Update federation related parameters/docs; upgrade synapse, coturn, a…

…nd element (#582)

* fist attempt at accommodating trusted keys from an existing secret

* add updates to deployment to echo out what's going on

* set a default value for trusted_key_servers

* update deployment to use a secret as a volume instead of an env var for trusted key servers

* add some notes about trusted key servers from existing secret for matrix

* add more federation notes

* fix callout in readme

* update element to v1.11.69 to fix #581

* helm-docs: automated action

* update coturn to v6.2.1 which fixes #579 and updates synapse to v1.109.0 which fixes #580

* update to a major release, so that people know that things may break

---------

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

README.md

@@ -45,18 +45,79 @@ These features still need to be tested, but are technically baked into the chart
 - [matrix-org/matrix-appservice-irc](https://github.com/matrix-org/matrix-appservice-irc) IRC bridge
 - [tulir/mautrix-whatsapp](https://github.com/tulir/mautrix-whatsapp) WhatsApp bridge
 
-
 # Notes
 
+* [Databases](#databases)
+* [Federation](#federation)
+    * [Federation not Working](#federation-not-working)
+    * [Addiing Trusted Key Servers from an existing Secret](#addiing-trusted-key-servers-from-an-existing-secret)
+* [Notes on using Matrix Sliding Sync](#notes-on-using-matrix-sliding-sync)
+* [Notes on using MAS (Matrix Authentication Service)](#notes-on-using-mas-matrix-authentication-service)
+* [About and Status](#about-and-status)
+
 ## Databases
 
 You must select one of the following options:
 
 - Use the [Bitnami PostgreSQL subchart](https://github.com/bitnami/charts/tree/main/bitnami/postgresql) (set `postgresql.enabled` to `true`)
 - Use your own external database, which can also be PostgreSQL. (set `externalDatabase.enabled` to `true`)
 
-Note: you cannot enable both `externalDatabase` and `postgresql`. You must select _one_.
+> [!NOTE]
+>
+> You cannot enable both `externalDatabase` and `postgresql`. You must select _one_.
+
+
+## Federation
+
+### Federation not Working
+
+This can be broken for a number of reasons, and some of them are listed in the official [synapse docs](https://element-hq.github.io/synapse/latest/federate.html#setting-up-federation), but one that was persistent for the devs here was constantly getting a 401 when testing.
+
+I managed to finally get past that by adding the following to my values.yaml:
+
+```yaml
+synapse:
+  ingress:
+    # replace matrix.mydomain.com with your actual matrix domain
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      location /.well-known/matrix/server {
+        return 200 '{"m.server": "matrix.mydomain.com:443"}';
+        add_header Content-Type application/json;
+      }
+```
+
+> [!NOTE]
+>
+> By the way, you can test by going to `https://federationtester.matrix.org/api/report?server_name=matrix.mydomain.com` where `matrix.mydomain.com` is replaced by your synapse server.
+
+### Addiing Trusted Key Servers from an existing Secret
 
+If you'd like to get your [`trusted_key_servers`](https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#trusted_key_servers) from an existing Kubernetes Secret, you can do so with an in-line yaml block. Here's an example values.yaml:
+
+```yaml
+matrix:
+  security:
+    trustedKeyServersExistingSecret: "trusted-key-servers"
+    trustedKeyServersSecretKey: "trustedKeyServers"
+```
+
+Here's an example Kubernetes Secret using in-line YAML (NOTE the `trusted_key_servers`):
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: trusted-key-servers
+  namespace: matrix
+type: Opaque
+stringData:
+  # friend.com is the matrix server you'd like to federate with :)
+  trustedKeyServers: |-
+    trusted_key_servers:
+      - server_name: friend.com
+        verify_keys:
+          ed25519:auto: abcdefghijklmnopqrstuvwxyz1234567890
+```
 
 ## Notes on using Matrix Sliding Sync
 

charts/matrix/Chart.lock

@@ -4,12 +4,12 @@ dependencies:
   version: 15.1.4
 - name: coturn
   repository: https://small-hack.github.io/coturn-chart
-  version: 6.2.0
+  version: 6.2.1
 - name: matrix-sliding-sync
   repository: https://small-hack.github.io/matrix-sliding-sync-chart
   version: 0.5.0
 - name: matrix-authentication-service
   repository: https://small-hack.github.io/matrix-authentication-service-chart
   version: 0.8.1
-digest: sha256:eff383917708d0e81f115ba68241ba911a1979b22842ef3b63a4ea0b04b51995
-generated: "2024-06-09T11:07:51.017558786Z"
+digest: sha256:627a619aca7ddebe1a6fa738bd9d62ef2cf65eae7fb2147cfc22271eee8c0e19
+generated: "2024-06-20T13:11:00.78981229+02:00"

charts/matrix/Chart.yaml

@@ -8,10 +8,10 @@ sources:
 
 type: application
 
-version: 10.1.1
+version: 11.0.0
 
 # renovate: image=matrixdotorg/synapse
-appVersion: v1.108.0
+appVersion: v1.109.0
 
 maintainers:
   - name: "jessebot"
@@ -24,7 +24,7 @@ dependencies:
     condition: postgresql.enabled
 
   - name: coturn
-    version: 6.2.0
+    version: 6.2.1
     repository: https://small-hack.github.io/coturn-chart
     condition: coturn.enabled
 

charts/matrix/README.md

@@ -1,6 +1,6 @@
 # matrix
 
-![Version: 10.1.1](https://img.shields.io/badge/Version-10.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.108.0](https://img.shields.io/badge/AppVersion-v1.108.0-informational?style=flat-square)
+![Version: 11.0.0](https://img.shields.io/badge/Version-11.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.109.0](https://img.shields.io/badge/AppVersion-v1.109.0-informational?style=flat-square)
 
 A Helm chart to deploy a Matrix homeserver stack on Kubernetes
 
@@ -20,7 +20,7 @@ A Helm chart to deploy a Matrix homeserver stack on Kubernetes
 
 | Repository | Name | Version |
 |------------|------|---------|
-| https://small-hack.github.io/coturn-chart | coturn | 6.2.0 |
+| https://small-hack.github.io/coturn-chart | coturn | 6.2.1 |
 | https://small-hack.github.io/matrix-authentication-service-chart | mas(matrix-authentication-service) | 0.8.1 |
 | https://small-hack.github.io/matrix-sliding-sync-chart | syncv3(matrix-sliding-sync) | 0.5.0 |
 | oci://registry-1.docker.io/bitnamicharts | postgresql | 15.1.4 |
@@ -167,7 +167,7 @@ A Helm chart to deploy a Matrix homeserver stack on Kubernetes
 | element.enabled | bool | `true` | Set to false to disable a deployment of Element. Users will still be able to connect via any other instances of Element e.g. https://app.element.io, Element Desktop, or any other Matrix clients |
 | element.image.pullPolicy | string | `"IfNotPresent"` | pullPolicy to use for element image, set to Always if using latest tag |
 | element.image.repository | string | `"vectorim/element-web"` | registry and repository to use for element docker image |
-| element.image.tag | string | `"v1.11.68"` | tag to use for element docker image |
+| element.image.tag | string | `"v1.11.69"` | tag to use for element docker image |
 | element.ingress.annotations."cert-manager.io/cluster-issuer" | string | `"letsencrypt-staging"` | required for TLS certs issued by cert-manager |
 | element.ingress.annotations."nginx.ingress.kubernetes.io/configuration-snippet" | string | `"proxy_intercept_errors off;\n"` |  |
 | element.ingress.className | string | `"nginx"` | ingressClassName for the k8s ingress |
@@ -405,7 +405,7 @@ A Helm chart to deploy a Matrix homeserver stack on Kubernetes
 | matrix.experimental_features.msc3861.issuer | string | `"http://localhost:8080/"` | Synapse will call `{issuer}/.well-known/openid-configuration` to get the OIDC configuration |
 | matrix.extra_well_known_client_content | object | `{}` | extra sections for the your /.well-known/matrix/client which returns json used by clients to know where your matrix sliding sync server is |
 | matrix.federation.allowPublicRooms | bool | `true` | Allow members of other homeservers to fetch *public* rooms |
-| matrix.federation.blacklist | list | `["127.0.0.0/8","10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","100.64.0.0/10","169.254.0.0/16","::1/128","fe80::/64","fc00::/7"]` | IP addresses to blacklist federation requests to |
+| matrix.federation.blacklist | list | `[]` | IP addresses to blacklist federation requests to example blacklist values:  - '127.0.0.0/8'  - '10.0.0.0/8'  - '172.16.0.0/12'  - '192.168.0.0/16'  - '100.64.0.0/10'  - '169.254.0.0/16'  - '::1/128'  - 'fe80::/64'  - 'fc00::/7' |
 | matrix.federation.enabled | bool | `false` | Set to true to enable federation |
 | matrix.federation.ingress.annotations."cert-manager.io/cluster-issuer" | string | `"letsencrypt-staging"` | required for TLS certs issued by cert-manager |
 | matrix.federation.ingress.annotations."nginx.ingress.kubernetes.io/configuration-snippet" | string | `"proxy_intercept_errors off;\n"` | required for the Nginx ingress provider. You can remove it if you use a different ingress provider |
@@ -467,6 +467,9 @@ A Helm chart to deploy a Matrix homeserver stack on Kubernetes
 | matrix.retentionPeriod | string | `"7d"` | How long to keep redacted events in unredacted form in the database |
 | matrix.search | bool | `true` | Set to false to disable message searching |
 | matrix.security.surpressKeyServerWarning | bool | `true` |  |
+| matrix.security.trustedKeyServers | list | `[]` |  |
+| matrix.security.trustedKeyServersExistingSecret | string | `""` | use an existing Kubernetes Secret for trusted server list instead of matrix.security.trustedKeyServers |
+| matrix.security.trustedKeyServersSecretKey | string | `"trustedKeys"` | key in existing Kubernetes Secret for trusted server list |
 | matrix.serverName | string | `"example.com"` | Domain name of the server: This is not necessarily the host name where the service is reachable. In fact, you may want to omit any subdomains from this value as the server name set here will be the name of your homeserver in the fediverse, & will be the domain name at the end of every username |
 | matrix.telemetry | bool | `false` | Enable anonymous telemetry to matrix.org |
 | matrix.uploads | object | `{"maxPixels":"32M","maxSize":"10M"}` | Settings related to image and multimedia uploads |

charts/matrix/templates/synapse/_homeserver.yaml

@@ -1307,6 +1307,7 @@ signing_key_path: "/data/keys/{{ .Values.matrix.serverName }}.signing.key"
 #
 #key_refresh_interval: 1d
 
+{{- if and .Values.matrix.security.trustedKeyServers (not .Values.matrix.security.trustedKeyServersExistingSecret) }}
 # The trusted servers to download signing keys from.
 #
 # When we need to fetch a signing key, each server is tried in parallel.
@@ -1321,32 +1322,6 @@ signing_key_path: "/data/keys/{{ .Values.matrix.serverName }}.signing.key"
 # 'trusted_key_servers' defaults to matrix.org, but using it will generate a
 # warning on start-up. To suppress this warning, set
 # 'suppress_key_server_warning' to true.
-#
-# Options for each entry in the list include:
-#
-#    server_name: the name of the server. required.
-#
-#    verify_keys: an optional map from key id to base64-encoded public key.
-#       If specified, we will check that the response is signed by at least
-#       one of the given keys.
-#
-#    accept_keys_insecurely: a boolean. Normally, if `verify_keys` is unset,
-#       and federation_verify_certificates is not `true`, synapse will refuse
-#       to start, because this would allow anyone who can spoof DNS responses
-#       to masquerade as the trusted key server. If you know what you are doing
-#       and are sure that your network environment provides a secure connection
-#       to the key server, you can set this to `true` to override this
-#       behaviour.
-#
-# An example configuration might look like:
-#
-#trusted_key_servers:
-#  - server_name: "my_trusted_server.example.com"
-#    verify_keys:
-#      "ed25519:auto": "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr"
-#  - server_name: "my_other_trusted_server.example.com"
-#
-{{- if .Values.matrix.security.trustedKeyServers }}
 trusted_key_servers:
     {{- range .Values.matrix.security.trustedKeyServers }}
     - server_name: {{ .serverName }}
@@ -1360,6 +1335,8 @@ trusted_key_servers:
       accept_keys_insecurely: {{ .acceptKeysInsecurely }}
       {{- end }}
     {{- end }}
+{{- else }}
+trusted_key_servers: []
 {{- end }}
 
 # Uncomment the following to disable the warning that is emitted when the

charts/matrix/templates/synapse/deployment.yaml

@@ -277,11 +277,19 @@ spec:
               yq eval -i '.email.smtp_user = env(SMTP_USER)' /data/homeserver.yaml && \
               yq eval -i '.email.smtp_pass = env(SMTP_PASS)' /data/homeserver.yaml && \
               {{- end }}
+              {{- if and .Values.matrix.security.trustedKeyServersExistingSecret (not .Values.matrix.security.trustedKeyServers) }}
+              yq eval-all --inplace 'select(fileIndex == 0) * select(fileIndex == 1)' /data/homeserver.yaml /key-servers/{{ .Values.matrix.security.trustedKeyServersSecretKey }} && \
+              echo "Trusted key server merge finished." && \
+              {{- end }}
               yq eval -i '.database.args.host = env(DATABASE_HOSTNAME)' /data/homeserver.yaml && \
               yq eval -i '.database.args.database = env(DATABASE)' /data/homeserver.yaml && \
               yq eval -i '.database.args.user = env(DATABASE_USERNAME)' /data/homeserver.yaml && \
               yq eval -i '.database.args.password = env(DATABASE_PASSWORD)' /data/homeserver.yaml
           volumeMounts:
+            {{- if and .Values.matrix.security.trustedKeyServersExistingSecret (not .Values.matrix.security.trustedKeyServers) }}
+            - name: trusted-key-servers
+              mountPath: "/key-servers"
+            {{- end }}
             - name: synapse-initial-config
               mountPath: "/initial"
             - name: synapse-config
@@ -436,6 +444,11 @@ spec:
             {{- toYaml . | nindent 12 }}
           {{- end }}
       volumes:
+        {{- if and .Values.matrix.security.trustedKeyServersExistingSecret (not .Values.matrix.security.trustedKeyServers) }}
+        - name: trusted-key-servers
+          secret:
+            secretName: {{ .Values.matrix.security.trustedKeyServersExistingSecret }}
+        {{- end }}
         - name: synapse-initial-config
           configMap:
             name: {{ include "matrix.fullname" . }}-initial-synapse-config

charts/matrix/values.yaml

@@ -82,16 +82,17 @@ matrix:
     whitelist: []
 
     # -- IP addresses to blacklist federation requests to
-    blacklist:
-      - '127.0.0.0/8'
-      - '10.0.0.0/8'
-      - '172.16.0.0/12'
-      - '192.168.0.0/16'
-      - '100.64.0.0/10'
-      - '169.254.0.0/16'
-      - '::1/128'
-      - 'fe80::/64'
-      - 'fc00::/7'
+    # example blacklist values:
+    #  - '127.0.0.0/8'
+    #  - '10.0.0.0/8'
+    #  - '172.16.0.0/12'
+    #  - '192.168.0.0/16'
+    #  - '100.64.0.0/10'
+    #  - '169.254.0.0/16'
+    #  - '::1/128'
+    #  - 'fe80::/64'
+    #  - 'fc00::/7'
+    blacklist: []
 
     ingress:
       # -- enable ingress for federation
@@ -348,6 +349,14 @@ matrix:
     #         key: "abcdefghijklmnopqrstuvwxyzabcdefghijklmopqr"
     #     acceptKeysInsecurely: false
     #   - serverName: my_other_trusted_server.example.com
+    trustedKeyServers: []
+
+    # -- use an existing Kubernetes Secret for trusted server list instead of
+    # matrix.security.trustedKeyServers
+    trustedKeyServersExistingSecret: ""
+
+    # -- key in existing Kubernetes Secret for trusted server list
+    trustedKeyServersSecretKey: "trustedKeys"
 
   # -- Set to true to globally block access to the homeserver
   disabled: false
@@ -1507,7 +1516,7 @@ element:
     # -- registry and repository to use for element docker image
     repository: "vectorim/element-web"
     # -- tag to use for element docker image
-    tag: v1.11.68
+    tag: v1.11.69
     # -- pullPolicy to use for element image, set to Always if using latest tag
     pullPolicy: IfNotPresent
   service: