Added lib-secret-manager which consumes secrets after application launch

requirements.txt

@@ -6,6 +6,7 @@ click==8.3.0
 fastapi==0.118.2
 h11==0.16.0
 idna==3.10
+lib-secret-manager @ git+https://git.gansejunge.com/notifier/lib-secret-manager.git@main
 lib-uvicorn-config @ git+https://git.gansejunge.com/notifier/lib-uvicorn-config.git@main
 mysql-connector-python==9.4.0
 prometheus_client==0.23.1

src/db.py

@@ -1,6 +1,6 @@
 from mysql.connector import pooling, Error
 import threading
-from secret_handler import return_credentials
+from secret_manager import return_credentials
 import os
 import time
 from simple_logger_handler import setup_logger

src/dockerhub_api.py

@@ -1,5 +1,5 @@
 import requests
-from secret_handler import return_credentials
+from secret_manager import return_credentials
 from simple_logger_handler import setup_logger
 
 dockerhub_token = return_credentials("/etc/secrets/dockerhub_token")

src/github_api.py

@@ -1,5 +1,5 @@
 import requests
-from secret_handler import return_credentials
+from secret_manager import return_credentials
 from simple_logger_handler import setup_logger
 
 github_token = return_credentials("/etc/secrets/github_token")

src/main.py

@@ -10,6 +10,7 @@ from send_notification import send_notification
 from metrics_server import REQUEST_COUNTER
 import asyncio
 from uvicorn_logger_config import LOGGING_CONFIG
+from secret_manager import cleanup_secret_files
 
 logger = setup_logger(__name__)
 
@@ -24,6 +25,16 @@ async def lifespan(app: FastAPI):
 	start_healthcheck_thread()
 	logger.info("[DB] MySQL healthcheck thread started.")
 
+	SECRET_PATHS = frozenset({
+		"/etc/secrets/api_key",
+		"/etc/secrets/db_username",
+		"/etc/secrets/db_password",
+		"/etc/secrets/dockerhub_token",
+		"/etc/secrets/dockerhub_username",
+		"/etc/secrets/github_token"
+	})
+	cleanup_secret_files(SECRET_PATHS)
+
 	yield
 	logger.info("[App] Closing MySQL connection pool...")
 	close_connection_pool()

src/secret_handler.py

@@ -1,15 +0,0 @@
-from simple_logger_handler import setup_logger
-
-logger = setup_logger(__name__)
-
-def return_credentials(path: str)->str:
-	logger.debug(f"[Secrets] Opening file:{path}")
-	try:
-		with open (path) as file:
-			return file.read().strip()
-	except FileNotFoundError:
-		logger.fatal(f"[FATAL] Secret file not found: {path}")
-		raise
-	except Exception as e:
-		logger.fatal(f"[FATAL] Failed to read secret file {path}: {e}")
-		raise

src/send_notification.py

@@ -1,7 +1,7 @@
 import requests
 from requests.exceptions import RequestException, Timeout, ConnectionError, HTTPError
 from fastapi import HTTPException
-from secret_handler import return_credentials
+from secret_manager import return_credentials
 import os
 import time
 from simple_logger_handler import setup_logger