What is a key loader?
Key loaders are a mechanism to load private keys and certificates from outside the repository.
This is only available in versions 1.3.2-1276 and later.
A key loader is a Java class that implements the KeyLoader interface:
The KeyManager(s) and TrustManager(s) returned by the key loader will be added to all projects, in addition to any keys and certificates those projects already define in the repository.
The key loader will also be invoked every time the repository is published.
A key loader can be compiled against the Gallium Data Java library, the same library that is used for Java filters.
The Java class will need to use the following libraries (here in Maven form):
Note that the exact version will depend on which version of Gallium Data you are using.
In addition, you'll need to add the following:
This will allow Maven to find the galliumdata:galliumdata-filter-library jar.
A key loader is installed by making its Java class(es) available to Gallium Data, usually in the form of a jar file in the /galliumdata/jars/ directory of the Docker image, or by making the jar available from a Maven repository and adding it to the repository.
Once the classes are available to Gallium Data, the key loader is enabled by setting the environment variable GALLIUM_KEY_LOADER to the fully qualified name of the key loader class. When starting Gallium Data from the command line, this might look something like:
If the specified class cannot be found, or if anything goes wrong while the key loader runs, Gallium Data will still continue its startup sequence, but will log an error message describing the problem.
Here is a simple key loader that reads a private key and its certificate, and a CA certificate from PEM files.
Your implementation might differ quite a bit. You might for instance retrieve a private key from Kubernetes, or AWS Secrets Manager, or any other solution.
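As an added illustration (not the page's own key loader and not Gallium Data's code), the helper below does the work such a PEM-based loader has to do: it turns a private key and certificate into KeyManagers and a CA certificate into TrustManagers. It assumes unencrypted PKCS#8 private keys and X.509 PEM files; the KeyLoader interface signature is not shown on this page, so the class name PemKeyMaterial and its methods are hypothetical and are not wired to that interface.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import java.util.UUID;
import javax.net.ssl.*;
// Hypothetical helper: not the KeyLoader interface itself, whose signature is not shown on the page.
public final class PemKeyMaterial {
    // Decode an unencrypted PKCS#8 "PRIVATE KEY" block; encrypted keys would need a different parser.
    static PrivateKey readPkcs8PrivateKey(Path pemFile) throws Exception {
        String body = Files.readString(pemFile)
            .replace("-----BEGIN PRIVATE KEY-----", "")
            .replace("-----END PRIVATE KEY-----", "")
            .replaceAll("\\s", "");
        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(Base64.getDecoder().decode(body));
        try {                     // KeyFactory needs the algorithm up front: try RSA, then EC
            return KeyFactory.getInstance("RSA").generatePrivate(spec);
        } catch (InvalidKeySpecException e) {
            return KeyFactory.getInstance("EC").generatePrivate(spec);
        }
    }
    // Read one or more X.509 certificates from a PEM file (a chain or a CA bundle works too).
    static Certificate[] readCertificates(Path pemFile) throws Exception {
        try (var in = Files.newInputStream(pemFile)) {
            return CertificateFactory.getInstance("X.509").generateCertificates(in).toArray(new Certificate[0]);
        }
    }
    // KeyManagers presenting the private key together with its certificate chain.
    static KeyManager[] keyManagers(Path keyPem, Path certPem) throws Exception {
        char[] pw = UUID.randomUUID().toString().toCharArray(); // protects an in-memory keystore only
        KeyStore ks = KeyStore.getInstance("PKCS12"); ks.load(null, null);
        ks.setKeyEntry("server", readPkcs8PrivateKey(keyPem), pw, readCertificates(certPem));
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pw);
        return kmf.getKeyManagers();
    }
    // TrustManagers trusting only the given CA certificate(s), not the JVM's default truststore.
    static TrustManager[] trustManagers(Path caPem) throws Exception {
        KeyStore ts = KeyStore.getInstance("PKCS12"); ts.load(null, null);
        for (Certificate ca : readCertificates(caPem)) ts.setCertificateEntry("ca" + ts.size(), ca);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        return tmf.getTrustManagers();
    }
}
```

Because the trust store is built only from the CA file, a connection presenting a certificate from any other issuer will be rejected, which is usually what you want when the CA is private.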