feat: update vault code for api

Bisonai · May 18, 2024 · c305c92 · c305c92
1 parent 28a2f1e
commit c305c92
Show file tree

Hide file tree

Showing 2 changed files with 63 additions and 67 deletions.
diff --git a/api/secrets/secrets.go b/api/secrets/secrets.go
@@ -2,57 +2,77 @@ package secrets
 
 import (
 	"context"
-	"fmt"
+	"os"
+	"sync"
 
 	vault "github.com/hashicorp/vault/api"
 	auth "github.com/hashicorp/vault/api/auth/kubernetes"
+	"github.com/rs/zerolog/log"
 )
 
-type SecretEnv struct {
-	VaultRole       string
-	JwtPath         string
-	VaultSecretPath string
-	VaultKeyName    string
-}
+var secretData map[string]interface{}
+var initialized bool = false
+var once sync.Once
 
-type Secrets struct {
-	DatabaseURL     string
-	EncryptPassword string
-}
+func init() {
+	once.Do(func() {
+		ctx := context.Background()
 
-func (s *SecretEnv) GetSecretFromVaultWithKubernetesAuth() (*Secrets, error) {
-	ctx := context.Background()
-	config := vault.DefaultConfig()
-	client, err := vault.NewClient(config)
-	if err != nil {
-		return nil, fmt.Errorf("unable to initialize Vault client: %w", err)
-	}
+		vaultRole := os.Getenv("VAULT_ROLE")
+		jwtPath := os.Getenv("JWT_PATH")
+		vaultSecretPath := os.Getenv("VAULT_SECRET_PATH")
+		vaultKeyName := os.Getenv("VAULT_KEY_NAME")
 
-	k8sAuth, err := auth.NewKubernetesAuth(
-		s.VaultRole,
-		auth.WithServiceAccountTokenPath(s.JwtPath),
-	)
-	if err != nil {
-		return nil, fmt.Errorf("unable to initialize Kubernetes auth method: %w", err)
-	}
+		if vaultRole != "" && jwtPath != "" && vaultSecretPath != "" && vaultKeyName != "" {
+			config := vault.DefaultConfig()
+			client, err := vault.NewClient(config)
+			if err != nil {
+				log.Error().Err(err).Msg("unable to initialize Vault client")
+				return
+			}
 
-	authInfo, err := client.Auth().Login(ctx, k8sAuth)
-	if err != nil {
-		return nil, fmt.Errorf("unable to log in with Kubernetes auth: %w", err)
-	}
-	if authInfo == nil {
-		return nil, fmt.Errorf("no auth info was returned after login")
-	}
+			k8sAuth, err := auth.NewKubernetesAuth(
+				vaultRole,
+				auth.WithServiceAccountTokenPath(jwtPath),
+			)
+			if err != nil {
+				log.Error().Err(err).Msg("unable to initialize Kubernetes auth method")
+				return
+			}
 
-	secrets, err := client.KVv2(s.VaultSecretPath).Get(context.Background(), s.VaultKeyName)
-	if err != nil {
-		return nil, fmt.Errorf("unable to read secret: %w", err)
-	}
+			authInfo, err := client.Auth().Login(ctx, k8sAuth)
+			if err != nil {
+				log.Error().Err(err).Msg("unable to log in with Kubernetes auth")
+				return
+			}
+			if authInfo == nil {
+				log.Error().Err(err).Msg("no auth info was returned after login")
+				return
+			}
 
-	secretDataSet := &Secrets{
-		DatabaseURL:     secrets.Data["DATABASE_URL"].(string),
-		EncryptPassword: secrets.Data["ENCRYPT_PASSWORD"].(string),
-	}
+			secrets, err := client.KVv2(vaultSecretPath).Get(ctx, vaultKeyName)
+			if err != nil {
+				log.Error().Err(err).Msg("unable to read secret")
+				return
+			}
+
+			secretData = secrets.Data
+			initialized = true
+		}
+	})
+}
 
-	return secretDataSet, nil
+func GetSecret(key string) string {
+	if !initialized {
+		return os.Getenv(key)
+	}
+	value, ok := secretData[key]
+	if !ok {
+		return os.Getenv(key)
+	}
+	result, ok := value.(string)
+	if !ok || result == "" {
+		return os.Getenv(key)
+	}
+	return result
 }
diff --git a/api/utils/utils.go b/api/utils/utils.go
@@ -265,32 +265,8 @@ func DecryptText(encryptedText string) (string, error) {
 }
 
 func LoadEnvVars() (map[string]interface{}, error) {
-
-	databaseURL := ""
-	encryptPassword := ""
-	vaultRole := os.Getenv("VAULT_ROLE")
-	jwtPath := os.Getenv("JWT_PATH")
-	vaultSecretPath := os.Getenv("VAULT_SECRET_PATH")
-	vaultKeyName := os.Getenv("VAULT_KEY_NAME")
-
-	if vaultRole != "" && jwtPath != "" && vaultSecretPath != "" && vaultKeyName != "" {
-		log.Println("Using Vault to get secrets")
-		secretsEnv := secrets.SecretEnv{
-			VaultRole:       vaultRole,
-			JwtPath:         jwtPath,
-			VaultSecretPath: vaultSecretPath,
-			VaultKeyName:    vaultKeyName,
-		}
-		secrets, err := secretsEnv.GetSecretFromVaultWithKubernetesAuth()
-		if err != nil {
-			return nil, err
-		}
-		databaseURL = secrets.DatabaseURL
-		encryptPassword = secrets.EncryptPassword
-	} else {
-		databaseURL = os.Getenv("DATABASE_URL")
-		encryptPassword = os.Getenv("ENCRYPT_PASSWORD")
-	}
+	databaseURL := secrets.GetSecret("DATABASE_URL")
+	encryptPassword := secrets.GetSecret("ENCRYPT_PASSWORD")
 
 	redisHost := os.Getenv("REDIS_HOST")
 	redisPort := os.Getenv("REDIS_PORT")