Vault Support (GSI-973)

.devcontainer/.dev_config.yaml

@@ -2,6 +2,9 @@ service_instance_id: "1"
 token_hashes:
 # plaintext token: 43fadc91-b98f-4925-bd31-1b054b13dc55
 - 7ad83b6b9183c91674eec897935bc154ba9ff9704f8be0840e77f476b5062b6e
+vault_token: "dev-token"
+vault_url: "http://vault:8200"
+vault_path: sms
 db_connection_str: mongodb://mongodb:27017
 db_prefix: "test_"
 db_permissions:

.devcontainer/devcontainer.json

@@ -52,7 +52,8 @@
 				"visualstudioexptteam.vscodeintellicode",
 				"ymotongpoo.licenser",
 				"charliermarsh.ruff",
-				"ms-python.mypy-type-checker"
+				"ms-python.mypy-type-checker",
+				"-ms-python.autopep8"
 			]
 		}
 	},
@@ -71,4 +72,4 @@
 		// details can be found here: https://github.com/devcontainers/features/tree/main/src/docker-outside-of-docker
 		"ghcr.io/devcontainers/features/docker-outside-of-docker:1": {}
 	}
-}
+}

.pre-commit-config.yaml

@@ -45,13 +45,13 @@ repos:
       - id: no-commit-to-branch
         args: [--branch, dev, --branch, int, --branch, main]
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.6.2
+    rev: v0.7.0
     hooks:
       - id: ruff
         args: [--fix, --exit-non-zero-on-fix]
       - id: ruff-format
   - repo: https://github.com/pre-commit/mirrors-mypy
-    rev: v1.11.1
+    rev: v1.13.0
     hooks:
       - id: mypy
         args: [--no-warn-unused-ignores]

.pyproject_generation/pyproject_custom.toml

@@ -1,11 +1,12 @@
 [project]
 name = "sms"
-version = "1.3.1"
+version = "1.4.0"
 description = "State Management Service - Provides a REST API for basic infrastructure technology state management."
 dependencies = [
     "typer >= 0.12",
     "ghga-service-commons[api] >= 3.1",
     "hexkit[mongodb,s3,akafka] >= 3.5",
+    "hvac>=2",
 ]
 
 [project.urls]

README.md

@@ -24,21 +24,21 @@ We recommend using the provided Docker container.
 
 A pre-build version is available at [docker hub](https://hub.docker.com/repository/docker/ghga/state-management-service):
 ```bash
-docker pull ghga/state-management-service:1.3.1
+docker pull ghga/state-management-service:1.4.0
 ```
 
 Or you can build the container yourself from the [`./Dockerfile`](./Dockerfile):
 ```bash
 # Execute in the repo's root dir:
-docker build -t ghga/state-management-service:1.3.1 .
+docker build -t ghga/state-management-service:1.4.0 .
 ```
 
 For production-ready deployment, we recommend using Kubernetes, however,
 for simple use cases, you could execute the service using docker
 on a single server:
 ```bash
 # The entrypoint is preconfigured:
-docker run -p 8080:8080 ghga/state-management-service:1.3.1 --help
+docker run -p 8080:8080 ghga/state-management-service:1.4.0 --help
 ```
 
 If you prefer not to use containers, you may install the service from source:
@@ -125,6 +125,41 @@ The service requires the following configuration parameters:
 
   - **Additional properties**: Refer to *[#/$defs/S3ObjectStorageNodeConfig](#%24defs/S3ObjectStorageNodeConfig)*.
 
+- **`vault_url`** *(string, required)*: URL for the Vault.
+
+
+  Examples:
+
+  ```json
+  "http://vault:8200"
+  ```
+
+
+- **`vault_token`** *(string, required)*: Token for the Vault.
+
+
+  Examples:
+
+  ```json
+  "dev-token"
+  ```
+
+
+- **`vault_path`** *(string, required)*: Path for the Vault.
+
+
+  Examples:
+
+  ```json
+  "sms"
+  ```
+
+
+  ```json
+  "ekss"
+  ```
+
+
 - **`token_hashes`** *(array, required)*: List of token hashes corresponding to the tokens that can be used to authenticate calls to this service. Hashes are made with SHA-256.
 
   - **Items** *(string)*

config_schema.json

@@ -188,6 +188,31 @@
       "title": "Object Storages",
       "type": "object"
     },
+    "vault_url": {
+      "description": "URL for the Vault",
+      "examples": [
+        "http://vault:8200"
+      ],
+      "title": "Vault Url",
+      "type": "string"
+    },
+    "vault_token": {
+      "description": "Token for the Vault",
+      "examples": [
+        "dev-token"
+      ],
+      "title": "Vault Token",
+      "type": "string"
+    },
+    "vault_path": {
+      "description": "Path for the Vault",
+      "examples": [
+        "sms",
+        "ekss"
+      ],
+      "title": "Vault Path",
+      "type": "string"
+    },
     "token_hashes": {
       "description": "List of token hashes corresponding to the tokens that can be used to authenticate calls to this service. Hashes are made with SHA-256.",
       "examples": [
@@ -411,6 +436,9 @@
     "service_instance_id",
     "kafka_servers",
     "object_storages",
+    "vault_url",
+    "vault_token",
+    "vault_path",
     "token_hashes",
     "db_prefix",
     "db_connection_str"

example_config.yaml

@@ -46,4 +46,7 @@ service_instance_id: '1'
 service_name: sms
 token_hashes:
 - 7ad83b6b9183c91674eec897935bc154ba9ff9704f8be0840e77f476b5062b6e
+vault_path: sms
+vault_token: dev-token
+vault_url: http://vault:8200
 workers: 1