bstein/titan-iac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

keycloak(metis): seed node intranet ips in vault

Browse Source
This commit is contained in:
Codex 2026-04-24 22:18:58 -03:00
parent 84934a6d1c
commit 0171ffad38
1 changed files with 40 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

76
services/keycloak/oneoffs/metis-node-passwords-secret-ensure-job.yaml
View File

@ -1,11 +1,11 @@
# services/keycloak/oneoffs/metis-node-passwords-secret-ensure-job.yaml # services/keycloak/oneoffs/metis-node-passwords-secret-ensure-job.yaml
# One-off job for sso/metis-node-passwords-secret-ensure-3. # One-off job for sso/metis-node-passwords-secret-ensure-4.
# Purpose: ensure per-node Metis recovery password placeholders exist in Vault. # Purpose: ensure per-node Metis recovery placeholders exist in Vault.
# Atlas/root values are preserved while legacy password keys are removed. # Atlas/root values are preserved while intranet IPs are standardized per node.
apiVersion: batch/v1 apiVersion: batch/v1
kind: Job kind: Job
metadata: metadata:
name: metis-node-passwords-secret-ensure-3 name: metis-node-passwords-secret-ensure-4
namespace: sso namespace: sso
spec: spec:
backoffLimit: 0 backoffLimit: 0
@ -47,35 +47,12 @@ spec:
exit 1 exit 1
fi fi
nodes="
titan-04
titan-05
titan-06
titan-07
titan-08
titan-09
titan-0a
titan-0b
titan-0c
titan-10
titan-11
titan-12
titan-13
titan-14
titan-15
titan-16
titan-17
titan-18
titan-19
titan-20
titan-21
titan-22
titan-23
titan-24
"
ensured=0 ensured=0
for node in ${nodes}; do while read -r node intranet_ip; do
if [ -z "${node}" ] || [ -z "${intranet_ip}" ]; then
continue
fi
secret_path="kv/data/atlas/nodes/${node}" secret_path="kv/data/atlas/nodes/${node}"
read_status="$(curl -sS -o /tmp/node-read.json -w "%{http_code}" -H "X-Vault-Token: ${vault_token}" "${vault_addr}/v1/${secret_path}" || true)" read_status="$(curl -sS -o /tmp/node-read.json -w "%{http_code}" -H "X-Vault-Token: ${vault_token}" "${vault_addr}/v1/${secret_path}" || true)"
if [ "${read_status}" = "200" ]; then if [ "${read_status}" = "200" ]; then
@ -90,7 +67,7 @@ spec:
exit 1 exit 1
fi fi
payload="$(jq -nc --arg atlas_password "${atlas_password}" --arg root_password "${root_password}" '{data:{atlas_password:$atlas_password,root_password:$root_password}}')" payload="$(jq -nc --arg atlas_password "${atlas_password}" --arg root_password "${root_password}" --arg intranet_ip "${intranet_ip}" '{data:{atlas_password:$atlas_password,root_password:$root_password,intranet_ip:$intranet_ip}}')"
write_status="$(curl -sS -o /tmp/node-write.json -w "%{http_code}" -X POST -H "X-Vault-Token: ${vault_token}" -H 'Content-Type: application/json' -d "${payload}" "${vault_addr}/v1/${secret_path}")" write_status="$(curl -sS -o /tmp/node-write.json -w "%{http_code}" -X POST -H "X-Vault-Token: ${vault_token}" -H 'Content-Type: application/json' -d "${payload}" "${vault_addr}/v1/${secret_path}")"
if [ "${write_status}" != "200" ] && [ "${write_status}" != "204" ]; then if [ "${write_status}" != "200" ] && [ "${write_status}" != "204" ]; then
@ -100,7 +77,34 @@ spec:
fi fi
ensured=$((ensured + 1)) ensured=$((ensured + 1))
echo "Ensured node secret placeholder for ${node}" echo "Ensured node secret placeholder for ${node} (${intranet_ip})"
done done <<'EOF_NODES'
titan-jh 192.168.22.8
titan-db 192.168.22.10
titan-0a 192.168.22.11
titan-0b 192.168.22.12
titan-0c 192.168.22.13
titan-20 192.168.22.20
titan-21 192.168.22.21
titan-22 192.168.22.22
titan-23 192.168.22.23
titan-24 192.168.22.26
titan-04 192.168.22.30
titan-05 192.168.22.31
titan-06 192.168.22.32
titan-07 192.168.22.33
titan-08 192.168.22.34
titan-09 192.168.22.35
titan-10 192.168.22.36
titan-11 192.168.22.37
titan-12 192.168.22.40
titan-13 192.168.22.41
titan-14 192.168.22.42
titan-15 192.168.22.43
titan-16 192.168.22.44
titan-17 192.168.22.45
titan-18 192.168.22.46
titan-19 192.168.22.47
EOF_NODES
echo "Ensured ${ensured} Metis node password placeholders in Vault" echo "Ensured ${ensured} Metis node placeholders in Vault"