fix: add Vault-managed DB credentials for Matrix Synapse

- Create dedicated 'matrix' PostgreSQL user (was using 'postgres' superuser) - Add Vault DB static role pg-matrix with 24h rotation - Add ExternalSecret matrix-db-creds syncing password from Vault - Add inject-db-password init container that patches homeserver.yaml with current Vault password on every pod start - Update dependency annotation to pg-cluster-rw.dbaas - Also updated Vault DB config to use pg-cluster-rw (was legacy postgresql.dbaas)
2026-04-05 23:18:16 +03:00 · 2026-04-05 23:18:16 +03:00 · 772f59d589
commit 772f59d589
parent e064778c2c
1 changed files with 60 additions and 0 deletions
--- a/stacks/matrix/main.tf
+++ b/stacks/matrix/main.tf
@ -15,6 +15,41 @@ resource "kubernetes_namespace" "matrix" {
  }
 }

+# DB credentials from Vault database engine (rotated every 24h)
+resource "kubernetes_manifest" "db_external_secret" {
+  manifest = {
+    apiVersion = "external-secrets.io/v1beta1"
+    kind       = "ExternalSecret"
+    metadata = {
+      name      = "matrix-db-creds"
+      namespace = "matrix"
+    }
+    spec = {
+      refreshInterval = "15m"
+      secretStoreRef = {
+        name = "vault-database"
+        kind = "ClusterSecretStore"
+      }
+      target = {
+        name = "matrix-db-creds"
+        template = {
+          data = {
+            DB_PASSWORD = "{{ .password }}"
+          }
+        }
+      }
+      data = [{
+        secretKey = "password"
+        remoteRef = {
+          key      = "static-creds/pg-matrix"
+          property = "password"
+        }
+      }]
+    }
+  }
+  depends_on = [kubernetes_namespace.matrix]
+}
+
 module "tls_secret" {
  source          = "../../modules/kubernetes/setup_tls_secret"
  namespace       = kubernetes_namespace.matrix.metadata[0].name
@ -89,6 +124,31 @@ resource "kubernetes_deployment" "matrix" {
            mount_path = "/extra-packages"
          }
        }
+        init_container {
+          name  = "inject-db-password"
+          image = "busybox:1.37"
+          command = ["/bin/sh", "-c", <<-EOF
+            # Update database config in homeserver.yaml with current Vault-managed password
+            sed -i "s|host: .*dbaas.*|host: pg-cluster-rw.dbaas.svc.cluster.local|" /data/homeserver.yaml
+            sed -i "s|user: .*|user: matrix|" /data/homeserver.yaml
+            sed -i "s|password: .*|password: $DB_PASSWORD|" /data/homeserver.yaml
+            echo "DB password injected"
+          EOF
+          ]
+          env {
+            name = "DB_PASSWORD"
+            value_from {
+              secret_key_ref {
+                name = "matrix-db-creds"
+                key  = "DB_PASSWORD"
+              }
+            }
+          }
+          volume_mount {
+            name       = "data"
+            mount_path = "/data"
+          }
+        }
        container {
          image = "matrixdotorg/synapse:latest"
          name  = "matrix"