Implement support for Vault KV v2 backends

[daviddob]

Changes proposed by this PR:

Enables support for Vault's KV version 2 backends to enable versioning
and support default deployments of new vault instances. This implements a backwards
compatible change to detect kv2 backends and resolve the paths accordingly.

While RFC #39 was proposed to take this on it appears to still propose the use of a
vault type. As such hopefully this is not considered a quick-fix antipattern and
can be used to improve the credential-manager var sources as well.

Tested with all gingko + testflight cases.

Fixes #2374

Notes to reviewer:

Leverages the existing vault test suite as the changes are made to the underlying api client.

Release Note

Contributor Checklist

• Followed Code of conduct, Contributing Guide & avoided Anti-patterns
• Signed all commits
• Added tests (Unit and/or Integration)
• Updated Documentation
• Added release note (Optional)

Reviewer Checklist

• Code reviewed
• Tests reviewed
• Documentation reviewed
• Release notes reviewed
• PR acceptance performed
• New config flags added? Ensure that they are added to the
  BOSH and
  Helm packaging; otherwise, ignored for
  the integration
  tests
  (for example, if they are Garden configs that are not displayed in the
  --help text).

[vito]

Hey, thanks for picking this up!

It's unfortunate that we have to carry over so much internal code from Vault, but I get it, not sure what else to do there besides requesting upstream API changes.

There's a part of the code that mutates the client that I'm not sure will be safe though.

[vito]

Thanks for waiting - getting back to this now that v6.7 is out!

How would you feel about adding tests for this? Originally the API client was meant to be a thin layer that can be faked out for tests, but now it's getting a little thick. 🤔 There aren't currently tests for the API client, but they could probably be added by faking out the API endpoint using ghttp.NewServer.

[daviddob]

I think adding tests are a solid idea as more complexity gets added - though with it being holiday season my time is a bit limited. I'll see what I can do in the meantime but it may have to sit for a while on my end.

[vito]

@daviddob No worries - thanks for checking in!

Just as an FYI, we're working on a pretty big new feature that will allow all this code to be extracted into prototypes. It doesn't need to impact this PR either way, but I thought you might be interested in keeping it on your radar: #5229

[daviddob]

@vito Been a little while, finally got some time and finished writing tests using ghttp for both KV2 and KV1 vault apis to test the api_client. The way the ghttp handlers work make it a bit awkward and verbose as the requests much match the order of the handlers but everything seems to be functioning as expected after bringing my changes up to date with master.

[vito]

@daviddob Awesome, thanks for circling back to this! Just resolved a tiny conflict, commencing review now.

[vito]

Looks good and verified that the tests fail if the v2 support is removed. Left some nitpicky suggestions. I would have just merged and touched them up myself but it looks like some small changes need to be made since NewAPIClient changed on master recently. (I suggested changes for them.)

Once those NewAPIClient calls are fixed up I'm happy to merge this as-is.

[daviddob]

Updated as per your feedback - should be good to go. Thanks @vito!

[vito]

lgtm - thanks!