Class CertificateContainer

java.lang.Object
org.springframework.vault.core.certificate.CertificateEventPublisher
org.springframework.vault.core.certificate.CertificateContainer
All Implemented Interfaces:
DisposableBean, InitializingBean, Lifecycle, Phased, SmartLifecycle, CertificateRegistry

public class CertificateContainer extends CertificateEventPublisher implements CertificateRegistry, InitializingBean, DisposableBean, SmartLifecycle
Event-based container to request certificates from Vault's PKI engine and rotate these on expiry. Usage example:
 CertificateContainer container = new CertificateContainer(vaultOperations.opsForPki());

 // register(...) returns void, so keep a handle on the RequestedCertificate to match events against
 RequestedCertificate cert = RequestedCertificate.trustAnchor("vault-ca");
 container.register(cert);

 container.addCertificateListener(new CertificateListenerAdapter() {
     @Override
     public void onCertificateEvent(CertificateEvent event) {
         if (cert.equals(event.getSource())) {
             if (event instanceof CertificateObtainedEvent) {
                 // certificate obtained
             }
         }
     }
 });

 container.afterPropertiesSet(); // initialization is required before start()
 container.start();              // events are triggered after starting the container
 

This container keeps track of RequestedCertificates and obtains/issues certificates upon start(). The container manages unique RequestedCertificate registrations, so multiple registrations of the same RequestedCertificate are treated as one registration.

The container dispatches certificate events to CertificateListener and CertificateErrorListener. Event notifications are dispatched either on the thread that called start() or on the worker threads used for background renewal, so listeners must be thread-safe and should not block.

Instances are thread-safe once initialized.

Since:
4.1
Author:
Mark Paluch
  • Method Details

    • setTaskScheduler

      public void setTaskScheduler(TaskScheduler taskScheduler)
      Sets the TaskScheduler to use for scheduling and execution of certificate rotations.
      Parameters:
      taskScheduler - must not be null.
    • getExpiryThreshold

      public Duration getExpiryThreshold()
    • setExpiryThreshold

      public void setExpiryThreshold(Duration expiryThreshold)
      Set the expiry threshold. A Certificate is rotated the given time before it expires.
      Parameters:
      expiryThreshold - duration before Certificate expiry, must not be null or negative.
    • register

      public void register(RequestedCertificate certificate)
      Description copied from interface: CertificateRegistry
      Register a RequestedCertificate with the registry.

      Subsequent registrations of the same RequestedCertificate are considered as a single registration and the certificate will be managed only once.

      Specified by:
      register in interface CertificateRegistry
      Parameters:
      certificate - the certificate to be managed.
    • register

      public void register(RequestedCertificate certificate, CertificateListener listener)
      Description copied from interface: CertificateRegistry
      Register a RequestedCertificate with the registry with an associated CertificateListener.

      Subsequent registrations of the same RequestedCertificate are considered as a single registration and the certificate will be managed only once. A requested certificate that has already been registered and activated by the container will not lead to emission of a new CertificateObtainedEvent carrying the previously obtained certificate, but only to future events such as rotations or renewals. A listener added late therefore cannot rely on a replayed event to learn the current certificate.

      Specified by:
      register in interface CertificateRegistry
      Parameters:
      certificate - the requested certificate to be managed.
      listener - listener to associate with the requested certificate. The listener will be notified only with events concerning the requested certificate.
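      The following is an added example (not code from the Spring Vault project) that ties the registry and lifecycle methods above together: a dedicated TaskScheduler for background renewal, an expiry threshold, a per-certificate listener registered through register(RequestedCertificate, CertificateListener), a duplicate registration that collapses into the first, and a fail-closed start that tears the container down if no CertificateObtainedEvent arrives. It assumes an already authenticated VaultOperations backed by a Vault with a PKI mount, and reuses the "vault-ca" name from this page's own usage example; the timeout and thread name prefix are choices made for the example.

```java
import java.time.Duration;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;

import org.springframework.scheduling.concurrent.ThreadPoolTaskScheduler;
import org.springframework.vault.core.VaultOperations;
import org.springframework.vault.core.certificate.CertificateContainer;
import org.springframework.vault.core.certificate.CertificateEvent;
import org.springframework.vault.core.certificate.CertificateListenerAdapter;
import org.springframework.vault.core.certificate.CertificateObtainedEvent;
import org.springframework.vault.core.certificate.RequestedCertificate;

public class RotatingTrustAnchor {

    /**
     * Builds, initializes and starts a CertificateContainer for one trust anchor.
     * Assumption: vaultOperations is authenticated and opsForPki() points at a PKI mount.
     */
    public static CertificateContainer startContainer(VaultOperations vaultOperations) throws Exception {
        CertificateContainer container = new CertificateContainer(vaultOperations.opsForPki());

        // Dedicated scheduler for background rotation (ThreadPoolTaskScheduler defaults to one thread)
        ThreadPoolTaskScheduler scheduler = new ThreadPoolTaskScheduler();
        scheduler.setThreadNamePrefix("vault-cert-");
        scheduler.initialize();
        container.setTaskScheduler(scheduler);

        // Rotate one hour before expiry so a failed renewal still leaves time to retry
        container.setExpiryThreshold(Duration.ofHours(1));

        // "vault-ca" is the name used by the page's usage example
        RequestedCertificate cert = RequestedCertificate.trustAnchor("vault-ca");
        CountDownLatch obtained = new CountDownLatch(1);

        // Per-certificate listener: it is only notified with events concerning 'cert',
        // so no event.getSource() comparison is needed here
        container.register(cert, new CertificateListenerAdapter() {
            @Override
            public void onCertificateEvent(CertificateEvent event) {
                // Dispatched on the starting thread or a scheduler worker: keep it short and thread-safe
                if (event instanceof CertificateObtainedEvent) {
                    obtained.countDown();
                }
            }
        });

        // Registering the same RequestedCertificate again is folded into the first registration;
        // the certificate is obtained and rotated only once
        container.register(cert);

        container.afterPropertiesSet(); // mandatory before start()
        container.start();              // initial certificate is obtained now; events follow

        // Fail closed: if Vault did not hand out the certificate, do not keep a half-started container
        if (!obtained.await(30, TimeUnit.SECONDS)) {
            container.destroy();
            throw new IllegalStateException("no certificate obtained from Vault within 30 seconds");
        }
        return container;
    }

    /** Forces an out-of-band rotation, e.g. after a suspected key compromise. */
    public static void rotateNow(CertificateContainer container, RequestedCertificate cert) {
        container.rotate(cert);
    }

    /** Stops rotation and event publishing; the container cannot be started again after destroy(). */
    public static void shutdown(CertificateContainer container) throws Exception {
        container.stop();
        container.destroy();
    }
}
```

      Because a second registration of an already active certificate does not replay CertificateObtainedEvent, the listener is attached in the same register(...) call that introduces the certificate; a listener added later would only see future rotations.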
    • unregister

      public boolean unregister(RequestedCertificate certificate)
      Description copied from interface: CertificateRegistry
      Unregister the RequestedCertificate from the registry. Removing the certificate stops rotations, and it removes listener registrations that were associated with the certificate registration.
      Specified by:
      unregister in interface CertificateRegistry
      Parameters:
      certificate - the certificate to be deregistered.
      Returns:
      true if the certificate was registered before and has been removed; false otherwise.
    • rotate

      public void rotate(RequestedCertificate requestedCertificate)
      Force certificate rotation.
      Parameters:
      requestedCertificate - the certificate to rotate.
    • start

      public void start()
      Start the CertificateContainer. Starting the container will initially obtain certificates for the requested certificates. A started container publishes events through CertificateListener. Additional certificates can be requested at any time.

      Multiple calls are synchronized to start the container only once. Container start requires prior initialization through afterPropertiesSet(), and the container cannot be started again once it has been destroyed.

      Specified by:
      start in interface Lifecycle
    • stop

      public void stop()
      Stop the CertificateContainer. Stopping the container will stop certificate rotation and event publishing.

      Multiple calls are synchronized to stop the container only once.

      Specified by:
      stop in interface Lifecycle
    • isRunning

      public boolean isRunning()
      Specified by:
      isRunning in interface Lifecycle
    • getPhase

      public int getPhase()
      Specified by:
      getPhase in interface Phased
      Specified by:
      getPhase in interface SmartLifecycle
    • afterPropertiesSet

      public void afterPropertiesSet()
      Specified by:
      afterPropertiesSet in interface InitializingBean
      Overrides:
      afterPropertiesSet in class CertificateEventPublisher
    • destroy

      public void destroy() throws Exception
      Shut down this CertificateContainer and disable rotation of active certificates.
      Specified by:
      destroy in interface DisposableBean
      Throws:
      Exception