macma/macma-keycloak-mssql

Database vendor.
Valid values: ORACLE, MSSQL

Yes

-

Database connection string. In case it is provided, this will have higher priority than DB_ADDR, DB_DATABASE, DB_PORT, even if they are configured. In case it is not provided, DB_ADDR, DB_DATABASE, DB_PORT must be provided to build the database connection string;

No

-

Hostname of the database server. Required if NEXEED_MACMA_KEYCLOAK_DB_URL is not provided.

No

-

Name of the database. Required if NEXEED_MACMA_KEYCLOAK_DB_URL is not provided.

No

-

Port of the database connection. For MSSQL typically 1433. Required if NEXEED_MACMA_KEYCLOAK_DB_URL is not provided.

No

-

Username for connection to database server. For MSSQL its default schema has to match DB_SCHEMA.

Yes

-

Password for connection to database server.

Yes

-

Specify the Duration between liveness-checks for pooled DB connections (optional, default is '55S' as it should not be the same value as idle-timeout(minutes)); the format for durations uses the standard java.time.Duration format. You can learn more about it in the [Duration#parse() javadoc](https://docs.oracle.com/javase/8/docs/api/java/time/Duration.html#parse-java.lang.CharSequence-). Influences failover behavior.

No

55S

Schema to use (MSSQL only). Needs to be default schema of DB_USER.

yes (on MSSQL)

dbo

Minimum db connection pool size (MSSQL only).

No

30

Maximum db connection pool size (MSSQL only).

No

100

Additional parameters for JDBC connection string. These parameters are only applied to MSSQL database connections. Can be set if NEXEED_MACMA_KEYCLOAK_DB_URL is not provided.
If encryption is enabled at your MSSQL database server, make sure to properly set encrypt and trustServerCertificate. See also MSSQL JDBC documentation regarding connecting with encryption.

encrypt=true;trustServerCertificate=false;

No

-

Admin user for Keycloak.

Yes

-

Password for admin user for Keycloak.

Yes

-

Hostname of the server where MACMA Keycloak will run.

yes

-

Public URL to reach MACMA Keycloak. This is important for correct functioning of OAuth2 login flows.

Yes

-

HTTP port.

Yes

80

HTTPS port.

Yes

443

Context path "in between" the origin and specific paths offered by Keycloak. If MACMA is offered under a sub-path (e.g. `https://testSystemA.de.bosch.com:8088/iam/`) (instead of a sub-domain like `https://iam.testSystemA.de.bosch.com:8088/`) this should be set to the sub-path (here `iam`).

no

"iam"

Client secret of the admin client in the master realm, which is required by MACMA to control Keycloak.

Yes

-

When running Keycloak behind a reverse proxy (or ingress), proxy address forwarding must be enabled. Provide edge, reencrypt or passthrough in order to activate.
The edge value automatically sets http.enabled=true and http.proxy-address-forwarding=true. This mode is suitable for deployments with a highly secure internal network where the reverse proxy keeps a secure connection (HTTP over TLS) with clients while communicating with Keycloak using HTTP.
The reencrypt value automatically sets http.proxy-address-forwarding=true and require the server to be configured with its own pair of keys and certificates so that the HTTPS listener can be properly set. This mode is suitable for deployments where internal communication between the reverse proxy and Keycloak should also be protected where different keys and certificates can be used on the reverse proxy as well as on Keycloak.
The passthrough value automatically sets http.proxy-address-forwarding=true. This mode is suitable for deployments where the reverse proxy is only forwarding the requests to the Keycloak server so that secure connections between the server and clients are based on the keys and certificates used by the Keycloak server itself.
See https://github.com/keycloak/keycloak-community/blob/main/design/keycloak.x/configuration.md for more details about KEYCLOAK_PROXY

Yes

edge

Sets the timeout in seconds for MACMA’s Keycloak migrations that run during startup.

No

3600

Sets the timeout that applies to all Keycloak transactions managed by the transaction manager; the format for durations uses the standard java.time.Duration format (https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/time/Duration.html#parse(java.lang.CharSequence))

No

PT3600S

Valid values: jdbc-ping, kubernetes (see https://www.keycloak.org/server/caching#_transport_stacks for more details).
By default, the Keycloak docker image is configured to run in High-Availability mode in a kubernetes environment. In order for this to work a minimum extra configuration is needed: -Djgroups.dns.query=<headless-service-FQDN> needs to be added to JAVA_OPTS_APPEND environment variable

No

kubernetes

Socket inactivity timeout in milliseconds. Can be increased if you have integrated slow IDPs and get sporadic `Unexpected error when authenticating with identity provider` while authenticating with an identity provider _and_ you have ruled out other possibilities.

No

15000

Sets the timeout (in milliseconds) when trying to make an initial socket connection for outgoing calls.

No

5000

Disable TLS / HTTPS. Set to true, if LOCAL_NETWORK_BASE_URL is http.

No

true

Import all default certificates from the Ubuntu ca-certificates package to Java. Custom certificates that are mounted to /certificates are imported as well. Required to enable TLS.

No

true

Enable OpenTelemetry agent.

No

false

Enable OpenTelemetry agent.

No

false

URL of the elastic APM server.

Yes (if enabled by OTEL_ENABLED)

-

Logs exporter to be used.

No

none

Metrics exporter to be used.

No

none

Traces exporter to be used.

No

none

The transport protocol of OpenTelemetry Exporter.

No

grpc

Specifies the Sampler used to sample traces by the OpenTelemetry SDK.

No

parentbased_always_on

Specifies argument for the trace smapler. Each Sampler type defines its own expected input.

No

-

Key-value pairs to be used as resource attributes for OpenTelemetry SDK, containing e.g. service.name, service.version, deployment.environment.

Yes (if enabled by OTEL_ENABLED)

-

Header of OpenTelemetry exporter including authentication at the APM server.

Yes (if enabled by OTEL_ENABLED)

-

Default loglevel except for the following explicit settings.

No

WARN

Loglevel for everything Keycloak

No

WARN

Loglevel for keycloak infinispan cache logger.

No

WARN

Loglevel for JGroups

No

WARN

Enable cache statistics on the /metrics endpoint.

No

false

Size of cache persisted realm data.

No

10000

Specifies the maximum amount of time, in milliseconds, that realm data cache entries can remain idle. Can be disabled with a value of -1.

No

-1

Size of cache persisted users data

No

10000

Specifies the maximum amount of time, in milliseconds, that users data cache entries can remain idle. Can be disabled with a value of -1.

No

-1

Size of cache persisted authorization data.

No

10000

Specifies the maximum amount of time, in milliseconds, that authorization data cache entries can remain idle. Can be disabled with a value of -1.

No

-1

Size of cache persisted external public keys.

No

1000

Specifies the maximum amount of time, in milliseconds, that keys data cache entries can remain idle. Can be disabled with a value of -1.

No

3600000

The timeout (in ms) used to wait for an acknowledgment when making a remote call to another keycloak instance, after which the call is aborted and an exception is thrown.

No

15000

Maximum time to attempt a particular lock acquisition.

No

10000

Size of cache persisted user session data.

No

10000

Size of cache persisted client session data.

No

10000

Size of cache persisted offline user session data.

No

10000

Size of cache persisted offline client session data.

No

10000

Size of cache X.509 authenticator data.

No

10000

The locking mode for all keycloak infinispan cache, one of OPTIMISTIC or PESSIMISTIC.

No

OPTIMISTIC

Specify the initial Java heap size percentage from the containers limit (optional, default is `20`)

No

20

Specify the maximum Java heap size percentage from the containers limit (optional, default is `80`)

No

80

If the number of records in a database table exceeds this threshold, the index is not created. Instead, you will find a warning in the server logs with the SQL commands that you can apply manually. To disable this threshold set a value ≤ 0. (optional, default is `0`)

No

0

Base URL for Microsoft Graph API

No

https://graph.microsoft.com/v1.0

If this is disabled the Brute Force Protector will reject all login attempts (including correct password attempts) that occur while another login is in progress in the same server.

No

true

Comma sepreated list of allowed frame ancestors in the CSP Header.

No

Comma separated list of frame ancestors to be removed from the CSP Header.

No

The timeout to wait for running requests to finish. If this is not set then the application will exit immediately. Setting this timeout will incur a small performance penalty, as it requires active requests to be tracked.

No

45

Flag to enable a delay where Keycloak initiates a shutdown.

No

false

Delay between shutdown being requested and actually initiated (pre-shutdwon phase). In pre-shutdown, the server continues working as usual, except a readiness probe starts reporting "down". Useful to give infrastructure time to detect and react. Only applied when delay is enabled.

No

15

Enable additional metrics for Keycloak, such as user activities, http and cache histograms.

No

false