feat: Support Vault AppRole authentication method #190

Merged: clement0010 merged 12 commits into master from feat/support-vault-approle-authn-method on Feb 25, 2026

Conversation


@clement0010 clement0010 commented Feb 9, 2026

Changes

  • Create `newVaultAuthMethod` to return the appropriate `authMethod` based on the gateway config
    • Support Vault AppRole authentication method
  • Create `newVaultClient` to return an authenticated Vault client
  • Add `ssh.vault.auth.approle` configuration and validation

Notes

Support for token renewal will be added on a separate PR.
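The PR description above and the review comment further down the page (set the namespace before auth) together sketch how `newVaultAuthMethod` and `newVaultClient` fit: pick a credential source from config, then log in against a client whose namespace is already set. The following is an added example written for this page, not the project's code. It models the auth selection (static token, AppRole, or `VAULT_TOKEN` fallback), the "token or AppRole, not both" validation with AppRole mount defaulting, and the set-namespace-then-login order, against an offline stand-in client rather than `github.com/hashicorp/vault/api`. The config field names, the `Client` type, the `AuthMethod` interface shape, the precedence order and the constructed token value are all assumptions.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os"
)

// AppRoleConfig stands in for ssh.ca.vault.auth.appRole; the field names are assumed.
type AppRoleConfig struct {
	RoleID    string
	SecretID  string
	MountPath string // defaults to "approle" when empty
}

// VaultAuthConfig stands in for ssh.ca.vault.auth (assumed shape): a static token
// or AppRole credentials, never both; with neither, VAULT_TOKEN from the env is used.
type VaultAuthConfig struct {
	Token   string
	AppRole *AppRoleConfig
}

const defaultAppRoleMount = "approle"

// Validate enforces "token or AppRole, not both", requires both AppRole ids,
// and fills in the default mount path.
func (c *VaultAuthConfig) Validate() error {
	if c.Token != "" && c.AppRole != nil {
		return errors.New("vault auth: token and appRole are mutually exclusive")
	}
	if c.AppRole == nil {
		return nil
	}
	if c.AppRole.RoleID == "" || c.AppRole.SecretID == "" {
		return errors.New("vault auth appRole: roleId and secretId are required")
	}
	if c.AppRole.MountPath == "" {
		c.AppRole.MountPath = defaultAppRoleMount
	}
	return nil
}

// Client is an offline stand-in for the Vault API client; LastLogin records the
// login path a real client would have called, so the behaviour can be inspected.
type Client struct {
	Namespace, Token, LastLogin string
}

// AuthMethod mirrors the shape of the vault/api AuthMethod interface.
type AuthMethod interface {
	Login(ctx context.Context, c *Client) (string, error)
}

// staticToken covers a configured token and VAULT_TOKEN alike: no login request.
type staticToken string

func (t staticToken) Login(_ context.Context, c *Client) (string, error) {
	c.LastLogin = "(none: static token)"
	return string(t), nil
}

// appRoleLogin models an AppRole login: a real client POSTs role_id and secret_id
// to auth/<mount>/login in the client's namespace; here we only record the path.
type appRoleLogin AppRoleConfig

func (a appRoleLogin) Login(_ context.Context, c *Client) (string, error) {
	c.LastLogin = fmt.Sprintf("%s/auth/%s/login", c.Namespace, a.MountPath)
	return "hvs.constructed-" + a.RoleID, nil // constructed token, not a real one
}

// newVaultAuthMethod picks the method from config. The PR names this function;
// the precedence here (AppRole, then token, then VAULT_TOKEN) is this example's.
func newVaultAuthMethod(cfg *VaultAuthConfig, env func(string) string) (AuthMethod, error) {
	switch {
	case cfg.AppRole != nil:
		return appRoleLogin(*cfg.AppRole), nil
	case cfg.Token != "":
		return staticToken(cfg.Token), nil
	case env("VAULT_TOKEN") != "":
		return staticToken(env("VAULT_TOKEN")), nil
	}
	return nil, errors.New("vault auth: no token, appRole or VAULT_TOKEN configured")
}

// newVaultClient validates the config, sets the namespace first and only then logs
// in, so the login request and every later request hit the same namespace.
func newVaultClient(ctx context.Context, ns string, cfg *VaultAuthConfig, env func(string) string) (*Client, error) {
	if err := cfg.Validate(); err != nil {
		return nil, err
	}
	method, err := newVaultAuthMethod(cfg, env)
	if err != nil {
		return nil, err
	}
	c := &Client{Namespace: ns} // namespace is set before Login runs
	tok, err := method.Login(ctx, c)
	if err != nil {
		return nil, fmt.Errorf("vault login failed: %w", err)
	}
	c.Token = tok
	return c, nil
}

func main() {
	// Constructed sample config: AppRole with the mount path left to its default.
	cfg := &VaultAuthConfig{AppRole: &AppRoleConfig{RoleID: "role-constructed", SecretID: "secret-constructed"}}
	c, err := newVaultClient(context.Background(), "team-a", cfg, os.Getenv)
	fmt.Printf("client=%+v err=%v\n", c, err)
}
```

Running it prints a client whose `LastLogin` is `team-a/auth/approle/login`, which is the property the review comment is after: the namespace is on the client before the login call, so the login and the later SSH CA requests land in the same namespace. Swapping the `AppRole` block for `Token` exercises the static path, and clearing both falls through to `VAULT_TOKEN`.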

coveralls commented Feb 9, 2026

Pull Request Test Coverage Report for Build 22356474081

Warning: This coverage report may be inaccurate.

This pull request's base commit is no longer the HEAD commit of its target branch. This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.

Details

  • 38 of 77 (49.35%) changed or added relevant lines in 3 files are covered.
  • 2 unchanged lines in 1 file lost coverage.
  • Overall coverage decreased (-0.4%) to 84.38%

| Changes Missing Coverage | Covered Lines | Changed/Added Lines | % |
|---|---|---|---|
| internal/sshhandler/ca.go | 0 | 2 | 0.0% |
| internal/config/config.go | 24 | 28 | 85.71% |
| internal/sshhandler/vault.go | 14 | 47 | 29.79% |

| Files with Coverage Reduction | New Missed Lines | % |
|---|---|---|
| internal/sshhandler/ca.go | 2 | 52.15% |

| Totals | Coverage Status |
|---|---|
| Change from base Build 22006295976 | -0.4% |
| Covered Lines | 2755 |
| Relevant Lines | 3265 |

💛 - Coveralls

Copilot AI left a comment

Pull request overview

Adds Vault AppRole authentication support for the SSH CA Vault integration, along with config schema/validation updates to allow either a static token, AppRole credentials, or implicit VAULT_TOKEN usage.

Changes:

  • Add Vault AppRole login support when ssh.ca.vault.auth.appRole is configured.
  • Add config types + validation for ssh.ca.vault.auth and ssh.ca.vault.auth.appRole.
  • Add go.mod/go.sum dependency for github.com/hashicorp/vault/api/auth/approle.

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 4 comments.

| File | Description |
|---|---|
| internal/sshhandler/ca.go | Adds AppRole authentication flow during Vault client initialization. |
| internal/config/config.go | Extends Vault auth config schema and adds validation for token vs AppRole. |
| internal/config/config_test.go | Adds unit tests for new auth config validation and AppRole mount defaulting. |
| go.mod | Adds AppRole auth submodule dependency. |
| go.sum | Adds checksums for the new dependency. |


@clement0010 clement0010 marked this pull request as ready for review February 16, 2026 10:54
@clement0010 clement0010 requested a review from minhtule February 16, 2026 14:41
@clement0010 clement0010 force-pushed the feat/support-vault-approle-authn-method branch from 62f4c22 to b47a3a0 on February 18, 2026 04:22
@clement0010 clement0010 force-pushed the feat/support-vault-approle-authn-method branch 2 times, most recently from 9e0ad29 to 2361dc4 on February 19, 2026 11:10
@clement0010 clement0010 force-pushed the feat/support-vault-approle-authn-method branch from 2361dc4 to eaf3b25 on February 19, 2026 11:12
```go
	return nil, fmt.Errorf("failed to create vault client: %w", err)
}

client.SetNamespace(vaultConfig.Namespace)
```
@clement0010 clement0010 (Contributor, Author) commented:

We should set the namespace before auth to ensure the login request and all subsequent vault requests hit the same namespace.

@minhtule minhtule left a comment


LGTM! 👍

@clement0010 clement0010 merged commit e869546 into master Feb 25, 2026
12 checks passed
@clement0010 clement0010 deleted the feat/support-vault-approle-authn-method branch February 25, 2026 04:10
clement0010 added a commit that referenced this pull request Mar 5, 2026
~⚠️ Branched off from #190~

## Changes
- Create a new `VaultClient` type that wraps the Vault API client with
token lifecycle management that watches token expiry, re-authenticates
on failure, and retries login.
- Start Vault client token renewal loop in `SSHProxy.Start()`, so we can
gracefully shut down the token lifecycle loop as SSHProxy terminates.