From 84e857ffc1034137f4b94230b049550fd0873026 Mon Sep 17 00:00:00 2001
From: Ruslan Bakiev <ruslanbakiev@dsrptlab.com>
Date: Mon, 9 Mar 2026 14:30:10 +0700
Subject: [PATCH] Migrate from Infisical to Vault for secret loading

---
 .gitea/workflows/build.yaml | 12 ++++----
 Dockerfile                  | 18 +++++-------
 scripts/load-secrets.mjs    | 58 +++++++++++++++++++------------------
 3 files changed, 45 insertions(+), 43 deletions(-)

diff --git a/.gitea/workflows/build.yaml b/.gitea/workflows/build.yaml
index f5c69ac..75167c0 100644
--- a/.gitea/workflows/build.yaml
+++ b/.gitea/workflows/build.yaml
@@ -12,6 +12,8 @@ jobs:
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
+        with:
+          driver-opts: network=dokploy-network
 
       - name: Login to Gitea Registry
         uses: docker/login-action@v3
@@ -26,12 +28,12 @@ jobs:
           context: .
           push: true
           tags: gitea.dsrptlab.com/optovia/webapp/webapp:latest
+          network: dokploy-network
           build-args: |
-            INFISICAL_API_URL=${{ secrets.INFISICAL_API_URL }}
-            INFISICAL_CLIENT_ID=${{ secrets.INFISICAL_CLIENT_ID }}
-            INFISICAL_CLIENT_SECRET=${{ secrets.INFISICAL_CLIENT_SECRET }}
-            INFISICAL_PROJECT_ID=${{ secrets.INFISICAL_PROJECT_ID }}
-            INFISICAL_ENV=prod
+            VAULT_ADDR=${{ secrets.VAULT_ADDR }}
+            VAULT_TOKEN=${{ secrets.VAULT_TOKEN }}
+            VAULT_SHARED_PATH=shared
+            VAULT_PROJECT_PATH=webapp
 
       - name: Deploy to Dokploy
         run: curl -X POST "https://dokploy.optovia.ru/api/deploy/0_iNAXPDx28BLZIddGTzB"
diff --git a/Dockerfile b/Dockerfile
index 2fc562e..b4b7c9c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -12,17 +12,15 @@ WORKDIR /app
 
 RUN corepack enable
 
-ARG INFISICAL_API_URL
-ARG INFISICAL_CLIENT_ID
-ARG INFISICAL_CLIENT_SECRET
-ARG INFISICAL_PROJECT_ID
-ARG INFISICAL_ENV
+ARG VAULT_ADDR
+ARG VAULT_TOKEN
+ARG VAULT_SHARED_PATH
+ARG VAULT_PROJECT_PATH
 
-ENV INFISICAL_API_URL=$INFISICAL_API_URL \
-    INFISICAL_CLIENT_ID=$INFISICAL_CLIENT_ID \
-    INFISICAL_CLIENT_SECRET=$INFISICAL_CLIENT_SECRET \
-    INFISICAL_PROJECT_ID=$INFISICAL_PROJECT_ID \
-    INFISICAL_ENV=$INFISICAL_ENV
+ENV VAULT_ADDR=$VAULT_ADDR \
+    VAULT_TOKEN=$VAULT_TOKEN \
+    VAULT_SHARED_PATH=$VAULT_SHARED_PATH \
+    VAULT_PROJECT_PATH=$VAULT_PROJECT_PATH
 
 COPY package.json pnpm-lock.yaml ./
 RUN pnpm install --frozen-lockfile
diff --git a/scripts/load-secrets.mjs b/scripts/load-secrets.mjs
index fe81f82..39484fb 100644
--- a/scripts/load-secrets.mjs
+++ b/scripts/load-secrets.mjs
@@ -1,48 +1,50 @@
 /**
- * Load secrets from Infisical using Machine Identity (Universal Auth)
+ * Load secrets from Vault HTTP API
  * Writes secrets to .env.infisical file for sourcing
  */
-import { InfisicalSDK } from "@infisical/sdk";
 import { writeFileSync } from "fs";
 
-const INFISICAL_API_URL = process.env.INFISICAL_API_URL;
-const INFISICAL_CLIENT_ID = process.env.INFISICAL_CLIENT_ID;
-const INFISICAL_CLIENT_SECRET = process.env.INFISICAL_CLIENT_SECRET;
-const INFISICAL_PROJECT_ID = process.env.INFISICAL_PROJECT_ID;
-const INFISICAL_ENV = process.env.INFISICAL_ENV || "prod";
+const VAULT_ADDR = process.env.VAULT_ADDR;
+const VAULT_TOKEN = process.env.VAULT_TOKEN;
+const VAULT_KV_MOUNT = process.env.VAULT_KV_MOUNT || "secret";
+const VAULT_SHARED_PATH = process.env.VAULT_SHARED_PATH;
+const VAULT_PROJECT_PATH = process.env.VAULT_PROJECT_PATH;
 
-if (!INFISICAL_API_URL || !INFISICAL_CLIENT_ID || !INFISICAL_CLIENT_SECRET || !INFISICAL_PROJECT_ID) {
-  process.stderr.write("Missing required Infisical environment variables\n");
+if (!VAULT_ADDR || !VAULT_TOKEN) {
+  process.stderr.write("Missing required Vault environment variables (VAULT_ADDR, VAULT_TOKEN)\n");
   process.exit(1);
 }
 
-const client = new InfisicalSDK({ siteUrl: INFISICAL_API_URL });
-
-await client.auth().universalAuth.login({
-  clientId: INFISICAL_CLIENT_ID,
-  clientSecret: INFISICAL_CLIENT_SECRET,
-});
-
-process.stderr.write(`Loading secrets from Infisical (env: ${INFISICAL_ENV})...\n`);
+process.stderr.write(`Loading secrets from Vault...\n`);
 
 const envLines = [];
 
-for (const secretPath of ["/webapp", "/shared"]) {
-  const response = await client.secrets().listSecrets({
-    projectId: INFISICAL_PROJECT_ID,
-    environment: INFISICAL_ENV,
-    secretPath: secretPath,
-    expandSecretReferences: true,
+async function loadPath(path, sourceName) {
+  if (!path) return;
+
+  const url = `${VAULT_ADDR.replace(/\/$/, "")}/v1/${VAULT_KV_MOUNT}/data/${path}`;
+  const response = await fetch(url, {
+    headers: { "X-Vault-Token": VAULT_TOKEN },
   });
 
-  for (const secret of response.secrets) {
-    // Escape special characters for shell
-    const escapedValue = secret.secretValue.replace(/'/g, "'\\''");
-    envLines.push(`export ${secret.secretKey}='${escapedValue}'`);
+  if (!response.ok) {
+    throw new Error(`Failed to load Vault path ${VAULT_KV_MOUNT}/${path}: ${response.status}`);
   }
 
-  process.stderr.write(`  ${secretPath}: ${response.secrets.length} secrets loaded\n`);
+  const json = await response.json();
+  const secrets = json?.data?.data || {};
+  const keys = Object.keys(secrets);
+
+  for (const [key, value] of Object.entries(secrets)) {
+    const escapedValue = String(value).replace(/'/g, "'\\''");
+    envLines.push(`export ${key}='${escapedValue}'`);
+  }
+
+  process.stderr.write(`  ${sourceName}: ${keys.length} secrets loaded from ${VAULT_KV_MOUNT}/${path}\n`);
 }
 
+await loadPath(VAULT_SHARED_PATH, "shared");
+await loadPath(VAULT_PROJECT_PATH, "project");
+
 writeFileSync(".env.infisical", envLines.join("\n"));
 process.stderr.write("Secrets written to .env.infisical\n");