change chart to align with cnpg's chart

* Update homeassistant/home-assistant Docker tag to v2024.4.3

* update chart

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Alex Lebens <alexanderlebens@gmail.com>

.github/renovate-update-notification/Dockerfile

@@ -0,0 +1,2 @@
+# This file is processed by Renovate bot so that it creates a PR on new major Renovate versions
+FROM renovate/renovate:37

.github/renovate.json

@@ -0,0 +1,112 @@
+{
+    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+    "extends": [
+        "config:recommended",
+        "mergeConfidence:all-badges",
+        ":rebaseStalePrs"
+    ],
+    "timezone": "US/Mountain",
+    "schedule": [
+        "every weekday"
+    ],
+    "labels": [],
+    "packageRules": [
+        {
+            "description": "Disables for non major Renovate version",
+            "matchPaths": [
+                ".github/renovate-update-notification/Dockerfile"
+            ],
+            "matchUpdateTypes": [
+                "minor",
+                "patch",
+                "pin",
+                "digest",
+                "rollback"
+            ],
+            "enabled": false
+        },
+        {
+            "description": "Generate for major Renovate version",
+            "matchPaths": [
+                ".github/renovate-update-notification/Dockerfile"
+            ],
+            "matchUpdateTypes": [
+                "major"
+            ],
+            "addLabels": [
+                "upgrade"
+            ],
+            "automerge": false
+        },
+        {
+            "description": "Label service images",
+            "matchPackageNames": [
+                "ghcr.io/alex1989hu/kubelet-serving-cert-approver",
+                "ghcr.io/cloudnative-pg/postgresql",
+                "redis/redis-stack-server"
+            ],
+            "matchDatasources": [
+                "docker"
+            ],
+            "addLabels": [
+                "service",
+                "image"
+            ],
+            "automerge": false,
+            "minimumReleaseAge": "3 days"
+        },
+        {
+            "description": "Label service charts",
+            "matchPackageNames": [
+                "elasticsearch",
+                "redis"
+            ],
+            "matchDatasources": [
+                "helm"
+            ],
+            "addLabels": [
+                "serivce",
+                "chart"
+            ],
+            "automerge": false,
+            "minimumReleaseAge": "3 days"
+        },
+        {
+            "description": "Label application images",
+            "matchPackageNames": [
+                "bbilly1/tubearchivist-jf",
+                "bbilly1/tubearchivist",
+                "freshrss/freshrss",
+                "ghcr.io/gethomepage/homepage",
+                "homeassistant/home-assistant",
+                "linuxserver/calibre",
+                "linuxserver/code-server",
+                "linuxserver/cops",
+                "outlinewiki/outline",
+                "rmcrackan/libation"
+            ],
+            "matchDatasources": [
+                "docker"
+            ],
+            "addLabels": [
+                "application",
+                "image"
+            ],
+            "automerge": false,
+            "minimumReleaseAge": "3 days"
+        },
+        {
+            "description": "Label application charts",
+            "matchPackageNames": [],
+            "matchDatasources": [
+                "helm"
+            ],
+            "addLabels": [
+                "application",
+                "chart"
+            ],
+            "automerge": false,
+            "minimumReleaseAge": "3 days"
+        }
+    ]
+}

.github/workflows/lint-test.yaml

@@ -12,7 +12,7 @@ jobs:
           fetch-depth: 0
 
       - name: Set up Helm
-        uses: azure/setup-helm@v3
+        uses: azure/setup-helm@v4
         with:
           version: v3.13.3
 
@@ -35,11 +35,3 @@ jobs:
       - name: Run chart-testing (lint)
         if: steps.list-changed.outputs.changed == 'true'
         run: ct lint --target-branch ${{ github.event.repository.default_branch }}
-
-      - name: Create kind cluster
-        if: steps.list-changed.outputs.changed == 'true'
-        uses: helm/kind-action@v1.9.0
-
-      - name: Run chart-testing (install)
-        if: steps.list-changed.outputs.changed == 'true'
-        run: ct install --target-branch ${{ github.event.repository.default_branch }}

charts/calibre-server/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: calibre-server
-version: 0.0.3
+version: 0.0.6
 description: Chart for Calibre content database
 keywords:
   - media

charts/calibre-server/README.md

@@ -11,6 +11,7 @@ This chart bootstraps a [Calibre](https://github.com/home-assistant) deployment
 - Kubernetes
 - Helm
 - Traefik v2 / IngressRoute
+- Authentik / Auth
 
 ## Parameters
 

charts/calibre-server/templates/deployment.yaml

@@ -9,7 +9,6 @@ metadata:
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: web
     app.kubernetes.io/part-of: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: helm
 spec:
   revisionHistoryLimit: 3
   replicas: {{ .Values.deployment.replicas }}
@@ -28,7 +27,7 @@ spec:
       serviceAccountName: calibre-server
       automountServiceAccountToken: true
       containers:
-        - name: {{ .Release.Name }}
+        - name: calibre-server
           image: "{{ .Values.deployment.image.repository }}:{{ .Values.deployment.image.tag }}"
           imagePullPolicy: {{ .Values.deployment.image.imagePullPolicy }}
           ports:
@@ -49,6 +48,8 @@ spec:
           {{- end }}
           volumeMounts:
             - mountPath: /config
+              name: calibre-server-config
+            - mountPath: /books
               name: calibre-server-books
           resources:
             {{- toYaml .Values.deployment.resources | nindent 12 }}
@@ -74,6 +75,9 @@ spec:
             timeoutSeconds: 1
             periodSeconds: 5
       volumes:
+        - name: calibre-server-config
+          persistentVolumeClaim:
+            claimName: calibre-server-config
         - name: calibre-server-books
           persistentVolumeClaim:
             claimName: {{ .Values.persistence.books.claimName }}

charts/calibre-server/templates/ingress-route.yaml

@@ -10,7 +10,6 @@ metadata:
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: web
     app.kubernetes.io/part-of: calibre-server
-    app.kubernetes.io/managed-by: helm
 spec:
   entryPoints:
     - websecure
@@ -18,7 +17,7 @@ spec:
     - kind: Rule
       match: "Host(`{{ .Values.ingressRoute.http.host }}`)"
       middlewares:
-        - name: authentik
+        - name: "authentik-{{ .Release.Name }}"
           namespace: {{ .Release.Namespace }}
       priority: 10
       services:

charts/calibre-server/templates/middleware.yaml

@@ -2,15 +2,14 @@
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
-  name: authentik
+  name: "authentik-{{ .Release.Name }}"
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: calibre-server
+    app.kubernetes.io/name: {{ .Release.Name }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: auth
-    app.kubernetes.io/part-of: calibre-server
-    app.kubernetes.io/managed-by: helm
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   forwardAuth:
     address: "http://{{ .Values.ingressRoute.authentik.outpost }}.authentik:{{ .Values.ingressRoute.authentik.port }}/outpost.goauthentik.io/auth/traefik"

charts/calibre-server/templates/persistant-volume-claim.yaml

@@ -0,0 +1,19 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: calibre-server-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: calibre-server
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: {{ .Values.persistence.config.storageSize }}
+  storageClassName: {{ .Values.persistence.config.storageClassName }}
+  volumeMode: {{ .Values.persistence.config.volumeMode }}

charts/calibre-server/templates/service-account.yaml

@@ -9,4 +9,3 @@ metadata:
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: web
     app.kubernetes.io/part-of: calibre-server
-    app.kubernetes.io/managed-by: helm

charts/calibre-server/templates/service.yaml

@@ -2,14 +2,13 @@ apiVersion: v1
 kind: Service
 metadata:
   name: calibre-server
-  namespace: {{ .Release.Namespace }}  
+  namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: calibre-server
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: web
     app.kubernetes.io/part-of: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: helm
 spec:
   type: ClusterIP
   ports:
@@ -26,14 +25,13 @@ apiVersion: v1
 kind: Service
 metadata:
   name: calibre-server-content
-  namespace: {{ .Release.Namespace }}  
+  namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: calibre-server
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: web
     app.kubernetes.io/part-of: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: helm
 spec:
   type: ClusterIP
   ports:

charts/calibre-server/values.yaml

@@ -29,10 +29,14 @@ service:
 ingressRoute:
   enabled: true
   http:
-    host: server.calibre.alexlebens.net
+    host:
   authentik:
-    outpost: authentik-proxy-outpost
+    outpost:
     port: 9000
 persistence:
+  config:
+    storageClassName: default
+    storageSize: 5Gi
+    volumeMode: Filesystem
   books:
-    claimName: calibre-server-nfs-storage
+    claimName:

charts/cops/Chart.yaml

@@ -0,0 +1,12 @@
+apiVersion: v2
+name: cops
+version: 0.0.3
+description: Chart for Calibre OPDS (and HTML) PHP Server
+keywords:
+  - calibre
+  - OPDS
+sources:
+  - https://github.com/seblucas/cops
+maintainers:
+  - name: alexlebens
+appVersion: 1.1.3

charts/cops/README.md

@@ -0,0 +1,22 @@
+## Introduction
+
+[Calibre OPDS (and HTML) PHP Server](https://github.com/seblucas/cops)
+
+COPS's main advantages are :
+
+ - No need for many dependencies.
+ - No need for a lot of CPU or RAM.
+ - Not much code.
+ - Search is available.
+ - It was fun to code.
+
+This chart bootstraps a [COPS](https://github.com/seblucas/cops) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+## Prerequisites
+
+- Kubernetes
+- Helm
+
+## Parameters
+
+See the [values files](values.yaml).

charts/cops/templates/deployment.yaml

@@ -0,0 +1,82 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Release.Name }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    app.kubernetes.io/name: {{ .Release.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  revisionHistoryLimit: 3
+  replicas: {{ .Values.deployment.replicas }}
+  strategy:
+    type: {{ .Values.deployment.strategy }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ .Release.Name }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: {{ .Release.Name }}
+        app.kubernetes.io/instance: {{ .Release.Name }}
+    spec:
+      serviceAccountName: {{ .Release.Name }}
+      containers:
+        - name: {{ .Release.Name }}
+          image: "{{ .Values.deployment.image.repository }}:{{ .Values.deployment.image.tag }}"
+          imagePullPolicy: {{ .Values.deployment.image.imagePullPolicy }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.service.http.port }}
+              protocol: TCP
+          volumeMounts:
+            - mountPath: /config
+              name: cops-config
+            - mountPath: /books
+              name: cops-books
+          resources:
+            {{- toYaml .Values.deployment.resources | nindent 12 }}
+          env:
+          {{- range $k,$v := .Values.deployment.env }}
+            - name: {{ $k }}
+              value: {{ $v | quote }}
+          {{- end }}
+          {{- with .Values.deployment.envFrom }}
+          envFrom:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}            
+          livenessProbe:
+            httpGet:
+              path: /
+              port: {{ .Values.service.http.port }}
+            initialDelaySeconds: 0
+            failureThreshold: 5
+            timeoutSeconds: 1
+            periodSeconds: 10
+          readinessProbe:
+            httpGet:
+              path: /
+              port: {{ .Values.service.http.port }}
+            initialDelaySeconds: 0
+            failureThreshold: 5
+            timeoutSeconds: 1
+            periodSeconds: 10
+          startupProbe:
+            httpGet:
+              path: /
+              port: {{ .Values.service.http.port }}
+            initialDelaySeconds: 5
+            failureThreshold: 30
+            periodSeconds: 10
+            timeoutSeconds: 1
+      volumes:
+        - name: cops-config
+          persistentVolumeClaim:
+            claimName: cops-config
+        - name: cops-books
+          persistentVolumeClaim:
+            claimName: {{ .Values.persistence.books.claimName }}

charts/cops/templates/ingress.yaml

@@ -0,0 +1,32 @@
+{{- if .Values.ingress.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ .Release.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+  annotations:
+    {{- toYaml .Values.ingress.annotations | nindent 4 }}
+spec:
+  ingressClassName: {{ .Values.ingress.className }}
+  tls:
+    - hosts:
+      - {{ .Values.ingress.host }}
+      secretName: {{ .Release.Name }}-secret-tls
+  rules:
+    - host: {{ .Values.ingress.host }}
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ .Release.Name }}
+                port:
+                  name: http
+{{- end }}

charts/cops/templates/persistant-volume-claim.yaml

@@ -0,0 +1,19 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: cops-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ .Release.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: storage
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: {{ .Values.persistence.config.storageSize }}
+  storageClassName: {{ .Values.persistence.config.storageClassName }}
+  volumeMode: {{ .Values.persistence.config.volumeMode }}

charts/cops/templates/pod.yaml

@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ .Release.Name }}-test-connection"
+  labels:
+    app.kubernetes.io/name: {{ .Release.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+  annotations:
+    "helm.sh/hook": test-success
+spec:
+  restartPolicy: Never
+  containers:
+    - name: wget
+      image: busybox
+      command: ['wget']
+      args: ['{{ .Release.Name }}:{{ .Values.service.http.port }}']
+      resources:
+        limits:
+          cpu: 500m
+          memory: 1Gi
+        requests:
+          cpu: 50m
+          memory: 256Mi

charts/cops/templates/service-account.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ .Release.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}

charts/cops/templates/service.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ .Release.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  type: ClusterIP
+  externalTrafficPolicy:
+  ports:
+    - port: {{ .Values.service.http.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    app.kubernetes.io/name: {{ .Release.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}

charts/cops/values.yaml

@@ -0,0 +1,36 @@
+deployment:
+  replicas: 1
+  strategy: Recreate
+  image:
+    repository: linuxserver/cops
+    tag: 2.3.1-ls185
+    imagePullPolicy: IfNotPresent
+  env:
+    PGID: "1000"
+    PUID: "1000"
+    TZ: UTC
+  envFrom:        
+  resources:    
+    limits:
+      cpu: 500m
+      memory: 1Gi
+    requests:
+      cpu: 50m
+      memory: 256Mi
+serviceAccount:
+  create: true
+service:
+  http:
+    port: 80
+ingress:
+  enabled: false
+  annotations:
+  className:
+  host:
+persistence:
+  config:
+    storageClassName: default
+    storageSize: 5Gi
+    volumeMode: Filesystem
+  books:
+    claimName:

charts/freshrss/Chart.yaml

@@ -0,0 +1,12 @@
+apiVersion: v2
+name: freshrss
+version: 0.0.3
+description: Chart for Freshrss
+keywords:
+  - rss
+sources:
+  - https://github.com/FreshRSS/FreshRSS
+maintainers:
+  - name: alexlebens
+icon: https://avatars.githubusercontent.com/u/9414285?s=48&v=4
+appVersion: "1.23.1"

charts/freshrss/README.md

@@ -0,0 +1,18 @@
+## Introduction
+
+[FreshRSS](https://github.com/FreshRSS/FreshRSS)
+
+FreshRSS is a self-hosted RSS feed aggregator.
+
+It is lightweight, easy to work with, powerful, and customizable.
+
+This chart bootstraps a [FreshRSS](https://github.com/FreshRSS/FreshRSS) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+## Prerequisites
+
+- Kubernetes
+- Helm
+
+## Parameters
+
+See the [values files](values.yaml).

charts/freshrss/templates/deployment.yaml

@@ -0,0 +1,76 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Release.Name }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    app.kubernetes.io/name: {{ .Release.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  revisionHistoryLimit: 3
+  replicas: {{ .Values.deployment.replicas }}
+  strategy:
+    type: {{ .Values.deployment.strategy }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ .Release.Name }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: {{ .Release.Name }}
+        app.kubernetes.io/instance: {{ .Release.Name }}
+    spec:
+      serviceAccountName: {{ .Release.Name }}
+      containers:
+        - name: {{ .Release.Name }}
+          image: "{{ .Values.deployment.image.repository }}:{{ .Values.deployment.image.tag }}"
+          imagePullPolicy: {{ .Values.deployment.image.imagePullPolicy }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.service.http.port }}
+              protocol: TCP
+          volumeMounts:
+            - name: {{ .Release.Name }}-config
+              mountPath: /config
+          resources:
+            {{- toYaml .Values.deployment.resources | nindent 12 }}
+          env:
+            - name: LISTEN
+              value: "0.0.0.0:{{ .Values.service.http.port }}"
+          {{- range $k,$v := .Values.deployment.env }}
+            - name: {{ $k }}
+              value: {{ $v | quote }}
+          {{- end }}
+          {{- with .Values.deployment.envFrom }}
+          envFrom:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          livenessProbe:
+            tcpSocket:
+              port: {{ .Values.service.http.port }}
+            initialDelaySeconds: 0
+            failureThreshold: 3
+            timeoutSeconds: 1
+            periodSeconds: 10
+          readinessProbe:
+            tcpSocket:
+              port: {{ .Values.service.http.port }}
+            initialDelaySeconds: 0
+            failureThreshold: 3
+            timeoutSeconds: 1
+            periodSeconds: 10
+          startupProbe:
+            tcpSocket:
+              port: {{ .Values.service.http.port }}
+            initialDelaySeconds: 0
+            failureThreshold: 30
+            timeoutSeconds: 1
+            periodSeconds: 5
+      volumes:
+        - name: {{ .Release.Name }}-config
+          persistentVolumeClaim:
+            claimName: {{ .Release.Name }}-config

charts/freshrss/templates/ingress.yaml

@@ -0,0 +1,32 @@
+{{- if .Values.ingress.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ .Release.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+  annotations:
+    {{- toYaml .Values.ingress.annotations | nindent 4 }}
+spec:
+  ingressClassName: {{ .Values.ingress.className }}
+  tls:
+    - hosts:
+      - {{ .Values.ingress.host }}
+      secretName: {{ .Release.Name }}-secret-tls
+  rules:
+    - host: {{ .Values.ingress.host }}
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ .Release.Name }}
+                port:
+                  name: http
+{{- end }}

charts/freshrss/templates/persistant-volume-claim.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: {{ .Release.Name }}-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ .Release.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: storage
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: {{ .Values.persistence.config.storageSize }}
+  storageClassName: {{ .Values.persistence.config.storageClassName }}
+  volumeMode: {{ .Values.persistence.config.volumeMode }}

charts/freshrss/templates/pod.yaml

@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ .Release.Name }}-test-connection"
+  labels:
+    app.kubernetes.io/name: {{ .Release.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+  annotations:
+    "helm.sh/hook": test-success
+spec:
+  restartPolicy: Never
+  containers:
+    - name: wget
+      image: busybox
+      command: ['wget']
+      args: ['{{ .Release.Name }}:{{ .Values.service.http.port }}']
+      resources:
+        limits:
+          cpu: 500m
+          memory: 1Gi
+        requests:
+          cpu: 50m
+          memory: 256Mi

charts/freshrss/templates/service-account.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ .Release.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}

charts/freshrss/templates/service.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ .Release.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  type: ClusterIP
+  ports:
+    - port: {{ .Values.service.http.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    app.kubernetes.io/name: {{ .Release.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}

charts/freshrss/values.yaml

@@ -0,0 +1,33 @@
+deployment:
+  replicas: 1
+  strategy: Recreate
+  image:
+    repository: freshrss/freshrss
+    tag: 1.23.1
+    imagePullPolicy: IfNotPresent
+  env:
+    PGID: "568"
+    PUID: "568"
+    TZ: UTC
+    FRESHRSS_ENV: production
+  envFrom:
+  resources:
+    limits:
+      cpu: 500m
+      memory: 1Gi
+    requests:
+      cpu: 50m
+      memory: 256Mi
+service:
+  http:
+    port: 80
+ingress:
+  enabled: true
+  className:
+  annotations:
+  host:
+persistence:
+  config:
+    storageClassName: default
+    storageSize: 5Gi
+    volumeMode: Filesystem

charts/home-assistant/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: home-assistant
-version: 0.0.9
+version: 0.1.9
 description: Chart for Home Assistant
 keywords:
   - home-automation
@@ -9,4 +9,4 @@ sources:
 maintainers:
   - name: alexlebens
 icon: https://avatars.githubusercontent.com/u/13844975?s=200&v=4
-appVersion: v2024.2.2
+appVersion: v2024.4.3

charts/home-assistant/templates/deployment.yaml

@@ -4,12 +4,11 @@ metadata:
   name: home-assistant
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: home-assistant
+    app.kubernetes.io/name: {{ .Release.Name }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: web
     app.kubernetes.io/part-of: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: helm
 spec:
   revisionHistoryLimit: 3
   replicas: {{ .Values.deployment.replicas }}
@@ -17,15 +16,15 @@ spec:
     type: {{ .Values.deployment.strategy }}
   selector:
     matchLabels:
-      app.kubernetes.io/name: home-assistant
+      app.kubernetes.io/name: {{ .Release.Name }}
       app.kubernetes.io/instance: {{ .Release.Name }}
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: home-assistant
+        app.kubernetes.io/name: {{ .Release.Name }}
         app.kubernetes.io/instance: {{ .Release.Name }}
     spec:
-      serviceAccountName: home-assistant
+      serviceAccountName: {{ .Release.Name }}
       automountServiceAccountToken: true
       containers:
         - name: {{ .Release.Name }}
@@ -96,4 +95,4 @@ spec:
       volumes:
         - name: home-assistant-config
           persistentVolumeClaim:
-            claimName: home-assistant-config
+            claimName: "{{ .Release.Name }}-config"

charts/home-assistant/templates/ingress-route.yaml

@@ -2,15 +2,14 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
-  name: home-assistant
+  name: {{ .Release.Name }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: home-assistant
+    app.kubernetes.io/name: {{ .Release.Name }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: web
-    app.kubernetes.io/part-of: home-assistant
-    app.kubernetes.io/managed-by: helm
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   entryPoints:
     - websecure
@@ -18,12 +17,12 @@ spec:
     - kind: Rule
       match: "Host(`{{ .Values.ingressRoute.host }}`)"
       middlewares:
-        - name: authentik
-          namespace: {{ .Release.Namespace }}
+        - name: "authentik-{{ .Release.Name }}"
+          namespace: {{ .Release.Namespace }}           
       priority: 10
       services:
         - kind: Service
-          name: home-assistant
+          name: {{ .Release.Name }}
           port: {{ .Values.service.http.port }}
     - kind: Rule
       match: "Host(`{{ .Values.ingressRoute.host }}`) && PathPrefix(`/outpost.goauthentik.io/`)"
@@ -31,7 +30,7 @@ spec:
       services:
         - kind: Service
           name: {{ .Values.ingressRoute.authentik.outpost }}
-          port: {{ .Values.ingressRoute.authentik.port }}
+          port: {{ .Values.ingressRoute.authentik.port }}    
 {{- end }}
 
 ---
@@ -39,24 +38,33 @@ spec:
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
-  name: home-assistant-codeserver
+  name: "{{ .Release.Name }}-codeserver"
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: home-assistant
+    app.kubernetes.io/name: {{ .Release.Name }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: web
-    app.kubernetes.io/part-of: home-assistant
-    app.kubernetes.io/managed-by: helm
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   entryPoints:
     - websecure
   routes:
     - kind: Rule
       match: "Host(`{{ .Values.codeserver.ingressRoute.host }}`)"
+      middlewares:
+        - name: "authentik-{{ .Release.Name }}"
+          namespace: {{ .Release.Namespace }}      
       priority: 10
       services:
         - kind: Service
-          name: home-assistant-codeserver
+          name: "{{ .Release.Name }}-codeserver"
           port: {{ .Values.codeserver.service.http.port }}
-{{- end }}          
+    - kind: Rule
+      match: "Host(`{{ .Values.ingressRoute.host }}`) && PathPrefix(`/outpost.goauthentik.io/`)"
+      priority: 15
+      services:
+        - kind: Service
+          name: {{ .Values.ingressRoute.authentik.outpost }}
+          port: {{ .Values.ingressRoute.authentik.port }}          
+{{- end }}

charts/home-assistant/templates/middleware.yaml

@@ -2,15 +2,14 @@
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
-  name: authentik
+  name: "authentik-{{ .Release.Name }}"
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: home-assistant
+    app.kubernetes.io/name: {{ .Release.Name }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: auth
-    app.kubernetes.io/part-of: home-assistant
-    app.kubernetes.io/managed-by: helm
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   forwardAuth:
     address: "http://{{ .Values.ingressRoute.authentik.outpost }}.authentik:{{ .Values.ingressRoute.authentik.port }}/outpost.goauthentik.io/auth/traefik"

charts/home-assistant/templates/persistant-volume-claim.yaml

@@ -1,15 +1,14 @@
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
-  name: home-assistant-config
+  name: "{{ .Release.Name }}-config"
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: home-assistant
+    app.kubernetes.io/name: {{ .Release.Name }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: web
     app.kubernetes.io/part-of: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: helm
 spec:
   accessModes:
     - ReadWriteOnce

charts/home-assistant/templates/prometheus-rule.yaml

@@ -2,15 +2,14 @@
 apiVersion: monitoring.coreos.com/v1
 kind: PrometheusRule
 metadata:
-  name: home-assistant
+  name: {{ .Release.Name }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: home-assistant
+    app.kubernetes.io/name: {{ .Release.Name }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: web
-    app.kubernetes.io/part-of: home-assistant
-    app.kubernetes.io/managed-by: helm
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   groups:
     - name: {{ .Release.Name }}

charts/home-assistant/templates/service-account.yaml

@@ -1,12 +1,11 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: home-assistant
+  name: {{ .Release.Name }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: home-assistant
+    app.kubernetes.io/name: {{ .Release.Name }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: web
-    app.kubernetes.io/part-of: home-assistant
-    app.kubernetes.io/managed-by: helm
+    app.kubernetes.io/part-of: {{ .Release.Name }}

charts/home-assistant/templates/service-monitor.yaml

@@ -2,19 +2,18 @@
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
-  name: home-assistant
+  name: {{ .Release.Name }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: home-assistant
+    app.kubernetes.io/name: {{ .Release.Name }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: web
-    app.kubernetes.io/part-of: home-assistant
-    app.kubernetes.io/managed-by: helm
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: home-assistant
+      app.kubernetes.io/name: {{ .Release.Name }}
       app.kubernetes.io/instance: {{ .Release.Name }}
   endpoints:
     - port: http

charts/home-assistant/templates/service.yaml

@@ -1,15 +1,14 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: home-assistant
-  namespace: {{ .Release.Namespace }}  
+  name: {{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: home-assistant
+    app.kubernetes.io/name: {{ .Release.Name }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: web
     app.kubernetes.io/part-of: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: helm
 spec:
   type: ClusterIP
   ports:
@@ -18,7 +17,7 @@ spec:
       protocol: TCP
       name: http
   selector:
-    app.kubernetes.io/name: home-assistant
+    app.kubernetes.io/name: {{ .Release.Name }}
     app.kubernetes.io/instance: {{ .Release.Name }}
 
 ---
@@ -26,15 +25,14 @@ spec:
 apiVersion: v1
 kind: Service
 metadata:
-  name: home-assistant-codeserver
-  namespace: {{ .Release.Namespace }}  
+  name: "{{ .Release.Name }}-codeserver"
+  namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: home-assistant
+    app.kubernetes.io/name: {{ .Release.Name }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: web
     app.kubernetes.io/part-of: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: helm
 spec:
   type: ClusterIP
   ports:
@@ -43,6 +41,6 @@ spec:
       protocol: TCP
       name: codeserver-http
   selector:
-    app.kubernetes.io/name: home-assistant
+    app.kubernetes.io/name: {{ .Release.Name }}
     app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}

charts/home-assistant/values.yaml

@@ -3,10 +3,10 @@ deployment:
   strategy: Recreate
   image:
     repository: homeassistant/home-assistant
-    tag: 2024.2.2
+    tag: 2024.4.3
     imagePullPolicy: IfNotPresent
   env:
-    TZ: US/Mountain
+    TZ: UTC
   envFrom:
   resources:
     requests:
@@ -20,9 +20,9 @@ service:
     port: 8123
 ingressRoute:
   enabled: true
-  host: homeassistant.alexlebens.net
+  host:
   authentik:
-    outpost: authentik-proxy-outpost
+    outpost:
     port: 9000
 metrics:
   enabled: false
@@ -49,17 +49,17 @@ metrics:
           severity: critical
 persistence:
   config:
-    storageClassName: ceph-block
+    storageClassName: default
     storageSize: 1Gi
     volumeMode: Filesystem
 codeserver:
-  enabled: true
+  enabled: false
   image:
     repository: linuxserver/code-server
-    tag: 4.21.1
+    tag: 4.23.0
     imagePullPolicy: IfNotPresent
   env:
-    TZ: US/Mountain
+    TZ: UTC
     PUID: 1000
     PGID: 1000
     DEFAULT_WORKSPACE: /config
@@ -70,5 +70,5 @@ codeserver:
     http:
       port: 8443
   ingressRoute:
-    enabled: true
-    host: codeserver.homeassistant.alexlebens.net
+    enabled: false
+    host:

charts/homepage/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: homepage
-version: 0.0.5
+version: 0.0.10
 description: Chart for benphelps homepage
 keywords:
   - dashboard
@@ -9,4 +9,4 @@ sources:
 maintainers:
   - name: alexlebens
 icon: https://github.com/benphelps/homepage/blob/de584eae8f12a0d257e554e9511ef19bd2a1232c/public/mstile-150x150.png
-appVersion: v0.8.8
+appVersion: v0.8.11

charts/homepage/templates/cluster-role-binding.yaml

@@ -1,19 +1,18 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: homepage
+  name: {{ .Release.Name }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: homepage
+    app.kubernetes.io/name: {{ .Release.Name }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: web
-    app.kubernetes.io/part-of: homepage
-    app.kubernetes.io/managed-by: helm
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: homepage
+  name: {{ .Release.Name }}
 subjects:
   - kind: ServiceAccount
     name: homepage

charts/homepage/templates/cluster-role.yaml

@@ -1,15 +1,14 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: homepage
+  name: {{ .Release.Name }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: homepage
+    app.kubernetes.io/name: {{ .Release.Name }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: web
-    app.kubernetes.io/part-of: homepage
-    app.kubernetes.io/managed-by: helm
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 rules:
   - apiGroups:
       - ""

charts/homepage/templates/config-map.yaml

@@ -9,7 +9,6 @@ metadata:
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: web
     app.kubernetes.io/part-of: homepage
-    app.kubernetes.io/managed-by: helm
 data:
   bookmarks.yaml: {{- if .Values.config.bookmarks }} |
 {{- .Values.config.bookmarks | toYaml | nindent 4}}

charts/homepage/templates/deployment.yaml

@@ -9,7 +9,6 @@ metadata:
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: web
     app.kubernetes.io/part-of: homepage
-    app.kubernetes.io/managed-by: helm
 spec:
   revisionHistoryLimit: 3
   replicas: {{ .Values.deployment.replicas }}

charts/homepage/templates/ingress-route.yaml

@@ -9,7 +9,6 @@ metadata:
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: web
     app.kubernetes.io/part-of: homepage
-    app.kubernetes.io/managed-by: helm
 spec:
   entryPoints:
     - websecure
@@ -17,7 +16,7 @@ spec:
     - kind: Rule
       match: "Host(`{{ .Values.ingressRoute.host }}`)"
       middlewares:
-        - name: authentik
+        - name: "authentik-{{ .Release.Name }}"
           namespace: {{ .Release.Namespace }}
       priority: 10
       services:

charts/homepage/templates/middleware.yaml

@@ -1,15 +1,14 @@
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
-  name: authentik
+  name: "authentik-{{ .Release.Name }}"
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: homepage
+    app.kubernetes.io/name: {{ .Release.Name }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: auth
-    app.kubernetes.io/part-of: homepage
-    app.kubernetes.io/managed-by: helm
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   forwardAuth:
     address: "http://{{ .Values.ingressRoute.authentik.outpost }}.authentik:{{ .Values.ingressRoute.authentik.port }}/outpost.goauthentik.io/auth/traefik"

charts/homepage/templates/secret.yaml

@@ -10,6 +10,5 @@ metadata:
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: web
     app.kubernetes.io/part-of: homepage
-    app.kubernetes.io/managed-by: helm
   annotations:
     kubernetes.io/service-account.name: homepage

charts/homepage/templates/service-account.yaml

@@ -9,6 +9,5 @@ metadata:
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: web
     app.kubernetes.io/part-of: homepage
-    app.kubernetes.io/managed-by: helm
 secrets:
   - name: "{{ .Release.Name }}-sa-token"

charts/homepage/templates/service.yaml

@@ -9,7 +9,6 @@ metadata:
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: web
     app.kubernetes.io/part-of: homepage
-    app.kubernetes.io/managed-by: helm
 spec:
   type: ClusterIP
   ports:

charts/homepage/values.yaml

@@ -3,7 +3,7 @@ deployment:
   strategy: Recreate
   image:
     repository: ghcr.io/gethomepage/homepage
-    tag: v0.8.8
+    tag: v0.8.11
     imagePullPolicy: IfNotPresent
   env:
   envFrom:
@@ -13,14 +13,14 @@ deployment:
       cpu: 50m
     limits:
       memory: 512Mi
-      cpu: 500m 
+      cpu: 500m
 service:
   http:
     port: 3000
 ingressRoute:
-  host: homepage.alexlebens.net
+  host:
   authentik:
-    outpost: authentik-proxy-outpost
+    outpost:
     port: 9000
 config:
   bookmarks:

charts/kubelet-serving-cert-approver/Chart.yaml

@@ -0,0 +1,13 @@
+apiVersion: v2
+name: kubelet-serving-cert-approver
+version: 0.0.4
+description: Kubelet Serving TLS Certificate Signing Request Approver
+keywords:
+  - kubernetes
+  - certificate
+sources:
+  - https://github.com/alex1989hu/kubelet-serving-cert-approver
+  - https://github.com/alexlebens/helm-charts/charts/homepage
+maintainers:
+  - name: alexlebens
+appVersion: 0.8.1

charts/kubelet-serving-cert-approver/README.md

@@ -0,0 +1,16 @@
+## Introduction
+
+[Kubelet Serving Certificate Approver](https://github.com/alex1989hu/kubelet-serving-cert-approver)
+
+Kubelet Serving Certificate Approver is a custom approving controller which approves kubernetes.io/kubelet-serving Certificate Signing Request that kubelet use to serve TLS endpoints.
+
+This chart bootstraps a [Kubelet Serving Certificate Approver](https://github.com/alex1989hu/kubelet-serving-cert-approver) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+## Prerequisites
+
+- Kubernetes
+- Helm
+
+## Parameters
+
+See the [values files](values.yaml).

charts/kubelet-serving-cert-approver/templates/cluster-role-binding.yaml

@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kubelet-serving-cert-approver
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: kubelet-serving-cert-approver
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: server
+    app.kubernetes.io/part-of: kubelet-serving-cert-approver
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: "certificates:{{ .Release.Name }}"
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Release.Name }}
+    namespace: {{ .Release.Namespace }}

charts/kubelet-serving-cert-approver/templates/cluster-role.yaml

@@ -0,0 +1,61 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: "certificates:{{ .Release.Name }}"
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: kubelet-serving-cert-approver
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: server
+    app.kubernetes.io/part-of: kubelet-serving-cert-approver
+rules:
+  - apiGroups:
+      - certificates.k8s.io
+    resources:
+      - certificatesigningrequests
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - certificates.k8s.io
+    resources:
+      - certificatesigningrequests/approval
+    verbs:
+      - update
+  - apiGroups:
+      - authorization.k8s.io
+    resources:
+      - subjectaccessreviews
+    verbs:
+      - create
+  - apiGroups:
+      - certificates.k8s.io
+    resourceNames:
+      - kubernetes.io/kubelet-serving
+    resources:
+      - signers
+    verbs:
+      - approve
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: "events:{{ .Release.Name }}"
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: kubelet-serving-cert-approver
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: server
+    app.kubernetes.io/part-of: kubelet-serving-cert-approverv
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
+      - patch

charts/kubelet-serving-cert-approver/templates/deployment.yaml

@@ -0,0 +1,88 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kubelet-serving-cert-approver
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: kubelet-serving-cert-approver
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: server
+    app.kubernetes.io/part-of: kubelet-serving-cert-approver
+spec:
+  revisionHistoryLimit: 3
+  replicas: {{ .Values.deployment.replicas }}
+  strategy:
+    type: {{ .Values.deployment.strategy }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: kubelet-serving-cert-approver
+      app.kubernetes.io/instance: {{ .Release.Name }}
+
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: kubelet-serving-cert-approver
+        app.kubernetes.io/instance: {{ .Release.Name }}
+    spec:
+      affinity:
+        nodeAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - preference:
+                matchExpressions:
+                  - key: node-role.kubernetes.io/master
+                    operator: DoesNotExist
+                  - key: node-role.kubernetes.io/control-plane
+                    operator: DoesNotExist
+              weight: 100
+      containers:
+        - name: {{ .Release.Name }}
+          image: "{{ .Values.deployment.image.repository }}:{{ .Values.deployment.image.tag }}"
+          imagePullPolicy: {{ .Values.deployment.image.imagePullPolicy }}
+          ports:
+            - containerPort: 8080
+              name: health
+            - containerPort: 9090
+              name: metrics
+          args:
+            - serve
+          env:
+            - name: NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          resources:
+            {{- toYaml .Values.deployment.resources | nindent 12 }}
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: health
+            initialDelaySeconds: 6
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: health
+            initialDelaySeconds: 3
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+      priorityClassName: {{ .Values.deployment.priorityClassName }}
+      securityContext:
+        fsGroup: 65534
+        runAsGroup: 65534
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
+      serviceAccountName: kubelet-serving-cert-approver
+      tolerations:
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/master
+          operator: Exists
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/control-plane
+          operator: Exists

charts/kubelet-serving-cert-approver/templates/namespace.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kubelet-serving-cert-approver
+  labels:
+    app.kubernetes.io/name: kubelet-serving-cert-approver
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/enforce: restricted
+    pod-security.kubernetes.io/warn: restricted

charts/kubelet-serving-cert-approver/templates/role-binding.yaml

@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: "events:{{ .Release.Name }}"
+  namespace: default
+  labels:
+    app.kubernetes.io/name: kubelet-serving-cert-approver
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: server
+    app.kubernetes.io/part-of: kubelet-serving-cert-approver
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: "events:{{ .Release.Name }}"
+subjects:
+  - kind: ServiceAccount
+    name: kubelet-serving-cert-approver
+    namespace: {{ .Release.Name }}

charts/kubelet-serving-cert-approver/templates/service-account.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kubelet-serving-cert-approver
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: kubelet-serving-cert-approver
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: server
+    app.kubernetes.io/part-of: kubelet-serving-cert-approver

charts/kubelet-serving-cert-approver/templates/service.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: kubelet-serving-cert-approver
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: kubelet-serving-cert-approver
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: server
+    app.kubernetes.io/part-of: kubelet-serving-cert-approver
+spec:
+  ports:
+    - name: metrics
+      port: 9090
+      protocol: TCP
+      targetPort: metrics
+  selector:
+    app.kubernetes.io/name: kubelet-serving-cert-approver
+    app.kubernetes.io/instance: {{ .Release.Name }}

charts/kubelet-serving-cert-approver/values.yaml

@@ -0,0 +1,15 @@
+deployment:
+  replicas: 1
+  strategy: Recreate
+  priorityClassName: system-cluster-critical
+  image:
+    repository: ghcr.io/alex1989hu/kubelet-serving-cert-approver
+    tag: main
+    imagePullPolicy: Always
+  resources:
+    limits:
+      cpu: 250m
+      memory: 32Mi
+    requests:
+      cpu: 10m
+      memory: 16Mi

charts/libation/Chart.yaml

@@ -0,0 +1,13 @@
+apiVersion: v2
+name: libation
+version: 0.0.6
+description: Import library from audible
+keywords:
+  - audiobooks
+  - job
+sources:
+  - https://github.com/rmcrackan/Libation
+maintainers:
+  - name: alexlebens
+icon: https://getlibation.com/images/libation-logo.png
+appVersion: "11.1.0"

charts/libation/README.md

@@ -0,0 +1,18 @@
+## Introduction
+
+[Libation](https://github.com/rmcrackan/Libation)
+
+Libation: Liberate your Library. Import library from audible, including cover art
+
+
+This chart bootstraps a [Libation](https://github.com/benphelps/homepage) CronJob on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+## Prerequisites
+
+- Kubernetes
+- Helm
+- CronJob
+
+## Parameters
+
+See the [values files](values.yaml).

charts/libation/templates/job.yaml

@@ -0,0 +1,39 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: libation
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: libation
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: job
+    app.kubernetes.io/part-of: libation
+spec:
+  schedule: {{ .Values.job.schedule }}
+  successfulJobsHistoryLimit: 3
+  failedJobsHistoryLimit: 3
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          restartPolicy: Never
+          containers:
+            - name: libation
+              image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+              imagePullPolicy: {{ .Values.image.pullPolicy }}
+              env:
+                - name: SLEEP_TIME
+                  value: "-1"
+              volumeMounts:
+                - name: libation-config
+                  mountPath: /config
+                - name: libation-books
+                  mountPath: /data
+          volumes:
+            - name: libation-config
+              persistentVolumeClaim:
+                claimName: libation-config
+            - name: libation-books
+              persistentVolumeClaim:
+                claimName: {{ .Values.persistence.books.claimName }}

charts/libation/templates/persistent-volume-claim.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: libation-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: libation
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: storage
+    app.kubernetes.io/part-of: libation
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: {{ .Values.persistence.config.storageSize }}
+  storageClassName: {{ .Values.persistence.config.storageClassName }}
+  volumeMode: {{ .Values.persistence.config.volumeMode }}

charts/libation/values.yaml

@@ -0,0 +1,13 @@
+job:
+  schedule: "0 * * * *"
+image:
+  repository: rmcrackan/libation
+  tag: "11.1.0"
+  pullPolicy: IfNotPresent
+persistence:
+  config:
+    storageClassName: default
+    storageSize: 1Gi
+    volumeMode: Filesystem
+  books:
+    claimName:

charts/matrix-hookshot/Chart.yaml

@@ -0,0 +1,14 @@
+apiVersion: v2
+name: matrix-hookshot
+version: 0.1.0
+description: Chart for Matrix Hookshot
+keywords:
+  - matrix
+  - matrix-hookshot
+  - webhook
+sources:
+  - https://github.com/matrix-org/matrix-hookshot
+maintainers:
+  - name: alexlebens
+icon: https://avatars.githubusercontent.com/u/8418310?s=48&v=4
+appVersion: "5.2.1"

charts/matrix-hookshot/templates/_helpers.tpl

@@ -0,0 +1,43 @@
+{{/*
+Helper for secret name
+*/}}
+{{- define "hookshot.secretName" -}}
+{{- if .Values.hookshot.existingSecret }}
+{{- printf "%s" .Values.hookshot.existingSecret -}}
+{{- else }}
+{{- printf "matrix-hookshot-config-secret" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+
+{{/*
+Helper for registration secret name
+*/}}
+{{- define "hookshot.registrationSecretName" -}}
+{{- if .Values.hookshot.existingRegistrationSecret }}
+{{- printf "%s" .Values.hookshot.existingRegistrationSecret -}}
+{{- else }}
+{{- printf "matrix-hookshot-registration-secret" }}
+{{- end }}
+{{- end }}
+
+{{/*
+Helper for passkey secret name
+*/}}
+{{- define "hookshot.passkeySecretName" -}}
+{{- if .Values.hookshot.existingPasskeySecret }}
+{{- printf "%s" .Values.hookshot.existingPasskeySecret -}}
+{{- else }}
+{{- printf "matrix-hookshot-passkey-secret" }}
+{{- end }}
+{{- end }}
+
+{{/*
+Helper for passkey file name
+*/}}
+{{- define "hookshot.passFile" -}}
+{{- if .Values.hookshot.config.passFile }}
+{{- printf "%s" .Values.hookshot.config.passFile -}}
+{{- else }}
+{{- printf "passkey.pem" }}
+{{- end }}
+{{- end }}

charts/matrix-hookshot/templates/deployment.yaml

@@ -0,0 +1,79 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: matrix-hookshot
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: matrix-hookshot
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  revisionHistoryLimit: 3
+  replicas: {{ .Values.deployment.replicas }}
+  strategy:
+    type: {{ .Values.deployment.strategy }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: matrix-hookshot
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: matrix-hookshot
+        app.kubernetes.io/instance: {{ .Release.Name }}
+    spec:
+      serviceAccountName: matrix-hookshot
+      automountServiceAccountToken: true
+      containers:
+        - name: matrix-hookshot
+          image: "{{ .Values.deployment.image.repository }}:{{ .Values.deployment.image.tag }}"
+          imagePullPolicy: {{ .Values.deployment.image.imagePullPolicy }}
+          ports:
+            - name: webhook
+              containerPort: {{ .Values.service.webhook.port }}
+              protocol: TCP
+            - name: metrics
+              containerPort: {{ .Values.service.metrics.port }}
+              protocol: TCP
+            - name: appservice
+              containerPort: {{ .Values.service.appservice.port }}
+              protocol: TCP
+            - name: widgets
+              containerPort: {{ .Values.service.widgets.port }}
+              protocol: TCP              
+          env:
+          {{- range $k,$v := .Values.deployment.env }}
+            - name: {{ $k }}
+              value: {{ $v | quote }}
+          {{- end }}
+          {{- with .Values.deployment.envFrom }}
+          envFrom:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          resources:
+            {{- toYaml .Values.deployment.resources | nindent 12 }}
+          volumeMounts:
+            - name: config
+              mountPath: /data/config.yml
+              subPath: config.yml
+              readOnly: true
+            - name: registration
+              mountPath: /data/registration.yml
+              subPath: registration.yml
+              readOnly: true
+            - name: passkey
+              mountPath: "/data/{{ template "hookshot.passFile" . }}"
+              subPath: {{ template "hookshot.passFile" . }}
+              readOnly: true
+      volumes:
+        - name: config
+          secret:
+            secretName: {{ template "hookshot.secretName" . }}
+        - name: registration
+          secret:
+            secretName: {{ template "hookshot.registrationSecretName" . }}
+        - name: passkey
+          secret:
+            secretName: {{ template "hookshot.passkeySecretName" . }}

charts/matrix-hookshot/templates/ingress.yaml

@@ -0,0 +1,100 @@
+{{- if .Values.ingress.webhook.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: matrix-hookshot-webhook
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: matrix-hookshot-webhook
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+  annotations:
+    {{- toYaml .Values.ingress.webhook.annotations | nindent 4 }}
+spec:
+  ingressClassName: {{ .Values.ingress.webhook.className }}
+  tls:
+    - hosts:
+        - {{ .Values.ingress.webhook.host }}
+      secretName: {{ .Release.Name }}-webhook-secret-tls
+  rules:
+    - host: {{ .Values.ingress.webhook.host }}
+      http:
+        paths:
+          - path: /webhook/
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ .Release.Name }}
+                port:
+                  name: webhook
+{{- end }}
+
+---
+{{- if .Values.ingress.appservice.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: matrix-hookshot-appservice
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: matrix-hookshot-appservice
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+  annotations:
+    {{- toYaml .Values.ingress.appservice.annotations | nindent 4 }}
+spec:
+  ingressClassName: {{ .Values.ingress.appservice.className }}
+  tls:
+    - hosts:
+        - {{ .Values.ingress.appservice.host }}
+      secretName: {{ .Release.Name }}-appservice-secret-tls
+  rules:
+    - host: {{ .Values.ingress.appservice.host }}
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ .Release.Name }}
+                port:
+                  name: appservice
+{{- end }}
+
+---
+{{- if .Values.ingress.widgets.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: matrix-hookshot-widgets
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: matrix-hookshot-widgets
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+  annotations:
+    {{- toYaml .Values.ingress.widgets.annotations | nindent 4 }}
+spec:
+  ingressClassName: {{ .Values.ingress.widgets.className }}
+  tls:
+    - hosts:
+        - {{ .Values.ingress.widgets.host }}
+      secretName: {{ .Release.Name }}-widgets-secret-tls
+  rules:
+    - host: {{ .Values.ingress.widgets.host }}
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ .Release.Name }}
+                port:
+                  name: widgets
+{{- end }}

charts/matrix-hookshot/templates/pod.yaml

@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: matrix-hookshot-test-connection
+  labels:
+    app.kubernetes.io/name: matrix-hookshot-test-connection
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+  annotations:
+    "helm.sh/hook": test-success
+spec:
+  restartPolicy: Never
+  containers:
+    - name: wget
+      image: busybox
+      command: ['wget']
+      args: ['matrix-hookshot:{{ .Values.service.webhook.port }}']
+      resources:
+        limits:
+          cpu: 500m
+          memory: 1Gi
+        requests:
+          cpu: 50m
+          memory: 256Mi

charts/matrix-hookshot/templates/secret.yaml

@@ -0,0 +1,52 @@
+{{- if not .Values.hookshot.existingSecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: matrix-hookshot-config-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: matrix-hookshot-config
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+data:
+  config.yml: |
+{{ toYaml .Values.hookshot.config | indent 4 }}
+{{- end }}
+
+---
+{{- if not .Values.hookshot.existingRegistrationSecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: matrix-hookshot-registration-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: matrix-hookshot-registration
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+data:
+  registration.yml: |
+{{ toYaml .Values.hookshot.registration | indent 4 }}
+{{- end }}
+
+---
+{{- if not .Values.hookshot.existingPasskeySecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: matrix-hookshot-passkey-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: matrix-hookshot-passkey
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+data:
+  {{ .Values.hookshot.config.passFile }}: |
+{{ toYaml .Values.hookshot.passkey | indent 4 }}
+{{- end }}

charts/matrix-hookshot/templates/service-account.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: matrix-hookshot
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: matrix-hookshot
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}

charts/matrix-hookshot/templates/service-monitor.yaml

@@ -0,0 +1,23 @@
+{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: matrix-hookshot
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: matrix-hookshot
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  endpoints:
+    - port: metrics
+      interval: {{ .Values.metrics.serviceMonitor.interval }}
+      scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
+      path: /metrics
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: matrix-hookshot
+      app.kubernetes.io/instance: {{ .Release.Name }}      
+{{- end }}

charts/matrix-hookshot/templates/service.yaml

@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: matrix-hookshot
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: matrix-hookshot
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.webhook.port }}
+      targetPort: webhook
+      protocol: TCP
+      name: webhook
+    - port: {{ .Values.service.metrics.port }}
+      targetPort: metrics
+      protocol: TCP
+      name: metrics
+    - port: {{ .Values.service.appservice.port }}
+      targetPort: appservice
+      protocol: TCP
+      name: appservice
+    - port: {{ .Values.service.widgets.port }}
+      targetPort: widgets
+      protocol: TCP
+      name: widgets      
+  selector:
+    app.kubernetes.io/name: matrix-hookshot
+    app.kubernetes.io/instance: {{ .Release.Name }}

charts/matrix-hookshot/values.yaml

@@ -0,0 +1,248 @@
+deployment:
+  replicas: 1
+  strategy: Recreate
+  image:
+    repository: halfshot/matrix-hookshot
+    tag: "5.2.1"
+    imagePullPolicy: IfNotPresent
+  env: {}
+  envFrom: []
+  resources:
+    limits:
+      memory: 512Mi
+      cpu: 100m
+    requests:
+      memory: 256Mi
+      cpu: 50m
+service:
+  type: ClusterIP
+  webhook:
+    port: 9000
+  metrics:
+    port: 9001
+  appservice:
+    port: 9002
+  widgets:
+    port: 9003
+ingress:
+  webhook:
+    enabled: false
+    className: ""
+    annotations: {}
+    host: ""
+  appservice:
+    enabled: false
+    className: ""
+    annotations: {}
+    host: ""
+  widgets:
+    enabled: false
+    className: ""
+    annotations: {}
+    host: ""    
+metrics:
+  enabled: false
+  serviceMonitor:
+    enabled: false
+    interval: 15s
+    scrapeTimeout: 5s
+
+# Reference the following for examples
+# https://matrix-org.github.io/matrix-hookshot/latest/setup/sample-configuration.html
+hookshot:
+
+  # config.yml contents
+  existingSecret: ""
+  config:
+    bridge:
+      domain: example.com
+      url: http://localhost:8008
+      mediaUrl: https://example.com
+      port: 9993
+      bindAddress: 0.0.0.0
+    passFile: passkey.pem
+    logging:
+      level: info
+      colorize: true
+      json: false
+      timestampFormat: HH:mm:ss:SSS
+    listeners:
+      - port: 9000
+        bindAddress: 0.0.0.0
+        resources:
+          - webhooks
+      - port: 9001
+        bindAddress: 0.0.0.0
+        resources:
+          - metrics
+          - provisioning
+      - port: 9003
+        bindAddress: 0.0.0.0
+        resources:
+          - widgets
+
+    #github:
+    #  # (Optional) Configure this to enable GitHub support
+    #  auth:
+    #    # Authentication for the GitHub App.
+    #    id: 123
+    #    privateKeyFile: github-key.pem
+    #  webhook:
+    #    # Webhook settings for the GitHub app.
+    #    secret: secrettoken
+    #  oauth:
+    #    # (Optional) Settings for allowing users to sign in via OAuth.
+    #    client_id: foo
+    #    client_secret: bar
+    #    redirect_uri: https://example.com/oauth/
+    #  defaultOptions:
+    #    # (Optional) Default options for GitHub connections.
+    #    showIssueRoomLink: false
+    #    hotlinkIssues:
+    #      prefix: "#"
+    #  userIdPrefix:
+    #    # (Optional) Prefix used when creating ghost users for GitHub accounts.
+    #    _github_
+
+    #gitlab:
+    #  # (Optional) Configure this to enable GitLab support
+    #  instances:
+    #    gitlab.com:
+    #      url: https://gitlab.com
+    #  webhook:
+    #    secret: secrettoken
+    #    publicUrl: https://example.com/hookshot/
+    #  userIdPrefix:
+    #    # (Optional) Prefix used when creating ghost users for GitLab accounts.
+    #    _gitlab_
+    #  commentDebounceMs:
+    #    # (Optional) Aggregate comments by waiting this many miliseconds before posting them to Matrix. Defaults to 5000 (5 seconds)
+    #    5000
+
+    #figma:
+    #  # (Optional) Configure this to enable Figma support
+    #  publicUrl: https://example.com/hookshot/
+    #  instances:
+    #    your-instance:
+    #      teamId: your-team-id
+    #      accessToken: your-personal-access-token
+    #      passcode: your-webhook-passcode
+
+    #jira:
+    #  # (Optional) Configure this to enable Jira support. Only specify `url` if you are using a On Premise install (i.e. not atlassian.com)
+    #  webhook:
+    #    # Webhook settings for JIRA
+    #    secret: secrettoken
+    #  oauth:
+    #    # (Optional) OAuth settings for connecting users to JIRA. See documentation for more information
+    #    client_id: foo
+    #    client_secret: bar
+    #    redirect_uri: https://example.com/oauth/
+
+    #generic:
+    #  # (Optional) Support for generic webhook events.
+    #  #'allowJsTransformationFunctions' will allow users to write short transformation snippets in code, and thus is unsafe in untrusted environments
+
+    #  enabled: false
+    #  enableHttpGet: false
+    #  urlPrefix: https://example.com/webhook/
+    #  userIdPrefix: _webhooks_
+    #  allowJsTransformationFunctions: false
+    #  waitForComplete: false
+
+    #feeds:
+    #  # (Optional) Configure this to enable RSS/Atom feed support
+    #  enabled: false
+    #  pollConcurrency: 4
+    #  pollIntervalSeconds: 600
+    #  pollTimeoutSeconds: 30
+
+    #provisioning:
+    #  # (Optional) Provisioning API for integration managers
+    #  secret: "!secretToken"
+
+    #bot:
+    #  # (Optional) Define profile information for the bot user
+    #  displayname: Hookshot Bot
+    #  avatar: mxc://half-shot.uk/2876e89ccade4cb615e210c458e2a7a6883fe17d
+
+    #serviceBots:
+    #  # (Optional) Define additional bot users for specific services
+    #  - localpart: feeds
+    #    displayname: Feeds
+    #    avatar: ./assets/feeds_avatar.png
+    #    prefix: "!feeds"
+    #    service: feeds
+
+    #metrics:
+    #  # (Optional) Prometheus metrics support
+    #  enabled: true
+
+    #cache:
+    #  # (Optional) Cache options for large scale deployments.
+    #  # For encryption to work, this must be configured.
+    #  redisUri: redis://localhost:6379
+
+    #queue:
+    #  # (Optional) Message queue configuration options for large scale deployments.
+    #  # For encryption to work, this must not be configured.
+    #  redisUri: redis://localhost:6379
+
+    #widgets:
+    #  # (Optional) EXPERIMENTAL support for complimentary widgets
+    #  addToAdminRooms: false
+    #  disallowedIpRanges:
+    #    - 127.0.0.0/8
+    #    - 10.0.0.0/8
+    #    - 172.16.0.0/12
+    #    - 192.168.0.0/16
+    #    - 100.64.0.0/10
+    #    - 192.0.0.0/24
+    #    - 169.254.0.0/16
+    #    - 192.88.99.0/24
+    #    - 198.18.0.0/15
+    #    - 192.0.2.0/24
+    #    - 198.51.100.0/24
+    #    - 203.0.113.0/24
+    #    - 224.0.0.0/4
+    #    - ::1/128
+    #    - fe80::/10
+    #    - fc00::/7
+    #    - 2001:db8::/32
+    #    - ff00::/8
+    #    - fec0::/10
+    #  roomSetupWidget:
+    #    addOnInvite: false
+    #  publicUrl: https://example.com/widgetapi/v1/static/
+    #  branding:
+    #    widgetTitle: Hookshot Configuration
+
+    #sentry:
+    #  # (Optional) Configure Sentry error reporting
+    #  dsn: https://examplePublicKey@o0.ingest.sentry.io/0
+    #  environment: production
+
+    #permissions:
+    #  # (Optional) Permissions for using the bridge. See docs/setup.md#permissions for help
+    #  - actor: example.com
+    #    services:
+    #      - service: "*"
+    #        level: admin
+
+  # registration.yml contents
+  existingRegistrationSecret: ""
+  registration:
+    id: matrix-hookshot
+    as_token: ""
+    hs_token: ""
+    namespaces:
+      rooms: []
+      users: []
+    sender_localpart: hookshot
+    url: "http://example.com"
+    rate_limited: false
+
+  # A passkey used to encrypt tokens stored inside the bridge.
+  # Run openssl genpkey -out passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096 to generate
+  existingPasskeySecret: ""
+  passkey: ""

charts/mautrix-discord/Chart.yaml

@@ -0,0 +1,15 @@
+apiVersion: v2
+name: mautrix-discord
+version: 0.0.2
+description: Chart for Matrix Discord Bridge
+keywords:
+  - matrix
+  - mautrix-discord
+  - bridge
+  - discord
+sources:
+  - https://github.com/mautrix/discord
+maintainers:
+  - name: alexlebens
+icon: https://avatars.githubusercontent.com/u/88519669?s=48&v=4
+appVersion: v0.6.5

charts/mautrix-discord/templates/_helpers.tpl

@@ -0,0 +1,41 @@
+{{/*
+Helper for secret name
+*/}}
+{{- define "mautrix-discord.secretName" -}}
+{{- if .Values.mautrixDiscord.existingSecret }}
+{{- printf "%s" .Values.mautrixDiscord.existingSecret -}}
+{{- else }}
+{{- printf "mautrix-discord-config-secret" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+
+{{/*
+Helper for registration secret name
+*/}}
+{{- define "mautrix-discord.registrationSecretName" -}}
+{{- if .Values.mautrixDiscord.existingRegistrationSecret }}
+{{- printf "%s" .Values.mautrixDiscord.existingRegistrationSecret -}}
+{{- else }}
+{{- printf "mautrix-discord-registration-secret" }}
+{{- end }}
+{{- end }}
+
+{{/*
+Generate registration.yaml if not from existing secret
+*/}}
+{{- define "mautrix-discord.registration-yaml" -}}
+id: {{ .Values.mautrixDiscord.config.appservice.id | quote }}
+as_token: {{ .Values.mautrixDiscord.config.appservice.as_token | quote }}
+hs_token: {{ .Values.mautrixDiscord.config.appservice.hs_token | quote }}
+namespaces:
+  users:
+    - regex: {{ printf "^@discordbot:%s$" (replace "." "\\." .Values.mautrixDiscord.config.homeserver.domain) }}
+      exclusive: true
+    - regex: {{ printf "^@%s:%s$" (replace "{{.}}" ".*" (tpl .Values.mautrixDiscord.config.bridge.username_template .)) (replace "." "\\." .Values.mautrixDiscord.config.homeserver.domain) }}
+      exclusive: true
+url: {{ .Values.mautrixDiscord.config.appservice.address | quote }}
+sender_localpart: {{ .Values.mautrixDiscord.registration.sender_localpart | quote }}
+rate_limited: {{ .Values.mautrixDiscord.registration.rate_limited }}
+de.sorunome.msc2409.push_ephemeral: true
+push_ephemeral: true
+{{- end -}}

charts/mautrix-discord/templates/deployment.yaml

@@ -0,0 +1,96 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mautrix-discord
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: mautrix-discord
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  revisionHistoryLimit: 3
+  replicas: {{ .Values.deployment.replicas }}
+  strategy:
+    type: {{ .Values.deployment.strategy }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: mautrix-discord
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: mautrix-discord
+        app.kubernetes.io/instance: {{ .Release.Name }}
+    spec:
+      serviceAccountName: mautrix-discord
+      automountServiceAccountToken: true
+      containers:
+        - name: mautrix-discord
+          image: "{{ .Values.deployment.image.repository }}:{{ .Values.deployment.image.tag }}"
+          imagePullPolicy: {{ .Values.deployment.image.imagePullPolicy }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.service.port }}
+              protocol: TCP
+          env:
+          {{- range $k,$v := .Values.deployment.env }}
+            - name: {{ $k }}
+              value: {{ $v | quote }}
+          {{- end }}
+          {{- with .Values.deployment.envFrom }}
+          envFrom:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          livenessProbe:
+            httpGet:
+              path: /_matrix/mau/live
+              port: http
+            failureThreshold: {{ .Values.deployment.probes.liveness.failureThreshold }}
+            periodSeconds: {{ .Values.deployment.probes.liveness.periodSeconds }}
+          readinessProbe:
+            httpGet:
+              path: /_matrix/mau/ready
+              port: http
+            failureThreshold: {{ .Values.deployment.probes.readiness.failureThreshold }}
+            periodSeconds: {{ .Values.deployment.probes.readiness.periodSeconds }}
+          resources:
+            {{- toYaml .Values.deployment.resources | nindent 12 }}
+          volumeMounts:
+            - name: config
+              mountPath: /data/config.yaml
+              subPath: config.yaml
+              readOnly: true
+            - name: registration
+              mountPath: /data/registration.yaml
+              subPath: registration.yaml
+              readOnly: true
+            - name: data
+              mountPath: /data
+      volumes:
+        - name: config
+          secret:
+            secretName: {{ template "mautrix-discord.secretName" . }}
+        - name: registration
+          secret:
+            secretName: {{ template "mautrix-discord.registrationSecretName" . }}
+        - name: data
+          {{- if .Values.persistence.enabled }}
+          persistentVolumeClaim:
+            claimName: {{ .Values.persistence.existingClaim | default "mautrix-discord-data" }}
+          {{- else }}
+          emptyDir: {}
+          {{- end }}
+      {{- with .Values.deployment.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.deployment.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.deployment.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

charts/mautrix-discord/templates/ingress.yaml

@@ -0,0 +1,32 @@
+{{- if .Values.ingress.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: mautrix-discord
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: mautrix-discord
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+  annotations:
+    {{- toYaml .Values.ingress.annotations | nindent 4 }}
+spec:
+  ingressClassName: {{ .Values.ingress.className }}
+  tls:
+    - hosts:
+        - {{ .Values.ingress.host }}
+      secretName: {{ .Release.Name }}-secret-tls
+  rules:
+    - host: {{ .Values.ingress.host }}
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: mautrix-discord
+                port:
+                  name: http
+{{- end }}

charts/mautrix-discord/templates/persistent-volume-claim.yaml

@@ -0,0 +1,26 @@
+{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: mautrix-discord-data
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: mautrix-discord
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  accessModes:
+    - {{ .Values.persistence.accessMode | quote }}
+  resources:
+    requests:
+      storage: {{ .Values.persistence.size | quote }}
+  {{- if .Values.persistence.storageClass }}
+  {{- if not .Values.persistence.storageClass }}
+  storageClassName: ""
+  {{- else }}
+  storageClassName: {{ .Values.persistence.storageClass | quote }}
+  {{- end }}
+  {{- end }}
+{{- end }}

charts/mautrix-discord/templates/secret.yaml

@@ -0,0 +1,33 @@
+{{- if not .Values.mautrixDiscord.existingSecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mautrix-discord-config-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: mautrix-discord-config
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+data:
+  config.yaml: |
+{{ toYaml .Values.mautrixDiscord.config | indent 4 }}
+{{- end }}
+
+---
+{{- if not .Values.mautrixDiscord.existingRegistrationSecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mautrix-discord-registration-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: mautrix-discord-registration
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+data:
+  registration.yaml: {{ include "mautrix-discord.registration-yaml" . | b64enc | quote }}
+{{- end }}

charts/mautrix-discord/templates/service-account.yaml

@@ -0,0 +1,17 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: mautrix-discord
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: mautrix-discord
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end -}}

charts/mautrix-discord/templates/service.yaml

@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: mautrix-discord
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: mautrix-discord
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  type: {{ .Values.service.type }}
+  clusterIP: {{ .Values.service.clusterIP | quote }}
+  externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy }}
+  publishNotReadyAddresses: {{ .Values.service.publishNotReadyAddresses }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    app.kubernetes.io/name: mautrix-discord
+    app.kubernetes.io/instance: {{ .Release.Name }}

charts/mautrix-discord/values.yaml

@@ -0,0 +1,427 @@
+deployment:
+  replicas: 1
+  strategy: Recreate
+  image:
+    repository: dock.mau.dev/mautrix/discord
+    tag: v0.6.5
+    imagePullPolicy: IfNotPresent
+  env: {}
+  envFrom: []
+  resources:
+    limits:
+      memory: 128Mi
+      cpu: 200m
+    requests:
+      memory: 64Mi
+      cpu: 50m
+  probes:
+    liveness:
+      failureThreshold: 5
+      periodSeconds: 10
+    readiness:
+      failureThreshold: 5
+      periodSeconds: 10
+  nodeSelector: {}
+  tolerations: []
+  affinity: {}
+serviceAccount:
+  create: true
+  annotations: {}
+service:
+  type: ClusterIP
+  clusterIP: None
+  port: 29334
+  externalTrafficPolicy: ""
+  publishNotReadyAddresses: true
+ingress:
+  enabled: false
+  className: ""
+  annotations: {}
+  host: ""
+persistence:
+  enabled: false
+  existingClaim: ""
+  storageClass: ""
+  accessMode: ReadWriteOnce
+  size: 500Mi
+
+
+# Reference the following for examples
+# https://github.com/mautrix/discord/blob/main/example-config.yaml
+mautrixDiscord:
+
+  # config.yml contents
+  existingSecret: ""
+  config:
+    # Homeserver details.
+    homeserver:
+        # The address that this appservice can use to connect to the homeserver.
+        address: https://matrix.example.com
+        # Publicly accessible base URL for media, used for avatars in relay mode.
+        # If not set, the connection address above will be used.
+        public_address: null
+        # The domain of the homeserver (also known as server_name, used for MXIDs, etc).
+        domain: example.com
+
+        # What software is the homeserver running?
+        # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here.
+        software: standard
+        # The URL to push real-time bridge status to.
+        # If set, the bridge will make POST requests to this URL whenever a user's discord connection state changes.
+        # The bridge will use the appservice as_token to authorize requests.
+        status_endpoint: null
+        # Endpoint for reporting per-message status.
+        message_send_checkpoint_endpoint: null
+        # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
+        async_media: false
+
+        # Should the bridge use a websocket for connecting to the homeserver?
+        # The server side is currently not documented anywhere and is only implemented by mautrix-wsproxy,
+        # mautrix-asmux (deprecated), and hungryserv (proprietary).
+        websocket: false
+        # How often should the websocket be pinged? Pinging will be disabled if this is zero.
+        ping_interval_seconds: 0
+
+    # Application service host/registration related details.
+    # Changing these values requires regeneration of the registration.
+    appservice:
+        # The address that the homeserver can use to connect to this appservice.
+        address: http://localhost:29334
+
+        # The hostname and port where this appservice should listen.
+        hostname: 0.0.0.0
+        port: 29334
+
+        # Database config.
+        database:
+            # The database type. "sqlite3-fk-wal" and "postgres" are supported.
+            type: postgres
+            # The database URI.
+            #   SQLite: A raw file path is supported, but `file:<path>?_txlock=immediate` is recommended.
+            #           https://github.com/mattn/go-sqlite3#connection-string
+            #   Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable
+            #             To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql
+            uri: postgres://user:password@host/database?sslmode=disable
+            # Maximum number of connections. Mostly relevant for Postgres.
+            max_open_conns: 20
+            max_idle_conns: 2
+            # Maximum connection idle time and lifetime before they're closed. Disabled if null.
+            # Parsed with https://pkg.go.dev/time#ParseDuration
+            max_conn_idle_time: null
+            max_conn_lifetime: null
+
+        # The unique ID of this appservice.
+        id: discord
+        # Appservice bot details.
+        bot:
+            # Username of the appservice bot.
+            username: discordbot
+            # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
+            # to leave display name/avatar as-is.
+            displayname: Discord bridge bot
+            avatar: mxc://maunium.net/nIdEykemnwdisvHbpxflpDlC
+
+        # Whether or not to receive ephemeral events via appservice transactions.
+        # Requires MSC2409 support (i.e. Synapse 1.22+).
+        ephemeral_events: true
+
+        # Should incoming events be handled asynchronously?
+        # This may be necessary for large public instances with lots of messages going through.
+        # However, messages will not be guaranteed to be bridged in the same order they were sent in.
+        async_transactions: false
+
+        # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
+        as_token: "This value is generated when generating the registration"
+        hs_token: "This value is generated when generating the registration"
+
+    # Bridge config
+    bridge:
+        # Localpart template of MXIDs for Discord users.
+        # {{.}} is replaced with the internal ID of the Discord user.
+        username_template: discord_{{.}}
+        # Displayname template for Discord users. This is also used as the room name in DMs if private_chat_portal_meta is enabled.
+        # Available variables:
+        #   .ID - Internal user ID
+        #   .Username - Legacy display/username on Discord
+        #   .GlobalName - New displayname on Discord
+        #   .Discriminator - The 4 numbers after the name on Discord
+        #   .Bot - Whether the user is a bot
+        #   .System - Whether the user is an official system user
+        #   .Webhook - Whether the user is a webhook and is not an application
+        #   .Application - Whether the user is an application
+        displayname_template: '{{or .GlobalName .Username}}{{if .Bot}} (bot){{end}}'
+        # Displayname template for Discord channels (bridged as rooms, or spaces when type=4).
+        # Available variables:
+        #   .Name - Channel name, or user displayname (pre-formatted with displayname_template) in DMs.
+        #   .ParentName - Parent channel name (used for categories).
+        #   .GuildName - Guild name.
+        #   .NSFW - Whether the channel is marked as NSFW.
+        #   .Type - Channel type (see values at https://github.com/bwmarrin/discordgo/blob/v0.25.0/structs.go#L251-L267)
+        channel_name_template: '{{if or (eq .Type 3) (eq .Type 4)}}{{.Name}}{{else}}#{{.Name}}{{end}}'
+        # Displayname template for Discord guilds (bridged as spaces).
+        # Available variables:
+        #   .Name - Guild name
+        guild_name_template: '{{.Name}}'
+        # Whether to explicitly set the avatar and room name for private chat portal rooms.
+        # If set to `default`, this will be enabled in encrypted rooms and disabled in unencrypted rooms.
+        # If set to `always`, all DM rooms will have explicit names and avatars set.
+        # If set to `never`, DM rooms will never have names and avatars set.
+        private_chat_portal_meta: default
+
+        portal_message_buffer: 128
+
+        # Number of private channel portals to create on bridge startup.
+        # Other portals will be created when receiving messages.
+        startup_private_channel_create_limit: 5
+        # Should the bridge send a read receipt from the bridge bot when a message has been sent to Discord?
+        delivery_receipts: false
+        # Whether the bridge should send the message status as a custom com.beeper.message_send_status event.
+        message_status_events: false
+        # Whether the bridge should send error notices via m.notice events when a message fails to bridge.
+        message_error_notices: true
+        # Should the bridge use space-restricted join rules instead of invite-only for guild rooms?
+        # This can avoid unnecessary invite events in guild rooms when members are synced in.
+        restricted_rooms: true
+        # Should the bridge automatically join the user to threads on Discord when the thread is opened on Matrix?
+        # This only works with clients that support thread read receipts (MSC3771 added in Matrix v1.4).
+        autojoin_thread_on_open: true
+        # Should inline fields in Discord embeds be bridged as HTML tables to Matrix?
+        # Tables aren't supported in all clients, but are the only way to emulate the Discord inline field UI.
+        embed_fields_as_tables: true
+        # Should guild channels be muted when the portal is created? This only meant for single-user instances,
+        # it won't mute it for all users if there are multiple Matrix users in the same Discord guild.
+        mute_channels_on_create: false
+        # Should the bridge update the m.direct account data event when double puppeting is enabled.
+        # Note that updating the m.direct event is not atomic (except with mautrix-asmux)
+        # and is therefore prone to race conditions.
+        sync_direct_chat_list: false
+        # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run.
+        # This field will automatically be changed back to false after it, except if the config file is not writable.
+        resend_bridge_info: false
+        # Should incoming custom emoji reactions be bridged as mxc:// URIs?
+        # If set to false, custom emoji reactions will be bridged as the shortcode instead, and the image won't be available.
+        custom_emoji_reactions: true
+        # Should the bridge attempt to completely delete portal rooms when a channel is deleted on Discord?
+        # If true, the bridge will try to kick Matrix users from the room. Otherwise, the bridge only makes ghosts leave.
+        delete_portal_on_channel_delete: false
+        # Should the bridge delete all portal rooms when you leave a guild on Discord?
+        # This only applies if the guild has no other Matrix users on this bridge instance.
+        delete_guild_on_leave: true
+        # Whether or not created rooms should have federation enabled.
+        # If false, created portal rooms will never be federated.
+        federate_rooms: true
+        # Prefix messages from webhooks with the profile info? This can be used along with a custom displayname_template
+        # to better handle webhooks that change their name all the time (like ones used by bridges).
+        prefix_webhook_messages: false
+        # Bridge webhook avatars?
+        enable_webhook_avatars: true
+        # Should the bridge upload media to the Discord CDN directly before sending the message when using a user token,
+        # like the official client does? The other option is sending the media in the message send request as a form part
+        # (which is always used by bots and webhooks).
+        use_discord_cdn_upload: true
+        # Should mxc uris copied from Discord be cached?
+        # This can be `never` to never cache, `unencrypted` to only cache unencrypted mxc uris, or `always` to cache everything.
+        # If you have a media repo that generates non-unique mxc uris, you should set this to never.
+        cache_media: unencrypted
+        # Settings for converting Discord media to custom mxc:// URIs instead of reuploading.
+        # More details can be found at https://docs.mau.fi/bridges/go/discord/direct-media.html
+        direct_media:
+            # Should custom mxc:// URIs be used instead of reuploading media?
+            enabled: false
+            # The server name to use for the custom mxc:// URIs.
+            # This server name will effectively be a real Matrix server, it just won't implement anything other than media.
+            # You must either set up .well-known delegation from this domain to the bridge, or proxy the domain directly to the bridge.
+            server_name: discord-media.example.com
+            # Optionally a custom .well-known response. This defaults to `server_name:443`
+            well_known_response:
+            # The bridge supports MSC3860 media download redirects and will use them if the requester supports it.
+            # Optionally, you can force redirects and not allow proxying at all by setting this to false.
+            allow_proxy: true
+            # Matrix server signing key to make the federation tester pass, same format as synapse's .signing.key file.
+            # This key is also used to sign the mxc:// URIs to ensure only the bridge can generate them.
+            server_key: generate
+        # Settings for converting animated stickers.
+        animated_sticker:
+            # Format to which animated stickers should be converted.
+            # disable - No conversion, send as-is (lottie JSON)
+            # png - converts to non-animated png (fastest)
+            # gif - converts to animated gif
+            # webm - converts to webm video, requires ffmpeg executable with vp9 codec and webm container support
+            # webp - converts to animated webp, requires ffmpeg executable with webp codec/container support
+            target: webp
+            # Arguments for converter. All converters take width and height.
+            args:
+                width: 320
+                height: 320
+                fps: 25 # only for webm, webp and gif (2, 5, 10, 20 or 25 recommended)
+        # Servers to always allow double puppeting from
+        double_puppet_server_map:
+            example.com: https://example.com
+        # Allow using double puppeting from any server with a valid client .well-known file.
+        double_puppet_allow_discovery: false
+        # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth
+        #
+        # If set, double puppeting will be enabled automatically for local users
+        # instead of users having to find an access token and run `login-matrix`
+        # manually.
+        login_shared_secret_map:
+            example.com: foobar
+
+        # The prefix for commands. Only required in non-management rooms.
+        command_prefix: '!discord'
+        # Messages sent upon joining a management room.
+        # Markdown is supported. The defaults are listed below.
+        management_room_text:
+            # Sent when joining a room.
+            welcome: "Hello, I'm a Discord bridge bot."
+            # Sent when joining a management room and the user is already logged in.
+            welcome_connected: "Use `help` for help."
+            # Sent when joining a management room and the user is not logged in.
+            welcome_unconnected: "Use `help` for help or `login` to log in."
+            # Optional extra text sent when joining a management room.
+            additional_help: ""
+
+        # Settings for backfilling messages.
+        backfill:
+            # Limits for forward backfilling.
+            forward_limits:
+                # Initial backfill (when creating portal). 0 means backfill is disabled.
+                # A special unlimited value is not supported, you must set a limit. Initial backfill will
+                # fetch all messages first before backfilling anything, so high limits can take a lot of time.
+                initial:
+                    dm: 0
+                    channel: 0
+                    thread: 0
+                # Missed message backfill (on startup).
+                # 0 means backfill is disabled, -1 means fetch all messages since last bridged message.
+                # When using unlimited backfill (-1), messages are backfilled as they are fetched.
+                # With limits, all messages up to the limit are fetched first and backfilled afterwards.
+                missed:
+                    dm: 0
+                    channel: 0
+                    thread: 0
+            # Maximum members in a guild to enable backfilling. Set to -1 to disable limit.
+            # This can be used as a rough heuristic to disable backfilling in channels that are too active.
+            # Currently only applies to missed message backfill.
+            max_guild_members: -1
+
+        # End-to-bridge encryption support options.
+        #
+        # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
+        encryption:
+            # Allow encryption, work in group chat rooms with e2ee enabled
+            allow: false
+            # Default to encryption, force-enable encryption in all portals the bridge creates
+            # This will cause the bridge bot to be in private chats for the encryption to work properly.
+            default: false
+            # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
+            appservice: false
+            # Require encryption, drop any unencrypted messages.
+            require: false
+            # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
+            # You must use a client that supports requesting keys from other users to use this feature.
+            allow_key_sharing: false
+            # Should users mentions be in the event wire content to enable the server to send push notifications?
+            plaintext_mentions: false
+            # Options for deleting megolm sessions from the bridge.
+            delete_keys:
+                # Beeper-specific: delete outbound sessions when hungryserv confirms
+                # that the user has uploaded the key to key backup.
+                delete_outbound_on_ack: false
+                # Don't store outbound sessions in the inbound table.
+                dont_store_outbound: false
+                # Ratchet megolm sessions forward after decrypting messages.
+                ratchet_on_decrypt: false
+                # Delete fully used keys (index >= max_messages) after decrypting messages.
+                delete_fully_used_on_decrypt: false
+                # Delete previous megolm sessions from same device when receiving a new one.
+                delete_prev_on_new_session: false
+                # Delete megolm sessions received from a device when the device is deleted.
+                delete_on_device_delete: false
+                # Periodically delete megolm sessions when 2x max_age has passed since receiving the session.
+                periodically_delete_expired: false
+                # Delete inbound megolm sessions that don't have the received_at field used for
+                # automatic ratcheting and expired session deletion. This is meant as a migration
+                # to delete old keys prior to the bridge update.
+                delete_outdated_inbound: false
+            # What level of device verification should be required from users?
+            #
+            # Valid levels:
+            #   unverified - Send keys to all device in the room.
+            #   cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys.
+            #   cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes).
+            #   cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot.
+            #                           Note that creating user signatures from the bridge bot is not currently possible.
+            #   verified - Require manual per-device verification
+            #              (currently only possible by modifying the `trust` column in the `crypto_device` database table).
+            verification_levels:
+                # Minimum level for which the bridge should send keys to when bridging messages from WhatsApp to Matrix.
+                receive: unverified
+                # Minimum level that the bridge should accept for incoming Matrix messages.
+                send: unverified
+                # Minimum level that the bridge should require for accepting key requests.
+                share: cross-signed-tofu
+            # Options for Megolm room key rotation. These options allow you to
+            # configure the m.room.encryption event content. See:
+            # https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for
+            # more information about that event.
+            rotation:
+                # Enable custom Megolm room key rotation settings. Note that these
+                # settings will only apply to rooms created after this option is
+                # set.
+                enable_custom: false
+                # The maximum number of milliseconds a session should be used
+                # before changing it. The Matrix spec recommends 604800000 (a week)
+                # as the default.
+                milliseconds: 604800000
+                # The maximum number of messages that should be sent with a given a
+                # session before changing it. The Matrix spec recommends 100 as the
+                # default.
+                messages: 100
+
+                # Disable rotating keys when a user's devices change?
+                # You should not enable this option unless you understand all the implications.
+                disable_device_change_key_rotation: false
+
+        # Settings for provisioning API
+        provisioning:
+            # Prefix for the provisioning API paths.
+            prefix: /_matrix/provision
+            # Shared secret for authentication. If set to "generate", a random secret will be generated,
+            # or if set to "disable", the provisioning API will be disabled.
+            shared_secret: generate
+            # Enable debug API at /debug with provisioning authentication.
+            debug_endpoints: false
+
+        # Permissions for using the bridge.
+        # Permitted values:
+        #    relay - Talk through the relaybot (if enabled), no access otherwise
+        #     user - Access to use the bridge to chat with a Discord account.
+        #    admin - User level and some additional administration tools
+        # Permitted keys:
+        #        * - All Matrix users
+        #   domain - All users on that homeserver
+        #     mxid - Specific user
+        permissions:
+            "*": relay
+            "example.com": user
+            "@admin:example.com": admin
+
+    # Logging config. See https://github.com/tulir/zeroconfig for details.
+    logging:
+        min_level: debug
+        writers:
+        - type: stdout
+          format: pretty-colored
+        - type: file
+          format: json
+          filename: ./logs/mautrix-discord.log
+          max_size: 100
+          max_backups: 10
+          compress: true
+
+  # registration.yml contents
+  existingRegistrationSecret: ""
+  registration:
+    rate_limited: false
+    sender_localpart: discordbridgebot

charts/mautrix-whatsapp/Chart.yaml

@@ -0,0 +1,15 @@
+apiVersion: v2
+name: mautrix-whatsapp
+version: 0.0.2
+description: Chart for Matrix Whatsapp Bridge
+keywords:
+  - matrix
+  - mautrix-whatsapp
+  - bridge
+  - whatsapp
+sources:
+  - https://github.com/mautrix/whatsapp
+maintainers:
+  - name: alexlebens
+icon: https://avatars.githubusercontent.com/u/88519669?s=48&v=4
+appVersion: v0.10.6

charts/mautrix-whatsapp/templates/_helpers.tpl

@@ -0,0 +1,41 @@
+{{/*
+Helper for secret name
+*/}}
+{{- define "mautrix-whatsapp.secretName" -}}
+{{- if .Values.mautrixWhatsapp.existingSecret }}
+{{- printf "%s" .Values.mautrixWhatsapp.existingSecret -}}
+{{- else }}
+{{- printf "mautrix-whatsapp-config-secret" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+
+{{/*
+Helper for registration secret name
+*/}}
+{{- define "mautrix-whatsapp.registrationSecretName" -}}
+{{- if .Values.mautrixWhatsapp.existingRegistrationSecret }}
+{{- printf "%s" .Values.mautrixWhatsapp.existingRegistrationSecret -}}
+{{- else }}
+{{- printf "mautrix-whatsapp-registration-secret" }}
+{{- end }}
+{{- end }}
+
+{{/*
+Generate registration.yaml if not from existing secret
+*/}}
+{{- define "mautrix-whatsapp.registration-yaml" -}}
+id: {{ .Values.mautrixWhatsapp.config.appservice.id | quote }}
+as_token: {{ .Values.mautrixWhatsapp.config.appservice.as_token | quote }}
+hs_token: {{ .Values.mautrixWhatsapp.config.appservice.hs_token | quote }}
+namespaces:
+  users:
+    - regex: {{ printf "^@whatsappbot:%s$" (replace "." "\\." .Values.mautrixWhatsapp.config.homeserver.domain) }}
+      exclusive: true
+    - regex: {{ printf "^@%s:%s$" (replace "{{.}}" ".*" (tpl .Values.mautrixWhatsapp.config.bridge.username_template .)) (replace "." "\\." .Values.mautrixWhatsapp.config.homeserver.domain) }}
+      exclusive: true
+url: {{ .Values.mautrixWhatsapp.config.appservice.address | quote }}
+sender_localpart: {{ .Values.mautrixWhatsapp.registration.sender_localpart | quote }}
+rate_limited: {{ .Values.mautrixWhatsapp.registration.rate_limited }}
+de.sorunome.msc2409.push_ephemeral: true
+push_ephemeral: true
+{{- end -}}

charts/mautrix-whatsapp/templates/deployment.yaml

@@ -0,0 +1,96 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mautrix-whatsapp
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: mautrix-whatsapp
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  revisionHistoryLimit: 3
+  replicas: {{ .Values.deployment.replicas }}
+  strategy:
+    type: {{ .Values.deployment.strategy }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: mautrix-whatsapp
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: mautrix-whatsapp
+        app.kubernetes.io/instance: {{ .Release.Name }}
+    spec:
+      serviceAccountName: mautrix-whatsapp
+      automountServiceAccountToken: true
+      containers:
+        - name: mautrix-whatsapp
+          image: "{{ .Values.deployment.image.repository }}:{{ .Values.deployment.image.tag }}"
+          imagePullPolicy: {{ .Values.deployment.image.imagePullPolicy }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.service.port }}
+              protocol: TCP
+          env:
+          {{- range $k,$v := .Values.deployment.env }}
+            - name: {{ $k }}
+              value: {{ $v | quote }}
+          {{- end }}
+          {{- with .Values.deployment.envFrom }}
+          envFrom:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          livenessProbe:
+            httpGet:
+              path: /_matrix/mau/live
+              port: http
+            failureThreshold: {{ .Values.deployment.probes.liveness.failureThreshold }}
+            periodSeconds: {{ .Values.deployment.probes.liveness.periodSeconds }}
+          readinessProbe:
+            httpGet:
+              path: /_matrix/mau/ready
+              port: http
+            failureThreshold: {{ .Values.deployment.probes.readiness.failureThreshold }}
+            periodSeconds: {{ .Values.deployment.probes.readiness.periodSeconds }}
+          resources:
+            {{- toYaml .Values.deployment.resources | nindent 12 }}
+          volumeMounts:
+            - name: config
+              mountPath: /data/config.yaml
+              subPath: config.yaml
+              readOnly: true
+            - name: registration
+              mountPath: /data/registration.yaml
+              subPath: registration.yaml
+              readOnly: true
+            - name: data
+              mountPath: /data
+      volumes:
+        - name: config
+          secret:
+            secretName: {{ template "mautrix-whatsapp.secretName" . }}
+        - name: registration
+          secret:
+            secretName: {{ template "mautrix-whatsapp.registrationSecretName" . }}
+        - name: data
+          {{- if .Values.persistence.enabled }}
+          persistentVolumeClaim:
+            claimName: {{ .Values.persistence.existingClaim | default "mautrix-whatsapp-data" }}
+          {{- else }}
+          emptyDir: {}
+          {{- end }}
+      {{- with .Values.deployment.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.deployment.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.deployment.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

charts/mautrix-whatsapp/templates/ingress.yaml

@@ -0,0 +1,32 @@
+{{- if .Values.ingress.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: mautrix-whatsapp
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: mautrix-whatsapp
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+  annotations:
+    {{- toYaml .Values.ingress.annotations | nindent 4 }}
+spec:
+  ingressClassName: {{ .Values.ingress.className }}
+  tls:
+    - hosts:
+        - {{ .Values.ingress.host }}
+      secretName: {{ .Release.Name }}-secret-tls
+  rules:
+    - host: {{ .Values.ingress.host }}
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: mautrix-whatsapp
+                port:
+                  name: http
+{{- end }}

charts/mautrix-whatsapp/templates/persistent-volume-claim.yaml

@@ -0,0 +1,26 @@
+{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: mautrix-whatsapp-data
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: mautrix-whatsapp
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  accessModes:
+    - {{ .Values.persistence.accessMode | quote }}
+  resources:
+    requests:
+      storage: {{ .Values.persistence.size | quote }}
+  {{- if .Values.persistence.storageClass }}
+  {{- if not .Values.persistence.storageClass }}
+  storageClassName: ""
+  {{- else }}
+  storageClassName: {{ .Values.persistence.storageClass | quote }}
+  {{- end }}
+  {{- end }}
+{{- end }}

charts/mautrix-whatsapp/templates/secret.yaml

@@ -0,0 +1,33 @@
+{{- if not .Values.mautrixWhatsapp.existingSecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mautrix-whatsapp-config-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: mautrix-whatsapp-config
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+data:
+  config.yaml: |
+{{ toYaml .Values.mautrixWhatsapp.config | indent 4 }}
+{{- end }}
+
+---
+{{- if not .Values.mautrixWhatsapp.existingRegistrationSecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mautrix-whatsapp-registration-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: mautrix-whatsapp-registration
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+data:
+  registration.yaml: {{ include "mautrix-whatsapp.registration-yaml" . | b64enc | quote }}
+{{- end }}

charts/mautrix-whatsapp/templates/service-account.yaml

@@ -0,0 +1,17 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: mautrix-whatsapp
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: mautrix-whatsapp
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end -}}

charts/mautrix-whatsapp/templates/service.yaml

@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: mautrix-whatsapp
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: mautrix-whatsapp
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  type: {{ .Values.service.type }}
+  clusterIP: {{ .Values.service.clusterIP | quote }}
+  externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy }}
+  publishNotReadyAddresses: {{ .Values.service.publishNotReadyAddresses }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    app.kubernetes.io/name: mautrix-whatsapp
+    app.kubernetes.io/instance: {{ .Release.Name }}

charts/mautrix-whatsapp/values.yaml

@@ -0,0 +1,534 @@
+deployment:
+  replicas: 1
+  strategy: Recreate
+  image:
+    repository: dock.mau.dev/mautrix/whatsapp
+    tag: v0.10.6
+    imagePullPolicy: IfNotPresent
+  env: {}
+  envFrom: []
+  resources:
+    limits:
+      memory: 128Mi
+      cpu: 200m
+    requests:
+      memory: 64Mi
+      cpu: 50m
+  probes:
+    liveness:
+      failureThreshold: 5
+      periodSeconds: 10
+    readiness:
+      failureThreshold: 5
+      periodSeconds: 10
+  nodeSelector: {}
+  tolerations: []
+  affinity: {}
+serviceAccount:
+  create: true
+  annotations: {}
+service:
+  type: ClusterIP
+  clusterIP: None
+  port: 29334
+  externalTrafficPolicy: ""
+  publishNotReadyAddresses: true
+ingress:
+  enabled: false
+  className: ""
+  annotations: {}
+  host: ""
+persistence:
+  enabled: false
+  existingClaim: ""
+  storageClass: ""
+  accessMode: ReadWriteOnce
+  size: 500Mi
+
+
+# Reference the following for examples
+# https://github.com/mautrix/whatsapp/blob/main/example-config.yaml
+mautrixWhatsapp:
+
+  # config.yml contents
+  existingSecret: ""
+  config:
+    # Homeserver details.
+    homeserver:
+        # The address that this appservice can use to connect to the homeserver.
+        address: https://matrix.example.com
+        # The domain of the homeserver (also known as server_name, used for MXIDs, etc).
+        domain: example.com
+
+        # What software is the homeserver running?
+        # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here.
+        software: standard
+        # The URL to push real-time bridge status to.
+        # If set, the bridge will make POST requests to this URL whenever a user's whatsapp connection state changes.
+        # The bridge will use the appservice as_token to authorize requests.
+        status_endpoint: null
+        # Endpoint for reporting per-message status.
+        message_send_checkpoint_endpoint: null
+        # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
+        async_media: false
+
+        # Should the bridge use a websocket for connecting to the homeserver?
+        # The server side is currently not documented anywhere and is only implemented by mautrix-wsproxy,
+        # mautrix-asmux (deprecated), and hungryserv (proprietary).
+        websocket: false
+        # How often should the websocket be pinged? Pinging will be disabled if this is zero.
+        ping_interval_seconds: 0
+
+    # Application service host/registration related details.
+    # Changing these values requires regeneration of the registration.
+    appservice:
+        # The address that the homeserver can use to connect to this appservice.
+        address: http://localhost:29318
+
+        # The hostname and port where this appservice should listen.
+        hostname: 0.0.0.0
+        port: 29318
+
+        # Database config.
+        database:
+            # The database type. "sqlite3-fk-wal" and "postgres" are supported.
+            type: postgres
+            # The database URI.
+            #   SQLite: A raw file path is supported, but `file:<path>?_txlock=immediate` is recommended.
+            #           https://github.com/mattn/go-sqlite3#connection-string
+            #   Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable
+            #             To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql
+            uri: postgres://user:password@host/database?sslmode=disable
+            # Maximum number of connections. Mostly relevant for Postgres.
+            max_open_conns: 20
+            max_idle_conns: 2
+            # Maximum connection idle time and lifetime before they're closed. Disabled if null.
+            # Parsed with https://pkg.go.dev/time#ParseDuration
+            max_conn_idle_time: null
+            max_conn_lifetime: null
+
+        # The unique ID of this appservice.
+        id: whatsapp
+        # Appservice bot details.
+        bot:
+            # Username of the appservice bot.
+            username: whatsappbot
+            # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
+            # to leave display name/avatar as-is.
+            displayname: WhatsApp bridge bot
+            avatar: mxc://maunium.net/NeXNQarUbrlYBiPCpprYsRqr
+
+        # Whether or not to receive ephemeral events via appservice transactions.
+        # Requires MSC2409 support (i.e. Synapse 1.22+).
+        ephemeral_events: true
+
+        # Should incoming events be handled asynchronously?
+        # This may be necessary for large public instances with lots of messages going through.
+        # However, messages will not be guaranteed to be bridged in the same order they were sent in.
+        async_transactions: false
+
+        # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
+        as_token: "This value is generated when generating the registration"
+        hs_token: "This value is generated when generating the registration"
+
+    # Segment-compatible analytics endpoint for tracking some events, like provisioning API login and encryption errors.
+    analytics:
+        # Hostname of the tracking server. The path is hardcoded to /v1/track
+        host: api.segment.io
+        # API key to send with tracking requests. Tracking is disabled if this is null.
+        token: null
+        # Optional user ID for tracking events. If null, defaults to using Matrix user ID.
+        user_id: null
+
+    # Prometheus config.
+    metrics:
+        # Enable prometheus metrics?
+        enabled: false
+        # IP and port where the metrics listener should be. The path is always /metrics
+        listen: 127.0.0.1:8001
+
+    # Config for things that are directly sent to WhatsApp.
+    whatsapp:
+        # Device name that's shown in the "WhatsApp Web" section in the mobile app.
+        os_name: Mautrix-WhatsApp bridge
+        # Browser name that determines the logo shown in the mobile app.
+        # Must be "unknown" for a generic icon or a valid browser name if you want a specific icon.
+        # List of valid browser names: https://github.com/tulir/whatsmeow/blob/efc632c008604016ddde63bfcfca8de4e5304da9/binary/proto/def.proto#L43-L64
+        browser_name: unknown
+
+    # Bridge config
+    bridge:
+        # Localpart template of MXIDs for WhatsApp users.
+        # {{.}} is replaced with the phone number of the WhatsApp user.
+        username_template: whatsapp_{{.}}
+        # Displayname template for WhatsApp users.
+        # {{.PushName}}     - nickname set by the WhatsApp user
+        # {{.BusinessName}} - validated WhatsApp business name
+        # {{.Phone}}        - phone number (international format)
+        # The following variables are also available, but will cause problems on multi-user instances:
+        # {{.FullName}}  - full name from contact list
+        # {{.FirstName}} - first name from contact list
+        displayname_template: "{{or .BusinessName .PushName .JID}} (WA)"
+        # Should the bridge create a space for each logged-in user and add bridged rooms to it?
+        # Users who logged in before turning this on should run `!wa sync space` to create and fill the space for the first time.
+        personal_filtering_spaces: false
+        # Should the bridge send a read receipt from the bridge bot when a message has been sent to WhatsApp?
+        delivery_receipts: false
+        # Whether the bridge should send the message status as a custom com.beeper.message_send_status event.
+        message_status_events: false
+        # Whether the bridge should send error notices via m.notice events when a message fails to bridge.
+        message_error_notices: true
+        # Should incoming calls send a message to the Matrix room?
+        call_start_notices: true
+        # Should another user's cryptographic identity changing send a message to Matrix?
+        identity_change_notices: false
+        portal_message_buffer: 128
+        # Settings for handling history sync payloads.
+        history_sync:
+            # Enable backfilling history sync payloads from WhatsApp?
+            backfill: true
+            # The maximum number of initial conversations that should be synced.
+            # Other conversations will be backfilled on demand when receiving a message or when initiating a direct chat.
+            max_initial_conversations: -1
+            # Maximum number of messages to backfill in each conversation.
+            # Set to -1 to disable limit.
+            message_count: 50
+            # Should the bridge request a full sync from the phone when logging in?
+            # This bumps the size of history syncs from 3 months to 1 year.
+            request_full_sync: false
+            # Configuration parameters that are sent to the phone along with the request full sync flag.
+            # By default (when the values are null or 0), the config isn't sent at all.
+            full_sync_config:
+                # Number of days of history to request.
+                # The limit seems to be around 3 years, but using higher values doesn't break.
+                days_limit: null
+                # This is presumably the maximum size of the transferred history sync blob, which may affect what the phone includes in the blob.
+                size_mb_limit: null
+                # This is presumably the local storage quota, which may affect what the phone includes in the history sync blob.
+                storage_quota_mb: null
+            # If this value is greater than 0, then if the conversation's last message was more than
+            # this number of hours ago, then the conversation will automatically be marked it as read.
+            # Conversations that have a last message that is less than this number of hours ago will
+            # have their unread status synced from WhatsApp.
+            unread_hours_threshold: 0
+
+            ###############################################################################
+            # The settings below are only applicable for backfilling using batch sending, #
+            # which is no longer supported in Synapse.                                    #
+            ###############################################################################
+
+            # Settings for media requests. If the media expired, then it will not be on the WA servers.
+            # Media can always be requested by reacting with the ♻️ (recycle) emoji.
+            # These settings determine if the media requests should be done automatically during or after backfill.
+            media_requests:
+                # Should expired media be automatically requested from the server as part of the backfill process?
+                auto_request_media: true
+                # Whether to request the media immediately after the media message is backfilled ("immediate")
+                # or at a specific time of the day ("local_time").
+                request_method: immediate
+                # If request_method is "local_time", what time should the requests be sent (in minutes after midnight)?
+                request_local_time: 120
+            # Settings for immediate backfills. These backfills should generally be small and their main purpose is
+            # to populate each of the initial chats (as configured by max_initial_conversations) with a few messages
+            # so that you can continue conversations without losing context.
+            immediate:
+                # The number of concurrent backfill workers to create for immediate backfills.
+                # Note that using more than one worker could cause the room list to jump around
+                # since there are no guarantees about the order in which the backfills will complete.
+                worker_count: 1
+                # The maximum number of events to backfill initially.
+                max_events: 10
+            # Settings for deferred backfills. The purpose of these backfills are to fill in the rest of
+            # the chat history that was not covered by the immediate backfills.
+            # These backfills generally should happen at a slower pace so as not to overload the homeserver.
+            # Each deferred backfill config should define a "stage" of backfill (i.e. the last week of messages).
+            # The fields are as follows:
+            # - start_days_ago: the number of days ago to start backfilling from.
+            #     To indicate the start of time, use -1. For example, for a week ago, use 7.
+            # - max_batch_events: the number of events to send per batch.
+            # - batch_delay: the number of seconds to wait before backfilling each batch.
+            deferred:
+                # Last Week
+                - start_days_ago: 7
+                  max_batch_events: 20
+                  batch_delay: 5
+                # Last Month
+                - start_days_ago: 30
+                  max_batch_events: 50
+                  batch_delay: 10
+                # Last 3 months
+                - start_days_ago: 90
+                  max_batch_events: 100
+                  batch_delay: 10
+                # The start of time
+                - start_days_ago: -1
+                  max_batch_events: 500
+                  batch_delay: 10
+
+        # Should puppet avatars be fetched from the server even if an avatar is already set?
+        user_avatar_sync: true
+        # Should Matrix users leaving groups be bridged to WhatsApp?
+        bridge_matrix_leave: true
+        # Should the bridge update the m.direct account data event when double puppeting is enabled.
+        # Note that updating the m.direct event is not atomic (except with mautrix-asmux)
+        # and is therefore prone to race conditions.
+        sync_direct_chat_list: false
+        # Should the bridge use MSC2867 to bridge manual "mark as unread"s from
+        # WhatsApp and set the unread status on initial backfill?
+        # This will only work on clients that support the m.marked_unread or
+        # com.famedly.marked_unread room account data.
+        sync_manual_marked_unread: true
+        # When double puppeting is enabled, users can use `!wa toggle` to change whether
+        # presence is bridged. This setting sets the default value.
+        # Existing users won't be affected when these are changed.
+        default_bridge_presence: true
+        # Send the presence as "available" to whatsapp when users start typing on a portal.
+        # This works as a workaround for homeservers that do not support presence, and allows
+        # users to see when the whatsapp user on the other side is typing during a conversation.
+        send_presence_on_typing: false
+        # Should the bridge always send "active" delivery receipts (two gray ticks on WhatsApp)
+        # even if the user isn't marked as online (e.g. when presence bridging isn't enabled)?
+        #
+        # By default, the bridge acts like WhatsApp web, which only sends active delivery
+        # receipts when it's in the foreground.
+        force_active_delivery_receipts: false
+        # Servers to always allow double puppeting from
+        double_puppet_server_map:
+            example.com: https://example.com
+        # Allow using double puppeting from any server with a valid client .well-known file.
+        double_puppet_allow_discovery: false
+        # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth
+        #
+        # If set, double puppeting will be enabled automatically for local users
+        # instead of users having to find an access token and run `login-matrix`
+        # manually.
+        login_shared_secret_map:
+            example.com: foobar
+        # Whether to explicitly set the avatar and room name for private chat portal rooms.
+        # If set to `default`, this will be enabled in encrypted rooms and disabled in unencrypted rooms.
+        # If set to `always`, all DM rooms will have explicit names and avatars set.
+        # If set to `never`, DM rooms will never have names and avatars set.
+        private_chat_portal_meta: default
+        # Should group members be synced in parallel? This makes member sync faster
+        parallel_member_sync: false
+        # Should Matrix m.notice-type messages be bridged?
+        bridge_notices: true
+        # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run.
+        # This field will automatically be changed back to false after it, except if the config file is not writable.
+        resend_bridge_info: false
+        # When using double puppeting, should muted chats be muted in Matrix?
+        mute_bridging: false
+        # When using double puppeting, should archived chats be moved to a specific tag in Matrix?
+        # Note that WhatsApp unarchives chats when a message is received, which will also be mirrored to Matrix.
+        # This can be set to a tag (e.g. m.lowpriority), or null to disable.
+        archive_tag: null
+        # Same as above, but for pinned chats. The favorite tag is called m.favourite
+        pinned_tag: null
+        # Should mute status and tags only be bridged when the portal room is created?
+        tag_only_on_create: true
+        # Should WhatsApp status messages be bridged into a Matrix room?
+        # Disabling this won't affect already created status broadcast rooms.
+        enable_status_broadcast: true
+        # Should sending WhatsApp status messages be allowed?
+        # This can cause issues if the user has lots of contacts, so it's disabled by default.
+        disable_status_broadcast_send: true
+        # Should the status broadcast room be muted and moved into low priority by default?
+        # This is only applied when creating the room, the user can unmute it later.
+        mute_status_broadcast: true
+        # Tag to apply to the status broadcast room.
+        status_broadcast_tag: m.lowpriority
+        # Should the bridge use thumbnails from WhatsApp?
+        # They're disabled by default due to very low resolution.
+        whatsapp_thumbnail: false
+        # Allow invite permission for user. User can invite any bots to room with whatsapp
+        # users (private chat and groups)
+        allow_user_invite: false
+        # Whether or not created rooms should have federation enabled.
+        # If false, created portal rooms will never be federated.
+        federate_rooms: true
+        # Should the bridge never send alerts to the bridge management room?
+        # These are mostly things like the user being logged out.
+        disable_bridge_alerts: false
+        # Should the bridge stop if the WhatsApp server says another user connected with the same session?
+        # This is only safe on single-user bridges.
+        crash_on_stream_replaced: false
+        # Should the bridge detect URLs in outgoing messages, ask the homeserver to generate a preview,
+        # and send it to WhatsApp? URL previews can always be sent using the `com.beeper.linkpreviews`
+        # key in the event content even if this is disabled.
+        url_previews: false
+        # Send captions in the same message as images. This will send data compatible with both MSC2530 and MSC3552.
+        # This is currently not supported in most clients.
+        caption_in_message: false
+        # Send galleries as a single event? This is not an MSC (yet).
+        beeper_galleries: false
+        # Should polls be sent using MSC3381 event types?
+        extev_polls: false
+        # Should cross-chat replies from WhatsApp be bridged? Most servers and clients don't support this.
+        cross_room_replies: false
+        # Disable generating reply fallbacks? Some extremely bad clients still rely on them,
+        # but they're being phased out and will be completely removed in the future.
+        disable_reply_fallbacks: false
+        # Maximum time for handling Matrix events. Duration strings formatted for https://pkg.go.dev/time#ParseDuration
+        # Null means there's no enforced timeout.
+        message_handling_timeout:
+            # Send an error message after this timeout, but keep waiting for the response until the deadline.
+            # This is counted from the origin_server_ts, so the warning time is consistent regardless of the source of delay.
+            # If the message is older than this when it reaches the bridge, the message won't be handled at all.
+            error_after: null
+            # Drop messages after this timeout. They may still go through if the message got sent to the servers.
+            # This is counted from the time the bridge starts handling the message.
+            deadline: 120s
+
+        # The prefix for commands. Only required in non-management rooms.
+        command_prefix: "!wa"
+
+        # Messages sent upon joining a management room.
+        # Markdown is supported. The defaults are listed below.
+        management_room_text:
+            # Sent when joining a room.
+            welcome: "Hello, I'm a WhatsApp bridge bot."
+            # Sent when joining a management room and the user is already logged in.
+            welcome_connected: "Use `help` for help."
+            # Sent when joining a management room and the user is not logged in.
+            welcome_unconnected: "Use `help` for help or `login` to log in."
+            # Optional extra text sent when joining a management room.
+            additional_help: ""
+
+        # End-to-bridge encryption support options.
+        #
+        # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
+        encryption:
+            # Allow encryption, work in group chat rooms with e2ee enabled
+            allow: false
+            # Default to encryption, force-enable encryption in all portals the bridge creates
+            # This will cause the bridge bot to be in private chats for the encryption to work properly.
+            default: false
+            # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
+            appservice: false
+            # Require encryption, drop any unencrypted messages.
+            require: false
+            # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
+            # You must use a client that supports requesting keys from other users to use this feature.
+            allow_key_sharing: false
+            # Should users mentions be in the event wire content to enable the server to send push notifications?
+            plaintext_mentions: false
+            # Options for deleting megolm sessions from the bridge.
+            delete_keys:
+                # Beeper-specific: delete outbound sessions when hungryserv confirms
+                # that the user has uploaded the key to key backup.
+                delete_outbound_on_ack: false
+                # Don't store outbound sessions in the inbound table.
+                dont_store_outbound: false
+                # Ratchet megolm sessions forward after decrypting messages.
+                ratchet_on_decrypt: false
+                # Delete fully used keys (index >= max_messages) after decrypting messages.
+                delete_fully_used_on_decrypt: false
+                # Delete previous megolm sessions from same device when receiving a new one.
+                delete_prev_on_new_session: false
+                # Delete megolm sessions received from a device when the device is deleted.
+                delete_on_device_delete: false
+                # Periodically delete megolm sessions when 2x max_age has passed since receiving the session.
+                periodically_delete_expired: false
+                # Delete inbound megolm sessions that don't have the received_at field used for
+                # automatic ratcheting and expired session deletion. This is meant as a migration
+                # to delete old keys prior to the bridge update.
+                delete_outdated_inbound: false
+            # What level of device verification should be required from users?
+            #
+            # Valid levels:
+            #   unverified - Send keys to all device in the room.
+            #   cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys.
+            #   cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes).
+            #   cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot.
+            #                           Note that creating user signatures from the bridge bot is not currently possible.
+            #   verified - Require manual per-device verification
+            #              (currently only possible by modifying the `trust` column in the `crypto_device` database table).
+            verification_levels:
+                # Minimum level for which the bridge should send keys to when bridging messages from WhatsApp to Matrix.
+                receive: unverified
+                # Minimum level that the bridge should accept for incoming Matrix messages.
+                send: unverified
+                # Minimum level that the bridge should require for accepting key requests.
+                share: cross-signed-tofu
+            # Options for Megolm room key rotation. These options allow you to
+            # configure the m.room.encryption event content. See:
+            # https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for
+            # more information about that event.
+            rotation:
+                # Enable custom Megolm room key rotation settings. Note that these
+                # settings will only apply to rooms created after this option is
+                # set.
+                enable_custom: false
+                # The maximum number of milliseconds a session should be used
+                # before changing it. The Matrix spec recommends 604800000 (a week)
+                # as the default.
+                milliseconds: 604800000
+                # The maximum number of messages that should be sent with a given a
+                # session before changing it. The Matrix spec recommends 100 as the
+                # default.
+                messages: 100
+
+                # Disable rotating keys when a user's devices change?
+                # You should not enable this option unless you understand all the implications.
+                disable_device_change_key_rotation: false
+
+        # Settings for provisioning API
+        provisioning:
+            # Prefix for the provisioning API paths.
+            prefix: /_matrix/provision
+            # Shared secret for authentication. If set to "generate", a random secret will be generated,
+            # or if set to "disable", the provisioning API will be disabled.
+            shared_secret: generate
+            # Enable debug API at /debug with provisioning authentication.
+            debug_endpoints: false
+
+        # Permissions for using the bridge.
+        # Permitted values:
+        #    relay - Talk through the relaybot (if enabled), no access otherwise
+        #     user - Access to use the bridge to chat with a WhatsApp account.
+        #    admin - User level and some additional administration tools
+        # Permitted keys:
+        #        * - All Matrix users
+        #   domain - All users on that homeserver
+        #     mxid - Specific user
+        permissions:
+            "*": relay
+            "example.com": user
+            "@admin:example.com": admin
+
+        # Settings for relay mode
+        relay:
+            # Whether relay mode should be allowed. If allowed, `!wa set-relay` can be used to turn any
+            # authenticated user into a relaybot for that chat.
+            enabled: false
+            # Should only admins be allowed to set themselves as relay users?
+            admin_only: true
+            # The formats to use when sending messages to WhatsApp via the relaybot.
+            message_formats:
+                m.text: "<b>{{ .Sender.Displayname }}</b>: {{ .Message }}"
+                m.notice: "<b>{{ .Sender.Displayname }}</b>: {{ .Message }}"
+                m.emote: "* <b>{{ .Sender.Displayname }}</b> {{ .Message }}"
+                m.file: "<b>{{ .Sender.Displayname }}</b> sent a file"
+                m.image: "<b>{{ .Sender.Displayname }}</b> sent an image"
+                m.audio: "<b>{{ .Sender.Displayname }}</b> sent an audio file"
+                m.video: "<b>{{ .Sender.Displayname }}</b> sent a video"
+                m.location: "<b>{{ .Sender.Displayname }}</b> sent a location"
+
+    # Logging config. See https://github.com/tulir/zeroconfig for details.
+    logging:
+        min_level: debug
+        writers:
+        - type: stdout
+          format: pretty-colored
+        - type: file
+          format: json
+          filename: ./logs/mautrix-whatsapp.log
+          max_size: 100
+          max_backups: 10
+          compress: true
+
+  # registration.yml contents
+  existingRegistrationSecret: ""
+  registration:
+    rate_limited: false
+    sender_localpart: whatsappbridgebot

charts/outline/Chart.yaml

@@ -0,0 +1,18 @@
+apiVersion: v2
+name: outline
+version: 0.4.0
+description: Chart for Outline wiki
+keywords:
+  - wiki
+  - documentation
+sources:
+  - https://github.com/outline/outline
+  - https://github.com/bitnami/charts/tree/main/bitnami/redis
+maintainers:
+  - name: alexlebens
+icon: https://avatars.githubusercontent.com/u/1765001?s=48&v=4
+dependencies:
+  - name: redis
+    repository: https://charts.bitnami.com/bitnami
+    version: 19.1.0
+appVersion: v0.75.2

charts/outline/README.md

@@ -0,0 +1,17 @@
+## Introduction
+
+[Outline](https://github.com/outline/outline)
+
+The fastest knowledge base for growing teams. Beautiful, realtime collaborative, feature packed, and markdown compatible.
+
+This chart bootstraps an [Outline](https://github.com/outline/outline) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+## Prerequisites
+
+- Kubernetes
+- Helm
+- Bitnami Redis Chart
+
+## Parameters
+
+See the [values files](values.yaml).

charts/outline/templates/deployment.yaml

@@ -0,0 +1,210 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: outline
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: outline
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: outline
+spec:
+  revisionHistoryLimit: 3
+  replicas: {{ .Values.deployment.replicas }}
+  strategy:
+    type: {{ .Values.deployment.strategy }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: outline
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: outline
+        app.kubernetes.io/instance: {{ .Release.Name }}
+    spec:
+      serviceAccountName: outline
+      automountServiceAccountToken: true
+      containers:
+        - name: {{ .Release.Name }}
+          image: "{{ .Values.deployment.image.repository }}:{{ .Values.deployment.image.tag }}"
+          imagePullPolicy: {{ .Values.deployment.image.imagePullPolicy }}
+          ports:
+            - name: web
+              containerPort: {{ .Values.service.web.port }}
+              protocol: TCP
+          env:
+            - name: NODE_ENV
+              value: "{{ .Values.outline.nodeEnv }}"
+            - name: URL
+              value: "{{ .Values.outline.url }}"
+            - name: PORT
+              value: "{{ .Values.service.web.port }}"
+            - name: SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.outline.secretKey.existingSecretName }}"
+                  key: "{{ .Values.outline.secretKey.existingSecretKey }}"
+            - name: UTILS_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.outline.utilsSecret.existingSecretName }}"
+                  key: "{{ .Values.outline.secretKey.existingSecretKey }}"
+            - name: POSTGRES_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.outline.database.usernameSecret.existingSecretName }}"
+                  key: "{{ .Values.outline.database.usernameSecret.existingSecretKey }}"                  
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.outline.database.passwordSecret.existingSecretName }}"
+                  key: "{{ .Values.outline.database.passwordSecret.existingSecretKey }}"
+            - name: POSTGRES_DATABASE_NAME
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.outline.database.databaseName.existingSecretName }}"
+                  key: "{{ .Values.outline.database.databaseName.existingSecretKey }}"
+            - name: POSTGRES_DATABASE_HOST
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.outline.database.databaseHost.existingSecretName }}"
+                  key: "{{ .Values.outline.database.databaseHost.existingSecretKey }}"
+            - name: POSTGRES_DATABASE_PORT
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.outline.database.databasePort.existingSecretName }}"
+                  key: "{{ .Values.outline.database.databasePort.existingSecretKey }}"                  
+            - name: DATABASE_URL
+              value: "postgres://$(POSTGRES_USERNAME):$(POSTGRES_PASSWORD)@$(POSTGRES_DATABASE_HOST):$(POSTGRES_DATABASE_PORT)/$(POSTGRES_DATABASE_NAME)"
+            - name: DATABASE_URL_TEST
+              value: "postgres://$(POSTGRES_USERNAME):$(POSTGRES_PASSWORD)@$(POSTGRES_DATABASE_HOST):$(POSTGRES_DATABASE_PORT)/$(POSTGRES_DATABASE_NAME)-test"
+            - name: DATABASE_CONNECTION_POOL_MIN
+              value: "{{ .Values.outline.database.connectionPoolMin }}"
+            - name: DATABASE_CONNECTION_POOL_MAX
+              value: "{{ .Values.outline.database.connectionPoolMax }}"
+            - name: PGSSLMODE
+              value: "{{ .Values.outline.database.sslMode }}"
+            - name: REDIS_URL
+              value: "redis://{{ .Release.Name }}-redis-master:6379"
+            - name: FILE_STORAGE
+              value: "{{ .Values.persistence.type }}"
+
+          {{- if eq .Values.persistence.type "s3" }}
+            - name: AWS_ACCESS_KEY_ID
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.persistence.s3.credentialsSecret }}"
+                  key: AWS_ACCESS_KEY_ID
+            - name: AWS_SECRET_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.persistence.s3.credentialsSecret }}"
+                  key: AWS_SECRET_ACCESS_KEY
+          {{- if .Values.persistence.s3.endpointConfigMap.enabled }}
+            - name: AWS_REGION
+              valueFrom:
+                configMapKeyRef:
+                  name: "{{ .Values.persistence.s3.endpointConfigMap.name }}"
+                  key: BUCKET_REGION
+            - name: AWS_S3_UPLOAD_BUCKET_NAME
+              valueFrom:
+                configMapKeyRef:
+                  name: "{{ .Values.persistence.s3.endpointConfigMap.name }}"
+                  key: BUCKET_NAME
+            - name: AWS_S3_UPLOAD_BUCKET_HOST
+              valueFrom:
+                configMapKeyRef:
+                  name: "{{ .Values.persistence.s3.endpointConfigMap.name }}"
+                  key: BUCKET_HOST
+            - name: AWS_S3_UPLOAD_BUCKET_PORT
+              valueFrom:
+                configMapKeyRef:
+                  name: "{{ .Values.persistence.s3.endpointConfigMap.name }}"
+                  key: BUCKET_PORT
+            - name: AWS_S3_UPLOAD_BUCKET_URL
+              value: "{{ .Values.persistence.s3.urlProtocol }}://$(AWS_S3_UPLOAD_BUCKET_NAME).$(AWS_S3_UPLOAD_BUCKET_HOST):$(AWS_S3_UPLOAD_BUCKET_PORT)"
+            - name: AWS_S3_ACCELERATE_URL
+              value: "{{ .Values.persistence.s3.urlProtocol }}://$(AWS_S3_UPLOAD_BUCKET_NAME).$(AWS_S3_UPLOAD_BUCKET_HOST):$(AWS_S3_UPLOAD_BUCKET_PORT)"         
+          {{- else }}
+            - name: AWS_REGION
+              value: "{{ .Values.persistence.s3.region }}"
+            - name: AWS_S3_UPLOAD_BUCKET_NAME
+              value: "{{ .Values.persistence.s3.bucketName }}"
+            - name: AWS_S3_UPLOAD_BUCKET_URL
+              value: "{{ .Values.persistence.s3.urlProtocol }}://{{ .Values.persistence.s3.bucketName }}.{{ .Values.persistence.s3.host }}"
+            - name: AWS_S3_ACCELERATE_URL
+              value: "{{ .Values.persistence.s3.urlProtocol }}://{{ .Values.persistence.s3.bucketName }}.{{ .Values.persistence.s3.host }}"              
+          {{- end }}
+            - name: AWS_S3_FORCE_PATH_STYLE
+              value: "{{ .Values.persistence.s3.forcePathStyle }}"
+            - name: AWS_S3_ACL
+              value: "{{ .Values.persistence.s3.acl }}"
+            - name: FILE_STORAGE_UPLOAD_MAX_SIZE
+              value: "{{ .Values.persistence.s3.uploadMaxSize }}"
+          {{- else if eq .Values.persistence.type "local" }}
+            - name: FILE_STORAGE_LOCAL_ROOT_DIR
+              value: "{{ .Values.persistence.local.localRootDir }}"
+            - name: FILE_STORAGE_UPLOAD_MAX_SIZE
+              value: "{{ .Values.persistence.local.uploadMaxSize }}"
+          {{- end }}
+
+            - name: FORCE_HTTPS
+              value: "{{ .Values.outline.optional.forceHttps }}"
+            - name: ENABLE_UPDATES
+              value: "{{ .Values.outline.optional.enableUpdates }}"
+            - name: WEB_CONCURRENCY
+              value: "{{ .Values.outline.optional.webConcurrency }}"
+            - name: FILE_STORAGE_IMPORT_MAX_SIZE
+              value: "{{ .Values.outline.optional.maximumImportSize }}"
+            - name: LOG_LEVEL
+              value: "{{ .Values.outline.optional.logLevel }}"
+            - name: DEFAULT_LANGUAGE
+              value: "{{ .Values.outline.optional.defaultLanguage }}"
+            - name: RATE_LIMITER_ENABLED
+              value: "{{ .Values.outline.optional.rateLimiter.enabled }}"
+            - name: RATE_LIMITER_REQUESTS
+              value: "{{ .Values.outline.optional.rateLimiter.requests }}"
+            - name: RATE_LIMITER_DURATION_WINDOW
+              value: "{{ .Values.outline.optional.rateLimiter.durationWindow }}"
+            - name: DEVELOPMENT_UNSAFE_INLINE_CSP
+              value: "{{ .Values.outline.optional.developmentUnsafeInlineCsp }}"
+
+          {{- if .Values.outline.auth.oidc.enabled }}
+            - name: OIDC_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.outline.auth.oidc.clientId.existingSecretName }}"
+                  key: "{{ .Values.outline.auth.oidc.clientId.existingSecretKey }}"
+            - name: OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.outline.auth.oidc.clientSecret.existingSecretName }}"
+                  key: "{{ .Values.outline.auth.oidc.clientSecret.existingSecretKey }}"
+            - name: OIDC_AUTH_URI
+              value: "{{ .Values.outline.auth.oidc.authUri }}"
+            - name: OIDC_TOKEN_URI
+              value: "{{ .Values.outline.auth.oidc.tokenUri }}"
+            - name: OIDC_USERINFO_URI
+              value: "{{ .Values.outline.auth.oidc.userinfoUri }}"
+            - name: OIDC_USERNAME_CLAIM
+              value: "{{ .Values.outline.auth.oidc.usernameClaim }}"
+            - name: OIDC_DISPLAY_NAME
+              value: "{{ .Values.outline.auth.oidc.displayName }}"
+            - name: OIDC_SCOPES
+              value: "{{ .Values.outline.auth.oidc.scopes }}"
+          {{- end }}
+
+          resources:
+            {{- toYaml .Values.deployment.resources | nindent 12 }}
+
+      {{- if eq .Values.persistence.type "local" }}
+          volumeMounts:
+          - name: "{{ .Release.Name }}-volume-claim"
+            mountPath: {{ .Values.persistence.local.localRootDir }}
+      volumes:
+      - name: "{{ .Release.Name }}-volume-claim"
+        persistentVolumeClaim:
+          claimName: "{{ .Release.Name }}-volume-claim"
+      {{- end }}

charts/outline/templates/ingress.yaml

@@ -0,0 +1,32 @@
+{{- if .Values.ingress.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ .Release.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+  annotations:
+    {{- toYaml .Values.ingress.annotations | nindent 4 }}
+spec:
+  ingressClassName: {{ .Values.ingress.className }}
+  tls:
+    - hosts:
+      - {{ .Values.ingress.host }}
+      secretName: {{ .Release.Name }}-secret-tls
+  rules:
+    - host: {{ .Values.ingress.host }}
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ .Release.Name }}
+                port:
+                  name: web
+{{- end }}

charts/outline/templates/persistent-volume-claim.yaml

@@ -0,0 +1,20 @@
+{{- if eq .Values.persistence.type "local" }}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: {{ .Release.Name }}-volume-claim
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: outline
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: storage
+    app.kubernetes.io/part-of: outline
+spec:
+  storageClassName: {{ .Values.persistence.local.storageClassName }}
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: {{ .Values.persistence.local.storageSize }}
+{{- end }}

charts/outline/templates/service-account.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: outline
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: outline
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: outline