java.lang.Object
io.confluent.kafka.schemaregistry.encryption.hcvault.HcVaultKmsClient
All Implemented Interfaces:
com.google.crypto.tink.KmsClient

public class HcVaultKmsClient extends Object implements com.google.crypto.tink.KmsClient
An implementation of KmsClient for the Vault Transit Secrets Engine.
  • Constructor Details

    • HcVaultKmsClient

      public HcVaultKmsClient()
    • HcVaultKmsClient

      public HcVaultKmsClient(String uri)
      Constructs a specific HcVaultKmsClient that is bound to a single key identified by uri.
  • Method Details

    • doesSupport

      public boolean doesSupport(String uri)
      Specified by:
      doesSupport in interface com.google.crypto.tink.KmsClient
      Returns:
    • withCredentials

      public com.google.crypto.tink.KmsClient withCredentials(String token) throws GeneralSecurityException
      Loads Vault config with the provided token.

      If token is null, the token is loaded from the "VAULT_TOKEN" environment variable.

      All other configuration elements are also read from environment variables.

      Specified by:
      withCredentials in interface com.google.crypto.tink.KmsClient
      Throws:
      GeneralSecurityException
    • withCredentials

      public com.google.crypto.tink.KmsClient withCredentials(String token, Optional<String> namespace) throws GeneralSecurityException
      Throws:
      GeneralSecurityException
    • withCredentials

      public com.google.crypto.tink.KmsClient withCredentials(io.github.jopenlibs.vault.SslConfig sslConfig, String token, Optional<String> namespace) throws GeneralSecurityException
      Throws:
      GeneralSecurityException
    • withDefaultCredentials

      public com.google.crypto.tink.KmsClient withDefaultCredentials() throws GeneralSecurityException
      Loads default Vault config.

      Token and timeouts can be loaded from environment variables.

      • Vault Token read from "VAULT_TOKEN" environment variable
      • Open Timeout read from "VAULT_OPEN_TIMEOUT" environment variable
      • Read Timeout read from "VAULT_READ_TIMEOUT" environment variable
      Specified by:
      withDefaultCredentials in interface com.google.crypto.tink.KmsClient
      Throws:
      GeneralSecurityException
    • withConfig

      public com.google.crypto.tink.KmsClient withConfig(io.github.jopenlibs.vault.VaultConfig config) throws GeneralSecurityException
      Loads Vault credentials from a config.
      Throws:
      GeneralSecurityException
    • withVault

      public com.google.crypto.tink.KmsClient withVault(io.github.jopenlibs.vault.api.Logical vault)
      Specifies the Logical object to be used. Only used for testing.
    • getVaultConfig

      public io.github.jopenlibs.vault.VaultConfig getVaultConfig()
    • getAead

      public com.google.crypto.tink.Aead getAead(String uri) throws GeneralSecurityException
      Specified by:
      getAead in interface com.google.crypto.tink.KmsClient
      Throws:
      GeneralSecurityException
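The following usage sketch is an added example and is not part of this Javadoc or of the Confluent project's code. It assumes a reachable Vault server with the Transit Secrets Engine enabled, a VAULT_TOKEN environment variable set (as withDefaultCredentials documents above), and a key URI in whatever scheme this client's doesSupport accepts; the KEY_URI value and the HCVAULT_KEY_URI variable name are placeholders, not identifiers from the page. The Aead returned by getAead proxies encrypt and decrypt to Vault, so the key material itself never leaves the Transit engine.

```java
import com.google.crypto.tink.Aead;
import com.google.crypto.tink.KmsClient;
import io.confluent.kafka.schemaregistry.encryption.hcvault.HcVaultKmsClient;

import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Arrays;

public final class HcVaultAeadExample {

    // Placeholder key URI (assumption): the page does not state the URI scheme,
    // so this is read from an environment variable you set for your deployment.
    private static final String KEY_URI = System.getenv().getOrDefault(
            "HCVAULT_KEY_URI", "hcvault://vault.example.internal:8200/transit/keys/example-key");

    public static void main(String[] args) throws GeneralSecurityException {
        // Bind the client to a single key, then confirm it actually handles this URI.
        KmsClient client = new HcVaultKmsClient(KEY_URI);
        if (!client.doesSupport(KEY_URI)) {
            throw new IllegalStateException("client does not handle key URI: " + KEY_URI);
        }

        // Token and timeouts are taken from VAULT_TOKEN, VAULT_OPEN_TIMEOUT and
        // VAULT_READ_TIMEOUT, exactly as withDefaultCredentials documents.
        client = client.withDefaultCredentials();

        // The Aead delegates to Vault's Transit engine; no key bytes are exposed here.
        Aead aead = client.getAead(KEY_URI);

        // Constructed sample plaintext for the round trip.
        byte[] plaintext = "4111-1111-1111-1111".getBytes(StandardCharsets.UTF_8);
        byte[] associatedData = new byte[0];

        byte[] ciphertext = aead.encrypt(plaintext, associatedData);
        byte[] roundTrip = aead.decrypt(ciphertext, associatedData);
        if (!Arrays.equals(plaintext, roundTrip)) {
            throw new IllegalStateException("decrypt did not return the original plaintext");
        }
        System.out.println("round trip ok, ciphertext length " + ciphertext.length);
    }
}
```

Run it once against a non-production Vault to confirm the token's policy grants encrypt and decrypt on the Transit key and nothing more; if the token is missing or lacks those capabilities, the failure surfaces as the GeneralSecurityException declared on withDefaultCredentials and getAead rather than as silently unencrypted data.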