A build item that allows extension to define a that runs write before RESTEasy Reactive attempt to do exception mapping according to the JAX-RS spec. This is only meant to be used in very advanced use cases.
A marker build item which extensions can generate when they want to force RESTEasy Reactive to not reply with 404 when it does not handle the path and instead just pass control onto the next Vert.x handler
The base image to be used when a container image is being produced for the jar build. When the application is built against Java 17 or higher, registry.access.redhat.com/ubi8/openjdk-17-runtime:1.16 is used as the default. Otherwise registry.access.redhat.com/ubi8/openjdk-11-runtime:1.16 is used as the default.
+
The base image to be used when a container image is being produced for the jar build. When the application is built against Java 17 or higher, registry.access.redhat.com/ubi8/openjdk-17-runtime:1.17 is used as the default. Otherwise registry.access.redhat.com/ubi8/openjdk-11-runtime:1.16 is used as the default.
Used when QuarkusIntegrationTest is meant to execute against an application that is already running and listening on the host specified by this property.
If insecure (i.e. http rather than https) requests are allowed. If this is enabled then http works as normal. redirect will still open the http port, but all requests will be redirected to the HTTPS port. disabled will prevent the HTTP port from opening at all.
If this is true (the default) then HTTP/2 will be enabled. Note that for browsers to be able to use it HTTPS must be enabled, and you must be running on JDK11 or above, as JDK8 does not support ALPN.
-
Environment variable: QUARKUS_HTTP_HTTP2
+
Environment variable: QUARKUS_HTTP_HTTP2
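Review bot: the Java 17 default in the base image description moves from openjdk-17-runtime:1.16 to openjdk-17-runtime:1.17, but the Java 11 fallback in the same sentence stays at openjdk-11-runtime:1.16. If the Java 11 image is meant to stay at 1.16, say so in the change description; otherwise bump both so the two defaults do not drift apart in patch level.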
@@ -7664,7 +7698,7 @@
Enables or Disable the HTTP/2 Push feature. This setting can be used to disable server push. The server will not send a PUSH_PROMISE frame if it receives this parameter set to @{code false}.
Origins allowed for CORS Comma separated list of valid URLs, e.g.: http://www.quarkus.io,http://localhost:3000 In case an entry of the list is surrounded by forward slashes, it is interpreted as a regular expression.
-
Environment variable: QUARKUS_HTTP_CORS_ORIGINS
+
Environment variable: QUARKUS_HTTP_CORS_ORIGINS
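Review bot: the HTTP/2 Push description in this hunk's context ends with a literal "@{code false}", which looks like a malformed "{@code false}" tag leaking into the rendered text. Since this file is being touched anyway, correct the tag so the value renders as plain "false".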
@@ -7698,7 +7732,7 @@
HTTP methods allowed for CORS Comma separated list of valid methods. ex: GET,PUT,POST The filter allows any method if this is not set. default: returns any requested method as valid
-
Environment variable: QUARKUS_HTTP_CORS_METHODS
+
Environment variable: QUARKUS_HTTP_CORS_METHODS
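Review bot: the removed and added lines in this hunk both read "Environment variable: QUARKUS_HTTP_CORS_METHODS", so the difference is not visible in the text and is presumably whitespace or markup only. The same pattern repeats for most of the other environment variable lines in this patch; a line in the change description saying what actually changed there would make the real text changes (the base image tag, the TLS protocol defaults) easier to pick out in review.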
@@ -7715,7 +7749,7 @@
HTTP headers allowed for CORS Comma separated list of valid headers. ex: X-Custom,Content-Disposition The filter allows any header if this is not set. default: returns any requested header as valid
-
Environment variable: QUARKUS_HTTP_CORS_HEADERS
+
Environment variable: QUARKUS_HTTP_CORS_HEADERS
@@ -7732,7 +7766,7 @@
HTTP headers exposed in CORS Comma separated list of valid headers. ex: X-Custom,Content-Disposition default: empty
The Access-Control-Allow-Credentials header is used to tell the browsers to expose the response to front-end JavaScript code when the request’s credentials mode Request.credentials is “include”. The value of this header will default to true if quarkus.http.cors.origins property is set and there is a match with the precise Origin header.
The CredentialsProvider. If this property is configured then a matching 'CredentialsProvider' will be used to get the keystore, keystore key and truststore passwords unless these passwords have already been configured. Please note that using MicroProfile ConfigSource which is directly supported by Quarkus Configuration should be preferred unless using CredentialsProvider provides for some additional security and dynamism.
It is the @Named value of the credentials provider bean. It is used to discriminate if multiple CredentialsProvider beans are available. It is recommended to set this property even if there is only one credentials provider currently available to ensure the same provider is always found in deployments where more than one provider may be available.
The list of path to server certificates private key file using the PEM format. Specifying multiple files require SNI to be enabled. The order of the key files must match the order of the certificates.
An optional parameter to specify a provider of the key store file. If not given, the provider is automatically detected based on the key store file type.
An optional parameter to select a specific key in the key store. When SNI is disabled, if the key store contains multiple keys and no alias is specified, the behavior is undefined.
An optional parameter to define the password for the key, in case it’s different from key-store-password If not given then it may be retrieved from CredentialsProvider.
An optional parameter to specify a provider of the trust store file. If not given, the provider is automatically detected based on the trust store file type.
Sets the ordered list of enabled SSL/TLS protocols.
+
+
+
If not set, it defaults to "TLSv1.3, TLSv1.2". The following list of protocols are supported: TLSv1, TLSv1.1, TLSv1.2, TLSv1.3. To only enable TLSv1.3, set the value to to "TLSv1.3".
+
+
+
Note that setting an empty list, and enabling SSL/TLS is invalid. You must at least have one protocol.
-
Environment variable: QUARKUS_HTTP_SSL_PROTOCOLS
+
Environment variable: QUARKUS_HTTP_SSL_PROTOCOLS
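Review bot: the added protocols text has a doubled word in 'set the value to to "TLSv1.3"', and "The following list of protocols are supported" should read "is supported". The text also lists TLSv1 and TLSv1.1 as supported right after stating the default of "TLSv1.3, TLSv1.2", without saying that the older versions stay off unless they are explicitly configured; one sentence making that explicit would keep readers from treating the supported list as a recommendation.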
@@ -8127,7 +8167,7 @@
Enables Server Name Indication (SNI), an TLS extension allowing the server to use multiple certificates. The client indicate the server name during the TLS handshake, allowing the server to select the right certificate.
The number if IO threads used to perform IO. This will be automatically set to a reasonable value based on the number of CPU cores if it is not provided. If this is set to a higher value than the number of Vert.x event loops then it will be capped at the number of event loops. In general this should be controlled by setting quarkus.vertx.event-loops-pool-size, this setting should only be used if you want to limit the number of HTTP io threads to a smaller number than the total number of IO threads.
Allows the sender to inform the remote endpoint of the maximum size of the header compression table used to decode header blocks, in octets. The encoder can select any size equal to or less than this value by using signaling specific to the header compression format inside a header block. The initial value is 4,096 octets.
Indicates the maximum number of concurrent streams that the sender will allow. This limit is directional: it applies to the number of streams that the sender permits the receiver to create. Initially, there is no limit to this value. It is recommended that this value be no smaller than 100, to not unnecessarily limit parallelism.
Set the SETTINGS_MAX_FRAME_SIZE HTTP/2 setting. Indicates the size of the largest frame payload that the sender is willing to receive, in octets. The initial value is 2^14 (16,384) octets.
Set the SETTINGS_MAX_HEADER_LIST_SIZE HTTP/2 setting. This advisory setting informs a peer of the maximum size of header list that the sender is prepared to accept, in octets. The value is based on the uncompressed size of header fields, including the length of the name and value in octets plus an overhead of 32 octets for each header field. The default value is 8192
Http connection read timeout for blocking IO. This is the maximum amount of time a thread will wait for data, before an IOException will be thrown and the connection closed.
-
Environment variable: QUARKUS_HTTP_READ_TIMEOUT
+
Environment variable: QUARKUS_HTTP_READ_TIMEOUT
@@ -8514,7 +8554,7 @@
If true, they will be stored in quarkus.http.body-handler.uploads-directory and will be made available via io.vertx.ext.web.RoutingContext.fileUploads(). Otherwise, the files sent using multipart/form-data will not be stored locally, and io.vertx.ext.web.RoutingContext.fileUploads() will always return an empty collection. Note that even with this option being set to false, the multipart/form-data requests will be accepted.
If true the uploaded files stored in quarkus.http.body-handler.uploads-directory will be removed after handling the request. Otherwise, the files will be left there forever.
If true the body buffer is pre-allocated according to the size read from the Content-Length header. Otherwise, the body buffer is pre-allocated to 1KB, and is resized dynamically
A comma-separated list of ContentType to indicate whether a given multipart field should be handled as a file part. You can use this setting to force HTTP-based extensions to parse a message part as a file based on its content type. For now, this setting only works when using RESTEasy Reactive.
The encryption key that is used to store persistent logins (e.g. for form auth). Logins are stored in a persistent cookie that is encrypted with AES-256 using a key derived from a SHA-256 hash of the key that is provided here. If no key is provided then an in-memory one will be generated, this will change on every restart though so it is not suitable for production environments. This must be more than 16 characters long for security reasons
Enable socket reuse port (linux/macOs native transport only)
-
Environment variable: QUARKUS_HTTP_SO_REUSE_PORT
+
Environment variable: QUARKUS_HTTP_SO_REUSE_PORT
@@ -8662,7 +8702,7 @@
Enable tcp quick ack (linux native transport only)
-
Environment variable: QUARKUS_HTTP_TCP_QUICK_ACK
+
Environment variable: QUARKUS_HTTP_TCP_QUICK_ACK
@@ -8679,7 +8719,7 @@
Enable tcp cork (linux native transport only)
-
Environment variable: QUARKUS_HTTP_TCP_CORK
+
Environment variable: QUARKUS_HTTP_TCP_CORK
@@ -8696,7 +8736,7 @@
Enable tcp fast open (linux native transport only)
-
Environment variable: QUARKUS_HTTP_TCP_FAST_OPEN
+
Environment variable: QUARKUS_HTTP_TCP_FAST_OPEN
@@ -8713,7 +8753,7 @@
The accept backlog, this is how many connections can be waiting to be accepted before connections start being rejected
-
Environment variable: QUARKUS_HTTP_ACCEPT_BACKLOG
+
Environment variable: QUARKUS_HTTP_ACCEPT_BACKLOG
@@ -8730,7 +8770,7 @@
Set the SETTINGS_INITIAL_WINDOW_SIZE HTTP/2 setting. Indicates the sender’s initial window size (in octets) for stream-level flow control. The initial value is 2^16-1 (65,535) octets.
If this is true then the request start time will be recorded to enable logging of total request time. This has a small performance penalty, so is disabled by default.
If this is true then the address, scheme etc. will be set from headers forwarded by the proxy server, such as X-Forwarded-For. This should only be set if you are behind a proxy that sets these headers.
If this is true and proxy address forwarding is enabled then the standard Forwarded header will be used. In case the not standard X-Forwarded-For header is enabled and detected on HTTP requests, the standard header has the precedence. Activating this together with quarkus.http.proxy.allow-x-forwarded has security implications as clients can forge requests with a forwarded header that is not overwritten by the proxy. Therefore, proxies should strip unexpected X-Forwarded or X-Forwarded-* headers from the client.
If either this or allow-forwarded are true and proxy address forwarding is enabled then the not standard Forwarded header will be used. In case the standard Forwarded header is enabled and detected on HTTP requests, the standard header has the precedence. Activating this together with quarkus.http.proxy.allow-forwarded has security implications as clients can forge requests with a forwarded header that is not overwritten by the proxy. Therefore, proxies should strip unexpected X-Forwarded or X-Forwarded-* headers from the client.
The HTTP policy that this permission set is linked to. There are 3 built in policies: permit, deny and authenticated. Role based policies can be defined, and extensions can add their own policies.
The methods that this permission set applies to. If this is not set then they apply to all methods. Note that if a request matches any path from any permission set, but does not match the constraint due to the method not being listed then the request will be denied. Method specific permissions take precedence over matches that do not have any methods set. This means that for example if Quarkus is configured to allow GET and POST requests to /admin to and no other permissions are configured PUT requests to /admin will be denied.
The paths that this permission check applies to. If the path ends in /* then this is treated as a path prefix, otherwise it is treated as an exact match. Matches are done on a length basis, so the most specific path match takes precedence. If multiple permission sets match the same path then explicit methods matches take precedence over matches without methods set, otherwise the most restrictive permissions are applied.
Path specific authentication mechanism which must be used to authenticate a user. It needs to match HttpCredentialTransport authentication scheme such as 'basic', 'bearer', 'form', etc.
Permissions granted to the SecurityIdentity if this policy is applied successfully (the policy allows request to proceed) and the authenticated request has required role. For example, you can map permission perm1 with actions action1 and action2 to role admin by setting quarkus.http.auth.policy.role-policy1.permissions.admin=perm1:action1,perm1:action2 configuration property. Granted permissions are used for authorization with the @PermissionsAllowed annotation.
Permissions granted by this policy will be created with a java.security.Permission implementation specified by this configuration property. The permission class must declare exactly one constructor that accepts permission name (String) or permission name and actions (String, String[]).
Enables / Disables the usage of a separate interface/port to expose the management endpoints. If sets to true, the management endpoints will be exposed to a different HTTP server. This avoids exposing the management endpoints on a publicly available server.
If this is true and credentials are present then a user will always be authenticated before the request progresses. If this is false then an attempt will only be made to authenticate the user if a permission check is performed or the current user is required for some other reason.
A common root path for management endpoints. Various extension-provided management endpoints such as metrics and health are deployed under this path by default.
The HTTP host Defaults to 0.0.0.0 Defaulting to 0.0.0.0 makes it easier to deploy Quarkus to container, however it is not suitable for dev/test mode as other people on the network can connect to your development machine.
The CredentialsProvider. If this property is configured then a matching 'CredentialsProvider' will be used to get the keystore, keystore key and truststore passwords unless these passwords have already been configured. Please note that using MicroProfile ConfigSource which is directly supported by Quarkus Configuration should be preferred unless using CredentialsProvider provides for some additional security and dynamism.
It is the @Named value of the credentials provider bean. It is used to discriminate if multiple CredentialsProvider beans are available. It is recommended to set this property even if there is only one credentials provider currently available to ensure the same provider is always found in deployments where more than one provider may be available.
The list of path to server certificates private key file using the PEM format. Specifying multiple files require SNI to be enabled. The order of the key files must match the order of the certificates.
An optional parameter to specify a provider of the key store file. If not given, the provider is automatically detected based on the key store file type.
An optional parameter to select a specific key in the key store. When SNI is disabled, if the key store contains multiple keys and no alias is specified, the behavior is undefined.
An optional parameter to define the password for the key, in case it’s different from key-store-password If not given then it may be retrieved from CredentialsProvider.
An optional parameter to specify a provider of the trust store file. If not given, the provider is automatically detected based on the trust store file type.
If not set, it defaults to "TLSv1.3, TLSv1.2". The following list of protocols are supported: TLSv1, TLSv1.1, TLSv1.2, TLSv1.3. To only enable TLSv1.3, set the value to to "TLSv1.3".
+
+
+
Note that setting an empty list, and enabling SSL/TLS is invalid. You must at least have one protocol.
Enables Server Name Indication (SNI), an TLS extension allowing the server to use multiple certificates. The client indicate the server name during the TLS handshake, allowing the server to select the right certificate.
-
Environment variable: QUARKUS_MANAGEMENT_SSL_SNI
+
Environment variable: QUARKUS_MANAGEMENT_SSL_SNI
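Review bot: the management copy of the TLS protocols text carries the same doubled word, 'set the value to to "TLSv1.3"', as the text shown above QUARKUS_HTTP_SSL_PROTOCOLS. Fix both occurrences in the same change so the two descriptions stay identical.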
@@ -10062,7 +10108,7 @@
When set to true, the HTTP server automatically sends 100 CONTINUE response when the request expects it (with the Expect: 100-Continue header).
Allows the sender to inform the remote endpoint of the maximum size of the header compression table used to decode header blocks, in octets. The encoder can select any size equal to or less than this value by using signaling specific to the header compression format inside a header block. The initial value is 4,096 octets.
Indicates the maximum number of concurrent streams that the sender will allow. This limit is directional: it applies to the number of streams that the sender permits the receiver to create. Initially, there is no limit to this value. It is recommended that this value be no smaller than 100, to not unnecessarily limit parallelism.
Set the SETTINGS_MAX_FRAME_SIZE HTTP/2 setting. Indicates the size of the largest frame payload that the sender is willing to receive, in octets. The initial value is 2^14 (16,384) octets.
Set the SETTINGS_MAX_HEADER_LIST_SIZE HTTP/2 setting. This advisory setting informs a peer of the maximum size of header list that the sender is prepared to accept, in octets. The value is based on the uncompressed size of header fields, including the length of the name and value in octets plus an overhead of 32 octets for each header field. The default value is 8192
If true, they will be stored in quarkus.http.body-handler.uploads-directory and will be made available via io.vertx.ext.web.RoutingContext.fileUploads(). Otherwise, the files sent using multipart/form-data will not be stored locally, and io.vertx.ext.web.RoutingContext.fileUploads() will always return an empty collection. Note that even with this option being set to false, the multipart/form-data requests will be accepted.
If true the uploaded files stored in quarkus.http.body-handler.uploads-directory will be removed after handling the request. Otherwise, the files will be left there forever.
If true the body buffer is pre-allocated according to the size read from the Content-Length header. Otherwise, the body buffer is pre-allocated to 1KB, and is resized dynamically
A comma-separated list of ContentType to indicate whether a given multipart field should be handled as a file part. You can use this setting to force HTTP-based extensions to parse a message part as a file based on its content type. For now, this setting only works when using RESTEasy Reactive.
If this is true then the address, scheme etc. will be set from headers forwarded by the proxy server, such as X-Forwarded-For. This should only be set if you are behind a proxy that sets these headers.
If this is true and proxy address forwarding is enabled then the standard Forwarded header will be used. In case the not standard X-Forwarded-For header is enabled and detected on HTTP requests, the standard header has the precedence. Activating this together with quarkus.http.proxy.allow-x-forwarded has security implications as clients can forge requests with a forwarded header that is not overwritten by the proxy. Therefore, proxies should strip unexpected X-Forwarded or X-Forwarded-* headers from the client.
If either this or allow-forwarded are true and proxy address forwarding is enabled then the not standard Forwarded header will be used. In case the standard Forwarded header is enabled and detected on HTTP requests, the standard header has the precedence. Activating this together with quarkus.http.proxy.allow-forwarded has security implications as clients can forge requests with a forwarded header that is not overwritten by the proxy. Therefore, proxies should strip unexpected X-Forwarded or X-Forwarded-* headers from the client.
The HTTP policy that this permission set is linked to. There are 3 built in policies: permit, deny and authenticated. Role based policies can be defined, and extensions can add their own policies.
The methods that this permission set applies to. If this is not set then they apply to all methods. Note that if a request matches any path from any permission set, but does not match the constraint due to the method not being listed then the request will be denied. Method specific permissions take precedence over matches that do not have any methods set. This means that for example if Quarkus is configured to allow GET and POST requests to /admin to and no other permissions are configured PUT requests to /admin will be denied.
The paths that this permission check applies to. If the path ends in /* then this is treated as a path prefix, otherwise it is treated as an exact match. Matches are done on a length basis, so the most specific path match takes precedence. If multiple permission sets match the same path then explicit methods matches take precedence over matches without methods set, otherwise the most restrictive permissions are applied.
Path specific authentication mechanism which must be used to authenticate a user. It needs to match HttpCredentialTransport authentication scheme such as 'basic', 'bearer', 'form', etc.
Permissions granted to the SecurityIdentity if this policy is applied successfully (the policy allows request to proceed) and the authenticated request has required role. For example, you can map permission perm1 with actions action1 and action2 to role admin by setting quarkus.http.auth.policy.role-policy1.permissions.admin=perm1:action1,perm1:action2 configuration property. Granted permissions are used for authorization with the @PermissionsAllowed annotation.
Permissions granted by this policy will be created with a java.security.Permission implementation specified by this configuration property. The permission class must declare exactly one constructor that accepts permission name (String) or permission name and actions (String, String[]).
If Dev Services for Elasticsearch has been explicitly enabled or disabled. Dev Services are generally enabled by default, unless there is an existing configuration present. For Elasticsearch, Dev Services starts a server unless quarkus.elasticsearch.hosts is set.
Thread counts higher than the number of processors should not be necessary because the I/O threads rely on non-blocking operations, but you may want to use a thread count lower than the number of processors.
Determine if the OAuth2 extension is enabled. Enabled by default if you include the elytron-security-oauth2 dependency, so this would be used to disable it.
-
Environment variable: QUARKUS_OAUTH2_ENABLED
+
Environment variable: QUARKUS_OAUTH2_ENABLED
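Review bot: in this hunk's context, the description beginning "If either this or allow-forwarded are true" says "the not standard Forwarded header will be used", while the description just before it calls Forwarded the standard header and X-Forwarded-For the non-standard one. This reads as a copy-paste slip, and the same sentence appears earlier in the file; it should name the X-Forwarded-* headers, because operators rely on this text to decide which client-supplied headers the proxy has to strip.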
@@ -12011,7 +12113,7 @@
The claim that is used in the introspection endpoint response to load the roles.
-
Environment variable: QUARKUS_OAUTH2_ROLE_CLAIM
+
Environment variable: QUARKUS_OAUTH2_ROLE_CLAIM
@@ -12028,7 +12130,7 @@
The OAuth2 client id used to validate the token. Mandatory if the extension is enabled.
-
Environment variable: QUARKUS_OAUTH2_CLIENT_ID
+
Environment variable: QUARKUS_OAUTH2_CLIENT_ID
@@ -12045,7 +12147,7 @@
The OAuth2 client secret used to validate the token. Mandatory if the extension is enabled.
The OAuth2 server certificate file. Warning: this is not supported in native mode where the certificate must be included in the truststore used during the native image generation, see Using SSL With Native Executables.
-
Environment variable: QUARKUS_OAUTH2_CA_CERT_FILE
+
Environment variable: QUARKUS_OAUTH2_CA_CERT_FILE
@@ -12101,7 +12203,7 @@
If the properties are stored in plain text. If this is false (the default) then it is expected that the passwords are of the form HEX( MD5( username ":" realm ":" password ) )
If the properties are stored in plain text. If this is false (the default) then it is expected that the passwords are of the form HEX( MD5( username ":" realm ":" password ) )
Locations starting with filesystem: point to a directory on the filesystem, may only contain SQL migrations and are only scanned recursively down non-hidden directories.
-
Environment variable: QUARKUS_FLYWAY_LOCATIONS
+
Environment variable: QUARKUS_FLYWAY_LOCATIONS
@@ -12331,7 +12433,7 @@
Comma-separated list of fully qualified class names of Callback implementations to use to hook into the Flyway lifecycle. The org.flywaydb.core.api.callback.Callback subclass must have a no-args constructor and must not be abstract. These classes must also not have any fields that hold state (unless that state is initialized in the constructor).
-
Environment variable: QUARKUS_FLYWAY_CALLBACKS
+
Environment variable: QUARKUS_FLYWAY_CALLBACKS
@@ -12348,7 +12450,7 @@
Flag to enable / disable Flyway.
-
Environment variable: QUARKUS_FLYWAY_ENABLED
+
Environment variable: QUARKUS_FLYWAY_ENABLED
@@ -12368,7 +12470,7 @@
After each failed attempt, Flyway will wait up to the configured connect-retries-interval duration before attempting to connect again, up to the maximum number of times specified by connectRetries.
The JDBC URL that Flyway uses to connect to the database. Falls back to the datasource URL if not specified.
-
Environment variable: QUARKUS_FLYWAY_JDBC_URL
+
Environment variable: QUARKUS_FLYWAY_JDBC_URL
@@ -12453,7 +12555,7 @@
The username that Flyway uses to connect to the database. If no specific JDBC URL is configured, falls back to the datasource username if not specified.
-
Environment variable: QUARKUS_FLYWAY_USERNAME
+
Environment variable: QUARKUS_FLYWAY_USERNAME
@@ -12470,7 +12572,7 @@
The password that Flyway uses to connect to the database. If no specific JDBC URL is configured, falls back to the datasource password if not specified.
-
Environment variable: QUARKUS_FLYWAY_PASSWORD
+
Environment variable: QUARKUS_FLYWAY_PASSWORD
@@ -12487,7 +12589,7 @@
Comma-separated case-sensitive list of schemas managed by Flyway. The first schema in the list will be automatically set as the default one during the migration. It will also be the one containing the schema history table.
-
Environment variable: QUARKUS_FLYWAY_SCHEMAS
+
Environment variable: QUARKUS_FLYWAY_SCHEMAS
@@ -12504,7 +12606,7 @@
The name of Flyway’s schema history table. By default (single-schema mode), the schema history table is placed in the default schema for the connection provided by the datasource. When the flyway.schemas property is set (multi-schema mode), the schema history table is placed in the first schema of the list.
-
Environment variable: QUARKUS_FLYWAY_TABLE
+
Environment variable: QUARKUS_FLYWAY_TABLE
@@ -12521,7 +12623,7 @@
The file name prefix for versioned SQL migrations. Versioned SQL migrations have the following file name structure: prefixVERSIONseparatorDESCRIPTIONsuffix , which using the defaults translates to V1.1__My_description.sql
The file name prefix for repeatable SQL migrations. Repeatable SQL migrations have the following file name structure: prefixSeparatorDESCRIPTIONsuffix , which using the defaults translates to R__My_description.sql
Ignore missing migrations when reading the history table. When set to true migrations from older versions present in the history table but absent in the configured locations will be ignored (and logged as a warning), when false (the default) the validation step will fail.
Ignore future migrations when reading the history table. When set to true migrations from newer versions present in the history table but absent in the configured locations will be ignored (and logged as a warning), when false (the default) the validation step will fail.
The SQL statements to run to initialize a new database connection immediately after opening it.
-
Environment variable: QUARKUS_FLYWAY_INIT_SQL
+
Environment variable: QUARKUS_FLYWAY_INIT_SQL
@@ -12844,7 +12946,7 @@
Whether to validate migrations and callbacks whose scripts do not obey the correct naming convention. A failure can be useful to check that errors such as case sensitivity in migration prefixes have been corrected.
Ignore migrations during validate and repair according to a given list of patterns (see https://flywaydb.org/documentation/configuration/parameters/ignoreMigrationPatterns for more information). When this configuration is set, the ignoreFutureMigrations and ignoreMissingMigrations settings are ignored. Patterns are comma separated.
Locations starting with filesystem: point to a directory on the filesystem, may only contain SQL migrations and are only scanned recursively down non-hidden directories.
Comma-separated list of fully qualified class names of Callback implementations to use to hook into the Flyway lifecycle. The org.flywaydb.core.api.callback.Callback subclass must have a no-args constructor and must not be abstract. These classes must also not have any fields that hold state (unless that state is initialized in the constructor).
Sets the placeholders to replace in SQL migration scripts.
-
Environment variable: QUARKUS_FLYWAY_PLACEHOLDERS
+
Environment variable: QUARKUS_FLYWAY_PLACEHOLDERS
@@ -12938,7 +13040,7 @@
After each failed attempt, Flyway will wait up to the configured connect-retries-interval duration before attempting to connect again, up to the maximum number of times specified by connectRetries.
The username that Flyway uses to connect to the database. If no specific JDBC URL is configured, falls back to the datasource username if not specified.
The password that Flyway uses to connect to the database. If no specific JDBC URL is configured, falls back to the datasource password if not specified.
Comma-separated case-sensitive list of schemas managed by Flyway. The first schema in the list will be automatically set as the default one during the migration. It will also be the one containing the schema history table.
The name of Flyway’s schema history table. By default (single-schema mode), the schema history table is placed in the default schema for the connection provided by the datasource. When the flyway.schemas property is set (multi-schema mode), the schema history table is placed in the first schema of the list.
The file name prefix for versioned SQL migrations. Versioned SQL migrations have the following file name structure: prefixVERSIONseparatorDESCRIPTIONsuffix , which using the defaults translates to V1.1__My_description.sql
The file name prefix for repeatable SQL migrations. Repeatable SQL migrations have the following file name structure: prefixSeparatorDESCRIPTIONsuffix , which using the defaults translates to R__My_description.sql
Ignore missing migrations when reading the history table. When set to true migrations from older versions present in the history table but absent in the configured locations will be ignored (and logged as a warning), when false (the default) the validation step will fail.
Ignore future migrations when reading the history table. When set to true migrations from newer versions present in the history table but absent in the configured locations will be ignored (and logged as a warning), when false (the default) the validation step will fail.
Whether to validate migrations and callbacks whose scripts do not obey the correct naming convention. A failure can be useful to check that errors such as case sensitivity in migration prefixes have been corrected.
Ignore migrations during validate and repair according to a given list of patterns (see https://flywaydb.org/documentation/configuration/parameters/ignoreMigrationPatterns for more information). When this configuration is set, the ignoreFutureMigrations and ignoreMissingMigrations settings are ignored. Patterns are comma separated.
Cloud Event type (ce-type) that triggers this function. Default value is function name. This config item is only required when there is more than one function defined within the deployment. The ce-type is not looked at if there is only one function in the deployment. The message will just be dispatched to that function. This allows you to change the knative trigger binding without having to change the configuration of the quarkus deployment.
The function to export. If there is more than one function defined for this deployment, then you must set this variable. If there is only a single function, you do not have to set this config item.
-
Environment variable: QUARKUS_FUNQY_EXPORT
+
Environment variable: QUARKUS_FUNQY_EXPORT
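Review bot: The removed and added `Environment variable: QUARKUS_FUNQY_EXPORT` lines at the end of this hunk are textually identical, so the only change here is invisible (whitespace or markup). If this is regenerated output, confirm the generator change that caused it is intended; otherwise drop the line from the patch so the diff shows only real documentation changes.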
@@ -13548,7 +13650,7 @@
The function name. Function names are specified on function classes using the @jakarta.inject.Named annotation. If this name is unspecified and there is exactly one unnamed function then this unnamed function will be used. If there is only a single named function and the name is unspecified then the named function will be used. These rules apply for each function implementation (HttpFunction, BackgroundFunction, RawBackgroundFunction).
Enable the do_not_audit_optimistic_locking_field feature. Maps to org.hibernate.envers.configuration.EnversSettings#DO_NOT_AUDIT_OPTIMISTIC_LOCKING_FIELD.
Defines the suffix to be used for modified flag columns. Defaults to _MOD. Maps to org.hibernate.envers.configuration.EnversSettings#MODIFIED_FLAG_SUFFIX
Defines the fully qualified class name of a user defined revision listener. Maps to org.hibernate.envers.configuration.EnversSettings#REVISION_LISTENER.
Defines the property name for the audit entity’s composite primary key. Defaults to originalId. Maps to org.hibernate.envers.configuration.EnversSettings#ORIGINAL_ID_PROP_NAME.
Defines the column name that holds the end revision number in audit entities. Defaults to REVEND. Maps to org.hibernate.envers.configuration.EnversSettings#AUDIT_STRATEGY_VALIDITY_END_REV_FIELD_NAME.
Enables the audit_strategy_validity_store_revend_timestamp feature. Maps to org.hibernate.envers.configuration.EnversSettings#AUDIT_STRATEGY_VALIDITY_STORE_REVEND_TIMESTAMP.
Defines the column name of the revision end timestamp in the audit tables. Defaults to REVEND_TSTMP. Maps to org.hibernate.envers.configuration.EnversSettings#AUDIT_STRATEGY_VALIDITY_REVEND_TIMESTAMP_FIELD_NAME.
Defines the name of the column used for storing collection ordinal values for embeddable elements. Defaults to SETORDINAL. Maps to org.hibernate.envers.configuration.EnversSettings#EMBEDDABLE_SET_ORDINAL_FIELD_NAME.
Defines the naming strategy to be used for modified columns. Defaults to org.hibernate.envers.boot.internal.LegacyModifiedColumnNamingStrategy. Maps to org.hibernate.envers.configuration.EnversSettings#MODIFIED_COLUMN_NAMING_STRATEGY.
Enable the do_not_audit_optimistic_locking_field feature. Maps to org.hibernate.envers.configuration.EnversSettings#DO_NOT_AUDIT_OPTIMISTIC_LOCKING_FIELD.
Defines the suffix to be used for modified flag columns. Defaults to _MOD. Maps to org.hibernate.envers.configuration.EnversSettings#MODIFIED_FLAG_SUFFIX
Defines the fully qualified class name of a user defined revision listener. Maps to org.hibernate.envers.configuration.EnversSettings#REVISION_LISTENER.
Defines the property name for the audit entity’s composite primary key. Defaults to originalId. Maps to org.hibernate.envers.configuration.EnversSettings#ORIGINAL_ID_PROP_NAME.
Defines the column name that holds the end revision number in audit entities. Defaults to REVEND. Maps to org.hibernate.envers.configuration.EnversSettings#AUDIT_STRATEGY_VALIDITY_END_REV_FIELD_NAME.
Enables the audit_strategy_validity_store_revend_timestamp feature. Maps to org.hibernate.envers.configuration.EnversSettings#AUDIT_STRATEGY_VALIDITY_STORE_REVEND_TIMESTAMP.
Defines the column name of the revision end timestamp in the audit tables. Defaults to REVEND_TSTMP. Maps to org.hibernate.envers.configuration.EnversSettings#AUDIT_STRATEGY_VALIDITY_REVEND_TIMESTAMP_FIELD_NAME.
Defines the name of the column used for storing collection ordinal values for embeddable elements. Defaults to SETORDINAL. Maps to org.hibernate.envers.configuration.EnversSettings#EMBEDDABLE_SET_ORDINAL_FIELD_NAME.
Defines the naming strategy to be used for modified columns. Defaults to org.hibernate.envers.boot.internal.LegacyModifiedColumnNamingStrategy. Maps to org.hibernate.envers.configuration.EnversSettings#MODIFIED_COLUMN_NAMING_STRATEGY.
Pluggable strategy contract for applying physical naming rules for database object names. Class name of the Hibernate PhysicalNamingStrategy implementation
Pluggable strategy for applying implicit naming rules when an explicit name is not given. Class name of the Hibernate ImplicitNamingStrategy implementation
Set to none by default, meaning no identifiers will be quoted. If set to all, all identifiers and column definitions will be quoted. Additionally, setting it to all-except-column-definitions will skip the column definitions, which can usually be required when they exist, or else use the option only-keywords to quote only identifiers deemed SQL keywords by the Hibernate ORM dialect.
If hibernate is not auto generating the schema, and Quarkus is running in development mode then Quarkus will attempt to validate the database after startup and print a log message if there are any problems.
Whether session metrics should be appended into the server log for each Hibernate session. This only has effect if statistics are enabled (quarkus.hibernate-orm.statistics). The default is false (which means both statistics and log-session-metrics need to be enabled for the session metrics to appear in the log).
Select whether the database schema is generated or not. drop-and-create is awesome in development mode. This defaults to 'none', however if Dev Services is in use and no other extensions that manage the schema are present this will default to 'drop-and-create'. Accepted values: none, create, drop-and-create, drop, update, validate.
Existing applications rely (implicitly or explicitly) on Hibernate ignoring any DiscriminatorColumn declarations on joined inheritance hierarchies. This setting allows these applications to maintain the legacy behavior of DiscriminatorColumn annotations being ignored when paired with joined inheritance.
Pluggable strategy contract for applying physical naming rules for database object names. Class name of the Hibernate PhysicalNamingStrategy implementation
Pluggable strategy for applying implicit naming rules when an explicit name is not given. Class name of the Hibernate ImplicitNamingStrategy implementation
Set to none by default, meaning no identifiers will be quoted. If set to all, all identifiers and column definitions will be quoted. Additionally, setting it to all-except-column-definitions will skip the column definitions, which can usually be required when they exist, or else use the option only-keywords to quote only identifiers deemed SQL keywords by the Hibernate ORM dialect.
If hibernate is not auto generating the schema, and Quarkus is running in development mode then Quarkus will attempt to validate the database after startup and print a log message if there are any problems.
Select whether the database schema is generated or not. drop-and-create is awesome in development mode. This defaults to 'none', however if Dev Services is in use and no other extensions that manage the schema are present this will default to 'drop-and-create'. Accepted values: none, create, drop-and-create, drop, update, validate.
Existing applications rely (implicitly or explicitly) on Hibernate ignoring any DiscriminatorColumn declarations on joined inheritance hierarchies. This setting allows these applications to maintain the legacy behavior of DiscriminatorColumn annotations being ignored when paired with joined inheritance.
In particular, it doesn’t affect the default EL feature level for custom violations created programmatically in validator implementations. The feature level for those can only be configured directly in the validator implementation.
When DevServices is enabled Quarkus will attempt to automatically configure and start a database when running in Dev or Test mode and when Docker is running.
Add a site name to start the Infinispan Server Container with Cross Site Replication enabled (ex. lon). Cross Site Replication is the capability to connect two separate Infinispan Server Clusters that might run in different Data Centers, and configure backup caches to copy the data across the clusters with active-active or active-passive replication. See more about Cross Site Replication in the Infinispan Documentation https://infinispan.org/docs/stable/titles/xsite/xsite.html Configure mcast-port to avoid forming a cluster with any other running Infinispan Server container.
Sets the URI of the running Infinispan server to connect to. hotrod://localhost:11222@admin:password If provided hosts, username and password will be ignored.
Sets client intelligence used by authentication Available values: * BASIC - Means that the client doesn’t handle server topology changes and therefore will only use the list of servers supplied at configuration time. * TOPOLOGY_AWARE - Use this provider if you don’t want the client to present any certificates to the remote TLS host. * HASH_DISTRIBUTION_AWARE - Like TOPOLOGY_AWARE but with the additional advantage that each request involving keys will be routed to the server who is the primary owner which improves performance greatly. This is the default.
Sets SASL mechanism used by authentication. Available values: * DIGEST-MD5 - Uses the MD5 hashing algorithm in addition to nonces to encrypt credentials. This is the default. * EXTERNAL - Uses client certificates to provide valid identities to Infinispan Server and enable encryption. * PLAIN - Sends credentials in plain text (unencrypted) over the wire in a way that is similar to HTTP BASIC authentication. You should use PLAIN authentication only in combination with TLS encryption.
Specifies the filename of a truststore to use to create the SSLContext. You also need to specify a trustStorePassword. Setting this property implicitly enables SSL/TLS.
Whether a tracing propagation is enabled in case the Opentelemetry extension is present. By default the propagation of the context is propagated from the client to the Infinispan Server.
Enables or disables Protobuf generated schemas upload to the server. Set it to 'false' when you need to handle the lifecycle of the Protobuf Schemas on Server side yourself. Default is 'true'. This is a global setting and is not specific to a Infinispan Client.
Cache configuration file in XML, JSON or YAML is defined in build time to create the cache on first access. An example of the user defined property. cacheConfig.xml file is located in the 'resources' folder: quarkus.infinispan-client.cache.bookscache.configuration-resource=cacheConfig.xml
Cache configuration file in XML, JSON or YAML is defined in build time to create the cache on first access. An example of the user defined property. cacheConfig.xml file is located in the 'resources' folder: quarkus.infinispan-client.cache.bookscache.configuration-resource=cacheConfig.xml
When DevServices is enabled Quarkus will attempt to automatically configure and start a database when running in Dev or Test mode and when Docker is running.
Add a site name to start the Infinispan Server Container with Cross Site Replication enabled (ex. lon). Cross Site Replication is the capability to connect two separate Infinispan Server Clusters that might run in different Data Centers, and configure backup caches to copy the data across the clusters with active-active or active-passive replication. See more about Cross Site Replication in the Infinispan Documentation https://infinispan.org/docs/stable/titles/xsite/xsite.html Configure mcast-port to avoid forming a cluster with any other running Infinispan Server container.
Cache configuration in inlined XML to create the cache on first access. Will be ignored if the configuration-uri is provided for the same cache name. An example of the user defined property: quarkus.infinispan-client.cache.bookscache.configuration=
Cache configuration file in XML, Json or YAML whose path will be converted to URI to create the cache on first access. An example of the user defined property. cacheConfig.xml file is located in the 'resources' folder: quarkus.infinispan-client.cache.bookscache.configuration-uri=cacheConfig.xml
Sets near cache mode used by the Infinispan Client Available values: * DISABLED - Means that near caching is disabled. This is the default value. * INVALIDATED - Means is near caching is invalidated, so when entries are updated or removed server-side, invalidation messages will be sent to clients to remove them from the near cache.
Sets the URI of the running Infinispan server to connect to. hotrod://localhost:11222@admin:password If provided hosts, username and password will be ignored.
Sets client intelligence used by authentication Available values: * BASIC - Means that the client doesn’t handle server topology changes and therefore will only use the list of servers supplied at configuration time. * TOPOLOGY_AWARE - Use this provider if you don’t want the client to present any certificates to the remote TLS host. * HASH_DISTRIBUTION_AWARE - Like TOPOLOGY_AWARE but with the additional advantage that each request involving keys will be routed to the server who is the primary owner which improves performance greatly. This is the default.
Sets SASL mechanism used by authentication. Available values: * DIGEST-MD5 - Uses the MD5 hashing algorithm in addition to nonces to encrypt credentials. This is the default. * EXTERNAL - Uses client certificates to provide valid identities to Infinispan Server and enable encryption. * PLAIN - Sends credentials in plain text (unencrypted) over the wire in a way that is similar to HTTP BASIC authentication. You should use PLAIN authentication only in combination with TLS encryption.
Specifies the filename of a truststore to use to create the SSLContext. You also need to specify a trustStorePassword. Setting this property implicitly enables SSL/TLS.
Whether a tracing propagation is enabled in case the Opentelemetry extension is present. By default the propagation of the context is propagated from the client to the Infinispan Server.
Cache configuration in inlined XML to create the cache on first access. Will be ignored if the configuration-uri is provided for the same cache name. An example of the user defined property: quarkus.infinispan-client.cache.bookscache.configuration=
Cache configuration file in XML, Json or YAML whose path will be converted to URI to create the cache on first access. An example of the user defined property. cacheConfig.xml file is located in the 'resources' folder: quarkus.infinispan-client.cache.bookscache.configuration-uri=cacheConfig.xml
Sets near cache mode used by the Infinispan Client Available values: * DISABLED - Means that near caching is disabled. This is the default value. * INVALIDATED - Means is near caching is invalidated, so when entries are updated or removed server-side, invalidation messages will be sent to clients to remove them from the near cache.
Exclude classes to automatically be bound to the default JAXB context. Values with suffix .*, i.e. org.acme.*, are considered packages and exclude all classes that are members of these packages
If enabled, Jackson will serialize durations as numeric value(s). When disabled, they are serialized in ISO 8601 format. This is enabled by default to match the default Jackson behavior.
If set, Jackson will default to using the specified timezone when formatting dates. Some examples values are "Asia/Jakarta" and "GMT+3". If not set, Jackson will use its own default.
-
Environment variable: QUARKUS_JACKSON_TIMEZONE
+
Environment variable: QUARKUS_JACKSON_TIMEZONE
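Review bot: In the Infinispan client-intelligence description, the TOPOLOGY_AWARE entry reads "Use this provider if you don't want the client to present any certificates to the remote TLS host", which describes a TLS choice rather than topology handling and does not fit the HASH_DISTRIBUTION_AWARE entry that builds on it ("Like TOPOLOGY_AWARE but with the additional advantage ..."). The opening "Sets client intelligence used by authentication" looks like a copy from the SASL property beside it. Suggest rewriting both to say how the client tracks server topology. In the SASL entry, DIGEST-MD5 is said to use MD5 and nonces "to encrypt credentials"; the mechanism hashes credentials rather than encrypting them, so "to hash credentials" is the accurate wording, which matters because the text names it as the default.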
@@ -23722,7 +23824,7 @@
Define which properties of Java Beans are to be included in serialization.
Defines how names of JSON properties ("external names") are derived from names of POJO methods and fields ("internal names"). The value can be one of the one of the constants in com.fasterxml.jackson.databind.PropertyNamingStrategies, so for example, LOWER_CAMEL_CASE or UPPER_CAMEL_CASE. The value can also be a fully qualified class name of a com.fasterxml.jackson.databind.PropertyNamingStrategy subclass.
A comma separated list of name = value tracer level tags, which get added to all reported spans. The value can also refer to an environment variable using the format ${envVarName:default}, where the :default is optional, and identifies a value to be used if the environment variable cannot be found
-
Environment variable: QUARKUS_JAEGER_TAGS
+
Environment variable: QUARKUS_JAEGER_TAGS
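Review bot: The property naming strategy description in this hunk says the value "can be one of the one of the constants in com.fasterxml.jackson.databind.PropertyNamingStrategies"; the phrase "one of the" is duplicated. Since the source text is being regenerated anyway, fix it to "can be one of the constants in ...".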
@@ -24226,7 +24328,7 @@
Comma separated list of formats to use for propagating the trace context. Defaults to the standard Jaeger format. Valid values are jaeger and b3
Whether the registration of tracer as the global tracer should be disabled. This setting should only be turned on in tests that need to install a mock tracer.
Keycloak server URL, for example, https://host:port. If this property is not set then the Keycloak Admin Client injection will fail - use org.keycloak.admin.client.KeycloakBuilder to create it instead.
Adapters will make separate HTTP invocations to the Keycloak server to turn an access code into an access token. This config option defines how many connections to the Keycloak server should be pooled
Specifies how the adapter should fetch the server for resources associated with paths in your application. If true, the policy enforcer is going to fetch resources on-demand accordingly with the path being requested
Specifies how scopes should be mapped to HTTP methods. If set to true, the policy enforcer will use the HTTP method from the current request to check whether access should be granted
Adapters will make separate HTTP invocations to the Keycloak server to turn an access code into an access token. This config option defines how many connections to the Keycloak server should be pooled
Specifies how the adapter should fetch the server for resources associated with paths in your application. If true, the policy enforcer is going to fetch resources on-demand accordingly with the path being requested
Specifies how scopes should be mapped to HTTP methods. If set to true, the policy enforcer will use the HTTP method from the current request to check whether access should be granted
The namespace the generated resources should belong to. If not value is set, then the 'namespace' field will not be added to the 'metadata' section of the generated manifests. This in turn means that when the manifests are applied to a cluster, the namespace will be resolved from the current Kubernetes context (see https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/#context for more details).
Whether to add the build timestamp to the Kubernetes annotations This is a very useful way to have manifests of successive builds of the same application differ - thus ensuring that Kubernetes will apply the updated resources
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
When true (the default), emit a set of annotations to identify services that should be scraped by prometheus for metrics. In configurations that use the Prometheus operator with ServiceMonitor, annotations may not be necessary.
Define the annotation prefix used for scrape values, this value will be used as the base for other annotation name defaults. Altering the base for generated annotations can make it easier to define re-labeling rules and avoid unexpected knock-on effects. The default value is prometheus.io See Prometheus example: https://github.com/prometheus/prometheus/blob/main/documentation/examples/prometheus-kubernetes.yml
This value controls the minimum number of replicas each revision should have. Knative will attempt to never have less than this number of replicas at any point in time.
+
GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field.
This value controls the maximum number of replicas each revision should have. Knative will attempt to never have more than this number of replicas running, or in the process of being created, at any point in time.
+
The UserName in Windows to run the entrypoint of the container process.
A list of groups applied to the first process run in each container, in addition to the container’s primary GID. If unspecified, no groups will be added to any container.
on-root-mismatchIt indicates that volume’s ownership and permissions will be changed only when permission and ownership of root directory does not match with expected permissions on the volume., alwaysIt indicates that volume’s ownership and permissions should always be changed whenever volume is mounted inside a Pod. This the default behavior.
If set, the config map will be mounted to the application container and its contents will be used for application configuration.
+
The namespace the generated resources should belong to. If not value is set, then the 'namespace' field will not be added to the 'metadata' section of the generated manifests. This in turn means that when the manifests are applied to a cluster, the namespace will be resolved from the current Kubernetes context (see https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/#context for more details).
The SELinux level label that applies to the container.
+
Whether to add the build timestamp to the Kubernetes annotations This is a very useful way to have manifests of successive builds of the same application differ - thus ensuring that Kubernetes will apply the updated resources
GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field.
+
The type of service that will be generated for the application
Indicates that the container must run as a non-root user.
+
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
A list of groups applied to the first process run in each container, in addition to the container’s primary GID. If unspecified, no groups will be added to any container.
+
The scheme of the HTTP get action. Can be either "HTTP" or "HTTPS".
on-root-mismatchIt indicates that volume’s ownership and permissions will be changed only when permission and ownership of root directory does not match with expected permissions on the volume., alwaysIt indicates that volume’s ownership and permissions should always be changed whenever volume is mounted inside a Pod. This the default behavior.
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
When true (the default), emit a set of annotations to identify services that should be scraped by prometheus for metrics. In configurations that use the Prometheus operator with ServiceMonitor, annotations may not be necessary.
Define the annotation prefix used for scrape values, this value will be used as the base for other annotation name defaults. Altering the base for generated annotations can make it easier to define re-labeling rules and avoid unexpected knock-on effects. The default value is prometheus.io See Prometheus example: https://github.com/prometheus/prometheus/blob/main/documentation/examples/prometheus-kubernetes.yml
This value controls the minimum number of replicas each revision should have. Knative will attempt to never have less than this number of replicas at any point in time.
This value controls the maximum number of replicas each revision should have. Knative will attempt to never have more than this number of replicas running, or in the process of being created, at any point in time.
GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field.
A list of groups applied to the first process run in each container, in addition to the container’s primary GID. If unspecified, no groups will be added to any container.
on-root-mismatchIt indicates that volume’s ownership and permissions will be changed only when permission and ownership of root directory does not match with expected permissions on the volume., alwaysIt indicates that volume’s ownership and permissions should always be changed whenever volume is mounted inside a Pod. This the default behavior.
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
The "namespace" resource to use by the Subject element in the generated Role Binding resource. By default, it will use the same as provided in the generated resources.
The "namespace" resource to use by the Subject element in the generated Role Binding resource. By default, it will use the same as provided in the generated resources.
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
The "namespace" resource to use by the Subject element in the generated Role Binding resource. By default, it will use the same as provided in the generated resources.
The "namespace" resource to use by the Subject element in the generated Role Binding resource. By default, it will use the same as provided in the generated resources.
LatestRevision may be optionally provided to indicate that the latest ready Revision of the Configuration should be used for this traffic target. When provided LatestRevision must be true if RevisionName is empty.
Percent indicates that percentage based routing should be used and the value indicates the percent of traffic that is to be routed to this Revision or Configuration. 0 (zero) mean no traffic, 100 means all traffic.
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
When true (the default), emit a set of annotations to identify services that should be scraped by prometheus for metrics. In configurations that use the Prometheus operator with ServiceMonitor, annotations may not be necessary.
Define the annotation prefix used for scrape values, this value will be used as the base for other annotation name defaults. Altering the base for generated annotations can make it easier to define re-labeling rules and avoid unexpected knock-on effects. The default value is prometheus.io See Prometheus example: https://github.com/prometheus/prometheus/blob/main/documentation/examples/prometheus-kubernetes.yml
GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field.
A list of groups applied to the first process run in each container, in addition to the container’s primary GID. If unspecified, no groups will be added to any container.
on-root-mismatchIt indicates that volume’s ownership and permissions will be changed only when permission and ownership of root directory does not match with expected permissions on the volume., alwaysIt indicates that volume’s ownership and permissions should always be changed whenever volume is mounted inside a Pod. This the default behavior.
The namespace the generated resources should belong to. If not value is set, then the 'namespace' field will not be added to the 'metadata' section of the generated manifests. This in turn means that when the manifests are applied to a cluster, the namespace will be resolved from the current Kubernetes context (see https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/#context for more details).
Whether to add the build timestamp to the Kubernetes annotations This is a very useful way to have manifests of successive builds of the same application differ - thus ensuring that Kubernetes will apply the updated resources
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
When true (the default), emit a set of annotations to identify services that should be scraped by prometheus for metrics. In configurations that use the Prometheus operator with ServiceMonitor, annotations may not be necessary.
Define the annotation prefix used for scrape values, this value will be used as the base for other annotation name defaults. Altering the base for generated annotations can make it easier to define re-labeling rules and avoid unexpected knock-on effects. The default value is prometheus.io See Prometheus example: https://github.com/prometheus/prometheus/blob/main/documentation/examples/prometheus-kubernetes.yml
The target deployment platform. Defaults to kubernetes. Can be kubernetes, openshift, knative, minikube etc., or any combination of the above as comma separated list.
Specifies the duration in seconds relative to the startTime that the job may be continuously active before the system tries to terminate it; value must be positive integer.
Limits the lifetime of a Job that has finished execution (either Complete or Failed). If this field is set, ttlSecondsAfterFinished after the Job finishes, it is eligible to be automatically deleted.
Specifies the duration in seconds relative to the startTime that the job may be continuously active before the system tries to terminate it; value must be positive integer.
Limits the lifetime of a Job that has finished execution (either Complete or Failed). If this field is set, ttlSecondsAfterFinished after the Job finishes, it is eligible to be automatically deleted.
GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field.
A list of groups applied to the first process run in each container, in addition to the container’s primary GID. If unspecified, no groups will be added to any container.
on-root-mismatchIt indicates that volume’s ownership and permissions will be changed only when permission and ownership of root directory does not match with expected permissions on the volume., alwaysIt indicates that volume’s ownership and permissions should always be changed whenever volume is mounted inside a Pod. This the default behavior.
If enabled, it means the JVM will wait for the debugger to attach before executing the main class. If false, the JVM will immediately execute the main class, while listening for the debugger connection.
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
The "namespace" resource to use by the Subject element in the generated Role Binding resource. By default, it will use the same as provided in the generated resources.
The "namespace" resource to use by the Subject element in the generated Role Binding resource. By default, it will use the same as provided in the generated resources.
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
The "namespace" resource to use by the Subject element in the generated Role Binding resource. By default, it will use the same as provided in the generated resources.
The "namespace" resource to use by the Subject element in the generated Role Binding resource. By default, it will use the same as provided in the generated resources.
LatestRevision may be optionally provided to indicate that the latest ready Revision of the Configuration should be used for this traffic target. When provided LatestRevision must be true if RevisionName is empty.
Percent indicates that percentage based routing should be used and the value indicates the percent of traffic that is to be routed to this Revision or Configuration. 0 (zero) mean no traffic, 100 means all traffic.
The namespace the generated resources should belong to. If not value is set, then the 'namespace' field will not be added to the 'metadata' section of the generated manifests. This in turn means that when the manifests are applied to a cluster, the namespace will be resolved from the current Kubernetes context (see https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/#context for more details).
+
The service port number to be used by this Ingress rule. This is only used when the servicePortName is not set.
Whether to add the build timestamp to the Kubernetes annotations This is a very useful way to have manifests of successive builds of the same application differ - thus ensuring that Kubernetes will apply the updated resources
+
If true, the init task will be generated. Otherwise, the init task resource generation will be skipped.
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
+
The key identifying the field from which the value is extracted.
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
When true (the default), emit a set of annotations to identify services that should be scraped by prometheus for metrics. In configurations that use the Prometheus operator with ServiceMonitor, annotations may not be necessary.
+
The port number to use when configuring the http get action. If not configured, the port corresponding to the httpActionPortName will be used.
Define the annotation prefix used for scrape values, this value will be used as the base for other annotation name defaults. Altering the base for generated annotations can make it easier to define re-labeling rules and avoid unexpected knock-on effects. The default value is prometheus.io See Prometheus example: https://github.com/prometheus/prometheus/blob/main/documentation/examples/prometheus-kubernetes.yml
+
The port name for selecting the port of the HTTP get action.
Define the annotation used to indicate services that should be scraped. By default, /scrape will be appended to the defined prefix.
+
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
The target deployment platform. Defaults to kubernetes. Can be kubernetes, openshift, knative, minikube etc., or any combination of the above as comma separated list.
+
If enabled and grpc-action is not provided, it will use the generated service name and the gRPC port.
The class of the Ingress. If the ingressClassName is omitted, a default Ingress class is used.
+
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
Specifies the duration in seconds relative to the startTime that the job may be continuously active before the system tries to terminate it; value must be positive integer.
+
If enabled and grpc-action is not provided, it will use the generated service name and the gRPC port.
Limits the lifetime of a Job that has finished execution (either Complete or Failed). If this field is set, ttlSecondsAfterFinished after the Job finishes, it is eligible to be automatically deleted.
+
The amount of time to wait before starting to probe.
Deadline in seconds for starting the job if it misses scheduled time for any reason. Missed jobs executions will be counted as failed ones.
+
When true (the default), emit a set of annotations to identify services that should be scraped by prometheus for metrics. In configurations that use the Prometheus operator with ServiceMonitor, annotations may not be necessary.
Define the annotation prefix used for scrape values, this value will be used as the base for other annotation name defaults. Altering the base for generated annotations can make it easier to define re-labeling rules and avoid unexpected knock-on effects. The default value is prometheus.io See Prometheus example: https://github.com/prometheus/prometheus/blob/main/documentation/examples/prometheus-kubernetes.yml
Specifies the duration in seconds relative to the startTime that the job may be continuously active before the system tries to terminate it; value must be positive integer.
Limits the lifetime of a Job that has finished execution (either Complete or Failed). If this field is set, ttlSecondsAfterFinished after the Job finishes, it is eligible to be automatically deleted.
The SELinux type label that applies to the container.
+
GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field.
GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field.
+
The UID to run the entrypoint of the container process.
The UID to run the entrypoint of the container process.
+
A list of groups applied to the first process run in each container, in addition to the container’s primary GID. If unspecified, no groups will be added to any container.
A list of groups applied to the first process run in each container, in addition to the container’s primary GID. If unspecified, no groups will be added to any container.
+
It holds policies that will be used for applying fsGroup to a volume when volume is mounted. Values: OnRootMismatch, Always
on-root-mismatchIt indicates that volume’s ownership and permissions will be changed only when permission and ownership of root directory does not match with expected permissions on the volume., alwaysIt indicates that volume’s ownership and permissions should always be changed whenever volume is mounted inside a Pod. This the default behavior.
Sysctls hold a list of namespaced sysctls used for the pod.
+
The OpenShift flavor / version to use. Older versions of OpenShift have minor differences in the labels and fields they support. This option allows users to have their manifests automatically aligned to the OpenShift 'flavor' they use.
It holds policies that will be used for applying fsGroup to a volume when volume is mounted. Values: OnRootMismatch, Always
+
The kind of the deployment resource to use. Supported values are 'Deployment', 'StatefulSet', 'Job', 'CronJob' and 'DeploymentConfig' defaulting to the latter.
on-root-mismatchIt indicates that volume’s ownership and permissions will be changed only when permission and ownership of root directory does not match with expected permissions on the volume., alwaysIt indicates that volume’s ownership and permissions should always be changed whenever volume is mounted inside a Pod. This the default behavior.
If enabled, it means the JVM will wait for the debugger to attach before executing the main class. If false, the JVM will immediately execute the main class, while listening for the debugger connection.
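Review bot: "defaulting to the latter" in the added deployment-kind description is easy to misread at the end of a five-item list. Name the default explicitly, e.g. "Supported values are 'Deployment', 'StatefulSet', 'Job', 'CronJob' and 'DeploymentConfig'. Defaults to 'DeploymentConfig'."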
+
The namespace the generated resources should belong to. If not value is set, then the 'namespace' field will not be added to the 'metadata' section of the generated manifests. This in turn means that when the manifests are applied to a cluster, the namespace will be resolved from the current Kubernetes context (see https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/#context for more details).
It specifies the address at which the debug socket will listen.
+
Add the build timestamp to the Kubernetes annotations This is a very useful way to have manifests of successive builds of the same application differ - thus ensuring that Kubernetes will apply the updated resources
If enabled, the port will be configured to use the schema HTTPS.
+
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
It must be a value between 0000 and 0777. If not specified, the volume defaultMode will be used.
+
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
When true (the default), emit a set of annotations to identify services that should be scraped by prometheus for metrics. In configurations that use the Prometheus operator with ServiceMonitor, annotations may not be necessary.
Define the annotation prefix used for scrape values, this value will be used as the base for other annotation name defaults. Altering the base for generated annotations can make it easier to define re-labeling rules and avoid unexpected knock-on effects. The default value is prometheus.io See Prometheus example: https://github.com/prometheus/prometheus/blob/main/documentation/examples/prometheus-kubernetes.yml
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
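Review bot: The added namespace description has a typo, "If not value is set" should read "If no value is set", and the added build-timestamp description runs two sentences together ("...to the Kubernetes annotations This is a very useful way..."), so it needs a full stop after "annotations". Since the namespace text says an unset value is resolved from the current Kubernetes context at apply time, it would also help to state plainly that the manifests will then land in whichever namespace that context points to.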
+
The host under which the application is going to be exposed
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
+
Specifies the number of retries before marking this job failed.
The scheme of the HTTP get action. Can be either "HTTP" or "HTTPS".
+
Specifies the duration in seconds relative to the startTime that the job may be continuously active before the system tries to terminate it; value must be positive integer.
Limits the lifetime of a Job that has finished execution (either Complete or Failed). If this field is set, ttlSecondsAfterFinished after the Job finishes, it is eligible to be automatically deleted.
Specifies the duration in seconds relative to the startTime that the job may be continuously active before the system tries to terminate it; value must be positive integer.
Limits the lifetime of a Job that has finished execution (either Complete or Failed). If this field is set, ttlSecondsAfterFinished after the Job finishes, it is eligible to be automatically deleted.
GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field.
A list of groups applied to the first process run in each container, in addition to the container’s primary GID. If unspecified, no groups will be added to any container.
on-root-mismatchIt indicates that volume’s ownership and permissions will be changed only when permission and ownership of root directory does not match with expected permissions on the volume., alwaysIt indicates that volume’s ownership and permissions should always be changed whenever volume is mounted inside a Pod. This the default behavior.
If enabled, it means the JVM will wait for the debugger to attach before executing the main class. If false, the JVM will immediately execute the main class, while listening for the debugger connection.
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
+
If deploy is enabled, it will follow this strategy to update the resources to the target OpenShift cluster.
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
The "namespace" resource to use by the Subject element in the generated Role Binding resource. By default, it will use the same as provided in the generated resources.
+
If enabled, the port will be configured to use the schema HTTPS.
The "kind" resource to use by the Subject element in the generated Role Binding resource. By default, it uses the "ServiceAccount" kind.
+
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
The "namespace" resource to use by the Subject element in the generated Role Binding resource. By default, it will use the same as provided in the generated resources.
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
The OpenShift flavor / version to use. Older versions of OpenShift have minor differences in the labels and fields they support. This option allows users to have their manifests automatically aligned to the OpenShift 'flavor' they use.
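Review bot: "the port will be configured to use the schema HTTPS" in the added port description should say "scheme", matching the wording already used for the HTTP get action ("The scheme of the HTTP get action. Can be either "HTTP" or "HTTPS"."). The sentence should also say what the port falls back to when the option is not enabled.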
+
The amount of time to wait before starting to probe.
The kind of the deployment resource to use. Supported values are 'Deployment', 'StatefulSet', 'Job', 'CronJob' and 'DeploymentConfig' defaulting to the latter.
The namespace the generated resources should belong to. If not value is set, then the 'namespace' field will not be added to the 'metadata' section of the generated manifests. This in turn means that when the manifests are applied to a cluster, the namespace will be resolved from the current Kubernetes context (see https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/#context for more details).
Add the build timestamp to the Kubernetes annotations This is a very useful way to have manifests of successive builds of the same application differ - thus ensuring that Kubernetes will apply the updated resources
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
+
The optional name of the ConfigMap from which a value is to be extracted. Mutually exclusive with from-secret.
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
When true (the default), emit a set of annotations to identify services that should be scraped by prometheus for metrics. In configurations that use the Prometheus operator with ServiceMonitor, annotations may not be necessary.
+
The port number to use when configuring the http get action. If not configured, the port corresponding to the httpActionPortName will be used.
Define the annotation prefix used for scrape values, this value will be used as the base for other annotation name defaults. Altering the base for generated annotations can make it easier to define re-labeling rules and avoid unexpected knock-on effects. The default value is prometheus.io See Prometheus example: https://github.com/prometheus/prometheus/blob/main/documentation/examples/prometheus-kubernetes.yml
+
The port name for selecting the port of the HTTP get action.
Define the annotation used to indicate services that should be scraped. By default, /scrape will be appended to the defined prefix.
+
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
Specifies the duration in seconds relative to the startTime that the job may be continuously active before the system tries to terminate it; value must be positive integer.
+
The map associating environment name to its associated value.
Limits the lifetime of a Job that has finished execution (either Complete or Failed). If this field is set, ttlSecondsAfterFinished after the Job finishes, it is eligible to be automatically deleted.
+
The optional name of the Secret from which a value is to be extracted. Mutually exclusive with from-configmap.
Specifies the duration in seconds relative to the startTime that the job may be continuously active before the system tries to terminate it; value must be positive integer.
Limits the lifetime of a Job that has finished execution (either Complete or Failed). If this field is set, ttlSecondsAfterFinished after the Job finishes, it is eligible to be automatically deleted.
GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field.
+
Name of the RoleBinding resource to be generated. If not provided, it will use the application name plus the role ref name.
A list of groups applied to the first process run in each container, in addition to the container’s primary GID. If unspecified, no groups will be added to any container.
+
The "apiGroup" resource that matches with the "kind" property. By default, it’s empty.
A special supplemental group that applies to all containers in a pod.
+
The "namespace" resource to use by the Subject element in the generated Role Binding resource. By default, it will use the same as provided in the generated resources.
on-root-mismatchIt indicates that volume’s ownership and permissions will be changed only when permission and ownership of root directory does not match with expected permissions on the volume., alwaysIt indicates that volume’s ownership and permissions should always be changed whenever volume is mounted inside a Pod. This the default behavior.
If enabled, it means the JVM will wait for the debugger to attach before executing the main class. If false, the JVM will immediately execute the main class, while listening for the debugger connection.
+
The "name" resource to use by the Subject element in the generated Role Binding resource.
Switch used to control whether non-idempotent fields are included in generated kubernetes resources to improve git-ops compatibility
+
The "namespace" resource to use by the Subject element in the generated Role Binding resource. By default, it will use the same as provided in the generated resources.
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
The http path to use for the probe. For this to work, the container port also needs to be set. Assuming the container port has been set (as per above comment), if execAction or tcpSocketAction are not set, an HTTP probe will be used automatically even if no path is set (which will result in the root path being used). If Smallrye Health is used, the path will automatically be set according to the health check path.
The "namespace" resource to use by the Subject element in the generated Role Binding resource. By default, it will use the same as provided in the generated resources.
The "namespace" resource to use by the Subject element in the generated Role Binding resource. By default, it will use the same as provided in the generated resources.
Enable the generation of the RBAC manifests. If enabled and no other role binding are provided using the properties quarkus.kubernetes.rbac., it will generate a default role binding using the role "view" and the application service account.
If Dev Services for Kubernetes should be used. (default to true) If this is true and kubernetes client is not configured then a kubernetes cluster will be started and will be used.
Whether configuration can be read from secrets. If set to true, Kubernetes resources allowing access to secrets (role and role binding) will be generated.
ConfigMaps to look for in the namespace that the Kubernetes Client has been configured for. ConfigMaps defined later in this list have a higher priority that ConfigMaps defined earlier in this list. Furthermore, any Secrets defined in secrets, will have higher priorities than all ConfigMaps.
Secrets to look for in the namespace that the Kubernetes Client has been configured for. If you use this, you probably want to enable quarkus.kubernetes-config.secrets.enabled. Secrets defined later in this list have a higher priority that ConfigMaps defined earlier in this list. Furthermore, these Secrets have a higher priorities than all ConfigMaps defined in configMaps.
Namespace to look for config maps and secrets. If this is not specified, then the namespace configured in the kubectl config context is used. If the value is specified and the namespace doesn’t exist, the application will fail to start.
Only used when extractStackTrace is true. A value of 0 will extract the whole stack trace. Any positive value will walk the cause chain: 1 corresponds with exception.getCause(), 2 with exception.getCause().getCause(), … Negative throwable reference walk the exception chain from the root cause side: -1 will extract the root cause, -2 the exception wrapping the root cause, …
Additional field type specification. Supported types: String, long, Long, double, Double and discover. Discover is the default if not specified, it discovers field type based on parseability.
Printing the details can be expensive as the values are retrieved from the caller. The details include the source class name, source file name, source method name and source line number.
Printing the details can be expensive as the values are retrieved from the caller. The details include the source class name, source file name, source method name and source line number.
Printing the details can be expensive as the values are retrieved from the caller. The details include the source class name, source file name, source method name and source line number.
The SMTP port. The default value depends on the configuration. The port 25 is used as default when ssl is disabled. This port continues to be used primarily for SMTP relaying. SMTP relaying is the transmission of email from email server to email server. The port 587 is the default port when ssl is enabled. It ensures that email is submitted securely. Note that the port 465 may be used by SMTP servers, however, IANA has reassigned a new service to this port, and it should no longer be used for SMTP communications.
-
Environment variable: QUARKUS_MAILER_PORT
+
Environment variable: QUARKUS_MAILER_PORT
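Review bot: The SMTP port description says port 587 "ensures that email is submitted securely", but the port number does not protect anything; by this same text it is the ssl setting that decides whether the connection is encrypted. Suggest wording it as "587 is the default port when ssl is enabled" and moving the security claim to the ssl option.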
@@ -43812,7 +59586,7 @@
Sets the username to connect to the SMTP server.
-
Environment variable: QUARKUS_MAILER_USERNAME
+
Environment variable: QUARKUS_MAILER_USERNAME
@@ -43829,7 +59603,7 @@
Sets the password to connect to the SMTP server.
-
Environment variable: QUARKUS_MAILER_PASSWORD
+
Environment variable: QUARKUS_MAILER_PASSWORD
@@ -43846,7 +59620,7 @@
Enables or disables the TLS/SSL.
-
Environment variable: QUARKUS_MAILER_SSL
+
Environment variable: QUARKUS_MAILER_SSL
@@ -43863,7 +59637,7 @@
Set whether all server certificates should be trusted. This option is only used when ssl is enabled.
-
Environment variable: QUARKUS_MAILER_TRUST_ALL
+
Environment variable: QUARKUS_MAILER_TRUST_ALL
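Review bot: The trust-all description ("Set whether all server certificates should be trusted") does not say that enabling it means the SMTP server's certificate is no longer validated, so the TLS connection can be intercepted by anyone presenting any certificate. Suggest stating that consequence and the default value next to QUARKUS_MAILER_TRUST_ALL, and pointing readers to the trust store options for servers that use a private CA.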
@@ -43880,7 +59654,7 @@
Sets the max number of open connections to the mail server.
Sets if connection pool is enabled. If the connection pooling is disabled, the max number of sockets is enforced nevertheless.
-
Environment variable: QUARKUS_MAILER_KEEP_ALIVE
+
Environment variable: QUARKUS_MAILER_KEEP_ALIVE
@@ -43931,7 +59705,7 @@
Disable ESMTP. The RFC-1869 states that clients should always attempt EHLO as first command to determine if ESMTP is supported, if this returns an error code, HELO is tried to use the regular SMTP command.
Sets the allowed authentication methods. These methods will be used only if the server supports them. If not set, all supported methods may be used. The list is given as a space separated list, such as DIGEST-MD5 CRAM-SHA256 CRAM-SHA1 CRAM-MD5 PLAIN LOGIN.
-
Environment variable: QUARKUS_MAILER_AUTH_METHODS
+
Environment variable: QUARKUS_MAILER_AUTH_METHODS
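Review bot: The auth-methods description lists PLAIN and LOGIN alongside the challenge-response methods and says all supported methods may be used when the property is unset, without tying that to the ssl setting. PLAIN and LOGIN send the password base64-encoded rather than hashed, so the text should say they are only appropriate over an encrypted connection, or recommend setting an explicit list when ssl is disabled.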
@@ -44223,7 +59997,7 @@
Sets the trust store password if any. Note that the password is only used for JKS and PCK#12 trust stores.
Sets the trust store type. By default, it guesses the type from the file name extension. For instance, truststore.pem will be seen as a PEM file, while truststore.jks will be seen as a JKS file. truststore.p12 and truststore.pfx will both be seen as PKCS#12 files. Accepted values are: JKS, PEM, PKCS.
Whether the mail should always been sent as multipart even if they don’t have attachments. When sets to true, the mail message will be encoded as multipart even for simple mails without attachments.
Set the keep alive timeout for the SMTP connection. This value determines how long a connection remains unused in the pool before being evicted and closed. A timeout of 0 means there is no timeout.
Approved recipients are compiled to a Pattern and must be a valid regular expression. The created Pattern is case-insensitive as emails are case insensitive. Provided patterns are trimmed before being compiled.
The SMTP port. The default value depends on the configuration. The port 25 is used as default when ssl is disabled. This port continues to be used primarily for SMTP relaying. SMTP relaying is the transmission of email from email server to email server. The port 587 is the default port when ssl is enabled. It ensures that email is submitted securely. Note that the port 465 may be used by SMTP servers, however, IANA has reassigned a new service to this port, and it should no longer be used for SMTP communications.
Disable ESMTP. The RFC-1869 states that clients should always attempt EHLO as first command to determine if ESMTP is supported, if this returns an error code, HELO is tried to use the regular SMTP command.
Sets the allowed authentication methods. These methods will be used only if the server supports them. If not set, all supported methods may be used. The list is given as a space separated list, such as DIGEST-MD5 CRAM-SHA256 CRAM-SHA1 CRAM-MD5 PLAIN LOGIN.
Sets the trust store type. By default, it guesses the type from the file name extension. For instance, truststore.pem will be seen as a PEM file, while truststore.jks will be seen as a JKS file. truststore.p12 and truststore.pfx will both be seen as PKCS#12 files. Accepted values are: JKS, PEM, PKCS.
Whether the mail should always been sent as multipart even if they don’t have attachments. When sets to true, the mail message will be encoded as multipart even for simple mails without attachments.
Set the keep alive timeout for the SMTP connection. This value determines how long a connection remains unused in the pool before being evicted and closed. A timeout of 0 means there is no timeout.
Approved recipients are compiled to a Pattern and must be a valid regular expression. The created Pattern is case-insensitive as emails are case insensitive. Provided patterns are trimmed before being compiled.
Support for HTTP client metrics will be enabled if Micrometer support is enabled, the REST client feature is enabled, and either this value is true, or this value is unset and quarkus.micrometer.binder-enabled-default is true.
Support for HTTP server metrics will be enabled if Micrometer support is enabled, an extension serving HTTP traffic is enabled, and either this value is true, or this value is unset and quarkus.micrometer.binder-enabled-default is true.
Support for JVM metrics will be enabled if Micrometer support is enabled, and either this value is true, or this value is unset and quarkus.micrometer.binder-enabled-default is true.
Support for Kafka metrics will be enabled if Micrometer support is enabled, the Kafka Consumer or Producer interface is on the classpath and either this value is true, or this value is unset and quarkus.micrometer.binder-enabled-default is true.
Support for Redis metrics will be enabled if Micrometer support is enabled, the Quarkus Redis client extension is on the classpath and either this value is true, or this value is unset and quarkus.micrometer.binder-enabled-default is true.
Support for gRPC server metrics will be enabled if Micrometer support is enabled, the gRPC server interfaces are on the classpath and either this value is true, or this value is unset and quarkus.micrometer.binder-enabled-default is true.
Support for gRPC client metrics will be enabled if Micrometer support is enabled, the gRPC client interfaces are on the classpath and either this value is true, or this value is unset and quarkus.micrometer.binder-enabled-default is true.
Support for System metrics will be enabled if Micrometer support is enabled, and either this value is true, or this value is unset and quarkus.micrometer.binder-enabled-default is true.
Support for Vert.x metrics will be enabled if Micrometer support is enabled, Vert.x MetricsOptions is on the classpath and either this value is true, or this value is unset and quarkus.micrometer.binder-enabled-default is true.
The path for the JSON metrics endpoint. The default value is metrics. By default, this value will be resolved as a path relative to ${quarkus.http.non-application-root-path}. If the management interface is enabled, the value will be resolved as a path relative to ${quarkus.management.root-path}.
Statistics like max, percentiles, and histogram counts decay over time to give greater weight to recent samples. Samples are accumulated to such statistics in ring buffers which rotate after the expiry, with this buffer length.
Statistics like max, percentiles, and histogram counts decay over time to give greater weight to recent samples. Samples are accumulated to such statistics in ring buffers which rotate after this expiry, with a particular buffer length.
Support for Prometheus will be enabled if Micrometer support is enabled, the PrometheusMeterRegistry is on the classpath and either this value is true, or this value is unset and quarkus.micrometer.registry-enabled-default is true.
Maximum number of unique URI tag values allowed. After the max number of tag values is reached, metrics with additional tag values are denied by filter.
Maximum number of unique URI tag values allowed. After the max number of tag values is reached, metrics with additional tag values are denied by filter.
If DevServices has been explicitly enabled or disabled. DevServices is generally enabled by default, unless there is an existing configuration present. When DevServices is enabled Quarkus will attempt to automatically configure and start a database when running in Dev or Test mode.
When choosing among multiple MongoDB servers to send a request, the driver will only send that request to a server whose ping time is less than or equal to the server with the fastest ping time plus the local threshold.
This property configures the DNS server. If the server is not set, it tries to read the first nameserver from /etc /resolv.conf (if the file exists), otherwise fallback to the default.
When choosing among multiple MongoDB servers to send a request, the driver will only send that request to a server whose ping time is less than or equal to the server with the fastest ping time plus the local threshold.
Configures the journal writing aspect. If set to true: the driver waits for the server to group commit to the journal file on disk. If set to false: the driver does not wait for the server to group commit to the journal file on disk.
When set, the driver adds w: wValue to all write commands. It requires safe to be true. The value is typically a number, but can also be the majority string.
Configures the journal writing aspect. If set to true: the driver waits for the server to group commit to the journal file on disk. If set to false: the driver does not wait for the server to group commit to the journal file on disk.
When set, the driver adds w: wValue to all write commands. It requires safe to be true. The value is typically a number, but can also be the majority string.
Configures the authentication mechanism to use if a credential was supplied. The default is unspecified, in which case the client will pick the most secure mechanism available based on the sever version. For the GSSAPI and MONGODB-X509 mechanisms, no password is accepted, only the username. Supported values: null or GSSAPI|PLAIN|MONGODB-X509|SCRAM_SHA_1|SCRAM_SHA_256|MONGODB_AWS
Configures the source of the authentication credentials. This is typically the database that the credentials have been created. The value defaults to the database specified in the path portion of the connection string or in the 'database' configuration property. If the database is specified in neither place, the default value is admin. This option is only respected when using the MONGO-CR mechanism (the default).
Configures the authentication mechanism to use if a credential was supplied. The default is unspecified, in which case the client will pick the most secure mechanism available based on the sever version. For the GSSAPI and MONGODB-X509 mechanisms, no password is accepted, only the username. Supported values: null or GSSAPI|PLAIN|MONGODB-X509|SCRAM_SHA_1|SCRAM_SHA_256|MONGODB_AWS
Configures the source of the authentication credentials. This is typically the database that the credentials have been created. The value defaults to the database specified in the path portion of the connection string or in the 'database' configuration property. If the database is specified in neither place, the default value is admin. This option is only respected when using the MONGO-CR mechanism (the default).
The name of the directory where the transaction logs will be stored when using the file-system object store. If the value is not absolute then the directory is relative to the user.dir system property.
The REST endpoint on which a coordinator is running. In order for an LRA to begin and end successfully and in order to join with an existing LRA, this coordinator must be available whenever a service method annotated with @LRA is invoked. In this version of the extension, a failed coordinator with LRAs that have not yet finished must be restarted.
-
Environment variable: QUARKUS_LRA_COORDINATOR_URL
+
Environment variable: QUARKUS_LRA_COORDINATOR_URL
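Review bot: In the MongoDB auth-source description earlier in this hunk, "This option is only respected when using the MONGO-CR mechanism (the default)" contradicts the auth-mechanism description next to it, which says the default is unspecified and does not list MONGO-CR among the supported values. Suggest aligning the two descriptions; the same hunk also has "PCK#12" where the following line spells it "PKCS#12", and "sever version" for "server version".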
@@ -47480,7 +63394,7 @@
The value configuring the io.netty.allocator.maxOrder system property of Netty. The default value is 3. Configuring this property overrides the minimum maxOrder requested by the extensions. This property affects the memory consumption of the application. It must be used carefully. More details on https://programmer.group/pool-area-of-netty-memory-pool.html.
When DevServices is enabled Quarkus will attempt to automatically configure and start Keycloak when running in Dev or Test mode and when Docker is running.
Note Keycloak Quarkus and Keycloak WildFly images are initialized differently. By default, Dev Services for Keycloak will assume it is a Keycloak Quarkus image if the image version does not end with a '-legacy' string. Set 'quarkus.keycloak.devservices.keycloak-x-image' to override this check.
If Keycloak-X image is used. By default, Dev Services for Keycloak will assume a Keycloak-X image is used if the image name contains a 'keycloak-x' string. Set 'quarkus.keycloak.devservices.keycloak-x-image' to override this check which may be necessary if you build custom Keycloak-X or Keycloak images. You do not need to set this property if the default check works.
The comma-separated list of class or file system paths to Keycloak realm files which will be used to initialize Keycloak. The first value in this list will be used to initialize default tenant connection properties.
Keycloak start command. Use this property to experiment with Keycloak start options, see https://www.keycloak.org/server/all-config. Note it will be ignored when loading legacy Keycloak WildFly images.
The Keycloak realm name. This property will be used to create the realm if the realm file pointed to by the 'realm-path' property does not exist, default value is 'quarkus' in this case. If the realm file pointed to by the 'realm-path' property exists then it is still recommended to set this property for Dev Services for Keycloak to avoid parsing the realm file in order to determine the realm name.
Indicates if the Keycloak realm has to be created when the realm file pointed to by the 'realm-path' property does not exist. Disable it if you’d like to create a realm using Keycloak Administration Console or Keycloak Admin API from io.quarkus.test.common.QuarkusTestResourceLifecycleManager.
The Keycloak users map containing the username and password pairs. If this map is empty then two users, 'alice' and 'bob' with the passwords matching their names will be created. This property will be used to create the Keycloak users if the realm file pointed to by the 'realm-path' property does not exist.
The Keycloak user roles. If this map is empty then a user named 'alice' will get 'admin' and 'user' roles and all other users will get a 'user' role. This property will be used to create the Keycloak roles if the realm file pointed to by the 'realm-path' property does not exist.
The WebClient timeout. Use this property to configure how long an HTTP client used by Dev UI handlers will wait for a response when requesting tokens from OpenId Connect Provider and sending them to the service endpoint.
Enable the registration of the Default TokenIntrospection and UserInfo Cache implementation bean. Note it only allows to use the default implementation, one needs to configure it in order to activate it, please see OidcConfig#tokenCache.
The base URL of the OpenID Connect (OIDC) server, for example, https://host:port/auth. OIDC discovery endpoint will be called by default by appending a '.well-known/openid-configuration' path to this URL. Note if you work with Keycloak OIDC server, make sure the base URL is in the following format: https://host:port/realms/{realm} where {realm} has to be replaced by the name of the Keycloak realm.
Relative path or absolute URL of the OIDC token endpoint which issues access and refresh tokens.
-
Environment variable: QUARKUS_OIDC_TOKEN_PATH
+
Environment variable: QUARKUS_OIDC_TOKEN_PATH
@@ -47897,7 +63811,7 @@
Relative path or absolute URL of the OIDC token revocation endpoint.
-
Environment variable: QUARKUS_OIDC_REVOKE_PATH
+
Environment variable: QUARKUS_OIDC_REVOKE_PATH
@@ -47914,7 +63828,7 @@
The client-id of the application. Each application has a client-id that is used to identify the application
-
Environment variable: QUARKUS_OIDC_CLIENT_ID
+
Environment variable: QUARKUS_OIDC_CLIENT_ID
@@ -47931,7 +63845,7 @@
The maximum amount of time connecting to the currently unavailable OIDC server will be attempted for. The number of times the connection request will be repeated is calculated by dividing the value of this property by 2. For example, setting it to 20S will allow for requesting the connection up to 10 times with a 2 seconds delay between the retries. Note this property is only effective when the initial OIDC connection is created, for example, when requesting a well-known OIDC configuration. Use the 'connection-retry-count' property to support trying to re-establish an already available connection which may have been dropped.
The number of times an attempt to re-establish an already available connection will be repeated for. Note this property is different to the connection-delay property which is only effective during the initial OIDC connection creation. This property is used to try to recover the existing connection which may have been temporarily lost. For example, if a request to the OIDC token endpoint fails due to a connection exception then the request will be retried for a number of times configured by this property.
The maximum size of the connection pool used by the WebClient
-
Environment variable: QUARKUS_OIDC_MAX_POOL_SIZE
+
Environment variable: QUARKUS_OIDC_MAX_POOL_SIZE
@@ -48001,7 +63915,7 @@
Client secret which is used for a client_secret_basic authentication method. Note that a 'client-secret.value' can be used instead but both properties are mutually exclusive.
If provided, indicates that JWT is signed using a private key in PEM or JWK format. You can use the signature-algorithm property to specify the key algorithm.
@@ -48327,7 +64241,7 @@
Note: If OIDC adapter needs to use a Proxy to talk with OIDC server (Provider), then at least the "host" config item must be configured to enable the usage of a Proxy.
-
Environment variable: QUARKUS_OIDC_PROXY_HOST
+
Environment variable: QUARKUS_OIDC_PROXY_HOST
@@ -48344,7 +64258,7 @@
The port number of the Proxy. Default value is 80.
-
Environment variable: QUARKUS_OIDC_PROXY_PORT
+
Environment variable: QUARKUS_OIDC_PROXY_PORT
@@ -48361,7 +64275,7 @@
The username, if Proxy needs authentication.
-
Environment variable: QUARKUS_OIDC_PROXY_USERNAME
+
Environment variable: QUARKUS_OIDC_PROXY_USERNAME
@@ -48378,7 +64292,7 @@
The password, if Proxy needs authentication.
-
Environment variable: QUARKUS_OIDC_PROXY_PASSWORD
+
Environment variable: QUARKUS_OIDC_PROXY_PASSWORD
@@ -48395,7 +64309,7 @@
Certificate validation and hostname verification, which can be one of the following values from enum Verification. Default is required.
An optional parameter to specify a provider of the key store file. If not given, the provider is automatically detected based on the key store file type.
An optional parameter to select a specific key in the key store. When SNI is disabled, if the key store contains multiple keys and no alias is specified, the behavior is undefined.
An optional parameter to specify a provider of the trust store file. If not given, the provider is automatically detected based on the trust store file type.
A unique tenant identifier. It must be set by TenantConfigResolver providers which resolve the tenant configuration dynamically and is optional in all other cases.
-
Environment variable: QUARKUS_OIDC_TENANT_ID
+
Environment variable: QUARKUS_OIDC_TENANT_ID
@@ -48618,7 +64532,7 @@
If this tenant configuration is enabled. Note that the default tenant will be disabled if it is not configured but either TenantConfigResolver which will resolve tenant configurations is registered or named tenants are configured. You do not have to disable the default tenant in this case.
-
Environment variable: QUARKUS_OIDC_TENANT_ENABLED
+
Environment variable: QUARKUS_OIDC_TENANT_ENABLED
@@ -48635,7 +64549,7 @@
The application type, which can be one of the following values from enum ApplicationType.
Relative path or absolute URL of the OIDC authorization endpoint which authenticates the users. This property must be set for the 'web-app' applications if OIDC discovery is disabled. This property will be ignored if the discovery is enabled.
Relative path or absolute URL of the OIDC userinfo endpoint. This property must only be set for the 'web-app' applications if OIDC discovery is disabled and 'authentication.user-info-required' property is enabled. This property will be ignored if the discovery is enabled.
-
Environment variable: QUARKUS_OIDC_USER_INFO_PATH
+
Environment variable: QUARKUS_OIDC_USER_INFO_PATH
@@ -48688,7 +64602,7 @@
Relative path or absolute URL of the OIDC RFC7662 introspection endpoint which can introspect both opaque and JWT tokens. This property must be set if OIDC discovery is disabled and 1) the opaque bearer access tokens have to be verified or 2) JWT tokens have to be verified while the cached JWK verification set with no matching JWK is being refreshed. This property will be ignored if the discovery is enabled.
Relative path or absolute URL of the OIDC JWKS endpoint which returns a JSON Web Key Verification Set. This property should be set if OIDC discovery is disabled and the local JWT verification is required. This property will be ignored if the discovery is enabled.
-
Environment variable: QUARKUS_OIDC_JWKS_PATH
+
Environment variable: QUARKUS_OIDC_JWKS_PATH
@@ -48722,7 +64636,7 @@
Relative path or absolute URL of the OIDC end_session_endpoint. This property must be set if OIDC discovery is disabled and RP Initiated Logout support for the 'web-app' applications is required. This property will be ignored if the discovery is enabled.
List of paths to claims containing an array of groups. Each path starts from the top level JWT JSON object and can contain multiple segments where each segment represents a JSON object name only, example: "realm/groups". Use double quotes with the namespace qualified claim names. This property can be used if a token has no 'groups' claim but has the groups set in one or more different claims.
Separator for splitting a string which may contain multiple group values. It will only be used if the "role-claim-path" property points to one or more custom claims whose values are strings. A single space will be used by default because the standard 'scope' claim may contain a space separated sequence.
Expected issuer 'iss' claim value. Note this property overrides the issuer property which may be set in OpenId Connect provider’s well-known configuration. If the iss claim value varies depending on the host/IP address or tenant id of the provider then you may skip the issuer verification by setting this property to 'any' but it should be done only when other options (such as configuring the provider to use the fixed iss claim value) are not possible.
-
Environment variable: QUARKUS_OIDC_TOKEN_ISSUER
+
Environment variable: QUARKUS_OIDC_TOKEN_ISSUER
@@ -48877,7 +64791,7 @@
Expected audience 'aud' claim value which may be a string or an array of strings. Note the audience claim will be verified for ID tokens by default. ID token audience must be equal to the value of quarkus.oidc.client-id property. Use this property to override the expected value if your OpenID Connect provider sets a different audience claim value in ID tokens. Set it to any if your provider does not set ID token audience` claim. Audience verification for access tokens will only be done if this property is configured.
Life span grace period in seconds. When checking token expiry, current time is allowed to be later than token expiration time by at most the configured number of seconds. When checking token issuance, current time is allowed to be sooner than token issue time by at most the configured number of seconds.
Token age. It allows for the number of seconds to be specified that must not elapse since the iat (issued at) time. A small leeway to account for clock skew which can be configured with 'quarkus.oidc.token.lifespan-grace' to verify the token expiry time can also be used to verify the token age property. Note that setting this property does not relax the requirement that Bearer and Code Flow JWT tokens must have a valid ('exp') expiry claim value. The only exception where setting this property relaxes the requirement is when a logout token is sent with a back-channel logout request since the current OpenId Connect Back-Channel specification does not explicitly require the logout tokens to contain an 'exp' claim. However, even if the current logout token is allowed to have no 'exp' claim, the exp claim will be still verified if the logout token contains it.
-
Environment variable: QUARKUS_OIDC_TOKEN_AGE
+
Environment variable: QUARKUS_OIDC_TOKEN_AGE
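Review bot: In the audience description, "Set it to any if your provider does not set ID token audience` claim" has a stray backtick and leaves the literal value any unquoted, while the issuer description above quotes it as 'any'. Suggest quoting the value the same way in both places, since a reader can otherwise miss that the sentence names a literal setting that changes how the ID token audience is checked.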
@@ -48946,7 +64860,7 @@
Name of the claim which contains a principal name. By default, the 'upn', 'preferred_username' and sub claims are checked.
Refresh expired authorization code flow ID or access tokens. If this property is enabled then a refresh token request will be performed if the authorization code ID or access token has expired and, if successful, the local session will be updated with the new set of tokens. Otherwise, the local session will be invalidated and the user redirected to the OpenID Provider to re-authenticate. In this case the user may not be challenged again if the OIDC provider session is still active. For this option be effective the authentication.session-age-extension property should also be set to a non-zero value since the refresh token is currently kept in the user session. This option is valid only when the application is of type ApplicationType#WEB_APP}. This property will be enabled if quarkus.oidc.token.refresh-token-time-skew is configured, you do not have to enable this property manually in this case.
Refresh token time skew in seconds. If this property is enabled then the configured number of seconds is added to the current time when checking if the authorization code ID or access token should be refreshed. If the sum is greater than the authorization code ID or access token’s expiration time then a refresh is going to happen.
Custom HTTP header that contains a bearer token. This option is valid only when the application is of type ApplicationType#SERVICE}.
-
Environment variable: QUARKUS_OIDC_TOKEN_HEADER
+
Environment variable: QUARKUS_OIDC_TOKEN_HEADER
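Review bot: two context descriptions in this hunk end in an unbalanced brace, "ApplicationType#WEB_APP}" in the refresh-expired text and "ApplicationType#SERVICE}" in the custom header text, which looks like a Javadoc link that was only half stripped when the reference was generated. Suggest rendering both as plain application type names. The refresh-expired text also reads "For this option be effective", which is missing "to", and its last sentence joins two clauses with a comma ("is configured, you do not have to enable") where a full stop is needed.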
@@ -49033,7 +64947,7 @@
Required signature algorithm. OIDC providers support many signature algorithms but if necessary you can restrict Quarkus application to accept tokens signed only using an algorithm configured with this property.
Decryption key location. JWT tokens can be inner-signed and encrypted by OpenId Connect providers. However, it is not always possible to remotely introspect such tokens because the providers may not control the private decryption keys. In such cases set this property to point to the file containing the decryption private key in PEM or JSON Web Key (JWK) format. Note that if a 'private_key_jwt' client authentication method is used then the private key which is used to sign client authentication JWT tokens will be used to try to decrypt an encrypted ID token if this property is not set.
Allow the remote introspection of JWT tokens when no matching JWK key is available. Note this property is set to 'true' by default for backward-compatibility reasons and will be set to false instead in one of the next releases. Also note this property will be ignored if JWK endpoint URI is not available and introspecting the tokens is the only verification option.
Token customizer name. Allows to select a tenant specific token customizer as a named bean. Prefer using Tenant qualifier when registering custom TokenCustomizer. Use this property only to refer to TokenCustomizer implementations provided by this extension.
Indirectly verify that the opaque (binary) access token is valid by using it to request UserInfo. Opaque access token is considered valid if the provider accepted this token and returned a valid UserInfo. You should only enable this option if the opaque access tokens have to be accepted but OpenId Connect provider does not have a token introspection endpoint. This property will have no effect when JWT tokens have to be verified.
The relative path of the logout endpoint at the application. If provided, the application is able to initiate the logout through this endpoint in conformance with the OpenID Connect RP-Initiated Logout specification.
-
Environment variable: QUARKUS_OIDC_LOGOUT_PATH
+
Environment variable: QUARKUS_OIDC_LOGOUT_PATH
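Review bot: the remote introspection description in this hunk's context says the property is 'true' by default "for backward-compatibility reasons and will be set to false instead in one of the next releases", which documents a default that is expected to change without telling operators what to do about it. Suggest adding that deployments should set the value explicitly so behaviour does not shift on upgrade, and stating what happens to a JWT with no matching JWK once the property is false. The same sentence quotes 'true' but leaves false unquoted.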
@@ -49171,7 +65085,7 @@
Relative path of the application endpoint where the user should be redirected to after logging out from the OpenID Connect Provider. This endpoint URI must be properly registered at the OpenID Connect Provider as a valid redirect URI.
Logout token claim whose value will be used as a key for caching the tokens. Only sub (subject) and sid (session id) claims can be used as keys. Set it to sid only if ID tokens issued by the OIDC provider have no sub but have sid claim.
Relative path for calculating a "redirect_uri" query parameter. It has to start from a forward slash and will be appended to the request URI’s host and port. For example, if the current request URI is 'https://localhost:8080/service' then a 'redirect_uri' parameter will be set to 'https://localhost:8080/' if this property is set to '/' and be the same as the request URI if this property has not been configured. Note the original request URI will be restored after the user has authenticated if 'restorePathAfterRedirect' is set to 'true'.
If this property is set to 'true' then the original request URI which was used before the authentication will be restored after the user has been redirected back to the application. Note if redirectPath property is not set, the original request URI will be restored even if this property is disabled.
Remove the query parameters such as 'code' and 'state' set by the OIDC server on the redirect URI after the user has authenticated by redirecting a user to the same URI but without the query parameters.
Relative path to the public endpoint which will process the error response from the OIDC authorization endpoint. If the user authentication has failed then the OIDC provider will return an 'error' and an optional 'error_description' parameters, instead of the expected authorization 'code'. If this property is set then the user will be redirected to the endpoint which can return a user-friendly error description page. It has to start from a forward slash and will be appended to the request URI’s host and port. For example, if it is set as '/error' and the current request URI is 'https://localhost:8080/callback?error=invalid_scope' then a redirect will be made to 'https://localhost:8080/error?error=invalid_scope'. If this property is not set then HTTP 401 status will be returned in case of the user authentication failure.
Both ID and access tokens are fetched from the OIDC provider as part of the authorization code flow. ID token is always verified on every user request as the primary token which is used to represent the principal and extract the roles. Access token is not verified by default since it is meant to be propagated to the downstream services. The verification of the access token should be enabled if it is injected as a JWT token. Access tokens obtained as part of the code flow will always be verified if quarkus.oidc.roles.source property is set to accesstoken which means the authorization decision will be based on the roles extracted from the access token. Bearer access tokens are always verified.
Force 'https' as the 'redirect_uri' parameter scheme when running behind an SSL terminating reverse proxy. This property, if enabled, will also affect the logout post_logout_redirect_uri and the local redirect requests.
Add the 'openid' scope automatically to the list of scopes. This is required for OpenId Connect providers but will not work for OAuth2 providers such as Twitter OAuth2 which does not accept that scope and throws an error.
If enabled the state, session and post logout cookies will have their 'secure' parameter set to 'true' when HTTP is used. It may be necessary when running behind an SSL terminating reverse proxy. The cookies will always be secure if HTTPS is used even if this property is set to false.
Cookie name suffix. For example, a session cookie name for the default OIDC tenant is 'q_session' but can be changed to 'q_session_test' if this property is set to 'test'.
Cookie path parameter value which, if set, will be used to set a path parameter for the session, state and post logout cookies. The cookie-path-header property, if set, will be checked first.
Cookie path header parameter value which, if set, identifies the incoming HTTP header whose value will be used to set a path parameter for the session, state and post logout cookies. If the header is missing then the cookie-path property will be checked.
If a state cookie is present then a state query parameter must also be present and both the state cookie name suffix and state cookie value have to match the value of the state query parameter when the redirect path matches the current path. However, if multiple authentications are attempted from the same browser, for example, from the different browser tabs, then the currently available state cookie may represent the authentication flow initiated from another tab and not related to the current request. Disable this property if you would like to avoid supporting multiple authorization code flows running in the same browser.
If this property is set to 'true' then an OIDC UserInfo endpoint will be called. This property will be enabled if quarkus.oidc.roles.source is userinfo or quarkus.oidc.token.verify-access-token-with-user-info is true or quarkus.oidc.authentication.id-token-required is set to false, you do not have to enable this property manually in these cases.
Session age extension in minutes. The user session age property is set to the value of the ID token life-span by default and the user will be redirected to the OIDC provider to re-authenticate once the session has expired. If this property is set to a non-zero value then the expired ID token can be refreshed before the session has expired. This property will be ignored if the token.refresh-expired property has not been enabled.
If this property is set to 'true' then a normal 302 redirect response will be returned if the request was initiated via JavaScript API such as XMLHttpRequest or Fetch and the current user needs to be (re)authenticated which may not be desirable for Single Page Applications since it automatically following the redirect may not work given that OIDC authorization endpoints typically do not support CORS. If this property is set to false then a status code of '499' will be returned to allow the client to handle the redirect manually
Requires that ID token is available when the authorization code flow completes. Disable this property only when you need to use the authorization code flow with OAuth2 providers which do not return ID token - an internal IdToken will be generated in such cases.
Secret which will be used to encrypt a Proof Key for Code Exchange (PKCE) code verifier in the code flow state. This secret must be set if PKCE is required but no client secret is set. The length of the secret which will be used to encrypt the code verifier must be 32 characters long.
+
Secret which will be used to encrypt a Proof Key for Code Exchange (PKCE) code verifier in the code flow state. This secret should be at least 32 characters long.
If this secret is not set, the client secret configured with either quarkus.oidc.credentials.secret or quarkus.oidc.credentials.client-secret.value will be checked. Finally, quarkus.oidc.credentials.jwt.secret which can be used for client_jwt_secret authentication will be checked. Client secret will not be used as a PKCE code verifier encryption secret if it is less than 32 characters long.
+
+
+
The secret will be auto-generated if it remains uninitialized after checking all of these properties.
+
+
+
Error will be reported if the secret length is less than 16 characters.
Default TokenStateManager keeps all tokens (ID, access and refresh) returned in the authorization code grant response in a single session cookie by default. Enable this property to minimize a session cookie size
The length of the secret which will be used to encrypt the tokens should be at least 32 characters long. Warning will be logged if the secret length is less than 16 characters.
Allow caching the token introspection data. Note enabling this property does not enable the cache itself but only permits to cache the token introspection for a given tenant. If the default token cache can be used then please see OidcConfig.TokenCache how to enable it.
Allow caching the user info data. Note enabling this property does not enable the cache itself but only permits to cache the user info data for a given tenant. If the default token cache can be used then please see OidcConfig.TokenCache how to enable it.
Allow inlining UserInfo in IdToken instead of caching it in the token cache. This property is only checked when an internal IdToken is generated when Oauth2 providers do not return IdToken. Inlining UserInfo in the generated IdToken allows to store it in the session cookie and avoids introducing a cached state.
A map of required claims and their expected values. For example, quarkus.oidc.token.required-claims.org_id = org_xyz would require tokens to have the org_id claim to be present and set to org_xyz. Strings are the only supported types. Use SecurityIdentityAugmentor to verify claims of other types or complex claims.
Additional parameters, in addition to the required code and redirect-uri parameters, which have to be included to complete the authorization code grant request.
The base URL of the OpenID Connect (OIDC) server, for example, https://host:port/auth. OIDC discovery endpoint will be called by default by appending a '.well-known/openid-configuration' path to this URL. Note if you work with Keycloak OIDC server, make sure the base URL is in the following format: https://host:port/realms/{realm} where {realm} has to be replaced by the name of the Keycloak realm.
The maximum amount of time connecting to the currently unavailable OIDC server will be attempted for. The number of times the connection request will be repeated is calculated by dividing the value of this property by 2. For example, setting it to 20S will allow for requesting the connection up to 10 times with a 2 seconds delay between the retries. Note this property is only effective when the initial OIDC connection is created, for example, when requesting a well-known OIDC configuration. Use the 'connection-retry-count' property to support trying to re-establish an already available connection which may have been dropped.
The number of times an attempt to re-establish an already available connection will be repeated for. Note this property is different to the connection-delay property which is only effective during the initial OIDC connection creation. This property is used to try to recover the existing connection which may have been temporarily lost. For example, if a request to the OIDC token endpoint fails due to a connection exception then the request will be retried for a number of times configured by this property.
Client secret which is used for a client_secret_basic authentication method. Note that a 'client-secret.value' can be used instead but both properties are mutually exclusive.
If provided, indicates that JWT is signed using a private key in PEM or JWK format. You can use the signature-algorithm property to specify the key algorithm.
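Review bot: the added PKCE secret text gives three length thresholds without saying how they relate: the secret "should be at least 32 characters long", a client secret is skipped as a fallback "if it is less than 32 characters long", and "Error will be reported if the secret length is less than 16 characters". Please state what happens to a configured secret of 16 to 31 characters and whether the 16 character error also applies to the fallback secrets; the token encryption secret described a few lines later only logs a warning below 16 characters, so the difference should be explained or aligned. The added sentence "The secret will be auto-generated if it remains uninitialized" should also say whether the generated value is shared between application instances and survives a restart, since it protects the code verifier kept in the code flow state. Finally, "client_jwt_secret authentication" looks like a transposition of client_secret_jwt.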
@@ -50440,7 +66433,7 @@
Note: If OIDC adapter needs to use a Proxy to talk with OIDC server (Provider), then at least the "host" config item must be configured to enable the usage of a Proxy.
An optional parameter to specify a provider of the key store file. If not given, the provider is automatically detected based on the key store file type.
An optional parameter to select a specific key in the key store. When SNI is disabled, if the key store contains multiple keys and no alias is specified, the behavior is undefined.
An optional parameter to specify a provider of the trust store file. If not given, the provider is automatically detected based on the trust store file type.
A unique tenant identifier. It must be set by TenantConfigResolver providers which resolve the tenant configuration dynamically and is optional in all other cases.
If this tenant configuration is enabled. Note that the default tenant will be disabled if it is not configured but either TenantConfigResolver which will resolve tenant configurations is registered or named tenants are configured. You do not have to disable the default tenant in this case.
Relative path or absolute URL of the OIDC authorization endpoint which authenticates the users. This property must be set for the 'web-app' applications if OIDC discovery is disabled. This property will be ignored if the discovery is enabled.
Relative path or absolute URL of the OIDC userinfo endpoint. This property must only be set for the 'web-app' applications if OIDC discovery is disabled and 'authentication.user-info-required' property is enabled. This property will be ignored if the discovery is enabled.
Relative path or absolute URL of the OIDC RFC7662 introspection endpoint which can introspect both opaque and JWT tokens. This property must be set if OIDC discovery is disabled and 1) the opaque bearer access tokens have to be verified or 2) JWT tokens have to be verified while the cached JWK verification set with no matching JWK is being refreshed. This property will be ignored if the discovery is enabled.
Relative path or absolute URL of the OIDC JWKS endpoint which returns a JSON Web Key Verification Set. This property should be set if OIDC discovery is disabled and the local JWT verification is required. This property will be ignored if the discovery is enabled.
Relative path or absolute URL of the OIDC end_session_endpoint. This property must be set if OIDC discovery is disabled and RP Initiated Logout support for the 'web-app' applications is required. This property will be ignored if the discovery is enabled.
List of paths to claims containing an array of groups. Each path starts from the top level JWT JSON object and can contain multiple segments where each segment represents a JSON object name only, example: "realm/groups". Use double quotes with the namespace qualified claim names. This property can be used if a token has no 'groups' claim but has the groups set in one or more different claims.
Separator for splitting a string which may contain multiple group values. It will only be used if the "role-claim-path" property points to one or more custom claims whose values are strings. A single space will be used by default because the standard 'scope' claim may contain a space separated sequence.
Expected issuer 'iss' claim value. Note this property overrides the issuer property which may be set in OpenId Connect provider’s well-known configuration. If the iss claim value varies depending on the host/IP address or tenant id of the provider then you may skip the issuer verification by setting this property to 'any' but it should be done only when other options (such as configuring the provider to use the fixed iss claim value) are not possible.
Expected audience 'aud' claim value which may be a string or an array of strings. Note the audience claim will be verified for ID tokens by default. ID token audience must be equal to the value of quarkus.oidc.client-id property. Use this property to override the expected value if your OpenID Connect provider sets a different audience claim value in ID tokens. Set it to any if your provider does not set ID token audience` claim. Audience verification for access tokens will only be done if this property is configured.
A map of required claims and their expected values. For example, quarkus.oidc.token.required-claims.org_id = org_xyz would require tokens to have the org_id claim to be present and set to org_xyz. Strings are the only supported types. Use SecurityIdentityAugmentor to verify claims of other types or complex claims.
Life span grace period in seconds. When checking token expiry, current time is allowed to be later than token expiration time by at most the configured number of seconds. When checking token issuance, current time is allowed to be sooner than token issue time by at most the configured number of seconds.
Token age. It allows for the number of seconds to be specified that must not elapse since the iat (issued at) time. A small leeway to account for clock skew which can be configured with 'quarkus.oidc.token.lifespan-grace' to verify the token expiry time can also be used to verify the token age property. Note that setting this property does not relax the requirement that Bearer and Code Flow JWT tokens must have a valid ('exp') expiry claim value. The only exception where setting this property relaxes the requirement is when a logout token is sent with a back-channel logout request since the current OpenId Connect Back-Channel specification does not explicitly require the logout tokens to contain an 'exp' claim. However, even if the current logout token is allowed to have no 'exp' claim, the exp claim will be still verified if the logout token contains it.
Refresh expired authorization code flow ID or access tokens. If this property is enabled then a refresh token request will be performed if the authorization code ID or access token has expired and, if successful, the local session will be updated with the new set of tokens. Otherwise, the local session will be invalidated and the user redirected to the OpenID Provider to re-authenticate. In this case the user may not be challenged again if the OIDC provider session is still active. For this option be effective the authentication.session-age-extension property should also be set to a non-zero value since the refresh token is currently kept in the user session. This option is valid only when the application is of type ApplicationType#WEB_APP}. This property will be enabled if quarkus.oidc.token.refresh-token-time-skew is configured, you do not have to enable this property manually in this case.
Refresh token time skew in seconds. If this property is enabled then the configured number of seconds is added to the current time when checking if the authorization code ID or access token should be refreshed. If the sum is greater than the authorization code ID or access token’s expiration time then a refresh is going to happen.
Required signature algorithm. OIDC providers support many signature algorithms but if necessary you can restrict Quarkus application to accept tokens signed only using an algorithm configured with this property.
Decryption key location. JWT tokens can be inner-signed and encrypted by OpenId Connect providers. However, it is not always possible to remotely introspect such tokens because the providers may not control the private decryption keys. In such cases set this property to point to the file containing the decryption private key in PEM or JSON Web Key (JWK) format. Note that if a 'private_key_jwt' client authentication method is used then the private key which is used to sign client authentication JWT tokens will be used to try to decrypt an encrypted ID token if this property is not set.
Allow the remote introspection of JWT tokens when no matching JWK key is available. Note this property is set to 'true' by default for backward-compatibility reasons and will be set to false instead in one of the next releases. Also note this property will be ignored if JWK endpoint URI is not available and introspecting the tokens is the only verification option.
Token customizer name. Allows to select a tenant specific token customizer as a named bean. Prefer using Tenant qualifier when registering custom TokenCustomizer. Use this property only to refer to TokenCustomizer implementations provided by this extension.
Indirectly verify that the opaque (binary) access token is valid by using it to request UserInfo. Opaque access token is considered valid if the provider accepted this token and returned a valid UserInfo. You should only enable this option if the opaque access tokens have to be accepted but OpenId Connect provider does not have a token introspection endpoint. This property will have no effect when JWT tokens have to be verified.
The relative path of the logout endpoint at the application. If provided, the application is able to initiate the logout through this endpoint in conformance with the OpenID Connect RP-Initiated Logout specification.
Relative path of the application endpoint where the user should be redirected to after logging out from the OpenID Connect Provider. This endpoint URI must be properly registered at the OpenID Connect Provider as a valid redirect URI.
Logout token claim whose value will be used as a key for caching the tokens. Only sub (subject) and sid (session id) claims can be used as keys. Set it to sid only if ID tokens issued by the OIDC provider have no sub but have sid claim.
Relative path for calculating a "redirect_uri" query parameter. It has to start from a forward slash and will be appended to the request URI’s host and port. For example, if the current request URI is 'https://localhost:8080/service' then a 'redirect_uri' parameter will be set to 'https://localhost:8080/' if this property is set to '/' and be the same as the request URI if this property has not been configured. Note the original request URI will be restored after the user has authenticated if 'restorePathAfterRedirect' is set to 'true'.
If this property is set to 'true' then the original request URI which was used before the authentication will be restored after the user has been redirected back to the application. Note if redirectPath property is not set, the original request URI will be restored even if this property is disabled.
Remove the query parameters such as 'code' and 'state' set by the OIDC server on the redirect URI after the user has authenticated by redirecting a user to the same URI but without the query parameters.
Relative path to the public endpoint which will process the error response from the OIDC authorization endpoint. If the user authentication has failed then the OIDC provider will return an 'error' and an optional 'error_description' parameters, instead of the expected authorization 'code'. If this property is set then the user will be redirected to the endpoint which can return a user-friendly error description page. It has to start from a forward slash and will be appended to the request URI’s host and port. For example, if it is set as '/error' and the current request URI is 'https://localhost:8080/callback?error=invalid_scope' then a redirect will be made to 'https://localhost:8080/error?error=invalid_scope'. If this property is not set then HTTP 401 status will be returned in case of the user authentication failure.
Both ID and access tokens are fetched from the OIDC provider as part of the authorization code flow. ID token is always verified on every user request as the primary token which is used to represent the principal and extract the roles. Access token is not verified by default since it is meant to be propagated to the downstream services. The verification of the access token should be enabled if it is injected as a JWT token. Access tokens obtained as part of the code flow will always be verified if quarkus.oidc.roles.source property is set to accesstoken which means the authorization decision will be based on the roles extracted from the access token. Bearer access tokens are always verified.
Force 'https' as the 'redirect_uri' parameter scheme when running behind an SSL terminating reverse proxy. This property, if enabled, will also affect the logout post_logout_redirect_uri and the local redirect requests.
Add the 'openid' scope automatically to the list of scopes. This is required for OpenId Connect providers but will not work for OAuth2 providers such as Twitter OAuth2 which does not accept that scope and throws an error.
If enabled the state, session and post logout cookies will have their 'secure' parameter set to 'true' when HTTP is used. It may be necessary when running behind an SSL terminating reverse proxy. The cookies will always be secure if HTTPS is used even if this property is set to false.
Cookie name suffix. For example, a session cookie name for the default OIDC tenant is 'q_session' but can be changed to 'q_session_test' if this property is set to 'test'.
Cookie path parameter value which, if set, will be used to set a path parameter for the session, state and post logout cookies. The cookie-path-header property, if set, will be checked first.
Cookie path header parameter value which, if set, identifies the incoming HTTP header whose value will be used to set a path parameter for the session, state and post logout cookies. If the header is missing then the cookie-path property will be checked.
If a state cookie is present then a state query parameter must also be present and both the state cookie name suffix and state cookie value have to match the value of the state query parameter when the redirect path matches the current path. However, if multiple authentications are attempted from the same browser, for example, from the different browser tabs, then the currently available state cookie may represent the authentication flow initiated from another tab and not related to the current request. Disable this property if you would like to avoid supporting multiple authorization code flows running in the same browser.
If this property is set to 'true' then an OIDC UserInfo endpoint will be called. This property will be enabled if quarkus.oidc.roles.source is userinfo or quarkus.oidc.token.verify-access-token-with-user-info is true or quarkus.oidc.authentication.id-token-required is set to false, you do not have to enable this property manually in these cases.
Session age extension in minutes. The user session age property is set to the value of the ID token life-span by default and the user will be redirected to the OIDC provider to re-authenticate once the session has expired. If this property is set to a non-zero value then the expired ID token can be refreshed before the session has expired. This property will be ignored if the token.refresh-expired property has not been enabled.
If this property is set to 'true' then a normal 302 redirect response will be returned if the request was initiated via JavaScript API such as XMLHttpRequest or Fetch and the current user needs to be (re)authenticated which may not be desirable for Single Page Applications since it automatically following the redirect may not work given that OIDC authorization endpoints typically do not support CORS. If this property is set to false then a status code of '499' will be returned to allow the client to handle the redirect manually
Requires that ID token is available when the authorization code flow completes. Disable this property only when you need to use the authorization code flow with OAuth2 providers which do not return ID token - an internal IdToken will be generated in such cases.
Secret which will be used to encrypt a Proof Key for Code Exchange (PKCE) code verifier in the code flow state. This secret must be set if PKCE is required but no client secret is set. The length of the secret which will be used to encrypt the code verifier must be 32 characters long.
+
Secret which will be used to encrypt a Proof Key for Code Exchange (PKCE) code verifier in the code flow state. This secret should be at least 32 characters long.
+
+
+
If this secret is not set, the client secret configured with either quarkus.oidc.credentials.secret or quarkus.oidc.credentials.client-secret.value will be checked. Finally, quarkus.oidc.credentials.jwt.secret which can be used for client_jwt_secret authentication will be checked. Client secret will not be used as a PKCE code verifier encryption secret if it is less than 32 characters long.
Additional parameters, in addition to the required code and redirect-uri parameters, which have to be included to complete the authorization code grant request.
Default TokenStateManager keeps all tokens (ID, access and refresh) returned in the authorization code grant response in a single session cookie by default. Enable this property to minimize a session cookie size
The length of the secret which will be used to encrypt the tokens should be at least 32 characters long. Warning will be logged if the secret length is less than 16 characters.
Allow caching the token introspection data. Note enabling this property does not enable the cache itself but only permits to cache the token introspection for a given tenant. If the default token cache can be used then please see OidcConfig.TokenCache how to enable it.
Allow caching the user info data. Note enabling this property does not enable the cache itself but only permits to cache the user info data for a given tenant. If the default token cache can be used then please see OidcConfig.TokenCache how to enable it.
Allow inlining UserInfo in IdToken instead of caching it in the token cache. This property is only checked when an internal IdToken is generated when Oauth2 providers do not return IdToken. Inlining UserInfo in the generated IdToken allows to store it in the session cookie and avoids introducing a cached state.
The base URL of the OpenID Connect (OIDC) server, for example, https://host:port/auth. OIDC discovery endpoint will be called by default by appending a '.well-known/openid-configuration' path to this URL. Note if you work with Keycloak OIDC server, make sure the base URL is in the following format: https://host:port/realms/{realm} where {realm} has to be replaced by the name of the Keycloak realm.
The maximum amount of time connecting to the currently unavailable OIDC server will be attempted for. The number of times the connection request will be repeated is calculated by dividing the value of this property by 2. For example, setting it to 20S will allow for requesting the connection up to 10 times with a 2 seconds delay between the retries. Note this property is only effective when the initial OIDC connection is created, for example, when requesting a well-known OIDC configuration. Use the 'connection-retry-count' property to support trying to re-establish an already available connection which may have been dropped.
The number of times an attempt to re-establish an already available connection will be repeated for. Note this property is different to the connection-delay property which is only effective during the initial OIDC connection creation. This property is used to try to recover the existing connection which may have been temporarily lost. For example, if a request to the OIDC token endpoint fails due to a connection exception then the request will be retried for a number of times configured by this property.
Client secret which is used for a client_secret_basic authentication method. Note that a 'client-secret.value' can be used instead but both properties are mutually exclusive.
If provided, indicates that JWT is signed using a private key in PEM or JWK format. You can use the signature-algorithm property to specify the key algorithm.
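Review bot: In the added PKCE secret text, "client_jwt_secret authentication" does not match the OIDC client authentication method name, which is client_secret_jwt, so the wording should be corrected. The rewrite also drops the old sentence "This secret must be set if PKCE is required but no client secret is set" and does not say what happens when neither this secret nor any of the listed fallback secrets reaches 32 characters; please document that outcome. The new "should be at least 32 characters long" also reads as softer than the hard 32-character cutoff applied to the client secret fallback, so say whether a shorter explicit secret is rejected or only discouraged.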
@@ -52500,7 +68572,7 @@
Note: If OIDC adapter needs to use a Proxy to talk with OIDC server (Provider), then at least the "host" config item must be configured to enable the usage of a Proxy.
An optional parameter to specify a provider of the key store file. If not given, the provider is automatically detected based on the key store file type.
An optional parameter to select a specific key in the key store. When SNI is disabled, if the key store contains multiple keys and no alias is specified, the behavior is undefined.
An optional parameter to specify a provider of the trust store file. If not given, the provider is automatically detected based on the trust store file type.
Refresh token time skew in seconds. If this property is enabled then the configured number of seconds is added to the current time when checking whether the access token should be refreshed. If the sum is greater than this access token’s expiration time then a refresh is going to happen.
Requires that all filters which use 'OidcClient' acquire the tokens at the post-construct initialization time, possibly long before these tokens are used. This property should be disabled if the access token may expire before it is used for the first time and no refresh token is available.
Custom HTTP headers which have to be sent to the token endpoint
-
Environment variable: QUARKUS_OIDC_CLIENT_HEADERS
+
Environment variable: QUARKUS_OIDC_CLIENT_HEADERS
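Review bot: The removed and added "Environment variable: QUARKUS_OIDC_CLIENT_HEADERS" lines are identical as rendered here, and the same pattern repeats in the later Environment variable hunks, so the actual change is not visible to a reader of this diff. If it is a whitespace or markup-only change, say so in the change description so reviewers can skip these hunks and focus on the ones that alter wording.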
@@ -53003,7 +69075,7 @@
The base URL of the OpenID Connect (OIDC) server, for example, https://host:port/auth. OIDC discovery endpoint will be called by default by appending a '.well-known/openid-configuration' path to this URL. Note if you work with Keycloak OIDC server, make sure the base URL is in the following format: https://host:port/realms/{realm} where {realm} has to be replaced by the name of the Keycloak realm.
The maximum amount of time connecting to the currently unavailable OIDC server will be attempted for. The number of times the connection request will be repeated is calculated by dividing the value of this property by 2. For example, setting it to 20S will allow for requesting the connection up to 10 times with a 2 seconds delay between the retries. Note this property is only effective when the initial OIDC connection is created, for example, when requesting a well-known OIDC configuration. Use the 'connection-retry-count' property to support trying to re-establish an already available connection which may have been dropped.
The number of times an attempt to re-establish an already available connection will be repeated for. Note this property is different to the connection-delay property which is only effective during the initial OIDC connection creation. This property is used to try to recover the existing connection which may have been temporarily lost. For example, if a request to the OIDC token endpoint fails due to a connection exception then the request will be retried for a number of times configured by this property.
Client secret which is used for a client_secret_basic authentication method. Note that a 'client-secret.value' can be used instead but both properties are mutually exclusive.
If provided, indicates that JWT is signed using a private key in PEM or JWK format. You can use the signature-algorithm property to specify the key algorithm.
@@ -53484,7 +69556,7 @@
Note: If OIDC adapter needs to use a Proxy to talk with OIDC server (Provider), then at least the "host" config item must be configured to enable the usage of a Proxy.
An optional parameter to specify a provider of the key store file. If not given, the provider is automatically detected based on the key store file type.
An optional parameter to select a specific key in the key store. When SNI is disabled, if the key store contains multiple keys and no alias is specified, the behavior is undefined.
An optional parameter to specify a provider of the trust store file. If not given, the provider is automatically detected based on the trust store file type.
Refresh token time skew in seconds. If this property is enabled then the configured number of seconds is added to the current time when checking whether the access token should be refreshed. If the sum is greater than this access token’s expiration time then a refresh is going to happen.
Requires that all filters which use 'OidcClient' acquire the tokens at the post-construct initialization time, possibly long before these tokens are used. This property should be disabled if the access token may expire before it is used for the first time and no refresh token is available.
Enable OidcClientRequestFilter for all the injected MP RestClient implementations. If this property is disabled then OidcClientRequestFilter has to be registered as an MP RestClient provider.
Name of the configured OidcClient used by the OidcClientRequestFilter. You can override this configuration for individual MP RestClient with the io.quarkus.oidc.client.filter.OidcClientFilter annotation.
Name of the configured OidcClient used by the OidcClientRequestReactiveFilter. You can override this configuration for individual MP RestClients with the io.quarkus.oidc.client.filter.OidcClientFilter annotation.
Enable either AccessTokenRequestFilter or JsonWebTokenRequestFilter for all the injected MP RestClient implementations. AccessTokenRequestFilter can propagate both opaque (binary) and JsonWebToken tokens but it can not modify and secure the updated JsonWebToken tokens. JsonWebTokenRequestFilter can only propagate JsonWebToken tokens but it can also modify and secure them again. Enable the 'jsonWebToken' property to have JsonWebTokenRequestFilter registered. Alternatively, instead of using this property for registering these filters with all the injected MP RestClient implementations, both filters can be registered as MP RestClient providers with the specific MP RestClient implementations.
Enable JsonWebTokenRequestFilter instead of AccessTokenRequestFilter for all the injected MP RestClient implementations. This filter can propagate as well as modify and secure the updated JsonWebToken tokens. Note this property is ignored unless the 'registerFilter' property is enabled.
Secure the injected and possibly modified JsonWebToken. For example, a JsonWebToken produced and signed by OpenId Connect provider can be re-signed using a new private key. Note this property is injected into JsonWebTokenRequestFilter.
Exchange the current token with OpenId Connect Provider for a new token using either "urn:ietf:params:oauth:grant-type:token-exchange" or "urn:ietf:params:oauth:grant-type:jwt-bearer" token grant before propagating it. Note this property is injected into AccessTokenRequestFilter.
Name of the configured OidcClient. Note this property is injected into AccessTokenRequestFilter and is only used if the exchangeToken property is enabled.
Exchange the current token with OpenId Connect Provider for a new token using either "urn:ietf:params:oauth:grant-type:token-exchange" or "urn:ietf:params:oauth:grant-type:jwt-bearer" token grant before propagating it.
Sets the OTLP endpoint to connect to. If unset, defaults to OtlpExporterRuntimeConfig#DEFAULT_GRPC_BASE_URI. We are currently using just the traces, therefore quarkus.otel.exporter.otlp.traces.endpoint is recommended.
Key-value pairs to be used as headers associated with gRPC requests. The format is similar to the OTEL_EXPORTER_OTLP_HEADERS environment variable, a list of key-value pairs separated by the "=" character. i.e.: key1=value1,key2=value2
Sets the maximum time to wait for the collector to process an exported batch of spans. If unset, defaults to `OtlpExporterRuntimeConfig#DEFAULT_TIMEOUT_SECS`s.
OTLP defines the encoding of telemetry data and the protocol used to exchange data between the client and the server. Depending on the exporter, the available protocols will be different.
In such cases this property allows users to make the trade-off between fast build cycles with the older version of picocli, and temporarily accept slower build cycles with the latest version of picocli until the updated extension is available.
Name of bean annotated with io.quarkus.picocli.runtime.annotations.TopCommand or FQCN of class which will be used as entry point for Picocli CommandLine instance. This class needs to be annotated with picocli.CommandLine.Command.
-
Environment variable: QUARKUS_PICOCLI_TOP_COMMAND
+
Environment variable: QUARKUS_PICOCLI_TOP_COMMAND
@@ -54829,7 +70901,7 @@
Set this to true to read configuration from system properties and environment variables only. This only applies to runtime.
Native-image build uses it to define additional locales that are supposed to be available at runtime.
-
Environment variable: QUARKUS_LOCALES
+
Environment variable: QUARKUS_LOCALES
@@ -54881,7 +70953,7 @@
Native-image build uses this property to derive user.language and user.country for the application’s runtime.
-
Environment variable: QUARKUS_DEFAULT_LOCALE
+
Environment variable: QUARKUS_DEFAULT_LOCALE
@@ -54898,7 +70970,7 @@
Profile that will be active when Quarkus launches.
-
Environment variable: QUARKUS_PROFILE
+
Environment variable: QUARKUS_PROFILE
@@ -54915,7 +70987,7 @@
Accepts a single configuration profile name. If a configuration property cannot be found in the current active profile, the config performs the same lookup in the profile set by this configuration.
Additional config locations to be loaded with the Config. The configuration support multiple locations separated by a comma and each must represent a valid java.net.URI.
-
Environment variable: QUARKUS_CONFIG_LOCATIONS
+
Environment variable: QUARKUS_CONFIG_LOCATIONS
@@ -54950,7 +71022,7 @@
Access this generated UUID using expressions: ${quarkus.uuid}.
-
Environment variable: QUARKUS_UUID
+
Environment variable: QUARKUS_UUID
@@ -54967,7 +71039,7 @@
true to quit exit right after the initialization. The option is not meant be used directly by users.
-
Environment variable: QUARKUS_INIT_AND_EXIT
+
Environment variable: QUARKUS_INIT_AND_EXIT
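Review bot: The context line for QUARKUS_INIT_AND_EXIT has two wording errors that this pass leaves in place: "true to quit exit right after the initialization" and "is not meant be used directly by users". Since the entry is being touched anyway, fix it to something like "true to exit right after the initialization" and "is not meant to be used directly by users".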
@@ -54987,7 +71059,7 @@
We don’t make it a list as the args are separated by a space, not a comma.
-
Environment variable: QUARKUS_ARGS
+
Environment variable: QUARKUS_ARGS
@@ -55004,7 +71076,7 @@
If Build time analytics are disabled.
-
Environment variable: QUARKUS_ANALYTICS_DISABLED
+
Environment variable: QUARKUS_ANALYTICS_DISABLED
@@ -55021,7 +71093,7 @@
The Segment base URI.
-
Environment variable: QUARKUS_ANALYTICS_URI_BASE
+
Environment variable: QUARKUS_ANALYTICS_URI_BASE
@@ -55038,7 +71110,7 @@
The Timeout to send the build time analytics to segment.
-
Environment variable: QUARKUS_ANALYTICS_TIMEOUT
+
Environment variable: QUARKUS_ANALYTICS_TIMEOUT
@@ -55055,7 +71127,7 @@
The name of the application. If not set, defaults to the name of the project (except for tests where it is not set at all).
-
Environment variable: QUARKUS_APPLICATION_NAME
+
Environment variable: QUARKUS_APPLICATION_NAME
@@ -55072,7 +71144,7 @@
The version of the application. If not set, defaults to the version of the project (except for tests where it is not set at all).
-
Environment variable: QUARKUS_APPLICATION_VERSION
+
Environment variable: QUARKUS_APPLICATION_VERSION
@@ -55089,7 +71161,7 @@
The header to use for UI Screen (Swagger UI, GraphQL UI etc).
The path of the banner (path relative to root of classpath) which could be provided by user
-
Environment variable: QUARKUS_BANNER_PATH
+
Environment variable: QUARKUS_BANNER_PATH
@@ -55123,7 +71195,7 @@
Whether the banner will be displayed
-
Environment variable: QUARKUS_BANNER_ENABLED
+
Environment variable: QUARKUS_BANNER_ENABLED
@@ -55140,7 +71212,7 @@
If set to true, the workspace initialization will be based on the effective POMs (i.e. properly interpolated, including support for profiles) instead of the raw ones.
If set to true, workspace discovery will be enabled for all launch modes. Usually, workspace discovery is enabled by default only for dev and test modes.
Artifacts that will never be loaded by the class loader, and will not be packed into the final application. This allows you to explicitly remove artifacts from your application even though they may be present on the class path.
Global flag that can be used to disable all Dev Services. If this is set to false then Dev Services will not be used.
-
Environment variable: QUARKUS_DEVSERVICES_ENABLED
+
Environment variable: QUARKUS_DEVSERVICES_ENABLED
@@ -55533,7 +71605,7 @@
The timeout for starting a container
-
Environment variable: QUARKUS_DEVSERVICES_TIMEOUT
+
Environment variable: QUARKUS_DEVSERVICES_TIMEOUT
@@ -55551,7 +71623,7 @@
The Ide to use to open files from the DevUI. auto means that Quarkus will attempt to determine the Ide being used.
-
Environment variable: QUARKUS_IDE_TARGET
+
Environment variable: QUARKUS_IDE_TARGET
@@ -55570,7 +71642,7 @@
Paths of library to load.
-
Environment variable: QUARKUS_JNI_LIBRARY_PATHS
+
Environment variable: QUARKUS_JNI_LIBRARY_PATHS
@@ -55587,7 +71659,7 @@
Whether Quarkus should enable its ability to not do a full restart when changes to classes are compatible with JVM instrumentation. If this is set to true, Quarkus will perform class redefinition when possible.
Whether logging metrics are published in case a metrics extension is present.
-
Environment variable: QUARKUS_LOG_METRICS_ENABLED
+
Environment variable: QUARKUS_LOG_METRICS_ENABLED
@@ -55725,7 +71797,7 @@
The default minimum log level.
-
Environment variable: QUARKUS_LOG_MIN_LEVEL
+
Environment variable: QUARKUS_LOG_MIN_LEVEL
@@ -55770,7 +71842,7 @@
In addition, it also supports the standard JDK log levels.
-
Environment variable: QUARKUS_LOG_LEVEL
+
Environment variable: QUARKUS_LOG_LEVEL
@@ -55787,7 +71859,7 @@
The names of additional handlers to link to the root category. These handlers are defined in consoleHandlers, fileHandlers or syslogHandlers.
-
Environment variable: QUARKUS_LOG_HANDLERS
+
Environment variable: QUARKUS_LOG_HANDLERS
@@ -55804,7 +71876,7 @@
By default, Quarkus will install a non-functional JNDI initial context, to help mitigate against Log4Shell style attacks. If your application does need to use JNDI you can change this flag.
-
Environment variable: QUARKUS_NAMING_ENABLE_JNDI
+
Environment variable: QUARKUS_NAMING_ENABLE_JNDI
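Review bot: The description above QUARKUS_NAMING_ENABLE_JNDI says "you can change this flag" without stating the flag's default or which value enables JNDI, so a reader cannot tell from this entry which setting keeps the non-functional initial context in place. State the default and the effect of each value explicitly, and say that enabling it removes the mitigation the first sentence describes.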
@@ -55821,7 +71893,7 @@
Comma-separated, additional arguments to pass to the build process. If an argument includes the , symbol, it needs to be escaped, e.g. \\,
The default value for java.awt.headless JVM option. Switching this option affects linking of awt libraries.
-
Environment variable: QUARKUS_NATIVE_HEADLESS
+
Environment variable: QUARKUS_NATIVE_HEADLESS
@@ -55889,11 +71961,11 @@
Defines the file encoding as in -Dfile.encoding=…. Native image runtime uses the host’s (i.e. build time) value of file.encoding system property. We intentionally default this to UTF-8 to avoid platform specific defaults to be picked up which can then result in inconsistent behavior in the generated native executable.
If the native image build should wait for a debugger to be attached before running. This is an advanced option and is generally only intended for those familiar with GraalVM internals
If a JVM based 'fallback image' should be created if native image fails. This is not recommended, as this is functionally the same as just running the application in a JVM
If the bytecode of all proxies should be dumped for inspection
-
Environment variable: QUARKUS_NATIVE_DUMP_PROXIES
+
Environment variable: QUARKUS_NATIVE_DUMP_PROXIES
@@ -56076,7 +72148,7 @@
If this build should be done using a container runtime. Unless container-runtime is also set, docker will be used by default. If docker is not available or is an alias to podman, podman will be used instead as the default.
The docker image to use to do the image build. It can be one of graalvm, mandrel, or the full image path, e.g. quay.io/quarkus/ubi-quarkus-mandrel-builder-image:jdk-17.
If errors should be reported at runtime. This is a more relaxed setting, however it is not recommended as it means your application may fail at runtime if an unsupported feature is used by accident.
Don’t build a native image if it already exists. This is useful if you have already built an image and you want to use Quarkus to deploy it somewhere. Note that this is not able to detect if the existing image is outdated, if you have modified source or config and want a new image you must not use this flag.
Note that Quarkus extensions typically include the resources they require by themselves. This option is useful in situations when the built-in functionality is not sufficient.
the resource red.png will be available in the native image while the resources foo/green.png and bar/blue.png will not be available in the native image.
Allows passing extra arguments to the UPX command line (like --brute). The arguments are comma-separated. The exhaustive list of parameters can be found in https://github.com/upx/upx/blob/devel/doc/upx.pod.
The default built in types are 'jar' (which will use 'fast-jar'), 'legacy-jar' for the pre-1.12 default jar packaging, 'uber-jar', 'mutable-jar' (for remote development mode), 'native' and 'native-sources'.
-
Environment variable: QUARKUS_PACKAGE_TYPE
+
Environment variable: QUARKUS_PACKAGE_TYPE
@@ -56487,7 +72559,7 @@
If the Implementation information should be included in the runner jar’s MANIFEST.MF.
If your application has main classes annotated with io.quarkus.runtime.annotations.QuarkusMain then this can also reference the name given in the annotation, to avoid the need to specify fully qualified names in the config.
-
Environment variable: QUARKUS_PACKAGE_MAIN_CLASS
+
Environment variable: QUARKUS_PACKAGE_MAIN_CLASS
@@ -56524,7 +72596,7 @@
Files that should not be copied to the output artifact
Indicates whether the generated binary file (uber-jar or native image) should have the runner suffix appended. Turning off the runner suffix in case of the uber-jar package type, the original build system (Maven, Gradle, etc) built JAR will be replaced with the Quarkus built uber JAR.
Whether to automate the creation of AppCDS. This has no effect when a native binary is needed and will be ignored in that case. Furthermore, this option only works for Java 11+ and is considered experimental for the time being. Finally, care must be taken to use the same exact JVM version when building and running the application.
When AppCDS generation is enabled, if this property is set, then the JVM used to generate the AppCDS file will be the JVM present in the container image. The builder image is expected to have the 'java' binary on its PATH. This flag is useful when the JVM to be used at runtime is not the same exact JVM version as the one used to build the jar. Note that this property is consulted only when quarkus.package.create-appcds=true and it requires having docker available during the build.
This option only applies when using fast-jar or mutable-jar. If this option is true then a list of all the coordinates of the artifacts that made up this image will be included in the quarkus-app directory. This list can be used by vulnerability scanners to determine if your application has any vulnerable dependencies.
An advanced option that will decompile generated and transformed bytecode into the 'decompiled' directory. This is only taken into account when fast-jar is used.
If set to true, it will result in the Quarkus writing the transformed application bytecode to the build tool’s output directory. This is useful for post-build tools that need to scan the application bytecode - for example for offline code-coverage tools. For example, if using Maven, enabling this feature will result in the classes in target/classes being updated with the versions that result after Quarkus has applied its transformations. Setting this to true however, should be done with a lot of caution and only if subsequent builds are done in a clean environment (i.e. the build tool’s output directory has been completely cleaned).
Custom manifest attributes to be added to the main section of the MANIFEST.MF file. An example of the user defined property: quarkus.package.manifest.attributes."Entry-key1"=Value1 quarkus.package.manifest.attributes."Entry-key2"=Value2
Custom manifest sections to be added to the MANIFEST.MF file. An example of the user defined property: quarkus.package.manifest.manifest-sections."Section-Name"."Entry-Key1"=Value1 quarkus.package.manifest.manifest-sections."Section-Name"."Entry-Key2"=Value2
The timeout to wait for running requests to finish. If this is not set then the application will exit immediately. Setting this timeout will incur a small performance penalty, as it requires active requests to be tracked.
-
Environment variable: QUARKUS_SHUTDOWN_TIMEOUT
+
Environment variable: QUARKUS_SHUTDOWN_TIMEOUT
@@ -56938,7 +73010,7 @@
Default value is dependent on extensions deployed (i.e. when using AWS Lambda extensions, this will be set to true by default)
-
Environment variable: QUARKUS_SNAPSTART_ENABLE
+
Environment variable: QUARKUS_SNAPSTART_ENABLE
@@ -56955,7 +73027,7 @@
Will do a classpath search for all META-INF/quarkus-preload-classes.txt files These files contain fully qualified classnames that should be loaded in the SnapStart/CRaC beforeCheckpoint() phase.
Start the full application during the snapshotting process. In other words, when enabled, it performs Application.start() within SnapStart/CRaC beforeCheckpoint() phase.
If continuous testing is enabled. The default value is 'paused', which will allow you to start testing from the console or the Dev UI, but will not run tests on startup. If this is set to 'enabled' then testing will start as soon as the application has started. If this is 'disabled' then continuous testing is not enabled, and can’t be enabled without restarting the application.
Tags that should be included for continuous testing. This supports JUnit Tag Expressions.
-
Environment variable: QUARKUS_TEST_INCLUDE_TAGS
+
Environment variable: QUARKUS_TEST_INCLUDE_TAGS
@@ -57093,7 +73165,7 @@
Tags that should be excluded by default with continuous testing. This is ignored if include-tags has been set. Defaults to 'slow'. This supports JUnit Tag Expressions.
-
Environment variable: QUARKUS_TEST_EXCLUDE_TAGS
+
Environment variable: QUARKUS_TEST_EXCLUDE_TAGS
@@ -57110,7 +73182,7 @@
Tests that should be included for continuous testing. This is a regular expression and is matched against the test class name (not the file name).
Tests that should be excluded with continuous testing. This is a regular expression and is matched against the test class name (not the file name). This is ignored if include-pattern has been set.
Changes tests to use the 'flat' ClassPath used in Quarkus 1.x versions. This means all Quarkus and test classes are loaded in the same ClassLoader, however it means you cannot use continuous testing. Note that if you find this necessary for your application then you may also have problems running in development mode, which cannot use a flat class path.
The profile (dev, test or prod) to use when testing using @QuarkusTest
-
Environment variable: QUARKUS_TEST_PROFILE
+
Environment variable: QUARKUS_TEST_PROFILE
@@ -57246,7 +73318,7 @@
The tags this profile is associated with. When the quarkus.test.profile.tags System property is set (its value is a comma separated list of strings) then Quarkus will only execute tests that are annotated with a @TestProfile that has at least one of the supplied (via the aforementioned system property) tags.
-
Environment variable: QUARKUS_TEST_PROFILE_TAGS
+
Environment variable: QUARKUS_TEST_PROFILE_TAGS
@@ -57263,7 +73335,7 @@
Controls the container network to be used when @QuarkusIntegration needs to launch the application in a container. This setting only applies if Quarkus does not need to use a shared network - which is the case if DevServices are used when running the test.
Additional launch parameters to be used when Quarkus launches the produced artifact for @QuarkusIntegrationTest When the artifact is a jar, this string is passed right after the java command. When the artifact is a container, this string is passed right after the docker run command. When the artifact is a native binary, this string is passed right after the native binary name.
-
Environment variable: QUARKUS_TEST_ARG_LINE
+
Environment variable: QUARKUS_TEST_ARG_LINE
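Review bot: The container network description refers to "@QuarkusIntegration" while the next entry and the later ones use "@QuarkusIntegrationTest"; the names should agree. The launch parameters entry also runs two sentences together at "@QuarkusIntegrationTest When the artifact is a jar", which needs a full stop before "When".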
@@ -57297,7 +73369,7 @@
Used in @QuarkusIntegrationTest to determine how long the test will wait for the application to launch
-
Environment variable: QUARKUS_TEST_WAIT_TIME
+
Environment variable: QUARKUS_TEST_WAIT_TIME
@@ -57315,7 +73387,7 @@
Configures the hang detection in @QuarkusTest. If no activity happens (i.e. no test callbacks are called) over this period then QuarkusTest will dump all threads stack traces, to help diagnose a potential hang. Note that the initial timeout (before Quarkus has started) will only apply if provided by a system property, as it is not possible to read all config sources until Quarkus has booted.
The type of test to run, this can be either: quarkus-test: Only runs @QuarkusTest annotated test classes unit: Only runs classes that are not annotated with @QuarkusTest all: Runs both, running the unit tests first
-
Environment variable: QUARKUS_TEST_TYPE
+
Environment variable: QUARKUS_TEST_TYPE
@@ -57352,7 +73424,7 @@
If a class matches this pattern then it will be cloned into the Quarkus ClassLoader even if it is in a parent first artifact. This is important for collections which can contain objects from the Quarkus ClassLoader, but for most parent first classes it will just cause problems.
If this is true then only the tests from the main application module will be run (i.e. the module that is currently running mvn quarkus:dev). If this is false then tests from all dependency modules will be run as well.
Modules that should be excluded for continuous testing. This is a regular expression and is matched against the module groupId:artifactId. This is ignored if include-module-pattern has been set.
Prefill core thread pool. The core thread pool will be initialised with the core number of threads at startup
-
Environment variable: QUARKUS_THREAD_POOL_PREFILL
+
Environment variable: QUARKUS_THREAD_POOL_PREFILL
@@ -57522,7 +73594,7 @@
The maximum number of threads. If this is not specified then it will be automatically sized to the greatest of 8 * the number of available processors and 200. For example if there are 4 processors the max threads will be 200. If there are 48 processors it will be 384.
The executor growth resistance. A resistance factor applied after the core pool is full; values applied here will cause that fraction of submissions to create new threads when no idle thread is available. A value of 0.0f implies that threads beyond the core size should be created as aggressively as threads within it; a value of 1.0f implies that threads beyond the core size should never be created.
The shutdown timeout. If all pending work has not been completed by this time then additional threads will be spawned to attempt to finish any pending tasks, and the shutdown process will continue
The amount of time to wait for thread pool shutdown before tasks should be interrupted. If this value is greater than or equal to the value for shutdown-timeout, then tasks will not be interrupted before the shutdown timeout occurs.
The frequency at which the status of the thread pool should be checked during shutdown. Information about waiting tasks and threads will be checked and possibly logged at this interval. Setting this key to an empty value disables the shutdown check interval.
The minimum log level for this category. By default, all categories are configured with DEBUG minimum level. To get runtime logging below DEBUG, e.g. TRACE, the minimum level has to be adjusted at build time, the right log level needs to be provided at runtime. As an example, to get TRACE logging, minimum level needs to be at TRACE and the runtime log level needs to match that.
If console logging should go to System#err instead of System#out.
-
Environment variable: QUARKUS_LOG_CONSOLE_STDERR
+
Environment variable: QUARKUS_LOG_CONSOLE_STDERR
@@ -57779,7 +73851,7 @@
The log format. Note that this value will be ignored if an extension is present that takes control of console formatting (e.g. an XML or JSON-format extension).
-
Environment variable: QUARKUS_LOG_CONSOLE_FORMAT
+
Environment variable: QUARKUS_LOG_CONSOLE_FORMAT
@@ -57796,7 +73868,7 @@
The console log level.
-
Environment variable: QUARKUS_LOG_CONSOLE_LEVEL
+
Environment variable: QUARKUS_LOG_CONSOLE_LEVEL
@@ -57813,7 +73885,7 @@
Specify how much the colors should be darkened. Note that this value will be ignored if an extension is present that takes control of console formatting (e.g. an XML or JSON-format extension).
-
Environment variable: QUARKUS_LOG_CONSOLE_DARKEN
+
Environment variable: QUARKUS_LOG_CONSOLE_DARKEN
@@ -57830,7 +73902,7 @@
The name of the filter to link to the console handler.
The log level for this category. Note that to get log levels below INFO, the minimum level build time configuration option needs to be adjusted as well.
The log format. Note that this value will be ignored if an extension is present that takes control of console formatting (e.g. an XML or JSON-format extension).
Specify how much the colors should be darkened. Note that this value will be ignored if an extension is present that takes control of console formatting (e.g. an XML or JSON-format extension).
The label to be used to pull remote configuration properties. The default is set on the Spring Cloud Config Server (generally "master" when the server uses a Git backend).
Password to recover key from KeyStore for SSL client authentication with the Config server If no value is provided, the key-store-password will be used
To create Quartz tables, you can perform a schema migration via the Flyway extension using a SQL script matching your database picked from Quartz repository.
-
Environment variable: QUARKUS_QUARTZ_STORE_TYPE
+
Environment variable: QUARKUS_QUARTZ_STORE_TYPE
@@ -59572,7 +75646,7 @@
Optionally needed when using the jdbc-tx or jdbc-cmt store types. If not specified, defaults to using the default datasource.
-
Environment variable: QUARKUS_QUARTZ_DATASOURCE
+
Environment variable: QUARKUS_QUARTZ_DATASOURCE
@@ -59592,7 +75666,7 @@
Ignored if using a ram store i.e StoreType#RAM
-
Environment variable: QUARKUS_QUARTZ_TABLE_PREFIX
+
Environment variable: QUARKUS_QUARTZ_TABLE_PREFIX
@@ -59618,7 +75692,7 @@
An example SQL string SELECT * FROM {0}LOCKS WHERE SCHED_NAME = {1} AND LOCK_NAME = ? FOR UPDATE
If this is set to false (the default), the values can be stored as name-value pairs rather than storing more complex objects in their serialized form in the BLOB column. This can be handy, as you avoid the class versioning issues that can arise from serializing your non-String classes into a BLOB. This is equivalent of setting org.quartz.jobStore.useProperties to true.
The identifier of Quartz instance that must be unique for all schedulers working as if they are the same logical Scheduler within a cluster. Use the default value AUTO or some of the configured instance ID generators if you wish the identifier to be generated for you.
-
Environment variable: QUARKUS_QUARTZ_INSTANCE_ID
+
Environment variable: QUARKUS_QUARTZ_INSTANCE_ID
@@ -59695,7 +75769,7 @@
The amount of time in milliseconds that a trigger is allowed to be acquired and fired ahead of its scheduled fire time.
The maximum amount of time Quarkus will wait for currently running jobs to finish. If the value is 0, then Quarkus will not wait at all for these jobs to finish - it will call org.quartz.Scheduler.shutdown(false) in this case.
By default, the NOT_FOUND constant is written to the output. However, in the development mode the PropertyNotFoundStrategy#THROW_EXCEPTION is used by default, i.e. when the strategy is not specified.
Specify whether the parser should remove standalone lines from the output. A standalone line is a line that contains at least one section tag, parameter declaration, or comment but no expression and no non-whitespace character.
The global rendering timeout in milliseconds. It is used if no timeout template instance attribute is set.
-
Environment variable: QUARKUS_QUTE_TIMEOUT
+
Environment variable: QUARKUS_QUTE_TIMEOUT
@@ -60267,7 +76341,7 @@
If set to true then the timeout should also be used for asynchronous rendering methods, such as TemplateInstance#createUni() and TemplateInstance#renderAsync().
The additional map of suffixes to content types. This map is used when working with template variants. By default, the java.net.URLConnection#getFileNameMap() is used to determine the content type of a template file.
-
Environment variable: QUARKUS_QUTE_CONTENT_TYPES
+
Environment variable: QUARKUS_QUTE_CONTENT_TYPES
@@ -60306,7 +76380,7 @@
By default, REST Client Reactive uses text/plain content type for String values and application/json for everything else. MicroProfile Rest Client spec requires the implementations to always default to application/json. This build item disables the "smart" behavior of RESTEasy Reactive to comply to the spec. This property is applicable to reactive REST clients only.
Mode in which the form data are encoded. Possible values are HTML5, RFC1738 and RFC3986. The modes are described in the Netty documentation By default, Rest Client Reactive uses RFC1738. This property is applicable to reactive REST clients only.
A string value in the form of : that specifies the HTTP proxy server hostname (or IP address) and port for requests of clients to use. Can be overwritten by client-specific settings.
Proxy username, equivalent to the http.proxy or https.proxy JVM settings. Can be overwritten by client-specific settings. This property is applicable to reactive REST clients only.
Proxy password, equivalent to the http.proxyPassword or https.proxyPassword JVM settings. Can be overwritten by client-specific settings. This property is applicable to reactive REST clients only.
Hosts to access without proxy, similar to the http.nonProxyHosts or https.nonProxyHosts JVM settings. Please note that unlike the JVM settings, this property is empty by default. Can be overwritten by client-specific settings. This property is applicable to reactive REST clients only.
How many characters of the body should be logged. Message body can be large and can easily pollute the logs. By default, set to 100. This property is applicable to reactive REST clients only.
If true, the REST clients will not provide additional contextual information (like REST client class and method names) when exception occurs during a client invocation. This property is applicable to reactive REST clients only.
Default configuration for the HTTP user-agent header to use in all REST clients. Can be overwritten by client-specific settings. This property is applicable to reactive REST clients only.
The time in ms for which a connection remains unused in the connection pool before being evicted and closed. A timeout of 0 means there is no timeout. Can be overwritten by client-specific settings.
The maximum number of redirection a request can follow. Can be overwritten by client-specific settings. This property is applicable to reactive REST clients only.
Map where keys are fully-qualified provider classnames to include in the client, and values are their integer priorities. The equivalent of the @RegisterProvider annotation. Can be overwritten by client-specific settings.
The CDI scope to use for injections of REST client instances. Value can be either a fully qualified class name of a CDI scope annotation (such as "jakarta.enterprise.context.ApplicationScoped") or its simple name (such as"ApplicationScoped"). Default scope for the rest-client extension is "Dependent" (which is the spec-compliant behavior). Default scope for the rest-client-reactive extension is "ApplicationScoped". Can be overwritten by client-specific settings.
-
Environment variable: QUARKUS_REST_CLIENT_SCOPE
+
Environment variable: QUARKUS_REST_CLIENT_SCOPE
@@ -60661,7 +76735,7 @@
An enumerated type string value with possible values of "MULTI_PAIRS" (default), "COMMA_SEPARATED", or "ARRAY_PAIRS" that specifies the format in which multiple values for the same query parameter is used. Can be overwritten by client-specific settings.
Set whether hostname verification is enabled. Default is enabled. This setting should not be disabled in production as it makes the client vulnerable to MITM attacks. Can be overwritten by client-specific settings.
If the Application-Layer Protocol Negotiation is enabled, the client will negotiate which protocol to use over the protocols exposed by the server. By default, it will try to use HTTP/2 first and if it’s not enabled, it will use HTTP/1.1. When the property http2 is enabled, this flag will be automatically enabled.
-
Environment variable: QUARKUS_REST_CLIENT_ALPN
+
Environment variable: QUARKUS_REST_CLIENT_ALPN
@@ -60833,7 +76907,7 @@
The base URL to use for this service. This property or the uri property is considered required, unless the baseUri attribute is configured in the @RegisterRestClient annotation.
The base URI to use for this service. This property or the url property is considered required, unless the baseUri attribute is configured in the @RegisterRestClient annotation.
The CDI scope to use for injection. This property can contain either a fully qualified class name of a CDI scope annotation (such as "jakarta.enterprise.context.ApplicationScoped") or its simple name (such as "ApplicationScoped").
Map where keys are fully-qualified provider classnames to include in the client, and values are their integer priorities. The equivalent of the @RegisterProvider annotation.
A string value in the form of : that specifies the HTTP proxy server hostname (or IP address) and port for requests of this client to use. Use none to disable proxy
An enumerated type string value with possible values of "MULTI_PAIRS" (default), "COMMA_SEPARATED", or "ARRAY_PAIRS" that specifies the format in which multiple values for the same query parameter is used.
Set whether hostname verification is enabled. Default is enabled. This setting should not be disabled in production as it makes the client vulnerable to MITM attacks.
Set to true to share the HTTP client between REST clients. There can be multiple shared clients distinguished by name, when no specific name is set, the name __vertx.DEFAULT is used. This property is applicable to reactive REST clients only.
If the Application-Layer Protocol Negotiation is enabled, the client will negotiate which protocol to use over the protocols exposed by the server. By default, it will try to use HTTP/2 first and if it’s not enabled, it will use HTTP/1.1. When the property http2 is enabled, this flag will be automatically enabled.
The size of the output stream response buffer. If a response is larger than this and no content-length is provided then the request will be chunked. Larger values may give slight performance increases for large responses, at the expense of more memory usage.
If no security annotations are affecting a method then they will default to requiring these roles, (equivalent to adding an @RolesAllowed annotation with the roles to every endpoint class). The role of '**' means any authenticated user, which is equivalent to the io.quarkus.security.Authenticated annotation.
If this is true (the default) then JSON is set to the default media type. If a method has no produces/consumes and there is no builtin provider than can handle the type then we will assume the response should be JSON. Note that this will only take effect if a JSON provider has been installed, such as quarkus-resteasy-jsonb or quarkus-resteasy-jackson.
IMPLEMENTATION NOTE: jakarta.ws.rs.Path turns into a CDI stereotype with singleton scope. As a result, if a user annotates a JAX-RS resource with a stereotype which has a different default scope the deployment fails with IllegalStateException.
Ignore all explicit JAX-RS Application classes. As multiple JAX-RS applications are not supported, this can be used to effectively merge all JAX-RS applications.
By default, we assume a default produced media type of "text/plain" for String endpoint return types. If this is disabled, the default produced media type will be "[text/plain, */*]" which is more expensive due to negotiation.
When one of the quarkus-resteasy-reactive-jackson or quarkus-resteasy-reactive-jsonb extension are active and the result type of an endpoint is an application class or one of Collection, List, Set or Map, we assume the default return type is "application/json" if this configuration is enabled.
If no security annotations are affecting a method then they will default to requiring these roles, (equivalent to adding an @RolesAllowed annotation with the roles to every endpoint class). The role of '**' means any authenticated user, which is equivalent to the io.quarkus.security.Authenticated annotation.
Removes JSON specification restriction on special floating-point values such as NaN and Infinity and enables their serialization and deserialization. When enabling it, please ensure that the receiving party will be able to encode and decode these special values.
Enables structured objects to be serialized as map keys by changing serialized form of the map from JSON object (key-value pairs) to flat array like [k1, v1, k2, v2].
Enables coercing incorrect JSON values to the default property value in the following cases: 1. JSON value is null but property type is non-nullable. 2. Property type is an enum type, but JSON value contains unknown enum member.
Its relaxations can be expanded in the future, so that lenient parser becomes even more permissive to invalid value in the input, replacing them with defaults.
Disabling this flag when one does not use [JsonNames] at all may sometimes result in better performance, particularly when a large count of fields is skipped with [ignoreUnknownKeys].
If multiple values are set, this datasource will create a pool with a list of servers instead of a single server. The pool uses a round-robin load balancing when a connection is created to select different servers. Note: some driver may not support multiple values here.
When #event-loop-size is set to a strictly positive value, the pool assigns as many event loops as specified, in a round-robin fashion. By default, the number of event loops configured or calculated by Quarkus is used. If #event-loop-size is set to zero or a negative value, the pool assigns the current event loop to the new connection.
Set to true to share the pool among datasources. There can be multiple shared pools distinguished by name, when no specific name is set, the __vertx.DEFAULT name is used.
If multiple values are set, this datasource will create a pool with a list of servers instead of a single server. The pool uses a round-robin load balancing when a connection is created to select different servers. Note: some driver may not support multiple values here.
When #event-loop-size is set to a strictly positive value, the pool assigns as many event loops as specified, in a round-robin fashion. By default, the number of event loops configured or calculated by Quarkus is used. If #event-loop-size is set to zero or a negative value, the pool assigns the current event loop to the new connection.
Set to true to share the pool among datasources. There can be multiple shared pools distinguished by name, when no specific name is set, the __vertx.DEFAULT name is used.
When DevServices is enabled Quarkus will attempt to automatically configure and start a database when running in Dev or Test mode and when Docker is running.
The container image name to use, for container based DevServices providers. If you want to use Redis Stack modules (bloom, graph, search…), use: redis/redis-stack-server:latest.
The URI provided uses the following schema redis://[username:password@][host][:port][/database] Use quarkus.redis.hosts-provider-name to provide the hosts programmatically.
The client will always work on pipeline mode, this means that messages can start queueing. Using this configuration option, you can control how much backlog you’re willing to accept.
When DevServices is enabled Quarkus will attempt to automatically configure and start a database when running in Dev or Test mode and when Docker is running.
The container image name to use, for container based DevServices providers. If you want to use Redis Stack modules (bloom, graph, search…), use: redis/redis-stack-server:latest.
The URI provided uses the following schema redis://[username:password@][host][:port][/database] Use quarkus.redis.hosts-provider-name to provide the hosts programmatically.
The client will always work on pipeline mode, this means that messages can start queueing. Using this configuration option, you can control how much backlog you’re willing to accept.
Set the local interface to bind for network connections. When the local address is null, it will pick any local address, the default local address is null.
Set the local interface to bind for network connections. When the local address is null, it will pick any local address, the default local address is null.
Scheduler can be started in different modes. By default, the scheduler is not started unless a io.quarkus.scheduler.Scheduled business method is found.
The origin of the application. The origin is basically protocol, host and port. If you are calling WebAuthn API while your application is located at https://example.com/login, then origin will be https://example.com. If you are calling from http://localhost:2823/test, then the origin will be http://localhost:2823. Please note that WebAuthn API will not work on pages loaded over HTTP, unless it is localhost, which is considered secure context.
Resident key required. A resident (private) key, is a key that cannot leave your authenticator device, this means that you cannot reuse the authenticator to log into a second computer.
Non-negative User Verification timeout. Authentication must occur within the timeout, this will prevent the user browser from being blocked with a pop-up required user verification, and the whole ceremony must be completed within the timeout period. After the timeout, any previously issued challenge is automatically invalidated.
Allowed Public Key Credential algorithms by preference order. Webauthn mandates that all authenticators must support at least the following 2 algorithms: ES256 and RS256. Applications may require stronger keys and algorithms, for example: ES512 or EdDSA. Note that the use of stronger algorithms, e.g.: EdDSA may require Java 15 or a cryptographic JCE provider that implements the algorithms.
How old a cookie can get before it will be replaced with a new cookie with an updated timeout, also referred to as "renewal-timeout". Note that smaller values will result in slightly more server load (as new encrypted cookies will be generated more often), however larger values affect the inactivity timeout as the timeout is set when a cookie is generated. For example if this is set to 10 minutes, and the inactivity timeout is 30m, if a users last request is when the cookie is 9m old then the actual timeout will happen 21m after the last request, as the timeout is only refreshed when a new cookie is generated. In other words, no timeout is tracked on the server side; the timestamp is encoded and encrypted in the cookie itself, and it is decrypted and parsed with each request.
The rootPath under which queries will be served. Default to graphql By default, this value will be resolved as a path relative to ${quarkus.http.root-path}.
Enable Apollo Federation. If this value is unspecified, then federation will be enabled automatically if any GraphQL Federation annotations are detected in the application.
List of extension fields that should be included in the error response. By default, none will be included. Examples of valid values include [exception,classification,code,description,validationErrorType,queryPath]
List of Runtime Exceptions class names that should show the error message. By default, Runtime Exception messages will be hidden and a generic Server Error message will be returned.
Subprotocols that should be supported by the server for graphql-over-websocket use cases. Allowed subprotocols are "graphql-ws" and "graphql-transport-ws". By default, both are enabled.
The path where GraphQL UI is available. The value / is not allowed as it blocks the application from serving anything else. By default, this URL will be resolved as a path relative to ${quarkus.http.non-application-root-path}.
WebSocket subprotocols that should be supported by this client for running GraphQL operations over websockets. Allowed values are: - graphql-ws for the deprecated Apollo protocol - graphql-transport-ws for the newer GraphQL over WebSocket protocol (default value) If multiple protocols are provided, the actual protocol to be used will be subject to negotiation with the server.
Maximum time in milliseconds that will be allowed to wait for the server to acknowledge a websocket connection (send a subprotocol-specific ACK message).
Root path for health-checking endpoints. By default, this value will be resolved as a path relative to ${quarkus.http.non-application-root-path}. If the management interface is enabled, the value will be resolved as a path relative to ${quarkus.management.root-path}.
The relative path of the liveness health-checking endpoint. By default, this value will be resolved as a path relative to ${quarkus.smallrye-health.rootPath}.
The relative path of the readiness health-checking endpoint. By default, this value will be resolved as a path relative to ${quarkus.smallrye-health.rootPath}.
The relative path of the wellness health-checking endpoint. By default, this value will be resolved as a path relative to ${quarkus.smallrye-health.rootPath}.
The relative path of the startup health-checking endpoint. By default, this value will be resolved as a path relative to ${quarkus.smallrye-health.rootPath}.
If management interface is turned on the health endpoints and ui will be published under the management interface. This allows you to exclude Health from management by setting the value to false
The path where Health UI is available. The value / is not allowed as it blocks the application from serving anything else. By default, this value will be resolved as a path relative to ${quarkus.http.non-application-root-path}.
Always create HTTP 401 challenge, even for requests containing no authentication credentials. JWT authentication mechanism will return HTTP 401 when an authentication challenge is required. However if it is used alongside one of the interactive authentication mechanisms then returning HTTP 401 to the users accessing the application from a browser may not be desired. If you prefer you can request that JWT authentication mechanism does not create a challenge in such cases by setting this property to 'true'.
-
Environment variable: QUARKUS_SMALLRYE_JWT_SILENT
+
Environment variable: QUARKUS_SMALLRYE_JWT_SILENT
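Review bot: the description above QUARKUS_SMALLRYE_JWT_SILENT opens with "Always create HTTP 401 challenge, even for requests containing no authentication credentials" but closes by saying that setting the property to 'true' makes the JWT mechanism not create a challenge, so the opening sentence reads as the opposite of what enabling the option does. Reword the first sentence so it describes the effect of 'true', and state the default value in the text. A misreading here changes what browser users receive when JWT is combined with an interactive authentication mechanism.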
@@ -68312,7 +84403,7 @@
The path to the metrics handler. By default, this value will be resolved as a path relative to ${quarkus.http.non-application-root-path}. If the management interface is enabled, the value will be resolved as a path relative to ${quarkus.management.root-path}.
Apply Micrometer compatibility mode, where instead of regular 'base' and 'vendor' metrics, Quarkus exposes the same 'jvm' metrics that Micrometer does. Application metrics are unaffected by this mode. The use case is to facilitate migration from Micrometer-based metrics, because original dashboards for JVM metrics will continue working without having to rewrite them.
If management interface is turned on the openapi schema document will be published under the management interface. This allows you to exclude OpenAPI from management by setting the value to false
Whether it should automatically configure the connector attribute of channels that don’t have an upstream source (for incoming channels), or a downstream consumer (for outgoing channels). When enabled, it verifies that there is only a single connector on the classpath. In that case, it automatically associates the orphans channel to the connector, removing the need to add the .connector attribute in the application configuration.
If Dev Services for AMQP has been explicitly enabled or disabled. Dev Services are generally enabled by default, unless there is an existing configuration present. For AMQP, Dev Services starts a broker unless amqp-host or amqp-port are set or if all the Reactive Messaging AMQP channel are configured with host or port.
The image to use. Note that only ActiveMQ Artemis images are supported. Specifically, the image repository must end with artemiscloud/activemq-artemis-broker. Check the activemq-artemis-broker on Quay page to find the available versions.
Whether Kafka serializer/deserializer generation is enabled. When no serializer/deserializer are found and not set, Quarkus generates a Jackson-based serde.
Enables the graceful shutdown in dev and test modes. The graceful shutdown waits until the inflight records have been processed and the offset committed to Kafka. While this setting is highly recommended in production, in dev and test modes, it’s disabled by default. This setting allows to re-enable it.
If Dev Services for MQTT has been explicitly enabled or disabled. Dev Services are generally enabled by default, unless there is an existing configuration present. For MQTT, Dev Services starts a broker unless *.host or *.port are set for one of the connectors or if all the Reactive Messaging MQTT channel are configured with host or port.
If Dev Services for RabbitMQ has been explicitly enabled or disabled. Dev Services are generally enabled by default, unless there is an existing configuration present. For RabbitMQ, Dev Services starts a broker unless rabbitmq-host or rabbitmq-port are set or if all the Reactive Messaging RabbitMQ channel are configured with host or port.
The value / is not allowed as it blocks the application from serving anything else. By default, this value will be resolved as a path relative to ${quarkus.http.non-application-root-path}.
-
Environment variable: QUARKUS_SWAGGER_UI_PATH
+
Environment variable: QUARKUS_SWAGGER_UI_PATH
@@ -69923,7 +86031,7 @@
If this should be included every time. By default, this is only included when the application is running in dev mode.
If set, enables filtering. The top bar will show an edit box that you can use to filter the tagged operations that are shown. Can be Boolean to enable or disable, or a string, in which case filtering will be enabled using that string as the filter expression. Filtering is case-sensitive matching the filter expression anywhere inside the tag.
-
Environment variable: QUARKUS_SWAGGER_UI_FILTER
+
Environment variable: QUARKUS_SWAGGER_UI_FILTER
@@ -70148,7 +86256,7 @@
If set, limits the number of tagged operations displayed to at most this many. The default is to show all operations.
Apply a sort to the operation list of each API. It can be 'alpha' (sort by paths alphanumerically), 'method' (sort by HTTP method) or a function (see Array.prototype.sort() to know how sort function works). Default is the order returned by the server unchanged.
Apply a sort to the tag list of each API. It can be 'alpha' (sort by paths alphanumerically) or a function (see Array.prototype.sort() to learn how to write a sort function). Two tag name strings are passed to the sorter for each pass. Default is the order determined by Swagger UI.
MUST be a function. Function to intercept remote definition, "Try it out", and OAuth 2.0 requests. Accepts one argument requestInterceptor(request) and must return the modified request, or a Promise that resolves to the modified request.
If set, MUST be an array of command line options available to the curl command. This can be set on the mutated request in the requestInterceptor function.
MUST be a function. Function to intercept remote definition, "Try it out", and OAuth 2.0 responses. Accepts one argument responseInterceptor(response) and must return the modified response, or a Promise that resolves to the modified response.
If set to true, uses the mutated request returned from a requestInterceptor to produce the curl command in the UI, otherwise the request before the requestInterceptor was applied is used.
List of HTTP methods that have the "Try it out" feature enabled. An empty array disables "Try it out" for all operations. This does not filter the operations from the display.
By default, Swagger UI attempts to validate specs against swagger.io’s online validator. You can use this parameter to set a different validator URL, for example for locally deployed validators (Validator Badge). Setting it to either none, 127.0.0.1 or localhost will disable validation.
Function to set default value to parameters. Accepts two arguments parameterMacro(operation, parameter). Operation and parameter are objects passed for context, both remain immutable
OAuth only activated for the accessCode flow. During the authorization_code request to the tokenUrl, pass the Client Password using the HTTP Basic Authentication scheme - Used in the initOAuth method.
OAuth only applies to authorization code flows. Proof Key for Code Exchange brings enhanced security for OAuth public clients - Used in the initOAuth method.
If Swagger UI is included, it should be enabled/disabled. By default, Swagger UI is enabled if it is included (see always-include).
-
Environment variable: QUARKUS_SWAGGER_UI_ENABLE
+
Environment variable: QUARKUS_SWAGGER_UI_ENABLE
@@ -70777,7 +86885,7 @@
The urls that will be included as options. By default, the OpenAPI path will be used. Here you can override that and supply multiple urls that will appear in the TopBar plugin.
The buffer size to use for Servlet. If this is not specified the default will depend on the amount of available memory. If there is less than 64mb it will default to 512b heap buffer, less that 128mb 1k direct buffer and otherwise 16k direct buffers.
-
Environment variable: QUARKUS_SERVLET_BUFFER_SIZE
+
Environment variable: QUARKUS_SERVLET_BUFFER_SIZE
@@ -70863,7 +86971,7 @@
If Servlet should use direct buffers, this gives maximum performance but can be problematic in memory constrained environments
The maximum number of HTTP request parameters permitted for Servlet requests. If a client sends more than this number of parameters in a request, the connection is closed.
If the websocket methods should be run in a worker thread. This allows them to run blocking tasks, however it will not be as fast as running directly in the IO thread.
Start gRPC server in dev mode even if no gRPC services are implemented. By default set to true to ease incremental development of new services using dev mode.
If set to true, and a Stork load balancer is used, connections with all available service instances will be requested proactively. This means better load balancing at the cost of having multiple active connections.
An optional trust store which holds the certificate information of the certificates to trust The trust store can be either on classpath or in an external file.
The format uses the standard java.time.Duration format. You can also provide duration values starting with a number. In this case, if the value consists only of a number, the converter treats the value as seconds. Otherwise, PT is implicitly prepended to the value to obtain a standard java.time.Duration format.
Do we use separate HTTP server to serve gRPC requests. Set this to false if you want to use new Vert.x gRPC support, which uses existing Vert.x HTTP server.
The classpath path or file path to the corresponding certificate private key file in PEM format.
-
Environment variable: QUARKUS_GRPC_SERVER_SSL_KEY
+
Environment variable: QUARKUS_GRPC_SERVER_SSL_KEY
@@ -71937,7 +88101,7 @@
An optional key store which holds the certificate information instead of specifying separate files. The key store can be either on classpath or an external file.
An optional trust store which holds the certificate information of the certificates to trust The trust store can be either on classpath or an external file.
+
An optional trust store which holds the certificate information of the certificates to trust
+
+
+
The trust store can be either on classpath or an external file.
Sets the ordered list of enabled SSL/TLS protocols.
+
+
+
If not set, it defaults to "TLSv1.3, TLSv1.2". The following list of protocols are supported: TLSv1, TLSv1.1, TLSv1.2, TLSv1.3. To only enable TLSv1.3, set the value to to "TLSv1.3".
+
+
+
Note that setting an empty list, and enabling SSL/TLS is invalid. You must at least have one protocol.
Enables the gRPC Reflection Service. By default, the reflection service is only exposed in dev mode. This setting allows overriding this choice and enable the reflection service every time.
Number of gRPC server verticle instances. This is useful for scaling easily across multiple cores. The number should not exceed the amount of event loops.
Sets a custom permit-keep-alive duration. This configures the most aggressive keep-alive time clients are permitted to configure. The server will try to detect clients exceeding this rate and when detected will forcefully close the connection.
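Review bot: the protocols paragraph in this hunk lists TLSv1 and TLSv1.1 as supported without saying that both are deprecated (RFC 8996). Add a sentence advising against enabling them, and point out that the stated default "TLSv1.3, TLSv1.2" already leaves them out. The same paragraph has a doubled word in 'set the value to to "TLSv1.3"', and the split trust store sentence now ends at "certificates to trust" with no full stop before the line break.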
-You may call it without any parameter to use the interactive mode: mvn io.quarkus.platform:quarkus-maven-plugin:3.2.0.Final:create-extension -N
+You may call it without any parameter to use the interactive mode: mvn io.quarkus.platform:quarkus-maven-plugin:3.2.1.Final:create-extension -N
Your %test. prefixed properties will be used at the test runtime.
-
You can override the profile the executable is built with and runs with using the quarkus-profile=test property, e.g.
-./mvnw clean verify -Dnative -Dquarkus-profile=test. This might come handy if there are test specific resources to be processed,
+
You can override the profile the executable is built with and runs with using the quarkus.profile=test property, e.g.
+./mvnw clean verify -Dnative -Dquarkus.profile=test. This might come handy if there are test specific resources to be processed,
such as importing test data into the database.
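Review bot: the rename from quarkus-profile to quarkus.profile is applied consistently to both the prose and the ./mvnw command, but the rewritten sentence still reads "This might come handy if there are test specific resources to be processed". Since the line is being touched anyway, change it to "come in handy" and "test-specific".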
@@ -741,7 +741,7 @@
Profiles
-
The executable built with -Dquarkus-profile=test is not suitable for production deployment.
+
The executable built with -Dquarkus.profile=test is not suitable for production deployment.
It contains your test resources files and settings. Once the testing is done, the executable would have to be built again,
using the default, prod profile.
In CDI, a normal scoped bean must always declare a no-args constructor (this constructor is normally generated by the compiler unless you declare any other constructor).
However, this requirement complicates constructor injection - you need to provide a dummy no-args constructor to make things work in CDI.
The container attempts to remove all unused beans, interceptors and decorators during build by default.
This optimization helps to minimize the amount of generated classes, thus conserving memory.
@@ -989,7 +919,7 @@
5
To use this mode, set quarkus.arc.remove-unused-beans to fwk or framework.
-
5.5.1. What’s Removed?
+
4.5.1. What’s Removed?
Quarkus first identifies so-called unremovable beans that form the roots in the dependency tree.
A good example is a Jakarta REST resource class or a bean which declares a @Scheduled method.
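Review bot: the heading changes only its number, from 5.5.1 to 4.5.1, and the hunk offsets (-989 against +919) show about 70 lines dropped earlier in the file, so this is a knock-on of a section removed upstream rather than a content edit. Every later heading in the file shifts the same way (5.x to 4.x, 6 to 5, and so on), so any text that cites these sections by number rather than by anchor will now point at the wrong place and should be checked before merging.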
@@ -1058,7 +988,7 @@
5.5.1. What
-
5.5.2. How To Eliminate False Positives
+
4.5.2. How To Eliminate False Positives
Users can instruct the container to not remove any of their specific beans (even if they satisfy all the rules specified above) by annotating them with @io.quarkus.arc.Unremovable.
This annotation can be declared on a class, a producer method or field.
Quarkus adds a capability that CDI currently does not support which is to conditionally declare a bean if no other bean with equal types and qualifiers was declared by any available means (bean class, producer, synthetic bean, …)
This is done using the @io.quarkus.arc.DefaultBean annotation and is best explained with an example.
@@ -1163,7 +1093,7 @@
5.6. Default
-
5.7. Enabling Beans for Quarkus Build Profile
+
4.7. Enabling Beans for Quarkus Build Profile
Quarkus adds a capability that CDI currently does not support which is to conditionally enable a bean when a Quarkus build time profile is enabled,
via the @io.quarkus.arc.profile.IfBuildProfile and @io.quarkus.arc.profile.UnlessBuildProfile annotations.
@@ -1228,7 +1158,7 @@
-
5.8. Enabling Beans for Quarkus Build Properties
+
4.8. Enabling Beans for Quarkus Build Properties
Quarkus adds a capability that CDI currently does not support which is to conditionally enable a bean when a Quarkus build time property has/has not a specific value,
via the @io.quarkus.arc.properties.IfBuildProperty and @io.quarkus.arc.properties.UnlessBuildProperty annotations.
@@ -1304,7 +1234,7 @@
In CDI, an alternative bean may be selected either globally for an application by means of @Priority, or for a bean archive using a beans.xml descriptor.
Quarkus has a simplified bean discovery and the content of beans.xml is ignored.
The Interceptors specification is clear that around-invoke methods must not be declared static.
However, this restriction was driven mostly by technical limitations.
@@ -1424,7 +1354,7 @@
5.12. Ability to handle 'final' classes and methods
+
4.12. Ability to handle 'final' classes and methods
In normal CDI, classes that are marked as final and / or have final methods are not eligible for proxy creation,
which in turn means that interceptors and normal scoped beans don’t work properly.
@@ -1464,7 +1394,7 @@
There is no standard concurrency control mechanism for CDI beans.
Nevertheless, a bean instance can be shared and accessed concurrently from multiple threads.
@@ -1523,7 +1453,7 @@
In certain situations, it is practical to obtain a bean instance programmatically via an injected jakarta.enterprise.inject.Instance and Instance.get().
However, according to the specification the get() method must identify the matching bean and obtain a contextual reference.
@@ -1648,7 +1578,7 @@
5.16. Declaratively Choose Beans That Can Be Obtained by Programmatic Lookup
+
4.16. Declaratively Choose Beans That Can Be Obtained by Programmatic Lookup
It is sometimes useful to narrow down the set of beans that can be obtained by programmatic lookup via jakarta.enterprise.inject.Instance.
Typically, a user needs to choose the appropriate implementation of an interface based on a runtime configuration property.
In CDI, it’s possible to inject multiple bean instances (aka contextual references) via the jakarta.enterprise.inject.Instance which implements java.lang.Iterable.
However, it’s not exactly intuitive.
@@ -1796,7 +1726,7 @@
5.18. Ignoring Class-Level Interceptor Bindings for Methods and Constructors
+
4.18. Ignoring Class-Level Interceptor Bindings for Methods and Constructors
If a managed bean declares interceptor binding annotations on the class level, the corresponding @AroundInvoke interceptors will apply to all business methods.
Similarly, the corresponding @AroundConstruct interceptors will apply to the bean constructor.
@@ -1846,7 +1776,7 @@
-
5.19. Exceptions Thrown By An Asynchronous Observer Method
+
4.19. Exceptions Thrown By An Asynchronous Observer Method
If an exception is thrown by an asynchronous observer then the CompletionStage returned by the fireAsync() method completes exceptionally so that the event producer may react appropriately.
However, if the event producer does not care then the exception is ignored silently.
@@ -1871,7 +1801,7 @@
-
6. Build Time Extensions
+
5. Build Time Extensions
Quarkus incorporates build-time optimizations in order to provide instant startup and low memory footprint.
@@ -1882,7 +1812,7 @@
6. Build
-
7. Development Mode
+
6. Development Mode
In the development mode, two special endpoints are registered automatically to provide some basic debug info in the JSON format:
@@ -1936,7 +1866,7 @@
7. Deve
-
7.1. Monitoring Business Method Invocations and Events
+
6.1. Monitoring Business Method Invocations and Events
In the development mode, it is also possible to enable monitoring of business method invocations and fired events.
Simply set the quarkus.arc.dev-mode.monitoring-enabled configuration property to true and explore the relevant Dev UI pages.
@@ -1945,7 +1875,7 @@
-
8. Strict Mode
+
7. Strict Mode
By default, ArC does not perform all validations required by the CDI specification.
@@ -1986,7 +1916,7 @@
8. Strict Mode
-
9. ArC Configuration Reference
+
8. ArC Configuration Reference
Configuration property fixed at build time - All other configuration properties are overridable at runtime
Quarkus Platform release BOM is identified by groupId:artifactId:version (GAV) coordinates. When specifying a platform release BOM, you may use empty segments to fall back to default values (shown with quarkus create app --help). If you specify only one segment (no :), it is assumed to be a version.
-
io.quarkus.platform is the default groupId. Specifying -P :quarkus-bom: is equivalent to -P io.quarkus.platform:quarkus-bom:3.2.0.Final. Note that you need to specify the groupId to work with a snapshot, e.g. -P io.quarkus::999-SNAPSHOT is equivalent to -P io.quarkus:quarkus-bom:999-SNAPSHOT.
+
io.quarkus.platform is the default groupId. Specifying -P :quarkus-bom: is equivalent to -P io.quarkus.platform:quarkus-bom:3.2.1.Final. Note that you need to specify the groupId to work with a snapshot, e.g. -P io.quarkus::999-SNAPSHOT is equivalent to -P io.quarkus:quarkus-bom:999-SNAPSHOT.
Default values are subject to change. Use the --dry-run option to see the computed value.
The base image to be used when a container image is being produced for the jar build. When the application is built against Java 17 or higher, registry.access.redhat.com/ubi8/openjdk-17-runtime:1.16 is used as the default. Otherwise registry.access.redhat.com/ubi8/openjdk-11-runtime:1.16 is used as the default.
+
The base image to be used when a container image is being produced for the jar build. When the application is built against Java 17 or higher, registry.access.redhat.com/ubi8/openjdk-17-runtime:1.17 is used as the default. Otherwise registry.access.redhat.com/ubi8/openjdk-11-runtime:1.16 is used as the default.
-
Environment variable: QUARKUS_JIB_BASE_JVM_IMAGE
+
Environment variable: QUARKUS_JIB_BASE_JVM_IMAGE
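Review bot: only the Java 17 default moves, from openjdk-17-runtime:1.16 to openjdk-17-runtime:1.17, while the Java 11 default in the same sentence stays at openjdk-11-runtime:1.16. If the split is intentional, say so in the change description; if not, the Java 11 tag needs the same bump. The S2I base image text further down (QUARKUS_S2I_BASE_JVM_IMAGE) still gives openjdk-17:1.16, so it is worth confirming that the defaults for the other container-image extensions are meant to lag behind Jib.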
@@ -953,7 +953,7 @@
Jib Options
The base image to be used when a container image is being produced for the native binary build. The default is "quay.io/quarkus/quarkus-micro-image". You can also use "registry.access.redhat.com/ubi8/ubi-minimal" which is a bigger base image, but provide more built-in utilities such as the microdnf package manager.
Controls the optimization which skips downloading base image layers that exist in a target registry. If the user does not set this property, then read as false. If true, base image layers are always pulled and cached. If false, base image layers will not be pulled/cached if they already exist on the target registry.
If not specified, OS default is linux and architecture default is amd64. If more than one platform is configured, it is important to note that the base image has to be a Docker manifest or an OCI image index containing a version of each chosen platform. The feature does not work with native images, as cross-compilation is not supported. This configuration is based on an incubating feature of Jib. See Jib FAQ for more information.
-
Environment variable: QUARKUS_JIB_PLATFORMS
+
Environment variable: QUARKUS_JIB_PLATFORMS
@@ -1219,7 +1219,7 @@
Jib Options
The path of a file in which the digest of the generated image will be written. If the path is relative, the base path is the output directory of the build tool.
The path of a file in which the id of the generated image will be written. If the path is relative, the base path is the output directory of the build tool.
-
Environment variable: QUARKUS_JIB_IMAGE_ID_FILE
+
Environment variable: QUARKUS_JIB_IMAGE_ID_FILE
@@ -1253,7 +1253,7 @@
Jib Options
Whether or not to operate offline.
-
Environment variable: QUARKUS_JIB_OFFLINE_MODE
+
Environment variable: QUARKUS_JIB_OFFLINE_MODE
@@ -1270,7 +1270,7 @@
Jib Options
Name of binary used to execute the docker commands. This is only used by Jib when the container image is being built locally.
Whether to set the creation time to the actual build time. Otherwise, the creation time will be set to the Unix epoch (00:00:00, January 1st, 1970 in UTC). See Jib FAQ for more information
Whether to set the modification time (last modified time) of the files put by Jib in the image to the actual build time. Otherwise, the modification time will be set to the Unix epoch (00:00:00, January 1st, 1970 in UTC). If the modification time is constant (flag is set to false so Unix epoch is used) across two consecutive builds, the docker layer sha256 digest will be different only if the actual files added by Jib to the docker layer were changed. More exactly, having 2 consecutive builds will generate different docker layers only if the actual content of the files within the docker layer was changed. If the current timestamp is used the sha256 digest of the docker layer will always be different even if the content of the files didn’t change.
Path to the JVM Dockerfile. If set to an absolute path then the absolute path will be used, otherwise the path will be considered relative to the project root. If not set src/main/docker/Dockerfile.jvm will be used.
Path to the native Dockerfile. If set to an absolute path then the absolute path will be used, otherwise the path will be considered relative to the project root. If not set src/main/docker/Dockerfile.native will be used.
The base image to be used when a container image is being produced for the jar build. When the application is built against Java 17 or higher, registry.access.redhat.com/ubi8/openjdk-17:1.16 is used as the default. Otherwise registry.access.redhat.com/ubi8/openjdk-11:1.16 is used as the default.
The directory where the jar is added during the assemble phase. This is dependent on the S2I image and should be supplied if a non default image is used.
The directory where the native binary is added during the assemble phase. This is dependent on the S2I image and should be supplied if a non-default image is used.
The resulting filename of the native binary in the S2I image. This option may be used if the selected S2I image uses a fixed name for the native binary.
The base image to be used when a container image is being produced for the jar build. When the application is built against Java 17 or higher, registry.access.redhat.com/ubi8/openjdk-17:1.16 is used as the default. Otherwise registry.access.redhat.com/ubi8/openjdk-11:1.16 is used as the default.
-
Environment variable: QUARKUS_S2I_BASE_JVM_IMAGE
+
Environment variable: QUARKUS_S2I_BASE_JVM_IMAGE
@@ -1835,7 +1835,7 @@
OpenS
The base image to be used when a container image is being produced for the native binary build
The directory where the jar is added during the assemble phase. This is dependent on the S2I image and should be supplied if a non default image is used.
-
Environment variable: QUARKUS_S2I_JAR_DIRECTORY
+
Environment variable: QUARKUS_S2I_JAR_DIRECTORY
@@ -1903,7 +1903,7 @@
OpenS
The resulting filename of the jar in the S2I image. This option may be used if the selected S2I image uses a fixed name for the jar.
-
Environment variable: QUARKUS_S2I_JAR_FILE_NAME
+
Environment variable: QUARKUS_S2I_JAR_FILE_NAME
@@ -1920,7 +1920,7 @@
OpenS
The directory where the native binary is added during the assemble phase. This is dependent on the S2I image and should be supplied if a non-default image is used.
The resulting filename of the native binary in the S2I image. This option may be used if the selected S2I image uses a fixed name for the native binary.