From 6c4a7dea29c38997e41c9fde70392c20acdee30d Mon Sep 17 00:00:00 2001
From: jenkins
Date: Fri, 24 Apr 2026 17:29:58 -0300
Subject: [PATCH] recovery(metis): use atlas kv node secrets
---
 .../oneoffs/metis-node-passwords-secret-ensure-job.yaml | 2 +-
 services/vault/scripts/vault_k8s_auth_configure.sh | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/services/keycloak/oneoffs/metis-node-passwords-secret-ensure-job.yaml b/services/keycloak/oneoffs/metis-node-passwords-secret-ensure-job.yaml
index 270c7c38..bb357d24 100644
--- a/services/keycloak/oneoffs/metis-node-passwords-secret-ensure-job.yaml
+++ b/services/keycloak/oneoffs/metis-node-passwords-secret-ensure-job.yaml
@@ -76,7 +76,7 @@ spec:
 ensured=0
 for node in ${nodes}; do
- secret_path="secret/data/nodes/${node}"
+ secret_path="kv/data/atlas/nodes/${node}"
 read_status="$(curl -sS -o /tmp/node-read.json -w "%{http_code}" -H "X-Vault-Token: ${vault_token}" "${vault_addr}/v1/${secret_path}" || true)"
 if [ "${read_status}" = "200" ]; then
 ssh_password="$(jq -r '.data.data.ssh_password // empty' /tmp/node-read.json)"
diff --git a/services/vault/scripts/vault_k8s_auth_configure.sh b/services/vault/scripts/vault_k8s_auth_configure.sh
index b21ac3aa..1a8efc58 100644
--- a/services/vault/scripts/vault_k8s_auth_configure.sh
+++ b/services/vault/scripts/vault_k8s_auth_configure.sh
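Review bot: The read that follows the new `secret_path` line treats every non-200 status the same, so once the lookup moves to `kv/data/atlas/nodes/${node}` a 403 from a Vault whose policies have not yet picked up the second file of this patch is indistinguishable from a genuinely missing secret, and a stale policy would presumably send the job down its not-found path instead of failing; the rest of the loop body is outside the hunk, so I cannot see what that path does. I would reject anything other than 200 or 404 before the `if`, e.g. `case "${read_status}" in 200|404) ;; *) echo "vault read ${secret_path}: HTTP ${read_status}" >&2; exit 1 ;; esac`. The `kv/data/atlas/nodes` prefix is also hard-coded here and again in the policy script, so a comment naming that coupling would help: `# must match the node-secret paths granted in services/vault/scripts/vault_k8s_auth_configure.sh`. The enclosing `for node` loop starts inside the hunk but ends outside it.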
@@ -239,10 +239,10 @@ write_policy_and_role "health" "health" "health-vault-sync" \
 write_policy_and_role "maintenance" "maintenance" "ariadne,maintenance-vault-sync,metis" \
 "maintenance/ariadne-db maintenance/metis-oidc maintenance/soteria-oidc maintenance/metis-ssh-keys maintenance/metis-runtime portal/atlas-portal-db portal/bstein-dev-home-keycloak-admin mailu/mailu-db-secret mailu/mailu-initial-account-secret nextcloud/nextcloud-db nextcloud/nextcloud-admin health/wger-admin finance/firefly-secrets comms/mas-admin-client-runtime comms/atlasbot-credentials-runtime comms/synapse-db comms/synapse-admin vault/vault-oidc-config shared/harbor-pull harbor/harbor-core" "" \
 '
-path "secret/data/nodes/*" {
+path "kv/data/atlas/nodes/*" {
 capabilities = ["read"]
 }
-path "secret/metadata/nodes/*" {
+path "kv/metadata/atlas/nodes/*" {
 capabilities = ["list"]
 }
 '
@@ -265,10 +265,10 @@ write_policy_and_role "sso-secrets" "sso" "mas-secrets-ensure" \
 "shared/keycloak-admin maintenance/metis-ssh-keys" \
 "harbor/harbor-oidc vault/vault-oidc-config comms/synapse-oidc logging/oauth2-proxy-logs-oidc finance/actual-oidc maintenance/metis-oidc maintenance/soteria-oidc maintenance/metis-ssh-keys" \
 '
-path "secret/data/nodes/*" {
+path "kv/data/atlas/nodes/*" {
 capabilities = ["create", "update", "read"]
 }
-path "secret/metadata/nodes/*" {
+path "kv/metadata/atlas/nodes/*" {
 capabilities = ["list"]
 }
 '
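Review bot: The node-secret mount path is now spelled out as four separate literals across this hunk and the one at `@@ -265` (`kv/data/atlas/nodes/*` and `kv/metadata/atlas/nodes/*` in each), inside single-quoted policy text where nothing can substitute, so the next move of the mount or prefix has to be repeated in both policies and again in the oneoff job manifest. One constant near the top of the script, e.g. `readonly nodes_kv_path="atlas/nodes"`, with the two policy blocks built from a double-quoted string such as `"path \"kv/data/${nodes_kv_path}/*\" {"`, would keep the maintenance role, the sso-secrets role and the job in step. The `data/` and `metadata/` segments imply a KV v2 engine mounted at `kv`, while the other paths handed to write_policy_and_role look mount-relative and presumably resolve under whatever prefix that function applies; a comment on the first policy block should say why the node secrets alone name a full mount path, e.g. `# node secrets live on the KV v2 mount "kv", not the mount write_policy_and_role prefixes, so the policy spells out the full path`. write_policy_and_role's definition is outside both hunks, and in the `@@ -265` hunk the sso-secrets call itself begins above the hunk.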