bstein/titan-iac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
titan-iac/services/keycloak/oneoffs/metis-node-passwords-secret-ensure-job.yaml

115 lines
5.3 KiB
YAML
Raw Blame History

# services/keycloak/oneoffs/metis-node-passwords-secret-ensure-job.yaml
# One-off job for sso/metis-node-passwords-secret-ensure-2.
# Purpose: ensure per-node Metis recovery password placeholders exist in Vault.
# Existing values are preserved; only missing fields are initialized.
apiVersion: batch/v1
kind: Job
metadata:
name: metis-node-passwords-secret-ensure-2
namespace: sso
spec:
backoffLimit: 0
ttlSecondsAfterFinished: 3600
template:
spec:
serviceAccountName: mas-secrets-ensure
restartPolicy: Never
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: node-role.kubernetes.io/worker
operator: Exists
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
preference:
matchExpressions:
- key: kubernetes.io/arch
operator: In
values: ["arm64"]
containers:
- name: apply
image: registry.bstein.dev/bstein/kubectl:1.35.0
command: ["/bin/sh", "-c"]
args:
- |
set -eu
vault_addr="${VAULT_ADDR:-http://vault.vault.svc.cluster.local:8200}"
vault_role="${VAULT_ROLE:-sso-secrets}"
jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
login_payload="$(jq -nc --arg jwt "${jwt}" --arg role "${vault_role}" '{jwt:$jwt, role:$role}')"
vault_token="$(curl -sS --request POST --data "${login_payload}" "${vault_addr}/v1/auth/kubernetes/login" | jq -r '.auth.client_token')"
if [ -z "${vault_token}" ] || [ "${vault_token}" = "null" ]; then
echo "vault login failed" >&2
exit 1
fi
nodes="
titan-04
titan-05
titan-06
titan-07
titan-08
titan-09
titan-0a
titan-0b
titan-0c
titan-10
titan-11
titan-12
titan-13
titan-14
titan-15
titan-16
titan-17
titan-18
titan-19
titan-20
titan-21
titan-22
titan-23
titan-24
"
ensured=0
for node in ${nodes}; do
secret_path="kv/data/atlas/nodes/${node}"
read_status="$(curl -sS -o /tmp/node-read.json -w "%{http_code}" -H "X-Vault-Token: ${vault_token}" "${vault_addr}/v1/${secret_path}" || true)"
if [ "${read_status}" = "200" ]; then
ssh_password="$(jq -r '.data.data.ssh_password // empty' /tmp/node-read.json)"
ssh_password_hash="$(jq -r '.data.data.ssh_password_hash // empty' /tmp/node-read.json)"
atlas_password="$(jq -r '.data.data.atlas_password // empty' /tmp/node-read.json)"
atlas_password_hash="$(jq -r '.data.data.atlas_password_hash // empty' /tmp/node-read.json)"
root_password="$(jq -r '.data.data.root_password // empty' /tmp/node-read.json)"
root_password_hash="$(jq -r '.data.data.root_password_hash // empty' /tmp/node-read.json)"
elif [ "${read_status}" = "404" ]; then
ssh_password=""
ssh_password_hash=""
atlas_password=""
atlas_password_hash=""
root_password=""
root_password_hash=""
else
echo "Vault read failed for ${node} (status ${read_status})" >&2
cat /tmp/node-read.json >&2 || true
exit 1
fi
payload="$(jq -nc --arg hostname "${node}" --arg ssh_password "${ssh_password}" --arg ssh_password_hash "${ssh_password_hash}" --arg atlas_password "${atlas_password}" --arg atlas_password_hash "${atlas_password_hash}" --arg root_password "${root_password}" --arg root_password_hash "${root_password_hash}" '{data:{hostname:$hostname,ssh_password:$ssh_password,ssh_password_hash:$ssh_password_hash,atlas_password:$atlas_password,atlas_password_hash:$atlas_password_hash,root_password:$root_password,root_password_hash:$root_password_hash}}')"
write_status="$(curl -sS -o /tmp/node-write.json -w "%{http_code}" -X POST -H "X-Vault-Token: ${vault_token}" -H 'Content-Type: application/json' -d "${payload}" "${vault_addr}/v1/${secret_path}")"
if [ "${write_status}" != "200" ] && [ "${write_status}" != "204" ]; then
echo "Vault write failed for ${node} (status ${write_status})" >&2
cat /tmp/node-write.json >&2 || true
exit 1
fi
ensured=$((ensured + 1))
echo "Ensured node secret placeholder for ${node}"
done
echo "Ensured ${ensured} Metis node password placeholders in Vault"
Reference in New Issue View Git Blame Copy Permalink