From cb82a44e2ea7d3d2178840deaf93b19b790d7e2a Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Wed, 31 Dec 2025 15:53:35 -0300
Subject: [PATCH] communication: enable MAS delegated auth
---
 services/communication/kustomization.yaml | 1 +
 services/communication/mas-ingress.yaml | 68 ++++++++++++++++++++
 services/communication/synapse-rendered.yaml | 14 ++++
 services/communication/wellknown.yaml | 4 ++
 4 files changed, 87 insertions(+)
 create mode 100644 services/communication/mas-ingress.yaml
diff --git a/services/communication/kustomization.yaml b/services/communication/kustomization.yaml
index 6b4f4a0..39d5890 100644
--- a/services/communication/kustomization.yaml
+++ b/services/communication/kustomization.yaml
@@ -7,6 +7,7 @@ resources:
 - synapse-rendered.yaml
 - mas-configmap.yaml
 - mas-deployment.yaml
+ - mas-ingress.yaml
 - element-rendered.yaml
 - livekit-config.yaml
 - livekit.yaml
diff --git a/services/communication/mas-ingress.yaml b/services/communication/mas-ingress.yaml
new file mode 100644
index 0000000..6e4ad54
--- /dev/null
+++ b/services/communication/mas-ingress.yaml
@@ -0,0 +1,68 @@
+# services/communication/mas-ingress.yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: matrix-authentication-service
+ namespace: communication
+ annotations:
+ kubernetes.io/ingress.class: traefik
+ traefik.ingress.kubernetes.io/router.entrypoints: websecure
+ traefik.ingress.kubernetes.io/router.tls: "true"
+ cert-manager.io/cluster-issuer: letsencrypt
+spec:
+ tls:
+ - hosts:
+ - matrix.live.bstein.dev
+ secretName: matrix-live-tls
+ rules:
+ - host: matrix.live.bstein.dev
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: matrix-authentication-service
+ port:
+ number: 8080
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: matrix-authentication-service-compat
+ namespace: communication
+ annotations:
+ kubernetes.io/ingress.class: traefik
+ traefik.ingress.kubernetes.io/router.entrypoints: websecure
+ traefik.ingress.kubernetes.io/router.tls: "true"
+ cert-manager.io/cluster-issuer: letsencrypt
+spec:
+ tls:
+ - hosts:
+ - matrix.live.bstein.dev
+ secretName: matrix-live-tls
+ rules:
+ - host: matrix.live.bstein.dev
+ http:
+ paths:
+ - path: /_matrix/client/v3/login
+ pathType: Exact
+ backend:
+ service:
+ name: matrix-authentication-service
+ port:
+ number: 8080
+ - path: /_matrix/client/v3/logout
+ pathType: Exact
+ backend:
+ service:
+ name: matrix-authentication-service
+ port:
+ number: 8080
+ - path: /_matrix/client/v3/refresh
+ pathType: Exact
+ backend:
+ service:
+ name: matrix-authentication-service
+ port:
+ number: 8080
diff --git a/services/communication/synapse-rendered.yaml b/services/communication/synapse-rendered.yaml
index 3d77aec..c824b5d 100644
--- a/services/communication/synapse-rendered.yaml
+++ b/services/communication/synapse-rendered.yaml
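Review bot: Both Ingress objects select the controller only through the `kubernetes.io/ingress.class` annotation, which Kubernetes has deprecated in favour of `spec.ingressClassName`; whether the Traefik version in this cluster still honours the annotation is not visible here, and if it does not these rules silently match nothing. Add `ingressClassName: traefik` under `spec` in both objects (the annotation can stay during the transition). The compat Ingress forwards only the `v3` forms of login/logout/refresh with `pathType: Exact`; MAS's compatibility layer is documented as also answering the `r0` variants and the SSO-redirect sub-paths, so those requests would still land on Synapse — presumably acceptable if every client in use speaks v3, but worth confirming against the MAS reverse-proxy guidance. The first Ingress also claims `/` on `matrix.live.bstein.dev`, so precedence against whatever Ingress already serves Synapse on that host is left to Traefik's rule-priority heuristics rather than stated explicitly.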
@@ -394,6 +394,11 @@ data:
 display_name_template: '{{ user.name }}'
 localpart_template: '{{ user.preferred_username }}'
 userinfo_endpoint: https://sso.bstein.dev/realms/atlas/protocol/openid-connect/userinfo
+
+ matrix_authentication_service:
+ enabled: true
+ endpoint: http://matrix-authentication-service:8080/
+ secret: "@@MAS_SHARED_SECRET@@"
 ---
 # Source: matrix-synapse/templates/pvc.yaml
 kind: PersistentVolumeClaim
@@ -711,6 +716,7 @@ spec:
 export REDIS_PASSWORD=$(echo "${REDIS_PASSWORD:-}" | sed 's/\//\\\//g' | sed 's/\&/\\\&/g') && \
 export OIDC_CLIENT_SECRET_ESCAPED=$(echo "${OIDC_CLIENT_SECRET:-}" | sed 's/[\\/&]/\\&/g') && \
 export TURN_SECRET_ESCAPED=$(echo "${TURN_SECRET:-}" | sed 's/[\\/&]/\\&/g') && \
+ export MAS_SHARED_SECRET_ESCAPED=$(echo "${MAS_SHARED_SECRET:-}" | sed 's/[\\/&]/\\&/g') && \
 cat /synapse/secrets/*.yaml | \
 sed -e "s/@@POSTGRES_PASSWORD@@/${POSTGRES_PASSWORD:-}/" \
 -e "s/@@REDIS_PASSWORD@@/${REDIS_PASSWORD:-}/" \
@@ -722,6 +728,9 @@ spec:
 fi; \
 if [ -n "${TURN_SECRET_ESCAPED}" ]; then \
 sed -i "s/@@TURN_SECRET@@/${TURN_SECRET_ESCAPED}/g" /synapse/runtime-config/homeserver.yaml; \
+ fi; \
+ if [ -n "${MAS_SHARED_SECRET_ESCAPED}" ]; then \
+ sed -i "s/@@MAS_SHARED_SECRET@@/${MAS_SHARED_SECRET_ESCAPED}/g" /synapse/runtime-config/homeserver.yaml; \
 fi
 exec python -B -m synapse.app.homeserver \
 -c /synapse/runtime-config/homeserver.yaml \
@@ -747,6 +756,11 @@ spec:
 secretKeyRef:
 name: turn-shared-secret
 key: TURN_STATIC_AUTH_SECRET
+ - name: MAS_SHARED_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: mas-secrets-runtime
+ key: matrix_shared_secret
 image: "ghcr.io/element-hq/synapse:v1.144.0"
 imagePullPolicy: IfNotPresent
 securityContext:
diff --git a/services/communication/wellknown.yaml b/services/communication/wellknown.yaml
index 655746a..8627e0e 100644
--- a/services/communication/wellknown.yaml
+++ b/services/communication/wellknown.yaml
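Review bot: In the @@ -722 hunk the placeholder is substituted only `if [ -n "${MAS_SHARED_SECRET_ESCAPED}" ]`, while the @@ -394 hunk switches the integration on unconditionally with `enabled: true`; an empty value in `mas-secrets-runtime/matrix_shared_secret` therefore leaves Synapse running with the literal string `@@MAS_SHARED_SECRET@@` as the secret it uses to authenticate calls from MAS, and that string is public in this repository. Startup should fail instead of falling through: replace the added guard with `if [ -z "${MAS_SHARED_SECRET_ESCAPED}" ]; then echo "MAS_SHARED_SECRET is required" >&2; exit 1; fi; \` and keep the `sed -i` line unconditional. The `secretKeyRef` in the @@ -747 hunk only guarantees the key exists, not that it is non-empty. Note also that the `sed 's/[\\/&]/\\&/g'` escaping protects the sed replacement, not the double-quoted YAML scalar the value lands in, so the generated secret should avoid `"` and `\`. The enclosing startup command begins and ends outside these hunks.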
@@ -10,6 +10,10 @@ data:
 "m.homeserver": {
 "base_url": "https://matrix.live.bstein.dev"
 },
+ "org.matrix.msc2965.authentication": {
+ "issuer": "https://matrix.live.bstein.dev/",
+ "account": "https://matrix.live.bstein.dev/account/"
+ },
 "org.matrix.msc4143.rtc_foci": [
 {
 "type": "livekit",
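Review bot: The `issuer` value `https://matrix.live.bstein.dev/` has to match, byte for byte, the issuer MAS publishes in its OIDC discovery document (derived from its configured public base URL), trailing slash included — clients compare the two and refuse to continue on a mismatch, and nothing in this hunk ties the two values together. A comment above the new key, `# must equal the issuer MAS advertises, trailing slash included`, would make the coupling visible; rendering both from one value would remove it. Recent clients discover the auth server through Synapse's auth-metadata endpoint rather than this well-known field, so this entry is presumably a compatibility path for older clients — confirm which ones still need it. The ConfigMap's JSON document begins outside the hunk.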