app/matrix/appservice-irc: implement passwordEncryptionKey

This allows people to save their NickServ passwords into the bridge's
storage. Obviously nobody should trust us tho.

Change-Id: I2afe9e5215cd8f7419e9eab8183789df13e21aac
diff --git a/app/matrix/lib/appservice-irc.libsonnet b/app/matrix/lib/appservice-irc.libsonnet
index 7628920..b9e5b84 100644
--- a/app/matrix/lib/appservice-irc.libsonnet
+++ b/app/matrix/lib/appservice-irc.libsonnet
@@ -6,9 +6,18 @@
         local cfg = bridge.cfg,
         cfg:: {
             metadata: {},
-            config: std.native("parseYaml")(importstr "appservice/appservice-irc.yaml")[0],
+            config: std.native("parseYaml")(importstr "appservice/appservice-irc.yaml")[0] {
+                ircService+: {
+                    [if cfg.passwordEncryptionKeySecret != null then "passwordEncryptionKeyPath"]: "/key/key.pem"
+                },
+            },
             image: error "image must be set",
             storageClassName: error "storageClassName must be set",
+
+            # RSA encryption private key secret name containing "key.pem" key
+            # Create using:
+            #   kubectl -n matrix create secret generic appservice-irc-password-encryption-key --from-file=key.pem=<(openssl genpkey -out - -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048)
+            passwordEncryptionKeySecret: null,
         },
 
         config: kube.ConfigMap("appservice-irc-%s" % [name]) {
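Review bot: The comment above `passwordEncryptionKeySecret` documents how to create the secret but says nothing about its lifecycle or what it protects. Saved passwords are presumably decryptable only with this private key, so I would add `# Keep this secret stable and backed up: replacing the key likely makes already-stored NickServ passwords unreadable.` It is also worth one line stating that the key is mounted into the same pod that holds the bridge database. The encryption therefore covers a database or backup leaked on its own, not a compromised pod or anyone who can read secrets in the namespace.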
@@ -67,7 +76,9 @@
                             config: kube.ConfigMapVolume(bridge.config),
                             data: kube.PersistentVolumeClaimVolume(bridge.dataVolume),
                             registration: { secret: { secretName: "appservice-irc-%s-registration" % [name] } },
-                        },
+                        } + (if cfg.passwordEncryptionKeySecret != null then {
+                            key: { secret: { secretName: cfg.passwordEncryptionKeySecret } },
+                        } else {}),
                         nodeSelector: cfg.nodeSelector,
                         containers_: {
                             appserviceIrc: kube.Container("appservice-irc-%s" % [name]) {
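Review bot: The new `key` volume takes the Kubernetes default file mode for secret volumes (0644), so `key.pem` is readable by every user inside the container. For a private key I would restrict it: `key: { secret: { secretName: cfg.passwordEncryptionKeySecret, defaultMode: 256 } },` (256 is decimal for 0400, since Jsonnet has no octal literals). Whether 0400 works depends on the uid the bridge runs as, which is not visible in this hunk. If it is not the file owner, an `fsGroup` with mode 0440 would be needed instead. The volumes object and the pod spec around it start and end outside the hunk.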
@@ -80,7 +91,9 @@
                                     registration: { mountPath: "/registration", },
                                     config: { mountPath: "/config", },
                                     data: { mountPath: "/data" },
-                                },
+                                } + (if cfg.passwordEncryptionKeySecret != null then {
+                                    key: { mountPath: "/key" },
+                                } else {}),
                             },
                         },
                     },
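Review bot: The `/key` mount path here and the `"/key/key.pem"` string in the first hunk have to be kept in sync by hand, and the same `cfg.passwordEncryptionKeySecret != null` test is repeated in all three hunks. If one of them drifts, the bridge is pointed at a key file that is not mounted. A single hidden field, e.g. `keyMountPath:: "/key",` in `cfg`, used as `mountPath: cfg.keyMountPath` here and `"%s/key.pem" % cfg.keyMountPath` in the config override, would remove that coupling. Adding `readOnly: true` to this mount would also make the intent explicit. The container definition continues outside the hunk.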