Encryption: Refactor secrets.Service initialization (#51091)

* Encryption: Refactor secrets.Service initialization

pkg/services/kmsproviders/osskmsproviders/osskmsproviders.go

@@ -24,10 +24,6 @@ func ProvideService(enc encryption.Internal, settings setting.Provider, features
 }
 
 func (s Service) Provide() (map[secrets.ProviderID]secrets.Provider, error) {
-	if s.features.IsEnabled(featuremgmt.FlagDisableEnvelopeEncryption) {
-		return nil, nil
-	}
-
 	return map[secrets.ProviderID]secrets.Provider{
 		kmsproviders.Default: grafana.New(s.settings, s.enc),
 	}, nil

pkg/services/secrets/manager/manager.go

@@ -34,7 +34,10 @@ type SecretsService struct {
 	mtx          sync.Mutex
 	dataKeyCache *dataKeyCache
 
+	pOnce               sync.Once
 	providers           map[secrets.ProviderID]secrets.Provider
+	kmsProvidersService kmsproviders.Service
+
 	currentProviderID secrets.ProviderID
 
 	log log.Logger
@@ -48,46 +51,56 @@ func ProvideSecretsService(
 	features featuremgmt.FeatureToggles,
 	usageStats usagestats.Service,
 ) (*SecretsService, error) {
-	providers, err := kmsProvidersService.Provide()
+	ttl := settings.KeyValue("security.encryption", "data_keys_cache_ttl").MustDuration(15 * time.Minute)
-	if err != nil {
-		return nil, err
-	}
 
-	logger := log.New("secrets")
-	enabled := !features.IsEnabled(featuremgmt.FlagDisableEnvelopeEncryption)
 	currentProviderID := kmsproviders.NormalizeProviderID(secrets.ProviderID(
 		settings.KeyValue("security", "encryption_provider").MustString(kmsproviders.Default),
 	))
 
-	if _, ok := providers[currentProviderID]; enabled && !ok {
-		return nil, fmt.Errorf("missing configuration for current encryption provider %s", currentProviderID)
-	}
-
-	if !enabled && currentProviderID != kmsproviders.Default {
-		logger.Warn("Changing encryption provider requires enabling envelope encryption feature")
-	}
-
-	logger.Info("Envelope encryption state", "enabled", enabled, "current provider", currentProviderID)
-
-	ttl := settings.KeyValue("security.encryption", "data_keys_cache_ttl").MustDuration(15 * time.Minute)
-
 	s := &SecretsService{
 		store:               store,
 		enc:                 enc,
 		settings:            settings,
 		usageStats:          usageStats,
-		providers:         providers,
+		kmsProvidersService: kmsProvidersService,
 		dataKeyCache:        newDataKeyCache(ttl),
 		currentProviderID:   currentProviderID,
 		features:            features,
-		log:               logger,
+		log:                 log.New("secrets"),
 	}
 
+	enabled := !features.IsEnabled(featuremgmt.FlagDisableEnvelopeEncryption)
+
+	if enabled {
+		err := s.InitProviders()
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	if _, ok := s.providers[currentProviderID]; enabled && !ok {
+		return nil, fmt.Errorf("missing configuration for current encryption provider %s", currentProviderID)
+	}
+
+	if !enabled && currentProviderID != kmsproviders.Default {
+		s.log.Warn("Changing encryption provider requires enabling envelope encryption feature")
+	}
+
+	s.log.Info("Envelope encryption state", "enabled", enabled, "current provider", currentProviderID)
+
 	s.registerUsageMetrics()
 
 	return s, nil
 }
 
+func (s *SecretsService) InitProviders() (err error) {
+	s.pOnce.Do(func() {
+		s.providers, err = s.kmsProvidersService.Provide()
+	})
+
+	return
+}
+
 func (s *SecretsService) registerUsageMetrics() {
 	s.usageStats.RegisterMetricsFunc(func(context.Context) (map[string]interface{}, error) {
 		usageMetrics := make(map[string]interface{})