fix(bootstrap): Write .env IMMEDIATELY after Vault unseal, re-init SecretsManager
The core issue was that .env was written at the END of setup_vault(), but other components needed the Vault credentials BEFORE that point. The new order is: 1. Unseal Vault. 2. Write .env with VAULT_ADDR and VAULT_TOKEN immediately. 3. Re-initialize SecretsManager so it connects to Vault. 4. THEN store the service secrets in Vault. This ensures SecretsManager is configured before any code calls create_conn() or other Vault-dependent functions.
parent
87f4052b82
commit
1e98083d13
1 changed files with 36 additions and 30 deletions
|
|
@ -1229,6 +1229,42 @@ meet IN A 127.0.0.1
|
|||
// Set VAULT_TOKEN for subsequent commands
|
||||
std::env::set_var("VAULT_TOKEN", &root_token);
|
||||
|
||||
// WRITE .env IMMEDIATELY so SecretsManager can work
|
||||
info!("Writing .env file with Vault configuration...");
|
||||
let env_content = format!(
|
||||
r#"# BotServer Environment Configuration
|
||||
# Generated by bootstrap - DO NOT ADD OTHER SECRETS HERE
|
||||
# All secrets are stored in Vault at the paths below:
|
||||
# - gbo/tables - PostgreSQL credentials
|
||||
# - gbo/drive - MinIO/S3 credentials
|
||||
# - gbo/cache - Redis credentials
|
||||
# - gbo/directory - Zitadel credentials
|
||||
# - gbo/email - Email credentials
|
||||
# - gbo/llm - LLM API keys
|
||||
# - gbo/encryption - Encryption keys
|
||||
|
||||
# Vault Configuration - THESE ARE THE ONLY ALLOWED ENV VARS
|
||||
VAULT_ADDR={}
|
||||
VAULT_TOKEN={}
|
||||
|
||||
# Vault uses HTTP for local development (TLS disabled in config.hcl)
|
||||
# In production, enable TLS and set VAULT_CACERT, VAULT_CLIENT_CERT, VAULT_CLIENT_KEY
|
||||
|
||||
# Cache TTL for secrets (seconds)
|
||||
VAULT_CACHE_TTL=300
|
||||
"#,
|
||||
vault_addr, root_token
|
||||
);
|
||||
fs::write(&env_file_path, &env_content)?;
|
||||
info!(" * Created .env file with Vault configuration");
|
||||
|
||||
// Re-initialize SecretsManager now that .env exists
|
||||
info!("Re-initializing SecretsManager with Vault credentials...");
|
||||
match init_secrets_manager().await {
|
||||
Ok(_) => info!(" * SecretsManager now connected to Vault"),
|
||||
Err(e) => warn!("SecretsManager re-init warning: {}", e),
|
||||
}
|
||||
|
||||
// Enable KV secrets engine at gbo/ path
|
||||
info!("Enabling KV secrets engine...");
|
||||
let _ = std::process::Command::new("sh")
|
||||
|
|
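Review bot: `fs::write(&env_file_path, &env_content)?` persists the Vault root token with whatever mode the process umask yields (typically 0644), so any local user on the host can read it; the file should be created with an explicit 0600 mode, and since a policy-scoped token would limit the blast radius of a leak, the root token's presence in .env deserves at least a `// TODO: replace root token with a scoped token` note. The `Err(e) => warn!(...)` arm after `init_secrets_manager().await` also undercuts the commit's own rationale: if SecretsManager must be connected before later Vault-dependent code runs, a failed re-init should abort setup rather than log and continue, e.g. `init_secrets_manager().await?;` (adapt to the function's error type, which is not visible here). The rewrite below assumes a Unix target, which the `sh` invocations elsewhere in the hunk suggest. setup_vault() begins and ends outside this hunk, and the `Command::new("sh")` chain at the hunk's end is cut off.
```rust
// … unchanged: env_content construction …
{
    use std::io::Write;
    use std::os::unix::fs::OpenOptionsExt;
    // Set 0600 at creation time rather than chmod afterwards: the file
    // holds the Vault root token, so there must be no window where it is
    // readable by other local users.
    let mut env_file = fs::OpenOptions::new()
        .write(true)
        .create(true)
        .truncate(true)
        .mode(0o600)
        .open(&env_file_path)?;
    env_file.write_all(env_content.as_bytes())?;
}
info!(" * Created .env file with Vault configuration");

// Re-initialize SecretsManager now that .env exists. A failure here means
// every later Vault-dependent step would run unconfigured, so stop now.
info!("Re-initializing SecretsManager with Vault credentials...");
init_secrets_manager().await?;
info!(" * SecretsManager now connected to Vault");
// … unchanged: KV engine enablement …
```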
@ -1313,36 +1349,6 @@ meet IN A 127.0.0.1
|
|||
.output()?;
|
||||
info!(" Generated and stored encryption key");
|
||||
|
||||
// Write .env file with ONLY Vault variables - NO LEGACY FALLBACK
|
||||
info!("Writing .env file with Vault configuration...");
|
||||
let env_content = format!(
|
||||
r#"# BotServer Environment Configuration
|
||||
# Generated by bootstrap - DO NOT ADD OTHER SECRETS HERE
|
||||
# All secrets are stored in Vault at the paths below:
|
||||
# - gbo/tables - PostgreSQL credentials
|
||||
# - gbo/drive - MinIO/S3 credentials
|
||||
# - gbo/cache - Redis credentials
|
||||
# - gbo/directory - Zitadel credentials
|
||||
# - gbo/email - Email credentials
|
||||
# - gbo/llm - LLM API keys
|
||||
# - gbo/encryption - Encryption keys
|
||||
|
||||
# Vault Configuration - THESE ARE THE ONLY ALLOWED ENV VARS
|
||||
VAULT_ADDR={}
|
||||
VAULT_TOKEN={}
|
||||
|
||||
# Vault uses HTTP for local development (TLS disabled in config.hcl)
|
||||
# In production, enable TLS and set VAULT_CACERT, VAULT_CLIENT_CERT, VAULT_CLIENT_KEY
|
||||
|
||||
# Cache TTL for secrets (seconds)
|
||||
VAULT_CACHE_TTL=300
|
||||
"#,
|
||||
vault_addr, root_token
|
||||
);
|
||||
|
||||
fs::write(&env_file_path, env_content)?;
|
||||
info!(" Created .env file with Vault configuration");
|
||||
|
||||
info!("Vault setup complete!");
|
||||
info!(" Vault UI: {}/ui", vault_addr);
|
||||
info!(" Root token saved to: {}", vault_init_path.display());
|
||||
|
|
|
|||