Secret provider


2.3.0 

Changes

  • All:
    • Security: Write maven Descriptors on packaging to avoid incorrect dependencies being identified by security scanner tools. (Fixes CVE-2023-1370).
    • Security: Add dependency checking as part of build process.
  • AES256 Provider:
    • Security: Change AES256 key to PASSWORD type to avoid logging secrets.
  • AWS Secrets Manager Provider:
    • New property : file.write
      Writes secrets to file on path. Required for Java trust stores, key stores, certs that need to be loaded from file. For ease of use for the secret provider, this is disabled by default.
    • New property : secret.default.ttl
      If no TTL is configured in AWS Secrets Manager, apply a default TTL (in milliseconds).
    • New property : aws.endpoint.override
      Add override for non-standard or compatible AWS endpoints.
    • Enhancement : Ensuring secrets are cached within their TTL (same as Vault).
    • Enhancement : Upgraded dependencies to use AWS V2 Client.
    • Enhancement : Added AWS STS dependency to avoid requirement of additional libraries for default authentication (eg. EKS).
    • Security: Don’t expose secret value in exception message on JsonParseException.
    • New property : secret.type
      Specify the type of secrets stored in Secret Manager. Defaults to JSON, to enable String secret values change to STRING.
    • Bugfix: enable accessKey and secretKey to remain blank if using DEFAULT auth mode.
  • Azure Secret Provider:
    • Bugfix: Recompute TTL values on each get so timestamp of reschedule shrinks until TTL is reached.
    • Bugfix: Fix so that UTF-8 encodings in Azure are correctly mapped to the UTF8 encoding in the secret provider.
  • Hashicorp Vault Provider:
    • Bugfix: Files will be written to the correct directory.
    • New property: app.role.path
      Support vault approle custom mount path.
    • New property: kubernetes.auth.path
      Support vault custom auth path (with default value to be auth/kubernetes).
    • Security: vault-java-driver was no longer maintained, switched to use a community fork io.github.jopenlibs
    • Add support for the Vault Database credential engine

2.2.0 

Changes

  • Vault Secret Provider:
    • New property : file.write
      Writes secrets to file on path. Required for Java trust stores, key stores, certs that need to be loaded from file. For ease of use for the secret provider, this is disabled by default.
    • New property : secret.default.ttl
      If no TTL is configured in Vault, apply a default TTL (in milliseconds).
--
Last modified: February 26, 2024