Switch from Infisical to Vault for secret loading
@@ -14,18 +14,18 @@ RUN npm run build
|
|||||||
|
|
||||||
FROM node:22-alpine
|
FROM node:22-alpine
|
||||||
|
|
||||||
|
RUN apk add --no-cache curl jq
|
||||||
|
|
||||||
WORKDIR /app
|
WORKDIR /app
|
||||||
|
|
||||||
COPY package.json ./
|
COPY package.json ./
|
||||||
RUN npm install --omit=dev && npm install @infisical/sdk
|
RUN npm install --omit=dev
|
||||||
|
|
||||||
COPY --from=builder /app/node_modules/.prisma ./node_modules/.prisma
|
COPY --from=builder /app/node_modules/.prisma ./node_modules/.prisma
|
||||||
COPY --from=builder /app/dist ./dist
|
COPY --from=builder /app/dist ./dist
|
||||||
COPY prisma ./prisma
|
COPY prisma ./prisma
|
||||||
COPY scripts ./scripts
|
COPY scripts ./scripts
|
||||||
|
|
||||||
ENV INFISICAL_SECRET_PATHS="/exchange,/shared"
|
|
||||||
|
|
||||||
EXPOSE 8000
|
EXPOSE 8000
|
||||||
|
|
||||||
CMD ["sh", "-c", "node scripts/load-secrets.mjs && . ./.env.infisical && npx prisma migrate resolve --applied 0_init 2>/dev/null; npx prisma migrate deploy && node dist/index.js"]
|
CMD ["sh", "-c", ". /app/scripts/load-vault-env.sh && npx prisma migrate resolve --applied 0_init 2>/dev/null; npx prisma migrate deploy && node dist/index.js"]
|
||||||
|
|||||||
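Review bot: In the new CMD the `;` after `npx prisma migrate resolve --applied 0_init 2>/dev/null` closes the `&&` chain, so a non-zero status from `. /app/scripts/load-vault-env.sh` (the script's `return 1` paths, or its `exit` paths if they are ever turned into `return`s) only skips the resolve step, and `npx prisma migrate deploy && node dist/index.js` still start with whatever partial environment the failed load left behind. The sourced script also exports the secrets into this same shell, so `node dist/index.js` inherits `VAULT_TOKEN` for the life of the container. Both are addressed in the one line: `CMD ["sh", "-c", ". /app/scripts/load-vault-env.sh && unset VAULT_TOKEN && { npx prisma migrate resolve --applied 0_init 2>/dev/null || true; } && npx prisma migrate deploy && node dist/index.js"]`. Note that dot-sourcing means the script's `set -eu` and any `exit` it executes also act on this CMD shell, which matters for what happens on its disabled/unconfigured paths. The hunk begins mid-Dockerfile; the `builder` stage referenced by the `--from=builder` copies is outside it.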
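--- /dev/null
+++ b/scripts/load-vault-env.sh
@@ -0,0 +1,60 @@
+#!/bin/sh
+set -eu
+
+log() {
+printf '%s\n' "$*" >&2
+}
+
+VAULT_ENABLED="${VAULT_ENABLED:-auto}"
+if [ "$VAULT_ENABLED" = "false" ] || [ "$VAULT_ENABLED" = "0" ]; then
+exit 0
+fi
+
+if [ -z "${VAULT_ADDR:-}" ] || [ -z "${VAULT_TOKEN:-}" ]; then
+if [ "$VAULT_ENABLED" = "true" ] || [ "$VAULT_ENABLED" = "1" ]; then
+log "Vault bootstrap is required but VAULT_ADDR or VAULT_TOKEN is missing."
+exit 1
+fi
+exit 0
+fi
+
+if ! command -v curl >/dev/null 2>&1 || ! command -v jq >/dev/null 2>&1; then
+log "Vault bootstrap requires curl and jq."
+exit 1
+fi
+
+VAULT_KV_MOUNT="${VAULT_KV_MOUNT:-secret}"
+
+load_secret_path() {
+path="$1"
+source_name="$2"
+if [ -z "$path" ]; then
+return 0
+fi
+
+url="${VAULT_ADDR%/}/v1/${VAULT_KV_MOUNT}/data/${path}"
+response="$(curl -fsS -H "X-Vault-Token: $VAULT_TOKEN" "$url")" || {
+log "Failed to load Vault path ${VAULT_KV_MOUNT}/${path}."
+return 1
+}
+
+encoded_items="$(printf '%s' "$response" | jq -r '.data.data // {} | to_entries[]? | @base64')"
+if [ -z "$encoded_items" ]; then
+return 0
+fi
+
+old_ifs="${IFS}"
+IFS='
+'
+for encoded_item in $encoded_items; do
+key="$(printf '%s' "$encoded_item" | base64 -d | jq -r '.key')"
+value="$(printf '%s' "$encoded_item" | base64 -d | jq -r '.value | tostring')"
+export "$key=$value"
+done
+IFS="${old_ifs}"
+
+log "Loaded Vault ${source_name} secrets from ${VAULT_KV_MOUNT}/${path}."
+}
+
+load_secret_path "${VAULT_SHARED_PATH:-}" "shared"
+load_secret_path "${VAULT_PROJECT_PATH:-}" "project"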
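Review bot: Because the Dockerfile's CMD dot-sources this file rather than executing it, the five top-level `exit` statements terminate the calling `sh -c` shell: with `VAULT_ENABLED=false`, or in the default `auto` mode when `VAULT_ADDR`/`VAULT_TOKEN` are absent, `exit 0` ends the container with status 0 before the migrations and `node dist/index.js` ever run, and `exit 1` bypasses whatever handling the caller has. Replace each top-level `exit N` with `return N` (in POSIX sh, `return` outside a function returns from the dot-sourced file) and make the two `load_secret_path` calls fail loudly, e.g. `load_secret_path "${VAULT_SHARED_PATH:-}" "shared" || return 1`, because `set -e` is not reliably honoured inside a file sourced as an `&&` operand; the caller's command list then has to stop on a non-zero return. `export "$key=$value"` also trusts that every Vault key is a valid environment-variable name; a key containing `-`, `.` or a leading digit makes `export` fail with an unhelpful message, so validate the name before exporting, as in the loop below. Finally, `-H "X-Vault-Token: $VAULT_TOKEN"` puts the token in curl's argv, visible to anything that can list processes in the container; with curl ≥ 7.55 it can be read from stdin instead, `printf 'X-Vault-Token: %s\n' "$VAULT_TOKEN" | curl -fsS -H @- "$url"`, and the token should be unset once loading is complete so the application does not inherit it.
```shell
# … unchanged: bootstrap guards, load_secret_path setup, curl fetch and jq parsing …
for encoded_item in $encoded_items; do
  key="$(printf '%s' "$encoded_item" | base64 -d | jq -r '.key')"
  value="$(printf '%s' "$encoded_item" | base64 -d | jq -r '.value | tostring')"
  # Only export names that are valid shell identifiers; anything else is a
  # misconfigured secret, not something to hand to `export` under set -e.
  case "$key" in
    ''|[0-9]*|*[!A-Za-z0-9_]*)
      IFS="${old_ifs}"
      log "Refusing to export Vault key '${key}' from ${VAULT_KV_MOUNT}/${path}: not a valid environment variable name."
      return 1
      ;;
  esac
  export "$key=$value"
done
IFS="${old_ifs}"
```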