element-hq · benbz · Jun 16, 2025 · Jun 13, 2025 · Jun 13, 2025
@@ -11,6 +11,7 @@ replicas: 1
 {{- sub_schema_values.labels() }}
 {{- sub_schema_values.workloadAnnotations() }}
 {{- sub_schema_values.containersSecurityContext() }}
+{{- sub_schema_values.extraEnv() }}
 {{- sub_schema_values.nodeSelector() }}
 {{- sub_schema_values.podSecurityContext(user_id='10001', group_id='10001') }}
 {{- sub_schema_values.resources(requests_memory='100Mi', requests_cpu='100m', limits_memory='200Mi') }}

@@ -17,14 +17,13 @@ enabled: true
   {#- We set `initSecret=false` because we are describing the mechanism in the comment parameter #}
   {{- sub_schema_values.credential("The secret for the LiveKit SFU.\n## This is required if `sfu.enabled` and `keysYaml` is not used. It will be generated by the `initSecrets` job if it is empty", "secret", initIfAbsent=False, commented=True) | indent(2) }}
 
-{{- sub_schema_values.ingress() -}}
-{{- sub_schema_values.extraEnv() }}
-
 replicas: 1
+{{- sub_schema_values.ingress() }}
 {{- sub_schema_values.image(registry='ghcr.io', repository='element-hq/lk-jwt-service', tag='0.2.3') }}
 {{- sub_schema_values.labels() }}
 {{- sub_schema_values.workloadAnnotations() }}
 {{- sub_schema_values.containersSecurityContext() }}
+{{- sub_schema_values.extraEnv() }}
 {{- sub_schema_values.nodeSelector() }}
 {{- sub_schema_values.podSecurityContext(user_id='10033', group_id='10033') }}
 {{- sub_schema_values.resources(requests_memory='20Mi', requests_cpu='50m', limits_memory='20Mi') }}

@@ -68,6 +68,7 @@ syn2mas:
   {{- sub_schema_values.podSecurityContext(user_id='10005', group_id='10005') | indent(2) -}}
   {{- sub_schema_values.resources(requests_memory='50Mi', requests_cpu='50m', limits_memory='350Mi') | indent(2) -}}
   {{- sub_schema_values.serviceAccount() | indent(2) -}}
+  {{- sub_schema_values.extraEnv() | indent(2) -}}
   {{- sub_schema_values.tolerations() | indent(2) }}
 
   ## Runs the syn2mas process in dryRun mode.

@@ -8,7 +8,8 @@ enabled: true
 postgresExporter:
   {{- sub_schema_values.image(registry='docker.io', repository='prometheuscommunity/postgres-exporter', tag='v0.17.0') | indent(2) }}
   {{- sub_schema_values.resources(requests_memory='10Mi', requests_cpu='10m', limits_memory='500Mi')| indent(2) }}
-  {{- sub_schema_values.containersSecurityContext()| indent(2) }}
+  {{- sub_schema_values.containersSecurityContext() | indent(2) }}
+  {{- sub_schema_values.extraEnv() | indent(2) }}
   {{- sub_schema_values.probe("liveness", periodSeconds=6, timeoutSeconds=2) | indent(2) }}
   {{- sub_schema_values.probe("readiness", periodSeconds=2, successThreshold=2, timeoutSeconds=2) | indent(2) }}
   {{- sub_schema_values.probe("startup", failureThreshold=20, periodSeconds=2) | indent(2) }}

@@ -77,19 +77,11 @@ app.kubernetes.io/version: {{ include "element-io.ess-library.labels.makeSafe" $
 {{- end }}
 {{- end }}
 
-{{- define "element-io.deployment-markers.env" }}
+{{- define "element-io.deployment-markers.overrideEnv" }}
 {{- $root := .root -}}
-{{- with required "element-io.deployment-markers.env missing context" .context -}}
-{{- $resultEnv := dict -}}
-{{- range $envEntry := .extraEnv -}}
-{{- $_ := set $resultEnv $envEntry.name $envEntry.value -}}
-{{- end -}}
-{{- $overrideEnv := dict "NAMESPACE" $root.Release.Namespace
--}}
-{{- $resultEnv := mustMergeOverwrite $resultEnv $overrideEnv -}}
-{{- range $key, $value := $resultEnv }}
-- name: {{ $key | quote }}
-  value: {{ $value | quote }}
-{{- end -}}
+{{- with required "element-io.deployment-markers.overrideEnv missing context" .context -}}
+env:
+- name: "NAMESPACE"
+  value: {{ $root.Release.Namespace | quote }}
 {{- end -}}
 {{- end -}}
@@ -57,8 +57,7 @@ spec:
         resources:
           {{- toYaml . | nindent 10 }}
 {{- end }}
-        env:
-        {{- include "element-io.deployment-markers.env" (dict "root" $ "context" .) | nindent 8 }}
+        {{- include "element-io.ess-library.pods.env" (dict "root" $ "context" (dict "componentValues" . "componentName" "deployment-markers")) | nindent 8 }}
         command:
         - "/matrix-tools"
         - "deployment-markers"

@@ -26,24 +26,18 @@ app.kubernetes.io/version: {{ include "element-io.ess-library.labels.makeSafe" .
 {{- end }}
 {{- end }}
 
-{{- define "element-io.element-web.env" -}}
+{{- define "element-io.element-web.overrideEnv" -}}
 {{- $root := .root -}}
-{{- with required "element-io.element-web.env missing context" .context -}}
-{{- $resultEnv := dict -}}
+{{- with required "element-io.element-web.overrideEnv missing context" .context -}}
 {{- /*
 https://github.com/nginxinc/docker-nginx/blob/1.26.1/entrypoint/20-envsubst-on-templates.sh#L31-L45
 If pods run with a GID of 0 this makes $output_dir to appear writable to sh, however
 due to running with a read-only FS the actual writing later fails. We short circuit this by using an
 invalid template directory and so templating as a whole is skipped by the script
 */ -}}
-{{- $_ := set $resultEnv "NGINX_ENVSUBST_TEMPLATE_DIR" "/non-existant-so-that-this-works-with-read-only-root-filesystem" -}}
-{{- range $envEntry := .extraEnv -}}
-{{- $_ := set $resultEnv $envEntry.name $envEntry.value -}}
-{{- end -}}
-{{- range $key, $value := $resultEnv }}
-- name: {{ $key | quote }}
-  value: {{ $value | quote }}
-{{- end -}}
+env:
+- name: "NGINX_ENVSUBST_TEMPLATE_DIR"
+  value: "/non-existant-so-that-this-works-with-read-only-root-filesystem"
 {{- end -}}
 {{- end -}}
 

@@ -43,8 +43,7 @@ spec:
         imagePullPolicy: {{ .pullPolicy | default "Always" }}
 {{- end }}
 {{- end }}
-        env:
-        {{- include "element-io.element-web.env" (dict "root" $ "context" .) | nindent 10 }}
+        {{- include "element-io.ess-library.pods.env" (dict "root" $ "context" (dict "componentValues" . "componentName" "element-web")) | nindent 8 }}
 {{- with .containersSecurityContext }}
         securityContext:
           {{- toYaml . | nindent 10 }}

@@ -118,3 +118,27 @@ successThreshold: {{ . }}
 timeoutSeconds: {{ . }}
 {{- end }}
 {{- end }}
+
+{{- define "element-io.ess-library.pods.env" -}}
+{{- $root := .root -}}
+{{- with required "element-io.ess-library.pods.env missing context" .context -}}
+{{- $componentValues := required "element-io.ess-library.pods.env missing context.componentValues" .componentValues -}}
+{{- $resultEnv := dict -}}
+{{- range $envEntry := $componentValues.extraEnv -}}
+{{- $_ := set $resultEnv $envEntry.name $envEntry -}}
+{{- end -}}
+{{- $componentName := required "element-io.ess-library.pods.env missing context.componentName" .componentName -}}
+{{- $overrideEnvType := .overrideEnvSuffix | default "overrideEnv" -}}
+{{- $overrideEnvDocument := include (printf "element-io.%s.%s" $componentName $overrideEnvType) (dict "root" $root "context" $componentValues) -}}
+{{- $overrideEnvYaml := $overrideEnvDocument | fromYaml -}}
+{{- range $envEntry := $overrideEnvYaml.env -}}
+{{- $_ := set $resultEnv $envEntry.name $envEntry -}}
+{{- end -}}
+{{- with $resultEnv }}
+env:
+{{- range $key, $fullEnvEntry := . }}
+- {{ $fullEnvEntry | toYaml | indent 2 | trim }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
@@ -53,9 +53,7 @@ SPDX-License-Identifier: AGPL-3.0-only
     {{- range $overrides }}
   - /config-templates/{{ . }}
     {{- end }}
-  env:
-  {{- include (printf "element-io.%s.matrixToolsEnv" $nameSuffix) (dict "root" $root "context" .) | nindent 2 }}
-  {{- include (printf "element-io.%s.env" $nameSuffix) (dict "root" $root "context" .) | nindent 2 }}
+  {{- include "element-io.ess-library.pods.env" (dict "root" $root "context" (dict "componentValues" . "componentName" $nameSuffix "overrideEnvSuffix" "renderConfigOverrideEnv")) | nindent 2 }}
 {{- with .resources }}
   resources:
     {{- toYaml . | nindent 4 }}

@@ -1,5 +1,5 @@
 {{- /*
-Copyright 2024 New Vector Ltd
+Copyright 2024-2025 New Vector Ltd
 
 SPDX-License-Identifier: AGPL-3.0-only
 */ -}}
@@ -24,3 +24,7 @@ haproxy.cfg: |
 {{- (tpl ($root.Files.Get "configs/haproxy/429.http.tpl") dict) | nindent 2 }}
 {{- end -}}
 {{- end -}}
+
+{{- define "element-io.haproxy.overrideEnv" }}
+env: []
+{{- end -}}
@@ -63,10 +63,7 @@ spec:
         securityContext:
           {{- toYaml . | nindent 10 }}
 {{- end }}
-{{- with .extraEnv }}
-        env:
-          {{- toYaml . | nindent 10 }}
-{{- end }}
+        {{- include "element-io.ess-library.pods.env" (dict "root" $ "context" (dict "componentValues" . "componentName" "haproxy")) | nindent 8 }}
         ports:
 {{- if $.Values.synapse.enabled }}
         - containerPort: 8008

@@ -85,19 +85,11 @@ app.kubernetes.io/version: {{ include "element-io.ess-library.labels.makeSafe" $
 {{- end }}
 {{- end }}
 
-{{- define "element-io.init-secrets.env" }}
+{{- define "element-io.init-secrets.overrideEnv" }}
 {{- $root := .root -}}
-{{- with required "element-io.init-secrets.env missing context" .context -}}
-{{- $resultEnv := dict -}}
-{{- range $envEntry := .extraEnv -}}
-{{- $_ := set $resultEnv $envEntry.name $envEntry.value -}}
-{{- end -}}
-{{- $overrideEnv := dict "NAMESPACE" $root.Release.Namespace
--}}
-{{- $resultEnv := mustMergeOverwrite $resultEnv $overrideEnv -}}
-{{- range $key, $value := $resultEnv }}
-- name: {{ $key | quote }}
-  value: {{ $value | quote }}
-{{- end -}}
+{{- with required "element-io.init-secrets.overrideEnv missing context" .context -}}
+env:
+- name: "NAMESPACE"
+  value: {{ $root.Release.Namespace | quote }}
 {{- end -}}
 {{- end -}}
@@ -57,8 +57,7 @@ spec:
         resources:
           {{- toYaml . | nindent 10 }}
 {{- end }}
-        env:
-        {{- include "element-io.init-secrets.env" (dict "root" $ "context" .) | nindent 8 }}
+        {{- include "element-io.ess-library.pods.env" (dict "root" $ "context" (dict "componentValues" . "componentName" "init-secrets")) | nindent 8 }}
         command:
         - "/matrix-tools"
         - "generate-secrets"

@@ -92,20 +92,12 @@ app.kubernetes.io/version: {{ include "element-io.ess-library.labels.makeSafe" .
 {{- end }}
 {{- end }}
 
-{{- define "element-io.matrix-authentication-service.env" }}
+
+{{- define "element-io.matrix-authentication-service.overrideEnv" }}
 {{- $root := .root -}}
-{{- with required "element-io.matrix-authentication-service.env missing context" .context -}}
-{{- $resultEnv := dict -}}
-{{- range $envEntry := .extraEnv -}}
-{{- $_ := set $resultEnv $envEntry.name $envEntry.value -}}
-{{- end -}}
-{{- $overrideEnv := dict "MAS_CONFIG" "/conf/config.yaml" -}}
-{{- $resultEnv := mustMergeOverwrite $resultEnv $overrideEnv -}}
-{{- range $key, $value := $resultEnv }}
-- name: {{ $key | quote }}
-  value: {{ $value | quote }}
-{{- end -}}
-{{- end -}}
+env:
+- name: "MAS_CONFIG"
+  value: "/conf/config.yaml"
 {{- end -}}
 
 {{- /* The filesystem structure is `/secrets`/<< secret name>>/<< secret key >>.
@@ -115,9 +107,10 @@ app.kubernetes.io/version: {{ include "element-io.ess-library.labels.makeSafe" .
         These could be done as env vars with valueFrom.secretKeyRef, but that triggers CKV_K8S_35.
         Environment variables values found in the config file as ${VARNAME} are parsed through go template engine before being replaced in the target file.
 */}}
-{{- define "element-io.matrix-authentication-service.matrixToolsEnv" }}
+{{- define "element-io.matrix-authentication-service.renderConfigOverrideEnv" }}
 {{- $root := .root -}}
-{{- with required "element-io.matrix-authentication-service.matrixToolsEnv missing context" .context -}}
+{{- with required "element-io.matrix-authentication-service.renderConfigOverrideEnv missing context" .context -}}
+env:
 - name: POSTGRES_PASSWORD
   value: >-
     {{
@@ -343,11 +336,19 @@ true
 
 {{- define "element-io.syn2mas.configSecrets" -}}
 {{- $root := .root -}}
-{{- with required "element-io..matrix-authentication-service.syn2mas.configSecrets missing context" .context -}}
+{{- with required "element-io.syn2mas.configSecrets missing context" .context -}}
 {{- $masSecrets := include "element-io.matrix-authentication-service.configSecrets" (dict "root" $root "context" .masContext) | fromJsonArray }}
 {{- $synapseSecrets := include "element-io.synapse.configSecrets" (dict "root" $root "context" .synapseContext) | fromJsonArray }}
 {{- $syn2masSecrets := concat $masSecrets $synapseSecrets | uniq | sortAlpha }}
 {{- $syn2masSecrets | toJson -}}
 {{- end -}}
 {{- end -}}
 
+{{- define "element-io.syn2mas.overrideEnv" -}}
+{{- $root := .root -}}
+{{- with required "element-io.syn2mas.overrideEnv missing context" .context -}}
+env:
+- name: "NAMESPACE"
+  value: {{ $root.Release.Namespace | quote }}
+{{- end -}}
+{{- end -}}
@@ -83,8 +83,7 @@ spec:
         securityContext:
           {{- toYaml . | nindent 10 }}
 {{- end }}
-        env:
-        {{- include "element-io.matrix-authentication-service.env" (dict "root" $ "context" .) | nindent 10 }}
+        {{- include "element-io.ess-library.pods.env" (dict "root" $ "context" (dict "componentValues" . "componentName" "matrix-authentication-service")) | nindent 8 }}
 {{- with .resources }}
         resources:
           {{- toYaml . | nindent 10 }}
@@ -118,8 +117,7 @@ We don't want background jobs to get failed use up their retries because MAS has
         securityContext:
           {{- toYaml . | nindent 10 }}
 {{- end }}
-        env:
-        {{- include "element-io.matrix-authentication-service.env" (dict "root" $ "context" .) | nindent 10 }}
+        {{- include "element-io.ess-library.pods.env" (dict "root" $ "context" (dict "componentValues" . "componentName" "matrix-authentication-service")) | nindent 8 }}
         ports:
         - containerPort: 8080
           protocol: TCP

@@ -220,12 +220,7 @@ spec:
         securityContext:
           {{- toYaml . | nindent 10 }}
 {{- end }}
-        env:
-        - name: NAMESPACE
-          value: {{ $.Release.Namespace }}
-{{- with .extraEnv }}
-        {{- toYaml . | nindent 8 }}
-{{- end }}
+        {{- include "element-io.ess-library.pods.env" (dict "root" $ "context" (dict "componentValues" . "componentName" "syn2mas")) | nindent 8 }}
 {{- with .resources }}
         resources:
           {{- toYaml . | nindent 10 }}

@@ -38,40 +38,37 @@ app.kubernetes.io/version: {{ include "element-io.ess-library.labels.makeSafe" .
 {{- end }}
 
 
-{{- define "element-io.matrix-rtc-authorisation-service.env" }}
+{{- define "element-io.matrix-rtc-authorisation-service.overrideEnv" }}
 {{- $root := .root -}}
-{{- with required "element-io.matrix-rtc-authorisation-service.env missing context" .context -}}
-{{- $resultEnv := dict -}}
-{{- range $envEntry := .extraEnv -}}
-{{- $_ := set $resultEnv $envEntry.name $envEntry.value -}}
-{{- end -}}
+{{- with required "element-io.matrix-rtc-authorisation-service.overrideEnv missing context" .context -}}
+env:
 {{- if (.livekitAuth).keysYaml }}
-{{- $_ := set $resultEnv "LIVEKIT_KEY_FILE" (printf "/secrets/%s"
+- name: "LIVEKIT_KEY_FILE"
+  value: {{ printf "/secrets/%s"
       (include "element-io.ess-library.provided-secret-path" (
         dict "root" $root "context" (
           dict "secretPath" "matrixRTC.livekitAuth.keysYaml"
               "defaultSecretName" (printf "%s-matrix-rtc-authorisation-service" $root.Release.Name)
               "defaultSecretKey" "LIVEKIT_KEYS_YAML"
               )
-        ))) }}
+        )) }}
 {{- else }}
-{{- $_ := set $resultEnv "LIVEKIT_KEY" ((.livekitAuth).key | default "matrix-rtc") -}}
-{{- $_ := set $resultEnv "LIVEKIT_SECRET_FROM_FILE" (printf "/secrets/%s"
+- name: "LIVEKIT_KEY"
+  value: {{ (.livekitAuth).key | default "matrix-rtc" }}
+- name: "LIVEKIT_SECRET_FROM_FILE"
+  value: {{ printf "/secrets/%s"
       (include "element-io.ess-library.init-secret-path" (
         dict "root" $root "context" (
           dict "secretPath" "matrixRTC.livekitAuth.secret"
               "initSecretKey" "ELEMENT_CALL_LIVEKIT_SECRET"
               "defaultSecretName" (printf "%s-matrix-rtc-authorisation-service" $root.Release.Name)
               "defaultSecretKey" "LIVEKIT_SECRET"
               )
-        ))) }}
+        )) }}
 {{- end }}
-{{- if .sfu.enabled -}}
-{{- $_ := set $resultEnv "LIVEKIT_URL" (printf "wss://%s" (tpl .ingress.host $root)) -}}
-{{- end -}}
-{{- range $key, $value := $resultEnv }}
-- name: {{ $key | quote }}
-  value: {{ $value | quote }}
+{{- if .sfu.enabled }}
+- name: "LIVEKIT_URL"
+  value: {{ printf "wss://%s" (tpl .ingress.host $root) }}
 {{- end -}}
 {{- end -}}
 {{- end -}}

@@ -26,23 +26,14 @@ app.kubernetes.io/version: {{ include "element-io.ess-library.labels.makeSafe" .
 {{- end }}
 {{- end }}
 
-{{- define "element-io.matrix-rtc-sfu.env" }}
-{{- $root := .root -}}
-{{- with required "element-io.matrix-rtc-authorisation-service missing context" .context -}}
-{{- $resultEnv := dict -}}
-{{- range $envEntry := .extraEnv -}}
-{{- $_ := set $resultEnv $envEntry.name $envEntry.value -}}
-{{- end -}}
-{{- range $key, $value := $resultEnv }}
-- name: {{ $key | quote }}
-  value: {{ $value | quote }}
-{{- end -}}
-{{- end -}}
+{{- define "element-io.matrix-rtc-sfu.overrideEnv" }}
+env: []
 {{- end -}}
 
-{{- define "element-io.matrix-rtc-sfu.matrixToolsEnv" }}
+{{- define "element-io.matrix-rtc-sfu.renderConfigOverrideEnv" }}
 {{- $root := .root -}}
-{{- with required "element-io.matrix-rtc-sfu.matrixToolsEnv missing context" .context -}}
+{{- with required "element-io.matrix-rtc-sfu.renderConfigOverrideEnv missing context" .context -}}
+env:
 - name: "LIVEKIT_KEY"
   value: "{{ (.livekitAuth).key | default "matrix-rtc" }}"
 - name: LIVEKIT_SECRET