feat(secrets): add HashiCorp Vault as first-class premade secret source

Adds three Vault entries: hashicorp-vault (KV v2), hashicorp-vault-kv1
(KV v1), and vault (short alias). Uses VAULT_ADDR for server address and
VAULT_MOUNT env var for configurable mount path (defaults to 'secret').

Refs #776

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
frostebite
2026-03-05 08:41:04 +00:00
parent e4c156e7b0
commit 7f895304f4
3 changed files with 63 additions and 5 deletions
@@ -20,6 +20,8 @@ export interface SecretSourceDefinition {
* - `aws-parameter-store` — AWS Systems Manager Parameter Store
* - `gcp-secret-manager` — Google Cloud Secret Manager
* - `azure-key-vault` — Azure Key Vault (requires AZURE_VAULT_NAME env var)
* - `hashicorp-vault` — HashiCorp Vault KV v2 (requires VAULT_ADDR, optionally VAULT_MOUNT)
* - `hashicorp-vault-kv1` — HashiCorp Vault KV v1 (requires VAULT_ADDR, optionally VAULT_MOUNT)
* - `env` — Read from environment variables (no shell command needed)
*
* Custom YAML format:
@@ -59,6 +61,27 @@ export class SecretSourceService {
command: 'az keyvault secret show --vault-name "$AZURE_VAULT_NAME" --name {0} --query value --output tsv',
parseOutput: 'raw',
},
'hashicorp-vault': {
// HashiCorp Vault KV v2 (default). Requires VAULT_ADDR env var.
// Optionally set VAULT_MOUNT to override the mount path (default: 'secret').
// Authentication is handled by VAULT_TOKEN or other Vault auth env vars.
name: 'hashicorp-vault',
command: 'vault kv get -mount="${VAULT_MOUNT:-secret}" -field=value {0}',
parseOutput: 'raw',
},
'hashicorp-vault-kv1': {
// HashiCorp Vault KV v1. Requires VAULT_ADDR env var.
// Optionally set VAULT_MOUNT to override the mount path (default: 'secret').
name: 'hashicorp-vault-kv1',
command: 'vault read -mount="${VAULT_MOUNT:-secret}" -field=value {0}',
parseOutput: 'raw',
},
'vault': {
// Short alias for hashicorp-vault (KV v2)
name: 'vault',
command: 'vault kv get -mount="${VAULT_MOUNT:-secret}" -field=value {0}',
parseOutput: 'raw',
},
};
/**
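Review bot: The `hashicorp-vault-kv1` entry passes `-mount` to `vault read`, but as far as I know that flag belongs to the `vault kv` subcommands and `vault read` expects the full path, so this command is likely to fail at runtime. Something like `command: 'vault read -field=value "${VAULT_MOUNT:-secret}"/{0}',` would match the CLI, as would reusing `vault kv get`, which also serves KV v1 mounts. In all three new entries `{0}` goes into the shell command unquoted, following the Azure entry above. The substitution code is outside this hunk, so if it does not validate or escape the key name, shell metacharacters in a key would be interpreted by the shell; the name should be restricted to a safe character set before substitution. `-field=value` also assumes every secret keeps its payload under a field named `value`, which deserves a line in the entry comments, and the enclosing object literal starts before the hunk.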