recovery(metis): use atlas kv node secrets

This commit is contained in:
jenkins 2026-04-24 17:29:58 -03:00
parent 04a80c1168
commit 6c4a7dea29
2 changed files with 5 additions and 5 deletions


@ -76,7 +76,7 @@ spec:
ensured=0
for node in ${nodes}; do
secret_path="secret/data/nodes/${node}"
secret_path="kv/data/atlas/nodes/${node}"
read_status="$(curl -sS -o /tmp/node-read.json -w "%{http_code}" -H "X-Vault-Token: ${vault_token}" "${vault_addr}/v1/${secret_path}" || true)"
if [ "${read_status}" = "200" ]; then
ssh_password="$(jq -r '.data.data.ssh_password // empty' /tmp/node-read.json)"
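Review bot: The Vault response for each node is written with `curl -o` to the fixed path `/tmp/node-read.json`, and that file, which holds `ssh_password` once `jq` has read it, is never removed inside the hunk; a predictable filename in a shared tmp directory can be pre-created or read by another process on the host. Use a private temp file and drop it on exit, e.g. `node_read=$(mktemp)` before the loop with `trap 'rm -f -- "$node_read"' EXIT`, and pass `-o "$node_read"` to curl and `jq`. Separately, the `|| true` lets a failed curl fall through with an empty or `000` status, which the `= "200"` check tolerates silently; logging the status when it is not 200 would make a policy denial (403) after this path change visible instead of looking like a missing node. The `for node` loop body continues outside the hunk.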


@ -239,10 +239,10 @@ write_policy_and_role "health" "health" "health-vault-sync" \
write_policy_and_role "maintenance" "maintenance" "ariadne,maintenance-vault-sync,metis" \
"maintenance/ariadne-db maintenance/metis-oidc maintenance/soteria-oidc maintenance/metis-ssh-keys maintenance/metis-runtime portal/atlas-portal-db portal/bstein-dev-home-keycloak-admin mailu/mailu-db-secret mailu/mailu-initial-account-secret nextcloud/nextcloud-db nextcloud/nextcloud-admin health/wger-admin finance/firefly-secrets comms/mas-admin-client-runtime comms/atlasbot-credentials-runtime comms/synapse-db comms/synapse-admin vault/vault-oidc-config shared/harbor-pull harbor/harbor-core" "" \
'
path "secret/data/nodes/*" {
path "kv/data/atlas/nodes/*" {
capabilities = ["read"]
}
path "secret/metadata/nodes/*" {
path "kv/metadata/atlas/nodes/*" {
capabilities = ["list"]
}
'
@ -265,10 +265,10 @@ write_policy_and_role "sso-secrets" "sso" "mas-secrets-ensure" \
"shared/keycloak-admin maintenance/metis-ssh-keys" \
"harbor/harbor-oidc vault/vault-oidc-config comms/synapse-oidc logging/oauth2-proxy-logs-oidc finance/actual-oidc maintenance/metis-oidc maintenance/soteria-oidc maintenance/metis-ssh-keys" \
'
path "secret/data/nodes/*" {
path "kv/data/atlas/nodes/*" {
capabilities = ["create", "update", "read"]
}
path "secret/metadata/nodes/*" {
path "kv/metadata/atlas/nodes/*" {
capabilities = ["list"]
}
'
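Review bot: The `sso-secrets` policy grants `["create", "update", "read"]` on `kv/data/atlas/nodes/*`, and per the reader in the first file those entries carry `ssh_password`, so the `mas-secrets-ensure` account can rewrite node SSH credentials; if that account only consumes them, trimming the capability to `["read"]` would bring it in line with the maintenance policy in the hunk above. Nothing in either hunk migrates or revokes the entries that still exist under `secret/data/nodes/*`, so I assume that is handled elsewhere; a one-line comment above the policy, e.g. `# node secrets live under kv/data/atlas/nodes (moved from secret/data/nodes)`, would record the intended mount for the next reader. The same path literal appears four times across the two policies and once in the reader script, so the mount is easy to drift out of sync if it moves again.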