communication: wire MAS secrets via init render

2025-12-31 15:49:21 -03:00 · 2025-12-31 15:49:21 -03:00 · 940e0cc613
commit 940e0cc613
parent 45f62bc331
2 changed files with 23 additions and 4 deletions
--- a/services/communication/mas-configmap.yaml
+++ b/services/communication/mas-configmap.yaml
@ -14,7 +14,9 @@ data:

    secrets:
      encryption_file: /etc/mas/secrets/encryption
-      keys_dir: /etc/mas/keys
+      keys:
+        - kid: "othrys-rsa-1"
+          key_file: /etc/mas/keys/rsa_key

    passwords:
      enabled: true
@ -23,7 +25,7 @@ data:
      kind: synapse
      homeserver: live.bstein.dev
      endpoint: "http://othrys-synapse-matrix-synapse:8008/"
-      secret_file: /etc/mas/secrets/matrix_shared_secret
+      secret: "@@MATRIX_SHARED_SECRET@@"

    upstream_oauth2:
      providers:
@ -33,7 +35,7 @@ data:
          human_name: "Keycloak"
          brand_name: "keycloak"
          client_id: "othrys-mas"
-          client_secret_file: /etc/mas/secrets/keycloak_client_secret
+          client_secret: "@@KEYCLOAK_CLIENT_SECRET@@"
          token_endpoint_auth_method: client_secret_post
          scope: "openid profile email"
          claims_imports:
--- a/services/communication/mas-deployment.yaml
+++ b/services/communication/mas-deployment.yaml
@ -37,7 +37,14 @@ spec:
              set -euo pipefail
              umask 077
              DB_PASS_ESCAPED="$(printf '%s' "${MAS_DB_PASSWORD}" | sed 's/[\\/&]/\\&/g')"
-              sed "s/@@MAS_DB_PASSWORD@@/${DB_PASS_ESCAPED}/g" /etc/mas/config.yaml > /rendered/config.yaml
+              MATRIX_SECRET_ESCAPED="$(printf '%s' "${MATRIX_SHARED_SECRET}" | sed 's/[\\/&]/\\&/g')"
+              KC_SECRET_ESCAPED="$(printf '%s' "${KEYCLOAK_CLIENT_SECRET}" | sed 's/[\\/&]/\\&/g')"
+
+              sed \
+                -e "s/@@MAS_DB_PASSWORD@@/${DB_PASS_ESCAPED}/g" \
+                -e "s/@@MATRIX_SHARED_SECRET@@/${MATRIX_SECRET_ESCAPED}/g" \
+                -e "s/@@KEYCLOAK_CLIENT_SECRET@@/${KC_SECRET_ESCAPED}/g" \
+                /etc/mas/config.yaml > /rendered/config.yaml
              chmod 0644 /rendered/config.yaml
          env:
            - name: MAS_DB_PASSWORD
@ -45,6 +52,16 @@ spec:
                secretKeyRef:
                  name: mas-db
                  key: password
+            - name: MATRIX_SHARED_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: mas-secrets-runtime
+                  key: matrix_shared_secret
+            - name: KEYCLOAK_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: mas-secrets-runtime
+                  key: keycloak_client_secret
          volumeMounts:
            - name: config
              mountPath: /etc/mas/config.yaml