Creates a new and optimized server image.

Usage:

kc.sh build [OPTIONS]

Creates a new and optimized server image based on the configuration options
passed to this command. Once created, the configuration will be persisted and
read during startup without having to pass them over again.

Some configuration options require this command to be executed in order to
actually change a configuration. For instance

- Change database vendor
- Enable/disable features
- Enable/Disable providers or set a default

Consider running this command before running the server in production for an
optimal runtime.

Options:

-h, --help           This help message.
--help-all           This same help message but with additional options.

Cluster:

--cache <type>       Defines the cache mechanism for high-availability. By default, a 'ispn' cache
                       is used to create a cluster between multiple server nodes. A 'local' cache
                       disables clustering and is intended for development and testing purposes.
                       Default: ispn.
--cache-config-file <file>
                     Defines the file from which cache configuration should be loaded from.
--cache-stack <stack>
                     Define the default stack to use for cluster communication and node discovery.
                       This option only takes effect if 'cache' is set to 'ispn'. Default: udp.

Database:

--db <vendor>        The database vendor. Possible values are: h2-file, h2-mem, mariadb, mssql,
                       mssql-2012, mysql, oracle, postgres, postgres-95
--db-password <password>
                     The password of the database user.
--db-pool-initial-size <size>
                     The initial size of the connection pool.
--db-pool-max-size <size>
                     The maximum size of the connection pool. Default: 100.
--db-pool-min-size <size>
                     The minimal size of the connection pool.
--db-schema <schema> The database schema to be used.
--db-url <jdbc-url>  The full database JDBC URL. If not provided, a default URL is set based on the
                       selected database vendor. For instance, if using 'postgres', the default
                       JDBC URL would be 'jdbc:postgresql://localhost/keycloak'.
--db-url-database <dbname>
                     Sets the database name of the default JDBC URL of the chosen vendor. If the
                       `db-url` option is set, this option is ignored.
--db-url-host <hostname>
                     Sets the hostname of the default JDBC URL of the chosen vendor. If the
                       `db-url` option is set, this option is ignored.
--db-url-properties <properties>
                     Sets the properties of the default JDBC URL of the chosen vendor. If the
                       `db-url` option is set, this option is ignored.
--db-username <username>
                     The username of the database user.

Feature:

--features-account2 <enabled|disabled>
                     Enables the ACCOUNT2 feature.
--features-account_api <enabled|disabled>
                     Enables the ACCOUNT_API feature.
--features-admin2 <enabled|disabled>
                     Enables the ADMIN2 feature.
--features-admin_fine_grained_authz <enabled|disabled>
                     Enables the ADMIN_FINE_GRAINED_AUTHZ feature.
--features-authorization <enabled|disabled>
                     Enables the AUTHORIZATION feature.
--features-ciba <enabled|disabled>
                     Enables the CIBA feature.
--features-client_policies <enabled|disabled>
                     Enables the CLIENT_POLICIES feature.
--features-declarative_user_profile <enabled|disabled>
                     Enables the DECLARATIVE_USER_PROFILE feature.
--features-docker <enabled|disabled>
                     Enables the DOCKER feature.
--features-impersonation <enabled|disabled>
                     Enables the IMPERSONATION feature.
--features-map_storage <enabled|disabled>
                     Enables the MAP_STORAGE feature.
--features-openshift_integration <enabled|disabled>
                     Enables the OPENSHIFT_INTEGRATION feature.
--features-par <enabled|disabled>
                     Enables the PAR feature.
--features-scripts <enabled|disabled>
                     Enables the SCRIPTS feature.
--features-token_exchange <enabled|disabled>
                     Enables the TOKEN_EXCHANGE feature.
--features-upload_scripts <enabled|disabled>
                     Enables the UPLOAD_SCRIPTS feature.
--features-web_authn <enabled|disabled>
                     Enables the WEB_AUTHN feature.
-ft, --features <preview>
                     Enables all tech preview features.

Hostname:

--hostname <hostname>
                     Hostname for the Keycloak server.
--hostname-admin <url>
                     Overrides the hostname for the admin console and APIs.
--hostname-path <path>
                     This should be set if proxy uses a different context-path for Keycloak.
--hostname-strict <true|false>
                     Disables dynamically resolving the hostname from request headers. Should
                       always be set to true in production, unless proxy verifies the Host header.
                       Default: true.
--hostname-strict-backchannel <true|false>
                     By default backchannel URLs are dynamically resolved from request headers to
                       allow internal an external applications. If all applications use the public
                       URL this option should be enabled. Default: false.

HTTP/TLS:

--http-enabled <true|false>
                     Enables the HTTP listener. Default: false.
--http-host <host>   The used HTTP Host. Default: 0.0.0.0.
--http-port <port>   The used HTTP port. Default: 8080.
--http-relative-path <path>
                     Set the path relative to '/' for serving resources. Default: /.
--https-certificate-file <file>
                     The file path to a server certificate or certificate chain in PEM format.
--https-certificate-key-file <file>
                     The file path to a private key in PEM format.
--https-cipher-suites <ciphers>
                     The cipher suites to use. If none is given, a reasonable default is selected.
--https-client-auth <auth>
                     Configures the server to require/request client authentication. Possible
                       Values: none, request, required. Default: none.
--https-key-store-file <file>
                     The key store which holds the certificate information instead of specifying
                       separate files.
--https-key-store-password <password>
                     The password of the key store file. Default: password.
--https-key-store-type <type>
                     The type of the key store file. If not given, the type is automatically
                       detected based on the file name.
--https-port <port>  The used HTTPS port. Default: 8443.
--https-protocols <protocols>
                     The list of protocols to explicitly enable.
--https-trust-store-file <file>
                     The trust store which holds the certificate information of the certificates to
                       trust.
--https-trust-store-password <password>
                     The password of the trust store file.
--https-trust-store-type <type>
                     The type of the trust store file. If not given, the type is automatically
                       detected based on the file name.

Metrics:

--metrics-enabled <true|false>
                     If the server should expose metrics and healthcheck. If enabled, metrics are
                       available at the '/metrics' endpoint and healthcheck at the '/health'
                       endpoint. Default: false.

Proxy:

--proxy <mode>       The proxy address forwarding mode if the server is behind a reverse proxy.
                       Possible values are: none,edge,reencrypt,passthrough Default: none.

Vault:

--vault-file-path <dir>
                     If set, secrets can be obtained by reading the content of files within the
                       given path.
--vault-hashicorp-paths <paths>
                     A set of one or more paths that should be used when looking up secrets.

Examples:

  Optimize the server based on a profile configuration:

      $ kc.sh --profile=prod build

  Change database settings:

      $ kc.sh build --db=postgres [--db-url][--db-username][--db-password]

  Enable a feature:

      $ kc.sh build --features-<feature_name>=[enabled|disabled]

  Or alternatively, enable all tech preview features:

      $ kc.sh build --features=preview

  Enable metrics:

      $ kc.sh build --metrics-enabled=true

  Change the relative path:

      $ kc.sh build --http-relative-path=/auth

You can also use the "--auto-build" option when starting the server to avoid
running this command every time you change a configuration:

    $ kc.sh start --auto-build <OPTIONS>

By doing that you have an additional overhead when the server is starting.

Use 'kc.sh build --help-all' to list all available options, including the start
options.