Quarkus Integration With Hashicorp Vault

[rhuamanile]

Hi everyone.

I am working in a poc for integration with hashicorp vault for get secrets but I have some questions:

In my Poc I am using Kubernetes authentication and I configure all properties required according to official documentation.

For example:
quarkus.vault.url=http://localhost:8200 quarkus.vault.secret-config-kv-path=kv/poc/hashicorp quarkus.vault.authentication.kubernetes.role=poc-hashicorp quarkus.vault.enterprise.namespace=namespacetest quarkus.log.category."io.quarkus.vault".level=DEBUG

After that I created Service Account, Cluster role in kubernetes. In hashicorp I create Access group for Kubernetes Auth, Policies and Role where I associated to my Service Account in Kubernetes.

I test all this configuration from my pod using a curl and it's works well.

But, when I deployed my app in kubernetes I have an error:
`ERROR: Failed to start application (with profile desa)
io.quarkus.vault.runtime.client.VaultClientException code=400 body={"errors":["invalid role name "poc-hashicorp""]}

    at io.quarkus.vault.runtime.client.VertxVaultClient.throwVaultException(VertxVaultClient.java:258)
    at io.quarkus.vault.runtime.client.VertxVaultClient.exec(VertxVaultClient.java:206)
    at io.quarkus.vault.runtime.client.VertxVaultClient.exec(VertxVaultClient.java:195)
    at io.quarkus.vault.runtime.client.VertxVaultClient.post(VertxVaultClient.java:139)
    at io.quarkus.vault.runtime.client.VertxVaultClient.post(VertxVaultClient.java:133)
    at io.quarkus.vault.runtime.client.authmethod.VaultInternalKubernetesAuthMethod.login(VaultInternalKubernetesAuthMethod.java:28)
    at io.quarkus.vault.runtime.VaultAuthManager.loginKubernetes(VaultAuthManager.java:256)
    at io.quarkus.vault.runtime.VaultAuthManager.login(VaultAuthManager.java:155)
    at io.quarkus.vault.runtime.VaultAuthManager.vaultLogin(VaultAuthManager.java:145)
    at io.quarkus.vault.runtime.VaultAuthManager.login(VaultAuthManager.java:116)
    at io.quarkus.vault.runtime.VaultAuthManager.login(VaultAuthManager.java:95)
    at io.quarkus.vault.runtime.VaultAuthManager.getClientToken(VaultAuthManager.java:79)
    at io.quarkus.vault.runtime.VaultKvManager.readSecret(VaultKvManager.java:36)
    at io.quarkus.vault.runtime.VaultKvManager_ClientProxy.readSecret(Unknown Source)
    at io.quarkus.vault.runtime.config.VaultConfigSource.fetchSecrets(VaultConfigSource.java:131)
    at io.quarkus.vault.runtime.config.VaultConfigSource.lambda$fetchSecrets$2(VaultConfigSource.java:127)
    at java.base/java.util.ArrayList.forEach(Unknown Source)
    at io.quarkus.vault.runtime.config.VaultConfigSource.fetchSecrets(VaultConfigSource.java:127)
    at io.quarkus.vault.runtime.config.VaultConfigSource.lambda$fetchSecrets$0(VaultConfigSource.java:120)
    at java.base/java.util.Optional.ifPresent(Unknown Source)
    at io.quarkus.vault.runtime.config.VaultConfigSource.fetchSecrets(VaultConfigSource.java:120)
    at io.quarkus.vault.runtime.config.VaultConfigSource.fetchSecretsFirstTime(VaultConfigSource.java:103)
    at io.quarkus.vault.runtime.config.VaultConfigSource.getSecretConfig(VaultConfigSource.java:81)
    at io.quarkus.vault.runtime.config.VaultConfigSource.getValue(VaultConfigSource.java:62)
    at io.smallrye.config.ConfigValueConfigSourceWrapper.getConfigValue(ConfigValueConfigSourceWrapper.java:20)
    at io.smallrye.config.SmallRyeConfigSources.getValue(SmallRyeConfigSources.java:29)
    at io.smallrye.config.SmallRyeConfigSourceInterceptorContext.proceed(SmallRyeConfigSourceInterceptorContext.java:20)
    at io.smallrye.config.SecretKeysConfigSourceInterceptor.getValue(SecretKeysConfigSourceInterceptor.java:22)
    at io.smallrye.config.SmallRyeConfigSourceInterceptorContext.proceed(SmallRyeConfigSourceInterceptorContext.java:20)
    at io.quarkus.runtime.configuration.ConfigUtils$1.getInterceptor(ConfigUtils.java:141)
    at io.smallrye.config.SmallRyeConfigBuilder$InterceptorWithPriority.getInterceptor(SmallRyeConfigBuilder.java:500)
    at io.smallrye.config.SmallRyeConfig$ConfigSources.<init>(SmallRyeConfig.java:534)
    at io.smallrye.config.SmallRyeConfig.<init>(SmallRyeConfig.java:68)
    at io.smallrye.config.SmallRyeConfigBuilder.build(SmallRyeConfigBuilder.java:449)
    at io.quarkus.runtime.generated.Config.readConfig(Unknown Source)
    at io.quarkus.deployment.steps.RuntimeConfigSetup.deploy(Unknown Source)
    at io.quarkus.runner.ApplicationImpl.doStart(Unknown Source)
    at io.quarkus.runtime.Application.start(Application.java:101)
    at io.quarkus.runtime.ApplicationLifecycleManager.run(ApplicationLifecycleManager.java:103)
    at io.quarkus.runtime.Quarkus.run(Quarkus.java:67)
    at io.quarkus.runtime.Quarkus.run(Quarkus.java:41)
    at io.quarkus.runtime.Quarkus.run(Quarkus.java:120)
    at io.quarkus.runner.GeneratedMain.main(Unknown Source)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.base/java.lang.reflect.Method.invoke(Unknown Source)
    at io.quarkus.bootstrap.runner.QuarkusEntryPoint.doRun(QuarkusEntryPoint.java:60)
    at io.quarkus.bootstrap.runner.QuarkusEntryPoint.main(QuarkusEntryPoint.java:31)`

I was searching the cause and I found that Kubernetes is trying to login with this url:
http://localhost:8200/v1/auth/**kubernetes**/login

In hashicorp I have two Access group kubernetes and pocforhasdhicorp. I created in this Access group, this is where you can configure your ca.crt, issuer, jwt verifier that I got from Kubernetes.

So my role poc-hashicorp, I create in pocforhasdhicorp with the next command:
vault write auth/pocforhasdhicorp/role/poc-hashicorp bound_service_account_names=poc-hashicorp-sa ...

My pod is trying to login with default http://localhost:8200/v1/auth/**kubernetes**/login , but I need specified this login url: http://localhost:8200/v1/auth/**pocforhasdhicorp**/login, because my role is created here.

In other projects Like Spring boot: I use this environment SPRING_CLOUD_VAULT_KUBERNETES_KUBERNETES-PATH, but in Quarkus I can´t found any documentation for set this path authentication(Access group in Hashicorp) value to login with Hashicorp Vault.

I can´t any properties for set this value or probably override this value in Kubernetes or application.

Any suggestion or help or help will be well received.
Thanks a lot

[sberyozkin]

CC @vsevel @kdubb

[rhuamanile]

Thanks @sberyozkin

Hi everyone I was view code of client vault. I attach a screen of code. I need change this value from "auth/kubernetes" to "auth/pocforhasdhicorp".

It´s possible ? any properties do it?

[kdubb]

https://quarkiverse.github.io/quarkiverse-docs/quarkus-vault/dev/index.html#quarkus-vault_quarkus.vault.authentication.kubernetes.auth-mount-path

[kdubb]

You are correct that is the full and complete path, but the extension adds the protocol specific stuff (in this case the v1 and login) when it needs to. There are other REST endpoints that the extension needs to call besides login.

Notice in the screenshot above where you red boxed the default value, it is only auth/kubernetes; no v1 and no login.

[kdubb]

In the last stack trace you provided it is calling VaultInternalKvV2SecretEngine which is not that Kubernetes Authentication bean. This is the KV (v2) secret engine.

Whatever path you are changing seems to be for the KV secret engine not that Kubernetes auth-mount-path.

[rhuamanile]

Ok.

I have one question this exception meaning that authentication from kubernetes to hashicorp was success ?

I was reviewing the code of quarkus and I check this line of the exception class:

This String secretEnginePath is the route path where my secrets it's created in hashicorp vault?

In my properties I have this path:
#quarkus.vault.secret-config-kv-path=dev/test/test/getting-started-v1 ** Option 1
#quarkus.vault.secret-config-kv-path=getting-started-v1 **Option 2

What is the path secret correct Option 1 or option 2?

I have this path when I created my secrest in Hashicorp.

[kdubb]

With regard to authentication, yes. In the highlighted line of code, you'll see it takes a parameter named token. This means it has authenticated correctly.

I don't know what version of Vault you are using but from your last screenshot I would say your path should be:

quarkus.vault.secret-config-kv-path=kv2/dev/test/test/getting-started-v1

But I could be wrong on that.

[rhuamanile]

Hi @kdubb.
I was testing my POC and I remove this property from my application.properties:
quarkus.vault.secret-config-kv-path=dev/test/test/getting-started-v1

I deployed my app and I can see the app is running.

I have some questions because I was checking this documentation of quarkus with hashicorp vault.
https://quarkiverse.github.io/quarkiverse-docs/quarkus-vault/dev/vault-auth.html#_kubernetes_authentication

In this documentation the documentation don´t need define any root of secret like this property(quarkus.vault.secret-config-kv-path) in kubernetes auth. Different when you use other auth method like user & pass or approle authentication.

Accodly to my screen of my logs How I can get values from HV? or this property is necesary (documentation of quarkus in guide don´t declare)?

[rhuamanile]

Thanks for help. I found the solution configuring this property kv-secret-engine-mount-path and with this value my app got the secrets.