--- ## Docker image configuration, used for Synapse and workers. ## image: repository: matrixdotorg/synapse ## Tag to override with, will default to the application version. ## # tag: '' pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. ## Secrets must be manually created in the namespace. ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ ## # pullSecrets: # - myRegistryKeySecretName ## Override part of the installed name, will still keep release name. ## # nameOverride: "" ## Override the full name of the installed chart. ## # fullnameOverride: "" ## The Matrix domain name, this is what will be used for the domain part in ## your MXIDs. ## # serverName: 'example.com' ## The public Matrix server name, this will be used for any public URLs ## in config as well as for client API links in the ingress. # publicServerName: 'matrix.example.com' ## The source of the signing key used by Synapse in federation. ## signingkey: ## Enable a Kubernetes job to generate and store a signing key if one does not ## exist. ## If you have already run a Matrix server at some point on your domain then ## you will want to keep the old signing key, either by using the `existingSecret` ## configuration, or by including the old key under `extraConfig.old_signing_keys` ## ## If you lose your signing key then any federation traffic from your instance ## might not be trusted any more by the wider network. ## job: enabled: true generateImage: repository: matrixdotorg/synapse #tag: latest pullPolicy: IfNotPresent publishImage: repository: bitnami/kubectl # tag: latest pullPolicy: IfNotPresent ## Specify an existing signing key secret, will need to be created in advance. ## # existingSecret: secret-name # existingSecretKey: signing.key ## Resources to apply to the signing key generation job ## resources: {} # limits: # cpu: 100m # memory: 250Mi # requests: # cpu: 100m # memory: 250Mi ## Matrix configuration values that affect other parts of the chart, for any ## value not handled by this block, you will want to instead set it in ## extraConfig below. ## Ref: https://github.com/matrix-org/synapse/blob/develop/docs/sample_config.yaml ## config: ## The publicly accessible URL for the Synapse instance, will default to ## https://. ## # publicBaseurl: 'https://matrix.example.com' ## The log level for Synapse and all modules. ## # logLevel: INFO ## Should usage stats be reported ## reportStats: false ## Protect registration with recaptcha. (optional) ## # recaptcha: # publicKey: '' # privateKey: '' ## URIs and secret key for TURN servers to use to help establish 1:1 WebRTC ## calls. ## # turnUris: [] # turnSecret: '' ## Registration configuration, note that registration with the ## container-internal register_new_matrix_user tool is always possible. ## # enableRegistration: false ## NB; this value will default to a random string if not specified. # registrationSharedSecret: '' ## NB; Strongly recommended to set this to a secure value. # macaroonSecretKey: '' ## A set of trusted servers to contact if another server doesn't respond to a ## signing key request. ## trustedKeyServers: - server_name: matrix.org # verify_keys: # "ed25519:auto": "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw" ## Extra listeners to configure. ## extraListeners: [] # - port: 9000 # bind_addresses: ['::'] # type: manhole ## Specify arbitrary Synapse configuration here; ## Ref: https://github.com/matrix-org/synapse/blob/develop/docs/sample_config.yaml ## extraConfig: {} # old_signing_keys: # "ed25519:id": { key: "base64string", expired_ts: 123456789123 } # use_presence: false # enable_search: false # federation_domain_whitelist: # - lon.example.com # - nyc.example.com # - syd.example.com # dynamic_thumbnails: true ## Specify arbitrary - secret - Synapse configuration here; ## These values will be stored in secrets instead of configmaps ## Ref: https://github.com/matrix-org/synapse/blob/develop/docs/sample_config.yaml ## extraSecrets: {} # password_config: # pepper: '' ## Configuration to apply to the main Synapse pod. ## synapse: ## Only really applicable when the deployment has an RWO PV attached (e.g. when media repository ## is enabled for the main Synapse pod) ## Since replicas = 1, an update can get "stuck", as the previous pod remains attached to the ## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will ## terminate the single previous pod, so that the new, incoming pod can attach to the PV ## strategy: type: RollingUpdate ## Annotations to apply to the main Synapse pod. ## annotations: {} # prometheus.io/scrape: "true" # prometheus.io/path: /_synapse/metrics # prometheus.io/port: 9090 ## Labels to apply to the main Synapse pod. ## labels: {} ## Additional environment variables to apply to the main Synapse pod ## extraEnv: [] # - name: LD_PRELOAD # value: /usr/lib/x86_64-linux-gnu/libjemalloc.so.2 # - name: SYNAPSE_CACHE_FACTOR # value: "2" ## Additional volumes to mount into Synapse ## extraVolumes: [] # - name: spamcheck # flexVolume: # driver: ananace/git-live # options: # repo: https://github.com/company/synapse-module # interval: 1d # readOnly: true extraVolumeMounts: [] # - name: spamcheck # mountPath: /usr/local/lib/python3.7/site-packages/company ## Extra commands to run when starting Synapse ## extraCommands: [] # - 'apt-get update -yqq && apt-get install patch -yqq' # - 'patch -d/usr/local/lib/python3.7/site-packages/synapse -p2 < /synapse/patches/something.patch' ## Configuration for the pod security policy, Synapse will by always run as ## its own user, even if not set. ## Note that changing this may also require you to use the volumePermission ## helper depending on your storage. ## ## NB; The synapse install is currently unable to run as anything but UID:GID ## 666:666. ## podSecurityContext: {} # fsGroup: 666 # runAsGroup: 666 # runAsUser: 666 ## Configuration for the container security policy, refer to the above ## podSecurityContext for more relevant information. ## securityContext: {} # capabilities: # drop: # - ALL # readOnlyRootFilesystem: true # runAsNonRoot: true # runAsUser: 666 ## Resources to apply to the main Synapse pod. ## resources: {} # limits: # cpu: 1000m # memory: 2500Mi # requests: # cpu: 1000m # memory: 2500Mi ## Liveness probe configuration to use ## livenessProbe: httpGet: path: /health port: http ## Readiness probe configuration to use ## readinessProbe: httpGet: path: /health port: http ## Node selectors to set for the main Synapse pod. ## nodeSelector: {} ## Tolerations to set for the main Synapse pod. ## tolerations: [] ## Affinity to set for the main Synapse pod. ## affinity: {} ## Configuration for handling Synapse workers, which are useful for handling ## high-load deployments. ## ## More information is available at; ## https://github.com/matrix-org/synapse/blob/master/docs/workers.md ## workers: ## Default configuration, this is inherited into all workers, and can also be ## overriden on each worker type. ## default: ## The number of worker replicas, note that some workers require special ## handling. Refer to the information URL above. ## replicaCount: 1 ## Update strategy - only really applicable for deployments with RWO PVs attached (e.g. media repository) ## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the ## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will ## terminate the single previous pod, so that the new, incoming pod can attach to the PV ## strategy: type: RollingUpdate ## A specific name for this worker, can't be set globally. ## Note that this can only be set when replicaCount is 1 #name: ## Additional configuration to set for the worker, can't be set globally. #extraConfig: {} ## Annotations to apply to the worker. ## annotations: {} # prometheus.io/scrape: "true" # prometheus.io/path: /_synapse/metrics # prometheus.io/port: 9090 ## Additional environment variables to add to the worker. ## extraEnv: [] # - name: LD_PRELOAD # value: /usr/lib/x86_64-linux-gnu/libjemalloc.so.2 # - name: SYNAPSE_CACHE_FACTOR # value: "1.0" ## Additional volumes to add to the worker. ## Useful for the media repo, or for adding Python modules. ## volumes: [] volumeMounts: [] ## Extra commands to run when starting Synapse ## extraCommands: [] # - 'apt-get update -yqq && apt-get install patch -yqq' # - 'patch -d/usr/local/lib/python3.7/site-packages/synapse -p2 < /synapse/patches/something.patch' ## Security context information to set to the worker. ## podSecurityContext: {} # fsGroup: 666 # runAsGroup: 666 # runAsUser: 666 ## Container security context information to set to the worker. ## securityContext: {} # capabilities: # drop: # - ALL # readOnlyRootFilesystem: true # runAsNonRoot: true # runAsUser: 666 ## Resources to apply to the worker. ## resources: {} # limits: # cpu: 100m # memory: 128Mi # requests: # cpu: 100m # memory: 128Mi ## Liveness probe configuration to use ## livenessProbe: httpGet: path: /health port: metrics ## Readiness probe configuration to use ## readinessProbe: httpGet: path: /health port: metrics ## Readiness probe configuration to use ## Defaults to allowing workers 60 seconds to start up ## startupProbe: failureThreshold: 6 httpGet: path: /health port: metrics ## Node selector configuration to set on the worker. ## nodeSelector: {} ## Toleration configuration to set on the worker. ## tolerations: [] ## Affinity configuration to set on the worker. ## affinity: {} ## The generic worker can be used to handle most endpoints. ## Be careful when enabling the sync endpoints as they can eat large amounts of ## resources. Refer to the information URL above for more info. ## Proper load balancing with the K8s Ingress resource may not be possible. ## generic_worker: enabled: false generic: true listeners: [client, federation] csPaths: ## Sync requests # - "/_matrix/client/(r0|v3)/sync$" - "/_matrix/client/(api/v1|r0|v3)/events$" # - "/_matrix/client/(api/v1|r0|v3)/initialSync$" # - "/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$" ## Client API requests - "/_matrix/client/(api/v1|r0|v3|unstable)/createRoom$" - "/_matrix/client/(api/v1|r0|v3|unstable)/publicRooms$" - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/joined_members$" - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/context/" - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/members$" - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state$" - "/_matrix/client/v1/rooms/.*/hierarchy$" - "/_matrix/client/unstable/org.matrix.msc2716/rooms/.*/batch_send$" - "/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$" - "/_matrix/client/(r0|v3|unstable)/account/3pid$" - "/_matrix/client/(r0|v3|unstable)/account/whoami$" - "/_matrix/client/(r0|v3|unstable)/devices$" - "/_matrix/client/versions$" - "/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer$" - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/event/" - "/_matrix/client/(api/v1|r0|v3|unstable)/joined_rooms$" - "/_matrix/client/(api/v1|r0|v3|unstable)/search$" ## Encryption requests - "/_matrix/client/(r0|v3|unstable)/keys/query$" - "/_matrix/client/(r0|v3|unstable)/keys/changes$" - "/_matrix/client/(r0|v3|unstable)/keys/claim$" - "/_matrix/client/(r0|v3|unstable)/room_keys/" ## Registration/login requests - "/_matrix/client/(api/v1|r0|v3|unstable)/login$" - "/_matrix/client/(r0|v3|unstable)/register$" - "/_matrix/client/v1/register/m.login.registration_token/validity$" ## Event sending requests - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/redact" - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/send" - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state/" - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$" - "/_matrix/client/(api/v1|r0|v3|unstable)/join/" - "/_matrix/client/(api/v1|r0|v3|unstable)/profile/" ## User directory search requests - "/_matrix/client/(r0|v3|unstable)/user_directory/search" ## Worker event streams ## See https://matrix-org.github.io/synapse/latest/workers.html#stream-writers ## ## The typing event stream # - "/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/typing" ## The to_device event stream # - "/_matrix/client/(r0|v3|unstable)/sendToDevice/" ## The account_data event stream # - "/_matrix/client/(r0|v3|unstable)/.*/tags" # - "/_matrix/client/(r0|v3|unstable)/.*/account_data" ## The receipts event stream # - "/_matrix/client/(r0|v3|unstable)/rooms/.*/receipt" # - "/_matrix/client/(r0|v3|unstable)/rooms/.*/read_markers" ## The presence event stream # - "/_matrix/client/(api/v1|r0|v3|unstable)/presence/" paths: ## Federation requests - "/_matrix/federation/v1/event/" - "/_matrix/federation/v1/state/" - "/_matrix/federation/v1/state_ids/" - "/_matrix/federation/v1/backfill/" - "/_matrix/federation/v1/get_missing_events/" - "/_matrix/federation/v1/publicRooms" - "/_matrix/federation/v1/query/" - "/_matrix/federation/v1/make_join/" - "/_matrix/federation/v1/make_leave/" - "/_matrix/federation/(v1|v2)/send_join/" - "/_matrix/federation/(v1|v2)/send_leave/" - "/_matrix/federation/(v1|v2)/invite/" - "/_matrix/federation/v1/event_auth/" - "/_matrix/federation/v1/exchange_third_party_invite/" - "/_matrix/federation/v1/user/devices/" - "/_matrix/key/v2/query" - "/_matrix/federation/v1/hierarchy/" ## Inbound federation transaction request - "/_matrix/federation/v1/send/" ## To separate the generic worker into specific concerns - for example federation transaction receiving; ## NB; This worker should have incoming traffic routed based on source IP, which is ## left as an exercise to the reader. ## https://github.com/matrix-org/synapse/blob/develop/docs/workers.md#load-balancing #federation_reader: # enabled: true # generic: true # listeners: [federation] # paths: # - "/_matrix/federation/v1/send/" ## Or /sync handling. ## NB; Care should be taken to route users to the same instance when scaling this worker, ## this is left as an exercise to the reader. ## https://github.com/matrix-org/synapse/blob/develop/docs/workers.md#load-balancing #synchrotron: # enabled: true # generic: true # listeners: [client] # csPaths: # - "/_matrix/client/(v2_alpha|r0|v3)/sync$" # - "/_matrix/client/(api/v1|v2_alpha|r0|v3)/events$" # - "/_matrix/client/(api/v1|r0|v3)/initialSync$" # - "/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$" ## Specialized - non-generic workers below; ## This worker deals with pushing notifications. ## NB; Only one instance of this worker can be run at a time, refer to the ## information URL above. ## pusher: enabled: false ## This worker handles sending data to registered appservices. ## NB; Only one instance of this worker can be run at at time, refer to the ## information URL above. ## appservice: enabled: false ## This worker handles sending federation traffic to other Synapse servers. ## federation_sender: enabled: false ## Specialized workers can also be run as multiple separate instances, ## make sure to read the relevant documentation. ## # federation_sender_other: # app: federation_sender # enabled: false ## This worker deals with serving and storing media. ## NB; Running multiple instances will conflict with background jobs. ## media_repository: enabled: false listeners: [media] csPaths: - "/_matrix/media/.*" - "/_synapse/admin/v1/purge_media_cache$" - "/_synapse/admin/v1/room/.*/media" - "/_synapse/admin/v1/user/.*/media" - "/_synapse/admin/v1/media/" - "/_synapse/admin/v1/quarantine_media/" - "/_synapse/admin/v1/users/.*/media$" paths: - "/_matrix/media/.*" ## This worker deals with user directory searches. ## user_dir: enabled: false listeners: [client] csPaths: - "/_matrix/client/(api/v1|r0|v3|unstable)/user_directory/search$" ## This worker handles key uploads, and may also stub out presence if that is ## disabled. If you set extraConfig.use_presence=false then you may want to ## uncomment the second path. ## frontend_proxy: enabled: false listeners: [client] csPaths: - "/_matrix/client/(api/v1|r0|v3|unstable)/keys/upload" # - "/_matrix/client/(api/v1|r0|v3|unstable)/presence/[^/]+/status" ## This will set up a Lighttpd server to respond to any ## /.well-known/matrix/server requests, to make federation possible without ## adding SRV-records to DNS. ## wellknown: enabled: false replicaCount: 1 # Lighttpd does not bind on IPv6 by default, although this is required in # Ipv6-only clusters. useIpv6: false ## The host and port combo to serve on .well-known/matrix/server. ## server: {} # m.server: matrix.example.com:443 ## Data to serve on .well-known/matrix/client. ## client: {} # m.homeserver: # base_url: https://matrix.example.com ## Extra data objects to serve under .well-known/matrix/ ## Dictionaries will be JSON converted, plain strings will be served as they are ## extraData: {} ## MSC1929 example; # support: # admins: # - matrix_id: '@admin:example.com' # email_address: 'admin@example.com' # role: 'admin' # support_page: 'https://example.com/support' ## A custom htdocs path, useful when running another image. ## htdocsPath: /var/www/localhost/htdocs ## The lighttpd image to run. ## image: repository: m4rcu5/lighttpd tag: latest pullPolicy: Always ## Optionally specify an array of imagePullSecrets. ## Secrets must be manually created in the namespace. ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ ## # pullSecrets: # - myRegistryKeySecretName ## Configuration for the pod security policy. ## podSecurityContext: {} # fsGroup: 101 # runAsGroup: 101 # runAsUser: 100 ## Configuration for the container security policy. ## securityContext: {} # capabilities: # drop: # - ALL # readOnlyRootFilesystem: true # runAsNonRoot: true # runAsUser: 100 ## Resource configuration to apply to the well-known server. ## resources: {} # limits: # cpu: 5m # memory: 15Mi # requests: # cpu: 5m # memory: 15Mi ## Node selectors to set for the well-known server. ## nodeSelector: {} ## Tolerations to set for the well-known server. ## tolerations: [] ## Affinity to set for the main well-known server. ## affinity: {} ## This configuration is for setting up the internally provided Postgres server, ## if you instead want to use an existing server, then you may want to set ## enabled to false and configure the externalPostgresql block. ## postgresql: enabled: true # XXX Change me! postgresqlPassword: synapse ## Or use existing secret with "postgresql-password" key ## instead of static password ## # existingSecret: postgresql-secret postgresqlUsername: synapse postgresqlDatabase: synapse postgresqlInitdbArgs: "--lc-collate=C --lc-ctype=C" persistence: # storageClass: "-" size: 16Gi ## Extra arguments for the database connection ## ref: https://github.com/matrix-org/synapse/blob/develop/docs/postgres.md#synapse-config ## extraArgs: {} ## An externally configured Postgres server to use for Synapse's database, note ## that the database needs to have both COLLATE and CTYPE set to "C". ## externalPostgresql: # host: postgres port: 5432 username: synapse # password: synapse ## The name of an existing secret with postgresql credentials #existingSecret: postgres-secrets ## Password key to be retrieved from existing secret #existingSecretPasswordKey: postgres-password database: synapse # sslmode: prefer ## Extra arguments for the database connection ## ref: https://github.com/matrix-org/synapse/blob/develop/docs/postgres.md#synapse-config ## extraArgs: {} ## This configuration is for the internal Redis that's deployed for use with ## workers/sharding, for an external Redis server you want to set enabled to ## false and configure the externalRedis block. ## redis: enabled: true auth: enabled: true # XXX Change me! password: synapse ## Or use existing secret with "redis-password" key ## instead of static password ## # existingSecret: redis-secret architecture: standalone master: persistence: ## Note that Synapse only uses redis as a synchronization utility, so no ## data will ever need to be persisted. ## enabled: false service: port: 6379 statefulset: updateStrategy: RollingUpdate ## An externally configured Redis server to use for workers/sharding. ## externalRedis: # host: redis port: 6379 # password: synapse ## The name of an existing secret with redis credentials #existingSecret: redis-secrets ## Password key to be retrieved from existing secret #existingSecretPasswordKey: redis-password ## Persistence configuration for the media repository function. ## This PVC will be mounted in either Synapse or a media_repo worker. ## ## NB; If you want to be able to scale this, you will have to set the ## accessMode to RWX/ReadWriteMany. ## persistence: enabled: true # existingClaim: synapse-data # storageClass: "-" accessMode: ReadWriteOnce size: 10Gi ## Set up an init container to chown the mounted media if necessary. ## volumePermissions: enabled: false uid: 666 gid: 666 image: repository: alpine tag: latest pullPolicy: Always ## Optionally specify an array of imagePullSecrets. ## Secrets must be manually created in the namespace. ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ ## # pullSecrets: # - myRegistryKeySecretName resources: {} # resources: # requests: # memory: 128Mi # cpu: 100m ## Configuration for the main Synapse service. ## To use TLS inside Synapse itself, add an TLS listener, and change the ports ## configured in here. ## service: type: ClusterIP port: 8008 targetPort: http ## The K8s ingress configuration, this will be quite heavily used in order to ## set up all routing necessary for use with a sharded Synapse instance. ## If you're not using a Ingress compatible K8s ingress, you will need to set up ## your own routing instead. ## ingress: enabled: true ## Generate traefik-compatible regex paths instead of nginx-compatible ones. ## traefikPaths: false ## Annotations to apply to the created ingress resource. ## annotations: {} # nginx.ingress.kubernetes.io/use-regex: "true" # # Sync proxy-body-size with Synapse's max_upload_size which is 10M by default # nginx.ingress.kubernetes.io/proxy-body-size: 10m # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" ## Hosts to add to the ingress configuration for handling Client-to-Server ## API request paths. ## ## NB; config.serverName is included if includeServerName is set. (default) ## csHosts: [] # - matrix.example.com ## Additional hosts to add to the ingress configuration for handling ## Server-to-Server API requests. ## ## NB; config.serverName is included if includeServerName is set. (default) ## hosts: [] # - example.com ## Additional hosts to add to the ingress configuration for handling ## well-known requests. ## ## NB; config.serverName is included if includeServerName is set. (default) ## wkHosts: [] # - example.com ## Additional paths to add to the Server-to-Server ingress blocks, will be ## inserted before the /_matrix catch-all path. ## paths: [] # # K8s 1.19+ # - path: /_matrix/media # pathType: Prefix # backend: # service: # name: matrix-media-repo # port: 8000 # # K8s <1.19 # - path: /_matrix/media # backend: # serviceName: matrix-media-repo # servicePort: 8000 ## Additional paths to add to the Client-to-Server ingress blocks, will be ## inserted before the /_matrix and /_synapse catch-all paths. ## csPaths: [] # # K8s 1.19+ # - path: /_matrix/media # pathType: Prefix # backend: # service: # name: matrix-media-repo # port: # number: 8000 # # K8s <1.19 # - path: /_matrix/media # backend: # serviceName: matrix-media-repo # servicePort: 8000 ## Should the /_synapse path be included in the ingress, admin APIs are ## provided under this path. ## includeUnderscoreSynapse: true ## Should config.serverName be included in the list of ingress paths, can be ## set to false if the main domain is managed in some external way. ## includeServerName: true ## TLS configuration to include in the ingress configuration ## tls: [] # - secretName: chart-example-tls # hosts: # - example.com # - matrix.example.com ## Set the name of the IngressClass cluster resource (optional) ## https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressSpec # className: can-be-anything