GeneralBots/botserver
2
1
Fork 0
Code Issues Pull requests Projects Releases 323 Packages Wiki Activity Actions

fix(bootstrap): Write .env IMMEDIATELY after Vault unseal, re-init SecretsManager

Browse source 
The core issue was that .env was written at the END of setup_vault(),
but other components needed Vault credentials BEFORE that.

Now:
1. Unseal Vault
2. Write .env with VAULT_ADDR and VAULT_TOKEN immediately
3. Re-initialize SecretsManager so it connects to Vault
4. THEN store secrets in Vault

This ensures SecretsManager is properly configured before any
code tries to use create_conn() or other Vault-dependent functions.
This commit is contained in:
Rodrigo Rodriguez (Pragmatismo) 2025-12-09 08:52:19 -03:00
parent 87f4052b82
commit 1e98083d13
1 changed files with 36 additions and 30 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

66
src/core/bootstrap/mod.rs
View file

@ -1229,6 +1229,42 @@ meet IN A 127.0.0.1
// Set VAULT_TOKEN for subsequent commands // Set VAULT_TOKEN for subsequent commands
std::env::set_var("VAULT_TOKEN", &root_token); std::env::set_var("VAULT_TOKEN", &root_token);
// WRITE .env IMMEDIATELY so SecretsManager can work
info!("Writing .env file with Vault configuration...");
let env_content = format!(
r#"# BotServer Environment Configuration
# Generated by bootstrap - DO NOT ADD OTHER SECRETS HERE
# All secrets are stored in Vault at the paths below:
# - gbo/tables - PostgreSQL credentials
# - gbo/drive - MinIO/S3 credentials
# - gbo/cache - Redis credentials
# - gbo/directory - Zitadel credentials
# - gbo/email - Email credentials
# - gbo/llm - LLM API keys
# - gbo/encryption - Encryption keys
# Vault Configuration - THESE ARE THE ONLY ALLOWED ENV VARS
VAULT_ADDR={}
VAULT_TOKEN={}
# Vault uses HTTP for local development (TLS disabled in config.hcl)
# In production, enable TLS and set VAULT_CACERT, VAULT_CLIENT_CERT, VAULT_CLIENT_KEY
# Cache TTL for secrets (seconds)
VAULT_CACHE_TTL=300
"#,
vault_addr, root_token
);
fs::write(&env_file_path, &env_content)?;
info!(" * Created .env file with Vault configuration");
// Re-initialize SecretsManager now that .env exists
info!("Re-initializing SecretsManager with Vault credentials...");
match init_secrets_manager().await {
Ok(_) => info!(" * SecretsManager now connected to Vault"),
Err(e) => warn!("SecretsManager re-init warning: {}", e),
}
// Enable KV secrets engine at gbo/ path // Enable KV secrets engine at gbo/ path
info!("Enabling KV secrets engine..."); info!("Enabling KV secrets engine...");
let _ = std::process::Command::new("sh") let _ = std::process::Command::new("sh")
@ -1313,36 +1349,6 @@ meet IN A 127.0.0.1
.output()?; .output()?;
info!(" Generated and stored encryption key"); info!(" Generated and stored encryption key");
// Write .env file with ONLY Vault variables - NO LEGACY FALLBACK
info!("Writing .env file with Vault configuration...");
let env_content = format!(
r#"# BotServer Environment Configuration
# Generated by bootstrap - DO NOT ADD OTHER SECRETS HERE
# All secrets are stored in Vault at the paths below:
# - gbo/tables - PostgreSQL credentials
# - gbo/drive - MinIO/S3 credentials
# - gbo/cache - Redis credentials
# - gbo/directory - Zitadel credentials
# - gbo/email - Email credentials
# - gbo/llm - LLM API keys
# - gbo/encryption - Encryption keys
# Vault Configuration - THESE ARE THE ONLY ALLOWED ENV VARS
VAULT_ADDR={}
VAULT_TOKEN={}
# Vault uses HTTP for local development (TLS disabled in config.hcl)
# In production, enable TLS and set VAULT_CACERT, VAULT_CLIENT_CERT, VAULT_CLIENT_KEY
# Cache TTL for secrets (seconds)
VAULT_CACHE_TTL=300
"#,
vault_addr, root_token
);
fs::write(&env_file_path, env_content)?;
info!(" Created .env file with Vault configuration");
info!("Vault setup complete!"); info!("Vault setup complete!");
info!(" Vault UI: {}/ui", vault_addr); info!(" Vault UI: {}/ui", vault_addr);
info!(" Root token saved to: {}", vault_init_path.display()); info!(" Root token saved to: {}", vault_init_path.display());