✨ implement vault delete for berglas (#7078)

imilchev · web-flow · commit da2594818f61 · 2026-03-31T14:23:13.000+02:00
* ✨ implement vault delete for berglas

Signed-off-by: Ivan Milchev &lt;ivan@mondoo.com&gt;

* address comments

Signed-off-by: Ivan Milchev &lt;ivan@mondoo.com&gt;

---------

Signed-off-by: Ivan Milchev &lt;ivan@mondoo.com&gt;
diff --git a/providers-sdk/v1/vault/awsparameterstore/parameterstore.go b/providers-sdk/v1/vault/awsparameterstore/parameterstore.go
@@ -70,3 +70,7 @@ func (v *Vault) Get(ctx context.Context, id *vault.SecretID) (*vault.Secret, err
 func (v *Vault) Set(ctx context.Context, cred *vault.Secret) (*vault.SecretID, error) {
 	return nil, errors.New("not implemented")
 }
+
+func (v *Vault) Delete(ctx context.Context, id *vault.SecretID) (*vault.Empty, error) {
+	return nil, vault.NotImplementedError
+}
diff --git a/providers-sdk/v1/vault/awssecretsmanager/secretsmanager.go b/providers-sdk/v1/vault/awssecretsmanager/secretsmanager.go
@@ -102,6 +102,10 @@ func (v *Vault) Set(ctx context.Context, cred *vault.Secret) (*vault.SecretID, e
 	return &vault.SecretID{Key: *o.ARN}, err
 }
 
+func (v *Vault) Delete(ctx context.Context, id *vault.SecretID) (*vault.Empty, error) {
+	return nil, vault.NotImplementedError
+}
+
 func (v *Vault) updateSecret(ctx context.Context, cred *vault.Secret) (*vault.SecretID, error) {
 	var kmsKeyID *string
 	if len(v.kmsKeyID) > 0 {
diff --git a/providers-sdk/v1/vault/cache/cached_vault.go b/providers-sdk/v1/vault/cache/cached_vault.go
@@ -42,3 +42,12 @@ func (c *cachedVault) Get(ctx context.Context, id *vault.SecretID) (*vault.Secre
 func (c *cachedVault) Set(ctx context.Context, s *vault.Secret) (*vault.SecretID, error) {
 	return c.vault.Set(ctx, s)
 }
+
+func (c *cachedVault) Delete(ctx context.Context, id *vault.SecretID) (*vault.Empty, error) {
+	res, err := c.vault.Delete(ctx, id)
+	if err != nil {
+		return nil, err
+	}
+	delete(c.secrets, id.Key)
+	return res, nil
+}
diff --git a/providers-sdk/v1/vault/gcpberglas/berglas.go b/providers-sdk/v1/vault/gcpberglas/berglas.go
@@ -114,6 +114,28 @@ func (v *Vault) Get(ctx context.Context, id *vault.SecretID) (*vault.Secret, err
 	}, nil
 }
 
+func (v *Vault) Delete(ctx context.Context, id *vault.SecretID) (*vault.Empty, error) {
+	c, err := v.client(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	berglasInfo, err := getBerglasStorageInfo(id.Key)
+	if err != nil {
+		return nil, err
+	}
+
+	err = c.Delete(ctx, &berglas.StorageDeleteRequest{
+		Bucket: berglasInfo.bucket,
+		Object: berglasInfo.object,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return &vault.Empty{}, nil
+}
+
 func (v *Vault) Set(ctx context.Context, cred *vault.Secret) (*vault.SecretID, error) {
 	if len(v.kmsKeyID) == 0 {
 		return nil, errors.New("specified KMS key id is empty")
diff --git a/providers-sdk/v1/vault/gcpsecretmanager/secretmanager.go b/providers-sdk/v1/vault/gcpsecretmanager/secretmanager.go
@@ -87,3 +87,7 @@ func (v *Vault) Get(ctx context.Context, id *vault.SecretID) (*vault.Secret, err
 func (v *Vault) Set(ctx context.Context, cred *vault.Secret) (*vault.SecretID, error) {
 	return nil, errors.New("not implemented")
 }
+
+func (v *Vault) Delete(ctx context.Context, id *vault.SecretID) (*vault.Empty, error) {
+	return nil, vault.NotImplementedError
+}
diff --git a/providers-sdk/v1/vault/hashivault/hashivault.go b/providers-sdk/v1/vault/hashivault/hashivault.go
@@ -126,3 +126,7 @@ func secretData(s *api.Secret) ([]byte, error) {
 func (v *Vault) Set(ctx context.Context, cred *vault.Secret) (*vault.SecretID, error) {
 	return nil, errors.New("not implemented")
 }
+
+func (v *Vault) Delete(ctx context.Context, id *vault.SecretID) (*vault.Empty, error) {
+	return nil, vault.NotImplementedError
+}
diff --git a/providers-sdk/v1/vault/inmemory/inmemory.go b/providers-sdk/v1/vault/inmemory/inmemory.go
@@ -60,3 +60,15 @@ func (v *inmemoryVault) Get(ctx context.Context, id *vault.SecretID) (*vault.Sec
 	}
 	return s, nil
 }
+
+func (v *inmemoryVault) Delete(ctx context.Context, id *vault.SecretID) (*vault.Empty, error) {
+	if id == nil {
+		return nil, errors.New("secret id is empty")
+	}
+
+	if _, ok := v.secrets[id.Key]; !ok {
+		return nil, vault.NotFoundError
+	}
+	delete(v.secrets, id.Key)
+	return &vault.Empty{}, nil
+}
diff --git a/providers-sdk/v1/vault/keyring/keyring.go b/providers-sdk/v1/vault/keyring/keyring.go
@@ -125,3 +125,7 @@ func (v *Vault) Get(ctx context.Context, id *vault.SecretID) (*vault.Secret, err
 		Encoding: vault.SecretEncoding_encoding_json,
 	}, nil
 }
+
+func (v *Vault) Delete(ctx context.Context, id *vault.SecretID) (*vault.Empty, error) {
+	return nil, vault.NotImplementedError
+}
diff --git a/providers-sdk/v1/vault/mock/mock_vault.go b/providers-sdk/v1/vault/mock/mock_vault.go
@@ -62,3 +62,7 @@ func (v *Vault) Get(ctx context.Context, id *vault.SecretID) (*vault.Secret, err
 func (v *Vault) Set(ctx context.Context, cred *vault.Secret) (*vault.SecretID, error) {
 	return nil, errors.New("not implemented")
 }
+
+func (v *Vault) Delete(ctx context.Context, id *vault.SecretID) (*vault.Empty, error) {
+	return nil, vault.NotImplementedError
+}
diff --git a/providers-sdk/v1/vault/multivault/multivault.go b/providers-sdk/v1/vault/multivault/multivault.go
@@ -56,3 +56,7 @@ func (m *multiVault) Get(ctx context.Context, id *vault.SecretID) (*vault.Secret
 
 	return nil, vault.NotFoundError
 }
+
+func (m *multiVault) Delete(ctx context.Context, id *vault.SecretID) (*vault.Empty, error) {
+	return nil, vault.NotImplementedError
+}
diff --git a/providers-sdk/v1/vault/vault.go b/providers-sdk/v1/vault/vault.go
@@ -24,6 +24,7 @@ func EscapeSecretID(key string) string {
 }
 
 var NotFoundError = status.Error(codes.NotFound, "secret not found")
+var NotImplementedError = status.Error(codes.Unimplemented, "delete not implemented")
 
 // Credential parses the secret data and creates a credential
 func (x *Secret) Credential() (*Credential, error) {
diff --git a/providers-sdk/v1/vault/vault.pb.go b/providers-sdk/v1/vault/vault.pb.go
diff --git a/providers-sdk/v1/vault/vault.proto b/providers-sdk/v1/vault/vault.proto
@@ -21,6 +21,7 @@ service Vault {
   rpc About(Empty) returns (VaultInfo);
   rpc Get(SecretID) returns (Secret);
   rpc Set(Secret) returns (SecretID);
+  rpc Delete(SecretID) returns (Empty);
 }
 
 // protolint:disable:next ENUM_FIELD_NAMES_PREFIX 
diff --git a/providers-sdk/v1/vault/vault.ranger.go b/providers-sdk/v1/vault/vault.ranger.go

Original file line number	Diff line number	Diff line change
`@@ -70,3 +70,7 @@ func (v Vault) Get(ctx context.Context, id vault.SecretID) (*vault.Secret, err`
`70`	`70`	`func (v Vault) Set(ctx context.Context, cred vault.Secret) (*vault.SecretID, error) {`
`71`	`71`	`return nil, errors.New("not implemented")`
`72`	`72`	`}`
	`73`	`+`
	`74`	`+func (v Vault) Delete(ctx context.Context, id vault.SecretID) (*vault.Empty, error) {`
	`75`	`+ return nil, vault.NotImplementedError`
	`76`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -87,3 +87,7 @@ func (v Vault) Get(ctx context.Context, id vault.SecretID) (*vault.Secret, err`
`87`	`87`	`func (v Vault) Set(ctx context.Context, cred vault.Secret) (*vault.SecretID, error) {`
`88`	`88`	`return nil, errors.New("not implemented")`
`89`	`89`	`}`
	`90`	`+`
	`91`	`+func (v Vault) Delete(ctx context.Context, id vault.SecretID) (*vault.Empty, error) {`
	`92`	`+ return nil, vault.NotImplementedError`
	`93`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -126,3 +126,7 @@ func secretData(s *api.Secret) ([]byte, error) {`
`126`	`126`	`func (v Vault) Set(ctx context.Context, cred vault.Secret) (*vault.SecretID, error) {`
`127`	`127`	`return nil, errors.New("not implemented")`
`128`	`128`	`}`
	`129`	`+`
	`130`	`+func (v Vault) Delete(ctx context.Context, id vault.SecretID) (*vault.Empty, error) {`
	`131`	`+ return nil, vault.NotImplementedError`
	`132`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -125,3 +125,7 @@ func (v Vault) Get(ctx context.Context, id vault.SecretID) (*vault.Secret, err`
`125`	`125`	`Encoding: vault.SecretEncoding_encoding_json,`
`126`	`126`	`}, nil`
`127`	`127`	`}`
	`128`	`+`
	`129`	`+func (v Vault) Delete(ctx context.Context, id vault.SecretID) (*vault.Empty, error) {`
	`130`	`+ return nil, vault.NotImplementedError`
	`131`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -62,3 +62,7 @@ func (v Vault) Get(ctx context.Context, id vault.SecretID) (*vault.Secret, err`
`62`	`62`	`func (v Vault) Set(ctx context.Context, cred vault.Secret) (*vault.SecretID, error) {`
`63`	`63`	`return nil, errors.New("not implemented")`
`64`	`64`	`}`
	`65`	`+`
	`66`	`+func (v Vault) Delete(ctx context.Context, id vault.SecretID) (*vault.Empty, error) {`
	`67`	`+ return nil, vault.NotImplementedError`
	`68`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -56,3 +56,7 @@ func (m multiVault) Get(ctx context.Context, id vault.SecretID) (*vault.Secret`
`56`	`56`
`57`	`57`	`return nil, vault.NotFoundError`
`58`	`58`	`}`
	`59`	`+`
	`60`	`+func (m multiVault) Delete(ctx context.Context, id vault.SecretID) (*vault.Empty, error) {`
	`61`	`+ return nil, vault.NotImplementedError`
	`62`	`+}`