
Feat/add seald secret vault support (token auth) #28

Merged (3 commits, May 30, 2022)

Conversation

matzegebbe (Contributor)

Description

Adding secret support for Vault by HashiCorp. Vault is very common for secret management and should be supported by kluctl. In this change, only token authentication is supported for the time being.

docker run -p 8200:8200 --cap-add=IPC_LOCK -d -e 'VAULT_DEV_ROOT_TOKEN_ID=admintoken' --name=dev-vault vault

{
  "secrets": {
    "database": {
      "password": "password",
      "username": "admin"
    }
  }
}


secrets.sealme:

kind: Secret
apiVersion: v1
metadata:
  name: db-secrets
stringData:
  DB_USERNAME: {{ secrets.database.username }}
  DB_PASSWORD: {{ secrets.database.password }}

.kluctl.yml

targets:
  - name: simple
    cluster: kind
    args:
      environment: simple
    sealingConfig:
      secretSets:
        - simple

secretsConfig:
  secretSets:
    - name: simple
      sources:
        - vaultSecretsManager:
            vaultAddr: http://localhost:8200
            secretPath: kluctl/data/simple
            tokenEnvVar: VAULT_TOKEN

VAULT_TOKEN=admintoken kluctl seal -t simple


Type of change

Please delete options that are not relevant.

  • New feature (non-breaking change which adds functionality)
  • This change requires a documentation update
  • This change requires a new example

All Submissions:

  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you followed the guidelines in our Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same update/change?
  • I have performed a self-review of my code
  • I have commented my code, particularly in hard-to-understand areas
  • Have you linted your code locally before submission?
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • All commits are signed off which certify that you created the patch and that you agree to the Developer Certificate of Origin

@codablock (Collaborator)

Thanks :)

Can you change the source spec to be:

secretsConfig:
  secretSets:
    - name: simple
      sources:
        - vault:
            address: http://localhost:8200
            key: kluctl/data/simple

So:

  1. vaultSecretsManager -> vault: I assume you copied this from awsSecretsManager, which is the full name of the service as it's called in the AWS world; "secretsManager" should only be in the name of awsSecretsManager.
  2. vaultAddr -> address: No need to have "vault" as prefix here, as we're already in the "vault" spec. Should also not abbreviate "address" so that it aligns with the vault api/cli.
  3. secretPath -> key: This aligns with the terminology used in the vault api/cli.
  4. Remove tokenEnvVar: Let's omit this for now and not make it configurable. Also, simply rely on this and let NewClient read the env var instead of supplying it via SetToken.
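To make concrete what the secret source in the description does and what the review asks for (token taken from VAULT_TOKEN, "address" and "path" as the field names), here is an added example that is not kluctl's code and not the PR's: it calls Vault's HTTP API with the standard library instead of the github.com/hashicorp/vault/api client (NewClient/SetToken) the comment refers to. The KV v2 response layout (secret fields under data.data) and the helper name readVaultSecret are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"os"
	"strings"
	"time"
)

// kvV2Response: Vault's KV v2 read response; secret fields sit under data.data.
type kvV2Response struct {
	Data struct {
		Data map[string]interface{} `json:"data"`
	} `json:"data"`
}

// readVaultSecret reads one KV v2 secret with token authentication. address
// and path match the merged spec's fields; the token comes from VAULT_TOKEN,
// the variable the Vault CLI/client use, so it never appears in .kluctl.yml.
func readVaultSecret(address, path string) (map[string]interface{}, error) {
	token := os.Getenv("VAULT_TOKEN")
	if token == "" {
		return nil, fmt.Errorf("VAULT_TOKEN is not set")
	}
	url := strings.TrimRight(address, "/") + "/v1/" + strings.TrimLeft(path, "/")
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("X-Vault-Token", token)
	resp, err := (&http.Client{Timeout: 10 * time.Second}).Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		// Report the status only; never log the token or the response body.
		return nil, fmt.Errorf("vault returned %s for %s", resp.Status, path)
	}
	var out kvV2Response
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return nil, err
	}
	if out.Data.Data == nil {
		return nil, fmt.Errorf("no KV v2 data at %s (wrong mount type or path?)", path)
	}
	return out.Data.Data, nil
}
```

Against the dev container from the description, `VAULT_TOKEN=admintoken` and `readVaultSecret("http://localhost:8200", "kluctl/data/simple")` return the database username and password shown above.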

@codablock (Collaborator)

LGTM 👍

@codablock codablock merged commit 47cb42b into main May 30, 2022
@codablock codablock deleted the feat/addVault branch May 30, 2022 11:35
@codablock (Collaborator)

@matzegebbe fyi, I somehow misread the golang client code. They use "address" and "path" internally, so I changed the field names to "address" and "path".
