From 0fa1b38f95e7db1f0646a3a9ac01ed6a79659e9b Mon Sep 17 00:00:00 2001 From: jenkins Date: Fri, 24 Apr 2026 18:07:15 -0300 Subject: [PATCH] recovery(metis): trim node vault password placeholders --- .../metis-node-passwords-secret-ensure-job.yaml | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) diff --git a/services/keycloak/oneoffs/metis-node-passwords-secret-ensure-job.yaml b/services/keycloak/oneoffs/metis-node-passwords-secret-ensure-job.yaml index aa21110c..23adc9b1 100644 --- a/services/keycloak/oneoffs/metis-node-passwords-secret-ensure-job.yaml +++ b/services/keycloak/oneoffs/metis-node-passwords-secret-ensure-job.yaml @@ -1,11 +1,11 @@ # services/keycloak/oneoffs/metis-node-passwords-secret-ensure-job.yaml -# One-off job for sso/metis-node-passwords-secret-ensure-2. +# One-off job for sso/metis-node-passwords-secret-ensure-3. # Purpose: ensure per-node Metis recovery password placeholders exist in Vault. -# Existing values are preserved; only missing fields are initialized. +# Atlas/root values are preserved while legacy password keys are removed. apiVersion: batch/v1 kind: Job metadata: - name: metis-node-passwords-secret-ensure-2 + name: metis-node-passwords-secret-ensure-3 namespace: sso spec: backoffLimit: 0 @@ -79,26 +79,18 @@ spec: secret_path="kv/data/atlas/nodes/${node}" read_status="$(curl -sS -o /tmp/node-read.json -w "%{http_code}" -H "X-Vault-Token: ${vault_token}" "${vault_addr}/v1/${secret_path}" || true)" if [ "${read_status}" = "200" ]; then - ssh_password="$(jq -r '.data.data.ssh_password // empty' /tmp/node-read.json)" - ssh_password_hash="$(jq -r '.data.data.ssh_password_hash // empty' /tmp/node-read.json)" atlas_password="$(jq -r '.data.data.atlas_password // empty' /tmp/node-read.json)" - atlas_password_hash="$(jq -r '.data.data.atlas_password_hash // empty' /tmp/node-read.json)" root_password="$(jq -r '.data.data.root_password // empty' /tmp/node-read.json)" - root_password_hash="$(jq -r '.data.data.root_password_hash // empty' /tmp/node-read.json)" elif [ "${read_status}" = "404" ]; then - ssh_password="" - ssh_password_hash="" atlas_password="" - atlas_password_hash="" root_password="" - root_password_hash="" else echo "Vault read failed for ${node} (status ${read_status})" >&2 cat /tmp/node-read.json >&2 || true exit 1 fi - payload="$(jq -nc --arg hostname "${node}" --arg ssh_password "${ssh_password}" --arg ssh_password_hash "${ssh_password_hash}" --arg atlas_password "${atlas_password}" --arg atlas_password_hash "${atlas_password_hash}" --arg root_password "${root_password}" --arg root_password_hash "${root_password_hash}" '{data:{hostname:$hostname,ssh_password:$ssh_password,ssh_password_hash:$ssh_password_hash,atlas_password:$atlas_password,atlas_password_hash:$atlas_password_hash,root_password:$root_password,root_password_hash:$root_password_hash}}')" + payload="$(jq -nc --arg atlas_password "${atlas_password}" --arg root_password "${root_password}" '{data:{atlas_password:$atlas_password,root_password:$root_password}}')" write_status="$(curl -sS -o /tmp/node-write.json -w "%{http_code}" -X POST -H "X-Vault-Token: ${vault_token}" -H 'Content-Type: application/json' -d "${payload}" "${vault_addr}/v1/${secret_path}")" if [ "${write_status}" != "200" ] && [ "${write_status}" != "204" ]; then