generated from coulomb/repo-seed
fix(creds-bootstrap): harden agent bootstrap for non-interactive execution
- creds-bootstrap-agent.sh: skip Phase 3 if all secrets already applied (avoids CNPG SSL connection drops from repeated reconciliation) - creds-bootstrap-agent.sh: wait for rollout to complete after restart before running enckey/admin bootstrap (fixes race with old pod) - creds-bootstrap-agent.sh: only restart privacyIDEA when Phase 3 ran - create-pi-token.sh: use env-var + retry for token fetch (no heredoc stdin; handles transient 500 from idle connection pool) - create-pi-token.sh: create keycape-pi-token K8s Secret after fetching - creds-verify.sh: map keycape-pi-token to secrets_applied.keycape (not pi_admin_created, which caused spurious Phase 5 re-runs) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -163,11 +163,19 @@ fi
|
||||
|
||||
step "3 — Inject secrets into cluster (postgres → lldap → authelia → privacyidea)"
|
||||
|
||||
if [[ "$DRY_RUN" == false ]]; then
|
||||
(cd "$SCRIPT_DIR" && bash creds-apply.sh "$SECRETS_DIR")
|
||||
ok "secrets applied to cluster"
|
||||
# Check if all non-keycape components are already applied
|
||||
PG=$(state_get_nested postgres); LLDAP=$(state_get_nested lldap)
|
||||
AUTH=$(state_get_nested authelia); PI=$(state_get_nested privacyidea)
|
||||
if [[ "$PG" == "true" && "$LLDAP" == "true" && "$AUTH" == "true" && "$PI" == "true" ]]; then
|
||||
ok "all cluster secrets already applied — skipping (avoids CNPG connection disruption)"
|
||||
else
|
||||
echo " [dry-run] would run: bash creds-apply.sh $SECRETS_DIR"
|
||||
if [[ "$DRY_RUN" == false ]]; then
|
||||
(cd "$SCRIPT_DIR" && bash creds-apply.sh "$SECRETS_DIR")
|
||||
ok "secrets applied to cluster"
|
||||
_PHASE3_RAN=true
|
||||
else
|
||||
echo " [dry-run] would run: bash creds-apply.sh $SECRETS_DIR"
|
||||
fi
|
||||
fi
|
||||
|
||||
# ── Phase 4: Verify initial secrets ───────────────────────────────────────────
|
||||
@@ -189,12 +197,17 @@ if [[ "$DRY_RUN" == false ]]; then
|
||||
done
|
||||
[[ "$ALL_OK" == true ]] || die "One or more required secrets are missing — check creds-apply output above"
|
||||
|
||||
# Restart privacyIDEA if the deployment exists, so it picks up the newly
|
||||
# generated secrets. Without this, a running pod would have stale env vars.
|
||||
if kubectl get deployment privacyidea -n mfa &>/dev/null 2>&1; then
|
||||
# Restart privacyIDEA ONLY if secrets were just applied this run.
|
||||
# Re-applying an unchanged secret still marks it "configured", so we track
|
||||
# whether Phase 3 actually ran to avoid spurious restarts on resume.
|
||||
if [[ "${_PHASE3_RAN:-false}" == "true" ]] && \
|
||||
kubectl get deployment privacyidea -n mfa &>/dev/null 2>&1; then
|
||||
log "restarting privacyIDEA deployment to pick up new secrets..."
|
||||
kubectl rollout restart deployment/privacyidea -n mfa
|
||||
ok "privacyIDEA restart triggered"
|
||||
log "waiting for rollout to complete..."
|
||||
kubectl rollout status deployment/privacyidea -n mfa --timeout=300s
|
||||
ok "privacyIDEA rollout complete"
|
||||
fi
|
||||
else
|
||||
echo " [dry-run] would verify K8s secrets"
|
||||
@@ -213,22 +226,20 @@ if [[ "$(state_get enckey_bootstrapped)" == "true" && "$(state_get pi_admin_crea
|
||||
else
|
||||
log "waiting for privacyIDEA pod to be Ready (max ${MAX_WAIT}s)..."
|
||||
if [[ "$DRY_RUN" == false ]]; then
|
||||
# Wait for pod to appear and be Ready
|
||||
WAITED=0
|
||||
PI_POD=""
|
||||
while [[ -z "$PI_POD" && $WAITED -lt $MAX_WAIT ]]; do
|
||||
PI_POD=$(kubectl get pod -n "$NAMESPACE" \
|
||||
-l app.kubernetes.io/name=privacyidea \
|
||||
--field-selector=status.phase=Running \
|
||||
-o jsonpath='{.items[0].metadata.name}' 2>/dev/null || echo "")
|
||||
if [[ -z "$PI_POD" ]]; then
|
||||
sleep 10
|
||||
WAITED=$((WAITED + 10))
|
||||
log " waiting... (${WAITED}s / ${MAX_WAIT}s)"
|
||||
fi
|
||||
done
|
||||
# Wait for the deployment rollout to fully complete — this ensures any
|
||||
# previous pod from a rollout restart is terminated and the new pod is Ready.
|
||||
if ! kubectl rollout status deployment/privacyidea -n "$NAMESPACE" \
|
||||
--timeout="${MAX_WAIT}s" 2>/dev/null; then
|
||||
die "privacyIDEA deployment did not roll out within ${MAX_WAIT}s — check: kubectl get pods -n $NAMESPACE"
|
||||
fi
|
||||
|
||||
[[ -z "$PI_POD" ]] && die "privacyIDEA pod did not reach Running state within ${MAX_WAIT}s — check: kubectl get pods -n $NAMESPACE"
|
||||
# Find the ready pod (rollout status guarantees exactly one ready pod)
|
||||
PI_POD=$(kubectl get pod -n "$NAMESPACE" \
|
||||
-l app.kubernetes.io/name=privacyidea \
|
||||
--field-selector=status.phase=Running \
|
||||
-o jsonpath='{.items[0].metadata.name}' 2>/dev/null || echo "")
|
||||
|
||||
[[ -z "$PI_POD" ]] && die "privacyIDEA pod not found after rollout — check: kubectl get pods -n $NAMESPACE"
|
||||
ok "privacyIDEA pod ready: $PI_POD"
|
||||
|
||||
# Run enckey bootstrap
|
||||
|
||||
Reference in New Issue
Block a user