feat(vault): added userpass auth method (#798)

pdrd · web-flow · commit 7aa0c25d0d10 · 2025-10-10T17:43:27.000+08:00
Signed-off-by: Philipp Reusch (pdrd) &lt;philipp.reusch@stackit.cloud&gt;
diff --git a/README.md b/README.md
@@ -320,6 +320,7 @@ Please see [pkg/providers](https://github.com/helmfile/vals/tree/master/pkg/prov
 - `ref+vault://PATH/TO/KVBACKEND[?address=VAULT_ADDR:PORT&token_file=PATH/TO/FILE&token_env=VAULT_TOKEN&namespace=VAULT_NAMESPACE]#/fieldkey`
 - `ref+vault://PATH/TO/KVBACKEND[?address=VAULT_ADDR:PORT&auth_method=approle&role_id=ce5e571a-f7d4-4c73-93dd-fd6922119839&secret_id=5c9194b9-585e-4539-a865-f45604bd6f56]#/fieldkey`
 - `ref+vault://PATH/TO/KVBACKEND[?address=VAULT_ADDR:PORT&auth_method=kubernetes&role_id=K8S-ROLE`
+- `ref+vault://PATH/TO/KVBACKEND[?address=VAULT_ADDR:PORT&auth_method=userpass&username=some-user&password_file=PATH/TO/FILE&password_env=VAULT_PASSWORD]#/fieldkey`
 
 * `address` defaults to the value of the `VAULT_ADDR` envvar.
 * `namespace` defaults to the value of the `VAULT_NAMESPACE` envvar.
@@ -335,13 +336,16 @@ The `auth_method` or `VAULT_AUTH_METHOD` envar configures how `vals` authenticat
 * [approle](https://www.vaultproject.io/docs/auth/approle#via-the-api): it requires you pass on a `role_id` together with a `secret_id`.
 * [token](https://www.vaultproject.io/docs/auth/token): you just need creating and passing on a `VAULT_TOKEN`. If `VAULT_TOKEN` isn't set, token can be retrieved from `VAULT_TOKEN_FILE` env or `~/.vault-token` file.
 * [kubernetes](https://www.vaultproject.io/docs/auth/kubernetes): if you're running inside a Kubernetes cluster, you can use this option. It requires you [configure](https://www.vaultproject.io/docs/auth/kubernetes#configuration) a policy, a Kubernetes role, a service account and a JWT token. The login path can also be set using the environment variable `VAULT_KUBERNETES_MOUNT_POINT` (default is `/kubernetes`). You must also set `role_id` or `VAULT_ROLE_ID` envar to the Kubernetes role.
+* [userpass](https://developer.hashicorp.com/vault/docs/auth/userpass): you need to provide a username, e.g. via `VAULT_USERNAME`, and a password retrieved from the file `VAULT_PASSWORD_FILE` or from the env variable referred to in `VAULT_PASSWORD_ENV`. `VAULT_PASSWORD_ENV` takes precedence over `VAULT_PASSWORD_FILE`.
 
 Examples:
 
 - `ref+vault://mykv/foo?address=https://vault1.example.com:8200#/bar` reads the value for the field `bar` in the kv `foo` on Vault listening on `https://vault1.example.com` with the Vault token read from **the envvar `VAULT_TOKEN`, or the file `~/.vault_token` when the envvar is not set**
 - `ref+vault://mykv/foo?token_env=VAULT_TOKEN_VAULT1&namespace=ns1&address=https://vault1.example.com:8200#/bar` reads the value for the field `bar` from namespace `ns1` in the kv `foo` on Vault listening on `https://vault1.example.com` with the Vault token read from **the envvar `VAULT_TOKEN_VAULT1`**
 - `ref+vault://mykv/foo?token_file=~/.vault_token_vault1&address=https://vault1.example.com:8200#/bar` reads the value for the field `bar` in the kv `foo` on Vault listening on `https://vault1.example.com` with the Vault token read from **the file `~/.vault_token_vault1`**
 - `ref+vault://mykv/foo?role_id=my-kube-role#/bar` using the Kubernetes role to log in to Vault
+- `ref+vault://mykv/foo?auth_method=userpass&username=some-user&password_env=VAULT_PASSWORD#/bar` using `userpass` authentication with password read from env `VAULT_PASSWORD`
+- `ref+vault://mykv/foo?auth_method=userpass&username=some-user&password_file=PATH/TO/FILE#/bar` using `userpass` authentication with password read from file `VAULT_PASSWORD_FILE`
 
 ### AWS
 
diff --git a/pkg/providers/vault/vault.go b/pkg/providers/vault/vault.go
@@ -28,16 +28,19 @@ type provider struct {
 	client *vault.Client
 	log    *log.Logger
 
-	Address    string
-	Namespace  string
-	Proto      string
-	Host       string
-	TokenEnv   string
-	TokenFile  string
-	AuthMethod string
-	RoleId     string
-	SecretId   string
-	Version    string
+	Address      string
+	Namespace    string
+	Proto        string
+	Host         string
+	TokenEnv     string
+	TokenFile    string
+	AuthMethod   string
+	RoleId       string
+	SecretId     string
+	Username     string
+	PasswordEnv  string
+	PasswordFile string
+	Version      string
 }
 
 func New(l *log.Logger, cfg api.StaticConfig) *provider {
@@ -66,6 +69,8 @@ func New(l *log.Logger, cfg api.StaticConfig) *provider {
 			p.AuthMethod = "approle"
 		} else if os.Getenv("VAULT_AUTH_METHOD") == "kubernetes" {
 			p.AuthMethod = "kubernetes"
+		} else if os.Getenv("VAULT_AUTH_METHOD") == "userpass" {
+			p.AuthMethod = "userpass"
 		} else {
 			p.AuthMethod = "token"
 		}
@@ -86,6 +91,18 @@ func New(l *log.Logger, cfg api.StaticConfig) *provider {
 			p.SecretId = ""
 		}
 	}
+	p.Username = cfg.String("username")
+	if p.Username == "" {
+		p.Username = os.Getenv("VAULT_USERNAME")
+	}
+	p.PasswordEnv = cfg.String("password_env")
+	if p.PasswordEnv == "" {
+		p.PasswordEnv = os.Getenv("VAULT_PASSWORD_ENV")
+	}
+	p.PasswordFile = cfg.String("password_file")
+	if p.PasswordFile == "" {
+		p.PasswordFile = os.Getenv("VAULT_PASSWORD_FILE")
+	}
 	p.Version = cfg.String("version")
 
 	return p
@@ -195,7 +212,7 @@ func (p *provider) ensureClient() (*vault.Client, error) {
 			}
 
 			if p.TokenFile != "" {
-				token, err := p.readTokenFile(p.TokenFile)
+				token, err := p.readFile(p.TokenFile)
 				if err != nil {
 					return nil, err
 				}
@@ -214,7 +231,7 @@ func (p *provider) ensureClient() (*vault.Client, error) {
 					}
 				}
 				if tokenFile != "" {
-					token, _ := p.readTokenFile(tokenFile)
+					token, _ := p.readFile(tokenFile)
 					if token != "" {
 						cli.SetToken(token)
 					}
@@ -276,14 +293,54 @@ func (p *provider) ensureClient() (*vault.Client, error) {
 				return nil, fmt.Errorf("no auth info returned")
 			}
 
+			cli.SetToken(resp.Auth.ClientToken)
+		case "userpass":
+			var password = ""
+
+			if p.PasswordEnv != "" {
+				password = os.Getenv(p.PasswordEnv)
+				if password == "" {
+					return nil, fmt.Errorf("password_env configured to read vault password from envvar %q, but it isn't set", p.PasswordEnv)
+				}
+			} else if p.PasswordFile != "" {
+				password, err = p.readFile(p.PasswordFile)
+				if err != nil {
+					return nil, err
+				}
+			}
+
+			if password == "" {
+				return nil, fmt.Errorf("password missing for userpass authentication")
+			}
+
+			data := map[string]interface{}{
+				"password": password,
+			}
+
+			mount_point, ok := os.LookupEnv("VAULT_LOGIN_MOUNT_POINT")
+			if !ok {
+				mount_point = "userpass"
+			}
+
+			auth_path := filepath.Join("auth", mount_point, "login", p.Username)
+
+			resp, err := cli.Logical().Write(auth_path, data)
+			if err != nil {
+				return nil, err
+			}
+
+			if resp.Auth == nil {
+				return nil, fmt.Errorf("no auth info returned")
+			}
+
 			cli.SetToken(resp.Auth.ClientToken)
 		}
 		p.client = cli
 	}
 	return p.client, nil
 }
 
-func (p *provider) readTokenFile(path string) (string, error) {
+func (p *provider) readFile(path string) (string, error) {
 	buff, err := os.ReadFile(path)
 	if err != nil {
 		return "", err
