2026-01-13 20:42:30 -03:00
|
|
|
# services/comms/synapse-signingkey-ensure-job.yaml
|
|
|
|
|
apiVersion: batch/v1
|
|
|
|
|
kind: Job
|
|
|
|
|
metadata:
|
2026-01-17 01:52:16 -03:00
|
|
|
name: othrys-synapse-signingkey-ensure-7
|
2026-01-13 20:42:30 -03:00
|
|
|
namespace: comms
|
|
|
|
|
spec:
|
|
|
|
|
backoffLimit: 2
|
|
|
|
|
template:
|
|
|
|
|
spec:
|
|
|
|
|
serviceAccountName: othrys-synapse-signingkey-job
|
|
|
|
|
restartPolicy: OnFailure
|
2026-01-17 01:47:53 -03:00
|
|
|
affinity:
|
|
|
|
|
nodeAffinity:
|
|
|
|
|
requiredDuringSchedulingIgnoredDuringExecution:
|
|
|
|
|
nodeSelectorTerms:
|
|
|
|
|
- matchExpressions:
|
|
|
|
|
- key: node-role.kubernetes.io/worker
|
|
|
|
|
operator: Exists
|
|
|
|
|
preferredDuringSchedulingIgnoredDuringExecution:
|
|
|
|
|
- weight: 100
|
|
|
|
|
preference:
|
|
|
|
|
matchExpressions:
|
|
|
|
|
- key: kubernetes.io/arch
|
|
|
|
|
operator: In
|
|
|
|
|
values: ["arm64"]
|
2026-01-13 20:42:30 -03:00
|
|
|
volumes:
|
|
|
|
|
- name: work
|
|
|
|
|
emptyDir: {}
|
|
|
|
|
initContainers:
|
|
|
|
|
- name: generate
|
|
|
|
|
image: ghcr.io/element-hq/synapse:v1.144.0
|
|
|
|
|
command: ["/bin/sh", "-c"]
|
|
|
|
|
args:
|
|
|
|
|
- |
|
|
|
|
|
set -euo pipefail
|
|
|
|
|
umask 077
|
2026-01-13 20:45:14 -03:00
|
|
|
if which generate_signing_key.py >/dev/null; then
|
|
|
|
|
generate_signing_key.py -o /work/signing.key
|
|
|
|
|
else
|
|
|
|
|
generate_signing_key -o /work/signing.key
|
|
|
|
|
fi
|
2026-01-13 20:49:11 -03:00
|
|
|
chmod 0644 /work/signing.key
|
2026-01-13 20:42:30 -03:00
|
|
|
volumeMounts:
|
|
|
|
|
- name: work
|
|
|
|
|
mountPath: /work
|
|
|
|
|
containers:
|
|
|
|
|
- name: store
|
|
|
|
|
image: registry.bstein.dev/bstein/kubectl:1.35.0
|
|
|
|
|
command: ["/bin/sh", "-c"]
|
|
|
|
|
args:
|
|
|
|
|
- |
|
|
|
|
|
set -euo pipefail
|
2026-01-14 05:07:23 -03:00
|
|
|
vault_addr="${VAULT_ADDR:-http://vault.vault.svc.cluster.local:8200}"
|
|
|
|
|
vault_role="${VAULT_ROLE:-comms-secrets}"
|
|
|
|
|
jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
|
|
|
|
|
login_payload="$(jq -nc --arg jwt "${jwt}" --arg role "${vault_role}" '{jwt:$jwt, role:$role}')"
|
|
|
|
|
vault_token="$(curl -sS --request POST --data "${login_payload}" \
|
|
|
|
|
"${vault_addr}/v1/auth/kubernetes/login" | jq -r '.auth.client_token')"
|
|
|
|
|
if [ -z "${vault_token}" ] || [ "${vault_token}" = "null" ]; then
|
|
|
|
|
echo "vault login failed" >&2
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
existing="$(curl -sS -H "X-Vault-Token: ${vault_token}" \
|
|
|
|
|
"${vault_addr}/v1/kv/data/atlas/comms/othrys-synapse-signingkey" | jq -r '.data.data["signing.key"] // empty')"
|
|
|
|
|
if [ -n "${existing}" ]; then
|
2026-01-13 20:42:30 -03:00
|
|
|
exit 0
|
|
|
|
|
fi
|
2026-01-14 05:07:23 -03:00
|
|
|
|
|
|
|
|
value="$(cat /work/signing.key)"
|
|
|
|
|
payload="$(jq -nc --arg value "${value}" '{data:{"signing.key":$value}}')"
|
|
|
|
|
curl -sS -X POST -H "X-Vault-Token: ${vault_token}" \
|
|
|
|
|
-d "${payload}" "${vault_addr}/v1/kv/data/atlas/comms/othrys-synapse-signingkey" >/dev/null
|
2026-01-13 20:42:30 -03:00
|
|
|
volumeMounts:
|
|
|
|
|
- name: work
|
|
|
|
|
mountPath: /work
|
