
Commit d5e5c51

erangi-arThirunayan22erangi-arnuwangeek
authored
Secure llm keys with encryption before saving in the vault (buerokratt#210)
* updated docker compose ec2 * integrate streaming endpoint with test production connection page * formatted response with markdown * fe logic for the encryption * vault secret update after fixing issues * fixed formatting issue * integration with be * update cron manager vault script * tested integration of vault security update * fix security issues * creation success model changes * clean vite config generated files * production inference display logic change * fixed requested issue --------- Co-authored-by: Thiru Dinesh <56014038+Thirunayan22@users.noreply.github.com> Co-authored-by: Thiru Dinesh <thiru.dinesh@rootcodelabs.com> Co-authored-by: erangi-ar <erangika.ariyasena@rootcode.io> Co-authored-by: nuwangeek <charith.bimsara@rootcode.io> Co-authored-by: Charith Nuwan Bimsara <59943919+nuwangeek@users.noreply.github.com>
1 parent 27f3d91 commit d5e5c51


21 files changed

+2771
-233
lines changed


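--- a/.gitignore
+++ b/.gitignore
@@ -10,6 +10,10 @@ logs/
 data_sets
 vault/agent-out
 
+# RSA Private Keys - DO NOT COMMIT
+vault/keys/rsa_private_key.pem
+vault/keys/*.pem.old
+
 # Snyk Security Extension - AI Rules (auto-generated)
 .github/instructions/snyk_rules.instructions.md
 # Dynamically created Ruuter health endpoint for tests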
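Review bot: The two added patterns match only `vault/keys/rsa_private_key.pem` and `vault/keys/*.pem.old`, so a private key written to that directory under any other name would still be committable. A broader rule such as `vault/keys/*.pem`, followed by a `!` negation line for the public key if that file is meant to be tracked, would close that gap. An ignore rule also does not untrack a file that was committed earlier, so it is worth confirming that no key is already in history.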

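--- a/DSL/CronManager/script/delete_secrets_from_vault.sh
+++ b/DSL/CronManager/script/delete_secrets_from_vault.sh
@@ -6,8 +6,9 @@
 set -e # Exit on any error
 
 # Configuration
-VAULT_ADDR="${VAULT_ADDR:-http://vault:8200}"
-VAULT_TOKEN_FILE="/agent/out/token"
+# Use VAULT_AGENT_URL which points to vault-agent-cron proxy
+# The agent automatically injects the authentication token
+VAULT_ADDR="${VAULT_AGENT_URL:-http://vault-agent-cron:8203}"
 
 # Logging function
 log() {
@@ -24,20 +25,9 @@ log " llmModel: $llmModel"
 log " embeddingModel: $embeddingModel"
 log " embeddingPlatform: $embeddingPlatform"
 log " deploymentEnvironment: $deploymentEnvironment"
+log " Vault Address: $VAULT_ADDR"
 
-# Read vault token
-if [ ! -f "$VAULT_TOKEN_FILE" ]; then
-log "ERROR: Vault token file not found at $VAULT_TOKEN_FILE"
-exit 1
-fi
-
-VAULT_TOKEN=$(cat "$VAULT_TOKEN_FILE")
-if [ -z "$VAULT_TOKEN" ]; then
-log "ERROR: Vault token is empty"
-exit 1
-fi
-
-log "Vault token loaded successfully"
+# Note: No token required - vault agent proxy automatically injects authentication
 
 # Function to determine platform name
 get_platform_name() {
@@ -65,7 +55,7 @@ build_vault_path() {
 local platform_name=$2
 local model_name=$3
 
-if [ "$deploymentEnvironment" = "test" ]; then
+if [ "$deploymentEnvironment" = "testing" ]; then
 echo "secret/$secret_type/connections/$platform_name/$deploymentEnvironment/$connectionId"
 else
 echo "secret/$secret_type/connections/$platform_name/$deploymentEnvironment/$model_name"
@@ -90,9 +80,9 @@ delete_vault_secret() {
 
 # Delete secret data
 log "Deleting secret data..."
+# No X-Vault-Token header needed - vault agent proxy auto-injects it
 local data_response=$(curl -s -w "HTTPSTATUS:%{http_code}" \
 -X DELETE \
--H "X-Vault-Token: $VAULT_TOKEN" \
 "$VAULT_ADDR/v1/$data_path")
 
 local data_http_code=$(echo "$data_response" | grep -o "HTTPSTATUS:[0-9]*" | cut -d: -f2)
@@ -108,9 +98,9 @@ delete_vault_secret() {
 
 # Delete secret metadata
 log "Deleting secret metadata..."
+# No X-Vault-Token header needed - vault agent proxy auto-injects it
 local metadata_response=$(curl -s -w "HTTPSTATUS:%{http_code}" \
 -X DELETE \
--H "X-Vault-Token: $VAULT_TOKEN" \
 "$VAULT_ADDR/v1/$metadata_path")
 
 local metadata_http_code=$(echo "$metadata_response" | grep -o "HTTPSTATUS:[0-9]*" | cut -d: -f2)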
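Review bot: The vault-agent-cron listener is now the only access control for these deletes. Both `curl -X DELETE` calls in delete_vault_secret go out without `X-Vault-Token`, to a default address that is plain `http://` on port 8203. Any process able to reach that listener would presumably have the same token injected, so the listener should be reachable only from the cron container. If the agent configuration (not part of this section) permits, it should also set `require_request_header = true`, with the script adding `-H "X-Vault-Request: true" \` to both calls. Separately, a `VAULT_ADDR` set in the environment is now silently ignored in favour of `VAULT_AGENT_URL`, and the comment above that assignment should say so; delete_vault_secret's body starts and ends outside the hunks shown.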
