Wire Zabbix/Matrix credentials to 1Password-synced secrets, add OnePasswordItem CRDs

- Zabbix: Remove hardcoded zabbix-db-secret and zabbix-admin-secret, reference zabbix-credentials (1Password) for DB-User, DB-Password, and admin password - Matrix: Remove hardcoded matrix-db-secret, reference matrix-credentials for Postgres user/password. Convert ConfigMap homeserver.yaml to template with __DB_PASSWORD__/__DB_USER__ placeholders, inject via busybox init container - Guacamole: Add OnePasswordItem CRD for future use. MySQL DB creds remain in guac-db-secret (1Password item lacks DB-specific fields — gap documented) - All three services now include OnePasswordItem CRD manifests for ArgoCD mgmt
2026-03-09 18:28:38 -05:00
parent 8f405d4df0
commit 3199c509c0
3 changed files with 733 additions and 670 deletions
--- a/apps/matrix/matrix.yaml
+++ b/apps/matrix/matrix.yaml
@@ -1,6 +1,8 @@
 # Matrix Synapse + Element Web
 # PostgreSQL 16 + Synapse homeserver + Element Web client
 # ArgoCD managed - BlueJay Lab
+# DB credentials sourced from 1Password via OnePasswordItem CRD (matrix-credentials)
+# Synapse homeserver.yaml DB password injected at runtime via init container
 ---
 apiVersion: v1
 kind: Namespace
@@ -9,26 +11,15 @@ metadata:
  labels:
    app.kubernetes.io/part-of: bluejay-infra
 ---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: matrix-db-secret
-  namespace: matrix
-type: Opaque
-stringData:
-  POSTGRES_USER: synapse
-  POSTGRES_PASSWORD: BlueJay-Matrix-DB-2026
-  POSTGRES_DB: synapse
-  POSTGRES_INITDB_ARGS: "--encoding=UTF-8 --lc-collate=C --lc-ctype=C"
---
-# Synapse homeserver.yaml ConfigMap
+# Synapse homeserver.yaml template ConfigMap
+# DB password placeholder __DB_PASSWORD__ is replaced at pod startup by init container
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: synapse-config
  namespace: matrix
 data:
-  homeserver.yaml: |
+  homeserver.yaml.template: |
    server_name: "iamworkin.lan"
    pid_file: /data/homeserver.pid
    public_baseurl: "https://matrix.iamworkin.lan/"
@@ -44,8 +35,8 @@ data:
    database:
      name: psycopg2
      args:
-        user: synapse
-        password: BlueJay-Matrix-DB-2026
+        user: __DB_USER__
+        password: __DB_PASSWORD__
        database: synapse
        host: matrix-postgres
        port: 5432
@@ -80,6 +71,7 @@ data:
    disable_existing_loggers: false
 ---
 # PostgreSQL 16 StatefulSet
+# Credentials from 1Password-synced matrix-credentials secret
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
@@ -104,9 +96,21 @@ spec:
          ports:
            - containerPort: 5432
              name: postgres
-          envFrom:
-            - secretRef:
-                name: matrix-db-secret
+          env:
+            - name: POSTGRES_USER
+              valueFrom:
+                secretKeyRef:
+                  name: matrix-credentials
+                  key: DB-User
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: matrix-credentials
+                  key: DB-Password
+            - name: POSTGRES_DB
+              value: synapse
+            - name: POSTGRES_INITDB_ARGS
+              value: "--encoding=UTF-8 --lc-collate=C --lc-ctype=C"
          volumeMounts:
            - name: matrix-postgres-data
              mountPath: /var/lib/postgresql/data
@@ -163,7 +167,8 @@ spec:
    requests:
      storage: 2Gi
 ---
-# Synapse init job: generate signing key if missing
+# Synapse Deployment
+# Init container injects DB credentials from 1Password secret into homeserver.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -192,7 +197,13 @@ spec:
          args:
            - |
              if [ \! -f /data/signing.key ]; then
-                python -m synapse.app.homeserver --generate-keys --config-path /config/homeserver.yaml
+                python -m synapse.app.homeserver --generate-keys --config-path /config-template/homeserver.yaml.template 2>/dev/null || true
+                # If key generation fails with template, create a minimal config for key gen
+                if [ \! -f /data/signing.key ]; then
+                  echo server_name: iamworkin.lan > /tmp/minimal.yaml
+                  echo signing_key_path: /data/signing.key >> /tmp/minimal.yaml
+                  python -c "from signedjson.key import generate_signing_key, write_signing_keys; import sys; key = generate_signing_key(a_auto); write_signing_keys(open(/data/signing.key,w), [key])" 2>/dev/null || true
+                fi
              fi
              chown 991:991 /data/signing.key 2>/dev/null || true
              chmod 644 /data/signing.key 2>/dev/null || true
@@ -201,7 +212,34 @@ spec:
          volumeMounts:
            - name: synapse-data
              mountPath: /data
-            - name: synapse-config
+            - name: synapse-config-template
+              mountPath: /config-template
+        - name: inject-credentials
+          image: busybox:latest
+          command: ["sh", "-c"]
+          args:
+            - |
+              # Copy template and substitute DB credentials from 1Password secret
+              cp /config-template/log.config /config/log.config
+              sed -e "s/__DB_PASSWORD__/${DB_PASSWORD}/g" \
+                  -e "s/__DB_USER__/${DB_USER}/g" \
+                  /config-template/homeserver.yaml.template > /config/homeserver.yaml
+              echo "Credentials injected into homeserver.yaml"
+          env:
+            - name: DB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: matrix-credentials
+                  key: DB-Password
+            - name: DB_USER
+              valueFrom:
+                secretKeyRef:
+                  name: matrix-credentials
+                  key: DB-User
+          volumeMounts:
+            - name: synapse-config-template
+              mountPath: /config-template
+            - name: synapse-config-rendered
              mountPath: /config
      containers:
        - name: synapse
@@ -217,7 +255,7 @@ spec:
          volumeMounts:
            - name: synapse-data
              mountPath: /data
-            - name: synapse-config
+            - name: synapse-config-rendered
              mountPath: /config
          resources:
            requests:
@@ -242,9 +280,11 @@ spec:
        - name: synapse-data
          persistentVolumeClaim:
            claimName: synapse-data
-        - name: synapse-config
+        - name: synapse-config-template
          configMap:
            name: synapse-config
+        - name: synapse-config-rendered
+          emptyDir: {}
 ---
 apiVersion: v1
 kind: Service
@@ -407,3 +447,13 @@ spec:
          port: 80
  tls:
    secretName: element-tls
+---
+# 1Password secret sync — creates matrix-credentials K8s Secret
+# Fields: DB-User, DB-Password, Registration-Secret, username, password, URL
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: matrix-credentials
+  namespace: matrix
+spec:
+  itemPath: vaults/IAmWorkin/items/Matrix Synapse