Package com.maybeitssquid.rotatingsecrets

Class CredentialsProviderService

java.lang.Object
com.maybeitssquid.rotatingsecrets.CredentialsProviderService
@Service("credentialsProvider") public class CredentialsProviderService extends Object
Service that reads database credentials from Kubernetes-mounted secret files and notifies registered UpdatableCredential components when credentials change.

This service implements the credential rotation pattern for Kubernetes environments. It periodically reads username and password from files in a configurable directory (typically mounted by a secrets manager like HashiCorp Vault, OpenBao, or the External Secrets Operator). When credentials change, all registered connection pools are notified to update their credentials.

File Structure

The service expects the following files in the secrets directory:

  • username - Contains the database username
  • password - Contains the database password

Configuration Properties

  • k8s.secrets.path - Base directory for secret files (default: /var/run/secrets/database)
  • k8s.secrets.refreshInterval - Interval in milliseconds between credential checks (default: 30000)

Thread Safety

This service is thread-safe. Credential reads and updates are performed atomically, and the list of updatable components is safely managed.

See Also:

  • Field Details

    • usernamePath

      protected final Path usernamePath
      Path to the file containing the database username.

    • passwordPath

      protected final Path passwordPath
      Path to the file containing the database password.

  • Constructor Details

    • CredentialsProviderService

      public CredentialsProviderService(@Value("${k8s.secrets.path:/var/run/secrets/database}") String secretsPath)
      Creates a new credentials provider reading from the specified secrets path.

      The provider will look for username and password files within the specified directory.

      Parameters:
      secretsPath - base path where Kubernetes mounts the secret files; defaults to /var/run/secrets/database

  • Method Details

    • validateSecretFilePermissions

      @PostConstruct public void validateSecretFilePermissions()
      Validates file permissions on startup to warn about insecure configurations.

      This method checks if secret files are world-readable and logs a security warning if they are. On non-POSIX filesystems, this check is skipped.

    • refreshCredentials

      @Scheduled(fixedDelayString="${k8s.secrets.refreshInterval:30000}") public void refreshCredentials()
      Scheduled task that periodically checks for credential changes.

      This method reads the current credentials from the mounted secret files and compares them with the cached values. If either the username or password has changed, it updates the cache and notifies all registered UpdatableCredential components.

      The refresh interval is controlled by the k8s.secrets.refreshInterval property (default: 30000ms).

    • setHikariUpdatable

      @Autowired @Qualifier("hikariUpdater") public void setHikariUpdatable(UpdatableCredential<String> updatable)
      Registers the HikariCP credentials updater to receive credential change notifications.
      Parameters:
      updatable - the HikariCP credentials updater bean

    • setUcpUpdatable

      @Autowired @Qualifier("ucpUpdater") public void setUcpUpdatable(UpdatableCredential<String> updatable)
      Registers the Oracle UCP credentials updater to receive credential change notifications.
      Parameters:
      updatable - the Oracle UCP credentials updater bean

    • updateCredentials

      public void updateCredentials()
      Notifies all registered UpdatableCredential components of the current credentials.

      This method iterates through all registered updatable components and calls UpdatableCredential.setCredential(String, Object) with the current username and password. Each component is responsible for its own thread-safe credential update logic.