Vault integration (helidon-io#2895)

* Integration with HashiCorp Vault + kv2 secrets engine * AppRole auth * k8s auth * kv1 secrets engine * Cubbyhole secrets engine * Transit secrets engine * PKI secrets engine * Database secrets engine * BOM pom update * Example * CDI integration.
aseovic · Apr 26, 2021 · d7ecf83 · d7ecf83
1 parent 72b4ea9
commit d7ecf83
Show file tree

Hide file tree

Showing 305 changed files with 25,592 additions and 78 deletions.
diff --git a/Jenkinsfile b/Jenkinsfile
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020 Oracle and/or its affiliates.
+ * Copyright (c) 2020, 2021 Oracle and/or its affiliates.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -49,6 +49,24 @@ pipeline {
             sh './etc/scripts/checkstyle.sh'
           }
         }
+        stage('integration-tests') {
+          stages {
+            stage('test-vault') {
+              agent {
+                kubernetes {
+                  inheritFrom 'k8s-slave'
+                  yamlFile 'etc/pods/vault.yaml'
+                  yamlMergeStrategy merge()
+                }
+              }
+              steps {
+                sh './etc/scripts/test-integ-vault.sh'
+                archiveArtifacts artifacts: "**/target/surefire-reports/*.txt"
+                junit testResults: '**/target/surefire-reports/*.xml'
+              }
+            }
+          }
+        }
       }
     }
     stage('release') {

diff --git a/bom/pom.xml b/bom/pom.xml
@@ -916,6 +916,72 @@
                 <artifactId>helidon-integrations-oci-cdi</artifactId>
                 <version>${helidon.version}</version>
             </dependency>
+            <dependency>
+                <groupId>io.helidon.integrations.vault</groupId>
+                <artifactId>helidon-integrations-vault</artifactId>
+                <version>${helidon.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>io.helidon.integrations.vault.auths</groupId>
+                <artifactId>helidon-integrations-vault-auths-common</artifactId>
+                <version>${helidon.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>io.helidon.integrations.vault.sys</groupId>
+                <artifactId>helidon-integrations-vault-sys</artifactId>
+                <version>${helidon.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>io.helidon.integrations.vault.secrets</groupId>
+                <artifactId>helidon-integrations-vault-secrets-cubbyhole</artifactId>
+                <version>${helidon.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>io.helidon.integrations.vault.secrets</groupId>
+                <artifactId>helidon-integrations-vault-secrets-kv1</artifactId>
+                <version>${helidon.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>io.helidon.integrations.vault.secrets</groupId>
+                <artifactId>helidon-integrations-vault-secrets-kv2</artifactId>
+                <version>${helidon.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>io.helidon.integrations.vault.secrets</groupId>
+                <artifactId>helidon-integrations-vault-secrets-database</artifactId>
+                <version>${helidon.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>io.helidon.integrations.vault.secrets</groupId>
+                <artifactId>helidon-integrations-vault-secrets-pki</artifactId>
+                <version>${helidon.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>io.helidon.integrations.vault.secrets</groupId>
+                <artifactId>helidon-integrations-vault-secrets-transit</artifactId>
+                <version>${helidon.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>io.helidon.integrations.vault.auths</groupId>
+                <artifactId>helidon-integrations-vault-auths-token</artifactId>
+                <version>${helidon.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>io.helidon.integrations.vault.auths</groupId>
+                <artifactId>helidon-integrations-vault-auths-k8s</artifactId>
+                <version>${helidon.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>io.helidon.integrations.vault.auths</groupId>
+                <artifactId>helidon-integrations-vault-auths-approle</artifactId>
+                <version>${helidon.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>io.helidon.integrations.vault</groupId>
+                <artifactId>helidon-integrations-vault-cdi</artifactId>
+                <version>${helidon.version}</version>
+            </dependency>
+
             <!-- OpenAPI support -->
             <dependency>
                 <groupId>io.helidon.openapi</groupId>

diff --git a/common/common/src/main/java/io/helidon/common/FeatureCatalog.java b/common/common/src/main/java/io/helidon/common/FeatureCatalog.java
@@ -184,6 +184,13 @@ final class FeatureCatalog {
                     .path("OCI")
                     .flavor(HelidonFlavor.SE)
                     .experimental(true));
+        add("io.helidon.integrations.vault",
+            FeatureDescriptor.builder()
+                    .name("HCP Vault")
+                    .description("Hashicorp Vault Integration")
+                    .path("HCP Vault")
+                    .flavor(HelidonFlavor.SE)
+                    .experimental(true));
         /*
          * MP Modules
          */
@@ -374,6 +381,14 @@ final class FeatureCatalog {
                     .flavor(HelidonFlavor.MP)
                     .experimental(true));
 
+        add("io.helidon.integrations.vault.cdi",
+            FeatureDescriptor.builder()
+                    .name("HCP Vault")
+                    .description("Hashicorp Vault Integration")
+                    .path("HCP Vault")
+                    .flavor(HelidonFlavor.MP)
+                    .experimental(true));
+
         /*
          * Common modules
          */
@@ -517,6 +532,9 @@ final class FeatureCatalog {
             "HTTP Signatures",
             "Security provider for HTTP Signature authentication and outbound",
             "Security", "Provider", "HttpSign");
+        add("io.helidon.security.providers.config.vault",
+            "Config Vault",
+            "Security", "Provider", "ConfigVault");
         add("io.helidon.security.providers.idcs.mapper",
             FeatureDescriptor.builder()
                     .name("IDCS Role Mapper")
@@ -604,6 +622,46 @@ final class FeatureCatalog {
             "OCI Telemetry",
             "Integration with OCI Telemetry",
             "OCI", "Telemetry");
+        add("io.helidon.integrations.vault.auths.approle",
+            "AppRole",
+            "AppRole Authentication Method",
+            "HCP Vault", "Auth", "AppRole");
+        add("io.helidon.integrations.vault.auths.k8s",
+            "k8s",
+            "Kubernetes Authentication Method",
+            "HCP Vault", "Auth", "k8s");
+        add("io.helidon.integrations.vault.auths.token",
+            "Token",
+            "Token Authentication Method",
+            "HCP Vault", "Auth", "Token");
+        add("io.helidon.integrations.vault.secrets.cubbyhole",
+            "Cubbyhole",
+            "Cubbyhole Secrets Engine",
+            "HCP Vault", "Secrets", "Cubbyhole");
+        add("io.helidon.integrations.vault.secrets.database",
+            "Database",
+            "Database Secrets Engine",
+            "HCP Vault", "Secrets", "Database");
+        add("io.helidon.integrations.vault.secrets.kv1",
+            "K/V 1",
+            "Key/Value Version 1 Secrets Engine",
+            "HCP Vault", "Secrets", "K/V 1");
+        add("io.helidon.integrations.vault.secrets.kv2",
+            "K/V 2",
+            "Key/Value Version 2 Secrets Engine",
+            "HCP Vault", "Secrets", "K/V 2");
+        add("io.helidon.integrations.vault.secrets.pki",
+            "PKI",
+            "PKI Secrets Engine",
+            "HCP Vault", "Secrets", "PKI");
+        add("io.helidon.integrations.vault.secrets.transit",
+            "Transit",
+            "Transit Secrets Engine",
+            "HCP Vault", "Secrets", "Transit");
+        add("io.helidon.integrations.vault.sys",
+            "Sys",
+            "System operations",
+            "HCP Vault", "Sys");
 
         /*
          * Packages that are not a feature

diff --git a/config/encryption/src/main/java/io/helidon/config/encryption/EncryptionUtil.java b/config/encryption/src/main/java/io/helidon/config/encryption/EncryptionUtil.java
@@ -35,6 +35,7 @@
 import javax.crypto.spec.PBEKeySpec;
 import javax.crypto.spec.SecretKeySpec;
 
+import io.helidon.common.LazyValue;
 import io.helidon.common.configurable.Resource;
 import io.helidon.common.pki.KeyConfig;
 import io.helidon.config.Config;
@@ -47,7 +48,9 @@
 public final class EncryptionUtil {
     private static final Logger LOGGER = Logger.getLogger(EncryptionUtil.class.getName());
 
-    private static final SecureRandom SECURE_RANDOM = new SecureRandom();
+    // SecureRandom instances cannot be in memory when building native image
+    private static final LazyValue<SecureRandom> SECURE_RANDOM = LazyValue.create(SecureRandom::new);
+
     private static final int SALT_LENGTH = 16;
     private static final int NONCE_LENGTH = 12; //(Also called IV) Needs to be 12 when using GCM!
     private static final int SEED_LENGTH = 16;
@@ -165,8 +168,8 @@ public static String encryptAesBytes(char[] masterPassword, byte[] secret) throw
         Objects.requireNonNull(masterPassword, "Password must be provided for encryption");
         Objects.requireNonNull(secret, "Secret message must be provided to be encrypted");
 
-        byte[] salt = SECURE_RANDOM.generateSeed(SALT_LENGTH);
-        byte[] nonce = SECURE_RANDOM.generateSeed(NONCE_LENGTH);
+        byte[] salt = SECURE_RANDOM.get().generateSeed(SALT_LENGTH);
+        byte[] nonce = SECURE_RANDOM.get().generateSeed(NONCE_LENGTH);
 
         Cipher cipher = cipher(masterPassword, salt, nonce, Cipher.ENCRYPT_MODE);
         // encrypt

diff --git a/docs/mp/aot/01_introduction.adoc b/docs/mp/aot/01_introduction.adoc
@@ -67,7 +67,7 @@ for native image.
 |✅ |{nbsp} |JWT Auth |{nbsp}
 |✅ |{nbsp} |OIDC |{nbsp}
 |✅ |{nbsp} |Provider: ABAC |{nbsp}
-|❓ |{nbsp} |Provider/ABAC/Policy: EL |Not yet tested.
+|✅ |{nbsp} |Provider/ABAC/Policy: EL |Requires reflection configuration for used classes.
 |✅ |{nbsp} |Provider/ABAC: Role |{nbsp}
 |✅ |{nbsp} |Provider/ABAC: Scope |{nbsp}
 |✅ |{nbsp} |Provider/ABAC: Time |{nbsp}
@@ -90,11 +90,13 @@ for native image.
 |✅ |{nbsp} |Metrics |{nbsp}
 |✅ |{nbsp} |Security |{nbsp}
 |✅ |{nbsp} |Tracing |{nbsp}
-|❓ |Websocket |Websocket |Not yet tested.
-|❓ |gRPC Server |gRPC Server |Not yet tested.
-|❓ |gRPC Client |gRPC Client |Not yet tested.
+|✅ |{nbsp} |Websocket |Server only.
+|✅ |gRPC Server |gRPC Server |Since GraalVM 21.0.0
+|✅ |{nbsp} |Metrics |{nbsp}
+|✅ |gRPC Client |gRPC Client |Since GraalVM 21.0.0
 |✅ |{nbsp} |Metrics |{nbsp}
-|✅ |Metrics |Metrics |{nbsp}
 |✅ |Scheduling |Scheduling |{nbsp}
+|✅ |OCI |OCI Integration |Modules with group id `io.helidon.integrations.oci`
+|✅ |Vault |Hashicorp Vault Integration |{nbsp}
 |===
 
diff --git a/docs/mp/guides/03_config.adoc b/docs/mp/guides/03_config.adoc
@@ -1,6 +1,6 @@
 ///////////////////////////////////////////////////////////////////////////////
 
-    Copyright (c) 2019, 2020 Oracle and/or its affiliates.
+    Copyright (c) 2019, 2021 Oracle and/or its affiliates.
 
     Licensed under the Apache License, Version 2.0 (the "License");
     you may not use this file except in compliance with the License.

diff --git a/docs/se/aot/01_introduction.adoc b/docs/se/aot/01_introduction.adoc
@@ -68,7 +68,7 @@ for native image.
 |✅ |{nbsp} |Integration: gRPC |{nbsp}
 |✅ |{nbsp} |OIDC |{nbsp}
 |✅ |{nbsp} |Provider: ABAC |{nbsp}
-|✅ |{nbsp} |Provider/ABAC/Policy: EL |Not yet tested.
+|✅ |{nbsp} |Provider/ABAC/Policy: EL |Requires reflection configuration for used classes.
 |✅ |{nbsp} |Provider/ABAC: Role |{nbsp}
 |✅ |{nbsp} |Provider/ABAC: Scope |{nbsp}
 |✅ |{nbsp} |Provider/ABAC: Time |{nbsp}
@@ -108,5 +108,7 @@ for native image.
 |✅ |gRPC Client |gRPC Client |Since GraalVM 21.0.0
 |✅ |{nbsp} |Metrics |{nbsp}
 |✅ |Scheduling |Scheduling |{nbsp}
+|✅ |OCI |OCI Integration |Modules with group id `io.helidon.integrations.oci`
+|✅ |Vault |Hashicorp Vault Integration |{nbsp}
 |===
 
diff --git a/docs/se/guides/03_config.adoc b/docs/se/guides/03_config.adoc
@@ -1,6 +1,6 @@
 ///////////////////////////////////////////////////////////////////////////////
 
-    Copyright (c) 2019, 2020 Oracle and/or its affiliates.
+    Copyright (c) 2019, 2021 Oracle and/or its affiliates.
 
     Licensed under the Apache License, Version 2.0 (the "License");
     you may not use this file except in compliance with the License.

diff --git a/etc/copyright.txt b/etc/copyright.txt
@@ -1,15 +1,13 @@
-/*
- * Copyright (c) YYYY Oracle and/or its affiliates.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
+Copyright (c) YYYY Oracle and/or its affiliates.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
diff --git a/etc/pods/vault.yaml b/etc/pods/vault.yaml
@@ -0,0 +1,44 @@
+#
+# Copyright (c) 2021 Oracle and/or its affiliates.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: vault
+spec:
+  containers:
+    - name: mysql
+      image: mysql:8
+      imagePullPolicy: "IfNotPresent"
+      ports:
+        - containerPort: 3306
+      env:
+        - name: MYSQL_USER
+          value: "user"
+        - name: MYSQL_PASSWORD
+          value: "password"
+        - name: MYSQL_ROOT_PASSWORD
+          value: "root"
+        - name: MYSQL_DATABASE
+          value: "pokemon"
+    - name: vault
+      image: vault:1.7.0
+      imagePullPolicy: "IfNotPresent"
+      ports:
+        - containerPort: 8200
+      env:
+        - name: VAULT_DEV_ROOT_TOKEN_ID
+          value: "myroot"