# services/comms/synapse-signingkey-ensure-job.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: othrys-synapse-signingkey-ensure-2
  namespace: comms
spec:
  backoffLimit: 2
  template:
    spec:
      serviceAccountName: othrys-synapse-signingkey-job
      restartPolicy: OnFailure
      volumes:
        - name: work
          emptyDir: {}
      initContainers:
        - name: generate
          image: ghcr.io/element-hq/synapse:v1.144.0
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -euo pipefail
              umask 077
              if which generate_signing_key.py >/dev/null; then
                generate_signing_key.py -o /work/signing.key
              else
                generate_signing_key -o /work/signing.key
              fi
          volumeMounts:
            - name: work
              mountPath: /work
      containers:
        - name: store
          image: registry.bstein.dev/bstein/kubectl:1.35.0
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -euo pipefail
              if kubectl -n comms get secret othrys-synapse-signingkey \
                -o jsonpath='{.data.signing\.key}' 2>/dev/null | grep -q .; then
                exit 0
              fi
              kubectl -n comms create secret generic othrys-synapse-signingkey \
                --from-file=signing.key=/work/signing.key \
                --dry-run=client -o yaml | kubectl -n comms apply -f - >/dev/null
          volumeMounts:
            - name: work
              mountPath: /work