bstein/titan-iac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

communication: enable MAS delegated auth

Browse Source
This commit is contained in:
Brad Stein 2025-12-31 15:53:35 -03:00
parent 940e0cc613
commit cb82a44e2e
4 changed files with 87 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
services/communication/kustomization.yaml
View File

@ -7,6 +7,7 @@ resources:
- synapse-rendered.yaml - synapse-rendered.yaml
- mas-configmap.yaml - mas-configmap.yaml
- mas-deployment.yaml - mas-deployment.yaml
- mas-ingress.yaml
- element-rendered.yaml - element-rendered.yaml
- livekit-config.yaml - livekit-config.yaml
- livekit.yaml - livekit.yaml

68
services/communication/mas-ingress.yaml Normal file
View File

@ -0,0 +1,68 @@
# services/communication/mas-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: matrix-authentication-service
namespace: communication
annotations:
kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt
spec:
tls:
- hosts:
- matrix.live.bstein.dev
secretName: matrix-live-tls
rules:
- host: matrix.live.bstein.dev
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: matrix-authentication-service
port:
number: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: matrix-authentication-service-compat
namespace: communication
annotations:
kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt
spec:
tls:
- hosts:
- matrix.live.bstein.dev
secretName: matrix-live-tls
rules:
- host: matrix.live.bstein.dev
http:
paths:
- path: /_matrix/client/v3/login
pathType: Exact
backend:
service:
name: matrix-authentication-service
port:
number: 8080
- path: /_matrix/client/v3/logout
pathType: Exact
backend:
service:
name: matrix-authentication-service
port:
number: 8080
- path: /_matrix/client/v3/refresh
pathType: Exact
backend:
service:
name: matrix-authentication-service
port:
number: 8080

14
services/communication/synapse-rendered.yaml
View File

@ -394,6 +394,11 @@ data:
display_name_template: '{{ user.name }}' display_name_template: '{{ user.name }}'
localpart_template: '{{ user.preferred_username }}' localpart_template: '{{ user.preferred_username }}'
userinfo_endpoint: https://sso.bstein.dev/realms/atlas/protocol/openid-connect/userinfo userinfo_endpoint: https://sso.bstein.dev/realms/atlas/protocol/openid-connect/userinfo
matrix_authentication_service:
enabled: true
endpoint: http://matrix-authentication-service:8080/
secret: "@@MAS_SHARED_SECRET@@"
--- ---
# Source: matrix-synapse/templates/pvc.yaml # Source: matrix-synapse/templates/pvc.yaml
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
@ -711,6 +716,7 @@ spec:
export REDIS_PASSWORD=$(echo "${REDIS_PASSWORD:-}" | sed 's/\//\\\//g' | sed 's/\&/\\\&/g') && \ export REDIS_PASSWORD=$(echo "${REDIS_PASSWORD:-}" | sed 's/\//\\\//g' | sed 's/\&/\\\&/g') && \
export OIDC_CLIENT_SECRET_ESCAPED=$(echo "${OIDC_CLIENT_SECRET:-}" | sed 's/[\\/&]/\\&/g') && \ export OIDC_CLIENT_SECRET_ESCAPED=$(echo "${OIDC_CLIENT_SECRET:-}" | sed 's/[\\/&]/\\&/g') && \
export TURN_SECRET_ESCAPED=$(echo "${TURN_SECRET:-}" | sed 's/[\\/&]/\\&/g') && \ export TURN_SECRET_ESCAPED=$(echo "${TURN_SECRET:-}" | sed 's/[\\/&]/\\&/g') && \
export MAS_SHARED_SECRET_ESCAPED=$(echo "${MAS_SHARED_SECRET:-}" | sed 's/[\\/&]/\\&/g') && \
cat /synapse/secrets/*.yaml | \ cat /synapse/secrets/*.yaml | \
sed -e "s/@@POSTGRES_PASSWORD@@/${POSTGRES_PASSWORD:-}/" \ sed -e "s/@@POSTGRES_PASSWORD@@/${POSTGRES_PASSWORD:-}/" \
-e "s/@@REDIS_PASSWORD@@/${REDIS_PASSWORD:-}/" \ -e "s/@@REDIS_PASSWORD@@/${REDIS_PASSWORD:-}/" \
@ -722,6 +728,9 @@ spec:
fi; \ fi; \
if [ -n "${TURN_SECRET_ESCAPED}" ]; then \ if [ -n "${TURN_SECRET_ESCAPED}" ]; then \
sed -i "s/@@TURN_SECRET@@/${TURN_SECRET_ESCAPED}/g" /synapse/runtime-config/homeserver.yaml; \ sed -i "s/@@TURN_SECRET@@/${TURN_SECRET_ESCAPED}/g" /synapse/runtime-config/homeserver.yaml; \
fi; \
if [ -n "${MAS_SHARED_SECRET_ESCAPED}" ]; then \
sed -i "s/@@MAS_SHARED_SECRET@@/${MAS_SHARED_SECRET_ESCAPED}/g" /synapse/runtime-config/homeserver.yaml; \
fi fi
exec python -B -m synapse.app.homeserver \ exec python -B -m synapse.app.homeserver \
-c /synapse/runtime-config/homeserver.yaml \ -c /synapse/runtime-config/homeserver.yaml \
@ -747,6 +756,11 @@ spec:
secretKeyRef: secretKeyRef:
name: turn-shared-secret name: turn-shared-secret
key: TURN_STATIC_AUTH_SECRET key: TURN_STATIC_AUTH_SECRET
- name: MAS_SHARED_SECRET
valueFrom:
secretKeyRef:
name: mas-secrets-runtime
key: matrix_shared_secret
image: "ghcr.io/element-hq/synapse:v1.144.0" image: "ghcr.io/element-hq/synapse:v1.144.0"
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
securityContext: securityContext:

4
services/communication/wellknown.yaml
View File

@ -10,6 +10,10 @@ data:
"m.homeserver": { "m.homeserver": {
"base_url": "https://matrix.live.bstein.dev" "base_url": "https://matrix.live.bstein.dev"
}, },
"org.matrix.msc2965.authentication": {
"issuer": "https://matrix.live.bstein.dev/",
"account": "https://matrix.live.bstein.dev/account/"
},
"org.matrix.msc4143.rtc_foci": [ "org.matrix.msc4143.rtc_foci": [
{ {
"type": "livekit", "type": "livekit",