jenkinsci · jetersen · Sep 20, 2019 · Sep 5, 2019 · Sep 6, 2019 · Sep 6, 2019
diff --git a/README.md b/README.md
@@ -67,6 +67,14 @@ You enter your github personal access token to authenticate to vault.
 
 You enter your Vault GCP auth `role` name and `audience`. The JWT will be automatically retrieved from GCE metdata. This requires that Jenkins master is running on a GCE instance.
 
+#### Vault Kubernetes Credential
+
+![Kubernetes Credential](docs/images/kubernetes_credential.png)
+
+You enter your Vault Kubernetes auth `role`. The JWT will be automatically retrieved from the
+mounted secret volume (`/var/run/secrets/kubernetes.io/serviceaccount/token`). This assumes,
+that the jenkins is running in Kubernetes Pod with a Service Account attached.
+
 #### Vault Token Credential
 
 ![Token Credential](docs/images/token_credential.png)

diff --git a/docs/images/kubernetes_credential.png b/docs/images/kubernetes_credential.png
diff --git a/src/main/java/com/datapipe/jenkins/vault/credentials/VaultKubernetesCredential.java b/src/main/java/com/datapipe/jenkins/vault/credentials/VaultKubernetesCredential.java
@@ -0,0 +1,63 @@
+package com.datapipe.jenkins.vault.credentials;
+
+import com.bettercloud.vault.Vault;
+import com.bettercloud.vault.VaultException;
+import com.cloudbees.plugins.credentials.CredentialsScope;
+import com.datapipe.jenkins.vault.exception.VaultPluginException;
+import edu.umd.cs.findbugs.annotations.CheckForNull;
+import edu.umd.cs.findbugs.annotations.NonNull;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
+import hudson.Extension;
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+import java.util.stream.Collectors;
+import org.kohsuke.stapler.DataBoundConstructor;
+
+public class VaultKubernetesCredential extends AbstractVaultTokenCredential {
+
+    private static final String SERVICE_ACCOUNT_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token";
+
+    @NonNull
+    private final String role;
+
+    @DataBoundConstructor
+    public VaultKubernetesCredential(@CheckForNull CredentialsScope scope, @CheckForNull String id,
+        @CheckForNull String description, @NonNull String role) {
+        super(scope, id, description);
+        this.role = role;
+    }
+
+
+    @Override
+    @SuppressFBWarnings(value = "DMI_HARDCODED_ABSOLUTE_FILENAME")
+    public String getToken(Vault vault) {
+        String jwt;
+        try {
+            jwt = Files.lines(Paths.get(SERVICE_ACCOUNT_TOKEN_PATH)).collect(Collectors.joining());
+        } catch (IOException e) {
+            throw new VaultPluginException("could not get JWT from Service Account Token", e);
+        }
+
+        try {
+            return vault
+                .withRetries(5, 500)
+                .auth()
+                .loginByKubernetes(role, jwt)
+                .getAuthClientToken();
+        } catch (VaultException e) {
+            throw new VaultPluginException("could not log in into vault", e);
+        }
+    }
+
+    @Extension
+    public static class DescriptorImpl extends BaseStandardCredentialsDescriptor {
+
+        @NonNull
+        @Override
+        public String getDisplayName() {
+            return "Vault Kubernetes Credential";
+        }
+
+    }
+}
diff --git a/...ources/com/datapipe/jenkins/vault/credentials/VaultKubernetesCredential/credentials.jelly b/...ources/com/datapipe/jenkins/vault/credentials/VaultKubernetesCredential/credentials.jelly
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<?jelly escape-by-default='true'?>
+<j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form" xmlns:st="jelly:stapler">
+  <f:entry title="Role">
+    <f:textbox field="role" name="role"/>
+  </f:entry>
+  <st:include page="id-and-description" class="${descriptor.clazz}"/>
+</j:jelly>