Merge pull request #91 from diggerhq/secrets-setup

Secrets vault

Author: breardon2011

cmd/server/main.go

@@ -27,6 +27,11 @@ import (
 )
 
 func main() {
+	// Load secrets from Azure Key Vault if configured (before config.Load reads env vars).
+	if err := config.LoadSecretsFromKeyVault(); err != nil {
+		log.Fatalf("failed to load secrets from Key Vault: %v", err)
+	}
+
 	cfg, err := config.Load()
 	if err != nil {
 		log.Fatalf("failed to load config: %v", err)

cmd/worker/main.go

@@ -30,6 +30,11 @@ import (
 var AgentVersion = "dev"
 
 func main() {
+	// Load secrets from Azure Key Vault if configured (before config.Load reads env vars).
+	if err := config.LoadSecretsFromKeyVault(); err != nil {
+		log.Fatalf("failed to load secrets from Key Vault: %v", err)
+	}
+
 	cfg, err := config.Load()
 	if err != nil {
 		log.Fatalf("failed to load config: %v", err)

deploy/server.env.example

@@ -0,0 +1,47 @@
+# OpenComputer Control Plane — Environment Configuration
+#
+# Place at /etc/opensandbox/server.env on the control plane VM.
+# Secrets are loaded from Secrets Service at startup when SECRETS_VAULT_NAME is set.
+# Non-secret config values stay in this file.
+
+# ── Secrets Service ──────────────────────────────────────────────
+# Set this to enable secrets loading from secrets service.
+# When set, all values marked [KEY VAULT] below are fetched automatically.
+# Remove those values from this file — they're managed in the vault.
+SECRETS_VAULT_NAME=opencomputer-prod-kv
+
+# ── Server Config (not secret — stays in this file) ─────────────
+OPENSANDBOX_MODE=server
+OPENSANDBOX_PORT=8080
+OPENSANDBOX_REGION=eastus2
+OPENSANDBOX_SANDBOX_DOMAIN=workers.opencomputer.dev
+OPENSANDBOX_CONTROLPLANE_IP=10.200.1.4
+OPENSANDBOX_HTTP_ADDR=https://app.opencomputer.dev
+OPENSANDBOX_MAX_WORKERS=4
+OPENSANDBOX_MIN_WORKERS=1
+
+# WorkOS OAuth (non-secret config)
+WORKOS_REDIRECT_URI=https://app.opencomputer.dev/auth/callback
+WORKOS_COOKIE_DOMAIN=opencomputer.dev
+
+# Stripe (non-secret config)
+STRIPE_SUCCESS_URL=https://app.opencomputer.dev/billing?success=true
+STRIPE_CANCEL_URL=https://app.opencomputer.dev/billing?cancelled=true
+
+# ── Secrets (managed in secrets service) ───────────────────────────────
+# These are loaded from Secrets Service at startup.
+# Only set them here to override secrets service (e.g., local development).
+#
+# secrets service secret name          → Environment variable
+# ─────────────────────────────────────────────────────────
+# server-database-url            → OPENSANDBOX_DATABASE_URL
+# server-redis-url               → OPENSANDBOX_REDIS_URL
+# server-jwt-secret              → OPENSANDBOX_JWT_SECRET
+# server-api-key                 → OPENSANDBOX_API_KEY
+# server-secret-encryption-key   → OPENSANDBOX_SECRET_ENCRYPTION_KEY
+# server-workos-api-key          → WORKOS_API_KEY
+# server-workos-client-id        → WORKOS_CLIENT_ID
+# server-cf-api-token            → OPENSANDBOX_CF_API_TOKEN
+# server-cf-zone-id              → OPENSANDBOX_CF_ZONE_ID
+# server-stripe-secret-key       → STRIPE_SECRET_KEY
+# server-stripe-webhook-secret   → STRIPE_WEBHOOK_SECRET

deploy/worker.env.example

@@ -0,0 +1,49 @@
+# OpenComputer Worker — Environment Configuration
+#
+# Place at /etc/opensandbox/worker.env on each worker VM.
+# Secrets are loaded from Secrets Service at startup when SECRETS_VAULT_NAME is set.
+# Non-secret config values stay in this file.
+
+# ── Secrets Service ──────────────────────────────────────────────
+# Set this to enable secrets loading from secrets service.
+# When set, all values marked [KEY VAULT] below are fetched automatically.
+# Remove those values from this file — they're managed in the vault.
+SECRETS_VAULT_NAME=opencomputer-prod-kv
+
+# ── Worker Config (not secret — stays in this file) ──────────────
+OPENSANDBOX_MODE=worker
+OPENSANDBOX_VM_BACKEND=qemu
+OPENSANDBOX_QEMU_BIN=qemu-system-x86_64
+OPENSANDBOX_DATA_DIR=/data/sandboxes
+OPENSANDBOX_KERNEL_PATH=/opt/opensandbox/vmlinux
+OPENSANDBOX_IMAGES_DIR=/data/firecracker/images
+OPENSANDBOX_GRPC_ADVERTISE=10.200.1.5:9090
+OPENSANDBOX_HTTP_ADDR=http://10.200.1.5:8081
+OPENSANDBOX_WORKER_ID=w-oc-eastus2-1
+OPENSANDBOX_MACHINE_ID=oc-worker-1
+OPENSANDBOX_REGION=eastus2
+OPENSANDBOX_PORT=8081
+OPENSANDBOX_MAX_CAPACITY=250
+OPENSANDBOX_SANDBOX_DOMAIN=workers.opencomputer.dev
+
+# VM defaults
+OPENSANDBOX_DEFAULT_SANDBOX_MEMORY_MB=1024
+OPENSANDBOX_DEFAULT_SANDBOX_CPUS=2
+OPENSANDBOX_DEFAULT_SANDBOX_DISK_MB=20480
+
+# S3/Blob storage (non-secret config)
+OPENSANDBOX_S3_BUCKET=checkpoints
+OPENSANDBOX_S3_REGION=eastus2
+OPENSANDBOX_S3_ENDPOINT=https://occkpt3ccf3c31.blob.core.windows.net
+
+# ── Secrets (managed in secrets service) ───────────────────────────────
+# These are loaded from Secrets Service at startup.
+# Only set them here to override secrets service (e.g., local development).
+#
+# secrets service secret name     → Environment variable
+# ─────────────────────────────────────────────────────────
+# worker-jwt-secret         → OPENSANDBOX_JWT_SECRET
+# worker-database-url       → OPENSANDBOX_DATABASE_URL
+# worker-redis-url          → OPENSANDBOX_REDIS_URL
+# worker-s3-access-key      → OPENSANDBOX_S3_ACCESS_KEY_ID
+# worker-s3-secret-key      → OPENSANDBOX_S3_SECRET_ACCESS_KEY

go.mod

@@ -7,6 +7,7 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute v1.0.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork v1.1.0
+	github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.4.0
 	github.com/aws/aws-sdk-go-v2 v1.41.2
 	github.com/aws/aws-sdk-go-v2/config v1.32.10
 	github.com/aws/aws-sdk-go-v2/credentials v1.19.10
@@ -35,6 +36,7 @@ require (
 
 require (
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.2.0 // indirect
 	github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 // indirect
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.4 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.18 // indirect

go.sum

@@ -14,6 +14,10 @@ github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork v1.1.0
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork v1.1.0/go.mod h1:243D9iHbcQXoFUtgHJwL7gl2zx1aDuDMjvBZVGr2uW0=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.0.0 h1:ECsQtyERDVz3NP3kvDOTLvbQhqWp/x9EsGKtb4ogUr8=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.0.0/go.mod h1:s1tW/At+xHqjNFvWU4G0c0Qv33KOhvbGNj0RCTQDV8s=
+github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.4.0 h1:/g8S6wk65vfC6m3FIxJ+i5QDyN9JWwXI8Hb0Img10hU=
+github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.4.0/go.mod h1:gpl+q95AzZlKVI3xSoseF9QPrypk0hQqBiJYeB/cR/I=
+github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.2.0 h1:nCYfgcSyHZXJI8J0IWE5MsCGlb2xp9fJiXyxWgmOFg4=
+github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.2.0/go.mod h1:ucUjca2JtSZboY8IoUqyQyuuXvwbMBVwFOm0vdQPNhA=
 github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1 h1:WJTmL004Abzc5wDB5VtZG2PJk5ndYDgVacGqfirKxjM=
 github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mod h1:tCcJZ0uHAmvjsVYzEFivsRTN00oz5BEsRgQHu5JZ9WE=
 github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 h1:XRzhVemXdgvJqCH0sFfrBUTnUJSBrBf7++ypk+twtRs=

internal/config/keyvault.go

@@ -0,0 +1,131 @@
+// Package config provides configuration loading from Azure Key Vault.
+//
+// If SECRETS_VAULT_NAME is set, LoadSecretsFromKeyVault fetches all secrets
+// from the vault and maps them to environment variables. The mapping is:
+//
+//	Key Vault secret name    →  Environment variable
+//	server-database-url      →  OPENSANDBOX_DATABASE_URL
+//	server-jwt-secret        →  OPENSANDBOX_JWT_SECRET
+//	worker-s3-secret-key     →  OPENSANDBOX_S3_SECRET_ACCESS_KEY
+//	...etc
+//
+// Secrets already set in the environment are NOT overwritten — env vars take
+// precedence over Key Vault. This allows local overrides for development.
+//
+// Authentication uses Azure Default Credential (Managed Identity on VMs,
+// CLI credentials locally). No explicit credentials needed.
+package config
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
+	"github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets"
+)
+
+// secretMapping maps Key Vault secret names to environment variable names.
+// Only secrets in this map are loaded — unknown secrets in the vault are ignored.
+var secretMapping = map[string]string{
+	// Server secrets
+	"server-database-url":           "OPENSANDBOX_DATABASE_URL",
+	"server-redis-url":              "OPENSANDBOX_REDIS_URL",
+	"server-jwt-secret":             "OPENSANDBOX_JWT_SECRET",
+	"server-api-key":                "OPENSANDBOX_API_KEY",
+	"server-secret-encryption-key":  "OPENSANDBOX_SECRET_ENCRYPTION_KEY",
+	"server-workos-api-key":         "WORKOS_API_KEY",
+	"server-workos-client-id":       "WORKOS_CLIENT_ID",
+	"server-cf-api-token":           "OPENSANDBOX_CF_API_TOKEN",
+	"server-cf-zone-id":             "OPENSANDBOX_CF_ZONE_ID",
+	"server-stripe-secret-key":      "STRIPE_SECRET_KEY",
+	"server-stripe-webhook-secret":  "STRIPE_WEBHOOK_SECRET",
+
+	// Worker secrets
+	"worker-jwt-secret":    "OPENSANDBOX_JWT_SECRET",
+	"worker-database-url":  "OPENSANDBOX_DATABASE_URL",
+	"worker-redis-url":     "OPENSANDBOX_REDIS_URL",
+	"worker-s3-access-key": "OPENSANDBOX_S3_ACCESS_KEY_ID",
+	"worker-s3-secret-key": "OPENSANDBOX_S3_SECRET_ACCESS_KEY",
+
+	// Shared
+	"pg-password": "OPENSANDBOX_PG_PASSWORD",
+}
+
+// LoadSecretsFromKeyVault fetches secrets from Azure Key Vault and sets them
+// as environment variables. Only loads secrets relevant to the current mode
+// (server or worker), determined by the secret name prefix.
+//
+// Skips secrets that are already set in the environment.
+// Does nothing if SECRETS_VAULT_NAME is not set.
+func LoadSecretsFromKeyVault() error {
+	vaultName := os.Getenv("SECRETS_VAULT_NAME")
+	if vaultName == "" {
+		return nil // Key Vault not configured — use env file as-is
+	}
+
+	vaultURL := fmt.Sprintf("https://%s.vault.azure.net/", vaultName)
+	mode := os.Getenv("OPENSANDBOX_MODE") // "server" or "worker"
+
+	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+	defer cancel()
+
+	cred, err := azidentity.NewDefaultAzureCredential(nil)
+	if err != nil {
+		return fmt.Errorf("keyvault: azure credential: %w", err)
+	}
+
+	client, err := azsecrets.NewClient(vaultURL, cred, nil)
+	if err != nil {
+		return fmt.Errorf("keyvault: client: %w", err)
+	}
+
+	loaded := 0
+	skipped := 0
+
+	pager := client.NewListSecretPropertiesPager(nil)
+	for pager.More() {
+		page, err := pager.NextPage(ctx)
+		if err != nil {
+			return fmt.Errorf("keyvault: list secrets: %w", err)
+		}
+
+		for _, prop := range page.Value {
+			name := prop.ID.Name()
+			envVar, mapped := secretMapping[name]
+			if !mapped {
+				continue
+			}
+
+			// Only load secrets matching the current mode (or shared secrets)
+			if mode != "" && !strings.HasPrefix(name, mode+"-") && !strings.HasPrefix(name, "pg-") {
+				continue
+			}
+
+			// Don't overwrite existing env vars — local config takes precedence
+			if os.Getenv(envVar) != "" {
+				skipped++
+				continue
+			}
+
+			// Fetch the secret value
+			resp, err := client.GetSecret(ctx, name, "", nil)
+			if err != nil {
+				log.Printf("keyvault: failed to get secret %s: %v (skipping)", name, err)
+				continue
+			}
+			if resp.Value == nil {
+				continue
+			}
+
+			os.Setenv(envVar, *resp.Value)
+			loaded++
+		}
+	}
+
+	log.Printf("keyvault: loaded %d secrets from %s (%d skipped, already set)", loaded, vaultName, skipped)
+	return nil
+}