bea/infra-prod
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
89173418cdffd459d5a6961261cd85e19b8ee155
infra-prod/deploy/rocket-chat
History
Beatrice Dellacà 2ae346e8ef add n8n
2025-04-04 20:59:32 +02:00
..
charts
update rocket-chat
2025-04-03 15:16:10 +02:00
ci
update rocket-chat
2025-04-03 15:16:10 +02:00
templates
fix secret
2025-04-03 15:26:54 +02:00
.helmignore
update rocket-chat
2025-04-03 15:16:10 +02:00
Chart.lock
update rocket-chat
2025-04-03 15:16:10 +02:00
Chart.yaml
add rocketchat helm
2025-04-03 15:02:31 +02:00
README.md
update rocket-chat
2025-04-03 15:16:10 +02:00
values-custom.yaml
add n8n
2025-04-04 20:59:32 +02:00
values.yaml
update values
2025-04-03 15:28:53 +02:00

README.md

Rocket.Chat

Rocket.Chat is free, unlimited and open source. Replace email, HipChat & Slack with the ultimate team chat software solution.

Warning

: Upgrading to chart version 5.4.3 or higher might require extra steps to successfully update MongoDB and Rocket.Chat. See Upgrading to 5.4.3 for more details.

Introduction

This chart bootstraps a Rocket.Chat Deployment on a Kubernetes cluster using the Helm package manager. It provisions a fully featured Rocket.Chat installation.

In addition, this chart supports scaling of Rocket.Chat for increased server capacity and high availability (requires enterprise license). For more information on Rocket.Chat and its capabilities, see its documentation.

Prerequisites Details

The chart has an optional dependency on the MongoDB chart. By default, the MongoDB chart requires PV support on underlying infrastructure (may be disabled).

Installing the Chart

To install the chart with the release name rocketchat:

$ helm install rocketchat rocketchat/rocketchat --set mongodb.auth.passwords={rocketchatPassword},mongodb.auth.rootPassword=rocketchatRootPassword

If you got a registration token for Rocket.Chat Cloud, you can also include it:

$ helm install rocketchat rocketchat/rocketchat --set mongodb.auth.passwords={rocketchatPassword},mongodb.auth.rootPassword=rocketchatRootPassword,registrationToken=<paste the token here>

Usage of Values.yaml file is recommended over using command line arguments --set. You must set at least the database password and root password in the values file.

mongodb:
  auth:
    passwords:
      - rocketchat
    rootPassword: rocketchatroot

Now use the following command to deploy

helm install rocketchat -f Values.yaml rocketchat/rocketchat

Starting chart version 5.4.3, due to mongodb dependency, username, password and database entries must be arrays of the same length. Rocket.Chat will use the first entries of those arrays for its own use. mongodb.auth.usernames array defaults to {rocketchat} and mongodb.auth.databases array defaults to {rocketchat}

Uninstalling the Chart

To uninstall/delete the rocketchat deployment:

$ helm delete rocketchat

Configuration

The following table lists the configurable parameters of the Rocket.Chat chart and their default values.

Parameter Description Default
image.repository Image repository registry.rocket.chat/rocketchat/rocket.chat
image.tag Image tag 3.18.3
image.pullPolicy Image pull policy IfNotPresent
host Hostname for Rocket.Chat. Also used for ingress (if enabled) ""
replicaCount Number of replicas to run 1
smtp.enabled Enable SMTP for sending mails false
smtp.existingSecret Use existing secret for SMTP account ""
smtp.username Username of the SMTP account ""
smtp.password Password of the SMTP account ""
smtp.host Hostname of the SMTP server ""
smtp.port Port of the SMTP server 587
extraEnv Extra environment variables for Rocket.Chat. Used with tpl function, so this needs to be a string ""
extraSecret An already existing secret to be used by chat deployment. It needs to be a string ""
extraVolumes Extra volumes allowing inclusion of certificates or any sort of file that might be required (see bellow) []
extraVolumeMounts Where the aforementioned extra volumes should be mounted inside the container []
podAntiAffinity Pod anti-affinity can prevent the scheduler from placing RocketChat replicas on the same node. The default value "soft" means that the scheduler should prefer to not schedule two replica pods onto the same node but no guarantee is provided. The value "hard" means that the scheduler is required to not schedule two replica pods onto the same node. The value "" will disable pod anti-affinity so that no anti-affinity rules will be configured. ""
podAntiAffinityTopologyKey If anti-affinity is enabled sets the topologyKey to use for anti-affinity. This can be changed to, for example failure-domain.beta.kubernetes.io/zone kubernetes.io/hostname
affinity Assign custom affinity rules to the RocketChat instance https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ {}
minAvailable Minimum number / percentage of pods that should remain scheduled 1
existingMongodbSecret An already existing secret containing MongoDB Connection URL ""
externalMongodbUrl MongoDB URL if using an externally provisioned MongoDB ""
externalMongodbOplogUrl MongoDB OpLog URL if using an externally provisioned MongoDB. Required if externalMongodbUrl is set ""
mongodb.enabled Enable or disable MongoDB dependency. Refer to the stable/mongodb docs for more information true
persistence.enabled Enable persistence using a PVC. This is not necessary if you're using the default GridFS file storage false
persistence.storageClass Storage class of the PVC to use ""
persistence.accessMode Access mode of the PVC ReadWriteOnce
persistence.size Size of the PVC 8Gi
persistence.existingClaim An Existing PVC name for rocketchat volume ""
resources Pod resource requests and limits {}
securityContext.enabled Enable security context for the pod true
securityContext.runAsUser User to run the pod as 999
securityContext.fsGroup fs group to use for the pod 999
serviceAccount.create Specifies whether a ServiceAccount should be created true
serviceAccount.name Name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template ""
ingress.enabled If true, an ingress is created false
ingress.pathType Sets the value for pathType for the created Ingress resource Prefix
ingress.annotations Annotations for the ingress {}
ingress.path Path of the ingress /
ingress.tls A list of IngressTLS items []
license Contents of the Enterprise License file, if applicable ""
prometheusScraping.enabled Turn on and off /metrics endpoint for Prometheus scraping false
prometheusScraping.port Port to use for the metrics for Prometheus to scrap on 9458
serviceMonitor.enabled Create ServiceMonitor resource(s) for scraping metrics using PrometheusOperator (prometheusScraping should be enabled) false
serviceMonitor.intervals The intervals at which metrics should be scraped [30s]
serviceMonitor.ports The port names at which container exposes Prometheus metrics [metrics]
serviceMonitor.interval deprecated, use serviceMonitor.intervals instead 30s
serviceMonitor.port deprecated, use serviceMonitor.ports instead metrics
livenessProbe.enabled Turn on and off liveness probe true
livenessProbe.initialDelaySeconds Delay before liveness probe is initiated 60
livenessProbe.periodSeconds How often to perform the probe 15
livenessProbe.timeoutSeconds When the probe times out 5
livenessProbe.failureThreshold Minimum consecutive failures for the probe 3
livenessProbe.successThreshold Minimum consecutive successes for the probe 1
global.tolerations common tolerations for all pods (rocket.chat and all microservices) []
global.annotations common annotations for all pods (rocket.chat and all microservices) {}
global.nodeSelector common nodeSelector for all pods (rocket.chat and all microservices) {}
global.affinity common affinity for all pods (rocket.chat and all microservices) {}
tolerations tolerations for main rocket.chat pods (the meteor service) []
microservices.enabled Use microservices architecture false
microservices.presence.replicas Number of replicas to run for the given service 1
microservices.ddpStreamer.replicas Idem 1
microservices.streamHub.replicas Idem 1
microservices.accounts.replicas Idem 1
microservices.authorization.replicas Idem 1
microservices.nats.replicas Idem 1
microservices.presence.tolerations Pod tolerations []
microservices.ddpStreamer.tolerations Pod tolerations []
microservices.streamHub.tolerations Pod tolerations []
microservices.accounts.tolerations Pod tolerations []
microservices.authorization.tolerations Pod tolerations []
microservices.presence.annotations Pod annotations {}
microservices.ddpStreamer.annotations Pod annotations {}
microservices.streamHub.annotations Pod annotations {}
microservices.accounts.annotations Pod annotations {}
microservices.authorization.annotations Pod annotations {}
microservices.presence.nodeSelector nodeSelector for the Pod {}
microservices.ddpStreamer.nodeSelector nodeSelector for the Pod {}
microservices.streamHub.nodeSelector nodeSelector for the Pod {}
microservices.accounts.nodeSelector nodeSelector for the Pod {}
microservices.authorization.nodeSelector nodeSelector for the Pod {}
microservices.presence.affinity Pod affinity {}
microservices.ddpStreamer.affinity Pod affinity {}
microservices.streamHub.affinity Pod affinity {}
microservices.accounts.affinity Pod affinity {}
microservices.authorization.affinity Pod affinity {}
readinessProbe.enabled affinity for the Pod []
readinessProbe.initialDelaySeconds Delay before readiness probe is initiated 10
readinessProbe.periodSeconds How often to perform the probe 15
readinessProbe.timeoutSeconds When the probe times out 5
readinessProbe.failureThreshold Minimum consecutive failures for the probe 3
readinessProbe.successThreshold Minimum consecutive successes for the probe 1
registrationToken Registration Token for Rocket.Chat Cloud ""
service.annotations Annotations for the Rocket.Chat service {}
service.labels Additional labels for the Rocket.Chat service {}
service.type The service type to use ClusterIP
service.port The service port 80
service.nodePort The node port used if the service is of type NodePort ""
podDisruptionBudget.enabled Enable or disable PDB for RC deployment true
podLabels Additional pod labels for the Rocket.Chat pods {}
podAnnotations Additional pod annotations for the Rocket.Chat pods {}
federation.enabled Enable Rocket.Chat federation (through matrix)
federation.host FQDN for your matrix instance
federation.image.repository Image repository to use for federation image, defaults to matrixdotorg
federation.image.registry Image registry to use for federation image, defaults to docker.io
federation.image.tag Image tag to use for federation image, defaults to latest
federation.persistence.enabled Enabling persistence for matrix pod
postgresql.enabled Enabling postgresql for matrix (synapse), defaults to false, if false, uses sqlite

Specify each parameter using the --set key=value[,key=value] argument to helm install.

Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,

$ helm install rocketchat -f values.yaml rocketchat/rocketchat

Database Setup

Rocket.Chat uses a MongoDB instance to presist its data. By default, the MongoDB chart is deployed and a single MongoDB instance is created as the primary in a replicaset.
Please refer to this (MongoDB) chart for additional MongoDB configuration options. If you are using chart defaults, make sure to set at least the mongodb.auth.rootPassword and mongodb.auth.passwords values.

Warning

: The root credentials are used to connect to the MongoDB OpLog

Using an External Database

This chart supports using an existing MongoDB instance. Use the `` configuration options and disable MongoDB with --set mongodb.enabled=false

Configuring Additional Environment Variables

extraEnv: |
  - name: MONGO_OPTIONS
    value: '{"ssl": "true"}'

Specifying aditional volumes

Sometimes, it's needed to include extra sets of files by means of exposing them to the container as a mountpoint. The most common use case is the inclusion of SSL CA certificates.

extraVolumes: 
  - name: etc-certs
    hostPath:
    - path: /etc/ssl/certs
      type: Directory
extraVolumeMounts: 
  - mountPath: /etc/ssl/certs
    name: etc-certs   
    readOnly: true

Increasing Server Capacity and HA Setup

To increase the capacity of the server, you can scale up the number of Rocket.Chat server instances across available computing resources in your cluster, for example,

$ kubectl scale --replicas=3 deployment/rocketchat

By default, this chart creates one MongoDB instance as a Primary in a replicaset. This is the minimum requirement to run Rocket.Chat 1.x+. You can also scale up the capacity and availability of the MongoDB cluster independently. Please see the MongoDB chart for configuration information.

For information on running Rocket.Chat in scaled configurations, see the documentation for more details.

Adding tolerations, annotations, nodeSelector and affinity

To add common tolerations, annotations, nodeSelector and affinity to all deployments

global:
  tolerations:
    - # here
  annotations:
      # here
  nodeSelector:
      # here
      # kubernetes.io/arch: amd64
  affinity:
#   nodeAffinity:
#     requiredDuringSchedulingIgnoredDuringExecution:
#       nodeSelectorTerms:
#       - matchExpressions:
#         - key: kubernetes.io/arch
#           operator: In
#           values:
#           - amd64

Override tolerations or annotations for each microservice by adding to respective block's configuration. For example to override the global tolerations and annotations for ddp-streamer pods,

microservices:
  ddpStreamer:
    tolerations:
      - # add here
    annotations:
        # add here
  nodeSelector:
      # here
      # kubernetes.io/arch: amd64
  affinity:
#   nodeAffinity:
#     requiredDuringSchedulingIgnoredDuringExecution:
#       nodeSelectorTerms:
#       - matchExpressions:
#         - key: kubernetes.io/arch
#           operator: In
#           values:
#           - amd64

To override tolerations for meteor service, or the main rocket.chat deployment, add to the root tolerations key.

tolerations:
  - # ...

To override annotations for meteor service, or the main rocket.chat deployment, add to the root podAnnotations key.

podAnnotations:
    # add here

To override the nodeSelector for meteor service, or the main rocket.chat deployment, add to the root nodeSelector key.

nodeSelector:
    # add here

To override the affinity for meteor service, or the main rocket.chat deployment, add to the root affinity key.

  affinity:
#   nodeAffinity:
#     requiredDuringSchedulingIgnoredDuringExecution:
#       nodeSelectorTerms:
#       - matchExpressions:
#         - key: kubernetes.io/arch
#           operator: In
#           values:
#           - amd64

Manage MongoDB and NATS nodeSelector and Affinity

If MongoDB and NATS own charts are used in the deployment, add the nodeSelector and Affinity to each service. Example:

mongodb:
  enabled: true  
  nodeSelector:
   kubernetes.io/arch: amd64
  affinity:
   nodeAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      nodeSelectorTerms:
      - matchExpressions:
        - key: kubernetes.io/arch
          operator: In
          values:
          - amd64
nats:
    nodeSelector:
      kubernetes.io/arch: amd64
    affinity:
     nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
       nodeSelectorTerms:
       - matchExpressions:
         - key: kubernetes.io/arch
           operator: In
           values:
           - amd64

Manage MongoDB secrets

This chart provides several ways to manage the Connection for MongoDB

  • Values passed to the chart (externalMongodbUrl, externalMongodbOplogUrl)
  • An ExistingMongodbSecret containing the MongoURL and MongoOplogURL
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  mongo-uri: mongodb://user:password@localhost:27017/rocketchat
  mongo-oplog-uri: mongodb://user:password@localhost:27017/local?replicaSet=rs0&authSource=admin

Federation

You can enable federation by setting federation.enabled to true.

You need to make sure you have two domains, one for rocket.chat another for matrix.

host: <rocket.chat domain>
federation:
    host: <matrix domain>

Add the domains to ingress tls config

ingress:
  tls:
    - secretName: <some secret>
      hosts:
        - <rocket.chat domain>
        - <matrix domain>

For production, postgres is recommended. Enabled postgres

postgresql:
  enabled: true

For more details on configs, check postgresql chart.

Since TLS is required, also make sure you have something like cert-manager is running on your cluster, and you add the annotations to the ingress with ingress.annotations (or whatever is the recommended way for your certificate issuer).

hooks

To add custom annotations and labels to pods spawned by pre-upgrade hook

hooks:
  preUpgrade:
    podAnnotatios: {} # here
    podLabels: {} # here

Upgrading

To 5.4.3

Due to changes on upstream MongoDB chart, some variables have been renamed (previously deprecated), which, in turn changed how this chart generates its manifests. Values that need changing -

  • mongodb.auth.username is no longer supported, and has been changed to mongodb.auth.usernames array. If you set it to something custom (defaults to rocketchat), make sure you update it to an array and the entry is the first entry in that array as that's what Rocket.Chat will use to connect to the database.
  • mongodb.auth.password is no longer supported either and has been changed to mongodb.auth.passwords array. Update your values file to make it an array and make sure it's the first entry of that array.
  • mongodb.auth.database is no longer supported either and has been changed to its plural version, mongodb.auth.databases. Update your values file, convert it to an array and make sure it's the first entry of that list.
  • mongodb.auth.rootUsername and mongodb.auth.rootPassword are staying the same.

usernames, passwords and databases arrays must be of the same length. Rocket.Chat chart will use the first entry for its mongodb connection string in MONGO_URL and MONGO_OPLOG_URL.

On each chart update, the used image tag gets updated, in most cases. Same is true for the MongoDB chart we use as our dependency. Pre-5.4.3, we had been using the chart version 10.x.x, but starting 5.4.3, the dependency chart version has been bumped to the latest available version, 13.x.x. This chart defaults to mongodb 6.0.x as of the time of writing this.

As a warning, this chart will not handle MongoDB upgrades and will depend on the user to make sure it's running on the supported version. The upgrade will fail if any of the following requirements are not met -

  • must not skip a MongoDB release. E.g. 4.2.x to 5.0.x will fail
  • current featureCompatibilityVersion must be compatible with the version user is trying to upgrade to. E.g. if current database version and feature compatibility is 4.4 and 4.2 respectively, but user is trying to upgrade to 5.0, it'll fail

The chart will not check if the mongodb version is supported by the Rocket.Chat version considering deployments, that might occur in an airgapped environment. It is up to the user to make sure of that. Users can check Rocket.Chat's release notes to confirm that.

To get the currently deployed MongoDB version, the easiest method is to get into the mongo shell and running db.version().

It is advised to pin your MongoDB dependency in the values file.

mongodb:
  image:
    tag: # find from https://hub.docker.com/r/bitnami/mongodb/tags

References:

To 6.13.0

This is only applicable if you both, enabled federation in chart version >=6.8, and want to keep using lighttpd.

IFF you manually enabled ingress.federation.serveWellKnown (which was a hidden setting) before, during upgrade, disable it once before enabling it again.

Chart contained a bug that would cause wellknown deployment to fail to update (illegal live modification of matchLabels).

Reference in New Issue View Git Blame Copy Permalink