comms(synapse): ensure signing key secret populated

services/communication/kustomization.yaml

@@ -4,6 +4,7 @@ kind: Kustomization
 namespace: comms
 resources:
   - synapse-rendered.yaml
+  - synapse-signingkey-ensure-job.yaml
   - mas-configmap.yaml
   - mas-deployment.yaml
   - mas-ingress.yaml

services/communication/synapse-signingkey-ensure-job.yaml

@@ -0,0 +1,42 @@
+# services/communication/synapse-signingkey-ensure-job.yaml
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: othrys-synapse-signingkey-ensure
+  namespace: comms
+spec:
+  backoffLimit: 2
+  template:
+    spec:
+      serviceAccountName: othrys-synapse-signingkey-job
+      restartPolicy: OnFailure
+      volumes:
+        - name: work
+          emptyDir: {}
+      initContainers:
+        - name: generate
+          image: ghcr.io/element-hq/synapse:v1.144.0
+          command: ["/bin/sh", "-c"]
+          args:
+            - |
+              set -euo pipefail
+              generate_signing_key -o /work/signing.key
+          volumeMounts:
+            - name: work
+              mountPath: /work
+      containers:
+        - name: patch
+          image: bitnami/kubectl:1.30.4
+          command: ["/bin/sh", "-c"]
+          args:
+            - |
+              set -euo pipefail
+              if kubectl -n comms get secret othrys-synapse-signingkey -o jsonpath='{.data.signing\.key}' 2>/dev/null | grep -q .; then
+                exit 0
+              fi
+              signing_key_b64="$(base64 /work/signing.key | tr -d '\n')"
+              payload="$(printf '{\"data\":{\"signing.key\":\"%s\"}}' "${signing_key_b64}")"
+              kubectl -n comms patch secret othrys-synapse-signingkey --type=merge -p "${payload}" >/dev/null
+          volumeMounts:
+            - name: work
+              mountPath: /work