feat: add @kubricate/plugin-azure-keyvault with AzureKeyVaultConnector#2

Open

mildronize wants to merge 7 commits into main from feature/azure-keyvault
Conversation

@mildronize (Contributor) commented May 12, 2026

TL;DR

Adds @kubricate/plugin-azure-keyvault — the first real plugin in this repo, providing an AzureKeyVaultConnector that reads secrets from Azure Key Vault and wires into Kubricate's SecretManager.

  • Type: feat

What & Why

What changed

  • Created new dir packages/plugin-azure-keyvault/ and implemented AzureKeyVaultConnector
  • Connector supports vaultUrl, optional prefix, and optional custom TokenCredential (defaults to DefaultAzureCredential)
  • Values are JSON-parsed (flat object) when possible, raw string otherwise — consistent with EnvConnector
  • Clean error messages on 404 (secret not found) and auth failures
  • 6 unit tests covering: load success, prefix, 404, JSON-parse, get-before-load, non-404 bubbles
  • Added examples/with-azure-keyvault/ showing the connector wired into a SecretManager + OpaqueSecretProvider

Why (problem / motivation)

  • The repo was bootstrapped with a dummy placeholder package — this PR replaces it with the first real plugin
  • Azure Key Vault is a common secret backend for teams deploying to AKS; this connector closes that gap for Kubricate users

Linked issues

  • Closes #____
  • Related: #____

Screenshots / Demos (if UI or DX)

Usage:

import { AzureKeyVaultConnector } from '@kubricate/plugin-azure-keyvault';
import { OpaqueSecretProvider } from '@kubricate/plugin-kubernetes';
import { SecretManager } from 'kubricate';

// Reads MY_APP_KEY and MY_DB_PASSWORD from the vault and hands them to the
// OpaqueSecretProvider. prefix and credential are optional; without a credential
// the connector falls back to DefaultAzureCredential.
export const secretManager = new SecretManager()
  .addConnector('AzureKeyVaultConnector', new AzureKeyVaultConnector({
    vaultUrl: 'https://my-vault.vault.azure.net/',
    // prefix: 'myapp/',
    // credential: new ClientSecretCredential(tenantId, clientId, clientSecret), // from '@azure/identity'
  }))
  .addProvider('OpaqueSecretProvider', new OpaqueSecretProvider({ name: 'app-secrets' }))
  .setDefaultConnector('AzureKeyVaultConnector')
  .setDefaultProvider('OpaqueSecretProvider')
  .addSecret({ name: 'MY_APP_KEY' })
  .addSecret({ name: 'MY_DB_PASSWORD' });

How to Test

  1. Clone the repo and run pnpm install
  2. Build the plugin: pnpm --filter=@kubricate/plugin-azure-keyvault build
  3. Run unit tests: pnpm --filter=@kubricate/plugin-azure-keyvault test
  4. Type-check the example: pnpm --filter=@examples/with-azure-keyvault check-types
  5. Expected: all pass with no errors

Breaking Changes?

  • No breaking changes

Migration notes

  • N/A — this is a new package, no existing API changed

Performance / Security / Compatibility

  • Performance impact: none — connector is only invoked during kubricate secret apply, not at manifest generation time
  • Security considerations: credentials never logged; DefaultAzureCredential follows Azure SDK best practices; custom credential injection allows managed identity or OIDC
  • Compatibility: Node.js >= 22, @kubricate/core ^0.22.0, @azure/identity ^4.6, @azure/keyvault-secrets ^4.9

Docs & Changelog

  • Code is commented where non-obvious
  • Docs updated (README / website / examples) — examples/with-azure-keyvault/ added
  • Add release note (one clear sentence)

Release note

Add @kubricate/plugin-azure-keyvault with AzureKeyVaultConnector for reading secrets from Azure Key Vault into Kubricate's secret management pipeline.

Checklist

  • Follows style & lints pass
  • Unit/integration tests added or not needed
  • CI green (build, tests, typecheck)
  • Feature flagged or safe by default
  • No sensitive data committed

Maintainer checklist

  • Labels: type/*, area/*, semver/*
  • Milestone set
  • Changelog entry generated
  • Squash & merge with conventional title
  • Backport? (if applicable)
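The "What changed" list above describes the connector's behaviour (optional prefix, JSON-parse-or-raw values, a clean error on 404, an error on get-before-load, and non-404 failures bubbling up) without showing it. The block below is an added illustration written for this page; it is not the plugin's source and does not import the Azure SDK. It assumes only that the real SecretClient exposes `getSecret(name)` returning `{ value }` and that SDK errors carry a numeric `statusCode`, and it takes an injected reader (`SecretReader`, a name chosen here) so the whole walk-through runs offline against a constructed in-memory vault.

```typescript
// Hypothetical re-implementation of the behaviour the PR describes; not the plugin's code.

/** The one method of @azure/keyvault-secrets' SecretClient this sketch relies on (assumption). */
export interface SecretReader {
  getSecret(name: string): Promise<{ value?: string }>;
}

/** A loaded value: a flat string map when the vault value was JSON, otherwise the raw string. */
export type SecretValue = string | Record<string, string>;

export interface ConnectorOptions {
  vaultUrl: string;
  prefix?: string;
  /** Injected reader; the real plugin would construct SecretClient(vaultUrl, credential) instead. */
  client: SecretReader;
}

/** JSON-parse only when the result is a flat object of strings; everything else stays raw. */
export function parseSecretValue(raw: string): SecretValue {
  try {
    const parsed: unknown = JSON.parse(raw);
    if (parsed !== null && typeof parsed === 'object' && !Array.isArray(parsed)) {
      const obj = parsed as Record<string, unknown>;
      if (Object.keys(obj).every((k) => typeof obj[k] === 'string')) {
        return obj as Record<string, string>;
      }
    }
  } catch {
    // not JSON at all: fall through and keep the raw string
  }
  return raw;
}

/** Azure SDK request errors carry statusCode; 404 means the secret does not exist. */
export function isNotFound(err: unknown): boolean {
  return typeof err === 'object' && err !== null && (err as { statusCode?: number }).statusCode === 404;
}

export class AzureKeyVaultConnector {
  private readonly vaultUrl: string;
  private readonly prefix: string;
  private readonly client: SecretReader;
  private readonly loaded = new Map<string, SecretValue>();

  constructor(opts: ConnectorOptions) {
    this.vaultUrl = opts.vaultUrl;
    this.prefix = opts.prefix ?? '';
    this.client = opts.client;
  }

  /** Fetch each requested secret; the prefix is applied to the vault name, not the local name. */
  async load(names: string[]): Promise<void> {
    for (const name of names) {
      const vaultName = this.prefix + name;
      let value: string | undefined;
      try {
        value = (await this.client.getSecret(vaultName)).value;
      } catch (err) {
        if (isNotFound(err)) {
          throw new Error(`Secret "${vaultName}" not found in ${this.vaultUrl}`);
        }
        throw err; // auth and transport failures propagate unchanged
      }
      if (value === undefined) {
        throw new Error(`Secret "${vaultName}" in ${this.vaultUrl} has no value`);
      }
      this.loaded.set(name, parseSecretValue(value));
    }
  }

  /** Return a loaded value; calling get() before load() is a programming error. */
  get(name: string): SecretValue {
    const value = this.loaded.get(name);
    if (value === undefined) {
      throw new Error(`Secret "${name}" was not loaded; call load() first`);
    }
    return value;
  }
}

/** Constructed in-memory stand-in for SecretClient; unknown names fail like the SDK's 404. */
export function fakeVault(store: Record<string, string>): SecretReader {
  return {
    async getSecret(name) {
      if (!(name in store)) {
        throw Object.assign(new Error(`Secret not found: ${name}`), { statusCode: 404 });
      }
      return { value: store[name] };
    },
  };
}

/** Walk through the cases the PR's unit tests list, against constructed vault contents. */
export async function demo(): Promise<{ appKey: SecretValue; db: SecretValue; notFoundMessage: string; bubbledStatus: number }> {
  const connector = new AzureKeyVaultConnector({
    vaultUrl: 'https://example.vault.azure.net/', // placeholder vault URL
    prefix: 'myapp-',
    client: fakeVault({ 'myapp-MY_APP_KEY': 'plain-value', 'myapp-MY_DB': '{"user":"app","password":"s3cret"}' }),
  });
  await connector.load(['MY_APP_KEY', 'MY_DB']);
  let notFoundMessage = '';
  try {
    await connector.load(['MISSING']);
  } catch (err) {
    notFoundMessage = (err as Error).message;
  }
  // A non-404 failure (constructed 401) must surface as the original error, not a "not found".
  const failing = new AzureKeyVaultConnector({
    vaultUrl: 'https://example.vault.azure.net/',
    client: { getSecret: async () => { throw Object.assign(new Error('unauthorized'), { statusCode: 401 }); } },
  });
  let bubbledStatus = 0;
  try {
    await failing.load(['ANY']);
  } catch (err) {
    bubbledStatus = (err as { statusCode: number }).statusCode;
  }
  return { appKey: connector.get('MY_APP_KEY'), db: connector.get('MY_DB'), notFoundMessage, bubbledStatus };
}

demo().then((result) => console.log(result));
```

The point of returning the raw string when JSON parsing yields a number, an array or a nested object is that Kubricate's providers receive either a single opaque string or a flat key/value map, so a vault value like `{"n":1}` is deliberately left untouched rather than half-converted.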

mildronize and others added 6 commits May 12, 2026 19:43
…r plugin package

description:
- Repurpose packages/dummy as packages/plugin-azure-keyvault with correct package.json metadata and Azure SDK dependencies
- Implement AzureKeyVaultConnector with load/get, prefix support, JSON parsing, and 404 error handling
- Add 6-case unit test suite using vi.mock for @azure/keyvault-secrets and @azure/identity (no real Azure connection)
- All checks pass: build, test (6/6), lint:check, check-types

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

…ault

description:
- Create all example files: package.json, tsconfig.json, eslint.config.mjs, .gitignore, .env.example
- Add src/setup-secrets.ts wiring AzureKeyVaultConnector + OpaqueSecretProvider into SecretManager
- Add src/stacks.ts with namespace and myApp stacks injecting two secrets
- Add kubricate.config.ts using defineConfig; add kubernetes-models as direct dep to fix TS2742 portability errors
- Verified pnpm check-types and lint:check both pass

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@mildronize mildronize changed the title Feature/azure keyvault feat: add @kubricate/plugin-azure-keyvault with AzureKeyVaultConnector May 12, 2026
pkg-pr-new Bot commented May 12, 2026

npm i https://pkg.pr.new/kubricate/plugins/@kubricate/plugin-azure-keyvault@2

commit: 1a04456
