diff --git a/Dockerfile b/Dockerfile index 44d0815..cd1522e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -27,6 +27,10 @@ RUN pip install --no-cache-dir /wheels/* && rm -rf /wheels # Copy application code COPY server.py . +# Copy Infisical entrypoint +COPY entrypoint.sh /entrypoint.sh +RUN chmod +x /entrypoint.sh + # Set ownership RUN chown -R appuser:appuser /app @@ -45,4 +49,5 @@ HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \ CMD python -c "import urllib.request; urllib.request.urlopen('http://localhost:8080/api/health')" || exit 1 # Run the application +ENTRYPOINT ["/entrypoint.sh"] CMD ["python", "-m", "uvicorn", "server:app", "--host", "0.0.0.0", "--port", "8080"] diff --git a/docker-compose.yml b/docker-compose.yml index 8024238..77987e1 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -7,8 +7,10 @@ services: container_name: ai-orchestrator restart: unless-stopped environment: - - RUNPOD_API_KEY=${RUNPOD_API_KEY} - OLLAMA_HOST=http://ollama:11434 + - INFISICAL_CLIENT_ID=${INFISICAL_CLIENT_ID} + - INFISICAL_CLIENT_SECRET=${INFISICAL_CLIENT_SECRET} + - INFISICAL_PROJECT_SLUG=ai-orchestrator depends_on: ollama: condition: service_started diff --git a/entrypoint.sh b/entrypoint.sh new file mode 100755 index 0000000..cdc7822 --- /dev/null +++ b/entrypoint.sh @@ -0,0 +1,67 @@ +#!/bin/sh +# Infisical secret injection entrypoint (Python) +# Fetches secrets from Infisical API and injects them as env vars before starting the app. +# Required env vars: INFISICAL_CLIENT_ID, INFISICAL_CLIENT_SECRET +# Optional: INFISICAL_PROJECT_SLUG, INFISICAL_ENV (default: prod), +# INFISICAL_URL (default: http://infisical:8080) + +set -e + +export INFISICAL_URL="${INFISICAL_URL:-http://infisical:8080}" +export INFISICAL_ENV="${INFISICAL_ENV:-prod}" +# IMPORTANT: Set INFISICAL_PROJECT_SLUG in your docker-compose.yml +export INFISICAL_PROJECT_SLUG="${INFISICAL_PROJECT_SLUG:?INFISICAL_PROJECT_SLUG must be set}" + +if [ -z "$INFISICAL_CLIENT_ID" ] || [ -z "$INFISICAL_CLIENT_SECRET" ]; then + echo "[infisical] No credentials set, starting without secret injection" + exec "$@" +fi + +echo "[infisical] Fetching secrets from ${INFISICAL_PROJECT_SLUG}/${INFISICAL_ENV}..." + +EXPORTS=$(python3 -c " +import urllib.request, json, os, sys + +base = os.environ['INFISICAL_URL'] +slug = os.environ['INFISICAL_PROJECT_SLUG'] +env = os.environ['INFISICAL_ENV'] + +try: + data = json.dumps({'clientId': os.environ['INFISICAL_CLIENT_ID'], 'clientSecret': os.environ['INFISICAL_CLIENT_SECRET']}).encode() + req = urllib.request.Request(f'{base}/api/v1/auth/universal-auth/login', data=data, headers={'Content-Type': 'application/json'}) + auth = json.loads(urllib.request.urlopen(req).read()) + token = auth.get('accessToken') + if not token: + print('[infisical] Auth failed', file=sys.stderr) + sys.exit(1) + + req = urllib.request.Request(f'{base}/api/v3/secrets/raw?workspaceSlug={slug}&environment={env}&secretPath=/&recursive=true') + req.add_header('Authorization', f'Bearer {token}') + secrets = json.loads(urllib.request.urlopen(req).read()) + + if 'secrets' not in secrets: + print('[infisical] No secrets returned', file=sys.stderr) + sys.exit(1) + + for s in secrets['secrets']: + key = s['secretKey'] + val = s['secretValue'].replace(\"'\", \"'\\\\'\") + print(f\"export {key}='{val}'\") +except Exception as e: + print(f'[infisical] Error: {e}', file=sys.stderr) + sys.exit(1) +" 2>&1) || { + echo "[infisical] WARNING: Failed to fetch secrets, starting with existing env vars" + exec "$@" +} + +if echo "$EXPORTS" | grep -q "^export "; then + COUNT=$(echo "$EXPORTS" | grep -c "^export ") + eval "$EXPORTS" + echo "[infisical] Injected ${COUNT} secrets" +else + echo "[infisical] WARNING: $EXPORTS" + echo "[infisical] Starting with existing env vars" +fi + +exec "$@" diff --git a/server.py b/server.py index a315cb4..3dbbb46 100644 --- a/server.py +++ b/server.py @@ -20,7 +20,7 @@ from typing import Optional, List, Dict, Any, Literal from enum import Enum # Config -RUNPOD_API_KEY = os.getenv("RUNPOD_API_KEY", "rpa_YYOARL5MEBTTKKWGABRKTW2CVHQYRBTOBZNSGIL3lwwfdz") +RUNPOD_API_KEY = os.getenv("RUNPOD_API_KEY", "") RUNPOD_API_BASE = "https://api.runpod.ai/v2" OLLAMA_HOST = os.getenv("OLLAMA_HOST", "http://localhost:11434")