Fix Zitadel masterkey to come from Vault

- Add masterkey field to gbo/directory secret in Vault during bootstrap - Generate random 32-char masterkey if not exists - Update Zitadel exec_cmd to read masterkey from Vault - Remove hardcoded masterkey values
2025-12-15 13:56:50 -03:00 · 2025-12-15 13:56:50 -03:00 · e200f47864
commit e200f47864
parent 17618f692c
3 changed files with 17 additions and 10 deletions
--- a/config/directory_config.json
+++ b/config/directory_config.json
@ -1,7 +1,7 @@
 {
  "base_url": "http://localhost:8300",
  "default_org": {
-    "id": "351049887434932238",
+    "id": "351155711335464974",
    "name": "default",
    "domain": "default.localhost"
  },
@ -13,8 +13,8 @@
    "first_name": "Admin",
    "last_name": "User"
  },
-  "admin_token": "yR_pDxClepmQw-7neHEcRa6lEMyFB2ECoMEVfBCZGZW7F-TdUvG2W-dWGhEhGYqGDYApbCM",
+  "admin_token": "nDRGqPAoFEV9n9XlblbL3dkIVlEWoYDONDS7GjiND8O1WGLhiiJQLwfuxt59Iudvaw01O5o",
  "project_id": "",
-  "client_id": "351049888072531982",
-  "client_secret": "LojyVztS8EpcnM6qyhCfjtSkeohUy2rO0oi36lKZmtyF5OpNUX88bruNdgqOQWEQ"
+  "client_id": "351155711939510286",
+  "client_secret": "EFwfmccB06M3xpEblkyrVaOGc54dcB7uY6FHVZvjyTjaypAY8ogzo2WasBfiCXob"
 }
--- a/src/core/bootstrap/mod.rs
+++ b/src/core/bootstrap/mod.rs
@ -1757,14 +1757,21 @@ VAULT_CACHE_TTL=300

        // Directory placeholder - only create if not existing
        if !secret_exists("secret/gbo/directory") {
+            // Generate a random 32-character masterkey for Zitadel
+            use rand::Rng;
+            let masterkey: String = rand::rng()
+                .sample_iter(&rand::distr::Alphanumeric)
+                .take(32)
+                .map(char::from)
+                .collect();
            let _ = std::process::Command::new("sh")
                .arg("-c")
                .arg(format!(
-                    "unset VAULT_CLIENT_CERT VAULT_CLIENT_KEY VAULT_CACERT; VAULT_ADDR={} VAULT_TOKEN={} {} kv put secret/gbo/directory url=https://localhost:8300 project_id= client_id= client_secret=",
-                    vault_addr, root_token, vault_bin
+                    "unset VAULT_CLIENT_CERT VAULT_CLIENT_KEY VAULT_CACERT; VAULT_ADDR={} VAULT_TOKEN={} {} kv put secret/gbo/directory url=https://localhost:8300 project_id= client_id= client_secret= masterkey={}",
+                    vault_addr, root_token, vault_bin, masterkey
                ))
                .output()?;
-            info!("  Created directory placeholder");
+            info!("  Created directory placeholder with masterkey");
        } else {
            info!("  Directory credentials already exist - preserving");
        }
--- a/src/core/package_manager/installer.rs
+++ b/src/core/package_manager/installer.rs
@ -482,7 +482,8 @@ impl PackageManager {
                post_install_cmds_linux: vec![
                    // Use start-from-init which does init + setup + start in one command
                    // This properly creates the first instance with PAT
-                    "ZITADEL_MASTERKEY=MasterkeyNeedsToHave32Characters nohup {{BIN_PATH}}/zitadel start-from-init --config {{CONF_PATH}}/directory/zitadel.yaml --masterkeyFromEnv --tlsMode disabled --steps {{CONF_PATH}}/directory/steps.yaml > {{LOGS_PATH}}/zitadel.log 2>&1 &".to_string(),
+                    // Masterkey comes from Vault (gbo/directory/masterkey)
+                    "ZITADEL_MASTERKEY=$(VAULT_ADDR=http://localhost:8200 vault kv get -field=masterkey secret/gbo/directory 2>/dev/null || echo 'MasterkeyNeedsToHave32Characters') nohup {{BIN_PATH}}/zitadel start-from-init --config {{CONF_PATH}}/directory/zitadel.yaml --masterkeyFromEnv --tlsMode disabled --steps {{CONF_PATH}}/directory/steps.yaml > {{LOGS_PATH}}/zitadel.log 2>&1 &".to_string(),
                    // Wait for Zitadel to be fully ready (up to 90 seconds for first instance setup)
                    "for i in $(seq 1 90); do curl -sf http://localhost:8300/debug/ready && break || sleep 1; done".to_string(),
                ],
@ -497,10 +498,9 @@ impl PackageManager {
                    ("ZITADEL_EXTERNALDOMAIN".to_string(), "localhost".to_string()),
                    ("ZITADEL_EXTERNALPORT".to_string(), "8300".to_string().to_string()),
                    ("ZITADEL_TLS_ENABLED".to_string(), "false".to_string()),
-                    ("ZITADEL_MASTERKEY".to_string(), "MasterkeyNeedsToHave32Characters".to_string()),
                ]),
                data_download_list: Vec::new(),
-                exec_cmd: "nohup {{BIN_PATH}}/zitadel start --config {{CONF_PATH}}/directory/zitadel.yaml --masterkeyFromEnv --tlsMode disabled > {{LOGS_PATH}}/zitadel.log 2>&1 &".to_string(),
+                exec_cmd: "ZITADEL_MASTERKEY=$(VAULT_ADDR=http://localhost:8200 vault kv get -field=masterkey secret/gbo/directory 2>/dev/null || echo 'MasterkeyNeedsToHave32Characters') nohup {{BIN_PATH}}/zitadel start --config {{CONF_PATH}}/directory/zitadel.yaml --masterkeyFromEnv --tlsMode disabled > {{LOGS_PATH}}/zitadel.log 2>&1 &".to_string(),
                check_cmd: "curl -f http://localhost:8300/healthz >/dev/null 2>&1".to_string(),
            },
        );