Management Interface is turned on even though nothing is exposed on it (#31938)

* Management Interface is turned on even though nothing is exposed on it

Fixes #31818

Signed-off-by: Martin Bartoš <mabartos@redhat.com>

* Remove conditional enablement, add relevancy description

Signed-off-by: Martin Bartoš <mabartos@redhat.com>

---------

Signed-off-by: Martin Bartoš <mabartos@redhat.com>
Martin Bartoš 2024-08-19 14:52:59 +01:00 committed by GitHub
parent fa7c2b5da6
commit bf5cf47351
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
20 changed files with 321 additions and 189 deletions


@ -13,7 +13,8 @@ The most significant advantage might be seen in Kubernetes environments as the s
== Management interface configuration == Management interface configuration
The management interface is turned on by default, so management endpoints such as `/metrics`, and `/health` are exposed on the default management port `9000`. The management interface is turned on when something is exposed on it.
Management endpoints such as `/metrics` and `/health` are exposed on the default management port `9000` when metrics and health are enabled.
The management interface provides a set of options and is fully configurable. The management interface provides a set of options and is fully configurable.
In order to change the port for the management interface, you can use the {project_name} option `http-management-port`. In order to change the port for the management interface, you can use the {project_name} option `http-management-port`.


@ -24,6 +24,13 @@ import java.util.List;
*/ */
public class ManagementOptions { public class ManagementOptions {
public static final Option<Boolean> HTTP_MANAGEMENT_ENABLED = new OptionBuilder<>("http-management-enabled", Boolean.class)
.category(OptionCategory.MANAGEMENT)
.description("Placeholder for resolving state of the management interface. If set, the value is ignored.")
.buildTime(true)
.hidden()
.build();
public static final Option<Boolean> LEGACY_OBSERVABILITY_INTERFACE = new OptionBuilder<>("legacy-observability-interface", Boolean.class) public static final Option<Boolean> LEGACY_OBSERVABILITY_INTERFACE = new OptionBuilder<>("legacy-observability-interface", Boolean.class)
.category(OptionCategory.MANAGEMENT) .category(OptionCategory.MANAGEMENT)
.deprecated() .deprecated()
@ -32,30 +39,32 @@ public class ManagementOptions {
.buildTime(true) .buildTime(true)
.build(); .build();
static String RELEVANT_MSG = "Relevant only when something is exposed on the management interface - see the guide for details.";
public static final Option<String> HTTP_MANAGEMENT_RELATIVE_PATH = new OptionBuilder<>("http-management-relative-path", String.class) public static final Option<String> HTTP_MANAGEMENT_RELATIVE_PATH = new OptionBuilder<>("http-management-relative-path", String.class)
.category(OptionCategory.MANAGEMENT) .category(OptionCategory.MANAGEMENT)
.description("Set the path relative to '/' for serving resources from management interface. The path must start with a '/'. If not given, the value is inherited from HTTP options.") .description("Set the path relative to '/' for serving resources from management interface. The path must start with a '/'. If not given, the value is inherited from HTTP options. " + RELEVANT_MSG)
.defaultValue("/") .defaultValue("/")
.buildTime(true) .buildTime(true)
.build(); .build();
public static final Option<Integer> HTTP_MANAGEMENT_PORT = new OptionBuilder<>("http-management-port", Integer.class) public static final Option<Integer> HTTP_MANAGEMENT_PORT = new OptionBuilder<>("http-management-port", Integer.class)
.category(OptionCategory.MANAGEMENT) .category(OptionCategory.MANAGEMENT)
.description("Port of the management interface.") .description("Port of the management interface. " + RELEVANT_MSG)
.defaultValue(9000) .defaultValue(9000)
.build(); .build();
public static final Option<String> HTTP_MANAGEMENT_HOST = new OptionBuilder<>("http-management-host", String.class) public static final Option<String> HTTP_MANAGEMENT_HOST = new OptionBuilder<>("http-management-host", String.class)
.hidden() .hidden()
.category(OptionCategory.MANAGEMENT) .category(OptionCategory.MANAGEMENT)
.description("Host of the management interface. If not given, the value is inherited from HTTP options.") .description("Host of the management interface. If not given, the value is inherited from HTTP options. " + RELEVANT_MSG)
.defaultValue("0.0.0.0") .defaultValue("0.0.0.0")
.build(); .build();
//HTTPS //HTTPS
public static final Option<HttpOptions.ClientAuth> HTTPS_MANAGEMENT_CLIENT_AUTH = new OptionBuilder<>("https-management-client-auth", HttpOptions.ClientAuth.class) public static final Option<HttpOptions.ClientAuth> HTTPS_MANAGEMENT_CLIENT_AUTH = new OptionBuilder<>("https-management-client-auth", HttpOptions.ClientAuth.class)
.category(OptionCategory.MANAGEMENT) .category(OptionCategory.MANAGEMENT)
.description("Configures the management interface to require/request client authentication. If not given, the value is inherited from HTTP options.") .description("Configures the management interface to require/request client authentication. If not given, the value is inherited from HTTP options. " + RELEVANT_MSG)
.defaultValue(HttpOptions.ClientAuth.none) .defaultValue(HttpOptions.ClientAuth.none)
.buildTime(true) .buildTime(true)
.build(); .build();
@ -63,42 +72,42 @@ public class ManagementOptions {
public static final Option<String> HTTPS_MANAGEMENT_CIPHER_SUITES = new OptionBuilder<>("https-management-cipher-suites", String.class) public static final Option<String> HTTPS_MANAGEMENT_CIPHER_SUITES = new OptionBuilder<>("https-management-cipher-suites", String.class)
.hidden() .hidden()
.category(OptionCategory.MANAGEMENT) .category(OptionCategory.MANAGEMENT)
.description("The cipher suites to use for the management server. If not given, the value is inherited from HTTP options.") .description("The cipher suites to use for the management server. If not given, the value is inherited from HTTP options. " + RELEVANT_MSG)
.hidden() .hidden()
.build(); .build();
public static final Option<List<String>> HTTPS_MANAGEMENT_PROTOCOLS = OptionBuilder.listOptionBuilder("https-management-protocols", String.class) public static final Option<List<String>> HTTPS_MANAGEMENT_PROTOCOLS = OptionBuilder.listOptionBuilder("https-management-protocols", String.class)
.hidden() .hidden()
.category(OptionCategory.MANAGEMENT) .category(OptionCategory.MANAGEMENT)
.description("The list of protocols to explicitly enable for the management server. If not given, the value is inherited from HTTP options.") .description("The list of protocols to explicitly enable for the management server. If not given, the value is inherited from HTTP options. " + RELEVANT_MSG)
.defaultValue(List.of("TLSv1.3,TLSv1.2")) .defaultValue(List.of("TLSv1.3,TLSv1.2"))
.hidden() .hidden()
.build(); .build();
public static final Option<File> HTTPS_MANAGEMENT_CERTIFICATE_FILE = new OptionBuilder<>("https-management-certificate-file", File.class) public static final Option<File> HTTPS_MANAGEMENT_CERTIFICATE_FILE = new OptionBuilder<>("https-management-certificate-file", File.class)
.category(OptionCategory.MANAGEMENT) .category(OptionCategory.MANAGEMENT)
.description("The file path to a server certificate or certificate chain in PEM format for the management server. If not given, the value is inherited from HTTP options.") .description("The file path to a server certificate or certificate chain in PEM format for the management server. If not given, the value is inherited from HTTP options. " + RELEVANT_MSG)
.build(); .build();
public static final Option<File> HTTPS_MANAGEMENT_CERTIFICATE_KEY_FILE = new OptionBuilder<>("https-management-certificate-key-file", File.class) public static final Option<File> HTTPS_MANAGEMENT_CERTIFICATE_KEY_FILE = new OptionBuilder<>("https-management-certificate-key-file", File.class)
.category(OptionCategory.MANAGEMENT) .category(OptionCategory.MANAGEMENT)
.description("The file path to a private key in PEM format for the management server. If not given, the value is inherited from HTTP options.") .description("The file path to a private key in PEM format for the management server. If not given, the value is inherited from HTTP options. " + RELEVANT_MSG)
.build(); .build();
public static final Option<File> HTTPS_MANAGEMENT_KEY_STORE_FILE = new OptionBuilder<>("https-management-key-store-file", File.class) public static final Option<File> HTTPS_MANAGEMENT_KEY_STORE_FILE = new OptionBuilder<>("https-management-key-store-file", File.class)
.category(OptionCategory.MANAGEMENT) .category(OptionCategory.MANAGEMENT)
.description("The key store which holds the certificate information instead of specifying separate files for the management server. If not given, the value is inherited from HTTP options.") .description("The key store which holds the certificate information instead of specifying separate files for the management server. If not given, the value is inherited from HTTP options. " + RELEVANT_MSG)
.build(); .build();
public static final Option<String> HTTPS_MANAGEMENT_KEY_STORE_PASSWORD = new OptionBuilder<>("https-management-key-store-password", String.class) public static final Option<String> HTTPS_MANAGEMENT_KEY_STORE_PASSWORD = new OptionBuilder<>("https-management-key-store-password", String.class)
.category(OptionCategory.MANAGEMENT) .category(OptionCategory.MANAGEMENT)
.description("The password of the key store file for the management server. If not given, the value is inherited from HTTP options.") .description("The password of the key store file for the management server. If not given, the value is inherited from HTTP options. " + RELEVANT_MSG)
.defaultValue("password") .defaultValue("password")
.build(); .build();
public static final Option<String> HTTPS_MANAGEMENT_KEY_STORE_TYPE = new OptionBuilder<>("https-management-key-store-type", String.class) public static final Option<String> HTTPS_MANAGEMENT_KEY_STORE_TYPE = new OptionBuilder<>("https-management-key-store-type", String.class)
.hidden() .hidden()
.category(OptionCategory.MANAGEMENT) .category(OptionCategory.MANAGEMENT)
.description("The type of the key store file for the management server. If not given, the value is inherited from HTTP options.") .description("The type of the key store file for the management server. If not given, the value is inherited from HTTP options. " + RELEVANT_MSG)
.build(); .build();
} }
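Review bot: `RELEVANT_MSG` is declared as `static String`, so it is package-visible and reassignable, while every other member shown in `ManagementOptions` is a `public static final` constant. It is concatenated into the option descriptions, so declare it `static final String RELEVANT_MSG = ...;`, and make it `private` if no other class in the package reads it, which this page does not show. A one-line comment on `HTTP_MANAGEMENT_ENABLED` stating that its value is computed from the health and metrics options and that user input is discarded would also help, because the option is `hidden()` and its description never reaches the help output.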


@ -16,90 +16,82 @@
*/ */
package org.keycloak.quarkus.runtime.configuration.mappers; package org.keycloak.quarkus.runtime.configuration.mappers;
import io.smallrye.config.ConfigSourceInterceptorContext; import org.keycloak.config.HealthOptions;
import org.keycloak.config.HttpOptions; import org.keycloak.config.HttpOptions;
import org.keycloak.config.ManagementOptions; import org.keycloak.config.ManagementOptions;
import org.keycloak.config.MetricsOptions;
import org.keycloak.quarkus.runtime.Messages; import org.keycloak.quarkus.runtime.Messages;
import org.keycloak.quarkus.runtime.cli.PropertyException; import org.keycloak.quarkus.runtime.cli.PropertyException;
import org.keycloak.quarkus.runtime.configuration.Configuration; import org.keycloak.quarkus.runtime.configuration.Configuration;
import java.util.Optional; import java.util.Optional;
import static org.keycloak.config.ManagementOptions.LEGACY_OBSERVABILITY_INTERFACE;
import static org.keycloak.quarkus.runtime.configuration.Configuration.isTrue; import static org.keycloak.quarkus.runtime.configuration.Configuration.isTrue;
import static org.keycloak.quarkus.runtime.configuration.mappers.PropertyMapper.fromOption; import static org.keycloak.quarkus.runtime.configuration.mappers.PropertyMapper.fromOption;
public class ManagementPropertyMappers { public class ManagementPropertyMappers {
private static final String MANAGEMENT_ENABLED_MSG = "Management interface is enabled";
private ManagementPropertyMappers() { private ManagementPropertyMappers() {
} }
public static PropertyMapper<?>[] getManagementPropertyMappers() { public static PropertyMapper<?>[] getManagementPropertyMappers() {
return new PropertyMapper[]{ return new PropertyMapper[]{
fromOption(ManagementOptions.HTTP_MANAGEMENT_ENABLED)
.to("quarkus.management.enabled")
.transformer((val, ctx) -> managementEnabledTransformer())
.build(),
fromOption(ManagementOptions.LEGACY_OBSERVABILITY_INTERFACE) fromOption(ManagementOptions.LEGACY_OBSERVABILITY_INTERFACE)
.to("quarkus.management.enabled") // ATM, the management interface state is only based on the legacy-observability-interface property
.paramLabel(Boolean.TRUE + "|" + Boolean.FALSE)
.transformer(ManagementPropertyMappers::managementEnabledTransformer)
.build(), .build(),
fromOption(ManagementOptions.HTTP_MANAGEMENT_RELATIVE_PATH) fromOption(ManagementOptions.HTTP_MANAGEMENT_RELATIVE_PATH)
.isEnabled(ManagementPropertyMappers::isManagementEnabled, MANAGEMENT_ENABLED_MSG)
.mapFrom(HttpOptions.HTTP_RELATIVE_PATH.getKey()) .mapFrom(HttpOptions.HTTP_RELATIVE_PATH.getKey())
.to("quarkus.management.root-path") .to("quarkus.management.root-path")
.paramLabel("path") .paramLabel("path")
.build(), .build(),
fromOption(ManagementOptions.HTTP_MANAGEMENT_PORT) fromOption(ManagementOptions.HTTP_MANAGEMENT_PORT)
.isEnabled(ManagementPropertyMappers::isManagementEnabled, MANAGEMENT_ENABLED_MSG)
.to("quarkus.management.port") .to("quarkus.management.port")
.paramLabel("port") .paramLabel("port")
.build(), .build(),
fromOption(ManagementOptions.HTTP_MANAGEMENT_HOST) fromOption(ManagementOptions.HTTP_MANAGEMENT_HOST)
.isEnabled(ManagementPropertyMappers::isManagementEnabled, MANAGEMENT_ENABLED_MSG)
.mapFrom(HttpOptions.HTTP_HOST.getKey()) .mapFrom(HttpOptions.HTTP_HOST.getKey())
.to("quarkus.management.host") .to("quarkus.management.host")
.paramLabel("host") .paramLabel("host")
.build(), .build(),
// HTTPS // HTTPS
fromOption(ManagementOptions.HTTPS_MANAGEMENT_CLIENT_AUTH) fromOption(ManagementOptions.HTTPS_MANAGEMENT_CLIENT_AUTH)
.isEnabled(ManagementPropertyMappers::isManagementEnabled, MANAGEMENT_ENABLED_MSG)
.mapFrom(HttpOptions.HTTPS_CLIENT_AUTH.getKey()) .mapFrom(HttpOptions.HTTPS_CLIENT_AUTH.getKey())
.to("quarkus.management.ssl.client-auth") .to("quarkus.management.ssl.client-auth")
.paramLabel("auth") .paramLabel("auth")
.build(), .build(),
fromOption(ManagementOptions.HTTPS_MANAGEMENT_CIPHER_SUITES) fromOption(ManagementOptions.HTTPS_MANAGEMENT_CIPHER_SUITES)
.isEnabled(ManagementPropertyMappers::isManagementEnabled, MANAGEMENT_ENABLED_MSG)
.mapFrom(HttpOptions.HTTPS_CIPHER_SUITES.getKey()) .mapFrom(HttpOptions.HTTPS_CIPHER_SUITES.getKey())
.to("quarkus.management.ssl.cipher-suites") .to("quarkus.management.ssl.cipher-suites")
.paramLabel("ciphers") .paramLabel("ciphers")
.build(), .build(),
fromOption(ManagementOptions.HTTPS_MANAGEMENT_PROTOCOLS) fromOption(ManagementOptions.HTTPS_MANAGEMENT_PROTOCOLS)
.isEnabled(ManagementPropertyMappers::isManagementEnabled, MANAGEMENT_ENABLED_MSG)
.mapFrom(HttpOptions.HTTPS_PROTOCOLS.getKey()) .mapFrom(HttpOptions.HTTPS_PROTOCOLS.getKey())
.to("quarkus.management.ssl.protocols") .to("quarkus.management.ssl.protocols")
.paramLabel("protocols") .paramLabel("protocols")
.build(), .build(),
fromOption(ManagementOptions.HTTPS_MANAGEMENT_CERTIFICATE_FILE) fromOption(ManagementOptions.HTTPS_MANAGEMENT_CERTIFICATE_FILE)
.isEnabled(ManagementPropertyMappers::isManagementEnabled, MANAGEMENT_ENABLED_MSG)
.mapFrom(HttpOptions.HTTPS_CERTIFICATE_FILE.getKey()) .mapFrom(HttpOptions.HTTPS_CERTIFICATE_FILE.getKey())
.to("quarkus.management.ssl.certificate.files") .to("quarkus.management.ssl.certificate.files")
.validator((mapper, value) -> validateTlsProperties()) .validator((mapper, value) -> validateTlsProperties())
.paramLabel("file") .paramLabel("file")
.build(), .build(),
fromOption(ManagementOptions.HTTPS_MANAGEMENT_CERTIFICATE_KEY_FILE) fromOption(ManagementOptions.HTTPS_MANAGEMENT_CERTIFICATE_KEY_FILE)
.isEnabled(ManagementPropertyMappers::isManagementEnabled, MANAGEMENT_ENABLED_MSG)
.mapFrom(HttpOptions.HTTPS_CERTIFICATE_KEY_FILE.getKey()) .mapFrom(HttpOptions.HTTPS_CERTIFICATE_KEY_FILE.getKey())
.to("quarkus.management.ssl.certificate.key-files") .to("quarkus.management.ssl.certificate.key-files")
.validator((mapper, value) -> validateTlsProperties()) .validator((mapper, value) -> validateTlsProperties())
.paramLabel("file") .paramLabel("file")
.build(), .build(),
fromOption(ManagementOptions.HTTPS_MANAGEMENT_KEY_STORE_FILE) fromOption(ManagementOptions.HTTPS_MANAGEMENT_KEY_STORE_FILE)
.isEnabled(ManagementPropertyMappers::isManagementEnabled, MANAGEMENT_ENABLED_MSG)
.mapFrom(HttpOptions.HTTPS_KEY_STORE_FILE.getKey()) .mapFrom(HttpOptions.HTTPS_KEY_STORE_FILE.getKey())
.to("quarkus.management.ssl.certificate.key-store-file") .to("quarkus.management.ssl.certificate.key-store-file")
.validator((mapper, value) -> validateTlsProperties()) .validator((mapper, value) -> validateTlsProperties())
.paramLabel("file") .paramLabel("file")
.build(), .build(),
fromOption(ManagementOptions.HTTPS_MANAGEMENT_KEY_STORE_PASSWORD) fromOption(ManagementOptions.HTTPS_MANAGEMENT_KEY_STORE_PASSWORD)
.isEnabled(ManagementPropertyMappers::isManagementEnabled, MANAGEMENT_ENABLED_MSG)
.mapFrom(HttpOptions.HTTPS_KEY_STORE_PASSWORD.getKey()) .mapFrom(HttpOptions.HTTPS_KEY_STORE_PASSWORD.getKey())
.to("quarkus.management.ssl.certificate.key-store-password") .to("quarkus.management.ssl.certificate.key-store-password")
.validator((mapper, value) -> validateTlsProperties()) .validator((mapper, value) -> validateTlsProperties())
@ -107,7 +99,6 @@ public class ManagementPropertyMappers {
.isMasked(true) .isMasked(true)
.build(), .build(),
fromOption(ManagementOptions.HTTPS_MANAGEMENT_KEY_STORE_TYPE) fromOption(ManagementOptions.HTTPS_MANAGEMENT_KEY_STORE_TYPE)
.isEnabled(ManagementPropertyMappers::isManagementEnabled, MANAGEMENT_ENABLED_MSG)
.mapFrom(HttpOptions.HTTPS_KEY_STORE_TYPE.getKey()) .mapFrom(HttpOptions.HTTPS_KEY_STORE_TYPE.getKey())
.to("quarkus.management.ssl.certificate.key-store-file-type") .to("quarkus.management.ssl.certificate.key-store-file-type")
.transformer((value, config) -> value.or(() -> Configuration.getOptionalKcValue(HttpOptions.HTTPS_KEY_STORE_TYPE.getKey()))) .transformer((value, config) -> value.or(() -> Configuration.getOptionalKcValue(HttpOptions.HTTPS_KEY_STORE_TYPE.getKey())))
@ -117,7 +108,15 @@ public class ManagementPropertyMappers {
} }
public static boolean isManagementEnabled() { public static boolean isManagementEnabled() {
return isTrue("quarkus.management.enabled"); if (isTrue(LEGACY_OBSERVABILITY_INTERFACE)) {
return false;
}
var isManagementOccupied = isTrue(HealthOptions.HEALTH_ENABLED) || isTrue(MetricsOptions.METRICS_ENABLED);
return isManagementOccupied;
}
private static Optional<String> managementEnabledTransformer() {
return Optional.of(Boolean.toString(isManagementEnabled()));
} }
public static boolean isManagementTlsEnabled() { public static boolean isManagementTlsEnabled() {
@ -135,12 +134,4 @@ public class ManagementPropertyMappers {
throw new PropertyException(Messages.httpsConfigurationNotSet()); throw new PropertyException(Messages.httpsConfigurationNotSet());
} }
} }
private static Optional<String> managementEnabledTransformer(Optional<String> value, ConfigSourceInterceptorContext ctx) {
if (value.isPresent()) {
var b = Boolean.parseBoolean(value.get());
return Optional.of(Boolean.toString(!b)); // negate the output
}
return Optional.of(Boolean.TRUE.toString());
}
} }
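Review bot: `isManagementEnabled()` now decides whether the management listener opens at all, yet it has no documentation and the set of features that count as exposed is hard-coded to health and metrics. Add a Javadoc such as `/** True only when legacy-observability-interface is off and health or metrics is enabled; extend this when another endpoint is served on the management interface. */` so a later feature does not end up configured but unreachable. The local `isManagementOccupied` can be dropped in favour of `return isTrue(HealthOptions.HEALTH_ENABLED) || isTrue(MetricsOptions.METRICS_ENABLED);`. The `isEnabled(...)` gates on the other mappers appear to be removed, so `https-management-*` values such as client auth are accepted while the interface is off; the guide should say they have no effect in that state.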


@ -36,12 +36,43 @@ public class ManagementConfigurationTest extends AbstractConfigurationTest {
"http-management-host", "0.0.0.0" "http-management-host", "0.0.0.0"
)); ));
assertManagementEnabled(true); assertManagementEnabled(false);
assertManagementHttpsEnabled(false); }
@Test
public void healthOccupied() {
assertOccupied("KC_HEALTH_ENABLED");
}
@Test
public void metricsOccupied() {
assertOccupied("KC_METRICS_ENABLED");
}
@Test
public void healthMetricsOccupied() {
assertOccupied("KC_HEALTH_ENABLED", "KC_METRICS_ENABLED");
}
@Test
public void immutableManagementEnabledProperty() {
initConfig();
assertConfig("http-management-enabled", "false");
putEnvVar("KC_MANAGEMENT_ENABLED", "true");
initConfig();
assertConfig("http-management-enabled", "false");
putEnvVar("KC_MANAGEMENT_ENABLED", "something-wrong");
initConfig();
assertConfig("http-management-enabled", "false");
} }
@Test @Test
public void managementBasicChanges() { public void managementBasicChanges() {
makeInterfaceOccupied();
putEnvVars(Map.of( putEnvVars(Map.of(
"KC_HTTP_MANAGEMENT_PORT", "9999", "KC_HTTP_MANAGEMENT_PORT", "9999",
"KC_HTTP_MANAGEMENT_RELATIVE_PATH", "/management2", "KC_HTTP_MANAGEMENT_RELATIVE_PATH", "/management2",
@ -61,6 +92,7 @@ public class ManagementConfigurationTest extends AbstractConfigurationTest {
@Test @Test
public void managementRelativePath() { public void managementRelativePath() {
makeInterfaceOccupied();
putEnvVar("KC_HTTP_RELATIVE_PATH", "/management3"); putEnvVar("KC_HTTP_RELATIVE_PATH", "/management3");
initConfig(); initConfig();
@ -74,6 +106,7 @@ public class ManagementConfigurationTest extends AbstractConfigurationTest {
@Test @Test
public void managementHttpsValues() { public void managementHttpsValues() {
makeInterfaceOccupied();
putEnvVars(Map.of( putEnvVars(Map.of(
"KC_HTTP_MANAGEMENT_HOST", "host1", "KC_HTTP_MANAGEMENT_HOST", "host1",
"KC_HTTPS_MANAGEMENT_CLIENT_AUTH", "requested", "KC_HTTPS_MANAGEMENT_CLIENT_AUTH", "requested",
@ -105,6 +138,7 @@ public class ManagementConfigurationTest extends AbstractConfigurationTest {
@Test @Test
public void managementMappedValues() { public void managementMappedValues() {
makeInterfaceOccupied();
putEnvVars(Map.of( putEnvVars(Map.of(
"KC_HTTP_HOST", "host123", "KC_HTTP_HOST", "host123",
"KC_HTTPS_CLIENT_AUTH", "required", "KC_HTTPS_CLIENT_AUTH", "required",
@ -136,6 +170,7 @@ public class ManagementConfigurationTest extends AbstractConfigurationTest {
@Test @Test
public void managementDefaultHttps() { public void managementDefaultHttps() {
makeInterfaceOccupied();
putEnvVars(Map.of( putEnvVars(Map.of(
"KC_HTTPS_CERTIFICATE_FILE", "/some/path/srv.crt.pem", "KC_HTTPS_CERTIFICATE_FILE", "/some/path/srv.crt.pem",
"KC_HTTPS_CERTIFICATE_KEY_FILE", "/some/path/srv.key.pem" "KC_HTTPS_CERTIFICATE_KEY_FILE", "/some/path/srv.key.pem"
@ -155,6 +190,7 @@ public class ManagementConfigurationTest extends AbstractConfigurationTest {
@Test @Test
public void managementDefaultHttpsManagementProps() { public void managementDefaultHttpsManagementProps() {
makeInterfaceOccupied();
putEnvVars(Map.of( putEnvVars(Map.of(
"KC_HTTPS_MANAGEMENT_CERTIFICATE_FILE", "/some/path/srv.crt.pem", "KC_HTTPS_MANAGEMENT_CERTIFICATE_FILE", "/some/path/srv.crt.pem",
"KC_HTTPS_MANAGEMENT_CERTIFICATE_KEY_FILE", "/some/path/srv.key.pem" "KC_HTTPS_MANAGEMENT_CERTIFICATE_KEY_FILE", "/some/path/srv.key.pem"
@ -172,6 +208,7 @@ public class ManagementConfigurationTest extends AbstractConfigurationTest {
@Test @Test
public void managementDefaultHttpsCertDisabled() { public void managementDefaultHttpsCertDisabled() {
makeInterfaceOccupied();
putEnvVar("KC_HTTPS_CERTIFICATE_FILE", "/some/path/srv.crt.pem"); putEnvVar("KC_HTTPS_CERTIFICATE_FILE", "/some/path/srv.crt.pem");
initConfig(); initConfig();
@ -183,6 +220,7 @@ public class ManagementConfigurationTest extends AbstractConfigurationTest {
@Test @Test
public void managementDefaultHttpsKeyDisabled() { public void managementDefaultHttpsKeyDisabled() {
makeInterfaceOccupied();
putEnvVar("KC_HTTPS_CERTIFICATE_KEY_FILE", "/some/path/srv.key.pem"); putEnvVar("KC_HTTPS_CERTIFICATE_KEY_FILE", "/some/path/srv.key.pem");
initConfig(); initConfig();
@ -194,6 +232,7 @@ public class ManagementConfigurationTest extends AbstractConfigurationTest {
@Test @Test
public void managementEnabledDefaultHttpsKeystore(){ public void managementEnabledDefaultHttpsKeystore(){
makeInterfaceOccupied();
putEnvVar("KC_HTTPS_KEY_STORE_FILE", "keystore.p12"); putEnvVar("KC_HTTPS_KEY_STORE_FILE", "keystore.p12");
initConfig(); initConfig();
@ -208,6 +247,7 @@ public class ManagementConfigurationTest extends AbstractConfigurationTest {
@Test @Test
public void fipsKeystoreType(){ public void fipsKeystoreType(){
makeInterfaceOccupied();
putEnvVar("KC_FIPS_MODE", "strict"); putEnvVar("KC_FIPS_MODE", "strict");
initConfig(); initConfig();
@ -221,6 +261,7 @@ public class ManagementConfigurationTest extends AbstractConfigurationTest {
@Test @Test
public void keystoreType(){ public void keystoreType(){
makeInterfaceOccupied();
putEnvVars(Map.of( putEnvVars(Map.of(
"KC_HTTPS_KEY_STORE_TYPE", "pkcs12", "KC_HTTPS_KEY_STORE_TYPE", "pkcs12",
"KC_HTTPS_MANAGEMENT_KEY_STORE_TYPE", "BCFKS" "KC_HTTPS_MANAGEMENT_KEY_STORE_TYPE", "BCFKS"
@ -237,6 +278,7 @@ public class ManagementConfigurationTest extends AbstractConfigurationTest {
@Test @Test
public void legacyObservabilityInterface() { public void legacyObservabilityInterface() {
makeInterfaceOccupied();
putEnvVar("KC_LEGACY_OBSERVABILITY_INTERFACE", "true"); putEnvVar("KC_LEGACY_OBSERVABILITY_INTERFACE", "true");
initConfig(); initConfig();
@ -247,6 +289,7 @@ public class ManagementConfigurationTest extends AbstractConfigurationTest {
@Test @Test
public void legacyObservabilityInterfaceFalse() { public void legacyObservabilityInterfaceFalse() {
makeInterfaceOccupied();
putEnvVar("KC_LEGACY_OBSERVABILITY_INTERFACE", "false"); putEnvVar("KC_LEGACY_OBSERVABILITY_INTERFACE", "false");
initConfig(); initConfig();
@ -255,6 +298,10 @@ public class ManagementConfigurationTest extends AbstractConfigurationTest {
assertManagementEnabled(true); assertManagementEnabled(true);
} }
private void makeInterfaceOccupied() {
putEnvVar("KC_HEALTH_ENABLED", "true");
}
private void assertManagementEnabled(boolean expected) { private void assertManagementEnabled(boolean expected) {
assertThat("Expected value for Management interface state is different", ManagementPropertyMappers.isManagementEnabled(), is(expected)); assertThat("Expected value for Management interface state is different", ManagementPropertyMappers.isManagementEnabled(), is(expected));
} }
@ -262,4 +309,21 @@ public class ManagementConfigurationTest extends AbstractConfigurationTest {
private void assertManagementHttpsEnabled(boolean expected) { private void assertManagementHttpsEnabled(boolean expected) {
assertThat("Expected value for Management HTTPS is different", ManagementPropertyMappers.isManagementTlsEnabled(), is(expected)); assertThat("Expected value for Management HTTPS is different", ManagementPropertyMappers.isManagementTlsEnabled(), is(expected));
} }
private void assertOccupied(String... envVarChangeState) {
for (var env : envVarChangeState) {
putEnvVar(env, "true");
}
initConfig();
assertConfig(Map.of(
"http-management-port", "9000",
"http-management-relative-path", "/",
"http-management-host", "0.0.0.0"
));
assertManagementEnabled(true);
assertManagementHttpsEnabled(false);
}
} }
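Review bot: `immutableManagementEnabledProperty` sets `KC_MANAGEMENT_ENABLED`, but the option it asserts on is `http-management-enabled`, and the other tests in this file use the `KC_HTTP_MANAGEMENT_*` form (for example `KC_HTTP_MANAGEMENT_PORT`), so the variable probably does not map to the option under test. If so, the test passes without ever attempting to override the value; use `putEnvVar("KC_HTTP_MANAGEMENT_ENABLED", "true");` in both places. One more case that sets it to `false` after `makeInterfaceOccupied()` and asserts `true` would cover the direction in which an ignored value matters.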


@ -24,7 +24,9 @@ import org.keycloak.it.utils.KeycloakDistribution;
import static io.restassured.RestAssured.when; import static io.restassured.RestAssured.when;
import static org.hamcrest.CoreMatchers.equalTo; import static org.hamcrest.CoreMatchers.equalTo;
import static org.junit.jupiter.api.Assertions.assertThrows;
import java.io.IOException;
import java.util.List; import java.util.List;
import java.util.concurrent.CompletableFuture; import java.util.concurrent.CompletableFuture;
import java.util.concurrent.TimeUnit; import java.util.concurrent.TimeUnit;
@ -36,21 +38,11 @@ public class HealthDistTest {
@Test @Test
@Launch({ "start-dev" }) @Launch({ "start-dev" })
void testHealthEndpointNotEnabled() { void testHealthEndpointNotEnabled(KeycloakDistribution distribution) {
assertThrows(IOException.class, () -> when().get("/health"), "Connection refused must be thrown");
distribution.setRequestPort(8080);
when().get("/health").then() when().get("/health").then()
.statusCode(404); .statusCode(404);
when().get("/q/health").then()
.statusCode(404);
when().get("/health/live").then()
.statusCode(404);
when().get("/q/health/live").then()
.statusCode(404);
when().get("/health/ready").then()
.statusCode(404);
when().get("/q/health/ready").then()
.statusCode(404);
when().get("/lb-check").then()
.statusCode(404);
} }
@Test @Test
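Review bot: After `distribution.setRequestPort(8080)` the test checks only `/health` for a 404; as far as this rendering shows, the earlier checks for `/q/health`, `/health/live`, `/health/ready`, their `/q/` variants and `/lb-check` are dropped. Those are the paths that would answer on the main port if the health endpoints were wrongly served there, so keeping them after the port switch preserves that coverage, e.g. `when().get("/health/ready").then().statusCode(404);`. The hunk ends at the next `@Test`, so the rest of the class is not visible here.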


@ -0,0 +1,44 @@
/*
* Copyright 2024 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.it.cli.dist;
import io.quarkus.test.junit.main.Launch;
import io.quarkus.test.junit.main.LaunchResult;
import org.junit.jupiter.api.Test;
import org.keycloak.it.junit5.extension.CLIResult;
import org.keycloak.it.junit5.extension.DistributionTest;
import java.io.IOException;
import static io.restassured.RestAssured.when;
import static org.junit.jupiter.api.Assertions.assertThrows;
@DistributionTest(keepAlive = true,
requestPort = 9000,
containerExposedPorts = {9000, 8080})
public class ManagementOffDistTest {
@Test
@Launch({"start-dev"})
public void notOccupied(LaunchResult result) {
CLIResult cliResult = (CLIResult) result;
cliResult.assertNoMessage("Management interface listening on");
assertThrows(IOException.class, () -> when().get("/"), "Connection refused must be thrown");
assertThrows(IOException.class, () -> when().get("/health"), "Connection refused must be thrown");
}
}
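Review bot: `notOccupied` covers only the default `start-dev` launch; the other branch of `isManagementEnabled()` that keeps the listener closed, health enabled together with `legacy-observability-interface=true`, has no distribution-level check in this class. A second test launched with those options, asserting the same missing "Management interface listening on" message and the failed connection on port 9000, would cover it. Other files of this commit that are not on this page may already do so.

```java
    @Test
    @Launch({"start-dev", "--health-enabled=true", "--legacy-observability-interface=true"})
    public void legacyInterfaceKeepsManagementOff(LaunchResult result) {
        CLIResult cliResult = (CLIResult) result;
        cliResult.assertNoMessage("Management interface listening on");
        assertThrows(IOException.class, () -> when().get("/health"), "Connection refused must be thrown");
    }
```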


@ -20,7 +20,9 @@ package org.keycloak.it.cli.dist;
import static io.restassured.RestAssured.when; import static io.restassured.RestAssured.when;
import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.containsString;
import static org.hamcrest.Matchers.not; import static org.hamcrest.Matchers.not;
import static org.junit.jupiter.api.Assertions.assertThrows;
import java.io.IOException;
import java.util.List; import java.util.List;
import java.util.concurrent.CompletableFuture; import java.util.concurrent.CompletableFuture;
import java.util.concurrent.TimeUnit; import java.util.concurrent.TimeUnit;
@ -37,7 +39,12 @@ public class MetricsDistTest {
@Test @Test
@Launch({ "start-dev" }) @Launch({ "start-dev" })
void testMetricsEndpointNotEnabled() { void testMetricsEndpointNotEnabled(KeycloakDistribution distribution) {
assertThrows(IOException.class, () -> when().get("/metrics"), "Connection refused must be thrown");
assertThrows(IOException.class, () -> when().get("/q/metrics"), "Connection refused must be thrown");
distribution.setRequestPort(8080);
when().get("/metrics").then() when().get("/metrics").then()
.statusCode(404); .statusCode(404);
when().get("/q/metrics").then() when().get("/q/metrics").then()


@ -56,13 +56,13 @@ Management:
--http-management-relative-path <path> --http-management-relative-path <path>
Set the path relative to '/' for serving resources from management interface. Set the path relative to '/' for serving resources from management interface.
The path must start with a '/'. If not given, the value is inherited from The path must start with a '/'. If not given, the value is inherited from
HTTP options. Default: /. Available only when Management interface is HTTP options. Relevant only when something is exposed on the management
enabled. interface - see the guide for details. Default: /.
--https-management-client-auth <auth> --https-management-client-auth <auth>
Configures the management interface to require/request client authentication. Configures the management interface to require/request client authentication.
If not given, the value is inherited from HTTP options. Possible values are: If not given, the value is inherited from HTTP options. Relevant only when
none, request, required. Default: none. Available only when Management something is exposed on the management interface - see the guide for
interface is enabled. details. Possible values are: none, request, required. Default: none.
--legacy-observability-interface <true|false> --legacy-observability-interface <true|false>
DEPRECATED. If metrics/health endpoints should be exposed on the main HTTP DEPRECATED. If metrics/health endpoints should be exposed on the main HTTP
server (not recommended). If set to true, the management interface is server (not recommended). If set to true, the management interface is


@ -71,35 +71,37 @@ Feature:
Management: Management:
--http-management-port <port> --http-management-port <port>
Port of the management interface. Default: 9000. Available only when Port of the management interface. Relevant only when something is exposed on
Management interface is enabled. the management interface - see the guide for details. Default: 9000.
--http-management-relative-path <path> --http-management-relative-path <path>
Set the path relative to '/' for serving resources from management interface. Set the path relative to '/' for serving resources from management interface.
The path must start with a '/'. If not given, the value is inherited from The path must start with a '/'. If not given, the value is inherited from
HTTP options. Default: /. Available only when Management interface is HTTP options. Relevant only when something is exposed on the management
enabled. interface - see the guide for details. Default: /.
--https-management-certificate-file <file> --https-management-certificate-file <file>
The file path to a server certificate or certificate chain in PEM format for The file path to a server certificate or certificate chain in PEM format for
the management server. If not given, the value is inherited from HTTP the management server. If not given, the value is inherited from HTTP
options. Available only when Management interface is enabled. options. Relevant only when something is exposed on the management interface
- see the guide for details.
--https-management-certificate-key-file <file> --https-management-certificate-key-file <file>
The file path to a private key in PEM format for the management server. If not The file path to a private key in PEM format for the management server. If not
given, the value is inherited from HTTP options. Available only when given, the value is inherited from HTTP options. Relevant only when
Management interface is enabled. something is exposed on the management interface - see the guide for details.
--https-management-client-auth <auth> --https-management-client-auth <auth>
Configures the management interface to require/request client authentication. Configures the management interface to require/request client authentication.
If not given, the value is inherited from HTTP options. Possible values are: If not given, the value is inherited from HTTP options. Relevant only when
none, request, required. Default: none. Available only when Management something is exposed on the management interface - see the guide for
interface is enabled. details. Possible values are: none, request, required. Default: none.
--https-management-key-store-file <file> --https-management-key-store-file <file>
The key store which holds the certificate information instead of specifying The key store which holds the certificate information instead of specifying
separate files for the management server. If not given, the value is separate files for the management server. If not given, the value is
inherited from HTTP options. Available only when Management interface is inherited from HTTP options. Relevant only when something is exposed on the
enabled. management interface - see the guide for details.
--https-management-key-store-password <password> --https-management-key-store-password <password>
The password of the key store file for the management server. If not given, The password of the key store file for the management server. If not given,
the value is inherited from HTTP options. Default: password. Available only the value is inherited from HTTP options. Relevant only when something is
when Management interface is enabled. exposed on the management interface - see the guide for details. Default:
password.
--legacy-observability-interface <true|false> --legacy-observability-interface <true|false>
DEPRECATED. If metrics/health endpoints should be exposed on the main HTTP DEPRECATED. If metrics/health endpoints should be exposed on the main HTTP
server (not recommended). If set to true, the management interface is server (not recommended). If set to true, the management interface is


@ -71,35 +71,37 @@ Feature:
Management: Management:
--http-management-port <port> --http-management-port <port>
Port of the management interface. Default: 9000. Available only when Port of the management interface. Relevant only when something is exposed on
Management interface is enabled. the management interface - see the guide for details. Default: 9000.
--http-management-relative-path <path> --http-management-relative-path <path>
Set the path relative to '/' for serving resources from management interface. Set the path relative to '/' for serving resources from management interface.
The path must start with a '/'. If not given, the value is inherited from The path must start with a '/'. If not given, the value is inherited from
HTTP options. Default: /. Available only when Management interface is HTTP options. Relevant only when something is exposed on the management
enabled. interface - see the guide for details. Default: /.
--https-management-certificate-file <file> --https-management-certificate-file <file>
The file path to a server certificate or certificate chain in PEM format for The file path to a server certificate or certificate chain in PEM format for
the management server. If not given, the value is inherited from HTTP the management server. If not given, the value is inherited from HTTP
options. Available only when Management interface is enabled. options. Relevant only when something is exposed on the management interface
- see the guide for details.
--https-management-certificate-key-file <file> --https-management-certificate-key-file <file>
The file path to a private key in PEM format for the management server. If not The file path to a private key in PEM format for the management server. If not
given, the value is inherited from HTTP options. Available only when given, the value is inherited from HTTP options. Relevant only when
Management interface is enabled. something is exposed on the management interface - see the guide for details.
--https-management-client-auth <auth> --https-management-client-auth <auth>
Configures the management interface to require/request client authentication. Configures the management interface to require/request client authentication.
If not given, the value is inherited from HTTP options. Possible values are: If not given, the value is inherited from HTTP options. Relevant only when
none, request, required. Default: none. Available only when Management something is exposed on the management interface - see the guide for
interface is enabled. details. Possible values are: none, request, required. Default: none.
--https-management-key-store-file <file> --https-management-key-store-file <file>
The key store which holds the certificate information instead of specifying The key store which holds the certificate information instead of specifying
separate files for the management server. If not given, the value is separate files for the management server. If not given, the value is
inherited from HTTP options. Available only when Management interface is inherited from HTTP options. Relevant only when something is exposed on the
enabled. management interface - see the guide for details.
--https-management-key-store-password <password> --https-management-key-store-password <password>
The password of the key store file for the management server. If not given, The password of the key store file for the management server. If not given,
the value is inherited from HTTP options. Default: password. Available only the value is inherited from HTTP options. Relevant only when something is
when Management interface is enabled. exposed on the management interface - see the guide for details. Default:
password.
--legacy-observability-interface <true|false> --legacy-observability-interface <true|false>
DEPRECATED. If metrics/health endpoints should be exposed on the main HTTP DEPRECATED. If metrics/health endpoints should be exposed on the main HTTP
server (not recommended). If set to true, the management interface is server (not recommended). If set to true, the management interface is


@ -71,35 +71,37 @@ Feature:
Management: Management:
--http-management-port <port> --http-management-port <port>
Port of the management interface. Default: 9000. Available only when Port of the management interface. Relevant only when something is exposed on
Management interface is enabled. the management interface - see the guide for details. Default: 9000.
--http-management-relative-path <path> --http-management-relative-path <path>
Set the path relative to '/' for serving resources from management interface. Set the path relative to '/' for serving resources from management interface.
The path must start with a '/'. If not given, the value is inherited from The path must start with a '/'. If not given, the value is inherited from
HTTP options. Default: /. Available only when Management interface is HTTP options. Relevant only when something is exposed on the management
enabled. interface - see the guide for details. Default: /.
--https-management-certificate-file <file> --https-management-certificate-file <file>
The file path to a server certificate or certificate chain in PEM format for The file path to a server certificate or certificate chain in PEM format for
the management server. If not given, the value is inherited from HTTP the management server. If not given, the value is inherited from HTTP
options. Available only when Management interface is enabled. options. Relevant only when something is exposed on the management interface
- see the guide for details.
--https-management-certificate-key-file <file> --https-management-certificate-key-file <file>
The file path to a private key in PEM format for the management server. If not The file path to a private key in PEM format for the management server. If not
given, the value is inherited from HTTP options. Available only when given, the value is inherited from HTTP options. Relevant only when
Management interface is enabled. something is exposed on the management interface - see the guide for details.
--https-management-client-auth <auth> --https-management-client-auth <auth>
Configures the management interface to require/request client authentication. Configures the management interface to require/request client authentication.
If not given, the value is inherited from HTTP options. Possible values are: If not given, the value is inherited from HTTP options. Relevant only when
none, request, required. Default: none. Available only when Management something is exposed on the management interface - see the guide for
interface is enabled. details. Possible values are: none, request, required. Default: none.
--https-management-key-store-file <file> --https-management-key-store-file <file>
The key store which holds the certificate information instead of specifying The key store which holds the certificate information instead of specifying
separate files for the management server. If not given, the value is separate files for the management server. If not given, the value is
inherited from HTTP options. Available only when Management interface is inherited from HTTP options. Relevant only when something is exposed on the
enabled. management interface - see the guide for details.
--https-management-key-store-password <password> --https-management-key-store-password <password>
The password of the key store file for the management server. If not given, The password of the key store file for the management server. If not given,
the value is inherited from HTTP options. Default: password. Available only the value is inherited from HTTP options. Relevant only when something is
when Management interface is enabled. exposed on the management interface - see the guide for details. Default:
password.
--legacy-observability-interface <true|false> --legacy-observability-interface <true|false>
DEPRECATED. If metrics/health endpoints should be exposed on the main HTTP DEPRECATED. If metrics/health endpoints should be exposed on the main HTTP
server (not recommended). If set to true, the management interface is server (not recommended). If set to true, the management interface is


@ -71,35 +71,37 @@ Feature:
Management: Management:
--http-management-port <port> --http-management-port <port>
Port of the management interface. Default: 9000. Available only when Port of the management interface. Relevant only when something is exposed on
Management interface is enabled. the management interface - see the guide for details. Default: 9000.
--http-management-relative-path <path> --http-management-relative-path <path>
Set the path relative to '/' for serving resources from management interface. Set the path relative to '/' for serving resources from management interface.
The path must start with a '/'. If not given, the value is inherited from The path must start with a '/'. If not given, the value is inherited from
HTTP options. Default: /. Available only when Management interface is HTTP options. Relevant only when something is exposed on the management
enabled. interface - see the guide for details. Default: /.
--https-management-certificate-file <file> --https-management-certificate-file <file>
The file path to a server certificate or certificate chain in PEM format for The file path to a server certificate or certificate chain in PEM format for
the management server. If not given, the value is inherited from HTTP the management server. If not given, the value is inherited from HTTP
options. Available only when Management interface is enabled. options. Relevant only when something is exposed on the management interface
- see the guide for details.
--https-management-certificate-key-file <file> --https-management-certificate-key-file <file>
The file path to a private key in PEM format for the management server. If not The file path to a private key in PEM format for the management server. If not
given, the value is inherited from HTTP options. Available only when given, the value is inherited from HTTP options. Relevant only when
Management interface is enabled. something is exposed on the management interface - see the guide for details.
--https-management-client-auth <auth> --https-management-client-auth <auth>
Configures the management interface to require/request client authentication. Configures the management interface to require/request client authentication.
If not given, the value is inherited from HTTP options. Possible values are: If not given, the value is inherited from HTTP options. Relevant only when
none, request, required. Default: none. Available only when Management something is exposed on the management interface - see the guide for
interface is enabled. details. Possible values are: none, request, required. Default: none.
--https-management-key-store-file <file> --https-management-key-store-file <file>
The key store which holds the certificate information instead of specifying The key store which holds the certificate information instead of specifying
separate files for the management server. If not given, the value is separate files for the management server. If not given, the value is
inherited from HTTP options. Available only when Management interface is inherited from HTTP options. Relevant only when something is exposed on the
enabled. management interface - see the guide for details.
--https-management-key-store-password <password> --https-management-key-store-password <password>
The password of the key store file for the management server. If not given, The password of the key store file for the management server. If not given,
the value is inherited from HTTP options. Default: password. Available only the value is inherited from HTTP options. Relevant only when something is
when Management interface is enabled. exposed on the management interface - see the guide for details. Default:
password.
--legacy-observability-interface <true|false> --legacy-observability-interface <true|false>
DEPRECATED. If metrics/health endpoints should be exposed on the main HTTP DEPRECATED. If metrics/health endpoints should be exposed on the main HTTP
server (not recommended). If set to true, the management interface is server (not recommended). If set to true, the management interface is


@ -193,35 +193,37 @@ Health:
Management: Management:
--http-management-port <port> --http-management-port <port>
Port of the management interface. Default: 9000. Available only when Port of the management interface. Relevant only when something is exposed on
Management interface is enabled. the management interface - see the guide for details. Default: 9000.
--http-management-relative-path <path> --http-management-relative-path <path>
Set the path relative to '/' for serving resources from management interface. Set the path relative to '/' for serving resources from management interface.
The path must start with a '/'. If not given, the value is inherited from The path must start with a '/'. If not given, the value is inherited from
HTTP options. Default: /. Available only when Management interface is HTTP options. Relevant only when something is exposed on the management
enabled. interface - see the guide for details. Default: /.
--https-management-certificate-file <file> --https-management-certificate-file <file>
The file path to a server certificate or certificate chain in PEM format for The file path to a server certificate or certificate chain in PEM format for
the management server. If not given, the value is inherited from HTTP the management server. If not given, the value is inherited from HTTP
options. Available only when Management interface is enabled. options. Relevant only when something is exposed on the management interface
- see the guide for details.
--https-management-certificate-key-file <file> --https-management-certificate-key-file <file>
The file path to a private key in PEM format for the management server. If not The file path to a private key in PEM format for the management server. If not
given, the value is inherited from HTTP options. Available only when given, the value is inherited from HTTP options. Relevant only when
Management interface is enabled. something is exposed on the management interface - see the guide for details.
--https-management-client-auth <auth> --https-management-client-auth <auth>
Configures the management interface to require/request client authentication. Configures the management interface to require/request client authentication.
If not given, the value is inherited from HTTP options. Possible values are: If not given, the value is inherited from HTTP options. Relevant only when
none, request, required. Default: none. Available only when Management something is exposed on the management interface - see the guide for
interface is enabled. details. Possible values are: none, request, required. Default: none.
--https-management-key-store-file <file> --https-management-key-store-file <file>
The key store which holds the certificate information instead of specifying The key store which holds the certificate information instead of specifying
separate files for the management server. If not given, the value is separate files for the management server. If not given, the value is
inherited from HTTP options. Available only when Management interface is inherited from HTTP options. Relevant only when something is exposed on the
enabled. management interface - see the guide for details.
--https-management-key-store-password <password> --https-management-key-store-password <password>
The password of the key store file for the management server. If not given, The password of the key store file for the management server. If not given,
the value is inherited from HTTP options. Default: password. Available only the value is inherited from HTTP options. Relevant only when something is
when Management interface is enabled. exposed on the management interface - see the guide for details. Default:
password.
--legacy-observability-interface <true|false> --legacy-observability-interface <true|false>
DEPRECATED. If metrics/health endpoints should be exposed on the main HTTP DEPRECATED. If metrics/health endpoints should be exposed on the main HTTP
server (not recommended). If set to true, the management interface is server (not recommended). If set to true, the management interface is


@ -265,35 +265,37 @@ Health:
Management: Management:
--http-management-port <port> --http-management-port <port>
Port of the management interface. Default: 9000. Available only when Port of the management interface. Relevant only when something is exposed on
Management interface is enabled. the management interface - see the guide for details. Default: 9000.
--http-management-relative-path <path> --http-management-relative-path <path>
Set the path relative to '/' for serving resources from management interface. Set the path relative to '/' for serving resources from management interface.
The path must start with a '/'. If not given, the value is inherited from The path must start with a '/'. If not given, the value is inherited from
HTTP options. Default: /. Available only when Management interface is HTTP options. Relevant only when something is exposed on the management
enabled. interface - see the guide for details. Default: /.
--https-management-certificate-file <file> --https-management-certificate-file <file>
The file path to a server certificate or certificate chain in PEM format for The file path to a server certificate or certificate chain in PEM format for
the management server. If not given, the value is inherited from HTTP the management server. If not given, the value is inherited from HTTP
options. Available only when Management interface is enabled. options. Relevant only when something is exposed on the management interface
- see the guide for details.
--https-management-certificate-key-file <file> --https-management-certificate-key-file <file>
The file path to a private key in PEM format for the management server. If not The file path to a private key in PEM format for the management server. If not
given, the value is inherited from HTTP options. Available only when given, the value is inherited from HTTP options. Relevant only when
Management interface is enabled. something is exposed on the management interface - see the guide for details.
--https-management-client-auth <auth> --https-management-client-auth <auth>
Configures the management interface to require/request client authentication. Configures the management interface to require/request client authentication.
If not given, the value is inherited from HTTP options. Possible values are: If not given, the value is inherited from HTTP options. Relevant only when
none, request, required. Default: none. Available only when Management something is exposed on the management interface - see the guide for
interface is enabled. details. Possible values are: none, request, required. Default: none.
--https-management-key-store-file <file> --https-management-key-store-file <file>
The key store which holds the certificate information instead of specifying The key store which holds the certificate information instead of specifying
separate files for the management server. If not given, the value is separate files for the management server. If not given, the value is
inherited from HTTP options. Available only when Management interface is inherited from HTTP options. Relevant only when something is exposed on the
enabled. management interface - see the guide for details.
--https-management-key-store-password <password> --https-management-key-store-password <password>
The password of the key store file for the management server. If not given, The password of the key store file for the management server. If not given,
the value is inherited from HTTP options. Default: password. Available only the value is inherited from HTTP options. Relevant only when something is
when Management interface is enabled. exposed on the management interface - see the guide for details. Default:
password.
--legacy-observability-interface <true|false> --legacy-observability-interface <true|false>
DEPRECATED. If metrics/health endpoints should be exposed on the main HTTP DEPRECATED. If metrics/health endpoints should be exposed on the main HTTP
server (not recommended). If set to true, the management interface is server (not recommended). If set to true, the management interface is


@ -194,35 +194,37 @@ Health:
Management: Management:
--http-management-port <port> --http-management-port <port>
Port of the management interface. Default: 9000. Available only when Port of the management interface. Relevant only when something is exposed on
Management interface is enabled. the management interface - see the guide for details. Default: 9000.
--http-management-relative-path <path> --http-management-relative-path <path>
Set the path relative to '/' for serving resources from management interface. Set the path relative to '/' for serving resources from management interface.
The path must start with a '/'. If not given, the value is inherited from The path must start with a '/'. If not given, the value is inherited from
HTTP options. Default: /. Available only when Management interface is HTTP options. Relevant only when something is exposed on the management
enabled. interface - see the guide for details. Default: /.
--https-management-certificate-file <file> --https-management-certificate-file <file>
The file path to a server certificate or certificate chain in PEM format for The file path to a server certificate or certificate chain in PEM format for
the management server. If not given, the value is inherited from HTTP the management server. If not given, the value is inherited from HTTP
options. Available only when Management interface is enabled. options. Relevant only when something is exposed on the management interface
- see the guide for details.
--https-management-certificate-key-file <file> --https-management-certificate-key-file <file>
The file path to a private key in PEM format for the management server. If not The file path to a private key in PEM format for the management server. If not
given, the value is inherited from HTTP options. Available only when given, the value is inherited from HTTP options. Relevant only when
Management interface is enabled. something is exposed on the management interface - see the guide for details.
--https-management-client-auth <auth> --https-management-client-auth <auth>
Configures the management interface to require/request client authentication. Configures the management interface to require/request client authentication.
If not given, the value is inherited from HTTP options. Possible values are: If not given, the value is inherited from HTTP options. Relevant only when
none, request, required. Default: none. Available only when Management something is exposed on the management interface - see the guide for
interface is enabled. details. Possible values are: none, request, required. Default: none.
--https-management-key-store-file <file> --https-management-key-store-file <file>
The key store which holds the certificate information instead of specifying The key store which holds the certificate information instead of specifying
separate files for the management server. If not given, the value is separate files for the management server. If not given, the value is
inherited from HTTP options. Available only when Management interface is inherited from HTTP options. Relevant only when something is exposed on the
enabled. management interface - see the guide for details.
--https-management-key-store-password <password> --https-management-key-store-password <password>
The password of the key store file for the management server. If not given, The password of the key store file for the management server. If not given,
the value is inherited from HTTP options. Default: password. Available only the value is inherited from HTTP options. Relevant only when something is
when Management interface is enabled. exposed on the management interface - see the guide for details. Default:
password.
--legacy-observability-interface <true|false> --legacy-observability-interface <true|false>
DEPRECATED. If metrics/health endpoints should be exposed on the main HTTP DEPRECATED. If metrics/health endpoints should be exposed on the main HTTP
server (not recommended). If set to true, the management interface is server (not recommended). If set to true, the management interface is


@ -266,35 +266,37 @@ Health:
Management: Management:
--http-management-port <port> --http-management-port <port>
Port of the management interface. Default: 9000. Available only when Port of the management interface. Relevant only when something is exposed on
Management interface is enabled. the management interface - see the guide for details. Default: 9000.
--http-management-relative-path <path> --http-management-relative-path <path>
Set the path relative to '/' for serving resources from management interface. Set the path relative to '/' for serving resources from management interface.
The path must start with a '/'. If not given, the value is inherited from The path must start with a '/'. If not given, the value is inherited from
HTTP options. Default: /. Available only when Management interface is HTTP options. Relevant only when something is exposed on the management
enabled. interface - see the guide for details. Default: /.
--https-management-certificate-file <file> --https-management-certificate-file <file>
The file path to a server certificate or certificate chain in PEM format for The file path to a server certificate or certificate chain in PEM format for
the management server. If not given, the value is inherited from HTTP the management server. If not given, the value is inherited from HTTP
options. Available only when Management interface is enabled. options. Relevant only when something is exposed on the management interface
- see the guide for details.
--https-management-certificate-key-file <file> --https-management-certificate-key-file <file>
The file path to a private key in PEM format for the management server. If not The file path to a private key in PEM format for the management server. If not
given, the value is inherited from HTTP options. Available only when given, the value is inherited from HTTP options. Relevant only when
Management interface is enabled. something is exposed on the management interface - see the guide for details.
--https-management-client-auth <auth> --https-management-client-auth <auth>
Configures the management interface to require/request client authentication. Configures the management interface to require/request client authentication.
If not given, the value is inherited from HTTP options. Possible values are: If not given, the value is inherited from HTTP options. Relevant only when
none, request, required. Default: none. Available only when Management something is exposed on the management interface - see the guide for
interface is enabled. details. Possible values are: none, request, required. Default: none.
--https-management-key-store-file <file> --https-management-key-store-file <file>
The key store which holds the certificate information instead of specifying The key store which holds the certificate information instead of specifying
separate files for the management server. If not given, the value is separate files for the management server. If not given, the value is
inherited from HTTP options. Available only when Management interface is inherited from HTTP options. Relevant only when something is exposed on the
enabled. management interface - see the guide for details.
--https-management-key-store-password <password> --https-management-key-store-password <password>
The password of the key store file for the management server. If not given, The password of the key store file for the management server. If not given,
the value is inherited from HTTP options. Default: password. Available only the value is inherited from HTTP options. Relevant only when something is
when Management interface is enabled. exposed on the management interface - see the guide for details. Default:
password.
--legacy-observability-interface <true|false> --legacy-observability-interface <true|false>
DEPRECATED. If metrics/health endpoints should be exposed on the main HTTP DEPRECATED. If metrics/health endpoints should be exposed on the main HTTP
server (not recommended). If set to true, the management interface is server (not recommended). If set to true, the management interface is


@ -166,25 +166,27 @@ HTTP(S):
Management: Management:
--http-management-port <port> --http-management-port <port>
Port of the management interface. Default: 9000. Available only when Port of the management interface. Relevant only when something is exposed on
Management interface is enabled. the management interface - see the guide for details. Default: 9000.
--https-management-certificate-file <file> --https-management-certificate-file <file>
The file path to a server certificate or certificate chain in PEM format for The file path to a server certificate or certificate chain in PEM format for
the management server. If not given, the value is inherited from HTTP the management server. If not given, the value is inherited from HTTP
options. Available only when Management interface is enabled. options. Relevant only when something is exposed on the management interface
- see the guide for details.
--https-management-certificate-key-file <file> --https-management-certificate-key-file <file>
The file path to a private key in PEM format for the management server. If not The file path to a private key in PEM format for the management server. If not
given, the value is inherited from HTTP options. Available only when given, the value is inherited from HTTP options. Relevant only when
Management interface is enabled. something is exposed on the management interface - see the guide for details.
--https-management-key-store-file <file> --https-management-key-store-file <file>
The key store which holds the certificate information instead of specifying The key store which holds the certificate information instead of specifying
separate files for the management server. If not given, the value is separate files for the management server. If not given, the value is
inherited from HTTP options. Available only when Management interface is inherited from HTTP options. Relevant only when something is exposed on the
enabled. management interface - see the guide for details.
--https-management-key-store-password <password> --https-management-key-store-password <password>
The password of the key store file for the management server. If not given, The password of the key store file for the management server. If not given,
the value is inherited from HTTP options. Default: password. Available only the value is inherited from HTTP options. Relevant only when something is
when Management interface is enabled. exposed on the management interface - see the guide for details. Default:
password.
Proxy: Proxy:


@ -238,25 +238,27 @@ HTTP(S):
Management: Management:
--http-management-port <port> --http-management-port <port>
Port of the management interface. Default: 9000. Available only when Port of the management interface. Relevant only when something is exposed on
Management interface is enabled. the management interface - see the guide for details. Default: 9000.
--https-management-certificate-file <file> --https-management-certificate-file <file>
The file path to a server certificate or certificate chain in PEM format for The file path to a server certificate or certificate chain in PEM format for
the management server. If not given, the value is inherited from HTTP the management server. If not given, the value is inherited from HTTP
options. Available only when Management interface is enabled. options. Relevant only when something is exposed on the management interface
- see the guide for details.
--https-management-certificate-key-file <file> --https-management-certificate-key-file <file>
The file path to a private key in PEM format for the management server. If not The file path to a private key in PEM format for the management server. If not
given, the value is inherited from HTTP options. Available only when given, the value is inherited from HTTP options. Relevant only when
Management interface is enabled. something is exposed on the management interface - see the guide for details.
--https-management-key-store-file <file> --https-management-key-store-file <file>
The key store which holds the certificate information instead of specifying The key store which holds the certificate information instead of specifying
separate files for the management server. If not given, the value is separate files for the management server. If not given, the value is
inherited from HTTP options. Available only when Management interface is inherited from HTTP options. Relevant only when something is exposed on the
enabled. management interface - see the guide for details.
--https-management-key-store-password <password> --https-management-key-store-password <password>
The password of the key store file for the management server. If not given, The password of the key store file for the management server. If not given,
the value is inherited from HTTP options. Default: password. Available only the value is inherited from HTTP options. Relevant only when something is
when Management interface is enabled. exposed on the management interface - see the guide for details. Default:
password.
Proxy: Proxy:


@ -41,3 +41,6 @@ spi-connections-http-client-default-reuse-connections=false
# set known protocol ports for basicsamltest # set known protocol ports for basicsamltest
spi-login-protocol-saml-known-protocols=http=8180,https=8543 spi-login-protocol-saml-known-protocols=http=8180,https=8543
# expose something on management interface to turn it on
health-enabled=true
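Review bot: The comment above `health-enabled=true` says what the line does but not why the test server needs the management interface running, so a later cleanup could drop it as an unrelated health setting. Since the interface now starts only when an endpoint is exposed on it, I would spell the dependency out, e.g. `# the management interface starts only when an endpoint is exposed on it; health is enabled so the test server still listens on the management port`. With this setting the suite presumably never runs with the interface off, which is the new default state this commit introduces. A test asserting that the management port stays closed when nothing is exposed would cover that, if one is not already elsewhere in the commit.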


@ -168,7 +168,7 @@ public abstract class AbstractQuarkusDeployableContainer implements DeployableCo
if (suiteContext.get().isAuthServerMigrationEnabled()) { if (suiteContext.get().isAuthServerMigrationEnabled()) {
commands.add("--hostname-strict=false"); commands.add("--hostname-strict=false");
commands.add("--hostname-strict-https=false"); commands.add("--hostname-strict-https=false");
} else { // Do not set management port for older versions of Keycloak for migration tests - available since Keycloak ~22 } else { // Do not set management port for older versions of Keycloak for migration tests - available since Keycloak 25
commands.add("--http-management-port=" + configuration.getManagementPort()); commands.add("--http-management-port=" + configuration.getManagementPort());
} }
@ -232,6 +232,7 @@ public abstract class AbstractQuarkusDeployableContainer implements DeployableCo
private static void prepareCommandsForRebuilding(List<String> commands) { private static void prepareCommandsForRebuilding(List<String> commands) {
commands.removeIf("--optimized"::equals); commands.removeIf("--optimized"::equals);
commands.add("--http-relative-path=/auth"); commands.add("--http-relative-path=/auth");
commands.add("--health-enabled=true"); // expose something to management interface to turn it on
} }
protected void addFeaturesOption(List<String> commands) { protected void addFeaturesOption(List<String> commands) {