Support Vault Provider for Secrets #540

Open
heurtematte wants to merge 3 commits into eclipse-csi:feat/hashicorp-vault-support from heurtematte:main

@heurtematte
Contributor

Support Vault Provider in addition to Pass and Bitwarden.

e.g.:

    orgs.newOrgSecret('REPO3_TOKEN_PASSWORD') {
      value: "vault:technology.cbi/repo3.eclipse.org/token-password",
    },
    orgs.newOrgSecret('REPO3_TOKEN_USERNAME') {
      value: "vault:technology.cbi/repo3.eclipse.org/token-username",
    },

@netomi netomi self-requested a review December 17, 2025 08:47
netomi previously approved these changes Dec 17, 2025
@netomi
Member

netomi commented Dec 19, 2025

This fixes #196

@lukpueh
Contributor

lukpueh commented Jan 7, 2026

FYI, in a different project I created a signing abstraction for Vault, and tested it against a real vault instance: secure-systems-lab/securesystemslib#800

If we want tests that go beyond mocking, we could take inspiration from that setup. Should I open a ticket?

@netomi
Member

netomi commented Jan 14, 2026

So I can't really test right now as I don't have access to a vault instance.

If you provide such a local setup @lukpueh I could review this PR.

@lukpueh
Contributor

lukpueh commented Jan 14, 2026

> So I can't really test right now as I don't have access to a vault instance.
>
> If you provide such a local setup @lukpueh I could review this PR.

The referenced setup creates a local vault instance on the fly. So everyone (devs, CI) can run it...

I'll start with a ticket and put the implementation in my backlog. :)

@heurtematte
Contributor Author

If needed, I have created a specific mount point named "test" in our internal secrets manager and granted you access to test this feature out. You will need to override the default mount point, which is "cbi".

@heurtematte
Contributor Author

What is the status of this PR? Let me know if you need help to test it.

@mbarbero
Contributor

@kairoaraujo , @lukpueh , could you please look into adding this to the next sprint release?

@kairoaraujo
Contributor

@heurtematte can you solve the conflict? I will do a final round on this PR.

@heurtematte
Contributor Author

done!

kairoaraujo previously approved these changes Feb 11, 2026
Contributor

@kairoaraujo kairoaraujo left a comment

@heurtematte it is good to merge, only the poetry.lock config.

Signed-off-by: sebastien.heurtematte <[email protected]>
Signed-off-by: sebastien.heurtematte <[email protected]>
Signed-off-by: sebastien.heurtematte <[email protected]>
@heurtematte
Contributor Author

I’ve just fixed the errors reported by Prek. It would be worth taking another look.

@heurtematte
Contributor Author

How did you test this feature? As far as I can see, you don’t currently have access to the secrets manager.

@kairoaraujo
Contributor

Hi @heurtematte,

On top of your branch, I’ve started adding support for the development environment (this is how I’m currently testing the implementation):
https://github.com/eclipse-csi/otterdog/compare/main...kairoaraujo:otterdog:hashicorp-vault-support?expand=1

If you agree, I think we should continue this work in a separate feature branch.
Before including it in an Otterdog release, I believe we should improve a few things:

  • Provide a user guide explaining how to operate Otterdog with Vault.
  • Review some small (nit) hardcoded defaults that make sense for EF, but could be made more flexible and generic.

Let me know what you think.

@heurtematte
Contributor Author

@kairoaraujo makes sense. Let me know when the branch is ready.

@heurtematte heurtematte changed the base branch from main to feat/hashicorp-vault-support February 12, 2026 08:45