {{ .secretName }} - {{- end }} -{{- end }} - rules: - {{- range .Values.ingress.hosts }} - - host: {{ .host | quote }} - http: - paths: - {{- range .paths }} - - path: {{ . }} - backend: - serviceName: {{ $fullName }} - servicePort: {{ $svcPort }} - {{- end }} - {{- end }} -{{- end }} 
diff --git a/charts/matrix/templates/synapse/_homeserver.yaml b/charts/matrix/templates/synapse/_homeserver.yaml index bc2ed98..8cf8f4f 100644 --- a/charts/matrix/templates/synapse/_homeserver.yaml +++ b/charts/matrix/templates/synapse/_homeserver.yaml @@ -26,7 +26,7 @@ pid_file: /data/homeserver.pid {{- if .Values.matrix.baseUrl }} public_baseurl: {{ .Values.matrix.baseUrl }} {{- else }} -public_baseurl: {{ (index .Values.ingress.hosts 0).host }} +public_baseurl: {{ .Values.synapse.ingress.host }} {{- end }} # Set the soft limit on the number of file descriptors synapse can use # Zero is used to indicate synapse should set the soft limit to the diff --git a/charts/matrix/templates/synapse/ingress.yaml b/charts/matrix/templates/synapse/ingress.yaml new file mode 100644 index 0000000..b7cb080 --- /dev/null +++ b/charts/matrix/templates/synapse/ingress.yaml @@ -0,0 +1,30 @@ +{{- if .Values.synapse.ingress.enabled -}} +{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1beta1 +{{- else -}} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ include "matrix.fullname" . }}-synapse + labels: + {{- include "matrix.labels" . | nindent 4 }} + {{- with .Values.synapse.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: +{{- if .Values.synapse.ingress.tlsSecret }} + tls: + - hosts: [{{ .Values.synapse.ingress.host }}] + secretName: {{ .Values.synapse.ingress.tlsSecret }} +{{- end }} + rules: + - host: {{ .Values.synapse.ingress.host }} + http: + paths: + - path: "/" + backend: + serviceName: "{{ include "matrix.fullname" . }}-synapse" + servicePort: {{ .Values.synapse.service.port }} +{{- end }} diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index d550a36..b27ed3c 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml 
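Review bot: `public_baseurl` is set to the bare ingress hostname (`matrix.chart-example.local` by default), but Synapse's sample configuration gives this as a full URL with scheme, so links built from it (notification emails, identity-server flows) will lack `https://`. Rendering it as `public_baseurl: "https://{{ .Values.synapse.ingress.host }}/"` — or choosing the scheme from whether `synapse.ingress.tlsSecret` is set — fixes this; the same line is rewritten to `.Values.ingress.hosts.synapse` in the `@@ -26,7 +26,7 @@` hunk of the next commit and needs the same treatment. Quoting the value also protects against hostnames that YAML would otherwise reinterpret.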
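Review bot: With `synapse.ingress.tlsSecret` unset — the default in this commit's `values.yaml` hunk — the new Ingress publishes the client API on plain HTTP at `/`, so logins and access tokens cross the network unencrypted on a default install. Either make TLS the default (a required secret name, or a cert-manager annotation in the documented example) or state prominently in values.yaml that production installs must set `tlsSecret`. The `hosts: [{{ .Values.synapse.ingress.host }}]` and `host: {{ .Values.synapse.ingress.host }}` values should be passed through `| quote`, as the deleted `templates/ingress.yaml` did, so a hostname YAML could reinterpret still renders as a string.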
@@ -169,14 +169,14 @@ synapse: resources: {} + ingress: + enabled: true + # Set the externally-facing hostname of Synapse here + host: matrix.chart-example.local + # Uncomment and set this to use an existing TLS secret for HTTPS +# tlsSecret: "" + annotations: {} + imagePullSecrets: [] nameOverride: "" fullnameOverride: "" - -ingress: - enabled: false - annotations: {} - hosts: - - host: chart-example.local - paths: [] - tls: [] From 252e5299368d9a7aa587028e22f11a0166d42e41 Mon Sep 17 00:00:00 2001 From: David Cruz Date: Tue, 17 Dec 2019 00:17:41 -0800 Subject: [PATCH 011/105] Move Ingress back to top of templates/ for future consolidation --- .../templates/{synapse => }/ingress.yaml | 19 ++++++++++++------- .../matrix/templates/synapse/_homeserver.yaml | 2 +- charts/matrix/values.yaml | 15 +++++++-------- 3 files changed, 20 insertions(+), 16 deletions(-) rename charts/matrix/templates/{synapse => }/ingress.yaml (60%) diff --git a/charts/matrix/templates/synapse/ingress.yaml b/charts/matrix/templates/ingress.yaml similarity index 60% rename from charts/matrix/templates/synapse/ingress.yaml rename to charts/matrix/templates/ingress.yaml index b7cb080..3f7ad8e 100644 --- a/charts/matrix/templates/synapse/ingress.yaml +++ b/charts/matrix/templates/ingress.yaml @@ -1,4 +1,4 @@ -{{- if .Values.synapse.ingress.enabled -}} +{{- if .Values.ingress.enabled -}} {{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} apiVersion: networking.k8s.io/v1beta1 {{- else -}} 
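Review bot: The `# tlsSecret: ""` line is written at column 0, so a user who follows the `Uncomment and set this` instruction ends up with a top-level `tlsSecret` key, while the new ingress template reads `.Values.synapse.ingress.tlsSecret` and silently stays without TLS. Indent the commented line under `ingress:`, or better declare it explicitly as `    tlsSecret: ""` so the key's location does not depend on editing discipline. The `ingress.tls: []` restructuring in the next commit sidesteps this particular key, but the same column-0 commented example recurs later as `# - text:` / `# url:` under `riot.branding.authFooterLinks`.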
@@ -6,21 +6,26 @@ apiVersion: extensions/v1beta1 {{- end }} kind: Ingress metadata: - name: {{ include "matrix.fullname" . }}-synapse + name: {{ include "matrix.fullname" . }} labels: {{- include "matrix.labels" . | nindent 4 }} - {{- with .Values.synapse.ingress.annotations }} + {{- with .Values.ingress.annotations }} annotations: {{- toYaml . | nindent 4 }} {{- end }} spec: -{{- if .Values.synapse.ingress.tlsSecret }} +{{- if .Values.ingress.tls }} tls: - - hosts: [{{ .Values.synapse.ingress.host }}] - secretName: {{ .Values.synapse.ingress.tlsSecret }} + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} {{- end }} rules: - - host: {{ .Values.synapse.ingress.host }} + - host: {{ .Values.ingress.hosts.synapse }} http: paths: - path: "/" diff --git a/charts/matrix/templates/synapse/_homeserver.yaml b/charts/matrix/templates/synapse/_homeserver.yaml index 8cf8f4f..529a01e 100644 --- a/charts/matrix/templates/synapse/_homeserver.yaml +++ b/charts/matrix/templates/synapse/_homeserver.yaml @@ -26,7 +26,7 @@ pid_file: /data/homeserver.pid {{- if .Values.matrix.baseUrl }} public_baseurl: {{ .Values.matrix.baseUrl }} {{- else }} -public_baseurl: {{ .Values.synapse.ingress.host }} +public_baseurl: {{ .Values.ingress.hosts.synapse }} {{- end }} # Set the soft limit on the number of file descriptors synapse can use # Zero is used to indicate synapse should set the soft limit to the diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index b27ed3c..8e15f75 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml 
@@ -169,14 +169,13 @@ synapse: resources: {} - ingress: - enabled: true - # Set the externally-facing hostname of Synapse here - host: matrix.chart-example.local - # Uncomment and set this to use an existing TLS secret for HTTPS -# tlsSecret: "" - annotations: {} - imagePullSecrets: [] nameOverride: "" fullnameOverride: "" + +ingress: + enabled: true + tls: [] + hosts: + synapse: matrix.chart-example.local + annotations: {} From 175097ace5d701adeece8a2c0dd2b6b8e5f56536 Mon Sep 17 00:00:00 2001 From: David Cruz Date: Tue, 17 Dec 2019 00:35:50 -0800 Subject: [PATCH 012/105] Add basic Riot deployment/service and fix label selectors for Synapse --- charts/matrix/templates/ingress.yaml | 9 ++++ charts/matrix/templates/riot/deployment.yaml | 46 +++++++++++++++++++ charts/matrix/templates/riot/service.yaml | 18 ++++++++ .../matrix/templates/synapse/deployment.yaml | 4 +- charts/matrix/templates/synapse/service.yaml | 2 +- charts/matrix/values.yaml | 23 ++++++---- 6 files changed, 91 insertions(+), 11 deletions(-) create mode 100644 charts/matrix/templates/riot/deployment.yaml create mode 100644 charts/matrix/templates/riot/service.yaml diff --git a/charts/matrix/templates/ingress.yaml b/charts/matrix/templates/ingress.yaml index 3f7ad8e..fcc5a94 100644 --- a/charts/matrix/templates/ingress.yaml +++ b/charts/matrix/templates/ingress.yaml @@ -32,4 +32,13 @@ spec: backend: serviceName: "{{ include "matrix.fullname" . }}-synapse" servicePort: {{ .Values.synapse.service.port }} + {{- if .Values.riot.enabled }} + - host: {{ .Values.ingress.hosts.riot }} + http: + paths: + - path: "/" + backend: + serviceName: "{{ include "matrix.fullname" . }}-riot" + servicePort: {{ .Values.riot.service.port }} + {{- end }} {{- end }} diff --git a/charts/matrix/templates/riot/deployment.yaml b/charts/matrix/templates/riot/deployment.yaml new file mode 100644 index 0000000..bef17cd --- /dev/null +++ b/charts/matrix/templates/riot/deployment.yaml 
@@ -0,0 +1,46 @@ +{{- if .Values.riot.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "matrix.fullname" . }}-riot + labels: +{{ include "matrix.labels" . | indent 4 }} +spec: + replicas: {{ .Values.riot.replicaCount }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "matrix.name" . }}-riot + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "matrix.name" . }}-riot + app.kubernetes.io/instance: {{ .Release.Name }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + securityContext: + {{- toYaml .Values.riot.podSecurityContext | nindent 8 }} + containers: + - name: "riot" + image: "{{ .Values.riot.image.repository }}:{{ .Values.riot.image.tag }}" + imagePullPolicy: {{ .Values.riot.image.pullPolicy }} + ports: + - name: http + containerPort: 80 + protocol: TCP + livenessProbe: + httpGet: + path: / + port: http + readinessProbe: + httpGet: + path: / + port: http + {{- with .Values.riot.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} +{{- end }} diff --git a/charts/matrix/templates/riot/service.yaml b/charts/matrix/templates/riot/service.yaml new file mode 100644 index 0000000..1dec9ee --- /dev/null +++ b/charts/matrix/templates/riot/service.yaml @@ -0,0 +1,18 @@ +{{- if .Values.riot.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "matrix.fullname" . }}-riot + labels: +{{ include "matrix.labels" . | indent 4 }} +spec: + type: {{ .Values.riot.service.type }} + ports: + - port: {{ .Values.riot.service.port }} + targetPort: http + protocol: TCP + name: http + selector: + app.kubernetes.io/name: {{ include "matrix.name" . }}-riot + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/matrix/templates/synapse/deployment.yaml b/charts/matrix/templates/synapse/deployment.yaml index ffaa2d2..be8bf71 100644 
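Review bot: The riot container has no container-level `securityContext` (only `podSecurityContext`, which this commit's values default to `{}`), so it runs with default Linux capabilities and a writable root filesystem; as far as the image tolerates it, `securityContext: {capabilities: {drop: [ALL]}, readOnlyRootFilesystem: true, runAsNonRoot: true}` mirrors the hardening the synapse side shipped with. The image `bubuntux/riot-web:v1.5.6` appears to come from a third-party namespace rather than the project's own; if it stays, pinning by digest (`image: "<repository>@sha256:<digest>"`) gives a reproducible supply chain, and values.yaml should say where the image is built. The same points apply to the `riot/service.yaml` hunk's selector only insofar as both name the same pods.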
--- a/charts/matrix/templates/synapse/deployment.yaml +++ b/charts/matrix/templates/synapse/deployment.yaml @@ -8,7 +8,7 @@ spec: replicas: {{ .Values.synapse.replicaCount }} selector: matchLabels: - app.kubernetes.io/name: {{ include "matrix.name" . }} + app.kubernetes.io/name: {{ include "matrix.name" . }}-synapse app.kubernetes.io/instance: {{ .Release.Name }} template: metadata: @@ -16,7 +16,7 @@ spec: # re-roll deployment on homeserver.yaml change checksum/synapse-config: {{ include (print $.Template.BasePath "/synapse/configmap.yaml") . | sha256sum }} labels: - app.kubernetes.io/name: {{ include "matrix.name" . }} + app.kubernetes.io/name: {{ include "matrix.name" . }}-synapse app.kubernetes.io/instance: {{ .Release.Name }} spec: {{- with .Values.imagePullSecrets }} diff --git a/charts/matrix/templates/synapse/service.yaml b/charts/matrix/templates/synapse/service.yaml index b0b6cdd..d4affce 100644 --- a/charts/matrix/templates/synapse/service.yaml +++ b/charts/matrix/templates/synapse/service.yaml @@ -12,5 +12,5 @@ spec: protocol: TCP name: http selector: - app.kubernetes.io/name: {{ include "matrix.name" . }} + app.kubernetes.io/name: {{ include "matrix.name" . }}-synapse app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index 8e15f75..a6c6a68 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml 
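Review bot: Changing `spec.selector.matchLabels` on an existing Deployment is rejected by the API server — the selector is immutable in `apps/v1` — so `helm upgrade` of a release installed from an earlier revision fails on this hunk and the matching `@@ -16,7 +16,7 @@` template-label change beneath it, even though a fresh install works. The chart should record this as a breaking change that requires deleting and recreating the Deployment (or reinstalling the release), and the commit message's `fix label selectors` understates it. A comment above `matchLabels`, `# changing these labels requires the Deployment to be recreated`, would warn the next editor.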
@@ -158,15 +158,21 @@ synapse: port: 8008 replicaCount: 1 podSecurityContext: {} + resources: {} - securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - +# Riot deployment configuration +riot: + # Set to false to disable a deployment of riot-web. Users will still be able to connect via any other instances of riot-web (such as https://riot.im), riot-desktop, or any other Matrix clients + enabled: true + image: + repository: "bubuntux/riot-web" + tag: v1.5.6 + pullPolicy: IfNotPresent + service: + type: ClusterIP + port: 80 + replicaCount: 1 + podSecurityContext: {} resources: {} imagePullSecrets: [] @@ -178,4 +184,5 @@ ingress: tls: [] hosts: synapse: matrix.chart-example.local + riot: riot.chart-example.local annotations: {} From ce170fbd742bcbbe1aff1c9745ba4d1b97e5bbf1 Mon Sep 17 00:00:00 2001 From: David Cruz Date: Tue, 17 Dec 2019 01:19:09 -0800 Subject: [PATCH 013/105] Remove unused helpers --- charts/matrix/templates/_helpers.tpl | 20 -------------------- 1 file changed, 20 deletions(-) diff --git a/charts/matrix/templates/_helpers.tpl b/charts/matrix/templates/_helpers.tpl index 8c0f92c..c950e24 100644 --- a/charts/matrix/templates/_helpers.tpl +++ b/charts/matrix/templates/_helpers.tpl 
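Review bot: This hunk deletes the whole `synapse.securityContext` block — `capabilities.drop: [ALL]`, `readOnlyRootFilesystem: true`, `runAsNonRoot: true`, `runAsUser: 1000` — which neither the commit subject nor the added content explains. If the synapse deployment template still renders `.Values.synapse.securityContext`, the container now starts with default capabilities and a writable root filesystem; if the template no longer references it, the removal deserves a one-line comment saying so. Restoring the block under `synapse:` (and giving the new `riot:` section the same keys) keeps the hardening defaults the chart started with.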
@@ -36,28 +36,8 @@ Common labels */}} {{- define "matrix.labels" -}} helm.sh/chart: {{ include "matrix.chart" . }} -{{ include "matrix.selectorLabels" . }} {{- if .Chart.AppVersion }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{- end -}} - -{{/* -Selector labels -*/}} -{{- define "matrix.selectorLabels" -}} -app.kubernetes.io/name: {{ include "matrix.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end -}} - -{{/* -Create the name of the service account to use -*/}} -{{- define "matrix.serviceAccountName" -}} -{{- if .Values.serviceAccount.create -}} - {{ default (include "matrix.fullname" .) .Values.serviceAccount.name }} -{{- else -}} - {{ default "default" .Values.serviceAccount.name }} -{{- end -}} -{{- end -}} From d91c9fa4479d746cbaadd6282d1c3cbd4c1af206 Mon Sep 17 00:00:00 2001 From: David Cruz Date: Tue, 17 Dec 2019 12:17:24 -0800 Subject: [PATCH 014/105] Add Riot config file ConfigMap --- charts/matrix/templates/riot/configmap.yaml | 48 ++++++++++++++++++ charts/matrix/templates/riot/deployment.yaml | 12 +++++ charts/matrix/values.yaml | 52 ++++++++++++++++++++ 3 files changed, 112 insertions(+) create mode 100644 charts/matrix/templates/riot/configmap.yaml diff --git a/charts/matrix/templates/riot/configmap.yaml b/charts/matrix/templates/riot/configmap.yaml new file mode 100644 index 0000000..c11b311 --- /dev/null +++ b/charts/matrix/templates/riot/configmap.yaml 
@@ -0,0 +1,48 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "matrix.fullname" . }}-riot-config + labels: +{{ include "matrix.labels" . | nindent 4}} +data: + config.json: | + { + "default_server_name": {{ .Values.matrix.serverName | quote }}, + "brand": {{ .Values.riot.branding.brand | quote }}, + "branding": { + {{- if .Values.riot.branding.welcomeBackgroundUrl }} + "welcomeBackgroundUrl": {{ .Values.riot.branding.welcomeBackgroundUrl | quote }}, + {{- end }} + {{- if .Values.riot.branding.authHeaderLogoUrl }} + "authHeaderLogoUrl": {{ .Values.riot.branding.authHeaderLogoUrl | quote }}, + {{- end }} + {{- if .Values.riot.branding.authFooterLinks }} + "authFooterLinks": {{ .Values.riot.branding.authFooterLinks | toJson }}, + {{- end }} + }, + {{- if .Values.riot.integrations.enabled }} + "integrations_ui_url": {{ .Values.riot.integrations.ui | quote }}, + "integrations_rest_url": {{ .Values.riot.integrations.api | quote }}, + "integrations_widgets_urls": {{ .Values.riot.integrations.widgets | toJson }}, + {{- end }} + {{- if .Values.riot.labs }} {{/* if not empty */}} + "showLabsSettings": true, + {{- else }} + "showLabsSettings": false, + {{- end }} + "features": { + {{- if .Values.riot.labs }} + {{- range initial .Values.riot.labs }} + {{ . | quote }}: "labs", + {{- end }} + {{ last .Values.riot.labs | quote }}: "labs" + {{- end }} + }, + "roomDirectory": { + "servers": {{ .Values.riot.roomDirectoryServers | toJson }} + }, + {{- if .Values.riot.welcomeUserId }} + "welcomeUserId": {{ .Values.riot.welcomeUserId | quote }}, + {{- end }} + "permalinkPrefix": {{ .Values.riot.permalinkPrefix | quote }} + } diff --git a/charts/matrix/templates/riot/deployment.yaml b/charts/matrix/templates/riot/deployment.yaml index bef17cd..e1a562f 100644 --- a/charts/matrix/templates/riot/deployment.yaml +++ b/charts/matrix/templates/riot/deployment.yaml 
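Review bot: Every entry inside `"branding": { … }` ends with a comma, so as soon as one of `welcomeBackgroundUrl`, `authHeaderLogoUrl` or `authFooterLinks` is set the rendered `config.json` contains a trailing comma before `}` and is no longer valid JSON; only the all-empty default renders cleanly. The `features` block already works around this with `initial`/`last`, but the simpler pattern is to assemble the object with `dict`/`set` and let `toJson` serialise and escape it, which also removes the hand-placed quotes and commas for that section.
```yaml
data:
  {{- $branding := dict }}
  {{- with .Values.riot.branding.welcomeBackgroundUrl }}{{ $_ := set $branding "welcomeBackgroundUrl" . }}{{ end }}
  {{- with .Values.riot.branding.authHeaderLogoUrl }}{{ $_ := set $branding "authHeaderLogoUrl" . }}{{ end }}
  {{- with .Values.riot.branding.authFooterLinks }}{{ $_ := set $branding "authFooterLinks" . }}{{ end }}
  config.json: |
    {
      "default_server_name": {{ .Values.matrix.serverName | quote }},
      "brand": {{ .Values.riot.branding.brand | quote }},
      "branding": {{ $branding | toJson }},
      {{/* … unchanged: integrations, showLabsSettings/features, roomDirectory, welcomeUserId … */}}
      "permalinkPrefix": {{ .Values.riot.permalinkPrefix | quote }}
    }
```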
@@ -13,6 +13,9 @@ spec: app.kubernetes.io/instance: {{ .Release.Name }} template: metadata: + annotations: + # re-roll deployment on config change + checksum/riot-config: {{ include (print $.Template.BasePath "/riot/configmap.yaml") . | sha256sum }} labels: app.kubernetes.io/name: {{ include "matrix.name" . }}-riot app.kubernetes.io/instance: {{ .Release.Name }} @@ -31,6 +34,11 @@ spec: - name: http containerPort: 80 protocol: TCP + volumeMounts: + - mountPath: /etc/riot-web/config.json + name: riot-config + subPath: config.json + readOnly: true livenessProbe: httpGet: path: / @@ -43,4 +51,8 @@ spec: resources: {{- toYaml . | nindent 12 }} {{- end }} + volumes: + - name: riot-config + configMap: + name: {{ include "matrix.fullname" . }}-riot-config {{- end }} diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index a6c6a68..e236821 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml 
@@ -164,6 +164,58 @@ synapse: riot: # Set to false to disable a deployment of riot-web. Users will still be able to connect via any other instances of riot-web (such as https://riot.im), riot-desktop, or any other Matrix clients enabled: true + + # Organization/enterprise branding + branding: + # Shown in email notifications + brand: "Riot" + # Background of login splash screen + welcomeBackgroundUrl: "" + # Logo shown at top of login screen + authHeaderLogoUrl: "" + # Array of links to show at the bottom of the login screen + authFooterLinks: [] +# - text: +# url: + + # Integration server configuration + integrations: + # Set to false to disable the Integrations menu (including widgets, bots, and other plugins to Riot) + enabled: true + # UI to load when a user selects the Integrations button at the top-right of a room + ui: "https://scalar.vector.im/" + # API for the integration server + api: "https://scalar.vector.im/api" + # Array of API paths providing widgets + widgets: + - "https://scalar.vector.im/_matrix/integrations/v1" + - "https://scalar.vector.im/api" + - "https://scalar-staging.vector.im/_matrix/integrations/v1" + - "https://scalar-staging.vector.im/api" + - "https://scalar-staging.riot.im/scalar/api" + + # Experimental features in riot-web, see https://github.com/vector-im/riot-web/blob/develop/docs/labs.md + labs: + - feature_pinning + - feature_custom_status + - feature_custom_tags + - feature_state_counters + - feature_many_integration_managers + - feature_mjolnir + - feature_dm_verification + - feature_cross_signing + - feature_event_indexing + + # Servers to show in the Explore menu (the current server is always shown) + roomDirectoryServers: + - matrix.org + + # Set to the user ID (@username:domain.tld) of a bot to invite all new users to a DM with the bot upon registration + welcomeUserId: "" + + # Prefix before permalinks generated when users share links to rooms, users, or messages. 
If running an unfederated Synapse, set the below to the URL of your Riot instance. + permalinkPrefix: "https://matrix.to" + image: repository: "bubuntux/riot-web" tag: v1.5.6 From 9f428ce11f4e61494fb5b07db28d6d7a64833676 Mon Sep 17 00:00:00 2001 From: David Cruz Date: Tue, 17 Dec 2019 15:06:01 -0800 Subject: [PATCH 015/105] Deploy LoadBalancer for federation port 8448 --- charts/matrix/templates/synapse/deployment.yaml | 2 +- .../synapse/federation-loadbalancer.yaml | 17 +++++++++++++++++ charts/matrix/values.yaml | 1 + 3 files changed, 19 insertions(+), 1 deletion(-) create mode 100644 charts/matrix/templates/synapse/federation-loadbalancer.yaml diff --git a/charts/matrix/templates/synapse/deployment.yaml b/charts/matrix/templates/synapse/deployment.yaml index be8bf71..89ae51a 100644 --- a/charts/matrix/templates/synapse/deployment.yaml +++ b/charts/matrix/templates/synapse/deployment.yaml @@ -57,7 +57,7 @@ spec: imagePullPolicy: {{ .Values.synapse.image.pullPolicy }} ports: - name: http - containerPort: 8008 + containerPort: {{ .Values.synapse.service.port }} protocol: TCP volumeMounts: - name: synapse-config diff --git a/charts/matrix/templates/synapse/federation-loadbalancer.yaml b/charts/matrix/templates/synapse/federation-loadbalancer.yaml new file mode 100644 index 0000000..388ed8c --- /dev/null +++ b/charts/matrix/templates/synapse/federation-loadbalancer.yaml @@ -0,0 +1,17 @@ +{{- if .Values.matrix.federation.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "matrix.fullname" . }}-synapse-federation + labels: +{{ include "matrix.labels" . | indent 4 }} +spec: + type: LoadBalancer + ports: + - port: 8448 + targetPort: http + protocol: TCP + selector: + app.kubernetes.io/name: {{ include "matrix.name" . }}-synapse + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} \ No newline at end of file diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index e236821..90edb8d 100644 --- a/charts/matrix/values.yaml 
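Review bot: The defaults enable every experimental `labs` feature listed (`feature_cross_signing`, `feature_event_indexing`, …) and point `integrations` at the public scalar.vector.im service, so a default install runs riot-web's experimental code paths and contacts a third-party integration manager from every client session, which should be an operator's opt-in rather than the baseline. Defaulting `labs: []` and `integrations.enabled: false` while keeping the URLs as the documented example makes the conservative configuration the default; the existing comment on `labs` already links the upstream list. The commented example `# - text:` / `# url:` under `authFooterLinks` is written at column 0, so uncommenting it yields top-level keys rather than list entries — indent it to the list's level.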
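Review bot: The federation Service publishes port 8448 as a `LoadBalancer` with `targetPort: http`, i.e. the same plaintext listener (`tls: false`, `x_forwarded: true`, resources `[client, federation]`) that the Ingress fronts. Remote homeservers expect TLS on 8448, so federation over this endpoint is unlikely to complete without something terminating TLS in front of it, while the client API becomes reachable from outside over plain HTTP, bypassing the Ingress TLS, and the trusted `X-Forwarded-For` header is now spoofable by any external client. Terminate TLS for 8448 (a TLS listener in Synapse fed by the ingress secret, or `.well-known/matrix/server` delegation that reuses the Ingress on 443) and give that listener only the `federation` resource, or default `matrix.federation.enabled` to `false` until it does. The file also lacks a trailing newline.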
+++ b/charts/matrix/values.yaml @@ -41,6 +41,7 @@ matrix: # Settings related to federation federation: # Set to false to disable federation and run an isolated homeserver + # This also deploys a LoadBalancer Service for the federation port (8448) enabled: true # Set to false to disallow members of other homeservers from fetching *public* rooms From 68244255e7813766661b573463a57ee1105b9aea Mon Sep 17 00:00:00 2001 From: David Cruz Date: Tue, 17 Dec 2019 17:26:18 -0800 Subject: [PATCH 016/105] Email + Exim relay configuration --- charts/matrix/templates/exim/deployment.yaml | 44 +++++ charts/matrix/templates/exim/service.yaml | 18 ++ .../matrix/templates/synapse/_homeserver.yaml | 171 ++++++++++-------- charts/matrix/values.yaml | 41 ++++- 4 files changed, 191 insertions(+), 83 deletions(-) create mode 100644 charts/matrix/templates/exim/deployment.yaml create mode 100644 charts/matrix/templates/exim/service.yaml diff --git a/charts/matrix/templates/exim/deployment.yaml b/charts/matrix/templates/exim/deployment.yaml new file mode 100644 index 0000000..b6ddfbb --- /dev/null +++ b/charts/matrix/templates/exim/deployment.yaml 
@@ -0,0 +1,44 @@ +{{- if and .Values.mail.enabled .Values.mail.relay.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "matrix.fullname" . }}-exim-relay + labels: +{{ include "matrix.labels" . | indent 4 }} +spec: + replicas: {{ .Values.mail.relay.replicaCount }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "matrix.name" . }}-exim-relay + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "matrix.name" . }}-exim-relay + app.kubernetes.io/instance: {{ .Release.Name }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + securityContext: + {{- toYaml .Values.mail.relay.podSecurityContext | nindent 8 }} + containers: + - name: "exim-relay" + image: "{{ .Values.mail.relay.image.repository }}:{{ .Values.mail.relay.image.tag }}" + imagePullPolicy: {{ .Values.mail.relay.image.pullPolicy }} + ports: + - name: smtp + containerPort: 8025 + protocol: TCP + livenessProbe: + tcpSocket: + port: 8025 + readinessProbe: + tcpSocket: + port: 8025 + {{- with .Values.mail.relay.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} +{{- end }} diff --git a/charts/matrix/templates/exim/service.yaml b/charts/matrix/templates/exim/service.yaml new file mode 100644 index 0000000..c614c89 --- /dev/null +++ b/charts/matrix/templates/exim/service.yaml @@ -0,0 +1,18 @@ +{{- if and .Values.mail.enabled .Values.mail.relay.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "matrix.fullname" . }}-exim-relay + labels: +{{ include "matrix.labels" . | indent 4 }} +spec: + type: {{ .Values.mail.relay.service.type }} + ports: + - port: {{ .Values.mail.relay.service.port }} + targetPort: smtp + protocol: TCP + name: smtp + selector: + app.kubernetes.io/name: {{ include "matrix.name" . }}-exim-relay + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} 
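Review bot: The relay Service exposes SMTP on `mail.relay.service.port` to every workload in the cluster, and nothing in this hunk or the `exim/service.yaml` hunk restricts who may submit mail, so unless the exim image itself authenticates senders any pod can relay mail as the homeserver's domain. A NetworkPolicy allowing ingress to the `exim-relay` pods only from pods labelled `app.kubernetes.io/name: {{ include "matrix.name" . }}-synapse`, or a values.yaml note that the image must be configured to require authentication, closes that gap; a container-level `securityContext` is missing here as in the other new deployments. The relay's image repository and tag come from values outside this chunk, so pinning cannot be checked from here.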
diff --git a/charts/matrix/templates/synapse/_homeserver.yaml b/charts/matrix/templates/synapse/_homeserver.yaml index 529a01e..5e28160 100644 --- a/charts/matrix/templates/synapse/_homeserver.yaml +++ b/charts/matrix/templates/synapse/_homeserver.yaml 
@@ -1247,86 +1247,97 @@ password_config: # # If your SMTP server requires authentication, the optional smtp_user & # smtp_pass variables should be used -# -#email: -# enable_notifs: false -# smtp_host: "localhost" -# smtp_port: 25 # SSL: 465, STARTTLS: 587 -# smtp_user: "exampleusername" -# smtp_pass: "examplepassword" -# require_transport_security: false -# notif_from: "Your Friendly %(app)s homeserver " -# app_name: Matrix -# -# # Enable email notifications by default -# # -# notif_for_new_users: true -# -# # Defining a custom URL for Riot is only needed if email notifications -# # should contain links to a self-hosted installation of Riot; when set -# # the "app_name" setting is ignored -# # -# riot_base_url: "http://localhost/riot" -# -# # Configure the time that a validation email or text message code -# # will expire after sending -# # -# # This is currently used for password resets -# # -# #validation_token_lifetime: 1h -# -# # Template directory. All template files should be stored within this -# # directory. 
If not set, default templates from within the Synapse -# # package will be used -# # -# # For the list of default templates, please see -# # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates -# # -# #template_dir: res/templates -# -# # Templates for email notifications -# # -# notif_template_html: notif_mail.html -# notif_template_text: notif_mail.txt -# -# # Templates for account expiry notices -# # -# expiry_template_html: notice_expiry.html -# expiry_template_text: notice_expiry.txt -# -# # Templates for password reset emails sent by the homeserver -# # -# #password_reset_template_html: password_reset.html -# #password_reset_template_text: password_reset.txt -# -# # Templates for registration emails sent by the homeserver -# # -# #registration_template_html: registration.html -# #registration_template_text: registration.txt -# -# # Templates for validation emails sent by the homeserver when adding an email to -# # your user account -# # -# #add_threepid_template_html: add_threepid.html -# #add_threepid_template_text: add_threepid.txt -# -# # Templates for password reset success and failure pages that a user -# # will see after attempting to reset their password -# # -# #password_reset_template_success_html: password_reset_success.html -# #password_reset_template_failure_html: password_reset_failure.html -# -# # Templates for registration success and failure pages that a user -# # will see after attempting to register using an email or phone -# # -# #registration_template_success_html: registration_success.html -# #registration_template_failure_html: registration_failure.html -# -# # Templates for success and failure pages that a user will see after attempting -# # to add an email or phone to their account -# # -# #add_threepid_success_html: add_threepid_success.html -# #add_threepid_failure_html: add_threepid_failure.html + +email: + enable_notifs: {{ .Values.mail.enabled }} + notif_from: {{ .Values.mail.from }} + {{- if .Values.mail.relay 
}} + smtp_host: {{ include "matrix.fullname" . }}-exim-relay + smtp_port: {{ .Values.mail.relay.service.port }} + {{- else }} + smtp_host: {{ .Values.mail.external.host }} + smtp_port: {{ .Values.mail.external.port }} + smtp_user: {{ .Values.mail.external.username }} + smtp_pass: {{ .Values.mail.external.password }} + require_transport_security: {{ .Values.mail.external.requireTransportSecurity }} + {{- end }} + app_name: Matrix + + # Enable email notifications by default + # + notif_for_new_users: true + + # Defining a custom URL for Riot is only needed if email notifications + # should contain links to a self-hosted installation of Riot; when set + # the "app_name" setting is ignored + + {{- if .Values.mail.riotUrl }} + riot_base_url: {{ .Values.mail.riotUrl }} + {{- else if .Values.ingress.enabled }} + riot_base_url: {{ .Values.ingress.hosts.riot }} + {{- else }} + riot_base_url: "" + {{- end }} + + # Configure the time that a validation email or text message code + # will expire after sending + # + # This is currently used for password resets + # + #validation_token_lifetime: 1h + + # Template directory. All template files should be stored within this + # directory. 
If not set, default templates from within the Synapse + # package will be used + # + # For the list of default templates, please see + # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates + # + #template_dir: res/templates + + # Templates for email notifications + + notif_template_html: notif_mail.html + notif_template_text: notif_mail.txt + + # Templates for account expiry notices + + expiry_template_html: notice_expiry.html + expiry_template_text: notice_expiry.txt + + # Templates for password reset emails sent by the homeserver + + password_reset_template_html: password_reset.html + password_reset_template_text: password_reset.txt + + # Templates for registration emails sent by the homeserver + + registration_template_html: registration.html + registration_template_text: registration.txt + + # Templates for validation emails sent by the homeserver when adding an email to + # your user account + + add_threepid_template_html: add_threepid.html + add_threepid_template_text: add_threepid.txt + + # Templates for password reset success and failure pages that a user + # will see after attempting to reset their password + + password_reset_template_success_html: password_reset_success.html + password_reset_template_failure_html: password_reset_failure.html + + # Templates for registration success and failure pages that a user + # will see after attempting to register using an email or phone + + registration_template_success_html: registration_success.html + registration_template_failure_html: registration_failure.html + + # Templates for success and failure pages that a user will see after attempting + # to add an email or phone to their account + + add_threepid_success_html: add_threepid_success.html + add_threepid_failure_html: add_threepid_failure.html #password_providers: diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index 90edb8d..f4683b8 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml 
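Review bot: `{{- if .Values.mail.relay }}` tests the `relay` map itself, which values.yaml always defines, so the relay branch is rendered even when `mail.relay.enabled` is false and the `external` block below it is never reached; the exim deployment and service templates test `.Values.mail.relay.enabled`, and this line should match: `{{- if .Values.mail.relay.enabled }}`. `notif_from`, `smtp_host`, `smtp_user` and `smtp_pass` are also emitted as plain scalars, so a value containing `: `, ` #` or a leading indicator breaks or re-types the rendered homeserver.yaml; pipe them through `quote`, e.g. `smtp_pass: {{ .Values.mail.external.password | quote }}`. Where the rendered homeserver.yaml is stored is outside this hunk, but now that `smtp_pass` lands in it, it should be a Secret rather than a ConfigMap. The enclosing `email:` block and the document continue outside the hunk.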
@@ -148,7 +148,7 @@ postgresql: persistence: size: 8Gi -# Synapse deployment configuration +# Synapse Kubernetes resource settings synapse: image: repository: "matrixdotorg/synapse" @@ -161,7 +161,7 @@ synapse: podSecurityContext: {} resources: {} -# Riot deployment configuration +# Riot Web client configuration riot: # Set to false to disable a deployment of riot-web. Users will still be able to connect via any other instances of riot-web (such as https://riot.im), riot-desktop, or any other Matrix clients enabled: true @@ -179,7 +179,7 @@ riot: # - text: # url: - # Integration server configuration + # Riot integrations configuration integrations: # Set to false to disable the Integrations menu (including widgets, bots, and other plugins to Riot) enabled: true @@ -217,6 +217,7 @@ riot: # Prefix before permalinks generated when users share links to rooms, users, or messages. If running an unfederated Synapse, set the below to the URL of your Riot instance. permalinkPrefix: "https://matrix.to" + # Riot Kubernetes resource settings image: repository: "bubuntux/riot-web" tag: v1.5.6 
@@ -228,6 +229,40 @@ riot: podSecurityContext: {} resources: {} +# Settings for email notifications +mail: + # Set to false to disable all email notifications + # NOTE: If enabled, either enable the Exim relay or configure an external mail server below + enabled: true + # Name and email address for outgoing mail + from: "Matrix " + # Optional: Riot instance URL. + # If the ingress is enabled, this is unnecessary. + # If the ingress is disabled and this is left unspecified, emails will contain a link to https://riot.im + riotUrl: "" + + # Exim relay + relay: + enabled: true + image: + repository: "devture/exim-relay" + tag: "4.92.2-r0-0" + pullPolicy: IfNotPresent + service: + type: ClusterIP + port: 25 + replicaCount: 1 + podSecurityContext: {} + resources: {} + + # External mail server + external: + host: "" + port: 25 # SSL: 465, STARTTLS: 587 + username: "" + password: "" + requireTransportSecurity: true + imagePullSecrets: [] nameOverride: "" fullnameOverride: "" From b11f11849c05cf3c6f87e0d82a2dbc5de8c4f76e Mon Sep 17 00:00:00 2001 From: David Cruz Date: Tue, 17 Dec 2019 17:28:57 -0800 Subject: [PATCH 017/105] Change default Synapse service port to 80 --- charts/matrix/templates/synapse/_homeserver.yaml | 2 +- charts/matrix/templates/synapse/deployment.yaml | 2 +- charts/matrix/values.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/matrix/templates/synapse/_homeserver.yaml b/charts/matrix/templates/synapse/_homeserver.yaml index 5e28160..3878302 100644 --- a/charts/matrix/templates/synapse/_homeserver.yaml +++ b/charts/matrix/templates/synapse/_homeserver.yaml @@ -194,7 +194,7 @@ listeners: # If you plan to use a reverse proxy, please see # https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md. # - - port: {{ .Values.synapse.service.port }} + - port: 8008 tls: false type: http x_forwarded: true 
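Review bot: `password: ""` under `external` makes the SMTP credential a plain values.yaml entry that is rendered straight into the release manifest and is visible through `helm get values`; prefer an `existingSecret`-style key that names a Kubernetes Secret and reads the password from it. Until that exists, add a comment above `password` such as `# Stored in plain text in the rendered manifest; prefer an external Secret`. The default `enabled: true` together with `relay.enabled: true` turns on outbound mail for every install, which is worth stating explicitly in the `enabled` comment.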
diff --git a/charts/matrix/templates/synapse/deployment.yaml b/charts/matrix/templates/synapse/deployment.yaml index 89ae51a..be8bf71 100644 --- a/charts/matrix/templates/synapse/deployment.yaml +++ b/charts/matrix/templates/synapse/deployment.yaml @@ -57,7 +57,7 @@ spec: imagePullPolicy: {{ .Values.synapse.image.pullPolicy }} ports: - name: http - containerPort: {{ .Values.synapse.service.port }} + containerPort: 8008 protocol: TCP volumeMounts: - name: synapse-config diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index f4683b8..01e0197 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml @@ -156,7 +156,7 @@ synapse: pullPolicy: IfNotPresent service: type: ClusterIP - port: 8008 + port: 80 replicaCount: 1 podSecurityContext: {} resources: {} From 1ad509daf8cffc8361715c478de38c9784cc6949 Mon Sep 17 00:00:00 2001 From: David Cruz Date: Tue, 17 Dec 2019 17:44:49 -0800 Subject: [PATCH 018/105] Add README.md --- charts/matrix/README.md | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 charts/matrix/README.md diff --git a/charts/matrix/README.md b/charts/matrix/README.md new file mode 100644 index 0000000..b8143dd --- /dev/null +++ b/charts/matrix/README.md 
@@ -0,0 +1,28 @@ +# Matrix Chart + +A Helm chart for deploying a Matrix homeserver stack in Kubernetes. + +## Installation + +```shell script +git clone https://github.com/dacruz21/matrix-chart.git +cd matrix-chart +helm install matrix . +``` + +## Features + +- Latest version of Synapse +- (Optional) Latest version of Riot Web +- (Optional) Choice of lightweight Exim relay or external mail server for email notifications +- Fully configurable via values.yaml +- (Optional) PostgreSQL cluster via stable/postgresql chart +- Ingress definition for Synapse and Riot +- Load balanced federation port for federated homeservers + +## TODO + +- Security hardening including NetworkPolicies +- Coturn (VoIP calls) deployment +- Various dockerized bridges and appservices +- S3 storage for multimedia uploads via Goofys From e3823f03464919456fc21739d4d7e876d5f82abc Mon Sep 17 00:00:00 2001 From: David Cruz Date: Wed, 18 Dec 2019 11:52:28 -0800 Subject: [PATCH 019/105] Run all containers as non-root --- charts/matrix/templates/exim/deployment.yaml | 7 ++++--- charts/matrix/templates/riot/deployment.yaml | 12 +++++++++--- charts/matrix/templates/synapse/deployment.yaml | 15 +++++++++++---- .../synapse/federation-loadbalancer.yaml | 2 +- charts/matrix/values.yaml | 8 +++++--- 5 files changed, 30 insertions(+), 14 deletions(-) diff --git a/charts/matrix/templates/exim/deployment.yaml b/charts/matrix/templates/exim/deployment.yaml index b6ddfbb..c8eda88 100644 --- a/charts/matrix/templates/exim/deployment.yaml +++ b/charts/matrix/templates/exim/deployment.yaml 
@@ -17,12 +17,13 @@ spec: app.kubernetes.io/name: {{ include "matrix.name" . }}-exim-relay app.kubernetes.io/instance: {{ .Release.Name }} spec: - {{- with .Values.imagePullSecrets }} + {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} - {{- end }} + {{- end }} securityContext: - {{- toYaml .Values.mail.relay.podSecurityContext | nindent 8 }} + runAsUser: 100 + runAsGroup: 101 containers: - name: "exim-relay" image: "{{ .Values.mail.relay.image.repository }}:{{ .Values.mail.relay.image.tag }}" diff --git a/charts/matrix/templates/riot/deployment.yaml b/charts/matrix/templates/riot/deployment.yaml index e1a562f..9f3d21b 100644 --- a/charts/matrix/templates/riot/deployment.yaml +++ b/charts/matrix/templates/riot/deployment.yaml @@ -20,12 +20,14 @@ spec: app.kubernetes.io/name: {{ include "matrix.name" . }}-riot app.kubernetes.io/instance: {{ .Release.Name }} spec: - {{- with .Values.imagePullSecrets }} + {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} - {{- end }} + {{- end }} securityContext: - {{- toYaml .Values.riot.podSecurityContext | nindent 8 }} + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 containers: - name: "riot" image: "{{ .Values.riot.image.repository }}:{{ .Values.riot.image.tag }}" @@ -39,6 +41,8 @@ spec: name: riot-config subPath: config.json readOnly: true + - mountPath: /var/cache/nginx + name: nginx-cache livenessProbe: httpGet: path: / @@ -55,4 +59,6 @@ spec: - name: riot-config configMap: name: {{ include "matrix.fullname" . }}-riot-config + - name: nginx-cache + emptyDir: {} {{- end }} diff --git a/charts/matrix/templates/synapse/deployment.yaml b/charts/matrix/templates/synapse/deployment.yaml index be8bf71..d0fca80 100644 --- a/charts/matrix/templates/synapse/deployment.yaml +++ b/charts/matrix/templates/synapse/deployment.yaml 
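Review bot: Replacing the `podSecurityContext` value with a hardcoded `runAsUser: 100` / `runAsGroup: 101` removes the operator's ability to set fsGroup, supplementalGroups or other pod-level fields, and the UIDs are tied to the current image with nothing enforcing non-root if the image changes. Add `runAsNonRoot: true` alongside `runAsUser` so the kubelet refuses to start the container as root, and consider keeping a values override merged over these defaults rather than dropping it. The riot hunk on this line and the synapse hunk on the next line follow the same pattern with UID 1000 and should get the same `runAsNonRoot: true`.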
@@ -19,12 +19,14 @@ spec: app.kubernetes.io/name: {{ include "matrix.name" . }}-synapse app.kubernetes.io/instance: {{ .Release.Name }} spec: - {{- with .Values.imagePullSecrets }} + {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} - {{- end }} + {{- end }} securityContext: - {{- toYaml .Values.synapse.podSecurityContext | nindent 8 }} + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 # generate signing key only on fresh install {{- if .Release.IsInstall }} initContainers: @@ -50,11 +52,16 @@ spec: mountPath: /data - name: signing-key mountPath: /data/keys - {{- end }} # end if .Release.IsInstall + {{- end }} {{/* end if .Release.IsInstall */}} containers: - name: "synapse" image: "{{ .Values.synapse.image.repository }}:{{ .Values.synapse.image.tag }}" imagePullPolicy: {{ .Values.synapse.image.pullPolicy }} + env: + - name: UID + value: "1000" + - name: GID + value: "1000" ports: - name: http containerPort: 8008 diff --git a/charts/matrix/templates/synapse/federation-loadbalancer.yaml b/charts/matrix/templates/synapse/federation-loadbalancer.yaml index 388ed8c..614af3b 100644 --- a/charts/matrix/templates/synapse/federation-loadbalancer.yaml +++ b/charts/matrix/templates/synapse/federation-loadbalancer.yaml @@ -14,4 +14,4 @@ spec: selector: app.kubernetes.io/name: {{ include "matrix.name" . }}-synapse app.kubernetes.io/instance: {{ .Release.Name }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index 01e0197..a3e1696 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml @@ -148,6 +148,11 @@ postgresql: persistence: size: 8Gi + securityContext: + enabled: true + runAsUser: 1000 + fsGroup: 1000 + # Synapse Kubernetes resource settings synapse: image: @@ -158,7 +163,6 @@ synapse: type: ClusterIP port: 80 replicaCount: 1 - podSecurityContext: {} resources: {} # Riot Web client configuration 
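Review bot: The new `env` entries `UID=1000` / `GID=1000` carry no comment explaining why they duplicate the pod-level `runAsUser`/`runAsGroup` just above; presumably the synapse image entrypoint reads them to choose the user it runs as (confirm against the image), and with the pod already running as 1000 any chown or user switch it attempts cannot succeed, so volume ownership has to come from `fsGroup: 1000`. Add a comment such as `# Keep in sync with runAsUser/runAsGroup above; the image entrypoint reads UID/GID`. The synapse container spec continues outside the hunk.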
@@ -226,7 +230,6 @@ riot: type: ClusterIP port: 80 replicaCount: 1 - podSecurityContext: {} resources: {} # Settings for email notifications @@ -252,7 +255,6 @@ mail: type: ClusterIP port: 25 replicaCount: 1 - podSecurityContext: {} resources: {} # External mail server From c7b03f6b3042ca7056391a319a54c87b1f1192f6 Mon Sep 17 00:00:00 2001 From: David Cruz Date: Wed, 18 Dec 2019 13:09:30 -0800 Subject: [PATCH 020/105] Drop all capabilities --- charts/matrix/templates/exim/deployment.yaml | 4 ++++ charts/matrix/templates/riot/deployment.yaml | 4 ++++ charts/matrix/templates/synapse/deployment.yaml | 4 ++++ 3 files changed, 12 insertions(+) diff --git a/charts/matrix/templates/exim/deployment.yaml b/charts/matrix/templates/exim/deployment.yaml index c8eda88..9853576 100644 --- a/charts/matrix/templates/exim/deployment.yaml +++ b/charts/matrix/templates/exim/deployment.yaml @@ -38,6 +38,10 @@ spec: readinessProbe: tcpSocket: port: 8025 + securityContext: + capabilities: + drop: + - ALL {{- with .Values.mail.relay.resources }} resources: {{- toYaml . | nindent 12 }} diff --git a/charts/matrix/templates/riot/deployment.yaml b/charts/matrix/templates/riot/deployment.yaml index 9f3d21b..0ed8e08 100644 --- a/charts/matrix/templates/riot/deployment.yaml +++ b/charts/matrix/templates/riot/deployment.yaml @@ -51,6 +51,10 @@ spec: httpGet: path: / port: http + securityContext: + capabilities: + drop: + - ALL {{- with .Values.riot.resources }} resources: {{- toYaml . | nindent 12 }} diff --git a/charts/matrix/templates/synapse/deployment.yaml b/charts/matrix/templates/synapse/deployment.yaml index d0fca80..4696116 100644 --- a/charts/matrix/templates/synapse/deployment.yaml +++ b/charts/matrix/templates/synapse/deployment.yaml @@ -83,6 +83,10 @@ spec: httpGet: path: /_matrix/static/ port: http + securityContext: + capabilities: + drop: + - ALL {{- with .Values.synapse.resources }} resources: {{- toYaml . | nindent 12 }} 
From 16007b4fa0be02dc3d73c1f535a01128e75a1af0 Mon Sep 17 00:00:00 2001 From: David Cruz Date: Wed, 18 Dec 2019 13:20:06 -0800 Subject: [PATCH 021/105] Fix Riot (nginx) by modifying port and mounting temp files as volumes --- charts/matrix/templates/riot/configmap.yaml | 74 ++++++++++++++++++++ charts/matrix/templates/riot/deployment.yaml | 19 ++++- 2 files changed, 90 insertions(+), 3 deletions(-) diff --git a/charts/matrix/templates/riot/configmap.yaml b/charts/matrix/templates/riot/configmap.yaml index c11b311..7e92084 100644 --- a/charts/matrix/templates/riot/configmap.yaml +++ b/charts/matrix/templates/riot/configmap.yaml 
@@ -46,3 +46,77 @@ data: {{- end }} "permalinkPrefix": {{ .Values.riot.permalinkPrefix | quote }} } + nginx.conf: | + worker_processes auto; + + error_log /var/log/nginx/error.log warn; + pid /var/run/pid/nginx.pid; + + events { + worker_connections 1024; + } + + http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65; + + #gzip on; + + include /etc/nginx/conf.d/*.conf; + } + default.conf: | + server { + listen 8080; + server_name localhost; + + #charset koi8-r; + #access_log /var/log/nginx/host.access.log main; + + location / { + root /usr/share/nginx/html; + index index.html index.htm; + } + + #error_page 404 /404.html; + + # redirect server error pages to the static page /50x.html + # + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/share/nginx/html; + } + + # proxy the PHP scripts to Apache listening on 127.0.0.1:80 + # + #location ~ \.php$ { + # proxy_pass http://127.0.0.1; + #} + + # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 + # + #location ~ \.php$ { + # root html; + # fastcgi_pass 127.0.0.1:9000; + # fastcgi_index index.php; + # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; + # include fastcgi_params; + #} + + # deny access to .htaccess files, if Apache's document root + # concurs with nginx's one + # + #location ~ /\.ht { + # deny all; + #} + } \ No newline at end of file diff --git a/charts/matrix/templates/riot/deployment.yaml b/charts/matrix/templates/riot/deployment.yaml index 0ed8e08..8557b8d 100644 --- a/charts/matrix/templates/riot/deployment.yaml +++ b/charts/matrix/templates/riot/deployment.yaml 
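Review bot: The `http` block leaves nginx's default `server_tokens on` in place, so the server version is advertised in the `Server` header and error pages; add `server_tokens off;` after `keepalive_timeout 65;`. The commented PHP/FastCGI and `.htaccess` stanzas in `default.conf` are copied nginx boilerplate with no relevance to a static riot-web site and should be dropped to keep the shipped config reviewable. The file also ends without a trailing newline, which the diff flags.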
@@ -34,15 +34,27 @@ spec: imagePullPolicy: {{ .Values.riot.image.pullPolicy }} ports: - name: http - containerPort: 80 + containerPort: 8080 protocol: TCP volumeMounts: - mountPath: /etc/riot-web/config.json name: riot-config subPath: config.json readOnly: true + - mountPath: /etc/nginx/nginx.conf + name: riot-config + subPath: nginx.conf + readOnly: true + - mountPath: /etc/nginx/conf.d/default.conf + name: riot-config + subPath: default.conf + readOnly: true - mountPath: /var/cache/nginx - name: nginx-cache + name: ephemeral + subPath: cache + - mountPath: /var/run/pid + name: ephemeral + subPath: pid livenessProbe: httpGet: path: / @@ -63,6 +75,7 @@ spec: - name: riot-config configMap: name: {{ include "matrix.fullname" . }}-riot-config - - name: nginx-cache + # ephemeral cache, PID file, and any other temporary files nginx needs access to + - name: ephemeral emptyDir: {} {{- end }} From f5a129a599a9bf7c1c1cfc2ccb73adae392d76ac Mon Sep 17 00:00:00 2001 From: David Cruz Date: Wed, 18 Dec 2019 13:43:55 -0800 Subject: [PATCH 022/105] Set root filesystems as read-only, mount /tmp on synapse --- charts/matrix/templates/exim/deployment.yaml | 1 + charts/matrix/templates/riot/deployment.yaml | 1 + charts/matrix/templates/synapse/deployment.yaml | 5 +++++ 3 files changed, 7 insertions(+) diff --git a/charts/matrix/templates/exim/deployment.yaml b/charts/matrix/templates/exim/deployment.yaml index 9853576..419fe52 100644 --- a/charts/matrix/templates/exim/deployment.yaml +++ b/charts/matrix/templates/exim/deployment.yaml @@ -42,6 +42,7 @@ spec: capabilities: drop: - ALL + readOnlyRootFilesystem: true {{- with .Values.mail.relay.resources }} resources: {{- toYaml . | nindent 12 }} diff --git a/charts/matrix/templates/riot/deployment.yaml b/charts/matrix/templates/riot/deployment.yaml index 8557b8d..1020050 100644 --- a/charts/matrix/templates/riot/deployment.yaml +++ b/charts/matrix/templates/riot/deployment.yaml 
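Review bot: `readOnlyRootFilesystem: true` is added to the relay container without any writable mount, whereas the synapse change in the same patch mounts `/tmp` as an emptyDir; Exim normally needs a writable spool and log directory (typically `/var/spool/exim` and `/var/log/exim`, but confirm the paths used by the `devture/exim-relay` image), and with a read-only root, queued or deferred messages cannot be written. Mount an `emptyDir` at the spool path (and at any log or run directory the image uses), in the same way the riot deployment mounts its `ephemeral` volume. The relay container spec continues outside the hunk.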
@@ -67,6 +67,7 @@ spec: capabilities: drop: - ALL + readOnlyRootFilesystem: true {{- with .Values.riot.resources }} resources: {{- toYaml . | nindent 12 }} diff --git a/charts/matrix/templates/synapse/deployment.yaml b/charts/matrix/templates/synapse/deployment.yaml index 4696116..0f3b3f3 100644 --- a/charts/matrix/templates/synapse/deployment.yaml +++ b/charts/matrix/templates/synapse/deployment.yaml @@ -75,6 +75,8 @@ spec: mountPath: /data/media_store - name: uploads mountPath: /data/uploads + - name: tmp + mountPath: /tmp livenessProbe: httpGet: path: /_matrix/static/ @@ -87,6 +89,7 @@ spec: capabilities: drop: - ALL + readOnlyRootFilesystem: true {{- with .Values.synapse.resources }} resources: {{- toYaml . | nindent 12 }} @@ -104,3 +107,5 @@ spec: # Ephemeral in-progress uploads - name: uploads emptyDir: {} + - name: tmp + emptyDir: {} From d882d74e709b1baa39a97f8b6cd0ce197552f14b Mon Sep 17 00:00:00 2001 From: David Cruz Date: Wed, 18 Dec 2019 13:45:20 -0800 Subject: [PATCH 023/105] Disallow privilege escalation --- charts/matrix/templates/exim/deployment.yaml | 1 + charts/matrix/templates/riot/deployment.yaml | 1 + charts/matrix/templates/synapse/deployment.yaml | 1 + 3 files changed, 3 insertions(+) diff --git a/charts/matrix/templates/exim/deployment.yaml b/charts/matrix/templates/exim/deployment.yaml index 419fe52..079c8d7 100644 --- a/charts/matrix/templates/exim/deployment.yaml +++ b/charts/matrix/templates/exim/deployment.yaml @@ -43,6 +43,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + allowPrivilegeEscalation: false {{- with .Values.mail.relay.resources }} resources: {{- toYaml . | nindent 12 }} diff --git a/charts/matrix/templates/riot/deployment.yaml b/charts/matrix/templates/riot/deployment.yaml index 1020050..997f507 100644 --- a/charts/matrix/templates/riot/deployment.yaml +++ b/charts/matrix/templates/riot/deployment.yaml 
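Review bot: With `readOnlyRootFilesystem: true` on the riot container, the nginx config added in the previous commit still points `error_log` and `access_log` at `/var/log/nginx/`, which this deployment does not mount; whether that works depends on the image (upstream nginx images ship those files as symlinks to stdout/stderr — confirm for the riot-web image in use). If they are regular files, either add an `ephemeral` subPath mount for `/var/log/nginx` or change the config to `access_log /dev/stdout main;` and `error_log /dev/stderr warn;`. The container spec continues outside the hunk.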
@@ -68,6 +68,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + allowPrivilegeEscalation: false {{- with .Values.riot.resources }} resources: {{- toYaml . | nindent 12 }} diff --git a/charts/matrix/templates/synapse/deployment.yaml b/charts/matrix/templates/synapse/deployment.yaml index 0f3b3f3..8bdf1da 100644 --- a/charts/matrix/templates/synapse/deployment.yaml +++ b/charts/matrix/templates/synapse/deployment.yaml @@ -90,6 +90,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + allowPrivilegeEscalation: false {{- with .Values.synapse.resources }} resources: {{- toYaml . | nindent 12 }} From 3ad67eebbc70946ac7c7d63d44b8fc1b2305cabf Mon Sep 17 00:00:00 2001 From: David Cruz Date: Wed, 18 Dec 2019 14:48:11 -0800 Subject: [PATCH 024/105] Configure NetworkPolicies --- .../matrix/templates/exim/network-policy.yaml | 22 +++++++++++++++++++ .../templates/postgresql/network-policy.yaml | 22 +++++++++++++++++++ .../matrix/templates/riot/network-policy.yaml | 15 +++++++++++++ .../templates/synapse/network-policy.yaml | 15 +++++++++++++ charts/matrix/values.yaml | 3 +++ 5 files changed, 77 insertions(+) create mode 100644 charts/matrix/templates/exim/network-policy.yaml create mode 100644 charts/matrix/templates/postgresql/network-policy.yaml create mode 100644 charts/matrix/templates/riot/network-policy.yaml create mode 100644 charts/matrix/templates/synapse/network-policy.yaml diff --git a/charts/matrix/templates/exim/network-policy.yaml b/charts/matrix/templates/exim/network-policy.yaml new file mode 100644 index 0000000..500907e --- /dev/null +++ b/charts/matrix/templates/exim/network-policy.yaml 
@@ -0,0 +1,22 @@
+{{- if and .Values.networkPolicies.enabled .Values.mail.relay.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "matrix.fullname" . }}-exim-relay
+ labels:
+{{ include "matrix.labels" . | indent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "matrix.fullname" . }}-exim-relay
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "matrix.name" . }}-synapse
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ ports:
+ - port: smtp
+ protocol: TCP
+{{- end }}
diff --git a/charts/matrix/templates/postgresql/network-policy.yaml b/charts/matrix/templates/postgresql/network-policy.yaml
new file mode 100644
index 0000000..d78cd3f
--- /dev/null
+++ b/charts/matrix/templates/postgresql/network-policy.yaml
@@ -0,0 +1,22 @@
+{{- if and .Values.networkPolicies.enabled .Values.postgresql.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "matrix.fullname" . }}-postgresql
+ labels:
+{{ include "matrix.labels" . | indent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "postgresql.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "matrix.name" . }}-synapse
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ ports:
+ - port: tcp-postgresql
+ protocol: TCP
+{{- end }}
diff --git a/charts/matrix/templates/riot/network-policy.yaml b/charts/matrix/templates/riot/network-policy.yaml
new file mode 100644
index 0000000..220b347
--- /dev/null
+++ b/charts/matrix/templates/riot/network-policy.yaml
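Review bot: The exim policy's `podSelector` uses `{{ include "matrix.fullname" . }}-exim-relay` for `app.kubernetes.io/name`, but the exim deployment labels its pods `{{ include "matrix.name" . }}-exim-relay` (the `from` rule in the same policy correctly uses `matrix.name` for synapse); unless fullname and name happen to coincide, the selector matches no pod and the policy is a no-op, leaving the relay reachable from any pod in the namespace. Change it to `app.kubernetes.io/name: {{ include "matrix.name" . }}-exim-relay`. The riot and synapse policies on the next line have the same fullname/name mismatch. The postgresql policy's `{{ include "postgresql.name" . }}` presumably comes from the subchart's helpers and cannot be checked here.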
@@ -0,0 +1,15 @@
+{{- if and .Values.networkPolicies.enabled .Values.riot.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "matrix.fullname" . }}-riot
+ labels:
+{{ include "matrix.labels" . | indent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "matrix.fullname" . }}-riot
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ policyTypes:
+ - Ingress
+{{- end }}
diff --git a/charts/matrix/templates/synapse/network-policy.yaml b/charts/matrix/templates/synapse/network-policy.yaml
new file mode 100644
index 0000000..3f588ad
--- /dev/null
+++ b/charts/matrix/templates/synapse/network-policy.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "matrix.fullname" . }}-synapse
+ labels:
+{{ include "matrix.labels" . | indent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "matrix.fullname" . }}-synapse
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ policyTypes:
+ - Ingress
+{{- end }}
diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml
index a3e1696..c01a8d8 100644
--- a/charts/matrix/values.yaml
+++ b/charts/matrix/values.yaml
@@ -269,6 +269,9 @@ imagePullSecrets: [] nameOverride: "" fullnameOverride: "" +networkPolicies: + enabled: true + ingress: enabled: true tls: [] From 7839c74fa5e1664b7e1e42f1dc509967f4082c06 Mon Sep 17 00:00:00 2001 From: David Cruz Date: Wed, 18 Dec 2019 16:17:34 -0800 Subject: [PATCH 025/105] Update README --- charts/matrix/README.md | 1 - 1 file changed, 1 deletion(-)
diff --git a/charts/matrix/README.md b/charts/matrix/README.md
index b8143dd..09f7d9a 100644
--- a/charts/matrix/README.md
+++ b/charts/matrix/README.md
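Review bot: Both the riot and synapse policies declare `policyTypes: [Ingress]` with no `ingress` rules, which is a default-deny of all ingress to the selected pods — including traffic from the ingress controller and from whatever fronts the federation port — and `networkPolicies.enabled: true` is the default in the values.yaml hunk on this line. Today this is masked by the `matrix.fullname` selector matching no pods, but once the selector is corrected a fresh install would be unreachable. Add explicit `ingress.from` entries (a namespace/pod selector for the ingress controller, and an `ipBlock` or port rule for the federation path if it is exposed directly), or default `networkPolicies.enabled` to `false` and document the allow-list the operator must supply.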
@@ -22,7 +22,6 @@ helm install matrix . ## TODO -- Security hardening including NetworkPolicies - Coturn (VoIP calls) deployment - Various dockerized bridges and appservices - S3 storage for multimedia uploads via Goofys From 35bca2ac8b9936b309247d4793e11e621963bd9b Mon Sep 17 00:00:00 2001 From: David Cruz Date: Fri, 17 Jan 2020 15:54:23 -0800 Subject: [PATCH 026/105] Update synapse + riot + exim image tags --- charts/matrix/values.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index c01a8d8..ee59c36 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml @@ -157,7 +157,7 @@ postgresql: synapse: image: repository: "matrixdotorg/synapse" - tag: v1.7.0 + tag: v1.8.0 pullPolicy: IfNotPresent service: type: ClusterIP @@ -223,8 +223,8 @@ riot: # Riot Kubernetes resource settings image: - repository: "bubuntux/riot-web" - tag: v1.5.6 + repository: "vectorim/riot-web" + tag: v1.5.7 pullPolicy: IfNotPresent service: type: ClusterIP From fc59ade54877fd5d63524a989565e639e52d2ccd Mon Sep 17 00:00:00 2001 
From: David Cruz Date: Fri, 24 Jan 2020 14:12:43 -0800 Subject: [PATCH 027/105] Coturn server for VoIP calls --- charts/matrix/README.md | 9 +-- charts/matrix/templates/_helpers.tpl | 11 ++++ charts/matrix/templates/coturn/_helpers.tpl | 12 ++++ charts/matrix/templates/coturn/configmap.yaml | 28 +++++++++ .../matrix/templates/coturn/deployment.yaml | 62 +++++++++++++++++++ .../templates/coturn/network-policy.yaml | 15 +++++ charts/matrix/templates/coturn/service.yaml | 24 +++++++ .../matrix/templates/synapse/_homeserver.yaml | 30 ++++----- charts/matrix/values.yaml | 28 ++++++++- 9 files changed, 192 insertions(+), 27 deletions(-) create mode 100644 charts/matrix/templates/coturn/_helpers.tpl create mode 100644 charts/matrix/templates/coturn/configmap.yaml create mode 100644 charts/matrix/templates/coturn/deployment.yaml create mode 100644 charts/matrix/templates/coturn/network-policy.yaml create mode 100644 charts/matrix/templates/coturn/service.yaml diff --git a/charts/matrix/README.md b/charts/matrix/README.md index 09f7d9a..c49869c 100644 --- a/charts/matrix/README.md +++ b/charts/matrix/README.md @@ -15,13 +15,8 @@ helm install matrix . - Latest version of Synapse - (Optional) Latest version of Riot Web - (Optional) Choice of lightweight Exim relay or external mail server for email notifications -- Fully configurable via values.yaml +- (Optional) Coturn TURN server for VoIP calls - (Optional) PostgreSQL cluster via stable/postgresql chart +- Fully configurable via values.yaml - Ingress definition for Synapse and Riot - Load balanced federation port for federated homeservers - -## TODO - -- Coturn (VoIP calls) deployment -- Various dockerized bridges and appservices -- S3 storage for multimedia uploads via Goofys diff --git a/charts/matrix/templates/_helpers.tpl b/charts/matrix/templates/_helpers.tpl index c950e24..2f7fc52 100644 --- a/charts/matrix/templates/_helpers.tpl +++ b/charts/matrix/templates/_helpers.tpl 
@@ -41,3 +41,14 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{- end -}} + +{{/* +Synapse base URL, derived from either the Values.matrix.baseUrl override or the Ingress definition +*/}} +{{- define "matrix.baseUrl" -}} +{{- if .Values.matrix.baseUrl }} +{{- .Values.matrix.baseUrl -}} +{{- else }} +{{- .Values.ingress.hosts.synapse -}} +{{- end }} +{{- end }} diff --git a/charts/matrix/templates/coturn/_helpers.tpl b/charts/matrix/templates/coturn/_helpers.tpl new file mode 100644 index 0000000..8438021 --- /dev/null +++ b/charts/matrix/templates/coturn/_helpers.tpl @@ -0,0 +1,12 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Shared secret for the Coturn server +*/}} +{{- define "matrix.coturn.sharedSecret" -}} +{{- if .Values.coturn.sharedSecret }} +{{- .Values.coturn.sharedSecret -}} +{{- else }} +{{- randAlphaNum 64 -}} +{{- end }} +{{- end -}} + diff --git a/charts/matrix/templates/coturn/configmap.yaml b/charts/matrix/templates/coturn/configmap.yaml new file mode 100644 index 0000000..6f6b36d --- /dev/null +++ b/charts/matrix/templates/coturn/configmap.yaml @@ -0,0 +1,28 @@ +{{- if .Values.coturn.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "matrix.fullname" . }}-coturn-config + labels: +{{ include "matrix.labels" . | nindent 4}} +data: + turnserver.conf: | + use-auth-secret + static-auth-secret={{ include "matrix.coturn.sharedSecret" . }} + realm=turn.{{ .Values.matrix.serverName }} + + min-port={{ .Values.coturn.ports.from }} + max-port={{ .Values.coturn.ports.to }} + + log-file=stdout + pidfile=/var/tmp/turnserver.pid + userdb=/var/tmp/turnserver.db + + no-cli + + no-tls + no-dtls + + prod + no-tcp-relay +{{- end }} \ No newline at end of file diff --git a/charts/matrix/templates/coturn/deployment.yaml b/charts/matrix/templates/coturn/deployment.yaml new file mode 100644 index 0000000..c48e049 --- /dev/null 
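Review bot: `matrix.coturn.sharedSecret` falls back to `randAlphaNum 64`, and every `include` of the helper evaluates that call afresh, so with the default `sharedSecret: ""` the value rendered into `static-auth-secret` in coturn/configmap.yaml and the one rendered into `turn_shared_secret` in synapse/_homeserver.yaml are two different random strings, and both change again on each `helm upgrade`; Synapse-issued TURN credentials will then never validate against Coturn. Either make the value mandatory, `{{- required "coturn.sharedSecret must be set" .Values.coturn.sharedSecret -}}`, or generate it once into a Secret and read it back with `lookup` on later renders, with both templates consuming that one object. The values.yaml comment `Optional, will be auto-generated if not overridden here.` should state that the generated value is per-render until that is fixed.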
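Review bot: `static-auth-secret={{ include "matrix.coturn.sharedSecret" . }}` places the TURN shared secret in a ConfigMap, which is readable by anyone with `get configmaps` in the namespace and is outside the RBAC and encryption-at-rest boundary that Secrets get. Render `turnserver.conf` from a `kind: Secret` (via `stringData`) and mount that in coturn/deployment.yaml instead; the checksum annotation there would then hash the Secret template. The hunk ends with `\ No newline at end of file`, which is worth fixing while touching the file.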
+++ b/charts/matrix/templates/coturn/deployment.yaml @@ -0,0 +1,62 @@ +{{- if .Values.coturn.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "matrix.fullname" . }}-coturn + labels: +{{ include "matrix.labels" . | indent 4 }} +spec: + replicas: {{ .Values.coturn.replicaCount }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "matrix.name" . }}-coturn + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + annotations: + # re-roll deployment on config change + checksum/coturn-config: {{ include (print $.Template.BasePath "/coturn/configmap.yaml") . | sha256sum }} + labels: + app.kubernetes.io/name: {{ include "matrix.name" . }}-coturn + app.kubernetes.io/instance: {{ .Release.Name }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + containers: + - name: "coturn" + image: "{{ .Values.coturn.image.repository }}:{{ .Values.coturn.image.tag }}" + imagePullPolicy: {{ .Values.coturn.image.pullPolicy }} + args: ["-c", "/turnserver.conf"] + ports: + - name: turn + containerPort: 3478 + protocol: UDP + volumeMounts: + - name: coturn-config + mountPath: /turnserver.conf + subPath: turnserver.conf + readOnly: true + - name: var-tmp + mountPath: /var/tmp + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + {{- with .Values.coturn.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + volumes: + - name: coturn-config + configMap: + name: {{ include "matrix.fullname" . }}-coturn-config + - name: var-tmp + emptyDir: {} +{{- end }} diff --git a/charts/matrix/templates/coturn/network-policy.yaml b/charts/matrix/templates/coturn/network-policy.yaml new file mode 100644 index 0000000..91cad26 --- /dev/null +++ b/charts/matrix/templates/coturn/network-policy.yaml 
@@ -0,0 +1,15 @@ +{{- if and .Values.networkPolicies.enabled .Values.coturn.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ include "matrix.fullname" . }}-coturn + labels: +{{ include "matrix.labels" . | indent 4 }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: {{ include "matrix.fullname" . }}-coturn + app.kubernetes.io/instance: {{ .Release.Name }} + policyTypes: + - Ingress +{{- end }} diff --git a/charts/matrix/templates/coturn/service.yaml b/charts/matrix/templates/coturn/service.yaml new file mode 100644 index 0000000..935dd1e --- /dev/null +++ b/charts/matrix/templates/coturn/service.yaml @@ -0,0 +1,24 @@ +{{- if .Values.coturn.enabled }} +{{- $portRange := untilStep (int .Values.coturn.ports.from) (int (add1 .Values.coturn.ports.to)) 1 -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "matrix.fullname" . }}-coturn + labels: +{{ include "matrix.labels" . | indent 4 }} +spec: + type: {{ .Values.coturn.service.type }} + ports: + {{- range $portRange }} + - port: {{ . }} + targetPort: {{ . }} + {{- if eq $.Values.coturn.service.type "NodePort" }} + nodePort: {{ . }} + {{- end }} + protocol: UDP + name: turn-{{ . }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "matrix.name" . }}-coturn + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/matrix/templates/synapse/_homeserver.yaml b/charts/matrix/templates/synapse/_homeserver.yaml index 3878302..0246685 100644 --- a/charts/matrix/templates/synapse/_homeserver.yaml +++ b/charts/matrix/templates/synapse/_homeserver.yaml 
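Review bot: The `podSelector` matches `app.kubernetes.io/name: {{ include "matrix.fullname" . }}-coturn`, but the pods from coturn/deployment.yaml are labelled `app.kubernetes.io/name: {{ include "matrix.name" . }}-coturn`, so unless the release name makes fullname and name coincide the policy selects nothing and is a no-op; bridge-whatsapp/network-policy.yaml in the later commit carries the same `fullname`/`name` mismatch. Once the selector is corrected, `policyTypes: [Ingress]` with no `ingress:` rules denies all inbound traffic to Coturn, including the client UDP traffic the Service exposes, so an explicit rule is needed, e.g. `ingress:` / `- ports:` / `- protocol: UDP` covering 3478 and the relay range.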
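Review bot: The Service only publishes the relay range `.Values.coturn.ports.from`..`.to` (49152–49172 by default); the listening port 3478/UDP declared as `containerPort` in coturn/deployment.yaml is not in the list, and the `turn_uris` entry Synapse advertises carries no explicit port, so clients will try 3478 and never reach the pod through this Service. In NodePort mode each entry also sets `nodePort: {{ . }}` to the same number, and 49152–49172 lies outside the default `--service-node-port-range` (30000–32767), so the API server rejects the object unless the cluster's range was widened; the values.yaml comment on `ports` should say so. Add a fixed entry `- port: 3478`, `targetPort: 3478`, `protocol: UDP` named `turn` ahead of the range loop.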
@@ -23,11 +23,7 @@ pid_file: /data/homeserver.pid # use synapse with a reverse proxy, this should be the URL to reach # synapse via the proxy. # -{{- if .Values.matrix.baseUrl }} -public_baseurl: {{ .Values.matrix.baseUrl }} -{{- else }} -public_baseurl: {{ .Values.ingress.hosts.synapse }} -{{- end }} +public_baseurl: {{ include "matrix.baseUrl" . }} # Set the soft limit on the number of file descriptors synapse can use # Zero is used to indicate synapse should set the soft limit to the # hard limit. @@ -36,7 +32,7 @@ public_baseurl: {{ .Values.ingress.hosts.synapse }} # Set to false to disable presence tracking on this homeserver. # -use_presence: {{ .Values.matrix.enablePresence }} +use_presence: {{ .Values.matrix.presence }} # Whether to require authentication to retrieve profile data (avatars, # display names) of other users through the client API. Defaults to 
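Review bot: `use_presence: {{ .Values.matrix.presence }}` reads a key this commit does not add to values.yaml (its values.yaml hunks touch only the `baseUrl` comment and the new `coturn` block), so if values.yaml still declares `enablePresence` this renders as an empty `use_presence:` and Synapse receives null where it expects a boolean. Either keep `use_presence: {{ .Values.matrix.enablePresence }}` or rename the key in values.yaml in the same commit. The enclosing homeserver config continues outside the hunk.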
@@ -746,34 +742,30 @@ max_spider_size: {{ .Values.matrix.urlPreviews.rules.maxSize }} #recaptcha_siteverify_api: "https://www.recaptcha.net/recaptcha/api/siteverify" +{{- if .Values.coturn.enabled }} ## TURN ## # The public URIs of the TURN server to give to clients -# -#turn_uris: [] + +turn_uris: + - "turn:{{ include "matrix.baseUrl" . }}?transport=udp" # The shared secret used to compute passwords for the TURN server -# -#turn_shared_secret: "YOUR_SHARED_SECRET" -# The Username and password if the TURN server needs them and -# does not use a token -# -#turn_username: "TURNSERVER_USERNAME" -#turn_password: "TURNSERVER_PASSWORD" +turn_shared_secret: {{ include "matrix.coturn.sharedSecret" . }} # How long generated TURN credentials last -# -#turn_user_lifetime: 1h + +turn_user_lifetime: 1h # Whether guests should be allowed to use the TURN server. # This defaults to True, otherwise VoIP will be unreliable for guests. # However, it does introduce a slight security risk as it allows users to # connect to arbitrary endpoints without having first signed up for a # valid account (e.g. by passing a CAPTCHA). -# -#turn_allow_guests: true +turn_allow_guests: {{ .Values.coturn.allowGuests }} +{{- end }} ## Registration ## # diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index ee59c36..c521f7a 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml @@ -14,7 +14,7 @@ matrix: telemetry: false # URL where Synapse can be reached. - # This is *optional* if an Ingress is configured below. If baseUrl is unspecified, the first host of the + # This is *optional* if an Ingress is configured below. If baseUrl is unspecified, the Synapse hostname of the # Ingress will be used # baseUrl: "matrix.example.com" 
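Review bot: `turn_uris` is built from `matrix.baseUrl`, the host clients use to reach Synapse, while Coturn is exposed through its own NodePort Service with realm `turn.<serverName>`; the URI is only correct when that host also routes UDP to the Coturn nodes, and if `baseUrl` is ever supplied with a scheme (its values.yaml comment calls it a URL) the result `turn:https://…` is invalid. A dedicated `coturn.host` value with a comment on the routing requirement would be clearer. `turn_shared_secret: {{ include "matrix.coturn.sharedSecret" . }}` is also unquoted, so an operator-supplied secret containing `#`, `: ` or a leading indicator changes the YAML parse; write `turn_shared_secret: {{ include "matrix.coturn.sharedSecret" . | quote }}`.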
@@ -232,6 +232,32 @@ riot: replicaCount: 1 resources: {} +# Settings for Coturn TURN relay, used for routing voice calls +coturn: + # Set to false to disable Coturn + enabled: true + + # Whether to allow guests to use the TURN server + allowGuests: true + + # Shared secret for communication between Synapse and Coturn. + # Optional, will be auto-generated if not overridden here. + sharedSecret: "" + + # UDP port range for TURN connections + ports: + from: 49152 + to: 49172 + + image: + repository: "instrumentisto/coturn" + tag: "4.5.1.1" + pullPolicy: IfNotPresent + service: + type: NodePort + replicaCount: 1 + resources: {} + # Settings for email notifications mail: # Set to false to disable all email notifications From 03514bbb6c26f9986536b5844a32170967b5d0ac Mon Sep 17 00:00:00 2001 From: David Cruz Date: Fri, 24 Jan 2020 14:23:24 -0800 Subject: [PATCH 028/105] Update Synapse -> v1.9.0 --- charts/matrix/values.yaml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index c521f7a..e6d9a81 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml @@ -1,7 +1,3 @@ -# Default values for matrix. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - # Runtime configuration for Synapse and settings related to the Matrix protocol matrix: # Domain name of the server @@ -157,7 +153,7 @@ postgresql: synapse: image: repository: "matrixdotorg/synapse" - tag: v1.8.0 + tag: v1.9.0 pullPolicy: IfNotPresent service: type: ClusterIP From cb8bd51c1cbeb6812d5c834eb3129ad38e5c55d5 Mon Sep 17 00:00:00 2001 
From: David Cruz Date: Sat, 1 Feb 2020 20:37:35 -0800 Subject: [PATCH 029/105] Add WhatsApp Bridge Add https://github.com/tulir/mautrix-whatsapp and start laying some groundwork for future bridges. Bridge is disabled by default. --- .../templates/bridge-whatsapp/configmap.yaml | 181 ++++++++++++++++++ .../templates/bridge-whatsapp/data-pvc.yaml | 14 ++ .../templates/bridge-whatsapp/deployment.yaml | 107 +++++++++++ .../bridge-whatsapp/network-policy.yaml | 22 +++ .../templates/bridge-whatsapp/service.yaml | 18 ++ charts/matrix/templates/bridges-pvc.yaml | 14 ++ .../matrix/templates/synapse/_homeserver.yaml | 5 +- .../matrix/templates/synapse/deployment.yaml | 6 + .../templates/synapse/network-policy.yaml | 11 +- charts/matrix/values.yaml | 85 ++++++++ 10 files changed, 460 insertions(+), 3 deletions(-) create mode 100644 charts/matrix/templates/bridge-whatsapp/configmap.yaml create mode 100644 charts/matrix/templates/bridge-whatsapp/data-pvc.yaml create mode 100644 charts/matrix/templates/bridge-whatsapp/deployment.yaml create mode 100644 charts/matrix/templates/bridge-whatsapp/network-policy.yaml create mode 100644 charts/matrix/templates/bridge-whatsapp/service.yaml create mode 100644 charts/matrix/templates/bridges-pvc.yaml diff --git a/charts/matrix/templates/bridge-whatsapp/configmap.yaml b/charts/matrix/templates/bridge-whatsapp/configmap.yaml new file mode 100644 index 0000000..754ba71 --- /dev/null +++ b/charts/matrix/templates/bridge-whatsapp/configmap.yaml 
@@ -0,0 +1,181 @@ +{{- if .Values.bridges.whatsapp.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "matrix.fullname" . }}-whatsapp-config + labels: + {{ include "matrix.labels" . | nindent 4}} +data: + config.yaml: | + # Homeserver details. + homeserver: + # The address that this appservice can use to connect to the homeserver. + address: http://{{ include "matrix.fullname" . }}-synapse + # The domain of the homeserver (for MXIDs, etc). + domain: {{ .Values.matrix.serverName }} + + # Application service host/registration related details. + # Changing these values requires regeneration of the registration. + appservice: + # The address that the homeserver can use to connect to this appservice. + address: http://{{ include "matrix.fullname" . }}-bridge-whatsapp:{{ .Values.bridges.whatsapp.service.port }} + + # The hostname and port where this appservice should listen. + hostname: 0.0.0.0 + port: 29318 + + # Database config. + database: + # The database type. "sqlite3" and "postgres" are supported. + type: sqlite3 + # The database URI. + # SQLite: File name is enough. https://github.com/mattn/go-sqlite3#connection-string + # Postgres: Connection string. For example, postgres://user:password@host/database + uri: /data/mautrix-whatsapp.db + # Maximum number of connections. Mostly relevant for Postgres. + max_open_conns: 20 + max_idle_conns: 2 + + # The unique ID of this appservice. + id: whatsapp + # Appservice bot details. + bot: + # Username of the appservice bot. + username: {{ .Values.bridges.whatsapp.bot.username }} + # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty + # to leave display name/avatar as-is. + displayname: {{ .Values.bridges.whatsapp.bot.displayname }} + avatar: {{ .Values.bridges.whatsapp.bot.avatar }} + + # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify. 
+ as_token: "This value is generated when generating the registration" + hs_token: "This value is generated when generating the registration" + + # Bridge config + bridge: + # Localpart template of MXIDs for WhatsApp users. + # {{ "{{.}}" }} is replaced with the phone number of the WhatsApp user. + username_template: {{ .Values.bridges.whatsapp.users.username | quote }} + # Displayname template for WhatsApp users. + displayname_template: {{ .Values.bridges.whatsapp.users.displayName | quote }} + # Localpart template for per-user room grouping community IDs. + # The bridge will create these communities and add all of the specific user's portals to the community. + community_template: {{ .Values.bridges.whatsapp.communityName | quote }} + + # WhatsApp connection timeout in seconds. + connection_timeout: {{ .Values.bridges.whatsapp.connection.timeout }} + # Number of times to regenerate QR code when logging in. + # The regenerated QR code is sent as an edit and essentially multiplies the login timeout (20 seconds) + login_qr_regen_count: {{ .Values.bridges.whatsapp.connection.qrRegenCount }} + # Maximum number of times to retry connecting on connection error. + max_connection_attempts: {{ .Values.bridges.whatsapp.connection.maxAttempts }} + # Number of seconds to wait between connection attempts. + # Negative numbers are exponential backoff: -connection_retry_delay + 1 + 2^attempts + connection_retry_delay: {{ .Values.bridges.whatsapp.connection.retryDelay }} + # Whether or not the bridge should send a notice to the user's management room when it retries connecting. + # If false, it will only report when it stops retrying. + report_connection_retry: {{ .Values.bridges.whatsapp.connection.reportRetry }} + # Maximum number of seconds to wait for chats to be sent at startup. + # If this is too low and you have lots of chats, it could cause backfilling to fail. 
+ chat_list_wait: 30 + # Maximum number of seconds to wait to sync portals before force unlocking message processing. + # If this is too low and you have lots of chats, it could cause backfilling to fail. + portal_sync_wait: 600 + + # Whether or not to send call start/end notices to Matrix. + call_notices: + start: {{ .Values.bridges.whatsapp.callNotices }} + end: {{ .Values.bridges.whatsapp.callNotices }} + + # Number of chats to sync for new users. + initial_chat_sync_count: 10 + # Number of old messages to fill when creating new portal rooms. + initial_history_fill_count: 20 + # Maximum number of chats to sync when recovering from downtime. + # Set to -1 to sync all new chats during downtime. + recovery_chat_sync_limit: -1 + # Whether or not to sync history when recovering from downtime. + recovery_history_backfill: true + # Maximum number of seconds since last message in chat to skip + # syncing the chat in any case. This setting will take priority + # over both recovery_chat_sync_limit and initial_chat_sync_count. + # Default is 3 days = 259200 seconds + sync_max_chat_age: 259200 + + # Whether or not to sync with custom puppets to receive EDUs that + # are not normally sent to appservices. + sync_with_custom_puppets: true + # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth + # + # If set, custom puppets will be enabled automatically for local users + # instead of users having to find an access token and run `login-matrix` + # manually. + login_shared_secret: null + + # Whether or not to invite own WhatsApp user's Matrix puppet into private + # chat portals when backfilling if needed. + # This always uses the default puppet instead of custom puppets due to + # rate limits and timestamp massaging. + invite_own_puppet_for_backfilling: true + # Whether or not to explicitly set the avatar and room name for private + # chat portal rooms. This can be useful if the previous field works fine, + # but causes room avatar/name bugs. 
+ private_chat_portal_meta: false + + # Allow invite permission for user. User can invite any bots to room with whatsapp + # users (private chat and groups) + allow_user_invite: false + + # The prefix for commands. Only required in non-management rooms. + command_prefix: "!wa" + + # Permissions for using the bridge. + # Permitted values: + # relaybot - Talk through the relaybot (if enabled), no access otherwise + # user - Access to use the bridge to chat with a WhatsApp account. + # admin - User level and some additional administration tools + # Permitted keys: + # * - All Matrix users + # domain - All users on that homeserver + # mxid - Specific user + permissions: + "*": relaybot + "example.com": user + "@admin:example.com": admin + + relaybot: + # Whether or not relaybot support is enabled. + enabled: {{ .Values.bridges.whatsapp.relaybot.enabled }} + # The management room for the bot. This is where all status notifications are posted and + # in this room, you can use `!wa ` instead of `!wa relaybot `. Omitting + # the command prefix completely like in user management rooms is not possible. + management: {{ .Values.bridges.whatsapp.relaybot.management }} + # List of users to invite to all created rooms that include the relaybot. + invites: {{ .Values.bridges.whatsapp.relaybot.invites }} + # The formats to use when sending messages to WhatsApp via the relaybot. + message_formats: + m.text: "{{ "{{ .Sender.Displayname }}" }}: {{ "{{ .Message }}" }}" + m.notice: "{{ "{{ .Sender.Displayname }}" }}: {{ "{{ .Message }}" }}" + m.emote: "* {{ "{{ .Sender.Displayname }}" }} {{ "{{ .Message }}" }}" + m.file: "{{ "{{ .Sender.Displayname }}" }} sent a file" + m.image: "{{ "{{ .Sender.Displayname }}" }} sent an image" + m.audio: "{{ "{{ .Sender.Displayname }}" }} sent an audio file" + m.video: "{{ "{{ .Sender.Displayname }}" }} sent a video" + m.location: "{{ "{{ .Sender.Displayname }}" }} sent a location" + + # Logging config. + logging: + # The directory for log files. 
Will be created if not found. + directory: /tmp + # Available variables: .Date for the file date and .Index for different log files on the same day. + file_name_format: "{{ "{{.Date}}-{{.Index}}" }}.log" + # Date format for file names in the Go time format: https://golang.org/pkg/time/#pkg-constants + file_date_format: 2006-01-02 + # Log file permissions. + file_mode: 0600 + # Timestamp format for log entries in the Go time format. + timestamp_format: Jan _2, 2006 15:04:05 + # Minimum severity for log messages. + # Options: debug, info, warn, error, fatal + print_level: debug +{{- end }} diff --git a/charts/matrix/templates/bridge-whatsapp/data-pvc.yaml b/charts/matrix/templates/bridge-whatsapp/data-pvc.yaml new file mode 100644 index 0000000..12f3822 --- /dev/null +++ b/charts/matrix/templates/bridge-whatsapp/data-pvc.yaml @@ -0,0 +1,14 @@ +{{- if .Values.bridges.whatsapp.enabled }} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ include "matrix.fullname" . }}-whatsapp-data + labels: +{{ include "matrix.labels" . | indent 4}} +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .Values.bridges.whatsapp.data.capacity }} +{{- end }} diff --git a/charts/matrix/templates/bridge-whatsapp/deployment.yaml b/charts/matrix/templates/bridge-whatsapp/deployment.yaml new file mode 100644 index 0000000..3977866 --- /dev/null +++ b/charts/matrix/templates/bridge-whatsapp/deployment.yaml 
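Review bot: `management: {{ .Values.bridges.whatsapp.relaybot.management }}` is rendered unquoted, and the default `"#foo:example.com"` therefore becomes `management: #foo:example.com`, which YAML reads as a comment and a null value; use `| quote`. `invites: {{ .Values.bridges.whatsapp.relaybot.invites }}` has the same class of problem for non-empty lists (Go prints `[a b]`, not YAML) and should use `| toJson`, and `displayname: {{ .Values.bridges.whatsapp.bot.displayname }}` reads a lowercase key while values.yaml defines `bot.displayName`, so the display name always renders empty. The `permissions:` block is hard-coded to `"*": relaybot`, `"example.com": user`, `"@admin:example.com": admin` even though the commit adds `bridges.whatsapp.permissions` to values.yaml; render it with `toYaml .Values.bridges.whatsapp.permissions | nindent` at the key's indentation so the example.com admin grant does not ship in every release.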
@@ -0,0 +1,107 @@ +{{- if .Values.bridges.whatsapp.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "matrix.fullname" . }}-bridge-whatsapp + labels: +{{ include "matrix.labels" . | indent 4 }} +spec: + replicas: {{ .Values.bridges.whatsapp.replicaCount }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "matrix.name" . }}-bridge-whatsapp + app.kubernetes.io/instance: {{ .Release.Name }} + matrix-chart/allow-synapse-access: allow + template: + metadata: + annotations: + # re-roll deployment on config change + checksum/whatsapp-config: {{ include (print $.Template.BasePath "/bridge-whatsapp/configmap.yaml") . | sha256sum }} + labels: + app.kubernetes.io/name: {{ include "matrix.name" . }}-bridge-whatsapp + app.kubernetes.io/instance: {{ .Release.Name }} + matrix-chart/allow-synapse-access: allow + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + initContainers: + - name: "load-config" + image: "{{ .Values.bridges.whatsapp.image.repository }}:{{ .Values.bridges.whatsapp.image.tag }}" + imagePullPolicy: {{ .Values.bridges.whatsapp.image.pullPolicy }} + command: ["sh"] + args: ["-c", "cp /load/config.yaml /data/config.yaml"] + volumeMounts: + - name: data + mountPath: /data + - name: config + mountPath: /load + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + - name: "generate-config" + image: "{{ .Values.bridges.whatsapp.image.repository }}:{{ .Values.bridges.whatsapp.image.tag }}" + imagePullPolicy: {{ .Values.bridges.whatsapp.image.pullPolicy }} + command: ["mautrix-whatsapp"] + args: ["-g", "-c", "/data/config.yaml", "-r", "/bridges/whatsapp.yaml"] + volumeMounts: + - name: data + mountPath: /data + - name: bridges + mountPath: /bridges + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + 
allowPrivilegeEscalation: false + {{- with .Values.bridges.whatsapp.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + containers: + - name: "bridge-whatsapp" + image: "{{ .Values.bridges.whatsapp.image.repository }}:{{ .Values.bridges.whatsapp.image.tag }}" + imagePullPolicy: {{ .Values.bridges.whatsapp.image.pullPolicy }} + command: ["mautrix-whatsapp"] + args: ["-c", "/data/config.yaml"] + ports: + - name: bridge + containerPort: 29318 + protocol: TCP + volumeMounts: + - name: data + mountPath: /data + - name: tmp + mountPath: /tmp + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + {{- with .Values.bridges.whatsapp.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + volumes: + - name: data + persistentVolumeClaim: + claimName: "{{ include "matrix.fullname" . }}-whatsapp-data" + - name: config + configMap: + name: "{{ include "matrix.fullname" . }}-whatsapp-config" + - name: bridges + persistentVolumeClaim: + claimName: "{{ include "matrix.fullname" . }}-bridges" + - name: tmp + emptyDir: {} +{{- end }} diff --git a/charts/matrix/templates/bridge-whatsapp/network-policy.yaml b/charts/matrix/templates/bridge-whatsapp/network-policy.yaml new file mode 100644 index 0000000..f2298d1 --- /dev/null +++ b/charts/matrix/templates/bridge-whatsapp/network-policy.yaml 
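Review bot: `load-config` copies the ConfigMap over `/data/config.yaml` on every pod start and `generate-config` then runs `mautrix-whatsapp -g`, which, as far as I know, writes fresh `as_token`/`hs_token` values into the config and into `/bridges/whatsapp.yaml`; Synapse reads `app_service_config_files` only at its own start-up, so after any bridge restart the tokens on the two sides diverge until Synapse is restarted too. Guard the generation step on the registration file not yet existing, and merge rather than overwrite the config so the generated tokens survive the copy, or derive both tokens from a Secret that both sides read. The registration with its tokens lives on the shared `bridges` PVC mounted into Synapse; that is the intended channel but it should be stated in a comment on the volume.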
@@ -0,0 +1,22 @@ +{{- if and .Values.networkPolicies.enabled .Values.bridges.whatsapp.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ include "matrix.fullname" . }}-bridge-whatsapp + labels: +{{ include "matrix.labels" . | indent 4 }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: {{ include "matrix.fullname" . }}-bridge-whatsapp + app.kubernetes.io/instance: {{ .Release.Name }} + ingress: + - from: + - podSelector: + matchLabels: + app.kubernetes.io/name: {{ include "matrix.name" . }}-synapse + app.kubernetes.io/instance: {{ .Release.Name }} + ports: + - port: bridge + protocol: TCP +{{- end }} diff --git a/charts/matrix/templates/bridge-whatsapp/service.yaml b/charts/matrix/templates/bridge-whatsapp/service.yaml new file mode 100644 index 0000000..54e8fe4 --- /dev/null +++ b/charts/matrix/templates/bridge-whatsapp/service.yaml @@ -0,0 +1,18 @@ +{{- if .Values.bridges.whatsapp.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "matrix.fullname" . }}-bridge-whatsapp + labels: +{{ include "matrix.labels" . | indent 4 }} +spec: + type: {{ .Values.bridges.whatsapp.service.type }} + ports: + - port: {{ .Values.bridges.whatsapp.service.port }} + targetPort: bridge + protocol: TCP + name: bridge + selector: + app.kubernetes.io/name: {{ include "matrix.name" . }}-bridge-whatsapp + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/matrix/templates/bridges-pvc.yaml b/charts/matrix/templates/bridges-pvc.yaml new file mode 100644 index 0000000..6da0982 --- /dev/null +++ b/charts/matrix/templates/bridges-pvc.yaml @@ -0,0 +1,14 @@ +{{- if .Values.bridges.whatsapp.enabled }} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ include "matrix.fullname" . }}-bridges + labels: +{{ include "matrix.labels" . | indent 4}} +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 1Mi +{{- end }} 
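Review bot: bridges-pvc.yaml requests `accessModes: [ReadWriteMany]` with no `storageClassName`, so it relies on the cluster's default StorageClass supporting RWX, which block-backed defaults generally do not; the claim then stays Pending and both the Synapse and the bridge pods, which mount it, fail to start. Expose `storageClassName` through values.yaml with a comment stating the RWX requirement, or avoid the shared volume by passing the registration through a Secret. The `1Mi` request is also smaller than some provisioners accept or will round up; document that constraint next to it.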
diff --git a/charts/matrix/templates/synapse/_homeserver.yaml b/charts/matrix/templates/synapse/_homeserver.yaml index 0246685..dae0b63 100644 --- a/charts/matrix/templates/synapse/_homeserver.yaml +++ b/charts/matrix/templates/synapse/_homeserver.yaml @@ -1001,7 +1001,10 @@ report_stats: {{ .Values.matrix.telemetry }} # A list of application service config files to use # -#app_service_config_files: +{{- if .Values.bridges.whatsapp.enabled }} +app_service_config_files: + - "/bridges/whatsapp.yaml" +{{- end }} # - app_service_1.yaml # - app_service_2.yaml diff --git a/charts/matrix/templates/synapse/deployment.yaml b/charts/matrix/templates/synapse/deployment.yaml index 8bdf1da..48e0f93 100644 --- a/charts/matrix/templates/synapse/deployment.yaml +++ b/charts/matrix/templates/synapse/deployment.yaml @@ -73,6 +73,9 @@ spec: mountPath: /data/keys - name: media-store mountPath: /data/media_store + - name: bridges + mountPath: /bridges + readOnly: true - name: uploads mountPath: /data/uploads - name: tmp @@ -105,6 +108,9 @@ spec: - name: media-store persistentVolumeClaim: claimName: {{ include "matrix.fullname" . }}-media-store + - name: bridges + persistentVolumeClaim: + claimName: {{ include "matrix.fullname" . }}-bridges # Ephemeral in-progress uploads - name: uploads emptyDir: {} diff --git a/charts/matrix/templates/synapse/network-policy.yaml b/charts/matrix/templates/synapse/network-policy.yaml index 3f588ad..d177e4e 100644 --- a/charts/matrix/templates/synapse/network-policy.yaml +++ b/charts/matrix/templates/synapse/network-policy.yaml @@ -10,6 +10,13 @@ spec: matchLabels: app.kubernetes.io/name: {{ include "matrix.fullname" . }}-synapse app.kubernetes.io/instance: {{ .Release.Name }} - policyTypes: - - Ingress + ingress: + - from: + - podSelector: + matchLabels: + matrix-chart/allow-synapse-access: allow + app.kubernetes.io/instance: {{ .Release.Name }} + ports: + - port: http + protocol: TCP {{- end }} 
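Review bot: The new `ingress:` rule in synapse/network-policy.yaml admits only pods labelled `matrix-chart/allow-synapse-access: allow` on the `http` port; traffic from the ingress controller, from Riot, and the federation port listed in the README are not covered, so once the `podSelector` (which, like the coturn policy, uses `fullname` where the deployment labels use `name`) actually matches the Synapse pods, external client and federation access is cut off. Add rules for the ingress-controller namespace/pods and the federation port, or scope this policy to the bridge port only. The federation-port claim comes from the README's "Load balanced federation port" line, not from this hunk.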
diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index e6d9a81..939388b 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml 
@@ -287,6 +287,91 @@ mail: password: "" requireTransportSecurity: true +bridges: + whatsapp: + # Set to true to enable the WhatsApp bridge + enabled: false + + # Username and display name of the WhatsApp bridge bot + bot: + username: "whatsappbot" + displayName: "WhatsApp bridge bot" + avatar: "mxc://maunium.net/NeXNQarUbrlYBiPCpprYsRqr" + + # Permissions for using the bridge. + # Permitted values: + # relaybot - Talk through the relaybot (if enabled), no access otherwise + # user - Access to use the bridge to chat with a WhatsApp account. + # admin - User level and some additional administration tools + # Permitted keys: + # * - All Matrix users + # domain - All users on that homeserver + # mxid - Specific user + permissions: + "*": relaybot + + # WhatsApp server connection settings + connection: + # WhatsApp server connection timeout (seconds) + timeout: 20 + # Number of QR codes to store, essentially multiplying the connection timeout + qrRegenCount: 2 + # Maximum number of connection attempts before failing + maxAttempts: 3 + # Retry delay + # Negative numbers are exponential backoff: -connection_retry_delay + 1 + 2^attempts + retryDelay: -1 + # Whether or not to notify the user when attempting to reconnect. Set to false to only report when maxAttempts has been reached + reportRetry: true + + # Send notifications for incoming calls + callNotices: true + + users: + # Username for WhatsApp users + # Evaluated as a template where {{ . 
}} is replaced with the phone number of the WhatsApp user + username: "whatsapp_{{.}}" + + # Display name for WhatsApp users + # Evaluated as a template, with variables: + # {{.Notify}} - nickname set by the WhatsApp user + # {{.Jid}} - phone number (international format) + # The following variables are also available, but will cause problems on multi-user instances: + # {{.Name}} - display name from contact list + # {{.Short}} - short display name from contact list + displayName: "{{if .Notify}}{{.Notify}}{{else}}{{.Jid}}{{end}} (WA)" + + # Display name for communities. + # A community will be automatically generated for each user using the bridge, and can be used to group WhatsApp chats together + # Evaluated as a template, with variables: + # {{.Localpart}} - MXID localpart + # {{.Server}} - MXID server part of the user. + communityName: "whatsapp_{{.Localpart}}={{.Server}}" + + relaybot: + # Set to true to enable the relaybot and management room + enabled: false + + # Management room for the relay bot where status notifications are posted + management: "#foo:example.com" + + # Users to invite to the management room automatically + invites: [] + + data: + # Size of the PVC to allocate for the SQLite database + capacity: 512Mi + + image: + repository: "dock.mau.dev/tulir/mautrix-whatsapp" + tag: "latest" + pullPolicy: Always + replicaCount: 1 + resources: {} + service: + type: ClusterIP + port: 29318 + imagePullSecrets: [] nameOverride: "" fullnameOverride: "" From d60e24059ce5b435bcca330c466df78cf5cc53b1 Mon Sep 17 00:00:00 2001 
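Review bot: `tag: "latest"` combined with `pullPolicy: Always` in the `image:` block means each pod restart may pull a different, unreviewed build of the bridge and the rendered manifest no longer records what is running; default to a pinned release tag and let operators opt in to `latest`. The Discord bridge values added later in this series carry the same default. The `permissions:` map is the bridge's access-control list, and its default `"*": relaybot` is the most restrictive level documented above it, which is a sound default; a one-line comment that `domain` and `mxid` keys must be quoted when added would save operators from the unquoted-`*` YAML trap shown in the existing entry. `management: "#foo:example.com"` is a placeholder that becomes live as soon as `relaybot.enabled` is flipped; mark it as a required override in the comment above it.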
From: David Cruz Date: Sat, 1 Feb 2020 22:19:11 -0800 Subject: [PATCH 030/105] Fix Coturn ports Added port 3748 to Coturn and configured as a NodePort. This is the default port for STUN connections, ports 49152-49172 are only used after a connection has been established and authenticated. --- charts/matrix/templates/coturn/deployment.yaml | 8 +++++++- charts/matrix/templates/coturn/service.yaml | 5 +++++ 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/charts/matrix/templates/coturn/deployment.yaml b/charts/matrix/templates/coturn/deployment.yaml index c48e049..8cc37bf 100644 --- a/charts/matrix/templates/coturn/deployment.yaml +++ b/charts/matrix/templates/coturn/deployment.yaml @@ -1,4 +1,5 @@ {{- if .Values.coturn.enabled }} +{{- $portRange := untilStep (int .Values.coturn.ports.from) (int (add1 .Values.coturn.ports.to)) 1 -}} apiVersion: apps/v1 kind: Deployment metadata: @@ -33,9 +34,14 @@ spec: imagePullPolicy: {{ .Values.coturn.image.pullPolicy }} args: ["-c", "/turnserver.conf"] ports: - - name: turn + - name: turn-3478 containerPort: 3478 protocol: UDP + {{- range $portRange }} + - name: turn-{{ . }} + containerPort: {{ . }} + protocol: UDP + {{- end }} volumeMounts: - name: coturn-config mountPath: /turnserver.conf diff --git a/charts/matrix/templates/coturn/service.yaml b/charts/matrix/templates/coturn/service.yaml index 935dd1e..034f586 100644 --- a/charts/matrix/templates/coturn/service.yaml +++ b/charts/matrix/templates/coturn/service.yaml @@ -9,6 +9,11 @@ metadata: spec: type: {{ .Values.coturn.service.type }} ports: + - port: 3478 + targetPort: turn-3478 + nodePort: 3478 + protocol: UDP + name: turn-3478 {{- range $portRange }} - port: {{ . }} targetPort: {{ . }} From 69244b86bf13c8109905bc08c1a0a35558003a06 Mon Sep 17 00:00:00 2001 
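Review bot: `nodePort: 3478` in the service.yaml hunk lies outside the kube-apiserver default `--service-node-port-range` (30000-32767), so the Service is rejected on a stock cluster unless that range was widened; either make the node port configurable from values or document the requirement beside the field, e.g. `# requires 3478 to be inside --service-node-port-range`. The commit message says port 3748 where both hunks use 3478. The `{{- range $portRange }}` loop that follows the inserted block depends on `$portRange` being defined earlier in service.yaml, outside this hunk, so that file should be checked after the deployment.yaml hunk introduced its own copy of the definition.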
From: David Cruz Date: Sat, 1 Feb 2020 22:24:36 -0800 Subject: [PATCH 031/105] Fix Pending Synapse pod Fixed Synapse being stuck in pending when bridges were disabled, due to it waiting for the bridge registration file PVC. --- charts/matrix/templates/synapse/deployment.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/charts/matrix/templates/synapse/deployment.yaml b/charts/matrix/templates/synapse/deployment.yaml index 48e0f93..0679da9 100644 --- a/charts/matrix/templates/synapse/deployment.yaml +++ b/charts/matrix/templates/synapse/deployment.yaml @@ -73,9 +73,11 @@ spec: mountPath: /data/keys - name: media-store mountPath: /data/media_store + {{- if .Values.bridges.whatsapp.enabled }} - name: bridges mountPath: /bridges readOnly: true + {{- end }} - name: uploads mountPath: /data/uploads - name: tmp @@ -108,9 +110,11 @@ spec: - name: media-store persistentVolumeClaim: claimName: {{ include "matrix.fullname" . }}-media-store + {{- if .Values.bridges.whatsapp.enabled }} - name: bridges persistentVolumeClaim: claimName: {{ include "matrix.fullname" . }}-bridges + {{- end }} # Ephemeral in-progress uploads - name: uploads emptyDir: {} From d7270cd6ebaefc384abbc1952cf5bd495c5bcd3c Mon Sep 17 00:00:00 2001 From: David Cruz Date: Sat, 1 Feb 2020 22:29:59 -0800 Subject: [PATCH 032/105] Change federation service default type to NodePort LoadBalancers usually spin up additional infrastructure, which can be expensive. Change the default type to a NodePort for fewer heart attacks. --- .../{federation-loadbalancer.yaml => federation-svc.yaml} | 4 ++-- charts/matrix/values.yaml | 4 ++++ 2 files changed, 6 insertions(+), 2 deletions(-) rename charts/matrix/templates/synapse/{federation-loadbalancer.yaml => federation-svc.yaml} (77%) 
diff --git a/charts/matrix/templates/synapse/federation-loadbalancer.yaml b/charts/matrix/templates/synapse/federation-svc.yaml similarity index 77% rename from charts/matrix/templates/synapse/federation-loadbalancer.yaml rename to charts/matrix/templates/synapse/federation-svc.yaml index 614af3b..e6b9d52 100644 --- a/charts/matrix/templates/synapse/federation-loadbalancer.yaml +++ b/charts/matrix/templates/synapse/federation-svc.yaml @@ -6,9 +6,9 @@ metadata: labels: {{ include "matrix.labels" . | indent 4 }} spec: - type: LoadBalancer + type: {{ .Values.synapse.service.federation.type }} ports: - - port: 8448 + - port: {{ .Values.synapse.service.federation.port }} targetPort: http protocol: TCP selector: diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index 939388b..8daa271 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml @@ -158,6 +158,10 @@ synapse: service: type: ClusterIP port: 80 + federation: + type: NodePort + # Warning! By spec, federation must be available at :8448. Only change this if Synapse is running behind another proxy + port: 8448 replicaCount: 1 resources: {} From f92135a2cfb3b354c6fd1de94062a592630680e5 Mon Sep 17 00:00:00 2001 
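Review bot: In federation-svc.yaml `port:` is the Service's cluster port, not the node port, so changing the default `type` to NodePort publishes federation on a random port in the 30000-32767 range rather than on :8448; the values.yaml comment `federation must be available at :8448` is therefore not met by this default on its own. Either add a configurable `nodePort` field next to `port` or extend the comment to say that with NodePort an external proxy or SRV/.well-known delegation must still present :8448 to peers. Both `type` and `port` are rendered unquoted from values; that is fine for these values, but an empty `type` renders as null and fails validation, which the comment could mention.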
From: David Cruz Date: Sun, 16 Feb 2020 15:37:10 -0800 Subject: [PATCH 033/105] Add Discord bridge --- .../templates/bridge-discord/_helpers.tpl | 11 ++ .../templates/bridge-discord/configmap.yaml | 109 ++++++++++++++++++ .../templates/bridge-discord/data-pvc.yaml | 14 +++ .../templates/bridge-discord/deployment.yaml | 84 ++++++++++++++ .../bridge-discord/network-policy.yaml | 22 ++++ .../templates/bridge-discord/service.yaml | 18 +++ .../templates/bridge-whatsapp/deployment.yaml | 1 + charts/matrix/templates/bridges-pvc.yaml | 2 +- .../matrix/templates/synapse/_homeserver.yaml | 9 +- .../matrix/templates/synapse/deployment.yaml | 4 +- charts/matrix/values.yaml | 66 ++++++++++- 11 files changed, 333 insertions(+), 7 deletions(-) create mode 100644 charts/matrix/templates/bridge-discord/_helpers.tpl create mode 100644 charts/matrix/templates/bridge-discord/configmap.yaml create mode 100644 charts/matrix/templates/bridge-discord/data-pvc.yaml create mode 100644 charts/matrix/templates/bridge-discord/deployment.yaml create mode 100644 charts/matrix/templates/bridge-discord/network-policy.yaml create mode 100644 charts/matrix/templates/bridge-discord/service.yaml diff --git a/charts/matrix/templates/bridge-discord/_helpers.tpl b/charts/matrix/templates/bridge-discord/_helpers.tpl new file mode 100644 index 0000000..2c94255 --- /dev/null +++ b/charts/matrix/templates/bridge-discord/_helpers.tpl @@ -0,0 +1,11 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Shared secret for the discord server +*/}} +{{- define "matrix.discord.as_token" -}} +{{- randAlphaNum 64 -}} +{{- end -}} + +{{- define "matrix.discord.hs_token" -}} +{{- randAlphaNum 64 -}} +{{- end -}} diff --git a/charts/matrix/templates/bridge-discord/configmap.yaml b/charts/matrix/templates/bridge-discord/configmap.yaml new file mode 100644 index 0000000..9f97c0b --- /dev/null +++ b/charts/matrix/templates/bridge-discord/configmap.yaml 
@@ -0,0 +1,109 @@ +{{- if .Values.bridges.discord.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "matrix.fullname" . }}-discord-config + labels: + {{ include "matrix.labels" . | nindent 4}} +data: + config.yaml: | + bridge: + # Domain part of the bridge, e.g. matrix.org + domain: {{ .Values.matrix.serverName }} + # This should be your publically facing URL because Discord may use it to + # fetch media from the media store. + homeserverUrl: "https://{{ include "matrix.baseUrl" . }}" + # Interval at which to process users in the 'presence queue'. If you have + # 5 users, one user will be processed every 500 milliseconds according to the + # value below. This has a minimum value of 250. + # WARNING: This has a high chance of spamming the homeserver with presence + # updates since it will send one each time somebody changes state or is online. + presenceInterval: 500 + # Disable setting presence for 'ghost users' which means Discord users on Matrix + # will not be shown as away or online. + disablePresence: {{ not .Values.bridges.discord.presence }} + # Disable sending typing notifications when somebody on Discord types. + disableTypingNotifications: {{ .Values.bridges.discord.typingNotifications }} + # Disable deleting messages on Discord if a message is redacted on Matrix. + disableDeletionForwarding: false + # Enable users to bridge rooms using !discord commands. See + # https://t2bot.io/discord for instructions. + enableSelfServiceBridging: {{ .Values.bridges.discord.selfService }} + # Disable sending of read receipts for Matrix events which have been + # successfully bridged to Discord. + disableReadReceipts: {{ not .Values.bridges.discord.readReceipt }} + # Disable Join Leave echos from matrix + disableJoinLeaveNotifications: {{ not .Values.bridges.discord.joinLeaveEvents }} + # Authentication configuration for the discord bot. 
+ auth: + clientID: {{ .Values.bridges.discord.auth.clientId | quote }} + botToken: {{ .Values.bridges.discord.auth.botToken | quote }} + logging: + # What level should the logger output to the console at. + console: "warn" #silly, verbose, info, http, warn, error, silent + lineDateFormat: "MMM-D HH:mm:ss.SSS" # This is in moment.js format + files: [] + database: + userStorePath: "/data/user-store.db" + roomStorePath: "/data/room-store.db" + # You may either use SQLite or Postgresql for the bridge database, which contains + # important mappings for events and user puppeting configurations. + # Use the filename option for SQLite, or connString for Postgresql. + # If you are migrating, see https://github.com/Half-Shot/matrix-appservice-discord/blob/master/docs/howto.md#migrate-to-postgres-from-sqlite + # WARNING: You will almost certainly be fine with sqlite unless your bridge + # is in heavy demand and you suffer from IO slowness. + filename: "/data/discord.db" + # connString: "postgresql://user:password@localhost/database_name" + room: + # Set the default visibility of alias rooms, defaults to "public". + # One of: "public", "private" + defaultVisibility: {{ .Values.bridges.discord.defaultVisibility }} + channel: + # Pattern of the name given to bridged rooms. + # Can use :guild for the guild name and :name for the channel name. + namePattern: {{ .Values.bridges.discord.channelName | quote }} + # Changes made to rooms when a channel is deleted. + deleteOptions: + # Prefix the room name with a string. + #namePrefix: "[Deleted]" + # Prefix the room topic with a string. + #topicPrefix: "This room has been deleted" + # Disable people from talking in the room by raising the event PL to 50 + disableMessaging: false + # Remove the discord alias from the room. + unsetRoomAlias: true + # Remove the room from the directory. + unlistFromDirectory: true + # Set the room to be unavaliable for joining without an invite. 
+ setInviteOnly: true + # Make all the discord users leave the room. + ghostsLeave: true + limits: + # Delay in milliseconds between discord users joining a room. + roomGhostJoinDelay: 6000 + # Delay in milliseconds before sending messages to discord to avoid echos. + # (Copies of a sent message may arrive from discord before we've + # fininished handling it, causing us to echo it back to the room) + discordSendDelay: 750 + ghosts: + # Pattern for the ghosts nick, available is :nick, :username, :tag and :id + nickPattern: {{ .Values.bridges.discord.users.nickname | quote }} + # Pattern for the ghosts username, available is :username, :tag and :id + usernamePattern: {{ .Values.bridges.discord.users.username | quote }} + registration.yaml: | + id: appservice-discord + as_token: "{{ include "matrix.discord.as_token" . }}" + hs_token: "{{ include "matrix.discord.hs_token" . }}" + namespaces: + users: + - exclusive: true + regex: '^@_discord_.*' + aliases: + - exclusive: true + regex: '^#_discord_.*' + url: "http://{{ include "matrix.fullname" . }}-bridge-discord:{{ .Values.bridges.discord.service.port }}" + sender_localpart: _discord_bot + rate_limited: false + protocols: + - discord +{{- end }} diff --git a/charts/matrix/templates/bridge-discord/data-pvc.yaml b/charts/matrix/templates/bridge-discord/data-pvc.yaml new file mode 100644 index 0000000..ac290b8 --- /dev/null +++ b/charts/matrix/templates/bridge-discord/data-pvc.yaml @@ -0,0 +1,14 @@ +{{- if .Values.bridges.discord.enabled }} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ include "matrix.fullname" . }}-discord-data + labels: +{{ include "matrix.labels" . | indent 4}} +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .Values.bridges.discord.data.capacity }} +{{- end }} diff --git a/charts/matrix/templates/bridge-discord/deployment.yaml b/charts/matrix/templates/bridge-discord/deployment.yaml new file mode 100644 index 0000000..f81b49a --- /dev/null 
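Review bot: `disableTypingNotifications: {{ .Values.bridges.discord.typingNotifications }}` in config.yaml is inverted: the values comment says `typingNotifications: true` keeps notifications on, yet this renders `disableTypingNotifications: true`, while every neighbouring `disable*` key uses `{{ not ... }}`; it should read `disableTypingNotifications: {{ not .Values.bridges.discord.typingNotifications }}`. Separately, the Discord `botToken` and the generated `as_token`/`hs_token` are written into a ConfigMap, which is readable by any principal with `get configmaps` in the namespace and appears in `helm get manifest`; a Secret with the same keys, mounted the same way, is the appropriate home for the `auth:` block and for `registration.yaml`. `randAlphaNum 64` also produces new tokens on every render, and since Synapse only reads `/bridges/discord.yaml` at startup, a `helm upgrade` presumably leaves the restarted bridge and the still-running homeserver holding different tokens until Synapse restarts; a comment at the helper such as `# regenerated on every render; persist externally if stable tokens are needed` would make that visible.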
+++ b/charts/matrix/templates/bridge-discord/deployment.yaml 
@@ -0,0 +1,84 @@ +{{- if .Values.bridges.discord.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "matrix.fullname" . }}-bridge-discord + labels: +{{ include "matrix.labels" . | indent 4 }} +spec: + replicas: {{ .Values.bridges.discord.replicaCount }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "matrix.name" . }}-bridge-discord + app.kubernetes.io/instance: {{ .Release.Name }} + matrix-chart/allow-synapse-access: allow + template: + metadata: + annotations: + # re-roll deployment on config change + checksum/discord-config: {{ include (print $.Template.BasePath "/bridge-discord/configmap.yaml") . | sha256sum }} + labels: + app.kubernetes.io/name: {{ include "matrix.name" . }}-bridge-discord + app.kubernetes.io/instance: {{ .Release.Name }} + matrix-chart/allow-synapse-access: allow + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + initContainers: + - name: "load-config" + image: "{{ .Values.bridges.discord.image.repository }}:{{ .Values.bridges.discord.image.tag }}" + imagePullPolicy: {{ .Values.bridges.discord.image.pullPolicy }} + command: ["sh"] + args: ["-c", "cp /load/registration.yaml /data/discord-registration.yaml; cp /load/config.yaml /data/config.yaml; cp /load/registration.yaml /bridges/discord.yaml"] + volumeMounts: + - name: data + mountPath: /data + - name: bridges + mountPath: /bridges + - name: config + mountPath: /load + readOnly: true + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + containers: + - name: "bridge-discord" + image: "{{ .Values.bridges.discord.image.repository }}:{{ .Values.bridges.discord.image.tag }}" + imagePullPolicy: {{ .Values.bridges.discord.image.pullPolicy }} + ports: + - name: bridge + containerPort: 9005 + protocol: TCP + volumeMounts: + - name: data + mountPath: /data + 
securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + {{- with .Values.bridges.discord.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + volumes: + - name: data + persistentVolumeClaim: + claimName: "{{ include "matrix.fullname" . }}-discord-data" + - name: config + configMap: + name: "{{ include "matrix.fullname" . }}-discord-config" + - name: bridges + persistentVolumeClaim: + claimName: "{{ include "matrix.fullname" . }}-bridges" +{{- end }} diff --git a/charts/matrix/templates/bridge-discord/network-policy.yaml b/charts/matrix/templates/bridge-discord/network-policy.yaml new file mode 100644 index 0000000..a34834d --- /dev/null +++ b/charts/matrix/templates/bridge-discord/network-policy.yaml @@ -0,0 +1,22 @@ +{{- if and .Values.networkPolicies.enabled .Values.bridges.discord.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ include "matrix.fullname" . }}-bridge-discord + labels: +{{ include "matrix.labels" . | indent 4 }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: {{ include "matrix.fullname" . }}-bridge-discord + app.kubernetes.io/instance: {{ .Release.Name }} + ingress: + - from: + - podSelector: + matchLabels: + app.kubernetes.io/name: {{ include "matrix.name" . }}-synapse + app.kubernetes.io/instance: {{ .Release.Name }} + ports: + - port: bridge + protocol: TCP +{{- end }} diff --git a/charts/matrix/templates/bridge-discord/service.yaml b/charts/matrix/templates/bridge-discord/service.yaml new file mode 100644 index 0000000..b50d793 --- /dev/null +++ b/charts/matrix/templates/bridge-discord/service.yaml 
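Review bot: The podSelector in network-policy.yaml matches `app.kubernetes.io/name: {{ include "matrix.fullname" . }}-bridge-discord`, but the Deployment in this commit labels its pods `{{ include "matrix.name" . }}-bridge-discord`; whenever `matrix.fullname` differs from `matrix.name` (any release name that does not contain the chart name) the policy selects no pods and the bridge port remains reachable from the whole namespace. Use the same helper in both places: `app.kubernetes.io/name: {{ include "matrix.name" . }}-bridge-discord`. The `from` selector in the same file already uses `matrix.name` for Synapse, so the file is inconsistent with itself as well. The Synapse network policy earlier in this series uses the same `fullname` form in its podSelector and should be checked the same way.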
@@ -0,0 +1,18 @@ +{{- if .Values.bridges.discord.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "matrix.fullname" . }}-bridge-discord + labels: +{{ include "matrix.labels" . | indent 4 }} +spec: + type: {{ .Values.bridges.discord.service.type }} + ports: + - port: {{ .Values.bridges.discord.service.port }} + targetPort: bridge + protocol: TCP + name: bridge + selector: + app.kubernetes.io/name: {{ include "matrix.name" . }}-bridge-discord + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/matrix/templates/bridge-whatsapp/deployment.yaml b/charts/matrix/templates/bridge-whatsapp/deployment.yaml index 3977866..172fbf4 100644 --- a/charts/matrix/templates/bridge-whatsapp/deployment.yaml +++ b/charts/matrix/templates/bridge-whatsapp/deployment.yaml @@ -41,6 +41,7 @@ spec: mountPath: /data - name: config mountPath: /load + readOnly: true securityContext: capabilities: drop: diff --git a/charts/matrix/templates/bridges-pvc.yaml b/charts/matrix/templates/bridges-pvc.yaml index 6da0982..ad7d7b2 100644 --- a/charts/matrix/templates/bridges-pvc.yaml +++ b/charts/matrix/templates/bridges-pvc.yaml @@ -1,4 +1,4 @@ -{{- if .Values.bridges.whatsapp.enabled }} +{{- if or .Values.bridges.whatsapp.enabled .Values.bridges.discord.enabled }} apiVersion: v1 kind: PersistentVolumeClaim metadata: diff --git a/charts/matrix/templates/synapse/_homeserver.yaml b/charts/matrix/templates/synapse/_homeserver.yaml index dae0b63..f9af8c9 100644 --- a/charts/matrix/templates/synapse/_homeserver.yaml +++ b/charts/matrix/templates/synapse/_homeserver.yaml 
@@ -1001,12 +1001,15 @@ report_stats: {{ .Values.matrix.telemetry }} # A list of application service config files to use # -{{- if .Values.bridges.whatsapp.enabled }} +{{- if or .Values.bridges.whatsapp.enabled .Values.bridges.discord.enabled }} app_service_config_files: +{{- end }} +{{- if .Values.bridges.whatsapp.enabled }} - "/bridges/whatsapp.yaml" {{- end }} -# - app_service_1.yaml -# - app_service_2.yaml +{{- if .Values.bridges.discord.enabled }} + - "/bridges/discord.yaml" +{{- end }} # Uncomment to enable tracking of application service IP addresses. Implicitly # enables MAU tracking for application service users. diff --git a/charts/matrix/templates/synapse/deployment.yaml b/charts/matrix/templates/synapse/deployment.yaml index 0679da9..789335a 100644 --- a/charts/matrix/templates/synapse/deployment.yaml +++ b/charts/matrix/templates/synapse/deployment.yaml @@ -73,7 +73,7 @@ spec: mountPath: /data/keys - name: media-store mountPath: /data/media_store - {{- if .Values.bridges.whatsapp.enabled }} + {{- if or .Values.bridges.whatsapp.enabled .Values.bridges.discord.enabled }} - name: bridges mountPath: /bridges readOnly: true @@ -110,7 +110,7 @@ spec: - name: media-store persistentVolumeClaim: claimName: {{ include "matrix.fullname" . }}-media-store - {{- if .Values.bridges.whatsapp.enabled }} + {{- if or .Values.bridges.whatsapp.enabled .Values.bridges.discord.enabled }} - name: bridges persistentVolumeClaim: claimName: {{ include "matrix.fullname" . }}-bridges diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index 8daa271..91528d0 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml @@ -357,7 +357,7 @@ bridges: enabled: false # Management room for the relay bot where status notifications are posted - management: "#foo:example.com" + management: "!foo:example.com" # Users to invite to the management room automatically invites: [] 
@@ -376,6 +376,70 @@ bridges: type: ClusterIP port: 29318 + discord: + # Set to true to enable the Discord bridge + enabled: false + + # Discord bot authentication + # See https://github.com/Half-Shot/matrix-appservice-discord#setting-up-discord + auth: + clientId: "" + botToken: "" + + # The name of bridged rooms + # Available vars: + # :guild - guild/server name + # :name - channel name prefixed with # + channelName: "[Discord] :guild :name" + + users: + # Nickname of bridged Discord users + # Available vars: + # :nick - user's Discord nickname + # :username - user's Discord username + # :tag - user's 4 digit Discord tag + # :id - user's Discord developer ID (long) + nickname: ":nick" + # Username of bridged Discord users + # Available vars: + # :username - user's Discord username + # :tag - user's 4 digit Discord tag + # :id - user's Discord developer ID (long) + username: ":username#:tag" + + # Set to false to disable online/offline presence for Discord users + presence: true + + # Set to false to disable typing notifications (only for Discord to Matrix) + typingNotifications: true + + # Set to true to allow users to bridge rooms themselves using !discord commands + # More info: https://t2bot.io/discord + selfService: false + + # Set to false to disable the Discord bot read receipt, which advances whenever the bot bridges a message + readReceipt: true + + # Set to false to disable Discord notifications when a user joins/leaves the Matrix channel + joinLeaveEvents: true + + # Default visibility of bridged rooms (public/private) + defaultVisibility: public + + data: + # Size of the PVC to allocate for the SQLite database + capacity: 512Mi + + image: + repository: "halfshot/matrix-appservice-discord" + tag: "latest" + pullPolicy: Always + replicaCount: 1 + resources: {} + service: + type: ClusterIP + port: 9005 + imagePullSecrets: [] nameOverride: "" fullnameOverride: "" From 75741256a12f791dff53e6dc39267e1cfe9fcb80 Mon Sep 17 00:00:00 2001 
From: David Cruz Date: Sun, 16 Feb 2020 15:39:47 -0800 Subject: [PATCH 034/105] Update Synapse -> v1.10.0, Riot -> v1.5.8 --- charts/matrix/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index 91528d0..de3a539 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml @@ -153,7 +153,7 @@ postgresql: synapse: image: repository: "matrixdotorg/synapse" - tag: v1.9.0 + tag: v1.10.0 pullPolicy: IfNotPresent service: type: ClusterIP @@ -224,7 +224,7 @@ riot: # Riot Kubernetes resource settings image: repository: "vectorim/riot-web" - tag: v1.5.7 + tag: v1.5.8 pullPolicy: IfNotPresent service: type: ClusterIP From ebd39ec5cf3298a41e84bffd781cbad120fc932a Mon Sep 17 00:00:00 2001 From: David Cruz Date: Tue, 18 Feb 2020 14:13:23 -0800 Subject: [PATCH 035/105] Fix conditional for Exim relay enabled --- charts/matrix/templates/synapse/_homeserver.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/matrix/templates/synapse/_homeserver.yaml b/charts/matrix/templates/synapse/_homeserver.yaml index f9af8c9..63f1c25 100644 --- a/charts/matrix/templates/synapse/_homeserver.yaml +++ b/charts/matrix/templates/synapse/_homeserver.yaml @@ -1249,7 +1249,7 @@ password_config: email: enable_notifs: {{ .Values.mail.enabled }} notif_from: {{ .Values.mail.from }} - {{- if .Values.mail.relay }} + {{- if .Values.mail.relay.enabled }} smtp_host: {{ include "matrix.fullname" . }}-exim-relay smtp_port: {{ .Values.mail.relay.service.port }} {{- else }} @@ -1608,4 +1608,4 @@ opentracing: # # logging: # false -{{- end}} \ No newline at end of file +{{- end}} From a9ce9e457ae94225e978dda1922627f3e17df190 Mon Sep 17 00:00:00 2001 From: David Cruz Date: Wed, 19 Feb 2020 01:17:59 -0800 Subject: [PATCH 036/105] Add .helmignore --- charts/matrix/.helmignore | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 charts/matrix/.helmignore 
diff --git a/charts/matrix/.helmignore b/charts/matrix/.helmignore new file mode 100644 index 0000000..0514631 --- /dev/null +++ b/charts/matrix/.helmignore @@ -0,0 +1,3 @@ +.git/ +.idea/ +.gitignore/ From f4700bf8cf7ef203f1ed1bd743bb9a93a50cf47e Mon Sep 17 00:00:00 2001 From: David Cruz Date: Wed, 19 Feb 2020 11:31:00 -0800 Subject: [PATCH 037/105] Fix Postgres collation settings Set LC_COLLATION and LC_CTYPE to 'C' for the matrix database when using stable/postgresql. Synapse 1.10 and above requires this. --- charts/matrix/templates/NOTES.txt | 2 +- charts/matrix/templates/coturn/_helpers.tpl | 1 - .../postgresql/initdb-configmap.yaml | 20 +++++++++++++++++++ .../matrix/templates/synapse/_homeserver.yaml | 6 +++--- charts/matrix/values.yaml | 11 +++++++--- 5 files changed, 32 insertions(+), 8 deletions(-) create mode 100644 charts/matrix/templates/postgresql/initdb-configmap.yaml diff --git a/charts/matrix/templates/NOTES.txt b/charts/matrix/templates/NOTES.txt index 30404ce..1333ed7 100644 --- a/charts/matrix/templates/NOTES.txt +++ b/charts/matrix/templates/NOTES.txt @@ -1 +1 @@ -TODO \ No newline at end of file +TODO diff --git a/charts/matrix/templates/coturn/_helpers.tpl b/charts/matrix/templates/coturn/_helpers.tpl index 8438021..b50ddac 100644 --- a/charts/matrix/templates/coturn/_helpers.tpl +++ b/charts/matrix/templates/coturn/_helpers.tpl @@ -9,4 +9,3 @@ Shared secret for the Coturn server {{- randAlphaNum 64 -}} {{- end }} {{- end -}} - diff --git a/charts/matrix/templates/postgresql/initdb-configmap.yaml b/charts/matrix/templates/postgresql/initdb-configmap.yaml new file mode 100644 index 0000000..d83d97e --- /dev/null +++ b/charts/matrix/templates/postgresql/initdb-configmap.yaml 
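Review bot: `.gitignore/` in .helmignore ends with a slash, which Helm's ignore syntax treats as a directory-only pattern, so the `.gitignore` file itself is still included in the packaged chart; drop the slash: `.gitignore`. The other two entries name directories and are correct as written.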
@@ -0,0 +1,20 @@ +{{- if .Values.postgresql.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "matrix.fullname" . }}-postgresql-initdb + labels: + {{ include "matrix.labels" . | nindent 4}} +data: + matrix.sql: | + CREATE USER {{ .Values.postgresql.username }} + LOGIN + ENCRYPTED PASSWORD '{{ .Values.postgresql.password }}'; + + CREATE DATABASE {{ .Values.postgresql.database }} + ENCODING 'UTF8' + LC_COLLATE='C' + LC_CTYPE='C' + template=template0 + OWNER {{ .Values.postgresql.username }}; +{{- end }} diff --git a/charts/matrix/templates/synapse/_homeserver.yaml b/charts/matrix/templates/synapse/_homeserver.yaml index 63f1c25..972b582 100644 --- a/charts/matrix/templates/synapse/_homeserver.yaml +++ b/charts/matrix/templates/synapse/_homeserver.yaml @@ -479,9 +479,9 @@ database: name: "psycopg2" # Arguments to pass to the engine args: - user: "{{ .Values.postgresql.postgresqlUsername }}" - password: "{{ .Values.postgresql.postgresqlPassword }}" - database: "{{ .Values.postgresql.postgresqlDatabase }}" + user: "{{ .Values.postgresql.username }}" + password: "{{ .Values.postgresql.password }}" + database: "{{ .Values.postgresql.database }}" {{- if .Values.postgresql.enabled }} host: "{{ include "matrix.fullname" . }}-postgresql" {{- else }} diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index de3a539..4d487c3 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml 
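Review bot: `ENCRYPTED PASSWORD '{{ .Values.postgresql.password }}'` in initdb-configmap.yaml writes the database password into a ConfigMap in clear text, where any principal with `get configmaps` in the namespace can read it and where it appears in `helm get manifest`; the stable/postgresql chart also accepts an init-script Secret (`initdbScriptsSecret`, if the chart version in use supports it), which is where this SQL belongs. The username and database name are interpolated into the SQL as unquoted identifiers; they come from operator-controlled values so this is not an injection exposure, but a name containing a hyphen or upper-case letters will be folded or rejected by PostgreSQL — quoting them as identifiers (`CREATE USER "{{ .Values.postgresql.username }}"`) makes the script robust. The homeserver.yaml hunk in this commit reads the same `password` value, so moving it to a Secret requires a matching change there (outside this hunk).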
@@ -134,16 +134,21 @@ postgresql: # Whether to deploy the stable/postgresql chart with this chart. If disabled, make sure PostgreSQL is available at the hostname below and credentials are configured below enabled: true - postgresqlUsername: matrix - postgresqlPassword: matrix - postgresqlDatabase: matrix + username: matrix + password: matrix + database: matrix # Set this if postgresql.enabled = false hostname: "" + # Storage to allocate for stable/postgresql persistence: size: 8Gi + # If postgresql.enabled, stable/postgresql will run the scripts in templates/postgresql/initdb.yaml + # If using an external Postgres server, make sure to configure the database as specified at https://github.com/matrix-org/synapse/blob/master/docs/postgres.md + initdbScriptsConfigMap: "{{ .Release.Name }}-postgresql-initdb" + securityContext: enabled: true runAsUser: 1000 From 4892da8393e23357360bd1ffbee7e686df671404 Mon Sep 17 00:00:00 2001 From: David Cruz Date: Wed, 19 Feb 2020 11:33:09 -0800 Subject: [PATCH 038/105] Prepend https:// to base URL when derived from ingress definition The "matrix.baseUrl" template is used to determine the URL of the synapse instance in a few places. It needs to start with https://, but the ingress definition only contains a hostname. --- charts/matrix/templates/_helpers.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/matrix/templates/_helpers.tpl b/charts/matrix/templates/_helpers.tpl index 2f7fc52..83d474b 100644 --- a/charts/matrix/templates/_helpers.tpl +++ b/charts/matrix/templates/_helpers.tpl @@ -49,6 +49,6 @@ Synapse base URL, derived from either the Values.matrix.baseUrl override or the {{- if .Values.matrix.baseUrl }} {{- .Values.matrix.baseUrl -}} {{- else }} -{{- .Values.ingress.hosts.synapse -}} +https://{{- .Values.ingress.hosts.synapse -}} {{- end }} {{- end }} From 5cbfc7180e163c720c5a336597f2b4a0df74c906 Mon Sep 17 00:00:00 2001 
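Review bot: `initdbScriptsConfigMap: "{{ .Release.Name }}-postgresql-initdb"` names the ConfigMap with the bare release name, while the ConfigMap created in this commit is named `{{ include "matrix.fullname" . }}-postgresql-initdb`; the two only coincide when the release name already contains the chart name, otherwise the subchart references a ConfigMap that does not exist and the Synapse role and database are never created (assuming the subchart passes this value through `tpl`, as the comment implies). Since values.yaml cannot call the fullname helper, either document the constraint beside the key (`# the release name must contain "matrix" for this reference to resolve`) or have the template name the ConfigMap from `.Release.Name` as well. The default `password: matrix` is a well-known credential shipped in the chart; an empty default that fails the render when unset is the safer choice. This block is also the stable/postgresql subchart's values, so the renamed `username`/`password`/`database` keys are presumably read only by this chart's templates and not by the subchart — worth a comment so a later maintainer does not expect them to configure the subchart.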
From: David Cruz Date: Wed, 19 Feb 2020 11:43:07 -0800 Subject: [PATCH 039/105] Allow PVC storage classes overrides Closes #11 --- charts/matrix/templates/bridge-discord/data-pvc.yaml | 1 + .../matrix/templates/bridge-whatsapp/data-pvc.yaml | 1 + charts/matrix/templates/synapse/_homeserver.yaml | 2 +- charts/matrix/templates/synapse/media-pvc.yaml | 1 + charts/matrix/templates/synapse/signing-key-pvc.yaml | 3 ++- charts/matrix/values.yaml | 12 ++++++++++++ 6 files changed, 18 insertions(+), 2 deletions(-) diff --git a/charts/matrix/templates/bridge-discord/data-pvc.yaml b/charts/matrix/templates/bridge-discord/data-pvc.yaml index ac290b8..3fc9b07 100644 --- a/charts/matrix/templates/bridge-discord/data-pvc.yaml +++ b/charts/matrix/templates/bridge-discord/data-pvc.yaml @@ -6,6 +6,7 @@ metadata: labels: {{ include "matrix.labels" . | indent 4}} spec: + storageClassName: {{ .Values.bridges.discord.data.storageClass }} accessModes: - ReadWriteOnce resources: diff --git a/charts/matrix/templates/bridge-whatsapp/data-pvc.yaml b/charts/matrix/templates/bridge-whatsapp/data-pvc.yaml index 12f3822..d15dedd 100644 --- a/charts/matrix/templates/bridge-whatsapp/data-pvc.yaml +++ b/charts/matrix/templates/bridge-whatsapp/data-pvc.yaml @@ -6,6 +6,7 @@ metadata: labels: {{ include "matrix.labels" . | indent 4}} spec: + storageClassName: {{ .Values.bridges.whatsapp.data.storageClass }} accessModes: - ReadWriteOnce resources: diff --git a/charts/matrix/templates/synapse/_homeserver.yaml b/charts/matrix/templates/synapse/_homeserver.yaml index 972b582..c76e4f6 100644 --- a/charts/matrix/templates/synapse/_homeserver.yaml +++ b/charts/matrix/templates/synapse/_homeserver.yaml 
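Review bot: `storageClassName: {{ .Values.bridges.discord.data.storageClass }}` in data-pvc.yaml renders as a bare `storageClassName:` when the value is the default `""`, which YAML reads as null; Kubernetes then treats the field as unset and picks the default StorageClass, so the default works, but an operator can no longer express the distinct `storageClassName: ""` meaning (no dynamic provisioning), and a non-empty class name is emitted unquoted. Guarding the line, `{{- with .Values.bridges.discord.data.storageClass }}` / `storageClassName: {{ . | quote }}` / `{{- end }}`, keeps the omitted case explicit and quotes the name. The WhatsApp data-pvc hunk in this commit and the media-pvc and signing-key-pvc hunks that follow use the same pattern.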
@@ -23,7 +23,7 @@ pid_file: /data/homeserver.pid # use synapse with a reverse proxy, this should be the URL to reach # synapse via the proxy. # -public_baseurl: {{ include "matrix.baseUrl" . }} +public_baseurl: {{ include "matrix.baseUrl" . | quote }} # Set the soft limit on the number of file descriptors synapse can use # Zero is used to indicate synapse should set the soft limit to the # hard limit. diff --git a/charts/matrix/templates/synapse/media-pvc.yaml b/charts/matrix/templates/synapse/media-pvc.yaml index a89982d..d8a202f 100644 --- a/charts/matrix/templates/synapse/media-pvc.yaml +++ b/charts/matrix/templates/synapse/media-pvc.yaml @@ -5,6 +5,7 @@ metadata: labels: {{ include "matrix.labels" . | indent 4}} spec: + storageClassName: {{ .Values.volumes.media.storageClass }} accessModes: - ReadWriteOnce resources: diff --git a/charts/matrix/templates/synapse/signing-key-pvc.yaml b/charts/matrix/templates/synapse/signing-key-pvc.yaml index fe80acb..65b3003 100644 --- a/charts/matrix/templates/synapse/signing-key-pvc.yaml +++ b/charts/matrix/templates/synapse/signing-key-pvc.yaml @@ -5,8 +5,9 @@ metadata: labels: {{ include "matrix.labels" . | indent 4}} spec: + storageClassName: {{ .Values.volumes.signingKey.storageClass }} accessModes: - ReadWriteOnce resources: requests: - storage: 1Mi + storage: {{ .Values.volumes.signingKey.capacity }} diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index 4d487c3..031218e 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml @@ -128,6 +128,14 @@ volumes: media: # Capacity of the media persistent volume claim capacity: 10Gi + # Storage class (optional) + storageClass: "" + signingKey: + # Capacity of the signing key PVC + # Note: 1Mi is more than enough, but some cloud providers set a minimum PVC size of 1Mi or 1Gi, adjust as necessary + capacity: 1Mi + # Storage class (optional) + storageClass: "" # PostgreSQL Database Configuration postgresql: 
@@ -370,6 +378,8 @@ bridges: data: # Size of the PVC to allocate for the SQLite database capacity: 512Mi + # Storage class (optional) + storageClass: "" image: repository: "dock.mau.dev/tulir/mautrix-whatsapp" @@ -434,6 +444,8 @@ bridges: data: # Size of the PVC to allocate for the SQLite database capacity: 512Mi + # Storage class (optional) + storageClass: "" image: repository: "halfshot/matrix-appservice-discord" From 8798b2ac4fa438d50fb7fb668a45037bad032634 Mon Sep 17 00:00:00 2001 From: David Cruz Date: Thu, 20 Feb 2020 17:36:25 -0800 Subject: [PATCH 040/105] Fix and refactor matrix hostname and base URL --- charts/matrix/templates/_helpers.tpl | 19 +++++++++++++++---- .../matrix/templates/synapse/_homeserver.yaml | 2 +- charts/matrix/values.yaml | 6 +++--- 3 files changed, 19 insertions(+), 8 deletions(-) diff --git a/charts/matrix/templates/_helpers.tpl b/charts/matrix/templates/_helpers.tpl index 83d474b..8f351e0 100644 --- a/charts/matrix/templates/_helpers.tpl +++ b/charts/matrix/templates/_helpers.tpl @@ -43,12 +43,23 @@ app.kubernetes.io/managed-by: {{ .Release.Service }} {{- end -}} {{/* -Synapse base URL, derived from either the Values.matrix.baseUrl override or the Ingress definition +Synapse hostname, derived from either the Values.matrix.hostname override or the Ingress definition +*/}} +{{- define "matrix.hostname" -}} +{{- if .Values.matrix.hostname }} +{{- .Values.matrix.hostname -}} +{{- else }} +{{- .Values.ingress.hosts.synapse -}} +{{- end }} +{{- end }} + +{{/* +Synapse hostname prepended with https:// to form a complete URL */}} {{- define "matrix.baseUrl" -}} -{{- if .Values.matrix.baseUrl }} -{{- .Values.matrix.baseUrl -}} +{{- if .Values.matrix.hostname }} +{{- printf "https://%s" .Values.matrix.hostname -}} {{- else }} -https://{{- .Values.ingress.hosts.synapse -}} +{{- printf "https://%s" .Values.ingress.hosts.synapse -}} {{- end }} {{- end }} 
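Review bot: In the _helpers.tpl hunk, `matrix.baseUrl` re-implements the hostname precedence that the new `matrix.hostname` template already encodes, so the two will drift the next time the fallback rules change. The URL template can delegate instead, with `{{- printf "https://%s" (include "matrix.hostname" .) -}}` as its whole body. Both templates still yield a bare `https://` when neither `matrix.hostname` nor `ingress.hosts.synapse` is set; wrapping the lookup in `required` would turn that into a render-time error instead of a broken `public_baseurl`.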
diff --git a/charts/matrix/templates/synapse/_homeserver.yaml b/charts/matrix/templates/synapse/_homeserver.yaml index c76e4f6..fb1228d 100644 --- a/charts/matrix/templates/synapse/_homeserver.yaml +++ b/charts/matrix/templates/synapse/_homeserver.yaml @@ -748,7 +748,7 @@ max_spider_size: {{ .Values.matrix.urlPreviews.rules.maxSize }} # The public URIs of the TURN server to give to clients turn_uris: - - "turn:{{ include "matrix.baseUrl" . }}?transport=udp" + - "turn:{{ include "matrix.hostname" . }}?transport=udp" # The shared secret used to compute passwords for the TURN server diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index 031218e..1f8a688 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml @@ -9,10 +9,10 @@ matrix: # Enable anonymous telemetry to matrix.org telemetry: false - # URL where Synapse can be reached. - # This is *optional* if an Ingress is configured below. If baseUrl is unspecified, the Synapse hostname of the + # Hostname where Synapse can be reached. + # This is *optional* if an Ingress is configured below. If hostname is unspecified, the Synapse hostname of the # Ingress will be used - # baseUrl: "matrix.example.com" + # hostname: "matrix.example.com" # Set to false to disable presence (online/offline indicators) presence: true From 7bca2542fb53d5ce2aa9b31a8e6fec7bf0ed70ff Mon Sep 17 00:00:00 2001 From: David Cruz Date: Thu, 20 Feb 2020 17:44:16 -0800 Subject: [PATCH 041/105] Update README --- charts/matrix/README.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/charts/matrix/README.md b/charts/matrix/README.md index c49869c..4ef74bb 100644 --- a/charts/matrix/README.md +++ b/charts/matrix/README.md 
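Review bot: The TURN URI is now built from the Synapse hostname, which by the helper's fallback is also the Ingress host; an Ingress only carries HTTP(S), so that name must additionally resolve to an address where Coturn's UDP port 3478 is reachable, which is not guaranteed by the Ingress definition alone. If that cannot be assumed for every deployment, a dedicated override (for example a `coturn.hostname` value falling back to `matrix.hostname`) would make the requirement explicit. At minimum a comment above `turn_uris` should say `# This hostname must resolve to the host(s) exposing Coturn's UDP ports, not only to the HTTP ingress`.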
@@ -4,9 +4,14 @@ A Helm chart for deploying a Matrix homeserver stack in Kubernetes. ## Installation +Some documentation is available in values.yaml, and a complete installation guide is coming soon. + +This chart is not yet published to a repository. For now, you can clone the chart and install it manually. + ```shell script git clone https://github.com/dacruz21/matrix-chart.git cd matrix-chart +helm dep update helm install matrix . ``` @@ -17,6 +22,8 @@ helm install matrix . - (Optional) Choice of lightweight Exim relay or external mail server for email notifications - (Optional) Coturn TURN server for VoIP calls - (Optional) PostgreSQL cluster via stable/postgresql chart +- (Optional) [tulir/mautrix-whatsapp](https://github.com/tulir/mautrix-whatsapp) WhatsApp bridge +- (Optional) [Half-Shot/matrix-appservice-discord](https://github.com/Half-Shot/matrix-appservice-discord) Discord bridge - Fully configurable via values.yaml - Ingress definition for Synapse and Riot -- Load balanced federation port for federated homeservers +- Federation (port 8448) access via NodePort or LoadBalancer From b08e66bd7ba9797275a1d929573c4e2f6ae6e735 Mon Sep 17 00:00:00 2001 
From: David Cruz Date: Sun, 15 Mar 2020 23:18:25 -0700 Subject: [PATCH 042/105] Affinity and DigitalOcean workarounds DigitalOcean K8s doesn't support the ReadWriteMany access mode for PVCs. This is required to share bridge/appservice registration files with Synapse, as the bridge pods are not necessarily scheduled on the same node as Synapse. The workaround was to: - Add an override to change the access mode of the bridge PVC in values.yaml - Add a setting to configure affinity between bridges and Synapse, so that this access mode is actually valid DOK8S also requires a minimum PVC size of 1Gi. Added an override for the size of the bridge PVC, but left the default at 1Mi. --- charts/matrix/.helmignore | 2 +- .../templates/bridge-discord/deployment.yaml | 16 ++++++++++++++++ .../templates/bridge-whatsapp/deployment.yaml | 16 ++++++++++++++++ charts/matrix/templates/bridges-pvc.yaml | 5 +++-- charts/matrix/values.yaml | 14 ++++++++++++++ 5 files changed, 50 insertions(+), 3 deletions(-) diff --git a/charts/matrix/.helmignore b/charts/matrix/.helmignore index 0514631..faa7861 100644 --- a/charts/matrix/.helmignore +++ b/charts/matrix/.helmignore @@ -1,3 +1,3 @@ .git/ .idea/ -.gitignore/ +.gitignore diff --git a/charts/matrix/templates/bridge-discord/deployment.yaml b/charts/matrix/templates/bridge-discord/deployment.yaml index f81b49a..586a522 100644 --- a/charts/matrix/templates/bridge-discord/deployment.yaml +++ b/charts/matrix/templates/bridge-discord/deployment.yaml 
@@ -22,6 +22,22 @@ spec: app.kubernetes.io/instance: {{ .Release.Name }} matrix-chart/allow-synapse-access: allow spec: + {{- if .Values.bridges.affinity }} + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app.kubernetes.io/name + operator: In + values: + - {{ include "matrix.name" . }}-synapse + - key: app.kubernetes.io/instance + operator: In + values: + - {{ .Release.Name }} + topologyKey: kubernetes.io/hostname + {{- end }} {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} diff --git a/charts/matrix/templates/bridge-whatsapp/deployment.yaml b/charts/matrix/templates/bridge-whatsapp/deployment.yaml index 172fbf4..7072fbb 100644 --- a/charts/matrix/templates/bridge-whatsapp/deployment.yaml +++ b/charts/matrix/templates/bridge-whatsapp/deployment.yaml @@ -22,6 +22,22 @@ spec: app.kubernetes.io/instance: {{ .Release.Name }} matrix-chart/allow-synapse-access: allow spec: + {{- if .Values.bridges.affinity }} + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app.kubernetes.io/name + operator: In + values: + - {{ include "matrix.name" . }}-synapse + - key: app.kubernetes.io/instance + operator: In + values: + - {{ .Release.Name }} + topologyKey: kubernetes.io/hostname + {{- end }} {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} diff --git a/charts/matrix/templates/bridges-pvc.yaml b/charts/matrix/templates/bridges-pvc.yaml index ad7d7b2..a2bbf6c 100644 --- a/charts/matrix/templates/bridges-pvc.yaml +++ b/charts/matrix/templates/bridges-pvc.yaml @@ -6,9 +6,10 @@ metadata: labels: {{ include "matrix.labels" . | indent 4}} spec: + storageClassName: {{ .Values.bridges.volume.storageClass }} accessModes: - - ReadWriteMany + - {{ .Values.bridges.volume.accessMode }} resources: requests: - storage: 1Mi + storage: {{ .Values.bridges.volume.capacity }} {{- end }} 
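Review bot: The affinity block is pasted verbatim into both bridge deployments (this hunk and the bridge-whatsapp hunk that follows), so any change to the Synapse label scheme has to be made twice; a named template in _helpers.tpl, say `matrix.synapseAffinity`, included as `{{- include "matrix.synapseAffinity" . | nindent 6 }}` would keep them in step. The selector assumes the Synapse pods carry `app.kubernetes.io/name: <name>-synapse` and the release's `app.kubernetes.io/instance` label; that template is outside this diff, so confirm the values match exactly, because with `requiredDuringSchedulingIgnoredDuringExecution` a mismatch leaves the bridge Pending indefinitely rather than mis-scheduled. The same hard requirement means a bridge cannot be scheduled while no Synapse pod is running anywhere, which deserves a line in the values.yaml comment for `affinity`.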
diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index 1f8a688..c4f14c8 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml @@ -456,6 +456,20 @@ bridges: service: type: ClusterIP port: 9005 + # Recommended to leave this disabled to allow bridges to be scheduled on separate nodes. + # Set this to true to reduce latency between the homeserver and bridges, or if your cloud provider does not allow + # the ReadWriteMany access mode (see below) + affinity: false + volume: + # Capacity of the shared volume for storing bridge/appservice registration files + # Note: 1Mi should be enough but some cloud providers may set a minimum PVC size of 1Gi, adjust as necessary + capacity: 1Mi + # Storage class (optional) + storageClass: "" + # Access mode of the shared volume. ReadWriteMany is recommended to allow bridges to be scheduled on separate nodes. + # Some cloud providers may not allow the ReadWriteMany access mode. In that case, change this to ReadWriteOnce -AND- + # set bridges.affinity (above) to true + accessMode: ReadWriteMany imagePullSecrets: [] nameOverride: "" From 1f9c40e725e67ca41997dbfe9c6308e116813365 Mon Sep 17 00:00:00 2001 From: David Cruz Date: Sun, 15 Mar 2020 23:26:45 -0700 Subject: [PATCH 043/105] Update Synapse -> v1.11.1, Riot -> v1.5.12 --- charts/matrix/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index c4f14c8..2dfedcb 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml @@ -166,7 +166,7 @@ postgresql: synapse: image: repository: "matrixdotorg/synapse" - tag: v1.10.0 + tag: v1.11.1 pullPolicy: IfNotPresent service: type: ClusterIP @@ -237,7 +237,7 @@ riot: # Riot Kubernetes resource settings image: repository: "vectorim/riot-web" - tag: v1.5.8 + tag: v1.5.12 pullPolicy: IfNotPresent service: type: ClusterIP From 50964a966397b4b92bace701d4266e9199b88faf Mon Sep 17 00:00:00 2001 
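Review bot: The comment states that `accessMode` other than ReadWriteMany is only valid together with `bridges.affinity: true`, but nothing enforces the pairing, and a user who changes only the access mode gets bridges that fail to mount or schedule with no pointer back to this note. A render-time check in the bridges PVC template would catch it: `{{- if and (ne .Values.bridges.volume.accessMode "ReadWriteMany") (not .Values.bridges.affinity) }}{{ fail "bridges.volume.accessMode other than ReadWriteMany requires bridges.affinity=true" }}{{- end }}`. The `storageClass: ""` default should also say which behaviour the empty value gives (the key is rendered as null, i.e. the cluster default class), since Kubernetes treats an explicit empty string differently.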
From: David Cruz Date: Sun, 15 Mar 2020 23:58:49 -0700 Subject: [PATCH 044/105] Add Coturn DaemonSet support Add support for running Coturn pods under a DaemonSet with host networking enabled to bind TURN ports on each node. This maximizes compatibility as it doesn't require setting the NodePort range setting on the cluster as a whole. The downside is that it will deploy one Coturn pod for each node, which may be more (or fewer) than necessary, so the old method of Deployment + NodePort is still supported. Thanks to @danjenkins for this one. --- .../matrix/templates/coturn/deployment.yaml | 10 ++++++++- charts/matrix/templates/coturn/service.yaml | 2 ++ charts/matrix/values.yaml | 21 +++++++++++++++++-- 3 files changed, 30 insertions(+), 3 deletions(-) diff --git a/charts/matrix/templates/coturn/deployment.yaml b/charts/matrix/templates/coturn/deployment.yaml index 8cc37bf..7e21e84 100644 --- a/charts/matrix/templates/coturn/deployment.yaml +++ b/charts/matrix/templates/coturn/deployment.yaml @@ -1,13 +1,15 @@ {{- if .Values.coturn.enabled }} {{- $portRange := untilStep (int .Values.coturn.ports.from) (int (add1 .Values.coturn.ports.to)) 1 -}} apiVersion: apps/v1 -kind: Deployment +kind: {{ .Values.coturn.kind }} metadata: name: {{ include "matrix.fullname" . }}-coturn labels: {{ include "matrix.labels" . | indent 4 }} spec: + {{- if eq .Values.coturn.kind "Deployment" }} replicas: {{ .Values.coturn.replicaCount }} + {{- end }} selector: matchLabels: app.kubernetes.io/name: {{ include "matrix.name" . }}-coturn @@ -28,6 +30,9 @@ spec: securityContext: runAsUser: 1000 runAsGroup: 1000 + {{- if eq .Values.coturn.kind "DaemonSet" }} + hostNetwork: true + {{- end }} containers: - name: "coturn" image: "{{ .Values.coturn.image.repository }}:{{ .Values.coturn.image.tag }}" 
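Review bot: `hostNetwork: true` in the DaemonSet branch puts the Coturn pod in the node's network namespace, and the values.yaml comment added later in this commit does not mention what that implies: the pod binds on every node interface, Kubernetes NetworkPolicy no longer applies to it, and the Pod Security Standards `baseline` profile (and restrictive PodSecurityPolicies) reject hostNetwork, so DaemonSet mode will not deploy into a hardened namespace. Document this next to `kind: DaemonSet`, e.g. `# DaemonSet mode uses hostNetwork and hostPort; the namespace must permit these (PSS baseline forbids them)`; the same applies to the `hostPort` added in the following hunk. Switching the default `kind` from Deployment to DaemonSet also changes what existing installs get on upgrade, which is worth calling out alongside the next chart version bump.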
@@ -40,6 +45,9 @@ spec: {{- range $portRange }} - name: turn-{{ . }} containerPort: {{ . }} + {{- if eq $.Values.coturn.kind "DaemonSet" }} + hostPort: {{ . }} + {{- end }} protocol: UDP {{- end }} volumeMounts: diff --git a/charts/matrix/templates/coturn/service.yaml b/charts/matrix/templates/coturn/service.yaml index 034f586..66efbd3 100644 --- a/charts/matrix/templates/coturn/service.yaml +++ b/charts/matrix/templates/coturn/service.yaml @@ -11,7 +11,9 @@ spec: ports: - port: 3478 targetPort: turn-3478 + {{- if eq .Values.coturn.service.type "NodePort" }} nodePort: 3478 + {{- end }} protocol: UDP name: turn-3478 {{- range $portRange }} diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index 2dfedcb..7ee14a6 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml @@ -250,6 +250,15 @@ coturn: # Set to false to disable Coturn enabled: true + # How to deploy Coturn + # Options: + # DaemonSet: A DaemonSet will be used to schedule one Coturn pod per node. Each Coturn pod will open the ports it needs directly on the host it is scheduled on. + # This maximizes compatibility and will allow you to set up Coturn without any additional cluster configuration. + # Deployment: A Deployment will be used to schedule Coturn pods. The number of Coturn pods will be configurable (via the replicaCount setting below). + # You will need to use a NodePort service or an external load balancer to route traffic to the Coturn pods. + # This is more flexible and can use fewer pods in a multi-node setup, but will require additional networking configuration. + kind: DaemonSet + # Whether to allow guests to use the TURN server allowGuests: true 
@@ -262,12 +271,20 @@ coturn: from: 49152 to: 49172 + service: + # The type of service to deploy for routing Coturn traffic + # Options: + # ClusterIP: Recommended for DaemonSet configurations. This will create a standard Kubernetes service for Coturn within the cluster. No external networking + # will be configured as the DaemonSet will handle binding to each Node's host networking + # NodePort: Recommended for Deployment configurations. This will open TURN ports on every node and route traffic on these ports to the Coturn pods. + # You will need to make sure your cloud provider supports the cluster config setting "apiserver.service-node-port-range", as this range must contain + # the ports defined above for the service to be created. + type: ClusterIP + image: repository: "instrumentisto/coturn" tag: "4.5.1.1" pullPolicy: IfNotPresent - service: - type: NodePort replicaCount: 1 resources: {} From 2af0647c151fe7203f8887728030da7129563827 Mon Sep 17 00:00:00 2001 From: David Cruz Date: Mon, 30 Mar 2020 22:19:45 -0700 Subject: [PATCH 045/105] Update images --- charts/matrix/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index 7ee14a6..233fc38 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml @@ -166,7 +166,7 @@ postgresql: synapse: image: repository: "matrixdotorg/synapse" - tag: v1.11.1 + tag: v1.12.0 pullPolicy: IfNotPresent service: type: ClusterIP @@ -237,7 +237,7 @@ riot: # Riot Kubernetes resource settings image: repository: "vectorim/riot-web" - tag: v1.5.12 + tag: v1.5.14 pullPolicy: IfNotPresent service: type: ClusterIP From fc65c2efa5687ee2ce84348cf7a35a194bfe3889 Mon Sep 17 00:00:00 2001 From: David Cruz Date: Mon, 30 Mar 2020 22:32:29 -0700 Subject: [PATCH 046/105] Update Chart.yaml for 1.0 release --- charts/matrix/Chart.lock | 4 ++-- charts/matrix/Chart.yaml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/charts/matrix/Chart.lock b/charts/matrix/Chart.lock index aa60715..8b3b211 100644 --- a/charts/matrix/Chart.lock +++ b/charts/matrix/Chart.lock @@ -2,5 +2,5 @@ dependencies: - name: postgresql repository: https://kubernetes-charts.storage.googleapis.com version: 8.0.0 -digest: sha256:9f2052244167d312b126a3e74777dc547b8aaa4e76bbf23900a6880c6399d23d -generated: "2019-12-16T19:54:24.921858546-08:00" +digest: sha256:54b8dbbf92f98a307a15de995f41897aa3ea3f3252b6f594d058530755b3dfa8 +generated: "2020-03-30T22:24:34.251333366-07:00" diff --git a/charts/matrix/Chart.yaml b/charts/matrix/Chart.yaml index 722e724..b226d39 100644 --- a/charts/matrix/Chart.yaml +++ b/charts/matrix/Chart.yaml @@ -14,11 +14,11 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. -version: 0.1.0 +version: 1.0.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. -appVersion: 1.16.0 +appVersion: 1.12.0 dependencies: - name: postgresql From 15e336d5aa4b2ebf94e98f61775b69be3067f4c8 Mon Sep 17 00:00:00 2001 From: David Cruz Date: Mon, 30 Mar 2020 23:01:17 -0700 Subject: [PATCH 047/105] Fix upgrades when storageClass unspecified --- charts/matrix/templates/bridge-discord/data-pvc.yaml | 2 ++ charts/matrix/templates/bridge-whatsapp/data-pvc.yaml | 2 ++ charts/matrix/templates/bridges-pvc.yaml | 2 ++ charts/matrix/templates/synapse/media-pvc.yaml | 2 ++ charts/matrix/templates/synapse/signing-key-pvc.yaml | 2 ++ 5 files changed, 10 insertions(+) diff --git a/charts/matrix/templates/bridge-discord/data-pvc.yaml b/charts/matrix/templates/bridge-discord/data-pvc.yaml index 3fc9b07..05737c8 100644 --- a/charts/matrix/templates/bridge-discord/data-pvc.yaml +++ b/charts/matrix/templates/bridge-discord/data-pvc.yaml 
@@ -6,7 +6,9 @@ metadata: labels: {{ include "matrix.labels" . | indent 4}} spec: + {{- if .Values.bridges.discord.data.storageClass }} storageClassName: {{ .Values.bridges.discord.data.storageClass }} + {{- end }} accessModes: - ReadWriteOnce resources: diff --git a/charts/matrix/templates/bridge-whatsapp/data-pvc.yaml b/charts/matrix/templates/bridge-whatsapp/data-pvc.yaml index d15dedd..fd9a52a 100644 --- a/charts/matrix/templates/bridge-whatsapp/data-pvc.yaml +++ b/charts/matrix/templates/bridge-whatsapp/data-pvc.yaml @@ -6,7 +6,9 @@ metadata: labels: {{ include "matrix.labels" . | indent 4}} spec: + {{- if .Values.bridges.whatsapp.data.storageClass }} storageClassName: {{ .Values.bridges.whatsapp.data.storageClass }} + {{- end }} accessModes: - ReadWriteOnce resources: diff --git a/charts/matrix/templates/bridges-pvc.yaml b/charts/matrix/templates/bridges-pvc.yaml index a2bbf6c..d026976 100644 --- a/charts/matrix/templates/bridges-pvc.yaml +++ b/charts/matrix/templates/bridges-pvc.yaml @@ -6,7 +6,9 @@ metadata: labels: {{ include "matrix.labels" . | indent 4}} spec: + {{- if .Values.bridges.volume.storageClass }} storageClassName: {{ .Values.bridges.volume.storageClass }} + {{- end }} accessModes: - {{ .Values.bridges.volume.accessMode }} resources: diff --git a/charts/matrix/templates/synapse/media-pvc.yaml b/charts/matrix/templates/synapse/media-pvc.yaml index d8a202f..ba1d31e 100644 --- a/charts/matrix/templates/synapse/media-pvc.yaml +++ b/charts/matrix/templates/synapse/media-pvc.yaml @@ -5,7 +5,9 @@ metadata: labels: {{ include "matrix.labels" . | indent 4}} spec: + {{- if .Values.volumes.media.storageClass }} storageClassName: {{ .Values.volumes.media.storageClass }} + {{- end }} accessModes: - ReadWriteOnce resources: diff --git a/charts/matrix/templates/synapse/signing-key-pvc.yaml b/charts/matrix/templates/synapse/signing-key-pvc.yaml index 65b3003..90c03fd 100644 --- a/charts/matrix/templates/synapse/signing-key-pvc.yaml 
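Review bot: Guarding with `{{- if .Values.bridges.discord.data.storageClass }}` makes it impossible to request the Kubernetes `storageClassName: ""` semantic (bind only to a pre-provisioned volume, no dynamic provisioning), because the empty string is now indistinguishable from unset; the same applies to the bridge-whatsapp, bridges-pvc, media-pvc and signing-key-pvc hunks in this commit. The common Helm convention is a sentinel: treat `"-"` as "explicitly empty" and render `storageClassName: ""`, render the value when anything else is set, and omit the key when unset. The values.yaml comments on the `storageClass: ""` entries should then state that the empty default means the cluster default class and `"-"` means none.
```yaml
spec:
  {{- if .Values.bridges.discord.data.storageClass }}
  {{- if eq "-" .Values.bridges.discord.data.storageClass }}
  storageClassName: ""
  {{- else }}
  storageClassName: {{ .Values.bridges.discord.data.storageClass }}
  {{- end }}
  {{- end }}
  # … unchanged: accessModes, resources …
```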
+++ b/charts/matrix/templates/synapse/signing-key-pvc.yaml @@ -5,7 +5,9 @@ metadata: labels: {{ include "matrix.labels" . | indent 4}} spec: + {{- if .Values.volumes.signingKey.storageClass }} storageClassName: {{ .Values.volumes.signingKey.storageClass }} + {{- end }} accessModes: - ReadWriteOnce resources: From 2ba28e26d4cb51a1ea9665385b049626f1d09216 Mon Sep 17 00:00:00 2001 From: David Cruz Date: Mon, 30 Mar 2020 23:01:49 -0700 Subject: [PATCH 048/105] Add NOTES.txt and update .helmignore --- charts/matrix/.helmignore | 1 + charts/matrix/Chart.yaml | 2 +- charts/matrix/templates/NOTES.txt | 47 ++++++++++++++++++++++++++++++- 3 files changed, 48 insertions(+), 2 deletions(-) diff --git a/charts/matrix/.helmignore b/charts/matrix/.helmignore index faa7861..cdd8ee1 100644 --- a/charts/matrix/.helmignore +++ b/charts/matrix/.helmignore @@ -1,3 +1,4 @@ .git/ .idea/ .gitignore +README.md diff --git a/charts/matrix/Chart.yaml b/charts/matrix/Chart.yaml index b226d39..e19aa9a 100644 --- a/charts/matrix/Chart.yaml +++ b/charts/matrix/Chart.yaml @@ -14,7 +14,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. -version: 1.0.0 +version: 1.0.1 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. diff --git a/charts/matrix/templates/NOTES.txt b/charts/matrix/templates/NOTES.txt index 1333ed7..30857dd 100644 --- a/charts/matrix/templates/NOTES.txt +++ b/charts/matrix/templates/NOTES.txt 
@@ -1 +1,46 @@ -TODO +{{- if .Release.IsInstall }} +dacruz21/matrix-chart has been installed! + +Installed components: + - Synapse ({{ .Values.synapse.image.repository }}) +{{- if .Values.riot.enabled }} + - Riot Web ({{ .Values.riot.image.repository }}) +{{- end }} +{{- if .Values.postgresql.enabled }} + - PostgreSQL ({{ .Values.postgresql.image.repository }}) +{{- end }} +{{- if .Values.coturn.enabled }} + - Coturn ({{ .Values.coturn.image.repository }}) +{{- end }} +{{- if .Values.mail.relay.enabled }} + - Exim Relay ({{ .Values.mail.relay.image.repository }}) +{{- end }} +{{- if .Values.bridges.whatsapp.enabled }} + - WhatsApp Bridge ({{ .Values.bridges.whatsapp.image.repository }}) +{{- end }} +{{- if .Values.bridges.discord.enabled }} + - Discord Bridge ({{ .Values.bridges.discord.image.repository }}) +{{- end }} + +Thank you for installing dacruz21/matrix-chart! If you have any questions or run into any issues, please file a GitHub issue or join us at #matrix-chart:typokign.com. + +{{ if .Values.ingress.enabled }} +Your Synapse homeserver should soon be available at https://{{ .Values.ingress.hosts.synapse }} +{{- if .Values.riot.enabled }} +Your Riot Web instance should soon be available at https://{{ .Values.ingress.hosts.riot }} +{{- end }} +{{- end }} + +{{ if .Values.bridges.whatsapp.enabled }} +The WhatsApp bridge has been enabled! + +To get started, start a chat with the bridge bot (@{{ .Values.bridges.whatsapp.bot.username }}:{{ .Values.matrix.serverName }}). +For more information, check out the official documentation at https://github.com/tulir/mautrix-whatsapp/wiki/Authentication +{{- end }} + +{{ if .Values.bridges.discord.enabled }} +The Discord bridge has been enabled! + +You'll need to follow the instructions at https://github.com/Half-Shot/matrix-appservice-discord#setting-up-discord to finish setting up the bridge +{{- end }} +{{- end }} From 94561fbc4c05f4dad1374817c4de1e671bca19df Mon Sep 17 00:00:00 2001 
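Review bot: `{{ .Values.postgresql.image.repository }}` reads a subchart value through the parent, and Helm only exposes to the parent those subchart values that the parent's own values.yaml or the user sets; the subchart's defaults are not visible, so unless values.yaml defines `postgresql.image.repository` (not shown in this diff) that line renders empty or fails the template with a nil-pointer error. Either set the key explicitly in values.yaml or drop the repository from the PostgreSQL entry; the other components read this chart's own values and are fine. Whitespace control is also mixed, `{{ if .Values.ingress.enabled }}` next to `{{- if ... }}`, which is presumably deliberate for blank-line separation; a short comment such as `{{/* non-trimmed "if" keeps a blank line before each section */}}` would stop the next reader from "fixing" it.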
From: David Cruz Date: Mon, 30 Mar 2020 23:29:07 -0700 Subject: [PATCH 049/105] Update Readme --- charts/matrix/README.md | 65 ++++++++++++++++++++++++++++++++--------- 1 file changed, 52 insertions(+), 13 deletions(-) diff --git a/charts/matrix/README.md b/charts/matrix/README.md index 4ef74bb..7e8d286 100644 --- a/charts/matrix/README.md +++ b/charts/matrix/README.md @@ -2,19 +2,6 @@ A Helm chart for deploying a Matrix homeserver stack in Kubernetes. -## Installation - -Some documentation is available in values.yaml, and a complete installation guide is coming soon. - -This chart is not yet published to a repository. For now, you can clone the chart and install it manually. - -```shell script -git clone https://github.com/dacruz21/matrix-chart.git -cd matrix-chart -helm dep update -helm install matrix . -``` - ## Features - Latest version of Synapse 
@@ -27,3 +14,55 @@ helm install matrix . - Fully configurable via values.yaml - Ingress definition for Synapse and Riot - Federation (port 8448) access via NodePort or LoadBalancer + +## Installation + +Some documentation is available in values.yaml, and a complete installation guide is coming soon. + +Choose one of the two options below to install the chart. + +### Chart Repository (recommended) + +This chart is published to my Helm chart repository at https://dacruz21.github.io/helm-charts. To install this chart: + +1. Create an empty chart to hold your configuration + + ```shell script + helm create mychart + cd mychart + ``` + +1. Add this chart to your chart's dependencies by editing `Chart.yaml` and adding the following lines: + + ```yaml + dependencies: + - name: matrix + version: 1.0.1 + repository: https://dacruz21.github.io/helm-charts + ``` + +1. Run `helm dependency update` to download the chart into the `charts/` directory. + +1. Configure the chart by editing `values.yaml`, adding a `matrix:` object, and adding any config overrides under this object. + +1. Deploy your customized chart with `helm install mychart .` + +### Git + +You can also clone this repo directly and override the values.yaml provided. To do so, run the following commands: + +```shell script +git clone https://github.com/dacruz21/matrix-chart.git +cd matrix-chart +helm dependency update +helm install matrix . +``` + +## Security +Helm currently [does not officially support chart signatures created by GPG keys stored on smartcards](https://github.com/helm/helm/issues/2843#issuecomment-379532906). This may change in the future, in which case I will start packaging this chart with the standard `.prov` signatures, but until then signatures must be verified manually. + +GPG signatures are available within the chart repo and can be found by appending `.gpg` to the end of the package URL. 
For example, the signature for v1.0.1 is available at https://dacruz21.github.io/helm-charts/matrix-1.0.1.tgz.gpg. + +These GPG signatures are signed with the same PGP key that is used to sign commits in this Git repository. The key is available by searching for david@typokign.com on a public keyserver, or by downloading it from my website at https://typokign.com/key.gpg. + +If you find any security vulnerabilities in this Helm chart, please contact me by sending a PGP-encrypted email (encrypted to `F13C346C0DE56944`) to david@typokign.com. Vulnerabilities in upstream services should be reported to that service's developers. From 81c18f34f9a401cae7068fa60b044c1e49d9020a Mon Sep 17 00:00:00 2001 From: David Cruz Date: Mon, 30 Mar 2020 23:32:19 -0700 Subject: [PATCH 050/105] Clarify installation -> configuration --- charts/matrix/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/matrix/README.md b/charts/matrix/README.md index 7e8d286..6026404 100644 --- a/charts/matrix/README.md +++ b/charts/matrix/README.md @@ -17,7 +17,7 @@ A Helm chart for deploying a Matrix homeserver stack in Kubernetes. ## Installation -Some documentation is available in values.yaml, and a complete installation guide is coming soon. +Some documentation is available in values.yaml, and a complete configuration guide is coming soon. Choose one of the two options below to install the chart. From 01b4bf66c2d4ee73d9c71d0e937cd60b7cce3c5e Mon Sep 17 00:00:00 2001 From: David Cruz Date: Mon, 30 Mar 2020 23:33:48 -0700 Subject: [PATCH 051/105] Update description and bump version --- charts/matrix/Chart.yaml | 4 ++-- charts/matrix/README.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/matrix/Chart.yaml b/charts/matrix/Chart.yaml index e19aa9a..f3593ef 100644 --- a/charts/matrix/Chart.yaml +++ b/charts/matrix/Chart.yaml 
@@ -1,6 +1,6 @@ apiVersion: v2 name: matrix -description: A Helm chart for Kubernetes +description: A Helm chart to deploy a Matrix homeserver stack into Kubernetes # A chart can be either an 'application' or a 'library' chart. # @@ -14,7 +14,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. -version: 1.0.1 +version: 1.0.2 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. diff --git a/charts/matrix/README.md b/charts/matrix/README.md index 6026404..017d2ea 100644 --- a/charts/matrix/README.md +++ b/charts/matrix/README.md @@ -37,7 +37,7 @@ This chart is published to my Helm chart repository at https://dacruz21.github.i ```yaml dependencies: - name: matrix - version: 1.0.1 + version: 1.0.2 repository: https://dacruz21.github.io/helm-charts ``` 
@@ -61,7 +61,7 @@ helm install matrix . ## Security Helm currently [does not officially support chart signatures created by GPG keys stored on smartcards](https://github.com/helm/helm/issues/2843#issuecomment-379532906). This may change in the future, in which case I will start packaging this chart with the standard `.prov` signatures, but until then signatures must be verified manually. -GPG signatures are available within the chart repo and can be found by appending `.gpg` to the end of the package URL. For example, the signature for v1.0.1 is available at https://dacruz21.github.io/helm-charts/matrix-1.0.1.tgz.gpg. +GPG signatures are available within the chart repo and can be found by appending `.gpg` to the end of the package URL. For example, the signature for v1.0.2 is available at https://dacruz21.github.io/helm-charts/matrix-1.0.2.tgz.gpg. These GPG signatures are signed with the same PGP key that is used to sign commits in this Git repository. The key is available by searching for david@typokign.com on a public keyserver, or by downloading it from my website at https://typokign.com/key.gpg. From 38ce6566a7598bf38421756f94428bb8057ecafc Mon Sep 17 00:00:00 2001 From: David Cruz Date: Sat, 4 Apr 2020 18:19:03 -0700 Subject: [PATCH 052/105] Update Synapse to v1.12.3 --- charts/matrix/Chart.yaml | 4 ++-- charts/matrix/values.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/matrix/Chart.yaml b/charts/matrix/Chart.yaml index f3593ef..a93550b 100644 --- a/charts/matrix/Chart.yaml +++ b/charts/matrix/Chart.yaml 
@@ -14,11 +14,11 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. -version: 1.0.2 +version: 1.0.3 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. -appVersion: 1.12.0 +appVersion: 1.12.3 dependencies: - name: postgresql diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index 233fc38..24fe263 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml @@ -166,7 +166,7 @@ postgresql: synapse: image: repository: "matrixdotorg/synapse" - tag: v1.12.0 + tag: v1.12.3 pullPolicy: IfNotPresent service: type: ClusterIP From e2fafd888ba7d189e1a2e2c7b7ca5aa18e79dc89 Mon Sep 17 00:00:00 2001 From: David Cruz Date: Tue, 7 Apr 2020 18:37:18 -0700 Subject: [PATCH 053/105] Update readme for v1.0.3 --- charts/matrix/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/matrix/README.md b/charts/matrix/README.md index 017d2ea..15799ff 100644 --- a/charts/matrix/README.md +++ b/charts/matrix/README.md @@ -37,7 +37,7 @@ This chart is published to my Helm chart repository at https://dacruz21.github.i ```yaml dependencies: - name: matrix - version: 1.0.2 + version: 1.0.3 repository: https://dacruz21.github.io/helm-charts ``` 
@@ -61,7 +61,7 @@ helm install matrix . ## Security Helm currently [does not officially support chart signatures created by GPG keys stored on smartcards](https://github.com/helm/helm/issues/2843#issuecomment-379532906). This may change in the future, in which case I will start packaging this chart with the standard `.prov` signatures, but until then signatures must be verified manually. -GPG signatures are available within the chart repo and can be found by appending `.gpg` to the end of the package URL. For example, the signature for v1.0.2 is available at https://dacruz21.github.io/helm-charts/matrix-1.0.2.tgz.gpg. +GPG signatures are available within the chart repo and can be found by appending `.gpg` to the end of the package URL. For example, the signature for v1.0.3 is available at https://dacruz21.github.io/helm-charts/matrix-1.0.3.tgz.gpg. These GPG signatures are signed with the same PGP key that is used to sign commits in this Git repository. The key is available by searching for david@typokign.com on a public keyserver, or by downloading it from my website at https://typokign.com/key.gpg. From bd0bdbccf31be675a6fea3ed5e6ce219adc05631 Mon Sep 17 00:00:00 2001 From: Tanner Danzey Date: Sat, 18 Apr 2020 03:14:49 -0500 Subject: [PATCH 054/105] Added port parameter for postgresql --- charts/matrix/templates/synapse/_homeserver.yaml | 5 ++++- charts/matrix/values.yaml | 1 + 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/charts/matrix/templates/synapse/_homeserver.yaml b/charts/matrix/templates/synapse/_homeserver.yaml index fb1228d..9356cc6 100644 --- a/charts/matrix/templates/synapse/_homeserver.yaml +++ b/charts/matrix/templates/synapse/_homeserver.yaml 
@@ -482,11 +482,14 @@ database:
 user: "{{ .Values.postgresql.username }}"
 password: "{{ .Values.postgresql.password }}"
 database: "{{ .Values.postgresql.database }}"
+
 {{- if .Values.postgresql.enabled }}
 host: "{{ include "matrix.fullname" . }}-postgresql"
+ port: "5432"
 {{- else }}
 host: "{{ .Values.postgresql.hostname }}"
- {{- end}}
+ port: "{{ .Values.postgresql.port }}"
+ {{- end }}
 cp_min: 5
 cp_max: 10
diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml
index 24fe263..7b06663 100644
--- a/charts/matrix/values.yaml
+++ b/charts/matrix/values.yaml
@@ -148,6 +148,7 @@ postgresql:
 # Set this if postgresql.enabled = false
 hostname: ""
+ port: 5432
 # Storage to allocate for stable/postgresql
 persistence:
From 7afcdf54cbd3e88bc2263aab91ba7afa317481b6 Mon Sep 17 00:00:00 2001
From: David Cruz
Date: Sat, 25 Apr 2020 16:29:56 -0700
Subject: [PATCH 055/105] Update Synapse -> v1.12.4, Riot -> v1.5.15
---
 charts/matrix/values.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml
index 7b06663..8e0be13 100644
--- a/charts/matrix/values.yaml
+++ b/charts/matrix/values.yaml
@@ -167,7 +167,7 @@ postgresql:
 synapse:
 image:
 repository: "matrixdotorg/synapse"
- tag: v1.12.3
+ tag: v1.12.4
 pullPolicy: IfNotPresent
 service:
 type: ClusterIP
@@ -238,7 +238,7 @@ riot:
 # Riot Kubernetes resource settings
 image:
 repository: "vectorim/riot-web"
- tag: v1.5.14
+ tag: v1.5.15
 pullPolicy: IfNotPresent
 service:
 type: ClusterIP
From 3e6426c85993708588d99ff7386edb7f6c4b6097 Mon Sep 17 00:00:00 2001
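Review bot: The `postgresql.enabled` branch hard-codes `port: "5432"` while the new `postgresql.port` value is read only in the external-server branch, and in the values.yaml hunk of this same commit `port: 5432` sits directly under the `# Set this if postgresql.enabled = false` comment that was written for `hostname`, so nothing tells the reader the value is ignored for the bundled database. I would document that, e.g. `# Port of the external Postgres server; ignored when postgresql.enabled = true (the bundled chart is reached on 5432)`. If the bundled stable/postgresql subchart exposes its service port as a value, reading that in the first branch instead of the literal would keep the two branches symmetrical; confirm against the subchart's values before changing it. The enclosing `database:` mapping starts before this hunk.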
From: David Cruz Date: Sat, 25 Apr 2020 17:08:08 -0700 Subject: [PATCH 056/105] Add IRC Bridge (Credit @danjenkins) Added the official Matrix.org IRC appservice. Thanks to @danjenkins for the majority of this commit! --- charts/matrix/README.md | 1 + charts/matrix/templates/NOTES.txt | 10 + .../matrix/templates/bridge-irc/_config.yaml | 194 ++++++++++++++++++ .../matrix/templates/bridge-irc/_helpers.tpl | 15 ++ .../templates/bridge-irc/configmap.yaml | 29 +++ .../matrix/templates/bridge-irc/data-pvc.yaml | 14 ++ .../templates/bridge-irc/deployment.yaml | 102 +++++++++ .../templates/bridge-irc/network-policy.yaml | 22 ++ .../matrix/templates/bridge-irc/service.yaml | 18 ++ charts/matrix/templates/bridges-pvc.yaml | 2 +- .../postgresql/initdb-configmap.yaml | 10 + .../matrix/templates/synapse/_homeserver.yaml | 5 +- .../matrix/templates/synapse/deployment.yaml | 4 +- charts/matrix/values.yaml | 34 ++- 14 files changed, 455 insertions(+), 5 deletions(-) create mode 100644 charts/matrix/templates/bridge-irc/_config.yaml create mode 100644 charts/matrix/templates/bridge-irc/_helpers.tpl create mode 100644 charts/matrix/templates/bridge-irc/configmap.yaml create mode 100644 charts/matrix/templates/bridge-irc/data-pvc.yaml create mode 100644 charts/matrix/templates/bridge-irc/deployment.yaml create mode 100644 charts/matrix/templates/bridge-irc/network-policy.yaml create mode 100644 charts/matrix/templates/bridge-irc/service.yaml diff --git a/charts/matrix/README.md b/charts/matrix/README.md index 15799ff..8ce60ca 100644 --- a/charts/matrix/README.md +++ b/charts/matrix/README.md 
@@ -9,6 +9,7 @@ A Helm chart for deploying a Matrix homeserver stack in Kubernetes. - (Optional) Choice of lightweight Exim relay or external mail server for email notifications - (Optional) Coturn TURN server for VoIP calls - (Optional) PostgreSQL cluster via stable/postgresql chart +- (Optional) [matrix-org/matrix-appservice-irc](https://github.com/matrix-org/matrix-appservice-irc) IRC bridge - (Optional) [tulir/mautrix-whatsapp](https://github.com/tulir/mautrix-whatsapp) WhatsApp bridge - (Optional) [Half-Shot/matrix-appservice-discord](https://github.com/Half-Shot/matrix-appservice-discord) Discord bridge - Fully configurable via values.yaml diff --git a/charts/matrix/templates/NOTES.txt b/charts/matrix/templates/NOTES.txt index 30857dd..a91e3f1 100644 --- a/charts/matrix/templates/NOTES.txt +++ b/charts/matrix/templates/NOTES.txt @@ -15,6 +15,9 @@ Installed components: {{- if .Values.mail.relay.enabled }} - Exim Relay ({{ .Values.mail.relay.image.repository }}) {{- end }} +{{- if .Values.bridges.irc.enabled }} + - IRC Bridge ({{ .Values.bridges.irc.image.repository }}) +{{- end }} {{- if .Values.bridges.whatsapp.enabled }} - WhatsApp Bridge ({{ .Values.bridges.whatsapp.image.repository }}) {{- end }} @@ -31,6 +34,13 @@ Your Riot Web instance should soon be available at https://{{ .Values.ingress.ho {{- end }} {{- end }} +{{ if .Values.bridges.irc.enabled }} +The IRC bridge has been enabled! + +You can now join IRC channels on any servers you have configured by joining #:{{ .Values.matrix.serverName }}. +For more information, check out the official documentation at https://github.com/matrix-org/matrix-appservice-irc +{{- end }} + {{ if .Values.bridges.whatsapp.enabled }} The WhatsApp bridge has been enabled! diff --git a/charts/matrix/templates/bridge-irc/_config.yaml b/charts/matrix/templates/bridge-irc/_config.yaml new file mode 100644 index 0000000..9aef9ac --- /dev/null +++ b/charts/matrix/templates/bridge-irc/_config.yaml 
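Review bot: The new NOTES paragraph tells the user to join `#:{{ .Values.matrix.serverName }}`, which as rendered has nothing between `#` and `:`; if a placeholder for the network and channel was lost here, the example alias is unusable and should match the alias namespace the registration reserves (`#irc_.*:`), something like `joining #irc_NETWORK_CHANNEL:{{ .Values.matrix.serverName }}` with the placeholders spelled out. The paragraph would also help readers more if it mentioned that the registration is only loaded by Synapse when Synapse (re)starts, as far as I can tell from how `/bridges/irc.yaml` is consumed, since someone following these notes right after an upgrade otherwise has no clue why joins fail. The surrounding NOTES template continues outside this hunk.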
@@ -0,0 +1,194 @@ +{{- define "matrix.irc.config" }} +homeserver: + # The URL to the home server for client-server API calls, also used to form the + # media URLs as displayed in bridged IRC channels: + url: "{{ include "matrix.baseUrl" . }}" + # + # The URL of the homeserver hosting media files. This is only used to transform + # mxc URIs to http URIs when bridging m.room.[file|image] events. Optional. By + # default, this is the homeserver URL, specified above. + # + # media_url: "http://media.repo:8008" + + # Drop Matrix messages which are older than this number of seconds, according to + # the event's origin_server_ts. + # If the bridge is down for a while, the homeserver will attempt to send all missed + # events on reconnection. These events may be hours old, which can be confusing to + # IRC users if they are then bridged. This option allows these old messages to be + # dropped. + # CAUTION: This is a very coarse heuristic. Federated homeservers may have different + # clock times and hence produce different origin_server_ts values, which may be old + # enough to cause *all* events from the homeserver to be dropped. + # Default: 0 (don't ever drop) + # dropMatrixMessagesAfterSecs: 300 # 5 minutes + + # The 'domain' part for user IDs on this home server. Usually (but not always) + # is the "domain name" part of the HS URL. + domain: "{{ .Values.matrix.serverName }}" + + # Should presence be enabled for matrix clients on this bridge. If disabled on the + # homeserver then it should also be disabled here to avoid excess traffic. + # Default: true + enablePresence: {{ .Values.bridges.irc.presence }} + + # Which port should the appservice bind to. Takes priority over the one provided in the + # command line! Optional. + bindPort: 9006 + + # Use this option to force the appservice to listen on another hostname for transactions. + # This is NOT your synapse hostname. E.g. use 127.0.0.1 to only listen locally. Optional. 
+ bindHostname: 0.0.0.0 + +# Configuration specific to the IRC service +ircService: + servers: + {{ toYaml .Values.bridges.irc.servers | nindent 4 }} + # Set information about the bridged channel in the room state, so that client's may + # present relevant UI to the user. MSC2346 + bridgeInfoState: + enabled: false + initial: false + # Configuration for an ident server. If you are running a public bridge it is + # advised you setup an ident server so IRC mods can ban specific matrix users + # rather than the application service itself. + ident: + # True to listen for Ident requests and respond with the + # matrix user's user_id (converted to ASCII, respecting RFC 1413). + # Default: false. + enabled: false + # The port to listen on for incoming ident requests. + # Ports below 1024 require root to listen on, and you may not want this to + # run as root. Instead, you can get something like an Apache to yank up + # incoming requests to 113 to a high numbered port. Set the port to listen + # on instead of 113 here. + # Default: 113. + port: 1113 + # The address to listen on for incoming ident requests. + # Default: 0.0.0.0 + address: "::" + + # Configuration for logging. Optional. Default: console debug level logging + # only. + logging: + # Level to log on console/logfile. One of error|warn|info|debug + level: "debug" + # The file location to log to. This is relative to the project directory. + logfile: "/data/debug.log" + # The file location to log errors to. This is relative to the project + # directory. + errfile: "/data/errors.log" + # Whether to log to the console or not. + toConsole: true + # The max number of files to keep. Files will be overwritten eventually due + # to rotations. + maxFiles: 5 + + # Metrics will then be available via GET /metrics on the bridge listening port (-p). + metrics: + # Whether to actually enable the metric endpoint. 
Default: false + enabled: false {{/* TODO: Enable this when Prometheus support added */}} + # When collecting remote user active times, which "buckets" should be used. Defaults are given below. + # The bucket name is formed of a duration and a period. (h=hours,d=days,w=weeks). + remoteUserAgeBuckets: + - "1h" + - "1d" + - "1w" + + # Configuration options for the debug HTTP API. To access this API, you must + # append ?access_token=$APPSERVICE_TOKEN (from the registration file) to the requests. + # + # The debug API exposes the following endpoints: + # + # GET /irc/$domain/user/$user_id => Return internal state for the IRC client for this user ID. + # + # POST /irc/$domain/user/$user_id => Issue a raw IRC command down this connection. + # Format: new line delimited commands as per IRC protocol. + # + debugApi: + # True to enable the HTTP API endpoint. Default: false. + enabled: false + # The port to host the HTTP API. + port: 11100 + + # Configuration for the provisioning API. + # + # GET /_matrix/provision/link + # GET /_matrix/provision/unlink + # GET /_matrix/provision/listlinks + # + provisioning: + # True to enable the provisioning HTTP endpoint. Default: false. + enabled: false + # The number of seconds to wait before giving up on getting a response from + # an IRC channel operator. If the channel operator does not respond within the + # allotted time period, the provisioning request will fail. + # Default: 300 seconds (5 mins) + requestTimeoutSeconds: 300 + # A file defining the provisioning rules for rooms. Format is documented + # in rules.sample.yaml. Leave undefined to not specify any rules. + ruleFile: "./provisioning.rules.yaml" + # Watch the file for changes, and apply the rules. Default: false + enableReload: true + + # WARNING: The bridge needs to send plaintext passwords to the IRC server, it cannot + # send a password hash. As a result, passwords (NOT hashes) are stored encrypted in + # the database. 
+ # + # To generate a .pem file: + # $ openssl genpkey -out passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048 + # + # The path to the RSA PEM-formatted private key to use when encrypting IRC passwords + # for storage in the database. Passwords are stored by using the admin room command + # `!storepass server.name passw0rd. When a connection is made to IRC on behalf of + # the Matrix user, this password will be sent as the server password (PASS command). + passwordEncryptionKeyPath: "/data/passkey.pem" + + # Config for Matrix -> IRC bridging + matrixHandler: + # Cache this many matrix events in memory to be used for m.relates_to messages (usually replies). + eventCacheSize: 4096 + + ircHandler: + # How many /leave requests can be ongoing at a time. + # This is used to stem the flow of requests in case of a mass quit/leave, which might + # slow down the homeserver. + leaveConcurrency: 10 + # Should we attempt to match an IRC side mention (nickaname match) + # with the nickname's owner's matrixId, if we are bridging them? + # "on" - Defaults to enabled, users can choose to disable. + # "off" - Defaults to disabled, users can choose to enable. + # "force-off" - Disabled, cannot be enabled. + mapIrcMentionsToMatrix: "on" # This can be "on", "off", "force-off". +# Options here are generally only applicable to large-scale bridges and may have +# consequences greater than other options in this configuration file. +advanced: + # The maximum number of HTTP(S) sockets to maintain. Usually this is unlimited + # however for large bridges it is important to rate limit the bridge to avoid + # accidentally overloading the homeserver. Defaults to 1000, which should be + # enough for the vast majority of use cases. + maxHttpSockets: 1000 + # Max size of an appservice transaction payload, in bytes. Defaults to 10Mb + maxTxnSize: 10000000 + +# Capture information to a sentry.io instance +sentry: + enabled: false + dsn: "https://@sentry.io/" + # Optional. 
A tag to specify the production environment. Not set by default + # environment: "" + # Optional. A tag to specify the server name. Not set by default + # serverName: "" + +# Use an external database to store bridge state. +database: + # database engine (must be 'postgres' or 'nedb'). Default: nedb + engine: "postgres" + # Either a PostgreSQL connection string, or a path to the NeDB storage directory. + # For postgres, it must start with postgres:// + # For NeDB, it must start with nedb://. The path is relative to the project directory. + {{- if .Values.postgresql.enabled }} + connectionString: "postgres://{{ .Values.postgresql.username }}:{{ .Values.postgresql.password }}@{{ include "matrix.fullname" . }}-postgresql/{{ .Values.bridges.irc.database }}" + {{- else }} + connectionString: "postgres://{{ .Values.postgresql.username }}:{{ .Values.postgresql.password }}@{{ .Values.postgresql.hostname }}:{{ .Values.postgresql.port }}/{{ .Values.bridges.irc.database }}" + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/matrix/templates/bridge-irc/_helpers.tpl b/charts/matrix/templates/bridge-irc/_helpers.tpl new file mode 100644 index 0000000..6024e43 --- /dev/null +++ b/charts/matrix/templates/bridge-irc/_helpers.tpl @@ -0,0 +1,15 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Shared secret for the irc server +*/}} +{{- define "matrix.irc.as_token" -}} +{{- randAlphaNum 64 -}} +{{- end }} + +{{- define "matrix.irc.hs_token" -}} +{{- randAlphaNum 64 -}} +{{- end }} + +{{- define "matrix.irc.passkey" -}} +{{- genPrivateKey "rsa" -}} +{{- end -}} \ No newline at end of file diff --git a/charts/matrix/templates/bridge-irc/configmap.yaml b/charts/matrix/templates/bridge-irc/configmap.yaml new file mode 100644 index 0000000..706d950 --- /dev/null +++ b/charts/matrix/templates/bridge-irc/configmap.yaml 
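Review bot: Both `connectionString` lines at the end of the hunk interpolate `.Values.postgresql.username` and `.Values.postgresql.password` verbatim into a URL, so a password containing `@`, `/`, `:` or `#` yields a string the bridge cannot parse, and because `matrix.irc.config` is rendered into a ConfigMap by `bridge-irc/configmap.yaml` in this commit, the database password lands in a non-secret object readable by anyone with ConfigMap read access in the namespace. Percent-encoding the credentials, `{{ .Values.postgresql.username | urlquery }}:{{ .Values.postgresql.password | urlquery }}`, fixes the parsing problem; moving `config.yaml` into a Secret (or feeding the connection string from a Secret-backed environment variable) addresses the exposure. `bindHostname: 0.0.0.0` and `bindPort: 9006` are acceptable since Synapse must reach the bridge, but they duplicate the `containerPort` in the Deployment; a comment such as `# must match containerPort in bridge-irc/deployment.yaml` would record the coupling.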
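Review bot: `matrix.irc.as_token`, `matrix.irc.hs_token` and `matrix.irc.passkey` produce a fresh value on every template render (`randAlphaNum 64`, `genPrivateKey "rsa"`) and nothing persists them, so every `helm upgrade` rotates the appservice tokens and the RSA key; as consumed by `bridge-irc/configmap.yaml` in this commit that means a new registration file per upgrade, which Synapse, as far as I can tell, only reads at startup, and a new `passkey.pem`, which makes IRC passwords the bridge encrypted under the previous key unreadable. The usual remedy is to generate these once into a Secret and keep them stable across upgrades (Helm 3's `lookup` can reuse an existing Secret, or the values can be supplied by the operator). At minimum the header comment `Shared secret for the irc server` should state the behaviour, e.g. `Regenerated on every render; not stable across upgrades. Used by bridge-irc/configmap.yaml.`, and the same caveat belongs above the `hs_token` and `passkey` defines, which currently have no comment at all.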
@@ -0,0 +1,29 @@
+{{- if .Values.bridges.irc.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "matrix.fullname" . }}-irc-config
+ labels:
+ {{ include "matrix.labels" . | nindent 4}}
+data:
+ config.yaml: |
+ {{ include "matrix.irc.config" . | nindent 4 }}
+ registration.yaml: |
+ id: appservice-irc
+ as_token: "{{ include "matrix.irc.as_token" . }}"
+ hs_token: "{{ include "matrix.irc.hs_token" . }}"
+ namespaces:
+ users:
+ - exclusive: true
+ regex: '@irc_.*:{{ include "matrix.fullname" . }}'
+ aliases:
+ - exclusive: true
+ regex: '#irc_.*:{{ include "matrix.fullname" . }}'
+ url: "http://{{ include "matrix.fullname" . }}-bridge-irc:{{ .Values.bridges.irc.service.port }}"
+ sender_localpart: irc_bot
+ rate_limited: false
+ protocols:
+ - irc
+ passkey.pem: |
+ {{ include "matrix.irc.passkey" . | nindent 4 }}
+{{- end }}
diff --git a/charts/matrix/templates/bridge-irc/data-pvc.yaml b/charts/matrix/templates/bridge-irc/data-pvc.yaml
new file mode 100644
index 0000000..26f3f0a
--- /dev/null
+++ b/charts/matrix/templates/bridge-irc/data-pvc.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.bridges.irc.enabled }}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: {{ include "matrix.fullname" . }}-irc-data
+ labels:
+ {{ include "matrix.labels" . | nindent 4}}
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: {{ .Values.bridges.irc.data.capacity }}
+{{- end }}
diff --git a/charts/matrix/templates/bridge-irc/deployment.yaml b/charts/matrix/templates/bridge-irc/deployment.yaml
new file mode 100644
index 0000000..a7b80f4
--- /dev/null
+++ b/charts/matrix/templates/bridge-irc/deployment.yaml
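Review bot: The `users` and `aliases` namespace regexes end in `:{{ include "matrix.fullname" . }}`, i.e. the Helm release name, while `bridge-irc/_config.yaml` in this commit tells the bridge its user domain is `{{ .Values.matrix.serverName }}`; whenever the two differ, which is the normal case because a release name is not a DNS domain, the namespace does not cover the `@irc_…:serverName` users the bridge creates and Synapse will not recognise them as belonging to this appservice. Both lines should use the server name, with its dots escaped since the value is a regex: `regex: '@irc_.*:{{ .Values.matrix.serverName | replace "." "\\." }}'` and the matching `#irc_.*:` alias line. Separately, `as_token`, `hs_token` and `passkey.pem` are credentials, so `registration.yaml` and `passkey.pem` belong in a Secret rather than this ConfigMap; the Deployment can mount a Secret at `/load` exactly as it mounts this ConfigMap today.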
@@ -0,0 +1,102 @@ +{{- if .Values.bridges.irc.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "matrix.fullname" . }}-bridge-irc + labels: + {{ include "matrix.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.bridges.irc.replicaCount }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "matrix.name" . }}-bridge-irc + app.kubernetes.io/instance: {{ .Release.Name }} + matrix-chart/allow-synapse-access: allow + template: + metadata: + annotations: + # re-roll deployment on config change + checksum/irc-config: {{ include (print $.Template.BasePath "/bridge-irc/configmap.yaml") . | sha256sum }} + labels: + app.kubernetes.io/name: {{ include "matrix.name" . }}-bridge-irc + app.kubernetes.io/instance: {{ .Release.Name }} + matrix-chart/allow-synapse-access: allow + spec: + {{- if .Values.bridges.affinity }} + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app.kubernetes.io/name + operator: In + values: + - {{ include "matrix.name" . }}-synapse + - key: app.kubernetes.io/instance + operator: In + values: + - {{ .Release.Name }} + topologyKey: kubernetes.io/hostname + {{- end }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . 
| nindent 8 }} + {{- end }} + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + initContainers: + - name: "load-config" + image: "{{ .Values.bridges.irc.image.repository }}:{{ .Values.bridges.irc.image.tag }}" + imagePullPolicy: {{ .Values.bridges.irc.image.pullPolicy }} +{{/* command: ["sleep"]*/}} +{{/* args: ["10000"]*/}} + command: ["sh"] + args: ["-c", "cp /load/registration.yaml /data/appservice-registration-irc.yaml; cp /load/passkey.pem /data/passkey.pem; cp /load/config.yaml /data/config.yaml; cp /load/registration.yaml /bridges/irc.yaml"] + volumeMounts: + - name: data + mountPath: /data + - name: bridges + mountPath: /bridges + - name: config + mountPath: /load + readOnly: true + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + containers: + - name: "bridge-irc" + image: "{{ .Values.bridges.irc.image.repository }}:{{ .Values.bridges.irc.image.tag }}" + imagePullPolicy: {{ .Values.bridges.irc.image.pullPolicy }} + ports: + - name: bridge + containerPort: 9006 + protocol: TCP + volumeMounts: + - name: data + mountPath: /data + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + {{- with .Values.bridges.irc.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + volumes: + - name: data + persistentVolumeClaim: + claimName: "{{ include "matrix.fullname" . }}-irc-data" + - name: config + configMap: + name: "{{ include "matrix.fullname" . }}-irc-config" + - name: bridges + persistentVolumeClaim: + claimName: "{{ include "matrix.fullname" . }}-bridges" + {{- end }} diff --git a/charts/matrix/templates/bridge-irc/network-policy.yaml b/charts/matrix/templates/bridge-irc/network-policy.yaml new file mode 100644 index 0000000..7d74e21 --- /dev/null +++ b/charts/matrix/templates/bridge-irc/network-policy.yaml 
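Review bot: The two commented-out debug lines `{{/* command: ["sleep"]*/}}` and `{{/* args: ["10000"]*/}}` above `command: ["sh"]` in the init container are leftovers and should be dropped rather than shipped in the chart. The pod mounts the ReadWriteOnce `-irc-data` claim under the Deployment's default rolling-update strategy, so an upgrade (which this commit makes likely on every release, since `checksum/irc-config` hashes a ConfigMap whose tokens are freshly generated each render) starts the new pod while the old one still holds the volume and can stall on a multi-node cluster; `strategy:` with `type: Recreate` under `spec:` avoids that. Because the bridge keeps each user's IRC connection in one process, a `replicaCount` above 1 would presumably double-connect every user; if that is right, the values.yaml comment should say the value must stay at 1. The security context is good (UID/GID 1000, `ALL` capabilities dropped, read-only root filesystem, no privilege escalation); adding `runAsNonRoot: true` to the pod `securityContext` makes the non-root requirement enforced by the kubelet instead of implied by the numeric UID.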
@@ -0,0 +1,22 @@
+{{- if and .Values.networkPolicies.enabled .Values.bridges.irc.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "matrix.fullname" . }}-bridge-irc
+ labels:
+ {{ include "matrix.labels" . | nindent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "matrix.fullname" . }}-bridge-irc
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "matrix.name" . }}-synapse
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ ports:
+ - port: bridge
+ protocol: TCP
+{{- end }}
diff --git a/charts/matrix/templates/bridge-irc/service.yaml b/charts/matrix/templates/bridge-irc/service.yaml
new file mode 100644
index 0000000..088b4a8
--- /dev/null
+++ b/charts/matrix/templates/bridge-irc/service.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.bridges.irc.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "matrix.fullname" . }}-bridge-irc
+ labels:
+ {{ include "matrix.labels" . | nindent 4 }}
+spec:
+ type: {{ .Values.bridges.irc.service.type }}
+ ports:
+ - port: {{ .Values.bridges.irc.service.port }}
+ targetPort: bridge
+ protocol: TCP
+ name: bridge
+ selector:
+ app.kubernetes.io/name: {{ include "matrix.name" . }}-bridge-irc
+ app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
diff --git a/charts/matrix/templates/bridges-pvc.yaml b/charts/matrix/templates/bridges-pvc.yaml
index d026976..e3a490a 100644
--- a/charts/matrix/templates/bridges-pvc.yaml
+++ b/charts/matrix/templates/bridges-pvc.yaml
@@ -1,4 +1,4 @@
-{{- if or .Values.bridges.whatsapp.enabled .Values.bridges.discord.enabled }}
+{{- if or .Values.bridges.whatsapp.enabled .Values.bridges.discord.enabled .Values.bridges.irc.enabled }}
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
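Review bot: `spec.podSelector` matches `app.kubernetes.io/name: {{ include "matrix.fullname" . }}-bridge-irc`, but the Deployment in this commit labels the bridge pods `{{ include "matrix.name" . }}-bridge-irc`, and the ingress rule a few lines below already uses `matrix.name` for Synapse; whenever the release name differs from the chart name the selector matches nothing, the policy silently applies to no pod, and the bridge stays reachable from the whole namespace even with `networkPolicies.enabled`. The fix is `app.kubernetes.io/name: {{ include "matrix.name" . }}-bridge-irc` on the podSelector line, plus a comment above `podSelector:` such as `# must match the pod labels in bridge-irc/deployment.yaml` so the two files do not drift again. Adding `policyTypes:` with `- Ingress` makes explicit that egress is deliberately left open (the bridge needs outbound IRC).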
diff --git a/charts/matrix/templates/postgresql/initdb-configmap.yaml b/charts/matrix/templates/postgresql/initdb-configmap.yaml index d83d97e..2c060a3 100644 --- a/charts/matrix/templates/postgresql/initdb-configmap.yaml +++ b/charts/matrix/templates/postgresql/initdb-configmap.yaml @@ -17,4 +17,14 @@ data: LC_CTYPE='C' template=template0 OWNER {{ .Values.postgresql.username }}; + {{- if .Values.bridges.irc.enabled }} + {{/* Scripts are run in alphabetical order */}} + zzz_irc.sql: | + CREATE DATABASE {{ .Values.bridges.irc.database }} + ENCODING 'UTF8' + LC_COLLATE='C' + LC_CTYPE='C' + template=template0 + OWNER {{ .Values.postgresql.username }}; + {{- end }} {{- end }} diff --git a/charts/matrix/templates/synapse/_homeserver.yaml b/charts/matrix/templates/synapse/_homeserver.yaml index 9356cc6..8112001 100644 --- a/charts/matrix/templates/synapse/_homeserver.yaml +++ b/charts/matrix/templates/synapse/_homeserver.yaml @@ -1004,7 +1004,7 @@ report_stats: {{ .Values.matrix.telemetry }} # A list of application service config files to use # -{{- if or .Values.bridges.whatsapp.enabled .Values.bridges.discord.enabled }} +{{- if or .Values.bridges.whatsapp.enabled .Values.bridges.discord.enabled .Values.bridges.irc.enabled }} app_service_config_files: {{- end }} {{- if .Values.bridges.whatsapp.enabled }} @@ -1013,6 +1013,9 @@ app_service_config_files: {{- if .Values.bridges.discord.enabled }} - "/bridges/discord.yaml" {{- end }} +{{- if .Values.bridges.irc.enabled }} + - "/bridges/irc.yaml" +{{- end }} # Uncomment to enable tracking of application service IP addresses. Implicitly # enables MAU tracking for application service users. diff --git a/charts/matrix/templates/synapse/deployment.yaml b/charts/matrix/templates/synapse/deployment.yaml index 789335a..870a2cf 100644 --- a/charts/matrix/templates/synapse/deployment.yaml +++ b/charts/matrix/templates/synapse/deployment.yaml 
@@ -73,7 +73,7 @@ spec: mountPath: /data/keys - name: media-store mountPath: /data/media_store - {{- if or .Values.bridges.whatsapp.enabled .Values.bridges.discord.enabled }} + {{- if or .Values.bridges.whatsapp.enabled .Values.bridges.discord.enabled .Values.bridges.irc.enabled }} - name: bridges mountPath: /bridges readOnly: true @@ -110,7 +110,7 @@ spec: - name: media-store persistentVolumeClaim: claimName: {{ include "matrix.fullname" . }}-media-store - {{- if or .Values.bridges.whatsapp.enabled .Values.bridges.discord.enabled }} + {{- if or .Values.bridges.whatsapp.enabled .Values.bridges.discord.enabled .Values.bridges.irc.enabled }} - name: bridges persistentVolumeClaim: claimName: {{ include "matrix.fullname" . }}-bridges diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index 8e0be13..aeddfe1 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml @@ -154,7 +154,7 @@ postgresql: persistence: size: 8Gi - # If postgresql.enabled, stable/postgresql will run the scripts in templates/postgresql/initdb.yaml + # If postgresql.enabled, stable/postgresql will run the scripts in templates/postgresql/initdb-configmap.yaml # If using an external Postgres server, make sure to configure the database as specified at https://github.com/matrix-org/synapse/blob/master/docs/postgres.md initdbScriptsConfigMap: "{{ .Release.Name }}-postgresql-initdb" 
@@ -323,6 +323,38 @@ mail: requireTransportSecurity: true bridges: + irc: + # Set to true to enable the IRC bridge + enabled: false + # Whether to enable presence (online/offline indicators). If presence is disabled for the homeserver (above), it should be disabled here too + presence: false + # Name of Postgres database to store IRC bridge data in, this database will be created if the included Postgres chart is enabled, otherwise you must create it manually + database: "matrix_irc" + + # Object of IRC servers to connect to, see https://github.com/matrix-org/matrix-appservice-irc/blob/master/config.sample.yaml for config options + servers: + chat.freenode.net: + # A human-readable short name. + name: "Freenode" + # The port to connect to. Optional. + port: 6697 + # Whether to use SSL or not. Default: false. + ssl: true + + data: + # Size of the data PVC to allocate + capacity: 1Mi + + image: + repository: "matrixdotorg/matrix-appservice-irc" + tag: "release-0.16.0" + pullPolicy: IfNotPresent + replicaCount: 1 + resources: {} + service: + type: ClusterIP + port: 9006 + whatsapp: # Set to true to enable the WhatsApp bridge enabled: false From ed887044580ab38bacef21babc52589266a4aab5 Mon Sep 17 00:00:00 2001 From: David Cruz Date: Sat, 25 Apr 2020 18:03:57 -0700 Subject: [PATCH 057/105] Release v1.1.0 --- charts/matrix/Chart.yaml | 5 +++-- charts/matrix/README.md | 4 ++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/charts/matrix/Chart.yaml b/charts/matrix/Chart.yaml index a93550b..9de9dd5 100644 --- a/charts/matrix/Chart.yaml +++ b/charts/matrix/Chart.yaml @@ -1,6 +1,7 @@ apiVersion: v2 name: matrix description: A Helm chart to deploy a Matrix homeserver stack into Kubernetes +icon: "https://dacruz21.github.io/helm-charts/icons/matrix.svg" # A chart can be either an 'application' or a 'library' chart. # 
@@ -14,11 +15,11 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. -version: 1.0.3 +version: 1.1.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. -appVersion: 1.12.3 +appVersion: 1.12.4 dependencies: - name: postgresql diff --git a/charts/matrix/README.md b/charts/matrix/README.md index 8ce60ca..5225b9d 100644 --- a/charts/matrix/README.md +++ b/charts/matrix/README.md @@ -38,7 +38,7 @@ This chart is published to my Helm chart repository at https://dacruz21.github.i ```yaml dependencies: - name: matrix - version: 1.0.3 + version: 1.1.0 repository: https://dacruz21.github.io/helm-charts ``` @@ -62,7 +62,7 @@ helm install matrix . ## Security Helm currently [does not officially support chart signatures created by GPG keys stored on smartcards](https://github.com/helm/helm/issues/2843#issuecomment-379532906). This may change in the future, in which case I will start packaging this chart with the standard `.prov` signatures, but until then signatures must be verified manually. -GPG signatures are available within the chart repo and can be found by appending `.gpg` to the end of the package URL. For example, the signature for v1.0.3 is available at https://dacruz21.github.io/helm-charts/matrix-1.0.3.tgz.gpg. +GPG signatures are available within the chart repo and can be found by appending `.gpg` to the end of the package URL. For example, the signature for v1.1.0 is available at https://dacruz21.github.io/helm-charts/matrix-1.1.0.tgz.gpg. These GPG signatures are signed with the same PGP key that is used to sign commits in this Git repository. The key is available by searching for david@typokign.com on a public keyserver, or by downloading it from my website at https://typokign.com/key.gpg. 
From 575df59213bb8df70e05e92db4bae520860e0a46 Mon Sep 17 00:00:00 2001 From: David Cruz Date: Sat, 25 Apr 2020 18:09:56 -0700 Subject: [PATCH 058/105] Release v1.1.1 --- charts/matrix/Chart.yaml | 10 +++++++++- charts/matrix/README.md | 4 ++-- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/charts/matrix/Chart.yaml b/charts/matrix/Chart.yaml index 9de9dd5..1df0d75 100644 --- a/charts/matrix/Chart.yaml +++ b/charts/matrix/Chart.yaml @@ -2,6 +2,9 @@ apiVersion: v2 name: matrix description: A Helm chart to deploy a Matrix homeserver stack into Kubernetes icon: "https://dacruz21.github.io/helm-charts/icons/matrix.svg" +home: "https://github.com/dacruz21/matrix-chart" +sources: + - "https://github.com/dacruz21/matrix-chart" # A chart can be either an 'application' or a 'library' chart. # @@ -15,12 +18,17 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. -version: 1.1.0 +version: 1.1.1 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. appVersion: 1.12.4 +maintainers: + - name: "David Cruz" + email: "david@typokign.com" + url: "https://github.com/dacruz21/" + dependencies: - name: postgresql version: 8.0.0 diff --git a/charts/matrix/README.md b/charts/matrix/README.md index 5225b9d..649f8ea 100644 --- a/charts/matrix/README.md +++ b/charts/matrix/README.md @@ -38,7 +38,7 @@ This chart is published to my Helm chart repository at https://dacruz21.github.i ```yaml dependencies: - name: matrix - version: 1.1.0 + version: 1.1.1 repository: https://dacruz21.github.io/helm-charts ``` 
@@ -62,7 +62,7 @@ helm install matrix . ## Security Helm currently [does not officially support chart signatures created by GPG keys stored on smartcards](https://github.com/helm/helm/issues/2843#issuecomment-379532906). This may change in the future, in which case I will start packaging this chart with the standard `.prov` signatures, but until then signatures must be verified manually. -GPG signatures are available within the chart repo and can be found by appending `.gpg` to the end of the package URL. For example, the signature for v1.1.0 is available at https://dacruz21.github.io/helm-charts/matrix-1.1.0.tgz.gpg. +GPG signatures are available within the chart repo and can be found by appending `.gpg` to the end of the package URL. For example, the signature for v1.1.1 is available at https://dacruz21.github.io/helm-charts/matrix-1.1.1.tgz.gpg. These GPG signatures are signed with the same PGP key that is used to sign commits in this Git repository. The key is available by searching for david@typokign.com on a public keyserver, or by downloading it from my website at https://typokign.com/key.gpg. From 08592c741820abb90fc3b804c1fe02f6ef100cd7 Mon Sep 17 00:00:00 2001 From: David Cruz Date: Fri, 8 May 2020 16:52:58 -0700 Subject: [PATCH 059/105] Update Riot -> v1.6.0 and update labs --- charts/matrix/Chart.yaml | 2 +- charts/matrix/README.md | 4 ++-- charts/matrix/values.yaml | 7 ++++--- 3 files changed, 7 insertions(+), 6 deletions(-) diff --git a/charts/matrix/Chart.yaml b/charts/matrix/Chart.yaml index 1df0d75..aa3a074 100644 --- a/charts/matrix/Chart.yaml +++ b/charts/matrix/Chart.yaml 
@@ -18,7 +18,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. -version: 1.1.1 +version: 1.1.2 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. diff --git a/charts/matrix/README.md b/charts/matrix/README.md index 649f8ea..8ce6348 100644 --- a/charts/matrix/README.md +++ b/charts/matrix/README.md @@ -38,7 +38,7 @@ This chart is published to my Helm chart repository at https://dacruz21.github.i ```yaml dependencies: - name: matrix - version: 1.1.1 + version: 1.1.2 repository: https://dacruz21.github.io/helm-charts ``` @@ -62,7 +62,7 @@ helm install matrix . ## Security Helm currently [does not officially support chart signatures created by GPG keys stored on smartcards](https://github.com/helm/helm/issues/2843#issuecomment-379532906). This may change in the future, in which case I will start packaging this chart with the standard `.prov` signatures, but until then signatures must be verified manually. -GPG signatures are available within the chart repo and can be found by appending `.gpg` to the end of the package URL. For example, the signature for v1.1.1 is available at https://dacruz21.github.io/helm-charts/matrix-1.1.1.tgz.gpg. +GPG signatures are available within the chart repo and can be found by appending `.gpg` to the end of the package URL. For example, the signature for v1.1.2 is available at https://dacruz21.github.io/helm-charts/matrix-1.1.2.tgz.gpg. These GPG signatures are signed with the same PGP key that is used to sign commits in this Git repository. The key is available by searching for david@typokign.com on a public keyserver, or by downloading it from my website at https://typokign.com/key.gpg. diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index aeddfe1..1bc6743 100644 
--- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml @@ -222,8 +222,9 @@ riot: - feature_many_integration_managers - feature_mjolnir - feature_dm_verification - - feature_cross_signing - - feature_event_indexing + - feature_bridge_state + - feature_presence_in_room_list + - feature_custom_themes # Servers to show in the Explore menu (the current server is always shown) roomDirectoryServers: @@ -238,7 +239,7 @@ riot: # Riot Kubernetes resource settings image: repository: "vectorim/riot-web" - tag: v1.5.15 + tag: v1.6.0 pullPolicy: IfNotPresent service: type: ClusterIP From 62d58a5b0633b36f965ead417264f3fdb05982ca Mon Sep 17 00:00:00 2001 From: David Cruz Date: Tue, 19 May 2020 13:06:44 -0700 Subject: [PATCH 060/105] Update Synapse -> 1.13, Riot -> 1.6.1 --- charts/matrix/Chart.yaml | 4 ++-- charts/matrix/README.md | 4 ++-- charts/matrix/values.yaml | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/charts/matrix/Chart.yaml b/charts/matrix/Chart.yaml index aa3a074..0304af4 100644 --- a/charts/matrix/Chart.yaml +++ b/charts/matrix/Chart.yaml @@ -18,11 +18,11 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. -version: 1.1.2 +version: 1.2.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. -appVersion: 1.12.4 +appVersion: 1.13.0 maintainers: - name: "David Cruz" diff --git a/charts/matrix/README.md b/charts/matrix/README.md index 8ce6348..c92b75c 100644 --- a/charts/matrix/README.md +++ b/charts/matrix/README.md @@ -38,7 +38,7 @@ This chart is published to my Helm chart repository at https://dacruz21.github.i ```yaml dependencies: - name: matrix - version: 1.1.2 + version: 1.2.0 repository: https://dacruz21.github.io/helm-charts ``` 
@@ -62,7 +62,7 @@ helm install matrix . ## Security Helm currently [does not officially support chart signatures created by GPG keys stored on smartcards](https://github.com/helm/helm/issues/2843#issuecomment-379532906). This may change in the future, in which case I will start packaging this chart with the standard `.prov` signatures, but until then signatures must be verified manually. -GPG signatures are available within the chart repo and can be found by appending `.gpg` to the end of the package URL. For example, the signature for v1.1.2 is available at https://dacruz21.github.io/helm-charts/matrix-1.1.2.tgz.gpg. +GPG signatures are available within the chart repo and can be found by appending `.gpg` to the end of the package URL. For example, the signature for v1.2.0 is available at https://dacruz21.github.io/helm-charts/matrix-1.2.0.tgz.gpg. These GPG signatures are signed with the same PGP key that is used to sign commits in this Git repository. The key is available by searching for david@typokign.com on a public keyserver, or by downloading it from my website at https://typokign.com/key.gpg. diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index 1bc6743..f80883b 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml @@ -167,7 +167,7 @@ postgresql: synapse: image: repository: "matrixdotorg/synapse" - tag: v1.12.4 + tag: v1.13.0 pullPolicy: IfNotPresent service: type: ClusterIP @@ -239,7 +239,7 @@ riot: # Riot Kubernetes resource settings image: repository: "vectorim/riot-web" - tag: v1.6.0 + tag: v1.6.1 pullPolicy: IfNotPresent service: type: ClusterIP From 9b8ec916d296e55cc16fc99d2531f18cfbfacf9a Mon Sep 17 00:00:00 2001 From: David Cruz Date: Fri, 29 May 2020 21:24:08 -0700 Subject: [PATCH 061/105] Update Synapse -> 1.14, Riot -> 1.6.2 --- charts/matrix/Chart.yaml | 4 ++-- charts/matrix/README.md | 4 ++-- charts/matrix/values.yaml | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) 
diff --git a/charts/matrix/Chart.yaml b/charts/matrix/Chart.yaml index 0304af4..7f855ec 100644 --- a/charts/matrix/Chart.yaml +++ b/charts/matrix/Chart.yaml @@ -18,11 +18,11 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. -version: 1.2.0 +version: 1.3.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. -appVersion: 1.13.0 +appVersion: 1.14.0 maintainers: - name: "David Cruz" diff --git a/charts/matrix/README.md b/charts/matrix/README.md index c92b75c..641c488 100644 --- a/charts/matrix/README.md +++ b/charts/matrix/README.md @@ -38,7 +38,7 @@ This chart is published to my Helm chart repository at https://dacruz21.github.i ```yaml dependencies: - name: matrix - version: 1.2.0 + version: 1.3.0 repository: https://dacruz21.github.io/helm-charts ``` 
@@ -62,7 +62,7 @@ helm install matrix . ## Security Helm currently [does not officially support chart signatures created by GPG keys stored on smartcards](https://github.com/helm/helm/issues/2843#issuecomment-379532906). This may change in the future, in which case I will start packaging this chart with the standard `.prov` signatures, but until then signatures must be verified manually. -GPG signatures are available within the chart repo and can be found by appending `.gpg` to the end of the package URL. For example, the signature for v1.2.0 is available at https://dacruz21.github.io/helm-charts/matrix-1.2.0.tgz.gpg. +GPG signatures are available within the chart repo and can be found by appending `.gpg` to the end of the package URL. For example, the signature for v1.3.0 is available at https://dacruz21.github.io/helm-charts/matrix-1.3.0.tgz.gpg. These GPG signatures are signed with the same PGP key that is used to sign commits in this Git repository. The key is available by searching for david@typokign.com on a public keyserver, or by downloading it from my website at https://typokign.com/key.gpg. diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index f80883b..a0cb3ab 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml @@ -167,7 +167,7 @@ postgresql: synapse: image: repository: "matrixdotorg/synapse" - tag: v1.13.0 + tag: v1.14.0 pullPolicy: IfNotPresent service: type: ClusterIP @@ -239,7 +239,7 @@ riot: # Riot Kubernetes resource settings image: repository: "vectorim/riot-web" - tag: v1.6.1 + tag: v1.6.2 pullPolicy: IfNotPresent service: type: ClusterIP From 85847cfab4d8f0893eab1778ed3795d4e3a98a33 Mon Sep 17 00:00:00 2001 From: Chris Routh Date: Mon, 1 Jun 2020 20:09:55 -0700 Subject: [PATCH 062/105] Add security related configuration items. --- .../matrix/templates/synapse/_homeserver.yaml | 27 ++++++++- charts/matrix/values.yaml | 59 +++++++++++++++++++ 2 files changed, 83 insertions(+), 3 deletions(-) 
diff --git a/charts/matrix/templates/synapse/_homeserver.yaml b/charts/matrix/templates/synapse/_homeserver.yaml index 8112001..5f189d2 100644 --- a/charts/matrix/templates/synapse/_homeserver.yaml +++ b/charts/matrix/templates/synapse/_homeserver.yaml @@ -868,7 +868,9 @@ registrations_require_3pid: # If set, allows registration of standard or admin accounts by anyone who # has the shared secret, even if registration is otherwise disabled. # -# registration_shared_secret: +{{- if .Values.matrix.registration.sharedSecret }} +registration_shared_secret: {{ .Values.matrix.registration.sharedSecret }} +{{- end }} # Set the number of bcrypt rounds used to generate password hash. # Larger numbers increase the work factor needed to generate the hash. @@ -1027,7 +1029,10 @@ app_service_config_files: # the registration_shared_secret is used, if one is given; otherwise, # a secret key is derived from the signing key. # -# macaroon_secret_key: +{{- if .Values.matrix.security.macaroonSecretKey }} +macaroon_secret_key: {{ .Values.matrix.security.macaroonSecretKey }} +{{- end }} + # a secret which is used to calculate HMACs for form values, to stop # falsification of values. Must be specified for the User Consent 
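Review bot: `registration_shared_secret: {{ .Values.matrix.registration.sharedSecret }}` renders the secret as a plain scalar, so a value that begins with a YAML indicator or looks like a number/boolean is retyped or breaks the parse; `registration_shared_secret: {{ .Values.matrix.registration.sharedSecret | quote }}` avoids that, and the same applies to `macaroon_secret_key` in the `@@ -1027` hunk of this file. Both values also end up in the rendered homeserver config, which presumably is shipped as a ConfigMap rather than a Secret — if so, these credentials live in the chart values and the release manifest, and an `existingSecret`-style reference would be the usual way to keep them out of both. The enclosing template continues outside the hunk.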
@@ -1097,11 +1102,27 @@ signing_key_path: "/data/keys/{{ .Values.matrix.serverName }}.signing.key" # "ed25519:auto": "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr" # - server_name: "my_other_trusted_server.example.com" # +{{- if .Values.matrix.security.trustedKeyServers }} +trusted_key_servers: + {{- range .Values.matrix.security.trustedKeyServers }} + - server_name: {{ .serverName }} + {{- if .verifyKeys }} + verify_keys: + {{- range .verifyKeys }} + {{ .id | quote }}: {{ .key | quote }} + {{- end }} + {{- end }} + {{- if .acceptKeysInsecurely }} + accept_keys_insecurely: {{ .acceptKeysInsecurely }} + {{- end }} + {{- end }} +{{- end }} # Uncomment the following to disable the warning that is emitted when the # trusted_key_servers include 'matrix.org'. See above. # -#suppress_key_server_warning: true +suppress_key_server_warning: {{ .Values.matrix.security.supressKeyServerWarning }} + # The signing keys to use when acting as a trusted key server. If not specified # defaults to the server signing key. diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index a0cb3ab..8823441 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml @@ -63,6 +63,11 @@ matrix: # Allow new users to register an account enabled: false + # If set, allows registration of standard or admin accounts by anyone who + # has the shared secret, even if registration is otherwise disabled. + # + # sharedSecret: + # Allow users to join rooms as a guest allowGuests: false 
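Review bot: `suppress_key_server_warning: {{ .Values.matrix.security.supressKeyServerWarning }}` reads a key spelled `supress…`, while the values.yaml hunk in this commit defines `surpressKeyServerWarning`; the template therefore renders `suppress_key_server_warning:` with an empty value and the documented default is never applied. Use one spelling in both places, preferably the one matching Synapse's own option, `suppressKeyServerWarning`. In the same hunk `- server_name: {{ .serverName }}` and `accept_keys_insecurely: {{ .acceptKeysInsecurely }}` are emitted unquoted while `verify_keys` entries are `| quote`d; quoting `serverName` too keeps a hostname that happens to look like a number or boolean from being retyped. The enclosing template continues outside the hunk.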
@@ -122,6 +127,60 @@ matrix: # # blacklist any URL with a literal IPv4 address # - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' + security: + # a secret which is used to sign access tokens. If none is specified, + # the registration_shared_secret is used, if one is given; otherwise, + # a secret key is derived from the signing key. + # + # macaroonSecretKey: + + # This disables the warning that is emitted when the + # trustedKeyServers include 'matrix.org'. See below. + # Set to false to re-enable the warning. + # + surpressKeyServerWarning: true + + # The trusted servers to download signing keys from. + # + # When we need to fetch a signing key, each server is tried in parallel. + # + # Normally, the connection to the key server is validated via TLS certificates. + # Additional security can be provided by configuring a `verify key`, which + # will make synapse check that the response is signed by that key. + # + # This setting supercedes an older setting named `perspectives`. The old format + # is still supported for backwards-compatibility, but it is deprecated. + # + # 'trustedKeyServers' defaults to matrix.org, but using it will generate a + # warning on start-up. To suppress this warning, set + # 'surpressKeyServerWarning' to true. + # + # Options for each entry in the list include: + # + # serverName: the name of the server. required. + # + # verifyKeys: an optional map from key id to base64-encoded public key. + # If specified, we will check that the response is signed by at least + # one of the given keys. + # + # acceptKeysInsecurely: a boolean. Normally, if `verify_keys` is unset, + # and federation_verify_certificates is not `true`, synapse will refuse + # to start, because this would allow anyone who can spoof DNS responses + # to masquerade as the trusted key server. If you know what you are doing + # and are sure that your network environment provides a secure connection + # to the key server, you can set this to `true` to override this + # behaviour. 
+ # + # An example configuration might look like: + # + # trustedKeyServers: + # - serverName: my_trusted_server.example.com + # verifyKeys: + # - id: "ed25519:auto" + # key: "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr" + # acceptKeysInsecurely: false + # - serverName: my_other_trusted_server.example.com + # Persistent volumes configuration volumes: # Uploaded attachments/multimedia From ed7997d7ef4e0663b4b71fcc8a03dd28ca079940 Mon Sep 17 00:00:00 2001 From: Chris Routh Date: Mon, 1 Jun 2020 20:39:55 -0700 Subject: [PATCH 063/105] Bugfix - Indentation error --- charts/matrix/values.yaml | 102 +++++++++++++++++++------------------- 1 file changed, 51 insertions(+), 51 deletions(-) diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index 8823441..27917eb 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml 
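Review bot: The comment describes `verifyKeys` as "an optional map from key id to base64-encoded public key", but the example directly below it and the template that consumes it (a `range` over entries with `.id` and `.key`) treat it as a list of `id`/`key` pairs; a user who writes it as a map gets a render error. Reword to `# verifyKeys: an optional list of {id, key} entries (key id -> base64-encoded public key).` Defaulting `surpressKeyServerWarning` to `true` also silences the notice Synapse emits about trusting matrix.org as a key server before the operator has made that choice; defaulting it to `false` and letting the user opt in is the safer default. The `matrix:` mapping continues outside the hunk.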
@@ -127,59 +127,59 @@ matrix: # # blacklist any URL with a literal IPv4 address # - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' - security: - # a secret which is used to sign access tokens. If none is specified, - # the registration_shared_secret is used, if one is given; otherwise, - # a secret key is derived from the signing key. - # - # macaroonSecretKey: + security: + # a secret which is used to sign access tokens. If none is specified, + # the registration_shared_secret is used, if one is given; otherwise, + # a secret key is derived from the signing key. + # + # macaroonSecretKey: - # This disables the warning that is emitted when the - # trustedKeyServers include 'matrix.org'. See below. - # Set to false to re-enable the warning. - # - surpressKeyServerWarning: true + # This disables the warning that is emitted when the + # trustedKeyServers include 'matrix.org'. See below. + # Set to false to re-enable the warning. + # + surpressKeyServerWarning: true - # The trusted servers to download signing keys from. - # - # When we need to fetch a signing key, each server is tried in parallel. - # - # Normally, the connection to the key server is validated via TLS certificates. - # Additional security can be provided by configuring a `verify key`, which - # will make synapse check that the response is signed by that key. - # - # This setting supercedes an older setting named `perspectives`. The old format - # is still supported for backwards-compatibility, but it is deprecated. - # - # 'trustedKeyServers' defaults to matrix.org, but using it will generate a - # warning on start-up. To suppress this warning, set - # 'surpressKeyServerWarning' to true. - # - # Options for each entry in the list include: - # - # serverName: the name of the server. required. - # - # verifyKeys: an optional map from key id to base64-encoded public key. - # If specified, we will check that the response is signed by at least - # one of the given keys. - # - # acceptKeysInsecurely: a boolean. 
Normally, if `verify_keys` is unset, - # and federation_verify_certificates is not `true`, synapse will refuse - # to start, because this would allow anyone who can spoof DNS responses - # to masquerade as the trusted key server. If you know what you are doing - # and are sure that your network environment provides a secure connection - # to the key server, you can set this to `true` to override this - # behaviour. - # - # An example configuration might look like: - # - # trustedKeyServers: - # - serverName: my_trusted_server.example.com - # verifyKeys: - # - id: "ed25519:auto" - # key: "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr" - # acceptKeysInsecurely: false - # - serverName: my_other_trusted_server.example.com + # The trusted servers to download signing keys from. + # + # When we need to fetch a signing key, each server is tried in parallel. + # + # Normally, the connection to the key server is validated via TLS certificates. + # Additional security can be provided by configuring a `verify key`, which + # will make synapse check that the response is signed by that key. + # + # This setting supercedes an older setting named `perspectives`. The old format + # is still supported for backwards-compatibility, but it is deprecated. + # + # 'trustedKeyServers' defaults to matrix.org, but using it will generate a + # warning on start-up. To suppress this warning, set + # 'surpressKeyServerWarning' to true. + # + # Options for each entry in the list include: + # + # serverName: the name of the server. required. + # + # verifyKeys: an optional map from key id to base64-encoded public key. + # If specified, we will check that the response is signed by at least + # one of the given keys. + # + # acceptKeysInsecurely: a boolean. Normally, if `verify_keys` is unset, + # and federation_verify_certificates is not `true`, synapse will refuse + # to start, because this would allow anyone who can spoof DNS responses + # to masquerade as the trusted key server. 
If you know what you are doing + # and are sure that your network environment provides a secure connection + # to the key server, you can set this to `true` to override this + # behaviour. + # + # An example configuration might look like: + # + # trustedKeyServers: + # - serverName: my_trusted_server.example.com + # verifyKeys: + # - id: "ed25519:auto" + # key: "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr" + # acceptKeysInsecurely: false + # - serverName: my_other_trusted_server.example.com # Persistent volumes configuration volumes: From f0d38e1e171f30ca629a9546a3e710d053d18c2e Mon Sep 17 00:00:00 2001 From: David Cruz Date: Mon, 1 Jun 2020 20:29:15 -0700 Subject: [PATCH 064/105] Bump version for registration token feature --- charts/matrix/Chart.yaml | 2 +- charts/matrix/README.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/matrix/Chart.yaml b/charts/matrix/Chart.yaml index 7f855ec..abdf8e2 100644 --- a/charts/matrix/Chart.yaml +++ b/charts/matrix/Chart.yaml @@ -18,7 +18,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. -version: 1.3.0 +version: 1.4.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. diff --git a/charts/matrix/README.md b/charts/matrix/README.md index 641c488..fc152cb 100644 --- a/charts/matrix/README.md +++ b/charts/matrix/README.md @@ -38,7 +38,7 @@ This chart is published to my Helm chart repository at https://dacruz21.github.i ```yaml dependencies: - name: matrix - version: 1.3.0 + version: 1.4.0 repository: https://dacruz21.github.io/helm-charts ``` 
@@ -62,7 +62,7 @@ helm install matrix . ## Security Helm currently [does not officially support chart signatures created by GPG keys stored on smartcards](https://github.com/helm/helm/issues/2843#issuecomment-379532906). This may change in the future, in which case I will start packaging this chart with the standard `.prov` signatures, but until then signatures must be verified manually. -GPG signatures are available within the chart repo and can be found by appending `.gpg` to the end of the package URL. For example, the signature for v1.3.0 is available at https://dacruz21.github.io/helm-charts/matrix-1.3.0.tgz.gpg. +GPG signatures are available within the chart repo and can be found by appending `.gpg` to the end of the package URL. For example, the signature for v1.4.0 is available at https://dacruz21.github.io/helm-charts/matrix-1.4.0.tgz.gpg. These GPG signatures are signed with the same PGP key that is used to sign commits in this Git repository. The key is available by searching for david@typokign.com on a public keyserver, or by downloading it from my website at https://typokign.com/key.gpg. From 5cdb3430e729d4b4c4c9292cafb415af48d6a239 Mon Sep 17 00:00:00 2001 From: David Cruz Date: Mon, 1 Jun 2020 21:39:16 -0700 Subject: [PATCH 065/105] Bump version --- charts/matrix/Chart.yaml | 2 +- charts/matrix/README.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/matrix/Chart.yaml b/charts/matrix/Chart.yaml index abdf8e2..8dc5375 100644 --- a/charts/matrix/Chart.yaml +++ b/charts/matrix/Chart.yaml @@ -18,7 +18,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. -version: 1.4.0 +version: 1.4.1 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. 
diff --git a/charts/matrix/README.md b/charts/matrix/README.md index fc152cb..c9f67dd 100644 --- a/charts/matrix/README.md +++ b/charts/matrix/README.md @@ -38,7 +38,7 @@ This chart is published to my Helm chart repository at https://dacruz21.github.i ```yaml dependencies: - name: matrix - version: 1.4.0 + version: 1.4.1 repository: https://dacruz21.github.io/helm-charts ``` @@ -62,7 +62,7 @@ helm install matrix . ## Security Helm currently [does not officially support chart signatures created by GPG keys stored on smartcards](https://github.com/helm/helm/issues/2843#issuecomment-379532906). This may change in the future, in which case I will start packaging this chart with the standard `.prov` signatures, but until then signatures must be verified manually. -GPG signatures are available within the chart repo and can be found by appending `.gpg` to the end of the package URL. For example, the signature for v1.4.0 is available at https://dacruz21.github.io/helm-charts/matrix-1.4.0.tgz.gpg. +GPG signatures are available within the chart repo and can be found by appending `.gpg` to the end of the package URL. For example, the signature for v1.4.1 is available at https://dacruz21.github.io/helm-charts/matrix-1.4.1.tgz.gpg. These GPG signatures are signed with the same PGP key that is used to sign commits in this Git repository. The key is available by searching for david@typokign.com on a public keyserver, or by downloading it from my website at https://typokign.com/key.gpg. From 4d6fc35541ebde57d3c1ad866d937e528394b194 Mon Sep 17 00:00:00 2001 From: jjlpinto <452392+jjlpinto@users.noreply.github.com> Date: Tue, 2 Jun 2020 16:38:30 -0400 Subject: [PATCH 066/105] Fix riot config.json mount path and server name configuration --- charts/matrix/templates/riot/configmap.yaml | 2 +- charts/matrix/templates/riot/deployment.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/charts/matrix/templates/riot/configmap.yaml b/charts/matrix/templates/riot/configmap.yaml index 7e92084..08f0060 100644 --- a/charts/matrix/templates/riot/configmap.yaml +++ b/charts/matrix/templates/riot/configmap.yaml @@ -7,7 +7,7 @@ metadata: data: config.json: | { - "default_server_name": {{ .Values.matrix.serverName | quote }}, + "default_server_name": {{ .Values.matrix.hostname | quote }}, "brand": {{ .Values.riot.branding.brand | quote }}, "branding": { {{- if .Values.riot.branding.welcomeBackgroundUrl }} diff --git a/charts/matrix/templates/riot/deployment.yaml b/charts/matrix/templates/riot/deployment.yaml index 997f507..bb1dfa6 100644 --- a/charts/matrix/templates/riot/deployment.yaml +++ b/charts/matrix/templates/riot/deployment.yaml @@ -37,7 +37,7 @@ spec: containerPort: 8080 protocol: TCP volumeMounts: - - mountPath: /etc/riot-web/config.json + - mountPath: /app/config.json name: riot-config subPath: config.json readOnly: true From 1960d7e8efff912bf87d95467ab7516a950f4213 Mon Sep 17 00:00:00 2001 From: David Cruz Date: Tue, 2 Jun 2020 23:05:55 -0700 Subject: [PATCH 067/105] Update deprecated default_server_name Riot config --- charts/matrix/templates/riot/configmap.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/charts/matrix/templates/riot/configmap.yaml b/charts/matrix/templates/riot/configmap.yaml index 08f0060..49affe0 100644 --- a/charts/matrix/templates/riot/configmap.yaml +++ b/charts/matrix/templates/riot/configmap.yaml @@ -7,7 +7,11 @@ metadata: data: config.json: | { - "default_server_name": {{ .Values.matrix.hostname | quote }}, + "default_server_config": { + "m.homeserver": { + "base_url": {{ include "matrix.baseUrl" . | quote }} + } + }, "brand": {{ .Values.riot.branding.brand | quote }}, "branding": { {{- if .Values.riot.branding.welcomeBackgroundUrl }} From bb2e31554b95b7deb856c370b16540ba0739a9a4 Mon Sep 17 00:00:00 2001 
From: David Cruz Date: Tue, 2 Jun 2020 23:06:50 -0700 Subject: [PATCH 068/105] Bump version --- charts/matrix/Chart.yaml | 2 +- charts/matrix/README.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/matrix/Chart.yaml b/charts/matrix/Chart.yaml index 8dc5375..9ef77cc 100644 --- a/charts/matrix/Chart.yaml +++ b/charts/matrix/Chart.yaml @@ -18,7 +18,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. -version: 1.4.1 +version: 1.4.2 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. diff --git a/charts/matrix/README.md b/charts/matrix/README.md index c9f67dd..94ef3e2 100644 --- a/charts/matrix/README.md +++ b/charts/matrix/README.md @@ -38,7 +38,7 @@ This chart is published to my Helm chart repository at https://dacruz21.github.i ```yaml dependencies: - name: matrix - version: 1.4.1 + version: 1.4.2 repository: https://dacruz21.github.io/helm-charts ``` 
@@ -62,7 +62,7 @@ helm install matrix . ## Security Helm currently [does not officially support chart signatures created by GPG keys stored on smartcards](https://github.com/helm/helm/issues/2843#issuecomment-379532906). This may change in the future, in which case I will start packaging this chart with the standard `.prov` signatures, but until then signatures must be verified manually. -GPG signatures are available within the chart repo and can be found by appending `.gpg` to the end of the package URL. For example, the signature for v1.4.1 is available at https://dacruz21.github.io/helm-charts/matrix-1.4.1.tgz.gpg. +GPG signatures are available within the chart repo and can be found by appending `.gpg` to the end of the package URL. For example, the signature for v1.4.2 is available at https://dacruz21.github.io/helm-charts/matrix-1.4.2.tgz.gpg. These GPG signatures are signed with the same PGP key that is used to sign commits in this Git repository. The key is available by searching for david@typokign.com on a public keyserver, or by downloading it from my website at https://typokign.com/key.gpg. From 221a6a1a34c8c8d5159ec9e9e44cfcbed5336efc Mon Sep 17 00:00:00 2001 From: Chris Routh Date: Thu, 4 Jun 2020 19:33:37 -0700 Subject: [PATCH 069/105] Add logging level configuration. --- charts/matrix/templates/synapse/configmap.yaml | 6 +++--- charts/matrix/values.yaml | 10 ++++++++++ 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/charts/matrix/templates/synapse/configmap.yaml b/charts/matrix/templates/synapse/configmap.yaml index 1b441ae..64ab47d 100644 --- a/charts/matrix/templates/synapse/configmap.yaml +++ b/charts/matrix/templates/synapse/configmap.yaml 
@@ -27,14 +27,14 @@ data: loggers: synapse: - level: WARNING + level: {{ .Values.matrix.logging.synapseLogLevel }} synapse.storage.SQL: # beware: increasing this to DEBUG will make synapse log sensitive # information such as access tokens. - level: WARNING + level: {{ .Values.matrix.logging.sqlLogLevel }} root: - level: WARNING + level: {{ .Values.matrix.logging.rootLogLevel }} handlers: [console] diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index 27917eb..6df1e00 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml @@ -181,6 +181,16 @@ matrix: # acceptKeysInsecurely: false # - serverName: my_other_trusted_server.example.com + logging: + # Root log level is the default log level for log outputs that do not have more + # specific settings. + rootLogLevel: WARNING + # beware: increasing this to DEBUG will make synapse log sensitive + # information such as access tokens. + sqlLogLevel: WARNING + # The log level for the synapse server + synapseLogLevel: WARNING + # Persistent volumes configuration volumes: # Uploaded attachments/multimedia From fa74707515ae5310dad57ccab9a5d99a82d77156 Mon Sep 17 00:00:00 2001 From: David Cruz Date: Sun, 7 Jun 2020 16:28:14 -0700 Subject: [PATCH 070/105] Support running federation behind the Ingress This runs federation behind the Ingress, at port 443 but on a different subdomain. This will allow users to deploy a federating homeserver *without* needing to pay for/configure TLS for an external load balancer. --- charts/matrix/templates/ingress.yaml | 9 +++++++++ charts/matrix/values.yaml | 28 ++++++++++++++++------------ 2 files changed, 25 insertions(+), 12 deletions(-) diff --git a/charts/matrix/templates/ingress.yaml b/charts/matrix/templates/ingress.yaml index fcc5a94..2975108 100644 --- a/charts/matrix/templates/ingress.yaml +++ b/charts/matrix/templates/ingress.yaml 
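Review bot: The three `level: {{ .Values.matrix.logging.... }}` lines emit the level as a plain scalar, so an empty or YAML-special value (for example `sqlLogLevel: ""`) renders as `level:` and the logging config fails to load at Synapse start-up rather than at `helm install`; rendering them as `level: {{ .Values.matrix.logging.sqlLogLevel | quote }}` matches how the other templates in this chart emit values and gives a clearer failure. The warning that `synapse.storage.SQL` at DEBUG logs access tokens is carried over into values.yaml, which is good; it would be worth adding the same caution next to `rootLogLevel`, since DEBUG there also enables that logger. The `loggers:` mapping starts outside the hunk.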
@@ -41,4 +41,13 @@ spec: serviceName: "{{ include "matrix.fullname" . }}-riot" servicePort: {{ .Values.riot.service.port }} {{- end }} + {{- if .Values.matrix.federation.enableIngress }} + - host: {{ .Values.ingress.hosts.federation }} + http: + paths: + - path: "/" + backend: + serviceName: "{{ include "matrix.fullname" . }}-synapse-federation" + servicePort: {{ .Values.synapse.service.federation.port }} + {{- end }} {{- end }} diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index 6df1e00..4b38ab9 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml @@ -37,9 +37,10 @@ matrix: # Settings related to federation federation: # Set to false to disable federation and run an isolated homeserver - # This also deploys a LoadBalancer Service for the federation port (8448) enabled: true + enableIngress: true + # Set to false to disallow members of other homeservers from fetching *public* rooms allowPublicRooms: true @@ -206,6 +207,18 @@ volumes: # Storage class (optional) storageClass: "" +ingress: + enabled: true + # Whether to expose the federation API behind the Ingress + # If you would rather use an external proxy to run federation on a port other than 443, set this to false and set the synapse.service.federation.type value to either LoadBalancer or NodePort + federation: true + tls: [] + hosts: + synapse: matrix.chart-example.local + riot: riot.chart-example.local + federation: matrix-fed.chart-example.local + annotations: {} + # PostgreSQL Database Configuration postgresql: # Whether to deploy the stable/postgresql chart with this chart. If disabled, make sure PostgreSQL is available at the hostname below and credentials are configured below @@ -242,9 +255,8 @@ synapse: type: ClusterIP port: 80 federation: - type: NodePort - # Warning! By spec, federation must be available at :8448. Only change this if Synapse is running behind another proxy - port: 8448 + type: ClusterIP + port: 80 replicaCount: 1 resources: {} 
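Review bot: The new federation rule in ingress.yaml is gated only on `matrix.federation.enableIngress`, not on `matrix.federation.enabled`, so a release with federation switched off still renders an Ingress rule for the federation host, pointing at a `-synapse-federation` Service that is presumably not created in that case (its template is not in this diff). Gating with `{{- if and .Values.matrix.federation.enabled .Values.matrix.federation.enableIngress }}` keeps the two values consistent; the same applies to the later hunk in PATCH 074 that renames the flag to `ingress.federation`. The host is also rendered unquoted (`- host: {{ .Values.ingress.hosts.federation }}`); `| quote` would stop an empty value from rendering as null.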
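Review bot: The `ingress:` defaults added in the `@@ -206` hunk turn the federation host on while `tls: []` leaves every host on plain HTTP, and nothing in the comment says that remote homeservers only federate over HTTPS, so a default install advertises a federation endpoint on :443 with no TLS. A sentence above `federation: true` such as `# The federation host needs an entry in ingress.tls below: other homeservers only federate over HTTPS` would make the requirement visible. Moving federation from :8448 to a separate hostname on :443 (the `@@ -242` hunk switches the Service to ClusterIP/80) also depends on delegation via `/.well-known/matrix/server` or an SRV record naming the federation host, which nothing in this diff sets up; a comment or README note pointing operators at that would avoid a silently non-federating server.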
@@ -597,11 +609,3 @@ fullnameOverride: "" networkPolicies: enabled: true - -ingress: - enabled: true - tls: [] - hosts: - synapse: matrix.chart-example.local - riot: riot.chart-example.local - annotations: {} From 25bb7c71490ad91e99972f31277e2e1e5bdf621a Mon Sep 17 00:00:00 2001 From: David Cruz Date: Sun, 7 Jun 2020 16:36:09 -0700 Subject: [PATCH 071/105] Set synapse upgrade strategy to Recreate --- charts/matrix/templates/synapse/deployment.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/charts/matrix/templates/synapse/deployment.yaml b/charts/matrix/templates/synapse/deployment.yaml index 870a2cf..6255322 100644 --- a/charts/matrix/templates/synapse/deployment.yaml +++ b/charts/matrix/templates/synapse/deployment.yaml @@ -10,6 +10,8 @@ spec: matchLabels: app.kubernetes.io/name: {{ include "matrix.name" . }}-synapse app.kubernetes.io/instance: {{ .Release.Name }} + strategy: + type: Recreate template: metadata: annotations: From 97fe2d8984095a309ccfca22b619a6d5a0a0025c Mon Sep 17 00:00:00 2001 From: David Cruz Date: Sun, 7 Jun 2020 16:48:02 -0700 Subject: [PATCH 072/105] Update Riot -> v1.6.4 --- charts/matrix/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index 4b38ab9..fb6b351 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml @@ -320,7 +320,7 @@ riot: # Riot Kubernetes resource settings image: repository: "vectorim/riot-web" - tag: v1.6.2 + tag: v1.6.4 pullPolicy: IfNotPresent service: type: ClusterIP From 6f8b3de6db2516bf9f34e1f8043b61b5408d4dbd Mon Sep 17 00:00:00 2001 From: David Cruz Date: Sun, 7 Jun 2020 16:57:56 -0700 Subject: [PATCH 073/105] Bump version 2.0.0 --- charts/matrix/Chart.yaml | 2 +- charts/matrix/README.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/matrix/Chart.yaml b/charts/matrix/Chart.yaml index 9ef77cc..5cd79b8 100644 --- a/charts/matrix/Chart.yaml +++ b/charts/matrix/Chart.yaml 
@@ -18,7 +18,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. -version: 1.4.2 +version: 2.0.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. diff --git a/charts/matrix/README.md b/charts/matrix/README.md index 94ef3e2..b760629 100644 --- a/charts/matrix/README.md +++ b/charts/matrix/README.md @@ -38,7 +38,7 @@ This chart is published to my Helm chart repository at https://dacruz21.github.i ```yaml dependencies: - name: matrix - version: 1.4.2 + version: 2.0.0 repository: https://dacruz21.github.io/helm-charts ``` @@ -62,7 +62,7 @@ helm install matrix . ## Security Helm currently [does not officially support chart signatures created by GPG keys stored on smartcards](https://github.com/helm/helm/issues/2843#issuecomment-379532906). This may change in the future, in which case I will start packaging this chart with the standard `.prov` signatures, but until then signatures must be verified manually. -GPG signatures are available within the chart repo and can be found by appending `.gpg` to the end of the package URL. For example, the signature for v1.4.2 is available at https://dacruz21.github.io/helm-charts/matrix-1.4.2.tgz.gpg. +GPG signatures are available within the chart repo and can be found by appending `.gpg` to the end of the package URL. For example, the signature for v2.0.0 is available at https://dacruz21.github.io/helm-charts/matrix-2.0.0.tgz.gpg. These GPG signatures are signed with the same PGP key that is used to sign commits in this Git repository. The key is available by searching for david@typokign.com on a public keyserver, or by downloading it from my website at https://typokign.com/key.gpg. From 4f28f37eace48beaea2e8229fbb8d3ede3139fd7 Mon Sep 17 00:00:00 2001 
From: David Cruz Date: Sun, 7 Jun 2020 17:17:40 -0700 Subject: [PATCH 074/105] Fix duplicate config values --- charts/matrix/templates/ingress.yaml | 2 +- charts/matrix/values.yaml | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/charts/matrix/templates/ingress.yaml b/charts/matrix/templates/ingress.yaml index 2975108..3a35306 100644 --- a/charts/matrix/templates/ingress.yaml +++ b/charts/matrix/templates/ingress.yaml @@ -41,7 +41,7 @@ spec: serviceName: "{{ include "matrix.fullname" . }}-riot" servicePort: {{ .Values.riot.service.port }} {{- end }} - {{- if .Values.matrix.federation.enableIngress }} + {{- if .Values.ingress.federation }} - host: {{ .Values.ingress.hosts.federation }} http: paths: diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index fb6b351..aaad3d6 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml @@ -39,8 +39,6 @@ matrix: # Set to false to disable federation and run an isolated homeserver enabled: true - enableIngress: true - # Set to false to disallow members of other homeservers from fetching *public* rooms allowPublicRooms: true From 708b675c0212ad5e01c40601903005e0b56dc71b Mon Sep 17 00:00:00 2001 From: David Cruz Date: Sun, 7 Jun 2020 17:18:15 -0700 Subject: [PATCH 075/105] Update version --- charts/matrix/Chart.yaml | 2 +- charts/matrix/README.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/matrix/Chart.yaml b/charts/matrix/Chart.yaml index 5cd79b8..c421bb5 100644 --- a/charts/matrix/Chart.yaml +++ b/charts/matrix/Chart.yaml @@ -18,7 +18,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. -version: 2.0.0 +version: 2.0.1 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. 
diff --git a/charts/matrix/README.md b/charts/matrix/README.md index b760629..b85945b 100644 --- a/charts/matrix/README.md +++ b/charts/matrix/README.md @@ -38,7 +38,7 @@ This chart is published to my Helm chart repository at https://dacruz21.github.i ```yaml dependencies: - name: matrix - version: 2.0.0 + version: 2.0.1 repository: https://dacruz21.github.io/helm-charts ``` @@ -62,7 +62,7 @@ helm install matrix . ## Security Helm currently [does not officially support chart signatures created by GPG keys stored on smartcards](https://github.com/helm/helm/issues/2843#issuecomment-379532906). This may change in the future, in which case I will start packaging this chart with the standard `.prov` signatures, but until then signatures must be verified manually. -GPG signatures are available within the chart repo and can be found by appending `.gpg` to the end of the package URL. For example, the signature for v2.0.0 is available at https://dacruz21.github.io/helm-charts/matrix-2.0.0.tgz.gpg. +GPG signatures are available within the chart repo and can be found by appending `.gpg` to the end of the package URL. For example, the signature for v2.0.1 is available at https://dacruz21.github.io/helm-charts/matrix-2.0.1.tgz.gpg. These GPG signatures are signed with the same PGP key that is used to sign commits in this Git repository. The key is available by searching for david@typokign.com on a public keyserver, or by downloading it from my website at https://typokign.com/key.gpg. From dd115dd70e4260d6ee2ee912ae90913692428b61 Mon Sep 17 00:00:00 2001 
From: David Cruz Date: Sun, 7 Jun 2020 19:54:29 -0700 Subject: [PATCH 076/105] Add health probe overrides --- .../templates/bridge-irc/deployment.yaml | 2 -- charts/matrix/templates/exim/deployment.yaml | 20 +++++++++++++++---- charts/matrix/templates/riot/deployment.yaml | 17 ++++++++++++++-- .../matrix/templates/synapse/deployment.yaml | 17 ++++++++++++++-- charts/matrix/values.yaml | 20 +++++++++++++++++++ 5 files changed, 66 insertions(+), 10 deletions(-) diff --git a/charts/matrix/templates/bridge-irc/deployment.yaml b/charts/matrix/templates/bridge-irc/deployment.yaml index a7b80f4..b4d24e2 100644 --- a/charts/matrix/templates/bridge-irc/deployment.yaml +++ b/charts/matrix/templates/bridge-irc/deployment.yaml @@ -50,8 +50,6 @@ spec: - name: "load-config" image: "{{ .Values.bridges.irc.image.repository }}:{{ .Values.bridges.irc.image.tag }}" imagePullPolicy: {{ .Values.bridges.irc.image.pullPolicy }} -{{/* command: ["sleep"]*/}} -{{/* args: ["10000"]*/}} command: ["sh"] args: ["-c", "cp /load/registration.yaml /data/appservice-registration-irc.yaml; cp /load/passkey.pem /data/passkey.pem; cp /load/config.yaml /data/config.yaml; cp /load/registration.yaml /bridges/irc.yaml"] volumeMounts: diff --git a/charts/matrix/templates/exim/deployment.yaml b/charts/matrix/templates/exim/deployment.yaml index 079c8d7..1eef5ab 100644 --- a/charts/matrix/templates/exim/deployment.yaml +++ b/charts/matrix/templates/exim/deployment.yaml 
@@ -32,12 +32,24 @@ spec: - name: smtp containerPort: 8025 protocol: TCP - livenessProbe: - tcpSocket: - port: 8025 readinessProbe: tcpSocket: - port: 8025 + port: smtp + {{- if .Values.mail.relay.probes.readiness }} + {{- toYaml .Values.mail.relay.probes.readiness | nindent 12 }} + {{- end }} + startupProbe: + tcpSocket: + port: smtp + {{- if .Values.mail.relay.probes.startup }} + {{- toYaml .Values.mail.relay.probes.startup | nindent 12 }} + {{- end }} + livenessProbe: + tcpSocket: + port: smtp + {{- if .Values.mail.relay.probes.liveness }} + {{- toYaml .Values.mail.relay.probes.liveness | nindent 12 }} + {{- end }} securityContext: capabilities: drop: diff --git a/charts/matrix/templates/riot/deployment.yaml b/charts/matrix/templates/riot/deployment.yaml index bb1dfa6..1914a06 100644 --- a/charts/matrix/templates/riot/deployment.yaml +++ b/charts/matrix/templates/riot/deployment.yaml @@ -55,14 +55,27 @@ spec: - mountPath: /var/run/pid name: ephemeral subPath: pid - livenessProbe: + readinessProbe: httpGet: path: / port: http - readinessProbe: + {{- if .Values.riot.probes.readiness }} + {{- toYaml .Values.riot.probes.readiness | nindent 12 }} + {{- end }} + startupProbe: + httpGet: + path: / + port: http + {{- if .Values.riot.probes.startup }} + {{- toYaml .Values.riot.probes.startup | nindent 12 }} + {{- end }} + livenessProbe: httpGet: path: / port: http + {{- if .Values.riot.probes.liveness }} + {{- toYaml .Values.riot.probes.liveness | nindent 12 }} + {{- end }} securityContext: capabilities: drop: diff --git a/charts/matrix/templates/synapse/deployment.yaml b/charts/matrix/templates/synapse/deployment.yaml index 6255322..a8dfbe6 100644 --- a/charts/matrix/templates/synapse/deployment.yaml +++ b/charts/matrix/templates/synapse/deployment.yaml 
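Review bot: The probe overrides are spliced in with `toYaml ... | nindent 12` directly under a fixed `tcpSocket:` / `httpGet:` handler, so a user who puts a handler key (`httpGet`, `exec`, `tcpSocket`) or any non-probe field into `probes.*` produces a duplicate-key or invalid probe that only surfaces at apply time; the exim hunk here, the riot hunk on the same line and the synapse hunk on the next line all have this shape. Since the values.yaml hunk only describes these maps as timings, the comment above `probes:` there should say so explicitly, e.g. `# Only probe timing fields (initialDelaySeconds, periodSeconds, timeoutSeconds, successThreshold, failureThreshold) belong here; the probe handler is fixed by the template`. The synapse startup defaults (`periodSeconds: 5`, `failureThreshold: 6`) allow about 30 seconds before the container is restarted, which may be short for a first start that runs database migrations; noting in the comment that `failureThreshold` is the value to raise would help operators.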
@@ -84,14 +84,27 @@ spec: mountPath: /data/uploads - name: tmp mountPath: /tmp - livenessProbe: + readinessProbe: httpGet: path: /_matrix/static/ port: http - readinessProbe: + {{- if .Values.synapse.probes.readiness }} + {{- toYaml .Values.synapse.probes.readiness | nindent 12 }} + {{- end }} + startupProbe: + httpGet: + path: /_matrix/static/ + port: http + {{- if .Values.synapse.probes.startup }} + {{- toYaml .Values.synapse.probes.startup | nindent 12 }} + {{- end }} + livenessProbe: httpGet: path: /_matrix/static/ port: http + {{- if .Values.synapse.probes.liveness }} + {{- toYaml .Values.synapse.probes.liveness | nindent 12 }} + {{- end }} securityContext: capabilities: drop: diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index aaad3d6..f63c169 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml @@ -257,6 +257,18 @@ synapse: port: 80 replicaCount: 1 resources: {} + # Configure timings for readiness, startup, and liveness probes here + probes: + readiness: + timeoutSeconds: 5 + periodSeconds: 10 + startup: + timeoutSeconds: 5 + periodSeconds: 5 + failureThreshold: 6 + liveness: + timeoutSeconds: 5 + periodSeconds: 10 # Riot Web client configuration riot: @@ -325,6 +337,10 @@ riot: port: 80 replicaCount: 1 resources: {} + probes: + readiness: {} + startup: {} + liveness: {} # Settings for Coturn TURN relay, used for routing voice calls coturn: @@ -393,6 +409,10 @@ mail: port: 25 replicaCount: 1 resources: {} + probes: + readiness: {} + startup: {} + liveness: {} # External mail server external: From 5d16f5fb87d8aa16e2fa6acffba4d67611fadac1 Mon Sep 17 00:00:00 2001 From: David Cruz Date: Sun, 7 Jun 2020 19:57:39 -0700 Subject: [PATCH 077/105] Bump version --- charts/matrix/Chart.yaml | 2 +- charts/matrix/README.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/matrix/Chart.yaml b/charts/matrix/Chart.yaml index c421bb5..b01224b 100644 --- a/charts/matrix/Chart.yaml 
+++ b/charts/matrix/Chart.yaml @@ -18,7 +18,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. -version: 2.0.1 +version: 2.1.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. diff --git a/charts/matrix/README.md b/charts/matrix/README.md index b85945b..8ae9944 100644 --- a/charts/matrix/README.md +++ b/charts/matrix/README.md @@ -38,7 +38,7 @@ This chart is published to my Helm chart repository at https://dacruz21.github.i ```yaml dependencies: - name: matrix - version: 2.0.1 + version: 2.1.0 repository: https://dacruz21.github.io/helm-charts ``` @@ -62,7 +62,7 @@ helm install matrix . ## Security Helm currently [does not officially support chart signatures created by GPG keys stored on smartcards](https://github.com/helm/helm/issues/2843#issuecomment-379532906). This may change in the future, in which case I will start packaging this chart with the standard `.prov` signatures, but until then signatures must be verified manually. -GPG signatures are available within the chart repo and can be found by appending `.gpg` to the end of the package URL. For example, the signature for v2.0.1 is available at https://dacruz21.github.io/helm-charts/matrix-2.0.1.tgz.gpg. +GPG signatures are available within the chart repo and can be found by appending `.gpg` to the end of the package URL. For example, the signature for v2.1.0 is available at https://dacruz21.github.io/helm-charts/matrix-2.1.0.tgz.gpg. These GPG signatures are signed with the same PGP key that is used to sign commits in this Git repository. The key is available by searching for david@typokign.com on a public keyserver, or by downloading it from my website at https://typokign.com/key.gpg. From f8b6c92e70fe9e9ca781d64b464ceb43f99dedd4 Mon Sep 17 00:00:00 2001 
From: David Cruz Date: Sun, 7 Jun 2020 22:52:07 -0700 Subject: [PATCH 078/105] Fix federation note in readme --- charts/matrix/README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/charts/matrix/README.md b/charts/matrix/README.md index 8ae9944..0272612 100644 --- a/charts/matrix/README.md +++ b/charts/matrix/README.md @@ -13,8 +13,7 @@ A Helm chart for deploying a Matrix homeserver stack in Kubernetes. - (Optional) [tulir/mautrix-whatsapp](https://github.com/tulir/mautrix-whatsapp) WhatsApp bridge - (Optional) [Half-Shot/matrix-appservice-discord](https://github.com/Half-Shot/matrix-appservice-discord) Discord bridge - Fully configurable via values.yaml -- Ingress definition for Synapse and Riot -- Federation (port 8448) access via NodePort or LoadBalancer +- Ingress definition for federated Synapse and Riot ## Installation From 8ca291d5231a00df33fd633da7313cdda347c37c Mon Sep 17 00:00:00 2001 From: David Cruz Date: Mon, 8 Jun 2020 13:01:59 -0700 Subject: [PATCH 079/105] Add proxy_intercept_errors off to Ingress When using nginx-ingress-provider, nginx may overwrite non-200 responses and replace the expected JSON schema. This breaks spec, and has broken some of the _matrix/key endpoints. --- charts/matrix/values.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index f63c169..a2e228c 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml @@ -215,7 +215,10 @@ ingress: synapse: matrix.chart-example.local riot: riot.chart-example.local federation: matrix-fed.chart-example.local - annotations: {} + annotations: + # This annotation is required for the Nginx ingress provider. You can remove it if you use a different ingress provider + nginx.ingress.kubernetes.io/configuration-snippet: | + proxy_intercept_errors off; # PostgreSQL Database Configuration postgresql: From 0d2bfbbc95e39b99d4a8276ca928624eaca8bb61 Mon Sep 17 00:00:00 2001 
From: David Cruz Date: Mon, 8 Jun 2020 13:03:51 -0700 Subject: [PATCH 080/105] Bump version --- charts/matrix/Chart.yaml | 2 +- charts/matrix/README.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/matrix/Chart.yaml b/charts/matrix/Chart.yaml index b01224b..17abe8c 100644 --- a/charts/matrix/Chart.yaml +++ b/charts/matrix/Chart.yaml @@ -18,7 +18,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. -version: 2.1.0 +version: 2.1.1 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. diff --git a/charts/matrix/README.md b/charts/matrix/README.md index 0272612..a80eee1 100644 --- a/charts/matrix/README.md +++ b/charts/matrix/README.md @@ -37,7 +37,7 @@ This chart is published to my Helm chart repository at https://dacruz21.github.i ```yaml dependencies: - name: matrix - version: 2.1.0 + version: 2.1.1 repository: https://dacruz21.github.io/helm-charts ``` 
@@ -61,7 +61,7 @@ helm install matrix . ## Security Helm currently [does not officially support chart signatures created by GPG keys stored on smartcards](https://github.com/helm/helm/issues/2843#issuecomment-379532906). This may change in the future, in which case I will start packaging this chart with the standard `.prov` signatures, but until then signatures must be verified manually. -GPG signatures are available within the chart repo and can be found by appending `.gpg` to the end of the package URL. For example, the signature for v2.1.0 is available at https://dacruz21.github.io/helm-charts/matrix-2.1.0.tgz.gpg. +GPG signatures are available within the chart repo and can be found by appending `.gpg` to the end of the package URL. For example, the signature for v2.1.1 is available at https://dacruz21.github.io/helm-charts/matrix-2.1.1.tgz.gpg. These GPG signatures are signed with the same PGP key that is used to sign commits in this Git repository. The key is available by searching for david@typokign.com on a public keyserver, or by downloading it from my website at https://typokign.com/key.gpg. From ec78cf102269aa8f804ffbc8986c99d29572b222 Mon Sep 17 00:00:00 2001 From: Chris Routh Date: Wed, 10 Jun 2020 17:42:06 -0700 Subject: [PATCH 081/105] Remove protocol from configmap for bridge-discord. --- charts/matrix/templates/bridge-discord/configmap.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/matrix/templates/bridge-discord/configmap.yaml b/charts/matrix/templates/bridge-discord/configmap.yaml index 9f97c0b..436b222 100644 --- a/charts/matrix/templates/bridge-discord/configmap.yaml +++ b/charts/matrix/templates/bridge-discord/configmap.yaml 
@@ -12,7 +12,7 @@ data: domain: {{ .Values.matrix.serverName }} # This should be your publically facing URL because Discord may use it to # fetch media from the media store. - homeserverUrl: "https://{{ include "matrix.baseUrl" . }}" + homeserverUrl: "{{ include "matrix.baseUrl" . }}" # Interval at which to process users in the 'presence queue'. If you have # 5 users, one user will be processed every 500 milliseconds according to the # value below. This has a minimum value of 250. From 965a89b67c93c2de269779681655633e4d5d0405 Mon Sep 17 00:00:00 2001 From: David Cruz Date: Thu, 11 Jun 2020 19:54:46 -0700 Subject: [PATCH 082/105] Allow TURN URIs to be customized This is needed for anyone running Coturn at a different hostname, as well as anyone running an external Coturn instance. --- charts/matrix/templates/synapse/_homeserver.yaml | 2 +- charts/matrix/values.yaml | 8 +++++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/charts/matrix/templates/synapse/_homeserver.yaml b/charts/matrix/templates/synapse/_homeserver.yaml index 5f189d2..820406b 100644 --- a/charts/matrix/templates/synapse/_homeserver.yaml +++ b/charts/matrix/templates/synapse/_homeserver.yaml @@ -745,7 +745,7 @@ max_spider_size: {{ .Values.matrix.urlPreviews.rules.maxSize }} #recaptcha_siteverify_api: "https://www.recaptcha.net/recaptcha/api/siteverify" -{{- if .Values.coturn.enabled }} +{{- if not (empty .Values.coturn.uris) }} ## TURN ## # The public URIs of the TURN server to give to clients diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index a2e228c..e702404 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml 
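Review bot: Dropping the literal `https://` makes `homeserverUrl` depend on the `matrix.baseUrl` helper (defined outside this diff) already emitting a scheme; if that helper returns a bare host, the bridge is handed a scheme-less URL, which is worse than the doubled scheme this hunk removes. Worth confirming against `_helpers.tpl`, and the comment above the key could record the contract, e.g. `# matrix.baseUrl already includes the scheme; do not prefix it again`.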
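Review bot: With the condition in `_homeserver.yaml` now `{{- if not (empty .Values.coturn.uris) }}` and the new default `uris: []` in the values hunk on the next line, a default install — which still has `coturn.enabled: true` — deploys Coturn but writes no TURN section into homeserver.yaml at all, so existing users who upgrade silently lose voice-call relaying until they set `coturn.uris`. A render-time guard makes that visible instead: `{{- if and .Values.coturn.enabled (empty .Values.coturn.uris) }}{{ fail "coturn.uris must be set when coturn.enabled is true" }}{{- end }}`. Failing that, the values comment should say that the bundled Coturn is not advertised to clients until `uris` is filled in.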
@@ -347,9 +347,15 @@ riot: # Settings for Coturn TURN relay, used for routing voice calls coturn: - # Set to false to disable Coturn + # Set to false to disable the included deployment of Coturn enabled: true + # URIs of the Coturn servers + # If deploying Coturn with this chart, include the public IPs of each node in your cluster (or a DNS round-robin hostname) + # You can also include an external Coturn instance if you'd prefer + uris: [] +# - "turn:turn.example.com?transport=udp" + # How to deploy Coturn # Options: # DaemonSet: A DaemonSet will be used to schedule one Coturn pod per node. Each Coturn pod will open the ports it needs directly on the host it is scheduled on. From f4acaec467a7785b17deafd19a1bcfedecf98a38 Mon Sep 17 00:00:00 2001 From: David Cruz Date: Thu, 11 Jun 2020 19:57:45 -0700 Subject: [PATCH 083/105] Update Docker images --- charts/matrix/values.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index e702404..b3b7392 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml @@ -250,7 +250,7 @@ postgresql: synapse: image: repository: "matrixdotorg/synapse" - tag: v1.14.0 + tag: v1.15.0 pullPolicy: IfNotPresent service: type: ClusterIP @@ -389,7 +389,7 @@ coturn: image: repository: "instrumentisto/coturn" - tag: "4.5.1.1" + tag: "4.5.1.2" pullPolicy: IfNotPresent replicaCount: 1 resources: {} @@ -411,7 +411,7 @@ mail: enabled: true image: repository: "devture/exim-relay" - tag: "4.92.2-r0-0" + tag: "4.93.1-r0" pullPolicy: IfNotPresent service: type: ClusterIP @@ -456,7 +456,7 @@ bridges: image: repository: "matrixdotorg/matrix-appservice-irc" - tag: "release-0.16.0" + tag: "release-0.17.1" pullPolicy: IfNotPresent replicaCount: 1 resources: {} From b14903cab24f15af70d1801386ba1288b9344633 Mon Sep 17 00:00:00 2001 
From: David Cruz Date: Thu, 11 Jun 2020 20:05:07 -0700 Subject: [PATCH 084/105] Update version --- charts/matrix/Chart.yaml | 2 +- charts/matrix/README.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/matrix/Chart.yaml b/charts/matrix/Chart.yaml index 17abe8c..3451fc9 100644 --- a/charts/matrix/Chart.yaml +++ b/charts/matrix/Chart.yaml @@ -18,7 +18,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. -version: 2.1.1 +version: 2.2.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. diff --git a/charts/matrix/README.md b/charts/matrix/README.md index a80eee1..70de18d 100644 --- a/charts/matrix/README.md +++ b/charts/matrix/README.md @@ -37,7 +37,7 @@ This chart is published to my Helm chart repository at https://dacruz21.github.i ```yaml dependencies: - name: matrix - version: 2.1.1 + version: 2.2.0 repository: https://dacruz21.github.io/helm-charts ``` 
@@ -61,7 +61,7 @@ helm install matrix . ## Security Helm currently [does not officially support chart signatures created by GPG keys stored on smartcards](https://github.com/helm/helm/issues/2843#issuecomment-379532906). This may change in the future, in which case I will start packaging this chart with the standard `.prov` signatures, but until then signatures must be verified manually. -GPG signatures are available within the chart repo and can be found by appending `.gpg` to the end of the package URL. For example, the signature for v2.1.1 is available at https://dacruz21.github.io/helm-charts/matrix-2.1.1.tgz.gpg. +GPG signatures are available within the chart repo and can be found by appending `.gpg` to the end of the package URL. For example, the signature for v2.2.0 is available at https://dacruz21.github.io/helm-charts/matrix-2.2.0.tgz.gpg. These GPG signatures are signed with the same PGP key that is used to sign commits in this Git repository. The key is available by searching for david@typokign.com on a public keyserver, or by downloading it from my website at https://typokign.com/key.gpg. From e1e60f03a6b85674d5a18e401bf94a02aa88e623 Mon Sep 17 00:00:00 2001 From: Chris Routh Date: Tue, 16 Jun 2020 08:40:14 -0700 Subject: [PATCH 085/105] Add updateStrategy to ensure kubernetes knows it needs to unschedule the orginal deployment in order to release the ReadWriteOnce PVC on the bridges. --- charts/matrix/templates/bridge-discord/deployment.yaml | 5 +++++ charts/matrix/templates/bridge-irc/deployment.yaml | 5 +++++ charts/matrix/templates/bridge-whatsapp/deployment.yaml | 5 +++++ 3 files changed, 15 insertions(+) diff --git a/charts/matrix/templates/bridge-discord/deployment.yaml b/charts/matrix/templates/bridge-discord/deployment.yaml index 586a522..3e30bef 100644 --- a/charts/matrix/templates/bridge-discord/deployment.yaml +++ b/charts/matrix/templates/bridge-discord/deployment.yaml 
@@ -7,6 +7,11 @@ metadata: {{ include "matrix.labels" . | indent 4 }} spec: replicas: {{ .Values.bridges.discord.replicaCount }} + updateStrategy: + rollingUpdate: + maxUnavailable: 1 + maxSurge: 0 + type: RollingUpdate selector: matchLabels: app.kubernetes.io/name: {{ include "matrix.name" . }}-bridge-discord diff --git a/charts/matrix/templates/bridge-irc/deployment.yaml b/charts/matrix/templates/bridge-irc/deployment.yaml index b4d24e2..dce35bc 100644 --- a/charts/matrix/templates/bridge-irc/deployment.yaml +++ b/charts/matrix/templates/bridge-irc/deployment.yaml @@ -7,6 +7,11 @@ metadata: {{ include "matrix.labels" . | nindent 4 }} spec: replicas: {{ .Values.bridges.irc.replicaCount }} + updateStrategy: + rollingUpdate: + maxUnavailable: 1 + maxSurge: 0 + type: RollingUpdate selector: matchLabels: app.kubernetes.io/name: {{ include "matrix.name" . }}-bridge-irc diff --git a/charts/matrix/templates/bridge-whatsapp/deployment.yaml b/charts/matrix/templates/bridge-whatsapp/deployment.yaml index 7072fbb..6f26e54 100644 --- a/charts/matrix/templates/bridge-whatsapp/deployment.yaml +++ b/charts/matrix/templates/bridge-whatsapp/deployment.yaml @@ -7,6 +7,11 @@ metadata: {{ include "matrix.labels" . | indent 4 }} spec: replicas: {{ .Values.bridges.whatsapp.replicaCount }} + updateStrategy: + rollingUpdate: + maxUnavailable: 1 + maxSurge: 0 + type: RollingUpdate selector: matchLabels: app.kubernetes.io/name: {{ include "matrix.name" . }}-bridge-whatsapp From 727ecc93c179e3b040f78e4ee83bfbcdc2eaa655 Mon Sep 17 00:00:00 2001 From: David Cruz Date: Sat, 4 Jul 2020 11:21:45 -0700 Subject: [PATCH 086/105] Update images --- charts/matrix/Chart.yaml | 4 ++-- charts/matrix/values.yaml | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/charts/matrix/Chart.yaml b/charts/matrix/Chart.yaml index 3451fc9..01e5eab 100644 --- a/charts/matrix/Chart.yaml +++ b/charts/matrix/Chart.yaml 
@@ -18,11 +18,11 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. -version: 2.2.0 +version: 2.2.1 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. -appVersion: 1.14.0 +appVersion: 1.15.2 maintainers: - name: "David Cruz" diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index b3b7392..b1dbab8 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml @@ -250,7 +250,7 @@ postgresql: synapse: image: repository: "matrixdotorg/synapse" - tag: v1.15.0 + tag: v1.15.2 pullPolicy: IfNotPresent service: type: ClusterIP @@ -333,7 +333,7 @@ riot: # Riot Kubernetes resource settings image: repository: "vectorim/riot-web" - tag: v1.6.4 + tag: v1.6.8 pullPolicy: IfNotPresent service: type: ClusterIP @@ -389,7 +389,7 @@ coturn: image: repository: "instrumentisto/coturn" - tag: "4.5.1.2" + tag: "4.5.1.3" pullPolicy: IfNotPresent replicaCount: 1 resources: {} @@ -456,7 +456,7 @@ bridges: image: repository: "matrixdotorg/matrix-appservice-irc" - tag: "release-0.17.1" + tag: "release-0.18.0" pullPolicy: IfNotPresent replicaCount: 1 resources: {} From d554b5e0eeb10a78af648a7f9b59c6a83383bb8b Mon Sep 17 00:00:00 2001 From: Chris Routh Date: Tue, 7 Jul 2020 15:58:18 -0700 Subject: [PATCH 087/105] strategy is for Deployment, updateStrategy is for StatefulSet --- charts/matrix/templates/bridge-discord/deployment.yaml | 2 +- charts/matrix/templates/bridge-irc/deployment.yaml | 2 +- charts/matrix/templates/bridge-whatsapp/deployment.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/matrix/templates/bridge-discord/deployment.yaml b/charts/matrix/templates/bridge-discord/deployment.yaml index 3e30bef..09378ba 100644 --- a/charts/matrix/templates/bridge-discord/deployment.yaml 
+++ b/charts/matrix/templates/bridge-discord/deployment.yaml @@ -7,7 +7,7 @@ metadata: {{ include "matrix.labels" . | indent 4 }} spec: replicas: {{ .Values.bridges.discord.replicaCount }} - updateStrategy: + strategy: rollingUpdate: maxUnavailable: 1 maxSurge: 0 diff --git a/charts/matrix/templates/bridge-irc/deployment.yaml b/charts/matrix/templates/bridge-irc/deployment.yaml index dce35bc..1ecb988 100644 --- a/charts/matrix/templates/bridge-irc/deployment.yaml +++ b/charts/matrix/templates/bridge-irc/deployment.yaml @@ -7,7 +7,7 @@ metadata: {{ include "matrix.labels" . | nindent 4 }} spec: replicas: {{ .Values.bridges.irc.replicaCount }} - updateStrategy: + strategy: rollingUpdate: maxUnavailable: 1 maxSurge: 0 diff --git a/charts/matrix/templates/bridge-whatsapp/deployment.yaml b/charts/matrix/templates/bridge-whatsapp/deployment.yaml index 6f26e54..660a49e 100644 --- a/charts/matrix/templates/bridge-whatsapp/deployment.yaml +++ b/charts/matrix/templates/bridge-whatsapp/deployment.yaml @@ -7,7 +7,7 @@ metadata: {{ include "matrix.labels" . | indent 4 }} spec: replicas: {{ .Values.bridges.whatsapp.replicaCount }} - updateStrategy: + strategy: rollingUpdate: maxUnavailable: 1 maxSurge: 0 From 1db5351addcc022fa6863452a4a58bfbabd9626b Mon Sep 17 00:00:00 2001 From: David Cruz Date: Wed, 8 Jul 2020 14:39:45 -0700 Subject: [PATCH 088/105] Update images --- charts/matrix/Chart.yaml | 4 ++-- charts/matrix/README.md | 4 ++-- charts/matrix/values.yaml | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/charts/matrix/Chart.yaml b/charts/matrix/Chart.yaml index 01e5eab..0db0141 100644 --- a/charts/matrix/Chart.yaml +++ b/charts/matrix/Chart.yaml 
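Review bot: `strategy.rollingUpdate` with `maxSurge: 0` / `maxUnavailable: 1` behaves the same as `strategy: type: Recreate` for these single-replica bridge Deployments, and Recreate — already used on the synapse Deployment in PATCH 071 — states the intent from PATCH 085's message (the old pod must release its ReadWriteOnce volume before the new one starts) in one line rather than four; the same applies to all three hunks here. If rollingUpdate is kept deliberately, a comment above `strategy:` such as `# maxSurge 0: the bridge's ReadWriteOnce volume cannot be mounted by two pods at once` would stop a later maintainer raising maxSurge for availability.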
@@ -18,11 +18,11 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. -version: 2.2.1 +version: 2.3.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. -appVersion: 1.15.2 +appVersion: 1.16.0 maintainers: - name: "David Cruz" diff --git a/charts/matrix/README.md b/charts/matrix/README.md index 70de18d..09904ea 100644 --- a/charts/matrix/README.md +++ b/charts/matrix/README.md @@ -37,7 +37,7 @@ This chart is published to my Helm chart repository at https://dacruz21.github.i ```yaml dependencies: - name: matrix - version: 2.2.0 + version: 2.3.0 repository: https://dacruz21.github.io/helm-charts ``` @@ -61,7 +61,7 @@ helm install matrix . ## Security Helm currently [does not officially support chart signatures created by GPG keys stored on smartcards](https://github.com/helm/helm/issues/2843#issuecomment-379532906). This may change in the future, in which case I will start packaging this chart with the standard `.prov` signatures, but until then signatures must be verified manually. -GPG signatures are available within the chart repo and can be found by appending `.gpg` to the end of the package URL. For example, the signature for v2.2.0 is available at https://dacruz21.github.io/helm-charts/matrix-2.2.0.tgz.gpg. +GPG signatures are available within the chart repo and can be found by appending `.gpg` to the end of the package URL. For example, the signature for v2.3.0 is available at https://dacruz21.github.io/helm-charts/matrix-2.3.0.tgz.gpg. These GPG signatures are signed with the same PGP key that is used to sign commits in this Git repository. The key is available by searching for david@typokign.com on a public keyserver, or by downloading it from my website at https://typokign.com/key.gpg. 
diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index b1dbab8..cb24458 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml @@ -250,7 +250,7 @@ postgresql: synapse: image: repository: "matrixdotorg/synapse" - tag: v1.15.2 + tag: v1.16.0 pullPolicy: IfNotPresent service: type: ClusterIP @@ -456,7 +456,7 @@ bridges: image: repository: "matrixdotorg/matrix-appservice-irc" - tag: "release-0.18.0" + tag: "release-0.19.0" pullPolicy: IfNotPresent replicaCount: 1 resources: {} From 35b7ab441af35ab1cc54790e17adee3addd0ad8d Mon Sep 17 00:00:00 2001 From: David Cruz Date: Sun, 2 Aug 2020 15:18:12 -0700 Subject: [PATCH 089/105] Update homeserver.yaml and allow overrides --- .../matrix/templates/synapse/_homeserver.yaml | 1201 +++++++++++++---- charts/matrix/values.yaml | 47 +- 2 files changed, 952 insertions(+), 296 deletions(-) diff --git a/charts/matrix/templates/synapse/_homeserver.yaml b/charts/matrix/templates/synapse/_homeserver.yaml index 820406b..4545bca 100644 --- a/charts/matrix/templates/synapse/_homeserver.yaml +++ b/charts/matrix/templates/synapse/_homeserver.yaml @@ -1,4 +1,7 @@ {{- define "homeserver.yaml" }} +{{- if .Values.matrix.homeserverOverride }} +{{- toYaml .Values.matrix.homeserverOverride }} +{{- else }} ## Server ## # The domain name of the server, with optional explicit port. 
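Review bot: A non-empty `matrix.homeserverOverride` makes `toYaml` emit it in place of the entire generated file, so every other `matrix.*` value (server_name, federation, search, telemetry and so on) is silently ignored in that mode, and nothing in the hunk documents that. Add a comment next to the branch, e.g. `{{- /* homeserverOverride replaces the whole homeserver.yaml; no other matrix.* values are applied */ }}`, and the same sentence on the key in values.yaml. Because the override is rendered verbatim, any credentials an operator puts in it (registration_shared_secret, signing-key material) end up wherever this define is rendered, so the values.yaml comment should point users at a Secret-based mechanism for those. The matching `{{- end }}` is presumably at the end of the define, outside this hunk.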
@@ -12,10 +15,15 @@ server_name: {{ .Values.matrix.serverName }} # pid_file: /data/homeserver.pid -# The path to the web client which will be served at /_matrix/client/ -# if 'webclient' is configured under the 'listeners' configuration. +# The absolute URL to the web client which /_matrix/client will redirect +# to if 'webclient' is configured under the 'listeners' configuration. # -#web_client_location: "/path/to/web/root" +# This option can be also set to the filesystem path to the web client +# which will be served at /_matrix/client/ if 'webclient' is configured +# under the 'listeners' configuration, however this is a security risk: +# https://github.com/matrix-org/synapse#security-note +# +#web_client_location: https://riot.example.com/ # The public-facing base URL that clients use to access this HS # (not including _matrix/...). This is the same URL a user would 
@@ -42,13 +50,21 @@ use_presence: {{ .Values.matrix.presence }} # #require_auth_for_profile_requests: true -# If set to 'false', requires authentication to access the server's public rooms -# directory through the client API. Defaults to 'true'. +# Uncomment to require a user to share a room with another user in order +# to retrieve their profile information. Only checked on Client-Server +# requests. Profile requests from other servers should be checked by the +# requesting server. Defaults to 'false'. +# +#limit_profile_requests_to_users_who_share_rooms: true + +# If set to 'true', removes the need for authentication to access the server's +# public rooms directory through the client API, meaning that anyone can +# query the room directory. Defaults to 'false'. # -#allow_public_rooms_without_auth: false +#allow_public_rooms_without_auth: true -# If set to 'false', forbids any other homeserver to fetch the server's public -# rooms directory via federation. Defaults to 'true'. +# If set to 'true', allows any other homeserver to fetch the server's public +# rooms directory via federation. Defaults to 'false'. # allow_public_rooms_over_federation: {{ and .Values.matrix.federation.enabled .Values.matrix.federation.allowPublicRooms }} @@ -81,7 +97,7 @@ block_non_admin_invites: {{ .Values.matrix.blockNonAdminInvites }} # If disabled, new messages will not be indexed for searching and users # will receive errors when searching for messages. Defaults to enabled. # -enable_search: {{ .Values.matrix.enableSearch }} +enable_search: {{ .Values.matrix.search }} # Restrict federation to the following whitelist of domains. # N.B. we recommend also firewalling your federation listener to limit 
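Review bot: `enable_search: {{ .Values.matrix.search }}` renames the values key from `enableSearch` to `search`, which breaks existing values files: a user still setting `matrix.enableSearch` now renders `enable_search:` with an empty value (YAML null) instead of their boolean. If the rename is intended, call it out in the README/changelog and bump the chart version accordingly; otherwise keep a compatibility fallback such as `enable_search: {{ if hasKey .Values.matrix "search" }}{{ .Values.matrix.search }}{{ else }}{{ .Values.matrix.enableSearch }}{{ end }}`. The values.yaml side of this commit is not in view, so the new default for `matrix.search` could not be checked here.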
@@ -172,53 +188,65 @@ federation_ip_range_blacklist: # webclient: A web client. Requires web_client_location to be set. # listeners: - # TLS-enabled listener: for when matrix traffic is sent directly to synapse. - # - # Disabled by default. To enable it, uncomment the following. (Note that you - # will also need to give Synapse a TLS key and certificate: see the TLS section - # below.) - # - #- port: 8448 - # type: http - # tls: true - # resources: - # - names: [client, federation] - - # Unsecure HTTP listener: for when matrix traffic passes through a reverse proxy - # that unwraps TLS. + # TLS-enabled listener: for when matrix traffic is sent directly to synapse. + # + # Disabled by default. To enable it, uncomment the following. (Note that you + # will also need to give Synapse a TLS key and certificate: see the TLS section + # below.) + # + #- port: 8448 + # type: http + # tls: true + # resources: + # - names: [client, federation] + + # Unsecure HTTP listener: for when matrix traffic passes through a reverse proxy + # that unwraps TLS. + # + # If you plan to use a reverse proxy, please see + # https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md. + # + - port: 8008 + tls: false + type: http + x_forwarded: true + bind_addresses: ['0.0.0.0'] + + resources: + - names: [client, federation] + compress: false + + # example additional_resources: # - # If you plan to use a reverse proxy, please see - # https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md. 
- # - - port: 8008 - tls: false - type: http - x_forwarded: true - bind_addresses: ['0.0.0.0'] - - resources: - - names: [client, federation] - compress: false + #additional_resources: + # "/_matrix/my/custom/endpoint": + # module: my_module.CustomRequestHandler + # config: {} - # example additional_resources: - # - #additional_resources: - # "/_matrix/my/custom/endpoint": - # module: my_module.CustomRequestHandler - # config: {} + # Turn on the twisted ssh manhole service on localhost on the given + # port. + # + #- port: 9000 + # bind_addresses: ['::1', '127.0.0.1'] + # type: manhole - # Turn on the twisted ssh manhole service on localhost on the given - # port. - # - #- port: 9000 - # bind_addresses: ['::1', '127.0.0.1'] - # type: manhole +# Forward extremities can build up in a room due to networking delays between +# homeservers. Once this happens in a large room, calculation of the state of +# that room can become quite expensive. To mitigate this, once the number of +# forward extremities reaches a given threshold, Synapse will send an +# org.matrix.dummy_event event, which will reduce the forward extremities +# in the room. +# +# This setting defines the threshold (i.e. number of forward extremities in the +# room) at which dummy events are sent. The default value is 10. +# +#dummy_events_threshold: 5 ## Homeserver blocking ## # How to reach the server admin, used in ResourceLimitError - +# admin_contact: 'mailto:{{ .Values.matrix.adminEmail }}' # Global blocking @@ -232,7 +260,7 @@ hs_disabled_message: {{ .Values.matrix.disabledMessage }} # number of monthly active users. # # 'limit_usage_by_mau' disables/enables monthly active user blocking. When -# anabled and a limit is reached the server returns a 'ResourceLimitError' +# enabled and a limit is reached the server returns a 'ResourceLimitError' # with error type Codes.RESOURCE_LIMIT_EXCEEDED # # 'max_mau_value' is the hard limit of monthly active users above which 
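Review bot: The re-indented listener keeps `x_forwarded: true` together with `bind_addresses: ['0.0.0.0']` on port 8008, so Synapse takes the client address from `X-Forwarded-For` on every connection, not only those arriving via the chart's ingress; any workload that can reach the pod directly can present an arbitrary client IP to Synapse's per-IP rate limiting and request logging. That is the normal setting behind a reverse proxy, but it relies on the pod being reachable only through the proxy, which the chart could enforce with a NetworkPolicy (not visible in this commit). A comment would make the assumption explicit: `# x_forwarded: true trusts X-Forwarded-For; the pod must only be reachable through the ingress`. Apart from indentation the `listeners:` mapping is unchanged by this hunk.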
@@ -271,22 +299,27 @@ hs_disabled_message: {{ .Values.matrix.disabledMessage }} # Used by phonehome stats to group together related servers. #server_context: context -# Resource-constrained homeserver Settings +# Resource-constrained homeserver settings # -# If limit_remote_rooms.enabled is True, the room complexity will be -# checked before a user joins a new remote room. If it is above -# limit_remote_rooms.complexity, it will disallow joining or -# instantly leave. +# When this is enabled, the room "complexity" will be checked before a user +# joins a new remote room. If it is above the complexity limit, the server will +# disallow joining, or will instantly leave. # -# limit_remote_rooms.complexity_error can be set to customise the text -# displayed to the user when a room above the complexity threshold has -# its join cancelled. +# Room complexity is an arbitrary measure based on factors such as the number of +# users in the room. # -# Uncomment the below lines to enable: -#limit_remote_rooms: -# enabled: true -# complexity: 1.0 -# complexity_error: "This room is too complex." +limit_remote_rooms: + # Uncomment to enable room complexity checking. + # + #enabled: true + + # the limit above which rooms cannot be joined. The default is 1.0. + # + #complexity: 0.5 + + # override the error which is returned when the room is too complex. + # + #complexity_error: "This room is too complex." # Whether to require a user to be in the room to add an alias to it. # Defaults to 'true'. @@ -303,8 +336,8 @@ hs_disabled_message: {{ .Values.matrix.disabledMessage }} # this period redacted events get replaced with their redacted form in the DB. # # Defaults to `7d`. Set to `null` to disable. - -redaction_retention_period: {{ .Values.matrix.retentionPeriod | default "null" }} +# +redaction_retention_period: {{ .Values.matrix.retentionPeriod }} # How long to track users' last seen time and IPs in the database. # 
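Review bot: Dropping `| default "null"` leaves the rendered result unchanged when `matrix.retentionPeriod` is unset — Helm renders it as an empty value, which YAML reads as null — so redacted events are still never purged in that case, even though the comment directly above says Synapse's own default is `7d`. If the chart means to follow Synapse's default, render `redaction_retention_period: {{ .Values.matrix.retentionPeriod | default "7d" }}`; if indefinite retention of redacted content is intended, the values.yaml comment for `retentionPeriod` should say so, since that is a data-retention decision operators will want to see. The values.yaml part of this commit is outside this view, so the shipped default could not be checked.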
@@ -312,6 +345,79 @@ redaction_retention_period: {{ .Values.matrix.retentionPeriod | default "null" } # #user_ips_max_age: 14d +# Message retention policy at the server level. +# +# Room admins and mods can define a retention period for their rooms using the +# 'm.room.retention' state event, and server admins can cap this period by setting +# the 'allowed_lifetime_min' and 'allowed_lifetime_max' config options. +# +# If this feature is enabled, Synapse will regularly look for and purge events +# which are older than the room's maximum retention period. Synapse will also +# filter events received over federation so that events that should have been +# purged are ignored and not stored again. +# +retention: + # The message retention policies feature is disabled by default. Uncomment the + # following line to enable it. + # + #enabled: true + + # Default retention policy. If set, Synapse will apply it to rooms that lack the + # 'm.room.retention' state event. Currently, the value of 'min_lifetime' doesn't + # matter much because Synapse doesn't take it into account yet. + # + #default_policy: + # min_lifetime: 1d + # max_lifetime: 1y + + # Retention policy limits. If set, a user won't be able to send a + # 'm.room.retention' event which features a 'min_lifetime' or a 'max_lifetime' + # that's not within this range. This is especially useful in closed federations, + # in which server admins can make sure every federating server applies the same + # rules. + # + #allowed_lifetime_min: 1d + #allowed_lifetime_max: 1y + + # Server admins can define the settings of the background jobs purging the + # events which lifetime has expired under the 'purge_jobs' section. + # + # If no configuration is provided, a single job will be set up to delete expired + # events in every room daily. + # + # Each job's configuration defines which range of message lifetimes the job + # takes care of. 
For example, if 'shortest_max_lifetime' is '2d' and + # 'longest_max_lifetime' is '3d', the job will handle purging expired events in + # rooms whose state defines a 'max_lifetime' that's both higher than 2 days, and + # lower than or equal to 3 days. Both the minimum and the maximum value of a + # range are optional, e.g. a job with no 'shortest_max_lifetime' and a + # 'longest_max_lifetime' of '3d' will handle every room with a retention policy + # which 'max_lifetime' is lower than or equal to three days. + # + # The rationale for this per-job configuration is that some rooms might have a + # retention policy with a low 'max_lifetime', where history needs to be purged + # of outdated messages on a more frequent basis than for the rest of the rooms + # (e.g. every 12h), but not want that purge to be performed by a job that's + # iterating over every room it knows, which could be heavy on the server. + # + #purge_jobs: + # - shortest_max_lifetime: 1d + # longest_max_lifetime: 3d + # interval: 12h + # - shortest_max_lifetime: 3d + # longest_max_lifetime: 1y + # interval: 1d + +# Inhibits the /requestToken endpoints from returning an error that might leak +# information about whether an e-mail address is in use or not on this +# homeserver. +# Note that for some endpoints the error situation is the e-mail already being +# used, and for others the error is entering the e-mail being unused. +# If this option is enabled, instead of returning an error, these endpoints will +# act as if no error happened and return a fake session ID ('sid') to clients. +# +#request_token_inhibit_3pid_errors: true + ## TLS ## 
@@ -327,11 +433,11 @@ redaction_retention_period: {{ .Values.matrix.retentionPeriod | default "null" } # instance, if using certbot, use `fullchain.pem` as your certificate, # not `cert.pem`). # -#tls_certificate_path: "/synapse/conf/example.com.tls.crt" +#tls_certificate_path: "CONFDIR/SERVERNAME.tls.crt" # PEM-encoded private key for TLS # -#tls_private_key_path: "/synapse/conf/example.com.tls.key" +#tls_private_key_path: "CONFDIR/SERVERNAME.tls.key" # Whether to verify TLS server certificates for outbound federation requests. # @@ -379,6 +485,11 @@ redaction_retention_period: {{ .Values.matrix.retentionPeriod | default "null" } # ACME support: This will configure Synapse to request a valid TLS certificate # for your configured `server_name` via Let's Encrypt. # +# Note that ACME v1 is now deprecated, and Synapse currently doesn't support +# ACME v2. This means that this feature currently won't work with installs set +# up after November 2019. For more info, and alternative solutions, see +# https://github.com/matrix-org/synapse/blob/master/docs/ACME.md#deprecation-of-acme-v1 +# # Note that provisioning a certificate in this way requires port 80 to be # routed to Synapse so that it can complete the http-01 ACME challenge. # By default, if you enable ACME support, Synapse will attempt to listen on @@ -441,9 +552,9 @@ acme: # file to use for the account key. This will be generated if it doesn't # exist. # - # If unspecified, we will use /synapse/conf/client.key. + # If unspecified, we will use CONFDIR/client.key. # - account_key_file: /data/acme_account.key + account_key_file: DATADIR/acme_account.key # List of allowed TLS fingerprints for this server to publish along # with the signing keys for this server. Other matrix servers that 
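Review bot: `account_key_file: DATADIR/acme_account.key` is a live (uncommented) setting under `acme:` (the `acme:` block starts outside the hunk), and `DATADIR` is the placeholder Synapse's own config generator substitutes — Helm renders it verbatim, so Synapse would resolve a relative path `DATADIR/acme_account.key` instead of the `/data/acme_account.key` the chart used before. Keep the concrete path: `account_key_file: /data/acme_account.key`. The `CONFDIR/...` placeholders added in the first hunk are commented out and therefore harmless, and the ACME v1 deprecation note in the second hunk suggests the whole `acme:` block may be moot, but as long as it is rendered it should be valid.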
@@ -938,6 +1049,29 @@ account_threepid_delegates: #email: https://example.com # Delegate email sending to example.com #msisdn: http://localhost:8090 # Delegate SMS sending to this local process +# Whether users are allowed to change their displayname after it has +# been initially set. Useful when provisioning users based on the +# contents of a third-party directory. +# +# Does not apply to server administrators. Defaults to 'true' +# +#enable_set_displayname: false + +# Whether users are allowed to change their avatar after it has been +# initially set. Useful when provisioning users based on the contents +# of a third-party directory. +# +# Does not apply to server administrators. Defaults to 'true' +# +#enable_set_avatar_url: false + +# Whether users can change the 3PIDs associated with their accounts +# (email address and msisdn). +# +# Defaults to 'true' +# +#enable_3pid_changes: false + # Users who register on this homeserver will automatically be joined # to these rooms 
@@ -951,10 +1085,69 @@ auto_join_rooms: # Where auto_join_rooms are specified, setting this flag ensures that the # the rooms exist by creating them when the first user on the # homeserver registers. +# +# By default the auto-created rooms are publicly joinable from any federated +# server. Use the autocreate_auto_join_rooms_federated and +# autocreate_auto_join_room_preset settings below to customise this behaviour. +# # Setting to false means that if the rooms are not manually created, # users cannot be auto-joined since they do not exist. # -#autocreate_auto_join_rooms: true +# Defaults to true. Uncomment the following line to disable automatically +# creating auto-join rooms. +# +#autocreate_auto_join_rooms: false + +# Whether the auto_join_rooms that are auto-created are available via +# federation. Only has an effect if autocreate_auto_join_rooms is true. +# +# Note that whether a room is federated cannot be modified after +# creation. +# +# Defaults to true: the room will be joinable from other servers. +# Uncomment the following to prevent users from other homeservers from +# joining these rooms. +# +#autocreate_auto_join_rooms_federated: false + +# The room preset to use when auto-creating one of auto_join_rooms. Only has an +# effect if autocreate_auto_join_rooms is true. +# +# This can be one of "public_chat", "private_chat", or "trusted_private_chat". +# If a value of "private_chat" or "trusted_private_chat" is used then +# auto_join_mxid_localpart must also be configured. +# +# Defaults to "public_chat", meaning that the room is joinable by anyone, including +# federated servers if autocreate_auto_join_rooms_federated is true (the default). +# Uncomment the following to require an invitation to join these rooms. +# +#autocreate_auto_join_room_preset: private_chat + +# The local part of the user id which is used to create auto_join_rooms if +# autocreate_auto_join_rooms is true. 
If this is not provided then the +# initial user account that registers will be used to create the rooms. +# +# The user id is also used to invite new users to any auto-join rooms which +# are set to invite-only. +# +# It *must* be configured if autocreate_auto_join_room_preset is set to +# "private_chat" or "trusted_private_chat". +# +# Note that this must be specified in order for new users to be correctly +# invited to any auto-join rooms which have been set to invite-only (either +# at the time of creation or subsequently). +# +# Note that, if the room already exists, this user must be joined and +# have the appropriate permissions to invite new members. +# +#auto_join_mxid_localpart: system + +# When auto_join_rooms is specified, setting this flag to false prevents +# guest accounts from being automatically joined to the rooms. +# +# Defaults to true. +# +#auto_join_rooms_for_guests: false ## Metrics ### @@ -977,11 +1170,11 @@ auto_join_rooms: # enabled by default, either for performance reasons or limited use. # metrics_flags: -# Publish synapse_federation_known_servers, a g auge of the number of -# servers this homeserver knows about, including itself. May cause -# performance problems on large homeservers. -# -#known_servers: true + # Publish synapse_federation_known_servers, a gauge of the number of + # servers this homeserver knows about, including itself. May cause + # performance problems on large homeservers. + # + #known_servers: true # Whether or not to report anonymized homeserver usage statistics. report_stats: {{ .Values.matrix.telemetry }} 
@@ -1149,84 +1342,249 @@ suppress_key_server_warning: {{ .Values.matrix.security.supressKeyServerWarning # https://:/_matrix/saml2/authn_response. # saml2_config: -# `sp_config` is the configuration for the pysaml2 Service Provider. -# See pysaml2 docs for format of config. -# -# Default values will be used for the 'entityid' and 'service' settings, -# so it is not normally necessary to specify them unless you need to -# override them. -# -#sp_config: -# # point this to the IdP's metadata. You can use either a local file or -# # (preferably) a URL. -# metadata: -# #local: ["saml2/idp.xml"] -# remote: -# - url: https://our_idp/metadata.xml -# -# # By default, the user has to go to our login page first. If you'd like -# # to allow IdP-initiated login, set 'allow_unsolicited: true' in a -# # 'service.sp' section: -# # -# #service: -# # sp: -# # allow_unsolicited: true -# -# # The examples below are just used to generate our metadata xml, and you -# # may well not need them, depending on your setup. Alternatively you -# # may need a whole lot more detail - see the pysaml2 docs! -# -# description: ["My awesome SP", "en"] -# name: ["Test SP", "en"] -# -# organization: -# name: Example com -# display_name: -# - ["Example co", "en"] -# url: "http://example.com" -# -# contact_person: -# - given_name: Bob -# sur_name: "the Sysadmin" -# email_address": ["admin@example.com"] -# contact_type": technical - -# Instead of putting the config inline as above, you can specify a -# separate pysaml2 configuration file: -# -#config_path: "/synapse/conf/sp_conf.py" - -# the lifetime of a SAML session. This defines how long a user has to -# complete the authentication process, if allow_unsolicited is unset. -# The default is 5 minutes. -# -#saml_session_lifetime: 5m - -# The SAML attribute (after mapping via the attribute maps) to use to derive -# the Matrix ID from. 'uid' by default. 
-# -#mxid_source_attribute: displayName + # `sp_config` is the configuration for the pysaml2 Service Provider. + # See pysaml2 docs for format of config. + # + # Default values will be used for the 'entityid' and 'service' settings, + # so it is not normally necessary to specify them unless you need to + # override them. + # + #sp_config: + # # point this to the IdP's metadata. You can use either a local file or + # # (preferably) a URL. + # metadata: + # #local: ["saml2/idp.xml"] + # remote: + # - url: https://our_idp/metadata.xml + # + # # By default, the user has to go to our login page first. If you'd like + # # to allow IdP-initiated login, set 'allow_unsolicited: true' in a + # # 'service.sp' section: + # # + # #service: + # # sp: + # # allow_unsolicited: true + # + # # The examples below are just used to generate our metadata xml, and you + # # may well not need them, depending on your setup. Alternatively you + # # may need a whole lot more detail - see the pysaml2 docs! + # + # description: ["My awesome SP", "en"] + # name: ["Test SP", "en"] + # + # organization: + # name: Example com + # display_name: + # - ["Example co", "en"] + # url: "http://example.com" + # + # contact_person: + # - given_name: Bob + # sur_name: "the Sysadmin" + # email_address": ["admin@example.com"] + # contact_type": technical + + # Instead of putting the config inline as above, you can specify a + # separate pysaml2 configuration file: + # + #config_path: "CONFDIR/sp_conf.py" + + # The lifetime of a SAML session. This defines how long a user has to + # complete the authentication process, if allow_unsolicited is unset. + # The default is 15 minutes. + # + #saml_session_lifetime: 5m + + # An external module can be provided here as a custom solution to + # mapping attributes returned from a saml provider onto a matrix user. + # + user_mapping_provider: + # The custom module's class. Uncomment to use a custom module. 
+ # + #module: mapping_provider.SamlMappingProvider -# The mapping system to use for mapping the saml attribute onto a matrix ID. -# Options include: -# * 'hexencode' (which maps unpermitted characters to '=xx') -# * 'dotreplace' (which replaces unpermitted characters with '.'). -# The default is 'hexencode'. -# -#mxid_mapping: dotreplace + # Custom configuration values for the module. Below options are + # intended for the built-in provider, they should be changed if + # using a custom module. This section will be passed as a Python + # dictionary to the module's `parse_config` method. + # + config: + # The SAML attribute (after mapping via the attribute maps) to use + # to derive the Matrix ID from. 'uid' by default. + # + # Note: This used to be configured by the + # saml2_config.mxid_source_attribute option. If that is still + # defined, its value will be used instead. + # + #mxid_source_attribute: displayName + + # The mapping system to use for mapping the saml attribute onto a + # matrix ID. + # + # Options include: + # * 'hexencode' (which maps unpermitted characters to '=xx') + # * 'dotreplace' (which replaces unpermitted characters with + # '.'). + # The default is 'hexencode'. + # + # Note: This used to be configured by the + # saml2_config.mxid_mapping option. If that is still defined, its + # value will be used instead. + # + #mxid_mapping: dotreplace + + # In previous versions of synapse, the mapping from SAML attribute to + # MXID was always calculated dynamically rather than stored in a + # table. For backwards- compatibility, we will look for user_ids + # matching such a pattern before creating a new account. + # + # This setting controls the SAML attribute which will be used for this + # backwards-compatibility lookup. Typically it should be 'uid', but if + # the attribute maps are changed, it may be necessary to change it. + # + # The default is 'uid'. 
+ # + #grandfathered_mxid_source_attribute: upn + + # Directory in which Synapse will try to find the template files below. + # If not set, default templates from within the Synapse package will be used. + # + # DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates. + # If you *do* uncomment it, you will need to make sure that all the templates + # below are in the directory. + # + # Synapse will look for the following templates in this directory: + # + # * HTML page to display to users if something goes wrong during the + # authentication process: 'saml_error.html'. + # + # When rendering, this template is given the following variables: + # * code: an HTML error code corresponding to the error that is being + # returned (typically 400 or 500) + # + # * msg: a textual message describing the error. + # + # The variables will automatically be HTML-escaped. + # + # You can see the default templates at: + # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates + # + #template_dir: "res/templates" + + +# OpenID Connect integration. The following settings can be used to make Synapse +# use an OpenID Connect Provider for authentication, instead of its internal +# password database. +# +# See https://github.com/matrix-org/synapse/blob/master/docs/openid.md. +# +oidc_config: + # Uncomment the following to enable authorization against an OpenID Connect + # server. Defaults to false. + # + #enabled: true + + # Uncomment the following to disable use of the OIDC discovery mechanism to + # discover endpoints. Defaults to true. + # + #discover: false + + # the OIDC issuer. Used to validate tokens and (if discovery is enabled) to + # discover the provider's endpoints. + # + # Required if 'enabled' is true. + # + #issuer: "https://accounts.example.com/" + + # oauth2 client id to use. + # + # Required if 'enabled' is true. + # + #client_id: "provided-by-your-issuer" + + # oauth2 client secret to use. + # + # Required if 'enabled' is true. 
+ # + #client_secret: "provided-by-your-issuer" + + # auth method to use when exchanging the token. + # Valid values are 'client_secret_basic' (default), 'client_secret_post' and + # 'none'. + # + #client_auth_method: client_secret_post + + # list of scopes to request. This should normally include the "openid" scope. + # Defaults to ["openid"]. + # + #scopes: ["openid", "profile"] + + # the oauth2 authorization endpoint. Required if provider discovery is disabled. + # + #authorization_endpoint: "https://accounts.example.com/oauth2/auth" + + # the oauth2 token endpoint. Required if provider discovery is disabled. + # + #token_endpoint: "https://accounts.example.com/oauth2/token" + + # the OIDC userinfo endpoint. Required if discovery is disabled and the + # "openid" scope is not requested. + # + #userinfo_endpoint: "https://accounts.example.com/userinfo" + + # URI where to fetch the JWKS. Required if discovery is disabled and the + # "openid" scope is used. + # + #jwks_uri: "https://accounts.example.com/.well-known/jwks.json" + + # Uncomment to skip metadata verification. Defaults to false. + # + # Use this if you are connecting to a provider that is not OpenID Connect + # compliant. + # Avoid this in production. + # + #skip_verification: true + + # An external module can be provided here as a custom solution to mapping + # attributes returned from a OIDC provider onto a matrix user. + # + user_mapping_provider: + # The custom module's class. Uncomment to use a custom module. + # Default is 'synapse.handlers.oidc_handler.JinjaOidcMappingProvider'. + # + # See https://github.com/matrix-org/synapse/blob/master/docs/sso_mapping_providers.md#openid-mapping-providers + # for information on implementing a custom mapping provider. + # + #module: mapping_provider.OidcMappingProvider -# In previous versions of synapse, the mapping from SAML attribute to MXID was -# always calculated dynamically rather than stored in a table. 
For backwards- -# compatibility, we will look for user_ids matching such a pattern before -# creating a new account. -# -# This setting controls the SAML attribute which will be used for this -# backwards-compatibility lookup. Typically it should be 'uid', but if the -# attribute maps are changed, it may be necessary to change it. -# -# The default is 'uid'. -# -#grandfathered_mxid_source_attribute: upn + # Custom configuration values for the module. This section will be passed as + # a Python dictionary to the user mapping provider module's `parse_config` + # method. + # + # The examples below are intended for the default provider: they should be + # changed if using a custom provider. + # + config: + # name of the claim containing a unique identifier for the user. + # Defaults to `sub`, which OpenID Connect compliant providers should provide. + # + #subject_claim: "sub" + + # Jinja2 template for the localpart of the MXID. + # + # When rendering, this template is given the following variables: + # * user: The claims returned by the UserInfo Endpoint and/or in the ID + # Token + # + # This must be configured if using the default mapping provider. + # +{{/* localpart_template: "{{ user.preferred_username }}"*/}} + + # Jinja2 template for the display name to set on first login. + # + # If unset, no displayname will be set. + # +{{/* #display_name_template: "{{ user.given_name }} {{ user.last_name }}"*/}} 
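Review bot: The two `{{/* ... */}}` lines at the end of the `oidc_config` hunk are Go-template comments, so the `localpart_template` and `display_name_template` examples never reach the rendered homeserver.yaml; an operator reading the rendered file sees a `config:` mapping with no hint of the Jinja syntax the default mapping provider needs. If the intent is to keep them as YAML comments while stopping Go from parsing the Jinja braces, emit them as literals instead — a template action printing a backtick-quoted raw string holding `#localpart_template: "{{ user.preferred_username }}"`, and likewise for `display_name_template`, indented under `config:`. Separately, `client_secret` and `skip_verification` are commented out here, but if they are later wired to values, the secret should come from a Secret rather than the rendered file and `skip_verification` should stay at its false default, as the added comment itself warns. The `saml2_config:` mapping begins at this hunk's header, and the `sso:` section follows in the next hunk.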
@@ -1241,131 +1599,374 @@ saml2_config: # # name: value -# The JWT needs to contain a globally unique "sub" (subject) claim. +# Additional settings to use with single-sign on systems such as OpenID Connect, +# SAML2 and CAS. # -#jwt_config: -# enabled: true -# secret: "a secret" -# algorithm: "HS256" +sso: + # A list of client URLs which are whitelisted so that the user does not + # have to confirm giving access to their account to the URL. Any client + # whose URL starts with an entry in the following list will not be subject + # to an additional confirmation step after the SSO login is completed. + # + # WARNING: An entry such as "https://my.client" is insecure, because it + # will also match "https://my.client.evil.site", exposing your users to + # phishing attacks from evil.site. To avoid this, include a slash after the + # hostname: "https://my.client/". + # + # If public_baseurl is set, then the login fallback page (used by clients + # that don't natively support the required login flows) is whitelisted in + # addition to any URLs in this list. + # + # By default, this list is empty. + # + #client_whitelist: + # - https://riot.im/develop + # - https://my.custom.client/ + # Directory in which Synapse will try to find the template files below. + # If not set, default templates from within the Synapse package will be used. + # + # DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates. + # If you *do* uncomment it, you will need to make sure that all the templates + # below are in the directory. + # + # Synapse will look for the following templates in this directory: + # + # * HTML page for a confirmation step before redirecting back to the client + # with the login token: 'sso_redirect_confirm.html'. + # + # When rendering, this template is given three variables: + # * redirect_url: the URL the user is about to be redirected to. Needs + # manual escaping (see + # https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). 
+ # + # * display_url: the same as `redirect_url`, but with the query + # parameters stripped. The intention is to have a + # human-readable URL to show to users, not to use it as + # the final address to redirect to. Needs manual escaping + # (see https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). + # + # * server_name: the homeserver's name. + # + # * HTML page which notifies the user that they are authenticating to confirm + # an operation on their account during the user interactive authentication + # process: 'sso_auth_confirm.html'. + # + # When rendering, this template is given the following variables: + # * redirect_url: the URL the user is about to be redirected to. Needs + # manual escaping (see + # https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping). + # + # * description: the operation which the user is being asked to confirm + # + # * HTML page shown after a successful user interactive authentication session: + # 'sso_auth_success.html'. + # + # Note that this page must include the JavaScript which notifies of a successful authentication + # (see https://matrix.org/docs/spec/client_server/r0.6.0#fallback). + # + # This template has no additional variables. + # + # * HTML page shown during single sign-on if a deactivated user (according to Synapse's database) + # attempts to login: 'sso_account_deactivated.html'. + # + # This template has no additional variables. + # + # * HTML page to display to users if something goes wrong during the + # OpenID Connect authentication process: 'sso_error.html'. 
+ # + # When rendering, this template is given two variables: + # * error: the technical name of the error + # * error_description: a human-readable message for the error + # + # You can see the default templates at: + # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates + # + #template_dir: "res/templates" -password_config: -# Uncomment to disable password login -# -#enabled: false -# Uncomment to disable authentication against the local password -# database. This is ignored if `enabled` is false, and is only useful -# if you have other password_providers. +# JSON web token integration. The following settings can be used to make +# Synapse JSON web tokens for authentication, instead of its internal +# password database. # -#localdb_enabled: false - -# Uncomment and change to a secret random string for extra security. -# DO NOT CHANGE THIS AFTER INITIAL SETUP! +# Each JSON Web Token needs to contain a "sub" (subject) claim, which is +# used as the localpart of the mxid. # -#pepper: "EVEN_MORE_SECRET" - - - -# Enable sending emails for password resets, notification events or -# account expiry notices +# Additionally, the expiration time ("exp"), not before time ("nbf"), +# and issued at ("iat") claims are validated if present. # -# If your SMTP server requires authentication, the optional smtp_user & -# smtp_pass variables should be used - -email: - enable_notifs: {{ .Values.mail.enabled }} - notif_from: {{ .Values.mail.from }} - {{- if .Values.mail.relay.enabled }} - smtp_host: {{ include "matrix.fullname" . 
}}-exim-relay - smtp_port: {{ .Values.mail.relay.service.port }} - {{- else }} - smtp_host: {{ .Values.mail.external.host }} - smtp_port: {{ .Values.mail.external.port }} - smtp_user: {{ .Values.mail.external.username }} - smtp_pass: {{ .Values.mail.external.password }} - require_transport_security: {{ .Values.mail.external.requireTransportSecurity }} - {{- end }} - app_name: Matrix - - # Enable email notifications by default +# Note that this is a non-standard login type and client support is +# expected to be non-existant. +# +# See https://github.com/matrix-org/synapse/blob/master/docs/jwt.md. +# +#jwt_config: + # Uncomment the following to enable authorization using JSON web + # tokens. Defaults to false. # - notif_for_new_users: true - - # Defining a custom URL for Riot is only needed if email notifications - # should contain links to a self-hosted installation of Riot; when set - # the "app_name" setting is ignored - - {{- if .Values.mail.riotUrl }} - riot_base_url: {{ .Values.mail.riotUrl }} - {{- else if .Values.ingress.enabled }} - riot_base_url: {{ .Values.ingress.hosts.riot }} - {{- else }} - riot_base_url: "" - {{- end }} + #enabled: true - # Configure the time that a validation email or text message code - # will expire after sending + # This is either the private shared secret or the public key used to + # decode the contents of the JSON web token. # - # This is currently used for password resets + # Required if 'enabled' is true. # - #validation_token_lifetime: 1h + #secret: "provided-by-your-issuer" - # Template directory. All template files should be stored within this - # directory. If not set, default templates from within the Synapse - # package will be used + # The algorithm used to sign the JSON web token. 
# - # For the list of default templates, please see - # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates + # Supported algorithms are listed at + # https://pyjwt.readthedocs.io/en/latest/algorithms.html # - #template_dir: res/templates - - # Templates for email notifications - - notif_template_html: notif_mail.html - notif_template_text: notif_mail.txt - - # Templates for account expiry notices - - expiry_template_html: notice_expiry.html - expiry_template_text: notice_expiry.txt - - # Templates for password reset emails sent by the homeserver - - password_reset_template_html: password_reset.html - password_reset_template_text: password_reset.txt - - # Templates for registration emails sent by the homeserver - - registration_template_html: registration.html - registration_template_text: registration.txt - - # Templates for validation emails sent by the homeserver when adding an email to - # your user account - - add_threepid_template_html: add_threepid.html - add_threepid_template_text: add_threepid.txt - - # Templates for password reset success and failure pages that a user - # will see after attempting to reset their password + # Required if 'enabled' is true. + # + #algorithm: "provided-by-your-issuer" - password_reset_template_success_html: password_reset_success.html - password_reset_template_failure_html: password_reset_failure.html + # The issuer to validate the "iss" claim against. + # + # Optional, if provided the "iss" claim will be required and + # validated for all JSON web tokens. + # + #issuer: "provided-by-your-issuer" - # Templates for registration success and failure pages that a user - # will see after attempting to register using an email or phone + # A list of audiences to validate the "aud" claim against. + # + # Optional, if provided the "aud" claim will be required and + # validated for all JSON web tokens. 
+ # + # Note that if the "aud" claim is included in a JSON web token then + # validation will fail without configuring audiences. + # + #audiences: + # - "provided-by-your-issuer" - registration_template_success_html: registration_success.html - registration_template_failure_html: registration_failure.html - # Templates for success and failure pages that a user will see after attempting - # to add an email or phone to their account +password_config: + # Uncomment to disable password login + # + #enabled: false + + # Uncomment to disable authentication against the local password + # database. This is ignored if `enabled` is false, and is only useful + # if you have other password_providers. + # + #localdb_enabled: false + + # Uncomment and change to a secret random string for extra security. + # DO NOT CHANGE THIS AFTER INITIAL SETUP! + # + #pepper: "EVEN_MORE_SECRET" + + # Define and enforce a password policy. Each parameter is optional. + # This is an implementation of MSC2000. + # + policy: + # Whether to enforce the password policy. + # Defaults to 'false'. + # + #enabled: true + + # Minimum accepted length for a password. + # Defaults to 0. + # + #minimum_length: 15 + + # Whether a password must contain at least one digit. + # Defaults to 'false'. + # + #require_digit: true + + # Whether a password must contain at least one symbol. + # A symbol is any character that's not a number or a letter. + # Defaults to 'false'. + # + #require_symbol: true + + # Whether a password must contain at least one lowercase letter. + # Defaults to 'false'. + # + #require_lowercase: true + + # Whether a password must contain at least one lowercase letter. + # Defaults to 'false'. + # + #require_uppercase: true + + +# Configuration for sending emails from Synapse. +# +email: + enable_notifs: {{ .Values.mail.enabled }} + notif_from: {{ .Values.mail.from }} + {{- if .Values.mail.relay.enabled }} + smtp_host: {{ include "matrix.fullname" . 
}}-exim-relay + smtp_port: {{ .Values.mail.relay.service.port }} + {{- else }} + smtp_host: {{ .Values.mail.external.host }} + smtp_port: {{ .Values.mail.external.port }} + smtp_user: {{ .Values.mail.external.username }} + smtp_pass: {{ .Values.mail.external.password }} + require_transport_security: {{ .Values.mail.external.requireTransportSecurity }} + {{- end }} + + # notif_from defines the "From" address to use when sending emails. + # It must be set if email sending is enabled. + # + # The placeholder '%(app)s' will be replaced by the application name, + # which is normally 'app_name' (below), but may be overridden by the + # Matrix client application. + # + # Note that the placeholder must be written '%(app)s', including the + # trailing 's'. + # + notif_from: {{ .Values.mail.from }} + + # Uncomment the following to enable sending emails for messages that the user + # has missed. Disabled by default. + # + #enable_notifs: true + + # Uncomment the following to disable automatic subscription to email + # notifications for new users. Enabled by default. + # + #notif_for_new_users: false + + # Custom URL for client links within the email notifications. By default + # links will be based on "https://matrix.to". + # + # (This setting used to be called riot_base_url; the old name is still + # supported for backwards-compatibility but is now deprecated.) + {{- if .Values.mail.riotUrl }} + client_base_url: {{ .Values.mail.riotUrl }} + {{- else if .Values.ingress.enabled }} + client_base_url: {{ .Values.ingress.hosts.riot }} + {{- end }} + + # Configure the time that a validation email will expire after sending. + # Defaults to 1h. + # + #validation_token_lifetime: 15m + + # DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates. + # If you *do* uncomment it, you will need to make sure that all the templates + # below are in the directory. 
+ # + # Synapse will look for the following templates in this directory: + # + # * The contents of email notifications of missed events: 'notif_mail.html' and + # 'notif_mail.txt'. + # + # * The contents of account expiry notice emails: 'notice_expiry.html' and + # 'notice_expiry.txt'. + # + # * The contents of password reset emails sent by the homeserver: + # 'password_reset.html' and 'password_reset.txt' + # + # * HTML pages for success and failure that a user will see when they follow + # the link in the password reset email: 'password_reset_success.html' and + # 'password_reset_failure.html' + # + # * The contents of address verification emails sent during registration: + # 'registration.html' and 'registration.txt' + # + # * HTML pages for success and failure that a user will see when they follow + # the link in an address verification email sent during registration: + # 'registration_success.html' and 'registration_failure.html' + # + # * The contents of address verification emails sent when an address is added + # to a Matrix account: 'add_threepid.html' and 'add_threepid.txt' + # + # * HTML pages for success and failure that a user will see when they follow + # the link in an address verification email sent when an address is added + # to a Matrix account: 'add_threepid_success.html' and + # 'add_threepid_failure.html' + # + # You can see the default templates at: + # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates + # + #template_dir: "res/templates" + + # Subjects to use when sending emails from Synapse. + # + # The placeholder '%(app)s' will be replaced with the value of the 'app_name' + # setting above, or by a value dictated by the Matrix client application. + # + # If a subject isn't overridden in this configuration file, the value used as + # its example will be used. + # + #subjects: + + # Subjects for notification emails. 
+ # + # On top of the '%(app)s' placeholder, these can use the following + # placeholders: + # + # * '%(person)s', which will be replaced by the display name of the user(s) + # that sent the message(s), e.g. "Alice and Bob". + # * '%(room)s', which will be replaced by the name of the room the + # message(s) have been sent to, e.g. "My super room". + # + # See the example provided for each setting to see which placeholder can be + # used and how to use them. + # + # Subject to use to notify about one message from one or more user(s) in a + # room which has a name. + #message_from_person_in_room: "[%(app)s] You have a message on %(app)s from %(person)s in the %(room)s room..." + # + # Subject to use to notify about one message from one or more user(s) in a + # room which doesn't have a name. + #message_from_person: "[%(app)s] You have a message on %(app)s from %(person)s..." + # + # Subject to use to notify about multiple messages from one or more users in + # a room which doesn't have a name. + #messages_from_person: "[%(app)s] You have messages on %(app)s from %(person)s..." + # + # Subject to use to notify about multiple messages in a room which has a + # name. + #messages_in_room: "[%(app)s] You have messages on %(app)s in the %(room)s room..." + # + # Subject to use to notify about multiple messages in multiple rooms. + #messages_in_room_and_others: "[%(app)s] You have messages on %(app)s in the %(room)s room and others..." + # + # Subject to use to notify about multiple messages from multiple persons in + # multiple rooms. This is similar to the setting above except it's used when + # the room in which the notification was triggered has no name. + #messages_from_person_and_others: "[%(app)s] You have messages on %(app)s from %(person)s and others..." + # + # Subject to use to notify about an invite to a room which has a name. + #invite_from_person_to_room: "[%(app)s] %(person)s has invited you to join the %(room)s room on %(app)s..." 
+ # + # Subject to use to notify about an invite to a room which doesn't have a + # name. + #invite_from_person: "[%(app)s] %(person)s has invited you to chat on %(app)s..." - add_threepid_success_html: add_threepid_success.html - add_threepid_failure_html: add_threepid_failure.html + # Subject for emails related to account administration. + # + # On top of the '%(app)s' placeholder, these one can use the + # '%(server_name)s' placeholder, which will be replaced by the value of the + # 'server_name' setting in your Synapse configuration. + # + # Subject to use when sending a password reset email. + #password_reset: "[%(server_name)s] Password reset" + # + # Subject to use when sending a verification email to assert an address's + # ownership. + #email_validation: "[%(server_name)s] Validate your email" -#password_providers: +# Password providers allow homeserver administrators to integrate +# their Synapse installation with existing authentication methods +# ex. LDAP, external tokens, etc. +# +# For more information and known implementations, please see +# https://github.com/matrix-org/synapse/blob/master/docs/password_auth_providers.md +# +# Note: instances wishing to use SAML or CAS authentication should +# instead use the `saml2_config` or `cas_config` options, +# respectively. +# +password_providers: +# # Example config for an LDAP auth provider # - module: "ldap_auth_provider.LdapAuthProvider" # config: # enabled: true 
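Review bot: `notif_from: {{ .Values.mail.from }}` is emitted twice in the new `email:` mapping, once in the first lines of the block next to `enable_notifs` and again after the SMTP settings under its own comment; both copies render the same value today, so PyYAML's last-wins handling hides it, but yamllint flags the duplicate key and any later edit to the first copy is silently shadowed, so the first `notif_from` line should go. The templated `smtp_user` and `smtp_pass` values are also inserted unquoted, so a credential containing `: `, ` #`, a leading `*`/`&`/`[`, or one that looks like a number breaks the rendered document or changes its type; `smtp_user: {{ .Values.mail.external.username | quote }}` and `smtp_pass: {{ .Values.mail.external.password | quote }}` avoid that. The template definition enclosing this block starts outside the hunk.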
@@ -1398,10 +1999,37 @@ email: # include_content: true -#spam_checker: -# module: "my_custom_project.SuperSpamChecker" -# config: -# example_option: 'things' +# Spam checkers are third-party modules that can block specific actions +# of local users, such as creating rooms and registering undesirable +# usernames, as well as remote users by redacting incoming events. +# +spam_checker: + #- module: "my_custom_project.SuperSpamChecker" + # config: + # example_option: 'things' + #- module: "some_other_project.BadEventStopper" + # config: + # example_stop_events_from: ['@bad:example.com'] + + +## Rooms ## + +# Controls whether locally-created rooms should be end-to-end encrypted by +# default. +# +# Possible options are "all", "invite", and "off". They are defined as: +# +# * "all": any locally-created room +# * "invite": any room created with the "private_chat" or "trusted_private_chat" +# room creation presets +# * "off": this option will take no effect +# +# The default value is "off". +# +# Note that this option will only affect rooms created after it is set. It +# will also not affect rooms created by other servers. +# +encryption_enabled_by_default_for_room_type: {{ .Values.matrix.encryptByDefault }} # Uncomment to allow non-server-admin users to create groups on this server 
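Review bot: `encryption_enabled_by_default_for_room_type: {{ .Values.matrix.encryptByDefault }}` renders the chosen value unquoted while the hunk's own comment lists `off` as a valid option; PyYAML, which as far as I can tell is what Synapse loads homeserver.yaml with, reads an unquoted `off` as the boolean `false` rather than the string "off", and whether Synapse's config code accepts `false` for this key depends on the Synapse version, so render it as `encryption_enabled_by_default_for_room_type: {{ .Values.matrix.encryptByDefault | quote }}`. The same trap exists one step earlier in the values.yaml hunk of this patch that adds `encryptByDefault: invite`: Helm's YAML parser also treats a bare `off` as a boolean before the template runs, so that comment should tell users to write `encryptByDefault: "off"`. For the setting that decides whether new rooms are end-to-end encrypted by default, a silent type change is worth closing on both sides.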
@@ -1606,33 +2234,38 @@ email: # (specifically those implemented with Jaeger). # opentracing: -# tracing is disabled by default. Uncomment the following line to enable it. -# -#enabled: true + # tracing is disabled by default. Uncomment the following line to enable it. + # + #enabled: true -# The list of homeservers we wish to send and receive span contexts and span baggage. -# See docs/opentracing.rst -# This is a list of regexes which are matched against the server_name of the -# homeserver. -# -# By defult, it is empty, so no servers are matched. -# -#homeserver_whitelist: -# - ".*" + # The list of homeservers we wish to send and receive span contexts and span baggage. + # See docs/opentracing.rst + # This is a list of regexes which are matched against the server_name of the + # homeserver. + # + # By defult, it is empty, so no servers are matched. + # + #homeserver_whitelist: + # - ".*" + + # Jaeger can be configured to sample traces at different rates. + # All configuration options provided by Jaeger can be set here. + # Jaeger's configuration mostly related to trace sampling which + # is documented here: + # https://www.jaegertracing.io/docs/1.13/sampling/. + # + #jaeger_config: + # sampler: + # type: const + # param: 1 -# Jaeger can be configured to sample traces at different rates. -# All configuration options provided by Jaeger can be set here. -# Jaeger's configuration mostly related to trace sampling which -# is documented here: -# https://www.jaegertracing.io/docs/1.13/sampling/. -# -#jaeger_config: -# sampler: -# type: const -# param: 1 + # Logging whether spans were started and reported + # + # logging: + # false -# Logging whether spans were started and reported -# -# logging: -# false +{{ if .Values.matrix.homeserverExtra }} +{{- toYaml .Values.matrix.homeserverExtra }} +{{- end }} +{{- end }} {{- end}} diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index cb24458..fa29e55 100644 --- a/charts/matrix/values.yaml 
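Review bot: The appended `{{ if .Values.matrix.homeserverExtra }}` / `{{- toYaml .Values.matrix.homeserverExtra }}` block works as an override mechanism only because a top-level key repeated later in the file wins in PyYAML; yamllint and strict YAML 1.2 loaders reject duplicate keys, and a misspelt key in homeserverExtra is silently accepted as a new, unused key rather than reported as a failed override. That behaviour is worth stating next to the block, e.g. `{{/* homeserverExtra is appended verbatim; a key that repeats a default above overrides it only because the loader keeps the last occurrence, and unknown keys are not reported */}}`. The actions that the two trailing `{{- end }}` close start outside the hunk.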
+++ b/charts/matrix/values.yaml @@ -1,5 +1,13 @@ # Runtime configuration for Synapse and settings related to the Matrix protocol matrix: + # Manual overrides for homeserver.yaml, the main configuration file for Synapse + # If homeserverOverride is set, the entirety of homeserver.yaml will be replaced with the contents. + # If homeserverExtra is set, the contents will be appended to the end of the default configuration. + # It is highly recommended that you take a look at the defaults in templates/synapse/_homeserver.yaml, to get a sense + # of the requirements and default configuration options to use other services in this chart. + # homeserverOverride: {} + # homeserverExtra: {} + # Domain name of the server # This is not necessarily the host name where the service is reachable. In fact, you may want to omit any subdomains # from this value as the server name set here will be the name of your homeserver in the fediverse, and will be the @@ -23,6 +31,12 @@ matrix: # Set to false to disable message searching search: true + # Which types of rooms to enable end-to-end encryption on by default + # off: none + # invite: private messages, or rooms created with the private_chat or trusted_private_chat room preset + # all: all rooms + encryptByDefault: invite + # Email address of the administrator adminEmail: "admin@example.com" @@ -126,6 +140,9 @@ matrix: # # blacklist any URL with a literal IPv4 address # - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' + # How long to keep redacted events in unredacted form in the database + retentionPeriod: 7d + security: # a secret which is used to sign access tokens. If none is specified, # the registration_shared_secret is used, if one is given; otherwise, 
@@ -180,6 +197,11 @@ matrix: # acceptKeysInsecurely: false # - serverName: my_other_trusted_server.example.com + # Set to true to globally block access to the homeserver + disabled: false + # Human readable reason for why the homeserver is blocked + disabledMessage: "" + logging: # Root log level is the default log level for log outputs that do not have more # specific settings. @@ -250,7 +272,7 @@ postgresql: synapse: image: repository: "matrixdotorg/synapse" - tag: v1.16.0 + tag: v1.17.0 pullPolicy: IfNotPresent service: type: ClusterIP @@ -273,15 +295,15 @@ synapse: timeoutSeconds: 5 periodSeconds: 10 -# Riot Web client configuration +# Element (formerly Riot Web) client configuration riot: - # Set to false to disable a deployment of riot-web. Users will still be able to connect via any other instances of riot-web (such as https://riot.im), riot-desktop, or any other Matrix clients + # Set to false to disable a deployment of Element. Users will still be able to connect via any other instances of Element (such as https://app.element.io), Element Desktop, or any other Matrix clients enabled: true # Organization/enterprise branding branding: # Shown in email notifications - brand: "Riot" + brand: "Element" # Background of login splash screen welcomeBackgroundUrl: "" # Logo shown at top of login screen @@ -291,9 +313,9 @@ riot: # - text: # url: - # Riot integrations configuration + # Element integrations configuration integrations: - # Set to false to disable the Integrations menu (including widgets, bots, and other plugins to Riot) + # Set to false to disable the Integrations menu (including widgets, bots, and other plugins to Element) enabled: true # UI to load when a user selects the Integrations button at the top-right of a room ui: "https://scalar.vector.im/" 
@@ -307,8 +329,9 @@ riot: - "https://scalar-staging.vector.im/api" - "https://scalar-staging.riot.im/scalar/api" - # Experimental features in riot-web, see https://github.com/vector-im/riot-web/blob/develop/docs/labs.md + # Experimental features in Element, see https://github.com/vector-im/riot-web/blob/develop/docs/labs.md labs: + - feature_new_spinner - feature_pinning - feature_custom_status - feature_custom_tags @@ -327,13 +350,13 @@ riot: # Set to the user ID (@username:domain.tld) of a bot to invite all new users to a DM with the bot upon registration welcomeUserId: "" - # Prefix before permalinks generated when users share links to rooms, users, or messages. If running an unfederated Synapse, set the below to the URL of your Riot instance. + # Prefix before permalinks generated when users share links to rooms, users, or messages. If running an unfederated Synapse, set the below to the URL of your Element instance. permalinkPrefix: "https://matrix.to" - # Riot Kubernetes resource settings + # Element Kubernetes resource settings image: repository: "vectorim/riot-web" - tag: v1.6.8 + tag: v1.7.0 pullPolicy: IfNotPresent service: type: ClusterIP @@ -401,9 +424,9 @@ mail: enabled: true # Name and email address for outgoing mail from: "Matrix " - # Optional: Riot instance URL. + # Optional: Element instance URL. # If the ingress is enabled, this is unnecessary. - # If the ingress is disabled and this is left unspecified, emails will contain a link to https://riot.im + # If the ingress is disabled and this is left unspecified, emails will contain a link to https://app.element.io riotUrl: "" # Exim relay From 7c1c1ebbbe9991eeb9ab4d0d660ad2d13b8b9c32 Mon Sep 17 00:00:00 2001 From: David Cruz Date: Sun, 2 Aug 2020 15:24:23 -0700 Subject: [PATCH 090/105] Update images --- charts/matrix/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index fa29e55..8f89b15 100644 
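Review bot: The updated `riotUrl` comment still says that with the ingress disabled and this value unset "emails will contain a link to https://app.element.io", but the `email:` block in the `_homeserver.yaml` hunk of this same patch now sets `client_base_url` only when `mail.riotUrl` or `ingress.enabled` is set and otherwise omits the key, whose default the template's own comment gives as "https://matrix.to"; the values comment should read `# If the ingress is disabled and this is left unspecified, emails will link to https://matrix.to`. The `riotUrl` key also keeps its old name while the surrounding comments were renamed to Element; a short comment such as `# (key name kept as riotUrl for compatibility with existing values files)` would stop a later cleanup from renaming it and breaking users' overrides.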
--- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml @@ -272,7 +272,7 @@ postgresql: synapse: image: repository: "matrixdotorg/synapse" - tag: v1.17.0 + tag: v1.18.0 pullPolicy: IfNotPresent service: type: ClusterIP @@ -356,7 +356,7 @@ riot: # Element Kubernetes resource settings image: repository: "vectorim/riot-web" - tag: v1.7.0 + tag: v1.7.2 pullPolicy: IfNotPresent service: type: ClusterIP From 60555211312e4e37ab6a3d8c3777c9eb97ccdce3 Mon Sep 17 00:00:00 2001 From: David Cruz Date: Sun, 2 Aug 2020 15:29:17 -0700 Subject: [PATCH 091/105] Bump version --- charts/matrix/Chart.yaml | 4 ++-- charts/matrix/README.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/matrix/Chart.yaml b/charts/matrix/Chart.yaml index 0db0141..5581b07 100644 --- a/charts/matrix/Chart.yaml +++ b/charts/matrix/Chart.yaml @@ -18,11 +18,11 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. -version: 2.3.0 +version: 2.4.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. -appVersion: 1.16.0 +appVersion: 1.18.0 maintainers: - name: "David Cruz" diff --git a/charts/matrix/README.md b/charts/matrix/README.md index 09904ea..e0171f2 100644 --- a/charts/matrix/README.md +++ b/charts/matrix/README.md @@ -37,7 +37,7 @@ This chart is published to my Helm chart repository at https://dacruz21.github.i ```yaml dependencies: - name: matrix - version: 2.3.0 + version: 2.4.0 repository: https://dacruz21.github.io/helm-charts ``` 
@@ -61,7 +61,7 @@ helm install matrix . ## Security Helm currently [does not officially support chart signatures created by GPG keys stored on smartcards](https://github.com/helm/helm/issues/2843#issuecomment-379532906). This may change in the future, in which case I will start packaging this chart with the standard `.prov` signatures, but until then signatures must be verified manually. -GPG signatures are available within the chart repo and can be found by appending `.gpg` to the end of the package URL. For example, the signature for v2.3.0 is available at https://dacruz21.github.io/helm-charts/matrix-2.3.0.tgz.gpg. +GPG signatures are available within the chart repo and can be found by appending `.gpg` to the end of the package URL. For example, the signature for v2.4.0 is available at https://dacruz21.github.io/helm-charts/matrix-2.4.0.tgz.gpg. These GPG signatures are signed with the same PGP key that is used to sign commits in this Git repository. The key is available by searching for david@typokign.com on a public keyserver, or by downloading it from my website at https://typokign.com/key.gpg. From a48faf4ff88bf104a82c7c23a3bf776d3f8b591b Mon Sep 17 00:00:00 2001 From: David Cruz Date: Mon, 17 Aug 2020 22:21:14 -0700 Subject: [PATCH 092/105] Bump versions --- charts/matrix/Chart.yaml | 4 ++-- charts/matrix/README.md | 4 ++-- charts/matrix/templates/NOTES.txt | 2 ++ charts/matrix/templates/synapse/_homeserver.yaml | 2 +- charts/matrix/values.yaml | 6 +++--- 5 files changed, 10 insertions(+), 8 deletions(-) diff --git a/charts/matrix/Chart.yaml b/charts/matrix/Chart.yaml index 5581b07..73e993b 100644 --- a/charts/matrix/Chart.yaml +++ b/charts/matrix/Chart.yaml 
@@ -18,11 +18,11 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. -version: 2.4.0 +version: 2.5.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. -appVersion: 1.18.0 +appVersion: 1.19.0 maintainers: - name: "David Cruz" diff --git a/charts/matrix/README.md b/charts/matrix/README.md index e0171f2..fbba3fe 100644 --- a/charts/matrix/README.md +++ b/charts/matrix/README.md @@ -37,7 +37,7 @@ This chart is published to my Helm chart repository at https://dacruz21.github.i ```yaml dependencies: - name: matrix - version: 2.4.0 + version: 2.5.0 repository: https://dacruz21.github.io/helm-charts ``` @@ -61,7 +61,7 @@ helm install matrix . ## Security Helm currently [does not officially support chart signatures created by GPG keys stored on smartcards](https://github.com/helm/helm/issues/2843#issuecomment-379532906). This may change in the future, in which case I will start packaging this chart with the standard `.prov` signatures, but until then signatures must be verified manually. -GPG signatures are available within the chart repo and can be found by appending `.gpg` to the end of the package URL. For example, the signature for v2.4.0 is available at https://dacruz21.github.io/helm-charts/matrix-2.4.0.tgz.gpg. +GPG signatures are available within the chart repo and can be found by appending `.gpg` to the end of the package URL. For example, the signature for v2.5.0 is available at https://dacruz21.github.io/helm-charts/matrix-2.5.0.tgz.gpg. These GPG signatures are signed with the same PGP key that is used to sign commits in this Git repository. The key is available by searching for david@typokign.com on a public keyserver, or by downloading it from my website at https://typokign.com/key.gpg. 
diff --git a/charts/matrix/templates/NOTES.txt b/charts/matrix/templates/NOTES.txt index a91e3f1..ef1b65d 100644 --- a/charts/matrix/templates/NOTES.txt +++ b/charts/matrix/templates/NOTES.txt @@ -52,5 +52,7 @@ For more information, check out the official documentation at https://github.com The Discord bridge has been enabled! You'll need to follow the instructions at https://github.com/Half-Shot/matrix-appservice-discord#setting-up-discord to finish setting up the bridge + +When you've finished setting up the bridge, head to https://discord.com/oauth2/authorize?client_id={{ .Values.bridges.discord.auth.clientId }}&scope=bot&permissions=607251456 to invite the bridge bot to a Discord guild. {{- end }} {{- end }} diff --git a/charts/matrix/templates/synapse/_homeserver.yaml b/charts/matrix/templates/synapse/_homeserver.yaml index 4545bca..adc1b32 100644 --- a/charts/matrix/templates/synapse/_homeserver.yaml +++ b/charts/matrix/templates/synapse/_homeserver.yaml @@ -2268,4 +2268,4 @@ opentracing: {{- toYaml .Values.matrix.homeserverExtra }} {{- end }} {{- end }} -{{- end}} +{{- end }} diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index 8f89b15..8ff2134 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml @@ -272,7 +272,7 @@ postgresql: synapse: image: repository: "matrixdotorg/synapse" - tag: v1.18.0 + tag: v1.19.0 pullPolicy: IfNotPresent service: type: ClusterIP @@ -356,7 +356,7 @@ riot: # Element Kubernetes resource settings image: repository: "vectorim/riot-web" - tag: v1.7.2 + tag: v1.7.4 pullPolicy: IfNotPresent service: type: ClusterIP @@ -479,7 +479,7 @@ bridges: image: repository: "matrixdotorg/matrix-appservice-irc" - tag: "release-0.19.0" + tag: "release-0.20.1" pullPolicy: IfNotPresent replicaCount: 1 resources: {} From c5002c55567f0eefccd78dbcf9fa4abc8fe83dd6 Mon Sep 17 00:00:00 2001 
From: Chris Routh Date: Sat, 29 Aug 2020 12:50:34 -0700 Subject: [PATCH 093/105] Add support for ssl db connections on the IRC bridge, and to disable SSL verification if needed --- charts/matrix/templates/bridge-irc/_config.yaml | 4 ++-- charts/matrix/templates/bridge-irc/deployment.yaml | 5 +++++ charts/matrix/values.yaml | 5 ++++- 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/charts/matrix/templates/bridge-irc/_config.yaml b/charts/matrix/templates/bridge-irc/_config.yaml index 9aef9ac..c8ea4e7 100644 --- a/charts/matrix/templates/bridge-irc/_config.yaml +++ b/charts/matrix/templates/bridge-irc/_config.yaml @@ -187,8 +187,8 @@ database: # For postgres, it must start with postgres:// # For NeDB, it must start with nedb://. The path is relative to the project directory. {{- if .Values.postgresql.enabled }} - connectionString: "postgres://{{ .Values.postgresql.username }}:{{ .Values.postgresql.password }}@{{ include "matrix.fullname" . }}-postgresql/{{ .Values.bridges.irc.database }}" + connectionString: "postgres://{{ .Values.postgresql.username }}:{{ .Values.postgresql.password }}@{{ include "matrix.fullname" . }}-postgresql/{{ .Values.bridges.irc.database.name }}{{ if .Values.bridges.irc.database.ssl }}?ssl=require&sslmode=allow{{ end }}" {{- else }} - connectionString: "postgres://{{ .Values.postgresql.username }}:{{ .Values.postgresql.password }}@{{ .Values.postgresql.hostname }}:{{ .Values.postgresql.port }}/{{ .Values.bridges.irc.database }}" + connectionString: "postgres://{{ .Values.postgresql.username }}:{{ .Values.postgresql.password }}@{{ .Values.postgresql.hostname }}:{{ .Values.postgresql.port }}/{{ .Values.bridges.irc.database.name }}{{ if .Values.bridges.irc.database.ssl }}?ssl=require&sslmode=allow{{ end }}" {{- end }} {{- end }} \ No newline at end of file diff --git a/charts/matrix/templates/bridge-irc/deployment.yaml b/charts/matrix/templates/bridge-irc/deployment.yaml index 1ecb988..5a35506 100644 
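Review bot: The query string appended on both new `connectionString` lines, `?ssl=require&sslmode=allow`, is self-contradictory: `sslmode=allow` tells a libpq-style client to attempt a non-TLS session first and only upgrade if the server refuses cleartext, so an operator who sets `bridges.irc.database.ssl: true` can still end up on an unencrypted connection. How the bridge's driver weighs `ssl` against `sslmode` is not visible here, but `sslmode=require` (or a configurable mode, with `verify-full` when a CA is available) states the intent, e.g. `{{ if .Values.bridges.irc.database.ssl }}?sslmode=require{{ end }}`. The two branches differ only in the host part, so the duplicated string is a candidate for a single helper. The enclosing `database:` block and its outer `{{- if }}` begin outside the hunk.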
--- a/charts/matrix/templates/bridge-irc/deployment.yaml +++ b/charts/matrix/templates/bridge-irc/deployment.yaml @@ -75,6 +75,11 @@ spec: - name: "bridge-irc" image: "{{ .Values.bridges.irc.image.repository }}:{{ .Values.bridges.irc.image.tag }}" imagePullPolicy: {{ .Values.bridges.irc.image.pullPolicy }} + {{- if not .Values.bridges.irc.database.sslVerify}} + env: + - name: NODE_TLS_REJECT_UNAUTHORIZED + value: "0" + {{ end }} ports: - name: bridge containerPort: 9006 diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index 8ff2134..6b51fb7 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml @@ -461,7 +461,10 @@ bridges: # Whether to enable presence (online/offline indicators). If presence is disabled for the homeserver (above), it should be disabled here too presence: false # Name of Postgres database to store IRC bridge data in, this database will be created if the included Postgres chart is enabled, otherwise you must create it manually - database: "matrix_irc" + database: + name: "matrix_irc" + ssl: false + sslVerify: true # Object of IRC servers to connect to, see https://github.com/matrix-org/matrix-appservice-irc/blob/master/config.sample.yaml for config options servers: From cd17a08beb454fd3b0347564a2fdcddd148ff494 Mon Sep 17 00:00:00 2001 From: David Cruz Date: Sun, 30 Aug 2020 16:19:18 -0700 Subject: [PATCH 094/105] Move SSL settings to postgres values --- charts/matrix/templates/_helpers.tpl | 11 +++++++++++ charts/matrix/templates/bridge-irc/_config.yaml | 6 +----- charts/matrix/templates/bridge-irc/deployment.yaml | 4 ++-- charts/matrix/templates/synapse/_homeserver.yaml | 1 + charts/matrix/values.yaml | 11 +++++++---- 5 files changed, 22 insertions(+), 11 deletions(-) diff --git a/charts/matrix/templates/_helpers.tpl b/charts/matrix/templates/_helpers.tpl index 8f351e0..5e7ddff 100644 --- a/charts/matrix/templates/_helpers.tpl +++ b/charts/matrix/templates/_helpers.tpl 
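Review bot: `NODE_TLS_REJECT_UNAUTHORIZED=0` in the added env entry disables certificate verification for every TLS connection the bridge's Node process makes, not only the Postgres one, so a value named `database.sslVerify` (renamed `databaseSslVerify` in the next commit's bridge-irc/deployment.yaml hunk, which keeps the same mechanism) understates its reach: IRC servers joined over TLS and the homeserver connection lose verification as well. If the driver can take a CA through its own settings (a `verify-ca`/`verify-full` sslmode with a root certificate), that is the narrower fix; otherwise the values.yaml comment should say plainly that the switch is process-wide. `env:` is also introduced here inside the `if`; if the container spec already carries an `env:` list outside the hunk, the rendered manifest gets a duplicate key. Minor: `{{- if not .Values.bridges.irc.database.sslVerify}}` lacks the space before `}}`, and the closing `{{ end }}` without `-` leaves a whitespace-only line in the output.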
@@ -63,3 +63,14 @@ Synapse hostname prepended with https:// to form a complete URL
 {{- printf "https://%s" .Values.ingress.hosts.synapse -}}
 {{- end }}
 {{- end }}
+
+{{/*
+Helper function to get a postgres connection string for the database, with all of the auth and SSL settings automatically applied
+*/}}
+{{- define "matrix.postgresUri" -}}
+{{- if .Values.postgresql.enabled -}}
+postgres://{{ .Values.postgresql.username }}:{{ .Values.postgresql.password }}@{{ include "matrix.fullname" . }}-postgresql/%s{{ if .Values.postgresql.ssl }}?ssl=true&sslmode={{ .Values.postgresql.sslMode}}{{ end }}
+{{- else -}}
+postgres://{{ .Values.postgresql.username }}:{{ .Values.postgresql.password }}@{{ .Values.postgresql.hostname }}:{{ .Values.postgresql.port }}/%s{{ if .Values.postgresql.ssl }}?ssl=true&sslmode={{ .Values.postgresql.sslMode }}{{ end }}
+{{- end }}
+{{- end }}
diff --git a/charts/matrix/templates/bridge-irc/_config.yaml b/charts/matrix/templates/bridge-irc/_config.yaml
index c8ea4e7..e6b68ae 100644
--- a/charts/matrix/templates/bridge-irc/_config.yaml
+++ b/charts/matrix/templates/bridge-irc/_config.yaml
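Review bot: The helper embeds a `%s` and is consumed by this commit's bridge-irc/_config.yaml hunk as a printf format, `printf (include "matrix.postgresUri" .) .Values.bridges.irc.database`, so every character of `postgresql.username`, `postgresql.password` and `postgresql.hostname` passes through fmt's verb parser: a `%` in the password produces `%!(NOVERB)`-style output or consumes the database name, and a password containing `@`, `:`, `/`, `?` or `#` breaks the URI because nothing is URL-escaped. Passing the database name in explicitly and escaping the userinfo removes both problems; the call site then becomes `{{ include "matrix.postgresUri" (dict "ctx" . "database" .Values.bridges.irc.database) | quote }}` (Go's `urlquery` encodes a space as `+`, so a password with spaces still needs care). Minor: `{{ .Values.postgresql.sslMode}}` in the first branch lacks the space before `}}` that the second branch has.
```gotemplate
{{/*
Postgres connection URI for one database, with auth and SSL settings applied.
Call with (dict "ctx" . "database" "<name>") so no user value is run through printf.
*/}}
{{- define "matrix.postgresUri" -}}
{{- $ctx := .ctx -}}
{{- $auth := printf "%s:%s" ($ctx.Values.postgresql.username | urlquery) ($ctx.Values.postgresql.password | urlquery) -}}
{{- if $ctx.Values.postgresql.enabled -}}
postgres://{{ $auth }}@{{ include "matrix.fullname" $ctx }}-postgresql/{{ .database }}{{ if $ctx.Values.postgresql.ssl }}?ssl=true&sslmode={{ $ctx.Values.postgresql.sslMode }}{{ end }}
{{- else -}}
postgres://{{ $auth }}@{{ $ctx.Values.postgresql.hostname }}:{{ $ctx.Values.postgresql.port }}/{{ .database }}{{ if $ctx.Values.postgresql.ssl }}?ssl=true&sslmode={{ $ctx.Values.postgresql.sslMode }}{{ end }}
{{- end }}
{{- end }}
```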
@@ -186,9 +186,5 @@ database:
 # Either a PostgreSQL connection string, or a path to the NeDB storage directory.
 # For postgres, it must start with postgres://
 # For NeDB, it must start with nedb://. The path is relative to the project directory.
- {{- if .Values.postgresql.enabled }}
- connectionString: "postgres://{{ .Values.postgresql.username }}:{{ .Values.postgresql.password }}@{{ include "matrix.fullname" . }}-postgresql/{{ .Values.bridges.irc.database.name }}{{ if .Values.bridges.irc.database.ssl }}?ssl=require&sslmode=allow{{ end }}"
- {{- else }}
- connectionString: "postgres://{{ .Values.postgresql.username }}:{{ .Values.postgresql.password }}@{{ .Values.postgresql.hostname }}:{{ .Values.postgresql.port }}/{{ .Values.bridges.irc.database.name }}{{ if .Values.bridges.irc.database.ssl }}?ssl=require&sslmode=allow{{ end }}"
- {{- end }}
+ connectionString: {{ printf (include "matrix.postgresUri" .) .Values.bridges.irc.database | quote }}
 {{- end }}
\ No newline at end of file
diff --git a/charts/matrix/templates/bridge-irc/deployment.yaml b/charts/matrix/templates/bridge-irc/deployment.yaml
index 5a35506..98dc72e 100644
--- a/charts/matrix/templates/bridge-irc/deployment.yaml
+++ b/charts/matrix/templates/bridge-irc/deployment.yaml
@@ -75,11 +75,11 @@ spec:
 - name: "bridge-irc"
 image: "{{ .Values.bridges.irc.image.repository }}:{{ .Values.bridges.irc.image.tag }}"
 imagePullPolicy: {{ .Values.bridges.irc.image.pullPolicy }}
- {{- if not .Values.bridges.irc.database.sslVerify}}
+ {{- if not .Values.bridges.irc.databaseSslVerify }}
 env:
 - name: NODE_TLS_REJECT_UNAUTHORIZED
 value: "0"
- {{ end }}
+ {{- end }}
 ports:
 - name: bridge
 containerPort: 9006
diff --git a/charts/matrix/templates/synapse/_homeserver.yaml b/charts/matrix/templates/synapse/_homeserver.yaml
index adc1b32..6267746 100644
--- a/charts/matrix/templates/synapse/_homeserver.yaml
+++ b/charts/matrix/templates/synapse/_homeserver.yaml
@@ -601,6 +601,7 @@ database: host: "{{ .Values.postgresql.hostname }}" port: "{{ .Values.postgresql.port }}" {{- end }} + sslmode: {{ .Values.postgresql.sslMode }} cp_min: 5 cp_max: 10 diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index 6b51fb7..3e0b23b 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml @@ -255,6 +255,11 @@ postgresql: hostname: "" port: 5432 + # Whether to connect to the database over SSL + ssl: false + # See https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS for documentation of these modes + sslMode: prefer + # Storage to allocate for stable/postgresql persistence: size: 8Gi @@ -461,10 +466,8 @@ bridges: # Whether to enable presence (online/offline indicators). If presence is disabled for the homeserver (above), it should be disabled here too presence: false # Name of Postgres database to store IRC bridge data in, this database will be created if the included Postgres chart is enabled, otherwise you must create it manually - database: - name: "matrix_irc" - ssl: false - sslVerify: true + database: "matrix_irc" + databaseSslVerify: true # Object of IRC servers to connect to, see https://github.com/matrix-org/matrix-appservice-irc/blob/master/config.sample.yaml for config options servers: From 3ec07a96b7db789d0243c2ba51c84aee7303df78 Mon Sep 17 00:00:00 2001 From: David Cruz Date: Sun, 30 Aug 2020 16:19:41 -0700 Subject: [PATCH 095/105] More Riot->Element renames --- charts/matrix/templates/NOTES.txt | 4 ++-- charts/matrix/values.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/matrix/templates/NOTES.txt b/charts/matrix/templates/NOTES.txt index ef1b65d..8d7c939 100644 --- a/charts/matrix/templates/NOTES.txt +++ b/charts/matrix/templates/NOTES.txt 
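Review bot: The added `sslmode: {{ .Values.postgresql.sslMode }}` is emitted regardless of `postgresql.ssl`, so for Synapse the new `ssl` toggle does nothing: with the shipped defaults it always renders `sslmode: prefer`, while the IRC helper in the same commit appends SSL parameters only when `ssl` is true. Either gate it the same way — `{{- if .Values.postgresql.ssl }}` / `sslmode: {{ .Values.postgresql.sslMode | quote }}` / `{{- end }}` — or state in values.yaml that `ssl` affects only the bridge. That comment should also say that `prefer` and `require` encrypt but do not authenticate the server; only `verify-ca`/`verify-full` do. The `database:` / `args:` mapping this line belongs to begins outside the hunk.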
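Review bot: `databaseSslVerify: true` in this commit's second values.yaml hunk is added without a comment, and the comment directly above it still describes only the database name, so a reader cannot tell what switching it off does. Suggested comment: `# Set to false to skip TLS certificate verification in the IRC bridge (sets NODE_TLS_REJECT_UNAUTHORIZED=0, which affects every TLS connection the bridge process makes, not just Postgres)`. In the first hunk, the `sslMode` comment points at the libpq keyword list but could add that `prefer`, the default chosen here, still permits a cleartext fallback and that `verify-full` is needed to authenticate the server.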
@@ -4,7 +4,7 @@ dacruz21/matrix-chart has been installed! Installed components: - Synapse ({{ .Values.synapse.image.repository }}) {{- if .Values.riot.enabled }} - - Riot Web ({{ .Values.riot.image.repository }}) + - Element Web ({{ .Values.riot.image.repository }}) {{- end }} {{- if .Values.postgresql.enabled }} - PostgreSQL ({{ .Values.postgresql.image.repository }}) @@ -30,7 +30,7 @@ Thank you for installing dacruz21/matrix-chart! If you have any questions or run {{ if .Values.ingress.enabled }} Your Synapse homeserver should soon be available at https://{{ .Values.ingress.hosts.synapse }} {{- if .Values.riot.enabled }} -Your Riot Web instance should soon be available at https://{{ .Values.ingress.hosts.riot }} +Your Element Web instance should soon be available at https://{{ .Values.ingress.hosts.riot }} {{- end }} {{- end }} diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index 3e0b23b..8718c00 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml @@ -235,7 +235,7 @@ ingress: tls: [] hosts: synapse: matrix.chart-example.local - riot: riot.chart-example.local + riot: element.chart-example.local federation: matrix-fed.chart-example.local annotations: # This annotation is required for the Nginx ingress provider. You can remove it if you use a different ingress provider From 7e5e8a0a5b7927ee379f956a43677e85a9317d19 Mon Sep 17 00:00:00 2001 From: David Cruz Date: Sun, 30 Aug 2020 16:22:02 -0700 Subject: [PATCH 096/105] Update images --- charts/matrix/Chart.yaml | 4 ++-- charts/matrix/README.md | 4 ++-- charts/matrix/values.yaml | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/charts/matrix/Chart.yaml b/charts/matrix/Chart.yaml index 73e993b..352d9fb 100644 --- a/charts/matrix/Chart.yaml +++ b/charts/matrix/Chart.yaml 
@@ -18,11 +18,11 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. -version: 2.5.0 +version: 2.6.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. -appVersion: 1.19.0 +appVersion: 1.19.1 maintainers: - name: "David Cruz" diff --git a/charts/matrix/README.md b/charts/matrix/README.md index fbba3fe..d229ace 100644 --- a/charts/matrix/README.md +++ b/charts/matrix/README.md @@ -37,7 +37,7 @@ This chart is published to my Helm chart repository at https://dacruz21.github.i ```yaml dependencies: - name: matrix - version: 2.5.0 + version: 2.6.0 repository: https://dacruz21.github.io/helm-charts ``` @@ -61,7 +61,7 @@ helm install matrix . ## Security Helm currently [does not officially support chart signatures created by GPG keys stored on smartcards](https://github.com/helm/helm/issues/2843#issuecomment-379532906). This may change in the future, in which case I will start packaging this chart with the standard `.prov` signatures, but until then signatures must be verified manually. -GPG signatures are available within the chart repo and can be found by appending `.gpg` to the end of the package URL. For example, the signature for v2.5.0 is available at https://dacruz21.github.io/helm-charts/matrix-2.5.0.tgz.gpg. +GPG signatures are available within the chart repo and can be found by appending `.gpg` to the end of the package URL. For example, the signature for v2.6.0 is available at https://dacruz21.github.io/helm-charts/matrix-2.6.0.tgz.gpg. These GPG signatures are signed with the same PGP key that is used to sign commits in this Git repository. The key is available by searching for david@typokign.com on a public keyserver, or by downloading it from my website at https://typokign.com/key.gpg. 
diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index 8718c00..c07464d 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml @@ -277,7 +277,7 @@ postgresql: synapse: image: repository: "matrixdotorg/synapse" - tag: v1.19.0 + tag: v1.19.1 pullPolicy: IfNotPresent service: type: ClusterIP @@ -485,7 +485,7 @@ bridges: image: repository: "matrixdotorg/matrix-appservice-irc" - tag: "release-0.20.1" + tag: "release-0.20.2" pullPolicy: IfNotPresent replicaCount: 1 resources: {} From 2bda4e997c67313396617a17deb8ea288de3b6c8 Mon Sep 17 00:00:00 2001 From: Tanner Danzey Date: Sat, 12 Sep 2020 23:32:34 -0500 Subject: [PATCH 097/105] Fixed CoTURN URIs, incremented patch number --- charts/matrix/Chart.yaml | 2 +- charts/matrix/templates/synapse/_homeserver.yaml | 12 +++++++++++- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/charts/matrix/Chart.yaml b/charts/matrix/Chart.yaml index 352d9fb..29fb742 100644 --- a/charts/matrix/Chart.yaml +++ b/charts/matrix/Chart.yaml @@ -18,7 +18,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. -version: 2.6.0 +version: 2.6.1 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. diff --git a/charts/matrix/templates/synapse/_homeserver.yaml b/charts/matrix/templates/synapse/_homeserver.yaml index 6267746..545b3f0 100644 --- a/charts/matrix/templates/synapse/_homeserver.yaml +++ b/charts/matrix/templates/synapse/_homeserver.yaml 
@@ -856,15 +856,25 @@ max_spider_size: {{ .Values.matrix.urlPreviews.rules.maxSize }} # #recaptcha_siteverify_api: "https://www.recaptcha.net/recaptcha/api/siteverify" +{{- if .Values.coturn.enabled -}} -{{- if not (empty .Values.coturn.uris) }} ## TURN ## # The public URIs of the TURN server to give to clients +# Let the user specify coturn URIs explicitly +{{- if not (empty .Values.coturn.uris) }} +turn_uris: + {{- range .Values.coturn.uris }} + - {{ . }} + {{- end }} +{{- else }} + +# Default to using the matrix hostname as turn_uris: - "turn:{{ include "matrix.hostname" . }}?transport=udp" +{{- end }} # The shared secret used to compute passwords for the TURN server turn_shared_secret: {{ include "matrix.coturn.sharedSecret" . }} From da57d68fce28d83377821eb05cd7ce6962e53109 Mon Sep 17 00:00:00 2001 From: Tanner Danzey Date: Sun, 13 Sep 2020 01:34:04 -0500 Subject: [PATCH 098/105] Added Prometheus metrics capabilitiesg --- charts/matrix/Chart.yaml | 2 +- charts/matrix/templates/synapse/_homeserver.yaml | 13 ++++++++++++- charts/matrix/templates/synapse/deployment.yaml | 10 ++++++++++ charts/matrix/values.yaml | 10 ++++++++++ 4 files changed, 33 insertions(+), 2 deletions(-) diff --git a/charts/matrix/Chart.yaml b/charts/matrix/Chart.yaml index 29fb742..47806a5 100644 --- a/charts/matrix/Chart.yaml +++ b/charts/matrix/Chart.yaml @@ -18,7 +18,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. -version: 2.6.1 +version: 2.6.2 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. diff --git a/charts/matrix/templates/synapse/_homeserver.yaml b/charts/matrix/templates/synapse/_homeserver.yaml index 545b3f0..876337e 100644 --- a/charts/matrix/templates/synapse/_homeserver.yaml +++ b/charts/matrix/templates/synapse/_homeserver.yaml 
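Review bot: `- {{ . }}` inside the new `range` emits operator-supplied TURN URIs as plain scalars, so a value containing ` #`, a leading `*` or `&`, or a `: ` sequence would be mis-parsed by Synapse's YAML loader; `- {{ . | quote }}` is the safe form, and the default entry below is already quoted. The `-}}` on `{{- if .Values.coturn.enabled -}}` also trims the newline after it, so `## TURN ##` is appended to the preceding `#recaptcha_siteverify_api:` line in the rendered file — harmless only because that line is a comment; `{{- if .Values.coturn.enabled }}` avoids it. The comment `# Default to using the matrix hostname as` is cut off; `# Default to using the matrix hostname as the TURN URI` reads complete. The `{{- end }}` closing the new `coturn.enabled` conditional lies outside the hunk, presumably the one that previously closed the `uris` check.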
@@ -223,6 +223,14 @@ listeners: # module: my_module.CustomRequestHandler # config: {} +{{- if .Values.synapse.metrics.enabled }} + - type: metrics + port: {{ .Values.synapse.metrics.port }} + bind_addresses: ['0.0.0.0'] + + resources: + - names: [metrics] +{{- end }} # Turn on the twisted ssh manhole service on localhost on the given # port. # @@ -1165,7 +1173,10 @@ auto_join_rooms: # Enable collection and rendering of performance metrics # -#enable_metrics: false + +{{- if .Values.synapse.metrics.enabled }} +enable_metrics: true +{{- end }} # Enable sentry integration # NOTE: While attempts are made to ensure that the logs don't contain diff --git a/charts/matrix/templates/synapse/deployment.yaml b/charts/matrix/templates/synapse/deployment.yaml index a8dfbe6..2d06e47 100644 --- a/charts/matrix/templates/synapse/deployment.yaml +++ b/charts/matrix/templates/synapse/deployment.yaml @@ -17,6 +17,11 @@ spec: annotations: # re-roll deployment on homeserver.yaml change checksum/synapse-config: {{ include (print $.Template.BasePath "/synapse/configmap.yaml") . | sha256sum }} +{{- if and (eq .Values.synapse.metrics.enabled true) (eq .Values.synapse.metrics.annotations true) }} + prometheus.io/scrape: "true" + prometheus.io/path: "/_synapse/metrics" + prometheus.io/port: {{ .Values.synapse.metrics.port | quote }} +{{- end }} labels: app.kubernetes.io/name: {{ include "matrix.name" . }}-synapse app.kubernetes.io/instance: {{ .Release.Name }} @@ -68,6 +73,11 @@ spec: - name: http containerPort: 8008 protocol: TCP + {{- if .Values.synapse.metrics.enabled }} + - name: prometheus-http + containerPort: {{ .Values.synapse.metrics.port }} + protocol: TCP + {{- end }} volumeMounts: - name: synapse-config mountPath: /data diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index c07464d..daf784d 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml 
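Review bot: The new `metrics` listener binds `['0.0.0.0']` and Synapse's metrics resource carries no authentication, so with `synapse.metrics.enabled: true` as the shipped default in this commit's values.yaml hunk every install exposes server statistics on port 9092 to anything that can reach the pod. Defaulting `enabled` to `false` makes the exposure an explicit choice; where it is enabled, the Synapse NetworkPolicy (not in this hunk) should admit the scraper on that port and nothing else. In the second hunk, consider rendering `enable_metrics: false` in an `else` branch instead of leaving the key absent, so the generated file states the setting either way. Both hunks sit inside top-level blocks that start and end outside the hunk.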
@@ -300,6 +300,16 @@ synapse: timeoutSeconds: 5 periodSeconds: 10 + # Prometheus metrics for Synapse + # https://github.com/matrix-org/synapse/blob/master/docs/metrics-howto.md + metrics: + # Whether Synapse should capture metrics on an additional endpoint + enabled: true + # Port to listen on for metrics scraping + port: 9092 + annotations: true + + # Element (formerly Riot Web) client configuration riot: # Set to false to disable a deployment of Element. Users will still be able to connect via any other instances of Element (such as https://app.element.io), Element Desktop, or any other Matrix clients From 5d8f3928119a84988bce307f0ccc3fba01d69ff9 Mon Sep 17 00:00:00 2001 From: Tanner Danzey Date: Sun, 13 Sep 2020 02:07:11 -0500 Subject: [PATCH 099/105] Added metrics port to synapse service --- charts/matrix/Chart.yaml | 2 +- charts/matrix/templates/synapse/service.yaml | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/charts/matrix/Chart.yaml b/charts/matrix/Chart.yaml index 47806a5..8866385 100644 --- a/charts/matrix/Chart.yaml +++ b/charts/matrix/Chart.yaml @@ -18,7 +18,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. -version: 2.6.2 +version: 2.6.3 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. diff --git a/charts/matrix/templates/synapse/service.yaml b/charts/matrix/templates/synapse/service.yaml index d4affce..17e6922 100644 --- a/charts/matrix/templates/synapse/service.yaml +++ b/charts/matrix/templates/synapse/service.yaml 
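Review bot: `annotations: true` is the only key in the new `metrics` block without a comment, so a reader cannot tell that it controls the `prometheus.io/*` pod annotations added in this commit's synapse/deployment.yaml hunk; suggested comment: `# Whether to add prometheus.io/scrape annotations to the Synapse pod`. The `enabled` comment could also state that the endpoint has no authentication, e.g. `# Whether Synapse should serve Prometheus metrics on an additional, unauthenticated endpoint`, which matters because the default here is `true`.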
@@ -11,6 +11,12 @@ spec:
 targetPort: http
 protocol: TCP
 name: http
+ {{- if .Values.synapse.metrics.enabled }}
+ - port: {{ .Values.synapse.metrics.port }}
+ targetPort: prometheus-http
+ protocol: TCP
+ name: prometheus-http
+ {{- end }}
 selector:
 app.kubernetes.io/name: {{ include "matrix.name" . }}-synapse
 app.kubernetes.io/instance: {{ .Release.Name }}
From 75faa698ec93306e09ff95c3569bf8c766cd327c Mon Sep 17 00:00:00 2001
From: Tanner Danzey
Date: Sun, 13 Sep 2020 17:00:51 -0500
Subject: [PATCH 100/105] Added labels to all chart components to facilitate things like prometheus-operator ServiceMonitors
---
 charts/matrix/templates/_helpers.tpl | 30 +++++++++++++++++++
 charts/matrix/templates/coturn/configmap.yaml | 1 +
 .../matrix/templates/coturn/deployment.yaml | 1 +
 .../templates/coturn/network-policy.yaml | 1 +
 charts/matrix/templates/coturn/service.yaml | 1 +
 charts/matrix/templates/exim/deployment.yaml | 1 +
 .../matrix/templates/exim/network-policy.yaml | 1 +
 charts/matrix/templates/exim/service.yaml | 1 +
 charts/matrix/templates/riot/configmap.yaml | 1 +
 charts/matrix/templates/riot/deployment.yaml | 1 +
 .../matrix/templates/riot/network-policy.yaml | 1 +
 charts/matrix/templates/riot/service.yaml | 1 +
 .../matrix/templates/synapse/configmap.yaml | 1 +
 .../matrix/templates/synapse/deployment.yaml | 6 +---
 .../templates/synapse/federation-svc.yaml | 1 +
 .../matrix/templates/synapse/media-pvc.yaml | 1 +
 .../templates/synapse/network-policy.yaml | 1 +
 charts/matrix/templates/synapse/service.yaml | 7 +++++
 .../templates/synapse/signing-key-pvc.yaml | 1 +
 charts/matrix/values.yaml | 20 +++++++++++++
 20 files changed, 74 insertions(+), 5 deletions(-)
diff --git a/charts/matrix/templates/_helpers.tpl b/charts/matrix/templates/_helpers.tpl
index 5e7ddff..bb2f4df 100644
--- a/charts/matrix/templates/_helpers.tpl
+++ b/charts/matrix/templates/_helpers.tpl
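Review bot: The metrics port is appended to the same Service that carries client traffic, so whenever `synapse.service.type` (set outside this hunk) is `NodePort` or `LoadBalancer`, the unauthenticated `/_synapse/metrics` endpoint is published with exactly the exposure of the client API. A separate ClusterIP Service for `prometheus-http` — which a ServiceMonitor can select on its own — keeps metrics internal regardless of how the main Service is exposed. If the single Service is kept, the values.yaml comment for `metrics.enabled` should warn about this interaction.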
@@ -40,6 +40,36 @@ helm.sh/chart: {{ include "matrix.chart" . }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} app.kubernetes.io/managed-by: {{ .Release.Service }} +app: matrix +{{- end -}} + + +{{/* +Synapse specific labels +*/}} +{{- define "matrix.synapse.labels" -}} +component: synapse +{{- end -}} + +{{/* +Element specific labels +*/}} +{{- define "matrix.element.labels" -}} +component: element +{{- end -}} + +{{/* +Coturn specific labels +*/}} +{{- define "matrix.coturn.labels" -}} +component: coturn +{{- end -}} + +{{/* +Mail specific labels +*/}} +{{- define "matrix.mail.labels" -}} +component: mail {{- end -}} {{/* diff --git a/charts/matrix/templates/coturn/configmap.yaml b/charts/matrix/templates/coturn/configmap.yaml index 6f6b36d..80cc573 100644 --- a/charts/matrix/templates/coturn/configmap.yaml +++ b/charts/matrix/templates/coturn/configmap.yaml @@ -5,6 +5,7 @@ metadata: name: {{ include "matrix.fullname" . }}-coturn-config labels: {{ include "matrix.labels" . | nindent 4}} +{{ include "matrix.coturn.labels" . | indent 4}} data: turnserver.conf: | use-auth-secret diff --git a/charts/matrix/templates/coturn/deployment.yaml b/charts/matrix/templates/coturn/deployment.yaml index 7e21e84..850f533 100644 --- a/charts/matrix/templates/coturn/deployment.yaml +++ b/charts/matrix/templates/coturn/deployment.yaml @@ -6,6 +6,7 @@ metadata: name: {{ include "matrix.fullname" . }}-coturn labels: {{ include "matrix.labels" . | indent 4 }} +{{ include "matrix.coturn.labels" . | indent 4}} spec: {{- if eq .Values.coturn.kind "Deployment" }} replicas: {{ .Values.coturn.replicaCount }} diff --git a/charts/matrix/templates/coturn/network-policy.yaml b/charts/matrix/templates/coturn/network-policy.yaml index 91cad26..059c956 100644 --- a/charts/matrix/templates/coturn/network-policy.yaml +++ b/charts/matrix/templates/coturn/network-policy.yaml 
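Review bot: Adding `app: matrix` to the shared `matrix.labels` helper changes the label set of every resource that includes it; if any Deployment `selector.matchLabels` or NetworkPolicy `podSelector` (the `podSelector: matchLabels:` lines in the later hunks are context, their contents are not shown) also derive from this helper, Deployment selectors are immutable and `helm upgrade` will fail on existing releases — worth confirming before release. Style: the chart already uses the `app.kubernetes.io/*` recommended labels just above, so `app.kubernetes.io/component: synapse` fits better than a bare `component:` key and avoids colliding with other charts' `app`/`component` labels in the same namespace. The four near-identical `define`s could be one helper taking the component name, e.g. `{{- define "matrix.componentLabels" -}}component: {{ . }}{{- end -}}`, called as `include "matrix.componentLabels" "synapse"`.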
@@ -5,6 +5,7 @@ metadata: name: {{ include "matrix.fullname" . }}-coturn labels: {{ include "matrix.labels" . | indent 4 }} +{{ include "matrix.coturn.labels" . | indent 4}} spec: podSelector: matchLabels: diff --git a/charts/matrix/templates/coturn/service.yaml b/charts/matrix/templates/coturn/service.yaml index 66efbd3..a129ac6 100644 --- a/charts/matrix/templates/coturn/service.yaml +++ b/charts/matrix/templates/coturn/service.yaml @@ -6,6 +6,7 @@ metadata: name: {{ include "matrix.fullname" . }}-coturn labels: {{ include "matrix.labels" . | indent 4 }} +{{ include "matrix.coturn.labels" . | indent 4}} spec: type: {{ .Values.coturn.service.type }} ports: diff --git a/charts/matrix/templates/exim/deployment.yaml b/charts/matrix/templates/exim/deployment.yaml index 1eef5ab..3b88dbb 100644 --- a/charts/matrix/templates/exim/deployment.yaml +++ b/charts/matrix/templates/exim/deployment.yaml @@ -5,6 +5,7 @@ metadata: name: {{ include "matrix.fullname" . }}-exim-relay labels: {{ include "matrix.labels" . | indent 4 }} +{{ include "matrix.mail.labels" . | indent 4}} spec: replicas: {{ .Values.mail.relay.replicaCount }} selector: diff --git a/charts/matrix/templates/exim/network-policy.yaml b/charts/matrix/templates/exim/network-policy.yaml index 500907e..a9055bf 100644 --- a/charts/matrix/templates/exim/network-policy.yaml +++ b/charts/matrix/templates/exim/network-policy.yaml @@ -5,6 +5,7 @@ metadata: name: {{ include "matrix.fullname" . }}-exim-relay labels: {{ include "matrix.labels" . | indent 4 }} +{{ include "matrix.mail.labels" . | indent 4}} spec: podSelector: matchLabels: diff --git a/charts/matrix/templates/exim/service.yaml b/charts/matrix/templates/exim/service.yaml index c614c89..8b661a3 100644 --- a/charts/matrix/templates/exim/service.yaml +++ b/charts/matrix/templates/exim/service.yaml 
@@ -5,6 +5,7 @@ metadata: name: {{ include "matrix.fullname" . }}-exim-relay labels: {{ include "matrix.labels" . | indent 4 }} +{{ include "matrix.mail.labels" . | indent 4}} spec: type: {{ .Values.mail.relay.service.type }} ports: diff --git a/charts/matrix/templates/riot/configmap.yaml b/charts/matrix/templates/riot/configmap.yaml index 49affe0..c27de19 100644 --- a/charts/matrix/templates/riot/configmap.yaml +++ b/charts/matrix/templates/riot/configmap.yaml @@ -4,6 +4,7 @@ metadata: name: {{ include "matrix.fullname" . }}-riot-config labels: {{ include "matrix.labels" . | nindent 4}} +{{ include "matrix.element.labels" . | indent 4}} data: config.json: | { diff --git a/charts/matrix/templates/riot/deployment.yaml b/charts/matrix/templates/riot/deployment.yaml index 1914a06..890417b 100644 --- a/charts/matrix/templates/riot/deployment.yaml +++ b/charts/matrix/templates/riot/deployment.yaml @@ -5,6 +5,7 @@ metadata: name: {{ include "matrix.fullname" . }}-riot labels: {{ include "matrix.labels" . | indent 4 }} +{{ include "matrix.element.labels" . | indent 4}} spec: replicas: {{ .Values.riot.replicaCount }} selector: diff --git a/charts/matrix/templates/riot/network-policy.yaml b/charts/matrix/templates/riot/network-policy.yaml index 220b347..df9b0a8 100644 --- a/charts/matrix/templates/riot/network-policy.yaml +++ b/charts/matrix/templates/riot/network-policy.yaml @@ -5,6 +5,7 @@ metadata: name: {{ include "matrix.fullname" . }}-riot labels: {{ include "matrix.labels" . | indent 4 }} +{{ include "matrix.element.labels" . | indent 4}} spec: podSelector: matchLabels: diff --git a/charts/matrix/templates/riot/service.yaml b/charts/matrix/templates/riot/service.yaml index 1dec9ee..93209c8 100644 --- a/charts/matrix/templates/riot/service.yaml +++ b/charts/matrix/templates/riot/service.yaml 
@@ -5,6 +5,7 @@ metadata: name: {{ include "matrix.fullname" . }}-riot labels: {{ include "matrix.labels" . | indent 4 }} +{{ include "matrix.element.labels" . | indent 4}} spec: type: {{ .Values.riot.service.type }} ports: diff --git a/charts/matrix/templates/synapse/configmap.yaml b/charts/matrix/templates/synapse/configmap.yaml index 64ab47d..5a64f23 100644 --- a/charts/matrix/templates/synapse/configmap.yaml +++ b/charts/matrix/templates/synapse/configmap.yaml @@ -4,6 +4,7 @@ metadata: name: {{ include "matrix.fullname" . }}-synapse-config labels: {{ include "matrix.labels" . | nindent 4}} +{{ include "matrix.synapse.labels" . | nindent 4}} data: homeserver.yaml: | {{ include "homeserver.yaml" . | nindent 4 }} diff --git a/charts/matrix/templates/synapse/deployment.yaml b/charts/matrix/templates/synapse/deployment.yaml index 2d06e47..e1c3d19 100644 --- a/charts/matrix/templates/synapse/deployment.yaml +++ b/charts/matrix/templates/synapse/deployment.yaml @@ -4,6 +4,7 @@ metadata: name: {{ include "matrix.fullname" . }}-synapse labels: {{ include "matrix.labels" . | indent 4 }} +{{ include "matrix.synapse.labels" . | indent 4}} spec: replicas: {{ .Values.synapse.replicaCount }} selector: @@ -17,11 +18,6 @@ spec: annotations: # re-roll deployment on homeserver.yaml change checksum/synapse-config: {{ include (print $.Template.BasePath "/synapse/configmap.yaml") . | sha256sum }} -{{- if and (eq .Values.synapse.metrics.enabled true) (eq .Values.synapse.metrics.annotations true) }} - prometheus.io/scrape: "true" - prometheus.io/path: "/_synapse/metrics" - prometheus.io/port: {{ .Values.synapse.metrics.port | quote }} -{{- end }} labels: app.kubernetes.io/name: {{ include "matrix.name" . }}-synapse app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/charts/matrix/templates/synapse/federation-svc.yaml b/charts/matrix/templates/synapse/federation-svc.yaml index e6b9d52..2f2fcb6 100644 --- a/charts/matrix/templates/synapse/federation-svc.yaml 
+++ b/charts/matrix/templates/synapse/federation-svc.yaml @@ -5,6 +5,7 @@ metadata: name: {{ include "matrix.fullname" . }}-synapse-federation labels: {{ include "matrix.labels" . | indent 4 }} +{{ include "matrix.synapse.labels" . | indent 4}} spec: type: {{ .Values.synapse.service.federation.type }} ports: diff --git a/charts/matrix/templates/synapse/media-pvc.yaml b/charts/matrix/templates/synapse/media-pvc.yaml index ba1d31e..cee149d 100644 --- a/charts/matrix/templates/synapse/media-pvc.yaml +++ b/charts/matrix/templates/synapse/media-pvc.yaml @@ -4,6 +4,7 @@ metadata: name: {{ include "matrix.fullname" . }}-media-store labels: {{ include "matrix.labels" . | indent 4}} +{{ include "matrix.synapse.labels" . | indent 4}} spec: {{- if .Values.volumes.media.storageClass }} storageClassName: {{ .Values.volumes.media.storageClass }} diff --git a/charts/matrix/templates/synapse/network-policy.yaml b/charts/matrix/templates/synapse/network-policy.yaml index d177e4e..081c178 100644 --- a/charts/matrix/templates/synapse/network-policy.yaml +++ b/charts/matrix/templates/synapse/network-policy.yaml @@ -5,6 +5,7 @@ metadata: name: {{ include "matrix.fullname" . }}-synapse labels: {{ include "matrix.labels" . | indent 4 }} +{{ include "matrix.synapse.labels" . | indent 4}} spec: podSelector: matchLabels: diff --git a/charts/matrix/templates/synapse/service.yaml b/charts/matrix/templates/synapse/service.yaml index 17e6922..35441cb 100644 --- a/charts/matrix/templates/synapse/service.yaml +++ b/charts/matrix/templates/synapse/service.yaml 
@@ -4,6 +4,13 @@ metadata: name: {{ include "matrix.fullname" . }}-synapse labels: {{ include "matrix.labels" . | indent 4 }} +{{ include "matrix.synapse.labels" . | indent 4}} + annotations: +{{- if and (eq .Values.synapse.metrics.enabled true) (eq .Values.synapse.metrics.annotations true) }} + prometheus.io/scrape: "true" + prometheus.io/path: "/_synapse/metrics" + prometheus.io/port: {{ .Values.synapse.metrics.port | quote }} +{{- end }} spec: type: {{ .Values.synapse.service.type }} ports: diff --git a/charts/matrix/templates/synapse/signing-key-pvc.yaml b/charts/matrix/templates/synapse/signing-key-pvc.yaml index 90c03fd..84d9d19 100644 --- a/charts/matrix/templates/synapse/signing-key-pvc.yaml +++ b/charts/matrix/templates/synapse/signing-key-pvc.yaml @@ -4,6 +4,7 @@ metadata: name: {{ include "matrix.fullname" . }}-signing-key labels: {{ include "matrix.labels" . | indent 4}} +{{ include "matrix.synapse.labels" . | indent 4}} spec: {{- if .Values.volumes.signingKey.storageClass }} storageClassName: {{ .Values.volumes.signingKey.storageClass }} diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index daf784d..b93bbe6 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml @@ -14,6 +14,10 @@ matrix: # domain name at the end of every user's username serverName: "example.com" + # Global labels to append to all deployments / services etc. + labels: + app: "matrix" + # Enable anonymous telemetry to matrix.org telemetry: false @@ -300,6 +304,10 @@ synapse: timeoutSeconds: 5 periodSeconds: 10 + # Labels to be appended to all Synapse resources + labels: + component: synapse + # Prometheus metrics for Synapse # https://github.com/matrix-org/synapse/blob/master/docs/metrics-howto.md metrics: @@ -383,6 +391,10 @@ riot: startup: {} liveness: {} + # Element specific labels + labels: + component: element + # Settings for Coturn TURN relay, used for routing voice calls coturn: # Set to false to disable the included deployment of Coturn 
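Review bot: `annotations:` in synapse/service.yaml is emitted unconditionally while its only children are inside the `if`, so with `synapse.metrics.enabled` or `synapse.metrics.annotations` set to false the Service metadata carries a bare `annotations:` key that YAML reads as null. Moving the key inside the block — `{{- if and .Values.synapse.metrics.enabled .Values.synapse.metrics.annotations }}` followed by `  annotations:` — avoids that and also drops the `eq ... true` comparisons, which fail at render time if either value is supplied as a string. The same annotations were removed from the pod template in synapse/deployment.yaml (`@@ -17,11 +18,6 @@`), so a Prometheus that discovers targets by pod role will stop scraping Synapse; if that relocation to Service-based discovery is intended, it deserves a comment on `metrics.annotations` in values.yaml.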
@@ -432,6 +444,10 @@ coturn: replicaCount: 1 resources: {} + # Coturn specific labels + labels: + component: coturn + # Settings for email notifications mail: # Set to false to disable all email notifications @@ -460,6 +476,10 @@ mail: readiness: {} startup: {} liveness: {} + + # Mail relay specific labels + labels: + component: mail # External mail server external: From e1917f5144b744627489d8d8ff21893764558956 Mon Sep 17 00:00:00 2001 From: Tanner Danzey Date: Wed, 16 Sep 2020 00:05:18 -0500 Subject: [PATCH 101/105] Finished adding labels and have metrics exposed properly --- charts/matrix/templates/_helpers.tpl | 22 +++++++++++++------ .../matrix/templates/synapse/deployment.yaml | 2 +- charts/matrix/templates/synapse/service.yaml | 4 ++-- charts/matrix/values.yaml | 4 ---- 4 files changed, 18 insertions(+), 14 deletions(-) diff --git a/charts/matrix/templates/_helpers.tpl b/charts/matrix/templates/_helpers.tpl index bb2f4df..754b101 100644 --- a/charts/matrix/templates/_helpers.tpl +++ b/charts/matrix/templates/_helpers.tpl 
@@ -40,36 +40,44 @@ helm.sh/chart: {{ include "matrix.chart" . }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} app.kubernetes.io/managed-by: {{ .Release.Service }} -app: matrix +app.kubernetes.io/name: "matrix" {{- end -}} - - +# TODO: Include labels from values {{/* Synapse specific labels */}} {{- define "matrix.synapse.labels" -}} -component: synapse +{{- range $key, $val := .Values.synapse.labels -}} +{{ $key }}: {{ $val }} +{{- end }} {{- end -}} {{/* Element specific labels */}} +#TOOO: Change riot to element {{- define "matrix.element.labels" -}} -component: element +{{- range $key, $val := .Values.riot.labels }} +{{ $key }}: {{ $val }} +{{- end }} {{- end -}} {{/* Coturn specific labels */}} {{- define "matrix.coturn.labels" -}} -component: coturn +{{- range $key, $val := .Values.coturn.labels -}} +{{ $key }}: {{ $val }} +{{- end }} {{- end -}} {{/* Mail specific labels */}} {{- define "matrix.mail.labels" -}} -component: mail +{{- range $key, $val := .Values.matrix.labels -}} +{{ $key }}: {{ $val }} +{{- end }} {{- end -}} {{/* diff --git a/charts/matrix/templates/synapse/deployment.yaml b/charts/matrix/templates/synapse/deployment.yaml index e1c3d19..5d57125 100644 --- a/charts/matrix/templates/synapse/deployment.yaml +++ b/charts/matrix/templates/synapse/deployment.yaml @@ -70,7 +70,7 @@ spec: containerPort: 8008 protocol: TCP {{- if .Values.synapse.metrics.enabled }} - - name: prometheus-http + - name: metrics containerPort: {{ .Values.synapse.metrics.port }} protocol: TCP {{- end }} diff --git a/charts/matrix/templates/synapse/service.yaml b/charts/matrix/templates/synapse/service.yaml index 35441cb..0d194f1 100644 --- a/charts/matrix/templates/synapse/service.yaml +++ b/charts/matrix/templates/synapse/service.yaml 
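Review bot: The trailing `-}}` on the `range` openers of `matrix.synapse.labels`, `matrix.coturn.labels` and `matrix.mail.labels` strips the newline that separates iterations, so as soon as a user adds a second entry under e.g. `synapse.labels` the helper renders the pairs joined on one line (`component: synapsetier: backend`) and the manifest fails to parse. `matrix.element.labels` keeps the newline (`{{- range $key, $val := .Values.riot.labels }}`) and is the form the other three should use. Label values are also emitted unquoted, so a value such as `true` or `1.10` in values.yaml reaches the API server as a non-string and is rejected; `{{ $key }}: {{ $val | quote }}` avoids that. Both points also apply to the `matrix.mail.labels` hunk in commit 102 (`@@ -72,10 +72,10 @@`), which keeps the `-}}` and the unquoted value. The `# TODO` and `#TOOO` lines sit outside any `define` and so are inert in `_helpers.tpl`, but the second is a typo for `TODO`.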
@@ -20,9 +20,9 @@ spec: name: http {{- if .Values.synapse.metrics.enabled }} - port: {{ .Values.synapse.metrics.port }} - targetPort: prometheus-http + targetPort: metrics protocol: TCP - name: prometheus-http + name: metrics {{- end }} selector: app.kubernetes.io/name: {{ include "matrix.name" . }}-synapse diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index b93bbe6..201313f 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml @@ -14,10 +14,6 @@ matrix: # domain name at the end of every user's username serverName: "example.com" - # Global labels to append to all deployments / services etc. - labels: - app: "matrix" - # Enable anonymous telemetry to matrix.org telemetry: false From 8afecc5203f0dc86519b0610d0af403bcbd91f66 Mon Sep 17 00:00:00 2001 From: David Cruz Date: Sun, 20 Sep 2020 13:49:49 -0700 Subject: [PATCH 102/105] Move exim relay labels under mail.relay --- charts/matrix/templates/_helpers.tpl | 4 ++-- charts/matrix/values.yaml | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/charts/matrix/templates/_helpers.tpl b/charts/matrix/templates/_helpers.tpl index 754b101..67c126b 100644 --- a/charts/matrix/templates/_helpers.tpl +++ b/charts/matrix/templates/_helpers.tpl @@ -72,10 +72,10 @@ Coturn specific labels {{- end -}} {{/* -Mail specific labels +Mail relay specific labels */}} {{- define "matrix.mail.labels" -}} -{{- range $key, $val := .Values.matrix.labels -}} +{{- range $key, $val := .Values.mail.relay.labels -}} {{ $key }}: {{ $val }} {{- end }} {{- end -}} diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index 201313f..cb41ecc 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml @@ -472,11 +472,11 @@ mail: readiness: {} startup: {} liveness: {} - - # Mail relay specific labels - labels: - component: mail + # Mail relay specific labels + labels: + component: mail + # External mail server external: host: "" 
From 62d66ad027598cbeb4dd3e59867962e6705f17ba Mon Sep 17 00:00:00 2001 From: David Cruz Date: Sun, 20 Sep 2020 13:51:34 -0700 Subject: [PATCH 103/105] Update images --- charts/matrix/Chart.yaml | 4 ++-- charts/matrix/README.md | 4 ++-- charts/matrix/values.yaml | 6 +++--- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/charts/matrix/Chart.yaml b/charts/matrix/Chart.yaml index 8866385..a4a0fc0 100644 --- a/charts/matrix/Chart.yaml +++ b/charts/matrix/Chart.yaml @@ -18,11 +18,11 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. -version: 2.6.3 +version: 2.7.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. -appVersion: 1.19.1 +appVersion: 1.19.3 maintainers: - name: "David Cruz" diff --git a/charts/matrix/README.md b/charts/matrix/README.md index d229ace..9913a92 100644 --- a/charts/matrix/README.md +++ b/charts/matrix/README.md @@ -37,7 +37,7 @@ This chart is published to my Helm chart repository at https://dacruz21.github.i ```yaml dependencies: - name: matrix - version: 2.6.0 + version: 2.7.0 repository: https://dacruz21.github.io/helm-charts ``` 
@@ -61,7 +61,7 @@ helm install matrix . ## Security Helm currently [does not officially support chart signatures created by GPG keys stored on smartcards](https://github.com/helm/helm/issues/2843#issuecomment-379532906). This may change in the future, in which case I will start packaging this chart with the standard `.prov` signatures, but until then signatures must be verified manually. -GPG signatures are available within the chart repo and can be found by appending `.gpg` to the end of the package URL. For example, the signature for v2.6.0 is available at https://dacruz21.github.io/helm-charts/matrix-2.6.0.tgz.gpg. +GPG signatures are available within the chart repo and can be found by appending `.gpg` to the end of the package URL. For example, the signature for v2.7.0 is available at https://dacruz21.github.io/helm-charts/matrix-2.7.0.tgz.gpg. These GPG signatures are signed with the same PGP key that is used to sign commits in this Git repository. The key is available by searching for david@typokign.com on a public keyserver, or by downloading it from my website at https://typokign.com/key.gpg. diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index cb41ecc..198c5a3 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml @@ -277,7 +277,7 @@ postgresql: synapse: image: repository: "matrixdotorg/synapse" - tag: v1.19.1 + tag: v1.19.3 pullPolicy: IfNotPresent service: type: ClusterIP @@ -375,7 +375,7 @@ riot: # Element Kubernetes resource settings image: repository: "vectorim/riot-web" - tag: v1.7.4 + tag: v1.7.7 pullPolicy: IfNotPresent service: type: ClusterIP @@ -511,7 +511,7 @@ bridges: image: repository: "matrixdotorg/matrix-appservice-irc" - tag: "release-0.20.2" + tag: "release-0.20.3" pullPolicy: IfNotPresent replicaCount: 1 resources: {} From c53901ba5ed1b4d69b075fd8348340774b1beff0 Mon Sep 17 00:00:00 2001 
From: David Cruz Date: Sun, 1 Nov 2020 09:24:36 -0800 Subject: [PATCH 104/105] Update images --- charts/matrix/Chart.yaml | 4 ++-- charts/matrix/README.md | 4 ++-- charts/matrix/values.yaml | 6 +++--- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/charts/matrix/Chart.yaml b/charts/matrix/Chart.yaml index a4a0fc0..27a9850 100644 --- a/charts/matrix/Chart.yaml +++ b/charts/matrix/Chart.yaml @@ -18,11 +18,11 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. -version: 2.7.0 +version: 2.8.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. -appVersion: 1.19.3 +appVersion: 1.22.1 maintainers: - name: "David Cruz" diff --git a/charts/matrix/README.md b/charts/matrix/README.md index 9913a92..61f1a29 100644 --- a/charts/matrix/README.md +++ b/charts/matrix/README.md @@ -37,7 +37,7 @@ This chart is published to my Helm chart repository at https://dacruz21.github.i ```yaml dependencies: - name: matrix - version: 2.7.0 + version: 2.8.0 repository: https://dacruz21.github.io/helm-charts ``` 
@@ -61,7 +61,7 @@ helm install matrix . ## Security Helm currently [does not officially support chart signatures created by GPG keys stored on smartcards](https://github.com/helm/helm/issues/2843#issuecomment-379532906). This may change in the future, in which case I will start packaging this chart with the standard `.prov` signatures, but until then signatures must be verified manually. -GPG signatures are available within the chart repo and can be found by appending `.gpg` to the end of the package URL. For example, the signature for v2.7.0 is available at https://dacruz21.github.io/helm-charts/matrix-2.7.0.tgz.gpg. +GPG signatures are available within the chart repo and can be found by appending `.gpg` to the end of the package URL. For example, the signature for v2.8.0 is available at https://dacruz21.github.io/helm-charts/matrix-2.8.0.tgz.gpg. These GPG signatures are signed with the same PGP key that is used to sign commits in this Git repository. The key is available by searching for david@typokign.com on a public keyserver, or by downloading it from my website at https://typokign.com/key.gpg. diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml index 198c5a3..db2f79c 100644 --- a/charts/matrix/values.yaml +++ b/charts/matrix/values.yaml @@ -277,7 +277,7 @@ postgresql: synapse: image: repository: "matrixdotorg/synapse" - tag: v1.19.3 + tag: v1.22.1 pullPolicy: IfNotPresent service: type: ClusterIP @@ -375,7 +375,7 @@ riot: # Element Kubernetes resource settings image: repository: "vectorim/riot-web" - tag: v1.7.7 + tag: v1.7.12 pullPolicy: IfNotPresent service: type: ClusterIP @@ -511,7 +511,7 @@ bridges: image: repository: "matrixdotorg/matrix-appservice-irc" - tag: "release-0.20.3" + tag: "release-0.22.0-rc1" pullPolicy: IfNotPresent replicaCount: 1 resources: {} From 4adbc81609a5655a57f5ccb01147c5350435b2f0 Mon Sep 17 00:00:00 2001 
From: David Cruz
Date: Fri, 23 Apr 2021 22:39:29 -0700
Subject: [PATCH 105/105] Add MIT license

---
 charts/matrix/LICENSE | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 charts/matrix/LICENSE

diff --git a/charts/matrix/LICENSE b/charts/matrix/LICENSE
new file mode 100644
index 0000000..971cbb3
--- /dev/null
+++ b/charts/matrix/LICENSE
@@ -0,0 +1,22 @@
+MIT License
+
+Copyright (c) 2021 David Cruz
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+