feat(prefect): Add Infisical SDK for secrets management

- Add config.py to load secrets from Infisical /prefect and /shared paths - Update docker-compose.yml with Infisical env vars instead of hardcoded secrets - Add infisical-sdk to requirements.txt - Import config in sync_node.py to trigger secret loading at startup
2025-12-26 08:11:47 +07:00
parent 66d82a2b29
commit 18bd8c58d4
4 changed files with 45 additions and 4 deletions
--- a/prefect/docker-compose.yml
+++ b/prefect/docker-compose.yml
@@ -90,9 +90,13 @@ services:
        condition: service_healthy
    environment:
      PREFECT_API_URL: http://prefect-server:4200/api
-      ARANGODB_URL: http://217.216.32.39:32844
-      ARANGODB_DATABASE: optovia_maps
-      ARANGODB_PASSWORD: 78gwcnmmneriiju
+      # Infisical Machine Identity auth
+      INFISICAL_API_URL: ${INFISICAL_API_URL}
+      INFISICAL_CLIENT_ID: ${INFISICAL_CLIENT_ID}
+      INFISICAL_CLIENT_SECRET: ${INFISICAL_CLIENT_SECRET}
+      INFISICAL_PROJECT_ID: ${INFISICAL_PROJECT_ID}
+      INFISICAL_ENV: ${INFISICAL_ENV:-prod}
+      # Static URLs (not secrets)
      GRAPHHOPPER_URL: https://graphhopper.optovia.ru
      RAIL_ROUTING_URL: https://openrailrouting.optovia.ru
      ODOO_URL: http://odoo:8069
--- a/prefect/flows/config.py
+++ b/prefect/flows/config.py
@@ -0,0 +1,33 @@
+"""
+Configuration for Prefect flows.
+Loads secrets from Infisical using Machine Identity auth.
+"""
+
+import os
+from infisical_sdk import InfisicalSDKClient
+
+
+# Load secrets from Infisical before anything else
+INFISICAL_API_URL = os.environ["INFISICAL_API_URL"]
+INFISICAL_CLIENT_ID = os.environ["INFISICAL_CLIENT_ID"]
+INFISICAL_CLIENT_SECRET = os.environ["INFISICAL_CLIENT_SECRET"]
+INFISICAL_PROJECT_ID = os.environ["INFISICAL_PROJECT_ID"]
+INFISICAL_ENV = os.environ.get("INFISICAL_ENV", "prod")
+
+_client = InfisicalSDKClient(host=INFISICAL_API_URL)
+_client.auth.universal_auth.login(
+    client_id=INFISICAL_CLIENT_ID,
+    client_secret=INFISICAL_CLIENT_SECRET,
+)
+
+# Fetch secrets from /prefect and /shared
+for _secret_path in ["/prefect", "/shared"]:
+    _secrets_response = _client.secrets.list_secrets(
+        environment_slug=INFISICAL_ENV,
+        secret_path=_secret_path,
+        project_id=INFISICAL_PROJECT_ID,
+        expand_secret_references=True,
+        view_secret_value=True,
+    )
+    for _secret in _secrets_response.secrets:
+        os.environ[_secret.secretKey] = _secret.secretValue
--- a/prefect/flows/sync_node.py
+++ b/prefect/flows/sync_node.py
@@ -10,13 +10,16 @@ import os
 import json
 from datetime import datetime, timedelta

+# Load secrets from Infisical first
+import config  # noqa: F401
+
 import httpx
 from arango import ArangoClient
 from prefect import flow, task, get_run_logger
 from prefect.concurrency.sync import concurrency


-# Environment
+# Environment (loaded from Infisical via config.py)
 ODOO_URL = os.environ.get("ODOO_URL", "http://odoo:8069")
 GRAPHHOPPER_URL = os.environ.get("GRAPHHOPPER_URL", "https://graphhopper.optovia.ru")
 RAIL_ROUTING_URL = os.environ.get("RAIL_ROUTING_URL", "https://openrailrouting.optovia.ru")
--- a/prefect/requirements.txt
+++ b/prefect/requirements.txt
@@ -4,3 +4,4 @@ python-arango>=8.0.0
 fastapi>=0.109.0
 uvicorn>=0.27.0
 asyncpg>=0.29.0
+infisical-sdk>=1.0.0