fix: [nomad-step-4] S4-fix-1 — vault-seed-agents.sh must seed kv/disinto/bots/dev (missing from .env import) (#963)

dev-qwen2 2026-04-17 14:43:06 +00:00
parent edf7a28bd3
commit 1a637fdc27


@ -84,6 +84,18 @@ hvault_ensure_kv_v2 "$KV_MOUNT" "${LOG_TAG}" \
# ── Step 2: seed each bot role ─────────────────────────────────────────────── # ── Step 2: seed each bot role ───────────────────────────────────────────────
total_generated=0 total_generated=0
# Check if shared forge credentials exist for dev role fallback
shared_forge_exists=0
shared_forge_raw="$(hvault_get_or_empty "${KV_MOUNT}/data/disinto/shared/forge")" \
|| true
if [ -n "$shared_forge_raw" ]; then
shared_forge_token="$(printf '%s' "$shared_forge_raw" | jq -r '.data.data.token // ""')"
shared_forge_pass="$(printf '%s' "$shared_forge_raw" | jq -r '.data.data.pass // ""')"
if [ -n "$shared_forge_token" ] && [ -n "$shared_forge_pass" ]; then
shared_forge_exists=1
fi
fi
for role in "${BOT_ROLES[@]}"; do for role in "${BOT_ROLES[@]}"; do
kv_logical="disinto/bots/${role}" kv_logical="disinto/bots/${role}"
kv_api="${KV_MOUNT}/data/${kv_logical}" kv_api="${KV_MOUNT}/data/${kv_logical}"
@ -103,7 +115,22 @@ for role in "${BOT_ROLES[@]}"; do
fi fi
generated=() generated=()
desired_token="$existing_token"
desired_pass="$existing_pass"
# Special case: dev role uses shared forge credentials if available
if [ "$role" = "dev" ] && [ "$shared_forge_exists" -eq 1 ]; then
# Use shared FORGE_TOKEN + FORGE_PASS for dev role
if [ -z "$existing_token" ]; then
desired_token="$shared_forge_token"
generated+=("token")
fi
if [ -z "$existing_pass" ]; then
desired_pass="$shared_forge_pass"
generated+=("pass")
fi
else
# Generate random values for missing keys
if [ -z "$existing_token" ]; then if [ -z "$existing_token" ]; then
generated+=("token") generated+=("token")
fi fi
@ -111,6 +138,14 @@ for role in "${BOT_ROLES[@]}"; do
generated+=("pass") generated+=("pass")
fi fi
for key in "${generated[@]}"; do
case "$key" in
token) desired_token="$(openssl rand -hex "$TOKEN_BYTES")" ;;
pass) desired_pass="$(openssl rand -hex "$PASS_BYTES")" ;;
esac
done
fi
if [ "${#generated[@]}" -eq 0 ]; then if [ "${#generated[@]}" -eq 0 ]; then
log "${role}: unchanged" log "${role}: unchanged"
continue continue
@ -122,16 +157,6 @@ for role in "${BOT_ROLES[@]}"; do
continue continue
fi fi
desired_token="$existing_token"
desired_pass="$existing_pass"
for key in "${generated[@]}"; do
case "$key" in
token) desired_token="$(openssl rand -hex "$TOKEN_BYTES")" ;;
pass) desired_pass="$(openssl rand -hex "$PASS_BYTES")" ;;
esac
done
# Merge new keys into existing data to preserve any keys we don't own. # Merge new keys into existing data to preserve any keys we don't own.
payload="$(printf '%s' "$existing_data" \ payload="$(printf '%s' "$existing_data" \
| jq --arg t "$desired_token" --arg p "$desired_pass" \ | jq --arg t "$desired_token" --arg p "$desired_pass" \
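Review bot: The `|| true` on the `hvault_get_or_empty` call for `disinto/shared/forge` makes a failed Vault read look the same as an absent secret, so `shared_forge_exists` stays 0 and the `dev` role falls into the `else` branch and is seeded with `openssl rand` values instead of the shared forge credentials. Because the loop only fills keys that are empty, a later run would presumably log `dev: unchanged` and never replace those random values, leaving the dev bot with credentials the forge does not recognise. Assuming `hvault_get_or_empty` returns non-zero only on a real error (its body is not on this page), fail closed instead: `shared_forge_raw="$(hvault_get_or_empty "${KV_MOUNT}/data/disinto/shared/forge")" || { log "shared/forge: read failed"; exit 1; }`. The same silent fallback happens when the shared secret holds only one of `token`/`pass`, so a `log` line for that case would make it visible to the operator. The `for role` loop body continues outside the visible hunks.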