feat: Add Vault integration library to authlib#379
Draft
Alan-Cha wants to merge 1 commit into
Implement authlib/vault package with SPIFFE JWT-SVID authentication support.

This provides a reusable Go library for Hashicorp Vault integration with the following features:
- JWT/OIDC authentication (SPIFFE pattern) — priority 1
- Kubernetes service account authentication — fallback
- Token authentication — dev/testing
- KV v1 and KV v2 secret engine support with auto-detection
- Lease-aware caching with automatic token renewal
- Thread-safe operations
- No protocol dependencies (pure library)

Code patterns adapted from:
- Klaviger project (github.com/grs/klaviger) — KV auto-detection, K8s SA auth, lease-aware caching
- IBM Trusted Service Identity examples — JWT/OIDC auth for SPIFFE workloads
- Hashicorp Vault Go SDK documentation

Key improvements over Klaviger:
- JWT/OIDC auth method added (critical for SPIFFE workloads)
- Background token renewal implemented (was TODO in Klaviger)
- Batch secret reading support
- Typed error system
- Integration with existing authlib/cache patterns

Files added:
- authlib/vault/auth.go (252 lines) — authentication with renewal
- authlib/vault/cache.go (127 lines) — lease-aware caching
- authlib/vault/client.go (174 lines) — main client wrapper
- authlib/vault/config.go (108 lines) — configuration with validation
- authlib/vault/errors.go (56 lines) — typed errors
- authlib/vault/secret.go (115 lines) — KV v1/v2 secret reading
- authlib/vault/config_test.go (110 lines) — unit tests
- authlib/vault/README.md (500+ lines) — complete documentation

Documentation:
- VAULT_PATTERN_OVERVIEW.md — architecture and use cases
- VAULT_IMPLEMENTATION_PLAN.md — 4-phase implementation plan
- KLAVIGER_ANALYSIS.md — code reuse analysis
- VAULT_PHASE1_COMPLETE.md — Phase 1 completion summary

This completes Phase 1 of the Vault pattern implementation. Phase 2 will create the vault-fetcher CLI tool for init container use.

Ref: #vault-pattern
Signed-off-by: Alan Cha <Alan.cha1@ibm.com>
Summary
Implements Phase 1 of the Vault pattern: a reusable Go library (`authlib/vault`) for Hashicorp Vault integration with SPIFFE JWT-SVID authentication support. This enables Kagenti workloads to retrieve static credentials (API keys, database passwords, service tokens) from Vault using their SPIFFE identity for authentication.
Features
Authentication Methods (SPIFFE Priority)
Secret Operations
Caching & Renewal
Quality
Code Reuse & Attribution
This implementation follows patterns from:
Key improvements over Klaviger:
Files Added
Core library:
- `authbridge/authlib/vault/auth.go` (319 lines) — Authentication with renewal
- `authbridge/authlib/vault/cache.go` (145 lines) — Lease-aware caching
- `authbridge/authlib/vault/client.go` (202 lines) — Main client wrapper
- `authbridge/authlib/vault/config.go` (133 lines) — Configuration with validation
- `authbridge/authlib/vault/errors.go` (66 lines) — Typed errors
- `authbridge/authlib/vault/secret.go` (142 lines) — KV v1/v2 secret reading
- `authbridge/authlib/vault/config_test.go` (130 lines) — Unit tests
- `authbridge/authlib/vault/README.md` (379 lines) — Complete documentation
Documentation:
- `VAULT_PATTERN_OVERVIEW.md` (282 lines) — Architecture and use cases
- `VAULT_IMPLEMENTATION_PLAN.md` (690 lines) — 4-phase implementation plan
- `KLAVIGER_ANALYSIS.md` (423 lines) — Code reuse analysis
- `VAULT_PHASE1_COMPLETE.md` (293 lines) — Phase 1 summary
Dependencies:
- `authbridge/authlib/go.mod` — Added `hashicorp/vault/api v1.23.0`
- `authbridge/authlib/README.md` — Added vault package to table
Total: ~3,270 lines added
Usage Example
```go
package main

import (
	"context"
	"log"
	"github.com/kagenti/kagenti-extensions/authbridge/authlib/vault"
)

func main() {
	// Create client with JWT auth (SPIFFE); the JWT-SVID is read from JWTPath
	cfg := &vault.Config{
		Address:    "https://vault.example.com",
		AuthMethod: "jwt",
		Role:       "github-agent-role",
		JWTPath:    "/opt/jwt_svid.token",
	}
	client, err := vault.NewClient(cfg)
	if err != nil {
		log.Fatalf("create vault client: %v", err)
	}
	defer client.Close()

	// Authenticate (token renewal happens automatically in background);
	// Authenticate is assumed here to return an error like NewClient does
	ctx := context.Background()
	if err := client.Authenticate(ctx); err != nil {
		log.Fatalf("vault authentication: %v", err)
	}
	// Read secret (with automatic caching); leaseDuration says how long it stays valid
	token, leaseDuration, err := client.ReadSecret(ctx, "secret/data/github/token", "token")
	if err != nil {
		log.Fatalf("read secret: %v", err)
	}
	log.Printf("read token (%d bytes), lease %s", len(token), leaseDuration)
}
```
Testing
```bash
$ cd authbridge/authlib
$ go test ./vault/... -v
=== RUN TestConfigValidate
--- PASS: TestConfigValidate (0.00s)
=== RUN TestConfigDefaults
--- PASS: TestConfigDefaults (0.00s)
PASS
ok github.com/kagenti/kagenti-extensions/authbridge/authlib/vault 0.493s
$ go build ./vault/...
Clean build ✅
```
Architecture
This library is a pure library (no protocol dependencies) that will be used by:
- `vault-fetcher` CLI tool (init container)
The library does NOT modify the existing AuthBridge unified binary. It's a new reusable component.
Next Steps (Not in this PR)
- `vault-fetcher` CLI tool and Docker image
Review Notes
Key areas to review:
- `Client` interface make sense?
Questions for reviewers:
- `Config.Validate()`?
Assisted-By: Claude (Anthropic AI) noreply@anthropic.com