communication: enable MAS delegated auth

2025-12-31 15:53:35 -03:00 · 2025-12-31 15:53:35 -03:00 · cb82a44e2e
commit cb82a44e2e
parent 940e0cc613
4 changed files with 87 additions and 0 deletions
--- a/services/communication/kustomization.yaml
+++ b/services/communication/kustomization.yaml
@ -7,6 +7,7 @@ resources:
  - synapse-rendered.yaml
  - mas-configmap.yaml
  - mas-deployment.yaml
+  - mas-ingress.yaml
  - element-rendered.yaml
  - livekit-config.yaml
  - livekit.yaml
--- a/services/communication/mas-ingress.yaml
+++ b/services/communication/mas-ingress.yaml
@ -0,0 +1,68 @@
+# services/communication/mas-ingress.yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: matrix-authentication-service
+  namespace: communication
+  annotations:
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    cert-manager.io/cluster-issuer: letsencrypt
+spec:
+  tls:
+    - hosts:
+        - matrix.live.bstein.dev
+      secretName: matrix-live-tls
+  rules:
+    - host: matrix.live.bstein.dev
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: matrix-authentication-service
+                port:
+                  number: 8080
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: matrix-authentication-service-compat
+  namespace: communication
+  annotations:
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    cert-manager.io/cluster-issuer: letsencrypt
+spec:
+  tls:
+    - hosts:
+        - matrix.live.bstein.dev
+      secretName: matrix-live-tls
+  rules:
+    - host: matrix.live.bstein.dev
+      http:
+        paths:
+          - path: /_matrix/client/v3/login
+            pathType: Exact
+            backend:
+              service:
+                name: matrix-authentication-service
+                port:
+                  number: 8080
+          - path: /_matrix/client/v3/logout
+            pathType: Exact
+            backend:
+              service:
+                name: matrix-authentication-service
+                port:
+                  number: 8080
+          - path: /_matrix/client/v3/refresh
+            pathType: Exact
+            backend:
+              service:
+                name: matrix-authentication-service
+                port:
+                  number: 8080
--- a/services/communication/synapse-rendered.yaml
+++ b/services/communication/synapse-rendered.yaml
@ -394,6 +394,11 @@ data:
          display_name_template: '{{ user.name }}'
          localpart_template: '{{ user.preferred_username }}'
      userinfo_endpoint: https://sso.bstein.dev/realms/atlas/protocol/openid-connect/userinfo
+
+    matrix_authentication_service:
+      enabled: true
+      endpoint: http://matrix-authentication-service:8080/
+      secret: "@@MAS_SHARED_SECRET@@"
 ---
 # Source: matrix-synapse/templates/pvc.yaml
 kind: PersistentVolumeClaim
@ -711,6 +716,7 @@ spec:
              export REDIS_PASSWORD=$(echo "${REDIS_PASSWORD:-}" | sed 's/\//\\\//g' | sed 's/\&/\\\&/g') && \
              export OIDC_CLIENT_SECRET_ESCAPED=$(echo "${OIDC_CLIENT_SECRET:-}" | sed 's/[\\/&]/\\&/g') && \
              export TURN_SECRET_ESCAPED=$(echo "${TURN_SECRET:-}" | sed 's/[\\/&]/\\&/g') && \
+              export MAS_SHARED_SECRET_ESCAPED=$(echo "${MAS_SHARED_SECRET:-}" | sed 's/[\\/&]/\\&/g') && \
              cat /synapse/secrets/*.yaml | \
                sed -e "s/@@POSTGRES_PASSWORD@@/${POSTGRES_PASSWORD:-}/" \
                    -e "s/@@REDIS_PASSWORD@@/${REDIS_PASSWORD:-}/" \
@ -722,6 +728,9 @@ spec:
              fi; \
              if [ -n "${TURN_SECRET_ESCAPED}" ]; then \
                sed -i "s/@@TURN_SECRET@@/${TURN_SECRET_ESCAPED}/g" /synapse/runtime-config/homeserver.yaml; \
+              fi; \
+              if [ -n "${MAS_SHARED_SECRET_ESCAPED}" ]; then \
+                sed -i "s/@@MAS_SHARED_SECRET@@/${MAS_SHARED_SECRET_ESCAPED}/g" /synapse/runtime-config/homeserver.yaml; \
              fi
              exec python -B -m synapse.app.homeserver \
                          -c /synapse/runtime-config/homeserver.yaml \
@ -747,6 +756,11 @@ spec:
                secretKeyRef:
                  name: turn-shared-secret
                  key: TURN_STATIC_AUTH_SECRET
+            - name: MAS_SHARED_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: mas-secrets-runtime
+                  key: matrix_shared_secret
          image: "ghcr.io/element-hq/synapse:v1.144.0"
          imagePullPolicy: IfNotPresent
          securityContext:
--- a/services/communication/wellknown.yaml
+++ b/services/communication/wellknown.yaml
@ -10,6 +10,10 @@ data:
      "m.homeserver": {
        "base_url": "https://matrix.live.bstein.dev"
      },
+      "org.matrix.msc2965.authentication": {
+        "issuer": "https://matrix.live.bstein.dev/",
+        "account": "https://matrix.live.bstein.dev/account/"
+      },
      "org.matrix.msc4143.rtc_foci": [
        {
          "type": "livekit",