We now remove null-valued properties when transforming properties to their PropertySource representation. Vault can reply with null-valued properties that cause a NullPointerException with the ConcurrentHashMap implementations.
Closes gh-69.
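As an added example (not Spring Vault's own transformation code), the failure mode and the fix side by side: copying a Vault response with a null value straight into a ConcurrentHashMap throws, while a transform that drops null keys and values first does not. The helper name and the sample response map are constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example, not project code: build the map backing a PropertySource
// from a Vault response body, dropping null-valued entries first.
public class NullSafePropertyTransform {

    // Hypothetical helper: copies only non-null entries into a ConcurrentHashMap.
    // ConcurrentHashMap rejects null keys and null values with a
    // NullPointerException, so they must be filtered before the copy.
    public static Map<String, Object> toPropertySourceMap(Map<String, Object> vaultData) {
        Map<String, Object> result = new ConcurrentHashMap<>();
        for (Map.Entry<String, Object> entry : vaultData.entrySet()) {
            if (entry.getKey() == null || entry.getValue() == null) {
                continue; // skip what ConcurrentHashMap cannot store
            }
            result.put(entry.getKey(), entry.getValue());
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample response: a secret whose optional field is null.
        Map<String, Object> data = new LinkedHashMap<>();
        data.put("username", "readonly");
        data.put("password", "s3cr3t");
        data.put("ttl_warning", null);

        // Before: a raw copy fails on the null value.
        try {
            new ConcurrentHashMap<>(data);
        } catch (NullPointerException expected) {
            System.out.println("raw copy into ConcurrentHashMap failed: " + expected);
        }

        // After: the null-valued property is dropped and the copy succeeds.
        Map<String, Object> properties = toPropertySourceMap(data);
        System.out.println("properties kept: " + properties.keySet());
        System.out.println("ttl_warning present: " + properties.containsKey("ttl_warning"));
    }
}
```

The same guard applies to any concurrent map used to back a property source; a null from Vault is a legitimate response and should be treated as "property absent" rather than propagated.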
Replace static imports with qualified use. Add author tags. Add copyright header. Simplify code. Simplify JavaDoc documentation. Rename test class and methods to align with project style.
Original pull request: #64.
We now accept TaskScheduler in LifecycleAwareSessionManager to schedule session refresh tasks. Previously, LifecycleAwareSessionManager used AsyncTaskExecutor with Thread.sleep(…) to delay execution. Thread.sleep blocks a thread exclusively, which is inefficient resource usage.
Closes gh-59.
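As an added example (not the project's LifecycleAwareSessionManager), a renewal scheduled through a TaskScheduler at a computed start time, so no pool thread is held in Thread.sleep while waiting. The class name, the renewal callback and the TTL values are constructed for illustration; the TaskScheduler and ThreadPoolTaskScheduler APIs used are Spring's.

```java
import java.util.Date;
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.TimeUnit;
import org.springframework.scheduling.TaskScheduler;
import org.springframework.scheduling.concurrent.ThreadPoolTaskScheduler;

// Added example, not project code: delay a token renewal with a TaskScheduler
// instead of blocking a thread with Thread.sleep.
public class ScheduledTokenRefresh {

    private final TaskScheduler scheduler;
    private final Runnable renewToken; // hypothetical renewal callback

    public ScheduledTokenRefresh(TaskScheduler scheduler, Runnable renewToken) {
        this.scheduler = scheduler;
        this.renewToken = renewToken;
    }

    // Schedule the renewal refreshBeforeExpirySeconds before the token TTL ends.
    // The scheduler keeps the task in its delay queue; no thread is occupied
    // until startTime is reached.
    public ScheduledFuture<?> scheduleRenewal(long ttlSeconds, long refreshBeforeExpirySeconds) {
        long delaySeconds = Math.max(ttlSeconds - refreshBeforeExpirySeconds, 0);
        Date startTime = new Date(System.currentTimeMillis() + TimeUnit.SECONDS.toMillis(delaySeconds));
        return scheduler.schedule(renewToken, startTime);
    }

    public static void main(String[] args) throws Exception {
        ThreadPoolTaskScheduler scheduler = new ThreadPoolTaskScheduler();
        scheduler.setPoolSize(1);
        scheduler.initialize();

        ScheduledTokenRefresh refresh = new ScheduledTokenRefresh(scheduler,
                () -> System.out.println("renewing token at " + new Date()));

        // Constructed values: a 3-second TTL renewed 2 seconds before expiry,
        // i.e. the renewal runs after a 1-second delay.
        ScheduledFuture<?> future = refresh.scheduleRenewal(3, 2);
        future.get(); // the demo's main thread waits for the renewal to run

        scheduler.shutdown();
    }
}
```

Returning the ScheduledFuture also gives the caller a handle to cancel a pending renewal, for example when the session is destroyed before the token expires.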
We now provide a Lease-aware PropertySource to renew and rotate secrets requested by that PropertySource. Lease renewal is applied per property source to control individual secrets with individual lease durations. A terminally expired lease can be rotated to obtain new credentials. A non-rotated secret that terminally expires is removed from the property source. LeaseAwareVaultPropertySource is updated by SecretLeaseContainer on a background thread.
Components created with properties retrieved from LeaseAwareVaultPropertySource are not refreshed upon secret rotation.
@VaultPropertySource(value = "aws/creds/s3", renewal = Renewal.ROTATE)
public class Config {
}
@VaultPropertySource(value = "mysql/creds/my-role", renewal = Renewal.RENEW)
public class Config {
}
Closes gh-50.
Provide an EnvironmentVaultConfiguration for common configuration scenarios to obtain configuration from Spring's Environment. EnvironmentVaultConfiguration supports various authentication mechanisms: Token, AppId, AppRole, AWS EC2, Client-Certificates, and Cubbyhole.
Java-based configuration class:
@PropertySource("vault.properties")
@Import(EnvironmentVaultConfiguration.class)
public class MyConfiguration {
}
vault.properties
vault.uri=https://localhost:8200
vault.token=…
Closes gh-30.
VaultClients.createRestTemplate() creates a RestTemplate that is configured with ByteArray, String and Jackson 2 message converters to avoid additional message converters being registered if they were available on the classpath.
Fixes gh-47.
Provide VaultTransitContext.empty() to create an empty VaultTransitContext for encryption/decryption of binary plaintext without requiring use of the VaultTransitContext builder.
Closes gh-54.
Remove VaultClient from VaultTemplate and switch implementations to use RestOperations directly. VaultClient provided an additional abstraction level over RestTemplate with a large API surface adding little value.
Implementations work directly with RestOperations. Relative URI expansion is handled by DefaultUriTemplateHandler configured with the VaultEndpoint base URI.
Closes gh-49.
Original pull request: gh-57.
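As an added example serving both the createRestTemplate change above and the RestOperations switch, not the project's own VaultClients or VaultTemplate code: a RestTemplate built with exactly the ByteArray, String and Jackson 2 converters, and a DefaultUriTemplateHandler with a base URL so that relative Vault API paths expand against the endpoint. The class name and the base URI "https://localhost:8200/v1/" are assumptions; the Spring APIs used (RestTemplate, the converter classes, DefaultUriTemplateHandler.setBaseUrl) are real.

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.List;
import org.springframework.http.converter.ByteArrayHttpMessageConverter;
import org.springframework.http.converter.HttpMessageConverter;
import org.springframework.http.converter.StringHttpMessageConverter;
import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.util.DefaultUriTemplateHandler;

// Added example, not project code: a RestTemplate with a fixed converter set
// and base-URI-relative expansion of Vault API paths.
public class VaultRestTemplateExample {

    public static RestTemplate createRestTemplate(String baseUri) {
        // Passing an explicit converter list avoids RestTemplate's default
        // constructor, which also registers converters for any supporting
        // library that happens to be on the classpath.
        List<HttpMessageConverter<?>> converters = new ArrayList<>();
        converters.add(new ByteArrayHttpMessageConverter());
        converters.add(new StringHttpMessageConverter());
        converters.add(new MappingJackson2HttpMessageConverter());
        RestTemplate template = new RestTemplate(converters);

        // Relative templates such as "auth/token/lookup-self" are expanded
        // against the configured base URL, so callers pass API paths only.
        DefaultUriTemplateHandler handler = new DefaultUriTemplateHandler();
        handler.setBaseUrl(baseUri);
        template.setUriTemplateHandler(handler);
        return template;
    }

    public static void main(String[] args) {
        // Assumed endpoint base URI for the example.
        RestTemplate template = createRestTemplate("https://localhost:8200/v1/");

        // Expand a relative path with a URI variable; no request is sent.
        URI uri = template.getUriTemplateHandler().expand("secret/{path}", "my-app");
        System.out.println("expanded: " + uri);
        System.out.println("converters: " + template.getMessageConverters().size());
    }
}
```

Keeping the converter list explicit is also a supply-chain hygiene point: which converters are active no longer changes silently when a transitive dependency adds, say, an XML binding library to the classpath.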
We now support optional prefixing of property names. Property names coming from Vault are exposed with a prefixed name through VaultPropertySource.
@VaultPropertySource(value = "mysql/creds/readonly", propertyNamePrefix = "database.")
static class Configuration {}
will expose all keys under "mysql/creds/readonly" prefixed with "database.", which leads to properties known as "database.username" and "database.password".
Closes gh-48.