# services/keycloak/oneoffs/metis-node-passwords-secret-ensure-job.yaml # One-off job for sso/metis-node-passwords-secret-ensure-4. # Purpose: ensure per-node Metis recovery placeholders exist in Vault. # Atlas/root values are preserved while intranet IPs are standardized per node. apiVersion: batch/v1 kind: Job metadata: name: metis-node-passwords-secret-ensure-4 namespace: sso spec: backoffLimit: 0 ttlSecondsAfterFinished: 3600 template: spec: serviceAccountName: mas-secrets-ensure restartPolicy: Never affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: node-role.kubernetes.io/worker operator: Exists preferredDuringSchedulingIgnoredDuringExecution: - weight: 100 preference: matchExpressions: - key: kubernetes.io/arch operator: In values: ["arm64"] containers: - name: apply image: registry.bstein.dev/bstein/kubectl:1.35.0 command: ["/bin/sh", "-c"] args: - | set -eu vault_addr="${VAULT_ADDR:-http://vault.vault.svc.cluster.local:8200}" vault_role="${VAULT_ROLE:-sso-secrets}" jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" login_payload="$(jq -nc --arg jwt "${jwt}" --arg role "${vault_role}" '{jwt:$jwt, role:$role}')" vault_token="$(curl -sS --request POST --data "${login_payload}" "${vault_addr}/v1/auth/kubernetes/login" | jq -r '.auth.client_token')" if [ -z "${vault_token}" ] || [ "${vault_token}" = "null" ]; then echo "vault login failed" >&2 exit 1 fi ensured=0 while read -r node intranet_ip; do if [ -z "${node}" ] || [ -z "${intranet_ip}" ]; then continue fi secret_path="kv/data/atlas/nodes/${node}" read_status="$(curl -sS -o /tmp/node-read.json -w "%{http_code}" -H "X-Vault-Token: ${vault_token}" "${vault_addr}/v1/${secret_path}" || true)" if [ "${read_status}" = "200" ]; then atlas_password="$(jq -r '.data.data.atlas_password // empty' /tmp/node-read.json)" root_password="$(jq -r '.data.data.root_password // empty' /tmp/node-read.json)" elif [ "${read_status}" = "404" ]; then atlas_password="" root_password="" else echo "Vault read failed for ${node} (status ${read_status})" >&2 cat /tmp/node-read.json >&2 || true exit 1 fi payload="$(jq -nc --arg atlas_password "${atlas_password}" --arg root_password "${root_password}" --arg intranet_ip "${intranet_ip}" '{data:{atlas_password:$atlas_password,root_password:$root_password,intranet_ip:$intranet_ip}}')" write_status="$(curl -sS -o /tmp/node-write.json -w "%{http_code}" -X POST -H "X-Vault-Token: ${vault_token}" -H 'Content-Type: application/json' -d "${payload}" "${vault_addr}/v1/${secret_path}")" if [ "${write_status}" != "200" ] && [ "${write_status}" != "204" ]; then echo "Vault write failed for ${node} (status ${write_status})" >&2 cat /tmp/node-write.json >&2 || true exit 1 fi ensured=$((ensured + 1)) echo "Ensured node secret placeholder for ${node} (${intranet_ip})" done <<'EOF_NODES' titan-jh 192.168.22.8 titan-db 192.168.22.10 titan-0a 192.168.22.11 titan-0b 192.168.22.12 titan-0c 192.168.22.13 titan-20 192.168.22.20 titan-21 192.168.22.21 titan-22 192.168.22.22 titan-23 192.168.22.23 titan-24 192.168.22.26 titan-04 192.168.22.30 titan-05 192.168.22.31 titan-06 192.168.22.32 titan-07 192.168.22.33 titan-08 192.168.22.34 titan-09 192.168.22.35 titan-10 192.168.22.36 titan-11 192.168.22.37 titan-12 192.168.22.40 titan-13 192.168.22.41 titan-14 192.168.22.42 titan-15 192.168.22.43 titan-16 192.168.22.44 titan-17 192.168.22.45 titan-18 192.168.22.46 titan-19 192.168.22.47 EOF_NODES echo "Ensured ${ensured} Metis node placeholders in Vault"