ilmarkerm

Signed-off-by: Ilmar Kerm [email protected]

Support HashiCorp Vault secret store for database credentials.

📌 Description

This is a first release for supporting HashiCorp Vault for database login credentials. The first release supports connecting to Vault Proxy via a Unix socket and fetching secrets from key-value stores.

✅ Checklist

  • [ ✅ ] Code builds and runs locally
  • [ ✅ ] Tests have been added/updated (if applicable)
  • [ ✅ ] Documentation has been updated (if applicable)
  • [ ✅ ] Follows project coding style and conventions
  • [ ✅ ] Signed the Oracle Contributor Agreement (OCA) to contribute to this project

🔗 Related Issue

#397

First edition of HashiCorp Vault support
oracle-contributor-agreement bot added the "OCA Verified" label (All contributors have signed the Oracle Contributor Agreement.) on Oct 10, 2025
Connects client to Vault backend, need to handle different connection methods in the future
*/
promLogConfig := &promslog.Config{}
logger := promslog.New(promLogConfig)
Member

Please use the provided *slog.Logger; if necessary, move logging statements higher in the stack or pass the *slog.Logger down the stack.

Member

If not possible, what you're doing is fine.


result := map[string]string{}
var err error
if mountType == "kvv2" || mountType == "kvv1" {
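Review bot: at the `mountType == "kvv2" || mountType == "kvv1"` check, the visible lines start `result` as an empty map and do not show what happens for any other `mountType`. If no else branch follows, return an explicit error for an unrecognised type so that a typo in the configuration cannot come back as an empty credential map with a nil error. The two literals would also be easier to keep consistent as named constants shared with the configuration parsing.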
Member

Is there a Vault const for these?

Author

No, these are just strings I made up. Vault has multiple plugins to handle secrets, "kvv1" and "kvv2" are the simplest key-value secret stores. I'll also soon work on adding the "database" secret store type. They all need slightly different SDK calls.

@@ -0,0 +1,53 @@
package hashivault
Member

If this is an integration test, it must live in another package/project - otherwise go test of this project will fail when the user doesn't have an external vault.

Author

Sure, I'll remove it.

@anders-swanson
Member

See comments, mainly formatting. Could you modify the Vault test to use a stand-in or remove it?

@anders-swanson
Member

And thank you for the contribution!

Some style fixes based on PR comments
@anders-swanson
Member

This is all looking good, except for the test file. If you could either add a HashiVault stand-in or remove the file I think it's ready to merge.

@ilmarkerm
Author

> This is all looking good, except for the test file. If you could either add a HashiVault stand-in or remove the file I think it's ready to merge.

Thank you, I'll do some final changes and push them when I get the opportunity to test in a few days.
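
An added example, not code from this pull request or the project: one way to build the Vault stand-in the review asks for, using only the Go standard library, so the KV read path can be tested over a Unix socket without an external Vault. The names `standIn` and `fetch`, the mounts `kv1`/`kv2`, the secret path `oracle` and the credentials are constructed for illustration, and the stand-in performs no authentication.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net"
	"net/http"
	"os"
)

// standIn serves one constructed secret in both KV response shapes on a Unix socket.
func standIn(sock string) (net.Listener, error) {
	const s = `{"username":"exporter","password":"constructed-pw"}`
	bodies := map[string]string{"/v1/kv1/oracle": `{"data":` + s + `}`, "/v1/kv2/data/oracle": `{"data":{"data":` + s + `}}`}
	h := func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, bodies[r.URL.Path]) } // unknown path: empty body
	ln, err := net.Listen("unix", sock)
	if err == nil {
		go http.Serve(ln, http.HandlerFunc(h))
	}
	return ln, err
}

// fetch reads a secret over the socket; mountType takes the PR's "kvv1"/"kvv2" strings.
func fetch(sock, mountType, mount, path string) (map[string]string, error) {
	var body struct{ Data struct{ Data map[string]string } }
	u, dst := mount+"/data/"+path, any(&body) // KV v2: secret nested at data.data
	if mountType == "kvv1" {
		u, dst = mount+"/"+path, &body.Data // KV v1: secret directly at data
	} else if mountType != "kvv2" {
		return nil, fmt.Errorf("unsupported mount type %q", mountType) // fail closed
	}
	dial := func(ctx context.Context, _, _ string) (net.Conn, error) { return (&net.Dialer{}).DialContext(ctx, "unix", sock) }
	resp, err := (&http.Client{Transport: &http.Transport{DialContext: dial, DisableKeepAlives: true}}).Get("http://vault/v1/" + u)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if err = json.NewDecoder(resp.Body).Decode(dst); err != nil || len(body.Data.Data) == 0 {
		return nil, fmt.Errorf("no secret at %s (%s): %v", u, resp.Status, err)
	}
	return body.Data.Data, nil
}

func main() {
	sock := os.TempDir() + "/vault-standin.sock"
	os.Remove(sock) // stale socket from an earlier run
	standIn(sock)   // a listen failure surfaces as a dial error from fetch
	fmt.Println(fetch(sock, "kvv2", "kv2", "oracle"))
}
```

An unknown mount type, a missing path, or a mount type that does not match the mount all return an error rather than an empty credential map.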
