
Vault integration for secret storage#72

Merged
canercidam merged 9 commits into main from caner/vault-integration on Mar 20, 2026

Conversation

@canercidam (Member)

📝 Summary

  • Integrates HashiCorp Vault for builder secret storage
  • Bug fix: Config was never returned after set
  • Including in docker-compose.yaml and testing above with integration tests

✅ I have run these commands

  • make lint
  • make test
  • go mod tidy

@canercidam changed the title from "vault integration for secret storage" to "Vault integration for secret storage" on Mar 5, 2026
@canercidam requested a review from metachris on March 5, 2026 02:01

Review comment on cmd/httpserver/main.go:

    type VaultConfig struct {
        Address string // Vault server address (e.g., http://localhost:8200)
        Token   string // Vault token for authentication
    }
Please also support https://pkg.go.dev/github.com/hashicorp/vault/api/auth/kubernetes as an auth method in addition to plain token, as that's how pods authenticate in our Vault.

@canercidam (Member Author)

Added! Please let me know if you have any suggestions.

Copilot AI (Contributor) left a comment

Pull request overview

Integrates HashiCorp Vault as an additional secrets storage backend for BuilderHub, updates secret-access APIs to be context-aware, and fixes config+secrets responses by merging stored builder config with secrets.

Changes:

  • Add a Vault-backed secrets adapter and wire Vault configuration/selection into the HTTP server CLI.
  • Fix “config never returned after set” by merging builder config with secret JSON in both builder and admin “full config” endpoints.
  • Update local docker-compose and CI integration tests to run with Vault enabled.

Reviewed changes

Copilot reviewed 15 out of 16 changed files in this pull request and generated 7 comments.

Summary per file:

  • scripts/ci/integration-test.sh: Stops previous compose stack and tweaks hurl invocation for CI/integration runs.
  • scripts/ci/e2e-test.hurl: Extends E2E assertions to ensure non-secret config is preserved alongside secrets.
  • ports/admin_handler.go: Updates secrets API to be context-aware and returns merged config+secrets for “full” config endpoint.
  • cmd/httpserver/main.go: Adds Vault CLI flags/env vars and selects secrets backend (mock/vault/aws).
  • adapters/secrets/hashicorp_vault.go: New Vault KV v2 secrets backend implementation.
  • adapters/secrets/service.go: Refactors AWS Secrets Manager adapter (naming + context-aware API) and aligns missing-secret error.
  • application/service.go: Introduces MergeJSON and updates config-with-secrets flow to return merged payload.
  • domain/inmemory_secret.go: Updates mock secrets service to accept context.
  • docker/docker-compose.yaml: Adds Vault dev container and configures builder-hub to use Vault in local compose.
  • docker/mock-proxy/Dockerfile: Adjusts COPY to match new build context.
  • .github/workflows/release.yaml: Updates proxy image build context/Dockerfile path for releases.
  • Makefile: Adds a docker-compose restart helper target.
  • go.mod / go.sum: Adds Vault client dependencies and updates module requirements.

Comments suppressed due to low confidence (1)

scripts/ci/integration-test.sh:36

  • The script disables set -e around the hurl run, but then checks $? only after set -e has been re-enabled. That means the failure check is reading the exit status of set -e (almost always 0), so integration test failures won’t be detected and the script can report success incorrectly. Capture the hurl exit code immediately (or use an if ! hurl ...; then ... fi pattern) before re-enabling set -e.
    hurl --test scripts/ci/e2e-test.hurl -v
    set -e

    # Cleanup after tests
    if [ $? -ne 0 ]; then
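The exit-status problem Copilot flags, reproduced beside the two fixes it suggests, as an added example that is not part of this pull request or the BuilderHub repository; fake_hurl is a stand-in for the hurl run that exits with whatever status it is given, so it runs without hurl or a Vault stack:

```shell
#!/bin/sh
# Added example, not code from the BuilderHub repository. fake_hurl stands
# in for `hurl --test ...` and exits with the status it is given (constructed
# input: 1 models a failed assertion, 0 a passing run).
fake_hurl() {
    return "$1"
}

# Pattern as in integration-test.sh: by the time $? is read, the last command
# executed was `set -e` itself, which always succeeds, so a failing test run
# is reported as "missed".
buggy_check() {
    set +e
    fake_hurl "$1"
    set -e
    if [ $? -ne 0 ]; then
        echo detected
    else
        echo missed
    fi
}

# Fix 1: capture the exit code immediately, before re-enabling set -e.
capture_check() {
    set +e
    fake_hurl "$1"
    rc=$?
    set -e
    if [ "$rc" -ne 0 ]; then
        echo detected
    else
        echo missed
    fi
}

# Fix 2: test the command directly in an `if`; set -e does not apply to the
# condition of an if, so no set +e / set -e toggling is needed at all.
if_check() {
    if ! fake_hurl "$1"; then
        echo detected
    else
        echo missed
    fi
}

# Simulate hurl exiting with status 1 (a failed assertion):
echo "buggy:   $(buggy_check 1)"     # missed
echo "capture: $(capture_check 1)"   # detected
echo "if:      $(if_check 1)"        # detected
```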


@metachris requested a review from bakhtin on March 19, 2026 14:37
@canercidam merged commit bfdae88 into main on Mar 20, 2026 (6 checks passed)
@canercidam deleted the caner/vault-integration branch on March 20, 2026 11:56