Add Infisical secret loading at startup
@@ -17,12 +17,15 @@ FROM node:22-alpine
|
||||
WORKDIR /app
|
||||
|
||||
COPY package.json ./
|
||||
RUN npm install --omit=dev
|
||||
RUN npm install --omit=dev && npm install @infisical/sdk
|
||||
|
||||
COPY --from=builder /app/node_modules/.prisma ./node_modules/.prisma
|
||||
COPY --from=builder /app/dist ./dist
|
||||
COPY prisma ./prisma
|
||||
COPY scripts ./scripts
|
||||
|
||||
ENV INFISICAL_SECRET_PATHS="/exchange,/shared"
|
||||
|
||||
EXPOSE 8000
|
||||
|
||||
CMD ["sh", "-c", "npx prisma migrate deploy && node dist/index.js"]
|
||||
CMD ["sh", "-c", "node scripts/load-secrets.mjs && . ./.env.infisical && npx prisma migrate deploy && node dist/index.js"]
|
||||
|
||||
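--- a/scripts/load-secrets.mjs
+++ b/scripts/load-secrets.mjs
@@ -0,0 +1,44 @@
+import { InfisicalSDK } from "@infisical/sdk";
+import { writeFileSync } from "fs";
+
+const INFISICAL_API_URL = process.env.INFISICAL_API_URL;
+const INFISICAL_CLIENT_ID = process.env.INFISICAL_CLIENT_ID;
+const INFISICAL_CLIENT_SECRET = process.env.INFISICAL_CLIENT_SECRET;
+const INFISICAL_PROJECT_ID = process.env.INFISICAL_PROJECT_ID;
+const INFISICAL_ENV = process.env.INFISICAL_ENV || "prod";
+const SECRET_PATHS = (process.env.INFISICAL_SECRET_PATHS || "/shared").split(",");
+
+if (!INFISICAL_API_URL || !INFISICAL_CLIENT_ID || !INFISICAL_CLIENT_SECRET || !INFISICAL_PROJECT_ID) {
+process.stderr.write("Missing required Infisical environment variables\n");
+process.exit(1);
+}
+
+const client = new InfisicalSDK({ siteUrl: INFISICAL_API_URL });
+
+await client.auth().universalAuth.login({
+clientId: INFISICAL_CLIENT_ID,
+clientSecret: INFISICAL_CLIENT_SECRET,
+});
+
+process.stderr.write(`Loading secrets from Infisical (env: ${INFISICAL_ENV})...\n`);
+
+const envLines = [];
+
+for (const secretPath of SECRET_PATHS) {
+const response = await client.secrets().listSecrets({
+projectId: INFISICAL_PROJECT_ID,
+environment: INFISICAL_ENV,
+secretPath: secretPath.trim(),
+expandSecretReferences: true,
+});
+
+for (const secret of response.secrets) {
+const escapedValue = secret.secretValue.replace(/'/g, "'\\''");
+envLines.push(`export ${secret.secretKey}='${escapedValue}'`);
+}
+
+process.stderr.write(` ${secretPath.trim()}: ${response.secrets.length} secrets loaded\n`);
+}
+
+writeFileSync(".env.infisical", envLines.join("\n"));
+process.stderr.write("Secrets written to .env.infisical\n");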
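Review bot: The `writeFileSync(".env.infisical", envLines.join("\n"))` call near the end of the file creates the decrypted-secrets file with Node's default mode (0o666 masked by the container umask, typically 0644), so every secret value is readable by any other user or process in the container, and the Dockerfile CMD in this commit sources the file without removing it afterwards. Pass an explicit mode, `writeFileSync(".env.infisical", envLines.join("\n"), { mode: 0o600 });` (note the mode only applies when the file is newly created), and consider unlinking the file once it has been sourced or handing the values to the child process via its environment rather than the filesystem. Separately, the value side of `export ${secret.secretKey}='${escapedValue}'` is correctly single-quote-escaped, but `secret.secretKey` is interpolated unescaped, so a key that is not a valid shell identifier will break, or be interpreted by, the `. ./.env.infisical` step. Guard it before the push with `if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(secret.secretKey)) throw new Error("unsafe secret key: " + secret.secretKey);`.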