Synapse on Kubernetes

Runs a Matrix server on a managed kubernetes cluster hosted by OVH.

Features

• Customized Synapse server as the Matrix messaging server along with it's database and s3 bucket
• Customized Keycloak as an alternative ID provider along with it's database
• Element-Web as a Matrix client
• Prometheus et Grafana for the monitoring
• The stack is also configured in a specific and configurable way cf. the ansible part.

Prerequisites

• an account in OVH hosting provider and its credentials (application key, application secret, consumer secret and endpoint)
• to store Terraform state files : a S3 object storage with the credentials to connect to (access key, secret key, endpoint and region) and a bucket named terraform-states-hp-myenv for example.
• a user and credentials dedicated to openstack with the following rights : [Network Security Operator, Volume Operator, Network Operator, Backup Operator, Compute Operator, Image Operator, Administrator, Infrastructure Supervisor]
• to reach the future Synapse homeserver : a valid dns zone hosted by OVH
• to send some mails to users : a valid access to a SMTP service

On the linux running this code :

• the terraform CLI
• the ansible tool
• the kubectl tool
• additional needed packages : openssl, yq

Provisioning infra

The following steps will setup various OVH resources necessary to run the Synapse homeserver.

[!TIP] The Octavia load balancer is only useful if you want the cluster to be isolated from the web. If it's not necessary don't use it and remove type: NodePort in ansible/roles/ingress-controller/tasks/templates/ingress-nginx-service.yml and manually set the dns entry

[!TIP] The other thing you may want to consider if not running an official production environment is to get rid of admin_vm this part was done to make sure the alert manager was able to reach an hypothetic Zabbix server on the admin private network.

• Create in the local folder a local.env.sh file copying the script/local.env.template.sh file and fill it with all the environment variables values needed. OS_variables relate to the openstack part.

  Then source this file :

  source local/local.env.sh

• Generate the var file for provisioning stage (terraform.tfvars) based on values previously set :

  sh scripts/generate_provisioning_var_files.sh

• Go to the terraform folder

  cd terraform

• Initialize the Terraform workspace specifying the name of the S3 bucket

  terraform init -backend-config="bucket=terraform-states-hp-$ENVIRONMENT"

• Create the Terraform execution plan to validate that everything is ok

  terraform plan

• Apply the Terraform plan

  terraform apply

  This will lead to the creation of a kubernetes cluster with 1 control plane node and several worker nodes

Configuration

The configuration part will be done with Ansible and is quite independent from the provisioning part.

• Generate the files (kubeconfig-$ENVIRONMENT.yml, ansible/group_vars/all.yml) and vars needed :

  ./scripts/generate_configuration_var_files.sh

  For more info on kubeconfig file see https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/

• And then execute :

  ./scripts/ansible_configuration.sh

This will lead to the installation of the following components in the cluster :

• basic components :
  • an ingress controller
  • a certificate manager
• components specific to our stack :
  • a Keycloak instance along with its operator
  • the synapse stack and its customization
  • the element-web stack
  • the stunner stack used to facilitate audio/video on element
  • a prometheus/grafana stack for monitoring
  • an alpha unofficial version of a MS teams bridge

Other credits

• The Matrix-synapse stack is based on the work done by Alexander Olofsson : https://gitlab.com/ananace/charts/-/tree/master/charts/matrix-synapse
• Technology icons created by juicy_fish - Flaticon