Kubernetes auth method for Hashicorp Vault #4374
saschaisele-zf started this conversation in Ideas
Replies: 3 comments 6 replies
@saschaisele-zf Can you please provide a Decision Record specifically covering the changes first? To clarify, prior to the PR once the discussion resolves.
FYI: we are already using this feature in our ZF EDCs for almost one year without any problems. Therefore, we are also able to provide the implementation quite fast. 😉
Hi
Kubernetes auth method for Hashicorp Vault
This proposal aims to introduce the Kubernetes auth method (based on the Kubernetes Service Account token) to the Hashicorp Vault extension of the EDC.
Use-Case
Easy Provisioning
The authentication through a Kubernetes Service Account enables easy and automatic provisioning of new applications/services/components.
Components and their Service accounts will automatically receive certain roles and policies within Hashicorp Vault.
In this way, no manual configuration like token creation is needed any longer.
Easy Administration
Using the Kubernetes auth method, it is possible to do authentication exclusively through Kubernetes and you no longer have to interact with Hashicorp Vault, once the initial setup is complete.
This means that there no longer is any need to create and manage a token in Hashicorp Vault for each Component that uses it.
A Kubernetes Service account will suffice instead.
Affected Areas
Hashicorp Vault extension
Solution Proposal
Refactoring
To enable the addition of an alternative authentication mechanism, first the existing Token authentication has to be refactored.
For this, the authentication functionality is removed from the HashicorpVaultClient.java class. A new interface called HashicorpVaultAuth.java is introduced, which will be the base for the authentication-specific implementations. The interface is then implemented in the classes HashicorpVaultAuthToken.java and HashicorpVaultAuthKubernetes.java.
Kubernetes auth method
The Kubernetes auth method is done with the help of the Hashicorp Vault API.
An HTTP request is built and then sent to the API for authentication.
Configuration and selection of Authentication
The already existing configuration in HashicorpVaultSettings.java is extended. A new setting called edc.vault.hashicorp.auth.method is introduced, which governs the selection of the authentication method. By default, the existing token authentication is used to avoid breaking changes.
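The exchange a HashicorpVaultAuthKubernetes-style implementation would perform against the Vault API, together with the auth-method selection the proposal describes, as an added example that is not part of the original post or of the EDC code base. It assumes Vault's Kubernetes auth is mounted at `kubernetes` and that the role name and Vault URL come from the extension's configuration; all function names and sample values are constructed for illustration.

```python
"""Added example (not EDC project code): Vault Kubernetes-auth login exchange
and the edc.vault.hashicorp.auth.method switch from the proposal."""
import json
import urllib.request
from typing import Dict, Tuple

# Default location of the projected service-account token inside a pod.
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"
DEFAULT_MOUNT = "kubernetes"  # assumption: Vault auth mount path


def build_login_request(vault_url: str, role: str, jwt: str,
                        mount: str = DEFAULT_MOUNT) -> Tuple[str, Dict]:
    """Vault Kubernetes auth login is POST /v1/auth/<mount>/login carrying the
    role name and the pod's service-account JWT; no Vault token is needed."""
    url = f"{vault_url.rstrip('/')}/v1/auth/{mount}/login"
    return url, {"role": role, "jwt": jwt}


def parse_login_response(body: Dict) -> Dict:
    """Pull the client token and its lifetime out of Vault's login response.
    Unlike a static token created by hand, a Kubernetes-auth token has a TTL,
    so the caller must track it and renew or log in again before expiry."""
    auth = body["auth"]
    return {
        "client_token": auth["client_token"],
        "ttl_seconds": int(auth["lease_duration"]),
        "renewable": bool(auth.get("renewable", False)),
        "policies": list(auth.get("policies", [])),
    }


def select_auth_method(settings: Dict[str, str]) -> str:
    """Mirror the proposed setting: default to 'token' so existing deployments
    keep working, and fail closed on values no implementation exists for."""
    method = settings.get("edc.vault.hashicorp.auth.method", "token")
    if method not in ("token", "kubernetes"):
        raise ValueError(f"unsupported vault auth method: {method}")
    return method


def kubernetes_login(vault_url: str, role: str, mount: str = DEFAULT_MOUNT) -> Dict:
    """Run the real exchange from inside a pod (network call, not exercised by tests)."""
    with open(SA_TOKEN_PATH, encoding="utf-8") as f:
        jwt = f.read().strip()
    url, payload = build_login_request(vault_url, role, jwt, mount)
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"},
                                 method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_login_response(json.load(resp))
```

The returned client token is then sent as the X-Vault-Token header on the extension's existing secret read and write calls, which is why the login step can live behind the HashicorpVaultAuth interface without touching the client's other operations.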