metis: include reciprocal hecate db key for titan-24 recovery

inventory.titan-rpi4.yaml

@@ -307,6 +307,7 @@ nodes:
     ssh_authorized_keys:
       - ${METIS_SSH_KEY_BASTION}
       - ${METIS_SSH_KEY_BRAD}
+      - ${METIS_SSH_KEY_HECATE_DB}
   - name: titan-0a
     class: rpi5-ubuntu-control-plane
     hostname: titan-0a

pkg/service/remote.go

@@ -604,6 +604,7 @@ export METIS_HARBOR_PASSWORD="{{ .Data.data.harbor_admin_password }}"
 export METIS_SSH_KEY_BASTION="{{ .Data.data.bastion_pub }}"
 export METIS_SSH_KEY_BRAD="{{ .Data.data.brad_pub }}"
 export METIS_SSH_KEY_HECATE_TETHYS="{{ .Data.data.hecate_tethys_pub }}"
+export METIS_SSH_KEY_HECATE_DB="{{ .Data.data.hecate_db_pub }}"
 {{ end }}`
 	}
 	return annotations

pkg/service/remote_test.go

@@ -1,6 +1,9 @@
 package service
 
-import "testing"
+import (
+	"strings"
+	"testing"
+)
 
 func TestMountedHostTmpDirMapsConfiguredTmpPathIntoMount(t *testing.T) {
 	if got := mountedHostTmpDir("/tmp/metis-flash-test"); got != "/host-tmp/metis-flash-test" {
@@ -10,3 +13,19 @@ func TestMountedHostTmpDirMapsConfiguredTmpPathIntoMount(t *testing.T) {
 		t.Fatalf("expected /host-tmp, got %q", got)
 	}
 }
+
+func TestVaultRuntimeAnnotationsIncludeReciprocalHecateKeys(t *testing.T) {
+	withKeys := vaultRuntimeAnnotations(true)
+	template := withKeys["vault.hashicorp.com/agent-inject-template-metis-ssh-env.sh"]
+	if !strings.Contains(template, "METIS_SSH_KEY_HECATE_TETHYS") {
+		t.Fatalf("expected tethys hecate key export in vault template: %q", template)
+	}
+	if !strings.Contains(template, "METIS_SSH_KEY_HECATE_DB") {
+		t.Fatalf("expected db hecate key export in vault template: %q", template)
+	}
+
+	withoutKeys := vaultRuntimeAnnotations(false)
+	if _, ok := withoutKeys["vault.hashicorp.com/agent-inject-template-metis-ssh-env.sh"]; ok {
+		t.Fatalf("did not expect ssh key template when includeSSHKeys=false")
+	}
+}