diff --git a/services/communication/kustomization.yaml b/services/communication/kustomization.yaml
index 54b387f..1b8f17a 100644
--- a/services/communication/kustomization.yaml
+++ b/services/communication/kustomization.yaml
@@ -4,6 +4,7 @@ kind: Kustomization
 namespace: comms
 resources:
   - synapse-rendered.yaml
+  - synapse-signingkey-ensure-job.yaml
   - mas-configmap.yaml
   - mas-deployment.yaml
   - mas-ingress.yaml
diff --git a/services/communication/synapse-signingkey-ensure-job.yaml b/services/communication/synapse-signingkey-ensure-job.yaml
new file mode 100644
index 0000000..fc5ba5b
--- /dev/null
+++ b/services/communication/synapse-signingkey-ensure-job.yaml
@@ -0,0 +1,42 @@
+# services/communication/synapse-signingkey-ensure-job.yaml
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: othrys-synapse-signingkey-ensure
+  namespace: comms
+spec:
+  backoffLimit: 2
+  template:
+    spec:
+      serviceAccountName: othrys-synapse-signingkey-job
+      restartPolicy: OnFailure
+      volumes:
+        - name: work
+          emptyDir: {}
+      initContainers:
+        - name: generate
+          image: ghcr.io/element-hq/synapse:v1.144.0
+          command: ["/bin/sh", "-c"]
+          args:
+            - |
+              set -euo pipefail
+              generate_signing_key -o /work/signing.key
+          volumeMounts:
+            - name: work
+              mountPath: /work
+      containers:
+        - name: patch
+          image: bitnami/kubectl:1.30.4
+          command: ["/bin/sh", "-c"]
+          args:
+            - |
+              set -euo pipefail
+              if kubectl -n comms get secret othrys-synapse-signingkey -o jsonpath='{.data.signing\.key}' 2>/dev/null | grep -q .; then
+                exit 0
+              fi
+              signing_key_b64="$(base64 /work/signing.key | tr -d '\n')"
+              payload="$(printf '{\"data\":{\"signing.key\":\"%s\"}}' "${signing_key_b64}")"
+              kubectl -n comms patch secret othrys-synapse-signingkey --type=merge -p "${payload}" >/dev/null
+          volumeMounts:
+            - name: work
+              mountPath: /work
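Review bot: The existence guard in the `patch` container's script treats any failure of the `kubectl get` pipeline as "key absent": `set -e` does not apply inside an `if` condition, so a transient API error, an RBAC denial, or (with `pipefail`) a kubectl killed by an early `grep -q` exit falls through to the patch and replaces an existing signing key, which would change the homeserver's federation identity. Capture the value in an assignment so a read failure aborts the Job instead of being misread: `existing="$(kubectl -n comms get secret othrys-synapse-signingkey -o jsonpath='{.data.signing\.key}')"` followed by `if [ -n "${existing}" ]; then exit 0; fi` (the failed Job is retried via `backoffLimit`, and `patch` already requires the secret to exist). The generated private key lives in a disk-backed `emptyDir` that outlives the script on a completed pod nobody deletes; `emptyDir: {medium: Memory}` plus `ttlSecondsAfterFinished` on the Job spec would keep it off the node disk and bound its lifetime. The `othrys-synapse-signingkey-job` service account and its Role are not part of this diff; wherever they are defined they should be limited to `get`/`patch` on this one secret via `resourceNames`, and both images are pinned by tag rather than digest.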