2026-01-08 05:12:14 -03:00
|
|
|
# services/comms/mas-local-users-ensure-job.yaml
|
|
|
|
|
apiVersion: batch/v1
|
|
|
|
|
kind: Job
|
|
|
|
|
metadata:
|
2026-01-27 01:19:43 -03:00
|
|
|
name: mas-local-users-ensure-18
|
2026-01-08 05:12:14 -03:00
|
|
|
namespace: comms
|
|
|
|
|
spec:
|
|
|
|
|
backoffLimit: 1
|
|
|
|
|
ttlSecondsAfterFinished: 3600
|
|
|
|
|
template:
|
2026-01-14 14:17:26 -03:00
|
|
|
metadata:
|
|
|
|
|
annotations:
|
|
|
|
|
vault.hashicorp.com/agent-inject: "true"
|
2026-01-14 14:29:29 -03:00
|
|
|
vault.hashicorp.com/agent-pre-populate-only: "true"
|
2026-01-14 14:17:26 -03:00
|
|
|
vault.hashicorp.com/role: "comms"
|
2026-01-14 14:21:58 -03:00
|
|
|
vault.hashicorp.com/agent-inject-secret-turn-secret: "kv/data/atlas/comms/turn-shared-secret"
|
|
|
|
|
vault.hashicorp.com/agent-inject-template-turn-secret: |
|
2026-01-14 14:17:26 -03:00
|
|
|
{{- with secret "kv/data/atlas/comms/turn-shared-secret" -}}{{ .Data.data.TURN_STATIC_AUTH_SECRET }}{{- end -}}
|
2026-01-14 14:21:58 -03:00
|
|
|
vault.hashicorp.com/agent-inject-secret-livekit-primary: "kv/data/atlas/comms/livekit-api"
|
|
|
|
|
vault.hashicorp.com/agent-inject-template-livekit-primary: |
|
2026-01-14 14:17:26 -03:00
|
|
|
{{- with secret "kv/data/atlas/comms/livekit-api" -}}{{ .Data.data.primary }}{{- end -}}
|
2026-01-14 14:21:58 -03:00
|
|
|
vault.hashicorp.com/agent-inject-secret-bot-pass: "kv/data/atlas/comms/atlasbot-credentials-runtime"
|
|
|
|
|
vault.hashicorp.com/agent-inject-template-bot-pass: |
|
2026-01-14 14:17:26 -03:00
|
|
|
{{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "bot-password" }}{{- end -}}
|
2026-01-14 14:21:58 -03:00
|
|
|
vault.hashicorp.com/agent-inject-secret-seeder-pass: "kv/data/atlas/comms/atlasbot-credentials-runtime"
|
|
|
|
|
vault.hashicorp.com/agent-inject-template-seeder-pass: |
|
2026-01-14 14:17:26 -03:00
|
|
|
{{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "seeder-password" }}{{- end -}}
|
2026-01-14 14:21:58 -03:00
|
|
|
vault.hashicorp.com/agent-inject-secret-chat-matrix: "kv/data/atlas/shared/chat-ai-keys-runtime"
|
|
|
|
|
vault.hashicorp.com/agent-inject-template-chat-matrix: |
|
2026-01-14 14:17:26 -03:00
|
|
|
{{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.matrix }}{{- end -}}
|
2026-01-14 14:21:58 -03:00
|
|
|
vault.hashicorp.com/agent-inject-secret-chat-homepage: "kv/data/atlas/shared/chat-ai-keys-runtime"
|
|
|
|
|
vault.hashicorp.com/agent-inject-template-chat-homepage: |
|
2026-01-14 14:17:26 -03:00
|
|
|
{{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.homepage }}{{- end -}}
|
2026-01-14 14:21:58 -03:00
|
|
|
vault.hashicorp.com/agent-inject-secret-mas-admin-secret: "kv/data/atlas/comms/mas-admin-client-runtime"
|
|
|
|
|
vault.hashicorp.com/agent-inject-template-mas-admin-secret: |
|
2026-01-14 14:17:26 -03:00
|
|
|
{{- with secret "kv/data/atlas/comms/mas-admin-client-runtime" -}}{{ .Data.data.client_secret }}{{- end -}}
|
2026-01-14 14:21:58 -03:00
|
|
|
vault.hashicorp.com/agent-inject-secret-synapse-db-pass: "kv/data/atlas/comms/synapse-db"
|
|
|
|
|
vault.hashicorp.com/agent-inject-template-synapse-db-pass: |
|
2026-01-14 14:17:26 -03:00
|
|
|
{{- with secret "kv/data/atlas/comms/synapse-db" -}}{{ .Data.data.POSTGRES_PASSWORD }}{{- end -}}
|
2026-01-14 14:21:58 -03:00
|
|
|
vault.hashicorp.com/agent-inject-secret-mas-db-pass: "kv/data/atlas/comms/mas-db"
|
|
|
|
|
vault.hashicorp.com/agent-inject-template-mas-db-pass: |
|
2026-01-14 14:17:26 -03:00
|
|
|
{{- with secret "kv/data/atlas/comms/mas-db" -}}{{ .Data.data.password }}{{- end -}}
|
2026-01-14 14:21:58 -03:00
|
|
|
vault.hashicorp.com/agent-inject-secret-mas-matrix-shared: "kv/data/atlas/comms/mas-secrets-runtime"
|
|
|
|
|
vault.hashicorp.com/agent-inject-template-mas-matrix-shared: |
|
2026-01-14 14:17:26 -03:00
|
|
|
{{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.matrix_shared_secret }}{{- end -}}
|
2026-01-14 14:21:58 -03:00
|
|
|
vault.hashicorp.com/agent-inject-secret-mas-kc-secret: "kv/data/atlas/comms/mas-secrets-runtime"
|
|
|
|
|
vault.hashicorp.com/agent-inject-template-mas-kc-secret: |
|
2026-01-14 14:17:26 -03:00
|
|
|
{{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.keycloak_client_secret }}{{- end -}}
|
2026-01-08 05:12:14 -03:00
|
|
|
spec:
|
|
|
|
|
restartPolicy: Never
|
2026-01-17 01:47:53 -03:00
|
|
|
affinity:
|
|
|
|
|
nodeAffinity:
|
|
|
|
|
requiredDuringSchedulingIgnoredDuringExecution:
|
|
|
|
|
nodeSelectorTerms:
|
|
|
|
|
- matchExpressions:
|
|
|
|
|
- key: node-role.kubernetes.io/worker
|
|
|
|
|
operator: Exists
|
|
|
|
|
preferredDuringSchedulingIgnoredDuringExecution:
|
|
|
|
|
- weight: 100
|
|
|
|
|
preference:
|
|
|
|
|
matchExpressions:
|
|
|
|
|
- key: kubernetes.io/arch
|
|
|
|
|
operator: In
|
|
|
|
|
values: ["arm64"]
|
2026-01-14 05:07:23 -03:00
|
|
|
serviceAccountName: comms-vault
|
2026-01-08 05:12:14 -03:00
|
|
|
volumes:
|
2026-01-14 05:07:23 -03:00
|
|
|
- name: vault-scripts
|
|
|
|
|
configMap:
|
|
|
|
|
name: comms-vault-env
|
|
|
|
|
defaultMode: 0555
|
2026-01-08 05:12:14 -03:00
|
|
|
containers:
|
|
|
|
|
- name: ensure
|
|
|
|
|
image: python:3.11-slim
|
|
|
|
|
volumeMounts:
|
2026-01-14 05:07:23 -03:00
|
|
|
- name: vault-scripts
|
|
|
|
|
mountPath: /vault/scripts
|
2026-01-08 05:12:14 -03:00
|
|
|
readOnly: true
|
|
|
|
|
env:
|
|
|
|
|
- name: MAS_ADMIN_CLIENT_ID
|
|
|
|
|
value: 01KDXMVQBQ5JNY6SEJPZW6Z8BM
|
|
|
|
|
- name: MAS_ADMIN_CLIENT_SECRET_FILE
|
2026-01-14 14:21:58 -03:00
|
|
|
value: /vault/secrets/mas-admin-secret
|
2026-01-08 05:12:14 -03:00
|
|
|
- name: MAS_TOKEN_URL
|
|
|
|
|
value: http://matrix-authentication-service:8080/oauth2/token
|
|
|
|
|
- name: MAS_ADMIN_API_BASE
|
|
|
|
|
value: http://matrix-authentication-service:8081/api/admin/v1
|
|
|
|
|
- name: SEEDER_USER
|
|
|
|
|
value: othrys-seeder
|
|
|
|
|
- name: BOT_USER
|
|
|
|
|
value: atlasbot
|
|
|
|
|
command:
|
|
|
|
|
- /bin/sh
|
|
|
|
|
- -c
|
|
|
|
|
- |
|
|
|
|
|
set -euo pipefail
|
2026-01-14 05:07:23 -03:00
|
|
|
. /vault/scripts/comms_vault_env.sh
|
2026-01-08 05:12:14 -03:00
|
|
|
pip install --no-cache-dir requests >/dev/null
|
|
|
|
|
python - <<'PY'
|
|
|
|
|
import base64
|
|
|
|
|
import os
|
|
|
|
|
import time
|
|
|
|
|
import requests
|
|
|
|
|
import urllib.parse
|
|
|
|
|
|
|
|
|
|
MAS_ADMIN_CLIENT_ID = os.environ["MAS_ADMIN_CLIENT_ID"]
|
|
|
|
|
MAS_ADMIN_CLIENT_SECRET_FILE = os.environ["MAS_ADMIN_CLIENT_SECRET_FILE"]
|
|
|
|
|
MAS_TOKEN_URL = os.environ["MAS_TOKEN_URL"]
|
|
|
|
|
MAS_ADMIN_API_BASE = os.environ["MAS_ADMIN_API_BASE"].rstrip("/")
|
2026-01-08 05:21:30 -03:00
|
|
|
AUTH_BASE = "http://matrix-authentication-service:8080"
|
2026-01-08 06:05:20 -03:00
|
|
|
SERVER_NAME = "live.bstein.dev"
|
2026-01-08 05:12:14 -03:00
|
|
|
|
2026-01-17 02:34:36 -03:00
|
|
|
def wait_for_service(url):
|
|
|
|
|
last = None
|
|
|
|
|
for attempt in range(1, 11):
|
|
|
|
|
try:
|
|
|
|
|
requests.get(url, timeout=10)
|
|
|
|
|
return
|
|
|
|
|
except Exception as exc: # noqa: BLE001
|
|
|
|
|
last = exc
|
|
|
|
|
time.sleep(attempt * 2)
|
|
|
|
|
raise RuntimeError(f"MAS service not reachable: {last}")
|
|
|
|
|
|
2026-01-17 02:43:15 -03:00
|
|
|
def request_with_retry(method, url, attempts=6, **kwargs):
|
|
|
|
|
last = None
|
|
|
|
|
for attempt in range(1, attempts + 1):
|
|
|
|
|
try:
|
|
|
|
|
return requests.request(method, url, **kwargs)
|
|
|
|
|
except requests.RequestException as exc:
|
|
|
|
|
last = exc
|
|
|
|
|
time.sleep(attempt * 2)
|
|
|
|
|
raise RuntimeError(f"request failed for {url}: {last}")
|
|
|
|
|
|
2026-01-08 05:12:14 -03:00
|
|
|
def admin_token():
|
|
|
|
|
with open(MAS_ADMIN_CLIENT_SECRET_FILE, "r", encoding="utf-8") as f:
|
|
|
|
|
secret = f.read().strip()
|
|
|
|
|
basic = base64.b64encode(f"{MAS_ADMIN_CLIENT_ID}:{secret}".encode()).decode()
|
|
|
|
|
last = None
|
|
|
|
|
for attempt in range(1, 6):
|
|
|
|
|
try:
|
|
|
|
|
r = requests.post(
|
|
|
|
|
MAS_TOKEN_URL,
|
|
|
|
|
headers={"Authorization": f"Basic {basic}"},
|
|
|
|
|
data={"grant_type": "client_credentials", "scope": "urn:mas:admin"},
|
|
|
|
|
timeout=30,
|
|
|
|
|
)
|
|
|
|
|
if r.status_code == 200:
|
|
|
|
|
return r.json()["access_token"]
|
|
|
|
|
except Exception as exc: # noqa: BLE001
|
|
|
|
|
last = exc
|
|
|
|
|
time.sleep(attempt * 2)
|
|
|
|
|
raise RuntimeError(f"MAS admin token request failed: {last}")
|
|
|
|
|
|
|
|
|
|
def get_user(token, username):
|
2026-01-17 02:43:15 -03:00
|
|
|
r = request_with_retry(
|
|
|
|
|
"GET",
|
2026-01-08 05:12:14 -03:00
|
|
|
f"{MAS_ADMIN_API_BASE}/users/by-username/{urllib.parse.quote(username)}",
|
|
|
|
|
headers={"Authorization": f"Bearer {token}"},
|
|
|
|
|
timeout=30,
|
|
|
|
|
)
|
|
|
|
|
if r.status_code == 404:
|
|
|
|
|
return None
|
|
|
|
|
r.raise_for_status()
|
|
|
|
|
return r.json()["data"]
|
|
|
|
|
|
|
|
|
|
def create_user(token, username, password):
|
2026-01-08 05:21:30 -03:00
|
|
|
payloads = [
|
|
|
|
|
{
|
|
|
|
|
"data": {
|
|
|
|
|
"type": "user",
|
|
|
|
|
"attributes": {
|
|
|
|
|
"username": username,
|
|
|
|
|
"password": password,
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
{"username": username, "password": password},
|
|
|
|
|
]
|
|
|
|
|
for payload in payloads:
|
2026-01-17 02:43:15 -03:00
|
|
|
r = request_with_retry(
|
|
|
|
|
"POST",
|
2026-01-08 05:21:30 -03:00
|
|
|
f"{MAS_ADMIN_API_BASE}/users",
|
|
|
|
|
headers={"Authorization": f"Bearer {token}"},
|
|
|
|
|
json=payload,
|
|
|
|
|
timeout=30,
|
|
|
|
|
)
|
|
|
|
|
if r.status_code in (200, 201):
|
|
|
|
|
return r.json().get("data") or {}
|
|
|
|
|
if r.status_code == 409:
|
|
|
|
|
return None
|
2026-01-08 05:12:14 -03:00
|
|
|
return None
|
|
|
|
|
|
|
|
|
|
def update_password(token, user_id, password):
|
2026-01-17 02:43:15 -03:00
|
|
|
r = request_with_retry(
|
|
|
|
|
"POST",
|
2026-01-08 06:01:45 -03:00
|
|
|
f"{MAS_ADMIN_API_BASE}/users/{urllib.parse.quote(user_id)}/set-password",
|
2026-01-08 05:12:14 -03:00
|
|
|
headers={"Authorization": f"Bearer {token}"},
|
2026-01-08 05:21:30 -03:00
|
|
|
json={"password": password},
|
2026-01-08 05:12:14 -03:00
|
|
|
timeout=30,
|
|
|
|
|
)
|
2026-01-08 05:21:30 -03:00
|
|
|
return r.status_code in (200, 204)
|
2026-01-08 05:12:14 -03:00
|
|
|
|
|
|
|
|
def ensure_user(token, username, password):
|
|
|
|
|
user = get_user(token, username)
|
|
|
|
|
if user is None:
|
|
|
|
|
user = create_user(token, username, password)
|
2026-01-08 05:21:30 -03:00
|
|
|
user = get_user(token, username)
|
2026-01-08 05:12:14 -03:00
|
|
|
if user is None:
|
|
|
|
|
raise RuntimeError(f"failed to ensure user {username}")
|
|
|
|
|
update_password(token, user["id"], password)
|
2026-01-08 06:05:20 -03:00
|
|
|
login_name = username
|
|
|
|
|
if not login_name.startswith("@"):
|
|
|
|
|
login_name = f"@{login_name}:{SERVER_NAME}"
|
2026-01-17 02:43:15 -03:00
|
|
|
r = request_with_retry(
|
|
|
|
|
"POST",
|
2026-01-08 05:21:30 -03:00
|
|
|
f"{AUTH_BASE}/_matrix/client/v3/login",
|
|
|
|
|
json={
|
|
|
|
|
"type": "m.login.password",
|
2026-01-08 06:05:20 -03:00
|
|
|
"identifier": {"type": "m.id.user", "user": login_name},
|
2026-01-08 05:21:30 -03:00
|
|
|
"password": password,
|
|
|
|
|
},
|
|
|
|
|
timeout=30,
|
|
|
|
|
)
|
|
|
|
|
if r.status_code != 200:
|
|
|
|
|
raise RuntimeError(f"login failed for {username}: {r.status_code} {r.text}")
|
2026-01-08 05:12:14 -03:00
|
|
|
|
2026-01-17 02:34:36 -03:00
|
|
|
wait_for_service(MAS_ADMIN_API_BASE)
|
2026-01-08 05:12:14 -03:00
|
|
|
token = admin_token()
|
|
|
|
|
ensure_user(token, os.environ["SEEDER_USER"], os.environ["SEEDER_PASS"])
|
|
|
|
|
ensure_user(token, os.environ["BOT_USER"], os.environ["BOT_PASS"])
|
2026-01-17 01:47:53 -03:00
|
|
|
PY
|
