diff --git a/services/communication/kustomization.yaml b/services/communication/kustomization.yaml
index 39d5890..266f19c 100644
--- a/services/communication/kustomization.yaml
+++ b/services/communication/kustomization.yaml
@@ -8,6 +8,7 @@ resources:
 - mas-configmap.yaml
 - mas-deployment.yaml
 - mas-ingress.yaml
+ - mas-syn2mas-check-job.yaml
 - element-rendered.yaml
 - livekit-config.yaml
 - livekit.yaml
diff --git a/services/communication/mas-syn2mas-check-job.yaml b/services/communication/mas-syn2mas-check-job.yaml
new file mode 100644
index 0000000..829a979
--- /dev/null
+++ b/services/communication/mas-syn2mas-check-job.yaml
@@ -0,0 +1,118 @@
+# services/communication/mas-syn2mas-check-job.yaml
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: mas-syn2mas-check
+ namespace: communication
+spec:
+ backoffLimit: 0
+ template:
+ metadata:
+ labels:
+ app: mas-syn2mas-check
+ spec:
+ enableServiceLinks: false
+ restartPolicy: Never
+ nodeSelector:
+ hardware: rpi5
+ affinity:
+ nodeAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 50
+ preference:
+ matchExpressions:
+ - key: hardware
+ operator: In
+ values: ["rpi5","rpi4"]
+ initContainers:
+ - name: render-mas-config
+ image: alpine:3.20
+ command: ["/bin/sh","-c"]
+ args:
+ - |
+ set -euo pipefail
+ umask 077
+ DB_PASS_ESCAPED="$(printf '%s' "${MAS_DB_PASSWORD}" | sed 's/[\\/&]/\\&/g')"
+ MATRIX_SECRET_ESCAPED="$(printf '%s' "${MATRIX_SHARED_SECRET}" | sed 's/[\\/&]/\\&/g')"
+ KC_SECRET_ESCAPED="$(printf '%s' "${KEYCLOAK_CLIENT_SECRET}" | sed 's/[\\/&]/\\&/g')"
+
+ sed \
+ -e "s/@@MAS_DB_PASSWORD@@/${DB_PASS_ESCAPED}/g" \
+ -e "s/@@MATRIX_SHARED_SECRET@@/${MATRIX_SECRET_ESCAPED}/g" \
+ -e "s/@@KEYCLOAK_CLIENT_SECRET@@/${KC_SECRET_ESCAPED}/g" \
+ /etc/mas/config.yaml > /rendered/config.yaml
+ chmod 0644 /rendered/config.yaml
+ env:
+ - name: MAS_DB_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: mas-db
+ key: password
+ - name: MATRIX_SHARED_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: mas-secrets-runtime
+ key: matrix_shared_secret
+ - name: KEYCLOAK_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: mas-secrets-runtime
+ key: keycloak_client_secret
+ volumeMounts:
+ - name: mas-config
+ mountPath: /etc/mas/config.yaml
+ subPath: config.yaml
+ readOnly: true
+ - name: rendered
+ mountPath: /rendered
+ readOnly: false
+ containers:
+ - name: syn2mas-check
+ image: ghcr.io/element-hq/matrix-authentication-service:1.8.0
+ args:
+ - syn2mas
+ - check
+ - --config
+ - /rendered/config.yaml
+ - --synapse-config
+ - /synapse-config/homeserver.yaml
+ - --synapse-database-uri
+ - postgresql:
+ env:
+ - name: PGHOST
+ value: postgres-service.postgres.svc.cluster.local
+ - name: PGPORT
+ value: "5432"
+ - name: PGDATABASE
+ value: synapse
+ - name: PGUSER
+ value: synapse
+ - name: PGPASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: synapse-db
+ key: POSTGRES_PASSWORD
+ - name: PGSSLMODE
+ value: prefer
+ volumeMounts:
+ - name: rendered
+ mountPath: /rendered
+ readOnly: true
+ - name: synapse-config
+ mountPath: /synapse-config
+ readOnly: true
+ volumes:
+ - name: mas-config
+ configMap:
+ name: matrix-authentication-service-config
+ items:
+ - key: config.yaml
+ path: config.yaml
+ - name: rendered
+ emptyDir: {}
+ - name: synapse-config
+ configMap:
+ name: othrys-synapse-matrix-synapse
+ items:
+ - key: homeserver.yaml
+ path: homeserver.yaml
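Review bot: In the syn2mas-check container's `args`, the bare `- postgresql:` item is parsed by YAML as a one-key mapping (`{postgresql: null}`) rather than the string `postgresql:`, so the API server will most likely reject the Job (container args must be strings) and the URI that is meant to defer to the PG* env vars is never passed; quote it as `- "postgresql:"`. The render-mas-config init container writes three secrets into `/rendered/config.yaml` and then widens it with `chmod 0644` right after `umask 077`; if the main container can run as the same UID or with a pod `fsGroup`, `chmod 0440` keeps the tightened intent while the emptyDir stays pod-scoped. `PGSSLMODE: prefer` lets libpq fall back silently to a cleartext connection to `postgres-service.postgres.svc.cluster.local` carrying the Synapse DB password; `require` (or `verify-full` where the server certificate can be verified) is the safer setting for an in-cluster check job. The `alpine:3.20` init image is a mutable tag next to a version-pinned MAS image; pinning it by digest would make the rendering step reproducible.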