Kubernetes auth method for Hashicorp Vault #129

saschaisele-zf · 2024-07-24T10:06:21Z

saschaisele-zf
Jul 24, 2024

Kubernetes auth method for Hashicorp Vault

This proposal aims to introduce the Kubernetes auth method (based on the Kubernetes Service Account token) to the Hashicorp Vault extension of the Eclipse Dataspace Components.

Use-Case

Easy Provisioning

The authentication through a Kubernetes Service Account enables easy and automatic provisioning of new applications/services/components.
Components and their Service accounts will automatically receive certain roles and policies within Hashicorp Vault.
In this way, no manual configuration like token creation is needed any longer.

Easy Administration

Using the Kubernetes auth method, it is possible to do authentication exclusively through Kubernetes and you no longer have to interact with Hashicorp Vault, once the initial setup is complete.
This means that there no longer is any need to create and manage a token in Hashicorp Vault for each Component that uses it.
A Kubernetes Service account will suffice instead.

Affected Areas

Hashicorp Vault extension

Solution Proposal

Refactoring

To enable the addition of an alternative authentication mechanism, first the existing Token authentication has to be refactored.
For this, the authentication functionality is removed from the HashicorpVaultClient.java class.
A new interface called HashicorpVaultAuth.java is introduced, which will be the base for the authentication specific implementations.
The interface is then implemented in the classes HashicorpVaultAuthToken.java and HashicorpVaultAuthKubernetes.java.