Migrate Vault V1 secrets to V3#3346
Conversation
- Replace `vault-setup` with `vault-get-secret` in Linux Semaphore prologues
- Update Windows Semaphore blocks to use V3 vault auth and paths
- Update Makefile to read test credentials from env vars (set by vault-get-secret)
- Update Gulpfile.js to check env vars before calling vault CLI, with V3 fallback paths
- Secrets migrated: vscodeextension/testing, vscodeextension/telemetry, vscodeextension/feature-flags

Note: Some `vault-setup` calls remain in release/packaging/reporting pipelines that may use vault for other purposes. These need separate migration.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Pull request overview
This PR migrates CI/test/build secret retrieval from Vault V1 to the newer Vault V3 layout, updating Semaphore pipelines and local build tooling so credentials can be injected via environment variables (e.g., vault-get-secret) rather than direct vault kv get calls from Make/Gulp.
Changes:
- Update Linux Semaphore prologues to source `vault-get-secret` for testing/telemetry/feature-flags secrets.
- Update Windows Semaphore blocks to use the new Vault address/auth mount and V3 secret paths.
- Adjust Makefile/Gulpfile to prefer env vars (with Vault CLI fallback using new paths).
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| Makefile | Writes test .env from pre-injected environment variables instead of calling Vault directly. |
| Gulpfile.js | Uses env vars when present; otherwise fetches Sentry/Segment/LaunchDarkly secrets from updated Vault paths. |
| .semaphore/semaphore.yml | Migrates Vault setup in Linux blocks to vault-get-secret and updates Windows Vault auth + paths. |
| .semaphore/playwright-e2e.yml | Same Vault migration for Playwright E2E pipelines (Linux via vault-get-secret, Windows via new auth + paths). |
| @echo "Writing test credentials to .env file for testing" | ||
| @if [ -z "$(IDE_SIDECAR_CONNECTIONS_CCLOUD_BASE_PATH)" ] || [ "$(IDE_SIDECAR_CONNECTIONS_CCLOUD_BASE_PATH)" = "confluent.cloud" ]; then \ | ||
| echo "Setting up prod env vars for testing"; \ | ||
| echo "E2E_USERNAME=$(shell vault kv get -field=E2E_USERNAME v1/ci/kv/vscodeextension/testing)" > .env; \ | ||
| echo "E2E_PASSWORD=$(shell vault kv get -field=E2E_PASSWORD v1/ci/kv/vscodeextension/testing)" >> .env; \ | ||
| echo "E2E_SR_API_KEY=$(shell vault kv get -field=E2E_SR_API_KEY v1/ci/kv/vscodeextension/testing)" >> .env; \ | ||
| echo "E2E_SR_API_SECRET=$(shell vault kv get -field=E2E_SR_API_SECRET v1/ci/kv/vscodeextension/testing)" >> .env; \ | ||
| echo "E2E_SR_URL=$(shell vault kv get -field=E2E_SR_URL v1/ci/kv/vscodeextension/testing)" >> .env; \ | ||
| echo "E2E_KAFKA_API_KEY=$(shell vault kv get -field=E2E_KAFKA_API_KEY v1/ci/kv/vscodeextension/testing)" >> .env; \ | ||
| echo "E2E_KAFKA_API_SECRET=$(shell vault kv get -field=E2E_KAFKA_API_SECRET v1/ci/kv/vscodeextension/testing)" >> .env; \ | ||
| echo "E2E_KAFKA_BOOTSTRAP_SERVERS=$(shell vault kv get -field=E2E_KAFKA_BOOTSTRAP_SERVERS v1/ci/kv/vscodeextension/testing)" >> .env; \ | ||
| echo "E2E_KAFKA_CLUSTER_NAME=$(shell vault kv get -field=E2E_KAFKA_CLUSTER_NAME v1/ci/kv/vscodeextension/testing)" >> .env; \ | ||
| echo "E2E_USERNAME=$$E2E_USERNAME" > .env; \ | ||
| echo "E2E_PASSWORD=$$E2E_PASSWORD" >> .env; \ | ||
| echo "E2E_SR_API_KEY=$$E2E_SR_API_KEY" >> .env; \ | ||
| echo "E2E_SR_API_SECRET=$$E2E_SR_API_SECRET" >> .env; \ | ||
| echo "E2E_SR_URL=$$E2E_SR_URL" >> .env; \ | ||
| echo "E2E_KAFKA_API_KEY=$$E2E_KAFKA_API_KEY" >> .env; \ | ||
| echo "E2E_KAFKA_API_SECRET=$$E2E_KAFKA_API_SECRET" >> .env; \ | ||
| echo "E2E_KAFKA_BOOTSTRAP_SERVERS=$$E2E_KAFKA_BOOTSTRAP_SERVERS" >> .env; \ | ||
| echo "E2E_KAFKA_CLUSTER_NAME=$$E2E_KAFKA_CLUSTER_NAME" >> .env; \ |
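Review bot: the added lines write each value unquoted (`echo "E2E_PASSWORD=$$E2E_PASSWORD" >> .env`), so a secret containing a space, `#`, or a quote yields a malformed or truncated .env line that only shows up as a downstream test failure. Quote the value in the file (`printf '%s="%s"\n'` with backslashes and quotes escaped) and, since the old `vault kv get` calls at least failed loudly when Vault was unreachable, add a presence check before the first `>` so an unset variable aborts the target instead of producing an empty assignment.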
setup-test-env now writes credentials from environment variables without validating they are set. If any of these vars are missing/empty (e.g., running locally without vault-get-secret), this will silently generate a .env with empty values and cause confusing downstream test failures. Consider failing fast with a clear error when required variables are unset, and prefer printf over echo to avoid shell-specific escaping issues for secrets containing backslashes/newlines.
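The fail-fast .env writer the comment above asks for, as an added example (not the project's Makefile): it is written in JavaScript, like the Gulpfile, as a small Node helper the `setup-test-env` target could call instead of the echo chain (that call site is an assumption). Every required variable that is unset or empty is reported at once, and values are quoted so backslashes, newlines and double quotes survive a dotenv-style parse. The variable names are the ones in the Makefile hunk.

```javascript
// Added example, not the project's Makefile or Gulpfile code.
// Builds the .env text in memory; the target would write the result to disk.

// Required variables, taken from the Makefile hunk in this PR.
const REQUIRED_E2E_VARS = [
  "E2E_USERNAME", "E2E_PASSWORD",
  "E2E_SR_API_KEY", "E2E_SR_API_SECRET", "E2E_SR_URL",
  "E2E_KAFKA_API_KEY", "E2E_KAFKA_API_SECRET",
  "E2E_KAFKA_BOOTSTRAP_SERVERS", "E2E_KAFKA_CLUSTER_NAME",
];

// Names of required variables that are unset or empty in `env`.
function missingVars(env, required = REQUIRED_E2E_VARS) {
  return required.filter((name) => !env[name]);
}

// Double-quote a value, escaping backslashes, newlines and quotes so a secret
// containing any of them is read back unchanged by a dotenv parser.
function quoteValue(value) {
  const escaped = value
    .replace(/\\/g, "\\\\")
    .replace(/\n/g, "\\n")
    .replace(/"/g, '\\"');
  return `"${escaped}"`;
}

// Returns the .env file text, or throws naming every missing variable so a
// run without vault-get-secret fails loudly instead of writing empty values.
function buildDotEnv(env, required = REQUIRED_E2E_VARS) {
  const missing = missingVars(env, required);
  if (missing.length > 0) {
    throw new Error(
      `setup-test-env: required variables unset: ${missing.join(", ")} ` +
      "(run under vault-get-secret or export them before `make setup-test-env`)",
    );
  }
  return required.map((name) => `${name}=${quoteValue(env[name])}`).join("\n") + "\n";
}
```

In the build this would be invoked as `fs.writeFileSync(".env", buildDotEnv(process.env), { mode: 0o600 })`, so the file is created owner-readable only; the hypothetical `make` target then fails with the list of missing names rather than with an unrelated test error later.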
| function setupSentry() { | ||
| // If env vars already set (e.g., by vault-get-secret in CI), use them directly | ||
| if (process.env.SENTRY_AUTH_TOKEN && process.env.SENTRY_DSN) { | ||
| const sentryRelease = getSentryReleaseVersion(); | ||
| console.log(`Setting SENTRY_RELEASE to "${sentryRelease}"`); | ||
| process.env.SENTRY_RELEASE = sentryRelease; | ||
| return; | ||
| } |
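Review bot: the `&&` condition on the `if` line makes a partially injected environment (one of `SENTRY_AUTH_TOKEN` / `SENTRY_DSN` set, the other not) fall through to the Vault path with no indication that it did, so a CI failure in that state looks like a Vault problem rather than a missing variable. Log which source supplied the credentials and which variable forced the fallback before leaving the fast path, and keep the `SENTRY_RELEASE` assignment outside the fast path so it is set on both routes.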
setupSentry() only takes the “env vars already set” fast path when both SENTRY_AUTH_TOKEN and SENTRY_DSN are present. If SENTRY_AUTH_TOKEN is provided via env (common in CI) but SENTRY_DSN is missing, the function will still attempt Vault access and may fail without ever setting SENTRY_RELEASE, even though the Sentry rollup plugin depends on SENTRY_AUTH_TOKEN + SENTRY_RELEASE. Consider: (1) computing/setting SENTRY_RELEASE whenever SENTRY_AUTH_TOKEN is set, and (2) fetching only the missing values from Vault (don’t refetch/require Vault when one var is already present).
| function setupLaunchDarkly() { | ||
| // If env var already set (e.g., by vault-get-secret in CI), use it directly | ||
| if (process.env.LD_CLIENT_ID) { | ||
| process.env.LAUNCHDARKLY_CLIENT_ID = process.env.LD_CLIENT_ID; | ||
| return; | ||
| } |
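Review bot: the added block sets `LAUNCHDARKLY_CLIENT_ID` from `LD_CLIENT_ID` unconditionally, so when both are present the CI-injected name silently overwrites a value the consumer already had. Check `process.env.LAUNCHDARKLY_CLIENT_ID` first and return, and only then copy `LD_CLIENT_ID` across; the comment on the second line should also mention that two names are in play, since "use it directly" does not describe a rename.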
setupLaunchDarkly() only checks process.env.LD_CLIENT_ID, but local/dev configuration (see .env.example) uses LAUNCHDARKLY_CLIENT_ID. With the current logic, a production build that already has LAUNCHDARKLY_CLIENT_ID set will still try to call the Vault CLI and overwrite/fail unnecessarily. Consider short-circuiting when LAUNCHDARKLY_CLIENT_ID is already set, and only mapping LD_CLIENT_ID -> LAUNCHDARKLY_CLIENT_ID when the latter is absent.
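The env-first, Vault-fallback pattern with both review points applied, as an added example that is not the project's Gulpfile: `SENTRY_RELEASE` is set whenever `SENTRY_AUTH_TOKEN` is available, Vault is asked only for the values that are still missing, and LaunchDarkly short-circuits on `LAUNCHDARKLY_CLIENT_ID` before mapping `LD_CLIENT_ID`. The Vault access is an injected `fetchFromVault(secret, field)` function so the example runs offline; in the build it would wrap `vault kv get -field=...`. The logical secret names come from the PR description; the V3 mount prefix is not given on this page and is deliberately left out. `makeFakeVault` and the release-version argument are constructed for the example.

```javascript
// Added example, not the project's Gulpfile code.

// Logical secret names from the PR description. The full V3 path is not on
// the page, so the fetcher receives only these names and the field.
const SECRETS = {
  telemetry: "vscodeextension/telemetry",
  featureFlags: "vscodeextension/feature-flags",
};

// Fill `env` with every variable in `wanted` that is not already set, fetching
// only those from Vault. Returns the names that had to be fetched.
function resolveSecrets(wanted, env, fetchFromVault) {
  const fetched = [];
  for (const [name, { secret, field }] of Object.entries(wanted)) {
    if (env[name]) continue; // already injected (e.g. by vault-get-secret): do not touch Vault
    const value = fetchFromVault(secret, field);
    if (!value) throw new Error(`${name}: ${secret}/${field} not found in Vault`);
    env[name] = value;
    fetched.push(name);
  }
  return fetched;
}

// `releaseVersion` stands in for getSentryReleaseVersion() from the Gulpfile.
function setupSentry(env, fetchFromVault, releaseVersion) {
  // (1) The release is computed locally and never depends on SENTRY_DSN, so it
  // is set as soon as the auth token is known, before any Vault access.
  if (env.SENTRY_AUTH_TOKEN) env.SENTRY_RELEASE = releaseVersion;
  // (2) Only the variables that are actually missing go to Vault.
  const fetched = resolveSecrets({
    SENTRY_AUTH_TOKEN: { secret: SECRETS.telemetry, field: "SENTRY_AUTH_TOKEN" },
    SENTRY_DSN: { secret: SECRETS.telemetry, field: "SENTRY_DSN" },
  }, env, fetchFromVault);
  env.SENTRY_RELEASE = releaseVersion;
  return fetched;
}

function setupLaunchDarkly(env, fetchFromVault) {
  // Short-circuit on the name the code consumes (the .env.example name).
  if (env.LAUNCHDARKLY_CLIENT_ID) return [];
  // Otherwise take the CI-injected name, fetching it only if absent.
  const fetched = resolveSecrets({
    LD_CLIENT_ID: { secret: SECRETS.featureFlags, field: "LD_CLIENT_ID" },
  }, env, fetchFromVault);
  env.LAUNCHDARKLY_CLIENT_ID = env.LD_CLIENT_ID; // map only when the target name was absent
  return fetched;
}

// Constructed stand-in for the Vault CLI that records every lookup, so the
// "do not refetch what is already present" behaviour can be observed.
function makeFakeVault(store) {
  const calls = [];
  const fetch = (secret, field) => {
    calls.push(`${secret}/${field}`);
    return (store[secret] || {})[field];
  };
  return { fetch, calls };
}
```

With `SENTRY_AUTH_TOKEN` injected by CI and `SENTRY_DSN` absent, only `vscodeextension/telemetry/SENTRY_DSN` is requested from Vault and `SENTRY_RELEASE` is already set even if that request fails; a developer with `LAUNCHDARKLY_CLIENT_ID` in a local .env never triggers a Vault call at all.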
| echo "Skipping Vault setup for Semaphore CI" | ||
| else | ||
| . vault-setup | ||
| . vault-setup --version v3 --role vscode |
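Review bot: the PR description says `vault-setup` was replaced with `vault-get-secret` in the Linux prologues, yet this hunk keeps `. vault-setup` and only adds `--version v3 --role vscode`; either the description or this block is out of date, and the description's note about remaining `vault-setup` calls should say which it is. Also confirm the `if` condition that prints "Skipping Vault setup for Semaphore CI" still selects the right branch under the V3 flow, since the hunk changes only the `else` side.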
Dave Shoup (@shouples) I think we need to change instances of . vault-setup to . vault-setup --version v3 --role vscode, if we want to minimize changes applied to Gulpfile.js and Makefile.