comms: seed synapse signing key for helm

services/comms/helmrelease.yaml

@@ -163,12 +163,9 @@ spec:
 
     signingkey:
       job:
-        generateImage:
-          repository: matrixdotorg/synapse
-          tag: v1.144.0
-        publishImage:
-          repository: registry.bstein.dev/bstein/kubectl
-          tag: 1.35.0
+        enabled: false
+      existingSecret: othrys-synapse-signingkey
+      existingSecretKey: signing.key
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease

services/comms/kustomization.yaml

@@ -17,9 +17,11 @@ resources:
   - mas-secrets-ensure-rbac.yaml
   - comms-secrets-ensure-rbac.yaml
   - mas-db-ensure-rbac.yaml
+  - synapse-signingkey-ensure-rbac.yaml
   - mas-admin-client-secret-ensure-job.yaml
   - mas-db-ensure-job.yaml
   - comms-secrets-ensure-job.yaml
+  - synapse-signingkey-ensure-job.yaml
   - synapse-seeder-admin-ensure-job.yaml
   - synapse-user-seed-job.yaml
   - mas-local-users-ensure-job.yaml

services/comms/synapse-signingkey-ensure-job.yaml

@@ -0,0 +1,44 @@
+# services/comms/synapse-signingkey-ensure-job.yaml
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: othrys-synapse-signingkey-ensure-1
+  namespace: comms
+spec:
+  backoffLimit: 2
+  template:
+    spec:
+      serviceAccountName: othrys-synapse-signingkey-job
+      restartPolicy: OnFailure
+      volumes:
+        - name: work
+          emptyDir: {}
+      initContainers:
+        - name: generate
+          image: ghcr.io/element-hq/synapse:v1.144.0
+          command: ["/bin/sh", "-c"]
+          args:
+            - |
+              set -euo pipefail
+              umask 077
+              generate_signing_key -o /work/signing.key
+          volumeMounts:
+            - name: work
+              mountPath: /work
+      containers:
+        - name: store
+          image: registry.bstein.dev/bstein/kubectl:1.35.0
+          command: ["/bin/sh", "-c"]
+          args:
+            - |
+              set -euo pipefail
+              if kubectl -n comms get secret othrys-synapse-signingkey \
+                -o jsonpath='{.data.signing\.key}' 2>/dev/null | grep -q .; then
+                exit 0
+              fi
+              kubectl -n comms create secret generic othrys-synapse-signingkey \
+                --from-file=signing.key=/work/signing.key \
+                --dry-run=client -o yaml | kubectl -n comms apply -f - >/dev/null
+          volumeMounts:
+            - name: work
+              mountPath: /work

services/comms/synapse-signingkey-ensure-rbac.yaml

@@ -0,0 +1,34 @@
+# services/comms/synapse-signingkey-ensure-rbac.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: othrys-synapse-signingkey-job
+  namespace: comms
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: othrys-synapse-signingkey-job
+  namespace: comms
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["create"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    resourceNames: ["othrys-synapse-signingkey"]
+    verbs: ["get", "patch", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: othrys-synapse-signingkey-job
+  namespace: comms
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: othrys-synapse-signingkey-job
+subjects:
+  - kind: ServiceAccount
+    name: othrys-synapse-signingkey-job
+    namespace: comms

services/harbor/helmrelease.yaml

@@ -117,6 +117,21 @@ spec:
       existingSecret: harbor-core
       existingXsrfSecret: harbor-core
       existingXsrfSecretKey: CSRF_KEY
+      # OIDC config; client secret is stored out-of-band.
+      configureUserSettings: |
+        {
+          "auth_mode": "oidc_auth",
+          "oidc_name": "Keycloak",
+          "oidc_endpoint": "https://sso.bstein.dev/realms/atlas",
+          "oidc_client_id": "harbor",
+          "oidc_verify_cert": true,
+          "oidc_auto_onboard": true,
+          "oidc_scope": "openid,profile,email,groups",
+          "oidc_groups_claim": "groups",
+          "oidc_user_claim": "preferred_username",
+          "oidc_admin_group": "admin",
+          "oidc_logout": true
+        }
       affinity:
         nodeAffinity:
           requiredDuringSchedulingIgnoredDuringExecution: