bstein/titan-iac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

recovery(metis): trim node vault password placeholders

Browse Source
This commit is contained in:
jenkins 2026-04-24 18:07:15 -03:00
parent 49e714c88c
commit 0fa1b38f95
1 changed files with 4 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
services/keycloak/oneoffs/metis-node-passwords-secret-ensure-job.yaml
View File

@ -1,11 +1,11 @@
# services/keycloak/oneoffs/metis-node-passwords-secret-ensure-job.yaml # services/keycloak/oneoffs/metis-node-passwords-secret-ensure-job.yaml
# One-off job for sso/metis-node-passwords-secret-ensure-2. # One-off job for sso/metis-node-passwords-secret-ensure-3.
# Purpose: ensure per-node Metis recovery password placeholders exist in Vault. # Purpose: ensure per-node Metis recovery password placeholders exist in Vault.
# Existing values are preserved; only missing fields are initialized. # Atlas/root values are preserved while legacy password keys are removed.
apiVersion: batch/v1 apiVersion: batch/v1
kind: Job kind: Job
metadata: metadata:
name: metis-node-passwords-secret-ensure-2 name: metis-node-passwords-secret-ensure-3
namespace: sso namespace: sso
spec: spec:
backoffLimit: 0 backoffLimit: 0
@ -79,26 +79,18 @@ spec:
secret_path="kv/data/atlas/nodes/${node}" secret_path="kv/data/atlas/nodes/${node}"
read_status="$(curl -sS -o /tmp/node-read.json -w "%{http_code}" -H "X-Vault-Token: ${vault_token}" "${vault_addr}/v1/${secret_path}" || true)" read_status="$(curl -sS -o /tmp/node-read.json -w "%{http_code}" -H "X-Vault-Token: ${vault_token}" "${vault_addr}/v1/${secret_path}" || true)"
if [ "${read_status}" = "200" ]; then if [ "${read_status}" = "200" ]; then
ssh_password="$(jq -r '.data.data.ssh_password // empty' /tmp/node-read.json)"
ssh_password_hash="$(jq -r '.data.data.ssh_password_hash // empty' /tmp/node-read.json)"
atlas_password="$(jq -r '.data.data.atlas_password // empty' /tmp/node-read.json)" atlas_password="$(jq -r '.data.data.atlas_password // empty' /tmp/node-read.json)"
atlas_password_hash="$(jq -r '.data.data.atlas_password_hash // empty' /tmp/node-read.json)"
root_password="$(jq -r '.data.data.root_password // empty' /tmp/node-read.json)" root_password="$(jq -r '.data.data.root_password // empty' /tmp/node-read.json)"
root_password_hash="$(jq -r '.data.data.root_password_hash // empty' /tmp/node-read.json)"
elif [ "${read_status}" = "404" ]; then elif [ "${read_status}" = "404" ]; then
ssh_password=""
ssh_password_hash=""
atlas_password="" atlas_password=""
atlas_password_hash=""
root_password="" root_password=""
root_password_hash=""
else else
echo "Vault read failed for ${node} (status ${read_status})" >&2 echo "Vault read failed for ${node} (status ${read_status})" >&2
cat /tmp/node-read.json >&2 || true cat /tmp/node-read.json >&2 || true
exit 1 exit 1
fi fi
payload="$(jq -nc --arg hostname "${node}" --arg ssh_password "${ssh_password}" --arg ssh_password_hash "${ssh_password_hash}" --arg atlas_password "${atlas_password}" --arg atlas_password_hash "${atlas_password_hash}" --arg root_password "${root_password}" --arg root_password_hash "${root_password_hash}" '{data:{hostname:$hostname,ssh_password:$ssh_password,ssh_password_hash:$ssh_password_hash,atlas_password:$atlas_password,atlas_password_hash:$atlas_password_hash,root_password:$root_password,root_password_hash:$root_password_hash}}')" payload="$(jq -nc --arg atlas_password "${atlas_password}" --arg root_password "${root_password}" '{data:{atlas_password:$atlas_password,root_password:$root_password}}')"
write_status="$(curl -sS -o /tmp/node-write.json -w "%{http_code}" -X POST -H "X-Vault-Token: ${vault_token}" -H 'Content-Type: application/json' -d "${payload}" "${vault_addr}/v1/${secret_path}")" write_status="$(curl -sS -o /tmp/node-write.json -w "%{http_code}" -X POST -H "X-Vault-Token: ${vault_token}" -H 'Content-Type: application/json' -d "${payload}" "${vault_addr}/v1/${secret_path}")"
if [ "${write_status}" != "200" ] && [ "${write_status}" != "204" ]; then if [ "${write_status}" != "200" ] && [ "${write_status}" != "204" ]; then