{{- $secretName := include "matrix-synapse.workername" (dict "root" . "worker" "signingkey") }} {{- if .Values.signingkey.job.enabled }} {{- if .Values.signingkey.existingSecret }} {{- fail "Can't specify both signingkey.job.enabled and signingkey.existingSecret" }} {{- end }} {{- $name := include "matrix-synapse.workername" (dict "root" . "worker" "signingkey-job") }} --- apiVersion: v1 kind: Secret metadata: name: {{ $secretName }} labels: {{- include "matrix-synapse.labels" . | nindent 4 }} app.kubernetes.io/component: signingkey-job annotations: "helm.sh/resource-policy": keep "helm.sh/hook-delete-policy": "hook-failed" "helm.sh/hook": "pre-install" type: Opaque --- apiVersion: v1 kind: ServiceAccount metadata: name: {{ $name }} labels: {{- include "matrix-synapse.labels" . | nindent 4 }} app.kubernetes.io/component: signingkey-job {{- with .Values.signingkey.annotations }} annotations: {{- toYaml . | nindent 4 }} {{- end }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: {{ $name }} labels: {{- include "matrix-synapse.labels" . | nindent 4 }} app.kubernetes.io/component: signingkey-job {{- with .Values.signingkey.annotations }} annotations: {{- toYaml . | nindent 4 }} {{- end }} rules: - apiGroups: - "" resources: - secrets resourceNames: - {{ $secretName }} verbs: - get - update - patch --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: {{ $name }} labels: {{- include "matrix-synapse.labels" . | nindent 4 }} app.kubernetes.io/component: signingkey-job {{- with .Values.signingkey.annotations }} annotations: {{- toYaml . | nindent 4 }} {{- end }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: {{ $name }} subjects: - kind: ServiceAccount name: {{ $name }} namespace: {{ .Release.Namespace }} --- apiVersion: batch/v1 kind: Job metadata: name: {{ $name }} labels: {{- include "matrix-synapse.labels" . | nindent 4 }} app.kubernetes.io/component: signingkey-job {{- with .Values.signingkey.annotations }} annotations: {{- toYaml . | nindent 4 }} {{- end }} spec: ttlSecondsAfterFinished: 0 template: metadata: labels: {{- include "matrix-synapse.labels" . | nindent 8 }} app.kubernetes.io/component: signingkey-job spec: containers: - name: signing-key-generate {{- with .Values.image }} image: "{{ coalesce $.Values.global.image.registry .registry }}/{{ .repository }}:{{ .tag | default (printf "v%s" $.Chart.AppVersion) }}" imagePullPolicy: {{ coalesce $.Values.global.image.pullPolicy .pullPolicy }} {{- end }} command: - sh - -c - | echo "Generating signing key..." if which generate_signing_key.py >/dev/null; then generate_signing_key.py -o /synapse/keys/signing.key else generate_signing_key -o /synapse/keys/signing.key fi resources: {{- toYaml .Values.signingkey.resources | nindent 12 }} volumeMounts: - mountPath: /synapse/keys name: matrix-synapse-keys - name: signing-key-upload {{- with .Values.signingkey.job.publishImage }} image: "{{ coalesce $.Values.global.image.registry .registry }}/{{ .repository }}:{{ .tag }}" imagePullPolicy: {{ coalesce $.Values.global.image.pullPolicy .pullPolicy }} {{- end }} command: - sh - -c - | # check if key already exists key=$(kubectl get secret {{ $secretName }} -o jsonpath="{.data['signing.key']}" 2> /dev/null) [ $? -ne 0 ] && echo "Failed to get existing secret" && exit 1 [ -n "$key" ] && echo "Key already created, exiting." && exit 0 # wait for config while [ ! -f /synapse/keys/signing.key ]; do echo "Waiting for key.." sleep 5; done # update secret kubectl patch secret {{ $secretName }} -p "{\"data\":{\"signing.key\":\"$(base64 /synapse/keys/signing.key | tr -d '\n')\"}}" [ $? -ne 0 ] && echo "Failed to update secret." && exit 1 echo "Key successfully created." resources: {{- toYaml .Values.signingkey.resources | nindent 12 }} volumeMounts: - mountPath: /synapse/keys name: matrix-synapse-keys readOnly: true restartPolicy: Never serviceAccount: {{ $name }} volumes: - name: matrix-synapse-keys emptyDir: {} parallelism: 1 completions: 1 backoffLimit: 1 {{- end }}