KeyVaultConfigProvider
com.github.jcustenborder.kafka.config.azure.KeyVaultConfigProvider
This config provider is used to retrieve secrets from the Microsoft Azure Key Vault service.
Tip: Config providers can be used with anything that supports the AbstractConfig base class that is shipped with Apache Kafka.
Secret Value
The value for the secret must be formatted as a JSON object. This allows multiple keys of data to be stored in a single secret. The name of the secret in Microsoft Azure Key Vault will correspond to the path that is requested by the config provider.
    {
      "username" : "db101",
      "password" : "superSecretPassword"
    }
Secret Retrieval
The ConfigProvider uses the name of the secret to build the request to the Key Vault service. This behavior can be overridden with a prefix: with config.providers.keyVault.param.prefix=staging- set, a request for ${keyVault:test-secret} makes the ConfigProvider build a request for staging-test-secret. Some behaviors can be overridden by query string parameters, and more than one query string parameter can be combined. For example, ${keyVault:test-secret?ttl=30000&version=1} returns version 1 of the secret named test-secret with a TTL of 30 seconds. After the TTL has expired the ConfigProvider requests an updated credential. If you are using this with Kafka Connect, your tasks will be reconfigured if one of the values has changed.
Parameter | Description | Default | Example |
---|---|---|---|
ttl | Used to override the TTL for the secret. | Value specified by config.providers.keyVault.param.secret.ttl.ms | ${keyVault:test-secret?ttl=60000} |
version | Used to override the version of the secret. | latest | ${keyVault:test-secret?version=1} |
Configuration
General
vault.url
The vault URL to connect to. For example https://example.vault.azure.net/
Importance: HIGH
Type: STRING
credential.type
The type of credentials to use.
ClientCertificate - Uses the ClientCertificateCredential.
ClientSecret - Uses the ClientSecretCredential.
DefaultAzure - Uses the DefaultAzureCredential.
UsernamePassword - Uses the UsernamePasswordCredential.
Importance: HIGH
Type: STRING
Default Value: DefaultAzure
Validator: Matches: DefaultAzure, ClientSecret, ClientCertificate, UsernamePassword
secret.prefix
Sets a prefix that will be added to all paths. For example, you can use staging or production and all of the calls to Key Vault will be prefixed with that path. This allows the same configuration settings to be used across multiple environments.
Importance: LOW
Type: STRING
secret.ttl.ms
The minimum amount of time that a secret should be used. After this TTL has expired, Key Vault will be queried again in case there is an updated configuration.
Importance: LOW
Type: LONG
Default Value: 300000
Validator: [1000,…]
Client Certificate
client.certificate.path
Location on the local filesystem for the client certificate that will be used to authenticate to Azure.
Importance: HIGH
Type: STRING
client.certificate.pfx.password
The password protecting the PFX file.
Importance: HIGH
Type: PASSWORD
Default Value: [hidden]
client.certificate.send.certificate.chain.enabled
Flag to indicate whether the certificate chain should be sent as part of the authentication request.
Importance: HIGH
Type: BOOLEAN
client.certificate.type
The type of encoding used on the file specified in client.certificate.path.
PEM - Certificate is formatted using PEM encoding.
PFX - Certificate is formatted using PFX encoding. client.certificate.pfx.password is required.
Importance: HIGH
Type: STRING
Default Value: PEM
Validator: Matches: PEM, PFX
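Putting the settings above together, as an added example that is not part of the project's documentation: a Kafka Connect worker configuration that registers the provider, followed by a connector configuration that pulls individual keys out of the JSON secret through the standard Kafka ${alias:path:key} reference form. The vault host name, file paths, secret names and connector class are placeholders, and the prefix parameter is written as secret.prefix, the name used in the Configuration section.

```properties
# --- connect-distributed.properties (worker) ---
# Register the provider under the alias "keyVault"; the alias is arbitrary and is
# the name used inside ${keyVault:...} references.
config.providers=keyVault
config.providers.keyVault.class=com.github.jcustenborder.kafka.config.azure.KeyVaultConfigProvider

# Provider parameters are passed as config.providers.<alias>.param.<name>.
config.providers.keyVault.param.vault.url=https://example.vault.azure.net/
# DefaultAzure (the default) resolves a managed identity or environment
# credentials, so no client secret or certificate has to live in this file.
config.providers.keyVault.param.credential.type=DefaultAzure
# Alternative: authenticate with a PEM client certificate stored on the worker.
#config.providers.keyVault.param.credential.type=ClientCertificate
#config.providers.keyVault.param.client.certificate.path=/etc/kafka/keyvault-client.pem
#config.providers.keyVault.param.client.certificate.type=PEM
#config.providers.keyVault.param.client.certificate.send.certificate.chain.enabled=true

# Every requested secret name is prefixed, so the same connector config resolves
# "staging-db-credentials" here and "production-db-credentials" on another worker.
config.providers.keyVault.param.secret.prefix=staging-
# Re-query Key Vault at most every 10 minutes (the validator requires >= 1000 ms).
config.providers.keyVault.param.secret.ttl.ms=600000

# --- db-sink.properties (connector) ---
# Key Vault secret "staging-db-credentials" holds {"username": ..., "password": ...};
# ${alias:path:key} selects one key of that JSON object, so the password never
# appears in the connector configuration or in the Connect REST API responses.
name=db-sink
connector.class=<your connector class>
# What the provider replaces (plaintext credential in the connector config):
#connection.password=superSecretPassword
connection.user=${keyVault:db-credentials:username}
# Query string parameters sit on the path, before the key: refresh every 60 s.
connection.password=${keyVault:db-credentials?ttl=60000:password}
```

The worker file still holds the bootstrap settings for reaching Key Vault, so restrict its filesystem permissions to the Connect service account; with DefaultAzure it contains no long-lived secret at all.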