@alacard-project/config-sdk 1.0.0

package/dist/vault-client.js

@@ -0,0 +1,72 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.VaultClient = void 0;
+const axios_1 = __importDefault(require("axios"));
+class VaultClient {
+    http;
+    options;
+    token = null;
+    tokenExpiry = 0;
+    constructor(options) {
+        this.options = options;
+        this.http = axios_1.default.create({
+            baseURL: `${options.address}/v1`,
+        });
+    }
+    async login() {
+        if (this.token && Date.now() < this.tokenExpiry) {
+            return;
+        }
+        try {
+            const response = await this.http.post('/auth/approle/login', {
+                role_id: this.options.roleId,
+                secret_id: this.options.secretId,
+            });
+            const { client_token, lease_duration } = response.data.auth;
+            this.token = client_token;
+            // Buffer of 60 seconds for token renewal
+            this.tokenExpiry = Date.now() + (lease_duration - 60) * 1000;
+            this.http.defaults.headers.common['X-Vault-Token'] = this.token;
+            console.log('[VaultSDK] Successfully authenticated with AppRole');
+        }
+        catch (error) {
+            throw new Error(`[VaultSDK] Login failed: ${error.response?.data?.errors?.[0] || error.message}`);
+        }
+    }
+    async getKVSecrets(path) {
+        await this.login();
+        try {
+            const response = await this.http.get(`/secret/data/${path}`);
+            return response.data.data.data;
+        }
+        catch (error) {
+            if (error.response?.status === 404) {
+                console.warn(`[VaultSDK] Secret not found at path: ${path}`);
+                return {};
+            }
+            throw new Error(`[VaultSDK] Failed to fetch secrets: ${error.message}`);
+        }
+    }
+    async issueCertificate(commonName) {
+        await this.login();
+        const pkiPath = this.options.pkiPath || 'pki/issue/config-service';
+        try {
+            const response = await this.http.post(pkiPath, {
+                common_name: commonName,
+            });
+            const { ca_chain, certificate, private_key } = response.data.data;
+            return {
+                ca: ca_chain[0] || '', // Use the first CA in the chain
+                certificate,
+                privateKey: private_key,
+            };
+        }
+        catch (error) {
+            throw new Error(`[VaultSDK] Failed to issue certificate: ${error.message}`);
+        }
+    }
+}
+exports.VaultClient = VaultClient;

package/package.json

@@ -0,0 +1,25 @@
+{
+    "name": "@alacard-project/config-sdk",
+    "version": "1.0.0",
+    "private": false,
+    "description": "Standalone gRPC-based Configuration SDK for Alacard microservices",
+    "main": "dist/index.js",
+    "types": "dist/index.d.ts",
+    "scripts": {
+        "build": "tsc",
+        "gen:proto": "protoc --plugin=./node_modules/.bin/protoc-gen-ts_proto --ts_proto_out=src/proto --proto_path=proto proto/config.proto --ts_proto_opt=outputServices=grpc-js,env=node,useOptionals=messages,exportCommonSymbols=false,esModuleInterop=true",
+        "prepublishOnly": "npm run build"
+    },
+    "dependencies": {
+        "@grpc/grpc-js": "^1.14.3",
+        "@grpc/proto-loader": "^0.8.0",
+        "kafkajs": "^2.2.4",
+        "dotenv": "^16.4.6",
+        "axios": "^1.7.9"
+    },
+    "devDependencies": {
+        "typescript": "^5.5.6",
+        "@types/node": "^20.15.0",
+        "ts-proto": "^2.2.0"
+    }
+}

package/proto/config.proto

@@ -0,0 +1,39 @@
+syntax = "proto3";
+
+package config;
+
+service ConfigService {
+  rpc GetConfig (GetConfigRequest) returns (ConfigResponse);
+  rpc SetConfig (SetConfigRequest) returns (ConfigResponse);
+  rpc ListConfigs (ListConfigsRequest) returns (ListConfigsResponse);
+}
+
+message GetConfigRequest {
+  string serviceName = 1;
+  string environment = 2;
+  string version = 3;
+}
+
+message ConfigResponse {
+  map<string, string> values = 1;
+}
+
+message SetConfigRequest {
+  string serviceName = 1;
+  string environment = 2;
+  string key = 3;
+  string value = 4;
+}
+
+message ListConfigsRequest {
+  string environment = 1;
+}
+
+message ServiceConfig {
+  string serviceName = 1;
+  map<string, string> values = 2;
+}
+
+message ListConfigsResponse {
+  repeated ServiceConfig configs = 1;
+}

package/src/config-client.ts

@@ -0,0 +1,180 @@
+import * as grpc from '@grpc/grpc-js';
+import { Kafka, Consumer } from 'kafkajs';
+import * as path from 'path';
+import * as dotenv from 'dotenv';
+import { ConfigServiceClient } from './proto/config';
+import { GetConfigRequest } from './proto/config';
+import { VaultClient, VaultOptions } from './vault-client';
+
+export { VaultOptions };
+
+export interface ConfigOptions {
+    serviceName: string;
+    environment: string;
+    grpcUrl: string;
+    version?: string;
+    kafkaBrokers?: string[];
+    useDotenvFallback?: boolean;
+    internalKey?: string;
+    tls?: {
+        rootCert: Buffer;
+        clientCert: Buffer;
+        clientKey: Buffer;
+    };
+    vault?: VaultOptions;
+}
+
+export class ConfigClient {
+    private configMap: Record<string, string> = {};
+    private consumer: Consumer | null = null;
+    private options: ConfigOptions;
+    private vaultClient: VaultClient | null = null;
+    private static instance: ConfigClient | null = null;
+
+    constructor(options: ConfigOptions) {
+        this.options = options;
+    }
+
+    static async initialize(options: ConfigOptions): Promise<ConfigClient> {
+        const client = new ConfigClient(options);
+        await client.init();
+        this.instance = client;
+        return client;
+    }
+
+    static getInstance(): ConfigClient {
+        if (!this.instance) {
+            throw new Error('[ConfigSDK] ConfigClient not initialized. Call initialize() first.');
+        }
+        return this.instance;
+    }
+
+    private async init(): Promise<void> {
+        const { serviceName, environment, grpcUrl, version = 'v1', useDotenvFallback = true } = this.options;
+
+        try {
+            // 1. Fallback to .env
+            if (useDotenvFallback) {
+                const envFile = `.env.${environment}`;
+                dotenv.config({ path: path.resolve(process.cwd(), envFile) });
+
+                const ALLOWED_ENV_PREFIXES = ['APP_', 'KAFKA_', 'DB_', 'REDIS_', 'GRPC_', 'PORT', 'NODE_ENV'];
+                for (const [key, value] of Object.entries(process.env)) {
+                    if (value && ALLOWED_ENV_PREFIXES.some(prefix => key.startsWith(prefix))) {
+                        this.configMap[key] = value;
+                    }
+                }
+            }
+
+            // 2. Load from Vault (KV)
+            if (this.options.vault) {
+                this.vaultClient = new VaultClient(this.options.vault);
+                const vaultSecrets = await this.vaultClient.getKVSecrets(`config-service/${serviceName}`);
+                Object.assign(this.configMap, vaultSecrets);
+                console.log(`[ConfigSDK] Loaded secrets from Vault KV for ${serviceName}`);
+
+                // 3. Issue mTLS Certificates from Vault PKI if enabled
+                if (this.options.vault.pkiPath && !this.options.tls) {
+                    const certs = await this.vaultClient.issueCertificate(serviceName);
+                    this.options.tls = {
+                        rootCert: Buffer.from(certs.ca),
+                        clientCert: Buffer.from(certs.certificate),
+                        clientKey: Buffer.from(certs.privateKey),
+                    };
+                    console.log(`[ConfigSDK] Dynamic mTLS certificate issued from Vault PKI`);
+                }
+            }
+
+            // 4. Fetch additional config via gRPC
+            await this.fetchRemoteConfig(serviceName, environment, grpcUrl, version);
+
+            // 5. Start watching for changes via Kafka
+            if (this.options.kafkaBrokers && this.options.kafkaBrokers.length > 0) {
+                await this.startWatching();
+            }
+        } catch (error: any) {
+            console.error(`[ConfigSDK] Initialization failed: ${error.message}`);
+        }
+    }
+
+    private async fetchRemoteConfig(serviceName: string, environment: string, grpcUrl: string, version: string): Promise<void> {
+        let credentials = grpc.credentials.createInsecure();
+
+        if (this.options.tls) {
+            credentials = grpc.credentials.createSsl(
+                this.options.tls.rootCert,
+                this.options.tls.clientKey,
+                this.options.tls.clientCert,
+            );
+        }
+
+        const client = new ConfigServiceClient(grpcUrl, credentials);
+
+        return new Promise((resolve) => {
+            const request: GetConfigRequest = { serviceName, environment, version };
+            const metadata = new grpc.Metadata();
+            if (this.options.internalKey) {
+                metadata.set('x-internal-key', this.options.internalKey);
+            }
+
+            client.getConfig(request, metadata, (error, response) => {
+                if (error) {
+                    console.warn(`[ConfigSDK] Failed to fetch remote config from gRPC: ${error.message}. Using local/Vault fallback.`);
+                    return resolve();
+                }
+
+                if (response && response.values) {
+                    Object.assign(this.configMap, response.values);
+                    console.log(`[ConfigSDK] Remote config loaded for ${serviceName} (${environment}, ${version})`);
+                }
+                resolve();
+            });
+        });
+    }
+
+    private async startWatching(): Promise<void> {
+        if (this.consumer) return;
+
+        try {
+            const kafka = new Kafka({
+                clientId: `config-sdk-${this.options.serviceName}`,
+                brokers: this.options.kafkaBrokers!,
+            });
+
+            const groupId = `config-watch-${this.options.serviceName}-${this.options.environment}`;
+
+            this.consumer = kafka.consumer({ groupId });
+            await this.consumer.connect();
+            await this.consumer.subscribe({ topic: 'config.updated', fromBeginning: false });
+
+            await this.consumer.run({
+                eachMessage: async ({ message }) => {
+                    if (!message.value) return;
+                    const event = JSON.parse(message.value.toString());
+
+                    if (event.service === 'global' || event.service === this.options.serviceName) {
+                        if (event.environment === this.options.environment && event.version === (this.options.version || 'v1')) {
+                            console.log(`[ConfigSDK] Hot-reload: ${event.key} updated`);
+                            this.configMap[event.key] = event.value;
+                        }
+                    }
+                },
+            });
+        } catch (error: any) {
+            console.error(`[ConfigSDK] Watch mode failed: ${error.message}`);
+        }
+    }
+
+    get(key: string, defaultValue: string = ''): string {
+        return this.configMap[key] || defaultValue;
+    }
+
+    getInt(key: string, defaultValue: number = 0): number {
+        const val = this.get(key);
+        return val ? parseInt(val, 10) : defaultValue;
+    }
+
+    getAll(): Record<string, string> {
+        return { ...this.configMap };
+    }
+}

package/src/index.ts

@@ -0,0 +1 @@
+export * from './config-client';