fix opensearch pod resolution + sol-agent vault policy

os_api: resolve pod name by label instead of hardcoded opensearch-0. added find_pod_by_label helper to kube.rs. secrets.py: sol-agent policy (read/write sol-tokens/*) and k8s auth role bound to matrix namespace default SA.
2026-03-23 08:48:33 +00:00
parent faf525522c
commit 13e3f5d42e
5 changed files with 80 additions and 6 deletions
--- a/sunbeam-sdk/src/kube/mod.rs
+++ b/sunbeam-sdk/src/kube/mod.rs
@@ -308,6 +308,25 @@ pub async fn create_secret(ns: &str, name: &str, data: HashMap<String, String>)
    Ok(())
 }

+/// Find the first Running pod matching a label selector in a namespace.
+pub async fn find_pod_by_label(ns: &str, label: &str) -> Option<String> {
+    let client = get_client().await.ok()?;
+    let pods: kube::Api<k8s_openapi::api::core::v1::Pod> =
+        kube::Api::namespaced(client.clone(), ns);
+    let lp = kube::api::ListParams::default().labels(label);
+    let pod_list = pods.list(&lp).await.ok()?;
+    pod_list
+        .items
+        .iter()
+        .find(|p| {
+            p.status
+                .as_ref()
+                .and_then(|s| s.phase.as_deref())
+                == Some("Running")
+        })
+        .and_then(|p| p.metadata.name.clone())
+}
+
 /// Execute a command in a pod and return (exit_code, stdout).
 #[allow(dead_code)]
 pub async fn kube_exec(
--- a/sunbeam-sdk/src/manifests/mod.rs
+++ b/sunbeam-sdk/src/manifests/mod.rs
@@ -475,10 +475,15 @@ async fn os_api(path: &str, method: &str, body: Option<&str>) -> Option<String>
        curl_args.extend_from_slice(&["-H", "Content-Type: application/json", "-d", &body_string]);
    }

-    // Build the full exec command: exec deploy/opensearch -n data -c opensearch -- curl ...
-    let exec_cmd = curl_args;
+    let pod_name = match crate::kube::find_pod_by_label("data", "app=opensearch").await {
+        Some(name) => name,
+        None => {
+            crate::output::warn("No OpenSearch pod found in data namespace");
+            return None;
+        }
+    };

-    match crate::kube::kube_exec("data", "opensearch-0", &exec_cmd, Some("opensearch")).await {
+    match crate::kube::kube_exec("data", &pod_name, &curl_args, Some("opensearch")).await {
        Ok((0, out)) if !out.is_empty() => Some(out),
        _ => None,
    }