feat: azure key vault persistence (#13791)

Co-authored-by: perangel <[email protected]>

Author: bgroff

airbyte-config/config-secrets/src/main/kotlin/secrets/persistence/AzureKeyVaultPersistence.kt

@@ -0,0 +1,105 @@
+/*
+ * Copyright (c) 2020-2024 Airbyte, Inc., all rights reserved.
+ */
+
+package secrets.persistence
+
+import com.azure.identity.ClientSecretCredentialBuilder
+import com.azure.security.keyvault.secrets.SecretClient
+import com.azure.security.keyvault.secrets.SecretClientBuilder
+import com.azure.security.keyvault.secrets.models.KeyVaultSecret
+import com.azure.security.keyvault.secrets.models.SecretProperties
+import io.airbyte.config.secrets.SecretCoordinate
+import io.airbyte.config.secrets.persistence.SecretPersistence
+import io.micronaut.context.annotation.Requires
+import io.micronaut.context.annotation.Value
+import jakarta.inject.Named
+import jakarta.inject.Singleton
+import java.time.Duration
+
+/**
+ * SecretPersistence implementation for Azure Key Vault
+ */
+@Singleton
+@Requires(property = "airbyte.secret.persistence", pattern = "(?i)^azure_key_vault$")
+@Named("secretPersistence")
+class AzureKeyVaultPersistence(private val secretClient: AzureKeyVaultClient) : SecretPersistence {
+  override fun read(coordinate: SecretCoordinate): String {
+    val key = coordinate.fullCoordinate.replace("_", "-")
+    return secretClient.client.getSecret(
+      key,
+    ).value
+  }
+
+  override fun write(
+    coordinate: SecretCoordinate,
+    payload: String,
+  ) {
+    val key = coordinate.fullCoordinate.replace("_", "-")
+    val secret =
+      KeyVaultSecret(
+        key,
+        payload,
+      )
+
+    if (secretClient.tags.isNotEmpty()) {
+      secret.setProperties(SecretProperties().setTags(secretClient.tags))
+    }
+
+    secretClient.client.setSecret(secret)
+  }
+
+  override fun delete(coordinate: SecretCoordinate) {
+    val key = coordinate.fullCoordinate.replace("_", "-")
+    secretClient.client
+      .beginDeleteSecret(key)
+      .waitForCompletion(Duration.ofSeconds(5))
+    secretClient.client
+      .purgeDeletedSecret(key)
+  }
+}
+
+@Singleton
+class AzureKeyVaultClient(
+  @Value("\${airbyte.secret.store.azure.vault-url}") private val vaultUrl: String,
+  @Value("\${airbyte.secret.store.azure.tenant-id}") private val tenantId: String,
+  @Value("\${airbyte.secret.store.azure.client-id}") private val clientId: String,
+  @Value("\${airbyte.secret.store.azure.client-secret}") private val clientSecret: String,
+  @Value("\${airbyte.secret.store.azure.tags}") val unparsedTags: String?,
+) {
+  val tags: Map<String, String> = parseTags(unparsedTags)
+
+  private fun parseTags(tags: String?): Map<String, String> {
+    // Define the regex pattern for the whole string validation
+    val pattern = "^[\\w\\s._:/=+-@]+=[\\w\\s._:/=+-@]+(,\\s*[\\w\\s._:/=+-@]+=[\\w\\s._:/=+-@]+)*$".toRegex()
+
+    // Check if unparsedTags is not null, not blank, and matches the pattern
+    return if (!tags.isNullOrBlank() && pattern.matches(tags)) {
+      tags.split(",").associate { part ->
+        val (key, value) = part.trim().split("=")
+        key to value
+      }
+    } else if (tags.isNullOrBlank()) {
+      emptyMap() // Return an empty map if unparsedTags is null or blank
+    } else {
+      // If the string doesn't match the pattern, throw an error
+      throw IllegalArgumentException(
+        "AB_SECRET_MANAGER_SECRET_TAGS does not match the expected format \"key1=value2,key2=value2\": $tags." +
+          " Please update the AB_SECRET_MANAGER_SECRET_TAGS env var configurations.",
+      )
+    }
+  }
+
+  val client: SecretClient by lazy {
+    SecretClientBuilder()
+      .vaultUrl(vaultUrl)
+      .credential(
+        ClientSecretCredentialBuilder()
+          .clientSecret(clientSecret)
+          .clientId(clientId)
+          .tenantId(tenantId)
+          .build(),
+      )
+      .buildClient()
+  }
+}

airbyte-server/src/main/resources/application.yml

@@ -158,6 +158,12 @@ airbyte:
         address: ${VAULT_ADDRESS:}
         prefix: ${VAULT_PREFIX:}
         token: ${VAULT_AUTH_TOKEN:}
+      azure:
+        vault-url: ${AB_AZURE_KEY_VAULT_VAULT_URL:}
+        tenant-id: ${AB_AZURE_KEY_VAULT_TENANT_ID:}
+        client-id: ${AB_AZURE_KEY_VAULT_CLIENT_ID:}
+        client-secret: ${AB_AZURE_KEY_VAULT_CLIENT_SECRET:}
+        tags: ${AB_AZURE_KEY_VAULT_TAGS:}
   role: ${AIRBYTE_ROLE:dev}
   tracking:
     strategy: ${TRACKING_STRATEGY:LOGGING}

airbyte-workers/src/main/resources/application.yml

@@ -247,6 +247,12 @@ airbyte:
         address: ${VAULT_ADDRESS:}
         prefix: ${VAULT_PREFIX:}
         token: ${VAULT_AUTH_TOKEN:}
+      azure:
+        vault-url: ${AB_AZURE_KEY_VAULT_VAULT_URL:}
+        tenant-id: ${AB_AZURE_KEY_VAULT_TENANT_ID:}
+        client-id: ${AB_AZURE_KEY_VAULT_CLIENT_ID:}
+        client-secret: ${AB_AZURE_KEY_VAULT_CLIENT_SECRET:}
+        tags: ${AB_AZURE_KEY_VAULT_TAGS:}
   temporal:
     worker:
       ports: ${TEMPORAL_WORKER_PORTS:}

airbyte-workload-init-container/src/main/resources/application.yml

@@ -52,6 +52,12 @@ airbyte:
         prefix: ${VAULT_PREFIX:}
         # injects the actual secret value
         token: ${VAULT_AUTH_TOKEN:vaultAuthTokenForTest}
+      azure:
+        vault-url: ${AB_AZURE_KEY_VAULT_VAULT_URL:}
+        tenant-id: ${AB_AZURE_KEY_VAULT_TENANT_ID:}
+        client-id: ${AB_AZURE_KEY_VAULT_CLIENT_ID:}
+        client-secret: ${AB_AZURE_KEY_VAULT_CLIENT_SECRET:}
+        tags: ${AB_AZURE_KEY_VAULT_TAGS:}
   workload-api:
     base-path: ${WORKLOAD_API_HOST:}
     bearer-token: ${WORKLOAD_API_BEARER_TOKEN:}

airbyte-workload-launcher/src/main/kotlin/config/EnvVarConfigBeanFactory.kt

@@ -400,6 +400,9 @@ class EnvVarConfigBeanFactory {
     @Value("\${airbyte.secret.store.aws.region}") awsRegion: String,
     @Value("\${airbyte.secret.store.aws.kms-key-arn}") awsKmsKeyArn: String,
     @Value("\${airbyte.secret.store.aws.tags}") awsTags: String,
+    @Value("\${airbyte.secret.store.azure.vault-url}") azureVaultUrl: String,
+    @Value("\${airbyte.secret.store.azure.tenant-id}") azureTenantId: String,
+    @Value("\${airbyte.secret.store.azure.tags}") azureTags: String,
     @Value("\${airbyte.secret.store.vault.address}") vaultAddress: String,
     @Value("\${airbyte.secret.store.vault.prefix}") vaultPrefix: String,
   ): Map<String, String> {
@@ -409,6 +412,9 @@ class EnvVarConfigBeanFactory {
       put(EnvVarConstants.AWS_SECRET_MANAGER_REGION, awsRegion)
       put(EnvVarConstants.AWS_KMS_KEY_ARN, awsKmsKeyArn)
       put(EnvVarConstants.AWS_SECRET_MANAGER_SECRET_TAGS, awsTags)
+      put(EnvVarConstants.AZURE_KEY_VAULT_VAULT_URL, azureVaultUrl)
+      put(EnvVarConstants.AZURE_KEY_VAULT_TENANT_ID, azureTenantId)
+      put(EnvVarConstants.AZURE_KEY_VAULT_SECRET_TAGS, azureTags)
       put(EnvVarConstants.VAULT_ADDRESS, vaultAddress)
       put(EnvVarConstants.VAULT_PREFIX, vaultPrefix)
     }
@@ -429,6 +435,10 @@ class EnvVarConfigBeanFactory {
     @Value("\${airbyte.secret.store.aws.access-key-ref-key}") awsAccessKeyRefKey: String,
     @Value("\${airbyte.secret.store.aws.secret-key-ref-name}") awsSecretKeyRefName: String,
     @Value("\${airbyte.secret.store.aws.secret-key-ref-key}") awsSecretKeyRefKey: String,
+    @Value("\${airbyte.secret.store.azure.client-id-ref-name}") azureClientKeyRefName: String,
+    @Value("\${airbyte.secret.store.azure.client-id-ref-key}") azureClientKeyRefKey: String,
+    @Value("\${airbyte.secret.store.azure.client-secret-ref-name}") azureSecretKeyRefName: String,
+    @Value("\${airbyte.secret.store.azure.client-secret-ref-key}") azureSecretKeyRefKey: String,
     @Value("\${airbyte.secret.store.vault.token-ref-name}") vaultTokenRefName: String,
     @Value("\${airbyte.secret.store.vault.token-ref-key}") vaultTokenRefKey: String,
   ): Map<String, EnvVarSource> {
@@ -443,6 +453,13 @@ class EnvVarConfigBeanFactory {
       if (awsSecretKeyRefName.isNotBlank() && awsSecretKeyRefKey.isNotBlank()) {
         put(EnvVarConstants.AWS_SECRET_MANAGER_SECRET_ACCESS_KEY, createEnvVarSource(awsSecretKeyRefName, awsSecretKeyRefKey))
       }
+      // Azure
+      if (azureClientKeyRefName.isNotBlank() && azureClientKeyRefKey.isNotBlank()) {
+        put(EnvVarConstants.AZURE_KEY_VAULT_CLIENT_ID, createEnvVarSource(azureClientKeyRefName, azureClientKeyRefKey))
+      }
+      if (azureSecretKeyRefName.isNotBlank() && azureSecretKeyRefKey.isNotBlank()) {
+        put(EnvVarConstants.AZURE_KEY_VAULT_CLIENT_SECRET, createEnvVarSource(azureSecretKeyRefName, azureSecretKeyRefKey))
+      }
       if (vaultTokenRefName.isNotBlank() && vaultTokenRefKey.isNotBlank()) {
         put(EnvVarConstants.VAULT_AUTH_TOKEN, createEnvVarSource(vaultTokenRefName, vaultTokenRefKey))
       }

airbyte-workload-launcher/src/main/kotlin/constants/EnvVarConstants.kt

@@ -38,6 +38,9 @@ object EnvVarConstants {
   const val AWS_SECRET_MANAGER_REGION = "AWS_SECRET_MANAGER_REGION"
   const val AWS_KMS_KEY_ARN = "AWS_KMS_KEY_ARN"
   const val AWS_SECRET_MANAGER_SECRET_TAGS = "AWS_SECRET_MANAGER_SECRET_TAGS"
+  const val AZURE_KEY_VAULT_VAULT_URL = "AB_AZURE_KEY_VAULT_VAULT_URL"
+  const val AZURE_KEY_VAULT_TENANT_ID = "AB_AZURE_KEY_VAULT_TENANT_ID"
+  const val AZURE_KEY_VAULT_SECRET_TAGS = "AB_AZURE_KEY_VAULT_TAGS"
   const val VAULT_ADDRESS = "VAULT_ADDRESS"
   const val VAULT_PREFIX = "VAULT_PREFIX"
   const val CONCURRENT_SOURCE_STREAM_READ_ENV_VAR = "CONCURRENT_SOURCE_STREAM_READ"
@@ -52,5 +55,7 @@ object EnvVarConstants {
   const val SECRET_STORE_GCP_CREDENTIALS = "SECRET_STORE_GCP_CREDENTIALS"
   const val AWS_SECRET_MANAGER_ACCESS_KEY_ID = "AWS_SECRET_MANAGER_ACCESS_KEY_ID"
   const val AWS_SECRET_MANAGER_SECRET_ACCESS_KEY = "AWS_SECRET_MANAGER_SECRET_ACCESS_KEY"
+  const val AZURE_KEY_VAULT_CLIENT_ID = "AB_AZURE_KEY_VAULT_CLIENT_ID"
+  const val AZURE_KEY_VAULT_CLIENT_SECRET = "AB_AZURE_KEY_VAULT_CLIENT_SECRET"
   const val VAULT_AUTH_TOKEN = "VAULT_AUTH_TOKEN"
 }

airbyte-workload-launcher/src/main/resources/application.yml

@@ -75,7 +75,7 @@ airbyte:
         parallelism: ${WORKLOAD_LAUNCHER_PARALLELISM:10}
         workflow-parallelism: ${WORKLOAD_LAUNCHER_WORKFLOW_PARALLELISM:10}
   secret:
-    persistence: ${SECRET_PERSISTENCE}
+    persistence: ${SECRET_PERSISTENCE:TESTING_CONFIG_DB_TABLE}
     store:
       aws:
         region: ${AWS_SECRET_MANAGER_REGION:}
@@ -104,6 +104,18 @@ airbyte:
         # injects the name/key for secret reference
         token-ref-name: ${VAULT_AUTH_TOKEN_REF_NAME:}
         token-ref-key: ${VAULT_AUTH_TOKEN_REF_KEY:}
+      azure:
+        vault-url: ${AB_AZURE_KEY_VAULT_VAULT_URL:}
+        tenant-id: ${AB_AZURE_KEY_VAULT_TENANT_ID:}
+        tags: ${AB_AZURE_KEY_VAULT_TAGS:}
+        # injects actual secret values
+        client-id: ${AB_AZURE_KEY_VAULT_CLIENT_ID:}
+        client-secret: ${AB_AZURE_KEY_VAULT_CLIENT_SECRET:}
+        # injects the name/key for secret reference
+        client-id-ref-name: ${AB_AZURE_KEY_VAULT_CLIENT_ID_REF_NAME:}
+        client-id-ref-key: ${AB_AZURE_KEY_VAULT_CLIENT_ID_REF_REF_KEY:}
+        client-secret-ref-name: ${AB_AZURE_KEY_VAULT_CLIENT_SECRET_REF_REF_NAME:}
+        client-secret-ref-key: ${AB_AZURE_KEY_VAULT_CLIENT_SECRET_REF_REF_KEY:}
   version: ${AIRBYTE_VERSION}
   container.orchestrator:
     data-plane-creds:

charts/airbyte-server/templates/deployment.yaml

@@ -269,6 +269,33 @@ spec:
           value: {{ ((((.Values.global).secretsManager).awsSecretManager).kms) | default "" }}
         {{- end }}
 
+        # Values for Azure Key Vault
+        {{- if (((.Values.global).secretsManager).azureKeyVault) }}
+
+        - name: AB_AZURE_KEY_VAULT_VAULT_URL
+          value: {{ (((.Values.global).secretsManager).azureKeyVault).vaultUrl }}
+
+        - name: AB_AZURE_KEY_VAULT_TENANT_ID
+          value: {{ (((.Values.global).secretsManager).azureKeyVault).tenantId }}
+
+        - name: AB_AZURE_KEY_VAULT_CLIENT_ID
+          valueFrom:
+            secretKeyRef:
+              name: {{ include "airbyte.secretStoreName" .Values.global.secretsManager.secretsManagerSecretName }}
+              key: {{ include "airbyte.azureKeyVaultClientIdSecretKey" .Values.global.secretsManager.azureKeyVault.clientIdSecretKey }}
+        - name: AB_AZURE_KEY_VAULT_CLIENT_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: {{ include "airbyte.secretStoreName" .Values.global.secretsManager.secretsManagerSecretName }}
+              key: {{ include "airbyte.azureKeyVaultClientSecretSecretKey" .Values.global.secretsManager.azureKeyVault.clientSecretSecretKey }}
+
+        {{- end }}
+
+        {{- if ((((.Values.global).secretsManager).azureKeyVault).tags) }}
+        - name: AB_AZURE_KEY_VAULT_TAGS
+          value: {{ include "airbyte.tagsToString" .Values.global.secretsManager.azureKeyVault.tags }}
+        {{- end }}
+
         # Values for googleSecretManager secrets
         {{- if (((.Values.global).secretsManager).googleSecretManager) }}
         - name: SECRET_STORE_GCP_PROJECT_ID

charts/airbyte-worker/templates/deployment.yaml

@@ -325,6 +325,33 @@ spec:
           value: {{ ((((.Values.global).secretsManager).awsSecretManager).kms) | default "" }}
         {{- end }}
 
+        # Values for Azure Key Vault
+        {{- if (((.Values.global).secretsManager).azureKeyVault) }}
+
+        - name: AB_AZURE_KEY_VAULT_VAULT_URL
+          value: {{ (((.Values.global).secretsManager).azureKeyVault).vaultUrl }}
+
+        - name: AB_AZURE_KEY_VAULT_TENANT_ID
+          value: {{ (((.Values.global).secretsManager).azureKeyVault).tenantId }}
+
+        - name: AB_AZURE_KEY_VAULT_CLIENT_ID
+          valueFrom:
+            secretKeyRef:
+              name: {{ include "airbyte.secretStoreName" .Values.global.secretsManager.secretsManagerSecretName }}
+              key: {{ include "airbyte.azureKeyVaultClientIdSecretKey" .Values.global.secretsManager.azureKeyVault.clientIdSecretKey }}
+        - name: AB_AZURE_KEY_VAULT_CLIENT_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: {{ include "airbyte.secretStoreName" .Values.global.secretsManager.secretsManagerSecretName }}
+              key: {{ include "airbyte.azureKeyVaultClientSecretSecretKey" .Values.global.secretsManager.azureKeyVault.clientSecretSecretKey }}
+
+        {{- end }}
+
+        {{- if ((((.Values.global).secretsManager).azureKeyVault).tags) }}
+        - name: AB_AZURE_KEY_VAULT_TAGS
+          value: {{ include "airbyte.tagsToString" .Values.global.secretsManager.azureKeyVault.tags }}
+        {{- end }}
+
         # Values for googleSecretManager secrets
         {{- if (((.Values.global).secretsManager).googleSecretManager) }}
         - name: SECRET_STORE_GCP_PROJECT_ID

charts/airbyte-workload-launcher/templates/_helpers.tpl

@@ -113,6 +113,30 @@ Get awsSecretManager secret access key secret key or default
 {{- end -}}
 {{- end -}}
 
+{{/*
+Get azureKeyVault clientId or default
+*/}}
+{{- define "airbyte.azureKeyVaultClientIdSecretKey" -}}
+{{- $azureKeyVaultClientIdSecretKey := . -}}
+{{- if $azureKeyVaultClientIdSecretKey -}}
+  {{- printf "%s" $azureKeyVaultClientIdSecretKey -}}
+{{- else -}}
+  {{- printf "azure-key-vault-client-id" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get azureKeyVault clientSecret or default
+*/}}
+{{- define "airbyte.azureKeyVaultClientSecretSecretKey" -}}
+{{- $azureKeyVaultClientSecretSecretKey := . -}}
+{{- if $azureKeyVaultClientSecretSecretKey -}}
+  {{- printf "%s" $azureKeyVaultClientSecretSecretKey -}}
+{{- else -}}
+  {{- printf "azure-key-vault-client-secret" -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Get googleSecretManager credentials secret key or default
 */}}

charts/airbyte-workload-launcher/templates/deployment.yaml

@@ -367,6 +367,43 @@ spec:
           value: {{ ((((.Values.global).secretsManager).awsSecretManager).kms) | default "" }}
         {{- end }}
 
+        # Values for Azure Key Vault
+        {{- if (((.Values.global).secretsManager).azureKeyVault) }}
+
+        - name: AB_AZURE_KEY_VAULT_VAULT_URL
+          value: {{ (((.Values.global).secretsManager).azureKeyVault).vaultUrl }}
+
+        - name: AB_AZURE_KEY_VAULT_TENANT_ID
+          value: {{ (((.Values.global).secretsManager).azureKeyVault).tenantId }}
+
+        - name: AB_AZURE_KEY_VAULT_CLIENT_ID
+          valueFrom:
+            secretKeyRef:
+              name: {{ include "airbyte.secretStoreName" .Values.global.secretsManager.secretsManagerSecretName }}
+              key: {{ include "airbyte.azureKeyVaultClientIdSecretKey" .Values.global.secretsManager.azureKeyVault.clientIdSecretKey }}
+        - name: AB_AZURE_KEY_VAULT_CLIENT_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: {{ include "airbyte.secretStoreName" .Values.global.secretsManager.secretsManagerSecretName }}
+              key: {{ include "airbyte.azureKeyVaultClientSecretSecretKey" .Values.global.secretsManager.azureKeyVault.clientSecretSecretKey }}
+
+        - name: AB_AZURE_KEY_VAULT_CLIENT_ID_REF_NAME
+          value: {{ include "airbyte.secretStoreName" .Values.global.secretsManager.secretsManagerSecretName }}
+        - name: AB_AZURE_KEY_VAULT_CLIENT_ID_REF_REF_KEY
+          value: {{ include "airbyte.azureKeyVaultClientIdSecretKey" .Values.global.secretsManager.azureKeyVault.clientIdSecretKey }}
+
+        - name: AB_AZURE_KEY_VAULT_CLIENT_SECRET_REF_REF_NAME
+          value: {{ include "airbyte.secretStoreName" .Values.global.secretsManager.secretsManagerSecretName }}
+        - name: AB_AZURE_KEY_VAULT_CLIENT_SECRET_REF_REF_KEY
+          value: {{ include "airbyte.azureKeyVaultClientSecretSecretKey" .Values.global.secretsManager.azureKeyVault.clientSecretSecretKey }}
+
+        {{- end }}
+
+        {{- if ((((.Values.global).secretsManager).azureKeyVault).tags) }}
+        - name: AB_AZURE_KEY_VAULT_TAGS
+          value: {{ include "airbyte.tagsToString" .Values.global.secretsManager.azureKeyVault.tags }}
+        {{- end }}
+
         # Values for googleSecretManager secrets
         {{- if (((.Values.global).secretsManager).googleSecretManager) }}
         - name: SECRET_STORE_GCP_PROJECT_ID