adhoc: creds-bootstrap-agent dry-run no longer dies without age key

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-02 14:08:33 +02:00
parent 67b4677cea
commit 951ba07c30
2 changed files with 46 additions and 4 deletions


@@ -88,10 +88,19 @@ if [[ ! -f "$AGE_KEY" ]]; then
fi
fi
AGE_PUBKEY=$(grep 'public key:' "$AGE_KEY" | awk '{print $NF}')
[[ -z "$AGE_PUBKEY" ]] && die "could not read public key from $AGE_KEY"
ok "age key ready: ${AGE_PUBKEY:0:20}"
state_set "age_key_present" "true"
if [[ -f "$AGE_KEY" ]]; then
AGE_PUBKEY=$(grep 'public key:' "$AGE_KEY" | awk '{print $NF}')
[[ -z "$AGE_PUBKEY" ]] && die "could not read public key from $AGE_KEY"
ok "age key ready: ${AGE_PUBKEY:0:20}"
state_set "age_key_present" "true"
elif [[ "$DRY_RUN" == true ]]; then
# Dry-run on a machine without the age key (key generation was skipped
# above): continue with a placeholder recipient so later phases can render.
AGE_PUBKEY="age1dryrunplaceholderrecipient"
ok "age key absent — dry-run continues with placeholder recipient"
else
die "could not read public key from $AGE_KEY"
fi
# Cluster reachability
if ! kubectl cluster-info &>/dev/null; then
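Review bot: the dry-run `elif` branch sets `AGE_PUBKEY` but never calls `state_set`, so if state persists between runs, `age_key_present` can keep a stale `true` from an earlier run; add `state_set "age_key_present" "false"` next to the placeholder assignment. The placeholder `age1dryrunplaceholderrecipient` is not a well-formed age recipient, so it is worth confirming that no dry-run phase hands it to `sops` or `age` rather than only rendering it into output. Inside the `if [[ -f "$AGE_KEY" ]]` branch the `grep ... | awk` read is unchanged: if a failing `grep` aborts the script as the workplan describes, a key file with no `public key:` line still exits before the `die` on the next line can report it, and appending `|| true` to the assignment would let the `-z` check do its job. In the final `else` the file is already known to be missing, so a message such as "age key file not found: $AGE_KEY" would describe the failure more accurately than "could not read public key".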


@@ -0,0 +1,33 @@
---
id: adhoc-2026-07-02
type: workplan
title: "Ad Hoc Tasks — 2026-07-02"
domain: infotech
repo: net-kingdom
status: finished
owner: codex
topic_slug: net-kingdom
created: "2026-07-02"
updated: "2026-07-02"
---
# Ad Hoc Tasks — 2026-07-02
## Fix creds-bootstrap-agent Phase 0 dry-run on machines without the age key
```task
id: ADHOC-2026-07-02-T01
status: done
priority: low
```
`--dry-run` previously aborted silently in Phase 0 on any machine without
`~/.config/sops/age/keys.txt`: key generation is correctly skipped in dry-run,
but the subsequent public-key read (`grep` on the missing file) killed the
script under `set -e`, so no later phase could be exercised.
Fix: when the key file is absent in dry-run, continue with a placeholder
recipient and a clear notice instead of dying; live runs without a key still
fail hard. Verified: full `--dry-run` now traverses Phase 0 through Phase 10
including the new Phase 7b OpenBao hook (NET-WP-0020-T02) on a machine with
no age key.
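Review bot: the "Verified" sentence covers only the `--dry-run` path, while the fix description also claims that live runs without a key still fail hard; record that a live run on a keyless machine was checked to stop with the `die` message, or state that this path was not tested. The task text could also say that the placeholder recipient is not a usable age key, so anything rendered by a keyless dry-run is for inspection only.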