diff --git a/services/communication/kustomization.yaml b/services/communication/kustomization.yaml
index 42aa7ea..f161e0e 100644
--- a/services/communication/kustomization.yaml
+++ b/services/communication/kustomization.yaml
@@ -7,6 +7,7 @@ resources:
 - synapse-rendered.yaml
 - synapse-signingkey-ensure-job.yaml
 - synapse-seeder-admin-ensure-job.yaml
+ - synapse-guest-appservice-secret-ensure-job.yaml
 - mas-configmap.yaml
 - mas-admin-client-secret-ensure-job.yaml
 - mas-deployment.yaml
diff --git a/services/communication/synapse-guest-appservice-secret-ensure-job.yaml b/services/communication/synapse-guest-appservice-secret-ensure-job.yaml
new file mode 100644
index 0000000..6dd8564
--- /dev/null
+++ b/services/communication/synapse-guest-appservice-secret-ensure-job.yaml
@@ -0,0 +1,111 @@ +# services/communication/synapse-guest-appservice-secret-ensure-job.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: synapse-guest-appservice-secret-writer + namespace: comms +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: synapse-guest-appservice-secret-writer + namespace: comms +rules: + - apiGroups: [""] + resources: ["secrets"] + resourceNames: ["synapse-guest-appservice-runtime"] + verbs: ["get", "patch", "update"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["create"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: synapse-guest-appservice-secret-writer + namespace: comms +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: synapse-guest-appservice-secret-writer +subjects: + - kind: ServiceAccount + name: synapse-guest-appservice-secret-writer + namespace: comms +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: synapse-guest-appservice-secret-ensure-1 + namespace: comms +spec: + backoffLimit: 2 + template: + spec: + serviceAccountName: synapse-guest-appservice-secret-writer + restartPolicy: OnFailure + volumes: + - name: work + emptyDir: {} + initContainers: + - name: generate + image: alpine:3.20 + command: ["/bin/sh", "-c"] + args: + - | + set -euo pipefail + umask 077 + AS_TOKEN="$(dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')" + HS_TOKEN="$(dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')" + + printf '%s' "${AS_TOKEN}" > /work/as_token + printf '%s' "${HS_TOKEN}" > /work/hs_token + + cat > /work/registration.yaml </dev/null 2>&1; then + if kubectl -n comms get secret synapse-guest-appservice-runtime -o jsonpath='{.data.registration\.yaml}' 2>/dev/null | grep -q .; then + exit 0 + fi + else + kubectl -n comms create secret generic synapse-guest-appservice-runtime \ + --from-file=registration.yaml=/work/registration.yaml \ + --from-file=as_token=/work/as_token \ + 
--from-file=hs_token=/work/hs_token >/dev/null + exit 0 + fi + + reg_b64="$(base64 /work/registration.yaml | tr -d '\n')" + as_b64="$(base64 /work/as_token | tr -d '\n')" + hs_b64="$(base64 /work/hs_token | tr -d '\n')" + + payload="$(printf '{\"data\":{\"registration.yaml\":\"%s\",\"as_token\":\"%s\",\"hs_token\":\"%s\"}}' \"${reg_b64}\" \"${as_b64}\" \"${hs_b64}\")" + kubectl -n comms patch secret synapse-guest-appservice-runtime --type=merge -p \"${payload}\" >/dev/null + volumeMounts: + - name: work + mountPath: /work +
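Review bot: The generated appservice tokens are written to a disk-backed emptyDir (`emptyDir: {}`) and the finished pod is never cleaned up, so the plaintext tokens remain on the node's filesystem after the Job completes; use `emptyDir: { medium: Memory }` and add `ttlSecondsAfterFinished: 600` under the Job's `spec:` so the pod and its volume are removed once the run is done. The Role's second rule grants `create` on every Secret in `comms` because Kubernetes cannot scope `create` by `resourceNames`; that is unavoidable, but a comment such as `# create cannot be name-scoped; get/patch/update above are restricted to the runtime secret` would stop the next reader from treating it as an oversight. The `alpine:3.20` image is tag-pinned only; pinning by digest (`alpine:3.20@sha256:<digest-placeholder>`) keeps the token generator reproducible. The middle of the script (the registration.yaml heredoc and the start of the kubectl container) is not legible in this rendering, and the `\"` sequences in the `payload=` and `patch -p` lines would, if they are literal in the file, produce doubled quotes and invalid JSON — worth confirming against the file itself.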