Skip to content

KeyVault JCA: lazy-load certificate material and add alias regex filtering#49774

Open
rujche wants to merge 30 commits into
mainfrom
rujche/main/Just-load-configured-certificates-in-azure-security-keyvault-jca
Open

KeyVault JCA: lazy-load certificate material and add alias regex filtering#49774
rujche wants to merge 30 commits into
mainfrom
rujche/main/Just-load-configured-certificates-in-azure-security-keyvault-jca

Conversation

@rujche

@rujche rujche commented Jul 10, 2026

Copy link
Copy Markdown
Member

Description

This PR completes #39487 in azure-security-keyvault-jca and also finalizes the follow-up lazy-loading/thread-safety refinements requested during review.

What changed

  • Added lazy loading in KeyVaultCertificates for certificate, key, and certificate chain by alias.
  • Added alias regex filtering via system property:
    • azure.keyvault.jca.certificate-alias-filter-patterns
    • Include patterns are plain regex entries.
    • Exclude patterns are prefixed with !.
  • Improved concurrent behavior and refresh flow in KeyVaultCertificates:
    • Reduced lock contention during lazy loads.
    • Added retry semantics for transient/null load failures.
    • Preserved alias/cache consistency after refresh and client updates.
  • Updated KeyVaultKeyStore lookup pathing and filter-pattern parsing.
  • Updated module docs and release notes (README.md, CHANGELOG.md).
  • Added/updated unit tests in:
    • KeyVaultKeyStoreUnitTest
    • KeyVaultCertificatesTest

Validation

  • mvn -f sdk/keyvault/azure-security-keyvault-jca/pom.xml -Dtest=KeyVaultKeyStoreUnitTest,com.azure.security.keyvault.jca.implementation.certificates.KeyVaultCertificatesTest test

Notes

  • This PR updates the unreleased filter property naming to azure.keyvault.jca.certificate-alias-filter-patterns for clearer semantics.

All SDK Contribution checklist:

  • The pull request does not introduce [breaking changes]
  • CHANGELOG is updated for new features, bug fixes or other significant changes.
  • I have read the contribution guidelines.

General Guidelines and Best Practices

  • Title of the pull request is clear and informative.
  • There are a small number of commits, each of which have an informative message. This means that previously merged commits do not appear in the history of the PR. For more information on cleaning up the commits in your PR, see this page.

Testing Guidelines

  • Pull request includes test coverage for the included changes.

Copilot AI review requested due to automatic review settings July 10, 2026 01:43
@rujche rujche requested review from a team as code owners July 10, 2026 01:43
@rujche rujche self-assigned this Jul 10, 2026
@rujche rujche added azure-spring All azure-spring related issues azure-spring-jca labels Jul 10, 2026
@rujche rujche moved this to In Progress in Spring Cloud Azure Jul 10, 2026
@rujche rujche added this to the 2026-08 milestone Jul 10, 2026
@rujche rujche requested a review from moarychan July 10, 2026 01:46

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR enhances azure-security-keyvault-jca to reduce unnecessary Key Vault reads by (1) allowing users to configure a subset of certificate aliases to consider and (2) lazily loading certificate details only when a specific alias is requested—addressing the scenario described in #39487 (iterating/fetching all aliases when only one is configured).

Changes:

  • Added azure.keyvault.jca.certificates system property support to filter Key Vault certificate aliases to a configured subset.
  • Implemented lazy loading of Key Vault certificate key/certificate/chain data per alias (instead of eagerly loading all details on refresh).
  • Updated tests and documentation (README + CHANGELOG) to cover and describe the new behavior.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java Wires configured alias filtering into keystore initialization and routes Key Vault lookups through lazy-loading accessors.
sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/implementation/certificates/KeyVaultCertificates.java Implements configured-alias filtering and lazy loading of certificate details per alias.
sdk/keyvault/azure-security-keyvault-jca/src/test/java/com/azure/security/keyvault/jca/KeyVaultKeyStoreUnitTest.java Adds unit coverage for parsing configured aliases and verifying they are passed into KeyVaultCertificates.
sdk/keyvault/azure-security-keyvault-jca/src/test/java/com/azure/security/keyvault/jca/implementation/certificates/KeyVaultCertificatesTest.java Adds unit coverage ensuring alias listing is not eager and that only requested/configured aliases trigger Key Vault reads.
sdk/keyvault/azure-security-keyvault-jca/README.md Documents the new azure.keyvault.jca.certificates configuration option.
sdk/keyvault/azure-security-keyvault-jca/CHANGELOG.md Records the new filtering + lazy-loading features for the upcoming release.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 6 comments.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.

Comment thread sdk/keyvault/azure-security-keyvault-jca/README.md
@rujche rujche changed the title Add configured certificate filtering and lazy loading in KeyVault JCA KeyVault JCA: lazy-load certificate material and add alias regex filtering Jul 13, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 4 comments.

Comments suppressed due to low confidence (1)

sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java:291

  • With the new lazy Key Vault loading, engineGetCertificate(candidateAlias) can legitimately return null even for aliases returned by getAllAliases() (e.g., transient failure / permission issue). engineGetCertificateAlias currently calls certificate.equals(cert) without a null check, which can throw a NullPointerException during alias lookup.
            certificate = keyVaultCertificates.getCertificate(alias);
        }

        return certificate;
    }

Comment thread sdk/keyvault/azure-security-keyvault-jca/README.md Outdated

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.

Comments suppressed due to low confidence (1)

sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/implementation/certificates/KeyVaultCertificates.java:300

  • The inline comment says this outer check avoids acquiring the lock, but certificatesNeedRefresh() is synchronized and always acquires the instance monitor. This is misleading when reasoning about contention; either adjust the comment or change the locking strategy.
    private void refreshCertificatesIfNeeded() {
        if (certificatesNeedRefresh()) { // Avoid acquiring the lock as much as possible.
            synchronized (this) {
                if (certificatesNeedRefresh()) { // After obtaining the lock, avoid doing too many operations.
                    refreshCertificates();
                }

Comment on lines +136 to +141
private Pattern compileRegexPattern(String regexPattern) {
try {
return Pattern.compile(regexPattern);
} catch (PatternSyntaxException exception) {
throw new IllegalArgumentException("Invalid certificate filter regex pattern: " + regexPattern, exception);
}
Comment on lines 93 to +97
this.refreshInterval = refreshInterval;
this.certificateFilterPatterns
= new HashSet<>(Optional.ofNullable(certificateFilterPatterns).orElse(Collections.emptySet()));
this.includeAliasPatterns = getAliasPatterns(this.certificateFilterPatterns, false);
this.excludeAliasPatterns = getAliasPatterns(this.certificateFilterPatterns, true);
Comment on lines +107 to +115
public KeyVaultCertificates(long refreshInterval, KeyVaultClient keyVaultClient,
Set<String> certificateFilterPatterns) {
this.refreshInterval = refreshInterval;
setKeyVaultClient(keyVaultClient);
this.certificateFilterPatterns
= new HashSet<>(Optional.ofNullable(certificateFilterPatterns).orElse(Collections.emptySet()));
this.includeAliasPatterns = getAliasPatterns(this.certificateFilterPatterns, false);
this.excludeAliasPatterns = getAliasPatterns(this.certificateFilterPatterns, true);
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

azure-spring All azure-spring related issues azure-spring-jca KeyVault

Projects

Status: Untriaged
Status: In Progress

Development

Successfully merging this pull request may close these issues.

3 participants