maintenance: migrate metis ssh key names to ananke

2026-04-07 04:34:39 -03:00 · 2026-04-07 04:34:39 -03:00 · a4631dee81
commit a4631dee81
parent 525a0f9e71
2 changed files with 32 additions and 9 deletions
--- a/services/keycloak/oneoffs/metis-ssh-keys-secret-ensure-job.yaml
+++ b/services/keycloak/oneoffs/metis-ssh-keys-secret-ensure-job.yaml
@ -1,7 +1,8 @@
 # services/keycloak/oneoffs/metis-ssh-keys-secret-ensure-job.yaml
 # One-off job for sso/metis-ssh-keys-secret-ensure-1.
 # Purpose: ensure Vault path maintenance/metis-ssh-keys exists for Metis key injection.
-# Migration behavior: if Vault path is missing, seed from existing maintenance/metis-ssh-keys Kubernetes Secret.
+# Migration behavior: if Vault path is missing/incomplete, seed from existing maintenance/metis-ssh-keys Kubernetes Secret.
 # Legacy key names are read as fallback, but only ananke_* keys are written.
 apiVersion: batch/v1
 kind: Job
 metadata:
@ -65,8 +66,9 @@ spec:
              if [ "${read_status}" = "200" ]; then
                bastion_existing="$(jq -r '.data.data.bastion_pub // empty' /tmp/metis-ssh-read.json)"
                brad_existing="$(jq -r '.data.data.brad_pub // empty' /tmp/metis-ssh-read.json)"
-                hecate_existing="$(jq -r '.data.data.hecate_tethys_pub // empty' /tmp/metis-ssh-read.json)"
+                ananke_tethys_existing="$(jq -r '.data.data.ananke_tethys_pub // .data.data.hecate_tethys_pub // empty' /tmp/metis-ssh-read.json)"
-                if [ -n "${bastion_existing}" ] && [ -n "${brad_existing}" ] && [ -n "${hecate_existing}" ]; then
+                ananke_db_existing="$(jq -r '.data.data.ananke_db_pub // .data.data.hecate_db_pub // empty' /tmp/metis-ssh-read.json)"
                if [ -n "${bastion_existing}" ] && [ -n "${brad_existing}" ] && [ -n "${ananke_tethys_existing}" ] && [ -n "${ananke_db_existing}" ]; then
                  echo "Vault metis-ssh-keys already present"
                  exit 0
                fi
@ -78,9 +80,29 @@ spec:
              bastion_pub="$(kubectl -n maintenance get secret metis-ssh-keys -o jsonpath='{.data.bastion_pub}' 2>/dev/null | base64 -d || true)"
              brad_pub="$(kubectl -n maintenance get secret metis-ssh-keys -o jsonpath='{.data.brad_pub}' 2>/dev/null | base64 -d || true)"
-              hecate_tethys_pub="$(kubectl -n maintenance get secret metis-ssh-keys -o jsonpath='{.data.hecate_tethys_pub}' 2>/dev/null | base64 -d || true)"
+              ananke_tethys_pub="$(kubectl -n maintenance get secret metis-ssh-keys -o jsonpath='{.data.ananke_tethys_pub}' 2>/dev/null | base64 -d || true)"
              if [ -z "${ananke_tethys_pub}" ]; then
                ananke_tethys_pub="$(kubectl -n maintenance get secret metis-ssh-keys -o jsonpath='{.data.hecate_tethys_pub}' 2>/dev/null | base64 -d || true)"
              fi
              ananke_db_pub="$(kubectl -n maintenance get secret metis-ssh-keys -o jsonpath='{.data.ananke_db_pub}' 2>/dev/null | base64 -d || true)"
              if [ -z "${ananke_db_pub}" ]; then
                ananke_db_pub="$(kubectl -n maintenance get secret metis-ssh-keys -o jsonpath='{.data.hecate_db_pub}' 2>/dev/null | base64 -d || true)"
              fi
-              if [ -z "${bastion_pub}" ] || [ -z "${brad_pub}" ] || [ -z "${hecate_tethys_pub}" ]; then
+              if [ -z "${bastion_pub}" ] && [ -n "${bastion_existing:-}" ]; then
                bastion_pub="${bastion_existing}"
              fi
              if [ -z "${brad_pub}" ] && [ -n "${brad_existing:-}" ]; then
                brad_pub="${brad_existing}"
              fi
              if [ -z "${ananke_tethys_pub}" ] && [ -n "${ananke_tethys_existing:-}" ]; then
                ananke_tethys_pub="${ananke_tethys_existing}"
              fi
              if [ -z "${ananke_db_pub}" ] && [ -n "${ananke_db_existing:-}" ]; then
                ananke_db_pub="${ananke_db_existing}"
              fi
              if [ -z "${bastion_pub}" ] || [ -z "${brad_pub}" ] || [ -z "${ananke_tethys_pub}" ] || [ -z "${ananke_db_pub}" ]; then
                echo "Cannot seed Vault metis-ssh-keys: maintenance/metis-ssh-keys missing required keys" >&2
                exit 1
              fi
@ -88,8 +110,9 @@ spec:
              payload="$(jq -nc \
                --arg bastion_pub "${bastion_pub}" \
                --arg brad_pub "${brad_pub}" \
-                --arg hecate_tethys_pub "${hecate_tethys_pub}" \
+                --arg ananke_tethys_pub "${ananke_tethys_pub}" \
-                '{data:{bastion_pub:$bastion_pub,brad_pub:$brad_pub,hecate_tethys_pub:$hecate_tethys_pub}}')"
+                --arg ananke_db_pub "${ananke_db_pub}" \
                '{data:{bastion_pub:$bastion_pub,brad_pub:$brad_pub,ananke_tethys_pub:$ananke_tethys_pub,ananke_db_pub:$ananke_db_pub}}')"
              write_status="$(curl -sS -o /tmp/metis-ssh-write.json -w "%{http_code}" -X POST \
                -H "X-Vault-Token: ${vault_token}" \
                -H 'Content-Type: application/json' \
--- a/services/maintenance/metis-deployment.yaml
+++ b/services/maintenance/metis-deployment.yaml
@ -31,8 +31,8 @@ spec:
        vault.hashicorp.com/agent-inject-template-metis-ssh-env.sh: |
          {{ with secret "kv/data/atlas/maintenance/metis-ssh-keys" }}
          export METIS_SSH_KEY_BRAD="{{ .Data.data.brad_pub }}"
-          export METIS_SSH_KEY_ANANKE_TETHYS="{{ or .Data.data.ananke_tethys_pub "" }}"
+          export METIS_SSH_KEY_ANANKE_TETHYS="{{ or .Data.data.ananke_tethys_pub .Data.data.hecate_tethys_pub "" }}"
-          export METIS_SSH_KEY_ANANKE_DB="{{ or .Data.data.ananke_db_pub "" }}"
+          export METIS_SSH_KEY_ANANKE_DB="{{ or .Data.data.ananke_db_pub .Data.data.hecate_db_pub "" }}"
          {{ end }}
    spec:
      serviceAccountName: metis