Wire Infisical secret injection for RUNPOD_API_KEY

- Add Python entrypoint.sh to fetch secrets from Infisical at container startup
- Remove hardcoded API key fallback from server.py
- Replace RUNPOD_API_KEY env var with INFISICAL_* vars in docker-compose

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Dockerfile

@@ -27,6 +27,10 @@ RUN pip install --no-cache-dir /wheels/* && rm -rf /wheels
 # Copy application code
 COPY server.py .
 
+# Copy Infisical entrypoint
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+
 # Set ownership
 RUN chown -R appuser:appuser /app
 
@@ -45,4 +49,5 @@ HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
     CMD python -c "import urllib.request; urllib.request.urlopen('http://localhost:8080/api/health')" || exit 1
 
 # Run the application
+ENTRYPOINT ["/entrypoint.sh"]
 CMD ["python", "-m", "uvicorn", "server:app", "--host", "0.0.0.0", "--port", "8080"]

docker-compose.yml

@@ -7,8 +7,10 @@ services:
     container_name: ai-orchestrator
     restart: unless-stopped
     environment:
-      - RUNPOD_API_KEY=${RUNPOD_API_KEY}
       - OLLAMA_HOST=http://ollama:11434
+      - INFISICAL_CLIENT_ID=${INFISICAL_CLIENT_ID}
+      - INFISICAL_CLIENT_SECRET=${INFISICAL_CLIENT_SECRET}
+      - INFISICAL_PROJECT_SLUG=ai-orchestrator
     depends_on:
       ollama:
         condition: service_started

entrypoint.sh

@@ -0,0 +1,67 @@
+#!/bin/sh
+# Infisical secret injection entrypoint (Python)
+# Fetches secrets from Infisical API and injects them as env vars before starting the app.
+# Required env vars: INFISICAL_CLIENT_ID, INFISICAL_CLIENT_SECRET
+# Optional: INFISICAL_PROJECT_SLUG, INFISICAL_ENV (default: prod),
+#           INFISICAL_URL (default: http://infisical:8080)
+
+set -e
+
+export INFISICAL_URL="${INFISICAL_URL:-http://infisical:8080}"
+export INFISICAL_ENV="${INFISICAL_ENV:-prod}"
+# IMPORTANT: Set INFISICAL_PROJECT_SLUG in your docker-compose.yml
+export INFISICAL_PROJECT_SLUG="${INFISICAL_PROJECT_SLUG:?INFISICAL_PROJECT_SLUG must be set}"
+
+if [ -z "$INFISICAL_CLIENT_ID" ] || [ -z "$INFISICAL_CLIENT_SECRET" ]; then
+  echo "[infisical] No credentials set, starting without secret injection"
+  exec "$@"
+fi
+
+echo "[infisical] Fetching secrets from ${INFISICAL_PROJECT_SLUG}/${INFISICAL_ENV}..."
+
+EXPORTS=$(python3 -c "
+import urllib.request, json, os, sys
+
+base = os.environ['INFISICAL_URL']
+slug = os.environ['INFISICAL_PROJECT_SLUG']
+env = os.environ['INFISICAL_ENV']
+
+try:
+    data = json.dumps({'clientId': os.environ['INFISICAL_CLIENT_ID'], 'clientSecret': os.environ['INFISICAL_CLIENT_SECRET']}).encode()
+    req = urllib.request.Request(f'{base}/api/v1/auth/universal-auth/login', data=data, headers={'Content-Type': 'application/json'})
+    auth = json.loads(urllib.request.urlopen(req).read())
+    token = auth.get('accessToken')
+    if not token:
+        print('[infisical] Auth failed', file=sys.stderr)
+        sys.exit(1)
+
+    req = urllib.request.Request(f'{base}/api/v3/secrets/raw?workspaceSlug={slug}&environment={env}&secretPath=/&recursive=true')
+    req.add_header('Authorization', f'Bearer {token}')
+    secrets = json.loads(urllib.request.urlopen(req).read())
+
+    if 'secrets' not in secrets:
+        print('[infisical] No secrets returned', file=sys.stderr)
+        sys.exit(1)
+
+    for s in secrets['secrets']:
+        key = s['secretKey']
+        val = s['secretValue'].replace(\"'\", \"'\\\\'\")
+        print(f\"export {key}='{val}'\")
+except Exception as e:
+    print(f'[infisical] Error: {e}', file=sys.stderr)
+    sys.exit(1)
+" 2>&1) || {
+  echo "[infisical] WARNING: Failed to fetch secrets, starting with existing env vars"
+  exec "$@"
+}
+
+if echo "$EXPORTS" | grep -q "^export "; then
+  COUNT=$(echo "$EXPORTS" | grep -c "^export ")
+  eval "$EXPORTS"
+  echo "[infisical] Injected ${COUNT} secrets"
+else
+  echo "[infisical] WARNING: $EXPORTS"
+  echo "[infisical] Starting with existing env vars"
+fi
+
+exec "$@"

server.py

@@ -20,7 +20,7 @@ from typing import Optional, List, Dict, Any, Literal
 from enum import Enum
 
 # Config
-RUNPOD_API_KEY = os.getenv("RUNPOD_API_KEY", "rpa_YYOARL5MEBTTKKWGABRKTW2CVHQYRBTOBZNSGIL3lwwfdz")
+RUNPOD_API_KEY = os.getenv("RUNPOD_API_KEY", "")
 RUNPOD_API_BASE = "https://api.runpod.ai/v2"
 OLLAMA_HOST = os.getenv("OLLAMA_HOST", "http://localhost:11434")