diff --git a/defaults/main.yml b/defaults/main.yml index cff160e..4e4adf9 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,3 +1,4 @@ --- # defaults file for ansible-role-matrix-stack release_namespace: matrix +server_name: example.com diff --git a/tasks/main.yml b/tasks/main.yml index 7311167..167347c 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -7,213 +7,15 @@ release_namespace: "{{ release_namespace }}" create_namespace: true values: - # Copyright 2024-2025 New Vector Ltd - # - # SPDX-License-Identifier: AGPL-3.0-only - - # This file is generated. Do not edit directly. Edit source/values.yaml.j2 instead to make changes - - ## Common configuration that impacts all components in the chart - - ## The matrix-tools image, used in multiple components - matrixTools: - - # Details of the image to be used - image: - ## The host and (optional) port of the container image registry for this component. - ## If not specified Docker Hub is implied - registry: ghcr.io - - ## The path in the registry where the container image is located - repository: element-hq/ess-helm/matrix-tools - - ## The tag of the container image to use. - ## Defaults to the Chart's appVersion if not set - tag: "0.3.5" - - ## Container digest to use. Used to pull the image instead of the image tag / Chart appVersion if set - # digest: - - ## Whether the image should be pulled on container startup. Valid values are Always, IfNotPresent and Never - ## If this isn't provided it defaults to Always when using the image tag / Chart appVersion or - ## IfNotPresent if using a digest - # pullPolicy: - - ## A list of pull secrets to use for this image - ## e.g. - ## pullSecrets: - ## - name: dockerhub - pullSecrets: [] - - ## CertManager Issuer to configure by default automatically on all ingresses - ## If configured, the chart will automatically generate the tlsSecret name for all ingresses - certManager: {} - ## Choose one of clusterIssuer or issuer - # clusterIssuer: - # issuer: - - ## The server name of the Matrix Stack. This gets embedded in user IDs & room IDs - ## It can not change after the initial deployment. - # serverName: ess.localhost - - ## Labels to add to all manifest for all components in this chart - labels: {} - - ## How all ingresses should be constructed by default, unless overridden + certManager: + clusterIssuer: ca-issuer + serverName: "{{ server_name }}" ingress: - ## Annotations to be added to all Ingresses. Will be merged with component specific Ingress annotations - annotations: {} - - ## What Ingress Class Name that should be used for all Ingresses by default - # className: - - ## Disable TLS configuration by setting it to false - tlsEnabled: true - - ## The name of the Secret containing the TLS certificate and the key that should be used for all Ingresses by default - # tlsSecret: - - ## How the Services behind all Ingresses is constructed by default - service: - type: ClusterIP - ## If set, some tweaks will be applied automatically to ingresses based on the controller type here. - ## This can be set to `ingress-nginx`. - # controllerType: - - ## A list of Secrets in this namespace to use as pull Secrets. - ## Ignored if a given component specifies its own pull Secrets. - ## e.g. - ## imagePullSecrets: - ## - name: ess-pull-secret - imagePullSecrets: [] - - ## Workload tolerations allows Pods that are part of a (sub)component to 'tolerate' any taint that matches the triple using the matching operator . - ## - ## * effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - ## * key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. - ## * operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. - ## * value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. - ## - ## * tolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. - ## e.g. - ## tolerations: - ## - effect: - ## key: - ## operator: - ## value: - - tolerations: [] - - ## TopologySpreadConstraints describes how Pods for a component should be spread between nodes. - ## https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ for in-depth details - ## labelSelector can be omitted and the chart will populate a sensible value for each component. - ## Similarly `pod-template-hash` will be aded to `matchLabelKeys` if appropriate for each component. - ## If any TopologySpreadConstraints are provided for a component any global TopologySpreadConstraints are ignored for that component. - ## e.g. - ## topologySpreadConstraints: - ## - maxSkew: 1 - ## topologyKey: topology.kubernetes.io/zone - ## # nodeAffinityPolicy: Honor/Ignore - ## # nodeTaintsPolicy: Honor/Ignore - ## # whenUnsatisfiable: DoNotSchedule/ScheduleAnyway - topologySpreadConstraints: [] - - ## Components + className: nginx + annotations: + nginx.ingress.kubernetes.io/configuration-snippet: proxy_intercept_errors off; initSecrets: enabled: true - - rbac: - create: true - ## Labels to add to all manifest for this component - labels: {} - ## Defines the annotations to add to the workload - # annotations: {} - ## A subset of SecurityContext. ContainersSecurityContext holds pod-level security attributes and common container settings - containersSecurityContext: - ## Controls whether a process can gain more privileges than its parent process. - ## This bool directly controls whether the no_new_privs flag gets set on the container process. - ## allowPrivilegeEscalation is always true when the container is run as privileged, or has CAP_SYS_ADMIN - allowPrivilegeEscalation: false - - ## Give a process some privileges, but not all the privileges of the root user. - capabilities: - ## Privileges to add. - # add: [] - ## Privileges to drop. - drop: - - ALL - - ## Mounts the container's root filesystem as read-only. - readOnlyRootFilesystem: true - - ## To set the Seccomp profile for a Container, include the seccompProfile field in the securityContext section of your Pod or Container manifest. - ## The seccompProfile field is a SeccompProfile object consisting of type and localhostProfile. Valid options for type include RuntimeDefault, Unconfined, and Localhost. - ## localhostProfile must only be set set if type Localhost. It indicates the path of the pre-configured profile on the node, relative to the kubelet's configured Seccomp profile location (configured with the --root-dir flag). - # seccompProfile: - # type: RuntimeDefault - ## NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - # nodeSelector: {} - ## A subset of PodSecurityContext. PodSecurityContext holds pod-level security attributes and common container settings - podSecurityContext: - ## A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to - ## change the ownership of that volume to be owned by the pod: - ## - ## 1. The owning GID will be the FSGroup - ## 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)## 3. The permission bits are OR'd with rw-rw---- - ## - ## If unset, the Kubelet will not modify the ownership and permissions of any volume. - fsGroup: 10010 - - ## fsGroupChangePolicy defines behavior of changing ownership and permission of the volume before being exposed inside Pod. - ## This field will only apply to volume types which support fsGroup based ownership(and permissions). - ## It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - # fsGroupChangePolicy: - - ## The GID to run the entrypoint of the container process. Uses runtime default if unset. - runAsGroup: 10010 - - ## Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. - runAsNonRoot: true - - ## The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. - runAsUser: 10010 - - ## SELinuxOptions are the labels to be applied to all the pod containers - # seLinuxOptions: - ## Level is SELinux level label that applies to the container. - # level: - - ## Role is a SELinux role label that applies to the container. - # role: - - ## Type is a SELinux type label that applies to the container. - # type: - - ## User is a SELinux user label that applies to the container. - # user: - - ## "To set the Seccomp profile for a Container, include the seccompProfile field in the securityContext section of your Pod or Container manifest. - ## The seccompProfile field is a SeccompProfile object consisting of type and localhostProfile. - ## Valid options for type include RuntimeDefault, Unconfined, and Localhost. localhostProfile must only be set set if type Localhost. - ## It indicates the path of the pre-configured profile on the node, relative to the kubelet's configured Seccomp profile location (configured with the --root-dir flag). - seccompProfile: - # localhostProfile: - type: RuntimeDefault - - ## A list of groups applied to the first process run in each container, in addition to the container's primary GID. - ## If unspecified, no groups will be added to any container. - supplementalGroups: [] - ## Kubernetes resources to allocate to each instance. - resources: - ## Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - requests: - memory: 50Mi - cpu: 50m - - ## Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - limits: - memory: 200Mi - ## Controls configuration of the ServiceAccount for this component serviceAccount: ## Whether a ServiceAccount should be created by the chart or not create: true @@ -223,1084 +25,16 @@ ## Annotations to add to the service account annotations: {} - ## Workload tolerations allows Pods that are part of this (sub)component to 'tolerate' any taint that matches the triple using the matching operator . - ## - ## * effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - ## * key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. - ## * operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. - ## * value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. - ## - ## * tolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. - ## e.g. - ## tolerations: - ## - effect: - ## key: - ## operator: - ## value: - - tolerations: [] matrixRTC: - enabled: true - - # LiveKit Authentication Configuration - # This section allows you to configure authentication for the LiveKit SFU. - # You can either use an existing keys.yaml file or provide a key and secret. - # livekitAuth: - ## The keys.yaml file for the LiveKit SFU - ## This is required if `sfu.enabled` is set to `false`. - ## It can either be provided inline in the Helm chart e.g.: - ## keysYaml: - ## value: SecretValue - ## - ## Or it can be provided via an existing Secret e.g.: - ## keysYaml: - ## secret: existing-secret - ## secretKey: key-in-secret - # keysYaml: {} - ## Provide a key and secret if not using an existing keys.yaml - # key: "" - ## The secret for the LiveKit SFU. - ## This is required if `sfu.enabled` and `keysYaml` is not used. It will be generated by the `initSecrets` job if it is empty. - ## It can either be provided inline in the Helm chart e.g.: - ## secret: - ## value: SecretValue - ## - ## Or it can be provided via an existing Secret e.g.: - ## secret: - ## secret: existing-secret - ## secretKey: key-in-secret - # secret: {} - ## How this ingress should be constructed ingress: - ## What hostname should be used for this Ingress - # host: - - ## Annotations to be added to this Ingress - annotations: {} - - ## What Ingress Class Name that should be used for this Ingress - # className: - - ## Disable TLS configuration by setting it to false - tlsEnabled: true - - ## The name of the Secret containing the TLS certificate and the key that should be used for this Ingress - # tlsSecret: - - ## How the Service behind this Ingress is constructed - service: {} - ## If set, some tweaks will be applied automatically to ingresses based on the controller type here. - ## This can be set to `ingress-nginx`. - # controllerType: - ## Defines additional environment variables to be injected onto this workload - ## e.g. - ## extraEnv: - ## - name: FOO - ## value: "bar" - extraEnv: [] - # Details of the image to be used - image: - ## The host and (optional) port of the container image registry for this component. - ## If not specified Docker Hub is implied - registry: ghcr.io - - ## The path in the registry where the container image is located - repository: element-hq/lk-jwt-service - - ## The tag of the container image to use. - ## Defaults to the Chart's appVersion if not set - tag: "0.2.3" - - ## Container digest to use. Used to pull the image instead of the image tag / Chart appVersion if set - # digest: - - ## Whether the image should be pulled on container startup. Valid values are Always, IfNotPresent and Never - ## If this isn't provided it defaults to Always when using the image tag / Chart appVersion or - ## IfNotPresent if using a digest - # pullPolicy: - - ## A list of pull secrets to use for this image - ## e.g. - ## pullSecrets: - ## - name: dockerhub - pullSecrets: [] - ## Labels to add to all manifest for this component - labels: {} - ## Defines the annotations to add to the workload - # annotations: {} - ## A subset of SecurityContext. ContainersSecurityContext holds pod-level security attributes and common container settings - containersSecurityContext: - ## Controls whether a process can gain more privileges than its parent process. - ## This bool directly controls whether the no_new_privs flag gets set on the container process. - ## allowPrivilegeEscalation is always true when the container is run as privileged, or has CAP_SYS_ADMIN - allowPrivilegeEscalation: false - - ## Give a process some privileges, but not all the privileges of the root user. - capabilities: - ## Privileges to add. - # add: [] - ## Privileges to drop. - drop: - - ALL - - ## Mounts the container's root filesystem as read-only. - readOnlyRootFilesystem: true - - ## To set the Seccomp profile for a Container, include the seccompProfile field in the securityContext section of your Pod or Container manifest. - ## The seccompProfile field is a SeccompProfile object consisting of type and localhostProfile. Valid options for type include RuntimeDefault, Unconfined, and Localhost. - ## localhostProfile must only be set set if type Localhost. It indicates the path of the pre-configured profile on the node, relative to the kubelet's configured Seccomp profile location (configured with the --root-dir flag). - # seccompProfile: - # type: RuntimeDefault - ## NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - # nodeSelector: {} - ## A subset of PodSecurityContext. PodSecurityContext holds pod-level security attributes and common container settings - podSecurityContext: - ## A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to - ## change the ownership of that volume to be owned by the pod: - ## - ## 1. The owning GID will be the FSGroup - ## 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)## 3. The permission bits are OR'd with rw-rw---- - ## - ## If unset, the Kubelet will not modify the ownership and permissions of any volume. - fsGroup: 10033 - - ## fsGroupChangePolicy defines behavior of changing ownership and permission of the volume before being exposed inside Pod. - ## This field will only apply to volume types which support fsGroup based ownership(and permissions). - ## It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - # fsGroupChangePolicy: - - ## The GID to run the entrypoint of the container process. Uses runtime default if unset. - runAsGroup: 10033 - - ## Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. - runAsNonRoot: true - - ## The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. - runAsUser: 10033 - - ## SELinuxOptions are the labels to be applied to all the pod containers - # seLinuxOptions: - ## Level is SELinux level label that applies to the container. - # level: - - ## Role is a SELinux role label that applies to the container. - # role: - - ## Type is a SELinux type label that applies to the container. - # type: - - ## User is a SELinux user label that applies to the container. - # user: - - ## "To set the Seccomp profile for a Container, include the seccompProfile field in the securityContext section of your Pod or Container manifest. - ## The seccompProfile field is a SeccompProfile object consisting of type and localhostProfile. - ## Valid options for type include RuntimeDefault, Unconfined, and Localhost. localhostProfile must only be set set if type Localhost. - ## It indicates the path of the pre-configured profile on the node, relative to the kubelet's configured Seccomp profile location (configured with the --root-dir flag). - seccompProfile: - # localhostProfile: - type: RuntimeDefault - - ## A list of groups applied to the first process run in each container, in addition to the container's primary GID. - ## If unspecified, no groups will be added to any container. - supplementalGroups: [] - ## Kubernetes resources to allocate to each instance. - resources: - ## Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - requests: - memory: 20Mi - cpu: 50m - - ## Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - limits: - memory: 20Mi - ## Whether to deploy ServiceMonitors into the cluster for this component - ## Requires the ServiceMonitor CRDs to be in the cluster - serviceMonitors: - enabled: true - ## Controls configuration of the ServiceAccount for this component - serviceAccount: - ## Whether a ServiceAccount should be created by the chart or not - create: true - - ## What name to give the ServiceAccount. If not provided the chart will provide the name automatically - name: "" - - ## Annotations to add to the service account - annotations: {} - ## Workload tolerations allows Pods that are part of this (sub)component to 'tolerate' any taint that matches the triple using the matching operator . - ## - ## * effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - ## * key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. - ## * operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. - ## * value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. - ## - ## * tolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. - ## e.g. - ## tolerations: - ## - effect: - ## key: - ## operator: - ## value: - - tolerations: [] - ## Configuration of the thresholds and frequencies of the livenessProbe - livenessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 3 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 10 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 1 - ## Configuration of the thresholds and frequencies of the readinessProbe - readinessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 3 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 10 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 1 - ## Configuration of the thresholds and frequencies of the startupProbe - startupProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 3 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 10 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 1 - - sfu: - enabled: true - - # LiveKit Logging level - logging: - # log level, valid values: debug, info, warn, error - level: info - # log level for pion, default error - pionLevel: error - # when set to true, emit json fields - json: false - - ## Additional configuration to provide to all LiveKit processes. - ## This should be provided as yaml-string and will be merged into the default configuration. - ## Full details on available configuration options can be found at https://docs.livekit.io/home/self-hosting/deployment/#configuration - additional: "" - - # Whether to start the SFU in host network mode or not - hostNetwork: false - exposedServices: - rtcTcp: - enabled: true - # Either a NodePort or a HostPort - portType: NodePort - port: 30881 - rtcMuxedUdp: - enabled: true - # Either a NodePort or a HostPort - portType: NodePort - port: 30882 - rtcUdp: - enabled: false - # Either a NodePort or a HostPort - portType: NodePort - portRange: - # The beginning port of the range - startPort: 31000 - # The last port of the range - endPort: 32000 - # Details of the image to be used - image: - ## The host and (optional) port of the container image registry for this component. - ## If not specified Docker Hub is implied - registry: docker.io - - ## The path in the registry where the container image is located - repository: livekit/livekit-server - - ## The tag of the container image to use. - ## Defaults to the Chart's appVersion if not set - tag: "v1.7.2" - - ## Container digest to use. Used to pull the image instead of the image tag / Chart appVersion if set - # digest: - - ## Whether the image should be pulled on container startup. Valid values are Always, IfNotPresent and Never - ## If this isn't provided it defaults to Always when using the image tag / Chart appVersion or - ## IfNotPresent if using a digest - # pullPolicy: - - ## A list of pull secrets to use for this image - ## e.g. - ## pullSecrets: - ## - name: dockerhub - pullSecrets: [] - ## Defines additional environment variables to be injected onto this workload - ## e.g. - ## extraEnv: - ## - name: FOO - ## value: "bar" - extraEnv: [] - ## Labels to add to all manifest for this component - labels: {} - ## Defines the annotations to add to the workload - # annotations: {} - ## A subset of SecurityContext. ContainersSecurityContext holds pod-level security attributes and common container settings - containersSecurityContext: - ## Controls whether a process can gain more privileges than its parent process. - ## This bool directly controls whether the no_new_privs flag gets set on the container process. - ## allowPrivilegeEscalation is always true when the container is run as privileged, or has CAP_SYS_ADMIN - allowPrivilegeEscalation: false - - ## Give a process some privileges, but not all the privileges of the root user. - capabilities: - ## Privileges to add. - # add: [] - ## Privileges to drop. - drop: - - ALL - - ## Mounts the container's root filesystem as read-only. - readOnlyRootFilesystem: true - - ## To set the Seccomp profile for a Container, include the seccompProfile field in the securityContext section of your Pod or Container manifest. - ## The seccompProfile field is a SeccompProfile object consisting of type and localhostProfile. Valid options for type include RuntimeDefault, Unconfined, and Localhost. - ## localhostProfile must only be set set if type Localhost. It indicates the path of the pre-configured profile on the node, relative to the kubelet's configured Seccomp profile location (configured with the --root-dir flag). - # seccompProfile: - # type: RuntimeDefault - ## The list of hosts aliases to configure on the pod spec. - ## It should be avoid as much as possible to use this feature. - ## Please prefer using an DNS entry to resolve your hostnames. - ## This can be used as a workaround when entries cannot be resolved using DNS, for example for our automated testings. - ## e.g. - ## hostAliases: - ## - ip: 192.0.2.1 # An IP resolution to add to /etc/hosts - ## # A list of hostnames to be associated with the above IP - ## hostnames: - ## - ess.localhost - ## - synapse.ess.localhost - hostAliases: [] - ## NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - # nodeSelector: {} - ## A subset of PodSecurityContext. PodSecurityContext holds pod-level security attributes and common container settings - podSecurityContext: - ## A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to - ## change the ownership of that volume to be owned by the pod: - ## - ## 1. The owning GID will be the FSGroup - ## 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)## 3. The permission bits are OR'd with rw-rw---- - ## - ## If unset, the Kubelet will not modify the ownership and permissions of any volume. - fsGroup: 10030 - - ## fsGroupChangePolicy defines behavior of changing ownership and permission of the volume before being exposed inside Pod. - ## This field will only apply to volume types which support fsGroup based ownership(and permissions). - ## It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - # fsGroupChangePolicy: - - ## The GID to run the entrypoint of the container process. Uses runtime default if unset. - runAsGroup: 10030 - - ## Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. - runAsNonRoot: true - - ## The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. - runAsUser: 10030 - - ## SELinuxOptions are the labels to be applied to all the pod containers - # seLinuxOptions: - ## Level is SELinux level label that applies to the container. - # level: - - ## Role is a SELinux role label that applies to the container. - # role: - - ## Type is a SELinux type label that applies to the container. - # type: - - ## User is a SELinux user label that applies to the container. - # user: - - ## "To set the Seccomp profile for a Container, include the seccompProfile field in the securityContext section of your Pod or Container manifest. - ## The seccompProfile field is a SeccompProfile object consisting of type and localhostProfile. - ## Valid options for type include RuntimeDefault, Unconfined, and Localhost. localhostProfile must only be set set if type Localhost. - ## It indicates the path of the pre-configured profile on the node, relative to the kubelet's configured Seccomp profile location (configured with the --root-dir flag). - seccompProfile: - # localhostProfile: - type: RuntimeDefault - - ## A list of groups applied to the first process run in each container, in addition to the container's primary GID. - ## If unspecified, no groups will be added to any container. - supplementalGroups: [] - ## Kubernetes resources to allocate to each instance. - resources: - ## Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - requests: - memory: 150Mi - cpu: 100m - - ## Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - limits: - memory: 4Gi - ## Controls configuration of the ServiceAccount for this component - serviceAccount: - ## Whether a ServiceAccount should be created by the chart or not - create: true - - ## What name to give the ServiceAccount. If not provided the chart will provide the name automatically - name: "" - - ## Annotations to add to the service account - annotations: {} - ## Whether to deploy ServiceMonitors into the cluster for this component - ## Requires the ServiceMonitor CRDs to be in the cluster - serviceMonitors: - enabled: true - ## Workload tolerations allows Pods that are part of this (sub)component to 'tolerate' any taint that matches the triple using the matching operator . - ## - ## * effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - ## * key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. - ## * operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. - ## * value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. - ## - ## * tolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. - ## e.g. - ## tolerations: - ## - effect: - ## key: - ## operator: - ## value: - - tolerations: [] - ## Configuration of the thresholds and frequencies of the livenessProbe - livenessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 3 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 10 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 1 - ## Configuration of the thresholds and frequencies of the readinessProbe - readinessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 3 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 10 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 1 - ## Configuration of the thresholds and frequencies of the startupProbe - startupProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 3 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 10 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 1 + host: rtc.eom.dev elementWeb: - enabled: true - - ## Arbitrary extra config to inject into Element Web's config.json. - ## Each key under additional is an additional config to merge into Element Web's config.json. - ## - ## Full details on available configuration options can be found at https://github.com/element-hq/element-web/blob/develop/docs/config.md - ## Most settings are configurable but some settings are owned by the chart and can't be overwritten - additional: {} - - # Number of Element Web replicas to start up - replicas: 1 - # Details of the image to be used - image: - ## The host and (optional) port of the container image registry for this component. - ## If not specified Docker Hub is implied - registry: docker.io - - ## The path in the registry where the container image is located - repository: vectorim/element-web - - ## The tag of the container image to use. - ## Defaults to the Chart's appVersion if not set - tag: "v1.11.101" - - ## Container digest to use. Used to pull the image instead of the image tag / Chart appVersion if set - # digest: - - ## Whether the image should be pulled on container startup. Valid values are Always, IfNotPresent and Never - ## If this isn't provided it defaults to Always when using the image tag / Chart appVersion or - ## IfNotPresent if using a digest - # pullPolicy: - - ## A list of pull secrets to use for this image - ## e.g. - ## pullSecrets: - ## - name: dockerhub - pullSecrets: [] - ## How this ingress should be constructed ingress: - ## What hostname should be used for this Ingress - # host: - - ## Annotations to be added to this Ingress - annotations: {} - - ## What Ingress Class Name that should be used for this Ingress - # className: - - ## Disable TLS configuration by setting it to false - tlsEnabled: true - - ## The name of the Secret containing the TLS certificate and the key that should be used for this Ingress - # tlsSecret: - - ## How the Service behind this Ingress is constructed - service: {} - ## If set, some tweaks will be applied automatically to ingresses based on the controller type here. - ## This can be set to `ingress-nginx`. - # controllerType: - ## Labels to add to all manifest for this component - labels: {} - ## Defines the annotations to add to the workload - # annotations: {} - ## Defines additional environment variables to be injected onto this workload - ## e.g. - ## extraEnv: - ## - name: FOO - ## value: "bar" - extraEnv: [] - ## A subset of SecurityContext. ContainersSecurityContext holds pod-level security attributes and common container settings - containersSecurityContext: - ## Controls whether a process can gain more privileges than its parent process. - ## This bool directly controls whether the no_new_privs flag gets set on the container process. - ## allowPrivilegeEscalation is always true when the container is run as privileged, or has CAP_SYS_ADMIN - allowPrivilegeEscalation: false - - ## Give a process some privileges, but not all the privileges of the root user. - capabilities: - ## Privileges to add. - # add: [] - ## Privileges to drop. - drop: - - ALL - - ## Mounts the container's root filesystem as read-only. - readOnlyRootFilesystem: true - - ## To set the Seccomp profile for a Container, include the seccompProfile field in the securityContext section of your Pod or Container manifest. - ## The seccompProfile field is a SeccompProfile object consisting of type and localhostProfile. Valid options for type include RuntimeDefault, Unconfined, and Localhost. - ## localhostProfile must only be set set if type Localhost. It indicates the path of the pre-configured profile on the node, relative to the kubelet's configured Seccomp profile location (configured with the --root-dir flag). - # seccompProfile: - # type: RuntimeDefault - ## NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - # nodeSelector: {} - ## A subset of PodSecurityContext. PodSecurityContext holds pod-level security attributes and common container settings - podSecurityContext: - ## A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to - ## change the ownership of that volume to be owned by the pod: - ## - ## 1. The owning GID will be the FSGroup - ## 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)## 3. The permission bits are OR'd with rw-rw---- - ## - ## If unset, the Kubelet will not modify the ownership and permissions of any volume. - fsGroup: 10004 - - ## fsGroupChangePolicy defines behavior of changing ownership and permission of the volume before being exposed inside Pod. - ## This field will only apply to volume types which support fsGroup based ownership(and permissions). - ## It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - # fsGroupChangePolicy: - - ## The GID to run the entrypoint of the container process. Uses runtime default if unset. - runAsGroup: 10004 - - ## Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. - runAsNonRoot: true - - ## The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. - runAsUser: 10004 - - ## SELinuxOptions are the labels to be applied to all the pod containers - # seLinuxOptions: - ## Level is SELinux level label that applies to the container. - # level: - - ## Role is a SELinux role label that applies to the container. - # role: - - ## Type is a SELinux type label that applies to the container. - # type: - - ## User is a SELinux user label that applies to the container. - # user: - - ## "To set the Seccomp profile for a Container, include the seccompProfile field in the securityContext section of your Pod or Container manifest. - ## The seccompProfile field is a SeccompProfile object consisting of type and localhostProfile. - ## Valid options for type include RuntimeDefault, Unconfined, and Localhost. localhostProfile must only be set set if type Localhost. - ## It indicates the path of the pre-configured profile on the node, relative to the kubelet's configured Seccomp profile location (configured with the --root-dir flag). - seccompProfile: - # localhostProfile: - type: RuntimeDefault - - ## A list of groups applied to the first process run in each container, in addition to the container's primary GID. - ## If unspecified, no groups will be added to any container. - supplementalGroups: [] - ## Kubernetes resources to allocate to each instance. - resources: - ## Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - requests: - memory: 50Mi - cpu: 50m - - ## Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - limits: - memory: 200Mi - ## Controls configuration of the ServiceAccount for this component - serviceAccount: - ## Whether a ServiceAccount should be created by the chart or not - create: true - - ## What name to give the ServiceAccount. If not provided the chart will provide the name automatically - name: "" - - ## Annotations to add to the service account - annotations: {} - ## Workload tolerations allows Pods that are part of this (sub)component to 'tolerate' any taint that matches the triple using the matching operator . - ## - ## * effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - ## * key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. - ## * operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. - ## * value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. - ## - ## * tolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. - ## e.g. - ## tolerations: - ## - effect: - ## key: - ## operator: - ## value: - - tolerations: [] - ## TopologySpreadConstraints describes how Pods for this component should be spread between nodes. - ## https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ for in-depth details - ## labelSelector can be omitted and the chart will populate a sensible value for this component. - ## Similarly `pod-template-hash` will be aded to `matchLabelKeys` if appropriate for this component. - ## If any TopologySpreadConstraints are provided for a component any global TopologySpreadConstraints are ignored for that component. - ## e.g. - ## topologySpreadConstraints: - ## - maxSkew: 1 - ## topologyKey: topology.kubernetes.io/zone - ## # nodeAffinityPolicy: Honor/Ignore - ## # nodeTaintsPolicy: Honor/Ignore - ## # whenUnsatisfiable: DoNotSchedule/ScheduleAnyway - topologySpreadConstraints: [] - ## Configuration of the thresholds and frequencies of the livenessProbe - livenessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 3 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 10 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 1 - ## Configuration of the thresholds and frequencies of the readinessProbe - readinessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 3 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 3 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 1 - ## Configuration of the thresholds and frequencies of the startupProbe - startupProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 4 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 3 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 1 - - haproxy: - replicas: 1 - # Details of the image to be used - image: - ## The host and (optional) port of the container image registry for this component. - ## If not specified Docker Hub is implied - registry: docker.io - - ## The path in the registry where the container image is located - repository: library/haproxy - - ## The tag of the container image to use. - ## Defaults to the Chart's appVersion if not set - tag: "3.1-alpine" - - ## Container digest to use. Used to pull the image instead of the image tag / Chart appVersion if set - # digest: - - ## Whether the image should be pulled on container startup. Valid values are Always, IfNotPresent and Never - ## If this isn't provided it defaults to Always when using the image tag / Chart appVersion or - ## IfNotPresent if using a digest - # pullPolicy: - - ## A list of pull secrets to use for this image - ## e.g. - ## pullSecrets: - ## - name: dockerhub - pullSecrets: [] - ## Labels to add to all manifest for this component - labels: {} - ## Defines the annotations to add to the workload - # annotations: {} - ## A subset of SecurityContext. ContainersSecurityContext holds pod-level security attributes and common container settings - containersSecurityContext: - ## Controls whether a process can gain more privileges than its parent process. - ## This bool directly controls whether the no_new_privs flag gets set on the container process. - ## allowPrivilegeEscalation is always true when the container is run as privileged, or has CAP_SYS_ADMIN - allowPrivilegeEscalation: false - - ## Give a process some privileges, but not all the privileges of the root user. - capabilities: - ## Privileges to add. - # add: [] - ## Privileges to drop. - drop: - - ALL - - ## Mounts the container's root filesystem as read-only. - readOnlyRootFilesystem: true - - ## To set the Seccomp profile for a Container, include the seccompProfile field in the securityContext section of your Pod or Container manifest. - ## The seccompProfile field is a SeccompProfile object consisting of type and localhostProfile. Valid options for type include RuntimeDefault, Unconfined, and Localhost. - ## localhostProfile must only be set set if type Localhost. It indicates the path of the pre-configured profile on the node, relative to the kubelet's configured Seccomp profile location (configured with the --root-dir flag). - # seccompProfile: - # type: RuntimeDefault - ## NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - # nodeSelector: {} - ## A subset of PodSecurityContext. PodSecurityContext holds pod-level security attributes and common container settings - podSecurityContext: - ## A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to - ## change the ownership of that volume to be owned by the pod: - ## - ## 1. The owning GID will be the FSGroup - ## 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)## 3. The permission bits are OR'd with rw-rw---- - ## - ## If unset, the Kubelet will not modify the ownership and permissions of any volume. - fsGroup: 10001 - - ## fsGroupChangePolicy defines behavior of changing ownership and permission of the volume before being exposed inside Pod. - ## This field will only apply to volume types which support fsGroup based ownership(and permissions). - ## It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - # fsGroupChangePolicy: - - ## The GID to run the entrypoint of the container process. Uses runtime default if unset. - runAsGroup: 10001 - - ## Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. - runAsNonRoot: true - - ## The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. - runAsUser: 10001 - - ## SELinuxOptions are the labels to be applied to all the pod containers - # seLinuxOptions: - ## Level is SELinux level label that applies to the container. - # level: - - ## Role is a SELinux role label that applies to the container. - # role: - - ## Type is a SELinux type label that applies to the container. - # type: - - ## User is a SELinux user label that applies to the container. - # user: - - ## "To set the Seccomp profile for a Container, include the seccompProfile field in the securityContext section of your Pod or Container manifest. - ## The seccompProfile field is a SeccompProfile object consisting of type and localhostProfile. - ## Valid options for type include RuntimeDefault, Unconfined, and Localhost. localhostProfile must only be set set if type Localhost. - ## It indicates the path of the pre-configured profile on the node, relative to the kubelet's configured Seccomp profile location (configured with the --root-dir flag). - seccompProfile: - # localhostProfile: - type: RuntimeDefault - - ## A list of groups applied to the first process run in each container, in addition to the container's primary GID. - ## If unspecified, no groups will be added to any container. - supplementalGroups: [] - ## Kubernetes resources to allocate to each instance. - resources: - ## Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - requests: - memory: 100Mi - cpu: 100m - - ## Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - limits: - memory: 200Mi - ## Controls configuration of the ServiceAccount for this component - serviceAccount: - ## Whether a ServiceAccount should be created by the chart or not - create: true - - ## What name to give the ServiceAccount. If not provided the chart will provide the name automatically - name: "" - - ## Annotations to add to the service account - annotations: {} - ## Whether to deploy ServiceMonitors into the cluster for this component - ## Requires the ServiceMonitor CRDs to be in the cluster - serviceMonitors: - enabled: true - ## Workload tolerations allows Pods that are part of this (sub)component to 'tolerate' any taint that matches the triple using the matching operator . - ## - ## * effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - ## * key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. - ## * operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. - ## * value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. - ## - ## * tolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. - ## e.g. - ## tolerations: - ## - effect: - ## key: - ## operator: - ## value: - - tolerations: [] - ## TopologySpreadConstraints describes how Pods for this component should be spread between nodes. - ## https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ for in-depth details - ## labelSelector can be omitted and the chart will populate a sensible value for this component. - ## Similarly `pod-template-hash` will be aded to `matchLabelKeys` if appropriate for this component. - ## If any TopologySpreadConstraints are provided for a component any global TopologySpreadConstraints are ignored for that component. - ## e.g. - ## topologySpreadConstraints: - ## - maxSkew: 1 - ## topologyKey: topology.kubernetes.io/zone - ## # nodeAffinityPolicy: Honor/Ignore - ## # nodeTaintsPolicy: Honor/Ignore - ## # whenUnsatisfiable: DoNotSchedule/ScheduleAnyway - topologySpreadConstraints: [] - ## Configuration of the thresholds and frequencies of the livenessProbe - livenessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 3 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 10 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 5 - ## Configuration of the thresholds and frequencies of the readinessProbe - readinessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 3 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 10 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 5 - # The failureThreshold here is tweaked towards Synapse being ready - # If Synapse isn't being deployed, unsetting this or setting it to 3 maybe more appropriate - ## Configuration of the thresholds and frequencies of the startupProbe - startupProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 150 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 2 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 1 + host: element.eom.dev matrixAuthenticationService: - enabled: true - # Details of the image to be used - image: - ## The host and (optional) port of the container image registry for this component. - ## If not specified Docker Hub is implied - registry: ghcr.io - - ## The path in the registry where the container image is located - repository: element-hq/matrix-authentication-service - - ## The tag of the container image to use. - ## Defaults to the Chart's appVersion if not set - tag: "0.16.0" - - ## Container digest to use. Used to pull the image instead of the image tag / Chart appVersion if set - # digest: - - ## Whether the image should be pulled on container startup. Valid values are Always, IfNotPresent and Never - ## If this isn't provided it defaults to Always when using the image tag / Chart appVersion or - ## IfNotPresent if using a digest - # pullPolicy: - - ## A list of pull secrets to use for this image - ## e.g. - ## pullSecrets: - ## - name: dockerhub - pullSecrets: [] - - ## Force the authentication to happen with legacy authentication. - ## This can be used to deploy Matrix Authentication Service and keeping auth on Synapse. - ## Once MAS is deployed, you can run the syn2mas tool to migrate the data from Synapse to MAS. - ## This should be set back to false and never switch again after the migration to MAS has been run. - preMigrationSynapseHandlesAuth: false - - - ## Details of the Postgres Database to use - postgres: {} - ## PostgreSQL database host - # host: - - ## PostgreSQL port - # port: 5432 - - ## PostgreSQL username - # user: - - ## PostgreSQL database name - # database: - - ## TLS settings to use for the PostgreSQL connection - # sslMode: prefer - - ## PostgreSQL password. - ## It can either be provided inline in the Helm chart e.g.: - ## password: - ## value: SecretValue - ## - ## Or it can be provided via an existing Secret e.g.: - ## password: - ## secret: existing-secret - ## secretKey: key-in-secret - # password: {} - - - ## Encryption secret. - ## This secret is optional, and will be generated by the `initSecrets` job - ## if it is empty. - ## It can either be provided inline in the Helm chart e.g.: - ## encryptionSecret: - ## value: SecretValue - ## - ## Or it can be provided via an existing Secret e.g.: - ## encryptionSecret: - ## secret: existing-secret - ## secretKey: key-in-secret - encryptionSecret: {} - - ## Synapse - MAS Shared Secret. - ## This secret is optional, and will be generated by the `initSecrets` job - ## if it is empty. - ## It can either be provided inline in the Helm chart e.g.: - ## synapseSharedSecret: - ## value: SecretValue - ## - ## Or it can be provided via an existing Secret e.g.: - ## synapseSharedSecret: - ## secret: existing-secret - ## secretKey: key-in-secret - synapseSharedSecret: {} - - ## Synapse - MAS OIDC Client Secret. - ## This secret is optional, and will be generated by the `initSecrets` job - ## if it is empty. - ## It can either be provided inline in the Helm chart e.g.: - ## synapseOIDCClientSecret: - ## value: SecretValue - ## - ## Or it can be provided via an existing Secret e.g.: - ## synapseOIDCClientSecret: - ## secret: existing-secret - ## secretKey: key-in-secret - synapseOIDCClientSecret: {} ## Additional configuration to provide to Matrix Authentication Service. ## Each key under additional is an additional config to merge into Matrix Authentication Service config.yaml @@ -1317,707 +51,13 @@ ## ## Most settings are configurable but some settings are owned by the chart and can't overwritten additional: {} - - privateKeys: - - ## RSA Private Key. - ## This secret is optional, and will be generated by the `initSecrets` job - ## if it is empty. - ## It can either be provided inline in the Helm chart e.g.: - ## rsa: - ## value: SecretValue - ## - ## Or it can be provided via an existing Secret e.g.: - ## rsa: - ## secret: existing-secret - ## secretKey: key-in-secret - rsa: {} - - ## ECDSA Prime256v1 Private Key. - ## This secret is optional, and will be generated by the `initSecrets` job - ## if it is empty. - ## It can either be provided inline in the Helm chart e.g.: - ## ecdsaPrime256v1: - ## value: SecretValue - ## - ## Or it can be provided via an existing Secret e.g.: - ## ecdsaPrime256v1: - ## secret: existing-secret - ## secretKey: key-in-secret - ecdsaPrime256v1: {} - - ## ECDSA Secp256k1 Private Key. - ## It can either be provided inline in the Helm chart e.g.: - ## ecdsaSecp256k1: - ## value: SecretValue - ## - ## Or it can be provided via an existing Secret e.g.: - ## ecdsaSecp256k1: - ## secret: existing-secret - ## secretKey: key-in-secret - ecdsaSecp256k1: {} - - ## ECDSA Secp384r1 Private Key. - ## It can either be provided inline in the Helm chart e.g.: - ## ecdsaSecp384r1: - ## value: SecretValue - ## - ## Or it can be provided via an existing Secret e.g.: - ## ecdsaSecp384r1: - ## secret: existing-secret - ## secretKey: key-in-secret - ecdsaSecp384r1: {} - - - ## How this ingress should be constructed ingress: - ## What hostname should be used for this Ingress - # host: - - ## Annotations to be added to this Ingress - annotations: {} - - ## What Ingress Class Name that should be used for this Ingress - # className: - - ## Disable TLS configuration by setting it to false - tlsEnabled: true - - ## The name of the Secret containing the TLS certificate and the key that should be used for this Ingress - # tlsSecret: - - ## How the Service behind this Ingress is constructed - service: {} - ## If set, some tweaks will be applied automatically to ingresses based on the controller type here. - ## This can be set to `ingress-nginx`. - # controllerType: - - ## Kubernetes resources to allocate to each instance. - resources: - ## Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - requests: - memory: 50Mi - cpu: 50m - - ## Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - limits: - memory: 350Mi - - ## Labels to add to all manifest for this component - labels: {} - - ## Controls configuration of the ServiceAccount for this component - serviceAccount: - ## Whether a ServiceAccount should be created by the chart or not - create: true - - ## What name to give the ServiceAccount. If not provided the chart will provide the name automatically - name: "" - - ## Annotations to add to the service account - annotations: {} - - ## NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - # nodeSelector: {} - - ## Workload tolerations allows Pods that are part of this (sub)component to 'tolerate' any taint that matches the triple using the matching operator . - ## - ## * effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - ## * key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. - ## * operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. - ## * value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. - ## - ## * tolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. - ## e.g. - ## tolerations: - ## - effect: - ## key: - ## operator: - ## value: - - tolerations: [] - - ## TopologySpreadConstraints describes how Pods for this component should be spread between nodes. - ## https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ for in-depth details - ## labelSelector can be omitted and the chart will populate a sensible value for this component. - ## Similarly `pod-template-hash` will be aded to `matchLabelKeys` if appropriate for this component. - ## If any TopologySpreadConstraints are provided for a component any global TopologySpreadConstraints are ignored for that component. - ## e.g. - ## topologySpreadConstraints: - ## - maxSkew: 1 - ## topologyKey: topology.kubernetes.io/zone - ## # nodeAffinityPolicy: Honor/Ignore - ## # nodeTaintsPolicy: Honor/Ignore - ## # whenUnsatisfiable: DoNotSchedule/ScheduleAnyway - topologySpreadConstraints: [] - - ## A subset of PodSecurityContext. PodSecurityContext holds pod-level security attributes and common container settings - podSecurityContext: - ## A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to - ## change the ownership of that volume to be owned by the pod: - ## - ## 1. The owning GID will be the FSGroup - ## 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)## 3. The permission bits are OR'd with rw-rw---- - ## - ## If unset, the Kubelet will not modify the ownership and permissions of any volume. - fsGroup: 10005 - - ## fsGroupChangePolicy defines behavior of changing ownership and permission of the volume before being exposed inside Pod. - ## This field will only apply to volume types which support fsGroup based ownership(and permissions). - ## It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - # fsGroupChangePolicy: - - ## The GID to run the entrypoint of the container process. Uses runtime default if unset. - runAsGroup: 10005 - - ## Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. - runAsNonRoot: true - - ## The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. - runAsUser: 10005 - - ## SELinuxOptions are the labels to be applied to all the pod containers - # seLinuxOptions: - ## Level is SELinux level label that applies to the container. - # level: - - ## Role is a SELinux role label that applies to the container. - # role: - - ## Type is a SELinux type label that applies to the container. - # type: - - ## User is a SELinux user label that applies to the container. - # user: - - ## "To set the Seccomp profile for a Container, include the seccompProfile field in the securityContext section of your Pod or Container manifest. - ## The seccompProfile field is a SeccompProfile object consisting of type and localhostProfile. - ## Valid options for type include RuntimeDefault, Unconfined, and Localhost. localhostProfile must only be set set if type Localhost. - ## It indicates the path of the pre-configured profile on the node, relative to the kubelet's configured Seccomp profile location (configured with the --root-dir flag). - seccompProfile: - # localhostProfile: - type: RuntimeDefault - - ## A list of groups applied to the first process run in each container, in addition to the container's primary GID. - ## If unspecified, no groups will be added to any container. - supplementalGroups: [] - - ## A subset of SecurityContext. ContainersSecurityContext holds pod-level security attributes and common container settings - containersSecurityContext: - ## Controls whether a process can gain more privileges than its parent process. - ## This bool directly controls whether the no_new_privs flag gets set on the container process. - ## allowPrivilegeEscalation is always true when the container is run as privileged, or has CAP_SYS_ADMIN - allowPrivilegeEscalation: false - - ## Give a process some privileges, but not all the privileges of the root user. - capabilities: - ## Privileges to add. - # add: [] - ## Privileges to drop. - drop: - - ALL - - ## Mounts the container's root filesystem as read-only. - readOnlyRootFilesystem: true - - ## To set the Seccomp profile for a Container, include the seccompProfile field in the securityContext section of your Pod or Container manifest. - ## The seccompProfile field is a SeccompProfile object consisting of type and localhostProfile. Valid options for type include RuntimeDefault, Unconfined, and Localhost. - ## localhostProfile must only be set set if type Localhost. It indicates the path of the pre-configured profile on the node, relative to the kubelet's configured Seccomp profile location (configured with the --root-dir flag). - # seccompProfile: - # type: RuntimeDefault - - ## Defines the annotations to add to the workload - # annotations: {} - - ## Whether to deploy ServiceMonitors into the cluster for this component - ## Requires the ServiceMonitor CRDs to be in the cluster - serviceMonitors: - enabled: true - - ## Defines additional environment variables to be injected onto this workload - ## e.g. - ## extraEnv: - ## - name: FOO - ## value: "bar" - extraEnv: [] - - ## Configuration of the thresholds and frequencies of the livenessProbe - livenessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 3 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 10 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 1 - - ## Configuration of the thresholds and frequencies of the readinessProbe - readinessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 3 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 10 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 1 - - ## Configuration of the thresholds and frequencies of the startupProbe - startupProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 4 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 10 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 1 - + host: mas.eom.dev postgres: - enabled: true - - postgresExporter: - # Details of the image to be used - image: - ## The host and (optional) port of the container image registry for this component. - ## If not specified Docker Hub is implied - registry: docker.io - - ## The path in the registry where the container image is located - repository: prometheuscommunity/postgres-exporter - - ## The tag of the container image to use. - ## Defaults to the Chart's appVersion if not set - tag: "v0.17.0" - - ## Container digest to use. Used to pull the image instead of the image tag / Chart appVersion if set - # digest: - - ## Whether the image should be pulled on container startup. Valid values are Always, IfNotPresent and Never - ## If this isn't provided it defaults to Always when using the image tag / Chart appVersion or - ## IfNotPresent if using a digest - # pullPolicy: - - ## A list of pull secrets to use for this image - ## e.g. - ## pullSecrets: - ## - name: dockerhub - pullSecrets: [] - ## Kubernetes resources to allocate to each instance. - resources: - ## Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - requests: - memory: 10Mi - cpu: 10m - - ## Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - limits: - memory: 500Mi - ## A subset of SecurityContext. ContainersSecurityContext holds pod-level security attributes and common container settings - containersSecurityContext: - ## Controls whether a process can gain more privileges than its parent process. - ## This bool directly controls whether the no_new_privs flag gets set on the container process. - ## allowPrivilegeEscalation is always true when the container is run as privileged, or has CAP_SYS_ADMIN - allowPrivilegeEscalation: false - - ## Give a process some privileges, but not all the privileges of the root user. - capabilities: - ## Privileges to add. - # add: [] - ## Privileges to drop. - drop: - - ALL - - ## Mounts the container's root filesystem as read-only. - readOnlyRootFilesystem: true - - ## To set the Seccomp profile for a Container, include the seccompProfile field in the securityContext section of your Pod or Container manifest. - ## The seccompProfile field is a SeccompProfile object consisting of type and localhostProfile. Valid options for type include RuntimeDefault, Unconfined, and Localhost. - ## localhostProfile must only be set set if type Localhost. It indicates the path of the pre-configured profile on the node, relative to the kubelet's configured Seccomp profile location (configured with the --root-dir flag). - # seccompProfile: - # type: RuntimeDefault - ## Configuration of the thresholds and frequencies of the livenessProbe - livenessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 3 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 6 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 2 - ## Configuration of the thresholds and frequencies of the readinessProbe - readinessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 3 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 2 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 2 - - ## Number of seconds after which the probe times out - timeoutSeconds: 2 - ## Configuration of the thresholds and frequencies of the startupProbe - startupProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 20 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 2 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 1 - ## Postgres Admin Password. - ## This secret is optional, and will be generated by the `initSecrets` job - ## if it is empty. - ## It can either be provided inline in the Helm chart e.g.: - ## adminPassword: - ## value: SecretValue - ## - ## Or it can be provided via an existing Secret e.g.: - ## adminPassword: - ## secret: existing-secret - ## secretKey: key-in-secret - adminPassword: {} - - essPasswords: - ## Synapse DB Password. - ## This secret is optional, and will be generated by the `initSecrets` job - ## if it is empty. - ## It can either be provided inline in the Helm chart e.g.: - ## synapse: - ## value: SecretValue - ## - ## Or it can be provided via an existing Secret e.g.: - ## synapse: - ## secret: existing-secret - ## secretKey: key-in-secret - synapse: {} - ## Matrix Authentication Service DB Password. - ## This secret is optional, and will be generated by the `initSecrets` job - ## if it is empty. - ## It can either be provided inline in the Helm chart e.g.: - ## matrixAuthenticationService: - ## value: SecretValue - ## - ## Or it can be provided via an existing Secret e.g.: - ## matrixAuthenticationService: - ## secret: existing-secret - ## secretKey: key-in-secret - matrixAuthenticationService: {} - ## Configures the PersistentVolumeClaim to be used for storage storage: - ## Name of an existing PersistentVolumeClaim in this namespace that should be used - # existingClaim: - - ## The size of a PersistentVolumeClaim to be constructed - ## Ignored if existingClaim is provided - size: 10Gi - - ## The StorageClass to be used by the constructed PersistentVolumeClaim. - ## Will use the cluster default if not provided - ## Ignored if existingClaim is provided - # storageClass: - - ## Whether to instruct Helm to keep or delete the constructed PersistentVolumeClaim when uninstalling the chart - ## Ignored if existingClaim is provided - resourcePolicy: keep - # Details of the image to be used - image: - ## The host and (optional) port of the container image registry for this component. - ## If not specified Docker Hub is implied - registry: docker.io - - ## The path in the registry where the container image is located - repository: postgres - - ## The tag of the container image to use. - ## Defaults to the Chart's appVersion if not set - tag: "17-alpine" - - ## Container digest to use. Used to pull the image instead of the image tag / Chart appVersion if set - # digest: - - ## Whether the image should be pulled on container startup. Valid values are Always, IfNotPresent and Never - ## If this isn't provided it defaults to Always when using the image tag / Chart appVersion or - ## IfNotPresent if using a digest - # pullPolicy: - - ## A list of pull secrets to use for this image - ## e.g. - ## pullSecrets: - ## - name: dockerhub - pullSecrets: [] - ## Defines additional environment variables to be injected onto this workload - ## e.g. - ## extraEnv: - ## - name: FOO - ## value: "bar" - extraEnv: [] - ## Labels to add to all manifest for this component - labels: {} - ## Defines the annotations to add to the workload - # annotations: {} - ## A subset of SecurityContext. ContainersSecurityContext holds pod-level security attributes and common container settings - containersSecurityContext: - ## Controls whether a process can gain more privileges than its parent process. - ## This bool directly controls whether the no_new_privs flag gets set on the container process. - ## allowPrivilegeEscalation is always true when the container is run as privileged, or has CAP_SYS_ADMIN - allowPrivilegeEscalation: false - - ## Give a process some privileges, but not all the privileges of the root user. - capabilities: - ## Privileges to add. - # add: [] - ## Privileges to drop. - drop: - - ALL - - ## Mounts the container's root filesystem as read-only. - readOnlyRootFilesystem: true - - ## To set the Seccomp profile for a Container, include the seccompProfile field in the securityContext section of your Pod or Container manifest. - ## The seccompProfile field is a SeccompProfile object consisting of type and localhostProfile. Valid options for type include RuntimeDefault, Unconfined, and Localhost. - ## localhostProfile must only be set set if type Localhost. It indicates the path of the pre-configured profile on the node, relative to the kubelet's configured Seccomp profile location (configured with the --root-dir flag). - # seccompProfile: - # type: RuntimeDefault - ## NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - # nodeSelector: {} - ## A subset of PodSecurityContext. PodSecurityContext holds pod-level security attributes and common container settings - podSecurityContext: - ## A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to - ## change the ownership of that volume to be owned by the pod: - ## - ## 1. The owning GID will be the FSGroup - ## 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)## 3. The permission bits are OR'd with rw-rw---- - ## - ## If unset, the Kubelet will not modify the ownership and permissions of any volume. - fsGroup: 10091 - - ## fsGroupChangePolicy defines behavior of changing ownership and permission of the volume before being exposed inside Pod. - ## This field will only apply to volume types which support fsGroup based ownership(and permissions). - ## It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - # fsGroupChangePolicy: - - ## The GID to run the entrypoint of the container process. Uses runtime default if unset. - runAsGroup: 10091 - - ## Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. - runAsNonRoot: true - - ## The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. - runAsUser: 10091 - - ## SELinuxOptions are the labels to be applied to all the pod containers - # seLinuxOptions: - ## Level is SELinux level label that applies to the container. - # level: - - ## Role is a SELinux role label that applies to the container. - # role: - - ## Type is a SELinux type label that applies to the container. - # type: - - ## User is a SELinux user label that applies to the container. - # user: - - ## "To set the Seccomp profile for a Container, include the seccompProfile field in the securityContext section of your Pod or Container manifest. - ## The seccompProfile field is a SeccompProfile object consisting of type and localhostProfile. - ## Valid options for type include RuntimeDefault, Unconfined, and Localhost. localhostProfile must only be set set if type Localhost. - ## It indicates the path of the pre-configured profile on the node, relative to the kubelet's configured Seccomp profile location (configured with the --root-dir flag). - seccompProfile: - # localhostProfile: - type: RuntimeDefault - - ## A list of groups applied to the first process run in each container, in addition to the container's primary GID. - ## If unspecified, no groups will be added to any container. - supplementalGroups: [] - ## Kubernetes resources to allocate to each instance. - resources: - ## Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - requests: - memory: 100Mi - cpu: 100m - - ## Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - limits: - memory: 4Gi - ## Controls configuration of the ServiceAccount for this component - serviceAccount: - ## Whether a ServiceAccount should be created by the chart or not - create: true - - ## What name to give the ServiceAccount. If not provided the chart will provide the name automatically - name: "" - - ## Annotations to add to the service account - annotations: {} - ## Whether to deploy ServiceMonitors into the cluster for this component - ## Requires the ServiceMonitor CRDs to be in the cluster - serviceMonitors: - enabled: true - ## Workload tolerations allows Pods that are part of this (sub)component to 'tolerate' any taint that matches the triple using the matching operator . - ## - ## * effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - ## * key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. - ## * operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. - ## * value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. - ## - ## * tolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. - ## e.g. - ## tolerations: - ## - effect: - ## key: - ## operator: - ## value: - - tolerations: [] - ## TopologySpreadConstraints describes how Pods for this component should be spread between nodes. - ## https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ for in-depth details - ## labelSelector can be omitted and the chart will populate a sensible value for this component. - ## Similarly `pod-template-hash` will be aded to `matchLabelKeys` if appropriate for this component. - ## If any TopologySpreadConstraints are provided for a component any global TopologySpreadConstraints are ignored for that component. - ## e.g. - ## topologySpreadConstraints: - ## - maxSkew: 1 - ## topologyKey: topology.kubernetes.io/zone - ## # nodeAffinityPolicy: Honor/Ignore - ## # nodeTaintsPolicy: Honor/Ignore - ## # whenUnsatisfiable: DoNotSchedule/ScheduleAnyway - topologySpreadConstraints: [] - ## Configuration of the thresholds and frequencies of the livenessProbe - livenessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 3 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 10 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 2 - ## Configuration of the thresholds and frequencies of the readinessProbe - readinessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 3 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 10 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 2 - ## Configuration of the thresholds and frequencies of the startupProbe - startupProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 8 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 10 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 1 + size: 2Ti synapse: - enabled: true - - ## A hook job will make sure that Synapse config is valid before continuing - checkConfigHook: - enabled: true - ## Labels to add to all manifest for this component - labels: {} - ## Defines the annotations to add to the workload - # annotations: {} - ## Controls configuration of the ServiceAccount for this component - serviceAccount: - ## Whether a ServiceAccount should be created by the chart or not - create: true - - ## What name to give the ServiceAccount. If not provided the chart will provide the name automatically - name: "" - - ## Annotations to add to the service account - annotations: {} - ## Details of the Postgres Database to use - postgres: {} - ## PostgreSQL database host - # host: - - ## PostgreSQL port - # port: 5432 - - ## PostgreSQL username - # user: - - ## PostgreSQL database name - # database: - - ## TLS settings to use for the PostgreSQL connection - # sslMode: prefer - - ## PostgreSQL password. - ## It can either be provided inline in the Helm chart e.g.: - ## password: - ## value: SecretValue - ## - ## Or it can be provided via an existing Secret e.g.: - ## password: - ## secret: existing-secret - ## secretKey: key-in-secret - # password: {} ## Configures the media store for Synapse media: ## Configures the PersistentVolumeClaim to be used for storage @@ -2027,7 +67,7 @@ ## The size of a PersistentVolumeClaim to be constructed ## Ignored if existingClaim is provided - size: 10Gi + size: 256Gi ## The StorageClass to be used by the constructed PersistentVolumeClaim. ## Will use the cluster default if not provided @@ -2054,1695 +94,5 @@ ## secret: existing-secret ## secretKey: key-in-secret signingKey: {} - ## Shared Secret to registering users without having any users provisioned. - ## This secret is optional, and will be generated by the `initSecrets` job - ## if it is empty. - ## It can either be provided inline in the Helm chart e.g.: - ## registrationSharedSecret: - ## value: SecretValue - ## - ## Or it can be provided via an existing Secret e.g.: - ## registrationSharedSecret: - ## secret: existing-secret - ## secretKey: key-in-secret - registrationSharedSecret: {} - ## Secret used to sign Synapse issued tokens. - ## This secret is optional, and will be generated by the `initSecrets` job - ## if it is empty. - ## It can either be provided inline in the Helm chart e.g.: - ## macaroon: - ## value: SecretValue - ## - ## Or it can be provided via an existing Secret e.g.: - ## macaroon: - ## secret: existing-secret - ## secretKey: key-in-secret - macaroon: {} - - ## Additional configuration to provide to all Synapse processes. - ## Each key under additional is an additional config to merge into synapse homeserver.yaml - ## Full details on available configuration options can be found at https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html - ## This can be provided in-line in the Helm Chart and/or via an existing Secret - ## e.g. - ## additional: - ## 0-customConfig: - ## config: | - ## - ## 1-customConfig: - ## configSecret: custom-config - ## configSecretKey: shared.yaml - ## - ## Most settings are configurable but some settings are owned by the chart and can't overwritten - additional: {} - - - ## Details of Application Service registration files to give to Synapse - ## e.g. - ## appservices: - ## - configMap: test-appservice - ## configMapKey: registration.yaml - ## - secret: test-appservice - ## secretKey: registration.yaml - appservices: [] - - ## Additional Synapse processes managed by this chart - ## e.g. - ## workers: - ## client-reader: - ## enabled: true - ## replicas: 2 - ## event-creator: - ## enabled: true - workers: - appservice: - ## Set to true to deploy this worker - enabled: false - - ## Resources for this worker. - ## If omitted the global Synapse resources are used - # resources: {} - ## Configuration of the thresholds and frequencies of the livenessProbe - livenessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 8 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 6 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 2 - ## Configuration of the thresholds and frequencies of the readinessProbe - readinessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 8 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 2 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 2 - - ## Number of seconds after which the probe times out - timeoutSeconds: 2 - ## Configuration of the thresholds and frequencies of the startupProbe - startupProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 54 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 2 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 1 - background: - ## Set to true to deploy this worker - enabled: false - - ## Resources for this worker. - ## If omitted the global Synapse resources are used - # resources: {} - ## Configuration of the thresholds and frequencies of the livenessProbe - livenessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 8 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 6 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 2 - ## Configuration of the thresholds and frequencies of the readinessProbe - readinessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 8 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 2 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 2 - - ## Number of seconds after which the probe times out - timeoutSeconds: 2 - ## Configuration of the thresholds and frequencies of the startupProbe - startupProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 54 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 2 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 1 - client-reader: - ## Set to true to deploy this worker - enabled: false - - ## The number of replicas of this worker to run - replicas: 1 - - ## Resources for this worker. - ## If omitted the global Synapse resources are used - # resources: {} - ## Configuration of the thresholds and frequencies of the livenessProbe - livenessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 3 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 6 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 2 - ## Configuration of the thresholds and frequencies of the readinessProbe - readinessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 3 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 2 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 2 - - ## Number of seconds after which the probe times out - timeoutSeconds: 2 - ## Configuration of the thresholds and frequencies of the startupProbe - startupProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 21 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 2 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 1 - encryption: - ## Set to true to deploy this worker - enabled: false - - ## Resources for this worker. - ## If omitted the global Synapse resources are used - # resources: {} - ## Configuration of the thresholds and frequencies of the livenessProbe - livenessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 8 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 6 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 2 - ## Configuration of the thresholds and frequencies of the readinessProbe - readinessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 8 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 2 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 2 - - ## Number of seconds after which the probe times out - timeoutSeconds: 2 - ## Configuration of the thresholds and frequencies of the startupProbe - startupProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 54 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 2 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 1 - event-creator: - ## Set to true to deploy this worker - enabled: false - - ## The number of replicas of this worker to run - replicas: 1 - - ## Resources for this worker. - ## If omitted the global Synapse resources are used - # resources: {} - ## Configuration of the thresholds and frequencies of the livenessProbe - livenessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 3 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 6 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 2 - ## Configuration of the thresholds and frequencies of the readinessProbe - readinessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 3 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 2 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 2 - - ## Number of seconds after which the probe times out - timeoutSeconds: 2 - ## Configuration of the thresholds and frequencies of the startupProbe - startupProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 21 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 2 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 1 - event-persister: - ## Set to true to deploy this worker - enabled: false - - ## The number of replicas of this worker to run - replicas: 1 - - ## Resources for this worker. - ## If omitted the global Synapse resources are used - # resources: {} - ## Configuration of the thresholds and frequencies of the livenessProbe - livenessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 3 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 6 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 2 - ## Configuration of the thresholds and frequencies of the readinessProbe - readinessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 3 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 2 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 2 - - ## Number of seconds after which the probe times out - timeoutSeconds: 2 - ## Configuration of the thresholds and frequencies of the startupProbe - startupProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 21 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 2 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 1 - federation-inbound: - ## Set to true to deploy this worker - enabled: false - - ## The number of replicas of this worker to run - replicas: 1 - - ## Resources for this worker. - ## If omitted the global Synapse resources are used - # resources: {} - ## Configuration of the thresholds and frequencies of the livenessProbe - livenessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 3 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 6 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 2 - ## Configuration of the thresholds and frequencies of the readinessProbe - readinessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 3 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 2 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 2 - - ## Number of seconds after which the probe times out - timeoutSeconds: 2 - ## Configuration of the thresholds and frequencies of the startupProbe - startupProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 21 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 2 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 1 - federation-reader: - ## Set to true to deploy this worker - enabled: false - - ## The number of replicas of this worker to run - replicas: 1 - - ## Resources for this worker. - ## If omitted the global Synapse resources are used - # resources: {} - ## Configuration of the thresholds and frequencies of the livenessProbe - livenessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 3 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 6 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 2 - ## Configuration of the thresholds and frequencies of the readinessProbe - readinessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 3 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 2 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 2 - - ## Number of seconds after which the probe times out - timeoutSeconds: 2 - ## Configuration of the thresholds and frequencies of the startupProbe - startupProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 21 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 2 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 1 - federation-sender: - ## Set to true to deploy this worker - enabled: false - - ## The number of replicas of this worker to run - replicas: 1 - - ## Resources for this worker. - ## If omitted the global Synapse resources are used - # resources: {} - ## Configuration of the thresholds and frequencies of the livenessProbe - livenessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 3 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 6 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 2 - ## Configuration of the thresholds and frequencies of the readinessProbe - readinessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 3 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 2 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 2 - - ## Number of seconds after which the probe times out - timeoutSeconds: 2 - ## Configuration of the thresholds and frequencies of the startupProbe - startupProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 21 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 2 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 1 - initial-synchrotron: - ## Set to true to deploy this worker - enabled: false - - ## The number of replicas of this worker to run - replicas: 1 - - ## Resources for this worker. - ## If omitted the global Synapse resources are used - # resources: {} - ## Configuration of the thresholds and frequencies of the livenessProbe - livenessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 3 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 6 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 2 - ## Configuration of the thresholds and frequencies of the readinessProbe - readinessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 3 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 2 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 2 - - ## Number of seconds after which the probe times out - timeoutSeconds: 2 - ## Configuration of the thresholds and frequencies of the startupProbe - startupProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 21 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 2 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 1 - media-repository: - ## Set to true to deploy this worker - enabled: false - - ## Resources for this worker. - ## If omitted the global Synapse resources are used - # resources: {} - ## Configuration of the thresholds and frequencies of the livenessProbe - livenessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 8 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 6 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 2 - ## Configuration of the thresholds and frequencies of the readinessProbe - readinessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 8 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 2 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 2 - - ## Number of seconds after which the probe times out - timeoutSeconds: 2 - ## Configuration of the thresholds and frequencies of the startupProbe - startupProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 54 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 2 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 1 - presence-writer: - ## Set to true to deploy this worker - enabled: false - - ## Resources for this worker. - ## If omitted the global Synapse resources are used - # resources: {} - ## Configuration of the thresholds and frequencies of the livenessProbe - livenessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 8 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 6 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 2 - ## Configuration of the thresholds and frequencies of the readinessProbe - readinessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 8 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 2 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 2 - - ## Number of seconds after which the probe times out - timeoutSeconds: 2 - ## Configuration of the thresholds and frequencies of the startupProbe - startupProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 54 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 2 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 1 - push-rules: - ## Set to true to deploy this worker - enabled: false - - ## Resources for this worker. - ## If omitted the global Synapse resources are used - # resources: {} - ## Configuration of the thresholds and frequencies of the livenessProbe - livenessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 8 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 6 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 2 - ## Configuration of the thresholds and frequencies of the readinessProbe - readinessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 8 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 2 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 2 - - ## Number of seconds after which the probe times out - timeoutSeconds: 2 - ## Configuration of the thresholds and frequencies of the startupProbe - startupProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 54 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 2 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 1 - pusher: - ## Set to true to deploy this worker - enabled: false - - ## The number of replicas of this worker to run - replicas: 1 - - ## Resources for this worker. - ## If omitted the global Synapse resources are used - # resources: {} - ## Configuration of the thresholds and frequencies of the livenessProbe - livenessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 3 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 6 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 2 - ## Configuration of the thresholds and frequencies of the readinessProbe - readinessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 3 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 2 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 2 - - ## Number of seconds after which the probe times out - timeoutSeconds: 2 - ## Configuration of the thresholds and frequencies of the startupProbe - startupProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 21 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 2 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 1 - receipts-account: - ## Set to true to deploy this worker - enabled: false - - ## Resources for this worker. - ## If omitted the global Synapse resources are used - # resources: {} - ## Configuration of the thresholds and frequencies of the livenessProbe - livenessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 8 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 6 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 2 - ## Configuration of the thresholds and frequencies of the readinessProbe - readinessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 8 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 2 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 2 - - ## Number of seconds after which the probe times out - timeoutSeconds: 2 - ## Configuration of the thresholds and frequencies of the startupProbe - startupProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 54 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 2 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 1 - sliding-sync: - ## Set to true to deploy this worker - enabled: false - - ## The number of replicas of this worker to run - replicas: 1 - - ## Resources for this worker. - ## If omitted the global Synapse resources are used - # resources: {} - ## Configuration of the thresholds and frequencies of the livenessProbe - livenessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 3 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 6 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 2 - ## Configuration of the thresholds and frequencies of the readinessProbe - readinessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 3 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 2 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 2 - - ## Number of seconds after which the probe times out - timeoutSeconds: 2 - ## Configuration of the thresholds and frequencies of the startupProbe - startupProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 21 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 2 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 1 - sso-login: - ## Set to true to deploy this worker - enabled: false - - ## Resources for this worker. - ## If omitted the global Synapse resources are used - # resources: {} - ## Configuration of the thresholds and frequencies of the livenessProbe - livenessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 8 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 6 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 2 - ## Configuration of the thresholds and frequencies of the readinessProbe - readinessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 8 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 2 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 2 - - ## Number of seconds after which the probe times out - timeoutSeconds: 2 - ## Configuration of the thresholds and frequencies of the startupProbe - startupProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 54 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 2 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 1 - synchrotron: - ## Set to true to deploy this worker - enabled: false - - ## The number of replicas of this worker to run - replicas: 1 - - ## Resources for this worker. - ## If omitted the global Synapse resources are used - # resources: {} - ## Configuration of the thresholds and frequencies of the livenessProbe - livenessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 3 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 6 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 2 - ## Configuration of the thresholds and frequencies of the readinessProbe - readinessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 3 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 2 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 2 - - ## Number of seconds after which the probe times out - timeoutSeconds: 2 - ## Configuration of the thresholds and frequencies of the startupProbe - startupProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 21 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 2 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 1 - typing-persister: - ## Set to true to deploy this worker - enabled: false - - ## Resources for this worker. - ## If omitted the global Synapse resources are used - # resources: {} - ## Configuration of the thresholds and frequencies of the livenessProbe - livenessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 8 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 6 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 2 - ## Configuration of the thresholds and frequencies of the readinessProbe - readinessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 8 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 2 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 2 - - ## Number of seconds after which the probe times out - timeoutSeconds: 2 - ## Configuration of the thresholds and frequencies of the startupProbe - startupProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 54 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 2 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 1 - user-dir: - ## Set to true to deploy this worker - enabled: false - - ## Resources for this worker. - ## If omitted the global Synapse resources are used - # resources: {} - ## Configuration of the thresholds and frequencies of the livenessProbe - livenessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 8 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 6 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 2 - ## Configuration of the thresholds and frequencies of the readinessProbe - readinessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 8 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 2 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 2 - - ## Number of seconds after which the probe times out - timeoutSeconds: 2 - ## Configuration of the thresholds and frequencies of the startupProbe - startupProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 54 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 2 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 1 - - ## Synapse's logging settings - logging: - ## The maximum level of Synapse log output before any overrides - rootLevel: INFO - - ## Override the log level of specific loggers - ## e.g. - ## levelOverrides: - ## synapse.util.caches.lrucache: WARNING - levelOverrides: {} - # Details of the image to be used - image: - ## The host and (optional) port of the container image registry for this component. - ## If not specified Docker Hub is implied - registry: docker.io - - ## The path in the registry where the container image is located - repository: matrixdotorg/synapse - - ## The tag of the container image to use. - ## Defaults to the Chart's appVersion if not set - tag: "v1.130.0" - - ## Container digest to use. Used to pull the image instead of the image tag / Chart appVersion if set - # digest: - - ## Whether the image should be pulled on container startup. Valid values are Always, IfNotPresent and Never - ## If this isn't provided it defaults to Always when using the image tag / Chart appVersion or - ## IfNotPresent if using a digest - # pullPolicy: - - ## A list of pull secrets to use for this image - ## e.g. - ## pullSecrets: - ## - name: dockerhub - pullSecrets: [] - ## How this ingress should be constructed ingress: - ## What hostname should be used for this Ingress - # host: - - ## Annotations to be added to this Ingress - annotations: {} - - ## What Ingress Class Name that should be used for this Ingress - # className: - - ## Disable TLS configuration by setting it to false - tlsEnabled: true - - ## The name of the Secret containing the TLS certificate and the key that should be used for this Ingress - # tlsSecret: - - ## How the Service behind this Ingress is constructed - service: {} - ## If set, some tweaks will be applied automatically to ingresses based on the controller type here. - ## This can be set to `ingress-nginx`. - # controllerType: - ## Labels to add to all manifest for this component - labels: {} - ## Defines the annotations to add to the workload - # annotations: {} - ## A subset of SecurityContext. ContainersSecurityContext holds pod-level security attributes and common container settings - containersSecurityContext: - ## Controls whether a process can gain more privileges than its parent process. - ## This bool directly controls whether the no_new_privs flag gets set on the container process. - ## allowPrivilegeEscalation is always true when the container is run as privileged, or has CAP_SYS_ADMIN - allowPrivilegeEscalation: false - - ## Give a process some privileges, but not all the privileges of the root user. - capabilities: - ## Privileges to add. - # add: [] - ## Privileges to drop. - drop: - - ALL - - ## Mounts the container's root filesystem as read-only. - readOnlyRootFilesystem: true - - ## To set the Seccomp profile for a Container, include the seccompProfile field in the securityContext section of your Pod or Container manifest. - ## The seccompProfile field is a SeccompProfile object consisting of type and localhostProfile. Valid options for type include RuntimeDefault, Unconfined, and Localhost. - ## localhostProfile must only be set set if type Localhost. It indicates the path of the pre-configured profile on the node, relative to the kubelet's configured Seccomp profile location (configured with the --root-dir flag). - # seccompProfile: - # type: RuntimeDefault - ## Defines additional environment variables to be injected onto this workload - ## e.g. - ## extraEnv: - ## - name: FOO - ## value: "bar" - extraEnv: [] - ## The list of hosts aliases to configure on the pod spec. - ## It should be avoid as much as possible to use this feature. - ## Please prefer using an DNS entry to resolve your hostnames. - ## This can be used as a workaround when entries cannot be resolved using DNS, for example for our automated testings. - ## e.g. - ## hostAliases: - ## - ip: 192.0.2.1 # An IP resolution to add to /etc/hosts - ## # A list of hostnames to be associated with the above IP - ## hostnames: - ## - ess.localhost - ## - synapse.ess.localhost - hostAliases: [] - ## NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - # nodeSelector: {} - ## A subset of PodSecurityContext. PodSecurityContext holds pod-level security attributes and common container settings - podSecurityContext: - ## A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to - ## change the ownership of that volume to be owned by the pod: - ## - ## 1. The owning GID will be the FSGroup - ## 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)## 3. The permission bits are OR'd with rw-rw---- - ## - ## If unset, the Kubelet will not modify the ownership and permissions of any volume. - fsGroup: 10091 - - ## fsGroupChangePolicy defines behavior of changing ownership and permission of the volume before being exposed inside Pod. - ## This field will only apply to volume types which support fsGroup based ownership(and permissions). - ## It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - # fsGroupChangePolicy: - - ## The GID to run the entrypoint of the container process. Uses runtime default if unset. - runAsGroup: 10091 - - ## Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. - runAsNonRoot: true - - ## The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. - runAsUser: 10091 - - ## SELinuxOptions are the labels to be applied to all the pod containers - # seLinuxOptions: - ## Level is SELinux level label that applies to the container. - # level: - - ## Role is a SELinux role label that applies to the container. - # role: - - ## Type is a SELinux type label that applies to the container. - # type: - - ## User is a SELinux user label that applies to the container. - # user: - - ## "To set the Seccomp profile for a Container, include the seccompProfile field in the securityContext section of your Pod or Container manifest. - ## The seccompProfile field is a SeccompProfile object consisting of type and localhostProfile. - ## Valid options for type include RuntimeDefault, Unconfined, and Localhost. localhostProfile must only be set set if type Localhost. - ## It indicates the path of the pre-configured profile on the node, relative to the kubelet's configured Seccomp profile location (configured with the --root-dir flag). - seccompProfile: - # localhostProfile: - type: RuntimeDefault - - ## A list of groups applied to the first process run in each container, in addition to the container's primary GID. - ## If unspecified, no groups will be added to any container. - supplementalGroups: [] - ## Kubernetes resources to allocate to each instance. - resources: - ## Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - requests: - memory: 100Mi - cpu: 100m - - ## Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - limits: - memory: 4Gi - ## Controls configuration of the ServiceAccount for this component - serviceAccount: - ## Whether a ServiceAccount should be created by the chart or not - create: true - - ## What name to give the ServiceAccount. If not provided the chart will provide the name automatically - name: "" - - ## Annotations to add to the service account - annotations: {} - ## Whether to deploy ServiceMonitors into the cluster for this component - ## Requires the ServiceMonitor CRDs to be in the cluster - serviceMonitors: - enabled: true - ## Workload tolerations allows Pods that are part of this (sub)component to 'tolerate' any taint that matches the triple using the matching operator . - ## - ## * effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - ## * key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. - ## * operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. - ## * value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. - ## - ## * tolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. - ## e.g. - ## tolerations: - ## - effect: - ## key: - ## operator: - ## value: - - tolerations: [] - ## TopologySpreadConstraints describes how Pods for this component should be spread between nodes. - ## https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ for in-depth details - ## labelSelector can be omitted and the chart will populate a sensible value for this component. - ## Similarly `pod-template-hash` will be aded to `matchLabelKeys` if appropriate for this component. - ## If any TopologySpreadConstraints are provided for a component any global TopologySpreadConstraints are ignored for that component. - ## e.g. - ## topologySpreadConstraints: - ## - maxSkew: 1 - ## topologyKey: topology.kubernetes.io/zone - ## # nodeAffinityPolicy: Honor/Ignore - ## # nodeTaintsPolicy: Honor/Ignore - ## # whenUnsatisfiable: DoNotSchedule/ScheduleAnyway - topologySpreadConstraints: [] - ## Configuration of the thresholds and frequencies of the livenessProbe - livenessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 8 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 6 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 2 - ## Configuration of the thresholds and frequencies of the readinessProbe - readinessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 8 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 2 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 2 - - ## Number of seconds after which the probe times out - timeoutSeconds: 2 - ## Configuration of the thresholds and frequencies of the startupProbe - startupProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 54 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 2 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 1 - - ## Extra command line arguments to provide to Synapse - extraArgs: [] - - redis: - # Details of the image to be used - image: - ## The host and (optional) port of the container image registry for this component. - ## If not specified Docker Hub is implied - registry: docker.io - - ## The path in the registry where the container image is located - repository: library/redis - - ## The tag of the container image to use. - ## Defaults to the Chart's appVersion if not set - tag: "7.4-alpine" - - ## Container digest to use. Used to pull the image instead of the image tag / Chart appVersion if set - # digest: - - ## Whether the image should be pulled on container startup. Valid values are Always, IfNotPresent and Never - ## If this isn't provided it defaults to Always when using the image tag / Chart appVersion or - ## IfNotPresent if using a digest - # pullPolicy: - - ## A list of pull secrets to use for this image - ## e.g. - ## pullSecrets: - ## - name: dockerhub - pullSecrets: [] - ## Labels to add to all manifest for this component - labels: {} - ## Defines the annotations to add to the workload - # annotations: {} - ## A subset of SecurityContext. ContainersSecurityContext holds pod-level security attributes and common container settings - containersSecurityContext: - ## Controls whether a process can gain more privileges than its parent process. - ## This bool directly controls whether the no_new_privs flag gets set on the container process. - ## allowPrivilegeEscalation is always true when the container is run as privileged, or has CAP_SYS_ADMIN - allowPrivilegeEscalation: false - - ## Give a process some privileges, but not all the privileges of the root user. - capabilities: - ## Privileges to add. - # add: [] - ## Privileges to drop. - drop: - - ALL - - ## Mounts the container's root filesystem as read-only. - readOnlyRootFilesystem: true - - ## To set the Seccomp profile for a Container, include the seccompProfile field in the securityContext section of your Pod or Container manifest. - ## The seccompProfile field is a SeccompProfile object consisting of type and localhostProfile. Valid options for type include RuntimeDefault, Unconfined, and Localhost. - ## localhostProfile must only be set set if type Localhost. It indicates the path of the pre-configured profile on the node, relative to the kubelet's configured Seccomp profile location (configured with the --root-dir flag). - # seccompProfile: - # type: RuntimeDefault - ## Defines additional environment variables to be injected onto this workload - ## e.g. - ## extraEnv: - ## - name: FOO - ## value: "bar" - extraEnv: [] - ## NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - # nodeSelector: {} - ## A subset of PodSecurityContext. PodSecurityContext holds pod-level security attributes and common container settings - podSecurityContext: - ## A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to - ## change the ownership of that volume to be owned by the pod: - ## - ## 1. The owning GID will be the FSGroup - ## 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)## 3. The permission bits are OR'd with rw-rw---- - ## - ## If unset, the Kubelet will not modify the ownership and permissions of any volume. - fsGroup: 10002 - - ## fsGroupChangePolicy defines behavior of changing ownership and permission of the volume before being exposed inside Pod. - ## This field will only apply to volume types which support fsGroup based ownership(and permissions). - ## It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - # fsGroupChangePolicy: - - ## The GID to run the entrypoint of the container process. Uses runtime default if unset. - runAsGroup: 10002 - - ## Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. - runAsNonRoot: true - - ## The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. - runAsUser: 10002 - - ## SELinuxOptions are the labels to be applied to all the pod containers - # seLinuxOptions: - ## Level is SELinux level label that applies to the container. - # level: - - ## Role is a SELinux role label that applies to the container. - # role: - - ## Type is a SELinux type label that applies to the container. - # type: - - ## User is a SELinux user label that applies to the container. - # user: - - ## "To set the Seccomp profile for a Container, include the seccompProfile field in the securityContext section of your Pod or Container manifest. - ## The seccompProfile field is a SeccompProfile object consisting of type and localhostProfile. - ## Valid options for type include RuntimeDefault, Unconfined, and Localhost. localhostProfile must only be set set if type Localhost. - ## It indicates the path of the pre-configured profile on the node, relative to the kubelet's configured Seccomp profile location (configured with the --root-dir flag). - seccompProfile: - # localhostProfile: - type: RuntimeDefault - - ## A list of groups applied to the first process run in each container, in addition to the container's primary GID. - ## If unspecified, no groups will be added to any container. - supplementalGroups: [] - ## Kubernetes resources to allocate to each instance. - resources: - ## Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - requests: - memory: 50Mi - cpu: 50m - - ## Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - limits: - memory: 50Mi - ## Controls configuration of the ServiceAccount for this component - serviceAccount: - ## Whether a ServiceAccount should be created by the chart or not - create: true - - ## What name to give the ServiceAccount. If not provided the chart will provide the name automatically - name: "" - - ## Annotations to add to the service account - annotations: {} - ## Workload tolerations allows Pods that are part of this (sub)component to 'tolerate' any taint that matches the triple using the matching operator . - ## - ## * effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - ## * key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. - ## * operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. - ## * value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. - ## - ## * tolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. - ## e.g. - ## tolerations: - ## - effect: - ## key: - ## operator: - ## value: - - tolerations: [] - ## Configuration of the thresholds and frequencies of the livenessProbe - livenessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 3 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 10 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 1 - ## Configuration of the thresholds and frequencies of the readinessProbe - readinessProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 3 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 10 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 1 - ## Configuration of the thresholds and frequencies of the startupProbe - startupProbe: - ## How many consecutive failures for the probe to be considered failed - failureThreshold: 5 - - ## Number of seconds after the container has started before the probe starts - initialDelaySeconds: 0 - - ## How often (in seconds) to perform the probe - periodSeconds: 10 - - ## How many consecutive successes for the probe to be consider successful after having failed - successThreshold: 1 - - ## Number of seconds after which the probe times out - timeoutSeconds: 1 - - wellKnownDelegation: - enabled: true - - - ## Labels to add to all manifest for this component - labels: {} - - ## How this ingress should be constructed - ingress: - ## What hostname should be used for this Ingress - # host: - - ## Annotations to be added to this Ingress - annotations: {} - - ## What Ingress Class Name that should be used for this Ingress - # className: - - ## Disable TLS configuration by setting it to false - tlsEnabled: true - - ## The name of the Secret containing the TLS certificate and the key that should be used for this Ingress - # tlsSecret: - - ## How the Service behind this Ingress is constructed - service: {} - ## If set, some tweaks will be applied automatically to ingresses based on the controller type here. - ## This can be set to `ingress-nginx`. - # controllerType: - - ## If ElementWeb is deployed, the base domain will redirect to it's ingress host by default - ## If ElementWeb is not deployed or this is disabled, no base domain URL redirect will be set. - baseDomainRedirect: - enabled: true - ## You can override with another redirect URL here. - url: "" - - ## Additional configuration to provide to all WellKnown static file - ## Configuration should be provided as JSON strings - additional: - client: "{}" - server: "{}" - element: "{}" - support: "{}" + host: synapse.eom.dev