
Conversation

@TdlQ TdlQ commented Sep 16, 2025

This PR introduces a new module to handle HashiCorp Vault tokens. It is heavily inspired by and reuses a significant amount of code from the existing KSM module.

The main goal is to provide a dedicated, lightweight solution for fetching secrets from HashiCorp Vault for use in Guacamole connection parameters. This allows for replacing static credentials with dynamic, centrally managed secrets.

Key Features & Implementation Details

  • Token Format: The module uses a new token format, ${HASHIVAULT:path/to/secret/key}, to reference secrets stored in Vault. For example: Password: ${HASHIVAULT:path/to/my/server/guacamole_connection/password}.
  • Centralized Configuration: Vault configuration is managed through a base64-encoded JSON object (vault_url, vault_token, cache_lifetime), which is stored in the HV_CONFIG parameter and can be overridden at the connection group level.
  • Efficient Caching: The module is optimized for performance. When multiple tokens reference the same Vault path (e.g., username and password from the same secret), it performs only a single HTTP query to Vault. Subsequent requests for keys within the same path are served directly from a concurrent, time-based cache.
  • Asynchronous Handling: All Vault queries are performed asynchronously to prevent blocking the connection process. This is achieved using CompletableFuture and an "in-flight" request caching pattern to handle concurrent requests for the same secret efficiently.

Notable Differences and Design Choices (vs KSM)

  • Simplicity: This module is designed to be a simpler, more lightweight alternative to the KSM module, focusing exclusively on basic token handling. It intentionally lacks more advanced features.
  • Execution Order: The setAttributes() method now directly calls processAttributes() to ensure correct execution order, which was an issue observed during development.
  • User Custom Configuration: The user-defined configuration part is currently a placeholder. It mimics KSM's design but might be simplified or removed in the future if a clear use case for it does not emerge.
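
The following is an added example, written for this review and not code from the PR or the Guacamole project (the module itself is Java; this uses Python so the behaviour can be checked stand-alone). It demonstrates the three mechanisms the description lists: the ${HASHIVAULT:path/to/secret/key} token format, the base64-encoded JSON HV_CONFIG value with the vault_url, vault_token and cache_lifetime keys, and a per-path time-based cache in which concurrent requests for the same path share one in-flight fetch. Assumptions not stated on the page: the last path segment names the key inside the secret, cache_lifetime is in seconds, and all hostnames, tokens and secret values are constructed placeholders; the fake_fetch function stands in for the HTTP query to Vault.

```python
"""Added example: HASHIVAULT token parsing, HV_CONFIG encoding and a
per-path cache with in-flight de-duplication. Not the module's own code."""
import base64
import json
import re
import threading
import time
from concurrent.futures import Future, ThreadPoolExecutor

# Matches ${HASHIVAULT:...} anywhere inside a connection parameter value.
TOKEN_RE = re.compile(r"\$\{HASHIVAULT:([^}]+)\}")
REQUIRED_CONFIG_KEYS = ("vault_url", "vault_token", "cache_lifetime")


def split_token(reference):
    """'path/to/secret/key' -> ('path/to/secret', 'key').
    Assumption: the final segment names the key inside the secret."""
    path, sep, key = reference.rpartition("/")
    if not sep or not path or not key:
        raise ValueError(f"malformed HASHIVAULT reference: {reference!r}")
    return path, key


def encode_hv_config(vault_url, vault_token, cache_lifetime):
    """Build an HV_CONFIG value: base64 of a JSON object with the three keys
    named in the PR. Assumption: cache_lifetime is in seconds."""
    doc = {"vault_url": vault_url, "vault_token": vault_token,
           "cache_lifetime": cache_lifetime}
    return base64.b64encode(json.dumps(doc).encode("utf-8")).decode("ascii")


def decode_hv_config(encoded):
    """Reverse of encode_hv_config. base64 is an encoding, not encryption:
    anyone who can read HV_CONFIG can read the Vault token inside it."""
    cfg = json.loads(base64.b64decode(encoded).decode("utf-8"))
    missing = [k for k in REQUIRED_CONFIG_KEYS if k not in cfg]
    if missing:
        raise ValueError(f"HV_CONFIG is missing keys: {missing}")
    return cfg


class VaultSecretCache:
    """The first caller for a path registers a Future and performs the single
    fetch; concurrent callers for the same path wait on that Future instead of
    issuing their own request (the in-flight pattern)."""

    def __init__(self, fetch, cache_lifetime, clock=time.monotonic):
        self._fetch = fetch            # callable: path -> dict of key -> value
        self._lifetime = cache_lifetime
        self._clock = clock
        self._lock = threading.Lock()
        self._entries = {}             # path -> (expires_at, Future)
        self.fetch_count = 0           # real fetches performed, for checking

    def get(self, path, key):
        return self._future_for(path).result()[key]

    def _future_for(self, path):
        with self._lock:
            entry = self._entries.get(path)
            if entry is not None and entry[0] > self._clock():
                return entry[1]        # fresh or still in flight: share it
            fut = Future()
            self._entries[path] = (self._clock() + self._lifetime, fut)
            self.fetch_count += 1
        try:                           # fetch outside the lock
            fut.set_result(self._fetch(path))
        except Exception as exc:       # never cache a failed lookup
            with self._lock:
                self._entries.pop(path, None)
            fut.set_exception(exc)
        return fut


def resolve_parameters(params, cache):
    """Substitute every HASHIVAULT token in a connection's parameters,
    resolving the values concurrently."""
    def substitute(value):
        def repl(match):
            path, key = split_token(match.group(1))
            return cache.get(path, key)
        return TOKEN_RE.sub(repl, value)

    with ThreadPoolExecutor(max_workers=max(1, len(params))) as pool:
        values = list(pool.map(substitute, params.values()))
    return dict(zip(params.keys(), values))


# Constructed stand-in for Vault: one secret holding both credentials.
FAKE_VAULT = {"path/to/my/server/guacamole_connection": {
    "username": "svc-guac", "password": "example-password-not-real"}}


def fake_fetch(path):
    time.sleep(0.05)                   # simulated latency so callers overlap
    return dict(FAKE_VAULT[path])


def demo():
    """Resolve username and password from the same path: expect one fetch."""
    cfg = decode_hv_config(encode_hv_config(
        "https://vault.example.internal:8200", "hvs.PLACEHOLDER_TOKEN", 300))
    cache = VaultSecretCache(fake_fetch, cfg["cache_lifetime"])
    params = {
        "hostname": "db01.example.internal",
        "username": "${HASHIVAULT:path/to/my/server/guacamole_connection/username}",
        "password": "${HASHIVAULT:path/to/my/server/guacamole_connection/password}",
    }
    return resolve_parameters(params, cache), cache.fetch_count


if __name__ == "__main__":
    resolved, fetches = demo()
    print(resolved, "fetches:", fetches)
```

Running the script resolves both credentials with fetch_count equal to 1, because the username and password lookups for the same path share one Future. Two design points worth keeping in mind when reviewing the real module: a failed fetch is removed from the cache so a transient Vault error is not served for the whole cache_lifetime, and since HV_CONFIG carries the Vault token in plain base64, the token should be one whose policy grants read access only to the paths Guacamole needs.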

@corentin-soriano corentin-soriano left a comment

I think you need to add guacamole-vault/hv in the map_extensions to resolve the CI build error:

#20 143.2 Mapped: guacamole-vault/ksm -> KSM_
..........
#20 144.3 ERROR: Unmapped extension: /opt/guacamole/extensions/guacamole-vault/hv/guacamole-vault-hv.jar

After this line:

guacamole-vault/ksm.........................KSM_

@Jenjamsan

Hi, can you provide an example of the hv-config property please?
