Migrate Element/Matrix from Ansible to Helm/ArgoCD (#1556)

Migrate Element/Matrix from Ansible to Helm/ArgoCD

Summary
Replaces the legacy Ansible-managed Matrix/Synapse deployment with a fully declarative Helm chart deployment managed by ArgoCD. Migrates the existing matrix.otc-service.com instance (users, rooms, message history) from the old cluster (otcinfra) to the new cluster (otcinfra2).
Changes
Added — Helm Charts

Upstream Element chart (upstream/element/): Wraps matrix-stack v26.2.3 from oci://ghcr.io/element-hq/ess-helm, deploying:

Synapse v1.125.0 with external PostgreSQL RDS (SSL verify-ca)
Element Web v1.11.86 (dark theme, branded "OTC Chat")
MatrixRTC with LiveKit SFU v1.9.1 (forced TCP for OTC security group compatibility)
Well-Known delegation with base domain redirect
HAProxy + Redis


Local Element chart (local/element/): Supplementary templates for:

Element Call deployment with LiveKit integration
SFU TCP LoadBalancer service (workaround for OTC ELB PreferDualStack incompatibility)
Matrix media PersistentVolume (SFS Turbo NFS)
Vault-injected secrets (signing key, registration secret, DB credentials, SSL CA)
Init DB job for database bootstrapping


Maubot Kustomize (kustomize/maubot/): Standalone Maubot deployment with prod overlay

Removed — Ansible Roles & Playbooks

playbooks/roles/matrix/ (8 files, ~3200 lines): Synapse K8s role with homeserver.yaml.j2 template
playbooks/roles/maubot/ (5 files, ~340 lines): Maubot K8s role with config template
playbooks/service-matrix.yaml
playbooks/service-maubot.yaml

Key Configuration



Component
Value




Server name
matrix.otc-service.com (preserved from legacy)


Authentication
Zitadel OIDC SSO (allow_existing_users: true)


Images
All mirrored to quay.io/opentelekomcloud/


TLS
cert-manager with letsencrypt-prod ClusterIssuer


WebRTC
ICE forced to TCP  — OTC SG blocks UDP


Database
External RDS with SSL verify-ca



Migration Details

Database dump/restore from old PostgreSQL  to new RDS
DNS records updated: matrix, element, call, matrixrtc .otc-service.com → 80.158.58.167
Original signing key preserved to maintain federation identity
3 users, 24 rooms, 112,482 events migrated

Reviewed-by: SebastianGode

Author: LukasCuperDT

kubernetes/helm_charts/local/element/Chart.yaml

@@ -0,0 +1,4 @@
+apiVersion: v2
+name: element-additional-manifests
+description: Additional manifests for Element (Matrix) deployment - secrets, PV/PVC, Element Call
+version: 0.1.0

kubernetes/helm_charts/local/element/templates/element-call.yaml

@@ -0,0 +1,141 @@
+{{- if .Values.elementCall.enabled }}
+{{- /*
+  Element Call — Standalone video/voice calling frontend.
+
+  This deploys the Element Call web application at call.otc-service.com.
+  It provides a dedicated URL for video conferencing without needing
+  the full Element Web chat client.
+
+  Element Call is also available as a built-in widget in Element Web —
+  this standalone deployment is optional but useful for sharing call links
+  with external users.
+*/ -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: element-call-config
+  labels:
+    app.kubernetes.io/name: element-call
+data:
+  config.json: |
+    {
+      "default_server_config": {
+        "m.homeserver": {
+          "base_url": "https://{{ .Values.elementCall.homeserverHost | default "matrix.otc-service.com" }}",
+          "server_name": "{{ .Values.elementCall.homeserverHost | default "matrix.otc-service.com" }}"
+        }
+      },
+      "livekit": {
+        "livekit_service_url": "https://{{ .Values.elementCall.livekitHost | default "matrixrtc.otc-service.com" }}/sfu/get"
+      }
+    }
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: element-call
+  labels:
+    app.kubernetes.io/name: element-call
+    app.kubernetes.io/component: frontend
+spec:
+  replicas: {{ .Values.elementCall.replicas | default 1 }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: element-call
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: element-call
+    spec:
+      imagePullSecrets:
+        - name: quay-pull-secret
+      containers:
+        - name: element-call
+          image: {{ .Values.elementCall.image | default "quay.io/opentelekomcloud/element-call:v0.17.0" }}
+          imagePullPolicy: IfNotPresent
+          ports:
+            - name: http
+              containerPort: 8080
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          resources:
+            requests:
+              cpu: 50m
+              memory: 64Mi
+            limits:
+              memory: 128Mi
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+                - ALL
+          volumeMounts:
+            - name: tmp
+              mountPath: /tmp
+            - name: config
+              mountPath: /app/config.json
+              subPath: config.json
+              readOnly: true
+      volumes:
+        - name: tmp
+          emptyDir: {}
+        - name: config
+          configMap:
+            name: element-call-config
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: element-call
+  labels:
+    app.kubernetes.io/name: element-call
+spec:
+  type: ClusterIP
+  ports:
+    - name: http
+      port: 8080
+      targetPort: http
+      protocol: TCP
+  selector:
+    app.kubernetes.io/name: element-call
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: element-call
+  labels:
+    app.kubernetes.io/name: element-call
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    cert-manager.io/duration: "8760h"
+    cert-manager.io/renew-before: "720h"
+spec:
+  ingressClassName: nginx
+  tls:
+    - hosts:
+        - {{ .Values.elementCall.host | default "call.otc-service.com" }}
+      secretName: element-call-tls
+  rules:
+    - host: {{ .Values.elementCall.host | default "call.otc-service.com" }}
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: element-call
+                port:
+                  number: 8080
+{{- end }}

kubernetes/helm_charts/local/element/templates/init-db-job.yaml

@@ -0,0 +1,60 @@
+{{- /*
+  One-shot Job: creates the "synapse" database on the external RDS instance
+  if it does not already exist.  Runs before Synapse starts (via helm hook).
+
+  Credentials come from the same AVP-injected secrets used by Synapse.
+*/ -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: init-synapse-db
+  labels:
+    app.kubernetes.io/name: matrix
+    app.kubernetes.io/component: init-db
+  annotations:
+    argocd.argoproj.io/hook: PreSync
+    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+spec:
+  backoffLimit: 4
+  ttlSecondsAfterFinished: 300
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: matrix
+        app.kubernetes.io/component: init-db
+    spec:
+      restartPolicy: OnFailure
+      imagePullSecrets:
+        - name: quay-pull-secret
+      containers:
+        - name: init-db
+          image: postgres:16-alpine
+          env:
+            - name: PGHOST
+              value: "192.168.14.3"
+            - name: PGPORT
+              value: "5432"
+            - name: PGUSER
+              value: "<path:secret/data/postgres/element/admin#postgres-username>"
+            - name: PGPASSWORD
+              value: "<path:secret/data/postgres/element/admin#postgres-password>"
+            - name: PGSSLMODE
+              value: "require"
+          command:
+            - /bin/sh
+            - -ec
+            - |
+              echo "Checking if database 'synapse' exists..."
+              if psql -d postgres -tc "SELECT 1 FROM pg_database WHERE datname = 'synapse'" | grep -q 1; then
+                echo "Database 'synapse' already exists — skipping."
+              else
+                echo "Creating database 'synapse' with UTF8/C locale..."
+                psql -d postgres -c "CREATE DATABASE synapse ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' TEMPLATE=template0;"
+                echo "Database 'synapse' created successfully."
+              fi
+          resources:
+            requests:
+              cpu: 50m
+              memory: 32Mi
+            limits:
+              memory: 64Mi

kubernetes/helm_charts/local/element/templates/matrix-media-pv.yaml

@@ -0,0 +1,45 @@
+{{- /*
+  NFS PersistentVolume for Synapse media store.
+  Uses existing SFS Turbo NFS share at 192.168.171.186.
+  This PV is referenced by the PVC "matrix-media-pvc" which Synapse uses
+  via synapse.media.storage.existingClaim.
+*/ -}}
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: matrix-nfs
+  labels:
+    app.kubernetes.io/name: matrix
+    app.kubernetes.io/component: media-storage
+spec:
+  capacity:
+    storage: {{ .Values.mediaStorage.capacity | default "500Gi" | quote }}
+  accessModes:
+    - ReadWriteMany
+  mountOptions:
+    - vers=3
+    - nolock
+    - noresvport
+    - timeo=600
+    - tcp
+  nfs:
+    server: {{ .Values.mediaStorage.nfs.server | quote }}
+    path: {{ .Values.mediaStorage.nfs.path | quote }}
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: {{ .Values.mediaStorage.storageClassName | default "csi-sfsturbo-retain" | quote }}
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: matrix-media-pvc
+  labels:
+    app.kubernetes.io/name: matrix
+    app.kubernetes.io/component: media-storage
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: {{ .Values.mediaStorage.capacity | default "500Gi" | quote }}
+  volumeName: matrix-nfs
+  storageClassName: {{ .Values.mediaStorage.storageClassName | default "csi-sfsturbo-retain" | quote }}

kubernetes/helm_charts/local/element/templates/matrix-secrets.yaml

@@ -0,0 +1,54 @@
+{{- /*
+  Kubernetes Secrets for the Matrix Stack.
+  Values are injected by ArgoCD Vault Plugin (AVP) from HashiCorp Vault.
+
+  Vault paths:
+    secret/postgres/element/admin  -> postgres-username, postgres-password
+    secret/postgres/ca              -> cert (RDS CA certificate)
+    secret/element/synapse          -> signing-key, registration-shared-secret,
+                                       macaroon-secret-key, form-secret
+*/ -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: matrix-secrets
+  labels:
+    app.kubernetes.io/name: matrix
+    app.kubernetes.io/component: synapse
+type: Opaque
+stringData:
+  # -- Synapse signing key (full ed25519 key)
+  signing-key: "<path:secret/data/element/synapse#signing-key>"
+
+  # -- Registration shared secret
+  registration-shared-secret: "<path:secret/data/element/synapse#registration-shared-secret>"
+
+  # -- Macaroon secret key
+  macaroon-secret-key: "<path:secret/data/element/synapse#macaroon-secret-key>"
+
+  # -- Form secret
+  form-secret: "<path:secret/data/element/synapse#form-secret>"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: matrix-db-credentials
+  labels:
+    app.kubernetes.io/name: matrix
+    app.kubernetes.io/component: database
+type: Opaque
+stringData:
+  # -- PostgreSQL password for synapse user (from RDS)
+  password: "<path:secret/data/postgres/element/admin#postgres-password>"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: matrix-db-ssl-ca-crt
+  labels:
+    app.kubernetes.io/name: matrix
+    app.kubernetes.io/component: database
+type: Opaque
+stringData:
+  # -- RDS CA certificate for SSL connections
+  ca.crt: "<path:secret/data/postgres/ca#cert>"

kubernetes/helm_charts/local/element/templates/sfu-tcp-service.yaml

@@ -0,0 +1,42 @@
+{{/*
+  SFU TCP LoadBalancer Service
+  ----------------------------
+  Managed here (not in the upstream matrix-stack chart) because OTC CCE
+  requires:
+    1. kubernetes.io/elb.id  annotation pointing to an existing union ELB
+    2. ipFamilyPolicy: SingleStack (union ELBs reject IPv6 / DualStack)
+
+  The upstream chart hard-codes ipFamilyPolicy: PreferDualStack, so we
+  disable its rtcTcp service and provide our own.
+*/}}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Release.Name }}-matrix-rtc-sfu-tcp
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/component: matrix-rtc-voip-server
+    app.kubernetes.io/instance: {{ .Release.Name }}-matrix-rtc-sfu-rtc
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: matrix-rtc-sfu-rtc
+    app.kubernetes.io/part-of: matrix-stack
+  annotations:
+    # Share the existing ingress-nginx ELB (80.158.58.167)
+    kubernetes.io/elb.id: "510d12e5-a578-46e5-acb0-32bc0ffcb04c"
+    kubernetes.io/elb.class: union
+    kubernetes.io/elb.pass-through: onlyLocal
+spec:
+  type: LoadBalancer
+  externalTrafficPolicy: Local
+  # OTC union ELBs do not support IPv6 — must be SingleStack IPv4
+  ipFamilyPolicy: SingleStack
+  ipFamilies:
+    - IPv4
+  selector:
+    app.kubernetes.io/instance: {{ .Values.sfuReleaseName }}-matrix-rtc-sfu
+  ports:
+    - name: rtc-tcp
+      port: 30881
+      targetPort: 30881
+      protocol: TCP
+      nodePort: 30881

kubernetes/helm_charts/local/element/values-prod.yaml

@@ -0,0 +1,23 @@
+# -- Element Call standalone frontend deployment
+# Element Call is already available as a widget inside Element Web.
+# Enable this only if you want a dedicated call.otc-service.com URL
+# for standalone video conferencing (without the full chat client).
+elementCall:
+  enabled: true
+  image: quay.io/opentelekomcloud/element-call:v0.17.0
+  replicas: 1
+  host: call.otc-service.com
+
+# -- Upstream chart release name (needed for cross-chart service selectors)
+# The SFU TCP LoadBalancer service lives in this (local) chart but must
+# select pods deployed by the upstream chart, which has a different
+# Helm release name.
+sfuReleaseName: element-otcinfra2
+
+# -- NFS PersistentVolume for Synapse media store
+mediaStorage:
+  nfs:
+    server: "192.168.171.186"
+    path: "/"
+  capacity: "500Gi"
+  storageClassName: "csi-sfsturbo-retain"

kubernetes/helm_charts/upstream/element/Chart.yaml

@@ -0,0 +1,12 @@
+apiVersion: v2
+name: element
+description: >-
+  Wrapper chart for Element's matrix-stack (ESS Community).
+  Deploys Synapse, Element Web, MatrixRTC (LiveKit + lk-jwt-service),
+  Well-Known Delegation, HAProxy, and optionally MAS and PostgreSQL.
+version: 0.1.0
+
+dependencies:
+  - name: matrix-stack
+    version: "26.2.3"
+    repository: "oci://ghcr.io/element-hq/ess-helm"