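# services/comms/oneoffs/synapse-signingkey-ensure-job.yaml
# One-off job for comms/othrys-synapse-signingkey-ensure-7.
# Purpose: othrys synapse signingkey ensure 7 (see container args/env in this file).
# Run by setting spec.suspend to false, reconcile, then set it back to true.
# Safe to delete the finished Job/pod; it should not run continuously.
#
# Flow: the init container generates a fresh Synapse signing key into a
# pod-local emptyDir; the main container logs in to Vault with the pod's
# service-account JWT (Kubernetes auth) and writes the key to the KV v2 path
# only if nothing is stored there yet. The write is a check-and-set (cas=0),
# so an existing key is never overwritten even if two runs race, and the
# write is checked for an HTTP error so the Job cannot report success
# without the key actually being stored.
apiVersion: batch/v1
kind: Job
metadata:
  name: othrys-synapse-signingkey-ensure-7
  namespace: comms
spec:
  # Suspended by default: flip to false for a single run, then back to true.
  suspend: true
  backoffLimit: 2
  template:
    spec:
      serviceAccountName: othrys-synapse-signingkey-job
      restartPolicy: OnFailure
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: node-role.kubernetes.io/worker
                    operator: Exists
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              preference:
                matchExpressions:
                  - key: kubernetes.io/arch
                    operator: In
                    values: ["arm64"]
      volumes:
        # Scratch space shared by the two containers; lives only as long as the pod.
        - name: work
          emptyDir: {}
      initContainers:
        - name: generate
          image: ghcr.io/element-hq/synapse:v1.144.0
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -euo pipefail
              umask 077
              # The generator is shipped under either name depending on image version.
              if which generate_signing_key.py >/dev/null; then
                generate_signing_key.py -o /work/signing.key
              else
                generate_signing_key -o /work/signing.key
              fi
              # Presumably relaxed so the store container (different image, possibly a
              # different UID) can read it; the emptyDir is visible only inside this pod.
              chmod 0644 /work/signing.key
          volumeMounts:
            - name: work
              mountPath: /work
      containers:
        - name: store
          # Image is assumed to provide curl and jq in addition to kubectl.
          image: registry.bstein.dev/bstein/kubectl:1.35.0
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -euo pipefail
              # Cluster-internal Vault endpoint (plain HTTP inside the cluster) and the
              # Kubernetes-auth role bound to this Job's service account; both overridable via env.
              vault_addr="${VAULT_ADDR:-http://vault.vault.svc.cluster.local:8200}"
              vault_role="${VAULT_ROLE:-comms-secrets}"
              jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
              # Build JSON with jq so the token is escaped correctly rather than interpolated.
              login_payload="$(jq -nc --arg jwt "${jwt}" --arg role "${vault_role}" '{jwt:$jwt, role:$role}')"
              vault_token="$(curl -sS --request POST --data "${login_payload}" \
                "${vault_addr}/v1/auth/kubernetes/login" | jq -r '.auth.client_token')"
              # A denied login yields no .auth object, so jq prints "null" or nothing.
              if [ -z "${vault_token}" ] || [ "${vault_token}" = "null" ]; then
                echo "vault login failed" >&2
                exit 1
              fi
              # KV v2 read; a missing secret (404) yields an empty string via `// empty`.
              # Deliberately no --fail here: a 404 is the expected "not stored yet" case.
              existing="$(curl -sS -H "X-Vault-Token: ${vault_token}" \
                "${vault_addr}/v1/kv/data/atlas/comms/othrys-synapse-signingkey" | jq -r '.data.data["signing.key"] // empty')"
              if [ -n "${existing}" ]; then
                echo "signing key already present in vault; nothing to do" >&2
                exit 0
              fi
              value="$(cat /work/signing.key)"
              # cas=0 makes the KV v2 write succeed only if no version exists yet, so a
              # concurrent or repeated run can never replace a key that is already in use.
              payload="$(jq -nc --arg value "${value}" '{options:{cas:0}, data:{"signing.key":$value}}')"
              # --fail turns a 4xx/5xx from Vault (denied policy, CAS mismatch, outage)
              # into a non-zero exit instead of a silently successful Job.
              curl -sS --fail -X POST -H "X-Vault-Token: ${vault_token}" \
                -d "${payload}" "${vault_addr}/v1/kv/data/atlas/comms/othrys-synapse-signingkey" >/dev/null
              echo "signing key stored in vault" >&2
          volumeMounts:
            - name: work
              mountPath: /work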