feat(infra): add Spring Cloud Vault secrets management (STA-219) (#236)

* feat(infra): add Spring Cloud Vault secrets management across all services (STA-219)

Integrate HashiCorp Vault via Spring Cloud Vault 5.0.1 for centralised
secrets management. Vault is opt-in (app.vault.enabled=false by default)
so existing env-var workflow and all tests continue to work unchanged.

- Add spring-cloud-starter-vault-config to platform-infra
- Add VaultConfig with @ConditionalOnProperty toggle (matchIfMissing=false)
- Add optional:vault:// ConfigData import to all 10 service application.yml
- Configure KV v2 backend with per-service and shared (application) contexts
- Add vault-init Docker Compose service that seeds dev secrets on startup
- Add init-vault.sh script seeding DB creds, API keys, JWT keys per service

Closes STA-219

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(infra): add spring.cloud.vault.enabled=false to all integration test configs

Fixes duplicate YAML key errors in CI where integration test application.yml
files that already had spring.cloud.stream conflicted with the new
spring.cloud.vault block from the main application.yml.

Also explicitly disables Vault in all IT configs to prevent connection
attempts in CI where no Vault instance is running.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(infra): default Vault scheme to HTTPS and remove dev token fallback (STA-219)

Addresses CodeRabbit review: scheme defaults to HTTPS for production safety,
token has no fallback to prevent accidental auth with dev-root-token.
Local dev sets VAULT_SCHEME=http and VAULT_TOKEN=dev-root-token via docker-compose.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: Puneethkumarck

api-gateway-iam/api-gateway-iam/src/main/resources/application-integration-test.yml

@@ -25,6 +25,8 @@ spring:
       port: 6379
 
   cloud:
+    vault:
+      enabled: false
     stream:
       kafka:
         binder:

api-gateway-iam/api-gateway-iam/src/main/resources/application.yml

@@ -2,6 +2,27 @@ spring:
   application:
     name: api-gateway-iam
 
+  config:
+    import: optional:vault://
+
+  cloud:
+    vault:
+      enabled: ${app.vault.enabled:false}
+      host: ${VAULT_HOST:localhost}
+      port: ${VAULT_PORT:8200}
+      scheme: ${VAULT_SCHEME:https}
+      authentication: TOKEN
+      token: ${VAULT_TOKEN:}
+      kv:
+        enabled: true
+        backend: secret
+        default-context: application
+    stream:
+      kafka:
+        binder:
+          brokers: ${KAFKA_BROKERS:localhost:9092}
+          auto-create-topics: false
+
   datasource:
     url: ${DB_URL:jdbc:postgresql://localhost:5432/s10_api_gateway_iam}
     username: ${DB_USER:sp_user}
@@ -47,13 +68,6 @@ spring:
       key-deserializer: org.apache.kafka.common.serialization.StringDeserializer
       value-deserializer: org.apache.kafka.common.serialization.StringDeserializer
 
-  cloud:
-    stream:
-      kafka:
-        binder:
-          brokers: ${KAFKA_BROKERS:localhost:9092}
-          auto-create-topics: false
-
 app:
   idempotency:
     ttl-hours: 24

blockchain-custody/blockchain-custody/src/integration-test/resources/application-integration-test.yml

@@ -1,4 +1,7 @@
 spring:
+  cloud:
+    vault:
+      enabled: false
   main:
     allow-bean-definition-overriding: true
   jpa:

blockchain-custody/blockchain-custody/src/main/resources/application.yml

@@ -2,6 +2,22 @@ spring:
   application:
     name: blockchain-custody
 
+  config:
+    import: optional:vault://
+
+  cloud:
+    vault:
+      enabled: ${app.vault.enabled:false}
+      host: ${VAULT_HOST:localhost}
+      port: ${VAULT_PORT:8200}
+      scheme: ${VAULT_SCHEME:https}
+      authentication: TOKEN
+      token: ${VAULT_TOKEN:}
+      kv:
+        enabled: true
+        backend: secret
+        default-context: application
+
   datasource:
     url: ${DB_URL:jdbc:postgresql://localhost:5432/s4_blockchain_custody}
     username: ${DB_USER:dev}

compliance-travel-rule/compliance-travel-rule/src/integration-test/resources/application-integration-test.yml

@@ -1,4 +1,7 @@
 spring:
+  cloud:
+    vault:
+      enabled: false
   main:
     allow-bean-definition-overriding: true
   jpa:

compliance-travel-rule/compliance-travel-rule/src/main/resources/application.yml

@@ -2,6 +2,32 @@ spring:
   application:
     name: compliance-travel-rule
 
+  config:
+    import: optional:vault://
+
+  cloud:
+    vault:
+      enabled: ${app.vault.enabled:false}
+      host: ${VAULT_HOST:localhost}
+      port: ${VAULT_PORT:8200}
+      scheme: ${VAULT_SCHEME:https}
+      authentication: TOKEN
+      token: ${VAULT_TOKEN:}
+      kv:
+        enabled: true
+        backend: secret
+        default-context: application
+    stream:
+      kafka:
+        binder:
+          brokers: ${KAFKA_BROKERS:localhost:9092}
+          auto-create-topics: false
+      bindings:
+        compliance-result-out-0:
+          destination: compliance.result
+        sanctions-hit-out-0:
+          destination: sanctions.hit
+
   datasource:
     url: ${DB_URL:jdbc:postgresql://localhost:5432/s2_compliance}
     username: ${DB_USER:sp_user}
@@ -36,18 +62,6 @@ spring:
       key-serializer: org.apache.kafka.common.serialization.StringSerializer
       value-serializer: org.springframework.kafka.support.serializer.JsonSerializer
 
-  cloud:
-    stream:
-      kafka:
-        binder:
-          brokers: ${KAFKA_BROKERS:localhost:9092}
-          auto-create-topics: false
-      bindings:
-        compliance-result-out-0:
-          destination: compliance.result
-        sanctions-hit-out-0:
-          destination: sanctions.hit
-
 namastack:
   outbox:
     poll-interval: 2000

docker-compose.dev.yml

@@ -193,6 +193,23 @@ services:
       timeout: 5s
       retries: 10
 
+  # ─────────────────────────────────────────────
+  # Vault init — seeds KV v2 secrets for local dev
+  # ─────────────────────────────────────────────
+  vault-init:
+    image: hashicorp/vault:latest
+    container_name: sp-vault-init
+    depends_on:
+      vault:
+        condition: service_healthy
+    environment:
+      VAULT_ADDR: http://vault:8200
+      VAULT_TOKEN: dev-root-token
+    volumes:
+      - ./infra/local/vault/init-vault.sh:/vault/init-vault.sh
+    entrypoint: ["/bin/sh", "/vault/init-vault.sh"]
+    restart: "no"
+
   # ─────────────────────────────────────────────
   # Mailhog — captures outbound email (replaces SendGrid in dev)
   # ─────────────────────────────────────────────

fiat-off-ramp/fiat-off-ramp/src/integration-test/resources/application-integration-test.yml

@@ -1,4 +1,7 @@
 spring:
+  cloud:
+    vault:
+      enabled: false
   main:
     allow-bean-definition-overriding: true
   jpa:

fiat-off-ramp/fiat-off-ramp/src/main/resources/application.yml

@@ -2,6 +2,34 @@ spring:
   application:
     name: fiat-off-ramp
 
+  config:
+    import: optional:vault://
+
+  cloud:
+    vault:
+      enabled: ${app.vault.enabled:false}
+      host: ${VAULT_HOST:localhost}
+      port: ${VAULT_PORT:8200}
+      scheme: ${VAULT_SCHEME:https}
+      authentication: TOKEN
+      token: ${VAULT_TOKEN:}
+      kv:
+        enabled: true
+        backend: secret
+        default-context: application
+    stream:
+      kafka:
+        binder:
+          brokers: ${KAFKA_BROKERS:localhost:9092}
+          auto-create-topics: false
+      bindings:
+        fiat-payout-initiated-out-0:
+          destination: fiat.payout.initiated
+        fiat-payout-completed-out-0:
+          destination: fiat.payout.completed
+        fiat-payout-failed-out-0:
+          destination: fiat.payout.failed
+
   datasource:
     url: ${DB_URL:jdbc:postgresql://localhost:5432/s5_fiat_off_ramp}
     username: ${DB_USER:sp_user}
@@ -36,20 +64,6 @@ spring:
       key-serializer: org.apache.kafka.common.serialization.StringSerializer
       value-serializer: org.springframework.kafka.support.serializer.JsonSerializer
 
-  cloud:
-    stream:
-      kafka:
-        binder:
-          brokers: ${KAFKA_BROKERS:localhost:9092}
-          auto-create-topics: false
-      bindings:
-        fiat-payout-initiated-out-0:
-          destination: fiat.payout.initiated
-        fiat-payout-completed-out-0:
-          destination: fiat.payout.completed
-        fiat-payout-failed-out-0:
-          destination: fiat.payout.failed
-
 namastack:
   outbox:
     poll-interval: 2000

fiat-on-ramp/fiat-on-ramp/src/integration-test/resources/application-integration-test.yml

@@ -1,4 +1,7 @@
 spring:
+  cloud:
+    vault:
+      enabled: false
   main:
     allow-bean-definition-overriding: true
   jpa: