diff --git a/services/keycloak/oneoffs/metis-node-passwords-secret-ensure-job.yaml b/services/keycloak/oneoffs/metis-node-passwords-secret-ensure-job.yaml
index 23adc9b1..745adf9b 100644
--- a/services/keycloak/oneoffs/metis-node-passwords-secret-ensure-job.yaml
+++ b/services/keycloak/oneoffs/metis-node-passwords-secret-ensure-job.yaml
@@ -1,11 +1,11 @@
 # services/keycloak/oneoffs/metis-node-passwords-secret-ensure-job.yaml
-# One-off job for sso/metis-node-passwords-secret-ensure-3.
-# Purpose: ensure per-node Metis recovery password placeholders exist in Vault.
-# Atlas/root values are preserved while legacy password keys are removed.
+# One-off job for sso/metis-node-passwords-secret-ensure-4.
+# Purpose: ensure per-node Metis recovery placeholders exist in Vault.
+# Atlas/root values are preserved while intranet IPs are standardized per node.
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: metis-node-passwords-secret-ensure-3
+  name: metis-node-passwords-secret-ensure-4
 namespace: sso
 spec:
 backoffLimit: 0
@@ -47,35 +47,12 @@ spec:
 exit 1
 fi
- nodes="
- titan-04
- titan-05
- titan-06
- titan-07
- titan-08
- titan-09
- titan-0a
- titan-0b
- titan-0c
- titan-10
- titan-11
- titan-12
- titan-13
- titan-14
- titan-15
- titan-16
- titan-17
- titan-18
- titan-19
- titan-20
- titan-21
- titan-22
- titan-23
- titan-24
- "
- ensured=0
- for node in ${nodes}; do
+ while read -r node intranet_ip; do
+ if [ -z "${node}" ] || [ -z "${intranet_ip}" ]; then
+ continue
+ fi
+ secret_path="kv/data/atlas/nodes/${node}"
 read_status="$(curl -sS -o /tmp/node-read.json -w "%{http_code}" -H "X-Vault-Token: ${vault_token}" "${vault_addr}/v1/${secret_path}" || true)"
 if [ "${read_status}" = "200" ]; then
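Review bot: The old `ensured=0` initialiser is deleted together with the `for` loop but nothing re-creates it before the new `while`, while `ensured=$((ensured + 1))` and the final summary echo (later hunk) still use it; if the script runs under `set -u` (not visible here) the first node aborts the job, otherwise the count only works because an unset name expands to 0 in arithmetic. The `read -r node intranet_ip` line also accepts any second field and folds any trailing fields into `intranet_ip`, yet that value is written into Vault unchecked, so a typo or a trailing comment in the table is persisted as the node's address. Re-adding the initialiser, capturing trailing fields and rejecting anything that is not dotted-decimal keeps the job fail-closed; the loop body continues outside this hunk.
```shell
ensured=0
while read -r node intranet_ip extra; do
  if [ -z "${node}" ] || [ -z "${intranet_ip}" ]; then
    continue
  fi
  # Fail closed: a stray third field or a non dotted-decimal address is a
  # table error, not something to store as a node's intranet_ip.
  if [ -n "${extra}" ]; then
    echo "Unexpected trailing field for ${node}: ${extra}" >&2
    exit 1
  fi
  case "${intranet_ip}" in
    *[!0-9.]*|.*|*.|*..*)
      echo "Invalid intranet_ip for ${node}: ${intranet_ip}" >&2
      exit 1
      ;;
  esac
  # … unchanged: Vault read of kv/data/atlas/nodes/${node} …
```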
@@ -90,7 +67,7 @@ spec:
 exit 1
 fi
- payload="$(jq -nc --arg atlas_password "${atlas_password}" --arg root_password "${root_password}" '{data:{atlas_password:$atlas_password,root_password:$root_password}}')"
+ payload="$(jq -nc --arg atlas_password "${atlas_password}" --arg root_password "${root_password}" --arg intranet_ip "${intranet_ip}" '{data:{atlas_password:$atlas_password,root_password:$root_password,intranet_ip:$intranet_ip}}')"
 write_status="$(curl -sS -o /tmp/node-write.json -w "%{http_code}" -X POST -H "X-Vault-Token: ${vault_token}" -H 'Content-Type: application/json' -d "${payload}" "${vault_addr}/v1/${secret_path}")"
 if [ "${write_status}" != "200" ] && [ "${write_status}" != "204" ]; then
@@ -100,7 +77,34 @@ spec:
 fi
 ensured=$((ensured + 1))
- echo "Ensured node secret placeholder for ${node}"
- done
+ echo "Ensured node secret placeholder for ${node} (${intranet_ip})"
+ done <<'EOF_NODES'
+ titan-jh 192.168.22.8
+ titan-db 192.168.22.10
+ titan-0a 192.168.22.11
+ titan-0b 192.168.22.12
+ titan-0c 192.168.22.13
+ titan-20 192.168.22.20
+ titan-21 192.168.22.21
+ titan-22 192.168.22.22
+ titan-23 192.168.22.23
+ titan-24 192.168.22.26
+ titan-04 192.168.22.30
+ titan-05 192.168.22.31
+ titan-06 192.168.22.32
+ titan-07 192.168.22.33
+ titan-08 192.168.22.34
+ titan-09 192.168.22.35
+ titan-10 192.168.22.36
+ titan-11 192.168.22.37
+ titan-12 192.168.22.40
+ titan-13 192.168.22.41
+ titan-14 192.168.22.42
+ titan-15 192.168.22.43
+ titan-16 192.168.22.44
+ titan-17 192.168.22.45
+ titan-18 192.168.22.46
+ titan-19 192.168.22.47
+ EOF_NODES
- echo "Ensured ${ensured} Metis node password placeholders in Vault"
+ echo "Ensured ${ensured} Metis node placeholders in Vault"
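Review bot: The rewritten `payload=` line still hands the JSON carrying both recovery passwords (now plus the IP) to curl as an argument via `-d "${payload}"`, so for the duration of each request the secrets sit in curl's argv, readable through `/proc/*/cmdline` by anything sharing the pod's PID namespace. Feed the body through a pipe instead: `write_status="$(printf '%s' "${payload}" | curl -sS -o /tmp/node-write.json -w "%{http_code}" -X POST -H "X-Vault-Token: ${vault_token}" -H 'Content-Type: application/json' -d @- "${vault_addr}/v1/${secret_path}")"`. A pipe rather than a bare `-d @-` matters because, after the next hunk, the loop's own stdin is the node table. The token in `-H "X-Vault-Token: …"` has the same argv exposure but predates this change; `-H @file` would close that one. The enclosing `if [ "${read_status}" = "200" ]` branch starts outside this hunk.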
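Review bot: Attaching the node table with `done <<'EOF_NODES'` makes every command in the loop body share stdin with `read`; today `curl` (with `-d "string"`) and `jq -n` do not consume stdin, but any later change that does (`-d @-`, a `jq` without a file argument) would silently eat node lines and the job would finish "successfully" having ensured fewer nodes. Use a dedicated descriptor so the table can only be read by `read`: `while read -r node intranet_ip <&3; do` … `done 3<<'EOF_NODES'`. Separately, because the here-doc uses `<<` rather than `<<-`, the `EOF_NODES` terminator must be at column 0 of the script once YAML strips the block scalar's common indent; the collapsed diff does not show the indentation, so confirm it is not indented with the loop body, otherwise the here-doc runs to end of script and the final summary echo becomes table input.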