package io.quarkus.vertx.http.runtime;
import java.nio.file.Path;
import java.time.Duration;
import java.util.List;
import java.util.Optional;
import org.eclipse.microprofile.config.spi.ConfigSource;
import io.quarkus.credentials.CredentialsProvider;
import io.quarkus.runtime.annotations.ConfigGroup;
import io.quarkus.runtime.annotations.ConfigItem;
import io.quarkus.runtime.annotations.ConvertWith;
import io.quarkus.runtime.configuration.TrimmedStringConverter;
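/**
 * A certificate configuration.
 * Provide either the certificate and key files (PEM) or a keystore; a trust store may be
 * configured independently.
 *
 * <p>
 * The password-bearing fields ({@link #keyStorePassword}, {@link #keyStoreAliasPassword},
 * {@link #trustStorePassword} and their deprecated aliases) hold secrets. Each of them can
 * instead be resolved from a {@linkplain CredentialsProvider} through the matching {@code *Key}
 * property, which keeps the secret out of the static configuration.
 */
@ConfigGroup
public class CertificateConfig {

    /**
     * The {@linkplain CredentialsProvider}.
     * If this property is configured, then a matching 'CredentialsProvider' will be used
     * to get the keystore, keystore key, and truststore passwords unless these passwords have already been configured.
     *
     * Please note that using MicroProfile {@linkplain ConfigSource} which is directly supported by Quarkus Configuration
     * should be preferred unless using `CredentialsProvider` provides for some additional security and dynamism.
     */
    @ConfigItem
    @ConvertWith(TrimmedStringConverter.class)
    public Optional<String> credentialsProvider = Optional.empty();

    /**
     * The credentials provider bean name.
     *
     * This is a bean name (as in {@code @Named}) of a bean that implements {@code CredentialsProvider}.
     * It is used to select the credentials provider bean when multiple exist.
     * This is unnecessary when there is only one credentials provider available.
     *
     * For Vault, the credentials provider bean name is {@code vault-credentials-provider}.
     */
    @ConfigItem
    @ConvertWith(TrimmedStringConverter.class)
    public Optional<String> credentialsProviderName = Optional.empty();

    /**
     * The list of paths to server certificates using the PEM format.
     * Specifying multiple files requires SNI to be enabled.
     */
    @ConfigItem
    public Optional<List<Path>> files;

    /**
     * The list of paths to server certificate private key files using the PEM format.
     * Specifying multiple files requires SNI to be enabled.
     *
     * The order of the key files must match the order of the certificates.
     */
    @ConfigItem
    public Optional<List<Path>> keyFiles;

    /**
     * An optional keystore that holds the certificate information instead of specifying separate files.
     */
    @ConfigItem
    public Optional<Path> keyStoreFile;

    /**
     * An optional parameter to specify the type of the keystore file.
     * If not given, the type is automatically detected based on the file name.
     */
    @ConfigItem
    public Optional<String> keyStoreFileType;

    /**
     * An optional parameter to specify a provider of the keystore file.
     * If not given, the provider is automatically detected based on the keystore file type.
     */
    @ConfigItem
    public Optional<String> keyStoreProvider;

    /**
     * A parameter to specify the password of the keystore file.
     * If not given, and if it can not be retrieved from {@linkplain CredentialsProvider},
     * the documented default value ({@code password}) applies.
     *
     * The documented default is a placeholder suitable for development keystores only; a
     * production deployment should set this property explicitly or supply it through
     * {@link #keyStorePasswordKey}.
     *
     * @see #credentialsProvider
     * @see #keyStorePasswordKey
     */
    @ConfigItem(defaultValueDocumentation = "password")
    public Optional<String> keyStorePassword;

    /**
     * A parameter to specify a {@linkplain CredentialsProvider} property key,
     * which can be used to get the password of the key
     * store file from {@linkplain CredentialsProvider}.
     *
     * @see #credentialsProvider
     */
    @ConfigItem
    public Optional<String> keyStorePasswordKey;

    /**
     * An optional parameter to select a specific key in the keystore.
     * When SNI is disabled, and the keystore contains multiple
     * keys and no alias is specified; the behavior is undefined.
     *
     * @deprecated Use {@link #keyStoreAlias} instead.
     */
    @ConfigItem
    @Deprecated
    public Optional<String> keyStoreKeyAlias;

    /**
     * An optional parameter to select a specific key in the keystore.
     * When SNI is disabled, and the keystore contains multiple
     * keys and no alias is specified; the behavior is undefined.
     */
    @ConfigItem
    public Optional<String> keyStoreAlias;

    /**
     * An optional parameter to define the password for the key,
     * in case it is different from {@link #keyStorePassword}.
     * If not given, it might be retrieved from {@linkplain CredentialsProvider}.
     *
     * @see #credentialsProvider
     * @deprecated Use {@link #keyStoreAliasPassword} instead.
     */
    @ConfigItem
    @Deprecated
    public Optional<String> keyStoreKeyPassword;

    /**
     * An optional parameter to define the password for the key,
     * in case it is different from {@link #keyStorePassword}.
     * If not given, it might be retrieved from {@linkplain CredentialsProvider}.
     *
     * @see #credentialsProvider
     * @see #keyStoreAliasPasswordKey
     */
    @ConfigItem
    public Optional<String> keyStoreAliasPassword;

    /**
     * A parameter to specify a {@linkplain CredentialsProvider} property key,
     * which can be used to get the password for the alias from {@linkplain CredentialsProvider}.
     *
     * @see #credentialsProvider
     * @deprecated Use {@link #keyStoreAliasPasswordKey} instead.
     */
    @ConfigItem
    @Deprecated
    public Optional<String> keyStoreKeyPasswordKey;

    /**
     * A parameter to specify a {@linkplain CredentialsProvider} property key,
     * which can be used to get the password for the alias from {@linkplain CredentialsProvider}.
     *
     * @see #credentialsProvider
     */
    @ConfigItem
    public Optional<String> keyStoreAliasPasswordKey;

    /**
     * An optional trust store that holds the certificate information of the trusted certificates.
     */
    @ConfigItem
    public Optional<Path> trustStoreFile;

    /**
     * An optional list of trusted certificates using the PEM format.
     * If you pass multiple files, you must use the PEM format.
     */
    @ConfigItem
    public Optional<List<Path>> trustStoreFiles;

    /**
     * An optional parameter to specify the type of the trust store file.
     * If not given, the type is automatically detected based on the file name.
     */
    @ConfigItem
    public Optional<String> trustStoreFileType;

    /**
     * An optional parameter to specify a provider of the trust store file.
     * If not given, the provider is automatically detected based on the trust store file type.
     */
    @ConfigItem
    public Optional<String> trustStoreProvider;

    /**
     * A parameter to specify the password of the trust store file.
     * If not given, it might be retrieved from {@linkplain CredentialsProvider}.
     *
     * @see #credentialsProvider
     * @see #trustStorePasswordKey
     */
    @ConfigItem
    public Optional<String> trustStorePassword;

    /**
     * A parameter to specify a {@linkplain CredentialsProvider} property key,
     * which can be used to get the password of the trust store file from {@linkplain CredentialsProvider}.
     *
     * @see #credentialsProvider
     */
    @ConfigItem
    public Optional<String> trustStorePasswordKey;

    /**
     * An optional parameter to trust a single certificate from the trust store rather than trusting all certificates in the
     * store.
     */
    @ConfigItem
    public Optional<String> trustStoreCertAlias;

    /**
     * When set, the configured certificate will be reloaded after the given period.
     * Note that the certificate will be reloaded only if the file has been modified.
     *
     * Also, the update can only occur when the TLS certificate is configured using paths (and not in-memory).
     *
     * The reload period must be equal to or greater than 30 seconds. If not set, the certificate will not be reloaded.
     *
     * IMPORTANT: It's recommended to use the TLS registry to handle the certificate reloading.
     */
    @ConfigItem
    public Optional<Duration> reloadPeriod;
}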