services/comms/helmrelease.yaml

@@ -163,9 +163,12 @@ spec:
 
     signingkey:
       job:
-        enabled: false
-      existingSecret: othrys-synapse-signingkey
-      existingSecretKey: signing.key
+        generateImage:
+          repository: matrixdotorg/synapse
+          tag: v1.144.0
+        publishImage:
+          repository: registry.bstein.dev/bstein/kubectl
+          tag: 1.35.0
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease

services/comms/kustomization.yaml

@@ -17,11 +17,9 @@ resources:
   - mas-secrets-ensure-rbac.yaml
   - comms-secrets-ensure-rbac.yaml
   - mas-db-ensure-rbac.yaml
-  - synapse-signingkey-ensure-rbac.yaml
   - mas-admin-client-secret-ensure-job.yaml
   - mas-db-ensure-job.yaml
   - comms-secrets-ensure-job.yaml
-  - synapse-signingkey-ensure-job.yaml
   - synapse-seeder-admin-ensure-job.yaml
   - synapse-user-seed-job.yaml
   - mas-local-users-ensure-job.yaml

services/comms/synapse-signingkey-ensure-job.yaml

@@ -1,44 +0,0 @@
-# services/comms/synapse-signingkey-ensure-job.yaml
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: othrys-synapse-signingkey-ensure-1
-  namespace: comms
-spec:
-  backoffLimit: 2
-  template:
-    spec:
-      serviceAccountName: othrys-synapse-signingkey-job
-      restartPolicy: OnFailure
-      volumes:
-        - name: work
-          emptyDir: {}
-      initContainers:
-        - name: generate
-          image: ghcr.io/element-hq/synapse:v1.144.0
-          command: ["/bin/sh", "-c"]
-          args:
-            - |
-              set -euo pipefail
-              umask 077
-              generate_signing_key -o /work/signing.key
-          volumeMounts:
-            - name: work
-              mountPath: /work
-      containers:
-        - name: store
-          image: registry.bstein.dev/bstein/kubectl:1.35.0
-          command: ["/bin/sh", "-c"]
-          args:
-            - |
-              set -euo pipefail
-              if kubectl -n comms get secret othrys-synapse-signingkey \
-                -o jsonpath='{.data.signing\.key}' 2>/dev/null | grep -q .; then
-                exit 0
-              fi
-              kubectl -n comms create secret generic othrys-synapse-signingkey \
-                --from-file=signing.key=/work/signing.key \
-                --dry-run=client -o yaml | kubectl -n comms apply -f - >/dev/null
-          volumeMounts:
-            - name: work
-              mountPath: /work

services/comms/synapse-signingkey-ensure-rbac.yaml

@@ -1,34 +0,0 @@
-# services/comms/synapse-signingkey-ensure-rbac.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: othrys-synapse-signingkey-job
-  namespace: comms
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: othrys-synapse-signingkey-job
-  namespace: comms
-rules:
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["create"]
-  - apiGroups: [""]
-    resources: ["secrets"]
-    resourceNames: ["othrys-synapse-signingkey"]
-    verbs: ["get", "patch", "update"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: othrys-synapse-signingkey-job
-  namespace: comms
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: othrys-synapse-signingkey-job
-subjects:
-  - kind: ServiceAccount
-    name: othrys-synapse-signingkey-job
-    namespace: comms

services/harbor/helmrelease.yaml

@@ -117,21 +117,6 @@ spec:
       existingSecret: harbor-core
       existingXsrfSecret: harbor-core
       existingXsrfSecretKey: CSRF_KEY
-      # OIDC config; client secret is stored out-of-band.
-      configureUserSettings: |
-        {
-          "auth_mode": "oidc_auth",
-          "oidc_name": "Keycloak",
-          "oidc_endpoint": "https://sso.bstein.dev/realms/atlas",
-          "oidc_client_id": "harbor",
-          "oidc_verify_cert": true,
-          "oidc_auto_onboard": true,
-          "oidc_scope": "openid,profile,email,groups",
-          "oidc_groups_claim": "groups",
-          "oidc_user_claim": "preferred_username",
-          "oidc_admin_group": "admin",
-          "oidc_logout": true
-        }
       affinity:
         nodeAffinity:
           requiredDuringSchedulingIgnoredDuringExecution: