BetterCloud · rabbitzzy · May 7, 2019
diff --git a/src/main/java/com/bettercloud/vault/api/Auth.java b/src/main/java/com/bettercloud/vault/api/Auth.java
@@ -878,6 +878,71 @@ public AuthResponse loginByGithub(final String githubToken, final String githubA
         }
     }
 
+    /**
+     * <p>Basic login operation to authenticate to an Kubernetes backend.  Example usage:</p>
+     *
+     * <blockquote>
+     * <pre>{@code
+     * final AuthResponse response = vault.auth().loginByKubeJwt("auth/test-env/login", "dev", "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...");
+     *
+     * final String token = response.getAuthClientToken();
+     * }</pre>
+     * </blockquote>
+     *
+     * @param path The path on which the authentication is performed (e.g. <code>auth/test-env/login</code>)
+     * @param role The service account role used for authentication
+     * @param jwt  The JWT token for the role
+     * @return The auth token, with additional response metadata
+     * @throws VaultException If any error occurs, or unexpected response received from Vault
+     */
+    // TODO: Needs integration test coverage if possible
+    public AuthResponse loginByKubeJwt(final String path, final String role, final String jwt) throws VaultException {
+        int retryCount = 0;
+
+        while (true) {
+            try {
+                // HTTP request to Vault
+                final String requestJson = Json.object().add("role", role).add("jwt", jwt).toString();
+                final RestResponse restResponse = new Rest()
+                        .url(config.getAddress() + "/v1/" + path)
+                        .optionalHeader("X-Vault-Namespace", this.nameSpace)
+                        .body(requestJson.getBytes(StandardCharsets.UTF_8))
+                        .connectTimeoutSeconds(config.getOpenTimeout())
+                        .readTimeoutSeconds(config.getReadTimeout())
+                        .sslVerification(config.getSslConfig().isVerify())
+                        .sslContext(config.getSslConfig().getSslContext())
+                        .post();
+
+                // Validate restResponse
+                if (restResponse.getStatus() != 200) {
+                    throw new VaultException("Vault responded with HTTP status code: " + restResponse.getStatus(), restResponse.getStatus());
+                }
+                final String mimeType = restResponse.getMimeType() == null ? "null" : restResponse.getMimeType();
+                if (!mimeType.equals("application/json")) {
+                    throw new VaultException("Vault responded with MIME type: " + mimeType, restResponse.getStatus());
+                }
+                return new AuthResponse(restResponse, retryCount);
+            } catch (Exception e) {
+                // If there are retries to perform, then pause for the configured interval and then execute the loop again...
+                if (retryCount < config.getMaxRetries()) {
+                    retryCount++;
+                    try {
+                        final int retryIntervalMilliseconds = config.getRetryIntervalMilliseconds();
+                        Thread.sleep(retryIntervalMilliseconds);
+                    } catch (InterruptedException e1) {
+                        e1.printStackTrace();
+                    }
+                } else if (e instanceof VaultException) {
+                    // ... otherwise, give up.
+                    throw (VaultException) e;
+                } else {
+                    throw new VaultException(e);
+                }
+            }
+        }
+    }
+
+
     /**
      * <p>Basic login operation to authenticate to an GCP backend.  Example usage:</p>
      *