diff --git a/assets/styles/layouts/article/_tables.scss b/assets/styles/layouts/article/_tables.scss
index ed673c293..68ee8651c 100644
--- a/assets/styles/layouts/article/_tables.scss
+++ b/assets/styles/layouts/article/_tables.scss
@@ -65,7 +65,10 @@ table + table { margin-top: -1.5rem; }
-#flags:not(.no-shorthand), #global-flags {
+// Adjust spacing to push long-hand and short-hand columns closer together
+#flags:not(.no-shorthand),
+#global-flags,
+.shorthand-flags { & + table { td:nth-child(2) code { margin-left: -2rem; } }
diff --git a/content/chronograf/v1/tools/chronoctl/_index.md b/content/chronograf/v1/tools/chronoctl/_index.md
index 0fa0bc6cd..9c598af7a 100644
--- a/content/chronograf/v1/tools/chronoctl/_index.md
+++ b/content/chronograf/v1/tools/chronoctl/_index.md
@@ -13,14 +13,21 @@ The `chronoctl` command line interface (CLI) includes commands to interact with
 ## Usage
 ```
-chronoctl [command]
-chronoctl [flags]
+chronoctl [flags] [command]
 ```
 ## Commands
-| Command | Description |
-|:------- |:----------- |
-| [add-superadmin](/chronograf/v1/tools/chronoctl/add-superadmin/) | Create a new user with superadmin status |
-| [list-users](/chronograf/v1/tools/chronoctl/list-users) | List all users in the Chronograf data store |
-| [migrate](/chronograf/v1/tools/chronoctl/migrate) | Migrate your Chronograf configuration store |
+| Command | Description |
+| :--------------------------------------------------------------- | :------------------------------------------------------------------------------------- |
+| [add-superadmin](/chronograf/v1/tools/chronoctl/add-superadmin/) | Create a new user with superadmin status |
+| [gen-keypair](/chronograf/v1/tools/chronoctl/gen-keypair) | Generate RSA keypair in the Chronograf data store |
+| [list-users](/chronograf/v1/tools/chronoctl/list-users) | List all users in the Chronograf data store |
+| [migrate](/chronograf/v1/tools/chronoctl/migrate) | Migrate your Chronograf configuration store |
+| [token](/chronograf/v1/tools/chronoctl/token) | Get current token for a superadmin user (chronograf must be started with a public key) |
+
+## Flags
+
+| Flag | | Description |
+| :--- | -------- | :------------------ |
+| `-h` | `--help` | Output command help |
diff --git a/content/chronograf/v1/tools/chronoctl/add-superadmin.md b/content/chronograf/v1/tools/chronoctl/add-superadmin.md
index 13c98d64c..1f56e339a 100644
--- a/content/chronograf/v1/tools/chronoctl/add-superadmin.md
+++ b/content/chronograf/v1/tools/chronoctl/add-superadmin.md
@@ -6,7 +6,7 @@ menu:
 chronograf_v1:
 name: chronoctl add-superadmin
 parent: chronoctl
- weight: 20
+weight: 201
 ---
 The `add-superadmin` command creates a new user with superadmin status.
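Review bot: The new `gen-keypair` row describes the command as generating the keypair `in the Chronograf data store`, but the gen-keypair page added in the same commit says the keypair is written to the file system at `--out`; the two should agree, e.g. `Generate an RSA keypair and write it to the file system`. The `token` row's parenthetical `chronograf must be started with a public key` names a server requirement that the server flag reference in this commit does not document as a flag, so either name and link the flag here or add the entry to the reference page. The usage line changed to `chronoctl [flags] [command]` while the command pages show `chronoctl gen-keypair [flags]` with flags after the command; if both orders are accepted the page could say so, otherwise one of them is wrong.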
diff --git a/content/chronograf/v1/tools/chronoctl/gen-keypair.md b/content/chronograf/v1/tools/chronoctl/gen-keypair.md
new file mode 100644
index 000000000..1853e300f
--- /dev/null
+++ b/content/chronograf/v1/tools/chronoctl/gen-keypair.md
@@ -0,0 +1,42 @@
+---
+title: chronoctl gen-keypair
+description: >
+ The `gen-keypair` command generates an RSA keypair and writes it to the file system.
+menu:
+ chronograf_v1:
+ name: chronoctl gen-keypair
+ parent: chronoctl
+weight: 201
+---
+
+The `gen-keypair` command generates an RSA keypair and writes it to the file system.
+Private keys are stored in a file at a specified location.
+Private keys are stored in the same location using the same name with the `.pub`
+extension added.
+
+## Usage
+
+```sh
+chronoctl gen-keypair [flags]
+```
+
+## Flags
+
+| Flag | | Description | Input type |
+| :--- | :------- | :-------------------------------------------------------------------- | :--------: |
+| | `--bits` | Number of bits to use to generate the RSA keypair _(default is 4096)_ | integer |
+| `-h` | `--help` | Output command help | |
+| | `--out` | Keypair file path to write to _(default is `chronograf-rsa`)_ | string |
+
+
+## Examples
+
+The following example generates a 4096 bit RSA keypair and writes the following
+files to the local file system:
+
+- `/path/to/chrono-rsa`: Private key
+- `/path/to/chrono-rsa.pub`: Public key
+
+```sh
+chronoctl gen-keypair --out /path/to/chrono-rsa
+```
diff --git a/content/chronograf/v1/tools/chronoctl/list-users.md b/content/chronograf/v1/tools/chronoctl/list-users.md
index e4b026bcb..2296eddac 100644
--- a/content/chronograf/v1/tools/chronoctl/list-users.md
+++ b/content/chronograf/v1/tools/chronoctl/list-users.md
@@ -7,7 +7,7 @@ menu:
 chronograf_v1:
 name: chronoctl list-users
 parent: chronoctl
- weight: 30
+weight: 201
 ---
 The `list-users` command lists all users in the Chronograf data store.
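Review bot: The third sentence of the page body repeats `Private keys` where it describes the `.pub` file, so the page currently says the private key is written twice; it should read `Public keys are stored in the same location using the same name with the `.pub` extension added.` The example prose promises a 4096-bit keypair while the command shown passes only `--out`, so either add `(the default `--bits` value)` to the sentence or pass `--bits 4096` explicitly so text and command agree. Because the private key written to `--out` is the credential `chronoctl token` later uses to obtain superadmin access, the page should also state the file mode the key is created with and that it must be protected like any other secret; the mode is not visible in this commit, so confirm it against the implementation before documenting it.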
diff --git a/content/chronograf/v1/tools/chronoctl/migrate.md b/content/chronograf/v1/tools/chronoctl/migrate.md
index 836a635c4..078464906 100644
--- a/content/chronograf/v1/tools/chronoctl/migrate.md
+++ b/content/chronograf/v1/tools/chronoctl/migrate.md
@@ -6,7 +6,7 @@ menu:
 chronograf_v1:
 name: chronoctl migrate
 parent: chronoctl
- weight: 40
+weight: 201
 ---
 The `migrate` command lets you migrate your Chronograf configuration store.
diff --git a/content/chronograf/v1/tools/chronoctl/token.md b/content/chronograf/v1/tools/chronoctl/token.md
new file mode 100644
index 000000000..1c0bf8536
--- /dev/null
+++ b/content/chronograf/v1/tools/chronoctl/token.md
@@ -0,0 +1,46 @@
+---
+title: chronoctl token
+description: >
+ The `token` command reads a private token file, generates and signs the nonce,
+ and then returns an expiring token to be used in the `Authorization` header.
+menu:
+ chronograf_v1:
+ name: chronoctl token
+ parent: chronoctl
+weight: 201
+---
+
+The `token` command reads a private token file, generates and signs the nonce,
+and then returns an expiring token to be used in the `Authorization` header.
+For example:
+
+```sh
+Authorization: CHRONOGRAF-SHA256
+```
+
+## Usage
+```
+chronoctl token [flags]
+```
+
+## Flags
+| Flag | | Description | Env. Variable |
+| :--- | :----------------- | :------------------------------------------------------------ | :--------------: |
+| `-h` | `--help` | Output command help | |
+| | `--chronograf-url` | Chronograf's URL _(default is `http://localhost:8888`)_ | `CHRONOGRAF_URL` |
+| `-k` | `--skip-verify` | Skip TLS certification verification | |
+| | `--priv-key-file` | Private key file location for superadmin token authentication | `PRIV_KEY_FILE` |
+
+## Examples
+
+The following example uses the RSA key used when started the Chronograf server and
+returns an expiring token that can be used to gain superadmin access to Chronograf.
+
+{{% note %}}
+The private key must correspond to the public key used when starting the
+Chronograf server.
+{{% /note %}}
+
+```sh
+chronoctl token --priv-key-file /path/to/chronograf-rsa
+```
diff --git a/content/chronograf/v1/tools/chronograf-cli/_index.md b/content/chronograf/v1/tools/chronograf-cli/_index.md
deleted file mode 100644
index 5b1a146a3..000000000
--- a/content/chronograf/v1/tools/chronograf-cli/_index.md
+++ /dev/null
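Review bot: The `-k`/`--skip-verify` description reads `Skip TLS certification verification`; it should be `Skip TLS certificate verification`, and because the flag disables server authentication on a request that carries a superadmin token, the consequence belongs in the description, e.g. `Skip TLS certificate verification (the signed token is then sent to a server whose identity has not been verified; intended for testing only)`. The intro says the command `reads a private token file` while the flag is `--priv-key-file` and the example passes the RSA private key, so `private key file` is the consistent term in both the description front matter and the body. The example `Authorization: CHRONOGRAF-SHA256` shows nothing after the scheme, so a reader cannot tell whether the header is the scheme alone or scheme followed by the token; a constructed placeholder such as `Authorization: CHRONOGRAF-SHA256 <token>` would settle it, assuming that is the wire format. `used when started the Chronograf server` should read `used when starting the Chronograf server`.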
@@ -1,145 +0,0 @@
----
-title: chronograf CLI
-description: >
- The `chronograf` command line interface (CLI) includes options to manage many aspects of Chronograf security.
-menu:
- chronograf_v1:
- name: chronograf CLI
- parent: Tools
- weight: 10
-
----
-
-The `chronograf` command line interface (CLI) includes options to manage Chronograf security.
-
-## Usage
-```
-chronograf [flags]
-```
-
-## Chronograf service flags
-
-| Flag | Description | Env. Variable |
-|:-----------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------|:---------------------|
-| `--host` | IP the Chronograf service listens on. By default, `0.0.0.0` | `$HOST` |
-| `--port` | Port the Chronograf service listens on for insecure connections. By default, `8888` | `$PORT` |
-| `-b`,`--bolt-path` | File path to the BoltDB file. By default, `./chronograf-v1.db` | `$BOLT_PATH` |
-| `-c`,`--canned-path` | File path to the directory of canned dashboard files. By default, `/usr/share/chronograf/canned` | `$CANNED_PATH` |
-| `--resources-path` | Path to directory of canned dashboards, sources, Kapacitor connections, and organizations. By default, `/usr/share/chronograf/resources` | `$RESOURCES_PATH` |
-| `-p`, `--basepath` | URL path prefix under which all Chronograf routes will be mounted. | `$BASE_PATH` |
-| `--status-feed-url` | URL of JSON feed to display as a news feed on the client status page. By default, `https://www.influxdata.com/feed/json` | `$STATUS_FEED_URL` |
-| `-v`, `--version` | Displays the version of the Chronograf service | |
-| `-h`, `--host-page-disabled` | Disables the hosts page | `$HOST_PAGE_DISABLED`|
-
-## InfluxDB connection flags
-
-| Flag | Description | Env. Variable |
-| :-------------------- | :-------------------------------------------------------------------------------------- | :------------------- |
-| `--influxdb-url` | InfluxDB URL, including the protocol, IP address, and port | `$INFLUXDB_URL` |
-| `--influxdb-username` | InfluxDB username | `$INFLUXDB_USERNAME` |
-| `--influxdb-password` | InfluxDB password | `$INFLUXDB_PASSWORD` |
-| `--influxdb-org` | InfluxDB 2.x or InfluxDB Cloud organization name | `$INFLUXDB_ORG` |
-| `--influxdb-token` | InfluxDB 2.x or InfluxDB Cloud [authentication token](/influxdb/cloud/security/tokens/) | `$INFLUXDB_TOKEN` |
-
-## Kapacitor connection flags
-
-| Flag | Description | Env. Variable |
-|:-----------------------|:-------------------------------------------------------------------------------|:----------------------|
-| `--kapacitor-url` | Location of your Kapacitor instance, including `http://`, IP address, and port | `$KAPACITOR_URL` |
-| `--kapacitor-username` | Username for your Kapacitor instance | `$KAPACITOR_USERNAME` |
-| `--kapacitor-password` | Password for your Kapacitor instance | `$KAPACITOR_PASSWORD` |
-
-## TLS (Transport Layer Security) flags
-
-| Flag | Description | Env. Variable |
-|:--------- |:------------------------------------------------------------ |:--------------------|
-| `--cert` | File path to PEM-encoded public key certificate | `$TLS_CERTIFICATE` |
-| `--key` | File path to private key associated with given certificate | `$TLS_PRIVATE_KEY` |
-| `--tls-ciphers` | Comma-separated list of supported cipher suites. Use `help` to print available ciphers. | `$TLS_CIPHERS` |
-| `--tls-min-version` | Minimum version of the TLS protocol that will be negotiated. (default: 1.2) | `$TLS_MIN_VERSION` |
-| `--tls-max-version` | Maximum version of the TLS protocol that will be negotiated. | `$TLS_MAX_VERSION` |
-
-## Other service option flags
-
-| Flag | Description | Env. Variable |
-| :--------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------- | :-------------------- |
-| `--custom-auto-refresh` | Add custom auto-refresh options using semicolon separated list of label=milliseconds pairs | `$CUSTOM-AUTO-REFRESH |
-| `--custom-link` | Add a custom link to Chronograf user menu options using `:` syntax. For multiple custom links, include multiple flags. | |
-| `-d`, `--develop` | Run the Chronograf service in developer mode | |
-| `-h`, `--help` | Display command line help for Chronograf | |
-| `-l`, `--log-level` | Set the logging level. Valid values include `info` (default), `debug`, and `error` | `$LOG_LEVEL` |
-| `-r`, `--reporting-disabled` | Disable reporting of usage statistics. Usage statistics reported once every 24 hours include: `OS`, `arch`, `version`, `cluster_id`, and `uptime`. | `$REPORTING_DISABLED` |
-
-## Authentication option flags
-
-### General authentication flags
-
-| Flag | Description | Env. Variable |
-| :--------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :--------------- |
-| `-t`, `--token-secret` | Secret for signing tokens | `$TOKEN_SECRET` |
-| `--auth-duration` | Total duration, in hours, of cookie life for authentication. Default value is `720h`. | `$AUTH_DURATION` |
-| `--public-url` | Public URL required to access Chronograf using a web browser. For example, if you access Chronograf using the default URL, the public URL value would be `http://localhost:8888`. Required for Google OAuth 2.0 authentication. Used for Auth0 and some generic OAuth 2.0 authentication providers. | `$PUBLIC_URL` |
-| `—-htpasswd` | Path to password file for use with HTTP basic authentication. See [NGINX documentation](https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/) for more on password files. | `$HTPASSWD` |
-
-### GitHub-specific OAuth 2.0 authentication flags
-
-| Flag | Description | Env. Variable |
-| :----------------------------- | :------------------------------------------------------------------------------------------------------------------------------------- | :------------------ |
-| `--github-url` | Github base URL. Default is `https://github.com`. {{< req "Required if using Github Enterprise" >}} | `$GH_URL` |
-| `-i`, `--github-client-id` | GitHub client ID value for OAuth 2.0 support | `$GH_CLIENT_ID` |
-| `-s`, `--github-client-secret` | GitHub client secret value for OAuth 2.0 support | `$GH_CLIENT_SECRET` |
-| `-o`, `--github-organization` | Restricts authorization to users from specified Github organizations. To add more than one organization, add multiple flags. Optional. | `$GH_ORGS` |
-
-### Google-specific OAuth 2.0 authentication flags
-
-| Flag | Description | Env. Variable |
-|:-------------------------|:--------------------------------------------------------------------------------|:------------------------|
-| `--google-client-id` | Google client ID value for OAuth 2.0 support | `$GOOGLE_CLIENT_ID` |
-| `--google-client-secret` | Google client secret value for OAuth 2.0 support | `$GOOGLE_CLIENT_SECRET` |
-| `--google-domains` | Restricts authorization to users from specified Google email domain. To add more than one domain, add multiple flags. Optional. | `$GOOGLE_DOMAINS` |
-
-
-### Auth0-specific OAuth 2.0 authentication flags
-
-| Flag | Description | Env. Variable |
-|:------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------|
-| `--auth0-domain` | Subdomain of your Auth0 client. Available on the configuration page for your Auth0 client. | `$AUTH0_DOMAIN` |
-| `--auth0-client-id` | Auth0 client ID value for OAuth 2.0 support | `$AUTH0_CLIENT_ID` |
-| `--auth0-client-secret` | Auth0 client secret value for OAuth 2.0 support | `$AUTH0_CLIENT_SECRET` |
-| `--auth0-organizations` | Restricts authorization to users specified Auth0 organization. To add more than one organization, add multiple flags. Optional. Organizations are set using an organization key in the user’s `app_metadata`. | `$AUTH0_ORGS` |
-
-### Heroku-specific OAuth 2.0 authentication flags
-
-| Flag | Description | Env. Variable |
-|:------------------------|:-----------------------------------------------------------------------------------------|:--------------------|
-| `--heroku-client-id` | Heroku client ID value for OAuth 2.0 support | `$HEROKU_CLIENT_ID` |
-| `--heroku-secret` | Heroku secret for OAuth 2.0 support | `$HEROKU_SECRET` |
-| `--heroku-organization` | Restricts authorization to users from specified Heroku organization. To add more than one organization, add multiple flags. Optional. | `$HEROKU_ORGS` |
-
-### Generic OAuth 2.0 authentication flags
-
-| Flag | Description | Env. Variable |
-| :------------------------ | :----------------------------------------------------------------------------- | :----------------------- |
-| `--generic-name` | Generic OAuth 2.0 name presented on the login page | `$GENERIC_NAME` |
-| `--generic-client-id` | Generic OAuth 2.0 client ID value. Can be used for a custom OAuth 2.0 service. | `$GENERIC_CLIENT_ID` |
-| `--generic-client-secret` | Generic OAuth 2.0 client secret value | `$GENERIC_CLIENT_SECRET` |
-| `--generic-scopes` | Scopes requested by provider of web client | `$GENERIC_SCOPES` |
-| `--generic-domains` | Email domain required for user email addresses | `$GENERIC_DOMAINS` |
-| `--generic-auth-url` | Authorization endpoint URL for the OAuth 2.0 provider | `$GENERIC_AUTH_URL` |
-| `--generic-token-url` | Token endpoint URL for the OAuth 2.0 provider | `$GENERIC_TOKEN_URL` |
-| `--generic-api-url` | URL that returns OpenID UserInfo-compatible information | `$GENERIC_API_URL` |
-| `--oauth-no-pkce` | Disable OAuth PKCE | `$OAUTH_NO_PKCE` |
-
-### etcd flags
-
-| Flag | Description | Env. Variable |
-| :----------------------- | :--------------------------------------------------------------------------------------------------------- | :---------------------- |
-| `-e`, `--etcd-endpoints` | etcd endpoint URL (include multiple flags for multiple endpoints) | `$ETCD_ENDPOINTS` |
-| `--etcd-username` | etcd username | `$ETCD_USERNAME` |
-| `--etcd-password` | etcd password | `$ETCD_PASSWORD` |
-| `--etcd-dial-timeout` | Total time to wait before timing out while connecting to etcd endpoints (0 means no timeout, default: -1s) | `$ETCD_DIAL_TIMEOUT` |
-| `--etcd-request-timeout` | Total time to wait before timing out the etcd view or update (0 means no timeout, default: -1s) | `$ETCD_REQUEST_TIMEOUT` |
-| `--etcd-cert` | Path to PEM encoded TLS public key certificate for use with TLS | `$ETCD_CERTIFICATE` |
-| `--etcd-key` | Path to private key associated with given certificate for use with TLS | `$ETCD_PRIVATE_KEY` |
-| `--etcd-root-ca` | Path to root CA certificate for TLS verification | `$ETCD-ROOT-CA |
-
diff --git a/content/chronograf/v1/tools/chronograf/_index.md b/content/chronograf/v1/tools/chronograf/_index.md
new file mode 100644
index 000000000..0a9e6c0ce
--- /dev/null
+++ b/content/chronograf/v1/tools/chronograf/_index.md
@@ -0,0 +1,166 @@
+---
+title: chronograf - Chronograf server
+description: >
+ The `chronograf` daemon starts and manages all the processes associated with
+ the Chronograf server and includes options that manage many aspects of
+ Chronograf security.
+menu:
+ chronograf_v1:
+ name: chronograf
+ parent: Tools
+ weight: 10
+aliases:
+ - /chronograf/v1/tools/chronograf-cli/
+---
+
+The `chronograf` daemon starts and manages all the processes associated with
+the Chronograf server and includes options that manage many aspects of
+Chronograf security.
+
+## Usage
+
+```
+chronograf [flags]
+```
+
+## Flags
+
+- [Chronograf server flags](#chronograf-server-flags)
+- [InfluxDB connection flags](#influxdb-connection-flags)
+- [Kapacitor connection flags](#kapacitor-connection-flags)
+- [TLS (Transport Layer Security) flags](#tls-(transport-layer-security)-flags)
+- [Other server option flags](#other-server-option-flags)
+- [Authentication option flags](#authentication-option-flags)
+ - [General authentication flags](#general-authentication-flags)
+ - [GitHub-specific OAuth 2.0 authentication flags](#github-specific-oauth-20-authentication-flags)
+ - [Google-specific OAuth 2.0 authentication flags](#google-specific-oauth-20-authentication-flags)
+ - [Auth0-specific OAuth 2.0 authentication flags](#auth0-specific-oauth-20-authentication-flags)
+ - [Heroku-specific OAuth 2.0 authentication flags](#heroku-specific-oauth-20-authentication-flags)
+ - [Generic OAuth 2.0 authentication flags](#generic-oauth-20-authentication-flags)
+- [etcd flags](#etcd-flags)
+
+### Chronograf server flags {.shorthand-flags}
+
+| Flag | | Description | Env. Variable |
+| :--- | ---------------------- | :--------------------------------------------------------------------------------------------------------------------------------------- | :------------------- |
+| | `--host` | IP the Chronograf service listens on. By default, `0.0.0.0` | `HOST` |
+| | `--port` | Port the Chronograf service listens on for insecure connections. By default, `8888` | `PORT` |
+| `-b` | `--bolt-path` | File path to the BoltDB file. By default, `./chronograf-v1.db` | `BOLT_PATH` |
+| `-c` | `--canned-path` | File path to the directory of canned dashboard files. By default, `/usr/share/chronograf/canned` | `CANNED_PATH` |
+| | `--resources-path` | Path to directory of canned dashboards, sources, Kapacitor connections, and organizations. By default, `/usr/share/chronograf/resources` | `RESOURCES_PATH` |
+| `-p` | `--basepath` | URL path prefix under which all Chronograf routes will be mounted. | `BASE_PATH` |
+| | `--status-feed-url` | URL of JSON feed to display as a news feed on the client status page. By default, `https://www.influxdata.com/feed/json` | `STATUS_FEED_URL` |
+| `-v` | `--version` | Displays the version of the Chronograf service | |
+| `-h` | `--host-page-disabled` | Disables the hosts page | `HOST_PAGE_DISABLED` |
+
+### InfluxDB connection flags
+
+| Flag | Description | Env. Variable |
+| :-------------------- | :-------------------------------------------------------------------------------------- | :------------------ |
+| `--influxdb-url` | InfluxDB URL, including the protocol, IP address, and port | `INFLUXDB_URL` |
+| `--influxdb-username` | InfluxDB username | `INFLUXDB_USERNAME` |
+| `--influxdb-password` | InfluxDB password | `INFLUXDB_PASSWORD` |
+| `--influxdb-org` | InfluxDB 2.x or InfluxDB Cloud organization name | `INFLUXDB_ORG` |
+| `--influxdb-token` | InfluxDB 2.x or InfluxDB Cloud [authentication token](/influxdb/cloud/security/tokens/) | `INFLUXDB_TOKEN` |
+
+### Kapacitor connection flags
+
+| Flag | Description | Env. Variable |
+| :--------------------- | :----------------------------------------------------------------------------- | :------------------- |
+| `--kapacitor-url` | Location of your Kapacitor instance, including `http://`, IP address, and port | `KAPACITOR_URL` |
+| `--kapacitor-username` | Username for your Kapacitor instance | `KAPACITOR_USERNAME` |
+| `--kapacitor-password` | Password for your Kapacitor instance | `KAPACITOR_PASSWORD` |
+
+### TLS (Transport Layer Security) flags
+
+| Flag | Description | Env. Variable |
+| :------------------ | :-------------------------------------------------------------------------------------- | :---------------- |
+| `--cert` | File path to PEM-encoded public key certificate | `TLS_CERTIFICATE` |
+| `--key` | File path to private key associated with given certificate | `TLS_PRIVATE_KEY` |
+| `--tls-ciphers` | Comma-separated list of supported cipher suites. Use `help` to print available ciphers. | `TLS_CIPHERS` |
+| `--tls-min-version` | Minimum version of the TLS protocol that will be negotiated. (default: 1.2) | `TLS_MIN_VERSION` |
+| `--tls-max-version` | Maximum version of the TLS protocol that will be negotiated. | `TLS_MAX_VERSION` |
+
+### Other server option flags {.shorthand-flags}
+
+| Flag | | Description | Env. Variable |
+| :--- | ----------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------- | :-------------------- |
+| | `--custom-auto-refresh` | Add custom auto-refresh options using semicolon-separated list of label=milliseconds pairs | `CUSTOM-AUTO-REFRESH` |
+| | `--custom-link` | Add a custom link to Chronograf user menu options using `:` syntax. For multiple custom links, include multiple flags. | |
+| `-d` | `--develop` | Run the Chronograf service in developer mode | |
+| `-h` | `--help` | Display command line help for Chronograf | |
+| `-l` | `--log-level` | Set the logging level. Valid values include `info` (default), `debug`, and `error` | `LOG_LEVEL` |
+| `-r` | `--reporting-disabled` | Disable reporting of usage statistics. Usage statistics reported once every 24 hours include: `OS`, `arch`, `version`, `cluster_id`, and `uptime`. | `REPORTING_DISABLED` |
+
+### Authentication option flags
+
+#### General authentication flags {.shorthand-flags}
+
+| Flag | | Description | Env. Variable |
+| :--- | ----------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :-------------- |
+| `-t` | `--token-secret` | Secret for signing tokens | `TOKEN_SECRET` |
+| | `--auth-duration` | Total duration, in hours, of cookie life for authentication. Default value is `720h`. | `AUTH_DURATION` |
+| | `--public-url` | Public URL required to access Chronograf using a web browser. For example, if you access Chronograf using the default URL, the public URL value would be `http://localhost:8888`. Required for Google OAuth 2.0 authentication. Used for Auth0 and some generic OAuth 2.0 authentication providers. | `PUBLIC_URL` |
+| | `—-htpasswd` | Path to password file for use with HTTP basic authentication. See [NGINX documentation](https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/) for more on password files. | `HTPASSWD` |
+
+#### GitHub-specific OAuth 2.0 authentication flags {.shorthand-flags}
+
+| Flag | | Description | Env. Variable |
+| :--- | ------------------------ | :------------------------------------------------------------------------------------------------------------------------------------- | :----------------- |
+| | `--github-url` | GitHub base URL. Default is `https://github.com`. {{< req "Required if using GitHub Enterprise" >}} | `GH_URL` |
+| `-i` | `--github-client-id` | GitHub client ID value for OAuth 2.0 support | `GH_CLIENT_ID` |
+| `-s` | `--github-client-secret` | GitHub client secret value for OAuth 2.0 support | `GH_CLIENT_SECRET` |
+| `-o` | `--github-organization` | Restricts authorization to users from specified GitHub organizations. To add more than one organization, add multiple flags. Optional. | `GH_ORGS` |
+
+#### Google-specific OAuth 2.0 authentication flags
+
+| Flag | Description | Env. Variable |
+| :----------------------- | :------------------------------------------------------------------------------------------------------------------------------ | :--------------------- |
+| `--google-client-id` | Google client ID value for OAuth 2.0 support | `GOOGLE_CLIENT_ID` |
+| `--google-client-secret` | Google client secret value for OAuth 2.0 support | `GOOGLE_CLIENT_SECRET` |
+| `--google-domains` | Restricts authorization to users from specified Google email domain. To add more than one domain, add multiple flags. Optional. | `GOOGLE_DOMAINS` |
+
+
+#### Auth0-specific OAuth 2.0 authentication flags
+
+| Flag | Description | Env. Variable |
+| :---------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :-------------------- |
+| `--auth0-domain` | Subdomain of your Auth0 client. Available on the configuration page for your Auth0 client. | `AUTH0_DOMAIN` |
+| `--auth0-client-id` | Auth0 client ID value for OAuth 2.0 support | `AUTH0_CLIENT_ID` |
+| `--auth0-client-secret` | Auth0 client secret value for OAuth 2.0 support | `AUTH0_CLIENT_SECRET` |
+| `--auth0-organizations` | Restricts authorization to users specified Auth0 organization. To add more than one organization, add multiple flags. Optional. Organizations are set using an organization key in the user’s `app_metadata`. | `AUTH0_ORGS` |
+
+#### Heroku-specific OAuth 2.0 authentication flags
+
+| Flag | Description | Env. Variable |
+| :---------------------- | :------------------------------------------------------------------------------------------------------------------------------------- | :----------------- |
+| `--heroku-client-id` | Heroku client ID value for OAuth 2.0 support | `HEROKU_CLIENT_ID` |
+| `--heroku-secret` | Heroku secret for OAuth 2.0 support | `HEROKU_SECRET` |
+| `--heroku-organization` | Restricts authorization to users from specified Heroku organization. To add more than one organization, add multiple flags. Optional. | `HEROKU_ORGS` |
+
+#### Generic OAuth 2.0 authentication flags
+
+| Flag | Description | Env. Variable |
+| :------------------------ | :----------------------------------------------------------------------------- | :---------------------- |
+| `--generic-name` | Generic OAuth 2.0 name presented on the login page | `GENERIC_NAME` |
+| `--generic-client-id` | Generic OAuth 2.0 client ID value. Can be used for a custom OAuth 2.0 service. | `GENERIC_CLIENT_ID` |
+| `--generic-client-secret` | Generic OAuth 2.0 client secret value | `GENERIC_CLIENT_SECRET` |
+| `--generic-scopes` | Scopes requested by provider of web client | `GENERIC_SCOPES` |
+| `--generic-domains` | Email domain required for user email addresses | `GENERIC_DOMAINS` |
+| `--generic-auth-url` | Authorization endpoint URL for the OAuth 2.0 provider | `GENERIC_AUTH_URL` |
+| `--generic-token-url` | Token endpoint URL for the OAuth 2.0 provider | `GENERIC_TOKEN_URL` |
+| `--generic-api-url` | URL that returns OpenID UserInfo-compatible information | `GENERIC_API_URL` |
+| `--oauth-no-pkce` | Disable OAuth PKCE | `OAUTH_NO_PKCE` |
+
+### etcd flags {.shorthand-flags}
+
+| Flag | | Description | Env. Variable |
+| :--- | ------------------------ | :--------------------------------------------------------------------------------------------------------- | :--------------------- |
+| `-e` | `--etcd-endpoints` | etcd endpoint URL (include multiple flags for multiple endpoints) | `ETCD_ENDPOINTS` |
+| | `--etcd-username` | etcd username | `ETCD_USERNAME` |
+| | `--etcd-password` | etcd password | `ETCD_PASSWORD` |
+| | `--etcd-dial-timeout` | Total time to wait before timing out while connecting to etcd endpoints (0 means no timeout, default: -1s) | `ETCD_DIAL_TIMEOUT` |
+| | `--etcd-request-timeout` | Total time to wait before timing out the etcd view or update (0 means no timeout, default: -1s) | `ETCD_REQUEST_TIMEOUT` |
+| | `--etcd-cert` | Path to PEM-encoded TLS public key certificate for use with TLS | `ETCD_CERTIFICATE` |
+| | `--etcd-key` | Path to private key associated with given certificate for use with TLS | `ETCD_PRIVATE_KEY` |
+| | `--etcd-root-ca` | Path to root CA certificate for TLS verification | `ETCD-ROOT-CA` |