K8SPSMDB-1448: sync user secrets with vault (#2121)

* K8SPSMDB-1448: sync user secrets with vault

https://perconadev.atlassian.net/browse/K8SPSMDB-1448

* use `github.com/pkg/errors`

* add `serviceAccountTokenPath`

* Update pkg/apis/psmdb/v1/psmdb_defaults.go

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* `go mod tidy`

* add `tlsSecret` field

* use `errors.Wrap`

* fix validation message

* add unit-tests

* fix users-vault test

* improve validation

* small fixes

* small go mod change

* add test cases

* improve test

* implement cached vault

* fix tests

* refactor

* remove debug prints

* small improvements

* small fix

* `make manifests`

* fix unit-tests

* address comments

* return on logged error

* fix cached vault

* secret client per cluster + provider handler for future secret storages

* mac fix

* logging improvements

* implement critical errors

* fix wrapped errors

* small fix

* fix if condition

* fix unit-tests

* apply copilot suggestions

* make `endpointURL` required

* fix test

* fix validation error

* improve logs

* continue reconcile on failed connection to the vault

* small test fix

* fix test

* block reconcile when user secret doesn't exist

* final fix for `users-vault` test

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Mayank Shah <mayank.shah@percona.com>
Co-authored-by: Viacheslav Sarzhan <slava.sarzhan@percona.com>

Author: 4 people

config/crd/bases/psmdb.percona.com_perconaservermongodbs.yaml

@@ -24852,6 +24852,29 @@ spec:
                   - roles
                   type: object
                 type: array
+              vault:
+                properties:
+                  endpointURL:
+                    type: string
+                    x-kubernetes-validations:
+                    - message: endpointURL must be a valid URL
+                      rule: isURL(self)
+                  syncUsers:
+                    properties:
+                      keyPath:
+                        type: string
+                      mountPath:
+                        type: string
+                      role:
+                        type: string
+                      tokenSecret:
+                        type: string
+                    type: object
+                  tlsSecret:
+                    type: string
+                required:
+                - endpointURL
+                type: object
             required:
             - image
             type: object

deploy/bundle.yaml

@@ -25711,6 +25711,29 @@ spec:
                   - roles
                   type: object
                 type: array
+              vault:
+                properties:
+                  endpointURL:
+                    type: string
+                    x-kubernetes-validations:
+                    - message: endpointURL must be a valid URL
+                      rule: isURL(self)
+                  syncUsers:
+                    properties:
+                      keyPath:
+                        type: string
+                      mountPath:
+                        type: string
+                      role:
+                        type: string
+                      tokenSecret:
+                        type: string
+                    type: object
+                  tlsSecret:
+                    type: string
+                required:
+                - endpointURL
+                type: object
             required:
             - image
             type: object

deploy/cr.yaml

@@ -49,6 +49,14 @@ spec:
     apply: disabled
     schedule: "0 2 * * *"
     setFCV: false
+#  vault:
+#    endpointURL: https://vault-service:8200
+#    tlsSecret: my-tls-vault-secret
+#    syncUsers:
+#      role: operator
+#      mountPath: secrets
+#      keyPath: psmdb/operator/namespace/my-cluster-name/users
+#      tokenSecret: my-vault-sync-token-secret
   secrets:
     users: my-cluster-name-secrets
     encryptionKey: my-cluster-name-mongodb-encryption-key

deploy/crd.yaml

@@ -25711,6 +25711,29 @@ spec:
                   - roles
                   type: object
                 type: array
+              vault:
+                properties:
+                  endpointURL:
+                    type: string
+                    x-kubernetes-validations:
+                    - message: endpointURL must be a valid URL
+                      rule: isURL(self)
+                  syncUsers:
+                    properties:
+                      keyPath:
+                        type: string
+                      mountPath:
+                        type: string
+                      role:
+                        type: string
+                      tokenSecret:
+                        type: string
+                    type: object
+                  tlsSecret:
+                    type: string
+                required:
+                - endpointURL
+                type: object
             required:
             - image
             type: object

deploy/cw-bundle.yaml

@@ -25711,6 +25711,29 @@ spec:
                   - roles
                   type: object
                 type: array
+              vault:
+                properties:
+                  endpointURL:
+                    type: string
+                    x-kubernetes-validations:
+                    - message: endpointURL must be a valid URL
+                      rule: isURL(self)
+                  syncUsers:
+                    properties:
+                      keyPath:
+                        type: string
+                      mountPath:
+                        type: string
+                      role:
+                        type: string
+                      tokenSecret:
+                        type: string
+                    type: object
+                  tlsSecret:
+                    type: string
+                required:
+                - endpointURL
+                type: object
             required:
             - image
             type: object