⚠️ MAJOR UPDATE: Feature: add matrix sliding sync and matrix authentication service subcharts

[jessebot]

Changes

• bumps element version to v1.11.67 and closes Update vectorim/element-web Docker tag to v1.11.67 #562

• adds some more auto-generated values.yaml docs

• soft deprecates the synapse.ingress.host parameter, and hard deprecates the synapse.tls.enabled parameter, in favor of proper synapse.ingress.hosts and synapse.ingress.tls parameters. Because of this, matrix.hostname is now required. All in all, this would look like this:

  matrix:
    hostname: my-synapse-hostname.com
  
  synapse:
    enabled: true
    ingress:
      enabled: true
      className: "nginx"
      annotations:
        nginx.ingress.kubernetes.io/configuration-snippet: |
          proxy_intercept_errors off;
        cert-manager.io/cluster-issuer: letsencrypt-staging
      hosts:
        - host: 'my-synapse-hostname.com'
          paths:
            - path: /
              pathType: ImplementationSpecific
      tls:
        - secretName: matrix-tls
          hosts:
            - 'my-synapse-hostname.com'

• adds web_client_location by default to homeserver.yaml if element.enabled is set to true

• add matrix.require_auth_for_profile_requests, matrix.limit_profile_requests_to_users_who_share_rooms, matrix.federation_client_minimum_tls_version, and matrix.password_config parameters for the homeserver.yaml

• sets matrix.federation.enabled and matrix.federation.ingress.enabled to false by default, so that it's opt-in

• updates all the matrix-org/synapse (archived) URLs in values.yaml docs to element-hq/synapse (fork)

• element.integrations.enabled is set to false because those are paid features, and they should be opt-in

• Closes Add support for sliding sync #556 by adding the matrix sliding sync chart as a sub-chart of this chart. This is needed for the new version of Element, currently called element-x during it's beta phase. For more info, please see matrix-org/sliding-sync.

  new syncv3(sliding sync) helm values

  # values for https://github.com/small-hack/matrix-sliding-sync-chart
  # they are called syncv3 because hyphens aren't allowed in gotemplating of subcharts
  # and camelcase is not allowed in kubneretes resources
  syncv3:
    enabled: false
    postgresql:
      # -- Whether to deploy the Bitnami Postgresql sub chart
      # If postgresql.enabled is set to true, externalDatabase.enabled must be set to false
      # else if externalDatabase.enabled is set to true, postgresql.enabled must be set to false
      enabled: true
      persistence:
        enabled: false
      volumePermissions:
        # -- Enable init container that changes the owner and group of the PVC
        enabled: true
      global:
        postgresql:
          # global.postgresql.auth overrides postgresql.auth
          auth:
            # database credentials to use if you don't use an existingSecret
            # -- username of matrix-sliding-sync postgres user
            username: syncv3
            # -- password of matrix-sliding-sync postgres user - ignored using exsitingSecret
            password: changeme
            # -- which port to use to connect to your database server
            port: 5432
            # -- name of the database
            database: syncv3
            # -- Name of existing secret to use for PostgreSQL credentials
            existingSecret: ""
            # secretKeys to grab from existingSecret
            # if postgresql.existingSecret is provided, the following are ignored
            # postgresql.password/username/hostname/database
            secretKeys:
              # -- key in existingSecret with hostname of the database
              databaseHostname: hostname
              # -- key in existingSecret with name of the database
              database: database
              # -- key in existingSecret with username for matrix to connect to db
              databaseUsername: username
              # -- key in existingSecret with password for matrix to connect to db
              userPasswordKey: password
              # -- key in existingSecret with the admin postgresql password
              adminPasswordKey: postgresPassword
  
    externalDatabase:
      # -- enable using an external database *instead of* the Bitnami PostgreSQL sub-chart
      # if externalDatabase.enabled is set to true, postgresql.enabled must be set to false
      enabled: false
      # optional SSL parameters for postgresql, if using your own db instead of the subchart
      # ref: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS
      # -- sslmode to use, example: verify-full
      sslmode: ""
      # make sure any paths here are reflected in synapse.extraVolumes and synapse.extraVolumeMounts
      # -- optional: tls/ssl root cert for postgresql connections
      sslrootcert: ""
      # -- optional: tls/ssl cert for postgresql connections
      sslcert: ""
      # -- optional: tls/ssl key for postgresql connections
      sslkey: ""
      # database credentials to use if you don't use an existingSecret
      # -- username of matrix-sliding-sync postgres user
      username: syncv3
      # -- password of matrix-sliding-sync postgres user - ignored using exsitingSecret
      password: changeme
      # -- which port to use to connect to your database server
      port: 5432
      # -- hostname of db server. Can be left blank if using postgres subchart
      hostname: ""
      # -- name of the database to try and connect to
      database: "syncv3"
      # -- Name of existing secret to use for PostgreSQL credentials
      existingSecret: ""
      # if externalDatabase.existingSecret is provided, the following are ignored
      # password, username, hostname, database
      # secretKeys to grab from existingSecret
      secretKeys:
        # -- key in existingSecret with hostname of the database
        databaseHostname: hostname
        # -- key in existingSecret with name of the database
        database: database
        # -- key in existingSecret with username for matrix to connect to db
        databaseUsername: username
        # -- key in existingSecret with password for matrix to connect to db
        userPasswordKey: password
        # -- key in existingSecret with the admin postgresql password
        adminPasswordKey: postgresPassword
  
    syncv3:
      # -- existing kubernetes secret for ALL syncv3 env vars listed below. if set, ignores all values below, everything under syncv3 including syncvc.otlp.
      existingSecret: ""
      # -- SYNCV3_SERVER - Required. The destination homeserver to talk to (CS API HTTPS URL) e.g 'https://matrix-client.matrix.org' (Supports unix socket: /path/to/socket)
      server: ""
      # -- SYNCV3_SECRET - Required. A secret to use to encrypt access tokens. Must remain the same for the lifetime of the database. If both syncv3.secret and syncv3.existingSecret are not set, we will autogenerate this value
      secret: ""
      # -- SYNCV3_BINDADDR - The interface and port to listen on. (Supports unix socket: /path/to/socket)
      bindaddr: "0.0.0.0:8008"
      # -- SYNCV3_TLS_CERT - Default: unset. Path to a certificate file to serve to HTTPS clients. Specifying this enables TLS on the bound address.
      tlsCert: ""
      # -- SYNCV3_TLS_KEY - Default: unset. Path to a key file for the certificate. Must be provided along with the certificate file.
      tlsKey: ""
      # -- SYNCV3_PPROF - Default: unset. The bind addr for pprof debugging e.g ':6060'. If not set, does not listen.
      pprof: ""
      # -- SYNCV3_PROM - Default: unset. The bind addr for Prometheus metrics, which will be accessible at /metrics at this address.
      prom: ""
      otlp:
        # -- SYNCV3_OTLP_URL - Default: unset. The OTLP HTTP URL to send spans to e.g https://localhost:4318 - if unset does not send OTLP traces.
        url: ""
        # -- SYNCV3_OTLP_USERNAME - Default: unset. The OTLP username for Basic auth. If unset, does not send an Authorization header.
        username: ""
        # -- SYNCV3_OTLP_PASSWORD - Default: unset. The OTLP password for Basic auth. If unset, does not send an Authorization header.
        password: ""
        existingSecret: ""
  
      # -- SYNCV3_SENTRY_DSN - Default: unset. The Sentry DSN to report events to e.g https://[email protected]/123 - if unset does not send sentry events.
      sentryDsn: ""
      # -- SYNCV3_LOG_LEVEL - The level of verbosity for messages logged. Available values are trace, debug, info, warn, error and fatal
      logLevel: "info"
      # -- SYNCV3_MAX_DB_CONN - Default: unset. Max database connections to use when communicating with postgres. Unset or 0 means no limit.
      maxDbConn: ""

• Also adds a section to the README explaining how to return the correct json for requests to https://matrix.example.com/.well-known/matrix/client by using matrix.extra_well_known_client_content:

  matrix:
    extra_well_known_client_content:
       "org.matrix.msc3575.proxy":
         "url": "https://your-sliding-sync-hostname.com"

• Closes MAS - matrix authentication service helm sub-chart needed #561
  adds the matrix authentication service chart as a sub-chart of this chart which implements msc3861 which you can read more about in this blog post by matrix.org. This is needed for the new version of Element, currently called element-x during it's beta phase. For more info, please see matrix-org/matrix-authentication-service. Includes two new values.yaml sections:matrix.experimental_features.msc3861, and mas.

  new mas helm values

  mas:
    enabled: false
    # PostgreSQL Database configuration for matrix Authentication Service, for more options:
    # https://github.com/bitnami/charts/tree/main/bitnami/postgresql
    postgresql:
      # -- Whether to deploy the Bitnami Postgresql sub chart
      # If postgresql.enabled is set to true, externalDatabase.enabled must be set to false
      # else if externalDatabase.enabled is set to true, postgresql.enabled must be set to false
      enabled: true
      # persistence:
      #   enabled: false
      volumePermissions:
        # -- Enable init container that changes the owner and group of the PVC
        enabled: true
  
      tls:
        # -- Enable TLS traffic support for postgresql, see [bitnami/charts/postgresql#securing-traffic-using-tls](https://github.com/bitnami/charts/tree/main/bitnami/postgresql#securing-traffic-using-tls)
        enabled: false
        # -- Generate automatically self-signed TLS certificates
        autoGenerated: false
        # -- Whether to use the server's TLS cipher preferences rather than the client's
        preferServerCiphers: true
        # -- Name of an existing secret that contains the certificates
        certificatesSecret: ""
        # -- Certificate filename
        certFilename: ""
        # -- Certificate key filename
        certKeyFilename: ""
        # -- CA Certificate filename
        certCAFilename: ""
        # -- File containing a Certificate Revocation List
        crlFilename: ""
  
      global:
        postgresql:
          # global.postgresql.auth overrides postgresql.auth
          auth:
            # database credentials to use if you don't use an existingSecret
            # -- username of matrix-authentication-service postgres user
            username: mas
            # -- password of matrix-authentication-service postgres user - ignored using exsitingSecret
            password: changeme
            # -- which port to use to connect to your database server
            port: 5432
            # -- name of the database
            database: mas
            # -- Name of existing secret to use for PostgreSQL credentials
            existingSecret: ""
            # secretKeys to grab from existingSecret
            # if postgresql.existingSecret is provided, the following are ignored
            # postgresql.password/username/hostname/database
            secretKeys:
              # -- key in existingSecret with hostname of the database
              databaseHostname: hostname
              # -- key in existingSecret with name of the database
              database: database
              # -- key in existingSecret with username for matrix-authentication-service to connect to db
              databaseUsername: username
              # -- key in existingSecret with password for matrix-authentication-service to connect to db
              userPasswordKey: password
              # -- key in existingSecret with the admin postgresql password
              adminPasswordKey: postgresPassword
  
      # primary database node config
      primary:
        # -- run the scripts in templates/postgresql/initdb-configmap.yaml
        # If using an external Postgres server, make sure to configure the database
        # ref: https://github.com/matrix-org/synapse/blob/master/docs/postgres.md
        initdb:
          scriptsConfigMap: "{{ .Release.Name }}-postgresql-initdb"
  
        podSecurityContext:
          enabled: true
          runAsUser: 1000
          fsGroup: 1000
  
    # matrix authentication external database settings
    externalDatabase:
      # -- enable using an external database *instead of* the Bitnami PostgreSQL sub-chart
      # if externalDatabase.enabled is set to true, postgresql.enabled must be set to false
      enabled: false
      # optional SSL parameters for postgresql, if using your own db instead of the subchart
      # ref: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS
      # -- sslmode to use, example: verify-full
      sslmode: ""
      # make sure any paths here are reflected in matrixAuthenticationService.extraVolumes and matrixAuthenticationService.extraVolumeMounts
      # -- optional: tls/ssl root cert for postgresql connections
      sslrootcert: ""
      # -- optional: tls/ssl cert for postgresql connections
      sslcert: ""
      # -- optional: tls/ssl key for postgresql connections
      sslkey: ""
      # database credentials to use if you don't use an existingSecret
      # -- username of matrix-authentication-service postgres user
      username: mas
      # -- password of matrix-authentication-service postgres user - ignored using exsitingSecret
      password: changeme
      # -- which port to use to connect to your database server
      port: 5432
      # -- hostname of db server. Can be left blank if using postgres subchart
      hostname: ""
      # -- name of the database to try and connect to
      database: "mas"
      # -- Name of existing secret to use for PostgreSQL credentials
      existingSecret: ""
      # if externalDatabase.existingSecret is provided, the following are ignored
      # password, username, hostname, database
      # secretKeys to grab from existingSecret
      secretKeys:
        # -- key in existingSecret with hostname of the database
        databaseHostname: hostname
        # -- key in existingSecret with name of the database
        database: database
        # -- key in existingSecret with username for matrix to connect to db
        databaseUsername: username
        # -- key in existingSecret with password for matrix to connect to db
        userPasswordKey: password
        # -- key in existingSecret with the admin postgresql password
        adminPasswordKey: postgresPassword
  
    networkPolicies:
      enabled: true
  
    # this is for storing your matrix authentication service config file
    configVolume:
      # -- name of an existing persistent volume claim to use for matrix-authentication-service config. If provided, ignores mas parameter map
      existingClaim: ""
      # -- name of storage class for the persistent volume
      storageClassName: "default"
      # -- storage capacity for creating a persistent volume
      storage: "500Mi"
  
    # this stands for Matrix Authentication Service
    mas:
      masClientSecret:
        # -- use an existing secret for clients section of config.yaml for:
        # mas.clients[0].client_id, mas.clients[0].client_secret
        # if set, ignores mas.clients[0].client_id, mas.clients[0].client_secret
        existingSecret: ""
  
        secretKeys:
          # -- key in secret with the client_id
          client_id: "client_id"
          # -- key in secret with the client_secret
          client_secret: "client_secret"
  
      # see more info here:  https://matrix-org.github.io/matrix-authentication-service/reference/configuration.html#clients
      clients:
          # -- a unique identifier for the client. It must be a valid ULID, and it happens that 0000000000000000000SYNAPSE is a valid ULID.
        - client_id: ""
          # -- set to client_secret_basic. Other methods are possible, such as client_secret_post, but this is the easiest to set up.
          client_auth_method: client_secret_basic
          # -- a shared secret used for the homeserver to authenticate
          client_secret: ""
  
      matrix:
        # -- name of your matrix home server (synapse or dendrite) with port if needed
        homeserver: "localhost:8008"
        # -- a shared secret the service will use to call the homeserver admin API
        secret: "test"
        # -- endpoint of your matrix home server (synapse or dendrite) with port if needed
        endpoint: "https://localhost:8008"
        # -- grab the above secret from an existing k8s secret. if set, ignores mas.matrix.secret
        existingSecret: ""
        # -- name of the key in existing secret to grab matrix.secret from
        secretKey: "secret"
  
      policy:
        data:
          # -- Users which are allowed to ask for admin access. If possible, use the
          # can_request_admin flag on users instead.
          admin_users: []
          #  - person1
          #  - person2
  
          # -- Client IDs which are allowed to ask for admin access with a
          # client_credentials grant
          admin_clients: []
          #  - 01H8PKNWKKRPCBW4YGH1RWV279
          #  - 01HWQCPA5KF10FNCETY9402WGF
  
          # Dynamic Client Registration
          client_registration:
            # -- don't require URIs to be on the same host. default: false
            allow_host_mismatch: true
            # -- allow non-SSL and localhost URIs. default: false
            allow_insecure_uris: true
  
          # Registration using passwords
          passwords:
            # -- minimum length of a password. default: 0
            min_length: 16
            # -- require at least one lowercase character in a password. default: false
            require_lowercase: true
            # -- require at least one uppercase character in a password. default: false
            require_uppercase: true
            # -- require at least one number in a password. default: false
            require_number: true
  
      # see: https://matrix-org.github.io/matrix-authentication-service/setup/sso.html?highlight=ulid#general-configuration
      # and also see: https://matrix-org.github.io/matrix-authentication-service/setup/sso.html#keycloak
      upstream_oauth2:
  
        # -- use an existing k8s secret for upstream oauth2 client_id and client_secret
        existingSecret: ""
        secretKeys:
          # -- key in secret with the issuer
          issuer: "issuer"
          # -- key in secret with the client_id
          client_id: "client_id"
          # -- key in secret with the client_secret
          client_secret: "client_secret"
          # -- key in secret with the authorization_endpoint if discovery is disabled
          authorization_endpoint: ""
          # -- key in secret with the token_endpoint if discovery is disabled
          token_endpoint: ""
          # -- key in secret with the userinfo_endpoint if discovery is disabled
          userinfo_endpoint: ""
  
        # only one provider supported at this time, but if you want more, feel free to submit a PR
        providers:
          # -- A unique identifier for the provider
          # Must be a valid ULID, and can be generated using online tools like:
          # https://www.ulidtools.com
          - id: ""
  
            # -- The issuer URL, which will be used to discover the provider's configuration.
            # If discovery is enabled, this *must* exactly match the `issuer` field
            # advertised in `<issuer>/.well-known/openid-configuration`.
            issuer: https://example.com/
  
            # -- A human-readable name for the provider, which will be displayed on the login page
            human_name: Example
  
            # -- A brand identifier for the provider, which will be used to display a logo
            # on the login page. Values supported by the default template are:
            #  - `apple`
            #  - `google`
            #  - `facebook`
            #  - `github`
            #  - `gitlab`
            #  - `twitter`
            brand_name: zitadel
  
            # -- The client ID to use to authenticate to the provider
            client_id: ""
  
            # -- The client secret to use to authenticate to the provider
            # This is only used by the `client_secret_post`, `client_secret_basic`
            # and `client_secret_jwk` authentication methods
            client_secret: ""
  
            # -- Which authentication method to use to authenticate to the provider
            # Supported methods are:
            #   - `none`
            #   - `client_secret_basic`
            #   - `client_secret_post`
            #   - `client_secret_jwt`
            #   - `private_key_jwt` (using the keys defined in the `secrets.keys` section)
            token_endpoint_auth_method: client_secret_basic
  
            # -- Which signing algorithm to use to sign the authentication request when using
            # the `private_key_jwt` or the `client_secret_jwt` authentication methods
            # token_endpoint_auth_signing_alg: RS256
  
            # -- The scopes to request from the provider
            # In most cases, it should always include `openid` scope
            scope: "openid email profile"
  
            # How the provider configuration and endpoints should be discovered
            # Possible values are:
            #  - `oidc`: discover the provider through OIDC discovery,
            #     with strict metadata validation (default)
            #  - `insecure`: discover through OIDC discovery, but skip metadata validation
            #  - `disabled`: don't discover the provider and use the endpoints below
            # discovery_mode: oidc
  
            # -- Whether PKCE should be used during the authorization code flow.
            # Possible values are:
            #  - `auto`: use PKCE if the provider supports it (default)
            #    Determined through discovery, and disabled if discovery is disabled
            #  - `always`: always use PKCE (with the S256 method)
            #  - `never`: never use PKCE
            pkce_method: auto
  
            # -- The provider authorization endpoint
            # This takes precedence over the discovery mechanism
            authorization_endpoint: https://example.com/oauth2/authorize
  
            # The provider token endpoint
            # This takes precedence over the discovery mechanism
            # token_endpoint: https://example.com/oauth2/token
  
            # The provider JWKS URI
            # This takes precedence over the discovery mechanism
            # jwks_uri: https://example.com/oauth2/keys
  
            # How user attributes should be mapped
            #
            # Most of those attributes have two main properties:
            #   - `action`: what to do with the attribute. Possible values are:
            #      - `ignore`: ignore the attribute
            #      - `suggest`: suggest the attribute to the user, but let them opt out
            #      - `force`: always import the attribute, and don't fail if it's missing
            #      - `require`: always import the attribute, and fail if it's missing
            #   - `template`: a Jinja2 template used to generate the value. In this template,
            #      the `user` variable is available, which contains the user's attributes
            #      retrieved from the `id_token` given by the upstream provider.
            #
            # Each attribute has a default template which follows the well-known OIDC claims.
            #
            claims_imports:
              # -- The subject is an internal identifier used to link the
              # user's provider identity to local accounts.
              # By default it uses the `sub` claim as per the OIDC spec,
              # which should fit most use cases.
              subject:
                template: "{{ user.sub }}"
  
              # -- The localpart is the local part of the user's Matrix ID.
              # For example, on the `example.com` server, if the localpart is `alice`,
              #  the user's Matrix ID will be `@alice:example.com`.
              localpart:
                action: require
                template: "{{ user.preferred_username }}"
  
              # -- The display name is the user's display name.
              displayname:
                action: suggest
                template: "{{ user.name }}"
  
              # -- An email address to import.
              email:
                action: suggest
                template: "{{ user.email }}"
                # -- Whether the email address must be marked as verified.
                # Possible values are:
                #  - `import`: mark the email address as verified if the upstream provider
                #     has marked it as verified, using the `email_verified` claim.
                #     This is the default.
                #   - `always`: mark the email address as verified
                #   - `never`: mark the email address as not verified
                set_email_verification: always

  new matrix.experimental_features.msc3861 helm values

  matrix:
    # -- use an existing secret for all msc3861 (matrix authentication service) related values
    # if set, all other msc3861 values are ignored (issuer, client_id,
    # client_auth_method, client_secret, admin_token, account_management_url)
    msc3861ExistingSecret: ""
  
    msc3861SecretKeys:
      # -- secret key to use in existing secret for masc3861 issuer
      issuer: ""
      # -- secret key to use in existing secret for masc3861 client id
      client_id: ""
      # -- secret key to use in existing secret for masc3861 client secret
      client_secret: ""
      # -- secret key to use in existing secret for masc3861 admin_token
      admin_token: ""
      # -- secret key to use in existing secret for masc3861 account_management_url
      account_management_url: ""
  
    experimental_features:
      msc3861:
        # -- experimental_feature msc3861 - enable this if you want to use the matrix authentication service
        # Likely needed if using OIDC on synapse and you want to allow usage of Element-X (the beta of element)
        # See: [Matrix authentication service home server docs](https://matrix-org.github.io/matrix-authentication-service/setup/homeserver.html#configure-the-homeserver-to-delegate-authentication-to-the-service), [full matrix authentication service docs](https://matrix-org.github.io/matrix-authentication-service/index.html), and [issue#1915](https://github.com/element-hq/element-meta/issues/1915#issuecomment-2119297748) where this is being discussed
        enabled: false
  
        # -- Synapse will call `{issuer}/.well-known/openid-configuration` to get the OIDC configuration
        issuer: http://localhost:8080/
  
        # -- Matches the `mas.mas.clients[0].client_id` in the auth service config
        client_id: 0000000000000000000SYNAPSE
  
        # -- Matches the `client_auth_method` in the auth service config
        client_auth_method: client_secret_basic
  
        # -- Matches the `mas.mas.clients[0].client_secret` in the auth service config
        client_secret: "SomeRandomSecret"
  
        # -- Matches the `mas.mas.matrix.secret` in the auth service config
        admin_token: "AnotherRandomSecret"
  
        # -- URL to advertise to clients where users can self-manage their account
        account_management_url: "http://localhost:8080/account"