Type: object

Spec defines the desired state of ElementDeployment

Type: object Default: {}

Type: object

Deploys an Adminbot which automatically joins rooms. Admins can manage rooms by impersonating the Adminbot.



Must not be:

Type: object

The following properties are required:

  • centralAccess

The following properties are required:

  • bot
  • security

Must not be:

Type: object

The following properties are required:

  • bot
  • security

The following properties are required:

  • centralAccess

Type: string

Deprecated. Moved to bot property.

Type: object

The adminbot configuration

Type: string Default: "backupPassphrase"

The key of the k8s secret containing the adminbot backup passphrase

Type: array of string Default: []

Never admin the Room IDs mentioned in this set.

No Additional Items

Each item of this array must be:

Type: boolean Default: false

Enable admin of Direct Messages

Type: boolean Default: true

Admin only rooms local to the homeserver

Type: enum (of string) Default: "info"

Must be one of:

  • "info"
  • "debug"
  • "warning"

Type: array of string Default: []

Only admin the Room IDs mentioned in this set. Ignored if the list is empty.

No Additional Items

Each item of this array must be:

Type: array of object Default: []

List of remote federated homeservers

No Additional Items

Each item of this array must be:

Type: object

Remote federated homeserver

Type: string Default: "remoteAdminUserSecretKey"

The admin user token secret key


Appservice tokens authentication


Must not be:

Type: object

The following properties are required:

  • manual

The following properties are required:

  • auto

Must not be:

The following properties are required:

  • manual

Type: object

Automatically determine appservice tokens authentication. Only possible when using Element Enterprise Server Suite.

Type: string Default: "remoteGenericSharedSecret"

The remote federated homeserver generic shared secret

Type: object

Manually configure appservice tokens authentication.

Type: string Default: "remoteASToken"

The remote federated homeserver AS token secret key

Type: string Default: "remoteHSToken"

The remote federated homeserver HS token secret key

Type: string Default: "adminbot"

Bot username.

Type: string

Deprecated. Moved to bot property.


Allow access from a central adminbot

Type: object

The following properties are required:

  • manualAppService

Type: string

The URL of the appservice of the central adminbot

Type: object

Manually configure appservice tokens. It should not be necessary if using Element Enterprise Server Suite.

Type: string Default: "centralASToken"

The remote federated homeserver AS token secret key

Type: string Default: "centralHSToken"

The remote federated homeserver HS token secret key


Local Adminbot security settings

Type: object

The following properties are required:

  • ipRangesAllowed

Type: array of string

IP ranges allowed to access adminbot UI

No Additional Items

Each item of this array must be:

Type: string

An IPv4 or IPv6 range

Type: enum (of string) Default: "useGlobalSetting"

TLS Verification

Must be one of:

  • "useGlobalSetting"
  • "force"
  • "disable"

Type: object Default: {}

Type: object Default: {}

k8s properties of the access element web workloads inside adminbot component

Type: object Default: {}

Settings dedicated to k8s workloads

Type: object Default: {}

The annotations to add to the workload

Each additional property must conform to the following schema

Type: string

Defines the annotations to add

Type: array of object
No Additional Items

Each item of this array must be:

Type: object

Type: string

Docker secret to use for ems image store

Type: string

The docker registry url for this secret

Type: array of object

The list of host aliases to configure on the pod spec. It is advised to use a DNS entry to resolve your hostnames instead of this feature. This feature can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.

No Additional Items

Each item of this array must be:

Type: object

Type: array of string
No Additional Items

Each item of this array must be:

Type: string

A hostname for the associated IP to add to /etc/hosts

Type: string

An IP resolution to add to /etc/hosts

Type: object

NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/

Each additional property must conform to the following schema

Type: string

Type: number

The number of access Element Web for Adminbot replicas

Value must be greater than or equal to 1

Type: object Default: {}

Kubernetes resources to allocate to each instance.

Type: object Default: {"memory": "200Mi"}

Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/

Type: object Default: {"cpu": "50m", "memory": "50Mi"}

Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/

Default: {}

Type: object

The following properties are required:

  • seLinuxOptions

Type: enum (of string)

Enable pod runAsUser, runAsGroup and fsGroup in security context. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.

Must be one of:

  • "enable"
  • "auto"
  • "disable"

Type: number Default: 10004

The fsGroup GID to use if securityContextForceUidGid is enabled

Type: number Default: 10004

The runAsGroup GID to use if securityContextForceUidGid is enabled

Type: number Default: 10004

The runAsUser UID to use if securityContextForceUidGid is enabled

Type: object

Type: string

Level is SELinux level label that applies to all the workload containers.

Type: string

Role is SELinux level label that applies to all the workload containers.

Type: string

Type is SELinux level label that applies to all the workload containers.

Type: string

User is SELinux level label that applies to all the workload containers.

Type: enum (of string)

Enable RuntimeDefault pod seccomp. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.

Must be one of:

  • "enable"
  • "auto"
  • "disable"

Type: array of object

Workload tolerations

No Additional Items

Each item of this array must be:

Type: object

The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.

Type: string

Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.

Type: string

Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.

Type: string

Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.

Type: number

TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.

Type: string

Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.

Type: object Default: {}

Settings dedicated to k8s

Type: object Default: {}

The annotations to add to every workload and ingress deployed

Each additional property must conform to the following schema

Type: string

Defines the annotations to add

Type: object Default: {}

k8s properties of the haproxy workloads inside adminbot component

Type: object Default: {}

Settings dedicated to monitoring

Type: object Default: {}

Service monitor settings

Type: enum (of string) Default: "auto"

Enable or disable monitoring using ServiceMonitor resources

Must be one of:

  • "enable"
  • "disable"
  • "auto"

Type: object Default: {}

Settings dedicated to k8s workloads

Type: object Default: {}

The annotations to add to the workload

Each additional property must conform to the following schema

Type: string

Defines the annotations to add

Type: array of object
No Additional Items

Each item of this array must be:

Type: object

Type: string

Docker secret to use for ems image store

Type: string

The docker registry url for this secret

Type: array of object

The list of host aliases to configure on the pod spec. It is advised to use a DNS entry to resolve your hostnames instead of this feature. This feature can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.

No Additional Items

Each item of this array must be:

Type: object

Type: array of string
No Additional Items

Each item of this array must be:

Type: string

A hostname for the associated IP to add to /etc/hosts

Type: string

An IP resolution to add to /etc/hosts

Type: object

NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/

Each additional property must conform to the following schema

Type: string

Type: object Default: {}

Kubernetes resources to allocate to each instance.

Type: object Default: {"memory": "200Mi"}

Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/

Type: object Default: {"cpu": "10m", "memory": "100Mi"}

Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/

Default: {}

Type: object

The following properties are required:

  • seLinuxOptions

Type: enum (of string)

Enable pod runAsUser, runAsGroup and fsGroup in security context. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.

Must be one of:

  • "enable"
  • "auto"
  • "disable"

Type: number Default: 10016

The fsGroup GID to use if securityContextForceUidGid is enabled

Type: number Default: 10016

The runAsGroup GID to use if securityContextForceUidGid is enabled

Type: number Default: 10016

The runAsUser UID to use if securityContextForceUidGid is enabled

Type: object

Type: string

Level is SELinux level label that applies to all the workload containers.

Type: string

Role is SELinux level label that applies to all the workload containers.

Type: string

Type is SELinux level label that applies to all the workload containers.

Type: string

User is SELinux level label that applies to all the workload containers.

Type: enum (of string)

Enable RuntimeDefault pod seccomp. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.

Must be one of:

  • "enable"
  • "auto"
  • "disable"

Type: array of object

Workload tolerations

No Additional Items

Each item of this array must be:

Type: object

The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.

Type: string

Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.

Type: string

Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.

Type: string

Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.

Type: number

TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.

Type: string

Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.

Default: {}

Type: object

The following properties are required:

  • appservice

Type: object

Settings dedicated to k8s ingresses

Type: object Default: {}

Defines the annotations to add

Each additional property must conform to the following schema

Type: string

Type: string

Fully qualified domain name of the ingress

Type: string

An optional IngressClass name to be used for this ingress. Optional if you are managing ingress / loadbalancer externally.

Type: object Default: {}

Type: enum (of string)

Default service type

Must be one of:

  • "ClusterIP"
  • "NodePort"
  • "LoadBalancer"



Must not be:

Type: object

The following properties are required:

  • certificate
  • secretName

The following properties are required:

  • certmanager

Type: object
Must match regular expression: certmanager

Must not be:

Type: object

The following properties are required:

  • certmanager
  • secretName

The following properties are required:

  • certificate

Type: object
Must match regular expression: certfile

Must not be:

Type: object

The following properties are required:

  • certificate
  • certmanager

The following properties are required:

  • secretName

Type: object
Must match regular expression: existing

Must not be:

Type: object

The following properties are required:

  • certificate
  • certmanager
  • secretName

Type: object
Must match regular expression: external

Type: object

Certificate file

Type: string Default: "appserviceCertificate"

Appservice Certificate

Type: string Default: "appservicePrivateKey"

Appservice Private Key

Type: object

The cert-manager properties, if enabled

Type: string

The name of cert-manager ClusterIssuer to use

Type: enum (of string)

The TLS mode of this component ingress. Use external if TLS is managed externally to the cluster, certmanager if you want to use cert-manager to issue certificates automatically, or certfile if you want to upload certificate files to Kubernetes TLS secrets manually.

Must be one of:

  • "certmanager"
  • "external"
  • "certfile"
  • "existing"

Type: string

The name of a secret in the cluster that contains TLS certificates

Must be at most 253 characters long

Type: object

Settings dedicated to k8s ingresses

Type: object Default: {}

Defines the annotations to add

Each additional property must conform to the following schema

Type: string

Type: string

Fully qualified domain name of the ingress

Type: string

An optional IngressClass name to be used for this ingress. Optional if you are managing ingress / loadbalancer externally.

Type: object Default: {}

Type: enum (of string)

Default service type

Must be one of:

  • "ClusterIP"
  • "NodePort"
  • "LoadBalancer"



Must not be:

Type: object

The following properties are required:

  • certificate
  • secretName

The following properties are required:

  • certmanager

Type: object
Must match regular expression: certmanager

Must not be:

Type: object

The following properties are required:

  • certmanager
  • secretName

The following properties are required:

  • certificate

Type: object
Must match regular expression: certfile

Must not be:

Type: object

The following properties are required:

  • certificate
  • certmanager

The following properties are required:

  • secretName

Type: object
Must match regular expression: existing

Must not be:

Type: object

The following properties are required:

  • certificate
  • certmanager
  • secretName

Type: object
Must match regular expression: external

Type: object

Certificate file

Type: string Default: "uiCertificate"

UI Certificate

Type: string Default: "uiPrivateKey"

UI Private Key

Type: object

The cert-manager properties, if enabled

Type: string

The name of cert-manager ClusterIssuer to use

Type: enum (of string)

The TLS mode of this component ingress. Use external if TLS is managed externally to the cluster, certmanager if you want to use cert-manager to issue certificates automatically, or certfile if you want to upload certificate files to Kubernetes TLS secrets manually.

Must be one of:

  • "certmanager"
  • "external"
  • "certfile"
  • "existing"

Type: string

The name of a secret in the cluster that contains TLS certificates

Must be at most 253 characters long

Type: object Default: {}

k8s properties of the pipe workloads inside adminbot component

Type: object Default: {}

Settings dedicated to k8s

Type: object Default: {}

The annotations to add to every workload and ingress deployed

Each additional property must conform to the following schema

Type: string

Defines the annotations to add

Type: object Default: {}

Settings dedicated to monitoring

Type: object Default: {}

Service monitor settings

Type: enum (of string) Default: "auto"

Enable or disable monitoring using ServiceMonitor resources

Must be one of:

  • "enable"
  • "disable"
  • "auto"

Type: object Default: {"volume": {"size": "1Gi"}}

Settings dedicated to k8s storage

Default: {"size": "1Gi"}


Must not be:

Type: object

The following properties are required:

  • persistentVolumeClaimName

The following properties are required:

  • size

Must not be:

Type: object

The following properties are required:

  • size

The following properties are required:

  • persistentVolumeClaimName

Type: string

The persistent volume claim name to use to store the media


The volume size to use to store the media

Type: string

The storage class name to use

Type: object Default: {}

Settings dedicated to k8s workloads

Type: object Default: {}

The annotations to add to the workload

Each additional property must conform to the following schema

Type: string

Defines the annotations to add

Type: array of object
No Additional Items

Each item of this array must be:

Type: object

Type: string

Docker secret to use for ems image store

Type: string

The docker registry url for this secret

Type: array of object

The list of host aliases to configure on the pod spec. It is advised to use a DNS entry to resolve your hostnames instead of this feature. This feature can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.

No Additional Items

Each item of this array must be:

Type: object

Type: array of string
No Additional Items

Each item of this array must be:

Type: string

A hostname for the associated IP to add to /etc/hosts

Type: string

An IP resolution to add to /etc/hosts

Type: object

NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/

Each additional property must conform to the following schema

Type: string

Type: object Default: {}

Kubernetes resources to allocate to each instance.

Type: object Default: {"memory": "1Gi"}

Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/

Type: object Default: {"cpu": "10m", "memory": "100Mi"}

Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/

Default: {}

Type: object

The following properties are required:

  • seLinuxOptions

Type: enum (of string)

Enable pod runAsUser, runAsGroup and fsGroup in security context. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.

Must be one of:

  • "enable"
  • "auto"
  • "disable"

Type: number Default: 10006

The fsGroup GID to use if securityContextForceUidGid is enabled

Type: number Default: 10006

The runAsGroup GID to use if securityContextForceUidGid is enabled

Type: number Default: 10006

The runAsUser UID to use if securityContextForceUidGid is enabled

Type: object

Type: string

Level is SELinux level label that applies to all the workload containers.

Type: string

Role is SELinux level label that applies to all the workload containers.

Type: string

Type is SELinux level label that applies to all the workload containers.

Type: string

User is SELinux level label that applies to all the workload containers.

Type: enum (of string)

Enable RuntimeDefault pod seccomp. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.

Must be one of:

  • "enable"
  • "auto"
  • "disable"

Type: array of object

Workload tolerations

No Additional Items

Each item of this array must be:

Type: object

The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.