Class SecretLeaseContainer

All Implemented Interfaces: DisposableBean, InitializingBean, Lifecycle, Phased, SmartLifecycle

Lease. Secrets can be rotated, depending on the requested RequestedSecret.getMode(). Usage example:
    SecretLeaseContainer container = new SecretLeaseContainer(vaultOperations, taskScheduler);

    RequestedSecret requestedSecret = container.requestRotatingSecret("mysql/creds/my-role");

    container.addLeaseListener(new LeaseListenerAdapter() {
        @Override
        public void onLeaseEvent(SecretLeaseEvent secretLeaseEvent) {
            // only react to events for the secret requested above
            if (requestedSecret == secretLeaseEvent.getSource()) {
                if (secretLeaseEvent instanceof SecretLeaseCreatedEvent) {
                    // a secret and its lease were obtained (initially or after rotation)
                }
                if (secretLeaseEvent instanceof SecretLeaseExpiredEvent) {
                    // the lease expired; a rotating secret is requested again by the container
                }
            }
        }
    });

    container.afterPropertiesSet();
    container.start(); // events are triggered after starting the container
This container keeps track of RequestedSecrets and requests secrets upon start(). Leases qualified for renewal are renewed by this container, applying minRenewalSeconds/expiryThresholdSeconds, on a background thread.

Requests for secrets can define either renewal or rotation. The container renews leases until expiry. Rotating secrets renew their associated lease until expiry and request new secrets after expiry. Vault requires active interaction from the caller side to determine that a secret is expired; Vault does not send any events, so expired-secret events can be dispatched later than the actual expiry.

The container dispatches lease events to LeaseListener and LeaseErrorListener. Event notifications are dispatched either on the starting Thread or on worker threads used for background renewal. Instances are thread-safe once initialized.
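The usage example above leaves the event branches empty. The following class is an added example (not code from the Spring Vault project) that fills them in for the common case of a rotating database credential: it keeps the current username/password pair in memory, swaps it when a SecretLeaseCreatedEvent arrives, clears it on SecretLeaseExpiredEvent, and registers a LeaseErrorListener so renewal failures on the worker thread are not lost. The class name RotatingDbCredentials, the secret path "database/creds/app-role" and the minRenewal/expiryThreshold values are assumptions; the "username"/"password" keys are what Vault's database secrets engine returns. It assumes Spring Vault 3.x on Java 17 (records and pattern-matching instanceof).

```java
import java.time.Duration;
import java.util.Map;
import java.util.concurrent.atomic.AtomicReference;

import org.springframework.scheduling.concurrent.ThreadPoolTaskScheduler;
import org.springframework.vault.core.VaultOperations;
import org.springframework.vault.core.lease.SecretLeaseContainer;
import org.springframework.vault.core.lease.domain.RequestedSecret;
import org.springframework.vault.core.lease.event.LeaseListenerAdapter;
import org.springframework.vault.core.lease.event.SecretLeaseCreatedEvent;
import org.springframework.vault.core.lease.event.SecretLeaseEvent;
import org.springframework.vault.core.lease.event.SecretLeaseExpiredEvent;

/**
 * Holds the currently valid credentials of a rotating dynamic secret and swaps
 * them whenever the container obtains new ones. Hypothetical wiring code; the
 * secret path "database/creds/app-role" is an assumed example.
 */
public class RotatingDbCredentials {

    /** Immutable credential pair; replaced atomically on rotation. */
    public record Credentials(String username, String password) { }

    private final AtomicReference<Credentials> current = new AtomicReference<>();
    private final SecretLeaseContainer container;
    private final RequestedSecret dbSecret;

    public RotatingDbCredentials(VaultOperations vaultOperations) {
        ThreadPoolTaskScheduler scheduler = new ThreadPoolTaskScheduler();
        scheduler.setThreadNamePrefix("vault-lease-");
        scheduler.initialize();

        this.container = new SecretLeaseContainer(vaultOperations, scheduler);
        // Renew at most every 10 s, and renew 60 s before the lease would expire (assumed values).
        this.container.setMinRenewal(Duration.ofSeconds(10));
        this.container.setExpiryThreshold(Duration.ofSeconds(60));

        // ROTATE mode: the lease is renewed until it expires; the container then
        // requests a fresh credential pair and publishes a new created event.
        this.dbSecret = this.container.requestRotatingSecret("database/creds/app-role");

        this.container.addLeaseListener(new LeaseListenerAdapter() {
            @Override
            public void onLeaseEvent(SecretLeaseEvent event) {
                if (event.getSource() != dbSecret) {
                    return; // event belongs to another requested secret
                }
                if (event instanceof SecretLeaseCreatedEvent created) {
                    Map<String, Object> secrets = created.getSecrets();
                    current.set(new Credentials(
                            String.valueOf(secrets.get("username")),
                            String.valueOf(secrets.get("password"))));
                }
                else if (event instanceof SecretLeaseExpiredEvent) {
                    // Vault pushes no expiry notification, so this event may arrive after
                    // the real expiry; the old credentials can already be rejected by then.
                    current.set(null);
                }
            }
        });

        // Renewal/rotation failures are reported here instead of being thrown on a worker thread.
        this.container.addErrorListener((event, exception) ->
                System.err.println("Lease error for " + event.getSource().getPath() + ": " + exception));

        this.container.afterPropertiesSet();
        this.container.start(); // the first secrets are obtained and published here
    }

    /** Returns the credentials currently held, or null between expiry and the next rotation. */
    public Credentials current() {
        return current.get();
    }

    /** Stops renewal and revokes the outstanding lease, invalidating the credentials in Vault. */
    public void shutdown() throws Exception {
        container.destroy();
    }
}
```

Callers should treat a null from current() as "wait for the next created event" rather than reusing stale credentials, and should call shutdown() on application exit so the lease is revoked instead of lingering in Vault until its TTL runs out.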
Author: Mark Paluch, Steven Swor, Erik Lindblom

Nested Class Summary
Nested classes/interfaces inherited from class org.springframework.vault.core.lease.SecretLeaseEventPublisher: SecretLeaseEventPublisher.LoggingErrorListener

Field Summary
Fields inherited from interface org.springframework.context.SmartLifecycle: DEFAULT_PHASE

Constructor Summary
SecretLeaseContainer(VaultOperations operations)
    Create a new SecretLeaseContainer given VaultOperations.
SecretLeaseContainer(VaultOperations operations, TaskScheduler taskScheduler)
Method Summary
void addRequestedSecret(RequestedSecret requestedSecret)
    Add a RequestedSecret.
void afterPropertiesSet()
void destroy()
    Shutdown this SecretLeaseContainer, disable lease renewal and revoke leases.
protected VaultResponseSupport<Map<String,Object>> doGetSecrets(RequestedSecret requestedSecret)
    Retrieve secrets from VaultOperations.
protected Lease doRenewLease(RequestedSecret requestedSecret, Lease lease)
    Renew a Lease for a RequestedSecret.
protected void doRevokeLease(RequestedSecret requestedSecret, Lease lease)
    Revoke the Lease.
getAuthenticationErrorListener()
    Returns the AuthenticationListener to listen for login token error events.
getAuthenticationListener()
    Returns the AuthenticationListener to listen for login token events.
Duration getExpiryThreshold()
int getExpiryThresholdSeconds()
Duration getMinRenewal()
int getMinRenewalSeconds()
int getPhase()
boolean isRunning()
protected void onLeaseExpired(RequestedSecret requestedSecret, Lease lease)
    Hook method called when a Lease expires.
boolean renew(RequestedSecret secret)
    Renew a secret.
RequestedSecret requestRenewableSecret(String path)
    Request a renewable secret at path.
RequestedSecret requestRotatingSecret(String path)
    Request a rotating secret at path.
void rotate(RequestedSecret secret)
    Rotate a secret.
void setExpiryThreshold(Duration expiryThreshold)
    Set the expiry threshold.
void setLeaseEndpoints(LeaseEndpoints leaseEndpoints)
    Set the LeaseEndpoints to delegate renewal/revocation calls to.
void setLeaseStrategy(LeaseStrategy leaseStrategy)
    Set the LeaseStrategy for lease renewal error handling.
void setMinRenewal(Duration minRenewal)
    Sets the Duration that is at least required before renewing a lease.
void setTaskScheduler(TaskScheduler taskScheduler)
    Sets the TaskScheduler to use for scheduling and execution of lease renewals.
void start()
    Start the SecretLeaseContainer.
void stop()
    Stop the SecretLeaseContainer.

Methods inherited from class org.springframework.vault.core.lease.SecretLeaseEventPublisher: addErrorListener, addLeaseListener, onAfterLeaseRenewed, onAfterLeaseRevocation, onBeforeLeaseRevocation, onError, onSecretsNotFound, onSecretsObtained, onSecretsRotated, removeLeaseErrorListener, removeLeaseListener

Methods inherited from class java.lang.Object: clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.springframework.context.SmartLifecycle: isAutoStartup, stop
-
Constructor Details

SecretLeaseContainer(VaultOperations operations)
    Create a new SecretLeaseContainer given VaultOperations.
    Parameters: operations - must not be null.

SecretLeaseContainer(VaultOperations operations, TaskScheduler taskScheduler)
    Parameters: operations - must not be null. taskScheduler - must not be null.
Method Details

getAuthenticationListener
    Returns the AuthenticationListener to listen for login token events.
    Returns: the AuthenticationListener to listen for login token events.
    Since: 3.1

getAuthenticationErrorListener
    Returns the AuthenticationListener to listen for login token error events.
    Returns: the AuthenticationListener to listen for login token error events.
    Since: 3.1

setLeaseEndpoints
    Set the LeaseEndpoints to delegate renewal/revocation calls to. LeaseEndpoints encapsulates differences between Vault versions that affect the location of renewal/revocation endpoints.
    Parameters: leaseEndpoints - must not be null.
    Since: 2.1

setMinRenewal
    Sets the Duration that is at least required before renewing a lease. minRenewal prevents renewals from happening too often.
    Parameters: minRenewal - duration that is at least required before renewing a Lease, must not be null or negative.
    Since: 2.0

setExpiryThreshold
    Set the expiry threshold. A Lease is renewed the given time before it expires.
    Parameters: expiryThreshold - duration before Lease expiry, must not be null or negative.
    Since: 2.0

getMinRenewalSeconds
    public int getMinRenewalSeconds()

getMinRenewal
    Returns: minimum renewal timeout.
    Since: 2.0

getExpiryThresholdSeconds
    public int getExpiryThresholdSeconds()

getExpiryThreshold
    Returns: expiry threshold.
    Since: 2.0

setLeaseStrategy
    Set the LeaseStrategy for lease renewal error handling.
    Parameters: leaseStrategy - the LeaseStrategy, must not be null.
    Since: 2.2

setTaskScheduler
    Sets the TaskScheduler to use for scheduling and execution of lease renewals.
    Parameters: taskScheduler - must not be null.

requestRenewableSecret
    Request a renewable secret at path.
    Parameters: path - must not be null or empty.
    Returns: the RequestedSecret.

requestRotatingSecret
    Request a rotating secret at path.
    Parameters: path - must not be null or empty.
    Returns: the RequestedSecret.

addRequestedSecret
    Add a RequestedSecret.
    Parameters: requestedSecret - must not be null.

start
    public void start()
    Start the SecretLeaseContainer. Starting the container will initially obtain secrets and leases for the requested secrets. A started container publishes events through LeaseListener. Additional secrets can be requested at any time. Multiple calls are synchronized to start the container only once. Container start requires initialization (afterPropertiesSet()), and the container cannot be started once it was destroyed.

stop
    public void stop()
    Stop the SecretLeaseContainer. Stopping the container will stop lease renewal, secrets rotation and event publishing. Active leases are not expired. Multiple calls are synchronized to stop the container only once.

isRunning
    public boolean isRunning()

getPhase
    public int getPhase()
    Specified by: getPhase in interface Phased
    Specified by: getPhase in interface SmartLifecycle

afterPropertiesSet
    public void afterPropertiesSet()
    Specified by: afterPropertiesSet in interface InitializingBean
    Overrides: afterPropertiesSet in class SecretLeaseEventPublisher

destroy
    Shutdown this SecretLeaseContainer, disable lease renewal and revoke leases.
    Specified by: destroy in interface DisposableBean
    Throws: Exception

renew
    Renew a secret.
    Parameters: secret - the secret to renew.
    Returns: true if the lease was renewed.
    Throws: IllegalArgumentException - if the secret was not previously registered. IllegalStateException - if there is no Lease associated with the secret or the secret is not qualified for renewal.
    Since: 2.2

rotate
    Rotate a secret.
    Parameters: secret - the secret to rotate.
    Throws: IllegalArgumentException - if the secret was not previously registered. IllegalStateException - if there is no Lease associated with the secret or the secret is not qualified for rotation.
    Since: 2.2
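renew(RequestedSecret) and rotate(RequestedSecret) let a caller act before the scheduled expiry. The helper below is an added example (not code from the Spring Vault project) of the typical use: a consumer reports that the credentials it holds were rejected, and instead of waiting for the lease to run out the application asks the container for a fresh state. It distinguishes the two exception contracts documented above: IllegalStateException (no lease yet, or not qualified) is a normal runtime condition and is turned into a false return, while IllegalArgumentException (secret never registered) is a wiring bug and is left to propagate. The class name LeaseRefresher is an assumption; the container and the RequestedSecret are expected to come from wherever the secret was registered.

```java
import org.springframework.vault.core.lease.SecretLeaseContainer;
import org.springframework.vault.core.lease.domain.RequestedSecret;

/**
 * Forces a refresh of a requested secret on demand, e.g. after the application
 * observed an authentication failure with the credentials it currently holds.
 * Hypothetical helper; the container and the RequestedSecret come from the
 * existing wiring that registered the secret with the container.
 */
public class LeaseRefresher {

    private final SecretLeaseContainer container;

    public LeaseRefresher(SecretLeaseContainer container) {
        this.container = container;
    }

    /**
     * Asks the container for fresh state for {@code secret}. A rotating secret
     * gets a brand-new secret and lease, and listeners receive the usual
     * SecretLeaseCreatedEvent; a renewable secret only gets its lease extended,
     * which does not help if the credential itself was revoked on the Vault side.
     *
     * @return true if the container rotated or renewed the secret; false if there
     * was nothing to act on yet (no lease associated with the secret, or the
     * secret is not qualified for renewal/rotation).
     * @throws IllegalArgumentException if the secret was never registered with
     * this container; that is a programming error and is deliberately not swallowed.
     */
    public boolean refresh(RequestedSecret secret) {
        try {
            if (secret.getMode() == RequestedSecret.Mode.ROTATE) {
                container.rotate(secret);
                return true;
            }
            return container.renew(secret);
        }
        catch (IllegalStateException e) {
            // Typical before the container has obtained a lease for this secret
            // (e.g. before start()); the scheduled path publishes events once it has one.
            return false;
        }
    }
}
```

Because rotate() publishes the new credentials through the same LeaseListener path as the background rotation, consumers need no special handling for a manual refresh; they simply pick up the next SecretLeaseCreatedEvent.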
doGetSecrets
    @Nullable protected VaultResponseSupport<Map<String,Object>> doGetSecrets(RequestedSecret requestedSecret)
    Retrieve secrets from VaultOperations.
    Parameters: requestedSecret - the RequestedSecret providing the secret path.
    Returns: the response.

doRenewLease
    Renew a Lease for a RequestedSecret.
    Parameters: requestedSecret - the requested secret. lease - the lease.
    Returns: the new lease, or null if expired/secret cannot be rotated.

onLeaseExpired
    Hook method called when a Lease expires. The default implementation is to notify LeaseListener. Implementations can override this method in subclasses.
    Overrides: onLeaseExpired in class SecretLeaseEventPublisher
    Parameters: requestedSecret - must not be null. lease - must not be null.
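A subclass overriding the onLeaseExpired hook must still delegate to the superclass, otherwise listeners never see SecretLeaseExpiredEvent for that secret. The following subclass is an added example (not code from the Spring Vault project) that records an expiry count per secret path, which is a cheap signal for a metric or alert when a lease expires more often than its TTL suggests, and then calls the default implementation. The class name CountingLeaseContainer and the counter are assumptions; the hook runs on the container's renewal worker thread, hence the concurrent map.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicLong;

import org.springframework.scheduling.TaskScheduler;
import org.springframework.vault.core.VaultOperations;
import org.springframework.vault.core.lease.SecretLeaseContainer;
import org.springframework.vault.core.lease.domain.Lease;
import org.springframework.vault.core.lease.domain.RequestedSecret;

/**
 * Counts lease expiries per secret path before delegating to the default
 * listener notification. Hypothetical subclass; the counter is the only
 * addition to the container's behaviour.
 */
public class CountingLeaseContainer extends SecretLeaseContainer {

    private final ConcurrentHashMap<String, AtomicLong> expiries = new ConcurrentHashMap<>();

    public CountingLeaseContainer(VaultOperations operations, TaskScheduler taskScheduler) {
        super(operations, taskScheduler);
    }

    @Override
    protected void onLeaseExpired(RequestedSecret requestedSecret, Lease lease) {
        // Invoked on the background renewal thread, so the map must be concurrency-safe.
        expiries.computeIfAbsent(requestedSecret.getPath(), path -> new AtomicLong()).incrementAndGet();

        // Keep the default behaviour: skipping this call would silence
        // SecretLeaseExpiredEvent for every LeaseListener registered on this container.
        super.onLeaseExpired(requestedSecret, lease);
    }

    /** Number of expiries observed for the given secret path since the container started. */
    public long expiryCount(String path) {
        AtomicLong counter = expiries.get(path);
        return counter == null ? 0L : counter.get();
    }
}
```

The subclass is a drop-in replacement for SecretLeaseContainer in the wiring shown in the class description; requestRotatingSecret(), start() and the listeners behave exactly as before, with the count available through expiryCount(path).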
doRevokeLease
    Revoke the Lease.
    Parameters: requestedSecret - must not be null. lease - must not be null.