Commit

Describe mTLS overrides for the management interface
Closes keycloak#30094

Signed-off-by: Martin Bartoš <mabartos@redhat.com>
mabartos committed Jun 26, 2024
1 parent 224cf44 commit 9ab5bce
Showing 2 changed files with 7 additions and 3 deletions.
4 changes: 4 additions & 0 deletions docs/guides/server/enabletls.adoc
Expand Up @@ -81,4 +81,8 @@ Using the value `required` sets up {project_name} to always ask for certificates
Be aware that this is the basic certificate configuration for mTLS use cases where {project_name} acts as server. When {project_name} acts as client instead, e.g. when {project_name} tries to get a token from a token endpoint of a brokered identity provider that is secured by mTLS, you need to set up the HttpClient to provide the right certificates in the keystore for the outgoing request. To configure mTLS in these scenarios, see <@links.server id="outgoinghttp"/>.
NOTE: Management interface properties are inherited from the main HTTP server, including mTLS settings.
It means when mTLS is set, it is also enabled for the management interface.
To override the behavior, use the `https-management-client-auth` property.
</@tmpl.guide>
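Review bot: The NOTE names `https-management-client-auth` but does not say which values it accepts or what overriding means in practice. The preceding context explains `required` for the main server, so a reader can only guess that the management property takes the same set; please list the accepted values here or link to the management interface guide where they are documented. It would also help to state the consequence in both directions: with `required` inherited, anything that calls the management endpoints has to present a client certificate, and setting the override to a weaker value leaves those endpoints reachable without one. Minor wording: "It means when mTLS is set" reads better as "This means that when mTLS is set for the main HTTP server".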
6 changes: 3 additions & 3 deletions docs/guides/server/management-interface.adoc
Expand Up @@ -14,10 +14,10 @@ The most significant advantage might be seen in Kubernetes environments as the s
== Management interface configuration
The management interface is turned on by default, so management endpoints such as `/metrics`, and `/health` are exposed on the default management port `9000`.
The management interface provides a set of options and is fully configurable.
In order to change the port for the management interface, you can use the {project_name} option `http-management-port`.
The management interface provides a set of options and is fully configurable.
If these options for the management HTTP server are not explicitly set, their values are automatically inherited from the default HTTP server.
NOTE: If management interface properties are not explicitly set, their values are automatically inherited from the default HTTP server.
You can change the relative path of the management interface, as the prefix path for the management endpoints can be different.
You can achieve it via the {project_name} option `http-management-relative-path`.
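Review bot: The inheritance NOTE in this file stays generic and never mentions mTLS, although enabletls.adoc in the same commit calls out that mTLS settings are inherited and names `https-management-client-auth` as the override. Someone configuring `/metrics` and `/health` on port `9000` is more likely to read this guide than the TLS one, so the NOTE should either repeat that client-certificate settings are among the inherited values and name the override property, or cross-link to the TLS guide with the same `<@links.server id="..."/>` form used there. Also, the text switches between "options" and "properties" for the same thing across the two adjacent sentences; pick one term.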
Expand Down Expand Up @@ -48,4 +48,4 @@ Beware, the `legacy-observability-interface` option is deprecated and will be re
It only allows you to give more time for the migration.
====
</@tmpl.guide>
</@tmpl.guide>
