Add missing chronoctl commands and clean up chronograf daemon page (#5181)

* add missing chronoctl commands, closes influxdata/DAR#239, closes #3256

* Apply suggestions from code review

Co-authored-by: Jason Stirnaman <stirnamanj@gmail.com>

---------

Co-authored-by: Jason Stirnaman <stirnamanj@gmail.com>
Scott Anderson 2023-10-17 11:22:14 -06:00 committed by GitHub
parent 5bc6fb2865
commit 3a892b8d3c
9 changed files with 275 additions and 156 deletions


@ -65,7 +65,10 @@ table + table {
margin-top: -1.5rem;
}
#flags:not(.no-shorthand), #global-flags {
// Adjust spacing to push long-hand and short-hand columns closer together
#flags:not(.no-shorthand),
#global-flags,
.shorthand-flags {
& + table {
td:nth-child(2) code { margin-left: -2rem; }
}
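Review bot: the `& + table` adjacent-sibling rule only applies when the table is the very next element after the heading that carries `.shorthand-flags`; any paragraph or shortcode placed between the heading and its table silently disables the column tightening. Either state that constraint in the comment next to "Adjust spacing to push long-hand and short-hand columns closer together" or scope a general-sibling (`~ table`) rule to the section instead, so a later edit that adds an intro sentence does not quietly break the layout.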


@ -13,14 +13,21 @@ The `chronoctl` command line interface (CLI) includes commands to interact with
## Usage
```
chronoctl [command]
chronoctl [flags]
chronoctl [flags] [command]
```
## Commands
| Command | Description |
|:------- |:----------- |
| [add-superadmin](/chronograf/v1/tools/chronoctl/add-superadmin/) | Create a new user with superadmin status |
| [list-users](/chronograf/v1/tools/chronoctl/list-users) | List all users in the Chronograf data store |
| [migrate](/chronograf/v1/tools/chronoctl/migrate) | Migrate your Chronograf configuration store |
| Command | Description |
| :--------------------------------------------------------------- | :------------------------------------------------------------------------------------- |
| [add-superadmin](/chronograf/v1/tools/chronoctl/add-superadmin/) | Create a new user with superadmin status |
| [gen-keypair](/chronograf/v1/tools/chronoctl/gen-keypair) | Generate RSA keypair in the Chronograf data store |
| [list-users](/chronograf/v1/tools/chronoctl/list-users) | List all users in the Chronograf data store |
| [migrate](/chronograf/v1/tools/chronoctl/migrate) | Migrate your Chronograf configuration store |
| [token](/chronograf/v1/tools/chronoctl/token) | Get current token for a superadmin user (chronograf must be started with a public key) |
## Flags
| Flag | | Description |
| :--- | -------- | :------------------ |
| `-h` | `--help` | Output command help |
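Review bot: the new usage line `chronoctl [flags] [command]` places the flags before the subcommand, but the subcommand pages added in this same change document `chronoctl token [flags]` and `chronoctl gen-keypair [flags]`; pick one form (`chronoctl [command] [flags]` matches the subpages) so the index and the subpages agree. Two smaller inconsistencies in the commands table: the `add-superadmin` link ends with a trailing slash while the other four links do not, and `gen-keypair` is described as "Generate RSA keypair in the Chronograf data store" although its own page says the keypair is written to the file system.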


@ -6,7 +6,7 @@ menu:
chronograf_v1:
name: chronoctl add-superadmin
parent: chronoctl
weight: 20
weight: 201
---
The `add-superadmin` command creates a new user with superadmin status.
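Review bot: `weight: 201` is now shared by every chronoctl subpage (the `list-users` and `migrate` hunks below make the same change and the two new pages use it too), so the menu order falls back to Hugo's secondary sort instead of the explicit 20/30/40 sequence this replaces. If alphabetical ordering is the intent, say so in the PR description; otherwise keep distinct weights so `add-superadmin`, `list-users`, `migrate` keep a deliberate order.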


@ -0,0 +1,42 @@
---
title: chronoctl gen-keypair
description: >
The `gen-keypair` command generates an RSA keypair and writes it to the file system.
menu:
chronograf_v1:
name: chronoctl gen-keypair
parent: chronoctl
weight: 201
---
The `gen-keypair` command generates an RSA keypair and writes it to the file system.
Private keys are stored in a file at a specified location.
Private keys are stored in the same location using the same name with the `.pub`
extension added.
## Usage
```sh
chronoctl gen-keypair [flags]
```
## Flags
| Flag | | Description | Input type |
| :--- | :------- | :-------------------------------------------------------------------- | :--------: |
| | `--bits` | Number of bits to use to generate the RSA keypair _(default is 4096)_ | integer |
| `-h` | `--help` | Output command help | |
| | `--out` | Keypair file path to write to _(default is `chronograf-rsa`)_ | string |
## Examples
The following example generates a 4096 bit RSA keypair and writes the following
files to the local file system:
- `/path/to/chrono-rsa`: Private key
- `/path/to/chrono-rsa.pub`: Public key
```sh
chronoctl gen-keypair --out /path/to/chrono-rsa
```
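Review bot: the second body sentence, "Private keys are stored in the same location using the same name with the `.pub` extension added.", should read "Public keys"; as written both sentences describe the private key and the `.pub` file is never explained. Since the private key written here is what `chronoctl token` later uses to mint a superadmin token, the page should also state the file mode the key is created with and whether `--out` refuses to overwrite an existing file, so operators can verify both after running the example. Minor: the example text says "4096 bit" without tying it to the `--bits` default given in the flags table; "the default 4096-bit" would make the connection.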


@ -7,7 +7,7 @@ menu:
chronograf_v1:
name: chronoctl list-users
parent: chronoctl
weight: 30
weight: 201
---
The `list-users` command lists all users in the Chronograf data store.


@ -6,7 +6,7 @@ menu:
chronograf_v1:
name: chronoctl migrate
parent: chronoctl
weight: 40
weight: 201
---
The `migrate` command lets you migrate your Chronograf configuration store.


@ -0,0 +1,46 @@
---
title: chronoctl token
description: >
The `token` command reads a private token file, generates and signs the nonce,
and then returns an expiring token to be used in the `Authorization` header.
menu:
chronograf_v1:
name: chronoctl token
parent: chronoctl
weight: 201
---
The `token` command reads a private token file, generates and signs the nonce,
and then returns an expiring token to be used in the `Authorization` header.
For example:
```sh
Authorization: CHRONOGRAF-SHA256 <returned-expiring-token>
```
## Usage
```
chronoctl token [flags]
```
## Flags
| Flag | | Description | Env. Variable |
| :--- | :----------------- | :------------------------------------------------------------ | :--------------: |
| `-h` | `--help` | Output command help | |
| | `--chronograf-url` | Chronograf's URL _(default is `http://localhost:8888`)_ | `CHRONOGRAF_URL` |
| `-k` | `--skip-verify` | Skip TLS certification verification | |
| | `--priv-key-file` | Private key file location for superadmin token authentication | `PRIV_KEY_FILE` |
## Examples
The following example uses the RSA key used when started the Chronograf server and
returns an expiring token that can be used to gain superadmin access to Chronograf.
{{% note %}}
The private key must correspond to the public key used when starting the
Chronograf server.
{{% /note %}}
```sh
chronoctl token --priv-key-file /path/to/chronograf-rsa
```
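Review bot: "reads a private token file" should be "reads a private key file", matching the `--priv-key-file` flag and the `gen-keypair` output it consumes, and "generates and signs the nonce" refers to a nonce the page never introduces; say where that nonce comes from. In the Examples paragraph, "uses the RSA key used when started the Chronograf server" should be "used when starting the Chronograf server". The `-k`/`--skip-verify` row also reads "Skip TLS certification verification" (certificate, not certification) and deserves a one-line caveat: with verification skipped the signed token is handed to whatever answers at `--chronograf-url`, so the flag belongs in test setups only. Finally, `Authorization: CHRONOGRAF-SHA256 <returned-expiring-token>` is an HTTP header, not a shell command, so the `sh` fence tag is misleading.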


@ -1,145 +0,0 @@
---
title: chronograf CLI
description: >
The `chronograf` command line interface (CLI) includes options to manage many aspects of Chronograf security.
menu:
chronograf_v1:
name: chronograf CLI
parent: Tools
weight: 10
---
The `chronograf` command line interface (CLI) includes options to manage Chronograf security.
## Usage
```
chronograf [flags]
```
## Chronograf service flags
| Flag | Description | Env. Variable |
|:-----------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------|:---------------------|
| `--host` | IP the Chronograf service listens on. By default, `0.0.0.0` | `$HOST` |
| `--port` | Port the Chronograf service listens on for insecure connections. By default, `8888` | `$PORT` |
| `-b`,`--bolt-path` | File path to the BoltDB file. By default, `./chronograf-v1.db` | `$BOLT_PATH` |
| `-c`,`--canned-path` | File path to the directory of canned dashboard files. By default, `/usr/share/chronograf/canned` | `$CANNED_PATH` |
| `--resources-path` | Path to directory of canned dashboards, sources, Kapacitor connections, and organizations. By default, `/usr/share/chronograf/resources` | `$RESOURCES_PATH` |
| `-p`, `--basepath` | URL path prefix under which all Chronograf routes will be mounted. | `$BASE_PATH` |
| `--status-feed-url` | URL of JSON feed to display as a news feed on the client status page. By default, `https://www.influxdata.com/feed/json` | `$STATUS_FEED_URL` |
| `-v`, `--version` | Displays the version of the Chronograf service | |
| `-h`, `--host-page-disabled` | Disables the hosts page | `$HOST_PAGE_DISABLED`|
## InfluxDB connection flags
| Flag | Description | Env. Variable |
| :-------------------- | :-------------------------------------------------------------------------------------- | :------------------- |
| `--influxdb-url` | InfluxDB URL, including the protocol, IP address, and port | `$INFLUXDB_URL` |
| `--influxdb-username` | InfluxDB username | `$INFLUXDB_USERNAME` |
| `--influxdb-password` | InfluxDB password | `$INFLUXDB_PASSWORD` |
| `--influxdb-org` | InfluxDB 2.x or InfluxDB Cloud organization name | `$INFLUXDB_ORG` |
| `--influxdb-token` | InfluxDB 2.x or InfluxDB Cloud [authentication token](/influxdb/cloud/security/tokens/) | `$INFLUXDB_TOKEN` |
## Kapacitor connection flags
| Flag | Description | Env. Variable |
|:-----------------------|:-------------------------------------------------------------------------------|:----------------------|
| `--kapacitor-url` | Location of your Kapacitor instance, including `http://`, IP address, and port | `$KAPACITOR_URL` |
| `--kapacitor-username` | Username for your Kapacitor instance | `$KAPACITOR_USERNAME` |
| `--kapacitor-password` | Password for your Kapacitor instance | `$KAPACITOR_PASSWORD` |
## TLS (Transport Layer Security) flags
| Flag | Description | Env. Variable |
|:--------- |:------------------------------------------------------------ |:--------------------|
| `--cert` | File path to PEM-encoded public key certificate | `$TLS_CERTIFICATE` |
| `--key` | File path to private key associated with given certificate | `$TLS_PRIVATE_KEY` |
| `--tls-ciphers` | Comma-separated list of supported cipher suites. Use `help` to print available ciphers. | `$TLS_CIPHERS` |
| `--tls-min-version` | Minimum version of the TLS protocol that will be negotiated. (default: 1.2) | `$TLS_MIN_VERSION` |
| `--tls-max-version` | Maximum version of the TLS protocol that will be negotiated. | `$TLS_MAX_VERSION` |
## Other service option flags
| Flag | Description | Env. Variable |
| :--------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------- | :-------------------- |
| `--custom-auto-refresh` | Add custom auto-refresh options using semicolon separated list of label=milliseconds pairs | `$CUSTOM-AUTO-REFRESH |
| `--custom-link` | Add a custom link to Chronograf user menu options using `<display_name>:<link_address>` syntax. For multiple custom links, include multiple flags. | |
| `-d`, `--develop` | Run the Chronograf service in developer mode | |
| `-h`, `--help` | Display command line help for Chronograf | |
| `-l`, `--log-level` | Set the logging level. Valid values include `info` (default), `debug`, and `error` | `$LOG_LEVEL` |
| `-r`, `--reporting-disabled` | Disable reporting of usage statistics. Usage statistics reported once every 24 hours include: `OS`, `arch`, `version`, `cluster_id`, and `uptime`. | `$REPORTING_DISABLED` |
## Authentication option flags
### General authentication flags
| Flag | Description | Env. Variable |
| :--------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :--------------- |
| `-t`, `--token-secret` | Secret for signing tokens | `$TOKEN_SECRET` |
| `--auth-duration` | Total duration, in hours, of cookie life for authentication. Default value is `720h`. | `$AUTH_DURATION` |
| `--public-url` | Public URL required to access Chronograf using a web browser. For example, if you access Chronograf using the default URL, the public URL value would be `http://localhost:8888`. Required for Google OAuth 2.0 authentication. Used for Auth0 and some generic OAuth 2.0 authentication providers. | `$PUBLIC_URL` |
| `—-htpasswd` | Path to password file for use with HTTP basic authentication. See [NGINX documentation](https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/) for more on password files. | `$HTPASSWD` |
### GitHub-specific OAuth 2.0 authentication flags
| Flag | Description | Env. Variable |
| :----------------------------- | :------------------------------------------------------------------------------------------------------------------------------------- | :------------------ |
| `--github-url` | Github base URL. Default is `https://github.com`. {{< req "Required if using Github Enterprise" >}} | `$GH_URL` |
| `-i`, `--github-client-id` | GitHub client ID value for OAuth 2.0 support | `$GH_CLIENT_ID` |
| `-s`, `--github-client-secret` | GitHub client secret value for OAuth 2.0 support | `$GH_CLIENT_SECRET` |
| `-o`, `--github-organization` | Restricts authorization to users from specified Github organizations. To add more than one organization, add multiple flags. Optional. | `$GH_ORGS` |
### Google-specific OAuth 2.0 authentication flags
| Flag | Description | Env. Variable |
|:-------------------------|:--------------------------------------------------------------------------------|:------------------------|
| `--google-client-id` | Google client ID value for OAuth 2.0 support | `$GOOGLE_CLIENT_ID` |
| `--google-client-secret` | Google client secret value for OAuth 2.0 support | `$GOOGLE_CLIENT_SECRET` |
| `--google-domains` | Restricts authorization to users from specified Google email domain. To add more than one domain, add multiple flags. Optional. | `$GOOGLE_DOMAINS` |
### Auth0-specific OAuth 2.0 authentication flags
| Flag | Description | Env. Variable |
|:------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------|
| `--auth0-domain` | Subdomain of your Auth0 client. Available on the configuration page for your Auth0 client. | `$AUTH0_DOMAIN` |
| `--auth0-client-id` | Auth0 client ID value for OAuth 2.0 support | `$AUTH0_CLIENT_ID` |
| `--auth0-client-secret` | Auth0 client secret value for OAuth 2.0 support | `$AUTH0_CLIENT_SECRET` |
| `--auth0-organizations` | Restricts authorization to users specified Auth0 organization. To add more than one organization, add multiple flags. Optional. Organizations are set using an organization key in the users `app_metadata`. | `$AUTH0_ORGS` |
### Heroku-specific OAuth 2.0 authentication flags
| Flag | Description | Env. Variable |
|:------------------------|:-----------------------------------------------------------------------------------------|:--------------------|
| `--heroku-client-id` | Heroku client ID value for OAuth 2.0 support | `$HEROKU_CLIENT_ID` |
| `--heroku-secret` | Heroku secret for OAuth 2.0 support | `$HEROKU_SECRET` |
| `--heroku-organization` | Restricts authorization to users from specified Heroku organization. To add more than one organization, add multiple flags. Optional. | `$HEROKU_ORGS` |
### Generic OAuth 2.0 authentication flags
| Flag | Description | Env. Variable |
| :------------------------ | :----------------------------------------------------------------------------- | :----------------------- |
| `--generic-name` | Generic OAuth 2.0 name presented on the login page | `$GENERIC_NAME` |
| `--generic-client-id` | Generic OAuth 2.0 client ID value. Can be used for a custom OAuth 2.0 service. | `$GENERIC_CLIENT_ID` |
| `--generic-client-secret` | Generic OAuth 2.0 client secret value | `$GENERIC_CLIENT_SECRET` |
| `--generic-scopes` | Scopes requested by provider of web client | `$GENERIC_SCOPES` |
| `--generic-domains` | Email domain required for user email addresses | `$GENERIC_DOMAINS` |
| `--generic-auth-url` | Authorization endpoint URL for the OAuth 2.0 provider | `$GENERIC_AUTH_URL` |
| `--generic-token-url` | Token endpoint URL for the OAuth 2.0 provider | `$GENERIC_TOKEN_URL` |
| `--generic-api-url` | URL that returns OpenID UserInfo-compatible information | `$GENERIC_API_URL` |
| `--oauth-no-pkce` | Disable OAuth PKCE | `$OAUTH_NO_PKCE` |
### etcd flags
| Flag | Description | Env. Variable |
| :----------------------- | :--------------------------------------------------------------------------------------------------------- | :---------------------- |
| `-e`, `--etcd-endpoints` | etcd endpoint URL (include multiple flags for multiple endpoints) | `$ETCD_ENDPOINTS` |
| `--etcd-username` | etcd username | `$ETCD_USERNAME` |
| `--etcd-password` | etcd password | `$ETCD_PASSWORD` |
| `--etcd-dial-timeout` | Total time to wait before timing out while connecting to etcd endpoints (0 means no timeout, default: -1s) | `$ETCD_DIAL_TIMEOUT` |
| `--etcd-request-timeout` | Total time to wait before timing out the etcd view or update (0 means no timeout, default: -1s) | `$ETCD_REQUEST_TIMEOUT` |
| `--etcd-cert` | Path to PEM encoded TLS public key certificate for use with TLS | `$ETCD_CERTIFICATE` |
| `--etcd-key` | Path to private key associated with given certificate for use with TLS | `$ETCD_PRIVATE_KEY` |
| `--etcd-root-ca` | Path to root CA certificate for TLS verification | `$ETCD-ROOT-CA |
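Review bot: deleting this page removes `/chronograf/v1/tools/chronograf-cli/` wholesale, so every existing link and bookmark to it 404s unless the replacement page declares an alias for that exact path; confirm the redirect before merging. Three defects in the deleted tables should not be carried over verbatim: `—-htpasswd` uses an em dash where `--htpasswd` is meant, `$CUSTOM-AUTO-REFRESH` is missing its closing backtick, and `$ETCD-ROOT-CA` uses hyphens in an environment variable name.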


@ -0,0 +1,166 @@
---
title: chronograf - Chronograf server
description: >
The `chronograf` daemon starts and manages all the processes associated with
the Chronograf server and includes options that manage many aspects of
Chronograf security.
menu:
chronograf_v1:
name: chronograf
parent: Tools
weight: 10
aliases:
- /chronograf/v1/tools/chronograf-cli/
---
The `chronograf` daemon starts and manages all the processes associated with
the Chronograf server and includes options that manage many aspects of
Chronograf security.
## Usage
```
chronograf [flags]
```
## Flags
- [Chronograf server flags](#chronograf-server-flags)
- [InfluxDB connection flags](#influxdb-connection-flags)
- [Kapacitor connection flags](#kapacitor-connection-flags)
- [TLS (Transport Layer Security) flags](#tls-(transport-layer-security)-flags)
- [Other server option flags](#other-server-option-flags)
- [Authentication option flags](#authentication-option-flags)
- [General authentication flags](#general-authentication-flags)
- [GitHub-specific OAuth 2.0 authentication flags](#github-specific-oauth-20-authentication-flags)
- [Google-specific OAuth 2.0 authentication flags](#google-specific-oauth-20-authentication-flags)
- [Auth0-specific OAuth 2.0 authentication flags](#auth0-specific-oauth-20-authentication-flags)
- [Heroku-specific OAuth 2.0 authentication flags](#heroku-specific-oauth-20-authentication-flags)
- [Generic OAuth 2.0 authentication flags](#generic-oauth-20-authentication-flags)
- [etcd flags](#etcd-flags)
### Chronograf server flags {.shorthand-flags}
| Flag | | Description | Env. Variable |
| :--- | ---------------------- | :--------------------------------------------------------------------------------------------------------------------------------------- | :------------------- |
| | `--host` | IP the Chronograf service listens on. By default, `0.0.0.0` | `HOST` |
| | `--port` | Port the Chronograf service listens on for insecure connections. By default, `8888` | `PORT` |
| `-b` | `--bolt-path` | File path to the BoltDB file. By default, `./chronograf-v1.db` | `BOLT_PATH` |
| `-c` | `--canned-path` | File path to the directory of canned dashboard files. By default, `/usr/share/chronograf/canned` | `CANNED_PATH` |
| | `--resources-path` | Path to directory of canned dashboards, sources, Kapacitor connections, and organizations. By default, `/usr/share/chronograf/resources` | `RESOURCES_PATH` |
| `-p` | `--basepath` | URL path prefix under which all Chronograf routes will be mounted. | `BASE_PATH` |
| | `--status-feed-url` | URL of JSON feed to display as a news feed on the client status page. By default, `https://www.influxdata.com/feed/json` | `STATUS_FEED_URL` |
| `-v` | `--version` | Displays the version of the Chronograf service | |
| `-h` | `--host-page-disabled` | Disables the hosts page | `HOST_PAGE_DISABLED` |
### InfluxDB connection flags
| Flag | Description | Env. Variable |
| :-------------------- | :-------------------------------------------------------------------------------------- | :------------------ |
| `--influxdb-url` | InfluxDB URL, including the protocol, IP address, and port | `INFLUXDB_URL` |
| `--influxdb-username` | InfluxDB username | `INFLUXDB_USERNAME` |
| `--influxdb-password` | InfluxDB password | `INFLUXDB_PASSWORD` |
| `--influxdb-org` | InfluxDB 2.x or InfluxDB Cloud organization name | `INFLUXDB_ORG` |
| `--influxdb-token` | InfluxDB 2.x or InfluxDB Cloud [authentication token](/influxdb/cloud/security/tokens/) | `INFLUXDB_TOKEN` |
### Kapacitor connection flags
| Flag | Description | Env. Variable |
| :--------------------- | :----------------------------------------------------------------------------- | :------------------- |
| `--kapacitor-url` | Location of your Kapacitor instance, including `http://`, IP address, and port | `KAPACITOR_URL` |
| `--kapacitor-username` | Username for your Kapacitor instance | `KAPACITOR_USERNAME` |
| `--kapacitor-password` | Password for your Kapacitor instance | `KAPACITOR_PASSWORD` |
### TLS (Transport Layer Security) flags
| Flag | Description | Env. Variable |
| :------------------ | :-------------------------------------------------------------------------------------- | :---------------- |
| `--cert` | File path to PEM-encoded public key certificate | `TLS_CERTIFICATE` |
| `--key` | File path to private key associated with given certificate | `TLS_PRIVATE_KEY` |
| `--tls-ciphers` | Comma-separated list of supported cipher suites. Use `help` to print available ciphers. | `TLS_CIPHERS` |
| `--tls-min-version` | Minimum version of the TLS protocol that will be negotiated. (default: 1.2) | `TLS_MIN_VERSION` |
| `--tls-max-version` | Maximum version of the TLS protocol that will be negotiated. | `TLS_MAX_VERSION` |
### Other server option flags {.shorthand-flags}
| Flag | | Description | Env. Variable |
| :--- | ----------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------- | :-------------------- |
| | `--custom-auto-refresh` | Add custom auto-refresh options using semicolon-separated list of label=milliseconds pairs | `CUSTOM-AUTO-REFRESH` |
| | `--custom-link` | Add a custom link to Chronograf user menu options using `<display_name>:<link_address>` syntax. For multiple custom links, include multiple flags. | |
| `-d` | `--develop` | Run the Chronograf service in developer mode | |
| `-h` | `--help` | Display command line help for Chronograf | |
| `-l` | `--log-level` | Set the logging level. Valid values include `info` (default), `debug`, and `error` | `LOG_LEVEL` |
| `-r` | `--reporting-disabled` | Disable reporting of usage statistics. Usage statistics reported once every 24 hours include: `OS`, `arch`, `version`, `cluster_id`, and `uptime`. | `REPORTING_DISABLED` |
### Authentication option flags
#### General authentication flags {.shorthand-flags}
| Flag | | Description | Env. Variable |
| :--- | ----------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :-------------- |
| `-t` | `--token-secret` | Secret for signing tokens | `TOKEN_SECRET` |
| | `--auth-duration` | Total duration, in hours, of cookie life for authentication. Default value is `720h`. | `AUTH_DURATION` |
| | `--public-url` | Public URL required to access Chronograf using a web browser. For example, if you access Chronograf using the default URL, the public URL value would be `http://localhost:8888`. Required for Google OAuth 2.0 authentication. Used for Auth0 and some generic OAuth 2.0 authentication providers. | `PUBLIC_URL` |
| | `—-htpasswd` | Path to password file for use with HTTP basic authentication. See [NGINX documentation](https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/) for more on password files. | `HTPASSWD` |
#### GitHub-specific OAuth 2.0 authentication flags {.shorthand-flags}
| Flag | | Description | Env. Variable |
| :--- | ------------------------ | :------------------------------------------------------------------------------------------------------------------------------------- | :----------------- |
| | `--github-url` | GitHub base URL. Default is `https://github.com`. {{< req "Required if using GitHub Enterprise" >}} | `GH_URL` |
| `-i` | `--github-client-id` | GitHub client ID value for OAuth 2.0 support | `GH_CLIENT_ID` |
| `-s` | `--github-client-secret` | GitHub client secret value for OAuth 2.0 support | `GH_CLIENT_SECRET` |
| `-o` | `--github-organization` | Restricts authorization to users from specified GitHub organizations. To add more than one organization, add multiple flags. Optional. | `GH_ORGS` |
#### Google-specific OAuth 2.0 authentication flags
| Flag | Description | Env. Variable |
| :----------------------- | :------------------------------------------------------------------------------------------------------------------------------ | :--------------------- |
| `--google-client-id` | Google client ID value for OAuth 2.0 support | `GOOGLE_CLIENT_ID` |
| `--google-client-secret` | Google client secret value for OAuth 2.0 support | `GOOGLE_CLIENT_SECRET` |
| `--google-domains` | Restricts authorization to users from specified Google email domain. To add more than one domain, add multiple flags. Optional. | `GOOGLE_DOMAINS` |
#### Auth0-specific OAuth 2.0 authentication flags
| Flag | Description | Env. Variable |
| :---------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :-------------------- |
| `--auth0-domain` | Subdomain of your Auth0 client. Available on the configuration page for your Auth0 client. | `AUTH0_DOMAIN` |
| `--auth0-client-id` | Auth0 client ID value for OAuth 2.0 support | `AUTH0_CLIENT_ID` |
| `--auth0-client-secret` | Auth0 client secret value for OAuth 2.0 support | `AUTH0_CLIENT_SECRET` |
| `--auth0-organizations` | Restricts authorization to users specified Auth0 organization. To add more than one organization, add multiple flags. Optional. Organizations are set using an organization key in the users `app_metadata`. | `AUTH0_ORGS` |
#### Heroku-specific OAuth 2.0 authentication flags
| Flag | Description | Env. Variable |
| :---------------------- | :------------------------------------------------------------------------------------------------------------------------------------- | :----------------- |
| `--heroku-client-id` | Heroku client ID value for OAuth 2.0 support | `HEROKU_CLIENT_ID` |
| `--heroku-secret` | Heroku secret for OAuth 2.0 support | `HEROKU_SECRET` |
| `--heroku-organization` | Restricts authorization to users from specified Heroku organization. To add more than one organization, add multiple flags. Optional. | `HEROKU_ORGS` |
#### Generic OAuth 2.0 authentication flags
| Flag | Description | Env. Variable |
| :------------------------ | :----------------------------------------------------------------------------- | :---------------------- |
| `--generic-name` | Generic OAuth 2.0 name presented on the login page | `GENERIC_NAME` |
| `--generic-client-id` | Generic OAuth 2.0 client ID value. Can be used for a custom OAuth 2.0 service. | `GENERIC_CLIENT_ID` |
| `--generic-client-secret` | Generic OAuth 2.0 client secret value | `GENERIC_CLIENT_SECRET` |
| `--generic-scopes` | Scopes requested by provider of web client | `GENERIC_SCOPES` |
| `--generic-domains` | Email domain required for user email addresses | `GENERIC_DOMAINS` |
| `--generic-auth-url` | Authorization endpoint URL for the OAuth 2.0 provider | `GENERIC_AUTH_URL` |
| `--generic-token-url` | Token endpoint URL for the OAuth 2.0 provider | `GENERIC_TOKEN_URL` |
| `--generic-api-url` | URL that returns OpenID UserInfo-compatible information | `GENERIC_API_URL` |
| `--oauth-no-pkce` | Disable OAuth PKCE | `OAUTH_NO_PKCE` |
### etcd flags {.shorthand-flags}
| Flag | | Description | Env. Variable |
| :--- | ------------------------ | :--------------------------------------------------------------------------------------------------------- | :--------------------- |
| `-e` | `--etcd-endpoints` | etcd endpoint URL (include multiple flags for multiple endpoints) | `ETCD_ENDPOINTS` |
| | `--etcd-username` | etcd username | `ETCD_USERNAME` |
| | `--etcd-password` | etcd password | `ETCD_PASSWORD` |
| | `--etcd-dial-timeout` | Total time to wait before timing out while connecting to etcd endpoints (0 means no timeout, default: -1s) | `ETCD_DIAL_TIMEOUT` |
| | `--etcd-request-timeout` | Total time to wait before timing out the etcd view or update (0 means no timeout, default: -1s) | `ETCD_REQUEST_TIMEOUT` |
| | `--etcd-cert` | Path to PEM-encoded TLS public key certificate for use with TLS | `ETCD_CERTIFICATE` |
| | `--etcd-key` | Path to private key associated with given certificate for use with TLS | `ETCD_PRIVATE_KEY` |
| | `--etcd-root-ca` | Path to root CA certificate for TLS verification | `ETCD-ROOT-CA` |
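Review bot: the contents link `#tls-(transport-layer-security)-flags` will not resolve; the page's own anchors already show punctuation being stripped from heading ids (`2.0` becomes `20` in `#github-specific-oauth-20-authentication-flags`), so the parentheses are dropped too and the target is `#tls-transport-layer-security-flags`. Other points in this page: `-h` is listed as the short form of both `--host-page-disabled` and `--help`, which cannot both be true, so check the parser and fix one row; `—-htpasswd` still uses an em dash, so anyone copying the flag from the docs gets an unknown-option error; and `CUSTOM-AUTO-REFRESH` and `ETCD-ROOT-CA` contain hyphens, which are not valid in POSIX environment variable names, so verify the underscore forms against the flag definitions. Minor wording: "Restricts authorization to users specified Auth0 organization" is missing "from", and "the users `app_metadata`" should be "the user's".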