recovery(metis): trim node vault password placeholders

services/keycloak/oneoffs/metis-node-passwords-secret-ensure-job.yaml

@@ -1,11 +1,11 @@
 # services/keycloak/oneoffs/metis-node-passwords-secret-ensure-job.yaml
-# One-off job for sso/metis-node-passwords-secret-ensure-2.
+# One-off job for sso/metis-node-passwords-secret-ensure-3.
 # Purpose: ensure per-node Metis recovery password placeholders exist in Vault.
-# Existing values are preserved; only missing fields are initialized.
+# Atlas/root values are preserved while legacy password keys are removed.
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: metis-node-passwords-secret-ensure-2
+  name: metis-node-passwords-secret-ensure-3
   namespace: sso
 spec:
   backoffLimit: 0
@@ -79,26 +79,18 @@ spec:
                 secret_path="kv/data/atlas/nodes/${node}"
                 read_status="$(curl -sS -o /tmp/node-read.json -w "%{http_code}"                   -H "X-Vault-Token: ${vault_token}"                   "${vault_addr}/v1/${secret_path}" || true)"
                 if [ "${read_status}" = "200" ]; then
-                  ssh_password="$(jq -r '.data.data.ssh_password // empty' /tmp/node-read.json)"
-                  ssh_password_hash="$(jq -r '.data.data.ssh_password_hash // empty' /tmp/node-read.json)"
                   atlas_password="$(jq -r '.data.data.atlas_password // empty' /tmp/node-read.json)"
-                  atlas_password_hash="$(jq -r '.data.data.atlas_password_hash // empty' /tmp/node-read.json)"
                   root_password="$(jq -r '.data.data.root_password // empty' /tmp/node-read.json)"
-                  root_password_hash="$(jq -r '.data.data.root_password_hash // empty' /tmp/node-read.json)"
                 elif [ "${read_status}" = "404" ]; then
-                  ssh_password=""
-                  ssh_password_hash=""
                   atlas_password=""
-                  atlas_password_hash=""
                   root_password=""
-                  root_password_hash=""
                 else
                   echo "Vault read failed for ${node} (status ${read_status})" >&2
                   cat /tmp/node-read.json >&2 || true
                   exit 1
                 fi
 
-                payload="$(jq -nc                   --arg hostname "${node}"                   --arg ssh_password "${ssh_password}"                   --arg ssh_password_hash "${ssh_password_hash}"                   --arg atlas_password "${atlas_password}"                   --arg atlas_password_hash "${atlas_password_hash}"                   --arg root_password "${root_password}"                   --arg root_password_hash "${root_password_hash}"                   '{data:{hostname:$hostname,ssh_password:$ssh_password,ssh_password_hash:$ssh_password_hash,atlas_password:$atlas_password,atlas_password_hash:$atlas_password_hash,root_password:$root_password,root_password_hash:$root_password_hash}}')"
+                payload="$(jq -nc                   --arg atlas_password "${atlas_password}"                   --arg root_password "${root_password}"                   '{data:{atlas_password:$atlas_password,root_password:$root_password}}')"
 
                 write_status="$(curl -sS -o /tmp/node-write.json -w "%{http_code}" -X POST                   -H "X-Vault-Token: ${vault_token}"                   -H 'Content-Type: application/json'                   -d "${payload}"                   "${vault_addr}/v1/${secret_path}")"
                 if [ "${write_status}" != "200" ] && [ "${write_status}" != "204" ]; then