Removed HVAC handler and changed deployment to Kubernetes

2025-10-07 20:43:06 +02:00 · 2025-10-07 20:43:06 +02:00 · fc878e9d8f
commit fc878e9d8f
parent ea1615995d
6 changed files with 24 additions and 56 deletions
--- a/2
+++ b/2
@ -8,6 +8,6 @@ WORKDIR /app

 COPY src/ /app/

-ENTRYPOINT ["sh", "-c", "sleep 10 && python main.py"]
+ENTRYPOINT ["python","main.py"]


--- a/requirements.txt
+++ b/requirements.txt
@ -2,22 +2,18 @@ annotated-types==0.7.0
 anyio==4.11.0
 argon2-cffi==25.1.0
 argon2-cffi-bindings==25.1.0
-certifi==2025.8.3
 cffi==2.0.0
-charset-normalizer==3.4.3
 click==8.3.0
+cryptography==46.0.2
 fastapi==0.118.0
 h11==0.16.0
-hvac==2.3.0
 idna==3.10
 mysql-connector-python==9.4.0
 pycparser==2.23
-pydantic==2.11.9
-pydantic_core==2.33.2
-requests==2.32.5
+pydantic==2.12.0
+pydantic_core==2.41.1
 sniffio==1.3.1
 starlette==0.48.0
 typing-inspection==0.4.2
 typing_extensions==4.15.0
-urllib3==2.5.0
 uvicorn==0.37.0
--- a/src/db.py
+++ b/src/db.py
@ -1,14 +1,13 @@
 import mysql.connector
-from mysql.connector import pooling
 import threading
-from hvac_handler import get_secret
+from secret_handler import return_credentials
 import os
 import time
 import sys


-db_username = get_secret("secret/api/db", "username")
-db_password = get_secret("secret/api/db", "password")
+db_username = return_credentials("/etc/secrets/db_username")
+db_password = return_credentials("/etc/secrets/db_password")
 db_host = os.getenv("BACKEND_API_DB_HOST","localhost")
 db_database = os.getenv("BACKEND_API_DB_DATABASE","app")

--- a/src/hvac_handler.py
+++ b/src/hvac_handler.py
@ -1,43 +0,0 @@
-import hvac
-import base64
-import os
-import time
-import sys
-
-HVAC_AGENT_URL = os.getenv("HVAC_AGENT_URL","http://vault-agent:8201")
-
-MAX_RETRIES = 5
-BACKOFF = 5
-
-def get_client():
-	for attempt in range(1, MAX_RETRIES+1):
-		try:
-			client = hvac.Client(url=HVAC_AGENT_URL)
-			if client.is_authenticated():
-				return client
-			raise Exception("Not authenticated")
-		except Exception as e:
-			print(f"Vault connection failed (attempt {attempt}/{MAX_RETRIES}): {e}")
-			time.sleep(BACKOFF * attempt)
-	print("Vault unreachable after retries. Exiting.")
-	sys.exit(1)
-
-client = get_client()
-
-def get_secret(path:str, key:str):
-	try:
-		secret = client.secrets.kv.v2.read_secret_version(
-			mount_point="kv",
-			path=path
-		)
-		return secret["data"]["data"][key]
-	except Exception as e:
-		print(f"Failed to fetch secret '{path}:{key}': {e}")
-		sys.exit(1)
-
-def encrypt_token(token: str) -> str:
-	response = client.secrets.transit.encrypt_data(
-		name='push-tokens',
-		plaintext=base64.b64encode(token.encode()).decode()
-	)
-	return response['data']['ciphertext']
--- a/src/main.py
+++ b/src/main.py
@ -5,7 +5,7 @@ from starlette.exceptions import HTTPException as StarletteHTTPException
 from typing import Optional,List
 from pydantic import BaseModel
 from validator import is_valid_platform,is_valid_token,verify_api_key
-from hvac_handler import encrypt_token
+from secret_handler import encrypt_token
 from db import get_db
 from logger_handler import setup_logger
 import uuid
--- a/src/secret_handler.py
+++ b/src/secret_handler.py
@ -0,0 +1,16 @@
+from cryptography.fernet import Fernet
+
+with open("/etc/secrets/encryption_key","rb") as file:
+		  encryption_key = file.read()
+
+fernet = Fernet(encryption_key)
+
+def  encrypt_token(token:str)->str:
+	return fernet.encrypt(token.encode()).decode()
+
+def decrypt_token(token:str)->str:
+	return fernet.decrypt(token.encode()).decode()
+		  
+def return_credentials(path: str)->str:
+	with open (path) as file:
+	    return file.read()