org.keycloak.vault.AbstractVaultProvider

org.keycloak.vault.FilesPlainTextVaultProvider

All Implemented Interfaces:: Provider, VaultProvider

public class FilesPlainTextVaultProvider extends AbstractVaultProvider

A text-based vault provider, which stores each secret in a separate file. The file name needs to match a vault secret id (or a key for short) and follows the format provided by the configured VaultKeyResolver. A typical vault directory layout looks like this:

     ${VAULT}/realma__key1 (contains secret for key 1)
     ${VAULT}/realma__key2 (contains secret for key 2)
     etc...

Note, that in this case each key is prefixed by realm name. This particular kind of layout is used by Kubernetes by default (when mounting a volume into the pod) and can be used by selecting the REALM_UNDERSCORE_KEY resolver (which is the default resolver when none is defined). Other layouts are available through different resolvers. See https://kubernetes.io/docs/concepts/configuration/secret/ See https://github.com/keycloak/keycloak-community/blob/main/design/secure-credentials-store.md#plain-text-file-per-secret-kubernetes--openshift

Author:: Sebastian Łaskawiec

Field Summary

Fields inherited from class org.keycloak.vault.AbstractVaultProvider
realm, resolvers
Constructor Summary

Constructors

Constructor

Description

FilesPlainTextVaultProvider(Path path, String realmName, List<VaultKeyResolver> resolvers)

Creates a new FilesPlainTextVaultProvider.
Method Summary

Modifier and Type

Method

Description

void

close()

protected VaultRawSecret

obtainSecretInternal(String vaultSecretId)

Subclasses of AbstractVaultProvider must implement this method.

Methods inherited from class org.keycloak.vault.AbstractVaultProvider
obtainSecret

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details
- FilesPlainTextVaultProvider
  
  public FilesPlainTextVaultProvider(@Nonnull Path path, @Nonnull String realmName, @Nonnull List<VaultKeyResolver> resolvers)
  
  Creates a new FilesPlainTextVaultProvider.
  
  Parameters:
  
  path - A path to a vault. Can not be null.
  
  realmName - A realm name. Can not be null.
Method Details
- obtainSecretInternal
  
  protected VaultRawSecret obtainSecretInternal(String vaultSecretId)
  
  Description copied from class: AbstractVaultProvider
  
  Subclasses of AbstractVaultProvider must implement this method. It is meant to be implemented in the same way as the AbstractVaultProvider.obtainSecret(String) method from the VaultProvider interface, but the specified vault key must be used as is - i.e. implementations should refrain from processing the key again as the format was already defined by one of the configured key resolvers.
  
  Specified by:
  
  obtainSecretInternal in class AbstractVaultProvider
  
  Parameters:
  
  vaultSecretId - a String representing the name of the entry that is being fetched from the vault.
  
  Returns:
  
  a VaultRawSecret representing the obtained secret. It can be a empty secret if no secret could be obtained using the specified vault key.
- close
  
  public void close()

Class FilesPlainTextVaultProvider

Field Summary

Fields inherited from class org.keycloak.vault.AbstractVaultProvider

Constructor Summary

Method Summary

Methods inherited from class org.keycloak.vault.AbstractVaultProvider

Methods inherited from class java.lang.Object

Constructor Details

FilesPlainTextVaultProvider

Method Details

obtainSecretInternal

close