Spring Cloud Vault now handles lifecycle of obtained secrets by property sources. Secrets associated with a renewable lease are renewed before they expire until terminal expiration. Application shutdown revokes leases so generated credentials can be disabled by Vault.
Fixes gh-40.
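The lifecycle described above (renew a renewable lease before it expires, stop at terminal expiration, revoke on shutdown) as an added illustration; this is not Spring Cloud Vault's own code. Vault is replaced by an in-memory stub whose renew/revoke calls are assumed to behave like the real lease endpoints (renewal extends a renewable lease by its TTL but never past an assumed max TTL, revocation invalidates the credential immediately), and the renew-at-half-TTL policy is an assumption. Time is a simulated integer clock in seconds.

```python
"""Lease lifecycle for secrets backing a property source (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class StubLease:
    lease_id: str
    ttl: int           # seconds granted on issue and on each successful renewal
    renewable: bool
    max_ttl: int       # assumed hard cap: never extended past issued_at + max_ttl
    issued_at: int
    expires_at: int
    revoked: bool = False


class LeaseStubVault:
    """Constructed stand-in for Vault's lease API."""

    def __init__(self) -> None:
        self.leases: Dict[str, StubLease] = {}

    def issue(self, lease_id: str, ttl: int, renewable: bool, max_ttl: int, now: int) -> StubLease:
        lease = StubLease(lease_id, ttl, renewable, max_ttl, now, now + ttl)
        self.leases[lease_id] = lease
        return lease

    def renew(self, lease_id: str, now: int) -> Optional[int]:
        """Return the new remaining duration, or None when Vault will not extend the lease."""
        lease = self.leases[lease_id]
        if lease.revoked or not lease.renewable or now >= lease.expires_at:
            return None
        new_expiry = min(now + lease.ttl, lease.issued_at + lease.max_ttl)
        if new_expiry <= lease.expires_at:
            return None          # max TTL reached: the lease is now terminal
        lease.expires_at = new_expiry
        return new_expiry - now

    def revoke(self, lease_id: str) -> None:
        self.leases[lease_id].revoked = True


@dataclass
class TrackedLease:
    granted_at: int
    duration: int
    renewable: bool


class LeaseManager:
    """Renews tracked leases before they expire and revokes them on shutdown."""

    RENEW_FRACTION = 0.5  # assumed policy: renew once half of the duration has elapsed

    def __init__(self, vault: LeaseStubVault) -> None:
        self.vault = vault
        self.tracked: Dict[str, TrackedLease] = {}
        self.events: List[str] = []

    def track(self, lease: StubLease, now: int) -> None:
        self.tracked[lease.lease_id] = TrackedLease(now, lease.ttl, lease.renewable)

    def tick(self, now: int) -> None:
        for lease_id, state in list(self.tracked.items()):
            expires_at = state.granted_at + state.duration
            if now >= expires_at:
                self.events.append(f"{lease_id}: expired at t={now}")
                del self.tracked[lease_id]
                continue
            if not state.renewable or now < state.granted_at + state.duration * self.RENEW_FRACTION:
                continue
            new_duration = self.vault.renew(lease_id, now)
            if new_duration is None:
                # Terminal expiration: keep the lease so shutdown can still revoke it,
                # but stop asking Vault to extend it.
                state.renewable = False
                self.events.append(f"{lease_id}: terminal, expires at t={expires_at}")
            else:
                state.granted_at, state.duration = now, new_duration
                self.events.append(f"{lease_id}: renewed at t={now} for {new_duration}s")

    def shutdown(self) -> List[str]:
        """Revoke every lease still alive so Vault disables the generated credentials."""
        revoked = []
        for lease_id in list(self.tracked):
            self.vault.revoke(lease_id)
            revoked.append(lease_id)
        self.tracked.clear()
        return revoked


def run_demo() -> Tuple[List[str], List[str], LeaseStubVault]:
    """Constructed scenario: one renewable database credential, one static secret."""
    vault = LeaseStubVault()
    manager = LeaseManager(vault)
    manager.track(vault.issue("db-creds", ttl=60, renewable=True, max_ttl=150, now=0), now=0)
    manager.track(vault.issue("static-secret", ttl=100, renewable=False, max_ttl=100, now=0), now=0)
    for now in range(0, 131, 10):   # the application runs for 130 simulated seconds
        manager.tick(now)
    revoked = manager.shutdown()
    return manager.events, revoked, vault
```

Running `run_demo()` shows the renewable lease being extended three times, going terminal once the max TTL is reached, and still being revoked at shutdown because it has not yet expired; the non-renewable lease simply expires and needs no revocation.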
assertj-core is not a dependency required during runtime/operations. Move this dependency to the project scope to not affect user dependencies.
Fixes gh-41.
VaultClient now uses a ClientHttpRequestInterceptor to force marshaling. Outgoing data is buffered and available as byte array. This allows setting a Content-Length header using netty. Previously, requests were streamed to the TCP channel without knowing the request body size in advance. Vault expects a Content-Length header and rejected requests with a body but without a Content-Length header.
Fixes gh-19.
We now support cubbyhole authentication to securely use tokens. Cubbyhole authentication uses Vault primitives to provide a secured authentication workflow. Cubbyhole authentication uses tokens as primary login method.
An ephemeral token is used to obtain a second, login VaultToken from Vault's Cubbyhole secret backend. The login token is usually longer-lived and used to interact with Vault. The login token will be retrieved from a wrapped response stored at `/cubbyhole/response`.
A wrapped token can be created with:

```shell
vault token-create -wrap-ttl="10m"
```

bootstrap.yml:

```yaml
spring.cloud.vault:
  authentication: CUBBYHOLE
  token: (the wrapping token)
```
Fixes gh-15.
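The two-step exchange above (wrapping token in, login token out of `/cubbyhole/response`) as an added illustration; this is not Spring Cloud Vault's or Vault's own code. The Vault server is an in-memory stub that assumes the single-use semantics of a response-wrapping token: it can read its cubbyhole once and is gone after that read or once the wrap TTL has passed. Token values are generated randomly and are not real tokens; the `CubbyholeAuthentication` class name is chosen for this example.

```python
"""Cubbyhole login flow (added example, in-memory stub instead of a Vault server)."""
import json
import secrets
from typing import Dict, Set


class CubbyholeStubVault:
    """Constructed stand-in for the parts of Vault this flow touches."""

    def __init__(self, now: int = 0) -> None:
        self.now = now                      # simulated clock, seconds
        self.valid_tokens: Set[str] = set()
        self.wrapped: Dict[str, dict] = {}  # wrapping token -> stored response + expiry

    def token_create_wrapped(self, wrap_ttl: int) -> str:
        """Server side of `vault token-create -wrap-ttl=...`: the new login token is
        written to the wrapping token's cubbyhole; only the wrapping token is returned."""
        login_token = "login-" + secrets.token_hex(8)
        wrapping_token = "wrap-" + secrets.token_hex(8)
        self.valid_tokens.update({login_token, wrapping_token})
        self.wrapped[wrapping_token] = {
            "response": {"auth": {"client_token": login_token}},
            "expires_at": self.now + wrap_ttl,
        }
        return wrapping_token

    def handle(self, request: dict) -> dict:
        """Serve GET /v1/cubbyhole/response with Vault-like status codes."""
        if request["method"] != "GET" or request["path"] != "/v1/cubbyhole/response":
            return {"status": 404, "body": {"errors": ["unsupported path"]}}
        token = request["headers"].get("X-Vault-Token")
        entry = self.wrapped.get(token)
        if token not in self.valid_tokens or entry is None:
            return {"status": 403, "body": {"errors": ["permission denied"]}}
        # Assumed single-use behaviour: whether the read succeeds or the wrap TTL
        # has passed, the wrapping token is gone after this request.
        del self.wrapped[token]
        self.valid_tokens.discard(token)
        if self.now >= entry["expires_at"]:
            return {"status": 403, "body": {"errors": ["permission denied"]}}
        return {"status": 200, "body": {"data": {"response": json.dumps(entry["response"])}}}


class CubbyholeAuthentication:
    """Client side: trade the wrapping token for the login token, then forget it."""

    def __init__(self, vault: CubbyholeStubVault, wrapping_token: str) -> None:
        self.vault = vault
        self.wrapping_token = wrapping_token

    def login(self) -> str:
        response = self.vault.handle({
            "method": "GET",
            "path": "/v1/cubbyhole/response",
            "headers": {"X-Vault-Token": self.wrapping_token},
        })
        if response["status"] != 200:
            raise PermissionError(f"cubbyhole login failed: {response['body']['errors']}")
        unwrapped = json.loads(response["body"]["data"]["response"])
        return unwrapped["auth"]["client_token"]


def demo() -> Dict[str, bool]:
    """Constructed scenario: one good login, one replay, one expired wrapping token."""
    vault = CubbyholeStubVault(now=0)
    wrapping = vault.token_create_wrapped(wrap_ttl=600)   # operator: vault token-create -wrap-ttl="10m"
    auth = CubbyholeAuthentication(vault, wrapping)       # spring.cloud.vault.token = wrapping token
    login_token = auth.login()
    outcome = {
        "login_token_valid": login_token in vault.valid_tokens and login_token != wrapping,
        "wrapping_token_revoked": wrapping not in vault.valid_tokens,
    }
    try:                                                  # a captured wrapping token cannot be replayed
        auth.login()
        outcome["replay_rejected"] = False
    except PermissionError:
        outcome["replay_rejected"] = True
    stale = vault.token_create_wrapped(wrap_ttl=600)
    vault.now = 601                                       # wrap TTL has passed
    try:
        CubbyholeAuthentication(vault, stale).login()
        outcome["expired_rejected"] = False
    except PermissionError:
        outcome["expired_rejected"] = True
    return outcome
```

The point of the exchange is that the value placed in `bootstrap.yml` is only ever the short-lived, single-use wrapping token: the login token never appears in configuration, and a wrapping token that leaks after use or after its TTL is worthless.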
We now support setting a priority for VaultPropertySourceLocator by configuring `spring.cloud.vault.config.order`. Lower values increase priority, higher values decrease priority. Applying a priority can be used to control VaultPropertySourceLocator precedence over other property sources.
Original pull request: gh-36.
Reformat code. Use state key for health indicator details. Add health method declaration to VaultOperations. Switch actuator dependency to optional dependency. Add tests.
Original pull request: gh-29
Fixes gh-24
What we're missing ATM is different documentation versions for different application versions. What this change does is:
- finding out what is the current branch (e.g. 1.0.x)
- finding out what is the name of the main adoc file (e.g. spring-cloud-sleuth)
- pulling the changes from gh-pages after checkout
- finding out what is the list of comma separated whitelisted branches (via the `docs.whitelisted.branches` prop)
- in gh-pages creating a folder with name of the branch (e.g. /1.0.x)
- copying all the docs/target/generated-docs/ to that folder
- if the branch from which we're calling the script is NOT master then we're changing the ${main.adoc}.html to index.html so that it's easier to access the docs (e.g. http://cloud.spring.io/spring-cloud-sleuth/1.0.x/)
We now support TLS client certificate authentication. The client needs to enable SSL and configure a keystore containing the client certificate/private key pair.
```yaml
spring.cloud.vault:
  authentication: CERT
  ssl:
    key-store: classpath:keystore.jks
    key-store-password: changeit
```
Fixes gh-25
Split functionality from VaultClient and refactor it into VaultConfigOperations/VaultConfigTemplate. The template now holds the authentication state and the property source just uses the template.
Fixes gh-23
We now support AWS-EC2 authentication for applications running on EC2 instances. This authentication method uses the PKCS7 identity document to authenticate against Vault. It provides support for nonce (enabled by default) and roles.
Fixes gh-17