Wire Infisical for backend and worker secrets
- Add Python entrypoint.sh for Infisical secret injection - Both backend and worker fetch DATABASE_URL, OPENAI_API_KEY from Infisical - Worker uses network_mode:service:wireguard (shares traefik-public via WG) - Keep env_file for non-secret config vars Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
e1d9085396
commit
8efeae63c7
|
|
@ -17,7 +17,12 @@ RUN pip install --no-cache-dir -r requirements.txt
|
|||
# Copy application
|
||||
COPY . .
|
||||
|
||||
# Copy Infisical entrypoint
|
||||
COPY entrypoint.sh /entrypoint.sh
|
||||
RUN chmod +x /entrypoint.sh
|
||||
|
||||
EXPOSE 8000
|
||||
|
||||
# Default: run API server
|
||||
ENTRYPOINT ["/entrypoint.sh"]
|
||||
CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000"]
|
||||
|
|
|
|||
|
|
@ -0,0 +1,67 @@
|
|||
#!/bin/sh
|
||||
# Infisical secret injection entrypoint (Python)
|
||||
# Fetches secrets from Infisical API and injects them as env vars before starting the app.
|
||||
# Required env vars: INFISICAL_CLIENT_ID, INFISICAL_CLIENT_SECRET
|
||||
# Optional: INFISICAL_PROJECT_SLUG, INFISICAL_ENV (default: prod),
|
||||
# INFISICAL_URL (default: http://infisical:8080)
|
||||
|
||||
set -e
|
||||
|
||||
export INFISICAL_URL="${INFISICAL_URL:-http://infisical:8080}"
|
||||
export INFISICAL_ENV="${INFISICAL_ENV:-prod}"
|
||||
# IMPORTANT: Set INFISICAL_PROJECT_SLUG in your docker-compose.yml
|
||||
export INFISICAL_PROJECT_SLUG="${INFISICAL_PROJECT_SLUG:?INFISICAL_PROJECT_SLUG must be set}"
|
||||
|
||||
if [ -z "$INFISICAL_CLIENT_ID" ] || [ -z "$INFISICAL_CLIENT_SECRET" ]; then
|
||||
echo "[infisical] No credentials set, starting without secret injection"
|
||||
exec "$@"
|
||||
fi
|
||||
|
||||
echo "[infisical] Fetching secrets from ${INFISICAL_PROJECT_SLUG}/${INFISICAL_ENV}..."
|
||||
|
||||
EXPORTS=$(python3 -c "
|
||||
import urllib.request, json, os, sys
|
||||
|
||||
base = os.environ['INFISICAL_URL']
|
||||
slug = os.environ['INFISICAL_PROJECT_SLUG']
|
||||
env = os.environ['INFISICAL_ENV']
|
||||
|
||||
try:
|
||||
data = json.dumps({'clientId': os.environ['INFISICAL_CLIENT_ID'], 'clientSecret': os.environ['INFISICAL_CLIENT_SECRET']}).encode()
|
||||
req = urllib.request.Request(f'{base}/api/v1/auth/universal-auth/login', data=data, headers={'Content-Type': 'application/json'})
|
||||
auth = json.loads(urllib.request.urlopen(req).read())
|
||||
token = auth.get('accessToken')
|
||||
if not token:
|
||||
print('[infisical] Auth failed', file=sys.stderr)
|
||||
sys.exit(1)
|
||||
|
||||
req = urllib.request.Request(f'{base}/api/v3/secrets/raw?workspaceSlug={slug}&environment={env}&secretPath=/&recursive=true')
|
||||
req.add_header('Authorization', f'Bearer {token}')
|
||||
secrets = json.loads(urllib.request.urlopen(req).read())
|
||||
|
||||
if 'secrets' not in secrets:
|
||||
print('[infisical] No secrets returned', file=sys.stderr)
|
||||
sys.exit(1)
|
||||
|
||||
for s in secrets['secrets']:
|
||||
key = s['secretKey']
|
||||
val = s['secretValue'].replace(\"'\", \"'\\\\'\")
|
||||
print(f\"export {key}='{val}'\")
|
||||
except Exception as e:
|
||||
print(f'[infisical] Error: {e}', file=sys.stderr)
|
||||
sys.exit(1)
|
||||
" 2>&1) || {
|
||||
echo "[infisical] WARNING: Failed to fetch secrets, starting with existing env vars"
|
||||
exec "$@"
|
||||
}
|
||||
|
||||
if echo "$EXPORTS" | grep -q "^export "; then
|
||||
COUNT=$(echo "$EXPORTS" | grep -c "^export ")
|
||||
eval "$EXPORTS"
|
||||
echo "[infisical] Injected ${COUNT} secrets"
|
||||
else
|
||||
echo "[infisical] WARNING: $EXPORTS"
|
||||
echo "[infisical] Starting with existing env vars"
|
||||
fi
|
||||
|
||||
exec "$@"
|
||||
|
|
@ -34,8 +34,9 @@ services:
|
|||
restart: unless-stopped
|
||||
env_file: .env
|
||||
environment:
|
||||
- DATABASE_URL=${DATABASE_URL:-postgresql+asyncpg://clipforge:changeme_clipforge_2025@postgres:5432/clipforge}
|
||||
- REDIS_URL=${REDIS_URL:-redis://redis:6379/0}
|
||||
- INFISICAL_CLIENT_ID=${INFISICAL_CLIENT_ID}
|
||||
- INFISICAL_CLIENT_SECRET=${INFISICAL_CLIENT_SECRET}
|
||||
- INFISICAL_PROJECT_SLUG=clip-forge
|
||||
volumes:
|
||||
- media_data:/data
|
||||
depends_on:
|
||||
|
|
@ -84,8 +85,9 @@ services:
|
|||
network_mode: "service:wireguard"
|
||||
env_file: .env
|
||||
environment:
|
||||
- DATABASE_URL=${DATABASE_URL:-postgresql+asyncpg://clipforge:changeme_clipforge_2025@postgres:5432/clipforge}
|
||||
- REDIS_URL=${REDIS_URL:-redis://redis:6379/0}
|
||||
- INFISICAL_CLIENT_ID=${INFISICAL_CLIENT_ID}
|
||||
- INFISICAL_CLIENT_SECRET=${INFISICAL_CLIENT_SECRET}
|
||||
- INFISICAL_PROJECT_SLUG=clip-forge
|
||||
- YTDLP_COOKIES_FILE=/app/cookies.txt
|
||||
volumes:
|
||||
- media_data:/data
|
||||
|
|
|
|||
Loading…
Reference in New Issue