Configuration property fixed at build time - All other configuration properties are overridable at runtime

Configuration property

Type

Default

Whether or not a health check is published in case the smallrye-health extension is present.

Environment variable: QUARKUS_VAULT_HEALTH_ENABLED

boolean

false

Specifies if being a standby should still return the active status code instead of the standby status code.

Environment variable: QUARKUS_VAULT_HEALTH_STAND_BY_OK

boolean

false

Specifies if being a performance standby should still return the active status code instead of the performance standby status code.

Environment variable: QUARKUS_VAULT_HEALTH_PERFORMANCE_STAND_BY_OK

boolean

false

If DevServices has been explicitly enabled or disabled. DevServices is generally enabled by default, unless there is an existing configuration present.

When DevServices is enabled Quarkus will attempt to automatically configure and start a vault instance when running in Dev or Test mode and when Docker is running.

Environment variable: QUARKUS_VAULT_DEVSERVICES_ENABLED

boolean

true

The container image name to use, for container based DevServices providers.

Environment variable: QUARKUS_VAULT_DEVSERVICES_IMAGE_NAME

string

Indicates if the Vault instance managed by Quarkus Dev Services is shared. When shared, Quarkus looks for running containers using label-based service discovery. If a matching container is found, it is used, and so a second one is not started. Otherwise, Dev Services for Vault starts a new container.

The discovery uses the quarkus-dev-service-vault label. The value is configured using the service-name property.

Container sharing is only used in dev mode.

Environment variable: QUARKUS_VAULT_DEVSERVICES_SHARED

boolean

true

The value of the quarkus-dev-service-vault label attached to the started container. This property is used when shared is set to true. In this case, before starting a container, Dev Services for Vault looks for a container with the quarkus-dev-service-vault label set to the configured value. If found, it will use this container instead of starting a new one. Otherwise it starts a new container with the quarkus-dev-service-vault label set to the specified value.

This property is used when you need multiple shared Vault instances.

Environment variable: QUARKUS_VAULT_DEVSERVICES_SERVICE_NAME

string

vault

Optional fixed port the dev service will listen to.

If not defined, the port will be chosen randomly.

Environment variable: QUARKUS_VAULT_DEVSERVICES_PORT

int

Should the Transit secret engine be enabled

Environment variable: QUARKUS_VAULT_DEVSERVICES_TRANSIT_ENABLED

boolean

false

Should the PKI secret engine be enabled

Environment variable: QUARKUS_VAULT_DEVSERVICES_PKI_ENABLED

boolean

false

Custom container initialization commands

Environment variable: QUARKUS_VAULT_DEVSERVICES_INIT_COMMANDS

list of string

Microprofile Config ordinal.

This is provided as an alternative to the config_ordinal property defined by the specification, to make it easier and more natural for applications to override the default ordinal.

The default value is higher than the file system or jar ordinals, but lower than env vars.

Environment variable: QUARKUS_VAULT_CONFIG_ORDINAL

int

270

Vault server URL. Example: https://localhost:8200

See also the documentation for the kv-secret-engine-mount-path property for some insights on how the full Vault URL gets built.

Environment variable: QUARKUS_VAULT_URL

URL

Renew grace period duration.

This value is used to extend a lease before it expires its ttl, or to recreate a new lease before the current lease reaches its max_ttl. By default the Vault leaseDuration is equal to 7 days (i.e. 168h or 604800s). If a connection pool maxLifetime is set, it is reasonable to set the renewGracePeriod to be greater than the maxLifetime, so that we are sure to get a chance to renew leases before we reach the ttl. In any case you need to make sure there will be attempts to fetch secrets within the renewGracePeriod, because that is when the renewals will happen. This is particularly important for db dynamic secrets because if the lease reaches its ttl or max_ttl, the password of the db user will become invalid and it will no longer be possible to log in. This value should also be smaller than the ttl, otherwise we would try to recreate leases all the time.
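The following is an added, simplified model of the renew-grace-period rule described above, written for this page; it is not the extension's own lease manager, and the names Lease, plan_on_fetch and check_renew_grace_period are assumptions. It shows the three outcomes of a secret fetch (outside the grace window, renew below max_ttl, recreate when max_ttl is within reach) and the two configuration checks the description implies (grace period smaller than the ttl, grace period greater than the pool maxLifetime).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Simplified model of Vault lease handling for this example (not the extension's code):
# a renewal extends the expiry by at most the lease ttl, and never past issued_at + max_ttl.


@dataclass
class Lease:
    issued_at: datetime      # when the secret (e.g. a dynamic db credential) was created
    ttl: timedelta           # Vault lease_duration; each renewal extends by at most this
    max_ttl: timedelta       # hard limit, counted from issued_at
    expires_at: datetime     # current expiry

    @property
    def hard_limit(self) -> datetime:
        return self.issued_at + self.max_ttl


def plan_on_fetch(lease: Lease, now: datetime, renew_grace_period: timedelta):
    """Decide what a secret fetch at `now` does with the lease.

    Returns (action, expires_at):
      "keep"     - expiry is still further away than the grace period; nothing to do
      "renew"    - inside the grace window and there is room below max_ttl; extend
      "recreate" - inside the grace window but max_ttl is within reach; a fresh
                   credential is needed because the old one stops working at max_ttl
    """
    if now + renew_grace_period < lease.expires_at:
        return "keep", lease.expires_at
    if lease.hard_limit - now <= renew_grace_period:
        return "recreate", None
    new_expiry = min(now + lease.ttl, lease.hard_limit)
    return "renew", new_expiry


def check_renew_grace_period(renew_grace_period: timedelta, ttl: timedelta,
                             pool_max_lifetime: timedelta = None) -> list:
    """Return the configuration warnings implied by the description above."""
    warnings = []
    if renew_grace_period >= ttl:
        warnings.append("renew-grace-period is not smaller than the lease ttl: "
                        "every fetch would recreate the lease")
    if pool_max_lifetime is not None and renew_grace_period <= pool_max_lifetime:
        warnings.append("renew-grace-period should be greater than the connection pool "
                        "maxLifetime so that a fetch lands inside the grace window")
    return warnings


# Constructed scenario: 1h lease, 3h max_ttl, 20 minute grace period.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
HOUR = timedelta(hours=1)
MINUTE = timedelta(minutes=1)
GRACE = 20 * MINUTE
SAMPLE_LEASE = Lease(issued_at=T0, ttl=HOUR, max_ttl=3 * HOUR, expires_at=T0 + HOUR)

if __name__ == "__main__":
    for minutes in (30, 45):
        print(minutes, plan_on_fetch(SAMPLE_LEASE, T0 + minutes * MINUTE, GRACE))
    print(check_renew_grace_period(GRACE, HOUR, pool_max_lifetime=30 * MINUTE))
```

Walking the sample lease forward, a fetch at 30 minutes keeps the lease, a fetch at 45 minutes renews it to 1h45m, and once the expiry sits at the 3h hard limit a fetch at 2h50m asks for a new credential instead of a renewal.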

Environment variable: QUARKUS_VAULT_RENEW_GRACE_PERIOD

Duration

1H

Vault config source cache period.

Properties fetched from Vault as MP config will be kept in a cache, and will not be fetched from Vault again until that period expires. This property is ignored if secret-config-kv-path is not set.

Environment variable: QUARKUS_VAULT_SECRET_CONFIG_CACHE_PERIOD

Duration

10M

List of comma separated Vault paths in the KV store, where all properties will be available as MP config properties as-is, with no prefix.

For instance, if Vault contains property foo, it will be made available to the Quarkus application as @ConfigProperty(name = "foo") String foo;

If 2 paths contain the same property, the last path wins.

For instance, if

  • secret/base-config contains foo=bar and

  • secret/myapp/config contains foo=myappbar,

then @ConfigProperty(name = "foo") String foo will have value myappbar with application properties quarkus.vault.secret-config-kv-path=base-config,myapp/config

See also the documentation for the kv-secret-engine-mount-path property for some insights on how the full Vault URL gets built.

Environment variable: QUARKUS_VAULT_SECRET_CONFIG_KV_PATH

list of string

Maximum number of attempts when fetching MP Config properties on the initial connection.

Environment variable: QUARKUS_VAULT_MP_CONFIG_INITIAL_ATTEMPTS

int

1

Used to hide confidential information, for logging in particular. Possible values are:

  • low: display all secrets.

  • medium: display only usernames and lease ids (i.e. passwords and tokens are masked).

  • high: hide lease ids and dynamic credentials usernames.
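As an added illustration of the three levels above (not the extension's own log masking code), the function below applies the masking rules to a credential record before it is logged. The classification of fields into "secrets" and "identifying" values, and the names LogConfidentialityLevel, mask_for_log and parse_level, are assumptions made for this example; the sample credential is constructed.

```python
from enum import Enum


class LogConfidentialityLevel(Enum):
    LOW = "low"        # display all secrets
    MEDIUM = "medium"  # passwords and tokens masked; usernames and lease ids shown
    HIGH = "high"      # additionally hide lease ids and dynamic credential usernames


MASK = "***"
# Assumed classification for this example: masked at medium and above ...
SECRET_FIELDS = {"password", "client_token", "secret_id", "wrapping_token"}
# ... and masked only at high.
IDENTIFYING_FIELDS = {"lease_id", "username"}


def parse_level(text: str) -> LogConfidentialityLevel:
    """Parse a quarkus.vault.log-confidentiality-level value; empty means the default, medium."""
    if text is None or text.strip() == "":
        return LogConfidentialityLevel.MEDIUM
    return LogConfidentialityLevel(text.strip().lower())


def mask_for_log(record: dict, level: LogConfidentialityLevel) -> dict:
    """Return a copy of `record` with the fields hidden at `level` replaced by MASK."""
    masked = {}
    for key, value in record.items():
        if level is not LogConfidentialityLevel.LOW and key in SECRET_FIELDS:
            masked[key] = MASK
        elif level is LogConfidentialityLevel.HIGH and key in IDENTIFYING_FIELDS:
            masked[key] = MASK
        else:
            masked[key] = value
    return masked


def format_log_line(record: dict, level: LogConfidentialityLevel) -> str:
    """Render the masked record as a key=value log line."""
    return " ".join(f"{k}={v}" for k, v in mask_for_log(record, level).items())


# Constructed sample of what a dynamic database credential response might carry.
SAMPLE_CREDENTIAL = {
    "lease_id": "database/creds/myapp/EXAMPLE-LEASE-ID",
    "username": "v-approle-myapp-EXAMPLE",
    "password": "EXAMPLE-PASSWORD",
}

if __name__ == "__main__":
    for level in LogConfidentialityLevel:
        print(level.value, "->", format_log_line(SAMPLE_CREDENTIAL, level))
```

At the default level the log line still identifies which lease and which database user is involved, which is what you want when correlating renewal problems, while the password itself never reaches the log.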

Environment variable: QUARKUS_VAULT_LOG_CONFIDENTIALITY_LEVEL

low, medium, high

medium

KV secret engine version.

See https://www.vaultproject.io/docs/secrets/kv/index.html

Environment variable: QUARKUS_VAULT_KV_SECRET_ENGINE_VERSION

int

2

KV secret engine path.

This value is used when building the URL path in the KV secret engine programmatic access (i.e. VaultKVSecretEngine) and the Vault config source (i.e. fetching configuration properties from Vault).

For a v2 KV secret engine (the default; see the kv-secret-engine-version property) the full URL is built from the expression <url>/v1/<kv-secret-engine-mount-path>/data/…

With property quarkus.vault.url=https://localhost:8200, the call vaultKVSecretEngine.readSecret("foo/bar") would eventually lead to a GET on Vault with the following URL: https://localhost:8200/v1/secret/data/foo/bar.

With a KV secret engine v1, the URL changes to <url>/v1/<kv-secret-engine-mount-path>/…

The same logic is applied to the Vault config source. With quarkus.vault.secret-config-kv-path=config/myapp, the secret properties would be fetched from Vault using a GET on https://localhost:8200/v1/secret/data/config/myapp for a KV secret engine v2 (or https://localhost:8200/v1/secret/config/myapp for a KV secret engine v1).

See https://www.vaultproject.io/docs/secrets/kv/index.html
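The URL rules above, carried through for both engine versions, as an added example that is not part of the extension's code. kv_secret_url reproduces the two expressions given in the description; kv_secret_data shows the other side of the same version difference, namely that a KV v2 read response nests the secret under data.data (next to data.metadata) while KV v1 puts it directly under data. The function names and the sample response bodies are constructed for this example.

```python
def kv_secret_url(vault_url: str, secret_path: str,
                  mount_path: str = "secret", kv_version: int = 2) -> str:
    """Build the URL that a KV read (or a config source fetch) issues a GET to.

    Defaults mirror the properties on this page: mount path "secret", KV v2.
    """
    base = vault_url.rstrip("/")
    mount = mount_path.strip("/")
    path = secret_path.strip("/")
    if kv_version == 2:
        return f"{base}/v1/{mount}/data/{path}"   # v2 inserts the /data/ segment
    if kv_version == 1:
        return f"{base}/v1/{mount}/{path}"
    raise ValueError(f"unsupported kv-secret-engine-version: {kv_version}")


def kv_secret_data(response_body: dict, kv_version: int = 2) -> dict:
    """Extract the key/value map from a KV read response body (already JSON-decoded)."""
    if kv_version == 2:
        return dict(response_body["data"]["data"])   # v2: secret under data.data
    if kv_version == 1:
        return dict(response_body["data"])           # v1: secret directly under data
    raise ValueError(f"unsupported kv-secret-engine-version: {kv_version}")


# Constructed sample responses (shape only; the values are made up).
SAMPLE_V2_RESPONSE = {"data": {"data": {"foo": "bar"}, "metadata": {"version": 3}}}
SAMPLE_V1_RESPONSE = {"data": {"foo": "bar"}}

if __name__ == "__main__":
    for version in (2, 1):
        print(version, kv_secret_url("https://localhost:8200", "foo/bar", kv_version=version))
        print(version, kv_secret_url("https://localhost:8200", "config/myapp", kv_version=version))
```

A mismatch between kv-secret-engine-version and the engine actually mounted shows up as either a 404 from the wrong path or a KeyError when the response is unpacked with the wrong nesting, which is the first thing to check when properties unexpectedly fail to resolve.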

Environment variable: QUARKUS_VAULT_KV_SECRET_ENGINE_MOUNT_PATH

string

secret

Timeout to establish a connection with Vault.

Environment variable: QUARKUS_VAULT_CONNECT_TIMEOUT

Duration

5S

Request timeout on Vault.

Environment variable: QUARKUS_VAULT_READ_TIMEOUT

Duration

5S

List of remote hosts that are not proxied when the client is configured to use a proxy. This list serves the same purpose as the JVM nonProxyHosts configuration.

Entries can use the * wildcard character for pattern matching, e.g *.example.com matches www.example.com.

Environment variable: QUARKUS_VAULT_NON_PROXY_HOSTS

list of string

The proxy host. If set the client is configured to use a proxy.

Environment variable: QUARKUS_VAULT_PROXY_HOST

string

The port the proxy is listening on, 3128 by default.

Environment variable: QUARKUS_VAULT_PROXY_PORT

int

3128

List of comma separated Vault paths in the KV store, where all properties will be available as prefixed MP config properties.

For instance, if the application properties contain quarkus.vault.secret-config-kv-path.myprefix=config, and Vault path secret/config contains foo=bar, then myprefix.foo will be available in the MP config.

If the same property is available in 2 different paths for the same prefix, the last one wins.

See also the documentation for the quarkus.vault.kv-secret-engine-mount-path property for some insights on how the full Vault URL gets built.
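The merge rules for both the unprefixed secret-config-kv-path property (described earlier on this page) and the prefixed variant above, as an added simulation that is not the extension's own config source. Vault is replaced by an in-memory dict keyed by mount/path so the example runs offline; the paths, property names and values are constructed, and the function names are assumptions. It reproduces the two worked cases from the descriptions: base-config,myapp/config yielding foo=myappbar, and myprefix=config yielding myprefix.foo=bar.

```python
# Constructed stand-in for a KV mount named "secret": "<mount>/<path>" -> properties.
FAKE_VAULT = {
    "secret/base-config": {"foo": "bar", "greeting": "hello"},
    "secret/myapp/config": {"foo": "myappbar"},
    "secret/config": {"foo": "bar"},
}

UNPREFIXED_KEY = "quarkus.vault.secret-config-kv-path"
PREFIXED_KEY = UNPREFIXED_KEY + "."
MOUNT_KEY = "quarkus.vault.kv-secret-engine-mount-path"


def read_kv(vault: dict, mount_path: str, kv_path: str) -> dict:
    """Look up one KV path; an unknown path contributes nothing."""
    key = f"{mount_path.strip('/')}/{kv_path.strip('/')}"
    return dict(vault.get(key, {}))


def split_list(value: str) -> list:
    """Split a comma separated property value into its non-empty entries."""
    return [part.strip() for part in value.split(",") if part.strip()]


def build_config_source(app_properties: dict, vault: dict = FAKE_VAULT) -> dict:
    """Compute the MP config properties the Vault config source would expose."""
    mount = app_properties.get(MOUNT_KEY, "secret")
    result = {}
    # Unprefixed paths, in the order listed: a later path overrides an earlier one.
    for path in split_list(app_properties.get(UNPREFIXED_KEY, "")):
        result.update(read_kv(vault, mount, path))
    # Prefixed paths: quarkus.vault.secret-config-kv-path.<prefix>=a,b exposes <prefix>.<name>,
    # again with the last listed path winning for the same prefix.
    for key, value in app_properties.items():
        if key.startswith(PREFIXED_KEY):
            prefix = key[len(PREFIXED_KEY):]
            for path in split_list(value):
                for name, v in read_kv(vault, mount, path).items():
                    result[f"{prefix}.{name}"] = v
    return result


# Constructed application.properties content for the two cases on this page.
SAMPLE_APP_PROPERTIES = {
    UNPREFIXED_KEY: "base-config,myapp/config",
    PREFIXED_KEY + "myprefix": "config",
}

if __name__ == "__main__":
    for name, value in sorted(build_config_source(SAMPLE_APP_PROPERTIES).items()):
        print(f"{name}={value}")
```

Reversing the order of the unprefixed list flips the winner back to foo=bar, which is worth remembering when a shared base path and an application-specific path both define the same key.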

Environment variable: QUARKUS_VAULT_SECRET_CONFIG_KV_PATH__PREFIX_

list of string

required

Dynamic credentials' role.

Roles are defined by the secret engine in use. For example, database credentials roles are defined by the database secrets engine described at Vault Databases (https://www.vaultproject.io/docs/secrets/databases/index.html).

One of credentials-role or kv-path needs to be defined, not both.

Environment variable: QUARKUS_VAULT_CREDENTIALS_PROVIDER__CREDENTIALS_PROVIDER__CREDENTIALS_ROLE

string

Mount of the dynamic credentials secrets engine, for example database or rabbitmq.

Only used when credentials-role is defined.

Environment variable: QUARKUS_VAULT_CREDENTIALS_PROVIDER__CREDENTIALS_PROVIDER__CREDENTIALS_MOUNT

string

database

Path of the dynamic credentials request.

Request paths are dictated by the secret engine in use. For standard secret engines this should be left as the default of creds.

Only used when credentials-role is defined.

Environment variable: QUARKUS_VAULT_CREDENTIALS_PROVIDER__CREDENTIALS_PROVIDER__CREDENTIALS_REQUEST_PATH

string

creds

A path in the Vault KV store, where we will find the kv-key.

One of database-credentials-role or kv-path needs to be defined, not both.

See KV Secrets Engine (https://www.vaultproject.io/docs/secrets/kv/index.html)

Environment variable: QUARKUS_VAULT_CREDENTIALS_PROVIDER__CREDENTIALS_PROVIDER__KV_PATH

string

Key name to search in Vault path kv-path. The value for that key is the credential.

kv-key should not be defined if kv-path is not.

See KV Secrets Engine (https://www.vaultproject.io/docs/secrets/kv/index.html)

Environment variable: QUARKUS_VAULT_CREDENTIALS_PROVIDER__CREDENTIALS_PROVIDER__KV_KEY

string

password

Vault Enterprise

Type

Default

Vault Enterprise namespace.

If set, this will add an X-Vault-Namespace header to all requests sent to the Vault server.

See https://www.vaultproject.io/docs/enterprise/namespaces

Environment variable: QUARKUS_VAULT_ENTERPRISE_NAMESPACE

string

Authentication

Type

Default

Vault token, bypassing Vault authentication (kubernetes, userpass or approle). This is useful in development where an authentication mode might not have been set up. In production we will usually prefer some authentication such as userpass, or preferably kubernetes, where Vault tokens get generated with a TTL and some ability to revoke them. Lease renewal does not apply.

Environment variable: QUARKUS_VAULT_AUTHENTICATION_CLIENT_TOKEN

string

Client token wrapped in a wrapping token, such as what is returned by:

vault token create -wrap-ttl=60s -policy=myapp

client-token and client-token-wrapping-token are exclusive. Lease renewal does not apply.

Environment variable: QUARKUS_VAULT_AUTHENTICATION_CLIENT_TOKEN_WRAPPING_TOKEN

string

Role Id for AppRole auth method. This property is required when selecting the app-role authentication type.

Environment variable: QUARKUS_VAULT_AUTHENTICATION_APP_ROLE_ROLE_ID

string

Secret Id for AppRole auth method. This property is required when selecting the app-role authentication type.

Environment variable: QUARKUS_VAULT_AUTHENTICATION_APP_ROLE_SECRET_ID

string

Wrapping token containing a Secret Id, obtained from:

vault write -wrap-ttl=60s -f auth/approle/role/myapp/secret-id

secret-id and secret-id-wrapping-token are exclusive

Environment variable: QUARKUS_VAULT_AUTHENTICATION_APP_ROLE_SECRET_ID_WRAPPING_TOKEN

string

Allows configuring the AppRole authentication mount path.

Environment variable: QUARKUS_VAULT_AUTHENTICATION_APP_ROLE_AUTH_MOUNT_PATH

string

approle

User for userpass auth method. This property is required when selecting the userpass authentication type.

Environment variable: QUARKUS_VAULT_AUTHENTICATION_USERPASS_USERNAME

string

Password for userpass auth method. This property is required when selecting the userpass authentication type.

Environment variable: QUARKUS_VAULT_AUTHENTICATION_USERPASS_PASSWORD

string

Wrapping token containing a Password, obtained from:

vault kv get -wrap-ttl=60s secret/

The key has to be 'password', meaning the password has initially been provisioned with:

vault kv put secret/ password=

password and password-wrapping-token are exclusive

Environment variable: QUARKUS_VAULT_AUTHENTICATION_USERPASS_PASSWORD_WRAPPING_TOKEN

string

Allows configuring the userpass authentication mount path.

Environment variable: QUARKUS_VAULT_AUTHENTICATION_USERPASS_AUTH_MOUNT_PATH

string

userpass

Kubernetes authentication role that has been created in Vault to associate Vault policies, with Kubernetes service accounts and/or Kubernetes namespaces. This property is required when selecting the Kubernetes authentication type.

Environment variable: QUARKUS_VAULT_AUTHENTICATION_KUBERNETES_ROLE

string

Location of the file containing the Kubernetes JWT token to authenticate against in Kubernetes authentication mode.

Environment variable: QUARKUS_VAULT_AUTHENTICATION_KUBERNETES_JWT_TOKEN_PATH

string

/var/run/secrets/kubernetes.io/serviceaccount/token

Allows configuring the Kubernetes authentication mount path.

Environment variable: QUARKUS_VAULT_AUTHENTICATION_KUBERNETES_AUTH_MOUNT_PATH

string

kubernetes

TLS

Type

Default

Allows bypassing certificate validation on TLS communications.

If true this will allow TLS communications with Vault without checking the validity of the certificate presented by Vault. This is discouraged in production because it allows man-in-the-middle attacks.

Environment variable: QUARKUS_VAULT_TLS_SKIP_VERIFY

boolean

Certificate bundle used to validate TLS communications with Vault.

The path to a pem bundle file, if TLS is required, and trusted certificates are not set through javax.net.ssl.trustStore system property.

Environment variable: QUARKUS_VAULT_TLS_CA_CERT

string

If true and Vault authentication type is kubernetes, TLS will be active and the cacert path will be set to /var/run/secrets/kubernetes.io/serviceaccount/ca.crt. If set, this setting will take precedence over property quarkus.vault.tls.ca-cert. This means that if Vault authentication type is kubernetes and we want to use quarkus.vault.tls.ca-cert or system property javax.net.ssl.trustStore, then this property should be set to false.

Environment variable: QUARKUS_VAULT_TLS_USE_KUBERNETES_CA_CERT

boolean

true

Transit Engine

Type

Default

Specifies the name of the key to use. By default this will be the property key alias. Used when the same transit key is used with different configurations, such as in:

quarkus.vault.transit.key.my-foo-key.name=foo

quarkus.vault.transit.key.my-foo-key-with-prehashed.name=foo
quarkus.vault.transit.key.my-foo-key-with-prehashed.prehashed=true
...
transitSecretEngine.sign("my-foo-key", "my raw content");
or
transitSecretEngine.sign("my-foo-key-with-prehashed", "my already hashed content");

Environment variable: QUARKUS_VAULT_TRANSIT_KEY__KEY__NAME

string

Set to true when the input is already hashed. Applies to sign operations.

Environment variable: QUARKUS_VAULT_TRANSIT_KEY__KEY__PREHASHED

boolean

When using a RSA key, specifies the RSA signature algorithm. Applies to sign operations.

Environment variable: QUARKUS_VAULT_TRANSIT_KEY__KEY__SIGNATURE_ALGORITHM

string

Specifies the hash algorithm to use for supporting key types. Applies to sign operations.

Environment variable: QUARKUS_VAULT_TRANSIT_KEY__KEY__HASH_ALGORITHM

string

Specifies the type of key to create for the encrypt operation. Applies to encrypt operations.

Environment variable: QUARKUS_VAULT_TRANSIT_KEY__KEY__TYPE

string

If enabled, the key will support convergent encryption, where the same plaintext creates the same ciphertext. Applies to encrypt operations.

Environment variable: QUARKUS_VAULT_TRANSIT_KEY__KEY__CONVERGENT_ENCRYPTION

string

About the Duration format

To write duration values, use the standard java.time.Duration format. See the Duration#parse() Java API documentation for more information.

You can also use a simplified format, starting with a number:

  • If the value is only a number, it represents time in seconds.

  • If the value is a number followed by ms, it represents time in milliseconds.

In other cases, the simplified format is translated to the java.time.Duration format for parsing:

  • If the value is a number followed by h, m, or s, it is prefixed with PT.

  • If the value is a number followed by d, it is prefixed with P.
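The rules above, implemented end to end as an added example (this is not the Quarkus converter itself): simplified_to_iso performs the translation the list describes, parse_iso then reads the resulting java.time.Duration text, and parse_duration chains the two so that values such as 30, 1500ms, 1H, 10M, 5S or 2d all resolve to a timedelta. Unit letters are treated case-insensitively to match the defaults on this page (1H, 10M, 5S); that, and the function names, are assumptions made here.

```python
import re
from datetime import timedelta

# Simplified form: a number, optionally followed by ms, h, m, s or d.
_SIMPLE = re.compile(r"^(\d+)(ms|h|m|s|d)?$", re.IGNORECASE)
# Subset of the java.time.Duration text format: [-]P[nD][T[nH][nM][n[.n]S]]
_ISO = re.compile(
    r"^(?P<sign>[-+])?P(?:(?P<d>\d+)D)?"
    r"(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+(?:\.\d+)?)S)?)?$",
    re.IGNORECASE,
)


def simplified_to_iso(value: str) -> str:
    """Translate the simplified format into java.time.Duration text.

    Values that are already in Duration format (PT10M, P2DT3H) are returned unchanged.
    """
    text = value.strip()
    m = _SIMPLE.match(text)
    if m is None:
        return text
    number, unit = m.group(1), (m.group(2) or "").lower()
    if unit == "":
        return f"PT{number}S"              # bare number: seconds
    if unit == "ms":
        return f"PT{int(number) / 1000}S"  # milliseconds become fractional seconds
    if unit == "d":
        return f"P{number}D"               # number + d is prefixed with P
    return f"PT{number}{unit.upper()}"     # number + h/m/s is prefixed with PT


def parse_iso(text: str) -> timedelta:
    """Parse the subset of java.time.Duration text produced above (days, hours, minutes, seconds)."""
    m = _ISO.match(text)
    if m is None or not any(m.group(g) for g in ("d", "h", "m", "s")):
        raise ValueError(f"not a java.time.Duration value: {text!r}")
    td = timedelta(days=int(m["d"] or 0), hours=int(m["h"] or 0),
                   minutes=int(m["m"] or 0), seconds=float(m["s"] or 0))
    return -td if m["sign"] == "-" else td


def parse_duration(value: str) -> timedelta:
    """Accept either the simplified or the java.time.Duration format."""
    return parse_iso(simplified_to_iso(value))


if __name__ == "__main__":
    for sample in ("30", "1500ms", "1H", "10M", "5S", "2d", "PT1H30M"):
        print(f"{sample:>8} -> {simplified_to_iso(sample):>8} -> {parse_duration(sample)}")
```

The bare-number case is the one that most often surprises people: quarkus.vault.renew-grace-period=60 means sixty seconds, not sixty minutes, so a value intended as a grace period of an hour has to be written as 1H or PT1H.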