Deploys an Adminbot which automatically joins rooms. Admins can manage rooms by impersonating the Adminbot.
Deprecated. Moved to bot property.
The adminbot configuration
The key of the k8s secret containing the adminbot backup passphrase
Never admin the Room IDs mentioned in this set.
Enable admin of Direct Messages
Admin only rooms local to the homeserver
Only admin the Room IDs mentioned in this set. Ignored if the list is empty.
List of remote federated homeservers
Remote federated homeserver
The admin user token secret key
Appservice tokens authentication
Automatically determine appservice tokens authentication. Only possible when using Element Enterprise Server Suite.
Manually configure appservice tokens authentication.
The remote federated homeserver AS token secret key
The remote federated homeserver HS token secret key
The remote domain name
The remote matrix server url
Bot username.
Deprecated. Moved to bot property.
Allow access from a central adminbot
The URL of the appservice of the central adminbot
Manually configure appservice tokens. It should not be necessary if using Element Enterprise Server Suite.
The remote federated homeserver AS token secret key
The remote federated homeserver HS token secret key
Local Adminbot security settings
IP ranges allowed to access adminbot UI
An IPv4 or IPv6 range
TLS Verification
k8s properties of the access element web workloads inside adminbot component
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of host aliases to configure on the pod spec. It is advised to use a DNS entry to resolve your hostnames instead of this feature. It can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
The number of access Element Web for Adminbot replicas
Value must be greater or equal to 1
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable pod runAsUser, runAsGroup and fsGroup in security context. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is SELinux level label that applies to all the workload containers.
Role is SELinux level label that applies to all the workload containers.
Type is SELinux level label that applies to all the workload containers.
User is SELinux level label that applies to all the workload containers.
Enable RuntimeDefault pod seccomp. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.
Workload tolerations
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
Settings dedicated to k8s
The annotations to add to every workload and ingress deployed
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
k8s properties of the haproxy workloads inside adminbot component
Settings dedicated to monitoring
Service monitor settings
Enable or disable monitoring using ServiceMonitor resources
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of host aliases to configure on the pod spec. It is advised to use a DNS entry to resolve your hostnames instead of this feature. It can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable pod runAsUser, runAsGroup and fsGroup in security context. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is SELinux level label that applies to all the workload containers.
Role is SELinux level label that applies to all the workload containers.
Type is SELinux level label that applies to all the workload containers.
User is SELinux level label that applies to all the workload containers.
Enable RuntimeDefault pod seccomp. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.
Workload tolerations
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
Settings dedicated to k8s ingresses
Defines the annotations to add
Each additional property must conform to the following schema
Type: string
Fully qualified domain name of the ingress
An optional IngressClass name to be used for this ingress. Optional if you are managing ingress / loadbalancer externally.
Default service type
certmanager
certfile
existing
external
Certificate file
Appservice Certificate
Appservice Private Key
The cert-manager properties, if enabled
The name of cert-manager ClusterIssuer to use
The TLS mode of this component ingress. Use external if TLS is managed externally to the cluster, certmanager if you want cert-manager to issue the certificate automatically, or certfile if you want to upload certificate files to Kubernetes TLS secrets manually.
The name of a secret in the cluster that contains TLS certificates
Must be at most 253 characters long
Settings dedicated to k8s ingresses
Defines the annotations to add
Each additional property must conform to the following schema
Type: string
Fully qualified domain name of the ingress
An optional IngressClass name to be used for this ingress. Optional if you are managing ingress / loadbalancer externally.
Default service type
certmanager
certfile
existing
external
Certificate file
UI Certificate
UI Private Key
The cert-manager properties, if enabled
The name of cert-manager ClusterIssuer to use
The TLS mode of this component ingress. Use external if TLS is managed externally to the cluster, certmanager if you want cert-manager to issue the certificate automatically, or certfile if you want to upload certificate files to Kubernetes TLS secrets manually.
The name of a secret in the cluster that contains TLS certificates
Must be at most 253 characters long
k8s properties of the pipe workloads inside adminbot component
Settings dedicated to k8s
The annotations to add to every workload and ingress deployed
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Settings dedicated to monitoring
Service monitor settings
Enable or disable monitoring using ServiceMonitor resources
Settings dedicated to k8s storage
The persistent volume claim name to use to store the media
The volume size to use to store the media
The storage class name to use
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of host aliases to configure on the pod spec. It is advised to use a DNS entry to resolve your hostnames instead of this feature. It can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable pod runAsUser, runAsGroup and fsGroup in security context. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is SELinux level label that applies to all the workload containers.
Role is SELinux level label that applies to all the workload containers.
Type is SELinux level label that applies to all the workload containers.
User is SELinux level label that applies to all the workload containers.
Enable RuntimeDefault pod seccomp. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.
Workload tolerations
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
The secret data associated to adminbot config. The secret key associated to config.backupPassphraseSecretKey must be present.
Must be at most 253 characters long
Deploys an Auditbot which automatically joins rooms and logs every message to the configured outputs.
Deprecated. Moved to bot property.
The auditbot configuration
The key of the k8s secret containing the auditbot backup passphrase
Never audit the Room IDs mentioned in this set.
Enable audit of Direct Messages
Audit only rooms local to the homeserver
Only audit the Room IDs mentioned in this set. Ignored if the list is empty.
Outputs of Auditbot logs
Azure Blob Storage container configuration
Azure Container connection string.
Azure container name.
File key prefix
Event types to log to the output
Log a message when a user sends a read receipt.
Log a message when a user types.
Logfile rotation parameters
Number of files to keep
Value must be greater or equal to 1
Logfile size before rotation
S3 Bucket to send logs to
Auditbot access key secret key
S3 bucket name
Bucket endpoint
Bucket key prefix
Bucket region
Auditbot access key secret key
List of remote federated homeservers
Remote federated homeserver
The admin user token secret key
Appservice tokens authentication
Automatically determine appservice tokens authentication. Only possible when using Element Enterprise Server Suite.
Manually configure appservice tokens authentication.
The remote federated homeserver AS token secret key
The remote federated homeserver HS token secret key
The remote domain name
The remote matrix server url
Bot username.
Deprecated. Moved to bot property.
Allow access from a central auditbot
The URL of the appservice of the central auditbot
Manually configure appservice tokens. It should not be necessary if using Element Enterprise Server Suite.
The remote federated homeserver AS token secret key
The remote federated homeserver HS token secret key
Local Auditbot security settings. Deprecated, as it is now integrated in the AdminUI.
IP ranges allowed to access auditbot UI
An IPv4 or IPv6 range
TLS Verification
Deprecated, Auditbot no longer uses a separate Access Element Web instance
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of host aliases to configure on the pod spec. It is advised to use a DNS entry to resolve your hostnames instead of this feature. It can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
The number of access Element Web for Auditbot replicas
Value must be greater or equal to 1
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable pod runAsUser, runAsGroup and fsGroup in security context. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is SELinux level label that applies to all the workload containers.
Role is SELinux level label that applies to all the workload containers.
Type is SELinux level label that applies to all the workload containers.
User is SELinux level label that applies to all the workload containers.
Enable RuntimeDefault pod seccomp. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.
Workload tolerations
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
Settings dedicated to k8s
The annotations to add to every workload and ingress deployed
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
k8s properties of the haproxy workloads inside auditbot component
Settings dedicated to monitoring
Service monitor settings
Enable or disable monitoring using ServiceMonitor resources
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of host aliases to configure on the pod spec. It is advised to use a DNS entry to resolve your hostnames instead of this feature. It can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable pod runAsUser, runAsGroup and fsGroup in security context. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is SELinux level label that applies to all the workload containers.
Role is SELinux level label that applies to all the workload containers.
Type is SELinux level label that applies to all the workload containers.
User is SELinux level label that applies to all the workload containers.
Enable RuntimeDefault pod seccomp. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.
Workload tolerations
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
Settings dedicated to k8s ingresses
Defines the annotations to add
Each additional property must conform to the following schema
Type: string
Fully qualified domain name of the ingress
An optional IngressClass name to be used for this ingress. Optional if you are managing ingress / loadbalancer externally.
Default service type
certmanager
certfile
existing
external
Certificate file
Appservice Certificate
Appservice Private Key
The cert-manager properties, if enabled
The name of cert-manager ClusterIssuer to use
The TLS mode of this component ingress. Use external if TLS is managed externally to the cluster, certmanager if you want cert-manager to issue the certificate automatically, or certfile if you want to upload certificate files to Kubernetes TLS secrets manually.
The name of a secret in the cluster that contains TLS certificates
Must be at most 253 characters long
Settings dedicated to k8s ingresses
Defines the annotations to add
Each additional property must conform to the following schema
Type: string
Fully qualified domain name of the ingress
An optional IngressClass name to be used for this ingress. Optional if you are managing ingress / loadbalancer externally.
Default service type
certmanager
certfile
existing
external
Certificate file
UI Certificate
UI Private Key
The cert-manager properties, if enabled
The name of cert-manager ClusterIssuer to use
The TLS mode of this component ingress. Use external if TLS is managed externally to the cluster, certmanager if you want cert-manager to issue the certificate automatically, or certfile if you want to upload certificate files to Kubernetes TLS secrets manually.
The name of a secret in the cluster that contains TLS certificates
Must be at most 253 characters long
k8s properties of the pipe workloads inside auditbot component
Settings dedicated to k8s
The annotations to add to every workload and ingress deployed
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Settings dedicated to monitoring
Service monitor settings
Enable or disable monitoring using ServiceMonitor resources
Settings dedicated to k8s storage
The persistent volume claim name to use to store the media
The volume size to use to store the media
The storage class name to use
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of host aliases to configure on the pod spec. It is advised to use a DNS entry to resolve your hostnames instead of this feature. It can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable pod runAsUser, runAsGroup and fsGroup in security context. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is SELinux level label that applies to all the workload containers.
Role is SELinux level label that applies to all the workload containers.
Type is SELinux level label that applies to all the workload containers.
User is SELinux level label that applies to all the workload containers.
Enable RuntimeDefault pod seccomp. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.
Workload tolerations
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
The secret data associated to adminbot config. The secret key associated to config.backupPassphraseSecretKey must be present. For every remote server, the keys associated to the following must be present: remote.appservice.genericSharedSecretKey, or remote.appservice.hsTokenSecretKey and remote.appservice.asTokenSecretKey. The key associated to remote.adminUserTokenSecretKey must also be present.
Must be at most 253 characters long
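As an added check for the secret-key rule stated above (this is example code, not part of the ESS schema or its tooling): a small validator that reports which of the required keys are absent from the Secret's data before the bot is deployed. The nesting of the properties under config, remote and appservice and all sample values are assumptions.

```python
from __future__ import annotations

from typing import Any

# Constructed sample bot configuration: two remote homeservers, one using a
# generic shared secret, the other using explicit AS/HS tokens. Property
# names are the ones quoted on the page; the list layout is an assumption.
SAMPLE_BOT: dict[str, Any] = {
    "config": {"backupPassphraseSecretKey": "backupPassphrase"},
    "remote": [
        {
            "domain": "remote-a.example",
            "adminUserTokenSecretKey": "remoteAAdminToken",
            "appservice": {"genericSharedSecretKey": "remoteASharedSecret"},
        },
        {
            "domain": "remote-b.example",
            "adminUserTokenSecretKey": "remoteBAdminToken",
            "appservice": {
                "hsTokenSecretKey": "remoteBHsToken",
                "asTokenSecretKey": "remoteBAsToken",
            },
        },
    ],
}

# Constructed contents of the k8s Secret's data map. Values are placeholders;
# only the presence of each key matters for this check.
SAMPLE_SECRET_OK: dict[str, str] = {
    "backupPassphrase": "PLACEHOLDER",
    "remoteAAdminToken": "PLACEHOLDER",
    "remoteASharedSecret": "PLACEHOLDER",
    "remoteBAdminToken": "PLACEHOLDER",
    "remoteBHsToken": "PLACEHOLDER",
    "remoteBAsToken": "PLACEHOLDER",
}

# The same Secret with the backup passphrase and one HS token missing.
SAMPLE_SECRET_BAD: dict[str, str] = {
    k: v for k, v in SAMPLE_SECRET_OK.items()
    if k not in ("backupPassphrase", "remoteBHsToken")
}


def missing_secret_keys(bot: dict[str, Any], secret_data: dict[str, str]) -> list[str]:
    """Return one line per requirement from the page that the Secret fails.

    An empty list means every referenced key is present.
    """
    problems: list[str] = []

    # The backup passphrase key must always be present.
    backup_key = bot["config"]["backupPassphraseSecretKey"]
    if backup_key not in secret_data:
        problems.append(f"config.backupPassphraseSecretKey: key {backup_key!r} missing")

    for remote in bot.get("remote", []):
        domain = remote.get("domain", "<unnamed remote>")
        appservice = remote.get("appservice", {})
        generic = appservice.get("genericSharedSecretKey")
        hs_key = appservice.get("hsTokenSecretKey")
        as_key = appservice.get("asTokenSecretKey")

        # Rule: genericSharedSecretKey, OR both hsTokenSecretKey and asTokenSecretKey.
        generic_ok = generic is not None and generic in secret_data
        pair_ok = (hs_key is not None and as_key is not None
                   and hs_key in secret_data and as_key in secret_data)
        if not (generic_ok or pair_ok):
            problems.append(
                f"{domain}: need key {generic!r} (genericSharedSecretKey) or both "
                f"{hs_key!r} (hsTokenSecretKey) and {as_key!r} (asTokenSecretKey)")

        # The admin user token key is required for every remote.
        admin_key = remote.get("adminUserTokenSecretKey")
        if admin_key is None or admin_key not in secret_data:
            problems.append(f"{domain}: adminUserTokenSecretKey {admin_key!r} missing")

    return problems


if __name__ == "__main__":
    for line in missing_secret_keys(SAMPLE_BOT, SAMPLE_SECRET_BAD):
        print(line)
```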
Coturn provides a STUN and a TURN server. The STUN server can be used by Element Call and Jitsi so that devices are able to detect their access IP. The TURN server can be used by Jitsi to provide WebRTC relaying.
Whether to enable TCP for STUN/TURN
Coturn external IP
Whether or not to use host mode networking.
Allowed peer IPs that would otherwise be blocked by deniedIpv4Ranges or deniedIpv6Ranges
An allowed IP
Denied IPv4 range
A denied IPv4 range
Denied IPv6 range
A denied IPv6 range
Settings dedicated to k8s
The annotations to add to every workload and ingress deployed
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Services to expose for Coturn
Fully qualified domain name where STUN/TURN is available at
The service unsecured port
The port range on which the service will be accessible
The port range start port
The port range end port
Kubernetes service port type
The service port
The port on which the service will be accessible
Kubernetes service port type
The service port
The port on which the service will be accessible
Kubernetes service port type
certfile
existing
Certificate file
The TLS certificate file for the coturn fqdn
The TLS private key file for the coturn fqdn
The TLS mode of the service.
The name of a secret in the cluster that contains TLS certificates
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: stringDefines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of hosts aliases to configure on the pod spec. It is advised to instead use a DNS entry to resolve your hostnames, instead of this feature. This feature can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable pod runAsUser, runAsGroup and fsGroup in the security context. Disable it where it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is the SELinux level label that applies to all the workload containers.
Role is the SELinux role label that applies to all the workload containers.
Type is the SELinux type label that applies to all the workload containers.
User is the SELinux user label that applies to all the workload containers.
Enable the RuntimeDefault pod seccomp profile. Disable it where it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
The secret data associated to Coturn config
Must be at most 253 characters long
VoIP group calls powered by Matrix, implementing MatrixRTC with SFU backend. Can't be deployed if Jitsi is deployed
Element call additional configuration.
Deprecated. This feature should not be used anymore.
SFU server settings. The SFU is the component which will forward WebRTC streams to call participants.
Logging settings
The maximum level of log output
Configure SFU networking.
Whether or not to use host mode networking.
Manually enter IP to advertise to clients.
How the SFU chooses the public IP it advertises
The STUN servers that let the SFU discover its public IP address and let connecting users look up theirs. If the list is empty or not defined, it defaults to the Coturn deployed with Element Deployment. If Coturn is not deployed, it falls back to LiveKit's built-in defaults, which are Google's STUN servers, so STUN traffic then leaves your network for a third party.
No Additional Items
A STUN server
You can override Kubernetes configuration for each component of Element Call
Settings dedicated to k8s
The annotations to add to every workloads and ingresses deployed
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Services to expose for LiveKit
The service port
The port on which the service will be accessible
Kubernetes service port type
The service port
The port on which the service will be accessible
Kubernetes service port type
The service unsecured port
The port range on which the service will be accessible
The port range start port
The port range end port
Kubernetes service port type
Settings dedicated to k8s ingresses
Defines the annotations to add
Each additional property must conform to the following schema
Type: string
Fully qualified domain name of the ingress
An optional IngressClass name to be used for this ingress. Optional if you are managing ingress / loadbalancer externally.
Default service type
certmanager
certfile
existing
external
Certificate file
Element Call Certificate
Element Call Private Key
The cert-manager properties, if enabled
The name of cert-manager ClusterIssuer to use
The TLS mode of this component ingress. Use external if TLS is managed externally to the cluster, certmanager if you want cert-manager to issue the certificate automatically, certfile if you want to upload certificate files to Kubernetes TLS secrets manually, or existing to reference a TLS secret already present in the cluster.
The name of a secret in the cluster that contains TLS certificates
Must be at most 253 characters long
Settings dedicated to k8s ingresses
Defines the annotations to add
Each additional property must conform to the following schema
Type: string
Fully qualified domain name of the ingress
An optional IngressClass name to be used for this ingress. Optional if you are managing ingress / loadbalancer externally.
Default service type
certmanager
certfile
existing
external
Certificate file
LiveKit SFU Certificate
LiveKit SFU Private Key
The cert-manager properties, if enabled
The name of cert-manager ClusterIssuer to use
The TLS mode of this component ingress. Use external if TLS is managed externally to the cluster, certmanager if you want cert-manager to issue the certificate automatically, certfile if you want to upload certificate files to Kubernetes TLS secrets manually, or existing to reference a TLS secret already present in the cluster.
The name of a secret in the cluster that contains TLS certificates
Must be at most 253 characters long
k8s properties of the LiveKit JWT component workloads
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of hosts aliases to configure on the pod spec. It is advised to instead use a DNS entry to resolve your hostnames, instead of this feature. This feature can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable pod runAsUser, runAsGroup and fsGroup in the security context. Disable it where it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is the SELinux level label that applies to all the workload containers.
Role is the SELinux role label that applies to all the workload containers.
Type is the SELinux type label that applies to all the workload containers.
User is the SELinux user label that applies to all the workload containers.
Enable the RuntimeDefault pod seccomp profile. Disable it where it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
k8s properties of the redis workloads
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of hosts aliases to configure on the pod spec. It is advised to instead use a DNS entry to resolve your hostnames, instead of this feature. This feature can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable pod runAsUser, runAsGroup and fsGroup in the security context. Disable it where it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is the SELinux level label that applies to all the workload containers.
Role is the SELinux role label that applies to all the workload containers.
Type is the SELinux type label that applies to all the workload containers.
User is the SELinux user label that applies to all the workload containers.
Enable the RuntimeDefault pod seccomp profile. Disable it where it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
k8s properties of the LiveKit SFU component workloads
Settings dedicated to monitoring
Service monitor settings
Enable or disable monitoring using ServiceMonitor resources
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of hosts aliases to configure on the pod spec. It is advised to instead use a DNS entry to resolve your hostnames, instead of this feature. This feature can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable pod runAsUser, runAsGroup and fsGroup in the security context. Disable it where it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is the SELinux level label that applies to all the workload containers.
Role is the SELinux role label that applies to all the workload containers.
Type is the SELinux type label that applies to all the workload containers.
User is the SELinux user label that applies to all the workload containers.
Enable the RuntimeDefault pod seccomp profile. Disable it where it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of hosts aliases to configure on the pod spec. It is advised to instead use a DNS entry to resolve your hostnames, instead of this feature. This feature can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
The number of Element Call replicas
Value must be greater or equal to 1
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable pod runAsUser, runAsGroup and fsGroup in the security context. Disable it where it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is the SELinux level label that applies to all the workload containers.
Role is the SELinux role label that applies to all the workload containers.
Type is the SELinux type label that applies to all the workload containers.
User is the SELinux user label that applies to all the workload containers.
Enable the RuntimeDefault pod seccomp profile. Disable it where it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
The secret data associated to the Element Call config. If the ingress TLS mode is certfile, the keys matching k8s.ingress.certificate.certFileSecretKey and k8s.ingress.certificate.privateKeySecretKey must be present.
Must be at most 253 characters long
This is the user interface used by desktops to access Matrix rooms.
Element web additional configuration.
Whether the sharing links generated by this Element Web instance should use the URL of this Element Web. If turned off the sharing links use https://matrix.to unless a custom permalink prefix is set in the Additional Config section. If turned on, mobile clients will not detect links using the URL of this Element Web (or any other custom permalink prefix) unless they've been explicitly configured by Mobile Device Management (MDM).
You can override Kubernetes configuration for each component of Element Web
Settings dedicated to k8s
The annotations to add to every workloads and ingresses deployed
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Settings dedicated to k8s ingresses
Defines the annotations to add
Each additional property must conform to the following schema
Type: string
Fully qualified domain name of the ingress
An optional IngressClass name to be used for this ingress. Optional if you are managing ingress / loadbalancer externally.
Default service type
certmanager
certfile
existing
external
Certificate file
ElementWeb Certificate
ElementWeb Private Key
The cert-manager properties, if enabled
The name of cert-manager ClusterIssuer to use
The TLS mode of this component ingress. Use external if TLS is managed externally to the cluster, certmanager if you want cert-manager to issue the certificate automatically, certfile if you want to upload certificate files to Kubernetes TLS secrets manually, or existing to reference a TLS secret already present in the cluster.
The name of a secret in the cluster that contains TLS certificates
Must be at most 253 characters long
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of hosts aliases to configure on the pod spec. It is advised to instead use a DNS entry to resolve your hostnames, instead of this feature. This feature can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
The number of Element Web replicas
Value must be greater or equal to 1
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable pod runAsUser, runAsGroup and fsGroup in the security context. Disable it where it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is the SELinux level label that applies to all the workload containers.
Role is the SELinux role label that applies to all the workload containers.
Type is the SELinux type label that applies to all the workload containers.
User is the SELinux user label that applies to all the workload containers.
Enable the RuntimeDefault pod seccomp profile. Disable it where it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
The secret data associated to the Element Web config. If the ingress TLS mode is certfile, the keys matching k8s.ingress.certificate.certFileSecretKey and k8s.ingress.certificate.privateKeySecretKey must be present.
Must be at most 253 characters long
This is a connector to your user management service to synchronize their groups memberships with spaces and rooms memberships.
Optionally configures a list of users to allow in any groupsync-managed room
No Additional Items
A user to allow in any groupsync-managed room
A list of rooms to configure by default in all spaces
No Additional Items
A room to configure by default in all spaces
The room ID in groupsync config. Changing this value creates a new room instead of renaming the existing one. It must be unique, and it can be generated using a UUID.
The room properties
The room name
Deprovisioning options
Enable rooms Garbage collection
When users are removed from the directory their accounts are only deactivated; their erasure is delayed by the specified period, allowing them to be reactivated in the meantime. The period is translated into a fixed number of seconds, so it does not account for DST changes, leap seconds and the like. Users are deleted no sooner than that, but may be removed somewhat later, depending on other Group Sync operations. The format is a number followed by one unit among s, m, h and d (for example "24h" or "31d").
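A parser for the delay format described above, added as an example (it is not Group Sync's own code). It accepts exactly a number plus one of s, m, h, d, converts to a fixed count of seconds as the description states, and adds a small scheduling helper that shows why the delay has to be applied to a timezone-aware UTC timestamp rather than local wall-clock time. The sample deactivation timestamp is constructed.

```python
"""Group Sync deprovisioning delay parser (added example, not project code)."""
import re
from datetime import datetime, timedelta, timezone

_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
_DELAY = re.compile(r"^(\d+)([smhd])$")


def parse_deprovision_delay(value: str) -> int:
    """Return the delay in seconds; raise ValueError for anything outside the documented format."""
    match = _DELAY.match(value.strip())
    if match is None:
        raise ValueError(f"invalid delay {value!r}: expected <number><s|m|h|d>, e.g. '24h' or '31d'")
    amount, unit = int(match.group(1)), match.group(2)
    # Plain multiplication: a day is always 86400 s here, whatever DST or leap seconds do.
    return amount * _UNIT_SECONDS[unit]


def earliest_erasure(deactivated_at: datetime, delay: str) -> datetime:
    """Earliest instant the account may be erased; later is allowed, earlier is not.

    Requires a timezone-aware datetime: adding fixed seconds to a naive local time would
    silently land on a different wall-clock hour across a DST change.
    """
    if deactivated_at.tzinfo is None:
        raise ValueError("deactivated_at must be timezone-aware (use UTC)")
    return deactivated_at + timedelta(seconds=parse_deprovision_delay(delay))


def erasure_allowed(now: datetime, deactivated_at: datetime, delay: str) -> bool:
    """True once the full delay has elapsed; until then the account can still be reactivated."""
    return now >= earliest_erasure(deactivated_at, delay)


# Constructed sample: a user deactivated at midnight UTC on 1 March 2024.
SAMPLE_DEACTIVATED_AT = datetime(2024, 3, 1, 0, 0, tzinfo=timezone.utc)


def sample_earliest_erasure_iso(delay: str) -> str:
    """ISO 8601 timestamp of the earliest erasure for the constructed sample user."""
    return earliest_erasure(SAMPLE_DEACTIVATED_AT, delay).isoformat()


if __name__ == "__main__":
    for delay in ("24h", "31d", "90m"):
        print(delay, "=", parse_deprovision_delay(delay), "s; earliest erasure:", sample_earliest_erasure_iso(delay))
```

Reject rather than guess on unknown units: a "1w" that is quietly read as one second, or as one day, either erases data far too early or keeps a departed user's account alive far longer than the retention policy intended.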
Enable Dry Run mode to avoid any unexpected change
Enable or disable invite to public rooms in spaces
The LDAP attribute holding the space name
The LDAP attribute holding the user ID
The LDAP base DN
The LDAP bind DN
The LDAP bind password
The LDAP check interval, in seconds
An additional ldap filter
The LDAP URI groupsync will use to request users
MS Graph base URL
The MSGraph client id
The key of the k8s secret containing MSGraph client secret
Specific scopes to set for graph to use. Should be modified if the base url is changed.
Must contain at least 1 item
An MSGraph scope, in the form of a URL.
The MSGraph tenant id
Configures SCIM. Please configure the SCIM ingress as well.
The scim client id
The SCIM Mapping to get the user id
Should SCIM user creation register a Matrix account for the user.
Should SCIM responses wait for Matrix provisioning to complete.
If specified, attribute sync will be limited to the attributes listed here. By default all available attributes are synced.
True to sync displayName attributes.
True to sync emails attributes.
TLS Verification
You can override Kubernetes configuration for each component of Group Sync
Settings dedicated to k8s
The annotations to add to every workloads and ingresses deployed
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Settings dedicated to k8s ingresses
Settings dedicated to k8s ingresses
Defines the annotations to add
Each additional property must conform to the following schema
Type: string
Fully qualified domain name of the ingress
An optional IngressClass name to be used for this ingress. Optional if you are managing ingress / loadbalancer externally.
Default service type
certmanager
certfile
existing
external
Certificate file
SCIM Server Certificate
SCIM Server Private Key
The cert-manager properties, if enabled
The name of cert-manager ClusterIssuer to use
The TLS mode of this component ingress. Use external if TLS is managed externally to the cluster, certmanager if you want cert-manager to issue the certificate automatically, certfile if you want to upload certificate files to Kubernetes TLS secrets manually, or existing to reference a TLS secret already present in the cluster.
The name of a secret in the cluster that contains TLS certificates
Must be at most 253 characters long
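A validator for the ingress TLS settings, added as an example (it is not part of the Element deployment tooling). The same four modes, certmanager, certfile, existing and external, appear on the Element Call, LiveKit SFU, Element Web and SCIM ingresses above, and the secret-data descriptions for Element Call and Element Web state that in certfile mode the keys named by k8s.ingress.certificate.certFileSecretKey and privateKeySecretKey must be present in the Secret; this one check serves all of them. The layout it reads is assumed for the example: ingress["tls"]["mode"] for the mode, ingress["certificate"] for the two secret key names, ingress["certmanager"]["clusterIssuer"] for the ClusterIssuer name and ingress["tls"]["secretName"] for the existing Secret. The sample Secret holds constructed PEM placeholders, not real key material.

```python
"""Ingress TLS mode validator (added example, not project code)."""
import base64
from typing import Dict, List

TLS_MODES = {"certmanager", "certfile", "existing", "external"}


def _decoded(secret_data: Dict[str, str], key: str) -> str:
    """Decode one base64 Secret value; anything undecodable counts as absent."""
    try:
        return base64.b64decode(secret_data.get(key, ""), validate=True).decode("utf-8", "replace")
    except (ValueError, TypeError):
        return ""


def ingress_tls_problems(component: str, ingress: Dict, secret_data: Dict[str, str]) -> List[str]:
    """Return problems for one component's ingress; an empty list means the TLS config is consistent."""
    problems: List[str] = []
    tls = ingress.get("tls", {})
    mode = tls.get("mode")
    if mode not in TLS_MODES:
        return [f"{component}: unknown TLS mode {mode!r}; expected one of {sorted(TLS_MODES)}"]

    if mode == "certmanager":
        if not ingress.get("certmanager", {}).get("clusterIssuer"):
            problems.append(f"{component}: certmanager mode needs a ClusterIssuer name")
    elif mode == "existing":
        if not tls.get("secretName"):
            problems.append(f"{component}: existing mode needs the name of the TLS Secret")
    elif mode == "certfile":
        cert = ingress.get("certificate", {})
        cert_key = cert.get("certFileSecretKey")
        key_key = cert.get("privateKeySecretKey")
        cert_pem = _decoded(secret_data, cert_key) if cert_key else ""
        key_pem = _decoded(secret_data, key_key) if key_key else ""
        # Presence is the documented requirement; the PEM header checks catch the common
        # mistake of uploading the two files under swapped keys.
        if "-----BEGIN CERTIFICATE-----" not in cert_pem:
            problems.append(f"{component}: secret key {cert_key!r} is missing or holds no PEM certificate")
        if "PRIVATE KEY-----" not in key_pem:
            problems.append(f"{component}: secret key {key_key!r} is missing or holds no PEM private key")
        if "PRIVATE KEY-----" in cert_pem:
            problems.append(f"{component}: certificate key {cert_key!r} contains a private key (swapped entries?)")
    # external: TLS terminates outside the cluster, nothing to verify from this config.
    return problems


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed sample Secret `.data`: PEM headers only, no real key material.
SAMPLE_SECRET = {
    "tls.crt": _b64("-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"),
    "tls.key": _b64("-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n"),
}

SAMPLE_INGRESS_CERTFILE = {
    "fqdn": "call.example.org",
    "tls": {"mode": "certfile"},
    "certificate": {"certFileSecretKey": "tls.crt", "privateKeySecretKey": "tls.key"},
}


if __name__ == "__main__":
    print(ingress_tls_problems("element-call", SAMPLE_INGRESS_CERTFILE, SAMPLE_SECRET))
    print(ingress_tls_problems("scim", {"tls": {"mode": "certmanager"}}, {}))
```

In external mode the check is deliberately empty: the cluster has no certificate to inspect, which is exactly why that mode needs the external terminator's configuration reviewed separately.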
Settings dedicated to monitoring
Service monitor settings
Enable or disable monitoring using ServiceMonitor resources
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of hosts aliases to configure on the pod spec. It is advised to instead use a DNS entry to resolve your hostnames, instead of this feature. This feature can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable pod runAsUser, runAsGroup and fsGroup in the security context. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is the SELinux level label that applies to all the workload containers.
Role is the SELinux role label that applies to all the workload containers.
Type is the SELinux type label that applies to all the workload containers.
User is the SELinux user label that applies to all the workload containers.
Enable the RuntimeDefault pod seccomp profile. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
The secret data associated with the groupsync config. If using the ldap source, a key matching config.source.ldap.bindPasswordSecretKey must be present. If using the msgraph source, a key matching config.source.msgraph.clientSecretSecretKey must be present. If using the scim source, and the ingress is using the certfile TLS mode, keys matching k8s.ingress.scim.certificate.certFileSecretKey and k8s.ingress.scim.certificate.privateKeySecretKey must be present.
Must be at most 253 characters long
Integrate with external code platforms (Github, Gitlab), other platforms (JIRA) and custom webhooks
The hookshot bot
The hookshot bot avatar mxc url
The hookshot bot display name
The hookshot bot username
Whether to enable separate bots for each Hookshot service
Configuration of hookshot generic webhooks
Allow JavaScript transformation functions
Enable or disable inbound webhooks
Enable or disable outbound webhooks
Webhook user ID prefixes
Configuration of hookshot github integration
Github application auth id
The default options to apply to github hooks
Choose the prefix to use when sending commands to the bot. Ideally starts with "!" (e.g. !gh)
Enable notifications for some event types
No Additional Items
Never notify on issues matching these label names
No Additional Items
A label name
Send a link to an issue/PR in the room when a user mentions a prefix followed by a number
Choose to exclude notifications for some event types
No Additional Items
Only notify on issues matching these label names
No Additional Items
A label name
Configuration options for new issues
Automatically set these labels on issues created via commands
No Additional Items
A label name
Show a diff in the room when a PR is created, subject to limits
Enable the PR diff
Max number of lines to display in the room
When new issues are created, provide a Matrix alias link to the issue room
Configuration options for workflow run results
Never report workflow runs with a matching workflow name.
No Additional Items
A workflow name
Only report workflow runs with a matching workflow name.
No Additional Items
A workflow name
Only report workflow runs if it matches this regex.
The key of the k8s secret containing github key file
Github OAuth client id
The key of the k8s secret containing github oauth client secret
The key of the k8s secret containing github webhook secret
Gitlab hooks
Gitlab instance name
Gitlab instance URL
The key of the k8s secret containing gitlab webhook secret
Jira OAuth client id
The key of the k8s secret containing Jira oauth client secret
The key of the k8s secret containing Jira webhook secret
The key of the k8s secret containing hookshot Pass Key secret
What permissions users have on hookshot. Keys can be * (everyone), a room ID, specific server names or specific MXIDs
Each additional property must conform to the following schema
Type: array of object
The permissions of the given actor.
No Additional Items
The key of the k8s secret containing the hookshot provisioning secret
TLS Verification
The hookshot widgets settings
Deprecated - Not used since Appstore embeds widgets instead. Was - Add widgets on invite
Add widgets to admin rooms
Which IP ranges should be disallowed when resolving homeserver IP addresses (for security reasons). Unless you know what you are doing, it is recommended to not change this.
No Additional Items
An IP range, in IPv4 or IPv6 format
The hookshot widget title
You can override Kubernetes configuration for each component of Hookshot
Settings dedicated to k8s
The annotations to add to every workload and ingress deployed
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Settings dedicated to k8s ingresses
Defines the annotations to add
Each additional property must conform to the following schema
Type: string
Fully qualified domain name of the ingress
An optional IngressClass name to be used for this ingress. Optional if you are managing ingress / loadbalancer externally.
Default service type
certmanager
certfile
existing
external
Certificate file
Hookshot Server Certificate
Hookshot Server Private Key
The cert-manager properties, if enabled
The name of cert-manager ClusterIssuer to use
The TLS mode of this component ingress. Use external if TLS is managed externally to the cluster, certmanager if you want to use cert-manager to issue certificates automatically, or certfile if you want to upload certificate files to Kubernetes TLS secrets manually.
The name of a secret in the cluster that contains TLS certificates
Must be at most 253 characters long
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of host aliases to configure on the pod spec. It is advised to use a DNS entry to resolve your hostnames instead of this feature. This feature can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable pod runAsUser, runAsGroup and fsGroup in the security context. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is the SELinux level label that applies to all the workload containers.
Role is the SELinux role label that applies to all the workload containers.
Type is the SELinux type label that applies to all the workload containers.
User is the SELinux user label that applies to all the workload containers.
Enable the RuntimeDefault pod seccomp profile. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
The secret data associated with the hookshot config. If the ingress TLS mode uses certificate files, keys matching k8s.ingress.certificate.certFileSecretKey and k8s.ingress.certificate.privateKeySecretKey must be present.
Must be at most 253 characters long
Deploy a Hydrogen client.
Hydrogen additional configuration as a JSON object.
Settings dedicated to k8s
The annotations to add to every workload and ingress deployed
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Settings dedicated to k8s ingresses
Defines the annotations to add
Each additional property must conform to the following schema
Type: string
Fully qualified domain name of the ingress
An optional IngressClass name to be used for this ingress. Optional if you are managing ingress / loadbalancer externally.
Default service type
certmanager
certfile
existing
external
Certificate file
Hydrogen Certificate
Hydrogen Private Key
The cert-manager properties, if enabled
The name of cert-manager ClusterIssuer to use
The TLS mode of this component ingress. Use external if TLS is managed externally to the cluster, certmanager if you want to use cert-manager to issue certificates automatically, or certfile if you want to upload certificate files to Kubernetes TLS secrets manually.
The name of a secret in the cluster that contains TLS certificates
Must be at most 253 characters long
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of host aliases to configure on the pod spec. It is advised to use a DNS entry to resolve your hostnames instead of this feature. This feature can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
The number of Hydrogen replicas
Value must be greater than or equal to 1
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable pod runAsUser, runAsGroup and fsGroup in the security context. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is the SELinux level label that applies to all the workload containers.
Role is the SELinux role label that applies to all the workload containers.
Type is the SELinux type label that applies to all the workload containers.
User is the SELinux user label that applies to all the workload containers.
Enable the RuntimeDefault pod seccomp profile. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
The secret data associated with the Hydrogen config
Must be at most 253 characters long
This is a user-facing service integration tool to allow users to connect their rooms to external services.
Enable custom widgets in Appstore
Select this option to manually configure an external Jitsi domain. If this option is not set, the installer will default to the domain of the installer-deployed Jitsi.
Logging settings
The maximum level of log output
Optional Sentry DSN.
Output logs in logstash format. Otherwise, logs are output in a console friendly format.
Configuration of the PostgreSQL database
PostgreSQL database name
PostgreSQL database host
The PostgreSQL password
PostgreSQL port
Value must be greater than or equal to 0 and less than or equal to 65535
TLS settings to use for the PostgreSQL connection
PostgreSQL username
Terms of Use
Terms policies
No Additional Items
Policy localization lang
Policy localization name
Policy localization url
Policy name
Policy version
Terms revision
TLS Verification
You can override Kubernetes configuration for each component of Integrator
Settings dedicated to k8s
The annotations to add to every workload and ingress deployed
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Settings dedicated to k8s ingresses
Defines the annotations to add
Each additional property must conform to the following schema
Type: string
Fully qualified domain name of the ingress
An optional IngressClass name to be used for this ingress. Optional if you are managing ingress / loadbalancer externally.
Default service type
certmanager
certfile
existing
external
Certificate file
Integrator Certificate
Integrator Private Key
The cert-manager properties, if enabled
The name of cert-manager ClusterIssuer to use
The TLS mode of this component ingress. Use external if TLS is managed externally to the cluster, certmanager if you want to use cert-manager to issue certificates automatically, or certfile if you want to upload certificate files to Kubernetes TLS secrets manually.
The name of a secret in the cluster that contains TLS certificates
Must be at most 253 characters long
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of host aliases to configure on the pod spec. It is advised to use a DNS entry to resolve your hostnames instead of this feature. This feature can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
The number of replicas of the Integrator deployment
Value must be greater than or equal to 1
The resources to use on this workload
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable pod runAsUser, runAsGroup and fsGroup in the security context. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is the SELinux level label that applies to all the workload containers.
Role is the SELinux role label that applies to all the workload containers.
Type is the SELinux type label that applies to all the workload containers.
User is the SELinux user label that applies to all the workload containers.
Enable the RuntimeDefault pod seccomp profile. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
The secret data associated with the integrator config. If the ingress TLS mode uses certificate files, keys matching k8s.ingress.certificate.certFileSecretKey and k8s.ingress.certificate.privateKeySecretKey must be present.
Must be at most 253 characters long
Deploy IRC Bridges to talk to IRC users and channels from Element.
No Additional Items
Deploy an IRC Bridge to talk to IRC users and channels on a specific server from Element.
List of admins of this bridge
No Additional Items
A MXID allowed to admin this bridge
IRC-Side configuration of the bridge
Arbitrary extra config to inject into the IRCBridge server configuration as a YAML string
The address of the IRC server
The irc bot password secret key
The irc bridge key file
Logging settings
The maximum level of log output
Matrix-Side configuration of the bridge
Arbitrary extra config to inject into the IRCBridge bridge configuration as a YAML string
The bridge aliases prefix for the aliases mirrored from the irc server
Drop Matrix messages which are older than this number of seconds, according to the event's origin_server_ts. If the bridge is down for a while, the homeserver will attempt to send all missed events on reconnection. These events may be hours old, which can be confusing to IRC users if they are then bridged. This option allows these old messages to be dropped. CAUTION - This is a very coarse heuristic. Federated homeservers may have different clock times and hence produce different origin_server_ts values, which may be old enough to cause all events from that homeserver to be dropped. Default - 0 (don't ever drop)
Whether presence should be enabled for Matrix clients on this bridge. If disabled on the homeserver then it should also be disabled here to avoid excess traffic.
The provisioning api parameters
The number of seconds to wait before giving up on getting a response from an IRC channel operator. If the channel operator does not respond within the allotted time period, the provisioning request will fail.
Maximum number of monthly active users, beyond which the bridge gets blocked (both ways)
Number of channels allowed to be bridged
When provisioning a room, disallow rooms that match these criteria
These users will deny a room from being bridged.
No Additional Items
A MXID
These users never conflict, even if matching
No Additional Items
A MXID
The settings for counting users as active
Time before users are considered inactive again
The "grace period" before we start counting users as active
The bridge users prefix for the users mirrored from the irc server
Configuration of the PostgreSQL database
PostgreSQL database name
PostgreSQL database host
The PostgreSQL password
PostgreSQL port
Value must be greater than or equal to 0 and less than or equal to 65535
TLS settings to use for the PostgreSQL connection
PostgreSQL username
The secret key containing the IRC bridge signing key. It can be generated using openssl: openssl rand -hex 64
TLS Verification
Settings dedicated to k8s
The annotations to add to every workload and ingress deployed
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Settings dedicated to IRC Ident listener
The service port
The port on which the service will be accessible
Kubernetes service port type
Settings dedicated to monitoring
Service monitor settings
Enable or disable monitoring using ServiceMonitor resources
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of host aliases to configure on the pod spec. It is advised to use a DNS entry to resolve your hostnames instead of this feature. This feature can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable pod runAsUser, runAsGroup and fsGroup in the security context. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is the SELinux level label that applies to all the workload containers.
Role is the SELinux role label that applies to all the workload containers.
Type is the SELinux type label that applies to all the workload containers.
User is the SELinux user label that applies to all the workload containers.
Enable the RuntimeDefault pod seccomp profile. Disable if it should not be used, in the case of OpenShift for example. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
The secret data associated with the IRCBridge config
Must be at most 253 characters long
Deprecated. Jitsi is a VOIP conferencing system. Jitsi is being replaced by Element Call. If you wish to use Element Call you must remove Jitsi from your deployment.
The name of the application
Additional config to inject in helm values
Configure Jitsi's JVB networking. The JVB is the component which will forward WebRTC streams to call participants.
Whether or not to enable P2P.
Whether or not to use host mode networking.
Manually enter IP to advertise to clients.
How Jitsi chooses its public IP to advertise
The STUN servers that allow JVBs to find their public IP address. This should be used if your NAT gateway does not support hairpinning. If the list is empty, it will rely on the internal Coturn deployed with ElementDeployment if it is available.
No Additional Items
A STUN server
Configure restrictions around whether Jitsi is restricted to Matrix widgets only and not directly usable
The key in the k8s secret containing the admin access token for Jitsi's User Verification Service
The URL of the external homeserver to use for authentication
Whether power levels (moderator/admin) in Matrix rooms are synchronised to the privileges the user has in the corresponding Jitsi widget
TLS Verification
Whether or not to force sysctl values on the node using a sysctl daemonset
The timezone of the application
TLS Verification
Settings dedicated to k8s
The annotations to add to every workload and ingress deployed
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of host aliases to configure on the pod spec. It is advised to use a DNS entry to resolve your hostnames instead of this feature. This feature can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable pod runAsUser, runAsGroup and fsGroup in the security context. Disable it if it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is the SELinux level label that applies to all the workload containers.
Role is the SELinux role label that applies to all the workload containers.
Type is the SELinux type label that applies to all the workload containers.
User is the SELinux user label that applies to all the workload containers.
Enable the RuntimeDefault pod seccomp profile. Disable it if it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
Settings dedicated to k8s ingresses
Defines the annotations to add
Each additional property must conform to the following schema
Type: string
Fully qualified domain name of the ingress
An optional IngressClass name to be used for this ingress. Optional if you are managing ingress / loadbalancer externally.
Default service type
certmanager
certfile
existing
external
Certificate file
Jitsi Certificate
Jitsi Private Key
The cert-manager properties, if enabled
The name of cert-manager ClusterIssuer to use
The TLS mode of this component's ingress. Use external if TLS is managed externally to the cluster, certmanager if you want cert-manager to issue the certificate automatically, or certfile if you want to upload certificate files to Kubernetes TLS secrets manually.
The name of a secret in the cluster that contains TLS certificates
Must be at most 253 characters long
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of hosts aliases to configure on the pod spec. It is advised to instead use a DNS entry to resolve your hostnames, instead of this feature. This feature can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable pod runAsUser, runAsGroup and fsGroup in the security context. Disable it if it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is the SELinux level label that applies to all the workload containers.
Role is the SELinux role label that applies to all the workload containers.
Type is the SELinux type label that applies to all the workload containers.
User is the SELinux user label that applies to all the workload containers.
Enable the RuntimeDefault pod seccomp profile. Disable it if it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
Settings dedicated to monitoring
Service monitor settings
Enable or disable monitoring using ServiceMonitor resources
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of hosts aliases to configure on the pod spec. It is advised to instead use a DNS entry to resolve your hostnames, instead of this feature. This feature can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
The number of JVBs per shard
Value must be greater than or equal to 1
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable pod runAsUser, runAsGroup and fsGroup in the security context. Disable it if it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is the SELinux level label that applies to all the workload containers.
Role is the SELinux role label that applies to all the workload containers.
Type is the SELinux type label that applies to all the workload containers.
User is the SELinux user label that applies to all the workload containers.
Enable the RuntimeDefault pod seccomp profile. Disable it if it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
Settings dedicated to monitoring
Service monitor settings
Enable or disable monitoring using ServiceMonitor resources
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of hosts aliases to configure on the pod spec. It is advised to instead use a DNS entry to resolve your hostnames, instead of this feature. This feature can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable pod runAsUser, runAsGroup and fsGroup in the security context. Disable it if it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is the SELinux level label that applies to all the workload containers.
Role is the SELinux role label that applies to all the workload containers.
Type is the SELinux type label that applies to all the workload containers.
User is the SELinux user label that applies to all the workload containers.
Enable the RuntimeDefault pod seccomp profile. Disable it if it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of hosts aliases to configure on the pod spec. It is advised to instead use a DNS entry to resolve your hostnames, instead of this feature. This feature can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable pod runAsUser, runAsGroup and fsGroup in the security context. Disable it if it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is the SELinux level label that applies to all the workload containers.
Role is the SELinux role label that applies to all the workload containers.
Type is the SELinux type label that applies to all the workload containers.
User is the SELinux user label that applies to all the workload containers.
Enable the RuntimeDefault pod seccomp profile. Disable it if it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of hosts aliases to configure on the pod spec. It is advised to instead use a DNS entry to resolve your hostnames, instead of this feature. This feature can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
The number of User Verification Service replicas in total
Value must be greater than or equal to 1
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable pod runAsUser, runAsGroup and fsGroup in the security context. Disable it if it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is the SELinux level label that applies to all the workload containers.
Role is the SELinux role label that applies to all the workload containers.
Type is the SELinux type label that applies to all the workload containers.
User is the SELinux user label that applies to all the workload containers.
Enable the RuntimeDefault pod seccomp profile. Disable it if it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of hosts aliases to configure on the pod spec. It is advised to instead use a DNS entry to resolve your hostnames, instead of this feature. This feature can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
The number of Jitsi Web replicas per shard
Value must be greater than or equal to 1
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable pod runAsUser, runAsGroup and fsGroup in the security context. Disable it if it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is the SELinux level label that applies to all the workload containers.
Role is the SELinux role label that applies to all the workload containers.
Type is the SELinux type label that applies to all the workload containers.
User is the SELinux user label that applies to all the workload containers.
Enable the RuntimeDefault pod seccomp profile. Disable it if it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
The secret data associated to Jitsi config
Must be at most 253 characters long
This is a Matrix Authentication Service, which manages all user account settings. Your upstream OIDC providers (as configured under Synapse) must allow /upstream/callback/ on the Matrix Authentication Service domain as a valid redirect URI.
Deprecated, ignored. Admin users should be managed through the Admin UI
No Additional Items
The Matrix ID of an admin user
How the Matrix Authentication Service will send emails. This is currently only required if you need to allow users to register, recover their password, or configure and verify additional email addresses on their account.
Email sender
Hostname of the email server
The key in the k8s secret containing the email password for the Matrix Authentication Service
Port to connect on the email server
Address for any replies to go to. Will default to the email sender if not provided
How the TLS connection to the email server is set up: TLS for wrapper mode, STARTTLS for upgrading after initiating a plain-text connection, or Plain for plain text only
Username to use for auth on the email server
The key of the Kubernetes secret containing the encryption secret
Matrix Authentication Service Logging settings
The maximum level of Matrix Authentication Service log output
Optional Sentry DSN
Configuration of the PostgreSQL database
PostgreSQL database name
PostgreSQL database host
The PostgreSQL password
PostgreSQL port
Value must be greater than or equal to 0 and less than or equal to 65535
TLS settings to use for the PostgreSQL connection
PostgreSQL username
The private keys used for signing. Only the RSA private key is required.
The key in the Kubernetes secret containing the ECDSA prime256v1 curve private key
The key in the Kubernetes secret containing the ECDSA secp256k1 curve private key
The key in the Kubernetes secret containing the ECDSA secp384r1 curve private key
The key in the Kubernetes secret containing the RSA private key
You can override Kubernetes configuration for each component of the Matrix Authentication Service
Settings dedicated to k8s
The annotations to add to every workload and ingress deployed
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Settings dedicated to monitoring
Service monitor settings
Enable or disable monitoring using ServiceMonitor resources
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of hosts aliases to configure on the pod spec. It is advised to instead use a DNS entry to resolve your hostnames, instead of this feature. This feature can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable pod runAsUser, runAsGroup and fsGroup in the security context. Disable it if it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is the SELinux level label that applies to all the workload containers.
Role is the SELinux role label that applies to all the workload containers.
Type is the SELinux type label that applies to all the workload containers.
User is the SELinux user label that applies to all the workload containers.
Enable the RuntimeDefault pod seccomp profile. Disable it if it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
Settings dedicated to k8s ingresses
Defines the annotations to add
Each additional property must conform to the following schema
Type: string
Fully qualified domain name of the ingress
An optional IngressClass name to be used for this ingress. Optional if you are managing ingress / loadbalancer externally.
Default service type
certmanager
certfile
existing
external
Certificate file
Matrix Authentication Service Certificate
Matrix Authentication Service Private Key
The cert-manager properties, if enabled
The name of cert-manager ClusterIssuer to use
The TLS mode of this component's ingress. Use external if TLS is managed externally to the cluster, certmanager if you want cert-manager to issue the certificate automatically, or certfile if you want to upload certificate files to Kubernetes TLS secrets manually.
The name of a secret in the cluster that contains TLS certificates
Must be at most 253 characters long
Settings dedicated to monitoring
Service monitor settings
Enable or disable monitoring using ServiceMonitor resources
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of hosts aliases to configure on the pod spec. It is advised to instead use a DNS entry to resolve your hostnames, instead of this feature. This feature can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
The number of Matrix Authentication Service replicas
Value must be greater than or equal to 1
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable pod runAsUser, runAsGroup and fsGroup in the security context. Disable it if it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is SELinux level label that applies to all the workload containers.
Role is the SELinux role label that applies to all the workload containers.
Type is the SELinux type label that applies to all the workload containers.
User is the SELinux user label that applies to all the workload containers.
Enable the RuntimeDefault pod seccomp profile. Disable it if it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
The secret data associated to the Matrix Authentication Service config.
Must be at most 253 characters long
A web service for scanning media hosted on a Matrix media repository.
Whether the normal Matrix media endpoints should be blocked, to force all media requests to be scanned
Configures caching of scan results.
Maximum number of results that can be stored in the cache. If more files are scanned before existing items reach their TTL, the least-recently accessed will be evicted.
The maximum cacheable file size. If a file is bigger than this size, a copy of it will not be cached even if the scan succeeds. If the file is requested again, it is downloaded again from the homeserver, but is not written to disk or scanned.
The maximum amount of time an entry will stay in the cache before being evicted.
Scanning configuration
List of allowed MIME types. If a file has a MIME type that is not in this list, its scan is considered failed. All MIME types are allowed by default.
No Additional Items
A MIME type.
ICAP server connection to configure
internal
external
The ICAP Host address
Deploy the internal ICAP AntiVirus based on ClamAV or connect to your own antivirus providing an ICAP endpoint.
The ICAP host port
Enter a custom script
A script to scan for viruses.
List of exit codes from the scanning script that shouldn't cause the result of the scan to be cached for future requests.
No Additional Items
An exit code
Use the provided script
A word to grep for in the ICAP response to determine whether a detection happened
The ICAP service name
Settings dedicated to k8s storage
The persistent volume claim name to use to store the media
The volume size to use to store the media
The storage class name to use
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of hosts aliases to configure on the pod spec. It is advised to instead use a DNS entry to resolve your hostnames, instead of this feature. This feature can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
The number of ClamAV replicas. Can only be 1 for now
Value must be greater than or equal to 1 and less than or equal to 1
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable pod runAsUser, runAsGroup and fsGroup in the security context. Disable it if it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is SELinux level label that applies to all the workload containers.
Role is the SELinux role label that applies to all the workload containers.
Type is the SELinux type label that applies to all the workload containers.
User is the SELinux user label that applies to all the workload containers.
Enable the RuntimeDefault pod seccomp profile. Disable it if it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
Settings dedicated to k8s
The annotations to add to every workload and ingress deployed
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Settings dedicated to k8s workloads
Docker secret to use for ems image store
The docker registry url for this secret
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable pod runAsUser, runAsGroup and fsGroup in the security context. Disable it if it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is SELinux level label that applies to all the workload containers.
Role is the SELinux role label that applies to all the workload containers.
Type is the SELinux type label that applies to all the workload containers.
User is the SELinux user label that applies to all the workload containers.
Enable the RuntimeDefault pod seccomp profile. Disable it if it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
Settings dedicated to k8s storage as a PVC Template
A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed.
An empty label selector matches all objects. A null label selector matches no objects.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
No Additional Items
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
key is the label key that the selector applies to.
operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty.
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
Each additional property must conform to the following schema
Type: string
The volume size to use to store the media
The storage class name to use
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of hosts aliases to configure on the pod spec. It is advised to instead use a DNS entry to resolve your hostnames, instead of this feature. This feature can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
The number of Matrix Content Scanner replicas
Value must be greater than or equal to 1
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable pod runAsUser, runAsGroup and fsGroup in the security context. Disable it if it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is SELinux level label that applies to all the workload containers.
Role is the SELinux role label that applies to all the workload containers.
Type is the SELinux type label that applies to all the workload containers.
User is the SELinux user label that applies to all the workload containers.
Enable the RuntimeDefault pod seccomp profile. Disable it if it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
The secret data associated to MatrixContentScanner config
Must be at most 253 characters long
A configurable traffic gateway between security domains. Filter and modify Matrix traffic in real time as it flows between clients, your homeserver and other homeservers.
Additional config to inject
Checks that the SecureBorderGateway performs on incoming and outgoing traffic.
A list of HTTP headers and regular expression values that a client must include for a request to be accepted.
No Additional ItemsThe name of the header.
The value of the header as a regular expression.
Secure Border Gateway Logging settings
The maximum level of Secure Border Gateway log output
Optional Sentry DSN
Enable the management of Synapse Federation Allow List through the Admin Console. Enabling this takes over any list configured under Synapse -> Federation -> Allow List. Please make sure that the Federation configured in the Admin Console is consistent with the list configured under Federation -> Allow List, or your allowed hosts could become blocked after enabling this.
Settings dedicated to k8s
The annotations to add to every workload and ingress deployed
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Settings dedicated to monitoring
Service monitor settings
Enable or disable monitoring using ServiceMonitor resources
Settings dedicated to k8s workloads
Additional containers string to inject in the SBG StatefulSet
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of hosts aliases to configure on the pod spec. It is advised to instead use a DNS entry to resolve your hostnames, instead of this feature. This feature can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable pod runAsUser, runAsGroup and fsGroup in the security context. Disable it if it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is SELinux level label that applies to all the workload containers.
Role is the SELinux role label that applies to all the workload containers.
Type is the SELinux type label that applies to all the workload containers.
User is the SELinux user label that applies to all the workload containers.
Enable the RuntimeDefault pod seccomp profile. Disable it if it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
The secret data associated to SecureBorderGateway config
Must be at most 253 characters long
Deploy a SIP Bridge to be able to call SIP Numbers from Element.
The key of the k8s secret containing sip bridge encryption key
Bridge logging level
Bridge logging level
Matrix configuration of the bridge
Configuration of the PostgreSQL database
PostgreSQL database name
PostgreSQL database host
The PostgreSQL password
PostgreSQL port
Value must be greater than or equal to 0 and less than or equal to 65535
TLS settings to use for the PostgreSQL connection
PostgreSQL username
SIP-side configuration of the bridge
Timeout in seconds for SIP Candidates gathering
Host (and optionally port) of the SIP proxy to use. If absent or set to an empty string, no proxy will be used. If no port is provided, port 5060 (default for SIP) will be used. Must not include the protocol scheme.
The SIPBridge PSTN Gateway
Configuration related to outgoing SIP REGISTER requests.
Timeout for REGISTER requests, in seconds. If absent or set to 0, registrations will not expire. Only used if proxy is set.
Configuration related to outgoing SIP SUBSCRIBE requests.
Events to subscribe to. Only supported events are allowed.
Must contain at least 1 item
Supported events
Timeout for SUBSCRIBE requests, in seconds. If absent or set to 0, subscriptions will not expire. Only used if proxy is set.
An optional user agent string that the bridge will use for outbound SIP connections. If this option is not set, some default value will be used instead. The version of the bridge will be appended to this string. Does not affect HTTP connections to Matrix homeservers.
The avatar SIP users will have, provided in the form of an MXC URL. MXC URLs can be obtained by uploading media to a Matrix homeserver. Example: "mxc://matrix.org/KJSfYJTISAOQkQzVlTIIlTGz"
TLS Verification
Settings dedicated to k8s
The annotations to add to every workload and ingress deployed
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Settings dedicated to non-proxied SIP listeners
Fully qualified domain name of the bridge's SIP domain
The service port
If enabled, open a TCP SIP listener on the same port in addition to the UDP listener, and also use TCP to send any requests too large to fit in a single UDP packet.
The port on which the service will be accessible
Kubernetes service port type
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of hosts aliases to configure on the pod spec. It is advised to instead use a DNS entry to resolve your hostnames, instead of this feature. This feature can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable pod runAsUser, runAsGroup and fsGroup in the security context. Disable it if it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is SELinux level label that applies to all the workload containers.
Role is the SELinux role label that applies to all the workload containers.
Type is the SELinux type label that applies to all the workload containers.
User is the SELinux user label that applies to all the workload containers.
Enable the RuntimeDefault pod seccomp profile. Disable it if it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
The secret data associated to SipBridge config
Must be at most 253 characters long
Deploys a bridge to reach Skype for Business users over Matrix.
The bridge configuration parameters
The details of the appservice bot
The avatar the appservice bot will have, provided in the form of an MXC URL. MXC URLs can be obtained by uploading media to a Matrix homeserver. Example: "mxc://matrix.org/KJSfYJTISAOQkQzVlTIIlTGz"
The display name of the appservice bot. Set to "remove" to use an empty display name.
The username of the appservice bot
The bridge portal room alias prefix
An optional user agent string that the bridge will use for outbound SIP connections. If this option is not set, "matrix-s4b-bridge" will be used instead. The version of the bridge will be appended to this string. Does not affect HTTP connections to Matrix homeservers.
The avatar Skype for Business users will have, provided in the form of an MXC URL. MXC URLs can be obtained by uploading media to a Matrix homeserver. Example: "mxc://matrix.org/KJSfYJTISAOQkQzVlTIIlTGz"
The bridge users prefix
Logging settings
Bridge logging level
Settings dedicated to k8s
The annotations to add to every workload and ingress deployed
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Settings dedicated to non-proxied SIP listeners
Fully qualified domain name of the bridge's SIP domain
The service port
The port on which the service will be accessible
Kubernetes service port type
The service port
The port on which the service will be accessible
Kubernetes service port type
certfile
existing
Certificate file
The TLS certificate file for the bridge's SIP domain
The TLS private key file for the bridge's SIP domain
The TLS mode of the service.
The name of a secret in the cluster that contains TLS certificates
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of hosts aliases to configure on the pod spec. It is advised to instead use a DNS entry to resolve your hostnames, instead of this feature. This feature can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable pod runAsUser, runAsGroup and fsGroup in the security context. Disable it if it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is SELinux level label that applies to all the workload containers.
Role is the SELinux role label that applies to all the workload containers.
Type is the SELinux type label that applies to all the workload containers.
User is the SELinux user label that applies to all the workload containers.
Enable the RuntimeDefault pod seccomp profile. Disable it if it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
The secret data associated to the skypeForBusinessBridge config. If exposedServices.sips is using the certfile TLS mode, keys matching k8s.exposedServices.sips.tls.certificate.certFileSecretKey and k8s.exposedServices.sips.tls.certificate.privateKeySecretKey must be present.
Must be at most 253 characters long
This is a Matrix Identity Server.
A list of brands to create in Sydent. At least one is required.
Must contain a minimum of 1 item
A brand to create in Sydent
The Jinja email template to be used for invitations
The Jinja email template to be used for migrations. Deprecated, not used.
The brand name that templates can be reached at. It must be unique and must start and end with lower-case letters or numbers; it may contain lower-case letters, numbers or dashes in between.
The Jinja email template to be used for email verifications
The HTML template to be used when email verifications are completed.
How Sydent will send emails
Email sender
Hostname of the email server
Email subject to use for inviting people to rooms
Email subject to use for inviting people to spaces
The number of characters in the domain part of the email address to reduce to when storing in the room state
The number of characters in the user part of the email address to reduce to when storing in the room state
The key in the k8s secret containing the email password for Sydent
Port to connect on the email server
How the TLS connection to the email server is set up: TLS for wrapper mode, STARTTLS for upgrading after initiating a plain-text connection, or Plain for plain text only
Username to use for auth on the email server
Which homeservers (if any) to restrict this Sydent to
self
unrestricted
specific
Which additional Synapse Homeservers are allowed to access this Sydent. The Synapse deployed by this Element Server Suite is always allowed access
No Additional Items
A Synapse Homeserver (identified by its server name) that is allowed to access this Sydent.
Which Synapse Homeservers (if any) to restrict this Sydent to. Use self if only the Synapse in this deployment should be able to use it. Use specific for private federation where the homeservers are reachable on the internet. Use unrestricted for public federation on the internet or for private federation on a trusted network.
Sydent logging configuration
What level of logging to run Sydent at
Optional Sentry DSN
The key of the k8s secret containing Sydent signing key
Any terms and conditions that must be agreed to before using this Sydent deploy
Name of the document, must start and end with lower-case letters, but can contain lower-case letters or underscores in between.
Each additional property must conform to the following schema
Type: object
Details of a given Terms and Conditions document
The languages this document is available in. Must be exactly 2 lower-case letters.
Each additional property must conform to the following schema
Type: object
Details of a given Terms and Conditions document in a given language
The name of the document to present in the UI
The URL the document can be found at
The version of this document
The version of the Terms and Conditions as a whole
How long validation tokens should be. Must be at least 6.
Value must be greater than or equal to 6
TLS Verification
You can override Kubernetes configuration for each component of Sydent
Settings dedicated to k8s
The annotations to add to every workloads and ingresses deployed
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Settings dedicated to k8s ingresses
Defines the annotations to add
Each additional property must conform to the following schema
Type: string
Fully qualified domain name of the ingress
An optional IngressClass name to be used for this ingress. Optional if you are managing ingress / loadbalancer externally.
Default service type
certmanager
certfile
existing
external
Certificate file
Sydent Certificate
Sydent Private Key
The cert-manager properties, if enabled
The name of cert-manager ClusterIssuer to use
The TLS mode of this component ingress. Use external if TLS is managed externally to the cluster, certmanager if you want cert-manager to issue the certificate automatically, or certfile if you want to upload certificate files to Kubernetes TLS secrets manually.
The name of a secret in the cluster that contains TLS certificates
Must be at most 253 characters long
Settings dedicated to monitoring
Service monitor settings
Enable or disable monitoring using ServiceMonitor resources
Settings dedicated to k8s storage
The persistent volume claim name to use to store the media
The volume size to use to store the media
The storage class name to use
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of hosts aliases to configure on the pod spec. It is advised to instead use a DNS entry to resolve your hostnames, instead of this feature. This feature can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable pod runAsUser, runAsGroup and fsGroup in the security context. Disable this where it must not be used, on OpenShift for example. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is the SELinux level label that applies to all the workload containers.
Role is the SELinux role label that applies to all the workload containers.
Type is the SELinux type label that applies to all the workload containers.
User is the SELinux user label that applies to all the workload containers.
Enable the RuntimeDefault pod seccomp profile. Disable this where it must not be used, on OpenShift for example. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
The secret data associated to the Sydent config. A key matching config.signingKeySecretKey must be present. A key matching config.emailPasswordSecretKey can optionally be present if the email server requires auth. If the ingress TLS mode is certfile, keys matching k8s.ingress.certificate.certFileSecretKey and k8s.ingress.certificate.privateKeySecretKey must be present.
Must be at most 253 characters long
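The Sydent constraints above (brand names, terms-and-conditions document and language keys, token length, the 253-character limit on the secret name and the keys the Secret must carry) are cheap to check before a deploy rather than discovering them at rollout. The validator below is an added example, not code from the chart or from Element. It uses the key paths the schema text quotes (config.signingKeySecretKey, config.emailPasswordSecretKey, k8s.ingress.certificate.certFileSecretKey, k8s.ingress.certificate.privateKeySecretKey) as given; config.brands[].name, config.termsAndConditions, config.tokenLength and k8s.ingress.tlsMode are assumed names for fields the schema describes without naming, and both values fragments are constructed.

```python
import re

# Constraints stated in the Sydent section of the schema.
BRAND_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")   # start/end [a-z0-9], dashes in between
TERMS_DOC_RE = re.compile(r"^[a-z]([a-z_]*[a-z])?$")        # start/end [a-z], underscores in between
LANG_RE = re.compile(r"^[a-z]{2}$")                          # exactly two lower-case letters
MIN_TOKEN_LENGTH = 6
MAX_SECRET_NAME = 253


def _get(obj, *path, default=None):
    """Walk nested dicts; return default when any key is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def validate_sydent(values, secret_name, secret_data):
    """Return a list of problems (an empty list means the fragment is consistent).

    values:      the sydent values fragment (key names as in the lead-in; assumed where the schema names none)
    secret_name: name of the k8s Secret the fragment references
    secret_data: the Secret's data, key -> value
    """
    problems = []
    cfg = values.get("config", {})

    brands = cfg.get("brands", [])
    if not brands:
        problems.append("config.brands: at least one brand is required")
    seen = set()
    for brand in brands:
        name = brand.get("name", "")
        if not BRAND_RE.match(name):
            problems.append(f"brand {name!r}: must start and end with [a-z0-9]; dashes only in between")
        if name in seen:
            problems.append(f"brand {name!r}: brand names must be unique")
        seen.add(name)

    for doc, details in cfg.get("termsAndConditions", {}).items():
        if not TERMS_DOC_RE.match(doc):
            problems.append(f"terms document {doc!r}: must start and end with [a-z]; underscores only in between")
        for lang in details.get("languages", {}):
            if not LANG_RE.match(lang):
                problems.append(f"terms document {doc!r}: language {lang!r} must be exactly 2 lower-case letters")

    if cfg.get("tokenLength", MIN_TOKEN_LENGTH) < MIN_TOKEN_LENGTH:
        problems.append("config.tokenLength: must be at least 6")

    if len(secret_name) > MAX_SECRET_NAME:
        problems.append(f"secret name: {len(secret_name)} characters, maximum is {MAX_SECRET_NAME}")

    # Keys the Secret must carry, per the secret description above.
    required = [cfg.get("signingKeySecretKey", "signing.key")]
    if cfg.get("emailPasswordSecretKey"):
        required.append(cfg["emailPasswordSecretKey"])
    if _get(values, "k8s", "ingress", "tlsMode") == "certfile":
        cert = _get(values, "k8s", "ingress", "certificate", default={})
        required += [cert.get("certFileSecretKey", "tls.crt"), cert.get("privateKeySecretKey", "tls.key")]
    for key in required:
        if key not in secret_data:
            problems.append(f"secret {secret_name!r}: missing key {key!r}")
    return problems


# Constructed fragments for demonstration.
GOOD_VALUES = {
    "config": {
        "brands": [{"name": "acme-corp"}],
        "termsAndConditions": {"privacy_policy": {"languages": {"en": {}, "fr": {}}}},
        "tokenLength": 6,
        "signingKeySecretKey": "signing.key",
        "emailPasswordSecretKey": "smtp.password",
    },
    "k8s": {"ingress": {"tlsMode": "certfile",
                        "certificate": {"certFileSecretKey": "tls.crt", "privateKeySecretKey": "tls.key"}}},
}
GOOD_SECRET = {"signing.key": "ed25519 ...", "smtp.password": "...", "tls.crt": "...", "tls.key": "..."}

BAD_VALUES = {
    "config": {
        "brands": [{"name": "-acme"}, {"name": "acme"}, {"name": "acme"}],
        "termsAndConditions": {"Privacy": {"languages": {"eng": {}}}},
        "tokenLength": 4,
        "signingKeySecretKey": "signing.key",
    },
    "k8s": {"ingress": {"tlsMode": "certfile",
                        "certificate": {"certFileSecretKey": "tls.crt", "privateKeySecretKey": "tls.key"}}},
}
BAD_SECRET = {"tls.crt": "..."}   # signing key and TLS private key forgotten

if __name__ == "__main__":
    for problem in validate_sydent(BAD_VALUES, "sydent-secrets", BAD_SECRET):
        print(problem)
```

Running it on the constructed bad fragment reports seven problems, including the two missing Secret keys; the good fragment reports none.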
This is a Matrix Push Server. This is useful if you have your own iOS/Android apps or other web applications that use web push. If you are using the Element iOS & Android apps please speak to your account manager as they use the MatrixPush Server provided by Element by default.
The apps which link to remote Push providers. The key is the name of the app as per the app_id in the registered pusher
Each additional property must conform to the following schema
Details of an app which link to a remote Push provider.
Details of the Apple Push Notification Service linked app
The key identifier in APNS
Which APNS platform to use
What value of the 'apns-push-type' header is sent to APNS. Not sent if not provided
The team identifier in APNS
The topic parameter for the push. This is commonly the Bundle Identifier for your iOS application
Details of the Google Cloud Messaging linked app
How many connections to keep open to GCM
How many pending requests each Sygnal instance will accept
Details of the Web Push app
The endpoints that the web push is allowed to be sent to
Must contain a minimum of 1 item
A single endpoint that the web push can be sent to. * can be used as a wildcard
Your contact email address in Vapid
How many connections to keep open to the web push provider
The time to live in seconds of the web push
HTTP Forward Proxy configuration
Proxy server to use for HTTPS requests
Sygnal Logging settings
Logging level overrides for specific Sygnal loggers
Each additional property must conform to the following schema
Type: enum (of string)
The maximum level of Sygnal log output for this specific logger
The maximum level of Sygnal log output before any overrides
Optional Sentry DSN
You can override Kubernetes configuration for each component of Sygnal
Settings dedicated to k8s
The annotations to add to every workloads and ingresses deployed
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Settings dedicated to k8s ingresses
Defines the annotations to add
Each additional property must conform to the following schema
Type: string
Fully qualified domain name of the ingress
An optional IngressClass name to be used for this ingress. Optional if you are managing ingress / loadbalancer externally.
Default service type
certmanager
certfile
existing
external
Certificate file
Sygnal Certificate
Sygnal Private Key
The cert-manager properties, if enabled
The name of cert-manager ClusterIssuer to use
The TLS mode of this component ingress. Use external if TLS is managed externally to the cluster, certmanager if you want cert-manager to issue the certificate automatically, or certfile if you want to upload certificate files to Kubernetes TLS secrets manually.
The name of a secret in the cluster that contains TLS certificates
Must be at most 253 characters long
Settings dedicated to monitoring
Service monitor settings
Enable or disable monitoring using ServiceMonitor resources
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of hosts aliases to configure on the pod spec. It is advised to instead use a DNS entry to resolve your hostnames, instead of this feature. This feature can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
The number of Sygnal replicas
Value must be greater than or equal to 1
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable pod runAsUser, runAsGroup and fsGroup in the security context. Disable this where it must not be used, on OpenShift for example. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is the SELinux level label that applies to all the workload containers.
Role is the SELinux role label that applies to all the workload containers.
Type is the SELinux type label that applies to all the workload containers.
User is the SELinux user label that applies to all the workload containers.
Enable the RuntimeDefault pod seccomp profile. Disable this where it must not be used, on OpenShift for example. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
The secret data associated to the Sygnal config. For each app, the key referenced by that app's apnsP8KeySecretKey, apnsCertificateAndKeySecretKey, gcmApiKeySecretKey or vapidPrivateKeySecretKey must be present.
Must be at most 253 characters long
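Two things in the Sygnal section are easy to get wrong and only surface when the first push is sent: a per-app secret key that the Secret does not actually contain, and a web push endpoint allow-list in which a '*' is allowed to match across the host/path boundary, so that a pattern like https://*.example.com/* also accepts an endpoint on an attacker's host whose query string contains ".example.com/". The code below is an added example and is not Sygnal's or the chart's code. It uses the four secret key field names quoted above, assumes apps are keyed by app_id with an apns / gcm / webpush sub-object, and the allow-list semantics of endpoint_allowed_strict are this example's own, not a description of how Sygnal matches; all inputs are constructed.

```python
import re
from urllib.parse import urlsplit

# Secret key each kind of app needs, per the secret description above. For APNS
# either the .p8 key or the certificate-and-key bundle is referenced.
REQUIRED_SECRET_FIELDS = {
    "apns": ("apnsP8KeySecretKey", "apnsCertificateAndKeySecretKey"),
    "gcm": ("gcmApiKeySecretKey",),
    "webpush": ("vapidPrivateKeySecretKey",),
}


def missing_secret_keys(apps, secret_data):
    """Map app_id -> problems for apps whose referenced secret keys are absent."""
    missing = {}
    for app_id, app in apps.items():
        for kind, fields in REQUIRED_SECRET_FIELDS.items():
            if kind not in app:
                continue
            refs = [app[kind][f] for f in fields if f in app[kind]]
            if not refs:
                missing[app_id] = [f"{kind}: one of {'/'.join(fields)} must be set"]
                continue
            absent = [r for r in refs if r not in secret_data]
            if absent:
                missing[app_id] = absent
    return missing


def _glob_to_regex(glob, star):
    """Anchored regex for a '*' glob; `star` is the regex a '*' expands to."""
    return re.compile("^" + star.join(re.escape(part) for part in glob.split("*")) + "$")


def endpoint_allowed_naive(endpoint, patterns):
    """'*' matches anything, including '/', '.' and '?': the usual first attempt."""
    if not patterns:
        raise ValueError("allowed endpoints must contain at least one item")
    return any(_glob_to_regex(p, ".*").match(endpoint) for p in patterns)


def endpoint_allowed_strict(endpoint, patterns):
    """Match scheme, host and path separately. A '*' in the host part cannot cross
    a dot, so it stands in for at most one DNS label. Only https endpoints pass."""
    if not patterns:
        raise ValueError("allowed endpoints must contain at least one item")
    ep = urlsplit(endpoint)
    if ep.scheme != "https" or not ep.hostname:
        return False
    for pattern in patterns:
        pat = urlsplit(pattern)
        if pat.scheme != ep.scheme:
            continue
        if not _glob_to_regex(pat.netloc, "[^./]*").match(ep.netloc):
            continue
        if _glob_to_regex(pat.path or "/", ".*").match(ep.path or "/"):
            return True
    return False


# Constructed inputs for demonstration.
APPS = {
    "com.example.ios": {"apns": {"apnsP8KeySecretKey": "apns.p8"}},
    "com.example.android": {"gcm": {"gcmApiKeySecretKey": "gcm.key"}},
    "com.example.web": {"webpush": {"vapidPrivateKeySecretKey": "vapid.pem"}},
}
SECRET = {"apns.p8": "...", "vapid.pem": "..."}   # gcm.key forgotten

ALLOWED = ["https://updates.push.services.mozilla.com/*", "https://*.example.com/*"]
GOOD_ENDPOINT = "https://push.example.com/wpush/v2/abc"
EVIL_ENDPOINT = "https://evil.test/?x=.example.com/"   # host is evil.test; '.example.com/' is in the query

if __name__ == "__main__":
    print("missing keys:", missing_secret_keys(APPS, SECRET))
    print("evil endpoint, naive :", endpoint_allowed_naive(EVIL_ENDPOINT, ALLOWED))
    print("evil endpoint, strict:", endpoint_allowed_strict(EVIL_ENDPOINT, ALLOWED))
```

The naive matcher accepts EVIL_ENDPOINT because the greedy '*' swallows "evil.test/?x=" and the literal ".example.com/" is then found in the query string; the strict matcher rejects it because the host label regex is applied to the parsed netloc alone. Whatever Sygnal itself does, keep host wildcards to a single label and never allow-list a bare "https://*".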
This is a matrix homeserver.
Whether to enable auto accept invites. Defaults to manual if not set
Additional config to inject
The key of the k8s secret containing Synapse admin password
Automatically delete old data after a set time.
How long rooms should be kept on the server. Rooms which have not seen any activity since this time will be automatically deleted. Supports suffixes (s, m, h, d, w, y).
Delete media set days after it was last accessed.
Value must be greater than or equal to 1 and less than or equal to 3650
Delete messages set days after they were created.
Value must be greater than or equal to 1 and less than or equal to 3650
Provider to delegate authentication to
Deprecated. Enable localPasswordDatabase instead.
The list of ldap password providers
Must contain a minimum of 1 item
The ldap password provider
LDAP to Synapse attribute mapping
The ldap attribute mapped to synapse mail
The ldap attribute mapped to synapse name
The ldap attribute mapped to synapse uid
The LDAP Base search
The LDAP Bind DN
The LDAP bind password secret key
The LDAP Filter
The ldap URI, usually your domain controller
Allow authentication through local database
Allow users to change their passwords
Allow users to recover their account using the email recovery process. It requires an SMTP server configured in MAS.
Allow users to register against your Homeserver. It requires an SMTP server configured in MAS.
Matrix Authentication Service Password complexity level. We recommend Strong or above.
Synapse password policy. Only used if Synapse is used without MAS.
Value must be greater than or equal to 8
This setting is ignored when using Matrix Authentication Service, since registration with Matrix Authentication Service always requires verification. Set to false to allow users to register against Synapse without verification. If set to true, you must add the registration settings imposing the desired verifications to the additional YAML options of the Synapse integration.
The list of OIDC Providers
Must contain a minimum of 1 item
Whether to allow existing users or not. This option does nothing if Matrix Authentication Service is deployed.
Require some attributes and values to allow logging in to Synapse. If specified, every listed attribute must be present in the OIDC claims with the given value, or, if the claim is a list, the value must be one of its elements.
No Additional Items
The OIDC attribute to look up
The value to require to allow login
An optional flag to enable/disable backchannel logout support.
The client authentication method used when sending requests to the IDP.
The client identifier assigned by the IDP.
The client secret assigned by the IDP.
Deprecated. Configure discovery to the empty option {} instead.
Use OpenID Connect Discovery to discover the server configuration. The endpoint <openid issuer>/.well-known/openid-configuration needs to be reachable for automatic discovery to work.
URI where to fetch the JWKS. Required if discovery is disabled and the 'openid' scope is used.
Set to 'true' to skip metadata verification. Use this if you are connecting to a provider that is not OpenID Connect compliant. Defaults to false. Avoid this in production.
The token endpoint URL of the IDP. Required if provider discovery is disabled.
Use PKCE (RFC 7636) during the authorisation flow
The userinfo endpoint URL of the IDP. Required if discovery is disabled and the 'openid' scope is not requested.
An optional styling hint for clients.
Must be at least 1 and at most 250 characters long
The unique identifier for the Identity Provider (IDP).
Must be at least 1 and at most 250 characters long
The display name of the Identity Provider (IDP).
The URL of the IDP issuer.
Deprecated. Use discovery.jwksUri instead.
Deprecated. Use discoveryEndpoints.usePkce instead if you need to force a value.
A list of scopes requested during the authorization process.
Must contain a minimum of 1 item
Standard scopes include openid, profile, email.
Deprecated. Use discoveryEndpoints.skipVerification instead.
Deprecated. Use discovery.tokenEndpoint instead.
Each of these templates is a Jinja expression that maps properties of a user object to the given attribute of the user. The Jinja expressions should not use built-in Python functions, only Jinja built-in filters and syntax.
The template used to generate the user's display name in Matrix.
The template used to generate the user's email address in Matrix.
The template used to generate the local part of the user's Matrix ID.
Deprecated. This is not supported when running with workers nor with Matrix Authentication Service. The template used to generate the user's profile picture URL in Matrix.
The claim used to identify the subject of the ID token.
Deprecated. Use discovery.userinfoEndpoint instead.
Enable SAML login
Clock skew tolerance: how large a difference between this server's clock and the IdP's clock you are prepared to accept when validating SAML responses.
Map from SAML Name-format attribute to attributes
The identifier is the name-format you expect to support
A SAML mapping
No Additional Items
A SAML Name-format mapping
The SAML name-format to read
The attribute to convert the SAML name-format to
Require some attribute values to allow login to Synapse
No Additional Items
The SAML attribute to look up
The value to require to allow login
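The OIDC attribute requirements earlier in this section and the SAML ones here follow the same rule: every listed attribute must be present, and the required value must equal the attribute or, when the attribute is a list, be one of its elements. The function below is an added example implementing that rule for both; it is not Synapse's code. It assumes each requirement item is keyed `attribute` and `value`, and the claim sets are constructed. Note what it deliberately does not do: no substring match, no case folding and no string-to-bool coercion, so a comma-joined string "matrix-users,staff" does not satisfy the value "matrix-users".

```python
def unmet_requirements(claims, requirements):
    """Return the requirements (as given) that `claims` does not satisfy.

    claims:       dict of OIDC userinfo / ID-token claims, or SAML attributes
    requirements: list of {"attribute": ..., "value": ...} (key names assumed)
    A requirement holds when the attribute is present and equals the value, or
    the attribute is a list that contains the value. Comparison is exact (==):
    no substring match, case folding or type coercion.
    """
    unmet = []
    for req in requirements:
        attr, wanted = req["attribute"], req["value"]
        if attr not in claims:
            unmet.append(req)
            continue
        actual = claims[attr]
        if isinstance(actual, list):
            if wanted not in actual:
                unmet.append(req)
        elif actual != wanted:
            unmet.append(req)
    return unmet


def login_allowed(claims, requirements):
    """All requirements are ANDed; an empty requirement list allows everyone."""
    return not unmet_requirements(claims, requirements)


# Constructed inputs for demonstration.
REQUIREMENTS = [
    {"attribute": "groups", "value": "matrix-users"},
    {"attribute": "hd", "value": "example.com"},
]
OK_CLAIMS = {"sub": "u1", "groups": ["staff", "matrix-users"], "hd": "example.com"}
SAML_STYLE = {"groups": ["matrix-users"], "hd": ["example.com"]}       # SAML attribute values usually arrive as lists
JOINED_STRING = {"groups": "matrix-users,staff", "hd": "example.com"}  # a string, not a list: no substring match
MISSING_ATTR = {"groups": ["matrix-users"]}                            # 'hd' absent

if __name__ == "__main__":
    for label, claims in [("ok", OK_CLAIMS), ("saml", SAML_STYLE), ("joined", JOINED_STRING), ("missing", MISSING_ATTR)]:
        print(f"{label:8} allowed={login_allowed(claims, REQUIREMENTS)} unmet={unmet_requirements(claims, REQUIREMENTS)}")
```

Logging the unmet requirement (rather than a bare "denied") is what makes an IdP group-mapping mistake diagnosable without lowering the bar.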
SAML Certificates
Encryption Certificate for SAML requests
Signing certificate for SAML Requests.
Persons to contact in the metadata xml
No Additional Items
A person to contact
The contact type
Contact mail addresses
No Additional Items
Contact given name
Contact surname
How Synapse will expose itself as a SAML Entity
Your synapse deployment description
Your Synapse entity ID
Your synapse deployment name
Identity provider options
Specifies if the IdP should encrypt the assertions
Configure where the endpoints for the services provided are
No Additional Items
Specifies if the IdP should sign the assertion in an authentication response or not
Specifies if the IdP should sign the authentication response or not
Indicates that the AuthnRequest received by this IdP should be signed.
A list of metadata URLs
No Additional Items
Point this to the IdP's metadata.
Organization information in the metadata xml
No Additional Items
Organization display name
Organization display name localization
Organization name
Organization web page
Service provider options
Configure where the endpoints for the services provided are
No Additional Items
UI Attributes used to generate the SAML Metadata XML.
No Additional Items
Description to use in metadata xml
Display name to use in metadata xml
Information URL to use in metadata xml
A list of keywords to use in the metadata xml
No Additional Items
Localization country subcode (en, fr, ...)
Logo URL to display in SAML connection screens
Logo height to use in metadata xml
Logo height to use in metadata xml
Logo width to use in metadata xml
Privacy statement URL to use in metadata xml
Mapping between SAML attributes and MXIDs
Two modes of mapping: hexencode maps unpermitted characters to '=xx'; dotreplace replaces unpermitted characters with '.'
The SAML Source attribute used to generate MXIDs
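The two mapping modes differ in more than cosmetics: hexencode is reversible, while dotreplace is lossy, so two distinct values of the source attribute can land on the same MXID. If the IdP lets users influence that attribute (an email address, say), that collision is an account-squatting risk, and it is worth running the mapping over the IdP's user list before choosing dotreplace. The code below is an added example, not Synapse's implementation: the allowed localpart alphabet is the historical Matrix one (a-z, 0-9, _ - . / =), ASCII letters are lowercased first in both modes (an assumption the page does not state), hexencode works on UTF-8 bytes and also encodes '=' so the output stays decodable, dotreplace works per character, and the sample usernames are constructed.

```python
import string

# Historical Matrix localpart alphabet (assumption for this example).
ALLOWED = frozenset(string.ascii_lowercase + string.digits + "_-./=")


def hexencode(source):
    """Map each UTF-8 byte outside the alphabet, and '=' itself, to '=xx'.
    Encoding '=' keeps the mapping injective: the output can be decoded."""
    out = []
    for byte in source.lower().encode("utf-8"):
        ch = chr(byte)
        if ch in ALLOWED and ch != "=":
            out.append(ch)
        else:
            out.append("=%02x" % byte)
    return "".join(out)


def dotreplace(source):
    """Replace each character outside the alphabet with '.'.
    Lossy: many distinct inputs map to the same localpart."""
    return "".join(ch if ch in ALLOWED else "." for ch in source.lower())


MODES = {"hexencode": hexencode, "dotreplace": dotreplace}


def map_localpart(source, mode):
    try:
        return MODES[mode](source)
    except KeyError:
        raise ValueError(f"unknown mxid mapping mode {mode!r}") from None


def find_collisions(sources, mode):
    """Group source attribute values by mapped localpart; return only groups of size > 1."""
    by_localpart = {}
    for src in sources:
        by_localpart.setdefault(map_localpart(src, mode), []).append(src)
    return {lp: srcs for lp, srcs in by_localpart.items() if len(srcs) > 1}


# Constructed sample of SAML source attribute values.
USERS = [
    "alice@example.com",
    "alice.example.com",
    "alice example.com",
    "alice=example.com",
    "Bob Smith",
]

if __name__ == "__main__":
    for user in USERS:
        print(f"{user!r:22} hexencode={hexencode(user)!r:24} dotreplace={dotreplace(user)!r}")
    print("dotreplace collisions:", find_collisions(USERS, "dotreplace"))
    print("hexencode collisions: ", find_collisions(USERS, "hexencode"))
```

On the sample, dotreplace folds "alice@example.com", "alice.example.com" and "alice example.com" into one localpart, while hexencode keeps all five distinct ("alice=40example.com", "alice=20example.com", "alice=3dexample.com", ...).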
TLS Verification
User profiles permissions
Allow users to change their avatars themselves
Allow users to change their display names themselves
Allow users to change their emails themselves
External application services to configure
Array of ConfigMaps containing a registration.yaml to mount in synapse
No Additional Items
A configmap name
Map of appservice registration files to inject
Each additional property must conform to the following schema
Type: string
Content of an appservice registration file
Configuration related to federation
Servers allowed to federate with this Synapse
No Additional Items
A federated server name that is allowed to federate with this server. This is not necessarily the domain name the server is available at, it is the server name in Matrix IDs and where either SRV records are created or where the WellKnownDelegation is hosted.
List of keys in the secret, corresponding to CA certificates for Synapse to trust. This will replace Synapse's default CA trust store
No Additional Items
The key of the k8s secret containing a certificate authority to load into Synapse for federation requests
Servers providing trusted keys
No Additional Items
A trusted key server configuration
A federated server name. This is not necessarily the domain name the server is available at, it is the server name in Matrix IDs and where either SRV records are created or where the WellKnownDelegation is hosted.
Keys to verify. The public key should be the public key of that server's Synapse signing key.
Must contain a minimum of 1 item
A key to verify
A key id to verify
A public key to verify
HTTP Forward Proxy configuration
Proxy server to use for HTTP requests
Proxy server to use for HTTPS requests
List of hostnames, IP addresses or IP ranges (CIDR format) which should not use the HTTP/HTTPS proxy
No Additional Items
Hostname, IP address or IP range (CIDR format) which should not use the HTTP/HTTPS proxy
Identity Server configuration
True to auto-bind users to the Sydent in this deployment
Synapse Logging settings
Logging level overrides for specific Synapse loggers
Each additional property must conform to the following schema
Type: enum (of string)
The maximum level of Synapse log output for this specific logger
The maximum level of Synapse log output before any overrides
Optional Sentry DSN
The key of the k8s secret containing Synapse Macaroon
Maximum number of Monthly Active Users
The cap on the size of uploaded media. A size in bytes, or a number with an M or K suffix
Use a S3 compatible bucket to store Media long-term, only using the volume for short-term storage.
Explicit authentication using an access key and secret access key
The bucket name
Target a non AWS-S3 Endpoint URL
Control cleanup of the local storage and offloading to S3
How often the local media cleanup to S3 should run. Supports s, m, h or d suffixes
How long since last access should it be before locally cached media is removed and if needed offloaded to S3. Supports s, h, d suffixes
Prefix within the bucket to use for storing/fetching media
The S3 bucket region
The object storage class used when uploading files to the bucket.
The volume holding media
The volume name to use to store the media
The volume size to use to store the media
Configuration of the PostgreSQL database
Allow Synapse to use a database with a locale distinct from the recommended C locale. This is very dangerous; it is strongly recommended to stay on the default setting.
Configure Synapse connection pool
The maximum number of connections in the pool.
The minimum number of connections in the pool.
PostgreSQL database name
PostgreSQL database host
The PostgreSQL password
PostgreSQL port
Value must be greater than or equal to 0 and less than or equal to 65535
TLS settings to use for the PostgreSQL connection
PostgreSQL username
Deprecated. Use delegatedAuth.localPasswordDatabase instead.
Local Synapse security settings
Auto Configuration
- auto_all: Automatically enables encryption for all rooms created on the local server if all present integrations support it.
- auto_invite: Automatically enables encryption for private rooms and private messages if all present integrations support it.
Forced Configuration
- forced_all: Enforces encryption for all rooms created on the local server, regardless of the integrations supporting encryption.
- forced_invite: Enforces encryption for private rooms and private messages, regardless of the integrations supporting encryption.
- not_set: Does not enforce encryption, leaving the room encryption configuration choice to room admins.
Deprecated. Set Password Policy under delegatedAuth.localPasswordDatabase instead.
Value must be greater than or equal to 8
The key of the k8s secret containing Synapse signing key
TURN configuration
The TURN server(s) that Synapse can provide credentials for
Must contain a minimum of 1 item
A TURN server URI. Should contain a scheme (turn: or turns:), a hostname, optionally a port and optionally a transport parameter (?transport=udp or ?transport=tcp).
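A checker for the TURN URI format described above, added here as an example (not the chart's own validation). It accepts exactly what the description lists: a turn: or turns: scheme, a hostname or IP literal, an optional port and an optional ?transport=udp|tcp, and fills in the RFC 7065 default ports (3478 for turn, 5349 for turns) when the port is omitted. The sample URIs are constructed.

```python
import re

TURN_URI_RE = re.compile(
    r"^(?P<scheme>turns?):"                                                      # turn: or turns:
    r"(?P<host>\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)"   # [IPv6] or hostname / IPv4
    r"(?::(?P<port>[0-9]{1,5}))?"                                                # optional :port
    r"(?:\?transport=(?P<transport>udp|tcp))?$"                                  # optional ?transport=
)
DEFAULT_PORT = {"turn": 3478, "turns": 5349}   # RFC 7065


def parse_turn_uri(uri):
    """Return {'scheme', 'host', 'port', 'transport'} or raise ValueError."""
    m = TURN_URI_RE.match(uri)
    if not m:
        raise ValueError(f"not a TURN URI: {uri!r}")
    port = int(m.group("port")) if m.group("port") else DEFAULT_PORT[m.group("scheme")]
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in {uri!r}")
    return {
        "scheme": m.group("scheme"),
        "host": m.group("host").strip("[]"),
        "port": port,
        "transport": m.group("transport"),   # None when the parameter is omitted
    }


def validate_turn_uris(uris):
    """The list must contain at least one item and every item must parse."""
    if not uris:
        raise ValueError("turn uris: must contain a minimum of 1 item")
    return [parse_turn_uri(u) for u in uris]


def is_valid_turn_uri(uri):
    try:
        parse_turn_uri(uri)
        return True
    except ValueError:
        return False


# Constructed examples.
GOOD = [
    "turn:turn.example.com:3478?transport=udp",
    "turns:turn.example.com?transport=tcp",
    "turn:[2001:db8::1]:3478",
]
BAD = [
    "stun:turn.example.com",                 # wrong scheme
    "turn:turn.example.com:99999",           # port out of range
    "turns://turn.example.com",              # '//' is not part of the TURN URI grammar
    "turn:turn.example.com?transport=tls",   # only udp and tcp are permitted
]

if __name__ == "__main__":
    for entry in validate_turn_uris(GOOD):
        print(entry)
    for uri in BAD:
        print(f"{uri!r}: valid={is_valid_turn_uri(uri)}")
```

Note that the grammar has no "//" after the scheme, which is the most common copy-paste error when people adapt an https URL into a TURN URI.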
Telemetry properties
Whether Telemetry is enabled or not
The telemetry instance id
The matrix network statistics endpoint. Use https://matrix.org/report-usage-stats/push to push to the public matrix network statistics.
The key of the k8s secret containing telemetry password
The telemetry room where to send telemetry
The telemetry username
Enable or disable URL Previews
URL Previews configuration
Languages to accept
No Additional Items
Localization country subcode (en, fr, ...)
IP ranges for which you want to force-allow url previews.
No Additional Items
An IPv4 or IPV6 range
User Directory configuration
Whether the user directory should show all users visible to this deployment, i.e. all users on this homeserver and all users on remote homeservers who share a room with a user on this homeserver.
If unset each user has their own view of the user directory which only includes users who share a room with them.
Workers configuration
No Additional Items
Arbitrary extra config to inject into the Synapse worker configuration as a YAML string
Kubernetes HorizontalPodAutoscaler to configure. For more information see https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
maxReplicas is the upper limit for the number of replicas to which the autoscaler can scale up. It cannot be less than minReplicas.
Value must be greater than or equal to 1
averageUtilization is the target value of the average of the resource metric across all relevant pods, represented as a percentage of the requested value of the resource for the pods.
averageValue is the target value of the average of the metric across all relevant pods (as a quantity).
value is the target value of the metric (as a quantity).
minReplicas is the lower limit for the number of replicas to which the autoscaler can scale down.
Value must be greater than or equal to 1
Number of instances of this worker type
Value must be greater than or equal to 1
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Type of worker being configured
You can override Kubernetes configuration for each component of Synapse
The annotations to add to every workloads, volume claims and service monitors deployed
The annotations to add to every workloads and ingresses deployed
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
k8s properties of the haproxy workloads inside synapse component
Settings dedicated to monitoring
Service monitor settings
Enable or disable monitoring using ServiceMonitor resources
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: stringDefines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of hosts aliases to configure on the pod spec. It is advised to instead use a DNS entry to resolve your hostnames, instead of this feature. This feature can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
The number of Synapse HAProxy replicas
Value must be greater than or equal to 1
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable setting runAsUser, runAsGroup and fsGroup in the pod security context. Disable it where it should not be used, for example on OpenShift, whose security context constraints assign UIDs and GIDs themselves. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is the SELinux level label that applies to all the workload containers.
Role is the SELinux role label that applies to all the workload containers.
Type is the SELinux type label that applies to all the workload containers.
User is the SELinux user label that applies to all the workload containers.
Enable the RuntimeDefault seccomp profile on the pod. Disable it where it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
Settings dedicated to k8s ingresses
Defines the annotations to add
Each additional property must conform to the following schema
Type: string
Fully qualified domain name of the ingress
An optional IngressClass name to be used for this ingress. Optional if you are managing ingress / loadbalancer externally.
Default service type
certmanager
certfile
existing
external
Certificate file
Synapse Server Certificate
Synapse Server Private Key
The cert-manager properties, if enabled
The name of cert-manager ClusterIssuer to use
The TLS mode of this component ingress. Use external if TLS is managed externally to the cluster, certmanager if you want cert-manager to issue the certificate automatically, or certfile if you want to upload certificate files to Kubernetes TLS secrets manually.
The name of a secret in the cluster that contains TLS certificates
Must be at most 253 characters long
k8s properties of the redis workloads inside synapse component
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of host aliases to configure on the pod spec. It is advised to use a DNS entry to resolve your hostnames instead of this feature, which is meant as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable setting runAsUser, runAsGroup and fsGroup in the pod security context. Disable it where it should not be used, for example on OpenShift, whose security context constraints assign UIDs and GIDs themselves. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is the SELinux level label that applies to all the workload containers.
Role is the SELinux role label that applies to all the workload containers.
Type is the SELinux type label that applies to all the workload containers.
User is the SELinux user label that applies to all the workload containers.
Enable the RuntimeDefault seccomp profile on the pod. Disable it where it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
k8s properties of the synapse workloads inside synapse component
Settings dedicated to k8s
The annotations to add to every workload and ingress deployed
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Settings dedicated to monitoring
Service monitor settings
Enable or disable monitoring using ServiceMonitor resources
Settings dedicated to k8s storage
The storage class name to use
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of host aliases to configure on the pod spec. It is advised to use a DNS entry to resolve your hostnames instead of this feature, which is meant as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable setting runAsUser, runAsGroup and fsGroup in the pod security context. Disable it where it should not be used, for example on OpenShift, whose security context constraints assign UIDs and GIDs themselves. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is the SELinux level label that applies to all the workload containers.
Role is the SELinux role label that applies to all the workload containers.
Type is the SELinux type label that applies to all the workload containers.
User is the SELinux user label that applies to all the workload containers.
Enable the RuntimeDefault seccomp profile on the pod. Disable it where it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
The secret data associated to the synapse config. Keys matching config.macaroonSecretKey, config.registrationSharedSecretSecretKey, config.signingKeySecretKey, config.adminPasswordSecretKey, config.telemetry.password and config.postgres.passwordSecretKey must be present. If the ingress TLS mode uses a certificate file, keys matching k8s.ingress.certificate.certFileSecretKey and k8s.ingress.certificate.privateKeySecretKey must be present. If STUN is enabled, a key matching config.stun.sharedSecretSecretKey must be present. To override the Synapse default trust store for federation, every key listed in config.federation.certificateAutoritiesSecretKeys should be present.
Must be at most 253 characters long
This is a web based user interface used to administrate your Element Deployment.
The location the host admin may be reached, comma delimited
TLS Verification
You can override Kubernetes configuration for each component of Synapse Admin
Settings dedicated to k8s
The annotations to add to every workload and ingress deployed
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Settings dedicated to k8s ingresses
Defines the annotations to add
Each additional property must conform to the following schema
Type: string
Fully qualified domain name of the ingress
An optional IngressClass name to be used for this ingress. Optional if you are managing ingress / loadbalancer externally.
Default service type
certmanager
certfile
existing
external
Certificate file
Synapse Admin UI Certificate
Synapse Admin UI Private Key
The cert-manager properties, if enabled
The name of cert-manager ClusterIssuer to use
The TLS mode of this component ingress. Use external if TLS is managed externally to the cluster, certmanager if you want cert-manager to issue the certificate automatically, or certfile if you want to upload certificate files to Kubernetes TLS secrets manually.
The name of a secret in the cluster that contains TLS certificates
Must be at most 253 characters long
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of host aliases to configure on the pod spec. It is advised to use a DNS entry to resolve your hostnames instead of this feature, which is meant as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
The number of Synapse Admin UI replicas
Value must be greater than or equal to 1
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable setting runAsUser, runAsGroup and fsGroup in the pod security context. Disable it where it should not be used, for example on OpenShift, whose security context constraints assign UIDs and GIDs themselves. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is the SELinux level label that applies to all the workload containers.
Role is the SELinux role label that applies to all the workload containers.
Type is the SELinux type label that applies to all the workload containers.
User is the SELinux user label that applies to all the workload containers.
Enable the RuntimeDefault seccomp profile on the pod. Disable it where it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
The secret data associated to the synapse admin config. If the ingress TLS mode uses a certificate file, keys matching k8s.ingresses.synapseAdminUi.certificate.certFileSecretKey and k8s.ingresses.synapseAdminUi.certificate.privateKeySecretKey must be present.
Must be at most 253 characters long
Deploy a Telegram Bridge to be able to talk to Telegram users and rooms from Element.
Additional config to inject
Level of end-to-bridge encryption required. Disabled will turn off end-to-bridge encryption, Allowed will turn it on but not make bridged rooms default to encrypted. Defaulted turns it on and makes bridged rooms encrypted. Finally forced drops unencrypted messages entirely.
Bridge logging level
Bridge logging level
The matrix-side configuration of the bridge
The bridge rooms alias prefix
Configure the bridge bot
The avatar the appservice bot will have, provided in the form of an MXC URL, e.g. "mxc://matrix.org/KJSfYJTISAOQkQzVlTIIlTGz". MXC URLs can be obtained by uploading media to a Matrix homeserver.
The display name of the appservice bot
The username of the appservice bot
Enable public portal
Deprecated - Always set to true
The bridge user prefix
Max RMAU that can use TelegramBridge
Configuration of the PostgreSQL database
PostgreSQL database name
PostgreSQL database host
The PostgreSQL password
PostgreSQL port
Value must be greater than or equal to 0 and less than or equal to 65535
TLS settings to use for the PostgreSQL connection
PostgreSQL username
Telegram bridge configuration
The telegram bridge api hash secret key
The telegram bridge api id secret key
The telegram connection properties
How many concurrent connections should be handled on startup. Set to 0 to allow unlimited connections
The threshold below which the library should automatically sleep on flood wait errors (inclusive). For instance, if a FloodWaitError for 17s occurs and floodsleepthreshold is 20s, the library will sleep automatically. If the error was for 21s, it would raise the error instead. Values larger than a day (86400) will be changed to a day.
How many times a request should be retried. Requests are retried when Telegram is having internal issues, when there is a FloodWaitError shorter than floodsleepthreshold, or when there is a migrate error. May take a negative or null value for infinite retries, but this is not recommended, since some requests can always trigger a call fail (such as searching for messages).
How many times the reconnection should retry, either on the initial connection or when Telegram disconnects us. May be set to a negative or null value for infinite retries, but this is not recommended, since the program can get stuck in an infinite loop.
The delay in seconds to sleep between automatic reconnections.
The timeout in seconds to be used when connecting.
The timeout in seconds after which the bridge reports an error on the /_matrix/mau/live endpoint. If no events are being received from Telegram this enables a management tool like Kubernetes to automatically restart the bridge. Negative values, 0 and no value will make the endpoint always report HTTP 200 after startup.
TLS Verification
Settings dedicated to k8s
The annotations to add to every workload and ingress deployed
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Settings dedicated to k8s ingresses
Defines the annotations to add
Each additional property must conform to the following schema
Type: string
Fully qualified domain name of the ingress
An optional IngressClass name to be used for this ingress. Optional if you are managing ingress / loadbalancer externally.
Default service type
certmanager
certfile
existing
external
Certificate file
TelegramBridge Certificate
TelegramBridge Private Key
The cert-manager properties, if enabled
The name of cert-manager ClusterIssuer to use
The TLS mode of this component ingress. Use external if TLS is managed externally to the cluster, certmanager if you want cert-manager to issue the certificate automatically, or certfile if you want to upload certificate files to Kubernetes TLS secrets manually.
The name of a secret in the cluster that contains TLS certificates
Must be at most 253 characters long
Settings dedicated to monitoring
Service monitor settings
Enable or disable monitoring using ServiceMonitor resources
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of host aliases to configure on the pod spec. It is advised to use a DNS entry to resolve your hostnames instead of this feature, which is meant as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable setting runAsUser, runAsGroup and fsGroup in the pod security context. Disable it where it should not be used, for example on OpenShift, whose security context constraints assign UIDs and GIDs themselves. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is the SELinux level label that applies to all the workload containers.
Role is the SELinux role label that applies to all the workload containers.
Type is the SELinux type label that applies to all the workload containers.
User is the SELinux user label that applies to all the workload containers.
Enable the RuntimeDefault seccomp profile on the pod. Disable it where it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
The secret data associated to TelegramBridge config
Must be at most 253 characters long
This is a well known delegation file hosted as a static site.
WellKnownDelegation additional client configuration.
WellKnownDelegation additional element configuration.
WellKnownDelegation additional server configuration.
You can override Kubernetes configuration for each component of WellKnownDelegation
Settings dedicated to k8s
The annotations to add to every workload and ingress deployed
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Settings dedicated to k8s ingresses
Defines the annotations to add
Each additional property must conform to the following schema
Type: string
An optional IngressClass name to be used for this ingress. Optional if you are managing ingress / loadbalancer externally.
Default service type
certmanager
certfile
existing
external
Certificate file
WellKnownDelegation Certificate
WellKnownDelegation Private Key
The cert-manager properties, if enabled
The name of cert-manager ClusterIssuer to use
The TLS mode of this component ingress. Use external if TLS is managed externally to the cluster, certmanager if you want cert-manager to issue the certificate automatically, or certfile if you want to upload certificate files to Kubernetes TLS secrets manually.
The name of a secret in the cluster that contains TLS certificates
Must be at most 253 characters long
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of host aliases to configure on the pod spec. It is advised to use a DNS entry to resolve your hostnames instead of this feature, which is meant as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
The number of Well-Known Delegation replicas
Value must be greater than or equal to 1
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable setting runAsUser, runAsGroup and fsGroup in the pod security context. Disable it where it should not be used, for example on OpenShift, whose security context constraints assign UIDs and GIDs themselves. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is the SELinux level label that applies to all the workload containers.
Role is the SELinux role label that applies to all the workload containers.
Type is the SELinux type label that applies to all the workload containers.
User is the SELinux user label that applies to all the workload containers.
Enable the RuntimeDefault seccomp profile on the pod. Disable it where it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
The secret data associated to the wellKnownDelegation config. If the ingress TLS mode uses a certificate file, keys matching k8s.ingress.certificate.certFileSecretKey and k8s.ingress.certificate.privateKeySecretKey must be present.
Must be at most 253 characters long
Deploy a WhatsApp Bridge to be able to talk to WhatsApp users and rooms from Element.
Additional config to inject
Level of end-to-bridge encryption required. Disabled will turn off end-to-bridge encryption, Allowed will turn it on but not make bridged rooms default to encrypted. Defaulted turns it on and makes bridged rooms encrypted. Finally forced drops unencrypted messages entirely.
WhatsApp Logging settings
How the log should be formatted
The level of WhatsApp log output
The matrix-side configuration of the bridge
Configure the bridge bot
The avatar the appservice bot will have, provided in the form of an MXC URL, e.g. "mxc://maunium.net/NeXNQarUbrlYBiPCpprYsRqr". MXC URLs can be obtained by uploading media to a Matrix homeserver.
The display name of the appservice bot
The username of the appservice bot
The bridge user prefix
Set permission levels on the bridge for different users. Anyone not specified has no permissions to use the bridge. At least two permission entries are required.
Enter * to set the permissions for all users
Enter a domain (server.example) to set the permissions for all users on that homeserver
Enter a full MXID (@localpart:server.example) to set the permissions just for that user
On clicking Add to Permissions you can then specify the permission level.
Each additional property must conform to the following schema
Type: enum (of string)
Permission level
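As an added example (not ESS or mautrix-whatsapp code), here is how such a map resolves for a given user, together with the checks worth running before applying it. Two things are assumptions rather than statements from this page: the precedence (an exact MXID entry wins over a homeserver entry, which wins over *), which is how the mautrix bridges evaluate the map, and the level names relay, user and admin, which come from mautrix-whatsapp. The security point is the * entry: whatever level it carries is granted to every user on every federated homeserver, so anything above the lowest level there deserves a second look.

```python
"""Resolve and sanity-check a bridge permissions map of the shape described above.

Added example, not ESS or mautrix-whatsapp code. Keys are "*", a homeserver
domain, or a full MXID. Two things here are ASSUMED rather than stated on this
page: the precedence (exact MXID, then homeserver, then "*"), which is how the
mautrix bridges evaluate the map, and the level names relay < user < admin,
which are mautrix-whatsapp's.
"""
LEVELS = ("relay", "user", "admin")  # ASSUMED names, least to most privileged


def homeserver_of(mxid):
    """server_name of an @localpart:server_name user ID. The localpart cannot
    contain ':', so the first ':' separates it from the server name (which may
    itself carry a port, e.g. example.org:8448)."""
    if not mxid.startswith("@") or ":" not in mxid:
        raise ValueError(f"not a Matrix user ID: {mxid!r}")
    return mxid.split(":", 1)[1]


def permission_for(permissions, mxid):
    """Level granted to mxid; None when no entry matches, i.e. no access."""
    for key in (mxid, homeserver_of(mxid), "*"):
        if key in permissions:
            return permissions[key]
    return None


def audit_permissions(permissions):
    """Findings to resolve before applying the map: malformed keys, unknown
    levels, too few entries, and a '*' entry that hands out more than the
    lowest level to all of federation."""
    findings = []
    for key, level in permissions.items():
        if level not in LEVELS:
            findings.append(f"{key}: unknown level {level!r}")
        if key.startswith("@") and ":" not in key:
            findings.append(f"{key}: looks like an MXID but has no server name")
        elif key != "*" and not key.startswith("@") and "@" in key:
            findings.append(f"{key}: neither '*', a domain, nor an @localpart:server MXID")
    if len(permissions) < 2:
        findings.append("at least two permission entries are required")
    star = permissions.get("*")
    if star in LEVELS and star != LEVELS[0]:
        findings.append(f"'*' grants {star!r} to every user on every federated homeserver")
    return findings


# Constructed sample: everyone on federation may relay, local users may use the
# bridge, one local user administers it.
SAMPLE_PERMISSIONS = {"*": "relay", "example.org": "user", "@alice:example.org": "admin"}

if __name__ == "__main__":
    for user in ("@alice:example.org", "@bob:example.org", "@mallory:evil.example"):
        print(user, "->", permission_for(SAMPLE_PERMISSIONS, user))
    print(audit_permissions({"*": "user", "@bob": "admin"}))
```

With the sample map, a user on an unrelated federated homeserver resolves to relay, a local user to user and the named admin to admin; dropping the * entry makes the remote user resolve to None, which is the "no permissions" case the schema text describes.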
Configuration of the PostgreSQL database
PostgreSQL database name
PostgreSQL database host
The PostgreSQL password
PostgreSQL port
Value must be greater than or equal to 0 and less than or equal to 65535
TLS settings to use for the PostgreSQL connection
PostgreSQL username
Settings dedicated to k8s
The annotations to add to every workload and ingress deployed
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Settings dedicated to monitoring
Service monitor settings
Enable or disable monitoring using ServiceMonitor resources
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker secret to use for ems image store
The docker registry url for this secret
The list of host aliases to configure on the pod spec. It is advised to use a DNS entry to resolve your hostnames instead of this feature, which is meant as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable pod runAsUser, runAsGroup and fsGroup in the security context. Disable it if it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is the SELinux level label that applies to all the workload containers.
Role is the SELinux role label that applies to all the workload containers.
Type is the SELinux type label that applies to all the workload containers.
User is the SELinux user label that applies to all the workload containers.
Enable the RuntimeDefault pod seccomp profile. Disable it if it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
The secret data associated with the WhatsApp Bridge config
Must be at most 253 characters long
Deploy an XMPP Bridge to talk to XMPP users and channels from Element.
Logging settings
The maximum level of log output
Configure matrix-side of the bridge
The bridge rooms alias prefix
Configure the bridge bot
Bot username
Enable matrix room aliases join request
The bridge user prefix
Configuration of the PostgreSQL database
PostgreSQL database name
PostgreSQL database host
The PostgreSQL password
PostgreSQL port
Value must be greater than or equal to 0 and less than or equal to 65535
TLS settings to use for the PostgreSQL connection
PostgreSQL username
The secret key containing the XMPP signing key. It can be generated using openssl: openssl rand -hex 64
TLS Verification
The XMPP side configuration of the bridge
The component password secret key
The XMPP domain name
The XMPP Service address
Settings dedicated to k8s
The annotations to add to every workload and ingress deployed
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Settings dedicated to monitoring
Service monitor settings
Enable or disable monitoring using ServiceMonitor resources
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker registry secret to use for the EMS image store
The Docker registry URL for this secret
The list of host aliases to configure on the pod spec. It is advised to use a DNS entry to resolve your hostnames instead of this feature. It can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
Kubernetes resources to allocate to each instance.
Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
Each additional property must conform to the following schema
Enable pod runAsUser, runAsGroup and fsGroup in the security context. Disable it if it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
The fsGroup GID to use if securityContextForceUidGid is enabled
The runAsGroup GID to use if securityContextForceUidGid is enabled
The runAsUser UID to use if securityContextForceUidGid is enabled
Level is the SELinux level label that applies to all the workload containers.
Role is the SELinux role label that applies to all the workload containers.
Type is the SELinux type label that applies to all the workload containers.
User is the SELinux user label that applies to all the workload containers.
Enable the RuntimeDefault pod seccomp profile. Disable it if it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
The secret data associated with the XmppBridge config
Must be at most 253 characters long
An array of IP ranges allowed to reach the admin endpoints
No Additional Items
An IPv4 or IPv6 range
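Two things go wrong in practice with an allowlist like this: an entry with host bits set (a typo such as 10.0.1.5/8) silently becomes a much wider range if parsed leniently, and on a dual-stack listener IPv4 clients show up as IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) that do not match IPv4 entries. The block below is an added example, not installer code, that parses the list strictly, flags entries that allow a whole address family, and matches a client address with the mapped-address case handled. The sample ranges and addresses are constructed.

```python
"""Check client addresses against the admin-endpoint IP allowlist.

Added example; the function names and sample data are mine, only the
list format (one IPv4 or IPv6 range per entry) comes from the page.
"""
import ipaddress


def parse_allowlist(entries):
    """Parse CIDR entries. strict=True rejects ranges with host bits set
    (e.g. '10.0.1.5/8'), which is almost always a mistyped prefix length."""
    nets = []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            raise ValueError(f"bad admin allowlist entry {entry!r}: {exc}") from None
    return nets


def overly_broad(nets):
    """Entries that admit every address of their family (0.0.0.0/0, ::/0)."""
    return [n for n in nets if n.prefixlen == 0]


def is_allowed(nets, client_ip):
    """True if client_ip falls inside any allowed range.

    A dual-stack socket reports IPv4 peers as ::ffff:a.b.c.d; both the
    mapped form and the plain IPv4 form are tried so IPv4 entries still match.
    """
    addr = ipaddress.ip_address(client_ip)
    candidates = [addr]
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        candidates.append(addr.ipv4_mapped)
    return any(c in n for c in candidates for n in nets if c.version == n.version)


if __name__ == "__main__":
    # Constructed sample allowlist: an office range and an IPv6 management prefix.
    allowed = parse_allowlist(["10.20.0.0/16", "2001:db8::/32"])
    for probe in ("10.20.3.4", "::ffff:10.20.3.4", "10.21.0.1", "2001:db8:1::1"):
        print(probe, "->", is_allowed(allowed, probe))
    print("broad:", overly_broad(parse_allowlist(["0.0.0.0/0", "10.0.0.0/8"])))
```

The ranges are compared against the address the admin endpoint actually sees; if a proxy or ingress sits in front, that is the proxy's address unless the original client address is passed through and trusted, so check which one the endpoint evaluates before relying on a narrow list.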
The CA bundle to inject into the deployment. It must be a single file concatenating, in PEM (Base64-encoded) form, every CA certificate in the chains of the services the deployment will have to interact with.
The domain name of this deployment. It is used as the server name part of users' MXIDs (@localpart:<domain>), and cannot be changed afterwards.
A configmap containing images digests metadata to override
Enable DNS Record delegation. In this mode, WellKnownDelegation is not deployed, and the domain name is served under Synapse ingress.
TLS verification
Settings dedicated to k8s
The annotations to add to every workload and ingress deployed
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Settings dedicated to k8s ingresses
Defines the annotations to add
Each additional property must conform to the following schema
Type: string
An optional IngressClass name to be used for this ingress. Optional if you are managing ingress / load balancer externally.
Default service type
Allowed values: certmanager, certfile, existing, external
The default certificate for every ingress can be configured here. It can be used for example if you plan to use a wildcard certificate, or a certificate containing all component FQDNs as SANs.
The cert-manager properties, if enabled
The name of cert-manager ClusterIssuer to use
The default TLS mode of deployed ingresses. Use external if TLS is managed externally to the cluster, certmanager if you want cert-manager to issue certificates automatically, or certfile if you want to upload certificate files to Kubernetes TLS secrets manually.
The name of a secret in the cluster that contains TLS certificates
Must be at most 253 characters long
Settings dedicated to monitoring
Service monitor settings
Enable or disable monitoring using ServiceMonitor resources
Global storage configuration
The storage class name to use
Settings dedicated to k8s workloads
The annotations to add to the workload
Each additional property must conform to the following schema
Type: string
Defines the annotations to add
Docker registry secret to use for the EMS image store
The Docker registry URL for this secret
The list of host aliases to configure on the pod spec. It is advised to use a DNS entry to resolve your hostnames instead of this feature. It can be used as a workaround when entries cannot be resolved using DNS, for example in our automated testing routines.
No Additional Items
A hostname of the associated IP to add to /etc/hosts
An IP resolution to add to /etc/hosts
NodeSelector is a selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
Each additional property must conform to the following schema
Type: string
The number of replicas for workloads supporting it
Value must be greater than or equal to 1
Enable pod runAsUser, runAsGroup and fsGroup in the security context. Disable it if it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
Level is the SELinux level label that applies to all the workload containers.
Role is the SELinux role label that applies to all the workload containers.
Type is the SELinux type label that applies to all the workload containers.
User is the SELinux user label that applies to all the workload containers.
Enable the RuntimeDefault pod seccomp profile. Disable it if it should not be used, for example on OpenShift. Auto attempts to detect OpenShift automatically.
Workload tolerations
No Additional Items
The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
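The workload settings described here (and in the identical per-bridge blocks earlier on the page) decide what lands in the rendered Pod spec, and the Auto mode for the UID/GID and seccomp options can quietly turn them off when it believes it is on OpenShift. The following is an added example, not part of the installer: an audit over a Pod spec dictionary (the `spec` object of `kubectl get pod -o json` output, or of a rendered manifest) that checks for the securityContext fields, the RuntimeDefault seccomp profile, hostAliases that bypass DNS, and the toleration field rules quoted above. The two sample specs are constructed.

```python
"""Audit a rendered Pod spec for the workload security settings above.

Added example, not installer code. Rules follow the descriptions on the page:
runAsUser/runAsGroup/fsGroup set and non-root, RuntimeDefault seccomp,
hostAliases discouraged, and the toleration operator/value/effect constraints.
"""
import json
import sys


def audit_pod_spec(spec: dict) -> list:
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    psc = spec.get("securityContext", {})

    # securityContextForceUidGid: all three IDs should be present and non-zero.
    # When disabled (or OpenShift auto-detected) they are absent and the
    # platform assigns IDs itself, which is worth knowing rather than assuming.
    for field in ("runAsUser", "runAsGroup", "fsGroup"):
        value = psc.get(field)
        if value is None:
            findings.append(f"securityContext.{field} is not set")
        elif value == 0:
            findings.append(f"securityContext.{field} is 0 (root)")

    # RuntimeDefault seccomp: accepted at pod level or on every container.
    if psc.get("seccompProfile", {}).get("type") != "RuntimeDefault":
        unprofiled = [
            c["name"] for c in spec.get("containers", [])
            if c.get("securityContext", {}).get("seccompProfile", {}).get("type")
            != "RuntimeDefault"
        ]
        if unprofiled:
            findings.append("no RuntimeDefault seccomp profile for: " + ", ".join(unprofiled))

    # hostAliases rewrite /etc/hosts and bypass DNS; the page recommends DNS.
    for alias in spec.get("hostAliases", []):
        names = ", ".join(alias.get("hostnames", []))
        findings.append(f"hostAliases pins {names} to {alias.get('ip')}; prefer a DNS record")

    # Tolerations, checked against the field rules quoted on the page.
    for tol in spec.get("tolerations", []):
        op = tol.get("operator", "Equal")
        key = tol.get("key", "")
        if op not in ("Exists", "Equal"):
            findings.append(f"toleration operator {op!r} is not Exists or Equal")
        if op == "Exists" and tol.get("value"):
            findings.append("toleration with operator Exists must leave value empty")
        if not key and op != "Exists":
            findings.append("toleration with an empty key must use operator Exists")
        if not key and op == "Exists":
            findings.append("toleration with empty key and Exists tolerates every taint")
        if tol.get("tolerationSeconds") is not None and tol.get("effect") != "NoExecute":
            findings.append("tolerationSeconds is ignored unless effect is NoExecute")
    return findings


# Constructed sample specs, not taken from a real deployment.
WEAK_SPEC = {
    "securityContext": {"runAsUser": 0},
    "containers": [{"name": "bridge"}],
    "hostAliases": [{"ip": "10.0.0.5", "hostnames": ["db.internal"]}],
    "tolerations": [
        {"operator": "Exists", "value": "x"},
        {"key": "dedicated", "operator": "Equal", "value": "matrix",
         "effect": "NoSchedule", "tolerationSeconds": 30},
    ],
}

HARDENED_SPEC = {
    "securityContext": {
        "runAsUser": 10000, "runAsGroup": 10000, "fsGroup": 10000,
        "seccompProfile": {"type": "RuntimeDefault"},
        "seLinuxOptions": {"level": "s0:c123,c456"},
    },
    "containers": [{"name": "bridge"}],
    "tolerations": [{"key": "dedicated", "operator": "Equal",
                     "value": "matrix", "effect": "NoSchedule"}],
}


if __name__ == "__main__":
    # Usage: kubectl get pod <name> -o json | python audit.py
    # Without stdin input the two constructed specs are audited instead.
    if not sys.stdin.isatty():
        obj = json.load(sys.stdin)
        specs = {"stdin": obj.get("spec", obj)}
    else:
        specs = {"weak": WEAK_SPEC, "hardened": HARDENED_SPEC}
    for name, spec in specs.items():
        print(f"{name}: {audit_pod_spec(spec) or 'no findings'}")
```

The hostAliases and tolerations findings are informational rather than failures: both are legitimate settings on this page, but a toleration with an empty key and `Exists` lets the pod land on any tainted node, including ones you intended to reserve, so it should be a deliberate choice.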
The secret holding the global data
Must be at most 253 characters long
Secrets contains the secrets used by the ess-stack
Each additional property must conform to the following schema
A secret for a given component
An existing secret created externally to this chart
Each additional property must conform to the following schema
Type: string
The secret content