Persistence
Overview#
Persistence is a special container to load initial data for supported persistence.
Versions#
See Packages for available versions.
Environment Variables#
The following environment variables are supported by the container:
CN_CONFIG_ADAPTER
: The config backend adapter, can beconsul
(default) orkubernetes
.CN_CONFIG_CONSUL_HOST
: hostname or IP of Consul (default tolocalhost
).CN_CONFIG_CONSUL_PORT
: port of Consul (default to8500
).CN_CONFIG_CONSUL_CONSISTENCY
: Consul consistency mode (choose one ofdefault
,consistent
, orstale
). Default tostale
mode.CN_CONFIG_CONSUL_SCHEME
: supported Consul scheme (http
orhttps
).CN_CONFIG_CONSUL_VERIFY
: whether to verify cert or not (default tofalse
).CN_CONFIG_CONSUL_CACERT_FILE
: path to Consul CA cert file (default to/etc/certs/consul_ca.crt
). This file will be used if it exists andCN_CONFIG_CONSUL_VERIFY
set totrue
.CN_CONFIG_CONSUL_CERT_FILE
: path to Consul cert file (default to/etc/certs/consul_client.crt
).CN_CONFIG_CONSUL_KEY_FILE
: path to Consul key file (default to/etc/certs/consul_client.key
).CN_CONFIG_CONSUL_TOKEN_FILE
: path to file contains ACL token (default to/etc/certs/consul_token
).CN_CONFIG_KUBERNETES_NAMESPACE
: Kubernetes namespace (default todefault
).CN_CONFIG_KUBERNETES_CONFIGMAP
: Kubernetes configmaps name (default tojans
).CN_CONFIG_KUBERNETES_USE_KUBE_CONFIG
: Load credentials from$HOME/.kube/config
, only useful for non-container environment (default tofalse
).CN_SECRET_ADAPTER
: The secrets' adapter, can bevault
(default),kubernetes
, orgoogle
.CN_SECRET_VAULT_VERIFY
: whether to verify cert or not (default tofalse
).CN_SECRET_VAULT_ROLE_ID_FILE
: path to file contains Vault AppRole role ID (default to/etc/certs/vault_role_id
).CN_SECRET_VAULT_SECRET_ID_FILE
: path to file contains Vault AppRole secret ID (default to/etc/certs/vault_secret_id
).CN_SECRET_VAULT_CERT_FILE
: path to Vault cert file (default to/etc/certs/vault_client.crt
).CN_SECRET_VAULT_KEY_FILE
: path to Vault key file (default to/etc/certs/vault_client.key
).CN_SECRET_VAULT_CACERT_FILE
: path to Vault CA cert file (default to/etc/certs/vault_ca.crt
). This file will be used if it exists andCN_SECRET_VAULT_VERIFY
set totrue
.CN_SECRET_VAULT_ADDR
: URL of Vault (default tohttp://localhost:8200
).CN_SECRET_VAULT_NAMESPACE
: Namespace used to access secrets (default to empty string).CN_SECRET_VAULT_KV_PATH
: Path to KV secrets engine (default tosecret
).CN_SECRET_VAULT_PREFIX
: Base prefix name used to build secret path (default tojans
).CN_SECRET_VAULT_APPROLE_PATH
: Path to AppRole (default toapprole
).CN_SECRET_KUBERNETES_NAMESPACE
: Kubernetes namespace (default todefault
).CN_SECRET_KUBERNETES_SECRET
: Kubernetes secrets name (default tojans
).CN_SECRET_KUBERNETES_USE_KUBE_CONFIG
: Load credentials from$HOME/.kube/config
, only useful for non-container environment (default tofalse
).CN_WAIT_MAX_TIME
: How long the startup "health checks" should run (default to300
seconds).CN_WAIT_SLEEP_DURATION
: Delay between startup "health checks" (default to10
seconds).CN_OXTRUST_CONFIG_GENERATION
: Whether to generate oxShibboleth configuration or not (default totrue
).CN_CACHE_TYPE
: Supported values areIN_MEMORY
,REDIS
,MEMCACHED
, andNATIVE_PERSISTENCE
(default toNATIVE_PERSISTENCE
).CN_EXT_SIGNING_JWKS_URI
: URI of external signing JWKS (default is "").CN_REDIS_URL
: URL of Redis server, format is host:port (optional; default tolocalhost:6379
).CN_REDIS_TYPE
: Redis service type, eitherSTANDALONE
orCLUSTER
(optional; default toSTANDALONE
).CN_MEMCACHED_URL
: URL of Memcache server, format is host:port (optional; default tolocalhost:11211
).CN_PERSISTENCE_TYPE
: Persistence backend being used (couchbase
,sql
, orhybrid
; default tosql
).CN_HYBRID_MAPPING
: Specify data mapping for each persistence (default to"{}"
). Note this environment only takes effect whenCN_PERSISTENCE_TYPE
is set tohybrid
. See hybrid mapping section for details.CN_PERSISTENCE_SKIP_INITIALIZED
: skip initialization if backend already initialized (default tofalse
).CN_PERSISTENCE_UPDATE_AUTH_DYNAMIC_CONFIG
: Whether to allow automatic updates ofjans-auth
configuration (default totrue
).CN_COUCHBASE_URL
: Address of Couchbase server (default tolocalhost
).CN_COUCHBASE_USER
: Username of Couchbase server (default toadmin
).CN_COUCHBASE_SUPERUSER
: Superuser of Couchbase server (default to empty-string).CN_COUCHBASE_CERT_FILE
: Couchbase root certificate location (default to/etc/certs/couchbase.crt
).CN_COUCHBASE_PASSWORD_FILE
: Path to file contains Couchbase password (default to/etc/jans/conf/couchbase_password
).CN_COUCHBASE_SUPERUSER_PASSWORD_FILE
: Path to file contains Couchbase superuser password (default to/etc/jans/conf/couchbase_superuser_password
).CN_DOCUMENT_STORE_TYPE
: Document store type (one ofLOCAL
orDB
; default toDB
).CN_JACKRABBIT_URL
: URL to remote repository (default tohttp://localhost:8080
).CN_JACKRABBIT_ADMIN_ID_FILE
: Absolute path to file contains ID for admin user (default to/etc/jans/conf/jackrabbit_admin_id
).CN_JACKRABBIT_ADMIN_PASSWORD_FILE
: Absolute path to file contains password for admin user (default to/etc/gluu/conf/jackrabbit_admin_password
).GOOGLE_APPLICATION_CREDENTIALS
: Optional JSON file (contains Google credentials) that can be injected into container for authentication. Refer to https://cloud.google.com/docs/authentication/provide-credentials-adc#how-to for supported credentials.GOOGLE_PROJECT_ID
: ID of Google project.CN_GOOGLE_SECRET_VERSION_ID
: Janssen secret version ID in Google Secret Manager. Defaults tolatest
, which is recommended.CN_GOOGLE_SECRET_NAME_PREFIX
: Prefix for Janssen secret in Google Secret Manager. Defaults tojans
. If leftjans-secret
secret will be created.CN_GOOGLE_SECRET_MANAGER_PASSPHRASE
: Passphrase for Janssen secret in Google Secret Manager. This is recommended to be changed and defaults tosecret
.CN_SQL_DB_HOST
: Hostname of the SQL database (default tolocalhost
).CN_SQL_DB_PORT
: Port of the SQL database (default to3306
for MySQL).CN_SQL_DB_NAME
: SQL database name (default tojans
).CN_SQL_DB_USER
: User name to access the SQL database (default tojans
).CN_SQL_DB_DIALECT
: Dialect name of the SQL (mysql
for MySQL orpgsql
for PostgreSQL; default tomysql
).CN_SQL_DB_TIMEZONE
: Timezone used by the SQL database (default toUTC
).CN_SQL_DB_SCHEMA
: Schema name used by SQL database (default to empty-string; if using MySQL, the schema name will be resolved as the database name, whereas in PostgreSQL the schema name will be resolved as"public"
).CN_AWS_SECRETS_ENDPOINT_URL
: The URL of AWS secretsmanager service (if omitted, will use the one in specified region).CN_AWS_SECRETS_PREFIX
: The prefix name of the secrets (default tojans
).CN_AWS_SECRETS_REPLICA_FILE
: The location of file contains replica regions definition (if any). This file is mostly used in primary region. Example of contents of the file:[{"Region": "us-west-1"}]
.AWS_DEFAULT_REGION
: The default AWS Region to use, for example,us-west-1
orus-west-2
.AWS_SHARED_CREDENTIALS_FILE
: The location of the shared credentials file used by the client (see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html).AWS_CONFIG_FILE
: The location of the config file used by the client (see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html).AWS_PROFILE
: The default profile to use, if any.CN_MESSAGE_TYPE
: Message provider type (one ofDISABLED
,POSTGRES
, andREDIS
; default toDISABLED
).
Hybrid mapping#
As per v1.0.1, hybrid persistence supports all available persistence types. To configure hybrid persistence and its data mapping, follow steps below:
-
Set
CN_PERSISTENCE_TYPE
environment variable tohybrid
-
Set
CN_HYBRID_MAPPING
with the following format:{ "default": "<couchbase|sql>", "user": "<couchbase|sql>", "site": "<couchbase|sql>", "cache": "<couchbase|sql>", "token": "<couchbase|sql>", "session": "<couchbase|sql>", }
Example:
{ "default": "sql", "user": "sql", "site": "sql", "cache": "sql", "token": "couchbase", "session": "sql", }
Last update:
2024-11-12
Created: 2021-11-26
Created: 2021-11-26