metis: include reciprocal hecate db key for titan-24 recovery

2026-04-05 13:52:20 -03:00 · 2026-04-05 13:52:20 -03:00 · b0dc2d855d
commit b0dc2d855d
parent b42cf9564f
3 changed files with 23 additions and 2 deletions
--- a/inventory.titan-rpi4.yaml
+++ b/inventory.titan-rpi4.yaml
@ -307,6 +307,7 @@ nodes:
    ssh_authorized_keys:
      - ${METIS_SSH_KEY_BASTION}
      - ${METIS_SSH_KEY_BRAD}
+      - ${METIS_SSH_KEY_HECATE_DB}
  - name: titan-0a
    class: rpi5-ubuntu-control-plane
    hostname: titan-0a
@ -336,4 +337,4 @@ nodes:
    k3s_token: ${METIS_K3S_TOKEN}
    ssh_user: atlas
    ssh_authorized_keys:
-      - ${METIS_SSH_KEY_BASTION}
+      - ${METIS_SSH_KEY_BASTION}
--- a/pkg/service/remote.go
+++ b/pkg/service/remote.go
@ -604,6 +604,7 @@ export METIS_HARBOR_PASSWORD="{{ .Data.data.harbor_admin_password }}"
 export METIS_SSH_KEY_BASTION="{{ .Data.data.bastion_pub }}"
 export METIS_SSH_KEY_BRAD="{{ .Data.data.brad_pub }}"
 export METIS_SSH_KEY_HECATE_TETHYS="{{ .Data.data.hecate_tethys_pub }}"
+export METIS_SSH_KEY_HECATE_DB="{{ .Data.data.hecate_db_pub }}"
 {{ end }}`
 	}
 	return annotations
--- a/pkg/service/remote_test.go
+++ b/pkg/service/remote_test.go
@ -1,6 +1,9 @@
 package service

-import "testing"
+import (
+	"strings"
+	"testing"
+)

 func TestMountedHostTmpDirMapsConfiguredTmpPathIntoMount(t *testing.T) {
 	if got := mountedHostTmpDir("/tmp/metis-flash-test"); got != "/host-tmp/metis-flash-test" {
@ -10,3 +13,19 @@ func TestMountedHostTmpDirMapsConfiguredTmpPathIntoMount(t *testing.T) {
 		t.Fatalf("expected /host-tmp, got %q", got)
 	}
 }
+
+func TestVaultRuntimeAnnotationsIncludeReciprocalHecateKeys(t *testing.T) {
+	withKeys := vaultRuntimeAnnotations(true)
+	template := withKeys["vault.hashicorp.com/agent-inject-template-metis-ssh-env.sh"]
+	if !strings.Contains(template, "METIS_SSH_KEY_HECATE_TETHYS") {
+		t.Fatalf("expected tethys hecate key export in vault template: %q", template)
+	}
+	if !strings.Contains(template, "METIS_SSH_KEY_HECATE_DB") {
+		t.Fatalf("expected db hecate key export in vault template: %q", template)
+	}
+
+	withoutKeys := vaultRuntimeAnnotations(false)
+	if _, ok := withoutKeys["vault.hashicorp.com/agent-inject-template-metis-ssh-env.sh"]; ok {
+		t.Fatalf("did not expect ssh key template when includeSSHKeys=false")
+	}
+}