Module io.helidon.integrations.vault.auths.k8s
Package io.helidon.integrations.vault.auths.k8s

Interface K8sAuth

public interface K8sAuth
Kubernetes authentication method API. All methods block the current thread. This implementation is not suitable for reactive programming. Use K8sAuthRx in reactive code.

  • Field Details

  • Method Details

    • create

      static K8sAuth create(K8sAuthRx reactive)
      Create blocking Kubernetes authentication API from its reactive counterpart.
      Parameters:
      reactive - k8s reactive API
      Returns:
      k8s blocking API

    • createRole

      CreateRole.Response createRole(CreateRole.Request request)
      Registers a role in the auth method. Role types have specific entities that can perform login operations against this endpoint. Constraints specific to the role type must be set on the role. These are applied to the authenticated entities attempting to login.
      Parameters:
      request - create role request
      Returns:
      when the role is created

    • deleteRole

      DeleteRole.Response deleteRole(DeleteRole.Request request)
      Deletes the previously registered role.
      Parameters:
      request - delete role request
      Returns:
      when the role is deleted

    • login

      Login.Response login(Login.Request request)
      Fetch a token. This endpoint takes a signed JSON Web Token (JWT) and a role name for some entity. It verifies the JWT signature to authenticate that entity and then authorizes the entity for the given role.
      Parameters:
      request - login request
      Returns:
      login response

    • configure

      ConfigureK8s.Response configure(ConfigureK8s.Request request)
      Configure this authentication method.

      The Kubernetes auth method validates service account JWTs and verifies their existence with the Kubernetes TokenReview API. This endpoint configures the public key used to validate the JWT signature and the necessary information to access the Kubernetes API.

      Caveats

      If Vault is running in a Kubernetes Pod, the kubernetes_ca_cert and token_reviewer_jwt parameters will automatically default to the local CA cert (/var/run/secrets/kubernetes.io/serviceaccount/ca.crt) and local service account JWT (/var/run/secrets/kubernetes.io/serviceaccount/token). This behavior may be disabled by setting disable_local_ca_jwt to true. When Vault is running in a non-Kubernetes environment, either kubernetes_ca_cert or pem_keys must be set by the user.

      Parameters:
      request - request to configure
      Returns:
      when configured