@pdrd pdrd (Contributor) commented Sep 16, 2025

We are using a custom implementation that is HashiCorp Vault compatible but requires the Userpass auth method.

This PR implements a new VAULT_AUTH_METHOD with name userpass and allows authenticating against the Vault instance by passing the user credentials VAULT_USERNAME and a password from VAULT_PASSWORD_ENV or VAULT_PASSWORD_FILE. It additionally respects the VAULT_LOGIN_MOUNT_POINT.

@pdrd pdrd force-pushed the feat/auth-userpass branch from 90ccdd0 to 1bc2f5f Compare September 16, 2025 13:01
@pdrd pdrd marked this pull request as draft September 16, 2025 13:08
@yxxhero yxxhero requested a review from Copilot September 29, 2025 06:32
Copilot AI left a comment

Pull Request Overview

This PR adds support for HashiCorp Vault's userpass authentication method to the vals configuration tool. The implementation allows users to authenticate using username/password credentials instead of the existing token, approle, or kubernetes methods.

  • Adds userpass as a new authentication method option
  • Implements username/password credential handling via environment variables
  • Supports configurable mount points for the userpass auth endpoint

@pdrd pdrd force-pushed the feat/auth-userpass branch 2 times, most recently from 46c1ca8 to 5482747 Compare October 2, 2025 07:44
@pdrd pdrd marked this pull request as ready for review October 2, 2025 07:46
@pdrd pdrd marked this pull request as draft October 2, 2025 07:53
@pdrd pdrd force-pushed the feat/auth-userpass branch from 5482747 to c7a5bc7 Compare October 2, 2025 12:22
@pdrd pdrd (Contributor, Author) commented Oct 2, 2025

Prerequisites

Start server in Terminal 1:

export VAULT_TOKEN=root
vault server -dev -dev-root-token-id="${VAULT_TOKEN}"

Enable KV engine and userpass in Terminal 2:

export VAULT_TOKEN=root
export VAULT_ADDR=http://127.0.0.1:8200
vault secrets enable -path=mykv kv
vault write mykv/foo mykey=myvalue
vault read mykv/foo

echo 'path "mykv/*" { capabilities = ["create", "read", "update", "delete", "list", "sudo"] }' | vault policy write admin -
vault auth enable userpass
vault write auth/userpass/users/foo \
    password=bar \
    policies=admin

Tests

Password from env:

export VAULT_AUTH_METHOD=userpass
export VAULT_PASSWORD_ENV=VAULT_PASSWORD
export VAULT_PASSWORD=bar
export VAULT_USERNAME=foo
export VAULT_ADDR=http://127.0.0.1:8200

echo "mykv/foo#/mykey: ref+vault://mykv/foo#/mykey" | bin/vals eval -f -

Password from file:

echo "bar" > password.txt
export VAULT_AUTH_METHOD=userpass
export VAULT_PASSWORD_FILE=$(pwd)/password.txt
export VAULT_USERNAME=foo
export VAULT_ADDR=http://127.0.0.1:8200

echo "mykv/foo#/mykey: ref+vault://mykv/foo#/mykey" | bin/vals eval -f -

@pdrd pdrd marked this pull request as ready for review October 2, 2025 12:27
@pdrd pdrd force-pushed the feat/auth-userpass branch from c7a5bc7 to e62935a Compare October 2, 2025 12:50
@yxxhero yxxhero requested a review from Copilot October 3, 2025 00:22
Copilot AI left a comment

Pull Request Overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

Signed-off-by: Philipp Reusch (pdrd) <philipp.reusch@stackit.cloud>
@pdrd pdrd force-pushed the feat/auth-userpass branch from e62935a to c3427da Compare October 6, 2025 07:59
@yxxhero yxxhero merged commit 7aa0c25 into helmfile:main Oct 10, 2025
5 checks passed
@pdrd pdrd deleted the feat/auth-userpass branch December 16, 2025 16:45