k8s-and-chill/rendered/envs/minikube/matrix-synapse/deployment-matrix-synapse.yaml


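---
# Deployment for the Synapse homeserver in the "matrix" namespace.
# The file path and the managed-by label indicate rendered Helm output, so
# lasting changes presumably belong in the chart values - confirm the workflow.
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
  labels:
    app.kubernetes.io/component: synapse
    app.kubernetes.io/instance: matrix-synapse
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: matrix-synapse
    # Quoted so the value can never be re-typed by a YAML parser.
    app.kubernetes.io/version: '1.152.0'
    helm.sh/chart: matrix-synapse-3.12.26
  name: matrix-synapse
  namespace: matrix
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/component: synapse
      app.kubernetes.io/instance: matrix-synapse
      app.kubernetes.io/name: matrix-synapse
  strategy:
    # Recreate stops the old pod before the new one starts.
    type: Recreate
  template:
    metadata:
      annotations:
        # Checksums of the rendered config and secrets; a change here rolls
        # the pod so it picks up new configuration.
        checksum/config: 'b3e92fce9a7e5897b6fc2e70062c6e23d2c266b55272de2993799c85b3e94952'
        checksum/secrets: '54091df516cd7bf15484597ec0c9613cd969341f977e3228b5416997dc9b8c95'
      labels:
        app.kubernetes.io/component: synapse
        app.kubernetes.io/instance: matrix-synapse
        app.kubernetes.io/name: matrix-synapse
    spec:
      # NOTE(review): nothing in this manifest shows Synapse calling the
      # Kubernetes API. If the ServiceAccount does not already disable it,
      # consider automountServiceAccountToken: false - confirm first.
      containers:
        # The entrypoint script below does three things before starting
        # Synapse:
        #   1. substitutes the database/redis passwords into the secret
        #      config templates and writes them to the conf.d emptyDir,
        #   2. waits up to 60 x 2s for the synapse-secrets files, then
        #      refuses to start if any of them is still missing or empty
        #      (fail closed instead of writing blank secret values),
        #   3. writes the three secrets to zz-overrides.yaml and execs
        #      the homeserver.
        # Caveats: only '/' and '&' are escaped for the sed replacement, and
        # the printf wraps each secret in double quotes without escaping, so
        # values containing backslashes, double quotes or newlines would not
        # survive unchanged. Keep generated secrets to a safe alphabet.
        - command:
            - sh
            - -c
            - |
              export POSTGRES_PASSWORD=$(echo "${POSTGRES_PASSWORD:-}" | sed 's/\//\\\//g' | sed 's/\&/\\\&/g') && \
              export REDIS_PASSWORD=$(echo "${REDIS_PASSWORD:-}" | sed 's/\//\\\//g' | sed 's/\&/\\\&/g') && \
              cat /synapse/secrets/*.yaml | \
                sed -e "s/@@POSTGRES_PASSWORD@@/${POSTGRES_PASSWORD:-}/" \
                    -e "s/@@REDIS_PASSWORD@@/${REDIS_PASSWORD:-}/" \
                    > /synapse/config/conf.d/secrets.yaml
              i=0
              while [ ! -s /synapse/extra-secrets/registration_shared_secret ] && [ "$i" -lt 60 ]; do
                echo "waiting for synapse-secrets"
                sleep 2
                i=$((i+1))
              done
              # Fail closed: never start the homeserver with blank secrets.
              for f in registration_shared_secret macaroon_secret_key form_secret; do
                if [ ! -s "/synapse/extra-secrets/$f" ]; then
                  echo "synapse-secrets: $f is missing or empty, refusing to start" >&2
                  exit 1
                fi
              done
              printf 'registration_shared_secret: "%s"\nmacaroon_secret_key: "%s"\nform_secret: "%s"\n' \
                "$(cat /synapse/extra-secrets/registration_shared_secret)" \
                "$(cat /synapse/extra-secrets/macaroon_secret_key)" \
                "$(cat /synapse/extra-secrets/form_secret)" \
                > /synapse/config/conf.d/zz-overrides.yaml
              exec python -B -m synapse.app.homeserver \
                -c /synapse/config/homeserver.yaml \
                -c /synapse/config/conf.d/
          env:
            # Injected from a Secret rather than written into the manifest.
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: password
                  name: synapse-cnpg-app
          # NOTE(review): a tag is a mutable reference, and with IfNotPresent
          # a node keeps whatever it pulled first. Consider pinning by digest,
          # e.g. ghcr.io/element-hq/synapse:v1.152.0@sha256:<verified-digest>
          # (placeholder - take the digest from a verified pull).
          image: ghcr.io/element-hq/synapse:v1.152.0
          imagePullPolicy: IfNotPresent
          livenessProbe:
            httpGet:
              path: /health
              port: http
          name: synapse
          ports:
            - containerPort: 8008
              name: http
              protocol: TCP
            - containerPort: 9093
              name: replication
              protocol: TCP
            - containerPort: 9090
              name: metrics
              protocol: TCP
          readinessProbe:
            httpGet:
              path: /health
              port: http
          resources:
            limits:
              memory: 512Mi
            requests:
              cpu: 100m
              memory: 256Mi
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            # NOTE(review): /tmp and conf.d are already emptyDir mounts and
            # python runs with -B, so readOnlyRootFilesystem: true looks
            # feasible. Confirm Synapse writes nowhere else (e.g. log files)
            # before enabling it.
          startupProbe:
            failureThreshold: 12
            httpGet:
              path: /health
              port: http
          volumeMounts:
            # ConfigMap and Secret mounts are marked read-only explicitly,
            # matching the existing synapse-secrets mount.
            - mountPath: /synapse/config
              name: config
              readOnly: true
            # Writable scratch space for the generated secrets.yaml and
            # zz-overrides.yaml.
            - mountPath: /synapse/config/conf.d
              name: tmpconf
            - mountPath: /synapse/secrets
              name: secrets
              readOnly: true
            - mountPath: /synapse/keys
              name: signingkey
              readOnly: true
            - mountPath: /synapse/data
              name: media
            - mountPath: /tmp
              name: tmpdir
            - mountPath: /synapse/extra-secrets
              name: synapse-secrets
              readOnly: true
      # Pod-level hardening: fixed non-root UID/GID and the runtime's default
      # seccomp profile.
      securityContext:
        fsGroup: 991
        runAsGroup: 991
        runAsNonRoot: true
        runAsUser: 991
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: matrix-synapse
      volumes:
        - configMap:
            name: matrix-synapse
          name: config
        - name: secrets
          secret:
            secretName: matrix-synapse
        # Only the signing key is projected from this Secret.
        - name: signingkey
          secret:
            items:
              - key: signing.key
                path: signing.key
            secretName: synapse-signing-key
        - emptyDir: {}
          name: tmpconf
        - emptyDir: {}
          name: tmpdir
        - name: media
          persistentVolumeClaim:
            claimName: matrix-synapse
        - name: synapse-secrets
          secret:
            secretName: synapse-secrets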