titan-iac/services/comms/synapse-user-seed-job.yaml

# services/comms/synapse-user-seed-job.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: synapse-user-seed-3
  namespace: comms
spec:
  backoffLimit: 1
  ttlSecondsAfterFinished: 3600
  template:
    spec:
      restartPolicy: Never
      serviceAccountName: comms-vault
      containers:
        - name: seed
          image: python:3.11-slim
          env:
            - name: PGHOST
              value: postgres-service.postgres.svc.cluster.local
            - name: PGPORT
              value: "5432"
            - name: PGDATABASE
              value: synapse
            - name: PGUSER
              value: synapse
            - name: SEEDER_USER
              value: othrys-seeder
            - name: BOT_USER
              value: atlasbot
          command:
            - /bin/sh
            - -c
            - |
              set -euo pipefail
              . /vault/scripts/comms_vault_env.sh
              pip install --no-cache-dir psycopg2-binary bcrypt >/dev/null
              python - <<'PY'
              import os
              import time
              import bcrypt
              import psycopg2

              def get_cols(cur):
                  cur.execute(
                      """
                      SELECT column_name, is_nullable, column_default, data_type
                      FROM information_schema.columns
                      WHERE table_schema = 'public' AND table_name = 'users'
                      """
                  )
                  cols = {}
                  for name, is_nullable, default, data_type in cur.fetchall():
                      cols[name] = {
                          "nullable": is_nullable == "YES",
                          "default": default,
                          "type": data_type,
                      }
                  return cols

              def upsert_user(cur, cols, user_id, password, admin):
                  now_ms = int(time.time() * 1000)
                  values = {
                      "name": user_id,
                      "password_hash": bcrypt.hashpw(password.encode(), bcrypt.gensalt()).decode(),
                      "creation_ts": now_ms,
                  }
                  def add_flag(name, flag):
                      if name not in cols:
                          return
                      if cols[name]["type"] in ("smallint", "integer"):
                          values[name] = int(flag)
                      else:
                          values[name] = bool(flag)

                  add_flag("admin", admin)
                  add_flag("deactivated", False)
                  add_flag("shadow_banned", False)
                  add_flag("is_guest", False)

                  columns = list(values.keys())
                  placeholders = ", ".join(["%s"] * len(columns))
                  updates = ", ".join([f"{col}=EXCLUDED.{col}" for col in columns if col != "name"])
                  query = f"INSERT INTO users ({', '.join(columns)}) VALUES ({placeholders}) ON CONFLICT (name) DO UPDATE SET {updates};"
                  cur.execute(query, [values[c] for c in columns])

              seeder_user = os.environ["SEEDER_USER"]
              bot_user = os.environ["BOT_USER"]
              server = "live.bstein.dev"
              seeder_id = f"@{seeder_user}:{server}"
              bot_id = f"@{bot_user}:{server}"

              conn = psycopg2.connect(
                  host=os.environ["PGHOST"],
                  port=int(os.environ["PGPORT"]),
                  dbname=os.environ["PGDATABASE"],
                  user=os.environ["PGUSER"],
                  password=os.environ["PGPASSWORD"],
              )
              try:
                  with conn:
                      with conn.cursor() as cur:
                          cols = get_cols(cur)
                          upsert_user(cur, cols, seeder_id, os.environ["SEEDER_PASS"], True)
                          upsert_user(cur, cols, bot_id, os.environ["BOT_PASS"], False)
              finally:
                  conn.close()
              PY
          volumeMounts:
            - name: vault-secrets
              mountPath: /vault/secrets
              readOnly: true
            - name: vault-scripts
              mountPath: /vault/scripts
              readOnly: true
      volumes:
        - name: vault-secrets
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: comms-vault
        - name: vault-scripts
          configMap:
            name: comms-vault-env
            defaultMode: 0555