All commands now auto-reaugment except show-config

Closes #15782
Closes #15898
Closes #17498

docs/documentation/release_notes/topics/22_0_0.adoc

@@ -1,3 +1,10 @@
 = Legacy Promise API removed from Keycloak JS adapter
 
 With this release, we have removed the legacy Promise API methods from the Keycloak JS adapter. This means that calling `.success()` and `.error()` on promises returned from the adapter is no longer possible.
+
+= Export and Import perform an automatic build
+
+In previous releases, the `export` and `import` commands required a `build` command to be run first.
+Starting with this release, the `export` and `import` commands perform an automatic rebuild of Keycloak if a build time configuration has changed.
+
+See the migration guide for details.

docs/documentation/upgrading/topics/keycloak/changes-22_0_0.adoc

@@ -38,3 +38,39 @@ try {
   alert('failed to initialize');
 }
 ```
+
+= Export and Import perform an automatic build
+
+In previous releases, the `export` and `import` commands required a `build` command to be run first.
+Starting with this release, the `export` and `import` commands perform an automatic rebuild of Keycloak if a build time configuration has changed.
+
+When migrating existing scripts that run a `build` command first, migrate by adding the `--optimized` command line option to the `export` and `import` command to avoid Keycloak automatically re-building the image.
+Not adding the `--optimized` option in this might make Keycloak trigger a rebuild and revert to the default values, and then connecting to the database for export and import will not work.
+
+The following examples assume that runtime parameters like a database password are provided via a configuration file or an environment variable.
+
+.Before migration: Running the build command before running the export command
+[source,bash]
+----
+bin/kc.[sh|bat] build --db=postgres ...
+bin/kc.[sh|bat] export --dir <dir>
+----
+
+.After migration: Adding `--optimized` to the export command
+[source,bash,subs="+quotes"]
+----
+bin/kc.[sh|bat] build --db=postgres ...
+bin/kc.[sh|bat] export ##--optimized## --dir <dir>
+----
+
+.After migration: Leveraging the auto-build functionality
+[source,bash]
+----
+bin/kc.[sh|bat] export --dir <dir> --db=postgres ...
+----
+
+NOTE:: When the auto-build runs, the build time options will be in effect for all subsequent commands that are started with the `--optimized` flag, including the `start` command.
+
+In previous releases the `export` and `import` commands allowed runtime parameters like, for example, a database URL only in configuration files or environment variables.
+Starting with this release, those runtime parameters are now available on the command line as well.
+Use the `--help` option to find out about the supported parameters.

docs/guides/server/importExport.adoc

@@ -1,5 +1,6 @@
 <#import "/templates/guide.adoc" as tmpl>
 <#import "/templates/kc.adoc" as kc>
+<#import "/templates/links.adoc" as links>
 
 <@tmpl.guide
     title="Importing and Exporting Realms"
@@ -7,6 +8,18 @@
 
 In this guide, you are going to understand the different approaches for importing and exporting realms using JSON files.
 
+== Providing options for database connection parameters
+
+When using the `export` and the `import` commands below, Keycloak needs to know how to connect to the database where the information about realms, clients, users and other entities is stored.
+As described in <@links.server id="configuration"/> that information can be provided as command line parameters, environment variables or a configuration file.
+Use the `--help` command line option for each command to see the available options.
+
+Some of the configuration options are build time configuration options.
+As default, Keycloak will re-build automatically for the `export` and `import` commands if it detects a change of a build time parameter.
+
+If you have built an optimized version of Keycloak with the `build` command as outlined in <@links.server id="configuration"/>, use the command line option `--optimized` to have Keycloak skip the build check for a faster startup time.
+When doing this, remove the build time options from the command line and keep only the runtime options.
+
 == Exporting a Realm to a Directory
 
 To export a realm, you can use the `export` command. Your Keycloak server instance must not be started when invoking this command.

operator/src/main/java/org/keycloak/operator/controllers/KeycloakRealmImportJob.java

@@ -165,7 +165,7 @@ public class KeycloakRealmImportJob extends OperatorManagedResource {
         var runBuild = (keycloak.getSpec().getImage() == null) ? "/opt/keycloak/bin/kc.sh build && " : "";
 
         var commandArgs = List.of("-c",
-                runBuild + "/opt/keycloak/bin/kc.sh import --file='" + importMntPath + getRealmName() + "-realm.json' " + override);
+                runBuild + "/opt/keycloak/bin/kc.sh import --optimized --file='" + importMntPath + getRealmName() + "-realm.json' " + override);
 
         keycloakContainer
                 .setCommand(command);

quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/cli/Picocli.java

@@ -21,6 +21,7 @@ import static org.keycloak.quarkus.runtime.Environment.isRebuildCheck;
 import static org.keycloak.quarkus.runtime.Environment.isRebuilt;
 import static org.keycloak.quarkus.runtime.cli.command.AbstractStartCommand.*;
 import static org.keycloak.quarkus.runtime.cli.command.AbstractStartCommand.AUTO_BUILD_OPTION_LONG;
+import static org.keycloak.quarkus.runtime.cli.command.AbstractStartCommand.OPTIMIZED_BUILD_OPTION_LONG;
 import static org.keycloak.quarkus.runtime.configuration.ConfigArgsConfigSource.parseConfigArgs;
 import static org.keycloak.quarkus.runtime.configuration.Configuration.OPTION_PART_SEPARATOR;
 import static org.keycloak.quarkus.runtime.configuration.Configuration.getBuildTimeProperty;
@@ -53,11 +54,9 @@ import org.keycloak.config.OptionCategory;
 import org.keycloak.quarkus.runtime.cli.command.AbstractCommand;
 import org.keycloak.quarkus.runtime.cli.command.AbstractStartCommand;
 import org.keycloak.quarkus.runtime.cli.command.Build;
-import org.keycloak.quarkus.runtime.cli.command.Export;
-import org.keycloak.quarkus.runtime.cli.command.Import;
 import org.keycloak.quarkus.runtime.cli.command.ImportRealmMixin;
 import org.keycloak.quarkus.runtime.cli.command.Main;
-import org.keycloak.quarkus.runtime.cli.command.Start;
+import org.keycloak.quarkus.runtime.cli.command.ShowConfig;
 import org.keycloak.quarkus.runtime.cli.command.StartDev;
 import org.keycloak.quarkus.runtime.configuration.ConfigArgsConfigSource;
 import org.keycloak.quarkus.runtime.configuration.PersistedConfigSource;
@@ -117,7 +116,7 @@ public final class Picocli {
                 Environment.forceDevProfile();
             }
         }
-        if (requiresReAugmentation(cmd)) {
+        if (requiresReAugmentation(getCurrentCommandSpec(cliArgs, cmd.getCommandSpec()))) {
             exitCode = runReAugmentation(cliArgs, cmd);
         }
 
@@ -128,12 +127,11 @@ public final class Picocli {
         return cliArgs.contains("--help")
                 || cliArgs.contains("-h")
                 || cliArgs.contains("--help-all")
-                || cliArgs.contains(Export.NAME)
+                || cliArgs.contains(ShowConfig.NAME);
-                || cliArgs.contains(Import.NAME);
     }
 
-    public static boolean requiresReAugmentation(CommandLine cmd) {
+    public static boolean requiresReAugmentation(CommandLine cmdCommand) {
-        if (hasConfigChanges()) {
+        if (hasConfigChanges(cmdCommand)) {
             if (!ConfigArgsConfigSource.getAllCliArgs().contains(StartDev.NAME) && "dev".equals(getConfig().getOptionalValue("kc.profile", String.class).orElse(null))) {
                 return false;
             }
@@ -174,17 +172,17 @@ public final class Picocli {
             cmd.getOut().println("Changes detected in configuration. Updating the server image.");
         }
 
-        int exitCode = 0;
+        int exitCode;
 
         List<String> configArgsList = new ArrayList<>(cliArgs);
 
-        configArgsList.replaceAll(Picocli::replaceStartWithBuild);
+        configArgsList.replaceAll(arg -> replaceCommandWithBuild(getCurrentCommandSpec(cliArgs, cmd.getCommandSpec()).getCommandName(), arg));
         configArgsList.removeIf(Picocli::isRuntimeOption);
 
         exitCode = cmd.execute(configArgsList.toArray(new String[0]));
 
         if(!isDevMode() && exitCode == cmd.getCommandSpec().exitCodeOnSuccess()) {
-            cmd.getOut().printf("Next time you run the server, just run:%n%n\t%s %s %s %s%n%n", Environment.getCommand(), Start.NAME, OPTIMIZED_BUILD_OPTION_LONG, String.join(" ", getSanitizedRuntimeCliOptions()));
+            cmd.getOut().printf("Next time you run the server, just run:%n%n\t%s %s %s %s%n%n", Environment.getCommand(), getCurrentCommandSpec(cliArgs, cmd.getCommandSpec()).getCommandName(), OPTIMIZED_BUILD_OPTION_LONG, String.join(" ", getSanitizedRuntimeCliOptions()));
         }
 
         return exitCode;
@@ -222,7 +220,7 @@ public final class Picocli {
         return false;
     }
 
-    private static boolean hasConfigChanges() {
+    private static boolean hasConfigChanges(CommandLine cmdCommand) {
         Optional<String> currentProfile = Optional.ofNullable(Environment.getProfile());
         Optional<String> persistedProfile = getBuildTimeProperty("kc.profile");
 
@@ -250,6 +248,17 @@ public final class Picocli {
             String persistedValue = getBuildTimeProperty(propertyName).orElse("");
             String runtimeValue = getRuntimeProperty(propertyName).orElse(null);
 
+            // compare only the relevant options for this command, as not all options might be set for this command
+            if (cmdCommand.getCommand() instanceof AbstractCommand) {
+                AbstractCommand abstractCommand = cmdCommand.getCommand();
+                PropertyMapper mapper = PropertyMappers.getMapper(propertyName);
+                if (mapper != null) {
+                    if (!abstractCommand.getOptionCategories().contains(mapper.getCategory())) {
+                        continue;
+                    }
+                }
+            }
+
             if (runtimeValue == null && isNotBlank(persistedValue)) {
                 PropertyMapper mapper = PropertyMappers.getMapper(propertyName);
 
@@ -375,7 +384,7 @@ public final class Picocli {
 
             if (!includeBuildTime && !includeRuntime) {
                 return;
-            } else if (includeRuntime && !includeBuildTime && (Start.NAME.equals(command.getCommandName())) || StartDev.NAME.equals(command.getCommandName())) {
+            } else if (includeRuntime && !includeBuildTime && !ShowConfig.NAME.equals(command.getCommandName())) {
                 includeBuildTime = isRebuilt() || !cliArgs.contains(OPTIMIZED_BUILD_OPTION_LONG);
             } else if (includeBuildTime && !includeRuntime) {
                 includeRuntime = isRebuildCheck();
@@ -519,8 +528,8 @@ public final class Picocli {
         return args;
     }
 
-    private static String replaceStartWithBuild(String arg) {
+    private static String replaceCommandWithBuild(String commandName, String arg) {
-        if (arg.equals(Start.NAME) || arg.equals(StartDev.NAME)) {
+        if (arg.equals(commandName)) {
             return Build.NAME;
         }
         return arg;

quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/cli/command/AbstractExportImportCommand.java

@@ -28,6 +28,9 @@ public abstract class AbstractExportImportCommand extends AbstractStartCommand i
 
     private final String action;
 
+    @CommandLine.Mixin
+    OptimizedMixin optimizedMixin;
+
     @CommandLine.Mixin
     HelpAllMixin helpAllMixin;
 
@@ -51,6 +54,9 @@ public abstract class AbstractExportImportCommand extends AbstractStartCommand i
                         optionCategory != OptionCategory.PROXY &&
                         optionCategory != OptionCategory.HOSTNAME &&
                         optionCategory != OptionCategory.METRICS &&
+                        optionCategory != OptionCategory.VAULT &&
+                        optionCategory != OptionCategory.SECURITY &&
+                        optionCategory != OptionCategory.CACHE &&
                         optionCategory != OptionCategory.HEALTH).collect(Collectors.toList());
     }
 

quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/cli/command/Build.java

@@ -34,7 +34,6 @@ import picocli.CommandLine;
 import picocli.CommandLine.Command;
 
 import java.util.List;
-import java.util.stream.Collectors;
 
 @Command(name = Build.NAME,
         header = "Creates a new and optimized server image.",
@@ -91,7 +90,8 @@ public final class Build extends AbstractCommand implements Runnable {
     }
 
     public List<OptionCategory> getOptionCategories() {
-        return super.getOptionCategories().stream().filter(optionCategory -> optionCategory != OptionCategory.EXPORT && optionCategory != OptionCategory.IMPORT).collect(Collectors.toList());
+        // all options should work for the build command, otherwise re-augmentation might fail due to unknown options
+        return super.getOptionCategories();
     }
 
     private void exitWithErrorIfDevProfileIsSetAndNotStartDev() {

quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/cli/command/OptimizedMixin.java

@@ -0,0 +1,33 @@
+/*
+ * Copyright 2021 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.quarkus.runtime.cli.command;
+
+import picocli.CommandLine;
+
+import static org.keycloak.quarkus.runtime.cli.Picocli.NO_PARAM_LABEL;
+import static org.keycloak.quarkus.runtime.cli.command.AbstractStartCommand.OPTIMIZED_BUILD_OPTION_LONG;
+
+public final class OptimizedMixin {
+
+    @CommandLine.Option(names = {OPTIMIZED_BUILD_OPTION_LONG},
+            description = "Use this option to achieve an optimal startup time if you have previously built a server image using the 'build' command.",
+            paramLabel = NO_PARAM_LABEL,
+            order = 1)
+    Boolean optimized;
+
+}

quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/cli/command/Start.java

@@ -19,6 +19,7 @@ package org.keycloak.quarkus.runtime.cli.command;
 
 import static org.keycloak.quarkus.runtime.Environment.setProfile;
 import static org.keycloak.quarkus.runtime.cli.Picocli.NO_PARAM_LABEL;
+import static org.keycloak.quarkus.runtime.cli.command.AbstractStartCommand.OPTIMIZED_BUILD_OPTION_LONG;
 import static org.keycloak.quarkus.runtime.configuration.Configuration.getRawPersistedProperty;
 
 import org.keycloak.config.OptionCategory;
@@ -37,8 +38,8 @@ import java.util.stream.Collectors;
         description = {
                 "%nUse this command to run the server in production."
         },
-        footer = "%nBy default, this command tries to update the server configuration by running a '" + Build.NAME + "' before starting the server. You can disable this behavior by using the '" + Start.OPTIMIZED_BUILD_OPTION_LONG + "' option:%n%n"
+        footer = "%nBy default, this command tries to update the server configuration by running a '" + Build.NAME + "' before starting the server. You can disable this behavior by using the '" + OPTIMIZED_BUILD_OPTION_LONG + "' option:%n%n"
-                + "      $ ${PARENT-COMMAND-FULL-NAME:-$PARENTCOMMAND} ${COMMAND-NAME} '" + Start.OPTIMIZED_BUILD_OPTION_LONG + "'%n%n"
+                + "      $ ${PARENT-COMMAND-FULL-NAME:-$PARENTCOMMAND} ${COMMAND-NAME} '" + OPTIMIZED_BUILD_OPTION_LONG + "'%n%n"
                 + "By doing that, the server should start faster based on any previous configuration you have set when manually running the '" + Build.NAME + "' command.")
 public final class Start extends AbstractStartCommand implements Runnable {
 
@@ -52,11 +53,8 @@ public final class Start extends AbstractStartCommand implements Runnable {
             order = 1)
     Boolean autoConfig;
 
-    @CommandLine.Option(names = {OPTIMIZED_BUILD_OPTION_LONG},
+    @CommandLine.Mixin
-            description = "Use this option to achieve an optional startup time if you have previously built a server image using the 'build' command.",
+    OptimizedMixin optimizedMixin;
-            paramLabel = NO_PARAM_LABEL,
-            order = 1)
-    Boolean optimized;
 
     @CommandLine.Mixin
     ImportRealmMixin importRealmMixin;

quarkus/runtime/src/main/resources/META-INF/keycloak.conf

@@ -22,6 +22,7 @@ metrics-enabled=false
 %import_export.http-server-enabled=false
 %import_export.hostname-strict=false
 %import_export.hostname-strict-https=false
+%import_export.cache=local
 
 #logging defaults
 log-console-output=default

quarkus/tests/integration/src/test/java/org/keycloak/it/storage/database/BasicDatabaseTest.java

@@ -38,7 +38,7 @@ public abstract class BasicDatabaseTest {
     }
 
     @Test
-    @Launch({ "start", AbstractStartCommand.OPTIMIZED_BUILD_OPTION_LONG,"--http-enabled=true", "--hostname-strict=false", "--db-username=wrong" })
+    @Launch({ "start", AbstractStartCommand.OPTIMIZED_BUILD_OPTION_LONG, "--http-enabled=true", "--hostname-strict=false", "--db-username=wrong" })
     void testWrongUsername(LaunchResult result) {
         CLIResult cliResult = (CLIResult) result;
         cliResult.assertMessage("ERROR: Failed to obtain JDBC connection");
@@ -48,7 +48,7 @@ public abstract class BasicDatabaseTest {
     protected abstract void assertWrongUsername(CLIResult cliResult);
 
     @Test
-    @Launch({ "start", AbstractStartCommand.OPTIMIZED_BUILD_OPTION_LONG,"--http-enabled=true", "--hostname-strict=false", "--db-password=wrong" })
+    @Launch({ "start", AbstractStartCommand.OPTIMIZED_BUILD_OPTION_LONG, "--http-enabled=true", "--hostname-strict=false", "--db-password=wrong" })
     void testWrongPassword(LaunchResult result) {
         CLIResult cliResult = (CLIResult) result;
         cliResult.assertMessage("ERROR: Failed to obtain JDBC connection");
@@ -59,7 +59,7 @@ public abstract class BasicDatabaseTest {
 
     @Order(1)
     @Test
-    @Launch({ "export", "--dir=./target/export"})
+    @Launch({ "export", AbstractStartCommand.OPTIMIZED_BUILD_OPTION_LONG, "--dir=./target/export"})
     public void testExportSucceeds(LaunchResult result) {
         CLIResult cliResult = (CLIResult) result;
         cliResult.assertMessage("Full model export requested");
@@ -68,7 +68,7 @@ public abstract class BasicDatabaseTest {
 
     @Order(2)
     @Test
-    @Launch({ "import", "--dir=./target/export" })
+    @Launch({ "import", AbstractStartCommand.OPTIMIZED_BUILD_OPTION_LONG, "--dir=./target/export" })
     void testImportSucceeds(LaunchResult result) {
         CLIResult cliResult = (CLIResult) result;
         cliResult.assertMessage("target/export");

quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testExportHelp.unix.approved.txt

@@ -10,9 +10,13 @@ Options:
 
 -h, --help           This help message.
 --help-all           This same help message but with additional options.
+--optimized          Use this option to achieve an optimal startup time if you have previously
+                       built a server image using the 'build' command.
 
 Database:
 
+--db <vendor>        The database vendor. Possible values are: dev-file, dev-mem, mariadb, mssql,
+                       mysql, oracle, postgres. Default: dev-file.
 --db-driver <driver> The fully qualified class name of the JDBC driver. If not set, a default
                        driver is set accordingly to the chosen database.
 --db-password <password>
@@ -41,10 +45,29 @@ Database:
 --db-username <username>
                      The username of the database user.
 
-Vault:
+Transaction:
 
---vault-dir <dir>    If set, secrets can be obtained by reading the content of files within the
+--transaction-xa-enabled <true|false>
-                       given directory.
+                     If set to false, Keycloak uses a non-XA datasource in case the database does
+                       not support XA transactions. Default: true.
+
+Feature:
+
+--features <feature> Enables a set of one or more features. Possible values are: account-api,
+                       account2, account3, admin-api, admin-fine-grained-authz, admin2,
+                       authorization, ciba, client-policies, client-secret-rotation,
+                       declarative-user-profile, docker, dynamic-scopes, fips, impersonation,
+                       js-adapter, kerberos, map-storage, openshift-integration, par, preview,
+                       recovery-codes, scripts, step-up-authentication, token-exchange,
+                       update-email, web-authn.
+--features-disabled <feature>
+                     Disables a set of one or more features. Possible values are: account-api,
+                       account2, account3, admin-api, admin-fine-grained-authz, admin2,
+                       authorization, ciba, client-policies, client-secret-rotation,
+                       declarative-user-profile, docker, dynamic-scopes, fips, impersonation,
+                       js-adapter, kerberos, map-storage, openshift-integration, par, preview,
+                       recovery-codes, scripts, step-up-authentication, token-exchange,
+                       update-email, web-authn.
 
 Logging:
 

quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testExportHelpAll.unix.approved.txt

@@ -10,9 +10,52 @@ Options:
 
 -h, --help           This help message.
 --help-all           This same help message but with additional options.
+--optimized          Use this option to achieve an optimal startup time if you have previously
+                       built a server image using the 'build' command.
 
 Storage (Experimental):
 
+--storage <type>     Experimental: Sets the default storage mechanism for all areas. Possible
+                       values are: jpa, chm, hotrod, file.
+--storage-area-auth-session <type>
+                     Experimental: Sets a storage mechanism for authentication sessions. Possible
+                       values are: jpa, chm, hotrod, file.
+--storage-area-authorization <type>
+                     Experimental: Sets a storage mechanism for authorizations. Possible values
+                       are: jpa, chm, hotrod, file.
+--storage-area-client <type>
+                     Experimental: Sets a storage mechanism for clients. Possible values are: jpa,
+                       chm, hotrod, file.
+--storage-area-client-scope <type>
+                     Experimental: Sets a storage mechanism for client scopes. Possible values are:
+                       jpa, chm, hotrod, file.
+--storage-area-event-admin <type>
+                     Experimental: Sets a storage mechanism for admin events. Possible values are:
+                       jpa, chm, hotrod, file.
+--storage-area-event-auth <type>
+                     Experimental: Sets a storage mechanism for authentication and authorization
+                       events. Possible values are: jpa, chm, hotrod, file.
+--storage-area-group <type>
+                     Experimental: Sets a storage mechanism for groups. Possible values are: jpa,
+                       chm, hotrod, file.
+--storage-area-login-failure <type>
+                     Experimental: Sets a storage mechanism for login failures. Possible values
+                       are: jpa, chm, hotrod, file.
+--storage-area-realm <type>
+                     Experimental: Sets a storage mechanism for realms. Possible values are: jpa,
+                       chm, hotrod, file.
+--storage-area-role <type>
+                     Experimental: Sets a storage mechanism for roles. Possible values are: jpa,
+                       chm, hotrod, file.
+--storage-area-single-use-object <type>
+                     Experimental: Sets a storage mechanism for single use objects. Possible values
+                       are: jpa, chm, hotrod.
+--storage-area-user <type>
+                     Experimental: Sets a storage mechanism for users. Possible values are: jpa,
+                       chm, hotrod, file.
+--storage-area-user-session <type>
+                     Experimental: Sets a storage mechanism for user and client sessions. Possible
+                       values are: jpa, chm, hotrod, file.
 --storage-deployment-state-version-seed <type>
                      Experimental: Secret that serves as a seed to mask the version number of
                        Keycloak in URLs. Need to be identical across all servers in the cluster.
@@ -29,9 +72,14 @@ Storage (Experimental):
                      Experimental: Sets the port of the Infinispan server.
 --storage-hotrod-username <username>
                      Experimental: Sets the username of the Infinispan user.
+--storage-jpa-db <type>
+                     Experimental: The database vendor for jpa map storage. Possible values are:
+                       postgres, cockroach. Default: postgres.
 
 Database:
 
+--db <vendor>        The database vendor. Possible values are: dev-file, dev-mem, mariadb, mssql,
+                       mysql, oracle, postgres. Default: dev-file.
 --db-driver <driver> The fully qualified class name of the JDBC driver. If not set, a default
                        driver is set accordingly to the chosen database.
 --db-password <password>
@@ -60,10 +108,29 @@ Database:
 --db-username <username>
                      The username of the database user.
 
-Vault:
+Transaction:
 
---vault-dir <dir>    If set, secrets can be obtained by reading the content of files within the
+--transaction-xa-enabled <true|false>
-                       given directory.
+                     If set to false, Keycloak uses a non-XA datasource in case the database does
+                       not support XA transactions. Default: true.
+
+Feature:
+
+--features <feature> Enables a set of one or more features. Possible values are: account-api,
+                       account2, account3, admin-api, admin-fine-grained-authz, admin2,
+                       authorization, ciba, client-policies, client-secret-rotation,
+                       declarative-user-profile, docker, dynamic-scopes, fips, impersonation,
+                       js-adapter, kerberos, map-storage, openshift-integration, par, preview,
+                       recovery-codes, scripts, step-up-authentication, token-exchange,
+                       update-email, web-authn.
+--features-disabled <feature>
+                     Disables a set of one or more features. Possible values are: account-api,
+                       account2, account3, admin-api, admin-fine-grained-authz, admin2,
+                       authorization, ciba, client-policies, client-secret-rotation,
+                       declarative-user-profile, docker, dynamic-scopes, fips, impersonation,
+                       js-adapter, kerberos, map-storage, openshift-integration, par, preview,
+                       recovery-codes, scripts, step-up-authentication, token-exchange,
+                       update-email, web-authn.
 
 Logging:
 

quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testImportHelp.unix.approved.txt

@@ -10,9 +10,13 @@ Options:
 
 -h, --help           This help message.
 --help-all           This same help message but with additional options.
+--optimized          Use this option to achieve an optimal startup time if you have previously
+                       built a server image using the 'build' command.
 
 Database:
 
+--db <vendor>        The database vendor. Possible values are: dev-file, dev-mem, mariadb, mssql,
+                       mysql, oracle, postgres. Default: dev-file.
 --db-driver <driver> The fully qualified class name of the JDBC driver. If not set, a default
                        driver is set accordingly to the chosen database.
 --db-password <password>
@@ -41,10 +45,29 @@ Database:
 --db-username <username>
                      The username of the database user.
 
-Vault:
+Transaction:
 
---vault-dir <dir>    If set, secrets can be obtained by reading the content of files within the
+--transaction-xa-enabled <true|false>
-                       given directory.
+                     If set to false, Keycloak uses a non-XA datasource in case the database does
+                       not support XA transactions. Default: true.
+
+Feature:
+
+--features <feature> Enables a set of one or more features. Possible values are: account-api,
+                       account2, account3, admin-api, admin-fine-grained-authz, admin2,
+                       authorization, ciba, client-policies, client-secret-rotation,
+                       declarative-user-profile, docker, dynamic-scopes, fips, impersonation,
+                       js-adapter, kerberos, map-storage, openshift-integration, par, preview,
+                       recovery-codes, scripts, step-up-authentication, token-exchange,
+                       update-email, web-authn.
+--features-disabled <feature>
+                     Disables a set of one or more features. Possible values are: account-api,
+                       account2, account3, admin-api, admin-fine-grained-authz, admin2,
+                       authorization, ciba, client-policies, client-secret-rotation,
+                       declarative-user-profile, docker, dynamic-scopes, fips, impersonation,
+                       js-adapter, kerberos, map-storage, openshift-integration, par, preview,
+                       recovery-codes, scripts, step-up-authentication, token-exchange,
+                       update-email, web-authn.
 
 Logging:
 

quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testImportHelpAll.unix.approved.txt

@@ -10,9 +10,52 @@ Options:
 
 -h, --help           This help message.
 --help-all           This same help message but with additional options.
+--optimized          Use this option to achieve an optimal startup time if you have previously
+                       built a server image using the 'build' command.
 
 Storage (Experimental):
 
+--storage <type>     Experimental: Sets the default storage mechanism for all areas. Possible
+                       values are: jpa, chm, hotrod, file.
+--storage-area-auth-session <type>
+                     Experimental: Sets a storage mechanism for authentication sessions. Possible
+                       values are: jpa, chm, hotrod, file.
+--storage-area-authorization <type>
+                     Experimental: Sets a storage mechanism for authorizations. Possible values
+                       are: jpa, chm, hotrod, file.
+--storage-area-client <type>
+                     Experimental: Sets a storage mechanism for clients. Possible values are: jpa,
+                       chm, hotrod, file.
+--storage-area-client-scope <type>
+                     Experimental: Sets a storage mechanism for client scopes. Possible values are:
+                       jpa, chm, hotrod, file.
+--storage-area-event-admin <type>
+                     Experimental: Sets a storage mechanism for admin events. Possible values are:
+                       jpa, chm, hotrod, file.
+--storage-area-event-auth <type>
+                     Experimental: Sets a storage mechanism for authentication and authorization
+                       events. Possible values are: jpa, chm, hotrod, file.
+--storage-area-group <type>
+                     Experimental: Sets a storage mechanism for groups. Possible values are: jpa,
+                       chm, hotrod, file.
+--storage-area-login-failure <type>
+                     Experimental: Sets a storage mechanism for login failures. Possible values
+                       are: jpa, chm, hotrod, file.
+--storage-area-realm <type>
+                     Experimental: Sets a storage mechanism for realms. Possible values are: jpa,
+                       chm, hotrod, file.
+--storage-area-role <type>
+                     Experimental: Sets a storage mechanism for roles. Possible values are: jpa,
+                       chm, hotrod, file.
+--storage-area-single-use-object <type>
+                     Experimental: Sets a storage mechanism for single use objects. Possible values
+                       are: jpa, chm, hotrod.
+--storage-area-user <type>
+                     Experimental: Sets a storage mechanism for users. Possible values are: jpa,
+                       chm, hotrod, file.
+--storage-area-user-session <type>
+                     Experimental: Sets a storage mechanism for user and client sessions. Possible
+                       values are: jpa, chm, hotrod, file.
 --storage-deployment-state-version-seed <type>
                      Experimental: Secret that serves as a seed to mask the version number of
                        Keycloak in URLs. Need to be identical across all servers in the cluster.
@@ -29,9 +72,14 @@ Storage (Experimental):
                      Experimental: Sets the port of the Infinispan server.
 --storage-hotrod-username <username>
                      Experimental: Sets the username of the Infinispan user.
+--storage-jpa-db <type>
+                     Experimental: The database vendor for jpa map storage. Possible values are:
+                       postgres, cockroach. Default: postgres.
 
 Database:
 
+--db <vendor>        The database vendor. Possible values are: dev-file, dev-mem, mariadb, mssql,
+                       mysql, oracle, postgres. Default: dev-file.
 --db-driver <driver> The fully qualified class name of the JDBC driver. If not set, a default
                        driver is set accordingly to the chosen database.
 --db-password <password>
@@ -60,10 +108,29 @@ Database:
 --db-username <username>
                      The username of the database user.
 
-Vault:
+Transaction:
 
---vault-dir <dir>    If set, secrets can be obtained by reading the content of files within the
+--transaction-xa-enabled <true|false>
-                       given directory.
+                     If set to false, Keycloak uses a non-XA datasource in case the database does
+                       not support XA transactions. Default: true.
+
+Feature:
+
+--features <feature> Enables a set of one or more features. Possible values are: account-api,
+                       account2, account3, admin-api, admin-fine-grained-authz, admin2,
+                       authorization, ciba, client-policies, client-secret-rotation,
+                       declarative-user-profile, docker, dynamic-scopes, fips, impersonation,
+                       js-adapter, kerberos, map-storage, openshift-integration, par, preview,
+                       recovery-codes, scripts, step-up-authentication, token-exchange,
+                       update-email, web-authn.
+--features-disabled <feature>
+                     Disables a set of one or more features. Possible values are: account-api,
+                       account2, account3, admin-api, admin-fine-grained-authz, admin2,
+                       authorization, ciba, client-policies, client-secret-rotation,
+                       declarative-user-profile, docker, dynamic-scopes, fips, impersonation,
+                       js-adapter, kerberos, map-storage, openshift-integration, par, preview,
+                       recovery-codes, scripts, step-up-authentication, token-exchange,
+                       update-email, web-authn.
 
 Logging:
 

quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.unix.approved.txt

@@ -17,7 +17,7 @@ Options:
 --help-all           This same help message but with additional options.
 --import-realm       Import realms during startup by reading any realm configuration file from the
                        'data/import' directory.
---optimized          Use this option to achieve an optional startup time if you have previously
+--optimized          Use this option to achieve an optimal startup time if you have previously
                        built a server image using the 'build' command.
 
 Cache:

quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.windows.approved.txt

@@ -17,7 +17,7 @@ Options:
 --help-all           This same help message but with additional options.
 --import-realm       Import realms during startup by reading any realm configuration file from the
                        'data/import' directory.
---optimized          Use this option to achieve an optional startup time if you have previously
+--optimized          Use this option to achieve an optimal startup time if you have previously
                        built a server image using the 'build' command.
 
 Cache:

quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.unix.approved.txt

@@ -17,7 +17,7 @@ Options:
 --help-all           This same help message but with additional options.
 --import-realm       Import realms during startup by reading any realm configuration file from the
                        'data/import' directory.
---optimized          Use this option to achieve an optional startup time if you have previously
+--optimized          Use this option to achieve an optimal startup time if you have previously
                        built a server image using the 'build' command.
 
 Cache:

quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.windows.approved.txt

@@ -17,7 +17,7 @@ Options:
 --help-all           This same help message but with additional options.
 --import-realm       Import realms during startup by reading any realm configuration file from the
                        'data/import' directory.
---optimized          Use this option to achieve an optional startup time if you have previously
+--optimized          Use this option to achieve an optimal startup time if you have previously
                        built a server image using the 'build' command.
 
 Cache:

quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelp.unix.approved.txt

@@ -17,7 +17,7 @@ Options:
 --help-all           This same help message but with additional options.
 --import-realm       Import realms during startup by reading any realm configuration file from the
                        'data/import' directory.
---optimized          Use this option to achieve an optional startup time if you have previously
+--optimized          Use this option to achieve an optimal startup time if you have previously
                        built a server image using the 'build' command.
 
 Database:

quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelp.windows.approved.txt

@@ -17,7 +17,7 @@ Options:
 --help-all           This same help message but with additional options.
 --import-realm       Import realms during startup by reading any realm configuration file from the
                        'data/import' directory.
---optimized          Use this option to achieve an optional startup time if you have previously
+--optimized          Use this option to achieve an optimal startup time if you have previously
                        built a server image using the 'build' command.
 
 Database:

quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelpAll.unix.approved.txt

@@ -17,7 +17,7 @@ Options:
 --help-all           This same help message but with additional options.
 --import-realm       Import realms during startup by reading any realm configuration file from the
                        'data/import' directory.
---optimized          Use this option to achieve an optional startup time if you have previously
+--optimized          Use this option to achieve an optimal startup time if you have previously
                        built a server image using the 'build' command.
 
 Storage (Experimental):

quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelpAll.windows.approved.txt

@@ -17,7 +17,7 @@ Options:
 --help-all           This same help message but with additional options.
 --import-realm       Import realms during startup by reading any realm configuration file from the
                        'data/import' directory.
---optimized          Use this option to achieve an optional startup time if you have previously
+--optimized          Use this option to achieve an optimal startup time if you have previously
                        built a server image using the 'build' command.
 
 Storage (Experimental):