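# services/comms/comms-secrets-ensure-job.yaml
#
# One-shot Job that makes sure the runtime secrets the comms stack reads
# exist, generating random values only for keys that are missing. Existing
# values are never overwritten, so the Job can be re-run safely.
# The ServiceAccount below needs RBAC for secrets in `comms` and
# `bstein-dev-home` and for pods + pods/exec in `postgres`; that binding is
# not part of this file.
---
apiVersion: batch/v1
kind: Job
metadata:
  name: comms-secrets-ensure-2
  namespace: comms
spec:
  backoffLimit: 1
  # Keep the finished pod (and its logs) for an hour before it is collected.
  ttlSecondsAfterFinished: 3600
  template:
    spec:
      serviceAccountName: comms-secrets-ensure
      restartPolicy: Never
      containers:
        - name: ensure
          image: registry.bstein.dev/bstein/kubectl:1.35.0
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -eu

              # On any non-zero exit (including the explicit exit below), say so
              # and keep the pod alive for a while so its logs and partial state
              # can be inspected before the Job is cleaned up. EXIT is used
              # instead of ERR: ERR is not POSIX and some /bin/sh implementations
              # (dash, for one) reject it outright.
              trap 'rc=$?; if [ "${rc}" -ne 0 ]; then echo "comms-secrets-ensure failed"; sleep 300; fi' EXIT
              umask 077

              # 32 random bytes as unpadded base64url (43 chars): only [A-Za-z0-9_-],
              # so the value needs no escaping in shell, JSON or single-quoted SQL.
              safe_pass() {
                head -c 32 /dev/urandom | base64 | tr -d '\n' | tr '+/' '-_' | tr -d '='
              }

              # Print the decoded value of key $3 in secret $2 of namespace $1, or
              # nothing when the secret or the key does not exist. The key is
              # spliced into a jsonpath expression, so it must not contain dots.
              get_secret_value() {
                ns="$1" name="$2" key="$3"
                kubectl -n "${ns}" get secret "${name}" -o "jsonpath={.data.${key}}" 2>/dev/null | base64 -d 2>/dev/null || true
              }

              # Make sure key $3 of secret $2 in namespace $1 exists, setting it to $4
              # only when the secret or the key is missing. An existing value is never
              # replaced; that is what makes the Job idempotent.
              ensure_secret_key() {
                ns="$1" name="$2" key="$3" value="$4"
                if ! kubectl -n "${ns}" get secret "${name}" >/dev/null 2>&1; then
                  kubectl -n "${ns}" create secret generic "${name}" --from-literal="${key}=${value}" >/dev/null
                  return
                fi
                existing="$(kubectl -n "${ns}" get secret "${name}" -o "jsonpath={.data.${key}}" 2>/dev/null || true)"
                if [ -z "${existing}" ]; then
                  # A JSON merge patch of one data entry leaves the other keys intact.
                  b64="$(printf '%s' "${value}" | base64 | tr -d '\n')"
                  payload="$(printf '{"data":{"%s":"%s"}}' "${key}" "${b64}")"
                  kubectl -n "${ns}" patch secret "${name}" --type=merge -p "${payload}" >/dev/null
                fi
              }

              # Create or complete chat-ai-keys-runtime in namespace $1 from the
              # CHAT_KEY_* values resolved below, so both namespaces share one pair.
              ensure_chat_secret() {
                ns="$1"
                if ! kubectl -n "${ns}" get secret chat-ai-keys-runtime >/dev/null 2>&1; then
                  kubectl -n "${ns}" create secret generic chat-ai-keys-runtime \
                    --from-literal=matrix="${CHAT_KEY_MATRIX}" \
                    --from-literal=homepage="${CHAT_KEY_HOMEPAGE}" >/dev/null
                  return
                fi
                ensure_secret_key "${ns}" chat-ai-keys-runtime matrix "${CHAT_KEY_MATRIX}"
                ensure_secret_key "${ns}" chat-ai-keys-runtime homepage "${CHAT_KEY_HOMEPAGE}"
              }

              # Resolve the chat keys: prefer what comms already has, fall back to the
              # copy in bstein-dev-home, and generate fresh values only as a last resort.
              CHAT_KEY_MATRIX="$(get_secret_value comms chat-ai-keys-runtime matrix)"
              CHAT_KEY_HOMEPAGE="$(get_secret_value comms chat-ai-keys-runtime homepage)"
              if [ -z "${CHAT_KEY_MATRIX}" ] || [ -z "${CHAT_KEY_HOMEPAGE}" ]; then
                ALT_MATRIX="$(get_secret_value bstein-dev-home chat-ai-keys-runtime matrix)"
                ALT_HOMEPAGE="$(get_secret_value bstein-dev-home chat-ai-keys-runtime homepage)"
                [ -z "${CHAT_KEY_MATRIX}" ] && CHAT_KEY_MATRIX="${ALT_MATRIX}"
                [ -z "${CHAT_KEY_HOMEPAGE}" ] && CHAT_KEY_HOMEPAGE="${ALT_HOMEPAGE}"
              fi
              [ -z "${CHAT_KEY_MATRIX}" ] && CHAT_KEY_MATRIX="$(safe_pass)"
              [ -z "${CHAT_KEY_HOMEPAGE}" ] && CHAT_KEY_HOMEPAGE="$(safe_pass)"
              ensure_chat_secret comms
              ensure_chat_secret bstein-dev-home

              # Per-service secrets: a fresh value is generated on every run but only
              # stored when the key is absent.
              ensure_secret_key comms turn-shared-secret TURN_STATIC_AUTH_SECRET "$(safe_pass)"
              ensure_secret_key comms livekit-api primary "$(safe_pass)"
              ensure_secret_key comms synapse-redis redis-password "$(safe_pass)"
              ensure_secret_key comms synapse-macaroon macaroon_secret_key "$(safe_pass)"
              ensure_secret_key comms atlasbot-credentials-runtime bot-password "$(safe_pass)"
              ensure_secret_key comms atlasbot-credentials-runtime seeder-password "$(safe_pass)"

              # Synapse database credentials: the secret is the source of truth and
              # the postgres role is (re)aligned with it on every run.
              SYN_PASS="$(get_secret_value comms synapse-db POSTGRES_PASSWORD)"
              if [ -z "${SYN_PASS}" ]; then
                SYN_PASS="$(safe_pass)"
                kubectl -n comms create secret generic synapse-db --from-literal=POSTGRES_PASSWORD="${SYN_PASS}" >/dev/null
              fi

              # Pick a Running postgres pod. '|| true' keeps a jsonpath error on an
              # empty list from aborting the script under set -e before the message
              # below can be printed.
              POD_NAME="$(kubectl -n postgres get pods -l app=postgres --field-selector=status.phase=Running \
                -o jsonpath='{.items[0].metadata.name}' 2>/dev/null || true)"
              if [ -z "${POD_NAME}" ]; then
                echo "postgres pod not found" >&2
                exit 1
              fi

              # Run SQL from stdin so the password is not part of any argv (visible
              # via ps in both this container and the postgres pod). ON_ERROR_STOP
              # makes psql exit non-zero on a failed statement, as -c did. The server
              # may still record the statement in its own logs depending on its
              # log_statement setting.
              run_sql() {
                kubectl -n postgres exec -i "${POD_NAME}" -- psql -U postgres -d postgres -v ON_ERROR_STOP=1
              }
              # Single quotes are doubled for the SQL literal; the stored value is unchanged.
              SYN_PASS_SQL="$(printf '%s' "${SYN_PASS}" | sed "s/'/''/g")"
              # CREATE ROLE / CREATE DATABASE may fail because the object already exists.
              printf '%s\n' "CREATE ROLE synapse LOGIN PASSWORD '${SYN_PASS_SQL}';" | run_sql || true
              printf '%s\n' "ALTER ROLE synapse WITH PASSWORD '${SYN_PASS_SQL}';" | run_sql
              printf '%s\n' "CREATE DATABASE synapse OWNER synapse;" | run_sql || true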