Skip to content

feat: Add Vault integration library to authlib#379

Draft
Alan-Cha wants to merge 1 commit into
mainfrom
feat/vault-integration
Draft

feat: Add Vault integration library to authlib#379
Alan-Cha wants to merge 1 commit into
mainfrom
feat/vault-integration

Conversation

@Alan-Cha

@Alan-Cha Alan-Cha commented May 7, 2026

Copy link
Copy Markdown
Member

Summary

Implements Phase 1 of the Vault pattern: a reusable Go library (authlib/vault) for Hashicorp Vault integration with SPIFFE JWT-SVID authentication support.

This enables Kagenti workloads to retrieve static credentials (API keys, database passwords, service tokens) from Vault using their SPIFFE identity for authentication.

Features

Authentication Methods (SPIFFE Priority)

  • JWT/OIDC auth — Uses SPIFFE JWT-SVID (priority 1)
  • Kubernetes service account auth — Fallback option
  • Token auth — Dev/testing

Secret Operations

  • KV v1/v2 auto-detection — Works with both Vault secret engine versions
  • Single & batch secret reading — Efficient multi-secret fetching
  • Secret listing — Discovery of available secrets

Caching & Renewal

  • Lease-aware caching — Cache TTL respects Vault lease durations
  • Background token renewal — Automatic renewal at 2/3 of lease duration
  • Thread-safe operations — Concurrent access with proper locking

Quality

  • Typed errors — Better error handling and debugging
  • Unit tests — All tests passing
  • Comprehensive documentation — README with examples, architecture docs

Code Reuse & Attribution

This implementation follows patterns from:

  • Klaviger (github.com/grs/klaviger) — KV auto-detection, K8s SA auth, lease-aware caching (~60% of core Vault logic)
  • IBM Trusted Service Identity examples — JWT/OIDC auth pattern for SPIFFE workloads
  • Hashicorp Vault Go SDK documentation

Key improvements over Klaviger:

  • JWT/OIDC auth method added (critical for SPIFFE workloads)
  • Background token renewal implemented (was TODO in Klaviger)
  • Batch secret reading support
  • Typed error system

Files Added

Core library:

  • authbridge/authlib/vault/auth.go (319 lines) — Authentication with renewal
  • authbridge/authlib/vault/cache.go (145 lines) — Lease-aware caching
  • authbridge/authlib/vault/client.go (202 lines) — Main client wrapper
  • authbridge/authlib/vault/config.go (133 lines) — Configuration with validation
  • authbridge/authlib/vault/errors.go (66 lines) — Typed errors
  • authbridge/authlib/vault/secret.go (142 lines) — KV v1/v2 secret reading
  • authbridge/authlib/vault/config_test.go (130 lines) — Unit tests
  • authbridge/authlib/vault/README.md (379 lines) — Complete documentation

Documentation:

  • VAULT_PATTERN_OVERVIEW.md (282 lines) — Architecture and use cases
  • VAULT_IMPLEMENTATION_PLAN.md (690 lines) — 4-phase implementation plan
  • KLAVIGER_ANALYSIS.md (423 lines) — Code reuse analysis
  • VAULT_PHASE1_COMPLETE.md (293 lines) — Phase 1 summary

Dependencies:

  • Updated authbridge/authlib/go.mod — Added hashicorp/vault/api v1.23.0
  • Updated authbridge/authlib/README.md — Added vault package to table

Total: ~3,270 lines added

Usage Example

```go
// Create client with JWT auth (SPIFFE)
cfg := &vault.Config{
Address: "https://vault.example.com",
AuthMethod: "jwt",
Role: "github-agent-role",
JWTPath: "/opt/jwt_svid.token",
}
client, _ := vault.NewClient(cfg)
defer client.Close()

// Authenticate (token renewal happens automatically in background)
ctx := context.Background()
client.Authenticate(ctx)

// Read secret (with automatic caching)
token, leaseDuration, _ := client.ReadSecret(ctx,
"secret/data/github/token",
"token")
```

Testing

```bash
$ cd authbridge/authlib
$ go test ./vault/... -v
=== RUN TestConfigValidate
--- PASS: TestConfigValidate (0.00s)
=== RUN TestConfigDefaults
--- PASS: TestConfigDefaults (0.00s)
PASS
ok github.com/kagenti/kagenti-extensions/authbridge/authlib/vault 0.493s

$ go build ./vault/...

Clean build ✅

```

Architecture

This library is a pure library (no protocol dependencies) that will be used by:

  1. Phase 2: vault-fetcher CLI tool (init container)
  2. Phase 3 (optional): AuthBridge unified binary (dynamic Vault injection mode)

The library does NOT modify the existing AuthBridge unified binary. It's a new reusable component.

Next Steps (Not in this PR)

  • Phase 2: Create vault-fetcher CLI tool and Docker image
  • Phase 3: Webhook integration for automatic injection
  • Phase 4: Demo and documentation

Review Notes

Key areas to review:

  1. Security: Auth methods, token handling, caching strategy
  2. API design: Does the Client interface make sense?
  3. Attribution: Proper credit to Klaviger and IBM TSI?
  4. Documentation: Clear enough for developers?
  5. Testing: Sufficient coverage for Phase 1?

Questions for reviewers:

  • Should we enforce a specific cache TTL default, or leave it fully configurable?
  • Any concerns about the background token renewal approach?
  • Should we add more validation in Config.Validate()?

Assisted-By: Claude (Anthropic AI) noreply@anthropic.com

Implement authlib/vault package with SPIFFE JWT-SVID authentication support.

This provides a reusable Go library for Hashicorp Vault integration with
the following features:

- JWT/OIDC authentication (SPIFFE pattern) — priority 1
- Kubernetes service account authentication — fallback
- Token authentication — dev/testing
- KV v1 and KV v2 secret engine support with auto-detection
- Lease-aware caching with automatic token renewal
- Thread-safe operations
- No protocol dependencies (pure library)

Code patterns adapted from:
- Klaviger project (github.com/grs/klaviger) — KV auto-detection, K8s SA auth, lease-aware caching
- IBM Trusted Service Identity examples — JWT/OIDC auth for SPIFFE workloads
- Hashicorp Vault Go SDK documentation

Key improvements over Klaviger:
- JWT/OIDC auth method added (critical for SPIFFE workloads)
- Background token renewal implemented (was TODO in Klaviger)
- Batch secret reading support
- Typed error system
- Integration with existing authlib/cache patterns

Files added:
- authlib/vault/auth.go (252 lines) — authentication with renewal
- authlib/vault/cache.go (127 lines) — lease-aware caching
- authlib/vault/client.go (174 lines) — main client wrapper
- authlib/vault/config.go (108 lines) — configuration with validation
- authlib/vault/errors.go (56 lines) — typed errors
- authlib/vault/secret.go (115 lines) — KV v1/v2 secret reading
- authlib/vault/config_test.go (110 lines) — unit tests
- authlib/vault/README.md (500+ lines) — complete documentation

Documentation:
- VAULT_PATTERN_OVERVIEW.md — architecture and use cases
- VAULT_IMPLEMENTATION_PLAN.md — 4-phase implementation plan
- KLAVIGER_ANALYSIS.md — code reuse analysis
- VAULT_PHASE1_COMPLETE.md — Phase 1 completion summary

This completes Phase 1 of the Vault pattern implementation. Phase 2 will
create the vault-fetcher CLI tool for init container use.

Ref: #vault-pattern
Signed-off-by: Alan Cha <Alan.cha1@ibm.com>
@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. If this PR is still relevant, please comment or remove the stale label.

@github-actions github-actions Bot added the stale label Jul 7, 2026
@mrsabath mrsabath moved this from New/ToDo to Backlog in Kagenti Issue Prioritization Jul 16, 2026
@mrsabath

Copy link
Copy Markdown
Contributor

We are putting Vault activity on hold until we figure out whether this work should be done by CPEX or directly in Cortex.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

Status: Backlog

Development

Successfully merging this pull request may close these issues.

3 participants