parent
79fa6bb3c9
commit
4d2f86202d
18 changed files with 82 additions and 283 deletions
|
@ -1,13 +1,11 @@
|
||||||
package org.keycloak.config;
|
package org.keycloak.config;
|
||||||
|
|
||||||
import java.io.File;
|
import java.io.File;
|
||||||
import java.util.Map;
|
|
||||||
|
|
||||||
public class VaultOptions {
|
public class VaultOptions {
|
||||||
|
|
||||||
public enum Provider {
|
public enum Provider {
|
||||||
file,
|
file;
|
||||||
hashicorp;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public static final Option VAULT = new OptionBuilder<>("vault", Provider.class)
|
public static final Option VAULT = new OptionBuilder<>("vault", Provider.class)
|
||||||
|
@ -21,23 +19,4 @@ public class VaultOptions {
|
||||||
.description("If set, secrets can be obtained by reading the content of files within the given directory.")
|
.description("If set, secrets can be obtained by reading the content of files within the given directory.")
|
||||||
.build();
|
.build();
|
||||||
|
|
||||||
public static final Option VAULT_UNMAPPED = new OptionBuilder<>("vault-", String.class)
|
|
||||||
.category(OptionCategory.VAULT)
|
|
||||||
.description("Maps any vault option to their corresponding properties in quarkus-vault extension.")
|
|
||||||
.hidden()
|
|
||||||
.buildTime(true)
|
|
||||||
.build();
|
|
||||||
|
|
||||||
public static final Option VAULT_URL = new OptionBuilder<>("vault-url", String.class)
|
|
||||||
.category(OptionCategory.VAULT)
|
|
||||||
.description("The vault server url.")
|
|
||||||
.hidden()
|
|
||||||
.buildTime(true)
|
|
||||||
.build();
|
|
||||||
|
|
||||||
public static final Option VAULT_KV_PATHS = new OptionBuilder("vault-kv-paths", Map.class, String.class)
|
|
||||||
.category(OptionCategory.VAULT)
|
|
||||||
.description("A set of one or more key/value paths that should be used when looking up secrets.")
|
|
||||||
.hidden()
|
|
||||||
.build();
|
|
||||||
}
|
}
|
||||||
|
|
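Review bot: Removing `hashicorp` from `Provider`, along with the hidden `vault-`, `vault-url` and `vault-kv-paths` options in the second hunk, leaves `file` as the only accepted vault value, and nothing in this section tells an operator who still has `hashicorp` configured what happens next. Presumably option validation now rejects that value at startup; for a secrets backend it is worth confirming that this fails closed with a clear message rather than starting without any vault provider. I would document the narrowed contract on the enum, e.g. `/** Vault providers selectable through the vault option; only the file-based provider is supported. */`, and mention the removal in the upgrade notes. The trailing `;` after the single constant `file` can also be dropped. The body of `VaultOptions` between the two hunks is not visible here.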
|
@ -101,11 +101,6 @@
|
||||||
<artifactId>rest-assured</artifactId>
|
<artifactId>rest-assured</artifactId>
|
||||||
<scope>test</scope>
|
<scope>test</scope>
|
||||||
</dependency>
|
</dependency>
|
||||||
<dependency>
|
|
||||||
<groupId>io.quarkiverse.vault</groupId>
|
|
||||||
<artifactId>quarkus-vault-deployment</artifactId>
|
|
||||||
<version>${io.quarkiverse.vault.version}</version>
|
|
||||||
</dependency>
|
|
||||||
</dependencies>
|
</dependencies>
|
||||||
|
|
||||||
<build>
|
<build>
|
||||||
|
|
|
@ -47,11 +47,6 @@
|
||||||
<sun.saaj-impl.version>1.4.1.SP1</sun.saaj-impl.version>
|
<sun.saaj-impl.version>1.4.1.SP1</sun.saaj-impl.version>
|
||||||
<org.jvnet.staxex.version>1.8.3</org.jvnet.staxex.version>
|
<org.jvnet.staxex.version>1.8.3</org.jvnet.staxex.version>
|
||||||
|
|
||||||
<!--
|
|
||||||
Quarkiverse dependency versions
|
|
||||||
-->
|
|
||||||
<io.quarkiverse.vault.version>2.0.0</io.quarkiverse.vault.version>
|
|
||||||
|
|
||||||
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
|
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
|
||||||
<maven.compiler.plugin.version>3.8.1</maven.compiler.plugin.version>
|
<maven.compiler.plugin.version>3.8.1</maven.compiler.plugin.version>
|
||||||
<maven.compiler.release>11</maven.compiler.release>
|
<maven.compiler.release>11</maven.compiler.release>
|
||||||
|
|
|
@ -96,11 +96,6 @@
|
||||||
<groupId>org.wildfly.security</groupId>
|
<groupId>org.wildfly.security</groupId>
|
||||||
<artifactId>wildfly-elytron</artifactId>
|
<artifactId>wildfly-elytron</artifactId>
|
||||||
</dependency>
|
</dependency>
|
||||||
<dependency>
|
|
||||||
<groupId>io.quarkiverse.vault</groupId>
|
|
||||||
<artifactId>quarkus-vault</artifactId>
|
|
||||||
<version>${io.quarkiverse.vault.version}</version>
|
|
||||||
</dependency>
|
|
||||||
|
|
||||||
<!-- CLI -->
|
<!-- CLI -->
|
||||||
<dependency>
|
<dependency>
|
||||||
|
|
|
@ -17,17 +17,6 @@ final class VaultPropertyMappers {
|
||||||
fromOption(VaultOptions.VAULT_DIR)
|
fromOption(VaultOptions.VAULT_DIR)
|
||||||
.to("kc.spi-vault-file-dir")
|
.to("kc.spi-vault-file-dir")
|
||||||
.paramLabel("dir")
|
.paramLabel("dir")
|
||||||
.build(),
|
|
||||||
fromOption(VaultOptions.VAULT_UNMAPPED)
|
|
||||||
.to("quarkus.vault.")
|
|
||||||
.build(),
|
|
||||||
fromOption(VaultOptions.VAULT_URL)
|
|
||||||
.to("quarkus.vault.url")
|
|
||||||
.paramLabel("paths")
|
|
||||||
.build(),
|
|
||||||
fromOption(VaultOptions.VAULT_KV_PATHS)
|
|
||||||
.to("kc.spi-vault-hashicorp-paths")
|
|
||||||
.paramLabel("paths")
|
|
||||||
.build()
|
.build()
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,67 +0,0 @@
|
||||||
/*
|
|
||||||
* Copyright 2021 Red Hat, Inc. and/or its affiliates
|
|
||||||
* and other contributors as indicated by the @author tags.
|
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
* you may not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
package org.keycloak.quarkus.runtime.vault;
|
|
||||||
|
|
||||||
import static org.keycloak.vault.DefaultVaultRawSecret.forBuffer;
|
|
||||||
|
|
||||||
import java.nio.CharBuffer;
|
|
||||||
import java.nio.charset.StandardCharsets;
|
|
||||||
import java.util.List;
|
|
||||||
import java.util.Map;
|
|
||||||
import java.util.Optional;
|
|
||||||
|
|
||||||
import org.keycloak.vault.AbstractVaultProvider;
|
|
||||||
import org.keycloak.vault.VaultKeyResolver;
|
|
||||||
import org.keycloak.vault.VaultRawSecret;
|
|
||||||
|
|
||||||
import io.quarkus.vault.VaultKVSecretEngine;
|
|
||||||
|
|
||||||
public class QuarkusVaultProvider extends AbstractVaultProvider {
|
|
||||||
|
|
||||||
private VaultKVSecretEngine secretEngine;
|
|
||||||
private String[] kvPaths;
|
|
||||||
|
|
||||||
public QuarkusVaultProvider(VaultKVSecretEngine secretEngine, String[] kvPaths, String realm, List<VaultKeyResolver> keyResolvers) {
|
|
||||||
super(realm, keyResolvers);
|
|
||||||
this.secretEngine = secretEngine;
|
|
||||||
this.kvPaths = kvPaths;
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
protected VaultRawSecret obtainSecretInternal(String key) {
|
|
||||||
if (kvPaths == null) {
|
|
||||||
return forBuffer(Optional.empty());
|
|
||||||
}
|
|
||||||
|
|
||||||
for (String path : kvPaths) {
|
|
||||||
Map<String, String> secrets = secretEngine.readSecret(path);
|
|
||||||
String secret = secrets.get(key);
|
|
||||||
|
|
||||||
if (secret != null) {
|
|
||||||
return forBuffer(Optional.of(StandardCharsets.UTF_8.encode(CharBuffer.wrap(secret))));
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return forBuffer(Optional.empty());
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public void close() {
|
|
||||||
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -1,89 +0,0 @@
|
||||||
/*
|
|
||||||
* Copyright 2021 Red Hat, Inc. and/or its affiliates
|
|
||||||
* and other contributors as indicated by the @author tags.
|
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
* you may not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
package org.keycloak.quarkus.runtime.vault;
|
|
||||||
|
|
||||||
import org.keycloak.Config;
|
|
||||||
import org.keycloak.models.KeycloakSession;
|
|
||||||
import org.keycloak.models.KeycloakSessionFactory;
|
|
||||||
import org.keycloak.provider.EnvironmentDependentProviderFactory;
|
|
||||||
import org.keycloak.quarkus.runtime.configuration.Configuration;
|
|
||||||
import org.keycloak.vault.AbstractVaultProviderFactory;
|
|
||||||
import org.keycloak.vault.VaultProvider;
|
|
||||||
|
|
||||||
import io.quarkus.arc.Arc;
|
|
||||||
import io.quarkus.arc.InstanceHandle;
|
|
||||||
import io.quarkus.vault.VaultKVSecretEngine;
|
|
||||||
import io.quarkus.vault.runtime.VaultConfigHolder;
|
|
||||||
|
|
||||||
public class QuarkusVaultProviderFactory extends AbstractVaultProviderFactory implements EnvironmentDependentProviderFactory {
|
|
||||||
|
|
||||||
private String[] kvPaths;
|
|
||||||
private VaultKVSecretEngine secretEngine;
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public VaultProvider create(KeycloakSession session) {
|
|
||||||
return new QuarkusVaultProvider(secretEngine, kvPaths, getRealmName(session), super.keyResolvers);
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public void init(Config.Scope config) {
|
|
||||||
super.init(config);
|
|
||||||
kvPaths = config.getArray("paths");
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public void postInit(KeycloakSessionFactory factory) {
|
|
||||||
InstanceHandle<VaultKVSecretEngine> engineInstance = Arc.container().instance(VaultKVSecretEngine.class);
|
|
||||||
|
|
||||||
if (engineInstance.isAvailable()) {
|
|
||||||
secretEngine = engineInstance.get();
|
|
||||||
}
|
|
||||||
|
|
||||||
InstanceHandle<VaultConfigHolder> configInstance = Arc.container().instance(VaultConfigHolder.class);
|
|
||||||
|
|
||||||
if (!configInstance.isAvailable() || configInstance.get().getVaultBootstrapConfig() == null) {
|
|
||||||
throw new RuntimeException("No configuration defined for hashicorp provider.");
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public void close() {
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public String getId() {
|
|
||||||
return "hashicorp";
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public int order() {
|
|
||||||
return 10;
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public boolean isSupported(Config.Scope config) {
|
|
||||||
return getId().equals(Configuration.getRawValue("kc.vault"));
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public boolean isSupported() {
|
|
||||||
// in quarkus we do not use this method when installing providers
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -1,2 +1 @@
|
||||||
org.keycloak.quarkus.runtime.vault.FilesPlainTextVaultProviderFactory
|
org.keycloak.quarkus.runtime.vault.FilesPlainTextVaultProviderFactory
|
||||||
org.keycloak.quarkus.runtime.vault.QuarkusVaultProviderFactory
|
|
||||||
|
|
|
@ -78,7 +78,7 @@ Metrics:
|
||||||
|
|
||||||
Vault:
|
Vault:
|
||||||
|
|
||||||
--vault <provider> Enables a vault provider. Possible values are: file, hashicorp.
|
--vault <provider> Enables a vault provider. Possible values are: file.
|
||||||
|
|
||||||
Examples:
|
Examples:
|
||||||
|
|
||||||
|
|
|
@ -43,24 +43,25 @@ Transaction:
|
||||||
|
|
||||||
Feature:
|
Feature:
|
||||||
|
|
||||||
--features <feature> Enables a set of one or more features. Possible values are: authorization,
|
--features <feature> Enables a set of one or more features. Possible values are: account-api,
|
||||||
account2, account-api, admin-fine-grained-authz, admin2, docker,
|
account2, admin, admin-api, admin-fine-grained-authz, admin2, authorization,
|
||||||
impersonation, openshift-integration, scripts, token-exchange, web-authn,
|
ciba, client-policies, client-secret-rotation, declarative-user-profile,
|
||||||
client-policies, ciba, map-storage, par, declarative-user-profile,
|
docker, dynamic-scopes, impersonation, js-adapter, map-storage,
|
||||||
dynamic-scopes, client-secret-rotation, step-up-authentication,
|
openshift-integration, par, preview, recovery-codes, scripts,
|
||||||
recovery-codes, update-email, js-adapter, preview.
|
step-up-authentication, token-exchange, update-email, web-authn.
|
||||||
--features-disabled <feature>
|
--features-disabled <feature>
|
||||||
Disables a set of one or more features. Possible values are: authorization,
|
Disables a set of one or more features. Possible values are: account-api,
|
||||||
account2, account-api, admin-fine-grained-authz, admin2, docker,
|
account2, admin, admin-api, admin-fine-grained-authz, admin2, authorization,
|
||||||
impersonation, openshift-integration, scripts, token-exchange, web-authn,
|
ciba, client-policies, client-secret-rotation, declarative-user-profile,
|
||||||
client-policies, ciba, map-storage, par, declarative-user-profile,
|
docker, dynamic-scopes, impersonation, js-adapter, map-storage,
|
||||||
dynamic-scopes, client-secret-rotation, step-up-authentication,
|
openshift-integration, par, preview, recovery-codes, scripts,
|
||||||
recovery-codes, update-email, js-adapter, preview.
|
step-up-authentication, token-exchange, update-email, web-authn.
|
||||||
|
|
||||||
HTTP/TLS:
|
HTTP/TLS:
|
||||||
|
|
||||||
--http-relative-path <path>
|
--http-relative-path <path>
|
||||||
Set the path relative to '/' for serving resources. Default: /.
|
Set the path relative to '/' for serving resources. The path must start with a
|
||||||
|
'/'. Default: /.
|
||||||
|
|
||||||
Health:
|
Health:
|
||||||
|
|
||||||
|
@ -77,7 +78,7 @@ Metrics:
|
||||||
|
|
||||||
Vault:
|
Vault:
|
||||||
|
|
||||||
--vault <provider> Enables a vault provider. Possible values are: file, hashicorp.
|
--vault <provider> Enables a vault provider. Possible values are: file.
|
||||||
|
|
||||||
Examples:
|
Examples:
|
||||||
|
|
||||||
|
|
|
@ -164,7 +164,7 @@ Proxy:
|
||||||
|
|
||||||
Vault:
|
Vault:
|
||||||
|
|
||||||
--vault <provider> Enables a vault provider. Possible values are: file, hashicorp.
|
--vault <provider> Enables a vault provider. Possible values are: file.
|
||||||
--vault-dir <dir> If set, secrets can be obtained by reading the content of files within the
|
--vault-dir <dir> If set, secrets can be obtained by reading the content of files within the
|
||||||
given directory.
|
given directory.
|
||||||
|
|
||||||
|
|
|
@ -66,19 +66,19 @@ Transaction:
|
||||||
|
|
||||||
Feature:
|
Feature:
|
||||||
|
|
||||||
--features <feature> Enables a set of one or more features. Possible values are: authorization,
|
--features <feature> Enables a set of one or more features. Possible values are: account-api,
|
||||||
account2, account-api, admin-fine-grained-authz, admin2, docker,
|
account2, admin, admin-api, admin-fine-grained-authz, admin2, authorization,
|
||||||
impersonation, openshift-integration, scripts, token-exchange, web-authn,
|
ciba, client-policies, client-secret-rotation, declarative-user-profile,
|
||||||
client-policies, ciba, map-storage, par, declarative-user-profile,
|
docker, dynamic-scopes, impersonation, js-adapter, map-storage,
|
||||||
dynamic-scopes, client-secret-rotation, step-up-authentication,
|
openshift-integration, par, preview, recovery-codes, scripts,
|
||||||
recovery-codes, update-email, js-adapter, preview.
|
step-up-authentication, token-exchange, update-email, web-authn.
|
||||||
--features-disabled <feature>
|
--features-disabled <feature>
|
||||||
Disables a set of one or more features. Possible values are: authorization,
|
Disables a set of one or more features. Possible values are: account-api,
|
||||||
account2, account-api, admin-fine-grained-authz, admin2, docker,
|
account2, admin, admin-api, admin-fine-grained-authz, admin2, authorization,
|
||||||
impersonation, openshift-integration, scripts, token-exchange, web-authn,
|
ciba, client-policies, client-secret-rotation, declarative-user-profile,
|
||||||
client-policies, ciba, map-storage, par, declarative-user-profile,
|
docker, dynamic-scopes, impersonation, js-adapter, map-storage,
|
||||||
dynamic-scopes, client-secret-rotation, step-up-authentication,
|
openshift-integration, par, preview, recovery-codes, scripts,
|
||||||
recovery-codes, update-email, js-adapter, preview.
|
step-up-authentication, token-exchange, update-email, web-authn.
|
||||||
|
|
||||||
Hostname:
|
Hostname:
|
||||||
|
|
||||||
|
@ -113,7 +113,8 @@ HTTP/TLS:
|
||||||
--http-host <host> The used HTTP Host. Default: 0.0.0.0.
|
--http-host <host> The used HTTP Host. Default: 0.0.0.0.
|
||||||
--http-port <port> The used HTTP port. Default: 8080.
|
--http-port <port> The used HTTP port. Default: 8080.
|
||||||
--http-relative-path <path>
|
--http-relative-path <path>
|
||||||
Set the path relative to '/' for serving resources. Default: /.
|
Set the path relative to '/' for serving resources. The path must start with a
|
||||||
|
'/'. Default: /.
|
||||||
--https-certificate-file <file>
|
--https-certificate-file <file>
|
||||||
The file path to a server certificate or certificate chain in PEM format.
|
The file path to a server certificate or certificate chain in PEM format.
|
||||||
--https-certificate-key-file <file>
|
--https-certificate-key-file <file>
|
||||||
|
@ -163,7 +164,7 @@ Proxy:
|
||||||
|
|
||||||
Vault:
|
Vault:
|
||||||
|
|
||||||
--vault <provider> Enables a vault provider. Possible values are: file, hashicorp.
|
--vault <provider> Enables a vault provider. Possible values are: file.
|
||||||
--vault-dir <dir> If set, secrets can be obtained by reading the content of files within the
|
--vault-dir <dir> If set, secrets can be obtained by reading the content of files within the
|
||||||
given directory.
|
given directory.
|
||||||
|
|
||||||
|
|
|
@ -222,7 +222,7 @@ Proxy:
|
||||||
|
|
||||||
Vault:
|
Vault:
|
||||||
|
|
||||||
--vault <provider> Enables a vault provider. Possible values are: file, hashicorp.
|
--vault <provider> Enables a vault provider. Possible values are: file.
|
||||||
--vault-dir <dir> If set, secrets can be obtained by reading the content of files within the
|
--vault-dir <dir> If set, secrets can be obtained by reading the content of files within the
|
||||||
given directory.
|
given directory.
|
||||||
|
|
||||||
|
|
|
@ -124,19 +124,19 @@ Transaction:
|
||||||
|
|
||||||
Feature:
|
Feature:
|
||||||
|
|
||||||
--features <feature> Enables a set of one or more features. Possible values are: authorization,
|
--features <feature> Enables a set of one or more features. Possible values are: account-api,
|
||||||
account2, account-api, admin-fine-grained-authz, admin-api, admin, admin2,
|
account2, admin, admin-api, admin-fine-grained-authz, admin2, authorization,
|
||||||
docker, impersonation, openshift-integration, scripts, token-exchange,
|
ciba, client-policies, client-secret-rotation, declarative-user-profile,
|
||||||
web-authn, client-policies, ciba, map-storage, par,
|
docker, dynamic-scopes, impersonation, js-adapter, map-storage,
|
||||||
declarative-user-profile, dynamic-scopes, client-secret-rotation,
|
openshift-integration, par, preview, recovery-codes, scripts,
|
||||||
step-up-authentication, recovery-codes, update-email, js-adapter, preview.
|
step-up-authentication, token-exchange, update-email, web-authn.
|
||||||
--features-disabled <feature>
|
--features-disabled <feature>
|
||||||
Disables a set of one or more features. Possible values are: authorization,
|
Disables a set of one or more features. Possible values are: account-api,
|
||||||
account2, account-api, admin-fine-grained-authz, admin-api, admin, admin2,
|
account2, admin, admin-api, admin-fine-grained-authz, admin2, authorization,
|
||||||
docker, impersonation, openshift-integration, scripts, token-exchange,
|
ciba, client-policies, client-secret-rotation, declarative-user-profile,
|
||||||
web-authn, client-policies, ciba, map-storage, par,
|
docker, dynamic-scopes, impersonation, js-adapter, map-storage,
|
||||||
declarative-user-profile, dynamic-scopes, client-secret-rotation,
|
openshift-integration, par, preview, recovery-codes, scripts,
|
||||||
step-up-authentication, recovery-codes, update-email, js-adapter, preview.
|
step-up-authentication, token-exchange, update-email, web-authn.
|
||||||
|
|
||||||
Hostname:
|
Hostname:
|
||||||
|
|
||||||
|
@ -222,7 +222,7 @@ Proxy:
|
||||||
|
|
||||||
Vault:
|
Vault:
|
||||||
|
|
||||||
--vault <provider> Enables a vault provider. Possible values are: file, hashicorp.
|
--vault <provider> Enables a vault provider. Possible values are: file.
|
||||||
--vault-dir <dir> If set, secrets can be obtained by reading the content of files within the
|
--vault-dir <dir> If set, secrets can be obtained by reading the content of files within the
|
||||||
given directory.
|
given directory.
|
||||||
|
|
||||||
|
|
|
@ -170,7 +170,7 @@ Proxy:
|
||||||
|
|
||||||
Vault:
|
Vault:
|
||||||
|
|
||||||
--vault <provider> Enables a vault provider. Possible values are: file, hashicorp.
|
--vault <provider> Enables a vault provider. Possible values are: file.
|
||||||
--vault-dir <dir> If set, secrets can be obtained by reading the content of files within the
|
--vault-dir <dir> If set, secrets can be obtained by reading the content of files within the
|
||||||
given directory.
|
given directory.
|
||||||
|
|
||||||
|
|
|
@ -72,19 +72,19 @@ Transaction:
|
||||||
|
|
||||||
Feature:
|
Feature:
|
||||||
|
|
||||||
--features <feature> Enables a set of one or more features. Possible values are: authorization,
|
--features <feature> Enables a set of one or more features. Possible values are: account-api,
|
||||||
account2, account-api, admin-fine-grained-authz, admin2, docker,
|
account2, admin, admin-api, admin-fine-grained-authz, admin2, authorization,
|
||||||
impersonation, openshift-integration, scripts, token-exchange, web-authn,
|
ciba, client-policies, client-secret-rotation, declarative-user-profile,
|
||||||
client-policies, ciba, map-storage, par, declarative-user-profile,
|
docker, dynamic-scopes, impersonation, js-adapter, map-storage,
|
||||||
dynamic-scopes, client-secret-rotation, step-up-authentication,
|
openshift-integration, par, preview, recovery-codes, scripts,
|
||||||
recovery-codes, update-email, js-adapter, preview.
|
step-up-authentication, token-exchange, update-email, web-authn.
|
||||||
--features-disabled <feature>
|
--features-disabled <feature>
|
||||||
Disables a set of one or more features. Possible values are: authorization,
|
Disables a set of one or more features. Possible values are: account-api,
|
||||||
account2, account-api, admin-fine-grained-authz, admin2, docker,
|
account2, admin, admin-api, admin-fine-grained-authz, admin2, authorization,
|
||||||
impersonation, openshift-integration, scripts, token-exchange, web-authn,
|
ciba, client-policies, client-secret-rotation, declarative-user-profile,
|
||||||
client-policies, ciba, map-storage, par, declarative-user-profile,
|
docker, dynamic-scopes, impersonation, js-adapter, map-storage,
|
||||||
dynamic-scopes, client-secret-rotation, step-up-authentication,
|
openshift-integration, par, preview, recovery-codes, scripts,
|
||||||
recovery-codes, update-email, js-adapter, preview.
|
step-up-authentication, token-exchange, update-email, web-authn.
|
||||||
|
|
||||||
Hostname:
|
Hostname:
|
||||||
|
|
||||||
|
@ -119,7 +119,8 @@ HTTP/TLS:
|
||||||
--http-host <host> The used HTTP Host. Default: 0.0.0.0.
|
--http-host <host> The used HTTP Host. Default: 0.0.0.0.
|
||||||
--http-port <port> The used HTTP port. Default: 8080.
|
--http-port <port> The used HTTP port. Default: 8080.
|
||||||
--http-relative-path <path>
|
--http-relative-path <path>
|
||||||
Set the path relative to '/' for serving resources. Default: /.
|
Set the path relative to '/' for serving resources. The path must start with a
|
||||||
|
'/'. Default: /.
|
||||||
--https-certificate-file <file>
|
--https-certificate-file <file>
|
||||||
The file path to a server certificate or certificate chain in PEM format.
|
The file path to a server certificate or certificate chain in PEM format.
|
||||||
--https-certificate-key-file <file>
|
--https-certificate-key-file <file>
|
||||||
|
@ -169,7 +170,7 @@ Proxy:
|
||||||
|
|
||||||
Vault:
|
Vault:
|
||||||
|
|
||||||
--vault <provider> Enables a vault provider. Possible values are: file, hashicorp.
|
--vault <provider> Enables a vault provider. Possible values are: file.
|
||||||
--vault-dir <dir> If set, secrets can be obtained by reading the content of files within the
|
--vault-dir <dir> If set, secrets can be obtained by reading the content of files within the
|
||||||
given directory.
|
given directory.
|
||||||
|
|
||||||
|
|
|
@ -228,7 +228,7 @@ Proxy:
|
||||||
|
|
||||||
Vault:
|
Vault:
|
||||||
|
|
||||||
--vault <provider> Enables a vault provider. Possible values are: file, hashicorp.
|
--vault <provider> Enables a vault provider. Possible values are: file.
|
||||||
--vault-dir <dir> If set, secrets can be obtained by reading the content of files within the
|
--vault-dir <dir> If set, secrets can be obtained by reading the content of files within the
|
||||||
given directory.
|
given directory.
|
||||||
|
|
||||||
|
|
|
@ -130,19 +130,19 @@ Transaction:
|
||||||
|
|
||||||
Feature:
|
Feature:
|
||||||
|
|
||||||
--features <feature> Enables a set of one or more features. Possible values are: authorization,
|
--features <feature> Enables a set of one or more features. Possible values are: account-api,
|
||||||
account2, account-api, admin-fine-grained-authz, admin-api, admin, admin2,
|
account2, admin, admin-api, admin-fine-grained-authz, admin2, authorization,
|
||||||
docker, impersonation, openshift-integration, scripts, token-exchange,
|
ciba, client-policies, client-secret-rotation, declarative-user-profile,
|
||||||
web-authn, client-policies, ciba, map-storage, par,
|
docker, dynamic-scopes, impersonation, js-adapter, map-storage,
|
||||||
declarative-user-profile, dynamic-scopes, client-secret-rotation,
|
openshift-integration, par, preview, recovery-codes, scripts,
|
||||||
step-up-authentication, recovery-codes, update-email, js-adapter, preview.
|
step-up-authentication, token-exchange, update-email, web-authn.
|
||||||
--features-disabled <feature>
|
--features-disabled <feature>
|
||||||
Disables a set of one or more features. Possible values are: authorization,
|
Disables a set of one or more features. Possible values are: account-api,
|
||||||
account2, account-api, admin-fine-grained-authz, admin-api, admin, admin2,
|
account2, admin, admin-api, admin-fine-grained-authz, admin2, authorization,
|
||||||
docker, impersonation, openshift-integration, scripts, token-exchange,
|
ciba, client-policies, client-secret-rotation, declarative-user-profile,
|
||||||
web-authn, client-policies, ciba, map-storage, par,
|
docker, dynamic-scopes, impersonation, js-adapter, map-storage,
|
||||||
declarative-user-profile, dynamic-scopes, client-secret-rotation,
|
openshift-integration, par, preview, recovery-codes, scripts,
|
||||||
step-up-authentication, recovery-codes, update-email, js-adapter, preview.
|
step-up-authentication, token-exchange, update-email, web-authn.
|
||||||
|
|
||||||
Hostname:
|
Hostname:
|
||||||
|
|
||||||
|
@ -228,7 +228,7 @@ Proxy:
|
||||||
|
|
||||||
Vault:
|
Vault:
|
||||||
|
|
||||||
--vault <provider> Enables a vault provider. Possible values are: file, hashicorp.
|
--vault <provider> Enables a vault provider. Possible values are: file.
|
||||||
--vault-dir <dir> If set, secrets can be obtained by reading the content of files within the
|
--vault-dir <dir> If set, secrets can be obtained by reading the content of files within the
|
||||||
given directory.
|
given directory.
|
||||||
|
|
||||||
|
|