com.bettercloud.vault

Class VaultConfig

java.lang.Object

com.bettercloud.vault.VaultConfig

public class VaultConfig
extends java.lang.Object

A container for the configuration settings needed to initialize a Vault driver instance.

There are two ways to create and setup a VaultConfig instance. The full-featured approach uses a builder pattern, calling setter methods for each value and then terminating with a call to build():

 final VaultConfig config = new VaultConfig()
                              .address("http://127.0.0.1:8200")
                              .token("eace6676-4d78-c687-4e54-03cad00e3abf")
                              .sslVerify(true)
                              .timeout(30)
                              .build();
 

If the only values that you need to set are address and token, then as a shortcut there is also a constructor method taking those two values:

 final VaultConfig config = new VaultConfig("http://127.0.0.1:8200", "eace6676-4d78-c687-4e54-03cad00e3abf");
 

Note that when using the shorthand convenience constructor, you should NOT set additional properties on the same instance afterward.

Constructor Summary

Constructors

Modifier	Constructor and Description
	VaultConfig() Default constructor.
	VaultConfig(java.lang.String address) A convenience constructor, for quickly creating a VaultConfig instance with its address field populated.
	VaultConfig(java.lang.String address, java.lang.String token) A convenience constructor, for quickly creating a VaultConfig instance with its address and token fields populated.
protected	VaultConfig(java.lang.String address, java.lang.String token, com.bettercloud.vault.VaultConfig.EnvironmentLoader environmentLoader) An overloaded version of the normal convenience constructor, used by unit tests to inject a mock environment variable loader and validate that loading logic.
protected	VaultConfig(java.lang.String address, com.bettercloud.vault.VaultConfig.EnvironmentLoader environmentLoader) An overloaded version of the normal convenience constructor, used by unit tests to inject a mock environment variable loader and validate that loading logic.

Method Summary

Modifier and Type	Method and Description
VaultConfig	address(java.lang.String address) Sets the address (URL) of the Vault server instance to which API calls should be sent.
VaultConfig	build() This is the terminating method in the builder pattern.
java.lang.String	getAddress()
int	getMaxRetries()
java.lang.Integer	getOpenTimeout()
java.lang.Integer	getReadTimeout()
int	getRetryIntervalMilliseconds()
java.lang.String	getSslPemUTF8()
java.lang.String	getToken()
java.lang.Boolean	isSslVerify()
VaultConfig	openTimeout(java.lang.Integer openTimeout) The number of seconds to wait before giving up on establishing an HTTP(S) connection to the Vault server.
VaultConfig	readTimeout(java.lang.Integer readTimeout) After an HTTP(S) connection has already been established, this is the number of seconds to wait for all data to finish downloading.
protected void	setMaxRetries(int maxRetries) Sets the maximum number of times that an API operation will retry upon failure.
protected void	setRetryIntervalMilliseconds(int retryIntervalMilliseconds) Sets the period of time (in milliseconds) that the driver will wait in between retry attempts for a failing API operation.
VaultConfig	sslPemFile(java.io.File sslPemFile) An X.509 certificate, to use when communicating with Vault over HTTPS.
VaultConfig	sslPemResource(java.lang.String classpathResource) An X.509 certificate, to use when communicating with Vault over HTTPS.
VaultConfig	sslPemUTF8(java.lang.String sslPemUTF8) An X.509 certificate, to use when communicating with Vault over HTTPS.
VaultConfig	sslVerify(java.lang.Boolean sslVerify) Whether or not HTTPS connections to the Vault server should verify that a valid SSL certificate is being used.
VaultConfig	token(java.lang.String token) Sets the token used to access Vault.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

VaultConfig

public VaultConfig()

Default constructor. Should be used in conjunction with the builder pattern, calling additional property setter methods and ultimately finishing with a call to build().

Note that when using this builder pattern approach, you must either set address and token explicitly, or else have them available as runtime environment variables.

VaultConfig

public VaultConfig(java.lang.String address,
                   java.lang.String token)
            throws VaultException

A convenience constructor, for quickly creating a VaultConfig instance with its address and token fields populated.

Although address and token are the only two properties explicitly passed, the constructor will still look to the runtime environment variables to populate any other fields when values are present.

When using this approach to creating a VaultConfig instance, you should NOT make additional setter method calls after construction. If you need other properties set explicitly, then use the builder pattern approach.

Parameters:

address - The URL of the target Vault server

token - The access token to enable Vault access

Throws:

VaultException - If any error occurs while loading and parsing config values

VaultConfig

public VaultConfig(java.lang.String address)
            throws VaultException

A convenience constructor, for quickly creating a VaultConfig instance with its address field populated.

While the other convenience constructor requires root token parameter, this constructor version does not. So it IS possible to construct a VaultConfig object with no root token present. However, such an object will be of no use with most actual Vault API calls. This constructor is therefore meant to be used when you plan to programmatically retrieve a token (e.g. from the "userpass" backend) and populate it prior to making other API calls.

When using this approach to creating a VaultConfig instance, you should NOT make additional setter method calls after construction... other than the token scenario described immediately above. If you need any other properties set explicitly, then use the builder pattern approach.

Parameters:

address - The URL of the target Vault server

Throws:

VaultException - If any error occurs while loading and parsing config values

VaultConfig

protected VaultConfig(java.lang.String address,
                      java.lang.String token,
                      com.bettercloud.vault.VaultConfig.EnvironmentLoader environmentLoader)
               throws VaultException

An overloaded version of the normal convenience constructor, used by unit tests to inject a mock environment variable loader and validate that loading logic.

Parameters:

address - The URL of the target Vault server

token - The access token to enable Vault access

environmentLoader - A (mock) environment loader implementation

Throws:

VaultException - If any error occurs while loading and parsing config values

VaultConfig

protected VaultConfig(java.lang.String address,
                      com.bettercloud.vault.VaultConfig.EnvironmentLoader environmentLoader)
               throws VaultException

An overloaded version of the normal convenience constructor, used by unit tests to inject a mock environment variable loader and validate that loading logic.

Parameters:

address - The URL of the target Vault server

environmentLoader - A (mock) environment loader implementation

Throws:

VaultException - If any error occurs while loading and parsing config values

Method Detail

address

public VaultConfig address(java.lang.String address)

Sets the address (URL) of the Vault server instance to which API calls should be sent. E.g. http://127.0.0.1:8200.

If no address is explicitly set, either by this method in a builder pattern approach or else by one of the convenience constructors, then VaultConfig will look to the VAULT_ADDR environment variable.

address is required for the Vault driver to function. If you do not supply it explicitly AND no environment variable value is found, then initialization of the VaultConfig object will fail.

Parameters:

address - The Vault server base URL

Returns:

This object, with address populated, ready for additional builder-pattern method calls or else finalization with the build() method

token

public VaultConfig token(java.lang.String token)

Sets the token used to access Vault.

If no token is explicitly set, either by this method in a builder pattern approach or else by one of the convenience constructors, then VaultConfig will look to the VAULT_TOKEN environment variable.

There are some cases where you might want to instantiate a VaultConfig object without a token (e.g. you plan to retrieve a token programmatically, with a call to the "userpass" auth backend, and populate it prior to making any other API calls). In such use cases, you can still use either the builder pattern approach or the single-argument convenience constructor.

Parameters:

token - The token to use for accessing Vault

Returns:

This object, with token populated, ready for additional builder-pattern method calls or else finalization with the build() method

sslPemUTF8

public VaultConfig sslPemUTF8(java.lang.String sslPemUTF8)

An X.509 certificate, to use when communicating with Vault over HTTPS. This method accepts a string containing the certificate data. This string should meet the following requirements:

• Contain an unencrypted X.509 certificate, in PEM format.
• Use UTF-8 encoding.
• Contain a line-break between the certificate header (e.g. "-----BEGIN CERTIFICATE-----") and the rest of the certificate content. It doesn't matter whether or not there are additional line breaks within the certificate content, or whether there is a line break before the certificate footer (e.g. "-----END CERTIFICATE-----"). But the Java standard library will fail to properly process the certificate without a break following the header (see http://www.doublecloud.org/2014/03/reading-x-509-certificate-in-java-how-to-handle-format-issue/).

If no certificate data is provided, either by this method or sslPemFile() or sslPemResource(), then VaultConfig will look to the VAULT_SSL_CERT environment variable.

Parameters:

sslPemUTF8 - An X.509 certificate, in unencrypted PEM format with UTF-8 encoding.

Returns:

This object, with sslPemUTF8 populated, ready for additional builder-pattern method calls or else finalization with the build() method

sslPemFile

public VaultConfig sslPemFile(java.io.File sslPemFile)
                       throws VaultException

An X.509 certificate, to use when communicating with Vault over HTTPS. This method accepts the path of a file containing the certificate data. This file's contents should meet the following requirements:

• Contain an unencrypted X.509 certificate, in PEM format.
• Use UTF-8 encoding.
• Contain a line-break between the certificate header (e.g. "-----BEGIN CERTIFICATE-----") and the rest of the certificate content. It doesn't matter whether or not there are additional line breaks within the certificate content, or whether there is a line break before the certificate footer (e.g. "-----END CERTIFICATE-----"). But the Java standard library will fail to properly process the certificate without a break following the header (see http://www.doublecloud.org/2014/03/reading-x-509-certificate-in-java-how-to-handle-format-issue/).

If no certificate data is provided, either by this method or sslPemResource() or sslPemUTF8(), then VaultConfig will look to the VAULT_SSL_CERT environment variable.

Parameters:

sslPemFile - The path of a file containing an X.509 certificate, in unencrypted PEM format with UTF-8 encoding.

Returns:

This object, with sslPemFile populated, ready for additional builder-pattern method calls or else finalization with the build() method

Throws:

VaultException - If any error occurs while loading and parsing the PEM file

sslPemResource

public VaultConfig sslPemResource(java.lang.String classpathResource)
                           throws VaultException

An X.509 certificate, to use when communicating with Vault over HTTPS. This method accepts the path of a classpath resource containing the certificate data (e.g. you've bundled the cert into your library or application's JAR/WAR/EAR file). This resource's contents should meet the following requirements:

• Contain an unencrypted X.509 certificate, in PEM format.
• Use UTF-8 encoding.
• Contain a line-break between the certificate header (e.g. "-----BEGIN CERTIFICATE-----") and the rest of the certificate content. It doesn't matter whether or not there are additional line breaks within the certificate content, or whether there is a line break before the certificate footer (e.g. "-----END CERTIFICATE-----"). But the Java standard library will fail to properly process the certificate without a break following the header (see http://www.doublecloud.org/2014/03/reading-x-509-certificate-in-java-how-to-handle-format-issue/).

If no certificate data is provided, either by this method or sslPemFile() or sslPemUTF8(), then VaultConfig will look to the VAULT_SSL_CERT environment variable.

Parameters:

classpathResource - The path of a classpath resource containing an X.509 certificate, in unencrypted PEM format with UTF-8 encoding.

Returns:

This object, with sslPemResource populated, ready for additional builder-pattern method calls or else finalization with the build() method

Throws:

VaultException - If any error occurs while loading and parsing the PEM file

sslVerify

public VaultConfig sslVerify(java.lang.Boolean sslVerify)

Whether or not HTTPS connections to the Vault server should verify that a valid SSL certificate is being used. Unless this is set to false, the default behavior is to always verify SSL certificates.

SSL CERTIFICATE VERIFICATION SHOULD NOT BE DISABLED IN PRODUCTION! This feature is made available to facilitate development or testing environments, where you might be using a self-signed cert that will not pass verification. However, even if you are using a self-signed cert on your Vault server, you can still leave SSL verification enabled and have your application supply the cert using sslPemFile(), sslPemResource(), or sslPemUTF8().

If no sslVerify is explicitly set, either by this method in a builder pattern approach or else by one of the convenience constructors, then VaultConfig will look to the VAULT_SSL_VERIFY environment variable.

Parameters:

sslVerify - Whether or not to verify the SSL certificate used by Vault with HTTPS connections. Default is true.

Returns:

This object, with sslVerify populated, ready for additional builder-pattern method calls or else finalization with the build() method

openTimeout

public VaultConfig openTimeout(java.lang.Integer openTimeout)

The number of seconds to wait before giving up on establishing an HTTP(S) connection to the Vault server.

If no openTimeout is explicitly set, either by this method in a builder pattern approach or else by one of the convenience constructors, then VaultConfig will look to the VAULT_OPEN_TIMEOUT environment variable.

Parameters:

openTimeout - Number of seconds to wait for an HTTP(S) connection to successfully establish

Returns:

This object, with openTimeout populated, ready for additional builder-pattern method calls or else finalization with the build() method

readTimeout

public VaultConfig readTimeout(java.lang.Integer readTimeout)

After an HTTP(S) connection has already been established, this is the number of seconds to wait for all data to finish downloading.

If no readTimeout is explicitly set, either by this method in a builder pattern approach or else by one of the convenience constructors, then VaultConfig will look to the VAULT_READ_TIMEOUT environment variable.

Parameters:

readTimeout - Number of seconds to wait for all data to be retrieved from an established HTTP(S) connection

Returns:

This object, with readTimeout populated, ready for additional builder-pattern method calls or else finalization with the build() method

setMaxRetries

protected void setMaxRetries(int maxRetries)

Sets the maximum number of times that an API operation will retry upon failure.

This method is not meant to be called from application-level code outside of this package (hence the protected access level. It is meant to be invoked via Vault.withRetries() in a builder pattern DSL-style.

Parameters:

maxRetries - The number of times that API operations will be retried when a failure occurs.

setRetryIntervalMilliseconds

protected void setRetryIntervalMilliseconds(int retryIntervalMilliseconds)

Sets the period of time (in milliseconds) that the driver will wait in between retry attempts for a failing API operation.

This method is not meant to be called from application-level code outside of this package (hence the protected access level. It is meant to be invoked via Vault.withRetries() in a builder pattern DSL-style.

Parameters:

retryIntervalMilliseconds - The number of milliseconds that the driver will wait in between retries.

build

public VaultConfig build()
                  throws VaultException

This is the terminating method in the builder pattern. The method that validates all of the fields that has been set already, uses environment variables when available to populate any unset fields, and returns a VaultConfig object that is ready for use.

Returns:

This object, with all available config options parsed and loaded

Throws:

VaultException - If the address field was left unset, and there is no VAULT_ADDR environment variable value with which to populate it.

getAddress

public java.lang.String getAddress()

getToken

public java.lang.String getToken()

getSslPemUTF8

public java.lang.String getSslPemUTF8()

isSslVerify

public java.lang.Boolean isSslVerify()

getOpenTimeout

public java.lang.Integer getOpenTimeout()

getReadTimeout

public java.lang.Integer getReadTimeout()

getMaxRetries

public int getMaxRetries()

getRetryIntervalMilliseconds

public int getRetryIntervalMilliseconds()