Class FilesPlainTextVaultProvider

  • All Implemented Interfaces:
    Provider, VaultProvider

    public class FilesPlainTextVaultProvider
    extends AbstractVaultProvider
    A text-based vault provider, which stores each secret in a separate file. The file name needs to match a vault secret id (or a key for short) and follows the format provided by the configured VaultKeyResolver. A typical vault directory layout looks like this:
         ${VAULT}/realma__key1 (contains secret for key 1)
         ${VAULT}/realma__key2 (contains secret for key 2)
         etc...
     
    Note, that in this case each key is prefixed by realm name. This particular kind of layout is used by Kubernetes by default (when mounting a volume into the pod) and can be used by selecting the REALM_UNDERSCORE_KEY resolver (which is the default resolver when none is defined). Other layouts are available through different resolvers. See https://kubernetes.io/docs/concepts/configuration/secret/ See https://github.com/keycloak/keycloak-community/blob/main/design/secure-credentials-store.md#plain-text-file-per-secret-kubernetes--openshift
    Author:
    Sebastian Ɓaskawiec
    • Constructor Detail

      • FilesPlainTextVaultProvider

        public FilesPlainTextVaultProvider​(@Nonnull
                                           Path path,
                                           @Nonnull
                                           String realmName,
                                           @Nonnull
                                           List<VaultKeyResolver> resolvers)
        Parameters:
        path - A path to a vault. Can not be null.
        realmName - A realm name. Can not be null.
    • Method Detail

      • obtainSecretInternal

        protected VaultRawSecret obtainSecretInternal​(String vaultSecretId)
        Description copied from class: AbstractVaultProvider
        Subclasses of AbstractVaultProvider must implement this method. It is meant to be implemented in the same way as the AbstractVaultProvider.obtainSecret(String) method from the VaultProvider interface, but the specified vault key must be used as is - i.e. implementations should refrain from processing the key again as the format was already defined by one of the configured key resolvers.
        Specified by:
        obtainSecretInternal in class AbstractVaultProvider
        Parameters:
        vaultSecretId - a String representing the name of the entry that is being fetched from the vault.
        Returns:
        a VaultRawSecret representing the obtained secret. It can be a empty secret if no secret could be obtained using the specified vault key.
      • close

        public void close()