Add configured certificate filtering and lazy loading in KeyVault JCA#49774
Add configured certificate filtering and lazy loading in KeyVault JCA#49774rujche wants to merge 20 commits into
Conversation
There was a problem hiding this comment.
Pull request overview
This PR enhances azure-security-keyvault-jca to reduce unnecessary Key Vault reads by (1) allowing users to configure a subset of certificate aliases to consider and (2) lazily loading certificate details only when a specific alias is requested—addressing the scenario described in #39487 (iterating/fetching all aliases when only one is configured).
Changes:
- Added
azure.keyvault.jca.certificatessystem property support to filter Key Vault certificate aliases to a configured subset. - Implemented lazy loading of Key Vault certificate key/certificate/chain data per alias (instead of eagerly loading all details on refresh).
- Updated tests and documentation (README + CHANGELOG) to cover and describe the new behavior.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java | Wires configured alias filtering into keystore initialization and routes Key Vault lookups through lazy-loading accessors. |
| sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/implementation/certificates/KeyVaultCertificates.java | Implements configured-alias filtering and lazy loading of certificate details per alias. |
| sdk/keyvault/azure-security-keyvault-jca/src/test/java/com/azure/security/keyvault/jca/KeyVaultKeyStoreUnitTest.java | Adds unit coverage for parsing configured aliases and verifying they are passed into KeyVaultCertificates. |
| sdk/keyvault/azure-security-keyvault-jca/src/test/java/com/azure/security/keyvault/jca/implementation/certificates/KeyVaultCertificatesTest.java | Adds unit coverage ensuring alias listing is not eager and that only requested/configured aliases trigger Key Vault reads. |
| sdk/keyvault/azure-security-keyvault-jca/README.md | Documents the new azure.keyvault.jca.certificates configuration option. |
| sdk/keyvault/azure-security-keyvault-jca/CHANGELOG.md | Records the new filtering + lazy-loading features for the upcoming release. |
| private void loadCertificateIfNeeded(String alias) { | ||
| refreshCertificatesIfNeeded(); | ||
| KeyVaultClient currentKeyVaultClient = getKeyVaultClient(); | ||
|
|
||
| if (alias == null || currentKeyVaultClient == null) { |
| private void loadCertificateChainIfNeeded(String alias) { | ||
| refreshCertificatesIfNeeded(); | ||
| KeyVaultClient currentKeyVaultClient = getKeyVaultClient(); | ||
|
|
||
| if (alias == null || currentKeyVaultClient == null) { |
| private void loadCertificateKeyIfNeeded(String alias) { | ||
| refreshCertificatesIfNeeded(); | ||
| KeyVaultClient currentKeyVaultClient = getKeyVaultClient(); | ||
|
|
||
| if (alias == null || currentKeyVaultClient == null) { | ||
| return; | ||
| } | ||
|
|
||
| synchronized (this) { | ||
| if (loadedCertificateKeyAliases.contains(alias) | ||
| || !Optional.ofNullable(aliases).orElse(Collections.emptyList()).contains(alias)) { | ||
| return; | ||
| } | ||
|
|
||
| try { | ||
| Key loadedKey = currentKeyVaultClient.getKey(alias, null); | ||
| if (loadedKey != null) { | ||
| certificateKeys.put(alias, loadedKey); | ||
| loadedCertificateKeyAliases.add(alias); | ||
| } | ||
| } catch (RuntimeException exception) { | ||
| LOGGER.log(WARNING, exception, () -> "Failed to load certificate key for alias: " + alias); | ||
| } | ||
| } | ||
| } |
| @@ -141,6 +141,7 @@ The JCA library supports configuring the following options: | |||
| * `azure.keyvault.jca.refresh-certificates-when-have-un-trust-certificate`: Indicates whether to refresh certificates when have untrusted certificate. | |||
| * `azure.keyvault.jca.certificates-refresh-interval`: The refresh interval time. | |||
| * `azure.keyvault.jca.certificates-refresh-interval-in-ms`: The refresh interval time. | |||
There was a problem hiding this comment.
Assuming the KV contains many certificates, I want to support the following filtering logic:
-
Forward filtering: Users can select aliases from a list of names or regular expressions. Without configuration, all aliases are read by default.
-
Reverse filtering: Exclusion by name or regular expression. Without configuration, no exclusions are allowed by default.
Description
All SDK Contribution checklist:
General Guidelines and Best Practices
Testing Guidelines