Deploys an Adminbot which automatically joins rooms. Admins can manage rooms by impersonating the Adminbot.
Deprecated. Moved to bot property.
The adminbot configuration
The key of the k8s secret containing the adminbot backup passphrase
Never admin the Room IDs mentioned in this set.
No Additional Items
Enable admin of Direct Messages
Admin only rooms local to the homeserver
Only admin the Room IDs mentioned in this set. Ignored if the list is empty.
No Additional Items
List of remote federated homeservers
No Additional Items
Remote federated homeserver
The admin user token secret key
Appservice tokens authentication
Automatically determine appservice tokens authentication. Only possible when using Element Enterprise Server Suite.
Manually configure appservice tokens authentication.
The remote federated homeserver as token secret key
The remote federated homeserver hs token secret key
The remote domain name
The remote matrix server url
The localpart of the bot Matrix ID.
Deprecated. Moved to bot property.
Allow access from a central adminbot
The URL of the appservice of the central adminbot
Manually configure appservice tokens. It should not be necessary if using Element Enterprise Server Suite.
The remote federated homeserver as token secret key
The remote federated homeserver hs token secret key
Local Adminbot security settings
IP ranges allowed to access adminbot UI
No Additional Items
An IPv4 or IPv6 range
TLS Verification
k8s properties of the access element web workloads inside adminbot component
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of host aliases to configure on the pod spec. It is advised to use a DNS entry to resolve your hostnames instead of this feature. This feature can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
The number of access Element Web for Adminbot replicas
Value must be greater or equal to 1
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable pod runAsUser, runAsGroup and fsGroup in security context. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is SELinux level label that applies to all the workload containers.
Role is SELinux level label that applies to all the workload containers.
Type is SELinux level label that applies to all the workload containers.
User is SELinux level label that applies to all the workload containers.
Enable RuntimeDefault pod seccomp. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
Settings dedicated to k8s
The annotations to add to every workload and ingress deployed
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
k8s properties of the haproxy workloads inside adminbot component
Settings dedicated to monitoring
Service monitor settings
Enable or disable monitoring using ServiceMonitor resources
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of host aliases to configure on the pod spec. It is advised to use a DNS entry to resolve your hostnames instead of this feature. This feature can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable pod runAsUser, runAsGroup and fsGroup in security context. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is SELinux level label that applies to all the workload containers.
Role is SELinux level label that applies to all the workload containers.
Type is SELinux level label that applies to all the workload containers.
User is SELinux level label that applies to all the workload containers.
Enable RuntimeDefault pod seccomp. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
Settings dedicated to k8s ingresses
Defines the annotations to add
Each additional property must conform to the following schema
Type: string
Fully qualified domain name of the ingress
An optional IngressClass name to be used for this ingress. Optional if you are managing ingress / loadbalancer externally.
Default service type
certmanager
certfile
existing
external
Certificate file
Appservice Certificate
Appservice Private Key
The cert-manager properties, if enabled
The name of cert-manager ClusterIssuer to use
The TLS mode of this component ingress. Use external if TLS is managed externally to the cluster, certmanager if you want to use cert-manager to issue certificates automatically, or certfile if you want to upload certificate files to Kubernetes TLS secrets manually.
The name of a secret in the cluster that contains TLS certificates
Must be at most 253 characters long
Settings dedicated to k8s ingresses
Defines the annotations to add
Each additional property must conform to the following schema
Type: string
Fully qualified domain name of the ingress
An optional IngressClass name to be used for this ingress. Optional if you are managing ingress / loadbalancer externally.
Default service type
certmanager
certfile
existing
external
Certificate file
UI Certificate
UI Private Key
The cert-manager properties, if enabled
The name of cert-manager ClusterIssuer to use
The TLS mode of this component ingress. Use external if TLS is managed externally to the cluster, certmanager if you want to use cert-manager to issue certificates automatically, or certfile if you want to upload certificate files to Kubernetes TLS secrets manually.
The name of a secret in the cluster that contains TLS certificates
Must be at most 253 characters long
k8s properties of the pipe workloads inside adminbot component
Settings dedicated to k8s
The annotations to add to every workload and ingress deployed
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Settings dedicated to monitoring
Service monitor settings
Enable or disable monitoring using ServiceMonitor resources
Settings dedicated to k8s storage
The persistent volume claim name to use to store the media
The volume size to use to store the media
The storage class name to use
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of host aliases to configure on the pod spec. It is advised to use a DNS entry to resolve your hostnames instead of this feature. This feature can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable pod runAsUser, runAsGroup and fsGroup in security context. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is SELinux level label that applies to all the workload containers.
Role is SELinux level label that applies to all the workload containers.
Type is SELinux level label that applies to all the workload containers.
User is SELinux level label that applies to all the workload containers.
Enable RuntimeDefault pod seccomp. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
The secret data associated to adminbot config. The secret key associated to config.backupPassphraseSecretKey must be present.
Must be at most 253 characters long
Deploys an Auditbot which automatically joins rooms and logs every message to configured outputs.
Deprecated. Moved to bot property.
The auditbot configuration
The key of the k8s secret containing the auditbot backup passphrase
Never audit the Room IDs mentioned in this set.
No Additional Items
Enable audit of Direct Messages
Audit only rooms local to the homeserver
Only audit the Room IDs mentioned in this set. Ignored if the list is empty.
No Additional Items
Outputs of Auditbot logs
Azure Blob Storage container configuration
Azure Container connection string.
Azure container name.
File key prefix
Event types to log to the output
Log a message when a user sends a read receipt.
Log a message when a user types.
Logfile rotation parameters
Number of files to keep
Value must be greater or equal to 1
Logfile size before rotation
S3 Bucket to send logs to
Auditbot access key secret key
S3 bucket name
Bucket endpoint
Bucket key prefix
Bucket region
Auditbot access key secret key
List of remote federated homeservers
No Additional Items
Remote federated homeserver
The admin user token secret key
Appservice tokens authentication
Automatically determine appservice tokens authentication. Only possible when using Element Enterprise Server Suite.
Manually configure appservice tokens authentication.
The remote federated homeserver as token secret key
The remote federated homeserver hs token secret key
The remote domain name
The remote matrix server url
The localpart of the bot Matrix ID.
Deprecated. Moved to bot property.
Allow access from a central auditbot
The URL of the appservice of the central auditbot
Manually configure appservice tokens. It should not be necessary if using Element Enterprise Server Suite.
The remote federated homeserver as token secret key
The remote federated homeserver hs token secret key
Local Auditbot security settings. Deprecated as it is now integrated in AdminUI.
IP ranges allowed to access auditbot UI
No Additional Items
An IPv4 or IPv6 range
TLS Verification
Deprecated, Auditbot no longer uses a separate Access Element Web instance
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of host aliases to configure on the pod spec. It is advised to use a DNS entry to resolve your hostnames instead of this feature. This feature can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
The number of access Element Web for Auditbot replicas
Value must be greater or equal to 1
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable pod runAsUser, runAsGroup and fsGroup in security context. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is SELinux level label that applies to all the workload containers.
Role is SELinux level label that applies to all the workload containers.
Type is SELinux level label that applies to all the workload containers.
User is SELinux level label that applies to all the workload containers.
Enable RuntimeDefault pod seccomp. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
Settings dedicated to k8s
The annotations to add to every workload and ingress deployed
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
k8s properties of the haproxy workloads inside auditbot component
Settings dedicated to monitoring
Service monitor settings
Enable or disable monitoring using ServiceMonitor resources
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of host aliases to configure on the pod spec. It is advised to use a DNS entry to resolve your hostnames instead of this feature. This feature can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable pod runAsUser, runAsGroup and fsGroup in security context. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is SELinux level label that applies to all the workload containers.
Role is SELinux level label that applies to all the workload containers.
Type is SELinux level label that applies to all the workload containers.
User is SELinux level label that applies to all the workload containers.
Enable RuntimeDefault pod seccomp. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
Settings dedicated to k8s ingresses
Defines the annotations to add
Each additional property must conform to the following schema
Type: string
Fully qualified domain name of the ingress
An optional IngressClass name to be used for this ingress. Optional if you are managing ingress / loadbalancer externally.
Default service type
certmanager
certfile
existing
external
Certificate file
Appservice Certificate
Appservice Private Key
The cert-manager properties, if enabled
The name of cert-manager ClusterIssuer to use
The TLS mode of this component ingress. Use external if TLS is managed externally to the cluster, certmanager if you want to use cert-manager to issue certificates automatically, or certfile if you want to upload certificate files to Kubernetes TLS secrets manually.
The name of a secret in the cluster that contains TLS certificates
Must be at most 253 characters long
Settings dedicated to k8s ingresses
Defines the annotations to add
Each additional property must conform to the following schema
Type: string
Fully qualified domain name of the ingress
An optional IngressClass name to be used for this ingress. Optional if you are managing ingress / loadbalancer externally.
Default service type
certmanager
certfile
existing
external
Certificate file
UI Certificate
UI Private Key
The cert-manager properties, if enabled
The name of cert-manager ClusterIssuer to use
The TLS mode of this component ingress. Use external if TLS is managed externally to the cluster, certmanager if you want to use cert-manager to issue certificates automatically, or certfile if you want to upload certificate files to Kubernetes TLS secrets manually.
The name of a secret in the cluster that contains TLS certificates
Must be at most 253 characters long
k8s properties of the pipe workloads inside auditbot component
Settings dedicated to k8s
The annotations to add to every workload and ingress deployed
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Settings dedicated to monitoring
Service monitor settings
Enable or disable monitoring using ServiceMonitor resources
Settings dedicated to k8s storage
The persistent volume claim name to use to store the media
The volume size to use to store the media
The storage class name to use
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of host aliases to configure on the pod spec. It is advised to use a DNS entry to resolve your hostnames instead of this feature. This feature can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable pod runAsUser, runAsGroup and fsGroup in security context. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is SELinux level label that applies to all the workload containers.
Role is SELinux level label that applies to all the workload containers.
Type is SELinux level label that applies to all the workload containers.
User is SELinux level label that applies to all the workload containers.
Enable RuntimeDefault pod seccomp. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
The secret data associated to adminbot config. The secret key associated to config.backupPassphraseSecretKey must be present. For every remote server, the keys associated to the following must be present: remote.appservice.genericSharedSecretKey or remote.appservice.hsTokenSecretKey and remote.appservice.asTokenSecretKey. The key associated to remote.adminUserTokenSecretKey must also be present.
Must be at most 253 characters long
Coturn provides a STUN and a TURN server. The STUN server can be used by Element Call and Jitsi so that devices are able to detect their access IP. The TURN server can be used by Jitsi to provide WebRTC relaying.
Whether to enable TCP for STUN/TURN
Coturn external IP
Whether or not to use host mode networking.
Allowed peer IPs that would otherwise be blocked by deniedIpv4Ranges or deniedIpv6Ranges
No Additional Items
An IP allowed
Denied IPv4 range
No Additional Items
A denied IPv4 Range
Denied IPv6 range
No Additional Items
A denied IPv6 Range
Settings dedicated to k8s
The annotations to add to every workload and ingress deployed
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Services to expose for Coturn
Fully qualified domain name where STUN/TURN is available at
The service unsecured port
The port range on which the service will be accessible
The port range start port
The port range end port
Kubernetes service port type
The service port
The port on which the service will be accessible
Kubernetes service port type
The service port
The port on which the service will be accessible
Kubernetes service port type
certfile
existing
Certificate file
The TLS certificate file for the coturn fqdn
The TLS private key file for the coturn fqdn
The TLS mode of the service.
The name of a secret in the cluster that contains TLS certificates
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of hosts aliases to configure on the pod spec. It is advised to instead use a DNS entry to resolve your hostnames, instead of this feature. This feature can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable pod runAsUser, runAsGroup and fsGroup in security context. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is SELinux level label that applies to all the workload containers.
Role is SELinux level label that applies to all the workload containers.
Type is SELinux level label that applies to all the workload containers.
User is SELinux level label that applies to all the workload containers.
Enable RuntimeDefault pod seccomp. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
The secret data associated to Coturn config
Must be at most 253 characters long
VoIP group calls powered by Matrix, implementing MatrixRTC with SFU backend. Can't be deployed if Jitsi is deployed
Element call additional configuration.
Deprecated. This feature should not be used anymore.
SFU server settings. The SFU is the component which will forward WebRTC streams to call participants.
Logging settings
The maximum level of log output
Configure SFU networking.
Whether or not to use host mode networking.
Manually enter IP to advertise to clients.
How Jitsi chooses its public IP to advertise
The STUN servers that allow the SFU to find its public IP address and allow connecting users to look up their IP address. If the list is empty or not defined, it will default to Coturn deployed with Element Deployment. If Coturn is not deployed, it will fall back to the LiveKit defaults of Google's STUN servers.
No Additional Items
A STUN server
You can override Kubernetes configuration for each component of Element Call
Settings dedicated to k8s
The annotations to add to every workload and ingress deployed
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Services to expose for LiveKit
The service port
The port on which the service will be accessible
Kubernetes service port type
The service port
The port on which the service will be accessible
Kubernetes service port type
The service unsecured port
The port range on which the service will be accessible
The port range start port
The port range end port
Kubernetes service port type
Settings dedicated to k8s ingresses
Defines the annotations to add
Each additional property must conform to the following schema
Type: string
Fully qualified domain name of the ingress
An optional IngressClass name to be used for this ingress. Optional if you are managing ingress / loadbalancer externally.
Default service type
certmanager
certfile
existing
external
Certificate file
Element Call Certificate
Element Call Private Key
The cert-manager properties, if enabled
The name of cert-manager ClusterIssuer to use
The TLS mode of this component ingress. Use external if TLS is managed externally to the cluster, certmanager if you want to use cert-manager to issue certificates automatically, or certfile if you want to upload certificate files to Kubernetes TLS secrets manually.
The name of a secret in the cluster that contains TLS certificates
Must be at most 253 characters long
Settings dedicated to k8s ingresses
Defines the annotations to add
Each additional property must conform to the following schema
Type: string
Fully qualified domain name of the ingress
An optional IngressClass name to be used for this ingress. Optional if you are managing ingress / loadbalancer externally.
Default service type
certmanager
certfile
existing
external
Certificate file
LiveKit SFU Certificate
LiveKit SFU Private Key
The cert-manager properties, if enabled
The name of cert-manager ClusterIssuer to use
The TLS mode of this component ingress. Use external if TLS is managed externally to the cluster, certmanager if you want to use cert-manager to issue certificates automatically, or certfile if you want to upload certificate files to Kubernetes TLS secrets manually.
The name of a secret in the cluster that contains TLS certificates
Must be at most 253 characters long
k8s properties of the LiveKit JWT component workloads
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of hosts aliases to configure on the pod spec. It is advised to instead use a DNS entry to resolve your hostnames, instead of this feature. This feature can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable pod runAsUser, runAsGroup and fsGroup in security context. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is SELinux level label that applies to all the workload containers.
Role is SELinux level label that applies to all the workload containers.
Type is SELinux level label that applies to all the workload containers.
User is SELinux level label that applies to all the workload containers.
Enable RuntimeDefault pod seccomp. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
k8s properties of the redis workloads
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of hosts aliases to configure on the pod spec. It is advised to instead use a DNS entry to resolve your hostnames, instead of this feature. This feature can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable pod runAsUser, runAsGroup and fsGroup in security context. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is SELinux level label that applies to all the workload containers.
Role is SELinux level label that applies to all the workload containers.
Type is SELinux level label that applies to all the workload containers.
User is SELinux level label that applies to all the workload containers.
Enable RuntimeDefault pod seccomp. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
k8s properties of the LiveKit SFU component workloads
Settings dedicated to monitoring
Service monitor settings
Enable or disable monitoring using ServiceMonitor resources
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of hosts aliases to configure on the pod spec. It is advised to instead use a DNS entry to resolve your hostnames, instead of this feature. This feature can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable pod runAsUser, runAsGroup and fsGroup in security context. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is SELinux level label that applies to all the workload containers.
Role is SELinux level label that applies to all the workload containers.
Type is SELinux level label that applies to all the workload containers.
User is SELinux level label that applies to all the workload containers.
Enable RuntimeDefault pod seccomp. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of hosts aliases to configure on the pod spec. It is advised to instead use a DNS entry to resolve your hostnames, instead of this feature. This feature can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
The number of Element Call replicas
Value must be greater or equal to 1
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable pod runAsUser, runAsGroup and fsGroup in security context. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is SELinux level label that applies to all the workload containers.
Role is SELinux level label that applies to all the workload containers.
Type is SELinux level label that applies to all the workload containers.
User is SELinux level label that applies to all the workload containers.
Enable RuntimeDefault pod seccomp. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
The secret data associated to element call config. If the ingress TLS mode is using a certificate, the keys matching k8s.ingress.certificate.certFileSecretKey and k8s.ingress.certificate.privateKeySecretKey must be present.
Must be at most 253 characters long
This is the user interface used by desktops to access Matrix rooms.
Element web additional configuration.
Whether the sharing links generated by this Element Web instance should use the URL of this Element Web. If turned off the sharing links use https://matrix.to unless a custom permalink prefix is set in the Additional Config section. If turned on, mobile clients will not detect links using the URL of this Element Web (or any other custom permalink prefix) unless they've been explicitly configured by Mobile Device Management (MDM).
You can override Kubernetes configuration for each component of Element Web
Settings dedicated to k8s
The annotations to add to every workload and ingress deployed
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Settings dedicated to k8s ingresses
Defines the annotations to add
Each additional property must conform to the following schema
Type: string
Fully qualified domain name of the ingress
An optional IngressClass name to be used for this ingress. Optional if you are managing ingress / loadbalancer externally.
Default service type
certmanager
certfile
existing
external
Certificate file
ElementWeb Certificate
ElementWeb Private Key
The cert-manager properties, if enabled
The name of cert-manager ClusterIssuer to use
The TLS mode of this component ingress. Use external if TLS is managed externally to the cluster, certmanager if you want to use cert-manager to issue certificates automatically, or certfile if you want to upload certificate files to Kubernetes TLS secrets manually.
The name of a secret in the cluster that contains TLS certificates
Must be at most 253 characters long
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of hosts aliases to configure on the pod spec. It is advised to instead use a DNS entry to resolve your hostnames, instead of this feature. This feature can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
The number of Element Web replicas
Value must be greater or equal to 1
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable pod runAsUser, runAsGroup and fsGroup in security context. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is SELinux level label that applies to all the workload containers.
Role is SELinux level label that applies to all the workload containers.
Type is SELinux level label that applies to all the workload containers.
User is SELinux level label that applies to all the workload containers.
Enable RuntimeDefault pod seccomp. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
The secret data associated to synapse config. If the ingress TLS mode is using a certificate, the keys matching k8s.ingress.certificate.certFileSecretKey and k8s.ingress.certificate.privateKeySecretKey must be present.
Must be at most 253 characters long
This is a connector to your user management service to synchronize their groups memberships with spaces and rooms memberships.
Optionally configures a list of users to allow in any groupsync-managed room
No Additional Items
A user to allow in any groupsync-managed room
A list of rooms to configure by default in all spaces
No Additional Items
A room to configure by default in all spaces
The room ID in groupsync config. Changing this value creates a new room instead of renaming the existing one. It must be unique, and it can be generated using a UUID.
The room properties
The room name
Deprovisioning options
Enable rooms Garbage collection
When users get removed from the directory their accounts will only be deactivated, but their erasure will be delayed by the specified time period, allowing them to be reactivated in the meantime. The specified period will be translated into seconds, so won't account for things like DST, leap seconds etc. Users will be deleted no sooner than that, but may be removed a bit later, depending on other Group Sync operations. The format is numeric and unit being one of s, m, h, d (for example, "24h", "31d" etc.)
Enable Dry Run mode to avoid any unexpected change
Enable or disable invite to public rooms in spaces
Configuration of the PostgreSQL database
PostgreSQL database name
PostgreSQL database host
The PostgreSQL password
PostgreSQL port
Value must be greater or equal to 0 and lesser or equal to 65535
TLS settings to use for the PostgreSQL connection
PostgreSQL username
The LDAP attribute to request space names
The LDAP attribute to request user id
The LDAP base DN
The LDAP bind DN
The LDAP bind password
The LDAP check in seconds
An additional LDAP filter
The LDAP URI groupsync will use to request users
MS Graph base URL
The MSGraph client id
The key of the k8s secret containing MSGraph client secret
Specific scopes to set for graph to use. Should be modified if the base url is changed.
Must contain a minimum of 1 items
An MSGraph scope, in the form of a URL.
The MSGraph tenant id
Configures SCIM. Please configure the SCIM ingress as well.
The scim client id
The SCIM Mapping to get the user id
Should SCIM user creation register a Matrix account for the user.
Should SCIM responses wait for Matrix provisioning to complete.
If specified, attribute sync will be limited to the attributes listed here. By default all available attributes are synced.
True to sync displayName attributes.
True to sync emails attributes.
TLS Verification
You can override Kubernetes configuration for each component of Group Sync
Settings dedicated to k8s
The annotations to add to every workload and ingress deployed
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Settings dedicated to k8s ingresses
Defines the annotations to add
Each additional property must conform to the following schema
Type: string
Fully qualified domain name of the ingress
An optional IngressClass name to be used for this ingress. Optional if you are managing ingress / loadbalancer externally.
Default service type
certmanager
certfile
existing
external
Certificate file
SCIM Server Certificate
SCIM Server Private Key
The cert-manager properties, if enabled
The name of cert-manager ClusterIssuer to use
The TLS mode of this component ingress. Use external if TLS is managed externally to the cluster, certmanager if you want to use cert-manager to issue certificates automatically, or certfile if you want to upload certificate files to Kubernetes TLS secrets manually.
The name of a secret in the cluster that contains TLS certificates
Must be at most 253 characters long
Settings dedicated to monitoring
Service monitor settings
Enable or disable monitoring using ServiceMonitor resources
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of hosts aliases to configure on the pod spec. It is advised to instead use a DNS entry to resolve your hostnames, instead of this feature. This feature can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable pod runAsUser, runAsGroup and fsGroup in security context. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is SELinux level label that applies to all the workload containers.
Role is SELinux level label that applies to all the workload containers.
Type is SELinux level label that applies to all the workload containers.
User is SELinux level label that applies to all the workload containers.
Enable RuntimeDefault pod seccomp. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
The secret data associated to groupsync config. If using the ldap source, key matching config.source.ldap.bindPasswordSecretKey must be present. If using the 'msgraph' source, key matching config.source.msgraph.clientSecretSecretKey must be present. If using the scim source, and the ingress is using certfile tls mode, keys matching k8s.ingress.scim.certificate.certFileSecretKey and k8s.ingress.scim.certificate.privateKeySecretKey must be present.
Must be at most 253 characters long
Integrate with external code platforms (Github, Gitlab), other platforms (JIRA) and custom webhooks
The hookshot bot
The hookshot bot avatar mxc url
The hookshot bot display name
The localpart of the bot Matrix ID.
Whether to enable separate bots for each Hookshot service
Configuration of hookshot generic webhooks
To allow JS Transformations functions
Enable or disable inbound webhooks
Enable or disable outbound webhooks
webhooks user id prefixes
Configuration of hookshot github integration
Github application auth id
The default options to apply to github hooks
Choose the prefix to use when sending commands to the bot. Ideally starts with "!" !gh
Enable notifications for some event types
No Additional Items
Never notify on issues matching these label names
No Additional Items
A label name
Send a link to an issue/PR in the room when a user mentions a prefix followed by a number
Choose to exclude notifications for some event types
No Additional Items
Only notify on issues matching these label names
No Additional Items
A label name
Configuration options for new issues
Automatically set these labels on issues created via commands
No Additional Items
A label name
Show a diff in the room when a PR is created, subject to limits
Enable the PR diff
Max number of lines to display in the room
When new issues are created, provide a Matrix alias link to the issue room
Configuration options for workflow run results
Never report workflow runs with a matching workflow name.
No Additional Items
A workflow name
Only report workflow runs with a matching workflow name.
No Additional Items
A workflow name
Only report workflow runs if it matches this regex.
The key of the k8s secret containing github key file
Github OAuth client id
The key of the k8s secret containing github oauth client secret
The key of the k8s secret containing github webhook secret
Gitlab hooks
Gitlab instance name
Gitlab instance URL
The key of the k8s secret containing gitlab webhook secret
Jira OAuth client id
The key of the k8s secret containing Jira oauth client secret
The key of the k8s secret containing Jira webhook secret
The key of the k8s secret containing hookshot Pass Key secret
What permissions users have on hookshot. Keys can be * (everyone), a room ID, specific server names or specific MXIDs
Each additional property must conform to the following schema
Type: array of object
The permissions of the given actor.
No Additional Items
The key of the k8s secret containing hookshot provisioning secret
TLS Verification
The hookshot widgets settings
Deprecated - Not used since Appstore embeds widgets instead. Was - Add widgets on invite
Add widgets to admin rooms
Which IP ranges should be disallowed when resolving homeserver IP addresses (for security reasons). Unless you know what you are doing, it is recommended to not change this.
No Additional Items
An IP range, IPv4 or IPv6 format
The hookshot widget title
You can override Kubernetes configuration for each component of Hookshot
Settings dedicated to k8s
The annotations to add to every workload and ingress deployed
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Settings dedicated to k8s ingresses
Defines the annotations to add
Each additional property must conform to the following schema
Type: string
Fully qualified domain name of the ingress
An optional IngressClass name to be used for this ingress. Optional if you are managing ingress / loadbalancer externally.
Default service type
certmanager
certfile
existing
external
Certificate file
Hookshot Server Certificate
Hookshot Server Private Key
The cert-manager properties, if enabled
The name of cert-manager ClusterIssuer to use
The TLS mode of this component ingress. Use external if TLS is managed externally to the cluster, certmanager if you want to use cert-manager to issue certificates automatically, or certfile if you want to upload certificate files to Kubernetes TLS secrets manually.
The name of a secret in the cluster that contains TLS certificates
Must be at most 253 characters long
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of hosts aliases to configure on the pod spec. It is advised to instead use a DNS entry to resolve your hostnames, instead of this feature. This feature can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable pod runAsUser, runAsGroup and fsGroup in security context. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is SELinux level label that applies to all the workload containers.
Role is SELinux level label that applies to all the workload containers.
Type is SELinux level label that applies to all the workload containers.
User is SELinux level label that applies to all the workload containers.
Enable RuntimeDefault pod seccomp. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
The secret data associated to hookshot config. If the ingress TLS mode is using certificate, keys matching k8s.ingress.certificate.certFileSecretKey and k8s.ingress.certificate.privateKeySecretKey must be present.
Must be at most 253 characters long
Deploy a Hydrogen client.
Hydrogen additional configuration as a JSON object.
Settings dedicated to k8s
The annotations to add to every workload and ingress deployed
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Settings dedicated to k8s ingresses
Defines the annotations to add
Each additional property must conform to the following schema
Type: string
Fully qualified domain name of the ingress
An optional IngressClass name to be used for this ingress. Optional if you are managing ingress / loadbalancer externally.
Default service type
certmanager
certfile
existing
external
Certificate file
Hydrogen Certificate
Hydrogen Private Key
The cert-manager properties, if enabled
The name of cert-manager ClusterIssuer to use
The TLS mode of this component ingress. Use external if TLS is managed externally to the cluster, certmanager if you want to use cert-manager to issue certificates automatically, or certfile if you want to upload certificate files to Kubernetes TLS secrets manually.
The name of a secret in the cluster that contains TLS certificates
Must be at most 253 characters long
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of hosts aliases to configure on the pod spec. It is advised to instead use a DNS entry to resolve your hostnames, instead of this feature. This feature can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
The number of Hydrogen replicas
Value must be greater than or equal to 1
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema