bstein/titan-iac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

communication: wire MAS secrets via init render

Browse Source
This commit is contained in:
Brad Stein 2025-12-31 15:49:21 -03:00
parent 45f62bc331
commit 940e0cc613
2 changed files with 23 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
services/communication/mas-configmap.yaml
View File

@ -14,7 +14,9 @@ data:
secrets: secrets:
encryption_file: /etc/mas/secrets/encryption encryption_file: /etc/mas/secrets/encryption
keys_dir: /etc/mas/keys keys:
- kid: "othrys-rsa-1"
key_file: /etc/mas/keys/rsa_key
passwords: passwords:
enabled: true enabled: true
@ -23,7 +25,7 @@ data:
kind: synapse kind: synapse
homeserver: live.bstein.dev homeserver: live.bstein.dev
endpoint: "http://othrys-synapse-matrix-synapse:8008/" endpoint: "http://othrys-synapse-matrix-synapse:8008/"
secret_file: /etc/mas/secrets/matrix_shared_secret secret: "@@MATRIX_SHARED_SECRET@@"
upstream_oauth2: upstream_oauth2:
providers: providers:
@ -33,7 +35,7 @@ data:
human_name: "Keycloak" human_name: "Keycloak"
brand_name: "keycloak" brand_name: "keycloak"
client_id: "othrys-mas" client_id: "othrys-mas"
client_secret_file: /etc/mas/secrets/keycloak_client_secret client_secret: "@@KEYCLOAK_CLIENT_SECRET@@"
token_endpoint_auth_method: client_secret_post token_endpoint_auth_method: client_secret_post
scope: "openid profile email" scope: "openid profile email"
claims_imports: claims_imports:

19
services/communication/mas-deployment.yaml
View File

@ -37,7 +37,14 @@ spec:
set -euo pipefail set -euo pipefail
umask 077 umask 077
DB_PASS_ESCAPED="$(printf '%s' "${MAS_DB_PASSWORD}" | sed 's/[\\/&]/\\&/g')" DB_PASS_ESCAPED="$(printf '%s' "${MAS_DB_PASSWORD}" | sed 's/[\\/&]/\\&/g')"
sed "s/@@MAS_DB_PASSWORD@@/${DB_PASS_ESCAPED}/g" /etc/mas/config.yaml > /rendered/config.yaml MATRIX_SECRET_ESCAPED="$(printf '%s' "${MATRIX_SHARED_SECRET}" | sed 's/[\\/&]/\\&/g')"
KC_SECRET_ESCAPED="$(printf '%s' "${KEYCLOAK_CLIENT_SECRET}" | sed 's/[\\/&]/\\&/g')"
sed \
-e "s/@@MAS_DB_PASSWORD@@/${DB_PASS_ESCAPED}/g" \
-e "s/@@MATRIX_SHARED_SECRET@@/${MATRIX_SECRET_ESCAPED}/g" \
-e "s/@@KEYCLOAK_CLIENT_SECRET@@/${KC_SECRET_ESCAPED}/g" \
/etc/mas/config.yaml > /rendered/config.yaml
chmod 0644 /rendered/config.yaml chmod 0644 /rendered/config.yaml
env: env:
- name: MAS_DB_PASSWORD - name: MAS_DB_PASSWORD
@ -45,6 +52,16 @@ spec:
secretKeyRef: secretKeyRef:
name: mas-db name: mas-db
key: password key: password
- name: MATRIX_SHARED_SECRET
valueFrom:
secretKeyRef:
name: mas-secrets-runtime
key: matrix_shared_secret
- name: KEYCLOAK_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: mas-secrets-runtime
key: keycloak_client_secret
volumeMounts: volumeMounts:
- name: config - name: config
mountPath: /etc/mas/config.yaml mountPath: /etc/mas/config.yaml