diff --git a/charts/matrix-stack/source/common/routes.json b/charts/matrix-stack/source/common/routes.json
new file mode 100644
index 000000000..86a5cde97
--- /dev/null
+++ b/charts/matrix-stack/source/common/routes.json
@@ -0,0 +1,41 @@
+{
+ "type": "object",
+ "properties": {
+ "existingGateways": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "required": [
+ "name"
+ ],
+ "properties": {
+ "name": { "type": "string" },
+ "namespace": { "type": "string" },
+ "group": { "type": "string" },
+ "kind": { "type": "string" },
+ "sectionName": { "type": "string" },
+ "port": { "type": "integer" }
+ }
+ },
+ "minItems": 1
+ },
+ "host": {
+ "type": "string"
+ },
+ "annotations": {
+ "type": "object",
+ "additionalProperties": {
+ "type": "string"
+ }
+ },
+ "tlsEnabled": {
+ "type": "boolean"
+ },
+ "tlsSecret": {
+ "type": "string"
+ },
+ "service": {
+ "$ref": "file://common/service.json"
+ }
+ }
+}
diff --git a/charts/matrix-stack/source/common/routes_global.json b/charts/matrix-stack/source/common/routes_global.json
new file mode 100644
index 000000000..320cea980
--- /dev/null
+++ b/charts/matrix-stack/source/common/routes_global.json
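Review bot: The `existingGateways` item schema accepts any extra key and an unbounded `port`, and the parentRefs helper in this change passes these entries through `toYaml` unchanged, so a misspelled `sectionName` or `namespace` passes values validation and goes straight into the route's parent refs. Adding `"additionalProperties": false` to the item object and `"minimum": 1, "maximum": 65535` to `port` would reject such input when the chart is installed. The same item block is repeated in routes_global.json, routes_without_host.json and synapse/routes_with_additional_paths.json (the last one without `minItems` and with nullable annotation values); moving it into one common file referenced with `$ref`, as `service` already is, would keep the copies from drifting.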
@@ -0,0 +1,72 @@
+{
+ "type": "object",
+ "properties": {
+ "existingGateways": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "required": [
+ "name"
+ ],
+ "properties": {
+ "name": { "type": "string" },
+ "namespace": { "type": "string" },
+ "group": { "type": "string" },
+ "kind": { "type": "string" },
+ "sectionName": { "type": "string" },
+ "port": { "type": "integer" }
+ }
+ },
+ "minItems": 1
+ },
+ "annotations": {
+ "type": "object",
+ "additionalProperties": {
+ "type": "string"
+ }
+ },
+ "tlsEnabled": {
+ "type": "boolean"
+ },
+ "tlsSecret": {
+ "type": "string"
+ },
+ "service": {
+ "type": "object",
+ "required": [
+ "type",
+ "internalTrafficPolicy"
+ ],
+ "properties": {
+ "annotations": {
+ "type": "object",
+ "additionalProperties": {
+ "type": "string"
+ }
+ },
+ "type": {
+ "type": "string",
+ "enum": [
+ "ClusterIP",
+ "NodePort",
+ "LoadBalancer"
+ ]
+ },
+ "internalTrafficPolicy": {
+ "type": "string",
+ "enum": [
+ "Cluster",
+ "Local"
+ ]
+ },
+ "externalTrafficPolicy": {
+ "type": "string",
+ "enum": [
+ "Cluster",
+ "Local"
+ ]
+ }
+ }
+ }
+ }
+}
diff --git a/charts/matrix-stack/source/common/routes_without_host.json b/charts/matrix-stack/source/common/routes_without_host.json
new file mode 100644
index 000000000..cf70532c3
--- /dev/null
+++ b/charts/matrix-stack/source/common/routes_without_host.json
@@ -0,0 +1,38 @@ +{ + "type": "object", + "properties": { + "existingGateways": { + "type": "array", + "items": { + "type": "object", + "required": [ + "name" + ], + "properties": { + "name": { "type": "string" }, + "namespace": { "type": "string" }, + "group": { "type": "string" }, + "kind": { "type": "string" }, + "sectionName": { "type": "string" }, + "port": { "type": "integer" } + } + }, + "minItems": 1 + }, + "annotations": { + "type": "object", + "additionalProperties": { + "type": "string" + } + }, + "tlsEnabled": { + "type": "boolean" + }, + "tlsSecret": { + "type": "string" + }, + "service": { + "$ref": "file://common/service.json" + } + } +} diff --git a/charts/matrix-stack/source/common/sub_schema_values.yaml.j2 b/charts/matrix-stack/source/common/sub_schema_values.yaml.j2 index 387fe581b..ba529ce20 100644 --- a/charts/matrix-stack/source/common/sub_schema_values.yaml.j2 +++ b/charts/matrix-stack/source/common/sub_schema_values.yaml.j2 @@ -28,6 +28,7 @@ certManager: {} # serverName: ess.localhost {{ labels(global=true) }} {{ ingress(global=true) }} +{{ routes(global=true, withHost=false) }} ## Common image properties that are applied as defaults to all components. image: @@ -54,6 +55,21 @@ clusterDomain: "cluster.local." networking: ## Whether components should attempt to bind IPv4 (ipv4) /IPv6 (ipv6) / both (dual-stack) ipFamily: dual-stack + +## Gateway configuration options +gateway: + ## Create a default gateway for all routes + create: false + + ## Set the gateway class to use. If not set it will use the cluster default + # className: "" + + ## Additional annotations to add to the gateway resource + annotations: {} + +## Set the default inbound traffic handler type. Options are ingress | routes | none +inboundTrafficHandler: ingress + {%- endmacro %} {% macro containersSecurityContext(key='containersSecurityContext') %} 
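Review bot: The keys documented in the second hunk of this file (`gateway.create`, `gateway.className`, `inboundTrafficHandler`, together with the `routes` block) are not the ones the templates in this change read: the helpers use `.Values.ingress.gateway`, `.Values.ingress.HTTPRoute.existingGateways`, `.ingress.enabled` and `.ingress.type` compared against `Ingress`/`HTTPRoute`. Unless a mapping exists outside this diff, setting `inboundTrafficHandler: routes` or `routes.tlsEnabled` would not change what is exposed, so an operator could believe a component is unpublished or TLS-only when it is not. The values keys and the template lookups should be aligned before the defaults are published. The `className` comment also promises a cluster default, while the Gateway template renders the value directly; I would reword it to `## Gateway class to use; required when create is true`.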
@@ -170,9 +186,6 @@ networking: ## Annotations to be added to {{ 'all Ingresses. Will be merged with component specific Ingress annotations' if global else 'this Ingress' }} annotations: {} - ## What Ingress Class Name that should be used for {{ 'all Ingresses by default' if global else 'this Ingress' }} - # className: - ## Disable TLS configuration by setting it to false tlsEnabled: true 
@@ -199,9 +212,62 @@ networking: # externalIPs: [] service: {} {%- endif %} + + ## What Ingress Class Name that should be used for {{ 'all Ingresses by default' if global else 'this Ingress' }} + # className: + ## If set, some tweaks will be applied automatically to ingresses based on the controller type here. ## This can be set to `ingress-nginx`. # controllerType: + + +{%- endmacro %} + +{% macro routes(global=false, withHost=true, key='routes') %} +{%- if global %} +## How all routes should be constructed by default, unless overridden +{%- else %} +## How this component's routes should be constructed +{%- endif %} +{{ key }}: +{%- if withHost %} + ## What hostname should be used for this component + # host: +{% endif %} + ## Annotations to be added to {{ 'all routes. Will be merged with component specific route annotations' if global else 'this route' }} + annotations: {} + + ## Disable TLS configuration by setting it to false + tlsEnabled: true + + ## The name of the Secret containing the TLS certificate and the key that should be used for {{ 'all routes by default' if global else 'this route' }} + # tlsSecret: + + ## How the {{ 'Services' if global else 'Service' }} behind {{ 'all routes' if global else 'this route' }} is constructed{{ ' by default' if global else '' }} +{%- if global %} + service: + type: ClusterIP + ## Annotations to be added to {{ 'all routes services. Will be merged with component specific route services annotations' if global else 'this route' }} + annotations: {} + # External traffic policy will be configured on services of type `NodePort` and `LoadBalancer` + externalTrafficPolicy: Cluster + internalTrafficPolicy: Cluster +{%- else %} + # service: + # type: ClusterIP + # annotations: {} + # # External traffic policy will be configured on services of type `NodePort` and `LoadBalancer` + # externalTrafficPolicy: Cluster + # internalTrafficPolicy: Cluster + # # External IPs addresses of this service. 
+ # externalIPs: [] + service: {} +{%- endif %} + + ## List of existing Gateway parent refs to connect the routes to. + ## More info: https://gateway-api.sigs.k8s.io/reference/spec/#parentreference + # existingGateways: {} + {%- endmacro %} {% macro labels(global=false, key='labels') %} diff --git a/charts/matrix-stack/source/element-admin.json b/charts/matrix-stack/source/element-admin.json index 9d4f3dee3..087722fa5 100644 --- a/charts/matrix-stack/source/element-admin.json +++ b/charts/matrix-stack/source/element-admin.json @@ -10,12 +10,23 @@ "minimum": 1, "type": "integer" }, + "inboundTrafficHandler": { + "type": "string", + "enum": [ + "ingress", + "routes", + "none" + ] + }, "image": { "$ref": "file://common/image.json" }, "ingress": { "$ref": "file://common/ingress.json" }, + "routes": { + "$ref": "file://common/routes.json" + }, "labels": { "$ref": "file://common/labels.json" }, diff --git a/charts/matrix-stack/source/element-admin.yaml.j2 b/charts/matrix-stack/source/element-admin.yaml.j2 index b782adaa2..bc69a8fb4 100644 --- a/charts/matrix-stack/source/element-admin.yaml.j2 +++ b/charts/matrix-stack/source/element-admin.yaml.j2 @@ -14,6 +14,7 @@ enabled: true replicas: 1 {{- sub_schema_values.image(registry='oci.element.io', repository='element-admin', tag='0.1.10') -}} {{- sub_schema_values.ingress() -}} +{{- sub_schema_values.routes() -}} {{- sub_schema_values.labels() -}} {{- sub_schema_values.workloadAnnotations() -}} {{- sub_schema_values.extraEnv() -}} diff --git a/charts/matrix-stack/source/element-web.json b/charts/matrix-stack/source/element-web.json index 3a1844ada..5c9f7e294 100644 --- a/charts/matrix-stack/source/element-web.json +++ b/charts/matrix-stack/source/element-web.json @@ -16,6 +16,14 @@ "minimum": 1, "type": "integer" }, + "inboundTrafficHandler": { + "type": "string", + "enum": [ + "ingress", + "routes", + "none" + ] + }, "extraVolumes": { "$ref": "file://common/extraVolumes.json" }, 
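Review bot: The commented example `# existingGateways: {}` at the end of the `routes` macro shows a map, but every schema added in this change declares `existingGateways` as an array (with `minItems: 1` in the common files), so uncommenting the line as written would fail values validation. I would document it as a list using the fields the schema accepts, for instance `# existingGateways:` followed by `#   - name: example-gateway` and `#     sectionName: https` (constructed sample values). A short comment that `sectionName` restricts the route to one listener, and that omitting it attaches the route to every listener of the gateway, would help operators who run both HTTP and HTTPS listeners.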
@@ -31,6 +39,9 @@ "ingress": { "$ref": "file://common/ingress.json" }, + "routes": { + "$ref": "file://common/routes.json" + }, "labels": { "$ref": "file://common/labels.json" }, diff --git a/charts/matrix-stack/source/element-web.yaml.j2 b/charts/matrix-stack/source/element-web.yaml.j2 index 1a1659562..a40467113 100644 --- a/charts/matrix-stack/source/element-web.yaml.j2 +++ b/charts/matrix-stack/source/element-web.yaml.j2 @@ -22,6 +22,7 @@ additional: {} replicas: 1 {{- sub_schema_values.image(registry='oci.element.io', repository='element-web', tag='v1.12.12') -}} {{- sub_schema_values.ingress() -}} +{{- sub_schema_values.routes() -}} {{- sub_schema_values.labels() -}} {{- sub_schema_values.workloadAnnotations() -}} {{- sub_schema_values.extraEnv() -}} diff --git a/charts/matrix-stack/source/hookshot.json b/charts/matrix-stack/source/hookshot.json index e217bfad2..f2eaf1746 100644 --- a/charts/matrix-stack/source/hookshot.json +++ b/charts/matrix-stack/source/hookshot.json @@ -45,12 +45,23 @@ } } }, + "inboundTrafficHandler": { + "type": "string", + "enum": [ + "ingress", + "routes", + "none" + ] + }, "additional": { "$ref": "file://common/additional.json" }, "ingress": { "$ref": "file://common/ingress.json" }, + "routes": { + "$ref": "file://common/routes.json" + }, "image": { "$ref": "file://common/image.json" }, diff --git a/charts/matrix-stack/source/hookshot.yaml.j2 b/charts/matrix-stack/source/hookshot.yaml.j2 index 1cd7e6c50..491485d16 100644 --- a/charts/matrix-stack/source/hookshot.yaml.j2 +++ b/charts/matrix-stack/source/hookshot.yaml.j2 @@ -24,6 +24,7 @@ logging: {{ sub_schema_values.credential("Hookshot passkey used to encrypt stored tokens.", "passkey", initIfAbsent=True) }} {{ sub_schema_values.redis() }} {{ sub_schema_values.ingress() }} +{{ sub_schema_values.routes() }} ## Additional configuration to provide to Hookshot. ## You can, if you whish, override it in the additional config. 
diff --git a/charts/matrix-stack/source/matrix-rtc.json b/charts/matrix-stack/source/matrix-rtc.json index 95459794a..56cfd2572 100644 --- a/charts/matrix-stack/source/matrix-rtc.json +++ b/charts/matrix-stack/source/matrix-rtc.json @@ -47,6 +47,14 @@ } } }, + "inboundTrafficHandler": { + "type": "string", + "enum": [ + "ingress", + "routes", + "none" + ] + }, "replicas": { "type": "integer" }, @@ -68,6 +76,9 @@ "ingress": { "$ref": "file://common/ingress.json" }, + "routes": { + "$ref": "file://common/routes.json" + }, "labels": { "$ref": "file://common/labels.json" }, diff --git a/charts/matrix-stack/source/matrix-rtc.yaml.j2 b/charts/matrix-stack/source/matrix-rtc.yaml.j2 index 424c85355..f49c059c6 100644 --- a/charts/matrix-stack/source/matrix-rtc.yaml.j2 +++ b/charts/matrix-stack/source/matrix-rtc.yaml.j2 @@ -24,6 +24,7 @@ restrictRoomCreationToLocalUsers: true replicas: 1 {{- sub_schema_values.ingress() }} +{{- sub_schema_values.routes() }} {{- sub_schema_values.image(registry='ghcr.io', repository='element-hq/lk-jwt-service', tag='0.4.1') }} {{- sub_schema_values.labels() }} {{- sub_schema_values.workloadAnnotations() }} diff --git a/charts/matrix-stack/source/matrixAuthenticationService.json b/charts/matrix-stack/source/matrixAuthenticationService.json index 340577cb5..cc822da58 100644 --- a/charts/matrix-stack/source/matrixAuthenticationService.json +++ b/charts/matrix-stack/source/matrixAuthenticationService.json @@ -96,9 +96,20 @@ } } }, + "inboundTrafficHandler": { + "type": "string", + "enum": [ + "ingress", + "routes", + "none" + ] + }, "ingress": { "$ref": "file://common/ingress.json" }, + "routes": { + "$ref": "file://common/routes.json" + }, "image": { "$ref": "file://common/image.json" }, diff --git a/charts/matrix-stack/source/matrixAuthenticationService.yaml.j2 b/charts/matrix-stack/source/matrixAuthenticationService.yaml.j2 index eeae697de..c9f96fe4f 100644 --- a/charts/matrix-stack/source/matrixAuthenticationService.yaml.j2 
+++ b/charts/matrix-stack/source/matrixAuthenticationService.yaml.j2 @@ -27,6 +27,7 @@ privateKeys: {{ sub_schema_values.credential("ECDSA Secp384r1 Private Key", "ecdsaSecp384r1") | indent(2) }} {{ sub_schema_values.ingress() }} +{{ sub_schema_values.routes() }} {{ sub_schema_values.resources(requests_memory='50Mi', requests_cpu='50m', limits_memory='350Mi') }} {{ sub_schema_values.labels() }} {{ sub_schema_values.serviceAccount() }} diff --git a/charts/matrix-stack/source/synapse.json b/charts/matrix-stack/source/synapse.json index ef538b47c..e8741e8a3 100644 --- a/charts/matrix-stack/source/synapse.json +++ b/charts/matrix-stack/source/synapse.json @@ -133,9 +133,20 @@ "type": "string" } }, + "inboundTrafficHandler": { + "type": "string", + "enum": [ + "ingress", + "routes", + "none" + ] + }, "ingress": { "$ref": "file://synapse/ingress_with_additional_paths.json" }, + "routes": { + "$ref": "file://synapse/routes_with_additional_paths.json" + }, "image": { "$ref": "file://common/image.json" }, diff --git a/charts/matrix-stack/source/synapse.yaml.j2 b/charts/matrix-stack/source/synapse.yaml.j2 index 59cf6f730..5164b5d84 100644 --- a/charts/matrix-stack/source/synapse.yaml.j2 +++ b/charts/matrix-stack/source/synapse.yaml.j2 @@ -91,6 +91,7 @@ logging: {{- sub_schema_values.extraVolumeMounts("Synapse", with_context=true) }} {{- sub_schema_values.extraInitContainers("Synapse") }} {{- sub_schema_values.ingress() }} +{{- sub_schema_values.routes() }} {{- sub_schema_values.labels() }} {{- sub_schema_values.workloadAnnotations() }} {{- sub_schema_values.containersSecurityContext() }} diff --git a/charts/matrix-stack/source/synapse/routes_with_additional_paths.json b/charts/matrix-stack/source/synapse/routes_with_additional_paths.json new file mode 100644 index 000000000..6b68a1208 --- /dev/null +++ b/charts/matrix-stack/source/synapse/routes_with_additional_paths.json 
@@ -0,0 +1,111 @@ +{ + "type": "object", + "properties": { + "existingGateways": { + "type": "array", + "items": { + "type": "object", + "required": [ + "name" + ], + "properties": { + "name": { "type": "string" }, + "namespace": { "type": "string" }, + "group": { "type": "string" }, + "kind": { "type": "string" }, + "sectionName": { "type": "string" }, + "port": { "type": "integer" } + } + } + }, + "annotations": { + "type": "object", + "additionalProperties": { + "type": [ + "string", + "null" + ] + } + }, + "host": { + "type": "string" + }, + "tlsEnabled": { + "type": "boolean" + }, + "tlsSecret": { + "type": "string" + }, + "service": { + "$ref": "file://common/service.json" + }, + "additionalPaths": { + "type": "array", + "items": { + "type": "object", + "required": [ + "path", + "availability" + ], + "properties": { + "path": { + "type": "string" + }, + "availability": { + "type": "string", + "enum": [ + "internally_and_externally", + "only_externally", + "blocked" + ] + }, + "service": { + "type": "object", + "required": [ + "name", + "port" + ], + "properties": { + "name": { + "type": "string" + }, + "port": { + "type": "object", + "oneOf": [ + { + "required": [ + "name" + ], + "not": { + "required": [ + "number" + ] + } + }, + { + "required": [ + "number" + ], + "not": { + "required": [ + "name" + ] + } + } + ], + "properties": { + "name": { + "type": "string" + }, + "number": { + "type": "integer" + } + } + } + } + } + } + } + } + } +} diff --git a/charts/matrix-stack/source/values.schema.json b/charts/matrix-stack/source/values.schema.json index f0a6f2799..f34aaad7e 100644 --- a/charts/matrix-stack/source/values.schema.json +++ b/charts/matrix-stack/source/values.schema.json @@ -79,6 +79,9 @@ "ingress": { "$ref": "file://common/ingress_global.json" }, + "routes": { + "$ref": "file://common/routes_global.json" + }, "tolerations": { "$ref": "file://common/tolerations.json" }, 
@@ -101,6 +104,31 @@ } } }, + "gateway": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + }, + "className": { + "type": "string" + }, + "annotations": { + "type": "object", + "additionalProperties": { + "type": "string" + } + } + } + }, + "inboundTrafficHandler": { + "type": "string", + "enum": [ + "ingress", + "routes", + "none" + ] + }, "deploymentMarkers": { "$ref": "file://deployment-markers.json" }, diff --git a/charts/matrix-stack/source/wellKnownDelegation.json b/charts/matrix-stack/source/wellKnownDelegation.json index 97f9070e9..dbb20ed62 100644 --- a/charts/matrix-stack/source/wellKnownDelegation.json +++ b/charts/matrix-stack/source/wellKnownDelegation.json @@ -6,9 +6,20 @@ "enabled": { "type": "boolean" }, + "inboundTrafficHandler": { + "type": "string", + "enum": [ + "ingress", + "routes", + "none" + ] + }, "ingress": { "$ref": "file://common/ingress_without_host.json" }, + "routes": { + "$ref": "file://common/routes_without_host.json" + }, "labels": { "$ref": "file://common/labels.json" }, diff --git a/charts/matrix-stack/source/wellKnownDelegation.yaml.j2 b/charts/matrix-stack/source/wellKnownDelegation.yaml.j2 index 86f7be980..62c57c08b 100644 --- a/charts/matrix-stack/source/wellKnownDelegation.yaml.j2 +++ b/charts/matrix-stack/source/wellKnownDelegation.yaml.j2 @@ -10,6 +10,7 @@ enabled: true {{ sub_schema_values.labels() }} {{ sub_schema_values.ingress() }} +{{ sub_schema_values.routes(withHost=false) }} ## If ElementWeb is deployed, the base domain will redirect to it's ingress host by default ## If ElementWeb is not deployed or this is disabled, no base domain URL redirect will be set. diff --git a/charts/matrix-stack/templates/element-admin/httproute.yaml b/charts/matrix-stack/templates/element-admin/httproute.yaml new file mode 100644 index 000000000..24db65e14 --- /dev/null +++ b/charts/matrix-stack/templates/element-admin/httproute.yaml 
@@ -0,0 +1,44 @@
+{{- /*
+Copyright 2026 New Vector Ltd
+Copyright 2026 Element Creations Ltd
+
+SPDX-License-Identifier: AGPL-3.0-only
+*/ -}}
+{{- with .Values.elementAdmin -}}
+{{- if eq (include "element-io.ess-library.ingress.isEnabled" (dict "root" $ "context" (dict "ingress" .ingress "type" "HTTPRoute"))) "true" -}}
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+{{- include "element-io.ess-library.ingress.annotations" (dict "root" $ "context" (dict "ingress" .ingress)) | nindent 2 }}
+ labels:
+ {{- include "element-io.element-admin.labels" (dict "root" $ "context" .) | nindent 4 }}
+ name: {{ $.Release.Name }}-element-admin
+ namespace: {{ $.Release.Namespace }}
+spec:
+ parentRefs:
+ {{- include "element-io.ess-library.ingress.parentRefs" (dict "root" $ "context" (dict "serviceName" "element-admin" "HTTPRoute" .ingress.HTTPRoute)) | nindent 4 }}
+ hostnames:
+ - {{ (tpl .ingress.host $) | quote }}
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /
+ backendRefs:
+ - name: {{ $.Release.Name }}-element-admin
+ port: 8080
+ group: ""
+ kind: Service
+ {{- if eq (include "element-io.ess-library.ingress.tls.isEnabled" (dict "root" $ "context" .ingress)) "true" }}
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /
+ filters:
+ - requestRedirect:
+ scheme: https
+ statusCode: 301
+ type: RequestRedirect
+ {{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/matrix-stack/templates/element-admin/ingress.yaml b/charts/matrix-stack/templates/element-admin/ingress.yaml
index 0550e16a7..2bd590793 100644
--- a/charts/matrix-stack/templates/element-admin/ingress.yaml
+++ b/charts/matrix-stack/templates/element-admin/ingress.yaml
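Review bot: The HTTPS redirect rule can never take effect: it has the same `PathPrefix /` match as the backend rule before it, and within one HTTPRoute the first matching rule wins, so a request arriving on a plain-HTTP listener is forwarded to the `element-admin` Service on port 8080 instead of being redirected. With `existingGateways` entries that omit `sectionName`, the route binds to every listener of that gateway, port 80 included, which would serve the admin UI without TLS. The usual Gateway API layout is two routes: this one bound to the HTTPS listener through `sectionName`, and a second HTTPRoute bound to the HTTP listener whose only rule is the `RequestRedirect` filter. The same pair of rules appears in the element-web, hookshot and matrix-authentication-service httproute.yaml files added by this change.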
@@ -5,7 +5,7 @@ Copyright 2025 Element Creations Ltd SPDX-License-Identifier: AGPL-3.0-only */ -}} {{- with .Values.elementAdmin -}} -{{- if .enabled -}} +{{- if eq (include "element-io.ess-library.ingress.isEnabled" (dict "root" $ "context" (dict "ingress" .ingress "type" "Ingress"))) "true" -}} apiVersion: networking.k8s.io/v1 kind: Ingress metadata: @@ -16,7 +16,7 @@ metadata: namespace: {{ $.Release.Namespace }} spec: {{- include "element-io.ess-library.ingress.tls" (dict "root" $ "context" (dict "ingress" .ingress "ingressName" "element-admin")) | nindent 2 }} -{{- include "element-io.ess-library.ingress.className" (dict "root" $ "context" .ingress.className) | nindent 2 }} +{{- include "element-io.ess-library.ingress.className" (dict "root" $ "context" .ingress.Ingress.className) | nindent 2 }} rules: - host: {{ (tpl .ingress.host $) | quote }} http: diff --git a/charts/matrix-stack/templates/element-web/httproute.yaml b/charts/matrix-stack/templates/element-web/httproute.yaml new file mode 100644 index 000000000..8f35035bb --- /dev/null +++ b/charts/matrix-stack/templates/element-web/httproute.yaml 
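Review bot: The new guard in the first hunk no longer looks at the component's own `.enabled`: `ingress.isEnabled` receives only `.ingress` and the type, and decides on `or $ingress.enabled $root.Values.ingress.enabled`, so an Ingress for element-admin can be rendered while `elementAdmin.enabled` is false. That would publish a hostname with no workload behind it. Keeping the old condition next to the new one avoids this: `{{- if and .enabled (eq (include "element-io.ess-library.ingress.isEnabled" (dict "root" $ "context" (dict "ingress" .ingress "type" "Ingress"))) "true") -}}`. The same replacement is made in element-web/ingress.yaml and hookshot/hookshot_ingress.yaml, and the new httproute.yaml templates use the same guard.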
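Review bot: In the second hunk, `.ingress.Ingress.className` dereferences a nested map that the values macro in this diff does not define; `className` is still documented directly under the ingress key. When `.ingress.Ingress` is absent the template fails with a nil-pointer error instead of falling back to the global class. If the nesting is intended, guard the lookup, for example `(.ingress.Ingress | default dict).className`, and move the documented `className` key to match; otherwise keep `.ingress.className`. The same line is changed in element-web/ingress.yaml and hookshot/hookshot_ingress.yaml.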
@@ -0,0 +1,44 @@
+{{- /*
+Copyright 2026 New Vector Ltd
+Copyright 2026 Element Creations Ltd
+
+SPDX-License-Identifier: AGPL-3.0-only
+*/ -}}
+{{- with .Values.elementWeb -}}
+{{- if eq (include "element-io.ess-library.ingress.isEnabled" (dict "root" $ "context" (dict "ingress" .ingress "type" "HTTPRoute"))) "true" -}}
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+{{- include "element-io.ess-library.ingress.annotations" (dict "root" $ "context" (dict "ingress" .ingress)) | nindent 2 }}
+ labels:
+ {{- include "element-io.element-web.labels" (dict "root" $ "context" .) | nindent 4 }}
+ name: {{ $.Release.Name }}-element-web
+ namespace: {{ $.Release.Namespace }}
+spec:
+ parentRefs:
+ {{- include "element-io.ess-library.ingress.parentRefs" (dict "root" $ "context" (dict "serviceName" "element-web" "HTTPRoute" .ingress.HTTPRoute)) | nindent 4 }}
+ hostnames:
+ - {{ (tpl .ingress.host $) | quote }}
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /
+ backendRefs:
+ - name: {{ $.Release.Name }}-element-web
+ port: 80
+ group: ""
+ kind: Service
+ {{- if eq (include "element-io.ess-library.ingress.tls.isEnabled" (dict "root" $ "context" .ingress)) "true" }}
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /
+ filters:
+ - requestRedirect:
+ scheme: https
+ statusCode: 301
+ type: RequestRedirect
+ {{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/matrix-stack/templates/element-web/ingress.yaml b/charts/matrix-stack/templates/element-web/ingress.yaml
index cfad0d7b6..5aaa573b5 100644
--- a/charts/matrix-stack/templates/element-web/ingress.yaml
+++ b/charts/matrix-stack/templates/element-web/ingress.yaml
@@ -5,7 +5,7 @@ Copyright 2025 Element Creations Ltd SPDX-License-Identifier: AGPL-3.0-only */ -}} {{- with .Values.elementWeb -}} -{{- if .enabled -}} +{{- if eq (include "element-io.ess-library.ingress.isEnabled" (dict "root" $ "context" (dict "ingress" .ingress "type" "Ingress"))) "true" -}} apiVersion: networking.k8s.io/v1 kind: Ingress metadata: @@ -16,7 +16,7 @@ metadata: namespace: {{ $.Release.Namespace }} spec: {{- include "element-io.ess-library.ingress.tls" (dict "root" $ "context" (dict "ingress" .ingress "ingressName" "element-web")) | nindent 2 }} -{{- include "element-io.ess-library.ingress.className" (dict "root" $ "context" .ingress.className) | nindent 2 }} +{{- include "element-io.ess-library.ingress.className" (dict "root" $ "context" .ingress.Ingress.className) | nindent 2 }} rules: - host: {{ (tpl .ingress.host $) | quote }} http: diff --git a/charts/matrix-stack/templates/ess-library/_ingress.tpl b/charts/matrix-stack/templates/ess-library/_ingress.tpl index a1cad314a..1fe6a241a 100644 --- a/charts/matrix-stack/templates/ess-library/_ingress.tpl +++ b/charts/matrix-stack/templates/ess-library/_ingress.tpl @@ -70,6 +70,13 @@ ipFamilyPolicy: PreferDualStack {{- end }} {{- end }} +{{- define "element-io.ess-library.ingress.tls.isEnabled" -}} +{{- $root := .root -}} +{{- with required "element-io.ess-library.ingress.tls.isEnabled missing context" .context -}} +{{- and $root.Values.ingress.tlsEnabled .tlsEnabled -}} +{{- end -}} +{{- end -}} + {{- define "element-io.ess-library.ingress.tls" -}} {{- $root := .root -}} {{- with required "element-io.ess-library.ingress.tls missing context" .context -}} 
@@ -133,3 +140,42 @@ ImplementationSpecific Prefix {{- end -}} {{- end -}} + +{{- define "element-io.ess-library.ingress.parentRefs" -}} +{{- $root := .root -}} +{{- with required "element-io.ess-library.ingress.parentRefs missing context" .context -}} +{{- $serviceName := required "element-io.ess-library.ingress.parentRefs missing serviceName" .serviceName -}} +{{- $globalHTTPRouteConfig := $root.Values.ingress.HTTPRoute | default dict -}} +{{- $httpRouteConfig := .HTTPRoute | default dict -}} +{{- $gateways := concat + ($globalHTTPRouteConfig.existingGateways | default list) + ($httpRouteConfig.existingGateways | default list) +-}} +{{- $builtinGateway := $root.Values.ingress.gateway | default dict -}} +{{- if or (gt (len $gateways) 0) $builtinGateway.create -}} +{{- if gt (len $gateways) 0 -}} +{{ toYaml $gateways }} +{{- end -}} +{{ if $builtinGateway.create }} +- name: {{ $root.Release.Name | quote }} + namespace: {{ $root.Release.Namespace | quote }} + kind: gateway + group: gateway.networking.k8s.io + sectionname: {{ printf "%s-%s" $root.Release.Name $serviceName | quote }} +{{ end }} +{{- else -}} +[] +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "element-io.ess-library.ingress.isEnabled" -}} +{{- $root := .root -}} +{{- with required "element-io.ess-library.ingress.isEnabled missing context" .context -}} +{{- $ingress := required "element-io.ess-library.ingress.isEnabled missing ingress" .ingress -}} +{{- $type := required "element-io.ess-library.ingress.isEnabled missing type" .type -}} +{{- $desiredType := coalesce $ingress.type $root.Values.ingress.type -}} +{{- $enabled := or $ingress.enabled $root.Values.ingress.enabled -}} +{{- and $enabled (eq $type $desiredType) -}} +{{- end -}} +{{- end -}} diff --git a/charts/matrix-stack/templates/gateway/_helpers.tpl b/charts/matrix-stack/templates/gateway/_helpers.tpl new file mode 100644 index 000000000..9947cc0d1 --- /dev/null +++ b/charts/matrix-stack/templates/gateway/_helpers.tpl 
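Review bot: The built-in gateway parent ref in `element-io.ess-library.ingress.parentRefs` is emitted with `kind: gateway` and `sectionname:`, but the Gateway API ParentReference fields are case-sensitive: the kind is `Gateway` and the field is `sectionName`. Depending on how strictly the API server validates, the object is either rejected or the unknown field is dropped, and a parent ref without a section name binds the route to every listener on that gateway instead of the one named `<release>-<service>`. Change the two lines to `kind: Gateway` and `sectionName: {{ printf "%s-%s" $root.Release.Name $serviceName | quote }}`. Separately, `isEnabled` in the same hunk ORs the component and global `enabled` flags, so a component cannot opt out of exposure once the global flag is true; please confirm that is intended.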
@@ -0,0 +1,78 @@ +{{- /* +Copyright 2026 New Vector Ltd +Copyright 2026 Element Creations Ltd + +SPDX-License-Identifier: AGPL-3.0-only +*/ -}} +{{- define "element-io.gateway.tlsConfig" -}} +{{- $root := .root -}} +{{- with required "element-io.gateway.tlsConfig missing context" .context -}} +{{- $tlsSecret := coalesce + .tlsSecret + $root.Values.ingress.tlsSecret + (printf "%s-%s-certmanager-tls" $root.Release.Name .name) +-}} +tls: + certificateRefs: + - group: "" + kind: Secret + name: {{ $tlsSecret | quote }} + mode: Terminate +{{- end -}} +{{- end -}} + +{{- define "element-io.gateway.listeners" -}} +{{- $root := .root -}} +{{- $contexts := dict + "element-admin" $root.Values.elementAdmin + "element-web" $root.Values.elementWeb + "hookshot" $root.Values.hookshot + "matrix-authentication-service" $root.Values.matrixAuthenticationService + "matrix-rtc" $root.Values.matrixRTC + "synapse" $root.Values.synapse + "well-known" $root.Values.wellKnownDelegation +-}} +{{- $listenFor := $root.Values.ingress.gateway.listenFor | default (list + "element-admin" + "element-web" + "matrix-authentication-service" + "matrix-rtc" + "synapse" + "well-known") +-}} +{{- if and (not $root.Values.ingress.gateway.listenFor) $root.Values.hookshot.enabled -}} +{{- $listenFor = append $listenFor "hookshot" -}} +{{- end -}} +{{- range $listenFor -}} +{{- $service := . 
-}} +{{- with required "element-io.gateway.listener missing context" (index $contexts $service) -}} +{{- if eq (include "element-io.ess-library.ingress.isEnabled" (dict "root" $root "context" (dict "ingress" .ingress "type" "HTTPRoute"))) "true" }} +- hostname: {{ .ingress.host | default $root.Values.serverName | quote }} + {{- if eq (include "element-io.ess-library.ingress.tls.isEnabled" (dict "root" $root "context" .ingress)) "true" }} + port: 443 + protocol: HTTPS + {{- include "element-io.gateway.tlsConfig" (dict "root" $root "context" (dict "tlsSecret" .ingress.tlsSecret "name" $service)) | nindent 2 }} + {{- else }} + port: 80 + protocol: HTTP + {{- end }} + name: {{ printf "%s-%s" $root.Release.Name $service | quote }} + allowedRoutes: + namespaces: + from: Same +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "element-io.gateway.labels" -}} +{{- $root := .root -}} +{{- with required "element-io.gateway.labels missing context" .context -}} +{{- $labels := .labels | default dict -}} +{{ include "element-io.ess-library.labels.common" (dict "root" $root "context" (dict "labels" $labels)) }} +app.kubernetes.io/component: matrix-stack-ingress +app.kubernetes.io/name: {{ $root.Release.Name }} +app.kubernetes.io/instance: {{ $root.Release.Name }}-gateway +app.kubernetes.io/version: {{ include "element-io.ess-library.labels.makeSafe" $root.Chart.Version }} +{{- end -}} +{{- end -}} diff --git a/charts/matrix-stack/templates/gateway/gateway.yaml b/charts/matrix-stack/templates/gateway/gateway.yaml new file mode 100644 index 000000000..27398fca0 --- /dev/null +++ b/charts/matrix-stack/templates/gateway/gateway.yaml 
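Review bot: The listener hostname in `element-io.gateway.listeners` is taken from `.ingress.host` as written, while every HTTPRoute in this change renders its hostname with `tpl .ingress.host $`; a templated host would give a listener whose hostname does not intersect with the route's, and the route would not attach. Rendering both the same way fixes that: `- hostname: {{ tpl (.ingress.host | default $root.Values.serverName) $root | quote }}`. A TLS-enabled component also gets only a 443/HTTPS listener, so nothing on this gateway listens on port 80 for the HTTP-to-HTTPS redirect rule the routes carry. The default certificate name `<release>-<service>-certmanager-tls` is built from the `listenFor` key; I could not confirm from this diff that it matches the secret name the Ingress path uses.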
@@ -0,0 +1,20 @@
+{{- /*
+Copyright 2026 New Vector Ltd
+Copyright 2026 Element Creations Ltd
+
+SPDX-License-Identifier: AGPL-3.0-only
+*/ -}}
+{{- if and .Values.ingress.gateway .Values.ingress.gateway.create }}
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+{{- include "element-io.ess-library.ingress.annotations" (dict "root" $ "context" (dict "ingress" .Values.ingress.gateway)) | nindent 2 }}
+ labels:
+ {{- include "element-io.gateway.labels" (dict "root" $ "context" .Values.ingress.gateway) | nindent 4 }}
+ name: {{ $.Release.Name }}
+ namespace: {{ $.Release.Namespace }}
+spec:
+ gatewayClassName: {{ .Values.ingress.gateway.className }}
+ listeners:
+ {{- include "element-io.gateway.listeners" (dict "root" $) | nindent 4 -}}
+{{- end }}
diff --git a/charts/matrix-stack/templates/hookshot/hookshot_httproute.yaml b/charts/matrix-stack/templates/hookshot/hookshot_httproute.yaml
new file mode 100644
index 000000000..db68b98ed
--- /dev/null
+++ b/charts/matrix-stack/templates/hookshot/hookshot_httproute.yaml
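Review bot: `gatewayClassName` is rendered unquoted and unchecked, so with `className` unset the manifest carries an empty value; the Gateway API requires this field and has no cluster-default class to fall back on. Failing at render time gives a clearer error than an API rejection: `gatewayClassName: {{ required "gateway className is required when the gateway is created" .Values.ingress.gateway.className | quote }}`. The `listeners` list can also render empty when no component selects HTTPRoute, and a Gateway needs at least one listener, so the outer `if` should probably cover that case as well.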
@@ -0,0 +1,54 @@
+{{- /*
+Copyright 2026 New Vector Ltd
+Copyright 2026 Element Creations Ltd
+
+SPDX-License-Identifier: AGPL-3.0-only
+*/ -}}
+{{- with $.Values.hookshot -}}
+{{- if and (eq (include "element-io.ess-library.ingress.isEnabled" (dict "root" $ "context" (dict "ingress" .ingress "type" "HTTPRoute"))) "true") .ingress.host -}}
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+{{- $extraAnnotations := dict }}
+{{- include "element-io.ess-library.ingress.annotations" (dict "root" $ "context" (dict "ingress" .ingress "extraAnnotations" $extraAnnotations)) | nindent 2 }}
+ labels:
+ {{- include "element-io.hookshot.labels" (dict "root" $ "context" $.Values.haproxy) | nindent 4 }}
+ name: {{ $.Release.Name }}-hookshot
+ namespace: {{ $.Release.Namespace }}
+spec:
+ parentRefs:
+ {{- include "element-io.ess-library.ingress.parentRefs" (dict "root" $ "context" (dict "serviceName" "hookshot" "HTTPRoute" .ingress.HTTPRoute)) | nindent 4 }}
+ hostnames:
+ - {{ (tpl .ingress.host $) | quote }}
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /widgetapi/v1
+ backendRefs:
+ - name: "{{ $.Release.Name }}-hookshot"
+ port: 7778
+ group: ""
+ kind: Service
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /
+ backendRefs:
+ - name: "{{ $.Release.Name }}-hookshot"
+ port: 7775
+ group: ""
+ kind: Service
+ {{- if eq (include "element-io.ess-library.ingress.tls.isEnabled" (dict "root" $ "context" .ingress)) "true" }}
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /
+ filters:
+ - requestRedirect:
+ scheme: https
+ statusCode: 301
+ type: RequestRedirect
+ {{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/matrix-stack/templates/hookshot/hookshot_ingress.yaml b/charts/matrix-stack/templates/hookshot/hookshot_ingress.yaml
index 6a9d1ad16..3eb5593ac 100644
--- a/charts/matrix-stack/templates/hookshot/hookshot_ingress.yaml
+++ b/charts/matrix-stack/templates/hookshot/hookshot_ingress.yaml
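Review bot: The labels for the Hookshot route are built with `"context" $.Values.haproxy`, so labels configured for HAProxy rather than Hookshot end up on this HTTPRoute, while the other new routes pass their own component (`.`). If this is a carry-over from the Ingress template, `(dict "root" $ "context" .)` is the consistent form. `$extraAnnotations` is an empty dict that is only passed through and can be dropped. The final redirect rule shares `PathPrefix /` with the port 7775 backend rule above it, so as written it is shadowed by that rule.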
@@ -6,7 +6,7 @@ SPDX-License-Identifier: AGPL-3.0-only {{- with $.Values.hookshot -}} -{{- if and .enabled .ingress.host }} +{{- if and (eq (include "element-io.ess-library.ingress.isEnabled" (dict "root" $ "context" (dict "ingress" .ingress "type" "Ingress"))) "true") .ingress.host -}} apiVersion: networking.k8s.io/v1 kind: Ingress metadata: @@ -18,7 +18,7 @@ metadata: namespace: {{ $.Release.Namespace }} spec: {{- include "element-io.ess-library.ingress.tls" (dict "root" $ "context" (dict "ingress" .ingress "ingressName" "hookshot")) | nindent 2 }} -{{- include "element-io.ess-library.ingress.className" (dict "root" $ "context" .ingress.className) | nindent 2 }} +{{- include "element-io.ess-library.ingress.className" (dict "root" $ "context" .ingress.Ingress.className) | nindent 2 }} rules: - host: {{ (tpl .ingress.host $) | quote }} http: diff --git a/charts/matrix-stack/templates/matrix-authentication-service/httproute.yaml b/charts/matrix-stack/templates/matrix-authentication-service/httproute.yaml new file mode 100644 index 000000000..5d741ed7d --- /dev/null +++ b/charts/matrix-stack/templates/matrix-authentication-service/httproute.yaml 
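Review bot: `.ingress.Ingress.className` in the second hunk dereferences a nested `Ingress` map that nothing visible guarantees to exist, so a values file without it would abort the render with a nil-pointer error. A release that still sets the old `ingress.className` would have that setting dropped without warning, leaving the Ingress to whatever default class the cluster has. Binding the sub-map first avoids the render failure: `{{- $ingressOpts := .ingress.Ingress | default dict }}` and then pass `$ingressOpts.className`. The values.schema.json hunks later in this commit add `routes` and `inboundTrafficHandler` (`ingress`/`routes`/`none`) rather than `ingress.Ingress`, `ingress.HTTPRoute` or a type of `"Ingress"`/`"HTTPRoute"`, so templates and schema look out of step unless another part of the change reconciles them. The same access pattern appears in the matrix-authentication-service, matrix-rtc (also for `controllerType`), synapse and well-known ingress hunks.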
@@ -0,0 +1,44 @@
+{{- /*
+Copyright 2026 New Vector Ltd
+Copyright 2026 Element Creations Ltd
+
+SPDX-License-Identifier: AGPL-3.0-only
+*/ -}}
+{{- with .Values.matrixAuthenticationService -}}
+{{- if eq (include "element-io.ess-library.ingress.isEnabled" (dict "root" $ "context" (dict "ingress" .ingress "type" "HTTPRoute"))) "true" -}}
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+{{- include "element-io.ess-library.ingress.annotations" (dict "root" $ "context" (dict "ingress" .ingress)) | nindent 2 }}
+ labels:
+ {{- include "element-io.matrix-authentication-service.labels" (dict "root" $ "context" .) | nindent 4 }}
+ name: {{ $.Release.Name }}-matrix-authentication-service
+ namespace: {{ $.Release.Namespace }}
+spec:
+ parentRefs:
+ {{- include "element-io.ess-library.ingress.parentRefs" (dict "root" $ "context" (dict "serviceName" "matrix-authentication-service" "HTTPRoute" .ingress.HTTPRoute)) | nindent 4 }}
+ hostnames:
+ - {{ (tpl .ingress.host $) | quote }}
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /
+ backendRefs:
+ - name: {{ $.Release.Name }}-matrix-authentication-service
+ port: 8080
+ group: ""
+ kind: Service
+ {{- if eq (include "element-io.ess-library.ingress.tls.isEnabled" (dict "root" $ "context" .ingress)) "true" }}
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /
+ filters:
+ - requestRedirect:
+ scheme: https
+ statusCode: 301
+ type: RequestRedirect
+ {{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/matrix-stack/templates/matrix-authentication-service/ingress.yaml b/charts/matrix-stack/templates/matrix-authentication-service/ingress.yaml
index e413d9954..1431d338b 100644
--- a/charts/matrix-stack/templates/matrix-authentication-service/ingress.yaml
+++ b/charts/matrix-stack/templates/matrix-authentication-service/ingress.yaml
@@ -6,7 +6,7 @@ SPDX-License-Identifier: AGPL-3.0-only */ -}} {{- with .Values.matrixAuthenticationService -}} -{{- if .enabled -}} +{{- if eq (include "element-io.ess-library.ingress.isEnabled" (dict "root" $ "context" (dict "ingress" .ingress "type" "Ingress"))) "true" -}} apiVersion: networking.k8s.io/v1 kind: Ingress metadata: @@ -17,7 +17,7 @@ metadata: namespace: {{ $.Release.Namespace }} spec: {{- include "element-io.ess-library.ingress.tls" (dict "root" $ "context" (dict "ingress" .ingress "ingressName" "matrix-authentication-service")) | nindent 2 }} -{{- include "element-io.ess-library.ingress.className" (dict "root" $ "context" .ingress.className) | nindent 2 }} +{{- include "element-io.ess-library.ingress.className" (dict "root" $ "context" .ingress.Ingress.className) | nindent 2 }} rules: - host: {{ (tpl .ingress.host $) | quote }} http: diff --git a/charts/matrix-stack/templates/matrix-rtc/httproute.yaml b/charts/matrix-stack/templates/matrix-rtc/httproute.yaml new file mode 100644 index 000000000..e64548bb2 --- /dev/null +++ b/charts/matrix-stack/templates/matrix-rtc/httproute.yaml 
@@ -0,0 +1,56 @@
+{{- /*
+Copyright 2026 New Vector Ltd
+Copyright 2026 Element Creations Ltd
+
+SPDX-License-Identifier: AGPL-3.0-only
+*/ -}}
+{{- with .Values.matrixRTC -}}
+{{- if eq (include "element-io.ess-library.ingress.isEnabled" (dict "root" $ "context" (dict "ingress" .ingress "type" "HTTPRoute"))) "true" -}}
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+{{- $extraAnnotations := dict }}
+{{- include "element-io.ess-library.ingress.annotations" (dict "root" $ "context" (dict "ingress" .ingress "extraAnnotations" $extraAnnotations)) | nindent 2 }}
+ labels:
+ {{- include "element-io.matrix-rtc-ingress.labels" (dict "root" $ "context" .) | nindent 4 }}
+ name: {{ $.Release.Name }}-matrix-rtc
+ namespace: {{ $.Release.Namespace }}
+spec:
+ parentRefs:
+ {{- include "element-io.ess-library.ingress.parentRefs" (dict "root" $ "context" (dict "serviceName" "matrix-rtc" "HTTPRoute" .ingress.HTTPRoute)) | nindent 4 }}
+ hostnames:
+ - {{ (tpl .ingress.host $) | quote }}
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /sfu/get
+ backendRefs:
+ - name: {{ $.Release.Name }}-matrix-rtc-authorisation-service
+ port: 8080
+ group: ""
+ kind: Service
+ {{- if .sfu.enabled }}
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /
+ backendRefs:
+ - name: {{ $.Release.Name }}-matrix-rtc-sfu
+ port: 7880
+ group: ""
+ kind: Service
+ {{- end }}
+ {{- if eq (include "element-io.ess-library.ingress.tls.isEnabled" (dict "root" $ "context" .ingress)) "true" }}
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /
+ filters:
+ - requestRedirect:
+ scheme: https
+ statusCode: 301
+ type: RequestRedirect
+ {{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/matrix-stack/templates/matrix-rtc/ingress.yaml b/charts/matrix-stack/templates/matrix-rtc/ingress.yaml
index 76195a508..dd38e4a8f 100644
--- a/charts/matrix-stack/templates/matrix-rtc/ingress.yaml
+++ b/charts/matrix-stack/templates/matrix-rtc/ingress.yaml
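Review bot: `$extraAnnotations` is created as an empty dict and handed to the annotations helper but never populated, so it is dead code in this template. The Ingress variant of the same component fills it with proxy timeout and buffering settings when `.sfu.enabled` is true, and the HTTPRoute gives long-lived SFU connections no equivalent. Either drop the variable and call the helper with `(dict "ingress" .ingress)` as the matrix-authentication-service route does, or add a comment above the SFU rule such as `{{- /* connection timeouts are left to the Gateway implementation; see rule-level timeouts if supported */}}`.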
@@ -5,13 +5,13 @@ Copyright 2025-2026 Element Creations Ltd SPDX-License-Identifier: AGPL-3.0-only */ -}} {{- with .Values.matrixRTC -}} -{{- if .enabled -}} +{{- if eq (include "element-io.ess-library.ingress.isEnabled" (dict "root" $ "context" (dict "ingress" .ingress "type" "Ingress"))) "true" -}} apiVersion: networking.k8s.io/v1 kind: Ingress metadata: {{- $extraAnnotations := dict }} {{- if .sfu.enabled }} -{{- if eq "ingress-nginx" (include "element-io.ess-library.ingress-controller-type" (dict "root" $ "context" .ingress.controllerType)) }} +{{- if eq "ingress-nginx" (include "element-io.ess-library.ingress-controller-type" (dict "root" $ "context" .ingress.Ingress.controllerType)) }} {{- $_ := set $extraAnnotations "nginx.ingress.kubernetes.io/proxy-send-timeout" "120" }} {{- $_ := set $extraAnnotations "nginx.ingress.kubernetes.io/proxy-read-timeout" "120" }} {{- $_ := set $extraAnnotations "nginx.ingress.kubernetes.io/proxy-buffering" "off" }} @@ -24,7 +24,7 @@ metadata: namespace: {{ $.Release.Namespace }} spec: {{- include "element-io.ess-library.ingress.tls" (dict "root" $ "context" (dict "ingress" .ingress "ingressName" "matrix-rtc")) | nindent 2 }} -{{- include "element-io.ess-library.ingress.className" (dict "root" $ "context" .ingress.className) | nindent 2 }} +{{- include "element-io.ess-library.ingress.className" (dict "root" $ "context" .ingress.Ingress.className) | nindent 2 }} rules: - host: {{ (tpl .ingress.host $) | quote }} http: diff --git a/charts/matrix-stack/templates/synapse/_helpers.tpl b/charts/matrix-stack/templates/synapse/_helpers.tpl index 4875ba221..07946e88b 100644 --- a/charts/matrix-stack/templates/synapse/_helpers.tpl +++ b/charts/matrix-stack/templates/synapse/_helpers.tpl 
@@ -108,6 +108,8 @@ env: {{- define "element-io.synapse.ingress.additionalPaths" -}} {{- $root := .root -}} +{{- $ingress := $root.Values.synapse.ingress | default dict }} +{{- $type := coalesce $ingress.type $root.Values.ingress.type }} {{- with required "element-io.synapse.ingress.additionalPaths missing context" .context -}} {{- if include "element-io.matrix-authentication-service.readyToHandleAuth" (dict "root" $root) }} {{- range $apiVersion := list "api/v1" "r0" "v3" "unstable" }} @@ -118,6 +120,9 @@ env: name: "{{ $root.Release.Name }}-matrix-authentication-service" port: name: http + {{- if eq $type "HTTPRoute" }} + number: 8080 + {{- end }} {{- end }} {{- end }} {{- end }} @@ -128,12 +133,18 @@ env: name: "{{ $root.Release.Name }}-hookshot" port: name: widgets + {{- if eq $type "HTTPRoute" }} + number: 7778 + {{- end }} - path: "/_matrix/hookshot" availability: only_externally service: name: "{{ $root.Release.Name }}-hookshot" port: name: webhooks + {{- if eq $type "HTTPRoute" }} + number: 7775 + {{- end }} {{- end -}} {{- range $root.Values.synapse.ingress.additionalPaths }} - {{ . | toYaml | indent 2 | trim }} diff --git a/charts/matrix-stack/templates/synapse/synapse_httproute.yaml b/charts/matrix-stack/templates/synapse/synapse_httproute.yaml new file mode 100644 index 000000000..2eae845b2 --- /dev/null +++ b/charts/matrix-stack/templates/synapse/synapse_httproute.yaml 
@@ -0,0 +1,85 @@
+{{- /*
+Copyright 2026 New Vector Ltd
+Copyright 2026 Element Creations Ltd
+
+SPDX-License-Identifier: AGPL-3.0-only
+*/ -}}
+{{- with $.Values.synapse -}}
+{{- if eq (include "element-io.ess-library.ingress.isEnabled" (dict "root" $ "context" (dict "ingress" .ingress "type" "HTTPRoute"))) "true" -}}
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+{{- $extraAnnotations := dict }}
+{{- include "element-io.ess-library.ingress.annotations" (dict "root" $ "context" (dict "ingress" .ingress "extraAnnotations" $extraAnnotations)) | nindent 2 }}
+ labels:
+ {{- include "element-io.synapse-ingress.labels" (dict "root" $ "context" $.Values.haproxy) | nindent 4 }}
+ name: {{ $.Release.Name }}-synapse
+ namespace: {{ $.Release.Namespace }}
+spec:
+ parentRefs:
+ {{- include "element-io.ess-library.ingress.parentRefs" (dict "root" $ "context" (dict "serviceName" "synapse" "HTTPRoute" .ingress.HTTPRoute)) | nindent 4 }}
+ hostnames:
+ - {{ (tpl .ingress.host $) | quote }}
+ rules:
+{{- if eq (include "element-io.ess-library.ingress.tls.isEnabled" (dict "root" $ "context" .ingress)) "true" }}
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /
+ filters:
+ - requestRedirect:
+ scheme: https
+ statusCode: 301
+ type: RequestRedirect
+{{- end }}
+{{- range (include "element-io.synapse.ingress.additionalPaths" (dict "root" $ "context" .)) | fromYamlArray -}}
+{{- if eq .availability "only_externally" }}
+ - matches:
+ - path:
+ type: PathPrefix
+ value: {{ .path }}
+ backendRefs:
+ - name: {{ (tpl .service.name $) | quote }}
+ port: {{ .service.port.number }}
+ group: ""
+ kind: Service
+{{- else if eq .availability "blocked" }}
+ - matches:
+ - path:
+ type: PathPrefix
+ value: {{ .path }}
+ backendRefs:
+ - name: "{{ $.Release.Name }}-synapse"
+ port: 8009
+ group: ""
+ kind: Service
+{{- end }}
+{{- end }}
+{{- range $synapsePath := (list "/_matrix" "/_synapse") -}}
+{{- /* Determine if this path is equal to, or a subset of, one of the
+ defined additional paths. If so, let the other service handle it and don't
+ add it here. */}}
+{{- $_pathAlreadyDefined := false }}
+{{- range (include "element-io.synapse.ingress.additionalPaths" (dict "root" $ "context" .)) | fromYamlArray -}}
+{{- if has .availability (list "only_externally" "blocked") }}
+{{- if hasPrefix .path $synapsePath }}
+{{- $_pathAlreadyDefined = true }}
+{{- end }}
+{{- end }}
+{{- end -}}
+{{- /* The path, or a superset of, has not already been defined in _additional_paths.
+ Define it here.*/}}
+{{- if not $_pathAlreadyDefined }}
+ - matches:
+ - path:
+ type: PathPrefix
+ value: {{ $synapsePath }}
+ backendRefs:
+ - name: "{{ $.Release.Name }}-synapse"
+ port: 8008
+ group: ""
+ kind: Service
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/matrix-stack/templates/synapse/synapse_ingress.yaml b/charts/matrix-stack/templates/synapse/synapse_ingress.yaml
index 9a85a5172..514f3a75a 100644
--- a/charts/matrix-stack/templates/synapse/synapse_ingress.yaml
+++ b/charts/matrix-stack/templates/synapse/synapse_ingress.yaml
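Review bot: `port: {{ .service.port.number }}` in the `only_externally` branch of synapse_httproute.yaml renders an empty value for any additional path whose service port is given by `name` only, which the `oneOf` in the values schema permits, while HTTPRoute `backendRefs` take a numeric port. The `_helpers.tpl` change adds `number` for the built-in paths, but entries from `synapse.ingress.additionalPaths` pass through `toYaml` untouched. Failing the render is safer than emitting a broken route: `port: {{ required "additionalPaths service.port.number is required for HTTPRoute" .service.port.number }}`. `value: {{ .path }}` in both branches should also be quoted, `value: {{ .path | quote }}`, because the path is user-supplied.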
@@ -6,22 +6,23 @@ SPDX-License-Identifier: AGPL-3.0-only */ -}} {{- with $.Values.synapse -}} -{{- if .enabled -}} +{{- if eq (include "element-io.ess-library.ingress.isEnabled" (dict "root" $ "context" (dict "ingress" .ingress "type" "Ingress"))) "true" -}} apiVersion: networking.k8s.io/v1 kind: Ingress metadata: {{- $extraAnnotations := dict }} -{{- if eq (include "element-io.ess-library.ingress-controller-type" (dict "root" $ "context" .ingress.controllerType)) "ingress-nginx" }} +{{- if eq (include "element-io.ess-library.ingress-controller-type" (dict "root" $ "context" .ingress.Ingress.controllerType)) "ingress-nginx" }} {{- $_ := set $extraAnnotations "nginx.ingress.kubernetes.io/proxy-body-size" .media.maxUploadSize }} {{- end }} {{- include "element-io.ess-library.ingress.annotations" (dict "root" $ "context" (dict "ingress" .ingress "extraAnnotations" $extraAnnotations)) | nindent 2 }} + test: {{ include "element-io.ess-library.ingress.isEnabled" (dict "root" $ "context" (dict "ingress" .ingress "type" "Ingress")) }} labels: {{- include "element-io.synapse-ingress.labels" (dict "root" $ "context" $.Values.haproxy) | nindent 4 }} name: {{ $.Release.Name }}-synapse namespace: {{ $.Release.Namespace }} spec: {{- include "element-io.ess-library.ingress.tls" (dict "root" $ "context" (dict "ingress" .ingress "ingressName" "synapse")) | nindent 2 }} -{{- include "element-io.ess-library.ingress.className" (dict "root" $ "context" .ingress.className) | nindent 2 }} +{{- include "element-io.ess-library.ingress.className" (dict "root" $ "context" .ingress.Ingress.className) | nindent 2 }} rules: - host: {{ (tpl .ingress.host $) | quote }} http: diff --git a/charts/matrix-stack/templates/well-known/_helpers.tpl b/charts/matrix-stack/templates/well-known/_helpers.tpl index 1862ec332..98264e7b4 100644 --- a/charts/matrix-stack/templates/well-known/_helpers.tpl +++ b/charts/matrix-stack/templates/well-known/_helpers.tpl 
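Review bot: The added `test: {{ include "element-io.ess-library.ingress.isEnabled" ... }}` line in the `metadata` block of synapse_ingress.yaml looks like leftover debugging output and should be removed before merge. Indentation is lost in this view, so it is either an unknown field directly under `metadata` or an annotation with an unquoted `true`, and neither is a valid Ingress manifest under strict field validation. The enablement decision is already made by the `if eq (include ...isEnabled ...) "true"` guard at the top of the template, so nothing depends on this line.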
@@ -93,3 +93,14 @@ support: | {{- (tpl (include "element-io.well-known-delegation.support" (dict "root" $root "context" .)) $root) | nindent 2 }} {{- end -}} {{- end -}} + +{{- define "element-io.well-known-delegation.httproute-path" -}} +{{- $root := .root -}} +{{- with required "element-io.well-known-delegation.httproute-path missing context" .context -}} +{{- if and .enabled (or $root.Values.elementWeb.enabled .url) -}} +/ +{{- else -}} +/.well-known/matrix +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/matrix-stack/templates/well-known/httproute.yaml b/charts/matrix-stack/templates/well-known/httproute.yaml new file mode 100644 index 000000000..e652bc59e --- /dev/null +++ b/charts/matrix-stack/templates/well-known/httproute.yaml 
@@ -0,0 +1,44 @@
+{{- /*
+Copyright 2026 New Vector Ltd
+Copyright 2026 Element Creations Ltd
+
+SPDX-License-Identifier: AGPL-3.0-only
+*/ -}}
+{{- with $.Values.wellKnownDelegation -}}
+{{- if eq (include "element-io.ess-library.ingress.isEnabled" (dict "root" $ "context" (dict "ingress" .ingress "type" "HTTPRoute"))) "true" -}}
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+{{- include "element-io.ess-library.ingress.annotations" (dict "root" $ "context" (dict "ingress" .ingress)) | nindent 2 }}
+ labels:
+ {{- include "element-io.well-known-delegation-ingress.labels" (dict "root" $ "context" $.Values.haproxy) | nindent 4 }}
+ name: {{ $.Release.Name }}-well-known
+ namespace: {{ $.Release.Namespace }}
+spec:
+ parentRefs:
+ {{- include "element-io.ess-library.ingress.parentRefs" (dict "root" $ "context" (dict "serviceName" "well-known" "HTTPRoute" .ingress.HTTPRoute)) | nindent 4 }}
+ hostnames:
+ - {{ tpl $.Values.serverName $ }}
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: {{ include "element-io.well-known-delegation.httproute-path" (dict "root" $ "context" .baseDomainRedirect) }}
+ backendRefs:
+ - name: {{ $.Release.Name }}-well-known
+ port: 8010
+ group: ""
+ kind: Service
+ {{- if eq (include "element-io.ess-library.ingress.tls.isEnabled" (dict "root" $ "context" .ingress)) "true" }}
+ - matches:
+ - path:
+ type: PathPrefix
+ value: {{ include "element-io.well-known-delegation.httproute-path" (dict "root" $ "context" .baseDomainRedirect) }}
+ filters:
+ - requestRedirect:
+ scheme: https
+ statusCode: 301
+ type: RequestRedirect
+ {{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/matrix-stack/templates/well-known/ingress.yaml b/charts/matrix-stack/templates/well-known/ingress.yaml
index 68da34af8..3df03a445 100644
--- a/charts/matrix-stack/templates/well-known/ingress.yaml
+++ b/charts/matrix-stack/templates/well-known/ingress.yaml
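Review bot: `- {{ tpl $.Values.serverName $ }}` under `hostnames` is the only HTTPRoute hostname in this commit emitted without quoting. The other routes use `{{ (tpl .ingress.host $) | quote }}`, and the well-known Ingress wraps the same expression in double quotes. Unquoted, a templated value containing YAML-significant characters changes the document structure instead of failing hostname validation. Use `- {{ (tpl $.Values.serverName $) | quote }}`.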
@@ -6,7 +6,7 @@ SPDX-License-Identifier: AGPL-3.0-only */ -}} {{- with $.Values.wellKnownDelegation -}} -{{- if .enabled -}} +{{- if eq (include "element-io.ess-library.ingress.isEnabled" (dict "root" $ "context" (dict "ingress" .ingress "type" "Ingress"))) "true" -}} apiVersion: networking.k8s.io/v1 kind: Ingress metadata: @@ -17,7 +17,7 @@ metadata: namespace: {{ $.Release.Namespace }} spec: {{- include "element-io.ess-library.ingress.tls" (dict "root" $ "context" (dict "host" $.Values.serverName "ingress" .ingress "ingressName" "well-known")) | nindent 2 }} -{{- include "element-io.ess-library.ingress.className" (dict "root" $ "context" .ingress.className) | nindent 2 }} +{{- include "element-io.ess-library.ingress.className" (dict "root" $ "context" .ingress.Ingress.className) | nindent 2 }} rules: - host: "{{ tpl $.Values.serverName $ }}" http: @@ -32,7 +32,7 @@ spec: name: haproxy-wkd {{- else }} - path: /.well-known/matrix - pathType: {{ include "element-io.ess-library.ingress.ingress-nginx-dot-path-type" (dict "root" $ "context" .ingress.controllerType) }} + pathType: {{ include "element-io.ess-library.ingress.ingress-nginx-dot-path-type" (dict "root" $ "context" .ingress.Ingress.controllerType) }} backend: service: name: "{{ $.Release.Name }}-well-known" diff --git a/charts/matrix-stack/values.schema.json b/charts/matrix-stack/values.schema.json index f837fd4cd..79a3a2f6a 100644 --- a/charts/matrix-stack/values.schema.json +++ b/charts/matrix-stack/values.schema.json 
@@ -224,6 +224,93 @@ }, "additionalProperties": false }, + "routes": { + "type": "object", + "properties": { + "existingGateways": { + "type": "array", + "items": { + "type": "object", + "required": [ + "name" + ], + "properties": { + "name": { + "type": "string" + }, + "namespace": { + "type": "string" + }, + "group": { + "type": "string" + }, + "kind": { + "type": "string" + }, + "sectionName": { + "type": "string" + }, + "port": { + "type": "integer" + } + }, + "additionalProperties": false + }, + "minItems": 1 + }, + "annotations": { + "type": "object", + "additionalProperties": { + "type": "string" + } + }, + "tlsEnabled": { + "type": "boolean" + }, + "tlsSecret": { + "type": "string" + }, + "service": { + "type": "object", + "required": [ + "type", + "internalTrafficPolicy" + ], + "properties": { + "annotations": { + "type": "object", + "additionalProperties": { + "type": "string" + } + }, + "type": { + "type": "string", + "enum": [ + "ClusterIP", + "NodePort", + "LoadBalancer" + ] + }, + "internalTrafficPolicy": { + "type": "string", + "enum": [ + "Cluster", + "Local" + ] + }, + "externalTrafficPolicy": { + "type": "string", + "enum": [ + "Cluster", + "Local" + ] + } + }, + "additionalProperties": false + } + }, + "additionalProperties": false + }, "tolerations": { "type": "array", "items": { @@ -373,6 +460,32 @@ }, "additionalProperties": false }, + "gateway": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + }, + "className": { + "type": "string" + }, + "annotations": { + "type": "object", + "additionalProperties": { + "type": "string" + } + } + }, + "additionalProperties": false + }, + "inboundTrafficHandler": { + "type": "string", + "enum": [ + "ingress", + "routes", + "none" + ] + }, "deploymentMarkers": { "$id": "file://deployment-markers", "$schema": "https://json-schema.org/draft/2020-12/schema", 
@@ -1307,6 +1420,14 @@ }, "additionalProperties": false }, + "inboundTrafficHandler": { + "type": "string", + "enum": [ + "ingress", + "routes", + "none" + ] + }, "replicas": { "type": "integer" }, @@ -1553,6 +1674,101 @@ }, "additionalProperties": false }, + "routes": { + "type": "object", + "properties": { + "existingGateways": { + "type": "array", + "items": { + "type": "object", + "required": [ + "name" + ], + "properties": { + "name": { + "type": "string" + }, + "namespace": { + "type": "string" + }, + "group": { + "type": "string" + }, + "kind": { + "type": "string" + }, + "sectionName": { + "type": "string" + }, + "port": { + "type": "integer" + } + }, + "additionalProperties": false + }, + "minItems": 1 + }, + "host": { + "type": "string" + }, + "annotations": { + "type": "object", + "additionalProperties": { + "type": "string" + } + }, + "tlsEnabled": { + "type": "boolean" + }, + "tlsSecret": { + "type": "string" + }, + "service": { + "type": "object", + "properties": { + "type": { + "type": "string", + "enum": [ + "ClusterIP", + "NodePort", + "LoadBalancer" + ] + }, + "annotations": { + "type": "object", + "additionalProperties": { + "type": [ + "string", + "null" + ] + } + }, + "internalTrafficPolicy": { + "type": "string", + "enum": [ + "Cluster", + "Local" + ] + }, + "externalTrafficPolicy": { + "type": "string", + "enum": [ + "Cluster", + "Local" + ] + }, + "externalIPs": { + "type": "array", + "items": { + "type": "string" + } + } + }, + "additionalProperties": false + } + }, + "additionalProperties": false + }, "labels": { "type": "object", "additionalProperties": { @@ -3039,6 +3255,14 @@ "minimum": 1, "type": "integer" }, + "inboundTrafficHandler": { + "type": "string", + "enum": [ + "ingress", + "routes", + "none" + ] + }, "image": { "type": "object", "required": [ 
@@ -3190,52 +3414,147 @@ }, "additionalProperties": false }, - "labels": { + "routes": { "type": "object", - "additionalProperties": { - "type": [ - "string", - "null" - ] - } - }, - "extraVolumes": { - "type": "array", - "items": { - "type": "object", - "required": [ - "name" - ], - "additionalProperties": true, - "properties": { - "name": { - "type": "string" - } - } - } - }, - "extraVolumeMounts": { - "type": "array", - "items": { - "required": [ - "name", - "mountPath" - ], - "type": "object", - "description": "VolumeMount describes a mounting of a Volume within a container.", - "properties": { - "readOnly": { - "type": "boolean", - "description": "Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false." - }, - "mountPath": { - "type": [ - "string", - "null" + "properties": { + "existingGateways": { + "type": "array", + "items": { + "type": "object", + "required": [ + "name" ], - "description": "Path within the container at which the volume should be mounted. Must not contain ':'." 
+ "properties": { + "name": { + "type": "string" + }, + "namespace": { + "type": "string" + }, + "group": { + "type": "string" + }, + "kind": { + "type": "string" + }, + "sectionName": { + "type": "string" + }, + "port": { + "type": "integer" + } + }, + "additionalProperties": false }, - "subPath": { + "minItems": 1 + }, + "host": { + "type": "string" + }, + "annotations": { + "type": "object", + "additionalProperties": { + "type": "string" + } + }, + "tlsEnabled": { + "type": "boolean" + }, + "tlsSecret": { + "type": "string" + }, + "service": { + "type": "object", + "properties": { + "type": { + "type": "string", + "enum": [ + "ClusterIP", + "NodePort", + "LoadBalancer" + ] + }, + "annotations": { + "type": "object", + "additionalProperties": { + "type": [ + "string", + "null" + ] + } + }, + "internalTrafficPolicy": { + "type": "string", + "enum": [ + "Cluster", + "Local" + ] + }, + "externalTrafficPolicy": { + "type": "string", + "enum": [ + "Cluster", + "Local" + ] + }, + "externalIPs": { + "type": "array", + "items": { + "type": "string" + } + } + }, + "additionalProperties": false + } + }, + "additionalProperties": false + }, + "labels": { + "type": "object", + "additionalProperties": { + "type": [ + "string", + "null" + ] + } + }, + "extraVolumes": { + "type": "array", + "items": { + "type": "object", + "required": [ + "name" + ], + "additionalProperties": true, + "properties": { + "name": { + "type": "string" + } + } + } + }, + "extraVolumeMounts": { + "type": "array", + "items": { + "required": [ + "name", + "mountPath" + ], + "type": "object", + "description": "VolumeMount describes a mounting of a Volume within a container.", + "properties": { + "readOnly": { + "type": "boolean", + "description": "Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false." + }, + "mountPath": { + "type": [ + "string", + "null" + ], + "description": "Path within the container at which the volume should be mounted. Must not contain ':'." 
+ }, + "subPath": { "type": [ "string", "null" @@ -3744,6 +4063,14 @@ "minimum": 1, "type": "integer" }, + "inboundTrafficHandler": { + "type": "string", + "enum": [ + "ingress", + "routes", + "none" + ] + }, "extraVolumes": { "type": "array", "items": { @@ -3968,6 +4295,101 @@ }, "additionalProperties": false }, + "routes": { + "type": "object", + "properties": { + "existingGateways": { + "type": "array", + "items": { + "type": "object", + "required": [ + "name" + ], + "properties": { + "name": { + "type": "string" + }, + "namespace": { + "type": "string" + }, + "group": { + "type": "string" + }, + "kind": { + "type": "string" + }, + "sectionName": { + "type": "string" + }, + "port": { + "type": "integer" + } + }, + "additionalProperties": false + }, + "minItems": 1 + }, + "host": { + "type": "string" + }, + "annotations": { + "type": "object", + "additionalProperties": { + "type": "string" + } + }, + "tlsEnabled": { + "type": "boolean" + }, + "tlsSecret": { + "type": "string" + }, + "service": { + "type": "object", + "properties": { + "type": { + "type": "string", + "enum": [ + "ClusterIP", + "NodePort", + "LoadBalancer" + ] + }, + "annotations": { + "type": "object", + "additionalProperties": { + "type": [ + "string", + "null" + ] + } + }, + "internalTrafficPolicy": { + "type": "string", + "enum": [ + "Cluster", + "Local" + ] + }, + "externalTrafficPolicy": { + "type": "string", + "enum": [ + "Cluster", + "Local" + ] + }, + "externalIPs": { + "type": "array", + "items": { + "type": "string" + } + } + }, + "additionalProperties": false + } + }, + "additionalProperties": false + }, "labels": { "type": "object", "additionalProperties": { @@ -5174,6 +5596,14 @@ }, "additionalProperties": false }, + "inboundTrafficHandler": { + "type": "string", + "enum": [ + "ingress", + "routes", + "none" + ] + }, "additional": { "type": "object", "additionalProperties": { 
@@ -5293,6 +5723,101 @@ }, "additionalProperties": false }, + "routes": { + "type": "object", + "properties": { + "existingGateways": { + "type": "array", + "items": { + "type": "object", + "required": [ + "name" + ], + "properties": { + "name": { + "type": "string" + }, + "namespace": { + "type": "string" + }, + "group": { + "type": "string" + }, + "kind": { + "type": "string" + }, + "sectionName": { + "type": "string" + }, + "port": { + "type": "integer" + } + }, + "additionalProperties": false + }, + "minItems": 1 + }, + "host": { + "type": "string" + }, + "annotations": { + "type": "object", + "additionalProperties": { + "type": "string" + } + }, + "tlsEnabled": { + "type": "boolean" + }, + "tlsSecret": { + "type": "string" + }, + "service": { + "type": "object", + "properties": { + "type": { + "type": "string", + "enum": [ + "ClusterIP", + "NodePort", + "LoadBalancer" + ] + }, + "annotations": { + "type": "object", + "additionalProperties": { + "type": [ + "string", + "null" + ] + } + }, + "internalTrafficPolicy": { + "type": "string", + "enum": [ + "Cluster", + "Local" + ] + }, + "externalTrafficPolicy": { + "type": "string", + "enum": [ + "Cluster", + "Local" + ] + }, + "externalIPs": { + "type": "array", + "items": { + "type": "string" + } + } + }, + "additionalProperties": false + } + }, + "additionalProperties": false + }, "image": { "type": "object", "required": [ @@ -6656,6 +7181,14 @@ }, "additionalProperties": false }, + "inboundTrafficHandler": { + "type": "string", + "enum": [ + "ingress", + "routes", + "none" + ] + }, "ingress": { "type": "object", "properties": { 
@@ -6732,6 +7265,101 @@ }, "additionalProperties": false }, + "routes": { + "type": "object", + "properties": { + "existingGateways": { + "type": "array", + "items": { + "type": "object", + "required": [ + "name" + ], + "properties": { + "name": { + "type": "string" + }, + "namespace": { + "type": "string" + }, + "group": { + "type": "string" + }, + "kind": { + "type": "string" + }, + "sectionName": { + "type": "string" + }, + "port": { + "type": "integer" + } + }, + "additionalProperties": false + }, + "minItems": 1 + }, + "host": { + "type": "string" + }, + "annotations": { + "type": "object", + "additionalProperties": { + "type": "string" + } + }, + "tlsEnabled": { + "type": "boolean" + }, + "tlsSecret": { + "type": "string" + }, + "service": { + "type": "object", + "properties": { + "type": { + "type": "string", + "enum": [ + "ClusterIP", + "NodePort", + "LoadBalancer" + ] + }, + "annotations": { + "type": "object", + "additionalProperties": { + "type": [ + "string", + "null" + ] + } + }, + "internalTrafficPolicy": { + "type": "string", + "enum": [ + "Cluster", + "Local" + ] + }, + "externalTrafficPolicy": { + "type": "string", + "enum": [ + "Cluster", + "Local" + ] + }, + "externalIPs": { + "type": "array", + "items": { + "type": "string" + } + } + }, + "additionalProperties": false + } + }, + "additionalProperties": false + }, "image": { "type": "object", "required": [ @@ -9408,6 +10036,14 @@ "type": "string" } }, + "inboundTrafficHandler": { + "type": "string", + "enum": [ + "ingress", + "routes", + "none" + ] + }, "ingress": { "type": "object", "properties": { 
@@ -9555,6 +10191,174 @@ }, "additionalProperties": false }, + "routes": { + "type": "object", + "properties": { + "existingGateways": { + "type": "array", + "items": { + "type": "object", + "required": [ + "name" + ], + "properties": { + "name": { + "type": "string" + }, + "namespace": { + "type": "string" + }, + "group": { + "type": "string" + }, + "kind": { + "type": "string" + }, + "sectionName": { + "type": "string" + }, + "port": { + "type": "integer" + } + }, + "additionalProperties": false + } + }, + "annotations": { + "type": "object", + "additionalProperties": { + "type": [ + "string", + "null" + ] + } + }, + "host": { + "type": "string" + }, + "tlsEnabled": { + "type": "boolean" + }, + "tlsSecret": { + "type": "string" + }, + "service": { + "type": "object", + "properties": { + "type": { + "type": "string", + "enum": [ + "ClusterIP", + "NodePort", + "LoadBalancer" + ] + }, + "annotations": { + "type": "object", + "additionalProperties": { + "type": [ + "string", + "null" + ] + } + }, + "internalTrafficPolicy": { + "type": "string", + "enum": [ + "Cluster", + "Local" + ] + }, + "externalTrafficPolicy": { + "type": "string", + "enum": [ + "Cluster", + "Local" + ] + }, + "externalIPs": { + "type": "array", + "items": { + "type": "string" + } + } + }, + "additionalProperties": false + }, + "additionalPaths": { + "type": "array", + "items": { + "type": "object", + "required": [ + "path", + "availability" + ], + "properties": { + "path": { + "type": "string" + }, + "availability": { + "type": "string", + "enum": [ + "internally_and_externally", + "only_externally", + "blocked" + ] + }, + "service": { + "type": "object", + "required": [ + "name", + "port" + ], + "properties": { + "name": { + "type": "string" + }, + "port": { + "type": "object", + "oneOf": [ + { + "required": [ + "name" + ], + "not": { + "required": [ + "number" + ] + } + }, + { + "required": [ + "number" + ], + "not": { + "required": [ + "name" + ] + } + } + ], + "properties": { + "name": { + 
"type": "string" + }, + "number": { + "type": "integer" + } + }, + "additionalProperties": false + } + }, + "additionalProperties": false + } + }, + "additionalProperties": false + } + } + }, + "additionalProperties": false + }, "image": { "type": "object", "required": [ @@ -15199,6 +16003,14 @@ "enabled": { "type": "boolean" }, + "inboundTrafficHandler": { + "type": "string", + "enum": [ + "ingress", + "routes", + "none" + ] + }, "ingress": { "type": "object", "properties": { @@ -15272,6 +16084,98 @@ }, "additionalProperties": false }, + "routes": { + "type": "object", + "properties": { + "existingGateways": { + "type": "array", + "items": { + "type": "object", + "required": [ + "name" + ], + "properties": { + "name": { + "type": "string" + }, + "namespace": { + "type": "string" + }, + "group": { + "type": "string" + }, + "kind": { + "type": "string" + }, + "sectionName": { + "type": "string" + }, + "port": { + "type": "integer" + } + }, + "additionalProperties": false + }, + "minItems": 1 + }, + "annotations": { + "type": "object", + "additionalProperties": { + "type": "string" + } + }, + "tlsEnabled": { + "type": "boolean" + }, + "tlsSecret": { + "type": "string" + }, + "service": { + "type": "object", + "properties": { + "type": { + "type": "string", + "enum": [ + "ClusterIP", + "NodePort", + "LoadBalancer" + ] + }, + "annotations": { + "type": "object", + "additionalProperties": { + "type": [ + "string", + "null" + ] + } + }, + "internalTrafficPolicy": { + "type": "string", + "enum": [ + "Cluster", + "Local" + ] + }, + "externalTrafficPolicy": { + "type": "string", + "enum": [ + "Cluster", + "Local" + ] + }, + "externalIPs": { + "type": "array", + "items": { + "type": "string" + } + } + }, + "additionalProperties": false + } + }, + "additionalProperties": false + }, "labels": { "type": "object", "additionalProperties": { diff --git a/charts/matrix-stack/values.yaml b/charts/matrix-stack/values.yaml index 823865483..9dbd0d928 100644 
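Review bot: The `routes` block added at +10191 is looser than its siblings. Its `existingGateways` has no `"minItems": 1`, so an empty list validates here while the blocks at +5723, +7265 and +16084 reject it, and its route `annotations` accept `null` where the others accept only `string`. If the difference is deliberate it deserves a line in the values documentation; otherwise add `"minItems": 1` after the `items` object and settle on one `annotations` type for all four blocks. The `null` form looks like the way to drop an inherited annotation when global and component values are merged, which would argue for allowing it everywhere, but that is inferred from the values comments rather than shown in the schema.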
--- a/charts/matrix-stack/values.yaml +++ b/charts/matrix-stack/values.yaml @@ -56,9 +56,6 @@ ingress: ## Annotations to be added to all Ingresses. Will be merged with component specific Ingress annotations annotations: {} - ## What Ingress Class Name that should be used for all Ingresses by default - # className: - ## Disable TLS configuration by setting it to false tlsEnabled: true @@ -73,10 +70,38 @@ ingress: # External traffic policy will be configured on services of type `NodePort` and `LoadBalancer` externalTrafficPolicy: Cluster internalTrafficPolicy: Cluster + + ## What Ingress Class Name that should be used for all Ingresses by default + # className: + ## If set, some tweaks will be applied automatically to ingresses based on the controller type here. ## This can be set to `ingress-nginx`. # controllerType: +## How all routes should be constructed by default, unless overridden +routes: + ## Annotations to be added to all routes. Will be merged with component specific route annotations + annotations: {} + + ## Disable TLS configuration by setting it to false + tlsEnabled: true + + ## The name of the Secret containing the TLS certificate and the key that should be used for all routes by default + # tlsSecret: + + ## How the Services behind all routes is constructed by default + service: + type: ClusterIP + ## Annotations to be added to all routes services. Will be merged with component specific route services annotations + annotations: {} + # External traffic policy will be configured on services of type `NodePort` and `LoadBalancer` + externalTrafficPolicy: Cluster + internalTrafficPolicy: Cluster + + ## List of existing Gateway parent refs to connect the routes to. + ## More info: https://gateway-api.sigs.k8s.io/reference/spec/#parentreference + # existingGateways: {} + ## Common image properties that are applied as defaults to all components. image: ## The pullPolicy to use for all images. This overrides the pullPolicy used by the templates 
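Review bot: The commented example `# existingGateways: {}` in the new top-level `routes:` section shows a mapping, but the component schemas added in this commit declare `existingGateways` as an array of objects with a required `name`. Uncommenting the line as written would therefore fail validation wherever that array schema applies. A list-shaped example would be `# existingGateways:` followed by `#   - name: <gateway-name>` and `#     namespace: <gateway-namespace>`. The same line is repeated in the component `routes:` sections added at +536, +1232, +1523, +2097, +2577, +5152 and +5420.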
@@ -135,6 +160,20 @@ networking: ## Whether components should attempt to bind IPv4 (ipv4) /IPv6 (ipv6) / both (dual-stack) ipFamily: dual-stack +## Gateway configuration options +gateway: + ## Create a default gateway for all routes + create: false + + ## Set the gateway class to use. If not set it will use the cluster default + # className: "" + + ## Additional annotations to add to the gateway resource + annotations: {} + +## Set the default inbound traffic handler type. Options are ingress | routes | none +inboundTrafficHandler: ingress + ## Components initSecrets: enabled: true @@ -481,9 +520,6 @@ matrixRTC: ## Annotations to be added to this Ingress annotations: {} - ## What Ingress Class Name that should be used for this Ingress - # className: - ## Disable TLS configuration by setting it to false tlsEnabled: true 
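Review bot: The comment on `inboundTrafficHandler` lists `ingress | routes | none` without saying what each option renders, and nothing in the added `gateway:` block says how it relates to `routes`. With the defaults shown (`gateway.create: false`, `existingGateways` commented out), switching to `routes` appears to leave the routes with no Gateway to attach to; whether the templates reject that combination is not visible in this hunk. I would extend the comment, for example `## routes requires gateway.create: true or routes.existingGateways; none renders no inbound resources`, adjusted to what the templates actually do. It is also worth mentioning that the schema allows each component to override the value.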
@@ -500,9 +536,41 @@ matrixRTC: # # External IPs addresses of this service. # externalIPs: [] service: {} + + ## What Ingress Class Name that should be used for this Ingress + # className: + ## If set, some tweaks will be applied automatically to ingresses based on the controller type here. ## This can be set to `ingress-nginx`. # controllerType: + ## How this component's routes should be constructed + routes: + ## What hostname should be used for this component + # host: + + ## Annotations to be added to this route + annotations: {} + + ## Disable TLS configuration by setting it to false + tlsEnabled: true + + ## The name of the Secret containing the TLS certificate and the key that should be used for this route + # tlsSecret: + + ## How the Service behind this route is constructed + # service: + # type: ClusterIP + # annotations: {} + # # External traffic policy will be configured on services of type `NodePort` and `LoadBalancer` + # externalTrafficPolicy: Cluster + # internalTrafficPolicy: Cluster + # # External IPs addresses of this service. + # externalIPs: [] + service: {} + + ## List of existing Gateway parent refs to connect the routes to. + ## More info: https://gateway-api.sigs.k8s.io/reference/spec/#parentreference + # existingGateways: {} # Details of the image to be used image: ## The host and (optional) port of the container image registry for this component. @@ -1148,9 +1216,6 @@ elementAdmin: ## Annotations to be added to this Ingress annotations: {} - ## What Ingress Class Name that should be used for this Ingress - # className: - ## Disable TLS configuration by setting it to false tlsEnabled: true 
@@ -1167,9 +1232,41 @@ elementAdmin: # # External IPs addresses of this service. # externalIPs: [] service: {} + + ## What Ingress Class Name that should be used for this Ingress + # className: + ## If set, some tweaks will be applied automatically to ingresses based on the controller type here. ## This can be set to `ingress-nginx`. # controllerType: + ## How this component's routes should be constructed + routes: + ## What hostname should be used for this component + # host: + + ## Annotations to be added to this route + annotations: {} + + ## Disable TLS configuration by setting it to false + tlsEnabled: true + + ## The name of the Secret containing the TLS certificate and the key that should be used for this route + # tlsSecret: + + ## How the Service behind this route is constructed + # service: + # type: ClusterIP + # annotations: {} + # # External traffic policy will be configured on services of type `NodePort` and `LoadBalancer` + # externalTrafficPolicy: Cluster + # internalTrafficPolicy: Cluster + # # External IPs addresses of this service. + # externalIPs: [] + service: {} + + ## List of existing Gateway parent refs to connect the routes to. + ## More info: https://gateway-api.sigs.k8s.io/reference/spec/#parentreference + # existingGateways: {} ## Labels to add to all manifest for this component labels: {} ## Defines the annotations to add to the workload @@ -1410,9 +1507,6 @@ elementWeb: ## Annotations to be added to this Ingress annotations: {} - ## What Ingress Class Name that should be used for this Ingress - # className: - ## Disable TLS configuration by setting it to false tlsEnabled: true 
@@ -1429,9 +1523,41 @@ elementWeb: # # External IPs addresses of this service. # externalIPs: [] service: {} + + ## What Ingress Class Name that should be used for this Ingress + # className: + ## If set, some tweaks will be applied automatically to ingresses based on the controller type here. ## This can be set to `ingress-nginx`. # controllerType: + ## How this component's routes should be constructed + routes: + ## What hostname should be used for this component + # host: + + ## Annotations to be added to this route + annotations: {} + + ## Disable TLS configuration by setting it to false + tlsEnabled: true + + ## The name of the Secret containing the TLS certificate and the key that should be used for this route + # tlsSecret: + + ## How the Service behind this route is constructed + # service: + # type: ClusterIP + # annotations: {} + # # External traffic policy will be configured on services of type `NodePort` and `LoadBalancer` + # externalTrafficPolicy: Cluster + # internalTrafficPolicy: Cluster + # # External IPs addresses of this service. + # externalIPs: [] + service: {} + + ## List of existing Gateway parent refs to connect the routes to. + ## More info: https://gateway-api.sigs.k8s.io/reference/spec/#parentreference + # existingGateways: {} ## Labels to add to all manifest for this component labels: {} ## Defines the annotations to add to the workload @@ -1955,9 +2081,6 @@ hookshot: ## Annotations to be added to this Ingress annotations: {} - ## What Ingress Class Name that should be used for this Ingress - # className: - ## Disable TLS configuration by setting it to false tlsEnabled: true 
@@ -1974,10 +2097,43 @@ hookshot: # # External IPs addresses of this service. # externalIPs: [] service: {} + + ## What Ingress Class Name that should be used for this Ingress + # className: + ## If set, some tweaks will be applied automatically to ingresses based on the controller type here. ## This can be set to `ingress-nginx`. # controllerType: + ## How this component's routes should be constructed + routes: + ## What hostname should be used for this component + # host: + + ## Annotations to be added to this route + annotations: {} + + ## Disable TLS configuration by setting it to false + tlsEnabled: true + + ## The name of the Secret containing the TLS certificate and the key that should be used for this route + # tlsSecret: + + ## How the Service behind this route is constructed + # service: + # type: ClusterIP + # annotations: {} + # # External traffic policy will be configured on services of type `NodePort` and `LoadBalancer` + # externalTrafficPolicy: Cluster + # internalTrafficPolicy: Cluster + # # External IPs addresses of this service. + # externalIPs: [] + service: {} + + ## List of existing Gateway parent refs to connect the routes to. + ## More info: https://gateway-api.sigs.k8s.io/reference/spec/#parentreference + # existingGateways: {} + ## Additional configuration to provide to Hookshot. ## You can, if you whish, override it in the additional config. ## Each key under additional is an additional config to merge into Hookshot hookshot-config.yaml @@ -2405,9 +2561,6 @@ matrixAuthenticationService: ## Annotations to be added to this Ingress annotations: {} - ## What Ingress Class Name that should be used for this Ingress - # className: - ## Disable TLS configuration by setting it to false tlsEnabled: true 
@@ -2424,10 +2577,43 @@ matrixAuthenticationService: # # External IPs addresses of this service. # externalIPs: [] service: {} + + ## What Ingress Class Name that should be used for this Ingress + # className: + ## If set, some tweaks will be applied automatically to ingresses based on the controller type here. ## This can be set to `ingress-nginx`. # controllerType: + ## How this component's routes should be constructed + routes: + ## What hostname should be used for this component + # host: + + ## Annotations to be added to this route + annotations: {} + + ## Disable TLS configuration by setting it to false + tlsEnabled: true + + ## The name of the Secret containing the TLS certificate and the key that should be used for this route + # tlsSecret: + + ## How the Service behind this route is constructed + # service: + # type: ClusterIP + # annotations: {} + # # External traffic policy will be configured on services of type `NodePort` and `LoadBalancer` + # externalTrafficPolicy: Cluster + # internalTrafficPolicy: Cluster + # # External IPs addresses of this service. + # externalIPs: [] + service: {} + + ## List of existing Gateway parent refs to connect the routes to. + ## More info: https://gateway-api.sigs.k8s.io/reference/spec/#parentreference + # existingGateways: {} + ## Kubernetes resources to allocate to each instance. resources: ## Requests describes the minimum amount of compute resources required. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ @@ -4950,9 +5136,6 @@ synapse: ## Annotations to be added to this Ingress annotations: {} - ## What Ingress Class Name that should be used for this Ingress - # className: - ## Disable TLS configuration by setting it to false tlsEnabled: true 
@@ -4969,9 +5152,41 @@ synapse: # # External IPs addresses of this service. # externalIPs: [] service: {} + + ## What Ingress Class Name that should be used for this Ingress + # className: + ## If set, some tweaks will be applied automatically to ingresses based on the controller type here. ## This can be set to `ingress-nginx`. # controllerType: + ## How this component's routes should be constructed + routes: + ## What hostname should be used for this component + # host: + + ## Annotations to be added to this route + annotations: {} + + ## Disable TLS configuration by setting it to false + tlsEnabled: true + + ## The name of the Secret containing the TLS certificate and the key that should be used for this route + # tlsSecret: + + ## How the Service behind this route is constructed + # service: + # type: ClusterIP + # annotations: {} + # # External traffic policy will be configured on services of type `NodePort` and `LoadBalancer` + # externalTrafficPolicy: Cluster + # internalTrafficPolicy: Cluster + # # External IPs addresses of this service. + # externalIPs: [] + service: {} + + ## List of existing Gateway parent refs to connect the routes to. + ## More info: https://gateway-api.sigs.k8s.io/reference/spec/#parentreference + # existingGateways: {} ## Labels to add to all manifest for this component labels: {} ## Defines the annotations to add to the workload @@ -5189,9 +5404,6 @@ wellKnownDelegation: ## Annotations to be added to this Ingress annotations: {} - ## What Ingress Class Name that should be used for this Ingress - # className: - ## Disable TLS configuration by setting it to false tlsEnabled: true 
@@ -5208,10 +5420,40 @@ wellKnownDelegation: # # External IPs addresses of this service. # externalIPs: [] service: {} + + ## What Ingress Class Name that should be used for this Ingress + # className: + ## If set, some tweaks will be applied automatically to ingresses based on the controller type here. ## This can be set to `ingress-nginx`. # controllerType: + ## How this component's routes should be constructed + routes: + ## Annotations to be added to this route + annotations: {} + + ## Disable TLS configuration by setting it to false + tlsEnabled: true + + ## The name of the Secret containing the TLS certificate and the key that should be used for this route + # tlsSecret: + + ## How the Service behind this route is constructed + # service: + # type: ClusterIP + # annotations: {} + # # External traffic policy will be configured on services of type `NodePort` and `LoadBalancer` + # externalTrafficPolicy: Cluster + # internalTrafficPolicy: Cluster + # # External IPs addresses of this service. + # externalIPs: [] + service: {} + + ## List of existing Gateway parent refs to connect the routes to. + ## More info: https://gateway-api.sigs.k8s.io/reference/spec/#parentreference + # existingGateways: {} + ## If ElementWeb is deployed, the base domain will redirect to it's ingress host by default ## If ElementWeb is not deployed or this is disabled, no base domain URL redirect will be set. baseDomainRedirect: