fix(k8s): drop stale ACME accounts during etcd cleanup #991

Open

AFDudley wants to merge 1 commits from fix-etcd-drop-stale-acme into main

Author	SHA1	Message	Date
A. F. Dudley	6a2f2a5dde	fix(k8s): drop stale ACME accounts during etcd cleanup Some checks failed Lint Checks / Run linter (push) Successful in 13s Details Lint Checks / Run linter (pull_request) Successful in 16s Details Smoke Test / Run basic test suite (pull_request) Successful in 1m23s Details K8s Deployment Control Test / Run deployment control suite on kind/k8s (pull_request) Failing after 1m53s Details K8s Deploy Test / Run deploy test suite on kind/k8s (pull_request) Failing after 2m7s Details Webapp Test / Run webapp test suite (pull_request) Successful in 2m8s Details Deploy Test / Run deploy test suite (pull_request) Successful in 2m17s Details _clean_etcd_keeping_certs() preserved ALL caddy-system secrets across cluster recreations, including ACME account secrets registered with wrong/empty email. Caddy reuses these stale accounts instead of registering fresh ones, causing recurring "unable to parse email address" errors. Filter the etcd restore loop to only keep certificate secrets (keys matching certificates). ACME accounts, OCSP staples, and locks are transient and get recreated automatically by Caddy on startup. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-10 01:43:48 -05:00