feat(secrets): add HashiCorp Vault as first-class premade secret source

Adds three Vault entries: hashicorp-vault (KV v2), hashicorp-vault-kv1 (KV v1), and vault (short alias). Uses VAULT_ADDR for server address and VAULT_MOUNT env var for configurable mount path (defaults to 'secret'). Refs #776 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-06-10 16:03:54 -07:00 · 2026-03-05 08:41:04 +00:00
parent e4c156e7b0
commit 7f895304f4
3 changed files with 63 additions and 5 deletions
@@ -199,9 +199,10 @@ inputs:
    required: false
    description:
      '[Orchestrator] Premade secret source for pulling build secrets. Supported values: aws-secrets-manager,
-      aws-parameter-store, gcp-secret-manager, azure-key-vault, env. Can also be a custom shell command
-      with {0} placeholder for the key, or a path to a YAML file defining custom sources.
-      Takes precedence over inputPullCommand when set.'
+      aws-parameter-store, gcp-secret-manager, azure-key-vault, hashicorp-vault, hashicorp-vault-kv1,
+      vault (alias for hashicorp-vault), env. Can also be a custom shell command with {0} placeholder
+      for the key, or a path to a YAML file defining custom sources. Takes precedence over
+      inputPullCommand when set.'
  resourceTracking:
    default: 'false'
    required: false
@@ -44,8 +44,20 @@ describe('SecretSourceService', () => {
      expect(SecretSourceService.isPremadeSource('azure-key-vault')).toBe(true);
    });

+    it('should return true for hashicorp-vault', () => {
+      expect(SecretSourceService.isPremadeSource('hashicorp-vault')).toBe(true);
+    });
+
+    it('should return true for hashicorp-vault-kv1', () => {
+      expect(SecretSourceService.isPremadeSource('hashicorp-vault-kv1')).toBe(true);
+    });
+
+    it('should return true for vault (short alias)', () => {
+      expect(SecretSourceService.isPremadeSource('vault')).toBe(true);
+    });
+
    it('should return false for unknown source', () => {
-      expect(SecretSourceService.isPremadeSource('hashicorp-vault')).toBe(false);
+      expect(SecretSourceService.isPremadeSource('unknown-source')).toBe(false);
    });
  });

@@ -56,7 +68,10 @@ describe('SecretSourceService', () => {
      expect(sources).toContain('aws-parameter-store');
      expect(sources).toContain('gcp-secret-manager');
      expect(sources).toContain('azure-key-vault');
-      expect(sources.length).toBeGreaterThanOrEqual(5);
+      expect(sources).toContain('hashicorp-vault');
+      expect(sources).toContain('hashicorp-vault-kv1');
+      expect(sources).toContain('vault');
+      expect(sources.length).toBeGreaterThanOrEqual(8);
    });
  });

@@ -266,5 +281,24 @@ sources:
      const source = SecretSourceService.resolveSource('azure-key-vault')!;
      expect(source.command).toContain('$AZURE_VAULT_NAME');
    });
+
+    it('hashicorp-vault uses vault kv get with VAULT_MOUNT', () => {
+      const source = SecretSourceService.resolveSource('hashicorp-vault')!;
+      expect(source.command).toContain('vault kv get');
+      expect(source.command).toContain('VAULT_MOUNT');
+      expect(source.command).toContain('-field=value');
+    });
+
+    it('hashicorp-vault-kv1 uses vault read for KV v1', () => {
+      const source = SecretSourceService.resolveSource('hashicorp-vault-kv1')!;
+      expect(source.command).toContain('vault read');
+      expect(source.command).toContain('-field=value');
+    });
+
+    it('vault alias resolves to same command as hashicorp-vault', () => {
+      const vault = SecretSourceService.resolveSource('vault')!;
+      const hashicorpVault = SecretSourceService.resolveSource('hashicorp-vault')!;
+      expect(vault.command).toBe(hashicorpVault.command);
+    });
  });
 });
@@ -20,6 +20,8 @@ export interface SecretSourceDefinition {
 *   - `aws-parameter-store` — AWS Systems Manager Parameter Store
 *   - `gcp-secret-manager` — Google Cloud Secret Manager
 *   - `azure-key-vault` — Azure Key Vault (requires AZURE_VAULT_NAME env var)
+ *   - `hashicorp-vault` — HashiCorp Vault KV v2 (requires VAULT_ADDR, optionally VAULT_MOUNT)
+ *   - `hashicorp-vault-kv1` — HashiCorp Vault KV v1 (requires VAULT_ADDR, optionally VAULT_MOUNT)
 *   - `env` — Read from environment variables (no shell command needed)
 *
 * Custom YAML format:
@@ -59,6 +61,27 @@ export class SecretSourceService {
      command: 'az keyvault secret show --vault-name "$AZURE_VAULT_NAME" --name {0} --query value --output tsv',
      parseOutput: 'raw',
    },
+    'hashicorp-vault': {
+      // HashiCorp Vault KV v2 (default). Requires VAULT_ADDR env var.
+      // Optionally set VAULT_MOUNT to override the mount path (default: 'secret').
+      // Authentication is handled by VAULT_TOKEN or other Vault auth env vars.
+      name: 'hashicorp-vault',
+      command: 'vault kv get -mount="${VAULT_MOUNT:-secret}" -field=value {0}',
+      parseOutput: 'raw',
+    },
+    'hashicorp-vault-kv1': {
+      // HashiCorp Vault KV v1. Requires VAULT_ADDR env var.
+      // Optionally set VAULT_MOUNT to override the mount path (default: 'secret').
+      name: 'hashicorp-vault-kv1',
+      command: 'vault read -mount="${VAULT_MOUNT:-secret}" -field=value {0}',
+      parseOutput: 'raw',
+    },
+    'vault': {
+      // Short alias for hashicorp-vault (KV v2)
+      name: 'vault',
+      command: 'vault kv get -mount="${VAULT_MOUNT:-secret}" -field=value {0}',
+      parseOutput: 'raw',
+    },
  };

  /**