fix: remove hwlab v02 device pod key bootstrap

This commit is contained in:
Codex
2026-06-05 06:17:59 +00:00
parent 73a4fb57ee
commit 58a9c8dfb3
2 changed files with 95 additions and 97 deletions
+94 -96
View File
@@ -30,8 +30,6 @@ const V02_GITOPS_BRANCH = "v0.2-gitops";
const V02_CATALOG_PATH = "deploy/artifact-catalog.v02.json";
const V02_RUNTIME_PATH = "deploy/gitops/g14/runtime-v02";
const V02_RUNTIME_NAMESPACE = "hwlab-v02";
const V02_DEVICE_POD_API_KEY_SECRET = "hwlab-v02-device-pod-api-key";
const V02_DEVICE_POD_API_KEY_SECRET_KEY = "api-key";
const V02_OPENFGA_SECRET = "hwlab-v02-openfga";
const V02_OPENFGA_AUTHN_SECRET_KEY = "authn-preshared-key";
const V02_OPENFGA_DATASTORE_URI_SECRET_KEY = "datastore-uri";
@@ -189,13 +187,13 @@ interface G14ObservabilityOptions {
}
interface G14SecretOptions {
action: "status" | "ensure";
action: "status" | "ensure" | "delete";
lane: "v02";
dryRun: boolean;
confirm: boolean;
name: typeof V02_DEVICE_POD_API_KEY_SECRET | typeof V02_OPENFGA_SECRET;
key?: typeof V02_DEVICE_POD_API_KEY_SECRET_KEY | typeof V02_OPENFGA_AUTHN_SECRET_KEY | typeof V02_OPENFGA_DATASTORE_URI_SECRET_KEY | typeof V02_OPENFGA_POSTGRES_PASSWORD_SECRET_KEY;
preset: "device-pod-api-key" | "openfga";
name: string;
key?: typeof V02_OPENFGA_AUTHN_SECRET_KEY | typeof V02_OPENFGA_DATASTORE_URI_SECRET_KEY | typeof V02_OPENFGA_POSTGRES_PASSWORD_SECRET_KEY;
preset: "openfga" | "generic-delete";
timeoutSeconds: number;
}
@@ -506,34 +504,44 @@ function parseObservabilityOptions(args: string[]): G14ObservabilityOptions {
function parseSecretOptions(args: string[]): G14SecretOptions {
const [actionRaw] = args;
if (actionRaw !== "status" && actionRaw !== "ensure") {
throw new Error("secret usage: status|ensure --lane v02 --name hwlab-v02-device-pod-api-key --key api-key | --name hwlab-v02-openfga [--dry-run|--confirm]");
if (actionRaw !== "status" && actionRaw !== "ensure" && actionRaw !== "delete") {
throw new Error("secret usage: status|ensure --lane v02 --name hwlab-v02-openfga [--dry-run|--confirm] | delete --lane v02 --name <obsolete-secret> [--dry-run|--confirm]");
}
const lane = optionValue(args, "--lane") ?? "v02";
if (lane !== "v02") throw new Error("secret currently supports --lane v02");
const name = optionValue(args, "--name") ?? V02_DEVICE_POD_API_KEY_SECRET;
if (name !== V02_DEVICE_POD_API_KEY_SECRET && name !== V02_OPENFGA_SECRET) {
throw new Error(`secret currently supports --name ${V02_DEVICE_POD_API_KEY_SECRET} or ${V02_OPENFGA_SECRET}`);
}
const name = optionValue(args, "--name") ?? V02_OPENFGA_SECRET;
const key = optionValue(args, "--key");
const preset = name === V02_OPENFGA_SECRET ? "openfga" : "device-pod-api-key";
if (preset === "device-pod-api-key") {
const effectiveKey = key ?? V02_DEVICE_POD_API_KEY_SECRET_KEY;
if (effectiveKey !== V02_DEVICE_POD_API_KEY_SECRET_KEY) throw new Error(`secret ${V02_DEVICE_POD_API_KEY_SECRET} supports --key ${V02_DEVICE_POD_API_KEY_SECRET_KEY}`);
} else if (key !== undefined && key !== V02_OPENFGA_AUTHN_SECRET_KEY && key !== V02_OPENFGA_DATASTORE_URI_SECRET_KEY && key !== V02_OPENFGA_POSTGRES_PASSWORD_SECRET_KEY) {
throw new Error(`secret ${V02_OPENFGA_SECRET} supports keys ${V02_OPENFGA_AUTHN_SECRET_KEY}, ${V02_OPENFGA_DATASTORE_URI_SECRET_KEY}, and ${V02_OPENFGA_POSTGRES_PASSWORD_SECRET_KEY}`);
}
const confirm = args.includes("--confirm");
const explicitDryRun = args.includes("--dry-run");
if (confirm && explicitDryRun) throw new Error("secret accepts only one of --confirm or --dry-run");
if (actionRaw === "delete") {
if (key !== undefined) throw new Error("secret delete does not accept --key; it deletes a whole obsolete Secret object");
if (!/^hwlab-v02-[a-z0-9-]+$/u.test(name)) throw new Error("secret delete requires a hwlab-v02-* Secret name");
if (name === V02_OPENFGA_SECRET || name === "hwlab-v02-postgres") throw new Error(`secret delete refuses required v0.2 Secret ${name}`);
return {
action: actionRaw,
lane,
confirm,
dryRun: explicitDryRun || !confirm,
name,
preset: "generic-delete",
timeoutSeconds: positiveIntegerOption(args, "--timeout-seconds", 120, 600),
};
}
if (name !== V02_OPENFGA_SECRET) {
throw new Error(`secret status/ensure currently supports only --name ${V02_OPENFGA_SECRET}; use secret delete for obsolete Secret objects`);
}
if (key !== undefined && key !== V02_OPENFGA_AUTHN_SECRET_KEY && key !== V02_OPENFGA_DATASTORE_URI_SECRET_KEY && key !== V02_OPENFGA_POSTGRES_PASSWORD_SECRET_KEY) {
throw new Error(`secret ${V02_OPENFGA_SECRET} supports keys ${V02_OPENFGA_AUTHN_SECRET_KEY}, ${V02_OPENFGA_DATASTORE_URI_SECRET_KEY}, and ${V02_OPENFGA_POSTGRES_PASSWORD_SECRET_KEY}`);
}
return {
action: actionRaw,
lane,
confirm,
dryRun: actionRaw === "status" ? true : explicitDryRun || !confirm,
name,
key: preset === "device-pod-api-key" ? V02_DEVICE_POD_API_KEY_SECRET_KEY : key,
preset,
key,
preset: "openfga",
timeoutSeconds: positiveIntegerOption(args, "--timeout-seconds", 120, 600),
};
}
@@ -3310,66 +3318,46 @@ function runV02ControlPlane(options: G14ControlPlaneOptions): Record<string, unk
}
function v02SecretScript(options: G14SecretOptions): string {
if (options.preset === "openfga") return v02OpenFgaSecretScript(options);
const key = options.key ?? V02_DEVICE_POD_API_KEY_SECRET_KEY;
const emitAfterStatus = [
"after_exists=$(secret_exists_flag)",
"after_b64=$(secret_b64)",
"after_key_present=$([ -n \"$after_b64\" ] && printf yes || printf no)",
"after_value_bytes=$(decoded_length \"$after_b64\")",
"printf 'namespace\\t%s\\n' \"$namespace\"",
"printf 'secret\\t%s\\n' \"$name\"",
"printf 'key\\t%s\\n' \"$key\"",
"printf 'action\\t%s\\n' \"$action\"",
"printf 'dryRun\\t%s\\n' \"$dry_run\"",
"printf 'mutation\\t%s\\n' \"$mutation\"",
"printf 'beforeExists\\t%s\\n' \"$before_exists\"",
"printf 'beforeKeyPresent\\t%s\\n' \"$before_key_present\"",
"printf 'beforeValueBytes\\t%s\\n' \"$before_value_bytes\"",
"printf 'afterExists\\t%s\\n' \"$after_exists\"",
"printf 'afterKeyPresent\\t%s\\n' \"$after_key_present\"",
"printf 'afterValueBytes\\t%s\\n' \"$after_value_bytes\"",
"printf 'applyExitCode\\t%s\\n' \"$apply_exit\"",
if (options.preset === "generic-delete") return v02DeleteSecretScript(options);
return [
v02OpenFgaSecretScript(options),
].join("\n");
}
function v02DeleteSecretScript(options: G14SecretOptions): string {
return [
"set +e",
`namespace=${shellQuote(V02_RUNTIME_NAMESPACE)}`,
`name=${shellQuote(options.name)}`,
`key=${shellQuote(key)}`,
"preset=device-pod-api-key",
`action_request=${shellQuote(options.action)}`,
`dry_run=${shellQuote(options.dryRun ? "true" : "false")}`,
`field_manager=${shellQuote(V02_SECRET_FIELD_MANAGER)}`,
"preset=generic-delete",
"secret_exists_flag() { kubectl -n \"$namespace\" get secret \"$name\" >/dev/null 2>&1 && printf yes || printf no; }",
"secret_b64() { kubectl -n \"$namespace\" get secret \"$name\" -o \"go-template={{ index .data \\\"$key\\\" }}\" 2>/dev/null || true; }",
"decoded_length() { if [ -n \"$1\" ]; then printf '%s' \"$1\" | base64 -d 2>/dev/null | wc -c | tr -d ' '; else printf '0'; fi; }",
"before_exists=$(secret_exists_flag)",
"before_b64=$(secret_b64)",
"before_key_present=$([ -n \"$before_b64\" ] && printf yes || printf no)",
"before_value_bytes=$(decoded_length \"$before_b64\")",
"delete_exit=",
"action=observed",
"mutation=false",
"apply_exit=",
"if [ \"$action_request\" = ensure ]; then",
" if [ \"$dry_run\" = true ]; then",
" if [ \"$before_key_present\" = yes ] && [ \"$before_value_bytes\" -gt 0 ]; then action=kept; else action=would-create; fi",
" elif [ \"$before_key_present\" = yes ] && [ \"$before_value_bytes\" -gt 0 ]; then",
" action=kept",
"if [ \"$dry_run\" = true ]; then",
" if [ \"$before_exists\" = yes ]; then action=would-delete; else action=already-absent; fi",
"else",
" kubectl -n \"$namespace\" delete secret \"$name\" --ignore-not-found=true >/tmp/hwlab-secret-delete.out 2>/tmp/hwlab-secret-delete.err",
" delete_exit=$?",
" if [ \"$delete_exit\" -eq 0 ]; then",
" if [ \"$before_exists\" = yes ]; then action=deleted; mutation=true; else action=already-absent; fi",
" else",
" if ! command -v openssl >/dev/null 2>&1; then",
" action=openssl-missing",
" apply_exit=127",
" else",
" generated_key=$(openssl rand -base64 48)",
" kubectl -n \"$namespace\" create secret generic \"$name\" --from-literal=\"$key=$generated_key\" --dry-run=client -o yaml | kubectl apply --server-side --force-conflicts --field-manager=\"$field_manager\" -f -",
" apply_exit=$?",
" generated_key=",
" if [ \"$apply_exit\" -eq 0 ]; then action=ensured; mutation=true; else action=apply-failed; fi",
" fi",
" action=delete-failed",
" fi",
"fi",
emitAfterStatus,
"if [ -n \"$apply_exit\" ] && [ \"$apply_exit\" != 0 ]; then exit \"$apply_exit\"; fi",
"after_exists=$(secret_exists_flag)",
"printf 'namespace\\t%s\\n' \"$namespace\"",
"printf 'secret\\t%s\\n' \"$name\"",
"printf 'preset\\t%s\\n' \"$preset\"",
"printf 'action\\t%s\\n' \"$action\"",
"printf 'dryRun\\t%s\\n' \"$dry_run\"",
"printf 'mutation\\t%s\\n' \"$mutation\"",
"printf 'beforeExists\\t%s\\n' \"$before_exists\"",
"printf 'afterExists\\t%s\\n' \"$after_exists\"",
"printf 'deleteExitCode\\t%s\\n' \"$delete_exit\"",
"if [ -n \"$delete_exit\" ] && [ \"$delete_exit\" != 0 ]; then exit \"$delete_exit\"; fi",
].join("\n");
}
@@ -3528,6 +3516,31 @@ function v02OpenFgaSecretScript(options: G14SecretOptions): string {
function v02SecretStatusFromText(text: string, commandOk: boolean, exitCode: number | null, stderr: string): Record<string, unknown> {
const fields = keyValueLinesFromText(text);
if (fields.preset === "generic-delete") {
const absent = fields.afterExists !== "yes";
return {
ok: commandOk && absent,
namespace: fields.namespace || V02_RUNTIME_NAMESPACE,
secret: fields.secret || null,
preset: "generic-delete",
action: fields.action || null,
dryRun: fields.dryRun === "true",
mutation: fields.mutation === "true",
before: {
exists: fields.beforeExists === "yes",
},
after: {
exists: fields.afterExists === "yes",
},
deleteExitCode: numericField(fields.deleteExitCode),
exitCode,
stderr: commandOk ? "" : stderr.trim().slice(0, 2000),
valuesRedacted: true,
summary: absent
? `${fields.secret || "secret"} absent`
: `${fields.secret || "secret"} still exists`,
};
}
if (fields.preset === "openfga") {
const afterAuthnBytes = numericField(fields.afterAuthnBytes);
const afterUriBytes = numericField(fields.afterDatastoreUriBytes);
@@ -3586,35 +3599,18 @@ function v02SecretStatusFromText(text: string, commandOk: boolean, exitCode: num
: `${fields.secret || V02_OPENFGA_SECRET} keys or Postgres database missing`,
};
}
const afterExists = fields.afterExists === "yes";
const afterKeyPresent = fields.afterKeyPresent === "yes";
const afterValueBytes = numericField(fields.afterValueBytes);
const healthy = afterExists && afterKeyPresent && typeof afterValueBytes === "number" && afterValueBytes > 0;
return {
ok: commandOk && healthy,
ok: false,
namespace: fields.namespace || V02_RUNTIME_NAMESPACE,
secret: fields.secret || V02_DEVICE_POD_API_KEY_SECRET,
key: fields.key || V02_DEVICE_POD_API_KEY_SECRET_KEY,
secret: fields.secret || null,
preset: fields.preset || null,
action: fields.action || null,
dryRun: fields.dryRun === "true",
mutation: fields.mutation === "true",
before: {
exists: fields.beforeExists === "yes",
keyPresent: fields.beforeKeyPresent === "yes",
valueBytes: numericField(fields.beforeValueBytes),
},
after: {
exists: afterExists,
keyPresent: afterKeyPresent,
valueBytes: afterValueBytes,
},
applyExitCode: numericField(fields.applyExitCode),
exitCode,
stderr: commandOk ? "" : stderr.trim().slice(0, 2000),
stderr: stderr.trim().slice(0, 2000),
valuesRedacted: true,
summary: healthy
? `${fields.secret || V02_DEVICE_POD_API_KEY_SECRET}/${fields.key || V02_DEVICE_POD_API_KEY_SECRET_KEY} exists`
: `${fields.secret || V02_DEVICE_POD_API_KEY_SECRET}/${fields.key || V02_DEVICE_POD_API_KEY_SECRET_KEY} missing or empty`,
summary: "unrecognized secret status output",
};
}
@@ -3623,7 +3619,8 @@ function runG14Secret(options: G14SecretOptions): Record<string, unknown> {
const result = g14K3s(["script", "--", script], options.timeoutSeconds * 1000);
const status = v02SecretStatusFromText(statusText(result), isCommandSuccess(result), result.exitCode, result.stderr);
const dryRunOk = options.action === "ensure" && options.dryRun && isCommandSuccess(result);
const ok = dryRunOk ? true : status.ok === true;
const deleteDryRunOk = options.action === "delete" && options.dryRun && isCommandSuccess(result);
const ok = dryRunOk || deleteDryRunOk ? true : status.ok === true;
return {
ok,
command: `hwlab g14 secret ${options.action} --lane v02`,
@@ -3632,14 +3629,16 @@ function runG14Secret(options: G14SecretOptions): Record<string, unknown> {
secret: options.name,
key: options.key ?? null,
preset: options.preset,
mode: options.action === "status" ? "status" : options.dryRun ? "dry-run" : "confirmed-ensure",
mode: options.action === "status" ? "status" : options.dryRun ? "dry-run" : options.action === "delete" ? "confirmed-delete" : "confirmed-ensure",
status,
mutation: status.mutation === true,
result: compactCommandResult(result),
valuesRedacted: true,
next: ok && options.action === "status"
? undefined
: { ensure: `bun scripts/cli.ts hwlab g14 secret ensure --lane v02 --name ${options.name}${options.key ? ` --key ${options.key}` : ""} --confirm` },
: options.action === "delete"
? undefined
: { ensure: `bun scripts/cli.ts hwlab g14 secret ensure --lane v02 --name ${options.name}${options.key ? ` --key ${options.key}` : ""} --confirm` },
};
}
@@ -7427,12 +7426,11 @@ export function hwlabG14Help(): Record<string, unknown> {
"bun scripts/cli.ts hwlab g14 control-plane runtime-migration --lane v02 --dry-run",
"bun scripts/cli.ts hwlab g14 control-plane runtime-migration --lane v02 --allow-live-db-read --dry-run",
"bun scripts/cli.ts hwlab g14 control-plane runtime-migration --lane v02 --confirm",
"bun scripts/cli.ts hwlab g14 secret status --lane v02 --name hwlab-v02-device-pod-api-key --key api-key",
"bun scripts/cli.ts hwlab g14 secret ensure --lane v02 --name hwlab-v02-device-pod-api-key --key api-key --dry-run",
"bun scripts/cli.ts hwlab g14 secret ensure --lane v02 --name hwlab-v02-device-pod-api-key --key api-key --confirm",
"bun scripts/cli.ts hwlab g14 secret status --lane v02 --name hwlab-v02-openfga",
"bun scripts/cli.ts hwlab g14 secret ensure --lane v02 --name hwlab-v02-openfga --dry-run",
"bun scripts/cli.ts hwlab g14 secret ensure --lane v02 --name hwlab-v02-openfga --confirm",
"bun scripts/cli.ts hwlab g14 secret delete --lane v02 --name <obsolete-hwlab-v02-secret> --dry-run",
"bun scripts/cli.ts hwlab g14 secret delete --lane v02 --name <obsolete-hwlab-v02-secret> --confirm",
"bun scripts/cli.ts hwlab g14 git-mirror status",
"bun scripts/cli.ts hwlab g14 git-mirror apply --confirm",
"bun scripts/cli.ts hwlab g14 git-mirror sync --confirm",