public class FilesPlainTextVaultProvider extends AbstractVaultProvider
VaultKeyResolver. A typical vault directory layout looks like this:

    ${VAULT}/realma__key1 (contains secret for key 1)
    ${VAULT}/realma__key2 (contains secret for key 2)
    etc...

Note that in this case each key is prefixed by the realm name. This particular kind of layout is used by Kubernetes by default (when mounting a volume into the pod) and can be used by selecting the REALM_UNDERSCORE_KEY resolver (which is the default resolver when none is defined). Other layouts are available through different resolvers.
See https://kubernetes.io/docs/concepts/configuration/secret/
See https://github.com/keycloak/keycloak-community/blob/master/design/secure-credentials-store.md#plain-text-file-per-secret-kubernetes--openshift

realm, resolvers
Constructor and Description |
---|
FilesPlainTextVaultProvider(Path path, String realmName, List<VaultKeyResolver> resolvers): Creates a new FilesPlainTextVaultProvider. |
Modifier and Type | Method and Description |
---|---|
void | close() |
protected VaultRawSecret | obtainSecretInternal(String vaultSecretId): Subclasses of AbstractVaultProvider must implement this method. |
obtainSecret
public FilesPlainTextVaultProvider(Path path, String realmName, List<VaultKeyResolver> resolvers)

Creates a new FilesPlainTextVaultProvider.

Parameters:
path - A path to a vault. Cannot be null.
realmName - A realm name. Cannot be null.

protected VaultRawSecret obtainSecretInternal(String vaultSecretId)

Description copied from class: AbstractVaultProvider

Subclasses of AbstractVaultProvider must implement this method. It is meant to be implemented in the same way as the AbstractVaultProvider.obtainSecret(String) method from the VaultProvider interface, but the specified vault key must be used as is - i.e. implementations should refrain from processing the key again as the format was already defined by one of the configured key resolvers.

Specified by:
obtainSecretInternal in class AbstractVaultProvider

Parameters:
vaultSecretId - a String representing the name of the entry that is being fetched from the vault.

Returns:
A VaultRawSecret representing the obtained secret. It can be an empty secret if no secret could be obtained using the specified vault key.

public void close()
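The file-per-secret layout and the empty-secret result described above, as an added stand-alone example that is not Keycloak's implementation. `VaultLayoutDemo`, `fileNameFor` and `readSecret` are hypothetical names, the `realm__key` file naming is taken from the layout shown on this page, and the check that the resolved file stays inside the vault directory is an added assumption about how a careful file-based lookup would behave.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Optional;

// Added illustration of the layout documented above. Not Keycloak code.
public class VaultLayoutDemo {

    // Hypothetical helper: builds the file name the way the layout on this page shows it.
    static String fileNameFor(String realm, String key) {
        return realm + "__" + key;
    }

    // Hypothetical lookup: the entry name is used as is, and a missing entry
    // yields an empty result instead of an exception.
    static Optional<byte[]> readSecret(Path vault, String entryName) throws IOException {
        Path root = vault.toRealPath();
        Path candidate = root.resolve(entryName).normalize();
        // Refuse names that resolve outside the vault directory or are not plain files.
        if (!candidate.startsWith(root) || !Files.isRegularFile(candidate)) {
            return Optional.empty();
        }
        // Compare the real path too, so a symlink inside the vault cannot point elsewhere.
        if (!candidate.toRealPath().startsWith(root)) {
            return Optional.empty();
        }
        return Optional.of(Files.readAllBytes(candidate));
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample vault in a temporary directory.
        Path vault = Files.createTempDirectory("vault");
        Files.write(vault.resolve("realma__key1"), "secret-1".getBytes(StandardCharsets.UTF_8));

        Optional<byte[]> hit = readSecret(vault, fileNameFor("realma", "key1"));
        Optional<byte[]> miss = readSecret(vault, fileNameFor("realma", "key3"));
        Optional<byte[]> outside = readSecret(vault, "../realma__key1");

        System.out.println("key1: " + hit.map(b -> new String(b, StandardCharsets.UTF_8)).orElse("<empty>"));
        System.out.println("key3 present: " + miss.isPresent());
        System.out.println("entry outside vault present: " + outside.isPresent());
    }
}
```

Because every secret is a plain-text file, the vault directory's file permissions are the only access control on the stored values.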
Copyright © 2021 JBoss by Red Hat. All rights reserved.