Migrate from Infisical to Vault for secret loading
Some checks failed
Build Docker Image / build (push) Failing after 34s
Some checks failed
Build Docker Image / build (push) Failing after 34s
This commit is contained in:
Ruslan Bakiev
@@ -12,6 +12,8 @@ jobs:
|
||||
|
||||
- name: Set up Docker Buildx
|
||||
uses: docker/setup-buildx-action@v3
|
||||
with:
|
||||
driver-opts: network=dokploy-network
|
||||
|
||||
- name: Login to Gitea Registry
|
||||
uses: docker/login-action@v3
|
||||
@@ -26,12 +28,12 @@ jobs:
|
||||
context: .
|
||||
push: true
|
||||
tags: gitea.dsrptlab.com/optovia/webapp/webapp:latest
|
||||
network: dokploy-network
|
||||
build-args: |
|
||||
INFISICAL_API_URL=${{ secrets.INFISICAL_API_URL }}
|
||||
INFISICAL_CLIENT_ID=${{ secrets.INFISICAL_CLIENT_ID }}
|
||||
INFISICAL_CLIENT_SECRET=${{ secrets.INFISICAL_CLIENT_SECRET }}
|
||||
INFISICAL_PROJECT_ID=${{ secrets.INFISICAL_PROJECT_ID }}
|
||||
INFISICAL_ENV=prod
|
||||
VAULT_ADDR=${{ secrets.VAULT_ADDR }}
|
||||
VAULT_TOKEN=${{ secrets.VAULT_TOKEN }}
|
||||
VAULT_SHARED_PATH=shared
|
||||
VAULT_PROJECT_PATH=webapp
|
||||
|
||||
- name: Deploy to Dokploy
|
||||
run: curl -X POST "https://dokploy.optovia.ru/api/deploy/0_iNAXPDx28BLZIddGTzB"
|
||||
|
||||
18
Dockerfile
18
Dockerfile
@@ -12,17 +12,15 @@ WORKDIR /app
|
||||
|
||||
RUN corepack enable
|
||||
|
||||
ARG INFISICAL_API_URL
|
||||
ARG INFISICAL_CLIENT_ID
|
||||
ARG INFISICAL_CLIENT_SECRET
|
||||
ARG INFISICAL_PROJECT_ID
|
||||
ARG INFISICAL_ENV
|
||||
ARG VAULT_ADDR
|
||||
ARG VAULT_TOKEN
|
||||
ARG VAULT_SHARED_PATH
|
||||
ARG VAULT_PROJECT_PATH
|
||||
|
||||
ENV INFISICAL_API_URL=$INFISICAL_API_URL \
|
||||
INFISICAL_CLIENT_ID=$INFISICAL_CLIENT_ID \
|
||||
INFISICAL_CLIENT_SECRET=$INFISICAL_CLIENT_SECRET \
|
||||
INFISICAL_PROJECT_ID=$INFISICAL_PROJECT_ID \
|
||||
INFISICAL_ENV=$INFISICAL_ENV
|
||||
ENV VAULT_ADDR=$VAULT_ADDR \
|
||||
VAULT_TOKEN=$VAULT_TOKEN \
|
||||
VAULT_SHARED_PATH=$VAULT_SHARED_PATH \
|
||||
VAULT_PROJECT_PATH=$VAULT_PROJECT_PATH
|
||||
|
||||
COPY package.json pnpm-lock.yaml ./
|
||||
RUN pnpm install --frozen-lockfile
|
||||
|
||||
@@ -1,48 +1,50 @@
|
||||
/**
|
||||
* Load secrets from Infisical using Machine Identity (Universal Auth)
|
||||
* Load secrets from Vault HTTP API
|
||||
* Writes secrets to .env.infisical file for sourcing
|
||||
*/
|
||||
import { InfisicalSDK } from "@infisical/sdk";
|
||||
import { writeFileSync } from "fs";
|
||||
|
||||
const INFISICAL_API_URL = process.env.INFISICAL_API_URL;
|
||||
const INFISICAL_CLIENT_ID = process.env.INFISICAL_CLIENT_ID;
|
||||
const INFISICAL_CLIENT_SECRET = process.env.INFISICAL_CLIENT_SECRET;
|
||||
const INFISICAL_PROJECT_ID = process.env.INFISICAL_PROJECT_ID;
|
||||
const INFISICAL_ENV = process.env.INFISICAL_ENV || "prod";
|
||||
const VAULT_ADDR = process.env.VAULT_ADDR;
|
||||
const VAULT_TOKEN = process.env.VAULT_TOKEN;
|
||||
const VAULT_KV_MOUNT = process.env.VAULT_KV_MOUNT || "secret";
|
||||
const VAULT_SHARED_PATH = process.env.VAULT_SHARED_PATH;
|
||||
const VAULT_PROJECT_PATH = process.env.VAULT_PROJECT_PATH;
|
||||
|
||||
if (!INFISICAL_API_URL || !INFISICAL_CLIENT_ID || !INFISICAL_CLIENT_SECRET || !INFISICAL_PROJECT_ID) {
|
||||
process.stderr.write("Missing required Infisical environment variables\n");
|
||||
if (!VAULT_ADDR || !VAULT_TOKEN) {
|
||||
process.stderr.write("Missing required Vault environment variables (VAULT_ADDR, VAULT_TOKEN)\n");
|
||||
process.exit(1);
|
||||
}
|
||||
|
||||
const client = new InfisicalSDK({ siteUrl: INFISICAL_API_URL });
|
||||
|
||||
await client.auth().universalAuth.login({
|
||||
clientId: INFISICAL_CLIENT_ID,
|
||||
clientSecret: INFISICAL_CLIENT_SECRET,
|
||||
});
|
||||
|
||||
process.stderr.write(`Loading secrets from Infisical (env: ${INFISICAL_ENV})...\n`);
|
||||
process.stderr.write(`Loading secrets from Vault...\n`);
|
||||
|
||||
const envLines = [];
|
||||
|
||||
for (const secretPath of ["/webapp", "/shared"]) {
|
||||
const response = await client.secrets().listSecrets({
|
||||
projectId: INFISICAL_PROJECT_ID,
|
||||
environment: INFISICAL_ENV,
|
||||
secretPath: secretPath,
|
||||
expandSecretReferences: true,
|
||||
async function loadPath(path, sourceName) {
|
||||
if (!path) return;
|
||||
|
||||
const url = `${VAULT_ADDR.replace(/\/$/, "")}/v1/${VAULT_KV_MOUNT}/data/${path}`;
|
||||
const response = await fetch(url, {
|
||||
headers: { "X-Vault-Token": VAULT_TOKEN },
|
||||
});
|
||||
|
||||
for (const secret of response.secrets) {
|
||||
// Escape special characters for shell
|
||||
const escapedValue = secret.secretValue.replace(/'/g, "'\\''");
|
||||
envLines.push(`export ${secret.secretKey}='${escapedValue}'`);
|
||||
if (!response.ok) {
|
||||
throw new Error(`Failed to load Vault path ${VAULT_KV_MOUNT}/${path}: ${response.status}`);
|
||||
}
|
||||
|
||||
process.stderr.write(` ${secretPath}: ${response.secrets.length} secrets loaded\n`);
|
||||
const json = await response.json();
|
||||
const secrets = json?.data?.data || {};
|
||||
const keys = Object.keys(secrets);
|
||||
|
||||
for (const [key, value] of Object.entries(secrets)) {
|
||||
const escapedValue = String(value).replace(/'/g, "'\\''");
|
||||
envLines.push(`export ${key}='${escapedValue}'`);
|
||||
}
|
||||
|
||||
process.stderr.write(` ${sourceName}: ${keys.length} secrets loaded from ${VAULT_KV_MOUNT}/${path}\n`);
|
||||
}
|
||||
|
||||
await loadPath(VAULT_SHARED_PATH, "shared");
|
||||
await loadPath(VAULT_PROJECT_PATH, "project");
|
||||
|
||||
writeFileSync(".env.infisical", envLines.join("\n"));
|
||||
process.stderr.write("Secrets written to .env.infisical\n");
|
||||
|
||||
Reference in New Issue
Block a user