From 7f96daa7b825a78ae9510ca89678ed8c6eeba5c3 Mon Sep 17 00:00:00 2001 From: Brad Stein Date: Thu, 15 Jan 2026 00:35:41 -0300 Subject: [PATCH] comms: move synapse secrets to vault --- services/comms/helmrelease.yaml | 13 ++- services/comms/secretproviderclass.yaml | 113 ------------------------ 2 files changed, 9 insertions(+), 117 deletions(-) diff --git a/services/comms/helmrelease.yaml b/services/comms/helmrelease.yaml index 7c91e04..139ad25 100644 --- a/services/comms/helmrelease.yaml +++ b/services/comms/helmrelease.yaml @@ -29,6 +29,7 @@ spec: config: publicBaseurl: https://matrix.live.bstein.dev + registrationSharedSecret: "vault-managed" serviceAccount: create: false @@ -38,15 +39,15 @@ spec: host: postgres-service.postgres.svc.cluster.local port: 5432 username: synapse - existingSecret: synapse-db - existingSecretPasswordKey: POSTGRES_PASSWORD + existingSecret: vault-placeholder + existingSecretPasswordKey: postgres-password database: synapse redis: enabled: true auth: enabled: true - existingSecret: synapse-redis + existingSecret: vault-placeholder existingSecretPasswordKey: redis-password postgresql: @@ -92,6 +93,9 @@ spec: {{ with secret "kv/data/atlas/comms/mas-secrets-runtime" }} export MAS_SHARED_SECRET="{{ .Data.data.matrix_shared_secret }}" {{ end }} + {{ with secret "kv/data/atlas/comms/synapse-registration" }} + export REGISTRATION_SHARED_SECRET="{{ .Data.data.registration_shared_secret }}" + {{ end }} {{ with secret "kv/data/atlas/comms/synapse-macaroon" }} export MACAROON_SECRET_KEY="{{ .Data.data.macaroon_secret_key }}" {{ end }} @@ -109,6 +113,7 @@ spec: " enabled: true" " endpoint: http://matrix-authentication-service:8080/" " secret: '$(esc "${MAS_SHARED_SECRET:-}")'" + "registration_shared_secret: '$(esc "${REGISTRATION_SHARED_SECRET:-}")'" "turn_shared_secret: '$(esc "${TURN_SECRET:-}")'" "macaroon_secret_key: '$(esc "${MACAROON_SECRET_KEY:-}")'" > /synapse/config/conf.d/runtime-secrets.yaml 
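Review bot: `registrationSharedSecret: "vault-managed"` in the `@@ -29` hunk is a literal the chart will presumably render into the generated homeserver.yaml, so if the conf.d override written in the `@@ -109` hunk is missing or empty, a string committed to this repo becomes the active secret for the shared-secret registration endpoint. The same pattern appears as `existingSecret: vault-placeholder` for the Postgres and Redis passwords (`@@ -38` hunk) and the signing key (`@@ -197` hunk), which only works if a Secret of that name exists with `postgres-password`, `redis-password` and `signing.key` entries and none of those placeholder values is ever used in earnest; a signing key in particular is the server's federation identity, so confirm the Vault-sourced key is what actually lands on disk. If the chart allows leaving these unset, prefer omitting them over a guessable literal; otherwise document the override order with a comment such as `# placeholder only: the effective value is written to conf.d/runtime-secrets.yaml by the Vault agent template`. The new `registration_shared_secret: '$(esc "${REGISTRATION_SHARED_SECRET:-}")'` line follows the existing style, but an empty Vault read writes `registration_shared_secret: ''`, a silent misconfiguration rather than a failed render, so consider guarding on the variable before the file is written; the script producing runtime-secrets.yaml starts outside the hunk.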
@@ -197,7 +202,7 @@ spec: signingkey: job: enabled: false - existingSecret: othrys-synapse-signingkey + existingSecret: vault-placeholder existingSecretKey: signing.key postRenderers: - kustomize: diff --git a/services/comms/secretproviderclass.yaml b/services/comms/secretproviderclass.yaml index 251173c..69d4b2b 100644 --- a/services/comms/secretproviderclass.yaml +++ b/services/comms/secretproviderclass.yaml 
@@ -10,123 +10,10 @@ spec: vaultAddress: "http://vault.vault.svc.cluster.local:8200" roleName: "comms" objects: | - - objectName: "turn-secret" - secretPath: "kv/data/atlas/comms/turn-shared-secret" - secretKey: "TURN_STATIC_AUTH_SECRET" - - objectName: "synapse-db-pass" - secretPath: "kv/data/atlas/comms/synapse-db" - secretKey: "POSTGRES_PASSWORD" - - objectName: "synapse-redis__redis-password" - secretPath: "kv/data/atlas/comms/synapse-redis" - secretKey: "redis-password" - - objectName: "synapse-macaroon__macaroon_secret_key" - secretPath: "kv/data/atlas/comms/synapse-macaroon" - secretKey: "macaroon_secret_key" - - objectName: "bot-pass" - secretPath: "kv/data/atlas/comms/atlasbot-credentials-runtime" - secretKey: "bot-password" - - objectName: "seeder-pass" - secretPath: "kv/data/atlas/comms/atlasbot-credentials-runtime" - secretKey: "seeder-password" - - objectName: "chat-matrix" - secretPath: "kv/data/atlas/shared/chat-ai-keys-runtime" - secretKey: "matrix" - - objectName: "chat-homepage" - secretPath: "kv/data/atlas/shared/chat-ai-keys-runtime" - secretKey: "homepage" - - objectName: "mas-admin-secret" - secretPath: "kv/data/atlas/comms/mas-admin-client-runtime" - secretKey: "client_secret" - - objectName: "mas-db-pass" - secretPath: "kv/data/atlas/comms/mas-db" - secretKey: "password" - - objectName: "mas-encryption" - secretPath: "kv/data/atlas/comms/mas-secrets-runtime" - secretKey: "encryption" - - objectName: "mas-matrix-shared" - secretPath: "kv/data/atlas/comms/mas-secrets-runtime" - secretKey: "matrix_shared_secret" - - objectName: "mas-kc-secret" - secretPath: "kv/data/atlas/comms/mas-secrets-runtime" - secretKey: "keycloak_client_secret" - - objectName: "mas-rsa-key" - secretPath: "kv/data/atlas/comms/mas-secrets-runtime" - secretKey: "rsa_key" - - objectName: "othrys-synapse-signingkey__signing.key" - secretPath: "kv/data/atlas/comms/othrys-synapse-signingkey" - secretKey: "signing.key" - - objectName: "synapse-oidc__client-secret" - secretPath: 
"kv/data/atlas/comms/synapse-oidc" - secretKey: "client-secret" - objectName: "harbor-pull__dockerconfigjson" secretPath: "kv/data/atlas/harbor-pull/comms" secretKey: "dockerconfigjson" secretObjects: - - secretName: turn-shared-secret - type: Opaque - data: - - objectName: turn-secret - key: TURN_STATIC_AUTH_SECRET - - secretName: synapse-db - type: Opaque - data: - - objectName: synapse-db-pass - key: POSTGRES_PASSWORD - - secretName: synapse-redis - type: Opaque - data: - - objectName: synapse-redis__redis-password - key: redis-password - - secretName: synapse-macaroon - type: Opaque - data: - - objectName: synapse-macaroon__macaroon_secret_key - key: macaroon_secret_key - - secretName: atlasbot-credentials-runtime - type: Opaque - data: - - objectName: bot-pass - key: bot-password - - objectName: seeder-pass - key: seeder-password - - secretName: chat-ai-keys-runtime - type: Opaque - data: - - objectName: chat-matrix - key: matrix - - objectName: chat-homepage - key: homepage - - secretName: mas-admin-client-runtime - type: Opaque - data: - - objectName: mas-admin-secret - key: client_secret - - secretName: mas-db - type: Opaque - data: - - objectName: mas-db-pass - key: password - - secretName: mas-secrets-runtime - type: Opaque - data: - - objectName: mas-encryption - key: encryption - - objectName: mas-matrix-shared - key: matrix_shared_secret - - objectName: mas-kc-secret - key: keycloak_client_secret - - objectName: mas-rsa-key - key: rsa_key - - secretName: othrys-synapse-signingkey - type: Opaque - data: - - objectName: othrys-synapse-signingkey__signing.key - key: signing.key - - secretName: synapse-oidc - type: Opaque - data: - - objectName: synapse-oidc__client-secret - key: client-secret - secretName: harbor-regcred type: kubernetes.io/dockerconfigjson data:
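Review bot: The removed `secretObjects` entries go well beyond Synapse — `turn-shared-secret`, `atlasbot-credentials-runtime`, `chat-ai-keys-runtime`, `mas-admin-client-runtime`, `mas-db`, `mas-secrets-runtime` and `synapse-oidc` are also dropped, so any other workload in the namespace that still mounts or reads those Kubernetes Secrets by name will lose them once the CSI driver stops syncing. The commit title only mentions Synapse secrets, so confirm each of those names has no remaining consumer or is now covered by a Vault agent template. Depending on how the secrets-store driver treats objects it no longer manages, the previously synced Secrets may also linger in the namespace with their old values, so delete the orphaned Secrets explicitly and rotate anything that was stored in them. Keeping only `harbor-pull__dockerconfigjson` and `harbor-regcred` here is consistent with that intent.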