
feat: implement Hashicorp Vault Kubernetes authentication support#1195

Open
vitali-zevako wants to merge 1 commit into Consensys:master from vitali-zevako:feat/vault-k8s-auth

Conversation

@vitali-zevako vitali-zevako commented May 11, 2026

PR Description

This PR implements native Kubernetes Service Account authentication for Hashicorp Vault, allowing Web3Signer to authenticate with Vault without requiring a static token.

Key Changes

  • Added KUBERNETES as a valid authMethod in HashicorpSigningMetadata.
  • Implemented authenticateWithKubernetes in HashicorpConnection to exchange a K8s JWT for a Vault client token using the /v1/auth/kubernetes/login endpoint.
  • Added support for configurable kubernetesRole, kubernetesAuthPath (default: kubernetes), and kubernetesServiceAccountTokenPath (default: /var/run/secrets/kubernetes.io/serviceaccount/token).
  • Refactored AbstractArtifactSignerFactory to support dynamic token acquisition.
  • Maintained backward compatibility for existing static token authentication.
  • Added unit and integration tests.

Fixed Issue(s)

None.

Documentation

  • I thought about documentation and added the doc-change-required label to this PR if updates are required.

Changelog

  • I thought about adding a changelog entry, and added one if I deemed necessary.

Testing

  • I thought about testing these changes in a realistic/non-local environment.

Note

Medium Risk
Changes Vault authentication and secret-loading paths for Hashicorp signers; misconfiguration could block key load, though TOKEN remains default and auth-path validation reduces path injection risk.

Overview
Adds HashiCorp Vault Kubernetes auth so Hashicorp signing metadata can obtain a Vault client token from the pod service-account JWT instead of a static token.

HashicorpSigningMetadata gains authMethod (TOKEN default, KUBERNETES), optional kubernetesRole, kubernetesAuthPath, and kubernetesServiceAccountTokenPath; token is no longer required at deserialization time and is validated when TOKEN is selected. AbstractArtifactSignerFactory exchanges the JWT via HashicorpConnection.authenticateWithKubernetes before secret reads, resolving relative token paths against the config directory.

The keystorage layer implements login (POST /v1/auth/<path>/login), JWT file read, response parsing, and auth-path hardening (reject . / .. / empty segments). Vault HTTP calls now restore interrupt status on InterruptedException. Coverage includes unit tests, YAML deserialization tests, and a MockServer integration test; the changelog records the feature.

Reviewed by Cursor Bugbot for commit 2379e51. Bugbot is set up for automated code reviews on this repo. Configure here.
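The exchange the PR description outlines (read the pod's service-account JWT, POST it with a role to `/v1/auth/<path>/login`, take `auth.client_token` from the reply) together with the auth-path hardening it mentions, written out as an added example in Python. This is not Web3Signer's code or the PR's Java; the function names, the fake `transport` hook, the constructed JWT and the constructed Vault reply are all assumptions made so the flow runs offline.

```python
"""Added example (not Web3Signer's code): Vault Kubernetes auth login flow
with auth-path validation and response parsing, runnable without a Vault server."""
import json
import tempfile
import urllib.request
from pathlib import Path

# Defaults named in the PR description.
DEFAULT_AUTH_PATH = "kubernetes"
DEFAULT_SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"


def validate_auth_path(auth_path: str) -> str:
    """Reject '.', '..' and empty segments so a configured mount path cannot
    escape the /v1/auth/<path>/login prefix. Returns the normalised path."""
    segments = auth_path.strip("/").split("/")
    if any(seg in ("", ".", "..") for seg in segments):
        raise ValueError(f"invalid Vault auth path: {auth_path!r}")
    return "/".join(segments)


def is_valid_auth_path(auth_path: str) -> bool:
    """Boolean wrapper around validate_auth_path for callers that only need a verdict."""
    try:
        validate_auth_path(auth_path)
        return True
    except ValueError:
        return False


def build_login_request(vault_addr: str, auth_path: str, role: str, jwt: str):
    """Return (url, json_body) for POST /v1/auth/<path>/login."""
    path = validate_auth_path(auth_path)
    url = f"{vault_addr.rstrip('/')}/v1/auth/{path}/login"
    return url, {"role": role, "jwt": jwt}


def read_service_account_jwt(token_path, config_dir=None) -> str:
    """Read the projected SA token; a relative path is resolved against config_dir."""
    p = Path(token_path)
    if not p.is_absolute() and config_dir is not None:
        p = Path(config_dir) / p
    return p.read_text(encoding="utf-8").strip()


def parse_login_response(raw: bytes) -> str:
    """Extract auth.client_token; fail loudly on error payloads or missing fields."""
    data = json.loads(raw)
    if "errors" in data:
        raise RuntimeError(f"vault login failed: {data['errors']}")
    try:
        token = data["auth"]["client_token"]
    except (KeyError, TypeError):
        raise RuntimeError("vault login response has no auth.client_token") from None
    if not token:
        raise RuntimeError("vault login returned an empty client_token")
    return token


def _http_post_json(url: str, body: dict) -> bytes:
    """Real transport: POST JSON and return the raw response body."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"},
                                 method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def kubernetes_login(vault_addr, role, auth_path=DEFAULT_AUTH_PATH,
                     token_path=DEFAULT_SA_TOKEN_PATH, config_dir=None,
                     transport=_http_post_json) -> str:
    """Exchange the pod's SA JWT for a Vault client token.
    `transport(url, body) -> bytes` is an assumed hook so tests can inject a fake."""
    jwt = read_service_account_jwt(token_path, config_dir)
    url, body = build_login_request(vault_addr, auth_path, role, jwt)
    return parse_login_response(transport(url, body))


# Constructed fake Vault reply, shaped like a real /login response.
FAKE_VAULT_REPLY = json.dumps({
    "auth": {"client_token": "hvs.CONSTRUCTED-EXAMPLE-TOKEN",
             "lease_duration": 3600, "renewable": True}
}).encode()


def demo() -> str:
    """Write a constructed SA token next to a fake config dir and run the exchange
    through a fake transport; returns the client token Vault would hand back."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "sa.jwt").write_text("eyJ.constructed.jwt\n")
        seen = {}

        def fake_transport(url, body):
            seen["url"], seen["body"] = url, body
            return FAKE_VAULT_REPLY

        token = kubernetes_login("https://vault.example:8200/", "web3signer",
                                 token_path="sa.jwt", config_dir=d,
                                 transport=fake_transport)
    assert seen["url"] == "https://vault.example:8200/v1/auth/kubernetes/login"
    assert seen["body"] == {"role": "web3signer", "jwt": "eyJ.constructed.jwt"}
    return token


if __name__ == "__main__":
    print(demo())
```

The path check matters because the mount path comes from operator-supplied signing metadata: without it a value such as `kubernetes/../token` would change which Vault endpoint the JWT is posted to. Swapping the `transport` argument for the real `_http_post_json` and pointing `token_path` at the projected service-account token is all that separates the demo from a live login.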

github-actions Bot commented May 11, 2026

All contributors have signed the CLA ✍️ ✅
Posted by the CLA Assistant Lite bot.

@vitali-zevako vitali-zevako force-pushed the feat/vault-k8s-auth branch from 818bc9c to b81fccb Compare May 11, 2026 09:48
@vitali-zevako (Author):

recheck

@vitali-zevako (Author):

I have read the CLA Document and I hereby sign the CLA

github-actions Bot added a commit that referenced this pull request May 11, 2026
@usmansaleem usmansaleem self-assigned this May 12, 2026
@vitali-zevako (Author):

@usmansaleem hi, is there any chance that this feature will be included in the next releases, or do we have to fork? Thank you.

@usmansaleem (Collaborator):

@vitali-zevako Yes, it's on my plate to review (was bogged down with some other tickets); planning to review/merge by the end of next week at most. It will be part of the next release.

@usmansaleem usmansaleem added the doc-change-required Indicates an issue or PR that requires doc to be updated label Jun 3, 2026
@usmansaleem usmansaleem (Collaborator) left a comment:

A changelog entry under Features Added, something on the lines of:

### Features Added
- Support for Hashicorp Vault Kubernetes authentication [PR 1195](https://github.com/Consensys/web3signer/pull/1195)

@usmansaleem usmansaleem (Collaborator) left a comment:

some suggestions, otherwise LGTM.

@usmansaleem (Collaborator):

Local testing document:
pr1195_vault_k8s_testing.md

@usmansaleem (Collaborator):

@vitali-zevako one of your commits has a different id (hence the CLA failing). Easiest is to rebase and push as a single commit so that your commits are associated with a single account.

@vitali-zevako vitali-zevako force-pushed the feat/vault-k8s-auth branch from 897d429 to 7dfce08 Compare June 3, 2026 05:53
@cursor cursor Bot left a comment:

Cursor Bugbot has reviewed your changes and found 1 potential issue.


Reviewed by Cursor Bugbot for commit ee01471. Configure here.

@vitali-zevako vitali-zevako force-pushed the feat/vault-k8s-auth branch 2 times, most recently from 4b0855f to feca4ca Compare June 3, 2026 07:12
@vitali-zevako vitali-zevako force-pushed the feat/vault-k8s-auth branch from feca4ca to dc7193d Compare June 3, 2026 07:29
@vitali-zevako vitali-zevako requested a review from usmansaleem June 3, 2026 07:32
@vitali-zevako vitali-zevako force-pushed the feat/vault-k8s-auth branch from dc7193d to 2379e51 Compare June 3, 2026 07:46

sonarqubecloud Bot commented Jun 3, 2026
