app/matrix/appservice-irc: implement passwordEncryptionKey
This allows people to save their NickServ passwords in the bridge's storage. Obviously nobody should trust us tho.
Change-Id: I2afe9e5215cd8f7419e9eab8183789df13e21aac
master
parent
3d5bb6f2e9
commit
37fbff768a
|
@ -6,9 +6,18 @@ local kube = import "../../../kube/kube.libsonnet";
|
|||
local cfg = bridge.cfg,
|
||||
cfg:: {
|
||||
metadata: {},
|
||||
config: std.native("parseYaml")(importstr "appservice/appservice-irc.yaml")[0],
|
||||
config: std.native("parseYaml")(importstr "appservice/appservice-irc.yaml")[0] {
|
||||
ircService+: {
|
||||
[if cfg.passwordEncryptionKeySecret != null then "passwordEncryptionKeyPath"]: "/key/key.pem"
|
||||
},
|
||||
},
|
||||
image: error "image must be set",
|
||||
storageClassName: error "storageClassName must be set",
|
||||
|
||||
# RSA encryption private key secret name containing "key.pem" key
|
||||
# Create using:
|
||||
# kubectl -n matrix create secret generic appservice-irc-password-encryption-key --from-file=key.pem=<(openssl genpkey -out - -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048)
|
||||
passwordEncryptionKeySecret: null,
|
||||
},
|
||||
|
||||
config: kube.ConfigMap("appservice-irc-%s" % [name]) {
|
||||
|
@ -67,7 +76,9 @@ local kube = import "../../../kube/kube.libsonnet";
|
|||
config: kube.ConfigMapVolume(bridge.config),
|
||||
data: kube.PersistentVolumeClaimVolume(bridge.dataVolume),
|
||||
registration: { secret: { secretName: "appservice-irc-%s-registration" % [name] } },
|
||||
},
|
||||
} + (if cfg.passwordEncryptionKeySecret != null then {
|
||||
key: { secret: { secretName: cfg.passwordEncryptionKeySecret } },
|
||||
} else {}),
|
||||
nodeSelector: cfg.nodeSelector,
|
||||
containers_: {
|
||||
appserviceIrc: kube.Container("appservice-irc-%s" % [name]) {
|
||||
|
@ -80,7 +91,9 @@ local kube = import "../../../kube/kube.libsonnet";
|
|||
registration: { mountPath: "/registration", },
|
||||
config: { mountPath: "/config", },
|
||||
data: { mountPath: "/data" },
|
||||
},
|
||||
} + (if cfg.passwordEncryptionKeySecret != null then {
|
||||
key: { mountPath: "/key" },
|
||||
} else {}),
|
||||
},
|
||||
},
|
||||
},
|
||||
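Review bot: The `key` secret volume added next to `registration` is mounted with the default file mode, which Kubernetes sets to 0644, so `/key/key.pem` is readable by every UID in the container. Consider `key: { secret: { secretName: cfg.passwordEncryptionKeySecret, defaultMode: std.parseOctal("0400") } },`, which assumes the bridge process runs as the file's owner or that an `fsGroup` is set; neither is visible in these hunks. The comment above `passwordEncryptionKeySecret: null` could also say that the secret has to be backed up and not regenerated, since passwords already saved are presumably undecryptable without the original key. The path `/key/key.pem`, the mount path `/key` and the secret key name `key.pem` are spelled out in three separate places; a single local for the mount directory would keep them in step. The enclosing objects start and end outside the hunks.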
|
|
|
@ -53,6 +53,7 @@ matrix {
|
|||
},
|
||||
},
|
||||
},
|
||||
passwordEncryptionKeySecret: "appservice-irc-password-encryption-key",
|
||||
},
|
||||
},
|
||||
"telegram-prod": telegram.AppServiceTelegram("prod") {
|
||||
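Review bot: `passwordEncryptionKeySecret` here names a secret that, going by the comment in the library hunk, is created by hand with kubectl rather than by this jsonnet. The volume built from it is not marked optional, so if the secret is absent from the namespace when this is applied, the pod will likely not start because the mount fails. A comment on this line such as `# created out-of-band; must exist in the namespace before this is applied` would record the ordering for the next operator.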
|
|