18 changes: 17 additions & 1 deletion FEATURES.md
Expand Up @@ -122,4 +122,20 @@ Here is a list of features. Implemented features are marked with a checkmark.
- [x] Test deployment is flagged as crashloopbackoff
- [x] Test deployment is not flagged as crashloopbackoff
- [x] Create automated test suite (TEST SUITE 10)
- [x] Verify all 8 tests pass
- [x] Verify all 8 tests pass
- [ ] Hashicorp vault integration. Replace k8s secret for user password storage.
- Implementation Tasks
- [x] Add a pod running hashicorp vault to the k8s cluster (`k8s/setup/assets/04-vault.yaml`)
- [x] Create vault Go library (`vault/client.go`) that connects to vault and converts secrets to env vars
- [x] Create VaultService gRPC server (`grpc/services/vault_service.go`) offering password storage and update
- [x] Add proto definition for VaultService (`proto-internal/sf/hosted/vault/v1/vault.proto`)
- [x] Register VaultService with gRPC server
- [x] Add VAULT_ADDR and VAULT_TOKEN env vars to control-freak deployment
- [x] Update devenv.go to deploy vault and wait for it during cluster setup
- [x] Add vault port-forward support (localhost:30820 → vault:8200)
- Tests
- [x] Unit tests for vault library (`vault/client_test.go`) – 8 tests
- [x] Unit tests for vault gRPC service (`grpc/services/vault_service_test.go`) – 10 tests
- [x] Integration tests: vault deployed in cluster (TEST SUITE 11)
- [x] Integration tests: vault gRPC service (TEST SUITE 12)
- [x] Integration tests: vault library retrieving passwords and creating env vars (TEST SUITE 13)
38 changes: 37 additions & 1 deletion cmd/control-freak/cmd/serve.go
Expand Up @@ -14,6 +14,8 @@ import (
"github.com/streamingfast/services-control-plane/grpc/server"
"github.com/streamingfast/services-control-plane/grpc/services"
"github.com/streamingfast/services-control-plane/k8s/tracker"
"github.com/streamingfast/services-control-plane/vault"
"go.uber.org/zap"
"k8s.io/client-go/kubernetes"
"k8s.io/client-go/rest"
"k8s.io/client-go/tools/clientcmd"
Expand Down Expand Up @@ -44,13 +46,17 @@ func init() {
serveCmd.Flags().String("listen-addr", ":9000", "gRPC server listen address")
serveCmd.Flags().String("namespace", "", "Kubernetes namespace (default: from NAMESPACE env or 'default')")
serveCmd.Flags().String("redis-addr", "", "Redis address (default: from REDIS_ADDR env or 'localhost:6379')")
serveCmd.Flags().String("vault-addr", "", "HashiCorp Vault address (default: from VAULT_ADDR env or 'http://vault:8200')")
serveCmd.Flags().String("vault-token", "", "HashiCorp Vault token (default: from VAULT_TOKEN env)")

// Bind to viper
viper.BindPFlag("serve.plaintext", serveCmd.Flags().Lookup("plaintext"))
viper.BindPFlag("serve.insecure", serveCmd.Flags().Lookup("insecure"))
viper.BindPFlag("serve.listen-addr", serveCmd.Flags().Lookup("listen-addr"))
viper.BindPFlag("serve.namespace", serveCmd.Flags().Lookup("namespace"))
viper.BindPFlag("serve.redis-addr", serveCmd.Flags().Lookup("redis-addr"))
viper.BindPFlag("serve.vault-addr", serveCmd.Flags().Lookup("vault-addr"))
viper.BindPFlag("serve.vault-token", serveCmd.Flags().Lookup("vault-token"))
}

func runServe(cmd *cobra.Command, args []string) error {
Expand Down Expand Up @@ -105,7 +111,37 @@ func runServe(cmd *cobra.Command, args []string) error {
}

hosted := services.NewHosted(k8sClient, namespace, redisClient, trackerManager, zlog)
srv := server.NewServer(hosted, zlog, opts...)

// Setup vault service (optional – vault is not required to start the server)
vaultAddr := viper.GetString("serve.vault-addr")
if vaultAddr == "" {
vaultAddr = os.Getenv("VAULT_ADDR")
}
if vaultAddr == "" {
vaultAddr = "http://vault:8200"
}

vaultToken := viper.GetString("serve.vault-token")
if vaultToken == "" {
vaultToken = os.Getenv("VAULT_TOKEN")
}
if vaultToken == "" {
// Default to "root" for local development (Kind cluster) only.
// In production, VAULT_TOKEN must be set explicitly.
vaultToken = "root"
zlog.Warn("VAULT_TOKEN not set; defaulting to 'root' – this is only safe in local development environments")
}

var vaultSvc *services.VaultService
vaultClient, err := vault.NewClient(vaultAddr, vaultToken, "secret")
if err != nil {
zlog.Warn("vault client creation failed, vault service will be unavailable", zap.Error(err))
} else {
vaultSvc = services.NewVaultService(vaultClient, zlog)
zlog.Info("vault service enabled", zap.String("vault_addr", vaultAddr))
}

srv := server.NewServer(hosted, vaultSvc, zlog, opts...)
zlog.Info(fmt.Sprintf("starting gRPC server on %s", listenAddr))
srv.Launch(listenAddr)

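Review bot: The `vaultToken = "root"` fallback in runServe fails open: a deployment that starts without VAULT_TOKEN runs with a well-known token and only a warning in the log, and with the default `http://vault:8200` that token would travel over plain HTTP unless the address is overridden. Since the comment above the block says vault is optional, I would skip client creation when no token is configured, e.g. `if vaultToken == "" { zlog.Warn("VAULT_TOKEN not set; vault service disabled") }` with the `vault.NewClient` call moved into the `else` branch, and keep `root` behind an explicit dev-only switch. The new `--vault-token` flag in init() also places the token in the process argument list, where it is readable through process listings; taking it only from the environment or a mounted file would avoid that. runServe starts and ends outside the visible hunk, so how `server.NewServer` treats a nil `vaultSvc` cannot be confirmed from here.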
19 changes: 17 additions & 2 deletions go.mod
Expand Up @@ -4,7 +4,10 @@ go 1.26

require (
github.com/go-redis/redismock/v9 v9.2.0
github.com/hashicorp/vault/api v1.15.0
github.com/redis/go-redis/v9 v9.18.0
github.com/spf13/cobra v1.10.2
github.com/spf13/viper v1.21.0
github.com/streamingfast/dgrpc v0.0.0-20260420180129-8b81f2664993
github.com/streamingfast/logging v0.0.0-20260108192805-38f96de0a641
github.com/stretchr/testify v1.11.1
Expand All @@ -28,6 +31,7 @@ require (
github.com/GoogleCloudPlatform/opentelemetry-operations-go/propagator v0.54.0 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/blendle/zapdriver v1.3.1 // indirect
github.com/cenkalti/backoff/v4 v4.3.0 // indirect
github.com/cenkalti/backoff/v5 v5.0.3 // indirect
github.com/cespare/xxhash/v2 v2.3.0 // indirect
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
Expand All @@ -36,6 +40,7 @@ require (
github.com/felixge/httpsnoop v1.0.4 // indirect
github.com/fsnotify/fsnotify v1.9.0 // indirect
github.com/fxamacker/cbor/v2 v2.9.0 // indirect
github.com/go-jose/go-jose/v4 v4.1.3 // indirect
github.com/go-logr/logr v1.4.3 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/go-openapi/jsonpointer v0.21.0 // indirect
Expand All @@ -52,13 +57,24 @@ require (
github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 // indirect
github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3 // indirect
github.com/hashicorp/errwrap v1.1.0 // indirect
github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
github.com/hashicorp/go-multierror v1.1.1 // indirect
github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
github.com/hashicorp/go-rootcerts v1.0.2 // indirect
github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6 // indirect
github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
github.com/hashicorp/go-sockaddr v1.0.2 // indirect
github.com/hashicorp/hcl v1.0.0 // indirect
github.com/inconshreveable/mousetrap v1.1.0 // indirect
github.com/josharian/intern v1.0.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect
github.com/logrusorgru/aurora v2.0.3+incompatible // indirect
github.com/mailru/easyjson v0.7.7 // indirect
github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
github.com/mitchellh/go-homedir v1.1.0 // indirect
github.com/mitchellh/go-testing-interface v1.14.1 // indirect
github.com/mitchellh/mapstructure v1.5.0 // indirect
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
Expand All @@ -71,13 +87,12 @@ require (
github.com/prometheus/common v0.44.0 // indirect
github.com/prometheus/procfs v0.11.0 // indirect
github.com/rs/cors v1.8.3 // indirect
github.com/ryanuber/go-glob v1.0.0 // indirect
github.com/sagikazarmark/locafero v0.11.0 // indirect
github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 // indirect
github.com/spf13/afero v1.15.0 // indirect
github.com/spf13/cast v1.10.0 // indirect
github.com/spf13/cobra v1.10.2 // indirect
github.com/spf13/pflag v1.0.10 // indirect
github.com/spf13/viper v1.21.0 // indirect
github.com/streamingfast/dmetrics v0.0.0-20250711072030-f023e918a175 // indirect
github.com/streamingfast/sf-tracing v0.0.0-20251218140752-bafd5572499f // indirect
github.com/streamingfast/shutter v1.5.0 // indirect