diff --git a/services/comms/atlasbot-deployment.yaml b/services/comms/atlasbot-deployment.yaml
index b2edb76..0d45fe0 100644
--- a/services/comms/atlasbot-deployment.yaml
+++ b/services/comms/atlasbot-deployment.yaml
@@ -32,7 +32,7 @@ spec:
 - name: MATRIX_BASE
 value: http://othrys-synapse-matrix-synapse:8008
 - name: AUTH_BASE
- value: http://othrys-synapse-matrix-synapse:8008
+ value: http://matrix-authentication-service:8080
 - name: KB_DIR
 value: /kb
 - name: VM_URL
diff --git a/services/comms/kustomization.yaml b/services/comms/kustomization.yaml
index 6947617..206dda1 100644
--- a/services/comms/kustomization.yaml
+++ b/services/comms/kustomization.yaml
@@ -16,6 +16,7 @@ resources:
 - mas-db-ensure-job.yaml
 - comms-secrets-ensure-job.yaml
 - synapse-user-seed-job.yaml
+ - mas-local-users-ensure-job.yaml
 - mas-deployment.yaml
 - element-rendered.yaml
 - livekit-config.yaml
diff --git a/services/comms/mas-local-users-ensure-job.yaml b/services/comms/mas-local-users-ensure-job.yaml
new file mode 100644
index 0000000..04b41f6
--- /dev/null
+++ b/services/comms/mas-local-users-ensure-job.yaml
@@ -0,0 +1,155 @@
+# services/comms/mas-local-users-ensure-job.yaml
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: mas-local-users-ensure-1
+ namespace: comms
+spec:
+ backoffLimit: 1
+ ttlSecondsAfterFinished: 3600
+ template:
+ spec:
+ restartPolicy: Never
+ volumes:
+ - name: mas-admin-client
+ secret:
+ secretName: mas-admin-client-runtime
+ items:
+ - key: client_secret
+ path: client_secret
+ containers:
+ - name: ensure
+ image: python:3.11-slim
+ volumeMounts:
+ - name: mas-admin-client
+ mountPath: /etc/mas-admin-client
+ readOnly: true
+ env:
+ - name: MAS_ADMIN_CLIENT_ID
+ value: 01KDXMVQBQ5JNY6SEJPZW6Z8BM
+ - name: MAS_ADMIN_CLIENT_SECRET_FILE
+ value: /etc/mas-admin-client/client_secret
+ - name: MAS_TOKEN_URL
+ value: http://matrix-authentication-service:8080/oauth2/token
+ - name: MAS_ADMIN_API_BASE
+ value: http://matrix-authentication-service:8081/api/admin/v1
+ - name: SEEDER_USER
+ value: othrys-seeder
+ - name: SEEDER_PASS
+ valueFrom:
+ secretKeyRef:
+ name: atlasbot-credentials-runtime
+ key: seeder-password
+ - name: BOT_USER
+ value: atlasbot
+ - name: BOT_PASS
+ valueFrom:
+ secretKeyRef:
+ name: atlasbot-credentials-runtime
+ key: bot-password
+ command:
+ - /bin/sh
+ - -c
+ - |
+ set -euo pipefail
+ pip install --no-cache-dir requests >/dev/null
+ python - <<'PY'
+ import base64
+ import os
+ import time
+ import requests
+ import urllib.parse
+
+ MAS_ADMIN_CLIENT_ID = os.environ["MAS_ADMIN_CLIENT_ID"]
+ MAS_ADMIN_CLIENT_SECRET_FILE = os.environ["MAS_ADMIN_CLIENT_SECRET_FILE"]
+ MAS_TOKEN_URL = os.environ["MAS_TOKEN_URL"]
+ MAS_ADMIN_API_BASE = os.environ["MAS_ADMIN_API_BASE"].rstrip("/")
+
+ def admin_token():
+ with open(MAS_ADMIN_CLIENT_SECRET_FILE, "r", encoding="utf-8") as f:
+ secret = f.read().strip()
+ basic = base64.b64encode(f"{MAS_ADMIN_CLIENT_ID}:{secret}".encode()).decode()
+ last = None
+ for attempt in range(1, 6):
+ try:
+ r = requests.post(
+ MAS_TOKEN_URL,
+ headers={"Authorization": f"Basic {basic}"},
+ data={"grant_type": "client_credentials", "scope": "urn:mas:admin"},
+ timeout=30,
+ )
+ if r.status_code == 200:
+ return r.json()["access_token"]
+ except Exception as exc: # noqa: BLE001
+ last = exc
+ time.sleep(attempt * 2)
+ raise RuntimeError(f"MAS admin token request failed: {last}")
+
+ def get_user(token, username):
+ r = requests.get(
+ f"{MAS_ADMIN_API_BASE}/users/by-username/{urllib.parse.quote(username)}",
+ headers={"Authorization": f"Bearer {token}"},
+ timeout=30,
+ )
+ if r.status_code == 404:
+ return None
+ r.raise_for_status()
+ return r.json()["data"]
+
+ def create_user(token, username, password):
+ payload = {
+ "data": {
+ "type": "user",
+ "attributes": {
+ "username": username,
+ "password": password,
+ },
+ }
+ }
+ r = requests.post(
+ f"{MAS_ADMIN_API_BASE}/users",
+ headers={"Authorization": f"Bearer {token}"},
+ json=payload,
+ timeout=30,
+ )
+ if r.status_code in (200, 201):
+ return r.json()["data"]
+ if r.status_code == 409:
+ return None
+ r.raise_for_status()
+ return None
+
+ def update_password(token, user_id, password):
+ payload = {
+ "data": {
+ "type": "user",
+ "id": user_id,
+ "attributes": {
+ "password": password,
+ },
+ }
+ }
+ r = requests.patch(
+ f"{MAS_ADMIN_API_BASE}/users/{urllib.parse.quote(user_id)}",
+ headers={"Authorization": f"Bearer {token}"},
+ json=payload,
+ timeout=30,
+ )
+ if r.status_code in (200, 204):
+ return True
+ return False
+
+ def ensure_user(token, username, password):
+ user = get_user(token, username)
+ if user is None:
+ user = create_user(token, username, password)
+ if user is None:
+ user = get_user(token, username)
+ if user is None:
+ raise RuntimeError(f"failed to ensure user {username}")
+ update_password(token, user["id"], password)
+
+ token = admin_token()
+ ensure_user(token, os.environ["SEEDER_USER"], os.environ["SEEDER_PASS"])
+ ensure_user(token, os.environ["BOT_USER"], os.environ["BOT_PASS"])
+ PY
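Review bot: In `admin_token` a non-200 token response is neither raised nor recorded, so a rejected client secret or wrong scope (a 401, say) is retried five times and then reported as `MAS admin token request failed: None` with the status never surfaced; `ensure_user` likewise discards the boolean from `update_password`, so a failed PATCH leaves an existing user's password stale while the Job still exits 0. The rewrite below records the HTTP status as the last error (status only, so token-endpoint bodies stay out of Job logs), narrows the retry to `requests.RequestException` so a malformed 200 body fails fast instead of being retried, and raises when the password update is not acknowledged; `set -e` on the wrapper then fails the Job as intended. Separately, `pip install --no-cache-dir requests` pulls an unpinned package from PyPI on every run of a job that holds the MAS admin client secret; pin it (`requests==<PINNED_VERSION>` with `--require-hashes`, or bake it into the image) so the dependency set is reviewable and reproducible.
```python
def admin_token():
    # … unchanged: secret read, Basic header, retry loop and requests.post(...) …
            if r.status_code == 200:
                return r.json()["access_token"]
            # record the status only; token-endpoint bodies stay out of Job logs
            last = RuntimeError(f"token endpoint returned HTTP {r.status_code}")
        except requests.RequestException as exc:
            last = exc
    # … unchanged: time.sleep backoff and final raise …

# … unchanged: get_user, create_user, update_password …

def ensure_user(token, username, password):
    # … unchanged: lookup, create on 404, re-lookup on 409 …
    if not update_password(token, user["id"], password):
        raise RuntimeError(f"failed to set password for user {username}")
```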
diff --git a/services/comms/pin-othrys-job.yaml b/services/comms/pin-othrys-job.yaml
index b735273..c42c815 100644
--- a/services/comms/pin-othrys-job.yaml
+++ b/services/comms/pin-othrys-job.yaml
@@ -23,7 +23,7 @@ spec:
 - name: SYNAPSE_BASE
 value: http://othrys-synapse-matrix-synapse:8008
 - name: AUTH_BASE
- value: http://othrys-synapse-matrix-synapse:8008
+ value: http://matrix-authentication-service:8080
 - name: SEEDER_USER
 value: othrys-seeder
 - name: SEEDER_PASS
diff --git a/services/comms/seed-othrys-room.yaml b/services/comms/seed-othrys-room.yaml
index 1dc5090..5085aa3 100644
--- a/services/comms/seed-othrys-room.yaml
+++ b/services/comms/seed-othrys-room.yaml
@@ -21,7 +21,7 @@ spec:
 - name: SYNAPSE_BASE
 value: http://othrys-synapse-matrix-synapse:8008
 - name: AUTH_BASE
- value: http://othrys-synapse-matrix-synapse:8008
+ value: http://matrix-authentication-service:8080
 - name: SEEDER_USER
 value: othrys-seeder
 - name: SEEDER_PASS
diff --git a/services/comms/synapse-rendered.yaml b/services/comms/synapse-rendered.yaml
index f7d9188..097189a 100644
--- a/services/comms/synapse-rendered.yaml
+++ b/services/comms/synapse-rendered.yaml
@@ -340,7 +340,7 @@ data:
 msc4222_enabled: true
 max_event_delay_duration: 24h
 password_config:
- enabled: true
+ enabled: false
 turn_uris:
 - "turn:turn.live.bstein.dev:3478?transport=udp"
 - "turn:turn.live.bstein.dev:3478?transport=tcp"
@@ -671,7 +671,7 @@ spec:
 template:
 metadata:
 annotations:
- checksum/config: manual-rtc-enable-10
+ checksum/config: manual-rtc-enable-11
 checksum/secrets: ec9f3b254a562a0f0709461eb74a8cc91b8c1a2fb06be2594a131776c2541773
 labels:
 app.kubernetes.io/name: matrix-synapse