From 98f36cf8dd3fbb915c509344eab7318d6e6ab038 Mon Sep 17 00:00:00 2001
From: florian
Date: Tue, 7 Oct 2025 21:45:54 +0200
Subject: [PATCH] Removed HVAC handler and changed deployment to Kubernetes
---
requirements.txt | 9 ++-------
src/db.py | 7 +++----
src/hvac_handler.py | 44 ----------------------------------------
src/rabbitmq_handler.py | 18 ++++++++++-------
src/secret_handler.py | 3 +++
5 files changed, 19 insertions(+), 62 deletions(-)
delete mode 100644 src/hvac_handler.py
create mode 100644 src/secret_handler.py
diff --git a/requirements.txt b/requirements.txt
index 1378026..e514438 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -2,23 +2,18 @@ annotated-types==0.7.0
 anyio==4.11.0
 argon2-cffi==25.1.0
 argon2-cffi-bindings==25.1.0
-certifi==2025.10.5
 cffi==2.0.0
-charset-normalizer==3.4.3
 click==8.3.0
 fastapi==0.118.0
 h11==0.16.0
-hvac==2.3.0
 idna==3.10
 mysql-connector-python==9.4.0
 pika==1.3.2
 pycparser==2.23
-pydantic==2.11.10
-pydantic_core==2.33.2
-requests==2.32.5
+pydantic==2.12.0
+pydantic_core==2.41.1
 sniffio==1.3.1
 starlette==0.48.0
 typing-inspection==0.4.2
 typing_extensions==4.15.0
-urllib3==2.5.0
 uvicorn==0.37.0
diff --git a/src/db.py b/src/db.py
index 1e04d6a..852e421 100644
--- a/src/db.py
+++ b/src/db.py
@@ -1,14 +1,13 @@
 import mysql.connector
-from mysql.connector import pooling
 import threading
-from hvac_handler import get_secret
+from secret_handler import return_credentials
 import os
 import time
 import sys
-db_username = get_secret("secret/api-internal/db", "username")
-db_password = get_secret("secret/api-internal/db", "password")
+db_username = return_credentials("/etc/secrets/db_username")
+db_password = return_credentials("/etc/secrets/db_password")
 db_host = os.getenv("BACKEND_API_INTERNAL_DB_HOST","localhost")
 db_database = os.getenv("BACKEND_API_INTERNAL_DB_DATABASE","app")
diff --git a/src/hvac_handler.py b/src/hvac_handler.py
deleted file mode 100644
index 06ddd79..0000000
--- a/src/hvac_handler.py
+++ /dev/null
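Review bot: The secret file paths `/etc/secrets/db_username` and `/etc/secrets/db_password` are hard-coded while the host and database name directly below them come from environment variables, so the mount location cannot be changed without editing code. A single base directory read from the environment would keep the two styles consistent, e.g. `secrets_dir = os.getenv("BACKEND_API_INTERNAL_SECRETS_DIR", "/etc/secrets")` (variable name constructed to follow the existing scheme) and `db_username = return_credentials(os.path.join(secrets_dir, "db_username"))`. The same applies to the `/etc/secrets/rmq_*` paths in the first hunk of src/rabbitmq_handler.py. Note also that `return_credentials` opens the file directly, so a missing mount now raises `FileNotFoundError` during import, whereas the removed `get_secret` printed a message and exited; the failure mode of a misconfigured deployment has changed and may be worth documenting next to these lines.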
@@ -1,44 +0,0 @@
-import hvac
-import base64
-import os
-import time
-import sys
-
-HVAC_AGENT_URL = os.getenv("HVAC_AGENT_URL","http://vault-agent:8201")
-
-MAX_RETRIES = 5
-BACKOFF = 5
-
-def get_client():
- for attempt in range(1, MAX_RETRIES+1):
- try:
- client = hvac.Client(url=HVAC_AGENT_URL)
- if client.is_authenticated():
- return client
- raise Exception("Not authenticated")
- except Exception as e:
- print(f"Vault connection failed (attempt {attempt}/{MAX_RETRIES}): {e}")
- time.sleep(BACKOFF * attempt)
- print("Vault unreachable after retries. Exiting.")
- sys.exit(1)
-
-client = get_client()
-
-def get_secret(path:str, key:str):
- try:
- secret = client.secrets.kv.v2.read_secret_version(
- mount_point="kv",
- path=path
- )
- return secret["data"]["data"][key]
- except Exception as e:
- print(f"Failed to fetch secret '{path}:{key}': {e}")
- sys.exit(1)
-
-def decrypt_token(ciphertext: str) -> str:
- response = client.secrets.transit.decrypt_data(
- name="push-tokens",
- ciphertext=ciphertext
- )
- plaintext_b64 = response["data"]["plaintext"]
- return base64.b64decode(plaintext_b64).decode()
diff --git a/src/rabbitmq_handler.py b/src/rabbitmq_handler.py
index 73a4894..74beca1 100644
--- a/src/rabbitmq_handler.py
+++ b/src/rabbitmq_handler.py
@@ -1,13 +1,17 @@
 import pika
 from typing import Dict
+from secret_handler import return_credentials
 import ssl
-from hvac_handler import get_secret
 import json
 import time
 import sys
+import os
-rmq_username = get_secret("secret/api-internal/rmq", "username")
-rmq_password = get_secret("secret/api-internal/rmq", "password")
+rmq_username = return_credentials("/etc/secrets/rmq_username")
+rmq_password = return_credentials("/etc/secrets/rmq_password")
+rmq_host = os.getenv("BACKEND_API_INTERNAL_RMQ_HOST","localhost")
+rmq_vhost = os.getenv("BACKEND_API_INTERNAL_RMQ_VHOST","app_notifications")
+rmq_exchange = os.getenv("BACKEND_API_INTERNAL_RMQ_EXCHANGE","app_notifications")
 MAX_RETRIES = 5
 RETRY_DELAY = 5
@@ -18,21 +22,21 @@ def send_message_to_rmq(user_id: int, message: Dict):
 context.check_hostname = False
 ssl_options = pika.SSLOptions(context)
 conn_params = pika.ConnectionParameters(
- host="localhost",
+ host=rmq_host,
 port=5671,
 ssl_options=ssl_options,
 credentials=credentials,
- virtual_host="app_notifications"
+ virtual_host=rmq_vhost
 )
 for attempt in range(1, MAX_RETRIES + 1):
 try:
 connection = pika.BlockingConnection(conn_params)
 channel = connection.channel()
- channel.exchange_declare(exchange="app_notifications", exchange_type="topic", durable=True)
+ channel.exchange_declare(exchange=rmq_exchange, exchange_type="topic", durable=True)
 channel.confirm_delivery()
 channel.basic_publish(
- exchange='app_notifications',
+ exchange=rmq_exchange,
 routing_key=f"notify.user.{user_id}",
 body=json.dumps(message),
 properties=pika.BasicProperties(
diff --git a/src/secret_handler.py b/src/secret_handler.py
new file mode 100644
index 0000000..921f45c
--- /dev/null
+++ b/src/secret_handler.py
@@ -0,0 +1,3 @@
+def return_credentials(path: str)->str:
+ with open (path) as file:
+ return file.read()
\ No newline at end of file
-- 
2.43.0
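Review bot: Now that `host=rmq_host` can point at a broker outside the pod instead of the fixed "localhost", the context line `context.check_hostname = False` at the top of this hunk means the TLS handshake never checks that the broker certificate matches the configured host, so the value of `BACKEND_API_INTERNAL_RMQ_HOST` is trusted but not verified. Unless the broker certificate genuinely carries no matching SAN, remove that line (or set `context.check_hostname = True`) and confirm that `verify_mode` on `context` was not relaxed as well; how `context` is built is outside the hunk. The body of send_message_to_rmq starts and ends outside the hunk.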
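Review bot: `file.read()` in the new `return_credentials` returns the secret exactly as stored, so a mounted secret that was created from a file with a trailing newline yields a username or password ending in `\n`, and the missing `encoding=` argument makes decoding depend on the container locale. Suggested body: `with open(path, encoding="utf-8") as fh:` / `return fh.read().rstrip("\n")` — strip only the newline, not other whitespace, so a password with leading or trailing spaces survives unchanged. The function also has no docstring; a one-liner such as `"""Return the contents of the secret file at *path* (a mounted Kubernetes secret)."""` would state the contract. Separately, the deleted src/hvac_handler.py also provided `decrypt_token`, for which this commit adds no replacement; if anything else still imports it, that import will now fail.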