Add Azure Keyvault secret store (#654)

Co-authored-by: Artur Souza <artursouza.ms@outlook.com>

.github/workflows/conformance.yml

@@ -41,6 +41,7 @@ jobs:
         - bindings.redis
         - pubsub.azure.servicebus
         - pubsub.redis
+        - secretstores.azure.keyvault
         - secretstores.localenv
         - secretstores.localfile
         - state.cosmosdb
@@ -72,6 +73,9 @@ jobs:
           required-secrets: AzureServiceBusConnectionString
         - component: bindings.azure.storagequeues
           required-secrets: AzureBlobStorageAccessKey,AzureBlobStorageAccount,AzureBlobStorageQueue
+        - component: secretstores.azure.keyvault
+          required-secrets: AzureKeyVaultSecretStoreTenantId,AzureKeyVaultSecretStoreClientId
+          required-certs: AzureKeyVaultSecretStoreCert
     steps:
     - name: Check out code onto GOPATH
       uses: actions/checkout@v2
@@ -103,6 +107,19 @@ jobs:
         echo "Ngrok's endpoint: ${NGROK_ENDPOINT}"
         echo "AzureEventGridSubscriberEndpoint=${NGROK_ENDPOINT}/api/events" >> $GITHUB_ENV
 
+    # Download the required certificates into files, and set env var pointing to their names
+    - name: Setup certs
+      if: matrix.required-certs != ''
+      run: |
+        for CERT_NAME in $(echo "${{ matrix.required-certs }}" | sed 's/,/ /g'); do
+          CERT_FILE=$(mktemp --suffix .pfx)
+          echo "Downloading cert $CERT_NAME into file $CERT_FILE"
+          rm $CERT_FILE && \
+            az keyvault secret download --vault-name $AZURE_KEYVAULT --name $CERT_NAME --encoding base64 --file $CERT_FILE
+          echo 'Setting $CERT_NAME to' "$CERT_FILE"
+          echo "$CERT_NAME=$CERT_FILE" >> $GITHUB_ENV
+        done
+
     - name: Start Redis
       uses: supercharge/redis-github-action@1.2.0
       with:
@@ -141,4 +158,15 @@ jobs:
         if grep -q "warning: no tests to run" output.log ; then
           echo "::error:: No test was found for component ${{ matrix.component }}"
           exit -1
-        fi
+        fi
+
+    # Download the required certificates into files, and set env var pointing to their names
+    - name: Clean up certs
+      if: matrix.required-certs != ''
+      run: |
+        for CERT_NAME in $(echo "${{ matrix.required-certs }}" | sed 's/,/ /g'); do
+          CERT_FILE=$(printenv $CERT_NAME)
+
+          echo "Cleaning up the certificate file $CERT_FILE..."
+          rm $CERT_FILE
+        done

tests/config/secretstores/azure/keyvault/azure-keyvault.yaml

@@ -0,0 +1,15 @@
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+  name: azurekeyvault
+spec:
+  type: secretstores.azure.keyvault
+  metadata:
+  - name: vaultName
+    value: secretstore-keyvault
+  - name: spnTenantId
+    value: ${{AzureKeyVaultSecretStoreTenantId}}
+  - name: spnClientId
+    value: ${{AzureKeyVaultSecretStoreClientId}}
+  - name: spnCertificateFile
+    value : ${{AzureKeyVaultSecretStoreCert}}

tests/config/secretstores/tests.yml

@@ -3,4 +3,7 @@ components:
   - component: localenv
     operations: ["get"]
   - component: localfile
-    allOperations: true
+    allOperations: true
+  - component: azure.keyvault
+    allOperations: true
+

tests/conformance/common.go

@@ -27,6 +27,7 @@ import (
 	p_servicebus "github.com/dapr/components-contrib/pubsub/azure/servicebus"
 	p_redis "github.com/dapr/components-contrib/pubsub/redis"
 	"github.com/dapr/components-contrib/secretstores"
+	ss_azure "github.com/dapr/components-contrib/secretstores/azure/keyvault"
 	ss_local_env "github.com/dapr/components-contrib/secretstores/local/env"
 	ss_local_file "github.com/dapr/components-contrib/secretstores/local/file"
 	"github.com/dapr/components-contrib/state"
@@ -274,6 +275,8 @@ func loadSecretStore(tc TestComponent) secretstores.SecretStore {
 		store = ss_local_file.NewLocalSecretStore(testLogger)
 	case "localenv":
 		store = ss_local_env.NewEnvSecretStore(testLogger)
+	case "azure.keyvault":
+		store = ss_azure.NewAzureKeyvaultSecretStore(testLogger)
 	default:
 		return nil
 	}