Example 1 with Vault

use of io.helidon.integrations.vault.Vault in project helidon by oracle.

The class K8sVaultAuth, method authenticate.

@Override
public Optional<RestApi> authenticate(Config config, Vault.Builder vaultBuilder) {
    boolean enabled = config.get("auth.k8s.enabled").asBoolean().orElse(true);
    if (!enabled) {
        return Optional.empty();
    }
    String jwtToken;
    // Service account JWT lookup order: explicit token set on this instance, then configuration,
    // then the token file mounted at tokenLocation (the usual in-pod projected token).
    if (this.serviceAccountToken == null) {
        Optional<String> maybeToken = config.get("auth.k8s.service-account-token").asString().or(() -> {
            Path tokenPath = Paths.get(tokenLocation);
            if (!Files.exists(tokenPath)) {
                return Optional.empty();
            }
            try {
                return Optional.of(Files.readString(tokenPath));
            } catch (IOException e) {
                throw new VaultApiException("Failed to read token from " + tokenPath.toAbsolutePath(), e);
            }
        });
        if (maybeToken.isEmpty()) {
            // no token available: this auth method does not apply, let discovery try another one
            return Optional.empty();
        }
        jwtToken = maybeToken.get();
    } else {
        jwtToken = serviceAccountToken;
    }
    String roleName = Optional.ofNullable(this.tokenRole)
            .or(() -> config.get("auth.k8s.token-role").asString().asOptional())
            .orElseThrow(() -> new VaultApiException("Token role must be defined when using Kubernetes vault "
                                                             + "authentication."));
    // this may be changed in the future, when running with a sidecar (there should be a way to get the address from env)
    String address = vaultBuilder.address()
            .orElseThrow(() -> new VaultApiException("Address is required when using k8s authentication"));
    // a separate, unauthenticated Vault client is used only for the login call itself
    Vault.Builder loginVaultBuilder = Vault.builder()
            .address(address)
            .disableVaultAuthDiscovery()
            .faultTolerance(vaultBuilder.ftHandler())
            .updateWebClient(it -> vaultBuilder.webClientUpdater().accept(it))
            .addVaultAuth(NoVaultAuth.create());
    vaultBuilder.baseNamespace().ifPresent(loginVaultBuilder::baseNamespace);
    Vault loginVault = loginVaultBuilder.build();
    String methodPath = Optional.ofNullable(this.methodPath)
            .orElseGet(() -> config.get("auth.k8s.path").asString().orElse(K8sAuthRx.AUTH_METHOD.defaultPath()));
    LOGGER.info("Authenticated Vault " + address + "/" + methodPath + " using k8s, role \"" + roleName + "\"");
    return Optional.of(K8sRestApi.k8sBuilder()
                               .webClientBuilder(webclient -> {
                                   webclient.baseUri(address + "/v1");
                                   vaultBuilder.baseNamespace().ifPresent(ns -> webclient.addHeader("X-Vault-Namespace", ns));
                                   vaultBuilder.webClientUpdater().accept(webclient);
                               })
                               .faultTolerance(vaultBuilder.ftHandler())
                               .auth(loginVault.auth(K8sAuthRx.AUTH_METHOD, methodPath))
                               .roleName(roleName)
                               .jwtToken(jwtToken)
                               .build());
}
Also used : Path(java.nio.file.Path) VaultApiException(io.helidon.integrations.vault.VaultApiException) Files(java.nio.file.Files) Config(io.helidon.config.Config) IOException(java.io.IOException) Logger(java.util.logging.Logger) Vault(io.helidon.integrations.vault.Vault) NoVaultAuth(io.helidon.integrations.vault.auths.common.NoVaultAuth) Paths(java.nio.file.Paths) RestApi(io.helidon.integrations.common.rest.RestApi) Optional(java.util.Optional) Priority(jakarta.annotation.Priority) VaultAuth(io.helidon.integrations.vault.spi.VaultAuth)

Example 2 with Vault

use of io.helidon.integrations.vault.Vault in project helidon by oracle.

The class NoVaultAuth, method authenticate.

@Override
public Optional<RestApi> authenticate(Config config, Vault.Builder vaultBuilder) {
    boolean enabled = config.get("noauth.enabled").asBoolean().orElse(true);
    if (!enabled) {
        return Optional.empty();
    }
    String address = vaultBuilder.address()
            .orElseThrow(() -> new VaultApiException("Address must be defined"));
    return Optional.of(VaultRestApi.builder().webClientBuilder(webclient -> {
        webclient.baseUri(address + "/v1");
        vaultBuilder.baseNamespace().ifPresent(ns -> webclient.addHeader("X-Vault-Namespace", ns));
        vaultBuilder.webClientUpdater().accept(webclient);
    }).faultTolerance(vaultBuilder.ftHandler()).build());
}
Also used : VaultApiException(io.helidon.integrations.vault.VaultApiException) Vault(io.helidon.integrations.vault.Vault) Config(io.helidon.config.Config) RestApi(io.helidon.integrations.common.rest.RestApi) Optional(java.util.Optional) Priority(jakarta.annotation.Priority) VaultAuth(io.helidon.integrations.vault.spi.VaultAuth)

Example 3 with Vault

use of io.helidon.integrations.vault.Vault in project helidon by oracle.

The class AppRoleVaultAuth, method authenticate.

@Override
public Optional<RestApi> authenticate(Config config, Vault.Builder vaultBuilder) {
    boolean enabled = config.get("auth.app-role.enabled").asBoolean().orElse(true);
    if (!enabled) {
        return Optional.empty();
    }
    Optional<String> maybeAppRoleId = Optional.ofNullable(this.appRoleId)
            .or(() -> config.get("auth.app-role.role-id").asString().asOptional());
    if (maybeAppRoleId.isEmpty()) {
        LOGGER.fine("AppRole vault authentication not used, as app-role.role-id is not defined");
        return Optional.empty();
    }
    String appRoleId = maybeAppRoleId.get();
    // a role id without a secret id is a configuration error, not a reason to silently skip this method
    String secretId = Optional.ofNullable(this.secretId)
            .or(() -> config.get("auth.app-role.secret-id").asString().asOptional())
            .orElseThrow(() -> new VaultApiException("AppRole ID is defined (" + appRoleId + "), but secret id is not. "
                                                             + "Cannot authenticate."));
    // the secret id itself is deliberately never logged
    LOGGER.finest("Will try to login to Vault using app role id: " + appRoleId + " and a secret id.");
    // this may be changed in the future, when running with a sidecar (there should be a way to get the address from env)
    String address = vaultBuilder.address()
            .orElseThrow(() -> new VaultApiException("Address is required when using AppRole authentication"));
    // a separate, unauthenticated Vault client is used only for the login call itself
    Vault.Builder loginVaultBuilder = Vault.builder()
            .address(address)
            .disableVaultAuthDiscovery()
            .updateWebClient(vaultBuilder.webClientUpdater())
            .faultTolerance(vaultBuilder.ftHandler())
            .addVaultAuth(NoVaultAuth.create());
    vaultBuilder.baseNamespace().ifPresent(loginVaultBuilder::baseNamespace);
    Vault loginVault = loginVaultBuilder.build();
    String methodPath = Optional.ofNullable(this.methodPath)
            .orElseGet(() -> config.get("auth.app-role.path").asString().orElse(AppRoleAuthRx.AUTH_METHOD.defaultPath()));
    LOGGER.info("Authenticated Vault " + address + "/" + methodPath + " using AppRole, roleId \"" + appRoleId + "\"");
    return Optional.of(AppRoleRestApi.appRoleBuilder()
                               .webClientBuilder(webclient -> {
                                   webclient.baseUri(address + "/v1");
                                   vaultBuilder.baseNamespace().ifPresent(ns -> webclient.addHeader("X-Vault-Namespace", ns));
                                   vaultBuilder.webClientUpdater().accept(webclient);
                               })
                               .faultTolerance(vaultBuilder.ftHandler())
                               .auth(loginVault.auth(AppRoleAuthRx.AUTH_METHOD, methodPath))
                               .appRoleId(appRoleId)
                               .secretId(secretId)
                               .build());
}
Also used : VaultApiException(io.helidon.integrations.vault.VaultApiException) Vault(io.helidon.integrations.vault.Vault)

Example 4 with Vault

use of io.helidon.integrations.vault.Vault in project helidon by oracle.

The class VaultCdiExtension, method createInstance.

private Object createInstance(String name, RequiredProducer required, InjectionProvider.InjectionType<?> injectionType) {
    Config config = producerConfig(name);
    Vault vault = CDI.current().select(Vault.class, required.vaultQualifiers()).get();
    return injectionType.createInstance(vault, config, required.instanceConfig());
}
Also used : Config(io.helidon.config.Config) Vault(io.helidon.integrations.vault.Vault)

Example 5 with Vault

use of io.helidon.integrations.vault.Vault in project helidon by oracle.

The class TestKubernetesAuth, method setupK8s.

@Test
@Order(0)
void setupK8s(SeContainer container) {
    Sys sys = container.select(Sys.class).get();
    Vault vault = container.select(Vault.class).get();
    sys.enableAuth(K8sAuthRx.AUTH_METHOD);
    K8sAuthRx k8sAuth = vault.auth(K8sAuthRx.AUTH_METHOD);
    // cluster-internal API server address (kubernetes.default.svc) that Vault uses to validate service account tokens
    k8sAuth.configure(ConfigureK8s.Request.builder().address("https://10.96.0.1")).await();
    sys.createPolicy("admin", VaultPolicy.POLICY);
    // test-only role: any service account name in the test namespace is bound to the "admin" policy
    k8sAuth.createRole(CreateRole.Request.builder()
                               .roleName("my-role")
                               .addBoundServiceAccountName("*")
                               .addBoundServiceAccountNamespace(findNamespace())
                               .addTokenPolicy("admin"))
            .await();
}
Also used : K8sAuthRx(io.helidon.integrations.vault.auths.k8s.K8sAuthRx) Vault(io.helidon.integrations.vault.Vault) Sys(io.helidon.integrations.vault.sys.Sys) Order(org.junit.jupiter.api.Order) TestMethodOrder(org.junit.jupiter.api.TestMethodOrder) HelidonTest(io.helidon.microprofile.tests.junit5.HelidonTest) Test(org.junit.jupiter.api.Test)

Aggregations

Vault (io.helidon.integrations.vault.Vault) 6
Config (io.helidon.config.Config) 4
VaultApiException (io.helidon.integrations.vault.VaultApiException) 3
RestApi (io.helidon.integrations.common.rest.RestApi) 2
VaultAuth (io.helidon.integrations.vault.spi.VaultAuth) 2
Priority (jakarta.annotation.Priority) 2
Optional (java.util.Optional) 2
LogConfig (io.helidon.common.LogConfig) 1
CompletionAwaitable (io.helidon.common.reactive.CompletionAwaitable) 1
ConfigSources.classpath (io.helidon.config.ConfigSources.classpath) 1
ConfigSources.file (io.helidon.config.ConfigSources.file) 1
NoVaultAuth (io.helidon.integrations.vault.auths.common.NoVaultAuth) 1
K8sAuthRx (io.helidon.integrations.vault.auths.k8s.K8sAuthRx) 1
CubbyholeSecretsRx (io.helidon.integrations.vault.secrets.cubbyhole.CubbyholeSecretsRx) 1
Kv1SecretsRx (io.helidon.integrations.vault.secrets.kv1.Kv1SecretsRx) 1
Kv2SecretsRx (io.helidon.integrations.vault.secrets.kv2.Kv2SecretsRx) 1
TransitSecretsRx (io.helidon.integrations.vault.secrets.transit.TransitSecretsRx) 1
Sys (io.helidon.integrations.vault.sys.Sys) 1
SysRx (io.helidon.integrations.vault.sys.SysRx) 1
HelidonTest (io.helidon.microprofile.tests.junit5.HelidonTest) 1