runtimevar/hashivault: add HashiVault runtimevar driver

allmodules

@@ -18,5 +18,6 @@ pubsub/kafkapubsub           yes
 pubsub/natspubsub            yes
 pubsub/rabbitpubsub          yes
 runtimevar/etcdvar           yes
+runtimevar/hashivault        yes
 samples                      no
 secrets/hashivault           yes

internal/testing/alldeps

@@ -187,6 +187,7 @@ gocloud.dev/pubsub/kafkapubsub
 gocloud.dev/pubsub/natspubsub
 gocloud.dev/pubsub/rabbitpubsub
 gocloud.dev/runtimevar/etcdvar
+gocloud.dev/runtimevar/hashivault
 gocloud.dev/samples
 gocloud.dev/secrets/hashivault
 golang.org/x/crypto

internal/website/content/howto/runtimevar/_index.md

@@ -250,6 +250,27 @@ and a URL.
 
 [`httpvar.OpenVariable`]: https://godoc.org/gocloud.dev/runtimevar/httpvar#OpenVariable
 
+### HashiCorp Vault {#hashivault}
+
+`hashivault` supports watching a variable stored in [HashiCorp Vault's KV Secrets Engine][].
+Use `runtimevar.OpenVariable` with a URL starting with `hashivault://`.
+
+The default URL opener will use the environment variables `VAULT_SERVER_URL` (or
+`VAULT_ADDR`) for the server address, and `VAULT_SERVER_TOKEN` (or `VAULT_TOKEN`)
+for authentication.
+
+[HashiCorp Vault's KV Secrets Engine]: https://www.vaultproject.io/docs/secrets/kv
+
+{{< goexample "gocloud.dev/runtimevar/hashivault.Example_openVariableFromURL" >}}
+
+#### HashiCorp Vault Constructor {#hashivault-ctor}
+
+The [`hashivault.OpenVariable`][] constructor opens a variable with a Vault client.
+
+{{< goexample "gocloud.dev/runtimevar/hashivault.ExampleOpenVariable" >}}
+
+[`hashivault.OpenVariable`]: https://godoc.org/gocloud.dev/runtimevar/hashivault#OpenVariable
+
 ### Blob {#blob}
 
 `blobvar` supports watching a variable based on the contents of a

internal/website/content/runtimevar/hashivault/_index.md

@@ -0,0 +1,4 @@
+---
+title: gocloud.dev/runtimevar/hashivault
+type: pkg
+---

runtimevar/hashivault/example_test.go

@@ -0,0 +1,64 @@
+// Copyright 2019 The Go Cloud Development Kit Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package hashivault_test
+
+import (
+	"context"
+	"log"
+
+	"github.com/hashicorp/vault/api"
+	"gocloud.dev/runtimevar"
+	"gocloud.dev/runtimevar/hashivault"
+)
+
+func ExampleOpenVariable() {
+	// PRAGMA: This example is used on gocloud.dev; PRAGMA comments adjust how it is shown and can be ignored.
+	// PRAGMA: On gocloud.dev, hide lines until the next blank line.
+	ctx := context.Background()
+
+	// Get a client to use with the Vault API.
+	client, err := hashivault.Dial(ctx, &hashivault.Config{
+		Token: "CLIENT_TOKEN",
+		APIConfig: api.Config{
+			Address: "http://127.0.0.1:8200",
+		},
+	})
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	// Construct a *runtimevar.Variable that watches the secret.
+	v, err := hashivault.OpenVariable(client, "myapp/config", runtimevar.StringDecoder, nil)
+	if err != nil {
+		log.Fatal(err)
+	}
+	defer v.Close()
+}
+
+func Example_openVariableFromURL() {
+	// PRAGMA: This example is used on gocloud.dev; PRAGMA comments adjust how it is shown and can be ignored.
+	// PRAGMA: On gocloud.dev, add a blank import: _ "gocloud.dev/runtimevar/hashivault"
+	// PRAGMA: On gocloud.dev, hide lines until the next blank line.
+	ctx := context.Background()
+
+	// runtimevar.OpenVariable creates a *runtimevar.Variable from a URL.
+	// The default opener connects to a Vault server based on the environment
+	// variables VAULT_SERVER_URL/VAULT_ADDR and VAULT_SERVER_TOKEN/VAULT_TOKEN.
+	v, err := runtimevar.OpenVariable(ctx, "hashivault://myapp/config?decoder=string")
+	if err != nil {
+		log.Fatal(err)
+	}
+	defer v.Close()
+}

runtimevar/hashivault/go.mod

@@ -0,0 +1,90 @@
+// Copyright 2018-2019 The Go Cloud Development Kit Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+module gocloud.dev/runtimevar/hashivault
+
+go 1.24.0
+
+toolchain go1.24.7
+
+require (
+	github.com/hashicorp/vault/api v1.22.0
+	gocloud.dev v0.44.0
+)
+
+require (
+	cloud.google.com/go/auth v0.17.0 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
+	cloud.google.com/go/compute/metadata v0.9.0 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.40.0 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.32.2 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.19.2 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.14 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.14 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.14 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.14 // indirect
+	github.com/aws/aws-sdk-go-v2/service/signin v1.0.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.30.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.41.2 // indirect
+	github.com/aws/smithy-go v1.24.0 // indirect
+	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/google/go-cmp v0.7.0 // indirect
+	github.com/google/go-replayers/grpcreplay v1.3.0 // indirect
+	github.com/google/go-replayers/httpreplay v1.2.0 // indirect
+	github.com/google/martian/v3 v3.3.3 // indirect
+	github.com/google/s2a-go v0.1.9 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/google/wire v0.7.0 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.7 // indirect
+	github.com/googleapis/gax-go/v2 v2.15.0 // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.8 // indirect
+	github.com/hashicorp/go-rootcerts v1.0.2 // indirect
+	github.com/hashicorp/go-secure-stdlib/parseutil v0.2.0 // indirect
+	github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
+	github.com/hashicorp/go-sockaddr v1.0.7 // indirect
+	github.com/hashicorp/hcl v1.0.1-vault-7 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/ryanuber/go-glob v1.0.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 // indirect
+	go.opentelemetry.io/otel v1.38.0 // indirect
+	go.opentelemetry.io/otel/metric v1.38.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.38.0 // indirect
+	go.opentelemetry.io/otel/sdk/metric v1.38.0 // indirect
+	go.opentelemetry.io/otel/trace v1.38.0 // indirect
+	golang.org/x/crypto v0.45.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/oauth2 v0.33.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
+	golang.org/x/time v0.14.0 // indirect
+	golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da // indirect
+	google.golang.org/api v0.256.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20251124214823-79d6a2a48846 // indirect
+	google.golang.org/grpc v1.77.0 // indirect
+	google.golang.org/protobuf v1.36.10 // indirect
+)
+
+replace gocloud.dev => ../../