Add support for token-based authentication with Vault, enabling castellan to authenticate using a token read from a file. This covers Kubernetes ServiceAccount tokens, JWT/OIDC tokens, and other file-based token mechanisms supported by Vault.

A new auth_method option (choices: 'approle', 'jwt', 'kubernetes'; default: 'approle') controls the authentication method. This makes auth selection explicit and authoritative rather than implicit.

When auth_method is jwt or kubernetes, these options are used:

- token_role: Vault role name (required)
- token_file: path to the token file (required)
- auth_path: mount path of the Vault auth backend, used in the login URL /v1/auth/<auth_path>/login. Defaults to auth_method value when not set. Override for non-default mount paths (e.g. 'kubernetes-my-cluster' instead of 'kubernetes'). See: https://developer.hashicorp.com/vault/api-docs/auth/kubernetes#login

The implementation reads the token from the configured file and POSTs it as a JWT to the Vault auth backend's login endpoint. The resulting Vault token is cached with TTL-based expiry, using the same caching mechanism shared with AppRole auth via a common _vault_login() method.

The root_token_id option continues to take priority over any configured auth_method when set.

Generated-By: claude-opus-4-6 (OpenCode)
Signed-off-by: flux.adam@gmail.com
Change-Id: I2a3fd872d046467a2ca9dca0856bbfa43a6c239e
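The login flow the commit message above describes, as an added sketch that is not castellan's own code: the class name `FileTokenLogin`, the injectable `post` and `clock` parameters and the 10-second renewal margin are assumptions, while the request and response fields (`role`, `jwt`, `auth.client_token`, `auth.lease_duration`) follow Vault's login API.

```python
import json
import time
import urllib.request


def _http_post_json(url, payload):
    """Default transport: POST JSON and return the decoded JSON reply."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class FileTokenLogin:
    """Hypothetical helper: file-based JWT login to Vault with a TTL cache."""

    def __init__(self, vault_url, auth_method, token_role, token_file,
                 auth_path=None, post=_http_post_json, clock=time.monotonic):
        if auth_method not in ("jwt", "kubernetes"):
            raise ValueError("auth_method must be 'jwt' or 'kubernetes'")
        if not token_role or not token_file:
            raise ValueError("token_role and token_file are required")
        # auth_path falls back to the auth_method name when not set.
        self.login_url = "%s/v1/auth/%s/login" % (
            vault_url.rstrip("/"), (auth_path or auth_method).strip("/"))
        self.token_role, self.token_file = token_role, token_file
        self._post, self._clock = post, clock
        self._token, self._expires_at = None, 0.0

    def vault_token(self, margin=10):
        """Return a cached Vault token, logging in again near expiry."""
        if self._token and self._clock() < self._expires_at - margin:
            return self._token
        # Re-read the file on every login: mounted tokens get rotated.
        with open(self.token_file) as f:
            jwt = f.read().strip()
        if not jwt:
            raise ValueError("token file is empty")
        auth = self._post(self.login_url,
                          {"role": self.token_role, "jwt": jwt})["auth"]
        self._token = auth["client_token"]
        self._expires_at = self._clock() + auth["lease_duration"]
        return self._token
```

Reading the file at login time rather than once at start-up matters for Kubernetes projected ServiceAccount tokens, which the kubelet replaces before they expire.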
Castellan
Generic Key Manager interface for OpenStack.
- License: Apache License, Version 2.0
- Documentation: https://docs.openstack.org/castellan/latest
- Source: https://opendev.org/openstack/castellan
- Bugs: https://bugs.launchpad.net/castellan
- Release notes: https://docs.openstack.org/releasenotes/castellan
- Wiki: https://wiki.openstack.org/wiki/Castellan
Languages
Python
99.8%
Shell
0.2%