control-service: make kv store configurable (#3422)

Allow the configuration of the KV store name for Vault

---------

Signed-off-by: Dako Dakov <ddakov@vmware.com>

Author: dakodakov

projects/control-service/projects/helm_charts/pipelines-control-service/templates/_helpers.tpl

@@ -186,6 +186,8 @@ Generate default Vault configuration.
 URI: {{ default "http://localhost:8200" .Values.secrets.vault.uri | b64enc | quote }}
 ROLEID: {{ default "root" .Values.secrets.vault.approle.roleid | b64enc | quote }}
 SECRETID: {{ default "root" .Values.secrets.vault.approle.secretid | b64enc | quote }}
+KVSTORE: {{ default "secret" .Values.secrets.vault.kvstore | b64enc | quote }}
+KVSTOREMETA: {{ default "secret/metadata/" .Values.secrets.vault.kvstoremeta | b64enc | quote }}
 {{- end -}}
 
 {{/*

projects/control-service/projects/helm_charts/pipelines-control-service/templates/deployment.yaml

@@ -374,6 +374,16 @@ spec:
                 secretKeyRef:
                   name: {{ .Values.secrets.vault.externalSecretName | default (include "pipelines-control-service.vaultSecretName" . ) }}
                   key: SECRETID
+            - name: VDK_VAULT_KVSTORE
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.secrets.vault.externalSecretName | default (include "pipelines-control-service.vaultSecretName" . ) }}
+                  key: KVSTORE
+            - name: VDK_VAULT_KVSTOREMETA
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.secrets.vault.externalSecretName | default (include "pipelines-control-service.vaultSecretName" . ) }}
+                  key: KVSTOREMETA
             - name: DATAJOBS_VAULT_SIZE_LIMIT_BYTES
               value: "{{ .Values.secrets.vault.sizeLimitBytes }}"
             {{- end }}

projects/control-service/projects/helm_charts/pipelines-control-service/values.yaml

@@ -1267,3 +1267,7 @@ secrets:
           roleid: foo
           secretid: foo
       sizeLimitBytes: "1048576"
+      ## name of the key-value store to use
+      kvstore: "secret"
+      ## location of the key-value store metadata, usually at "<kv store name>/metadata/"
+      kvstoremeta: "secret/metadata/"

projects/control-service/projects/pipelines_control_service/src/main/java/com/vmware/taurus/secrets/service/vault/VaultJobSecretsService.java

@@ -33,8 +33,11 @@ public class VaultJobSecretsService implements com.vmware.taurus.secrets.service
 
   //  package private so it can be used in tests
   static final int VAULT_SIZE_LIMIT_DEFAULT = 1048576; // 1 MB
-  private static final String SECRET = "secret";
-  public static final String METADATA_PATH = "secret/metadata/";
+
+  @Value("${vdk.vault.kvstore:secret}")
+  String kvStore;
+  @Value("${vdk.vault.kvstoremeta:secret/metadata/}")
+  String kvStoreMeta;
   public static final String TEAM_OAUTH_CREDENTIALS = "team-oauth-credentials";
 
   @Value("${datajobs.vault.size.limit.bytes}")
@@ -60,7 +63,7 @@ public void updateJobSecrets(String teamName, String jobName, Map<String, Object
     String secretKey = getJobSecretKey(teamName, jobName);
 
     Versioned<VaultJobSecrets> readResponse =
-        vaultOperations.opsForVersionedKeyValue(SECRET).get(secretKey, VaultJobSecrets.class);
+        vaultOperations.opsForVersionedKeyValue(kvStore).get(secretKey, VaultJobSecrets.class);
 
     VaultJobSecrets vaultJobSecrets;
 
@@ -90,7 +93,7 @@ public void updateJobSecrets(String teamName, String jobName, Map<String, Object
 
     vaultJobSecrets.setSecretsJson(updatedSecretsString);
 
-    vaultOperations.opsForVersionedKeyValue(SECRET).put(secretKey, vaultJobSecrets);
+    vaultOperations.opsForVersionedKeyValue(kvStore).put(secretKey, vaultJobSecrets);
   }
 
   @Override
@@ -101,7 +104,7 @@ public Map<String, Object> readJobSecrets(String teamName, String jobName)
     String secretKey = getJobSecretKey(teamName, jobName);
 
     Versioned<VaultJobSecrets> readResponse =
-        vaultOperations.opsForVersionedKeyValue(SECRET).get(secretKey, VaultJobSecrets.class);
+        vaultOperations.opsForVersionedKeyValue(kvStore).get(secretKey, VaultJobSecrets.class);
 
     VaultJobSecrets vaultJobSecrets;
 
@@ -127,7 +130,7 @@ public void updateTeamOauthCredentials(String teamName, String clientId, String
     VaultTeamCredentials teamCredentials =
         new VaultTeamCredentials(teamName, clientId, clientSecret);
 
-    vaultOperations.opsForVersionedKeyValue(SECRET).put(secretKey, teamCredentials);
+    vaultOperations.opsForVersionedKeyValue(kvStore).put(secretKey, teamCredentials);
     clientIdToTeamIdCache.put(teamCredentials.getClientId(), teamName);
     teamIdToCredentialsCache.put(teamName, teamCredentials);
   }
@@ -142,7 +145,7 @@ public VaultTeamCredentials readTeamOauthCredentials(String teamName) {
 
       Versioned<VaultTeamCredentials> readResponse =
           vaultOperations
-              .opsForVersionedKeyValue(SECRET)
+              .opsForVersionedKeyValue(kvStore)
               .get(secretKey, VaultTeamCredentials.class);
 
       if (readResponse != null && readResponse.hasData()) {
@@ -163,7 +166,7 @@ public String getTeamIdForClientId(String clientId) {
     } else {
       // Search through all team entries in Vault
       try {
-        var response = vaultOperations.list(METADATA_PATH);
+        var response = vaultOperations.list(kvStoreMeta);
         if (response != null) {
           for (String teamId : response) {
             teamId = StringUtils.removeEnd(teamId, "/");

projects/control-service/projects/pipelines_control_service/src/main/resources/application.properties

@@ -348,6 +348,8 @@ vdk.vault.uri=http://localhost:8200/v1/
 vdk.vault.approle.roleid=
 vdk.vault.approle.secretid=
 vdk.vault.token=
+vdk.vault.kvstore=secret
+vdk.vault.kvstoremeta=secret/metadata/
 datajobs.vault.size.limit.bytes=1048576
 
 datajobs.jfrog.artifactory.url=${JFROG_ARTIFACTORY_URL:}

projects/control-service/projects/pipelines_control_service/src/test/java/com/vmware/taurus/secrets/vault/VaultJobSecretsServiceTest.java

@@ -7,6 +7,7 @@
 
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.vmware.taurus.ControlplaneApplication;
+import com.vmware.taurus.authorization.webhook.AuthorizationBody;
 import com.vmware.taurus.exception.DataJobSecretsException;
 import com.vmware.taurus.exception.DataJobSecretsSizeLimitException;
 import com.vmware.taurus.exception.DataJobTeamSecretsException;
@@ -16,13 +17,15 @@
 import org.apache.commons.lang3.RandomStringUtils;
 import org.hamcrest.CoreMatchers;
 import org.junit.Assert;
+import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.InjectMocks;
 import org.mockito.Mock;
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.test.context.TestPropertySource;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
+import org.springframework.test.util.ReflectionTestUtils;
 import org.springframework.vault.core.VaultTemplate;
 import org.springframework.vault.core.VaultVersionedKeyValueOperations;
 import org.springframework.vault.support.Versioned;
@@ -31,7 +34,6 @@
 import java.util.List;
 import java.util.Map;
 
-import static com.vmware.taurus.secrets.service.vault.VaultJobSecretsService.METADATA_PATH;
 import static com.vmware.taurus.secrets.service.vault.VaultJobSecretsService.TEAM_OAUTH_CREDENTIALS;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertNotEquals;
@@ -47,16 +49,26 @@
 @TestPropertySource(
     properties = {
       "datajobs.vault.size.limit.bytes=1048576",
+      "vdk.vault.kvstore=secret",
+      "vdk.vault.kvstoremeta=secret/metadata/",
     })
 class VaultJobSecretsServiceTest {
 
   private static final String SECRET = "secret";
+  private static final String SECRET_META = "secret/metadata/";
 
   @Mock private VaultTemplate vaultTemplate;
   @Mock private VaultVersionedKeyValueOperations vaultOperations;
 
   @InjectMocks private VaultJobSecretsService secretsService;
 
+  @BeforeEach
+  public void setUp() {
+    ReflectionTestUtils.setField(secretsService, "kvStore", "secret");
+    ReflectionTestUtils.setField(secretsService, "kvStoreMeta", "secret/metadata/");
+  }
+
+
   @Test
   void testUpdateJobSecrets() throws JsonProcessingException {
     String jobName = "testJob";
@@ -268,7 +280,7 @@ void testGetTeamIdForClientId() {
     String secretKey = teamName + "/" + TEAM_OAUTH_CREDENTIALS;
     Versioned<VaultTeamCredentials> readResponse = Versioned.create(expectedCredentials);
 
-    when(vaultTemplate.list(METADATA_PATH)).thenReturn(List.of(teamName));
+    when(vaultTemplate.list(SECRET_META)).thenReturn(List.of(teamName));
     when(vaultTemplate.opsForVersionedKeyValue(SECRET)).thenReturn(vaultOperations);
     when(vaultOperations.get(secretKey, VaultTeamCredentials.class)).thenReturn(readResponse);
 
@@ -294,7 +306,7 @@ void testGetTeamIdForNonExistentClientId() {
     String nonExistentClientId = "nonExistentClient";
 
     when(vaultTemplate.opsForVersionedKeyValue(SECRET)).thenReturn(vaultOperations);
-    when(vaultOperations.list("secret/metadata/")).thenReturn(List.of("team1"));
+    when(vaultOperations.list(SECRET_META)).thenReturn(List.of("team1"));
     when(vaultOperations.get("secret/oauth/team1")).thenReturn(null);
 
     String result = secretsService.getTeamIdForClientId(nonExistentClientId);