From 951ba07c30f528872b2a410a0117cc14ba1d52ce Mon Sep 17 00:00:00 2001
From: tegwick
Date: Thu, 2 Jul 2026 14:08:33 +0200
Subject: [PATCH] adhoc: creds-bootstrap-agent dry-run no longer dies without age key

Co-Authored-By: Claude Fable 5
---
 sso-mfa/bootstrap/creds-bootstrap-agent.sh | 17 ++++++++---
 workplans/ADHOC-2026-07-02.md | 33 ++++++++++++++++++++++
 2 files changed, 46 insertions(+), 4 deletions(-)
 create mode 100644 workplans/ADHOC-2026-07-02.md

diff --git a/sso-mfa/bootstrap/creds-bootstrap-agent.sh b/sso-mfa/bootstrap/creds-bootstrap-agent.sh
index f704883..817b005 100755
--- a/sso-mfa/bootstrap/creds-bootstrap-agent.sh
+++ b/sso-mfa/bootstrap/creds-bootstrap-agent.sh
@@ -88,10 +88,19 @@ if [[ ! -f "$AGE_KEY" ]]; then
 fi
 fi
 
-AGE_PUBKEY=$(grep 'public key:' "$AGE_KEY" | awk '{print $NF}')
-[[ -z "$AGE_PUBKEY" ]] && die "could not read public key from $AGE_KEY"
-ok "age key ready: ${AGE_PUBKEY:0:20}…"
-state_set "age_key_present" "true"
+if [[ -f "$AGE_KEY" ]]; then
+ AGE_PUBKEY=$(grep 'public key:' "$AGE_KEY" | awk '{print $NF}')
+ [[ -z "$AGE_PUBKEY" ]] && die "could not read public key from $AGE_KEY"
+ ok "age key ready: ${AGE_PUBKEY:0:20}…"
+ state_set "age_key_present" "true"
+elif [[ "$DRY_RUN" == true ]]; then
+ # Dry-run on a machine without the age key (key generation was skipped
+ # above): continue with a placeholder recipient so later phases can render.
+ AGE_PUBKEY="age1dryrunplaceholderrecipient"
+ ok "age key absent — dry-run continues with placeholder recipient"
+else
+ die "could not read public key from $AGE_KEY"
+fi
 
 # Cluster reachability
 if ! kubectl cluster-info &>/dev/null; then
diff --git a/workplans/ADHOC-2026-07-02.md b/workplans/ADHOC-2026-07-02.md
new file mode 100644
index 0000000..b922d27
--- /dev/null
+++ b/workplans/ADHOC-2026-07-02.md
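Review bot: The placeholder recipient `age1dryrunplaceholderrecipient` assigned in the new `elif` branch is not a well-formed age recipient and nothing in this hunk marks it as fake, so any later phase that hands `$AGE_PUBKEY` to a `.sops.yaml` render or an encryption step — and persists the result, or reuses it in a subsequent live run — would carry a recipient for which no private key exists; whether such a phase exists is not visible here. Adding a sentinel next to the assignment, `AGE_PUBKEY_IS_PLACEHOLDER=true`, gives those phases something to check before writing or encrypting with it. Separately, the final `else` branch is only reached when the `-f` test on `$AGE_KEY` has failed, so its message `could not read public key from $AGE_KEY` describes the wrong failure; `die "age key not found at $AGE_KEY"` states what actually happened. The Phase 0 block this sits in, including the key-generation `if [[ ! -f "$AGE_KEY" ]]` whose closing `fi` lines open the hunk, begins above the hunk.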
@@ -0,0 +1,33 @@
+---
+id: adhoc-2026-07-02
+type: workplan
+title: "Ad Hoc Tasks — 2026-07-02"
+domain: infotech
+repo: net-kingdom
+status: finished
+owner: codex
+topic_slug: net-kingdom
+created: "2026-07-02"
+updated: "2026-07-02"
+---
+
+# Ad Hoc Tasks — 2026-07-02
+
+## Fix creds-bootstrap-agent Phase 0 dry-run on machines without the age key
+
+```task
+id: ADHOC-2026-07-02-T01
+status: done
+priority: low
+```
+
+`--dry-run` previously aborted silently in Phase 0 on any machine without
+`~/.config/sops/age/keys.txt`: key generation is correctly skipped in dry-run,
+but the subsequent public-key read (`grep` on the missing file) killed the
+script under `set -e`, so no later phase could be exercised.
+
+Fix: when the key file is absent in dry-run, continue with a placeholder
+recipient and a clear notice instead of dying; live runs without a key still
+fail hard. Verified: full `--dry-run` now traverses Phase 0 through Phase 10
+including the new Phase 7b OpenBao hook (NET-WP-0020-T02) on a machine with
+no age key.