cirruslabs / cirrus-ci-agent

Agent to execute Cirrus CI tasks
Mozilla Public License 2.0

External secret management via HashiCorp's Vault #253

Closed edigaryev closed 1 year ago

edigaryev commented 1 year ago

This takes a bit different approach than Vault GitHub Action in terms of querying the secrets.

Because there's no reliable way to differentiate between V1 and V2 secrets, automatically unwrapping the data field might result in a false-positive, where a V1 key contains a field named data.

So instead, the V2 secrets can be queried similarly to the CLI, by adding a data selector manually:

% vault read secret/data/admin       
Key         Value
---         -----
data        map[password:secret]
metadata    map[created_time:2022-10-19T16:19:46.629916765Z custom_metadata:<nil> deletion_time: destroyed:false version:2]

This V2 storage password can be queried with VAULT[secret/data/admin data.password].

The PR introduces a CIRRUS_VAULT_NAMESPACE environment variable because without it, Vault Enterprise is unusable.

See https://github.com/cirruslabs/cirrus-ci-docs/issues/1079.
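The selector mechanism described above, as an added example that is not the PR's own code: a small Go resolver that parses a `VAULT[<path> <selector>]` reference and walks the dot-separated selector through the `data` object of a Vault read response without unwrapping any nested `data` field on its own. The reference regex, the `fakeVault` map standing in for the Vault HTTP API, and the sample responses are constructed for this example; the KV V1 entry deliberately carries a field literally named `data` to show why automatic unwrapping would mis-resolve it.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Reference syntax from the PR description: VAULT[<path> <selector>].
// The regex and the resolver below are this example's assumptions,
// not the agent's implementation.
var vaultRefRe = regexp.MustCompile(`^VAULT\[([^\s\]]+)(?:\s+([^\s\]]+))?\]$`)

// VaultReference is a parsed VAULT[...] reference.
type VaultReference struct {
	Path     string   // Vault read path, e.g. secret/data/admin
	Selector []string // dot-separated selector split into keys; may be empty
}

// ParseVaultReference splits the reference into its path and selector parts.
func ParseVaultReference(ref string) (VaultReference, error) {
	m := vaultRefRe.FindStringSubmatch(ref)
	if m == nil {
		return VaultReference{}, fmt.Errorf("malformed reference %q", ref)
	}
	r := VaultReference{Path: m[1]}
	if m[2] != "" {
		r.Selector = strings.Split(m[2], ".")
	}
	return r, nil
}

// Resolve applies the selector to the "data" object of a decoded read
// response. There is no automatic unwrapping of a nested "data" object:
// for KV V2 paths the caller spells out "data." explicitly, which is what
// avoids the V1/V2 ambiguity described in the PR.
func Resolve(response map[string]interface{}, selector []string) (string, error) {
	var current interface{} = response["data"]
	for _, key := range selector {
		obj, ok := current.(map[string]interface{})
		if !ok {
			return "", fmt.Errorf("selector %q: cannot descend into non-object at %q", strings.Join(selector, "."), key)
		}
		current, ok = obj[key]
		if !ok {
			return "", fmt.Errorf("selector %q: key %q not found", strings.Join(selector, "."), key)
		}
	}
	s, ok := current.(string)
	if !ok {
		return "", errors.New("selected value is not a string; refine the selector")
	}
	return s, nil
}

// fakeVault stands in for the Vault HTTP API (constructed sample responses).
var fakeVault = map[string]string{
	// KV V2 read of secret/data/admin: the secret sits under data.data.
	"secret/data/admin": `{"data":{"data":{"password":"secret"},"metadata":{"version":2}}}`,
	// KV V1 secret that happens to contain a field named "data";
	// blindly unwrapping it would return the wrong thing.
	"kv1/app": `{"data":{"data":"not-a-wrapper","token":"abc"}}`,
}

// LookupSecret resolves a VAULT[...] reference against the fake store.
func LookupSecret(ref string) (string, error) {
	parsed, err := ParseVaultReference(ref)
	if err != nil {
		return "", err
	}
	raw, ok := fakeVault[parsed.Path]
	if !ok {
		return "", fmt.Errorf("path %q not found", parsed.Path)
	}
	var response map[string]interface{}
	if err := json.Unmarshal([]byte(raw), &response); err != nil {
		return "", fmt.Errorf("decoding response for %q: %w", parsed.Path, err)
	}
	return Resolve(response, parsed.Selector)
}

func main() {
	for _, ref := range []string{
		"VAULT[secret/data/admin data.password]", // V2: explicit data. prefix
		"VAULT[kv1/app data]",                   // V1 field literally named data
		"VAULT[secret/data/admin password]",     // V2 without data. prefix: error
	} {
		v, err := LookupSecret(ref)
		fmt.Printf("%s -> %q, err=%v\n", ref, v, err)
	}
}
```

Note that `VAULT[secret/data/admin]` with no selector fails too: the resolver refuses to return a non-string object, so a caller gets an error rather than a stringified map leaking into the environment.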

edigaryev commented 1 year ago

@fkorotkov I'm also a bit wary of how the errors are reported currently in executor.RunBuild() (which is called from main()):

https://github.com/cirruslabs/cirrus-ci-agent/blob/990c55f6e6a23728adcc11882b4d459f865ef4b5/internal/executor/executor.go#L142-L144

Should we use a ReportAgentError() RPC call instead or devise a new method of reporting errors in places that are not instructions?

fkorotkov commented 1 year ago

Good point. Let's report it as an agent error.

edigaryev commented 1 year ago

> Good point. Let's report it as an agent error.

See https://github.com/cirruslabs/cirrus-ci-agent/pull/253/commits/7d3452dcda7ecfbaf15508c9d30520ad91ae8968.