diff --git a/README.md b/README.md index d1040ea0..95a1f189 100644 --- a/README.md +++ b/README.md 
@@ -95,33 +95,34 @@ Available storage backends are: You can configure Tapir passing the following environment variables: -| Variable | Description | Required | Default | -|-----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------|--------------------| -| BACKEND_CONFIG | The database to make use of | X | dynamodb | -| BACKEND_ELASTICSEARCH_HOST | Host of the Elasticsearch instance | Yes, if BACKEND_CONFIG is elasticsearch | | -| BACKEND_AZURE_MASTER_KEY | Master key of your CosmosDb | Yes, if BACKEND_CONFIG is cosmosdb | | -| BACKEND_AZURE_ENDPOINT | Endpoint of your CosmosDb | Yes, if BACKEND_CONFIG is cosmosdb | | -| STORAGE_CONFIG | The blob storage to make use of | X | s3 | -| STORAGE_ACCESS_SESSION_DURATION | Amount of minutes the signed download url is valid | X | 5 | -| AZURE_BLOB_CONNECTION_STRING | [Connection string](https://learn.microsoft.com/en-us/azure/storage/common/storage-configure-connection-string) to use for authentication | Yes, if STORAGE_CONFIG is azureBlob | | -| AZURE_BLOB_CONTAINER_NAME | Blob container name to be used to store module archives | Yes, if STORAGE_CONFIG is azureBlob | tf-registry | -| S3_STORAGE_BUCKET_NAME | S3 bucket name to be used to store module archives | Yes, if STORAGE_CONFIG is s3 | tf-registry | -| S3_STORAGE_BUCKET_REGION | AWS region of the target S3 bucket | Yes, if STORAGE_CONFIG is s3 | eu-central-1 | -| REGISTRY_HOSTNAME | The hostname of the registry, must be set to the DNS record of Tapir | Yes, if STORAGE_CONFIG is local | localhost | -| REGISTRY_PORT | The port 
of the registry | Yes, if STORAGE_CONFIG is local | 443 | -| API_MAX_BODY_SIZE | The maximum payload size for module/providers to be uploaded | X | 100M | -| REGISTRY_GPG_KEYS_0__ID | GPG key ID of the key to be used (eg. D17C807B4156558133A1FB843C7461473EB779BD) | X | | -| REGISTRY_GPG_KEYS_0__ASCII_ARMOR | Ascii armored and bas64 encoded GPG public key (only RSA/DSA supported) | X | | -| AUTH_ENDPOINT | The base URL of the OpenID Connect (OIDC) server, for example, https://host:port/auth. OIDC discovery endpoint will be called by default by appending a '.well-known/openid-configuration' path to this URL. Note if you work with Keycloak OIDC server, make sure the base URL is in the following format: https://host:port/realms/{realm} where {realm} has to be replaced by the name of the Keycloak realm. | | | -| AUTH_CLIENT_ID | The client id | | | -| AUTH_CLIENT_SECRET | Client secret if the client requires one | | | -| AUTH_TOKEN_PATH | Relative path or absolute URL of the OIDC token endpoint which issues access and refresh tokens. | X | | -| AUTH_PATH | Relative path or absolute URL of the OIDC authorization endpoint which authenticates the users. This property must be set for the application if OIDC discovery is not available. | Yes, if the Identity provider does not expose a discovery path | | -| AUTH_ROLE_SOURCE | The source of the role claim in the access token. The default value is 'accesstoken' which means the role claim is expected to be in the access token. If the role claim is in the ID token, set this property to 'idtoken'. If the role claim is in the userinfo endpoint, set this property to 'userinfo'. 
| X | accesstoken | | -| AUTH_TOKEN_ATTRIBUTE_EMAIL | The attribute name in the token where the email is placed in | X | email | -| AUTH_TOKEN_ATTRIBUTE_GIVEN_NAME | The attribute name in the token where the given name is placed in | X | given_name | -| AUTH_TOKEN_ATTRIBUTE_FAMILY_NAME | The attribute name in the token where the family name is placed in | X | family_name | -| AUTH_TOKEN_ATTRIBUTE_PREFERRED_USERNAME | The attribute name in the token where the preferred username is placed in | X | preferred_username | +| Variable | Description | Required | Default | +|-----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------|---------------------------------| +| BACKEND_CONFIG | The database to make use of | X | dynamodb | +| BACKEND_ELASTICSEARCH_HOST | Host of the Elasticsearch instance | Yes, if BACKEND_CONFIG is elasticsearch | | +| BACKEND_AZURE_MASTER_KEY | Master key of your CosmosDb | Yes, if BACKEND_CONFIG is cosmosdb | | +| BACKEND_AZURE_ENDPOINT | Endpoint of your CosmosDb | Yes, if BACKEND_CONFIG is cosmosdb | | +| STORAGE_CONFIG | The blob storage to make use of | X | s3 | +| STORAGE_ACCESS_SESSION_DURATION | Amount of minutes the signed download url is valid | X | 5 | +| AZURE_BLOB_CONNECTION_STRING | [Connection string](https://learn.microsoft.com/en-us/azure/storage/common/storage-configure-connection-string) to use for authentication | Yes, if STORAGE_CONFIG is azureBlob | | +| AZURE_BLOB_CONTAINER_NAME | Blob container name to be used to store module archives | Yes, if STORAGE_CONFIG is azureBlob | 
tf-registry | +| S3_STORAGE_BUCKET_NAME | S3 bucket name to be used to store module archives | Yes, if STORAGE_CONFIG is s3 | tf-registry | +| S3_STORAGE_BUCKET_REGION | AWS region of the target S3 bucket | Yes, if STORAGE_CONFIG is s3 | eu-central-1 | +| REGISTRY_HOSTNAME | The hostname of the registry, must be set to the DNS record of Tapir | Yes, if STORAGE_CONFIG is local | localhost | +| REGISTRY_PORT | The port of the registry | Yes, if STORAGE_CONFIG is local | 443 | +| API_MAX_BODY_SIZE | The maximum payload size for module/providers to be uploaded | X | 100M | +| REGISTRY_GPG_KEYS_0__ID | GPG key ID of the key to be used (eg. D17C807B4156558133A1FB843C7461473EB779BD) | X | | +| REGISTRY_GPG_KEYS_0__ASCII_ARMOR | Ascii armored and bas64 encoded GPG public key (only RSA/DSA supported) | X | | +| AUTH_ENDPOINT | The base URL of the OpenID Connect (OIDC) server, for example, https://host:port/auth. OIDC discovery endpoint will be called by default by appending a '.well-known/openid-configuration' path to this URL. Note if you work with Keycloak OIDC server, make sure the base URL is in the following format: https://host:port/realms/{realm} where {realm} has to be replaced by the name of the Keycloak realm. | | | +| AUTH_CLIENT_ID | The client id | | | +| AUTH_CLIENT_SECRET | Client secret if the client requires one | | | +| AUTH_TOKEN_PATH | Relative path or absolute URL of the OIDC token endpoint which issues access and refresh tokens. | X | | +| AUTH_PATH | Relative path or absolute URL of the OIDC authorization endpoint which authenticates the users. This property must be set for the application if OIDC discovery is not available. | Yes, if the Identity provider does not expose a discovery path | | +| AUTH_ROLE_SOURCE | The source of the role claim in the access token. The default value is 'accesstoken' which means the role claim is expected to be in the access token. If the role claim is in the ID token, set this property to 'idtoken'. 
If the role claim is in the userinfo endpoint, set this property to 'userinfo'. | X | accesstoken | | +| AUTH_TOKEN_ATTRIBUTE_EMAIL | The attribute name in the token where the email is placed in | X | email | +| AUTH_TOKEN_ATTRIBUTE_GIVEN_NAME | The attribute name in the token where the given name is placed in | X | given_name | +| AUTH_TOKEN_ATTRIBUTE_FAMILY_NAME | The attribute name in the token where the family name is placed in | X | family_name | +| AUTH_TOKEN_ATTRIBUTE_PREFERRED_USERNAME | The attribute name in the token where the preferred username is placed in | X | preferred_username | +| END_SESSION_PATH | IDP end session path, will be used to logout | X | /protocol/openid-connect/logout | :information_source: A note on the GPG configuration. Quarkus (and therefore Tapir) is based on [Smallrye microprofile](https://smallrye.io/smallrye-config/2.9.1/config/indexed-properties/) and supports indexed properties. Hence, you can add one or more key specifying indexed properties. See example below for passing two GPG keys (**Mind the two subsequent underscores after the index**): ``` diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml index 3d0f2089..259613a0 100644 --- a/src/main/resources/application.yml +++ b/src/main/resources/application.yml @@ -12,7 +12,7 @@ registry: token-path: ${AUTH_TOKEN_PATH} auth-path: ${AUTH_PATH} role-source: ${AUTH_ROLE_SOURCE:accesstoken} - logout-session-path: ${AUTH_LOGOUT_SESSION_PATH} + end-session-path: ${END_SESSION_PATH:/protocol/openid-connect/logout} token-attributes: email: ${AUTH_TOKEN_ATTRIBUTE_EMAIL:email} givenName: ${AUTH_TOKEN_ATTRIBUTE_GIVEN_NAME:given_name} @@ -87,7 +87,7 @@ quarkus: authentication: id-token-required: false token-path: ${registry.auth.token-path} - end-session-path: ${registry.auth.logout-session-path} + end-session-path: ${registry.auth.end-session-path} authorization-path: ${registry.auth.auth-path} provider: ${registry.auth.provider} s3:
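Review bot: the new `END_SESSION_PATH` row in the README hunk drops the `AUTH_` prefix that every other OIDC variable in this table carries (`AUTH_ENDPOINT`, `AUTH_TOKEN_PATH`, `AUTH_PATH`, `AUTH_ROLE_SOURCE`, `AUTH_TOKEN_ATTRIBUTE_*`), so operators grepping for `AUTH_` to find the identity-provider settings will miss it; `AUTH_END_SESSION_PATH` would match the convention and the `end-session-path` key it feeds. The description "IDP end session path, will be used to logout" should mirror the wording of the `AUTH_TOKEN_PATH` and `AUTH_PATH` rows ("Relative path or absolute URL of the OIDC end session endpoint") so it is clear that a relative value is resolved against `AUTH_ENDPOINT`, and the default `/protocol/openid-connect/logout` is Keycloak's path and should be labelled as such, since the `AUTH_ENDPOINT` row already treats Keycloak as a special case and the table otherwise tells users to rely on discovery. Since the whole table is re-emitted as `+` lines anyway, this is also the moment to fix the pre-existing typos in the `REGISTRY_GPG_KEYS_0__ASCII_ARMOR` row ("Ascii armored and bas64 encoded" should read "ASCII-armored and base64-encoded").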
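Review bot: the first application.yml hunk replaces `logout-session-path: ${AUTH_LOGOUT_SESSION_PATH}` with `end-session-path: ${END_SESSION_PATH:/protocol/openid-connect/logout}`, which renames the environment variable without a migration path: a deployment that still exports `AUTH_LOGOUT_SESSION_PATH` will have that value silently ignored and fall back to the Keycloak default, and the hunk gives no warning or log line for that case. Either keep the old name as a fallback using a nested default, e.g. `end-session-path: ${END_SESSION_PATH:${AUTH_LOGOUT_SESSION_PATH:/protocol/openid-connect/logout}}`, or state the rename as a breaking change in the README and release notes. The default itself deserves a comment: the neighbouring defaults in this block (`accesstoken`, `email`, `given_name`) are provider-neutral, while `/protocol/openid-connect/logout` only exists on Keycloak.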
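Review bot: in the second application.yml hunk, `end-session-path: ${registry.auth.end-session-path}` now always resolves to a value because the indirection it points at carries a default, so `quarkus.oidc.authentication.end-session-path` is set for every deployment, including ones whose `AUTH_ENDPOINT` is a non-Keycloak provider that this file otherwise lets discovery configure (`token-path`, `authorization-path` stay optional). If Quarkus prefers an explicitly configured path over the `end_session_endpoint` returned by discovery, logout on those providers will be sent to a Keycloak-only URL and fail; please verify that precedence against the Quarkus OIDC documentation and, if it holds, either leave the property unset when no variable is provided or document that non-Keycloak users must set the variable explicitly. A one-line comment next to `id-token-required: false`, two lines above, explaining why the ID token is optional for this web-app client would also help the next reader, since RP-initiated logout is the flow that normally consumes it.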