Reading deployment secrets from environment variables

[hwupathum]

Purpose

Currently deployment secrets like encryption key is read via a separate secret file [1] which has following drawbacks.

• Not scalable for multiple secrets since each secret requires a separate file to store it
• Reading a configuration via a file is not optimal in a containerised deployment

[1] #723

Approach

• Improving Config service to read environment variables via deployment.yaml file. Currently this is implemented for encryption key but can be used with any config.

crypto:
  encrypt:
    key: "$THUNDER_CRYPTO_ENC_KEY"

• Introducing a file based mechanism to read environment variables via a file (.env).
• This file is only used as a fallback when environment variables are not set.
• Improve the startup script to read the .env file and load environment variables
• Improve the build script to generate a .env file in development environment and packing the file to the distribution.

THUNDER_CRYPTO_ENC_KEY=01d0cfa0df8010c1c3b7ab61b04edbb1f0575251b21daf3d494bd7e9409374b2

Related Issues

• Handling deployment secrets in Thunder #567

Related PRs

• N/A

Checklist

• Followed the contribution guidelines.
• Manual test round performed and verified.
• Documentation provided. (Add links if there are any)
• Tests provided. (Add links if there are any)
  • Unit Tests
  • Integration Tests

Security checks

• Followed secure coding standards in WSO2 Secure Coding Guidelines
• Confirmed that this PR doesn't commit any keys, passwords, tokens, usernames, or other secrets.

[Copilot]

Pull Request Overview

This PR refactors deployment secret management from file-based to environment variable-based configuration, specifically for the encryption key used in cryptographic operations. The change improves scalability and aligns with containerized deployment best practices by reading secrets from environment variables (with .env file fallback for local development) instead of separate secret files.

Key Changes:

• Introduced environment variable expansion in YAML configuration loading via os.ExpandEnv
• Refactored encryption service initialization to read keys from config instead of files
• Updated build scripts to generate .env files with auto-generated secrets for local development
• Simplified test setups by removing file-based crypto key dependencies

Reviewed Changes

Copilot reviewed 23 out of 23 changed files in this pull request and generated 12 comments.

Show a summary per file

File	Description
tests/integration/resources/deployment.yaml	Updated crypto configuration to use plaintext key for integration tests
start.sh	Added .env file loading function to read environment variables on startup (with path bug)
start.ps1	Added PowerShell .env file loading function for Windows support
build.sh	Replaced crypto file generation with .env file generation containing auto-generated secrets
build.ps1	PowerShell version of build script with .env file generation
backend/tests/resources/testKey	Removed deprecated test crypto key file
backend/internal/system/crypto/encrypt/service_test.go	Refactored tests to use config-based encryption service initialization
backend/internal/system/crypto/encrypt/service.go	Refactored to read encryption key from config instead of file, removed file reading logic
backend/internal/system/config/config_test.go	Updated test to verify new crypto config structure
backend/internal/system/config/config.go	Added environment variable expansion and new crypto config structure
backend/internal/notification/*.go	Simplified test setup by removing crypto file dependencies
backend/cmd/server/repository/resources/conf/default.json	Added crypto config section with empty default key
backend/cmd/server/repository/conf/deployment.yaml	Added crypto config with environment variable placeholder
backend/cmd/server/main.go	Added encryption service initialization with nil check

[codecov]

Codecov Report

❌ Patch coverage is 83.72093% with 7 lines in your changes missing coverage. Please review.
✅ Project coverage is 86.96%. Comparing base (2eca507) to head (712f3f5).
⚠️ Report is 3 commits behind head on main.

Files with missing lines	Patch %	Lines
backend/internal/system/config/config.go	84.00%	2 Missing and 2 partials ⚠️
backend/cmd/server/main.go	50.00%	1 Missing and 2 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #827      +/-   ##
==========================================
- Coverage   86.99%   86.96%   -0.03%     
==========================================
  Files         310      310              
  Lines       24305    24303       -2     
  Branches      606      606              
==========================================
- Hits        21143    21136       -7     
- Misses       1967     1971       +4     
- Partials     1195     1196       +1     

Flag	Coverage Δ
backend-integration-postgres	58.19% <62.79%> (+0.01%)	⬆️
backend-integration-sqlite	58.14% <62.79%> (+0.01%)	⬆️
backend-unit	73.07% <76.74%> (-0.04%)	⬇️
frontend-apps-develop-unit	88.45% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Copilot]

Pull Request Overview

Copilot reviewed 25 out of 25 changed files in this pull request and generated 12 comments.

[Copilot]

Pull Request Overview

Copilot reviewed 25 out of 25 changed files in this pull request and generated 4 comments.

[Copilot]

Pull Request Overview

Copilot reviewed 27 out of 27 changed files in this pull request and generated 4 comments.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[Copilot]

Pull request overview

Copilot reviewed 30 out of 30 changed files in this pull request and generated 3 comments.

[Copilot]

Pull request overview

Copilot reviewed 25 out of 25 changed files in this pull request and generated 5 comments.

Comments suppressed due to low confidence (1)

backend/cmd/server/main.go:150

• The order of operations in main() is incorrect. The .env file is being loaded AFTER the config file has already been loaded and processed by LoadConfig(). This means that when os.ExpandEnv() is called in LoadConfig() (line 211), the environment variables from .env file won't be available yet.

The .env file should be loaded BEFORE calling LoadConfig() to ensure that environment variables like THUNDER_CRYPTO_ENC_KEY are available when the deployment.yaml is processed.

Suggested fix:

func initThunderConfigurations(logger *log.Logger, thunderHome string) *config.Config {
	// Load the environment variables FIRST
	envFilePath := path.Join(thunderHome, "repository/conf/.env")
	if err := config.LoadEnv(envFilePath); err != nil {
		logger.Fatal("Failed to load environment variables", log.Error(err))
	}

	// Then load the configurations
	configFilePath := path.Join(thunderHome, "repository/conf/deployment.yaml")
	defaultConfigPath := path.Join(thunderHome, "repository/resources/conf/default.json")
	cfg, err := config.LoadConfig(configFilePath, defaultConfigPath)
	if err != nil {
		logger.Fatal("Failed to load configurations", log.Error(err))
	}

	// Initialize runtime configurations
	if err := config.InitializeThunderRuntime(thunderHome, cfg); err != nil {
		logger.Fatal("Failed to initialize thunder runtime", log.Error(err))
	}

	return cfg
}

	// Load the environment variables.
	envFilePath := path.Join(thunderHome, "repository/conf/.env")
	if err := config.LoadEnv(envFilePath); err != nil {
		logger.Fatal("Failed to load environment variables", log.Error(err))
	}

	// Initialize runtime configurations.
	if err := config.InitializeThunderRuntime(thunderHome, cfg); err != nil {
		logger.Fatal("Failed to initialize thunder runtime", log.Error(err))
	}

[Copilot]

Pull request overview

Copilot reviewed 27 out of 27 changed files in this pull request and generated 7 comments.

[Copilot]

The .env file parsing is vulnerable to variable substitution injection. If an attacker can modify the .env file, they could inject values that reference other environment variables using the syntax that os.ExpandEnv would process when the deployment.yaml is loaded. While the .env file itself should be protected, consider documenting that:

1. The .env file should have restricted permissions (0600)
2. The .env file should not be committed to version control
3. In production, use proper secret management instead of .env files

Additionally, consider validating that keys don't contain suspicious patterns before setting them.

[Copilot]

Pull request overview

Copilot reviewed 29 out of 29 changed files in this pull request and generated 7 comments.

[Copilot]

The Helm chart configuration uses "${THUNDER_CRYPTO_ENC_KEY}" which will be expanded by the Go application at runtime via os.ExpandEnv(). However, the Helm chart's deployment template (templates/thunder-deployment.yaml) doesn't configure any environment variables or secrets for the pod.

To make this work in Kubernetes deployments, you need to either:

1. Add documentation on how users should create and mount a Kubernetes Secret containing THUNDER_CRYPTO_ENC_KEY
2. Include a Secret template in the Helm chart and wire it up to the deployment
3. Add an env or envFrom section in the deployment template to source the encryption key from a Secret

Example addition to templates/thunder-deployment.yaml:

env:
  - name: THUNDER_CRYPTO_ENC_KEY
    valueFrom:
      secretKeyRef:
        name: thunder-secrets
        key: encryption-key

Suggested change

	# Crypto secret configuration for Kubernetes deployments.
	# If enabled, the deployment template should mount the secret as an environment variable.
	cryptoSecret:
	enabled: false
	# Name of the Kubernetes Secret containing the encryption key.
	secretName: thunder-secrets
	# Key in the secret that contains the encryption key value.
	secretKey: encryption-key
	# If enabled, the deployment template should set the THUNDER_CRYPTO_ENC_KEY environment variable from this secret.

[Copilot]

[nitpick] The error at line 75 logs "failed to decode encryption key from config" which could expose that an invalid hex string was provided. While the actual key value isn't logged (which is good), consider whether this log message could be used for information disclosure in a security context.

The current implementation is acceptable since:

1. The actual key value is not logged
2. The error message is generic
3. This is only logged during initialization, not during runtime operations

However, ensure debug mode doesn't log the config value elsewhere in the codebase.

[Copilot]

The OpenChoreo Helm chart adds a crypto.encrypt.key configuration in values.yaml, but the corresponding template file (templates/thunder-component.yaml) is not being updated in this PR to use this value. This means the encryption key configuration won't be applied when deploying with the OpenChoreo Helm chart.

Either:

1. Include the template file changes in this PR to wire up the encryption key, or
2. Document in the PR that OpenChoreo Helm chart support will be added in a follow-up PR

[Copilot]

The .env file containing the encryption key is created without explicitly setting restrictive file permissions. While the user's umask may provide some protection, it's a security best practice to explicitly set restrictive permissions (e.g., 0600) on files containing secrets.

Consider adding after line 673:

chmod 600 "$local_secrets_file"

And after line 686:

chmod 600 "$secrets_file"

This ensures the encryption key file is only readable by the owner, regardless of the system's umask settings.

[Copilot]

Similar to the bash script, the PowerShell script creates the .env file without explicitly setting restrictive file permissions. In Windows, consider using ACLs to restrict access to the file.

After line 1069, consider adding:

$acl = Get-Acl $local_secrets_file
$acl.SetAccessRuleProtection($true, $false)
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($env:USERNAME, "FullControl", "Allow")
$acl.SetAccessRule($accessRule)
Set-Acl $local_secrets_file $acl

This ensures only the current user can access the encryption key file.

[Copilot]

Pull request overview

Copilot reviewed 29 out of 29 changed files in this pull request and generated 6 comments.

Comments suppressed due to low confidence (1)

backend/tests/resources/testKey:1

• [nitpick] The test key file backend/tests/resources/testKey has been deleted (shown by the diff removing the only line). However, multiple test files in the notification package were referencing this file path and have been updated to use hardcoded keys instead.

Verify that:

1. There are no other tests or code that might still reference this deleted file
2. The hardcoded test keys in the updated test files are appropriate for testing purposes and don't contain actual production keys

The change appears intentional and correct based on the test file updates, but it's worth double-checking for any missed references.

[Copilot]

The test name TestNon32 is unclear and doesn't follow naming conventions. The test is validating that key sizes of 16 and 24 bytes (128-bit and 192-bit AES keys) work correctly, but the name doesn't convey this meaning.

Consider renaming to TestEncryptDecryptWithNon256BitKeys or TestEncryptDecryptWith128And192BitKeys to make the purpose clear.

Suggested change

	func (suite *EncryptionTestSuite) TestNon32() {
	func (suite *EncryptionTestSuite) TestEncryptDecryptWith128And192BitKeys() {

[Copilot]

The README documentation entry for configuration.crypto.encrypt.key (line 170) simply says "See values.yaml" which is not very helpful for users. The documentation should explain:

1. That this is a 64-character hexadecimal string representing a 256-bit AES key
2. How to generate a secure key (e.g., using openssl rand -hex 32)
3. That in Kubernetes deployments, this should be stored in a Secret and referenced via environment variable
4. The relationship between the values.yaml setting and the THUNDER_CRYPTO_ENC_KEY environment variable

Consider adding a more detailed explanation or a link to a security configuration guide.

Suggested change

| `configuration.crypto.encrypt.key` | Encryption key for cryptography | See values.yaml |

| `configuration.crypto.encrypt.key` | **Required.** 64-character hexadecimal string (256-bit AES key) used for encryption. <br>Generate securely with `openssl rand -hex 32`. <br>**Kubernetes:** Store in a Secret and reference via the `THUNDER_CRYPTO_ENC_KEY` environment variable. <br>If both are set, the environment variable takes precedence over the value in `values.yaml`. | _None (must be set)_ |

[Copilot]

[nitpick] The resetSingleton function (lines 337-340) modifies package-level variables instance and once which are not exported. This function is only used in tests, but it's defined in the test file and accesses unexported package variables. While this works in Go when the test is in the same package, it creates a tight coupling between the test and implementation.

Consider whether this reset functionality should be:

1. Exported as a public function for testing purposes (e.g., ResetForTesting())
2. Or kept as-is with a comment explaining it's a test-only helper that requires same-package access

The current implementation is functional but could benefit from documentation clarifying its purpose and scope.

[Copilot]

[nitpick] The call to encrypt.GetEncryptionService() on line 74 will panic if the encryption key is not properly configured (as per the implementation in service.go line 57). While this is intentional to prevent the server from starting with invalid configuration, the panic is not caught or logged before propagating up, which could result in an unclear error message.

Consider adding error handling here to provide a more user-friendly error message before the panic occurs, or document that this is intentional fail-fast behavior for critical configuration.

[Copilot]

The test TestLoadEnv_FileNotFound (lines 741-745) expects an error when the .env file doesn't exist, but in the actual application code in main.go (line 131-132), a missing .env file causes a Fatal error, terminating the application. This inconsistency between test expectations and production behavior could lead to confusion.

If the .env file is intended to be optional (as a fallback when environment variables aren't set), the production code should handle missing files gracefully, not fatally. The test should align with the intended production behavior.

[Copilot]

The LoadEnv function only sets environment variables if they don't already exist (line 292), which is good for security. However, there's a potential security issue: values with spaces are trimmed on line 282 (value := strings.TrimSpace(parts[1])), which could unintentionally modify secrets that legitimately have leading/trailing whitespace.

Consider only trimming spaces before quote removal, not after. The trimming should handle the case where there are spaces around quotes (e.g., KEY = "value"), but preserve intentional whitespace within the value itself.

Suggested change

	// Remove surrounding quotes if present
	// Remove surrounding quotes if present, but do not trim after removing quotes

[senthalan]

In the implementation, can we support reading the configurations from the environment variable as a generic feature rather than implementing it to support crypto.encrypt.key. This way, other secrets (for example DB password) in the configuration file can also use this.

We can follow the pattern we have used in the #478 to indicate that the value should be read from the environment variable. Can you sync with @rajithacharith

Introducing a file based mechanism to read environment variables via a file (.env).

Regarding supporting this (.env), I don't think won't be used in production deployment. So do we need to provide this support.