From e200f47864a99f94b80eeeb265de517f06743f1b Mon Sep 17 00:00:00 2001
From: "Rodrigo Rodriguez (Pragmatismo)"
Date: Mon, 15 Dec 2025 13:56:50 -0300
Subject: [PATCH] Fix Zitadel masterkey to come from Vault

- Add masterkey field to gbo/directory secret in Vault during bootstrap
- Generate random 32-char masterkey if not exists
- Update Zitadel exec_cmd to read masterkey from Vault
- Remove hardcoded masterkey values
---
 config/directory_config.json | 8 ++++----
 src/core/bootstrap/mod.rs | 13 ++++++++++---
 src/core/package_manager/installer.rs | 6 +++---
 3 files changed, 17 insertions(+), 10 deletions(-)

diff --git a/config/directory_config.json b/config/directory_config.json
index c4c713d3..d2c8d8c9 100644
--- a/config/directory_config.json
+++ b/config/directory_config.json
@@ -1,7 +1,7 @@
 {
 "base_url": "http://localhost:8300",
 "default_org": {
- "id": "351049887434932238",
+ "id": "351155711335464974",
 "name": "default",
 "domain": "default.localhost"
 },
@@ -13,8 +13,8 @@
 "first_name": "Admin",
 "last_name": "User"
 },
- "admin_token": "yR_pDxClepmQw-7neHEcRa6lEMyFB2ECoMEVfBCZGZW7F-TdUvG2W-dWGhEhGYqGDYApbCM",
+ "admin_token": "nDRGqPAoFEV9n9XlblbL3dkIVlEWoYDONDS7GjiND8O1WGLhiiJQLwfuxt59Iudvaw01O5o",
 "project_id": "",
- "client_id": "351049888072531982",
- "client_secret": "LojyVztS8EpcnM6qyhCfjtSkeohUy2rO0oi36lKZmtyF5OpNUX88bruNdgqOQWEQ"
+ "client_id": "351155711939510286",
+ "client_secret": "EFwfmccB06M3xpEblkyrVaOGc54dcB7uY6FHVZvjyTjaypAY8ogzo2WasBfiCXob"
 }
\ No newline at end of file
diff --git a/src/core/bootstrap/mod.rs b/src/core/bootstrap/mod.rs
index c79fd98f..c2f9e705 100644
--- a/src/core/bootstrap/mod.rs
+++ b/src/core/bootstrap/mod.rs
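Review bot: The rotated `admin_token` and `client_secret` on the `+` lines are live Zitadel credentials committed in plaintext to `config/directory_config.json`, and the values they replace remain recoverable from history; this commit moves only the masterkey into Vault. The bootstrap hunk in this same patch already creates `secret/gbo/directory` with empty `project_id`/`client_id`/`client_secret` fields, which look like the intended home for these values, leaving the config file with only the non-secret `base_url` and org data. Treat both the old and the new token/secret as exposed and rotate them once they are out of the repository; an ignored local file plus a committed example config with empty fields would keep this from recurring.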
@@ -1757,14 +1757,21 @@ VAULT_CACHE_TTL=300
 
 // Directory placeholder - only create if not existing
 if !secret_exists("secret/gbo/directory") {
+ // Generate a random 32-character masterkey for Zitadel
+ use rand::Rng;
+ let masterkey: String = rand::rng()
+ .sample_iter(&rand::distr::Alphanumeric)
+ .take(32)
+ .map(char::from)
+ .collect();
 let _ = std::process::Command::new("sh")
 .arg("-c")
 .arg(format!(
- "unset VAULT_CLIENT_CERT VAULT_CLIENT_KEY VAULT_CACERT; VAULT_ADDR={} VAULT_TOKEN={} {} kv put secret/gbo/directory url=https://localhost:8300 project_id= client_id= client_secret=",
- vault_addr, root_token, vault_bin
+ "unset VAULT_CLIENT_CERT VAULT_CLIENT_KEY VAULT_CACERT; VAULT_ADDR={} VAULT_TOKEN={} {} kv put secret/gbo/directory url=https://localhost:8300 project_id= client_id= client_secret= masterkey={}",
+ vault_addr, root_token, vault_bin, masterkey
 ))
 .output()?;
- info!(" Created directory placeholder");
+ info!(" Created directory placeholder with masterkey");
 } else {
 info!(" Directory credentials already exist - preserving");
 }
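Review bot: `let _ =` on the `std::process::Command::new("sh")` line discards the exit status of `vault kv put`, so when the write fails the freshly generated masterkey is lost (it exists only in the local `masterkey` variable) while the log still reports `Created directory placeholder with masterkey`; on the next boot `secret_exists` is false again and a different key is generated, and any Zitadel instance already initialized under the first key can no longer decrypt its data. Bind the result and check it — `let out = std::process::Command::new("sh")` … `.output()?;` followed by `if !out.status.success() { return Err(/* include String::from_utf8_lossy(&out.stderr) */) }` — with the exact `Err` form depending on the function's error type, which, like the rest of the enclosing function, lies outside the hunk. Separately, `masterkey` and `root_token` are interpolated into the `sh -c` argument string, so both are visible in the process list for as long as the command runs; `vault kv put` reads its key/value data from stdin when the data argument is `-`, which would keep them out of argv. The `rand::rng()` alphanumeric 32-character key itself satisfies Zitadel's 32-byte length requirement.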
@@ -482,7 +482,8 @@ impl PackageManager {
 post_install_cmds_linux: vec![
 // Use start-from-init which does init + setup + start in one command
 // This properly creates the first instance with PAT
- "ZITADEL_MASTERKEY=MasterkeyNeedsToHave32Characters nohup {{BIN_PATH}}/zitadel start-from-init --config {{CONF_PATH}}/directory/zitadel.yaml --masterkeyFromEnv --tlsMode disabled --steps {{CONF_PATH}}/directory/steps.yaml > {{LOGS_PATH}}/zitadel.log 2>&1 &".to_string(),
+ // Masterkey comes from Vault (gbo/directory/masterkey)
+ "ZITADEL_MASTERKEY=$(VAULT_ADDR=http://localhost:8200 vault kv get -field=masterkey secret/gbo/directory 2>/dev/null || echo 'MasterkeyNeedsToHave32Characters') nohup {{BIN_PATH}}/zitadel start-from-init --config {{CONF_PATH}}/directory/zitadel.yaml --masterkeyFromEnv --tlsMode disabled --steps {{CONF_PATH}}/directory/steps.yaml > {{LOGS_PATH}}/zitadel.log 2>&1 &".to_string(),
 // Wait for Zitadel to be fully ready (up to 90 seconds for first instance setup)
 "for i in $(seq 1 90); do curl -sf http://localhost:8300/debug/ready && break || sleep 1; done".to_string(),
 ],
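Review bot: The `|| echo 'MasterkeyNeedsToHave32Characters'` fallback on the new `ZITADEL_MASTERKEY=$(...)` line (and the identical construct in `exec_cmd` in the `@@ -497,10 +498,9 @@` hunk) keeps the hardcoded key this commit says it removes, and because `2>/dev/null` hides why `vault kv get` failed (Vault down, no token, missing field), a first `start-from-init` that falls back silently initializes Zitadel's encryption keys under a publicly known value. It is also a consistency trap: `start-from-init` may run under the fallback and a later `start` read the real key from Vault (or the reverse), after which Zitadel cannot decrypt what it stored. Fail the step rather than substitute, e.g. `ZITADEL_MASTERKEY=$(VAULT_ADDR=http://localhost:8200 vault kv get -field=masterkey secret/gbo/directory) || exit 1; export ZITADEL_MASTERKEY; nohup {{BIN_PATH}}/zitadel start-from-init ...` (assuming the command runner surfaces a non-zero exit), so a missing key is a visible failure instead of a weak install. This `vault kv get` also runs without the `VAULT_TOKEN` and cert-variable handling that the bootstrap's `kv put` sets up, so which credential it authenticates with (presumably `~/.vault-token` or an inherited env) is not evident from the hunk and is worth stating in the `// Masterkey comes from Vault` comment.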
@@ -497,10 +498,9 @@ impl PackageManager {
 ("ZITADEL_EXTERNALDOMAIN".to_string(), "localhost".to_string()),
 ("ZITADEL_EXTERNALPORT".to_string(), "8300".to_string().to_string()),
 ("ZITADEL_TLS_ENABLED".to_string(), "false".to_string()),
- ("ZITADEL_MASTERKEY".to_string(), "MasterkeyNeedsToHave32Characters".to_string()),
 ]),
 data_download_list: Vec::new(),
- exec_cmd: "nohup {{BIN_PATH}}/zitadel start --config {{CONF_PATH}}/directory/zitadel.yaml --masterkeyFromEnv --tlsMode disabled > {{LOGS_PATH}}/zitadel.log 2>&1 &".to_string(),
+ exec_cmd: "ZITADEL_MASTERKEY=$(VAULT_ADDR=http://localhost:8200 vault kv get -field=masterkey secret/gbo/directory 2>/dev/null || echo 'MasterkeyNeedsToHave32Characters') nohup {{BIN_PATH}}/zitadel start --config {{CONF_PATH}}/directory/zitadel.yaml --masterkeyFromEnv --tlsMode disabled > {{LOGS_PATH}}/zitadel.log 2>&1 &".to_string(),
 check_cmd: "curl -f http://localhost:8300/healthz >/dev/null 2>&1".to_string(),
 },
 );