Class HcVaultKmsClient
java.lang.Object
io.confluent.kafka.schemaregistry.encryption.hcvault.HcVaultKmsClient
- All Implemented Interfaces:
com.google.crypto.tink.KmsClient
An implementation of KmsClient for Vault Transit Secrets Engine.
-
Field Summary
Fields -
Constructor Summary
Constructors
Constructor: Description
- HcVaultKmsClient(String uri): Constructs a specific HcVaultKmsClient that is bound to a single key identified by uri.
-
Method Summary
Modifier and Type, Method: Description
- boolean doesSupport(String uri)
- com.google.crypto.tink.Aead getAead
- io.github.jopenlibs.vault.VaultConfig getVaultConfig()
- com.google.crypto.tink.KmsClient withConfig(io.github.jopenlibs.vault.VaultConfig config): Loads Vault credentials from a config.
- com.google.crypto.tink.KmsClient withCredentials(io.github.jopenlibs.vault.SslConfig sslConfig, String token, Optional<String> namespace)
- com.google.crypto.tink.KmsClient withCredentials(String token): Loads Vault config with the provided token.
- com.google.crypto.tink.KmsClient withCredentials(String token, Optional<String> namespace)
- com.google.crypto.tink.KmsClient withDefaultCredentials: Loads default Vault config.
- com.google.crypto.tink.KmsClient withVault(io.github.jopenlibs.vault.api.Logical vault): Specifies the Logical object to be used.
-
Field Details
-
PREFIX
- See Also:
-
-
Constructor Details
-
HcVaultKmsClient
public HcVaultKmsClient()
-
HcVaultKmsClient
Constructs a specific HcVaultKmsClient that is bound to a single key identified by uri.
-
-
Method Details
-
doesSupport
- Specified by:
doesSupport in interface com.google.crypto.tink.KmsClient
- Returns:
-
withCredentials
public com.google.crypto.tink.KmsClient withCredentials(String token) throws GeneralSecurityException
Loads Vault config with the provided token.
If token is null, loads the token from the "VAULT_TOKEN" environment variable. All other configuration elements will also be read from environment variables.
- Specified by:
withCredentials in interface com.google.crypto.tink.KmsClient
- Throws:
GeneralSecurityException
-
withCredentials
public com.google.crypto.tink.KmsClient withCredentials(String token, Optional<String> namespace) throws GeneralSecurityException
- Throws:
GeneralSecurityException
-
withCredentials
public com.google.crypto.tink.KmsClient withCredentials(io.github.jopenlibs.vault.SslConfig sslConfig, String token, Optional<String> namespace) throws GeneralSecurityException
- Throws:
GeneralSecurityException
-
withDefaultCredentials
Loads default Vault config. Token and timeouts can be loaded from environment variables.
- Vault Token read from "VAULT_TOKEN" environment variable
- Open Timeout read from "VAULT_OPEN_TIMEOUT" environment variable
- Read Timeout read from "VAULT_READ_TIMEOUT" environment variable
- Specified by:
withDefaultCredentials in interface com.google.crypto.tink.KmsClient
- Throws:
GeneralSecurityException
-
withConfig
public com.google.crypto.tink.KmsClient withConfig(io.github.jopenlibs.vault.VaultConfig config) throws GeneralSecurityException
Loads Vault credentials from a config.
- Throws:
GeneralSecurityException
-
withVault
public com.google.crypto.tink.KmsClient withVault(io.github.jopenlibs.vault.api.Logical vault)
Specifies the Logical object to be used. Only used for testing.
-
getVaultConfig
public io.github.jopenlibs.vault.VaultConfig getVaultConfig()
-
getAead
- Specified by:
getAead in interface com.google.crypto.tink.KmsClient
- Throws:
GeneralSecurityException
-