bstein/titan-iac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

comms: seed synapse signing key for helm

Browse Source
This commit is contained in:
Brad Stein 2026-01-13 20:42:30 -03:00
parent bcef167b50
commit 098a06e723
4 changed files with 83 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
services/comms/helmrelease.yaml
View File

@ -163,12 +163,9 @@ spec:
signingkey: signingkey:
job: job:
generateImage: enabled: false
repository: matrixdotorg/synapse existingSecret: othrys-synapse-signingkey
tag: v1.144.0 existingSecretKey: signing.key
publishImage:
repository: registry.bstein.dev/bstein/kubectl
tag: 1.35.0
--- ---
apiVersion: helm.toolkit.fluxcd.io/v2 apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease kind: HelmRelease

2
services/comms/kustomization.yaml
View File

@ -17,9 +17,11 @@ resources:
- mas-secrets-ensure-rbac.yaml - mas-secrets-ensure-rbac.yaml
- comms-secrets-ensure-rbac.yaml - comms-secrets-ensure-rbac.yaml
- mas-db-ensure-rbac.yaml - mas-db-ensure-rbac.yaml
- synapse-signingkey-ensure-rbac.yaml
- mas-admin-client-secret-ensure-job.yaml - mas-admin-client-secret-ensure-job.yaml
- mas-db-ensure-job.yaml - mas-db-ensure-job.yaml
- comms-secrets-ensure-job.yaml - comms-secrets-ensure-job.yaml
- synapse-signingkey-ensure-job.yaml
- synapse-seeder-admin-ensure-job.yaml - synapse-seeder-admin-ensure-job.yaml
- synapse-user-seed-job.yaml - synapse-user-seed-job.yaml
- mas-local-users-ensure-job.yaml - mas-local-users-ensure-job.yaml

44
services/comms/synapse-signingkey-ensure-job.yaml Normal file
View File

@ -0,0 +1,44 @@
# services/comms/synapse-signingkey-ensure-job.yaml
apiVersion: batch/v1
kind: Job
metadata:
name: othrys-synapse-signingkey-ensure-1
namespace: comms
spec:
backoffLimit: 2
template:
spec:
serviceAccountName: othrys-synapse-signingkey-job
restartPolicy: OnFailure
volumes:
- name: work
emptyDir: {}
initContainers:
- name: generate
image: ghcr.io/element-hq/synapse:v1.144.0
command: ["/bin/sh", "-c"]
args:
- |
set -euo pipefail
umask 077
generate_signing_key -o /work/signing.key
volumeMounts:
- name: work
mountPath: /work
containers:
- name: store
image: registry.bstein.dev/bstein/kubectl:1.35.0
command: ["/bin/sh", "-c"]
args:
- |
set -euo pipefail
if kubectl -n comms get secret othrys-synapse-signingkey \
-o jsonpath='{.data.signing\.key}' 2>/dev/null | grep -q .; then
exit 0
fi
kubectl -n comms create secret generic othrys-synapse-signingkey \
--from-file=signing.key=/work/signing.key \
--dry-run=client -o yaml | kubectl -n comms apply -f - >/dev/null
volumeMounts:
- name: work
mountPath: /work

34
services/comms/synapse-signingkey-ensure-rbac.yaml Normal file
View File

@ -0,0 +1,34 @@
# services/comms/synapse-signingkey-ensure-rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: othrys-synapse-signingkey-job
namespace: comms
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: othrys-synapse-signingkey-job
namespace: comms
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create"]
- apiGroups: [""]
resources: ["secrets"]
resourceNames: ["othrys-synapse-signingkey"]
verbs: ["get", "patch", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: othrys-synapse-signingkey-job
namespace: comms
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: othrys-synapse-signingkey-job
subjects:
- kind: ServiceAccount
name: othrys-synapse-signingkey-job
namespace: comms