libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases Packages Activity Actions

9954 Review vault topic (#9955)

Browse source
This commit is contained in:
andymunro 2022-02-03 03:55:07 -05:00 committed by GitHub
parent 3fd725a3f5
commit c5e95b1dba
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 11 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

21
docs/guides/src/main/server/vault.adoc
View file

@ -3,13 +3,14 @@
<@tmpl.guide
title="Using Kubernetes Secrets"
summary="Learn how to use Kubernetes / OpenShift secrets in Keycloak"
summary="Learn how to use Kubernetes/OpenShift secrets in Keycloak"
priority=30
includedOptions="vault vault-*">
Keycloak supports a file based vault implementation for Kubernetes / OpenShift secrets. Mount Kubernetes secrets into the Keycloak Container, and the data fields will be available in the mounted folder with a flat-file structure.
Keycloak supports a file-based vault implementation for Kubernetes/OpenShift secrets. Mount Kubernetes secrets into the Keycloak Container, and the data fields will be available in the mounted folder with a flat-file structure.
== Available integrations
You can use Kubernetes / OpenShift secrets for the following use-cases:
You can use Kubernetes/OpenShift secrets for the following purposes:
* Obtain the SMTP Mail server Password
* Obtain the LDAP Bind Credential when using LDAP-based User Federation
@ -21,19 +22,19 @@ Enable the file based vault by building Keycloak using the following build optio
<@kc.build parameters="--vault=file"/>
== Setting the base directory to lookup secrets
Kubernetes / OpenShift secrets are basically mounted files, so you have to configure a directory for these files to be mounted in:
Kubernetes/OpenShift secrets are basically mounted files. To configure a directory where these files should be mounted, enter this command:
<@kc.start parameters="--vault-dir=/my/path"/>
== Realm-specific secret files
Kubernetes / OpenShift Secrets are used per-realm basis in Keycloak, so there's a naming convention for the file in place:
Kubernetes/OpenShift Secrets are used on a per-realm basis in Keycloak, which requires a naming convention for the file in place:
[source, bash]
----
${r"${vault.<realmname>_<secretname>}"}
----
=== Using underscores in the Name
In order to process the secret correctly, it is needed to double all underscores in the <realmname> or the <secretname>, separated by a single underscore.
To process the secret correctly, you double all underscores in the <realmname> or the <secretname>, separated by a single underscore.
.Example
* Realm Name: `sso_realm`
@ -45,14 +46,14 @@ sso__realm_ldap__credential
----
Note the doubled underscores between __sso__ and __realm__ and also between __ldap__ and __credential__.
== Example: Use an LDAP bind credential secret in the admin console
== Example: Use an LDAP bind credential secret in the Admin Console
.Example setup
* A realm named `secrettest`
* A desired Name `ldapBc` for the bind Credential
* Resulting file name: `secrettest_ldapBc`
.Usage in admin console
You can then use this secret from the admin console by using `${r"${vault.ldapBc}"}` as value for the `Bind Credential` when configuring your LDAP User federation.
.Usage in Admin Console
You can then use this secret from the Admin Console by using `${r"${vault.ldapBc}"}` as the value for the `Bind Credential` when configuring your LDAP User federation.
</@tmpl.guide>
</@tmpl.guide>