Add Azure Key Vault configuration support with object model, schema, and CLI options

[Copilot]

This PR implements comprehensive Azure Key Vault configuration support for Data API Builder, enabling users to configure Key Vault settings for secret management through both configuration files and CLI commands.

Changes Made

1. Object Model Classes

• AzureKeyVaultOptions: Top-level configuration class with endpoint and retry policy
• RetryPolicyOptions: Detailed retry configuration with mode, counts, delays, and timeouts
• RetryPolicyMode: Enum supporting Fixed and Exponential retry modes
• Updated RuntimeConfig to include the new AzureKeyVault property

2. JSON Schema Updates

Added azure-key-vault section to dab.draft.schema.json with:

• Optional endpoint property (string)
• Optional retry-policy object with configurable properties
• Proper defaults: mode=exponential, max-count=3, delay-seconds=1, max-delay-seconds=60, network-timeout-seconds=60
• Conditional constraints ensuring retry-policy options require an endpoint
• Additional constraint that max-delay-seconds is only valid for exponential mode

3. CLI Integration

Added 6 new CLI options following DAB naming conventions:

• --azure-key-vault.endpoint: Configure Key Vault endpoint URL
• --azure-key-vault.retry-policy.mode: Set retry mode (fixed/exponential)
• --azure-key-vault.retry-policy.max-count: Maximum retry attempts
• --azure-key-vault.retry-policy.delay-seconds: Initial delay between retries
• --azure-key-vault.retry-policy.max-delay-seconds: Maximum delay for exponential backoff
• --azure-key-vault.retry-policy.network-timeout-seconds: Network timeout duration

4. Configuration Processing

• Extended ConfigGenerator with TryUpdateConfiguredAzureKeyVaultOptions method
• Comprehensive input validation with meaningful error messages
• Proper handling of partial configurations (e.g., retry-policy without endpoint)
• Full serialization/deserialization support

Example Usage

# Configure Key Vault endpoint
dab configure --azure-key-vault.endpoint "https://my-vault.vault.azure.net/"

# Configure retry policy
dab configure --azure-key-vault.retry-policy.mode exponential
dab configure --azure-key-vault.retry-policy.max-count 5
dab configure --azure-key-vault.retry-policy.delay-seconds 2
dab configure --azure-key-vault.retry-policy.max-delay-seconds 120

Configuration Example

{
  "azure-key-vault": {
    "endpoint": "https://my-vault.vault.azure.net/",
    "retry-policy": {
      "mode": "exponential",
      "max-count": 5,
      "delay-seconds": 2,
      "max-delay-seconds": 120,
      "network-timeout-seconds": 90
    }
  }
}

Testing

• ✅ Full serialization/deserialization validation
• ✅ CLI option recognition and processing
• ✅ Input validation with proper error handling
• ✅ Schema constraints and defaults verification
• ✅ Integration testing with various configuration scenarios
• ✅ Build verification across all projects

Fixes #2733.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

• test
  • Triggering command: /usr/lib/dotnet/dotnet exec --runtimeconfig /home/REDACTED/work/data-api-builder/data-api-builder/src/out/tests/net8.0/Azure.DataApiBuilder.Service.Tests.runtimeconfig.json --depsfile /home/REDACTED/work/data-api-builder/data-api-builder/src/out/tests/net8.0/Azure.DataApiBuilder.Service.Tests.deps.json /home/REDACTED/work/data-api-builder/data-api-builder/src/out/tests/net8.0/testhost.dll --port 37677 --endpoint 127.0.0.1:037677 --role client --parentprocessid 4197 --telemetryoptedin false (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to my firewall allow list

---

💬 Share your feedback on Copilot coding agent for the chance to win a $200 gift card! Click here to start the survey.