titan-iac/services/communication/synapse-signingkey-ensure-job.yaml


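# services/communication/synapse-signingkey-ensure-job.yaml
#
# One-shot Job that ensures the Secret `othrys-synapse-signingkey` in the
# `comms` namespace carries a `signing.key` entry:
#   1. init container `generate` writes a fresh key to the shared `work` volume;
#   2. container `patch` merges that key into the Secret, but only when the
#      Secret has no `signing.key` yet.
# An existing key must never be overwritten by this Job: replacing it changes
# the homeserver's signing identity.
#
# NOTE(review): the Role bound to `othrys-synapse-signingkey-job` is not shown
# here; it should need only `get` and `patch` on this one Secret
# (`resourceNames`) - confirm.
apiVersion: batch/v1
kind: Job
metadata:
  name: othrys-synapse-signingkey-ensure-4
  namespace: comms
spec:
  backoffLimit: 2
  template:
    spec:
      serviceAccountName: othrys-synapse-signingkey-job
      restartPolicy: OnFailure
      volumes:
        - name: work
          # tmpfs-backed so the private key is never written to node disk.
          emptyDir:
            medium: Memory
      initContainers:
        - name: generate
          image: ghcr.io/element-hq/synapse:v1.144.0
          command: ["/bin/sh", "-c"]
          args:
            # NOTE(review): `pipefail` is not accepted by every /bin/sh;
            # confirm the shell in this image supports it.
            - |
              set -euo pipefail
              generate_signing_key -o /work/signing.key
          volumeMounts:
            - name: work
              mountPath: /work
      containers:
        - name: patch
          # NOTE(review): `latest` is a mutable tag, and this container holds
          # both the signing key and a token that can patch the Secret. Pin to
          # a fixed version or an image digest.
          image: bitnami/kubectl:latest
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -euo pipefail
              # Keep any file created below private to this user.
              umask 077
              # Fail closed: if the read itself fails (API error, RBAC,
              # timeout) `set -e` aborts here. The previous
              # `get 2>/dev/null | grep -q .` form treated a failed read as
              # "no key present" and went on to patch, which could replace an
              # existing signing key.
              existing="$(kubectl -n comms get secret othrys-synapse-signingkey -o jsonpath='{.data.signing\.key}')"
              if [ -n "${existing}" ]; then
                exit 0
              fi
              signing_key_b64="$(base64 /work/signing.key | tr -d '\n')"
              # Hand the patch over as a file so the key material does not
              # appear in the kubectl process arguments.
              printf '{"data":{"signing.key":"%s"}}' "${signing_key_b64}" > /work/patch.json
              kubectl -n comms patch secret othrys-synapse-signingkey --type=merge --patch-file /work/patch.json >/dev/null
              rm -f /work/patch.json
          volumeMounts:
            - name: work
              mountPath: /work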