@varius.io/framework 13.11.4 → 13.12.0

package/bin/vatom-vault-env.mjs

@@ -0,0 +1,137 @@
+#!/usr/bin/env node
+
+import { spawn } from "child_process";
+import fsp from "node:fs/promises";
+import { format } from "node:util";
+
+const vaultApiBase = process.env.VAULT_ENV_VAULT_API_BASE;
+
+async function getKubernetesServiceAccountToken() {
+	const buffer = await fsp.readFile("/var/run/secrets/kubernetes.io/serviceaccount/token");
+	return buffer.toString("utf8");
+}
+
+async function fetchVaultTokenViaKubernetesAuth(role) {
+	const jwt = await getKubernetesServiceAccountToken();
+
+	const res = await fetch(`${vaultApiBase}/v1/auth/kubernetes/login`, {
+		method: "POST",
+		headers: { "content-type": "application/json" },
+		body: JSON.stringify({ role, jwt }),
+	});
+
+	if (!res.ok) {
+		throw new Error(
+			format(
+				`Error fetching vault token via kubernetes auth, role=%j, httpStatusCode=%j`,
+				role,
+				res.status
+			)
+		);
+	}
+
+	const resBody = await res.json();
+	return resBody.auth.client_token;
+}
+
+async function getVaultToken() {
+	const envToken = process.env.VAULT_ENV_VAULT_TOKEN;
+	const envRole = process.env.VAULT_ENV_ROLE;
+
+	if (envToken) {
+		return envToken;
+	} else if (envRole) {
+		return await fetchVaultTokenViaKubernetesAuth(envRole);
+	} else {
+		throw new Error("No available vault auth mechanism.");
+	}
+}
+
+async function fetchSecret(secretPath) {
+	const res = await fetch(`${vaultApiBase}/v1/${secretPath}`, {
+		headers: { "X-Vault-Token": await getVaultToken() },
+	});
+
+	if (!res.ok) {
+		throw new Error(
+			format(`Failed to fetch secret, secretPath=%j, httpStatusCode=%j`, secretPath, res.status)
+		);
+	}
+
+	const resBody = await res.json();
+	return resBody.data;
+}
+
+const resolvedSecrets = new Map();
+
+export async function resolveEnv() {
+	const newEnv = {};
+	const secretEnvVars = [];
+
+	for (const [envKey, envValue] of Object.entries(process.env)) {
+		if (envValue.startsWith("vault:")) {
+			const [secretPath, secretPropertyName] = envValue.split("vault:")[1].split("#");
+			secretEnvVars.push({ envKey, secretPath, secretPropertyName });
+		}
+	}
+
+	async function getSecret(secretPath) {
+		resolvedSecrets.set(secretPath, await fetchSecret(secretPath));
+	}
+
+	const secretPaths = Array.from(new Set(secretEnvVars.map(envVar => envVar.secretPath)));
+	await Promise.all(secretPaths.map(getSecret));
+
+	for (const envVar of secretEnvVars) {
+		const secret = resolvedSecrets.get(envVar.secretPath);
+		const secretPropertyValue = secret.data[envVar.secretPropertyName];
+		newEnv[envVar.envKey] = secretPropertyValue;
+	}
+
+	return newEnv;
+}
+
+function spawnChildProcess() {
+	// remove this script's args (before "--" separator)
+	while (process.argv[0] !== "--") {
+		process.argv.shift();
+	}
+
+	// remove "--" separator
+	process.argv.shift();
+
+	const childCommand = process.argv.shift();
+
+	const child = spawn(childCommand, process.argv, {
+		cwd: process.cwd(),
+		env: process.env,
+		stdio: "inherit",
+	});
+
+	child.on("error", function(e) {
+		console.error(e);
+	});
+}
+
+async function main() {
+	// need to temporarily allow self-signed certs
+	const oldRejectUnauthorized = process.env.NODE_TLS_REJECT_UNAUTHORIZED;
+	process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
+
+	const newEnv = await setupEnv();
+
+	// reset self-signed cert permission, for the child process
+	process.env.NODE_TLS_REJECT_UNAUTHORIZED = oldRejectUnauthorized;
+
+	process.env = { ...process.env, ...newEnv };
+
+	for (const key of Object.keys(process.env)) {
+		if (key.startsWith("VAULT_ENV")) {
+			delete process.env[key];
+		}
+	}
+
+	spawnChildProcess();
+}
+
+main();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@varius.io/framework",
-  "version": "13.11.4",
+  "version": "13.12.0",
   "main": "./build/index.js",
   "type": "./build/index.d.ts",
   "scripts": {
@@ -79,6 +79,10 @@
   },
   "homepage": "https://github.com/VariusIO/framework#readme",
   "files": [
-    "build"
-  ]
+    "build",
+    "bin"
+  ],
+  "bin": {
+    "vatom-vault-env": "bin/vatom-vault-env.mjs"
+  }
 }