├── .github ├── CODEOWNERS ├── dependabot.yml └── workflows │ ├── actions-linting.yml │ ├── artifact-hub.yml │ ├── build-test.yml │ ├── changelog_check.yml │ ├── licensing.yml │ ├── matrix-tools.yml │ ├── pytest.yml │ ├── releasing.yml │ └── scripts-linting.yml ├── .gitignore ├── CHANGELOG.md ├── DEVELOPERS.md ├── LICENSE-AGPL-3.0-only ├── LICENSES └── AGPL-3.0-only.txt ├── README.md ├── REUSE.toml ├── artifacthub-repo.yaml ├── charts └── matrix-stack │ ├── .helmignore │ ├── Chart.lock │ ├── Chart.yaml │ ├── README.md │ ├── ci │ ├── element-web-checkov-values.yaml │ ├── element-web-minimal-values.yaml │ ├── example-default-enabled-components-values.yaml │ ├── fragments │ │ ├── deployment-markers-checkov.yaml │ │ ├── deployment-markers-minimal.yaml │ │ ├── deployment-markers-pytest-extras.yaml │ │ ├── element-web-checkov.yaml │ │ ├── element-web-minimal.yaml │ │ ├── element-web-pytest-extras.yaml │ │ ├── haproxy-checkov.yaml │ │ ├── init-secrets-checkov.yaml │ │ ├── init-secrets-disabled.yaml │ │ ├── init-secrets-minimal.yaml │ │ ├── init-secrets-pytest-extras.yaml │ │ ├── matrix-authentication-service-additional-in-helm.yaml │ │ ├── matrix-authentication-service-additional-secrets-externally.yaml │ │ ├── matrix-authentication-service-checkov.yaml │ │ ├── matrix-authentication-service-external-synapse.yaml │ │ ├── matrix-authentication-service-migrated-password-scheme.yaml │ │ ├── matrix-authentication-service-minimal.yaml │ │ ├── matrix-authentication-service-postgres-secrets-externally.yaml │ │ ├── matrix-authentication-service-postgres-secrets-in-helm.yaml │ │ ├── matrix-authentication-service-postgres.yaml │ │ ├── matrix-authentication-service-pytest-extras.yaml │ │ ├── matrix-authentication-service-secrets-externally.yaml │ │ ├── matrix-authentication-service-secrets-in-helm.yaml │ │ ├── matrix-authentication-service-syn2mas-dryrun.yaml │ │ ├── matrix-authentication-service-syn2mas-migrate.yaml │ │ ├── matrix-rtc-checkov.yaml │ │ ├── 
matrix-rtc-exposed-services.yaml │ │ ├── matrix-rtc-external-livekit-secrets-externally.yaml │ │ ├── matrix-rtc-external-livekit-secrets-in-helm.yaml │ │ ├── matrix-rtc-external-livekit.yaml │ │ ├── matrix-rtc-host-mode.yaml │ │ ├── matrix-rtc-minimal.yaml │ │ ├── matrix-rtc-pytest-extras.yaml │ │ ├── matrix-rtc-secrets-externally.yaml │ │ ├── matrix-rtc-secrets-in-helm.yaml │ │ ├── postgres-checkov.yaml │ │ ├── postgres-matrix-authentication-service-secrets-externally.yaml │ │ ├── postgres-matrix-authentication-service-secrets-in-helm.yaml │ │ ├── postgres-minimal.yaml │ │ ├── postgres-secrets-externally.yaml │ │ ├── postgres-secrets-in-helm.yaml │ │ ├── postgres-synapse-secrets-externally.yaml │ │ ├── postgres-synapse-secrets-in-helm.yaml │ │ ├── quick-setup-all-enabled.yaml │ │ ├── quick-setup-certificates.yaml │ │ ├── quick-setup-external-cert.yaml │ │ ├── quick-setup-hostnames.yaml │ │ ├── quick-setup-letsencrypt.yaml │ │ ├── quick-setup-postgresql.yaml │ │ ├── quick-setup-wildcard-cert.yaml │ │ ├── synapse-additional-in-helm.yaml │ │ ├── synapse-additional-secrets-externally.yaml │ │ ├── synapse-all-workers-running.yaml │ │ ├── synapse-checkov.yaml │ │ ├── synapse-ingress-additional-paths.yaml │ │ ├── synapse-minimal.yaml │ │ ├── synapse-postgres-secrets-externally.yaml │ │ ├── synapse-postgres-secrets-in-helm.yaml │ │ ├── synapse-postgres.yaml │ │ ├── synapse-pytest-base-extras.yaml │ │ ├── synapse-pytest-self-extras.yaml │ │ ├── synapse-secrets-externally.yaml │ │ ├── synapse-secrets-in-helm.yaml │ │ ├── synapse-some-workers-running.yaml │ │ ├── well-known-minimal.yaml │ │ └── well-known-pytest-extras.yaml │ ├── matrix-authentication-service-checkov-values.yaml │ ├── matrix-authentication-service-external-synapse-values.yaml │ ├── matrix-authentication-service-minimal-values.yaml │ ├── matrix-authentication-service-postgres-secrets-externally-values.yaml │ ├── matrix-authentication-service-postgres-secrets-in-helm-values.yaml │ ├── 
matrix-authentication-service-secrets-externally-values.yaml │ ├── matrix-authentication-service-secrets-in-helm-values.yaml │ ├── matrix-authentication-service-synapse-syn2mas-dry-run-secrets-externally-values.yaml │ ├── matrix-authentication-service-synapse-syn2mas-dry-run-secrets-in-helm-values.yaml │ ├── matrix-authentication-service-synapse-syn2mas-migrate-secrets-externally-values.yaml │ ├── matrix-authentication-service-synapse-syn2mas-migrate-secrets-in-helm-values.yaml │ ├── matrix-rtc-checkov-values.yaml │ ├── matrix-rtc-exposed-services-values.yaml │ ├── matrix-rtc-external-livekit-secrets-externally-values.yaml │ ├── matrix-rtc-external-livekit-secrets-in-helm-values.yaml │ ├── matrix-rtc-host-mode-values.yaml │ ├── matrix-rtc-minimal-values.yaml │ ├── matrix-rtc-secrets-externally-values.yaml │ ├── matrix-rtc-secrets-in-helm-values.yaml │ ├── nothing-enabled-values.yaml │ ├── pytest-element-web-values.yaml │ ├── pytest-matrix-authentication-service-syn2mas-values.yaml │ ├── pytest-matrix-authentication-service-values.yaml │ ├── pytest-matrix-rtc-standalone-values.yaml │ ├── pytest-matrix-rtc-synapse-wellknown-values.yaml │ ├── pytest-synapse-values.yaml │ ├── pytest-well-known-values.yaml │ ├── quick-setup-certificates-pg-external-values.yaml │ ├── quick-setup-certificates-pg-with-helm-values.yaml │ ├── quick-setup-external-cert-pg-external-values.yaml │ ├── quick-setup-external-cert-pg-with-helm-values.yaml │ ├── quick-setup-letsencrypt-pg-external-values.yaml │ ├── quick-setup-letsencrypt-pg-with-helm-values.yaml │ ├── quick-setup-wildcard-cert-pg-external-values.yaml │ ├── quick-setup-wildcard-cert-pg-with-helm-values.yaml │ ├── synapse-checkov-with-workers-values.yaml │ ├── synapse-ingress-additional-paths-values.yaml │ ├── synapse-minimal-values.yaml │ ├── synapse-postgres-secrets-externally-values.yaml │ ├── synapse-postgres-secrets-in-helm-values.yaml │ ├── synapse-secrets-externally-values.yaml │ ├── synapse-secrets-in-helm-values.yaml │ ├── 
synapse-worker-example-values.yaml │ ├── test-cluster-mixin.yaml │ ├── well-known-checkov-values.yaml │ ├── well-known-element-web-values.yaml │ ├── well-known-mas-values.yaml │ ├── well-known-minimal-values.yaml │ ├── well-known-synapse-mas-values.yaml │ └── well-known-synapse-values.yaml │ ├── configs │ ├── element-web │ │ ├── config.json.tpl │ │ ├── default.conf │ │ ├── http_customisations.conf │ │ └── security_headers.conf │ ├── haproxy │ │ ├── 429.http.tpl │ │ └── haproxy.cfg.tpl │ ├── matrix-authentication-service │ │ └── config.yaml.tpl │ ├── matrix-rtc │ │ └── sfu │ │ │ ├── config.yaml.tpl │ │ │ └── keys-template.yaml.tpl │ ├── postgres │ │ └── configure-dbs.sh.tpl │ ├── synapse │ │ ├── partial-haproxy.cfg.tpl │ │ ├── path_map_file.tpl │ │ ├── path_map_file_get.tpl │ │ ├── redis.conf │ │ ├── synapse-01-shared-underrides.yaml.tpl │ │ ├── synapse-04-homeserver-overrides.yaml.tpl │ │ ├── synapse-05-process-specific.yaml.tpl │ │ └── synapse-log-config.yaml.tpl │ └── well-known │ │ └── partial-haproxy.cfg.tpl │ ├── source │ ├── common │ │ ├── additional.json │ │ ├── containersSecurityContext.json │ │ ├── credential.json │ │ ├── exposedServicePort.json │ │ ├── exposedServicePortRange.json │ │ ├── extraEnv.json │ │ ├── global.json │ │ ├── hostAliases.json │ │ ├── image.json │ │ ├── ingress.json │ │ ├── ingress_global.json │ │ ├── ingress_without_host.json │ │ ├── labelSelector.json │ │ ├── labels.json │ │ ├── nodeSelector.json │ │ ├── persistentVolumeClaim.json │ │ ├── podSecurityContext.json │ │ ├── postgres-libpq.json │ │ ├── probe.json │ │ ├── resources.json │ │ ├── serviceAccount.json │ │ ├── serviceMonitors.json │ │ ├── sub_schema_values.yaml.j2 │ │ ├── tolerations.json │ │ ├── topologySpreadConstraints.json │ │ └── workloadAnnotations.json │ ├── deployment-markers.json │ ├── deployment-markers.yaml.j2 │ ├── element-web.json │ ├── element-web.yaml.j2 │ ├── haproxy.json │ ├── haproxy.yaml.j2 │ ├── init-secrets.json │ ├── init-secrets.yaml.j2 │ ├── 
matrix-rtc.json │ ├── matrix-rtc.yaml.j2 │ ├── matrixAuthenticationService.json │ ├── matrixAuthenticationService.yaml.j2 │ ├── postgres.json │ ├── postgres.yaml.j2 │ ├── synapse.json │ ├── synapse.yaml.j2 │ ├── synapse │ │ ├── ingress_with_additional_paths.json │ │ ├── scalable_worker.json │ │ ├── single_worker.json │ │ └── synapse_sub_schema_values.yaml.j2 │ ├── values.schema.json │ ├── values.yaml.j2 │ ├── wellKnownDelegation.json │ └── wellKnownDelegation.yaml.j2 │ ├── templates │ ├── NOTES.txt │ ├── deployment-markers │ │ ├── _helpers.tpl │ │ ├── job.yaml │ │ ├── role.yaml │ │ ├── rolebinding.yaml │ │ └── serviceaccount.yaml │ ├── element-web │ │ ├── _helpers.tpl │ │ ├── configmap.yaml │ │ ├── deployment.yaml │ │ ├── ingress.yaml │ │ ├── nginx_configmap.yaml │ │ ├── service.yaml │ │ └── serviceaccount.yaml │ ├── ess-library │ │ ├── _credentials.tpl │ │ ├── _deployments.tpl │ │ ├── _ingress.tpl │ │ ├── _labels.tpl │ │ ├── _pods.tpl │ │ ├── _postgres.tpl │ │ ├── _render_config.tpl │ │ └── _serviceAccounts.tpl │ ├── haproxy │ │ ├── _helpers.tpl │ │ ├── configmap.yaml │ │ ├── deployment.yaml │ │ ├── service.yaml │ │ ├── service_monitor.yaml │ │ └── serviceaccount.yaml │ ├── init-secrets │ │ ├── _helpers.tpl │ │ ├── job.yaml │ │ ├── role.yaml │ │ ├── rolebinding.yaml │ │ └── serviceaccount.yaml │ ├── matrix-authentication-service │ │ ├── _helpers.tpl │ │ ├── configmap.yaml │ │ ├── configmap_hook.yaml │ │ ├── deployment.yaml │ │ ├── ingress.yaml │ │ ├── secret.yaml │ │ ├── secret_hook.yaml │ │ ├── service.yaml │ │ ├── service_monitor.yaml │ │ ├── serviceaccount.yaml │ │ ├── syn2mas_job.yaml │ │ ├── syn2mas_role.yaml │ │ ├── syn2mas_rolebinding.yaml │ │ └── syn2mas_serviceaccount.yaml │ ├── matrix-rtc │ │ ├── _helpers.tpl │ │ ├── _sfu_helpers.tpl │ │ ├── ingress.yaml │ │ ├── sfu_configmap.yaml │ │ ├── sfu_deployment.yaml │ │ ├── sfu_jwt_deployment.yaml │ │ ├── sfu_jwt_secret.yaml │ │ ├── sfu_jwt_service.yaml │ │ ├── sfu_jwt_service_monitor.yaml │ │ ├── 
sfu_jwt_serviceaccount.yaml │ │ ├── sfu_rtc_tcp_service.yaml │ │ ├── sfu_rtc_udp_muxer_service.yaml │ │ ├── sfu_rtc_udp_range_service.yaml │ │ ├── sfu_service.yaml │ │ ├── sfu_service_monitor.yaml │ │ └── sfu_serviceaccount.yaml │ ├── postgres │ │ ├── _helpers.tpl │ │ ├── _postgres_secret.tpl │ │ ├── configmap.yaml │ │ ├── pvc.yaml │ │ ├── secret.yaml │ │ ├── secret_hook.yaml │ │ ├── service.yaml │ │ ├── service_monitor.yaml │ │ ├── serviceaccount.yaml │ │ └── statefulset.yaml │ ├── synapse │ │ ├── _helpers.tpl │ │ ├── _synapse_details.tpl │ │ ├── _synapse_pod.tpl │ │ ├── _synapse_secret.tpl │ │ ├── redis_configmap.yaml │ │ ├── redis_deployment.yaml │ │ ├── redis_service.yaml │ │ ├── redis_serviceaccount.yaml │ │ ├── synapse_check_config_job_hook.yaml │ │ ├── synapse_configmap.yaml │ │ ├── synapse_configmap_hook.yaml │ │ ├── synapse_haproxy_configmap.yaml │ │ ├── synapse_http_service.yaml │ │ ├── synapse_ingress.yaml │ │ ├── synapse_persistentvolumeclaim.yaml │ │ ├── synapse_secret.yaml │ │ ├── synapse_secret_hook.yaml │ │ ├── synapse_service.yaml │ │ ├── synapse_service_monitor.yaml │ │ ├── synapse_serviceaccount.yaml │ │ ├── synapse_serviceaccount_hook.yaml │ │ └── synapse_statefulset.yaml │ ├── well-known │ │ ├── _helpers.tpl │ │ ├── configmap.yaml │ │ ├── ingress.yaml │ │ └── service.yaml │ └── z_validation │ │ └── validation.txt │ ├── user_values │ └── .gitkeep │ ├── values.schema.json │ └── values.yaml ├── ct.yaml ├── docker-bake.hcl ├── docs ├── advanced.md ├── architecture.md ├── assets │ └── images │ │ ├── Architecture.png │ │ ├── ESS-Community-architecture--dark.png │ │ ├── ESS-Community-architecture--light.png │ │ ├── Element-Server-Suite-Community--dark.png │ │ └── Element-Server-Suite-Community--light.png ├── maintenance.md ├── migrating.md └── syn2mas.md ├── matrix-tools ├── Dockerfile ├── README.md ├── cmd │ └── main.go ├── go.mod ├── go.sum ├── go.sum.license └── internal │ └── pkg │ ├── args │ ├── args.go │ └── args_test.go │ ├── marker │ ├── 
marker.go │ └── marker_test.go │ ├── renderer │ ├── renderer.go │ ├── renderer_test.go │ └── testdata │ │ ├── multiline │ │ ├── multiline.license │ │ ├── secret_key │ │ └── secret_key.license │ ├── secret │ ├── private_keys.go │ ├── secret.go │ ├── secret_test.go │ ├── signing_key.go │ └── signing_key_test.go │ ├── syn2mas │ ├── syn2mas.go │ └── syn2mas_test.go │ └── tcpwait │ ├── tcpwait.go │ └── tcpwait_test.go ├── newsfragments ├── .gitkeep ├── 454.added.md ├── 519.changed.md ├── 521.internal.md ├── 523.internal.md ├── 524.internal.md ├── 525.internal.md ├── 526.changed.md ├── 526.internal.md └── 527.internal.md ├── poetry.lock ├── poetry.toml ├── pyproject.toml ├── scripts ├── __init__.py ├── ansible-docker-deploy-to-values.sh ├── assemble_ci_values_files_from_fragments.sh ├── assemble_helm_charts_from_fragments.sh ├── check_newsfragment.sh ├── check_semver.py ├── checkov.sh ├── construct_helm_schema.py ├── construct_helm_values.py ├── ct-lint.sh ├── destroy_test_cluster.sh ├── generate-signing-key.py ├── set_chart_version.sh ├── setup_test_cluster.sh ├── spdx_checks.py ├── test_construct_helm_schema.py ├── testdata │ └── schema_construction │ │ ├── invalid_sub_schema1.json │ │ ├── invalid_sub_schema2.json │ │ ├── schema.json │ │ └── sub_schema1.json └── towncrier_to_helm_annotation.py └── tests ├── integration ├── __init__.py ├── artifacts │ ├── __init__.py │ ├── certs.py │ └── files │ │ ├── minimal.png │ │ └── minimal.png.license ├── conftest.py ├── env │ ├── element-web.rc │ ├── matrix-authentication-service-syn2mas.rc │ ├── matrix-authentication-service.rc │ ├── matrix-rtc-standalone.rc │ ├── matrix-rtc-synapse-wellknown.rc │ ├── synapse.rc │ └── well-known-delegation.rc ├── fixtures │ ├── __init__.py │ ├── ca.py │ ├── cluster.py │ ├── data.py │ ├── files │ │ ├── charts │ │ │ ├── cert-manager.yml │ │ │ ├── ingress-nginx.yml │ │ │ └── metrics-server.yml │ │ └── clusters │ │ │ ├── audit-policy.yml │ │ │ └── kind.yml │ ├── helm.py │ ├── matrix_tools.py │ └── 
users.py ├── lib │ ├── __init__.py │ ├── helpers.py │ ├── matrix_authentication_service.py │ ├── synapse.py │ └── utils.py ├── services │ └── __init__.py ├── test_element_call.py ├── test_element_web.py ├── test_matrix_authentication_service.py ├── test_networking.py ├── test_pods.py ├── test_syn2mas.py ├── test_synapse.py └── test_well_known_delegation.py └── manifests ├── __init__.py ├── conftest.py ├── test_annotations.py ├── test_basic.py ├── test_configs.py ├── test_configs_and_mounts_consistency.py ├── test_deployments.py ├── test_element_web.py ├── test_haproxy.py ├── test_ingresses.py ├── test_labels.py ├── test_manifest_test_infrastructure.py ├── test_matrix_authentication_service.py ├── test_matrix_rtc.py ├── test_pod_containers_ports.py ├── test_pod_env.py ├── test_pod_idempotency.py ├── test_pod_images.py ├── test_pod_probes.py ├── test_pod_pull_secrets.py ├── test_pod_resources.py ├── test_pod_securityContext.py ├── test_postgres.py ├── test_pvcs.py ├── test_secrets.py ├── test_service_monitors.py ├── test_serviceaccounts.py ├── test_services.py ├── test_statefulset.py ├── test_synapse.py ├── test_tolerations.py ├── test_topology_spread_constraints.py ├── test_volumes_mounts.py ├── test_well_known_delegation.py └── utils.py /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | # Copyright 2024 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | * @element-hq/server-products-developers 6 | -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | --- 5 | version: 2 6 | updates: 7 | - package-ecosystem: "github-actions" 8 | directory: "/" 9 | schedule: 10 | interval: "weekly" 11 | groups: 12 | minor-and-patches: 13 | applies-to: version-updates 14 | patterns: 15 | - 
"*" 16 | update-types: 17 | - "minor" 18 | - "patch" 19 | - package-ecosystem: "pip" 20 | directory: "/" 21 | schedule: 22 | interval: "weekly" 23 | groups: 24 | minor-and-patches: 25 | applies-to: version-updates 26 | patterns: 27 | - "*" 28 | update-types: 29 | - "minor" 30 | - "patch" 31 | - package-ecosystem: "gomod" 32 | directory: "/matrix-tools" 33 | schedule: 34 | interval: "weekly" 35 | groups: 36 | minor-and-patches: 37 | applies-to: version-updates 38 | patterns: 39 | - "*" 40 | update-types: 41 | - "minor" 42 | - "patch" 43 | -------------------------------------------------------------------------------- /.github/workflows/artifact-hub.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | name: Artifact Hub Metadata 6 | 7 | on: 8 | pull_request_target: 9 | push: 10 | branches: 11 | - main 12 | workflow_dispatch: 13 | 14 | jobs: 15 | artifact-hub: 16 | permissions: 17 | contents: read 18 | packages: write 19 | runs-on: ubuntu-latest 20 | steps: 21 | # This will push the OCI artifact only on merges 22 | # As the checkout will push the PR Target commit hash 23 | - name: Checkout 24 | uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 25 | 26 | - uses: oras-project/setup-oras@8d34698a59f5ffe24821f0b48ab62a3de8b64b20 # v1 27 | 28 | - name: ORAS Login 29 | env: 30 | ORAS_USERNAME: ${{ github.actor }} 31 | ORAS_PASSWORD: ${{ github.token }} 32 | run: | 33 | oras login ghcr.io -u "$ORAS_USERNAME" -p "$ORAS_PASSWORD" 34 | 35 | - name: Push artifact-hub 36 | env: 37 | GITHUB_REPOSITORY: ${{ github.repository }} 38 | run: | 39 | oras push \ 40 | "ghcr.io/${GITHUB_REPOSITORY}/matrix-stack:artifacthub.io" \ 41 | --config /dev/null:application/vnd.cncf.artifacthub.config.v1+yaml \ 42 | artifacthub-repo.yaml:application/vnd.cncf.artifacthub.repository-metadata.layer.v1.yaml 43 | 
-------------------------------------------------------------------------------- /.github/workflows/scripts-linting.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2024-2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | name: Scripts linting 6 | 7 | # NOTE(review): `pull_request_target` runs in the context of the base repository (its GITHUB_TOKEN and any repository secrets), yet both jobs below check out `${{ github.event.pull_request.head.sha }}` and then execute code from that ref (dependency install via setup-python-poetry, `ruff`, `pytest scripts`, `mypy`). # An untrusted fork PR therefore gets to run code with base-repository credentials, and no `permissions:` block is set, so the token keeps whatever the repository default is. # Nothing in this workflow needs write access or secrets: switch to the plain `pull_request` trigger (and drop the explicit `ref:`), or at the very least add a top-level `permissions: contents: read`. on: 8 | pull_request_target: 9 | push: 10 | branches: 11 | - main 12 | workflow_dispatch: 13 | 14 | jobs: 15 | shellcheck: 16 | runs-on: ubuntu-latest 17 | steps: 18 | - name: Checkout 19 | uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 20 | with: 21 | ref: ${{ github.event.pull_request.head.sha }} 22 | 23 | - name: Run ShellCheck 24 | run: shellcheck scripts/*.sh 25 | 26 | python: 27 | runs-on: ubuntu-latest 28 | steps: 29 | - name: Checkout 30 | uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 31 | with: 32 | ref: ${{ github.event.pull_request.head.sha }} 33 | 34 | - uses: matrix-org/setup-python-poetry@5bbf6603c5c930615ec8a29f1b5d7d258d905aa4 # v2 35 | with: 36 | poetry-version: "1.8.5" 37 | python-version: "3.x" 38 | 39 | - name: Load poetry path 40 | run: | 41 | echo "$(poetry env info -p)/bin" >> "${GITHUB_PATH}" 42 | 43 | - name: Run ruff check 44 | run: | 45 | ruff check 46 | 47 | - name: Run ruff format 48 | run: | 49 | ruff format --check 50 | 51 | - name: pytest scripts 52 | run: | 53 | pytest --version 54 | pytest scripts 55 | 56 | - name: mypy 57 | run: 58 | mypy tests 59 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Copyright 2024 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | __pycache__ 6 | .ca 7 | .venv 8 | *.tgz 9 | charts/*/user_values/*.yaml 10 | -------------------------------------------------------------------------------- /REUSE.toml: -------------------------------------------------------------------------------- 
1 | version = 1 2 | 3 | [[annotations]] 4 | path = "charts/**/Chart.lock" 5 | SPDX-FileCopyrightText = "Copyright 2024 New Vector Ltd" 6 | SPDX-License-Identifier = "AGPL-3.0-only" 7 | 8 | [[annotations]] 9 | path = "charts/**/*.json" 10 | SPDX-FileCopyrightText = "Copyright 2024 New Vector Ltd" 11 | SPDX-License-Identifier = "AGPL-3.0-only" 12 | 13 | [[annotations]] 14 | path = "poetry.lock" 15 | SPDX-FileCopyrightText = "Copyright 2024 New Vector Ltd" 16 | SPDX-License-Identifier = "AGPL-3.0-only" 17 | 18 | [[annotations]] 19 | path = "scripts/testdata/**/*.json" 20 | SPDX-FileCopyrightText = "Copyright 2024 New Vector Ltd" 21 | SPDX-License-Identifier = "AGPL-3.0-only" 22 | 23 | [[annotations]] 24 | path = "newsfragments/*.md" 25 | SPDX-FileCopyrightText = "Copyright 2025 New Vector Ltd" 26 | SPDX-License-Identifier = "AGPL-3.0-only" 27 | 28 | [[annotations]] 29 | path = "docs/assets/images/*.png" 30 | SPDX-FileCopyrightText = "Copyright 2025 New Vector Ltd" 31 | SPDX-License-Identifier = "AGPL-3.0-only" 32 | -------------------------------------------------------------------------------- /artifacthub-repo.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | repositoryID: 6a910e71-6940-45a6-9d63-07ec0080aa55 6 | owners: 7 | - name: Element Server Products Team 8 | email: onprem-support@element.io 9 | ignore: 10 | - name: matrix-stack 11 | version: "[0-9]+\\.[0-9]+\\.[0-9]+-(sha.+|dev)" 12 | -------------------------------------------------------------------------------- /charts/matrix-stack/.helmignore: -------------------------------------------------------------------------------- 1 | # Copyright 2024 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | .helmignore 6 | matrix-stack-*.tgz 7 | source/ 8 | sub_schemas/ 9 | user_values/ 10 | 
-------------------------------------------------------------------------------- /charts/matrix-stack/Chart.lock: -------------------------------------------------------------------------------- 1 | dependencies: [] 2 | digest: sha256:643d5437104296e21d906ecb15b2c96ad278f20cfc4af53b12bb6069bd853726 3 | generated: "2024-11-27T17:44:49.9172119+01:00" 4 | -------------------------------------------------------------------------------- /charts/matrix-stack/Chart.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2024-2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | apiVersion: v2 6 | name: matrix-stack 7 | description: A Helm meta-chart for deploying a Matrix Stack from Element 8 | type: application 9 | version: 25.6.1-dev 10 | dependencies: [] 11 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/element-web-checkov-values.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2024-2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | # 5 | # source_fragments: element-web-minimal.yaml element-web-checkov.yaml 6 | # DO NOT EDIT DIRECTLY. Edit the fragment files to add / modify / remove values 7 | 8 | # initSecrets, postgres don't have any required properties to be set and defaults to enabled 9 | elementWeb: 10 | annotations: 11 | checkov.io/skip1: CKV_K8S_11=We deliberately don't set CPU limits. 
Pod is BestEffort not Guaranteed 12 | checkov.io/skip2: CKV_K8S_43=No digests 13 | checkov.io/skip3: CKV2_K8S_6=No network policy yet 14 | ingress: 15 | host: element.ess.localhost 16 | matrixAuthenticationService: 17 | enabled: false 18 | matrixRTC: 19 | enabled: false 20 | synapse: 21 | enabled: false 22 | wellKnownDelegation: 23 | enabled: false 24 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/element-web-minimal-values.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2024-2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | # 5 | # source_fragments: element-web-minimal.yaml 6 | # DO NOT EDIT DIRECTLY. Edit the fragment files to add / modify / remove values 7 | 8 | # initSecrets, postgres don't have any required properties to be set and defaults to enabled 9 | elementWeb: 10 | ingress: 11 | host: element.ess.localhost 12 | matrixAuthenticationService: 13 | enabled: false 14 | matrixRTC: 15 | enabled: false 16 | synapse: 17 | enabled: false 18 | wellKnownDelegation: 19 | enabled: false 20 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/example-default-enabled-components-values.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2024-2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | # 5 | # source_fragments: element-web-minimal.yaml synapse-minimal.yaml matrix-authentication-service-minimal.yaml init-secrets-minimal.yaml postgres-minimal.yaml well-known-minimal.yaml 6 | # DO NOT EDIT DIRECTLY. 
Edit the fragment files to add / modify / remove values 7 | 8 | # initSecrets, postgres, wellKnownDelegation don't have any required properties to be set and defaults to enabled 9 | elementWeb: 10 | ingress: 11 | host: element.ess.localhost 12 | matrixAuthenticationService: 13 | ingress: 14 | host: mas.ess.localhost 15 | matrixRTC: 16 | enabled: false 17 | serverName: ess.localhost 18 | synapse: 19 | ingress: 20 | host: synapse.ess.localhost 21 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/deployment-markers-checkov.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | deploymentMarkers: 6 | annotations: 7 | checkov.io/skip1: CKV_K8S_11=We deliberately don't set CPU limits. Pod is BestEffort not Guaranteed 8 | checkov.io/skip2: CKV_K8S_43=No digests 9 | checkov.io/skip3: CKV2_K8S_6=No network policy yet 10 | checkov.io/skip4: CKV_K8S_38=The job needs a service account 11 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/deployment-markers-minimal.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/deployment-markers-pytest-extras.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | deploymentMarkers: 6 | annotations: 7 | has-no-service-monitor: "true" 8 | 9 | podSecurityContext: 10 | runAsGroup: 0 11 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/element-web-checkov.yaml: 
-------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | elementWeb: 6 | annotations: 7 | checkov.io/skip1: CKV_K8S_11=We deliberately don't set CPU limits. Pod is BestEffort not Guaranteed 8 | checkov.io/skip2: CKV_K8S_43=No digests 9 | checkov.io/skip3: CKV2_K8S_6=No network policy yet 10 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/element-web-minimal.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | elementWeb: 6 | enabled: true 7 | ingress: 8 | host: element.ess.localhost 9 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/element-web-pytest-extras.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | serverName: ess.localhost 6 | 7 | elementWeb: 8 | ingress: 9 | host: element.{{ $.Values.serverName }} 10 | tlsSecret: "{{ $.Release.Name }}-element-web-tls" 11 | 12 | replicas: 1 13 | 14 | annotations: 15 | has-no-service-monitor: "true" 16 | 17 | podSecurityContext: 18 | runAsGroup: 0 19 | 20 | additional: 21 | user-config.json: | 22 | { 23 | "default_server_config": { 24 | "m.homeserver": { 25 | "base_url": "https://synapse.{{ $.Values.serverName }}" 26 | } 27 | }, 28 | "some_key": { 29 | "some_value": "https://test.{{ $.Values.serverName }}" 30 | } 31 | } 32 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/haproxy-checkov.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: 
AGPL-3.0-only 4 | 5 | haproxy: 6 | annotations: 7 | checkov.io/skip1: CKV_K8S_11=We deliberately don't set CPU limits. Pod is BestEffort not Guaranteed 8 | checkov.io/skip2: CKV_K8S_43=No digests 9 | checkov.io/skip3: CKV2_K8S_6=No network policy yet 10 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/init-secrets-checkov.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | initSecrets: 6 | annotations: 7 | checkov.io/skip1: CKV_K8S_11=We deliberately don't set CPU limits. Pod is BestEffort not Guaranteed 8 | checkov.io/skip2: CKV_K8S_43=No digests 9 | checkov.io/skip3: CKV2_K8S_6=No network policy yet 10 | checkov.io/skip4: CKV_K8S_38=The job needs a service account 11 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/init-secrets-disabled.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | initSecrets: 6 | enabled: false -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/init-secrets-minimal.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/init-secrets-pytest-extras.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | initSecrets: 6 | annotations: 7 | has-no-service-monitor: "true" 8 | 9 | podSecurityContext: 10 | runAsGroup: 0 11 | 
-------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/matrix-authentication-service-additional-in-helm.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | matrixAuthenticationService: 6 | additional: 7 | example-value: 8 | config: | 9 | example: value 10 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/matrix-authentication-service-additional-secrets-externally.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | matrixAuthenticationService: 6 | additional: 7 | example-value: 8 | configSecret: "{{ $.Release.Name }}-mas-external" 9 | configSecretKey: config -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/matrix-authentication-service-checkov.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | matrixAuthenticationService: 6 | annotations: 7 | checkov.io/skip1: CKV_K8S_11=We deliberately don't set CPU limits. 
Pod is BestEffort not Guaranteed 8 | checkov.io/skip2: CKV_K8S_43=No digests 9 | checkov.io/skip3: CKV2_K8S_6=No network policy yet 10 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/matrix-authentication-service-external-synapse.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | matrixAuthenticationService: 6 | additional: 7 | 0000-matrix-server: 8 | config: | 9 | clients: 10 | - client_id: "0000000000000000000SYNAPSE" 11 | client_auth_method: client_secret_basic 12 | client_secret: CHANGEME-eiv6wae8shooPhie4ief8ru2egahbah0 13 | matrix: 14 | homeserver: "external.localhost" 15 | secret: jaix6Am9Shut7zeiduu7ua5maengag3o 16 | endpoint: https://syn.external.localhost 17 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/matrix-authentication-service-migrated-password-scheme.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | matrixAuthenticationService: 6 | additional: 7 | password-scheme.yml: 8 | config: | 9 | passwords: 10 | schemes: 11 | - version: 1 12 | algorithm: bcrypt 13 | - version: 2 14 | algorithm: argon2id 15 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/matrix-authentication-service-minimal.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | matrixAuthenticationService: 6 | enabled: true 7 | 8 | ingress: 9 | host: mas.ess.localhost 10 | -------------------------------------------------------------------------------- 
/charts/matrix-stack/ci/fragments/matrix-authentication-service-postgres-secrets-externally.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | matrixAuthenticationService: 6 | postgres: 7 | password: 8 | secret: "{{ $.Release.Name }}-mas-external" 9 | secretKey: postgresPassword 10 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/matrix-authentication-service-postgres-secrets-in-helm.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | matrixAuthenticationService: 6 | postgres: 7 | password: 8 | value: CHANGEME-ooWo6jeidahhei3Hae0eer9U 9 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/matrix-authentication-service-postgres.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | matrixAuthenticationService: 6 | postgres: 7 | host: postgres 8 | user: mas 9 | database: mas 10 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/matrix-authentication-service-pytest-extras.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | matrixAuthenticationService: 6 | extraEnv: 7 | - name: DEBUG_RENDERING 8 | value: "1" 9 | 10 | podSecurityContext: 11 | runAsGroup: 0 12 | 13 | ingress: 14 | tlsSecret: "{{ $.Release.Name }}-mas-web-tls" 15 | host: mas.{{ $.Values.serverName }} 16 | 17 | additional: 18 | 000-pytest-admin: 19 | configSecret: "{{ $.Release.Name }}-pytest-admin" 20 | 
configSecretKey: "admin.yaml" 21 | 22 | syn2mas: 23 | extraEnv: 24 | - name: DEBUG_RENDERING 25 | value: "1" 26 | 27 | postgres: 28 | podSecurityContext: 29 | runAsGroup: 0 30 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/matrix-authentication-service-secrets-externally.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | matrixAuthenticationService: 6 | 7 | synapseSharedSecret: 8 | secret: "{{ $.Release.Name }}-mas-external" 9 | secretKey: synapseShared 10 | 11 | synapseOIDCClientSecret: 12 | secret: "{{ $.Release.Name }}-mas-external" 13 | secretKey: synapseOIDC 14 | 15 | encryptionSecret: 16 | secret: "{{ $.Release.Name }}-mas-external" 17 | secretKey: encryption 18 | 19 | privateKeys: 20 | rsa: 21 | secret: "{{ $.Release.Name }}-mas-external" 22 | secretKey: keysRSA 23 | ecdsaPrime256v1: 24 | secret: "{{ $.Release.Name }}-mas-external" 25 | secretKey: keysEcdsaPrime256v1 26 | ecdsaSecp256k1: 27 | secret: "{{ $.Release.Name }}-mas-external" 28 | secretKey: keysEcdsaSecp256k1 29 | ecdsaSecp384r1: 30 | secret: "{{ $.Release.Name }}-mas-external" 31 | secretKey: keysEcdsaSecp384r1 32 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/matrix-authentication-service-syn2mas-dryrun.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | matrixAuthenticationService: 6 | syn2mas: 7 | enabled: true 8 | dryRun: true 9 | 10 | additional: 11 | password-scheme.yml: 12 | config: | 13 | passwords: 14 | schemes: 15 | - version: 1 16 | algorithm: bcrypt 17 | - version: 2 18 | algorithm: argon2id 19 | -------------------------------------------------------------------------------- 
/charts/matrix-stack/ci/fragments/matrix-authentication-service-syn2mas-migrate.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | matrixAuthenticationService: 6 | syn2mas: 7 | enabled: true 8 | dryRun: false 9 | 10 | additional: 11 | password-scheme.yml: 12 | config: | 13 | passwords: 14 | schemes: 15 | - version: 1 16 | algorithm: bcrypt 17 | - version: 2 18 | algorithm: argon2id 19 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/matrix-rtc-checkov.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | matrixRTC: 6 | annotations: 7 | checkov.io/skip1: CKV_K8S_11=We deliberately don't set CPU limits. Pod is BestEffort not Guaranteed 8 | checkov.io/skip2: CKV_K8S_43=No digests 9 | checkov.io/skip3: CKV2_K8S_6=No network policy yet 10 | sfu: 11 | annotations: 12 | checkov.io/skip1: CKV_K8S_11=We deliberately don't set CPU limits. 
Pod is BestEffort not Guaranteed 13 | checkov.io/skip2: CKV_K8S_43=No digests 14 | checkov.io/skip3: CKV2_K8S_6=No network policy yet 15 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/matrix-rtc-exposed-services.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | matrixRTC: 6 | sfu: 7 | exposedServices: 8 | rtcTcp: 9 | port: 33000 10 | rtcMuxedUdp: 11 | port: 33001 12 | rtcUdp: 13 | enabled: true 14 | portRange: 15 | startPort: 32500 16 | endPort: 32900 17 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/matrix-rtc-external-livekit-secrets-externally.yaml: -------------------------------------------------------------------------------- 1 | 2 | 3 | # Copyright 2025 New Vector Ltd 4 | # 5 | # SPDX-License-Identifier: AGPL-3.0-only 6 | 7 | matrixRTC: 8 | livekitAuth: 9 | keysYaml: 10 | secret: "{{ $.Release.Name }}-matrix-rtc-external" 11 | secretKey: keys.yaml 12 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/matrix-rtc-external-livekit-secrets-in-helm.yaml: -------------------------------------------------------------------------------- 1 | 2 | 3 | # Copyright 2025 New Vector Ltd 4 | # 5 | # SPDX-License-Identifier: AGPL-3.0-only 6 | 7 | matrixRTC: 8 | livekitAuth: 9 | keysYaml: 10 | value: | 11 | CHANGEME-ooShei6Aebe0mesheicooCoo8Juuceke: CHANGEME-deiv8au0poecheamusohZe7Fil9pogu4 12 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/matrix-rtc-external-livekit.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | matrixRTC: 6 | enabled: true 7 
| ingress: 8 | host: mrtc.ess.localhost 9 | 10 | extraEnv: 11 | - name: LIVEKIT_URL 12 | value: wss://demo.livekit.cloud 13 | 14 | sfu: 15 | enabled: false 16 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/matrix-rtc-host-mode.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | matrixRTC: 6 | sfu: 7 | hostNetwork: true 8 | exposedServices: 9 | rtcTcp: 10 | portType: HostPort 11 | rtcMuxedUdp: 12 | portType: HostPort 13 | rtcUdp: 14 | enabled: true 15 | portType: HostPort 16 | 17 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/matrix-rtc-minimal.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | matrixRTC: 6 | enabled: true 7 | ingress: 8 | host: mrtc.ess.localhost 9 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/matrix-rtc-pytest-extras.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | matrixRTC: 6 | ingress: 7 | host: mrtc.{{ $.Values.serverName }} 8 | tlsSecret: "{{ $.Release.Name }}-matrix-rtc-tls" 9 | extraEnv: 10 | - name: LIVEKIT_INSECURE_SKIP_VERIFY_TLS 11 | value: "YES_I_KNOW_WHAT_I_AM_DOING" 12 | sfu: 13 | extraEnv: 14 | - name: DEBUG_RENDERING 15 | value: "1" 16 | podSecurityContext: 17 | runAsGroup: 0 18 | podSecurityContext: 19 | runAsGroup: 0 20 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/matrix-rtc-secrets-externally.yaml: 
-------------------------------------------------------------------------------- 1 | 2 | # Copyright 2025 New Vector Ltd 3 | # 4 | # SPDX-License-Identifier: AGPL-3.0-only 5 | 6 | matrixRTC: 7 | livekitAuth: 8 | key: CHANGEME-oolahd9xooshohSh5IeQu1natheur1oo 9 | secret: 10 | secret: "{{ $.Release.Name }}-matrix-rtc-external" 11 | secretKey: livekitSecret 12 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/matrix-rtc-secrets-in-helm.yaml: -------------------------------------------------------------------------------- 1 | 2 | 3 | # Copyright 2025 New Vector Ltd 4 | # 5 | # SPDX-License-Identifier: AGPL-3.0-only 6 | 7 | matrixRTC: 8 | livekitAuth: 9 | key: CHANGEME-oolahd9xooshohSh5IeQu1natheur1oo 10 | secret: 11 | value: CHANGEME-gohseengahch9pheedi5OomeHea6maem 12 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/postgres-checkov.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | postgres: 6 | enabled: true 7 | annotations: 8 | checkov.io/skip1: CKV_K8S_11=We deliberately don't set CPU limits. 
Pod is BestEffort not Guaranteed 9 | checkov.io/skip2: CKV_K8S_43=No digests 10 | checkov.io/skip3: CKV2_K8S_6=No network policy yet 11 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/postgres-matrix-authentication-service-secrets-externally.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | postgres: 6 | essPasswords: 7 | matrixAuthenticationService: 8 | secret: "{{ $.Release.Name }}-pg-external" 9 | secretKey: masPasswordShared 10 | 11 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/postgres-matrix-authentication-service-secrets-in-helm.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | postgres: 6 | essPasswords: 7 | matrixAuthenticationService: 8 | value: CHANGEME-aiT7eisheim3Ojo3rongikuo1eiV3Ooh 9 | 10 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/postgres-minimal.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/postgres-secrets-externally.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | postgres: 6 | enabled: true 7 | 8 | adminPassword: 9 | secret: "{{ $.Release.Name }}-pg-external" 10 | secretKey: adminPasswordShared 11 | -------------------------------------------------------------------------------- 
/charts/matrix-stack/ci/fragments/postgres-secrets-in-helm.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | postgres: 6 | enabled: true 7 | 8 | adminPassword: 9 | value: CHANGEME-phiaPh8iu9tiivaiWahquaeg8ohcub4a 10 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/postgres-synapse-secrets-externally.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | postgres: 6 | essPasswords: 7 | synapse: 8 | secret: "{{ $.Release.Name }}-pg-external" 9 | secretKey: synapsePasswordShared 10 | 11 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/postgres-synapse-secrets-in-helm.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | postgres: 6 | essPasswords: 7 | synapse: 8 | value: CHANGEME-yuhaoshiupahmaGheiheiloJuone3aim 9 | 10 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/quick-setup-all-enabled.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | elementWeb: 6 | enabled: true 7 | 8 | matrixAuthenticationService: 9 | enabled: true 10 | 11 | matrixRTC: 12 | enabled: true 13 | 14 | synapse: 15 | enabled: true 16 | 17 | wellKnownDelegation: 18 | enabled: true 19 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/quick-setup-certificates.yaml: 
-------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | elementWeb: 6 | ingress: 7 | tlsSecret: ess-chat-certificate 8 | 9 | matrixAuthenticationService: 10 | ingress: 11 | tlsSecret: ess-auth-certificate 12 | 13 | matrixRTC: 14 | ingress: 15 | tlsSecret: ess-mrtc-certificate 16 | 17 | synapse: 18 | ingress: 19 | tlsSecret: ess-matrix-certificate 20 | 21 | wellKnownDelegation: 22 | ingress: 23 | tlsSecret: ess-well-knowncertificate 24 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/quick-setup-external-cert.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | ingress: 6 | tlsEnabled: false 7 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/quick-setup-hostnames.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2024-2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | elementWeb: 6 | ingress: 7 | host: chat.your.tld 8 | matrixAuthenticationService: 9 | ingress: 10 | host: account.your.tld 11 | matrixRTC: 12 | ingress: 13 | host: mrtc.your.tld 14 | serverName: your.tld 15 | synapse: 16 | ingress: 17 | host: matrix.your.tld 18 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/quick-setup-letsencrypt.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | certManager: 6 | clusterIssuer: letsencrypt-prod 7 | -------------------------------------------------------------------------------- 
/charts/matrix-stack/ci/fragments/quick-setup-postgresql.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | synapse: 6 | postgres: 7 | host: your-db-host.tld 8 | port: 5432 9 | user: your-synapse-user 10 | password: 11 | value: your-synapse-user-password 12 | database: your-synapse-database-name 13 | sslMode: prefer 14 | 15 | matrixAuthenticationService: 16 | postgres: 17 | host: your-db-host.tld 18 | port: 5432 19 | user: your-matrix-auth-service-user 20 | password: 21 | value: your-matrix-auth-service-user-password 22 | database: your-matrix-auth-service-database-name 23 | sslMode: prefer 24 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/quick-setup-wildcard-cert.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | ingress: 6 | tlsSecret: ess-certificate 7 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/synapse-additional-in-helm.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | synapse: 6 | additional: 7 | 00-userconfig.yaml: 8 | config: | 9 | push: 10 | jitter_dalay: 10 11 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/synapse-additional-secrets-externally.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | synapse: 6 | additional: 7 | 00-userconfig.yaml: 8 | configSecret: "{{ $.Release.Name }}-synapse-secrets" 9 | configSecretKey: 
"00-userconfig.yaml" 10 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/synapse-all-workers-running.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | synapse: 6 | workers: 7 | appservice: 8 | enabled: true 9 | background: 10 | enabled: true 11 | client-reader: 12 | enabled: true 13 | encryption: 14 | enabled: true 15 | event-creator: 16 | enabled: true 17 | event-persister: 18 | enabled: true 19 | replicas: 2 20 | federation-inbound: 21 | enabled: true 22 | federation-reader: 23 | enabled: true 24 | federation-sender: 25 | enabled: true 26 | initial-synchrotron: 27 | enabled: true 28 | media-repository: 29 | enabled: true 30 | presence-writer: 31 | enabled: true 32 | push-rules: 33 | enabled: true 34 | pusher: 35 | enabled: true 36 | replicas: 2 37 | receipts-account: 38 | enabled: true 39 | sliding-sync: 40 | enabled: true 41 | sso-login: 42 | enabled: true 43 | synchrotron: 44 | enabled: true 45 | typing-persister: 46 | enabled: true 47 | user-dir: 48 | enabled: true 49 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/synapse-checkov.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | synapse: 6 | checkConfigHook: 7 | annotations: 8 | checkov.io/skip1: CKV_K8S_11=We deliberately don't set CPU limits. Pod is BestEffort not Guaranteed 9 | checkov.io/skip2: CKV_K8S_43=No digests 10 | checkov.io/skip3: CKV2_K8S_6=No network policy yet 11 | 12 | annotations: 13 | checkov.io/skip1: CKV_K8S_11=We deliberately don't set CPU limits. 
Pod is BestEffort not Guaranteed 14 | checkov.io/skip2: CKV_K8S_43=No digests 15 | checkov.io/skip3: CKV2_K8S_6=No network policy yet 16 | 17 | redis: 18 | annotations: 19 | checkov.io/skip1: CKV_K8S_11=We deliberately don't set CPU limits. Pod is BestEffort not Guaranteed 20 | checkov.io/skip2: CKV_K8S_43=No digests 21 | checkov.io/skip3: CKV2_K8S_6=No network policy yet 22 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/synapse-ingress-additional-paths.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | synapse: 6 | ingress: 7 | additionalPaths: 8 | - path: /_matrix/identity 9 | availability: only_externally 10 | service: 11 | name: sydent 12 | port: 13 | number: 8080 14 | 15 | - path: /_synapse 16 | availability: blocked 17 | 18 | - path: /other 19 | availability: internally_and_externally 20 | service: 21 | name: something 22 | port: 23 | name: http 24 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/synapse-minimal.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | # 5 | # The secrets listed here are ones that `initSecrets` can't generate yet. 
6 | # Postgres details are also required but this fragment will be combined with 7 | # synapse-postgres-values.yaml or synapse-pytest-extra-values.yaml 8 | 9 | serverName: ess.localhost 10 | 11 | synapse: 12 | enabled: true 13 | ingress: 14 | host: synapse.ess.localhost 15 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/synapse-postgres-secrets-externally.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | synapse: 6 | postgres: 7 | password: 8 | secret: "{{ $.Release.Name }}-synapse-external" 9 | secretKey: postgresPassword 10 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/synapse-postgres-secrets-in-helm.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | synapse: 6 | postgres: 7 | password: 8 | value: CHANGEME-ooWo6jeidahhei3Hae0eer9U 9 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/synapse-postgres.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | synapse: 6 | postgres: 7 | host: ess-postgres 8 | user: synapse_user 9 | database: synapse 10 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/synapse-pytest-base-extras.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | synapse: 6 | ingress: 7 | host: synapse.{{ $.Values.serverName }} 8 | tlsSecret: "{{ $.Release.Name 
}}-synapse-web-tls" 9 | 10 | checkConfigHook: 11 | annotations: 12 | has-no-service-monitor: "true" 13 | 14 | redis: 15 | annotations: 16 | has-no-service-monitor: "true" 17 | 18 | podSecurityContext: 19 | runAsGroup: 0 20 | 21 | podSecurityContext: 22 | runAsGroup: 0 23 | 24 | extraArgs: 25 | # Validate that every Synapse config option with a `_path` equivalent uses it, so that secrets are not inlined in the rendered config 26 | - --no-secrets-in-config 27 | 28 | haproxy: 29 | podSecurityContext: 30 | runAsGroup: 0 31 | 32 | postgres: 33 | podSecurityContext: 34 | runAsGroup: 0 35 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/synapse-pytest-self-extras.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | synapse: 6 | additional: 7 | 00-userconfig.yaml: 8 | config: | 9 | push: 10 | jitter_dalay: 10 11 | 01-other-user-config.yaml: 12 | configSecret: "{{ $.Release.Name }}-synapse-secrets" 13 | configSecretKey: "01-other-user-config.yaml" 14 | 15 | extraEnv: 16 | - name: DEBUG_RENDERING 17 | value: "1" 18 | 19 | workers: 20 | # A non-HTTP worker & a stream writer 21 | event-persister: 22 | enabled: true 23 | # A standard HTTP worker 24 | sliding-sync: 25 | enabled: true 26 | # Media repo is fairly distinct from other workers 27 | media-repository: 28 | enabled: true 29 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/synapse-secrets-externally.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | synapse: 6 | registrationSharedSecret: 7 | secret: "{{ $.Release.Name }}-synapse-external" 8 | secretKey: registrationSharedSecret 9 | macaroon: 10 | secret: "{{ $.Release.Name }}-synapse-external" 11 | secretKey: macaroon 12 | signingKey: 13 | 
secret: "{{ $.Release.Name }}-synapse-external" 14 | secretKey: signingKey 15 | 16 | appservices: 17 | - secret: "{{ $.Release.Name }}-synapse-external" 18 | secretKey: bridge_registration.yaml 19 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/synapse-secrets-in-helm.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | synapse: 6 | registrationSharedSecret: 7 | value: CHANGEME-ooWo6jeidahhei3Hae0eer9U 8 | macaroon: 9 | value: CHANGEME-eek3Eigoh8ux8laeTingeej1 10 | signingKey: 11 | value: ed25519 0 bNQOzBUDszff7Ax81z6w0uZ1IPWoxYaazT7emaZEfpw 12 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/synapse-some-workers-running.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | synapse: 6 | workers: 7 | appservice: 8 | enabled: true 9 | client-reader: 10 | enabled: true 11 | event-persister: 12 | enabled: true 13 | federation-reader: 14 | enabled: true 15 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/well-known-minimal.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | serverName: ess.localhost 6 | 7 | wellKnownDelegation: 8 | enabled: true 9 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/fragments/well-known-pytest-extras.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | global: 6 | baseDomain: 
ess.localhost 7 | 8 | # To check that templating works against the ingress 9 | serverName: "{{ $.Values.global.baseDomain }}" 10 | 11 | ingress: 12 | controllerType: ingress-nginx 13 | 14 | wellKnownDelegation: 15 | ingress: 16 | tlsSecret: "{{ $.Release.Name }}-well-known-web-tls" 17 | baseDomainRedirect: 18 | url: "https://redirect.localhost/path" 19 | 20 | haproxy: 21 | podSecurityContext: 22 | runAsGroup: 0 23 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/matrix-authentication-service-external-synapse-values.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2024-2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | # 5 | # source_fragments: matrix-authentication-service-minimal.yaml matrix-authentication-service-external-synapse.yaml init-secrets-minimal.yaml postgres-minimal.yaml 6 | # DO NOT EDIT DIRECTLY. Edit the fragment files to add / modify / remove values 7 | 8 | # initSecrets, postgres do not have any required properties to be set and default to enabled 9 | elementWeb: 10 | enabled: false 11 | matrixAuthenticationService: 12 | additional: 13 | 0000-matrix-server: 14 | config: | 15 | clients: 16 | - client_id: "0000000000000000000SYNAPSE" 17 | client_auth_method: client_secret_basic 18 | client_secret: CHANGEME-eiv6wae8shooPhie4ief8ru2egahbah0 19 | matrix: 20 | homeserver: "external.localhost" 21 | secret: jaix6Am9Shut7zeiduu7ua5maengag3o 22 | endpoint: https://syn.external.localhost 23 | ingress: 24 | host: mas.ess.localhost 25 | matrixRTC: 26 | enabled: false 27 | synapse: 28 | enabled: false 29 | wellKnownDelegation: 30 | enabled: false 31 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/matrix-authentication-service-minimal-values.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2024-2025 New Vector Ltd 2 | 
# 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | # 5 | # source_fragments: matrix-authentication-service-minimal.yaml init-secrets-minimal.yaml postgres-minimal.yaml deployment-markers-minimal.yaml 6 | # DO NOT EDIT DIRECTLY. Edit the fragment files to add / modify / remove values 7 | 8 | # initSecrets, postgres don't have any required properties to be set and defaults to enabled 9 | elementWeb: 10 | enabled: false 11 | matrixAuthenticationService: 12 | ingress: 13 | host: mas.ess.localhost 14 | matrixRTC: 15 | enabled: false 16 | synapse: 17 | enabled: false 18 | wellKnownDelegation: 19 | enabled: false 20 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/matrix-rtc-checkov-values.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2024-2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | # 5 | # source_fragments: matrix-rtc-minimal.yaml matrix-rtc-checkov.yaml init-secrets-checkov.yaml 6 | # DO NOT EDIT DIRECTLY. Edit the fragment files to add / modify / remove values 7 | 8 | # postgres don't have any required properties to be set and defaults to enabled 9 | elementWeb: 10 | enabled: false 11 | initSecrets: 12 | annotations: 13 | checkov.io/skip1: CKV_K8S_11=We deliberately don't set CPU limits. Pod is BestEffort not Guaranteed 14 | checkov.io/skip2: CKV_K8S_43=No digests 15 | checkov.io/skip3: CKV2_K8S_6=No network policy yet 16 | checkov.io/skip4: CKV_K8S_38=The job needs a service account 17 | matrixAuthenticationService: 18 | enabled: false 19 | matrixRTC: 20 | annotations: 21 | checkov.io/skip1: CKV_K8S_11=We deliberately don't set CPU limits. Pod is BestEffort not Guaranteed 22 | checkov.io/skip2: CKV_K8S_43=No digests 23 | checkov.io/skip3: CKV2_K8S_6=No network policy yet 24 | ingress: 25 | host: mrtc.ess.localhost 26 | sfu: 27 | annotations: 28 | checkov.io/skip1: CKV_K8S_11=We deliberately don't set CPU limits. 
Pod is BestEffort not Guaranteed 29 | checkov.io/skip2: CKV_K8S_43=No digests 30 | checkov.io/skip3: CKV2_K8S_6=No network policy yet 31 | synapse: 32 | enabled: false 33 | wellKnownDelegation: 34 | enabled: false 35 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/matrix-rtc-exposed-services-values.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2024-2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | # 5 | # source_fragments: matrix-rtc-minimal.yaml matrix-rtc-exposed-services.yaml 6 | # DO NOT EDIT DIRECTLY. Edit the fragment files to add / modify / remove values 7 | 8 | # initSecrets, postgres don't have any required properties to be set and defaults to enabled 9 | elementWeb: 10 | enabled: false 11 | matrixAuthenticationService: 12 | enabled: false 13 | matrixRTC: 14 | ingress: 15 | host: mrtc.ess.localhost 16 | sfu: 17 | exposedServices: 18 | rtcMuxedUdp: 19 | port: 33001 20 | rtcTcp: 21 | port: 33000 22 | rtcUdp: 23 | enabled: true 24 | portRange: 25 | endPort: 32900 26 | startPort: 32500 27 | synapse: 28 | enabled: false 29 | wellKnownDelegation: 30 | enabled: false 31 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/matrix-rtc-external-livekit-secrets-externally-values.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2024-2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | # 5 | # source_fragments: matrix-rtc-minimal.yaml matrix-rtc-external-livekit.yaml matrix-rtc-external-livekit-secrets-externally.yaml 6 | # DO NOT EDIT DIRECTLY. 
Edit the fragment files to add / modify / remove values 7 | 8 | # initSecrets, postgres don't have any required properties to be set and defaults to enabled 9 | elementWeb: 10 | enabled: false 11 | matrixAuthenticationService: 12 | enabled: false 13 | matrixRTC: 14 | extraEnv: 15 | - name: LIVEKIT_URL 16 | value: wss://demo.livekit.cloud 17 | ingress: 18 | host: mrtc.ess.localhost 19 | livekitAuth: 20 | keysYaml: 21 | secret: '{{ $.Release.Name }}-matrix-rtc-external' 22 | secretKey: keys.yaml 23 | sfu: 24 | enabled: false 25 | synapse: 26 | enabled: false 27 | wellKnownDelegation: 28 | enabled: false 29 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/matrix-rtc-external-livekit-secrets-in-helm-values.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2024-2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | # 5 | # source_fragments: matrix-rtc-minimal.yaml matrix-rtc-external-livekit.yaml matrix-rtc-external-livekit-secrets-in-helm.yaml 6 | # DO NOT EDIT DIRECTLY. 
Edit the fragment files to add / modify / remove values 7 | 8 | # initSecrets, postgres don't have any required properties to be set and defaults to enabled 9 | elementWeb: 10 | enabled: false 11 | matrixAuthenticationService: 12 | enabled: false 13 | matrixRTC: 14 | extraEnv: 15 | - name: LIVEKIT_URL 16 | value: wss://demo.livekit.cloud 17 | ingress: 18 | host: mrtc.ess.localhost 19 | livekitAuth: 20 | keysYaml: 21 | value: | 22 | CHANGEME-ooShei6Aebe0mesheicooCoo8Juuceke: CHANGEME-deiv8au0poecheamusohZe7Fil9pogu4 23 | sfu: 24 | enabled: false 25 | synapse: 26 | enabled: false 27 | wellKnownDelegation: 28 | enabled: false 29 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/matrix-rtc-host-mode-values.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2024-2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | # 5 | # source_fragments: matrix-rtc-minimal.yaml matrix-rtc-host-mode.yaml 6 | # DO NOT EDIT DIRECTLY. 
Edit the fragment files to add / modify / remove values 7 | 8 | # initSecrets, postgres don't have any required properties to be set and defaults to enabled 9 | elementWeb: 10 | enabled: false 11 | matrixAuthenticationService: 12 | enabled: false 13 | matrixRTC: 14 | ingress: 15 | host: mrtc.ess.localhost 16 | sfu: 17 | exposedServices: 18 | rtcMuxedUdp: 19 | portType: HostPort 20 | rtcTcp: 21 | portType: HostPort 22 | rtcUdp: 23 | enabled: true 24 | portType: HostPort 25 | hostNetwork: true 26 | synapse: 27 | enabled: false 28 | wellKnownDelegation: 29 | enabled: false 30 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/matrix-rtc-minimal-values.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2024-2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | # 5 | # source_fragments: matrix-rtc-minimal.yaml 6 | # DO NOT EDIT DIRECTLY. Edit the fragment files to add / modify / remove values 7 | 8 | # initSecrets, postgres don't have any required properties to be set and defaults to enabled 9 | elementWeb: 10 | enabled: false 11 | matrixAuthenticationService: 12 | enabled: false 13 | matrixRTC: 14 | ingress: 15 | host: mrtc.ess.localhost 16 | synapse: 17 | enabled: false 18 | wellKnownDelegation: 19 | enabled: false 20 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/matrix-rtc-secrets-externally-values.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2024-2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | # 5 | # source_fragments: matrix-rtc-minimal.yaml matrix-rtc-secrets-externally.yaml 6 | # DO NOT EDIT DIRECTLY. 
Edit the fragment files to add / modify / remove values 7 | 8 | # initSecrets, postgres don't have any required properties to be set and defaults to enabled 9 | elementWeb: 10 | enabled: false 11 | matrixAuthenticationService: 12 | enabled: false 13 | matrixRTC: 14 | ingress: 15 | host: mrtc.ess.localhost 16 | livekitAuth: 17 | key: CHANGEME-oolahd9xooshohSh5IeQu1natheur1oo 18 | secret: 19 | secret: '{{ $.Release.Name }}-matrix-rtc-external' 20 | secretKey: livekitSecret 21 | synapse: 22 | enabled: false 23 | wellKnownDelegation: 24 | enabled: false 25 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/matrix-rtc-secrets-in-helm-values.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2024-2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | # 5 | # source_fragments: matrix-rtc-minimal.yaml matrix-rtc-secrets-in-helm.yaml 6 | # DO NOT EDIT DIRECTLY. Edit the fragment files to add / modify / remove values 7 | 8 | # initSecrets, postgres don't have any required properties to be set and defaults to enabled 9 | elementWeb: 10 | enabled: false 11 | matrixAuthenticationService: 12 | enabled: false 13 | matrixRTC: 14 | ingress: 15 | host: mrtc.ess.localhost 16 | livekitAuth: 17 | key: CHANGEME-oolahd9xooshohSh5IeQu1natheur1oo 18 | secret: 19 | value: CHANGEME-gohseengahch9pheedi5OomeHea6maem 20 | synapse: 21 | enabled: false 22 | wellKnownDelegation: 23 | enabled: false 24 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/nothing-enabled-values.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2024 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | matrixRTC: 6 | enabled: false 7 | 8 | elementWeb: 9 | enabled: false 10 | 11 | matrixAuthenticationService: 12 | enabled: false 13 | 14 | synapse: 15 | enabled: false 
16 | 17 | wellKnownDelegation: 18 | enabled: false 19 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/pytest-element-web-values.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2024-2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | # 5 | # source_fragments: element-web-minimal.yaml element-web-pytest-extras.yaml 6 | # DO NOT EDIT DIRECTLY. Edit the fragment files to add / modify / remove values 7 | 8 | # initSecrets, postgres don't have any required properties to be set and defaults to enabled 9 | elementWeb: 10 | additional: 11 | user-config.json: | 12 | { 13 | "default_server_config": { 14 | "m.homeserver": { 15 | "base_url": "https://synapse.{{ $.Values.serverName }}" 16 | } 17 | }, 18 | "some_key": { 19 | "some_value": "https://test.{{ $.Values.serverName }}" 20 | } 21 | } 22 | annotations: 23 | has-no-service-monitor: "true" 24 | ingress: 25 | host: element.{{ $.Values.serverName }} 26 | tlsSecret: '{{ $.Release.Name }}-element-web-tls' 27 | podSecurityContext: 28 | runAsGroup: 0 29 | replicas: 1 30 | matrixAuthenticationService: 31 | enabled: false 32 | matrixRTC: 33 | enabled: false 34 | serverName: ess.localhost 35 | synapse: 36 | enabled: false 37 | wellKnownDelegation: 38 | enabled: false 39 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/pytest-matrix-rtc-standalone-values.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2024-2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | # 5 | # source_fragments: matrix-rtc-minimal.yaml matrix-rtc-pytest-extras.yaml init-secrets-minimal.yaml init-secrets-pytest-extras.yaml 6 | # DO NOT EDIT DIRECTLY. 
Edit the fragment files to add / modify / remove values 7 | 8 | # postgres don't have any required properties to be set and defaults to enabled 9 | elementWeb: 10 | enabled: false 11 | initSecrets: 12 | annotations: 13 | has-no-service-monitor: "true" 14 | podSecurityContext: 15 | runAsGroup: 0 16 | matrixAuthenticationService: 17 | enabled: false 18 | matrixRTC: 19 | extraEnv: 20 | - name: LIVEKIT_INSECURE_SKIP_VERIFY_TLS 21 | value: YES_I_KNOW_WHAT_I_AM_DOING # NOTE(review): as the name says, this turns off TLS certificate verification towards LiveKit; it belongs only in this pytest fixture (self-signed test cluster) and must not be copied into production values, where it would make the SFU connection spoofable 22 | ingress: 23 | host: mrtc.{{ $.Values.serverName }} 24 | tlsSecret: '{{ $.Release.Name }}-matrix-rtc-tls' 25 | podSecurityContext: 26 | runAsGroup: 0 27 | sfu: 28 | extraEnv: 29 | - name: DEBUG_RENDERING 30 | value: "1" 31 | podSecurityContext: 32 | runAsGroup: 0 33 | synapse: 34 | enabled: false 35 | wellKnownDelegation: 36 | enabled: false 37 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/pytest-well-known-values.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2024-2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | # 5 | # source_fragments: well-known-minimal.yaml well-known-pytest-extras.yaml 6 | # DO NOT EDIT DIRECTLY. 
Edit the fragment files to add / modify / remove values 7 | 8 | # initSecrets, postgres don't have any required properties to be set and defaults to enabled 9 | elementWeb: 10 | enabled: false 11 | global: 12 | baseDomain: ess.localhost 13 | haproxy: 14 | podSecurityContext: 15 | runAsGroup: 0 16 | ingress: 17 | controllerType: ingress-nginx 18 | matrixAuthenticationService: 19 | enabled: false 20 | matrixRTC: 21 | enabled: false 22 | # To check that templating works against the ingress 23 | serverName: '{{ $.Values.global.baseDomain }}' 24 | synapse: 25 | enabled: false 26 | wellKnownDelegation: 27 | baseDomainRedirect: 28 | url: https://redirect.localhost/path 29 | ingress: 30 | tlsSecret: '{{ $.Release.Name }}-well-known-web-tls' 31 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/quick-setup-certificates-pg-external-values.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2024-2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | # 5 | # source_fragments: quick-setup-all-enabled.yaml quick-setup-hostnames.yaml quick-setup-certificates.yaml quick-setup-postgresql.yaml 6 | # DO NOT EDIT DIRECTLY. 
Edit the fragment files to add / modify / remove values 7 | 8 | # initSecrets, postgres don't have any required properties to be set and defaults to enabled 9 | elementWeb: 10 | ingress: 11 | host: chat.your.tld 12 | tlsSecret: ess-chat-certificate 13 | matrixAuthenticationService: 14 | ingress: 15 | host: account.your.tld 16 | tlsSecret: ess-auth-certificate 17 | postgres: 18 | database: your-matrix-auth-service-database-name 19 | host: your-db-host.tld 20 | password: 21 | value: your-matrix-auth-service-user-password 22 | port: 5432 23 | sslMode: prefer 24 | user: your-matrix-auth-service-user 25 | matrixRTC: 26 | ingress: 27 | host: mrtc.your.tld 28 | tlsSecret: ess-mrtc-certificate 29 | serverName: your.tld 30 | synapse: 31 | ingress: 32 | host: matrix.your.tld 33 | tlsSecret: ess-matrix-certificate 34 | postgres: 35 | database: your-synapse-database-name 36 | host: your-db-host.tld 37 | password: 38 | value: your-synapse-user-password 39 | port: 5432 40 | sslMode: prefer 41 | user: your-synapse-user 42 | wellKnownDelegation: 43 | ingress: 44 | tlsSecret: ess-well-knowncertificate 45 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/quick-setup-certificates-pg-with-helm-values.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2024-2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | # 5 | # source_fragments: quick-setup-all-enabled.yaml quick-setup-hostnames.yaml quick-setup-certificates.yaml 6 | # DO NOT EDIT DIRECTLY. 
Edit the fragment files to add / modify / remove values 7 | 8 | # initSecrets, postgres don't have any required properties to be set and defaults to enabled 9 | elementWeb: 10 | ingress: 11 | host: chat.your.tld 12 | tlsSecret: ess-chat-certificate 13 | matrixAuthenticationService: 14 | ingress: 15 | host: account.your.tld 16 | tlsSecret: ess-auth-certificate 17 | matrixRTC: 18 | ingress: 19 | host: mrtc.your.tld 20 | tlsSecret: ess-mrtc-certificate 21 | serverName: your.tld 22 | synapse: 23 | ingress: 24 | host: matrix.your.tld 25 | tlsSecret: ess-matrix-certificate 26 | wellKnownDelegation: 27 | ingress: 28 | tlsSecret: ess-well-knowncertificate 29 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/quick-setup-external-cert-pg-external-values.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2024-2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | # 5 | # source_fragments: quick-setup-all-enabled.yaml quick-setup-hostnames.yaml quick-setup-external-cert.yaml quick-setup-postgresql.yaml 6 | # DO NOT EDIT DIRECTLY. 
Edit the fragment files to add / modify / remove values 7 | 8 | # initSecrets, postgres, wellKnownDelegation don't have any required properties to be set and defaults to enabled 9 | elementWeb: 10 | ingress: 11 | host: chat.your.tld 12 | ingress: 13 | tlsEnabled: false 14 | matrixAuthenticationService: 15 | ingress: 16 | host: account.your.tld 17 | postgres: 18 | database: your-matrix-auth-service-database-name 19 | host: your-db-host.tld 20 | password: 21 | value: your-matrix-auth-service-user-password 22 | port: 5432 23 | sslMode: prefer 24 | user: your-matrix-auth-service-user 25 | matrixRTC: 26 | ingress: 27 | host: mrtc.your.tld 28 | serverName: your.tld 29 | synapse: 30 | ingress: 31 | host: matrix.your.tld 32 | postgres: 33 | database: your-synapse-database-name 34 | host: your-db-host.tld 35 | password: 36 | value: your-synapse-user-password 37 | port: 5432 38 | sslMode: prefer 39 | user: your-synapse-user 40 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/quick-setup-external-cert-pg-with-helm-values.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2024-2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | # 5 | # source_fragments: quick-setup-all-enabled.yaml quick-setup-hostnames.yaml quick-setup-external-cert.yaml 6 | # DO NOT EDIT DIRECTLY. 
Edit the fragment files to add / modify / remove values 7 | 8 | # initSecrets, postgres, wellKnownDelegation don't have any required properties to be set and defaults to enabled 9 | elementWeb: 10 | ingress: 11 | host: chat.your.tld 12 | ingress: 13 | tlsEnabled: false 14 | matrixAuthenticationService: 15 | ingress: 16 | host: account.your.tld 17 | matrixRTC: 18 | ingress: 19 | host: mrtc.your.tld 20 | serverName: your.tld 21 | synapse: 22 | ingress: 23 | host: matrix.your.tld 24 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/quick-setup-letsencrypt-pg-external-values.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2024-2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | # 5 | # source_fragments: quick-setup-all-enabled.yaml quick-setup-hostnames.yaml quick-setup-letsencrypt.yaml quick-setup-postgresql.yaml 6 | # DO NOT EDIT DIRECTLY. Edit the fragment files to add / modify / remove values 7 | 8 | # initSecrets, postgres, wellKnownDelegation don't have any required properties to be set and defaults to enabled 9 | certManager: 10 | clusterIssuer: letsencrypt-prod 11 | elementWeb: 12 | ingress: 13 | host: chat.your.tld 14 | matrixAuthenticationService: 15 | ingress: 16 | host: account.your.tld 17 | postgres: 18 | database: your-matrix-auth-service-database-name 19 | host: your-db-host.tld 20 | password: 21 | value: your-matrix-auth-service-user-password 22 | port: 5432 23 | sslMode: prefer 24 | user: your-matrix-auth-service-user 25 | matrixRTC: 26 | ingress: 27 | host: mrtc.your.tld 28 | serverName: your.tld 29 | synapse: 30 | ingress: 31 | host: matrix.your.tld 32 | postgres: 33 | database: your-synapse-database-name 34 | host: your-db-host.tld 35 | password: 36 | value: your-synapse-user-password 37 | port: 5432 38 | sslMode: prefer 39 | user: your-synapse-user 40 | 
-------------------------------------------------------------------------------- /charts/matrix-stack/ci/quick-setup-letsencrypt-pg-with-helm-values.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2024-2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | # 5 | # source_fragments: quick-setup-all-enabled.yaml quick-setup-hostnames.yaml quick-setup-letsencrypt.yaml 6 | # DO NOT EDIT DIRECTLY. Edit the fragment files to add / modify / remove values 7 | 8 | # initSecrets, postgres, wellKnownDelegation don't have any required properties to be set and defaults to enabled 9 | certManager: 10 | clusterIssuer: letsencrypt-prod 11 | elementWeb: 12 | ingress: 13 | host: chat.your.tld 14 | matrixAuthenticationService: 15 | ingress: 16 | host: account.your.tld 17 | matrixRTC: 18 | ingress: 19 | host: mrtc.your.tld 20 | serverName: your.tld 21 | synapse: 22 | ingress: 23 | host: matrix.your.tld 24 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/quick-setup-wildcard-cert-pg-external-values.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2024-2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | # 5 | # source_fragments: quick-setup-all-enabled.yaml quick-setup-hostnames.yaml quick-setup-wildcard-cert.yaml quick-setup-postgresql.yaml 6 | # DO NOT EDIT DIRECTLY. 
Edit the fragment files to add / modify / remove values 7 | 8 | # initSecrets, postgres, wellKnownDelegation don't have any required properties to be set and defaults to enabled 9 | elementWeb: 10 | ingress: 11 | host: chat.your.tld 12 | ingress: 13 | tlsSecret: ess-certificate 14 | matrixAuthenticationService: 15 | ingress: 16 | host: account.your.tld 17 | postgres: 18 | database: your-matrix-auth-service-database-name 19 | host: your-db-host.tld 20 | password: 21 | value: your-matrix-auth-service-user-password 22 | port: 5432 23 | sslMode: prefer 24 | user: your-matrix-auth-service-user 25 | matrixRTC: 26 | ingress: 27 | host: mrtc.your.tld 28 | serverName: your.tld 29 | synapse: 30 | ingress: 31 | host: matrix.your.tld 32 | postgres: 33 | database: your-synapse-database-name 34 | host: your-db-host.tld 35 | password: 36 | value: your-synapse-user-password 37 | port: 5432 38 | sslMode: prefer 39 | user: your-synapse-user 40 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/quick-setup-wildcard-cert-pg-with-helm-values.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2024-2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | # 5 | # source_fragments: quick-setup-all-enabled.yaml quick-setup-hostnames.yaml quick-setup-wildcard-cert.yaml 6 | # DO NOT EDIT DIRECTLY. 
Edit the fragment files to add / modify / remove values 7 | 8 | # initSecrets, postgres, wellKnownDelegation don't have any required properties to be set and defaults to enabled 9 | elementWeb: 10 | ingress: 11 | host: chat.your.tld 12 | ingress: 13 | tlsSecret: ess-certificate 14 | matrixAuthenticationService: 15 | ingress: 16 | host: account.your.tld 17 | matrixRTC: 18 | ingress: 19 | host: mrtc.your.tld 20 | serverName: your.tld 21 | synapse: 22 | ingress: 23 | host: matrix.your.tld 24 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/synapse-ingress-additional-paths-values.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2024-2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | # 5 | # source_fragments: synapse-minimal.yaml synapse-ingress-additional-paths.yaml init-secrets-minimal.yaml postgres-minimal.yaml 6 | # DO NOT EDIT DIRECTLY. Edit the fragment files to add / modify / remove values 7 | 8 | # initSecrets, postgres don't have any required properties to be set and defaults to enabled 9 | elementWeb: 10 | enabled: false 11 | matrixAuthenticationService: 12 | enabled: false 13 | matrixRTC: 14 | enabled: false 15 | serverName: ess.localhost 16 | synapse: 17 | ingress: 18 | additionalPaths: 19 | - availability: only_externally 20 | path: /_matrix/identity 21 | service: 22 | name: sydent 23 | port: 24 | number: 8080 25 | - availability: blocked 26 | path: /_synapse 27 | - availability: internally_and_externally 28 | path: /other 29 | service: 30 | name: something 31 | port: 32 | name: http 33 | host: synapse.ess.localhost 34 | wellKnownDelegation: 35 | enabled: false 36 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/synapse-minimal-values.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2024-2025 New Vector Ltd 2 | # 
3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | # 5 | # source_fragments: synapse-minimal.yaml init-secrets-minimal.yaml postgres-minimal.yaml deployment-markers-minimal.yaml 6 | # DO NOT EDIT DIRECTLY. Edit the fragment files to add / modify / remove values 7 | 8 | # initSecrets, postgres don't have any required properties to be set and defaults to enabled 9 | elementWeb: 10 | enabled: false 11 | matrixAuthenticationService: 12 | enabled: false 13 | matrixRTC: 14 | enabled: false 15 | serverName: ess.localhost 16 | synapse: 17 | ingress: 18 | host: synapse.ess.localhost 19 | wellKnownDelegation: 20 | enabled: false 21 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/synapse-postgres-secrets-externally-values.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2024-2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | # 5 | # source_fragments: synapse-minimal.yaml synapse-secrets-externally.yaml postgres-secrets-externally.yaml postgres-synapse-secrets-externally.yaml init-secrets-disabled.yaml 6 | # DO NOT EDIT DIRECTLY. 
Edit the fragment files to add / modify / remove values 7 | 8 | elementWeb: 9 | enabled: false 10 | initSecrets: 11 | enabled: false 12 | matrixAuthenticationService: 13 | enabled: false 14 | matrixRTC: 15 | enabled: false 16 | postgres: 17 | adminPassword: 18 | secret: '{{ $.Release.Name }}-pg-external' 19 | secretKey: adminPasswordShared 20 | essPasswords: 21 | synapse: 22 | secret: '{{ $.Release.Name }}-pg-external' 23 | secretKey: synapsePasswordShared 24 | serverName: ess.localhost 25 | synapse: 26 | appservices: 27 | - secret: '{{ $.Release.Name }}-synapse-external' 28 | secretKey: bridge_registration.yaml 29 | ingress: 30 | host: synapse.ess.localhost 31 | macaroon: 32 | secret: '{{ $.Release.Name }}-synapse-external' 33 | secretKey: macaroon 34 | registrationSharedSecret: 35 | secret: '{{ $.Release.Name }}-synapse-external' 36 | secretKey: registrationSharedSecret 37 | signingKey: 38 | secret: '{{ $.Release.Name }}-synapse-external' 39 | secretKey: signingKey 40 | wellKnownDelegation: 41 | enabled: false 42 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/synapse-postgres-secrets-in-helm-values.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2024-2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | # 5 | # source_fragments: synapse-minimal.yaml synapse-secrets-in-helm.yaml postgres-secrets-in-helm.yaml postgres-synapse-secrets-in-helm.yaml init-secrets-disabled.yaml 6 | # DO NOT EDIT DIRECTLY. 
Edit the fragment files to add / modify / remove values 7 | 8 | elementWeb: 9 | enabled: false 10 | initSecrets: 11 | enabled: false 12 | matrixAuthenticationService: 13 | enabled: false 14 | matrixRTC: 15 | enabled: false 16 | postgres: 17 | adminPassword: 18 | value: CHANGEME-phiaPh8iu9tiivaiWahquaeg8ohcub4a 19 | essPasswords: 20 | synapse: 21 | value: CHANGEME-yuhaoshiupahmaGheiheiloJuone3aim 22 | serverName: ess.localhost 23 | synapse: 24 | ingress: 25 | host: synapse.ess.localhost 26 | macaroon: 27 | value: CHANGEME-eek3Eigoh8ux8laeTingeej1 28 | registrationSharedSecret: 29 | value: CHANGEME-ooWo6jeidahhei3Hae0eer9U 30 | signingKey: 31 | value: ed25519 0 bNQOzBUDszff7Ax81z6w0uZ1IPWoxYaazT7emaZEfpw 32 | wellKnownDelegation: 33 | enabled: false 34 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/synapse-secrets-in-helm-values.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2024-2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | # 5 | # source_fragments: synapse-minimal.yaml synapse-postgres.yaml synapse-additional-in-helm.yaml synapse-postgres-secrets-in-helm.yaml synapse-secrets-in-helm.yaml 6 | # DO NOT EDIT DIRECTLY. 
Edit the fragment files to add / modify / remove values 7 | 8 | # initSecrets, postgres don't have any required properties to be set and defaults to enabled 9 | elementWeb: 10 | enabled: false 11 | matrixAuthenticationService: 12 | enabled: false 13 | matrixRTC: 14 | enabled: false 15 | serverName: ess.localhost 16 | synapse: 17 | additional: 18 | 00-userconfig.yaml: 19 | config: | 20 | push: 21 | jitter_dalay: 10 22 | ingress: 23 | host: synapse.ess.localhost 24 | macaroon: 25 | value: CHANGEME-eek3Eigoh8ux8laeTingeej1 26 | postgres: 27 | database: synapse 28 | host: ess-postgres 29 | password: 30 | value: CHANGEME-ooWo6jeidahhei3Hae0eer9U 31 | user: synapse_user 32 | registrationSharedSecret: 33 | value: CHANGEME-ooWo6jeidahhei3Hae0eer9U 34 | signingKey: 35 | value: ed25519 0 bNQOzBUDszff7Ax81z6w0uZ1IPWoxYaazT7emaZEfpw 36 | wellKnownDelegation: 37 | enabled: false 38 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/test-cluster-mixin.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2024 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | # This value file is not complete on its own. 6 | # It is a mixin to be used with other values file to enable 7 | # usage of the test cluster 8 | 9 | certManager: 10 | clusterIssuer: ess-selfsigned 11 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/well-known-checkov-values.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2024-2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | # 5 | # source_fragments: well-known-minimal.yaml haproxy-checkov.yaml 6 | # DO NOT EDIT DIRECTLY. 
Edit the fragment files to add / modify / remove values 7 | 8 | # initSecrets, postgres, wellKnownDelegation don't have any required properties to be set and defaults to enabled 9 | elementWeb: 10 | enabled: false 11 | haproxy: 12 | annotations: 13 | checkov.io/skip1: CKV_K8S_11=We deliberately don't set CPU limits. Pod is BestEffort not Guaranteed 14 | checkov.io/skip2: CKV_K8S_43=No digests 15 | checkov.io/skip3: CKV2_K8S_6=No network policy yet 16 | matrixAuthenticationService: 17 | enabled: false 18 | matrixRTC: 19 | enabled: false 20 | serverName: ess.localhost 21 | synapse: 22 | enabled: false 23 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/well-known-element-web-values.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2024-2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | # 5 | # source_fragments: well-known-minimal.yaml element-web-minimal.yaml init-secrets-minimal.yaml postgres-minimal.yaml 6 | # DO NOT EDIT DIRECTLY. Edit the fragment files to add / modify / remove values 7 | 8 | # initSecrets, postgres, wellKnownDelegation don't have any required properties to be set and defaults to enabled 9 | elementWeb: 10 | ingress: 11 | host: element.ess.localhost 12 | matrixAuthenticationService: 13 | enabled: false 14 | matrixRTC: 15 | enabled: false 16 | serverName: ess.localhost 17 | synapse: 18 | enabled: false 19 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/well-known-mas-values.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2024-2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | # 5 | # source_fragments: well-known-minimal.yaml matrix-authentication-service-minimal.yaml init-secrets-minimal.yaml postgres-minimal.yaml 6 | # DO NOT EDIT DIRECTLY. 
Edit the fragment files to add / modify / remove values 7 | 8 | # initSecrets, postgres, wellKnownDelegation don't have any required properties to be set and defaults to enabled 9 | elementWeb: 10 | enabled: false 11 | matrixAuthenticationService: 12 | ingress: 13 | host: mas.ess.localhost 14 | matrixRTC: 15 | enabled: false 16 | serverName: ess.localhost 17 | synapse: 18 | enabled: false 19 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/well-known-minimal-values.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2024-2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | # 5 | # source_fragments: well-known-minimal.yaml init-secrets-disabled.yaml 6 | # DO NOT EDIT DIRECTLY. Edit the fragment files to add / modify / remove values 7 | 8 | # postgres, wellKnownDelegation don't have any required properties to be set and defaults to enabled 9 | elementWeb: 10 | enabled: false 11 | initSecrets: 12 | enabled: false 13 | matrixAuthenticationService: 14 | enabled: false 15 | matrixRTC: 16 | enabled: false 17 | serverName: ess.localhost 18 | synapse: 19 | enabled: false 20 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/well-known-synapse-mas-values.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2024-2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | # 5 | # source_fragments: well-known-minimal.yaml synapse-minimal.yaml matrix-authentication-service-minimal.yaml init-secrets-minimal.yaml postgres-minimal.yaml 6 | # DO NOT EDIT DIRECTLY. 
Edit the fragment files to add / modify / remove values 7 | 8 | # initSecrets, postgres, wellKnownDelegation don't have any required properties to be set and defaults to enabled 9 | elementWeb: 10 | enabled: false 11 | matrixAuthenticationService: 12 | ingress: 13 | host: mas.ess.localhost 14 | matrixRTC: 15 | enabled: false 16 | serverName: ess.localhost 17 | synapse: 18 | ingress: 19 | host: synapse.ess.localhost 20 | -------------------------------------------------------------------------------- /charts/matrix-stack/ci/well-known-synapse-values.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2024-2025 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | # 5 | # source_fragments: well-known-minimal.yaml synapse-minimal.yaml init-secrets-minimal.yaml postgres-minimal.yaml 6 | # DO NOT EDIT DIRECTLY. Edit the fragment files to add / modify / remove values 7 | 8 | # initSecrets, postgres, wellKnownDelegation don't have any required properties to be set and defaults to enabled 9 | elementWeb: 10 | enabled: false 11 | matrixAuthenticationService: 12 | enabled: false 13 | matrixRTC: 14 | enabled: false 15 | serverName: ess.localhost 16 | synapse: 17 | ingress: 18 | host: synapse.ess.localhost 19 | -------------------------------------------------------------------------------- /charts/matrix-stack/configs/element-web/http_customisations.conf: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # SPDX-License-Identifier: AGPL-3.0-only 3 | 4 | server_tokens off; 5 | # NOTE(review): 0.0.0.0/0 makes nginx honour X-Forwarded-For from any peer, so the recorded client address is only as trustworthy as whatever sits in front of this pod; narrow this to the ingress/proxy CIDR if that address feeds logs, rate limits or access decisions. 6 | set_real_ip_from 0.0.0.0/0; 7 | real_ip_header X-Forwarded-For; 8 | -------------------------------------------------------------------------------- /charts/matrix-stack/configs/element-web/security_headers.conf: -------------------------------------------------------------------------------- 1 | # Copyright 2025 New Vector Ltd 2 | # SPDX-License-Identifier: 
AGPL-3.0-only 3 | 4 | add_header Content-Security-Policy "frame-ancestors 'self'"; 5 | add_header X-Content-Type-Options nosniff; 6 | add_header X-Frame-Options SAMEORIGIN; 7 | add_header X-Robots-Tag "noindex, nofollow, noarchive, noimageindex"; 8 | add_header X-XSS-Protection "1; mode=block"; 9 | -------------------------------------------------------------------------------- /charts/matrix-stack/configs/haproxy/429.http.tpl: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2024 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | HTTP/1.0 429 Too Many Requests 8 | Cache-Control: no-cache 9 | Connection: close 10 | Content-Type: application/json 11 | access-control-allow-origin: * 12 | access-control-allow-methods: GET, POST, PUT, DELETE, OPTIONS 13 | access-control-allow-headers: Origin, X-Requested-With, Content-Type, Accept, Authorization 14 | 15 | {"errcode":"M_UNKNOWN","error":"Server is unavailable"} 16 | -------------------------------------------------------------------------------- /charts/matrix-stack/configs/matrix-rtc/sfu/keys-template.yaml.tpl: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2024 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | ${LIVEKIT_KEY}: ${LIVEKIT_SECRET} 8 | -------------------------------------------------------------------------------- /charts/matrix-stack/configs/synapse/path_map_file.tpl: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2025 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- $root := .root -}} 8 | 9 | # A map file that is used in haproxy config to map from matrix paths to the 10 | # named backend. 
The format is: path_regexp backend_name 11 | 12 | {{ $enabledWorkerTypes := keys ((include "element-io.synapse.enabledWorkers" (dict "root" $root)) | fromJson) }} 13 | {{- range $workerType := $enabledWorkerTypes | sortAlpha }} 14 | {{- $workersPaths := (include "element-io.synapse.process.workerPaths" (dict "root" $root "context" (dict "workerType" $workerType "enabledWorkerTypes" $enabledWorkerTypes))) | fromJsonArray }} 15 | {{- if len $workersPaths }} 16 | # {{ $workerType }} 17 | {{- range $path := $workersPaths }} 18 | {{ $path }} {{ $workerType }} 19 | {{- end }} 20 | {{- end }} 21 | {{- end }} 22 | -------------------------------------------------------------------------------- /charts/matrix-stack/configs/synapse/path_map_file_get.tpl: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2025 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- $root := .root -}} 8 | 9 | # A map file that is used in haproxy config to map from matrix paths to the 10 | # named backend. 
The format is: path_regexp backend_name 11 | {{ if dig "client-reader" "enabled" false $root.Values.synapse.workers }} 12 | ^/_matrix/client/(api/v1|r0|v3|unstable)/pushrules/ client-reader 13 | ^/_matrix/client/unstable/org.matrix.msc4140/delayed_events client-reader 14 | ^/_matrix/client/(api/v1|r0|v3|unstable)/devices/ client-reader 15 | {{- end }} 16 | {{ if dig "sso-login" "enabled" false $root.Values.synapse.workers }} 17 | {{- if (and $root.Values.matrixAuthenticationService.enabled (not $root.Values.matrixAuthenticationService.preMigrationSynapseHandlesAuth)) }} 18 | ^/_synapse/admin/v1/users/[^/]+/devices$ sso-login 19 | {{- end }} 20 | {{- end }} 21 | -------------------------------------------------------------------------------- /charts/matrix-stack/configs/synapse/synapse-01-shared-underrides.yaml.tpl: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2025 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- $root := .root -}} 8 | report_stats: false 9 | 10 | require_auth_for_profile_requests: true 11 | 12 | {{- if $root.Values.matrixRTC.enabled }} 13 | # The maximum allowed duration by which sent events can be delayed, as 14 | # per MSC4140. 
15 | max_event_delay_duration: 24h 16 | 17 | rc_message: 18 | # This needs to match at least e2ee key sharing frequency plus a bit of headroom 19 | # Note key sharing events are bursty 20 | per_second: 0.5 21 | burst_count: 30 22 | 23 | rc_delayed_event_mgmt: 24 | # This needs to match at least the heart-beat frequency plus a bit of headroom 25 | # Currently the heart-beat is every 5 seconds which translates into a rate of 0.2s 26 | per_second: 1 27 | burst_count: 20 28 | {{- end }} 29 | -------------------------------------------------------------------------------- /charts/matrix-stack/configs/synapse/synapse-log-config.yaml.tpl: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2025 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- $root := .root -}} 8 | version: 1 9 | 10 | formatters: 11 | precise: 12 | format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s' 13 | 14 | handlers: 15 | console: 16 | class: logging.StreamHandler 17 | formatter: precise 18 | 19 | loggers: 20 | {{- /* 21 | Increasing synapse.storage.SQL past INFO will log access tokens. Putting in the values default will mean it gets 22 | nuked if an override is set and then if the root level is increased to debug, the access tokens will be logged. 23 | Putting here means it is an explicit customer choice to override it. 
24 | */}} 25 | {{- range $logger, $level := mustMergeOverwrite (dict "synapse.storage.SQL" "INFO") $root.Values.synapse.logging.levelOverrides }} 26 | {{ $logger }}: 27 | level: "{{ $level }}" 28 | {{- end }} 29 | 30 | root: 31 | level: "{{ $root.Values.synapse.logging.rootLevel }}" 32 | handlers: 33 | - console 34 | 35 | disable_existing_loggers: false 36 | -------------------------------------------------------------------------------- /charts/matrix-stack/source/common/additional.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "object", 3 | "additionalProperties": { 4 | "type": "object", 5 | "anyOf": [ 6 | { 7 | "required": [] 8 | }, 9 | { 10 | "required": [ 11 | "config" 12 | ] 13 | }, 14 | { 15 | "required": [ 16 | "configSecret", 17 | "configSecretKey" 18 | ] 19 | } 20 | ], 21 | "properties": { 22 | "properties": { 23 | "config": { 24 | "type": "string" 25 | }, 26 | "configSecret": { 27 | "type": "string" 28 | }, 29 | "configSecretKey": { 30 | "type": "string" 31 | } 32 | } 33 | } 34 | } 35 | } 36 | -------------------------------------------------------------------------------- /charts/matrix-stack/source/common/containersSecurityContext.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "allowPrivilegeEscalation": { 4 | "type": "boolean" 5 | }, 6 | "capabilities": { 7 | "properties": { 8 | "add": { 9 | "items": { 10 | "type": "string" 11 | }, 12 | "type": "array" 13 | }, 14 | "drop": { 15 | "items": { 16 | "type": "string" 17 | }, 18 | "type": "array" 19 | } 20 | }, 21 | "type": "object" 22 | }, 23 | "readOnlyRootFilesystem": { 24 | "type": "boolean" 25 | }, 26 | "seccompProfile": { 27 | "properties": { 28 | "localhostProfile": { 29 | "type": "string" 30 | }, 31 | "type": { 32 | "enum": [ 33 | "RuntimeDefault", 34 | "Unconfined", 35 | "Localhost" 36 | ], 37 | "type": "string" 38 | } 39 | }, 40 | "type": "object" 41 | } 42 | }, 43 | 
"type": "object" 44 | } 45 | -------------------------------------------------------------------------------- /charts/matrix-stack/source/common/credential.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "object", 3 | "properties": { 4 | "value": { 5 | "type": "string" 6 | }, 7 | "secret": { 8 | "type": "string" 9 | }, 10 | "secretKey": { 11 | "type": "string" 12 | } 13 | } 14 | } 15 | -------------------------------------------------------------------------------- /charts/matrix-stack/source/common/exposedServicePort.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "object", 3 | "required": [ 4 | "enabled", 5 | "portType", 6 | "port" 7 | ], 8 | "properties": { 9 | "enabled": { 10 | "type": "boolean" 11 | }, 12 | "portType": { 13 | "type": "string" 14 | }, 15 | "port": { 16 | "type": "number" 17 | } 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /charts/matrix-stack/source/common/exposedServicePortRange.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "object", 3 | "required": [ 4 | "enabled", 5 | "portType", 6 | "portRange" 7 | ], 8 | "properties": { 9 | "enabled": { 10 | "type": "boolean" 11 | }, 12 | "portType": { 13 | "type": "string" 14 | }, 15 | "portRange": { 16 | "type": "object", 17 | "required": [ 18 | "startPort", 19 | "endPort" 20 | ], 21 | "properties": { 22 | "startPort": { 23 | "type": "number" 24 | }, 25 | "endPort": { 26 | "type": "number" 27 | } 28 | } 29 | } 30 | } 31 | } 32 | -------------------------------------------------------------------------------- /charts/matrix-stack/source/common/extraEnv.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "array", 3 | "items": { 4 | "type": "object", 5 | "required": [ 6 | "name", 7 | "value" 8 | ], 9 | "properties": { 10 | "name": 
{ 11 | "type": "string" 12 | }, 13 | "value": { 14 | "type": "string" 15 | } 16 | } 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /charts/matrix-stack/source/common/global.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "object", 3 | "additionalProperties": true 4 | } 5 | -------------------------------------------------------------------------------- /charts/matrix-stack/source/common/hostAliases.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "array", 3 | "items": { 4 | "type": "object", 5 | "properties": { 6 | "ip": { 7 | "type": "string" 8 | }, 9 | "hostnames": { 10 | "type": "array", 11 | "items": { 12 | "type": "string" 13 | } 14 | } 15 | } 16 | } 17 | } 18 | -------------------------------------------------------------------------------- /charts/matrix-stack/source/common/image.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "object", 3 | "required": [ 4 | "repository" 5 | ], 6 | "oneOf": [ 7 | { 8 | "required": [ 9 | "tag", 10 | "digest" 11 | ] 12 | }, 13 | { 14 | "required": [ 15 | "digest" 16 | ], 17 | "not": { 18 | "required": [ 19 | "tag" 20 | ] 21 | } 22 | }, 23 | { 24 | "required": [ 25 | "tag" 26 | ], 27 | "not": { 28 | "required": [ 29 | "digest" 30 | ] 31 | } 32 | } 33 | ], 34 | "properties": { 35 | "registry": { 36 | "type": "string" 37 | }, 38 | "repository": { 39 | "type": "string" 40 | }, 41 | "tag": { 42 | "type": [ 43 | "string", 44 | "null" 45 | ] 46 | }, 47 | "digest": { 48 | "type": [ 49 | "string", 50 | "null" 51 | ] 52 | }, 53 | "pullPolicy": { 54 | "type": "string", 55 | "enum": [ 56 | "Always", 57 | "IfNotPresent", 58 | "Never" 59 | ] 60 | }, 61 | "pullSecrets": { 62 | "type": "array", 63 | "items": { 64 | "type": "object", 65 | "properties": { 66 | "name": { 67 | "type": "string" 68 | } 69 | } 70 | } 71 | } 72 | } 
73 | } 74 | -------------------------------------------------------------------------------- /charts/matrix-stack/source/common/ingress.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "object", 3 | "properties": { 4 | "annotations": { 5 | "type": "object", 6 | "additionalProperties": { 7 | "type": [ 8 | "string", 9 | "null" 10 | ] 11 | } 12 | }, 13 | "host": { 14 | "type": "string" 15 | }, 16 | "className": { 17 | "type": "string" 18 | }, 19 | "tlsEnabled": { 20 | "type": "boolean" 21 | }, 22 | "tlsSecret": { 23 | "type": "string" 24 | }, 25 | "controllerType": { 26 | "type": "string", 27 | "enum": [ 28 | "ingress-nginx" 29 | ] 30 | }, 31 | "service": { 32 | "type": "object", 33 | "properties": { 34 | "type": { 35 | "type": "string", 36 | "enum": [ 37 | "ClusterIP", 38 | "NodePort", 39 | "LoadBalancer" 40 | ] 41 | } 42 | } 43 | } 44 | } 45 | } 46 | -------------------------------------------------------------------------------- /charts/matrix-stack/source/common/ingress_global.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "object", 3 | "properties": { 4 | "annotations": { 5 | "type": "object", 6 | "additionalProperties": { 7 | "type": "string" 8 | } 9 | }, 10 | "className": { 11 | "type": "string" 12 | }, 13 | "tlsEnabled": { 14 | "type": "boolean" 15 | }, 16 | "tlsSecret": { 17 | "type": "string" 18 | }, 19 | "controllerType": { 20 | "type": "string", 21 | "enum": [ 22 | "ingress-nginx" 23 | ] 24 | }, 25 | "service": { 26 | "type": "object", 27 | "required": [ 28 | "type" 29 | ], 30 | "properties": { 31 | "type": { 32 | "type": "string", 33 | "enum": [ 34 | "ClusterIP", 35 | "NodePort", 36 | "LoadBalancer" 37 | ] 38 | } 39 | } 40 | } 41 | } 42 | } 43 | -------------------------------------------------------------------------------- /charts/matrix-stack/source/common/ingress_without_host.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "type": "object", 3 | "properties": { 4 | "annotations": { 5 | "type": "object", 6 | "additionalProperties": { 7 | "type": [ 8 | "string", 9 | "null" 10 | ] 11 | } 12 | }, 13 | "className": { 14 | "type": "string" 15 | }, 16 | "tlsEnabled": { 17 | "type": "boolean" 18 | }, 19 | "tlsSecret": { 20 | "type": "string" 21 | }, 22 | "controllerType": { 23 | "type": "string", 24 | "enum": [ 25 | "ingress-nginx" 26 | ] 27 | }, 28 | "service": { 29 | "type": "object", 30 | "properties": { 31 | "type": { 32 | "type": "string", 33 | "enum": [ 34 | "ClusterIP", 35 | "NodePort", 36 | "LoadBalancer" 37 | ] 38 | } 39 | } 40 | } 41 | } 42 | } 43 | -------------------------------------------------------------------------------- /charts/matrix-stack/source/common/labelSelector.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "object", 3 | "properties": { 4 | "matchExpressions": { 5 | "type": "array", 6 | "items": { 7 | "type": "object", 8 | "required": [ 9 | "key", 10 | "operator" 11 | ], 12 | "properties": { 13 | "key": { 14 | "type": "string" 15 | }, 16 | "operator": { 17 | "type": "string", 18 | "enum": [ 19 | "In", 20 | "NotIn", 21 | "Exists", 22 | "DoesNotExist" 23 | ] 24 | }, 25 | "values": { 26 | "type": "array", 27 | "items": { 28 | "type": "string" 29 | } 30 | } 31 | } 32 | } 33 | }, 34 | "matchLabels": { 35 | "type": [ 36 | "object", 37 | "null" 38 | ], 39 | "additionalProperties": { 40 | "type": [ 41 | "string", 42 | "null" 43 | ] 44 | } 45 | } 46 | } 47 | } 48 | -------------------------------------------------------------------------------- /charts/matrix-stack/source/common/labels.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "object", 3 | "additionalProperties": { 4 | "type": [ 5 | "string", 6 | "null" 7 | ] 8 | } 9 | } 10 | 
-------------------------------------------------------------------------------- /charts/matrix-stack/source/common/nodeSelector.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "object", 3 | "additionalProperties": { 4 | "type": "string" 5 | } 6 | } 7 | -------------------------------------------------------------------------------- /charts/matrix-stack/source/common/persistentVolumeClaim.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "object", 3 | "properties": { 4 | "existingClaim": { 5 | "type": "string" 6 | }, 7 | "size": { 8 | "type": "string" 9 | }, 10 | "storageClass": { 11 | "type": "string" 12 | }, 13 | "resourcePolicy": { 14 | "type": "string", 15 | "enum": [ 16 | "keep", 17 | "delete" 18 | ] 19 | } 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /charts/matrix-stack/source/common/podSecurityContext.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "fsGroup": { 4 | "format": "int64", 5 | "type": "integer" 6 | }, 7 | "fsGroupChangePolicy": { 8 | "type": "string" 9 | }, 10 | "runAsGroup": { 11 | "format": "int64", 12 | "type": "integer" 13 | }, 14 | "runAsNonRoot": { 15 | "type": "boolean" 16 | }, 17 | "runAsUser": { 18 | "format": "int64", 19 | "type": "integer" 20 | }, 21 | "seLinuxOptions": { 22 | "properties": { 23 | "level": { 24 | "type": "string" 25 | }, 26 | "role": { 27 | "type": "string" 28 | }, 29 | "type": { 30 | "type": "string" 31 | }, 32 | "user": { 33 | "type": "string" 34 | } 35 | }, 36 | "type": "object" 37 | }, 38 | "seccompProfile": { 39 | "properties": { 40 | "localhostProfile": { 41 | "type": "string" 42 | }, 43 | "type": { 44 | "enum": [ 45 | "RuntimeDefault", 46 | "Unconfined", 47 | "Localhost" 48 | ], 49 | "type": "string" 50 | } 51 | }, 52 | "type": "object" 53 | }, 54 | "supplementalGroups": { 55 | 
"items": { 56 | "format": "int64", 57 | "type": "integer" 58 | }, 59 | "type": "array" 60 | } 61 | }, 62 | "type": "object" 63 | } 64 | -------------------------------------------------------------------------------- /charts/matrix-stack/source/common/postgres-libpq.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "object", 3 | "required": [ 4 | "host", 5 | "user", 6 | "database" 7 | ], 8 | "properties": { 9 | "host": { 10 | "type": "string" 11 | }, 12 | "port": { 13 | "type": "integer", 14 | "minimum": 0, 15 | "maximum": 65535 16 | }, 17 | "user": { 18 | "type": "string" 19 | }, 20 | "database": { 21 | "type": "string" 22 | }, 23 | "sslMode": { 24 | "type": "string", 25 | "enum": [ 26 | "disable", 27 | "allow", 28 | "prefer", 29 | "require", 30 | "verify-ca", 31 | "verify-full" 32 | ] 33 | }, 34 | "password": { 35 | "$ref": "file://common/credential.json" 36 | } 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /charts/matrix-stack/source/common/probe.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "object", 3 | "properties": { 4 | "failureThreshold": { 5 | "type": [ 6 | "integer", 7 | "null" 8 | ], 9 | "minimum": 1 10 | }, 11 | "initialDelaySeconds": { 12 | "type": [ 13 | "integer", 14 | "null" 15 | ], 16 | "minimum": 0 17 | }, 18 | "periodSeconds": { 19 | "type": [ 20 | "integer", 21 | "null" 22 | ], 23 | "minimum": 1 24 | }, 25 | "successThreshold": { 26 | "type": [ 27 | "integer", 28 | "null" 29 | ], 30 | "minimum": 1 31 | }, 32 | "timeoutSeconds": { 33 | "type": [ 34 | "integer", 35 | "null" 36 | ], 37 | "minimum": 1 38 | } 39 | } 40 | } 41 | -------------------------------------------------------------------------------- /charts/matrix-stack/source/common/resources.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "limits": { 4 | 
"additionalProperties": { 5 | "anyOf": [ 6 | { 7 | "type": "integer" 8 | }, 9 | { 10 | "type": "string" 11 | } 12 | ], 13 | "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" 14 | }, 15 | "type": "object" 16 | }, 17 | "requests": { 18 | "additionalProperties": { 19 | "anyOf": [ 20 | { 21 | "type": "integer" 22 | }, 23 | { 24 | "type": "string" 25 | } 26 | ], 27 | "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$" 28 | }, 29 | "type": "object" 30 | } 31 | }, 32 | "type": "object" 33 | } 34 | -------------------------------------------------------------------------------- /charts/matrix-stack/source/common/serviceAccount.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "object", 3 | "properties": { 4 | "create": { 5 | "type": "boolean" 6 | }, 7 | "name": { 8 | "type": "string" 9 | }, 10 | "annotations": { 11 | "type": "object", 12 | "additionalProperties": { 13 | "type": "string" 14 | } 15 | } 16 | } 17 | } 18 | -------------------------------------------------------------------------------- /charts/matrix-stack/source/common/serviceMonitors.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "object", 3 | "properties": { 4 | "enabled": { 5 | "type": "boolean" 6 | } 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /charts/matrix-stack/source/common/tolerations.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "array", 3 | "items": { 4 | "properties": { 5 | "effect": { 6 | "type": "string", 7 | "enum": [ 8 | "NoSchedule", 9 | "PreferNoSchedule", 10 | "NoExecute" 11 | ] 12 | }, 13 | "key": { 14 | "type": "string" 15 | }, 16 | "operator": { 17 | "type": "string" 18 | }, 19 | "tolerationSeconds": { 20 
| "type": "number" 21 | }, 22 | "value": { 23 | "type": "string" 24 | } 25 | }, 26 | "type": "object" 27 | } 28 | } 29 | -------------------------------------------------------------------------------- /charts/matrix-stack/source/common/topologySpreadConstraints.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "array", 3 | "items": { 4 | "required": [ 5 | "maxSkew", 6 | "topologyKey" 7 | ], 8 | "properties": { 9 | "labelSelector": { 10 | "$ref": "file://common/labelSelector.json" 11 | }, 12 | "matchLabelKeys": { 13 | "type": [ 14 | "array", 15 | "null" 16 | ], 17 | "items": { 18 | "type": "string" 19 | } 20 | }, 21 | "maxSkew": { 22 | "type": "integer", 23 | "minimum": 1 24 | }, 25 | "minDomains": { 26 | "type": "integer", 27 | "minimum": 0 28 | }, 29 | "nodeAffinityPolicy": { 30 | "type": "string", 31 | "enum": [ 32 | "Honor", 33 | "Ignore" 34 | ] 35 | }, 36 | "nodeTaintsPolicy": { 37 | "type": "string", 38 | "enum": [ 39 | "Honor", 40 | "Ignore" 41 | ] 42 | }, 43 | "topologyKey": { 44 | "type": "string" 45 | }, 46 | "whenUnsatisfiable": { 47 | "type": "string", 48 | "enum": [ 49 | "DoNotSchedule", 50 | "ScheduleAnyway" 51 | ] 52 | } 53 | }, 54 | "type": "object" 55 | } 56 | } 57 | -------------------------------------------------------------------------------- /charts/matrix-stack/source/common/workloadAnnotations.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "object", 3 | "additionalProperties": { 4 | "type": "string" 5 | } 6 | } 7 | -------------------------------------------------------------------------------- /charts/matrix-stack/source/deployment-markers.json: -------------------------------------------------------------------------------- 1 | { 2 | "$id": "file://init-secrets", 3 | "$schema": "https://json-schema.org/draft/2020-12/schema", 4 | "type": "object", 5 | "properties": { 6 | "enabled": { 7 | "type": "boolean" 8 | }, 9 | "rbac": { 10 | 
"type": "object", 11 | "properties": { 12 | "create": { 13 | "type": "boolean" 14 | } 15 | } 16 | }, 17 | "labels": { 18 | "$ref": "file://common/labels.json" 19 | }, 20 | "annotations": { 21 | "$ref": "file://common/workloadAnnotations.json" 22 | }, 23 | "extraEnv": { 24 | "$ref": "file://common/extraEnv.json" 25 | }, 26 | "containersSecurityContext": { 27 | "$ref": "file://common/containersSecurityContext.json" 28 | }, 29 | "nodeSelector": { 30 | "$ref": "file://common/nodeSelector.json" 31 | }, 32 | "podSecurityContext": { 33 | "$ref": "file://common/podSecurityContext.json" 34 | }, 35 | "resources": { 36 | "$ref": "file://common/resources.json" 37 | }, 38 | "serviceAccount": { 39 | "$ref": "file://common/serviceAccount.json" 40 | }, 41 | "tolerations": { 42 | "$ref": "file://common/tolerations.json" 43 | } 44 | } 45 | } 46 | -------------------------------------------------------------------------------- /charts/matrix-stack/source/deployment-markers.yaml.j2: -------------------------------------------------------------------------------- 1 | {# 2 | Copyright 2025 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | #} 6 | 7 | {% import 'sub_schema_values.yaml.j2' as sub_schema_values -%} 8 | enabled: true 9 | 10 | rbac: 11 | create: true 12 | 13 | {{- sub_schema_values.labels() -}} 14 | {{- sub_schema_values.workloadAnnotations() -}} 15 | {{- sub_schema_values.containersSecurityContext() -}} 16 | {{- sub_schema_values.extraEnv() -}} 17 | {{- sub_schema_values.nodeSelector() -}} 18 | {{- sub_schema_values.podSecurityContext(user_id='10010', group_id='10010') -}} 19 | {{- sub_schema_values.resources(requests_memory='50Mi', requests_cpu='50m', limits_memory='200Mi') -}} 20 | {{- sub_schema_values.serviceAccount() -}} 21 | {{- sub_schema_values.tolerations() -}} 22 | -------------------------------------------------------------------------------- /charts/matrix-stack/source/haproxy.yaml.j2: 
-------------------------------------------------------------------------------- 1 | {# 2 | Copyright 2024-2025 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | #} 6 | 7 | {% import 'sub_schema_values.yaml.j2' as sub_schema_values -%} 8 | 9 | replicas: 1 10 | {{- sub_schema_values.image(registry='docker.io', repository='library/haproxy', tag='3.1-alpine') }} 11 | {{- sub_schema_values.labels() }} 12 | {{- sub_schema_values.workloadAnnotations() }} 13 | {{- sub_schema_values.containersSecurityContext() }} 14 | {{- sub_schema_values.nodeSelector() }} 15 | {{- sub_schema_values.podSecurityContext(user_id='10001', group_id='10001') }} 16 | {{- sub_schema_values.resources(requests_memory='100Mi', requests_cpu='100m', limits_memory='200Mi') }} 17 | {{- sub_schema_values.serviceAccount() }} 18 | {{- sub_schema_values.serviceMonitors() }} 19 | {{- sub_schema_values.tolerations() }} 20 | {{- sub_schema_values.topologySpreadConstraints() }} 21 | {{- sub_schema_values.probe("liveness", timeoutSeconds=5) }} 22 | {{- sub_schema_values.probe("readiness", timeoutSeconds=5) }} 23 | # The failureThreshold here is tweaked towards Synapse being ready 24 | # If Synapse isn't being deployed, unsetting this or setting it to 3 maybe more appropriate 25 | {{- sub_schema_values.probe("startup", failureThreshold=150, periodSeconds=2) }} 26 | -------------------------------------------------------------------------------- /charts/matrix-stack/source/init-secrets.json: -------------------------------------------------------------------------------- 1 | { 2 | "$id": "file://init-secrets", 3 | "$schema": "https://json-schema.org/draft/2020-12/schema", 4 | "type": "object", 5 | "properties": { 6 | "enabled": { 7 | "type": "boolean" 8 | }, 9 | "rbac": { 10 | "type": "object", 11 | "properties": { 12 | "create": { 13 | "type": "boolean" 14 | } 15 | } 16 | }, 17 | "labels": { 18 | "$ref": "file://common/labels.json" 19 | }, 20 | "annotations": { 21 | "$ref": 
"file://common/workloadAnnotations.json" 22 | }, 23 | "extraEnv": { 24 | "$ref": "file://common/extraEnv.json" 25 | }, 26 | "containersSecurityContext": { 27 | "$ref": "file://common/containersSecurityContext.json" 28 | }, 29 | "nodeSelector": { 30 | "$ref": "file://common/nodeSelector.json" 31 | }, 32 | "podSecurityContext": { 33 | "$ref": "file://common/podSecurityContext.json" 34 | }, 35 | "resources": { 36 | "$ref": "file://common/resources.json" 37 | }, 38 | "serviceAccount": { 39 | "$ref": "file://common/serviceAccount.json" 40 | }, 41 | "tolerations": { 42 | "$ref": "file://common/tolerations.json" 43 | } 44 | } 45 | } 46 | -------------------------------------------------------------------------------- /charts/matrix-stack/source/init-secrets.yaml.j2: -------------------------------------------------------------------------------- 1 | {# 2 | Copyright 2024-2025 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | #} 6 | 7 | {% import 'sub_schema_values.yaml.j2' as sub_schema_values -%} 8 | enabled: true 9 | 10 | rbac: 11 | create: true 12 | 13 | {{- sub_schema_values.labels() -}} 14 | {{- sub_schema_values.workloadAnnotations() -}} 15 | {{- sub_schema_values.containersSecurityContext() -}} 16 | {{- sub_schema_values.extraEnv() -}} 17 | {{- sub_schema_values.nodeSelector() -}} 18 | {{- sub_schema_values.podSecurityContext(user_id='10010', group_id='10010') -}} 19 | {{- sub_schema_values.resources(requests_memory='50Mi', requests_cpu='50m', limits_memory='200Mi') -}} 20 | {{- sub_schema_values.serviceAccount() -}} 21 | {{- sub_schema_values.tolerations() -}} 22 | -------------------------------------------------------------------------------- /charts/matrix-stack/source/synapse/scalable_worker.json: -------------------------------------------------------------------------------- 1 | { 2 | "required": [ 3 | "replicas" 4 | ], 5 | "properties": { 6 | "enabled": { 7 | "type": "boolean" 8 | }, 9 | "replicas": { 10 | "type": "integer", 11 | "minimum": 
1 12 | }, 13 | "resources": { 14 | "$ref": "file://common/resources.json" 15 | }, 16 | "topologySpreadConstraints": { 17 | "$ref": "file://common/topologySpreadConstraints.json" 18 | }, 19 | "livenessProbe": { 20 | "$ref": "file://common/probe.json" 21 | }, 22 | "readinessProbe": { 23 | "$ref": "file://common/probe.json" 24 | }, 25 | "startupProbe": { 26 | "$ref": "file://common/probe.json" 27 | } 28 | }, 29 | "type": "object" 30 | } 31 | -------------------------------------------------------------------------------- /charts/matrix-stack/source/synapse/single_worker.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "enabled": { 4 | "type": "boolean" 5 | }, 6 | "resources": { 7 | "$ref": "file://common/resources.json" 8 | }, 9 | "livenessProbe": { 10 | "$ref": "file://common/probe.json" 11 | }, 12 | "readinessProbe": { 13 | "$ref": "file://common/probe.json" 14 | }, 15 | "startupProbe": { 16 | "$ref": "file://common/probe.json" 17 | } 18 | }, 19 | "type": "object" 20 | } 21 | -------------------------------------------------------------------------------- /charts/matrix-stack/source/synapse/synapse_sub_schema_values.yaml.j2: -------------------------------------------------------------------------------- 1 | {# 2 | Copyright 2024-2025 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | #} 6 | 7 | {% import 'sub_schema_values.yaml.j2' as sub_schema_values -%} 8 | 9 | {% macro single_worker(workerType) %} 10 | {{ workerType }}: 11 | ## Set to true to deploy this worker 12 | enabled: false 13 | 14 | ## Resources for this worker. 
15 | ## If omitted the global Synapse resources are used 16 | # resources: {} 17 | 18 | {{- sub_schema_values.probe("liveness", failureThreshold=8, periodSeconds=6, timeoutSeconds=2) | indent(2) }} 19 | {{- sub_schema_values.probe("readiness", failureThreshold=8, periodSeconds=2, successThreshold=2, timeoutSeconds=2) | indent(2) }} 20 | {{- sub_schema_values.probe("startup", failureThreshold=54, periodSeconds=2) | indent(2) }} 21 | {%- endmacro %} 22 | 23 | {% macro scalable_worker(workerType) %} 24 | {{ workerType }}: 25 | ## Set to true to deploy this worker 26 | enabled: false 27 | 28 | ## The number of replicas of this worker to run 29 | replicas: 1 30 | 31 | ## Resources for this worker. 32 | ## If omitted the global Synapse resources are used 33 | # resources: {} 34 | 35 | {{- sub_schema_values.probe("liveness", periodSeconds=6, timeoutSeconds=2) | indent(2) }} 36 | {{- sub_schema_values.probe("readiness", periodSeconds=2, successThreshold=2, timeoutSeconds=2) | indent(2) }} 37 | {{- sub_schema_values.probe("startup", failureThreshold=21, periodSeconds=2) | indent(2) }} 38 | {%- endmacro %} 39 | -------------------------------------------------------------------------------- /charts/matrix-stack/source/wellKnownDelegation.json: -------------------------------------------------------------------------------- 1 | { 2 | "$id": "file://wellKnownDelegation", 3 | "$schema": "https://json-schema.org/draft/2020-12/schema", 4 | "type": "object", 5 | "properties": { 6 | "enabled": { 7 | "type": "boolean" 8 | }, 9 | "ingress": { 10 | "$ref": "file://common/ingress_without_host.json" 11 | }, 12 | "labels": { 13 | "$ref": "file://common/labels.json" 14 | }, 15 | "baseDomainRedirect": { 16 | "type": "object", 17 | "properties": { 18 | "enabled": { 19 | "type": "boolean" 20 | }, 21 | "url": { 22 | "type": "string" 23 | } 24 | } 25 | }, 26 | "additional": { 27 | "type": "object", 28 | "properties": { 29 | "client": { 30 | "type": "string" 31 | }, 32 | "element": { 33 | 
"type": "string" 34 | }, 35 | "server": { 36 | "type": "string" 37 | }, 38 | "support": { 39 | "type": "string" 40 | } 41 | } 42 | } 43 | } 44 | } 45 | -------------------------------------------------------------------------------- /charts/matrix-stack/source/wellKnownDelegation.yaml.j2: -------------------------------------------------------------------------------- 1 | {# 2 | Copyright 2024 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | #} 6 | 7 | {% import 'sub_schema_values.yaml.j2' as sub_schema_values -%} 8 | enabled: true 9 | 10 | {{ sub_schema_values.labels() }} 11 | {{ sub_schema_values.ingress() }} 12 | 13 | ## If ElementWeb is deployed, the base domain will redirect to it's ingress host by default 14 | ## If ElementWeb is not deployed or this is disabled, no base domain URL redirect will be set. 15 | baseDomainRedirect: 16 | enabled: true 17 | ## You can override with another redirect URL here. 18 | url: "" 19 | 20 | ## Additional configuration to provide to all WellKnown static file 21 | ## Configuration should be provided as JSON strings 22 | additional: 23 | client: "{}" 24 | server: "{}" 25 | element: "{}" 26 | support: "{}" 27 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/deployment-markers/role.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2025 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | {{ range $step := list "pre" "post" -}} 7 | {{- with $.Values.deploymentMarkers -}} 8 | {{- if and .enabled .rbac.create (include "element-io.deployment-markers.markers" (dict "root" $)) }} 9 | apiVersion: rbac.authorization.k8s.io/v1 10 | kind: Role 11 | metadata: 12 | name: {{ $.Release.Name }}-deployment-markers-{{ $step }} 13 | namespace: {{ $.Release.Namespace }} 14 | labels: 15 | {{- include "element-io.deployment-markers.labels" (dict "root" $ "context" (mustMergeOverwrite 
(dict "step" $step) .)) | nindent 4 }} 16 | annotations: 17 | "helm.sh/hook": {{ $step }}-install,{{ $step }}-upgrade 18 | "helm.sh/hook-weight": "-20" 19 | rules: 20 | {{/* 21 | https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources 22 | You cannot restrict create or deletecollection requests by resourceName. 23 | For create, this limitation is because the object name is not known at authorization time. 24 | */}} 25 | - apiGroups: [""] 26 | resources: ["configmaps"] 27 | verbs: ["create"] 28 | - apiGroups: [""] 29 | resources: ["configmaps"] 30 | resourceNames: [ "{{ $.Release.Name }}-markers" ] 31 | verbs: ["get", "update"] 32 | --- 33 | {{- end -}} 34 | {{- end -}} 35 | {{- end -}} 36 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/deployment-markers/rolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2025 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{ range $step := list "pre" "post" -}} 8 | {{- with $.Values.deploymentMarkers -}} 9 | {{- if and .enabled .rbac.create (include "element-io.deployment-markers.markers" (dict "root" $)) }} 10 | apiVersion: rbac.authorization.k8s.io/v1 11 | kind: RoleBinding 12 | metadata: 13 | name: {{ $.Release.Name }}-deployment-markers-{{ $step }} 14 | namespace: {{ $.Release.Namespace }} 15 | labels: 16 | {{- include "element-io.deployment-markers.labels" (dict "root" $ "context" (mustMergeOverwrite (dict "step" $step) .)) | nindent 4 }} 17 | annotations: 18 | "helm.sh/hook": {{ $step }}-install,{{ $step }}-upgrade 19 | "helm.sh/hook-weight": "-20" 20 | roleRef: 21 | apiGroup: rbac.authorization.k8s.io 22 | kind: Role 23 | name: {{ $.Release.Name }}-deployment-markers-{{ $step }} 24 | subjects: 25 | - kind: ServiceAccount 26 | name: {{ include "element-io.ess-library.serviceAccountName" (dict "root" $ "context" (dict 
"serviceAccount" .serviceAccount "nameSuffix" (printf "deployment-markers-%s" $step))) }} 27 | namespace: {{ $.Release.Namespace }} 28 | --- 29 | {{- end -}} 30 | {{- end -}} 31 | {{- end -}} 32 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/deployment-markers/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2025 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | {{ range $step := list "pre" "post" -}} 7 | {{- with $.Values.deploymentMarkers -}} 8 | {{- if .enabled -}} 9 | {{- if and .enabled (include "element-io.deployment-markers.markers" (dict "root" $)) -}} 10 | {{- include "element-io.ess-library.serviceAccount" (dict "root" $ "context" (dict "componentValues" . "nameSuffix" (printf "deployment-markers-%s" $step) "extraAnnotations" (dict "helm.sh/hook" (printf "%s-install,%s-upgrade" $step $step) "helm.sh/hook-weight" "-20"))) }} 11 | --- 12 | {{- end }} 13 | {{- end }} 14 | {{- end }} 15 | {{- end }} 16 | 17 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/element-web/configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2024 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | {{- with .Values.elementWeb -}} 7 | {{- if .enabled -}} 8 | apiVersion: v1 9 | kind: ConfigMap 10 | metadata: 11 | labels: 12 | {{- include "element-io.element-web.labels" (dict "root" $ "context" .) | nindent 4 }} 13 | name: {{ $.Release.Name }}-element-web 14 | namespace: {{ $.Release.Namespace }} 15 | data: 16 | {{- include "element-io.element-web.configmap-data" (dict "root" $ "context" .) 
| nindent 2 -}} 17 | {{- end -}} 18 | {{- end -}} 19 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/element-web/ingress.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2024 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | {{- with .Values.elementWeb -}} 7 | {{- if .enabled -}} 8 | apiVersion: networking.k8s.io/v1 9 | kind: Ingress 10 | metadata: 11 | {{- include "element-io.ess-library.ingress.annotations" (dict "root" $ "context" (dict "ingress" .ingress)) | nindent 2 }} 12 | labels: 13 | {{- include "element-io.element-web.labels" (dict "root" $ "context" .) | nindent 4 }} 14 | name: {{ $.Release.Name }}-element-web 15 | namespace: {{ $.Release.Namespace }} 16 | spec: 17 | {{- include "element-io.ess-library.ingress.tls" (dict "root" $ "context" (dict "ingress" .ingress "ingressName" "element-web")) | nindent 2 }} 18 | {{- include "element-io.ess-library.ingress.className" (dict "root" $ "context" .ingress.className) | nindent 2 }} 19 | rules: 20 | - host: {{ (tpl .ingress.host $) | quote }} 21 | http: 22 | paths: 23 | - path: / 24 | pathType: Prefix 25 | backend: 26 | service: 27 | name: {{ $.Release.Name }}-element-web 28 | port: 29 | number: 80 30 | {{- end }} 31 | {{- end }} 32 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/element-web/nginx_configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2024-2025 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | {{- with .Values.elementWeb -}} 7 | {{- if .enabled -}} 8 | apiVersion: v1 9 | kind: ConfigMap 10 | metadata: 11 | labels: 12 | {{- include "element-io.element-web.labels" (dict "root" $ "context" .) 
| nindent 4 }} 13 | name: {{ $.Release.Name }}-element-web-nginx 14 | namespace: {{ $.Release.Namespace }} 15 | data: 16 | {{- include "element-io.element-web.nginx-configmap-data" (dict "root" $) | nindent 4 -}} 17 | {{- end }} 18 | {{- end }} 19 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/element-web/service.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2024 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | {{- with .Values.elementWeb -}} 7 | {{- if .enabled -}} 8 | apiVersion: v1 9 | kind: Service 10 | metadata: 11 | labels: 12 | {{- include "element-io.element-web.labels" (dict "root" $ "context" .) | nindent 4 }} 13 | name: {{ $.Release.Name }}-element-web 14 | namespace: {{ $.Release.Namespace }} 15 | spec: 16 | type: {{ .ingress.service.type | default $.Values.ingress.service.type }} 17 | ports: 18 | - port: 80 19 | targetPort: element 20 | name: web 21 | selector: 22 | app.kubernetes.io/instance: {{ $.Release.Name }}-element-web 23 | {{- end }} 24 | {{- end }} 25 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/element-web/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2024 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | {{- with .Values.elementWeb -}} 7 | {{- if .enabled -}} 8 | {{- include "element-io.ess-library.serviceAccount" (dict "root" $ "context" (dict "componentValues" . 
"nameSuffix" "element-web")) }} 9 | {{- end }} 10 | {{- end }} 11 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/ess-library/_deployments.tpl: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2025 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | 8 | {{- define "element-io.ess-library.deployments.commonSpec" -}} 9 | {{- $root := .root -}} 10 | {{- with required "element-io.ess-library.deployments.commonSpec missing context" .context -}} 11 | {{- if hasKey . "replicas" }} 12 | replicas: {{ required (printf "element-io.ess-library.deployments.commonSpec with nameSuffix %s is missing a replicas value" .nameSuffix) .replicas }} 13 | strategy: 14 | type: RollingUpdate 15 | rollingUpdate: 16 | maxUnavailable: {{ min (max 0 (sub .replicas 1)) 1 }} 17 | maxSurge: 2 18 | {{- else }} 19 | replicas: 1 20 | strategy: 21 | type: RollingUpdate 22 | rollingUpdate: 23 | maxUnavailable: 0 24 | maxSurge: 2 25 | {{- end }} 26 | selector: 27 | matchLabels: 28 | app.kubernetes.io/instance: {{ $root.Release.Name }}-{{ .nameSuffix }} 29 | {{- end }} 30 | {{- end }} 31 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/ess-library/_postgres.tpl: -------------------------------------------------------------------------------- 1 | 2 | {{- /* 3 | Copyright 2025 New Vector Ltd 4 | 5 | SPDX-License-Identifier: AGPL-3.0-only 6 | */ -}} 7 | 8 | 9 | {{- define "element-io.ess-library.postgres-host-port" -}} 10 | {{- $root := .root -}} 11 | {{- with required "element-io.ess-library.postgres-host-port requires context" .context -}} 12 | {{- if .postgres -}} 13 | {{ (tpl .postgres.host $root) }}:{{ .postgres.port | default 5432 }} 14 | {{- else if $root.Values.postgres.enabled -}} 15 | {{ $root.Release.Name }}-postgres.{{ $root.Release.Namespace }}.svc.cluster.local:5432 16 | {{- else 
}} 17 | {{- fail "You need to enable the chart Postgres or configure this component postgres" -}} 18 | {{- end -}} 19 | {{- end -}} 20 | {{- end -}} 21 | 22 | 23 | {{- define "element-io.ess-library.postgres-env-var" -}} 24 | {{- $root := .root -}} 25 | {{- with required "element-io.ess-library.postgres-env-var requires context" .context -}} 26 | {{- $input := . -}} 27 | {{- $output := list -}} 28 | {{- range $input | splitList "" -}} 29 | {{- if (. | regexMatch "[A-Z]") -}} 30 | {{- $output = append $output "_" -}} 31 | {{- end -}} 32 | {{- $output = append $output . -}} 33 | {{- end -}} 34 | {{- printf "POSTGRES_%s_PASSWORD" (upper ($output | join "")) -}} 35 | {{- end -}} 36 | {{- end -}} 37 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/haproxy/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2024 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- define "element-io.haproxy.labels" -}} 8 | {{- $root := .root -}} 9 | {{- with required "element-io.haproxy.labels missing context" .context -}} 10 | {{ include "element-io.ess-library.labels.common" (dict "root" $root "context" (dict "labels" .labels "withChartVersion" .withChartVersion)) }} 11 | app.kubernetes.io/component: matrix-stack-ingress 12 | app.kubernetes.io/name: haproxy 13 | app.kubernetes.io/instance: {{ $root.Release.Name }}-haproxy 14 | app.kubernetes.io/version: {{ include "element-io.ess-library.labels.makeSafe" .image.tag }} 15 | {{- end }} 16 | {{- end }} 17 | 18 | {{- define "element-io.haproxy.configmap-data" }} 19 | {{- $root := .root -}} 20 | {{- with required "element-io.haproxy.configmap-data missing context" .context -}} 21 | haproxy.cfg: | 22 | {{- tpl ($root.Files.Get "configs/haproxy/haproxy.cfg.tpl") (dict "root" $root "context" .) 
| nindent 2 }} 23 | 429.http: | 24 | {{- (tpl ($root.Files.Get "configs/haproxy/429.http.tpl") dict) | nindent 2 }} 25 | {{- end -}} 26 | {{- end -}} 27 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/haproxy/configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2024 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- if or $.Values.synapse.enabled $.Values.wellKnownDelegation.enabled -}} 8 | {{- with .Values.haproxy -}} 9 | apiVersion: v1 10 | kind: ConfigMap 11 | metadata: 12 | labels: 13 | {{- include "element-io.haproxy.labels" (dict "root" $ "context" .) | nindent 4 }} 14 | name: {{ $.Release.Name }}-haproxy 15 | namespace: {{ $.Release.Namespace }} 16 | data: 17 | {{- include "element-io.haproxy.configmap-data" (dict "root" $ "context" .) | nindent 2 -}} 18 | {{- end -}} 19 | {{- end -}} 20 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/haproxy/service.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2024 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- if or $.Values.synapse.enabled $.Values.wellKnownDelegation.enabled -}} 8 | {{- with .Values.haproxy -}} 9 | apiVersion: v1 10 | kind: Service 11 | metadata: 12 | labels: 13 | {{- include "element-io.haproxy.labels" (dict "root" $ "context" .) 
| nindent 4 }} 14 | name: {{ $.Release.Name }}-haproxy 15 | namespace: {{ $.Release.Namespace }} 16 | spec: 17 | type: ClusterIP 18 | ports: 19 | - name: haproxy-metrics 20 | port: 8405 21 | targetPort: haproxy-metrics 22 | selector: 23 | app.kubernetes.io/instance: "{{ $.Release.Name }}-haproxy" 24 | {{- end -}} 25 | {{- end -}} 26 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/haproxy/service_monitor.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2024 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- if or $.Values.synapse.enabled $.Values.wellKnownDelegation.enabled -}} 8 | {{- with .Values.haproxy -}} 9 | {{- if $.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor" }} 10 | {{- if .serviceMonitors.enabled }} 11 | apiVersion: monitoring.coreos.com/v1 12 | kind: ServiceMonitor 13 | metadata: 14 | labels: 15 | {{- include "element-io.haproxy.labels" (dict "root" $ "context" .) 
| nindent 4 }} 16 | name: {{ $.Release.Name }}-haproxy 17 | namespace: {{ $.Release.Namespace }} 18 | spec: 19 | endpoints: 20 | - interval: 30s 21 | port: haproxy-metrics 22 | selector: 23 | matchLabels: 24 | app.kubernetes.io/part-of: matrix-stack 25 | app.kubernetes.io/component: matrix-stack-ingress 26 | app.kubernetes.io/instance: {{ $.Release.Name }}-haproxy 27 | {{- end }} 28 | {{- end }} 29 | {{- end -}} 30 | {{- end -}} 31 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/haproxy/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2024 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- if or $.Values.synapse.enabled $.Values.wellKnownDelegation.enabled -}} 8 | {{- with .Values.haproxy -}} 9 | {{- include "element-io.ess-library.serviceAccount" (dict "root" $ "context" (dict "componentValues" . "nameSuffix" "haproxy")) }} 10 | {{- end -}} 11 | {{- end -}} 12 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/init-secrets/role.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2024 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | {{- with .Values.initSecrets -}} 7 | {{- if and .enabled .rbac.create (include "element-io.init-secrets.generated-secrets" (dict "root" $)) -}} 8 | apiVersion: rbac.authorization.k8s.io/v1 9 | kind: Role 10 | metadata: 11 | name: {{ $.Release.Name }}-init-secrets 12 | namespace: {{ $.Release.Namespace }} 13 | labels: 14 | {{- include "element-io.init-secrets.labels" (dict "root" $ "context" .) 
| nindent 4 }} 15 | annotations: 16 | "helm.sh/hook": pre-install,pre-upgrade 17 | "helm.sh/hook-weight": "-10" 18 | rules: 19 | {{/* 20 | https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources 21 | You cannot restrict create or deletecollection requests by resourceName. 22 | For create, this limitation is because the object name is not known at authorization time. 23 | */}} 24 | - apiGroups: [""] 25 | resources: ["secrets"] 26 | verbs: ["create"] 27 | - apiGroups: [""] 28 | resources: ["secrets"] 29 | resourceNames: [ "{{ $.Release.Name }}-generated" ] 30 | verbs: ["get", "update"] 31 | {{- end -}} 32 | {{- end -}} 33 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/init-secrets/rolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2024 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- with .Values.initSecrets -}} 8 | {{- if and .enabled .rbac.create (include "element-io.init-secrets.generated-secrets" (dict "root" $)) -}} 9 | apiVersion: rbac.authorization.k8s.io/v1 10 | kind: RoleBinding 11 | metadata: 12 | name: {{ $.Release.Name }}-init-secrets 13 | namespace: {{ $.Release.Namespace }} 14 | labels: 15 | {{- include "element-io.init-secrets.labels" (dict "root" $ "context" .) 
| nindent 4 }} 16 | annotations: 17 | "helm.sh/hook": pre-install,pre-upgrade 18 | "helm.sh/hook-weight": "-10" 19 | roleRef: 20 | apiGroup: rbac.authorization.k8s.io 21 | kind: Role 22 | name: {{ $.Release.Name }}-init-secrets 23 | subjects: 24 | - kind: ServiceAccount 25 | name: {{ include "element-io.ess-library.serviceAccountName" (dict "root" $ "context" (dict "serviceAccount" .serviceAccount "nameSuffix" "init-secrets")) }} 26 | namespace: {{ $.Release.Namespace }} 27 | {{- end -}} 28 | {{- end -}} 29 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/init-secrets/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2024 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | {{- with .Values.initSecrets -}} 7 | {{- if .enabled -}} 8 | {{- if and .enabled (include "element-io.init-secrets.generated-secrets" (dict "root" $)) -}} 9 | {{- include "element-io.ess-library.serviceAccount" (dict "root" $ "context" (dict "componentValues" . 
"nameSuffix" "init-secrets" "extraAnnotations" (dict "helm.sh/hook" "pre-install,pre-upgrade" "helm.sh/hook-weight" "-10"))) }} 10 | {{- end }} 11 | {{- end }} 12 | {{- end }} 13 | 14 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/matrix-authentication-service/configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2025 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- with .Values.matrixAuthenticationService -}} 8 | {{- if .enabled -}} 9 | apiVersion: v1 10 | kind: ConfigMap 11 | metadata: 12 | name: {{ include "element-io.matrix-authentication-service.configmap-name" (dict "root" $ "context" (dict "isHook" false)) }} 13 | namespace: {{ $.Release.Namespace }} 14 | labels: 15 | {{- include "element-io.matrix-authentication-service.labels" (dict "root" $ "context" .) | nindent 4 }} 16 | data: 17 | {{- include "element-io.matrix-authentication-service.configmap-data" (dict "root" $ "context" .) 
| nindent 2 -}} 18 | {{ end -}} 19 | {{- end -}} 20 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/matrix-authentication-service/configmap_hook.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2025 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- with .Values.matrixAuthenticationService -}} 8 | {{- if and .enabled .syn2mas.enabled (not .syn2mas.dryRun) -}} 9 | {{- $masContext := (mustMergeOverwrite ($.Values.matrixAuthenticationService | deepCopy) (dict "isHook" true)) -}} 10 | apiVersion: v1 11 | kind: ConfigMap 12 | metadata: 13 | name: {{ include "element-io.matrix-authentication-service.configmap-name" (dict "root" $ "context" (dict "isHook" true)) }} 14 | namespace: {{ $.Release.Namespace }} 15 | labels: 16 | {{- include "element-io.matrix-authentication-service.labels" (dict "root" $ "context" $masContext) | nindent 4 }} 17 | annotations: 18 | "helm.sh/hook": pre-install,pre-upgrade 19 | "helm.sh/hook-weight": "-5" 20 | data: 21 | {{- include "element-io.matrix-authentication-service.configmap-data" (dict "root" $ "context" $masContext) | nindent 2 -}} 22 | {{ end -}} 23 | {{- end -}} 24 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/matrix-authentication-service/ingress.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2025 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- with .Values.matrixAuthenticationService -}} 8 | {{- if .enabled -}} 9 | apiVersion: networking.k8s.io/v1 10 | kind: Ingress 11 | metadata: 12 | {{- include "element-io.ess-library.ingress.annotations" (dict "root" $ "context" (dict "ingress" .ingress)) | nindent 2 }} 13 | labels: 14 | {{- include "element-io.matrix-authentication-service.labels" (dict "root" $ 
"context" .) | nindent 4 }} 15 | name: {{ $.Release.Name }}-matrix-authentication-service 16 | namespace: {{ $.Release.Namespace }} 17 | spec: 18 | {{- include "element-io.ess-library.ingress.tls" (dict "root" $ "context" (dict "ingress" .ingress "ingressName" "matrix-authentication-service")) | nindent 2 }} 19 | {{- include "element-io.ess-library.ingress.className" (dict "root" $ "context" .ingress.className) | nindent 2 }} 20 | rules: 21 | - host: {{ (tpl .ingress.host $) | quote }} 22 | http: 23 | paths: 24 | - path: / 25 | pathType: Prefix 26 | backend: 27 | service: 28 | name: {{ $.Release.Name }}-matrix-authentication-service 29 | port: 30 | name: http 31 | {{- end }} 32 | {{- end }} 33 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/matrix-authentication-service/secret.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2025 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- with .Values.matrixAuthenticationService -}} 8 | {{- if .enabled -}} 9 | apiVersion: v1 10 | kind: Secret 11 | metadata: 12 | name: {{ include "element-io.matrix-authentication-service.secret-name" (dict "root" $ "context" (dict "isHook" false)) }} 13 | namespace: {{ $.Release.Namespace }} 14 | labels: 15 | {{- include "element-io.matrix-authentication-service.labels" (dict "root" $ "context" .) | nindent 4 }} 16 | type: Opaque 17 | data: 18 | {{- include "element-io.matrix-authentication-service.secret-data" (dict "root" $ "context" .) 
| nindent 2 }} 19 | {{- end -}} 20 | {{- end -}} 21 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/matrix-authentication-service/secret_hook.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2025 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- with .Values.matrixAuthenticationService -}} 8 | {{- if and .enabled $.Values.synapse.enabled 9 | (or (and $.Values.synapse.checkConfigHook.enabled 10 | (include "element-io.matrix-authentication-service.synapse-secret-data" (dict "root" $ "context" .)) 11 | ) 12 | (and .syn2mas.enabled (not .syn2mas.dryRun)) 13 | ) -}} 14 | {{- $masContext := (mustMergeOverwrite ($.Values.matrixAuthenticationService | deepCopy) (dict "isHook" true)) -}} 15 | apiVersion: v1 16 | kind: Secret 17 | metadata: 18 | name: {{ include "element-io.matrix-authentication-service.secret-name" (dict "root" $ "context" (dict "isHook" true)) }} 19 | namespace: {{ $.Release.Namespace }} 20 | labels: 21 | {{- include "element-io.matrix-authentication-service.labels" (dict "root" $ "context" $masContext) | nindent 4 }} 22 | annotations: 23 | "helm.sh/hook": pre-install,pre-upgrade 24 | "helm.sh/hook-weight": "-5" 25 | type: Opaque 26 | data: 27 | {{- if .syn2mas.enabled }} 28 | {{- include "element-io.matrix-authentication-service.secret-data" (dict "root" $ "context" $masContext) | nindent 2 }} 29 | {{- else }} 30 | {{- include "element-io.matrix-authentication-service.synapse-secret-data" (dict "root" $ "context" $masContext) | nindent 2 }} 31 | {{- end -}} 32 | {{- end -}} 33 | {{- end -}} 34 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/matrix-authentication-service/service.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2025 New Vector Ltd 3 | 4 | 
SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- with .Values.matrixAuthenticationService -}} 8 | {{- if .enabled -}} 9 | apiVersion: v1 10 | kind: Service 11 | metadata: 12 | name: {{ $.Release.Name }}-matrix-authentication-service 13 | namespace: {{ $.Release.Namespace }} 14 | labels: 15 | {{- include "element-io.matrix-authentication-service.labels" (dict "root" $ "context" .) | nindent 4 }} 16 | spec: 17 | type: {{ .ingress.service.type | default $.Values.ingress.service.type }} 18 | ports: 19 | - port: 8080 20 | protocol: TCP 21 | name: http 22 | - port: 8081 23 | protocol: TCP 24 | name: internal 25 | selector: 26 | app.kubernetes.io/instance: "{{ $.Release.Name }}-matrix-authentication-service" 27 | {{- end -}} 28 | {{- end -}} 29 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/matrix-authentication-service/service_monitor.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2025 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- with .Values.matrixAuthenticationService -}} 8 | {{- if .enabled -}} 9 | {{- if $.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor" }} 10 | {{- if .serviceMonitors.enabled }} 11 | apiVersion: monitoring.coreos.com/v1 12 | kind: ServiceMonitor 13 | metadata: 14 | labels: 15 | {{- include "element-io.matrix-authentication-service.labels" (dict "root" $ "context" .) 
| nindent 4 }} 16 | name: {{ $.Release.Name }}-matrix-authentication-service 17 | namespace: {{ $.Release.Namespace }} 18 | spec: 19 | endpoints: 20 | - interval: 30s 21 | port: internal 22 | selector: 23 | matchLabels: 24 | app.kubernetes.io/instance: "{{ $.Release.Name }}-matrix-authentication-service" 25 | {{- end }} 26 | {{- end }} 27 | {{- end -}} 28 | {{- end -}} 29 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/matrix-authentication-service/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2025 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | {{- with .Values.matrixAuthenticationService -}} 7 | {{- if .enabled -}} 8 | {{- include "element-io.ess-library.serviceAccount" (dict "root" $ "context" (dict "componentValues" . "nameSuffix" "matrix-authentication-service")) }} 9 | {{- end }} 10 | {{- end }} 11 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/matrix-authentication-service/syn2mas_rolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2025 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- with .Values.matrixAuthenticationService -}} 8 | {{- if and .enabled .syn2mas.enabled (not .syn2mas.dryRun) -}} 9 | {{- with .syn2mas -}} 10 | apiVersion: rbac.authorization.k8s.io/v1 11 | kind: RoleBinding 12 | metadata: 13 | name: {{ $.Release.Name }}-syn2mas 14 | namespace: {{ $.Release.Namespace }} 15 | labels: 16 | {{- include "element-io.syn2mas.labels" (dict "root" $ "context" .) 
| nindent 4 }} 17 | annotations: 18 | "helm.sh/hook": pre-install,pre-upgrade 19 | {{- /* 20 | Hook weights (every syn2mas hook resource is a pre-install,pre-upgrade hook): 21 | - -10 : the initSecret hook that generates the secrets used by the syn2mas job 22 | - -5 : the MAS & Synapse hook Secrets & ConfigMaps, so that they exist before the job starts 23 | - 0 : the job itself, together with this RoleBinding and the syn2mas ServiceAccount (also weight 0), so the RBAC the job needs is created in the same phase. This RoleBinding is rendered only when syn2mas is enabled and not in dryRun, whereas the syn2mas ServiceAccount template gates on synapse.enabled instead; keep the two conditions aligned so a binding is never rendered for a ServiceAccount the chart did not create. Caveat: Helm does not track hook resources as part of the release, so without a helm.sh/hook-delete-policy the hook Secrets and this binding outlive `helm uninstall` and must be cleaned up separately. 24 | */}} 25 | "helm.sh/hook-weight": "0" 26 | roleRef: 27 | apiGroup: rbac.authorization.k8s.io 28 | kind: Role 29 | name: {{ $.Release.Name }}-syn2mas 30 | subjects: 31 | - kind: ServiceAccount 32 | name: {{ include "element-io.ess-library.serviceAccountName" (dict "root" $ "context" (dict "serviceAccount" .serviceAccount "nameSuffix" "syn2mas")) }} 33 | namespace: {{ $.Release.Namespace }} 34 | {{- end -}} 35 | {{- end -}} 36 | {{- end -}} 37 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/matrix-authentication-service/syn2mas_serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2025 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | {{- with .Values.matrixAuthenticationService -}} 7 | {{- if and .enabled .syn2mas.enabled $.Values.synapse.enabled -}} 8 | {{- with .syn2mas -}} 9 | {{- include "element-io.ess-library.serviceAccount" (dict "root" $ "context" (dict "componentValues" . 
"nameSuffix" "syn2mas" "extraAnnotations" (dict "helm.sh/hook" "pre-install,pre-upgrade" "helm.sh/hook-weight" "0"))) }} 10 | {{- end }} 11 | {{- end }} 12 | {{- end }} 13 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/matrix-rtc/sfu_configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2024 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- with $.Values.matrixRTC -}} 8 | {{- if .enabled -}} 9 | {{- with .sfu -}} 10 | {{- if .enabled -}} 11 | apiVersion: v1 12 | kind: ConfigMap 13 | metadata: 14 | labels: 15 | {{- include "element-io.matrix-rtc-sfu.labels" (dict "root" $ "context" .) | nindent 4 }} 16 | name: {{ $.Release.Name }}-matrix-rtc-sfu 17 | namespace: {{ $.Release.Namespace }} 18 | data: 19 | {{- (include "element-io.matrix-rtc-sfu.configmap-data" (dict "root" $ "context" .)) | nindent 2 }} 20 | {{- end -}} 21 | {{- end -}} 22 | {{- end -}} 23 | {{- end -}} 24 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/matrix-rtc/sfu_jwt_secret.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2025 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- with $.Values.matrixRTC -}} 8 | {{- if .enabled -}} 9 | apiVersion: v1 10 | kind: Secret 11 | metadata: 12 | name: {{ $.Release.Name }}-matrix-rtc-authorisation-service 13 | namespace: {{ $.Release.Namespace }} 14 | labels: 15 | {{- include "element-io.matrix-rtc-authorisation-service.labels" (dict "root" $ "context" .) | nindent 4 }} 16 | type: Opaque 17 | data: 18 | {{- include "element-io.matrix-rtc-authorisation-service.secret-data" (dict "root" $ "context" .) 
| nindent 2 -}} 19 | {{- end -}} 20 | {{- end -}} 21 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/matrix-rtc/sfu_jwt_service.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2024 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- with $.Values.matrixRTC -}} 8 | {{- if .enabled -}} 9 | apiVersion: v1 10 | kind: Service 11 | metadata: 12 | labels: 13 | {{- include "element-io.matrix-rtc-authorisation-service.labels" (dict "root" $ "context" .) | nindent 4 }} 14 | name: {{ $.Release.Name }}-matrix-rtc-authorisation-service 15 | namespace: {{ $.Release.Namespace }} 16 | spec: 17 | type: ClusterIP 18 | ports: 19 | - name: http 20 | port: 8080 21 | targetPort: http 22 | selector: 23 | app.kubernetes.io/instance: "{{ $.Release.Name }}-matrix-rtc-authorisation-service" 24 | {{- end -}} 25 | {{- end -}} 26 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/matrix-rtc/sfu_jwt_service_monitor.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2024 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- with $.Values.matrixRTC -}} 8 | {{- if .enabled -}} 9 | {{- if $.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor" }} 10 | {{- if .serviceMonitors.enabled }} 11 | apiVersion: monitoring.coreos.com/v1 12 | kind: ServiceMonitor 13 | metadata: 14 | labels: 15 | {{- include "element-io.matrix-rtc-authorisation-service.labels" (dict "root" $ "context" .) 
| nindent 4 }} 16 | name: {{ $.Release.Name }}-matrix-rtc-authorisation-service 17 | namespace: {{ $.Release.Namespace }} 18 | spec: 19 | endpoints: 20 | - interval: 30s 21 | port: http 22 | selector: 23 | matchLabels: 24 | app.kubernetes.io/part-of: matrix-stack 25 | app.kubernetes.io/component: matrix-rtc-authorisation-service 26 | app.kubernetes.io/instance: {{ $.Release.Name }}-matrix-rtc-authorisation-service 27 | {{- end }} 28 | {{- end }} 29 | {{- end -}} 30 | {{- end -}} 31 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/matrix-rtc/sfu_jwt_serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2024 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- with $.Values.matrixRTC -}} 8 | {{- if .enabled -}} 9 | {{- include "element-io.ess-library.serviceAccount" (dict "root" $ "context" (dict "componentValues" . "nameSuffix" "matrix-rtc-authorisation-service")) }} 10 | {{- end -}} 11 | {{- end -}} 12 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/matrix-rtc/sfu_rtc_tcp_service.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2024 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- with $.Values.matrixRTC -}} 8 | {{- if .enabled -}} 9 | {{- with .sfu -}} 10 | {{- if and .enabled .exposedServices.rtcTcp.enabled (eq .exposedServices.rtcTcp.portType "NodePort") -}} 11 | apiVersion: v1 12 | kind: Service 13 | metadata: 14 | labels: 15 | {{- include "element-io.matrix-rtc-sfu-rtc.labels" (dict "root" $ "context" .) 
| nindent 4 }} 16 | name: {{ $.Release.Name }}-matrix-rtc-sfu-tcp 17 | namespace: {{ $.Release.Namespace }} 18 | spec: 19 | type: NodePort 20 | externalTrafficPolicy: Local 21 | ports: 22 | - name: "rtc-tcp" 23 | protocol: "TCP" 24 | port: {{ .exposedServices.rtcTcp.port }} 25 | targetPort: {{ .exposedServices.rtcTcp.port }} 26 | nodePort: {{ .exposedServices.rtcTcp.port }} 27 | selector: 28 | app.kubernetes.io/instance: "{{ $.Release.Name }}-matrix-rtc-sfu" 29 | {{- end }} 30 | {{- end }} 31 | {{- end }} 32 | {{- end }} 33 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/matrix-rtc/sfu_rtc_udp_muxer_service.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2024 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- with $.Values.matrixRTC -}} 8 | {{- if .enabled -}} 9 | {{- with .sfu -}} 10 | {{- if and .enabled .exposedServices.rtcMuxedUdp.enabled (eq .exposedServices.rtcMuxedUdp.portType "NodePort") -}} 11 | apiVersion: v1 12 | kind: Service 13 | metadata: 14 | labels: 15 | {{- include "element-io.matrix-rtc-sfu-rtc.labels" (dict "root" $ "context" .) 
| nindent 4 }} 16 | name: {{ $.Release.Name }}-matrix-rtc-sfu-muxed-udp 17 | namespace: {{ $.Release.Namespace }} 18 | spec: 19 | type: NodePort 20 | externalTrafficPolicy: Local 21 | ports: 22 | - name: "rtc-muxed-udp" 23 | protocol: "UDP" 24 | port: {{ .exposedServices.rtcMuxedUdp.port }} 25 | targetPort: {{ .exposedServices.rtcMuxedUdp.port }} 26 | nodePort: {{ .exposedServices.rtcMuxedUdp.port }} 27 | selector: 28 | app.kubernetes.io/instance: "{{ $.Release.Name }}-matrix-rtc-sfu" 29 | {{- end }} 30 | {{- end }} 31 | {{- end }} 32 | {{- end }} 33 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/matrix-rtc/sfu_rtc_udp_range_service.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2024 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- with $.Values.matrixRTC -}} 8 | {{- if .enabled -}} 9 | {{- with .sfu -}} 10 | {{- if and .enabled .exposedServices.rtcUdp.enabled (eq .exposedServices.rtcUdp.portType "NodePort") -}} 11 | apiVersion: v1 12 | kind: Service 13 | metadata: 14 | labels: 15 | {{- include "element-io.matrix-rtc-sfu-rtc.labels" (dict "root" $ "context" .) 
| nindent 4 }} 16 | name: {{ $.Release.Name }}-matrix-rtc-sfu-udp-range 17 | namespace: {{ $.Release.Namespace }} 18 | spec: 19 | type: NodePort 20 | externalTrafficPolicy: Local 21 | ports: 22 | {{- with .exposedServices.rtcUdp.portRange }} 23 | {{- range $port := untilStep (.startPort | int) (.endPort | int) 1 }} 24 | - name: rtc-udp-{{ $port }} 25 | port: {{ $port }} 26 | targetPort: {{ $port }} 27 | nodePort: {{ $port }} 28 | protocol: UDP 29 | {{- end }} 30 | {{- end }} 31 | selector: 32 | app.kubernetes.io/instance: "{{ $.Release.Name }}-matrix-rtc-sfu" 33 | {{- end }} 34 | {{- end }} 35 | {{- end }} 36 | {{- end }} 37 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/matrix-rtc/sfu_service.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2024 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- with $.Values.matrixRTC -}} 8 | {{- if .enabled -}} 9 | {{- with .sfu -}} 10 | {{- if .enabled -}} 11 | apiVersion: v1 12 | kind: Service 13 | metadata: 14 | labels: 15 | {{- include "element-io.matrix-rtc-sfu.labels" (dict "root" $ "context" .) 
| nindent 4 }} 16 | name: {{ $.Release.Name }}-matrix-rtc-sfu 17 | namespace: {{ $.Release.Namespace }} 18 | spec: 19 | type: ClusterIP 20 | ports: 21 | - name: http 22 | port: 7880 23 | targetPort: http 24 | selector: 25 | app.kubernetes.io/instance: "{{ $.Release.Name }}-matrix-rtc-sfu" 26 | {{- end -}} 27 | {{- end -}} 28 | {{- end -}} 29 | {{- end -}} 30 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/matrix-rtc/sfu_service_monitor.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2024 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- with $.Values.matrixRTC -}} 8 | {{- if .enabled -}} 9 | {{- with .sfu -}} 10 | {{- if .enabled -}} 11 | {{- if $.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor" }} 12 | {{- if .serviceMonitors.enabled }} 13 | apiVersion: monitoring.coreos.com/v1 14 | kind: ServiceMonitor 15 | metadata: 16 | labels: 17 | {{- include "element-io.matrix-rtc-sfu.labels" (dict "root" $ "context" .) 
| nindent 4 }} 18 | name: {{ $.Release.Name }}-matrix-rtc-sfu 19 | namespace: {{ $.Release.Namespace }} 20 | spec: 21 | endpoints: 22 | - interval: 30s 23 | port: http 24 | selector: 25 | matchLabels: 26 | app.kubernetes.io/part-of: matrix-stack 27 | app.kubernetes.io/component: matrix-rtc-voip-server 28 | app.kubernetes.io/instance: {{ $.Release.Name }}-matrix-rtc-sfu 29 | {{- end }} 30 | {{- end }} 31 | {{- end -}} 32 | {{- end -}} 33 | {{- end -}} 34 | {{- end -}} 35 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/matrix-rtc/sfu_serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2024 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- with $.Values.matrixRTC -}} 8 | {{- if .enabled -}} 9 | {{- with .sfu -}} 10 | {{- if .enabled -}} 11 | {{- include "element-io.ess-library.serviceAccount" (dict "root" $ "context" (dict "componentValues" . 
"nameSuffix" "matrix-rtc-sfu")) }} 12 | {{- end -}} 13 | {{- end -}} 14 | {{- end -}} 15 | {{- end -}} 16 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/postgres/_postgres_secret.tpl: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2025 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- define "element-io.postgres.secret-name" }} 8 | {{- $root := .root }} 9 | {{- with required "element-io.postgres.secret-name requires context" .context }} 10 | {{- $isHook := required "element-io.postgres.secret-name requires context.isHook" .isHook }} 11 | {{- if $isHook }} 12 | {{- $root.Release.Name }}-postgres-hook 13 | {{- else }} 14 | {{- $root.Release.Name }}-postgres 15 | {{- end }} 16 | {{- end }} 17 | {{- end }} 18 | 19 | {{- define "element-io.postgres.secret-data" }} 20 | {{- $root := .root }} 21 | {{- with required "element-io.postgres.secret-data requires context" .context }} 22 | type: Opaque 23 | data: 24 | {{- with .adminPassword }} 25 | {{- include "element-io.ess-library.check-credential" (dict "root" $root "context" (dict "secretPath" "postgres.adminPassword" "initIfAbsent" false)) }} 26 | {{- with .value }} 27 | ADMIN_PASSWORD: {{ . 
| b64enc }} 28 | {{- end }} 29 | {{- end }} 30 | {{- range $key := (.essPasswords | keys | uniq | sortAlpha) }} 31 | {{- if (index $root.Values $key).enabled }} 32 | {{- include "element-io.ess-library.check-credential" (dict "root" $root "context" (dict "secretPath" (printf "postgres.essPasswords.%s" $key) "initIfAbsent" true)) }} 33 | {{- $prop := index $root.Values.postgres.essPasswords $key }} 34 | {{- with $prop.value }} 35 | ESS_PASSWORD_{{ $key | upper }}: {{ .| b64enc }} 36 | {{- end }} 37 | {{- end }} 38 | {{- end }} 39 | {{- end }} 40 | {{- end }} 41 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/postgres/configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2025 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- with $.Values.postgres }} 8 | {{- if (include "element-io.postgres.enabled" (dict "root" $)) }} 9 | apiVersion: v1 10 | kind: ConfigMap 11 | metadata: 12 | labels: 13 | {{- include "element-io.postgres.labels" (dict "root" $ "context" .) | nindent 4 }} 14 | name: {{ $.Release.Name }}-postgres 15 | namespace: {{ $.Release.Namespace }} 16 | data: 17 | {{- include "element-io.postgres.configmap-data" (dict "root" $ "context" .) 
| nindent 2 }} 18 | {{- end -}} 19 | {{- end -}} 20 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/postgres/pvc.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2025 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- with $.Values.postgres -}} 8 | {{- if (include "element-io.postgres.enabled" (dict "root" $)) }} 9 | {{- if not .storage.existingClaim }} 10 | apiVersion: v1 11 | kind: PersistentVolumeClaim 12 | metadata: 13 | annotations: 14 | helm.sh/resource-policy: {{ .storage.resourcePolicy }} 15 | labels: 16 | {{- include "element-io.postgres.labels" (dict "root" $ "context" .) | nindent 4 }} 17 | name: {{ $.Release.Name }}-postgres-data 18 | namespace: {{ $.Release.Namespace }} 19 | spec: 20 | {{- with .storage.storageClassName }} 21 | storageClassName: {{ . }} 22 | {{- end }} 23 | accessModes: 24 | - ReadWriteOnce 25 | resources: 26 | requests: 27 | storage: {{ .storage.size }} 28 | {{- end }} 29 | {{- end -}} 30 | {{- end -}} 31 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/postgres/secret.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2025 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- with $.Values.postgres -}} 8 | {{- if (include "element-io.postgres.enabled" (dict "root" $)) }} 9 | {{- if or .adminPassword.value (include "element-io.postgres.anyEssPasswordHasValue" (dict "root" $ "context" .)) }} 10 | apiVersion: v1 11 | kind: Secret 12 | metadata: 13 | labels: 14 | {{- include "element-io.postgres.labels" (dict "root" $ "context" .) 
| nindent 4 }} 15 | name: {{ include "element-io.postgres.secret-name" (dict "root" $ "context" (dict "isHook" false)) }} 16 | namespace: {{ $.Release.Namespace }} 17 | {{- include "element-io.postgres.secret-data" (dict "root" $ "context" .) -}} 18 | {{- end -}} 19 | {{- end -}} 20 | {{- end -}} 21 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/postgres/secret_hook.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2025 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- with $.Values.postgres -}} 8 | {{- if (include "element-io.postgres.enabled" (dict "root" $)) }} 9 | {{- if or .adminPassword.value (include "element-io.postgres.anyEssPasswordHasValue" (dict "root" $ "context" .)) }} 10 | apiVersion: v1 11 | kind: Secret 12 | metadata: 13 | labels: 14 | {{- include "element-io.postgres.labels" (dict "root" $ "context" .) | nindent 4 }} 15 | name: {{ include "element-io.postgres.secret-name" (dict "root" $ "context" (dict "isHook" true)) }} 16 | namespace: {{ $.Release.Namespace }} 17 | annotations: 18 | "helm.sh/hook": pre-install,pre-upgrade 19 | "helm.sh/hook-weight": "-5" 20 | {{- include "element-io.postgres.secret-data" (dict "root" $ "context" .) -}} 21 | {{- end -}} 22 | {{- end -}} 23 | {{- end -}} 24 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/postgres/service.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2025 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- with $.Values.postgres -}} 8 | {{- if (include "element-io.postgres.enabled" (dict "root" $)) }} 9 | apiVersion: v1 10 | kind: Service 11 | metadata: 12 | labels: 13 | {{- include "element-io.postgres.labels" (dict "root" $ "context" .) 
| nindent 4 }} 14 | name: {{ $.Release.Name }}-postgres 15 | namespace: {{ $.Release.Namespace }} 16 | spec: 17 | clusterIP: None 18 | ports: 19 | - port: 5432 20 | name: postgres 21 | - port: 9187 22 | name: metrics 23 | type: ClusterIP 24 | selector: 25 | app.kubernetes.io/instance: {{ $.Release.Name }}-postgres 26 | {{- end -}} 27 | {{- end -}} 28 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/postgres/service_monitor.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2025 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- with .Values.postgres -}} 8 | {{- if (include "element-io.postgres.enabled" (dict "root" $)) }} 9 | {{- if $.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor" }} 10 | {{- if .serviceMonitors.enabled }} 11 | apiVersion: monitoring.coreos.com/v1 12 | kind: ServiceMonitor 13 | metadata: 14 | labels: 15 | {{- include "element-io.postgres.labels" (dict "root" $ "context" .) | nindent 4 }} 16 | name: {{ $.Release.Name }}-postgres 17 | namespace: {{ $.Release.Namespace }} 18 | spec: 19 | endpoints: 20 | - interval: 30s 21 | port: metrics 22 | selector: 23 | matchLabels: 24 | app.kubernetes.io/instance: {{ $.Release.Name }}-postgres 25 | {{- end }} 26 | {{- end }} 27 | {{- end -}} 28 | {{- end -}} 29 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/postgres/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2025 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | {{- with $.Values.postgres -}} 7 | {{- if (include "element-io.postgres.enabled" (dict "root" $)) }} 8 | {{- include "element-io.ess-library.serviceAccount" (dict "root" $ "context" (dict "componentValues" . 
"nameSuffix" "postgres")) }} 9 | {{- end }} 10 | {{- end }} 11 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/synapse/redis_configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2024 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- with .Values.synapse -}} 8 | {{- if .enabled -}} 9 | {{- if (include "element-io.synapse.enabledWorkers" (dict "root" $)) | fromJson }} 10 | {{- with .redis -}} 11 | apiVersion: v1 12 | kind: ConfigMap 13 | metadata: 14 | labels: 15 | {{- include "element-io.synapse-redis.labels" (dict "root" $ "context" .) | nindent 4 }} 16 | name: {{ $.Release.Name }}-synapse-redis 17 | namespace: {{ $.Release.Namespace }} 18 | data: 19 | {{- include "element-io.synapse-redis.configmap-data" (dict "root" $) | nindent 2 }} 20 | {{- end }} 21 | {{- end -}} 22 | {{- end -}} 23 | {{- end -}} 24 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/synapse/redis_service.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2024 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- with .Values.synapse -}} 8 | {{- if .enabled -}} 9 | {{- if (include "element-io.synapse.enabledWorkers" (dict "root" $)) | fromJson }} 10 | {{- with .redis -}} 11 | apiVersion: v1 12 | kind: Service 13 | metadata: 14 | labels: 15 | {{- include "element-io.synapse-redis.labels" (dict "root" $ "context" .) 
| nindent 4 }} 16 | name: {{ $.Release.Name }}-synapse-redis 17 | namespace: {{ $.Release.Namespace }} 18 | spec: 19 | ports: 20 | - port: 6379 21 | targetPort: redis 22 | name: redis 23 | selector: 24 | app.kubernetes.io/instance: "{{ $.Release.Name }}-synapse-redis" 25 | {{- end }} 26 | {{- end -}} 27 | {{- end -}} 28 | {{- end -}} 29 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/synapse/redis_serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2024 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- with .Values.synapse -}} 8 | {{- if .enabled -}} 9 | {{- if (include "element-io.synapse.enabledWorkers" (dict "root" $)) | fromJson }} 10 | {{- with .redis -}} 11 | {{- include "element-io.ess-library.serviceAccount" (dict "root" $ "context" (dict "componentValues" . "nameSuffix" "synapse-redis")) }} 12 | {{- end }} 13 | {{- end -}} 14 | {{- end -}} 15 | {{- end -}} 16 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/synapse/synapse_configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2024 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- with .Values.synapse -}} 8 | {{- if .enabled -}} 9 | apiVersion: v1 10 | kind: ConfigMap 11 | metadata: 12 | labels: 13 | {{- include "element-io.synapse.labels" (dict "root" $ "context" .) 
| nindent 4 }} 14 | name: {{ include "element-io.synapse.configmap-name" (dict "root" $ "context" (dict "isHook" false)) }} 15 | namespace: {{ $.Release.Namespace }} 16 | data: 17 | {{- include "element-io.synapse.configmap-data" (dict "root" $ "context" (dict "isHook" false)) | nindent 2 }} 18 | {{- end -}} 19 | {{- end -}} 20 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/synapse/synapse_configmap_hook.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2025 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- with .Values.synapse -}} 8 | {{- if and .enabled (or .checkConfigHook.enabled 9 | (and $.Values.matrixAuthenticationService.enabled 10 | $.Values.matrixAuthenticationService.syn2mas.enabled)) -}} 11 | apiVersion: v1 12 | kind: ConfigMap 13 | metadata: 14 | labels: 15 | {{- include "element-io.synapse-check-config.labels" (dict "root" $ "context" .) 
| nindent 4 }} 16 | annotations: 17 | "helm.sh/hook": pre-install,pre-upgrade 18 | "helm.sh/hook-weight": "-5" 19 | name: {{ include "element-io.synapse.configmap-name" (dict "root" $ "context" (dict "isHook" true)) }} 20 | namespace: {{ $.Release.Namespace }} 21 | data: 22 | {{- include "element-io.synapse.configmap-data" (dict "root" $ "context" (dict "isHook" true)) | nindent 2 }} 23 | {{- end -}} 24 | {{- end -}} 25 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/synapse/synapse_haproxy_configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2024 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- if $.Values.synapse.enabled -}} 8 | {{- with .Values.synapse -}} 9 | apiVersion: v1 10 | kind: ConfigMap 11 | metadata: 12 | labels: 13 | {{- include "element-io.synapse.labels" (dict "root" $ "context" .) | nindent 4 }} 14 | name: {{ $.Release.Name }}-synapse-haproxy 15 | namespace: {{ $.Release.Namespace }} 16 | data: 17 | {{- include "element-io.synapse-haproxy.configmap-data" (dict "root" $) | nindent 2 -}} 18 | {{- end -}} 19 | {{- end -}} 20 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/synapse/synapse_http_service.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2024 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- with $.Values.synapse -}} 8 | {{- if .enabled -}} 9 | apiVersion: v1 10 | kind: Service 11 | metadata: 12 | labels: 13 | {{- include "element-io.synapse-ingress.labels" (dict "root" $ "context" $.Values.haproxy) | nindent 4 }} 14 | name: {{ $.Release.Name }}-synapse 15 | namespace: {{ $.Release.Namespace }} 16 | spec: 17 | type: {{ .ingress.service.type | default $.Values.ingress.service.type }} 18 | ports: 19 | - name: 
haproxy-synapse 20 | port: 8008 21 | targetPort: haproxy-synapse 22 | - name: haproxy-403 23 | port: 8009 24 | targetPort: haproxy-403 25 | selector: 26 | app.kubernetes.io/instance: "{{ $.Release.Name }}-haproxy" 27 | {{- end -}} 28 | {{- end -}} 29 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/synapse/synapse_persistentvolumeclaim.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2024 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- with .Values.synapse -}} 8 | {{- if .enabled -}} 9 | {{- if not .media.storage.existingClaim }} 10 | apiVersion: v1 11 | kind: PersistentVolumeClaim 12 | metadata: 13 | annotations: 14 | helm.sh/resource-policy: {{ .media.storage.resourcePolicy }} 15 | labels: 16 | {{- include "element-io.synapse.labels" (dict "root" $ "context" .) | nindent 4 }} 17 | name: {{ $.Release.Name }}-synapse-media 18 | namespace: {{ $.Release.Namespace }} 19 | spec: 20 | {{- with .media.storage.storageClassName }} 21 | storageClassName: {{ . }} 22 | {{- end }} 23 | accessModes: 24 | - ReadWriteOnce 25 | resources: 26 | requests: 27 | storage: {{ .media.storage.size }} 28 | {{- end }} 29 | {{- end -}} 30 | {{- end -}} 31 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/synapse/synapse_secret.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2024-2025 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- with .Values.synapse -}} 8 | {{- if .enabled -}} 9 | apiVersion: v1 10 | kind: Secret 11 | type: Opaque 12 | metadata: 13 | labels: 14 | {{- include "element-io.synapse.labels" (dict "root" $ "context" .) 
| nindent 4 }} 15 | name: {{ include "element-io.synapse.secret-name" (dict "root" $ "context" (dict "isHook" false)) }} 16 | namespace: {{ $.Release.Namespace }} 17 | {{- include "element-io.synapse.secret-data" (dict "root" $ "context" .) -}} 18 | {{- end -}} 19 | {{- end -}} 20 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/synapse/synapse_secret_hook.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2025 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- with .Values.synapse -}} 8 | {{- if and .enabled (or .checkConfigHook.enabled 9 | (and $.Values.matrixAuthenticationService.enabled 10 | $.Values.matrixAuthenticationService.syn2mas.enabled)) -}} 11 | apiVersion: v1 12 | kind: Secret 13 | type: Opaque 14 | metadata: 15 | labels: 16 | {{- include "element-io.synapse-check-config.labels" (dict "root" $ "context" .) | nindent 4 }} 17 | name: {{ include "element-io.synapse.secret-name" (dict "root" $ "context" (dict "isHook" true)) }} 18 | namespace: {{ $.Release.Namespace }} 19 | annotations: 20 | "helm.sh/hook": pre-install,pre-upgrade 21 | "helm.sh/hook-weight": "-5" 22 | {{- include "element-io.synapse.secret-data" (dict "root" $ "context" .) 
-}} 23 | {{- end -}} 24 | {{- end -}} 25 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/synapse/synapse_service_monitor.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2024 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- with .Values.synapse -}} 8 | {{- if .enabled -}} 9 | {{- if $.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor" }} 10 | {{- if .serviceMonitors.enabled }} 11 | apiVersion: monitoring.coreos.com/v1 12 | kind: ServiceMonitor 13 | metadata: 14 | labels: 15 | {{- include "element-io.synapse.labels" (dict "root" $ "context" .) | nindent 4 }} 16 | name: {{ $.Release.Name }}-synapse 17 | namespace: {{ $.Release.Namespace }} 18 | spec: 19 | endpoints: 20 | - interval: 30s 21 | port: synapse-metrics 22 | relabelings: 23 | - targetLabel: instance 24 | action: replace 25 | replacement: {{ tpl .ingress.host $ }} 26 | selector: 27 | matchLabels: 28 | app.kubernetes.io/part-of: matrix-stack 29 | app.kubernetes.io/component: matrix-server 30 | k8s.element.io/synapse-instance: {{ $.Release.Name }}-synapse 31 | {{- end }} 32 | {{- end }} 33 | {{- end -}} 34 | {{- end -}} 35 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/synapse/synapse_serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2024 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- with $.Values.synapse -}} 8 | {{- if .enabled -}} 9 | {{- include "element-io.ess-library.serviceAccount" (dict "root" $ "context" (dict "componentValues" . 
"nameSuffix" "synapse")) }} 10 | {{- end -}} 11 | {{- end -}} 12 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/synapse/synapse_serviceaccount_hook.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2025 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- with .Values.synapse -}} 8 | {{- if .enabled }} 9 | {{- with .checkConfigHook }} 10 | {{ if and .enabled -}} 11 | {{- include "element-io.ess-library.serviceAccount" (dict "root" $ "context" (dict "componentValues" . "nameSuffix" "synapse-check-config" "extraAnnotations" (dict "helm.sh/hook" "pre-install,pre-upgrade" "helm.sh/hook-weight" "0"))) }} 12 | {{- end -}} 13 | {{- end -}} 14 | {{- end -}} 15 | {{- end -}} 16 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/well-known/configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2023-2024 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- with $.Values.wellKnownDelegation -}} 8 | {{- if .enabled -}} 9 | apiVersion: v1 10 | kind: ConfigMap 11 | metadata: 12 | labels: 13 | {{- include "element-io.well-known-delegation.labels" (dict "root" $ "context" .) | nindent 4 }} 14 | name: {{ $.Release.Name }}-well-known-haproxy 15 | namespace: {{ $.Release.Namespace }} 16 | data: 17 | {{- include "element-io.well-known-delegation.configmap-data" (dict "root" $ "context" .) 
| nindent 2 }} 18 | {{- end -}} 19 | {{- end -}} 20 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/well-known/service.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2024 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{- with $.Values.wellKnownDelegation -}} 8 | {{- if .enabled -}} 9 | apiVersion: v1 10 | kind: Service 11 | metadata: 12 | labels: 13 | {{- include "element-io.well-known-delegation-ingress.labels" (dict "root" $ "context" $.Values.haproxy) | nindent 4 }} 14 | name: {{ $.Release.Name }}-well-known 15 | namespace: {{ $.Release.Namespace }} 16 | spec: 17 | type: {{ .ingress.service.type | default $.Values.ingress.service.type }} 18 | ports: 19 | - name: haproxy-wkd 20 | port: 8010 21 | targetPort: haproxy-wkd 22 | selector: 23 | app.kubernetes.io/instance: "{{ $.Release.Name }}-haproxy" 24 | {{- end -}} 25 | {{- end -}} 26 | -------------------------------------------------------------------------------- /charts/matrix-stack/templates/z_validation/validation.txt: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Copyright 2025 New Vector Ltd 3 | 4 | SPDX-License-Identifier: AGPL-3.0-only 5 | */ -}} 6 | 7 | {{ $messages := list }} 8 | 9 | {{- with $.Values.elementWeb }} 10 | {{- if .enabled }} 11 | {{- $messages = concat $messages (include "element-io.element-web.validations" (dict "root" $ "context" .) | fromJsonArray) }} 12 | {{- end }} 13 | {{- end }} 14 | 15 | {{- with $.Values.matrixAuthenticationService }} 16 | {{- if .enabled }} 17 | {{- $messages = concat $messages (include "element-io.matrix-authentication-service.validations" (dict "root" $ "context" .) 
| fromJsonArray) }} 18 | {{- end }} 19 | {{- end }} 20 | 21 | {{- with $.Values.matrixRTC }} 22 | {{- if .enabled }} 23 | {{- $messages = concat $messages (include "element-io.matrix-rtc.validations" (dict "root" $ "context" .) | fromJsonArray) }} 24 | {{- end }} 25 | {{- end }} 26 | 27 | {{- with $.Values.synapse }} 28 | {{- if .enabled }} 29 | {{- $messages = concat $messages (include "element-io.synapse.validations" (dict "root" $ "context" .) | fromJsonArray) }} 30 | {{- end }} 31 | {{- end }} 32 | 33 | {{- with $.Values.wellKnownDelegation }} 34 | {{- if .enabled }} 35 | {{- $messages = concat $messages (include "element-io.well-known-delegation.validations" (dict "root" $ "context" .) | fromJsonArray) }} 36 | {{- end }} 37 | {{- end }} 38 | 39 | {{- if gt (len $messages) 0 }} 40 | {{ fail (printf "\n- %s" ($messages | join "\n- " )) }} 41 | {{- end }} 42 | -------------------------------------------------------------------------------- /charts/matrix-stack/user_values/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/element-hq/ess-helm/e3d5883c57edd2cd8ba24afbda7bef744125979d/charts/matrix-stack/user_values/.gitkeep -------------------------------------------------------------------------------- /ct.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2024 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | --- 6 | all: true 7 | chart-dirs: 8 | - charts 9 | check-version-increment: false 10 | helm-dependency-extra-args: 11 | - --skip-refresh 12 | validate-maintainers: false 13 | -------------------------------------------------------------------------------- /docker-bake.hcl: -------------------------------------------------------------------------------- 1 | // Copyright 2025 New Vector Ltd 2 | // 3 | // SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | // Targets filled by GitHub Actions: one for the regular tag 6 
| target "docker-metadata-action" {} 7 | 8 | target "matrix-tools" { 9 | inherits = ["docker-metadata-action"] 10 | dockerfile = "Dockerfile" 11 | context = "./matrix-tools" 12 | } 13 | -------------------------------------------------------------------------------- /docs/assets/images/Architecture.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/element-hq/ess-helm/e3d5883c57edd2cd8ba24afbda7bef744125979d/docs/assets/images/Architecture.png -------------------------------------------------------------------------------- /docs/assets/images/ESS-Community-architecture--dark.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/element-hq/ess-helm/e3d5883c57edd2cd8ba24afbda7bef744125979d/docs/assets/images/ESS-Community-architecture--dark.png -------------------------------------------------------------------------------- /docs/assets/images/ESS-Community-architecture--light.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/element-hq/ess-helm/e3d5883c57edd2cd8ba24afbda7bef744125979d/docs/assets/images/ESS-Community-architecture--light.png -------------------------------------------------------------------------------- /docs/assets/images/Element-Server-Suite-Community--dark.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/element-hq/ess-helm/e3d5883c57edd2cd8ba24afbda7bef744125979d/docs/assets/images/Element-Server-Suite-Community--dark.png -------------------------------------------------------------------------------- /docs/assets/images/Element-Server-Suite-Community--light.png: -------------------------------------------------------------------------------- 
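# Copyright 2025 New Vector Ltd
#
# SPDX-License-Identifier: AGPL-3.0-only

# Build stage. NOTE(review): golang:1.24 is a floating tag; for a reproducible,
# attestable supply chain pin it by digest (golang:1.24@sha256:...) and let
# dependabot bump the digest.
FROM --platform=${BUILDPLATFORM} golang:1.24 AS buildstage

WORKDIR /app

# Copy the module files on their own first so the dependency download layer is
# cached independently of source edits (COPY . before `go mod download`
# invalidated that layer on every change).
COPY go.mod go.sum /app/
RUN go mod download

COPY . /app

ARG TARGETOS TARGETARCH
# CGO_ENABLED=0 produces a fully static binary; -trimpath strips build-host
# paths so the binary is identical regardless of where it was built.
RUN GOOS=$TARGETOS GOARCH=$TARGETARCH CGO_ENABLED=0 go build -trimpath -o /app/matrix-tools cmd/main.go

# The binary is statically linked, so the C runtime shipped by distroless/cc is
# dead weight (and attack surface). static-debian12 carries only CA
# certificates, tzdata and /etc/passwd, which is all a CGO-free Go binary needs.
FROM gcr.io/distroless/static-debian12
WORKDIR /

COPY --from=buildstage --chmod=0755 /app/matrix-tools /
EXPOSE 8443
ENTRYPOINT ["/matrix-tools"]

# Run unprivileged. 30000 has no passwd entry in the image; that is fine for a
# Go binary and avoids colliding with distroless' own nonroot (65532) uid.
USER 30000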
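// Copyright 2025 New Vector Ltd
//
// SPDX-License-Identifier: AGPL-3.0-only

package secret

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// SigningKey is an ed25519 Synapse signing key: algorithm name, key version
// and the 32-byte private seed.
type SigningKey struct {
	Alg     string
	Version int
	Key     []byte
}

// generateSigningKey creates a fresh ed25519 signing key with the given
// version, drawing the seed from the operating system CSPRNG (crypto/rand).
//
// SECURITY: the previous implementation seeded math/rand with the constant 0
// (rand.New(rand.NewSource(0))), so ed25519.GenerateKey returned the same key
// on every run -- every server provisioned through this code shared one
// publicly derivable federation signing key. A signing key must come from
// crypto/rand.Reader; never pass a seedable PRNG here.
func generateSigningKey(version int) (*SigningKey, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, fmt.Errorf("failed to generate key: %w", err)
	}

	// ed25519.PrivateKey is seed (32 bytes) || public key (32 bytes);
	// Synapse's signing.key format stores only the 32-byte seed.
	key := make([]byte, ed25519.SeedSize)
	copy(key, priv.Seed())

	return &SigningKey{
		Alg:     "ed25519",
		Version: version,
		Key:     key,
	}, nil
}

// encodeSigningKeyBase64 returns the seed as standard (padded) base64.
func encodeSigningKeyBase64(key *SigningKey) string {
	return base64.StdEncoding.EncodeToString(key.Key)
}

// generateSynapseSigningKey returns one line in Synapse's signing.key file
// format, "<alg> <version> <base64 seed>\n", using key version 0.
func generateSynapseSigningKey() (string, error) {
	signingKey, err := generateSigningKey(0)
	if err != nil {
		return "", fmt.Errorf("failed to generate signing key: %w", err)
	}

	return fmt.Sprintf("%s %d %s\n", signingKey.Alg, signingKey.Version, encodeSigningKeyBase64(signingKey)), nil
}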
// Copyright 2025 New Vector Ltd
//
// SPDX-License-Identifier: AGPL-3.0-only

// Package tcpwait blocks until a TCP endpoint accepts connections.
package tcpwait

import (
	"fmt"
	"net"
	"os"
	"time"
)

// WaitForTCP blocks until a TCP connection to address ("host:port") succeeds,
// retrying once per second with a 5 s dial timeout and printing a line before
// every attempt. It never gives up on its own: the caller (e.g. an init
// container) must rely on an external deadline. A successful dial only proves
// that something accepts connections on that port -- not that it is the
// intended service, nor that it is healthy. The probe connection is closed
// immediately; a close failure is printed and terminates the process with
// status 1.
func WaitForTCP(address string) {
	const dialTimeout = 5 * time.Second
	const retryDelay = time.Second

	for {
		fmt.Println("Waiting for TCP connection on " + address)
		conn, dialErr := net.DialTimeout("tcp", address, dialTimeout)
		if dialErr != nil {
			time.Sleep(retryDelay)
			continue
		}
		if closeErr := conn.Close(); closeErr != nil {
			fmt.Println(closeErr)
			os.Exit(1)
		}
		return
	}
}
14 | func TestTCPWait(t *testing.T) { 15 | // Start a local TCP server in a goroutine 16 | listener, err := net.Listen("tcp", "localhost:0") 17 | if err != nil { 18 | t.Fatalf("Failed to start listener: %v", err) 19 | } 20 | defer func() { 21 | if err = listener.Close(); err != nil { 22 | t.Fatalf("Failed to close listener: %v", err) 23 | } 24 | }() 25 | 26 | // Get the address of the local TCP server 27 | serverAddr := listener.Addr().String() 28 | 29 | // Start a goroutine to handle incoming connections and close them immediately 30 | go func() { 31 | conn, err := listener.Accept() 32 | if err != nil { 33 | t.Errorf("Accept error: %v", err) 34 | return 35 | } 36 | defer func() { 37 | if err = conn.Close(); err != nil { 38 | fmt.Printf("Close error: %v", err) 39 | } 40 | }() 41 | }() 42 | 43 | // Call the tcpwait function with the server address and timeout 44 | WaitForTCP(serverAddr) 45 | } 46 | -------------------------------------------------------------------------------- /newsfragments/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/element-hq/ess-helm/e3d5883c57edd2cd8ba24afbda7bef744125979d/newsfragments/.gitkeep -------------------------------------------------------------------------------- /newsfragments/454.added.md: -------------------------------------------------------------------------------- 1 | Add support for Syn2Mas migration. See `matrixAuthenticationService.syn2mas` documentation in values file for more information. 2 | -------------------------------------------------------------------------------- /newsfragments/519.changed.md: -------------------------------------------------------------------------------- 1 | Name secrets mounted based on a hash of their names instead of an index. 
2 | -------------------------------------------------------------------------------- /newsfragments/521.internal.md: -------------------------------------------------------------------------------- 1 | CI: Dont pass `go-version` to golanglint-ci action. 2 | -------------------------------------------------------------------------------- /newsfragments/523.internal.md: -------------------------------------------------------------------------------- 1 | CI: Truncate added files in dyff comment. 2 | -------------------------------------------------------------------------------- /newsfragments/524.internal.md: -------------------------------------------------------------------------------- 1 | CI: Test chart upgrades. 2 | -------------------------------------------------------------------------------- /newsfragments/525.internal.md: -------------------------------------------------------------------------------- 1 | CI: Run mypy against integration tests. 2 | -------------------------------------------------------------------------------- /newsfragments/526.changed.md: -------------------------------------------------------------------------------- 1 | matrix-tools: Update to 0.5.1 to support syn2mas migration command. 2 | -------------------------------------------------------------------------------- /newsfragments/526.internal.md: -------------------------------------------------------------------------------- 1 | Make sure that all synapse pods are down after the statefulset does not have any available replicas. 2 | -------------------------------------------------------------------------------- /newsfragments/527.internal.md: -------------------------------------------------------------------------------- 1 | Add support for Syn2Mas migration. See `matrixAuthenticationService.syn2mas` documentation in values file for more information. 
2 | -------------------------------------------------------------------------------- /poetry.toml: -------------------------------------------------------------------------------- 1 | # Copyright 2024 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | [virtualenvs] 6 | create = true 7 | in-project = true 8 | -------------------------------------------------------------------------------- /scripts/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/element-hq/ess-helm/e3d5883c57edd2cd8ba24afbda7bef744125979d/scripts/__init__.py -------------------------------------------------------------------------------- /scripts/assemble_helm_charts_from_fragments.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # Copyright 2024-2025 New Vector Ltd 4 | # 5 | # SPDX-License-Identifier: AGPL-3.0-only 6 | 7 | set -euo pipefail 8 | 9 | [ "$#" -ne 0 ] && echo "Usage: assemble_helm_charts_from_fragments.sh" && exit 1 10 | 11 | scripts_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) 12 | chart_root=$( cd "$scripts_dir/../charts" &> /dev/null && pwd ) 13 | 14 | function assemble_helm_chart_from_fragments() { 15 | chart_dir="$1" 16 | 17 | [ ! -d "$chart_dir" ] && echo "$chart_dir must be a directory that exists" && exit 1 18 | [ ! -f "$chart_dir/Chart.yaml" ] && echo "Chart.yaml not found in $chart_dir" && exit 1 19 | [ ! -d "$chart_dir/source" ] && echo "$chart_dir/source must be a directory that exists" && exit 1 20 | [ ! 
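#!/usr/bin/env python3

# Copyright 2025 New Vector Ltd
#
# SPDX-License-Identifier: AGPL-3.0-only

"""Exit 0 if the single argument is a valid semantic version, 1 otherwise."""

import sys

import semver


def main(argv: list[str]) -> int:
    """Validate ``argv[1]`` as semver and return the process exit status.

    Returns 1 with a usage line on stderr when the argument is missing (the
    previous version crashed with an IndexError, which reads as a script bug
    rather than a CI failure), and 1 with a message on stdout when the
    argument is not a valid semver string.
    """
    if len(argv) != 2:
        print("Usage: check_semver.py <version>", file=sys.stderr)
        return 1
    version = argv[1]
    if semver.Version.is_valid(version):
        return 0
    print(f"Version {version} is not semver")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))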
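#!/usr/bin/env python3

# Copyright 2024 New Vector Ltd
#
# SPDX-License-Identifier: AGPL-3.0-only

"""Render charts/matrix-stack/source/values.yaml.j2 into a plain values.yaml."""

from pathlib import Path

import typer
from jinja2 import Environment, FileSystemLoader


def find_sub_dirs(root_dir: Path | str) -> list[Path]:
    """Return every directory below ``root_dir`` (recursively), in rglob order."""
    return [path for path in Path(root_dir).rglob("*") if path.is_dir()]


def construct_values_file(source_values_template_path: Path, destination_values_path: Path) -> None:
    """Render ``source_values_template_path`` and write the result to ``destination_values_path``.

    The loader search path is the template's own directory followed by the
    chart's ``source`` tree and all of its subdirectories, so fragments can be
    included by bare file name from anywhere under ``source``.
    """
    charts_path = Path(__file__).parent.parent / "charts" / "matrix-stack" / "source"

    env = Environment(
        loader=FileSystemLoader(
            [
                source_values_template_path.parent,
                charts_path,
                *find_sub_dirs(charts_path),
            ]
        ),
        # The output is YAML, not HTML: expression results must never be
        # HTML-escaped. The previous code passed the *uncalled*
        # ``select_autoescape`` function; Jinja treats a callable as a
        # per-template predicate, and what that call returns is itself a
        # (truthy) function, so escaping was effectively switched on.
        autoescape=False,
        keep_trailing_newline=True,
    )
    template = env.get_template(source_values_template_path.name)

    with open(destination_values_path, "w", encoding="utf-8") as destination_values_file:
        destination_values_file.write(template.render())


def main() -> None:
    """CLI entry point: ``construct_helm_values.py <template.j2> <values.yaml>``."""
    typer.run(construct_values_file)


if __name__ == "__main__":
    main()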
-type f -name '*.tpl' -exec grep -nE '\{\{[^}]*\$[^a-zA-Z0-9_][^}]*\}\}' {} + && { 14 | echo 'Error: $ is used in a .tpl files, but helm passes the local context to the special variable $ in included templates.'; exit 1 15 | } || echo "OK." 16 | 17 | find . '(' -type f -name '*.tpl' -o -name '*.yaml' ')' -exec grep -nE '\{\{[^}]*merge\s[^}]*\}\}' {} + && { 18 | echo 'Error: merge function is used in a .yaml or .tpl files, but helm does not merge boolean properly : https://github.com/helm/helm/issues/5238. Use mustMergeOverwrite instead.'; exit 1 19 | } || echo "OK." 20 | 21 | # Call the ct lint command and stream the output to stdout 22 | if ct lint "$@" 2>&1 | tee "$temp_output_file" 23 | then 24 | # Check if there are any "[INFO] Fail:" lines in the output 25 | (grep -q '\[INFO\] Fail:' "$temp_output_file") || \ 26 | (grep -q '\[INFO\] Missing required value:' "$temp_output_file") ||\ 27 | error=0 28 | fi 29 | 30 | if [ "$error" -eq 1 ]; then 31 | # If found, exit with status code 1 32 | echo "Errors were raised while running ct lint, exiting with error" 33 | echo "------------------" 34 | grep '\[INFO\] Fail:' "$temp_output_file" 35 | grep '\[INFO\] Missing required value:' "$temp_output_file" 36 | fi 37 | 38 | rm "$temp_output_file" 39 | exit $error 40 | -------------------------------------------------------------------------------- /scripts/destroy_test_cluster.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # Copyright 2024 New Vector Ltd 4 | # 5 | # SPDX-License-Identifier: AGPL-3.0-only 6 | 7 | set -e 8 | 9 | kind_cluster_name="ess-helm" 10 | 11 | if kind get clusters 2> /dev/null| grep "$kind_cluster_name"; then 12 | kind delete cluster --name $kind_cluster_name 13 | else 14 | echo "Kind cluster ${kind_cluster_name} already destoryed" 15 | fi 16 | 17 | if docker ps -a | grep "${kind_cluster_name}-registry"; then 18 | docker stop "${kind_cluster_name}-registry" || true 19 | docker rm 
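#!/usr/bin/env python3

# Copyright 2024 New Vector Ltd
#
# SPDX-License-Identifier: AGPL-3.0-only

"""Print a fresh ed25519 Synapse signing key and its verify key to stdout.

The first line is the *private* signing key in Synapse's ``signing.key`` file
format ("<alg> <version> <base64 seed>"); treat the output as a secret and do
not paste it into tickets, chat or CI logs.
"""

import signedjson.key

signing_key = signedjson.key.generate_signing_key(0)
print(f"Signing key: {signing_key.alg} {signing_key.version} {signedjson.key.encode_signing_key_base64(signing_key)}")

# Build the verify-key line from a named variable rather than a backslash
# continuation inside the f-string: the continuation kept the next line's
# leading indentation as literal spaces in the printed output.
verify_key_b64 = signedjson.key.encode_verify_key_base64(signing_key.verify_key)
print(f"Verify key: {signing_key.alg} {signing_key.version} {verify_key_b64}")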
"$chart_dir/Chart.yaml" 25 | # REUSE-IgnoreStart 26 | reuse annotate --copyright="Copyright 2024-$(date +%Y) New Vector Ltd" --license "AGPL-3.0-only" "$chart_dir/Chart.yaml" 27 | # REUSE-IgnoreEnd 28 | } 29 | 30 | [ ! -d "$chart_root" ] && echo "$chart_root must be a directory that exists" && exit 1 31 | 32 | set_chart_version "$chart_root"/matrix-stack 33 | -------------------------------------------------------------------------------- /scripts/testdata/schema_construction/invalid_sub_schema1.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "not-an-object" 3 | } 4 | -------------------------------------------------------------------------------- /scripts/testdata/schema_construction/invalid_sub_schema2.json: -------------------------------------------------------------------------------- 1 | { 2 | "$ref": "file://sub_schema1.json" 3 | } 4 | -------------------------------------------------------------------------------- /scripts/testdata/schema_construction/schema.json: -------------------------------------------------------------------------------- 1 | { 2 | "$id": "file://matrix-stack/charts/element-web", 3 | "$schema": "https://json-schema.org/draft/2020-12/schema", 4 | "type": "object", 5 | "properties": { 6 | "merged": { 7 | "$ref": "file://sub_schema1.json" 8 | }, 9 | "presentDirectly": { 10 | "type": "object" 11 | } 12 | } 13 | } 14 | -------------------------------------------------------------------------------- /scripts/testdata/schema_construction/sub_schema1.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "object", 3 | "properties": { 4 | "first": { 5 | "type": "string" 6 | }, 7 | "second": { 8 | "type": "string" 9 | } 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /tests/integration/__init__.py: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/element-hq/ess-helm/e3d5883c57edd2cd8ba24afbda7bef744125979d/tests/integration/__init__.py -------------------------------------------------------------------------------- /tests/integration/artifacts/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright 2024 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | from .certs import CertKey, generate_ca, generate_cert, get_ca 6 | 7 | __all__ = ["get_ca", "generate_ca", "generate_cert", "CertKey"] 8 | -------------------------------------------------------------------------------- /tests/integration/artifacts/files/minimal.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/element-hq/ess-helm/e3d5883c57edd2cd8ba24afbda7bef744125979d/tests/integration/artifacts/files/minimal.png -------------------------------------------------------------------------------- /tests/integration/artifacts/files/minimal.png.license: -------------------------------------------------------------------------------- 1 | Copyright 2024 New Vector Ltd 2 | 3 | SPDX-License-Identifier: AGPL-3.0-only 4 | -------------------------------------------------------------------------------- /tests/integration/conftest.py: -------------------------------------------------------------------------------- 1 | # Copyright 2024 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | pytest_plugins = [ 6 | "integration.fixtures", 7 | ] 8 | -------------------------------------------------------------------------------- /tests/integration/env/element-web.rc: -------------------------------------------------------------------------------- 1 | # Copyright 2024 New Vector Ltd 2 | # 3 | # SPDX-License-Identifier: AGPL-3.0-only 4 | 5 | export TEST_VALUES_FILE=charts/matrix-stack/ci/pytest-element-web-values.yaml 6 | 
--------------------------------------------------------------------------------
/tests/integration/env/matrix-authentication-service-syn2mas.rc:
--------------------------------------------------------------------------------
# Copyright 2025 New Vector Ltd
#
# SPDX-License-Identifier: AGPL-3.0-only

# Values file the integration test run is pointed at for the syn2mas scenario.
export TEST_VALUES_FILE=charts/matrix-stack/ci/pytest-matrix-authentication-service-syn2mas-values.yaml

--------------------------------------------------------------------------------
/tests/integration/env/matrix-authentication-service.rc:
--------------------------------------------------------------------------------
# Copyright 2025 New Vector Ltd
#
# SPDX-License-Identifier: AGPL-3.0-only

# Values file the integration test run is pointed at for the Matrix Authentication Service scenario.
export TEST_VALUES_FILE=charts/matrix-stack/ci/pytest-matrix-authentication-service-values.yaml

--------------------------------------------------------------------------------
/tests/integration/env/matrix-rtc-standalone.rc:
--------------------------------------------------------------------------------
# Copyright 2025 New Vector Ltd
#
# SPDX-License-Identifier: AGPL-3.0-only

# Values file the integration test run is pointed at for the standalone Matrix RTC scenario.
export TEST_VALUES_FILE=charts/matrix-stack/ci/pytest-matrix-rtc-standalone-values.yaml

--------------------------------------------------------------------------------
/tests/integration/env/matrix-rtc-synapse-wellknown.rc:
--------------------------------------------------------------------------------
# Copyright 2025 New Vector Ltd
#
# SPDX-License-Identifier: AGPL-3.0-only

# Values file the integration test run is pointed at for the Matrix RTC + Synapse + well-known scenario.
export TEST_VALUES_FILE=charts/matrix-stack/ci/pytest-matrix-rtc-synapse-wellknown-values.yaml

--------------------------------------------------------------------------------
/tests/integration/env/synapse.rc:
--------------------------------------------------------------------------------
# Copyright 2024 New Vector Ltd
#
# SPDX-License-Identifier: AGPL-3.0-only

# Values file the integration test run is pointed at for the Synapse scenario.
export TEST_VALUES_FILE=charts/matrix-stack/ci/pytest-synapse-values.yaml

--------------------------------------------------------------------------------
/tests/integration/env/well-known-delegation.rc:
--------------------------------------------------------------------------------
# Copyright 2024 New Vector Ltd
#
# SPDX-License-Identifier: AGPL-3.0-only

# Values file the integration test run is pointed at for the well-known delegation scenario.
export TEST_VALUES_FILE=charts/matrix-stack/ci/pytest-well-known-values.yaml

--------------------------------------------------------------------------------
/tests/integration/fixtures/__init__.py:
--------------------------------------------------------------------------------
# Copyright 2024-2025 New Vector Ltd
#
# SPDX-License-Identifier: AGPL-3.0-only

"""Single import point for the integration-test fixtures.

Each submodule owns one concern (test CA, cluster, generated data, Helm
installs, matrix-tools image, users); this module re-exports their fixtures
and pins the public surface in ``__all__``.
"""

from .ca import ca, ssl_context
from .cluster import cluster, ess_namespace, helm_client, ingress, kube_client, prometheus_operator_crds, registry
from .data import ESSData, generated_data
from .helm import helm_prerequisites, ingress_ready, matrix_stack, secrets_generated
from .matrix_tools import build_matrix_tools, loaded_matrix_tools
from .users import users

__all__ = [
    "build_matrix_tools",
    "ca",
    "cluster",
    "ess_namespace",
    "ESSData",
    "generated_data",
    "helm_client",
    "helm_prerequisites",
    "ingress",
    "ingress_ready",
    "kube_client",
    "loaded_matrix_tools",
    "matrix_stack",
    "prometheus_operator_crds",
    "registry",
    "secrets_generated",
    "ssl_context",
    "users",
]

--------------------------------------------------------------------------------
/tests/integration/fixtures/ca.py:
--------------------------------------------------------------------------------
# Copyright 2024 New Vector Ltd
#
# SPDX-License-Identifier: AGPL-3.0-only

import ssl

import pytest

from ..artifacts import get_ca


@pytest.fixture(autouse=True, scope="session")
async def ca():
    """Session-wide test CA.

    A root "ESS CA" is obtained first and an "ESS CA Delegated" CA is built
    from it via get_ca's second argument; the delegated CA is what tests get,
    so certificates the tests issue chain up to the root through it.
    """
    root_ca = get_ca("ESS CA")
    return get_ca("ESS CA Delegated", root_ca)


@pytest.fixture(scope="session")
async def ssl_context(ca) -> ssl.SSLContext:
    """Default-policy SSL context that additionally trusts the test CA bundle.

    ssl.create_default_context() keeps certificate and hostname verification
    enabled and loads the platform trust store; the test CA's PEM bundle is
    loaded on top so certificates issued under it verify as well.
    """
    context = ssl.create_default_context()
    context.load_verify_locations(cadata=ca.cert_bundle_as_pem())
    return context

--------------------------------------------------------------------------------
/tests/integration/fixtures/files/charts/cert-manager.yml:
--------------------------------------------------------------------------------
# Copyright 2024 New Vector Ltd
#
# SPDX-License-Identifier: AGPL-3.0-only

# Chart values for the cert-manager install the test cluster gets.
crds:
  enabled: true

--------------------------------------------------------------------------------
/tests/integration/fixtures/files/charts/ingress-nginx.yml:
--------------------------------------------------------------------------------
# Copyright 2024 New Vector Ltd
#
# SPDX-License-Identifier: AGPL-3.0-only

# Chart values for the ingress-nginx install the test cluster gets. Several
# settings below relax the controller's defaults for the throwaway test
# cluster and are not suitable as a template for a real deployment.
controller:
  ingressClassResource:
    default: true

  config:
    # HSTS off: the tests talk to a private test CA over non-public hostnames.
    hsts: false

  hostPort:
    enabled: true

  # Lets any Ingress object inject raw nginx configuration through snippet
  # annotations. Anyone who can create Ingresses in the cluster can then
  # reconfigure the controller, so keep this confined to the test cluster.
  allowSnippetAnnotations: true

  service:
    type: ClusterIP
    enabled: true

--------------------------------------------------------------------------------
/tests/integration/fixtures/files/charts/metrics-server.yml:
--------------------------------------------------------------------------------
# Copyright 2024 New Vector Ltd
#
# SPDX-License-Identifier: AGPL-3.0-only

# Chart values for the metrics-server install the test cluster gets.
args:
  # Skips verification of the kubelets' serving certificates; presumably the
  # test cluster's kubelets present self-signed certificates. Test-cluster only.
  - --kubelet-insecure-tls

--------------------------------------------------------------------------------
/tests/integration/fixtures/files/clusters/audit-policy.yml:
--------------------------------------------------------------------------------
# Copyright 2024 New Vector Ltd
#
# SPDX-License-Identifier: AGPL-3.0-only

# API server audit policy for the test cluster: one rule, so every request is
# logged at Metadata level (user, verb, resource, timestamp; no request or
# response bodies, which keeps Secret contents out of the audit log).
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  - level: Metadata
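--------------------------------------------------------------------------------
/tests/integration/fixtures/matrix_tools.py:
--------------------------------------------------------------------------------
# Copyright 2024 New Vector Ltd
#
# SPDX-License-Identifier: AGPL-3.0-only

import os
from pathlib import Path

import pytest
from python_on_whales import docker

# Tag the locally built matrix-tools image is given and pushed under; the
# "registry" fixture is expected to be serving localhost:5000 by then.
MATRIX_TOOLS_IMAGE = "localhost:5000/matrix-tools:pytest"


@pytest.fixture(autouse=True, scope="session")
async def build_matrix_tools():
    """Build the matrix-tools image from the repository's docker-bake.hcl.

    Only acts when BUILD_MATRIX_TOOLS is set in the environment; otherwise
    the fixture is a no-op. The image is loaded into the local docker daemon
    under MATRIX_TOOLS_IMAGE. Returns nothing; it exists for ordering.
    """
    # Until the image is made publicly available
    # In local runs we always have to build it
    if os.environ.get("BUILD_MATRIX_TOOLS"):
        # tests/integration/fixtures/matrix_tools.py -> four parents up is the repository root.
        project_folder = Path(__file__).parent.parent.parent.parent.resolve()
        docker.buildx.bake(
            files=str(project_folder / "docker-bake.hcl"),
            targets="matrix-tools",
            set={"*.tags": MATRIX_TOOLS_IMAGE},
            load=True,
        )


@pytest.fixture(autouse=True, scope="session")
async def loaded_matrix_tools(registry, build_matrix_tools):
    """Push the locally built image and return the coordinates to pin it by.

    Returns a dict with "repository", "registry", "digest" and "tag" when
    BUILD_MATRIX_TOOLS is set, and an empty dict otherwise. The digest is
    taken from the pushed image's repo digest, so the image can be referenced
    immutably rather than by the mutable "pytest" tag.

    Raises:
        RuntimeError: if the image has no repo digest after the push.
    """
    # Neither parameter is read: depending on `registry` and `build_matrix_tools`
    # only orders this fixture after the local registry is up and the image built.
    # Until the image is made publicly available
    # In local runs we always have to build it
    if not os.environ.get("BUILD_MATRIX_TOOLS"):
        return {}

    docker.push(MATRIX_TOOLS_IMAGE)
    matrix_tools = docker.image.inspect(MATRIX_TOOLS_IMAGE)
    if not matrix_tools.repo_digests:
        # Previously an opaque IndexError; name the actual problem instead.
        raise RuntimeError(f"{MATRIX_TOOLS_IMAGE} has no repo digest after push; cannot pin the image by digest")
    return {
        "repository": "matrix-tools",
        "registry": "localhost:5000",
        "digest": matrix_tools.repo_digests[0].split("@")[-1],
        "tag": "pytest",
    }

--------------------------------------------------------------------------------
/tests/integration/lib/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/element-hq/ess-helm/e3d5883c57edd2cd8ba24afbda7bef744125979d/tests/integration/lib/__init__.py
--------------------------------------------------------------------------------
/tests/integration/services/__init__.py: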
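--------------------------------------------------------------------------------
# Copyright 2024 New Vector Ltd
#
# SPDX-License-Identifier: AGPL-3.0-only

--------------------------------------------------------------------------------
/tests/integration/test_element_web.py:
--------------------------------------------------------------------------------
# Copyright 2024 New Vector Ltd
#
# SPDX-License-Identifier: AGPL-3.0-only

import pytest

from .fixtures import ESSData
from .lib.utils import aiohttp_get_json, value_file_has


@pytest.mark.skipif(value_file_has("elementWeb.enabled", False), reason="ElementWeb not deployed")
@pytest.mark.asyncio_cooperative
async def test_element_web_can_access_config_json(ingress_ready, generated_data: ESSData, ssl_context):
    """Element Web's config.json is served through the ingress over verified TLS.

    The fetch uses the session ssl_context (which trusts the test CA), and the
    `some_key.some_value` entry is checked against the test server name; that
    entry is presumably injected by the values file under test.
    """
    await ingress_ready("element-web")

    json_content = await aiohttp_get_json(f"https://element.{generated_data.server_name}/config.json", ssl_context)
    assert "some_key" in json_content
    assert json_content["some_key"]["some_value"] == f"https://test.{generated_data.server_name}"

--------------------------------------------------------------------------------
/tests/integration/test_pods.py:
--------------------------------------------------------------------------------
# Copyright 2025 New Vector Ltd
#
# SPDX-License-Identifier: AGPL-3.0-only


import pytest
from lightkube import AsyncClient
from lightkube import operators as op
from lightkube.resources.core_v1 import Pod

from .fixtures.data import ESSData


@pytest.mark.asyncio_cooperative
@pytest.mark.usefixtures("matrix_stack")
async def test_pods_run_as_gid_0(
    kube_client: AsyncClient,
    generated_data: ESSData,
):
    """Every Pod labelled app.kubernetes.io/part-of=matrix-stack sets runAsGroup 0.

    The check is on the Pod-level securityContext; a Pod without one fails the
    assertion rather than being skipped.
    """
    async for pod in kube_client.list(
        Pod, namespace=generated_data.ess_namespace, labels={"app.kubernetes.io/part-of": op.in_(["matrix-stack"])}
    ):
        assert pod.spec
        assert pod.spec.securityContext
        assert pod.metadata
        assert pod.spec.securityContext.runAsGroup == 0, f"{pod.metadata.name} is running with GID != 0"

--------------------------------------------------------------------------------
/tests/manifests/conftest.py:
--------------------------------------------------------------------------------
# Copyright 2024 New Vector Ltd
#
# SPDX-License-Identifier: AGPL-3.0-only

# Fixtures for the manifest tests (e.g. `templates`, `values`, `make_templates`) live in manifests.utils.
pytest_plugins = [
    "manifests.utils",
]

--------------------------------------------------------------------------------
/tests/manifests/test_annotations.py:
--------------------------------------------------------------------------------
# Copyright 2025 New Vector Ltd
#
# SPDX-License-Identifier: AGPL-3.0-only


import pytest

from . import values_files_to_test
from .utils import template_id


@pytest.mark.parametrize("values_file", values_files_to_test)
@pytest.mark.asyncio_cooperative
async def test_annotations_dont_contain_things_that_should_be_labels(templates):
    """No rendered object, nor the Pod template of a workload, carries k8s.element.io annotations.

    Such keys are expected to be labels. For Deployments, Jobs and StatefulSets
    the Pod template's own metadata is inspected separately from the
    workload's metadata.
    """
    for template in templates:
        annotations = template["metadata"].get("annotations", {})
        our_annotations = [key for key in annotations if "k8s.element.io" in key]
        assert len(our_annotations) == 0, (
            f"{template_id(template)} has {our_annotations=}. "
            "We should consistently use labels for k8s.element.io things"
        )

        if template["kind"] in ["Deployment", "Job", "StatefulSet"]:
            # The Pod template has its own metadata block; it was previously
            # read from the workload's metadata again, so Pod annotations were
            # never actually checked. `metadata` may be absent or empty.
            pod_metadata = template["spec"]["template"].get("metadata") or {}
            pod_annotations = pod_metadata.get("annotations") or {}
            our_pod_annotations = [key for key in pod_annotations if "k8s.element.io" in key]
            assert len(our_pod_annotations) == 0, (
                f"{template_id(template)} has {our_pod_annotations=} in its Pod spec. "
                "We should consistently use labels for k8s.element.io things"
            )

--------------------------------------------------------------------------------
/tests/manifests/test_configs.py:
--------------------------------------------------------------------------------
# Copyright 2025 New Vector Ltd
#
# SPDX-License-Identifier: AGPL-3.0-only

import base64
import json

import pytest
import yaml

from . import secret_values_files_to_test


@pytest.mark.parametrize("values_file", secret_values_files_to_test)
@pytest.mark.asyncio_cooperative
async def test_configs_are_valid(templates):
    """Every *.yaml/*.yml/*.json entry in a rendered ConfigMap or Secret parses to a non-empty document.

    Secret values are base64-decoded before parsing. Only the `data` field is
    inspected; a Secret rendered with `stringData` is not covered by this test.
    """
    for template in templates:
        if template["kind"] not in ["ConfigMap", "Secret"]:
            continue

        data = template.get("data")
        if not data:
            continue

        for key, value in data.items():
            if template["kind"] == "Secret":
                value = base64.b64decode(value)

            # yaml.safe_load keeps arbitrary tags out; an empty document parses to None and fails.
            if key.endswith((".yaml", ".yml")):
                assert yaml.safe_load(value) is not None, f"{template['kind']} key {key} is not a non-empty YAML document"
            elif key.endswith(".json"):
                assert json.loads(value) is not None, f"{template['kind']} key {key} is not a non-empty JSON document"

--------------------------------------------------------------------------------
/tests/manifests/test_matrix_authentication_service.py:
--------------------------------------------------------------------------------
# Copyright 2024-2025 New Vector Ltd
#
# SPDX-License-Identifier: AGPL-3.0-only

import pytest


@pytest.mark.parametrize("values_file", ["matrix-authentication-service-minimal-values.yaml"])
@pytest.mark.asyncio_cooperative
async def test_matrix_authentication_service_env_overrides(values, make_templates):
    """`extraEnv` adds variables to the MAS container but cannot override MAS_CONFIG.

    Only the first container of the Deployment is inspected, and only env
    entries with a literal `value` (a `valueFrom` entry would raise KeyError
    in the dict comprehension).
    """
    for template in await make_templates(values):
        if "matrix-authentication-service" in template["metadata"]["name"] and template["kind"] == "Deployment":
            env = {e["name"]: e["value"] for e in template["spec"]["template"]["spec"]["containers"][0]["env"]}
            assert env["MAS_CONFIG"] == "/conf/config.yaml"
            break
    else:
        raise RuntimeError("Could not find Matrix Authentication Service deployment")

    values["matrixAuthenticationService"]["extraEnv"] = [
        {"name": "MAS_CONFIG", "value": "should-not-override"},
        {"name": "OTHER_KEY", "value": "should-exists"},
    ]

    for template in await make_templates(values):
        if "matrix-authentication-service" in template["metadata"]["name"] and template["kind"] == "Deployment":
            env = {e["name"]: e["value"] for e in template["spec"]["template"]["spec"]["containers"][0]["env"]}
            # The chart-managed value must win over the user-supplied one.
            assert env["MAS_CONFIG"] == "/conf/config.yaml"
            assert env["OTHER_KEY"] == "should-exists"
            break
    else:
        raise RuntimeError("Could not find Matrix Authentication Service deployment")

--------------------------------------------------------------------------------
/tests/manifests/test_postgres.py:
--------------------------------------------------------------------------------
# Copyright 2024 New Vector Ltd
#
# SPDX-License-Identifier: AGPL-3.0-only

import pytest


@pytest.mark.parametrize("values_file", ["synapse-minimal-values.yaml"])
@pytest.mark.asyncio_cooperative
async def test_postgres_env_overrides(values, make_templates):
    """`extraEnv` adds variables to the Postgres container but cannot override PGDATA.

    Only the first container of the StatefulSet is inspected, and only env
    entries with a literal `value`.
    """
    for template in await make_templates(values):
        if "postgres" in template["metadata"]["name"] and template["kind"] == "StatefulSet":
            env = {e["name"]: e["value"] for e in template["spec"]["template"]["spec"]["containers"][0]["env"]}
            assert env["PGDATA"] == "/var/lib/postgres/data/pgdata"
            break
    else:
        raise RuntimeError("Could not find Postgres statefulset")

    values["postgres"]["extraEnv"] = [
        {"name": "PGDATA", "value": "should-not-override"},
        {"name": "OTHER_KEY", "value": "should-be-here"},
    ]

    for template in await make_templates(values):
        if "postgres" in template["metadata"]["name"] and template["kind"] == "StatefulSet":
            env = {e["name"]: e["value"] for e in template["spec"]["template"]["spec"]["containers"][0]["env"]}
            # The chart-managed value must win over the user-supplied one.
            assert env["PGDATA"] == "/var/lib/postgres/data/pgdata"
            assert env["OTHER_KEY"] == "should-be-here"
            break
    else:
        raise RuntimeError("Could not find Postgres statefulset")

--------------------------------------------------------------------------------
/tests/manifests/test_pvcs.py:
--------------------------------------------------------------------------------
# Copyright 2025 New Vector Ltd
#
# SPDX-License-Identifier: AGPL-3.0-only

import pytest

from . import values_files_to_test
from .utils import template_to_deployable_details


@pytest.mark.parametrize("values_file", values_files_to_test)
@pytest.mark.asyncio_cooperative
async def test_pvcs_only_present_if_expected(templates):
    """A deployable renders a PersistentVolumeClaim exactly when its details say it has storage.

    Every template is mapped to its deployable so that deployables rendering
    no PVC at all still appear in the comparison.
    """
    deployable_details_to_seen_pvcs = {}
    for template in templates:
        deployable_details = template_to_deployable_details(template)
        deployable_details_to_seen_pvcs.setdefault(deployable_details, False)
        if template["kind"] == "PersistentVolumeClaim":
            deployable_details_to_seen_pvcs[deployable_details] = True

    for deployable_details, seen_pvcs in deployable_details_to_seen_pvcs.items():
        assert seen_pvcs == deployable_details.has_storage, (
            f"{deployable_details.name}: {seen_pvcs=} when expecting {deployable_details.has_storage}"
        )


@pytest.mark.parametrize("values_file", values_files_to_test)
@pytest.mark.asyncio_cooperative
async def test_pvcs_marked_as_being_kept_on_helm_uninstall_by_default(templates):
    """Every PersistentVolumeClaim carries helm.sh/resource-policy: keep so uninstall does not delete data."""
    for template in templates:
        if template["kind"] == "PersistentVolumeClaim":
            # .get() so a PVC with no annotations at all fails the assertion
            # with its message rather than with a KeyError.
            annotations = template["metadata"].get("annotations") or {}
            assert "helm.sh/resource-policy" in annotations, (
                f"{template['metadata']['name']} is missing the helm.sh/resource-policy annotation"
            )
            assert annotations["helm.sh/resource-policy"] == "keep"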
--------------------------------------------------------------------------------
/tests/manifests/test_secrets.py:
--------------------------------------------------------------------------------
# Copyright 2025 New Vector Ltd
#
# SPDX-License-Identifier: AGPL-3.0-only

import pytest

from . import values_files_to_test
from .utils import template_id


@pytest.mark.parametrize("values_file", values_files_to_test)
@pytest.mark.asyncio_cooperative
async def test_all_secrets_have_type(templates):
    """Every rendered Secret declares an explicit type, and that type is one of the allowed ones (currently only Opaque)."""
    secrets = (template for template in templates if template["kind"] == "Secret")
    for template in secrets:
        assert "type" in template, f"{template_id(template)} has not set the Secret type"
        assert template["type"] in ["Opaque"], (
            f"{template_id(template)} has an unexpected Secret type {template['type']}"
        )

--------------------------------------------------------------------------------
/tests/manifests/test_services.py:
--------------------------------------------------------------------------------
# Copyright 2025 New Vector Ltd
#
# SPDX-License-Identifier: AGPL-3.0-only

import pytest

from . import services_values_files_to_test
from .utils import template_id


@pytest.mark.parametrize("values_file", services_values_files_to_test)
@pytest.mark.asyncio_cooperative
async def test_ports_in_services_are_named(templates):
    """Every rendered Service lists at least one port, each port is named, and the names are unique within the Service."""
    for template in templates:
        if template["kind"] != "Service":
            continue

        service_id = template_id(template)
        spec = template["spec"]
        assert "ports" in spec, f"{service_id} does not specify a ports list"
        assert len(spec["ports"]) > 0, f"{service_id} does not include any ports"

        # Collected in a loop (not a comprehension) so the "port without a name"
        # assertion fires on the first offending port before later ones are read.
        port_names = []
        for port in spec["ports"]:
            assert "name" in port, f"{service_id} has a port without a name: {port}"
            port_names.append(port["name"])
        assert len(port_names) == len(set(port_names)), f"Port names are not unique: {service_id}, {port_names}"

--------------------------------------------------------------------------------