From c7691dcf155db6d8f1f9ce6afc78a552ab401dff Mon Sep 17 00:00:00 2001
From: Florian
Date: Wed, 5 Nov 2025 21:56:39 +0100
Subject: [PATCH] Added lib-secret-manager which consumes secrets after application launch
---
 requirements.txt | 1 +
 src/db.py | 2 +-
 src/main.py | 9 +++++++++
 src/rabbitmq_handler.py | 2 +-
 src/secret_handler.py | 14 --------------
 5 files changed, 12 insertions(+), 16 deletions(-)
 delete mode 100644 src/secret_handler.py
diff --git a/requirements.txt b/requirements.txt
index 05a2ccd..be2e15b 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -9,6 +9,7 @@ click==8.3.0
 fastapi==0.119.0
 h11==0.16.0
 idna==3.11
+lib-secret-manager @ git+https://git.gansejunge.com/notifier/lib-secret-manager.git@main
 lib-uvicorn-config @ git+https://git.gansejunge.com/notifier/lib-uvicorn-config.git@main
 multidict==6.7.0
 mysql-connector-python==9.4.0
diff --git a/src/db.py b/src/db.py
index 84da86d..1d0fd72 100644
--- a/src/db.py
+++ b/src/db.py
@@ -1,6 +1,6 @@
 from mysql.connector import pooling, Error
 import threading
-from secret_handler import return_credentials
+from secret_manager import return_credentials
 import os
 import time
 from simple_logger_handler import setup_logger
diff --git a/src/main.py b/src/main.py
index 53103b2..5f9cce6 100644
--- a/src/main.py
+++ b/src/main.py
@@ -13,6 +13,7 @@ from contextlib import asynccontextmanager
 from metrics_server import REQUEST_COUNTER
 import asyncio
 from uvicorn_logger_config import LOGGING_CONFIG
+from secret_manager import cleanup_secret_files
 logger = setup_logger(__name__)
 producer = RabbitMQProducer()
@@ -38,6 +39,14 @@ async def lifespan(app: FastAPI):
 app.state.rmq_producer = producer
 logger.info("[FastAPI] RabbitMQ producer initialized.")
+ SECRET_PATHS = frozenset({
+ "/etc/secrets/db_username",
+ "/etc/secrets/db_password",
+ "/etc/secrets/rmq_username",
+ "/etc/secrets/rmq_password"
+ })
+ cleanup_secret_files(SECRET_PATHS)
+
 yield
 logger.info("Closing RabbitMQ producer...")
 await producer.close()
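Review bot: The new `lib-secret-manager` requirement in requirements.txt is pinned to the mutable branch ref `@main`, while the PyPI packages around it are pinned to exact versions, so each rebuild can pull different code for the library that now reads and removes the service's credentials. Pin it to a reviewed tag or full commit hash, for example `lib-secret-manager @ git+https://git.gansejunge.com/notifier/lib-secret-manager.git@<commit-sha>` (placeholder value), and bump it deliberately. The neighbouring `lib-uvicorn-config` context line uses the same `@main` pattern and would benefit from the same treatment.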
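Review bot: In `lifespan` in src/main.py, `cleanup_secret_files(SECRET_PATHS)` runs once the RabbitMQ producer is initialised, but nothing in the hunk shows that every caller of `return_credentials` (src/db.py and src/rabbitmq_handler.py both import it) has already read and cached its value by then. If either one reads its file again later, for instance on a pool rebuild, a reconnect, or in a second worker process running its own startup, that read would presumably hit a missing file, so the ordering assumption deserves a comment such as `# All consumers must have cached their credentials before this point; the files are gone afterwards.` The outcome of the call is neither checked nor logged here, so a cleanup that fails (for example on a read-only mount) may leave the secrets on disk unnoticed; `cleanup_secret_files` itself is not visible in this patch, so this needs confirming against the library. `SECRET_PATHS` is named like a constant but defined inside the function, and moving it to module level would match its naming. The body of `lifespan` begins before and continues after this hunk.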
diff --git a/src/rabbitmq_handler.py b/src/rabbitmq_handler.py
index 6e818df..a356189 100644
--- a/src/rabbitmq_handler.py
+++ b/src/rabbitmq_handler.py
@@ -1,7 +1,7 @@
 import asyncio
 import aio_pika
 from aio_pika.exceptions import AMQPException
-from secret_handler import return_credentials
+from secret_manager import return_credentials
 import os
 from simple_logger_handler import setup_logger
 import json
diff --git a/src/secret_handler.py b/src/secret_handler.py
deleted file mode 100644
index 696f176..0000000
--- a/src/secret_handler.py
+++ /dev/null
@@ -1,14 +0,0 @@
-from simple_logger_handler import setup_logger
-
-logger = setup_logger(__name__)
-
-def return_credentials(path: str)->str:
- try:
- with open (path) as file:
- return file.read().strip()
- except FileNotFoundError:
- logger.fatal(f"[FATAL] Secret file not found: {path}")
- raise
- except Exception as e:
- logger.fatal(f"[FATAL] Failed to read secret file {path}: {e}")
- raise