From 144467dfe2a4ca83e914a9a207fd227a26dad5c9 Mon Sep 17 00:00:00 2001 From: Brad Stein Date: Thu, 1 Jan 2026 18:22:32 -0300 Subject: [PATCH] comms(mas): enable internal admin API --- services/communication/mas-configmap.yaml | 11 +++++++++-- services/communication/mas-deployment.yaml | 18 +++++++++++++++++- 2 files changed, 26 insertions(+), 3 deletions(-) diff --git a/services/communication/mas-configmap.yaml b/services/communication/mas-configmap.yaml index fab43c2..ea5c33c 100644 --- a/services/communication/mas-configmap.yaml +++ b/services/communication/mas-configmap.yaml @@ -22,13 +22,18 @@ data: - name: internal resources: - name: health + - name: adminapi binds: - - host: localhost - port: 8081 + - address: "0.0.0.0:8081" database: uri: "postgresql://mas:@@MAS_DB_PASSWORD@@@postgres-service.postgres.svc.cluster.local:5432/mas?sslmode=prefer" + clients: + - client_id: 01KDXMVQBQ5JNY6SEJPZW6Z8BM + client_auth_method: client_secret_basic + client_secret_file: /etc/mas/admin-client/client_secret + secrets: encryption_file: /etc/mas/secrets/encryption keys: @@ -72,6 +77,8 @@ data: policy: data: + admin_clients: + - 01KDXMVQBQ5JNY6SEJPZW6Z8BM client_registration: allow_insecure_uris: true allow_host_mismatch: true diff --git a/services/communication/mas-deployment.yaml b/services/communication/mas-deployment.yaml index 9643175..7034fc7 100644 --- a/services/communication/mas-deployment.yaml +++ b/services/communication/mas-deployment.yaml @@ -14,7 +14,7 @@ spec: template: metadata: annotations: - checksum/config: v4-bind-1 + checksum/config: v5-adminapi-1 labels: app: matrix-authentication-service spec: @@ -80,6 +80,9 @@ spec: - name: http containerPort: 8080 protocol: TCP + - name: internal + containerPort: 8081 + protocol: TCP volumeMounts: - name: rendered mountPath: /rendered 
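Review bot: Binding the `internal` listener to `0.0.0.0:8081` while adding `adminapi` to it puts the admin API on the pod network, and the `containerPort: 8081` and Service `port: 8081` hunks in mas-deployment.yaml then publish it to anything that can reach the Service. The only remaining gate is the OAuth client credential, so a leaked `client_secret` would be usable from any workload in the cluster; nothing in this patch restricts who may connect. I would add a NetworkPolicy next to the Service that keeps 8080 open as before and admits 8081 only from the workload that holds the admin client secret, as sketched below (the policy name and caller label are placeholders, and this assumes the cluster's CNI enforces NetworkPolicy). The listener list starts above this hunk, so whether health probes depend on this port is not visible here.

```yaml
# ... unchanged: Deployment and Service documents ...
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: mas-internal-listener  # placeholder name
spec:
  podSelector:
    matchLabels:
      app: matrix-authentication-service
  policyTypes:
    - Ingress
  ingress:
    # public listener stays reachable as before
    - ports:
        - port: 8080
          protocol: TCP
    # admin/health listener: only the admin client's workload
    - from:
        - podSelector:
            matchLabels:
              app: ADMIN_CALLER_APP_LABEL  # placeholder, not from the patch
      ports:
        - port: 8081
          protocol: TCP
```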
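Review bot: The admin client's ID is now written out twice, here under `policy.data.admin_clients` and in the `clients` entry added in the earlier hunk of this file, and nothing ties the two together, so editing one without the other would leave the admin grant pointing at a different ID than the configured client. A one-line comment above the list would keep them coupled, for example `# must equal clients[].client_id; this list grants admin API access`. Because this list is what confers admin rights, the comment should also say that it is meant to hold only statically configured clients, given the permissive `client_registration` settings visible in the context lines. The `policy` block starts above this hunk.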
@@ -87,6 +90,9 @@ spec: - name: secrets mountPath: /etc/mas/secrets readOnly: true + - name: admin-client + mountPath: /etc/mas/admin-client + readOnly: true - name: keys mountPath: /etc/mas/keys readOnly: true @@ -122,6 +128,12 @@ spec: items: - key: rsa_key path: rsa_key + - name: admin-client + secret: + secretName: mas-admin-client-runtime + items: + - key: client_secret + path: client_secret --- apiVersion: v1 kind: Service @@ -136,3 +148,7 @@ spec: port: 8080 targetPort: http protocol: TCP + - name: internal + port: 8081 + targetPort: internal + protocol: TCP
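Review bot: The new `admin-client` secret volume sets no `defaultMode`, so Kubernetes projects `client_secret` with the default 0644 mode and any user inside the container can read it. Consider `defaultMode: 0400` under `secret:` (or `0440` if the pod relies on `fsGroup`; the securityContext is outside this hunk). A short comment saying how `mas-admin-client-runtime` is created and rotated would also help, because the `checksum/config` annotation appears to be bumped by hand and a changed secret may not restart the pod on its own.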