confluent-hub install confluentinc/kafka-config-provider-vault:latest
This plugin provides integration with Hashicorp Vault.
This config provider is used to retrieve secrets from the Hashicorp Vault.
retry.count
The number of attempts to retrieve a secret from the upstream secret store.
- Type: INT
- Default: 3
- Valid Values:
- Importance: LOW
retry.interval.seconds
The amount of time in seconds to wait between each attempt to retrieve a secret form the upstream secret store.
- Type: LONG
- Default: 10
- Valid Values:
- Importance: LOW
thread.count
The number of threads to use when retrieving secrets and executing subscription callbacks.
- Type: INT
- Default: 3
- Valid Values:
- Importance: LOW
timeout.seconds
The amount of time in seconds to wait before timing out a call to retrieve a secret from the upstream secret store. The total timeout of get(path)
and get(path, keys)
will be retry.count * timeout.seconds
. For example if timeout.seconds = 30
and retry.count = 3
then get(path)
and get(path, keys)
will block for 90 seconds.
- Type: LONG
- Default: 30
- Valid Values:
- Importance: LOW
vault.namespace
Sets a global namespace to the Vault server instance, if desired.
- Type: STRING
- Default:
- Valid Values:
- Importance: LOW
polling.enabled
Determines if the config provider supports polling the upstream secret stores for changes. If disabled the methods subscribe
, unsubscribe
, and unsubscribeAll
will throw a UnsupportedOperationException.
- Type: BOOLEAN
- Default: true
- Valid Values:
- Importance: MEDIUM
polling.interval.seconds
The number of seconds to wait between polling intervals.
- Type: LONG
- Default: 300
- Valid Values:
- Importance: MEDIUM
vault.address
Sets the address (URL) of the Vault server instance to which API calls should be sent. If no address is explicitly set, the object will look to the VAULT_ADDR
If you do not supply it explicitly AND no environment variable value is found, then initialization may fail.
- Type: STRING
- Default:
- Valid Values:
- Importance: HIGH
vault.auth.method
The login method to use. AppRole
- Authentication via the ldap <https://www.vaultproject.io/docs/auth/token>
. endpoint., Certificate
- Authentication via the ldap <https://www.vaultproject.io/docs/auth/token>
. endpoint., LDAP
- Authentication via the ldap <https://www.vaultproject.io/docs/auth/token>
. endpoint., Token
- Authentication via the token <https://www.vaultproject.io/docs/auth/token>
. endpoint., UserPass
- Authentication via the ldap <https://www.vaultproject.io/docs/auth/token>
_. endpoint.
- Type: STRING
- Default: Token
- Valid Values: Matches:
Token, LDAP, UserPass, Certificate, AppRole
- Importance: HIGH
vault.auth.mount
Location of the mount to use for authentication.
- Type: STRING
- Default:
- Valid Values:
- Importance: HIGH
vault.auth.password
The password to authenticate with.
- Type: PASSWORD
- Default: [hidden]
- Valid Values:
- Importance: HIGH
vault.auth.role
The role to use for authentication.
- Type: STRING
- Default:
- Valid Values:
- Importance: HIGH
vault.auth.secret
The secret to use for authentication.
- Type: PASSWORD
- Default: [hidden]
- Valid Values:
- Importance: HIGH
vault.auth.token
Sets the token used to access Vault. If no token is explicitly set then the VAULT_TOKEN
environment variable will be used.
- Type: PASSWORD
- Default: [hidden]
- Valid Values:
- Importance: HIGH
vault.auth.username
The username to authenticate with.
- Type: STRING
- Default:
- Valid Values:
- Importance: HIGH
vault.url.logging.enabled
Flag to copy java.util.logging messages for "sun.net.www.protocol.http.HttpURLConnection" to the providers logger. Warning this will log all of the traffic for ANY Vault client that is in the current JVM. This could also receive any log message for other code that uses java.net.UrlConnection.
- Type: BOOLEAN
- Default: false
- Valid Values:
- Importance: LOW
vault.prefixpath
Path prefix for the secrets.
- Type: STRING
- Default:
- Valid Values:
- Importance: MEDIUM
vault.secrets.version
The secrets engine version (1 or 2) to use.
- Type: INT
- Default: 2
- Valid Values:
- Importance: MEDIUM
vault.ssl.verify.enabled
Flag to determine if the configProvider should verify the SSL Certificate of the Vault server. Outside of development this should never be enabled.
- Type: BOOLEAN
- Default: true
- Valid Values:
- Importance: HIGH
The following example uses a ldap username and password to authenticate to vault.
config.providers=vault
config.providers.vault.class=io.confluent.csid.config.provider.vault.VaultConfigProvider
config.providers.vault.param.vault.token=sdifgnabdifgasbffvasdfasdfadf
config.providers.vault.param.vault.address=https://vault.example.com
config.providers.vault.param.vault.login.by=LDAP
The following example uses a token to authenticate to vault.
config.providers=vault
config.providers.vault.class=io.confluent.csid.config.provider.vault.VaultConfigProvider
config.providers.vault.param.vault.token=sdifgnabdifgasbffvasdfasdfadf
config.providers.vault.param.vault.address=https://vault.example.com
config.providers.vault.param.vault.login.by=Token