feat: implement token-exchange auth for HashiCorp Vault

[paullatzelsperger]

Summary

• Replaces the previous HashicorpJwtTokenProvider and HashicorpVaultCredentials with a new HashicorpTokenExchangeProvider that implements RFC 8693 token exchange via an external service (e.g. jwtlet)
• Adds HashicorpVaultTokenProviderFactoryImpl which selects between static-token and token-exchange authentication based on configuration, supporting both simultaneously for mixed deployments (default vault partition uses a static token; per-participant partitions use token exchange)
• Vault tokens obtained via token exchange are cached until shortly before expiry; the participant context id is passed as the exchange resource so issued Vault tokens are scoped to individual participants

Motivation

In Kubernetes workload-identity deployments the connector should not hold a long-lived static Vault token, nor should credentials be stored in the database, if it can be helped.
Instead, the control plane presents its projected ServiceAccount token to a token-exchange service, which issues a short-lived, participant-scoped JWT that is then authenticated against Vault's JWT auth method. This enables fine-grained, per-participant Vault access without distributing static secrets.

This is somewhat similar to the previous JWT authentication method, because JWTs are used to authenticate against vault. The change is in the way how tokens are obtained: Oauth2 Client Credentials flow (old) vs. OAuth2 Token Exchange (new).

🤖 Generated with Claude Code