Update chart; Add simple test

2026-01-17 02:53:11 -06:00 · 2022-12-22 13:00:36 +01:00 · 2022-12-22 13:00:36 +01:00 · e0eb28d061
parent c77a10ea06
commit e0eb28d061
11 changed files with 211 additions and 165 deletions
--- a/helm/dendrite/README.md
+++ b/helm/dendrite/README.md
@ -41,55 +41,56 @@ Create a folder `appservices` and place your configurations in there.  The confi

 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| clientapi.registration.enable_registration_captcha | bool | `false` | enable reCAPTCHA registration |
-| clientapi.registration.guests_disabled | bool | `true` |  |
-| clientapi.registration.recaptcha_bypass_secret | string | `""` | reCAPTCHA bypass secret |
-| clientapi.registration.recaptcha_private_key | string | `""` | reCAPTCHA private key |
-| clientapi.registration.recaptcha_public_key | string | `""` | reCAPTCHA public key |
-| clientapi.registration.recaptcha_siteverify_api | string | `""` |  |
-| clientapi.registration.registration_disabled | bool | `true` | Prevents new users from being able to register on this homeserver, except when using the registration shared secret below. |
-| clientapi.registration.shared_secret | string | `""` | If set, allows registration by anyone who knows the shared secret, regardless of whether registration is otherwise disabled. |
-| configuration.cache.max_age | string | `"1h"` | The maximum amount of time that a cache entry can live for in memory before it will be evicted and/or refreshed from the database. Lower values result in easier admission of new cache entries but may also increase database load in comparison to higher values, so adjust conservatively. Higher values may make it harder for new items to make it into the cache, e.g. if new rooms suddenly become popular. |
-| configuration.cache.max_size_estimated | string | `"1gb"` | The estimated maximum size for the global cache in bytes, or in terabytes, gigabytes, megabytes or kilobytes when the appropriate 'tb', 'gb', 'mb' or 'kb' suffix is specified. Note that this is not a hard limit, nor is it a memory limit for the entire process. A cache that is too small may ultimately provide little or no benefit. |
-| configuration.database.conn_max_lifetime | int | `-1` | Default database maximum lifetime |
-| configuration.database.host | string | `""` | Default database host |
-| configuration.database.max_idle_conns | int | `2` | Default database maximum idle connections |
-| configuration.database.max_open_conns | int | `90` | Default database maximum open connections |
-| configuration.database.password | string | `""` | Default database password |
-| configuration.database.user | string | `""` | Default database user |
-| configuration.disable_federation | bool | `false` | Disable federation. Dendrite will not be able to make any outbound HTTP requests to other servers and the federation API will not be exposed. |
-| configuration.dns_cache.cache_lifetime | string | `"10m"` | Duration for how long DNS cache items should be considered valid ([see time.ParseDuration](https://pkg.go.dev/time#ParseDuration) for more) |
-| configuration.dns_cache.cache_size | int | `256` | Maximum number of entries to hold in the DNS cache |
-| configuration.dns_cache.enabled | bool | `false` | Whether or not the DNS cache is enabled. |
-| configuration.key_validity_period | string | `"168h0m0s"` |  |
-| configuration.logging | list | [default dendrite config values](https://github.com/matrix-org/dendrite/blob/master/dendrite-config.yaml) | Default logging configuration |
-| configuration.metrics.basic_auth.password | string | `"metrics"` | HTTP basic authentication password |
-| configuration.metrics.basic_auth.user | string | `"metrics"` | HTTP basic authentication username |
-| configuration.metrics.enabled | bool | `false` | Whether or not Prometheus metrics are enabled. |
-| configuration.mscs | list | `["msc2946"]` | Configuration for experimental MSC's. (Valid values are: msc2836 and msc2946) |
-| configuration.profiling.enabled | bool | `false` | Enable pprof. You will need to manually create a port forwarding to the deployment to access PPROF, as it will only listen on localhost and the defined port. e.g. `kubectl port-forward deployments/dendrite 65432:65432` |
-| configuration.profiling.port | int | `65432` | pprof port, if enabled |
-| configuration.rate_limiting.cooloff_ms | int | `500` | Cooloff time in milliseconds |
-| configuration.rate_limiting.enabled | bool | `true` | Enable rate limiting |
-| configuration.rate_limiting.threshold | int | `20` | After how many requests a rate limit should be activated |
-| configuration.server_name | string | `""` | Servername for this Dendrite deployment |
-| configuration.signing_key.create | bool | `true` | Create a new signing key, if not exists |
-| configuration.signing_key.existingSecret | string | `""` | Use an existing secret |
-| configuration.tracing | object | disabled | Default tracing configuration |
-| configuration.trusted_third_party_id_servers | list | `["matrix.org","vector.im"]` | Lists of domains that the server will trust as identity servers to verify third party identifiers such as phone numbers and email addresses. |
-| configuration.turn.turn_password | string | `""` | The TURN password |
-| configuration.turn.turn_shared_secret | string | `""` |  |
-| configuration.turn.turn_uris | list | `[]` |  |
-| configuration.turn.turn_user_lifetime | string | `"24h"` | Duration for how long users should be considered valid ([see time.ParseDuration](https://pkg.go.dev/time#ParseDuration) for more) |
-| configuration.turn.turn_username | string | `""` | The TURN username |
-| configuration.well_known_client_name | string | `""` | The server name to delegate client-server communications to, with optional port e.g. localhost:443 |
-| configuration.well_known_server_name | string | `""` | The server name to delegate server-server communications to, with optional port e.g. localhost:443 |
+| clientapi.enable_registration_captcha | bool | `false` | enable reCAPTCHA registration |
+| clientapi.guests_disabled | bool | `true` |  |
+| clientapi.rate_limiting.cooloff_ms | int | `500` | Cooloff time in milliseconds |
+| clientapi.rate_limiting.enabled | bool | `true` | Enable rate limiting |
+| clientapi.rate_limiting.exempt_user_ids | string | `nil` | Users which should be exempt from rate limiting |
+| clientapi.rate_limiting.threshold | int | `20` | After how many requests a rate limit should be activated |
+| clientapi.recaptcha_bypass_secret | string | `""` | reCAPTCHA bypass secret |
+| clientapi.recaptcha_private_key | string | `""` | reCAPTCHA private key |
+| clientapi.recaptcha_public_key | string | `""` | reCAPTCHA public key |
+| clientapi.recaptcha_siteverify_api | string | `""` |  |
+| clientapi.registration_disabled | bool | `true` | Prevents new users from being able to register on this homeserver, except when using the registration shared secret below. |
+| clientapi.shared_secret | string | `""` | If set, allows registration by anyone who knows the shared secret, regardless of whether registration is otherwise disabled. |
+| clientapi.turn.turn_password | string | `""` | The TURN password |
+| clientapi.turn.turn_shared_secret | string | `""` |  |
+| clientapi.turn.turn_uris | list | `[]` |  |
+| clientapi.turn.turn_user_lifetime | string | `"24h"` | Duration for how long users should be considered valid ([see time.ParseDuration](https://pkg.go.dev/time#ParseDuration) for more) |
+| clientapi.turn.turn_username | string | `""` | The TURN username |
 | federationapi.disable_tls_validation | bool | `false` | Disable TLS validation |
 | federationapi.prefer_direct_fetch | bool | `false` |  |
 | federationapi.send_max_retries | int | `16` |  |
+| global.cache.max_age | string | `"1h"` | The maximum amount of time that a cache entry can live for in memory before it will be evicted and/or refreshed from the database. Lower values result in easier admission of new cache entries but may also increase database load in comparison to higher values, so adjust conservatively. Higher values may make it harder for new items to make it into the cache, e.g. if new rooms suddenly become popular. |
+| global.cache.max_size_estimated | string | `"1gb"` | The estimated maximum size for the global cache in bytes, or in terabytes, gigabytes, megabytes or kilobytes when the appropriate 'tb', 'gb', 'mb' or 'kb' suffix is specified. Note that this is not a hard limit, nor is it a memory limit for the entire process. A cache that is too small may ultimately provide little or no benefit. |
+| global.database.conn_max_lifetime | int | `-1` | Default database maximum lifetime |
+| global.database.host | string | `""` | Default database host |
+| global.database.max_idle_conns | int | `2` | Default database maximum idle connections |
+| global.database.max_open_conns | int | `90` | Default database maximum open connections |
+| global.database.password | string | `""` | Default database password |
+| global.database.user | string | `""` | Default database user |
+| global.disable_federation | bool | `false` | Disable federation. Dendrite will not be able to make any outbound HTTP requests to other servers and the federation API will not be exposed. |
+| global.dns_cache.cache_lifetime | string | `"10m"` | Duration for how long DNS cache items should be considered valid ([see time.ParseDuration](https://pkg.go.dev/time#ParseDuration) for more) |
+| global.dns_cache.cache_size | int | `256` | Maximum number of entries to hold in the DNS cache |
+| global.dns_cache.enabled | bool | `false` | Whether or not the DNS cache is enabled. |
+| global.key_validity_period | string | `"168h0m0s"` |  |
+| global.logging | list | [default dendrite config values](https://github.com/matrix-org/dendrite/blob/master/dendrite-config.yaml) | Default logging configuration |
+| global.metrics.basic_auth.password | string | `"metrics"` | HTTP basic authentication password |
+| global.metrics.basic_auth.user | string | `"metrics"` | HTTP basic authentication username |
+| global.metrics.enabled | bool | `false` | Whether or not Prometheus metrics are enabled. |
+| global.mscs | list | `["msc2946"]` | Configuration for experimental MSC's. (Valid values are: msc2836 and msc2946) |
+| global.presence | object | `{"enable_inbound":false,"enable_outbound":false}` | Configures the handling of presence events. Inbound controls whether we receive presence events from other servers, outbound controls whether we send presence events for our local users to other servers. |
+| global.profiling.enabled | bool | `false` | Enable pprof. You will need to manually create a port forwarding to the deployment to access PPROF, as it will only listen on localhost and the defined port. e.g. `kubectl port-forward deployments/dendrite 65432:65432` |
+| global.profiling.port | int | `65432` | pprof port, if enabled |
+| global.report_stats | object | `{"enabled":false,"endpoint":"https://matrix.org/report-usage-stats/push"}` | Configures phone-home statistics reporting. These statistics contain the server name, number of active users and some information on your deployment config. We use this information to understand how Dendrite is being used in the wild. |
+| global.server_name | string | `""` | Servername for this Dendrite deployment |
+| global.server_notices | object | `{"avatar_url":"","display_name":"Server Alerts","enabled":false,"local_part":"_server","room_name":"Server Alerts"}` | Server notices allows server admins to send messages to all users on the server. |
+| global.tracing | object | disabled | Default tracing configuration |
+| global.trusted_third_party_id_servers | list | `["matrix.org","vector.im"]` | Lists of domains that the server will trust as identity servers to verify third party identifiers such as phone numbers and email addresses. |
+| global.well_known_client_name | string | `""` | The server name to delegate client-server communications to, with optional port e.g. localhost:443 |
+| global.well_known_server_name | string | `""` | The server name to delegate server-server communications to, with optional port e.g. localhost:443 |
 | image.name | string | `"ghcr.io/matrix-org/dendrite-monolith:v0.10.8"` | Docker repository/image to use |
 | image.pullPolicy | string | `"IfNotPresent"` | Kubernetes pullPolicy |
-| ingress.annotateFor | string | `""` |  |
 | ingress.annotations | object | `{}` | Extra, custom annotations |
 | ingress.className | string | `""` |  |
 | ingress.enabled | bool | `false` | Create an ingress for a monolith deployment |
@ -117,6 +118,8 @@ Create a folder `appservices` and place your configurations in there.  The confi
 | resources | object | sets some sane default values | Default resource requests/limits. |
 | service.port | int | `80` |  |
 | service.type | string | `"ClusterIP"` |  |
+| signing_key.create | bool | `true` | Create a new signing key, if not exists |
+| signing_key.existingSecret | string | `""` | Use an existing secret |
 | syncapi.real_ip_header | string | `"X-Real-IP"` | This option controls which HTTP header to inspect to find the real remote IP address of the client. This is likely required if Dendrite is running behind a reverse proxy server. |
 | syncapi.search | object | `{"enabled":false,"language":"en"}` | Configuration for the full-text search engine. |
 | syncapi.search.enabled | bool | `false` | Whether or not search is enabled. |
--- a/helm/dendrite/ci/ct-ingress-values.yaml
+++ b/helm/dendrite/ci/ct-ingress-values.yaml
@ -2,7 +2,7 @@
 postgresql:
  enabled: true

-configuration:
+global:
  server_name: "localhost"

 ingress:
--- a/helm/dendrite/ci/ct-postgres-values.yaml
+++ b/helm/dendrite/ci/ct-postgres-values.yaml
@ -2,5 +2,5 @@
 postgresql:
  enabled: true

-configuration:
+global:
  server_name: "localhost"
--- a/helm/dendrite/templates/_helpers.tpl
+++ b/helm/dendrite/templates/_helpers.tpl
@ -1,14 +1,14 @@
 {{- define "validate.config" }}
-{{- if not .Values.configuration.signing_key.create -}}
+{{- if not .Values.signing_key.create -}}
 {{-  fail "You must create a signing key for configuration.signing_key. (see https://github.com/matrix-org/dendrite/blob/master/docs/INSTALL.md#server-key-generation)" -}}
 {{- end -}}
-{{- if not (or .Values.configuration.database.host .Values.postgresql.enabled) -}}
+{{- if not (or .Values.global.database.host .Values.postgresql.enabled) -}}
 {{-  fail "Database server must be set." -}}
 {{- end -}}
-{{- if not (or .Values.configuration.database.user .Values.postgresql.enabled) -}}
+{{- if not (or .Values.global.database.user .Values.postgresql.enabled) -}}
 {{-  fail "Database user must be set." -}}
 {{- end -}}
-{{- if not (or .Values.configuration.database.password .Values.postgresql.enabled) -}}
+{{- if not (or .Values.global.database.password .Values.postgresql.enabled) -}}
 {{-  fail "Database password must be set." -}}
 {{- end -}}
 {{- end -}}
--- a/helm/dendrite/templates/deployment.yaml
+++ b/helm/dendrite/templates/deployment.yaml
@ -4,7 +4,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  namespace: {{ $.Release.Namespace }}
-  name: {{ $.Chart.Name }}
+  name: {{ include "dendrite.fullname" . }}
  labels:
    app: {{ $.Chart.Name }}
 spec:
@ -23,7 +23,7 @@ spec:
          secretName: {{ .Release.Name }}-conf
      - name: {{ .Release.Name }}-signing-key
        secret:
-          secretName: {{ default (print .Release.Name "-signing-key") $.Values.configuration.signing_key.existingSecret | quote }}
+          secretName: {{ default (print .Release.Name "-signing-key") $.Values.signing_key.existingSecret | quote }}
      {{- if (gt (len ($.Files.Glob "appservices/*")) 0) }}
      - name:{{ .Release.Name }}-appservices
        secret:
@ -48,10 +48,10 @@ spec:
          - name: http
            containerPort: 8008
            protocol: TCP
-        {{- if $.Values.configuration.profiling.enabled }}
+        {{- if $.Values.global.profiling.enabled }}
        env:
          - name: PPROFLISTEN
-            value: "localhost:{{- $.Values.configuration.profiling.port -}}"
+            value: "localhost:{{- $.Values.global.profiling.port -}}"
        {{- end }}
        resources:
        {{- toYaml $.Values.resources | nindent 10 }}
--- a/helm/dendrite/templates/ingress.yaml
+++ b/helm/dendrite/templates/ingress.yaml
@ -19,15 +19,6 @@ metadata:
  labels:
    {{- include "dendrite.labels" . | nindent 4 }}
  annotations:
-    {{- if eq .Values.ingress.annotateFor "nginx" }}
-    nginx.ingress.kubernetes.io/upstream-hash-by: "$http_authorization"
-    nginx.org/proxy-connect-timeout: 60s
-    nginx.org/proxy-read-timeout: 60s
-    {{- else if eq .Values.ingress.annotateFor "openshift" }}
-    route.openshift.io/termination: edge
-    haproxy.router.openshift.io/balance: source
-    haproxy.router.openshift.io/timeout: 60000ms
-    {{- end}}
    {{- with .Values.ingress.annotations }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
--- a/helm/dendrite/templates/jobs.yaml
+++ b/helm/dendrite/templates/jobs.yaml
@ -1,4 +1,4 @@
-{{ if and .Values.configuration.signing_key.create (not .Values.configuration.signing_key.existingSecret ) }}
+{{ if and .Values.signing_key.create (not .Values.signing_key.existingSecret ) }}
 {{ $name := (print .Release.Name "-signing-key") }}
 {{ $secretName := (print .Release.Name "-signing-key") }}
 ---
--- a/helm/dendrite/templates/secrets.yaml
+++ b/helm/dendrite/templates/secrets.yaml
@ -9,7 +9,7 @@ type: Opaque
 data:
 {{ (.Files.Glob "appservices/*").AsSecrets | indent 2 }}
 {{ end }}
-{{ if and .Values.configuration.signing_key.create (not .Values.configuration.signing_key.existingSecret) }}
+{{ if and .Values.signing_key.create (not .Values.signing_key.existingSecret) }}
 ---
 apiVersion: v1
 kind: Secret
@ -21,7 +21,7 @@ metadata:
 type: Opaque
 {{ end }}

-{{- $connectionString := print "postgresql://" .Values.configuration.database.user ":" .Values.configuration.database.password "@" .Values.configuration.database.host }}
+{{- $connectionString := print "postgresql://" .Values.global.database.user ":" .Values.global.database.password "@" .Values.global.database.host }}
 {{- if .Values.postgresql.enabled }}
 {{- $connectionString = print "postgresql://" .Values.postgresql.auth.username ":" .Values.postgresql.auth.password "@" .Release.Name "-postgresql/dendrite" -}}
 {{ end }}
@ -36,33 +36,39 @@ stringData:
  dendrite.yaml: |
    version: 2
    global:
-      server_name: {{ .Values.configuration.server_name }}
+      server_name: {{ .Values.global.server_name }}
      private_key: /etc/dendrite/secrets/signing.key
      key_id: ed25519:auto
-      key_validity_period: {{ .Values.configuration.key_validity_period | quote }}
+      key_validity_period: {{ .Values.global.key_validity_period | quote }}
      database:
        connection_string: {{ $connectionString }}?sslmode=disable
-        max_open_conns: {{ default 90 .Values.configuration.database.max_open_conns }}
-        max_idle_conns: {{ default 5 .Values.configuration.database.max_idle_conns }}
-        conn_max_lifetime: {{ default -1 .Values.configuration.database.conn_max_lifetime }}
+        max_open_conns: {{ default 90 .Values.global.database.max_open_conns }}
+        max_idle_conns: {{ default 5 .Values.global.database.max_idle_conns }}
+        conn_max_lifetime: {{ default -1 .Values.global.database.conn_max_lifetime }}
      cache:
-        max_size_estimated: {{ default "1gb" .Values.configuration.cache.max_size_estimated | quote }}
-        max_age: {{ default "1h" .Values.configuration.cache.max_age }}
-      well_known_server_name: {{ default "" .Values.configuration.well_known_server_name | quote }}
-      well_known_client_name: {{ default "" .Values.configuration.well_known_client_name | quote }}
+        max_size_estimated: {{ default "1gb" .Values.global.cache.max_size_estimated | quote }}
+        max_age: {{ default "1h" .Values.global.cache.max_age }}
+      well_known_server_name: {{ default "" .Values.global.well_known_server_name | quote }}
+      well_known_client_name: {{ default "" .Values.global.well_known_client_name | quote }}
      trusted_third_party_id_servers:
-      {{- toYaml .Values.configuration.trusted_third_party_id_servers | nindent 8 }}
-      disable_federation: {{ .Values.configuration.disable_federation }}
+      {{- toYaml .Values.global.trusted_third_party_id_servers | nindent 8 }}
+      disable_federation: {{ .Values.global.disable_federation }}
+      report_stats:
+        {{- toYaml .Values.global.report_stats | nindent 8 }}
+      presence:
+        {{- toYaml .Values.global.presence | nindent 8 }}
+      server_notices:
+        {{- toYaml .Values.global.server_notices | nindent 8 }}
      jetstream:
        in_memory: false
        storage_path: /data/jetstream
      metrics:
-        {{- toYaml .Values.configuration.metrics | nindent 8 }}
+        {{- toYaml .Values.global.metrics | nindent 8 }}
      dns_cache:
-        {{- toYaml .Values.configuration.dns_cache | nindent 8 }}
+        {{- toYaml .Values.global.dns_cache | nindent 8 }}
    mscs:
      mscs:
-        {{- toYaml .Values.configuration.mscs | nindent 8 }}
+        {{- toYaml .Values.global.mscs | nindent 8 }}
    app_service_api:
      config_files:
        {{- range $x, $y := .Files.Glob "appservices/*" }}
@ -70,19 +76,19 @@ stringData:
        {{ end }}
    client_api:
    {{- with .Values.clientapi }}
-      registration_disabled: {{ .registration.registration_disabled }}
-      guests_disabled: {{ .registration.guests_disabled }}
-      registration_shared_secret: {{ .registration.shared_secret | quote }}
-      enable_registration_captcha:  {{ .registration.enable_registration_captcha }}
-      recaptcha_public_key: {{ .registration.recaptcha_public_key | quote }}
-      recaptcha_private_key: {{ .registration.recaptcha_private_key | quote}}
-      recaptcha_bypass_secret: {{ .registration.recaptcha_bypass_secret | quote}}
-      recaptcha_siteverify_api: {{ .registration.recaptcha_siteverify_api | quote}}
-      {{ end }}
+      registration_disabled: {{ .registration_disabled }}
+      guests_disabled: {{ .guests_disabled }}
+      registration_shared_secret: {{ .shared_secret | quote }}
+      enable_registration_captcha:  {{ .enable_registration_captcha }}
+      recaptcha_public_key: {{ .recaptcha_public_key | quote }}
+      recaptcha_private_key: {{ .recaptcha_private_key | quote}}
+      recaptcha_bypass_secret: {{ .recaptcha_bypass_secret | quote}}
+      recaptcha_siteverify_api: {{ .recaptcha_siteverify_api | quote}}
      turn:
-        {{- toYaml .Values.configuration.turn | nindent 8 }}
+        {{- toYaml .turn | nindent 8 }}
      rate_limiting:
-        {{- toYaml .Values.configuration.rate_limiting | nindent 8 }}
+        {{- toYaml .rate_limiting | nindent 8 }}
+    {{ end }}
    federation_api:
      #federation_certificates: []
      send_max_retries: {{ default 16 .Values.federationapi.send_max_retries }}
@ -110,8 +116,8 @@ stringData:
        index_path: /data/search
        language: {{ default "en" .Values.syncapi.search.language }}
    tracing:
-      {{- toYaml .Values.configuration.tracing | nindent 6 }}
+      {{- toYaml .Values.global.tracing | nindent 6 }}
    logging:
-    {{- if .Values.configuration.logging }}
-    {{- toYaml .Values.configuration.logging | nindent 4 }}
+    {{- if .Values.global.logging }}
+    {{- toYaml .Values.global.logging | nindent 4 }}
    {{ end }}
--- a/helm/dendrite/templates/service.yaml
+++ b/helm/dendrite/templates/service.yaml
@ -5,7 +5,7 @@ apiVersion: v1
 kind: Service
 metadata:
  namespace: {{ $.Release.Namespace }}
-  name: {{ $.Chart.Name }}
+  name: {{ include "dendrite.fullname" . }}
  labels:
    {{- include "dendrite.labels" . | nindent 4 }}
 spec:
--- a/helm/dendrite/templates/tests/test-version.yaml
+++ b/helm/dendrite/templates/tests/test-version.yaml
@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ include "dendrite.fullname" . }}-test-version"
+  labels:
+    {{- include "dendrite.selectorLabels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": test
+spec:
+  containers:
+    - name: curl
+      image: curlimages/curl
+      imagePullPolicy: IfNotPresent
+      args:
+        - 'http://{{- include "dendrite.fullname" . -}}:8008/_matrix/client/versions'
+  restartPolicy: Never
--- a/helm/dendrite/values.yaml
+++ b/helm/dendrite/values.yaml
@ -4,7 +4,40 @@ image:
  # -- Kubernetes pullPolicy
  pullPolicy: IfNotPresent

-configuration:
+
+# signing key to use
+signing_key:
+  # -- Create a new signing key, if not exists
+  create: true
+  # -- Use an existing secret
+  existingSecret: ""
+
+# -- Default resource requests/limits.
+# @default -- sets some sane default values
+resources:
+  requests:
+    memory: "512Mi"
+
+  limits:
+    memory: "4096Mi"
+
+persistence:
+  storageClass: ""
+  jetstream:
+    # -- Use an existing volume claim for jetstream
+    existingClaim: ""
+    capacity: "1Gi"
+  media:
+    # -- Use an existing volume claim for media files
+    existingClaim: ""
+    capacity: "1Gi"
+  search:
+    # -- Use an existing volume claim for the fulltext search index
+    existingClaim: ""
+    capacity: "1Gi"
+
+
+global:
  # -- Servername for this Dendrite deployment
  server_name: ""

@ -26,12 +59,6 @@ configuration:
  # to other servers and the federation API will not be exposed.
  disable_federation: false

-  # signing key to use
-  signing_key:
-    # -- Create a new signing key, if not exists
-    create: true
-    # -- Use an existing secret
-    existingSecret: ""
  key_validity_period: 168h0m0s

  database:
@ -64,6 +91,32 @@ configuration:
    # become popular.
    max_age: 1h

+  # -- Configures phone-home statistics reporting. These statistics contain the server
+  # name, number of active users and some information on your deployment config.
+  # We use this information to understand how Dendrite is being used in the wild.
+  report_stats:
+    enabled: false
+    endpoint: https://matrix.org/report-usage-stats/push
+
+  # -- Configures the handling of presence events. Inbound controls whether we receive
+  # presence events from other servers, outbound controls whether we send presence
+  # events for our local users to other servers.
+  presence:
+    enable_inbound: false
+    enable_outbound: false
+
+  # -- Server notices allows server admins to send messages to all users on the server.
+  server_notices:
+    enabled: false
+    # The local part, display name and avatar URL (as a mxc:// URL) for the user that
+    # will send the server notices. These are visible to all users on the deployment.
+    local_part: "_server"
+    display_name: "Server Alerts"
+    avatar_url: ""
+    # The room name to be used when sending server notices. This room name will
+    # appear in user clients.
+    room_name: "Server Alerts"
+
  # prometheus metrics
  metrics:
    # -- Whether or not Prometheus metrics are enabled.
@ -75,25 +128,6 @@ configuration:
      # -- HTTP basic authentication password
      password: metrics

-  # TURN server information that this homeserver should send to clients.
-  turn:
-    # -- Duration for how long users should be considered valid ([see time.ParseDuration](https://pkg.go.dev/time#ParseDuration) for more)
-    turn_user_lifetime: "24h"
-    turn_uris: []
-    turn_shared_secret: ""
-    # -- The TURN username
-    turn_username: ""
-    # -- The TURN password
-    turn_password: ""
-
-  rate_limiting:
-    # -- Enable rate limiting
-    enabled: true
-    # -- After how many requests a rate limit should be activated
-    threshold: 20
-    # -- Cooloff time in milliseconds
-    cooloff_ms: 500
-
  dns_cache:
    # -- Whether or not the DNS cache is enabled.
    enabled: false
@ -139,53 +173,49 @@ configuration:
    # - msc2836    (Threading, see https://github.com/matrix-org/matrix-doc/pull/2836)
    # - msc2946    (Spaces Summary, see https://github.com/matrix-org/matrix-doc/pull/2946)

-# -- Default resource requests/limits.
-# @default -- sets some sane default values
-resources:
-  requests:
-    memory: "512Mi"
-
-  limits:
-    memory: "4096Mi"
-
-persistence:
-  storageClass: ""
-  jetstream:
-    # -- Use an existing volume claim for jetstream
-    existingClaim: ""
-    capacity: "1Gi"
-  media:
-    # -- Use an existing volume claim for media files
-    existingClaim: ""
-    capacity: "1Gi"
-  search:
-    # -- Use an existing volume claim for the fulltext search index
-    existingClaim: ""
-    capacity: "1Gi"
-
 clientapi:
-  registration:
-    # -- Prevents new users from being able to register on this homeserver, except when
-    # using the registration shared secret below.
-    registration_disabled: true
+  # -- Prevents new users from being able to register on this homeserver, except when
+  # using the registration shared secret below.
+  registration_disabled: true

-    # Prevents new guest accounts from being created. Guest registration is also
-    # disabled implicitly by setting 'registration_disabled' above.
-    guests_disabled: true
+  # Prevents new guest accounts from being created. Guest registration is also
+  # disabled implicitly by setting 'registration_disabled' above.
+  guests_disabled: true

-    # -- If set, allows registration by anyone who knows the shared secret, regardless of
-    # whether registration is otherwise disabled.
-    shared_secret: ""
+  # -- If set, allows registration by anyone who knows the shared secret, regardless of
+  # whether registration is otherwise disabled.
+  shared_secret: ""

-    # -- enable reCAPTCHA registration
-    enable_registration_captcha: false
-    # -- reCAPTCHA public key
-    recaptcha_public_key: ""
-    # -- reCAPTCHA private key
-    recaptcha_private_key: ""
-    # -- reCAPTCHA bypass secret
-    recaptcha_bypass_secret: ""
-    recaptcha_siteverify_api: ""
+  # -- enable reCAPTCHA registration
+  enable_registration_captcha: false
+  # -- reCAPTCHA public key
+  recaptcha_public_key: ""
+  # -- reCAPTCHA private key
+  recaptcha_private_key: ""
+  # -- reCAPTCHA bypass secret
+  recaptcha_bypass_secret: ""
+  recaptcha_siteverify_api: ""
+
+  # TURN server information that this homeserver should send to clients.
+  turn:
+    # -- Duration for how long users should be considered valid ([see time.ParseDuration](https://pkg.go.dev/time#ParseDuration) for more)
+    turn_user_lifetime: "24h"
+    turn_uris: [ ]
+    turn_shared_secret: ""
+    # -- The TURN username
+    turn_username: ""
+    # -- The TURN password
+    turn_password: ""
+
+  rate_limiting:
+    # -- Enable rate limiting
+    enabled: true
+    # -- After how many requests a rate limit should be activated
+    threshold: 20
+    # -- Cooloff time in milliseconds
+    cooloff_ms: 500
+    # -- Users which should be exempt from rate limiting
+    exempt_user_ids:

 federationapi:
  send_max_retries: 16
@ -249,7 +279,6 @@ ingress:
  hosts: []
  className: ""
  hostName: ""
-  annotateFor: ""  # one of 'openshift' or 'nginx'
  # -- Extra, custom annotations
  annotations: {}