hashivault: add configurable retry interval (#201)

Author: benbroadaway

tasks/hashivault/pom.xml

@@ -14,9 +14,8 @@
     <packaging>jar</packaging>
 
     <properties>
-        <okhttp.version>3.11.0</okhttp.version>
-        <nginx.image.version>nginx:1.21.5-alpine</nginx.image.version>
-        <vault.image.version>vault:1.1.3</vault.image.version>
+        <nginx.image.version>nginx:1.27-alpine</nginx.image.version>
+        <vault.image.version>hashicorp/vault:1.19</vault.image.version>
     </properties>
 
     <dependencies>
@@ -71,6 +70,17 @@
             <artifactId>junit-jupiter</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.mockito</groupId>
+            <artifactId>mockito-core</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.mockito</groupId>
+            <artifactId>mockito-junit-jupiter</artifactId>
+            <version>4.9.0</version>
+            <scope>test</scope>
+        </dependency>
         <dependency>
             <groupId>org.testcontainers</groupId>
             <artifactId>vault</artifactId>

tasks/hashivault/src/main/java/com/walmartlabs/concord/plugins/hashivault/HashiVaultTaskCommon.java

@@ -29,7 +29,6 @@
 import org.slf4j.LoggerFactory;
 
 import java.nio.charset.Charset;
-import java.util.Map;
 
 public class HashiVaultTaskCommon {
     Logger log = LoggerFactory.getLogger(HashiVaultTaskCommon.class);
@@ -75,27 +74,16 @@ private static VaultConfig buildConfig(TaskParams params) {
     public HashiVaultTaskResult execute(TaskParams params) {
         final VaultConfig config = buildConfig(params);
         final Vault vault = new Vault(config);
-        HashiVaultTaskResult result;
-
-        switch (params.action()) {
-            case READKV:
-                Map<String, String> data = readValue(vault, params);
-                result = HashiVaultTaskResult.of(true, data, null, params);
-                break;
-            case WRITEKV:
-                writeValue(vault, params);
-                result = HashiVaultTaskResult.of(true, null, null, params);
-                break;
-            default:
-                throw new HashiVaultTaskException("Unsupported action: " + params.action());
-        }
 
-        return result;
+        return switch (params.action()) {
+            case READKV -> readValue(vault, params);
+            case WRITEKV -> writeValue(vault, params);
+        };
     }
 
-    private Map<String, String> readValue(Vault vault, TaskParams params) {
+    private HashiVaultTaskResult readValue(Vault vault, TaskParams params) {
         try {
-            final LogicalResponse r = vault.withRetries(3, 5000).logical()
+            final LogicalResponse r = vault.withRetries(params.retryCount(), params.retryIntervalMs()).logical()
                     .withNameSpace(params.ns())
                     .read(params.path());
             final int status = r.getRestResponse().getStatus();
@@ -106,8 +94,7 @@ private Map<String, String> readValue(Vault vault, TaskParams params) {
                 throw new VaultException(body, status);
             }
 
-            return r.getData();
-
+            return HashiVaultTaskResult.of(true, r.getData(), null, params);
         } catch (VaultException e) {
             String msg = String.format("Error reading from vault (%s): %s",
                     e.getHttpStatusCode(), e.getMessage());
@@ -118,14 +105,14 @@ private Map<String, String> readValue(Vault vault, TaskParams params) {
         }
     }
 
-    private void writeValue(Vault vault, TaskParams params) {
+    private HashiVaultTaskResult writeValue(Vault vault, TaskParams params) {
         if (dryRunMode) {
             log.info("Dry-run mode enabled: Skipping write to vault");
-            return;
+            return HashiVaultTaskResult.of(true, null, null, params);
         }
 
         try {
-            final LogicalResponse r = vault.withRetries(3, 5000).logical()
+            final LogicalResponse r = vault.withRetries(params.retryCount(), params.retryIntervalMs()).logical()
                     .withNameSpace(params.ns())
                     .write(params.path(), params.kvPairs());
             final int status = r.getRestResponse().getStatus();
@@ -144,5 +131,7 @@ private void writeValue(Vault vault, TaskParams params) {
             log.error(msg);
             throw new HashiVaultTaskException(msg);
         }
+
+        return HashiVaultTaskResult.of(true, null, null, params);
     }
 }

tasks/hashivault/src/main/java/com/walmartlabs/concord/plugins/hashivault/TaskParams.java

@@ -33,6 +33,8 @@ public class TaskParams {
     private static final String DEFAULT_NAMESPACE = null;
     private static final int DEFAULT_ENGINE_VERSION = 2;
     private static final boolean DEFAULT_VERIFY_SSL = true;
+    private static final long DEFAULT_RETRY_COUNT = 3;
+    private static final long DEFAULT_RETRY_INTERVAL_MS = 5_000;
 
     public static final String DEFAULT_PARAMS_KEY = "hashivaultParams";
     public static final String TX_ID_KEY = "txId";
@@ -50,6 +52,8 @@ public class TaskParams {
     public static final String PATH_KEY = "path";
     public static final String KEY_KEY = "key";
     public static final String KV_PAIRS_KEY = "kvPairs";
+    public static final String RETRY_COUNT_KEY = "retryCount";
+    public static final String RETRY_INTERVAL_MS_KEY = "retryIntervalMs";
 
     protected final Variables variables;
 
@@ -69,28 +73,21 @@ public static TaskParams of(Variables input, Map<String, Object> defaults, Secre
         Variables variables = new MapBackedVariables(variablesMap);
         TaskParams p = new TaskParams(variables);
 
-        switch (p.action()) {
-            case READKV:
-            case WRITEKV:
-                return new TaskParams(variables);
-            default:
-                throw new IllegalArgumentException("Unsupported action type: " + p.action());
-        }
+        return switch (p.action()) {
+            case READKV, WRITEKV -> new TaskParams(variables);
+        };
     }
 
     private static String exportToken(SecretExporter secretExporter, Map<String, Object> secret) {
         String o = MapUtils.assertString(secret, ORG_KEY);
         String n = MapUtils.assertString(secret, NAME_KEY);
         String p = MapUtils.getString(secret, PASSWORD_KEY);
 
-        String token;
-
         try {
-            token = secretExporter.exportAsString(o, n, p);
+            return secretExporter.exportAsString(o, n, p);
         } catch (Exception e) {
             throw new HashiVaultTaskException("Error retrieving API token from Concord secret: " + e.getMessage());
         }
-        return token;
     }
 
     public Action action() {
@@ -122,6 +119,14 @@ public boolean verifySsl() {
         return variables.getBoolean(VERIFY_SSL_KEY, DEFAULT_VERIFY_SSL);
     }
 
+    public int retryCount() {
+        return variables.getNumber(RETRY_COUNT_KEY, DEFAULT_RETRY_COUNT).intValue();
+    }
+
+    public int retryIntervalMs() {
+        return variables.getNumber(RETRY_INTERVAL_MS_KEY, DEFAULT_RETRY_INTERVAL_MS).intValue();
+    }
+
     public int engineVersion() {
         if (path().matches("^/?cubbyhole.*")) {
             return 1;

tasks/hashivault/src/main/java/com/walmartlabs/concord/plugins/hashivault/v1/HashiVaultTask.java

@@ -111,4 +111,8 @@ public String exportAsString(String o, String n, String p) throws Exception {
             return secretService.exportAsString(ctx, txId, o, n, p);
         }
     }
+
+    protected void setDefaults(Map<String, Object> d) {
+        defaults = d;
+    }
 }

tasks/hashivault/src/main/java/com/walmartlabs/concord/plugins/hashivault/v2/HashiVaultTask.java

@@ -28,10 +28,8 @@
 import javax.inject.Inject;
 import javax.inject.Named;
 import java.util.Collections;
-import java.util.HashMap;
 import java.util.Map;
 
-
 @Named("hashivault")
 @DryRunReady
 public class HashiVaultTask implements Task {
@@ -52,47 +50,45 @@ public TaskResult.SimpleResult execute(Variables input) {
         final TaskParams params = createParams(input);
         final HashiVaultTaskCommon delegate = new HashiVaultTaskCommon(dryRunMode);
         final HashiVaultTaskResult result = delegate.execute(params);
-        final Map<String, Object> data = new HashMap<>(1);
-        data.put("data", result.data());
+        final Object data = result.data() == null ? Map.of() : result.data();
 
-        return TaskResult.of(result.ok(), result.error(), data);
+        return result.ok()
+                ? TaskResult.success().values(Map.of("data", data))
+                : TaskResult.fail(result.error());
     }
 
     private TaskParams createParams(Variables input) {
-        final SecretExporterV2 exporterV2 = new SecretExporterV2(secretService);
+        final var exporterV2 = new SecretExporterV2(secretService);
         return TaskParams.of(input, defaults, exporterV2);
     }
 
     public Map<String, Object> readKV(String path) {
-        Map<String, Object> vars = new HashMap<>();
-        vars.put(TaskParams.ACTION_KEY, TaskParams.Action.READKV.toString());
-        vars.put(TaskParams.PATH_KEY, path);
-
-        final Variables input = new MapBackedVariables(vars);
+        final Variables input = new MapBackedVariables(Map.of(
+                TaskParams.ACTION_KEY, TaskParams.Action.READKV.toString(),
+                TaskParams.PATH_KEY, path
+        ));
         final TaskParams params = createParams(input);
         final HashiVaultTaskResult result = new HashiVaultTaskCommon().execute(params);
         return result.data();
     }
 
     public String readKV(String path, String field) {
-        Map<String, Object> vars = new HashMap<>();
-        vars.put(TaskParams.ACTION_KEY, TaskParams.Action.READKV.toString());
-        vars.put(TaskParams.PATH_KEY, path);
-        vars.put(TaskParams.KEY_KEY, field);
-
-        final Variables input = new MapBackedVariables(vars);
+        final Variables input = new MapBackedVariables(Map.of(
+                TaskParams.ACTION_KEY, TaskParams.Action.READKV.toString(),
+                TaskParams.PATH_KEY, path,
+                TaskParams.KEY_KEY, field
+        ));
         final TaskParams params = createParams(input);
         final HashiVaultTaskResult result = new HashiVaultTaskCommon().execute(params);
         return result.data();
     }
 
     public void writeKV(String path, Map<String, Object> kvPairs) {
-        Map<String, Object> vars = new HashMap<>();
-        vars.put(TaskParams.ACTION_KEY, TaskParams.Action.WRITEKV.toString());
-        vars.put(TaskParams.PATH_KEY, path);
-        vars.put(TaskParams.KV_PAIRS_KEY, kvPairs);
-
-        final Variables input = new MapBackedVariables(vars);
+        final Variables input = new MapBackedVariables(Map.of(
+                TaskParams.ACTION_KEY, TaskParams.Action.WRITEKV.toString(),
+                TaskParams.PATH_KEY, path,
+                TaskParams.KV_PAIRS_KEY, kvPairs
+        ));
         final TaskParams params = createParams(input);
         final HashiVaultTaskCommon delegate = new HashiVaultTaskCommon();
         delegate.execute(params);

tasks/hashivault/src/test/java/com/walmartlabs/concord/plugins/hashivault/AbstractVaultTest.java

@@ -48,6 +48,8 @@ public abstract class AbstractVaultTest {
                     .withNetworkAliases("vault")
                     .withSecretInVault("secret/testing", "top_secret=password1","db_password=dbpassword1")
                     .withSecretInVault("cubbyhole/hello", "cubbyKey=cubbyVal")
+                    // we could explicitly wait for the http endpoint to be available here,
+                    // but the nginx check will implicitly handle that
                     .waitingFor(Wait.forLogMessage(".*Vault server started.*", 1));
     @Container
     public static NginxContainer<?> nginxContainer =
@@ -61,7 +63,10 @@ public abstract class AbstractVaultTest {
                     .withCopyFileToContainer(mountRes("nginx.conf"), "/etc/nginx/templates/default.conf.template")
                     .withCopyFileToContainer(mountRes("server.crt"), "/etc/nginx/certs/server.crt")
                     .withCopyFileToContainer(mountRes("server.key"), "/etc/nginx/certs/server.key")
-                    .waitingFor(Wait.forLogMessage(".*ready for start up.*", 1));
+                    .waitingFor(Wait.forHttps("/v1/sys/health")
+                            .forPort(NGINX_SSL_PORT)
+                            .forStatusCode(200)
+                            .allowInsecure());
 
     protected static String getVaultBaseUrl() {
         return String.format("http://%s:%s",