Package org.keycloak.vault
Class FilesPlainTextVaultProvider
java.lang.Object
org.keycloak.vault.AbstractVaultProvider
org.keycloak.vault.FilesPlainTextVaultProvider
- All Implemented Interfaces:
Provider
,VaultProvider
A text-based vault provider, which stores each secret in a separate file. The file name needs to match a vault secret id (or
a key for short) and follows the format provided by the configured
VaultKeyResolver
. A typical vault directory
layout looks like this:
${VAULT}/realma__key1 (contains secret for key 1) ${VAULT}/realma__key2 (contains secret for key 2) etc...Note, that in this case each key is prefixed by realm name. This particular kind of layout is used by Kubernetes by default (when mounting a volume into the pod) and can be used by selecting the
REALM_UNDERSCORE_KEY
resolver (which is
the default resolver when none is defined). Other layouts are available through different resolvers.
See https://kubernetes.io/docs/concepts/configuration/secret/
See https://github.com/keycloak/keycloak-community/blob/main/design/secure-credentials-store.md#plain-text-file-per-secret-kubernetes--openshift- Author:
- Sebastian Ćaskawiec
-
Field Summary
Fields inherited from class org.keycloak.vault.AbstractVaultProvider
realm, resolvers
-
Constructor Summary
ConstructorDescriptionFilesPlainTextVaultProvider
(Path path, String realmName, List<VaultKeyResolver> resolvers) Creates a newFilesPlainTextVaultProvider
. -
Method Summary
Modifier and TypeMethodDescriptionvoid
close()
protected VaultRawSecret
obtainSecretInternal
(String vaultSecretId) Subclasses ofAbstractVaultProvider
must implement this method.protected boolean
validate
(VaultKeyResolver resolver, String key, String resolvedKey) Validates the resolved key to ensure it meets the necessary criteria.Methods inherited from class org.keycloak.vault.AbstractVaultProvider
obtainSecret
-
Constructor Details
-
FilesPlainTextVaultProvider
public FilesPlainTextVaultProvider(@Nonnull Path path, @Nonnull String realmName, @Nonnull List<VaultKeyResolver> resolvers) Creates a newFilesPlainTextVaultProvider
.- Parameters:
path
- A path to a vault. Can not be null.realmName
- A realm name. Can not be null.
-
-
Method Details
-
obtainSecretInternal
Description copied from class:AbstractVaultProvider
Subclasses ofAbstractVaultProvider
must implement this method. It is meant to be implemented in the same way as theAbstractVaultProvider.obtainSecret(String)
method from theVaultProvider
interface, but the specified vault key must be used as is - i.e. implementations should refrain from processing the key again as the format was already defined by one of the configured key resolvers.- Specified by:
obtainSecretInternal
in classAbstractVaultProvider
- Parameters:
vaultSecretId
- aString
representing the name of the entry that is being fetched from the vault.- Returns:
- a
VaultRawSecret
representing the obtained secret. It can be a empty secret if no secret could be obtained using the specified vault key.
-
validate
Description copied from class:AbstractVaultProvider
Validates the resolved key to ensure it meets the necessary criteria.- Overrides:
validate
in classAbstractVaultProvider
- Parameters:
resolver
- theVaultKeyResolver
used to resolve the key.key
- the original key provided.resolvedKey
- the key after being resolved by the resolver.- Returns:
- a boolean indicating whether the validation passed.
-
close
public void close()
-