# services/communication/synapse-guest-appservice-secret-ensure-job.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: synapse-guest-appservice-secret-writer
  namespace: comms
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: synapse-guest-appservice-secret-writer
  namespace: comms
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["synapse-guest-appservice-runtime"]
    verbs: ["get", "patch", "update"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: synapse-guest-appservice-secret-writer
  namespace: comms
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: synapse-guest-appservice-secret-writer
subjects:
  - kind: ServiceAccount
    name: synapse-guest-appservice-secret-writer
    namespace: comms
---
apiVersion: batch/v1
kind: Job
metadata:
  name: synapse-guest-appservice-secret-ensure-1
  namespace: comms
spec:
  backoffLimit: 2
  template:
    spec:
      serviceAccountName: synapse-guest-appservice-secret-writer
      restartPolicy: OnFailure
      volumes:
        - name: work
          emptyDir: {}
      initContainers:
        - name: generate
          image: alpine:3.20
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -euo pipefail
              umask 077
              AS_TOKEN="$(dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')"
              HS_TOKEN="$(dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')"

              printf '%s' "${AS_TOKEN}" > /work/as_token
              printf '%s' "${HS_TOKEN}" > /work/hs_token

              cat > /work/registration.yaml <<EOF
              id: othrys-guest-register
              url: http://matrix-guest-register:8080
              as_token: ${AS_TOKEN}
              hs_token: ${HS_TOKEN}
              sender_localpart: guest-register
              rate_limited: true
              namespaces:
                users:
                  - regex: '@guest-[0-9a-f]+:live.bstein.dev'
                    exclusive: true
                aliases: []
                rooms: []
              EOF

              chmod 0644 /work/as_token /work/hs_token /work/registration.yaml
          volumeMounts:
            - name: work
              mountPath: /work
      containers:
        - name: write
          image: bitnami/kubectl:latest
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -euo pipefail
              if kubectl -n comms get secret synapse-guest-appservice-runtime >/dev/null 2>&1; then
                if kubectl -n comms get secret synapse-guest-appservice-runtime -o jsonpath='{.data.registration\.yaml}' 2>/dev/null | grep -q .; then
                  exit 0
                fi
              else
                kubectl -n comms create secret generic synapse-guest-appservice-runtime \
                  --from-file=registration.yaml=/work/registration.yaml \
                  --from-file=as_token=/work/as_token \
                  --from-file=hs_token=/work/hs_token >/dev/null
                exit 0
              fi

              reg_b64="$(base64 /work/registration.yaml | tr -d '\n')"
              as_b64="$(base64 /work/as_token | tr -d '\n')"
              hs_b64="$(base64 /work/hs_token | tr -d '\n')"

              payload="$(printf '{\"data\":{\"registration.yaml\":\"%s\",\"as_token\":\"%s\",\"hs_token\":\"%s\"}}' \"${reg_b64}\" \"${as_b64}\" \"${hs_b64}\")"
              kubectl -n comms patch secret synapse-guest-appservice-runtime --type=merge -p \"${payload}\" >/dev/null
          volumeMounts:
            - name: work
              mountPath: /work