Azure / azure-sdk-for-java

This repository is for active development of the Azure SDK for Java. For consumers of the SDK we recommend visiting our public developer docs at https://docs.microsoft.com/java/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-java.
MIT License

[FEATURE REQ] [REOPENED] TLS support in Spring Boot with Azure Key Vault Certificates #39709

Open gzmrst-sr opened 5 months ago

gzmrst-sr commented 5 months ago

Is your feature request related to a problem? Please describe.

This is a reopening of issue #28243. Feature text copied from the previous issue:

Spring web applications can be either an HTTP client or an HTTP server. If an application wants to secure the HTTP communication via TLS and the certificates are stored in Azure Key Vault, spring-cloud-azure-starter-keyvault-certificates should support it.

If one-way TLS is used:
    In the case of an HTTP server, users shall be able to configure the server's certificates in Azure Key Vault.
    In the case of an HTTP client, users shall be able to validate the server's certificates stored in Azure Key Vault.
If two-way TLS is used:
    In the case of an HTTP server:
        Users shall be able to configure the server's certificates in Azure Key Vault.
        Users shall be able to validate the client certificates in Azure Key Vault.
    In the case of an HTTP client:
        Users shall be able to configure the client's certificates stored in Azure Key Vault to the server.
        Users shall be able to validate the server's certificates stored in Azure Key Vault.

Given Spring MVC or WebFlux is used, the below scenarios should be supported:

As a web server, users shall be able to use this feature with Spring MVC with Tomcat, Jetty, and Undertow.
As a web server, users shall be able to use this feature with Spring WebFlux with Netty.
As a web client, users shall be able to use this feature with Spring MVC and RestTemplate.
As a web client, users shall be able to use this feature with Spring WebFlux and Web Client.

Additional context

The docs at https://learn.microsoft.com/en-us/azure/developer/java/spring-framework/configure-spring-boot-starter-java-app-with-azure-key-vault-certificates have a note:

Important

Currently, Spring Cloud Azure Certificate starter version 4.x or higher don't support TLS/mTLS, they only auto-configure the Key Vault certificate client. Therefore, if you want to use TLS/mTLS, you cannot migrate to version 4.x.

We are using the following in our pom.xml at the moment to get this support:

        <dependency>
            <groupId>com.azure.spring</groupId>
            <artifactId>azure-spring-boot-starter-keyvault-certificates</artifactId>
            <!-- Stuck on 3.14.0 for now until MS have updated to support TLS in 4.x/5.x -->
            <!-- Docs with note: https://learn.microsoft.com/en-us/azure/developer/java/spring-framework/configure-spring-boot-starter-java-app-with-azure-key-vault-certificates -->
            <!-- Feature request to add support: https://github.com/Azure/azure-sdk-for-java/issues/28243 -->
            <version>3.14.0</version>
        </dependency>

I.e. we cannot upgrade to a new version of the starter. This also means we are stuck with old versions of various libraries that are brought in by the starter, which is not a good situation to be in, especially when dealing with security-related libs.

Information Checklist

Kindly make sure that you have added all the following information above and checked off the required fields; otherwise we will treat the issue as an incomplete report.

github-actions[bot] commented 5 months ago

@chenrujun @moarychan @netyyyy @saragluna

github-actions[bot] commented 5 months ago

Thank you for your feedback. Tagging and routing to the team member best able to assist.

gzmrst-sr commented 5 months ago

@saragluna I hope this issue description answers your question at https://github.com/Azure/azure-sdk-for-java/issues/28243#issuecomment-1973000167

Also related: #32854