From af95eefa7b097bedb0e1680926745d34d7bab397 Mon Sep 17 00:00:00 2001 From: Michael Quigley Date: Mon, 16 Jun 2025 14:16:23 -0400 Subject: [PATCH] bootstrap secrets identity (#968) --- controller/bootstrap.go | 43 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) diff --git a/controller/bootstrap.go b/controller/bootstrap.go index 8a03ea96..6d98993e 100644 --- a/controller/bootstrap.go +++ b/controller/bootstrap.go @@ -51,6 +51,10 @@ func Bootstrap(bootCfg *BootstrapConfig, ctrlCfg *config.Config) error { return err } + if err := assertSecretsListener(bootCfg, ctrlCfg, env, edge); err != nil { + return err + } + if err := assertZrokProxyConfigType(edge); err != nil { return err } 
@@ -102,6 +106,45 @@ func assertFrontendIdentity(cfg *BootstrapConfig, env env_core.Root, edge *rest_ return nil } +func assertSecretsListener(bCfg *BootstrapConfig, ctrlCfg *config.Config, env env_core.Root, edge *rest_management_api_client.ZitiEdgeManagement) error { + if !bCfg.SkipSecretsListener || ctrlCfg == nil || ctrlCfg.Secrets == nil { + logrus.Info("bootstrapping secrets listener") + + if ctrlCfg.Secrets.ServiceName == "" { + return errors.New("no secrets service name provided") + } + + var secretsZId string + var err error + if ctrlCfg.Secrets.IdentityPath == "" || ctrlCfg.Secrets.ZId == "" { + logrus.Warnf("no secrets identity path or ziti id provided; allocating a new identity") + + secretsZId, err = bootstrapIdentity("secrets", edge) + if err != nil { + return errors.Wrap(err, "error bootstrapping secrets identity") + } + logrus.Infof("created secrets identity '%v' (configure this into the 'secrets > z_id' field in the controller config)", secretsZId) + + } else { + logrus.Infof("asserting existing secrets identity '%v'", ctrlCfg.Secrets.ZId) + + if err := assertIdentity(ctrlCfg.Secrets.ZId, edge); err != nil { + return errors.Wrapf(err, "error asserting existing secrets identity '%v'", ctrlCfg.Secrets.ZId) + } + secretsZId = ctrlCfg.Secrets.ZId + logrus.Infof("asserted secrets identity '%v'", ctrlCfg.Secrets.ZId) + } + + if err := assertErpForIdentity("secrets", secretsZId, edge); err != nil { + return errors.Wrapf(err, "error asserting erp for secrets identity (secrets) '%v'", secretsZId) + } + + } else { + logrus.Warnf("skipping secrets listener bootstrap") + } + return nil +} + func assertZrokProxyConfigType(edge *rest_management_api_client.ZitiEdgeManagement) error { filter := fmt.Sprintf("name=\"%v\"", sdk.ZrokProxyConfig) limit := int64(100)
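Review bot: The guard at the top of assertSecretsListener uses `||`, so a nil `ctrlCfg` or nil `ctrlCfg.Secrets` enters the branch and is dereferenced on the very next line (`ctrlCfg.Secrets.ServiceName`), which panics the controller during bootstrap instead of returning an error; the nil checks as written only ever make things worse, never protect. The clearer shape is an early return for the skip flag and an explicit error when the secrets config is absent, which also removes the trailing `else`. The `env` parameter is accepted but never read in this function, presumably for symmetry with assertFrontendIdentity; if it stays unused, a short comment saying so would help. assertSecretsListener is complete within the hunk; the trailing context belongs to assertZrokProxyConfigType, which continues outside it.
```go
func assertSecretsListener(bCfg *BootstrapConfig, ctrlCfg *config.Config, env env_core.Root, edge *rest_management_api_client.ZitiEdgeManagement) error {
	if bCfg.SkipSecretsListener {
		logrus.Warnf("skipping secrets listener bootstrap")
		return nil
	}
	// a missing secrets section is an error, not a reason to skip; dereferencing it would panic
	if ctrlCfg == nil || ctrlCfg.Secrets == nil {
		return errors.New("no secrets configuration provided; cannot bootstrap secrets listener")
	}
	logrus.Info("bootstrapping secrets listener")

	if ctrlCfg.Secrets.ServiceName == "" {
		return errors.New("no secrets service name provided")
	}
	// … unchanged: identity allocation or assertion, then assertErpForIdentity …
	return nil
}
```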