Add vault variable provider

Signed-off-by: Ryan Levick <[email protected]>
fermyon · Jul 29, 2024 · 947b720 · 947b720
1 parent 1a97874
commit 947b720
Show file tree

Hide file tree

Showing 4 changed files with 62 additions and 0 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/factor-variables/Cargo.toml b/crates/factor-variables/Cargo.toml
@@ -13,6 +13,7 @@ spin-world = { path = "../world" }
 tokio = { version = "1", features = ["rt-multi-thread"] }
 toml = "0.8"
 tracing = { workspace = true }
+vaultrs = "0.6.2"
 
 [dev-dependencies]
 spin-factors-test = { path = "../factors-test" }

diff --git a/crates/factor-variables/src/spin_cli/mod.rs b/crates/factor-variables/src/spin_cli/mod.rs
@@ -2,11 +2,13 @@
 
 mod env;
 mod statik;
+mod vault;
 
 use serde::Deserialize;
 use spin_expressions::Provider;
 use spin_factors::anyhow;
 use statik::StaticVariablesProvider;
+use vault::VaultVariablesProvider;
 
 use crate::runtime_config::RuntimeConfig;
 
@@ -30,6 +32,8 @@ pub fn runtime_config_from_toml(table: &toml::Table) -> anyhow::Result<Option<Ru
 pub enum VariableProviderConfiguration {
     /// A static provider of variables.
     Static(StaticVariablesProvider),
+    /// A provider that uses HashiCorp Vault.
+    Vault(VaultVariablesProvider),
     /// An environment variable provider.
     Env(env::EnvVariablesConfig),
 }
@@ -44,6 +48,7 @@ impl VariableProviderConfiguration {
                 |s| std::env::var(s),
                 config.dotenv_path,
             )),
+            VariableProviderConfiguration::Vault(provider) => Box::new(provider),
         }
     }
 }
diff --git a/crates/factor-variables/src/spin_cli/vault.rs b/crates/factor-variables/src/spin_cli/vault.rs
@@ -0,0 +1,55 @@
+use serde::{Deserialize, Serialize};
+use spin_expressions::async_trait::async_trait;
+use spin_factors::anyhow::{self, Context as _};
+use tracing::{instrument, Level};
+use vaultrs::{
+    client::{VaultClient, VaultClientSettingsBuilder},
+    error::ClientError,
+    kv2,
+};
+
+use spin_expressions::{Key, Provider};
+
+#[derive(Debug, Default, Deserialize)]
+#[serde(deny_unknown_fields)]
+/// A config Provider that uses HashiCorp Vault.
+pub struct VaultVariablesProvider {
+    /// The URL of the Vault server.
+    url: String,
+    /// The token to authenticate with.
+    token: String,
+    /// The mount point of the KV engine.
+    mount: String,
+    /// The optional prefix to use for all keys.
+    #[serde(default)]
+    prefix: Option<String>,
+}
+
+#[async_trait]
+impl Provider for VaultVariablesProvider {
+    #[instrument(name = "spin_variables.get_from_vault", skip(self), err(level = Level::INFO), fields(otel.kind = "client"))]
+    async fn get(&self, key: &Key) -> anyhow::Result<Option<String>> {
+        let client = VaultClient::new(
+            VaultClientSettingsBuilder::default()
+                .address(&self.url)
+                .token(&self.token)
+                .build()?,
+        )?;
+        let path = match &self.prefix {
+            Some(prefix) => format!("{}/{}", prefix, key.as_str()),
+            None => key.as_str().to_string(),
+        };
+
+        #[derive(Deserialize, Serialize)]
+        struct Secret {
+            value: String,
+        }
+        match kv2::read::<Secret>(&client, &self.mount, &path).await {
+            Ok(secret) => Ok(Some(secret.value)),
+            // Vault doesn't have this entry so pass along the chain
+            Err(ClientError::APIError { code: 404, .. }) => Ok(None),
+            // Other Vault error so bail rather than looking elsewhere
+            Err(e) => Err(e).context("Failed to check Vault for config"),
+        }
+    }
+}