From 0dd8b13d621d5043da8493bfa61d49602a5923cd Mon Sep 17 00:00:00 2001
From: ZdenekSrotyr
Date: Tue, 21 Apr 2026 15:34:35 +0200
Subject: [PATCH] infra: add fetch-env-from-secrets.sh for VM-side .env generation

Reads JWT_SECRET_KEY and KEBOOLA_STORAGE_TOKEN from Secret Manager, combines with non-secret config, writes .env with chmod 600. Run as part of VM startup or manually for rotation.
---
 scripts/fetch-env-from-secrets.sh | 44 +++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100755 scripts/fetch-env-from-secrets.sh

diff --git a/scripts/fetch-env-from-secrets.sh b/scripts/fetch-env-from-secrets.sh
new file mode 100755
index 0000000..d0de77a
--- /dev/null
+++ b/scripts/fetch-env-from-secrets.sh
@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+# Stáhne secrets z GCP Secret Manageru a vytvoří .env pro Agnes.
+# Spouští se na VM pod uživatelem, který má gcloud přístup k Secret Manageru
+# (typicky přes VM service account s roles/secretmanager.secretAccessor).
+#
+# Usage: ./fetch-env-from-secrets.sh [APP_DIR]
+# Default APP_DIR: /home/deploy/app
+set -euo pipefail
+
+APP_DIR="${1:-${APP_DIR:-/home/deploy/app}}"
+ENV_FILE="${APP_DIR}/.env"
+
+# Non-secret config (override via environment or hardcoded defaults)
+DATA_SOURCE="${DATA_SOURCE:-keboola}"
+KEBOOLA_STACK_URL="${KEBOOLA_STACK_URL:-https://connection.us-east4.gcp.keboola.com/}"
+SEED_ADMIN_EMAIL="${SEED_ADMIN_EMAIL:-zdenek.srotyr@keboola.com}"
+LOG_LEVEL="${LOG_LEVEL:-info}"
+DATA_DIR="${DATA_DIR:-/data}"
+AGNES_TAG="${AGNES_TAG:-stable}"
+
+echo "Fetching secrets from Secret Manager..."
+JWT_KEY=$(gcloud secrets versions access latest --secret=jwt-secret-key)
+KEBOOLA_TOKEN=""
+if [ "$DATA_SOURCE" = "keboola" ]; then
+  KEBOOLA_TOKEN=$(gcloud secrets versions access latest --secret=keboola-storage-token)
+fi
+
+echo "Writing ${ENV_FILE}..."
+cat > "${ENV_FILE}" </dev/null || true
+
+echo "Done. ${ENV_FILE} has $(wc -l < "${ENV_FILE}") lines, chmod 600."
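Review bot: The .env is created by `cat > "${ENV_FILE}"` under the caller's default umask and only tightened afterwards (the chmod line itself is not visible in this extract, but the commit message and the final echo describe a post-hoc chmod 600), so between the redirect and the chmod the two secrets sit in a file readable by other local users, and if a wider-permission .env already exists the truncating write inherits its mode. Putting `umask 077` before the write, or creating the file first with `install -m 600 /dev/null "${ENV_FILE}"`, closes that window. The script also continues when Secret Manager returns an empty value; a guard such as `[ -n "$JWT_KEY" ] || { echo "jwt-secret-key is empty" >&2; exit 1; }` after the JWT_KEY assignment (and the same for KEBOOLA_TOKEN inside the if) would avoid writing an .env with a blank JWT_SECRET_KEY. The heredoc body between `cat > "${ENV_FILE}"` and `/dev/null || true` appears to have been lost in this extract, so the exact written keys and the chmod/chown lines could not be reviewed.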