bstein/titan-iac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

comms: move synapse secrets to vault

Browse Source
This commit is contained in:
Brad Stein 2026-01-15 00:35:41 -03:00
parent 139ca78c3d
commit 7f96daa7b8
2 changed files with 9 additions and 117 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
services/comms/helmrelease.yaml
View File

@ -29,6 +29,7 @@ spec:
config: config:
publicBaseurl: https://matrix.live.bstein.dev publicBaseurl: https://matrix.live.bstein.dev
registrationSharedSecret: "vault-managed"
serviceAccount: serviceAccount:
create: false create: false
@ -38,15 +39,15 @@ spec:
host: postgres-service.postgres.svc.cluster.local host: postgres-service.postgres.svc.cluster.local
port: 5432 port: 5432
username: synapse username: synapse
existingSecret: synapse-db existingSecret: vault-placeholder
existingSecretPasswordKey: POSTGRES_PASSWORD existingSecretPasswordKey: postgres-password
database: synapse database: synapse
redis: redis:
enabled: true enabled: true
auth: auth:
enabled: true enabled: true
existingSecret: synapse-redis existingSecret: vault-placeholder
existingSecretPasswordKey: redis-password existingSecretPasswordKey: redis-password
postgresql: postgresql:
@ -92,6 +93,9 @@ spec:
{{ with secret "kv/data/atlas/comms/mas-secrets-runtime" }} {{ with secret "kv/data/atlas/comms/mas-secrets-runtime" }}
export MAS_SHARED_SECRET="{{ .Data.data.matrix_shared_secret }}" export MAS_SHARED_SECRET="{{ .Data.data.matrix_shared_secret }}"
{{ end }} {{ end }}
{{ with secret "kv/data/atlas/comms/synapse-registration" }}
export REGISTRATION_SHARED_SECRET="{{ .Data.data.registration_shared_secret }}"
{{ end }}
{{ with secret "kv/data/atlas/comms/synapse-macaroon" }} {{ with secret "kv/data/atlas/comms/synapse-macaroon" }}
export MACAROON_SECRET_KEY="{{ .Data.data.macaroon_secret_key }}" export MACAROON_SECRET_KEY="{{ .Data.data.macaroon_secret_key }}"
{{ end }} {{ end }}
@ -109,6 +113,7 @@ spec:
" enabled: true" " enabled: true"
" endpoint: http://matrix-authentication-service:8080/" " endpoint: http://matrix-authentication-service:8080/"
" secret: '$(esc "${MAS_SHARED_SECRET:-}")'" " secret: '$(esc "${MAS_SHARED_SECRET:-}")'"
"registration_shared_secret: '$(esc "${REGISTRATION_SHARED_SECRET:-}")'"
"turn_shared_secret: '$(esc "${TURN_SECRET:-}")'" "turn_shared_secret: '$(esc "${TURN_SECRET:-}")'"
"macaroon_secret_key: '$(esc "${MACAROON_SECRET_KEY:-}")'" "macaroon_secret_key: '$(esc "${MACAROON_SECRET_KEY:-}")'"
> /synapse/config/conf.d/runtime-secrets.yaml > /synapse/config/conf.d/runtime-secrets.yaml
@ -197,7 +202,7 @@ spec:
signingkey: signingkey:
job: job:
enabled: false enabled: false
existingSecret: othrys-synapse-signingkey existingSecret: vault-placeholder
existingSecretKey: signing.key existingSecretKey: signing.key
postRenderers: postRenderers:
- kustomize: - kustomize:

113
services/comms/secretproviderclass.yaml
View File

@ -10,123 +10,10 @@ spec:
vaultAddress: "http://vault.vault.svc.cluster.local:8200" vaultAddress: "http://vault.vault.svc.cluster.local:8200"
roleName: "comms" roleName: "comms"
objects: | objects: |
- objectName: "turn-secret"
secretPath: "kv/data/atlas/comms/turn-shared-secret"
secretKey: "TURN_STATIC_AUTH_SECRET"
- objectName: "synapse-db-pass"
secretPath: "kv/data/atlas/comms/synapse-db"
secretKey: "POSTGRES_PASSWORD"
- objectName: "synapse-redis__redis-password"
secretPath: "kv/data/atlas/comms/synapse-redis"
secretKey: "redis-password"
- objectName: "synapse-macaroon__macaroon_secret_key"
secretPath: "kv/data/atlas/comms/synapse-macaroon"
secretKey: "macaroon_secret_key"
- objectName: "bot-pass"
secretPath: "kv/data/atlas/comms/atlasbot-credentials-runtime"
secretKey: "bot-password"
- objectName: "seeder-pass"
secretPath: "kv/data/atlas/comms/atlasbot-credentials-runtime"
secretKey: "seeder-password"
- objectName: "chat-matrix"
secretPath: "kv/data/atlas/shared/chat-ai-keys-runtime"
secretKey: "matrix"
- objectName: "chat-homepage"
secretPath: "kv/data/atlas/shared/chat-ai-keys-runtime"
secretKey: "homepage"
- objectName: "mas-admin-secret"
secretPath: "kv/data/atlas/comms/mas-admin-client-runtime"
secretKey: "client_secret"
- objectName: "mas-db-pass"
secretPath: "kv/data/atlas/comms/mas-db"
secretKey: "password"
- objectName: "mas-encryption"
secretPath: "kv/data/atlas/comms/mas-secrets-runtime"
secretKey: "encryption"
- objectName: "mas-matrix-shared"
secretPath: "kv/data/atlas/comms/mas-secrets-runtime"
secretKey: "matrix_shared_secret"
- objectName: "mas-kc-secret"
secretPath: "kv/data/atlas/comms/mas-secrets-runtime"
secretKey: "keycloak_client_secret"
- objectName: "mas-rsa-key"
secretPath: "kv/data/atlas/comms/mas-secrets-runtime"
secretKey: "rsa_key"
- objectName: "othrys-synapse-signingkey__signing.key"
secretPath: "kv/data/atlas/comms/othrys-synapse-signingkey"
secretKey: "signing.key"
- objectName: "synapse-oidc__client-secret"
secretPath: "kv/data/atlas/comms/synapse-oidc"
secretKey: "client-secret"
- objectName: "harbor-pull__dockerconfigjson" - objectName: "harbor-pull__dockerconfigjson"
secretPath: "kv/data/atlas/harbor-pull/comms" secretPath: "kv/data/atlas/harbor-pull/comms"
secretKey: "dockerconfigjson" secretKey: "dockerconfigjson"
secretObjects: secretObjects:
- secretName: turn-shared-secret
type: Opaque
data:
- objectName: turn-secret
key: TURN_STATIC_AUTH_SECRET
- secretName: synapse-db
type: Opaque
data:
- objectName: synapse-db-pass
key: POSTGRES_PASSWORD
- secretName: synapse-redis
type: Opaque
data:
- objectName: synapse-redis__redis-password
key: redis-password
- secretName: synapse-macaroon
type: Opaque
data:
- objectName: synapse-macaroon__macaroon_secret_key
key: macaroon_secret_key
- secretName: atlasbot-credentials-runtime
type: Opaque
data:
- objectName: bot-pass
key: bot-password
- objectName: seeder-pass
key: seeder-password
- secretName: chat-ai-keys-runtime
type: Opaque
data:
- objectName: chat-matrix
key: matrix
- objectName: chat-homepage
key: homepage
- secretName: mas-admin-client-runtime
type: Opaque
data:
- objectName: mas-admin-secret
key: client_secret
- secretName: mas-db
type: Opaque
data:
- objectName: mas-db-pass
key: password
- secretName: mas-secrets-runtime
type: Opaque
data:
- objectName: mas-encryption
key: encryption
- objectName: mas-matrix-shared
key: matrix_shared_secret
- objectName: mas-kc-secret
key: keycloak_client_secret
- objectName: mas-rsa-key
key: rsa_key
- secretName: othrys-synapse-signingkey
type: Opaque
data:
- objectName: othrys-synapse-signingkey__signing.key
key: signing.key
- secretName: synapse-oidc
type: Opaque
data:
- objectName: synapse-oidc__client-secret
key: client-secret
- secretName: harbor-regcred - secretName: harbor-regcred
type: kubernetes.io/dockerconfigjson type: kubernetes.io/dockerconfigjson
data: data: