hasura · karthikvt26 · Jan 24, 2025 · Jan 7, 2025 · Jan 13, 2025 · Jan 13, 2025
diff --git a/.gitignore b/.gitignore
@@ -4,3 +4,5 @@ testsecret
 testsecretJson
 iam_db_secret
 main
+*.secret
+k_config.yaml
diff --git a/README.md b/README.md
@@ -4,6 +4,7 @@
 
 - [Architecture](#architecture)
 - [Deployment](#deployment)
+  - [Deployment Modes](#deployment-modes)
 - [Configuration](#configuration)
 - Provider types:
   - [proxy_awsm_oauth](#proxy_awsm_oauth)
@@ -117,6 +118,12 @@ The secrets from file provider type should also be mounted to the specified loca
 `kubectl exec -it <hasura_pod_id> -c secrets-management-proxy -- sh`
 Once you are into the shell, try doing `cat secret/dbsecret.txt`. This should fetch you the templatised secret from your secret manager.
 
+### Deployment Modes
+
+Hasura secret refresher can be deployed as a sidecar or an init container. The purposes of each are as follows
+1. Init Container (initcontainer) - for initialization purposes like fetching secrets from external sources and exit
+2. Sidecar (sidecar) - for assisting the main container for its lifetime
+
 ## Configuration
 The Secrets Proxy requires a configuration file which contains configuration for secrets manager integration and other directives.
 

diff --git a/config.yaml b/config.yaml
@@ -49,7 +49,7 @@ aws_iam_auth_rds:
   region: "ap-south-1"
   db_name: "postgres"
   db_user: "karthikvt26_iam"
-  db_host: "rds-hasura12a42cb.cdaicbsap2wa.ap-south-1.rds.amazonaws.com"
+  db_host: "rds-hasura510778c.cdaicbsap2wa.ap-south-1.rds.amazonaws.com"
   db_port: 5432
   path: /home/karthikv/Work/hasura-dev/pgproxy/token_file
 

diff --git a/main.go b/main.go
@@ -20,6 +20,13 @@ const (
 	ConfigFileCliFlagDescription = "path to config file"
 )
 
+type DeploymentType string
+
+const (
+	InitContainer DeploymentType = "initcontainer"
+	Sidecar       DeploymentType = "sidecar"
+)
+
 const (
 	aws_secrets_manager = "proxy_aws_secrets_manager"
 	aws_sm_oauth        = "proxy_awssm_oauth"
@@ -47,7 +54,7 @@ func main() {
 
 	conf := viper.GetViper().AllSettings()
 
-	config, fileProviders, err := parseConfig(conf, logger)
+	config, fileProviders, deploymentType, err := parseConfig(conf, logger)
 	if err != nil {
 		initLogger.Fatal().Err(err).Msg("Unable to parse config file")
 	}
@@ -57,6 +64,26 @@ func main() {
 	logger.Info().Msgf("%d providers initialized: %d file provider, %d http provider",
 		totalProviders, len(fileProviders), len(config.Providers),
 	)
+
+	// if the type is init container, then we need to identify the last execution status to mark
+	// whether we are done with fileProvider or not?
+	// init-container cannot be used to detect loading of proxy based secret
+	// retriever
+	if deploymentType == InitContainer {
+		// Just run the refresh method and if anything fails, exit
+		for _, p := range fileProviders {
+			err := p.Refresh()
+			if err != nil {
+				// os.Exit() or something
+				logger.Err(err).Msg("Encountered an error while loading secrets from configured file providers")
+				os.Exit(1)
+			}
+		}
+		logger.Info().Msg("Loaded all secrets into file")
+		os.Exit(0)
+		// Exit gracefully
+	}
+
 	for _, p := range fileProviders {
 		go p.Start()
 	}
@@ -94,10 +121,22 @@ func getLogLevel(level string, logger zerolog.Logger) zerolog.Level {
 	}
 }
 
-func parseConfig(rawConfig map[string]interface{}, logger zerolog.Logger) (config server.Config, fileProviders []provider.FileProvider, err error) {
+func parseConfig(rawConfig map[string]interface{}, logger zerolog.Logger) (config server.Config, fileProviders []provider.FileProvider, deploymentType DeploymentType, err error) {
 	config.Providers = make(map[string]provider.HttpProvider)
 	fileProviders = make([]provider.FileProvider, 0, 0)
 	for k, v := range rawConfig {
+		if k == "type" {
+			t := v.(string)
+			switch t {
+			case "initcontainer":
+				deploymentType = InitContainer
+			case "sidecar":
+				deploymentType = Sidecar
+			default:
+				err = fmt.Errorf("Unknown deployment type '%s'", t)
+				return
+			}
+		}
 		if k == "log_config" || k == "refresh_config" {
 			continue
 		}