Class FilesPlainTextVaultProvider

java.lang.Object
org.keycloak.vault.AbstractVaultProvider
org.keycloak.vault.FilesPlainTextVaultProvider
All Implemented Interfaces:
Provider, VaultProvider

public class FilesPlainTextVaultProvider extends AbstractVaultProvider
A text-based vault provider, which stores each secret in a separate file. The file name needs to match a vault secret id (or a key for short) and follows the format provided by the configured VaultKeyResolver. A typical vault directory layout looks like this:
     ${VAULT}/realma__key1 (contains secret for key 1)
     ${VAULT}/realma__key2 (contains secret for key 2)
     etc...
 
Note that in this case each key is prefixed by the realm name. This particular layout is what Kubernetes produces by default when mounting a secret volume into a pod, and it is selected with the REALM_UNDERSCORE_KEY resolver (the default resolver when none is configured). Other layouts are available through different resolvers. See https://kubernetes.io/docs/concepts/configuration/secret/ and https://github.com/keycloak/keycloak-community/blob/main/design/secure-credentials-store.md#plain-text-file-per-secret-kubernetes--openshift
Author:
Sebastian Łaskawiec
  • Constructor Details

    • FilesPlainTextVaultProvider

      public FilesPlainTextVaultProvider(@Nonnull Path path, @Nonnull String realmName, @Nonnull List<VaultKeyResolver> resolvers)
      Parameters:
      path - A path to a vault. Can not be null.
      realmName - A realm name. Can not be null.
  • Method Details

    • obtainSecretInternal

      protected VaultRawSecret obtainSecretInternal(String vaultSecretId)
      Description copied from class: AbstractVaultProvider
      Subclasses of AbstractVaultProvider must implement this method. It is meant to be implemented in the same way as the AbstractVaultProvider.obtainSecret(String) method from the VaultProvider interface, but the specified vault key must be used as is, i.e. implementations should not process the key again, because its format was already defined by one of the configured key resolvers.
      Specified by:
      obtainSecretInternal in class AbstractVaultProvider
      Parameters:
      vaultSecretId - a String representing the name of the entry that is being fetched from the vault.
      Returns:
      a VaultRawSecret representing the obtained secret. It can be an empty secret if no secret could be obtained using the specified vault key.
    • validate

      protected boolean validate(VaultKeyResolver resolver, String key, String resolvedKey)
      Description copied from class: AbstractVaultProvider
      Validates the resolved key to ensure it meets the necessary criteria.
      Overrides:
      validate in class AbstractVaultProvider
      Parameters:
      resolver - the VaultKeyResolver used to resolve the key.
      key - the original key provided.
      resolvedKey - the key after being resolved by the resolver.
      Returns:
      a boolean indicating whether the validation passed.
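      The following is an added, stand-alone illustration of the file-per-secret layout described in the class comment and of the resolve/validate/obtain sequence documented for obtainSecretInternal and validate. It is not Keycloak code: the class PlainTextFileVault, the function realm_underscore_key and the check inside validate are assumptions made for this example. The resolver mirrors the page's layout (realm and key joined by a double underscore); the validation criterion shown (the resolved key must be a bare file name with no path separator) is an illustrative choice, not the criteria Keycloak's validate applies. The sample secrets are constructed inside a temporary directory.

```python
import os
import tempfile
from pathlib import Path
from typing import Callable, List, Optional

# Resolver in the spirit of REALM_UNDERSCORE_KEY: "<realm>__<key>" (assumption:
# the separator is taken from the page's example layout, ${VAULT}/realma__key1).
def realm_underscore_key(realm: str, key: str) -> str:
    return f"{realm}__{key}"


class PlainTextFileVault:
    """Illustrative file-per-secret vault (example code, not Keycloak's provider)."""

    def __init__(self, vault_dir: Path, realm: str,
                 resolvers: List[Callable[[str, str], str]]):
        self.vault_dir = vault_dir
        self.realm = realm
        self.resolvers = resolvers

    def validate(self, resolved_key: str) -> bool:
        # Illustrative criterion (assumption): a resolved key must name a single file
        # directly inside the vault directory. The check is on the name itself rather
        # than on a canonicalised real path, because Kubernetes secret volumes expose
        # each file through symlinks (key -> ..data/key) that a realpath check would reject.
        if resolved_key in ("", ".", ".."):
            return False
        return "/" not in resolved_key and os.sep not in resolved_key and "\0" not in resolved_key

    def obtain_secret_internal(self, resolved_key: str) -> Optional[bytes]:
        # The key is used exactly as the resolver produced it; no further processing.
        path = self.vault_dir / resolved_key
        if not path.is_file():
            return None  # stands in for an empty VaultRawSecret
        return path.read_bytes()

    def obtain_secret(self, key: str) -> Optional[bytes]:
        # Try each configured resolver in order; skip keys that fail validation.
        for resolver in self.resolvers:
            resolved = resolver(self.realm, key)
            if not self.validate(resolved):
                continue
            secret = self.obtain_secret_internal(resolved)
            if secret is not None:
                return secret
        return None


def demo() -> dict:
    """Builds a constructed vault directory and performs a few lookups."""
    with tempfile.TemporaryDirectory() as tmp:
        vault = Path(tmp)
        # Constructed sample secrets following the ${VAULT}/realma__keyN layout.
        (vault / "realma__key1").write_bytes(b"s3cr3t-1")
        (vault / "realma__key2").write_bytes(b"s3cr3t-2")
        provider = PlainTextFileVault(vault, "realma", [realm_underscore_key])
        return {
            "key1": provider.obtain_secret("key1"),
            "key2": provider.obtain_secret("key2"),
            "missing": provider.obtain_secret("key3"),      # no file -> empty secret
            "bad_key": provider.obtain_secret("../key1"),   # fails validation -> empty
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

      The lookup for key1 and key2 returns the file contents, key3 yields an empty result because no file exists, and a key containing a path separator is rejected by validate before any file access happens.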
    • close

      public void close()