From 098a06e723321d7bb6eb8b9de1838a0a4cb31675 Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Tue, 13 Jan 2026 20:42:30 -0300
Subject: [PATCH] comms: seed synapse signing key for helm
---
 services/comms/helmrelease.yaml | 9 ++--
 services/comms/kustomization.yaml | 2 +
 .../comms/synapse-signingkey-ensure-job.yaml | 44 +++++++++++++++++++
 .../comms/synapse-signingkey-ensure-rbac.yaml | 34 ++++++++++++++
 4 files changed, 83 insertions(+), 6 deletions(-)
 create mode 100644 services/comms/synapse-signingkey-ensure-job.yaml
 create mode 100644 services/comms/synapse-signingkey-ensure-rbac.yaml
diff --git a/services/comms/helmrelease.yaml b/services/comms/helmrelease.yaml
index 39cd534..d110456 100644
--- a/services/comms/helmrelease.yaml
+++ b/services/comms/helmrelease.yaml
@@ -163,12 +163,9 @@ spec:
 signingkey:
 job:
- generateImage:
- repository: matrixdotorg/synapse
- tag: v1.144.0
- publishImage:
- repository: registry.bstein.dev/bstein/kubectl
- tag: 1.35.0
+ enabled: false
+ existingSecret: othrys-synapse-signingkey
+ existingSecretKey: signing.key
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
diff --git a/services/comms/kustomization.yaml b/services/comms/kustomization.yaml
index f8456ea..5e50d0f 100644
--- a/services/comms/kustomization.yaml
+++ b/services/comms/kustomization.yaml
@@ -17,9 +17,11 @@ resources:
 - mas-secrets-ensure-rbac.yaml
 - comms-secrets-ensure-rbac.yaml
 - mas-db-ensure-rbac.yaml
+ - synapse-signingkey-ensure-rbac.yaml
 - mas-admin-client-secret-ensure-job.yaml
 - mas-db-ensure-job.yaml
 - comms-secrets-ensure-job.yaml
+ - synapse-signingkey-ensure-job.yaml
 - synapse-seeder-admin-ensure-job.yaml
 - synapse-user-seed-job.yaml
 - mas-local-users-ensure-job.yaml
diff --git a/services/comms/synapse-signingkey-ensure-job.yaml b/services/comms/synapse-signingkey-ensure-job.yaml
new file mode 100644
index 0000000..4a2b89f
--- /dev/null
+++ b/services/comms/synapse-signingkey-ensure-job.yaml
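Review bot: The collapsed whitespace hides whether `existingSecret` and `existingSecretKey` were added under `signingkey.job:` (where the removed `generateImage` block sat) or one level up under `signingkey:`; if this is the ananace matrix-synapse chart, which the `job.generateImage`/`job.publishImage` layout matches, the secret reference is read from `signingkey.existingSecret`, and nesting it under `job` would leave the chart with no signing key once `enabled: false` disables its generator. Please check the rendered values rather than the diff. The name and key do agree with what synapse-signingkey-ensure-job.yaml creates (`othrys-synapse-signingkey` / `signing.key`), but the HelmRelease now depends on that Job having completed; a comment such as `# signing key is seeded by synapse-signingkey-ensure-job.yaml; the chart's generator job is disabled` next to `enabled: false` would record that.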
@@ -0,0 +1,44 @@
+# services/comms/synapse-signingkey-ensure-job.yaml
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: othrys-synapse-signingkey-ensure-1
+ namespace: comms
+spec:
+ backoffLimit: 2
+ template:
+ spec:
+ serviceAccountName: othrys-synapse-signingkey-job
+ restartPolicy: OnFailure
+ volumes:
+ - name: work
+ emptyDir: {}
+ initContainers:
+ - name: generate
+ image: ghcr.io/element-hq/synapse:v1.144.0
+ command: ["/bin/sh", "-c"]
+ args:
+ - |
+ set -euo pipefail
+ umask 077
+ generate_signing_key -o /work/signing.key
+ volumeMounts:
+ - name: work
+ mountPath: /work
+ containers:
+ - name: store
+ image: registry.bstein.dev/bstein/kubectl:1.35.0
+ command: ["/bin/sh", "-c"]
+ args:
+ - |
+ set -euo pipefail
+ if kubectl -n comms get secret othrys-synapse-signingkey \
+ -o jsonpath='{.data.signing\.key}' 2>/dev/null | grep -q .; then
+ exit 0
+ fi
+ kubectl -n comms create secret generic othrys-synapse-signingkey \
+ --from-file=signing.key=/work/signing.key \
+ --dry-run=client -o yaml | kubectl -n comms apply -f - >/dev/null
+ volumeMounts:
+ - name: work
+ mountPath: /work
diff --git a/services/comms/synapse-signingkey-ensure-rbac.yaml b/services/comms/synapse-signingkey-ensure-rbac.yaml
new file mode 100644
index 0000000..c7f66bc
--- /dev/null
+++ b/services/comms/synapse-signingkey-ensure-rbac.yaml
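Review bot: `umask 077` in the generate init container leaves /work/signing.key as a 0600 file owned by whatever uid the synapse image runs as, but the pod sets no `securityContext`, so the store container can read it only if both images happen to run as the same uid or as root; if the kubectl image is non-root, the Job fails at `--from-file` after the key has already been generated. A pod-level `securityContext` with a shared `runAsUser`/`runAsGroup` (and `fsGroup` for the volume) makes that assumption explicit. The private key also sits on node disk in the default `emptyDir` for as long as the completed pod object exists, since nothing sets `ttlSecondsAfterFinished`; `medium: Memory` plus a TTL keeps it off disk and bounds that window. Generation also runs unconditionally even when the secret already exists, which the existence check makes harmless but is worth a comment so nobody later moves the check into the init container and drops the guard.
```yaml
spec:
  backoffLimit: 2
  ttlSecondsAfterFinished: 600  # constructed example; keep enough time to inspect failures
  template:
    spec:
      serviceAccountName: othrys-synapse-signingkey-job
      restartPolicy: OnFailure
      securityContext:
        runAsUser: 1000   # constructed example: a uid usable by both images
        runAsGroup: 1000  # constructed example
        fsGroup: 1000     # constructed example
      volumes:
        - name: work
          emptyDir:
            medium: Memory  # keep the freshly generated private key off node disk
      # … unchanged: initContainers / containers …
```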
@@ -0,0 +1,34 @@
+# services/comms/synapse-signingkey-ensure-rbac.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: othrys-synapse-signingkey-job
+ namespace: comms
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: othrys-synapse-signingkey-job
+ namespace: comms
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["create"]
+ - apiGroups: [""]
+ resources: ["secrets"]
+ resourceNames: ["othrys-synapse-signingkey"]
+ verbs: ["get", "patch", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: othrys-synapse-signingkey-job
+ namespace: comms
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: othrys-synapse-signingkey-job
+subjects:
+ - kind: ServiceAccount
+ name: othrys-synapse-signingkey-job
+ namespace: comms
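Review bot: The unscoped `create` on secrets in the first rule needs a comment, because a reader comparing it with the `resourceNames`-scoped second rule will be tempted to "tighten" it and break the Job: Kubernetes cannot restrict `create` by `resourceNames`, so this is already as narrow as the verb allows, though it does mean this service account can create any secret in `comms`. Something like `# create cannot be scoped by resourceNames; the job only ever creates othrys-synapse-signingkey` above the first rule. In the second rule `update` looks unused: the Job's existence check needs `get` and client-side `kubectl apply -f -` issues a `patch`, so `update` can probably be dropped — confirm against the kubectl version in the image before removing it.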