HashiCorp Vault
Overview
HashiCorp Vault is a commonly used Vault in many microservices. The APIs are REST-based and Helidon implements them using WebClient.
Maven Coordinates
To enable HashiCorp Vault, add the following dependency to your project’s
pom.xml (see Managing Dependencies).
<dependency>
<groupId>io.helidon.integrations.vault</groupId>
<artifactId>helidon-integrations-vault</artifactId>
</dependency>
The following is a list of maven coordinates of all Vault modules available:
<dependencies>
<dependency>
<groupId>io.helidon.integrations.vault.auths</groupId>
<artifactId>helidon-integrations-vault-auths-token</artifactId>
</dependency>
<dependency>
<groupId>io.helidon.integrations.vault.auths</groupId>
<artifactId>helidon-integrations-vault-auths-approle</artifactId>
</dependency>
<dependency>
<groupId>io.helidon.integrations.vault.auths</groupId>
<artifactId>helidon-integrations-vault-auths-k8s</artifactId>
</dependency>
<dependency>
<groupId>io.helidon.integrations.vault.secrets</groupId>
<artifactId>helidon-integrations-vault-secrets-kv1</artifactId>
</dependency>
<dependency>
<groupId>io.helidon.integrations.vault.secrets</groupId>
<artifactId>helidon-integrations-vault-secrets-kv2</artifactId>
</dependency>
<dependency>
<groupId>io.helidon.integrations.vault.secrets</groupId>
<artifactId>helidon-integrations-vault-secrets-cubbyhole</artifactId>
</dependency>
<dependency>
<groupId>io.helidon.integrations.vault.secrets</groupId>
<artifactId>helidon-integrations-vault-secrets-transit</artifactId>
</dependency>
<dependency>
<groupId>io.helidon.integrations.vault.secrets</groupId>
<artifactId>helidon-integrations-vault-secrets-database</artifactId>
</dependency>
<dependency>
<groupId>io.helidon.integrations.vault.sys</groupId>
<artifactId>helidon-integrations-vault-sys</artifactId>
</dependency>
</dependencies>
Usage
Vault integration supports the following:
- Secret Engines: Key/Value version 2, Key/Value version 1, Cubbyhole, PKI, Transit, Database
- Authentication Methods: Token, Kubernetes (k8s), AppRole
- Other Sys Operations and Configurations
Each of these features is implemented as a separate module, with the Vault class binding them together. Code to set up Vault and obtain a specific secret engine:
Vault vault = Vault.builder()
.config(config.get("vault"))
.build();
Kv2Secrets secrets = vault.secrets(Kv2Secrets.ENGINE);
Similar code can be used for any secret engine available:
- Kv2SecretsRx - Key/Value Version 2 Secrets (versioned secrets, default)
- Kv1SecretsRx - Key/Value Version 1 Secrets (unversioned secrets, legacy)
- CubbyholeSecretsRx - Cubbyhole secrets (token bound secrets)
- DbSecretsRx - Database secrets (for generating temporary DB credentials)
- PkiSecretsRx - PKI secrets (for generating keys and X.509 certificates)
- TransitSecretsRx - Transit operations (encryption, signatures, HMAC)
In addition to these features, Vault itself can be authenticated as follows:
- Token authentication - token is configured when connecting to Vault
vault: address: "http://localhost:8200" token: "my-token" - AppRole authentication - AppRole ID and secret ID are configured, integration
exchanges these for a temporary token that is used to connect to Vault
vault: auth: app-role: role-id: "app-role-id" secret-id: app-role-secret-id - K8s authentication - the k8s JWT token is discovered on current node and used
to obtain a temporary token that is used to connect to Vault
Minimal configuration to connect to Vault:
Code to get the Sys operations of Vault:
Sys sys = vault.sys(Sys.API);
Extensibility
New secret engines and authentication methods can be implemented quite easily, as the integration is based on service providers (using ServiceLoader). This gives us (or you, as the users) the option to add new secret engines and/or authentication methods without adding a plethora of methods to the Vault class.
See the following SPIs:
io.helidon.integrations.vault.spi.AuthMethodProvider
io.helidon.integrations.vault.spi.SecretsEngineProvider
io.helidon.integrations.vault.spi.SysProvider
io.helidon.integrations.vault.spi.VaultAuth
io.helidon.integrations.vault.spi.InjectionProvider
Examples
The following example shows usage of Vault to encrypt a secret.
Usage with WebServer
Configure the Vault object using token base configuration:
Vault tokenVault = Vault.builder()
.config(config.get("vault.token"))
.updateWebClient(it -> it
.connectTimeout(Duration.ofSeconds(5))
.readTimeout(Duration.ofSeconds(5)))
.build();
Then WebServer has to be configured with endpoints routing registered:
Sys sys = tokenVault.sys(Sys.API);
WebServer webServer = WebServer.builder()
.config(config.get("server"))
.routing(routing -> routing
.register("/cubbyhole", new CubbyholeService(sys, tokenVault.secrets(CubbyholeSecrets.ENGINE)))
.register("/kv1", new Kv1Service(sys, tokenVault.secrets(Kv1Secrets.ENGINE)))
.register("/kv2", new Kv2Service(sys, tokenVault.secrets(Kv2Secrets.ENGINE)))
.register("/transit", new TransitService(sys, tokenVault.secrets(TransitSecrets.ENGINE))))
.build()
.start();
AppRole-based and Kubernetes authentications are available.
Cubbyhole secrets
Cubbyhole secrets engine operations:
KV1 Secrets
Key/Value version 1 secrets engine operations:
KV2 Secrets
Key/Value version 2 secrets engine operations:
Transit secrets
Transit secrets engine operations:
Authentication with Kubernetes
In order to use Kubernetes authentication:
Local testing
Vault is available as a docker image, so to test locally, you can simply:
docker run -d \
-e VAULT_DEV_ROOT_TOKEN_ID=my-token \
--name=vault \
-p 8200:8200 \
vault
This will create a Vault docker image, run it in background and open it on
localhost:8200 with a custom root token my-token, using name vault. This is of
course only suitable for local testing, as the root token has too many rights,
but it can be easily used with the examples below.