hairyhenderson · eufebius · Aug 4, 2025
@@ -681,6 +681,7 @@ This table describes the currently-supported authentication mechanisms and how t
 | [`userpass`](https://developer.hashicorp.com/vault/docs/auth/userpass) | Environment variables `$VAULT_AUTH_USERNAME` and `$VAULT_AUTH_PASSWORD` must be set to the appropriate values.<br/> If the back-end is mounted to a different location, set `$VAULT_AUTH_USERPASS_MOUNT`. |
 | [`token`](https://developer.hashicorp.com/vault/docs/auth/token) | Determined from either the `$VAULT_TOKEN` environment variable, or read from the file `~/.vault-token` |
 | [`aws`](https://developer.hashicorp.com/vault/docs/auth/aws) | The env var  `$VAULT_AUTH_AWS_ROLE` defines the [role](https://developer.hashicorp.com/vault/api-docs/auth/aws#role-4) to log in with - defaults to the AMI ID of the EC2 instance. Usually a [Client Nonce](https://developer.hashicorp.com/vault/docs/auth/aws#client-nonce) should be used as well. Set `$VAULT_AUTH_AWS_NONCE` to the nonce value. The nonce can be generated and stored by setting `$VAULT_AUTH_AWS_NONCE_OUTPUT` to a path on the local filesystem.<br/>If the back-end is mounted to a different location, set `$VAULT_AUTH_AWS_MOUNT`.|
+| [`kubernetes`](https://developer.hashicorp.com/vault/docs/auth/kubernetes) | Environment variable `$VAULT_AUTH_K8S_ROLE` must be set to the name of the role configured in Vault.<br/> By default, the JWT token will be read from `/var/run/secrets/kubernetes.io/serviceaccount/token`, but this can be overridden via `$VAULT_AUTH_K8S_JWT_PATH`.<br/> If the back-end is mounted to a different location, set `$VAULT_AUTH_K8S_MOUNT` (default: `kubernetes`). |
 
 _**Note:**_ The secret values listed in the above table can either be set in environment variables or provided in files. This can increase security when using [Docker Swarm Secrets](https://docs.docker.com/engine/swarm/secrets/), for example. To use files, specify the filename by appending `_FILE` to the environment variable, (i.e. `VAULT_USER_ID_FILE`). If the non-file variable is set, this will override any `_FILE` variable and the secret file will be ignored.
 

@@ -128,6 +128,7 @@ require (
 	github.com/hashicorp/hcl v1.0.1-vault-7 // indirect
 	github.com/hashicorp/serf v0.10.2 // indirect
 	github.com/hashicorp/vault/api/auth/approle v0.9.0 // indirect
+	github.com/hashicorp/vault/api/auth/kubernetes v0.10.0 // indirect
 	github.com/hashicorp/vault/api/auth/userpass v0.9.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/itchyny/timefmt-go v0.1.6 // indirect

@@ -348,6 +348,8 @@ github.com/hashicorp/vault/api/auth/approle v0.9.0 h1:FdpspwGVWnGiWmAxd5L1Yd+T+f
 github.com/hashicorp/vault/api/auth/approle v0.9.0/go.mod h1:fvtJhBs3AYMs2fXk4U5+u+7unhUGuboiKzFpLPpIazw=
 github.com/hashicorp/vault/api/auth/aws v0.10.0 h1:65gibOnaZxflNVW3kxgbXZqIC1imVj6uB/TTWkf76c0=
 github.com/hashicorp/vault/api/auth/aws v0.10.0/go.mod h1:VBdP6zwH2MBC4BW+pZ+soPYeabXBVUTfWDccWfFo49I=
+github.com/hashicorp/vault/api/auth/kubernetes v0.10.0 h1:5rqWmUFxnu3S7XYq9dafURwBgabYDFzo2Wv+AMopPHs=
+github.com/hashicorp/vault/api/auth/kubernetes v0.10.0/go.mod h1:cZZmhF6xboMDmDbMY52oj2DKW6gS0cQ9g0pJ5XIXQ5U=
 github.com/hashicorp/vault/api/auth/userpass v0.9.0 h1:tdIY+xe9O0SAcNY1CK7Wk0ENWNKmmGzJ9+iqZfFBW4I=
 github.com/hashicorp/vault/api/auth/userpass v0.9.0/go.mod h1:W2Cb0z6MjAHkDjGG95mmRGzCETX5Y+O++UBXX/ZlNGc=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=

@@ -11,6 +11,7 @@ import (
 	"github.com/hairyhenderson/gomplate/v4/internal/iohelpers"
 	"github.com/hashicorp/vault/api"
 	"github.com/hashicorp/vault/api/auth/aws"
+	authk8s "github.com/hashicorp/vault/api/auth/kubernetes"
 )
 
 // compositeVaultAuthMethod configures the auth method based on environment
@@ -19,6 +20,7 @@ import (
 func compositeVaultAuthMethod(envFsys fs.FS) api.AuthMethod {
 	return vaultauth.CompositeAuthMethod(
 		vaultauth.EnvAuthMethod(),
+		envKubernetesAuthAdapter(envFsys),
 		envEC2AuthAdapter(envFsys),
 		envIAMAuthAdapter(envFsys),
 	)
@@ -84,6 +86,25 @@ func envIAMAuthAdapter(envFS fs.FS) api.AuthMethod {
 	return awsauth
 }
 
+func envKubernetesAuthAdapter(envFS fs.FS) api.AuthMethod {
+    role := GetenvFsys(envFS, "VAULT_AUTH_K8S_ROLE")
+    if role == "" {
+        return nil
+    }
+    mount := GetenvFsys(envFS, "VAULT_AUTH_K8S_MOUNT", "kubernetes")
+    jwtPath := GetenvFsys(envFS, "VAULT_AUTH_K8S_JWT_PATH", "/var/run/secrets/kubernetes.io/serviceaccount/token")
+
+    k8sAuth, err := authk8s.NewKubernetesAuth(
+        role,
+        authk8s.WithMountPath(mount),
+        authk8s.WithServiceAccountTokenPath(jwtPath),
+    )
+    if err != nil {
+        return nil
+    }
+    return k8sAuth
+}
+
 // ec2AuthNonceWriter - wraps an AWSAuth, and writes the nonce to the nonce
 // output file - only for ec2 auth
 type ec2AuthNonceWriter struct {

@@ -0,0 +1,41 @@
+package datafs
+
+import (
+    "io/fs"
+    "os"
+    "testing"
+
+    authk8s "github.com/hashicorp/vault/api/auth/kubernetes"
+)
+
+type dummyFS struct{}
+
+// implement ReadFile if needed
+func (d dummyFS) Open(name string) (fs.File, error) { return nil, fs.ErrNotExist }
+
+func TestEnvKubernetesAuthAdapter_NoRole(t *testing.T) {
+    fsys := fs.OS // fallback, role unset
+    os.Unsetenv("VAULT_AUTH_K8S_ROLE")
+    method := envKubernetesAuthAdapter(fsys)
+    if method != nil {
+        t.Fatal("Expected nil adapter when VAULT_AUTH_K8S_ROLE is unset")
+    }
+}
+
+func TestEnvKubernetesAuthAdapter_WithRole(t *testing.T) {
+    os.Setenv("VAULT_AUTH_K8S_ROLE", "test-role")
+    os.Setenv("VAULT_AUTH_K8S_MOUNT", "myk8s")
+    tempFile := "/tmp/test-jwt.token"
+    os.WriteFile(tempFile, []byte("dummy-jwt"), 0o600)
+    os.Setenv("VAULT_AUTH_K8S_JWT_PATH", tempFile)
+
+    method := envKubernetesAuthAdapter(fs.OS)
+    if method == nil {
+        t.Fatal("Expected non-nil adapter when VAULT_AUTH_K8S_ROLE is set")
+    }
+
+    _, ok := method.(*authk8s.KubernetesAuth)
+    if !ok {
+        t.Fatalf("Expected KubernetesAuth type got %T", method)
+    }
+}