optovia/webapp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Migrate from Infisical to Vault for secret loading
Some checks failed
Build Docker Image / build (push) Failing after 34s
Details

Browse Source
This commit is contained in:
Ruslan Bakiev
2026-03-09 14:30:10 +07:00
parent e4d6c9ce81
commit 84e857ffc1
3 changed files with 45 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files

58
scripts/load-secrets.mjs
View File

@@ -1,48 +1,50 @@
/**
* Load secrets from Infisical using Machine Identity (Universal Auth)
* Load secrets from Vault HTTP API
* Writes secrets to .env.infisical file for sourcing
*/
import { InfisicalSDK } from "@infisical/sdk";
import { writeFileSync } from "fs";
const INFISICAL_API_URL = process.env.INFISICAL_API_URL;
const INFISICAL_CLIENT_ID = process.env.INFISICAL_CLIENT_ID;
const INFISICAL_CLIENT_SECRET = process.env.INFISICAL_CLIENT_SECRET;
const INFISICAL_PROJECT_ID = process.env.INFISICAL_PROJECT_ID;
const INFISICAL_ENV = process.env.INFISICAL_ENV || "prod";
const VAULT_ADDR = process.env.VAULT_ADDR;
const VAULT_TOKEN = process.env.VAULT_TOKEN;
const VAULT_KV_MOUNT = process.env.VAULT_KV_MOUNT || "secret";
const VAULT_SHARED_PATH = process.env.VAULT_SHARED_PATH;
const VAULT_PROJECT_PATH = process.env.VAULT_PROJECT_PATH;
if (!INFISICAL_API_URL || !INFISICAL_CLIENT_ID || !INFISICAL_CLIENT_SECRET || !INFISICAL_PROJECT_ID) {
process.stderr.write("Missing required Infisical environment variables\n");
if (!VAULT_ADDR || !VAULT_TOKEN) {
process.stderr.write("Missing required Vault environment variables (VAULT_ADDR, VAULT_TOKEN)\n");
process.exit(1);
}
const client = new InfisicalSDK({ siteUrl: INFISICAL_API_URL });
await client.auth().universalAuth.login({
clientId: INFISICAL_CLIENT_ID,
clientSecret: INFISICAL_CLIENT_SECRET,
});
process.stderr.write(`Loading secrets from Infisical (env: ${INFISICAL_ENV})...\n`);
process.stderr.write(`Loading secrets from Vault...\n`);
const envLines = [];
for (const secretPath of ["/webapp", "/shared"]) {
const response = await client.secrets().listSecrets({
projectId: INFISICAL_PROJECT_ID,
environment: INFISICAL_ENV,
secretPath: secretPath,
expandSecretReferences: true,
async function loadPath(path, sourceName) {
if (!path) return;
const url = `${VAULT_ADDR.replace(/\/$/, "")}/v1/${VAULT_KV_MOUNT}/data/${path}`;
const response = await fetch(url, {
headers: { "X-Vault-Token": VAULT_TOKEN },
});
for (const secret of response.secrets) {
// Escape special characters for shell
const escapedValue = secret.secretValue.replace(/'/g, "'\\''");
envLines.push(`export ${secret.secretKey}='${escapedValue}'`);
if (!response.ok) {
throw new Error(`Failed to load Vault path ${VAULT_KV_MOUNT}/${path}: ${response.status}`);
}
process.stderr.write(` ${secretPath}: ${response.secrets.length} secrets loaded\n`);
const json = await response.json();
const secrets = json?.data?.data || {};
const keys = Object.keys(secrets);
for (const [key, value] of Object.entries(secrets)) {
const escapedValue = String(value).replace(/'/g, "'\\''");
envLines.push(`export ${key}='${escapedValue}'`);
}
process.stderr.write(` ${sourceName}: ${keys.length} secrets loaded from ${VAULT_KV_MOUNT}/${path}\n`);
}
await loadPath(VAULT_SHARED_PATH, "shared");
await loadPath(VAULT_PROJECT_PATH, "project");
writeFileSync(".env.infisical", envLines.join("\n"));
process.stderr.write("Secrets written to .env.infisical\n");