feat: decrypt env vars in CTRL workflow before passing to Krane (#4453)

* feat: add environment variables db schema and queries

* fix db query

* feat: add SecretsConfig proto for encrypted env vars

* [autofix.ci] apply automated fixes

* feat: dashboard UI for environment variables management

* fix comment and rename file

* fix file export name

* Remove unnecessary comments from add-env-vars

* add toasts for environment variable operations

* [autofix.ci] apply automated fixes

* fix: add try/catch error handling to env var mutations

* unfmt file

* [autofix.ci] apply automated fixes

* feat: decrypt env vars in CTRL workflow before passing to Krane

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Andreas Thomas <[email protected]>

Author: 3 people

go/apps/ctrl/run.go

@@ -105,8 +105,6 @@ func Run(ctx context.Context, cfg Config) error {
 			return fmt.Errorf("unable to create vault service: %w", err)
 		}
 	}
-	// make go happy
-	_ = vaultSvc
 
 	// Initialize database
 	database, err := db.New(db.Config{
@@ -237,6 +235,7 @@ func Run(ctx context.Context, cfg Config) error {
 		Krane:         kraneDeploymentClient,
 		BuildClient:   buildService,
 		DefaultDomain: cfg.DefaultDomain,
+		Vault:         vaultSvc,
 	})))
 
 	restateSrv.Bind(hydrav1.NewRoutingServiceServer(routing.New(routing.Config{

go/apps/ctrl/services/deployment/create_deployment.go

@@ -13,6 +13,7 @@ import (
 	hydrav1 "github.com/unkeyed/unkey/go/gen/proto/hydra/v1"
 	"github.com/unkeyed/unkey/go/pkg/db"
 	"github.com/unkeyed/unkey/go/pkg/uid"
+	"google.golang.org/protobuf/encoding/protojson"
 	"google.golang.org/protobuf/proto"
 )
 
@@ -52,6 +53,26 @@ func (s *Service) CreateDeployment(
 			fmt.Errorf("failed to lookup environment: %w", err))
 	}
 
+	// Fetch environment variables and build secrets blob
+	envVars, err := db.Query.FindEnvironmentVariablesByEnvironmentId(ctx, s.db.RO(), env.ID)
+	if err != nil {
+		return nil, connect.NewError(connect.CodeInternal,
+			fmt.Errorf("failed to fetch environment variables: %w", err))
+	}
+
+	secretsConfig := &ctrlv1.SecretsConfig{
+		Secrets: make(map[string]string, len(envVars)),
+	}
+	for _, ev := range envVars {
+		secretsConfig.Secrets[ev.Key] = ev.Value
+	}
+
+	secretsBlob, err := protojson.Marshal(secretsConfig)
+	if err != nil {
+		return nil, connect.NewError(connect.CodeInternal,
+			fmt.Errorf("failed to marshal secrets config: %w", err))
+	}
+
 	// Get git branch name for the deployment
 	gitBranch := req.Msg.GetBranch()
 	if gitBranch == "" {
@@ -143,6 +164,7 @@ func (s *Service) CreateDeployment(
 		}`),
 		OpenapiSpec:              sql.NullString{String: "", Valid: false},
 		GatewayConfig:            env.GatewayConfig,
+		SecretsConfig:            secretsBlob,
 		Status:                   db.DeploymentsStatusPending,
 		CreatedAt:                now,
 		UpdatedAt:                sql.NullInt64{Int64: now, Valid: true},

go/apps/ctrl/workflows/deploy/deploy_handler.go

@@ -14,8 +14,10 @@ import (
 	ctrlv1 "github.com/unkeyed/unkey/go/gen/proto/ctrl/v1"
 	hydrav1 "github.com/unkeyed/unkey/go/gen/proto/hydra/v1"
 	kranev1 "github.com/unkeyed/unkey/go/gen/proto/krane/v1"
+	vaultv1 "github.com/unkeyed/unkey/go/gen/proto/vault/v1"
 	"github.com/unkeyed/unkey/go/pkg/db"
 	"github.com/unkeyed/unkey/go/pkg/uid"
+	"google.golang.org/protobuf/encoding/protojson"
 	"google.golang.org/protobuf/proto"
 )
 
@@ -112,6 +114,29 @@ func (w *Workflow) Deploy(ctx restate.ObjectContext, req *hydrav1.DeployRequest)
 		return nil, err
 	}
 
+	// Unmarshal secrets config to get environment variables
+	var secretsConfig ctrlv1.SecretsConfig
+	if len(deployment.SecretsConfig) > 0 {
+		if err = protojson.Unmarshal(deployment.SecretsConfig, &secretsConfig); err != nil {
+			return nil, fmt.Errorf("failed to unmarshal secrets config: %w", err)
+		}
+	}
+
+	// Decrypt environment variables using the workspace's keyring
+	decryptedEnvVars := make(map[string]string, len(secretsConfig.GetSecrets()))
+	if w.vault != nil {
+		for key, encryptedValue := range secretsConfig.GetSecrets() {
+			decrypted, decryptErr := w.vault.Decrypt(ctx, &vaultv1.DecryptRequest{
+				Keyring:   deployment.WorkspaceID,
+				Encrypted: encryptedValue,
+			})
+			if decryptErr != nil {
+				return nil, fmt.Errorf("failed to decrypt env var %s: %w", key, decryptErr)
+			}
+			decryptedEnvVars[key] = decrypted.GetPlaintext()
+		}
+	}
+
 	_, err = restate.Run(ctx, func(stepCtx restate.RunContext) (restate.Void, error) {
 		// Create deployment request
 
@@ -123,6 +148,7 @@ func (w *Workflow) Deploy(ctx restate.ObjectContext, req *hydrav1.DeployRequest)
 				Replicas:      1,
 				CpuMillicores: 512,
 				MemorySizeMib: 512,
+				EnvVars:       decryptedEnvVars,
 			},
 		}))
 		if err != nil {

go/apps/ctrl/workflows/deploy/service.go

@@ -6,6 +6,7 @@ import (
 	"github.com/unkeyed/unkey/go/gen/proto/krane/v1/kranev1connect"
 	"github.com/unkeyed/unkey/go/pkg/db"
 	"github.com/unkeyed/unkey/go/pkg/otel/logging"
+	"github.com/unkeyed/unkey/go/pkg/vault"
 )
 
 const hardcodedNamespace = "unkey"
@@ -27,6 +28,7 @@ type Workflow struct {
 	krane         kranev1connect.DeploymentServiceClient
 	buildClient   ctrlv1connect.BuildServiceClient
 	defaultDomain string
+	vault         *vault.Service
 }
 
 var _ hydrav1.DeploymentServiceServer = (*Workflow)(nil)
@@ -47,6 +49,9 @@ type Config struct {
 
 	// DefaultDomain is the apex domain for generated deployment URLs (e.g., "unkey.app").
 	DefaultDomain string
+
+	// Vault provides encryption/decryption services for secrets.
+	Vault *vault.Service
 }
 
 // New creates a new deployment workflow instance.
@@ -58,5 +63,6 @@ func New(cfg Config) *Workflow {
 		krane:                                cfg.Krane,
 		buildClient:                          cfg.BuildClient,
 		defaultDomain:                        cfg.DefaultDomain,
+		vault:                                cfg.Vault,
 	}
 }