Vault Guide v1 (#9772)
* Vault Guide v1 Containing only Kubernetes / OpenShift secrets via file based vault for now Closes #9462 * Apply suggestions from code review Co-authored-by: Andrea Peruffo <andrea.peruffo1982@gmail.com> Co-authored-by: Andrea Peruffo <andrea.peruffo1982@gmail.com>
This commit is contained in:
Dominik Guhr
GitHub
parent
47ad9a29eb
commit
6395e89cfc
1 changed files with 59 additions and 0 deletions
59
docs/guides/src/main/server/vault.adoc
Normal file
59
docs/guides/src/main/server/vault.adoc
Normal file
|
|
@ -0,0 +1,59 @@
|
|||
<#import "/templates/guide.adoc" as tmpl>
|
||||
<#import "/templates/kc.adoc" as kc>
|
||||
|
||||
<@tmpl.guide
|
||||
title="Using Kubernetes Secrets"
|
||||
summary="Learn how to use Kubernetes / OpenShift secrets in Keycloak"
|
||||
priority=30
|
||||
includedOptions="vault vault-*">
|
||||
|
||||
Keycloak supports a file based vault implementation for Kubernetes / OpenShift secrets. Mount Kubernetes secrets into the Keycloak Container, and the data fields will be available in the mounted folder with a flat-file structure.
|
||||
|
||||
== Available integrations
|
||||
You can use Kubernetes / OpenShift secrets for the following use-cases:
|
||||
|
||||
* Obtain the SMTP Mail server Password
|
||||
* Obtain the LDAP Bind Credential when using LDAP-based User Federation
|
||||
* Obtain the OIDC identity providers Client Secret when integrating external identity providers
|
||||
|
||||
== Enabling the vault
|
||||
Enable the file based vault by building Keycloak using the following build option:
|
||||
|
||||
<@kc.build parameters="--vault=file"/>
|
||||
|
||||
== Setting the base directory to lookup secrets
|
||||
Kubernetes / OpenShift secrets are basically mounted files, so you have to configure a directory for these files to be mounted in:
|
||||
|
||||
<@kc.start parameters="--vault-dir=/my/path"/>
|
||||
|
||||
== Realm-specific secret files
|
||||
Kubernetes / OpenShift Secrets are used per-realm basis in Keycloak, so there's a naming convention for the file in place:
|
||||
[source, bash]
|
||||
----
|
||||
${r"${vault.<realmname>_<secretname>}"}
|
||||
----
|
||||
|
||||
=== Using underscores in the Name
|
||||
In order to process the secret correctly, it is needed to double all underscores in the <realmname> or the <secretname>, separated by a single underscore.
|
||||
|
||||
.Example
|
||||
* Realm Name: `sso_realm`
|
||||
* Desired Name: `ldap_credential`
|
||||
* Resulting file Name:
|
||||
[source, bash]
|
||||
----
|
||||
sso__realm_ldap__credential
|
||||
----
|
||||
Note the doubled underscores between __sso__ and __realm__ and also between __ldap__ and __credential__.
|
||||
|
||||
== Example: Use an LDAP bind credential secret in the admin console
|
||||
|
||||
.Example setup
|
||||
* A realm named `secrettest`
|
||||
* A desired Name `ldapBc` for the bind Credential
|
||||
* Resulting file name: `secrettest_ldapBc`
|
||||
|
||||
.Usage in admin console
|
||||
You can then use this secret from the admin console by using `${r"${vault.ldapBc}"}` as value for the `Bind Credential` when configuring your LDAP User federation.
|
||||
|
||||
</@tmpl.guide>
|
||||
Loading…
Reference in a new issue