From 9daf283a6ea3625c4eac28179bfaf181101d8082 Mon Sep 17 00:00:00 2001
From: Florian
Date: Wed, 5 Nov 2025 22:32:35 +0100
Subject: [PATCH] Added lib-secret-manager which consumes secrets after application launch
---
 requirements.txt | 1 +
 src/db.py | 2 +-
 src/dockerhub_api.py | 2 +-
 src/github_api.py | 2 +-
 src/main.py | 11 +++++++++++
 src/secret_handler.py | 15 ---------------
 src/send_notification.py | 2 +-
 7 files changed, 16 insertions(+), 19 deletions(-)
 delete mode 100644 src/secret_handler.py
diff --git a/requirements.txt b/requirements.txt
index 2b75b6f..a73ef16 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -6,6 +6,7 @@ click==8.3.0
 fastapi==0.118.2
 h11==0.16.0
 idna==3.10
+lib-secret-manager @ git+https://git.gansejunge.com/notifier/lib-secret-manager.git@main
 lib-uvicorn-config @ git+https://git.gansejunge.com/notifier/lib-uvicorn-config.git@main
 mysql-connector-python==9.4.0
 prometheus_client==0.23.1
diff --git a/src/db.py b/src/db.py
index 11ef0ae..d8aed1e 100644
--- a/src/db.py
+++ b/src/db.py
@@ -1,6 +1,6 @@
 from mysql.connector import pooling, Error
 import threading
-from secret_handler import return_credentials
+from secret_manager import return_credentials
 import os
 import time
 from simple_logger_handler import setup_logger
diff --git a/src/dockerhub_api.py b/src/dockerhub_api.py
index 3b8c4df..872334f 100644
--- a/src/dockerhub_api.py
+++ b/src/dockerhub_api.py
@@ -1,5 +1,5 @@
 import requests
-from secret_handler import return_credentials
+from secret_manager import return_credentials
 from simple_logger_handler import setup_logger
 dockerhub_token = return_credentials("/etc/secrets/dockerhub_token")
diff --git a/src/github_api.py b/src/github_api.py
index 969f2cf..d60d1d1 100644
--- a/src/github_api.py
+++ b/src/github_api.py
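Review bot: The new `lib-secret-manager` requirement points at the mutable `main` branch of a git URL, so the library that reads and then deletes the secrets can change between two installs without any change to this file, and pip's hash checking cannot cover a VCS reference. Pin it to a tag or commit, e.g. `lib-secret-manager @ git+https://git.gansejunge.com/notifier/lib-secret-manager.git@<pinned-commit-sha>` (placeholder), and the same applies to the existing `lib-uvicorn-config` line directly below it.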
@@ -1,5 +1,5 @@
 import requests
-from secret_handler import return_credentials
+from secret_manager import return_credentials
 from simple_logger_handler import setup_logger
 github_token = return_credentials("/etc/secrets/github_token")
diff --git a/src/main.py b/src/main.py
index 8fd4de0..f4d56fa 100644
--- a/src/main.py
+++ b/src/main.py
@@ -10,6 +10,7 @@ from send_notification import send_notification
 from metrics_server import REQUEST_COUNTER
 import asyncio
 from uvicorn_logger_config import LOGGING_CONFIG
+from secret_manager import cleanup_secret_files
 logger = setup_logger(__name__)
@@ -24,6 +25,16 @@ async def lifespan(app: FastAPI):
 start_healthcheck_thread()
 logger.info("[DB] MySQL healthcheck thread started.")
+ SECRET_PATHS = frozenset({
+ "/etc/secrets/api_key",
+ "/etc/secrets/db_username",
+ "/etc/secrets/db_password",
+ "/etc/secrets/dockerhub_token",
+ "/etc/secrets/dockerhub_username",
+ "/etc/secrets/github_token"
+ })
+ cleanup_secret_files(SECRET_PATHS)
+
 yield
 logger.info("[App] Closing MySQL connection pool...")
 close_connection_pool()
diff --git a/src/secret_handler.py b/src/secret_handler.py
deleted file mode 100644
index 4530e7b..0000000
--- a/src/secret_handler.py
+++ /dev/null
@@ -1,15 +0,0 @@
-from simple_logger_handler import setup_logger
-
-logger = setup_logger(__name__)
-
-def return_credentials(path: str)->str:
- logger.debug(f"[Secrets] Opening file:{path}")
- try:
- with open (path) as file:
- return file.read().strip()
- except FileNotFoundError:
- logger.fatal(f"[FATAL] Secret file not found: {path}")
- raise
- except Exception as e:
- logger.fatal(f"[FATAL] Failed to read secret file {path}: {e}")
- raise
diff --git a/src/send_notification.py b/src/send_notification.py
index 6435967..40ee006 100644
--- a/src/send_notification.py
+++ b/src/send_notification.py
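Review bot: `cleanup_secret_files(SECRET_PATHS)` runs during lifespan startup, so any call to `return_credentials()` made after that point fails on a missing file; the two readers visible in this patch (dockerhub_api.py and github_api.py) read at import time and are therefore safe, but db.py and send_notification.py only show the import rename here and it is not visible whether they read at import or lazily. The set is also a hand-maintained copy of the path literals used in each consumer, so a secret added to a consumer but not to this set quietly stays on disk; a module-level `SECRET_PATHS` that the consumers import (the uppercase name already suggests a module constant rather than a local) would keep the two in step. The call site should state its precondition, e.g. `# Precondition: every consumer loaded its secret at import time; the files are gone after this call.` After deletion a restart of the process on the same mount cannot re-read the secrets, so presumably they are re-provisioned per start — confirm. The lifespan function continues outside the hunk.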
@@ -1,7 +1,7 @@
 import requests
 from requests.exceptions import RequestException, Timeout, ConnectionError, HTTPError
 from fastapi import HTTPException
-from secret_handler import return_credentials
+from secret_manager import return_credentials
 import os
 import time
 from simple_logger_handler import setup_logger