Add initial Portal version

src/app/api/tenants/[name]/secrets/route.ts

@@ -0,0 +1,100 @@
+import { NextRequest, NextResponse } from "next/server";
+import { auth } from "@/lib/auth";
+import { getTenant } from "@/lib/k8s";
+import { writePackageSecrets } from "@/lib/openbao";
+import { getPackageDef } from "@/lib/packages";
+
+export async function POST(
+  req: NextRequest,
+  { params }: { params: Promise<{ name: string }> }
+) {
+  const session = await auth();
+  if (!session?.user) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+
+  const { name } = await params;
+  const { orgId, roles } = session.user as any;
+  const userRoles = roles || [];
+
+  const isPlatform = userRoles.some((r: string) =>
+    ["platform_admin", "platform_operator"].includes(r)
+  );
+
+  if (!isPlatform && !userRoles.includes("owner")) {
+    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+  }
+
+  const body = await req.json();
+  const { packageId, secrets } = body as {
+    packageId: string;
+    secrets: Record<string, string>;
+  };
+
+  if (!packageId || !secrets || typeof secrets !== "object") {
+    return NextResponse.json(
+      { error: "Missing packageId or secrets" },
+      { status: 400 }
+    );
+  }
+
+  // Validate package exists and requires secrets
+  const pkgDef = getPackageDef(packageId);
+  if (!pkgDef) {
+    return NextResponse.json(
+      { error: "Unknown package" },
+      { status: 400 }
+    );
+  }
+  if (!pkgDef.requiresSecrets) {
+    return NextResponse.json(
+      { error: "Package does not require secrets" },
+      { status: 400 }
+    );
+  }
+
+  // Verify all required secret keys are present
+  const requiredKeys = (pkgDef.secrets || []).map((s) => s.key);
+  const missingKeys = requiredKeys.filter((k) => !secrets[k]?.trim());
+  if (missingKeys.length > 0) {
+    return NextResponse.json(
+      { error: `Missing required secrets: ${missingKeys.join(", ")}` },
+      { status: 400 }
+    );
+  }
+
+  // Verify tenant ownership
+  try {
+    const tenant = await getTenant(name);
+    if (!tenant) {
+      return NextResponse.json(
+        { error: "Tenant not found" },
+        { status: 404 }
+      );
+    }
+    if (
+      !isPlatform &&
+      tenant.metadata?.labels?.["zitadel-org-id"] !== orgId
+    ) {
+      return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+    }
+  } catch (e: any) {
+    return NextResponse.json(
+      { error: "Tenant lookup failed" },
+      { status: e.statusCode || 500 }
+    );
+  }
+
+  // Write to OpenBao
+  try {
+    await writePackageSecrets(name, packageId, secrets);
+  } catch (err: any) {
+    console.error("OpenBao write error:", err.message);
+    return NextResponse.json(
+      { error: "Failed to store secrets" },
+      { status: 500 }
+    );
+  }
+
+  return NextResponse.json({ ok: true });
+}