Module io.helidon.integrations.vault.auths.k8s
Package io.helidon.integrations.vault.auths.k8s

Interface K8sAuth

  • public interface K8sAuth
    Kubernetes authentication method API. All methods block the current thread. This implementation is not suitable for reactive programming. Use K8sAuthRx in reactive code.

    • Method Detail

      • create

        static K8sAuth create​(K8sAuthRx reactive)
        Create blocking Kubernetes authentication API from its reactive counterpart.
        Parameters:
        reactive - k8s reactive API
        Returns:
        k8s blocking API

      • createRole

        CreateRole.Response createRole​(CreateRole.Request request)
        Registers a role in the auth method. Role types have specific entities that can perform login operations against this endpoint. Constraints specific to the role type must be set on the role. These are applied to the authenticated entities attempting to login.
        Parameters:
        request - create role request
        Returns:
        when the role is created

      • deleteRole

        DeleteRole.Response deleteRole​(DeleteRole.Request request)
        Deletes the previously registered role.
        Parameters:
        request - delete role request
        Returns:
        when the role is deleted

      • login

        Login.Response login​(Login.Request request)
        Fetch a token. This endpoint takes a signed JSON Web Token (JWT) and a role name for some entity. It verifies the JWT signature to authenticate that entity and then authorizes the entity for the given role.
        Parameters:
        request - login request
        Returns:
        login response

      • configure

        ConfigureK8s.Response configure​(ConfigureK8s.Request request)
        Configure this authentication method.

        The Kubernetes auth method validates service account JWTs and verifies their existence with the Kubernetes TokenReview API. This endpoint configures the public key used to validate the JWT signature and the necessary information to access the Kubernetes API.

        Caveats

        If Vault is running in a Kubernetes Pod, the kubernetes_ca_cert and token_reviewer_jwt parameters will automatically default to the local CA cert (/var/run/secrets/kubernetes.io/serviceaccount/ca.crt) and local service account JWT (/var/run/secrets/kubernetes.io/serviceaccount/token). This behavior may be disabled by setting disable_local_ca_jwt to true. When Vault is running in a non-Kubernetes environment, either kubernetes_ca_cert or pem_keys must be set by the user.

        Parameters:
        request - request to configure
        Returns:
        when configured