bump synapse docker tag to v1.95.1, element docker tag to `v1.11.48…

…`, and add optional `s3.cronjob` object to values.yaml (#485)

* bump synapse docker patch version and add optional s3.cronjob object

* add configurable file_age parameter to change the age of the files you'd like to clean up and clean up docs a bit

* upgrade element to docker image to v1.11.48

charts/matrix/Chart.yaml

@@ -8,10 +8,10 @@ sources:
 
 type: application
 
-version: 5.0.0
+version: 5.0.1
 
 # renovate: image=matrixdotorg/synapse
-appVersion: v1.95.0
+appVersion: v1.95.1
 
 maintainers:
   - name: "jessebot"
@@ -23,6 +23,7 @@ dependencies:
     version: 13.1.5
     repository: oci://registry-1.docker.io/bitnamicharts
     condition: postgresql.enabled
+
   - name: coturn
     version: 4.3.0
     repository: https://jessebot.github.io/coturn-chart

charts/matrix/README.md

@@ -1,8 +1,8 @@
 # matrix
 
-![Version: 5.0.0](https://img.shields.io/badge/Version-5.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.95.0](https://img.shields.io/badge/AppVersion-v1.95.0-informational?style=flat-square)
+![Version: 5.0.1](https://img.shields.io/badge/Version-5.0.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.95.1](https://img.shields.io/badge/AppVersion-v1.95.1-informational?style=flat-square)
 
-A Helm chart to deploy a Matrix homeserver stack into Kubernetes
+A Helm chart to deploy a Matrix homeserver stack on Kubernetes
 
 **Homepage:** <https://github.com/small-hack/matrix-chart>
 
@@ -165,7 +165,7 @@ A Helm chart to deploy a Matrix homeserver stack into Kubernetes
 | element.enabled | bool | `true` | Set to false to disable a deployment of Element. Users will still be able to connect via any other instances of Element e.g. https://app.element.io, Element Desktop, or any other Matrix clients |
 | element.image.pullPolicy | string | `"IfNotPresent"` | pullPolicy to use for element image, set to Always if using latest tag |
 | element.image.repository | string | `"vectorim/element-web"` | registry and repository to use for element docker image |
-| element.image.tag | string | `"v1.11.47"` | tag to use for element docker image |
+| element.image.tag | string | `"v1.11.48"` | tag to use for element docker image |
 | element.ingress.annotations."cert-manager.io/cluster-issuer" | string | `"letsencrypt-staging"` | required for TLS certs issued by cert-manager |
 | element.ingress.annotations."nginx.ingress.kubernetes.io/configuration-snippet" | string | `"proxy_intercept_errors off;\n"` |  |
 | element.ingress.className | string | `"nginx"` | ingressClassName for the k8s ingress |
@@ -308,10 +308,14 @@ A Helm chart to deploy a Matrix homeserver stack into Kubernetes
 | postgresql.primary.podSecurityContext.runAsUser | int | `1000` |  |
 | postgresql.volumePermissions.enabled | bool | `true` | Enable init container that changes the owner and group of the PVC |
 | s3.bucket | string | `""` | name of the bucket to use |
-| s3.enabled | bool | `false` | enable s3 storage |
+| s3.cronjob.enabled | bool | `false` | enable a regular cleanup k8s cronjob to automatically backup everything to your s3 bucket for you and delete it from local disk ref: https://github.com/matrix-org/synapse-s3-storage-provider/tree/main#regular-cleanup-job |
+| s3.cronjob.file_age | string | `"2m"` | this is the age of files you'd like to clean up, defaults files not used within two months (2m) |
+| s3.cronjob.schedule | string | `"0 0 * * *"` | cron schedule to run the k8s cronjob. Defaults to every day at midnight |
+| s3.enabled | bool | `false` | enable s3 storage via https://github.com/matrix-org/synapse-s3-storage-provider |
 | s3.endpoint | string | `""` | your s3 endpoint |
 | s3.existingSecret | string | `""` | use credentials from an existing kubernetes secret |
-| s3.secretKeys | object | `{"accessKey":"S3_ACCESS_KEY","secretKey":"S3_SECRET_KEY"}` | these are the keys within the existing k8s secret to use for s3 credentials |
+| s3.secretKeys.accessKey | string | `"S3_ACCESS_KEY"` | key in existing secret fo the S3 key |
+| s3.secretKeys.secretKey | string | `"S3_SECRET_KEY"` | key in existing secret fo the S3 secret |
 | synapse.extraVolumeMounts | list | `[]` |  |
 | synapse.extraVolumes | list | `[]` |  |
 | synapse.image.pullPolicy | string | `"IfNotPresent"` | pullPolicy for synapse image, Use Always if using image.tag: latest |

charts/matrix/templates/synapse/s3-cronjob.yaml

@@ -0,0 +1,142 @@
+{{- if and .Values.s3.enabled ( .Values.s3.cronjob.enabled ) }}
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: {{ include "matrix.fullname" . }}-synapse-s3-cleanup
+  labels:
+{{ include "matrix.labels" . | indent 4 }}
+{{ include "matrix.synapse.labels" . | indent 4}}
+spec:
+  schedule: {{ .Values.s3.cronjob.schedule }}
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+            - name: "synapse"
+              image: {{ include "matrix.image" . }}
+              imagePullPolicy: {{ .Values.synapse.image.pullPolicy }}
+              command:
+                - |
+                  pip install synapse-s3-storage-provider
+                  cd s3_media_upload
+                  s3_media_upload update /data/media_store {{ .Values.s3.cronjob.file_age }}
+                  s3_media_upload upload /data/media_store {{ .Values.s3.bucket }} --storage-class STANDARD_IA --delete
+              volumeMounts:
+                - name: synapse-config
+                  mountPath: /data
+                - name: signing-key
+                  mountPath: /data/keys
+                - name: media-store
+                  mountPath: /data/media_store
+                {{- if or .Values.bridges.whatsapp.enabled .Values.bridges.discord.enabled .Values.bridges.irc.enabled }}
+                - name: bridges
+                  mountPath: /bridges
+                  readOnly: true
+                {{- end }}
+                - name: uploads
+                  mountPath: /data/uploads
+                - name: tmp
+                  mountPath: /tmp
+                {{- if gt (len .Values.synapse.extraVolumeMounts) 0 }}
+                {{- toYaml .Values.synapse.extraVolumeMounts | nindent 12 }}
+                {{- end }}
+              env:
+                {{- if .Values.synapse.securityContext.env }}
+                {{- if .Values.synapse.securityContext.runAsUser }}
+                - name: UID
+                  value: "{{ .Values.synapse.securityContext.runAsUser }}"
+                {{- end }}
+                {{- if .Values.synapse.securityContext.runAsGroup }}
+                - name: GID
+                  value: "{{ .Values.synapse.securityContext.runAsGroup }}"
+                {{- end }}
+                {{- end }}
+                - name: AWS_ACCESS_KEY_ID
+                  valueFrom:
+                    secretKeyRef:
+                      name: {{ .Values.s3.existingSecret }}
+                      key: {{ .Values.s3.secretKeys.accessKey }}
+
+                - name: AWS_SECRET_ACCESS_KEY
+                  valueFrom:
+                    secretKeyRef:
+                      name: {{ .Values.s3.existingSecret }}
+                      key: {{ .Values.s3.secretKeys.secretKey }}
+              ports:
+                - name: http
+                  containerPort: 8008
+                  protocol: TCP
+              readinessProbe:
+                httpGet:
+                  path: /_matrix/static/
+                  port: http
+                {{- if .Values.synapse.probes.readiness }}
+                {{- toYaml .Values.synapse.probes.readiness | nindent 12 }}
+                {{- end }}
+              startupProbe:
+                httpGet:
+                  path: /_matrix/static/
+                  port: http
+                {{- if .Values.synapse.probes.startup }}
+                {{- toYaml .Values.synapse.probes.startup | nindent 12 }}
+                {{- end }}
+              livenessProbe:
+                httpGet:
+                  path: /_matrix/static/
+                  port: http
+                {{- if .Values.synapse.probes.liveness }}
+                {{- toYaml .Values.synapse.probes.liveness | nindent 12 }}
+                {{- end }}
+              securityContext:
+                capabilities:
+                  drop:
+                    - ALL
+                readOnlyRootFilesystem: true
+                allowPrivilegeEscalation: false
+              {{- with .Values.synapse.resources }}
+              resources:
+                {{- toYaml . | nindent 12 }}
+              {{- end }}
+          volumes:
+            - name: synapse-config
+              persistentVolumeClaim:
+                {{- if not .Values.volumes.synapseConfig.existingClaim }}
+                claimName: {{ include "matrix.fullname" . }}-synapse-config
+                {{ else }}
+                claimName: {{ .Values.volumes.synapseConfig.existingClaim }}
+                {{- end }}
+            - name: signing-key
+              persistentVolumeClaim:
+                {{- if not .Values.volumes.signingKey.existingClaim }}
+                claimName: {{ include "matrix.fullname" . }}-signing-key
+                {{ else }}
+                claimName: {{ .Values.volumes.signingKey.existingClaim }}
+                {{- end }}
+            - name: media-store
+              persistentVolumeClaim:
+                {{- if not .Values.volumes.media.existingClaim }}
+                claimName: {{ include "matrix.fullname" . }}-media-store
+                {{ else }}
+                claimName: {{ .Values.volumes.media.existingClaim }}
+                {{- end }}
+            {{- if or .Values.bridges.whatsapp.enabled .Values.bridges.discord.enabled .Values.bridges.irc.enabled }}
+            - name: bridges
+              persistentVolumeClaim:
+                {{- if not .Values.bridges.volume.existingClaim }}
+                claimName: {{ include "matrix.fullname" . }}-bridges
+                {{ else }}
+                claimName: {{ .Values.bridges.volume.existingClaim }}
+                {{- end }}
+            {{- end }}
+            # Ephemeral in-progress uploads
+            - name: uploads
+              emptyDir: {}
+            - name: tmp
+              emptyDir: {}
+            {{- if gt (len .Values.synapse.extraVolumes) 0 }}
+            {{ toYaml .Values.synapse.extraVolumes | nindent 8}}
+            {{- end }}
+          restartPolicy: OnFailure
+{{- end }}

charts/matrix/values.yaml

@@ -331,18 +331,30 @@ matrix:
     synapseLogLevel: WARNING
 
 s3:
-  # -- enable s3 storage
+  # -- enable s3 storage via https://github.com/matrix-org/synapse-s3-storage-provider
   enabled: false
   # -- your s3 endpoint
   endpoint: ""
   # -- name of the bucket to use
   bucket: ""
   # -- use credentials from an existing kubernetes secret
   existingSecret: ""
-  # -- these are the keys within the existing k8s secret to use for s3 credentials
+  # these are the keys within the existing k8s secret to use for s3 credentials
   secretKeys:
+    # -- key in existing secret fo the S3 key
     accessKey: "S3_ACCESS_KEY"
+    # -- key in existing secret fo the S3 secret
     secretKey: "S3_SECRET_KEY"
+  cronjob:
+    # -- enable a regular cleanup k8s cronjob to automatically backup everything
+    # to your s3 bucket for you and delete it from local disk ref:
+    # https://github.com/matrix-org/synapse-s3-storage-provider/tree/main#regular-cleanup-job
+    enabled: false
+    # -- cron schedule to run the k8s cronjob. Defaults to every day at midnight
+    schedule: "0 0 * * *"
+    # -- this is the age of files you'd like to clean up, defaults files not used
+    # within two months (2m)
+    file_age: 2m
 
 # Persistent volumes configuration
 volumes:
@@ -613,7 +625,7 @@ element:
     # -- registry and repository to use for element docker image
     repository: "vectorim/element-web"
     # -- tag to use for element docker image
-    tag: v1.11.47
+    tag: v1.11.48
     # -- pullPolicy to use for element image, set to Always if using latest tag
     pullPolicy: IfNotPresent
   service: