public class SecretLeaseContainer extends SecretLeaseEventPublisher implements InitializingBean, DisposableBean
Container that requests secrets from Vault and renews the associated Lease. Secrets can be rotated, depending on the requested RequestedSecret.getMode().
Usage example:

import org.springframework.scheduling.TaskScheduler;
import org.springframework.vault.core.VaultOperations;
import org.springframework.vault.core.lease.SecretLeaseContainer;
import org.springframework.vault.core.lease.domain.RequestedSecret;
import org.springframework.vault.core.lease.event.LeaseListenerAdapter;
import org.springframework.vault.core.lease.event.SecretLeaseCreatedEvent;
import org.springframework.vault.core.lease.event.SecretLeaseEvent;
import org.springframework.vault.core.lease.event.SecretLeaseExpiredEvent;

// vaultOperations (VaultOperations) and taskScheduler (TaskScheduler) are configured elsewhere
SecretLeaseContainer container = new SecretLeaseContainer(vaultOperations, taskScheduler);

// rotating mode: the lease is renewed until it expires, then a fresh secret is requested
final RequestedSecret requestedSecret = container.requestRotatingSecret("mysql/creds/my-role");

// register listeners before start(): the initial secrets are obtained and published by start()
container.addLeaseListener(new LeaseListenerAdapter() {
    @Override
    public void onLeaseEvent(SecretLeaseEvent secretLeaseEvent) {
        if (requestedSecret == secretLeaseEvent.getSource()) {
            if (secretLeaseEvent instanceof SecretLeaseCreatedEvent) {
                // new secret obtained (initial request or rotation): read
                // ((SecretLeaseCreatedEvent) secretLeaseEvent).getSecrets() and swap the credentials in use
            }
            if (secretLeaseEvent instanceof SecretLeaseExpiredEvent) {
                // the lease is gone: the secret must no longer be used
            }
        }
    }
});

container.afterPropertiesSet();
container.start(); // events are triggered after starting the container
This container keeps track of RequestedSecrets and requests secrets upon start(). Leases qualified for renewal are renewed by this container applying minRenewalSeconds/expiryThresholdSeconds on a background thread.
Requests for secrets can define either renewal or rotation. The container renews leases until expiry. Rotating secrets renew their associated lease until expiry and request new secrets after expiry. Vault does not push any events: whether a secret has expired is only discovered through the container's own calls to Vault, so a SecretLeaseExpiredEvent can be dispatched later than the actual expiry. Code that caches a secret should therefore treat it as potentially invalid from the moment its lease could have expired, not only once the event arrives.
The container dispatches lease events to LeaseListener and LeaseErrorListener. Event notifications are dispatched either on the starting Thread or on worker threads used for background renewal, so listeners must be safe to call from more than one thread. Instances are thread-safe once initialized.
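The following is an added example, not code from the Spring Vault project or this page, showing the event-driven rotation the paragraphs above describe: a rotating database credential is requested, each SecretLeaseCreatedEvent swaps the in-use credential atomically (listeners run on the starting thread or on renewal worker threads), a SecretLeaseExpiredEvent invalidates it, errors go to a LeaseErrorListener, and destroy() on shutdown revokes the leases so issued credentials do not outlive the process. The class name RotatingDatabaseCredentials, the Vault address localhost:8200, the VAULT_TOKEN environment variable and the username/password keys in the secret are assumptions; the path mysql/creds/my-role is the one used on this page.

```java
import java.time.Duration;
import java.util.Map;
import java.util.concurrent.atomic.AtomicReference;

import org.springframework.scheduling.concurrent.ThreadPoolTaskScheduler;
import org.springframework.vault.authentication.TokenAuthentication;
import org.springframework.vault.client.VaultEndpoint;
import org.springframework.vault.core.VaultTemplate;
import org.springframework.vault.core.lease.SecretLeaseContainer;
import org.springframework.vault.core.lease.domain.RequestedSecret;
import org.springframework.vault.core.lease.event.LeaseListenerAdapter;
import org.springframework.vault.core.lease.event.SecretLeaseCreatedEvent;
import org.springframework.vault.core.lease.event.SecretLeaseEvent;
import org.springframework.vault.core.lease.event.SecretLeaseExpiredEvent;

/** Example (not part of Spring Vault): holds the credential currently issued by Vault. */
public class RotatingDatabaseCredentials {

    /** Immutable pair, published as a whole so readers never see a half-updated credential. */
    public static final class Credentials {
        public final String username;
        public final String password;

        Credentials(String username, String password) {
            this.username = username;
            this.password = password;
        }
    }

    // Written from the container's event threads, read from application threads.
    private final AtomicReference<Credentials> current = new AtomicReference<>();

    /** null until the first SecretLeaseCreatedEvent arrived, or after the lease expired. */
    public Credentials current() {
        return current.get();
    }

    public static void main(String[] args) throws Exception {
        // Assumptions: Vault on localhost:8200, a token in VAULT_TOKEN, database engine at "mysql".
        VaultTemplate vaultOperations = new VaultTemplate(VaultEndpoint.create("localhost", 8200),
                new TokenAuthentication(System.getenv("VAULT_TOKEN")));

        ThreadPoolTaskScheduler scheduler = new ThreadPoolTaskScheduler();
        scheduler.setThreadNamePrefix("vault-lease-");
        scheduler.afterPropertiesSet();

        SecretLeaseContainer container = new SecretLeaseContainer(vaultOperations, scheduler);
        container.setMinRenewal(Duration.ofSeconds(10));      // never renew more often than this
        container.setExpiryThreshold(Duration.ofSeconds(60)); // renew this long before expiry
        container.afterPropertiesSet();

        RotatingDatabaseCredentials credentials = new RotatingDatabaseCredentials();
        RequestedSecret mysql = container.requestRotatingSecret("mysql/creds/my-role");

        LeaseListenerAdapter listener = new LeaseListenerAdapter() {
            @Override
            public void onLeaseEvent(SecretLeaseEvent event) {
                if (event.getSource() != mysql) {
                    return; // belongs to another RequestedSecret
                }
                if (event instanceof SecretLeaseCreatedEvent) {
                    // Initial fetch or a fresh credential after rotation: replace the pair atomically.
                    Map<String, Object> secrets = ((SecretLeaseCreatedEvent) event).getSecrets();
                    credentials.current.set(new Credentials((String) secrets.get("username"),
                            (String) secrets.get("password")));
                    // Log the lease id for audit, never the secret values.
                    System.out.println("credentials rotated, lease " + event.getLease().getLeaseId());
                }
                else if (event instanceof SecretLeaseExpiredEvent) {
                    // Expiry is detected by polling, so the lease may be gone already: stop using it.
                    // In rotating mode the container follows up with a new SecretLeaseCreatedEvent.
                    credentials.current.set(null);
                    System.out.println("credentials expired, lease " + event.getLease().getLeaseId());
                }
            }

            @Override
            public void onLeaseError(SecretLeaseEvent event, Exception e) {
                // Renewal/revocation failures surface here, not as exceptions on the caller.
                System.err.println("lease error for " + event.getSource().getPath() + ": " + e.getMessage());
            }
        };
        container.addLeaseListener(listener); // register both before start(): the first
        container.addErrorListener(listener); // SecretLeaseCreatedEvent is published by start()

        container.start();

        // destroy() revokes the leases so a rotated credential does not stay valid after exit.
        Runtime.getRuntime().addShutdownHook(new Thread(() -> {
            try {
                container.destroy();
            }
            catch (Exception e) {
                System.err.println("lease revocation on shutdown failed: " + e.getMessage());
            }
            scheduler.destroy();
        }));
    }
}
```

The listener is registered before start() because the initial secrets are obtained, and their SecretLeaseCreatedEvent published, by start() itself; a listener added afterwards would miss the first credential. The AtomicReference matters because the container dispatches from renewal worker threads while application code reads on its own threads.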
See Also: RequestedSecret, SecretLeaseEventPublisher, Lease, LeaseEndpoints

Nested classes inherited from class SecretLeaseEventPublisher: SecretLeaseEventPublisher.LoggingErrorListener
Constructor and Description |
---|
SecretLeaseContainer(VaultOperations operations) Create a new SecretLeaseContainer given VaultOperations. |
SecretLeaseContainer(VaultOperations operations, TaskScheduler taskScheduler) Create a new SecretLeaseContainer given VaultOperations and TaskScheduler. |
Modifier and Type | Method and Description |
---|---|
RequestedSecret | addRequestedSecret(RequestedSecret requestedSecret) Add a RequestedSecret. |
void | afterPropertiesSet() |
void | destroy() Shutdown this SecretLeaseContainer, disable lease renewal and revoke leases. |
protected VaultResponseSupport<Map<String,Object>> | doGetSecrets(RequestedSecret requestedSecret) Retrieve secrets from VaultOperations. |
protected Lease | doRenewLease(RequestedSecret requestedSecret, Lease lease) Renew a Lease for a RequestedSecret. |
protected void | doRevokeLease(RequestedSecret requestedSecret, Lease lease) Revoke the Lease. |
Duration | getExpiryThreshold() |
int | getExpiryThresholdSeconds() |
Duration | getMinRenewal() |
int | getMinRenewalSeconds() |
protected void | onLeaseExpired(RequestedSecret requestedSecret, Lease lease) Hook method called when a Lease expires. |
RequestedSecret | requestRenewableSecret(String path) Request a renewable secret at path. |
RequestedSecret | requestRotatingSecret(String path) Request a rotating secret at path. |
void | setExpiryThreshold(Duration expiryThreshold) Set the expiry threshold. |
void | setExpiryThresholdSeconds(int expiryThresholdSeconds) Deprecated. since 2.0, use setExpiryThreshold(Duration) for time unit safety. |
void | setLeaseEndpoints(LeaseEndpoints leaseEndpoints) Set the LeaseEndpoints to delegate renewal/revocation calls to. |
void | setMinRenewal(Duration minRenewal) Set the minimum time that must elapse before a lease is renewed. |
void | setMinRenewalSeconds(int minRenewalSeconds) Deprecated. since 2.0, use setMinRenewal(Duration) for time unit safety. |
void | setTaskScheduler(TaskScheduler taskScheduler) Sets the TaskScheduler to use for scheduling and execution of lease renewals. |
void | start() Start the SecretLeaseContainer. |
void | stop() Stop the SecretLeaseContainer. |
Methods inherited from class SecretLeaseEventPublisher: addErrorListener, addLeaseListener, onAfterLeaseRenewed, onAfterLeaseRevocation, onBeforeLeaseRevocation, onError, onSecretsObtained, removeLeaseErrorListener, removeLeaseListener
public SecretLeaseContainer(VaultOperations operations)
Create a new SecretLeaseContainer given VaultOperations.
Parameters: operations - must not be null.

public SecretLeaseContainer(VaultOperations operations, TaskScheduler taskScheduler)
Create a new SecretLeaseContainer given VaultOperations and TaskScheduler.
Parameters: operations - must not be null. taskScheduler - must not be null.

public void setLeaseEndpoints(LeaseEndpoints leaseEndpoints)
Set the LeaseEndpoints to delegate renewal/revocation calls to. LeaseEndpoints encapsulates differences between Vault versions that affect the location of renewal/revocation endpoints.
Parameters: leaseEndpoints - must not be null.
See Also: LeaseEndpoints
@Deprecated public void setMinRenewalSeconds(int minRenewalSeconds)
Deprecated. since 2.0, use setMinRenewal(Duration) for time unit safety.
Set the minimum time, in seconds, that must elapse before a lease is renewed. minRenewalSeconds prevents renewals from happening too often.
Parameters: minRenewalSeconds - number of seconds that is at least required before renewing a Lease, must not be negative.

public void setMinRenewal(Duration minRenewal)
Set the minimum time that must elapse before a lease is renewed. minRenewal prevents renewals from happening too often.
Parameters: minRenewal - duration that is at least required before renewing a Lease, must not be null or negative.

@Deprecated public void setExpiryThresholdSeconds(int expiryThresholdSeconds)
Deprecated. since 2.0, use setExpiryThreshold(Duration) for time unit safety.
Set the expiry threshold in seconds. A Lease is renewed the given number of seconds before it expires.
Parameters: expiryThresholdSeconds - number of seconds before Lease expiry, must not be negative.

public void setExpiryThreshold(Duration expiryThreshold)
Set the expiry threshold. A Lease is renewed the given time before it expires.
Parameters: expiryThreshold - duration before Lease expiry, must not be null or negative.

public int getMinRenewalSeconds()

public Duration getMinRenewal()

public int getExpiryThresholdSeconds()

public Duration getExpiryThreshold()

public void setTaskScheduler(TaskScheduler taskScheduler)
Sets the TaskScheduler to use for scheduling and execution of lease renewals.
Parameters: taskScheduler - must not be null.
public RequestedSecret requestRenewableSecret(String path)
Request a renewable secret at path.
Parameters: path - must not be null or empty.
Returns: the RequestedSecret.

public RequestedSecret requestRotatingSecret(String path)
Request a rotating secret at path.
Parameters: path - must not be null or empty.
Returns: the RequestedSecret.

public RequestedSecret addRequestedSecret(RequestedSecret requestedSecret)
Add a RequestedSecret.
Parameters: requestedSecret - must not be null.
public void start()
Start the SecretLeaseContainer. Starting the container will initially obtain secrets and leases for the requested secrets. A started container publishes events through LeaseListener. Additional secrets can be requested at any time.
Multiple calls are synchronized to start the container only once. Container start requires initialization (afterPropertiesSet()), and the container cannot be started once it was destroyed.
See Also: afterPropertiesSet(), stop()

public void stop()
Stop the SecretLeaseContainer. Stopping the container will stop lease renewal, secrets rotation and event publishing. Active leases are left untouched: stop() does not revoke them, so the secrets stay valid in Vault until their own TTL runs out; use destroy() to revoke them.
Multiple calls are synchronized to stop the container only once.
See Also: start()

public void afterPropertiesSet() throws Exception
Specified by: afterPropertiesSet in interface InitializingBean
Overrides: afterPropertiesSet in class SecretLeaseEventPublisher
Throws: Exception

public void destroy() throws Exception
Shutdown this SecretLeaseContainer, disable lease renewal and revoke leases.
Specified by: destroy in interface DisposableBean
Throws: Exception
See Also: afterPropertiesSet(), start(), stop()
@Nullable protected VaultResponseSupport<Map<String,Object>> doGetSecrets(RequestedSecret requestedSecret)
Retrieve secrets from VaultOperations.
Parameters: requestedSecret - the RequestedSecret providing the secret path.

protected Lease doRenewLease(RequestedSecret requestedSecret, Lease lease)
Renew a Lease for a RequestedSecret.
Parameters: requestedSecret - the requested secret. lease - the lease.

protected void onLeaseExpired(RequestedSecret requestedSecret, Lease lease)
Hook method called when a Lease expires. The default implementation is to notify LeaseListener. Implementations can override this method in subclasses.
Overrides: onLeaseExpired in class SecretLeaseEventPublisher
Parameters: requestedSecret - must not be null. lease - must not be null.
protected void doRevokeLease(RequestedSecret requestedSecret, Lease lease)
Revoke the Lease.
Parameters: requestedSecret - must not be null. lease - must not be null.

Copyright © 2016–2018 Pivotal Software, Inc. All rights reserved.