---
# One-shot Job that bootstraps the Synapse signing key for the `matrix`
# namespace. An init container generates the key into a memory-backed scratch
# volume; the main container then stores it as the Secret `synapse-signing-key`,
# unless a Secret of that name already exists.
apiVersion: batch/v1
kind: Job
metadata:
  name: synapse-signing-key-init
  namespace: matrix
  annotations:
    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
    # Wave -1 orders this Job ahead of resources in the default wave (0).
    argocd.argoproj.io/sync-wave: "-1"
    # Replace/Force make Argo CD recreate the Job rather than patch it. A
    # re-run is harmless only because the store script exits early when the
    # Secret is already present.
    argocd.argoproj.io/sync-options: Replace=true,Force=true
spec:
  # The finished Job and its pods are garbage-collected after 5 minutes. The
  # Secret is created through kubectl without an owner reference, so it is not
  # removed along with the Job.
  ttlSecondsAfterFinished: 300
  template:
    spec:
      # NOTE(review): the RBAC bound to this ServiceAccount is not part of this
      # manifest. The script needs only `get` and `create` on secrets in this
      # namespace; confirm the Role grants nothing broader.
      serviceAccountName: synapse-signing-key-init
      # A failed container is retried in the same pod.
      restartPolicy: OnFailure
      securityContext:
        # Both containers run as UID/GID 991 (presumably the Synapse image's
        # user; verify). fsGroup matches that GID for the shared volume.
        runAsNonRoot: true
        runAsUser: 991
        runAsGroup: 991
        fsGroup: 991
        seccompProfile:
          type: RuntimeDefault
      volumes:
        # tmpfs scratch space: the key material is never written to node disk,
        # and the volume is capped at 1Mi.
        - name: shared
          emptyDir:
            medium: Memory
            sizeLimit: 1Mi
      initContainers:
        # Step 1: generate the key. The existence check makes a retry of this
        # container a no-op, so an already generated key is not replaced. Two
        # tool names are tried; presumably they differ between image versions.
        - name: generate
          # NOTE(review): pinned by tag only; pinning by digest would guard
          # against the tag being re-pointed in the registry.
          image: ghcr.io/element-hq/synapse:v1.152.0
          command:
            - sh
            - -c
            - |
              set -e
              if [ -f /shared/signing.key ]; then
                exit 0
              fi
              if command -v generate_signing_key >/dev/null 2>&1; then
                generate_signing_key -o /shared/signing.key
              else
                generate_signing_key.py -o /shared/signing.key
              fi
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
          volumeMounts:
            # Writable here only; the store container mounts it read-only.
            - name: shared
              mountPath: /shared
      containers:
        # Step 2: store the key as a Secret. An existing Secret is never
        # overwritten. Any failure of `kubectl get` (not only "not found") is
        # silenced and falls through to `kubectl create`, where an API or RBAC
        # problem then surfaces and fails the container because of `set -e`.
        - name: store
          # NOTE(review): pinned by tag only, as with the generate image.
          image: alpine/k8s:1.32.3
          command:
            - sh
            - -c
            - |
              set -e
              SECRET="synapse-signing-key"
              if kubectl get secret "${SECRET}" -n "${NAMESPACE}" >/dev/null 2>&1; then
                echo "Secret ${SECRET} already exists, skipping"
                exit 0
              fi
              kubectl create secret generic "${SECRET}" \
                --namespace="${NAMESPACE}" \
                --from-file=signing.key=/shared/signing.key
              echo "Created secret ${SECRET}"
          env:
            # The pod's own namespace, injected via the downward API so that
            # the script does not hard-code it.
            - name: NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
          volumeMounts:
            # Read-only: this container only reads the generated key.
            - name: shared
              mountPath: /shared
              readOnly: true