titan-iac/services/keycloak/oneoffs/metis-node-passwords-secret-ensure-job.yaml

# services/keycloak/oneoffs/metis-node-passwords-secret-ensure-job.yaml
# One-off job for sso/metis-node-passwords-secret-ensure-4.
# Purpose: ensure per-node Metis recovery placeholders exist in Vault.
# Atlas/root values are preserved while intranet IPs are standardized per node.
apiVersion: batch/v1
kind: Job
metadata:
  name: metis-node-passwords-secret-ensure-4
  namespace: sso
spec:
  backoffLimit: 0
  ttlSecondsAfterFinished: 3600
  template:
    spec:
      serviceAccountName: mas-secrets-ensure
      restartPolicy: Never
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: node-role.kubernetes.io/worker
                    operator: Exists
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              preference:
                matchExpressions:
                  - key: kubernetes.io/arch
                    operator: In
                    values: ["arm64"]
      containers:
        - name: apply
          image: registry.bstein.dev/bstein/kubectl:1.35.0
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -eu

              vault_addr="${VAULT_ADDR:-http://vault.vault.svc.cluster.local:8200}"
              vault_role="${VAULT_ROLE:-sso-secrets}"

              jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
              login_payload="$(jq -nc --arg jwt "${jwt}" --arg role "${vault_role}" '{jwt:$jwt, role:$role}')"
              vault_token="$(curl -sS --request POST --data "${login_payload}"                 "${vault_addr}/v1/auth/kubernetes/login" | jq -r '.auth.client_token')"
              if [ -z "${vault_token}" ] || [ "${vault_token}" = "null" ]; then
                echo "vault login failed" >&2
                exit 1
              fi

              ensured=0
              while read -r node intranet_ip; do
                if [ -z "${node}" ] || [ -z "${intranet_ip}" ]; then
                  continue
                fi

                secret_path="kv/data/atlas/nodes/${node}"
                read_status="$(curl -sS -o /tmp/node-read.json -w "%{http_code}"                   -H "X-Vault-Token: ${vault_token}"                   "${vault_addr}/v1/${secret_path}" || true)"
                if [ "${read_status}" = "200" ]; then
                  atlas_password="$(jq -r '.data.data.atlas_password // empty' /tmp/node-read.json)"
                  root_password="$(jq -r '.data.data.root_password // empty' /tmp/node-read.json)"
                elif [ "${read_status}" = "404" ]; then
                  atlas_password=""
                  root_password=""
                else
                  echo "Vault read failed for ${node} (status ${read_status})" >&2
                  cat /tmp/node-read.json >&2 || true
                  exit 1
                fi

                payload="$(jq -nc                   --arg atlas_password "${atlas_password}"                   --arg root_password "${root_password}"                   --arg intranet_ip "${intranet_ip}"                   '{data:{atlas_password:$atlas_password,root_password:$root_password,intranet_ip:$intranet_ip}}')"

                write_status="$(curl -sS -o /tmp/node-write.json -w "%{http_code}" -X POST                   -H "X-Vault-Token: ${vault_token}"                   -H 'Content-Type: application/json'                   -d "${payload}"                   "${vault_addr}/v1/${secret_path}")"
                if [ "${write_status}" != "200" ] && [ "${write_status}" != "204" ]; then
                  echo "Vault write failed for ${node} (status ${write_status})" >&2
                  cat /tmp/node-write.json >&2 || true
                  exit 1
                fi

                ensured=$((ensured + 1))
                echo "Ensured node secret placeholder for ${node} (${intranet_ip})"
              done <<'EOF_NODES'
              titan-jh 192.168.22.8
              titan-db 192.168.22.10
              titan-0a 192.168.22.11
              titan-0b 192.168.22.12
              titan-0c 192.168.22.13
              titan-20 192.168.22.20
              titan-21 192.168.22.21
              titan-22 192.168.22.22
              titan-23 192.168.22.23
              titan-24 192.168.22.26
              titan-04 192.168.22.30
              titan-05 192.168.22.31
              titan-06 192.168.22.32
              titan-07 192.168.22.33
              titan-08 192.168.22.34
              titan-09 192.168.22.35
              titan-10 192.168.22.36
              titan-11 192.168.22.37
              titan-12 192.168.22.40
              titan-13 192.168.22.41
              titan-14 192.168.22.42
              titan-15 192.168.22.43
              titan-16 192.168.22.44
              titan-17 192.168.22.45
              titan-18 192.168.22.46
              titan-19 192.168.22.47
              EOF_NODES

              echo "Ensured ${ensured} Metis node placeholders in Vault"
recovery(metis): seed per-node vault password slots 2026-04-24 17:24:37 -03:00			`# services/keycloak/oneoffs/metis-node-passwords-secret-ensure-job.yaml`
keycloak(metis): seed node intranet ips in vault 2026-04-24 22:18:58 -03:00			`# One-off job for sso/metis-node-passwords-secret-ensure-4.`
			`# Purpose: ensure per-node Metis recovery placeholders exist in Vault.`
			`# Atlas/root values are preserved while intranet IPs are standardized per node.`
recovery(metis): seed per-node vault password slots 2026-04-24 17:24:37 -03:00			`apiVersion: batch/v1`
			`kind: Job`
			`metadata:`
keycloak(metis): seed node intranet ips in vault 2026-04-24 22:18:58 -03:00			`name: metis-node-passwords-secret-ensure-4`
recovery(metis): seed per-node vault password slots 2026-04-24 17:24:37 -03:00			`namespace: sso`
			`spec:`
			`backoffLimit: 0`
			`ttlSecondsAfterFinished: 3600`
			`template:`
			`spec:`
			`serviceAccountName: mas-secrets-ensure`
			`restartPolicy: Never`
			`affinity:`
			`nodeAffinity:`
			`requiredDuringSchedulingIgnoredDuringExecution:`
			`nodeSelectorTerms:`
			`- matchExpressions:`
			`- key: node-role.kubernetes.io/worker`
			`operator: Exists`
			`preferredDuringSchedulingIgnoredDuringExecution:`
			`- weight: 100`
			`preference:`
			`matchExpressions:`
			`- key: kubernetes.io/arch`
			`operator: In`
			`values: ["arm64"]`
			`containers:`
			`- name: apply`
			`image: registry.bstein.dev/bstein/kubectl:1.35.0`
			`command: ["/bin/sh", "-c"]`
			`args:`
			`- \|`
			`set -eu`

			`vault_addr="${VAULT_ADDR:-http://vault.vault.svc.cluster.local:8200}"`
			`vault_role="${VAULT_ROLE:-sso-secrets}"`

			`jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"`
			`login_payload="$(jq -nc --arg jwt "${jwt}" --arg role "${vault_role}" '{jwt:$jwt, role:$role}')"`
			`vault_token="$(curl -sS --request POST --data "${login_payload}" "${vault_addr}/v1/auth/kubernetes/login" \| jq -r '.auth.client_token')"`
			`if [ -z "${vault_token}" ] \|\| [ "${vault_token}" = "null" ]; then`
			`echo "vault login failed" >&2`
			`exit 1`
			`fi`

			`ensured=0`
keycloak(metis): seed node intranet ips in vault 2026-04-24 22:18:58 -03:00			`while read -r node intranet_ip; do`
			`if [ -z "${node}" ] \|\| [ -z "${intranet_ip}" ]; then`
			`continue`
			`fi`

recovery(metis): use atlas kv node secrets 2026-04-24 17:29:58 -03:00			`secret_path="kv/data/atlas/nodes/${node}"`
recovery(metis): seed per-node vault password slots 2026-04-24 17:24:37 -03:00			`read_status="$(curl -sS -o /tmp/node-read.json -w "%{http_code}" -H "X-Vault-Token: ${vault_token}" "${vault_addr}/v1/${secret_path}" \|\| true)"`
			`if [ "${read_status}" = "200" ]; then`
			`atlas_password="$(jq -r '.data.data.atlas_password // empty' /tmp/node-read.json)"`
			`root_password="$(jq -r '.data.data.root_password // empty' /tmp/node-read.json)"`
			`elif [ "${read_status}" = "404" ]; then`
			`atlas_password=""`
			`root_password=""`
			`else`
			`echo "Vault read failed for ${node} (status ${read_status})" >&2`
			`cat /tmp/node-read.json >&2 \|\| true`
			`exit 1`
			`fi`

keycloak(metis): seed node intranet ips in vault 2026-04-24 22:18:58 -03:00			`payload="$(jq -nc --arg atlas_password "${atlas_password}" --arg root_password "${root_password}" --arg intranet_ip "${intranet_ip}" '{data:{atlas_password:$atlas_password,root_password:$root_password,intranet_ip:$intranet_ip}}')"`
recovery(metis): seed per-node vault password slots 2026-04-24 17:24:37 -03:00
			`write_status="$(curl -sS -o /tmp/node-write.json -w "%{http_code}" -X POST -H "X-Vault-Token: ${vault_token}" -H 'Content-Type: application/json' -d "${payload}" "${vault_addr}/v1/${secret_path}")"`
			`if [ "${write_status}" != "200" ] && [ "${write_status}" != "204" ]; then`
			`echo "Vault write failed for ${node} (status ${write_status})" >&2`
			`cat /tmp/node-write.json >&2 \|\| true`
			`exit 1`
			`fi`

			`ensured=$((ensured + 1))`
keycloak(metis): seed node intranet ips in vault 2026-04-24 22:18:58 -03:00			`echo "Ensured node secret placeholder for ${node} (${intranet_ip})"`
			`done <<'EOF_NODES'`
			`titan-jh 192.168.22.8`
			`titan-db 192.168.22.10`
			`titan-0a 192.168.22.11`
			`titan-0b 192.168.22.12`
			`titan-0c 192.168.22.13`
			`titan-20 192.168.22.20`
			`titan-21 192.168.22.21`
			`titan-22 192.168.22.22`
			`titan-23 192.168.22.23`
			`titan-24 192.168.22.26`
			`titan-04 192.168.22.30`
			`titan-05 192.168.22.31`
			`titan-06 192.168.22.32`
			`titan-07 192.168.22.33`
			`titan-08 192.168.22.34`
			`titan-09 192.168.22.35`
			`titan-10 192.168.22.36`
			`titan-11 192.168.22.37`
			`titan-12 192.168.22.40`
			`titan-13 192.168.22.41`
			`titan-14 192.168.22.42`
			`titan-15 192.168.22.43`
			`titan-16 192.168.22.44`
			`titan-17 192.168.22.45`
			`titan-18 192.168.22.46`
			`titan-19 192.168.22.47`
			`EOF_NODES`
recovery(metis): seed per-node vault password slots 2026-04-24 17:24:37 -03:00
keycloak(metis): seed node intranet ips in vault 2026-04-24 22:18:58 -03:00			`echo "Ensured ${ensured} Metis node placeholders in Vault"`