se.integrations.hcv.adoc Maven / Gradle / Ivy
///////////////////////////////////////////////////////////////////////////////
Copyright (c) 2021, 2024 Oracle and/or its affiliates.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
///////////////////////////////////////////////////////////////////////////////
= HashiCorp Vault
:description: Helidon HashiCorp Vault integration
:keywords: vault, hashicorp
:feature-name: HashiCorp Vault
:rootdir: {docdir}/../..
include::{rootdir}/includes/se.adoc[]
== Contents
- <>
- <>
- <>
- <>
- <>
- <>
== Overview
HashiCorp Vault is a commonly used Vault in many microservices. The APIs are REST-based and Helidon implements them using
xref:{webclient-page}[WebClient].
include::{rootdir}/includes/dependencies.adoc[]
[source,xml]
----
io.helidon.integrations.vault
helidon-integrations-vault
----
The following is a list of maven coordinates of all Vault modules available:
[source,xml]
----
io.helidon.integrations.vault.auths
helidon-integrations-vault-auths-token
io.helidon.integrations.vault.auths
helidon-integrations-vault-auths-approle
io.helidon.integrations.vault.auths
helidon-integrations-vault-auths-k8s
io.helidon.integrations.vault.secrets
helidon-integrations-vault-secrets-kv1
io.helidon.integrations.vault.secrets
helidon-integrations-vault-secrets-kv2
io.helidon.integrations.vault.secrets
helidon-integrations-vault-secrets-cubbyhole
io.helidon.integrations.vault.secrets
helidon-integrations-vault-secrets-transit
io.helidon.integrations.vault.secrets
helidon-integrations-vault-secrets-database
io.helidon.integrations.vault.sys
helidon-integrations-vault-sys
----
== Usage
Vault integration supports the following:
* *Secret Engines*: Key/Value version 2, Key/Value version 1, Cubbyhole, PKI, Transit, Database
* *Authentication Methods*: Token, Kubernetes (k8s), AppRole
* *Other Sys Operations and Configurations*
Each of these features is implemented as a separate module, with the Vault class binding them together. Code to set up Vault and obtain a specific secret engine:
[source,java]
----
include::{sourcedir}/se/integrations/HcvSnippets.java[tag=snippet_1, indent=0]
----
Similar code can be used for any secret engine available:
* Kv2SecretsRx - Key/Value Version 2 Secrets (versioned secrets, default)
* Kv1SecretsRx - Key/Value Version 1 Secrets (unversioned secrets, legacy)
* CubbyholeSecretsRx - Cubbyhole secrets (token bound secrets)
* DbSecretsRx - Database secrets (for generating temporary DB credentials)
* PkiSecretsRx - PKI secrets (for generating keys and X.509 certificates)
* TransitSecretsRx - Transit operations (encryption, signatures, HMAC)
In addition to these features, Vault itself can be authenticated as follows:
* Token authentication - token is configured when connecting to Vault
[source,yaml]
----
vault:
address: "http://localhost:8200"
token: "my-token"
----
* AppRole authentication - AppRole ID and secret ID are configured, integration exchanges these for a temporary token that is used to connect to Vault
[source,yaml]
----
vault:
auth:
app-role:
role-id: "app-role-id"
secret-id: app-role-secret-id
----
* K8s authentication - the k8s JWT token is discovered on current node and used to obtain a temporary token that is used to connect to Vault
[source,yaml]
----
vault:
auth:
k8s:
token-role: "my-role" <1>
----
<1> The token role must be configured in Vault
Minimal configuration to connect to Vault:
Code to get the Sys operations of Vault:
[source,java]
----
include::{sourcedir}/se/integrations/HcvSnippets.java[tag=snippet_2, indent=0]
----
=== Extensibility
New secret engines and authentication methods can be implemented quite easily, as the integration is based on service providers (using ServiceLoader). This gives us (or you, as the users) the option to add new secret engines and/or authentication methods without adding a plethora of methods to the Vault class.
See the following SPIs:
[source,text]
----
io.helidon.integrations.vault.spi.AuthMethodProvider
io.helidon.integrations.vault.spi.SecretsEngineProvider
io.helidon.integrations.vault.spi.SysProvider
io.helidon.integrations.vault.spi.VaultAuth
io.helidon.integrations.vault.spi.InjectionProvider
----
== Examples
The following example shows usage of Vault to encrypt a secret.
=== Usage with WebServer
Configure the `Vault` object using token base configuration:
[source,java]
----
include::{sourcedir}/se/integrations/HcvSnippets.java[tag=snippet_3, indent=0]
----
Then `WebServer` has to be configured with endpoints routing registered:
[source,java]
----
include::{sourcedir}/se/integrations/HcvSnippets.java[tag=snippet_4, indent=0]
----
AppRole-based and Kubernetes authentications are available.
=== Cubbyhole secrets
Cubbyhole secrets engine operations:
[source,java]
----
include::{sourcedir}/se/integrations/HcvSnippets.java[tag=snippet_5, indent=0]
----
<1> Create a secret from request entity.
<2> Get the secret on a specified path.
=== KV1 Secrets
Key/Value version 1 secrets engine operations:
[source,java]
----
include::{sourcedir}/se/integrations/HcvSnippets.java[tag=snippet_6, indent=0]
----
<1> Disable the secrets engine on the default path.
<2> Enable the secrets engine on the default path.
<3> Create a secret from request entity.
<4> Delete the secret on a specified path.
<5> Get the secret on a specified path.
=== KV2 Secrets
Key/Value version 2 secrets engine operations:
[source,java]
----
include::{sourcedir}/se/integrations/HcvSnippets.java[tag=snippet_7, indent=0]
----
<1> Create a secret from request entity.
<2> Delete the secret on a specified path.
<3> Get the secret on a specified path.
=== Transit secrets
Transit secrets engine operations:
[source,java]
----
include::{sourcedir}/se/integrations/HcvSnippets.java[tag=snippet_8, indent=0]
----
<1> Enable the secrets engine on the default path.
<2> Disable the secrets engine on the default path.
<3> Create the encryption and signature keys.
<4> Delete the encryption and signature keys.
<5> Encrypt a secret.
<6> Decrypt a secret.
<7> Create an HMAC for text.
<8> Create a signature for text.
<9> Verify HMAC.
<10> Verify signature.
=== Authentication with Kubernetes
In order to use Kubernetes authentication:
[source,java]
----
include::{sourcedir}/se/integrations/HcvSnippets.java[tag=snippet_9, indent=0]
----
<1> Run the Kubernetes Authentication by enabling it.
<2> Create Kubernetes secrets.
<3> Disable Kubernetes authentication if needed.
<4> Function used to enable Kubernetes authentication.
== Local testing [[Local-Testing]]
Vault is available as a docker image, so to test locally, you can simply:
[source,bash]
----
docker run -e VAULT_DEV_ROOT_TOKEN_ID=my-token -d --name=vault -p8200:8200 vault
----
This will create a Vault docker image, run it in background and open it on `localhost:8200` with a custom root token my-token,
using name vault.
This is of course only suitable for local testing, as the root token has too many rights,
but it can be easily used with the examples below.
== References
* link:{helidon-github-tree-url}/examples/integrations/vault[Hashicorp Vault Usage Examples]
© 2015 - 2025 Weber Informatics LLC | Privacy Policy