titan-iac/services/comms/oneoffs/synapse-signingkey-ensure-job.yaml

# services/comms/oneoffs/synapse-signingkey-ensure-job.yaml
# One-off job for comms/othrys-synapse-signingkey-ensure-7.
# Purpose: othrys synapse signingkey ensure 7 (see container args/env in this file).
# Run by setting spec.suspend to false, reconcile, then set it back to true.
# Safe to delete the finished Job/pod; it should not run continuously.
apiVersion: batch/v1
kind: Job
metadata:
  name: othrys-synapse-signingkey-ensure-7
  namespace: comms
spec:
  suspend: true
  backoffLimit: 2
  template:
    spec:
      serviceAccountName: othrys-synapse-signingkey-job
      restartPolicy: OnFailure
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: node-role.kubernetes.io/worker
                    operator: Exists
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              preference:
                matchExpressions:
                  - key: kubernetes.io/arch
                    operator: In
                    values: ["arm64"]
      volumes:
        - name: work
          emptyDir: {}
      initContainers:
        - name: generate
          image: ghcr.io/element-hq/synapse:v1.144.0
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -euo pipefail
              umask 077
              if which generate_signing_key.py >/dev/null; then
                generate_signing_key.py -o /work/signing.key
              else
                generate_signing_key -o /work/signing.key
              fi
              chmod 0644 /work/signing.key
          volumeMounts:
            - name: work
              mountPath: /work
      containers:
        - name: store
          image: registry.bstein.dev/bstein/kubectl:1.35.0
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -euo pipefail
              vault_addr="${VAULT_ADDR:-http://vault.vault.svc.cluster.local:8200}"
              vault_role="${VAULT_ROLE:-comms-secrets}"
              jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
              login_payload="$(jq -nc --arg jwt "${jwt}" --arg role "${vault_role}" '{jwt:$jwt, role:$role}')"
              vault_token="$(curl -sS --request POST --data "${login_payload}" \
                "${vault_addr}/v1/auth/kubernetes/login" | jq -r '.auth.client_token')"
              if [ -z "${vault_token}" ] || [ "${vault_token}" = "null" ]; then
                echo "vault login failed" >&2
                exit 1
              fi

              existing="$(curl -sS -H "X-Vault-Token: ${vault_token}" \
                "${vault_addr}/v1/kv/data/atlas/comms/othrys-synapse-signingkey" | jq -r '.data.data["signing.key"] // empty')"
              if [ -n "${existing}" ]; then
                exit 0
              fi

              value="$(cat /work/signing.key)"
              payload="$(jq -nc --arg value "${value}" '{data:{"signing.key":$value}}')"
              curl -sS -X POST -H "X-Vault-Token: ${vault_token}" \
                -d "${payload}" "${vault_addr}/v1/kv/data/atlas/comms/othrys-synapse-signingkey" >/dev/null
          volumeMounts:
            - name: work
              mountPath: /work
chore: organize one-off jobs 2026-01-28 01:48:32 -03:00			`# services/comms/oneoffs/synapse-signingkey-ensure-job.yaml`
			`# One-off job for comms/othrys-synapse-signingkey-ensure-7.`
			`# Purpose: othrys synapse signingkey ensure 7 (see container args/env in this file).`
			`# Run by setting spec.suspend to false, reconcile, then set it back to true.`
			`# Safe to delete the finished Job/pod; it should not run continuously.`
comms: seed synapse signing key for helm 2026-01-13 20:42:30 -03:00			`apiVersion: batch/v1`
			`kind: Job`
			`metadata:`
jobs: bump names after affinity update 2026-01-17 01:52:16 -03:00			`name: othrys-synapse-signingkey-ensure-7`
comms: seed synapse signing key for helm 2026-01-13 20:42:30 -03:00			`namespace: comms`
			`spec:`
chore: organize one-off jobs 2026-01-28 01:48:32 -03:00			`suspend: true`
comms: seed synapse signing key for helm 2026-01-13 20:42:30 -03:00			`backoffLimit: 2`
			`template:`
			`spec:`
			`serviceAccountName: othrys-synapse-signingkey-job`
			`restartPolicy: OnFailure`
jobs: prefer arm64 workers 2026-01-17 01:47:53 -03:00			`affinity:`
			`nodeAffinity:`
			`requiredDuringSchedulingIgnoredDuringExecution:`
			`nodeSelectorTerms:`
			`- matchExpressions:`
			`- key: node-role.kubernetes.io/worker`
			`operator: Exists`
			`preferredDuringSchedulingIgnoredDuringExecution:`
			`- weight: 100`
			`preference:`
			`matchExpressions:`
			`- key: kubernetes.io/arch`
			`operator: In`
			`values: ["arm64"]`
comms: seed synapse signing key for helm 2026-01-13 20:42:30 -03:00			`volumes:`
			`- name: work`
			`emptyDir: {}`
			`initContainers:`
			`- name: generate`
			`image: ghcr.io/element-hq/synapse:v1.144.0`
			`command: ["/bin/sh", "-c"]`
			`args:`
			`- \|`
			`set -euo pipefail`
			`umask 077`
comms: retry synapse signing key job 2026-01-13 20:45:14 -03:00			`if which generate_signing_key.py >/dev/null; then`
			`generate_signing_key.py -o /work/signing.key`
			`else`
			`generate_signing_key -o /work/signing.key`
			`fi`
comms: fix signing key job permissions 2026-01-13 20:49:11 -03:00			`chmod 0644 /work/signing.key`
comms: seed synapse signing key for helm 2026-01-13 20:42:30 -03:00			`volumeMounts:`
			`- name: work`
			`mountPath: /work`
			`containers:`
			`- name: store`
			`image: registry.bstein.dev/bstein/kubectl:1.35.0`
			`command: ["/bin/sh", "-c"]`
			`args:`
			`- \|`
			`set -euo pipefail`
vault(consumption): sync secrets via CSI 2026-01-14 05:07:23 -03:00			`vault_addr="${VAULT_ADDR:-http://vault.vault.svc.cluster.local:8200}"`
			`vault_role="${VAULT_ROLE:-comms-secrets}"`
			`jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"`
			`login_payload="$(jq -nc --arg jwt "${jwt}" --arg role "${vault_role}" '{jwt:$jwt, role:$role}')"`
			`vault_token="$(curl -sS --request POST --data "${login_payload}" \`
			`"${vault_addr}/v1/auth/kubernetes/login" \| jq -r '.auth.client_token')"`
			`if [ -z "${vault_token}" ] \|\| [ "${vault_token}" = "null" ]; then`
			`echo "vault login failed" >&2`
			`exit 1`
			`fi`

			`existing="$(curl -sS -H "X-Vault-Token: ${vault_token}" \`
			`"${vault_addr}/v1/kv/data/atlas/comms/othrys-synapse-signingkey" \| jq -r '.data.data["signing.key"] // empty')"`
			`if [ -n "${existing}" ]; then`
comms: seed synapse signing key for helm 2026-01-13 20:42:30 -03:00			`exit 0`
			`fi`
vault(consumption): sync secrets via CSI 2026-01-14 05:07:23 -03:00
			`value="$(cat /work/signing.key)"`
			`payload="$(jq -nc --arg value "${value}" '{data:{"signing.key":$value}}')"`
			`curl -sS -X POST -H "X-Vault-Token: ${vault_token}" \`
			`-d "${payload}" "${vault_addr}/v1/kv/data/atlas/comms/othrys-synapse-signingkey" >/dev/null`
comms: seed synapse signing key for helm 2026-01-13 20:42:30 -03:00			`volumeMounts:`
			`- name: work`
			`mountPath: /work`