Package io.quarkus.vault.runtime.config

Interface VaultRuntimeConfig

  • @ConfigMapping(prefix="quarkus.vault")
@ConfigRoot(phase=RUN_TIME)
public interface VaultRuntimeConfig

    • Method Detail

      • configOrdinal

        @WithDefault("270")
int configOrdinal()
        Microprofile Config ordinal.

        This is provided as an alternative to the `config_ordinal` property defined by the specification, to make it easier and more natural for applications to override the default ordinal.

        The default value is higher than the file system or jar ordinals, but lower than env vars.

      • url

        Optional<URL> url()
        Vault server url.

        Example: https://localhost:8200

        See also the documentation for the `kv-secret-engine-mount-path` property for some insights on how the full Vault url gets built.

      • renewGracePeriod

        @WithDefault("1H")
@WithConverter(io.quarkus.runtime.configuration.DurationConverter.class)
@WithConverter(io.quarkus.runtime.configuration.DurationConverter.class) Duration renewGracePeriod()
        Renew grace period duration.

        This value if used to extend a lease before it expires its ttl, or recreate a new lease before the current lease reaches its max_ttl. By default Vault leaseDuration is equal to 7 days (ie: 168h or 604800s). If a connection pool maxLifetime is set, it is reasonable to set the renewGracePeriod to be greater than the maxLifetime, so that we are sure we get a chance to renew leases before we reach the ttl. In any case you need to make sure there will be attempts to fetch secrets within the renewGracePeriod, because that is when the renewals will happen. This is particularly important for db dynamic secrets because if the lease reaches its ttl or max_ttl, the password of the db user will become invalid and it will be not longer possible to log in. This value should also be smaller than the ttl, otherwise that would mean that we would try to recreate leases all the time.

      • secretConfigCachePeriod

        @WithDefault("10M")
@WithConverter(io.quarkus.runtime.configuration.DurationConverter.class)
@WithConverter(io.quarkus.runtime.configuration.DurationConverter.class) Duration secretConfigCachePeriod()
        Vault config source cache period.

        Properties fetched from vault as MP config will be kept in a cache, and will not be fetched from vault again until the expiration of that period. This property is ignored if `secret-config-kv-path` is not set.

      • secretConfigKvPath

        Optional<List<String>> secretConfigKvPath()
        List of comma separated vault paths in kv store, where all properties will be available as MP config properties **as-is**, with no prefix.

        For instance, if vault contains property `foo`, it will be made available to the quarkus application as `@ConfigProperty(name = "foo") String foo;`

        If 2 paths contain the same property, the last path will win.

        For instance if

        * `secret/base-config` contains `foo=bar` and * `secret/myapp/config` contains `foo=myappbar`, then

        `@ConfigProperty(name = "foo") String foo` will have value `myappbar` with application properties `quarkus.vault.secret-config-kv-path=base-config,myapp/config`

        See also the documentation for the `kv-secret-engine-mount-path` property for some insights on how the full Vault url gets built.

      • mpConfigInitialAttempts

        @WithDefault("1")
int mpConfigInitialAttempts()
        Maximum number of attempts when fetching MP Config properties on the initial connection.

      • logConfidentialityLevel

        @WithDefault("medium")
LogConfidentialityLevel logConfidentialityLevel()
        Used to hide confidential infos, for logging in particular. Possible values are:

        * low: display all secrets. * medium: display only usernames and lease ids (ie: passwords and tokens are masked). * high: hide lease ids and dynamic credentials username.

      • kvSecretEngineVersion

        @WithDefault("2")
int kvSecretEngineVersion()
        Kv secret engine version.

        see https://www.vaultproject.io/docs/secrets/kv/index.html

      • kvSecretEngineMountPath

        @WithDefault("secret")
String kvSecretEngineMountPath()
        KV secret engine path.

        This value is used when building the url path in the KV secret engine programmatic access (i.e. `VaultKVSecretEngine`) and the vault config source (i.e. fetching configuration properties from Vault).

        For a v2 KV secret engine (default - see `kv-secret-engine-version property`) the full url is built from the expression `/v1//data/...`.

        With property `quarkus.vault.url=https://localhost:8200`, the following call `vaultKVSecretEngine.readSecret("foo/bar")` would lead eventually to a `GET` on Vault with the following url: `https://localhost:8200/v1/secret/data/foo/bar`.

        With a KV secret engine v1, the url changes to: `/v1//...`.

        The same logic is applied to the Vault config source. With `quarkus.vault.secret-config-kv-path=config/myapp` The secret properties would be fetched from Vault using a `GET` on `https://localhost:8200/v1/secret/data/config/myapp` for a KV secret engine v2 (or `https://localhost:8200/v1/secret/config/myapp` for a KV secret engine v1).

        see https://www.vaultproject.io/docs/secrets/kv/index.html

      • connectTimeout

        @WithDefault("5S")
@WithConverter(io.quarkus.runtime.configuration.DurationConverter.class)
@WithConverter(io.quarkus.runtime.configuration.DurationConverter.class) Duration connectTimeout()
        Timeout to establish a connection with Vault.

      • readTimeout

        @WithDefault("5S")
@WithConverter(io.quarkus.runtime.configuration.DurationConverter.class)
@WithConverter(io.quarkus.runtime.configuration.DurationConverter.class) Duration readTimeout()
        Request timeout on Vault.

      • nonProxyHosts

        Optional<List<String>> nonProxyHosts()
        List of remote hosts that are not proxied when the client is configured to use a proxy. This list serves the same purpose as the JVM nonProxyHosts configuration.

        Entries can use the * wildcard character for pattern matching, e.g *.example.com matches www.example.com.

      • proxyHost

        Optional<String> proxyHost()
        The proxy host. If set the client is configured to use a proxy.

      • proxyPort

        @WithDefault("3128")
Integer proxyPort()
        The port the proxy is listening on, 3128 by default.

      • credentialsProvider

        Map<String,​CredentialsProviderConfig> credentialsProvider()
        List of named credentials providers, such as: `quarkus.vault.credentials-provider.foo.kv-path=mypath`

        This defines a credentials provider `foo` returning key `password` from vault path `mypath`. Once defined, this provider can be used in credentials consumers, such as the Agroal connection pool.

        Example: `quarkus.datasource.credentials-provider=foo`

      • toStringConfidential

        default String toStringConfidential()