metis: source peer access keys from env-backed secrets

2026-04-05 10:06:55 -03:00 · 2026-04-05 10:06:55 -03:00 · da6bb1aaab
commit da6bb1aaab
parent edb718a5f6
2 changed files with 13 additions and 6 deletions
--- a/inventory.titan-rpi4.yaml
+++ b/inventory.titan-rpi4.yaml
@ -283,7 +283,7 @@ nodes:
    ssh_user: atlas
    ssh_authorized_keys:
      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOb8oMX6u0z3sH/p/WBGlvPXXdbGETCKzWYwR/dd6fZb titan-bastion
-      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBlmAXoeYVcX3zE+MSsvjB7gpAHRX0djiWYxoAuAFEQx brad.stein@bstein.dev
+      - ${METIS_SSH_KEY_BRAD}
  - name: titan-db
    class: rpi5-ubuntu-host
    hostname: titan-db
@ -294,8 +294,8 @@ nodes:
    ssh_user: atlas
    ssh_authorized_keys:
      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOb8oMX6u0z3sH/p/WBGlvPXXdbGETCKzWYwR/dd6fZb titan-bastion
-      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBlmAXoeYVcX3zE+MSsvjB7gpAHRX0djiWYxoAuAFEQx brad.stein@bstein.dev
-      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA48uzhL71cXeFDb+LGla1z0kFUYfWPWIgby7uaaGAaY hecate-tethys-forward
+      - ${METIS_SSH_KEY_BRAD}
+      - ${METIS_SSH_KEY_HECATE_TETHYS}
  - name: titan-24
    class: amd64-debian-worker
    hostname: titan-24
@ -306,7 +306,7 @@ nodes:
    ssh_user: atlas
    ssh_authorized_keys:
      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOb8oMX6u0z3sH/p/WBGlvPXXdbGETCKzWYwR/dd6fZb titan-bastion
-      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBlmAXoeYVcX3zE+MSsvjB7gpAHRX0djiWYxoAuAFEQx brad.stein@bstein.dev
+      - ${METIS_SSH_KEY_BRAD}
  - name: titan-0a
    class: rpi5-ubuntu-control-plane
    hostname: titan-0a
--- a/pkg/inventory/types.go
+++ b/pkg/inventory/types.go
@ -3,6 +3,7 @@ package inventory
 import (
 	"fmt"
 	"os"
+	"strings"

 	"gopkg.in/yaml.v3"
 )
@ -106,9 +107,15 @@ func expandInventory(inv *Inventory) {
 		for taintIdx, value := range inv.Nodes[idx].Taints {
 			inv.Nodes[idx].Taints[taintIdx] = os.ExpandEnv(value)
 		}
-		for keyIdx, value := range inv.Nodes[idx].SSHAuthorized {
-			inv.Nodes[idx].SSHAuthorized[keyIdx] = os.ExpandEnv(value)
+		expandedKeys := make([]string, 0, len(inv.Nodes[idx].SSHAuthorized))
+		for _, value := range inv.Nodes[idx].SSHAuthorized {
+			expanded := strings.TrimSpace(os.ExpandEnv(value))
+			if expanded == "" {
+				continue
+			}
+			expandedKeys = append(expandedKeys, expanded)
 		}
+		inv.Nodes[idx].SSHAuthorized = expandedKeys
 		for diskIdx := range inv.Nodes[idx].LonghornDisks {
 			inv.Nodes[idx].LonghornDisks[diskIdx].Mountpoint = os.ExpandEnv(inv.Nodes[idx].LonghornDisks[diskIdx].Mountpoint)
 			inv.Nodes[idx].LonghornDisks[diskIdx].UUID = os.ExpandEnv(inv.Nodes[idx].LonghornDisks[diskIdx].UUID)