feat(secret): secret reference

Author: vm-001

config/config.go

@@ -1,12 +1,17 @@
 package config
 
 import (
+	"context"
 	"encoding/json"
 	"fmt"
 	"slices"
 
 	"github.com/creasty/defaults"
 	"github.com/webhookx-io/webhookx/pkg/envconfig"
+	"github.com/webhookx-io/webhookx/pkg/secret"
+	"github.com/webhookx-io/webhookx/pkg/secret/reference"
+	"github.com/webhookx-io/webhookx/utils"
+	"go.uber.org/zap"
 	"gopkg.in/yaml.v3"
 )
 
@@ -37,6 +42,7 @@ type Config struct {
 	Tracing          TracingConfig   `yaml:"tracing" json:"tracing" envconfig:"TRACING"`
 	Role             Role            `yaml:"role" json:"role" envconfig:"ROLE" default:"standalone"`
 	AnonymousReports bool            `yaml:"anonymous_reports" json:"anonymous_reports" envconfig:"ANONYMOUS_REPORTS" default:"true"`
+	Secret           SecretConfig    `yaml:"secret" json:"secret" envconfig:"SECRET"`
 }
 
 func (cfg Config) String() string {
@@ -81,6 +87,9 @@ func (cfg Config) Validate() error {
 	if !slices.Contains([]Role{RoleStandalone, RoleCP, RoleDPWorker, RoleDPProxy}, cfg.Role) {
 		return fmt.Errorf("invalid role: '%s'", cfg.Role)
 	}
+	if err := cfg.Secret.Validate(); err != nil {
+		return err
+	}
 
 	return nil
 }
@@ -89,27 +98,126 @@ type Options struct {
 	YAML []byte
 }
 
+func resolveReferences(n *yaml.Node, manager *secret.Manager) error {
+	switch n.Kind {
+	case yaml.ScalarNode:
+		if reference.IsReference(n.Value) {
+			ref, err := reference.Parse(n.Value)
+			if err != nil {
+				return err
+			}
+			val, err := manager.ResolveReference(context.TODO(), ref)
+			if err != nil {
+				return err
+			}
+			n.Value = val
+		}
+	case yaml.MappingNode:
+		for i := 0; i < len(n.Content); i += 2 {
+			if err := resolveReferences(n.Content[i+1], manager); err != nil {
+				return err
+			}
+		}
+	case yaml.AliasNode:
+		if n.Alias != nil {
+			if err := resolveReferences(n.Alias, manager); err != nil {
+				return err
+			}
+		}
+	default:
+		for _, c := range n.Content {
+			if err := resolveReferences(c, manager); err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
 func New(opts *Options) (*Config, error) {
 	var cfg Config
 	err := defaults.Set(&cfg)
 	if err != nil {
 		return nil, err
 	}
 
-	if opts != nil {
-		if len(opts.YAML) > 0 {
-			if err := yaml.Unmarshal(opts.YAML, &cfg); err != nil {
-				return nil, err
+	if opts == nil {
+		opts = &Options{}
+	}
+
+	var doc *yaml.Node
+	if len(opts.YAML) > 0 {
+		doc = new(yaml.Node)
+		if err := yaml.Unmarshal(opts.YAML, doc); err != nil {
+			return nil, err
+		}
+	}
+
+	// todo: only if secret feature is allowed
+	if doc != nil {
+		// fixme
+		if len(doc.Content) > 0 {
+			if node := utils.FindYaml(doc.Content[0], "secret"); node != nil {
+				if err := node.Decode(&cfg.Secret); err != nil {
+					return nil, err
+				}
 			}
 		}
 	}
+	if err := envconfig.Process("WEBHOOKX_SECRET", &cfg.Secret); err != nil {
+		return nil, err
+	}
 
-	err = envconfig.Process("WEBHOOKX", &cfg)
-	if err != nil {
+	var reader = envconfig.EnvironmentReader
+
+	if err := cfg.Secret.Validate(); err != nil {
 		return nil, err
 	}
 
-	return &cfg, nil
+	if cfg.Secret.Enabled() {
+		providers := make(map[string]map[string]interface{})
+		for _, p := range cfg.Secret.Providers {
+			name := string(p)
+			providers[name] = cfg.Secret.GetProviderConfiguration(name)
+		}
+		manager := secret.NewManager(zap.S(), providers)
+		reader = func(key string) (string, bool, error) {
+			value, ok, _ := envconfig.EnvironmentReader.Read(key)
+			if ok && reference.IsReference(value) {
+				ref, err := reference.Parse(value)
+				if err != nil {
+					return "", false, err
+				}
+				resolved, err := manager.ResolveReference(context.TODO(), ref)
+				if err != nil {
+					return "", false, err
+				}
+				value = resolved
+			}
+			return value, ok, nil
+		}
+
+		if doc != nil {
+			if len(doc.Content) > 0 {
+				if err := resolveReferences(doc.Content[0], manager); err != nil {
+					return nil, err
+				}
+			}
+			resolvedYaml := utils.Must(yaml.Marshal(doc))
+			fmt.Println(string(resolvedYaml))
+			doc = new(yaml.Node)
+			_ = yaml.Unmarshal(resolvedYaml, doc)
+		}
+	}
+
+	if doc != nil {
+		if err := doc.Decode(&cfg); err != nil {
+			return nil, err
+		}
+	}
+
+	err = envconfig.ProcessWithReader("WEBHOOKX", &cfg, reader)
+	return &cfg, err
 }
 
 func (cfg *Config) OverrideByRole(role Role) {

config/config_test.go

@@ -481,6 +481,47 @@ func TestWorkerProxyConfig(t *testing.T) {
 	}
 }
 
+func TestSecretConfig(t *testing.T) {
+	tests := []struct {
+		desc        string
+		cfg         SecretConfig
+		validateErr error
+	}{
+		{
+			desc: "sanity",
+			cfg: SecretConfig{
+				Vault: VaultProviderConfig{
+					AuthMethod: "token",
+				},
+			},
+			validateErr: nil,
+		},
+		{
+			desc: "invalid provider",
+			cfg: SecretConfig{
+				Providers: []Provider{"aws", "vault", "unknown"},
+				Vault: VaultProviderConfig{
+					AuthMethod: "token",
+				},
+			},
+			validateErr: errors.New("invalid provider: unknown"),
+		},
+		{
+			desc: "invalid vault.auth_method",
+			cfg: SecretConfig{
+				Vault: VaultProviderConfig{
+					AuthMethod: "unknown",
+				},
+			},
+			validateErr: errors.New("invalid auth_method: unknown"),
+		},
+	}
+	for _, test := range tests {
+		actual := test.cfg.Validate()
+		assert.Equal(t, test.validateErr, actual, "expected %v got %v", test.validateErr, actual)
+	}
+}
+
 func TestConfig(t *testing.T) {
 	cfg, err := New(nil)
 	assert.Nil(t, err)

config/secret.go

@@ -0,0 +1,76 @@
+package config
+
+import (
+	"fmt"
+	"slices"
+
+	"github.com/webhookx-io/webhookx/pkg/secret/provider/vault"
+	"github.com/webhookx-io/webhookx/utils"
+)
+
+type Provider string
+
+const (
+	ProviderAWS   Provider = "aws"
+	ProviderVault Provider = "vault"
+)
+
+type SecretConfig struct {
+	Providers []Provider          `json:"providers" yaml:"providers" default:"[\"aws\", \"vault\"]"`
+	Aws       AwsProviderConfig   `json:"aws" yaml:"aws"`
+	Vault     VaultProviderConfig `json:"vault" yaml:"vault"`
+}
+
+func (cfg *SecretConfig) Validate() error {
+	for _, name := range cfg.Providers {
+		if !slices.Contains([]Provider{ProviderAWS, ProviderVault}, name) {
+			return fmt.Errorf("invalid provider: %s", name)
+		}
+	}
+	if err := cfg.Aws.Validate(); err != nil {
+		return err
+	}
+	if err := cfg.Vault.Validate(); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (cfg *SecretConfig) Enabled() bool {
+	return len(cfg.Providers) > 0
+}
+
+func (cfg *SecretConfig) GetProviderConfiguration(name string) map[string]interface{} {
+	switch Provider(name) {
+	case ProviderAWS:
+		return utils.Must(utils.StructToMap(cfg.Aws))
+	case ProviderVault:
+		return utils.Must(utils.StructToMap(cfg.Vault))
+	default:
+		return nil
+	}
+}
+
+type AwsProviderConfig struct {
+	Region string `json:"region" yaml:"region"`
+	URL    string `json:"url" yaml:"url"`
+}
+
+func (cfg *AwsProviderConfig) Validate() error {
+	return nil
+}
+
+type VaultProviderConfig struct {
+	Address    string      `json:"address" yaml:"address" default:"http://localhost:8200"`
+	MountPath  string      `json:"mount_path" yaml:"mount_path" default:"secret" split_words:"true"`
+	Namespace  string      `json:"namespace" yaml:"namespace"`
+	AuthMethod string      `json:"auth_method" yaml:"auth_method" default:"token" split_words:"true"`
+	AuthN      vault.AuthN `json:"authn" yaml:"authn"`
+}
+
+func (cfg *VaultProviderConfig) Validate() error {
+	if !slices.Contains([]string{"token", "approle", "kubernetes"}, cfg.AuthMethod) {
+		return fmt.Errorf("invalid auth_method: %s", cfg.AuthMethod)
+	}
+	return nil
+}

go.mod

@@ -5,6 +5,11 @@ go 1.25.4
 require (
 	github.com/Masterminds/squirrel v1.5.4
 	github.com/asaskevich/EventBus v0.0.0-20200907212545-49d423059eef
+	github.com/aws/aws-sdk-go-v2 v1.39.6
+	github.com/aws/aws-sdk-go-v2/config v1.31.20
+	github.com/aws/aws-sdk-go-v2/credentials v1.18.24
+	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.39.13
+	github.com/aws/smithy-go v1.23.2
 	github.com/creasty/defaults v1.8.0
 	github.com/dop251/goja v0.0.0-20251103141225-af2ceb9156d7
 	github.com/elazarl/goproxy v1.7.2
@@ -17,9 +22,13 @@ require (
 	github.com/golang-migrate/migrate/v4 v4.19.0
 	github.com/gorilla/mux v1.8.1
 	github.com/hashicorp/golang-lru/v2 v2.0.7
+	github.com/hashicorp/vault/api v1.22.0
+	github.com/hashicorp/vault/api/auth/approle v0.11.0
+	github.com/hashicorp/vault/api/auth/kubernetes v0.10.0
 	github.com/jackc/pgx/v5 v5.7.6
 	github.com/jmoiron/sqlx v1.4.0
 	github.com/lib/pq v1.10.9
+	github.com/mitchellh/mapstructure v1.5.0
 	github.com/onsi/ginkgo/v2 v2.27.2
 	github.com/onsi/gomega v1.38.2
 	github.com/pkg/errors v0.9.1
@@ -30,6 +39,7 @@ require (
 	github.com/spf13/cobra v1.10.1
 	github.com/stretchr/testify v1.11.1
 	github.com/tetratelabs/wazero v1.10.0
+	github.com/tidwall/gjson v1.18.0
 	github.com/vmihailenco/msgpack/v5 v5.4.1
 	go.opentelemetry.io/contrib/propagators/autoprop v0.63.0
 	go.opentelemetry.io/otel v1.38.0
@@ -52,23 +62,44 @@ require github.com/felixge/httpsnoop v1.0.4 // indirect
 
 require (
 	github.com/Masterminds/semver/v3 v3.4.0 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.13 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.13 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.13 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.13 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.30.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.40.2 // indirect
+	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
 	github.com/dlclark/regexp2 v1.11.4 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.2 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/go-sourcemap/sourcemap v2.1.3+incompatible // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.8 // indirect
+	github.com/hashicorp/go-rootcerts v1.0.2 // indirect
+	github.com/hashicorp/go-secure-stdlib/parseutil v0.2.0 // indirect
+	github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
+	github.com/hashicorp/go-sockaddr v1.0.7 // indirect
+	github.com/hashicorp/hcl v1.0.1-vault-7 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
 	github.com/jackc/puddle/v2 v2.2.2 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
-	github.com/mattn/go-colorable v0.1.13 // indirect
-	github.com/mattn/go-isatty v0.0.19 // indirect
-	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/mattn/go-colorable v0.1.14 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 // indirect
 	github.com/oasdiff/yaml v0.0.0-20250309154309-f31be36b4037 // indirect
 	github.com/oasdiff/yaml3 v0.0.0-20250309153720-d2182401db90 // indirect
 	github.com/perimeterx/marshmallow v1.1.5 // indirect
+	github.com/ryanuber/go-glob v1.0.0 // indirect
+	github.com/tidwall/match v1.2.0 // indirect
+	github.com/tidwall/pretty v1.2.1 // indirect
 	github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
 	github.com/woodsbury/decimal128 v1.3.0 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
@@ -78,6 +109,7 @@ require (
 	go.opentelemetry.io/contrib/propagators/ot v1.38.0 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/mod v0.27.0 // indirect
+	golang.org/x/time v0.12.0 // indirect
 )
 
 require (