hpcc-systems · kenrowland · Mar 25, 2026 · Mar 26, 2026 · Apr 8, 2026 · Apr 8, 2026
diff --git a/helm/hpcc/values.schema.json b/helm/hpcc/values.schema.json
@@ -1038,7 +1038,7 @@
         },
         "kind": {
           "type": "string",
-          "enum": ["kv-v2", "kv-v1"]
+          "enum": ["kv-v2", "kv-v1", "akeyless"]
         },
         "type": {
           "description": "The vault provider type (e.g. 'akeyless' or kv backend)",
@@ -1114,6 +1114,7 @@
             "required": ["type"]
           },
           "then": {
+            "required": ["accessId"],
             "oneOf": [
               {
                 "required": ["accessKey"],
@@ -1123,7 +1124,47 @@
                 "required": ["client-secret"],
                 "not": { "required": ["accessKey"] }
               }
-            ]
+            ],
+            "properties": {
+              "kind": { "enum": ["akeyless"] }
+            }
+          }
+        },
+        {
+          "if": {
+            "properties": {
+              "kind": { "const": "akeyless" }
+            },
+            "required": ["kind"]
+          },
+          "then": {
+            "required": ["accessId"],
+            "oneOf": [
+              {
+                "required": ["accessKey"],
+                "not": { "required": ["client-secret"] }
+              },
+              {
+                "required": ["client-secret"],
+                "not": { "required": ["accessKey"] }
+              }
+            ],
+            "properties": {
+              "type": { "enum": ["akeyless"] }
+            }
+          }
+        },
+        {
+          "if": {
+            "properties": {
+              "type": { "enum": ["kv-v1", "kv-v2"] }
+            },
+            "required": ["type"]
+          },
+          "then": {
+            "properties": {
+              "kind": { "enum": ["kv-v1", "kv-v2"] }
+            }
           }
         }
       ]

diff --git a/initfiles/componentfiles/configxml/CMakeLists.txt b/initfiles/componentfiles/configxml/CMakeLists.txt
@@ -22,6 +22,7 @@ CONFIGURE_FILE(${CMAKE_CURRENT_SOURCE_DIR}/espsmcservice.xsd.in ${CMAKE_CURRENT_
 CONFIGURE_FILE(${CMAKE_CURRENT_SOURCE_DIR}/ftslave_linux.xsd.in ${CMAKE_CURRENT_BINARY_DIR}/ftslave_linux.xsd)
 CONFIGURE_FILE(${CMAKE_CURRENT_SOURCE_DIR}/roxie.xsd.in ${CMAKE_CURRENT_BINARY_DIR}/roxie.xsd)
 CONFIGURE_FILE(${CMAKE_CURRENT_SOURCE_DIR}/RoxieTopology.xsl ${CMAKE_CURRENT_BINARY_DIR}/RoxieTopology.xsl)
+CONFIGURE_FILE(${CMAKE_CURRENT_SOURCE_DIR}/vaults-common.xsl ${CMAKE_CURRENT_BINARY_DIR}/vaults-common.xsl)
 CONFIGURE_FILE(${CMAKE_CURRENT_SOURCE_DIR}/thor.xsd.in ${CMAKE_CURRENT_BINARY_DIR}/thor.xsd)
 CONFIGURE_FILE(${CMAKE_CURRENT_SOURCE_DIR}/thor.xsl ${CMAKE_CURRENT_BINARY_DIR}/thor.xsl)
 
@@ -43,6 +44,7 @@ FOREACH( iFILES
     ${CMAKE_CURRENT_BINARY_DIR}/ftslave_linux.xsd
     ${CMAKE_CURRENT_BINARY_DIR}/roxie.xsd
     ${CMAKE_CURRENT_BINARY_DIR}/RoxieTopology.xsl
+    ${CMAKE_CURRENT_BINARY_DIR}/vaults-common.xsl
     ${CMAKE_CURRENT_BINARY_DIR}/thor.xsd
     ${CMAKE_CURRENT_BINARY_DIR}/thor.xsl
     ${CMAKE_CURRENT_SOURCE_DIR}/setvars_linux.xsl

diff --git a/initfiles/componentfiles/configxml/RoxieTopology.xsl b/initfiles/componentfiles/configxml/RoxieTopology.xsl
@@ -20,6 +20,7 @@
 <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xml:space="default"
  xmlns:seisint="http://seisint.com" exclude-result-prefixes="seisint">
     <xsl:output method="xml" indent="yes" omit-xml-declaration="no" encoding="UTF-8"/>
+    <xsl:include href="vaults-common.xsl"/>
     <xsl:template match="text()"/>
     <xsl:param name="process" select="'unknown'"/>
     <xsl:param name="isLinuxInstance" select="1"/>
@@ -123,7 +124,7 @@
             </xsl:attribute>
             <xsl:copy-of select="./expert"/>
             <xsl:copy-of select="./pageCache"/>
-            <xsl:copy-of select="/Environment/Software/vaults"/>
+            <xsl:call-template name="copyVaultsConfig"/>
             <xsl:copy-of select="/Environment/Software/Directories"/>
             <xsl:choose>
                 <xsl:when test="tracing">

diff --git a/initfiles/componentfiles/configxml/agentexec.xsl b/initfiles/componentfiles/configxml/agentexec.xsl
@@ -20,6 +20,7 @@
 <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
 
   <xsl:output method="xml" version="1.0" encoding="UTF-8" indent="yes" omit-xml-declaration="yes"/>
+  <xsl:include href="vaults-common.xsl"/>
 
   <xsl:param name="process" select="'unknown'"/>
   <xsl:param name="instance" select="'s1'"/>
@@ -125,7 +126,7 @@
         </xsl:attribute>
       </xsl:if>
       <xsl:copy-of select="analyzerOptions"/>
-      <xsl:copy-of select="/Environment/Software/vaults"/>
+      <xsl:call-template name="copyVaultsConfig"/>
       <xsl:copy-of select="/Environment/Software/Directories"/>  
       <xsl:choose>
           <xsl:when test="tracing">

diff --git a/initfiles/componentfiles/configxml/dali.xsl b/initfiles/componentfiles/configxml/dali.xsl
@@ -19,6 +19,7 @@
 
 <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xml:space="default">
   <xsl:output method="xml" indent="yes" omit-xml-declaration="no" encoding="UTF-8"/>
+  <xsl:include href="vaults-common.xsl"/>
   <xsl:template match="text()"/>
   <xsl:param name="process" select="'dali'"/>
   <xsl:param name="isLinuxInstance" select="0"/>
@@ -403,7 +404,8 @@
   </xsl:template>
 
   <xsl:template name="addVaultsConfig">
-    <xsl:copy-of select="/Environment/Software/vaults"/>
+    <xsl:call-template name="validateLdapVaultReferences"/>
+    <xsl:call-template name="copyVaultsConfig"/>
   </xsl:template>
 
 </xsl:stylesheet>
diff --git a/initfiles/componentfiles/configxml/eclccserver.xsl b/initfiles/componentfiles/configxml/eclccserver.xsl
@@ -20,6 +20,7 @@
 <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
 
 <xsl:output method="xml" version="1.0" encoding="UTF-8" indent="yes" omit-xml-declaration="yes"/>
+<xsl:include href="vaults-common.xsl"/>
 
 <xsl:param name="process" select="'eclccserver'"/>
 <xsl:param name="instance" select="'s1'"/>
@@ -73,7 +74,7 @@
 
       <xsl:apply-templates select="Option[string(@name) != '']" mode="copy"/>
 
-      <xsl:copy-of select="/Environment/Software/vaults"/>
+      <xsl:call-template name="copyVaultsConfig"/>
 
       <xsl:choose>
             <xsl:when test="tracing">

diff --git a/initfiles/componentfiles/configxml/esp.xsl b/initfiles/componentfiles/configxml/esp.xsl
@@ -22,6 +22,7 @@
     xmlns:seisint="http://seisint.com" xmlns:exslt="http://exslt.org/common" exclude-result-prefixes="seisint exslt">
 
     <xsl:output method="xml" indent="yes" omit-xml-declaration="no" encoding="UTF-8"/>
+    <xsl:include href="vaults-common.xsl"/>
     <!--xsl:template match="text()"/-->
     <xsl:param name="process" select="'esp'"/>
     <xsl:param name="instance" select="'2wd20'"/>
@@ -274,7 +275,8 @@
             </xsl:variable>
             <xsl:apply-templates select="exslt:node-set($importedServiceDefinitionFiles)" mode="processImportedServiceDefinitions"/>
             <xsl:apply-templates select="node()"/>
-            <xsl:copy-of select="/Environment/Software/vaults"/>
+            <xsl:call-template name="validateLdapVaultReferences"/>
+            <xsl:call-template name="copyVaultsConfig"/>
         </xsl:copy>
 
     </xsl:template>

diff --git a/initfiles/componentfiles/configxml/thor.xsl b/initfiles/componentfiles/configxml/thor.xsl
@@ -20,6 +20,7 @@
 <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
  xmlns:fo="http://www.w3.org/1999/XSL/Format" xml:space="default">
     <xsl:output method="xml" version="1.0" encoding="UTF-8" indent="yes" omit-xml-declaration="yes"/>
+  <xsl:include href="vaults-common.xsl"/>
     <xsl:param name="process" select="'thor'"/>
     <xsl:param name="isLinuxInstance" select="0"/>
     <xsl:param name="tempPath" select="'c:\temp\'"/>
@@ -190,7 +191,7 @@
 
       <xsl:apply-templates select="@*[string(.) != '']"/>
 
-      <xsl:copy-of select="/Environment/Software/vaults"/>
+      <xsl:call-template name="copyVaultsConfig"/>
       <xsl:copy-of select="/Environment/Software/Directories"/> 
       <xsl:choose>
           <xsl:when test="tracing">

diff --git a/initfiles/componentfiles/configxml/vaults-common.xsl b/initfiles/componentfiles/configxml/vaults-common.xsl
@@ -0,0 +1,95 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+################################################################################
+#    HPCC SYSTEMS software Copyright (C) 2012 HPCC Systems®.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License");
+#    you may not use this file except in compliance with the License.
+#    You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS,
+#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#    See the License for the specific language governing permissions and
+#    limitations under the License.
+################################################################################
+-->
+
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+
+  <xsl:template name="validateLdapVaultReferences">
+    <xsl:for-each select="/Environment/Software/LDAPServerProcess">
+      <xsl:variable name="ldapServerName" select="@name"/>
+      <xsl:variable name="ldapAdminVaultId" select="normalize-space(@ldapAdminVaultId)"/>
+      <xsl:variable name="hpccAdminVaultId" select="normalize-space(@hpccAdminVaultId)"/>
+
+      <xsl:if test="$ldapAdminVaultId != '' and not(/Environment/Software/vaults/authn[@name=$ldapAdminVaultId])">
+        <xsl:message terminate="yes">LDAPServerProcess '<xsl:value-of select="$ldapServerName"/>' references ldapAdminVaultId '<xsl:value-of select="$ldapAdminVaultId"/>' which does not match any /Environment/Software/vaults/authn/@name.</xsl:message>
+      </xsl:if>
+
+      <xsl:if test="$hpccAdminVaultId != '' and not(/Environment/Software/vaults/authn[@name=$hpccAdminVaultId])">
+        <xsl:message terminate="yes">LDAPServerProcess '<xsl:value-of select="$ldapServerName"/>' references hpccAdminVaultId '<xsl:value-of select="$hpccAdminVaultId"/>' which does not match any /Environment/Software/vaults/authn/@name.</xsl:message>
+      </xsl:if>
+    </xsl:for-each>
+  </xsl:template>
+
+  <xsl:template name="validateVaultTypeKind">
+    <xsl:for-each select="/Environment/Software/vaults/*">
+      <xsl:variable name="vaultName" select="@name"/>
+      <xsl:variable name="vaultType" select="translate(normalize-space(@type), 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz')"/>
+      <xsl:variable name="vaultKind" select="translate(normalize-space(@kind), 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz')"/>
+      <xsl:variable name="isAkeyless" select="$vaultType='akeyless' or ($vaultType='' and $vaultKind='akeyless')"/>
+
+      <xsl:if test="$vaultType='' and $vaultKind=''">
+        <xsl:message terminate="yes">Vault '<xsl:value-of select="$vaultName"/>' is invalid: either type or kind must be specified.</xsl:message>
+      </xsl:if>
+
+      <xsl:if test="normalize-space(@url) = ''">
+        <xsl:message terminate="yes">Vault '<xsl:value-of select="$vaultName"/>' is missing required attribute url.</xsl:message>
+      </xsl:if>
+
+      <xsl:if test="$vaultType != '' and not($vaultType='akeyless' or $vaultType='hashicorp' or $vaultType='kv-v1' or $vaultType='kv-v2')">
+        <xsl:message terminate="yes">Vault '<xsl:value-of select="$vaultName"/>' has invalid type '<xsl:value-of select="@type"/>'. Allowed values are: akeyless, hashicorp, kv-v1, kv-v2.</xsl:message>
+      </xsl:if>
+
+      <!-- Match runtime behavior in jsecrets.cpp: only akeyless is a distinct provider; any other/non-empty type is treated as hashicorp-like. -->
+      <xsl:if test="$vaultType='akeyless' and $vaultKind != '' and $vaultKind != 'akeyless'">
+        <xsl:message terminate="yes">Vault '<xsl:value-of select="$vaultName"/>' has invalid type/kind combination: type='<xsl:value-of select="@type"/>' kind='<xsl:value-of select="@kind"/>'.</xsl:message>
+      </xsl:if>
+
+      <xsl:if test="$vaultType != '' and $vaultType != 'akeyless' and $vaultKind = 'akeyless'">
+        <xsl:message terminate="yes">Vault '<xsl:value-of select="$vaultName"/>' has invalid type/kind combination: type='<xsl:value-of select="@type"/>' kind='<xsl:value-of select="@kind"/>'.</xsl:message>
+      </xsl:if>
+
+      <xsl:if test="$isAkeyless and normalize-space(@accessId) = ''">
+        <xsl:message terminate="yes">Vault '<xsl:value-of select="$vaultName"/>' is missing required akeyless attribute accessId.</xsl:message>
+      </xsl:if>
+
+      <xsl:if test="$isAkeyless and normalize-space(@accessKey) = '' and normalize-space(@client-secret) = ''">
+        <xsl:message terminate="yes">Vault '<xsl:value-of select="$vaultName"/>' must specify one of akeyless attributes accessKey or client-secret.</xsl:message>
+      </xsl:if>
+
+      <xsl:if test="$isAkeyless and normalize-space(@accessKey) != '' and normalize-space(@client-secret) != ''">
+        <xsl:message terminate="yes">Vault '<xsl:value-of select="$vaultName"/>' cannot specify both akeyless attributes accessKey and client-secret.</xsl:message>
+      </xsl:if>
+    </xsl:for-each>
+  </xsl:template>
+
+  <xsl:template name="copyVaultsConfig">
+    <xsl:call-template name="validateVaultTypeKind"/>
+    <xsl:if test="/Environment/Software/vaults">
+      <vaults>
+        <xsl:copy-of select="/Environment/Software/vaults/@*"/>
+        <xsl:for-each select="/Environment/Software/vaults/*">
+          <xsl:copy>
+            <xsl:copy-of select="@*"/>
+            <xsl:copy-of select="node()"/>
+          </xsl:copy>
+        </xsl:for-each>
+      </vaults>
+    </xsl:if>
+  </xsl:template>
+
+</xsl:stylesheet>
diff --git a/testing/helm/errtests/akeyless-both-secrets.yaml b/testing/helm/errtests/akeyless-both-secrets.yaml
@@ -0,0 +1,9 @@
+# Invalid: Akeyless vault with both accessKey and client-secret (oneOf violation)
+vaults:
+  ecl:
+    - name: my-akeyless-vault
+      url: https://api.akeyless.io
+      type: akeyless
+      accessId: my-access-id
+      accessKey: my-access-key-value
+      client-secret: my-k8s-secret-name
diff --git a/testing/helm/errtests/akeyless-invalid-accesstype.yaml b/testing/helm/errtests/akeyless-invalid-accesstype.yaml
@@ -0,0 +1,9 @@
+# Invalid: Akeyless vault with unsupported accessType (only "access_key" allowed)
+vaults:
+  ecl:
+    - name: my-akeyless-vault
+      url: https://api.akeyless.io
+      type: akeyless
+      accessId: my-access-id
+      accessKey: my-access-key-value
+      accessType: invalid_type
diff --git a/testing/helm/errtests/akeyless-missing-accessid.yaml b/testing/helm/errtests/akeyless-missing-accessid.yaml
@@ -0,0 +1,7 @@
+# Invalid: Akeyless vault missing required accessId
+vaults:
+  ecl:
+    - name: my-akeyless-vault
+      url: https://api.akeyless.io
+      type: akeyless
+      accessKey: my-access-key-value
diff --git a/testing/helm/errtests/akeyless-no-secrets.yaml b/testing/helm/errtests/akeyless-no-secrets.yaml
@@ -0,0 +1,7 @@
+# Invalid: Akeyless vault with neither accessKey nor client-secret (oneOf violation)
+vaults:
+  ecl:
+    - name: my-akeyless-vault
+      url: https://api.akeyless.io
+      type: akeyless
+      accessId: my-access-id
diff --git a/testing/helm/tests/akeyless-valid.yaml b/testing/helm/tests/akeyless-valid.yaml
@@ -0,0 +1,16 @@
+# Valid: Akeyless vault with accessKey
+vaults:
+  ecl:
+    - name: my-akeyless-vault
+      url: https://api.akeyless.io
+      type: akeyless
+      accessId: my-access-id
+      accessKey: my-access-key-value
+      accessType: access_key
+  # Valid: Akeyless vault using client-secret instead
+  eclUser:
+    - name: my-akeyless-ecl-user-vault
+      url: https://api.akeyless.io
+      kind: akeyless
+      accessId: another-access-id
+      client-secret: my-k8s-secret-for-key