
vault-secrets: enhances dynamic secret output #129

Merged: 10 commits merged into main from vs-displayer-enhancements on Aug 13, 2024

Conversation


@austingebauer austingebauer commented Jul 18, 2024

Changes proposed in this PR:

This PR enhances the output for dynamic secrets. Additionally, it makes the displayer the single source for fields to better encapsulate them. Adding a "secret type" to the displayer was necessary to be able to conditionally display fields.

List secrets:

  • Removes latest version (open to bringing this back for lists)
# main branch
$ ./bin/hcp vs secrets list                         
Secret Name              Latest Version   Created At                 Type   
foo                      1                2024-06-21T16:11:29.863Z   kv     
s3_reader                0                2024-07-12T20:57:49.570Z   dynamic
service_account_viewer   0                2024-07-12T20:53:49.707Z   dynamic

# PR branch
$ ./bin/hcp vs secrets list                     
Secret Name              Type      Created At              
foo                      kv        2024-06-21T16:11:29.863Z
s3_reader                dynamic   2024-07-12T20:57:49.570Z
service_account_viewer   dynamic   2024-07-12T20:53:49.707Z

Read dynamic secret:

  • Removes latest version for only dynamic secrets
# main branch
$ ./bin/hcp vs secrets read --format=table s3_reader
Secret Name   Latest Version   Created At                 Type   
s3_reader     0                2024-07-12T20:57:49.570Z   dynamic

# PR branch
$ ./bin/hcp vs secrets read --format=table s3_reader
Secret Name   Type      Created At              
s3_reader     dynamic   2024-07-12T20:57:49.570Z

Open secrets:

  • Adds expires at, time-to-live for only dynamic secrets
  • Removes latest version for only dynamic secrets
  • Fixes created at to be the time the dynamic credential was generated instead of the time the dynamic secret resource was created
# main branch
$ ./bin/hcp vs secrets open --format=table s3_reader
Secret Name   Latest Version   Created At                 Values                                                                
s3_reader     0                2024-07-12T20:57:49.570Z   access_key_id: redacted
                                                          assumed_role_user_arn: redacted                                
                                                          secret_access_key: redacted
                                                          session_token: redacted

# PR branch
$ ./bin/hcp vs secrets open --format=table s3_reader
Secret Name   Type      Created At                 Expires At                 Time-to-Live   Values                             
s3_reader     dynamic   2024-07-18T16:12:13.765Z   2024-07-18T17:12:13.765Z   3600s          access_key_id: redacted
                                                                                             assumed_role_user_arn: redacted                                
                                                                                             secret_access_key: redacted           
                                                                                             session_token: redacted

How I've tested this PR:

Ran make go/test and manual testing. I will address test coverage once I get feedback this is directionally okay.

How I expect reviewers to test this PR:

Run commands above with different secret types to see if there are any bugs / missing information.

Checklist:

  • Tests added if applicable
  • CHANGELOG entry added or label 'pr/no-changelog' added to PR

    Run CHANGELOG_PR=<PR number> make changelog/new-entry for guidance
    in authoring a changelog entry, and commit the resulting file, which should
    have a name matching your PR number. Entries should use imperative present
    tense (e.g. Add support for...)

@austingebauer austingebauer requested a review from a team as a code owner July 18, 2024 16:31
Comment on lines 150 to 151
displayer := newDisplayer().OpenAppSecrets(resp.Payload.Secret).SetDefaultFormat(format.Pretty).
SetSingleSecret(resp.Payload.Secret.Type)

@austingebauer austingebauer Jul 18, 2024

A boolean argument to newDisplayer() was the indication of displaying a single secret or a list of secrets before. With this change, I've introduced a SetSingleSecret(type). I think this is clearer but could use feedback.


@maxcoulombe maxcoulombe Aug 5, 2024

When chaining OpenAppSecrets(resp.Payload.Secret) it gives the displayer instance access to the secret's type.

If the displayer internally had a map[secretType]openSecretFormatter populated automatically in newDisplayer(), it'd encapsulate that complexity for the callers and remove the need to use switch cases.

austingebauer (Contributor Author)

I like this idea. Reworking it now!

austingebauer (Contributor Author)

Okay I introduced an interface and removed all of the secret type switch cases in 6cd82c7. I was also able to simplify by deleting SetSecretType and the private single method. Those details are encapsulated now so that callers don't need to set them.

@austingebauer austingebauer requested a review from mercedesbh July 18, 2024 16:35

maxcoulombe commented Aug 5, 2024

Removes latest version (open to bringing this back for lists)

I have no super strong opinion, but the latest version is useful information for kv/rotating secrets so I'd lean towards keeping it. What about something like:

$ ./bin/hcp vs secrets list                     
Secret Name              Type      Latest Version      Created At              
foo                      kv        0                   2024-06-21T16:11:29.863Z
s3_reader                dynamic   -                   2024-07-12T20:57:49.570Z
service_account_viewer   dynamic   -                   2024-07-12T20:53:49.707Z

Instead of a 0 to more clearly denote dynamic secrets are not versioned.

@maxcoulombe maxcoulombe left a comment

Looks good, 2 small suggestions for the list response and to simplify/eliminate the SetSingleSecret if we think it's worth it, but that can totally be done as follow-ups if ever.

austingebauer (Contributor Author)

Instead of a 0 to more clearly denote dynamic secrets are not versioned.

@maxcoulombe - Good suggestion! Using - for dynamic secrets in 1f10d7e and restored the version in lists.
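As an added illustration (example code written for this page, not code from the hcp CLI or from this PR) of the two points settled in the thread above, the following Go program keeps a map from secret type to a per-type formatter, built once in newDisplayer() as maxcoulombe suggested so that callers never switch on the type, and renders dynamic secrets with "-" in the Latest Version column for lists while the open view drops the version and adds Expires At and Time-to-Live. The Secret, SecretType, Field, Rows and formatter names, the payload shape and the sample timestamps are all assumptions constructed for the example; an unregistered secret type is reported as an error rather than rendered as a blank row.

```go
package main

import (
	"fmt"
	"time"
)

const timeLayout = "2006-01-02T15:04:05.000Z"

// SecretType mirrors the "Type" column of the CLI output.
type SecretType string

const TypeKV, TypeDynamic SecretType = "kv", "dynamic"

// Secret is a constructed stand-in for the API payload (assumed shape).
type Secret struct {
	Name          string
	Type          SecretType
	LatestVersion int
	CreatedAt     time.Time     // dynamic: when the credential was generated
	TTL           time.Duration // dynamic secrets only
}

// Field is one output column: header name and cell value.
type Field struct{ Name, Value string }

// secretFormatter is the per-type encapsulation suggested in review: each
// type decides its own fields, so callers never switch on the secret type.
type secretFormatter interface {
	Fields(s Secret, open bool) []Field
}

func commonFields(s Secret, version string) []Field {
	return []Field{
		{"Secret Name", s.Name},
		{"Type", string(s.Type)},
		{"Latest Version", version},
		{"Created At", s.CreatedAt.UTC().Format(timeLayout)},
	}
}

type kvFormatter struct{}

func (kvFormatter) Fields(s Secret, _ bool) []Field {
	return commonFields(s, fmt.Sprint(s.LatestVersion))
}

type dynamicFormatter struct{}

// Dynamic secrets are not versioned: lists show "-" rather than 0, and the
// open view drops the version column in favour of expiry and TTL.
func (dynamicFormatter) Fields(s Secret, open bool) []Field {
	if !open {
		return commonFields(s, "-")
	}
	return []Field{
		{"Secret Name", s.Name},
		{"Type", string(s.Type)},
		{"Created At", s.CreatedAt.UTC().Format(timeLayout)},
		{"Expires At", s.CreatedAt.Add(s.TTL).UTC().Format(timeLayout)},
		{"Time-to-Live", fmt.Sprintf("%ds", int(s.TTL/time.Second))},
	}
}

// displayer owns the type -> formatter map, populated once in newDisplayer.
type displayer struct{ formatters map[SecretType]secretFormatter }

func newDisplayer() *displayer {
	return &displayer{formatters: map[SecretType]secretFormatter{
		TypeKV: kvFormatter{}, TypeDynamic: dynamicFormatter{},
	}}
}

// Rows builds list (open=false) or open (open=true) rows; an unregistered
// type is an error rather than a silently blank row.
func (d *displayer) Rows(secrets []Secret, open bool) ([][]Field, error) {
	rows := make([][]Field, 0, len(secrets))
	for _, s := range secrets {
		f, ok := d.formatters[s.Type]
		if !ok {
			return nil, fmt.Errorf("no formatter registered for secret type %q", s.Type)
		}
		rows = append(rows, f.Fields(s, open))
	}
	return rows, nil
}

func main() {
	// Constructed sample: a dynamic secret whose credential was just generated.
	created := time.Date(2024, 7, 18, 16, 12, 13, 765000000, time.UTC)
	s := Secret{Name: "s3_reader", Type: TypeDynamic, CreatedAt: created, TTL: time.Hour}
	rows, err := newDisplayer().Rows([]Secret{s}, true)
	if err != nil {
		panic(err)
	}
	for _, f := range rows[0] {
		fmt.Printf("%-14s %s\n", f.Name, f.Value)
	}
}
```

Adding a new secret type then means registering one more formatter in newDisplayer(); the commands that list or open secrets stay untouched, and a type that was never registered fails visibly instead of printing an empty or misleading row.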

@austingebauer austingebauer merged commit d114e54 into main Aug 13, 2024
6 checks passed
@austingebauer austingebauer deleted the vs-displayer-enhancements branch August 13, 2024 23:57