bstein/titan-iac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

comms: add mas bot users and revert synapse auth

Browse Source
This commit is contained in:
Brad Stein 2026-01-08 05:12:14 -03:00
parent acedad02c0
commit 7bea022311
6 changed files with 161 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
services/comms/atlasbot-deployment.yaml
View File

@ -32,7 +32,7 @@ spec:
- name: MATRIX_BASE
value: http://othrys-synapse-matrix-synapse:8008
- name: AUTH_BASE
value: http://othrys-synapse-matrix-synapse:8008
value: http://matrix-authentication-service:8080
- name: KB_DIR
value: /kb
- name: VM_URL

1
services/comms/kustomization.yaml
View File

@ -16,6 +16,7 @@ resources:
- mas-db-ensure-job.yaml
- comms-secrets-ensure-job.yaml
- synapse-user-seed-job.yaml
- mas-local-users-ensure-job.yaml
- mas-deployment.yaml
- element-rendered.yaml
- livekit-config.yaml

155
services/comms/mas-local-users-ensure-job.yaml Normal file
View File

@ -0,0 +1,155 @@
# services/comms/mas-local-users-ensure-job.yaml
apiVersion: batch/v1
kind: Job
metadata:
name: mas-local-users-ensure-1
namespace: comms
spec:
backoffLimit: 1
ttlSecondsAfterFinished: 3600
template:
spec:
restartPolicy: Never
volumes:
- name: mas-admin-client
secret:
secretName: mas-admin-client-runtime
items:
- key: client_secret
path: client_secret
containers:
- name: ensure
image: python:3.11-slim
volumeMounts:
- name: mas-admin-client
mountPath: /etc/mas-admin-client
readOnly: true
env:
- name: MAS_ADMIN_CLIENT_ID
value: 01KDXMVQBQ5JNY6SEJPZW6Z8BM
- name: MAS_ADMIN_CLIENT_SECRET_FILE
value: /etc/mas-admin-client/client_secret
- name: MAS_TOKEN_URL
value: http://matrix-authentication-service:8080/oauth2/token
- name: MAS_ADMIN_API_BASE
value: http://matrix-authentication-service:8081/api/admin/v1
- name: SEEDER_USER
value: othrys-seeder
- name: SEEDER_PASS
valueFrom:
secretKeyRef:
name: atlasbot-credentials-runtime
key: seeder-password
- name: BOT_USER
value: atlasbot
- name: BOT_PASS
valueFrom:
secretKeyRef:
name: atlasbot-credentials-runtime
key: bot-password
command:
- /bin/sh
- -c
- |
set -euo pipefail
pip install --no-cache-dir requests >/dev/null
python - <<'PY'
import base64
import os
import time
import requests
import urllib.parse
MAS_ADMIN_CLIENT_ID = os.environ["MAS_ADMIN_CLIENT_ID"]
MAS_ADMIN_CLIENT_SECRET_FILE = os.environ["MAS_ADMIN_CLIENT_SECRET_FILE"]
MAS_TOKEN_URL = os.environ["MAS_TOKEN_URL"]
MAS_ADMIN_API_BASE = os.environ["MAS_ADMIN_API_BASE"].rstrip("/")
def admin_token():
with open(MAS_ADMIN_CLIENT_SECRET_FILE, "r", encoding="utf-8") as f:
secret = f.read().strip()
basic = base64.b64encode(f"{MAS_ADMIN_CLIENT_ID}:{secret}".encode()).decode()
last = None
for attempt in range(1, 6):
try:
r = requests.post(
MAS_TOKEN_URL,
headers={"Authorization": f"Basic {basic}"},
data={"grant_type": "client_credentials", "scope": "urn:mas:admin"},
timeout=30,
)
if r.status_code == 200:
return r.json()["access_token"]
except Exception as exc: # noqa: BLE001
last = exc
time.sleep(attempt * 2)
raise RuntimeError(f"MAS admin token request failed: {last}")
def get_user(token, username):
r = requests.get(
f"{MAS_ADMIN_API_BASE}/users/by-username/{urllib.parse.quote(username)}",
headers={"Authorization": f"Bearer {token}"},
timeout=30,
)
if r.status_code == 404:
return None
r.raise_for_status()
return r.json()["data"]
def create_user(token, username, password):
payload = {
"data": {
"type": "user",
"attributes": {
"username": username,
"password": password,
},
}
}
r = requests.post(
f"{MAS_ADMIN_API_BASE}/users",
headers={"Authorization": f"Bearer {token}"},
json=payload,
timeout=30,
)
if r.status_code in (200, 201):
return r.json()["data"]
if r.status_code == 409:
return None
r.raise_for_status()
return None
def update_password(token, user_id, password):
payload = {
"data": {
"type": "user",
"id": user_id,
"attributes": {
"password": password,
},
}
}
r = requests.patch(
f"{MAS_ADMIN_API_BASE}/users/{urllib.parse.quote(user_id)}",
headers={"Authorization": f"Bearer {token}"},
json=payload,
timeout=30,
)
if r.status_code in (200, 204):
return True
return False
def ensure_user(token, username, password):
user = get_user(token, username)
if user is None:
user = create_user(token, username, password)
if user is None:
user = get_user(token, username)
if user is None:
raise RuntimeError(f"failed to ensure user {username}")
update_password(token, user["id"], password)
token = admin_token()
ensure_user(token, os.environ["SEEDER_USER"], os.environ["SEEDER_PASS"])
ensure_user(token, os.environ["BOT_USER"], os.environ["BOT_PASS"])
PY

2
services/comms/pin-othrys-job.yaml
View File

@ -23,7 +23,7 @@ spec:
- name: SYNAPSE_BASE
value: http://othrys-synapse-matrix-synapse:8008
- name: AUTH_BASE
value: http://othrys-synapse-matrix-synapse:8008
value: http://matrix-authentication-service:8080
- name: SEEDER_USER
value: othrys-seeder
- name: SEEDER_PASS

2
services/comms/seed-othrys-room.yaml
View File

@ -21,7 +21,7 @@ spec:
- name: SYNAPSE_BASE
value: http://othrys-synapse-matrix-synapse:8008
- name: AUTH_BASE
value: http://othrys-synapse-matrix-synapse:8008
value: http://matrix-authentication-service:8080
- name: SEEDER_USER
value: othrys-seeder
- name: SEEDER_PASS

4
services/comms/synapse-rendered.yaml
View File

@ -340,7 +340,7 @@ data:
msc4222_enabled: true
max_event_delay_duration: 24h
password_config:
enabled: true
enabled: false
turn_uris:
- "turn:turn.live.bstein.dev:3478?transport=udp"
- "turn:turn.live.bstein.dev:3478?transport=tcp"
@ -671,7 +671,7 @@ spec:
template:
metadata:
annotations:
checksum/config: manual-rtc-enable-10
checksum/config: manual-rtc-enable-11
checksum/secrets: ec9f3b254a562a0f0709461eb74a8cc91b8c1a2fb06be2594a131776c2541773
labels:
app.kubernetes.io/name: matrix-synapse