From 772f59d5890ceee7e24964e07f41ca619e689ec8 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Sun, 5 Apr 2026 23:18:16 +0300
Subject: [PATCH] fix: add Vault-managed DB credentials for Matrix Synapse

- Create dedicated 'matrix' PostgreSQL user (was using 'postgres' superuser)
- Add Vault DB static role pg-matrix with 24h rotation
- Add ExternalSecret matrix-db-creds syncing password from Vault
- Add inject-db-password init container that patches homeserver.yaml with current Vault password on every pod start
- Update dependency annotation to pg-cluster-rw.dbaas
- Also updated Vault DB config to use pg-cluster-rw (was legacy postgresql.dbaas)
---
 stacks/matrix/main.tf | 60 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)

diff --git a/stacks/matrix/main.tf b/stacks/matrix/main.tf
index 88cc783b..08726025 100644
--- a/stacks/matrix/main.tf
+++ b/stacks/matrix/main.tf
@@ -15,6 +15,41 @@ resource "kubernetes_namespace" "matrix" {
 }
 }
 
+# DB credentials from Vault database engine (rotated every 24h)
+resource "kubernetes_manifest" "db_external_secret" {
+ manifest = {
+ apiVersion = "external-secrets.io/v1beta1"
+ kind = "ExternalSecret"
+ metadata = {
+ name = "matrix-db-creds"
+ namespace = "matrix"
+ }
+ spec = {
+ refreshInterval = "15m"
+ secretStoreRef = {
+ name = "vault-database"
+ kind = "ClusterSecretStore"
+ }
+ target = {
+ name = "matrix-db-creds"
+ template = {
+ data = {
+ DB_PASSWORD = "{{ .password }}"
+ }
+ }
+ }
+ data = [{
+ secretKey = "password"
+ remoteRef = {
+ key = "static-creds/pg-matrix"
+ property = "password"
+ }
+ }]
+ }
+ }
+ depends_on = [kubernetes_namespace.matrix]
+}
+
 module "tls_secret" {
 source = "../../modules/kubernetes/setup_tls_secret"
 namespace = kubernetes_namespace.matrix.metadata[0].name
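Review bot: The rotated password only reaches Synapse through the init container at pod start, so after the 24h static-role rotation the running pod keeps the previous password and any new database connection Synapse opens will be refused until the pod restarts; nothing in this commit forces that restart, and with `refreshInterval = "15m"` a restart within the first 15 minutes after rotation would still inject the stale value (the init container is in the second hunk, `inject-db-password`). Unless something outside this file restarts the Deployment on secret change, consider a reloader-style or secret-checksum annotation on the pod template, and a `refreshInterval` short enough that the stale window is one you can tolerate. A smaller consistency point: `namespace = "matrix"` is a literal where the `tls_secret` module just below uses `kubernetes_namespace.matrix.metadata[0].name`; writing `namespace = kubernetes_namespace.matrix.metadata[0].name` keeps the two in step and makes the `depends_on` implicit.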
@@ -89,6 +124,31 @@ resource "kubernetes_deployment" "matrix" {
 mount_path = "/extra-packages"
 }
 }
+ init_container {
+ name = "inject-db-password"
+ image = "busybox:1.37"
+ command = ["/bin/sh", "-c", <<-EOF
+ # Update database config in homeserver.yaml with current Vault-managed password
+ sed -i "s|host: .*dbaas.*|host: pg-cluster-rw.dbaas.svc.cluster.local|" /data/homeserver.yaml
+ sed -i "s|user: .*|user: matrix|" /data/homeserver.yaml
+ sed -i "s|password: .*|password: $DB_PASSWORD|" /data/homeserver.yaml
+ echo "DB password injected"
+ EOF
+ ]
+ env {
+ name = "DB_PASSWORD"
+ value_from {
+ secret_key_ref {
+ name = "matrix-db-creds"
+ key = "DB_PASSWORD"
+ }
+ }
+ }
+ volume_mount {
+ name = "data"
+ mount_path = "/data"
+ }
+ }
 container {
 image = "matrixdotorg/synapse:latest"
 name = "matrix"
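Review bot: `$DB_PASSWORD` is spliced verbatim into the sed replacement on the third `sed -i` line, so a rotated password containing `&`, `\` or the `|` delimiter would be mangled or break the command, and one beginning with a YAML-special character (`#`, `'`, `"`, `*`, `&`) would leave homeserver.yaml holding a different value than Vault does, with no error from the init container. Either constrain the pg-matrix password policy to characters safe in both contexts, or escape the value before substitution (`pw=$(printf '%s' "$DB_PASSWORD" | sed 's/[\\&|]/\\&/g')`) and emit it as a quoted YAML scalar rather than a bare one. The `user: .*` and `password: .*` patterns are also unanchored, so they rewrite every line of homeserver.yaml that contains those tokens (including commented examples), not only `database.args`; anchoring on the expected indentation or templating the whole `database` section would be safer. The enclosing `kubernetes_deployment` resource starts before and continues after this hunk.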