diff --git a/.github/workflows/cd-helm-release.yml b/.github/workflows/cd-helm-release.yml
index e066419..6a2fadf 100644
--- a/.github/workflows/cd-helm-release.yml
+++ b/.github/workflows/cd-helm-release.yml
@@ -32,8 +32,7 @@ jobs:
- name: Add dependency chart repos
run: |
- helm repo add coturn https://small-hack.github.io/coturn-chart/
- helm dep update charts/matrix
+ helm dep update charts/matrix-sliding-sync
- name: Run chart-releaser
id: helm-release
diff --git a/.github/workflows/ci-helm-lint-test.yml b/.github/workflows/ci-helm-lint-test.yml
index f4caeba..0489bb5 100644
--- a/.github/workflows/ci-helm-lint-test.yml
+++ b/.github/workflows/ci-helm-lint-test.yml
@@ -3,7 +3,7 @@ name: Lint and Test Chart
on:
pull_request:
paths:
- - 'charts/matrix/**'
+ - 'charts/matrix-sliding-sync/**'
permissions:
contents: read
@@ -24,7 +24,6 @@ jobs:
- name: Add dependency chart repos
run: |
helm repo add bitnami https://charts.bitnami.com/bitnami
- helm repo add coturn https://small-hack.github.io/coturn-chart
- name: Set up chart-testing
uses: helm/chart-testing-action@v2.6.1
@@ -49,4 +48,4 @@ jobs:
- name: Run chart-testing (install)
id: install
if: steps.list-changed.outputs.changed == 'true'
- run: ct install --target-branch ${{ github.event.repository.default_branch }}
+ run: ct install --target-branch ${{ github.event.repository.default_branch }} --helm-extra-set-args '--set=postgresql.volumePermissions.enabled=false --set=postgresql.primary.networkPolicy.enabled=false'
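Review bot: The new `run:` value is a single very long plain scalar; a folded block keeps the identical command while staying readable, e.g. `run: >-` followed by `ct install --target-branch ${{ github.event.repository.default_branch }}` and the `--helm-extra-set-args '...'` part on their own indented lines. Note also that if the test cluster is the usual kind cluster with its default CNI, NetworkPolicy objects are not enforced there, so a green `ct install` says nothing about whether the chart's new `networkPolicies.enabled: true` default still lets the app reach postgresql; a short comment next to `--set=postgresql.primary.networkPolicy.enabled=false` stating that the policies are not exercised here would save the next reader that assumption.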
diff --git a/README.md b/README.md
index 05d8736..8cffdc6 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,20 @@
-# matrix sliding-sync helm chart
+# Matrix Sliding Sync helm chart
-This is a helm chart implementing [matrix-org/sliding-sync](https://github.com/matrix-org/sliding-sync/tree/main).
+
+
+This is a helm chart implementing [matrix-org/sliding-sync](https://github.com/matrix-org/sliding-sync/tree/main) for deployment on Kubernetes. It was originally designed for use as a subchart for [small-hack/matrix-chart](https://github.com/small-hack/matrix-chart), but it can be used stand alone as well.
+
+See the [`README.md`](https://github.com/small-hack/matrix-sliding-sync-chart/blob/main/charts/matrix/README.md) for docs auto-generated from the [`values.yaml`](https://github.com/small-hack/matrix-sliding-sync-chart/blob/main/charts/matrix/values.yaml).
+
+Read through the parameters and modify them locally before installing the chart:
+
+```bash
+# add the helm repo locally
+helm repo add matrix-sliding-sync https://small-hack.github.io/matrix-sliding-sync-chart
+
+# downloads the values.yaml locally
+helm show values matrix-sliding-sync/matrix-sliding-sync > values.yaml
+
+# install the chart
+helm install my-release-name matrix-sliding-sync/matrix-sliding-sync --values values.yaml
+```
diff --git a/charts/matrix-sliding-sync/Chart.yaml b/charts/matrix-sliding-sync/Chart.yaml
index 89c8f99..93f9531 100644
--- a/charts/matrix-sliding-sync/Chart.yaml
+++ b/charts/matrix-sliding-sync/Chart.yaml
@@ -15,7 +15,7 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
+version: 0.1.1
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
@@ -30,3 +30,7 @@ dependencies:
version: 15.1.4
repository: oci://registry-1.docker.io/bitnamicharts
condition: postgresql.enabled
+
+maintainers:
+ - name: jessebot
+ url: https://github.com/jessebot
diff --git a/charts/matrix-sliding-sync/README.md b/charts/matrix-sliding-sync/README.md
index 139f7da..5bdc3b1 100644
--- a/charts/matrix-sliding-sync/README.md
+++ b/charts/matrix-sliding-sync/README.md
@@ -1,9 +1,15 @@
# matrix-sliding-sync
-![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.99.17](https://img.shields.io/badge/AppVersion-v0.99.17-informational?style=flat-square)
+![Version: 0.1.1](https://img.shields.io/badge/Version-0.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.99.17](https://img.shields.io/badge/AppVersion-v0.99.17-informational?style=flat-square)
A Helm chart for Kubernetes
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| jessebot | | |
+
## Requirements
| Repository | Name | Version |
@@ -19,11 +25,11 @@ A Helm chart for Kubernetes
| autoscaling.maxReplicas | int | `100` | |
| autoscaling.minReplicas | int | `1` | |
| autoscaling.targetCPUUtilizationPercentage | int | `80` | |
-| externalDatabase.database | string | `"matrix"` | name of the database to try and connect to |
+| externalDatabase.database | string | `"matrix-sliding-sync"` | name of the database to try and connect to |
| externalDatabase.enabled | bool | `false` | enable using an external database *instead of* the Bitnami PostgreSQL sub-chart if externalDatabase.enabled is set to true, postgresql.enabled must be set to false |
| externalDatabase.existingSecret | string | `""` | Name of existing secret to use for PostgreSQL credentials |
| externalDatabase.hostname | string | `""` | hostname of db server. Can be left blank if using postgres subchart |
-| externalDatabase.password | string | `"changeme"` | password of matrix postgres user - ignored using exsitingSecret |
+| externalDatabase.password | string | `"changeme"` | password of matrix-sliding-sync postgres user - ignored using exsitingSecret |
| externalDatabase.port | int | `5432` | which port to use to connect to your database server |
| externalDatabase.secretKeys.adminPasswordKey | string | `"postgresPassword"` | key in existingSecret with the admin postgresql password |
| externalDatabase.secretKeys.database | string | `"database"` | key in existingSecret with name of the database |
@@ -34,7 +40,7 @@ A Helm chart for Kubernetes
| externalDatabase.sslkey | string | `""` | optional: tls/ssl key for postgresql connections |
| externalDatabase.sslmode | string | `""` | sslmode to use, example: verify-full |
| externalDatabase.sslrootcert | string | `""` | optional: tls/ssl root cert for postgresql connections |
-| externalDatabase.username | string | `"matrix"` | username of matrix postgres user |
+| externalDatabase.username | string | `"matrix-sliding-sync"` | username of matrix-sliding-sync postgres user |
| fullnameOverride | string | `""` | |
| image.pullPolicy | string | `"IfNotPresent"` | |
| image.repository | string | `"ghcr.io/matrix-org/sliding-sync"` | |
@@ -56,14 +62,14 @@ A Helm chart for Kubernetes
| podSecurityContext | object | `{}` | |
| postgresql.enabled | bool | `true` | Whether to deploy the Bitnami Postgresql sub chart If postgresql.enabled is set to true, externalDatabase.enabled must be set to false else if externalDatabase.enabled is set to true, postgresql.enabled must be set to false |
| postgresql.global.postgresql.auth.existingSecret | string | `""` | Name of existing secret to use for PostgreSQL credentials |
-| postgresql.global.postgresql.auth.password | string | `"changeme"` | password of matrix postgres user - ignored using exsitingSecret |
+| postgresql.global.postgresql.auth.password | string | `"changeme"` | password of matrix-sliding-sync postgres user - ignored using exsitingSecret |
| postgresql.global.postgresql.auth.port | int | `5432` | which port to use to connect to your database server |
| postgresql.global.postgresql.auth.secretKeys.adminPasswordKey | string | `"postgresPassword"` | key in existingSecret with the admin postgresql password |
| postgresql.global.postgresql.auth.secretKeys.database | string | `"database"` | key in existingSecret with name of the database |
| postgresql.global.postgresql.auth.secretKeys.databaseHostname | string | `"hostname"` | key in existingSecret with hostname of the database |
-| postgresql.global.postgresql.auth.secretKeys.databaseUsername | string | `"username"` | key in existingSecret with username for matrix to connect to db |
-| postgresql.global.postgresql.auth.secretKeys.userPasswordKey | string | `"password"` | key in existingSecret with password for matrix to connect to db |
-| postgresql.global.postgresql.auth.username | string | `"matrix-sliding-sync"` | username of matrix postgres user |
+| postgresql.global.postgresql.auth.secretKeys.databaseUsername | string | `"username"` | key in existingSecret with username for matrix-sliding-sync to connect to db |
+| postgresql.global.postgresql.auth.secretKeys.userPasswordKey | string | `"password"` | key in existingSecret with password for matrix-sliding-sync to connect to db |
+| postgresql.global.postgresql.auth.username | string | `"matrix-sliding-sync"` | username of matrix-sliding-sync postgres user |
| postgresql.primary.initdb | object | `{"scriptsConfigMap":"{{ .Release.Name }}-postgresql-initdb"}` | run the scripts in templates/postgresql/initdb-configmap.yaml If using an external Postgres server, make sure to configure the database ref: https://github.com/matrix-org/synapse/blob/master/docs/postgres.md |
| postgresql.primary.persistence | object | `{"enabled":false,"size":"8Gi"}` | persistent volume claim configuration for postgresql to persist data |
| postgresql.primary.persistence.enabled | bool | `false` | Enable PostgreSQL Primary data persistence using PVC |
@@ -84,16 +90,18 @@ A Helm chart for Kubernetes
| serviceAccount.create | bool | `true` | |
| serviceAccount.name | string | `""` | |
| syncv3.bindaddr | string | `"0.0.0.0:8008"` | SYNCV3_BINDADDR - The interface and port to listen on. (Supports unix socket: /path/to/socket) |
-| syncv3.db | string | `""` | SYNCV3_DB - Required. The postgres connection string: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING |
-| syncv3.log_level | string | `"info"` | SYNCV3_LOG_LEVEL - The level of verbosity for messages logged. Available values are trace, debug, info, warn, error and fatal |
-| syncv3.max_db_conn | string | `""` | SYNCV3_MAX_DB_CONN - Default: unset. Max database connections to use when communicating with postgres. Unset or 0 means no limit. |
-| syncv3.otlp_password | string | `""` | SYNCV3_OTLP_PASSWORD - Default: unset. The OTLP password for Basic auth. If unset, does not send an Authorization header. |
-| syncv3.otlp_url | string | `""` | SYNCV3_OTLP_URL - Default: unset. The OTLP HTTP URL to send spans to e.g https://localhost:4318 - if unset does not send OTLP traces. |
-| syncv3.otlp_username | string | `""` | SYNCV3_OTLP_USERNAME - Default: unset. The OTLP username for Basic auth. If unset, does not send an Authorization header. |
+| syncv3.db | object | `{"dbname":"matrix-sliding-sync","existingSecret":"","host":"","password":"","sslmode":"disable","user":"matrix-sliding-sync"}` | templates out SYNCV3_DB which is a postgres connection string: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING like this: user=$(whoami) dbname=syncv3 sslmode=disable host=host.docker.internal password='DATABASE_PASSWORD_HERE' |
+| syncv3.existingSecret | string | `""` | existing kubernetes secret for ALL syncv3 env vars listed below. if set, ignores all values below, everything under syncv3 including syncv3.db and syncvc.otlp. |
+| syncv3.logLevel | string | `"info"` | SYNCV3_LOG_LEVEL - The level of verbosity for messages logged. Available values are trace, debug, info, warn, error and fatal |
+| syncv3.maxDbConn | string | `""` | SYNCV3_MAX_DB_CONN - Default: unset. Max database connections to use when communicating with postgres. Unset or 0 means no limit. |
+| syncv3.otlp.existingSecret | string | `nil` | |
+| syncv3.otlp.password | string | `""` | SYNCV3_OTLP_PASSWORD - Default: unset. The OTLP password for Basic auth. If unset, does not send an Authorization header. |
+| syncv3.otlp.url | string | `""` | SYNCV3_OTLP_URL - Default: unset. The OTLP HTTP URL to send spans to e.g https://localhost:4318 - if unset does not send OTLP traces. |
+| syncv3.otlp.username | string | `""` | SYNCV3_OTLP_USERNAME - Default: unset. The OTLP username for Basic auth. If unset, does not send an Authorization header. |
| syncv3.pprof | string | `""` | SYNCV3_PPROF - Default: unset. The bind addr for pprof debugging e.g ':6060'. If not set, does not listen. |
| syncv3.prom | string | `""` | SYNCV3_PROM - Default: unset. The bind addr for Prometheus metrics, which will be accessible at /metrics at this address. |
| syncv3.secret | string | `""` | SYNCV3_SECRET - Required. A secret to use to encrypt access tokens. Must remain the same for the lifetime of the database. |
-| syncv3.sentry_dsn | string | `""` | SYNCV3_SENTRY_DSN - Default: unset. The Sentry DSN to report events to e.g https://sliding-sync@sentry.example.com/123 - if unset does not send sentry events. |
+| syncv3.sentryDsn | string | `""` | SYNCV3_SENTRY_DSN - Default: unset. The Sentry DSN to report events to e.g https://sliding-sync@sentry.example.com/123 - if unset does not send sentry events. |
| syncv3.server | string | `""` | SYNCV3_SERVER - Required. The destination homeserver to talk to (CS API HTTPS URL) e.g 'https://matrix-client.matrix.org' (Supports unix socket: /path/to/socket) |
| syncv3.tlsCert | string | `""` | SYNCV3_TLS_CERT - Default: unset. Path to a certificate file to serve to HTTPS clients. Specifying this enables TLS on the bound address. |
| syncv3.tlsKey | string | `""` | SYNCV3_TLS_KEY - Default: unset. Path to a key file for the certificate. Must be provided along with the certificate file. |
diff --git a/charts/matrix-sliding-sync/templates/_helpers.tpl b/charts/matrix-sliding-sync/templates/_helpers.tpl
index 672a34c..0bf4baa 100644
--- a/charts/matrix-sliding-sync/templates/_helpers.tpl
+++ b/charts/matrix-sliding-sync/templates/_helpers.tpl
@@ -60,3 +60,38 @@ Create the name of the service account to use
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
+
+{{/*
+Helper function to get postgres instance name
+*/}}
+{{- define "postgresql.name" -}}
+{{- if .Values.postgresql.enabled -}}
+{{ include "matrix-sliding-sync.fullname" . }}-postgresql
+{{- end }}
+{{- end }}
+
+{{/*
+Helper function to get the postgres secret containing the database credentials
+*/}}
+{{- define "matrix-sliding-sync.postgresql.secretName" -}}
+{{- if and .Values.postgresql.enabled .Values.postgresql.global.postgresql.auth.existingSecret -}}
+{{ .Values.postgresql.global.postgresql.auth.existingSecret }}
+{{- else if and .Values.externalDatabase.enabled .Values.externalDatabase.existingSecret -}}
+{{ .Values.externalDatabase.existingSecret }}
+{{- else -}}
+{{ template "matrix-sliding-sync.fullname" . }}-db-secret
+{{- end }}
+{{- end }}
+
+{{/*
+templates out SYNCV3_DB which is a postgres connection string: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING like this: user=$(whoami) dbname=syncv3 sslmode=disable host=host.docker.internal password='DATABASE_PASSWORD_HERE'
+*/}}
+{{- define "matrix-sliding-sync.dbConnString" -}}
+{{- if and .Values.postgresql.enabled (not .Values.syncv3.existingSecret) }}
+{{- if .Values.syncv3.db.password }}
+{{- printf "user=%s dbname=%s sslmode=%s host=%s password=%s" .Values.syncv3.db.user .Values.syncv3.db.dbname .Values.syncv3.db.sslmode .Values.syncv3.db.host .Values.syncv3.db.password }}
+{{- else -}}
+{{- printf "user=%s dbname=%s sslmode=%s host=%s" .Values.syncv3.db.user .Values.syncv3.db.dbname .Values.syncv3.db.sslmode .Values.syncv3.db.host }}
+{{- end }}
+{{- end }}
+{{- end }}
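Review bot: `matrix-sliding-sync.dbConnString` interpolates `.Values.syncv3.db.password` into the libpq string unquoted (`password=%s`), so a password containing a space, a single quote or a backslash yields a malformed or truncated connection string, while the helper's own comment shows the quoted form `password='...'`. The host comes from `.Values.syncv3.db.host`, which this diff defaults to `""` in values.yaml, so with the bundled postgresql the string renders as `host=` even though deployment.yaml already derives the service name via `postgresql.v1.primary.fullname`; and when `postgresql.enabled` is false the helper renders nothing, leaving `SYNCV3_DB` empty for the external-database case. The unprefixed `postgresql.name` define shares Helm's global template namespace with the bitnami subchart, so a `matrix-sliding-sync.` prefix would avoid a collision. The rewrite below quotes and escapes the password and falls back to the subchart's primary service name when no host is configured; the external-database branch still needs a decision.
```gotemplate
{{- define "matrix-sliding-sync.dbConnString" -}}
{{- if and .Values.postgresql.enabled (not .Values.syncv3.existingSecret) }}
{{- /* fall back to the bundled postgresql primary service when no host is configured */}}
{{- $host := default (include "postgresql.v1.primary.fullname" .Subcharts.postgresql) .Values.syncv3.db.host }}
{{- printf "user=%s dbname=%s sslmode=%s host=%s" .Values.syncv3.db.user .Values.syncv3.db.dbname .Values.syncv3.db.sslmode $host }}
{{- if .Values.syncv3.db.password }}
{{- /* libpq values are single-quoted; escape backslash and quote inside the value */}}
{{- printf " password='%s'" (.Values.syncv3.db.password | replace "\\" "\\\\" | replace "'" "\\'") }}
{{- end }}
{{- end }}
{{- end }}
```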
diff --git a/charts/matrix-sliding-sync/templates/deployment.yaml b/charts/matrix-sliding-sync/templates/deployment.yaml
index a28c04c..352419c 100644
--- a/charts/matrix-sliding-sync/templates/deployment.yaml
+++ b/charts/matrix-sliding-sync/templates/deployment.yaml
@@ -30,6 +30,40 @@ spec:
serviceAccountName: {{ include "matrix-sliding-sync.serviceAccountName" . }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
+ initContainers:
+ {{- if .Values.postgresql.enabled }}
+ - name: postgresql-isready
+ image: {{ .Values.postgresql.image.repository }}:{{ .Values.postgresql.image.tag }}
+ env:
+ - name: POSTGRES_USER
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "matrix-sliding-sync.postgresql.secretName" . }}
+ key: {{ .Values.postgresql.global.postgresql.auth.secretKeys.databaseUsername }}
+ - name: DATABASE_HOSTNAME
+ {{- if not .Values.postgresql.global.postgresql.auth.existingSecret }}
+ value: {{ template "postgresql.v1.primary.fullname" .Subcharts.postgresql }}
+ {{ else }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "matrix-sliding-sync.postgresql.secretName" . }}
+ key: {{ .Values.postgresql.global.postgresql.auth.secretKeys.databaseHostname }}
+ {{- end }}
+ {{- if .Values.postgresql.sslmode }}
+ - name: PGSSLMODE
+ value: {{ .Values.postgresql.sslmode }}
+ - name: PGSSLCERT
+ value: {{ .Values.postgresql.sslcert }}
+ - name: PGSSLKEY
+ value: {{ .Values.postgresql.sslkey }}
+ - name: PGSSLROOTCERT
+ value: {{ .Values.postgresql.sslrootcert }}
+ {{- end }}
+ command:
+ - "sh"
+ - "-c"
+ - "until pg_isready -h $DATABASE_HOSTNAME -U $POSTGRES_USER; do sleep 2; done"
+ {{- end }}
containers:
- name: {{ .Chart.Name }}
securityContext:
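Review bot: The `postgresql-isready` init container declares no `securityContext` and no `resources`, so it runs with the image's defaults while the app container right below it is given a securityContext; applying the same container securityContext (or a dedicated value) to the init container keeps the pod's hardening consistent. The `PGSSL*` block keys off `.Values.postgresql.sslmode`, `.sslcert`, `.sslkey` and `.sslrootcert`, but the only ssl* values visible in this diff live under `externalDatabase` (chart README rows), so unless `postgresql.sslmode` exists elsewhere in values.yaml that block never renders — please confirm. Likewise `.Values.postgresql.image.repository` / `.tag` are subchart values; if the parent values.yaml does not set them the image renders as a bare `:`, so either set them there or document the requirement with a comment such as `# image for pg_isready; must match postgresql.image in values.yaml`. Finally, `{{ else }}` on the `DATABASE_HOSTNAME` branch lacks the `{{-` trim the surrounding lines use.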
@@ -50,7 +84,13 @@ spec:
volumeMounts:
{{- toYaml . | nindent 12 }}
{{- end }}
- env:
+ envFrom:
+ - secretRef:
+ {{- if .Values.syncv3.existingSecret }}
+ name: {{ .Values.syncv3.existingSecret }}
+ {{- else }}
+ name: {{ include "matrix-sliding-sync.fullname" . }}-env
+ {{- end }}
{{- with .Values.volumes }}
volumes:
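Review bot: The container now loads exactly one `secretRef`, yet the env Secret template in this diff omits `SYNCV3_DB` whenever `syncv3.db.existingSecret` is set and omits the `SYNCV3_OTLP_*` keys when `syncv3.otlp.existingSecret` is set, and nothing else in the diff references those two secrets, so with either value set the pod would start without those variables. Add the extra refs under `envFrom` as below and document in values.yaml that those secrets must themselves carry the `SYNCV3_DB` / `SYNCV3_OTLP_*` keys. The containers list this sits in opens before the hunk.
```yaml
        envFrom:
          # … unchanged: primary secretRef (syncv3.existingSecret or <fullname>-env) …
          {{- if and (not .Values.syncv3.existingSecret) .Values.syncv3.db.existingSecret }}
          - secretRef:
              name: {{ .Values.syncv3.db.existingSecret }}
          {{- end }}
          {{- if and (not .Values.syncv3.existingSecret) .Values.syncv3.otlp.existingSecret }}
          - secretRef:
              name: {{ .Values.syncv3.otlp.existingSecret }}
          {{- end }}
```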
diff --git a/charts/matrix-sliding-sync/templates/initdb-configmap.yaml b/charts/matrix-sliding-sync/templates/initdb-configmap.yaml
new file mode 100644
index 0000000..4986fbd
--- /dev/null
+++ b/charts/matrix-sliding-sync/templates/initdb-configmap.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.postgresql.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "matrix-sliding-sync.fullname" . }}-postgresql-initdb
+ labels:
+ {{ include "matrix-sliding-sync.labels" . | nindent 4}}
+data:
+ matrix.sql: |
+ CREATE DATABASE matrix ENCODING 'UTF8' LOCALE 'C' TEMPLATE template0 OWNER {{ .Values.postgresql.global.postgresql.auth.username }};
+ GRANT ALL PRIVILEGES ON DATABASE matrix-sliding-sync TO {{ .Values.postgresql.global.postgresql.auth.username }};
+ GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO {{ .Values.postgresql.global.postgresql.auth.username }};
+{{- end }}
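Review bot: The SQL creates database `matrix` but grants on `matrix-sliding-sync`, and neither that name nor the `matrix-sliding-sync` owner/username default (chart README, values.yaml) is a legal bare identifier — the hyphens parse as subtraction, so the script fails at the first GRANT; both identifiers need double quotes and the database name should come from the same value the connection string uses: `CREATE DATABASE "{{ .Values.syncv3.db.dbname }}" ENCODING 'UTF8' LOCALE 'C' TEMPLATE template0 OWNER "{{ .Values.postgresql.global.postgresql.auth.username }}";` and `GRANT ALL PRIVILEGES ON DATABASE "{{ .Values.syncv3.db.dbname }}" TO "{{ .Values.postgresql.global.postgresql.auth.username }}";`. The third statement grants on `SCHEMA public` of whichever database the init script is connected to, not the newly created one, so it most likely does nothing useful; drop it or connect to the new database first. Also `{{ include "matrix-sliding-sync.labels" . | nindent 4}}` sits on an already-indented line, which leaves a whitespace-only line in the output — `{{- include "matrix-sliding-sync.labels" . | nindent 4 }}` matches the trimmed style used elsewhere in the chart.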
diff --git a/charts/matrix-sliding-sync/templates/matrix-sliding-sync-env-secret.yaml b/charts/matrix-sliding-sync/templates/matrix-sliding-sync-env-secret.yaml
index bf05bb0..7018b99 100644
--- a/charts/matrix-sliding-sync/templates/matrix-sliding-sync-env-secret.yaml
+++ b/charts/matrix-sliding-sync/templates/matrix-sliding-sync-env-secret.yaml
@@ -3,21 +3,46 @@
apiVersion: v1
kind: Secret
metadata:
- name: sliding-sync-env
+ name: {{ include "matrix-sliding-sync.fullname" . }}-env
data:
- SYNCV3_SERVER: {{ .Values.syncv3.server | b64enc | quote }}
- SYNCV3_DB: {{ .Values.syncv3.db | b64enc | quote }}
+ {{- if .Values.syncv3.secret }}
SYNCV3_SECRET: {{ .Values.syncv3.secret | b64enc | quote }}
+ {{- else }}
+ SYNCV3_SECRET: {{ randAlphaNum 32 | b64enc | quote }}
+ {{- end }}
+ SYNCV3_SERVER: {{ .Values.syncv3.server | b64enc | quote }}
+ {{- if not .Values.syncv3.db.existingSecret }}
+ SYNCV3_DB: {{ include "matrix-sliding-sync.dbConnString" . | b64enc | quote }}
+ {{- end }}
SYNCV3_BINDADDR: {{ .Values.syncv3.bindaddr | b64enc | quote }}
+ {{ if .Values.syncv3.tlsCert }}
SYNCV3_TLS_CERT: {{ .Values.syncv3.tlsCert | b64enc | quote }}
+ {{- end }}
+ {{ if .Values.syncv3.tlsKey }}
SYNCV3_TLS_KEY: {{ .Values.syncv3.tlsKey | b64enc | quote }}
+ {{- end }}
+ {{ if not .Values.syncv3.pprof }}
SYNCV3_PPROF: {{ .Values.syncv3.pprof | b64enc | quote }}
+ {{- end }}
+ {{ if not .Values.syncv3.prom }}
SYNCV3_PROM: {{ .Values.syncv3.prom | b64enc | quote }}
- SYNCV3_OTLP_URL: {{ .Values.syncv3.otlpUrl | b64enc | quote }}
- SYNCV3_OTLP_USERNAME: {{ .Values.syncv3.otlpUsername | b64enc | quote }}
- SYNCV3_OTLP_PASSWORD: {{ .Values.syncv3.otlpPassword | b64enc | quote }}
+ {{- end }}
+ {{ if not .Values.syncv3.otlp.existingSecret }}
+ {{ if .Values.syncv3.otlp.url }}
+ SYNCV3_OTLP_URL: {{ .Values.syncv3.otlp.url | b64enc | quote }}
+ {{- end }}
+ {{ if .Values.syncv3.otlp.username }}
+ SYNCV3_OTLP_USERNAME: {{ .Values.syncv3.otlp.username | b64enc | quote }}
+ {{- end }}
+ {{ if .Values.syncv3.otlp.password }}
+ SYNCV3_OTLP_PASSWORD: {{ .Values.syncv3.otlp.password | b64enc | quote }}
+ {{- end }}
+ {{- end }}
+ {{ if .Values.syncv3.sentryDsn }}
SYNCV3_SENTRY_DSN: {{ .Values.syncv3.sentryDsn | b64enc | quote }}
+ {{- end }}
SYNCV3_LOG_LEVEL: {{ .Values.syncv3.logLevel | b64enc | quote }}
+ {{ if .Values.syncv3.maxDbConn }}
SYNCV3_MAX_DB_CONN: {{ .Values.syncv3.maxDbConn | b64enc | quote }}
-
+ {{- end }}
{{- end }}
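Review bot: The guards `{{ if not .Values.syncv3.pprof }}` and `{{ if not .Values.syncv3.prom }}` are inverted relative to every other guard in this block: `SYNCV3_PPROF` / `SYNCV3_PROM` are emitted (as empty strings) only while unset and dropped as soon as the user sets them; they should read `{{- if .Values.syncv3.pprof }}` and `{{- if .Values.syncv3.prom }}`. Separately, the `randAlphaNum 32` fallback for `SYNCV3_SECRET` produces a new value on every `helm upgrade`, which contradicts the values.yaml comment that the secret must remain the same for the lifetime of the database; re-using the value already stored in the release's Secret via `lookup` (below) avoids silently invalidating encrypted tokens, with the caveat that `lookup` returns nothing under `helm template` / `--dry-run`, so the random value is still used there. The untrimmed `{{ if` forms also leave whitespace-only lines inside `data:` — harmless, but the `{{- if` form used on the `syncv3.secret` branch is the consistent one. The template's outer `{{- if` opens before this hunk.
```yaml
  {{- $envSecretName := printf "%s-env" (include "matrix-sliding-sync.fullname" .) }}
  {{- $existing := lookup "v1" "Secret" .Release.Namespace $envSecretName }}
  {{- if .Values.syncv3.secret }}
  SYNCV3_SECRET: {{ .Values.syncv3.secret | b64enc | quote }}
  {{- else if $existing }}
  # value from the live Secret is already base64 — do not b64enc it again
  SYNCV3_SECRET: {{ index $existing.data "SYNCV3_SECRET" | quote }}
  {{- else }}
  SYNCV3_SECRET: {{ randAlphaNum 32 | b64enc | quote }}
  {{- end }}
  # … unchanged: SYNCV3_SERVER, SYNCV3_DB, SYNCV3_BINDADDR, SYNCV3_TLS_* …
  {{- if .Values.syncv3.pprof }}
  SYNCV3_PPROF: {{ .Values.syncv3.pprof | b64enc | quote }}
  {{- end }}
  {{- if .Values.syncv3.prom }}
  SYNCV3_PROM: {{ .Values.syncv3.prom | b64enc | quote }}
  {{- end }}
  # … unchanged: OTLP, sentry, log level, max db conn …
```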
diff --git a/charts/matrix-sliding-sync/templates/network-policy.yaml b/charts/matrix-sliding-sync/templates/network-policy.yaml
new file mode 100644
index 0000000..fb00b13
--- /dev/null
+++ b/charts/matrix-sliding-sync/templates/network-policy.yaml
@@ -0,0 +1,22 @@
+{{- if and .Values.networkPolicies.enabled .Values.postgresql.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "matrix-sliding-sync.fullname" . }}-synapse-postgresql
+ labels:
+{{ include "matrix-sliding-sync.labels" . | indent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "postgresql.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "matrix-sliding-sync.name" . }}-synapse
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ ports:
+ - port: tcp-postgresql
+ protocol: TCP
+{{- end }}
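Review bot: The ingress `podSelector` matches `app.kubernetes.io/name: {{ include "matrix-sliding-sync.name" . }}-synapse`, a label no pod of this chart should carry (the `-synapse` suffix and the `-synapse-postgresql` resource name look carried over from the synapse chart); once a policy selects the postgresql pods, an ingress rule that matches no peer isolates them, so with the `networkPolicies.enabled: true` default the sliding-sync pod is cut off from its database on any CNI that enforces policies. Drop the suffix — `app.kubernetes.io/name: {{ include "matrix-sliding-sync.name" . }}` — and confirm that this equals the label the app pod's selector uses. The target selector `app.kubernetes.io/name: {{ include "postgresql.name" . }}` renders `<fullname>-postgresql`, whereas I believe the bitnami chart labels its pods `app.kubernetes.io/name: postgresql` (the `postgresql.v1.primary.fullname` used in deployment.yaml is a resource name, not a label value); please verify against the subchart's rendered pod labels. Finally, this file uses `indent 4` for labels while initdb-configmap.yaml uses `nindent 4` — pick one.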
diff --git a/charts/matrix-sliding-sync/values.yaml b/charts/matrix-sliding-sync/values.yaml
index 6603fda..9589d0d 100644
--- a/charts/matrix-sliding-sync/values.yaml
+++ b/charts/matrix-sliding-sync/values.yaml
@@ -113,6 +113,8 @@ postgresql:
# If postgresql.enabled is set to true, externalDatabase.enabled must be set to false
# else if externalDatabase.enabled is set to true, postgresql.enabled must be set to false
enabled: true
+ persistence:
+ enabled: false
volumePermissions:
# -- Enable init container that changes the owner and group of the PVC
enabled: true
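Review bot: `postgresql.persistence.enabled` is added at the top level of the subchart values while the next hunk of this file removes `postgresql.primary.persistence`; for bitnami/postgresql 15.1.4 (the dependency pinned in Chart.yaml) persistence is, as far as I know, configured under `primary.persistence`, so the new key is likely ignored and the bundled database becomes persistent by default — please verify against the subchart's values.yaml. If an ephemeral database is intended, keep `primary.persistence.enabled: false` together with its `# --` doc comment, which also keeps the generated README rows for `postgresql.primary.persistence` accurate.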
@@ -146,13 +148,6 @@ postgresql:
# primary database node config
primary:
- # -- persistent volume claim configuration for postgresql to persist data
- persistence:
- # -- Enable PostgreSQL Primary data persistence using PVC
- enabled: false
- # -- size of postgresql volume claim
- size: 8Gi
-
# -- run the scripts in templates/postgresql/initdb-configmap.yaml
# If using an external Postgres server, make sure to configure the database
# ref: https://github.com/matrix-org/synapse/blob/master/docs/postgres.md
@@ -210,10 +205,20 @@ externalDatabase:
adminPasswordKey: postgresPassword
syncv3:
+ # -- existing kubernetes secret for ALL syncv3 env vars listed below. if set, ignores all values below, everything under syncv3 including syncv3.db and syncvc.otlp.
+ existingSecret: ""
# -- SYNCV3_SERVER - Required. The destination homeserver to talk to (CS API HTTPS URL) e.g 'https://matrix-client.matrix.org' (Supports unix socket: /path/to/socket)
server: ""
- # -- SYNCV3_DB - Required. The postgres connection string: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
- db: ""
+
+ # -- templates out SYNCV3_DB which is a postgres connection string: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING like this: user=$(whoami) dbname=syncv3 sslmode=disable host=host.docker.internal password='DATABASE_PASSWORD_HERE'
+ db:
+ host: ""
+ dbname: matrix-sliding-sync
+ sslmode: disable
+ user: matrix-sliding-sync
+ password: ""
+ existingSecret: ""
+
# -- SYNCV3_SECRET - Required. A secret to use to encrypt access tokens. Must remain the same for the lifetime of the database.
secret: ""
# -- SYNCV3_BINDADDR - The interface and port to listen on. (Supports unix socket: /path/to/socket)
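Review bot: `syncv3.db.host` defaults to `""`, so the connection string rendered by `matrix-sliding-sync.dbConnString` carries an empty `host=` with the bundled postgresql, which libpq treats as the local Unix-socket default rather than the subchart service; either default it to the subchart's primary service name inside the helper or add a comment here that it must be set, e.g. `# -- hostname of the postgres server; must be set, no default is derived from the subchart`. `sslmode: disable` as a shipped default deserves a `# --` comment noting it is only appropriate for in-cluster traffic to the bundled subchart and should be `require` or `verify-full` against an external server. `db.existingSecret` is declared but no template in this diff consumes it, so a comment stating the key it must contain (`SYNCV3_DB`) plus a matching `envFrom` entry in the deployment are needed before it does anything; and the `syncv3.existingSecret` comment reads `syncvc.otlp` where `syncv3.otlp` is meant.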
@@ -226,17 +231,24 @@ syncv3:
pprof: ""
# -- SYNCV3_PROM - Default: unset. The bind addr for Prometheus metrics, which will be accessible at /metrics at this address.
prom: ""
- # -- SYNCV3_OTLP_URL - Default: unset. The OTLP HTTP URL to send spans to e.g https://localhost:4318 - if unset does not send OTLP traces.
- otlpUrl: ""
- # -- SYNCV3_OTLP_USERNAME - Default: unset. The OTLP username for Basic auth. If unset, does not send an Authorization header.
- otlpUsername: ""
- # -- SYNCV3_OTLP_PASSWORD - Default: unset. The OTLP password for Basic auth. If unset, does not send an Authorization header.
- otlpPassword: ""
+
+ otlp:
+ # -- SYNCV3_OTLP_URL - Default: unset. The OTLP HTTP URL to send spans to e.g https://localhost:4318 - if unset does not send OTLP traces.
+ url: ""
+ # -- SYNCV3_OTLP_USERNAME - Default: unset. The OTLP username for Basic auth. If unset, does not send an Authorization header.
+ username: ""
+ # -- SYNCV3_OTLP_PASSWORD - Default: unset. The OTLP password for Basic auth. If unset, does not send an Authorization header.
+ password: ""
+ existingSecret:
+
# -- SYNCV3_SENTRY_DSN - Default: unset. The Sentry DSN to report events to e.g https://sliding-sync@sentry.example.com/123 - if unset does not send sentry events.
sentryDsn: ""
# -- SYNCV3_LOG_LEVEL - The level of verbosity for messages logged. Available values are trace, debug, info, warn, error and fatal
logLevel: "info"
# -- SYNCV3_MAX_DB_CONN - Default: unset. Max database connections to use when communicating with postgres. Unset or 0 means no limit.
maxDbConn: ""
- # -- existing kubernetes secret for syncv3 env vars listed above, ignores all above if set.
- existingSecret: ""
+
+
+networkPolicies:
+ # -- whether to enable kubernetes network policies or not
+ enabled: true
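Review bot: `otlp.existingSecret:` is a bare key, which YAML reads as null (the generated README shows it as `nil`), whereas the sibling `db.existingSecret: ""` and `syncv3.existingSecret: ""` use an empty string; write `existingSecret: ""` and give it a `# --` comment naming the `SYNCV3_OTLP_*` keys the secret must contain, since the env Secret template omits those keys when it is set. `networkPolicies.enabled: true` turns a NetworkPolicy on by default; its `# --` comment should add that it only takes effect on a CNI that enforces policies and that it currently covers ingress to the postgresql subchart only. The file also ends with two blank lines before `networkPolicies`, where one is the convention.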