bstein/titan-iac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

vault: inject comms and grafana secrets

Browse Source
This commit is contained in:
Brad Stein 2026-01-14 22:29:27 -03:00
parent 4bb6c7e212
commit c38f77302f
6 changed files with 274 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

152
services/comms/helmrelease.yaml
View File

@ -30,6 +30,10 @@ spec:
config:
publicBaseurl: https://matrix.live.bstein.dev
serviceAccount:
create: false
name: comms-vault
externalPostgresql:
host: postgres-service.postgres.svc.cluster.local
port: 5432
@ -71,22 +75,32 @@ spec:
limits:
cpu: "2"
memory: 3Gi
extraEnv:
- name: TURN_SECRET
valueFrom:
secretKeyRef:
name: turn-shared-secret
key: TURN_STATIC_AUTH_SECRET
- name: MAS_SHARED_SECRET
valueFrom:
secretKeyRef:
name: mas-secrets-runtime
key: matrix_shared_secret
- name: MACAROON_SECRET_KEY
valueFrom:
secretKeyRef:
name: synapse-macaroon
key: macaroon_secret_key
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/role: "comms"
vault.hashicorp.com/agent-inject-secret-synapse-env.sh: "kv/data/atlas/comms/synapse-db"
vault.hashicorp.com/agent-inject-template-synapse-env.sh: |
{{ with secret "kv/data/atlas/comms/synapse-db" }}
export POSTGRES_PASSWORD="{{ .Data.data.POSTGRES_PASSWORD }}"
{{ end }}
{{ with secret "kv/data/atlas/comms/synapse-redis" }}
export REDIS_PASSWORD="{{ .Data.data.redis-password }}"
{{ end }}
{{ with secret "kv/data/atlas/comms/turn-shared-secret" }}
export TURN_SECRET="{{ .Data.data.TURN_STATIC_AUTH_SECRET }}"
{{ end }}
{{ with secret "kv/data/atlas/comms/mas-secrets-runtime" }}
export MAS_SHARED_SECRET="{{ .Data.data.matrix_shared_secret }}"
{{ end }}
{{ with secret "kv/data/atlas/comms/synapse-macaroon" }}
export MACAROON_SECRET_KEY="{{ .Data.data.macaroon_secret_key }}"
{{ end }}
vault.hashicorp.com/agent-inject-secret-synapse-signingkey: "kv/data/atlas/comms/othrys-synapse-signingkey"
vault.hashicorp.com/agent-inject-template-synapse-signingkey: |
{{ with secret "kv/data/atlas/comms/othrys-synapse-signingkey" }}
{{ index .Data.data "signing.key" }}
{{ end }}
extraEnv: []
extraCommands:
- >-
esc() { printf "%s" "$1" | sed "s/'/''/g"; };
@ -185,6 +199,112 @@ spec:
enabled: false
existingSecret: othrys-synapse-signingkey
existingSecretKey: signing.key
postRenderers:
- kustomize:
patches:
- target:
kind: Deployment
name: othrys-synapse-matrix-synapse
patch: |-
apiVersion: apps/v1
kind: Deployment
metadata:
name: othrys-synapse-matrix-synapse
spec:
template:
spec:
serviceAccountName: comms-vault
automountServiceAccountToken: true
containers:
- name: matrix-synapse
command:
- /entrypoint.sh
args:
- sh
- -c
- |-
export POSTGRES_PASSWORD=$(echo "${POSTGRES_PASSWORD:-}" | sed 's/\//\\\//g' | sed 's/\&/\\\&/g')
export REDIS_PASSWORD=$(echo "${REDIS_PASSWORD:-}" | sed 's/\//\\\//g' | sed 's/\&/\\\&/g')
cat /synapse/secrets/*.yaml | \
sed -e "s/@@POSTGRES_PASSWORD@@/${POSTGRES_PASSWORD:-}/" \
-e "s/@@REDIS_PASSWORD@@/${REDIS_PASSWORD:-}/" \
> /synapse/config/conf.d/secrets.yaml
esc() { printf "%s" "$1" | sed "s/'/''/g"; };
printf '%s\n' \
"matrix_authentication_service:" \
" enabled: true" \
" endpoint: http://matrix-authentication-service:8080/" \
" secret: '$(esc "${MAS_SHARED_SECRET:-}")'" \
"turn_shared_secret: '$(esc "${TURN_SECRET:-}")'" \
"macaroon_secret_key: '$(esc "${MACAROON_SECRET_KEY:-}")'" \
> /synapse/config/conf.d/runtime-secrets.yaml
exec python -B -m synapse.app.homeserver \
-c /synapse/config/homeserver.yaml \
-c /synapse/config/conf.d/
env:
- $patch: replace
- name: VAULT_ENV_FILE
value: /vault/secrets/synapse-env.sh
- name: VAULT_COPY_FILES
value: /vault/secrets/synapse-signingkey:/synapse/keys/signing.key
volumeMounts:
- name: comms-vault-entrypoint
mountPath: /entrypoint.sh
subPath: vault-entrypoint.sh
volumes:
- name: comms-vault-entrypoint
configMap:
name: comms-vault-entrypoint
defaultMode: 493
- name: signingkey
$patch: delete
- name: signingkey
emptyDir: {}
- target:
kind: Deployment
name: othrys-synapse-redis-master
patch: |-
apiVersion: apps/v1
kind: Deployment
metadata:
name: othrys-synapse-redis-master
spec:
template:
metadata:
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/role: "comms"
vault.hashicorp.com/agent-inject-secret-redis-env.sh: "kv/data/atlas/comms/synapse-redis"
vault.hashicorp.com/agent-inject-template-redis-env.sh: |
{{ with secret "kv/data/atlas/comms/synapse-redis" }}
export REDIS_PASSWORD="{{ .Data.data.redis-password }}"
{{ end }}
spec:
serviceAccountName: comms-vault
automountServiceAccountToken: true
containers:
- name: redis
command:
- /entrypoint.sh
args:
- /bin/bash
- -c
- /opt/bitnami/scripts/start-scripts/start-master.sh
env:
- $patch: replace
- name: VAULT_ENV_FILE
value: /vault/secrets/redis-env.sh
volumeMounts:
- name: comms-vault-entrypoint
mountPath: /entrypoint.sh
subPath: vault-entrypoint.sh
volumes:
- name: comms-vault-entrypoint
configMap:
name: comms-vault-entrypoint
defaultMode: 493
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease

5
services/comms/kustomization.yaml
View File

@ -48,6 +48,11 @@ configMapGenerator:
- comms_vault_env.sh=scripts/comms_vault_env.sh
options:
disableNameSuffixHash: true
- name: comms-vault-entrypoint
files:
- scripts/vault-entrypoint.sh
options:
disableNameSuffixHash: true
- name: matrix-guest-register
files:
- server.py=scripts/guest-register/server.py

34
services/comms/scripts/vault-entrypoint.sh Normal file
View File

@ -0,0 +1,34 @@
#!/bin/sh
set -eu
if [ -n "${VAULT_ENV_FILE:-}" ]; then
if [ -f "${VAULT_ENV_FILE}" ]; then
# shellcheck disable=SC1090
. "${VAULT_ENV_FILE}"
else
echo "Vault env file not found: ${VAULT_ENV_FILE}" >&2
exit 1
fi
fi
if [ -n "${VAULT_COPY_FILES:-}" ]; then
old_ifs="$IFS"
IFS=','
for pair in ${VAULT_COPY_FILES}; do
src="${pair%%:*}"
dest="${pair#*:}"
if [ -z "${src}" ] || [ -z "${dest}" ]; then
echo "Vault copy entry malformed: ${pair}" >&2
exit 1
fi
if [ ! -f "${src}" ]; then
echo "Vault file not found: ${src}" >&2
exit 1
fi
mkdir -p "$(dirname "${dest}")"
cp "${src}" "${dest}"
done
IFS="$old_ifs"
fi
exec "$@"

68
services/monitoring/helmrelease.yaml
View File

@ -259,6 +259,23 @@ spec:
existingSecret: grafana-admin
userKey: admin-user
passwordKey: admin-password
serviceAccount:
create: false
name: monitoring-vault-sync
automountServiceAccountToken: true
podAnnotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/role: "monitoring"
vault.hashicorp.com/agent-inject-secret-grafana-env.sh: "kv/data/atlas/monitoring/grafana-admin"
vault.hashicorp.com/agent-inject-template-grafana-env.sh: |
{{ with secret "kv/data/atlas/monitoring/grafana-admin" }}
export GF_SECURITY_ADMIN_USER="{{ .Data.data.admin-user }}"
export GF_SECURITY_ADMIN_PASSWORD="{{ .Data.data.admin-password }}"
{{ end }}
{{ with secret "kv/data/atlas/shared/postmark-relay" }}
export GF_SMTP_USER="{{ .Data.data.relay-username }}"
export GF_SMTP_PASSWORD="{{ .Data.data.relay-password }}"
{{ end }}
persistence:
enabled: true
size: 20Gi
@ -300,15 +317,6 @@ spec:
hide_version: true
users:
default_theme: dark
envValueFrom:
GF_SMTP_USER:
secretKeyRef:
name: grafana-smtp
key: username
GF_SMTP_PASSWORD:
secretKeyRef:
name: grafana-smtp
key: password
ingress:
enabled: true
ingressClassName: traefik
@ -429,6 +437,48 @@ spec:
mountPath: /etc/grafana/provisioning/alerting
configMap: grafana-alerting
readOnly: true
postRenderers:
- kustomize:
patches:
- target:
kind: Deployment
name: grafana
patch: |-
apiVersion: apps/v1
kind: Deployment
metadata:
name: grafana
spec:
template:
spec:
serviceAccountName: monitoring-vault-sync
automountServiceAccountToken: true
containers:
- name: grafana
command:
- /entrypoint.sh
args:
- /run.sh
env:
- name: GF_SECURITY_ADMIN_USER
$patch: delete
- name: GF_SECURITY_ADMIN_PASSWORD
$patch: delete
- name: GF_SMTP_USER
$patch: delete
- name: GF_SMTP_PASSWORD
$patch: delete
- name: VAULT_ENV_FILE
value: /vault/secrets/grafana-env.sh
volumeMounts:
- name: monitoring-vault-entrypoint
mountPath: /entrypoint.sh
subPath: vault-entrypoint.sh
volumes:
- name: monitoring-vault-entrypoint
configMap:
name: monitoring-vault-entrypoint
defaultMode: 493
---

6
services/monitoring/kustomization.yaml
View File

@ -37,3 +37,9 @@ configMapGenerator:
- exporter.py=scripts/jetson_tegrastats_exporter.py
options:
disableNameSuffixHash: true
- name: monitoring-vault-entrypoint
namespace: monitoring
files:
- scripts/vault-entrypoint.sh
options:
disableNameSuffixHash: true

34
services/monitoring/scripts/vault-entrypoint.sh Normal file
View File

@ -0,0 +1,34 @@
#!/bin/sh
set -eu
if [ -n "${VAULT_ENV_FILE:-}" ]; then
if [ -f "${VAULT_ENV_FILE}" ]; then
# shellcheck disable=SC1090
. "${VAULT_ENV_FILE}"
else
echo "Vault env file not found: ${VAULT_ENV_FILE}" >&2
exit 1
fi
fi
if [ -n "${VAULT_COPY_FILES:-}" ]; then
old_ifs="$IFS"
IFS=','
for pair in ${VAULT_COPY_FILES}; do
src="${pair%%:*}"
dest="${pair#*:}"
if [ -z "${src}" ] || [ -z "${dest}" ]; then
echo "Vault copy entry malformed: ${pair}" >&2
exit 1
fi
if [ ! -f "${src}" ]; then
echo "Vault file not found: ${src}" >&2
exit 1
fi
mkdir -p "$(dirname "${dest}")"
cp "${src}" "${dest}"
done
IFS="$old_ifs"
fi
exec "$@"