comms: fix synapse runtime config injection

2026-01-13 20:59:35 -03:00 · 2026-01-13 20:59:35 -03:00 · b710f45e5c
commit b710f45e5c
parent e6a3ae5f7b
1 changed files with 26 additions and 26 deletions
--- a/services/comms/helmrelease.yaml
+++ b/services/comms/helmrelease.yaml
@ -93,32 +93,32 @@ spec:
              name: synapse-macaroon
              key: macaroon_secret_key
      extraCommands:
-        - |
-          yaml_quote() { printf "%s" "$1" | sed "s/'/''/g"; }
-          cat > /synapse/config/conf.d/runtime-secrets.yaml <<EOF
-          oidc_providers:
-            - idp_id: keycloak
-              idp_name: Keycloak
-              issuer: https://sso.bstein.dev/realms/atlas
-              client_id: synapse
-              client_secret: '$(yaml_quote "${OIDC_CLIENT_SECRET:-}")'
-              client_auth_method: client_secret_post
-              scopes: ["openid", "profile", "email"]
-              authorization_endpoint: https://sso.bstein.dev/realms/atlas/protocol/openid-connect/auth
-              token_endpoint: https://sso.bstein.dev/realms/atlas/protocol/openid-connect/token
-              userinfo_endpoint: https://sso.bstein.dev/realms/atlas/protocol/openid-connect/userinfo
-              user_mapping_provider:
-                config:
-                  localpart_template: "{{ user.preferred_username }}"
-                  display_name_template: "{{ user.name }}"
-              allow_existing_users: true
-          matrix_authentication_service:
-            enabled: true
-            endpoint: http://matrix-authentication-service:8080/
-            secret: '$(yaml_quote "${MAS_SHARED_SECRET:-}")'
-          turn_shared_secret: '$(yaml_quote "${TURN_SECRET:-}")'
-          macaroon_secret_key: '$(yaml_quote "${MACAROON_SECRET_KEY:-}")'
-          EOF
+        - >-
+          esc() { printf "%s" "$1" | sed "s/'/''/g"; };
+          printf '%s\n'
+          "oidc_providers:"
+          "  - idp_id: keycloak"
+          "    idp_name: Keycloak"
+          "    issuer: https://sso.bstein.dev/realms/atlas"
+          "    client_id: synapse"
+          "    client_secret: '$(esc "${OIDC_CLIENT_SECRET:-}")'"
+          "    client_auth_method: client_secret_post"
+          "    scopes: [\"openid\", \"profile\", \"email\"]"
+          "    authorization_endpoint: https://sso.bstein.dev/realms/atlas/protocol/openid-connect/auth"
+          "    token_endpoint: https://sso.bstein.dev/realms/atlas/protocol/openid-connect/token"
+          "    userinfo_endpoint: https://sso.bstein.dev/realms/atlas/protocol/openid-connect/userinfo"
+          "    user_mapping_provider:"
+          "      config:"
+          "        localpart_template: \"{{ user.preferred_username }}\""
+          "        display_name_template: \"{{ user.name }}\""
+          "    allow_existing_users: true"
+          "matrix_authentication_service:"
+          "  enabled: true"
+          "  endpoint: http://matrix-authentication-service:8080/"
+          "  secret: '$(esc "${MAS_SHARED_SECRET:-}")'"
+          "turn_shared_secret: '$(esc "${TURN_SECRET:-}")'"
+          "macaroon_secret_key: '$(esc "${MACAROON_SECRET_KEY:-}")'"
+          > /synapse/config/conf.d/runtime-secrets.yaml
      nodeSelector:
        hardware: rpi5
      affinity: